Movie of the Week: The Dark Knight

A lot has been said about the latest Batman movie, The Dark Knight. Heath Ledger's performance as the Joker in particular has been praised a lot. I became sceptical about the film because of all the hype.

This evening Silke and I went to watch The Dark Knight ourselves. I must say it deserved all the hype. The movie was exciting, disturbing and full of action. Heath Ledger was simply brilliant. He reached a level of malignant madness that will assure him a place in the midst of legendary movie villains.

All in all it was one of the two best Batman movies ever. It reflected the dark ambience of the comics perfectly.


DNS cache poisoning vs. NAT

The latest DNS security issue (please read Hubert’s Blog entry) proves again that NAT is a bad idea. If you run a DNS server behind a NAT (which you really shouldn’t) you can pick one of two evils:

  1. You use a fixed query source port on your DNS server, which makes it susceptible to DNS cache poisoning.
  2. You use random query source ports, which will create a lot of entries in the NAT mapping table of your NAT gateway. Because DNS mostly uses connectionless UDP, the NAT gateway can only rely on idle timeouts to delete those mappings. As a result the NAT mapping table will fill up quickly. This will cause problems especially on small router appliances.
    Even if your NAT router can handle this gracefully, there is a good chance that it will undo the randomisation of the source port by assigning sequential port numbers to NAT mappings.
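A check for which of these cases applies, run over the query source ports as seen on the public side of the NAT gateway (for instance taken from a packet capture). This is an added example, not part of the original post; the thresholds and the sample port lists are constructed assumptions.

```python
import math

TXID_BITS = 16    # the DNS transaction ID is a 16-bit field
MAX_STEP = 16     # assumed threshold for a "small" forward step between ports
MIN_SAMPLES = 8   # assumed minimum number of observed queries for a verdict

def _deltas(ports):
    # Forward distance between consecutive ports, modulo the 16-bit port space.
    return [(b - a) % 65536 for a, b in zip(ports, ports[1:])]

def classify_source_ports(ports):
    """Return 'fixed', 'sequential' or 'random' for ports in arrival order."""
    if len(ports) < MIN_SAMPLES:
        raise ValueError("need at least %d samples" % MIN_SAMPLES)
    if len(set(ports)) == 1:
        return "fixed"
    deltas = _deltas(ports)
    small = [d for d in deltas if 0 < d <= MAX_STEP]
    # Tolerate a few outliers, e.g. the NAT allocator wrapping around its pool.
    if len(small) >= 0.9 * len(deltas):
        return "sequential"
    return "random"

def next_port_candidates(ports):
    """Number of ports that remain plausible for the next query."""
    kind = classify_source_ports(ports)
    if kind == "fixed":
        return 1
    if kind == "sequential":
        return max(d for d in _deltas(ports) if 0 < d <= MAX_STEP)
    # Random: nothing narrower than the range the ports were drawn from.
    return max(ports) - min(ports) + 1

def effective_bits(ports):
    """Transaction ID bits plus what the source port still contributes."""
    return TXID_BITS + math.log2(next_port_candidates(ports))

# Constructed samples: resolver with a fixed port, resolver behind a NAT that
# hands out sequential ports, and resolver whose random ports survive the NAT.
FIXED = [32768] * 10
SEQUENTIAL = [40000, 40001, 40002, 40004, 40005, 40006, 40007, 40009, 40010, 40011]
RANDOM = [51234, 1893, 60211, 33120, 7741, 45002, 12987, 58876, 29011, 40333]

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED), ("nat-sequential", SEQUENTIAL), ("random", RANDOM)):
        print(name, classify_source_ports(sample), round(effective_bits(sample), 2))
```

A "sequential" verdict for a resolver that is configured for random source ports means the NAT gateway has undone the randomisation, leaving little more than the 16-bit transaction ID to protect each query.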

The only solution I can think of is a NAT implementation that recognizes DNS traffic and uses very short-lived NAT mappings for it. But that will make NAT even more evil because it has to make more assumptions about the IP traffic to work properly.

What we really need is DNSSEC (to make DNS secure) and IPv6 (to get rid of NAT).


RAID and file system performance tuning

The last time I tested software RAID 1 under NetBSD I wasn’t really satisfied with the performance. File system operations in particular were much slower than I expected. As a result, my current home server uses an Intel SRCS14L RAID controller instead of software RAID.

I had also considered buying a new RAID controller for my future home server. Areca’s ARC-1210 looked like the best candidate. But the ARC-1210 is not exactly cheap (as expected) and unfortunately has a fan. As reducing the noise level was one of the main goals of buying new server hardware, I was put off.

After some consideration I decided to give RAIDframe another try. Encouraged by David Brownlee’s benchmark results, I ran a similar benchmark on my hardware. To do that I wrote a shell script which consecutively creates RAID 1 volumes and FFSv1 file systems with all the combinations of parameters listed in the table below. Each of the file systems is mounted (not using soft dependencies) and benchmarked by extracting the tar archives with the NetBSD 4.0 sources to it. The time required to complete each of the benchmark runs is recorded afterwards. Below are the averages of the results of two runs of my test script; smaller time values imply better performance, of course.

| Block size / Fragment size | 32 sectors per stripe unit | 64 sectors per stripe unit | 128 sectors per stripe unit |
|---|---|---|---|
| 8KB / 1KB | 285 seconds | 253 seconds | 239 seconds |
| 8KB / 2KB | 299 seconds | 263 seconds | 246 seconds |
| 8KB / 4KB | 305 seconds | 277 seconds | 261 seconds |
| 8KB / 8KB | 285 seconds | 269 seconds | 259 seconds |
| 16KB / 2KB | 290 seconds | 250 seconds | 230 seconds |
| 16KB / 4KB | 303 seconds | 271 seconds | 243 seconds |
| 16KB / 8KB | 327 seconds | 301 seconds | 277 seconds |
| 16KB / 16KB | 430 seconds | 306 seconds | 291 seconds |
| 32KB / 4KB | 288 seconds | 260 seconds | 241 seconds |
| 32KB / 8KB | 311 seconds | 287 seconds | 264 seconds |
| 32KB / 16KB | 437 seconds | 320 seconds | 295 seconds |
| 32KB / 32KB | 470 seconds | 437 seconds | 331 seconds |

Unsurprisingly I’m now using a RAID 1 volume with 128 sectors per stripe unit and file systems with a block size of 16KB and a fragment size of 2KB. I’m not sure whether these values always result in the best possible performance but they seem to work for David Brownlee and me.
