Sunday, December 28, 2008

MPLS VPN

MPLS VPN solves the problem of duplicate customer address ranges in the provider's routing table. With it, a service provider can offer connectivity to several customers at once, even though each customer's sites talk to each other using private IP addresses that may overlap with another customer's.

The data plane of this solution is a bit different from plain MPLS unicast IP forwarding. The PE (provider edge) router has additional routing tables called VRFs (Virtual Routing and Forwarding instances), one per customer. The ingress PE also pushes two labels onto the packet instead of one. The outer label is what the P routers switch on to deliver the packet across the core to the egress PE; the inner label is what the egress PE uses to identify which VRF the packet belongs to.

One of the challenges in implementing a VPN is overlapping IP address space. This is solved with the RD (route distinguisher), carried by MP-BGP: the PE prepends a 64-bit RD to each 32-bit IPv4 prefix, producing a 96-bit VPNv4 prefix that is unique even when two customers advertise the same block. The RD only makes the routes distinguishable; it is the RT (route target), an extended community attached to the route, that decides which VRF imports which routes, and therefore in which VRF a given customer packet's destination is looked up.
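To make the RD/RT split concrete, here is an added example (not code from the original post) that builds the VPNv4 routes MP-BGP carries and then imports them into VRFs. Two customers both advertise 10.1.0.0/24; their RDs keep the two routes apart in the VPNv4 table, while the RTs, not the RDs, decide which VRF on the receiving PE gets which route. The ASN, RDs, RTs, labels and loopback address are made up for the example, and the RD wire encoding follows the type 0 (ASN:nn) and type 1 (IP:nn) formats.

```python
import ipaddress
import struct


def encode_rd(rd: str) -> bytes:
    """Encode an RD written as 'ASN:nn' (type 0) or 'A.B.C.D:nn' (type 1)
    into its 8-byte wire form: 2-byte type + 6-byte administrator/assigned."""
    admin, assigned = rd.rsplit(":", 1)
    if "." in admin:  # type 1: IPv4 administrator (4 bytes) + 2-byte number
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(assigned))
    return struct.pack("!HHI", 0, int(admin), int(assigned))  # type 0: 2-byte ASN + 4-byte number


def vpnv4_key(rd: str, prefix: str) -> tuple:
    """The 96-bit VPNv4 prefix MP-BGP advertises: 64-bit RD + 32-bit network,
    plus the prefix length. Identical customer prefixes stay distinct as long
    as their RDs differ."""
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + net.network_address.packed, net.prefixlen


def build_vpnv4_table(advertisements: list) -> dict:
    """Collect VPNv4 advertisements keyed by (RD + prefix, length)."""
    return {vpnv4_key(adv["rd"], adv["prefix"]): adv for adv in advertisements}


def import_into_vrfs(vpnv4_table: dict, vrfs: dict) -> dict:
    """Populate each VRF from the VPNv4 table by RT: a route lands in a VRF
    when any of its RTs matches one of that VRF's import RTs. The VRF then
    holds the plain IPv4 prefix with the BGP next hop and the VPN (inner) label."""
    result = {name: {} for name in vrfs}
    for adv in vpnv4_table.values():
        for name, import_rts in vrfs.items():
            if set(adv["rts"]) & set(import_rts):
                result[name][adv["prefix"]] = (adv["next_hop"], adv["vpn_label"])
    return result


# Constructed advertisements from a remote PE (loopback 192.0.2.2, AS 65000).
ADVERTISEMENTS = [
    {"rd": "65000:100", "prefix": "10.1.0.0/24", "rts": ["65000:100"],
     "next_hop": "192.0.2.2", "vpn_label": 24},
    {"rd": "65000:200", "prefix": "10.1.0.0/24", "rts": ["65000:200"],
     "next_hop": "192.0.2.2", "vpn_label": 25},
    # a route exported with two RTs is imported by every VRF matching either
    {"rd": "192.0.2.2:1", "prefix": "172.16.0.0/16", "rts": ["65000:100", "65000:999"],
     "next_hop": "192.0.2.2", "vpn_label": 26},
]

# VRFs on the local PE and the RTs each one imports (made up for the example).
VRFS = {"CUST_A": ["65000:100"], "CUST_B": ["65000:200"], "SHARED": ["65000:999"]}

if __name__ == "__main__":
    table = build_vpnv4_table(ADVERTISEMENTS)
    print(f"{len(ADVERTISEMENTS)} advertisements -> {len(table)} distinct VPNv4 routes")
    for vrf, routes in import_into_vrfs(table, VRFS).items():
        print(vrf, routes)
```

Note that the overlapping 10.1.0.0/24 routes never collide: they differ in the RD part of the key, and CUST_A and CUST_B each see only their own copy because the import is driven by RT. A misconfigured import RT (for example CUST_B importing 65000:100) would leak customer A's routes into customer B's VRF, which is why RT assignments deserve the same review as firewall rules.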

Thursday, December 25, 2008

MPLS Unicast IP

MPLS is a protocol that forwards packets based on a label instead of the destination IP address. There are several MPLS applications, and one of them is MPLS Unicast IP. A router running MPLS Unicast IP actually forwards a packet along the same path as a router doing plain IP routing would; the only difference is that the MPLS router forwards based on the label. So why is it important to know what MPLS Unicast IP is? Because many of the other applications, MPLS VPN included, rely on MPLS unicast IP forwarding as the foundation of the MPLS network.

MPLS has a control plane and a data plane. The data plane is the set of data structures MPLS uses while forwarding: the FIB, the LFIB and the LIB. The FIB maps an IP destination prefix to the outgoing interface (and, on the router where an unlabelled packet enters the MPLS domain, to the label to push). The LFIB maps an incoming label to the outgoing interface and outgoing label for a labelled packet. The LIB is the library the LFIB is built from: it holds every label binding learned from every neighbour, including the bindings that are not currently used for forwarding. Only the LFIB is limited to the best path, so there each label maps to a single outgoing interface.

Now, how does the LIB feed the LFIB and FIB?
In short, the MPLS routers exchange routing information with EIGRP, OSPF or another routing protocol, and exchange label bindings with a label distribution protocol (LDP). From the routing protocol the router learns the best next hop for each prefix. For each prefix it picks the best route, looks up in the LIB the label binding advertised by that next hop, and installs the pair (local incoming label, next hop's outgoing label) in the LFIB. The FIB receives the same outgoing label, so that an IP packet arriving unlabelled gets that label pushed before it is sent along the best path.
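The selection described above, as an added example that is not part of the original post: given the IGP's best route per prefix and a LIB holding bindings from every LDP neighbour, derive the one-entry-per-prefix LFIB and the label-pushing FIB. The router names, interfaces, prefixes and labels are constructed for the example. It also handles the two cases a real LSR must deal with: a next hop that has advertised the implicit-null label 3 (so the packet is popped, not swapped, as penultimate hop) and a next hop that has not sent a binding yet (so the prefix cannot be label-switched at all).

```python
import ipaddress

IMPLICIT_NULL = 3  # LDP implicit-null: pop the label instead of swapping it

# Constructed state on one LSR (all names and numbers made up for the example).
RIB = {  # best IGP route per prefix: (next-hop router, outgoing interface)
    "10.10.0.0/16": ("R2", "eth1"),
    "10.20.0.0/16": ("R3", "eth2"),
    "10.30.0.0/16": ("R3", "eth2"),
}
LIB = {  # every binding learned from every LDP neighbour, best path or not
    "10.10.0.0/16": {"R2": 17, "R3": 40},
    "10.20.0.0/16": {"R2": 18, "R3": IMPLICIT_NULL},
    "10.30.0.0/16": {"R2": 19},  # R3, the IGP next hop, has sent no binding
}
LOCAL_LABELS = {"10.10.0.0/16": 100, "10.20.0.0/16": 101, "10.30.0.0/16": 102}


def build_lfib(rib: dict, lib: dict, local_labels: dict) -> dict:
    """LFIB: for each locally assigned label, what to do with a labelled packet.
    Only the binding from the IGP next hop is used, so the LFIB ends up with
    one entry per prefix even though the LIB keeps every neighbour's binding."""
    lfib = {}
    for prefix, (next_hop, iface) in rib.items():
        out = lib.get(prefix, {}).get(next_hop)
        if out is None:
            continue  # no binding from the next hop: prefix is not label-switchable
        if out == IMPLICIT_NULL:
            lfib[local_labels[prefix]] = ("pop", iface, None)
        else:
            lfib[local_labels[prefix]] = ("swap", iface, out)
    return lfib


def build_fib(rib: dict, lib: dict) -> dict:
    """FIB: for unlabelled IP packets entering the MPLS domain at this router,
    which label (if any) to push before forwarding along the IGP best path."""
    fib = {}
    for prefix, (next_hop, iface) in rib.items():
        out = lib.get(prefix, {}).get(next_hop)
        if out is None or out == IMPLICIT_NULL:
            fib[prefix] = ("ip", iface, None)  # forward as plain IP, no label
        else:
            fib[prefix] = ("push", iface, out)
    return fib


def forward_ip(fib: dict, dst: str):
    """Longest-prefix match of a destination address against the FIB."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for prefix, entry in fib.items():
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return best[1] if best else None


if __name__ == "__main__":
    print("LFIB:", build_lfib(RIB, LIB, LOCAL_LABELS))
    print("FIB: ", build_fib(RIB, LIB))
    print("10.10.5.5 ->", forward_ip(build_fib(RIB, LIB), "10.10.5.5"))
```

The interesting row is 10.30.0.0/16: the LIB has a binding for it from R2, but R2 is not the IGP next hop, so neither the LFIB nor the FIB can use that label and the prefix is forwarded as plain IP until R3 advertises a binding. This is exactly the "label learned but not best path" case that keeps the LIB larger than the LFIB.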


Monday, October 27, 2008

How-To Change Time Zone in Linux

I was looking for how to change the time zone on my Linux box.
Fortunately, I found the website below:


Steps

  1. Logged in as root, check which time zone your machine is currently using by executing `date`. You'll see something like Mon 17 Jan 2005 12:15:08 PM PST; PST in this case is the current time zone.
  2. Change to the directory /usr/share/zoneinfo, where you will find a list of time zone regions. Choose the most appropriate region; if you live in Canada or the US this is the "America" directory.
  3. If you wish, keep the previous time zone configuration by moving it aside, for example:
    mv /etc/localtime  /etc/localtime-old 
  4. Create a symbolic link from the appropriate zone file to /etc/localtime. Example:
    ln -sf /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime 
  5. If you have the rdate utility, update the current system time by executing
    /usr/bin/rdate -s time-a.nist.gov 
  6. On Red Hat style systems, set the ZONE entry in the file /etc/sysconfig/clock (e.g. "America/Los_Angeles") so the setting survives package updates.
  7. Write the system time back to the hardware clock by executing:
    /sbin/hwclock --systohc

Friday, October 24, 2008

Line is up, Protocol is Down

I've got several questions from friends about what the status "Line is up, Protocol is Down" means. From Google, I found two websites explaining the meaning of the status, i.e.:

Basically, this status appears when one of the conditions below is met:
  • Local or remote router misconfigured (for example, mismatched encapsulation on the two ends)
  • Keepalives not being sent by the remote router
  • Leased-line or other carrier service problems, such as noisy lines or a faulty switch
  • Timing problem on the cable, possibly caused by the CSU/DSU not being set correctly
  • Failed local or remote CSU/DSU
  • Router failure

Thursday, September 25, 2008

Install Exim with DKIM and Domainkeys on DirectAdmin

Installing Exim on DirectAdmin made my day today. I had to dig through several sites in order to finish the installation, so I think it is better to document it here. I may need it again in the future, or perhaps you may need it when you have to compile Exim with DKIM and DomainKeys on CentOS. Note that the tarballs and the Makefile below are fetched over plain HTTP with no checksum or signature check; compare them against the checksums published by the upstream projects before building, since whatever you download here ends up running as your mail server.

First, compile and install the DKIM:
wget http://duncanthrax.net/exim-experimental/libdkim-1.0.16-tk.tar.gz
tar zxvf libdkim-1.0.16-tk.tar.gz
cd libdkim-1.0.16-tk
cd src
make
make install
cd ..
cp lib/libdkim.a /usr/lib
cp include/dkim.h /usr/include/
Compile and install DomainKeys (the libdomainkeys-0.69 tarball must already be in the current directory):
tar zxvf libdomainkeys-0.69.tar.gz
cd libdomainkeys-0.69
make
echo -lresolv > dns.lib
make
make install
cp *.h /usr/local/include/
cp *.a /usr/local/lib
Download Exim:
wget http://files.directadmin.com/services/all/exim/exim-4.69.tar.gz
tar xvzf exim-4.69.tar.gz
cd exim-4.69/Local
wget http://www.directadmin.com/Makefile
perl -pi -e 's/^EXTRALIBS/#EXTRALIBS/' Makefile
Edit the Makefile:
EXPERIMENTAL_DKIM=yes
CFLAGS  += -I/usr/include
LDFLAGS += -ldkim -lssl -lstdc++ -L/usr/lib
EXPERIMENTAL_DOMAINKEYS=yes
CFLAGS  += -I/usr/local/include
LDFLAGS += -ldomainkeys -L/usr/local/lib
#added April 9, 2008
HAVE_ICONV=yes
CFLAGS=-O -I/usr/local/include
EXTRALIBS_EXIM=-L/usr/local/lib -liconv
#end add
Compile and Install it:
cd ..
make
make install
Last job: replace the installed exim binary with the freshly compiled one and restart the service:
cp -f /usr/sbin/exim-4.69-12 /usr/sbin/exim
/sbin/service exim restart
That's it, you now have Exim with DKIM and DomainKeys on DirectAdmin. Keep in mind that EXPERIMENTAL_DKIM and EXPERIMENTAL_DOMAINKEYS are build options of the 4.69 series; from Exim 4.70 onwards DKIM signing and verification are built in, so these Makefile lines do not apply to newer releases.




Friday, March 7, 2008

How to determine the root port

A non-root switch picks its root port by comparing the BPDUs received on each of its ports, using the rules below in order; each later rule is only consulted when the earlier one ties.
1. Lowest root path cost (the cost advertised in the received BPDU plus the cost of the port the BPDU arrived on)
2. Lowest bridge ID of the forwarding (sending) switch
3. Lowest port priority of the sending switch's port
4. Lowest port number of the sending switch's port
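The same selection as working code, added here as an example and not part of the original post. It represents each received BPDU as a tuple ordered exactly as the four rules above, so Python's `min()` applies the tie-breakers in the right order; the local port ID is appended as a final key because that is what the standard falls back to when even the sender's port ID ties (two ports on a shared segment). The switch names, MAC addresses, costs and port numbers are made up, and the 8-bit priority / 8-bit number port ID layout is the classic 802.1D one (assumed for the example).

```python
# Constructed BPDUs as received on one non-root switch. Every value is made up.

def bridge_id(priority: int, mac: str) -> int:
    """Bridge ID compares as one 64-bit number: 16-bit priority, then 48-bit MAC."""
    return (priority << 48) | int(mac.replace(":", ""), 16)


def port_id(priority: int, number: int) -> int:
    """Port ID: priority in the high byte, port number in the low byte
    (classic 802.1D layout, assumed here)."""
    return (priority << 8) | number


def select_root_port(bpdus: list, local_ports: dict):
    """Return the name of the local port to become root port, or None.

    bpdus: dicts with 'port' (local port the BPDU arrived on), 'root_cost'
           (cost advertised by the sender), 'sender_bid', 'sender_pid'.
    local_ports: port name -> {'cost': cost of that link, 'pid': local port ID}.
    The key tuple is ordered (root path cost, sender bridge ID, sender port ID,
    local port ID), so each later element only matters when the earlier ones tie.
    """
    def key(b):
        local = local_ports[b["port"]]
        return (b["root_cost"] + local["cost"], b["sender_bid"], b["sender_pid"], local["pid"])
    return min(bpdus, key=key)["port"] if bpdus else None


# Neighbouring switches (all default priority 32768, MACs constructed).
SW_B = bridge_id(32768, "00:00:00:00:00:0b")
SW_C = bridge_id(32768, "00:00:00:00:00:0c")
SW_D = bridge_id(32768, "00:00:00:00:00:0a")  # lowest MAC, so lowest bridge ID

# All four local ports are 100 Mbit/s links with the classic cost of 19.
PORTS = {f"fa0/{n}": {"cost": 19, "pid": port_id(128, n)} for n in range(1, 5)}

BPDUS = [
    # B is one hop further from the root: 4 + 19 = 23, loses on rule 1
    {"port": "fa0/1", "root_cost": 4, "sender_bid": SW_B, "sender_pid": port_id(128, 1)},
    # C and D both advertise cost 0 (directly attached to the root): 19 each
    {"port": "fa0/2", "root_cost": 0, "sender_bid": SW_C, "sender_pid": port_id(128, 1)},
    # D has the lower bridge ID, so rule 2 prefers its ports over C's
    {"port": "fa0/3", "root_cost": 0, "sender_bid": SW_D, "sender_pid": port_id(128, 1)},
    # same sender as fa0/3; rule 3/4 prefer D's port 128.1 over 128.2
    {"port": "fa0/4", "root_cost": 0, "sender_bid": SW_D, "sender_pid": port_id(128, 2)},
]

if __name__ == "__main__":
    print("root port:", select_root_port(BPDUS, PORTS))
```

Removing candidates one at a time shows each rule taking over: without fa0/3 the root port moves to fa0/4 (same switch D, next port ID), and without both D links it moves to fa0/2, since C's cost of 19 still beats B's 23.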

Saturday, March 1, 2008

Multidimensional array in perl

I have several arrays, one per line, from reading and parsing each line of the input. Since Perl has no native multidimensional array (a "two-dimensional" array is really an array of references to arrays), I needed to find the trick to handle this.

Found the page below after digging on google:
http://www.unix.org.ua/orelly/perl/prog3/ch09_01.htm

Then I test it with simple code, as below:


#!/usr/bin/perl
# to test reading a file, split each line on whitespace, then push the
# resulting list (as an anonymous array reference) onto @lines

use strict;
use warnings;

my @lines;

# use a lexical filehandle and check that the open succeeded
open(my $fh, '<', 'testfile.txt') or die "cannot open testfile.txt: $!";
while (my $line = <$fh>) {
    chomp $line;
    push @lines, [ split ' ', $line ];   # one array ref per line
}
close $fh;

# print the 8th field (index 7) of every line; a short line prints empty
for my $ref_line (@lines) {
    print defined $ref_line->[7] ? "$ref_line->[7]\n" : "\n";
}

The result looks OK to me. Now it's the time to write the code into my project.

Monday, February 18, 2008

Apache prompt for pass-phrase on every start up

My Apache didn't start when I rebooted the machine. It was prompting for a pass-phrase while nobody was sitting in front of the machine. I'd better get rid of the pass-phrase prompt.

Found the solution as below.

How can I get rid of the pass-phrase dialog at Apache startup time?

The reason this dialog pops up at startup and every re-start is that the RSA private key inside your server.key file is stored in encrypted format for security reasons. The pass-phrase is needed to decrypt this file, so it can be read and parsed. Removing the pass-phrase removes a layer of security from your server - proceed with caution!

  1. Remove the encryption from the RSA private key (while keeping a backup copy of the original file):

    $ cp server.key server.key.org
    $ openssl rsa -in server.key.org -out server.key

  2. Make sure the server.key file is only readable by root:

    $ chmod 400 server.key

Now server.key contains an unencrypted copy of the key. If you point your server at this file, it will not prompt you for a pass-phrase. HOWEVER, if anyone gets this key they will be able to impersonate you on the net. PLEASE make sure that the permissions on this file are such that only root or the web server user can read it (preferably get your web server to start as root but run as another user, and have the key readable only by root).

As an alternative approach you can use the ``SSLPassPhraseDialog exec:/path/to/program'' facility. Bear in mind that this is neither more nor less secure, of course.


source: http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#removepassphrase

Thursday, February 14, 2008

Install Apache SSL on Ubuntu

Here are the steps for installing Apache (version 1) with SSL on Ubuntu.
  • apt-get install apache libapache-mod-ssl
  • dpkg-reconfigure libapache-mod-ssl
  • fill in all details with your details
  • cp /usr/share/doc/libapache-mod-ssl/examples/mod-ssl.conf /etc/apache/conf.d/
  • cp /usr/share/doc/libapache-mod-ssl/examples/vhost.conf.gz /etc/apache/conf.d/
  • cd /etc/apache/conf.d/
  • gzip -d vhost.conf.gz
  • edit vhost.conf and change all snakeoil references to server. ie. snakeoil-dsa.crt = server.crt
  • stop apache
  • start apache
Have fun !!!