Harald Welte's blog
   

Creative Commons License
Articles on this blog/journal are licensed under a Creative Commons Attribution-NoDerivs 2.5 License.


Sun, 31 Jul 2005
Visiting parents and friends in Nuernberg

This week I'll be visiting parents and friends in Nuernberg. I'm telling you that because this implicitly means that I'll most likely not be able to continue the pace of netfilter development like in the last couple of weeks.

It also means that I'll probably be doing some scheduled maintenance of the netfilter.org boxes (which are located in Nuernberg, too). So don't be surprised by some shortly-announced downtime. If you're curious what I'm planning: ganesha needs a RAM upgrade (512MB->1GB), and lakshmi needs an upgrade to Debian sarge. Maybe I'll also have time to work on the fail over solution, too.

I expect to read my mails daily, so there shouldn't be any delay in that.

[ /personal | permanent link ]

Sat, 30 Jul 2005
nfnetlink_log submitted

I've submitted my nfnetlink_log patches to DaveM earlier today. So what is this about? It's a replacement for ipt_LOG, ip6t_LOG, ebt_ulog, ipt_ULOG. It introduces a layer-3 (AF_xxx) independent way of logging packets via a userspace logging process.

Again, one step towards code unification. One new piece of code that replaces four existing ones (of similar size), and obsoletes the need for any other such mechanisms that might have appeared for other protocols later on.

If you want to see how to use it from your favourite userspace app, please refer to libnfnetlink_log.

[ /linux/netfilter | permanent link ]

public netfilter-2.6.14 git tree

I've made public my netfilter-2.6.14 tree (based on DaveM's net-2.6.14 tree) at http://people.netfilter.org/laforge/scm/netfilter-2.6.14.git, also available via rsync://people.netfilter.org/users/laforge/scm/netfilter-2.6.14.git

Since this is the first time I'm making a public git tree available, please contact me in case you have any problems accessing it.

I still need to find out how to produce incremental git trees like the ipw2200 project does - this way I would not have to provide a full kernel tree, but only those changes that I do in the netfilter part of it.

[ /linux/netfilter | permanent link ]

Merging the PPTP helper to net-2.6.14

After having finished my work on the nfnetlink based subsystems, I've progressed to making the PPTP helper fit for mainline inclusion in 2.6.14.

First, it needed an update towards the 2.6.13 conntrack helper API changes (now that expect's have refcounts). Second, we don't have lockhelp.h anymore, and third I want to fall-back to ip_conntrack_proto_generic in case GRE version1 (RFC1701) packets are seen. Stay tuned.

[ /linux/netfilter | permanent link ]

Fri, 29 Jul 2005
iptables-1.3.3 is released

Today I've released iptables-1.3.3. Among some minor fixes (such as for the extremely important feature to SNAT and DNAT to/from ICMP ID _ranges_), it contains one major fix for an embarrassing use-after-free problem that was only introduced with 1.3.2. What do we learn from this? I need to review patches more carefully.

It also includes the NFQUEUE target, which is basically an extension to QUEUE. QUEUE only supports one queue number (0), so there can only be one userspace process attached to it. This led to the ugly hack of ipqmpd, the IP QUEUE multiplex daemon. Combining NFQUEUE with nfnetlink_queue (which is already in DaveM's net-2.6.14 tree), you can now have 65535 different queues, each heading to a separate userspace process. This is again one step ahead towards supporting "100% userspace conntrack helpers" which are sort of a strange hybrid variant of transparent proxies.

[ /linux/netfilter | permanent link ]

Thu, 28 Jul 2005
Data Retention is No Solution

EDRi and XS4ALL have started an online petition against the recent European Commission proposal on mandatory 12 month data retention of all telecommunications meta-data.

Much like the software patent issue, we again have a situation where the European Parliament (those who are directly elected by the public) is against the proposal, while the commission and some national governments are pushing it.

With your support (and at least your signature), there are chances that this data retention directive - like the proposed software patent directive - can be turned down. Please take your time and sign, thanks.

Please also consider supporting the EDRi. They recently announced that they're short of funding.

[ /politics | permanent link ]

Tue, 26 Jul 2005
Chaosradio on Electronic Health Card

Today I'll be moderating this month's episode of Chaosradio on the upcoming German Gesundheitskarte (Electronic Health Card, EHC).

This is the latest incarnation of the ever-increasing number of large-scale IT projects in public administration. Following-up infamous examples such as TollCollect, the ALG2 software, INPOL-NEU, ELSTER, and last but not least the RFID enabled electronic Passport. And it will affect the data privacy and data protection of even more German citizens than any of the aforementioned systems!

I'm very pleased to announce Thomas Maus (ThoMaus), one of (if not the) most prominent critical experts on the EHC as a live guest in the radio studio.

This subject is actually one that I think fits best into the idea of Chaosradio: Technical, but with vast implications on society. Even more than my last "favourite" data retention, but less than the upcoming Chaosradio show on "voting machines".

From my point of view there are too many issues currently at this border between technology, politics and society that need to be addressed. Too many to just talk about geeky technological stuff that is certainly also happening and worth covering in Chaosradio.

[ /ccc | permanent link ]

Back home in Berlin

After one day for travel and sleeping-over-the-jetlag, I'm finally back on track at my home in Berlin.

I just decided to skip WTH, since it would require me to leave again in only two days (and I have another travel coming up on 1st August). So I'd rather spend the time to continue my current netfilter projects, taking care of accounting and tax declaration, etc.

Unfortunately I'm bound to using slower/older machines and my notebook, since the warranty replacement for my workstation's liquid cooling system has not yet arrived :(

[ /linux/conferences | permanent link ]

Intel releases Development manual for e1000 chips

Finally, within years, at least one hardware vendor does The Right Thing (TM): Intel releases hardware documentation about their Gigabit Ethernet Controller chips (known as 'e1000') in the Linux world. (For the curious ones: you can get it from the e1000 sourceforge page)

Even more surprising, they are doing it _despite_ providing a high-quality GPL licensed Linux driver. And by doing this, they show that they have understood that the many developers who are playing with their chip will in the end help them to perform even better, but only if they can actually read the hardware documentation.

There's a group of Linux networking developers who are constantly trying to optimize the driver and come up with new strategies on how to deal with high packet rates. And at least until now, all the big current Gigabit Ethernet chips did not come with any kind of documentation.

Broadcom tg3 and Syskonnect/Marvell Yukon2 now have a severe competitive disadvantage. Let's see whether they get the clue, and release documentation, too.

I'm not a big fan of Intel, but what they're doing with regard to Linux and their e1000 and ipw2xxx chips is really good. Thanks, Intel!

[ /linux | permanent link ]

Sat, 23 Jul 2005
RMS visits ASUS: Free Software beyond their notice ?!?

In his blog, Richard Stallman writes that he had a very unpleasant experience visiting ASUS in Taiwan.

This is outrageous, considering they are using Linux and other free software programs in their products and making business from it.

Their WL500g routers are using Linux, and did not comply with the GPL. So in 2004, I used my copyright to enforce the license. I have obtained a declaration to cease and desist from ASUS Headquarters in Taiwan, and they modified their product promptly to bring it into GPL compliance. See this news item on the netfilter.org project homepage.

Even today, ASUS seems to be using Free Software in a number of their latest devices, as I indicated in this blog entry.

[ /linux/gpl-violations | permanent link ]

Fri, 22 Jul 2005
Revamping netlink sockets

While writing on nfnetlink, ctnetlink, nfnetlink_queue and other bits of the 'new' netfilter infrastructure, I've run into a number of minor shortcomings in netlink that are surprisingly hard to overcome.

One of them is refcounting, i.e. making sure that the module implementing a particular functionality via netlink doesn't silently disappear by module unloading while sockets are still open from userspace.

I've now finished one implementation, but it might cause module refcount leaks if a kernel module implementing a netlink socket closes the socket in some other codepath but the module_exit() function.

The other problem (slightly harder) is module auto-loading. It's my position that the kernel should autoload the respective module once a userspace process opens a netlink socket. However, this can not be made obligatory, since multiple userspace processes might also just wish to communicate with themselves, with no listener/sender in the kernel at all.

[ /linux | permanent link ]

Thu, 21 Jul 2005
OLS: Wireless Kernel Configuration BOF

James Ketrenos (the ipw2xxx maintainer) was running a BOF to get input on ideas for a new wireless kernel configuration API from the Linux community.

Due to excessive coding (see in some different entry of this journal), Patrick and me came in a bit late. We tried to convince the audience that netlink was the way to go, and that the current ioctl() interface could be served by some compatibility layer that converts the ioctl's to netlink messages.

Also, I raised the requirement for integrating this config interface with a unified userspace interface for association and authentication (i.e. management frames).

Unfortunately James had to leave quite early, so we couldn't finish the discussion in a more detailed way in a smaller group.

[ /linux/conferences | permanent link ]

The IEEE and their policy on publication of standards.

The IEEE is a standardization body. Being a Linux network developer, access to their 802.x standards is sometimes quite valuable. A couple of years ago they introduced the "Get 802" program, where they would make available the 802 standards family some time after publication. This is great.

However, I recently needed a copy of the current draft of the 802.11e standard. They charge USD60 for this, which is a reasonable fee that I was willing to pay.

However, they only seem to be offering it in some proprietary DRM format. This is totally unacceptable, since it would require the purchase and installation of a proprietary operating system.

Networks (and especially the Internet) are built upon open and publicly available standards. Free and Open Source projects can only implement industry standards if they can actually access those standards. The availability of such standards is therefore an important aspect of their fast implementation and adoption.

I very much understand the requirement of standards organizations to charge reasonable fees (such as USD60 for the 802.11E draft) for purchasing copies of it.

However, after obtaining such a copy, I would like to print it or pages of it, I would like to view it on all of my computers, and I want to do so while staying offline without any authentication that (I suppose) your DRM system requires.

By putting such incredible obstacles between the developers and the standardization body, they will achieve nothing but frustration and hamper the adoption of the standards which they care about.

[ /linux | permanent link ]

OLS: netfilter hacking with Patrick

Patrick McHardy and me sat together for a number of nights, reading and discussing various current issues with the networking code. It's surprising how much fallout we get from these discussions.

Apart from tons of new code (nfnetlink, ctnetlink, nfnetlink_queue, ...) there are apparently still quite a number of interesting bugs in esp. the NAT code that have been there for 5+ years without anybody noticing them.

What comes immediately to my mind is Rusty's famous quote "When we do something wrong, the users just hit reload. Nobody will notice, you never get bug reports". Especially when the NAT or conntrack code are doing something wrong that doesn't disrupt the protocol, it's relatively difficult to find those bugs.

So what did we find? For example, that ICMP ID NAT [yes, we do support that] had a number of endianness bugs. So when you wanted it to NAT ICMP ID's to a particular range [instead of any free ID], it would use totally different numbers than the administrator or the helper plugin actually specified - but only on little endian machines.

Some other bug was more severe, since it can theoretically cause memory corruption [a stale pointer could have been used since it was accidentally added to a list of 'static' variable declarations].
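The ICMP ID range bug described above can be reproduced in a small model. This is an added example, not the netfilter code or the actual fix; the struct, the function names and the range 1000-1010 are constructed for illustration, and the little-endian CPU is simulated with explicit byte loads so the result is the same on any host.

```c
#include <stdint.h>
#include <stdio.h>

/* ID range of a NAT rule as it sits in memory: network byte order (big endian). */
struct nat_id_range {
    uint8_t min[2];
    uint8_t max[2];
};

/* Constructed sample: the administrator asked for ICMP IDs 1000..1010. */
static const struct nat_id_range SAMPLE_RANGE = { {0x03, 0xE8}, {0x03, 0xF2} };

/* Correct conversions, the equivalent of ntohs()/htons(). */
static uint16_t load_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void store_be16(uint8_t *p, uint16_t v)
{
    p[0] = (uint8_t)(v >> 8);
    p[1] = (uint8_t)(v & 0xff);
}

/* What a little-endian CPU does with a plain 16-bit load/store,
 * i.e. the effect of forgetting ntohs()/htons(). */
static uint16_t load_raw_le(const uint8_t *p) { return (uint16_t)((p[1] << 8) | p[0]); }
static void store_raw_le(uint8_t *p, uint16_t v)
{
    p[0] = (uint8_t)(v & 0xff);
    p[1] = (uint8_t)(v >> 8);
}

/* Pick an ID inside the range from a running counter; return the ID
 * exactly as a peer would read it off the wire. */
static uint16_t pick_id_fixed(const struct nat_id_range *r, uint16_t counter)
{
    uint16_t min = load_be16(r->min), max = load_be16(r->max);
    unsigned size = (uint16_t)(max - min) + 1u;   /* 1..65536, never zero */
    uint8_t wire[2];

    store_be16(wire, (uint16_t)(min + counter % size));
    return load_be16(wire);
}

/* Same arithmetic, but on the raw in-memory values of a little-endian box. */
static uint16_t pick_id_buggy_le(const struct nat_id_range *r, uint16_t counter)
{
    uint16_t min = load_raw_le(r->min), max = load_raw_le(r->max);
    unsigned size = (uint16_t)(max - min) + 1u;
    uint8_t wire[2];

    store_raw_le(wire, (uint16_t)(min + counter % size));
    return load_be16(wire);                        /* the peer still reads big endian */
}

typedef uint16_t (*picker_fn)(const struct nat_id_range *, uint16_t);

/* How many of the first n counter values yield an on-wire ID in [lo, hi]? */
static unsigned count_in_range(picker_fn pick, const struct nat_id_range *r,
                               unsigned n, uint16_t lo, uint16_t hi)
{
    unsigned hits = 0;
    for (unsigned c = 0; c < n; c++) {
        uint16_t id = pick(r, (uint16_t)c);
        if (id >= lo && id <= hi)
            hits++;
    }
    return hits;
}

int main(void)
{
    printf("counter 7, with byte swaps:    id %u\n",
           (unsigned)pick_id_fixed(&SAMPLE_RANGE, 7));
    printf("counter 7, without byte swaps: id %u\n",
           (unsigned)pick_id_buggy_le(&SAMPLE_RANGE, 7));
    printf("in range 1000..1010 over 11 picks: fixed %u, buggy %u\n",
           count_in_range(pick_id_fixed, &SAMPLE_RANGE, 11, 1000, 1010),
           count_in_range(pick_id_buggy_le, &SAMPLE_RANGE, 11, 1000, 1010));
    return 0;
}
```

Traffic still flows with the wrong IDs, which is why a bug of this kind can go unreported for years; a check that compares the translated ID on the wire against the configured range catches it.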

[ /linux | permanent link ]

Wed, 20 Jul 2005
Lots of netfilter hacking over the last couple of days

Following-up meeting the other networking hackers at netconf, I got really extremely motivated and basically spent every single minute hacking code.

The projects include:

  • skb shrinkage (already merged in DaveM's net-2.6.14 tree)
  • nfnetlink (already merged in DaveM's net-2.6.14 tree)
  • conntrack event notifiers (already merged in DaveM's net-2.6.14 tree)
  • ctnetlink (reworked to use network byte order in all the payload)
  • nfnetlink_queue (a nfnetlink-based queue implementation)
  • vdev (a virtual device that allows you to use multiple mac addresses on one Ethernet device)
  • mmio_test (include support for machine-parseable reporting)

[ /linux/netfilter | permanent link ]

OLS Day 1

I didn't actually visit any of the talks, but instead read some of the papers in the written proceedings, hacking lots of code and talking to various people.

I've also managed to convince GregKH that support for async URB submission from userspace needs CONFIG_BROKEN. libusb doesn't use it anyway, and the number of users of this interface is limited. Unfortunately one of my customers is one of the users, so I might be forced to implement a cleaner interface for the same purpose.

[ /linux/conferences | permanent link ]

Fri, 15 Jul 2005
First day of netconf

The first day of netconf went quite fine, but we basically lost quite some amount of time waiting. First waiting for free tables at breakfast, then waiting for the bloated enrollment procedures of the Security Guards at the Ericsson venue...

Added with technical issues with the 800x600-only projector and the amount of time spent travelling from the hotel to the venue, we lost a lot of time and therefore actually didn't have the time to fit all talks into their respective slot, but only 60%.

The most cool work I've seen at this first day is Thomas Graf's work on a unified Linux kernel networking configuration and statistics tool...

[ /linux/conferences | permanent link ]

Wed, 13 Jul 2005
Heading off to netconf in Montreal

Later today I'll be heading off towards Montreal for netconf 2005. I'm really looking forward to that event and the interesting discussions with my fellow Linux networking developers.

I'm actually meeting Patrick McHardy in Paris, as we'll be on the same transatlantic flight. I hope we can get some of the pending netfilter/iptables issues discussed meanwhile ;)

After netconf, most of us are heading to Ottawa for Kernel Summit and OLS. I've turned down the invitation to the kernel summit, since usually there is nothing on the agenda that even remotely touches the packet filter or even the core network stack, so I'd rather make space for somebody else.

I'm supposed to have network connectivity almost all the time, so I don't expect big delays in email responses.

[ /linux/conferences | permanent link ]

Tue, 12 Jul 2005
Almost all vendors of console servers GPL incompliant

According to this German article (by Dr. Dirk Wetter), out of seven tested console servers (all Linux-based) of various vendors, only two even mentioned that GPL licensed software was used in the product. The majority of the devices did neither mention the GPL, nor make any source code offer.

The vendors have been contacted by the author of the article, and almost all promised to make their devices GPL compliant in the future. It has yet to be seen whether they actually fulfill that promise. I will ask each of them for a copy of the full corresponding source code, since the offer implicitly has to exist [the devices didn't ship with the source code, so 3a GPL is no longer possible].

It's really disappointing to see this happen again and again. Everybody seems to not care at all about the copyright of the code involved.

[ /linux/gpl-violations | permanent link ]

Mon, 11 Jul 2005
ASUS has a whole line of new gpl violating devices

Apparently, the AAM6020VI, AAM6020BI, AAM6030VI and AAM5030BI devices all contain Linux (including netfilter/iptables) -based firmware images, but no source code is made available.

None of the devices is sold here in Germany, so I can't go after ASUS Germany.

[ /linux/gpl-violations | permanent link ]

Fri, 08 Jul 2005
Estampie - Marco Polo (Live DVD)

Estampie is definitely one of my very favourite music bands ever. For the majority of my readers: They do serious medieval music. "serious" meaning they are doing this at the level of profession that you expect from classical musicians. Estampie is doing this for some 20 years, and they're not to be confused with the Spielmannsmusik that you recently find at any of the tourist-laden medieval festival.

At one of those dates when I was travelling to yet-another Free Software related conference, they played a programme called Marco Polo - Music of the Silk Route. Basically they tried to go beyond European medieval music and build bridges to other musical traditions of the same time, such as Khorasan Dotar music from Iran, traditional Mongolian music and some Indian Percussion.

They recently released a Live recording DVD from that project, and I am totally in love with the blend of music they have created. What they have created is "real" world music to me.

And there is more to come. As Michael Popp (the leader of the ensemble) points out in the interview section, "Marco Polo" was just the beginning of a trilogy. I'll definitely make sure that my travel schedule will adjust to the dates of the second and third part of the trilogy. There's no way I'll miss them.

[ /personal | permanent link ]

Thu, 07 Jul 2005
(Non-)Internet at LSM/RMLL

Did I ever mention that having reliable and fast Internet access is the single most important factor for me (and other busy developers, especially those who are self-employed or run their own company) when visiting a conference or other event?

When visiting a conference, I basically have to leave all my work behind for a number of days. I can only do that if I at least respond once per day to customer emails, and deal with the most important things that pile up in the incoming queue of business-related email and faxes.

So at LSM the first issue with the network was authentication. You were required to enter your login name and password that you used to register for the conference [several months ago]. For those people who don't reuse the same password for multiple sites again and again, and who don't have monster brains, this means that the password is not something they will remember off their head. In my case that password is securely stored in an encrypted keyring on my nfs server at home.

Obviously it wouldn't be a problem to bring that password to the event, if somebody actually had cared to spread the information that it would be required at the event.

After some discussion with multiple people, a new account was created for me. It was supposed to work within 15 minutes, but it didn't.

Even better, the wireless network was shut off at 6pm. Jeez. They don't get it. When at a conference, I need to use the nights in order to cover up for the lost working time during the day. If there is no Internet access in the evening or during the day, I'm unable to do so.

On Thursday it was even better: The wireless network was shut off at 12 noon. Somebody told me that this was to motivate the incentive for people to go to a speech by the mayor of Dijon. This speech would no doubt be very interesting - if only I understood a single word of French. So the best thing the foreign visitors (among them a number of speakers) could have done during that time was to catch up with their email and work - if only there was network access.

So as a matter of fact, I've now spent the longest period offline (four working days) for years. I can only imagine how upset some of my customers will be. Thanks, LSM.

This will be my last post about this horrible event. I only wish I had taken the first train back after running into the problems finding an accommodation on Tuesday.

[ /linux/conferences | permanent link ]

Libre Supper at LSM/RMLL

The problems with this conference continue.

The social event libre supper costs real money, and about the only thing you get for it is a nice venue. It was held in the city hall.

The buffet was not set up in the middle of the hall, but in some separate room next to it. So the bottleneck was not the buffet itself, but the door between the hall and the buffet-room. This further prolonged the queue lining up unnecessarily.

So at the time I ended up at the buffet, there weren't even any glasses left - meaning that I had to "enjoy" my dinner without wine or water. Obviously everyone would line up for a second and probably third helping. People like me who refuse to line up for half an hour and only enqueue when the queue is shorter don't actually get any of the dessert.

I've probably never wasted my money and time more efficiently.

[ /linux/conferences | permanent link ]

Wed, 06 Jul 2005
Chaotic Organization at LSM/RMLL

After my voluntary 6-hour stopover in Paris, I finally arrived in Dijon at something like 7pm.

During the train ride there, I wanted to read the instructions on how to get onto the campus. I've received an email regarding that subject some time ago, but I didn't yet read it, since I have all my email synchronized to (an encrypted partition on) my notebook. Sadly it turned out that this email didn't contain any instructions but just a link. Obviously the link is useless unless you have online access. Ok, I can't blame the LSM/RMLL for not having read the email before - but it's also been the first time in all of the conferences I visit that such vital instructions haven't been sent by mail.

Luckily I ran into some LSM/RMLL attendees in downtown Bordeaux who told me how to find the campus.

At the campus, I found dozens of LSM/RMLL signs pointing in contradictory directions - and nobody there.

So I called the only other person at LSM/RMLL of whom I had the cell phone number: Werner Koch, one of the other speakers. He was lost, too :( So I made the only reasonable decision: Get back to the city centre and look for a hotel room. Obviously, the tourist information was long closed. So I walked from one hotel to the other. The first two were fully booked. At the instance of entering the third hotel, Werner called again.

Luckily he ran into some other attendees (not organizer!) who managed to talk one of the (obviously non-English speaking) officials at the student dormitories into accepting the two of us for one night.

Obviously I didn't have the breakfast vouchers at the time of breakfast (since registration opens only after breakfast is finished, and it's a 15-minute walk to the restaurant). So I end up at the conference venue without breakfast.

I think this is the way you _not_ want to organize a conference. I don't think there was any other event (even the previous LSM in Bordeaux I've been to) which had equally non-existent speaker care. At most events, you get picked up from the airport / railway station, brought to your accommodation, and at the hotel reception you receive printed instructions, such as a map of the campus, instructions on when to be where, and (most importantly) some contact phone numbers in case you get lost or have any other problems in a country whose language you don't speak.

At my presentation (as the presentation of David Turner, FSF GPL Compliance Lab Engineer) were about 10-15 people in the audience. So I'm actually leaving an ever-growing pile of work behind in my office, choose to not do any paid work for three days, paying for the accommodation myself (travel is covered), going through all the hassle of the travel as described above, to talk in front of that small an audience. I guess this really was my last LSM.

And yes, I could continue this rant now about the wireless network, which requires you to log in with the account data you used to register for the conference. That data is securely stored on my hard drive at home. Why would I bring such data with me, if nobody tells me upfront that I would need it? *sigh*

[ /linux/conferences | permanent link ]

Tue, 05 Jul 2005
Picking up pre-paid SNCF tickets in France

If you want to do an online purchase of a SNCF (French national railway) ticket, the only option you get is: Pre-pay the ticket via credit card in their online store, and later pick up the ticket at some vending machine at the railway station.

So this is what I did for my Paris->Dijon travel. So I went to the first vending machine at the CDG Airport in Paris. For authorization you are required to enter the booking code, your name and the credit card you used to do the online purchase. The first machine was broken, since it wasn't able to read the magnetic stripe on my credit card. The second machine already had a sign attached that it is malfunctioning and cannot be used for pickup of pre-paid tickets. All the other machines were out of service.

Then I went to the next machine and tried to buy a public transport ticket from CDG airport to Gare de Lyon. The fare is 8 EUR and according to the signs on the machine, you can pay cash (in coins, which I never have), by French debit cards (which I obviously don't have) or by VISA card. Unfortunately it refused to accept my perfectly valid VISA card. So I had to line up at the long queue in front of the ticket counters.

At Gare de Lyon, I tried again to pick up my train ticket to Dijon. Most of the machines would again have problems reading the magnetic stripe on the VISA cards, and the others could read it, but would just tell me: Cancelled, please retry at a different machine.

So I again had to line up for the extremely long queue in front of the ticket counters, wait in addition for the only English-speaking cashier to become available. I told her my story, and she said: Yes, it only works with French VISA cards.

I was outraged. The online shop for buying tickets is fully translated to English and German (among others). You can buy the ticket using a non-French VISA card, and the amount is charged to your credit card account at that time. The translated instructions tell you to pick up your ticket at the machines, and nowhere it was stated that you have to queue up in front of a counter with non-French VISA cards.

The sole purpose of reading the credit card at the ticket machine is to provide a third authentication factor ('is this person really the person who booked the ticket'). There is no technical reason for restricting this to credit cards of a particular issuing country.

I'm planning to write some letters about this, since this is actually against fair competition regulations. If I want to receive the same service and not wait for half an hour for every train ticket I buy than everybody else, I have to open an account with a French bank.

[ /personal | permanent link ]

Mon, 04 Jul 2005
Heading off to LSM/RMLL

I'm heading off towards LSM/RMLL (Libre Software Meeting) in Dijon (France) tomorrow.

I'm looking forward to this event, especially since I'm going to meet David Turner, the new head of the FSF's GPL compliance lab. We've got a lot to talk about with regard to cooperation/coordination between the gpl enforcement efforts of the FSF and gpl-violations.org.

Travelling will take me en route to Paris, so I'll spend a couple of hours stopover in the city to visit some of its famous cemeteries. With some luck the weather will be ok for photography...

For those who are curious: I'll be back to Berlin by Friday evening.

[ /linux/conferences | permanent link ]

pptp-conntrack-nat for 2.6.11 and 2.6.12.x ready

I've finished the port of pptp-conntrack-nat to the new 'rustynat' infrastructure of the 2.6.11 (and 2.6.12.x) kernels.

The frequent reader of this blog will have noticed my prior post. Despite being just a minor kernel release, the conntrack/nat core got some recent re-work which made porting of non-trivial helpers quite complex.

I've tested plain conntrack and SNAT/MASQUERADE so far. DNAT remains untested for now, but should work. It's not as common so I deferred testing and potential debugging - esp. since I'm going to be travelling again by tomorrow.

Thanks again to the cool guys from NetBoxBlue for funding this work. That made it a lot easier to put this in the top section of my TODO list.

[ /linux/netfilter | permanent link ]

Sat, 02 Jul 2005
Liquid cooling system of my workstation massively corroded

Only three months after putting in place the Alphacool liquid cooling system for my dual Opteron workstation, it has already corroded severely.

I don't really understand why, since I only used a readily-packaged set as offered by the vendor, and I only used original anti-corrosion liquid from the same vendor.

Spent multiple hours getting rid of all the crystals in the system, dismantling the CPU coolers, etc.

I hope the vendor replaces some of the parts for free and comes up with a good solution to prevent this in the future. I don't want to give up my silent office anymore. (btw: I didn't tell you about my new managed VLAN-capable fan-less 16port gigE switch, did I?).

[ /personal | permanent link ]

Heather J. Meeker spreads false claims about gpl-violations.org.

In an article on linuxinsider.com, Heather J. Meeker of Greenberg Traurig LLP (don't miss the background info at FFII Wiki) makes false claims about the gpl-violations project and myself.

I've pointed out her mistakes in the following letter:

Dear Ms. Meeker,

it has come to my attention that you have authored an article entitled "Open Source and the Legend of Linksys", published at linuxinsider.com, in which you make false statements in order to discredit the gpl-violations.org project and myself.

There is nothing wrong with press articles and commentaries about the GPL, the gpl-violations.org project or myself, no matter how critical they are - as long as they are based on facts. Spreading lies is however not acceptable to me.

The most obviously wrong statement is "But, it so happened, that AOpen was actually compliant, having offered the source code on a German Web site, as Welte later noted in his blog. Never mind.".

The truth is: AOpen Germany offered the _object_ code of the GPL licensed software on their German FTP-server, without complying with the GPL license terms. My blog clearly states "Firmware" (which is by definition object code, not source code). This means that in fact they are even legally responsible, since they distributed GPL licensed software without adhering to the license conditions.

Two other quotes from your article: "The problem is that Welte apparently does not hold the copyright to the code that is the subject of these letters."

"Some of Welte's targets have complied voluntarily, but one suspects that is because they were simply unaware of the problem. Welte apparently has no authority to enforce these copyrights."

This is again wrong. I have never enforced any copyright that I don't own. What has happened is that some other Linux kernel developers have transferred their copyright to me, so I can take action in cases where my own copyright is not involved. [which by the way is also a good indication that gpl-violations.org is not some lone lunatic but backed by the development community].

Obviously I reserve the right to inform any organization about illegal copyright infringement they might be committing, even if I'm not the copyright holder. This must not be confused with legal GPL enforcement by an actual copyright holder through in or out-of-court legal action.

Specifically, regarding the "CeBIT letter action", I could have started legal proceedings in all those cases. In fact, my legal team and I were planning to personally hand over a preliminary injunction at one of the CeBIT booths. Rather than doing so, I thought I could save the respective infringing companies the trouble of legal charges and legal expenses by first writing them an informal letter.

At this point in time, I do not know the legal situation of such easily-to-be-proven false statements in the US. In Germany we have laws that force the press to publish "correction statements" written by the person or entity that was the subject of those false statements. I will consult my legal advice about this matter.

I would like to ask you to clarify those issues. Since it is an on-line article, it should be possible to amend it. If that is not possible, I'm sure there is some other way to let the readers know about those two "mistakes" in the article.

Sincerely, Harald Welte

I've posted some additional comments in the talkback section of the article. They have yet to be approved by the publisher.

[ /linux/gpl-violations | permanent link ]

Fri, 01 Jul 2005
WPA, Linux, wpa_supplicant, DWL-7000AP, freeradius

It's amazing how long it can take to set up a small "reasonably-secure" WPA wireless network.

I thought it would be pretty straight-forward. Just configure the AP to EAP, tell it the radius secret, apt-get install freeradius, distribute some X.509 certificates and start wpa_supplicant on the client machines.

In principle, that's it. However, practical issues I ran into:

  • The AP crashes every so often
  • The AP needs to reboot after every single config change (no chance to do multiple changes and then reboot)
  • The AP needs some 5 minutes to reboot
  • The AP refuses to use certain totally valid IP addresses, be it via DHCP or statically configured in the web frontend
  • The Debian freeradius package on AMD64 misses EAP support due to a libtool problem (missing -fPIC), known since January.
  • The Debian freeradius package doesn't ship with EAP-TLS, since the EAP-TLS code is GPL licensed but links to openssl.
  • wpa_supplicant doesn't work with the PowerBook built-in Airport (orinoco_cs) card

So I wasted the better part of a day to overcome the issues above, but I'm still not happy. My PowerBook now needs an Atheros Cardbus card, even though it has a built-in card. DHCP randomly fails for unknown reasons (I see the valid DHCP replies go into the AP, but it fails to pass them on).
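For reference, the client and RADIUS side of the setup outlined above (AP in EAP mode, a RADIUS shared secret, X.509 certificates, wpa_supplicant on the clients) could look like the following. This is an added example, not configuration from the original post: the SSID, identity, file paths, IP address and secrets are constructed placeholders.

```conf
# ---- /etc/wpa_supplicant.conf on a client machine (constructed example) ----
ctrl_interface=/var/run/wpa_supplicant

network={
    ssid="example-wlan"                  # placeholder SSID
    key_mgmt=WPA-EAP                     # 802.1X/EAP authentication, no pre-shared key
    eap=TLS                              # certificate-based mutual authentication
    identity="laptop1.example.org"       # placeholder; sent as the EAP identity
    # CA that signed the RADIUS server certificate. Without ca_cert the
    # client does not verify which server it is authenticating to.
    ca_cert="/etc/cert/ca.pem"
    client_cert="/etc/cert/laptop1.pem"  # this machine's X.509 certificate
    private_key="/etc/cert/laptop1.key"
    private_key_passwd="CHANGE-ME"       # placeholder passphrase
}

# ---- freeradius clients.conf entry for the access point ----
# FreeRADIUS 1.x-style stanza keyed by the AP's address; newer releases
# name the client and set the address with "ipaddr = ...".
# The secret must match the RADIUS secret entered in the AP's web frontend.
client 192.0.2.10 {
    secret    = CHANGE-ME-long-random-secret
    shortname = ap1
}
```

The private key and this file should be readable by root only, since the key passphrase is stored in clear text.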

[ /linux | permanent link ]