GC, NG FW, CF Access, DS-Lite, IPv4 death

Garbage Collection

Had long discussions about what's the best method of doing garbage collection. I've written tons of garbage collection code and I usually prefer the following method:

  1. Purge expired data based on life cycle.
  2. Do tree scan from root, removing unreachable objects.

This allows step 1 to be run easily, even very often, and keeps the code for that step much simpler.

Doing step 2 separately also lets you confirm the integrity of the data in the tree structure in general.

In terms of optimization, sure, it would be more efficient to do targeted cleanup in step 1. But in most cases GC doesn't run that often. For integrity, you'll need to implement step 2 anyway at some point, or you'll risk leaving junk in the data structures because some of the step 1 cases have failed or so. This is a simple and very efficient way of getting rid of junk.

Another good question is whether phase 2 should be top down or reversed. I often use a solution where I do a root-down scan, but at each level I take the whole set of data and remove from it everything linked from the level above. This allows going down layer by layer starting from the top, without recursive traversal of the data structures, which allows much more efficient pruning. Pruning from the bottom up is of course the simplest method of all. The problem with it is that it requires multiple cleanup rounds if the link is cut at some far-away object: one scan only detects a missing direct reference, but the path to the root could be cut many references away. This is the reason why I'm not using that method for deeply linked data structures.

The layered approach is also very effective because you can push most of the required work to the SQL server instead of doing tons of small queries and processing ORM-mapped data in Python.
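The two-phase method described above, as an added example that is not code from this post. It assumes a hypothetical parent-linked tree stored in an SQLite table (`nodes` with `id`, `parent_id`, `expires_at`); step 1 purges rows by life cycle with one statement, step 2 walks the tree layer by layer from the roots using set queries on the server side rather than recursion in Python, and a bottom-up single-round pruner is included only to show why it needs several rounds when the cut is more than one link away. The sample rows are constructed.

```python
import sqlite3

# Constructed sample tree: roots have parent_id NULL; expires_at NULL
# means the row never expires. This is a stand-in for an ORM-backed table.
SCHEMA = """
CREATE TABLE nodes (
    id         INTEGER PRIMARY KEY,
    parent_id  INTEGER,   -- NULL for roots
    expires_at REAL       -- NULL = never expires
);
"""

def make_db(now: float) -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    rows = [
        # id, parent_id, expires_at
        (1, None, None),        # root
        (2, 1, None),
        (3, 2, now + 3600),     # still valid
        (4, 2, now - 1),        # expired: removed in step 1
        (5, 4, None),           # orphaned once 4 is gone (one link from the cut)
        (6, 5, None),           # two links from the cut
        (7, 99, None),          # parent never existed (dangling link)
        (8, 7, None),
    ]
    con.executemany("INSERT INTO nodes VALUES (?, ?, ?)", rows)
    con.commit()
    return con

def purge_expired(con: sqlite3.Connection, now: float) -> int:
    """Step 1: life-cycle purge, a single server-side statement."""
    cur = con.execute(
        "DELETE FROM nodes WHERE expires_at IS NOT NULL AND expires_at < ?",
        (now,))
    con.commit()
    return cur.rowcount

def prune_unreachable_top_down(con: sqlite3.Connection) -> int:
    """Step 2: layered root-down reachability, no recursion in Python.

    Each loop iteration adds exactly the next layer below everything
    reached so far; SQLite does the set arithmetic. Rows never reached
    (orphans, dangling links, detached cycles) are deleted at the end.
    """
    con.execute("CREATE TEMP TABLE reachable (id INTEGER PRIMARY KEY)")
    con.execute("INSERT INTO reachable SELECT id FROM nodes WHERE parent_id IS NULL")
    while True:
        cur = con.execute(
            "INSERT OR IGNORE INTO reachable "
            "SELECT n.id FROM nodes n JOIN reachable r ON n.parent_id = r.id "
            "WHERE n.id NOT IN (SELECT id FROM reachable)")
        if cur.rowcount == 0:       # no new layer: the tree is fully walked
            break
    cur = con.execute("DELETE FROM nodes WHERE id NOT IN (SELECT id FROM reachable)")
    con.execute("DROP TABLE reachable")
    con.commit()
    return cur.rowcount

def prune_orphans_one_round(con: sqlite3.Connection) -> int:
    """Bottom-up variant: drop rows whose parent is missing right now.

    The snapshot of existing ids is taken before deleting, so one round
    only sees orphans that are a single link away from the cut.
    """
    con.execute("CREATE TEMP TABLE present AS SELECT id FROM nodes")
    cur = con.execute(
        "DELETE FROM nodes WHERE parent_id IS NOT NULL "
        "AND parent_id NOT IN (SELECT id FROM present)")
    con.execute("DROP TABLE present")
    con.commit()
    return cur.rowcount

def bottom_up_rounds(con: sqlite3.Connection) -> list:
    """Repeat the bottom-up round until it removes nothing; return per-round counts."""
    counts = []
    while True:
        counts.append(prune_orphans_one_round(con))
        if counts[-1] == 0:
            return counts

def remaining_ids(con: sqlite3.Connection) -> list:
    return [r[0] for r in con.execute("SELECT id FROM nodes ORDER BY id")]

if __name__ == "__main__":
    now = 1_000_000.0
    con = make_db(now)
    print("purged:", purge_expired(con, now))                 # 1 (row 4)
    print("pruned top-down:", prune_unreachable_top_down(con))  # 4 (rows 5-8)
    print("remaining:", remaining_ids(con))                    # [1, 2, 3]
    con2 = make_db(now)
    purge_expired(con2, now)
    print("bottom-up rounds:", bottom_up_rounds(con2))         # [2, 2, 0]
```

With the sample, the top-down scan reaches the same end state in one pass, while the bottom-up pruner needs a second round to catch rows 6 and 8, which sit two links away from the cut, plus a final empty round to know it is done; on a deeply linked tree that number of rounds grows with the depth of the cut.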

Other entries

  • Checked out new plans for the Finnish Maritime Defense corvettes, with fully integrated weapons fire control, communications and information systems, including an ELINT suite. All the usual stuff modern military vessels should have, plus a helipad and helicopter hangar.
  • Had a long discussion with colleagues about Next-Generation Firewalls and how "great" the cheap consumer firewalls are, which often lack even basic SPI.
  • Introducing Cloudflare Access. Hmm, no. I've loved the layered security approach, which means that the corporate network can't be trusted any more than the Internet. Both should be considered compromised, all services should be authenticated and encrypted, etc. It's just a huge risk to think that devices or users in the corporate network should be trusted. The attack surface is already so huge that it's basically impossible to make the corporate network secure if it is still supposed to be used for daily operations without insanely complicating things. That's just my thoughts about this. I guess I've said this over and over again. One friend just thought that getting a cheap NAT 'router' would make your network secure. Aaheem. No. Not even Next-Generation Firewalls make the corporate network secure.
  • Encountered the first ever ISP which uses DS-Lite (IPv4 over IPv6 tunnel). Currently it feels like ISPs aren't IPv6 ready, and with many operators you'll need to use tunneling like 6to4 or 6in4, or in some good cases 6rd. But in this case the ISP offers only a native IPv6 network, and IPv4 traffic is tunneled using DS-Lite to a Carrier Grade NAT (CG-NAT / CGN / LSN) box for IPv4 connectivity. I thought it would take, ugh, a long time before we would be at this point.
  • Many ISPs in Finland already don't give you a public IPv4 address at all. If you want to access the net using IPv4 you'll have to go through their CGN, and all devices get private network addresses like 10.0.0.0/8. But that doesn't yet require using DS-Lite, because the DHCP server provides the NATed configuration automatically for end devices. For many uses this isn't a problem, but for some use cases this is of course a huge problem.

2019-05-05