<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-14928049</id><updated>2012-02-02T21:30:02.465-08:00</updated><category term='Hard Disk'/><category term='nVidia VS Intel'/><category term='Curious'/><category term='Microsoft'/><category term='Internet'/><category term='Apple Mac'/><category term='nVidia'/><category term='Gadget'/><category term='Seagate'/><category term='Intel VS AMD'/><category term='VIA'/><category term='Server'/><category term='Processor'/><category term='Tutorial'/><category term='Windows'/><category term='Transmeta'/><category term='DPR setan'/><category term='Blame on me'/><category term='Games'/><category term='AMD-ATI'/><category term='Mouse'/><category term='Politik'/><category term='PC Hardware'/><category term='Tablet PC'/><category term='Networking'/><category term='Kasus'/><category term='Software'/><category term='AMD'/><category term='Hacking'/><category term='Virtualization'/><category term='Motherboard'/><category term='Intel'/><category term='News'/><category term='VGA Driver'/><category term='OS'/><category term='Windows 7'/><title type='text'>IT LIFE</title><subtitle type='html'>for my life, for my love, for IT worlds, for star trek, for AMD!!!</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' 
href='http://www.blogger.com/feeds/14928049/posts/default?start-index=101&amp;max-results=100'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>107</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-14928049.post-8957138675713900190</id><published>2010-03-09T19:09:00.000-08:00</published><updated>2010-03-09T19:11:31.345-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Windows 7'/><category scheme='http://www.blogger.com/atom/ns#' term='Windows'/><title type='text'>Windows 7 SP1 Release Pushed to Q4'10</title><content type='html'>&lt;span class="Apple-style-span" style="color: rgb(60, 59, 59); line-height: 18px; "&gt;&lt;span style="font-style: normal; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;b&gt;Waiting for SP1 before jumping to Windows 7? 
It could still happen this year.&lt;/b&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="color: rgb(60, 59, 59); line-height: 18px; "&gt;&lt;span style="font-style: normal; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;img src="http://media.bestofmicro.com/windows-7-sp1,U-N-229199-1.png" /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="color: rgb(60, 59, 59); line-height: 18px; "&gt;&lt;span style="font-style: normal; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, Tahoma, 'Nimbus Sans L', arial, sans-serif; font-size: 11px; color: rgb(60, 59, 59); line-height: 18px; "&gt;&lt;span style="font-style: normal; "&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Now that Windows 7 has settled in inside consumer homes after the considerable marketing push from retail, attention is turning to Microsoft's next step in development – the first Service Pack.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Just to be extra safe, many IT professionals prefer to wait until at least the first Service Pack for a Windows version before implementing a new version of the OS into their departments. 
The reason is that the first massive wave of users will already have hit the OS to clear out any possible bugs and compatibility issues.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;According to TechARP's sources, Microsoft initially planned a 22-month development period for Windows 7 SP1 but is now looking to bump that up to a release sometime within 2010.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;We've heard from various other sources that the updated target for SP1 is sometime this summer or fall, but TechARP's sources point to the last (presumably calendar) quarter of 2010. 
Such a release would put Windows 7's first service pack on a similar RTM-to-SP1 schedule that Windows XP and Windows Vista had.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;While Microsoft hasn't detailed exactly what SP1 will bring, many expect it just to be a massive collection of the incremental patches and updates that are already presently available from Windows Update.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-8957138675713900190?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/8957138675713900190/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=8957138675713900190' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/8957138675713900190'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/8957138675713900190'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2010/03/windows-7-sp1-release-pushed-to-q410.html' title='Windows 7 SP1 Release Pushed to Q4&apos;10'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' 
src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-4170710828407146866</id><published>2010-03-02T22:21:00.000-08:00</published><updated>2010-03-09T22:26:29.621-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PC Hardware'/><category scheme='http://www.blogger.com/atom/ns#' term='Motherboard'/><category scheme='http://www.blogger.com/atom/ns#' term='AMD'/><title type='text'>AMD 890GX Unveiled: Three Motherboards Compared</title><content type='html'>&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;AMD’s chipsets have long provided great features for the money, especially compared to high-end platforms like X48 and X58 from its chief rival, Intel. Everything between the mid-priced (still high-end) 790FX to its more commonplace integrated-graphics products can be attractive, depending on your usage model.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;The entire range provides expanded PCIe 2.0 pathways for multi-card configurations, and its integrated-graphics parts actually deliver reasonable 3D performance and an option for multi-monitor support. If you love building productivity-oriented machines at an affordable price or need the ultimate in configurability, AMD might be your best choice. 
After all, we've yet to be bowled over by Intel's CPU efforts between $100 and $200, while AMD continues to offer a number of compelling quad-core models.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;img src="http://media.bestofmicro.com/9/X/240117/original/890GX_Block_Diagram.jpg" /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, Tahoma, 'Nimbus Sans L', arial, sans-serif; font-size: 11px; color: rgb(55, 55, 55); line-height: 16px; "&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.5em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 18px; color: rgb(60, 59, 59); "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Today’s launch focuses on two components, the 890GX northbridge with its revised Radeon HD 4290 graphics engine and the SB850 southbridge. 
Upgrades include DX10.1 graphics, SATA 6Gb/s, two additional USB 2.0 ports, and integrated gigabit networking.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.5em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 18px; color: rgb(60, 59, 59); "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;But our emphasis here is on a trio of motherboards emerging alongside the new core logic from Asus, Gigabyte, and MSI. Note that you'll see USB 3.0 support in the pages to come. However, the 890GX platform does not natively support USB 3.0; rather, it's added via an on-board controller.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.5em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 18px; color: rgb(60, 59, 59); "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.5em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 18px; color: rgb(60, 59, 59); "&gt;&lt;br /&gt;&lt;/p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-4170710828407146866?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/4170710828407146866/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=4170710828407146866' title='0 Comments'/><link rel='edit' 
type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/4170710828407146866'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/4170710828407146866'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2010/03/amd-890gx-unveiled-three-motherboards.html' title='AMD 890GX Unveiled: Three Motherboards Compared'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-2859904298080357189</id><published>2010-03-02T22:18:00.000-08:00</published><updated>2010-03-09T22:20:02.151-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PC Hardware'/><category scheme='http://www.blogger.com/atom/ns#' term='Motherboard'/><category scheme='http://www.blogger.com/atom/ns#' term='AMD'/><title type='text'>AMD Launches 6 Core CPU-ready 890GX Mobo</title><content type='html'>&lt;span class="Apple-style-span" style="font-family: Verdana, Tahoma, 'Nimbus Sans L', arial, sans-serif; color: rgb(60, 59, 59); line-height: 18px; "&gt;&lt;strong style="font-style: normal; font-weight: bold; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;This board is prepped for the hexacore AMD Phenom II X6.&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, Tahoma, 'Nimbus Sans L', arial, sans-serif; font-size: 11px; color: rgb(60, 59, 59); line-height: 18px; "&gt;&lt;strong style="font-style: normal; font-weight: bold; "&gt;&lt;br /&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, Tahoma, 'Nimbus Sans L', arial, sans-serif; 
font-size: 11px; color: rgb(60, 59, 59); line-height: 18px; "&gt;&lt;strong style="font-style: normal; font-weight: bold; "&gt;&lt;img src="http://media.bestofmicro.com/AMD-890GX-SB850,A-E-240134-13.jpg" /&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, Tahoma, 'Nimbus Sans L', arial, sans-serif; font-size: 11px; color: rgb(60, 59, 59); line-height: 18px; "&gt;&lt;strong style="font-style: normal; font-weight: bold; "&gt;&lt;br /&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, Tahoma, 'Nimbus Sans L', arial, sans-serif; font-size: 11px; color: rgb(60, 59, 59); line-height: 18px; "&gt;&lt;strong style="font-style: normal; font-weight: bold; "&gt;&lt;br /&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, Tahoma, 'Nimbus Sans L', arial, sans-serif; font-size: 11px; color: rgb(60, 59, 59); line-height: 18px; "&gt;&lt;strong style="font-style: normal; font-weight: bold; "&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;AMD and its motherboard partners today released the AMD 890GX Chipset, integrated with the ATI Radeon HD 4290, and are designed to be compatible with the upcoming AMD Phenom II X6 six-core processor.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" 
style="font-weight: normal;"&gt;The AMD 890GX Chipset supports the SATA 3.0 6Gb/s hard drive interface and many AMD 890GX-based motherboards feature SuperSpeed USB 3.0 support.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;We've got our hands on the Gigabyte GA-890GPA-UD3H, the Asus M4A89GTD Pro/USB3, and the MSI 890GXM-G65. After putting them through a barrage of tests, our reviews department found that AMD’s SB850 southbridge is probably the best reason to select an 890GX motherboard over the products it replaces thanks to the new integrated SATA 6Gb/s controller.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-2859904298080357189?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/2859904298080357189/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=2859904298080357189' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/2859904298080357189'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/2859904298080357189'/><link rel='alternate' type='text/html' 
href='http://tommyndut.blogspot.com/2010/03/amd-launches-6-core-cpu-ready-890gx.html' title='AMD Launches 6 Core CPU-ready 890GX Mobo'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-5288134289117398440</id><published>2010-03-02T02:23:00.000-08:00</published><updated>2010-03-10T02:27:11.336-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Windows 7'/><category scheme='http://www.blogger.com/atom/ns#' term='Hacking'/><title type='text'>Hack Expert Says Windows 7 is Hard to Hack</title><content type='html'>&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;b&gt;Windows 7 is harder to hack than Apple's Snow Leopard--mainly due to Flash being installed by default on SL.&lt;/b&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Security expert Charlie Miller has participated in the Pwn2Own contest over the last two years, and has won both times. Held in the CansecWest Conference in Vancouver, British Columbia, Canada, the contest challenges contestants to find "big bugs" in web browsers, operating systems, and even in mobile devices. 
With the 2010 conference just around the corner (March 24), oneITsecurity conducted an interview with the champ and asked Miller which was harder to crack: Windows 7 or Snow Leopard?&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;"Windows 7 is slightly more difficult because it has full ASLR (address space layout randomization) and a smaller attack surface (for example, no Java or Flash by default)," he said. "Windows used to be much harder because it had full ASLR and DEP (data execution prevention). But recently, a talk at Black Hat DC showed how to get around these protections in a browser in Windows."&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;He also added that a safe browsing combination would be to use Chrome or Internet Explorer 8 on Windows 7, however he said that there isn't enough difference between the two browsers to "get worked up about." 
But he did emphasize that Flash should not be installed no matter what browser or OS is used by the consumer.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;The interview also covered exploits on game consoles. As the interviewer points out, the devices are in our living rooms, in our dens and offices, yet there are still few exploits and vulnerabilities discovered. Why aren't security researchers working on finding exploits on these devices? Because there are more PCs, and game consoles don't need to be connected to the Internet.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;"I’ve had Wii for a year or so and it’s never been on the Internet," Miller said. "It’s hard to remotely attack the box when you can’t get packets to it :) Also, computers, and phones to a lesser extent, are designed to be customized, to download and use/render content from the Internet. This is where vulnerabilities exist and exploits are created. Game consoles don’t do this as much so the attack surface is much smaller. The final reason, is it is hard to do research on them. 
It’s not easy to get a debugger running on an Xbox, for example."&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-5288134289117398440?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/5288134289117398440/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=5288134289117398440' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/5288134289117398440'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/5288134289117398440'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2010/03/hack-expert-says-windows-7-is-hard-to.html' title='Hack Expert Says Windows 7 is Hard to Hack'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-6500108499582147126</id><published>2010-03-02T02:19:00.000-08:00</published><updated>2010-03-10T02:23:09.747-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PC Hardware'/><category scheme='http://www.blogger.com/atom/ns#' term='Windows 7'/><category scheme='http://www.blogger.com/atom/ns#' term='Tablet PC'/><title type='text'>Windows 7 Tablet Gets CPU Upgrade</title><content type='html'>&lt;span class="Apple-style-span" style="font-family: Verdana, Tahoma, 'Nimbus Sans L', arial, sans-serif; font-size: 11px; color: rgb(55, 55, 55); line-height: 16px; "&gt;&lt;p 
style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.5em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 18px; color: rgb(60, 59, 59); "&gt;&lt;b&gt;&lt;/b&gt;&lt;/p&gt;&lt;b&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.5em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;b&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Archos is sporting a meatier Archos 9 tablet at ceBIT 2010.&lt;/span&gt;&lt;/b&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, Tahoma, 'Nimbus Sans L', arial, sans-serif; "&gt;&lt;b&gt;&lt;img src="http://media.bestofmicro.com/,C-J-240211-3.jpg" alt="Archos 9 PC Tablet" /&gt;&lt;/b&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.5em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "&gt;&lt;span class="Apple-style-span" style="font-weight: normal; "&gt;&lt;b&gt;&lt;/b&gt;&lt;/span&gt;&lt;/p&gt;&lt;b&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.5em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; display: inline !important; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Jkkmobile, currently attending CeBIT 2010, is reporting that Archos is showcasing an upgraded version of its PC tablet, the Archos 9. 
The hardware revision could be a sign that Archos plans to duke it out with Apple and its upcoming tablet, the iPad.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;/b&gt;&lt;/b&gt;&lt;/span&gt;&lt;b&gt;&lt;p&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.5em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "&gt;&lt;span class="Apple-style-span" style="font-weight: normal; "&gt;&lt;b&gt;&lt;/b&gt;&lt;/span&gt;&lt;/p&gt;&lt;b&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.5em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; display: inline !important; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Packed with Windows 7 Starter Edition, an 8.9-inch LED backlit, resistive touchscreen, 1GB of RAM and 60GB of HDD storage, the current version poses as a handy tool around the house for a meaty $550 USD. Consumers can play 1080p videos on its 16:9 screen, have video chats with its built-in webcam, and even access websites utilizing Adobe's Flash platform. 
It's definitely a sexy little machine.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;/b&gt;&lt;p&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.5em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "&gt;&lt;span class="Apple-style-span" style="font-weight: normal; "&gt;&lt;b&gt;&lt;/b&gt;&lt;/span&gt;&lt;/p&gt;&lt;b&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.5em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; display: inline !important; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;However the version on display at CeBIT 2010 offers a faster CPU. The current model sports the Intel Atom Z510 clocking at 1.1 GHz, whereas the upgrade model's CPU is clocked at 1.2 GHz. There was also mention of a faster GPU (the current model uses the Intel Poulsbo US15W), a faster bus, and hyper-threading. The site also said that the hard drive size still remains the same at 1.8-inches... 
no surprise there.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;/b&gt;&lt;p&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.5em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "&gt;&lt;span class="Apple-style-span" style="font-weight: normal; "&gt;&lt;b&gt;&lt;/b&gt;&lt;/span&gt;&lt;/p&gt;&lt;b&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.5em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; display: inline !important; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;The rest of the specs apparently are unchanged: a 1024 x 600 native resolution, USB 2.0 ports, Realtek ALC269 audio and more. Future upgrades may bring a capacitive multitouch display and an optional 3G module.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;/b&gt;&lt;p&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.5em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; "&gt;&lt;span class="Apple-style-span" style="font-weight: normal; "&gt;&lt;b&gt;&lt;/b&gt;&lt;/span&gt;&lt;/p&gt;&lt;b&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.5em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; display: inline !important; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;The revamped Archos 9 should pose as an excellent rival to Apple's iPad when it eventually hits the market. 
Hopefully the price will be reasonable.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;/b&gt;&lt;p&gt;&lt;/p&gt;&lt;/b&gt;&lt;p&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-6500108499582147126?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/6500108499582147126/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=6500108499582147126' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/6500108499582147126'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/6500108499582147126'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2010/03/windows-7-tablet-gets-cpu-upgrade.html' title='Windows 7 Tablet Gets CPU Upgrade'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-4625050053728444331</id><published>2010-02-23T17:34:00.000-08:00</published><updated>2010-02-23T17:36:20.036-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PC Hardware'/><category scheme='http://www.blogger.com/atom/ns#' term='Seagate'/><category scheme='http://www.blogger.com/atom/ns#' term='Hard Disk'/><title type='text'>Seagate Introduces 2TB 6Gb/s Enterprise Hard Drive</title><content type='html'>&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;img 
src="http://hothardware.com/newsimages/Item12257/seagate110.jpg" alt="Seagate Introduces 2TB 6Gb/s Enterprise Hard Drive" /&gt; Seagate has just introduced a new hard drive that hits not one, but two sweet spots: it's 2TB in size, and it supports the new 6Gb/s interface. It's also an Enterprise drive, which means that it's extremely reliable and useful for always-on or server-based applications. &lt;/span&gt;&lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;The industry's first 2TB 6Gb/s SAS Enterprise Drive is now shipping, with the Constellation ES offering a 7200RPM spindle rate, PowerChoice optimized power and cooling technology, and a government-grade security option. There's no clear mention of how expensive this will be, but if the 2TB version is just too high, there will also be a 500GB, 1TB and 2TB option available.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;img src="http://hothardware.com/newsimages/Item12257/seagatehdd.jpg" /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;The fourth-generation, 3.5-inch 
Seagate® Constellation™ ES drive family for 7200-RPM enterprise environments enables cost-effective, highly efficient storage with capacities of 500GB, 1TB and 2TB. Supporting up to 76TB per square foot, it offers best-in-class reliability, leading 6Gb/s SAS or SATA 3Gb/s performance, PowerChoice™ optimized power and cooling technology, and a government-grade security option – all backed by Seagate.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;“Nearline is the fastest growing segment in enterprise storage and Seagate is committed to meeting the market demands of its OEM and system integrator partners in this space,” said Carla Kennedy, vice president, Seagate Enterprise Product Line Management. “Seagate’s leadership in technology development, volume manufacturing and supply chain execution has resulted in an exemplary next-generation nearline solution. 
The Constellation™ ES drive tackles the concerns of shrinking IT budgets, floor space constraints and energy consumption, efficiently and cost-effectively.”&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-4625050053728444331?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/4625050053728444331/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=4625050053728444331' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/4625050053728444331'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/4625050053728444331'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2010/02/seagate-introduces-2tb-6gbs-enterprise.html' title='Seagate Introduces 2TB 6Gb/s Enterprise Hard Drive'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-617475654429037959</id><published>2010-02-23T17:28:00.000-08:00</published><updated>2010-02-23T17:30:20.206-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Mouse'/><category scheme='http://www.blogger.com/atom/ns#' term='Gadget'/><title type='text'>R.A.T. 
9 mouse long on features, Michael Bay-good looks</title><content type='html'>&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;At CES we met with SteelSeries, and the company stressed that the gaming gear it creates isn't ostentatious; there aren't many glowing logos or crazy designs. Mad Catz seems to have gone the other way with the R.A.T. series of mice, and you would be forgiven if you thought you were gaming with Megatron's left testicle.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Even though the design is pure Michael Bay, it's remarkably comfortable in your hand, as all the places where skin meets mouse are smooth and comfortable. Even better, you can adjust the size, the weight, and the thumb rest. You can add a rest for your pinky finger on some models if you want. The chassis is made of metal, so you can go ahead and slam it on your desk after a bad match... 
the desk may break, but the mouse should be fine.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;img src="http://static.arstechnica.com/Gaming/rat9-ces.png" /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;My favorite feature? Under your thumb you'll find a button that lowers the DPI settings on the mouse, making it more precise when you press down. "It's a sniper button!" I exclaimed. The company rep smiled and nodded. &lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;The basic model will run $49.99, but the R.A.T. 9 will cost a dizzying $129.99. That gets you all the bells and whistles, plus wireless capabilities, an extra battery with a charging station that also holds any of the weights you're not using in the mouse, and a horizontal metal scroll wheel you can hit with your thumb. 
An allen wrench allows you to adjust nearly every aspect of the experience.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;We'll be looking at the SteelSeries gear very soon, but the Mad Catz R.A.T. line is impressive, and very desirable if you can never seem to find a mouse that works well with your hands, or you just love to be able to tweak and adjust your gear. The line will begin shipping this spring.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-617475654429037959?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/617475654429037959/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=617475654429037959' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/617475654429037959'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/617475654429037959'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2010/02/rat-9-mouse-long-on-features-michael.html' title='R.A.T. 
9 mouse long on features, Michael Bay-good looks'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-7394449347288085842</id><published>2010-02-22T23:44:00.000-08:00</published><updated>2010-02-22T23:57:13.887-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Server'/><category scheme='http://www.blogger.com/atom/ns#' term='Virtualization'/><title type='text'>Guide to Virtualization</title><content type='html'>&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;b&gt;From buzz to reality&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;In 2003, Intel announced that it was working on a technology called "Vanderpool" that was aimed at providing hardware-level support for something called "virtualization." With that announcement, the decades-old concept of virtualization had officially arrived on the technology press radar. In spite of its long history in computing, however, as a new buzzword, "virtualization" at first smelled ominously similar to terms like "trusted computing" and "convergence." 
In other words, many folks had a vague notion of what virtualization was, and from what they could tell it sounded like a decent enough idea, but you got the impression that nobody outside of a few vendors and CIO types was really too excited.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Fast-forward to 2008, and virtualization has gone from a solution in search of a problem, to an explosive market with an array of real implementations on offer, to a word that's often mentioned in the same sentence with terms like "shakeout" and "consolidation." But whatever the state of "virtualization" as a buzzword, virtualization as a technology is definitely here to stay.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Virtualization implementations are so widespread that some are even popular in the consumer market, and some (the really popular ones) even involve gaming. Anyone who uses an emulator like MAME uses virtualization, as does anyone who uses either the Xbox 360 or the Playstation 3. 
From the server closet to the living room, virtualization is subtly, but radically, changing the relationship between software applications and hardware.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;In the present article I'll take a close look at virtualization—what it is, what it does, and how it does what it does.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;b&gt;Abstraction, and the big shifts in computing&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Most of the biggest tectonic shifts in computing have been fundamentally about remixing the relationship between hardware and software by inserting a new abstraction layer in between programmers and the processor. The first of these shifts was the instruction set architecture (ISA) revolution, which was kicked off by IBM's invention of the microcode engine. 
By putting a stable interface—the programming model and the instruction set—in between the programmer and the hardware, IBM and its imitators were able to cut down on software development costs by letting programmers reuse binary code from previous generations of a product, an idea that was novel at the time.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Another major shift in computing came with the introduction of the reduced instruction set computing (RISC) concept, a concept that put compilers and high-level languages in between programmers and the ISA, leading to better performance.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Virtualization is the latest in this progression of moving software further away from hardware, and this time, the benefits have less to do with reducing development costs and increasing raw performance than they do with reducing infrastructure costs by allowing software to take better advantage of existing hardware.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Right now, there are two different technologies being pushed by vendors under the name of "virtualization": OS virtualization, and application virtualization. 
This article will cover only OS virtualization, but application virtualization is definitely important and deserves its own article.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;b&gt;The hardware/software stack&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Figure 1 below shows a typical hardware/software stack. In a typical stack, the operating system runs directly on top of the hardware, while application software runs on top of the operating system. The operating system, then, is accustomed to having exclusive, privileged control of the underlying hardware, hardware that it exposes selectively to applications. To use client/server terminology, the operating system is a server that provides its client applications with access to a multitude of hardware and software services, while hiding from those clients the complexity of the underlying hardware/software stack.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;img src="http://media.arstechnica.com/guides/other/virtualization-guide-1.media/os-stack.gif" /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Because of its special, intermediary position in the hardware/software stack, two of the operating system's most important jobs are isolating the various running applications from one another so that they don't overwrite each 
other's data, and arbitrating among the applications for the use of shared resources (memory, storage, networking, etc.). In order to carry out these isolation and arbitration duties, the OS must have free and uninterrupted rein to manage every corner of the machine as it sees fit... or, rather, it must think that it has such exclusive latitude. There are a number of situations (described below) where it's helpful to limit the OS's access to the underlying hardware, and that's where virtualization comes in.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;div&gt;&lt;b&gt;&lt;span class="Apple-style-span"  style="font-size:large;"&gt;Virtualization basics&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The basic idea behind virtualization is to slip a relatively thin layer of software, called a virtual machine monitor (VMM) directly underneath the OS, and then to let this new software layer run multiple copies of the OS, or multiple different OSes, or both. There are two main ways that this is accomplished: 1) by running a VMM on top of a host OS, and letting it host multiple virtual machines, or 2) by wedging the VMM between the hardware and the guest OSes, in which case the VMM is called a hypervisor. Let's look at the second, hypervisor-based method, first.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;The hypervisor&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In a virtualized system like the one shown in Figure 2, each operating system that runs on top of the hypervisor is typically called a guest operating system. These guest operating systems don't "know" that they're running on top of another software layer. 
Each one believes that it has the kind of exclusive and privileged access to the hardware that it needs in order to carry out its isolation and arbitration duties. Much of the challenge of virtualization on an x86 platform lies in maintaining this illusion of supreme privilege for each guest OS. The x86 ISA is particularly uncooperative in this regard, which is why Intel's virtualization technology (VT-x, formerly known as Vanderpool) is so important. But more on VT-x later.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;img src="http://media.arstechnica.com/guides/other/virtualization-guide-1.media/os-virt-1.gif" /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;In order to create the illusion that each OS has exclusive access to the hardware, the hypervisor (also called the virtual machine monitor, or VMM) presents to each guest OS a software-created image or simulation of an idealized computer—processor, peripherals, the works. These software-created images are called virtual machines (VMs), and the VM is what the OS runs on top of and interacts with.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In the end, the virtualized software stack is arranged as follows: at the lowest level, the hypervisor runs multiple VMs; each VM hosts an OS; and each OS runs multiple applications. 
So the hypervisor swaps virtual machines on and off of the actual system hardware, in a very low-granularity form of time sharing.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I'll go into much more technical detail on exactly how the hypervisor does its thing in a bit, but now that we've got the basics out of the way let's move the discussion back out to the practical level for a moment.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;The host/guest model&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Another, very popular method for implementing virtualization is to run virtual machines as part of a user-level process on a regular OS. This model is depicted in Figure 3, where an application like VMware runs on top of a host OS, just like any other user-level app, but it contains a VMM that hosts one or more virtual machines. Each of these VMs, in turn, hosts a guest operating system.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;img src="http://media.arstechnica.com/guides/other/virtualization-guide-1.media/vmm-stack.gif" /&gt;As you might imagine, this virtualization method is typically slower than the hypervisor-based approach, since there's much more software sitting between the guest OS and the actual hardware. But virtualization packages that are based on this approach are relatively painless to deploy, since you can install them and run them like any other application, without requiring a reboot.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;b&gt;Why virtualization?&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Virtualization is finding a growing number of uses, in both the enterprise and the home. 
Here are a few places where you'll see virtualization at work.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;Server consolidation&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;A common enterprise use of virtualization is server consolidation. Server consolidation involves the use of virtualization to replace multiple real but underutilized machines with multiple virtual machines running on a single system. This practice of taking multiple underutilized servers offline and consolidating all of them onto a single server machine with virtualization saves on space, power, cooling, and maintenance costs.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;Live migration for load balancing and fault tolerance&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Load balancing and fault tolerance are closely related enterprise uses of virtualization. Both of these uses involve a technique called live migration, in which an entire virtual machine that's running an OS and application stack is seamlessly moved from one physical server to another, all without any apparent interruption in the OS/application stack's execution. So a server farm can load-balance by moving a VM from an over-utilized system to an under-utilized system; and if the hardware in a particular server starts to fail, then that server's VMs can be live migrated to other servers on the network and the original server shut down for maintenance, all without a service interruption.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;Performance isolation and security&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Sometimes, multi-user OSes don't do a good enough job of isolating users from one another; this is especially true when a user or program is a resource hog or is actively hostile, as is the case with an intruder or a virus. 
By implementing a more robust and coarse-grained form of hardware sharing that swaps entire OS/application stacks on and off the hardware, a VMM can more effectively isolate users and applications from one another for both performance and security reasons.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Note that security is more than an enterprise use of virtualization. Both the Xbox 360 and the Playstation 3 use virtual machines to limit the kinds of software that can be run on the console hardware and to control users' access to protected content.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;Software development and legacy system support&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;For individual users, virtualization provides a number of work- and entertainment-related benefits. On the work side, software developers make extensive use of virtualization to write and debug programs. A program with a bug that crashes an entire OS can be a huge pain to debug if you have to reboot every time you run it; with virtualization, you can do your test runs in a virtual machine and just reboot the VM whenever it goes down.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Developers also use virtualization to write programs for one OS or ISA on another. So a Windows user who wants to write software for Linux using Windows-based development tools can easily do test runs by running Linux in a VM on the Windows machine.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;A popular entertainment use for virtualization is the emulation of obsolete hardware, especially older game consoles. 
Users of popular game system emulators like MAME can enjoy games written for hardware that's no longer in production.&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;b&gt;Types of virtualization&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;For virtualization to work, the VMM must give each guest OS the illusion of exclusive access to the following parts of the machine:&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;CPU&lt;/div&gt;&lt;div&gt;Main memory&lt;/div&gt;&lt;div&gt;Mass Storage (typically a hard disk)&lt;/div&gt;&lt;div&gt;I/O (typically a network interface)&lt;/div&gt;&lt;div&gt;Virtualization software accomplishes this bit of magic by virtualizing each of the four components to some degree or another. In other words, the software presents a carefully crafted and controlled model of the whole computer—called a virtual machine—to each guest OS. This virtual machine consists of the four main parts listed above, with each part being abstracted from the actual hardware to a greater or lesser degree, depending on the needs of the guest OS and the capabilities of the hardware.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Depending on certain features of the hardware and guest operating system, each of these four parts can be easier or harder to virtualize. 
Problems with virtualizing one or more of the four components listed above have resulted in the development of three primary types of virtualization, each of which is distinguished by the manner in which the VMM interposes itself in between the hardware and the guest OS:&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Emulation (including binary translation)&lt;/div&gt;&lt;div&gt;Classical virtualization&lt;/div&gt;&lt;div&gt;Paravirtualization&lt;/div&gt;&lt;div&gt;Except for this list's omission of OS virtualization, which I won't cover here, it superficially resembles the standard list of virtualization types that you'll see in most articles on the topic. In this article, however, these categories work in a slightly different, but hopefully more useful, manner than is common. (For those who are already familiar with some virtualization terminology, you'll notice that I've opted for the more strictly defined "classical virtualization" category instead of the "full virtualization" category. This was done for reasons that will become clear later.)&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;Emulation&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Emulation is the flavor of virtualization that places the largest amount of software in between the hardware and the guest OS, and because of that, it can also be the slowest of the three types. With emulation, the VMM presents to each guest OS a software-based model of the entire computer, including the microprocessor. All of the instructions in the instruction streams of both the guest OS and application programs must first pass through the VMM before being passed on to the processor, often so that they can be translated into the processor's native ISA and executed.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Even the parts of the OS that interface with the I/O and mass storage hardware (i.e. 
the drivers) must also pass through the virtual machine, with the result that no part of the OS really touches the hardware directly without going through the VMM first.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Because of all of the software that sits between the guest OS and the hardware, emulation can reduce OS and application performance by orders of magnitude versus native execution. This is certainly the case for virtualized systems where the processor has an ISA that's different from that for which the OS was written (e.g., the version of VirtualPC that ran x86-based Windows on the PowerPC-based Mac platform). However, some modern binary-translation-based approaches, like VMware's products where both the guest and host operating systems have the same ISA, boast speeds approaching native execution for certain kinds of workloads. (This is because VMware's binary translation kernel only emulates the small fraction of x86 instructions that present problems for virtualization, while passing the rest directly on to the hardware. But more on this in Part II.)&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;Classical virtualization&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;When a guest OS and host processor share the same ISA, and when that ISA is amenable to the trap-and-emulate technique (more on this term in Part II), the VMM can forgo the costly binary translation step and pass the OS and application instruction streams directly on to the processor. The result is that each guest OS and its attendant applications run faster than they would under emulation, but not quite as fast as they would if the OS had exclusive control of the hardware.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;With classical virtualization, the processor traps instructions that might accidentally clue the OS in to the fact that there's something odd and unexpected going on behind its back. 
These problem instructions have to be emulated by the VMM, so that the VMM can keep the guest OS in the dark about what's going on.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;We'll talk more about these problem instructions and how the VMM handles them in Part II.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;Paravirtualization&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Because classical virtualization requires that the VMM trap and emulate a handful of common problem instructions, guest OSes and their applications can sometimes run more slowly than they do when running natively. A technique called paravirtualization remedies this problem by modifying the guest OS so that these instructions don't pose a problem. With a cooperative guest OS that has been properly modified, the VMM can trust the OS to run with less oversight—and less costly overhead.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The main drawback to paravirtualization is that the OS must be modified in order to support the technique. These modifications are typically minimal, but they require access to the OS source code. For this reason, Linux is the most popular paravirtualized OS.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Though I don't often link to Wikipedia, this table provides an excellent overview of virtualization packages and techniques on different platforms. At this point in the article, you should be well equipped to understand most of what you'll find there, so go check it out before proceeding with Part II.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Ultimately, there are a number of factors that play into a decision of which type of virtualization is best for a given implementation. 
The nature of the hardware and of the guest OS may rule out one or more of the three options, and for hardware/OS combinations where multiple options are possible, performance, stability, or ease of remote management may be among the deciding factors.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In an ideal world, binary translation and paravirtualization wouldn't be necessary, and full virtualization would enable a VMM to run guest OSes at near-native speeds. Historically, the main barrier to making this happen on commodity hardware has been the presence of certain problems in the x86 ISA, problems that Intel has fixed with VT-x but that are nonetheless worth taking a look at in order to understand how virtualization is actually implemented in hardware and software.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;b&gt;Privilege levels, rings, and fooling the guest OS&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In the previous installment of the Virtualization Guide, I talked in general ways about the exclusive hardware access privileges that the OS reserves for itself. Now it's time to nuance that picture a bit, so you can see exactly how the OS retains the upper hand over applications and users. This brief installment sets the stage for Part III, which will talk in some detail about Intel VT.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;A microprocessor does more than just blindly run whatever instructions are loaded into its front end, without regard for where those instructions came from. 
Microprocessors are in fact "aware" of the OS, and they provide direct hardware support for enforcing divisions between components of the hardware/software stack that I described in the previous article.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In order to keep applications from usurping any part of the OS's privileged access to system hardware, processors provide a mechanism that allows different programs to run at different privilege levels. These privilege levels are called rings, and they're arranged in a hierarchy that starts with Ring 0 (the lowest, most trusted level) and extends upwards through one or more progressively less-trusted Rings (e.g., Ring 1, Ring 2, and so on).&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;img src="http://media.arstechnica.com/guides/other/virtualization-guide-2.media/os-stack-rings.gif" /&gt;On any given processor, Ring 0 is the most privileged level, and any software that runs in Ring 0 is running in the most privileged state that the hardware supports. Such trusted software has complete command of the processor and of the rest of the system, which is why Ring 0 is typically reserved exclusively for the OS. Rings 1 and higher are less privileged, and they're home to less sensitive parts of the OS and to user-level application software.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Many processors have only two rings, Ring 0 for the OS and Ring 1 for all the other software in the stack. The x86 ISA, in contrast, has four rings (Rings 0 through 3), presumably because x86's designers thought more was better. But it turns out that all operating systems (with the exception of the erstwhile OS/2) use only two of x86's privilege levels: Ring 0 for the OS and Ring 3 for everything else. 
Rings 1 and 2 go completely unused.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Because programs running in the higher rings have restrictions on what parts of the system they can touch, it's harder for these de-privileged programs to do any real damage to the system, like crash it, or overwrite another user's data either through accident or malice. Conversely, an accidental or malicious error in a Ring 0 program (typically the OS kernel) often has catastrophic consequences for the entire software stack. The general rule is that programs are vulnerable to interference from programs that are running in the same ring or in a lower ring, but not in a higher ring. This rule means that the program at the very lowest ring is untouchable, while the programs in the higher rings are at the mercy of programs running below them.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The introduction of a hypervisor into this ring structure complicates the software stack picture to a greater or lesser degree, depending on the nature of the hardware's ISA and the exact type of virtualization being used. Specifically, the hypervisor must be the most privileged program in the stack that it hosts, which means that it must run in a lower ring than the guest OS. Clearly, this means that the guest OS must be de-privileged by being booted out of Ring 0 and forced to run in a higher ring. 
Most of the challenge of virtualization lies in keeping the guest OS in the dark about the fact that it's no longer running in Ring 0, and "classical" virtualization solutions meet this challenge with two tricks: trap-and-emulate, and shadow structures.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;b&gt;&lt;span class="Apple-style-span"  style="font-size:large;"&gt;Trap and emulate&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Whenever a program attempts to execute an instruction for which it lacks sufficient privileges (i.e., it needs to be in a lower ring to execute that instruction), the attempted instruction fails and (ideally) triggers a special alert called a fault.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;A hypervisor takes advantage of faults to implement virtualization by running the OS in a higher ring and then listening for it to trigger a fault. When the OS executes an instruction for which it needs the Ring 0 privileges to which it's accustomed, the resulting instruction fault alerts the hypervisor. The hypervisor then steps in and takes control of the processor (or, it traps the fault), so that it can emulate the execution of that instruction. 
By trapping instructions that fault because they require Ring 0 privileges, and then running those instructions in emulation in order to produce the expected result for the guest OS, the hypervisor can keep the OS from detecting that it's running in a Ring other than zero.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The number of instructions in an ISA that must be trapped and emulated by the virtual machine may be very small, but all it takes is one to make the trap-and-emulate technique absolutely necessary.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;Shadow structures&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;You might think of trap-and-emulate as the more passive of the two methods that the hypervisor has of fooling a guest OS. It's passive in the sense that the hypervisor waits on the guest OS to do something that it normally should be able to do but can't, before kicking into action with its deception. But virtualization involves a more active form of deception as well: the constant presentation of certain artificial stage props to the guest OS, props that enable the OS to serve its own running applications without catching wind of the fact that it doesn't have exclusive access to the hardware.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;As part of its isolation and arbitration duties, an OS must maintain and constantly reference a number of special-purpose, hardware-based data structures. Some of these structures, which we'll call primary structures, are special-purpose registers on the CPU, while others are tables that are stored in memory. 
Because a normal microprocessor only supports one copy of each of these primary structures, the hypervisor must have a way to let all the guest OSes share that one copy.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The solution is for the virtual machine to show each guest OS its own private copy of each primary structure. These private, VM-specific copies are called shadow structures, and the hypervisor uses these shadow structures in conjunction with their corresponding primary structures to keep guest OSes from interfering with one another.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;Privileged state&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Trap-and-emulate and shadow structures work together to keep the OS from figuring out that it's not running in Ring 0 and that it's actually sharing the hardware with more than one operating system. Behind both of these techniques is the necessity that the hypervisor, instead of the OS, have exclusive write access to privileged state. Now, let's unpack this phrase, because the concept that it conveys is critical to understanding how virtualization works.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;"State" is a term that programmers use to refer to the small but essential collection of variable values and tables, held both on the processor and in main memory, that make up any program's "short-term memory." A better way to define a program's state would be to say that state encompasses all of the information you would need to save somewhere if you were going to stop a running program, and then restart it later at the same point in its execution.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Privileged state, then, is private data that the OS needs about currently running applications, data such as which pages of memory they've been allocated and what flags they've set on the processor. 
This privileged state should only be altered by the most trusted program in the system, and this typically means the OS. However, when a hypervisor takes over the OS's management of privileged state, then the hypervisor has to monitor and manage the OS's access to this data—data that the guest OS still needs in order to do its job. So the hypervisor must provide each guest OS some sort of access to privileged state, but no guest OS must be allowed to alter—or write to—privileged state without the hypervisor's intervention. In many cases, guest OSes may get read access to privileged state, but write access is always forbidden.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;When it comes to controlling write access to privileged state, the hardware's ISA can be either a huge help or a huge hindrance. The x86 ISA is the latter, a fact that makes virtualization on x86 hardware especially challenging.&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;b&gt;Classical virtualization vs. x86-based virtualization&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The trap-and-emulate technique that I've described above is an essential part of what's often called "classical virtualization." Classical virtualization is so called in order to distinguish it from the kind of virtualization that has been done on x86 systems prior to the recent introduction of Intel's VT-x technology. For reasons I'll discuss in the next installment, the trap-and-emulate technique just doesn't work on the x86 ISA, a fact that means that all virtualization on x86 hardware (pre-VT, of course) is either binary translation or paravirtualization. 
Even a software package like VMware, which most articles on virtualization place in the "full virtualization" category, still uses binary translation (BT) to control the OS's access to the CPU.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Why would a virtualization solution use binary translation—a technology typically reserved for translating between two separate ISAs—to run an x86-based OS on x86 processor hardware? The answer is that x86 unfortunately allows non-faulting write access to privileged state. In other words, the execution of some x86 instructions can have the side-effect of altering privileged state without triggering a fault that would alert a hypervisor to the fact that it needs to intervene and emulate the instruction. This feature of x86 makes classical, trap-and-emulate-based virtualization impossible to implement on x86 hardware prior to the introduction of VT-x.&lt;/div&gt;&lt;/div&gt;&lt;/span&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/7394449347288085842/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=7394449347288085842' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/7394449347288085842'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/7394449347288085842'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2010/02/guide-to-virtualization.html' title='Guide to Virtualization'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-1930159041752957461</id><published>2010-02-22T07:24:00.000-08:00</published><updated>2010-02-22T07:40:01.429-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Server'/><category scheme='http://www.blogger.com/atom/ns#' term='PC Hardware'/><category scheme='http://www.blogger.com/atom/ns#' term='Virtualization'/><title type='text'>Guide to I/O Virtualization</title><content type='html'>&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(51, 51, 51); line-height: 17px; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Virtualization is a key enabling technology for the modern datacenter. Without virtualization, tricks like load balancing and multitenancy wouldn't be available from datacenters that use commodity x86 hardware to supply the on-demand compute cycles and networked storage that powers the current generation of cloud-based Web applications.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"   style="color: rgb(51, 51, 51);  line-height: 17px;  font-family:Arial, Helvetica, sans-serif;font-size:13px;"&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Even though it has been used pervasively in datacenters for the past few years, virtualization isn't standing still. 
Rather, the technology is still evolving, and with the launch of I/O virtualization support from Intel and AMD it's poised to reach new levels of performance and flexibility. Our past virtualization coverage looked at the basics of &lt;/span&gt;&lt;/span&gt;&lt;a href="http://arstechnica.com/hardware/news/2008/08/virtualization-guide-1.ars" style="color: rgb(255, 91, 0); text-decoration: none; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;what virtualization is&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;, and &lt;/span&gt;&lt;/span&gt;&lt;a href="http://arstechnica.com/hardware/news/2008/12/virtualization-guide-2.ars/" style="color: rgb(255, 91, 0); text-decoration: none; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;how processors are virtualized&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;. 
The current installment will take a close look at how I/O virtualization is used to boost the performance of individual servers by better virtualizing parts of the machine besides the CPU.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Part 1 described &lt;/span&gt;&lt;/span&gt;&lt;a href="http://arstechnica.com/hardware/news/2008/08/virtualization-guide-1.ars/3" style="color: rgb(255, 91, 0); text-decoration: none; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;three ways&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt; in which a component might &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;be virtualized (emulation, "classic" virtualization, and paravirtualization), and Part 2 described in more detail how each of these methods was used in CPU virtualization. 
But the CPU is not the only part of a computer that can use these techniques; although hardware devices are quite different from a CPU, similar approaches are equally useful.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;h3&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;I/O basics: the case of PCI and PCIe&lt;/span&gt;&lt;/span&gt;&lt;/h3&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Before looking at how I/O devices are virtualized, it's important to know in broad terms how they work. These days most PC hardware is, from an electronic and software perspective, PCI or &lt;/span&gt;&lt;/span&gt;&lt;a href="http://arstechnica.com/old/content/2004/07/pcie.ars" style="color: rgb(255, 91, 0); text-decoration: none; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;PCI Express&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt; (PCIe); although many devices (disk controllers, integrated graphics, on-board networking) are not physically PCI or PCIe—they don't plug into a slot on the motherboard—the way in which they are &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;detected, identified, and communicated with is still via PCI or PCIe.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;In PCI, each 
device is identified by a bus number, a device number, and a device function. A given computer might have several PCI buses which might be linked (one bus used to extend another bus, joined through a PCI bridge) or independent (several buses all attached to the CPU), or some combination of the two. Generally, large high-end machines with lots of I/O expansion have more complicated PCI topologies than smaller or cheaper systems. Each device on a bus is assigned a device number by the PCI controller, and each device exposes one or more numbered functions. For example, many graphics cards offer integrated sound hardware for use with HDMI; typically the graphics capability will be function zero, the sound will be function 1. Only one device can use the bus at any given moment, which is why high-end machines often have multiple independent buses—this allows &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;multiple devices to be active simultaneously.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;PCIe operates similarly. PCIe is a point-to-point architecture rather than a bus architecture; rather than all devices (and all hardware slots) on the same bus being electrically connected, in PCIe there are no connections between devices. Instead, each device is connected solely to the controller. Each connection between device and controller is regarded as its own bus; devices are still assigned numbers, but because there can only be one device on each "bus," this number will always be zero. 
This approach &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;allows software to treat PCIe as if it were PCI, allowing for easier migration from PCI to PCIe. This point-to-point topology alleviates the bus contention problem in PCI—since there is no bus sharing, there are fewer restrictions on concurrent device activity.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Actual data transfer to and from the device can use three mechanisms—system memory, x86 I/O ports, and PCI configuration space. x86 I/O ports are there to provide legacy compatibility, and PCI configuration space is used primarily for configuration. The main way that the OS communicates with PCIe devices is through system memory; this is the only mechanism that allows for large, general-purpose transfers. (With&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt; I/O ports, reads and writes are limited to 32 bits, and the CPU must take action after every single read or write, making communication slow and processor-intensive. And PCI configuration space is limited to 256 bytes, &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;and used only for device configuration.) Each device is assigned a block of system memory to which it can read and write directly ("DMA," direct memory access). 
For I/O devices requiring bulk transfers—disk controllers, network adaptors, video cards—this is the primary communication mechanism, as each of these devices performs regular large transfers.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;When software wants to tell a PCI device to do something, the host delivers a command to the bus. Each device inspects the command, and acts on it if necessary. When the device wants to tell the CPU to do something—either because it has completed a command, or received some data—it interrupts the CPU, which in turn executes the device driver. PCI interrupts are generally delivered using 4 physical interrupt connections. These connections are shared between all devices on the same bus, so the device driver must then examine the interrupt to ensure it is handled properly. PCIe interrupts do not use physical hardware; instead, a message is sent to the device driver by writing to the block of memory assigned to the device—PCIe uses the same system for interrupts as it does for data transfer. 
This avoids the need to share interrupt lines, by enabling interrupts to be directed specifically and solely to the device that needs them.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;/p&gt;&lt;h3&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Virtualizing PCI and PCIe&lt;/span&gt;&lt;/span&gt;&lt;/h3&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;So, how do these things get virtualized? The first approach is emulation. Just as CPU emulation requires an entire virtual CPU to be run "in software," the same is true of device emulation. Generally, the approach taken is for the virtualization software to emulate well-known real-world devices. All the PCI infrastructure—device enumeration and identification, interrupts, DMA—is replicated in software. These software models respond to the same commands, and do the same thing as their hardware counterparts. The guest OS will write to its virtualized device memory (whether it be system memory, x86 I/O, or PCI configuration space), and trigger interrupts, and the VMM software will respond as if it were real hardware. Even this interrupt signalling uses emulation; one of the emulated devices is an interrupt controller.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;This "response" generally means making an equivalent call to the host OS. 
So, for example, to write some data to disk, the guest OS will use its driver to write that to the disk controller's device memory, which sits inside a device model—a kind of virtual controller—along with the PCI configuration space and a virtual version of the controller chip. Then, using an interrupt sent via the VM's virtual interrupt controller, the guest OS commands the VMM's virtual disk controller to write that to a particular location on the disk. In turn, the VMM's disk controller will tell the host OS to write the data to a particular spot in a file (or, when used with so-called raw disks, to a particular spot on disk). The host OS then does the same thing as the guest OS—it copies the data to the disk controller's device memory via its driver and signals an interrupt.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;img src="http://4.bp.blogspot.com/_wjSazwqws3I/S4Kh_kMp4KI/AAAAAAAAAbw/OwQYJPpfIjA/s320/emulated-device1.png" /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;In the diagram above, you can see that there's an entire virtual device and a virtual interrupt controller in the VM, and then another pair of these in the VMM. That's two layers of emulation before you get to the hardware. (The one element of the diagram above that's probably not at all self-explanatory is the little tab with gears on it beneath the OS. 
That's the device driver, and the device model in the VMM uses it to interface with the hardware.)&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms', Helvetica, sans-serif;"&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;By emulating real-world hardware, pre-existing guest OS drivers can be used, providing greater compatibility and ease of configuration. This is not without some risks; for example, support for the brand of network card that VirtualBox emulated was dropped in Windows Vista, meaning that VirtualBox lost its built-in networking support (this was ultimately addressed by VirtualBox being updated to emulate a second kind of network card, one that was still supported). Overall, however, it provides a simple solution that works with a broad range of guest OSes, and for basic, low bandwidth hardware—PCI controllers, mouse and keyboard controllers, etc.—the performance is acceptable, too.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;This approach also provides decoupling. The guest OS might think that it is using, say, an IDE hard disk, but the host might be using SCSI, SATA, or even some future as-yet-uninvented interface. The virtualized hardware is "frozen;" regardless of the host technology, the virtual hardware is always the same. 
This is important for some use-cases, like Windows 7's &lt;/span&gt;&lt;/span&gt;&lt;a href="http://arstechnica.com/microsoft/reviews/2010/01/windows-xp-mode.ars" style="color: rgb(255, 91, 0); text-decoration: none; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Windows XP Mode&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;, which is designed to run legacy software in a legacy OS. Windows XP lacks built-in support for SATA, for example, but since Virtual PC emulates IDE, XP's lack of support does not cause any compatibility issue. The guest OS only has to be compatible with the virtual machine.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;The other major advantage of this technique is that it allows multiplexing; many guest OSes can run on the same host OS, and they can all share the host's I/O capabilities, enabling the use of more guest OSes than one has physical network interfaces or hard disks, which is greatly beneficial in system consolidation situations.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;The big problem with this approach is with hardware that performs high bandwidth transfers (such as disk controllers or network interfaces), and with hardware that is very complex (such as graphics cards). For the former, the problem is that every time an I/O operation occurs, the VMM has to trap it and emulate it. 
Worse, it then has to call into the host OS to actually do the real work (write to disk, send a network packet, etc.), in turn causing additional data copying and interrupts. For a mouse or a keyboard, this overhead is small and not a big issue, but for a hard disk or network interface, which might perform hundreds of megabytes of I/O per second, the overhead is substantial. The result? Higher processor usage and lower throughput.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;For the latter case, complex hardware, the problem is simply that emulating the hardware on the CPU is slow; GPUs are extremely fast at certain kinds of number crunching, and emulating this on a CPU is much, much slower. The most common way of avoiding this problem is for the VM software to simply not bother; instead of emulating a complex GPU, it emulates instead a simple 2D device, with no OpenGL or Direct3D capabilities. That's increasingly becoming unattractive, however, as mainstream OSes (including both Windows Vista and Windows 7) are demanding 3D hardware even for regular desktop usage.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;One thing that's substantially missing here is any equivalent to CPU virtualization's "binary translation." A key performance feature of virtualization software is that the entire CPU doesn't have to be emulated. Most of the time, it can just run the guest OS's instructions directly. 
It's only certain unsafe instructions that have to be detected somehow (whether by binary translation or the trap-and-emulate approach) and performed in software. Everything else runs at full hardware speed. I/O devices typically aren't amenable to this kind of approach, because I/O devices, unlike CPUs, don't contain the machinery to be shared among multiple applications and/or users.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;The performance problem with emulation can only be avoided by avoiding emulation entirely, which brings us neatly to paravirtualization.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;h3&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Paravirtualization&lt;/span&gt;&lt;/span&gt;&lt;/h3&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Paravirtualization for the CPU requires modifications to the guest OS. Wherever the guest OS would do something that would normally require the VMM to step in, the guest OS either avoids the operation entirely, or tells the host OS what to do in a high-level way. For example, OSes typically disable processor interrupts for brief periods while performing critical operations to ensure that data integrity is maintained. Disabling interrupts requires using a privileged CPU instruction, so this must either be translated or trapped and emulated. With paravirtualization, the guest OS would simply tell the VMM to "disable interrupts." 
Communicating with the hypervisor can be done without the overhead of binary translation, so this approach can offer improved performance.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Paravirtualization for the CPU can be problematic because modifications have to be made to the OS core. Such modifications are not an issue for Linux or FreeBSD, but they're not an option for Windows or Mac OS X.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Paravirtualization for I/O takes a similar approach to paravirtualization for the CPU. The VMM exposes a relatively high-level API to guest OSes enabling, say, network operations or disk operations, and the guest OS is modified to use this API. 
Because I/O devices use drivers and are not part of the core OS, paravirtualization doesn't pose the same problems for I/O as it does for the CPU.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="color:#000000;"&gt;&lt;span class="Apple-style-span" style=" line-height: normal;"&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="color:#000000;"&gt;&lt;span class="Apple-style-span" style=" line-height: normal;"&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span" style="color: rgb(0, 0, 0);   line-height: normal; "&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_wjSazwqws3I/S4KjPjNP84I/AAAAAAAAAb4/Qc9Cqnkk5ow/s1600-h/paravirtualized-device1.png"&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;img src="http://2.bp.blogspot.com/_wjSazwqws3I/S4KjPjNP84I/AAAAAAAAAb4/Qc9Cqnkk5ow/s400/paravirtualized-device1.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5441090787361158018" style="cursor: pointer; width: 320px; height: 307px; " /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  
style="color:#000000;"&gt;&lt;span class="Apple-style-span" style=" line-height: normal;"&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(51, 51, 51);   line-height: 17px; "&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;span class="Apple-style-span"   style="font-family:Georgia, -webkit-fantasy;color:#000000;"&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;This approach is beginning to gain traction; Xen, VMware, and Microsoft's HyperV all provide paravirtualization APIs in addition to their emulated devices, so they can offer accelerated performance to any guests that have suitable paravirtual drivers. Though paravirtualization forfeits the driver compatibility of emulation, it retains the advantages of decoupling the guest from the specifics of the host hardware, and of multiplexing multiple guests onto a single set of physical hardware.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;As well as providing improved performance for high-bandwidth devices, there are some efforts underway to use this approach to provide graphical acceleration to VMs. VirtualBox, for example, has experimental support for accelerated 3D within a VM. As with other paravirtualization systems, it requires the use of a special VirtualBox graphics driver within the guest OS. This driver passes 3D commands to the host system, where they are executed on the host's GPU. The results are then passed back to the guest. 
This use of paravirtualization greatly expands the range of tasks that virtual machines can be used for; robust support for accelerated 3D within a VM might one day make gaming, CAD, and visualization possible within a VM.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;There is, however, a kind of hardware device that is widely used where communication uses neat, encapsulated packets rather than reading and writing from system memory, and that is USB. Though the USB &lt;/span&gt;&lt;/span&gt;&lt;em&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;controller&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt; is a regular PCI device that uses system memory to communicate, USB itself communicates using packets sent down the USB bus. An increasingly common feature of virtualization software is to continue to emulate the USB controller, but to pass the actual USB packets to the host's USB controller (and vice versa), enabling USB devices attached to the host to be passed through to the guest. The guest then uses its own USB device drivers to communicate with the device on the host.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;In this way, there is direct communication between the guest OS and the actual device, allowing the full performance and range of capabilities of the device to be leveraged by the guest. 
This allows the wide range of USB devices to be used within the guest, without having to emulate each kind of device individually. It even allows the guest to use devices that the host has no driver for—again, this has particular advantages when virtualization is being used for legacy compatibility.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;span class="Apple-style-span"  style="font-family:verdana, Helvetica, sans-serif;"&gt;&lt;h3&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Talking to the hardware directly&lt;/span&gt;&lt;/h3&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Although paravirtualization improves performance, it's still not as good as native performance. To gain native performance, you need to cut out the emulated middle-man. Just as CPU virtualization gets a huge boost by direct execution of code, I/O virtualization would be improved by allowing virtual machines to talk to hardware directly.&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;This direct approach has an obvious pitfall—the ability to multiplex is lost. If a device is assigned to one guest, it can't be assigned to any other guests. But for many applications, that might not be such a big deal. It's relatively cheap to add a load of network interfaces to a machine (allowing one interface per guest), for example, so cost and management savings can still be achieved over and above dedicated hardware. 
Direct assignment also requires the guest OS to have an appropriate driver for the hardware, making the approach useless for legacy compatibility.&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Hypervisor-based systems like HyperV and Xen already perform direct assignment, in a sense. With these hypervisors, all operating systems are run as guests. The first guest—the one used to bless the machine—is special, though, because it has the system's physical hardware available to it. The other guests use paravirtualized drivers to send I/O requests to this special first guest, and it uses its device drivers to communicate with the hardware. A more generalized direct assignment system would extend this capability to any guest.&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Direct assignment is not without its problems, however. The big issue is the interrupts and shared memory used by devices to communicate with the CPU. The shared memory that the devices use for communication is all based on physical memory addresses. This is a problem, because each guest has its own virtualized physical memory addressing. The physical addresses used by the real hardware don't correlate to the virtual physical addresses visible to each guest, which means that whenever the guest's driver directs the device to perform DMA, it will end up using the wrong memory addresses. 
Interrupts pose another problem; they have to be serviced by the host, because only the host has access to the rest of the machine's hardware.&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;There are probably ways in which this could be worked around; perhaps a special driver in the host to handle the interrupt, translate any physical addresses, and pass it on to the guest, but such a driver would have to be tailored to the physical device to ensure that commands were properly translated.&lt;/span&gt;&lt;/p&gt;&lt;h3&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;The IOMMU&lt;/span&gt;&lt;/h3&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;To support direct assignment robustly and in a device-independent manner requires support from the hardware. And so that's exactly what's happened, with Intel's VT-d and AMD's AMD IOMMU/AMD-Vi. These extensions add an I/O memory management unit (IOMMU) to the platform. 
An IOMMU allows the device memory addresses used in DMA to be mapped to physical memory addresses in a manner transparent to the device hardware, in much the same way as a processor's MMU allows virtual memory addresses to be mapped to physical memory addresses.&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;With an IOMMU, the translation between the guest's physical addresses and the host's physical addresses can be handled completely transparently; the VMM will have to configure the IOMMU in the first place, but after that, everything else will happen automatically.&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;IOMMUs have been a feature of some platforms for many years, but x86 has always done without. During the AGP era, a similar (but more limited) device was found in x86 systems, the AGP GART (graphics aperture remapping table). The GART allowed AGP devices to "see" a contiguous view of system memory, even if the underlying memory was not actually contiguous. PCIe has a similar capability, but the PCIe GART is built into the PCIe graphics hardware itself. The AGP GART, in contrast, was a system feature provided by the chipset. The GART was limited, though, as it performed the same mapping for any request (whether by the CPU or the graphics card). A general-purpose IOMMU, that handles requests from different devices differently, is only recently becoming available.&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Using the IOMMU not only allows the remapping to be performed automatically, it also provides a kind of memory protection. 
Without an IOMMU, a device can perform DMA to physical addresses that it should not be able to touch; with the IOMMU, such DMA requests can be blocked. The IOMMU can be configured such that a request from a particular device (identified by the bus/device/function triple) can only have access to particular memory ranges, with any accesses outside those ranges being trapped as an error.&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;The Intel and AMD IOMMUs also support interrupt remapping. Both PCI interrupts and PCIe interrupts are understood by the IOMMU, and remapped as appropriate.&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;By using an IOMMU, the hypervisor can safely assign physical hardware directly to guest OSes, ending the need for them to funnel all their I/O through the host, and removing the layers of emulation that are normally needed for virtualized I/O, achieving native-level I/O performance for virtual machines.&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span" style="line-height: normal; "&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_wjSazwqws3I/S4Kj-KXhGcI/AAAAAAAAAcA/GM1PS_inif8/s1600-h/direct-assignment1.png"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;img src="http://2.bp.blogspot.com/_wjSazwqws3I/S4Kj-KXhGcI/AAAAAAAAAcA/GM1PS_inif8/s400/direct-assignment1.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5441091588147190210" style="cursor: pointer; width: 320px; height: 312px; " /&gt;&lt;/span&gt;&lt;/a&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; 
margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span" style=" line-height: normal;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="color: rgb(51, 51, 51);   line-height: 17px; "&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;The IOMMU is useful in non-virtualization scenarios, too. Many PCI devices can only use 32-bit physical addresses. This means that their buffers must all fit within the first 4 GiB of physical memory. This can make that first 4 GiB of physical memory cramped, especially when some devices, like video cards, create enormous buffers occupying many gigabytes of that memory. The IOMMU solves this problem by allowing the devices to stick with their 32-bit physical addresses, and transparently remapping them to any memory location.&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;The use of VT-d and AMD IOMMU in this way does sacrifice one of the benefits of emulation and paravirtualization systems: multiplexing. Direct assignment is 1:1; the device can be assigned to exactly one guest. This might not be an issue with some devices, such as multiport network cards, but it stands in the way of, say, robust native-performance virtualization of a graphics card.&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;The solution to this multiplexing problem has been to extend PCIe. PCIe has been extended so that devices can offer multiple virtualized functions. 
Though devices can currently support multiple functions, these multiple functions are used to support different hardware capabilities; the virtualized functions will be used to support the &lt;/span&gt;&lt;em&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;same&lt;/span&gt;&lt;/em&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt; hardware capabilities several times over. Each bus/device/virtual function triple will be assignable to a different VM, thereby allowing the device to be shared, while still allowing it to be used with directly assigned I/O through the use of the IOMMU.&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span" style="line-height: normal; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_wjSazwqws3I/S4Kk7bOH1DI/AAAAAAAAAcI/UCyXz0uXM7c/s1600-h/direct-assignment-sr-iov1.png"&gt;&lt;img src="http://1.bp.blogspot.com/_wjSazwqws3I/S4Kk7bOH1DI/AAAAAAAAAcI/UCyXz0uXM7c/s400/direct-assignment-sr-iov1.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5441092640643208242" style="cursor: pointer; width: 327px; height: 317px; " /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: medium; line-height: normal;"&gt;&lt;span class="Apple-style-span" style="color: rgb(51, 51, 51); font-family: Arial, Helvetica, sans-serif; font-size: 13px; line-height: 17px; "&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Widespread support for this is still a ways off. 
Devices that support the PCIe Single Root I/O Virtualization specification (SR-IOV) are on the market, but are unusual; a few high-end networking controllers support it (e.g. Intel's 82576 Gigabit Ethernet controller and Neterion's X3100 series). Because these devices have to support virtualization in hardware, meaning that any internal buffers have to be replicated for each associated VM, they do not offer the near-unlimited sharing of emulated devices. Nonetheless, Intel's ethernet controller supports 8 virtual functions per port, giving 8 VMs native access to the same physical hardware.&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;CPU virtualization has been near-native for many years, but the I/O performance of virtual machines has long left something to be desired. If and when PCIe SR-IOV devices become widespread, near-native virtualization of both processor and I/O alike will be a practical reality. 
When this happens, it will increase performance and reduce costs and overhead in the datacenter, as individual servers will have far less virtualization-related overhead.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-1930159041752957461?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/1930159041752957461/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=1930159041752957461' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/1930159041752957461'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/1930159041752957461'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2010/02/guide-to-io-virtualization.html' title='Guide to I/O Virtualization'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_wjSazwqws3I/S4Kh_kMp4KI/AAAAAAAAAbw/OwQYJPpfIjA/s72-c/emulated-device1.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-5536651245934076034</id><published>2010-02-22T07:10:00.000-08:00</published><updated>2010-02-22T07:15:44.889-08:00</updated><title type='text'>A tale of two qubits: how quantum computers 
work</title><content type='html'>&lt;span class="Apple-style-span"   style="color: rgb(51, 51, 51);  line-height: 17px;  font-family:Arial, Helvetica, sans-serif;font-size:13px;"&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span" style="font-size: 16px; line-height: 16px; "&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;h2 class="title" style="font-size: 1.25em; font-weight: bold; line-height: 1em; margin-top: 0px; margin-right: 0px; margin-bottom: 0.4em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; color: rgb(51, 51, 51); "&gt;&lt;span class="Apple-style-span" style="font-size: 13px; font-weight: normal; line-height: 17px; "&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;Quantum information is the physics of knowledge. To be more specific, the field of quantum information studies the implications that quantum mechanics has on the fundamental nature of information. By studying this relationship between quantum theory and information, it is possible to design a new type of computer—&lt;em&gt;a quantum computer&lt;/em&gt;. A large-scale, working quantum computer—the kind of quantum computer some scientists think we might see in 50 years—would be capable of performing some tasks impossibly quickly.&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;To date, the two most promising uses for such a device are &lt;a href="http://en.wikipedia.org/wiki/Grover%27s_algorithm" style="color: rgb(255, 174, 0); text-decoration: none; "&gt;quantum search&lt;/a&gt; and &lt;a href="http://en.wikipedia.org/wiki/Shor%27s_algorithm" style="color: rgb(255, 91, 0); text-decoration: none; "&gt;quantum factoring&lt;/a&gt;. 
To understand the power of a quantum search, consider classically searching a phonebook for the name which matches a particular phone number. If the phonebook has 10,000 entries, on average you'll need to look through about half of them—5,000 entries—before you get lucky. A quantum search algorithm only needs to guess 100 times. With 5,000 guesses a quantum computer could search through a phonebook with 25 million names.&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;Although quantum search is impressive, quantum factoring algorithms pose a legitimate, considerable threat to security. This is because the most common form of Internet security, &lt;a href="http://en.wikipedia.org/wiki/Public-key_cryptography" style="color: rgb(255, 91, 0); text-decoration: none; "&gt;public key cryptography&lt;/a&gt;, relies on certain math problems (like factoring numbers that are hundreds of digits long) being effectively impossible to solve. Quantum algorithms can perform this task exponentially faster than the best known classical strategies, rendering some forms of modern cryptography powerless to stop a quantum codebreaker.&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;Quantum computers are fundamentally different from classical computers because the physics of quantum information is also the physics of &lt;em&gt;possibility&lt;/em&gt;. Classical computer memories are constrained to exist at any given time as a simple list of zeros and ones. In contrast, in a single quantum memory many such combinations—even &lt;em&gt;all possible&lt;/em&gt; lists of zeros and ones—can all exist &lt;em&gt;simultaneously&lt;/em&gt;. During a quantum algorithm, this symphony of possibilities splits and merges, eventually coalescing around a single solution. 
The complexity of these large quantum states made of multiple possibilities makes a complete description of quantum search or factoring a daunting task.&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;Rather than focusing on these large systems, therefore, the goal of this article is to describe the most fundamental, the most intriguing, and the most &lt;em&gt;disturbing&lt;/em&gt; consequences of quantum information through an in-depth description of the smallest quantum systems. By learning how to think about the smallest quantum computers, it becomes possible to get a feeling for how and why larger quantum computers are so powerful. To that end, this article is divided into three parts:&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;a href="http://arstechnica.com/science/guides/2010/01/a-tale-of-two-qubits-how-quantum-computers-work.ars#single%20qubits" style="color: rgb(255, 91, 0); text-decoration: none; "&gt;&lt;strong&gt;Single qubits.&lt;/strong&gt;&lt;/a&gt; The quantum bit, or qubit, is the simplest unit of quantum information. We look at how single qubits are described, how they are measured, how they change, and the classical assumptions about reality that they force us to abandon.&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;a href="http://arstechnica.com/science/guides/2010/01/a-tale-of-two-qubits-how-quantum-computers-work.ars#pairs%20of%20qubits" style="color: rgb(255, 91, 0); text-decoration: none; "&gt;&lt;strong&gt;Pairs of qubits.&lt;/strong&gt;&lt;/a&gt; The second section deals with two-qubit systems, and more importantly, describes what two-qubit systems make possible: &lt;em&gt;entanglement&lt;/em&gt;. 
The crown jewel of quantum mechanics, the phenomenon of entanglement is inextricably bound to the power of quantum computers.&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;a href="http://arstechnica.com/science/guides/2010/01/a-tale-of-two-qubits-how-quantum-computers-work.ars#quantum%20mechanics" style="color: rgb(255, 91, 0); text-decoration: none; "&gt;&lt;strong&gt;Quantum physics 101.&lt;/strong&gt;&lt;/a&gt; The first two sections will focus on the question of &lt;em&gt;how qubits work&lt;/em&gt;, avoiding the related question of &lt;em&gt;why they work the way they do&lt;/em&gt;. Here we take a crash course in qualitative quantum theory, doing our best to get a look at the man behind the curtain. The only prerequisites for this course are a little courage and a healthy willingness to ignore common sense.&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;/p&gt;&lt;h2&gt;Single qubits&lt;/h2&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;Bits, either classical or quantum, are the simplest possible units of information. They are oracle-like objects that, when asked a question (i.e., when &lt;em&gt;measured&lt;/em&gt;), can respond in one of only two ways. Measuring a bit, either classical or quantum, will result in one of two possible outcomes. At first glance, this makes it sound like there is no difference between bits and qubits. In fact, the difference is not in the possible &lt;em&gt;answers&lt;/em&gt;, but in the possible &lt;em&gt;questions&lt;/em&gt;. 
For normal bits, only a single measurement is permitted, meaning that only a single question can be asked: &lt;em&gt;Is this bit a zero or a one?&lt;/em&gt; In contrast, a qubit is a system which can be asked many, many different questions, but to each question, only one of two answers can be given.&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;This bizarre behavior is the very essence of quantum mechanics, and the goal of this section is to explain both the bounds that quantum theory places on such an object and the consequences that such bounds have for our classical assumptions. Given how counterintuitive this behavior seems, I will first explain in some detail how polarized light provides the perfect example of a qubit. Using a little light, some polarized sunglasses, and a 3D screening of "Avatar," I'll use that specific example to describe how all single-qubit states can be thought of as points on or inside a sphere, and finally how the fundamental operations of quantum measurement, rotation, and decoherence can be visualized and understood using that sphere.&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;Before continuing, I should define a word that I'll be using frequently: &lt;em&gt;state&lt;/em&gt;. A system's state is a complete description of that system; every system (including a single qubit) is in a particular state, and any systems that would behave completely identically are said to have the same state. Classical bits, therefore, are always in one of exactly two states, "zero" or "one."&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;With that out of the way, our first step is to find an object which always gives one of exactly two answers, but which can be measured in many different ways. Here's where you're going to need those polarized sunglasses. 
Polarized sunglasses are different from normal sunglasses because they are designed to block the glare from horizontal surfaces, like a long stretch of desert highway or the surface of a lake on a sunny day. &lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;How do they work? Light is in fact made of photons—the smallest indivisible unit of light—and every photon creates a tiny, oscillating electric field as it travels. Light from the sun (and most other sources of light) is composed of photons oscillating in all sorts of directions. However, light which is reflected off a horizontal surface (like glare off a lake) will become horizontally polarized. When the light reaches the sunglasses, the photons are either transmitted or absorbed. If a photon's electric field oscillates horizontally, polarized sunglasses absorb it. If it oscillates vertically, it will pass right through the same sunglasses.&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;These polarized lenses provide our first example of a &lt;em&gt;quantum measurement&lt;/em&gt;, as they show a way to distinguish between horizontally polarized and vertically polarized photons (based on which gets transmitted and which gets absorbed). They can, of course, be used to ask a different question (make a different measurement) if they are tilted. By tilting your head 90 degrees, you make a measurement which is the opposite of the first, as the sunglasses transmit all of the glare you were trying to avoid. By tilting your head 45 degrees to one side (diagonally) or the other side (antidiagonally), they will transmit only half the glare.&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;Does this mean that the types of questions you can ask are limited to the angles at which you can tilt your head? 
That may seem reasonable, but if you went to see the 3D showing of &lt;em&gt;Avatar&lt;/em&gt;, you might have guessed that this isn't true. In order to create the illusion of three-dimensional objects on a two-dimensional screen, movie theaters need to control exactly which photons go to each of your eyes. For decades, this was done using color. (Remember the 3D glasses with one red lens and one blue lens?) &lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;To get full-color 3D, we need another way to control which photons go in which eye. Once again there are only two answers—absorbed or transmitted—so we need new questions. You don't want the entire movie to change when you tilt your head, so using horizontally and vertically polarized lenses is out. Likewise, diagonally and antidiagonally polarized lenses won't work. (Test this out in a 3D movie—tilting your head won't ruin the effect.) &lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;The solution is something completely different, called &lt;em&gt;circular&lt;/em&gt; polarization. 
The two lenses in modern 3D glasses each ask the question, &lt;em&gt;is an incoming photon right-circularly polarized or left-circularly polarized?&lt;/em&gt; Each lens transmits only one of these two types of light (one of the two answers to the question), allowing special projectors (which transmit the same types of light) to control what image is seen by each of your eyes, thereby creating the illusion of electric blue warriors riding extra-terrestrial pterodactyls flying off the screen.&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;If the polarization of a photon is the perfect example of a quantum bit, what can the following three questions/measurements tell us about it?&lt;/p&gt;&lt;ol&gt;&lt;li&gt;Is the polarization horizontal or vertical?&lt;/li&gt;&lt;li&gt;Is the polarization diagonal or anti-diagonal? (In other words, will it pass through my polarized sunglasses when I tilt my head forty-five degrees to the left or to the right of vertical?)&lt;/li&gt;&lt;li&gt;Is the polarization right-circularly or left-circularly polarized? 
(In other words, does it pass through the right or left lens of a pair of 3D glasses?)&lt;/li&gt;&lt;/ol&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;If we performed the measurements that these three questions represent on the horizontally polarized photons generated by highway glare, we would learn that each photon always passes through a horizontal polarizer (question 1), but has only a 50% chance of passing through diagonal (question 2) or right-circular polarizers (question 3).&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;/span&gt;&lt;/h2&gt;&lt;p&gt;&lt;/p&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-5536651245934076034?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/5536651245934076034/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=5536651245934076034' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/5536651245934076034'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/5536651245934076034'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2010/02/tale-of-two-qubits-how-quantum.html' title='A tale of two qubits: how quantum computers work'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' 
src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-1689140785347581530</id><published>2010-02-22T05:41:00.000-08:00</published><updated>2010-02-22T06:00:26.974-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Processor'/><category scheme='http://www.blogger.com/atom/ns#' term='PC Hardware'/><category scheme='http://www.blogger.com/atom/ns#' term='AMD'/><title type='text'>AMD reveals Fusion CPU+GPU, to challege Intel in laptops</title><content type='html'>&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_wjSazwqws3I/S4KKalivjjI/AAAAAAAAAbg/dd0hxqWQAQg/s1600-h/circuit.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 300px; height: 169px;" src="http://2.bp.blogspot.com/_wjSazwqws3I/S4KKalivjjI/AAAAAAAAAbg/dd0hxqWQAQg/s320/circuit.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5441063489176047154" /&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"   style="color: rgb(51, 51, 51);  line-height: 17px;  font-family:Arial, Helvetica, sans-serif;font-size:13px;"&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;SAN FRANCISCO—The "Llano" processor that AMD described today in an ISSCC session is not a CPU, and it's not a GPU—instead, it's a hybrid design that the chipmaker is calling an "accelerated processor unit," or APU. 
Whatever you call it, it could well give Intel a run for its money in the laptop market, by combining a full DX11-compatible GPU with four out-of-order CPU cores on a single, 32nm processor die.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Details on the highly parallel vector hardware—the "GPU" part of the device—have yet to be disclosed, but AMD is focusing today's revela&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;tions on the CPU part of the design. In a nutshell, AMD has taken the "STARS" core that's used in their current 45nm offerings, shrunk it to a new 32nm SOI high-K process, and added new p&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;ower gating and dynamic power optimization capabilities to it. Each out-of-order core has a bit under 35 million transistors, and a 1MB L2 cache that's not included in that number. 
AMD is targeting sub-3GHz operation, and a power consumption range of 2.5 to 25 watts.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;img src="http://2.bp.blogspot.com/_wjSazwqws3I/S4KLBjfTRNI/AAAAAAAAAbo/lb3aiPtnfK8/s320/llano-die.png" /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;The chipmaker will put down four such cores, shown in the micrograph below, along with enough vector hardware to power a DX11 GPU. Overall, most of the work on the x86 side of Llano was done on dynamic power optimization and on fitting the design to the 32nm process. In this respect, Llano differs from the upcoming "Bobcat" mobile part in that the latter is more portable across a range of processes and configurations, and features less custom work. AMD has announced that Llano will be sampling in the second half of this year, and will be available from OEMs sometime in 2011.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Power optimization goes digital&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;It's not often that I say this, but perhaps the most interesting and novel part of the Llano core is its unique approach to dynamic power optimization. 
AMD fellow Sam Naffziger walked me through the approach in a briefing this morning, and it departs from traditional power management approaches in that it relies on digital, not analog, data.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms', Helvetica, sans-serif;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms', Helvetica, sans-serif;"&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;A normal processor power module takes analog input from a set of diodes placed throughout the die, and these diodes act as thermal sensors, informing the module when the die heats up in an area due to increased compute activity. In this model, then, die temperature is monitored as a proxy for power consumption, and the power module uses this temperature/power data to make on-the-fly adjustments to parameters like clockspeed. The blessing and curse of this method is that these analog sensors respond to every change in thermals, whether it's driven by an actual, compute-related boost in power consumption or by external, environmental factors, like a sudden rise in ambient temperature.&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;Llano's approach, in contrast, uses a set of 95 digital signals from different parts of the chip that AMD has empirically identified as having a strong correlation to power consumption. 
So signals like integer traffic, cache misses, or branch mispredicts are monitored via low-frequency sampling, and these signals give the power module a picture of the chip's power consumption that AMD claims "is accurate to within 2 percent across a broad range of application types."&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;High hopes for first genuine "Fusion" offspring of AMD + ATI&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;I personally have relatively high hopes for Llano as a notebook part that could well out-do whatever Intel has in 2011. Intel is infamous for the poor quality of its integrated graphics processors (IGPs), and, while the most recent Intel IGPs are much less embarrassing than their predecessors, it's not clear that the company has the ability or the will to compete with NVIDIA and AMD/ATI in this area. So when it comes to raw performance as a CPU and GPU, I expect Llano to do quite well. But for commercial success as a mobile part, the big question concerns Llano's platform-level power draw, and that will depend on real-world success of the power management innovations that AMD has introduced today.&lt;/span&gt;&lt;/p&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 1.3077em; margin-left: 0px; "&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;It's possible that, for gaming on-the-go, Llano's biggest competitor will be NVIDIA's upcoming x86 CPU + GPU combination. But right now, that device is still just a secret skunkworks project about which almost nothing is known. Still, if it's not public by 2011, I'm not sure what NVIDIA's mobile strategy will look like. 
With CPU/GPU fusion products like Llano and the DMI licensing dispute combining to kill NVIDIA's IGP business, the company needs new mobile ideas in a big way.&lt;/span&gt;&lt;/p&gt;&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-1689140785347581530?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://arstechnica.com/business/news/2010/02/amd-reveals-fusion-cpugpu-to-challege-intel-in-laptops.ars' title='AMD reveals Fusion CPU+GPU, to challege Intel in laptops'/><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/1689140785347581530/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=1689140785347581530' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/1689140785347581530'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/1689140785347581530'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2010/02/amd-reveals-fusion-cpugpu-to-challege.html' title='AMD reveals Fusion CPU+GPU, to challege Intel in laptops'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_wjSazwqws3I/S4KKalivjjI/AAAAAAAAAbg/dd0hxqWQAQg/s72-c/circuit.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-4955039012353982307</id><published>2010-01-04T00:29:00.000-08:00</published><updated>2010-02-23T00:34:59.403-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Gadget'/><category scheme='http://www.blogger.com/atom/ns#' term='Tablet PC'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><title type='text'>Microsoft Courier tablet prototype reminds us of Codex</title><content type='html'>&lt;img src="http://static.arstechnica.com/assets/2009/09/courier_gizmodo-thumb-640xauto-8715.png" alt="Microsoft Courier tablet prototype reminds us of Codex" /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;The tablet arena seems to be getting about just as much hype as the netbook market was getting when the first ones were being shown off. This time though, Microsoft is interested in a bit more than just the software side of things. Gizmodo got its hands on Courier, quickly called it "Microsoft's astonishing take on the tablet," and noted that the interface was "unlike anything we've seen before." Don't get too excited just yet. First we must remember that this is in the late prototype stage of development, but that still means prototype, no matter how you slice it. Microsoft is developing the user experience and showing design concepts to outside agencies, but at any time the device can still be axed.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Secondly, the device is in fact a booklet, not a tablet: it has two 7-inch screens that are both designed to be used with a stylus as well as hands. Think of it like a DS on its side, except both screens can be touched—multitouched in fact. 
The hinge that connects the two screens has a single home button and can be used to hold items you want to move from one page to another. Various status icons, like wireless signal and battery life, are shown along the rim of one of the screens. There's also a 3MP VGA 4x zoom camera with flash on the back cover. Check out the video, branded by Microsoft's Pioneer Studios, for a closer look:&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;br /&gt;&lt;object width="425" height="344"&gt;&lt;param name="movie" value="http://www.youtube.com/v/USbkrk8-pjw&amp;amp;color1=0xb1b1b1&amp;amp;color2=0xcfcfcf&amp;amp;hl=en_US&amp;amp;feature=player_embedded&amp;amp;fs=1"&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;param name="allowScriptAccess" value="always"&gt;&lt;embed src="http://www.youtube.com/v/USbkrk8-pjw&amp;amp;color1=0xb1b1b1&amp;amp;color2=0xcfcfcf&amp;amp;hl=en_US&amp;amp;feature=player_embedded&amp;amp;fs=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="425" height="344"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;As we noted earlier this week when the Microsoft tablet rumors came back in full force, Chief Experience Officer J Allard is leading the Alchemy Ventures group that includes at least one exec from Microsoft Surface. 
We must remember that the group of engineering experts has more than just the Courier prototype in the works.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="color: rgb(51, 51, 51); font-family: Arial, Helvetica, sans-serif; line-height: 18px; font-size: 14px; "&gt;&lt;h3&gt;Codex&lt;/h3&gt;&lt;div&gt;&lt;img src="http://static.arstechnica.com/codex_microsoft_research.png" alt="codex_microsoft_research.png" /&gt;&lt;/div&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Now that we've covered everything we know so far on Courier, let's talk about Codex, the Microsoft Research project we first heard about in October 2008. At the time, the dual screen device had a moleskine-style knitted elastic strap to hold it securely shut, a loop for the pen, and a mesh pocket so you wouldn't lose small items you wanted to bring with you. It weighed just over two pounds.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Codex used InkSeine, a prototype inking application also developed for Microsoft Research and released in February 2008 for Tablet PC and UMPC devices. We covered InkSeine's infrequent updates once or twice, including in March 2009 when Microsoft improved the software's support for Windows 7. 
It's not clear if Courier runs some form of InkSeine, but we'd be surprised if it didn't.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;The similarities between Codex and Courier are too striking to ignore. Microsoft Chairman Bill Gates is a big fan of tablets, so it's really not a huge surprise that development has been going on for so long. We bet Gates would be quite happy if some form of a Microsoft tablet saw the light of day; would you share his enthusiasm?&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-4955039012353982307?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/4955039012353982307/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=4955039012353982307' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/4955039012353982307'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/4955039012353982307'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2010/01/microsoft-courier-tablet-prototype.html' title='Microsoft Courier tablet prototype reminds us of Codex'/><author><name>Ismoyo 
NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-1574447376675667113</id><published>2009-03-27T19:47:00.000-07:00</published><updated>2010-03-09T19:48:49.048-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='nVidia VS Intel'/><title type='text'>Nvidia Countersues Intel on License Agreement</title><content type='html'>&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;b&gt;&lt;img src="http://media.bestofmicro.com/NVIDIA,8-M-49558-1.jpg" /&gt;&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;b&gt;A nice break from the he said, she said of Intel’s recent lawsuit with AMD is... Intel's he said, she said lawsuit with Nvidia. The latter has filed a counter-suit against Intel claiming a breach of contract.&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;In February Intel filed a lawsuit against Nvidia, which stated that the chipset license agreement the two companies signed four years ago does not extend to Intel’s future generation CPUs with integrated memory controllers. 
&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;"The disagreement is over the fact that they (Intel) don't believe we have the right to design chipsets for CPUs with integrated memory controllers, which we do," said Nvidia CEO Jen-Hsun Huang at the time. "Nvidia entered into an agreement in 2004 in order to bring platform innovations to Intel CPU based systems, and in return, Intel took a license to our rich portfolio of 3D, GPU, and other computing patents."&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Reuters today reported that Nvidia is claiming that Intel has “manufactured” the licensing dispute as part of a “calculated strategy to eliminate Nvidia as a competitive threat.” According to Reuters, Nvidia believes Intel made misleading statements designed to undermine Nvidia's licensing rights and the counter-suit “seeks to terminate Intel's license to Nvidia's patents related to graphics processing and three-dimensional computing.” Reuters goes on to cite Nvidia spokesman Hector Marinez as saying Nvidia believes that without a licensing agreement, Intel's line of integrated graphics chips violate Nvidia's patent portfolio.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Previous reports say that the two have been fighting over this for a while. Huang said last month that Nvidia has been attempting to resolve the disagreement with Intel in a fair and reasonable manner for over a year. 
Huang also claimed that Nvidia’s Ion platform was what triggered the hostile action.&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-1574447376675667113?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/1574447376675667113/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=1574447376675667113' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/1574447376675667113'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/1574447376675667113'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2009/03/nvidia-countersues-intel-on-license.html' title='Nvidia Countersues Intel on License Agreement'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-5888591579912278447</id><published>2009-02-23T20:19:00.000-08:00</published><updated>2010-03-09T20:21:06.086-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='nVidia VS Intel'/><title type='text'>Nvidia CEO Responds to Intel Lawsuit</title><content type='html'>&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;b&gt;&lt;img src="http://media.bestofmicro.com/intel-nvidia,G-5-180725-1.png" /&gt;&lt;/b&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span 
class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium; "&gt;&lt;b&gt;Last Monday, Intel filed a lawsuit against Nvidia, which apparently stated that the chipset license agreement the two companies signed four years ago does not extend to Intel’s future generation CPUs with integrated memory controllers. While Nvidia responded with a statement and official press release last week, CEO Jen-Hsun Huang spoke to Digitimes about the suit and explained why he thinks the suit is groundless.&lt;/b&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;The original agreement (made in 2004) allowed Nvidia to produce chipsets for Intel CPUs without integrated memory controllers. At the time, however, Intel did not have any integrated memory controllers in its plans and so no stipulation was in place to forbid Nvidia from making chipsets for CPUs with memory controllers. 
Nvidia responded to the court filing with a release stating that “we are confident that our license, as negotiated, applies," and that "Nvidia has been attempting to resolve the disagreement with Intel in a fair and reasonable manner for over a year."&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;"The disagreement is over the fact that they (Intel) don't believe we have the right to design chipsets for CPUs with integrated memory controllers, which we do," said Huang. "Nvidia entered into an agreement in 2004 in order to bring platform innovations to Intel CPU based systems, and in return, Intel took a license to our rich portfolio of 3D, GPU, and other computing patents."&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Huang told Digitimes that the agreement made with Intel is "broad" and does not go as far as to name specific technologies. 
He also said that the trigger for Intel's "hostile action" seems to be the announcement of Nvidia's Ion platform.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;Huang assured Digitimes that he is confident that the courts would find that the agreement does give Nvidia rights to produce chipsets that support Intel CPUs with integrated memory controllers and added that the company is not afraid of Intel and will not be backing down.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;span class="Apple-style-span" style="font-size: medium;"&gt;This case is about the future and Nvidia's ability to continue to innovate and make a difference in the industry by creating its own products, not just those that Intel allows it to create, Digitimes quotes Huang as saying.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-5888591579912278447?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/5888591579912278447/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=5888591579912278447' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/14928049/posts/default/5888591579912278447'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/5888591579912278447'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2009/02/nvidia-ceo-responds-to-intel-lawsuit.html' title='Nvidia CEO Responds to Intel Lawsuit'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-51728516368662526</id><published>2009-02-18T19:44:00.000-08:00</published><updated>2010-03-09T19:46:06.714-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='nVidia VS Intel'/><title type='text'>Intel Sues Nvidia; Nvidia Says Intel is Afraid</title><content type='html'>&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;b&gt;&lt;span class="Apple-style-span" style="font-family: Georgia, serif; font-weight: normal; "&gt;&lt;img src="http://media.bestofmicro.com/nvidia-logo,1-O-60-1.jpg" /&gt;&lt;/span&gt;On Monday, Intel filed a lawsuit against Nvidia, which apparently stated that the chipset license agreement the two companies signed four years ago does not extend to Intel’s future generation CPUs with integrated memory controllers.&lt;/b&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;The original deal allowed Nvidia to produce chipsets for Intel CPUs without integrated memory controllers. 
At the time, however, Intel did not have any integrated memory controllers in its plans and so no stipulation was in place to forbid Nvidia from making chipsets for CPUs with memory controllers.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Today, Nvidia responded to the court filing with a press release stating that “we are confident that our license, as negotiated, applies," and that "Nvidia has been attempting to resolve the disagreement with Intel in a fair and reasonable manner for over a year." &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Although currently shipping Nvidia chipsets are not affected by this dispute, future chipsets from Nvidia designed for Intel's Core i7 or future Atom processors are at risk.  Nvidia's upcoming Ion platform for use with future Intel Atom processors is one such product that may be affected by the court filing, as future Intel Atom processors are expected to feature an integrated memory controller. Judging from Nvidia's response, it seems Nvidia believes Intel is trying to inhibit Nvidia from releasing innovative products such as the Ion platform. &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;"When combined with a CPU, Ion enables a two-chip PC architecture for Intel processors two years ahead of Intel’s own solution. In addition, the Ion platform offers 10x the performance of Intel’s current three chip design."  
Nvidia continues to state, "given the broad and growing adoption of Nvidia’s platform innovations, it is not surprising that Intel is now initiating a dispute over a contract signed four years ago. Innovations like Ion, SLI, Hybrid power, and CUDA threaten Intel’s ability to control the PC platform."&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;The Nvidia Ion platform was recently put to the test and the results showed that the Ion platform was indeed a winner, offering excellent power savings and excellent graphical performance.  Although the Intel Atom processor had been designed for use in inexpensive netbooks and nettops, Nvidia was able to show with its Ion platform that GPU performance does not need to be sacrificed to achieve a low cost Intel Atom-based system.  With future Intel Atom processors expected to also feature integrated graphics solutions though, there may be even more pressure on the long-term viability of the Ion platform.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:verdana;"&gt;Although the Nvidia Ion platform will likely appear first in inexpensive desktop systems, if rumors hold true it may be Lenovo that is first to release notebooks featuring the Nvidia Ion platform.  
According to a Commercial Times report, an 11-inch, a 12-inch and possibly a 13-inch Ion-based notebook will be released by Lenovo in the second quarter of 2009.&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-51728516368662526?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/51728516368662526/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=51728516368662526' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/51728516368662526'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/51728516368662526'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2009/02/intel-sues-nvidia-nvidia-says-intel-is.html' title='Intel Sues Nvidia; Nvidia Says Intel is Afraid'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-3124974161012969630</id><published>2008-03-04T17:58:00.000-08:00</published><updated>2008-03-05T18:11:31.720-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PC Hardware'/><category scheme='http://www.blogger.com/atom/ns#' term='News'/><category scheme='http://www.blogger.com/atom/ns#' term='AMD'/><title type='text'>AMD's chipset game: Rien ne vas plus</title><content type='html'>&lt;span&gt;Markham (ON) – AMD has raised its bet and placed its chips in a cutthroat chipset market: To gain 
ground on Nvidia and Intel, the manufacturer decided to put a fully-fledged GPU into its next mainstream integrated chipset 780G, which could win the company lots of new customers. But it could cost AMD lots of discrete graphics card sales as well and cut deep into its profit margins. Will AMD win and what does the 780 mean to you?&lt;br /&gt;&lt;br /&gt;&lt;img src="http://bp2.blogger.com/_wjSazwqws3I/R89QejhXY1I/AAAAAAAAAQY/UatQcIfFfLU/s400/amd_markham_425.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5174442982733472594" /&gt;&lt;br /&gt;&lt;span&gt;AMD's Markham offices, previously ATI headquarters&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;On a Roulette table, you typically meet two types of players. Those who simply try to stay in the game as long as possible while holding on to their budget for as long as possible. Simply participating will get you a nearly 50/50 or a nearly 2/3 chance when playing the outer fields. You’ll never win big, but you won’t lose big either. However, if you want to catch up to the big boys, you’ll have to take higher risks that could leave you bankrupt or propel you to the top of the table.&lt;br /&gt;&lt;br /&gt;AMD’s chipset division is in such a game right now. Let’s watch.&lt;br /&gt;&lt;br /&gt;AMD has lost touch with the other big players, Intel and Nvidia, and is behind. There’s nothing to get particularly excited about AMD’s chipsets these days and the company could continue its current game and probably would be ok, if it pushes its platform message strongly. 
But the next bets in this game, the 780G and 780V, are now on the table and we know AMD’s strategy: The green team wants to join the high-rollers again and takes an unexpected risk that could surprise the others or fail miserably.&lt;br /&gt;&lt;br /&gt;&lt;img src="http://bp3.blogger.com/_wjSazwqws3I/R89QezhXY2I/AAAAAAAAAQg/1C55MYUDbDU/s400/780g_sb700_425.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5174442987028439906" /&gt;&lt;br /&gt;&lt;span&gt;780G chipset (left), SB700 Southbridge&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The big picture: Upvalue the chipset, devalue cheap graphics cards&lt;br /&gt;&lt;br /&gt;Integrated graphics chipsets are the commodity in the graphics chip industry. They are in the very low-end of PCs, but account for the lion’s share of the market in terms of unit numbers. You don’t talk about them, they simply do their job. And for some time now, they are even good enough again to run today’s standard Windows operating system. No one who buys a PC with a graphics chipset really cares (or cannot afford to care) about the graphics performance. But this may be different with this new 780G chipset, which is aiming for cheap and mainstream PCs in the $399 and $499 price range.&lt;br /&gt;&lt;br /&gt;Technically, from a performance view, the 780G isn’t just a chipset. It really is a $19 chipset that performs (we believe AMD on this one for a moment) like a $50 entry-level standalone graphics card. In the past, a graphics chipset was based on a recent graphics engine, but usually saw substantial downgrades to keep a clear performance and price distance to the discrete product. 
AMD claims that in the 780G there is a full R620 graphics chip, just like in its current entry-level graphics cards, offering a performance similar to that of, well, $50 graphics cards.&lt;br /&gt;&lt;br /&gt;That means, of course that the 780G offers the R620 DirectX 10 core, which includes two independent display controllers (VGA and HDMI/DVI/DP with HDCP), a Hypertransport 3 interface and two PCIe Gen 2 interfaces. There’s also a new Displaycache, which cuts down power consumption. In terms of core data, there are two versions of the 780: The base 780V (codenamed RS780C) is clocked at 350 MHz and integrates a Radeon 3100 engine; the more interesting one is the 780G (codenamed RS780), which runs at 500 MHz, runs a Radeon 3200 engine, supports UVD as well as Hybrid Graphics, which allows users to combine the integrated chipset with a discrete graphics card to increase the system’s graphics performance. We will return to that further down.&lt;br /&gt;&lt;br /&gt;The decision to put such a capable chip into the 780G has really two effects: From an application view, AMD increases the value of the chipset again, in a similar way Windows Vista devalued it: When Vista launched, your average chipsets, especially Intel’s 915 and 945 were pretty much useless, since they couldn’t run the software’s fancy eye candy. So you had to go with a 256 MB discrete graphics card and it is still a good idea to do so today. However, the 780G brings up the performance to a pre-Vista time and lends chipsets new credibility.&lt;br /&gt;&lt;br /&gt;However, on the other side, if that chipset is good enough for Vista, why would you or an OEM keep using a $50 graphics card, if a $19 chipset does the job just as well? AMD’s corporate vice president and general manager of the firm’s chipset division, Phil Eisler, conceded to TG Daily that there is a certain danger that the company could shoot itself in the foot with this chip: This chip could cannibalize discrete sales. 
“We have had an internal debate about that,” he said. We have no doubt about that, especially since this chipset is claimed to play back HD DVD and Blu-ray without problems (something you only could do with a high-end graphics card 18 months ago) and to run almost any mainstream PC game out there. AMD itself calls the 780G “the by far fastest motherboard GPU we have ever built.” So, if the 780G is really that good, it is a clear money saving opportunity for OEMs, which potentially could drop discrete graphics cards from their systems – not just Nvidia cards, but ATI Radeon cards as well.&lt;br /&gt;&lt;br /&gt;From that perspective, the decision to use a full R620 core for the 780G is a risky play, but it will also challenge Intel and Nvidia. Intel, of course, is the main target and AMD claims that the 780G is more than twice as fast as Intel’s G35 under 3DMark06, almost three times as fast under 3DMark05 and achieves frame rates of 27 fps under Crysis (1024x768), 43 fps under Call of Duty 4, 40 fps under Half-Life 2 and 35 fps under Doom 3.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Hybrid Graphics&lt;/strong&gt;&lt;br /&gt;&lt;/span&gt;&lt;img src="http://bp3.blogger.com/_wjSazwqws3I/R89RvzhXY3I/AAAAAAAAAQo/tBACAyhtSJY/s400/780g_boards_425.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5174444378597843826" /&gt;&lt;br /&gt;&lt;span&gt;&lt;span&gt;780G motherboards&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span&gt;To compensate for the risk of selling fewer discrete cards, Eisler believes OEMs and consumers will take advantage of the new Hybrid Graphics technology. The goal of every chip manufacturer is to sell more chips every quarter, so it shouldn’t be too surprising that AMD and Nvidia are linking integrated graphics chipsets with discrete graphics.&lt;br /&gt;&lt;br /&gt;The concept itself is enticing: You can upgrade your $19 chipset with, for example, a Radeon HD 3450 graphics card, which currently sells for about $55 in U.S. 
retail: AMD promises that the addition of the graphics card will more than double the graphics performance of the system. Compared to a non-hybrid graphics system with just a HD 3450 graphics card, the 780G will add about 70% of the 3450’s performance.&lt;br /&gt;&lt;br /&gt;To illustrate the performance gain, AMD claims that the above mentioned frame rates will substantially increase in a hybrid graphics environment: Crysis will see 32 fps, Call of Duty 4 73 fps, Half-Life 2 68 fps and Doom 3 60 fps.&lt;br /&gt;&lt;br /&gt;The problem in this scenario really is that buyers of $399-$499 PCs don’t upgrade their graphics, which means that OEMs will have to install the graphics cards in the first place. Margins are extremely tight in this space anyway, so why would they spend an extra $30-$50 for a graphics card, especially if the 780G is already good enough to run most games and Vista?&lt;br /&gt;&lt;br /&gt;A partial answer may be that graphics performance simply sells. And that $499 PC may not have a discrete card, but a $599 or $649 PC may have Hybrid graphics installed. Eisler believes that two out of three PCs using the 780 chipset will use the chipset only, whereas the remaining third of PCs will include an additional graphics card.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Conclusion&lt;br /&gt;&lt;br /&gt;I'm not sure whether it is a smart move on AMD’s side to use a full R620 for the 780G chipset, which by the way is coupled with the SB700 Southbridge (basically a SB600 Southbridge with lower power consumption and improved connectivity). Vendors will have a close look at this one and if they can save a few bucks, they will – no matter how great hybrid graphics is.&lt;br /&gt;&lt;br /&gt;From the consumer view, it may be worth your while looking at those reviews and see how well the chipset stacks up against other chipsets and entry-level discrete systems. 
It could save you a bundle of money on your next Vista home office PC.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;img src="http://bp0.blogger.com/_wjSazwqws3I/R89RwDhXY4I/AAAAAAAAAQw/pULUIWT4TN0/s400/silverstone-htpc_425.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5174444382892811138" /&gt;&lt;span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;Silverstone Prototype HTPC&lt;br /&gt;&lt;br /&gt;An interesting market for the 780G certainly is the home entertainment center PC (HTPC). If you think about those noisy boxes we have today, the idea of an entirely passively cooled system that is still capable of playing your HD movies and running a few games would be fantastic. It isn’t really surprising that AMD is especially pitching this idea, even if the company has to concede that the success and failure of HTPCs will not be decided by AMD – but by companies such as Comcast and AT&amp;amp;T, which do not provide the bandwidth that would be necessary to support decent HTPCs, as well as most Hollywood studios, which apparently still believe consumers will pay $20 for a DRM-riddled movie download.&lt;br /&gt;&lt;br /&gt;Technically, the 780G chipset is a great platform for a HTPC. 
Realistically, the HTPC will not become mainstream in 2008, no matter how badly AMD wants this to happen.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-3124974161012969630?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/3124974161012969630/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=3124974161012969630' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/3124974161012969630'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/3124974161012969630'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2008/03/amds-chipset-game-rien-ne-vas-plus.html' title='AMD&apos;s chipset game: Rien ne vas plus'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_wjSazwqws3I/R89QejhXY1I/AAAAAAAAAQY/UatQcIfFfLU/s72-c/amd_markham_425.jpg' height='72' width='72'/><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-662126982263813578</id><published>2008-02-21T20:22:00.000-08:00</published><updated>2008-02-21T20:45:24.952-08:00</updated><title type='text'></title><content type='html'>&lt;div align="justify"&gt;&lt;div align="justify"&gt;&lt;div align="justify"&gt;&lt;div align="justify"&gt;&lt;div align="left"&gt;&lt;div align="right"&gt;&lt;div align="center"&gt;&lt;div 
align="justify"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_wjSazwqws3I/R75OzxwFpeI/AAAAAAAAAKI/ZlHTzsLNcJQ/s1600-h/vialogo.jpg"&gt;&lt;img src="http://bp0.blogger.com/_wjSazwqws3I/R75OzxwFpeI/AAAAAAAAAKI/ZlHTzsLNcJQ/s200/vialogo.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5169656073703237090" /&gt;&lt;/a&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Isaiah revealed: VIA's new low-power architecture&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;And then there were three&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;So much of the PC world's coverage is focused on the horse race between Intel and its archrival AMD that we often forget about the other x86 processor company out there, the one that's still well-known among the crowd of tweakers, hackers, and enthusiasts who build their own home firewall boxes and in-car PCs. I'm talking, of course, about VIA, maker of the low-power, low-cost, and also relatively low-performance x86 processors at the heart of many special-purpose DIY boxes. 
VIA's processors, designed by the company's Centaur subsidiary, focus on keeping costs and power down at the expense of performance.&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;VIA's newly launched processor architecture, known for the last three years by its codename, "Isaiah," will keep the company's focus on cost and power intact while taking things in a substantially different direction. In short, this year will see something truly odd happen on the low end of the x86 market: VIA and Intel will, architecturally speaking, switch places. Intel will take a giant step down the power/performance ladder with the debut of Silverthorne/Diamondville, its first in-order x86 processor design since the original Pentium, while VIA will attempt to move up into Intel's territory with its first-ever out-of-order, fully buzzword-compliant processor, codenamed Isaiah.&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;In this brief article, I'll give an overview of Isaiah and of what VIA hopes to accomplish with this new design. Most of the high-level details of Isaiah have been known since at least 2004, when VIA began publicizing the forthcoming processor's general feature list (i.e., 64-bit support, out-of-order execution, vector processing, memory disambiguation, and others). 
So I'll focus here on a recap of those features and on a broader look at the market that VIA is headed into.&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;Introducing Isaiah&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;                                                                                              &lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;The Isaiah processor, which was first unveiled at the Fall Processor Forum in 2004, will start shipping in the spring of this year. The new-from-the-ground-up processor is fabricated on an unnamed 65nm process (VIA isn't ready to reveal who its foundry is) and at some point at a year or more out, it will shift to 45nm. As is typical of VIA, the company will use process shrinks to gain cost and power advantages, and not to increase performance by ramping up clockspeed. "Good enough" performance is the goal, and now that the company has made the leap to out-of-order execution (see below) it can focus on maturing the basic Isaiah design by eliminating bottlenecks when they do core revisions.                  
&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;  &lt;/span&gt;&lt;img src="http://bp1.blogger.com/_wjSazwqws3I/R75PgBwFpgI/AAAAAAAAAKY/fmRA4I2u99E/s400/IsaiahDiePlot.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5169656833912448514" /&gt;&lt;span style="font-family:trebuchet ms;"&gt;Die plot of the Isaiah&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;(Note: Much of the language in VIA's architecture white paper stresses that this or that feature is characteristic of the "initial" Isaiah architecture, with "initial" in italics for extra stress in some cases. VIA has also said a number of times, both in the white paper and in my conversation with them, how much they've learned in designing and implementing Isaiah over the past few years. So we can expect parameters like decode width, issue width, buffer depth, and so on to change with the next core revision.)&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;Isaiah is pin-compatible with existing C7 processors, and VIA is promising two to four times the performance of C7 while staying within the same power and thermal envelope. 
The company also says that Isaiah will sell for about the same price as existing C7 parts, which means that VIA parts will continue to be favorites with the small form factor crowd that builds Mini-, Nano-, and Pico-ITX systems.&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;Though the current Isaiah parts are single-core, VIA assured me that it does have a dual-core variant in the works, but  wouldn't say much more. Isaiah was designed with dual-core in mind, and Centaur's president, Glenn Henry, suggested that a dual-core part would probably happen at the 45nm node.&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;Isaiah also brings to VIA's line-up support for the latest and greatest in the alphabet soup of x86 ISA extensions that AMD and Intel have introduced over the past few years. Intel's virtualization extensions are supported in the new processor, as are the various SSE flavors.&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;The new processor also contains some added support for security features, like an on-board random number generator, hardware acceleration for popular crypto algorithms, and a "secure execution mode" that lets instructions access a private "volatile secure memory" (VSM) area on the chip. This added mode and special memory pool are both unique to VIA products, so I don't know enough about them to go into any detail on them. 
It's likely that they may find use in some application-specific embedded situations.&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;Isaiah's front end&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;The shift to out-of-order execution means that Isaiah joins the rest of the modern x86 processors in breaking down long, variable-length x86 instructions into shorter, uniform micro-ops (or "uops"). This uop translation means that Isaiah's front-end pipeline is now fairly bulky and features the stages and hardware that readers of &lt;/span&gt;&lt;a href="http://store.arstechnica.com/index.asp?PageAction=VIEWPROD&amp;ProdID=16"&gt;&lt;span style="font-family:trebuchet ms;"&gt;my book&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:trebuchet ms;"&gt; or my past processor articles will recognize from comparable Intel and AMD designs.&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span style="font-family:trebuchet ms;"&gt;                                      &lt;/span&gt;&lt;img src="http://bp2.blogger.com/_wjSazwqws3I/R75QzRwFphI/AAAAAAAAAKg/i8x7dS1S-WM/s400/IsaiahArchitecture.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5169658264136558098" /&gt;&lt;span style="font-family:trebuchet ms;"&gt; &lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;                                          Isaiah's architecture. 
Image source: VIA&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;Isaiah fetches instructions into a two-cycle decode phase that can take in three x86 instructions of any size or type per cycle. VIA claims that the decode phase can do both Conroe-style macro-fusion of some x86 instruction combinations, like compare and jump, and micro-ops fusion of instructions that use different issue ports. As is the case in Intel's Conroe (also known as the Core 2 Duo), these two types of fusion cut down on the amount of bookkeeping logic needed to track in-flight instructions.&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;                                     &lt;/span&gt;&lt;img src="http://bp0.blogger.com/_wjSazwqws3I/R75RIxwFpiI/AAAAAAAAAKo/-f88gVbtYsQ/s400/branch.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5169658633503745570" /&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;                                      &lt;/span&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Isaiah architecture branch prediction. Image source: VIA&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;Recent years have shown that for more deeply pipelined out-of-order machines, branch prediction is one of the places where microarchitects get the best power/performance return-on-investment for transistors spent. 
So like its competition from Intel and AMD, Isaiah spends quite a few resources on branch prediction in both the fetch and decode phases of its pipeline. The processor has a total of eight branch predictors spread out over two of its fetch and translate/decode stages, each of which targets a different type of branch, and all of which vote to determine the prediction and branch target for speculative execution.&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Isaiah's back end&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;Isaiah's decode phase passes instructions into a uop queue, where they fall into the processor's re-order buffer (ROB) for register renaming and allocation into reservation stations (RS). 
There's no word from VIA on how deep the ROB and RS buffers are, but if people are dying to know I can ask and I'm sure they will tell me.&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;The ROB + RS hardware, which is the heart of the out-of-order engine, issues up to seven instructions per cycle to any of seven execution units:&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;Two 64-bit integer units&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;Two 128-bit vector/floating-point units&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;Three load-store units (store-address, store-data, and load-data)&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;The FP/vector units, which VIA calls "media units," aren't symmetric; using a typical division of labor, one focuses on addition and the other on multiplication (and probably permutes). 
These FP/vector units have fairly robust floating-point capabilities—more so than I would expect from a processor that will mostly be used in embedded and low-power situations that typically see more integer-intensive, branchy code.&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;In particular, the FP units can do any type of floating-point add (vector, scalar, double-precision, or single-precision) in only two clocks—at least one clock less than the Core 2 Duo's three- or four-clock latency. The FP multiply hardware is similarly speedy, and is capable of executing single-precision multiplies in three clocks and double-precision multiplies in four.&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;VIA attributes this low FP latency to a "completely new algorithm" for floating-point adds, but I have my suspicions that Isaiah may also be sacrificing some clockspeed scaling headroom in order to keep its pipelines short. 
Even if it is, this won't affect it much, since the point of Isaiah is low power and not high clockspeeds.&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Data flow and cache hierarchy&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;On the data-flow side of the processor, Isaiah can do the kind of memory disambiguation that Intel's Core 2 Duo uses to commit memory writes out-of-order. Isaiah also can do store merging, where smaller writes are combined with larger writes in the write buffer and sent out to memory as a group.&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;Isaiah's cache hierarchy has some important differences from its competitors. Its 64K L1 instruction and data caches are twice as large as the typical 32K L1 caches of its competitors. The processor's L1 and 1MB L2 caches are also exclusive, meaning that data that resides in the L1 is not present in the L2, and vice versa. This exclusive design can have its drawbacks, but it makes the L1 + L2 function like a single, larger cache. Both the L1 and L2 caches are 16-way set associative.&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;Isaiah also has a special data prefetch cache that should help it save space in the regular cache hierarchy. 
Data that's prefetched doesn't typically get accessed more than once, so there's no need to take up regular cache space with it. The data prefetch cache solves this problem by putting prefetched data into a special 64-line cache.&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;&lt;span style="font-family:trebuchet ms;"&gt;Conclusions&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt; &lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;VIA is aiming Isaiah at the same segment that Intel, AMD, and ARM are targeting with their forthcoming processors: the so-called mobile Internet device (MID) and ultramobile PC (UMPC). Right now, the fate of the UMPC as a form factor has yet to be decided, so there's no guarantee that there will even be a market there for everyone to fight over. 
It's possible that the real action will be in the emerging flash-based laptop form factor (see the Asus Eee PC or Apple's new MacBook Air) or in the (increasingly ill-named) "smartphone" category.&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt; &lt;/span&gt;&lt;img src="http://bp2.blogger.com/_wjSazwqws3I/R75SCRwFpjI/AAAAAAAAAKw/dK2JQ1CyB8o/s400/wafer.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5169659621346223666" /&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;Regardless of what happens to the UMPC, though, 2008 will see a mix of low-power x86 devices, both in-order and out-of-order, from all three x86 players as they go head-to-head with the increasingly complex RISC processors from companies like ARM and MIPS that currently own the low-power space. ARM in particular will throw its hat into the out-of-order ring later this year with their forthcoming dual-core Cortex A9 processor. Whether any of the x86 contenders, whether they go out-of-order like VIA or in-order like Intel, can take on the reigning champ of the mobile and embedded space remains to be seen. 
But Isaiah looks like a worthy contender at the very least.&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;&lt;span style="font-family:trebuchet ms;"&gt;Appendix: making the leap to out-of-order&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;How could Isaiah possibly deliver on a two to four times performance increase over its predecessor in the same thermal and power envelope? Part of the answer is in the jump to 65nm, but tied up with that move is a change to the way that the processor executes instructions that's enabled by Isaiah's enlarged transistor budget. &lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;With its in-order design built on an aging but inexpensive 90nm process technology, the VIA C7 (codenamed Esther) and its predecessors have long lagged the x86 competition in terms of performance-enhancing microarchitectural features. Specifically, VIA's processors—even the ones launched as recently as 2005—have so far lacked the one crucial architectural feature that separates the Pentium from the Pentium Pro and that is the hallmark of almost all modern desktop- and server-oriented processor designs: an instruction window. 
&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;In a nutshell, an instruction window is what enables modern processors to dynamically reorganize the sequential instruction stream so that instructions can execute inside the processor in an order other than the one in which they were placed by a programmer. On an in-order processor like the C7, an instruction that takes a long time to execute or that's waiting for data can stall the processor so that no other work gets done until that instruction finishes executing. In contrast, an out-of-order processor with an instruction window can allow instructions to flow around the problem instruction so that the processor continues to work; the instruction window's bookkeeping apparatus enables it to put the instructions back into their original order before writing their results out to programmer-visible memory. &lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;As you might imagine, an instruction window is fairly complex to implement, and the costs associated with the bookkeeping apparatus described above don't even tell the whole story. Because an out-of-order core can reorder and track only small, uniform instructions, the long, variable-length x86 instructions that come into the processor must be broken down into a series of uniform instructions called micro-ops. So the front end of the processor, which is the part that prepares the variable-length x86 instructions for execution, also balloons with extra translation and decoding hardware. 
&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;All told, the transition from in-order to out-of-order is a massive leap in hardware complexity and size for an x86 processor, which is why it has taken the power-conscious VIA line so long to get here. Conversely, jettisoning all of that extra hardware can save tons of die space and power, which is why Intel's forthcoming mobile-oriented Silverthorne/Diamondville processor is an in-order design.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-662126982263813578?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/662126982263813578/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=662126982263813578' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/662126982263813578'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/662126982263813578'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2008/02/isaiah-revealed-vias-new-low-power.html' title=''/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_wjSazwqws3I/R75OzxwFpeI/AAAAAAAAAKI/ZlHTzsLNcJQ/s72-c/vialogo.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-1221017293342649493</id><published>2008-02-21T20:15:00.000-08:00</published><updated>2008-02-21T20:17:09.419-08:00</updated><title type='text'></title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_wjSazwqws3I/R75MuRwFpdI/AAAAAAAAAKA/P1KIqUrpmhw/s1600-h/mslogo-1.jpg"&gt;&lt;img src="http://bp2.blogger.com/_wjSazwqws3I/R75MuRwFpdI/AAAAAAAAAKA/P1KIqUrpmhw/s200/mslogo-1.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5169653780190701010" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div align="justify"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;Microsoft's 'Centro' SMB bundle renamed&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Microsoft will release a public beta version of a server software bundle for medium-size businesses, code-named ‘Centro,’ in the first half of next year.&lt;br /&gt;Centro is intended to make it simpler for businesses with limited IT management resources to install and control key software tools. The bundle will go on sale in the second half of next year as Windows Essential Business Server, the director of product planning in the company's server and tools division, Russ Madlener, said Wednesday.&lt;br /&gt;&lt;br /&gt;The product, now in a private beta, is based on Windows Server 2008 (formerly Longhorn), the company's next major server operating system update due for release next year.&lt;br /&gt;&lt;br /&gt;Essential Business Server is intended for businesses with 25 to 250 PCs. 
Since system administrators in companies of that size often have a wide remit of IT duties, Microsoft has tried to simplify management and deployment of the software bundle, the company said.&lt;br /&gt;&lt;br /&gt;For example, Windows Essential Business Server has one administration console, and other independent software vendors can write applications that can be managed through that console, Madlener said.&lt;br /&gt;&lt;br /&gt;Security vendor Symantec will integrate its Backup Exec and Endpoint Protection products into Essential Business Server's management console. Other companies that have committed to integrating with the server include Citrix, CA, CommVault, Trend Micro, FullArmor, McAfee and Quest, Microsoft said.&lt;br /&gt;Essential Business Server will come in two editions, Standard and Premium. The Standard edition contains:&lt;br /&gt;Exchange Server 2007 for email; Microsoft's business email security product Forefront Security for Exchange; System Center Essentials for management, and Internet Security Acceleration Server 2006, a firewall and VPN gateway security product.&lt;br /&gt;&lt;br /&gt;The Premium version adds one of Microsoft's database products, SQL Server 2008.&lt;br /&gt;&lt;br /&gt;Microsoft has so far not released pricing for Essential Business Server, but Madlener indicated that it will likely be cheaper than buying separate licences for the included products.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-1221017293342649493?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/1221017293342649493/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=1221017293342649493' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/14928049/posts/default/1221017293342649493'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/1221017293342649493'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2008/02/microsofts-centro-smb-bundle-renamed.html' title=''/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_wjSazwqws3I/R75MuRwFpdI/AAAAAAAAAKA/P1KIqUrpmhw/s72-c/mslogo-1.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-1306512772135368769</id><published>2008-02-21T20:09:00.000-08:00</published><updated>2008-02-21T20:18:35.308-08:00</updated><title type='text'></title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_wjSazwqws3I/R75LUBwFpcI/AAAAAAAAAJ4/g1XPMpXwGD8/s1600-h/mslogo-1.jpg"&gt;&lt;img src="http://bp1.blogger.com/_wjSazwqws3I/R75LUBwFpcI/AAAAAAAAAJ4/g1XPMpXwGD8/s200/mslogo-1.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5169652229707507138" /&gt;&lt;/a&gt;&lt;span&gt;&lt;br /&gt;&lt;/span&gt;&lt;div align="justify"&gt;&lt;strong&gt;&lt;span&gt;&lt;span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span&gt;Microsoft opens up about new operating system&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span&gt;Microsoft has revealed details of the next version of its Windows OS for small businesses, and formally introduced a new product line aimed at small and mid-size businesses.&lt;/span&gt;&lt;span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span&gt;Microsoft Windows Small Business 
Server (SBS) 2008, formerly code-named "Cougar," is one of two software bundles in Microsoft's new Windows Essential Server Solutions line; it also includes Windows Essential Business Server 2008, formerly code-named &lt;a href="http://tommyndut.blogspot.com/2008/02/microsofts-centro-smb-bundle-renamed.html"&gt;"Centro"&lt;/a&gt; and aimed at mid-sized companies. Both products are based on the same code as Windows Server 2008, the next version of Microsoft's enterprise server OS.&lt;/span&gt;&lt;span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span&gt;The products in the Essential line bundle a server OS with other software products that Microsoft deems necessary to running a business - such as Microsoft's messaging software, Exchange Server and security products - to provide what Microsoft describes as an all-in-one, easy-to-install software stack for companies that may only have a small IT support staff.&lt;/span&gt;&lt;span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span&gt;SBS 2008 is aimed at companies with up to 50 PCs and includes one-year trial subscriptions to Microsoft Forefront Security for Exchange Server Small Business Edition and Windows Live OneCare for Server.&lt;/span&gt;&lt;span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span&gt;The software also provides integration with Microsoft's web-based service, Microsoft Office Live Small Business, to help companies set up and manage websites and web-based collaboration workspaces for employees. Support for Windows Mobile devices, so employees can access business information and email remotely, also is bundled in.&lt;/span&gt;&lt;span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span&gt;According to Microsoft, it designed SBS 2008 for simplified deployment, set-up and administration from one management console that administrators can access remotely. 
The software also comes in a premium edition for companies that need more heavy lifting from their business software.&lt;/span&gt;&lt;span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span&gt;SBS 2008 will be demonstrated on hardware from Dell at Microsoft's event later this month in Los Angeles, in which Microsoft will highlight a triptych of releases - Windows Server 2008, Visual Studio 2008 and SQL Server 2008. Both SBS 2008 and Windows Essential Business Server 2008 are scheduled to be available in the second half of 2008.&lt;/span&gt;&lt;span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span&gt;Windows Essential Business Server 2008, which Microsoft has previously discussed, also is intended to make it simpler for businesses with limited IT management resources to install and control critical software tools. The product is aimed at businesses with 25 to 250 PCs and is currently in beta.&lt;/span&gt;&lt;span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span&gt;Like SBS 2008, Windows Essential Business Server 2008 also has a single management console for administrators. However, unlike SBS 2008, third parties can integrate their products into the console so they can be managed from it as well. 
In fact, Microsoft has already said that Symantec, Citrix, CA, Trend Micro, FullArmor, McAfee and Quest are among the companies that will integrate products with the software.&lt;/span&gt;&lt;span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span&gt;"Based on our conversations with customers and partners, we felt the mid-market IT is a much different customer than a small-business owner, so we wanted to respect that in the way we designed the management UI for each product," said Steven VanRoekel, senior director in the server and tools division at Microsoft.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-1306512772135368769?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/1306512772135368769/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=1306512772135368769' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/1306512772135368769'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/1306512772135368769'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2008/02/microsoft-opens-up-about-new-operating.html' title=''/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_wjSazwqws3I/R75LUBwFpcI/AAAAAAAAAJ4/g1XPMpXwGD8/s72-c/mslogo-1.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-1754143848893737757</id><published>2008-02-21T19:36:00.000-08:00</published><updated>2008-02-21T20:04:01.134-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='OS'/><category scheme='http://www.blogger.com/atom/ns#' term='Windows'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><title type='text'>Operating Systems and Servers News</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_wjSazwqws3I/R75JnBwFpZI/AAAAAAAAAJg/sD5h6osJOf0/s1600-h/mslogo-1.jpg"&gt;&lt;img src="http://bp1.blogger.com/_wjSazwqws3I/R75JnBwFpZI/AAAAAAAAAJg/sD5h6osJOf0/s200/mslogo-1.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5169650357101766034" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;Microsoft pulls buggy Vista SP1 update files&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;Responding to reports of endlessly rebooting PCs that flooded support newsgroups last week, Microsoft has said that it had pulled an update designed to prep Windows Vista for Service Pack 1.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;Although the update - actually a pair of prerequisite files that modify Vista's install components - has been temporarily pulled from Windows Update, Microsoft has not yet produced a fix for users whose machines either won't boot or reboot constantly.&lt;br /&gt;&lt;br /&gt;"Immediately after receiving reports of this error, we made the decision to temporarily suspend automatic distribution of the update to avoid further customer impact while we investigate possible causes," said Nick White, a Vista program manager, in a post to the company's blog Tuesday afternoon.&lt;br /&gt;&lt;br 
/&gt;White downplayed the problem. "So far, we've been able to determine that this problem only affects a small number of customers in unique circumstances. We are working to identify possible solutions and will make the update available again shortly after we address the issue."&lt;br /&gt;&lt;br /&gt;According to White, Update 937287 was the cause of the problem. In a support document, Microsoft describes that update as one for Vista's installation software, "the component that handles the installation and the removal of software updates, language packs, optional Windows features and service packs." Along with a companion update pushed to users starting February 12, and another that was offered to machines running Vista Ultimate and Vista Business in January, the guilty update is required before Vista can be upgraded to Service Pack 1 (SP1).&lt;br /&gt;&lt;br /&gt;Shortly after the two prerequisites hit Windows Update last week, users began reporting problems on Microsoft's support newsgroups. Most said that the update hung as the message "Configuring Updates Step 3 of 3 - 0% Complete" appeared on the screen. When users rebooted hoping to clear the error, their PCs went into an endless cycle of reboots. A smaller number of users said that their computers refused to boot normally.&lt;br /&gt;&lt;br /&gt;Some users have been able to regain control by booting from a Vista install DVD and selecting the "Restore from a previous restore point" option.&lt;br /&gt;&lt;br /&gt;It's uncertain whether Microsoft knows exactly why Update 937287 is hammering PCs. Even after White posted the company statement to the Vista blog, Darrell Gorter, a Microsoft employee, was asking users to send him system logs. "I still need more log files for the investigations that we are doing," Gorter said in a message on the support newsgroup. Late last week, Gorter made a similar request on the same message board.&lt;br /&gt;&lt;br /&gt;Also unclear is the actual extent of the problem. 
Although White called the number "small," the traffic on the Vista SP1 newsgroup is heavy. One thread had been viewed more than 35,500 times by late Tuesday.&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-1754143848893737757?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/1754143848893737757/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=1754143848893737757' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/1754143848893737757'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/1754143848893737757'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2008/02/operating-systems-and-servers-news.html' title='Operating Systems and Servers News'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_wjSazwqws3I/R75JnBwFpZI/AAAAAAAAAJg/sD5h6osJOf0/s72-c/mslogo-1.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-650588236536370469</id><published>2008-02-21T19:32:00.000-08:00</published><updated>2008-02-21T20:06:01.754-08:00</updated><title type='text'>Microsoft Makes Strategic Changes in Technology and Business Practices to Expand 
Interoperability</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_wjSazwqws3I/R75KDRwFpaI/AAAAAAAAAJo/K5VYyBQuhA4/s1600-h/mslogo-1.jpg"&gt;&lt;img src="http://bp2.blogger.com/_wjSazwqws3I/R75KDRwFpaI/AAAAAAAAAJo/K5VYyBQuhA4/s200/mslogo-1.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5169650842433070498" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div align="justify"&gt;&lt;span&gt;&lt;strong&gt;&lt;span&gt;&lt;br /&gt;New interoperability principles and actions will increase openness of key products.&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;br /&gt;&lt;br /&gt;REDMOND, Wash. — Feb. 21, 2008 — Microsoft Corp. today announced a set of broad-reaching changes to its technology and business practices to increase the openness of its products and drive greater interoperability, opportunity and choice for developers, partners, customers and competitors.&lt;br /&gt;&lt;br /&gt;Specifically, Microsoft is implementing four new interoperability principles and corresponding actions across its high-volume business products: (1) ensuring open connections; (2) promoting data portability; (3) enhancing support for industry standards; and (4) fostering more open engagement with customers and the industry, including open source communities.&lt;br /&gt;&lt;br /&gt;“These steps represent an important step and significant change in how we share information about our products and technologies,” said Microsoft chief executive officer Steve Ballmer. “For the past 33 years, we have shared a lot of information with hundreds of thousands of partners around the world and helped build the industry, but today’s announcement represents a significant expansion toward even greater transparency. 
Our goal is to promote greater interoperability, opportunity and choice for customers and developers throughout the industry by making our products more open and by sharing even more information about our technologies.”&lt;br /&gt;&lt;br /&gt;According to Ray Ozzie, Microsoft chief software architect, the company’s announcement reflects the significance that individuals and businesses place upon the ease of information-sharing. As heterogeneity is the norm within enterprise architectures, interoperability across applications and services has become a key requirement.&lt;br /&gt;&lt;br /&gt;“Customers need all their vendors, including and especially Microsoft, to deliver software and services that are flexible enough such that any developer can use their open interfaces and data to effectively integrate applications or to compose entirely new solutions,” said Ozzie. “By increasing the openness of our products, we will provide developers additional opportunity to innovate and deliver value for customers.”&lt;br /&gt;&lt;br /&gt;“The principles and actions announced today by Microsoft are a very significant expansion of its efforts to promote interoperability,” said Manfred Wangler, vice president, Corporate Research and Technology, Software and Engineering, Siemens. “While Microsoft has made considerable progress on interoperability over the past several years, including working with us on the Interoperability Executive Customer Council, today’s news takes Microsoft’s interoperability commitment to a whole new level.”&lt;br /&gt;&lt;br /&gt;“The interoperability principles and actions announced today by Microsoft will benefit the broader IT community,” said Thomas Vogel, head, Information Management, Novartis Pharma. “Ensuring open connections to Microsoft’s high-volume products presents significant opportunities for the vast majority of software developers, which will help foster greater interoperability, opportunity and choice in the marketplace. 
We look forward to a constructive, structured, and multilateral dialogue to ensure stakeholder-driven evolution of these principles and actions.”&lt;br /&gt;&lt;br /&gt;The interoperability principles and actions announced today apply to the following high-volume Microsoft products: Windows Vista (including the .NET Framework), Windows Server 2008, SQL Server 2008, Office 2007, Exchange Server 2007, and Office SharePoint Server 2007, and future versions of all these products. Highlights of the specific actions Microsoft is taking to implement its new interoperability principles are described below.&lt;br /&gt;&lt;br /&gt;• Ensuring open connections to Microsoft’s high-volume products. To enhance connections with third-party products, Microsoft will publish on its Web site documentation for all application programming interfaces (APIs) and communications protocols in its high-volume products that are used by other Microsoft products. Developers do not need to take a license or pay a royalty or other fee to access this information. Open access to this documentation will ensure that third-party developers can connect to Microsoft’s high-volume products just as Microsoft’s other products do.&lt;br /&gt;• As an immediate next step, starting today Microsoft will openly publish on MSDN over 30,000 pages of documentation for Windows client and server protocols that were previously available only under a trade secret license through the Microsoft Work Group Server Protocol Program (WSPP) and the Microsoft Communication Protocol Program (MCPP). Protocol documentation for additional products, such as Office 2007 and all of the other high-volume products covered by these principles, will be published in the upcoming months.&lt;br /&gt;• Microsoft will indicate on its Web site which protocols are covered by Microsoft patents and will license all of these patents on reasonable and non-discriminatory terms, at low royalty rates. 
To assist those interested in considering a patent license, Microsoft will make available a list of specific Microsoft patents and patent applications that cover each protocol.&lt;br /&gt;• Microsoft is providing a covenant not to sue open source developers for development or non-commercial distribution of implementations of these protocols. These developers will be able to use the documentation for free to develop products. Companies that engage in commercial distribution of these protocol implementations will be able to obtain a patent license from Microsoft, as will enterprises that obtain these implementations from a distributor that does not have such a patent license.&lt;br /&gt;&lt;br /&gt;• Documenting how Microsoft supports industry standards and extensions. To increase transparency and promote interoperability, when Microsoft supports a standard in a high-volume product, it will work with other major implementers of the standard toward achieving robust, consistent and interoperable implementations across a broad range of widely deployed products.&lt;br /&gt;• Microsoft will document for the development community how it supports such standards, including those Microsoft extensions that affect interoperability with other implementations of these standards. This documentation will be published on Microsoft’s Web site and it will be accessible without a license, royalty or other fee. These actions will allow third-party developers implementing standards to understand how a standard is used in a Microsoft product and foster improved interoperability for customers. Microsoft will make available a list of any of its patents that cover any of these extensions, and will make available patent licenses on reasonable and non-discriminatory terms.&lt;br /&gt;&lt;br /&gt;• Enhancing Office 2007 to provide greater flexibility of document formats. 
To promote user choice among document formats, Microsoft will design new APIs for the Word, Excel and PowerPoint applications in Office 2007 to enable developers to plug in additional document formats and to enable users to set these formats as their default for saving documents.&lt;br /&gt;• Launching the Open Source Interoperability Initiative. To promote and enable more interoperability between commercial and community-based open source technologies and Microsoft products, this initiative will provide resources, facilities and events, including labs, plug fests, technical content and opportunities for ongoing cooperative development.&lt;br /&gt;• Expanding industry outreach and dialogue. An ongoing dialogue with customers, developers and open source communities will be created through an online Interoperability Forum. In addition, a Document Interoperability Initiative will be launched to address data exchange between widely deployed formats.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The Interoperability Executive Customer (IEC) Council, an advisory organization established in 2006 and consisting mainly of chief information and technology officers from more than 40 companies and government bodies around the world, will help guide Microsoft in its work under these principles and actions. The full text of Microsoft’s new Interoperability Principles, and a full list of the actions Microsoft is taking, can be found on &lt;a href="http://www.microsoft.com/interop"&gt;Microsoft’s Interoperability site.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The interoperability principles and actions announced today reflect the changed legal landscape for Microsoft and the IT industry. 
They are an important step forward for the company in its ongoing efforts to fulfill the responsibilities and obligations outlined in the September 2007 judgment of the European Court of First Instance (CFI).&lt;br /&gt;&lt;br /&gt;“As we said immediately after the CFI decision last September, Microsoft is committed to taking all necessary steps to ensure we are in full compliance with European law,” said Brad Smith, Microsoft general counsel. “Through the initiatives we are announcing, we are taking responsibility for implementing the principles in the interoperability portion of the CFI decision across all of Microsoft’s high-volume products. We will take additional steps in the coming weeks to address the remaining portion of the CFI decision, and we are committed to providing full information to the European Commission so it can evaluate all of these steps.”&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-650588236536370469?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/650588236536370469/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=650588236536370469' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/650588236536370469'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/650588236536370469'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2008/02/microsoft-makes-strategic-changes-in.html' title='Microsoft Makes Strategic Changes in Technology and Business Practices to Expand Interoperability'/><author><name>Ismoyo 
NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_wjSazwqws3I/R75KDRwFpaI/AAAAAAAAAJo/K5VYyBQuhA4/s72-c/mslogo-1.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-1215577877842271777</id><published>2008-02-21T18:57:00.000-08:00</published><updated>2008-02-21T20:07:15.187-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><title type='text'>Microsoft surprises with open source move</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_wjSazwqws3I/R75KYRwFpbI/AAAAAAAAAJw/HhpD5ZG2cn8/s1600-h/mslogo-1.jpg"&gt;&lt;img src="http://bp2.blogger.com/_wjSazwqws3I/R75KYRwFpbI/AAAAAAAAAJw/HhpD5ZG2cn8/s200/mslogo-1.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5169651203210323378" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div align="justify"&gt;&lt;div align="justify"&gt;&lt;span&gt;&lt;br /&gt;Microsoft, for so long regarded by some as the bad boy of the computer industry, has surprised many with the announcement that it is to make far-reaching changes to its technology and increase the openness of its products.&lt;br /&gt;&lt;br /&gt;In a major policy announcement, Redmond says it is planning on implementing four new interoperability principles and corresponding actions across its high-volume business products. 
These include “ensuring open connections; promoting data portability; enhancing support for industry standards; and fostering more open engagement with customers and the industry, including open source communities.”&lt;br /&gt;&lt;br /&gt;"These steps represent an important step and significant change in how we share information about our products and technologies," said Microsoft CEO Steve Ballmer. "...but today's announcement represents a significant expansion toward even greater transparency. Our goal is to promote greater interoperability, opportunity and choice for customers and developers throughout the industry by making our products more open and by sharing even more information about our technologies."&lt;br /&gt;&lt;br /&gt;"Customers need all their vendors, including and especially Microsoft, to deliver software and services that are flexible enough such that any developer can use their open interfaces and data to effectively integrate applications or to compose entirely new solutions," said Ray Ozzie, Microsoft chief software architect. "By increasing the openness of our products, we will provide developers additional opportunity to innovate and deliver value for customers."&lt;br /&gt;&lt;br /&gt;The interoperability principles and actions announced apply to most of Microsoft’s frontline products, including Vista (including the .NET Framework), as well as Windows Server 2008, SQL Server 2008, Office 2007, Exchange Server 2007, and Office SharePoint Server 2007, and future versions of all these products.&lt;br /&gt;&lt;br /&gt;Microsoft says it will specifically ensure open connections to its high-volume products, by publishing on its website documentation for all application programming interfaces (APIs) and communications protocols. 
Developers do not need to take a license or pay a royalty or other fee to access this information.&lt;br /&gt;&lt;br /&gt;"Starting today Microsoft will also openly publish on MSDN over 30,000 pages of documentation for Windows client and server protocols that were previously available only under a trade secret license through the Microsoft Work Group Server Protocol Program (WSPP) and the Microsoft Communication Protocol Program (MCPP). Protocol documentation for additional products, such as Office 2007 and all of the other high-volume products covered by these principles, will be published in the upcoming months."&lt;br /&gt;&lt;br /&gt;Microsoft said it would also indicate which protocols are covered by Microsoft patents and will license all of these patents on reasonable and non-discriminatory terms, at low royalty rates.&lt;br /&gt;&lt;br /&gt;Microsoft also revealed that it is providing a covenant not to sue open source developers for development or non-commercial distribution of implementations of these protocols. "These developers will be able to use the documentation for free to develop products. Companies that engage in commercial distribution of these protocol implementations will be able to obtain a patent license from Microsoft, as will enterprises that obtain these implementations from a distributor that does not have such a patent license."&lt;br /&gt;&lt;br /&gt;Redmond also said it would support industry standards and extensions, and will document for the development community how it supports such standards.&lt;br /&gt;&lt;br /&gt;Office 2007 will be enhanced to provide greater flexibility of document formats. 
This includes "designing new APIs for the Word, Excel and PowerPoint applications in Office 2007 to enable developers to plug in additional document formats and to enable users to set these formats as their default for saving documents."&lt;br /&gt;&lt;br /&gt;Microsoft's full statement can be read&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-1215577877842271777?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/1215577877842271777/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=1215577877842271777' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/1215577877842271777'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/1215577877842271777'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2008/02/microsoft-surprises-with-open-source.html' title='Microsoft surprises with open source move'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_wjSazwqws3I/R75KYRwFpbI/AAAAAAAAAJw/HhpD5ZG2cn8/s72-c/mslogo-1.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-7109686846934322284</id><published>2008-02-20T04:23:00.000-08:00</published><updated>2008-02-20T04:42:04.740-08:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='Politik'/><category scheme='http://www.blogger.com/atom/ns#' term='DPR setan'/><title type='text'>Aburizal Bakrie and the DPR, traitors to the people of Sidoarjo, East Java</title><content type='html'>&lt;div align="justify"&gt;OK, I usually post all sorts of things about computers. But then I read the front page of Jawa Pos, which said that the DPR has decided the Lapindo mud disaster was a natural phenomenon, not the result of human error. What the fuck........?????&lt;/div&gt;&lt;div align="justify"&gt; &lt;/div&gt;&lt;div align="justify"&gt;That statement came out after those gentlemen, traitors to the nation, held a plenary session after receiving a report from a (supposed) team of geology experts stating that the drilling carried out by PT Lapindo Brantas had followed procedure.&lt;/div&gt;&lt;div align="justify"&gt; &lt;/div&gt;&lt;div align="justify"&gt;Followed procedure, my ass!!!! &lt;/div&gt;&lt;div align="justify"&gt; &lt;/div&gt;&lt;div align="justify"&gt;That meeting was clearly full of collusion. Just look: the members at the meeting were mostly all from Golkar. Bakrie is Golkar too. So surely it was all arranged, in other words they were bribed by Bakrie.&lt;/div&gt;&lt;div align="justify"&gt; &lt;/div&gt;&lt;div align="justify"&gt;I can only pray that God Almighty truly hears the prayers of the people of Sidoarjo, and that Bakrie and his cronies get their worldly retribution soon, witnessed together by all the people of Indonesia, especially the people of Porong, Sidoarjo. 
Amen.&lt;/div&gt;&lt;div align="justify"&gt; &lt;/div&gt;&lt;div align="justify"&gt;Here is an article I took from the Jawa Pos edition of Wednesday, 20 February 2008&lt;/div&gt;&lt;div align="justify"&gt; &lt;/div&gt;&lt;div align="justify"&gt; &lt;/div&gt;&lt;div align="justify"&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;The DPR's Betrayal of the Lapindo Mud Victims&lt;/span&gt;&lt;/strong&gt;&lt;/div&gt;&lt;div align="justify"&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;&lt;/span&gt;&lt;/strong&gt; &lt;/div&gt;&lt;div align="justify"&gt;One of the conclusions delivered by the DPR's oversight team for the Sidoarjo Mud Mitigation Agency (BPLS) is that the mud disaster in Sidoarjo was a natural event or natural disaster. The mudflow that submerged more than three villages was not caused by any fault of Lapindo. This conclusion is very shocking, even very painful. It even deserves to be called a betrayal by the DPR of the people of Sidoarjo.&lt;/div&gt;&lt;div align="justify"&gt; &lt;/div&gt;&lt;div align="justify"&gt;In truth, the process of forming the mud disaster oversight team was full of controversy from the outset. Flawed from the start. The team was formed when no agreement was reached on the interpellation proposal, of which I was one of the initiators.&lt;/div&gt;&lt;div align="justify"&gt; &lt;/div&gt;&lt;div align="justify"&gt;At the time, several parties rejected the use of interpellation, and an oversight team was formed instead. 
From the beginning I objected to the formation of an oversight team whose membership was so heavily a product of compromise.&lt;/div&gt;&lt;div align="justify"&gt; &lt;/div&gt;&lt;div align="justify"&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;The Sidoarjo electoral district cast aside&lt;/span&gt;&lt;/strong&gt;&lt;/div&gt;&lt;div align="justify"&gt;I, as the main initiator of the Lapindo interpellation and also one of the DPR members representing the people of Sidoarjo, was not included in the oversight team. Because of that, I do not know clearly what the team did. What is clear is that the result is not only disappointing but also very painful for me: the Sidoarjo mud disaster is a natural event.&lt;/div&gt;&lt;div align="justify"&gt; &lt;/div&gt;&lt;div align="justify"&gt;I cannot understand how those "people's representatives" could make a decision that so deeply hurts the people of Sidoarjo. One faction in the DPR tried hard to include the element of Lapindo's negligence, or the existence of "human error", but that proposal was rejected.&lt;/div&gt;&lt;div align="justify"&gt; &lt;/div&gt;&lt;div align="justify"&gt;Rather surprisingly, the figures who formed the team that drafted the DPR's conclusions did not involve DPR members from the Sidoarjo electoral district. At the very least, the colleagues who have been actively fighting for the Sidoarjo mud case were not involved at all.&lt;/div&gt;&lt;div align="justify"&gt; &lt;/div&gt;&lt;div align="justify"&gt;The mud disaster in Sidoarjo, which has brought misery to tens of thousands of people, has turned out to be merely a "plaything" for some DPR members. 
They have no empathy or sympathy for the victims of the Lapindo mud, who have lived in misery for two years because of that accursed mud.&lt;/div&gt;&lt;div align="justify"&gt; &lt;/div&gt;&lt;div align="justify"&gt;They do not feel how severe the destruction of the community's economy is, or how hard things are for part of the people of East Java because of the mud eruption. 
It is fitting that the people increasingly distrust the DPR, which is supposed to represent the people's interests.&lt;/div&gt;&lt;div align="justify"&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Who Are Those Geology Experts?&lt;/span&gt;&lt;/strong&gt;&lt;/div&gt;&lt;div align="justify"&gt;The report delivered to the DPR's Bamus last week stated that, based on the testimony of most geology experts, the Lapindo mud eruption is a natural phenomenon. Surprisingly, it did not say which geology experts gave that misleading testimony.&lt;/div&gt;&lt;div align="justify"&gt; &lt;/div&gt;&lt;div align="justify"&gt;Nor did the report mention any fault on the part of Lapindo Brantas Inc in the oil and gas drilling process in the Sidoarjo area. It even gave the impression that the compensation payments made by Lapindo were an act of kindness by that large company.&lt;br /&gt;There are quite a few oddities in the handling of the mud case that has brought misery to many in East Java. The report was read out by H Tamam Achda, deputy chairman of P2LS from the FPP, who comes from West Java. Of the 29 team members, only 4 represent East Java electoral district I (Surabaya-Sidoarjo).&lt;br /&gt;&lt;/div&gt;&lt;div align="justify"&gt;I myself was not on that team, even though I have followed the issue intensively from the beginning. It can be said that the people's representatives from Sidoarjo were not given much of a role in the team. In fact, they knew nothing about how its conclusions were drafted.&lt;br /&gt;&lt;/div&gt;&lt;div align="justify"&gt;In matters concerning Aceh or Papua, DPR members from the region concerned are always involved. But in the matter of the Lapindo mud, the DPR members representing Sidoarjo were not involved. 
It is natural that some believe the DPR members representing the disaster area have been deliberately marginalized.&lt;br /&gt;&lt;/div&gt;&lt;div align="justify"&gt;Several members who have been quite vocal in criticizing the mud issue, such as Permadi and Pupung Suhari of the FPDIP, were not given the chance to defend the people of Sidoarjo. Pupung criticized the report delivered before the DPR's Bamus, which stated that Lapindo Brantas had carried out the drilling in accordance with procedure.&lt;br /&gt;&lt;/div&gt;&lt;div align="justify"&gt;The report gives reason to suspect large-scale collusion that brings misery to the people of Porong, Sidoarjo. But loud voices like this will not reach the public, because there is a systematic effort to cover it up. It is truly outrageous that the DPR is not on the side of the people of Sidoarjo.&lt;br /&gt;So it would be deeply regrettable if the P2LS team's report were accepted by the DPR plenary session. So, clearly, I will firmly reject this report, which is so misleading and hurtful to the people of Sidoarjo&lt;br /&gt;Djoko Susilo, DPR member from East Java electoral district I (Surabaya-Sidoarjo). Jawa Pos, Wednesday, 20 February 2008&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-7109686846934322284?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/7109686846934322284/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=7109686846934322284' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/7109686846934322284'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/7109686846934322284'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2008/02/aburizal-bakrie-dan-dpr-pengkhianat.html' title='Aburizal 
Bakrie and the DPR, traitors to the people of Sidoarjo, East Java'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-8831931350255099047</id><published>2008-02-19T14:51:00.000-08:00</published><updated>2008-02-19T15:13:16.962-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Tutorial'/><category scheme='http://www.blogger.com/atom/ns#' term='Networking'/><title type='text'>Everything you need to know about IPv6</title><content type='html'>Once upon a time...&lt;br /&gt;&lt;br /&gt;When the ARPANET was designed in the late 1960s, it was outfitted with a Network Control Protocol (NCP) that made it possible for the very different types of hosts connected to the network to talk with each other. However, it soon became clear that NCP was limiting in some ways, so work started on something better. The engineers decided that it made sense to split the monolithic NCP protocol into two parts: an Internet Protocol that allows packets to be routed between the different networks connected to the ARPANET, and a Transport Control Protocol that takes a data stream, splits it into segments and transmits the segments using the Internet Protocol. On the other side, the receiving Transport Control Protocol makes sure the segments are put together in the right order before they're delivered as a data stream to the receiving application. 
An important implication of this approach is that unlike, for instance, a phone connected to a wired or wireless phone network, a host connected to the ARPANET then and the Internet now must know its own address.&lt;br /&gt;&lt;br /&gt;TCP/IP has served us well since it was born in 1981, but for some time now it has been clear that the IP part has a limitation that makes continued growth of the Internet for decades to come problematic. In order to accommodate a large number of hosts but not waste too much space in the IP packet on overhead, the TCP/IP designers settled on an address size of 32 bits. With 32 bits, it's possible to express 4,294,967,296 different values. Over half a billion of those are unusable as addresses for various reasons, giving us a total of 3.7 billion possible addresses for hosts on the Internet. As of January 1, 2007, 2.4 billion of those were in (some kind of) use. 1.3 billion were still available and about 170 million new addresses are given out each year. So at this rate, 7.5 years from now, we'll be clean out of IP addresses; faster if the number of addresses used per year goes up.&lt;br /&gt;&lt;img src="http://bp1.blogger.com/_wjSazwqws3I/R7tfAxwFpOI/AAAAAAAAAII/nGlV4AyaNXI/s400/1993.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5168829464297448674" /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;img src="http://bp0.blogger.com/_wjSazwqws3I/R7tfOhwFpPI/AAAAAAAAAIQ/A4pyYOgAPEE/s400/2000.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5168829700520649970" /&gt;&lt;br /&gt;&lt;br /&gt;&lt;img src="http://bp1.blogger.com/_wjSazwqws3I/R7tfexwFpQI/AAAAAAAAAIY/vBwC7ham7OU/s400/2007.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5168829979693524226" /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;The feasibility of an open IPv4 market&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;This is usually when someone brings up NAT. 
Home routers (and a lot of enterprise equipment) use a technique called "network address translation" so that a single IP address can be shared by a larger number of hosts. The discussion usually goes like this:&lt;br /&gt;&lt;br /&gt;"Use NAT, n00b. All 1337 of my Linux boxes share a single IP and it's safer, too!"&lt;br /&gt;&lt;br /&gt;"NAT is not a firewall."&lt;br /&gt;&lt;br /&gt;"NAT sucks."&lt;br /&gt;&lt;br /&gt;"You suck."&lt;br /&gt;&lt;br /&gt;So what about NAT?&lt;br /&gt;&lt;br /&gt;Hosts behind a NAT device get addresses in the 10.0.0.0, 172.16.0.0, or 192.168.0.0 address blocks that have been set aside for private use in RFC 1918. The NAT device replaces the private address in packets sent by the hosts in the internal network with its own address, and the reverse for incoming packets. This way, multiple computers can share a single public address. However, NAT has several downsides. First of all, incoming connections don't work anymore, because when a session request comes in from the outside, the NAT device doesn't know which internal host this request should go to. This is largely solvable with port mappings and protocols like UPnP and NAT-PMP.&lt;br /&gt;&lt;br /&gt;IPv4 address ranges&lt;br /&gt;Class A: 1.0.0.1 to 126.255.255.254&lt;br /&gt;Class B: 128.1.0.1 to 191.255.255.254&lt;br /&gt;Class C: 192.0.1.1 to 223.225.254.254&lt;br /&gt;Class D: 224.0.0.0 to 239.255.255.255 — reserved for multicast groups&lt;br /&gt;Class E: 240.0.0.0 to 254.255.255.254 — reserved&lt;br /&gt;&lt;br /&gt;Things get even trickier for applications that need referrals. NAT also breaks protocols that embed IP addresses. For instance, with VoIP, the client computer says to the server, "Please send incoming calls to this address." Obviously this doesn't work if the address in question is a private address. Working around this requires a significant amount of special case logic in the NAT device, the communication protocol, and/or the application. 
For this reason and a few others, most of the people who participate in the Internet Engineering Task Force (IETF) don't care much for NAT.&lt;br /&gt;&lt;br /&gt;More to the point, NAT is already in wide use, and apparently we still need 170 million new IP addresses every year.&lt;br /&gt;&lt;br /&gt;In the early days of the Internet, some organizations got excessively large address blocks. For instance, IBM, Xerox, HP, DEC, Apple and MIT all received "class A" address blocks of nearly 17 million addresses. (So HP, which acquired DEC, has more than 33 million addresses.) However, reclaiming those blocks would be a huge effort and only buy us a few more years: we currently burn through a class A block in five weeks. It's debatable how long we can make the IP address space last, especially as more and more devices, such as VoIP phones, become Internet-connected, but you can only keep squeezing the toothpaste tube for so long before it makes sense to buy a new one, even if the old one isn't technically empty. So in the early 1990s, the IETF started its  "IP next generation" effort.&lt;br /&gt;&lt;br /&gt;Larger addresses&lt;br /&gt;&lt;br /&gt;The IPng project eventually resulted in IPv6 in 1995. In addition to the source and destination addresses and other housekeeping information, each IP packet contains a version number. For reasons lost in the mists of time, current IP packets have version number 4, and the first version number available for the new protocol was 6. So the old IP is now called IPv4, and the new IP IPv6. Apart from autoconfiguration and a lot of minor details that are best left to another article, IPv6 first and foremost sports larger addresses. Much larger addresses. 40 or 48 bits would have given us more than a trillion or even 281 trillion addresses, respectively, and 64 bits would have been a nice round number. But as the axiom goes, once bitten, twice shy, so the IETF opted for 128 bits this time around. 
The total number of possible addresses that this gives us:&lt;br /&gt;&lt;br /&gt;340,282,366,920,938,463,463,374,607,431,768,211,456&lt;br /&gt;&lt;br /&gt;To put this into perspective: there are currently 130 million people born each year. If this number of births remains the same until the sun goes dark in 5 billion years, and all of these people live to be 72 years old, they can all have 53 times the address space of the IPv4 Internet for every second of their lives. Let nobody accuse the IETF of being frugal this time around.&lt;br /&gt;&lt;br /&gt;IPv4 addresses are written down by splitting them into four 8-bit values and putting periods between those, for instance, 192.0.2.31. IPv6 addresses, on the other hand, are written down as eight 16-bit values with colons between them, and each 16-bit value is displayed in hexadecimal, i.e., using numbers and the letters A - F. For example, 2001:db8:31:1:20a:95ff:fef5:246e. It's not uncommon for IPv6 addresses to have a sequence of consecutive zeroes. In these cases, exactly one of those sequences can be left out. So 2001:db8:31:0:0:0:0:1 becomes 2001:db8:31::1 and the IPv6 loopback address 0:0:0:0:0:0:0:1 becomes ::1.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Stateless autoconfiguration&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;img src="http://bp1.blogger.com/_wjSazwqws3I/R7tgpxwFpRI/AAAAAAAAAIg/Iwmq3HlXPC8/s400/autoconfig.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5168831268183713042" /&gt;&lt;br /&gt;&lt;br /&gt;Although in most regards, IPv6 is still IP and works pretty much the same as IPv4, the new protocol departs from IPv4 in some ways. With IPv4, you need a DHCP server to tell you your address if you don't want to resort to manual configuration. This works very well if there's a single DHCP server, but not so much when there's more than one and they supply conflicting information. 
It can also be hard to get a system to have the same address across reboots with DHCP.&lt;br /&gt;&lt;br /&gt;With IPv6, DHCP is largely unnecessary because of stateless autoconfiguration. This is a mechanism whereby routers send out "router advertisements" (RAs) that contain the upper 64 bits of an IPv6 address, and hosts generate the lower 64 bits themselves in order to form a complete address.&lt;br /&gt;&lt;br /&gt;Traditionally, the bottom 64 bits of an IPv6 address are generated from a MAC address by flipping a bit and adding the bits ff:fe in the middle. So the Ethernet MAC address 00:0a:95:f5:24:6e results in 20a:95ff:fef5:246e as the lower 64 bits of an IPv6 address, called the "interface identifier" in IPv6 parlance. This way, if all the routers send out the same prefix for the upper 64 bits, the host will always configure the same IPv6 address for itself. No configuration is required, either on the host or a DHCP server. Alternatively, a host may generate its IPv6 address using a random number so its MAC address remains hidden from the rest of the Internet. Windows uses this type of address for outgoing sessions to aid privacy. Other operating systems can also generate these temporary addresses (a new one is generated every 24 hours) but don't do so by default.&lt;br /&gt;&lt;br /&gt;When a router sends out several address prefixes, or several routers send out different address prefixes, hosts simply create addresses from each of those prefixes. Routers can make the hosts connected to them renumber their IPv6 addresses by removing the old prefix and advertising a new one. When done right, this is completely seamless.&lt;br /&gt;&lt;br /&gt;Although the DHCPv6 protocol (the IPv6 version of DHCP) can give out IPv6 addresses the same way IPv4 DHCP servers give out IPv4 addresses, I haven't encountered any DHCPv6 servers or DHCPv6 clients that support this capability. 
With IPv6, DHCP is mostly used to distribute additional information, such as DNS server addresses, although there will be a way to do this through router advertisements as well soon, further diminishing the need for DHCP in IPv6.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Special address types&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;In addition to regular "global unicast" addresses as discussed on the previous page, IPv6 has several other types of addresses. I don't want to mention them all, but the three most important special purpose address types are:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Link local&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Link local addresses are used to communicate over a single physical or logical subnetwork, such as an Ethernet. These addresses start with fe80 and are extensively used for IPv6's internal housekeeping.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Site local&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;This is the IPv6 equivalent of the RFC 1918 private address space in IPv4. However, the IETF found the situation where different organizations use the same address space undesirable, so they created "unique site local" addresses where everyone takes a randomly selected block out of the IPv6 address space starting with fd.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Multicast&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;A multicast address is a group address, so every packet sent to a multicast address is received by all members of the group. Multicast addresses start with ff and can be used for applications where several hosts must receive the same information at the same time, such as live video broadcasts and also for autoconfiguration and discovery.&lt;br /&gt;&lt;br /&gt;When running over Ethernet or WiFi, IPv4 hosts use broadcasts for discovery functions. For instance, in order to be able to send a packet over Ethernet, it's necessary to know the destination MAC address. So IPv4 simply broadcasts "who has 192.0.2.31?" to all systems on the network in question. 
IPv6, on the other hand, sends these packets to a multicast address, so only IPv6 hosts listening for these requests get to see them; on other systems the Ethernet hardware simply ignores the packets, and it's even possible for switches to filter them out by keeping track of the multicast groups hosts are listening on for each switch port.&lt;br /&gt;&lt;br /&gt;IPv6 security&lt;br /&gt;&lt;br /&gt;There is a lot of talk about how IPv6 is more secure than IPv4. This boils down to two things; one of them is real, the other isn't. The good news is that because the IPv6 address space is so large, randomly scanning for systems that are vulnerable is completely infeasible. The story goes that at the height of the self-propagating malware explosion a few years ago, an unpatched Windows system would be infected faster than it could download the necessary security updates. With IPv6, that is simply impossible: even with a billion infected hosts each scanning a billion IPv6 addresses per second, it takes more than a hundred million years to scan just the IPv6 address space that's given out to ISPs right now, which is about 0.01 percent of what's available. However, targeted scanning, although not easy, is still possible, so security measures like those used with IPv4 are still necessary.&lt;br /&gt;&lt;br /&gt;The idea was to give IPv6 security a big push by making IPsec support mandatory. IPsec encrypts each individual packet, so it can be applied to all IP traffic, unlike the widely used SSL, which only works on top of TCP. However, for a number of reasons, it's very difficult to build IPsec support into applications, so it never gained much real-world use except as a mechanism to implement VPNs. And despite the fact that IPsec was developed for IPv6 or at least with IPv6 in mind, it also works with IPv4. 
All in all, IPsec can't be considered a security advantage for IPv6.&lt;br /&gt;&lt;br /&gt;Let me reiterate a point I made earlier: a host that has IPv6 turned on will create a link local address for itself. This means that any host that has IPv6 enabled—out of the box for Windows Vista, Mac OS X, and most Linux and BSD distributions—is reachable over IPv6 for hosts connected to the same Ethernet, even if there's no IPv6 router sending out router advertisements. By monitoring IPv6 autoconfiguration traffic or by trying link local addresses created from MAC addresses seen in other types of traffic, it's not too difficult to find the addresses in question. An even easier method is sending out a multicast ping and seeing what comes back. Windows blocks these, but BSD/Mac/Linux generally send back replies. The command line on these systems is:&lt;br /&gt;&lt;br /&gt;ping6 -I interface-name ff02::1&lt;br /&gt;&lt;br /&gt;Use the ifconfig command to find interface names. On systems where the IPv6 networking stack derives from the KAME implementation, such as the BSD family and MacOS, there are additional ping6 options that are even more helpful for nosy types. Type man ping6 to find out more.&lt;br /&gt;&lt;br /&gt;With IPv4, there will generally be a NAT device that functions as a simple firewall by blocking incoming sessions (although there are ways to trick NATs into allowing them). Since there are more than enough public addresses to go around in IPv6, along with the dislike for NAT in IETF circles, there is almost never any NAT with IPv6, so no automatic protection against incoming sessions. This lack of automatic basic firewalling that comes with NAT is only the beginning, though. Many software firewalls that run on the to-be-firewalled host itself only support IPv4 and don't get in the way of IPv6 packets at all. 
The Windows and Mac OS built-in firewalls don't have this problem, but if you're doing any firewalling on Linux or BSD (or command line firewalling with Mac OS X), make sure that your services are firewalled over IPv6, too. On the BSD/Linux side, a good choice in this regard is the pf firewalling package, because unlike iptables, ipfw, or ipf, it supports both IPv4 and IPv6 and allows rules that apply to both. If you have a router or home gateway that supports IPv6, make sure that it, too, filters IPv6. A stateful filter that allows outgoing connections and return traffic, but not incoming connections, comes closest to the IPv4 NAT filtering functionality.&lt;br /&gt;&lt;br /&gt;Running IPv6&lt;br /&gt;&lt;br /&gt;Although designing a new protocol isn't exactly trivial, the hard part is getting it deployed. Having to put an entire new infrastructure in place or flipping a switch from "IPv4" to "IPv6" for the current Internet aren't feasible. To avoid these issues as much as possible, the IETF came up with a number of transition techniques. The most important ones are dual stack and tunneling. Dual stack is nothing more than the notion that a host can run both IPv4 and IPv6 side by side, so it can talk to IPv4 hosts over IPv4 and to IPv6 hosts over IPv6. Tunneling means that when IPv6 packets must cross part of the network that only supports IPv4, the IPv6 packets are put inside IPv4 packets, transmitted across the IPv4-only part of the network, and then the IPv4 part is removed and the packets continue on their way over IPv6.&lt;br /&gt;&lt;br /&gt;As mentioned earlier, most modern operating systems are set up for dual-stack operation by default. So if there's an IPv6 router on the local network that advertises an IPv6 prefix, a host will generate an IPv6 address for itself so it can talk to the IPv6 Internet. 
Now that Microsoft has enabled IPv6 by default in Vista (it can be turned on and off with ipv6 install and ipv6 uninstall in XP), we can probably expect more IPv6-enabled home routers like Apple's draft-802.11n Airport Extreme in the future.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;img src="http://bp2.blogger.com/_wjSazwqws3I/R7th1BwFpSI/AAAAAAAAAIo/XGaHoUeq2oA/s400/routing.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5168832560968869154" /&gt;&lt;br /&gt;&lt;br /&gt;Note that there's no requirement that your ISP supports the new protocol in order to use IPv6: an IPv6-enabled router or a host itself can use a tunnel to reach the IPv6 Internet. There are several tunneling techniques, but the most common ones are "manual" IPv6 in IP tunnels where the exact path of the tunneled IPv6 packets is set up through manual configuration, and 6to4 automatic tunneling. With 6to4, a host or router can create a range of IPv6 addresses from its IPv4 address. 6to4 addresses are easily recognizable because they always start with 2002. Because every 6to4-derived IPv6 address maps to an IPv4 address, it's easy for a system that understands 6to4 to tunnel the IPv6 packets to the right place over IPv4. Gateways make it possible for native IPv6 systems to communicate with 6to4 systems.&lt;br /&gt;&lt;br /&gt;6to4 is easy to use because it doesn't require any configuration, and has the added bonus that it comes with built-in IPv6 address space. However, only public IPv4 addresses can be used for 6to4, so hosts behind NAT can't do 6to4 tunneling, and another limitation is the dependence on public gateways, which makes 6to4 slower and less reliable than other forms of IPv6 connectivity. If you're serious about IPv6, you'll want to set up a manual tunnel. 
If your ISP offers this service, that's the best choice to avoid unnecessary tunnel detours, but one of the many tunnel brokers is a good alternative.&lt;br /&gt;&lt;br /&gt;Note that Windows Vista (and Windows XP with IPv6 enabled) have 6to4 enabled by default when the system has a public IPv4 address. The same is true for the new Airport Extreme, which will send out router advertisements with its 6to4 IPv6 address prefix so hosts connected to it will configure an IPv6 address and be tunneled over 6to4 by the router. 6to4 is also relatively easy to turn on with Mac OS X and BSD/Linux.&lt;br /&gt;&lt;br /&gt;Systems with IPv6 connectivity (regardless of the type) decide whether to use IPv4 or IPv6 to reach a destination by consulting the DNS. Communication over the Internet requires addresses, but we generally work with domain names. The DNS takes care of the difference by having one or more A (address) records that contain an IPv4 address associated with a given name. If a system also has an IPv6 address, this is added to the DNS with an AAAA (quad-A) record. Hosts that only have IPv4 connectivity ignore the AAAA records, but dual stack hosts ask the DNS for both the A and AAAA records. They will then generally prefer to connect to a destination over IPv6 if possible, and use IPv4 if there's no AAAA record in the DNS or connecting over IPv6 doesn't work. Some applications and/or OSes always ask for AAAA records when IPv6 is turned on, which creates a problem with some (increasingly rare) buggy DNS servers that return an error after an AAAA query. In these cases, turning off IPv6 can make surfing the web a lot faster.&lt;br /&gt;&lt;br /&gt;You can see if your computer has working IPv6 connectivity by connecting to www.kame.net or www.apnic.net. KAME is a Japanese project that built an IPv6 networking stack for BSD and Mac OS. Their mascot is a turtle, which dances if you connect over IPv6. 
APNIC is responsible for giving out IP addresses in the Asia-Pacific region, and their web site will tell you your IP address (IPv4 or IPv6) in the top left corner of the page. Internet Explorer under Windows, Safari on Mac OS X 10.4, and Firefox under Windows, Linux and BSD will use IPv6 when available on the system, but Firefox on the Mac has IPv6 turned off in about:config.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;IPv6 and the future of home networking&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Although stateless autoconfig works very differently from DHCP, in practice IPv6 works much the same as IPv4 in a home network: computers and other devices automatically get an address from a router, modem or gateway so they can connect to the 'Net without manual intervention. Firewalling is a bit different, because with IPv4, most people don't have the option to keep their network completely open.&lt;br /&gt;&lt;br /&gt;When IPv6 takes off, we'll probably see a new class of home firewall products that allow more granular blocking of services and devices in a home IPv6 network than either block incoming sessions or allow everything, like we have in today's first IPv6 home routers. The abundance of address space also makes it possible to have separate subnetworks for different purposes, which will be helpful as more and more devices connect to the network. And we still have a lot to look forward to: the IETF is currently working on mobility and multihoming extensions to IPv6. Mobility means moving from one network to another while keeping the same IP address. So a VoIP call could start on your home network, continue over wireless service and then finish at work. 
Multihoming means connecting to more than one ISP at the same time, so that when one fails, communication sessions automatically move over to the other.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Moral of the story&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Although IPv6 is taking its sweet time to conquer the world, it's now showing up in more and more places, so you may actually run into it one of these days. If you're working on security, keep your eye out for IPv6 because if overlooked, IPv6 could allow things that are blocked over IPv4. And if you're buying expensive equipment, you may want to make sure that if it doesn't do IPv6 today, it's at least upgradable, so you can still use your gear if IPv6 picks up more quickly than expected as IPv4 addresses run out. And it never hurts to experiment a bit with the new protocol so you know how it works by the time you need it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-8831931350255099047?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/8831931350255099047/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=8831931350255099047' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/8831931350255099047'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/8831931350255099047'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2008/02/everything-you-need-to-know-about-ipv6.html' title='Everything you need to know about IPv6'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_wjSazwqws3I/R7tfAxwFpOI/AAAAAAAAAII/nGlV4AyaNXI/s72-c/1993.png' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-8384481305730399345</id><published>2008-02-19T14:26:00.001-08:00</published><updated>2008-02-19T14:39:27.450-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Internet'/><title type='text'>Can an IPv4 stock market stave off address depletion, IPv6?</title><content type='html'>&lt;div align="justify"&gt;There are many uncertainties surrounding the depletion of the IPv4 address space and the move to IPv6. Currently, five Regional Internet Registries give out address space to anyone who can show a reasonable need for it and pays some administration costs. If nothing changes, that practice will end around 2012 when we run out of unused IPv4 addresses. One possible solution is creating an IP address space market, allowing people who need IPv4 addresses to buy them from those who have a surplus, so that IPv4 address space remains available for a few more years.&lt;br /&gt;&lt;br /&gt;Ideally, by the time we run out of IPv4 addresses, we'll all be using IPv6. At the rate IPv6 takeup is happening now, however, a full-scale switch to IPv6 seems highly unlikely. After the IPv4 address space has been depleted, new Internet users will only be able to get IPv6 address space, while existing users are still only connected through IPv4.&lt;br /&gt;&lt;br /&gt;Network World has &lt;a href="http://www.networkworld.com/news/2008/021308-ipv6-delay.html"&gt;an article&lt;/a&gt; speculating about additional delays in rolling out IPv6 &lt;a href="http://lists.arin.net/pipermail/ppml/2008-February/009978.html"&gt;if a proposed IPv4 address trading&lt;/a&gt; policy is adopted by ARIN. 
The American Registry for Internet Numbers is responsible for giving out IP addresses in North America. Its policies "are developed in an open and transparent manner by the Internet community," according to the &lt;a href="http://www.arin.net/policy/irpep.html"&gt;Internet Resource Policy Evaluation Process.&lt;/a&gt; An important aspect of that process is that anyone can submit a policy proposal, so the mere existence of a proposal doesn't mean all that much.&lt;br /&gt;&lt;br /&gt;The issue of address trading comes up more frequently &lt;a href="http://www.potaroo.net/tools/ipv4/index.html"&gt;as we come closer&lt;/a&gt; to running out of IPv4 address space. Efforts to reclaim some of the large IPv4 address blocks that have been given out as "legacy assignments" long ago haven't proven all that successful. According to an &lt;a href="http://blog.icann.org/?p=271"&gt;ICANN blog entry&lt;/a&gt;, four blocks of 16.78 million addresses were reclaimed last year: blocks 14, 46, 49, and 50. In reality it was only one: blocks 49 and 50 were marked as "Returned to IANA Mar 98" previously, but are now "Reserved" (unused)—no real change. Block 14 had only some 129 addresses used; nice to have the whole block back, but 129 addresses isn't going to make much of a difference. Even the full 16.78 million addresses in block 46 only give us an extra month's worth of IPv4 address space: we're now using up around 12 of those blocks per year. Did I mention that that was the good news? The not so good news: "Despite this windfall we are unlikely to see any more whole /8s returned to the IANA free pool," notes ICANN. "Our investigations indicate that the other legacy 'Class A' assignments are all at least partially used. 
Recovering the space in those blocks would require large companies to engage in expensive renumbering exercises."&lt;br /&gt;&lt;br /&gt;&lt;img src="http://bp3.blogger.com/_wjSazwqws3I/R7tZhRwFpKI/AAAAAAAAAHo/H6J_xnj-yBQ/s400/ipv6-07.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5168823425573430434" /&gt;  &lt;br /&gt;The feasibility of an open IPv4 market&lt;br /&gt;&lt;br /&gt;The question is: will a little money make those renumbering exercises more palatable, so that address space that couldn't be recovered for free will enter the market? That's one of the many questions that surrounds a future IP address market. On the one hand, it's possible that organizations that hold large amounts of address space—most notably, the US government with 150 million or so addresses and HP with 33 million—will spend the time and money to free up parts of their address space and put it on the market. The hard part here is that this address space has been around for a long time, which almost guarantees that it's hardcoded in places. As a result, freeing it up probably means extensive system audits. On the other hand, it's entirely possible that such audits prove to be too much trouble or too expensive to bother with, so very little address space would enter the newly created market. Large ISPs need millions of addresses to connect new customers, addresses which they basically get for free today. Even a cost of $1 per address may be prohibitive, pushing those ISPs to implement address conservation techniques—and, ideally, IPv6—instead of buying address space at market prices.&lt;br /&gt;&lt;br /&gt;It could be even worse: if demand outstrips supply, the price for IPv4 addresses could skyrocket, where it's attractive for sellers to wait for prices to get even higher before selling. 
If I were a domain squatter, I would certainly diversify my business in the direction of address squatting while address space is still easy to get.&lt;br /&gt;&lt;br /&gt;And what about the rest of the world? The US holds more than half of the currently given out address space, twice as much as the rest of the developed world put together. Of the developing world, only China has a significant amount of address space. So poor countries would have to go to rich, American organizations to buy address space. This isn't likely to be popular in much of the world.&lt;br /&gt;&lt;br /&gt;An IPv4 market could work in both directions: a run on the bank could mean that we're effectively out of IPv4 address space one or two years sooner than the currently speculated end date of 2012, or a market with good liquidity could recover, say, 50 percent of the legacy address blocks, more than doubling the still available IPv4 address space and the time that we have. However, the North American Network Operators aren't waiting for that: during their meeting this week, they'll have an IPv6 hour where IPv4 will be turned off temporarily. The Internet Engineering Task Force is planning to do the same during its meeting next month. 
Time to go either short or long IPv4 addresses in anticipation of the results.&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-8384481305730399345?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/8384481305730399345/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=8384481305730399345' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/8384481305730399345'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/8384481305730399345'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2008/02/can-ipv4-stock-market-stave-off-address.html' title='Can an IPv4 stock market stave off address depletion, IPv6?'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp3.blogger.com/_wjSazwqws3I/R7tZhRwFpKI/AAAAAAAAAHo/H6J_xnj-yBQ/s72-c/ipv6-07.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-697167736316282146</id><published>2008-02-19T14:03:00.000-08:00</published><updated>2008-02-19T14:16:01.884-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='nVidia'/><category scheme='http://www.blogger.com/atom/ns#' term='PC Hardware'/><category scheme='http://www.blogger.com/atom/ns#' term='VGA Driver'/><title type='text'>GeForce 8 To Get Software PhysX 
Engine</title><content type='html'>&lt;div align="justify"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_wjSazwqws3I/R7tSkxwFpHI/AAAAAAAAAHQ/yen3_-3bdoY/s1600-h/fp__fp__geforce_.jpg"&gt;&lt;img src="http://bp1.blogger.com/_wjSazwqws3I/R7tSkxwFpHI/AAAAAAAAAHQ/yen3_-3bdoY/s400/fp__fp__geforce_.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5168815789121578098" /&gt;&lt;br /&gt;&lt;/a&gt;NVIDIA's purchase of AGEIA leads to a PhysX-on-CUDA port&lt;br /&gt;&lt;br /&gt;With the announcement &lt;a href="http://www.dailytech.com/Update+NVIDIA+to+Acquire+AGEIA/article10573.htm"&gt;earlier this month of NVIDIA's acquisition of AGEIA&lt;/a&gt;, rumours began to fly immediately surrounding the future of dedicated physics hardware -- and it now appears that the PhysX name will live on as a checkbox beside the capabilities of some current and most future NVIDIA GPUs.&lt;br /&gt;                                                                                                 &lt;img src="http://bp3.blogger.com/_wjSazwqws3I/R7tTFRwFpII/AAAAAAAAAHY/La1PeWyGJLg/s400/7248_cellfactor_1_04.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5168816347467326594" /&gt;&lt;span style="font-size:85%;"&gt;The physics-intensive Cell Factor: Revolution demo will soon be "No PhysX Card Required"&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;During &lt;a href="http://techreport.com/discussions.x/14147"&gt;NVIDIA's fourth-quarter financial results conference call&lt;/a&gt;, CEO Jen-Hsun Huang responded to several questions about the plans for technology obtained in the AGEIA purchase, revealing that the plan is to port the AGEIA PhysX engine to &lt;a href="http://developer.nvidia.com/object/cuda.html"&gt;NVIDIA's CUDA&lt;/a&gt; (Compute Unified Device Architecture) C-like programming language.&lt;br /&gt;&lt;br /&gt;"We're working toward the physics-engine-to-CUDA port as we speak. And we intend to throw a lot of resources at it." said Huang. 
"[PhysX on CUDA] is just going to be a software download. Every single GPU that is CUDA-enabled will be able to run the physics engine when it comes."&lt;br /&gt;&lt;br /&gt;NVIDIA's choice to run a physics engine on a GPU runs in stark contrast to &lt;a href="http://www.dailytech.com/Havok+Causes+Havoc+in+GPU+Physics/article9748.htm"&gt;AMD's assertion in late 2007&lt;/a&gt; that "GPU based physics is dead until DirectX 11." Every NVIDIA 8-series GPU is currently capable of running CUDA applications, and future GPUs will no doubt retain this feature.&lt;br /&gt;&lt;br /&gt;The idea of &lt;a href="http://www.dailytech.com/NVIDIA+SLI+Physics+Processing+with+HavokFX/article1332.htm"&gt;using SLI for more than graphics has been brought up by NVIDIA in the past&lt;/a&gt;, so it was no surprise to hear Huang endorsing its further use again. "It might - and probably will - encourage people to buy a second GPU for their SLI slot. And for the highest-end gamer, it will encourage them to buy three GPUs." 
No mention was made of the use of the upcoming "Hybrid SLI" technology &lt;a href="http://www.dailytech.com/All+New+NVIDIA+Chipsets+to+Feature+IGP+and+Hybrid+SLI/article10263.htm"&gt;showcased at CES 2008&lt;/a&gt;, but an onboard GPU supporting CUDA could theoretically be used as a physics processor while discrete GPUs handle the rendering.&lt;br /&gt;&lt;br /&gt;No timeframe for the release of the PhysX-on-CUDA software was specified, but with the PhysX engine to be available to a larger audience, it will no doubt encourage the development of more accelerated physics engines in upcoming titles.&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-697167736316282146?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/697167736316282146/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=697167736316282146' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/697167736316282146'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/697167736316282146'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2008/02/geforce-8-to-get-software-physx-engine.html' title='GeForce 8 To Get Software PhysX Engine'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_wjSazwqws3I/R7tSkxwFpHI/AAAAAAAAAHQ/yen3_-3bdoY/s72-c/fp__fp__geforce_.jpg' 
height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-2934499099982149616</id><published>2008-02-19T13:37:00.000-08:00</published><updated>2008-02-19T13:51:01.269-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='OS'/><category scheme='http://www.blogger.com/atom/ns#' term='Windows'/><category scheme='http://www.blogger.com/atom/ns#' term='Software'/><title type='text'>Windows Server 2003 SP2 released</title><content type='html'>&lt;div align="justify"&gt;After a nine-month testing cycle, Microsoft finally released Windows Server 2003 Service Pack 2 last night. The 32-bit, 64-bit, and Itanium editions of the update have been made available, and they can be applied to several systems including every version of Windows Server 2003, Windows Server 2003 R2 and Windows Storage Server R2, Windows Unified Data Storage Server 2003 SP1, Windows Small Business Server 2003 R2, and Windows XP Professional x64.&lt;br /&gt;&lt;br /&gt;The update includes &lt;a href="http://support.microsoft.com/kb/914962"&gt;several fixes&lt;/a&gt; plus a handful of new &lt;a href="http://technet2.microsoft.com/WindowsServer/en/library/cda7d603-fdd6-4a48-b045-89adac6e519e1033.mspx?mfr=true"&gt;Features&lt;/a&gt; such as Windows Deployment Services, the Windows Server 2003 Scalable Networking Pack, a tool for testing hotfixes, XmlLite, support for Wi-Fi Protected Access 2, the revamped Microsoft Management Console 3, and firewall per port authentication.&lt;br /&gt;&lt;br /&gt;Although the update is certainly appreciated, some have complained that Microsoft sprung this update on system administrators. 
Susan Bradley, who runs the SBS Diva Blog, &lt;a href="http://msmvps.com/blogs/bradley/archive/2007/03/13/win-2003-sp2-on-microsoft-update-now.aspx"&gt;asked&lt;/a&gt; why Microsoft failed to provide upfront notice that the service pack was going to appear on Windows Server Update Services, or WSUS.&lt;br /&gt;&lt;br /&gt;Microsoft? You gave us admins a heads up before XP sp2 was Microsoft updated out to our boxes...why can't you give us a heads up on this? The MSRC blog says "no patches" ...and yes I understand that they don't consider a Service Pack a "Security patch" but anything that you vaguely hint to on that Advance notice day should be discussed fully on your blog. Right now even the Microsoft Update blog isn't blogging that SP2 is out.&lt;br /&gt;&lt;br /&gt;Microsoft... you TELL us that's coming out before you shoot it out on Microsoft update will you?&lt;br /&gt;&lt;br /&gt;If you would like to temporarily keep Windows Server SP2 off your boxes, Microsoft has released a &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=FC145B0B-C148-445A-82BA-9B2F3AEF6E60&amp;displaylang=en"&gt;toolkit&lt;/a&gt; which will block the delivery of the software through Automatic Updates and Windows Update.&lt;br /&gt;&lt;br /&gt;For those that wish to download the service pack, it can be obtained through the Microsoft Download Center.&lt;br /&gt;&lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=95ac1610-c232-4644-b828-c55eec605d55&amp;DisplayLang=en"&gt;Windows Server 2003 SP2 (x86)&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=08fec2f5-6e3b-4e0d-9314-646414d0a421&amp;DisplayLang=en"&gt;Windows Server 2003 SP2 (x64)&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.microsoft.com/downloads/details.aspx?familyid=C52C9C84-84DF-4393-BE83-302104506030&amp;displaylang=en"&gt;Windows Server 2003 SP2 (Itanium)&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;If you're planning to upgrade to the full retail version of 
Windows Small Business Server 2003 or migrate to Windows Server 2003, you may need to remove Windows Server 2003 SP2 first. &lt;a href="http://support.microsoft.com/kb/932600"&gt;KB 932600&lt;/a&gt; has more information about the problems that can occur from leaving the service pack installed.&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-2934499099982149616?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/2934499099982149616/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=2934499099982149616' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/2934499099982149616'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/2934499099982149616'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2008/02/windows-server-2003-sp2-released.html' title='Windows Server 2003 SP2 released'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-4849529671862789400</id><published>2008-02-19T00:40:00.000-08:00</published><updated>2008-02-19T00:46:45.446-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Windows'/><category scheme='http://www.blogger.com/atom/ns#' term='Software'/><title type='text'>Windows Server 2008 will ship with SP1 installed</title><content type='html'>&lt;div align="justify"&gt;&lt;span 
style="font-family:trebuchet ms;"&gt;Windows 2008 is scheduled to begin shipping in the next few weeks. When it does, business customers and IT staff who are interested in the OS, but who don't have plans to deploy it until its first service pack, are in for a surprise. According to Microsoft, Windows Server 2008 will ship with what the company refers to as SP1 already installed. As a result, the first post-release service pack for WS 2008 will be SP2.&lt;br /&gt;&lt;/span&gt;&lt;img src="http://bp2.blogger.com/_wjSazwqws3I/R7qW7RwFpGI/AAAAAAAAAHE/XrJ-fjq8i9s/s400/WS2K8-1.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5168609467482612834" /&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;management for Windows Server, Ian McDonald, explained the rationale behind this decision a few days back. According to him, Microsoft has actually been attempting to synchronize its client/server release schedule for most of the past decade. After the Windows ME/Windows 2000 launch, Redmond apparently intended to do a combined release, but opted to fork and launch Windows XP early due to customer pressure. Windows Server 2003 didn't appear until April, 2003, well after the launch of both XP and XP SP1. Microsoft kept both products updated—XP got SP2 in August, 2004, while WS 2003 R2 tipped up in December of 2005—but the two products were never working from the same codebase or on the same release schedule.&lt;br /&gt;&lt;br /&gt;After nearly eight years, Microsoft has resolved this particular issue, and the implications are positive. Building Vista and WS 2008 SP1 on the same codebase should make it easier for the company to patch vulnerabilities, port new features from one version of the OS to the other, and generally simplify the entire update process. 
Microsoft's update service is now advanced enough to distinguish OS-specific fixes; a patch for a media player issue won't end up downloading to a WS 2008 system, and patches for a server system won't end up in a Vista machine.&lt;br /&gt;&lt;br /&gt;The only problem with McDonald's explanation comes at the end, where he states: "So, it's [Windows Server 2008] called SP1—in retrospect i should just say its called that so you don't have to wait for SP1 for it to be right like people have before." McDonald appears to be missing the point. Businesses don't wait for a service pack release because the addition of an "SP" suffix imbues an operating system with some sort of magical powers. A service pack represents a comprehensive body of software updates released and approved by Microsoft after the relevant OS has spent a significant amount of time (typically one year or more) in the wild.&lt;br /&gt;&lt;br /&gt;In the real world, it doesn't matter if Microsoft releases a new product with SP1 or SP10 attached to its name. In almost every case, businesses have a huge number of reasons not to jump for a new OS—any new OS, for that matter—immediately. IT departments are unwilling to risk the stability and security of their infrastructure for any new product, from Microsoft or anyone else. Implying that a suffix change is sufficient to allay corporate IT concerns is akin to saying that such concerns are needless and silly in the first place. 
That's not a statement likely to resonate well with security and network administrators.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-4849529671862789400?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/4849529671862789400/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=4849529671862789400' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/4849529671862789400'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/4849529671862789400'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2008/02/windows-server-2008-will-ship-with-sp1.html' title='Windows Server 2008 will ship with SP1 installed'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_wjSazwqws3I/R7qW7RwFpGI/AAAAAAAAAHE/XrJ-fjq8i9s/s72-c/WS2K8-1.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-4860242710367103246</id><published>2008-02-19T00:27:00.000-08:00</published><updated>2008-02-19T00:38:24.520-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PC Hardware'/><category scheme='http://www.blogger.com/atom/ns#' term='Intel'/><title type='text'>Intel set to announce graphics partnership with Nvidia?</title><content type='html'>&lt;span 
style="font-family:trebuchet ms;"&gt;Chicago (IL) – Intel may soon be announcing a close relationship with Nvidia, which apparently will be contributing to the company’s Larrabee project, TG Daily has learned. Larrabee is expected to roll out in 2009 and debut as a floating point accelerator product with a performance of more than 1 TFlops as well as a high-end graphics card with dual-graphics capabilities.&lt;br /&gt;&lt;br /&gt;Rumors about Intel’s Larrabee processor have been floating around for more than a year. Especially since the product’s official announcement at this year’s spring IDF and an accelerating interest in floating point accelerators, the topic itself and surrounding rumors are gaining traction every day.&lt;br /&gt;&lt;br /&gt;Industry sources told TG Daily that Intel is preparing a “big” announcement involving technologies that will be key to develop Larrabee. And at least some of those technologies may actually be coming from Nvidia, we hear: Our sources described Larrabee as a “joint effort” between the two companies, which may expand over time. A scenario in which Intel may work with Nvidia to develop Intel-tailored discrete graphics solutions is speculation but is considered to be a likely relationship between the two companies down the road. Clearly, Intel and Nvidia are thinking well beyond their cross-licensing agreements that are in place today.&lt;br /&gt;&lt;br /&gt;It is unclear when the collaboration will be announced; however, details could surface as early as June 26, when the International Supercomputing Conference 2007 will open its doors in Dresden, Germany.&lt;br /&gt;&lt;br /&gt;Asked about a possible announcement with Intel, Nvidia spokesperson Ken Brown provided us with a brief statement: “We enjoy a good working relationship with Intel and have agreements and ongoing engineering activities as a result. 
This said, we cannot comment further about items that are covered by confidentiality agreements between Intel and Nvidia.”&lt;br /&gt;&lt;br /&gt;Intel replied to our inquiry by saying that the company does "not comment on rumors and speculation."&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The AMD-ATI and Intel-Nvidia thingy&lt;br /&gt;&lt;br /&gt;In the light of the AMD-ATI merger, it is only to be expected that the relationship between Intel and Nvidia is examined on an ongoing basis. So, what does a closer relationship between Intel and Nvidia mean?&lt;br /&gt;&lt;br /&gt;The combination with ATI enabled AMD to grow into a different class of company. It evolved from being CPU-focused into a platform company that not only can match some key technologies of Intel, but at least for now has an edge in areas such as visualization capabilities. At a recent press briefing, the company showed off some of its ideas and it was clear to us that especially the area of general purpose GPUs will pave the way to a whole new world of enterprise and desktop computing.&lt;br /&gt;&lt;br /&gt;Nvidia is taking a similar approach with its CUDA software interface, which allows developers to take advantage of the (general purpose) floating point horsepower of Geforce 8 graphics processors - more than 500 GFlops per chip. Intel’s Larrabee processor is also aimed at applications that benefit from floating point acceleration – such as physics, enhanced AI and ray tracing.&lt;br /&gt;&lt;br /&gt;While it has been speculated that Intel may be creating Larrabee with an IA CPU architecture, we were told there may be more GPU elements in this processor than we previously had thought. 
A Larrabee card with a (general purpose) graphics processing unit will support CPUs in applications that at least partially benefit from massively parallel processing (as opposed to the traditional sequential processing); in gaming, the Larrabee processor can be used for physics processing, for example.&lt;br /&gt;&lt;br /&gt;An imminent collaboration announcement between Intel and Nvidia, which reminds us of a recent Digitimes story that claimed Nvidia was trading technologies with Intel, of course, raises the question how close the relationship between Intel and Nvidia might be. It also raises the question, once again, if Intel may actually be interested in buying Nvidia – which could make a whole lot of sense for Intel, but appears to be rather unlikely at this time. Nvidia could cost Intel more than $15 billion, given the firm’s current market cap of $12.6 billion, and the talk in Silicon Valley indicates that Nvidia co-founder and CEO Jen-Hsun Huang isn’t really interested in selling the company.&lt;br /&gt;&lt;br /&gt;But a deal with Intel, involving the licensing of technologies or even supply of GPUs could have a huge impact on Nvidia’s bottom line and catapult the company into a new phase of growth. However, a closer collaboration could be important for Intel as well: AMD’s acquisition of ATI was not a measure to raise the stakes in the graphics market or to battle Nvidia; it was a move to compete in the future CPU market – with Intel. Having Nvidia on board provides Intel with a graphics advantage, at least from today’s point of view, and could allow the company to more easily access advanced graphics technology down the road.&lt;br /&gt;&lt;br /&gt;What we know about Larrabee&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Intel has recently shared more information with the public about its intents in the realm of general purpose GPU (GPGPU). In a presentation from March 7 of this year, Intel discussed its data parallelism programming implementation called Ct. 
The presentation discusses the use of flat vectors and very large instruction words (VLIW as utilized in ATI/AMD's R600). In essence, the Ct application programming language (API) bridges the gap of allowing it to work with existing legacy APIs and libraries as well as co-exist with current multiprocessing APIs (Pthreads and OpenMP), yet provides “extended functionality to address irregular algorithms.”&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;img src="http://bp2.blogger.com/_wjSazwqws3I/R7qUBRwFpBI/AAAAAAAAAGc/tUogZ-0ZN3w/s200/larrabee_board.gif" border="0" alt="" id="BLOGGER_PHOTO_ID_5168606272026944530" /&gt;&lt;br /&gt;&lt;br /&gt;There are several things to point out from the image above, which is a block diagram of a board utilizing Larrabee. First is the PCIe 2.0 interface with the system. Intel is currently testing PCIe 2.0 as part of the Bearlake-X (Beachwood) chipset (commercial name: X38), which could be coming out as part of the Wolfdale 45 nm processor rollout late this year or early in 2008. Larrabee won’t arrive until 2009, but our sources indicate that if you buy an X38-based board, you will be able to run a Larrabee board in such a system.&lt;br /&gt;&lt;br /&gt;In the upper right hand corner the power connections indicate 150 watts and 75 watts. These correspond to 8-pin and 6-pin power connections that we have seen on the recent ATI HD2900XT. Intel expects the power consumption of such a board to be higher than 150 watts. There are video outputs to the far left as well as video in. Larrabee appears to have VIVO functionality as well as HDMI output based on the audio-in block seen at the top left.&lt;br /&gt;A set of BSI connections is next to the audio-in connection. We are not sure what the abbreviation stands for, but we speculate that these are connections for using these cards in parallel like ATI’s Crossfire or Nvidia’s SLI technologies. Finally, there is the size of the processor (package). 
That is over twice the size of current GPUs as ATI’s R600 is roughly 21 mm by 20 mm (420 mm²). Intel describes the chip as a “discrete high end GPU” on a general purpose platform, using at least 16 cores and providing a “fully programmable performance of 1 TFlops.”&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;img src="http://bp2.blogger.com/_wjSazwqws3I/R7qUoRwFpDI/AAAAAAAAAGs/ZC-loWPRDrY/s400/larrabee1.gif" border="0" alt="" id="BLOGGER_PHOTO_ID_5168606942041842738" /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Moving on we can see that Larrabee will be based on a multi-SIMD configuration. From other discussions about the chip across the net, it would seem that each is scalar that works using Vec16 instructions. That would mean that, for graphics applications, it could work on blocks of 2x2 pixels at a time. These “in-Order” execution SIMDs will have floating point 16 (FP16) precision as outlined by IEEE754. Also to note is the use of a ring memory architecture. From a presentation by Intel Chief Architect Ed Davis called “tera Tera Tera”, Davis outlines that the internal bandwidth on the bus will be 256 B/cycle and the external memory will have a bandwidth of 128 GB/s. This is extremely fast and achievable based on the 1.7-2.5 GHz projections for the core frequency. Attached to each core will be some form of texturing unit as well as a dynamically partitioned cache and ring stop on the memory ring.&lt;br /&gt;&lt;br /&gt;In the final image below you will notice that each device will have a 17 GB/s of bandwidth per link. These links tie into a next generation Southbridge titled “ICH-n” as this is yet to be determined. From discussions with those in the industry, it would appear that the external memory might not be soldered into the board but in fact be plug in modules. The slide denotes DDR3, GDDR, as well as FBD or fully buffered DIMMs. 
It will be interesting to see what form this will actually be implemented as, but that is the fun of speculation.&lt;br /&gt;&lt;br /&gt;&lt;img src="http://bp1.blogger.com/_wjSazwqws3I/R7qVIBwFpEI/AAAAAAAAAG0/ytzRIwgTdlg/s400/larrabee3.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5168607487502689346" /&gt;&lt;br /&gt;&lt;br /&gt;The current layout of project Larrabee is a deviation from previous Intel roadmap targets. In a 2005 whitepaper entitled “Platform 2015: Intel Processor and Platform Evolution for the Next Decade”, the company outlines a series of Xscale processors based on Explicitly Parallel Instruction Computing or EPIC. Intel has deviated slightly from its initial roadmap since the release of this paper: Intel sold Xscale to Marvell last year, which makes it a rather unlikely product for Larrabee – and could have opened up the discussion for other processing units.&lt;br /&gt;&lt;br /&gt;What is interesting is that rumors that Intel was looking for talent for an upcoming “project” involving graphics started circulating more than a year and a half ago. In August of last year, you could apply for positions on Career Builder and Intel’s own website. A current generic job description exists on Intel’s website.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Concluding note&lt;br /&gt;&lt;br /&gt;While this is an interesting approach to graphics, physics, and general purpose processing, we will be seeing the meat in the final product as well as the success of acceptance with independent software vendors (ISVs). In our opinion, the concept of the GPGPU is the most significant development in the computer environment in at least 15 years. The topic has been gaining ground lately and this new implementation from Intel could take things to a whole new level. As for the graphics performance, only time will tell.&lt;br /&gt;&lt;br /&gt;It will be interesting to see which role Nvidia will play in Intel’s strategy. 
Keep a close eye on this one.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-4860242710367103246?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/4860242710367103246/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=4860242710367103246' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/4860242710367103246'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/4860242710367103246'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2008/02/intel-set-to-announce-graphics.html' title='Intel set to announce graphics partnership with Nvidia?'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_wjSazwqws3I/R7qUBRwFpBI/AAAAAAAAAGc/tUogZ-0ZN3w/s72-c/larrabee_board.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-3962077384916036699</id><published>2008-02-19T00:22:00.000-08:00</published><updated>2008-02-19T00:25:34.424-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Processor'/><category scheme='http://www.blogger.com/atom/ns#' term='PC Hardware'/><category scheme='http://www.blogger.com/atom/ns#' term='Intel'/><title type='text'>Mysterious chip start-up to take on Intel in mobile space</title><content type='html'>&lt;div 
align="justify"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:verdana;"&gt;Stop me if you've heard this one: "A secretive, venture-backed startup company walks into a bar and announces that it plans to take on Intel by producing a low-power x86 processor aimed (initially?) at portables and laptops."&lt;br /&gt;&lt;br /&gt;No, this isn't a joke about Transmeta, though former Transmeta CEO Matt Perry is also CEO of the mysterious startup in question. Just about the only thing that's publicly known about this new x86 processor company is its name and its location: Montalvo Systems, based in—where else?—Santa Clara, California. All of the rest of the information to leak out about Montalvo comes courtesy of two recent stories by CNet's Michael Kanellos, who has a source that has been feeding him the goods on the startup. Kanellos has also dug up some patents filed at the WIPO, both of which provide additional insight into Montalvo Systems' plans.&lt;br /&gt;&lt;br /&gt;From my reading of Kanellos' report and my admittedly hasty examination of the patents that Montalvo has filed in the US and internationally, it looks like the company will rely on at least two tricks to get x86 performance/watt ratios up enough to be able to make a go of dethroning Intel's Core 2 Duo.&lt;br /&gt;&lt;br /&gt;The first trick that the company uses is an asymmetrical multicore approach, which Kanellos likens to IBM's Cell. Something tells me that whatever Montalvo has in mind, the only substantial thing that it could possibly have in common with Cell is that it can be generally described as an asymmetric multiprocessor on a chip. 
Anyway, Kanellos claims that Montalvo's chip mixes a more robust, larger-footprint core with multiple smaller, more lightweight, lower-power cores so that the processor can use the smaller cores for less intensive compute work and the larger cores when more muscle is needed.&lt;br /&gt;&lt;br /&gt;The second trick, which I was able to sort out from looking through Montalvo's patents, is that the chip contains some sort of large pool of cache joined to a fairly robust control unit that can service DMA and DRAM requests by itself without waking the main processor. One suggestion from the patent is that you could put a highly compressed framebuffer in this cache and have an IGP read from it and decompress it without waking the CPU. Ultimately, the "buffer/mini-cache" (as the patent calls it) can be used for any type of non-cacheable traffic, with the control unit and cache servicing high-bandwidth DMA requests of any type without the processor's intervention.&lt;br /&gt;&lt;br /&gt;There's no way for me to evaluate Montalvo's technology based on some reported rumors and an afternoon with a handful of patents, so I won't even bother to try to evaluate whether the company has a chance against even a small established player like VIA, much less Intel. 
But I will suggest a few general reasons why I'm skeptical.&lt;br /&gt;No silver bullets&lt;br /&gt;&lt;br /&gt;First, non-process-based power efficiency improvements from one processor to the next are like all other types of generational advances in processors—each generational jump in efficiency or raw performance is the cumulative result of many small tricks and tweaks, each of which contributes a few percentage points to the overall "20 percent performance improvement" claims that you typically see with a new processor.&lt;br /&gt;&lt;br /&gt;My point is that there's never really a "silver bullet" for getting that magical double-digit improvement to whatever metric you're trying to improve, at least not at this mature stage in microprocessor evolution. You just make a whole bunch of refinements to an existing design (yours or someone else's) to get yourself over the hump. So if someone actually does come up with a way to remix processor microarchitecture and/or the cache hierarchy that gives them, say, a 15 percent or greater performance per watt boost over Intel on mainstream consumer workloads, I'll eat my hat. And if the company that buys that winning lottery ticket happens to be Montalvo, I'll eat your hat.&lt;br /&gt;&lt;br /&gt;The second point that I want to make is that Intel has already announced (or rather, officially acknowledged the existence of) a forthcoming product family that consists of multiple small, low-power x86 cores on a single die. The company also has a large library of core designs of varying degrees of robustness. 
So if asymmetric multiprocessing turns out to be anything like a silver bullet for power efficiency, Intel could announce a competing product in short order.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-3962077384916036699?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/3962077384916036699/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=3962077384916036699' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/3962077384916036699'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/3962077384916036699'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2008/02/mysterious-chip-start-up-to-take-on.html' title='Mysterious chip start-up to take on Intel in mobile space'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-7998086849391163206</id><published>2008-02-18T13:55:00.000-08:00</published><updated>2008-02-19T13:57:11.169-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='OS'/><category scheme='http://www.blogger.com/atom/ns#' term='Windows'/><category scheme='http://www.blogger.com/atom/ns#' term='Software'/><title type='text'>Microsoft pushes Windows Server 2003 SP2 out via Automatic Update</title><content type='html'>&lt;div align="justify"&gt;June 12 isn't just 
another Patch Tuesday for Windows IT administrators—it's also the day Microsoft has chosen to &lt;a href="http://blogs.zdnet.com/microsoft/?p=498"&gt;distribute&lt;/a&gt; Windows Server 2003 SP2 via Automatic Update. The service pack has been available for download since March 13 but will now be automatically distributed to the appropriate systems. IT administrators who wish to block the download can do so by downloading an &lt;a href="http://technet.microsoft.com/en-us/windowsserver/bb335196.aspx"&gt;SP blocker utility&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Microsoft caught some flak back in March for releasing the service pack on a Patch Tuesday that happened to coincide with an earlier start to Daylight Savings Time, and the same scenario may play out again if admins feel overloaded by having to deal with the usual security fixes plus the new service pack. Server 2003 SP2 is a cumulative update for Windows Server 2003, 2003 R2, 2003 SP1, Storage Server R2, Unified Data Storage Server, Compute Cluster Server, Small Business Server 2003 R2, and Windows XP Professional x64.&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-7998086849391163206?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/7998086849391163206/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=7998086849391163206' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/7998086849391163206'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/7998086849391163206'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2008/02/microsoft-pushes-windows-server-2003.html' 
title='Microsoft pushes Windows Server 2003 SP2 out via Automatic Update'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-7194538552997781444</id><published>2007-12-21T21:48:00.000-08:00</published><updated>2007-12-23T22:07:17.564-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PC Hardware'/><category scheme='http://www.blogger.com/atom/ns#' term='VGA Driver'/><title type='text'>NVIDIA Releases New Windows XP Drivers</title><content type='html'>&lt;span style="font-family: verdana;" id="ctl00_MainContent_lblSummary" class="ArticleSummary"&gt;ForceWare 169.21 drivers released for Windows XP &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;            &lt;span style="font-family: verdana;" id="ctl00_MainContent_lblBody"&gt;Yesterday NVIDIA rolled out a new driver for Windows XP users called ForceWare 169.21 for Windows XP and XP Media Center Edition. The new driver supports everything from the 8800 Ultra and new 8800 GT and 512MB GTS to the old GeForce FX 5100. &lt;p&gt;The driver uses the new NVIDIA control panel introduced in October of 2006. This latest driver release fixes a myriad of issues for a variety of single and dual GPU NVIDIA systems. 
Notable fixes for all GPUs are the repair of the control panel run display optimization wizard back button that didn’t work, flickering puddle reflections in &lt;em&gt;FEAR&lt;/em&gt; and a crash in &lt;em&gt;Star Wars: Republic Commando&lt;/em&gt; when starting new games.&lt;/p&gt; &lt;p&gt;A few fixes for the &lt;a href="http://www.dailytech.com/NVIDIA+Debuts+Considerably+Cooler+GeForce+8800+GT/article9424.htm" target="_blank"&gt;new NVIDIA 8800 GT &lt;/a&gt;cards are added to the drivers including an issue with &lt;em&gt;Bioshock&lt;/em&gt; where a small black square appears during part of the intro sequence when antialiasing is enabled. An issue on the 8800 GTX with Blu-ray color settings not taking effect has been repaired as well.&lt;/p&gt; &lt;p&gt;Issues with SLI have been addressed in the new driver as well with a fix for &lt;em&gt;Stalker&lt;/em&gt; with SLI 8800 GTX cards where game performance didn’t improve much. NVIDIA has a PDF &lt;a href="http://us.download.nvidia.com/Windows/169.21/169.21_WinXP_Forceware_Release_Notes.pdf" rel="nofollow" target="_blank"&gt;document that details all the fixes provided in the 169.21 driver update&lt;/a&gt;. 
&lt;/p&gt; &lt;p&gt;Windows XP users looking for the &lt;a href="http://www.nvidia.com/object/winxp_169.21_whql.html" rel="nofollow" target="_blank"&gt;new driver can get it here&lt;/a&gt;&lt;/p&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-7194538552997781444?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/7194538552997781444/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=7194538552997781444' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/7194538552997781444'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/7194538552997781444'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2007/12/nvidia-releases-new-windows-xp-drivers.html' title='NVIDIA Releases New Windows XP Drivers'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-3006767459982054171</id><published>2007-12-21T21:39:00.000-08:00</published><updated>2007-12-23T21:44:27.755-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Internet'/><title type='text'>Mozilla Releases Firefox 3 Beta 2; Beefs Up Security</title><content type='html'>&lt;span style="font-size:85%;"&gt;&lt;span style="font-family: verdana;" id="ctl00_MainContent_lblSummary" class="ArticleSummary"&gt;Firefox 3 is shaping up to be a very secure browser thanks to new 
features&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: verdana;" id="ctl00_MainContent_lblBody"&gt;&lt;p&gt;A &lt;a href="http://www.dailytech.com/IE+vs+Firefox+The+Trash+Talking+Heats+Up/article9871.htm" title="IE vs Firefox: The Trash Talking Heats Up"&gt;scathing report on browser security from Microsoft&lt;/a&gt;, which claimed in an "unbiased" analysis that Internet Explorer was vastly more secure than Mozilla's Firefox, ignited a recent war of words between the two browser makers.  However, Mozilla decided that it was wiser to back up its words with action, rather than just more talk.&lt;br /&gt;&lt;br /&gt;The end result is that the company just released the second &lt;a href="http://www.dailytech.com/Firefox+30+Beta+1+Release+Flexes+Some+Muscle/article9723.htm" title="Firefox 3.0 Beta 1 Release Flexes Some Muscle"&gt;beta candidate&lt;/a&gt; of the third iteration of its &lt;a href="http://www.dailytech.com/Firefox+Hits+400+Million+Downloads/article8823.htm" title="Firefox Hits 400 Million Downloads "&gt;increasingly popular&lt;/a&gt; Firefox browser, and this release ups the ante on security with many new features.&lt;br /&gt;&lt;br /&gt;The new browser has tighter protection against cross-site restrictions on cookies, better malware protection, clearer website identification information in the status bar, stricter SSL error pages, version checking for insecure plugins, a built in antivirus program in the download utility, and improved protection against JSON data leaks.&lt;br /&gt;&lt;br /&gt;The feature Mozilla is most proud of is its improved protection from malicious sites.  When a user visits a malicious site in Firefox 3, the browser plays sheriff and blocks the site.  
Even better, it does it with an interface that does not allow click through.&lt;br /&gt;&lt;br /&gt;Mozilla's &lt;span id="articleBody"&gt;"Chief Security Something-or-Other" (according to her business cards) &lt;/span&gt;&lt;span id="articleBody"&gt;Window Snyder says that even the utilitarian features in the Firefox browser double as security aids.  For example, she stated Firefox's ability to restore tabbing makes patching the browser an easier process, thus helping to safeguard it.  She stated, "I really do believe that every feature is a security feature and should be evaluated as such."&lt;/span&gt;&lt;span id="articleBody"&gt;&lt;br /&gt;&lt;br /&gt;While Microsoft touts that it has fewer vulnerabilities than its competitors, Mozilla measures its browser's security by a different gauge.  It judges its performance based on "days of vulnerability", the number of days between when known exploit code for a vulnerability appears and the publication of the &lt;a href="http://www.dailytech.com/Firefox+2006+Patches+Two+Security+Holes/article8241.htm" title="Firefox 2.0.0.6 Patches Two Security Holes "&gt;patch for that vulnerability&lt;/a&gt;.   By this measure Firefox was only vulnerable for 9 days in 2006, versus Internet Explorer, which was vulnerable 286 days of the year.&lt;br /&gt;&lt;br /&gt;Mozilla also says that its public bug count is a mark of integrity and the lack of a public IE bug database is a way for Microsoft to hide their vulnerabilities.  
&lt;/span&gt;&lt;span id="articleBody"&gt;Mike Schroepfer, Mozilla's VP of engineering said the lack was, "&lt;/span&gt;&lt;span id="articleBody"&gt;[a] vivid reminder that there is no way for anyone outside of Microsoft to confirm how many vulnerabilities ever existed in Internet Explorer."&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span id="articleBody"&gt;Dave Marcus, security research and communications manager at McAfee Avert Labs, threw out an independent opinion on the issue saying the debate over "days of vulnerability" versus vulnerability counts was pointless and that the only thing that mattered was how quickly patches were made.&lt;br /&gt;&lt;br /&gt;Firefox is also &lt;a href="http://www.dailytech.com/Firefox+30+Undergoes+Bug+Triage+Only+One+Fifth+to+be+Treated/article9676.htm" title="Firefox 3.0 Undergoes Bug Triage: Only One Fifth to be Treated "&gt;working frantically to finish fixes&lt;/a&gt; for its identified non-security related bugs in time for the final release of Firefox 3.&lt;br /&gt;&lt;br /&gt;Who will win the next generation browser war remains to be seen, but as Mozilla's Firefox 3 Beta 2 release indicates, both companies are going to stake their reputation on providing the most secure solution to the consumer&lt;/span&gt;&lt;/p&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-3006767459982054171?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/3006767459982054171/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=3006767459982054171' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/3006767459982054171'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/14928049/posts/default/3006767459982054171'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2007/12/mozilla-releases-firefox-3-beta-2-beefs.html' title='Mozilla Releases Firefox 3 Beta 2; Beefs Up Security'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-5714538719096834384</id><published>2007-12-13T10:09:00.000-08:00</published><updated>2007-12-13T10:18:33.997-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Tutorial'/><title type='text'>Networking Basics: Part 1</title><content type='html'>&lt;h2 style="text-align: justify; font-family: verdana;" class="NoSpacing"&gt;Network Adapters&lt;/h2&gt;&lt;div style="text-align: justify; font-family: verdana;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;The first piece of hardware that I want to discuss is a network adapter. There are many different names for network adapters, including network cards, Network Interface Cards, NICs. These are all generic terms for the same piece of hardware. A network card’s job is to physically attach a computer to a network, so that the computer can participate in network communications.&lt;/p&gt;&lt;div style="font-family: verdana;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;The first thing that you need to know about network cards is that the network card has to match the network medium. The network medium refers to the type of cabling that is being used on the network. 
Wireless networks are a science all their own, and I will talk about them in a separate article.&lt;/p&gt;&lt;div style="text-align: justify; font-family: verdana;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;At one time making sure that a network card matched the network medium was a really big deal, because there were a large number of competing standards in existence. For example, before you built a network and started buying network cards and cabling, you had to decide if you were going to use Ethernet, coaxial Ethernet, Token Ring, Arcnet, or one of the other networking standards of the time.  Each networking technology had its strengths and weaknesses, and it was important to figure out which one was the most appropriate for your organization.&lt;/p&gt;&lt;div style="text-align: justify; font-family: verdana;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;Today, most of the networking technologies that I mentioned above are quickly becoming extinct. Pretty much the only type of wired network used by small and medium sized businesses is Ethernet. You can see an example of an Ethernet network card, shown in Figure A.&lt;/p&gt;&lt;div style="text-align: justify; font-family: verdana;"&gt; &lt;blockquote dir="ltr"&gt; &lt;p class="NoSpacing"&gt;&lt;img alt="" src="http://www.windowsnetworking.com/img/upl/image002a1155125144265.JPG" align="bottom" border="0" hspace="0" /&gt;&lt;br /&gt;&lt;strong&gt;Figure A: &lt;/strong&gt;This is what an Ethernet card looks like&lt;/p&gt;&lt;/blockquote&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;"&gt;Modern Ethernet networks use twisted pair cabling containing eight wires. These wires are arranged in a special order, and an RJ-45 connector is crimped onto the end of the cable. An RJ-45 connector looks like the connector on the end of a phone cord, but it’s bigger. 
Phone cords use RJ-11 connectors as opposed to the RJ-45 connectors used by Ethernet cable. You can see an example of an Ethernet cable with an RJ-45 connector, shown in Figure B. &lt;/p&gt;&lt;div style="text-align: justify; font-family: verdana;"&gt; &lt;blockquote dir="ltr"&gt; &lt;p&gt;&lt;img alt="" src="http://www.windowsnetworking.com/img/upl/image004a1155125144265.JPG" align="bottom" border="0" hspace="0" /&gt;&lt;br /&gt;&lt;strong&gt;Figure B: &lt;/strong&gt;This is an Ethernet cable with an RJ-45 connector installed&lt;/p&gt;&lt;/blockquote&gt; &lt;/div&gt;&lt;h2 style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;Hubs and Switches&lt;/h2&gt;&lt;div style="text-align: justify; font-family: verdana;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;As you can see, computers use network cards to send and receive data. The data is transmitted over Ethernet cables. However, you normally can’t just run an Ethernet cable between two PCs and call it a network. &lt;/p&gt;&lt;div style="text-align: justify; font-family: verdana;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;In this day and age of high speed Internet access being almost universally available, you tend to hear the term broadband thrown around a lot. Broadband is a type of network in which data is sent and received across the same wire. In contrast, Ethernet uses Baseband communications. Baseband uses separate wires for sending and receiving data. What this means is that if one PC is sending data across a particular wire within the Ethernet cable, then the PC that is receiving the data needs to have the wire redirected to its receiving port.&lt;/p&gt;&lt;div style="text-align: justify; font-family: verdana;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;You can actually network two PCs together in this way. 
You can create what is known as a crossover cable. A crossover cable is simply a network cable that has the sending and receiving wires reversed at one end, so that two PCs can be linked directly together.&lt;/p&gt;&lt;div style="text-align: justify; font-family: verdana;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;The problem with using a crossover cable to build a network is that the network will be limited to using no more and no less than two PCs. Rather than using a crossover cable, most networks use normal Ethernet cables that do not have the sending and receiving wires reversed at one end. &lt;/p&gt;&lt;div style="text-align: justify; font-family: verdana;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;Of course the sending and receiving wires have to be reversed at some point in order for communications to succeed. This is the job of a hub or a switch. Hubs are starting to become extinct, but I want to talk about them anyway because it will make it easier to explain switches later on.&lt;/p&gt;&lt;div style="text-align: justify; font-family: verdana;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;There are different types of hubs, but generally speaking a hub is nothing more than a box with a bunch of RJ-45 ports. Each computer on a network would be connected to a hub via an Ethernet cable. 
You can see a picture of a hub, shown in Figure C.&lt;/p&gt;&lt;div style="text-align: justify; font-family: verdana;"&gt; &lt;blockquote dir="ltr"&gt; &lt;p class="NoSpacing"&gt;&lt;img alt="" src="http://www.windowsnetworking.com/img/upl/image006a1155125144265.JPG" align="bottom" border="0" hspace="0" /&gt;&lt;br /&gt;&lt;strong&gt;Figure C: &lt;/strong&gt;A hub is a device that acts as a central connection point for computers on a network&lt;/p&gt;&lt;/blockquote&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;A hub has two different jobs. Its first job is to provide a central point of connection for all of the computers on the network. Every computer plugs into the hub (multiple hubs can be daisy chained together if necessary in order to accommodate more computers). &lt;/p&gt;&lt;div style="text-align: justify; font-family: verdana;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;The hub’s other job is to arrange the ports in such a way so that if a PC transmits data, the data is sent over the other computer’s receive wires. &lt;/p&gt;&lt;div style="text-align: justify; font-family: verdana;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;Right now you might be wondering how data gets to the correct destination if more than two PCs are connected to a hub. The secret lies in the network card. Each Ethernet card is programmed at the factory with a unique Media Access Control (MAC) address. When a computer on an Ethernet network transmits data across an Ethernet network containing PCs connected to a hub, the data is actually sent to every computer on the network. As each computer receives the data, it compares the destination address to its own MAC address. 
If the addresses match then the computer knows that it is the intended recipient, otherwise it ignores the data.&lt;/p&gt;&lt;div style="text-align: justify; font-family: verdana;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;As you can see, when computers are connected via a hub, every packet gets sent to every computer on the network. The problem is that any computer can send a transmission at any given time. Have you ever been on a conference call and accidentally started to talk at the same time as someone else? This is the same thing that happens on this type of network.&lt;/p&gt;&lt;div style="text-align: justify; font-family: verdana;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;When a PC needs to transmit data, it checks to make sure that no other computers are sending data at the moment. If the line is clear, it transmits the necessary data. If another computer tries to communicate at the same time though, then the packets of data that are traveling across the wire collide and are destroyed (this is why this type of network is sometimes referred to as a collision domain). Both PCs then have to wait for a random amount of time and attempt to retransmit the packet that was destroyed. &lt;/p&gt;&lt;div style="text-align: justify; font-family: verdana;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;As the number of PCs on a collision domain increases, so does the number of collisions. As the number of collisions increases, network efficiency decreases. This is why switches have almost completely replaced hubs.&lt;/p&gt;&lt;div style="text-align: justify; font-family: verdana;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;A switch, such as the one shown in Figure D, performs all of the same basic tasks as a hub. 
The difference is that when a PC on the network needs to communicate with another PC, the switch uses a set of internal logic circuits to establish a dedicated, logical path between the two PCs. What this means is that the two PCs are free to communicate with each other, without having to worry about collisions. &lt;/p&gt;&lt;div style="text-align: justify; font-family: verdana;"&gt; &lt;blockquote dir="ltr"&gt; &lt;p&gt;&lt;img alt="" src="http://www.windowsnetworking.com/img/upl/image008a1155125144281.JPG" align="bottom" border="0" hspace="0" /&gt;&lt;br /&gt;&lt;strong&gt;Figure D: &lt;/strong&gt;A switch looks a lot like a hub, but performs very differently&lt;/p&gt;&lt;/blockquote&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;Switches greatly improve a network’s efficiency. Yes, they eliminate collisions, but there is more to it than that. Because of the way that switches work, they can establish parallel communications paths. For example, just because computer A is communicating with computer B, there is no reason why computer C can’t simultaneously communicate with computer D. In a collision domain, these types of parallel communications would be impossible because they would result in collisions.&lt;/p&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;I want to continue the discussion of networking hardware by talking about one of the most important networking components; routers. &lt;/p&gt;&lt;p style="font-family: verdana;" class="NoSpacing"&gt;Even if you are new to networking, you have probably heard of routers. Broadband Internet connections, such as those utilizing a cable modem or a DSL modem, almost always require a router. A router's job isn't to provide Internet connectivity though. A router's job is to move packets of data from one network to another. 
There are actually many different types of routers ranging from simple, inexpensive routers used for home Internet connectivity to the insanely expensive routers used by giant corporations. Regardless of a router’s cost or complexity, routers all work on the same basic principles.&lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;That being the case, I'm going to focus my discussion around simple, low budget routers that are typically used to connect a PC to a broadband Internet connection. My reason for doing so is that this article series is intended for beginners. In my opinion, it will be a lot easier to teach you the basics if I am referencing something that is at least somewhat familiar to most people, and that is not as complicated as many of the routers used within huge corporations. Besides, the routers used in corporations work on the same basic principles as the routers that I will be discussing in this article. If you are wanting a greater level of knowledge though, don’t worry. I will talk about the science of routing in a whole lot more detail later in this article series.&lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;As I explained earlier, a router's job is to move packets of data from one network to another. This definition might seem strange in the context of a PC that's connected to a broadband Internet connection. If you stop and think about it, the Internet is a network (actually it's a collection of networks, but that's beside the point).&lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;So if a router's job is to move traffic between two networks, and the Internet is one of those networks, where is the other one? 
In this particular case, the PC that is connected to the router is actually configured as a very simple network.&lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;To get a better idea of what I am talking about, take a look at the pictures shown in Figures A and B. Figure A shows the front of a 3COM broadband router, while Figure B shows the back view of the same router.&lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;&lt;img alt="" src="http://www.windowsnetworking.com/img/upl/image002a1159951461656.JPG" align="bottom" border="0" hspace="0" /&gt;&lt;br /&gt;&lt;strong&gt;Figure A: &lt;/strong&gt;This is the front view of a 3COM broadband router&lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;&lt;img alt="" src="http://www.windowsnetworking.com/img/upl/image004a1159951461656.JPG" align="bottom" border="0" hspace="0" /&gt;&lt;br /&gt;&lt;strong&gt;Figure B: &lt;/strong&gt;A broadband Internet router contains a set of RJ-45 ports just like a hub or switch&lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;As you can see in the figures, there is nothing especially remarkable about the front view of the router. I wanted to include this view anyway though, so that those of you who are unfamiliar with routers can see what a router looks like. Figure B is much more interesting.  &lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;If you look at Figure B, you’ll see that there are three sets of ports on the back of the router. The port on the far left is where the power supply connects to the router. The middle port is an RJ-45 port used to connect to the remote network. In this particular case, this router is intended to provide Internet connectivity. As such, this middle port would typically be used to connect the router to a cable modem or to a DSL modem. 
The modem in turn would provide the actual connectivity to the Internet.&lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;If you look at the set of ports on the far right, you’ll see that there are four RJ-45 ports. If you think back to the first part of this article series, you’ll recall that hubs and switches also contained large groups of RJ-45 ports. In the case of a hub or switch, the RJ-45 ports are used to provide connectivity to the computers on the network.&lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;These ports work the exact same way on this router. This particular router has a four port switch built in. Remember earlier when I said that a router’s job was to move packets between one network and another? I explained that in the case of a broadband router, the Internet represents one network, and the PC represents the second network. The reason why a single computer can represent an entire network is because the router does not treat the PC as a standalone device. Routers treat the PC as a node on a network. As you can see from the photo in Figure B, this particular router could actually accommodate a network of four PCs. It’s just that most home users who use this type of configuration only plug one PC into the router. Therefore a more precise explanation would be that this type of network routes packets of data between a small network (even if that network only consists of a single computer) to the Internet (which it treats as a second network).&lt;/p&gt; &lt;h2 style="font-family: verdana;" class="NoSpacing"&gt;The Routing Process&lt;/h2&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;Now that I've talked a little bit about what a router is and what it does, I want to talk about the routing process. 
In order to understand how routing works, you have to understand a little bit about how the TCP/IP protocol works.&lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;Every device connected to a TCP/IP network has a unique IP address bound to its network interface. The IP address consists of a series of four numbers separated by periods. For example, a typical IP address looks something like this: 192.168.0.1&lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;The best analogy I can think of to describe an IP address is to compare it to a street address. A street address consists of a number and a street name. The number identifies the specific building on the street. An IP address works kind of the same way. The address is broken into a network number and a device number. If you were to compare an IP address to a street address, then think of the network number as being like a street name, and of the device number as being like a house number. The network number identifies which network the device is on, and the device number gives the device an identity on that network.&lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;So how do you know where the network number ends and the device number begins? This is the job of the subnet mask. A subnet mask tells the computer where the network number portion of an IP address stops, and where the device number starts. Subnetting can be complicated, and I will cover it in detail in a separate article. For now, let's keep it simple and look at a very basic subnet mask.&lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;A subnet mask looks a lot like an IP address in that it follows the format of having four numbers separated by periods. A typical subnet mask looks like this: 255.255.255.0&lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;In this particular example, the first three numbers (called octets) are each 255, and the last number is 0. 
The number 255 indicates that all of the bits in the corresponding position in the IP address are a part of the network number. The number zero indicates that none of the bits in the corresponding position in the IP address are a part of the network number, and therefore they all belong to the device number.&lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;I know this probably sounds a little bit confusing, so consider this example. Imagine that you had a PC with an IP address of 192.168.1.1 and a subnet mask of 255.255.255.0. In this particular case, the first three octets of the subnet mask are all 255. This means that the first three octets of the IP address all belong to the network number. Therefore, the network number portion of this IP address is 192.168.1.x. &lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;The reason why this is important to know is because a router’s job is to move packets of data from one network to another. All of the devices on a network (or on a network segment to be more precise) share a common network number. For example, if 192.168.1.x was the network number associated with computers attached to the router shown in Figure B, then the IP addresses for four individual computers might be:&lt;/p&gt; &lt;ul style="font-family: verdana;"&gt;&lt;li&gt; &lt;div class="NoSpacing"&gt;192.168.1.1&lt;/div&gt; &lt;/li&gt;&lt;li&gt; &lt;div class="NoSpacing"&gt;192.168.1.2&lt;/div&gt; &lt;/li&gt;&lt;li&gt; &lt;div class="NoSpacing"&gt;192.168.1.3&lt;/div&gt; &lt;/li&gt;&lt;li&gt; &lt;div class="NoSpacing"&gt;192.168.1.4&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;As you can see, each computer on the local network shares the same network number, but has a different device number. As you may know, whenever a computer needs to communicate with another computer on a network, it does so by referring to the other computer’s IP address. 
For example, in this particular case the computer with the address of 192.168.1.1 could easily send a packet of data to the computer with the address of 192.168.1.3, because both computers are a part of the same physical network.&lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;Things work a bit differently if a computer needs to access a computer on another network. Since I am focusing this particular discussion on small broadband routers that are designed to provide Internet connectivity, let’s pretend that one of the users on the local network wanted to visit the &lt;a href="http://www.brienposey.com/" target="_blank"&gt;www.brienposey.com&lt;/a&gt; Web site. A Web site is hosted by a server. Like any other computer, a Web server has a unique IP address. The IP address for this particular Web site is 24.235.10.4. &lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;You can easily look at this IP address and tell that it does not belong to the 192.168.1.x network. That being the case, the computer that’s trying to reach the Web site can’t just send the packet out along the local network, because the Web server isn’t a part of the local network. Instead, the computer that needs to send the packet looks at its default gateway address.&lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;The default gateway is a part of a computer’s TCP/IP configuration. It is basically a way of telling a computer that if it does not know where to send a packet, then send it to the specified default gateway address. The default gateway’s address would be the router’s IP address. In this case, the router’s IP address would probably be 192.168.1.0.&lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;Notice that the router’s IP address shares the same network number as the other computers on the local network. It has to so that it can be accessible to those computers. Actually, a router has at least two IP addresses. 
One of those addresses uses the same network number as your local network. The router’s other IP address is assigned by your ISP. This IP address uses the same network number as the ISP’s network. The router’s job is therefore to move packets from your local network onto the ISP’s network. Your ISP has routers of its own that work in exactly the same way, but that route packets to other parts of the Internet.&lt;/p&gt;&lt;p style="font-family: verdana;" class="NoSpacing"&gt;In the last part of this article series, I talked about how all of the computers on a network segment share a common IP address range. I also explained that when a computer needs to access information from a computer on another network or network segment, it’s a router’s job to move the necessary packets of data from the local network to another network (such as the Internet). &lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;If you read that article, you probably noticed that in one of my examples, I made a reference to the IP address that’s associated with my Web site. To be able to access a Web site, your Web browser has to know the Web site’s IP address. Only then can it give that address to the router, which in turn routes the outbound request packets to the appropriate destination. Even though every Web site has an IP address, you probably visit Web sites every day without ever having to know an IP address. In this article, I will show you why this is possible.&lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;I have already explained that IP addresses are similar to street addresses. The network portion of the address defines which network segment the computer exists on, and the computer portion of the address designates a specific computer on that network. Knowing an IP address is a requirement for TCP/IP based communications between two computers. 
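The address split recapped above and the default gateway decision from the routing discussion can be checked in a few lines of Python. This is an added example, not part of the original article; the function names and the gateway addresses 192.168.1.254 and 192.168.1.62 are assumptions, and it goes beyond the 255/0 octets in the text to masks that split inside an octet.

```python
import ipaddress


def split_address(ip, mask):
    """Return (network, device number) for an IPv4 address and subnet mask."""
    # ip_interface rejects malformed masks such as 255.0.255.0 with ValueError.
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    network = iface.network
    # The device number is whatever is left once the network number is removed.
    device = int(iface.ip) - int(network.network_address)
    return network, device


def next_hop(src_ip, mask, gateway, dest_ip):
    """Decide where a host hands a packet: the destination itself or the gateway."""
    network, _ = split_address(src_ip, mask)
    gw = ipaddress.ip_address(gateway)
    dest = ipaddress.ip_address(dest_ip)
    # The gateway must share the local network number or the host cannot reach it.
    if gw not in network:
        raise ValueError(f"gateway {gw} is not on local network {network}")
    # The first and last address of a network are conventionally reserved
    # (network number and broadcast), so they are rejected as gateway addresses.
    if gw in (network.network_address, network.broadcast_address):
        raise ValueError(f"gateway {gw} is a reserved address on {network}")
    if dest in network:
        return ("direct", str(dest))
    return ("gateway", str(gw))


def demo():
    """Run constructed cases; each tuple is (source, mask, gateway, destination)."""
    cases = [
        # Same network number: delivered on the local segment.
        ("192.168.1.1", "255.255.255.0", "192.168.1.254", "192.168.1.3"),
        # The Web server address used in the article: handed to the router.
        ("192.168.1.1", "255.255.255.0", "192.168.1.254", "24.235.10.4"),
        # Narrower mask: 192.168.1.200 is now a different network, so it is routed.
        ("192.168.1.1", "255.255.255.192", "192.168.1.62", "192.168.1.200"),
        # Mask too wide: the host treats 192.168.2.5 as local, so the packet
        # never reaches the router or any filtering done there.
        ("192.168.1.1", "255.255.0.0", "192.168.1.254", "192.168.2.5"),
    ]
    return [next_hop(*case) for case in cases]


if __name__ == "__main__":
    print(split_address("192.168.1.1", "255.255.255.0"))
    for result in demo():
        print(result)
```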
&lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;When you open a Web browser and enter the name of a Web site (which is known as the site’s domain name, URL, or Universal Resource Locator), the Web browser goes straight to the Web site without you ever having to enter an IP address. With that in mind, consider my comparison of IP addresses to postal addresses. You can’t just write someone’s name on an envelope, drop the envelope in the mail, and expect it to be delivered. The post office can’t deliver the letter unless it has an address. The same basic concept applies to visiting Web sites. Your computer cannot communicate with a Web site unless it knows the site’s IP address. &lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;So if your computer needs to know a Web site’s IP address before it can access the site, and you aren’t entering the IP address, where does the IP address come from? Translating domain names into IP addresses is the job of a DNS server. &lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;In the two articles leading up to this one, I talked about several aspects of a computer’s TCP/IP configuration, such as the IP address, subnet mask, and default gateway. If you look at Figure A, you will notice that there is one more configuration option that has been filled in; the Preferred DNS server.&lt;/p&gt; &lt;p style="font-family: verdana;"&gt;&lt;img alt="" src="http://www.windowsnetworking.com/img/upl/image0011161081640859.jpg" align="bottom" border="0" hspace="0" /&gt;&lt;br /&gt;&lt;strong&gt;Figure A: &lt;/strong&gt;The Preferred DNS Server is defined as a part of a computer’s TCP/IP configuration&lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;As you can see in the figure, the preferred DNS server is defined as a part of a computer’s TCP/IP configuration. What this means is that the computer will always know the IP address of a DNS server. 
This is important because a computer cannot communicate with another computer using the TCP/IP protocol unless an IP address is known.&lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;With that in mind, let’s take a look at what happens when you attempt to visit a Web site. The process begins when you open a Web browser and enter a URL. When you do, the Web browser knows that it cannot locate the Web site based on the URL alone. It therefore retrieves the DNS server’s IP address from the computer’s TCP/IP configuration and passes the URL on to the DNS server. The DNS server then looks up the URL on a table which also lists the site’s IP address. The DNS server then returns the IP address to the Web browser, and the browser is then able to communicate with the requested Web site.&lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;Actually, that explanation is a little bit oversimplified. DNS name resolution can only work in the way that I just described if the DNS server contains a record that corresponds to the site that’s being requested. If you were to visit a random Web site, there is a really good chance that your DNS server does not contain a record for the site. The reason for this is that the Internet is so big. There are millions of Web sites, and new sites are created every day. There is no way that a single DNS server could possibly keep up with all of those sites and service requests from everyone who is connected to the Internet. &lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;Let’s pretend for a moment that it was possible for a single DNS server to store records for every Web site in existence. Even if the server’s capacity were not an issue, the server would be overwhelmed by the sheer volume of name resolution requests that it would receive from people using the Internet. A centralized DNS server would also be a very popular target for attacks. 
&lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;Instead, DNS servers are distributed so that a single DNS server does not have to provide name resolutions for the entire Internet. There is an organization named the Internet Corporation for Assigned Names and Numbers, or ICANN for short, that is responsible for all of the registered domain names on the Internet. Because managing all of those domain names is such a huge job, ICANN delegates portions of the domain naming responsibility to various other firms. For example, Network Solutions is responsible for all of the .com domain names. Even so, Network Solutions does not maintain a list of the IP addresses associated with all of the .com domains. In most cases, Network Solutions’ DNS servers contain records that point to the DNS server that is considered to be authoritative for each domain.&lt;/p&gt; &lt;p style="font-family: verdana;" class="NoSpacing"&gt;To see how all this works, imagine that you wanted to visit the &lt;a href="http://www.brienposey.com/" target="_blank"&gt;www.brienposey.com&lt;/a&gt; website. When you enter the request into your Web browser, your Web browser forwards the URL to the DNS server specified by your computer’s TCP/IP configuration. More than likely, your DNS server is not going to know the IP address of this website. Therefore, it will send the request to the ICANN DNS server. The ICANN DNS server wouldn’t know the IP address for the website that you are trying to visit. It would however know the IP address of the DNS server that is responsible for domain names ending in .COM. It would return this address to your Web browser, which in turn would submit the request to the specified DNS server. 
&lt;/p&gt; &lt;p style="text-align: justify; font-family: verdana;" class="NoSpacing"&gt;The top level DNS server for domains ending in .COM would not know the IP address of the requested Web site either, but it would know the IP address of a DNS server that is authoritative for the brienposey.com domain. It would send this address back to the machine that made the request. The Web browser would then send the DNS query to the DNS server that is authoritative for the requested domain. That DNS server would then return the website’s IP address, thus allowing the machine to communicate with the requested website.&lt;/p&gt; &lt;p style="text-align: justify; font-family: verdana;" class="NoSpacing"&gt;As you can see, there are a lot of steps that must be completed in order for a computer to find the IP address of a website. To help reduce the number of DNS queries that must be made, the results of DNS queries are usually cached for either a few hours or a few days, depending on how the machine is configured. Caching IP addresses greatly improves performance and minimizes the amount of bandwidth consumed by DNS queries. 
Imagine how inefficient Web browsing would be if your computer had to do a full set of DNS queries every time you visit a new page.&lt;/p&gt;&lt;p style="font-family: verdana;" class="NoSpacing"&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-5714538719096834384?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/5714538719096834384/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=5714538719096834384' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/5714538719096834384'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/5714538719096834384'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2007/12/networking-basics-part-1.html' title='Networking Basics: Part 1'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-8944657980005705910</id><published>2007-12-13T10:08:00.000-08:00</published><updated>2007-12-13T10:25:09.670-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Tutorial'/><title type='text'>Networking Basics: Part 2</title><content type='html'>&lt;p&gt;So far in this article series, I have talked a lot about networking hardware and about the TCP/IP protocol. 
The networking hardware is used to establish a physical connection between devices, while the TCP/IP protocol is essentially the language that the various devices use to communicate with each other. In this article, I will continue the discussion by talking a little bit about the computers that are connected to a network.&lt;/p&gt; &lt;p class="NoSpacing"&gt;Even if you are new to networking, you have no doubt heard terms such as server and workstation. These terms are generally used to refer to a computer’s role on the network rather than the computer’s hardware. For example, just because a computer is acting as a server, it doesn’t necessarily mean that it has to be running server hardware. It is possible to install a server operating system onto a PC, and have that PC act as a network server. Of course in most real life networks, servers are running specialized hardware to help them to be able to handle the heavy workload that servers are typically subjected to.&lt;/p&gt; &lt;p class="NoSpacing"&gt;What might make the concept of network servers a little bit more confusing is that technically speaking a server is any computer that hosts resources over a network. This means that even a computer that’s running Windows XP could be considered to be a server if it is configured to share some kind of resource, such as files or a printer.&lt;/p&gt; &lt;p class="NoSpacing"&gt;Computers on a network typically fall into one of three roles. Usually a computer is considered to be either a workstation (sometimes referred to as a client), server, or a peer.&lt;/p&gt; &lt;p class="NoSpacing"&gt;Workstations are computers that use network resources, but that do not host resources of their own. For example, a computer that is running Windows XP would be considered a workstation so long as it is connected to a network and is not sharing files or printers.&lt;/p&gt; &lt;p class="NoSpacing"&gt;Servers are computers that are dedicated to the task of hosting network resources. 
Typically, nobody is going to be sitting down at a server to do their work. Windows servers (that is, computers running Windows Server 2003, Windows 2000 Server, or Windows NT Server) have a user interface that is very similar to what you would find on a Windows workstation. It is possible that someone with an appropriate set of permissions could sit down at the server and run Microsoft Office or some other application. Even so, such behavior is strongly discouraged because it undermines the server’s security, decreases the server’s performance, and has the potential to affect the server’s stability.&lt;/p&gt; &lt;p class="NoSpacing"&gt;The last type of computer that is commonly found on a network is a peer. A peer machine is a computer that acts as both a workstation and a server. Such machines typically run workstation operating systems (such as Windows XP), but are used to both access and host network resources.&lt;/p&gt; &lt;p class="NoSpacing"&gt;In the past, peers were found primarily on very small networks. The idea was that if a small company lacks the resources to purchase true servers, then the workstations could be configured to perform double duty. For example, each user could make their own files accessible to every other user on the network. If a user happens to have a printer attached to their PC, they can also share the printer so that others on the network can print to it.&lt;/p&gt; &lt;p class="NoSpacing"&gt;Peer networks have been traditionally discouraged in larger companies because of their inherent lack of security, and because they cannot be centrally managed. That’s why peer networks are primarily found in extremely small companies or in homes with multiple PCs. Windows Vista (the successor to Windows XP) is attempting to change that. 
Windows Vista will allow users on traditional client/server networks to form peer groups that will allow the users and those groups to share resources amongst themselves in a secure manner, without breaking their connection to network servers. This new feature is being marketed as a collaboration tool.&lt;/p&gt; &lt;p class="NoSpacing"&gt;Earlier I mentioned that peer networks are discouraged in favor of client/server networks because they lack security and centralized manageability. However, just because a network is made up of workstations and servers, it doesn’t necessarily guarantee security and centralized management. Remember, a server is only a machine that is dedicated to the task of hosting resources over a network. Having said that, there are countless varieties of servers and some types of servers are dedicated to providing security and manageability.&lt;/p&gt; &lt;p class="NoSpacing"&gt;For example, Windows servers fall into two primary categories; member servers and domain controllers. There is really nothing special about a member server. A member server is simply a computer that is connected to a network, and is running a Windows Server operating system. A member server might be used as a file repository (known as a file server), or to host one or more network printers (known as a print server). Member servers are also frequently used to host network applications. For example, Microsoft offers a product called Exchange Server 2003 that when installed on a member server, allows that member server to function as a mail server. The point is that a member server can be used for just about anything.&lt;/p&gt; &lt;p class="NoSpacing"&gt;Domain controllers are much more specialized. A domain controller’s job is to provide security and manageability to the network. I am assuming that you’re probably familiar with the idea of logging on to a network by entering a username and password. 
On a Windows network, it is the domain controller that is responsible for keeping track of usernames and passwords.&lt;/p&gt; &lt;p class="NoSpacing"&gt;The person who is responsible for managing the network is known as the network administrator. Whenever a user needs to gain access to resources on a Windows network, the administrator uses a utility provided by a domain controller to create a user account and password for the new user. When the new user (or any user for that matter) attempts to log onto the network, the user’s credentials (their username and password) are transmitted to the domain controller. The domain controller validates the user’s credentials by comparing them against the copy stored in the domain controller’s database. Assuming that the password that the user entered matches the password that the domain controller has on file, the user is granted access to the network. This process is called authentication. &lt;/p&gt; &lt;p class="NoSpacing"&gt;On a Windows network, only the domain controllers perform authentication services. Of course users will probably need to access resources stored on member servers. This is not a problem because resources on member servers are protected by a set of permissions that are related to the security information stored on domain controllers.&lt;/p&gt; &lt;p class="NoSpacing"&gt;For example, suppose that my user name was Brien. I enter my username and password, which is sent to a domain controller for authentication. When the domain controller authenticates me, it has not actually given me access to any resources. Instead, it validates that I am who I claim to be. When I go to access resources off of a member server, my computer presents a special access token to the member server that basically says that I have been authenticated by a domain controller. The member server does not trust me, but it does trust the domain controller. 
Therefore, since the domain controller has validated my identity, the member server accepts that I am who I claim to be and gives me access to any resources that I have permission to access.&lt;/p&gt;&lt;p class="NoSpacing"&gt;&lt;br /&gt;&lt;/p&gt;&lt;h1 class="ww-important"&gt;&lt;span&gt;Domain Controllers&lt;/span&gt;&lt;/h1&gt;In the previous article in this series, I talked about the roles of various computers on a network. As you may recall, one of the roles that I talked a little bit about was that of a domain controller. In this article, I will talk more about what domain controllers are and how they fit into your network infrastructure. &lt;p class="NoSpacing"&gt;One of the most important concepts in Windows networking is that of a domain. A domain is basically a collection of user accounts and computer accounts that are grouped together so that they can be centrally managed. It is the job of the domain controller to facilitate this central management of domain resources.&lt;/p&gt; &lt;p class="NoSpacing"&gt;To see why this is important, consider that any workstation that’s running Windows XP contains a handful of built in user accounts. Windows XP even allows you to create additional user accounts on the workstation. Unless the workstation is functioning as a standalone system or is a part of a peer network, these workstation level user accounts (called local user accounts) are not used for controlling access to network resources. Instead, local user accounts are used to regulate access to the local computer. They act primarily as a mechanism which ensures that administrators can perform workstation maintenance, without the end users having the ability to tamper with workstation settings.&lt;/p&gt; &lt;p class="NoSpacing"&gt;The reason why local user accounts are not used to control access to resources outside of the workstation that they reside on is because doing so would create an extreme management burden. Think about it for a minute. 
Local user accounts reside on each individual workstation. This means that if local user accounts were a network’s primary security mechanism, then an administrator would have to physically travel to the computer containing an account any time a change needs to be made to the account’s permissions. This might not be a big deal on smaller networks, but making security changes would be extremely cumbersome on larger networks or in situations in which a change needs to be applied globally to all accounts.&lt;/p&gt; &lt;p class="NoSpacing"&gt;Another reason why local user accounts are not used to control access to network resources is because they don’t travel with the user from one computer to another. For instance, if a user’s computer crashed, the user couldn’t just log on to another computer and work while their computer was being fixed, because the user’s account is specific to the computer that crashed. In order for the user to be able to do any work, a new account would have to be created on the computer that the user is now working with.&lt;/p&gt; &lt;p class="NoSpacing"&gt;These are just a few of the reasons why using local user accounts to secure access to network resources is impractical. Even if you wanted to implement this type of security, Windows does not allow it. Local user accounts can only be used to secure local resources. &lt;/p&gt; &lt;p class="NoSpacing"&gt;A domain solves these and other problems by centralizing user accounts (and other configuration and security related objects that I will talk about later in the series). 
This allows for easier administration, and allows users to log onto the network from any PC on the network (unless you restrict which machines a user can login from).&lt;/p&gt; &lt;p class="NoSpacing"&gt;With the information that I have given you so far regarding domains, it may seem that the philosophy behind domains is that, since the resources which users need access to reside on a server, you should use server level user accounts to control access to those resources. In a way this idea is true, but there is a little more to it than that.&lt;/p&gt; &lt;p class="NoSpacing"&gt;Back in the early 1990s I was working for a large insurance company that was running a network with servers running Novell NetWare. Windows networking hadn’t been invented yet, and Novell NetWare was the server operating system of choice at the time. At the time when I was hired, the company only had one network server, which contained all of the user accounts and all of the resources that the users needed access to. A few months later, someone decided that the users at the company needed to run a brand new application. Because of the size of the application and the volume of data that the application produced, the application was placed onto a dedicated server.&lt;/p&gt; &lt;p class="NoSpacing"&gt;The version of Novell NetWare that the company was running at the time used the idea that I presented earlier in which resources residing on a server were protected by user accounts which also resided on that server. The problem with this architecture was that each server had its own, completely independent set of user accounts. When the new server was added to the network, users logged in using the normal method, but they had to enter another username and password to access resources on the new server. &lt;/p&gt; &lt;p class="NoSpacing"&gt;At first things ran smoothly, but about a month after the new server was installed things started to get ugly. 
It became time for users to change their password. Users didn’t realize that they now had to change their password in two different places. This meant that passwords fell out of sync, and the help desk was flooded with calls related to password resets. As the company continued to grow and added more servers, the problem was further compounded.&lt;/p&gt; &lt;p class="NoSpacing"&gt;Eventually, Novell released version 4.0 of NetWare. NetWare version 4 introduced a technology called the Directory Service. The idea was that users should not have a separate account for each server. Instead, a single user account could be used to authenticate users regardless of how many servers there were on the network.&lt;/p&gt; &lt;p class="NoSpacing"&gt;The interesting thing about this little history lesson is that although domains are unique to Microsoft networks (Novell networks do not use domains), domains work on the same basic principle. In fact, when Windows 2000 was released, Microsoft included a feature which is still in use today called the Active Directory. The Active Directory is very similar to the directory service that Novell networks use. &lt;/p&gt; &lt;p class="NoSpacing"&gt;So what does all of this have to do with domains? Well, on Windows servers running Windows 2000 Server, Windows Server 2003, or the forthcoming Longhorn Server, it is the domain controller’s job to run the Active Directory service. The Active Directory acts as a repository for directory objects. Among these objects are user accounts. As such, one of a domain controller’s primary jobs is to provide authentication services.&lt;/p&gt; &lt;p class="NoSpacing"&gt;One very important concept to keep in mind is that domain controllers provide authentication, not authorization. What this means is that when a user logs on to a network, a domain controller validates the user’s username and password and essentially confirms that the user is who they claim to be. 
The domain controller does not however tell the user what resources they have rights to.&lt;/p&gt; &lt;p class="NoSpacing"&gt;Resources on Windows networks are secured by access control lists (ACLs). An ACL is basically just a list that tells who has rights to what. When a user attempts to access a resource, they present their identity to the server containing the resource. That server makes sure that the user’s identity has been authenticated and then cross references the user’s identity with an ACL to see what it is that the user has rights to.&lt;/p&gt;&lt;br /&gt;&lt;h1 class="ww-important"&gt;&lt;span&gt;Windows Domain&lt;/span&gt;&lt;/h1&gt;I introduced you to the concept of domains and domain controllers. In this article, I want to continue the discussion by talking about the anatomy of a Windows domain. &lt;p class="NoSpacing"&gt;As I explained in this article series, domains are not something new. Microsoft originally introduced them in Windows NT Server. Originally, domains were completely self contained. A single domain often housed all of the user accounts for an entire company, and the domain’s administrator had complete control over the domain and anything in it. &lt;/p&gt; &lt;p class="NoSpacing"&gt;Occasionally though, having a single domain just wasn’t practical. For example, if a company had offices in several different cities, then each office might have its own domain. Another common scenario is when one company buys another company. In such situations, it is not at all uncommon for both companies to already have domains.&lt;/p&gt; &lt;p class="NoSpacing"&gt;In situations like these, it is sometimes necessary for users from one domain to access resources located in another domain. Microsoft created trusts as a way of facilitating such access. The best way that I can think of to describe trusts is to compare them to the way that security works at an airport. 
&lt;/p&gt; &lt;p class="NoSpacing"&gt;In the United States, passengers are required to show their driver’s license to airport security staff before boarding a domestic flight. Suppose for a moment that I were going to fly somewhere. The security staff at the airport does not know who I am, and they certainly don’t trust me. They do however trust the state of South Carolina. They assume that the state of South Carolina has exercised due diligence in verifying my identity before issuing me a driver’s license. Therefore, I can show them a South Carolina driver’s license and they will let me on the plane, even though they don’t necessarily trust me as an individual.&lt;/p&gt; &lt;p class="NoSpacing"&gt;Domain trusts work the same way. Suppose that I am a domain administrator and my domain contains resources that users in another domain need to access. If I am not an administrator in the foreign domain then I have no control over who is given user accounts in that domain. If I trust the administrator of that domain not to do anything stupid, then I can establish a trust so that my domain trusts members of the other domain. In a situation like this, my domain would be referred to as the trusting domain, and the foreign domain would be known as the trusted domain.&lt;/p&gt; &lt;p class="NoSpacing"&gt;In the previous article, I mentioned that domain controllers provide authentication, not authorization. This holds true even when trust relationships are involved. Simply choosing to trust a foreign domain does not give the users in that domain rights to access any of the resources in your domain. You must still assign permissions just as you would for users in your own domain.&lt;/p&gt; &lt;p class="NoSpacing"&gt;At the beginning of this article, I mentioned that in Windows NT a domain was a completely self contained environment, and that trusts were created as a way of allowing users in one domain to access resources in another domain. 
These concepts still hold partially true today, but the domain model changed dramatically when Microsoft created the Active Directory. As you may recall, the Active Directory was first introduced in Windows 2000, but is still in use today in Windows Server 2003 and the soon to be released Longhorn Server.&lt;/p&gt; &lt;p class="NoSpacing"&gt;One of the primary differences between Windows NT style domains and Active Directory domains is that domains are no longer completely isolated from each other. In Windows NT, there was really no organizational structure for domains. Each domain was completely independent of any other domain. In an Active Directory environment, the primary organizational structure is known as a forest. A forest can contain multiple domain trees.&lt;/p&gt; &lt;p class="NoSpacing"&gt;The best way that I can think of to compare a domain tree is to compare it to a family tree. A family tree consists of great grandparents, grandparents, parents, children, etc. Each member of a family tree has some relation to the members above and below them. A domain tree works in a similar manner, and you can tell a domain’s position within a tree just by looking at its name.&lt;/p&gt; &lt;p class="NoSpacing"&gt;Active Directory domains use DNS style names, similar to the names used by Web sites. In Part 3 of this article series, I explained how DNS servers resolve URLs for Web browsers. The same technique is used internally in an Active Directory environment. Think about it for a moment. DNS stands for Domain Name Server. In fact, a DNS server is a required component for any Active Directory deployment.&lt;/p&gt; &lt;p class="NoSpacing"&gt;To see how domain naming works, let’s take a look at how my own network is set up. My network’s primary domain is named production.com. I don’t actually own the production.com Internet domain name, but it doesn’t matter because this domain is private and is only accessible from inside my network. 
&lt;/p&gt; &lt;p class="NoSpacing"&gt;The production.com domain is considered to be a top level domain. If this were an Internet domain, it would not be a top level domain, because .com would be a top level domain and production.com would be a child domain of the .com domain. In spite of this minor difference, the same basic principle holds true. I could easily create a child domain by creating another domain name that encompasses production.com. For example, sales.production.com would be considered to be a child domain of the production.com domain. You can even create grandchild domains. An example of a grandchild domain of production.com would be widgets.sales.production.com. As you can see, you can easily tell a domain’s position within a domain tree just by looking at the number of periods in the domain’s name.&lt;/p&gt; &lt;p class="NoSpacing"&gt;Earlier I mentioned that an Active Directory forest can contain domain trees. You are not limited to creating a single domain tree. In fact, my own network uses two domain trees: production.com and test.com. The test.com domain contains all of the servers that I monkey around with while experimenting with the various techniques that I write articles about. The production.com domain contains the servers that I actually use to run my business. This domain contains my mail server and some file servers.&lt;/p&gt; &lt;p class="NoSpacing"&gt;The point is that having the ability to create multiple domain trees allows you to segregate your network in a way that makes the most sense from a management perspective. For example, suppose that a company has offices in five different cities. The company could easily create an Active Directory forest that contains five different domain trees, one for each city. 
There would most likely be a different administrator in each city, and that administrator would be free to create child domains off of their domain tree on an as needed basis.&lt;/p&gt; &lt;p class="NoSpacing"&gt;The beauty of this type of structure is that all of these domains fall within a common forest. This means that while administrative control over individual domains or domain trees might be delegated to an administrator in another city, the forest administrator ultimately maintains control over all of the domains in the forest. Furthermore, trust relationships are greatly simplified because every domain in the forest automatically trusts every other domain in the forest. It is still possible to establish trusts with external forests or domains.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/8944657980005705910/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=8944657980005705910' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/8944657980005705910'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/8944657980005705910'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2007/12/networking-basics-part-2.html' title='Networking Basics: Part 2'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' 
src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-1006167586269180309</id><published>2007-12-13T10:07:00.000-08:00</published><updated>2007-12-13T10:37:08.715-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Tutorial'/><title type='text'>Networking Basics: Part 3</title><content type='html'>&lt;h1 style="font-family: verdana; text-align: justify;" class="ww-important"&gt;&lt;span&gt;Introduction to FSMO Roles&lt;/span&gt;&lt;/h1&gt;&lt;div style="font-family: verdana; text-align: justify;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;So far in this article series, I have explained that the Active Directory consists of a forest filled with domain trees, and that the names of each domain indicate its position within the forest. Given the hierarchical nature of the Active Directory, it might be easy to assume that domains near the top of the hierarchy (or rather the domain controllers within those domains) are the most important. This isn't necessarily the case though. In this article, I will discuss the roles that individual domain controllers play within the Active Directory forest.&lt;/p&gt;&lt;div style="font-family: verdana; text-align: justify;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;Earlier in this series, I talked about how domains in Windows NT were all encompassing. Like Active Directory domains, Windows NT domains supported the use of multiple domain controllers. Remember that domain controllers are responsible for authenticating user logons. Therefore, if a domain controller is not available then no one will be able to log on to the network. 
Microsoft realized this early on and designed Windows to allow multiple domain controllers so that if a domain controller failed, another domain controller would be available to authenticate logons. Having multiple domain controllers also allows the domain related work load to be shared by multiple computers rather than the full burden falling on a single server.&lt;/p&gt;&lt;div style="font-family: verdana; text-align: justify;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;Although Windows NT supported multiple domain controllers within a domain, one of these domain controllers was considered to be more important than the others. This was known as the Primary Domain Controller or PDC. As you may recall, a domain controller contains a database of all of the user accounts within the domain (among other things). This database was called the Security Accounts Manager, or SAM database.&lt;/p&gt;&lt;div style="font-family: verdana; text-align: justify;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;In Windows NT, the PDC stored the master copy of the database. Other domain controllers within a Windows NT domain were known as Backup Domain Controllers or BDCs. Any time that a change needed to be made to the domain controller’s database, the change would be written to the PDC. The PDC would then replicate the change out to all of the BDCs in the domain. Under normal circumstances, the PDC was the only domain controller in a Windows NT domain to which domain related updates could be applied. If the PDC were to fail, there was a way to promote a BDC to PDC, thus enabling that domain controller to act as the domain’s one and only PDC.&lt;/p&gt;&lt;div style="font-family: verdana; text-align: justify;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;Active Directory domains do things a little bit differently. 
The Active Directory uses a multimaster replication model. What this means is that every domain controller within a domain is writable. There is no longer the concept of PDCs and BDCs. If an administrator needs to make a change to the Active Directory database, the change can be applied to any domain controller in the domain, and then replicated to the remaining domain controllers. &lt;/p&gt;&lt;div style="font-family: verdana; text-align: justify;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;Although the multimaster replication model probably sounds like a good idea, it opens the door for contradictory changes. For example, what happens if two different administrators apply contradictory changes to two different domain controllers at the same time?&lt;/p&gt;&lt;div style="font-family: verdana; text-align: justify;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;In most cases, the Active Directory assumes that the most recent change takes precedence. In some situations, the consequences of a conflict are too serious to rely on this type of conflict resolution. In these cases, Microsoft takes the standpoint that it is better to prevent a conflict from occurring in the first place than to try to resolve the conflict after it happens. &lt;/p&gt;&lt;div style="font-family: verdana; text-align: justify;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;To handle these types of situations, Windows is designed to designate certain domain controllers to perform Flexible Single Master Operation (FSMO) roles. Essentially this means that Active Directory domains fully support multimaster replication except in certain circumstances in which the domain reverts to using a single master replication model. 
There are three different FSMO roles that are assigned at the domain level, and two additional roles that are assigned at the forest level.&lt;/p&gt;&lt;div style="font-family: verdana; text-align: justify;"&gt; &lt;/div&gt;&lt;h2 style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;Where are the FSMO Roles Located?&lt;/h2&gt;&lt;div style="font-family: verdana; text-align: justify;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;For the most part, the FSMO roles pretty much take care of themselves. It is important however for you to know which domain controllers host these roles. By default, the first domain controller in the forest hosts all five roles. As additional domains are created, the first domain controller brought online in each domain holds all three of the domain level FSMO roles.&lt;/p&gt;&lt;div style="font-family: verdana; text-align: justify;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;The reason why it is so important to know which domain controllers hold these roles is because hardware eventually gets old and is decommissioned. I once saw a situation in which a network administrator was preparing to deploy an Active Directory network for his company. While waiting for the newly ordered servers to arrive, the administrator installed Windows onto a junk PC so that he could begin playing around with the various Active Directory management tools.&lt;/p&gt;&lt;div style="font-family: verdana; text-align: justify;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;When the new servers finally arrived, the administrator configured them as domain controllers in the already created domain rather than creating a new forest. Of course this meant that the junk PC was holding the FSMO roles for the domain in the forest. 
Everything worked fine until the administrator decided to remove the “junk” PC from the network. Had he properly decommissioned this server, there would not have been a problem. Being inexperienced though, he simply reformatted the machine’s hard drive. All of a sudden the Active Directory began to experience numerous problems. If this administrator had realized that the machine that he had removed from the domain was hosting the domain and forest’s FSMO roles, the problems could have been avoided. Incidentally, in a situation like this there is a way of seizing the FSMO roles from the deceased server so that your network can resume normal operations.&lt;/p&gt;&lt;div style="font-family: verdana; text-align: justify;"&gt; &lt;/div&gt;&lt;h2 style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;What are the FSMO Roles?&lt;/h2&gt;&lt;div style="font-family: verdana; text-align: justify;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;I will talk more about the specific functions of the FSMO roles in the next article in this series. I do however want to quickly mention what these roles are. As you may recall, I mentioned that there are three domain specific roles, and two forest specific roles.&lt;/p&gt;&lt;div style="font-family: verdana; text-align: justify;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;The domain specific roles include the Relative identifier, the Primary Domain Controller Emulator, and the Infrastructure Master. Forest level roles include the Schema Master and the Domain Naming master. 
Below is a brief description of what these roles do:&lt;/p&gt;&lt;div style="font-family: verdana; text-align: justify;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;&lt;strong&gt;Schema Master:&lt;/strong&gt; maintains the authoritative copy of the Active Directory database schema.&lt;/p&gt;&lt;div style="font-family: verdana; text-align: justify;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;&lt;strong&gt;Domain Naming Master:&lt;/strong&gt; maintains the list of domains within the forest.&lt;/p&gt;&lt;div style="font-family: verdana; text-align: justify;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;&lt;strong&gt;Relative Identifier Master:&lt;/strong&gt; responsible for ensuring that every Active Directory object at a domain receives a unique security identifier.&lt;/p&gt;&lt;div style="font-family: verdana; text-align: justify;"&gt; &lt;/div&gt;&lt;p style="font-family: verdana; text-align: justify;" class="NoSpacing"&gt;&lt;strong&gt;Primary Domain Controller Emulator:&lt;/strong&gt; acts as the Primary Domain Controller in domains containing domain controllers running Windows NT.&lt;/p&gt;&lt;div style="font-family: verdana; text-align: justify;"&gt; &lt;strong&gt;Infrastructure Master:&lt;/strong&gt; the Infrastructure Master is responsible for updating an object’s security identifier and distinguished name in a cross domain object reference&lt;br /&gt;&lt;br /&gt;&lt;h2 class="NoSpacing"&gt;The Importance of FSMO Roles&lt;/h2&gt; &lt;p class="NoSpacing"&gt;In the previous part of this article series, I explained that Active Directory domains use multi master replication except in certain situations in which it is critically important to avoid a conflict. 
In those situations, Windows reverts to a single master replication model in which a single domain controller acts as the sole authority for the change in question. These domain controllers are said to hold Flexible Single Operations Master (FSMO) roles. &lt;/p&gt; &lt;p class="NoSpacing"&gt;As I explained in &lt;a href="http://www.windowsnetworking.com/articles_tutorials/Networking-Basics-Part7.html"&gt;Part 7&lt;/a&gt; of this article series, there are five different FSMO roles. Two of these roles exist at the forest level, and three of the roles exist at the domain level. The Forest level roles include the Schema Master and the Domain Naming master, while the domain level FSMO roles include the Relative Identifier Master, Primary Domain Controller (PDC) Emulator, and Infrastructure Master.&lt;/p&gt; &lt;p class="NoSpacing"&gt;I actually debated as to whether or not to discuss FSMO roles so early in this article series. Ultimately I decided to go ahead because FSMO roles are so important to supporting Active Directory functionality. &lt;/p&gt; &lt;p class="NoSpacing"&gt;As I’m sure you probably know, in order to be able to function, the Active Directory requires that the DNS services are accessible and that the domain have at least one domain controller. When an Active Directory based network is initially created, the first domain controller to be brought online is almost always configured to act as the network’s DNS server. This same domain controller is also assigned all five of the FSMO roles. If other domains are created within the forest, then the first domain controller within each domain will host the FSMO roles for that domain. The forest level FSMO roles are only hosted on a single domain controller regardless of the number of domains in the forest.&lt;/p&gt; &lt;p class="NoSpacing"&gt;I tell you this because I want to talk about what will happen if a domain controller that is hosting the FSMO roles fails. 
If the domain controller that contains the forest level FSMO roles fails, you are definitely going to notice the problem. It isn’t that the FSMO roles themselves are all that critical to the network’s operation, but rather that the domain controller that hosts the forest level FSMO roles is usually also hosting the DNS services, which are considered critical to Active Directory. If the DNS services were hosted on a separate server and the domains within the forest each had more than one domain controller, you probably wouldn’t even notice the failure for a while (unless you had monitoring software to alert you to the failure). &lt;/p&gt; &lt;p class="NoSpacing"&gt;Usually, there are no immediate consequences to an FSMO role failure, but some rather strange symptoms will develop later on if the problem is not corrected. That being the case, it is important to know the signs of an FSMO role failure. It is also important for you to know how to determine which server is hosting each FSMO role. That way, if symptoms matching that of an FSMO failure occur, you can check to see which server is hosting the role that may have failed, and can then begin the troubleshooting process on that server.&lt;/p&gt; &lt;h2 class="NoSpacing"&gt;The Schema Master&lt;/h2&gt; &lt;p class="NoSpacing"&gt;The Active Directory is really nothing more than a database, and like any other database, the Active Directory contains a schema. Unlike many other databases, the Active Directory’s schema is not static. There are any number of operations that require extending the schema. For example, installing Exchange Server requires the Active Directory schema to be extended. Any time that changes are made to the Active Directory schema, those changes are applied to the Schema Master.&lt;/p&gt; &lt;p class="NoSpacing"&gt;The Schema Master is by far the most critical of the FSMO roles, so Microsoft hides it from view. 
If you need to find out which server is hosting the Schema Master role, then insert your Windows Server 2003 installation CD, and double click on the ADMINPAK.MSI file that’s found in the CD’s I386 directory. When you do, Windows will launch the Administration Tools Pack Setup Wizard. Follow the wizard’s prompts to install the Administration Tools pack.&lt;/p&gt; &lt;p class="NoSpacing"&gt;When the installation process completes, close the Setup wizard and open the Microsoft Management Console by entering the MMC command at the Run prompt. When the console opens, select the Add / Remove Snap-In command from the File menu. When you do, Windows will display the Add / Remove Snap-in properties sheet. Click the Add button found on the properties sheet’s Standalone tab to reveal a list of available snap-ins. Select the Active Directory Schema snap-in from the list and click the Add button, followed by the Close and OK buttons. &lt;/p&gt; &lt;p class="NoSpacing"&gt;Now that the snap-in has been loaded, right click on the Active Directory Schema container and select the Operations Master command from the resulting shortcut menu. You will now see a dialog box that tells you which server is acting as the forest’s Schema Master.&lt;/p&gt; &lt;h2 class="NoSpacing"&gt;The Domain Naming Master&lt;/h2&gt; &lt;p class="NoSpacing"&gt;As I have already explained, an Active Directory forest can contain multiple domains. It’s the Domain Naming Master’s job to keep track of these domains. If the Domain Naming Master were to fail, then it would be impossible to create or remove domains until the Domain Naming Master comes back online.&lt;/p&gt; &lt;p class="NoSpacing"&gt;To determine which server is acting as the Domain naming Master for the forest, open the Active Directory Domains and Trusts console. When the console opens, right click on the Active Directory Domains and Trusts container and select the Operations Masters command from the resulting shortcut menu. 
When you do, Windows will display the Domain Naming master.&lt;/p&gt; &lt;h2 class="NoSpacing"&gt;The Relative Identifier&lt;/h2&gt; &lt;p class="NoSpacing"&gt;As you know, the Active Directory allows administrators to create Active Directory objects on any domain controller. The catch is that each object must have a unique relative identifier number. To prevent relative identifier numbers from being duplicated, the Relative Identifier Master allocates a pool of relative identifiers to each domain controller. When a new object is created within a domain, the domain controller that the object is being created on takes one of its relative identifiers out of its pool and assigns it to the object. When the pool is exhausted, the domain controller must contact the Relative Identifier Master for additional relative identifiers. As such, the eventual symptom of a Relative Identifier Master failure is the inability to create objects in the Active Directory.&lt;/p&gt; &lt;p class="NoSpacing"&gt;To determine which server is acting as the Relative Identifier for a domain, open the Active Directory Users and Computers console. When the console opens, right click on the listing for the current domain and select the Operations Masters command from the resulting shortcut menu. When you do, Windows will display the Operations Masters properties sheet. You can determine which domain controller is acting as the Relative Identifier by looking at the properties sheet’s RID tab.&lt;/p&gt; &lt;h2 class="NoSpacing"&gt;The Primary Domain Controller Emulator&lt;/h2&gt; &lt;p class="NoSpacing"&gt;Throughout this article series, I have talked about the role that the Primary Domain Controller (PDC) plays in Windows NT environments. The PDC emulator role was created to allow Active Directory domain controllers to co-exist with Windows NT domain controllers. 
The basic idea was that when an organization is being upgraded from Windows NT to Windows 2000 or to Windows Server 2003, the PDC is the first domain controller to be upgraded. At that point, the newly upgraded domain controller functions both as an Active Directory domain controller and as a PDC to the domain controllers that are still running Windows NT.&lt;/p&gt; &lt;p class="NoSpacing"&gt;Today the PDC emulator role is largely irrelevant because very few organizations still use Windows NT Server. If you need to determine which server in your domain is hosting the PDC Emulator role though, you can do so by opening the Active Directory Users and Computers console. When the console opens, right click on the listing for the current domain and select the Operations Masters command from the resulting shortcut menu. When you do, Windows will display the Operations Masters properties sheet. You can determine which domain controller is acting as the PDC Emulator by looking at the properties sheet’s PDC tab.&lt;/p&gt; &lt;h2 class="NoSpacing"&gt;The Infrastructure Master&lt;/h2&gt; &lt;p class="NoSpacing"&gt;In an Active Directory environment, a forest can contain multiple domains. Of course the implication of this is that Active Directory domains are not completely independent entities. They must occasionally communicate with the rest of the forest. This is where the Infrastructure Master comes into play. When you create, modify, or delete an object within a domain, the change will naturally be propagated throughout the domain. The problem is that the rest of the forest is not aware of the change. It’s the Infrastructure Master’s job to make the rest of the forest aware of the change.&lt;/p&gt; &lt;p class="NoSpacing"&gt;If an Infrastructure Master server fails then changes to objects will not be visible across domain boundaries. 
For example, if you were to rename a user account, the user account would still appear to have its old name when viewed from other domains in the forest.&lt;/p&gt; &lt;p class="NoSpacing"&gt;To determine which server is acting as the Infrastructure Master for a domain, open the Active Directory Users and Computers console. When the console opens, right click on the listing for the current domain and select the Operations Masters command from the resulting shortcut menu. When you do, Windows will display the Operations Masters properties sheet. You can determine which domain controller is acting as the Infrastructure Master by looking at the properties sheet’s Infrastructure tab.&lt;/p&gt;&lt;p class="NoSpacing"&gt;&lt;br /&gt;&lt;/p&gt;&lt;h1 class="ww-important"&gt;&lt;span&gt;Active Directory Information&lt;/span&gt;&lt;/h1&gt;&lt;br /&gt;&lt;p class="NoSpacing"&gt;In the last few parts of this article series, I talked a lot about what the Active Directory is, and how it works in regards to your network's domain controllers. You already know from the previous articles in this series that the Active Directory is essentially a database containing various objects such as user accounts and computer accounts. In this article, I want to continue the discussion by showing you how the Active Directory is structured.&lt;/p&gt; &lt;p&gt;If you have ever used Microsoft Access or SQL Server, then you are probably used to being able to open the database and view it in its entirety. However, none of the primary administrative tools used for managing the Active Directory will allow you to see the entire Active Directory database. Instead, Microsoft provides you with a variety of management tools that each focus on a specific area of the database. 
As a new administrator, the administrative tool that you will probably use the most often is the Active Directory Users and Computers console.&lt;/p&gt; &lt;p&gt;You can access the Active Directory Users and Computers console from any Windows Server 2003 domain controller by selecting the Active Directory Users and Computers command from the server’s Start / All Programs / Administrative Tools menu. The console itself looks something like what you see in Figure A.&lt;/p&gt; &lt;p&gt;&lt;img alt="" src="http://www.windowsnetworking.com/img/upl/image0011184149730163.jpg" align="bottom" border="0" hspace="0" /&gt;&lt;br /&gt;&lt;strong&gt;Figure A: &lt;/strong&gt;The Active Directory Users and Computers console is the primary administrative tool for managing Active Directory objects.&lt;/p&gt; &lt;p&gt;I will later discuss the process of creating or editing Active Directory objects. Meanwhile, I wanted to go ahead and show you this console because it reveals a little bit of the structure of the Active Directory. If you look at Figure A, you will notice that there are a number of containers, each of which corresponds to a specific object type. Every object in the entire Active Directory is assigned an object type (known as an object class). Each object also has a number of attributes associated with it. The specific attributes vary depending on the object type.&lt;/p&gt; &lt;p&gt;For example, the Users container is filled with user accounts, which are all classified as user objects as shown in Figure B. 
If you were to right click on one of these user objects and choose the Properties command from the resulting shortcut menu, you would see the user object’s properties sheet, as shown in Figure C.&lt;/p&gt; &lt;p&gt;&lt;img alt="" src="http://www.windowsnetworking.com/img/upl/image0031184150075881.jpg" align="bottom" border="0" hspace="0" /&gt;&lt;br /&gt;&lt;strong&gt;Figure B: &lt;/strong&gt;The Users container is filled with user accounts, which are all classified as user objects.&lt;/p&gt; &lt;p&gt;&lt;img alt="" src="http://www.windowsnetworking.com/img/upl/image0051184150075897.jpg" align="bottom" border="0" hspace="0" /&gt;&lt;br /&gt;&lt;strong&gt;Figure C:&lt;/strong&gt; When you right click on a user object and select the Properties command from the resulting shortcut menu, you will see the user’s properties sheet.&lt;/p&gt; &lt;p class="NoSpacing"&gt;If you look at Figure C, you will see that there are fields for various pieces of information such as first name, last name, telephone number, etc. Each of these fields corresponds to a specific attribute of the individual object. Although the majority of the fields shown in the figure are not populated, in a real life situation these fields could be used to create a corporate directory. In fact, many applications are designed to extract information directly from the Active Directory. For example, Microsoft Exchange Server (Microsoft’s e-mail server product) creates a global address list that is based on the contents of the Active Directory. This global address list is used when sending e-mail messages to other users in the company.&lt;/p&gt; &lt;p class="NoSpacing"&gt;If you look at Figure D, you can see a screen in which I performed a search on the name Hershey (my cat’s name in case you are wondering), and Outlook returned all of the Global Address List entries that contain the name Hershey. Not surprisingly there is only one result. 
If you look at the results portion of the window though, you can see where Outlook would display the user’s title, business phone number, and location had these fields been populated. All of this information was extracted from the Active Directory. &lt;/p&gt; &lt;p class="NoSpacing"&gt;&lt;img alt="" src="http://www.windowsnetworking.com/img/upl/image0061184150133881.jpg" align="bottom" border="0" hspace="0" /&gt;&lt;br /&gt;&lt;strong&gt;Figure D&lt;/strong&gt; &lt;/p&gt; &lt;p class="NoSpacing"&gt;If you wanted to see even more information about the user, you could right click on the user’s name and choose the Properties command from the resulting menu. Doing so would display the screen shown in Figure E. Keep in mind that this is not an administrative screen. This is a screen that any user in the company can access directly through Outlook 2007 in order to find information about other employees.&lt;/p&gt; &lt;p class="NoSpacing"&gt;&lt;img alt="" src="http://www.windowsnetworking.com/img/upl/image0071184150133881.jpg" align="bottom" border="0" hspace="0" /&gt;&lt;br /&gt;&lt;strong&gt;Figure E: &lt;/strong&gt;You can view Active Directory information directly through Microsoft Outlook.&lt;/p&gt; &lt;p class="NoSpacing"&gt;It is easy to dismiss the significance of what I just showed you. After all, Outlook is a Microsoft product, so it only makes sense that Outlook would be able to extract information from the Active Directory which is a part of another Microsoft product.&lt;/p&gt; &lt;p class="NoSpacing"&gt;What a lot of people do not realize though, is that it is fairly easy for anyone with the appropriate permissions to extract information from the Active Directory.  In fact, there are countless third party products that are designed to interact with the Active Directory. 
Some are even capable of storing data in dedicated Active Directory partitions.&lt;/p&gt; &lt;p class="NoSpacing"&gt;The reason why it is possible for you or for third party software vendors to interact with the Active Directory is that the Active Directory is based on a well known standard called X.500. The X.500 standard is basically just a common way of implementing a directory service. Microsoft is not the only company to create a directory service based on this standard. Novell originally created the NetWare Directory Service based on this standard.&lt;/p&gt; &lt;p class="NoSpacing"&gt;There is also a standard way of accessing directory service information. In an Active Directory environment, accessing directory information involves using the Lightweight Directory Access Protocol, otherwise known as LDAP. The LDAP protocol runs on top of the TCP/IP protocol.&lt;/p&gt; &lt;p class="NoSpacing"&gt;The first thing that you need to know about the LDAP protocol is that whoever named it must have been on crack, because there is nothing lightweight about it (although it is more lightweight than the original directory access protocol, which was not designed to take advantage of the TCP/IP protocol stack). Entire books have been written on LDAP, and an in depth discussion is not really appropriate at this point in the article series.&lt;/p&gt; &lt;p class="NoSpacing"&gt;What I will tell you is that every object in the Active Directory is referred to by a distinguished name (often abbreviated as DN). The distinguished name is based on the object’s position within the directory hierarchy. There are many different components that can go into a distinguished name, but some of the more common ones are a common name (abbreviated as CN) and a domain name (abbreviated as DC). For example, suppose that the Contoso.com domain contained an account named User1, and the account was located in the Users container. 
In such a situation, the distinguished name for the user account would be:&lt;/p&gt; &lt;p class="NoSpacing"&gt;CN=User1, CN=Users, DC=Contoso, DC=com&lt;/p&gt;&lt;br /&gt;&lt;h1 class="ww-important"&gt;&lt;span&gt;Distinguished Names&lt;/span&gt;&lt;/h1&gt;In the previous part of this article series, I explained that the LDAP protocol references objects in the Active Directory by their distinguished name, and that every object in the directory has its own unique distinguished name. In this article, I want to continue the discussion by explaining how distinguished names work. &lt;h2 class="NoSpacing"&gt;Before I Begin&lt;/h2&gt; &lt;p class="NoSpacing"&gt;Before I get started, I just want to remind you that distinguished names are not unique to the Active Directory. Microsoft built the Active Directory to take advantage of industry standards which are used by other companies such as Novell and IBM. By learning how distinguished names work, you will not only be better prepared to manage an Active Directory environment, you will also have some degree of familiarity if you are ever asked to work with a non Microsoft network operating system.&lt;/p&gt; &lt;h2 class="NoSpacing"&gt;Basic Naming Rules&lt;/h2&gt; &lt;p class="NoSpacing"&gt;Distinguished names are made up of attributes, which are assigned values. A single distinguished name almost always contains multiple attribute value pairs. To see what I am talking about, let’s look at a simple distinguished name:&lt;/p&gt; &lt;p class="NoSpacing"&gt;&lt;em&gt;CN=User1, CN=Users, DC=Contoso, DC=com&lt;/em&gt;&lt;/p&gt; &lt;p class="NoSpacing"&gt;In this particular example, the distinguished name is made up of four different attribute / value pairs, each of which is separated from the next by a comma. The first attribute / value pair is CN=User1. In this attribute / value pair, CN (which stands for Common Name) is the attribute and User1 is the value. 
Attributes and values are always separated by the equals sign, and attribute / value pairs are always separated from each other by commas.&lt;/p&gt; &lt;h2 class="NoSpacing"&gt;Relative Distinguished Names&lt;/h2&gt; &lt;p class="NoSpacing"&gt;When you look at a distinguished name such as CN=User1, CN=Users, DC=Contoso, DC=com, one thing probably becomes immediately apparent; distinguished names can be really long. If you take a closer look at this distinguished name, you will notice that it is hierarchical. In this particular case, DC=com represents the highest level of the hierarchy. DC=Contoso represents the second level of the hierarchy. You can tell that COM and Contoso are both domains because both use the DC attribute. The domain hierarchy mimics the domain hierarchy used by DNS servers (you learned about the DNS hierarchy earlier in this series).&lt;/p&gt; &lt;p class="NoSpacing"&gt;It is important to understand how the distinguished name hierarchy works for two reasons. First, by understanding the naming hierarchy, it becomes possible to know exactly where a particular object is located within the directory. The other reason why it is important to understand the nature of the directory hierarchy is because sometimes shortcuts are used in lieu of a full distinguished name.&lt;/p&gt; &lt;p class="NoSpacing"&gt;To see what I am talking about, let’s take another look at our example distinguished name: CN=User1, CN=Users, DC=Contoso, DC=com. This distinguished name simply refers to a user account (more precisely known as a user object) named User1. The rest of the information in the distinguished name simply tells us the object’s position within the directory hierarchy.&lt;/p&gt; &lt;p class="NoSpacing"&gt;If you were trying to tell another person about this object, you would probably casually refer to it as User1. Sometimes LDAP does the same thing. 
This is possible because it isn’t necessary to provide information about an object’s location in the hierarchy if the location is already known.&lt;/p&gt; &lt;p class="NoSpacing"&gt;For example, if we are performing some operation on user objects located in the Users container in the Contoso.com domain, is it really necessary to explicitly state that every single object is located in the Contoso.com domain’s Users container?&lt;/p&gt; &lt;p class="NoSpacing"&gt;In situations like this, the distinguished name is often replaced by a Relative Distinguished Name (abbreviated RDN). In the case of CN=User1, CN=Users, DC=Contoso, DC=com, the RDN is CN=User1. The RDN is always made up of the most specific identifier. This will be the left most attribute / value pair in the distinguished name. The remaining portion of the distinguished name is known as the parent distinguished name. In this particular case, the parent distinguished name would be CN=Users, DC=Contoso, DC=com.&lt;/p&gt; &lt;p class="NoSpacing"&gt;Before I move on, I want to mention that Microsoft tends to use a slightly different distinguished name format than some other network operating system manufacturers. As you have already seen, Microsoft’s distinguished names tend to be based on containers and domains. There is certainly nothing wrong with this format, because it does comply with &lt;a href="http://www.faqs.org/rfcs/rfc2253.html" target="_blank"&gt;RFC 2253&lt;/a&gt;, which sets the rules for distinguished names.&lt;/p&gt; &lt;p class="NoSpacing"&gt;Some of the other network operating systems tend to base their distinguished name hierarchies on companies and countries rather than containers and domains. In these types of distinguished names, the attribute O is used to designate an organization (company) name, and the letter C is used to designate a country name. 
Using this naming convention, the distinguished name CN=User1, CN=Users, DC=Contoso, DC=com would look something like this:&lt;/p&gt; &lt;p class="NoSpacing"&gt;&lt;em&gt;CN=User1, O=Contoso, C=US&lt;/em&gt;&lt;/p&gt; &lt;p class="NoSpacing"&gt;Keep in mind that the two formats both comply with RFC 2253, but they cannot be used interchangeably. Remember that a distinguished name’s job is to describe an object and its position within the directory. The reason for the two different distinguished name formats is that Microsoft structures their directory differently than some of their competitors.&lt;/p&gt; &lt;h2 class="NoSpacing"&gt;Special Characters in Distinguished Names&lt;/h2&gt; &lt;p class="NoSpacing"&gt;So far you have seen that commas and equal signs have special meaning in the context of a distinguished name. There are several other characters that also have special meanings. These characters include the plus sign, the greater than and less than signs, the number sign, the back slash, and the quotation mark. I’m not going to bother covering most of these because you will rarely, if ever, have to use them in real life.&lt;/p&gt; &lt;p class="NoSpacing"&gt;I do however want to talk about the back slash. The back slash allows you to tell an LDAP statement to ignore the following character. This allows you to store otherwise forbidden characters in your directory.&lt;/p&gt; &lt;p class="NoSpacing"&gt;To see how this is of use, consider that full names are often expressed as last name comma first name. Even so, LDAP does not allow you to use the statement CN=Smith, John because the comma is used by LDAP to separate attribute / value pairs. 
If you wanted to store the value Smith, John in the directory, you could do so by making use of the back slash, as shown below:&lt;/p&gt; &lt;p class="NoSpacing"&gt;&lt;em&gt;CN=Smith\, John&lt;/em&gt;&lt;/p&gt; &lt;p class="NoSpacing"&gt;In the statement above, the back slash tells LDAP to treat the comma as data rather than as a part of the command syntax. Another way to accomplish this is to surround the entire attribute value by quotation marks. Everything within the quotation marks is treated as data rather than as a part of the syntax.&lt;/p&gt; &lt;p class="NoSpacing"&gt;There is a special rule regarding the use of the back slash within quotation marks. The back slash can only be used to force LDAP to ignore another back slash. To put it simply, if you needed to include a back slash as a part of the data, you would simply use two back slashes instead of one. Any other use of the back slash between quotation marks is considered to be illegal.&lt;/p&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-1006167586269180309?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/1006167586269180309/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=1006167586269180309' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/1006167586269180309'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/1006167586269180309'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2007/12/networking-basics-part-3.html' title='Networking Basics: Part 3'/><author><name>Ismoyo 
NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-5131844433292243278</id><published>2007-12-13T10:06:00.000-08:00</published><updated>2007-12-13T19:11:04.553-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Tutorial'/><category scheme='http://www.blogger.com/atom/ns#' term='Networking'/><title type='text'>Networking Basics: Part 4</title><content type='html'>&lt;span style="font-size:130%;"&gt;The Active Directory Users and Computers Console&lt;/span&gt;&lt;br /&gt;&lt;p&gt;Over the last several parts of this article series, I have talked a lot about the inner workings of the Active Directory. In this article, I want to switch gears and show you what all of this information has to do with running a network.&lt;/p&gt; &lt;p&gt;Windows Server 2003 comes with several different tools used for managing the Active Directory. The Active Directory management tool that you will use most often for day-to-day management tasks is the Active Directory Users and Computers console. As the name implies, this console is used to create, manage, and delete user and computer accounts.&lt;/p&gt; &lt;p&gt;You can access this console by clicking your server’s Start button and navigating through the Start menu to All Programs / Administrative Tools. The Active Directory Users and Computers option should be near the top of the Administrative Tools menu. 
Keep in mind that only domain controllers contain this option, so if you do not see the Active Directory Users and Computers command, make sure that you are logged into a domain controller.&lt;/p&gt; &lt;p&gt;Another thing that you might notice is that the Administrative Tools menu contains a couple of other Active Directory tools: Active Directory Domains and Trusts and Active Directory Sites and Services. I will be discussing these utilities in future articles.&lt;/p&gt; &lt;p&gt;When you open the Active Directory Users and Computers console, you will see a screen similar to the one that is shown in Figure A. As you might recall from previous articles in the series, the Active Directory is based on a forest, which contains one or more domains. Although the forest represents the entire Active Directory, the Active Directory Users and Computers console does not allow you to work with the Active Directory at the forest level. The Active Directory Users and Computers console is strictly a domain level tool. In fact, if you look at Figure A, you will notice that production.com is highlighted. Production.com is a domain on my network. 
All of the containers listed beneath the domain contain Active Directory objects that are specific to the domain.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_wjSazwqws3I/R2HsMybKluI/AAAAAAAAAEc/owDI_wnaUMk/s1600-h/image0021186499390163.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp0.blogger.com/_wjSazwqws3I/R2HsMybKluI/AAAAAAAAAEc/owDI_wnaUMk/s320/image0021186499390163.jpg" alt="" id="BLOGGER_PHOTO_ID_5143651953872115426" border="0" /&gt;&lt;/a&gt;&lt;strong&gt;Figure A: &lt;/strong&gt;The Active Directory Users and Computers console allows you to manage individual domains&lt;br /&gt;&lt;br /&gt;&lt;p&gt;You might have noticed that I said that production.com was one of the domains on my network, and yet none of my other domains are listed in Figure A. The Active Directory Users and Computers console only lists one domain at a time for the sake of keeping the console uncluttered. Remember when I said that the Active Directory Users and Computers console is only accessible from the Administrative Tools menu if you are logged into a domain controller? Well, the domain that is listed in the console corresponds to the domain controller that you are logged into. For example, in writing this article I logged in to one of the domain controllers for the production.com domain, so the Active Directory Users and Computers console connects to the production.com domain.&lt;/p&gt; &lt;p&gt;The problem with this is that domains are often geographically dispersed. For example, it is fairly common for large companies to have a different domain for each corporate office. If for instance you were in Miami, Florida and the company’s other domain represented an office in Las Vegas, Nevada it would not be practical to have to travel across the country every time you needed to manage the Las Vegas domain. 
Fortunately, you do not have to.&lt;/p&gt; &lt;p&gt;Although the Active Directory Users and Computers console defaults to displaying the domain that is associated with the domain controller that you are logged in to, you can use the console to display any domain that you have rights to. All you have to do is to right click on the domain that is being displayed and then select the Connect to Domain command from the resulting shortcut menu. Doing so displays a screen that allows you to either type in the name of the domain that you want to connect to, or to click a Browse button and browse for the domain.&lt;/p&gt; &lt;p&gt;Just as a domain might be located far away, you might also find it impractical to log directly in to a domain controller. For example, I have worked in several offices in which the domain controllers were located in a separate building, or so far across the facility that I was in that logging in to a domain controller was impractical for day to day maintenance.&lt;/p&gt; &lt;p&gt;The good news is that you do not have to be logged in to a domain controller to access the Active Directory Users and Computers console. You only have to be logged in to a domain controller to access the Active Directory Users and Computers console from the Administrative Tools menu. You can access the Active Directory Users and Computers console from a member server by manually loading it into the Microsoft Management Console.&lt;/p&gt; &lt;p&gt;To do so, enter the MMC command at the server’s Run prompt. When you do that, the server will open an empty Microsoft Management Console. Next, select the Add / Remove Snap-In command from the console’s File menu. Windows will now open the Add / Remove Snap-In properties sheet. Click the Add button found on the properties sheet’s Standalone tab and you will see a list of all of the available snap-ins. 
Select the Active Directory Users and Computers option from the list of snap-ins and click the Add button, followed by the Close and OK buttons. The console will now be loaded.&lt;/p&gt; &lt;p&gt;In some situations loading the console in this way may produce an error. If you receive an error and the console does not allow you to manage the domain then right click on the Active Directory Users and Computers container and select the Connect to Domain Controller command from the resulting shortcut menu. This will give you the chance to connect the console to a specific domain controller without actually having to log in to that domain controller. Doing so will allow you to manage the domain as if you were sitting at the domain controller’s console.&lt;/p&gt; &lt;p&gt;That technique works great if you have a server at your disposal, but what happens if your workstation is running Windows Vista, and all of the servers are on the other side of the building? &lt;/p&gt; &lt;p&gt;One of the easiest solutions to this problem is to establish an RDP session with one of your servers. RDP is the Remote Desktop Protocol. It allows you to remotely control servers in your organization. In a Windows Server 2003 environment, you can enable a remote session by right clicking on My Computer and selecting the Properties command from the resulting shortcut menu. Upon doing so, you will see the System Properties sheet. 
Now, go to the Remote tab and select the Enable Remote Desktop on this Computer check box, as shown in Figure B.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_wjSazwqws3I/R2HszSbKlvI/AAAAAAAAAEk/itjTP_ThdFE/s1600-h/image0031186499390225.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp2.blogger.com/_wjSazwqws3I/R2HszSbKlvI/AAAAAAAAAEk/itjTP_ThdFE/s400/image0031186499390225.jpg" alt="" id="BLOGGER_PHOTO_ID_5143652615297079026" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;strong&gt;Figure B: &lt;/strong&gt;You can configure a server to support Remote Desktop connections&lt;br /&gt;&lt;br /&gt;To connect to the server from Windows Vista, select the Remote Desktop Connection command from the All Programs / Accessories menu. When you do, you will see a screen similar to the one that is shown in Figure C. Now, just enter the name of your server and click the Connect button to establish a remote control session&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_wjSazwqws3I/R2HtQCbKlwI/AAAAAAAAAEs/qouzNUtGR88/s1600-h/image0051186499390225.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp1.blogger.com/_wjSazwqws3I/R2HtQCbKlwI/AAAAAAAAAEs/qouzNUtGR88/s400/image0051186499390225.jpg" alt="" id="BLOGGER_PHOTO_ID_5143653109218318082" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Figure C: &lt;/strong&gt;Windows Vista makes it easy to connect to a remote server.&lt;br /&gt;&lt;br /&gt;&lt;h1 class="ww-important"&gt;&lt;span&gt; User Account Management&lt;/span&gt;&lt;/h1&gt;&lt;h1 class="ww-important"&gt;&lt;span style="font-size:100%;"&gt;How to create a user account and some 
basic user account management techniques.&lt;/span&gt;&lt;/h1&gt;One of the most common uses for the Active Directory Users and Computers console is to create new user accounts. To do so, expand the container corresponding to the domain that you are attached to, and select the Users container. When you do, the console's details pane will display all of the user accounts that currently exist in the domain, as shown in Figure A.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_wjSazwqws3I/R2HuBibKlxI/AAAAAAAAAE0/RY2b36gAKYU/s1600-h/image0011188986203882.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 402px; height: 279px;" src="http://bp3.blogger.com/_wjSazwqws3I/R2HuBibKlxI/AAAAAAAAAE0/RY2b36gAKYU/s320/image0011188986203882.jpg" alt="" id="BLOGGER_PHOTO_ID_5143653959621842706" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Figure A: &lt;/strong&gt;Selecting the Users container causes the console to display all of the user accounts in the domain.&lt;br /&gt;&lt;br /&gt;Now, right click on the Users container and select the New command from the resulting shortcut menu. When you do, you will see a submenu that gives you the choice of many different types of objects that you can create. Technically, the Users container is just a container and you can put pretty much any type of object in it. It is generally considered bad practice though to store objects other than user objects in the Users container. That being the case, select the User command from the submenu. 
When you do, you will see the dialog box shown in Figure B&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_wjSazwqws3I/R2HusybKlyI/AAAAAAAAAE8/8B7HHcuL9ok/s1600-h/image0031188986222835.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp0.blogger.com/_wjSazwqws3I/R2HusybKlyI/AAAAAAAAAE8/8B7HHcuL9ok/s400/image0031188986222835.jpg" alt="" id="BLOGGER_PHOTO_ID_5143654702651184930" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Figure B: &lt;/strong&gt;The New Object – User dialog box allows you to create a new user account&lt;br /&gt;&lt;br /&gt;&lt;p&gt;As you can see in the figure, Windows initially only requires you to enter some very basic information about the user. Although this screen asks for things like first name and last name, these are not technically required. The only piece of information that is absolutely required is the User Logon Name. Although the other fields are optional, I recommend filling them in anyway. &lt;/p&gt; The reason why I recommend filling in as many fields as you can is because a user account is nothing more than an object that will reside within the Active Directory. Things like first name and last name are attributes of the user object that you are creating. The more attribute information that you fill in, the more useful the information stored in the Active Directory will be. After all, the Active Directory is a database that you can query for information. In fact, many applications work by extracting the various attributes from the Active Directory. 
When you have filled in the various fields, click the Next button, and you will be taken to the screen shown in Figure C.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_wjSazwqws3I/R2HvIybKlzI/AAAAAAAAAFE/tlV5Af2JGSY/s1600-h/image0041188986244101.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp0.blogger.com/_wjSazwqws3I/R2HvIybKlzI/AAAAAAAAAFE/tlV5Af2JGSY/s400/image0041188986244101.jpg" alt="" id="BLOGGER_PHOTO_ID_5143655183687522098" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Figure C: &lt;/strong&gt;You will be prompted to assign a password to the new user account.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;As you can see in the figure, assigning a password is fairly simple.  All you really have to do is type and retype the password.  By default, the user is required to change the password at the next logon.  You can prevent this behavior by clearing the User Must Change Password at Next Logon check box. There is another check box allowing you to prevent the user from changing their password at all. You also have the option of setting passwords to never expire, or disabling the account completely.&lt;/p&gt; &lt;p&gt;Although there is nothing overly complex about the password screen, there is one important thing to keep in mind.  When you assign a password to a new user account, the password must comply with your corporate security policy.  If the password that you use does not meet the requirements dictated by the applicable group policies, then the user account will not be created.&lt;/p&gt; &lt;p&gt;Click Next and you will see a screen displaying a summary of the options that you have chosen. 
Assuming that everything looks good, click Finish and the new user account will be created.&lt;/p&gt; &lt;h2&gt;Editing User Account Attributes&lt;/h2&gt; &lt;p&gt;Earlier, I discussed the importance of filling in the various attributes as you create a new user account.  You might have noticed that the screens involved in creating a new user account did not really have many attributes that you were able to fill in.  However, the Active Directory contains dozens of built in attributes related to user accounts.&lt;/p&gt; &lt;p&gt;I am not saying that you have to go through the console and populate dozens of attributes for every single user account.  There are some attributes that do come in handy.  I recommend populating attributes that are related to basic contact information.  In fact, some corporations create corporate directories that are based solely on information stored in these Active Directory attributes.  Even if you are not interested in building applications that extract information from your Active Directory, it is still a good idea to populate the Active Directory with user contact information.  For example, suppose that you need to reboot a server, and a user is still logged into an application that resides on the server.  If you have the user's contact information stored in the Active Directory, then you can simply look up the user's phone number, and call the user to ask them to log out.&lt;/p&gt; &lt;p&gt;Before I show you how to populate the various Active Directory attributes, I want to mention that the same technique can also be used for modifying existing attributes. For example, if a female employee were to get married, she might change her last name. You could use the techniques that I am about to show you to modify the contents of the Last Name attribute.&lt;/p&gt; &lt;p&gt;To access the various user account attributes, simply right click on the user account of choice and select the Properties command from the resulting shortcut menu.  
Upon doing so, Windows will display the screen shown in Figure D.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_wjSazwqws3I/R2HvnSbKl0I/AAAAAAAAAFM/w_gRLpmZUXQ/s1600-h/image0051188986267804.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp2.blogger.com/_wjSazwqws3I/R2HvnSbKl0I/AAAAAAAAAFM/w_gRLpmZUXQ/s400/image0051188986267804.jpg" alt="" id="BLOGGER_PHOTO_ID_5143655707673532226" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Figure D: &lt;/strong&gt;The user's properties sheet is used to store attribute and configuration information for the user account.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;As you can see in the figure, the properties sheet's General tab allows you to modify the user’s first name, last name, or display name. You can also fill in (or modify) a few other fields such as Description, Office, Telephone Number, E-mail, or Web Page. If you are interested in storing more detailed information about the user, then check out the Address, Telephones, and Organization tabs. These tabs all contain fields for storing much more detailed information about the user.&lt;/p&gt; &lt;h2&gt;Resetting a User’s Password&lt;/h2&gt; &lt;p&gt;You probably noticed in Figure D that there are a lot of different tabs on the user’s properties sheet. Most of these tabs are related to the security and configuration of the user account. One thing that most new administrators seem to notice right away when exploring these tabs is that there is no option on any of the tabs to reset the user’s password.&lt;/p&gt; &lt;p&gt;If you need to reset a user’s password, then close the user’s properties sheet. 
After doing so, right click on the user account and select the Reset Password command found on the resulting shortcut menu.&lt;/p&gt;&lt;h1 class="ww-important"&gt;&lt;span&gt;Creating Groups&lt;/span&gt;&lt;/h1&gt;  This article continues the Networking for Beginners series by introducing the concept of security groups.&lt;br /&gt;&lt;br /&gt;I showed you how to use the Active Directory Users and Computers console to create and manage user accounts. In this article, I want to continue the discussion by teaching you about groups. &lt;p&gt;In a domain environment, user accounts are essential. A user account gives a user a unique identity on the network. This means that it is possible to track the user’s online activity. It is also possible to give a user account a unique set of permissions, assign the user a unique e-mail address, and meet all of the user’s other individual needs.&lt;/p&gt; &lt;p&gt;Although custom tailoring a user account to meet a user’s individual needs sounds like a good idea, it isn’t really practical in a lot of cases. Setting up and managing user accounts is a time consuming task. It isn’t a big deal if you’ve only got a couple dozen users in your organization, but if your organization has thousands of users, then account management can quickly become an overwhelming burden.&lt;/p&gt; &lt;p&gt;My advice is that even if you manage a very small network, you should treat the small network as if it were a big network. The reason for this is that you never know when the network will grow. Using good management techniques from the very beginning will help you to avoid a logistical nightmare later on.&lt;/p&gt; &lt;p&gt;I have actually seen the consequences of unexpected, rapid growth in the real world. About fifteen years ago, I was hired as a network administrator for an insurance company. At the time, the network was very small. There were only a couple dozen workstations attached to the network. 
The woman who was in charge of the network had no prior IT experience and was thrown to the wolves, so to speak. Not having an IT background, and not knowing any better, she had configured the network so that all of the configuration settings existed on a per-user basis. &lt;/p&gt; &lt;p&gt;At the time, this was no big deal. There weren't many users, and it was easy to manage the various accounts and permissions. Within a year there were over two hundred PCs on the network. By the time I left the company a couple of years later, there were well over a thousand people using a network that was only initially designed to handle a few dozen.&lt;/p&gt; &lt;p&gt;As you can imagine, the network experienced some severe growing pains. Some of these growing pains were related to hardware performance, but most were related to the inability to effectively manage that many user accounts. Eventually, the network became such a mess that all of the user accounts had to be deleted and recreated from scratch.&lt;/p&gt; &lt;p&gt;Obviously, rapid unexpected growth can cause problems, but you are probably wondering why in the world things became so unmanageable that all of the accounts had to be deleted so that we could “just start over”.&lt;/p&gt; &lt;p&gt;As I mentioned before, all of the configuration and security settings were user based. This meant that if a department manager came to me and asked me to tell him who had access to a particular network resource, I would have to look at every account individually to see whether or not the user had access to the resource. When you only have a couple dozen users, checking every account to see which users have access to something is tedious and disruptive (at the time, checking took about 20 minutes). When you’ve got a couple hundred users, checking every user account can take most of the day.&lt;/p&gt; &lt;p&gt;Granted, the events that I just described happened well over a decade ago. 
As the IT industry goes, these events might as well have occurred in prehistoric times. After all, the network operating systems that were in use at the time are now extinct. Even so, the lessons learned back then are as relevant today as they were then.&lt;/p&gt; &lt;p&gt;All of the problems that I just described could have been prevented if groups had been used. The basic idea behind groups is that a group can contain multiple user accounts. Since security settings are assigned at the group level, you should never manually assign permissions directly to a user account. Instead, you would assign permission to a group, and then make the user a member of the group.&lt;/p&gt; &lt;p&gt;I realize that this might sound a little confusing, so I will demonstrate the technique for you. Suppose that one of your file servers contains a folder named Data, and that you need to grant a user read access to the Data folder. Rather than assigning the permission directly to the user, let’s create a group.&lt;/p&gt; &lt;p&gt;To do so, open the Active Directory Users and Computers console. When the console opens, right click on the Users container, and select the New | Group commands from the resulting shortcut menus. Upon doing so, you will see a screen similar to the one that is shown in Figure A. At a minimum, you must assign a name to the group. For ease of management, let’s just call the group Data, since the group is going to be used to secure the Data folder. For right now, don’t worry about the group scope or the group type settings. 
I will teach you about these settings in the next part of this series.&lt;/p&gt;&lt;p&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_wjSazwqws3I/R2HwjybKl1I/AAAAAAAAAFU/VMOB8U1vmyo/s1600-h/image0011192538761727.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp0.blogger.com/_wjSazwqws3I/R2HwjybKl1I/AAAAAAAAAFU/VMOB8U1vmyo/s400/image0011192538761727.jpg" alt="" id="BLOGGER_PHOTO_ID_5143656747055617874" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Figure A: &lt;/strong&gt;Enter a name for the group that you are creating&lt;br /&gt;&lt;br /&gt;Click OK, and the Data group will be added to the list of users, as shown in Figure B. Notice that the group’s icon uses two heads, indicating that it is a group, as opposed to the single headed icon used for user accounts.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_wjSazwqws3I/R2HxWibKl2I/AAAAAAAAAFc/nrJAx2nH9o0/s1600-h/image0021192539077712.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp3.blogger.com/_wjSazwqws3I/R2HxWibKl2I/AAAAAAAAAFc/nrJAx2nH9o0/s400/image0021192539077712.jpg" alt="" id="BLOGGER_PHOTO_ID_5143657618933978978" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Figure B: &lt;/strong&gt;The Data group is added to the list of users&lt;br /&gt;&lt;br /&gt;Now, double click on the Data group, and you will see the group’s properties sheet. Select the properties sheet’s Members tab, and click the Add button. 
You are now free to add user accounts to the group. The accounts that you add are said to be group members. You can see what the Members tab looks like in Figure C.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_wjSazwqws3I/R2Hx1ibKl3I/AAAAAAAAAFk/VVat8vcFnSA/s1600-h/image0041192538789196.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp3.blogger.com/_wjSazwqws3I/R2Hx1ibKl3I/AAAAAAAAAFk/VVat8vcFnSA/s400/image0041192538789196.jpg" alt="" id="BLOGGER_PHOTO_ID_5143658151509923698" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Figure C: &lt;/strong&gt;The Members tab lists all of the group’s members&lt;br /&gt;&lt;br /&gt;Now it’s time to put the group to work. To do so, right click on the Data folder, and select the Properties command from the resulting shortcut menu. When you do, you will see the folder’s properties sheet. Go to the properties sheet’s Security tab, and click the Add button. When prompted, enter the name of the group that you just created (Data) and click OK. You are now free to establish a set of permissions for the group. Whatever permissions you apply to the group, also apply to group members. As you can see in Figure D, there are some other rights that are applied to the folder by default. 
It is best to remove the Users group from the access control list to prevent any accidental contradictions of permissions.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_wjSazwqws3I/R2HyRibKl4I/AAAAAAAAAFs/UxfxELoCdNk/s1600-h/image0051192538789212.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp3.blogger.com/_wjSazwqws3I/R2HyRibKl4I/AAAAAAAAAFs/UxfxELoCdNk/s400/image0051192538789212.jpg" alt="" id="BLOGGER_PHOTO_ID_5143658632546260866" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Figure D: &lt;/strong&gt;The Data group is added to the folder’s access control list&lt;br /&gt;&lt;br /&gt;Remember earlier when I mentioned how much work it was to try to figure out which users had access to a particular resource? Well, when groups are in use, the process becomes simple. If you need to know which users have access to the folder, just look to see which groups have access to the folder, as shown in Figure D. Once you know which groups can access the folder, determining who has rights to the folder is as simple as checking the group’s membership list (shown in Figure C). Any time additional users need access to the folder, just add their names to the list of group members. Likewise, you can remove permissions to the folder by deleting a user’s name from the list of group members.&lt;br /&gt;&lt;br /&gt;&lt;h1 class="ww-important"&gt;&lt;span&gt;Security Groups&lt;/span&gt;&lt;/h1&gt;  The various types of security groups that Windows allows you to create.&lt;br /&gt;&lt;br /&gt;In the previous article, I showed you how to create security groups in Windows Server 2003. 
When I walked you through the process though, you might have noticed that Windows allows you to create a few different types of groups, as shown in Figure A. As you might have guessed, each of these group types has a specific purpose. In this article, I will explain what each type of group is used for.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_wjSazwqws3I/R2Hy-SbKl5I/AAAAAAAAAF0/iod0PCgOIeg/s1600-h/image0011195556426843.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp2.blogger.com/_wjSazwqws3I/R2Hy-SbKl5I/AAAAAAAAAF0/iod0PCgOIeg/s400/image0011195556426843.jpg" alt="" id="BLOGGER_PHOTO_ID_5143659401345406866" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Figure A: &lt;/strong&gt;Windows allows you to create a few different types of groups&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;If you look at the dialog box shown above, you will notice that the Group Scope area provides you with the option of creating a domain local, global, or universal group. There is also a fourth type of group that is not shown here; it is simply called a local group. &lt;h2&gt;Local Groups&lt;/h2&gt; &lt;p&gt;Local groups are groups that are specific to an individual computer. As you know by now, local computers can contain user accounts that are completely separate from those accounts that belong to the domain that the computer is connected to. These are known as local user accounts, and they are only accessible from the computer on which they reside. Furthermore, local user accounts can only exist on workstations and on member servers. 
Domain controllers do not allow for the existence of local user accounts.&lt;/p&gt; &lt;p&gt;With this in mind, it should come as no surprise that local groups are simply groups that are specific to a particular member server or workstation. A local group is often used to manage local user accounts. For example, the local Administrators group allows you to designate which users are administrators over the local machine.&lt;/p&gt; &lt;p&gt;Although a local group can only be used to secure resources residing on the local machine, it doesn't mean that the group's membership must be limited to local users. While a local group can, and usually does, contain local users, it can also contain domain users. Furthermore, local groups can also contain other groups that reside at the domain level. For example, you could make a universal group a member of a local group, and the universal group’s members will basically become members of the local group. In fact, a local group can contain local users, domain users, domain local groups, global groups, and universal groups.&lt;/p&gt; &lt;p&gt;There are two caveats that you need to be aware of though. First, as you might have noticed, a local group cannot contain another local group. It would seem that you should be able to drop one group into another, but you can’t. Someone at Microsoft once told me that the reason for this is to prevent a situation in which two local groups become members of each other.&lt;/p&gt; &lt;p&gt;The other caveat that you need to be aware of is that local groups can only contain domain users and domain level groups if the machine containing the local group is a member of the domain. Otherwise, local groups can only contain local users.&lt;/p&gt; &lt;h2&gt;Domain Local Groups&lt;/h2&gt; &lt;p&gt;Given what you've just learned about local groups, the idea of a domain local group probably sounds contradictory. 
The reason why domain local groups exist though, is because domain controllers do not contain a local account database. This means that there are no such things as local users or local groups on a domain controller. Even so, domain controllers have local resources that need to be managed. This is where domain local groups come into play.&lt;/p&gt; &lt;p&gt;When you install Windows Server 2003 onto a computer, the machine typically begins life as either a standalone server or as a member server. In either case, local user accounts and local groups are created during the installation process. Now suppose that you wanted to convert the machine into a domain controller. When you run DCPROMO, the local groups and local user accounts are converted into domain local groups and domain user accounts.&lt;/p&gt; &lt;p&gt;It is important to keep in mind that all of the domain controllers within a domain share a common user account database. This means that if you add a user to a domain local group on one domain controller, the user will be a member of that domain local group on every domain controller in the entire domain.&lt;/p&gt; &lt;p&gt;The most important thing to keep in mind about domain local groups is that there are two different types. As I mentioned, when DCPROMO is run, the local groups are converted to domain local groups. 
Any domain local groups that are created by running DCPROMO are placed into the Builtin folder in the Active Directory Users and Computers console, as shown in Figure B.&lt;/p&gt;&lt;p&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_wjSazwqws3I/R2HzeybKl6I/AAAAAAAAAF8/BppJJOtuv6M/s1600-h/image0021195556427062.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp0.blogger.com/_wjSazwqws3I/R2HzeybKl6I/AAAAAAAAAF8/BppJJOtuv6M/s400/image0021195556427062.jpg" alt="" id="BLOGGER_PHOTO_ID_5143659959691155362" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Figure B: &lt;/strong&gt;Domain local groups created by DCPROMO reside in the Builtin container&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;The reason why this is important to know is because there are some restrictions imposed on these particular domain local groups. These groups cannot be moved or deleted. Likewise, you cannot make these groups members of other domain local groups.&lt;/p&gt; &lt;p&gt;These restrictions do not apply to domain local groups that you create though. Domain local groups that you create typically begin life in the Users container. From there, you are free to move or delete them to your heart’s content. &lt;/p&gt; &lt;p&gt;I have to be perfectly frank and tell you though that in all the years I have been working with Windows Server, I have yet to find a good argument for creating domain local groups. In fact, domain local groups are basically identical to global groups, except that they are restricted to an individual domain.&lt;/p&gt; &lt;h2&gt;Global Groups&lt;/h2&gt; &lt;p&gt;Global groups are by far the most commonly used type of group. In most cases, a global group simply acts as a collection of Active Directory user accounts. 
The interesting thing about global groups is that they can be placed inside of each other. You can make one global group a member of another global group, so long as both global groups exist within the same domain.&lt;/p&gt; &lt;p&gt;Keep in mind that global groups can only contain Active Directory resources. You cannot place a local user account or a local group into a global group. You can, however, add a global group to a local group. In fact, doing so is the most common way of granting domain users permissions to resources stored on a local computer. For example, suppose that you wanted to give the managers in your company administrative rights to their workstations (not that I recommend doing that; this is just an example). To do so, you could create a global group called Managers, and place each of the managers’ domain user accounts into it. You could then add the Managers group to the workstation’s local Administrators group, thus making the managers administrators on those workstations.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/5131844433292243278/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=5131844433292243278' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/5131844433292243278'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/5131844433292243278'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2007/12/networking-basics-part-4.html' title='Networking Basics: Part 4'/><author><name>Ismoyo 
NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_wjSazwqws3I/R2HsMybKluI/AAAAAAAAAEc/owDI_wnaUMk/s72-c/image0021186499390163.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-6647179720553776033</id><published>2007-12-13T07:23:00.000-08:00</published><updated>2007-12-13T07:31:56.232-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Software'/><title type='text'>Microsoft Delivers Vista SP1 Release Candidate to Customers</title><content type='html'>&lt;div style="font-family: verdana;" id="ctl00_MainContent_ArticleImage" class="ArticleImage"&gt;             &lt;img id="ctl00_MainContent_NewsImage" class="NewsStoryImage" src="http://images.dailytech.com/frontpage/fp__fp__fp__fp__fp__fp__3659_vistabusiness.jpg" style="border-width: 0px;" /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;       &lt;/div&gt;         &lt;div  id="ctl00_MainContent_ArticleInfo" class="ArticleInfo" style="font-family:verdana;"&gt;             &lt;span id="ctl00_MainContent_lblCategory" class="ArticleCategory"&gt;&lt;/span&gt;&lt;span id="ctl00_MainContent_lblDate" class="DateStory"&gt;&lt;/span&gt;&lt;span id="ctl00_MainContent_lblBody"&gt;&lt;p&gt;Yesterday, Microsoft issued Service Pack 1 (SP1) for Office 2007 along with a Release Candidate version of Service Pack 3 (SP3) for Windows XP. 
Today, the boys from Redmond are turning their attention to Windows Vista.&lt;/p&gt; &lt;p&gt;Windows Vista users can now download a release candidate version of SP1 for the operating system. SP1 RC1 was released to a select group of testers last month, but this is the first time that the service pack has been opened up to the public.&lt;/p&gt; &lt;p&gt;SP1 includes numerous bugfixes and security updates introduced since the release of Vista on November 30, 2006. Also included are improvements to ReadyBoost, increased network performance, faster file copying and stepped-up anti-piracy measures. &lt;/p&gt; &lt;p&gt;&lt;em&gt;Neowin&lt;/em&gt; also notes that improvements have been made to Vista's update engine including support for hotpatching:&lt;/p&gt; &lt;ul&gt;&lt;li&gt;Improves patch deployment by retrying failed updates in cases where multiple updates are pending and the failure of one update causes other updates to fail as well.&lt;/li&gt;&lt;li&gt;Enables reliable OS installation by optimizing OS installers so that they are run only when required during patch installation. 
Fewer installers operating results in fewer points of potential failure during installation, which leads to more robust and reliable installation.&lt;/li&gt;&lt;li&gt;Improves overall install time for updates by optimizing the query for installed OS updates.&lt;/li&gt;&lt;li&gt;Improves robustness during the patch installation by being resilient to transient errors such as sharing violations or access violations.&lt;/li&gt;&lt;li&gt;Improves robustness of transient failures during the disk cleanup of old OS files after install.&lt;/li&gt;&lt;li&gt;Improves the uninstallation experience for OS updates by improving the uninstallation routines in custom OS installation code.&lt;/li&gt;&lt;li&gt;Improves reliability of OS updates by making them more resilient to unexpected interruptions, such as power failure.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Service Pack 1 RC1 can be downloaded directly from Microsoft's website via a &lt;a href="http://technet.microsoft.com/en-us/windowsvista/bb969139.aspx"&gt;standalone package&lt;/a&gt;. 
Users can also choose to download a small 348KB applet which will use Windows Update to download only the SP1 updates specific to your system.&lt;/p&gt; &lt;/span&gt;         &lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/6647179720553776033/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=6647179720553776033' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/6647179720553776033'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/6647179720553776033'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2007/12/microsoft-delivers-vista-sp1-release.html' title='Microsoft Delivers Vista SP1 Release Candidate to Customers'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-7248761310741061838</id><published>2007-12-12T09:07:00.000-08:00</published><updated>2007-12-11T18:32:37.447-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Processor'/><category scheme='http://www.blogger.com/atom/ns#' term='PC Hardware'/><category scheme='http://www.blogger.com/atom/ns#' term='AMD'/><title type='text'>AMD's K8L and 4x4 Preview</title><content type='html'>Twice each year, AMD hosts an analyst day. 
The spring event, which took place at the Sunnyvale headquarters, is more technically oriented and tends to deal with the actual details of the company’s products and technology itself rather than financial performance and metrics. The event itself was relatively low key and included speakers from AMD and a few key partners, such as Sun, VMware, Rackable and video presentations from Microsoft and Alienware nee Dell. There was quite a bit of interesting information presented, but what really seemed to be worth dwelling on were the new revelations about the K8L and the 4x4 gaming systems. &lt;p&gt; Just as an aside, several architects at AMD expressed puzzlement at the origins of the K8L name. There is an internal engineering code name for the project, but the marketing team is slightly behind and has yet to provide something catchy for the rest of the world. At least one architect at AMD indicated a preference for the name K8++, but it seems unlikely that anyone in marketing or PR would share this point of view. &lt;/p&gt; &lt;h3&gt;&lt;center&gt;Do you Have Change for Some Cache?&lt;/center&gt;&lt;/h3&gt; &lt;p&gt;Previously, Chuck Moore had described several incremental enhancements in the K8L at the Spring Processor Forum. The instruction fetch unit now includes an indirect branch predictor and fetches 32 bytes per cycle. The FP and SSE units have all been widened to 128 bits, as have the memory pipes. The load/store units also have somewhat more flexible execution; they can re-order loads with respect to other loads (although loads cannot move around stores). Physical and virtual addressing is expanded to 48 bits, and the page tables have been augmented as well. The page tables now support nesting for virtualization, and include 1GB pages. On the power side, the cores and system functionality will have separate power planes and independent C and P states. These are not all of the changes, but most of the key elements. 
&lt;/p&gt;&lt;center&gt; &lt;img style="width: 542px; height: 452px;" src="http://www.realworldtech.com/includes/images/articles/K8L-preview-1.png" /&gt;&lt;br /&gt;&lt;b&gt;Figure 1 – Floor Plan of K8L&lt;/b&gt;&lt;/center&gt; &lt;p&gt;The first significant disclosures regarding the K8L had to do with the cache hierarchy within a single core. Despite an erroneous rumor to the contrary at Daily Tech, the L1D and L1I caches remain at 64KB each, according to a senior architect at AMD. The floor plan of the K8L also tends to confirm that the L1 caches have not decreased in size. The K8L did experience some L2 cache shrinkage and initial parts will feature a 2MB shared L3 cache. Based on the cache sizes, the L2 cache is still exclusive of the L1 contents, and the L3 cache is certainly not inclusive (although this does not mean it is exclusive). Additionally, it is easy to deduce, based on information about the load/store units that the bus between the L1 and L2 caches has been widened to 256 bits. The L3 cache is extensible, and it seems likely that 4MB parts will come out, perhaps as a way to differentiate between low-end parts intended for 1-2 sockets, and the higher-end parts for 4-8 sockets.&lt;/p&gt;&lt;div class="contenttxt"&gt;&lt;h3&gt;&lt;center&gt;Scale up at Last?&lt;/center&gt;&lt;/h3&gt; &lt;p&gt; Many industry insiders have commented that the K8 is eerily reminiscent of the ill-fated Alpha EV7. The EV7 augmented a high performance core with on-die directories for cache coherency and four interprocessor communication links operating at 6.4GB/s each. The EV7 also incorporated two memory controllers supporting eight channels of RDRAM, a total memory bandwidth of 12.8GB/s per processor. Like the EV7, the K8 enhanced on a prior generation design; adding a memory controller, and three Hypertransport links. With three 8GB/s links, the K8 is an excellent choice for 1-8P servers. 
In theory, the K8 can scale up to 8 sockets; however, in practice it is extremely difficult. First, the only glueless 8 socket systems require multiple system boards; the Tyan Thunder K8QW uses 2 boards, while the Iwill H8502 uses 5 boards. Second, the snoop broadcast protocol used in the K8 ends up saturating the Hypertransport links. Third, using 8 sockets requires slightly more complicated system topologies that increase the number of hops between sockets and hence average memory latency. As a result, performance projections for commercial server workloads (OLTP in particular) show very poor gains (10-40% depending on which estimate) for glueless 8 socket systems over 4 socket systems. &lt;/p&gt;&lt;p&gt;AMD’s success with the Opteron for 4 socket systems, where they have roughly half the market, has prompted the architects to extend the K8L’s scalability a step further. The K8L will add an additional lane of 16 bit Hypertransport 3.0 to each device, providing 4 in total. Each link can run at up to 5.2GT/s, and can be split into two separate 8 bit links. So a single device could be configured with eight 8 bit Hypertransport links, instead of the regular four 16 bit links. Figure 2 below shows a fully connected system using split links. &lt;/p&gt; &lt;center&gt;&lt;img style="width: 590px; height: 412px;" src="http://www.realworldtech.com/includes/images/articles/K8L-preview-2.png" /&gt;&lt;br /&gt;&lt;b&gt;Figure 2 – 4 and 8 Socket K8L System&lt;/b&gt;&lt;/center&gt; &lt;p&gt;Alternative configurations are also conceivable, but are beyond the scope of this article. Given these disclosures, the K8L will be somewhat more suitable to 8 socket systems, since it solves the topology and latency issues, although there is no disclosed solution for the snooping problem. &lt;/p&gt;&lt;p&gt; While AMD did not discuss the matter, we had initially hypothesized that the limit was still 8 nodes per system. 
It turns out that we were premature, and AMD has increased the number of nodes, although we do not know by how much. Any limitation is probably in the neighborhood of 16-64, both due to AMD’s partners, and technical constraints. AMD’s major partners: IBM, Sun and HP, all have highly scalable systems that use other architectures (PPC, SPARC and IPF, respectively). The notion of white box vendors selling high processor count systems would not sit well with any of those three, since the margins are far higher on their larger systems. Moreover, such a move could interfere with Newisys’ scalable Opteron servers. Lastly, scaling to above 16 sockets would require a significant investment of technical resources that would not improve, and could even detract from single device performance. &lt;/p&gt;&lt;p&gt;Ultimately, the 8 socket scaling for the K8L should substantially improve over the prior generation. Whether anyone will be willing to attempt glueless 16 sockets or more is certainly unclear, but it seems safe to say that 8 socket K8L systems will be quite compelling.&lt;/p&gt;&lt;h3&gt;&lt;center&gt;Gaming the System&lt;/center&gt;&lt;/h3&gt; &lt;p&gt; Anyone who has been following the gaming segment has probably noticed an increasing desperation on behalf of the major vendors (AMD, Intel, Nvidia and ATi) to retain leadership in their respective areas of expertise, no matter the cost. This started with the Pentium 4 Extreme Edition, which sold reasonably well, despite its equally extreme pricing. While these ‘extreme’ parts have ridiculous ASPs, it does seem like the major goal is really PR, rather than profitability. Sometimes, these products also fall short on real performance, because the software ecosystem is unprepared. &lt;/p&gt;&lt;p&gt;AMD introduced a new product line for the extreme gaming market, which is in essence, a dual socket system using Athlon FX processors and standard DDR2 (rather than the registered DIMMs used for Opteron). 
This announcement is obviously an attempt to bolster one of AMD’s core markets, against future encroachment from Intel’s Conroe XE. However, the good news is that AMD resisted the temptation to do a quick hack for bragging rights. Both MPUs can attach to memory, and the system is outfitted to work with dual GPUs. The latency should be rather similar or slightly better than existing two socket Opteron systems, although it is quite unclear to what extent the extra processors will improve performance for most games. &lt;/p&gt;&lt;p&gt;There is an added wrinkle, which is that to some extent 4x4 will compete with Opteron based workstations and servers, such as the Tyan Thunder K8WE. Although product plan details have not been announced, it seems like the main differentiator between 4x4 and a 2 socket Opteron would be ECC protection for memory. For some applications this could be enough to ensure that the users pick the appropriately positioned product. However, some buyers will see the two as interchangeable and simply opt for the cheaper solution. In fact, if the 4x4 works with regular Athlon parts, it might be just the thing for a low cost scale out system, load balanced web servers for instance. However, since the system is not likely to appear till the latter part of the year, AMD will have a while to figure out a marketing strategy to avoid these undesirable crossovers. &lt;/p&gt; &lt;h3&gt;&lt;center&gt;Conclusion&lt;/center&gt;&lt;/h3&gt; &lt;p&gt;AMD’s spring analyst day presented a lot of news on future plans, products and focus areas at the company. The most interesting part was a nice preview of the next generation K8 microprocessor. The K8L, as it has been dubbed, is a strong incremental improvement over the 65nm shrink of the K8. There will be several changes to the microarchitecture, most notably in the memory hierarchy. 
The level of integration will also increase, enhancing the scalability of systems built around this next generation part, which is due out in the middle of 2007. Naturally, once more details are available, full coverage of the subject would be in order. Preliminarily, the “K8L” looks to be a very solid MPU, elegantly integrating four cores together. The other topic we covered was AMD’s 4x4 announcement, which is somewhat more niche. Fortunately for end-users, 4x4 is a well planned out design from the technical perspective and not a simple grab for the performance crown. &lt;/p&gt;Unfortunately, discussing everything that went on would be nearly impossible. While we focused heavily on the K8L and the 4x4 platform, there were other topics that are worth mentioning. AMD discussed their plans for fabs and manufacturing capacity, initiatives to serve the developing world and a 65nm mobile Turion part. By far the most exciting topic that we have not discussed is coprocessors, but that is an issue for another day.&lt;p&gt; &lt;/p&gt;&lt;/div&gt;&lt;p&gt; &lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-7248761310741061838?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/7248761310741061838/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=7248761310741061838' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/7248761310741061838'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/7248761310741061838'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2007/12/amds-k8l-and-4x4-preview.html' title='AMD&apos;s K8L and 4x4 
Preview'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-4801012345148795733</id><published>2007-12-12T07:38:00.000-08:00</published><updated>2007-12-13T07:47:54.675-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Software'/><title type='text'>Microsoft Extends Sales of Windows XP</title><content type='html'>&lt;span style="font-size:100%;"&gt;&lt;span style="font-weight: bold; font-family: verdana;" id="ctl00_MainContent_lblSummary" class="ArticleSummary"&gt;Taking into consideration customer and partner requests, Microsoft will sell Windows XP for another 5 months&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: verdana;" id="ctl00_MainContent_lblBody"&gt;In a recent press release Microsoft announced it will extend sales of its Windows XP operating system to OEMs and retail channels for five months over the initial end date, through June 30, 2008. 
The move comes after a great amount of feedback from customers and partners regarding the original end-of-sale date of January 31, 2008.&lt;br /&gt;&lt;br /&gt;Mike Nash, the corporate vice president of Windows Product Management, stated, "While we’ve been pleased with the positive response we’ve seen and heard from customers using Windows Vista, there are some customers who need a little more time to make the switch to Windows Vista."&lt;br /&gt;&lt;br /&gt;Nash went on to say that Microsoft's original policy of a four-year availability of operating systems to OEM and retail channels had been established in 2002. However, due to the delays in the launch of Windows Vista, Microsoft felt that offering Windows XP for sale for an additional five months would make more sense.&lt;br /&gt;&lt;br /&gt;When asked about what Microsoft was hearing in terms of feedback from customers regarding Windows Vista Nash stated, "With more than 60 million licenses sold as of this summer, Windows Vista is on track to be the fastest-selling operating system in Microsoft’s history."&lt;br /&gt;&lt;br /&gt;Microsoft's Nash feels that the strong sales thus far are due to the doubling of sales of pre-built desktop and laptop computers bundled with Windows Vista as the primary OS. 
However, recently Microsoft also decided to offer OEMs the option to let customers downgrade from Windows Vista to Windows XP.&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-4801012345148795733?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/4801012345148795733/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=4801012345148795733' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/4801012345148795733'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/4801012345148795733'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2007/12/microsoft-extends-sales-of-windows-xp.html' title='Microsoft Extends Sales of Windows XP'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-6382980261463437615</id><published>2007-12-12T07:37:00.000-08:00</published><updated>2007-12-13T07:43:00.627-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Software'/><title type='text'>Microsoft Provides XP Downgrade for Unhappy Vista Users</title><content type='html'>&lt;div id="ctl00_MainContent_ArticleImage" class="ArticleImage"&gt;             &lt;img id="ctl00_MainContent_NewsImage" class="NewsStoryImage" src="http://images.dailytech.com/frontpage/fp__ballmer2.jpg" style="border-width: 0px;" /&gt;                       
                                                                                          &lt;br /&gt;&lt;div class="NewsBodyImage"&gt;  &lt;img src="http://images.dailytech.com/nimage/6093_3659_vistabusiness.jpg" style="border-width: 0px; padding-bottom: 5px;" /&gt; &lt;/div&gt; &lt;div class="NewsBodyImage"&gt;  &lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;span id="ctl00_MainContent_lblSummary" class="ArticleSummary"&gt;OEMs now have the option to provide XP downgrade to Vista Business, Vista Ultimate&lt;/span&gt;&lt;div id="ctl00_MainContent_NewsImagesCont"&gt;                &lt;div class="NewsBodyImage"&gt;   &lt;/div&gt;&lt;div class="NewsBodyImage"&gt;   &lt;/div&gt;&lt;/div&gt;&lt;span id="ctl00_MainContent_lblSummary" class="ArticleSummary"&gt; customers&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;           &lt;span id="ctl00_MainContent_lblBody"&gt;   &lt;p class="MsoNormal"&gt;Windows Vista is Microsoft's current flagship operating system for consumers. The operating system launched in late November for OEMs and was released to consumers on January 30.&lt;/p&gt;   &lt;p class="MsoNormal"&gt;Microsoft has long-touted the operating system as a revolutionary product for desktops and notebooks -- a product that would leave no consumers longing for the 5-year-old Windows XP operating system.&lt;/p&gt;&lt;/span&gt;&lt;div class="NewsBodyImage"&gt;  &lt;br /&gt;&lt;/div&gt;&lt;span id="ctl00_MainContent_lblBody"&gt;   &lt;p class="MsoNormal"&gt;"Windows Vista and Microsoft Office 2007 will transform the way people work and play," said Microsoft chairman Bill Gates on January 30. "Windows Vista and Microsoft Office 2007 squarely address the needs and aspirations of people around the globe."&lt;/p&gt;   &lt;p class="MsoNormal"&gt;"The visual effects are spectacular; the navigation is streamlined and intuitive," added Microsoft CEO Steve Ballmer. "They make it much easier to protect your PC, yourself and your children online. 
And they work together to help you accomplish more throughout the day."&lt;/p&gt;   &lt;p class="MsoNormal"&gt;In the months following the consumer launch of Windows Vista, Microsoft played the numbers game with sales figures. The company announced in late March that it sold 20 million licenses of Vista within two months compared to just 17 million for Windows XP. The number crept up to 40 million by mid-May, and by late July Microsoft reported that 60 million copies of Windows Vista had been shipped around the world.&lt;/p&gt;&lt;/span&gt;&lt;div class="NewsBodyImage"&gt;  &lt;br /&gt;&lt;/div&gt; &lt;span id="ctl00_MainContent_lblBody"&gt;   &lt;p class="MsoNormal"&gt;Microsoft expects to have shipped one billion copies of Windows by the end of 2008.&lt;/p&gt;   &lt;p class="MsoNormal"&gt;Despite the many successes that Microsoft has touted with its operating system, some consumers just aren't impressed. Some have derided Windows Vista as being a bloat-fest with a prettier GUI and slower performance than its well-seasoned Windows XP predecessor -- ironically, both of those "flaws" were leveled against Windows XP in comparison to Windows 2000 after its launch in late 2001.&lt;/p&gt;   &lt;p class="MsoNormal"&gt;Other features that have irritated a number of consumers include the intrusive User Access Control (which can be turned off), application and driver incompatibilities, a beefed-up anti-piracy/activation scheme and Explorer's inability to remember View Settings, among countless others -- feel free to add your own in the comments section.&lt;/p&gt;   &lt;p class="MsoNormal"&gt;The numerous issues many customers have with Windows Vista are compounded by the fact that many feel that Microsoft's pricing for the operating system doesn't quite mesh with the perceived value offered over Windows XP. 
Windows Vista is priced at $199/$99.95 for Vista Home Basic, $239/$159 for Vista Home Premium, $299/$199 for Vista Business and $399/$259 for Vista Ultimate (full/upgrade).&lt;/p&gt;   &lt;p class="MsoNormal"&gt;As a result of the complaints from customers and businesses regarding Vista, Microsoft recently began offering an "XP downgrade" option for OEMs. The decision to downgrade a Vista installation is fully supported by Microsoft, but it’s up to each individual OEM to provide the option to its customers. Unfortunately, the option only exists for Vista Business and Vista Ultimate installations – Vista Home Basic and Vista Home Premium users are out of luck.&lt;/p&gt;   &lt;p class="MsoNormal"&gt;Fujitsu, which took matters into its own hands by offering copies of Windows XP with its Vista notebooks and Tablet PCs, fully embraces Microsoft's decision.&lt;/p&gt;&lt;/span&gt;&lt;div class="NewsBodyImage"&gt;  &lt;img src="http://images.dailytech.com/nimage/6094_ultimate.jpg" style="border-width: 0px; padding-bottom: 5px;" /&gt; &lt;/div&gt; &lt;span id="ctl00_MainContent_lblBody"&gt;   &lt;p class="MsoNormal"&gt;"That's going to help out small- and medium-size businesses," said Fujitsu's Brandon Farris to &lt;i style=""&gt;CNET News&lt;/i&gt;.&lt;/p&gt;   &lt;p class="MsoNormal"&gt;Other PC retailers such as Hewlett-Packard, Dell and Lenovo also provide their customers with Windows XP if they so choose. 
&lt;/p&gt;   &lt;p class="MsoNormal"&gt;"For business desktops, workstations and select business notebooks and tablet PCs, customers can configure their systems to include the XP Pro restore disc for little or no charge," said HP spokeswoman Tiffany Smith.&lt;/p&gt;   &lt;p class="MsoNormal"&gt;"We've been offering it and we're still offering it," added Dell's Anne Camden.&lt;/p&gt;   &lt;p class="MsoNormal"&gt;While Vista Business and Vista Ultimate users have always had the right to downgrade to Windows XP per the licensing agreement, the actual implementation of the program has been lacking. The process by which to get XP media for new systems with Vista Business or Vista Ultimate pre-installed was often complicated and troublesome, but changes made over the past few months have made it considerably easier for customers.&lt;/p&gt;   &lt;p class="MsoNormal"&gt;Some companies, such as Dell, have even gone so far as to allow consumers to purchase new PCs with Windows XP pre-installed, thus leaving Vista completely out of the equation.&lt;/p&gt;   &lt;p class="MsoNormal"&gt;With that said, the window of opportunity to acquire Windows XP is slowly closing. 
Direct OEM and retail license availability of Windows XP will cease on January 31, 2008.&lt;/p&gt; &lt;/span&gt;      &lt;!-- google_ad_section_end --&gt;                 &lt;hr color="#dddddd" noshade="true" size="1"&gt;        &lt;br /&gt;        &lt;/div&gt;         &lt;!-- google_ad_section_start --&gt;         &lt;div id="ctl00_MainContent_ArticleInfo" class="ArticleInfo"&gt;             &lt;span id="ctl00_MainContent_lblCategory" class="ArticleCategory"&gt;&lt;/span&gt;&lt;span id="ctl00_MainContent_lblDate" class="DateStory"&gt;&lt;/span&gt;&lt;br /&gt;        &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-6382980261463437615?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/6382980261463437615/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=6382980261463437615' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/6382980261463437615'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/6382980261463437615'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2007/12/microsoft-provides-xp-downgrade-for.html' title='Microsoft Provides XP Downgrade for Unhappy Vista Users'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' 
src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-296309580284146137</id><published>2007-12-12T07:35:00.000-08:00</published><updated>2007-12-13T07:52:35.932-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Software'/><title type='text'>Microsoft Releases Office 2007 SP1, XP SP3 Release Candidate to the Public</title><content type='html'>&lt;div style="font-family: verdana;" id="ctl00_MainContent_ArticleImage" class="ArticleImage"&gt;             &lt;img id="ctl00_MainContent_NewsImage" class="NewsStoryImage" src="http://images.dailytech.com/frontpage/fp__fp__xp.jpg" style="border-width: 0px;" /&gt;         &lt;/div&gt;         &lt;!-- google_ad_section_start --&gt;         &lt;div style="font-family: verdana;" id="ctl00_MainContent_ArticleInfo" class="ArticleInfo"&gt;             &lt;span id="ctl00_MainContent_lblCategory" class="ArticleCategory"&gt;&lt;/span&gt;&lt;span id="ctl00_MainContent_lblDate" class="DateStory"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;" id="ctl00_MainContent_lblSummary" class="ArticleSummary"&gt;Microsoft releases updates for two popular software platforms&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;           &lt;div style="text-align: justify;"&gt;&lt;span id="ctl00_MainContent_lblBody"&gt;&lt;p&gt;Microsoft has two presents for its customers today with the release of Service Pack 1 (SP1) for Office 2007 and Service Pack 3 (SP3) Release Candidate 1 (RC1) for Windows XP.&lt;/p&gt; &lt;p&gt;According to the Office 2007 SP1 whitepaper [DOC], Microsoft took steps to enhance its productivity suite in the areas of stability, performance and security. &lt;/p&gt; &lt;p&gt;In reference to stability, Microsoft addressed at least five bugs in each of its Office 2007 applications and improved the stability of its server components. 
Performance improved across the board with Excel, Outlook, PowerPoint and the SharePoint Server seeing the biggest gains. Likewise, Microsoft made incremental improvements to security and offers better protection against malicious software.&lt;/p&gt; &lt;p&gt;Office 2007 SP1 can be downloaded directly from Microsoft and weighs in at 281MB.&lt;/p&gt; &lt;p&gt;Microsoft also has a surprise for customers that have stuck with the company's long-serving Windows XP operating system. Windows XP made the headlines in recent months for its increased popularity despite the introduction of Windows Vista.&lt;/p&gt; &lt;p&gt;SP3 includes 1,073 hotfixes and contains four new feature additions for customers: a new activation scheme, Network Access Protection Module, Microsoft Kernel Mode Cryptographic Module and a Black Hole Router detection algorithm.&lt;/p&gt; &lt;p&gt;Previous beta and release candidate versions of SP3 were available to beta testers, but RC1 is now available for the public to test. 
&lt;/p&gt; &lt;p&gt;Those who wish to try out Windows XP SP3 RC1 can download it directly from Microsoft.&lt;/p&gt;&lt;/span&gt;&lt;/div&gt;&lt;span id="ctl00_MainContent_lblBody"&gt; &lt;/span&gt;      &lt;!-- google_ad_section_end --&gt;                 &lt;hr color="#dddddd" noshade="true" size="1"&gt;        &lt;br /&gt;        &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-296309580284146137?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/296309580284146137/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=296309580284146137' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/296309580284146137'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/296309580284146137'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2007/12/microsoft-releases-office-2007-sp1-xp.html' title='Microsoft Releases Office 2007 SP1, XP SP3 Release Candidate to the Public'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-4268130406663052511</id><published>2007-12-04T08:14:00.001-08:00</published><updated>2007-12-05T01:54:26.421-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Games'/><title type='text'>Entertainment</title><content type='html'>&lt;center&gt;&lt;span style="color: rgb(255, 0, 0);font-family:trebuchet 
ms;font-size:100%;"  &gt;Flash Strike&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;center&gt;&lt;br /&gt;&lt;br /&gt;&lt;form action="http://www.bum-files.com" method="post" target="_new"&gt;&lt;embed src="http://www.bum-files.com/Files/Games/Shooting-Fighting-4.swf" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" height="346" width="500"&gt;&lt;/embed&gt;&lt;input value="More Cool Games At bum-files.com" type="submit"&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/form&gt;&lt;/center&gt;&lt;div style="text-align: left;"&gt;Want to be Neo?&lt;br /&gt;&lt;/div&gt;&lt;/center&gt;&lt;img style="visibility: hidden; width: 0px; height: 0px;" src="http://counters.gigya.com/wildfire/CIMP/Jmx*PTExOTY3ODQ1ODM*NTMmcHQ9MTE5Njc4NDc4MDk4NCZwPTU2MzUxJmQ9Jm49.jpg" border="0" height="0" width="0" /&gt;&lt;br /&gt;&lt;center&gt;&lt;br /&gt;&lt;br /&gt;&lt;form action="http://www.bum-files.com" method="post" target="_new"&gt;&lt;embed src="http://www.bum-files.com/Files/Games/Shooting-Fighting-1.swf" type="application/x-shockwave-flash" height="267" width="535"&gt;&lt;/embed&gt;&lt;input value="More Cool Games At bum-files.com" type="submit"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/form&gt;&lt;/center&gt;&lt;img style="visibility: hidden; width: 0px; height: 0px;" src="http://counters.gigya.com/wildfire/CIMP/Jmx*PTExOTY3ODkyMzc3OTYmcHQ9MTE5Njc5MTU2OTczNCZwPTU2MzUxJmQ9Jm49.jpg" border="0" height="0" width="0" /&gt;&lt;br /&gt;&lt;center&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;Miss the plumber already&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;form action="http://www.bum-files.com" method="post" target="_new"&gt;&lt;embed pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash" src="http://www.bum-files.com/Files/Games/supermariobros.swf" type="application/x-shockwave-flash" height="307" width="423"&gt;&lt;/embed&gt;&lt;input value="More Cool Games At bum-files.com" 
type="submit"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/form&gt;&lt;/center&gt;&lt;img style="visibility: hidden; width: 0px; height: 0px;" src="http://counters.gigya.com/wildfire/CIMP/Jmx*PTExOTY3ODg3MDM2MDkmcHQ9MTE5Njc4ODcxODIwMyZwPTU2MzUxJmQ9Jm49.jpg" border="0" height="0" width="0" /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14928049-4268130406663052511?l=tommyndut.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://tommyndut.blogspot.com/feeds/4268130406663052511/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14928049&amp;postID=4268130406663052511' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/4268130406663052511'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14928049/posts/default/4268130406663052511'/><link rel='alternate' type='text/html' href='http://tommyndut.blogspot.com/2007/12/hiburan.html' title='Entertainment'/><author><name>Ismoyo NT</name><uri>http://www.blogger.com/profile/11539001047468101286</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='15' height='32' src='http://i20.photobucket.com/albums/b225/nias144/tommy02.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14928049.post-3615059828595017242</id><published>2007-11-27T21:04:00.000-08:00</published><updated>2007-11-27T06:40:04.939-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Processor'/><category scheme='http://www.blogger.com/atom/ns#' term='PC Hardware'/><category scheme='http://www.blogger.com/atom/ns#' term='Intel VS AMD'/><title type='text'>AMD vs. 
Intel: It's An Eternal Struggle</title><content type='html'>&lt;span style="font-size:130%;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_wjSazwqws3I/R0woJpD_U0I/AAAAAAAAAEU/naA5Jg3frgM/s1600-h/tea_editorialamdint.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp3.blogger.com/_wjSazwqws3I/R0woJpD_U0I/AAAAAAAAAEU/naA5Jg3frgM/s200/tea_editorialamdint.jpg" alt="" id="BLOGGER_PHOTO_ID_5137525421029413698" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span name="KonaBody"&gt;&lt;span class="artcat"&gt;&lt;p&gt;&lt;span style="font-family:Verdana;"&gt;&lt;strong&gt;Performance:&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-family:Verdana;"&gt;Like many  others I was caught up in the hype surrounding the "Thoroughbred" 0.13 micron  AthlonXP based &lt;a id="KonaLink2" target="_top" class="kLink" style="text-decoration: underline ! important; position: static;" href="http://www.pcstats.com/articleview.cfm?articleID=1194#"&gt;&lt;span style="color: rgb(62, 106, 141) ! important; font-weight: 400; position: static;font-family:Verdana;font-size:13;"  &gt;&lt;span class="kLink" style="border-bottom: 1px solid rgb(62, 106, 141); color: rgb(62, 106, 141) ! important; font-weight: 400; position: static; padding-bottom: 1px;font-family:Verdana;font-size:13;color:#0000e0;"   &gt;processor&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;. I honestly thought it would bring AMD back into the  spotlight and allow them to retake the performance crown from Intel. &lt;img alt="" src="http://www.pcstats.com/articleimages/082002/editorialamdint_plug.jpg" align="right" border="0" height="86" hspace="2" vspace="2" width="300" /&gt;                                          However, after playing with a &lt;a href="http://www.pcstats.com/articleview.cfm?articleID=1162"&gt;Thoroughbred&lt;/a&gt; I was brought  back down to reality. 
Why would a shrunken core (0.18 micron Palomino to 0.13 micron  T-Bred) improve performance by leaps and bounds? It wouldn't since AMD   didn't add any features to the                 core.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-family:Verdana;"&gt;         I was not  a fan of &lt;a id="KonaLink3" target="_top" class="kLink" style="text-decoration: underline ! important; position: static;" href="http://www.pcstats.com/articleview.cfm?articleID=1194#"&gt;&lt;span style="color: rgb(62, 106, 141) ! important; font-weight: 400; position: static;font-family:Verdana;font-size:13;"  &gt;&lt;span class="kLink" style="color: rgb(62, 106, 141) ! important; font-weight: 400; position: static;font-family:Verdana;font-size:13;"  &gt;Intel's &lt;/span&gt;&lt;span class="kLink" style="color: rgb(62, 106, 141) ! important; font-weight: 400; posi
