Where's my fluoride?

▼ Yesterday when I woke up, I wasn't worried at all about my fluoride levels. Then I started reading, and I became worried that I wasn't getting enough to keep my teeth healthy. After that, I read some more, and become somewhat worried I may be getting too much. All thanks to dr. Google.

If you want to know more about fluoride, read this article over at the Micronutrient Information Center at the Linus Pauling Institute of Oregon State University. (I wonder if the people who work there carry extra large business cards.) I was already aware of this part:

Fluoride's high chemical reactivity and small radius allow it to either displace the larger hydroxyl (-OH) ion in the hydroxyapatite crystal, forming fluoroapatite, or to increase crystal density by entering spaces within the hydroxyapatite crystal. Fluoroapatite hardens tooth enamel and stabilizes bone mineral.

When I was young I got fluoride treatments from the dentist and of course I've been brushing my teeth with fluoride-containing toothpaste as long as I can remember. So all that hydroxyapatite should have been turned into the more cavity-resistant fluoroapatite by now, right?

Probably not.

The trouble is that when your teeth are exposed to an environment with a pH below 4.5 (the pH of most fruits and fruit juices as well as sodas is below that), the apatite that makes up your teeth is demineralized—i.e., your teeth basically start to dissolve. Fortunately, saliva contains the necessary calcium and phosphate ions to allow the apatite to remineralize when the pH gets back to normal, repairing the early stages of cavities. The advantage of fluoroapatite over hydroxyapatite is that the fluor-containing type is slower to demineralize and faster to remineralize.

If we can believe Wikipedia (or common sense, really), the remineralization with fluoroapatite requires fluor ions to be present in the mouth. This will happen a few times a day when brushing with fluoride toothpaste, but what about the rest of the day? To get the best remineralization, you need to take in fluoride at much more regular intervals.

This is where water fluoridation comes in. Turns out that for some stupid reason, that doesn't happen here in the Netherlands. So this is the part where I stated to get worried about getting enough fluoride. And for some reason, it's really hard to get fluoride supplements. Also, most food contains barely any fluoride.

With one exception: tea. The tea plant absorbs a lot of fluoride from the environment. So, if, like me, you're a big tea drinker, you're probably getting all the fluoride you need: the USDA says prepared instant powder tea contains 335 micrograms of fluoride per 100 ml. According to the Linus Pauling Institute, adults need 3 (women) to 4 (men) milligrams of fluoride per day. So three or four big mugs of tea should take care of that quite nicely. Then again, the numbers at the Linus Pauling Institute are much lower, at 1 mg per liter for black tea after "5 minutes continuous infusion". But:

A cross-sectional study of more than 6,000 14-year old children in the UK found that those who drank tea had significantly fewer dental caries than nondrinkers; results were independent of whether sugar was added to tea.

However, if you drink a lot of (strong) tea, you can get bone disease from getting too much fluoride on an ongoing basis.

Permalink - posted 2015-05-27

Bring on the 2.5, 5 and 25 Gbps Ethernet!

▼ I'm at the RIPE meeting in Amsterdam this week. Yesterday, one of the first presentations was one from Alcatel-Lucent's Greg Hankins: Evolution of Ethernet Speeds: What’s New and What’s Next (PDF, see here for a link to the video recording).

Apparently, we're going to get some new Ethernet speeds in the (relatively) near future, such as 2.5, 5 and 25 Gbps. I can't wait!

My first computer with Gigabit Ethernet was the PowerBook I bought in 2003. It's now more than a decade later and my current Apple laptop... doesn't have any Ethernet at all. But for 20 to 30 euros/dollars you can get a 10/100/1000 Mbps Ethernet adapter that connects to either a Thunderbolt or a USB3 port. That's exactly as fast as the Ethernet port on my old PowerBook, even though according to Geekbench 2, my late-2013 MacBook Pro is more than ten times faster than the 1.25 GHz PowerBook (32-bit scores are 7110 vs 658). The SSD in the MBP is also about ten times faster than the HDD in the PB at about 800 vs 80 MB/s. USB is 5 Gbps instead of 480 Mbps, Wi-Fi 1300 vs 54 Mbps. It's just the Ethernet that's been completely stagnant.

So why is that? We've had 10 Gigabit Ethernet since the early 2000s. But the problem with that is that originally, 10GE was designed to work over fiber, which can easily handle that bandwidth. It took a lot of work to make 10GE work over copper, and that never got cheap in the way that GE got cheap so we never got 10/100/1000/10000 Mbps Ethernet ports the same way we went from 10/100 to 10/100/1000 Mbps Ethernet ports on our laptops and desktops. Even the biggest and baddest Mac that you can buy today, the Mac Pro, only has two 10/100/1000 ports, and no extension slots for adding 10GE.

The problem with all of this is that Gigabit Ethernet tops out at about 119 MB/s. That's more than enough to saturate any internet connection that a mere mortal can afford, but it's not enough to keep up with our SSDs or even a RAID array when copying files locally, with SSDs that easily go over 500 MB/s these days. With 2.5 Gbps Ethernet we'd get a lot closer at about 300 MB/s, and 5 Gbps Ethernet would be even better at about 600 MB/s. With modern designs, I expect that 5 but certainly 2.5 Gbps over regular twisted pair cabling can be made sufficiently cheap that these speeds will be supported routinely, and USB3 can easily handle 2.5 Gbps and probably also 5 Gbps. 2.5 and 5 Gbps are also intended to run over existing cat 5e/cat 6 cabling over distances of 100 meters, the same as Gigabit Ethernet. Traditionally, higher speeds over copper require more advanced cabling and/or support shorter distances.

There will also be 25 Gbps Ethernet that will be a nice step up for big servers that now use 10 Gbps, and perhaps 50 Gbps in the future. See the presentation for what's new for 10 and 40 Gbps and even 400 Gbps.

Permalink - posted 2015-05-12

RPKI is ready for real-world deployment

▼ For some years now, the Regional Internet Registries have been rolling out RPKI. The Resource Public Key Infrastructure allows holders of IP addresses to authorize an autonomous system to inject those addresses in BGP. (See here for an overview of how RPKI works and more links.)

I've always thought it would be hard to deploy RPKI in the real world, because it's just way too easy for a certificate or ROA (route origination authorization) to expire. If that then leads to routes becoming invalid and the addresses in question being unreachable, that would be a good example of the cure being worse than the disease.

Fortunately, that's not the case: RPKI is ready for real-world deployment today.

The way to deploy RPKI that's suggested in RFC 6483 as well as the relevant Cisco and Juniper documentation is to assign different local preference values to the three possible RPKI states, such as:

• Valid (RPKI checks out): local preference of 200 (highest)
• Unknown (no RPKI for this prefix): local preference of 100 (normal)
• Invalid (RPKI present but doesn't check out): local preference of 50 (lowest)

So packets will follow a path that is RPKI-validated if available. If not, they follow a path that isn't covered by RPKI if that's available. Only if there's no "valid" or "unknown" paths, the packets will be sent over an "invalid" path that is covered by RPKI, but validation failed. The trouble with this approach is that it still allows for invalid more specific prefixes to hijack traffic. For instance:

RIPE has a ROA for prefix 193.0.0.0/21 that allows AS 3333 to originate that prefix, with a maximum prefix length of /21. So if AS 4444 originates 193.0.0.0/21, that will result in the following BGP table:

    Network       Next Hop       Metric LocPrf Weight Path
>*  193.0.0.0/21  19.11.111.244      10    200      0 3333 i
 *                29.249.178.10      10     50      0 4444 i

So effectively, the path through AS 4444 is ignored. However, AS 4444 could also do this:

    Network       Next Hop       Metric LocPrf Weight Path
>*  193.0.0.0/21  19.11.111.244      10    200      0 3333 i
>*  193.0.0.0/24  29.249.178.10      10     50      0 4444 i
>*  193.0.1.0/24  29.249.178.10      10     50      0 4444 i
>*  193.0.2.0/24  29.249.178.10      10     50      0 4444 i
>*  193.0.3.0/24  29.249.178.10      10     50      0 4444 i
>*  193.0.4.0/24  29.249.178.10      10     50      0 4444 i
>*  193.0.5.0/24  29.249.178.10      10     50      0 4444 i
>*  193.0.6.0/24  29.249.178.10      10     50      0 4444 i
>*  193.0.7.0/24  29.249.178.10      10     50      0 4444 i

So even though the path towards the /21 is still routed to AS 3333, the packets flow to AS 4444 because of the longest match first rule. Solution: filter out "invalid" prefixes completely.

But then, what happens when RIPE forgets to renew their certificate or ROA in time? If their prefix would then revert to "invalid", it would disappear from routing tables everywhere, and RIPE would be unreachable:

    Network       Next Hop       Metric LocPrf Weight Path

In this scenario, it would be very dangerous to filter "invalid" prefixes, as RPKI is still relatively immature and mistakes will happen.

However, it turns out that the results of expired certificates and ROAs aren't actually problematic. In a post to the NANOG list, Alex Band points out:

If ARIN (or another other RIR) went offline or signed broken data, all signed prefixes that previously has the RPKI status "Valid", would fall back to the state "Unknown", as if they were never signed in the first place. The state would NOT be "Invalid".

So what would happen is this:

    Network       Next Hop       Metric LocPrf Weight Path
>*  193.0.0.0/21  19.11.111.244      10    100      0 3333 i

Obviously, in this case the protection against unauthorized origination of the prefixes in question would go away, but in the normal situation where nobody tries to hijack those prefixes, they would still be reachable and a mistake with certificate or ROA expiration wouldn't immediately lead to a network disappearing off of the internet.

In other words: deploy RPKI today. It doesn't protect against all forms of malicious address hijacking, but it does offer very robust protection against accidental unauthorized route origination, such as the infamous Youtube/Pakistan incident. Also, you can run an RPKI validator locally without the need for your upstream ISPs or peers to do the same.

Permalink - posted 2015-04-30