A comprehensive guide on the various types of Linux virtual networking interfaces. Keywords: vlan, vxlan, macvlan, ipvlan, macvtap, ipvtap, veth, vcan, vxcan, ipoib, nlmon, dummy interface, ifb.
A refreshing viewpoint: when we use UDP as an unreliable protocol, what we often actually want is its "timeliness" property, which is to say that if we have to choose between dropping one of two versions of the same data, we want to drop the old one. This is why real-time video streaming and gaming choose UDP. The datagram extension in QUIC offers a nice solution. Data is split into streams; within each stream the data is ordered. Each stream has a priority attached that is used to determine which packet to drop.
However, how do you choose which to drop without a bloated buffer that hurts latency? The author suggests using delay-based congestion control like BBR, which uses network metrics to probe the bandwidth and RTT.
curl ifconfig.io
curl ifconfig.me
curl ifconfig.co
curl ip.sb
curl icanhazip.com
curl myip.wtf/text
curl geofind.me # has geolocation info
Port reachability test:
ifconfig.co/port/22
Netfilter TPROXY target explained.
The part that interests me most is how to use Linux network namespaces to experiment with network layouts on the same machine.
A utility to find subdomains for a domain.
Also see https://crt.sh.
Two attacks that cause traffic to be sent outside the protected VPN tunnel:
- exploit the VPN's direct LAN access mechanism by spoofing a fake IP for target.com
- spoof the IP of the VPN server
I reckon these methods should only affect unencrypted traffic or TLS without proper CN checks. Interestingly, this technique is used by some VPN software in China as an alternative way to selectively route traffic to VPN (to circumvent internet censorship). https://dreamacro.github.io/clash/configuration/dns.html#fake-ip
A really nice article on how to synchronize game state over a network with latency and high packet loss. The protocol described at the end is quite clever:
Instead of detecting packet loss after the fact and resending lost packets, we redundantly include all inputs in each UDP packet until we know for sure the other side has received them
By the way, the website seems to have a lot of articles worth reading on game development, especially networking-related ones: https://gafferongames.com/
Internal mechanisms of a TCP connection.
The article explains how VoIP works in simple words. I'm not interested in building a personal VoIP system, but it's good to learn about unfamiliar terminology like SIP, ALG, DID, etc., which I saw on my modem. Now I feel more confident to turn off ALG and other stuff.
A guide on how to create a network namespace, bind interfaces, set routes, and run programs in it.
Small utility for generating DHCP options for pushing static routes to devices via DHCP.
Reveal domains parked at the same IP as a given domain. It can also show IPs (and their domains) nearby.
The 5 GHz band overlaps with some radar installations. Some channels are required to perform a mechanism called Dynamic Frequency Selection (DFS) to adjust the frequency and avoid colliding with radar signals. DFS can slow down the start-up time and may disrupt normal usage intermittently.
To mitigate DFS events, you can pick channels that are not subject to DFS scanning. You can check this page for information on DFS channels in different countries: https://en.wikipedia.org/wiki/List_of_WLAN_channels
A great post on an interesting networking problem: how do distributed servers send packets to the internet while sharing a common set of IP addresses?
For ingress there is the technique of anycast, which allows the client to connect to any one of the servers, but for egress it's a lot trickier because the client needs to know where the traffic comes from.
The TCP slow-start algorithm begins by sending a small amount of data, usually 10 TCP packets. A webpage of 14 kB will fit in these 10 packets (MTU - len(headers)). Doing so can deliver the content to users in one round trip.
I had the same issue with my previous work laptop earlier. Turns out it was caused by the always scanning™ AirPlay. What a (not) surprise! Fortuitously, I switched to Linux a few months ago.
No need to trust a self-signed certificate to intercept TLS traffic if we have the secret keys.
It generates a random subdomain and tracks the IP from whoever tries to look up the domain name record.
An extensive introduction to IPv6 concepts.
IPv6 has always baffled me as to how it works. There are too many unfamiliar terms and mechanisms, so I never felt confident enough to start using IPv6. This article solves much of my confusion.