
One Venti MoCA Please

Intro
When my family and I moved into our townhouse almost 2 years ago, I never thought providing wireless coverage was going to be difficult. Well, I was wrong, and it's mainly my fault.

I live in a three-story townhouse. Internet service from Comcast comes into our basement and terminates in an Apple AirPort Time Capsule, which provides great 802.11ac coverage up to the second floor.

On my second floor I have a TV, a TiVo and an Apple TV plugged into an Apple AirPort Extreme (802.11ac), and here's where I (knowingly) messed up: it's connected by extending the wireless network from the basement. Ever since I did that, wireless and network connectivity on the third floor has been around 2 to 5 Mbps (megabits per second), and I was OK with that until something happened that killed Internet access on my third floor.

Why I needed MoCA
When this happened, all I got were complaints from my family about the Internet "sucking" and the pleasure of watching my LTE data usage go up. My house is not wired for Ethernet, and running CAT6 to the second-floor AirPort would require tearing down drywall and ripping up hardwood floors, which was not going to happen, so I started looking into what my options were.

I could only think of two options: using my existing coax cable infrastructure or using power lines to extend Ethernet. After a quick Google search, I eliminated power lines because I just don't like the thought of using the power lines in my house to extend Ethernet, and the fastest equipment I could find topped out at 500 Mbps (megabits, not megabytes!). Next up, coax, and to be honest I was not interested in using it either, because it reminded me of when I used to install Novell NetWare networks for title insurance companies throughout Florida in 1998-2000.

What I investigated about MoCA before buying MoCA
For starters, there is an industry standard from the Multimedia over Coax Alliance for extending an IP network over coax in the home. It's simply called MoCA (pronounced "mo-cha", like the chocolate coffee drink we all love) and is a Layer 2 (data link) protocol with two revisions, MoCA 1.1 and 2.0. According to the MoCA Wiki, MoCA 1.1 operates at speeds up to 275 Mbps and 2.0 at speeds up to 1.4 Gbps, so MoCA 2.0 was clearly the winner here. So what next?

Not a lot of technical info out there for ‘technical people’, because it just works
I started with a simple Google search about what specifically was required to implement a MoCA network and how to secure it. As a networking/collaboration person, I wasn't finding what I wanted. I found a bunch of forums where people used it to network their TiVos and loved it, which led to discovering that MoCA is how all the cable/satellite/FTTH providers network their set-top boxes on a customer's premises. Basically, people turned it on, didn't really understand it and didn't care, because it just worked. The primary issue most people had was forgetting to install a Point of Entry (POE) filter.

Technical details of MoCA
At this point I was sold on MoCA and wanted to implement it, but I needed to make sure that I wasn't going to stop my cable modem and TV from working. For starters, I wanted to know what the purpose of a MoCA POE filter was and how it would avoid interfering with service from Comcast.

There are two primary reasons for a MoCA POE filter: security and isolation. Think of connecting Comcast's (or any cable provider's) public service into your home coax network as the same as plugging your home Ethernet network directly into your Internet Service Provider (ISP) without a NAT router or firewall: you're exposed. With the Internet, your computer is exposed to the public Internet and within minutes it will start getting scanned and probed for weaknesses. In the case of coax, since it's shared infrastructure, your coax network is now on the same segment as the neighbors who use that same shared infrastructure from your cable provider. So if you enable MoCA, you're enabling it for your neighbors too, and all they need to do is plug in a MoCA bridge (like a TiVo) and they're now part of your network. You prevent this by installing a MoCA POE filter, which can loosely be compared to a NAT router for your Ethernet network. A MoCA POE filter confines your MoCA network to your home and physically stops it from being extended into your cable provider's network, which covers both isolation and security.

Some MoCA equipment will allow you to encrypt MoCA traffic, but I'm a perimeter and policy security guy when it comes to my home network. Encrypting the MoCA signal on the bridge seems to me like unnecessary overhead on the equipment that will slow my throughput down and make troubleshooting a bit more complicated. I just plain see it as unnecessary with a MoCA POE filter in place.

How does a MoCA POE filter accomplish all of this? MoCA operates in the 500 to 1650 MHz band. A MoCA POE filter blocks this range from exiting one side of the filter and keeps it on the other, hence the name Point of Entry filter. So you place the MoCA POE filter where your cable service provider comes into your home, before it is split. In the screenshot below, Comcast comes in on the left into my POE filter, then to the splitter and the in-home coax runs.

Screenshot 1 of 4: MoCA POE filter

Without getting into a bunch of details, because I'm not a coax expert: there is a different type of MoCA filter for traditional cable providers (Comcast, TWC, etc.) than for Verizon FiOS and Direct TV, so if you use Verizon or Direct TV, pay attention to what type of MoCA POE filter you purchase.

What I bought and why
First, I started with the MoCA POE filter. I purchased one made by Holland Electronics from Amazon that was specifically made for traditional cable providers (since I have Comcast); its "Bandstop provides a typical 35-45dB of rejection in the MoCA 1125-1525Mhz band."

Next, I wanted to find good, fast MoCA 2.0 bridges to bridge my coax and Ethernet networks together, and I wanted to make sure that they operated within the range that my MoCA POE filter blocked. This was not an easy task, but I settled on the Actiontec ECB6200 Bonded MoCA 2.0 Network Adapter so I could get 1.4 Gbps bi-directionally. After looking through the documentation, I discovered that it operates in the extended D band, the 1125 to 1675 MHz range. I bought a pair directly from Actiontec and anxiously awaited their arrival.

Screenshots 2 and 3 of 4: Cable modem MoCA bridge (1-1 and 1-2)
Screenshot 4 of 4: Upstairs MoCA bridge

How easy it was and next steps
Once my MoCA POE filter and pair of Actiontec MoCA bridges arrived, I installed them and had my network up and running in under 30 minutes. It was literally plug and play.

It has now been 3 months since I installed my MoCA network, and I am getting ready to light up the two remaining coax runs in my home. That will introduce some signal loss on the Comcast side because I'll have to add another splitter to the environment, but that's for another day and another post, and it will have no impact on my MoCA network.

I wrote this post to share knowledge gaps and fears I had going into this project and hope it helps someone else out there contemplating MoCA vs. Powerline.  Go MoCA!

OpenSSL & IANA TLS Cipher Suites

I have been working with OpenVPN, OpenSSL and OpenSSH for the past couple of weeks on my Raspberry Pi running Debian “Wheezy” which has been fun and frustrating at the same time.

Due to the version of OpenVPN included with "Wheezy" and the version of OpenVPN I was running on my client, I was having a heck of a time getting the TLS cipher to match up between the server and client configurations.

I found a software patch written by someone on the OpenVPN dev team, and within it was a nice table showing each OpenSSL cipher suite name and the corresponding IANA cipher suite name. Since I wasted hours trying to figure this out, I hope it will help someone else out and save them time.

OpenSSL Cipher Suite Name / IANA (IETF) Cipher Suite Name
ADH-SEED-SHA TLS-DH-anon-WITH-SEED-CBC-SHA
AES128-GCM-SHA256 TLS-RSA-WITH-AES-128-GCM-SHA256
AES128-SHA256 TLS-RSA-WITH-AES-128-CBC-SHA256
AES128-SHA TLS-RSA-WITH-AES-128-CBC-SHA
AES256-GCM-SHA384 TLS-RSA-WITH-AES-256-GCM-SHA384
AES256-SHA256 TLS-RSA-WITH-AES-256-CBC-SHA256
AES256-SHA TLS-RSA-WITH-AES-256-CBC-SHA
CAMELLIA128-SHA256 TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256
CAMELLIA128-SHA TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
CAMELLIA256-SHA256 TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256
CAMELLIA256-SHA TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
DES-CBC3-SHA TLS-RSA-WITH-3DES-EDE-CBC-SHA
DES-CBC-SHA TLS-RSA-WITH-DES-CBC-SHA
DH-DSS-SEED-SHA TLS-DH-DSS-WITH-SEED-CBC-SHA
DHE-DSS-AES128-GCM-SHA256 TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
DHE-DSS-AES128-SHA256 TLS-DHE-DSS-WITH-AES-128-CBC-SHA256
DHE-DSS-AES128-SHA TLS-DHE-DSS-WITH-AES-128-CBC-SHA
DHE-DSS-AES256-GCM-SHA384 TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
DHE-DSS-AES256-SHA256 TLS-DHE-DSS-WITH-AES-256-CBC-SHA256
DHE-DSS-AES256-SHA TLS-DHE-DSS-WITH-AES-256-CBC-SHA
DHE-DSS-CAMELLIA128-SHA256 TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256
DHE-DSS-CAMELLIA128-SHA TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA
DHE-DSS-CAMELLIA256-SHA256 TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256
DHE-DSS-CAMELLIA256-SHA TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA
DHE-DSS-DES-CBC3-SHA TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
DHE-DSS-DES-CBC-SHA TLS-DHE-DSS-WITH-DES-CBC-SHA
DHE-DSS-SEED-SHA TLS-DHE-DSS-WITH-SEED-CBC-SHA
DHE-RSA-AES128-GCM-SHA256 TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
DHE-RSA-AES128-SHA256 TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
DHE-RSA-AES128-SHA TLS-DHE-RSA-WITH-AES-128-CBC-SHA
DHE-RSA-AES256-GCM-SHA384 TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
DHE-RSA-AES256-SHA256 TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
DHE-RSA-AES256-SHA TLS-DHE-RSA-WITH-AES-256-CBC-SHA
DHE-RSA-CAMELLIA128-SHA256 TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
DHE-RSA-CAMELLIA128-SHA TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
DHE-RSA-CAMELLIA256-SHA256 TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256
DHE-RSA-CAMELLIA256-SHA TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
DHE-RSA-DES-CBC3-SHA TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
DHE-RSA-DES-CBC-SHA TLS-DHE-RSA-WITH-DES-CBC-SHA
DHE-RSA-SEED-SHA TLS-DHE-RSA-WITH-SEED-CBC-SHA
DH-RSA-SEED-SHA TLS-DH-RSA-WITH-SEED-CBC-SHA
ECDH-ECDSA-AES128-GCM-SHA256 TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256
ECDH-ECDSA-AES128-SHA256 TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256
ECDH-ECDSA-AES128-SHA TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA
ECDH-ECDSA-AES256-GCM-SHA384 TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384
ECDH-ECDSA-AES256-SHA256 TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA256
ECDH-ECDSA-AES256-SHA384 TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384
ECDH-ECDSA-AES256-SHA TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA
ECDH-ECDSA-CAMELLIA128-SHA256 TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256
ECDH-ECDSA-CAMELLIA128-SHA TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA
ECDH-ECDSA-CAMELLIA256-SHA256 TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA256
ECDH-ECDSA-CAMELLIA256-SHA TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA
ECDH-ECDSA-DES-CBC3-SHA TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA
ECDH-ECDSA-DES-CBC-SHA TLS-ECDH-ECDSA-WITH-DES-CBC-SHA
ECDH-ECDSA-RC4-SHA TLS-ECDH-ECDSA-WITH-RC4-128-SHA
ECDHE-ECDSA-AES128-GCM-SHA256 TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256 TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
ECDHE-ECDSA-AES128-SHA384 TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA384
ECDHE-ECDSA-AES128-SHA TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
ECDHE-ECDSA-AES256-GCM-SHA384 TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA256 TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA256
ECDHE-ECDSA-AES256-SHA384 TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
ECDHE-ECDSA-AES256-SHA TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
ECDHE-ECDSA-CAMELLIA128-SHA256 TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256
ECDHE-ECDSA-CAMELLIA128-SHA TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA
ECDHE-ECDSA-CAMELLIA256-SHA256 TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA256
ECDHE-ECDSA-CAMELLIA256-SHA TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA
ECDHE-ECDSA-DES-CBC3-SHA TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA
ECDHE-ECDSA-DES-CBC-SHA TLS-ECDHE-ECDSA-WITH-DES-CBC-SHA
ECDHE-ECDSA-RC4-SHA TLS-ECDHE-ECDSA-WITH-RC4-128-SHA
ECDHE-RSA-AES128-GCM-SHA256 TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
ECDHE-RSA-AES128-SHA256 TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
ECDHE-RSA-AES128-SHA384 TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA384
ECDHE-RSA-AES128-SHA TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
ECDHE-RSA-AES256-GCM-SHA384 TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
ECDHE-RSA-AES256-SHA256 TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA256
ECDHE-RSA-AES256-SHA384 TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
ECDHE-RSA-AES256-SHA TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
ECDHE-RSA-CAMELLIA128-SHA256 TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
ECDHE-RSA-CAMELLIA128-SHA TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA
ECDHE-RSA-CAMELLIA256-SHA256 TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA256
ECDHE-RSA-CAMELLIA256-SHA TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA
ECDHE-RSA-DES-CBC3-SHA TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
ECDHE-RSA-DES-CBC-SHA TLS-ECDHE-RSA-WITH-DES-CBC-SHA
ECDHE-RSA-RC4-SHA TLS-ECDHE-RSA-WITH-RC4-128-SHA
ECDH-RSA-AES128-GCM-SHA256 TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256
ECDH-RSA-AES128-SHA256 TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256
ECDH-RSA-AES128-SHA384 TLS-ECDH-RSA-WITH-AES-128-CBC-SHA384
ECDH-RSA-AES128-SHA TLS-ECDH-RSA-WITH-AES-128-CBC-SHA
ECDH-RSA-AES256-GCM-SHA384 TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384
ECDH-RSA-AES256-SHA256 TLS-ECDH-RSA-WITH-AES-256-CBC-SHA256
ECDH-RSA-AES256-SHA384 TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384
ECDH-RSA-AES256-SHA TLS-ECDH-RSA-WITH-AES-256-CBC-SHA
ECDH-RSA-CAMELLIA128-SHA256 TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256
ECDH-RSA-CAMELLIA128-SHA TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA
ECDH-RSA-CAMELLIA256-SHA256 TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA256
ECDH-RSA-CAMELLIA256-SHA TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA
ECDH-RSA-DES-CBC3-SHA TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA
ECDH-RSA-DES-CBC-SHA TLS-ECDH-RSA-WITH-DES-CBC-SHA
ECDH-RSA-RC4-SHA TLS-ECDH-RSA-WITH-RC4-128-SHA
EDH-DSS-DES-CBC3-SHA TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
EDH-DSS-DES-CBC-SHA TLS-DHE-DSS-WITH-DES-CBC-SHA
EDH-RSA-DES-CBC3-SHA TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
EDH-RSA-DES-CBC-SHA TLS-DHE-RSA-WITH-DES-CBC-SHA
EXP-DES-CBC-SHA TLS-RSA-EXPORT-WITH-DES40-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA TLS-DH-DSS-EXPORT-WITH-DES40-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA TLS-DH-RSA-EXPORT-WITH-DES40-CBC-SHA
EXP-RC2-CBC-MD5 TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5
EXP-RC4-MD5 TLS-RSA-EXPORT-WITH-RC4-40-MD5
NULL-MD5 TLS-RSA-WITH-NULL-MD5
NULL-SHA256 TLS-RSA-WITH-NULL-SHA256
NULL-SHA TLS-RSA-WITH-NULL-SHA
PSK-3DES-EDE-CBC-SHA TLS-PSK-WITH-3DES-EDE-CBC-SHA
PSK-AES128-CBC-SHA TLS-PSK-WITH-AES-128-CBC-SHA
PSK-AES256-CBC-SHA TLS-PSK-WITH-AES-256-CBC-SHA
PSK-RC4-SHA TLS-PSK-WITH-RC4-128-SHA
RC4-MD5 TLS-RSA-WITH-RC4-128-MD5
RC4-SHA TLS-RSA-WITH-RC4-128-SHA
SEED-SHA TLS-RSA-WITH-SEED-CBC-SHA
SRP-DSS-3DES-EDE-CBC-SHA TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA
SRP-DSS-AES-128-CBC-SHA TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA
SRP-DSS-AES-256-CBC-SHA TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA
SRP-RSA-3DES-EDE-CBC-SHA TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA
SRP-RSA-AES-128-CBC-SHA TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA
SRP-RSA-AES-256-CBC-SHA TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA

Source: [PATCH 5/5] Switch to IANA names for TLS ciphers.
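The mismatch described in this post is a naming one: the same suite spelled the OpenSSL way on one end and the IANA way on the other. The following is an added example, not code from the post or from the OpenVPN patch, that uses a constructed subset of the table above to translate a colon-separated OpenVPN `tls-cipher` list between the two spellings and to flag the NULL, export-grade, RC4, single-DES, RC2 and MD5 suites that appear in the table but have no place in a VPN configuration. The `tls-cipher` directive and its colon-separated list format are real OpenVPN syntax; the table subset and the regex are this example's own.

```python
# Added example (not from the original post or the OpenVPN patch): translate an
# OpenVPN "tls-cipher" list between OpenSSL and IANA suite names using a
# constructed subset of the page's table, and flag suites a defender would drop.
import re

# Constructed subset of the page's table: OpenSSL name -> IANA (IETF) name.
OPENSSL_TO_IANA = {
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256",
    "DHE-RSA-AES256-SHA256": "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256",
    "DHE-RSA-AES128-SHA": "TLS-DHE-RSA-WITH-AES-128-CBC-SHA",
    "AES256-SHA": "TLS-RSA-WITH-AES-256-CBC-SHA",
    "DES-CBC3-SHA": "TLS-RSA-WITH-3DES-EDE-CBC-SHA",
    "EDH-RSA-DES-CBC3-SHA": "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA",
    "DHE-RSA-DES-CBC3-SHA": "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA",
    "RC4-SHA": "TLS-RSA-WITH-RC4-128-SHA",
    "EXP-RC4-MD5": "TLS-RSA-EXPORT-WITH-RC4-40-MD5",
    "NULL-SHA": "TLS-RSA-WITH-NULL-SHA",
}
# Reverse map. Two OpenSSL aliases (EDH-/DHE-) share one IANA name in the
# table; keep the first alias listed so reverse translation is deterministic.
IANA_TO_OPENSSL = {}
for _ossl, _iana in OPENSSL_TO_IANA.items():
    IANA_TO_OPENSSL.setdefault(_iana, _ossl)

# Tokens (in either naming convention) marking suites with no confidentiality
# (NULL), export-grade key sizes, or deprecated primitives. "DES-CBC" followed
# by "3" is triple DES and is deliberately not matched here.
WEAK_MARKERS = re.compile(r"(^|-)(NULL|EXPORT|EXP|RC4|DES-CBC(?!3)|DES40|MD5|RC2)(-|$)")

def translate_tls_cipher(value, to="iana"):
    """Translate a colon-separated tls-cipher list to the requested naming.
    Names already in the target form pass through; unknown names are kept
    as-is and returned in the second element so a config review can see them."""
    table = OPENSSL_TO_IANA if to == "iana" else IANA_TO_OPENSSL
    out, unknown = [], []
    for name in value.split(":"):
        if name in table:
            out.append(table[name])
        elif name in table.values():
            out.append(name)          # already spelled the target way
        else:
            out.append(name)
            unknown.append(name)
    return ":".join(out), unknown

def weak_suites(value):
    """Return the entries of a tls-cipher list that match WEAK_MARKERS."""
    return [s for s in value.split(":") if WEAK_MARKERS.search(s)]
```

Run both directions on the server and client lists and compare the results; an entry reported as unknown is either a typo or a suite one side's OpenSSL build does not have.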