Email or username:

Password:

Forgot your password?
Sindarina, Edge Case Detective's posts Post Back to profile
Top-level
Katze

@ljrk @sindarina @miki Let me rephrase this in financial terms, maybe then I'll get across how important it is to not have random IP addresses somewhere in code, docs, or even blog posts.

Currently the entire 1.2.3/24 is unassigned as far as I can tell, probably because people used those addresses at large, and simply announcing the /24 (and you have to announce an entire /24 at a time, smaller routes won't be accepted on the internet) will probably net you an enormous amount of traffic. The APNIC Debogon Project for instance has the goal of reintroducing such problematic network addresses back into the internet by working with a variety of ISPs and other instances to remove something like old filter lists for networks that were once widely blocked. The filter lists probably aren't too much of a problem in this case, it's more a matter of the amount of bogus traffic you'd get if you announced that network, and considering it's stemming from IPs present in various documentation, maybe even defaults somewhere, it seems rather likely to me that the reintroduction of that network probably won't happen anytime soon (although some people would probably pay very well for that IP).

So let's get into the fun part; IPv4 address space is expensive. Very expensive actually. Some sources estimate around 50$-70$ per IP, and /24 blocks do seem to net one around 10k$. I'm not too involved in the financial part of networking so I'm not too sure how reliable these numbers are, but sources seem to be somewhat consistent in those numbers. Also last time I heard about this kind of thing companies would try to buy existing but failing other companies to acquire their allocations rather than buy them to avoid having to go through a bunch of reassignment and justification stuff.
In any case removing a good chunk of internet for something that is priced about three times my gross monthly salary, because people thought the IP looked better in the docs.… eh. I don't know about that.

Even better would be adding IP addresses from networks which have actual technical implications like multicast ranges or other reserved networks which could potentially¹ cause actual issues rather than just not working.

Then there's the part about potential security implications; you add 1.2.3.4 to your docs for a curl command that uploads some data, expecting people to input the correct address, but some people still just copy&paste it. Years later maybe. Maybe after the IP has been reassigned and maybe there is a webserver running on that IP now. And they just inadvertently uploaded some important, maybe even PII, data to that server, which may be on a different continent.… ohhh boi, don't we all love to get an email from a service provider to tell us they accidentally leaked some information.

I know that writing documentation is hard. So hard in fact there are people who specialize in doing this; technical writers. But embedding IPs, domains, or other internet resources you do not own to your documentation creates problems for someone, somewhere.
Just think about how you'd feel if a DDoS as a service provider decided to add your website/server as an example domain for their API docs.…

Things like these may seem like a good idea if you can ignore the consequences, but we all know you shouldn't ignore the consequences just because you're not affected by them.

24 Jun 2023 at 22:49 | Wall-to-wall | Open on catcatnya.com
6 comments
Katze

@ljrk @sindarina @miki Personal opinion: if you're writing documentation in the assumption that people won't read half of it then I have a personal issue with your way of doing, because I would much rather you stop reinforcing that existing bias. The fallout of any form of text or information base trying to safeguard the people who won't even stop to read a single info box or bold written text is that people suddenly read news headlines and consider the entire article read. Or to read the first three words of a sentence and assuming they know the rest. This causes issues in all areas of life; prime example being the misinformation bias surrounding news because people don't bother to read more than the headline.

Making it easier to get away with not reading the important bits is part of the problem IMHO, not a solution. Not by a long shot.

@ljrk @sindarina @miki Personal opinion: if you're writing documentation in the assumption that people won't read half of it then I have a personal issue with your way of doing, because I would much rather you stop reinforcing that existing bias. The fallout of any form of text or information base trying to safeguard the people who won't even stop to read a single info box or bold written text is that people suddenly read news headlines and consider the entire article read. Or to read the first three...

24 Jun 2023 at 22:57 | Open on catcatnya.com
lj·rk

@benaryorg @sindarina @miki You don't learn by giving people a hard time. That's been established by quite a long time. It's a bullshit "didactic" theory that's still promoted by authoritarian teachers. I thought we were over that crap.

It's all about making good documentation. And any good technical writer will tell you that things that are written in an accessible and self explanatory way are better than unclear/complex technicalities with explanatory text *around* them.

Take *any* well-written technical paper, document, book. None of them will slap a lot of complicated formulas there and then have a second page explaining them. It will pick you up from line one and guide you through every step. It will have self-explanatory and carefully chosen names and terms for concepts introduced.

And no, 192.0.2.0/24 is not self-explanatory or obvious. Maybe it's simply bad how all this unfolded that the RFC came too late and we should've standardized 1.2.3.0/24 as test IP range, idc. But I do care about things being as obvious as they can (but not more than that).

I follow that RFC, in most cases. But there are cases where I don't, and repeating a lot of points that *I already know* won't change my mind. Addressing the problems I have with that RFC might. But alas, that doesn't happen.

@benaryorg @sindarina @miki You don't learn by giving people a hard time. That's been established by quite a long time. It's a bullshit "didactic" theory that's still promoted by authoritarian teachers. I thought we were over that crap.

It's all about making good documentation. And any good technical writer will tell you that things that are written in an accessible and self explanatory way are better than unclear/complex technicalities with explanatory text *around* them.

24 Jun 2023 at 23:10 | Open on todon.eu
Katze replied to lj·rk

@ljrk neither am I saying to make it hard to get the information from the documentation nor am I saying to strip down the documentation by making it "self explanatory". Something being "self explanatory" is a concept in which I do not believe because rather than making something more accessible it usually just causes different people to have issues with the documentation.
If you remove the "don't forget to change the IP" entirely then you're just tripping up a different set of people.

The only real solution to the problem of making things clear is by employing more than just text in documentation. Be it visuals, or something interactive.
The interactive part (OVH's API docs being an example, you enter values in textboxes and it generates PHP or Python code, would love curl too but still good) is hard to get right and often not really possible (think text documentation).

However the visual part is comparatively ubiquitous.

curl https://192.0.2.1/foo
             ^^^^^^^^^
            change this

Or if the command gets a little too long and you should factor out parts anyway:

ip=192.0.2.1 # change this
curl "https://${ip?}/foo"

This doesn't solve everything, but it both conveys the need to change a value as well as it possibly can IMHO (at least better than just hoping that 1.2.3.4 catches someone's eye) and it does make it easy to retrieve this message. Although it is less accessible for users of screen-readers, but for that you'll probably always need some regular text that is just™ readable by a screen reader).

The idea you're describing in your third paragraph, or at least in the way that you describe it, is very much tied to a multi-step thing, an API documentation may not contain multiple steps. Other pieces of documentation may not warrant introducing any concepts, they are just that one thing you should do and the only fluff that could possibly be there is a small info box telling you to change values accordingly. And whenever a technical paper, document, book, or anything of sorts tries to denote that this is an example, then it will probably make it clear that this is, in fact, an example, something that has to be reviewed before using, something that has to be understood before executing, something that is a template to the thing that you are trying to do.
There should never be an IP already filled out in anything that looks copy&pastable unless it is clearly marked as "this is what it looks like for me, your mileage may vary" together with the template of how to find out what you ought to do yourself.
That's where the IP ranges kick in. They aren't there to put in some code to start with, they're there to describe how things should look like in most cases:

To do the thing you can run this command:

curl https://$IP/foo

Note that you need to replace the `$IP` with your own IP ([insert pointer on where to find this information here, maybe an inline reference?]), for IPv4 this is just the regular IP as in `192.0.2.0`, for IPv6 bracketed notation is required: `[2001:db8::1234]`.

The IPs should not serve as placeholders, but as examples themselves IMHO.
Whatever documentation uses them inline without having a clearly established context (that of an example) and clear marking for which parts are variable, I don't like it.

Tech has the same issue whenever Regex comes along and people push all of the verification into the Regex itself (see the dreaded email regex that doesn't ever work anymore). No, the Regex is a means to denote a patterns, which is then captured and actually validated in a second step. Shoving Integer range validation into a Regex is the pinnacle of "you won't be able to maintain this in two weeks", and it's the same with IPs in documentation. Don't embed them. Put them next to the important part as an example. Remember the old placeholders in text inputs on the web? When there was actual text in there that you could just submit if you did not change the field, because it was stored as the value? And then finally came along the browser-supported placeholder attributes that allowed us to specify something that is visible, but not part of the content. This is what documentation needs those IPs to be. A thing to look at, but not to use.

And as someone who has read more network documentation than I'd like, 10.10.10.10 communicating with 11.11.11.11 is just as unusable to me. Call it Host A and Host B, or better even put an example there and have them be Server and Client or something.
Put the IPs there as an example of what it could look like, but do not use it to describe the actual content.
I don't want to know that 10.10.10.10 establishes a connectio— No! The client uses its internal IP (in this case 192.0.2.1) to connect to the servers public facing IP (here 203.0.113.1) which is visible to the server as the routers public facing IP (198.51.100.1) thanks to NAT.
Why anyone would ever keep talking about the IPs is beyond me. So many people have trouble with numbers already, especially if you have more than two of them, they get mixed up, the communication gets tedious, I haven't seen a person who was good at all those numbers in my life.

And in this kind of documentation, does it matter whether the IP is 1.1.1.1 or 198.51.100.1? I would say No, because it is clear in every sentence that these are examples.

@ljrk neither am I saying to make it hard to get the information from the documentation nor am I saying to strip down the documentation by making it "self explanatory". Something being "self explanatory" is a concept in which I do not believe because rather than making something more accessible it usually just causes different people to have issues with the documentation.
If you remove the "don't forget to change the IP" entirely then you're just tripping up a different set of people.

25 Jun 2023 at 2:35 | Open on catcatnya.com
lj·rk replied to Katze

@benaryorg

> If you remove the "don't forget to change the IP" entirely then you're just tripping up a different set of people.

Didn't say that. I said that it should ideally be made as clear as possible from the command itself, you yourself give many of such examples. But it's friggin' hard and I had people literally run commands with placeholders 1:1 despite everything you described. And not too few.

Maybe I'm burnt because I taught freshmen CompSci, most of them having never opened the command line a week before. But I always try to assume the least competent user – which means, assume that they do not *know* that RFC and they do not look at surrounding hints.

@benaryorg

> If you remove the "don't forget to change the IP" entirely then you're just tripping up a different set of people.

Didn't say that. I said that it should ideally be made as clear as possible from the command itself, you yourself give many of such examples. But it's friggin' hard and I had people literally run commands with placeholders 1:1 despite everything you described. And not too few.

25 Jun 2023 at 8:36 | Open on todon.eu
Katze replied to lj·rk

@ljrk I think the freshmen CompSci may be the reason indeed. Considering that school, university, most sorts of academics in general will encourage or even require skimming texts. When people from that background arrive in tech and see actual good documentation it's probably the firnt time they read a text that's written to be read for information, not written to comply with academic standards.

I get that we shouldn't make participation hard for people, but in that one instance I think it's arguably okay to do something to get that (IMHO toxic) mindset out of their heads.
Most people I know and have known are from a non-academic background and the majority of thes still tries to cut through docs but ultimately reads the important bits. It's more a habit of trying to skip chapters than parts of a sentence. And skipping in introduction may be much less problematic than skipping the half of the sentence that digs into the actual matter.

However overall I still don't think some inadvertent issue like making networks unusable or breaking your local connectivity by accident (something detecting public IPs and disabling a port or whatever) is worth the (presumably small) margin of people who will notice the funky looking address.

But at this point I'd have to agree, I am repeating myself, so I won't reiterate :blobCat_wink_tongue_out:​

@ljrk I think the freshmen CompSci may be the reason indeed. Considering that school, university, most sorts of academics in general will encourage or even require skimming texts. When people from that background arrive in tech and see actual good documentation it's probably the firnt time they read a text that's written to be read for information, not written to comply with academic standards.

25 Jun 2023 at 8:57 | Open on catcatnya.com
lj·rk replied to Katze

@benaryorg That's why I wouldn't put 1.2.3.4 in docs/example configs for... idk, a BGP router or something lol.

As I said, it really comes down to the target group, and if I get more confusing/questions about 192.0.2.0/24 and it holds up students or confuses them, I tend to use 1.2.3.4 (it's mostly oral lectures, although I hate giving lectures).

25 Jun 2023 at 9:18 | Open on todon.eu
Go Up