RE: NANOG 40 agenda posted
In the past we've used www6 for v6 only, www4 for v4 only, and www has both v6 and v4. Which works fine for you and me, but not for my mother. Which means it is an excellent suggestion for the transition phase into an IPv6 Internet. Since that happens to be where we are right now, IPv6 transition, this is an excellent all-round idea for all services and servers. We should adopt this as a best-practice. In a few years, when IPv6 is everywhere and your mother comes online with IPv6, then we will be out of the transition period and a new set of best practices comes into play. --Michael Dillon
Re: why same names, was Re: NANOG 40 agenda posted
On 30/05/2007, at 8:00 PM, Iljitsch van Beijnum wrote: I can't seem to reach www.ietf.org over IPv6 these days and I have to wait 10 seconds before I fall back to IPv4. What browser are you using that falls back? Does it require hints (i.e. unreachables, or similar) or does a timeout in TCP session establishment trigger it? Of course you can argue that the only way we'll be able to get to the ideal world is by forcing people to deal with the breakage so that it'll be fixed, but I'd point to Vijay's presentations. The problem is, if you're a large scale ISP, how many calls to your help desk will it take until your helpdesk staff says turn off IPv6? Not many. That's why we need to proceed with caution. But there is still time, making rash decisions based on the current situation would be a mistake. The IPv6 internet and applications grow more mature every year. The ball is in the ISP/NSP court at the moment. Here's why, which is really a really really brief summary of how I've read this thread, and my thoughts as it's progressed.
a) Vista and other systems try IPv6. If they think they can get IPv6 they'll (often) prefer AAAA records to A records. That's good, on the surface.
b) If (a) happens, and the endpoint referred to by the AAAA record isn't reachable, then the eyeball can't reach the content. Service is degraded.
c) Because of (b), content providers aren't going to turn on AAAA records.
So, it seems to me that the unreachable mentioned in (b) needs to be fixed. That's us, as network operators. Teredo relays/servers and 6to4 relays would be a good first step. Who here who runs an access network has either of these available for production use? If you do, what info can you share? Before someone starts it, the debate between transition protocols to use is well and truly over. Teredo and 6to4 have been chosen for use by the software vendors of the end systems.
(fine by me) If I were attending NANOG, I'd be more than happy to run workshops on how to deploy Teredo and 6to4, however I'm in New Zealand and flights are expensive. I'm sure there are people who have more operational experience with these than I do currently. Microsoft run both, perhaps someone from there can say a few words? Vista points to their Teredo server by default, so they'll definitely have some learnings from that, I'm sure. -- Nathan Ward
RE: IPv6 Advertisements
This assumes a single machine scanning, not a botnet of 1000 or even the 1.5m the Dutch gov't collected 2 yrs ago. Again, a sane discussion is in order. Scanning isn't AS EASY, but it certainly is still feasible, With 1.5 million hosts it will only take 3500 years... for a _single_ /64! I'm not sure that's what I would call feasible. I would call that not understanding today's security world. Scanning is not the primary mode of looking for vulnerabilities today. There are several more effective "come here and get infected" and "click on this attachment and get infected" techniques. What scanning that does go on today is usually not the "let's scan the Internet" kind. No money in it. You target your scans to the address ranges of the sites you are trying to mine (i.e. build BOTNETs) or go after.
Re: IPv6 Deployment (Was: Re: NANOG 40 agenda posted)
Donald Stahl wrote: If ARIN is going to assign /48's, and people are blocking anything longer than /32- well then that's a problem :) To be specific, ARIN is currently assigning up to /48 out of 2620::/23. I noticed that http://www.space.net/~gert/RIPE/ipv6-filters.html has the following entry in the strict list:
ipv6 prefix-list ipv6-ebgp-strict permit 2620::/23 ge 24 le 32
which is not particularly useful. It should be 'le 48' if the intent is to track RIR assignment policies. - Kevin
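The effect of the `le 32` bound discussed in the message above, as an added example that is not part of the original post: a small evaluator for `ge`/`le` prefix-list entries, run against the strict entry and the `le 48` variant the message proposes. The route prefixes are constructed for illustration, and the helper names (`parse_entry`, `evaluate`, `changed_verdicts`) are hypothetical.

```python
import ipaddress
import re
from typing import NamedTuple

class Entry(NamedTuple):
    action: str                  # "permit" or "deny"
    net: ipaddress.IPv6Network   # covering prefix
    lo: int                      # shortest accepted prefix length
    hi: int                      # longest accepted prefix length

ENTRY_RE = re.compile(
    r"ipv6 prefix-list (?P<name>\S+) (?:seq \d+ )?(?P<action>permit|deny) "
    r"(?P<prefix>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?\s*$"
)

def parse_entry(line):
    """Parse one 'ipv6 prefix-list' line into an Entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError("not a prefix-list entry: %r" % line)
    net = ipaddress.IPv6Network(m["prefix"])
    ge = int(m["ge"]) if m["ge"] else None
    le = int(m["le"]) if m["le"] else None
    if ge is None and le is None:
        lo = hi = net.prefixlen          # no ge/le: exact length only
    else:
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else 128
    if not net.prefixlen <= lo <= hi <= 128:
        raise ValueError("inconsistent ge/le in %r" % line)
    return Entry(m["action"], net, lo, hi)

def evaluate(entries, route):
    """First matching entry wins; no match is the implicit deny."""
    r = ipaddress.IPv6Network(route)
    for e in entries:
        if r.subnet_of(e.net) and e.lo <= r.prefixlen <= e.hi:
            return e.action
    return "deny"

def changed_verdicts(old, new, routes):
    """Routes whose verdict differs between two versions of a filter."""
    out = []
    for route in routes:
        before, after = evaluate(old, route), evaluate(new, route)
        if before != after:
            out.append((route, before, after))
    return out

# Entry as quoted in the message, and the 'le 48' variant it suggests.
STRICT = [parse_entry(
    "ipv6 prefix-list ipv6-ebgp-strict permit 2620::/23 ge 24 le 32")]
RELAXED = [parse_entry(
    "ipv6 prefix-list ipv6-ebgp-strict permit 2620::/23 ge 24 le 48")]

# Constructed announcements, not real assignments.
ROUTES = [
    "2620::/23",            # the covering block itself (shorter than ge 24)
    "2620:100::/32",        # /32 inside the block
    "2620:0:abc::/48",      # /48 inside the block
    "2620:0:abc:100::/56",  # longer than /48
    "2001:db8::/32",        # outside the block
]

if __name__ == "__main__":
    for route in ROUTES:
        print(route, evaluate(STRICT, route), evaluate(RELAXED, route))
    print(changed_verdicts(STRICT, RELAXED, ROUTES))
```

Only the /48 changes verdict between the two entries; the /56 and the out-of-block prefix stay denied under both.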
Re: 6bone space used still in the free (www.ietf.org over IPv6 broken) (Was: why same names, was Re: NANOG 40 agenda posted)
On Wed, 30 May 2007, Jeroen Massar wrote: [let me whine again about this one more time... *sigh*] [guilty parties in cc + public ml's so that everybody sees again that this is being sent to you so that you can't deny it... *sigh again*] Actually appreciated, as the only sessions with 3ffe link addresses (less than you can count on one hand) are with networks that haven't responded to previous emails from us to renumber, and hopefully now something will be done. It will all get sorted out anyway as we've recently completed a network wide core router upgrade and moved IPv6 into our core, and IPv6 BGP sessions over tunnels are deprecated and being replaced with native sessions. (BTW for observers, he isn't talking about 3ffe prefix announcements, he is talking about a left over 3ffe::/127 address used on a link.) BTW, here is our IPv6 peering information for anybody with an IPv6 BGP tunnel with us, we would be happy to migrate you to native sessions (send email to [EMAIL PROTECTED] to get sessions setup):
NAP             Status   Speed    IPv4             IPv6
---             ---      ---      ---              ---
EQUINIX-ASH     UP       10GigE   206.223.115.37   2001:504:0:2::6939:1
EQUINIX-CHI     UP       GigE     206.223.119.37   2001:504:0:4::6939:1
EQUINIX-DAL     UP       GigE     206.223.118.37   2001:504:0:5::6939:1
EQUINIX-LAX     UP       GigE     206.223.123.37   2001:504:0:3::6939:1
EQUINIX-SJC     UP       10GigE   206.223.116.37   2001:504:0:1::6939:1
LINX            UP       10GigE   195.66.224.21    2001:7f8:4:0::1b1b:1
LINX            UP       GigE     195.66.226.21    2001:7f8:4:1::1b1b:2
LoNAP           UP       GigE     193.203.5.128    2001:7f8:17::1b1b:1
AMS-IX          UP       10GigE   195.69.145.150   2001:7f8:1::a500:6939:1
NL-IX           UP       GigE     194.153.154.14   2001:7f8:13::a500:6939:1
PAIX Palo Alto  UP       10GigE   198.32.176.20    2001:504:d::10
NYIIX           UP       10GigE   198.32.160.61    2001:504:1::a500:6939:1
LAIIX           UP       GigE     198.32.146.50    2001:504:a::a500:6939:1
PAIX New York   PENDING
DE-CIX          PENDING
NOTA            PENDING
SIX             PENDING
Iljitsch van Beijnum wrote: On 30-May-2007, at 13:23, Nathan Ward wrote: I can't seem to reach www.ietf.org over IPv6 these days and I have to wait 10 seconds before I fall back to IPv4.
[..] I think what's going on is that packets from www.ietf.org don't make it back to my ISP. A ping6 or traceroute6 doesn't show any ICMP errors and TCP sessions don't connect so it's not a PMTUD problem. So it's an actual timeout. I also just started noticing this, that is, that it does not work. And there is a very simple explanation for this: 6bone space. As a lot of people might recall, the 6bone was shut down on 6/6/6. Still there are folks who are definitely not running anything operational or who care at all about the state of their network, if they did they would not be using it now would they? As this is what I found on the way from $US - $IE
7 2001:470:0:1f::2 112.131 ms 108.949 ms 108.316 ms
8 2001:470:0:9::2 109.864 ms 112.767 ms 111.586 ms
9 3ffe:80a::c 111.118 ms 86.010 ms 86.648 ms
10 2001:450:2001:1000:0:670:1708:1225 193.914 ms 194.640 ms 194.976 ms
And what do we see: 6bone space and still in use. As a lot of places correctly filter it out, the PMTU's get dropped, as they are supposed to be dropped. Just the same as you would expect to see if somebody was using 10.0.0.0/8 address space for a link. Similarly discouraged, though done on occasion. The whois.6bone.net registry is fun of course:
inet6num: 3FFE:800::/24
netname: ISI-LAP
descr: Harry Try IPv6
country: CA
Fortunately it still also has:
ipv6-site: ISI-LAP
origin: AS4554
descr: LAP-EXCHANGE Los Angeles
country: US
Which matches what GRH has on list for it: Bill. Now I have a very very very simple question: Can you folks finally, a year after the 6bone was supposed to be completely gone, renumber from out that 6bone address space that you are not supposed to use anymore? That most likely will resolve the issues that a lot of people are seeing. Or should there be another 6/6/7 date which states that de-peering networks which are still announcing/forwarding 6bone space should become into effect?
Would you similarly disconnect a nonresponsive customer because they used a /30 from RFC1918 space on a point to point link with you? BTW, I do agree that the links involved should be renumbered immediately. Considering we are in the business of providing connectivity, the thought of tearing down the session as opposed to gracefully getting rid of them didn't cross our mind. Of course, Neustar, who are hosting www.ietf.org, might also want to look for a couple of extra transit providers who can provide them with real connectivity to the rest of the world. That won't renumber Bill Manning's links
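The check described in the message above, as an added example that is not part of the original post: parse traceroute6 output and flag hops whose address lies in space that many networks filter, so ICMPv6 errors sourced from that hop may never arrive. The sample hops 7 to 10 are the ones quoted in the thread; hop 11 is constructed. The ranges other than 3ffe::/16 are a generalization added here, and the function names are hypothetical.

```python
import ipaddress

# 3ffe::/16 is the 6bone range discussed in this thread; the remaining
# ranges are added for this example as other space commonly filtered.
SUSPECT_RANGES = [
    (ipaddress.IPv6Network("3ffe::/16"), "6bone (phased out 2006-06-06, RFC 3701)"),
    (ipaddress.IPv6Network("fc00::/7"), "unique local (RFC 4193)"),
    (ipaddress.IPv6Network("fec0::/10"), "site-local (deprecated, RFC 3879)"),
    (ipaddress.IPv6Network("2001:db8::/32"), "documentation (RFC 3849)"),
]

def parse_hops(text):
    """Return [(hop_number, IPv6Address or None)] from traceroute6 output.

    Handles both 'N addr rtt ms ...' and 'N name (addr) rtt ms ...' lines;
    a hop that printed only '*' yields None for the address.
    """
    hops = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[0].isdigit():
            continue  # header line or blank
        addr = None
        for tok in fields[1:]:
            try:
                addr = ipaddress.IPv6Address(tok.strip("()"))
                break
            except ValueError:
                continue  # hostname, RTT value, 'ms' or '*'
        hops.append((int(fields[0]), addr))
    return hops

def classify(addr):
    """Label for an address in a suspect range, or None if it is fine."""
    for net, label in SUSPECT_RANGES:
        if addr in net:
            return label
    return None

def flag_hops(text):
    """Hops whose replies come from address space others may filter."""
    flagged = []
    for hop, addr in parse_hops(text):
        if addr is None:
            continue
        label = classify(addr)
        if label:
            flagged.append((hop, str(addr), label))
    return flagged

# Hops 7-10 as quoted in the thread; hop 11 is a constructed no-reply hop.
SAMPLE = """\
7 2001:470:0:1f::2 112.131 ms 108.949 ms 108.316 ms
8 2001:470:0:9::2 109.864 ms 112.767 ms 111.586 ms
9 3ffe:80a::c 111.118 ms 86.010 ms 86.648 ms
10 2001:450:2001:1000:0:670:1708:1225 193.914 ms 194.640 ms 194.976 ms
11 * * *
"""

if __name__ == "__main__":
    for hop, addr, label in flag_hops(SAMPLE):
        print("hop %d: %s is %s" % (hop, addr, label))
```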
RE: 6bone space used still in the free (www.ietf.org over IPv6 broken) (Was: why same names, was Re: NANOG 40 agenda posted)
I think what's going on is that packets from www.ietf.org don't make it back to my ISP. A ping6 or traceroute6 doesn't show any ICMP errors and TCP sessions don't connect so it's not a PMTUD problem. So it's an actual timeout. I also just started noticing this, that is, that it does not work. And there is a very simple explanation for this: 6bone space. We (OCCAID) had recently turned up peering with a few networks (including HE and others) and as a result our outbound path to HEAnet and other networks had changed. Some of the abrupt route changes are being corrected today evening and hopefully should resolve pMTU problems in reaching www.ietf.org. If you continue to experience trouble in reaching thru OCCAID via IPv6, please don't hesitate to drop me a line in private. Regards, James
Re: NANOG 40 agenda posted
On Wed, May 30, 2007 at 12:40:00PM -0700, Randy Bush wrote: This is a grand game of chicken. The ISPs are refusing to move first due to lack of content pure bs. most significant backbones are dual stack. you are the chicken, claiming the sky is falling. I'd have to say I agree. Even those networks that are saddled with lots of legacy gear are coming up with creative ways to deploy it (eg: 6PE). GX, FT, NTT(was verio), and lots of other carriers have IPv6 capabilities and the ability to deliver them in a global fashion. I'm leaving out a lot of folks i know, but the case in my mind is a lack of sufficient push or pull to create the required inertia to move things. Push -- ie: US Federal purchasing mandate impacts a small number of folks who can decipher the FAR. Pull -- user demand for their ipv6 pr0n. The same has been true of other failed or niche technologies such as multicast and IPv6. There are a lot of enterprises and NSPs that have solved these issues within their domain and they've scaled [so far]. I'd say that if your provider can't give you a reasonable answer on a date for some form of IPv6 support (even experimental, free, tunneled or otherwise) you will run into issues with them up to some point. I am a bit sympathetic to those that have to wait for stuff like upgraded DOCSIS and otherwise from their provider if they have the usual one or two providers at your home, but at the same time applying some pressure to them will help get a good deployment and may get you in on their beta or something else. - jared -- Jared Mauch | pgp key available via finger from [EMAIL PROTECTED] clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: dual-stack [was: NANOG 40 agenda posted]
I guess we have different definitions for most significant backbones. Unless you mean they have a dual-stack router running _somewhere_, say, for instance, at a single IX or a lab LAN or something. Which is not particularly useful if we are talking about a significant backbone. Rather than go back and forth- can we get some real data? Can anyone comment on the backbone IPv6 status of the major carriers? -Don
Re: DHCPv6 and stateless autoconf, was: NANOG 40 agenda posted
On Wed, May 30, 2007 at 09:10:02PM +0200, Iljitsch van Beijnum wrote: If you like DHCP, fine, run DHCP. But I don't like it, so please don't force _me_ to run it. OK, I can (and do) live with that. I tend to prefer technical reasons to choose a technology (and in so doing, hope to avoid throwing spaghetti at the wall), but if you'd rather base your decisions on what you like (or not), you have every right to do so. In my opinion there are a bulk of technical merits that place DHCPv6 ahead of RTadv. I don't like either protocol, but they're what we've got.
-- David W. Hankins, Software Engineer, Internet Systems Consortium, Inc.
"If you don't do it right the first time, you'll just have to do it again." -- Jack T. Hankins
Re: 6bone space used still in the free (www.ietf.org over IPv6 broken) (Was: why same names, was Re: NANOG 40 agenda posted)
James Jun wrote: I think what's going on is that packets from www.ietf.org don't make it back to my ISP. A ping6 or traceroute6 doesn't show any ICMP errors and TCP sessions don't connect so it's not a PMTUD problem. So it's an actual timeout. I also just started noticing this, that is, that it does not work. And there is a very simple explanation for this: 6bone space. We (OCCAID) had recently turned up peering with a few networks (including HE and others) and as a result our outbound path to HEAnet and other networks had changed. Some of the abrupt route changes are being corrected today evening and hopefully should resolve pMTU problems in reaching www.ietf.org. If you continue to experience trouble in reaching thru OCCAID via IPv6, please don't hesitate to drop me a line in private. Regards, James
that was quick, although I'm tunneling via freenet6.
[EMAIL PROTECTED]:/etc/ppp/peers$ traceroute6 www.ietf.org
traceroute to www.ietf.org (2610:a0:c779:b::d1ad:35b4) from 2001:5c0:8fff:::a5, 30 hops max, 16 byte packets
1 2001:5c0:8fff:::a4 (2001:5c0:8fff:::a4) 91.114 ms 90.643 ms 92.29 ms
2 freenet6.hexago.com (2001:5c0:0:5::114) 95.166 ms 102.207 ms 95.866 ms
3 if-5-0-1.6bb1.mtt-montreal.ipv6.teleglobe.net (2001:5a0:300::5) 89.454 ms 120.386 ms 92.113 ms
4 if-1-0.mcore3.mtt-montreal.ipv6.teleglobe.net (2001:5a0:300:100::1) 90.882 ms 92.495 ms 91.239 ms
5 if-13-0.mcore4.nqt-newyork.ipv6.teleglobe.net (2001:5a0:300:100::2) 96.672 ms 97.731 ms 97.782 ms
6 2001:5a0:400:200::1 (2001:5a0:400:200::1) 107.734 ms 96.951 ms 97.486 ms
7 2001:5a0:600:200::1 (2001:5a0:600:200::1) 107.223 ms 105.586 ms 103.39 ms
8 2001:5a0:600:200::5 (2001:5a0:600:200::5) 104.942 ms 106.728 ms 102.465 ms
9 2001:5a0:600::5 (2001:5a0:600::5) 107.945 ms 104.898 ms 103.782 ms
10 equinix6-was.ip.tiscali.net (2001:504:0:2::3257:1) 107.448 ms 109.082 ms 107.891 ms
11 equi6ix-ash.ipv6.us.occaid.net (2001:504:0:2:0:3:71:1) 223.532 ms 217.531 ms 218.709 ms
12 unassigned.in6.twdx.net (2001:4830:e6:d::2) 219.648 ms 221.496 ms 223.614 ms
13 stsc350a-eth3c0.va.neustar.com (2610:a0:c779::fe) 228.079 ms 227.053 ms 226.536 ms
14 www.ietf.ORG (2610:a0:c779:b::d1ad:35b4) 226.191 ms 227.959 ms 219.163 ms
regards, /virendra
Re: Microsoft and Teredo
I gotta say that until I saw your blog I had no idea my Windows Mobile phone spoke v6. Very cool. Sean Siler wrote: I understand some questions recently arose regarding Microsoft and Teredo. I tried reading through the archives but it has more twists than Pacific Coast Highway. Are there some specific requests/questions that I can help with? Best Regards, Sean Siler Sean Siler|IPv6 Program Manager|Microsoft [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] | 703.485.1170 http://blogs.technet.com/ipv6 IPv6 is ready. Are you?
Re: dual-stack [was: NANOG 40 agenda posted]
I've been trying to collect the info about services (including ISPs and transit providers) and products (software and hardware) that say they offer IPv6 (still in the phase of verifying one by one, but almost done!). It is still not complete, but I think it provides a good picture. http://www.ipv6-to-standard.org/ Just a few examples: You can type ISP in the free search box, or TLD, or load balancer. Regards, Jordi
From: Donald Stahl [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Wed, 30 May 2007 16:07:19 -0400 (EDT) To: Patrick W. Gilmore [EMAIL PROTECTED] CC: nanog@nanog.org Subject: Re: dual-stack [was: NANOG 40 agenda posted]
I guess we have different definitions for most significant backbones. Unless you mean they have a dual-stack router running _somewhere_, say, for instance, at a single IX or a lab LAN or something. Which is not particularly useful if we are talking about a significant backbone. Rather than go back and forth- can we get some real data? Can anyone comment on the backbone IPv6 status of the major carriers? -Don
** The IPv6 Portal: http://www.ipv6tf.org Bye 6Bone. Hi, IPv6 ! http://www.ipv6day.org This electronic message contains information which may be privileged or confidential. The information is intended to be for the use of the individual(s) named above. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, including attached files, is prohibited.
Re: Microsoft and Teredo
Hi Nathan, I can probably talk about our own experience ... We started running Teredo Server+Relay in the Windows 2003 implementation around 3-4 years ago (not completely sure right now). Unfortunately, when the Service Pack (SP1 I think) was released, stopped working. Until then it was working perfectly, not any issue. Then we moved to a Linux with Miredo, and it has been working since then, first with the 6Bone prefix from Microsoft, then on 6/6/2006, we moved to the RFC one, 2001::/32. No issues at all. Regards, Jordi
From: Nathan Ward [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Thu, 31 May 2007 10:44:10 +1200 To: Nanog nanog@nanog.org Subject: Re: Microsoft and Teredo
On 31/05/2007, at 5:40 AM, Sean Siler wrote: I understand some questions recently arose regarding Microsoft and Teredo. I tried reading through the archives but it has more twists than Pacific Coast Highway. Are there some specific requests/questions that I can help with? Probably, yeah. From another post by Michael Dillon: Since we are all collectively playing catchup at this point, it would be very useful for some clear guidance on who needs to deploy Teredo and 6to4 and where it needs to be deployed. Also, the benefits of deployment versus the problems caused by not having it. Should this be in every PoP or just somewhere on your network? Are there things that can be measured to tell you whether or not lack of Teredo/6to4 is causing user problems? Maybe you can provide operational experience from running the Teredo servers and relays that Microsoft host? Do you host them just at Microsoft or do you also have some inside ISPs? Have you done any work to help/advise on deploying Teredo servers/relays in to ISPs? Any learnings from that that you can share? What about corporate networks? That oughta get you started :-) -- Nathan Ward
Re: Microsoft and Teredo
On 31/05/2007, at 10:52 AM, JORDI PALET MARTINEZ wrote: Hi Nathan, I can probably talk about our own experience ... We started running Teredo Server+Relay in the Windows 2003 implementation around 3-4 years ago (not completely sure right now). Unfortunately, when the Service Pack (SP1 I think) was released, stopped working. Until then it was working perfectly, not any issue. Then we moved to a Linux with Miredo, and it has been working since then, first with the 6Bone prefix from Microsoft, then on 6/6/2006, we moved to the RFC one, 2001::/32. No issues at all. Where does it live in your network, at each POP, or just in a datacenter somewhere? In fact, what kind of network are you? (content, transit, access) How have you configured clients to talk to your Teredo server instead of the default MS one? How do you get to the world? Native IPv6 or tunnels? Has it improved reachability/reliability of dual stack or v6-only content? How do you know? Any thoughts about how content providers could use Teredo servers/relays to improve their connectivity? -- Nathan Ward
Re: IPv6 Deployment
what problem is it that IPv6 is actually supposed to solve? that's an easy one. in 1993-5, the press was screaming that we were about to run out of ip space. a half-assed design was released. the press stopped screaming. victory was declared, everyone went home. and, as usual, ops and engineering get to clean up the disaster. randy
Re: IPv6 Deployment
Most of those features were completely gone by 1995 TLAs et alia lasted until 2000+. and i think anycast is still broken, though we can at least ignore it and use v4-style anycast, which turns out to be what we need. leaving larger address space as the sole practical benefit and no actual transition plan. This wisdom of this approach is questionable at best, and I'll admit to being part of the team that went along... well, you get two points for copping to it. i lay on the train tracks and was squashed. i take the arin proclamation as a problem is looming. the solution space is not as appealing as we might wish. the time to figure out the transition plan is now. don't expect arin to figure it out for you. i like 40 more bits as well as the next geek. but how the hell do we get from here to there? either we sort out how a v6-only site gets to the internet, there is still ipv4 space at every site and all that implies, or the users are screwed. randy
Re: IPv6 Deployment
i think anycast is still broken, though we can at least ignore it and use v4-style anycast, which turns out to be what we need. recant i am told by a good friend who lurks that this was actually fixed a year or two ago. a team of ops-oriented folk were sufficiently persistent and strident to get it fixed. randy
Re: IPv6 Deployment
At 6:28 PM -0700 5/30/07, Randy Bush wrote: well, you get two points for copping to it. i lay on the train tracks and was squashed. Well, I became a contentious objector... (RFC1669). One can confirm a real sense of humor to the cosmos, because I now get to be lead advocate for the very scenario I noted back then really might not be viable... :-) i like 40 more bits as well as the next geek. but how the hell do we get from here to there? either we sort out how a v6-only site gets to the internet, there is still ipv4 space at every site and all that implies, or the users are screwed. We aggressively work on getting little Internet content sites (aka the 'servers' of new Internet endsites) reachable via IPv6, whether by native IPv6 to endsite, tunnel to endsite, or tunnel transition mechanism within the ISP. ISPs need to take the lead on this for now new sites, by actively promoting IPv6 with IPv4 connections. Doing that, plus the significant effort of IPv6 backbone work is serious work. Big content providers have to figure out how to do native IPv6 (or fake it really well) before the first IPv6-only user arrives... Their readiness has to be 100% on that day (or the day they can't themselves obtain additional IPv4 space), but it's fairly academic until that point. /John
Re: IPv6 Deployment
On Wed, 30 May 2007 18:52:12 PDT, Randy Bush said: i think anycast is still broken, though we can at least ignore it and use v4-style anycast, which turns out to be what we need. recant i am told by a good friend who lurks that this was actually fixed a year or two ago. a team of ops-oriented folk were sufficiently persistent and strident to get it fixed. Fixed as in new RFC released, or New IOS shipped that DTRT, or Most sites have actually *deployed* the new code?