Re: Youtube CDN unreachable over IPv6
On 6-11-2015 at 19:17, Christopher Schmidt via NANOG wrote:
> Hi all,
>
> Thanks for the reports.
>
> To the best of our knowledge, this issue has been resolved at this
> time. If you are still having problems connecting to YouTube CDN
> nodes, please feel free to let me know, and I will investigate
> further.

It's here again since this Tuesday.

lsintra:~# host r2---sn-8xgn5uxa-i5he.googlevideo.com
r2---sn-8xgn5uxa-i5he.googlevideo.com is an alias for r2.sn-8xgn5uxa-i5he.googlevideo.com.
r2.sn-8xgn5uxa-i5he.googlevideo.com has address 62.214.62.205
r2.sn-8xgn5uxa-i5he.googlevideo.com has IPv6 address 2001:1438:1:2::d

lsintra:~# telnet 62.214.62.205 443
Trying 62.214.62.205...
Connected to cache.google.com (62.214.62.205).
Escape character is '^]'.
^]
telnet> quit
Connection closed.

lsintra:~# telnet 2001:1438:1:2::d 443
Trying 2001:1438:1:2::d...
^]quit
^]^[^]^C
lsintra:~#

Is it possible for Google to realize some form of internal monitoring to catch these defunct dual stack nodes?

Kind regards,

Seth

> On Fri, Nov 6, 2015 at 12:48 PM, Blair Trosper <blair.tros...@gmail.com> wrote:
>> This was happening two weeks ago in the Bay Area as well. It happens quite
>> a lot, actually...search for my old threads. I gave up trying to get it
>> noticed.
>
> Blair,
>
> I'm not aware of a similar issue with IPv6 being unavailable while
> IPv4 is available recently.
>
> I did not see any threads with information in them with the name
> "Blair" attached in either the October archive
> (http://mailman.nanog.org/pipermail/nanog/2015-October/thread.html) or
> the September archive
> (http://mailman.nanog.org/pipermail/nanog/2015-September/thread.html).
>
> If this issue is ongoing, I would be happy to look into this;
> otherwise, I don't believe there is any action I can take to assist at
> this time.
>
> All the best.
>
>>> * seth@dds.nl (Seth Mos) [Fri 06 Nov 2015, 09:00 CET]:
>>>> Dear Google,
>>>>
>>>> It appears that one of the Youtube CDNs (in Europe, NL) is not
>>>> reachable over IPv6 from AS 20844. Can someone get back to us on this,
>>>> the company can't access any of the videos currently, although the
>>>> mainpage loads fine (over IPv6).
>>>>
>>>> Kind regards,
>>>>
>>>> Seth
>>>>
>>>> telnet r6---sn-5hne6n76.googlevideo.com 443
>>>> Trying 2a00:1450:401c:4::b...
>>>> telnet: connect to address 2a00:1450:401c:4::b: Connection timed out
>>>> Trying 74.125.100.203...
>>>> Connected to r6.sn-5hne6n76.googlevideo.com (74.125.100.203).
>>>> Escape character is '^]'.
>>>> Connection closed by foreign host.
>>>>
>>>> telnet www.youtube.com 443
>>>> Trying 2a00:1450:4013:c01::5d...
>>>> Connected to youtube-ui.l.google.com (2a00:1450:4013:c01::5d).
>>>> Escape character is '^]'.
>>>> Connection closed by foreign host.
Re: Youtube CDN unreachable over IPv6
On 14-1-2016 at 16:37, valdis.kletni...@vt.edu wrote:
> On Thu, 14 Jan 2016 16:04:54 +0100, Seth Mos said:
>
>> lsintra:~# telnet 62.214.62.205 443
>
>> lsintra:~# telnet 2001:1438:1:2::d 443
>
>> Is it possible for Google to realize some form of internal
>> monitoring to catch these defunct dual stack nodes?
>
> A traceroute to both would help greatly in determining whether it's
> really Google's fault, or if your ipv6 routing is borked.

I can reach the rest of the Google IPv6 services over IPv6, the player loads, but the video stream does not. I've pasted the traceroute below.

seth@ratchet:~$ traceroute 62.214.62.205
traceroute to 62.214.62.205 (62.214.62.205), 30 hops max, 60 byte packets
 1  edge-c2f.coltex.nl (91.227.27.41)  88.901 ms  88.932 ms  89.008 ms
 2  91.227.27.3 (91.227.27.3)  0.522 ms  0.568 ms  0.628 ms
 3  90-145-28-101.network.unet.nl (90.145.28.101)  2.104 ms  3.673 ms  3.665 ms
 4  dus002isp005.versatel.de (80.249.209.109)  11.773 ms  11.612 ms  11.594 ms
 5  10g-9-4.esn001isp005.versatel.de (62.214.110.234)  12.181 ms  12.306 ms  12.416 ms
 6  ge-05-01-803.dor002isp005.versatel.de (62.214.111.26)  12.174 ms  ge-5-1-853.dor002isp006.versatel.de (62.214.111.30)  12.252 ms  ge-05-01-803.dor002isp005.versatel.de (62.214.111.26)  12.069 ms
 7  dor2is2.versatel.de (62.214.104.170)  13.174 ms  fra20ip6.versatel.de (62.214.104.174)  12.954 ms  13.159 ms
 8  10g-9-4.hhb002isp005.versatel.de (62.214.110.110)  18.732 ms  10g-8-4.hhb002isp005.versatel.de (62.214.110.122)  19.051 ms  18.653 ms
 9  * * *

seth@ratchet:~$ traceroute 2001:1438:1:2::d
traceroute to 2001:1438:1:2::d (2001:1438:1:2::d), 30 hops max, 80 byte packets
 1  * * cltx-gw.coltex.nl (2001:67c:226c:ff00::1)  4.302 ms
 2  2001:67c:226c:ff01::3 (2001:67c:226c:ff01::3)  0.418 ms  0.418 ms  0.451 ms
 3  2a02:120:0:200::3:1 (2a02:120:0:200::3:1)  2.205 ms  2.376 ms  2.360 ms
 4  dus002isp005.versatel.de (2001:7f8:1::a500:8881:1)  11.594 ms  11.364 ms  11.523 ms
 5  2001:1438:0:1::4e2 (2001:1438:0:1::4e2)  12.522 ms  2001:1438:0:1::212 (2001:1438:0:1::212)  12.704 ms  2001:1438:0:1::222 (2001:1438:0:1::222)  12.676 ms
 6  2001:1438:0:1::2a2 (2001:1438:0:1::2a2)  63.452 ms  2001:1438:0:1::2b2 (2001:1438:0:1::2b2)  63.572 ms  2001:1438:0:1::2a2 (2001:1438:0:1::2a2)  63.538 ms
 7  2001:1438:0:1::112 (2001:1438:0:1::112)  13.318 ms  13.225 ms  2001:1438:0:1::522 (2001:1438:0:1::522)  13.087 ms
 8  2001:1438:0:1::92 (2001:1438:0:1::92)  18.879 ms  2001:1438:0:1::172 (2001:1438:0:1::172)  19.088 ms  2001:1438:0:1::92 (2001:1438:0:1::92)  18.959 ms
 9  * * *
Re: Broadband Router Comparisons
Smallnetbuilder.com has quite a few models of routers tested, which is decent. I've bugged them about IPv6 testing before but not too much progress there. Power consumption is not listed either, which can be as expensive as the router itself at 21 cents per kWh.

Regards,

Seth

Original message
From: Lorell Hathcock
Date: 24-12-2015 03:49 (GMT+01:00)
To: nanog@nanog.org
Subject: Broadband Router Comparisons

All:

Not all consumer grade customer premises equipment is created equally. But end customers sure think it is. I have retirement aged customers buying the crappiest routers and then blaming my cable network for all their connection woes.

The real problem is that there were plenty of problems on the cable network to deal with, so it was impossible to tell between a problem that a customer was having with their CPE versus a real problem in my network. Much of that has been cleared up on my side now, but customers were used to blaming us for everything so that they don't even consider that their equipment could be to blame.

I want to be able to point out a third party list of all (most) broadband routers that rates them by performance. Or that rates them by crappiness that I can send them to so they can look up their own router and determine if other users have had problems with that router and what can be done to fix it.

So far my search has been in vain. Any thoughts?

Thanks in advance.

Lorell Hathcock

Sent from my iPad
Re: Google Chrome 47.0.2526.73M broken NTLM proxy authentication
A quick update, Google Chrome engineering did cut a new release with a fix for this but it's not available yet.

https://code.google.com/p/chromium/issues/detail?id=544255

The current workaround is to shrink your return headers smaller than 4096 bytes to prevent the authentication popup. Get ready for a rough Monday morning, we've already had to field quite a few calls, and the GPO policy doesn't work, yay.

Dear Google, your internet browser doesn't browse the internet, please make haste.

Kind regards,

Seth

On 3-12-2015 at 9:04, Seth Mos wrote:
> Dear Google,
>
> As of Dec 2nd the Google Chrome 47.0.2526.73M breaks NTLM proxy
> authentication. This is unfortunate as nobody can get off the company
> network now, which is secure I suppose, but not quite what I had in mind.
>
> https://productforums.google.com/forum/#!topic/chrome/G_9eXH9c_ns;context-place=forum/chrome
>
> So if anybody gets called that Google Chrome is throwing a
> username/password prompt for every website you try, listing the website
> as the authentication domain, instead of the proxy server, this is for you.
>
> If you are ahead of the curve, you can make a GPO to disable Chrome
> updates for the time being until this is fixed. If the browser already
> updated, well, sorry.
>
> Kind regards,
>
> Seth
Google Chrome 47.0.2526.73M broken NTLM proxy authentication
Dear Google,

As of Dec 2nd the Google Chrome 47.0.2526.73M breaks NTLM proxy authentication. This is unfortunate as nobody can get off the company network now, which is secure I suppose, but not quite what I had in mind.

https://productforums.google.com/forum/#!topic/chrome/G_9eXH9c_ns;context-place=forum/chrome

So if anybody gets called that Google Chrome is throwing a username/password prompt for every website you try, listing the website as the authentication domain, instead of the proxy server, this is for you.

If you are ahead of the curve, you can make a GPO to disable Chrome updates for the time being until this is fixed. If the browser already updated, well, sorry.

Kind regards,

Seth
Youtube CDN unreachable over IPv6
Dear Google,

It appears that one of the Youtube CDNs (in Europe, NL) is not reachable over IPv6 from AS 20844. Can someone get back to us on this, the company can't access any of the videos currently, although the mainpage loads fine (over IPv6).

Kind regards,

Seth

telnet r6---sn-5hne6n76.googlevideo.com 443
Trying 2a00:1450:401c:4::b...
telnet: connect to address 2a00:1450:401c:4::b: Connection timed out
Trying 74.125.100.203...
Connected to r6.sn-5hne6n76.googlevideo.com (74.125.100.203).
Escape character is '^]'.
Connection closed by foreign host.

telnet www.youtube.com 443
Trying 2a00:1450:4013:c01::5d...
Connected to youtube-ui.l.google.com (2a00:1450:4013:c01::5d).
Escape character is '^]'.
Connection closed by foreign host.
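The thread asks whether dual-stack CDN nodes whose IPv6 side is dead could be caught by monitoring. The probe below is an added example and not code from any message in this thread or from Google: it resolves a node's A and AAAA records, attempts a TCP handshake on port 443 to each address, and classifies the node, flagging the "IPv4 answers, IPv6 does not" state seen in the telnet sessions above. The connector is injectable so the classification can be exercised without network access; the hostname and addresses are the ones quoted in the thread.

```python
"""Dual-stack reachability probe for a CDN node (added example, not from the thread)."""
import socket
from typing import Callable, Dict, List

# Signature of a connection attempt: (address, port, timeout) -> reachable?
Connector = Callable[[str, int, float], bool]


def tcp_connect(addr: str, port: int, timeout: float = 5.0) -> bool:
    """Try a TCP handshake to addr:port. True on success, False on timeout or refusal."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect((addr, port))
            return True
    except OSError:
        return False


def resolve_both(hostname: str) -> List[str]:
    """Return every A and AAAA address for hostname (the resolver follows CNAMEs)."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def probe(addresses: List[str], port: int = 443, timeout: float = 5.0,
          connect: Connector = tcp_connect) -> Dict[str, bool]:
    """Probe each address once; the connector is injectable for offline testing."""
    return {addr: connect(addr, port, timeout) for addr in addresses}


def classify(results: Dict[str, bool]) -> str:
    """Summarise a node's state from per-address probe results.

    ok         every address family that is present answered
    broken-v6  IPv4 answered, IPv6 is present but dead (the case in this thread)
    broken-v4  the mirror image
    down       nothing answered
    """
    v4 = [ok for addr, ok in results.items() if ":" not in addr]
    v6 = [ok for addr, ok in results.items() if ":" in addr]
    v4_ok, v6_ok = any(v4), any(v6)
    if v4 and v6:
        if v4_ok and not v6_ok:
            return "broken-v6"
        if v6_ok and not v4_ok:
            return "broken-v4"
    if not v4_ok and not v6_ok:
        return "down"
    return "ok"


def check_node(hostname: str, port: int = 443, timeout: float = 5.0,
               connect: Connector = tcp_connect) -> str:
    """Resolve and probe a hostname, returning one of the classify() states."""
    return classify(probe(resolve_both(hostname), port, timeout, connect))


if __name__ == "__main__":
    # The node named in the thread; this part needs live DNS and network access.
    node = "r2---sn-8xgn5uxa-i5he.googlevideo.com"
    addrs = resolve_both(node)
    res = probe(addrs)
    for addr in addrs:
        print(f"{addr:40} {'open' if res[addr] else 'unreachable'}")
    print("state:", classify(res))
```

Run periodically against each CDN node name a network cares about, a "broken-v6" result is the signal the thread was missing; clients with Happy Eyeballs will silently fall back to IPv4, so the failure never shows up in user complaints.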
Re: another tilt at the Verizon FIOS IPv6 windmill
Ricky Beam wrote on 18-7-2015 at 1:14:
> On Fri, 17 Jul 2015 06:25:26 -0400, Christopher Morrow morrowc.li...@gmail.com wrote:
>> mean that your UBee has to do dhcpv6? (or the downstream thingy from the UBee has to do dhcpv6?)
>
> The Ubee router is in bridge mode. Customers have ZERO access to the thing, even when it is running in routed mode. So I have no idea what it's trying to do. All I can say is no RAs are coming from it (through it/whatever) It *could* be it's blocking it -- it's multicast, so who knows what it's doing with it. Without RAs, nothing connected to it will even attempt IPv6 -- the RA being the indicator to use DHCP or not, and who's the router. And further, when I tell my Cisco 1841 to do DHCP anyway, I get no answer. So, the blanket statement that it's ready isn't true.

For a point of interest, the Ubee 320 and 321 wireless routers/modems are in use by Ziggo in the Netherlands. Although they've rolled back the 320 modems to an older firmware, the 321 is still active on their IPv6 rollout. The problems were not strictly related to IPv6 per se, but the newer firmware broke Voice on these all-the-things-in-one devices. The 321 appears to be unaffected and is still active, although in just a few regions at this point of the rollout.

What's very specific about this rollout in relation to the above, is that Ziggo is currently only supporting IPv6 with the Ubee in router mode (with the wifi hotspot). The good news is that it also operates a DHCP-PD server so that you can connect your own router to the Ubee and still get IPv6 routed to you out of the /56 allocated to the customer.

For now, all the customers with the Ubee in bridge mode are SOL. It's not clear what the reason is, but Ubee in bridge mode with IPv6 is listed on the road map. If that's intentional policy or that the firmware isn't ready yet is not clear at this point.

Regards,

Seth
Re: Remember Internet-In-A-Box?
So, if I get this right. The problem is not quite as bad to fix. It just needs a dnscache/dnsproxy process bound to the ipv4 localhost that uses the ipv6 dns server. Basically what dnsmasq does.

Biggest problem is that it wouldn't follow autoconfigure and thus require manual intervention. That is a no go for dynamic networks of any sort.

Cheers

Original message
From: Owen DeLong o...@delong.com
Date: 16-07-2015 08:51 (GMT+01:00)
To: Mark Andrews ma...@isc.org
Cc: nanog@nanog.org
Subject: Re: Remember Internet-In-A-Box?

On Jul 15, 2015, at 19:32, Mark Andrews ma...@isc.org wrote:
> In message 55a682e6.1050...@matthew.at, Matthew Kaufman writes:
>> On 7/14/2015 11:22 PM, Mark Andrews wrote:
>>> Yet I can take a Windows XP box. Tell it to enable IPv6 and it just works. Everything that a node needed existed when Windows XP was released. The last 15 years has been waiting for ISP's and CPE vendors to deliver IPv6 as a product. This is not to say that every vendor deployed all the parts of the protocol properly but they existed.
>>
>> This is only true for dual-stacked networks. I just tried to set up an IPv6-only WiFi network at my house recently, and it was a total fail due to non-implementation of relatively new standards... starting with the fact that my Juniper SRX doesn't run a load new enough to include RDNSS information in RAs, and some of the devices I wanted to test with (Android tablets) won't do DHCPv6.
>
> You can blame the religious zealots that insisted that everything DHCP does has to also be done via RA's. This means that everyone has to implement everything twice. Something Google should have realised when they released Android.

Actually, no. In this case, the problem isn't the things RA does, but the things his implementation of RA doesn't do (RDNSS). Without RDNSS, android would still be brain-damaged and unable to figure out what an IPv6 nameserver is. The only way it would be able to talk to the IPv6 internet was if it got nameservers from DHCP4.

At least with RDNSS, a thin lightweight client can get nameservers on IPv6. At least with RDNSS, a network administrator that doesn't want to have to do DHCPv6 doesn't have to in most cases.

>> The XP box is in an even worse situation if you try to run it on a v6-only network.
>
> Which is fixable with a third party DHCPv6 client / manual configuration of the nameservers.

Nope… XP's resolver is utterly and completely incapable of transmitting an IPv6 DNS request. You _HAVE_ to have an IPv4 resolver reachable to the box or forego any idea of using DNS.

Owen
Re: 'gray' market IPv4
We had the same thing finding a broker for a /24 PI in the RIPE region. Not all of the brokers have the size you want, e.g. a /20 when you need a /24. It ends up being between 2500 to 4000 euros depending on notary fees and if you already have a LIR agreement.

Cheers

Original message
From: Nicholas Warren nwar...@barryelectric.com
Date: 14-07-2015 15:19 (GMT+01:00)
To: nanog@nanog.org
Subject: 'gray' market IPv4

Where is one of these v4 markets that we can buy some IPv4 space from? I would prefer to have a place where we could see recent transactions, something along the lines of x amount of addresses for y amount of monies. Google search is failing me for some reason..

- Thanks,
Nich
Re: Dual stack IPv6 for IPv4 depletion
Meanwhile, I'm sitting here on a patio at a cafe on Samos, Greece. And the free wifi gives me native v6 to my tablet and phone without any intervention. Test-ipv6.com tells me that the score is 10/10 and all the google bits just work.

So, surely it just works. I wish we had it this easy in the Netherlands. There, sales still asks, what for (Vodafone fiber).

Cheers,

Seth

Sent from Samsung tablet

Original message
From: Karl Auer ka...@biplane.com.au
Date: 10-07-2015 14:16 (GMT+01:00)
To: NANOG List nanog@nanog.org
Subject: Re: Dual stack IPv6 for IPv4 depletion

On Fri, 2015-07-10 at 02:08 -0400, Ricky Beam wrote:
> And planning for a future that doesn't happen because you're too caught up in *planning* that future is irrelevant, too.

Advocating for fewer limits is not planning. It's the opposite of it. It's about retaining more flexibility - as a matter of principle.

> And in ~15 years when they have a jobs, they can change what we built. (assuming ever let the paint dry long enough to use it.)

We've had twenty years to implement IPv6 and golly haven't we done a great job? I suppose we could all hope that our kids will be less hopeless than we have been. Still... I'd prefer to leave them something that is easier to change and improve than the last thing we built.

> IPv6 will never get there until it, too, just works.

No - so why do so many people just keep on and on moaning about how IPv6 doesn't just work, forgetting that once upon a time IPv4 didn't just work either? Getting there and just working are two things that have to be developed together. One doesn't follow the other, they both become true side by side, or neither happens at all.

Regards, K.

--
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
Old fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882
Re: Dual stack IPv6 for IPv4 depletion
Residential users just buy another router for wifi coverage at the local Walmart. They have no clue about anything internet. That is why ISP CPE devices should always perform DHCP-PD on their own to provide a prefix to the downstream devices so those have globally routed IPv6 too.

For that to work you need concepts like route aggregation in the form of a /48 for the CPE so it can hand out a /56 to the customer bought CPE.

Seth

Original message
From: Mike Hammett na...@ics-il.net
Date: 09-07-2015 04:03 (GMT+01:00)
To: nanog@nanog.org
Subject: Re: Dual stack IPv6 for IPv4 depletion

I wasn't aware that residential users had (intentionally) multiple layers of routing within the home. I'm also not sure what address length has to do with routability, other than networks filtering prefix lengths. If that's an issue, that customer is covered by the ISP's larger allocation, or they get their own PI space if they're BGPing.

-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest Internet Exchange
http://www.midwest-ix.com

- Original Message -
From: Karl Auer ka...@biplane.com.au
To: nanog@nanog.org
Sent: Wednesday, July 8, 2015 8:36:41 PM
Subject: Re: Dual stack IPv6 for IPv4 depletion

On Wed, 2015-07-08 at 19:57 -0500, Mike Hammett wrote:
> Isn't /56 the standard end-user allocation?

No - it's just a common one. And a bad one. /48s for all opens up a whole different world of end-user reachability, routability and flexibility that a mere /56 does not.

Regards, K.

--
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
Old fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882
Re: Youtube / IPv6 / Netherlands
Marco Davids wrote on 25-6-2015 at 14:33:
> Hi,
>
> Would anyone from Google care to explain to me off-list why certain Youtube-content is blocked in the Netherlands while using IPv6 when it is working fine via IPv4? Geolocation imperfections perhaps?
>
> The IPv6-address is within 2a02:a47f:e000::/36 (actually, it is: 2a02:a444:443b:0::::)

To add to Marco,

The entire 2a02:a400::/25 prefix is used by KPN Netherlands for consumer and small business DSL internet.

http://bgp.he.net/ip/2A02:A400:C17F:0::

Kind regards,

Seth
Re: Youtube / IPv6 / Netherlands
On 25 Jun 2015, at 16:44, Max Tulyev max...@netassist.ua wrote:
> Hi,
>
> +1. Our 2a01:d0::/32 is floating by Google's geo all around the world, it was Iran, now it is Russia... and I can't do anything with it, and have no human contact in Google for complaint.

That sounds like a software problem where it does not match anything in the database and then proceeds to return the last known value of the variable. :/

That's even worse than saying "We don't know".

Regards,

Seth

> On 25.06.15 15:33, Marco Davids wrote:
>> Hi,
>>
>> Would anyone from Google care to explain to me off-list why certain Youtube-content is blocked in the Netherlands while using IPv6 when it is working fine via IPv4? Geolocation imperfections perhaps?
>>
>> The IPv6-address is within 2a02:a47f:e000::/36 (actually, it is: 2a02:a444:443b:0::::)
>>
>> Thank you.
Re: Recommended 10GE ISCSI SAN switch
Paul S. wrote on 12-5-2015 at 15:36:
> Hi guys,
>
> We're shortly going to be getting some 10G SANs, and I was wondering what people were using as SAN switches for 10G SANs.

In one location an HP Procurve 8212zl with 8 SFP+ module, and an 8Gbe module. Here I'm using a Dell EQL PS6210 SSD cabinet and 24 SATA disk EQL cabinet on 10G.

In another location on a budget a Netgear M7100 24X with a Dell EQL PS6010 with Intel S3500 800GB SSDs.

In both locations the switches appear to be doing fine in combination with VMware ESXi 5.5 and Intel X540-2 cards.

> It is my understanding that low buffer sizes make most 'normal' 10G ethernet switches unsuitable for the job.

Not so sure on that, opinions vary a lot here. Similar to the stance on Flow Control where one vendor will advocate using it and another advocates against it. If you only have a single link, then Flow control will sleep the connection which can impact your performance with a higher Queue depth. For multiple 1G links the impact is of course a lot less overall.

If you are going to invest in a new SAN make sure to ditch spinning rust, it's the biggest breakthrough in storage since a while and it's a factor of a *lot*. The price doesn't break the bank either, the Dell EQL 6110 was out of warranty, retail value around $3500 US. The 18 Intel S3500 SSDs were about 11k euro (16 + 2 spare). In raid 6 that's a good 10TB of storage. It's a shame that SAN HQ keeps emailing us once a day that the drives are not original ;)

With that sheer amount of space it's going to take a while before it ever breaks (wears out). It'll be out of service long before then.

Also, you can max out a single 10G link with about 4-6 recent SSDs, so smaller cabinets with more uplinks make all the sense. In that respect the newer cabinets (Dell EQL PS6210) with 24 drives and just 2 10Ge uplinks are a bit odd. Still, it's nice to do 300-400MB/s in a VM on a 5 year old ESX on a dime.

> :)
>
> We're pretty much an exclusive Juniper shop, but are not biased in any way -- best tool for the job is what I've been tasked with to find. Keeping that in mind, how would something like a EX4550 fare in the role? Are there better devices in the same price range?

If the switches work for you and you are comfortable with them I'd count that as a better argument. Only budget switches are likely to cause you real grief here.

Kind regards,

Seth
Re: Frontier: Blocking port 22 because of illegal files?
Stephen Satchell wrote on 26-3-2015 at 12:24:
> On 03/25/2015 07:31 PM, Aaron C. de Bruyn wrote:
>> After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.
>
> It's been a while since I did this, but you can select an additional port to accept SSH connections. A Google search indicates you can specify multiple ports in OpenSSH. Picking the right port to use is an exercise, though, that will depend on what other services you are running on your server.
>
> People with sane ISPs can use the standard port. People on Frontier can use the alternate port, which shouldn't be firewalled by the provider. If Frontier is running a mostly-closed firewall configuration, then you have to be damn careful about the port you select.

Ahem, just to clarify, he is not talking about inbound on the Frontier connection, but outbound *from* the Frontier network. Akin to the Let's block outbound port 25 (smtp). This is just a really really bad idea m'kay.

Cheers
Re: Recommended wireless AP for 400 users office
On 29 Jan 2015, at 17:18, Tyler Mills tylermi...@gmail.com wrote:
> Most of the issues are related to firmware. Most of my UBNT experience was with the UAP-Pro and the UAP-AC, and it wasn't a good experience. Production firmwares seem to be of beta quality.

It's meh, but it's good enough. Getting wifi "right" is really hard considering the sheer amount of different hardware, network stacks etc.

> For features, they can't compete with Ruckus. One thing I can think of off the top of my head is support for tagging management on its own VLAN and tagging wired traffic onto another. If you were to implement this on the UBNT products you would have to SSH into every single one and implement the features as you would on a linux box, and it might work. Ruckus, you configure the VLAN's how you would want through the Zonedirector or the AP's GUI and it will just work.

That's not true in my experience. Fyi, I just setup a new site here using the Unifi Pro APs and I've been doing the reverse. Management is untagged, and tag all the traffic VLANs. That works just fine, have been doing that since 2013. The networks are all plain WPA2, but most devices on our wifi seem fine roaming throughout the building without dropping much traffic.

The management tool is quite all right, more so when considering the prices and the lack of a subscription model. Really, the subscription models offered for some of the other gear is off the wall. The Unifi gear is by no means bad, but it's still way better than manually configuring wireless APs without any management. It's still far better than the 3Com/H3C gear I had before that was 3 times as expensive and still lacks proper English for the management.

We have a site with 26 APs, and a new one with 8. You can now manage multiple sites from the same server too.

> They cost more, but you get what you pay for.

Yup!

Cheers,

Seth
Re: Got a call at 4am - RAID Gurus Please Read
symack wrote on 9-12-2014 at 22:03:
> * Can I change from an active (ie, disks with data) raid 5 to raid 10. There are 4 drives in the unit, and I have two on the shelf that I can plug in.

Dump and restore. I've used Acronis successfully in the past and today, they have a bootable ISO. Also, if you have the option, they have universal restore so you can restore Windows on another piece of hardware (you provide the drivers).

> * If so, will I have less of performance impact with RAID 10 + write-thru then RAID 5 + write through

Raid10 is the only valid raid format these days. With the disks as big as they get these days it's possible for silent corruption. And with 4TB+ disks that is a real thing. Raid 6 is ok, if you accept rebuilds that take a week, literally. Although the rebuild rate on our 11 disk raid 6 SSD array (2TB) is less than a day.

If it accepts sata drives, consider just using SSDs instead. They're just 600 euros for a 800GB drive. (Intel S3500)

> Given I can move from RAID 5 to RAID 10 without losing data. How long to anticipate downtime for this process? Is there heavy sector re-arranging happening here? And the same for write-thru, is it done quick?

Heavy sector re-arranging, yes, so just dump and restore, it's faster and more reliable. Also, you then have a working bare metal restore backup.

Regards,

Seth
Mozilla performing pdf.js DNS queries?
Hi,

Whilst rummaging through some DNS (dnsmasq) logs I've noticed quite a decent amount of queries for pdf.js from what appear to be Mozilla browsers. Seems rather odd that it is performing DNS queries for an internal PDF viewer.

Has anyone else come across these lookups?

Kind regards,

Seth
Re: Mozilla performing pdf.js DNS queries?
David Hofstee wrote on 13-11-2014 at 14:39:
> Pdf is quite a standard. One might wonder what it cannot do. One could call it evil. http://superuser.com/questions/368486/link-to-image-within-pdf-and-have-the-image-displayed

Ah yes, an image within a PDF could definitely do this I suppose. I just thought it odd that the browser would leak this out.

dnsmasq[3151]: query[A] pdf.js from 10.6.24.11
dnsmasq[3151]: query[] pdf.js from 10.6.24.11
dnsmasq[3151]: query[A] pdf.js from 10.6.24.11
dnsmasq[3151]: query[] pdf.js from 10.6.24.11

This could become a whole can of worms if a .js TLD ever makes it to the internet and registers this domain name. We see this from Ubuntu terminals running Mozilla Firefox 33.0

Best regards,

Seth

> David Hofstee
> Deliverability Management
> MailPlus B.V. Netherlands (ESP)
>
> -Original message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On behalf of Seth Mos
> Sent: Thursday, November 13, 2014 2:26 PM
> To: NANOG list
> Subject: Mozilla performing pdf.js DNS queries?
>
> Hi,
>
> Whilst rummaging through some DNS (dnsmasq) logs I've noticed quite a decent amount of queries for pdf.js from what appear to be mozilla browsers. Seems rather odd that it is performing DNS queries for a internal PDF viewer.
>
> Has anyone else come across these lookups?
>
> Kind regards,
>
> Seth
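A scan of dnsmasq query logs of the kind quoted above, added here as an example and not code from anyone in the thread: it parses the "query[TYPE] name from client" lines and reports, per client, lookups whose top-level label is not a TLD the network expects to see. That is how the pdf.js lookups, and any other unqualified internal name leaking to the resolver chain, would surface before a future delegation of that label turns them into a name-collision problem. The log lines and the TLD allowlist are constructed for the example; a real deployment would load the IANA root zone list.

```python
"""Flag dnsmasq queries under unexpected top-level labels (added example, not from the thread)."""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

# dnsmasq log-queries format: "dnsmasq[pid]: query[TYPE] name from client".
# The type group accepts an empty "[]" as well, as in the lines quoted above.
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]*)\] (?P<name>\S+) from (?P<client>\S+)"
)

# Constructed allowlist for the example: TLDs this hypothetical network expects.
EXPECTED_TLDS = {"com", "net", "org", "nl", "arpa", "local"}

# Constructed sample log modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
dnsmasq[3151]: query[A] pdf.js from 10.6.24.11
dnsmasq[3151]: query[AAAA] pdf.js from 10.6.24.11
dnsmasq[3151]: query[A] www.youtube.com from 10.6.24.11
dnsmasq[3151]: query[A] pdf.js from 10.6.24.12
dnsmasq[3151]: query[AAAA] fileserver.corp from 10.6.24.12
dnsmasq[3151]: query[PTR] 11.24.6.10.in-addr.arpa from 10.6.24.1
dnsmasq[3151]: forwarded www.youtube.com to 8.8.8.8
"""


def parse_queries(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (qtype, name, client) for every query[...] line; other lines are skipped."""
    out = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            # Normalise: strip a trailing root dot, lower-case the name.
            out.append((m.group("qtype"), m.group("name").rstrip(".").lower(), m.group("client")))
    return out


def top_label(name: str) -> str:
    """Rightmost DNS label, or the whole name for a single-label (unqualified) query."""
    return name.rsplit(".", 1)[-1]


def suspicious_queries(lines: Iterable[str], expected_tlds=EXPECTED_TLDS) -> Dict[str, Counter]:
    """Map each client to a Counter of queried names whose top label is not expected."""
    report: Dict[str, Counter] = defaultdict(Counter)
    for _qtype, name, client in parse_queries(lines):
        if top_label(name) not in expected_tlds:
            report[client][name] += 1
    return dict(report)


if __name__ == "__main__":
    for client, names in sorted(suspicious_queries(SAMPLE_LOG.splitlines()).items()):
        for name, n in names.most_common():
            print(f"{client:15} {name:25} {n} queries under .{top_label(name)}")
```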
Re: anyone from vodafone(.nl) around?
David Hofstee wrote on 23-10-2014 at 11:02:
> Hi,
>
> Is anyone from Vodafone around? We are having connectivity loss with smtp.vodafone.nl and the helpdesk is not cooperating...

I've had good success getting an out-of-date bogon filter issue for all Vodafone NL customers resolved after contacting the following address from the WHOIS information on bgp.he.net.

nmc...@vodafone.com

Kind regards,

Seth
Re: Netalyzr Android: call for volunteers
Srikanth Sundaresan wrote on 6-10-2014 at 0:43:
> Hi all,
>
> Netalyzr is a free network measurement and debugging app developed by the International Computer Science Institute, Berkeley.

Hi,

Maybe it's just me, but my Xperia T (LT30p) does have IPv6 on Wifi and test-ipv6.com validates it. It runs Android 4.3. However, the Netalyzr app has told me in 2 consecutive runs that it does not have IPv6 support. That does not appear intended.

Kind regards,

Seth
Re: Ars Technica on IPv4 exhaustion
Op 18 jun. 2014, om 11:41 heeft Martin Geddes m...@martingeddes.com het volgende geschreven: IPv6 will never become the defacto standard until the vast majority of users have access to IPv6 connectivity. It may never become the defacto standard, period. Nearly 20 years to reach 2% penetration is a strong hint that the costs outweigh the benefits. To be fair, it is only now that there is considerable leverage to actually use IPv6 outside of a academic scope. Our company is ready now, and it’s just a commercial retailer. I know we are way ahead of the curve but I didn’t find it all that hard. I see a lot of people crying foul, still, but IPv6 capable equipment is readily available now, and, it is up to you if you find it worthwhile to purchase. The worldwide IPv6 transit network is complete and most ISPs can actually deliver on IPv6 if you push them for it and don’t let them ship you off with „we can’t do it yet”. As such we’ve had IPv6 at work since 2012, and we got to talk to engineers and it wasn’t really that much of a problem. Also, the free BGP tunnel from HE.net really is a lifesaver in getting at least backup peering in place, and that worked fine for over a year. IP's global addressing system is broken from the outset. See John Day's presentation Surviving Networking’s Dark Ages - or How in the Hell Do You Lose a Layer!? http://irati.eu/wp-content/uploads/2013/01/1-LostLayer130123.pdf (or, indeed, lots of them at once.) I don’t know, 64 bits for the networks, and 64 bits for the hosts seems fine, although to be fair, a 96/32 split could have worked too, more about networks and aggregated routes, less about hosts. It’s also really good that there is a „absolute split” at 64 bits to designate the network prefix part. That makes network identifying a lot easier. I suppose that is where the shorter network prefix is coming from, it’s easier to remember. 
It's really all about scopes, not layers - the TCP/IP architecture is divided up the wrong way, and it will never be fixed. It's an escaped 1970s lab experiment that was able to extract the statistical multiplexing gain faster than rivals, but on a performance and security buy now, pay later basis. I like that IPv6 is close enough to IPv4 that I can just run with it. That’s not a drawback. If you understand classless subnetting you can work with Ipv6. May all your intentional semantics become operational, Martin I didn’t find it all that hard to become operational. Not everything I have at work does IPv6, but that’s not really a requirement, is it? I don’t care enough for backwards compatability with IPv4, actually, I’m really glad it isn’t so failure states are much easier to diagnose. I can see how IPv4.2 SP2 would have subtle issues with IPv4.3 SP1, but there is a hot fix for that, but not for your model. SOL. Not very different if I must say. Cheers, Seth On 17 June 2014 23:12, Andrew Fried andrew.fr...@gmail.com wrote: IPv6 will never become the defacto standard until the vast majority of users have access to IPv6 connectivity. Everything I have at the colo is dual stacked, but I can't reach my own systems via IPv6 because my business class Verizon Fios connection is IPv4 *only*. Yes, Comcast is in the process of rolling out IPv6, but my Comcast circuit in Washington DC is IPv4 only. And I'd suspect that everyone with Time Warner, ATT, Cox, etc are all in the same boat. Whether the reason for the lack of IPv6 deployment is laziness or an intentional omission on the part of large ISPs to protect their income from leasing IPv4 addresses doesn't matter to the vast majority of the end users; they simply can't access IPv6 via IPv4 only networks, without using some kludgy, complicated tunneling protocols. 
>> Andy
>> --
>> Andrew Fried
>> andrew.fr...@gmail.com
>>
>> On 6/17/14, 5:48 PM, Jared Mauch wrote:
>>> On Jun 17, 2014, at 5:41 PM, Lee Howard l...@asgard.org wrote:
>>>> On 6/17/14 4:20 PM, Jay Ashworth j...@baylink.com wrote:
>>>>> Here's what the general public is hearing:
>>>>
>>>> But only while they still have IPv4 addresses:
>>>>
>>>> ~$ dig arstechnica.com +short
>>>> ~$
>>>>
>>>>> http://arstechnica.com/information-technology/2014/06/with-the-americas-running-out-of-ipv4-its-official-the-internet-is-full/
>>>>>
>>>>> Can't tech news sites *please* run dual stack while they're spouting end-of-IPv4 stories?
>>>
>>> wishful thinking=on
>>>
>>> I would love to see a few more properties do IPv6 by default, such as ARS, Twitter and a few others. After posting some links and being a log stalker last night the first 3 hits from non-bots were from users on IPv6 enabled networks.
>>>
>>> It does ring a bit hollow that these sites haven't gotten there when others (Google, Facebook) have already shown you can publish records with no adverse public impact. Making IPv6 available by default for users would be an excellent step.
>>>
>>> People like ATT who control the 'attwifi' ssid could do NAT66 at their
Re: The Cidr Report
On 26 Apr 2014, at 20:05, Hank Nussbacher h...@efes.iucc.ac.il wrote:

> At 22:00 25/04/2014 +, cidr-rep...@potaroo.net wrote:
>> This report has been generated at Fri Apr 25 21:13:54 2014 AEST.
>> The report analyses the BGP Routing Table of AS2.0 router and generates a report on aggregation potential within the table.
>> Check http://www.cidr-report.org/2.0 for a current version of this report.
>>
>> Recent Table History
>>
>> Date        Prefixes    CIDR Agg
>> 18-04-14      499254      282312
>> 19-04-14      499492      282427
>> 20-04-14      499557      282428
>> 21-04-14      499371      282193
>> 22-04-14      499156      282325
>> 23-04-14      499260      282597
>> 24-04-14      499642      282663
>> 25-04-14      500177      282878
>
> Historic event - 500K prefixes on the Internet.

And now we wait for everything to fall over at 512k ;)
Re: Requirements for IPv6 Firewalls
On 18-4-2014 8:57, Matt Palmer wrote:
> On Thu, Apr 17, 2014 at 09:05:17PM -0500, Timothy Morizot wrote:
>> On Apr 17, 2014 7:52 PM, Matthew Kaufman matt...@matthew.at wrote:
>>> While you're at it, the document can explain to admins who have been burned, often more than once, by the pain of re-numbering internal services at static addresses how IPv6 without NAT will magically solve this problem.
>>
>> If you're worried about that issue, either get your own end user assignment(s) from ARIN or use ULA internally and employ NAT-PT (prefix translation) at the perimeter. That's not even a hard question.
>
> Why use NAT-PT in that instance? Since IPv6 interfaces are happy running with multiple addresses, the machines can have their publicly-accessible address and also their ULA address, with internal services binding to (and referring to, via DNS, et al) the ULA address; when you change providers, the publicly-accessible address changes (whoopee!), but the internal service address doesn't.

Sounds good in theory, I tried it but it got ugly really fast. Before you know it you have layers of obfuscation, and even more work to get it to work right. That's really not a good argument for the general IPv6 case.

Then there's the issue of making not just hosts do address selection but bringing that down to making applications choose address selection. As an admin I really don't want to go there. I just want a central point where I can pass, block or redirect.

Just keep it as simple as possible, but not simpler. A host with an IPv4 and GLA IPv6 address is as complicated as you want it.

The only case I see for NPt is for cheap multi wan where you have the primary prefix on your LAN and perform NPt for that prefix when it goes out the 3G stick. Note that you would still need the same (delegated) prefix size on both connections (e.g. /64, /56 or /48).

What is also nice is that in the case of NPt the firewall rules for both WAN and 3G can be the same as the destination address (after performing NPt) is still the same. Manageable.

Kind regards,
Seth
Re: Requirements for IPv6 Firewalls
On 17 Apr 2014, at 20:50, William Herrin b...@herrin.us wrote:
> On Thu, Apr 17, 2014 at 2:32 PM, Eugeniu Patrascu eu...@imacandi.net wrote:
>> It's a bigger risk to think that NAT somehow magically protects you against stuff on the Internet.
>
> You are entitled to your opinion and you are entitled to run your network in accordance with your opinion. To vendors who would sell me product, I would respectfully suggest that attempts to forcefully educate me as to what I *should want* offers neither a short nor particularly successful path to closing a sale.

Having deployed IPv6 at the internet point and halfway into the company I work for I can tell you that I am *really* glad that I can now see what a firewall rule does properly instead of also having to peer at the NAT table which is 1:1 or a port forward etc. Also, when IPv4 NAT and rules don't match up, hilarity ensues. It greatly improves my workflow, it's just become a whole lot easier for me.

NAT66 definitely has a place, and I'm a huge proponent for it so the small SMB people and home users can do Multi Wan without BGP. The part that isn't solved yet by the IETF, but at least there is a really good RFC for NPt. In my experience it improves security because of the transparency.

For anything resembling 100 people, get an ASN, PI and BGP. You'll thank me later, unlikely to have to renumber anything (1).

Kind regards,
Seth

(1) Yeah I know, unless you grow from a /48 to a /32

> Regards,
> Bill Herrin
>
> --
> William D. Herrin ................ her...@dirtside.com bill@herrin.us
> 3005 Crane Dr. ...................... Web: http://bill.herrin.us/
> Falls Church, VA 22042-3004
Re: Cisco ADSL2/VDSL2 Voip Router
On 13-12-2013 14:54, Nick Cameo wrote:
> Hello Everyone,
>
> I have a customer that is looking for a voip router. The router part is easy however, they need it to support their ADSL/VDSL connection PPPoE, and all that lovely stuff. Can you gents and ladies kindly recommend something that would fit all, preferably the cisco route. If you have one not in use, we would be interested in hearing from you.

Something entirely different: Draytek Vigor 2850, maybe?

Cheers
Re: ATT UVERSE Native IPv6, a HOWTO
On 2-12-2013 22:25, Ricky Beam wrote:
> On Fri, 29 Nov 2013 08:39:59 -0500, Rob Seastrom r...@seastrom.com wrote:
>> Handing out /56's like Pez is just wasting address space -- someone *is* paying for that space.
>
> Yes, it's waste; giving everyone 256 networks

You clearly have no understanding of route aggregation, which just made its entry into the SOHO. The router will set up its own DHCP-PD prefix delegation for downstream routers. Without a /56 or larger it is very hard to do automatically. It is not wasting, it is required for proper operation of a routing internet. You can't just NAT a downstream router and still have IPv6.

People buy extra wifi routers at their favorite shop and *will* plug the cable into the Internet port. With IPv6 and DHCP-PD they will still get working IPv6 internet. Great!

Cheers,
Seth
Re: Meraki
On 22 Nov 2013, at 06:37, Jay Ashworth wrote:
> ----- Original Message -----
>
> Anecdote: My local IHOP finally managed to get Wifi internet access in the restaurant. For reasons unknown to me, it's a Meraki box, backhauled *over T-mobile*. That's just as unpleasant as you'd think it would be, And More! Both the wifi and 3G (yes, 3G) boxes lock up on a fairly regular basis, requiring a power cycle, which, generally, they'll only do because I've been eating there for 20 years, and they trust me when I ask them to.
>
> I can't say whether this provides any illumination on the rest of their product line, but...

To compound matters, I'd go as far as to say that any wireless solution on 2.4GHz isn't really a wireless solution. It's just not feasible anymore in 2013, there is just *so much* interference from everything using the unlicensed 2.4GHz band that its own success is its greatest downfall. Reliable wireless isn't (to use the famous war quote "friendly fire isn't").

For whatever reasons, whoever I talk to they all tell me that the ISP here sucks, and if I ask further if they are using the wireless thingamabob that the ISP shipped them, they say yes. So, that's about right then.

I've been using a PCengines.ch Alix router for years now (AMD Geode, x86, 256MB ram, CF) with a cable modem in bridge mode with separate dual band access points in the places where I need them (living room, attic office) and I can't say that my experiences with the ISP here mesh with theirs.

Anyhow, if you are going to deploy wireless, make sure to use dual band, and name the 2.4GHz SSID "internet" and the 5GHz SSID "faster-internet". You'll see people having a heck of a better time. Social engineering works :)

When we chose the Ubiquiti wireless kit we could deploy twice as many APs for the same price of one of the other APs. This effectively means we have a very dense wireless network that covers the entire building, and lots of kit that can actually see and use the 5GHz band.

Setup was super easy, I added a unifi DNS name that points to my unifi controller host and I get an email that a new AP is ready to be put into service. Having a local management host instead of some cloud was a hard requirement. I also like that I can just apt-get update; apt-get upgrade the software. By using DNS remote deployment was super easy too, send the unit off and let them plug it in, it then comes onto the network and registers itself.

I believe every current Apple iDevice currently supports the 5GHz band, and all the Dell gear we purchase also comes ordered with it. Heck, even my 2011 Sony Xperia T has 5GHz wireless now, as do the current Samsung Galaxy S3, S4.

Best regards,
Seth
Re: Meraki
On 19 Nov 2013, at 18:25, Hank Disuko wrote:
> Hi folks,
>
> I've traditionally been a Cisco Catalyst shop for my switching gear. I am doing a significant hardware refresh in one of my offices, which will entail replacing about 20 access switches and a couple core devices. Pretty simple L3 VLAN environment with VRRP/HSRP, on the physical end I have 1G fibre/copper and 10G fibre. My core switch of choice will likely be the Cat 4500 series.
>
> I'm considering Cisco's Meraki platform for my access layer and I'm looking for deployment stories of folks that have deployed Meraki in the past...good/bad/ugly kinda stuff. I know Meraki hardcores were upset when Cisco acquired them, but not exactly sure why.
>
> Anyway, any thoughts would be useful. Thanks!

We used to use the 3Com wireless kit before it became H3C, and then HP, which worked ok but the engrish in the UI was horrid.

We've since purchased 25 Ubiquiti wireless access points, specifically the 300N Pro access points, they work really well, pricing is competitive and the management is nice. I've set up a Debian VM, installed their management software from their APT repo and just go from there. The version 3 software also supports multi-site which is really nice.

It's a huge upgrade over our previous wireless though.

Cheers,
Seth
Re: Verizon DSL moving to CGN
On 9-4-2013 1:10, Jay Ashworth wrote:
> ----- Original Message -----
>> From: Huasong Zhou huas...@kalorama.com
>>
>> We got this modem and router all in one box from Comcast directly. And by the way, home use routers don't assign 10.0.0.0 numbers.
>
> I have seen consumer NAT routers assign addresses in all three RFC1918 blocks, though I couldn't cite particular models for you. 10./ is less common than 172./, but not impossible.

Early Alcatel/Lucent Speedtouch modems assigned 10/8 to the LAN, effectively breaking all VPN networking to our office. No fun to be had in that one. Luckily all these shipped without Wifi and have now all been replaced by Thomson wifi models that use 192.168.[01]/24.

Some of the AlliedData Copperjet modems use 172.x.

Regards,
Seth
Re: NOC display software
On 13-2-2013 16:19, JoeSox wrote:
> Just wondering if anyone can recommend Windows software (it could be Linux too but I might need to create a separate host for that configuration) that enables rotating [on one monitor] several webpages (dashboards) or windows (application dashboards). It would be nice if it was freeware or open source but whatever works best is what I am looking for.
>
> For example, if I wanted one monitor to cycle through my local SolarWinds Orion, Office 365 Health Status, and any other web dashboards.

We use a Dell Optiplex that drives 2 rotated FullHD 42 inch TVs. This gives us effectively a 2k x 4k resolution to work with.

We have written a custom webpage that refreshes divs automatically, it has a country map and puts the various sites on the map where the outage is. This is mainly handy for DSL outages. The left TV is almost entirely a map of the Netherlands with a few Nagios summaries and refresh counters underneath. The right TV pane lists the Nagios detail and various business processes as well as open tickets from our ticket system.

We use Chrome in kiosk mode, but Firefox could work too.

Cheers,
Seth
Re: IPV6 in enterprise best practices/white papaers
On 26 Jan 2013, at 18:47, William Herrin wrote:
> On Sat, Jan 26, 2013 at 4:26 AM, Pavel Dimow paveldi...@gmail.com wrote:
>> I can start to create records and PTR records in DNS and after that I should configure my dhcp servers and after all has been done I can test ipv6 in LAN and after that I can start configure bgp with ISP. Is this correct procedure?
>
> Nope. In their infinite(simal) wisdom the architects of IPv6 determined that a host configured with both a global scope IPv6 address and an IPv4 address will attempt IPv6 in preference to IPv4. If you configure IPv6 on a LAN without first installing your IPv6 Internet connection, that LAN will break horribly.
>
> Work your way from the outside in: start with BGP, then the interior routers and configure the LAN last.

+3

That's what I did too, it works the best, you really need to make sure that the connectivity you turn up actually works. I started with the internet connections, and luckily HE.net also offers free BGP tunnels for PI connectivity, which will do in a pinch and you still can maintain redundancy if only 1 ISP can actually do native yet.

From there I started with the firewalls and routers, dual stacked those first. I then did some servers, some Linux, some Windows. DNS was first, then email. I wish more ISPs dual stacked their email servers, they are prime candidates because nothing dies instantly and delivery is retried. It seems so obvious, and everybody is focusing on port 80, weird. Email for offices also seems like the prime candidate for end-to-end for businesses. More than websites. I still see plenty of companies hosting their own email.

Oh, and if you add IPv6 on an AD server, do all of them at once. Because ipv6 is preferred, they will all try that single server with an IPv6 address. That is address preference for you! So make sure that for some of the steps you deploy it just like IPv4, not a little bit, but all the way.

Add all the IPv6 addressing to your monitoring before going any further. You don't want to fly this blind. We use Nagios, it works well enough, I can't see BGP table size, but I can monitor next hop with ping6, so that worked fine.

The clients still don't have IPv6, but everybody browses the net via a dual stack squid proxy, so they didn't even notice. At some point in 2013 the clients will get an IPv6 address too, dhcp6 only, no autoconfig for management reasons. Not that the clients can actually get out to the internet, they can't now with IPv4, so no change there.

Regards,
Seth
Re: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6
On 18-1-2013 15:03, William Herrin wrote:
> On Thu, Jan 17, 2013 at 11:15 PM, Constantine A. Murenin muren...@gmail.com wrote:
>> On the technical side, enterprises have been doing large-scale NAT for more than a decade now without any doomsday consequences. CGN is not different.

Well yeah, but everything is under control of the IT department to set up rules and forwards. That's not the same as an end user that wants a port forward to host an Xbox 360 game on their fiber connection and can't set it up.

I've tried getting the firewall disabled that denies ALL incoming traffic on my 3G stick and it's simply not possible, that is the sort of flexibility that the market is selling. Most of the ISPs I have personally and professionally worked with have the flexibility of a piece of mahogany.

I'm pretty sure that some of the dedicated online game hosters are looking forward to this. Those investments should turn out great.

Regards,
Seth
MTU issues s0.wp.com
Hi,

Since about a week or so it's become impossible to reach wp.com content over IPv6. IPv4 content does work fine, using the IPv6 literal returns a 404 which is small enough to fit in a smaller 1480 byte MTU.

I have another test site that has a clean 1500 byte mtu and I can fetch the s0.wp.com page from there. It looks like tunneled IPv6 users might be hurt here.

Is anyone else experiencing similar issues? My traceroute shows they are employing a CDN for s0.wp.com, so not everyone might be affected.

 7  asd2-rou-1022.NL.eurorings.net (2001:680:0:800f::291)  6.460 ms  6.203 ms  6.188 ms
 8  asd2-rou-1044.eurorings.net (2001:680::134:222:85:63)  6.447 ms  6.494 ms  6.495 ms
 9  adm-b5-link.telia.net (2001:2000:3080:6f::1)  6.818 ms  6.936 ms  6.891 ms
10  ldn-b3-v6.telia.net (2001:2000:3018:5::1)  15.290 ms  27.481 ms  15.380 ms
11  edgecast-ic-147468-ldn-b3.c.telia.net (2001:2000:3080:378::2)  15.116 ms  15.174 ms  15.176 ms
12  2606:2800:234:1922:15a7:17bf:bb7:f09 (2606:2800:234:1922:15a7:17bf:bb7:f09)  15.496 ms  15.327 ms  15.460 ms

Kind regards,
Seth
Re: IPv4 address length technical design
On 3-10-2012 18:33, Kevin Broderick wrote:
> I'll add that in the mid-90's, in a University Of Washington lecture hall, Vint Cerf expressed some regret over going with 32 bits. Chuckle worthy at the time, and a fond memory - K

Pick a number between this and that. It's the 80's and you can still count the computers in the world. :) It is/was an experiment and you have the choice between a really large and a larger number. Humans are not too good at comparing really large numbers.

If it was ever decided to use a smaller value, for the size of the experiment it might have gone quite differently. The safe (larger) choice ended up bringing more pain. As a time honored ritual, the temporary solution becomes the production solution. Oops... And that was not quite what Mr Cerf meant to do.

Regards,
Seth
Re: Throw me a IPv6 bone (sort of was IPv6 ignorance)
On 21-9-2012 21:42, Mark Radabaugh wrote:
> Running dual stack to residential consumers still has huge issues with CPE. It's not an environment where we have control over the router the customer picks up at Walmart. There is really very little point in spending a lot of resources on something the consumer can't currently use.
>
> I don't think saying we missed the boat really applies - and the consumer CPE ship is sinking at the dock.

Enable dual stack by default, the old routers ignore it anyhow. The new ones that do support it, and really, Linksys and D-Link as well as Netgear do support it now, will use it and should just work. I recommend DHCP-PD, it seems to work well with relatively low overhead. AVM seems to know just how to make these relatively cheap all-in-ones with a great feature set and reasonable quality.

There is a lot of room for improvement, there always has been. It's not like the original Linksys WRT54G was really _that_ good, was it? The other good news is that there is a new Wifi standard! You'll see a new surge of people swapping out $30 routers because they are convinced that the new $30 router will be a lot better than the previous one. Maybe it is.

I know it's a chicken and egg problem, and shoving it out further means you just decided for the ISP that you need a far beefier CGN box in the future. I am not totally convinced that was your long term plan. Most ISPs in Asia that are now pouring significant monetary resources into a CGN box that might be almost pointless in 5 years is not the investment they were looking for.
Re: Big Temporary Networks
On 18-9-2012 22:50, William Herrin wrote:
> On Tue, Sep 18, 2012 at 4:31 PM, Nick Hilliard n...@foobar.org wrote:
>> On 18/09/2012 21:24, William Herrin wrote:
>>> IPv6 falls down compared to IPv4 on wifi networks when it responds to a router solicitation with a multicast (instead of unicast) router advertisement.
>>
>> You mean it has one extra potential failure mode in situations where radio retransmission doesn't deal with the packet loss - which will cause RA to retry. "Fall down" is a slight overstatement.
>
> Potayto, potahto. Like I said, I have no interest in defending IPv6. But I'm very interested in how to implement an IPv6 network that's as or more reliable than the equivalent IPv4 network. That makes me interested in the faults which get in the way.
>
> Regards,
> Bill Herrin

Yes, radvd has a configuration option to send unicast packets. But I think the effects are slightly overstated. Unless someone fudged the lifetime counters on the ra config nobody will ever notice a RA getting lost.

Once every few seconds a RA message will be sent and it will be valid for at least a couple of minutes. Within that time there will be multiple RA announcements, and unless you missed 5 minutes of RA advertisements everything is fine. And if you do miss 5 minutes of RA multicast traffic, really, you have bigger problems.

I see network stacks springing to life in the space of 3 seconds on the 1st message I send out. That's pretty stellar, and faster than some clients perform the DHCPv4 request.

Also note that some wifi networks eat DHCPv4 broadcasts too, which is pretty much the same deal as what you are referring to above. They will retry the DHCPv4 request, and so do clients that perform router solicitation requests. No different.

And if the wifi network is so bad that you have icmp and udp dropping like mad, I doubt anybody would want to use it. It is more likely that they will disable wifi altogether and use 3g.

The 2.4GHz wifi band is so crowded now that this has become the effective standard. Unless you are a happy camper that actually has a wifi card that supports the 5GHz band. Which is far too uncommon in phones and tablets. boo.

Cheers,
Seth
Re: The Department of Work and Pensions, UK has an entire /8
On 19-9-2012 14:35, Leo Bicknell wrote:
> In a message written on Tue, Sep 18, 2012 at 09:11:50PM -0700, Mike Hale wrote:
>> I'd love to hear the reasoning for this. Why would it be bad policy to force companies to use the resources they are assigned or give them back to the general pool?
>
> There's also a ROI problem. People smarter than I have done the math, and figured out that if X% of the address space can be reclaimed via these efforts, that gains Y years of address space. Turns out Y is pretty darn small no matter how aggressive the search for underutilized space.
>
> Basically the RIR's would have to spin up more staff and, well, harass pretty much every IP holder for a couple of years just to delay the transition to IPv6 by a couple of years. In the short term moving the date a couple of years may seem like a win, but in the long term it's really insignificant.
>
> It's also important to note that RIR's are paid for by the users, the ramp up in staff and legal costs of such an effort falls back on the community. Is delaying IPv6 adoption worth having RIR fees double?

Forcing a government organization to renumber their (large!) network to 10/8 just to give it back to ARIN would be a massive undertaking. There are considerable drawbacks:

1. The renumbering of a government organization is paid for by the UK taxpayers. I'm sure the UK can use the funds somewhere else right now.
2. The time taken to complete this operation would likely run into years, see 1.
3. Even if the renumbering completes by 2015 it would be far too late, since we need it now rather than later.
4. The actual value of the sale of the /8 could either be huge in 2015, or insignificant in 2015.

So the irony is that the taxpayer lobbying for return wants to have the /8 returned or to sell it. But there is a significant non-zero cost and he would be paying for it himself.

I also like the idea of public services being reachable in the future. Just because it is not in use now, I'll see them using it in the future.

Regards,
Seth
Re: The Department of Work and Pensions, UK has an entire /8
On 20 Sep 2012, at 07:34, Mark Andrews wrote:
> In message caaawwbw2oh0-cpsvwyrfdodvjotavaq8wdlussqvshs5cot...@mail.gmail.com, Jimmy Hess writes:
>> The work to fix this on most OS is minimal.
>
> The work to ensure that it could be used safely over the big I Internet is enormous.

It's not so much about making sure new equipment can support it as getting servers that don't support it upgraded, as well as every box in between. I'm only afraid it may operate worse than 1/8. Not sure how happy you would be as an ISP or a customer in that range.

Cheers,
Seth
Re: The Department of Work and Pensions, UK has an entire /8
On 18 Sep 2012, at 18:39, George Herbert wrote:
> I'm having problems finding any announcements for this net 10/8, too. Can someone talk to these IANA folks about reclaiming it, too? They have a bunch of other space in 172.x they should be able to use...

Don't worry, they'll give in and assign us some more.

Seth ;-)

> George William Herbert
> Sent from my iPhone
>
> On Sep 18, 2012, at 8:36 AM, John Levine jo...@iecc.com wrote:
>>> John Graham-Cumming, who found this unused block, wrote in a blog post that the DWP was in possession of 51.0.0.0/8 IPv4 addresses.
>>
>> Please, don't anyone tell him about 25/8.
Re: using reserved IPv6 space
On 17-7-2012 8:43, Owen DeLong wrote:
> On Jul 16, 2012, at 10:36 PM, Seth Mos wrote:
>> Hi,
>>
>> On 16 Jul 2012, at 18:34, valdis.kletni...@vt.edu wrote:
>>
>> To highlight what the current NAT66 is useful for, it's an RFC for Network Prefix translation. It has nothing to do with obfuscation or hiding the network anymore. Its current application is multihoming for the poor.
>
> And it's a really poor way to do multihoming. You don't have to spend a lot of money to multihome properly.

Did you see I mentioned poor? Poor as in unwilling to pay anything more than the cost for the 2 internet connections they already have. If you are an individual this likely applies. 3G stick anyone? If you are a business, see B for Business and B for BGP.

Also, I hope Mobile Internet providers will be supporting DHCP6 and DHCP6-PD for hotspots. Another place where I can see cruft being made. On that note, the world of Mobile internet providers seems to be full of assumptions about the use of the devices and connection. It can probably never be saved anymore. If there ever was a mobile network that did not respect the users'/clients' interests this would be it.

>> Example: You have a Cable and a DSL, they both provide IPv6 and you want to provide failover. You then use ULA or one of the Global Addresses on the LAN network, and set up NAT66 mappings for the secondary WAN, or both if you are using ULA.
>
> I have that and I use BGP with an ARIN prefix using the Cable and DSL as layer 2 substrates for dual-stack tunnels.

So can any user just send them an email "Hey, I dual home, can I have a /48 please?". That's not even considering that I need to terminate the prefix on a BGP router somewhere that someone surely wants money for.

> Works pretty well and doesn't cost much more than the NAT66 based solution.

It's in your words "doesn't cost much more" which translates to too much, we're all cheapskates :-)

> Once you go to tunnels, why not go all the way and put BGP across the tunnels?

Because by using 2 tunnels from 2 different providers you actually hope to increase redundancy, we are not talking 2 Hurricane Electric tunnels here. It's one /48 from HE.net and another /48 from SixXS.

I've had a bit too much the past few months where a number of the HE.net tunnelbrokers have been the target for a DDoS attack. Nothing I can blame HE.net for, but it does illustrate my point that having 2 different upstream (tunnel) providers works best.

Regards,
Seth
Re: using reserved IPv6 space
Hi,

On 16 Jul 2012, at 18:34, valdis.kletni...@vt.edu wrote:
> On Mon, 16 Jul 2012 11:09:28 -0500, -Hammer- said:
>> ---That is clearly a matter of opinion. NAT64 and NAT66 wouldn't be there if there weren't enough customers asking for it. Are all the customers naive? I doubt it. They have their reasons. I agree with your purist definition and did not say I was using it. My point is that vendors are still rolling out base line features even today.
>
> Sorry to tell you this, but the customers *are* naive and asking for stupid stuff. They think they need NAT under IPv6 because they suffered with it in IPv4 due to addressing issues or a (totally perceived) security benefit (said benefit being *entirely* based on the fact that once you get NAT working, you can build a stateful firewall for essentially free). The address crunch is gone, and stateful firewalls exist, so there's no *real* reason to keep pounding your head against the wall other than "we've been doing it for 15 years".

To highlight what the current NAT66 is useful for, it's an RFC for Network Prefix translation. It has nothing to do with obfuscation or hiding the network anymore. Its current application is multihoming for the poor.

Example: You have a Cable and a DSL, they both provide IPv6 and you want to provide failover. You then use ULA or one of the Global Addresses on the LAN network, and set up NAT66 mappings for the secondary WAN, or both if you are using ULA.

This will not hide *anything* as your machines will now be *visible* on 2 global prefixes at the same time. And yes, you still use the stateful firewall rules on each WAN for the incoming traffic. And you can redirect traffic as needed out each WAN.

It's the closest thing to the existing Dual WAN that current routers support. Also note that this also works fine with 2 IPv6 tunnels. Bind each tunnel to a WAN and you have the same failover for IPv6 as IPv4.

Cheers,
Seth
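The prefix translation Seth describes here (and in the earlier NPt posts) is a stateless 1:1 rewrite of the network part of the address; the trick that lets it skip rewriting TCP/UDP checksums is the checksum-neutral mapping of RFC 6296. The following is an added example, not code from the posts, written for /48 prefixes with a constructed ULA as the LAN prefix and the documentation prefix standing in for the secondary WAN's delegated /48; the handling of the 0xFFFF subnet ID is simplified to keep the mapping a clean bijection.

```python
"""Checksum-neutral IPv6 prefix translation (NPt) for a dual-WAN failover.

Added example following the idea of RFC 6296 section 3.1 for /48 prefixes.
All prefixes and addresses below are constructed for illustration.
"""
import ipaddress
from typing import List


def ones_complement_add(a: int, b: int) -> int:
    """Add two 16-bit words with end-around carry (one's complement)."""
    total = a + b
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    # 0xFFFF and 0x0000 are the same value in one's complement; normalising
    # to 0x0000 keeps the mapping a bijection (assumption of this example:
    # subnet ID 0xFFFF is not used on the inside).
    return 0 if total == 0xFFFF else total


def ones_complement_sum(words) -> int:
    acc = 0
    for w in words:
        acc = ones_complement_add(acc, w)
    return acc


def to_words(addr) -> List[int]:
    """Split a 128-bit address into eight 16-bit words, most significant first."""
    value = int(ipaddress.IPv6Address(addr))
    return [(value >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def from_words(words) -> ipaddress.IPv6Address:
    value = 0
    for w in words:
        value = (value << 16) | (w & 0xFFFF)
    return ipaddress.IPv6Address(value)


class PrefixTranslator:
    """Stateless 1:1 mapping between an inside /48 and an outside /48."""

    def __init__(self, inside: str, outside: str):
        self.inside = ipaddress.IPv6Network(inside)
        self.outside = ipaddress.IPv6Network(outside)
        if self.inside.prefixlen != 48 or self.outside.prefixlen != 48:
            raise ValueError("this example only handles /48 prefixes")
        self.in_words = to_words(self.inside.network_address)[:3]
        self.out_words = to_words(self.outside.network_address)[:3]
        # Adjustment folded into the subnet ID (word 3) so the one's complement
        # sum of the whole address is identical before and after translation:
        # (inside prefix sum) - (outside prefix sum).
        self.delta = ones_complement_add(
            ones_complement_sum(self.in_words),
            ~ones_complement_sum(self.out_words) & 0xFFFF,
        )

    def outbound(self, addr) -> ipaddress.IPv6Address:
        """Rewrite an inside source address to the form seen on the WAN."""
        addr = ipaddress.IPv6Address(addr)
        if addr not in self.inside:
            raise ValueError(f"{addr} is not inside {self.inside}")
        words = to_words(addr)
        subnet = ones_complement_add(words[3], self.delta)
        return from_words(self.out_words + [subnet] + words[4:])

    def inbound(self, addr) -> ipaddress.IPv6Address:
        """Rewrite a WAN-side destination address back to its inside form."""
        addr = ipaddress.IPv6Address(addr)
        if addr not in self.outside:
            raise ValueError(f"{addr} is not inside {self.outside}")
        words = to_words(addr)
        subnet = ones_complement_add(words[3], ~self.delta & 0xFFFF)
        return from_words(self.in_words + [subnet] + words[4:])


def pseudo_header_sum(src, dst) -> int:
    """Address part of the TCP/UDP pseudo-header checksum.

    If this is unchanged by the rewrite, the transport checksum stays valid
    without the translator touching the payload at all.
    """
    return ones_complement_sum(to_words(src) + to_words(dst))


# Constructed setup: ULA on the LAN, documentation prefix as the second WAN.
translator = PrefixTranslator("fd00:1234:5678::/48", "2001:db8:abcd::/48")

if __name__ == "__main__":
    lan_host = "fd00:1234:5678:1::10"
    remote = "2001:db8:ffff::1"
    wan_view = translator.outbound(lan_host)
    print(lan_host, "->", wan_view, "->", translator.inbound(wan_view))
    print(hex(pseudo_header_sum(lan_host, remote)),
          hex(pseudo_header_sum(wan_view, remote)))
```

The same host is reachable under both prefixes at once, which is exactly why the stateful firewall rules on each WAN still matter: nothing is hidden, only rewritten.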
Re: NAT66 was Re: using reserved IPv6 space
On 17 Jul 2012, at 04:56, Grant Ridder wrote:
> If you are running an HA pair, why would you care which box it went back through?

Because it could be/is a stateful firewall and the backup will drop the traffic. (FreeBSD CARP)

Cheers,
Seth

> -Grant
>
> On Monday, July 16, 2012, Mark Andrews wrote:
>> In message CAD8GWsswFwnPKTfxt=squumzofs3_-yrihy8o4gt3w9+x6f...@mail.gmail.com, Lee writes:
>>> On 7/16/12, Owen DeLong o...@delong.com wrote:
>>>> Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is being able to eliminate NAT. NAT was a necessary evil for IPv4 address conservation. It has no good use in IPv6.
>>>
>>> NAT is good for getting the return traffic to the right firewall. How else do you deal with multiple firewalls asymmetric routing?
>>
>> Traffic goes where the routing protocols direct it. NAT doesn't help this and may actually hinder as the source address cannot be used internally to direct traffic to the correct egress point. Instead you need internal routers that have to try to track traffic flows rather than making simple decisions based on source and destination addresses. Applications that use multiple connections may not always end up with consistent external source addresses.
>>
>>> Yes, it's possible to get traffic back to the right place without NAT. But is it as easy as just NATing the outbound traffic at the firewall?
>>
>> It can be and it can be easier to debug without NAT mangling addresses. The only thing helpful NAT66 does is delay the externally visible source address selection until the packet passes the NAT66 box.
>>
>> Mark
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: ipv6 book recommendations?
On 5-6-2012 23:23, William Herrin wrote:
> On 6/5/12, David Hubbard dhubb...@dino.hostasaurus.com wrote:
>
> Hi David,
>
> Instead of going the book route, I'd suggest getting some tunneled addresses from he.net and then working through http://ipv6.he.net/certification/ . They have the basics pretty well covered, it's interactive and it's free.

+1 it's one of the best ways to learn. Do.

> Some additional thoughts:
>
> 1. Anybody who tells you that there are security best practices for IPv6 is full of it. It simply hasn't seen enough use in the environment to which we're now deploying it and rudimentary technologies widely used in IPv4 (e.g. NAT/PAT to private address space) haven't yet made their transition.

Well, not quite, but firewall rules work just the same as before. Use those. The longer version is that some people used "from internet to any" rules on their wan which in an IPv4 NAT really translated to "allow everything to my external address". Unless you used 1:1 of course, but I digress. In IPv6 such a rule really means anything internal. People that have administered firewalls that route public addresses will know exactly what I mean.

> d. Default customer assignments should be /56 or /48 depending on who you ask. /48 was the IETF's original plan. Few of your customers appear to use tens of LANS, let alone thousands. Maybe that will change but the motivations driving such a thing seem a bit pie in the sky. /56 lets the customer implement more than one LAN (e.g. wired and wireless) but burns through your address space much more slowly. /60 would do that too but nobody seems to be using it. /64 allows only one LAN, so avoid it.

You seem to miss a semi important thing here. Daisy chaining of routers in the premises. Some routers (pfSense included) allow for setting up prefix delegation, this means that you can connect routers behind the one you have and still have native v6.

Although the automatic setup system I wrote for this works with /56 networks it will only set up PD for /64 networks at this point. I allocate a part of the assigned /56 network for prefix delegation automatically. If the PD is /48 I can delegate /56 networks to the subrouters, which in their turn can delegate /64 networks to another sub router.

It's not that the user itself will actually assign all those networks, but routers will do so automatically and you need proper route aggregation. It's unlikely that all networks will be directly assigned as /64 networks either, it could also be multiple routers. Even if it was done manually I'd assign a /60 route out of a /56 PD. The notion that it will always be a /64 is... well.

Regards,
Seth
Re: Our first inbound email via IPv6 (was spam!)
On 5-6-2012 16:10, Livingood, Jason wrote:
> In preparation for the World IPv6 Launch, inbound (SMTP) email to the comcast.net domain was IPv6-enabled today, June 5, 2012, at 9:34 UTC. Roughly one minute later, at 9:35:30 UTC we received our first inbound email over IPv6 from 2001:4ba0:fff4:1c::2. That first bit of mail was spam, and was caught by our Cloudmark messaging anti-abuse platform (the sender attempted a range of standard spam tactics in subsequent connections). In the past several hours we have of course seen other messages from a range of hosts, many of which were legitimate email so it wasn't just spam! ;-)
>
> Since the Internet is of course more than just the web, we encourage others to start making non-HTTP services available via IPv6 as well.

I always wondered why (ISPs) never started with rolling out IPv6 email servers first; the fallback from 6 to 4 is transparent and invisible to the end user, at a delay of a maximum of 30 seconds. I enabled v6 for my email before my website since the impact if it didn't work on the 1st try was almost nil.

Still waiting for the 1st country to top Romania's 6% deployment. I'm sure we can do better than 0.21.

IMHO, asking users if they want IPv6 is the wrong way round; you enable IPv6 and then allow for opt-out in the service portal. That's basically what the Romanian ISP did. They have not gone bankrupt either, so maybe it's not all as bad as we think.

Cheers,
Seth
Re: ipv6 book recommendations?
On 5-6-2012 16:29, David Hubbard wrote:
> Does anyone have suggestions on good books to really get a thorough understanding of v6, subnetting, security practices, etc. Or a few books. Just turned up dual stack with our peers and a test network but I'd like to be a lot more comfortable with it before looking at our customer network.

I liked the O'Reilly IPv6 Essentials. I've read a few chapters when I needed it.

Cheers,
Seth
Re: Automatic IPv6 due to broadcast
On 17-4-2012 10:33, Carlos Martinez-Cagnazzo wrote:
> IMO it's much easier to disable one rogue than to disable IPv6 on the whole network. That is if you can find it, but with some proper tcpdumping and/or CLI commands (depending on the switches that you have) it should be relatively easy.

Even better, the IPv6 gateway you got assigned is based on the MAC address. That means you can also find what brand of device is advertising.

http://standards.ieee.org/develop/regauth/oui/public.html

You can most likely find which IPv4 address the MAC corresponds to as well.

> Was that so hard? Not to mention that, as pointed out by others, this provides a wonderful opportunity to look into this new (*grin*) protocol.

Indeed!

> Cheers!
> ~Carlos

Cheers,
Seth
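An added example, not code from the thread or from any tool mentioned in it, of the identification step Seth describes: the link-local gateway address a host learned from the unwanted RA is a modified EUI-64, so the advertising router's MAC can be read back out of it, matched against the OUI registry for the vendor, and matched against the ARP/neighbour table for its IPv4 address. The OUI entries and the ARP table below are constructed sample data (the real registry is the IEEE page linked above), and the function names are my own.

```python
import ipaddress

# Constructed sample OUI table (hypothetical prefixes, not the IEEE registry).
OUI_TABLE = {
    "00:1a:2b": "ExampleVendor-A (constructed)",
    "10:34:56": "ExampleVendor-B (constructed)",
}

# Constructed sample neighbour table, as "arp -a" / "ip neigh" would show it.
ARP_TABLE = {
    "10:34:56:78:9a:bc": "192.168.1.77",
    "00:1a:2b:00:00:01": "192.168.1.2",
}


def mac_from_eui64(addr):
    """Return the MAC embedded in a modified-EUI-64 interface ID, or None.

    A MAC-derived IID looks like ::XXYY:ZZff:feAA:BBCC; privacy (RFC 4941)
    or manually chosen IIDs lack the ff:fe marker and cannot be reversed.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[0:3] + iid[5:8])
    octets[0] ^= 0x02  # EUI-64 flips the universal/local bit; flip it back
    return ":".join(f"{b:02x}" for b in octets)


def identify_ra_source(link_local, arp_table=ARP_TABLE, oui_table=OUI_TABLE):
    """Map an RA's link-local source address to MAC, vendor and IPv4 address."""
    mac = mac_from_eui64(link_local)
    if mac is None:
        return {"mac": None, "vendor": None, "ipv4": None}
    return {
        "mac": mac,
        "vendor": oui_table.get(mac[:8]),   # first three octets are the OUI
        "ipv4": arp_table.get(mac),
    }


if __name__ == "__main__":
    # The default gateway a host picked up from the rogue advertisement.
    print(identify_ra_source("fe80::1234:56ff:fe78:9abc"))
```

The link-local address to feed in comes from the affected host's default route (for example `ip -6 route show default` on Linux) or from a capture of the advertisements themselves (`tcpdump -i eth0 'icmp6 and ip6[40] == 134'` shows RAs, ICMPv6 type 134). When `mac_from_eui64` returns None the router used a non-EUI-64 address and the MAC has to be taken from the frame header in the capture instead.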
Re: IPv6 support via Charter | Ideas on BGP Tunnel via HE
Hi,

On 11 Apr 2012, at 20:16, Anurag Bhatia wrote:
> Also, does it make sense to go for BGP Tunnel for now? I just set up an IPv6 Tunnel via Hurricane Electric. Latency seems pretty much OK ~ 10-15ms of overhead. Yet to test other parameters. I heard Tunnels are usually bad. Can someone tell how to test this tunnel setup to confirm if there is a performance issue or not? I am thinking of writing a quick bash script and run via cron to test latency, packet loss and bandwidth throughput for a couple of days. If anyone has a better idea, please let me know.

Also using a HE.net BGP tunnel for our IPv6, simply because having just 1 native provider with IPv6 isn't redundant. That and it's 8mbit. The v4 connection which the tunnel connects over is 90mbit, and the tunnel needs to travel from NL to DE for the FRA BGP peering.

I'm getting about 40mbit through the IPv6 tunnel, so I'd say it works well, although the throughput has slowly been dropping to the 30's range over the last 6 months. But that's probably because of the latency. For something that is provided for free I'm really glad we have it. I should have peered with their UK PoP as it's much closer by latency, thus faster.

Cheers,
Seth
Re: Shim6, was: Re: filtering /48 is going to be necessary
On 12-3-2012 16:07, Robert E. Seastrom wrote:
> Doug Barton do...@dougbarton.us writes:
>
> Grass-roots, bottom-up policy process + Need for multihoming + Got tired of waiting = IPv6 PI

+ Cheap End Users = IPv6 NPt (IPv6 Prefix Translation)

Cheers,
Seth
Re: Shim6, was: Re: filtering /48 is going to be necessary
Hi,

On 12 Mar 2012, at 18:09, Owen DeLong wrote:
>> + Cheap End Users = IPv6 NPt (IPv6 Prefix Translation)
>>
>> Cheers,
>> Seth
>
> I don't get the association between cheap end users and NPT. Can you explain how one relates to the other, given the added costs of unnecessarily translating prefixes?

Well, to explain cheap here I would like to explain it as follows:

- The existing yumcha plastic soap box that you can buy at your local electronics store is powerful enough. About as fast in v6 as it does v4 since it is all software anyhow. It only gets faster from there.
- Requires no cooperation from the ISP. This gets excessively worse where n > 1. Some have 8 or more for added bandwidth.
- The excessive cost associated by current ISP practices that demand you use a business connection (at reduced bandwidth and increased cost). Somehow there was a decision that you can't have PI on consumer connections.
- Traffic engineering is a cinch, since it is all controlled by the single box. For example round robin the connections for increased download speed. Similar to how we do it in v4 land.
- It is mighty cheap to implement in current software; a number of Cisco and Juniper releases support it. The various *BSD platforms do and Linux is in development.
- Not to underestimate the failover capabilities when almost all routers support 3G dongles for backup internet these days.

There are considerable drawbacks of course:

- Rewriting prefixes breaks VoIP/FTP again, although without the port rewriting the impact is less, but significant. I'd really wish that H.323, FTP and VoIP would go away. Or other protocols that embed local IP information inside the datagram. But I digress.
- People balk at the idea of NAT66, not to underestimate a very vocal group here. All for solutions here. :-)
- It requires keeping state, so no graceful failover. This means dropping sessions of course, but the people that want this likely won't care for the price they are paying.

Probably missed a bunch of arguments the people will complain about. It is probably best explained in the current experimental draft for NPt.

http://tools.ietf.org/html/rfc6296

Cheers,
Seth
Re: ATT home DSL IPv6 configuration?
On 10 Mar 2012, at 03:40, Chris Adams wrote:
> Can anybody tell me how they are configuring their IPv6 setup?

They deploy using 6rd. In other words, they get to deploy IPv6 _again_ in about a few years' time.

Basically any router with 6rd support and the knobs in the UI to input their 6rd border relay and you should be good. It's nice that you can use their border relay from outside the US too.

Regards,
Seth
Re: enterprise 802.11
Hi,

We chose the 3Com, now H3C, WX3012 controller and AP9552 access points. Initial issues were that BlackBerries could not connect to the wifi; the support initially was mediocre. Do note that this was at the time that everything got sold to HP. And they did pick up the issue and came around with a fix in about a month's time.

It's been working swell since then, I mean, the spelling errors in the UI I can live with. It's been stable so far. It was also by far the most reasonably priced. That counts for something.

VLANs, RADIUS, captive portal etc. worked for me. UI is good enough to use and diagnose clients. Wireless coverage is ... well, it's wireless. Reliable wireless isn't. Unless it's 5GHz, and stopped by 1 floor or wall. I digress.

Regards,
Seth

On 15 Jan 2012, at 20:57, Mike Hale wrote:
> Cisco's wireless solutions are pretty badass. The APs I've used are absolutely rock solid. Set up will take a bit of time, but once you're done, maintenance is minimal.
>
> On Jan 15, 2012 11:54 AM, Mike Lyon mike.l...@gmail.com wrote:
>> Ubiquity (www.ubnt.com) has their Unifi line of products. It's still pretty new in the marketspace and thus, working out the bugs. I use their other products exclusively for outdoor wireless. However, in the offices I've done, I've used Cisco's WLC 4402 controller which supports 12 access points. They have controllers which support more APs as well. Hit me up offlist if you have any questions.
>>
>> -mike
>>
>> Sent from my iPhone
>>
>> On Jan 15, 2012, at 11:39, Meftah Tayeb tayeb.mef...@gmail.com wrote:
>>> Ubiquity or ubikity, maybe is miss spelled
>>> Someone correct the spelling for him please
>>> thank you
>>>
>>> - Original Message -
>>> From: Ken King kk...@yammer-inc.com
>>> To: nanog@nanog.org
>>> Sent: Sunday, January 15, 2012 9:30 PM
>>> Subject: enterprise 802.11
>>>
>>>> I need to choose a wireless solution for a new office. up to 600 devices will connect. most devices are mac books and mobile phones.
>>>> we can see hundreds of access points in close proximity to our new office space.
>>>> what are the thoughts these days on the best enterprise solution/vendor?
>>>> Thanks for your replies.
>>>>
>>>> Ken King
>>>
>>> __ Information from ESET NOD32 Antivirus, version of virus signature database 6793 (20120113) __
>>> The message was checked by ESET NOD32 Antivirus.
>>> http://www.eset.com
IPv6 resolvers
Hi Nanog, Owen,

I was wondering if many people are seeing horrendous latency on the free Hurricane Electric resolvers? Both accessing the v4 or v6 resolvers have horrendous latency. This could well be coupled to their free nature and popularity.

So far when contacting Hurricane Electric they restart the resolver on their end and all is well again, but now other pfSense users in the US were noticing these latency issues as well, leading me to believe it is a larger issue. But I was wondering if a more permanent solution for these resolvers exists.

74.82.42.42       2373 msec
2001:470:20::2    2592 msec

The Google DNS server I'm using is doing swimmingly so far; OpenDNS seems ok too.

2001:4860:4860::8844    16 msec

Kind regards,
Seth Mos
Re: IPv6 resolvers
Hi,

Just pointing out to others responding to this thread that I was referring to the *query* response times; I said nothing about ICMP, which is perfectly fine. So please stop responding with ping response times already :-)

No, pfSense does not set these per default; they are in wide use because these are part of the Google DNS whitelist for v6 records.

On 4 Jan 2012, at 21:33, Mark Kamichoff wrote:
> ;; ANSWER SECTION:
> cnn.com.   299  IN  A  157.166.226.26
> cnn.com.   299  IN  A  157.166.255.19
> cnn.com.   299  IN  A  157.166.255.18
> cnn.com.   299  IN  A  157.166.226.25

And a similar mistake I see others respond to as well: this is another domain with just an IPv4 record. That was not really what I was complaining about, but I was not specific enough in my email.

When requesting the DNS for a hostname with a quad A the story is entirely different! Try www.pfsense.com or www.didi.nl. Those will definitely hit the issue, otherwise one can always use Nanog.org like below.

74.82.42.42            2204 msec
2001:4860:4860::8844     17 msec
2001:470:20::2         2890 msec

Best regards,
Seth

> ;; Query time: 38 msec
> ;; SERVER: 74.82.42.42#53(74.82.42.42)
> ;; WHEN: Wed Jan  4 15:27:17 2012
> ;; MSG SIZE  rcvd: 89
>
> (neodymium:15:32)% dig @2001:470:20::2 cnn.com. A
>
> ; <<>> DiG 9.7.3 <<>> @2001:470:20::2 cnn.com. A
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41382
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;cnn.com.   IN  A
>
> ;; ANSWER SECTION:
> cnn.com.   295  IN  A  157.166.226.25
> cnn.com.   295  IN  A  157.166.255.18
> cnn.com.   295  IN  A  157.166.255.19
> cnn.com.   295  IN  A  157.166.226.26
>
> ;; Query time: 20 msec
> ;; SERVER: 2001:470:20::2#53(2001:470:20::2)
> ;; WHEN: Wed Jan  4 15:32:27 2012
> ;; MSG SIZE  rcvd: 89
>
> That being said, keep in mind these are anycasted. I'm using 216.66.22.2 [tserv13.ash1.ipv6.he.net] for IPv4 and 209.51.161.14 [tserv4.nyc4.ipv6.he.net] according to the A record returned by whoami.akamai.net.
>
> I might not be hitting the same server you are.
>
> - Mark
>
> --
> Mark Kamichoff
> p...@prolixium.com
> http://www.prolixium.com/
Re: IPv6 RA vs DHCPv6 - The chosen one?
On 26 Dec 2011, at 20:46, Steven Bellovin wrote:
> Not quite what you're asking for, but I was very pleasantly surprised to see that some (at least) Brother printers support IPv6. Progress...

Indeed, my Mac has no issues printing or scanning to my MFC-9465DCN I purchased recently. I was pleasantly surprised; only SLAAC though, but it does register through mDNS and Bonjour.

Cheers,
Seth
Re: IPv6 RA vs DHCPv6 - The chosen one?
Hi,

On 21 Dec 2011, at 20:16, Tomas Podermanski wrote:
> Hi,
>
> from my perspective the short answer for this never-ending story is:

To be fair, SLAAC was designed as a light weight method to configure addressing on the hosts. Hosts. We don't have hosts on the internet anymore; we stopped using dialup ages ago (or so it seems). We now address routers, and those have very different requirements, like needing routing and firewalling and some way to get subnets routed to them; that is where DHCP6 prefix delegation comes in.

SLAAC serves no purpose for routers bar making the configure process awkward and error prone. That wasn't what we needed.

I recently had a conversation with a promoter of the SLAAC method. A 64KB RAM device can configure an address and work as an autonomous sensor. I raised the concern that the device might need to connect to a host, since you couldn't find it in a /64 of address space. He honestly suggested that you could just configure it to have it connect to a static address. Really, and nobody renumbers networks, at all? That's false. And that is still a host, not a router.

And since then we've come a lot farther than 64KB sensor devices. Considering we can buy (wireless) routers at the local mall that have more RAM and processing power than we used to have in a computer in the 90s, now in a tablet, phone or other embedded device.

Having built DHCP6 support in an open source firewall I agree that the (+IPv6) configuration of routers has become overly complicated and error prone, even more so due to possible renumbering. RA will have one thought, and the DHCP6 client another, not even going into multiple (possibly differing) feeds of both IPv4 and IPv6 DNS servers.

It was intended for hosts, not really minding that, but please, can we stop using it for routers?

Regards,
Seth
Re: Dynamic (changing) IPv6 prefix delegation
Hi,

On 24 Nov 2011, at 21:09, Joel Jaeggli wrote:
> On 11/21/11 14:18 , Nathan Eisenberg wrote:
>>> Look at the number that are refusing to make generous prefix allocations to residential end users and limiting them to /56, /60, or even worse, /64.
>>
>> Owen,
>>
>> What does Joe Sixpack do at home with a /48 that he cannot do with a /56 or a /60?
>
> prefix delegation to a downstream device via dhcp-pd
>
> Joe Sixpack might not even realize that his device even does this.

I actually added a DHCPv6 server that can do just this. Still considering if it should do that automatically.

Contrary to proper networking, I frequently see double NAT routers because they purchased a new wifi router which is then daisy chained to the old one. Or they had a non-wifi model and plugged in the port labeled (internet) of the new wifi router into the existing one. Which is more common.

With dhcp-pd in each, you could daisy chain a few times before it gives out.

You know what, let's just build that because I can; it's a few hours of coding, but nothing too serious. Most hooks are already in place. I just didn't start a dhcpdv6 automatically yet.

In a nutshell. Yes, Please.

Regards,
Seth
Dynamic (changing) IPv6 prefix delegation
Hello List,

As a pfSense developer I recently ran into a test system that (actually) gets an IPv6 prefix from its ISP. (Hurrah). What is bewildering to me is that each time the system establishes a new PPPoE session to the ISP they assign a different IPv6 prefix via delegation, together with a differing IPv4 address for the WAN.

Is this going to be the way forward for other consumer ISPs in the world? One of the thoughts that came to mind is T-Online in Germany that still disconnects its (PPPoE) user base every 24 hours for a new random IP.

Short of setting really short timers on the RA messages for the LAN I can see a multitude of complications for consumers in the long run. People that configure their NAS, Media Player and Printer on their own network. And using ULA for either is not workable unless they somehow manage to grow DNS skill on the end user. Their NAS probably wants to download from the 'net and access videos from the NAS. The media player wants to be able to access youtube and the laptop needs to (reliably) find its printer each time.

I really hope that ISPs will commit to assigning the same prefix to the same user on each successive connection. Here is to hoping.

Kind regards,
Seth
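An added example, written for this page and not pfSense's DHCPv6 code, of the sub-delegation model that this post and the two earlier prefix-delegation posts (the /56 to /64 carve-up with a part reserved for PD, and dhcp-pd daisy chaining) describe: the delegated prefix is split into equal sub-prefixes, the first few are kept for the router's own LANs, the rest are leased to downstream routers one per client DUID, and when the ISP hands out a different prefix on reconnect every lease keeps its offset inside the new prefix. The class and method names are my own and the prefixes are documentation addresses.

```python
import ipaddress


class PDPool:
    """Sub-delegation pool built on one DHCPv6-PD prefix (illustrative model).

    The delegated prefix is split into 2**(sub_prefix - prefixlen) equal
    sub-prefixes. Indices 0..local_lans-1 are reserved for this router's own
    interfaces; the rest are leased to downstream routers, one per DUID, so a
    chain of routers keeps one aggregatable route per hop.
    """

    def __init__(self, delegated, sub_prefix, local_lans):
        self.sub_prefix = sub_prefix
        self.local_lans = local_lans
        self.leases = {}          # client DUID -> sub-prefix index
        self.delegated = None
        self.count = 0
        self.renumber(delegated)

    def renumber(self, delegated):
        """Install a (possibly new) delegated prefix; leases keep their index."""
        net = ipaddress.IPv6Network(delegated)
        if not net.prefixlen < self.sub_prefix <= 64:
            raise ValueError("sub-prefix must be longer than the delegated prefix and at most /64")
        count = 1 << (self.sub_prefix - net.prefixlen)
        if self.local_lans >= count:
            raise ValueError("no sub-prefixes left to delegate")
        if any(idx >= count for idx in self.leases.values()):
            raise ValueError("existing leases do not fit inside the new prefix")
        self.delegated = net
        self.count = count

    def _subnet(self, idx):
        # Computed arithmetically so a short delegated prefix does not need a
        # list of millions of /64s.
        base = int(self.delegated.network_address)
        return ipaddress.IPv6Network((base + (idx << (128 - self.sub_prefix)), self.sub_prefix))

    def local(self, n):
        """Sub-prefix for this router's n-th own LAN."""
        if not 0 <= n < self.local_lans:
            raise IndexError("no such local LAN")
        return self._subnet(n)

    def delegate(self, duid):
        """Lease a sub-prefix to a downstream router; repeat requests are sticky."""
        if duid in self.leases:
            return self._subnet(self.leases[duid])
        used = set(self.leases.values())
        for idx in range(self.local_lans, self.count):
            if idx not in used:
                self.leases[duid] = idx
                return self._subnet(idx)
        raise RuntimeError("PD pool exhausted")

    def release(self, duid):
        self.leases.pop(duid, None)


if __name__ == "__main__":
    pool = PDPool("2001:db8:ab00::/56", sub_prefix=64, local_lans=2)
    print(pool.local(0), pool.delegate("duid-cpe-1"))
    pool.renumber("2001:db8:cd00::/56")   # ISP handed out a new prefix on reconnect
    print(pool.delegate("duid-cpe-1"))    # same offset, new prefix
```

A /48 delegation with `sub_prefix=56` gives the first level of the chain Seth describes (each downstream router can then run its own pool at /64), and `renumber` is the hook a PPPoE reconnect would call: the downstream routers see a changed prefix but the same subnet offsets, which is what keeps their own delegations stable.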
Re: Firewalls - Ease of Use and Maintenance?
On 9-11-2011 0:06, Jones, Barry wrote:
> Hello all.
> I am potentially looking at firewall products and wanted suggestions as to the easiest firewalls to install, configure and maintain? I have a few small networks (<50 nodes at one site, 50 odd at another, and maybe 20 at another). I have worked with Cisco Pix, ASA, Netscreen, and Checkpoint (Nokia), and each have strong and not as strong features for ease of use. Like everyone, I'm resource challenged and need an easy solution to stand up and operate.

I am biased because I am a pfSense developer. pfSense is a free open source FreeBSD based firewall with the pf packet filter.

http://www.pfsense.org

It supports various features and installable packages that might fill your needs. Commercial support is also available.

One of the reasons I use it at work is because it is by far the cheapest solution to gigabit redundant (Active/Passive) firewalls. It runs on x86 machines from the low end PCengines.ch Alix 2D3 to something like a dual core Intel Atom, or for the higher end on a normal server.

It is administered entirely via the webUI, saves the config in an XML file you can back up and then restore on pretty much any other hardware you have around should it need to be replaced. The (readable) XML file was also really easy to provision things like hundreds of VPN tunnels instead of clicking through the UI. The PHP command interface allows you to perform scripting operations on the XML as well, which comes in handy on mass mutations.

Kind regards,
Seth
Re: Firewalls - Ease of Use and Maintenance?
On 9-11-2011 11:07, Tom Hill wrote:
> On Wed, 2011-11-09 at 09:13 +0100, Seth Mos wrote:
>> I am biased because I am a pfSense developer. pfSense is a free open source FreeBSD based firewall with the pf packet filter.
>>
>> http://www.pfsense.org
>
> I'm a very happy user of m0n0wall and I know pfSense is often seen as the more 'grown up' variant. Still though, I hear bad things of the IPv6 support in pfSense. It's available but not stock-standard supported.

That is correct, it is in the 2.1 branch. Our code has diverged a lot from m0n0wall where it came from, so porting it was not easy. Instead I wrote the code from scratch.

I wrote the IPv6 code in pfSense 2.1 for the last year and I've been using it in production for quite a while now. Since February this year to be precise. It is true that until 2.1 is released somewhere next year the latest official release is pfSense 2.0.

The people running Commercial support do support 2.1 with IPv6 if you need it though. There are already a number of customers running it in production because they needed IPv6 support.

The biggest holdup is lack of commercial VPN client support for dual-stack. Viscosity, Tunnelblick, I am looking at you. We do ship a working Windows OpenVPN dual stack client solution in the Client exporter on 2.1.

Working dual stack for your VPN solution is kind of important if you expect to be able to reach your corporate servers. Much grief/fun to be had here. If the corporate LAN advertises quad A records then it will confuse your VPN clients if they have a v4 VPN address but only a v6 internet address.

> How does the pfSense developer attitude towards filtering the entire Internet, IPv6 included, currently stand?

I do not quite understand your question. If you are referring to a default deny policy on incoming traffic, then yes. The default rule is to deny incoming traffic over IPv6 as it did over IPv4. You will need to create rules to allow it through. Default LAN rule is allow both IPv4 and IPv6 out.

Of course you can alter the firewall rules as you see fit. If I misunderstood your question then please verify.

Kind regards,
Seth
Re: Performance Issues - PTR Records
On 7-11-2011 14:46, sth...@nethelp.no wrote:
>> The practice of filling out the reverse zone with fake PTR records started before there was wide spread support for UPDATE/DNS. There isn't any need for this to be done anymore. Machines are capable of adding records for themselves.
>
> How do I set this up for DHCPv6-PD? Say, I delegate 2001:db8:42::/48 to the end user. Should I delegate reverse DNS as well? If so, to whom? Or is it the CPE's responsibility to dynamically add records for whatever addresses it sees on the internal LAN(s)? Are there CPEs capable of doing this? Or will the end systems themselves do the update against my DNS server? If so, how do I authenticate that?
>
> With my ISP hat on, I find the idea of customer CPEs updating their own PTR records to be completely unacceptable. So I guess I'll either live without the reverse DNS, or use a name server that can synthesize answers on the fly.

That seems like a really nice feature: create a reverse record to spoof a mail server and the reverse DNS will match up. If the domain does not employ SPF it will look legit; forward and reverse won't match up of course. Not sure how many mailservers have issues with that if the reverse matches up. Sounds like a fine way to employ a spam botnet.

Regards,
Seth
Re: routing issue for verizon dsl customers in western massachusetts
Congratulations on your NAT444 connection. I suspect an autoblocklist of sorts. They somehow always end up blocking the hosts you are using. I vaguely remember my Watchguard Firebox 1000 doing so. It was red too.

Regards and good luck,

Seth

typed on a tiny touchscreen, why exactly?

Steve Bohrer skboh...@simons-rock.edu wrote:
> On Sep 15, 2011, at 3:39 PM, Christopher Morrow wrote:
>> On Thu, Sep 15, 2011 at 3:34 PM, Brian Gold bg...@simons-rock.edu wrote:
>>> Over the past week, we've discovered that there is an issue with the way some Verizon DSL customers are being routed in Western Massachusetts that is preventing them from reaching my employer's public IPs. The problem is only limited to Verizon DSL customers, everyone else can reach these IP addresses just fine. After many hours on the phone with Verizon tech support, I finally managed to get myself and one of my coworker's home dsl connections switched from a redback router to a juniper router which resolved the issue, but only for us.
>> [...]
>> If you buy verizon services at your day job you can probably make noise through your sales droids better than here (sadly)... verizon likes to jump when customers have problems, if the customer is a large corporation or other 'important' customer.
>
> That is just the problem! The college does not buy any Verizon network stuff directly, so we don't really have any access to their support. (We have a few cell phones, but not enough to be important.) Brian Gold (who first posted) happens to have their DSL to his house, and he was one of five who have reported the problem, so that gave him a slight in. But the only techs he could reach as an end user were not high enough up to fix this problem in a general way. After pressing them for literally hours, he was able to get transferred to their NOC, and get the problem resolved for his one address. But, they would not give him the NOC contact, and he had to repeat this multi-hour process to get it fixed for another user.
>
> Verizon's DSL support suggested that we get our bandwidth provider involved, and so they tried to pitch in, but they don't have any Verizon NOC contact either, especially since this issue is purely within a small corner of Verizon's DSL network, not on any of Verizon's links to our provider.
>
> This issue hits only a few Verizon DSL users in NW Mass. It does not really seem like a routing problem, because the affected users can reach many of the servers in our AS, but not some addresses. Unfortunately, the blocked addresses include our web server and our mail server, so our staff who live out there noticed the issue pretty quickly. Traceroutes from Brian's house show that for our blocked hosts, the users don't get beyond Verizon's NAT.
>
> The Verizon tech's fix of re-patching Brian's DSL line in to a different router feels to me like there is a config problem in the other router, but the tech we got is not authorized to alter the config. It would be nice if we could reach someone who could actually edit the broken config and make it right.
>
> Anyone from Verizon's NOC for Western Mass reading this? Or, does anyone else have useful contact info for them?
>
> FWIW, Simon's Rock is 208.81.88.0/21, AS 19345.
>
> Here are a failed and a good trace from Brian's house, to different servers on our campus:
>
> FAILS:
>
> Tracing route to wilbur.simons-rock.edu [208.81.88.15]
> over a maximum of 30 hops:
>
>   1     1 ms     1 ms     1 ms  192.168.10.1
>   2     1 ms     1 ms     1 ms  192.168.1.1
>   3    53 ms   104 ms   116 ms  10.14.1.1
>   4     *        *        *     Request timed out.
>   5     *        *        *     Request timed out.
>   6     *        *        *     Request timed out.
>   7     *        *        *     Request timed out.
>
> WORKS:
>
> Tracing route to dev.simons-rock.edu [208.81.88.25]
> over a maximum of 30 hops:
>
>   1     1 ms     1 ms     1 ms  192.168.10.1
>   2     1 ms     1 ms     1 ms  192.168.1.1
>   3    87 ms    54 ms    54 ms  10.14.1.1
>   4    99 ms   109 ms   103 ms  at-0-3-0-1711.WMA-CORE-RTR2.verizon-gni.net [130.81.10.77]
>   5    16 ms    18 ms    16 ms  so-7-3-1-0.NY5030-BB-RTR2.verizon-gni.net [130.81.20.6]
>   6    19 ms    17 ms    17 ms  0.xe-3-1-0.BR3.NYC4.ALTER.NET [152.63.2.81]
>   7    18 ms    21 ms    18 ms  204.255.168.194
>   8   108 ms   188 ms   116 ms  pos5-0-2488M.cr1.BOS1.gblx.net [67.17.94.57]
>   9    24 ms    28 ms    23 ms  pos0-0-0-155M.ar1.BOS1.gblx.net [67.17.70.162]
>  10   121 ms   160 ms   127 ms  64.213.79.250
>  11    77 ms    77 ms    78 ms  208.81.88.25
>
> Trace complete.
>
> Anyways, thanks for any suggestions you can offer.
>
> Steve Bohrer
> Network Administrator
> ITS, Bard College at Simon's Rock
> 413-528-7645
Re: NAT444 or ?
On 7 Sep 2011, at 19:06, jean-francois.tremblay...@videotron.com wrote:
>>> On Wed, Sep 07, 2011 at 12:16:28PM +0200, Randy Bush wrote:
>>>>> I'm going to have to deploy NAT444 with dual-stack real soon now.
>>>>
>>>> you may want to review the presentations from last week's apnic meeting in busan. real measurements. sufficiently scary that people who were heavily pushing nat444 for the last two years suddenly started to say it was not me who pushed nat444, it was him! as if none of us had a memory.
>>
>> Hm, I fail to find relevant slides discussing that. Could you please point us to those?
>
> I had the same question. I found Miyakawa-san's presentation has some dramatic examples of CGN NAT444 effects using Google Maps:
> http://meetings.apnic.net/__data/assets/file/0011/38297/Miyakawa-APNIC-KEYNOTE-IPv6-2011-8.pptx.pdf
>
> However these are with a very high address-sharing ratio (several thousands users per address). Using a sparser density (<= 64 users per address) is likely to show much less dramatic user impacts.

I think you have the numbers off; he started with 1000 users sharing the same IP, since you can only do 62k sessions or so, and with a normal timeout on those sessions you ran into issues quickly. The summary is that with anything less than 20 simultaneous TCP sessions per user Google Maps or Earth was problematic. From 15 and downwards almost unusable. He deducted from testing that about 10 users per IP was a more realistic limit without taking out the entire CGN experience.

On a personal note, this isn't even taking into question things like broken virus scanners or other software updates that will happily try to do 5 sessions per second, or an MSN client lost trying to do 10 per second. The most the Windows IP stack will allow on client versions.

The real big issue that will be the downfall of NAT444 is the issue with ACLs and automatic blocklists and the loss of granular access control on that which the ISP has no control of. Which roughly estimates to the internet.

Regards,
Seth
Re: NAT444 or ?
On 8 Sep 2011, at 07:26, Geoff Huston wrote:
> On 08/09/2011, at 2:41 AM, Leigh Porter wrote:
>
> It may not be what Randy was referring to above, but as part of that program at APNIC32 I reported on the failure rate I am measuring for Teredo. I'm not sure it's all in the slides I was using, but what I was trying to say was that STUN is simply terrible at reliably negotiating a NAT. I was then wondering what pixie dust CGNs were going to use that would have any impact on the ~50% connection failure rate I'm observing in Teredo. And if there is no such thing as pixie dust (damn!) I was then wondering if NATs are effectively unusable if you want anything fancier than 1:1 TCP connections (like multi-user games, for example).
>
> After all, a 50% connection failure rate for STUN is hardly encouraging news for a CGN deployer if your basic objective is not to annoy your customers.

The striking thing I picked up is that NTT considers the CGN equipment a big black hole where money goes into. Because it won't solve their problem now or in the future and it becomes effectively a piece of equipment they need to buy and then scrap soon after.

They acknowledge the need, but they'd rather not buy one. That and they (the ISP) get called for anything which doesn't work.

Regards,
Seth
Re: Point to MultiPoint VPN w/qos
On 6-9-2011 15:49, Positively Optimistic wrote:
> Greetings
>
> Does anyone have a suggestion for a single piece of hardware that would support 8 or less Ethernet interfaces and the two vpn tunnels ?

Single piece of hardware, no. If 2, then yes.

A PCengines Alix 2D3 with pfSense/m0n0wall and OpenVPN UDP tunnels to the datacenter, combined with a Power over Ethernet switch, would seem a likely combination. A HP Procurve 8 Port gigabit desktop switch with PoE comes to mind. Not too expensive, fanless, quiet, reliable, does VLANs. That way you can power the router and phones from the same (smallish) UPS. Say a 700VA APC.

Regards,
Seth
Re: iCloud - Is it going to hurt access providers?
On 3 Sep 2011, at 19:49, Jimmy Hess wrote:
> On Sat, Sep 3, 2011 at 6:20 AM, Skeeve Stevens ske...@eintellego.net wrote:
>> My guess is that 99% of consumer internet access is Asymmetrical (DSL, Cable, wireless, etc) and iCloud when launched will 'upload' obscene amounts of gigs of music, tv, backups, email, photos, documents/data and so on to their data centres.
>
> since a majority of music files backed up would be file-identical with material someone else had already backed up, and identical to material already in the iTunes store (which they could pre-seed their database with).

How would storage vendors otherwise sell deduplication? I mean you could make the application smarter but that wouldn't sell more spinning rust or licenses.

Regards,
Seth
Re: in defense of lisp
On 13-7-2011 16:09, Randy Bush wrote:

> btw, a little birdie told me to take another look at

The free, open source, FreeBSD-based pfSense firewall supports this. Not everyone can get BGP; specifically calling out residential connections here. As a 1:1 NAT mechanism it works pretty well: I can reach the outside, and the outside can reach me, which I think is what was intended in the specifications. And pretty much the internet.

It took me 4 months to write the IPv6 support in pfSense to what it is today, which is not feature complete. But the NPT part was just a few hours in the grand scheme. I've also contacted the nice people from the draft that we support it. Since then we've got v4 and v6 with BGP at work so it's moot. But I digress.

Kind regards,
Seth Mos
pfSense developer

> 6296 IPv6-to-IPv6 Network Prefix Translation. M. Wasserman, F. Baker. June 2011. (Format: TXT=73700 bytes) (Status: EXPERIMENTAL)
>
> which also could be considered to be in the loc/id space
>
> randy
Re: Address Assignment Question
On 20 Jun 2011, at 23:24, Tony Finch wrote:

> On 20 Jun 2011, at 16:26, Jérôme Nicolle jer...@ceriz.fr wrote:
>
>> But most RBL managers are shitheads anyway, so help them evade, that'll be one more proof of spamhaus co. uselessness and negative impact on the Internet's best practices.
>
> An organization that blocks 90% of spam with no false positives is incredibly useful.

Using a greylisting system is equally effective without the black list part. My milter-greylist installation is aimed at allowing as much mail through as it can, instead of the other way around.

Milter-greylist has a nice urlcheck feature and/or LDAP verification for users. In my case it's a PHP script. If I can verify the IP to be inside a /22 of the MX records, www records or domain records, that is sufficient to bypass the greylisting. The timers are also quite lenient. Just 15 minutes of wait is enough, or they are persistent if we've seen them before by domain. We get the email regardless and phone calls are rare, and I never run the risk of never getting the email.

This has turned out to be a really effective way to allow normal email through without much delay. After just 2 days at work it's whitelisted over 75% of the active domains we do business with.

We have about 17 domains and I know what the poster is asking; we've been emailing our customers before, subscribed customers nonetheless. We've had our share of blacklisting before. And we even sent the emails with unsubscribe links. But some of them will click the "report this as spam" link in their favourite mail agent as a means to unsubscribe. I mean, clicking a link is hard.

The end result is that we end up on various block lists. It's a good thing that the email servers at large ISPs are often sensible enough to let the email through. Some of the smaller ones had rather odd draconian limits set. This makes the situation for all of us worse.

Regards,
Seth
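The bypass and timing rules Seth describes above (a sender inside a /22 around the domain's MX, www or apex records skips the greylist; everyone else waits 15 minutes, after which the domain stays whitelisted), as an added Python example. It is not part of the post and not milter-greylist's own code: the DNS answers are replaced by a constructed RESOLVED_RECORDS table, the names Greylister and address_bypasses are this example's own, and treating IPv6 records as an exact match is an assumption, since the post only gives a /22.

```python
# Added example (not from the post, not milter-greylist's code): a
# greylisting policy with the two relaxations Seth describes. A sender
# whose IP falls inside a /22 around any address the sender domain's MX,
# www or apex records resolve to skips the greylist; everyone else is
# tempfailed for 15 minutes, after which the domain is whitelisted.
import ipaddress
import time

GREYLIST_DELAY = 15 * 60  # the post's "just 15 minutes of wait", in seconds

# Constructed stand-in for DNS: addresses the sender domain's MX, www and
# apex records resolve to. The post does this from a PHP urlcheck script;
# here the answers are inlined so the example runs offline.
RESOLVED_RECORDS = {
    "example.com": ["192.0.2.10", "192.0.2.200", "2001:db8::25"],
}


def address_bypasses(sender_ip, domain, records=RESOLVED_RECORDS):
    """True if sender_ip lies within a /22 of any record of the domain.

    The post specifies a /22 for IPv4 only; treating IPv6 records as an
    exact match is this example's assumption, not the post's rule.
    """
    try:
        ip = ipaddress.ip_address(sender_ip)
    except ValueError:
        return False  # malformed address: never a reason to bypass
    for rec in records.get(domain, []):
        try:
            rec_ip = ipaddress.ip_address(rec)
        except ValueError:
            continue
        if rec_ip.version != ip.version:
            continue
        if ip.version == 4:
            if ip in ipaddress.ip_network(f"{rec_ip}/22", strict=False):
                return True
        elif ip == rec_ip:
            return True
    return False


class Greylister:
    """Tracks first-seen times per (ip, domain) and a per-domain whitelist."""

    def __init__(self, delay=GREYLIST_DELAY, records=RESOLVED_RECORDS):
        self.delay = delay
        self.records = records
        self.first_seen = {}      # (sender_ip, domain) -> first attempt time
        self.whitelisted = set()  # domains that have completed the wait

    def decide(self, sender_ip, sender_domain, now=None):
        """Return 'accept' or 'tempfail' (an SMTP 4xx) for one delivery attempt."""
        now = time.time() if now is None else now
        if sender_domain in self.whitelisted:
            return "accept"  # "persistent if we've seen them before by domain"
        if address_bypasses(sender_ip, sender_domain, self.records):
            return "accept"  # inside a /22 of the domain's own hosts
        first = self.first_seen.setdefault((sender_ip, sender_domain), now)
        if now - first >= self.delay:
            self.whitelisted.add(sender_domain)
            return "accept"
        return "tempfail"
```

Keying the persistent whitelist on the sender domain alone is what the post describes; a site that finds that too trusting can key it on the (IP, domain) pair instead, which the first_seen table already tracks.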
Re: Address Assignment Question
On 20 Jun 2011, at 23:55, John Levine wrote:

>>> An organization that blocks 90% of spam with no false positives is incredibly useful.
>>
>> Using a greylisting system is equally effective without the black list part.
>
> Hi. I'm the guy who wrote the CEAS paper on greylisting. Greylisting is useful, but anyone who thinks it's a substitute for DNSBLs has never run a large mail system.

We use the black lists for scoring spam messages, but we never outright block messages. I was not implying that blacklists are not useful at all. I just see things in shades of grey over black and white. Of the 17 domains we have with roughly 250 users it does well enough.

Regards,
Seth
Re: Question about migrating to IPv6 with multiple upstreams.
On 14 Jun 2011, at 19:04, Ray Soucy wrote:

> My guess is within the next year we'll see something pop up that does this.

Ehm, it's already here, you searched Google right? I finished it 4 months ago. And a number of commercial platforms already support it. Although Owen doesn't like it much.

I really wish there was a more bomb-proof lite version of the BGP protocol.

- One that has proper authentication not based on a single MD5.
- One that does not allow the client side to define the networks.
- That will only support default routes; it's easier if it can not carry the world.

I think an evolved version of eBGP multihop is workable, but you'd still need some lightweight form of hooking back into the BGP table. Ideally, ISPs could deploy a number of these route guides that would inject the proper route into the real BGP table, but by then it is filtered and the ISP has proper control over what ends up in it. Some ISPs could mark this up as a luxury version.

Perhaps a form of PI bound to country (exchange) would be a workable solution. So request a piece of country PI that is delegated explicitly to the roaming guide(s).

Regards,
Seth
Re: Question about migrating to IPv6 with multiple upstreams.
On 12 Jun 2011, at 03:50, Randy Carpenter wrote:

> I have an interesting situation at a business that I am working on. We currently have the office set up with redundant connections for their mission critical servers and such, and also have a (cheap) cable modem for general browsing on client machines.

So basically policy routing?

> The interesting part is that the client machines need to access some customer networks via the main redundant network, so we have a firewall set up to route those connections via the redundant connections, and everything else via the cheaper, faster cable modem. NAT is used on both outbound connections.

Yep, that sounds like policy routing.

> With IPv6, we are having some trouble coming up with a way to do this. Since there is no NAT, does anyone have any ideas as to how this could be accomplished?

Sure there is NAT: you can use prefix translation to translate your global address range from the redundant ISP to the cable ISP's global address range when leaving that interface.

I've run a similar setup with 3 independent ISPs with IPv6 netblocks. Whichever connection the traffic went out, it got the right GUA mapped onto it. Note that this is 1:1 NAT and not N:1.

In my case there was no primary GUA range; I used a ULA on the LAN side of things and mapped the corresponding GUA onto it when leaving the network. I had 3 rules, 1 for each WAN, and mapped the ULA/56 to the GUA/56.

In your case you already have a primary connection of sorts, so I'd suggest using that on the LAN side and only map the other GUA onto it when it leaves the other interfaces. The policy routing rules on your firewall can make all the routing decisions for you.

If you search Google for IPv6 network prefix translation there will be a firewall listed that can do this somewhere in the middle of the page.

Cheers,
Seth
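The 1:1 IPv6 prefix translation Seth describes here and in the "in defense of lisp" reply above (a ULA /56 on the LAN mapped to the GUA /56 of whichever WAN the packet leaves on, and back on the way in), as an added Python example. It is not pfSense's code and not the RFC 6296 text; the fd00 ULA and 2001:db8 documentation prefixes, the WAN names and the functions translate, checksum_neutral, outbound and inbound are constructed for this example. It follows the RFC 6296 idea of keeping the rewrite checksum-neutral by folding the difference into one 16-bit word of the interface identifier, so TCP and UDP checksums over the pseudo-header survive without rewriting the transport header.

```python
# Added example (not pfSense's code, not the RFC 6296 text): stateless 1:1
# IPv6 prefix translation as Seth describes it: an internal ULA /56 is
# mapped to the GUA /56 of whichever upstream the packet leaves on, and
# back again on the way in. The rewrite keeps the one's-complement sum of
# the address unchanged, so TCP/UDP checksums over the pseudo-header stay
# valid without touching the transport header (the RFC 6296 approach).
import ipaddress

# Constructed prefixes: one internal ULA and one documentation GUA per WAN.
INTERNAL = ipaddress.IPv6Network("fd00:1234:5678:ab00::/56")
WAN_PREFIXES = {
    "wan1": ipaddress.IPv6Network("2001:db8:abcd:ef00::/56"),
    "wan2": ipaddress.IPv6Network("2001:db8:1:100::/56"),
}


def _addr(a):
    return a if isinstance(a, ipaddress.IPv6Address) else ipaddress.IPv6Address(a)


def words(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    packed = _addr(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def ones_sum(ws):
    """One's-complement sum of 16-bit words, as used by Internet checksums."""
    s = sum(ws)
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def checksum_neutral(a, b):
    """True if a and b have the same one's-complement sum (0 and 0xFFFF are equal)."""
    return ones_sum(words(a)) % 0xFFFF == ones_sum(words(b)) % 0xFFFF


def translate(addr, src_prefix, dst_prefix):
    """Rewrite src_prefix to dst_prefix in addr without changing its checksum.

    Addresses outside src_prefix are returned untouched (not ours to map).
    """
    addr = _addr(addr)
    if src_prefix.prefixlen != dst_prefix.prefixlen:
        raise ValueError("1:1 mapping needs equal prefix lengths")
    if addr not in src_prefix:
        return addr
    plen = src_prefix.prefixlen
    host_mask = (1 << (128 - plen)) - 1
    new_int = (int(dst_prefix.network_address) & ~host_mask) | (int(addr) & host_mask)
    new_ws = words(ipaddress.IPv6Address(new_int))
    # Choose the word that absorbs the checksum difference: the subnet word
    # for /48 and shorter, otherwise the first IID word that is not 0xFFFF.
    if plen <= 48:
        idx = 3
    else:
        free = [i for i in range(4, 8) if new_ws[i] != 0xFFFF]
        if not free:
            raise ValueError("no IID word available for checksum adjustment")
        idx = free[0]
    before = ones_sum(words(addr))
    after = ones_sum(new_ws)
    # In one's-complement arithmetic, subtracting x is adding ~x, so this
    # sets new_ws[idx] += before - after, restoring the original sum.
    adj = ones_sum([new_ws[idx], before, (~after) & 0xFFFF])
    new_ws[idx] = 0 if adj == 0xFFFF else adj  # 0xFFFF and 0 are the same sum
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in new_ws))


def outbound(addr, wan):
    """LAN -> WAN: map the ULA onto the GUA of the interface the packet leaves on."""
    return translate(addr, INTERNAL, WAN_PREFIXES[wan])


def inbound(addr, wan):
    """WAN -> LAN: undo the mapping for traffic arriving on that interface."""
    return translate(addr, WAN_PREFIXES[wan], INTERNAL)


if __name__ == "__main__":
    lan = "fd00:1234:5678:ab42::10"
    for wan in WAN_PREFIXES:
        gua = outbound(lan, wan)
        print(wan, lan, "->", gua, "neutral:", checksum_neutral(lan, gua),
              "back:", inbound(gua, wan))
```

Because the mapping is stateless and works in both directions, which is exactly why "the outside can reach me", the firewall's own rule set still has to decide which inbound connections are permitted; prefix translation provides addressing, not access control.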
Re: The stupidity of trying to fix DHCPv6
On 12 Jun 2011, at 12:05, Daniel Roesen wrote:

> VRRP communications itself is via link-local addresses. There is a requirement to have a link-local virtual address as well, but there might be many more, e.g. global scope.

In FreeBSD with pfSense I use CARP with v6 addresses which are GUA; the ISP routes my /48 to the GUA address, and failover time when rebooting firewalls is in the order of seconds. I see no missed HTTP requests and no existing requests drop. The servers behind it are also configured to use the LAN side GUA CARP IPv6 address as the default gateway. pfsync makes sure that traffic state is being kept. Otherwise a whole lot of IPv6 VRRP setups won't be working here. :)

> We use global scope addresses as VRRP virtual router addresses.

Indeed, same here. We have an open ticket iirc to patch our radvd daemon to also announce properly when active on a v6 CARP address. It's that or being able to manually send a GUA address as being the gateway. Wait, that sounds suspiciously like trying to send a gateway bit by way of DHCP.

Luckily servers are statically configured. But now comes the deal that I want all my client nodes on the corporate LAN to also use the GUA address (which has stateful failover) for the gateway instead of the link local address of one of my CARP cluster nodes.

Other options include crafting a link local address for the CARP address and making sure that radvd uses that. The backup CARP node won't hear anything or be heard when the address has BACKUP status. It's on the todo list.

Regards,
Seth
Re: Facebook Engineering, on WIPv6D:
Hi Jay,

Can you correlate the user from the access logs and send them an email that their IPv6 internet is not working correctly?

Regards,
Seth

On 9 Jun 2011, at 05:03, Jay Ashworth wrote:

> World IPv6 Day came to an end earlier today. We successfully enabled IPv6 on our site for 24 hours, with great results. We saw over 1 million users reach us over IPv6. We're pleased that we did not see any increase in the number of users seeking help from our Help Center. The estimated 0.03% of users who may have been affected would have experienced slow page loads during the test.
>
> Based on the encouraging results, we've decided to leave our Developer site dual-stacked, supporting both IPv4 and IPv6. And we will continue to adapt our entire code base and tools to support IPv6.
>
> We are glad to have joined with the Internet Society, major Web companies, and other industry players to enable IPv6 for this test day. It was a great opportunity to test our infrastructure and IPv6 readiness. IPv6 is vital to the continued growth of the Internet, and World IPv6 Day was a great step in the advancement of the protocol. We hope the overall success of the 24 hour test will encourage others in the industry to establish reliable IPv6 connectivity and develop robust IPv6 products.
>
> Donn is glad the Internet didn't break today.
>
> That last was in italics... :-)
>
> Cheers,
> -- jra
> --
> Jay R. Ashworth    Baylink    j...@baylink.com
> Designer    The Things I Think    RFC 2100
> Ashworth Associates    http://baylink.pitas.com    2000 Land Rover DII
> St Petersburg FL USA    http://photo.imageinc.us    +1 727 647 1274
Re: SIXXS contact
On 27-4-2011 0:38, Andrew Kirch wrote:

> On 4/26/2011 12:11 PM, Brielle Bruns wrote:
>
>> I've run a volunteer/free hosting service since 1997 or so - it never ceases to amaze me how people will complain about free things, but when you ask them to pony up a little monthly support it's like you killed their puppy. I just term people who are more of a hassle than they are worth.
>
> I'm not complaining, but I would point out that if these free brokers are the public face of IPv6 for many hobbyists (and much of the various software run on/over the internet is written by volunteers, and/or given away for free), we aren't going to get there. The big deafening silence from SIXXS is really unfortunate in that it does actively affect my opinion of IPv6, my willingness to spend time implementing it, pestering my upstream about it, or having my business give a damn about it. Yes I know they're volunteers, but how much does that matter?

This same silence you mention is also my personal experience. I work on an open source firewall project in my spare time and found the issue annoying; as such I've decided to forgo Sixxs (dynamic) tunnel support and recommend the free Hurricane Electric tunnelbroker instead. I can spend my time better in getting OpenVPN working with IPv6 than waiting to accumulate kredits(tm).

Kind regards,
Seth