Re: [swinog] Switzerland judged "Cleanest Country"
2012/8/13 Oliver Schad
> It doesn't make sense to mix up responsibilities of entities. I'm very
> happy, that most of my domains have nothing to do with switch.ch and
> this clueless law.

I think the law does a good job of delimiting the cases where the block can be done. In addition, I think Switch does a good job applying this law. I'd be happy that switch blocks one of my domains to prevent me from being sued for damages by some infected people.

Furthermore, if the law is abused or misused, it will be enough to change it.

Guillaume
___
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] O2 (UK) sends your mobile number in HTTP header to every website you visit
Hi,

I just did a dump of packets reaching a website from Swisscom, and no phone number nor other identification data is inserted.

Guillaume

2012/1/25 Stanislav Sinyagin
> http://news.ycombinator.com/item?id=3508857
>
> did anyone test this for Swiss operators?
Re: [swinog] Split-horizon addressing (Was: Experience with 6rd Hardware)
2011/6/6 Jeroen Massar :
> On 2011-Jun-06 16:18, Guillaume Leclanche wrote:
>> 2011/6/6 Jeroen Massar :
>>> ULA would still require NAT66 if you want those hosts to be able to
>>> communicate to the outside, unless of course you want to firewall your
>>> internal machines based on the global prefix and update those firewall
>>> rules and all other dependencies all the time when your prefix
>>> changes... (the prefix change is why I mention NAT66 as renumbering is
>>> not funny, anywhere).
>>
>> So, first of all we talk about sites that would have today a dynamic
>> IPv4 address. That would be residential, mobile, and SOHO.
>>
>> In the worst case, these sites can deal with LAN communication using
>> ULA addresses, and then any public communication should be handled via
>> public IPv6, which are at the moment all in 2000::/3, so clearly easy
>> to identify and to put in a firewall. Readdressing the public
>> addresses in the LAN is done easily with RAs, or DHCPv6-PD if the LAN
>> is subdivided (and still in that case we've most likely left the normal
>> SOHO, and we're in a bigger company that will have static v4 and most
>> likely IPv6oE or in the home of a geek).
>
> So did you try the above out? Because if you did you would find the
> following minor problems:

No I did not do the test completely, but I've been in the process of seeing how to get things work together in a nice way over the last month. Details below.

> - what updates the firewall rules that the internal host has its
>   global changed IPv6 address? Swapping out the first 64bits could
>   work in theory, but might just break existing connections.

If you've changed your IPv6 prefix, you will break existing connections anyway.

I think in IPv6 the firewall should be filtering what really has to be filtered, that is LAN stuff: netbios, mDNS, nfs, printing, etc. Such a stateless filter can be done simply by "in/out" interfaces without knowing the real IP addresses.

You'd need the addresses to maintain a stateful filter (or want address-specific filters, but then again you can't do it better with NAT, where you use the Layer 4 ID to do port redirection). My personal opinion is that it's not necessary, but I admit that views can differ here.

> - how do you 'address' the internal services, everything goes by
>   address or do you allow people to use hostnames? Who updates
>   those hostnames, and does that hostname mean the internal one
>   or the external address or both?

mDNS should kick in here. That's definitely the way to go for most deployments. Apple did a good job on that one, and it's fair to say that it's a well-thought technology. An mDNS responder should respond with the ULA address of a service (if available of course). I agree that mDNS is in a developing state, and it's not all working as expected for IPv6.

> - when you have printer configured, and you take your laptop to
>   the lake, and you want to print, does it use the internal address
>   or the external one?

Corner case. If you do that, you start your VPN and you're in your LAN.

> And then the other bunch of issues which effectively come down to a
> split-horizon view of a network. Folks are worried about IPv4+IPv6
> fallback-connect issues as their browsers try both IPv6 and IPv4, be
> very worried when a host is both ULA and global though, which one to
> pick and when...

There's a major difference here. IPv4 vs IPv6 selection is left to the application, or if available, to a high level library with name-based sockets. ULA vs Global is left to the OS, which will do the selection following IETF standards. This means that applications don't have to be fixed.

> One of the biggest things with IPv6 which IPv4 does not allow for
> everyone on the world (as it works too with IPv4 if you got a large
> enough chunk of addresses) is that your address is globally unique, and
> thus you can keep on sending packets to that single address without
> issues. That concept breaks with ULA.

No, ULA has to be used for LAN-LAN communications, and Global for internet communications. Each equipment should have both addresses. If this is not respected, and ULA is used as RFC1918 with NAT66, then the goal is not reached, and as you say, it doesn't make much sense.

> ULA is nice, it solves some problems, but it does not solve the problem
> when a host is also connected to a public network and does get a
> globally unique address through there. ULA does solve the problem when
> the network is not connected to anything else and you don't want to
> bother with getting a prefix for a private network.
>
>> And finally, 6rd is a transition technology,
Re: [swinog] Experience with 6rd Hardware
2011/6/6 Jeroen Massar :
> ULA would still require NAT66 if you want those hosts to be able to
> communicate to the outside, unless of course you want to firewall your
> internal machines based on the global prefix and update those firewall
> rules and all other dependencies all the time when your prefix
> changes... (the prefix change is why I mention NAT66 as renumbering is
> not funny, anywhere).

So, first of all we talk about sites that would have today a dynamic IPv4 address. That would be residential, mobile, and SOHO.

In the worst case, these sites can deal with LAN communication using ULA addresses, and then any public communication should be handled via public IPv6, which are at the moment all in 2000::/3, so clearly easy to identify and to put in a firewall. Readdressing the public addresses in the LAN is done easily with RAs, or DHCPv6-PD if the LAN is subdivided (and still in that case we've most likely left the normal SOHO, and we're in a bigger company that will have static v4 and most likely IPv6oE or in the home of a geek).

And finally, 6rd is a transition technology, and will be certainly removed in a few years to go to IPv6oE, once incompatible hardware will be phased out. Well, that's a wish, don't take it for granted :)

Guillaume
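
Added example, not part of the thread and not any poster's code: a Python sketch of the renumbering point argued above. It derives the 6rd delegated prefix from the WAN IPv4 address using the RFC 5969 mapping and shows that a filter keyed on ULA versus 2000::/3 keeps working when the global prefix changes. The function names, the 6rd prefix 2001:db8::/32, the ULA prefix and the interface ID are constructed assumptions.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")     # RFC 4193 unique local addresses
GLOBAL = ipaddress.ip_network("2000::/3")  # global unicast range cited in the thread

# Constructed sample values (documentation ranges, not a real deployment).
SIXRD = "2001:db8::/32"
ULA_LAN = "fd12:3456:789a:1::/64"
IID = 0x0211_22FF_FE33_4455                # interface ID of one LAN host


def sixrd_delegated_prefix(sixrd_prefix, wan_ipv4, ipv4_mask_len=0):
    """RFC 5969 mapping: 6rd prefix followed by the non-masked WAN IPv4 bits."""
    sp = ipaddress.IPv6Network(sixrd_prefix)
    if not 0 <= ipv4_mask_len <= 32:
        raise ValueError("IPv4 mask length must be between 0 and 32")
    v4_bits = 32 - ipv4_mask_len
    new_len = sp.prefixlen + v4_bits
    if new_len > 64:
        raise ValueError("6rd prefix plus IPv4 bits must leave a /64 for the LAN")
    suffix = int(ipaddress.IPv4Address(wan_ipv4)) & ((1 << v4_bits) - 1)
    base = int(sp.network_address) | (suffix << (128 - new_len))
    return ipaddress.IPv6Network((base, new_len))


def scope(addr):
    """Classify an IPv6 address the way a prefix-independent filter would."""
    a = ipaddress.IPv6Address(addr)
    if a in ULA:
        return "ula"
    if a in GLOBAL:
        return "global"
    return "other"


def host_addresses(ula_lan, sixrd_prefix, wan_ipv4, iid):
    """Return (ULA address, global address) for one host holding both."""
    ula = ipaddress.IPv6Network(ula_lan)[iid]
    glob = sixrd_delegated_prefix(sixrd_prefix, wan_ipv4)[iid]
    return ula, glob


def lan_service_allowed(src, dst):
    """Stateless policy: LAN-only services pass only between ULA addresses."""
    return scope(src) == "ula" and scope(dst) == "ula"


if __name__ == "__main__":
    # Same host before and after the ISP hands out a new WAN IPv4 address.
    for wan in ("192.0.2.1", "198.51.100.7"):
        ula, glob = host_addresses(ULA_LAN, SIXRD, wan, IID)
        print(wan, "->", sixrd_delegated_prefix(SIXRD, wan), ula, glob)
```

The ULA address is identical across both WAN addresses, so a rule written against `fc00::/7` never needs updating, while any rule that names the delegated global prefix goes stale at each IPv4 change.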
Re: [swinog] Experience with 6rd Hardware
2011/6/6 Jeroen Massar :
> On 2011-Jun-06 15:44, Guillaume Leclanche wrote:
>> 2011/6/6 Jeroen Massar :
>>> The fun and joy of 6rd is of course that your IPv6 prefix changes every
>>> time you get a new IPv4 address. With IPv4 and NAT this did not matter
>>> so much to the internal network, but now when your IP address changes
>>> you need to renumber your home network, the joys of that will be awesome
>>> for people selling consultancy services and the likes.
>>> (Just take a guess when NAT66 becomes standard because of that)
>>
>> Jeroen, I thought you were a lover of Unique Local Addresses, what
>> happened to you ? :)
>
> And why would I be that?

Well let's say that was a reference to the work done by sixxs with the ULA repository.

But in the end my point was that ULA, not NAT66 is the answer to this situation (decoupling public from "private"). I did not understand why you mentioned NAT66 then.

Guillaume
Re: [swinog] Experience with 6rd Hardware
2011/6/6 Jeroen Massar :
> The fun and joy of 6rd is of course that your IPv6 prefix changes every
> time you get a new IPv4 address. With IPv4 and NAT this did not matter
> so much to the internal network, but now when your IP address changes
> you need to renumber your home network, the joys of that will be awesome
> for people selling consultancy services and the likes.
> (Just take a guess when NAT66 becomes standard because of that)

Jeroen, I thought you were a lover of Unique Local Addresses, what happened to you ? :)

Guillaume
Re: [swinog] Experience with 6rd Hardware
2011/6/6 Adrian Kägi :
>
> I'm looking for H/W like Netgear, Linksys and so on...
>

A Linux router would do the job. 6rd is supported since 2.6.33. So probably any openwrt-based router would support it as well.

Guillaume
Re: [swinog] [Apnic-announce] APNIC IPv4 Address Pool Reaches Final /8
Hi,

APNIC is out of the IPv4 game officially now.

"From now, all new and existing APNIC account holders will be entitled to receive a maximum allocation of a /22 from the Final /8 address space."

Forwarded mail can be read online at : http://mailman.apnic.net/mailing-lists/apnic-announce/archive/2011/04/msg2.html

Guillaume

2011/4/14 Srinivas (Sunny) Chendi :
> ___
>
> APNIC IPv4 Address Pool Reaches Final /8
> ___
>
>
> Dear APNIC community
>
> We are writing to inform you that as of Friday, 15 April 2011, the APNIC
> pool reached the Final /8 IPv4 address block, bringing us to Stage Three
> of IPv4 exhaustion in the Asia Pacific. For more information about Stage
> Three, please refer to:
>
> http://www.apnic.net/ipv4-exhaustion/stages
>
>
> Last /8 address policy
> --
>
> IPv4 requests will now be assessed under section 9.10 in "Policies
> for IPv4 address space management in the Asia Pacific region":
>
> http://www.apnic.net/policy/add-manage-policy#9.10
>
> APNIC's objective during Stage Three is to provide IPv4 address space
> for new entrants to the market and for those deploying IPv6.
>
> http://www.apnic.net/ipv4-stage3-faq
>
> From now, all new and existing APNIC account holders will be entitled
> to receive a maximum allocation of a /22 from the Final /8 address
> space.
>
> For more details on the eligibility criteria according to the Final /8
> policy, please refer to:
>
> http://www.apnic.net/criteria
>
>
> Act NOW on IPv6
> ---
>
> We encourage Asia Pacific Internet community members to deploy IPv6
> within their organizations. You can refer to APNIC for information
> regarding IPv6 deployment, statistics, training, and related regional
> policies at:
>
> http://www.apnic.net/ipv6
>
> To apply for IPv6 addresses now, please visit:
>
> http://www.apnic.net/kickstart
>
>
> ___
>
> APNIC Secretariat secretar...@apnic.net
> Asia Pacific Network Information Centre (APNIC) Tel: +61 7 3858 3100
> PO Box 3646 South Brisbane, QLD 4101 Australia Fax: +61 7 3858 3199
> 6 Cordelia Street, South Brisbane, QLD http://www.apnic.net
> ___
> * Sent by email to save paper. Print only if necessary.
>
>
> ___
> Apnic-announce mailing list
> apnic-annou...@lists.apnic.net
> http://mailman.apnic.net/mailman/listinfo/apnic-announce
Re: [swinog] IPv4 already exhausted at IANA ?
2010/12/3 Manfredo Miserocchi :

Hi Manfredo,

> But we're working on Ipv6 from 10 years, previewing this moment. If operators
> are not ready yet, this is not because
> nobody had care of it. In other words, I'm not seeing anything strange in the
> fact that IPv4 are in effect finished. If
> NRO decided to distribute last /8s in such way, or in another, doesn't
> matter. The fact is that the D-day is near us and
> we cannot continue to surprise ourselves every time if this happens.

I agree with you, it's not a surprise. I wanted to send a well-argumented reminder for those who still think that the counter is "just a counter". Given the audience of the list in Switzerland and outside, it's always good to tickle people who missed the event, especially when they're planning their budget for the year to come.

Normally Freddy or Jeroen would do that but for once they were maybe "exhausted" ;)

Guillaume
[swinog] IPv4 already exhausted at IANA ?
Hello,

I noticed on this list no special reaction to the fact that IANA has only 7*/8 left after the allocations on Nov. 30th. So I thought I'd start a thread to share my thoughts on the fact that IPv4 is in reality _already_ exhausted at IANA.

If you read IANA policies, you know that among the 7 "/8" (some here will know a /8 as "class A" even though it's incorrect), 5 are reserved (1 per RIR) and will be allocated when they are the only ones left. That leaves IANA with only 2 "/8".

But APNIC is _already_ entitled to get these addresses, as per IANA policy (they don't have enough left to hold 9 months at their average alloc rate). And when they will in reality request these addresses, it will trigger the allocation of the "last 5", and, well, the end.

The request from APNIC could come tomorrow, or next week, or in 3/4 months. They can do it whenever they want. It doesn't matter, the way the movie ends is already known : APNIC will get 3 more /8, our beloved RIPE will get 1 more, as well as ARIN, LACNIC, and AFRINIC.

If you have another understanding of the situation, please share, I didn't find a lot of real analysis on the current situation, mainly refs to potaroo, so I'd be happy to discuss.

Now if you have not thought yet about how your network will reach the networks that will be IPv6-only starting middle of next year, well ... I'm sure a lot of people on the list are ready to help :)

Guillaume
[swinog] About the Fiber Cut in Augst yesterday; reasons, consequences and solutions
Hello,

As some of you probably already know, our (Fibre Lac) 144-fibers cable was completely cut yesterday on the motorway between Basel and Zürich, somewhere on the communal territory of KaiserAugst, in Canton Aargau, near the border with Basel-Land.

On this part of the motorway, there are a lot of ducts buried, something like six 120mm ducts and twelve 34 mm. The people doing work there were installing new driver crash barriers, which is done by digging holes for the posts and then putting the posts in the holes. They go as far as 1m for the barrier to be correctly installed.

The 34mm fiber ducts, used by Fibre Lac and two international operators, are buried below the six 120mm ducts, and the whole thing is filled with concrete. The workers still managed to have the posts go through two (empty) 120mm ducts and reached, 60cm under the ground, fiber optics cables, among which they broke several of the tubes, but only one really filled with fibers, ours. The other operators were not cut.

Among impacted customers and partners, there were several operators and internet exchanges, and especially SwissIX and IXEurope (TIX link Geneva-Zurich).

We then quickly started to look for a rescue solution at least for the active network (we couldn't really find a 144-fibers unused cable on another path), and we managed to have a rescue link set up at about 22:40, thanks to several people :
- Freddy Kuenzler, Init7, for lending the fiber pair, and spending hours trying to get the whole thing working,
- Sascha Kaufmann, IXEurope, for spending hours trying to get the whole thing working,
- Herr Bolliger, IWB, for spending hours trying to get the whole thing working, when it was public holidays in Basel.

Today, at 5am, a 200m temporary fiber cable was replacing the broken one, laid down in a temporary duct behind the fence along the motorway, this is obviously not secure, but at least bytes can flow again.

We're working on the definitive solution, which means re-opening the motorway, changing the damaged duct parts, and blow a new cable.

If you want more information, I'll be happy to provide you with it, since I believe it's quite an unusual incident and I think it's better for everyone to know what happens and what is done !

I and Fibre Lac globally, we are really sorry for every one of you who got issues directly or indirectly due to this incident.

Thank you for your understanding !

Guillaume
RE: [swinog] Power outage in CERN
EDF supply failed, and when the CERN switched to the Swiss network, SIG didn't handle the load, I've been told there was a power failure consequently in a wider area of Geneva than just the CERN.

CERN is on diesel power and does not know how long it will last.

That's all that I know (not directly from CERN-mouth).

Guillaume

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:swinog-
> [EMAIL PROTECTED] On behalf of Jérôme Tissières
> Sent: Tuesday, 16 May 2006 14:18
> To: swinog@swinog.ch
> Subject: [swinog] Power outage in CERN
>
> Hi all,
>
> It seems the CERN have (again) a power outage, but not all is down.
>
> The hotline is not reachable... anybody have more infos ?
>
> Thanks,
> Jerome