Category Archives: IPv6

ICANN is IPv6 enabled, or not?

I was browsing the schedule of the upcoming ICANN meetings in San Juan and noticed a logo in the top left corner suggesting that the web site is “IPv6 enabled”.

Unfortunately, we are not there yet. Good try, maybe next time.

hiram:~ patrick$ host sanjuan2007.icann.org
sanjuan2007.icann.org is an alias for ganges.lax.icann.org.
ganges.lax.icann.org has address 208.77.191.173

hiram:~ patrick$ dig ganges.lax.icann.org AAAA
; <<>> DiG 9.3.4 <<>> ganges.lax.icann.org AAAA
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13528
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ganges.lax.icann.org. IN AAAA

Still, congratulations to ICANN for the work they have done to make information more accessible on the web. The only missing piece now is an ICS file, so that the meeting schedule can be imported directly into our computers or PDAs.

This host is DNSSEC enabled

We keep hearing in the ICANN and IETF crowds that DNSSEC is unavoidable and that it is the way to go. These are the same crowds saying that we should move to, or at least support, IPv6. In both cases, the prophets are not always those who actually do it. While www.isoc.org and www.ietf.org run on a dual IPv4/IPv6 stack, many of the companies working within the IETF do not run dual-stack web sites: Cisco, Microsoft, IBM, Sun, etc.

So, rather than telling others that they should run DNSSEC, I figured I should do my homework and run DNSSEC myself, without waiting for my TLDs to get signed.

The job is done, but it was no easy task. If you are looking for a simple button on a GUI to sign your DNS zones, move on. Currently, this is not for the faint of heart, which might explain the slow adoption. Bind does include all the tools (dnssec-keygen, dnssec-signzone), but you first have to figure out how the damn thing works and use the right parameters.

I found a tool which made my life much easier. It is called ZKT. Once you have configured the header files to your environment and adapted your directory structure to the requirements of ZKT, you can actually sign all your zones in one pass. It will call the necessary Bind tools with the right parameters. I have created a cron job that will periodically check which signatures need updating and change the zone files accordingly. Highly recommended.
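The check that such a cron job has to perform, as an added example that is not the post's or ZKT's own code: read a zone file in the format dnssec-signzone writes (owner names omitted on repeated lines, RRSIG records wrapped in parentheses, ";" comments), pull out every RRSIG with its expiration time, and list the ones that are expired or will expire within a given window so the zone can be re-signed before validators start failing it. The zone excerpt below is constructed for the example and its signature blobs (AQIDBA==) are placeholders, not real signatures; only the timestamps matter here.

```python
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

# Constructed excerpt of a dnssec-signzone style signed zone (not a real zone).
# Signature blobs are placeholders; inception/expiration timestamps are what we check.
SIGNED_ZONE = """\
$ORIGIN example.net.
$TTL 3600
example.net.       3600 IN SOA  ns1.example.net. hostmaster.example.net. 2007061501 7200 3600 1209600 3600
                   3600 RRSIG  SOA 5 2 3600 20070715120000 (
                                 20070615120000 12345 example.net.
                                 AQIDBA== )      ; placeholder signature
                   3600 IN NS   ns1.example.net.
                   3600 RRSIG  NS 5 2 3600 20070703000000 20070603000000 12345 example.net. AQIDBA==
                   3600 IN MX   10 mail.example.net.
                   3600 RRSIG  MX 5 2 3600 20070620000000 20070521000000 12345 example.net. AQIDBA==
www.example.net.   3600 IN A    192.0.2.10
                   3600 RRSIG  A 5 3 3600 20070805000000 20070706000000 12345 example.net. AQIDBA==
"""

RRSIG_TIME = "%Y%m%d%H%M%S"   # RFC 4034 presentation format for inception/expiration (UTC)


class RRSig(NamedTuple):
    owner: str
    covered: str
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str


def _parse_time(stamp):
    return datetime.strptime(stamp, RRSIG_TIME).replace(tzinfo=timezone.utc)


def _logical_lines(zone_text):
    """Yield (owner_omitted, text) per record: comments stripped and
    parenthesised continuation lines joined, as dnssec-signzone output needs."""
    buf, depth, omitted = [], 0, False
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]
        if not buf:
            if not line.strip():
                continue
            omitted = line[0].isspace()        # blank owner = same owner as previous record
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            yield omitted, " ".join(buf)
            buf, depth = [], 0


def parse_rrsigs(zone_text):
    """Extract every RRSIG record with its owner name, in zone order."""
    sigs, owner = [], None
    for omitted, line in _logical_lines(zone_text):
        fields = line.split()
        if fields[0].startswith("$"):
            continue                           # $ORIGIN / $TTL directives
        if not omitted:
            owner = fields[0]
        if "RRSIG" not in fields:
            continue
        i = fields.index("RRSIG")
        # RRSIG rdata: type covered, algorithm, labels, original TTL,
        # expiration, inception, key tag, signer name, signature
        covered, _alg, _labels, _ttl, exp, inc, key_tag, signer = fields[i + 1:i + 9]
        sigs.append(RRSig(owner, covered, _parse_time(exp), _parse_time(inc), int(key_tag), signer))
    return sigs


def signatures_needing_resign(zone_text, now, horizon_days=7):
    """RRSIGs already expired or expiring within horizon_days, soonest first.
    `now` is a datetime or an RRSIG-format timestamp string (assumed UTC)."""
    if isinstance(now, str):
        now = _parse_time(now)
    horizon = timedelta(days=horizon_days)
    due = [s for s in parse_rrsigs(zone_text) if s.expiration - now <= horizon]
    return sorted(due, key=lambda s: s.expiration)


if __name__ == "__main__":
    for s in signatures_needing_resign(SIGNED_ZONE, datetime.now(timezone.utc)):
        print(f"re-sign {s.owner} {s.covered}: expires {s.expiration:%Y-%m-%d %H:%M} (key tag {s.key_tag})")
```

Run against a real signed zone, a non-empty result is the trigger for calling dnssec-signzone again; leave a horizon comfortably larger than the zone's TTLs plus the cron interval, since a signature that expires while still cached is as bad as a missing one.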

IPv6 for the rest of us

IPv6 deployment is in a chicken-and-egg situation. On the one hand, there is no willingness from ISPs and commodity DSL router manufacturers to include IPv6 support in their infrastructure or equipment because "there is no demand". On the other hand, there is no demand because the average Joe Blow could not care less whether he reaches a web site over IPv4 or IPv6. It should just work. The equipment and infrastructure should adapt transparently.

One of these days, when there are IPv6-only web sites, Joe Blow will call his ISP to complain that he cannot reach them. This may happen sooner than you think. The American Registry for Internet Numbers (ARIN) has issued an advisory to alert the community that it will no longer be in a position to allocate IPv4 addresses in the near future, and strongly advises companies and ISPs to look at IPv6 instead.

What we users can do is to stop waiting for the industry to get its act together and work around its limitations.

Most consumer OSes these days support IPv6, either natively (Mac OS X, Linux, Windows Vista) or as an add-on (Windows XP). If you have the traditional setup of a computer connected to the Internet through a DSL router, the router is assigned a dynamic public IPv4 address, and your computer in turn is assigned an address by the router, typically out of a private range (RFC 1918).

What we need now is a way to tunnel through the hostile IPv4 environment, NAT included, to reach the IPv6 Internet. The mechanism is specified in RFC 4380 and nicknamed Teredo: IPv6 packets are carried inside UDP over IPv4, which is what lets them cross a NAT that knows nothing about IPv6. There is an implementation for Unix-like operating systems called Miredo. And for those of you who are uncomfortable editing Makefiles and compiling source code, the good news is that there are pre-packaged versions for Mac OS X and Ubuntu Feisty (just type "apt-get install miredo"; you should have the universe repository enabled).

I tested both and they work out of the box. I am actually editing this post through an IPv6 tunnel over a straight IPv4 ADSL connection. Pretty amazing.

I did not test the MS Windows implementation. However, since Microsoft wrote the specs, I suppose it should be quite easy to set up there, too. Some tips are available at the IPv6 Task Force web site and Microsoft's own site.

What does that bring you? Well, first, you will be considered a certified geek by your neighbourhood. More seriously, not much right now. What I notice is actually that my connection is slowing down. This may be due to the fact that tunnelling one protocol through another is never efficient. Also, the peering agreements between backbone operators are not as optimal as they are in the IPv4 world. But at least, I am ready for the future.
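One thing worth knowing before you put a Teredo address on a business card: it is not opaque. An RFC 4380 address encodes the Teredo server's IPv4 address, a flags field (the cone-NAT bit), and the client's external UDP port and public IPv4 address as seen by the server, the last two XORed with all-ones so that a NAT does not rewrite them in passing. The decoder and encoder below are an added example, not part of the post or of Miredo; the sample address is constructed for the test, and the 2001:0000::/32 prefix, field layout and obfuscation are those of RFC 4380.

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network

TEREDO_PREFIX = IPv6Network("2001::/32")   # RFC 4380, section 2.6
FLAG_CONE = 0x8000                          # RFC 4380, section 4: client behind a cone NAT


def is_teredo(addr):
    return IPv6Address(addr) in TEREDO_PREFIX


def decode_teredo(addr):
    """Split an RFC 4380 Teredo address into its fields.

    Bits 0-31: prefix 2001:0000; 32-63: Teredo server IPv4; 64-79: flags;
    80-95: client's external UDP port XOR 0xFFFF; 96-127: client's external
    IPv4 XOR 0xFFFFFFFF (the "mapped" address/port the server saw)."""
    ip = IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address")
    raw = ip.packed
    flags = int.from_bytes(raw[8:10], "big")
    return {
        "server": str(IPv4Address(raw[4:8])),
        "flags": flags,
        "cone_nat": bool(flags & FLAG_CONE),
        "external_port": int.from_bytes(raw[10:12], "big") ^ 0xFFFF,
        "external_ipv4": str(IPv4Address(int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF)),
    }


def encode_teredo(server, external_ipv4, external_port, cone_nat=False):
    """Build the Teredo address a client behind the given mapping would get."""
    flags = FLAG_CONE if cone_nat else 0
    raw = (bytes.fromhex("20010000")
           + IPv4Address(server).packed
           + flags.to_bytes(2, "big")
           + (external_port ^ 0xFFFF).to_bytes(2, "big")
           + (int(IPv4Address(external_ipv4)) ^ 0xFFFFFFFF).to_bytes(4, "big"))
    return str(IPv6Address(raw))


# Constructed sample: a client behind a cone NAT, server 65.54.227.120,
# mapped to 192.0.2.45:40000 (documentation addresses, not a real host).
SAMPLE = "2001:0:4136:e378:8000:63bf:3fff:fdd2"

if __name__ == "__main__":
    for k, v in decode_teredo(SAMPLE).items():
        print(f"{k:14s} {v}")
```

The practical consequence: anyone who sees your Teredo address (web server logs, mail headers, IRC) also learns your public IPv4 address and the UDP port your NAT mapped for the tunnel, which is exactly the hole that Teredo keeps open.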

IPv6 vulnerability in RHEL4/CentOS4

I was reading this article this morning on IPv6 vulnerabilities, specifically IPv6's Type 0 Routing Header. The recommendation is to stop processing these headers, as they serve no practical purpose anyway: a single packet can list the same pair of routers many times over, so it bounces back and forth between them and amplifies traffic on that link.

After doing some Googling, I read that this kind of header was disabled by default in Linux kernels starting with version 2.6.20.9. This server is running version 2.6.9-42. The workaround here is to filter those packets out at the firewall level. Fine, except that ip6tables on RHEL4 and CentOS4 does not ship the rt match extension needed to filter on routing headers. Hence, you need to recompile the iptables package with the ip6rt module enabled. That's just a small Makefile edit.

To make life easier for you, here are my RPM and SRPM:

iptables-ipv6-1.2.11-3.1.isoc.i386.rpm
iptables-1.2.11-3.1.isoc.src.rpm

Once installed, do not forget to add the following lines to /etc/sysconfig/ip6tables. The file is in ip6tables-save format and rules are applied in order, so put them in the *filter section right after the chain policy lines and before any rule that accepts traffic:

# Drop anything carrying a Type 0 Routing Header, whatever the direction:
# inbound to this host, forwarded through it, or generated locally.
-A INPUT    -m rt --rt-type 0 -j DROP
-A FORWARD  -m rt --rt-type 0 -j DROP
-A OUTPUT   -m rt --rt-type 0 -j DROP

Of course, if you are not running IPv6 at all, this is not an issue for you. And if you are using another distribution, your mileage may vary, as they say.
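To see exactly what "-m rt --rt-type 0" matches, here is an added example (not from the post, not ip6tables code) that walks the extension-header chain of a raw IPv6 packet the way the rt match has to: past Hop-by-Hop, Destination Options, Fragment and AH headers, until it reaches a Routing header or the upper-layer protocol. The sample packets are constructed inline, including a Type 0 header that lists the same two addresses eight times (the ping-pong amplification) and a Type 2 header (Mobile IPv6) that a correct filter must leave alone. Header layouts follow RFC 2460 and RFC 4302.

```python
import struct
from ipaddress import IPv6Address

# IPv6 Next Header values (IANA protocol numbers)
HOPOPTS, ROUTING, FRAGMENT, ESP, AH, ICMPV6, DSTOPTS = 0, 43, 44, 50, 51, 58, 60
IPV6_HEADER_LEN = 40


def find_routing_header(packet):
    """Walk the extension-header chain of a raw IPv6 packet.

    Returns (routing_type, segments_left) for the first Routing header, or
    None if the chain ends (TCP/UDP/ICMPv6, or ESP which hides what follows)
    without one.  Raises ValueError on non-IPv6 or truncated packets."""
    if len(packet) < IPV6_HEADER_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset = packet[6], IPV6_HEADER_LEN
    while next_header in (HOPOPTS, DSTOPTS, FRAGMENT, AH, ROUTING):
        if len(packet) < offset + 8:               # every walkable header is at least 8 octets
            raise ValueError("truncated extension header")
        if next_header == ROUTING:
            # Next Header | Hdr Ext Len | Routing Type | Segments Left | type-specific data
            return packet[offset + 2], packet[offset + 3]
        if next_header == FRAGMENT:
            hdr_len = 8                             # fixed size
        elif next_header == AH:
            hdr_len = (packet[offset + 1] + 2) * 4  # AH: payload len in 4-octet units, minus 2
        else:
            hdr_len = (packet[offset + 1] + 1) * 8  # HBH/DstOpts: 8-octet units, not counting first 8
        next_header, offset = packet[offset], offset + hdr_len
    return None


def matches_rt_type0(packet):
    """Mirror of 'ip6tables -m rt --rt-type 0': true for any packet carrying a
    Type 0 Routing Header, even with Segments Left == 0.  The amplification
    attack needs Segments Left > 0, but dropping every RH0 is the safe policy."""
    rh = find_routing_header(packet)
    return rh is not None and rh[0] == 0


# Packet builders for constructed samples (documentation prefix, no real hosts).
def build_ipv6(next_header, payload, src="2001:db8::1", dst="2001:db8::2"):
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      IPv6Address(src).packed, IPv6Address(dst).packed)
    return hdr + payload


def build_routing_header(next_header, routing_type, hops):
    addrs = b"".join(IPv6Address(h).packed for h in hops)
    return struct.pack("!BBBBI", next_header, len(addrs) // 8, routing_type, len(hops), 0) + addrs


def build_hop_by_hop(next_header):
    """Minimal 8-octet Hop-by-Hop header holding one PadN option."""
    return struct.pack("!BB", next_header, 0) + b"\x01\x04\x00\x00\x00\x00"


ECHO = b"\x80\x00\x00\x00\x00\x01\x00\x01"   # ICMPv6 echo request, checksum left zero
PLAIN = build_ipv6(ICMPV6, ECHO)
# Type 0 header bouncing between two routers eight times: the amplification case.
RH0 = build_ipv6(ROUTING, build_routing_header(ICMPV6, 0, ["2001:db8::a", "2001:db8::b"] * 4) + ECHO)
# Same, but hidden behind a Hop-by-Hop header; a filter that only looks at byte 6 misses it.
RH0_BEHIND_HBH = build_ipv6(HOPOPTS, build_hop_by_hop(ROUTING)
                            + build_routing_header(ICMPV6, 0, ["2001:db8::a"]) + ECHO)
# Type 2 header (Mobile IPv6 route optimisation): must not be dropped.
RH2 = build_ipv6(ROUTING, build_routing_header(ICMPV6, 2, ["2001:db8::a"]) + ECHO)

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("rh0", RH0), ("rh0 behind hbh", RH0_BEHIND_HBH), ("rh2", RH2)]:
        print(f"{name:16s} routing={find_routing_header(pkt)} drop={matches_rt_type0(pkt)}")
```

The walk stops at ESP because everything after it is encrypted; that is also why a routing header tucked inside an IPsec tunnel can only be filtered at the tunnel endpoint, not in transit.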

IT, Society, and Culture: Power to the People

The American Chamber of Commerce of Luxembourg is organizing an event tonight at the RTL TV studios called “IT, Society, and Culture”.

I will be presenting some reflections on how we went from a top-down approach to the Internet to a bottom-up process and what the challenges are. My presentation is here in PDF format.

The main idea behind the presentation is that we have not yet reached the bottom-up phase, despite all the talk about blogs, YouTube, etc. The fact remains that the hoster of the blog or video sharing platform is still in a position to take down your web site. There is still someone, somewhere who can silence you. It is only when your platform is under your total control that we will be able to say that the user is the Internet, as Time Magazine puts it.

However, before we can reach that stage there are still some technical challenges we need to solve. If you wish to host your blog on your home computer, you need an easy to understand operating system and web server. It's coming. You also need bandwidth. Asymmetrical DSL won't cut it. What you need is fibre to the home, with 100 Mbit/s both ways. You also need a fixed IP address. With IPv4 addresses becoming scarce, IPv6 seems like the answer.

There are societal challenges, too. With IP everywhere and always on, we risk an Orwellian society where every one of your moves can be monitored. Will the average Internet user use the increased bandwidth to contribute something useful to society, or to post gore videos of men being hanged?