Re: Transition Planning for IPv6 as mandated by the US Govt

2008-03-17 Thread Nathan Ward


On 17/03/2008, at 11:07 PM, [EMAIL PROTECTED] wrote:

If you're providing content or network services on v6 and you
don't have both a Teredo and 6to4 relay, you should - there
are more v6 users on those two than there are on native
v6[1]. Talk to me and I'll give you a pre-built FreeBSD image
that does it, boot off compact flash or hard drives. Soekris
(~$350USD, incl. power supply and CF card), or regular
server/whatever PC.


Pardon me for interfering with your lucrative business here,
but anyone contemplating running a Teredo relay and 6to4 relay
should first understand the capacity issues before buying a
little embedded box to stick in their network.

The ARIN IPv6 wiki has this page
http://www.getipv6.info/index.php/First_Steps_for_ISPs
which not only gives you a number of options for setting up 6to4 and
Teredo relays, it also points you to documents which describe
what these things do so that you can understand how to size them
and how to manage them. And the ARIN wiki tries to be vendor
agnostic as well.



Hi Michael,

Giving away code and hardware is quite the opposite of lucrative, let  
me assure you.


I'm not selling anything. Code is freely available. When I've got some  
decent instructions for it I'll post links to NANOG if you like.
To be fair, it's really nothing more than FreeBSD with a couple of  
patches, and Miredo packaged up in a nice-to-deal-with bundle, that  
means you can plug it in today and make it work with 2 or 3 lines of  
config, instead of spending the next 3 years engineering a solution  
that the various parts of the business agree with - that is,  
assuming they give their engineers time to even think about IPv6, let  
alone engineer for it. Key word: pragmatic.


It moves about 20Mbit/s on a Soekris box, probably more. If you're  
doing more 6to4 and Teredo traffic than that, then well done. How fast  
can you do it on a Cisco (or, whatever) box? Someone lend me some  
hardware for a week and I'd be more than happy to test and publish  
numbers on that.


Soekris was an example of hardware, as that's what I've developed on.  
As I mentioned, it works on regular PC hardware as well - it's just an  
i386 FreeBSD thing.


I've actually given this Soekris hardware away to several ISPs here in  
New Zealand, sponsored by InternetNZ. That's also related to another  
project - when I've got that all written up properly I'll let you  
know. Geoff Huston wrote about it on his ISP column a month or so back.


The reason I do this, is so people at ISPs are deploying these things,  
instead of not because it might not scale at some point in the future.  
If it doesn't suit their needs in terms of scale, I'm more than happy  
to tell them other ways to do it - and have done. Note my comment,  
something along the lines of "ask me if you want Cisco configs", and  
as I mentioned, this code will run on any i386 box you throw it at.  
I've also got several slide packs with this stuff in it, if people  
want those. I believe they're reachable via the NZNOG website  
somewhere (nznog.org, I think).



Ps. Yes, vendors should do Teredo relay and 6to4 in hardware. If  
you're a vendor and do, tell me, and I'll encourage people to give you  
lots of money.
Pps. I'll reply to those of you who asked me for 6to4 Cisco configs  
and code later today (it's 1.30pm here), I'm just heading off to fix  
some stuff first. That wiki thing Michael posted links to has the  
cisco stuff.



Thanks,

--
Nathan Ward



Re: Transition Planning for IPv6 as mandated by the US Govt

2008-03-17 Thread Nathan Ward


On 18/03/2008, at 3:34 PM, Andy Dills wrote:

On Tue, 18 Mar 2008, Nathan Ward wrote:
I'm not selling anything. Code is freely available. When I've got some decent
instructions for it I'll post links to NANOG if you like.
To be fair, it's really nothing more than FreeBSD with a couple of patches,
and Miredo packaged up in a nice-to-deal-with bundle, that means you can plug
it in today and make it work with 2 or 3 lines of config, instead of spending
the next 3 years engineering a solution that the various parts of the
business agree with - that is, assuming they give their engineers time to
even think about IPv6, let alone engineer for it. Key word: pragmatic.


Perhaps you could integrate your work with a project like pfsense?

From what I've seen, that's the best open source CPE solution, and
doesn't yet have real IPv6 support (but has just about everything else).
That would be a huge benefit to the community and potentially open up some
business opportunities for you.



It'd be good if the pfsense guys would do some IPv6 stuff, yes. I  
however, am not really interested in building CPEs, nor am I  
interested in building CPEs commercially.



Thanks,

--
Nathan Ward



Re: Transition Planning for IPv6 as mandated by the US Govt

2008-03-15 Thread Nathan Ward


On 15/03/2008, at 7:19 PM, Glen Kent wrote:

I have another related question:

Do all ISPs at least support tunneling the IPv6 pkts to some end point?
For example, is there a way for an IPv6 enthusiast to send his IPv6
packet from his laptop to a remote IPv6 server in the current
circumstances if his ISP does not actively support native IPv6?


Yes - 6to4 and Teredo.

6to4[1] if your router (or some host with an unfiltered non-RFC1918  
address) supports it.

Teredo[2] if you're behind NAT or some other filtering.

- These are enabled by default in Vista.
- Enable them in XP SP2 by typing 'netsh interface ipv6 install'.
- Apple Airport Extreme has 6to4 enabled by default if it is your NAT  
router (stateful firewall, allowing new connections outgoing-only by  
default)

- Cisco supports 6to4 and has for years.
- Linux and FreeBSD both support 6to4 (not OpenBSD; can't recall re.  
NetBSD).
- Teredo support in Linux and *BSD with 'miredo' software - it's in  
APT and FreeBSD ports.


Azureus bittorrent client uses IPv6 for DHT. More DHT IPv6  
bidirectional relationships than DHT IPv4 bidirectional relationships.  
So, it's not just IPv6 enthusiasts.

Numbers here:
http://www.ops.ietf.org/lists/v6ops/v6ops.2007/msg00859.html
More up to date numbers when I get around to processing them [3].

Upcoming version of uTorrent will enable IPv6 (so, Teredo/6to4) on XP  
SP2 as part of the install process - currently Azureus only uses it if  
it's enabled already.



If you're providing content or network services on v6 and you don't  
have both a Teredo and 6to4 relay, you should - there are more v6  
users on those two than there are on native v6[1]. Talk to me and I'll  
give you a pre-built FreeBSD image that does it, boot off compact  
flash or hard drives. Soekris (~$350USD, incl. power supply and CF  
card), or regular server/whatever PC.
Also, if you want config for 6to4 on Cisco, email me and I'll hook you  
up so I'm not spamming the list with it, alternatively Google. It's  
about 10 lines, and requires you to inject an anycast IPv4 /24 and an  
IPv6 /16 in to your IGP(s).


Thanks,

--
Nathan Ward

[1] RFC3056
[2] RFC4380, see also http://technet.microsoft.com/en-us/library/bb457011.aspx
[3] I made this up. But seriously, prove me wrong. Current numbers  
(well, I got bored of waiting, processing 800MB of PCAP takes a while)  
are that I've had 1,402,634 unique host addresses talk to one of my  
test hosts over IPv6/6to4 - and that's just people running a recent  
version of Azureus with a public unfiltered IPv4 address, and have  
6to4 enabled.
Imagine what the numbers are like for Teredo users (ie. no requirement  
for public unfiltered IPv4 address, works through NAT).

Imagine what the numbers are for people not running Azureus.
Yeah, you get the idea.
I really should get around to writing this stuff up properly.. If  
there's anyone out there who wants to roll some code to pull some  
stats out of PCAP files so I don't have to process this stuff with cut  
sed awk uniq etc. please contact me. Oh also if anyone knows Java and  
can hack some changes in to Azureus for me that'd be useful - it only  
seems to want to listen on one IPv6 address, I want it to listen on.. 3.




Re: Network Operator Groups Outside the US

2008-01-19 Thread Nathan Ward


On 17/01/2008, at 1:55 AM, Skeeve Stevens wrote:

NZNog – The New Zealand Operator Group - http://www.nznog.org/

- 2008 Conference will be held in a couple of weeks - http://2008.nznog.org/


s/a couple of/1/

It starts this coming Wednesday, and goes until Friday.

--
Nathan Ward






Re: Geographic map of IPv6 availability

2007-10-15 Thread Nathan Ward



On 15/10/2007, at 8:24 PM, Martin Hannigan wrote:


[moresnip]

The way I read the portion of the thread related to resolver behavior
was that the resolver behavior was being discussed. Not the client.
The resolver should have an attribute to select the preference between
A vs. AAAA. Otherwise, it's setting network policy through code.

My question was if there is an option to adjust this, where is it? I
don't see it. I'm not a BIND uber-expert. If there is no option, there
quite possibly ought to be one.


I guess the question could also be asked as to whether BIND honours  
the host's configuration of the address selection policy - which  
seems more likely than implementing it itself.


For those who missed it - OS level address selection policy won't  
apply to BIND without specific code, as BIND is a recursive resolver  
so won't be calling getaddrinfo(3).


--
Nathan Ward


Re: Sun Project Blackbox / Portable Data Center

2007-10-14 Thread Nathan Ward


On 15/10/2007, at 12:05 AM, Simon Lyall wrote:
As for where the Blackboxes will be used, It'll be where companies want
servers in place in weeks or months and existing datacenters are full or
in the wrong place. Think of a building full of people processing
insurance claims in India or a cluster delivering video on demand in each
Asian city with more than 500,000 people.


Or say, lots of processing somewhere short term - like video editing/ 
rendering/whatever at the Olympic games.


--
Nathan Ward


Re: abandon cable the price of copper

2007-09-27 Thread Nathan Ward


On 14/09/2007, at 12:48 AM, [EMAIL PROTECTED] wrote:

this might be a revenue stream ...


As I recall, it's also a big source of outages in Vietnam (I think?);  
soldiers are allowed to haul up 'old' copper cable from the sea and  
sell it. Of course, telling if something's copper or fibre or dead or  
alive can be kinda hard for a guy on a fishing boat with a hook.


--
Nathan Ward


Re: Going dual-stack, how do apps behave and what to do as an operator (Was: Apple Airport Extreme IPv6 problems?)

2007-09-24 Thread Nathan Ward


On 24/09/2007, at 10:46 PM, JORDI PALET MARTINEZ wrote:
There is something not correct here ... Proto-41 is supported by many boxes,
even NAT boxes, I guess by mistake from the vendor/implementation ...

Basically many boxes just understand TCP and UDP and they decide to
pass-thru other unknown protocols, instead of discarding them.


Probably doesn't work so well if you have 6k people behind the same  
NAT, and they all try and use proto-41, though.


--
Nathan Ward



Re: Going dual-stack, how do apps behave and what to do as an operator (Was: Apple Airport Extreme IPv6 problems?)

2007-09-24 Thread Nathan Ward


On 20/09/2007, at 4:08 AM, Seth Mattinen wrote:


Adrian Chadd wrote:

On Wed, Sep 19, 2007, Iljitsch van Beijnum wrote:
location would be enough. If I had some old 7200s lying around
I'd use those, in locations where replacing drives isn't a huge
deal a BSD box (Linux if you insist) would be a good choice
because they give you a bigger CPU for your money.

As someone who is building little compact flash and USB flash based
BSD boxes for various tasks, I can quite happily say it's entirely
possible to build diskless based Linux/BSD routers which are upgraded
about as easy as upgrading a Cisco router (ie, copy over new image,
run save-config script, reboot.) It's been that way for quite some
time.
If there's interest I'll hack up a FreeBSD nanobsd image with ipv6
support, a routing daemon (whatever people think is good enough)
and whatever other stuff is enough to act as a 6to4 gateway.
You too can build diskless core2duo software routers for USD $1k.


What about Soekris hardware? I don't have any personal experience  
with it, but it looks very appealing to build load balancers/ 
routers out of, and quite inexpensive.


Adrian, Seth, anyone else interested. I've almost got a Soekris  
FreeBSD image going, working just as Adrian describes RE upgrades,  
running Miredo and 6to4 relays. I'll release for testing within a  
couple weeks, drop me an email if you'd like to play.


I'm doing both NET4801 and NET4501, as that's what I've got here  
right now.


The only stuff left to do is put some basic configs on there, and  
test Miredo some. 6to4 etc. all functions fine, it just needs some  
hand holding.


--
Nathan Ward



Re: Going dual-stack, how do apps behave and what to do as an operator (Was: Apple Airport Extreme IPv6 problems?)

2007-09-24 Thread Nathan Ward



On 24/09/2007, at 11:48 PM, [EMAIL PROTECTED] wrote:


On Mon, 24 Sep 2007 23:35:12 +1200, Nathan Ward said:


Probably doesn't work so well if you have 6k people behind the same
NAT, and they all try and use proto-41, though.


If you have 6,000 people behind a single NAT, proto-41 is probably the
least of your concerns, and Randy Bush may or may not be thinking of
awarding you an Innovative Engineering Award. :)


Don't worry, /I/ don't do this.

Some large enterprise/campus networks do, though.

Let's revise my number to 2. Just as much of a problem if they're  
both trying to do proto-41 :-)


The other thing to note - 6to4 kicks in on Vista if it has a  
non-RFC1918 IPv4 address, so we're talking about people NATing large  
numbers of non-RFC1918 space. Regardless of how crazy they might  
seem, these networks exist, and they're preventing people from  
rolling out IPv6 (AAAA) to production stuff. It's annoying, because  
they're often the same people who say "I'm not going to pay attention  
to IPv6, I've got enough addresses.", and we all lose because of it.  
(That, or when those networks become few enough that we can turn on  
AAAA records for production stuff, they'll be forced to sort their  
stuff out).


--
Nathan Ward



Re: Apple Airport Extreme IPv6 problems?

2007-09-17 Thread Nathan Ward
On 17/09/2007, at 2:38 AM, [EMAIL PROTECTED]  
[EMAIL PROTECTED] wrote:



I think we will never move to IPv6 if vendors don't do things
like the one in the Airport. However, in order to make this
transition phase where there may be a possible degradation
of the RTT, we need to cooperation of the operators, for
example deploying 6to4 relays in their networks.


And just what should operators do to cooperate?

Are you aware of any documents that describe how to set up 6to4 relays
in an ISP network?


I believe there are books that document it. Personally, I've got a  
bunch of slides - if you think that they'll be of use I can clean  
them up.


I intend to add some step-by-step textual stuff to  
http://ipv6.cluepon.net/ but haven't had a chance yet, I've only really  
covered end user Teredo stuff - please add stuff if you can.


--
Nathan Ward



Re: Going dual-stack, how do apps behave and what to do as an operator (Was: Apple Airport Extreme IPv6 problems?)

2007-09-16 Thread Nathan Ward
 of it, put it on
your important content sites. This will allow you to discover if your
clients are using IPv6 and if they are able to reach it. Then if you are
confident that you are up to it and that your clients are fine, you
might want to consider adding AAAAs to your site and go fully dual stack.


If anyone does run the ipv6wwwtest code (or something similar),  
please talk to me, as I'd like some numbers from some larger web  
properties so I can rant about it soon at an operator meeting near  
you, and perhaps aggregate numbers and provide an IPv6 Internet  
health report regularly.


You don't actually need any RIR space. You'll note that the  
braintrust.co.nz website does the checks using 6to4, as the place  
that server lives can't get native IPv6 transit. This takes less than  
a day to set up and does not require you to turn on an IPv6 network,  
and you can regularly evaluate whether enabling your content (and  
network!) for IPv6 is a good idea or not.


Also, if you do deploy an IPv6 network for your content, set up a  
Teredo relay, and point 2001::/32 at it. Your viewers/users will  
automatically use this relay when accessing your content, and their  
traffic to you will be over IPv4, all the way from their PC to your  
network - so, equivalent performance as IPv4. Note that I say relay  
here, not server.


If you have somewhat tech savvy users you can of course also ask them to
test it for you. Check out our "Cool new toy: we got IPv6!" or something
and ask them how it works.


Mozilla.org are doing this for example. Cue Matthew Zeier.


(Apologies for a dis-jointed email. It's 1am, I'm tired and in a  
ranty mood)


--
Nathan Ward
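The address mechanics behind the relay advice in this post and in the 2008-03-15 message above (which prefix a content network's relay has to attract, which IPv4 endpoint the relay encapsulates to, and when a host is eligible for 6to4 at all, the rule the 2007-09-24 message describes for Vista), as an added Python example; this is not code from any post on this page. The sample addresses are constructed: the Teredo one decodes to server 65.54.227.120 and external endpoint 192.0.2.45:40000. The ingress check at the end is the RFC 3964 rule that a 6to4 relay drops decapsulated traffic whose inner IPv6 source does not match the outer IPv4 source, since without it anyone can inject IPv6 packets with a forged 6to4 source through your relay.

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network, ip_network

SIXTO4 = IPv6Network("2002::/16")       # RFC 3056: 2002:<IPv4>::/48 per host
TEREDO = IPv6Network("2001::/32")       # RFC 4380: 2001:0:<server>:<flags>:<~port>:<~IPv4>
SIXTO4_RELAY_ANYCAST = IPv4Address("192.88.99.1")   # RFC 3068 relay anycast address

# Ranges a host must not derive a 6to4 prefix from: RFC 1918 plus the other
# obviously non-routable blocks. Anything else is treated as "public".
_NOT_6TO4 = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def eligible_for_6to4(v4):
    """True if a host holding this IPv4 address may use 6to4 at all."""
    a = IPv4Address(v4)
    return not any(a in n for n in _NOT_6TO4)


def sixto4_prefix(v4):
    """2002:WWXX:YYZZ::/48 for the IPv4 address WW.XX.YY.ZZ."""
    return IPv6Network(((0x2002 << 112) | (int(IPv4Address(v4)) << 80), 48))


def classify(v6):
    """Native, 6to4 or Teredo, plus the IPv4 endpoint a relay would send to."""
    a = IPv6Address(v6)
    bits = int(a)
    if a in TEREDO:
        server = IPv4Address((bits >> 64) & 0xFFFFFFFF)     # bits 32..63
        flags = (bits >> 48) & 0xFFFF                       # bits 64..79
        # External port and address are stored bit-inverted (RFC 4380 section 4).
        port = ((bits >> 32) & 0xFFFF) ^ 0xFFFF             # bits 80..95
        client = IPv4Address((bits & 0xFFFFFFFF) ^ 0xFFFFFFFF)  # bits 96..127
        return {"kind": "teredo", "server": str(server), "cone": bool(flags & 0x8000),
                "client": str(client), "port": port, "encap": "udp"}
    if a in SIXTO4:
        client = IPv4Address((bits >> 80) & 0xFFFFFFFF)     # bits 16..47
        return {"kind": "6to4", "client": str(client), "encap": "proto-41"}
    return {"kind": "native", "encap": None}


def relay_serves(v6):
    """The route a content network must point at its relay to reach this client:
    2002::/16 for 6to4, 2001::/32 for Teredo, nothing for a native client."""
    kind = classify(v6)["kind"]
    return {"6to4": str(SIXTO4), "teredo": str(TEREDO)}.get(kind)


def accept_6to4_ingress(outer_src_v4, inner_src_v6):
    """RFC 3964 relay-side check on a decapsulated proto-41 packet: the inner
    IPv6 source must lie in 2002:<outer IPv4>::/48, and that IPv4 must be one
    a 6to4 host could legitimately hold. Anything else is spoofed: drop it."""
    if not eligible_for_6to4(outer_src_v4):
        return False
    return IPv6Address(inner_src_v6) in sixto4_prefix(outer_src_v4)


if __name__ == "__main__":
    # Constructed sample addresses.
    for addr in ("2002:c000:221::1", "2001:0:4136:e378:8000:63bf:3fff:fdd2", "2001:db8::1"):
        print(addr, classify(addr), "relay route:", relay_serves(addr))
    print(accept_6to4_ingress("192.0.2.33", "2002:c000:221::5"))   # legitimate
    print(accept_6to4_ingress("192.0.2.34", "2002:c000:221::5"))   # forged inner source
```

The same decode is what you want on the content side when reading logs: a connection from 2002:c000:221::1 really came from 192.0.2.33, and a Teredo source tells you the NAT's external address and port, which is where abuse reports and rate limits should be keyed.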

Re: Security gain from NAT

2007-06-06 Thread Nathan Ward



On 6/06/2007, at 2:53 PM, Roger Marquis wrote:




So now the cruft extends and embraces, and you have to play DNS
view games based on whether it's on company A's legacy net,
company B's legacy net, or the DMZ in between them, and start
poking around in the middle of DNS packets to tweak the replies
(which sort of guarantees you can't deploy DNSSEC).


IPv4 junk


You clearly missed the start of this conversation, and my summaries  
in the last couple of days, about which I am not surprised.


We were discussing IPv6, the lack of NAT was brought up as being  
viewed as a blocker for security reasons, and solutions were  
presented so that it no longer is, assuming adequate education is  
provided.


--
Nathan Ward


Re: Getting a BGP table in to a lab

2005-04-21 Thread Nathan Ward

Nathan Ward wrote:

I'm trying to come up with a way to get a full BGP routing table in to
my lab.
I'm not really fussed about keeping it up to date, so a snapshot is fine.
At the moment, I'm thinking about spending a few hours hacking together
a BGP daemon in perl to peer with and record a table from a production
router, disconnect, and then start peering with lab routers.

Am I reinventing a wheel here?

So, I'm going to throw some code together and I'll let the list know
where it can be found..
The point here is that I want full tables in my lab without having to
keep peering sessions up with my production network.

As a side note, It seems strange, yet somehow very fitting, that I was
automatically assumed to not be a network operator, on a network
operators list..

--
Nathan Ward
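The wire format a record-and-replay daemon of the kind described in this thread has to speak, as an added Python example; it is not code from this thread or from MRTd. It frames the RFC 4271 OPEN, KEEPALIVE and UPDATE messages for 2-byte AS numbers and parses an UPDATE back, which is the round trip a lab replay tool needs. The prefixes, AS numbers and next hop are constructed. It does framing only: a real tool still needs the TCP session, hold-timer handling, and, if it is ever pointed at a production router, TCP MD5 (RFC 2385) on the session and an inbound policy on the production side that accepts nothing back from the lab.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

MARKER = b"\xff" * 16                  # RFC 4271 4.1: 16 octets of all ones
OPEN, UPDATE, KEEPALIVE = 1, 2, 4
ORIGIN, AS_PATH, NEXT_HOP = 1, 2, 3    # well-known mandatory path attributes
AS_SEQUENCE = 2
FLAG_TRANSITIVE = 0x40
FLAG_EXT_LEN = 0x10


def _frame(msg_type, body):
    """Common header: marker, total length (header included), type."""
    return MARKER + struct.pack("!HB", 19 + len(body), msg_type) + body


def build_open(my_as, hold_time, router_id):
    """OPEN with no optional parameters: a plain 2-byte-ASN, IPv4-only session."""
    body = struct.pack("!BHH4sB", 4, my_as, hold_time, IPv4Address(router_id).packed, 0)
    return _frame(OPEN, body)


def build_keepalive():
    return _frame(KEEPALIVE, b"")


def _encode_prefix(net):
    """NLRI: one length octet, then only as many address octets as the prefix covers."""
    net = IPv4Network(net)
    n = (net.prefixlen + 7) // 8
    return bytes([net.prefixlen]) + net.network_address.packed[:n]


def _attr(code, value):
    """Path attribute TLV; the length field grows to two octets past 255."""
    flags = FLAG_TRANSITIVE | (FLAG_EXT_LEN if len(value) > 255 else 0)
    length = struct.pack("!H", len(value)) if len(value) > 255 else bytes([len(value)])
    return bytes([flags, code]) + length + value


def build_update(prefixes, next_hop, as_path, origin=0):
    """UPDATE announcing `prefixes` with ORIGIN, one AS_SEQUENCE and NEXT_HOP;
    no withdrawals."""
    if len(as_path) > 255:
        raise ValueError("one AS_SEQUENCE segment holds at most 255 ASNs")
    seg = b""
    if as_path:
        seg = struct.pack("!BB", AS_SEQUENCE, len(as_path)) + struct.pack("!%dH" % len(as_path), *as_path)
    attrs = _attr(ORIGIN, bytes([origin])) + _attr(AS_PATH, seg) + _attr(NEXT_HOP, IPv4Address(next_hop).packed)
    nlri = b"".join(_encode_prefix(p) for p in prefixes)
    body = struct.pack("!H", 0) + struct.pack("!H", len(attrs)) + attrs + nlri
    return _frame(UPDATE, body)


def _decode_prefixes(buf):
    out, i = [], 0
    while i < len(buf):
        plen = buf[i]
        n = (plen + 7) // 8
        octets = buf[i + 1:i + 1 + n] + b"\x00" * (4 - n)   # pad back to 4 octets
        out.append(str(IPv4Network((IPv4Address(octets), plen))))
        i += 1 + n
    return out


def parse_update(msg):
    """UPDATE back into withdrawn/announced prefixes and the mandatory attributes;
    raises on a bad marker, length or type rather than trusting the peer."""
    if msg[:16] != MARKER:
        raise ValueError("bad marker")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if length != len(msg) or msg_type != UPDATE:
        raise ValueError("length/type mismatch")
    body = msg[19:]
    wlen = struct.unpack("!H", body[:2])[0]
    i = 2 + wlen
    alen = struct.unpack("!H", body[i:i + 2])[0]
    i += 2
    end = i + alen
    result = {"withdrawn": _decode_prefixes(body[2:2 + wlen]),
              "nlri": _decode_prefixes(body[end:])}
    while i < end:
        flags, code = body[i], body[i + 1]
        if flags & FLAG_EXT_LEN:
            vlen = struct.unpack("!H", body[i + 2:i + 4])[0]
            i += 4
        else:
            vlen = body[i + 2]
            i += 3
        value = body[i:i + vlen]
        i += vlen
        if code == ORIGIN:
            result["origin"] = value[0]
        elif code == AS_PATH:
            path, j = [], 0
            while j < len(value):
                count = value[j + 1]            # value[j] is the segment type
                path.extend(struct.unpack("!%dH" % count, value[j + 2:j + 2 + 2 * count]))
                j += 2 + 2 * count
            result["as_path"] = path
        elif code == NEXT_HOP:
            result["next_hop"] = str(IPv4Address(value))
    return result
```

Recording a table from a production router is then parse_update() on every UPDATE received after OPEN/KEEPALIVE, and replaying it into the lab is build_update() per prefix group with the lab router's reachable next hop substituted in.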



Re: Getting a BGP table in to a lab

2005-04-21 Thread Nathan Ward

Nathan Ward wrote:

I'm trying to come up with a way to get a full BGP routing table in to
my lab.
I'm not really fussed about keeping it up to date, so a snapshot is fine.
At the moment, I'm thinking about spending a few hours hacking together
a BGP daemon in perl to peer with and record a table from a production
router, disconnect, and then start peering with lab routers.

Am I reinventing a wheel here?
  

Alexander Tudor tells me:

snip
The simplest way to load up your favorite router with a bgp table is to:

a. get a bgp trace file (obtainable from routeviews.org or ripe.net -ris
or pch.net)
b. get route_btoa from ripe.net (standard tool for reading a bgp trace
file, updates or full tables)
c. download the mrtd.net toolkit ( do not use its route_btoa)
d. read carefully documentation on sbgp program contained within mrtd
package
e. pipe output from route_btoa (from ripe.net) into sbgp (who should
peer with your router and load up the table)

It takes a bit of time to set up but it works.
/snip

According to the documentation, sbgp can create these trace files too,
so I can create traces applicable to my network.
I'm not sure if it'll handle MP-BGP though..

Thanks Alexander.




Getting a BGP table in to a lab

2005-04-20 Thread Nathan Ward

I'm trying to come up with a way to get a full BGP routing table in to
my lab.
I'm not really fussed about keeping it up to date, so a snapshot is fine.
At the moment, I'm thinking about spending a few hours hacking together
a BGP daemon in perl to peer with and record a table from a production
router, disconnect, and then start peering with lab routers.

Am I reinventing a wheel here?

--
Nathan Ward



Re: djbdns: An alternative to BIND

2005-04-08 Thread Nathan Ward
Vicky - Thou shalt not post about DJB software to a mailing list Vixie 
reads regularly. I take it you didn't listen in bible study class..

I had a play with DJBDNS after using BIND for years. Here's why I 
switched back:
- No AXFR support
- No TCP support
- I was forced to use DJBs naming conventions for zones
- Licensing
- Installation

Now, it looks like some of this has changed in the past few years, but 
at the time I was unable to provide a bunch of services that I wanted 
to because of these missing features.

One of the reasons I see people quoting for their transition from BIND 
to DJBDNS is "BIND is hard to configure."
Really.
If you've got a good understanding of DNS (which, IMO, is required to 
run DJBDNS effectively), and you're finding BIND hard to configure, 
you'd best unsubscribe now and start looking for work elsewhere.

The other one is "BIND is a bigger binary than DJBDNS."
So?
It's the 00's kids, RAM and disk are cheaper than a hooker scraping for 
a fix.

My licensing and installation points above are common to all DJB 
software. I'm a lazy bastard. I want to click a button or tap some keys 
and have stuff happen in a way I understand and trust. I don't want to 
have my hosts littered with weird arcane trash that isn't looked after 
by my packaging system. If DJB were to allow people to provide binary 
packages of his software, this point wouldn't exist.

Anyway, in closing - Run BIND9. Save yourself.
On 9/04/2005, at 12:19 PM, Chris Kuethe wrote:
On Apr 8, 2005 4:55 PM, Vicky Rode [EMAIL PROTECTED] wrote:
http://software.newsforge.com/article.pl?sid=05/04/06/197203&from=rss
Just wondering how many have transitioned to djbdns from bind and if 
so
any feedback.

regards,
/vicky
I used to use djbdns on my laptop for testing things, and then I took
an afternoon, learned to write BIND zone files, and decided I should
just use the BIND that comes with so many modern unixen and that
powers so much of the internet anyway...
Since then, I've always preferred deploying bind over djbdns. Even if
it was easier to configure, the installation process for DJBDNS always
really annoyed me. So that's a djbdns *to* bind transition story.
CK
--
GDB has a 'break' feature; why doesn't it have 'fix' too?