Re: Are IPv6-only Internet services viable today?

2010-01-16 Thread Jim Burwell
On 1/16/2010 07:01, Antonio Querubin wrote:
> On Sat, 16 Jan 2010, Cam Byrne wrote:
>
>> interested you can read the ietf draft.  Assuming you have a ds-lite
>> cpe, you can park dual-stack hosts behind it.  But, it does not "just
>
> If your hosts are dual-stacked, why would you need a ds-lite cpe in
> the first place?
>
The point of DS-Lite is to provide IPv4 internet access to hosts which
only have IPv6 addresses in an IPv6 only network environment.  That is,
IPv4 connectivity isn't available all the way through to the provider's
CGN.  If you did straight dual-stack, the provider would have to do IPv4
connectivity all the way to the CGN, and also maintain unique RFC1918 IP
address assignments to every customer going through a particular CGN. 
With DS-Lite, the IPv4 traffic is tunneled from a DS-Lite router
fronting the customer's LAN, or from a host itself (a presumption)
running some sort of DS-Lite driver.  Because the traffic can be
identified by the CGN from the tunnel it came in on, the RFC1918s don't
have to be unique (the customer can pick whatever he wants for his/her
LAN).  A full DS network isn't needed throughout the entire provider
infrastructure, hence the name DS "Lite". 



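Added illustration, not part of the original thread: a toy model of the point made in the message above, that a CGN which keys its NAT bindings on the tunnel a packet arrived on can serve customers whose RFC1918 addresses overlap. The class and function names are hypothetical, and the addresses are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class TunnelKeyedCgn:
    """Toy CGN: NAT bindings are keyed by the IPv6 tunnel the packet arrived on."""
    public_ip: str
    next_port: int = 1024
    inside: dict = field(default_factory=dict)   # (tunnel, proto, ip, port) -> ext port
    outside: dict = field(default_factory=dict)  # (proto, ext port) -> (tunnel, ip, port)

    def outbound(self, tunnel_src, proto, src_ip, src_port):
        """Translate a decapsulated IPv4 flow; returns (public_ip, ext_port)."""
        key = (ipaddress.IPv6Address(tunnel_src), proto,
               ipaddress.IPv4Address(src_ip), src_port)
        if key not in self.inside:
            if self.next_port > 65535:
                raise RuntimeError("external port pool exhausted")
            self.inside[key] = self.next_port
            self.outside[(proto, self.next_port)] = (key[0], key[2], src_port)
            self.next_port += 1
        return self.public_ip, self.inside[key]

    def inbound(self, proto, ext_port):
        """Map a reply back to (tunnel, inner_ip, inner_port); None means drop."""
        hit = self.outside.get((proto, ext_port))
        if hit is None:
            return None
        tunnel, ip, port = hit
        return str(tunnel), str(ip), port


def ambiguous_without_tunnel(flows):
    """Inner tuples that a table keyed on IPv4 alone could not tell apart."""
    seen, clashes = {}, set()
    for tunnel, proto, ip, port in flows:
        owner = seen.setdefault((proto, ip, port), tunnel)
        if owner != tunnel:
            clashes.add((proto, ip, port))
    return clashes


# Constructed sample: two customers who both numbered their LAN 192.168.1.0/24.
FLOWS = [
    ("2001:db8:a::1", "udp", "192.168.1.10", 5000),
    ("2001:db8:b::1", "udp", "192.168.1.10", 5000),
]

if __name__ == "__main__":
    cgn = TunnelKeyedCgn("192.0.2.1")
    for flow in FLOWS:
        print(flow, "->", cgn.outbound(*flow))
    print("reply to port 1025 goes to", cgn.inbound("udp", 1025))
    print("ambiguous if keyed on IPv4 only:", ambiguous_without_tunnel(FLOWS))
```
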


Re: Katrina response, private and public

2010-01-16 Thread Eric Brunner-Williams
At around noon, Eastern, the State Department was provided with 
information on the fuel situation at the Port au Prince NAP, which has 
used 2/3rds of the available diesel (8gal/hour run rate, 160 gal 
remaining) keeping the microwave backhaul to the DR up, and all 
remaining governmental and NGO network access.


Eric

On 1/16/10 10:43 AM, Reynold Guerrier wrote:

> Guys
>
> The biggest issues in the 2 coming days will be energy. And I can't
> assure that we will be able to get fuel for the generator. Equipment
> with Solar energy will be our best shot.
>
>
> Reynold Guerrier
> AHTIC
> Treasurer
> Network Engineer
> Haiti Earthquake Survivor
>
> On Fri, Jan 15, 2010 at 10:40 AM, Eric Brunner-Williams
> <brun...@nic-naa.net> wrote:
>
> > Folks,
> >
> > After the Katrina landfall a diverse group of wireless people
> > started organizing a relief effort, culminating in work around
> > Waveland. There was also a group from the NPGS in Monterey, who
> > worked on the Boxing Day Tsunami aftermath.
> >
> > Does anyone have a similar contact set?
> >
> > Eric
>
> --
> ===
> Reynold Guerrier
> IT Consultant
> 509-3446-0099
> IM: rey...@hotmail.com
> Skype: reygji





RE: Anyone see a game changer here?

2010-01-16 Thread George Bonser


> -Original Message-
> From: andrew.wallace

> It appears this is just western propaganda because:
> 
> One analyst said Friday that he is not sure the attacks point to the
> Chinese government. Rob Knake, a cybersecurity expert with the Council
> on Foreign Relations, said his analysis of results from a technology
> firm investigating the attacks suggests that they "were not
> state-sponsored or the work of an elite, sophisticated group such as
> the Chinese military."
> 
> http://www.washingtonpost.com/wp-dyn/content/article/2010/01/15/AR2010011503321.html
> 
> Andrew

At some point, due to fundamental human nature, it doesn't matter if a
government is doing it or not.  Imagine if private citizens of one
country were shooting at the citizens of another country across the
border while the army stood by and simply watched.  The country on the
receiving end asks for it to stop but the country where the shooting is
originating from says "hey, we aren't doing it!  It is originating from
our country but it isn't the government doing it" where the receiving
side says "I don't care who is doing it, please make them stop."

It can be damaging to a country's or network operator's reputation as a
good neighbor if they allow such chaos to continue without doing
anything about it.  In many other countries where governments exert less
control, the network operators themselves often police their users by
disconnecting those who are seen to engage in such activities.  A
network operator who refuses to cooperate is often seen by their peers
as somehow "rogue" and may be shunned by the community.

The point is that it doesn't matter who is at the keyboard or who is
coding the malware.  If they are enabled by their network operator or
government looking the other way, then it is a natural tendency for
people to instinctively hold them partially responsible for the conduct
as being complicit in it.  And that isn't anything unique with China in
particular, the same thing goes for a network operator or government
anywhere on the planet.

I think in this case because China does exercise a lot of control over
their network traffic, there is a natural tendency for people to become
frustrated when they get the feeling that the government is doing
nothing to stop this sort of traffic while other types of traffic are
vigorously policed.

So the next question would be, to what extent do the various network
operators in China assist in disconnecting the sources of such traffic?
I think I already know the answer.




RE: Anyone see a game changer here?

2010-01-16 Thread Keith Medcalf

>Personally I was amused at people adding cement to USB ports to mitigate
>against the "removable media threat".  The issue I see is people forget
>that floppies posed the same threat back in the day.

Do you mean the "AutoRun" threat, since this sort of thing is usually done by 
people who (a) run M$ Winders and (b) do not know how to turn off the really 
annoying "helpful" features created by the clueless idiots in Redmond ... and 
those idiots keep on creating more and more security hole "features" that have 
to be disabled.

Someone should tell the idiots who design APIs that APIs are designed to be 
used -- and they will be used to do what it was designed to do -- and if that 
design constitutes a security flaw, then it will be used as such and the only 
solution is to stop designing stupid APIs.  The most laughable example is the 
creation of API hooks into the kernel for use by AntiVirus vendors.  
Unfortunately, these APIs can, by their very definition, be used by anyone who 
wants for any purpose they desire.

Personally I would prefer a secure kernel that cannot be tampered with or 
compromised by anyone.  Adding a deliberately designed security flaw to enable 
a third party to stay in business providing a partial plug for the deliberately 
designed hole is utter lunacy!

Back to removable media, AutoRun is, and always has been, completely trivial to 
completely, utterly and irrevocably disable -- and I have been doing so since, 
well, since this idiotic mis-feature first appeared somewhere in the early 90's.

The same applies to other crap-ware vectors such as Flash.

Just because some people are slow or do not pay attention to what has been 
going on in the world for 20 years on, does not make these "new".

It's like dogs -- they have been around for thousands of years.  Some people 
just don't notice that they have teeth until they, through their own stupidity, 
get bitten by one.

Now, back to your regularly scheduled programming ...







Re: Are IPv6-only Internet services viable today?

2010-01-16 Thread Cam Byrne

- Original message -
> On Sat, 16 Jan 2010, Cam Byrne wrote:
>
> > interested you can read the ietf draft.  Assuming you have a ds-lite
> > cpe, you can park dual-stack hosts behind it.  But, it does not "just
>
> If your hosts are dual-stacked, why would you need a ds-lite cpe in the
> first place?

A dual-stack capable host like windows 7 does not ensure any ipv6 network 
access beyond the local LAN, especially given today's ipv4-only service 
dominance.  There are various ways to translate or tunnel to solve this 
problem, connecting v6 and v4 islands, including nat64 and ds-lite.


>
> Antonio Querubin
> 808-545-5282 x3003
> e-mail/xmpp:  t...@lava.net



Re: Katrina response, private and public

2010-01-16 Thread Reynold Guerrier
Guys

The biggest issues in the 2 coming days will be energy. And I can't assure
that we will be able to get fuel for the generator. Equipment with Solar
energy will be our best shot.


Reynold Guerrier
AHTIC
Treasurer
Network Engineer
Haiti Earthquake Survivor

On Fri, Jan 15, 2010 at 10:40 AM, Eric Brunner-Williams  wrote:

> Folks,
>
> After the Katrina landfall a diverse group of wireless people started
> organizing a relief effort, culminating in work around Waveland. There was
> also a group from the NPGS in Monterey, who worked on the Boxing Day Tsunami
> aftermath.
>
> Does anyone have a similar contact set?
>
> Eric
>
>


-- 
===
Reynold Guerrier
IT Consultant
509-3446-0099
IM: rey...@hotmail.com
Skype: reygji


Re: Anyone see a game changer here?

2010-01-16 Thread Joe Greco
> On Fri, Jan 15, 2010 at 2:07 PM, Bruce Williams
>  wrote:
> > Mark Rasch, former head of the Department of Justice computer crime
> > unit, called the attacks “cyberwarfare,” and said it was clearly an
> > escalation of a digital conflict between China and the U.S.
> >
> > As if the old threat models weren't bad enough...
> >
> >
> > Bruce
> 
> It appears this is just western propaganda because:
> 
> One analyst said Friday that he is not sure the attacks point to the
> Chinese government. Rob Knake, a cybersecurity expert with the Council
> on Foreign Relations, said his analysis of results from a technology
> firm investigating the attacks suggests that they "were not
> state-sponsored or the work of an elite, sophisticated group such as
> the Chinese military."
> 
> http://www.washingtonpost.com/wp-dyn/content/article/2010/01/15/AR2010011503321.html

It's kind of a stretch to go calling it "western propaganda" just because
one cybersecurity expert "is not sure".

If another cybersecurity expert suggested that it seemed possible that
little green men might be responsible for the attacks, would you suddenly
believe in Martians?

There is almost always someone who will take up an opposing point of view.
It's certainly good to keep in mind that there's a margin for error in
these sorts of things.  However, it's also smart to keep in mind that a
large number of people have looked at this issue, most certainly including
a slew of experts from the government, who would have had to agree with
the China assessment prior to the State Department decision to issue a
formal protest.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: News about the .HT domain

2010-01-16 Thread Reynold Guerrier
Thank you Stephane.

Max Larson Henry who is the technical contact has lost his house and his
mother-in-law. So guys do all you can to have it up and running. Down here
we are working to keep the remaining of the network up and running. But we
might have some energy problem in the coming days.

Reynold Guerrier
AHTIC
Treasurer

On Fri, Jan 15, 2010 at 11:49 AM, Stephane Bortzmeyer wrote:

> I have no information about the state of the Internet links in Haiti
> (everything seems down) but, for the .HT top-level domain, here are a
> few news.
>
> .HT has six name servers, four outside of the country. They were not
> affected so .HT never had a problem resolving. Main DNS lesson: always
> put name servers in very diverse places.
>
> The master was in Port-au-Prince and is unreachable, probably for a
> long time. A new (stealth) master has been set up in Australia by
> Cocca and the slaves are now reconfigured to use it. Two already do it
> and therefore the zone no longer risks expiration (and can even be
> modified).
>
> You may find information at .
>
> % check_soa ht
> There was no response from ns2.nic.ht
> There was no response from ns1.nic.ht
> dns.princeton.edu has serial number 2010011198
> charles.cdec.polymtl.ca has serial number 2010011198
> ht-ns.anycast.pch.net has serial number 2010011615
> ns3.nic.fr has serial number 2010011615
>
>
>


-- 
===
Reynold Guerrier
IT Consultant
509-3446-0099
IM: rey...@hotmail.com
Skype: reygji
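Added illustration, not part of the original thread: one way to turn the check_soa output quoted in the message above into a summary of which name servers already follow the new master, which still hold the older zone, and which are unreachable. The sample text is that quoted output with the quote markers removed; the function names are hypothetical, and serials are compared with RFC 1982 serial number arithmetic.

```python
import re

# check_soa output as quoted in the message above (quote markers stripped).
CHECK_SOA_OUTPUT = """\
There was no response from ns2.nic.ht
There was no response from ns1.nic.ht
dns.princeton.edu has serial number 2010011198
charles.cdec.polymtl.ca has serial number 2010011198
ht-ns.anycast.pch.net has serial number 2010011615
ns3.nic.fr has serial number 2010011615
"""

SERIAL_RE = re.compile(r"^(\S+) has serial number (\d+)$")
SILENT_RE = re.compile(r"^There was no response from (\S+)$")


def serial_gt(a, b):
    """RFC 1982 comparison for 32-bit SOA serials: True if a is newer than b."""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000


def summarize(text):
    """Classify each server as current, stale or unreachable."""
    serials, silent = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = SERIAL_RE.match(line)
        if m:
            serials[m.group(1)] = int(m.group(2))
            continue
        m = SILENT_RE.match(line)
        if m:
            silent.append(m.group(1))
    newest = None
    for serial in serials.values():
        if newest is None or serial_gt(serial, newest):
            newest = serial
    return {
        "newest": newest,
        "current": sorted(h for h, s in serials.items() if s == newest),
        "stale": sorted(h for h, s in serials.items() if s != newest),
        "unreachable": sorted(silent),
    }


if __name__ == "__main__":
    for key, value in summarize(CHECK_SOA_OUTPUT).items():
        print(f"{key}: {value}")
```
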


Re: Are IPv6-only Internet services viable today?

2010-01-16 Thread Antonio Querubin

On Sat, 16 Jan 2010, Cam Byrne wrote:

> interested you can read the ietf draft.  Assuming you have a ds-lite
> cpe, you can park dual-stack hosts behind it.  But, it does not "just


If your hosts are dual-stacked, why would you need a ds-lite cpe in the 
first place?


Antonio Querubin
808-545-5282 x3003
e-mail/xmpp:  t...@lava.net



Re: Are IPv6-only Internet services viable today?

2010-01-16 Thread Cam Byrne

- Original message -
>
> On Jan 15, 2010, at 7:53 PM, Jim Burwell wrote:
>
> > Sorry for late response here...
> >
> > On 1/14/2010 15:20, Cameron Byrne wrote:
> > > On Thu, Jan 14, 2010 at 3:00 PM, Jim Burwell  wrote:
> > >
> > > > On 1/14/2010 11:10, Cameron Byrne wrote:
> > > >
> > > > > Folks,
> > > > >
> > > > > My question to the community is:  assuming a network based IPv6 to IP4
> > > > > translator is in place (like NAT64 / DNS64), are IPv6-only Internet
> > > > > services viable as a product today?  In particular, would it be
> > > > > appropriate for a 3G /smartphone or wireless broadband focused on at
> > > > > casual (web and email) Internet users?  Keep in mind, these users have
> > > > > NAT44 today.
> > > > >
> > > > >
> > > > You may also want to read up on Dual Stack Lite (DS-Lite)
> > > > ,
> > > >
> > > I have looked at DS-lite very carefully.    First, DS-Lite fits better
> > > for cable operators since they have CPE and can have a DS-lite
> > > function in the CPE that they control, and that in turn allows them to
> > > provide IPv4, IPv6, and dual-stack to the end-host that they do not
> > > control.  DS-Lite does not fit as well for a mobile phones since it
> > > would require a major change to the phone's OS.  Second, DS-Lite
> > > requires tunneling as well as translation, so it is one more piece of
> > > overhead in addition to NAT64 solution.  For me, i believe it is less
> > > complex to manage a single stack IPv6 host with NAT64 translation than
> > > a dual stack host, tunneling infrastructure, as well as NAT44 CGN,
> > > which is what DS-lite requires.  They both achieve the same result,
> > > but I believe in the mobile space there is a quicker time to market as
> > > well as more progress toward the end-goal of IPv6-only using NAT64
> > > than DS-lite.
> > >
> > I guess the choice here is between standing up and managing a NAT64 CGN
> > + special DNS64 DNS server infrastructure, or a DS-Lite CGN + DS-Lite
> > tunneling infrastructure (you'd be able to keep existing "vanilla" DNS
> > servers).
> >
> >
> As I understand DS-Lite, an IPv6-capable device is a DS-Lite capable device
> without any modification.  The DS-Lite Gateway does all the heavy lifting
> to provide IPv4 services and do the NAT64 translation between the IPv6-only
> end-user device (phone) and the IPv4 internet.
>
> Owen

ummm.  An ipv6 device is not natively a ds-lite device.  There is always a 
tunneling component which is generally after market client software (in the 
case of mobile devices) or some cpe function.  If you are interested you can 
read the ietf draft.  Assuming you have a ds-lite cpe, you can park dual-stack 
hosts behind it.  But, it does not "just work" today like the demonstration i 
posted.

>
>



Re: Are IPv6-only Internet services viable today?

2010-01-16 Thread Jim Burwell
On 1/15/2010 23:45, Owen DeLong wrote:
>
> On Jan 15, 2010, at 7:53 PM, Jim Burwell wrote:
>
>> Sorry for late response here...
>>
>> On 1/14/2010 15:20, Cameron Byrne wrote:
>>> On Thu, Jan 14, 2010 at 3:00 PM, Jim Burwell wrote:
>>>
>>>> On 1/14/2010 11:10, Cameron Byrne wrote:
>>>>
>>>>> Folks,
>>>>>
>>>>> My question to the community is:  assuming a network based IPv6 to IP4
>>>>> translator is in place (like NAT64 / DNS64), are IPv6-only Internet
>>>>> services viable as a product today?  In particular, would it be
>>>>> appropriate for a 3G /smartphone or wireless broadband focused on at
>>>>> casual (web and email) Internet users?  Keep in mind, these users have
>>>>> NAT44 today.
>>>>>
>>>>>
>>>> You may also want to read up on Dual Stack Lite (DS-Lite)
>>>> ,
>>>>
>>> I have looked at DS-lite very carefully.   First, DS-Lite fits better
>>> for cable operators since they have CPE and can have a DS-lite
>>> function in the CPE that they control, and that in turn allows them to
>>> provide IPv4, IPv6, and dual-stack to the end-host that they do not
>>> control.  DS-Lite does not fit as well for a mobile phones since it
>>> would require a major change to the phone's OS.  Second, DS-Lite
>>> requires tunneling as well as translation, so it is one more piece of
>>> overhead in addition to NAT64 solution.  For me, i believe it is less
>>> complex to manage a single stack IPv6 host with NAT64 translation than
>>> a dual stack host, tunneling infrastructure, as well as NAT44 CGN,
>>> which is what DS-lite requires.  They both achieve the same result,
>>> but I believe in the mobile space there is a quicker time to market as
>>> well as more progress toward the end-goal of IPv6-only using NAT64
>>> than DS-lite.
>>>
>> I guess the choice here is between standing up and managing a NAT64 CGN
>> + special DNS64 DNS server infrastructure, or a DS-Lite CGN + DS-Lite
>> tunneling infrastructure (you'd be able to keep existing "vanilla" DNS
>> servers).
>>
>>
> As I understand DS-Lite, an IPv6-capable device is a DS-Lite capable
> device
> without any modification.  The DS-Lite Gateway does all the heavy lifting
> to provide IPv4 services and do the NAT64 translation between the
> IPv6-only
> end-user device (phone) and the IPv4 internet.
>
Could well be the case.  My idea was that you could do it either way. 
You could have a DS-Lite gateway (Typical.  Likely built into the "cable
modem" or similar device), or in the case where no gateway is available,
a DS-Lite "client" (basically a virtual nic/tunnel driver) on the
machine would establish the tunnel and an IPv4 address itself.  But
perhaps this latter method was never intended?




Re: Katrina response, private and public

2010-01-16 Thread Eric Brunner-Williams

On 1/15/10 11:52 AM, Bill Woodcock wrote:
>On Fri, 15 Jan 2010, Eric Brunner-Williams wrote:
>  >  After the Katrina landfall a diverse group of wireless people started
>  >  organizing a relief effort...
>
> There are quite a lot of us working on it, is there something specific
> you're volunteering to do?
>
>  -Bill
>
>
>

Thank you Bill,

As I'm in Geneva this morning, the only thing I can share that is 
immediately accessible is the experience of living for four of the 
past five years off-grid.


My best generator was the Honda 2000 watt, 120V, super quiet, 15 
hours/gal unit. My second best was the (PRC knock-off) Pony 1000 Watt 
120V super quiet. Everything begins at the generator. Gas is useful.


For batteries a series of 6V AGM. A single 6V AGM can power a VSAT 
(HughesNet) for several hours. With three and even a 1000 watt 120V 
genset a VSAT link can be kept up a large part of 24/7. They are heavy 
and never pre-positioned (gensets aren't either), but they are the 
stable, long-term uptime must have.


An efficient pure-sine wave inverter completes the electrical basic of 
a mobile programmer's electrical infrastructure. Non-pure-sine eats 
voltage and phase delta sensitive gear.


Learning about Electrical Cost of Link Characteristics (ECLC, a low 
energy pun on the PILC WG abbreviation) was the most important thing I 
learned going off-grid.


Some of these points are made within the larger ICT donor framework, at 
http://www.inveneo.org/download/Inveneo_ICT-Sustainability_Primer0809.pdf, 
the Inveneo ICT Sustainability Primer, which is worth the read 
(particularly on why "donated kit" and Windoz are wicked expensive to 
field), see pages 2 and 3.


Things overlooked in the Inveneo paper are the role of portable 
generators, 6V battery management, and VSAT, which are what I see as 
the "off-grid" critical toolkit.


I had educational and medical requirements in addition to my 
always-connected-to-my-racks-in-Maine needs.


I'm wicked pleased to see the NSRC kit en route, and as I'm in Geneva 
I'll start on our IRC PoC and our own donor commit. When I get back to 
Cornell I'll start there too, as I know there is an interest at 
Cornell Law in the Maison des Infants de Dieu orphanage in Port au Prince.


Eric



Re: Anyone see a game changer here?

2010-01-16 Thread andrew.wallace
On Fri, Jan 15, 2010 at 2:07 PM, Bruce Williams
 wrote:
> Mark Rasch, former head of the Department of Justice computer crime
> unit, called the attacks “cyberwarfare,” and said it was clearly an
> escalation of a digital conflict between China and the U.S.
>
> As if the old threat models weren't bad enough...
>
>
> Bruce

It appears this is just western propaganda because:

One analyst said Friday that he is not sure the attacks point to the
Chinese government. Rob Knake, a cybersecurity expert with the Council
on Foreign Relations, said his analysis of results from a technology
firm investigating the attacks suggests that they "were not
state-sponsored or the work of an elite, sophisticated group such as
the Chinese military."

http://www.washingtonpost.com/wp-dyn/content/article/2010/01/15/AR2010011503321.html

Andrew