date:20110511

Re: Yahoo and IPv6

2011-05-11 Thread Tore Anderson

* Tony Hain

 So take the relays out of the path by putting up a 6to4 router and a
 2002:: prefix address on the content servers. Longest match will
 cause 6to4 connected systems to prefer that prefix while native
 connected systems will prefer the current prefix. The resulting IPv4
 path will be exactly what it is today door-to-door. Forcing traffic
 through a third party by holding to a purity principle for dns, and
 then complaining about the results is not exactly the most productive
 thing one could do.

If you add a 6to4  record to your domain name, you'll attract 6to4
traffic from a lot of systems that would earlier have used IPv4. This is
because 6to4-6to4 is preferred above IPv4-IPv4 in RFC 3484 (which in
turn is preferred aboue 6to4-NativeV6).

This in turn results in a net decrease of reliability, as 6to4 is
extremely unreliable, even in the situation where the relays are known
to work correctly - the failure rate in this case has been indepentently
verified by Emile Aben of the RIPE NCC
(https://labs.ripe.net/Members/emileaben/6to4-how-bad-is-it-really) and
Geoff Huston of APNIC
(http://www.potaroo.net/ispcol/2010-12/6to4fail.html) to be in the 15%
ballpark.

Also, I actually tried it myself, by «triple-stacking» (adding a 6to4
) the dual-stack measurement point in my own brokenness experiment
(http://fud.no/ipv6). Overall brokenness increased about ten-fold, from
around 0.03% to 0.3%, so the change was reverted the next day.

In conclusion, publishing 6to4  records is a terrible idea if
you're concerned about reliability.

 The argument is that enterprise firewalls are blocking it, but that
 makes no sense because many/most enterprises are in 1918 space so 
 6to4 will not be attempted to begin with, and for those that have
 public space internally the oft-cited systems that are domain members
 will have 6to4 off by default. To get them to turn it on would
 require the IT staff to explicitly enable it for the end systems but
 then turn around and block it at the firewall ... Not exactly a
 likely scenario.

Perhaps most enterprises are in 1918 space, but I don't the reasoning
why an enterprise that are not using 1918 space would be more likely to
use Active Directory than those that are using 1918 space. I would have
thought that the use of AD is completely orthogonal the use of 1918 space?

In any case, there's no shortage of 6to4 implementations in the wild that
will happily enable 6to4 from 1918 addresses even though it cannot
possibly work.

 The most likely source of public space for non-domain joined systems
 would be universities,

My data shows that university networks are overrepresented with broken
end-users, yes.

 but no one that is complaining about protocol 41 filtering has shown
 that the source addresses are coming from those easily identifiable
 places.

http://www.fud.no/ipv6/snapshot-20101221/gnuplot/nouninett-t10-historic.png

The red line is the overall internet brokenness I measured. The green
line is the overall brokenness for the internet *except* UNINETT, the
Norwegian University and Research Network, which filters proto-41. So
that particular network with some tens of thousands of end users are
responsible for around one-third of all failed dual-stack connection
attempts, in a country that has around five million citizens.

The sharp drop at the end is when they finally deployed native IPv6 at
certain proto-41-filtered problem spots in their network, by the way.

 That leaves the case of networks that use public addresses
 internally, but nat those at the border. This would confuse the
 client into thinking 6to4 should be viable, only to have protocol 41
 blocked by the nat. These networks do exist,

End users in such networks are likely to increase sharply in numbers,
thanks to IPv4 depletion and the inevitable deployment of CGNs using
bogon or unrouted public addresses.

 The 6rd hack is nothing more than 6to4 in a different prefix to get
 around the one-liner that should be ignored in the original RFC that
 said to only publish the /16 into IPv6 bgp. I can already hear the
 screams about routing table, but there is no difference between the
 impact of a 6rd specific announcement and a deaggregate of 2002::

Only in the case that the 2002::/16-deaggregating ISP only has *one*
IPv4 PA allocation, and that the 6RD using ISP you're comparing it to
gets a *separate* IPv6 PA allocation dedicated to 6RD end users,
something which I don't believe will be granted in the RIPE region at
least.

The only well-known deployment of 6RD (Free.fr / AS12322) currently
originate 18 IPv4 prefixes and a single IPv6 prefix. With your solution
they would need to originate 18 deaggregates of 2002::/16 instead, in
addition to their single IPv6 PA allocation for native deployments.

-- 
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com
Tel: +47 21 54 41 27

Re: Yahoo and IPv6

2011-05-11 Thread Iljitsch van Beijnum

On 11 mei 2011, at 2:39, Karl Auer wrote:

 On Wed, 2011-05-11 at 10:19 +1000, Mark Andrews wrote:
 For the record Apple's current iChat (the OS (10.6.7) is completely
 up to date) fails such a test.  It will try IPv6 and not fallback
 to IPv4.  End users shouldn't be seeing these sorts of errors.

Hm, I've had a very hard time finding any IPv6-capable servers to let my iChat 
talk to...

 Is that possibly a failure of the underlying resolver library? Do other
 applications on the same platform behave correctly?

Apple's Mail application used to do this, but after many years they fixed this, 
it will now fall back to IPv4 without trouble. This isn't a resolver issue, as 
the resolver can't know whether IPv6 connectivity does or doesn't work. The 
resolver simply gives applications that don't explicitly ask for a particular 
address type all of the addresses of all types for which the system currently 
has connectivity, I think as determined by the presence of a default route, 
maybe the presence of an address also matters.

What applications need to do when they connect to a remote server is to try the 
next address when the first one fails and cycle through all addresses before 
giving up. Of course with IPv4 having multiple addresses is extremely rare so 
IPv4 applications typically don't bother with this, so it has to be addressed 
when IPv6ifying applications.

RE: Yahoo and IPv6

2011-05-11 Thread Igor Gashinsky

On Tue, 10 May 2011, Frank Bulk wrote:

:: If I can anticipate Igor's response, he'll say that he'll whitelist those
:: IPv6-only networks and so he's just help 182,000 people.

That's a very good guess as to what I was going to say :)

-igor

:: -Original Message-
:: From: Owen DeLong [mailto:o...@delong.com] 
:: Sent: Tuesday, May 10, 2011 1:23 PM
:: To: Igor Gashinsky
:: Cc: nanog@nanog.org
:: Subject: Re: Yahoo and IPv6
:: 
:: On May 10, 2011, at 9:32 AM, Igor Gashinsky wrote:
:: 
::  On Tue, 10 May 2011, valdis.kletni...@vt.edu wrote:
::  
::  :: On Tue, 10 May 2011 02:17:46 EDT, Igor Gashinsky said:
::  :: 
::  ::  The time for finger-pointing is over, period, all we are all trying
:: to do 
::  ::  now is figure out how to deal with the present (sucky) situation. The
:: 
::  ::  current reality is that for a non-insignificant percentage of users
:: when 
::  ::  you enable dual-stack, they are gong to drop off the face of the
:: planet. 
::  ::  Now, for *you*, 0.026% may be insignificant (and, standalone, that
:: number 
::  ::  is insignificant), but for a global content provider that has ~700M
:: users, 
::  ::  that's 182 *thousand* users that *you*, *through your actions* just
:: took 
::  ::  out.. 182,000 - that is *not* insignificant
::  :: 
::  :: At any given instant, there's a *lot* more than 182,000 users who are
:: cut off
::  :: due to various *IPv4* misconfigurations and issues.
::  
::  Yes, but *these* 182,000 users have perfectly working ipv4 connectivity, 
::  and you are asking *me* to break them through *my* actions. Sorry, that's 
::  simply too many to break for me, without a damn good reason to do so.
::  
:: In other words, Igor can't turn on  records generally until there are
:: 182,001 IPv6-only users that are broken from his lack of  records.
:: 
:: Given IP address consumption rates in Asia and the lack of available IPv4
:: resources in Asia, with a traditional growth month to month of nearly
:: 30 million IPv4 addresses consumed, I suspect it will not be long before
:: the 182,001 broken IPv6 users become relevant.
:: 
::  Doing that on world ipv6 day, when there is a lot of press, and most other
:: 
::  large content players doing the same, *is* a good reason - it may actually
:: 
::  has a shot of accomplishing some good, since it may get those users to 
::  realize that they are broken, and fix their systems, but outside of flag 
::  day, if I enabled  by default for all users, all I'm going to do is 
::  send those broken users to my competitors who chose not to enable  
::  on their sites. 
::  
:: Agreed. I think IPv6 day is a great plan for this very reason. I also hope
:: that
:: a lot of organizations that try things out on IPv6 day will decide that the
:: brokenness that has been so hyped wasn't actually noticeable and then
:: leave their  records in place. I do not expect Yahoo or Google to
:: be among them, but, hopefully a lot of other organizations will do so.
:: 
::  This is why I think automatic, measurement-based whitelisting/blacklisting
:: 
::  to minimize the collateral damage of enabling  is going to be 
::  inevitable (with the trigger set to something around 99.99%), and about 
::  the only way we see wide-scale IPv6 adoption by content players, outside 
::  events like world ipv6 day.
::  
:: This will be interesting. Personally, I think it will be more along the
:: lines
:: of when there are more IPv6 only eye-balls with broken IPv4 than there
:: are IPv4 eye-balls with broken IPv6,  will become the obvious
:: solution.
:: 
:: In my opinion, this is just a matter of time and will happen much sooner
:: than
:: I think most people anticipate.
:: 
:: Owen
:: 
::

RE: 23,000 IP addresses

2011-05-11 Thread Keith Medcalf

Luis Marta wrote on 2011-05-10:


 In the EU you have Directive 2006/24/EC: http://eur-
 lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:0063:EN:PDF

 Article 6 - Periods of retention
 Member States shall ensure that the categories of data specified in Article
 5 are retained for periods of not less than six months and not more than two
 years from the date of the communication.

 Article 5 - Categories of data to be retained
 1. Member States shall ensure that the following categories of data are
 retained under this Directive:
 (a) data necessary to trace and identify the source of a communication:
 (...) the name and address of the subscriber or registered user to whom an
 Internet Protocol (IP) address, user ID or telephone number was allocated at
 the time of the communication;

The real problem is in the stupid wording.  The IP Address is not allocated to 
a subscriber or registered user.  It is handed out for use on an authorized 
circuit.  That circuit is being paid for by someone.  There is no nexus between 
a circuit number and a subscriber or user (or there should not be -- and 
there only is if YOU CHOOSE TO CREATE SUCH).  If network operators behaved 
rationally, the proper response to any request to divulge information related 
to an IP address would be limited to the Account Number which was paying for 
the circuit on which the IP Address was allocated WITH NO IDENTIFICATION OF ANY 
INDIVIDUAL WHATSOEVER.

The entire problem is being created by Network Operators who are making up 
answers that they cannot prove are true, and causing grief to their customers.

Eventually some customer will decide to challenge the Network Operator to prove 
their allegations of misfeasance.  The result will be that the Network 
Operators will lose, and lose big time.  After all, it is the Network Operators 
who are the accusers -- not the media mafia.

 Each member state creates its own law, according to the directive. In
 Portugal, you have to retain the data for one year.

 Best Regards,
 Luís Marta.

--- Keith Medcalf
()  ascii ribbon campaign against html e-mail
/\  www.asciiribbon.org

Re: 23,000 IP addresses

2011-05-11 Thread Roland Perry

In article 5f713bd4b694ac42a8bb61aa6001a...@mail.dessus.com, Keith
Medcalf kmedc...@dessus.com writes

Article 5 - Categories of data to be retained
1. Member States shall ensure that the following categories of data are
retained under this Directive:
(a) data necessary to trace and identify the source of a communication:
(...) the name and address of the subscriber or registered user to whom an
Internet Protocol (IP) address, user ID or telephone number was allocated at
the time of the communication;

The real problem is in the stupid wording. The IP Address is not allocated to a
subscriber or registered user. It is handed out for use
on an authorized circuit. That circuit is being paid for by someone. There is no nexus between a
circuit number and a subscriber or
user (or there should not be -- and there only is if YOU CHOOSE TO CREATE
SUCH).

While there's an argument that the circuit number doesn't identify the
user, it most certainly identifies the Subscriber, who is the person who
has the legal contract for supply of the circuit.

If network operators behaved rationally, the proper response to any request to
divulge information related to an IP address would be limited to
the Account Number which was paying for the circuit on which the IP Address was
allocated WITH NO IDENTIFICATION OF ANY INDIVIDUAL WHATSOEVER.

So you'd give out the bank/credit card number, but not the name? The
legislation above asks for the name and address, and in many
jurisdictions revealing the credit card number or bank account number
would be regarded as *more* intrusive, not less.

--
Roland Perry

Re: 23,000 IP addresses

2011-05-11 Thread Michael Holstein


 I wonder how things go if you challenge them in court.  This is surely a
 topic for another list, but it seems to me it'd be fairly difficult to
 prove unless they downloaded part of the movie from your IP and verified
 that what they got really was a part of the movie. 

I have the netflow records to prove this is NOT the case. All
MediaSentry (et.al.) do is scrape the tracker. We have also received a
number of takedown notices that have numbers transposed, involve parts
of our netblock that were not in use at the time in question, etc.

I would think that whole penalty of perjury thing would have some
weight behind it.

Stanford (in)famously managed to get DMCA notices for all the printers
on campus, just by faking a client into putting the printer's IP into
the tracker as a seed.

Cheers,

Michael Holstein
Cleveland State University

Re: Yahoo and IPv6

2011-05-11 Thread Mark Andrews


In message 03c70cde-8169-437b-8394-26f839413...@muada.com, Iljitsch van Beijn
um writes:
 On 11 mei 2011, at 2:39, Karl Auer wrote:
 
  On Wed, 2011-05-11 at 10:19 +1000, Mark Andrews wrote:
  For the record Apple's current iChat (the OS (10.6.7) is completely
  up to date) fails such a test.  It will try IPv6 and not fallback
  to IPv4.  End users shouldn't be seeing these sorts of errors.
 
 Hm, I've had a very hard time finding any IPv6-capable servers to let my =
 iChat talk to...

Well I found this bug because the jabber server was IPv4 only and
the box it is on got a  address.  The jabber server is now
running dual stack with the IPv6 ports being forwarded to the IPv4
ports.  It's not optimal but it works.

  Is that possibly a failure of the underlying resolver library? Do =
 other
  applications on the same platform behave correctly?
 
 Apple's Mail application used to do this, but after many years they =
 fixed this, it will now fall back to IPv4 without trouble. This isn't a =
 resolver issue, as the resolver can't know whether IPv6 connectivity =
 does or doesn't work. The resolver simply gives applications that don't =
 explicitly ask for a particular address type all of the addresses of all =
 types for which the system currently has connectivity, I think as =
 determined by the presence of a default route, maybe the presence of an =
 address also matters.
 
 What applications need to do when they connect to a remote server is to =
 try the next address when the first one fails and cycle through all =
 addresses before giving up. Of course with IPv4 having multiple =
 addresses is extremely rare so IPv4 applications typically don't bother =
 with this, so it has to be addressed when IPv6ifying applications.=

This is basic RFC 1123 multihome support.

Also see 
https://www.isc.org/community/blog/201101/how-to-connect-to-a-multi-homed-server-over-tcp

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Japan electrical power?

2011-05-11 Thread Robert Boyle


Hello,

This is sort of off-topic, but no where near as much as half of the 
topics on NANOG. It is relevant to netops for anyone who has a 
presence in Japan. Does anyone on NANOG have firsthand in-depth 
knowledge of the electrical system in Japan? I know voltage varies 
from town to town and prefecture to prefecture. It seems most is 
90V-110V. Do most homes and businesses have a single leg or do they 
have 200-220V available? Are most circuit breakers 15A? Do they use 
20A anywhere? What is used in commercial settings? What is the 
typical service to a home? 60A, 100A, 200A? I have searched, but 
haven't found enough definitive info to be useful. I am designing 
some new equipment and Japan is the worst case scenario from a power 
standpoint because they use such a low line voltage. If my gear works 
in rocky  mountainous low-voltage Japan, it will work anywhere. Any 
information or good links would be appreciated. I can't give out any 
info on the new gear yet until some key IP is protected. It doesn't 
compete with anything on the market today. Thanks for any help anyone 
can give. Domo arigato!


-Robert


Well done is better than well said. - Benjamin Franklin

Re: 23,000 IP addresses

2011-05-11 Thread Ken Chase

On Wed, May 11, 2011 at 09:56:56AM +0800, Ong Beng Hui said:

 while, I am not a lawyer, so what after they know who is using that  
 broadband connection for that IP. So, they have identified the 80yr old,  
 what next ? and what if i have a free-for-all wireless router in my  
 house which anyone can tap on, which i regularly switch off during  
 nighttime for energy saving reason. :)

Simple. Just make having clue on configuring your wifi AP a legal requirement. 
:)

Sides, since WPA is cracked now too, to some extent, i dont think most APs
have any sort of guaranteed protection. Hell, it's better to leave it wide
open, as having the prosecution accuse you of child porn because you used a
hard-but-crackable WPA2 (it's one in a billion to crack it! beyond a
reasonable doubt! we dont have anyone anywhere in our IT who could possibly
crack it!) instead of WEP or wide open seems like a greater pitfall.

What about projects like http://NoCat.net - will they be made illegal? That's 
going
to be an awesome can of worms.

/kc
-- 
Ken Chase - k...@heavycomputing.ca skype:kenchase23 +1 416 897 6284 Toronto 
Canada
Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front 
St. W.

Re: 23,000 IP addresses

2011-05-11 Thread Christopher Morrow

On Wed, May 11, 2011 at 8:48 AM, Michael Holstein
michael.holst...@csuohio.edu wrote:

 I wonder how things go if you challenge them in court.  This is surely a
 topic for another list, but it seems to me it'd be fairly difficult to
 prove unless they downloaded part of the movie from your IP and verified
 that what they got really was a part of the movie.

 I have the netflow records to prove this is NOT the case. All
 MediaSentry (et.al.) do is scrape the tracker. We have also received a
 number of takedown notices that have numbers transposed, involve parts
 of our netblock that were not in use at the time in question, etc.

this is exactly the same situation I outlined previously...
darknet/tcdump can't be a bittorrent user.

 I would think that whole penalty of perjury thing would have some
 weight behind it.

apparently not :( (I'd say something about lobbyists et.al, but...)

-chris

Re: .io registrar

2011-05-11 Thread Kevin Loch


Jeremy Kister wrote:
Does anyone know of a competent .io registrar who charges in the = 
$75/yr area ?


I've been using tierra.net (domaindiscover.com) but they continually 
break my domains.


this year, although their website says my domain expires 4/2012, my 
domain stopped working today.  the .io servers aren't serving records, 
and nic.io says the domain expired 4/8/2011.


i got a hold of them this morning got a ticket -- but after 4 hours 
still no response.



also, although nic.io lists a bunch of .io registrars, when I called 
them they almost all say we don't register .io :D


I have a .io domain with Moniker and have not had any problems.

- Kevin

47 matches

Mail list logo