News items for tag ipv6 - Koos van den Hout

2015-06-03 Working IPv6 at Surfnet office
December last year I noticed IPv6 at the Surfnet office breaking in interesting ways. Recently I was invited to come over and test it again; the news was that the problem I was seeing should be fixed now. I accepted that invitation and yesterday I was at the new office and tested it. And indeed it now works well: I received a stable IPv6 assignment and I was able to keep long-running IPv6 sessions to multiple systems at home. The technical reasons behind it are 'interesting', but the good news is that the eduroamers network now has stable IPv6.

2015-04-27 Upgrading the homeserver to Ubuntu 12.04
To get to a version of Ubuntu that is still supported I kept going and ran 'do-release-upgrade' again today on the homeserver greenblatt.

Again the upgrade was running for a while. A big improvement is that the process now uses screen, so I was able to attach to that running console from other sessions and answer questions.

After the upgrade came the reboot, and after the reboot I noticed resolving was broken. This was traced back to the ppp0 interface for the connection to the outside world and the internal interface for services both having started completely without IPv6 support. Doing an ifdown and ifup helped, but this should all start correctly automatically.

I noticed the new PostgreSQL 9.1 is already installed, but PostgreSQL 8.4 is still the default version available on port 5432, so I can do the pg_upgradecluster when I have time for that.

Later I noticed some packages were held back. I traced this back to /etc/apt/preferences still being optimized for Ubuntu 8.04 hardy and hardy-backports. I emptied the preferences file and it all sorted itself out; now everything is up to date.

This was probably the reason PostgreSQL 8.4 was left installed and active. After the updates above, apt-get autoremove was going to delete PostgreSQL 8.4.

2015-03-27 Overly interested Amazon EC2 nodes
On Camp Wireless and The Virtual Bookcase I see the following pattern in the access logs:
2620:108:700f::36bc:aade - - [27/Mar/2015:13:27:11 +0100] "GET / HTTP/1.1" 302 298 "-" "curl/7.36.0"
2406:da00:ff00::36e2:d963 - - [27/Mar/2015:13:27:38 +0100] "GET / HTTP/1.1" 302 298 "-" "curl/7.36.0"
Constant requests, 2 or 3 per minute, from Amazon EC2 IPv6 addresses just requesting / using curl. Over the day I now see 1334 unique addresses, with at most 5 requests from any one address.

The same pattern as described in Stange stream of HTTP GET requests in apache logs, from amazon ec2 instances - Server Fault, with no real answer to the why.

It's not a problematic amount of traffic, I'd just like to understand what is happening!

2015-01-05 Leap second announcement
Promptly after fixing the previous leap second file I get IERS Bulletin C number 49 today, which states:
                                   UTC TIME STEP
                            on the 1st of July 2015


 A positive leap second will be introduced at the end of June 2015.
 The sequence of dates of the UTC second markers will be:

                          2015 June 30,     23h 59m 59s
                          2015 June 30,     23h 59m 60s
                          2015 July  1,      0h  0m  0s
And I notice the IETF seems to update the canonical leap-seconds file about two months after the decision is made by the IERS.

It's a good thing ntpd starts complaining when the file is about to expire.

Update 2015-01-06: An update was available from ftp://time.nist.gov/ but only when I connected over IPv6. An interesting form of IPv6 promotion. Notice the difference in messages between loading the old file and loading the new file:
Jan  5 13:54:33 ritchie ntpd[13710]: leapsecond file ('/etc/ntp/leap-seconds.3644438400'): good hash signature
Jan  5 13:54:33 ritchie ntpd[13710]: leapsecond file ('/etc/ntp/leap-seconds.3644438400'): loaded, expire=2015-06-28T00:00Z ofs=35 (no entries after build date)
Jan  6 10:14:17 ritchie ntpd[26348]: leapsecond file ('/etc/ntp/leap-seconds.3629404800'): good hash signature
Jan  6 10:14:17 ritchie ntpd[26348]: leapsecond file ('/etc/ntp/leap-seconds.3629404800'): loaded, expire=2015-12-28T00:00Z last=2015-07-01T00:00Z ofs=36
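
As an added example (not the author's code), here is how the stamps in those ntpd messages and in the file names can be checked from the leap-seconds file itself: the file records its last-update and expiry times as NTP seconds since 1900, the data entries give the TAI-UTC offset from each leap second on, and a small check like ntpd's can flag a file that is about to expire. The file excerpt is constructed for this example with the stamps behind the 2015-01-06 messages; the 28-day warning window is an assumption chosen here.

```python
from datetime import datetime, timedelta, timezone

NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)

# Constructed excerpt in the layout of the leap-seconds.list file ntpd reads:
# '#$' carries the last-update stamp and '#@' the expiry stamp, data lines are
# "<NTP seconds> <TAI-UTC>", all counted from 1900. The stamps are the ones
# behind the file name and the expire= value ntpd logged on 2015-01-06; the two
# entries are the 2012 and 2015 leap seconds. The '#h' hash line of the real
# file is left out of this excerpt.
LEAP_FILE = """\
#	Updated through IERS Bulletin C49
#$	3629404800
#@	3660249600
3550089600	35	# 1 Jul 2012
3644697600	36	# 1 Jul 2015
"""


def ntp_to_datetime(ntp_seconds):
    """NTP seconds (since 1900) to an aware UTC datetime."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ntp_seconds - NTP_UNIX_OFFSET)


def utc(text):
    """Parse '2015-07-01T00:00:00Z' style timestamps into aware UTC datetimes."""
    return datetime.strptime(text, '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)


def stamp(dt):
    """Format like ntpd's log lines, e.g. 2015-12-28T00:00Z."""
    return dt.strftime('%Y-%m-%dT%H:%MZ')


def parse_leap_file(text):
    """Return {'updated': datetime, 'expires': datetime, 'leaps': [(start, TAI-UTC), ...]}."""
    info = {'updated': None, 'expires': None, 'leaps': []}
    for line in text.splitlines():
        if line.startswith('#$'):
            info['updated'] = ntp_to_datetime(int(line[2:].split()[0]))
        elif line.startswith('#@'):
            info['expires'] = ntp_to_datetime(int(line[2:].split()[0]))
        elif line.startswith('#') or not line.strip():
            continue  # ordinary comments and blank lines
        else:
            fields = line.split()
            info['leaps'].append((ntp_to_datetime(int(fields[0])), int(fields[1])))
    info['leaps'].sort()
    return info


def tai_offset_at(info, when):
    """TAI-UTC in effect at `when`; None if `when` predates every entry in the file."""
    offset = None
    for start, value in info['leaps']:
        if start <= when:
            offset = value
    return offset


def expiry_status(info, now, warn_days=28):
    """'expired', 'expiring' (within warn_days; the window is an assumption here) or 'ok'."""
    remaining = (info['expires'] - now).days
    if remaining < 0:
        return 'expired'
    if remaining <= warn_days:
        return 'expiring'
    return 'ok'


if __name__ == '__main__':
    info = parse_leap_file(LEAP_FILE)
    print('updated', stamp(info['updated']), 'expires', stamp(info['expires']))
    for start, value in info['leaps']:
        print('from', stamp(start), 'TAI-UTC =', value)
    print('status on 2015-01-06:', expiry_status(info, utc('2015-01-06T10:14:17Z')))
```

Run it against the real file by replacing LEAP_FILE with the contents of /etc/ntp/leap-seconds.* ; the 'last=' value ntpd logs is the start of the newest entry, and 'ofs=' is the offset in effect on the day the file was loaded.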

2014-12-11 IPv6 breaking without default router
Interesting type of IPv6 breakage currently at the Surf office:
Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : eduroamers.nl
   IPv6 Address. . . . . . . . . . . : 2001:610:188:431:9d25:9938:408e:6714
   Temporary IPv6 Address. . . . . . : 2001:610:188:431:2c5e:681:fda1:702
   Link-local IPv6 Address . . . . . : fe80::9d25:9938:408e:6714%11
   IPv4 Address. . . . . . . . . . . : 145.96.1.57
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Default Gateway . . . . . . . . . : 145.96.0.1
What's missing here? A default gateway for IPv6, which breaks any external IPv6 connectivity. And I like having external IPv6 connectivity, for example for logging in to systems at home. The solution is simple:
C:\>ipconfig /renew6

Windows IP Configuration

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : eduroamers.nl
   IPv6 Address. . . . . . . . . . . : 2001:610:188:431:9d25:9938:408e:6714
   Temporary IPv6 Address. . . . . . : 2001:610:188:431:2c5e:681:fda1:702
   Link-local IPv6 Address . . . . . : fe80::9d25:9938:408e:6714%11
   IPv4 Address. . . . . . . . . . . : 145.96.1.57
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Default Gateway . . . . . . . . . : fe80::222:dff:fe84:8800%11
                                       145.96.0.1
I wonder how this happens.

Update 2014-12-15: I got in touch with someone at SURFnet who suggested the best course of action: see if this problem persists after the upcoming move of the SURFnet offices.

Update 2015-06-03: And now the IPv6 over the wireless network at the Surfnet offices is fixed.
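
As an added example, not from the original post: a check that parses ipconfig output like the above and flags any adapter that holds a global IPv6 address but has no IPv6 default gateway, which is exactly the condition shown before the renew. Python is used for the parsing; the two outputs embedded below are the ones shown above.

```python
import re
import ipaddress

# The two ipconfig outputs from the post: before the renew (no IPv6 gateway) and after.
BEFORE = """\
Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : eduroamers.nl
   IPv6 Address. . . . . . . . . . . : 2001:610:188:431:9d25:9938:408e:6714
   Temporary IPv6 Address. . . . . . : 2001:610:188:431:2c5e:681:fda1:702
   Link-local IPv6 Address . . . . . : fe80::9d25:9938:408e:6714%11
   IPv4 Address. . . . . . . . . . . : 145.96.1.57
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Default Gateway . . . . . . . . . : 145.96.0.1
"""

AFTER = """\
Windows IP Configuration

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : eduroamers.nl
   IPv6 Address. . . . . . . . . . . : 2001:610:188:431:9d25:9938:408e:6714
   Temporary IPv6 Address. . . . . . : 2001:610:188:431:2c5e:681:fda1:702
   Link-local IPv6 Address . . . . . : fe80::9d25:9938:408e:6714%11
   IPv4 Address. . . . . . . . . . . : 145.96.1.57
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Default Gateway . . . . . . . . . : fe80::222:dff:fe84:8800%11
                                       145.96.0.1
"""

# "   Key . . . : value"; a multi-valued field continues on indented lines without a key
FIELD_RE = re.compile(r'^   ([A-Za-z][A-Za-z0-9 \-]*?)[ .]*: ?(.*)$')


def parse_ipconfig(text):
    """Map adapter name -> {field name: [values]}; adapter headers are unindented lines ending in ':'."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(' ') and line.endswith(':'):
            current, last_key = line[:-1], None
            adapters[current] = {}
        elif current is None:
            continue  # banner text before the first adapter
        else:
            m = FIELD_RE.match(line)
            if m:
                last_key = m.group(1).strip()
                adapters[current].setdefault(last_key, [])
                if m.group(2).strip():
                    adapters[current][last_key].append(m.group(2).strip())
            elif last_key is not None and line.startswith(' '):
                adapters[current][last_key].append(line.strip())  # continuation value
    return adapters


def _ip(value):
    """Parse an address, dropping a Windows zone index such as '%11'."""
    return ipaddress.ip_address(value.split('%')[0])


def missing_ipv6_gateway(adapters):
    """Adapters with a global IPv6 address but no IPv6 default gateway: the state
    in which external IPv6 silently fails while IPv4 keeps working."""
    broken = []
    for name, fields in adapters.items():
        addrs = [_ip(a) for a in fields.get('IPv6 Address', []) + fields.get('Temporary IPv6 Address', [])]
        gateways = [_ip(g) for g in fields.get('Default Gateway', [])]
        has_global_v6 = any(a.version == 6 and a.is_global for a in addrs)
        has_v6_gateway = any(g.version == 6 for g in gateways)
        if has_global_v6 and not has_v6_gateway:
            broken.append(name)
    return broken


if __name__ == '__main__':
    print('before renew:', missing_ipv6_gateway(parse_ipconfig(BEFORE)))
    print('after renew: ', missing_ipv6_gateway(parse_ipconfig(AFTER)))
```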

2014-11-03 Fun with network connection managers
I tried NetworkManager again because wicd was showing downsides, such as:
  • Not dealing correctly with the laptop being resumed with the ethernet cable attached: it doesn't run DHCP on the wired LAN, which makes services that only have IPv4 addresses unreachable. Took a while to understand that one, for obvious reasons.
  • Making the wired network interface flap between connected and disconnected state when a network cable is inserted after boot. Solution: restart wicd first.
I tried NetworkManager again, which I kicked out ages ago because it fully depended on a Gnome desktop, which I don't run. But now it has nm-connection-editor and nmcli, which should make things less impossible. But after testing I found out NetworkManager is even worse for me than wicd.

2014-09-22 (#)
So work made a laptop with the standard Windows 7 software image available to me, and I noticed when I took it home that it doesn't do any IPv6, which is not what I want. Some searching found How to disable IPv6 or its components in Windows - Microsoft Support, which has the right answers and which the people creating this software image evidently used. I changed the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents registry key to 0x01 so I don't get the ISATAP/Teredo tunnels.

Interesting remark in that support article:
We do not recommend that you disable IPv6 or its components, or some Windows components may not function. Additionally, system startup will be delayed for 5 seconds if IPv6 is disabled.
I guess I'll have to find another way to disable the ISATAP/Teredo tunnels to make the system boot faster. I want IPv6 to work when it's available natively, or not at all. Some aspects of the work network make things slow when tunneling protocols are tried, which is probably the reason for disabling it in the first place.

Update 2014-10-01: It seems this setting gets reset somehow: I am at the Surfnet Relatiedagen 2014 and just noticed the laptop has no IPv6 on the network here, which surprised me. But a check of the settings showed no IPv6 addresses at all, not even link-local. A check on my Android phone shows globally routable IPv6 addresses.

2014-09-05 (#)
Oh, and another interesting thing about the new TP-Link TL-WDR4300: it does IPv6. If I read the docs correctly it can do DHCPv6 with prefix delegation, or tunnels. It even gives itself an IPv6 address on the LAN side when that side has router advertisements. But ...
$ telnet -6 ap 80
Trying 2001:980:14ca:2:ea94:f6ff:fe91:21b3...
telnet: Unable to connect to remote host: Connection refused
the web interface isn't available via IPv6. Nothing on the device is reachable via IPv6 according to nmap.

2014-08-04 IPv6 visitor stats 2014
Time to count IPv6 visitor percentage to different websites again:
Site                                                      July 2009  July 2010  July 2011  July 2012  July 2014
http://idefix.net/ (my homepage)                                 1%         2%         2%         3%         4%
http://netwerk.pcgg.nl/ (hcc!pcgg netwerkgroep)                  2%         2%         2%         3%         1%
http://weather.idefix.net/ (weather maps)                      < 1%         5%         6%         7%         6%
http://webcam.idefix.net/ (the webcam)                         < 1%         1%       < 1%         2%         2%
http://www.virtualbookcase.com/ (The Virtual Bookcase)         < 1%         1%         1%         4%        87%
http://www.camp-wireless.org/ (Camp Wireless)                  < 1%         1%         1%         3%        70%
Rows with fewer values than columns, as listed:
http://bbs.idefix.net/ (BBS files)                               1% 1% 1% 3%
http://weatherstation.idefix.net/ (Weather station Utrecht Overvecht)   1%
Interesting numbers. Results for The Virtual Bookcase and Camp Wireless are totally skewed thanks to some IPv6 bot constantly checking the site from constantly changing IPv6 addresses, but without privacy extensions enabled.

Method: unique IPv6 addresses seen in the whole month / total unique addresses seen in the whole month.
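
An added example, not from the original posts, covering both the probe pattern from the 2015-03-27 item (curl requests for / only, from ever-changing addresses) and the counting method above over the same log: it parses Apache combined-format lines, counts per-address probe requests, and computes the share of unique IPv6 addresses with and without the probing addresses, which is where a skew like the 87% and 70% comes from. Apart from the two lines quoted in the 2015-03-27 post, the log lines are constructed, using documentation-range addresses.

```python
import re
import ipaddress
from collections import Counter

# Constructed Apache combined-format access log. The first two lines are the
# ones quoted in the post; the rest are made up for this example with
# documentation-range addresses (192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32).
SAMPLE_LOG = """\
2620:108:700f::36bc:aade - - [27/Mar/2015:13:27:11 +0100] "GET / HTTP/1.1" 302 298 "-" "curl/7.36.0"
2406:da00:ff00::36e2:d963 - - [27/Mar/2015:13:27:38 +0100] "GET / HTTP/1.1" 302 298 "-" "curl/7.36.0"
2620:108:700f::36bc:aade - - [27/Mar/2015:13:29:02 +0100] "GET / HTTP/1.1" 302 298 "-" "curl/7.36.0"
192.0.2.10 - - [27/Mar/2015:13:30:00 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
2001:db8::1 - - [27/Mar/2015:13:31:00 +0100] "GET /books/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Mar/2015:13:32:00 +0100] "GET / HTTP/1.1" 200 5120 "-" "curl/7.36.0"
"""

# One combined-format line: client ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry['ip'] = ipaddress.ip_address(entry['addr'])
        entries.append(entry)
    return entries


def probe_sources(entries, agent_prefix='curl/', path='/'):
    """Requests per client address that fetch only `path` with a curl-like user agent."""
    counts = Counter()
    for e in entries:
        parts = e['request'].split(' ')
        if len(parts) >= 2 and parts[1] == path and e['agent'].startswith(agent_prefix):
            counts[str(e['ip'])] += 1
    return counts


def probe_summary(counts):
    """(number of distinct probing addresses, most requests seen from any one of them)."""
    if not counts:
        return (0, 0)
    return (len(counts), max(counts.values()))


def ipv6_share(entries, exclude=frozenset()):
    """Unique IPv6 addresses / all unique client addresses (the post's method),
    optionally leaving out a set of addresses such as the probing ones."""
    unique = {e['ip'] for e in entries if str(e['ip']) not in exclude}
    if not unique:
        return 0.0
    return sum(1 for ip in unique if ip.version == 6) / len(unique)


if __name__ == '__main__':
    entries = parse_log(SAMPLE_LOG)
    probes = probe_sources(entries)
    print('probing addresses (count, max requests from one):', probe_summary(probes))
    print('IPv6 share, all clients:     %.0f%%' % (100 * ipv6_share(entries)))
    print('IPv6 share, probes excluded: %.0f%%' % (100 * ipv6_share(entries, exclude=set(probes))))
```

Feeding a month of access logs through parse_log() and comparing the two ipv6_share() values shows how much of an IPv6 percentage is the bot rather than visitors.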

2014-06-03 (#)
After some hiccups in the connection to the outside world a few months ago, I was not happy that the internal IPv6 routing then broke as well. That turned out to be because wide-dhcpv6-client, when it can no longer obtain addresses via prefix delegation, also withdraws them from the delegated interfaces. The routes to the subnets at home then disappear and I can no longer work with the clients there. But I also want to use IPv6 when the connection to the outside world is gone.

The solution I came up with was to still request a prefix, but no longer have wide-dhcpv6-client configure the interfaces and simply configure them statically instead. From /etc/wide-dhcpv6/dhcp6c.conf:
interface ppp0
{
        send ia-pd 0;

        script "/etc/wide-dhcpv6/dhcp6c-script";
};
id-assoc pd {
#    prefix-interface eth0.1 {
#        sla-id 1;
#    };
#    prefix-interface eth0.3 {
#        sla-id 2;
#    };
};
But then wide-dhcpv6 produces a very obscure error message:
Jun  3 09:26:18 greenblatt dhcp6c[6474]: add_options: /etc/wide-dhcpv6/dhcp6c.conf:14 IA_PD (0) is not defined
Jun  3 09:26:18 greenblatt dhcp6c[6474]: main: failed to parse configuration file
And at xs4all I no longer get IPv6 at all if I don't request it with prefix delegation. That went well for a very long time, but with the latest updates to their access routers it really went wrong and I was suddenly without IPv6. I adjusted the configuration and now assign them again. Something really has to be done with the delegated prefix for wide-dhcpv6-client to request one.

2014-04-15 (#)
Modern times, attacks on hosts via both IPv4 and IPv6:
Apr 15 15:23:56 greenblatt kernel: [4741660.011622] FW reject: IN=ppp0 OUT= MAC= SRC=175.44.9.137 DST=xx.xx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=6517 DF PROTO=TCP SPT=49363 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 15 15:23:57 greenblatt kernel: [4741660.370701] FW reject: IN=ppp0 OUT= MAC= SRC=175.44.9.137 DST=xx.xx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=8371 DF PROTO=TCP SPT=49363 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 15 15:23:58 greenblatt kernel: [4741660.768693] FW reject: IN=ppp0 OUT= MAC= SRC=175.44.9.137 DST=xx.xx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=10428 DF PROTO=TCP SPT=49363 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 15 15:23:58 greenblatt kernel: [4741660.924225] FW reject: IN=ppp0 OUT= MAC= SRC=2002:af2c:0989:0000:0000:0000:af2c:0989 DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=68 TC=0 HOPLIMIT=120 FLOWLBL=0 PROTO=TCP SPT=50764 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 15 15:24:01 greenblatt kernel: [4741662.117101] FW reject: IN=ppp0 OUT= MAC= SRC=2002:af2c:0989:0000:0000:0000:af2c:0989 DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=68 TC=0 HOPLIMIT=120 FLOWLBL=0 PROTO=TCP SPT=50764 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 15 15:24:07 greenblatt kernel: [4741664.510439] FW reject: IN=ppp0 OUT= MAC= SRC=2002:af2c:0989:0000:0000:0000:af2c:0989 DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=68 TC=0 HOPLIMIT=120 FLOWLBL=0 PROTO=TCP SPT=50764 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Same source via IPv4 and via 6to4 IPv6: the 6to4 address 2002:af2c:0989:: embeds the IPv4 address 175.44.9.137 (0xaf2c0989).

2014-03-12 (#)
A useful tip from Miquel van Smoorenburg of xs4all came by:
For IPv6 no MSS clamping is needed if you have radvd advertise an MTU of 1492 on your LAN. That is also what the Fritzbox does, and as far as I know all OSes handle that correctly.
So in radvd.conf:
interface eth0.1
{
    AdvSendAdvert on;
    AdvHomeAgentFlag off;
    AdvLinkMTU 1492;
    prefix ::/64 {
        AdvOnLink on;
        AdvAutonomous on;
        AdvPreferredLifetime 604800;
        AdvValidLifetime 2592000;
    };
};

2014-03-01 Netgear GS716Tv2 switch and IPv6 management
Sharing my earlier experiences with the hidden telnet interface on the Netgear GS716T switch was appreciated by someone else with a Netgear GS110TP switch: "Hidden" CLI interface on Netgear GS110TP. So I guess this is a feature on multiple Netgear switches.

And that article made me look at the firmware version, and I found in the release notes for the newer version:
New Features:
* Add IPv6 management, IPv6 ACL, and IPv6 DiffServ support.
I like that feature a lot! And indeed, after the upgrade and setting the IPv6 management address:

2013-10-06 (#)
IPv6 is growing up: I'm seeing a portscan in my logs from an IPv6 address!
SRC=2001:0da8:0001:fffe:0000:0000:0000:0108 DST=2001:0980:14ca:0042:0000:0000:0000:0018 LEN=64 TC=0 HOPLIMIT=242 FLOWLBL=0 PROTO=TCP SPT=52537 DPT=110 WINDOW=1024 RES=0x00 SYN URGP=0
SRC=2001:0da8:0001:fffe:0000:0000:0000:0108 DST=2001:0980:14ca:0042:0000:0000:0000:0018 LEN=64 TC=0 HOPLIMIT=242 FLOWLBL=0 PROTO=TCP SPT=52537 DPT=135 WINDOW=1024 RES=0x00 SYN URGP=0
SRC=2001:0da8:0001:fffe:0000:0000:0000:0108 DST=2001:0980:14ca:0042:0000:0000:0000:0018 LEN=348 TC=0 HOPLIMIT=38 FLOWLBL=74565 PROTO=UDP SPT=57528 DPT=40408 LEN=308
sshd[5410]: Did not receive identification string from 2001:da8:1:fffe::108
Interesting source address:
inet6num:       2001:0DA8:0000::/40
netname:        CER2BKB6-CERNET2
descr:          ~{9z<RMxBgVPPD~}
descr:          CERNET2 Backbone Connection and Test Block
descr:          Beijing 100084, China
The scans were limited to 2 IPv6 addresses related to published services.
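
An added example, not part of either post, that reads netfilter log lines like the two sets above, maps a 6to4 source in 2002::/16 back to the IPv4 address embedded in it (2002:af2c:0989:: carries 175.44.9.137), and groups hits by that effective source, so that the IPv4 and 6to4 attempts from one machine (the 2014-04-15 item) appear together and a source touching many destination ports (this item) stands out as a scan. The sample lines are taken from the two posts, destinations masked as on the page; the threshold of three distinct ports is an arbitrary choice for the example.

```python
import re
import ipaddress
from collections import defaultdict

# Netfilter log lines quoted in the 2014-04-15 and 2013-10-06 posts (the second
# set has no syslog prefix, as on the page). Only SRC, PROTO and DPT are used.
FW_LOG = """\
Apr 15 15:23:56 greenblatt kernel: [4741660.011622] FW reject: IN=ppp0 OUT= MAC= SRC=175.44.9.137 DST=xx.xx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=6517 DF PROTO=TCP SPT=49363 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 15 15:23:57 greenblatt kernel: [4741660.370701] FW reject: IN=ppp0 OUT= MAC= SRC=175.44.9.137 DST=xx.xx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=8371 DF PROTO=TCP SPT=49363 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 15 15:23:58 greenblatt kernel: [4741660.924225] FW reject: IN=ppp0 OUT= MAC= SRC=2002:af2c:0989:0000:0000:0000:af2c:0989 DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=68 TC=0 HOPLIMIT=120 FLOWLBL=0 PROTO=TCP SPT=50764 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 15 15:24:01 greenblatt kernel: [4741662.117101] FW reject: IN=ppp0 OUT= MAC= SRC=2002:af2c:0989:0000:0000:0000:af2c:0989 DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=68 TC=0 HOPLIMIT=120 FLOWLBL=0 PROTO=TCP SPT=50764 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
SRC=2001:0da8:0001:fffe:0000:0000:0000:0108 DST=2001:0980:14ca:0042:0000:0000:0000:0018 LEN=64 TC=0 HOPLIMIT=242 FLOWLBL=0 PROTO=TCP SPT=52537 DPT=110 WINDOW=1024 RES=0x00 SYN URGP=0
SRC=2001:0da8:0001:fffe:0000:0000:0000:0108 DST=2001:0980:14ca:0042:0000:0000:0000:0018 LEN=64 TC=0 HOPLIMIT=242 FLOWLBL=0 PROTO=TCP SPT=52537 DPT=135 WINDOW=1024 RES=0x00 SYN URGP=0
SRC=2001:0da8:0001:fffe:0000:0000:0000:0108 DST=2001:0980:14ca:0042:0000:0000:0000:0018 LEN=348 TC=0 HOPLIMIT=38 FLOWLBL=74565 PROTO=UDP SPT=57528 DPT=40408 LEN=308
"""

KV_RE = re.compile(r'(\w+)=(\S*)')


def parse_line(line):
    """KEY=VALUE pairs of a netfilter log line; a repeated key (the UDP LEN) keeps the last value."""
    return dict(KV_RE.findall(line))


def effective_source(addr):
    """(address to group on, how it arrived). A 6to4 source in 2002::/16 carries
    the sender's IPv4 address in bits 16-47; grouping on that address joins the
    IPv4 and 6to4 hits coming from the same machine."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ip), 'IPv4'
    if ip.sixtofour is not None:
        return str(ip.sixtofour), '6to4'
    return str(ip), 'IPv6'


def group_by_source(text):
    """Per effective source: number of hits, the paths it used, and the (proto, port) pairs it tried."""
    groups = defaultdict(lambda: {'hits': 0, 'via': set(), 'ports': set()})
    for line in text.splitlines():
        fields = parse_line(line)
        if 'SRC' not in fields or 'DPT' not in fields:
            continue
        src, via = effective_source(fields['SRC'])
        g = groups[src]
        g['hits'] += 1
        g['via'].add(via)
        g['ports'].add((fields.get('PROTO', '?'), int(fields['DPT'])))
    return dict(groups)


def suspected_scans(groups, min_ports=3):
    """Sources that touched at least min_ports distinct (protocol, port) pairs (threshold chosen here)."""
    return sorted(src for src, g in groups.items() if len(g['ports']) >= min_ports)


if __name__ == '__main__':
    groups = group_by_source(FW_LOG)
    for src, g in groups.items():
        print(src, g['hits'], 'hits via', sorted(g['via']), 'ports', sorted(g['ports']))
    print('suspected scans:', suspected_scans(groups))
```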

2013-08-20 (#)
Correctly firewalling IPv6 was a bit of a search for me, but I think I managed it. There is an apparent contradiction: filtering too much ipv6-icmp will break things, and allowing too much of it will allow a neighbour cache overflow attack. In the end I settled on allowing ipv6-icmp in the ip6tables INPUT chain but not in the FORWARD chain. Both chains do have a rule for ESTABLISHED,RELATED traffic. All this is for the external interface(s); internal interfaces are trusted.

I tested this with nmap from an external IPv6-enabled host and found out there is no way to input IPv6 address ranges, so to scan a number of addresses I had to type them all in full.

2013-08-16 (#)
More easy fun with the rtl-sdr stick: receiving and decoding Automatic Dependent Surveillance-Broadcast (ADS-B) data from airplanes. Airplanes above a certain size regularly broadcast their location/altitude/speed in a data format which other airplanes can receive and use in collision-avoidance systems.

I used no special antenna, just the 'tv antenna' that came with the dvb-t stick. The dump1090 application, which can receive, decode and present the ADS-B data, includes a webserver which shows the results on Google Maps. Results with pictures: success in decoding ads-b data using an rtl-sdr stick, the added TV antenna and the dump1090 software - Koos van den Hout on google+. Only downside that needs fixing: the included TCP networking code is IPv4-only.

Update: A bit of searching finds IPV6 support by proller · Pull Request #25 · antirez/dump1090 which fixes the lack of ipv6 support.

2013-05-29 (#)
I checked for updates of NDPMon, an IPv6 neighbour discovery protocol monitor, and noticed I was way behind the current times. I also found out it can now monitor multiple network interfaces in one instance of the program, so I can keep an eye on both the wired and wireless networks at home.

Do take the advice of using the 'learning' mode of NDPMon as mentioned in the NDPMon documentation. It makes getting the entire router advertisement correctly into the datafile so much easier. Downside: you have to run it at a quiet time, and again after each IPv6 network reconfiguration.

It would also be nice if NDPMon would report on which interface certain traffic was seen.

Update: Ok, NDPMon still manages to warn about a router configuration it has learned itself. I found a remark in the NDPMon documentation/configuration page:
Under the tag addresses are listed the IPv6 global addresses of the router. This is not required for the tool to work properly, but can be useful if the router sends NA messages for its global addresses (to avoid raising NA router flag alerts).
So I added the global IPv6 addresses of the routers, let's see if this decreases the noise.

2013-05-13 (#)
IPv6 is in more and more places, and when Henk van de Kamer asked me to make a change to make IPv4 zone transfers possible again, I replied that besides IPv4 I also wanted to allow IPv6 transfers for pcgg.nl. Configured that way, and now it works, and the result shows: pcgg.nl on the ip6.nl readiness tester: 5 stars. Mail and web services for this domain are fully reachable via both IPv6 and IPv4.

2012-12-21 (#)
The posting Completely different: BIND 10 - Jan-Piet Mens triggered me to have a look at my resolver/authoritative setup at home. I was running only bind 9, both as authoritative server for several zones and as resolver for home systems, but I decided to test a setup with those functions split. For fun I tried it with recursion in pdns-recursor, part of PowerDNS, while keeping bind9 for the authoritative server. I had to select the right IPv6 and IPv4 addresses for the authoritative and resolving servers. I do have enough addresses at home thanks to IPv6 and IPv4-with-NAT to do this, but I have to select the right ones. The server at home is known as ns2.idefix.net, so the choice of addresses for the authoritative server is easy. So the relevant part of the bind9 configuration in named.conf:
    listen-on-v6 {
        2001:980:14ca:42::694; # auth ext
    };
    listen-on {
        82.95.196.202; # auth ext
    };
And the pdns-recursor in recursor.conf is set up like:
# local-address IP addresses to listen on, separated by spaces or commas
#
local-address=127.0.0.1,2001:980:14ca:42::18,10.42.2.1,::1
It took a bit of pondering which process got to listen on the v4/v6 localhost address, but I think the resolver is the best candidate. The resolver advertised in radvd.conf has been adjusted.

The next thing to set up was a certain set of zones that the recursor can't find on the Internet, so they need to be asked directly from the authoritative bind9 server. I configured this in recursor.conf like:
forward-zones=koos.koffie.dot=82.95.196.202,10.in-addr.arpa=82.95.196.202,a.c.4.1.0.8.9.0.1.0.0.2.ip6.arpa=82.95.196.202
I tried this with the IPv6 addresses of the authoritative server, but that makes pdns-recursor not answer at all, so I reverted to IPv4 for the moment until I understand what is going wrong and why. Testing this makes pdns-recursor hang for other queries too, so for full debugging I need to test this in a way that doesn't affect the rest of my home network. From the command line the requests work over both IPv6 and IPv4. Enabling query logging in bind9 doesn't show those requests coming in.

Update: If I read things correctly, forward-zones with IPv6 support only came in powerdns-recursor 3.2, and Ubuntu 8.04 comes with pdns-recursor 3.1.4. Switching to pdns-recursor from hardy-backports upgrades to 3.3-2~hardy1 and forward-zones starts working over IPv6. Less legacy IP, more IPv6!
forward-zones=koos.koffie.dot=2001:980:14ca:42::694,10.in-addr.arpa=2001:980:14ca:42::694,a.c.4.1.0.8.9.0.1.0.0.2.ip6.arpa=2001:980:14ca:42::694
And it works.

2012-11-30 (#)
I mailed nos.nl about Android security but the mail got delayed:
   ----- Transcript of session follows -----
... while talking to mx0.mail.omroep.nl.:
>>> DATA
<<< 450 4.7.1 Client host rejected: cannot find your hostname, [2001:980:14ca:61::13]
<publieksreacties at nos.nl>... Deferred: 450 4.7.1 Client host rejected: cannot find your hostname, [2001:980:14ca:61::13]
<<< 554 5.5.1 Error: no valid recipients
So bonus points for the publieke omroepen for implementing IPv6, and minus several points for xs4all for still not offering IPv6 reverse DNS.

So I rerouted the mail via the xs4all mailservers.
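
As an added example, not from the original post: the check that mx0.mail.omroep.nl applied, forward-confirmed reverse DNS, written out against constructed DNS data so it runs offline. It builds the ip6.arpa name for an address (the same nibble-reversed form as the a.c.4.1.0.8.9.0.1.0.0.2.ip6.arpa zone in the 2012-12-21 item), looks up a PTR, and confirms that the name resolves back to the address. The example.org names and 2001:db8:: addresses are invented; 2001:980:14ca:61::13 has no PTR in this data, as it had none at the time of the bounce.

```python
import ipaddress


def reverse_name(addr):
    """The PTR owner name for an address: nibble-reversed under ip6.arpa for IPv6,
    octet-reversed under in-addr.arpa for IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        nibbles = ip.exploded.replace(':', '')   # 32 hex digits, leading zeros kept
        return '.'.join(reversed(nibbles)) + '.ip6.arpa'
    return '.'.join(reversed(str(ip).split('.'))) + '.in-addr.arpa'


# Constructed DNS data standing in for real lookups, so this runs offline.
# 2001:980:14ca:61::13 (the sending address in the bounce) has no PTR here;
# the example.org names and the 2001:db8:: / 192.0.2.0 addresses are invented.
PTR_RECORDS = {
    reverse_name('2001:db8::25'): ['mx.example.org'],
    reverse_name('2001:db8::99'): ['mx.example.org'],   # PTR points at a name that does not map back
}
FORWARD_RECORDS = {
    'mx.example.org': ['2001:db8::25', '192.0.2.25'],
}


def fcrdns(addr, ptr_lookup, forward_lookup):
    """Forward-confirmed reverse DNS as a receiving mail server applies it:
    'no-ptr'   - no PTR at all (what the 450 4.7.1 'cannot find your hostname' reply means),
    'mismatch' - the PTR name exists but does not resolve back to the address,
    'ok'       - the name resolves to the connecting address.
    ptr_lookup and forward_lookup are callables so real resolvers can be plugged in."""
    names = ptr_lookup(reverse_name(addr))
    if not names:
        return 'no-ptr'
    ip = ipaddress.ip_address(addr)
    for name in names:
        if ip in {ipaddress.ip_address(a) for a in forward_lookup(name)}:
            return 'ok'
    return 'mismatch'


def check_sample(addr):
    """Run fcrdns() against the constructed records above."""
    return fcrdns(addr,
                  lambda owner: PTR_RECORDS.get(owner, []),
                  lambda host: FORWARD_RECORDS.get(host, []))


if __name__ == '__main__':
    for a in ('2001:980:14ca:61::13', '2001:db8::25', '2001:db8::99'):
        print(a, reverse_name(a), check_sample(a))
```

With a real resolver the two callables become PTR and AAAA/A queries; the missing-PTR case is the one xs4all's lack of IPv6 reverse DNS produced.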

Koos van den Hout, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred.
PGP key 5BA9 368B E6F3 34E4 (0x5BA9368BE6F334E4).