Egypt is back

Nice to see my family online again!!

> sh ip bgp  41.232.88.0/21
BGP routing table entry for 41.232.88.0/21
Paths: (3 available, best #1, table Default-IP-Routing-Table)
  Advertised to non peer-group peers:
  67.43.129.241
  174 3356 8452, (aggregated by 8452 163.121.170.97)
    38.104.158.77 from 38.104.158.77 (66.28.1.208)
      Origin IGP, metric 12012, localpref 100, weight 112, valid, external, atomic-aggregate, best
      Community: 174:21000 174:22013
      Last update: Wed Feb  2 04:43:00 2011

  6453 3356 8452, (aggregated by 8452 163.121.170.97)
    205.211.165.121 (metric 1) from 205.211.165.121 (67.43.129.244)
      Origin IGP, localpref 100, weight 110, valid, internal, atomic-aggregate
      Last update: Wed Feb  2 04:42:47 2011

  6453 3356 8452, (aggregated by 8452 163.121.170.97)
    67.43.129.244 (metric 1) from 67.43.129.244 (67.43.129.244)
      Origin IGP, localpref 100, weight 111, valid, internal, atomic-aggregate
      Last update: Wed Feb  2 04:42:47 2011

>
Posted in bgp

Novatel MC547 on FreeBSD 8.2

Not really an IPv6 posting, but I am curious how fast this will appear in Google. (I will file a formal PR later.) But for users of the Novatel MC547 3G stick from Bell Canada, a few changes need to be made to the FreeBSD source code in order to get it to work.

diff  -u usbdevs.orig usbdevs
--- usbdevs.orig        2011-01-17 10:30:36.000000000 -0500
+++ usbdevs     2011-01-17 11:33:06.000000000 -0500
@@ -2388,6 +2388,7 @@
 product NOVATEL ZEROCD2                0x5030  Novatel ZeroCD
 product NOVATEL U727_2         0x5100  Merlin U727 CDMA
 product NOVATEL U760           0x6000  Novatel U760
+product NOVATEL MC547          0x7042  Novatel MC547
 product NOVATEL MC760          0x6002  Novatel MC760
 product NOVATEL2 FLEXPACKGPS   0x0100  NovAtel FlexPack GPS receiver
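Review bot: the new MC547 entry breaks the ascending product-id order of this block: it carries 0x7042 but is inserted between U760 (0x6000) and MC760 (0x6002). Move it below the highest existing NOVATEL id so the table stays sorted and later additions land in the right place.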

--- u3g.c       2010-12-02 21:34:53.000000000 -0500
+++ /tmp/u3g.c  2011-01-18 13:48:23.000000000 -0500
@@ -65,7 +65,7 @@
#include

#ifdef USB_DEBUG
-static int u3g_debug = 0;
+static int u3g_debug = 1;

SYSCTL_NODE(_hw_usb, OID_AUTO, u3g, CTLFLAG_RW, 0, "USB 3g");
SYSCTL_INT(_hw_usb_u3g, OID_AUTO, debug, CTLFLAG_RW,
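Review bot: flipping the u3g_debug default from 0 to 1 is a local debugging aid, not part of the device support, and would make every u3g kernel log verbosely by default. Drop this hunk from the PR and set the sysctl declared right below it (hw.usb.u3g.debug) at runtime instead.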
@@ -302,6 +302,7 @@
U3G_DEV(NOVATEL, EU730, 0),
U3G_DEV(NOVATEL, EU740, 0),
U3G_DEV(NOVATEL, EU870D, 0),
+       U3G_DEV(NOVATEL, MC547, 0),
U3G_DEV(NOVATEL, MC760, 0),
U3G_DEV(NOVATEL, MC950D, 0),
U3G_DEV(NOVATEL, U720, 0),
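Review bot: the third U3G_DEV argument (the init-method flag) is 0 here, yet the text below says a manual camcontrol eject is needed in some cases to get the stick into modem mode. If the device enumerates as a storage device first, check whether the eject init flag the driver already offers for such entries should be used instead of 0 so the mode switch happens automatically; also note this line only compiles once the usbdevs hunk above has been applied and the generated header regenerated.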

camcontrol eject pass0 will, in some cases, put it into the correct modem mode after that. For the APN, I used pda.bell.ca, and the following ppp.conf seems to work just fine on FreeBSD 8.x:

bpppgprs:
set device /dev/cuaU5.0
set speed 921600
set timeout 0
set authname wapuser1
set authkey wap
set dial "ABORT BUSY TIMEOUT 2 \
\"\" \
AT OK-AT-OK \
AT+CFUN=1 OK-AT-OK \
AT+CMEE=2 OK-AT-OK \
AT+CSQ OK \
AT+CGDCONT=1,\\\"IP\\\",\\\"pda.bell.ca\\\" OK \
AT+CGACT? OK-AT-OK \
AT+CGATT? OK \
AT+CGCLASS? OK \
AT+COPS? OK \
AT&v OK \
ATD*99# CONNECT"
set crtscts on
#set mtu maximum 296
#set mru maximum 296
disable vjcomp
disable acfcomp
disable deflate
disable deflate24
disable pred1
disable protocomp
disable mppe
disable ipv6cp
disable lqr
disable echo
nat enable yes
disable dns
resolv writable
set dns 8.8.8.8
set ifaddr 10.1.0.2/0 10.1.0.1/0 255.255.255.255 0.0.0.0
#add default HISADDR          # See ppp.link*

…. PR created

http://www.freebsd.org/cgi/query-pr.cgi?pr=154127

Posted in freebsd

Missing routes

In IPv4 land, you could probably get by with a single feed and see the entire internet. Of course you would not have any redundancy, but apart from the odd spat and peering fight, you could get to everything. In v6, not so much. Of the 3 transit peers I have, the numbers range quite a bit. AS174 is missing about 20% of what AS6939 and AS6453 have. There is idle gossip on http://nanog.org as to the reasons… but there are still some 500 /32s (ignoring more specific /48s which might be reachable through the /32).

For a full list of /32 routes, see ipv6-routes-missing.txt

BTW, there is a cool tool at http://www.sixxs.net/tools/grh/compare/ which can give further information/views.
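As an added example (not from the original post), the comparison described above done over two constructed feed snapshots: a prefix from one transit feed counts as missing only if the other feed has neither it nor a covering route, and a /48 under a /32 the same feed carries is folded into that /32. The prefixes and AS paths are made up; only the AS numbers 174 and 6453 come from the post.

```python
import ipaddress

# Constructed RIB snapshots (prefix -> AS path) for two transit feeds; the
# prefixes and paths are made up for illustration, not the post's real routes.
FEEDS = {
    "AS174": {
        "3fff:100::/32": "174 6453 293",
        "3fff:200::/32": "174 3356 8452",
    },
    "AS6453": {
        "3fff:100::/32": "6453 293",
        "3fff:200::/32": "6453 3356 8452",
        "3fff:300::/32": "6453 701 668",
        "3fff:300:1::/48": "6453 701 668 64496",  # /48 under a /32 in the same feed
        "3fff:400:1::/48": "6453 13030 15716",    # /48 with no covering /32
    },
}


def _covered(net, table, exclude_self=False):
    """True if `net` equals or lies inside some prefix in `table`."""
    for p in table:
        other = ipaddress.ip_network(p)
        if other.version != net.version or (exclude_self and other == net):
            continue
        if net.subnet_of(other):
            return True
    return False


def aggregates(feed):
    """Least-specific prefixes of a feed: drop any /48 whose /32 is also present."""
    return [p for p in feed
            if not _covered(ipaddress.ip_network(p), feed, exclude_self=True)]


def missing_routes(have, lacks):
    """Aggregates reachable via feed `have` that feed `lacks` has no route for,
    counting a prefix as reachable when `lacks` carries it or a covering route."""
    missing = [p for p in aggregates(have)
               if not _covered(ipaddress.ip_network(p), lacks)]
    return sorted(missing, key=ipaddress.ip_network)


def missing_fraction(have, lacks):
    """Share of `have`'s aggregates that `lacks` cannot reach (0.0 .. 1.0)."""
    agg = aggregates(have)
    return len(missing_routes(have, lacks)) / len(agg) if agg else 0.0
```

Feeding real "show bgp ipv6" dumps in requires only building the two dicts from the prefix column; the covering-route logic is what keeps the /48 noise out of the count.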

Posted in bgp, ipv6

Countdown

Well, it sounds dire (http://www.nro.net/media/remaining-ipv4-address-below-5.html), but it will be a while before networks are forced to move to ipv6. Still, it will make for good headlines :)

I think the next phase will be various registries turning up the financial heat on existing block owners to demonstrate real and proper usage of their existing allocations first….

NetRange:       17.0.0.0 - 17.255.255.255
CIDR:           17.0.0.0/8
OriginAS:
NetName:        APPLE-WWNET
NetHandle:      NET-17-0-0-0-1
Parent:

Apple ? You really need a /8 ?  Same with HP and a few others.

Posted in ipv6

ipv6 PTR Records and Mail

Ran into a small issue with a colleague’s email getting flagged as spam. SpamAssassin didn't like the fact that his PC (which defaults to IPv6 if available) didn't have a PTR record. As Windows 7 has IPv6 privacy extensions on by default, there was no PTR record to match to an A record. Generally this was a no-no in IPv4 days, but in IPv6 days it's, err… not practical. To quote http://tools.ietf.org/html/draft-howard-isp-ip6rdns-00:

[to create a /48 worth of PTR records] If 1000 entries could be written per second, the zone would still not be complete after two quintillion years.

OK, so that's not gonna happen here…. And asking all outside mail servers to “fix” this check is not going to happen there either :( Don't really like many of the options listed in the RFC either… Dynamic DNS, hacking up DHCP6 (What happened to the benefits of SLAAC?)…. Hmmmm
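An added example (not from the post) of the check SpamAssassin was applying, forward-confirmed reverse DNS, with constructed DNS data standing in for live lookups: a static mail-server address passes, the privacy-extension workstation address has no PTR at all, and a PTR whose forward record does not match is flagged too. The is_eui64 helper spots MAC-derived interface identifiers, the stable kind a PTR can realistically be provisioned for; every name and address here is made up.

```python
import ipaddress

# Constructed DNS data standing in for live lookups (no network needed).
# Only the site's static mail server has a PTR; a workstation address with a
# random (privacy-extension) interface identifier has none.
PTR = {
    "2001:db8:0:1::17": "smtp.example.net",
    "2001:db8:0:1::18": "spoof.example.org",   # PTR with no matching AAAA
}
AAAA = {
    "smtp.example.net": ["2001:db8:0:1::17"],
}


def reverse_name(ip):
    """The ip6.arpa name a resolver queries for `ip` (nibble-reversed)."""
    return ipaddress.ip_address(ip).reverse_pointer


def fcrdns(ip, ptr=PTR, aaaa=AAAA):
    """Forward-confirmed reverse DNS, the check a spam filter applies.

    Returns (status, name): 'ok' when ip -> PTR -> AAAA maps back to ip,
    'no_ptr' when the address has no PTR at all (the privacy-extension case
    from the post), 'mismatch' when the PTR's forward record does not confirm it.
    """
    addr = str(ipaddress.ip_address(ip))  # canonical text form for lookups
    name = ptr.get(addr)
    if name is None:
        return "no_ptr", None
    forward = {str(ipaddress.ip_address(a)) for a in aaaa.get(name, [])}
    return ("ok" if addr in forward else "mismatch"), name


def is_eui64(ip):
    """True if the interface identifier is MAC-derived (ff:fe in the middle of
    the low 64 bits), i.e. a stable address a PTR could sensibly be provisioned
    for; random privacy-extension identifiers almost never look like this."""
    b = ipaddress.IPv6Address(ip).packed
    return b[11] == 0xFF and b[12] == 0xFE
```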

Posted in ipv6

Not quite naked without my NAT but feeling the draft

One of the promises of IPv6 is that it's supposed to do away with the evils of NAT! My favorite book so far on IPv6 is “IPv6 in Practice”, and he writes of one of the benefits of IPv6:

Abolition of NAT With IPv6 there is no need to connect multiple machines to the Internet using a single address and network address translation (NAT). Without NAT, end-to-end connectivity becomes available again, allowing machines to connect to each other without intermediate “broker” services, like mail exchangers/relays, web proxies, DNS forwarders or SIP gatekeepers, that are run by a service provider. At first glance this doesn’t seem like much of an advantage, but at this time its consequences are barely fathomable, making services possible that are difficult even to imagine to our NAT-conditioned minds.

Allowing… end to… end connectivity??? Good lord. I don't want unrestricted end-to-end connectivity. I want it restricted on the big bad internet. And the strawman argument that NAT is not security, which you will often see in other IPv6 discussions, is just that, a strawman. Of course NAT by itself is NOT security. But given the choice between

a) Stateful firewall between hosts and the internet
b) Stateful firewall between hosts that are RFC 1918 and the internet

I will take b).

Case in point. While setting up our office firewall to allow out IPv6 from our workstations, I had allowed all icmp6 traffic in and out by accident. BAD! Is it the end of the world? No, of course not. It would take eons for someone to scan for internal hosts with a traditional ping scan. But outbound connectivity from various internal servers will leave enough information for someone to find such hosts by other means. e.g. our internal WINS file server has a static IPv6 IP. It also punts out mail on occasion… which will be in some headers. With that in mind, someone could now send icmp6 traffic to the host. Is that a bad thing… Well, not in and of itself, but hacks rarely are. They are usually a combination of partial vulnerabilities combined together in novel ways.

Looking at my favorite OS, FreeBSD, I see the following default rules for IPv6 ipfw:

00400           0              0 deny ip from any to ::1
00500           0              0 deny ip from ::1 to any
00600           8            580 allow ipv6-icmp from :: to ff02::/16
00700      118703        8071672 allow ipv6-icmp from fe80::/10 to fe80::/10
00800        4890         507228 allow ipv6-icmp from fe80::/10 to ff02::/16
00900       21025        3182910 allow ipv6-icmp from any to any ip6 icmp6types 1
01000      179147       12264112 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136

OK, so some link-local prefixes, fair enough… ICMP types 1, 2, 135 and 136. Looking at sys/netinet/icmp6.h, it looks like they are:

#define ICMP6_DST_UNREACH               1       /* dest unreachable, codes: */
#define ICMP6_PACKET_TOO_BIG            2       /* packet too big */
#define ND_NEIGHBOR_SOLICIT             135     /* neighbor solicitation */
#define ND_NEIGHBOR_ADVERT              136     /* neighbor advertisement */

Ummm, ok. I guess that makes sense. But why not:

#define ICMP6_TIME_EXCEEDED             3       /* time exceeded, code: */
#define ICMP6_PARAM_PROB                4       /* ip6 header bad */

They seem like reasonable messages you would want to allow too, no? Not a rhetorical question….
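As an added example (not from the post), an audit of an ipfw listing like the one above: it walks the ipv6-icmp rules with first-match semantics and reports which of the ICMPv6 error types that RFC 4890 says a firewall must not drop (types 1 to 4, named as in icmp6.h above) are not passed from any to any. Over the post's own rule list it flags exactly types 3 and 4; a rule with no icmp6types option, the accidental allow-everything case described above, is treated as matching every type.

```python
import re

# ipfw listing copied from the post: rule number, packets, bytes, then the rule.
IPFW_SHOW = """\
00400           0              0 deny ip from any to ::1
00500           0              0 deny ip from ::1 to any
00600           8            580 allow ipv6-icmp from :: to ff02::/16
00700      118703        8071672 allow ipv6-icmp from fe80::/10 to fe80::/10
00800        4890         507228 allow ipv6-icmp from fe80::/10 to ff02::/16
00900       21025        3182910 allow ipv6-icmp from any to any ip6 icmp6types 1
01000      179147       12264112 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
"""

# ICMPv6 error types RFC 4890 says a firewall must not drop, with the
# sys/netinet/icmp6.h names.
REQUIRED_ERRORS = {1: "ICMP6_DST_UNREACH", 2: "ICMP6_PACKET_TOO_BIG",
                   3: "ICMP6_TIME_EXCEEDED", 4: "ICMP6_PARAM_PROB"}

RULE_RE = re.compile(
    r"^\d+\s+\d+\s+\d+\s+(allow|deny)\s+ipv6-icmp\s+from\s+(\S+)\s+to\s+(\S+)(.*)$")
ALL_TYPES = set(range(256))


def allowed_icmp6_types(show_output, src="any", dst="any"):
    """ICMPv6 types allowed from `src` to `dst`, walking rules in order so an
    earlier deny wins over a later allow (ipfw first-match semantics).
    A rule without an icmp6types option matches every type."""
    allowed, denied = set(), set()
    for line in show_output.splitlines():
        m = RULE_RE.match(line)
        if not m or m.group(2) != src or m.group(3) != dst:
            continue
        opt = re.search(r"icmp6types\s+([\d,]+)", m.group(4))
        types = {int(t) for t in opt.group(1).split(",")} if opt else ALL_TYPES
        if m.group(1) == "deny":
            denied |= types
        else:
            allowed |= types - denied
    return allowed


def missing_required(show_output):
    """RFC 4890 must-not-drop types the ruleset does not pass from any to any."""
    allowed = allowed_icmp6_types(show_output)
    return {t: name for t, name in REQUIRED_ERRORS.items() if t not in allowed}
```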

Posted in freebsd, ipv6

BGP

More notes after the fact…. It was surprisingly easy actually. Started out on Torix. Most everything locally can be had via the route servers. One small annoying thing… Who the hell came up with

show ipv6 bgp sum

Whoever decided that syntax has either super long fingers, or does not type that combo of keys (v then 6) very much… Try it…. ipv6… ipv6. When you are debugging pathing issues, you have to type it a lot and it's very annoying!

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2001:478:245:1::xx
                4 yyyyy   22512   70943        0    0    0 02w1d15h        2
2001:478:245:1::xx
                4 yyyyy   26464   22514        0    0    0 02w1d15h      250
2001:478:245:1::xx
                4  yyyy  107913   23254        0    0    0 02w1d15h      141
2001:478:245:1::xx
                4  7081   67602  116045        0    0    0 02w1d15h       35
2001:478:245:1::254
                4  7081   67605  116276        0    0    0 02w1d15h       35

Total number of neighbors 6

A full view is only about 3000 routes:

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2001:5a0:1000:200::5
                4  6453   55779    7908        0    0    0 5d11h43m     3168

In terms of config, there is not a hell of a lot more than plain old BGP4:

 address-family ipv6
 network 2607:f3e0::/32
 neighbor 2001:5a0:1000:200::5 activate
 neighbor 2001:5a0:1000:200::5 remove-private-AS
 neighbor 2001:5a0:1000:200::5 soft-reconfiguration inbound
 neighbor 2001:5a0:1000:200::5 prefix-list SENTEX-INET6 out
 neighbor 2001:5a0:1000:200::5 route-map TELEGLOBE-6-OUT out

In terms of dealing with peers it was fairly straightforward. Cogent was very easy. “Hey, I want IPv6 transit”… “Sign this paper” and that was that. A week later I had the info and was ready to go. TATA (6453) was a lot more paperwork and back and forth, but once I dealt with the ipnoc folks it was easy enough as they were pretty clueful. The peers at Torix were also easy to deal with. he.net is probably the most IPv6 gung-ho org out there. They have a lot of tutorials and links aggregated into one location, which I will write about later.

Posted in bgp, freebsd, ipv6

SMTP MX

OK, added SMTP MX records as well. I don't really use the domain tancsa.com for email, but I am sure my dog will chew up some spam. 128bitorville@tancsa.com. I wonder how long before he gets some spam from the crawlers….

0# host -tmx tancsa.com
tancsa.com mail is handled by 50 offsite.sentex.ca.
tancsa.com mail is handled by 10 smtp46.sentex.ca.
0# host smtp46.sentex.ca
smtp46.sentex.ca has address 64.7.153.10
smtp46.sentex.ca has address 64.7.153.30
smtp46.sentex.ca has address 199.212.134.4
smtp46.sentex.ca has address 199.212.134.9
smtp46.sentex.ca has IPv6 address 2607:f3e0::9
smtp46.sentex.ca has IPv6 address 2607:f3e0::4
0# 
Posted in freebsd, ipv6

First Apache site

v6 Apache… Well, it was almost as easy as a restart… I added the quad-A (AAAA) record for www.tancsa.com, and it resolved as expected…. netstat -na showed:

0[vinyl4]# netstat -na | grep LISTEN | grep 80
tcp46      0      0  *.80                   *.*                    LISTEN
0[vinyl4]#

But instead it went to the default web server… Oh, of course:

 NameVirtualHost 2607:f3e0:0:1::17:80

I have been running a few servers for outbound connections. smarthost1 and smarthost2 are both IPv6 aware and are even sending out mail to a few domains that run dual stack by default:

0(smarthost1)% grep IPv6 /var/log/maillog | grep "stat=Sent" | wc
      16     303    3961
0(smarthost1)%
0(smarthost1)% grep IPv6 /var/log/maillog | grep "stat=Sent" | awk -F"=" '{printf "%s\n",$7}' | sort | uniq
box3.bevhost.com. [IPv6:2002:cb62:54cd::1], dsn
mail.acc.umu.se. [IPv6:2001:6b0:e:2018::156], dsn
mx1.email.luna.net. [IPv6:2001:9c0:1:1001::35], dsn
mx1.freebsd.org. [IPv6:2001:4f8:fff6::34], dsn
mx2.email.luna.net. [IPv6:2001:9c0:1:1002::82], dsn
p.nsm.ctmail.com. [IPv6:2001:470:1f04:815::2], dsn
prefix1.sourcecable.net. [IPv6:2001:470:1c:3c0::2], dsn
smtp.ucla.edu. [IPv6:2607:f010:3fe:102:101c:23ff:febf:cfa7], dsn
0(smarthost1)% 

hahaha... not even 0.01% of outbound mail yet!!!

Bizarrely enough, I do see some inbound spam attempts (probably from bots) on offsite. For most of my domains, I make offsite the last in the MX line. It seems some spam boxes think they have better luck bypassing spam filters by going to the last MX record. offsite just rejects the connection without an RST, so it takes a nice long time to time out.

09:20:56.451118 IP6 2a02:728:e:864:214:22ff:fe09:af30.51496 > 2607:f3e0:0:80::290.25: Flags [S], seq 982508558, win 5760, options [mss 1440,nop,nop,TS val 3257207615 ecr 0], length 0

... From Holland.

I will have to tart up this blog and perhaps put some dancing turtles on à la http://www.kame.net… Perhaps an animated Orville.

Posted in freebsd, ipv6

Hello world!

So, why the blog? Well, I have been working on understanding IPv6 in my network and for customers and thought I should be capturing along the way what I have been learning. So why not in blog format?

Posted in Uncategorized