Archive for February, 2013

LOPSA San Diego – Tonight

LOPSA San Diego Meeting

Thursday Feb 28 2013

6pm until whenever

Callahan’s Pub in Mira Mesa

This will be a social, meet and greet meeting. Come and meet some of the fine sysadmins in the San Diego area. Come out and meet your peers, network, talk shop, grab a bite and/or a beer and celebrate all things sysadmin.

LOPSA is an international professional society for IT people of all job descriptions.

If you’re planning to attend, please RSVP at Meetup.com so we can get a headcount ahead of time. Of course, if you can only make it at the last minute, you’re very welcome too! (We understand the life of a sysadmin!)

Our members manage everything from desktops to servers, storage to networks, laptops to supercomputers. Come out and get connected to the rich sysadmin community in San Diego!


LOPSA San Diego – Tomorrow

LOPSA San Diego Meeting

Thursday Feb 28 2013

6pm until whenever

Callahan’s Pub in Mira Mesa

This will be a social, meet and greet meeting. Come and meet some of the fine sysadmins in the San Diego area. Come out and meet your peers, network, talk shop, grab a bite and/or a beer and celebrate all things sysadmin.

LOPSA is an international professional society for IT people of all job descriptions.

If you’re planning to attend, please RSVP at Meetup.com so we can get a headcount ahead of time. Of course, if you can only make it at the last minute, you’re very welcome too! (We understand the life of a sysadmin!)

Our members manage everything from desktops to servers, storage to networks, laptops to supercomputers. Come out and get connected to the rich sysadmin community in San Diego!


IPv6 – Airport Extreme update 7.6.3 breaks existing IPv6 tunnels

A few days ago I had an unexpected network problem.  An IPv6 tunnel to tunnelbroker.net that had been up for months went down and wouldn’t restart. My tunnel endpoint is an Apple Airport Extreme base station (AEBS) that was originally running 7.6.1.

This all started when my ‘net connection died, IPv4 and IPv6 both just stopped working. I tracked it down to the AEBS. For some reason it just completely stopped passing any traffic at all. It’s done this twice before; it looks like the problem is uptime related. The AEBS seems to want a full power cycle about every 120-150 days of uptime.

Unfortunately, I also decided to take the downtime as an opportunity to do the pending firmware update, to 7.6.3.

Which breaks existing IPv6 tunnels.

Fortunately, this was already figured out by others. Hurricane Electric support quickly referred me to this post in their support forums, which references this Ars Technica article, which leads to the root cause, as determined by users at SIXXS.

Apple changed the firmware to now require a valid IPv6 prefix in the “IPv6 Delegated Prefix” field in order to handle 6in4 tunnels. This field did not exist in earlier versions of the firmware, and was only added to the firmware around version 7.6 or so. At that time, existing configurations would still work, with no value in that field.

The 7.6.3 update requires a valid prefix, or the router will discard protocol-41 (6in4) packets from the other end of the tunnel.

If it wasn’t for the pretty good support for IPv6 in MacOS, I’d have guessed that Apple hates IPv6, as they keep breaking it on the AEBS product family.


LOPSA San Diego Meeting – Feb 28

LOPSA San Diego Meeting

Thursday Feb 28 2013

6pm until whenever

Callahan’s Pub in Mira Mesa

This will be a social, meet and greet meeting. Come and meet some of the fine sysadmins in the San Diego area. Come out and meet your peers, network, talk shop, grab a bite and/or a beer and celebrate all things sysadmin.

LOPSA is an international professional society for IT people of all job descriptions.

If you’re planning to attend, please RSVP at Meetup.com so we can get a headcount ahead of time. Of course, if you can only make it at the last minute, you’re very welcome too! (We understand the life of a sysadmin!)

Our members manage everything from desktops to servers, storage to networks, laptops to supercomputers. Come out and get connected to the rich sysadmin community in San Diego!


IPv6 – CGN and Teredo Considered Harmful

There, I said it. The so-called “IPv6 transition strategies” are making it harder, more complicated and less secure to deploy IPv6 than just “doing the right thing”.

Carrier Grade NAT (CGN) and Teredo (among others) are the last gasps of an IPv4 world, and have no place in the modern Internet. While they may have short-term advantages to network operators, they will cause problems for their end users until they are finally phased out. Dual stack would be a better transition process, especially for customers.

CGN is, as much as anything else, a way for carriers with a large network or large installed base of end users to make the fewest (and hopefully least expensive) changes in their networks. They are betting that by introducing a small number of large-scale NAT devices on the border between their networks and the Internet, they can avoid making sweeping internal network changes, or upgrading CPE (Customer Premise Equipment).

At best, even when working correctly, CGN breaks end-user accountability, geo-location and the end user experience. On top of that, it will slow IPv6 adoption, force “true IPv6” users to adopt a host of operational work-arounds, and complicate deployment of next generation mobile and Internet applications.

CGN is inherently selfish on the part of the network operators that deploy it. They are saying “I want to spend less money, so I’m going to force everyone else to make changes or suffer in order to continue to talk to my customers.”

Or, as Owen Delong put it in his excellent look at the tradeoffs in CGN:

Almost all of the advantages of the second approach [transition to CGN and avoid investing in IPv6 deployment] are immediate and accrue to the benefit of the provider, while almost all of the immediate drawbacks impact the subscriber.

The next part of my rant has to do with Teredo, a “last resort transition technology”.

Like CGN, Teredo promises to allow end-user equipment to connect to the public IPv6 Internet over IPv4. It does this by “invisibly” tunneling your IPv6 traffic over the public Internet, to a “Teredo gateway”. A Teredo gateway performs a 4to6 network translation and passes your traffic onto the desired IPv6 destination. Teredo is implemented transparently in some Microsoft operating systems and can by default provide an IPv4 tunnel to the outside world for your IPv6 traffic. It can also provide an “invisible” tunnel from the outside world back into the heart of your network. And of course, all your network traffic could be intercepted at the Teredo gateway.

Teredo security has been a hot topic for years, with some concerns being raised shortly after Teredo’s standardization in 2006, and RFC6169 finally providing IETF consensus in 2011. Sadly, Teredo security must still be discussed, even though it is 0.01% of network traffic to dual-stacked resources. Fortunately, there’s a move in IETF to declare 6to4 technologies (including Teredo) as “historic”. Teredo will complicate network security until it is gone.
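For anyone auditing their own network for these "invisible" tunnels, here is an added example (not from the original post) that flags Teredo and 6to4 source addresses in connection logs and decodes the IPv4 details embedded in them. The prefixes and address layout come from RFC 4380 and RFC 3056; the log format and sample lines are constructed for illustration.

```python
import ipaddress
import re

TEREDO_NET = ipaddress.ip_network("2001::/32")     # Teredo prefix (RFC 4380)
SIXTOFOUR_NET = ipaddress.ip_network("2002::/16")  # 6to4 prefix (RFC 3056)


def classify_ipv6(text):
    """Describe whether an IPv6 address belongs to an IPv4-tunnelled range."""
    addr = ipaddress.IPv6Address(text)
    raw = addr.packed
    if addr in TEREDO_NET:
        # prefix(4) | server IPv4(4) | flags(2) | port^0xFFFF(2) | client IPv4^0xFFFFFFFF(4)
        client = int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF
        return {
            "kind": "teredo",
            "server": str(ipaddress.IPv4Address(raw[4:8])),
            "client": str(ipaddress.IPv4Address(client)),
            "port": int.from_bytes(raw[10:12], "big") ^ 0xFFFF,
            "cone_nat": bool(raw[8] & 0x80),
        }
    if addr in SIXTOFOUR_NET:
        # The 32 bits after 2002: are the IPv4 address of the 6to4 router.
        return {"kind": "6to4", "router": str(ipaddress.IPv4Address(raw[2:6]))}
    return {"kind": "native"}


def tunnelled_sources(lines):
    """Return (source, details) for each log line whose src= is tunnelled."""
    findings = []
    for line in lines:
        match = re.search(r"\bsrc=(\S+)", line)
        if not match:
            continue
        try:
            info = classify_ipv6(match.group(1))
        except ipaddress.AddressValueError:
            continue  # IPv4 or malformed source: not relevant here
        if info["kind"] != "native":
            findings.append((match.group(1), info))
    return findings


# Constructed sample log lines (hypothetical format: timestamp src= dst=).
SAMPLE_LOG = [
    "2013-02-20T10:00:01 src=2001:0:4136:e378:8000:63bf:3fff:fdd2 dst=2001:db8::10",
    "2013-02-20T10:00:02 src=2001:db8:1::25 dst=2001:db8::10",
    "2013-02-20T10:00:03 src=2002:c000:204::1 dst=2001:db8::10",
    "2013-02-20T10:00:04 src=192.0.2.99 dst=198.51.100.7",
]

if __name__ == "__main__":
    for src, info in tunnelled_sources(SAMPLE_LOG):
        print(src, info)
```

The decoded `client` and `port` values are the public IPv4 address and UDP port of the NAT the Teredo host sits behind, which is what you need to correlate the IPv6 flow with IPv4 firewall or NAT logs.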

I, for one, cannot wait for both CGN and Teredo to be consigned to the dustbin of history.
