IPv6@home - or, the search for v6 in Denmark
So, IPv6 launch day was 2 days ago. Why did I wait two days to write about it? Well, firstly because I'm not going to write about it - there are many good (and bad) articles that abound on the net regarding this glorious non-event. Don't get me wrong, it's awesome that Google, Netflix, Facebook, Akamai, etc... are finally enabling v6 by default on all their public facing services, alongside IPv4. It's just a bit frustrating that it had to take a push-start such as this: a dedicated "launch day" for it to get rolling, making it sound like IPv6 is something new, or that it needs to be marketed in the same manner as some product you don't really need, like the Snuggie Blanket, or broccoli. By the way, I do like broccoli, I don't know what the fuss is all about.
The other reason I didn't get to write about IPv6 launch day was because I was too busy to notice it, and when I did, I remembered that I wanted to write about the fact that I've been enjoying native (not tunnelled, not 6rd) IPv6 connectivity at home for almost 2 years now. What's so special about that? Well, for one thing I wanted to check with my ISP that it was ok to write that they were providing me with IPv6 service, as it's not something you'll find a checkbox for on their website. Obviously, they're ok with it, otherwise you wouldn't be reading this :)
The other reason why it's a bit unique is that, to my knowledge, no other operator in Denmark is actually providing IPv6 on their residential product, officially or not.
Why is that? France is doing it. Bulgaria as well. Usually, Denmark is thought to be quite progressive on many fronts, but when it comes to IT, there's a strong skepticism of anything that's new or will require you to change your habits. Which is kind of a paradox, considering that IPv6 is almost 20 years old. There are a few recurring comments I have heard here over the past few years about IPv6: it's useless, it will never pick up, IPv4 is plenty enough, etc.
I can understand the skepticism to some extent, precisely because IPv6 took so long to be adopted. After all, why enable a new protocol when the current one is doing so well? And that may just be part of the problem: adoption of IPv4 grew so fast that by the time IPv6 was stable, there was simply no short term economic incentive to enable it.
Well, there's no doubt that IPv4 is not going to go away any time soon - if we only look at the number of legacy in-house applications still running on systems that long ago should have been put on the artificial respirator, then we're bound to be using 32-bit addresses for quite a few years yet. And no doubt we'll find, and use, more hacks like NAT44 to keep reusing the same old IPv4 addresses, to the joy of IPv4 traders.
But that doesn't mean that you shouldn't be looking *now* at IPv6, while you still have the time. I'm currently in the process of deploying v6 for our hosting services, and for several others of our customers. Why? I just want to get it done before they ask me for it. This way, I have more time to get ready, more time to test and debug. Once I'm done, it will be one process to allocate v6 and v4, add ACLs, filters, DNS names, routes, etc...
And yes, I do believe not offering IPv6 is going to be a competitive disadvantage. I already know of a few customers in Asia and the Pacific that will not buy transit from providers that don't offer IPv6. This goes for traffic carriers as well as content providers.
I have grumbled in the past about my ISP, but this time around I can only say thanks to Telia for making it possible to run IPv6 natively from the comfort of my couch. Ok, it's a /64, not a /48, but I'm still happy :)
I hope everyone reading this in DK will call their ISP and ask them when they intend to provide IPv6 natively. And if they say they don't know, or they don't have any plans to, tell them it's a shame, and that IPv6 launch day was two days ago, remember?
Otherwise, you know who to call :)
posted at: 16:36
So now it's going to be obligatory to use NemID for authenticating and securing transactions with public services in Denmark (for instance, taxes, social security information) but also for Electronic Banking (i.e. "netbank"), after the 1st of July 2010.
The problem is that there's a perfectly functional solution existing today in the form of "Digital Signature", which is widely used. It's an X.509 solution using public key cryptography. In layman's terms: a private key is owned and maintained by you, and no one else, and a public key, widely distributed, is signed by a trusted public authority. The key (no pun intended) element here is "private key". You are the sole administrator of that key; in fact, if you lose that key or forget the password that protects (decrypts) it, you will have to contact the issuer (DanID) and ask for a new key pair to be generated (a new "Digital Signature").
Apart from the new pricing model (NemID will be more expensive for businesses), and the fact that the signature will be combined with a "one-time password" list of passwords (which is always an improvement) there is a major flaw in how NemID will be implemented:
The public and private keys will be stored by NemID. What it means is that your private key is no longer private. This is not mentioned on the NemID website, but a couple of articles (in Danish -- the NemID website itself is in Danish only as well) have detailed the problem:
Here are the issues as I see them:
NemID argues that if they wanted to abuse their position of trusted party and defraud their customers, they could have done so long ago. The issue is not so much that of trust (an entire discussion by itself) but the fact that NemID becomes a choice target for industrial attacks ("hacking"). Except it's not credit card numbers we're talking about, but entire digital identities. Before, this was mitigated by the fact that one had to install spyware on many personal computers and use keyboard loggers to capture passphrases. Now, it's the old Egyptian tomb raider solution: forget the big granite door in front, just dig around the limestone walls.
Finally, NemID argues that since the certificates are not "qualified" (the identity of the person to which the certificate is assigned is not physically verified, but only implied through your Danish CPR number and paper post), there is no requirement to treat NemID as a "Digital Signature". So why market it/promote it as such?
As a result of this, I've written to my bank, Danske Bank, with which I have been very happy so far. Here is a list of the mails exchanged so far. I'm relatively positive about the answer I have received, but I'm not holding my breath.
I encourage you to write to your bank and ask them to what extent they intend to enforce NemID as the sole solution to access your electronic banking. Maybe we can make enough noise to attract the attention of lawmakers and politicians. If we make it their problem, they'll get grumpy and start asking questions to the Danish National IT and Telecom Agency (the regulators, who until now have been suspiciously quiet in this matter), and maybe to PBS/NemID themselves...
From: me
To: Danske Bank

Hi,

I have a question regarding NemID. Is Danske Bank planning to switch over to NemID as well? I have a problem with NemID, namely that it does not comply with the legal requirements for Digital Signature, and it will force me away from Danske Bank if you use NemID :(

- - - -

From: Danske Bank
To: me

Hi

As stated below, Danske Bank and all other financial institutions are planning to switch to NemID. In order for a standardised digital signature to be rolled out in Denmark, the Danish financial institutions have agreed to operate a common security solution for online banking. The solution is called NemID, and it is also accepted by the State as giving access to e.g. Skat, Borgerservice, eTinglysning etc. This fulfils an essential prerequisite for the digitalisation of society.

- - - -

From: me
To: Danske Bank

Hi Xxxxx,

The problem is that DanID keeps a copy of the signature -- this is directly contrary to the legal requirements. That is not the case with the current Digital Signature solution, where only the user has a copy of the private key.

http://www.version2.dk/artikel/14483-banker-tvinger-nemid-igennem-til-alle-netbank-brugere

"NemID breaks with the principle behind the current digital signature by storing both the public and the private key for a signature centrally at DanID"

My daily job is to design and implement security solutions, and here PBS/NemID have committed too serious a violation of security principles. I am unfortunately obliged to inform you that I will start looking for a bank that does not force its customers to use the NemID solution as the only login option for their online banking.

- - - - -

From: Danske Bank
To: me

Hi

We are looking into the matter and will get back to you as soon as possible.

Kind regards

- - - -
posted at: 14:02
Fri, 31 Jul 2009
I've heard of code freeze, but please...
The least they could have done is indicate WHICH versions on WHICH hardware. The explanation below reads like the extended version of Excuse Of The Day.
From: Customer Services
Date: xxxxxxxxxxxxxx
To: xxxxxxxxxxxxxxx
Subject: xxxxxxxxx Re: xxxxxxxxxxxxx Datacentre affected by heavy storm

Dear Valued Customer,

Further to the storm on the XXth of XXXX, we investigated what happened. The Inergen release in XXX has been investigated by internal and external experts, and no failures or unexpected parameters or tracks have been found. The investigation has covered areas such as pressure, temperature, dust, gas, air speed, vibrations and turbulence. Inergen is the industry preferred solution for extinguishing fire in data centres.

However, failed hard drives in connection with the use of Inergen in different rooms have been investigated by the manufacturer, and their conclusions are: a sudden temperature change of up to 2-3 degrees within 1 second, which some servers have experienced (normal recommendations are max 5 degrees within 1 hour), has caused some RAID controllers, SCSI disks and HDs to be unstable. The combination of this instability and a low firmware/driver version has caused some of these controllers/disks to fail after a period of time (not all failures are recorded at the same time). The investigation also shows that not all affected disks had failures, but the failure in the SCSI/RAID has caused the disks to fail.

Therefore the conclusion to the failures is that low firmware/driver versions are not sufficiently resilient for any Inergen-generated shift of temperature, and an upgrade of firmware/drivers can be needed in order to eliminate the chance of failure in the future. Thus xxxxxxxxxx recommends that all customers ensure that the newest supported/tested available version of firmware and drivers is installed.

Furthermore, based on the incident, xxxxxxxxxx will continue to investigate if changes in infrastructure or parameters can reduce the impact on the installed hardware in case of any Inergen release. All related fire extinguishing systems will be back in normal mode at the end of this week. An incident report has been finalized.

If you have any questions regarding this communication, please contact xxxxxxxxxxxx or send an e-mail to email@example.com. Please reference the above ticket number when you call.

Respectfully,
xxxxxxxxxx
European Customer Service Center
posted at: 12:10
Fri, 06 Feb 2009
Chelonia Mobile -- or -- IPv6 for the people
A couple of weeks ago, I helped my mom, who lives in Paris, to set up her new ADSL connection. Nothing unusual there, most of you reading this have to live with the occasional burden of being the first line of PC support for your family and friends. Those who won't take "... but I don't work with PCs!" for an answer.
I'd decided to migrate her away from her current TV/Internet cable provider which had been getting more expensive with nothing of value to offer for the price hike. We're talking 60 EUR / month (ca. 450 DKK, for the Euro-challenged), which by French Internet market standards is pretty expensive. For this, she was getting 40-or-so channels, IP telephony, and 4/1 Mbps Internet (100/4 Mbps if we renewed the contract, which we didn't).
So I made her subscribe to Free, the second largest DSL provider in France (after France Telecom/Orange, the legacy national operator).
I guided my mom through the installation over the phone, since I live in Copenhagen; and while my mom is no technical guru (she still calls me when she receives popups from Software Update on the Mac, asking me if it's safe to say "Accept"), we got things up and running in under a couple of hours.
Free likes to do things differently. Take for instance the way they price their access. With Free, you don't pay more if you want a higher speed service. Free provisions your DSL at the highest speed the loop will allow, which in the case of the copper at my mom's place, is 18 Mbit/s down and 1 Mbit/s up. Not too bad. Had the DSLAM been closer, it would have been 24 Mbit/s.
And of course she gets IP telephony. Flat rate to all landlines in Europe and North America.
Then you get the 150 channels in the base package. There are 300 to choose from, and you can pick individual channels. Want CNN? That's 0.7 EUR / month on top (5 DKK).
And it's much cheaper... 30 EUR / month (225 DKK).
Like I mentioned earlier, Free likes to do things differently. Both the founder (Xavier Niel) and technical director (Rani Assaf) have a reputation for being mavericks. For example, Free was one of, if not the first, ISPs to develop in-house a combined DSL modem and set-top box/video recorder, the Freebox. This gave them a huge advantage over the competition when it came to providing extra services, a long time before anyone else.
Features like VideoLAN client (VLC) support, allowing you to watch any of the subscribed channels, or a pre-recorded program, from any computer in the home. Or do the reverse: the VLC client in the set-top box will let you watch films stored on your computer, provided you can serve them over HTTP. Or SIP service so you can use your VoIP line from anywhere in the world. Did I mention the fact that the set-top box is HD, has a built-in hard disk recorder, and communicates with the DSL modem using PLC? If for some reason that doesn't work, no problem, they'll just switch to WiFi.
I almost forgot the reason I was writing this in the first place.
You know, the protocol that according to various Danish ISPs, "... only Vista implements ...", or "... hasn't been deployed yet ..."
Did I mention that Free doesn't like to do things like anyone else?
Actually, Free isn't the only French ISP to deploy IPv6. In fact, Nerim was the first to offer native IPv6, already in March 2003, mostly targeted to their semi-professional customers.
But the way it happened in Free's case was that Rani Assaf got tired of the loud handful of geeks on the Free support newsgroups inquiring as to when IPv6 would be available. As a response, he wrote in the same support forum:
- Find 10,000 people who are interested in this gadget, and we'll do it for 1 EUR / month
- Find 100,000 people, and we'll do it for free.
They got 24,000 signatures (they do have 3.5 million subscribers...), and they ended up delivering IPv6 at no additional cost. Some will argue it's not native IPv6 (they tunnel IPv6 back to their core using a variation of 6to4 called 6to4rd, where it's pure IPv6 once again), but hey, ping6 tells me it works.
Since then, other businesses are catching up, and competition is fierce.
OVH, a large hosting company established in France and a few other European countries, offers servers to rent (the Kimsufi range), from a basic virtual server with 9 GB of space at 40 DKK / month to dedicated machines for 150 DKK / month. And this includes unlimited bandwidth... and native IPv6. Free has an equivalent, albeit at a slightly higher price.
In the case of my mom's DSL, it was very easy to enable IPv6. By default the Freebox functions as a bridge (probably not a wise choice security-wise), but it took only a couple of clicks on Free's user portal to change the operation mode to router, enabling DHCP, firewall and NAT services on the Freebox, as well as IPv6 router advertisement.
All that was left was to enable IPv6 autoconfiguration on my mom's Mac, and once that was done, IPv6 was active.
So what does my mom get out of all this? Well, she doesn't know or care what IPv6 is. She's 66, and she's a painter. In her most recent mail, she was waiting for one of her friends to pass by and show her how to record stuff on the Freebox. Just before that she'd called me to make sure it was still all right to say OK to the Software Update dialog.
But without knowing it, she's already using IPv6. Nameservers, a few websites, Google if you set up your caching nameservers correctly.
And I know that if I told her to point her browser to www.kame.net the turtle on the screen would move...
(thank you Itojun)
URGENT - HELP ME RETRIEVE 170 MILLION U.S. DOLLARS
HELLO MY NAME IS STEIN BAGGERS AND I AM A 41 YEAR OLD BUSINESS MAN AND CEO OF THE COMPANY IT FACTORY. I HAVE 170 MILLION US DOLLARS THAT I NEED TO RETRIEVE, FROM A BANK ACCOUNT IN DENMARK. I AM CURRENTLY LIVING IN THE BAHAMAS, BUT I AM NOT ABLE TO GET THIS HARD EARNED MONEY TRANSFERRED TO ME, AND THIS IS WHY I NEED YOUR HELP. I HAVE AN EQUIVALENT 170 MILLION US DOLLARS STUCK IN A BANK IN DENMARK, BUT THEY ARE IN DANISH KRONER. FOR SOME REASON THEY DON'T LIKE DENMARK IN DUBAI AND THE REST OF THE MIDDLE EAST, AND IN THE BAHAMAS THEY HAVE NEVER HEARD OF KRONER, AND KEEP SAYING "EURO! EURO!". I CAN'T BELIEVE I DIDN'T THINK ABOUT THIS PROBLEM BEFORE I LEFT. I AGREE TO REWARD YOU WITH PART OF THE MONEY FOR YOUR ASSISTANCE, KINDNESS AND PARTICIPATION IN THIS CHARITABLE PROJECT. THIS MAIL MIGHT COME TO YOU AS A SURPRISE AND THE TEMPTATION TO IGNORE IT AS UNSERIOUS COULD COME INTO YOUR MIND BUT PLEASE CONSIDER IT A HELP TO A POOR FELLOW WHO HAS TO BUY A NEW MERCEDES AND PORSCHE. YOU ARE AT LIBERTY TO USE YOUR DISCRETION TO DISTRIBUTE 10% OF THE MONEY AND FEEL FREE AS WELL TO REIMBURSE YOURSELF WHEN YOU HAVE THE MONEY FOR ANY EXPENSES YOU INCUR IN THE COURSE OF COLLECTING THE MONEY. KINDLY EXPEDITE ACTION AND CONTACT ME VIA E-MAIL: ITFACTORY4EVER@YAHOO.COM IF THIS PROPOSAL IS ACCEPTABLE TO YOU. BEST REGARDS, MR STEIN BAGGER
We are running out of IPv4 addresses...
and there's no slowing down
I remember messing around with IPv6 for the first time almost 10 years ago, while setting up a training installation at the INET 1998 workshops in Geneva. It was straightforward to get the Windows NT (MSRIPv6), BSDi, FreeBSD and Linux hosts to autoconfigure themselves on the local subnet and communicate using IPv6. The general enthusiasm reflected one idea: "We're going to migrate to IPv6". At no point do I remember thinking "gee, and how will they communicate with IPv4?". I don't remember anyone talking about the transition itself, or the protocols involved.
As a followup to the recent announcement that the IETF's IPv6 Working Group had effectively been dissolved, some individuals on the NANOG list have been pointing out the apparent fact that, while a lot of time and effort was spent on designing "IPNG", as IPv6 was originally called, including all the bells and whistles that IPv4 lacked, like QoS, IPsec, autoconfiguration, prefix hierarchisation, (effectively a Second System Effect), not a lot of thinking has gone into the effective migration away from IPv4 to IPv6, and more importantly, how IPv6 and IPv4 users are supposed to talk together -- at least not on the massive scale of today's Internet.
Today this issue is very much present in the minds of network operators around the globe. A few are very aware of the wall that's looming ahead, and are trying to spread the message. After the Year 2000 hype (at least, as it was perceived by the general public), it's difficult to get worked up about impending doom scenarios, especially those whose date keeps changing.
The fact is, IPv6 and IPv4 are not compatible on the wire. This means that IPv4 and IPv6 are different protocols, and that an IPv4 host cannot talk to an IPv6 host and vice versa, unless at least one of the hosts is dual stacked (running both protocols), or some sort of translation mechanism exists (NAT or application level gateway) to allow the hosts to talk to each other. Indirectly this could mean that many more IPv4 addresses than we have left today might be required, to allow for a transition where every IPv6 host could talk to every IPv4 node, and vice-versa.
RFC 2766, which defines NAT-PT (NAT Protocol Translation), nails the problem description square on the head:
"There is expected to be a long transition period during which it will be necessary for IPv4 and IPv6 nodes to coexist and communicate. A strong, flexible set of IPv4-to-IPv6 transition and coexistence mechanisms will be required during this transition period."(emphasis mine)
Today, 7 years after NAT-PT was introduced, a new RFC recommends that NAT-PT be deprecated.
The original draft of this RFC stated, in September 2004:
"Description of an alternative protocol translation mechanism is out of scope for this document." But today, 3 years later, and with the draft made standard, "There are no simple, useful, scalable translation or transition mechanisms" (cf. prev. cit.).
Even here in Denmark, which has a reputation for early adoption of new technologies, and where Internet penetration is among the highest in the world, most larger organizations I talk to are absolutely ignorant or unconcerned about the deployment of IPv6 -- not that they have no idea what IPv6 is, but they have no plans to deploy it, or do not seem to be aware of the issues regarding IPv4 depletion: they have no strategy, or at least no intended strategy, with regards to IPv6.
As someone I know who is very knowledgeable about IPv6 wrote half a year ago,
"Still not much going on in Denmark with regards to IPv6. Nobody cares, nobody wants it, nobody works to implement it."
Time to smell the coffee
Learning IPv6 is one more burden for the average network administrator. Administrating IPv6 and IPv4 in parallel even more so. Dual routing tables, dual filtering paths, dual routing protocols, twice the security hassle. Even more reasons to start now. Not while it's early (that was 5 years ago), but while there's still time.
In hindsight, considering that many of the more revolutionary aspects of IPv6 have been dropped, it might have been smarter to just make IPv6 on-the-wire compatible with IPv4, and to use the lower 32 bits of the IPv6 addressing space to map the IPv4 space into it, enabling a simple compatibility mode for IPv6 to communicate with IPv4-only hosts, without the need for extra translation. [A few readers pointed out to me that this is contradictory with the idea of having a 128-bit address space: there can be no compatibility on the wire. Any sort of "compatibility" where an IPv6 host emits IPv4 packets is in fact simply a dual stack system.]
Unfortunately, this is not the case, and we have to deal with an installed base of tens of millions of IPv4-only NAT gateways and CPE (customer premises equipment) that only support IPv4, and will likely never support IPv6. It's in this environment that IPv6 will need to be deployed. The transition will most likely not be "from the core to the edge" in one smooth wave. IPv6 is going to pop up everywhere it makes sense, and for it to function it will have to use all the dirty tricks that IPv4 used to survive, including tunneling, protocol translation, and application level gateways.
A number of announcements of publications were made recently, underlining the problem at hand:
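As an added example (not code from the original posts), here are the address layouts behind two things discussed on this page: the 6to4-style tunnelling Free uses for its subscribers (6rd, which the Free post above calls 6to4rd), and the idea of carrying an IPv4 address inside the IPv6 address space, which in practice only exists as the IPv4-mapped form a dual-stack socket uses. The ISP 6rd prefix 2001:db8::/32 and the shared IPv4 block are constructed values, not Free's real ones.

```python
"""Embedding an IPv4 address inside an IPv6 address (added example).

  * 6to4 (RFC 3056): fixed prefix 2002::/16, then the site's public IPv4
    address, giving a /48.
  * 6rd (RFC 5969): the ISP's own prefix, then the customer's IPv4 address
    minus any leading bits all customers share (RFC 5969's IPv4MaskLen).
  * IPv4-mapped (RFC 4291): ::ffff:a.b.c.d. Never seen on the wire; a
    dual-stack socket uses it to present an IPv4 peer through the IPv6 API.
"""
from ipaddress import IPv4Address, IPv4Network, IPv6Address, IPv6Network
from typing import Optional


def sixtofour_prefix(v4: str) -> IPv6Network:
    """2002:VVWW:XXYY::/48 for the IPv4 address VV.WW.XX.YY."""
    v4int = int(IPv4Address(v4))
    # 2002 fills the top 16 bits, the IPv4 address the next 32 (bits 16-47).
    return IPv6Network(((0x2002 << 112) | (v4int << 80), 48))


def sixrd_delegated_prefix(isp_prefix: str, shared_v4: str, v4: str) -> IPv6Network:
    """Customer prefix = ISP 6rd prefix + the IPv4 bits not covered by shared_v4."""
    isp = IPv6Network(isp_prefix)
    shared = IPv4Network(shared_v4)
    addr = IPv4Address(v4)
    if addr not in shared:
        raise ValueError(f"{v4} is outside the shared block {shared}")
    keep = 32 - shared.prefixlen            # IPv4 bits that carry information
    v4bits = int(addr) & ((1 << keep) - 1)
    new_len = isp.prefixlen + keep
    shift = 128 - new_len                    # place them right after the ISP prefix
    return IPv6Network((int(isp.network_address) | (v4bits << shift), new_len))


def sixrd_extract_ipv4(v6: str, isp_prefix: str, shared_v4: str) -> IPv4Address:
    """Inverse of sixrd_delegated_prefix: recover the customer's IPv4 address."""
    isp = IPv6Network(isp_prefix)
    shared = IPv4Network(shared_v4)
    addr = IPv6Address(v6)
    if addr not in isp:
        raise ValueError(f"{v6} is not inside the 6rd prefix {isp}")
    keep = 32 - shared.prefixlen
    shift = 128 - isp.prefixlen - keep
    v4bits = (int(addr) >> shift) & ((1 << keep) - 1)
    return IPv4Address(int(shared.network_address) | v4bits)


def ipv4_mapped(v4: str) -> IPv6Address:
    """::ffff:a.b.c.d, the form in which a dual-stack socket reports an IPv4 peer."""
    return IPv6Address((0xFFFF << 32) | int(IPv4Address(v4)))


def embedded_ipv4(v6: str) -> Optional[IPv4Address]:
    """IPv4 address carried by a 6to4 or IPv4-mapped address, else None.

    Done by hand to show the bit layout; the stdlib exposes the same
    decoding as IPv6Address.sixtofour and IPv6Address.ipv4_mapped.
    """
    n = int(IPv6Address(v6))
    if (n >> 112) == 0x2002:                 # 6to4: IPv4 sits in bits 16-47
        return IPv4Address((n >> 80) & 0xFFFFFFFF)
    if (n >> 32) == 0xFFFF:                  # ::ffff:0:0/96, IPv4 in the low 32 bits
        return IPv4Address(n & 0xFFFFFFFF)
    return None


if __name__ == "__main__":
    print(sixtofour_prefix("192.0.2.1"))
    print(sixrd_delegated_prefix("2001:db8::/32", "0.0.0.0/0", "192.0.2.1"))
    print(sixrd_delegated_prefix("2001:db8::/32", "192.0.0.0/8", "192.0.2.1"))
    print(sixrd_extract_ipv4("2001:db8:2:100::", "2001:db8::/32", "192.0.0.0/8"))
    print(ipv4_mapped("192.0.2.1"), embedded_ipv4("::ffff:192.0.2.1"))
```

The 6rd case with a shared /8 shows why an ISP's delegated prefix can be shorter than its 6to4 equivalent: only the 24 IPv4 bits that differ between customers are embedded.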
Compare this to a very informative presentation from Randy Bush regarding the reality of such a transition (and, in some cases, why it's plain impossible, since IPv6 is not "backwards compatible" with IPv4):
[IPv6 Transition & Operational Reality]
(the part regarding the emergence of a market for IPv4 addresses, and the transition from allocation to entitlement is worth it by itself).
Some background data and interesting comments from Geoff Huston, who maintains a page which is updated daily with an estimate of when IANA and RIRs will run out of unallocated IPv4 space (and the trading -- whether it's legitimate or not -- will begin):
To get a feel of the context, a very informative read is the transcript of the APNIC Plenary, New Delhi, Sept. 2007.
Some good starting points on IPv6
There are some very interesting
of the operational experiences of deploying IPv6.
posted at: 09:26