World IPv6 Day – what now?

Hopefully most people will have realised by now that last Wednesday (8 June) was World IPv6 Day.  The idea of this day was to enable IPv6 on various web sites, including some quite famous ones like Google and Facebook and Yahoo! and see what would happen.

Irritatingly, many press articles about World IPv6 Day were published which seemed to me to be still largely sceptical of the whole thing, or which dismissed it as a pointless exercise.  But really, the whole point of the day itself was basically to see what would happen when people enabled IPv6 on their servers.  Perhaps The Register put it the best with their headline, even if the article itself wasn’t much good in my opinion — “World IPv6 Day fails to kill Internet”, as if that was some kind of surprise.  (I knew it wouldn’t, but then again this web site has been IPv6 enabled for ages…)

But even if the press think or thought it was all one great big massive publicity stunt, what now?  Because now, the day is over, and presumably we can all go back to sleep — but sadly we can’t, because IPv4 addresses are still running out.  We can’t use NAT, or double NAT, or treble NAT forever.  And it left me thinking about what should happen next, because the world after World IPv6 Day doesn’t seem much different to the world before World IPv6 Day.  Maybe we should have another one next year…?

Thankfully, things do seem to be moving, but slowly.  Two big UK ISPs have announced on their respective web sites that they either have plans to roll out v6 or are trialling it – O2/Be are hopefully going to have v6 available at the end of the year, and Plusnet are trialling it now.  And Billion now have a UK version of an IPv6 ADSL wireless router (albeit with beta firmware) also shipping.

I’m hoping that when O2/Be, being one of the larger UK ISPs, roll out their v6 implementation, this will entice the likes of BT Retail and TalkTalk to follow suit.  Plusnet, although owned by BT, is not really big enough to be called a ‘big player’ in the market.  It’s the old problem – the ISPs are claiming there’s no demand, and the service providers can’t roll it out because the ISPs aren’t offering it, which means they can’t create demand.  Perhaps things won’t change until the companies that got the last APNIC allocations use their allocations up 9 months hence.

It’s all slightly depressing, isn’t it? :)

Dilemma of the week – to HTML or not to HTML?

I was only considering earlier today whether it might be time to give in to all my principles and ‘convert’ to the ‘standard’ that Microsoft probably should have but in fact never invented – HTML email*.  Up until now, all my emails have been resolutely plain text, monospaced affairs designed to take up as little space as possible.  However, in today’s world, everyone else is using HTML mail and I’m not — so perhaps it’s time to give in and convert.

The big disadvantage, of course, is that your email basically needs to be sent twice, once as a text/plain MIME part for the ‘legacy’ mail readers that can only understand plain text, and once as a text/html MIME part for the HTML-capable readers.  This does noticeably increase the size of an email, but then again in today’s “broadband” world this probably isn’t anywhere nearly as much of a problem as it used to be.  The downside of HTML email is that it does dramatically increase the scope for nasties to enter into your e-mail client by use of nefarious HTML tags.  Thankfully modern email clients are much better at sanitising HTML, and also not loading remote images by default so much of this risk is reduced, but not all.  The upside of plain text is that it is just that — plain text.  Nothing to go wrong.

Another ‘attraction’ of HTML mail is that you can make your mails much ‘prettier’ using colours, boxes, CSS, whatever (I think you can even put in a background if you’re that desperate!), as well as different font styles/sizes (although this is limited to what fonts are on the client machine, which basically forces you to specify either “serif” or “sans-serif” and hope for the best, unless there is a way of embedding fonts these days.)

Perhaps I’ll trial it and see how it goes.  I can always go back to my old-fashioned ways if it doesn’t work out … :)

* Believe it or not, it was Netscape!

Review: IPv4 “Significant Announcement” ceremony and press conference

So now we know what blocks of IPv4 look like.  They’re glass!  Today was the live webcast of the Numbering Resource Organisation’s “Significant Announcement” ceremony from some hotel in Florida, USA.  Each of the Regional Internet Registries were awarded a commemorative glass block and some kind of large white certificate as they were each given their final /8 allocation of 16,777,216 IPv4 addresses.  Each award was followed by a speech, the quality of which (in my opinion at least) fared from ‘appalling’ to ‘not that good’.  This was followed by a press conference in which I understand the questions were not that great, and in some cases answered inaccurately.  So I’m expecting a whole raft of wrong news articles tomorrow.

Now we can say they are all gone.  They truly are.  You can check the official list – they really are all allocated!  Goodbye and thanks for all the fish…

Update: The actual ceremony and press conference are on YouTube now – announcement and press conference.

LDAP, pGINA 2.1 and Single Sign-on

Now that the frenzy of IPv4 exhaustion is over for a little while, it was time to turn my hand to some of the more mundane aspects of computing.  One of the “things to do” on my list was single sign-on; that is, being able to log in using the same user name and password at any machine on my network.

There are two main problems getting this to work – the main one is that I have a mix of Windows and Linux machines on my network.  This requires a bit of thought.  Many years ago, there was a fantastic piece of software called pGina which implemented the Microsoft GINA specification (which if you want the simple explanation, is the bit of code that does the login box).  Using pGina, you could add plugins to authenticate users via something other than local users or a Windows domain controller.  So I used the LDAP plugin, and it worked, and it was great.

Then something happened.  Microsoft released Windows Vista.  And in that version of Windows, Microsoft decided to revamp the way the login box was done, replacing the GINA stuff with something called ‘Credential Providers’.  And my beloved pGina stopped working.  With the author at the time indicating that a Vista version wasn’t going to be forthcoming very quickly, I gave up and went to local authentication again.

But…

Last week I discovered that there was a new 2.x version of pGina which *did* implement a Credential Provider, so now Vista and Windows 7 users can once again use LDAP login on the Windows box.  Great news!  So, it was time to get all this up and running again.  To cut a long story short, I have pGina 2.1 installed, but it is not working yet.  The reason why is that I wanted to concentrate on getting the Linux part of it working first, and then sort pGina out later.

The Linux part was going to be interesting.  Using concepts that I first discovered the best part of 15 years ago, and remembering how to do it, was going to be fun.  The first job was to implement a common login system between all the Linux machines.  There are multiple ways to do this, and I would have preferred to have gone the Kerberos+LDAP route, but this isn’t actually possible yet using pGina since it has the LDAP plugin, but not a Kerberos one.  So plain LDAP it was.

It’s been a long time since I’d used OpenLDAP with any kind of sensible purpose, and a bit of a surprise was waiting for me – in Debian squeeze, they had decided to move to the ‘dynamic’ cn=config type configuration, where all the config is stored in the directory itself, rather than the old-fashioned slapd.conf method.  It took a while to figure this out… but once I had, it was just a case of firing up Eclipse, using Apache Directory Studio to navigate the LDAP tree, and to put all the right options and permissions and suchlike in.

So, now I have an LDAP tree which will support single sign on.  It was just a case then of installing the libpam-ldap and libnss-ldap packages and configuring them up appropriately.  One thing that did catch me out was the fact that Debian seem to link their packages with GnuTLS rather than OpenSSL.  Although I knew this, it wasn’t working properly.  Much frustration later, it appears that the reason it wasn’t working was that you cannot use the tlscertdir parameter when using GnuTLS – only tlscertfile will work.  So, having figured that out, all my clients are now talking to each other using StartTLS rather than plain text.
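
The pitfall above lends itself to a quick check.  The following is an added example, not part of the original post: a small shell lint for a libnss-ldap/libpam-ldap style config file.  It assumes the option spellings `ssl`, `tls_cacertfile`, `tls_cacertdir` and `tls_checkpeer`; the function names, host name and sample files are made up for illustration.

```shell
#!/bin/sh
# Added example: lint a libnss-ldap / libpam-ldap style config for the GnuTLS
# pitfall described above. Option spellings are assumed; samples are constructed.

# Value of the last uncommented occurrence of option $2 in file $1.
ldap_opt() {
    awk -v key="$2" 'tolower($1) == key { val = $2 } END { print val }' "$1"
}

# One finding per line; returns 0 only if TLS is enabled and a CA file is set.
audit_ldap_tls() {
    local conf="$1" rc=0 ssl cafile cadir checkpeer
    ssl=$(ldap_opt "$conf" ssl)
    cafile=$(ldap_opt "$conf" tls_cacertfile)
    cadir=$(ldap_opt "$conf" tls_cacertdir)
    checkpeer=$(ldap_opt "$conf" tls_checkpeer)
    case "$ssl" in
        start_tls|on) ;;
        *) echo "FAIL: neither 'ssl start_tls' nor 'ssl on' is set"; rc=1 ;;
    esac
    if [ -z "$cafile" ] && [ -n "$cadir" ]; then
        echo "FAIL: only tls_cacertdir is set; a GnuTLS build needs tls_cacertfile"; rc=1
    elif [ -z "$cafile" ]; then
        echo "FAIL: no CA certificate configured"; rc=1
    elif [ -n "$cadir" ]; then
        echo "WARN: tls_cacertdir is set as well but is not used with GnuTLS"
    fi
    if [ "$checkpeer" != "yes" ]; then
        echo "WARN: tls_checkpeer is not explicitly 'yes'"
    fi
    return "$rc"
}

# Constructed sample configs: the failing setup and the corrected one.
write_samples() {
    cat > "$1/broken.conf" <<'EOF'
uri ldap://ldap.example.net/
ssl start_tls
tls_cacertdir /etc/ssl/certs
EOF
    cat > "$1/fixed.conf" <<'EOF'
uri ldap://ldap.example.net/
ssl start_tls
tls_cacertfile /etc/ssl/certs/example-ca.pem
tls_checkpeer yes
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp/broken.conf" "$tmp/fixed.conf"; do
    echo "== ${f##*/}"
    audit_ldap_tls "$f" || true
done
rm -rf "$tmp"
```

A non-zero return from `audit_ldap_tls` means the client would either skip TLS or have no CA it can actually load, so it is worth running against each machine’s config before relying on StartTLS.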

That done, the next job was to somehow make my ‘network’ home directories appear on all the machines.  NFS is the obvious choice for this, but for one reason and another, using straight NFS is not likely to work in my network.  Specifically, I didn’t want the situation where I could not mount my NFS drives on boot, if the virtual machines didn’t come up in the right order or it got ‘stuck’.  So, I decided to resurrect the automounter.  I haven’t used this in donkeys’ years, but I was nicely surprised to see that the latest version of autofs, autofs5, comes with LDAP support – which is handy, since I had just set up my LDAP server anyway.

So, a little scratching of heads and a few entries in my LDAP server later, I had the automounter configured, which would pick my NFS directories up from the file server but (most importantly) only mount them when required, which means that none of my virtual machines would hang upon boot if the file server hadn’t started up yet, since the home directories aren’t required then.

So far, all is well, and it seems to be quite a good solution.  I still haven’t got pGina working, mainly because I haven’t had time, but hopefully that shouldn’t be too difficult to get going, now that I know the rest of it works.

IPv4 all gone

The news has been announced.  In the last two hours, APNIC have been allocated the last two /8s in the IPv4 address pool, which will trigger the distribution of the ‘final five’ blocks, one to each Regional Internet Registry, which officially means that there are no more IPv4 addresses left in the IANA pool.

What does this mean now?  Well, each RIR still has a stock of addresses.  With APNIC taking the last two blocks, they now have in the region of 3.2 /8s left, ARIN have about the same, and RIPE have nearly 4.  Obviously each RIR will get an additional 1 /8 from the ‘final five’ in addition to this.  Current estimates are that these addresses will be gone in around 6 months.

Party time!

IPv4 Exhaustion: Could tomorrow be the big day?

The Internet has been buzzing over the past few days about what the exact date will be for IANA to ‘push the button’ and finally exhaust their stock of /8s by allocating two blocks to APNIC.  The rumours have been for quite some time that 31st Jan/1st Feb was going to be the big day, but now big big (and not very subtle) hints have been dropped by several people who should know, and the date also neatly coincides with NANOG 51, the perennial meeting of the North American Network Operators Group, and is also the day before Chinese New Year’s Eve.

So, watch this space!  NANOG 51 starts today, with the main events tomorrow, Tuesday and Wednesday.  I’m expecting an announcement around 09:30 EST (so 14:30 UK time, and around 00:30 in APNIC’s office in Brisbane) tomorrow.

Anyone for a party? :)

Clueless IPv6 Comment of the Day

Had to laugh (or possibly cry) at the following quote from reporter Claire Connelly of news.com.au, at http://www.news.com.au/technology/the-internet-has-run-out-of-ip-addresses-and-what-happens-after-that-is-anyones-guess/story-e6frfro0-1225995086627 today:

“Web developers have tried to compensate for this problem by creating IPv6 – a system which recognises six-digit IP addresses.”

The rest of it is so full of errors, I won’t even begin to start pointing them out – but it made me laugh anyway.  If this is the quality of reporting we’re going to get next week when the addresses *do* run out, I think we’re in for a bit of fun…

(In case you weren’t aware, IPv6 addresses aren’t six digits in length – they are 128-bit numbers, which is technically 32 hex digits in length, if all of the leading zeros are present.)

IPv4 Exhaustion News: Another bumper day at APNIC

At APNIC, it seems to have been another fantastic day of handing out loads of IPv4 addresses to the Chinese – today a /10 (or about 4 million addresses) was allocated to China Mobile bringing the total APNIC address pool down to 1.4 /8s, from 1.66 /8s at the weekend, a whopping 0.26 /8s decrease in one day.

There is still rampant speculation on when ‘IANA IPv4 exhaustion day’ will be, since apparently it’s meant to be a secret – but my guess is still on 00:00 UTC+10 Tuesday 1 Feb (which is about 14:00 UK time Monday 31 Jan).  Can’t come soon enough for me…

IPv4 should be all gone, except that it isn’t…

Those of you that have been watching the various “IPv4 exhaustion sites” (including Geoff Huston’s Potaroo site and Stephan Lagerholm’s IPv4Depletion site, as well as the official graph page at APNIC) will know that IANA should have run out of IPv4 addresses last weekend, under normal circumstances.  However this hasn’t happened, and it appears that no-one has “pushed the button”, that is, the day when a RIR asks for the last 2 /8s available for allocation, and thereby triggering a distribution of the remaining 5 /8s one each to each of the Regional Internet Registries (RIRs).

According to comments made by people who should know, the reason this hasn’t happened is that someone, no idea whether IANA, APNIC, or IANA plus all the RIRs, wants to turn this into a massive PR stunt.  So it appears there is an exhaustion day, but it’s a secret.  And that irritates me.  It’s not as if IANA didn’t know this was coming, they could have had the press releases written months ago.

APNIC’s pool is getting lower by the day (at the time of writing this was 1.67 /8s, or 28,017,950 addresses), and the usual threshold for asking for more addresses is about 2.0 /8s.  There are a number of dates it could be, for example, there’s January 31st, Feb 14th, or even the ICANN meeting in March when it is rumoured that Bill Clinton will be coming to speak (but personally I don’t think they can last that long).  It could be today (except that today is a weekend).

I really just wish everyone would stop stalling for time and push the button to start Stage 2.  Whatever day or time it happens, the press are going to be all over it, there’s going to be mass panic in some quarters of the industry, and it wouldn’t surprise me if one or more ISPs or service providers disappear in the next year or two because they just weren’t ready in time and got caught out.  So let’s just push the button now, please IANA? (Well, okay, when you get up!)

IPv4 – The end is coming quicker than you think

Today the news was announced that IANA, the organisation ultimately responsible for allocating IPv4 addresses to the Internet community, has just allocated a further 4 blocks of /8 in one day.  Two of these went to ARIN, the Regional Internet Registry for North America, one went to AfriNIC, the RIR for the continent of Africa, and one to RIPE NCC, the RIR for Europe.

This means that we now have 7 blocks of /8 left out of a total of 256.  At the beginning of yesterday we had 11.  This basically cuts the total free IPv4 space remaining from 4.3% to 2.7%, a decrease of almost half.  Current estimates as of yesterday were predicting that the IPv4 address space would run out at the beginning of March, but with addresses being used so quickly, that might well be December or January.

So what happens now?  Well, as of now, there are 7 /8s left.  If a further two blocks of /8 are allocated, this leaves 5 remaining.  IANA policy is believed to be that when only 5 blocks of /8 are remaining, they will be distributed equally to each of the five RIRs – that is, ARIN, RIPE NCC, LACNIC, AfriNIC and APNIC.  If (as is likely) APNIC require one or more blocks (most probably because of China’s insatiable appetite for new addresses), this means we could be down to 5 /8s very quickly.  And at that point, the last five will be distributed evenly, and we will have run out at IANA, possibly before Christmas.

This begs the question – why is almost no-one ready for it?  Out of the “sticking plaster” options, Carrier Grade NAT is certainly one solution (that is, effectively NATing and/or PATing the NATs), but this only works so well until we run out of addresses *and* TCP/UDP ports, and it also means that we will be double, triple or even quadruple NATing our hosts.  This scuppers any chance of PAT (Port Address Translation) working unless all the NATs do the PAT, which is unlikely to be workable, especially when one or more of the NATs are being run by unprepared-for-IPv6 ISPs, and this means that no-one will successfully be able to run servers behind NAT.

So please, ISPs, please stop thinking about rolling out Carrier Grade NAT which will cost ££££££s and start rolling out IPv6 which will also cost ££££££s.  It will cost you less in the long run.  (But I doubt they’re going to listen to me, so if you don’t mind, I’ll just get my metaphorical IPv6-enabled deckchair and sit in it eating my metaphorical IPv6-enabled popcorn whilst watching the chaos ensue.  It really isn’t going to be pretty.)

At some point, the procrastinating ISPs (which currently seems to be all of them) will need to wake up.  Perhaps this will be when people can’t access Google, Facebook, YouTube, iPlayer, <insert popular new service here only available on v6>.  But I can pretty much guarantee the IPv6 roll out will be done in a rush and badly.  If only people had started thinking about this 5 years ago (like the ISP I use did…)