Another way to look at IPv6 address space

When talking about the huge capacity of IPv6 address space, people tend to describe it in a static way like the address space is large enough to assign an IPv6 address to every sand particle or every single leave on earth. In my view, this is conceptually not correct since sand particles and leaf do not need to use TCP/IP for communications.

I like to try to think of it in a dynamic way. If 1 million /64 subnets are assigned to people or electronic devices every second, then it would take 584,942 years to make the address space completely exhausted ((2 ^64 / (365*24*3600*10^6)). This is longer than the history of human civilization. Will IPv6 addresses be completely exhausted ? No way, no need to worry.

ZSK rollover in Top Level Domains

I am getting confused about the timing of ZSK rollover in Top Level Domain. In the course of ZSK rollover in TLD, all the DS records submitted by child zones will be re-signed and thus the workload is large. Here below is my observation:

com. – 1 weeks
org. – 3 weeks
asia. – 3 weeks
my. – 3 months
th. – 1 week

I can not locate any RFC related to this technical aspect. Intuitively, from a security angle, I incline to think 3 months is too long while 1 week ZSK will introduce heavy workload on the name servers. I tend to think 3 – 4 weeks is the best option.

Assignment of two IPv6 addresses

Starbuck is my favourite coffee shop. So I like to assign this IPv6 address to Starbuck website -  2001::cafe:c0ff:ee.

Likewise, if a supermarket sells poor quality beef to customers, I have no choice but to assign this IPv6 address to the supermarket - 2001::bad:beef

ipod battery

My 60G ipod was fully charged about 6 months ago.  Afterwards, I did not use it until yesterday.  Surprise, when I turned it on, the battery status remained fully charged, no leakage at all.  What kind of battery is Apple using for its ipod, ipad and iphone series.   What I know is that it is lithium-based battery with no memory effect.  I have no idea that the battery's charged capacity will not leak even for a certain  period of time.

Good news after World IPv6 Day

Finally, there is a good news from ISOC after the eventful World IPv6 Day.  ISOC has announced that roughly about 2/3 of participating organizations decided to leave their content on IPv6 instead of turning IPv6 off.  This is quite understandable.  The problem of brokenness is very insignificant or even undetectable.  Despite this, I am eager waiting for the reports of Facebook, Google, and Yahoo or ISOC to  summarize the captured statistics.

APNIC’s new logo is fantastic

APNIC’s new logo is fantastically designed. In the capital words APNIC, AP are bolded which reflects its role as a Regional Internet Registry for the Asia Pacific Region.  The bracket means it is embracing the worldwide Internet community and the the two colons ( :: ) inside the bracket highlight that APNIC is fully committed to IPv6 adoption.

Well-done, APNIC.

Chromebook disappointed me totally

Google has announced the release of Chromebook at US$499. No, this is totally not attractive. My expectation is that Chromebook should be sold below US$300.

Chromebook is no more than a thin client with the difference that the underlying OS is the Chrome browser. There might be arguments that it offers the benefits of fast boot-up (in a matter of less than 10 seconds), longer battery use, and better security (no virus software, sandboxing approach to protect end users). But are these benefits justified for the high cost ?  I would rather add some money buy an ipad2 (US$629) or Android 3.0 tablet which offer me more functionalities, applications and computing powers.

Windows 7 handling RA and RDNSS

My last blog posted touched on IPv6 RA with RDNSS and I like to thank my reader Revellion for reminding me that Windows 7 machines do not support RDNSS in RA.


Actually, I had some experience on a different scenario. During APRICOT-APAN 2011, I used a IPv6 only network and the v6 address assigned to my Window 7 machine was quite like auto-configuration but there was the assignment of v6 DNS resolvers. I was mindful that Windows 7 could not support RA with RDNSS and the question was where come the assignment of v6 DNS resolvers. The answer was that the network was using a DHCPv6 to assign DNS resolvers while there was a RADVD to accomplish the task of auto-config IPv6 address for clients. Up to this point, I should fire a bullet at Microsoft for not releasing patches to make RA working with RDNSS. This would save the unnecessary provision of a DHCPv6 server.


Luckily, I still keep a picture of the configuration for reference which is posted  below. 

RFC 6106 - IPv6 Router Advertisement Options for DNS Configuration

RFC 6106 has become my best favorite RFC in the last 12 months. Four years ago, when I first learnt IPv6, I knew for sure that Stateless Automatic Address Configuration can assign IPv6 addresses to clients but what about the assignment of DNS resolvers. Without DNS resolvers, SLACC is useless as no one can remember IPv6 addresses. RFC 6106 helps to strengthen the capability of SLACC by allowing DNS configuration.

In Linux, RADVD can have fully function of SLACC plus RDNSS. Just look at the following few lines in the config file :


interface name {

          list of interface specific options
          list of prefix definitions
          list of clients (IPv6 addresses) to advertise to
          list of route definitions
          list of RDNSS definitions
};

RDNSS ip [ip] [ip] {
     list of rdnss specific options
};

Just wonder if I have the time to configue one set of RADVD with RDNSS and then test the allocation of prefix and DNS resolvers to Windows 7 machines.

Kidney for an ipad2

In China, a 17-year student sold his kidney for an ipad2.  The news and interview can be found in the URLhttp://www.wupia.com/2011/06/a-high-school-student-in-china-sold-his-kidney-for-an-ipad-2/
Apple will definitely release  ipad 3, ipad 4, ipad 5 and so  on.  I am  afraid that after two more rounds, the 17-year  student has no more internal  organs to sell.
My dear Almighty God, please tell me the meaning  and value of life. Can human beings trade their  internal organs with electronic  devices ?

Which iOS supports IPv6

On World IPv6 Day, some friends and I  had discussion about which iPhone OS (iOS) supports IPv6.  In fact, iOS 4.1 has IPv6 support but due to the lack of privacy-enabled address, the use of  iOS 4.1 in IPv6 environment is risky and the users can be tracked through the EUI-64 bit identifier.  iOS 4.3 has privacy address enabled by default.  Hence, it is only logical and sensible to claim iOS 4.3 fully supports IPv6.

Can readers please correct me if I am wrong.  Thank you.

World IPv6 Day is over, what’s next ?

Now that World IPv6 Day is over, it has proven that the problem of brokenness is insignificant or even undetectable.  What comes next ?  We are eagerly waiting for Facebook, Google and Yahoo to publicly announce that they will enable IPv6 access their web content on a permanent basis on par with IPv4.  It would be the most eye-catching news if the three billion-hit web conglomerates join hands and make the announcement together.

Then comes to the action of ICANN.  With biggest content providers supporting IPv6, what strategies ICANN should adopt in order to motivate service providers and CPE vendors to move to IPv6 as quickly as possible.  ICANN should seize this golden opportunity to put pressure to ISPs and CPE vendors quoting the success of W6D.

LISP Reliability Issue

Facebook adopts LISP which necessitates the use of three routers to connect from IPv6 Internet to Facebook's existing IPv4 platforms. The three routers are namely; Egress Tunnel Router (ETR), Exchange Tunnel Router (XTR) and Ingress Tunnel Router (ITR). Readers may refer to my earlier blog post at URL

http://warrenkwok.blogspot.com/2011/05/facebook-adopts-lisp-to-roll-out-ipv6.html

There is a degradation in reliability as compared to a single router. Assuming each of the three routers has a reliability of 99.9 %, if cascaded together, the overall reliability of the routing system drops to 99.7 %. The down time will be increased from 8.76 hours to 26.28 hours in a year.

Can Facebook and other early LISP adopters accept the degradation ?

No IE9 for Windows XP

My son wanted to use IE9 on his Windows XP desktop PC. I told him that this could not be done.

Isn't it fair ? Microsoft does not offer IE 9 for XP. I have tried IE9 on Windows 7. It is fast and has a good performance in loading grpahics and gives a very streamlined operation in tabbed browsing.

Frankly, we do not have many choice. IE 8 is buggy. Firefox now only gets bigger but also gets slower. Chrome has a cache problem especially when I post comments on other people's status on facebook. I urge Microsoft to re-consider developing an IE 9 version for current XP users.

Absolutey amazing. All big content providers and organisations are on IPv6 today.

Absolutey amazing. All big content providers and organisations are on IPv6 today. This is something I have never seen in my life.  I like to record this moment in the history of human networked information society.

[warren@dnssec ~]# dig aaaa www.facebook.com +short
2620:0:1c18:0:face:b00c:0:3
[warren@dnssec ~]# dig aaaa www.google.com +short
http://www.l.google.com/.
2404:6800:8002::69
[warren@dnssec ~]# dig aaaa www.yahoo.com +short
fpfd.wa1.b.yahoo.com.
2001:4998:f011:1fe::3000
2001:4998:f011:1fe::3001
[warren@dnssec ~]# dig aaaa www.bing.com +short
ipv6.search.ms.com.edgesuite.net.
a1877.dscb.akamai.net.
2600:140e:3::3cfe:af33
2600:140e:3::3cfe:af38
[warren@dnssec ~]# dig aaaa www.xbox.com +short
http://www.gtm.xbox.com/.
msxbwsd.vo.llnwd.net.
2402:6800:720:11:230:48ff:fe8d:aa6e
2402:6800:720:11:230:48ff:fe8d:a992
[warren@dnssec ~]# dig aaaa www.cisco.com +short
v6day.cisco.com.akadns.net.
geo-v6day.cisco.com.akadns.net.
cisco-redir.v6day.akadns.net.
cisco.v6day.akadns.net.
2001:420:80:1:c:15c0:d06:f00d
[warren@dnssec ~]# dig aaaa www.youtube.com +short
youtube-ui.l.google.com.
2404:6800:8002::5b

web-based v6 email autoreply tool

My v6 email autoreply tool has been working since Feb 2010.  Network administrators can use an email client to send an email to autoreply@v6-mail.com and my system v6-mail.com will initiate an autoreply process to test if the v6 SMTP server can handle v6 email transactions properly.

Based on my past experience, I have further developed a web-based tool with similar function at http://www.v6-mail.com/. The website is accessible by IPv6 only.  Visitors can type the v6 email address  under test together with their  names, subject and the message content.  Afterward, they have to type an verification code displayed in the screen to prove that the visitors are not automated scripts.  Once the send button is kicked, they will receive an v6 autoreply email.

I should have developed this tool a bit earler. Sorry for my laziness.

Failed the test as a Hong Kong IPv6 website

I tried to submit my v6 website http://www.diaryking.com/ to IPv6World.Asia as a Hong Kong v6-enabled website.  The test failed and my submission was rejeced.

The reason was that the ping rtt time was about 290 msec from a Hong Kong v6 node and the acceptance criterion is to have rtt < 10 msec.  The site rides on a overseas proxy somewhere in Netherlands. 

I have no bad feeling at all.  The accepting criterion is fair and reasonable.

Enable v6 access by web proxy approach

The website below help v4 website owners to make their sites accessible by IPv6.

http://ipv6proxy.prolocation.net/

This is a web proxy approach. A website only has to enable AAAA record pointing to the v6 leg of the proxy server which is 2a00:d00:ff:131:94:228:131:131. When the proxy receives the http headers, it knows the domains name and can get the web content from v4 network and pass to the v6 visiting clients.

However, there are some limitations. No doubt end-to-end connectivity is broken so I can readily imagine that HTTPS and VPN can not be supported.

CUHK opens its v6 Stratum 2 NTP Server for public

In our department, we have some equipment that are not dual-stack and they ride on IPv6 only.  It is hard to provide a good system clock to these system since there is not yet an authoritative NTP server.  I just learn that CUHK has released its v6 Stratum 2 NTP Server (ntp.cuhk.edu.hk)  for public use.  Thanks to Cheng Chee-hoo of CUHK.

The Hong Kong Observatory will provide its v6 NTP Server by the end of 2011.  For the time being, I still have to use the one offered by CUHK.


[warren@dnssec ~]# /usr/sbin/ntpdate -6 ntp.cuhk.edu.hk
 3 Jun 21:09:58 ntpdate[31742]: adjust time server 2405:3000:3:b0:137:189:11:149 offset 0.008007 sec
[warren@dnssec ~]# /usr/sbin/ntpdate -6 ntp.cuhk.edu.hk
 3 Jun 21:09:59 ntpdate[31743]: adjust time server 2405:3000:3:b0:137:189:11:149 offset 0.007619 sec
[warren@dnssec ~]# /usr/sbin/ntpdate -6 ntp.cuhk.edu.hk
 3 Jun 21:09:59 ntpdate[31744]: adjust time server 2405:3000:3:b0:137:189:11:149 offset 0.007238 sec
[warren@dnssec ~]# /usr/sbin/ntpdate -6 ntp.cuhk.edu.hk
 3 Jun 21:10:00 ntpdate[31745]: adjust time server 2405:3000:3:b0:137:189:11:149 offset 0.006820 sec
[warren@dnssec ~]# /usr/sbin/ntpdate -6 ntp.cuhk.edu.hk
 3 Jun 21:10:02 ntpdate[31751]: adjust time server 2405:3000:3:b0:137:189:11:149 offset 0.005666 sec
[warren@dnssec ~]#

What benefits of IPv6 apart from large address space and elimination of NAT

Tomorrow, I will have a talk about IPv6 to be delivered to the technological community in Hong Kong Science Park.  One of the item touches on other benefits of IPv6 other than large address space and elimination of NAT.  I purposely scrap IPSEC. I have not seen or heard any practical application of IPSEC on IPv6.  The second to discard is flow label in header. This can be interpreted as QoS but as of today no all routers and devices can support flow label.  It is just there for future applications.

In my view, the benefit lies in efficient header removing a lot of out-dated fields  and optional messages can be packed in the form of extension headers.  On addressing, the hierarchal addressing scheme enables each ISP to simply advertises a  clean and lean /32 prefix.  Hence the size of the global routing table can be reduced which should  boost speed and performance of routers. The last I want to mention is path MTU discovery.  In IPv6, routers are not allowed to perform fragmentation and only the source and destination use path MTU to determine the maximum packet size.  This again reduces unnecessary workload to routers.  All these three distinctive features taken together sustain the claim that IPv6 is faster than IPv4 intrinsically.


The protocol IPv6 is a boring thing.  Frankly, I have no confidence to turn it into something interesting !

SOA minimum to deal with the large number of queries for AAAA record for a website which only runs on IPv4

A DNS administrator set the SOA minimum to 1 minutes for a popular domain which only runs IPv4. The result is that there is constantly a large number of queries for AAAA record throughout the day and the two set of authoritative name servers are becoming slow. These queries come from dual-stack Windows 7 and MAC PCs which always ask for AAAA record before A record when accessing a website. In the absence of AAAA record, the authoritative name servers will reply no such record (NXDOMAIN) and the negative cache period of NXDOMAIN in those querying resolvers is defined by SOA minimum (60 seconds) . After 60 seconds, any query for the domain in resolvers will lookup for AAAA record again.

It is important to set the SOA minimum to a higher value like 1 hour (3600 sec) for protecting the authoritative name servers from overloading. As more and more users change to use Windows 7, the DNS traffic for asking non-existing AAAA record will boost. All DNS administrators have a role to play for the smooth and steady operations of the Internet.