Gossip: blog.* now points to this blog...

Worry about IPv6?
August 22nd, 2010
Someone (tydel) made me aware of this article named Why you shouldn't worry about IPv6 just yet. I'd like to counter this article somewhat. I'll focus on the highlights.

Cassidy says that "According to these networking experts, we're only a matter of months, or maybe weeks, from network Armageddon". What you have to realize is that converting to IPv6 on the server side isn't the end of the migration. All your customers will have to move to IPv6 as well, and some will be left behind because some network owners are probably a bit lazy about doing a migration. So that means that if you want to run your business online, in order to get the full potential customer base you'll have to run IPv4 and IPv6 dual-stacked so that you can satisfy both, until everyone is speaking IPv6. And since IPv4 space is running out, an IPv4 address may be a lot more expensive than an IPv6 address due to scarcity. Eventually there may not be any more IPv4 addresses to give out, and this is the reason for the doomsday calls.

Cassidy goes on to say "In fact, IPv6 starts to look a lot like IPv2 if you consider that the default v6 address for your machine finishes with its MAC address". I'm unsure what he means to say here. Perhaps he's worried that a MAC address is a secret thing and that if you know the MAC address you can use a MAC-restricted access point? AFAIK an 802.11 packet, encrypted or not, still has 3 MAC addresses in its header (see /usr/src/sys/net80211/net80211.h), so these aren't secret to someone close enough to sniff the radio. So he has no point really.

Cassidy goes on to conclude in the second-to-last paragraph: "Is there an IPv6 "killer app" yet for smaller networks? No. Is there any reason based on security or ease of management - unless you're running a 100.000-seat network or national-level ISP - for you to move up to it? No." I think he's wrong there. Sure, there is no "killer app" unless you call Facebook a killer app (but Facebook runs on IPv4 as well).
But it's especially the small ISPs that could benefit from a migration to IPv6. National-level ISPs have huge resources and are out to compete with small ISPs and steal their customers, and IPv6 means independence from these large networks. It means that small ISPs keep their customers from switching to large ISPs that have IPv6 enabled. This is a bonus. Plus, being on a small ISP means that they give you something that the large ones don't, and not usually the opposite.

Stupid Nettricks
August 21st, 2010

On February 24th, 2009 I blogged about the traceroute tricks. Here is the link. I've updated this to include IPv6 now and I've written a small hackish program that does this as well. This took up 1.5 days of mine for a show such as this:

cordelia$ traceroute6 mimas.centroid.eu
traceroute6 to mimas.centroid.eu (2001:a60:f074::20) from 2001:a60:f074::1, 64 hops max, 12 byte packets
 1  xxx.hello.xxx.centroid.eu  1.066 ms  0.269 ms  0.378 ms
 2  xxx.why.xxx.centroid.eu  0.464 ms  0.503 ms  0.358 ms
 3  xxx.are.xxx.centroid.eu  0.614 ms  0.658 ms  0.897 ms
 4  xxx.you.xxx.centroid.eu  0.556 ms  0.361 ms  0.338 ms
 5  xxx.tracerouting6.xxx.centroid.eu  0.472 ms  0.499 ms  0.411 ms
 6  mimas.centroid.eu  0.3 ms  0.478 ms  0.318 ms
cordelia$

It's just vanity. It's a net-trick. Well, at least I didn't play Civilization and waste time. In the meantime I've learned about divert(4) sockets in OpenBSD and even submitted a documentation fix for pf.conf(5).

Random Hackepedia
August 14th, 2010
The RH for this week is One Way Hash.

Cryologd fixes a memory leak
August 10th, 2010
The program in cryologd with the name "cl" had a memory leak. It wasn't apparent when there was little data to process, but with lots of concatenated encrypted data, which it decrypts to plaintext, the memory leak was apparent. Two lines changed; here is the source.

Random Hackepedia
August 6th, 2010
The RH for this week is Uid.

SSL_accept error from host: -1
August 2nd, 2010
My dad has a Mac PowerBook (or MacBook or something) and I tried to make it work with my mail server. POP3 over SSL worked, but Postfix SSL for SASL-authenticated relay did not. I use a self-signed certificate and that was the problem. I couldn't paste the error message from Apple's Mail.app, but it said something like the remote host did not accept SSL. I wasn't about to try it without SSL because the password is sent in the clear then. The Postfix server gave this error message:
Aug 1 22:57:42 proteus postfix/smtpd[12251]: connect from p54AAB41C.dip.t-dialin.net[84.170.180.28]
Aug 1 22:57:42 proteus postfix/smtpd[12251]: SSL_accept error from p54AAB41C.dip.t-dialin.net[84.170.180.28]: -1
Aug 1 22:57:42 proteus postfix/smtpd[12251]: lost connection after STARTTLS from p54AAB41C.dip.t-dialin.net[84.170.180.28]

As a first diagnosis I tried the openssl s_client method to see if it could connect to my Postfix server, and it could, so it must have been in Apple Mail. Also, for self-assurance, it worked in Ubuntu and Windows 7, so why not in Mac OS X Leopard? So I did a bit of googling and learned that Apple's mail program did not accept the certificate given to it because the hostname in the certificate was wrong, and it just gave up (in the process blaming the server for giving up!). There is a way to force it though. I downloaded the server's CA certificate file, which has a .pem extension (this is not the private key!), and double-clicked on it in Mac OS X.

smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem

It then asks you if you want to import this certificate into the keychain manager, and from there you can tell the system to trust and allow this certificate everywhere. Soon after that I had to set the outgoing mail server again in Mail.app, but it worked this time and a few test e-mails made it out SSL-encrypted. I thought I'd write this down as I'm probably going to be faced with it again some time in the future.

Gossip: flavair.com has finally left my servers. Yay!

Random Hackepedia
July 16th, 2010
The RH for this week is Pid.

Watching the ISS
July 9th, 2010

The past few days in Germany have been hot, but the nights are cooler with mostly clear skies. This gave me an opportunity to see the ISS twice in the late evening (around 11 PM). Once it was unexpected and we weren't sure what it was. The second time I got the data from the NASA sightings page, which is found here. The space station looks like a flying jet, but you'll notice that it doesn't blink nor does it have red and green lights. It's just a continuous and steady crossing of the sky, mostly coming from the west towards the east. Without the moon and planets it's probably the brightest object in the sky as it zips at 28,000 km/h into the night. Anyhow, it was a nice experience seeing this (it was my first time).

Fire has SSL support
July 7th, 2010
Believe it or not, I have made an IRC client. It's called fire and I've coded SSL support into it yesterday and today. The SSL functionality seems to be stable; you can download the source code here.

Gossip: Planck telescope reveals ancient cosmic light

The Korean incident: tcpwrappers
July 3rd, 2010

I was checking my logs yesterday when I noticed that someone from an IP in Korea was trying to brute-force my POP3 daemon. I noticed after they got about 6000 attempts in. So I looked at wrapping them with tcpwrappers. The POP3 daemon on the outside of solarscale.de is Dovecot, and by default it doesn't have tcp wrappers support. But there is a patch. So I applied it and noticed that some hunks of the patch failed, particularly near the configure scripts, so I ended up editing config.h myself and added the define for tcp wrappers in it. Then I built it and noticed that it would bomb out in 2 spots; all it needed was an edit in the Makefile to add "-lwrap" to the LIBS= line. Then it built. When it was installed I noticed that my changes to /etc/hosts.{allow,deny} were not effective. So I did a bit of googling and read that Dovecot is chrooted. So it was just a matter of finding the chroot and putting its own hosts.deny in there. It worked. So now only a select number of hosts can use the POP3 service.
goldflipper% telnet solarscale.de 110
Trying 62.75.160.180...
Connected to solarscale.de.
Escape character is '^]'.
Connection closed by foreign host.

The patch is found here.
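To check a hosts.allow/hosts.deny rule set before relying on it, here is a small model of the decision libwrap makes for a (daemon, client) pair, written in the same order the library uses (allow file first, then deny file, otherwise granted). This is an added example and is not code from the post, from tcpwrappers or from Dovecot; the sample rules, the client addresses and the chroot path /srv/chroot/dovecot are constructed placeholders, not the author's real configuration. The control_files helper makes the chroot gotcha from the post explicit: libwrap opens the two control files relative to the root directory the daemon sees, so a chrooted daemon needs its own copies.

```python
"""Model of the hosts_access(5) decision made by libwrap (tcpwrappers).

Added example, not code from the post or from Dovecot. It evaluates a
(daemon, client) pair against hosts.allow / hosts.deny text in the order
libwrap uses, and shows why a chrooted daemon needs its own copies of the
control files: libwrap opens /etc/hosts.allow and /etc/hosts.deny relative
to the root directory the daemon sees.
"""
import ipaddress
import posixpath

ALLOW_FILE = "/etc/hosts.allow"
DENY_FILE = "/etc/hosts.deny"


def control_files(chroot="/"):
    """Paths libwrap actually opens for a daemon running under `chroot`."""
    return (posixpath.join(chroot, ALLOW_FILE.lstrip("/")),
            posixpath.join(chroot, DENY_FILE.lstrip("/")))


def _client_matches(token, host, addr):
    """One client pattern from hosts_access(5) against (hostname, address)."""
    if token == "ALL":
        return True
    if token.startswith("."):            # ".centroid.eu": hostname suffix
        return host is not None and host.endswith(token)
    if token.endswith("."):              # "192.168.1.": address prefix
        return addr.startswith(token)
    if "/" in token:                     # "net/mask", e.g. 10.0.0.0/255.0.0.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(token, strict=False)
    return token in (host, addr)         # literal hostname or address


def _list_matches(tokens, match):
    """A daemon or client list; 'a EXCEPT b' means a matches and b does not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_list_matches(tokens[:i], match)
                and not _list_matches(tokens[i + 1:], match))
    return any(match(t) for t in tokens)


def _file_matches(text, daemon, host, addr):
    """True if any 'daemon_list : client_list' line in `text` matches."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        if (_list_matches(daemons, lambda t: t in ("ALL", daemon))
                and _list_matches(clients, lambda t: _client_matches(t, host, addr))):
            return True
    return False


def hosts_access(daemon, addr, allow_text, deny_text, host=None):
    """libwrap order: a hosts.allow match grants, then a hosts.deny match
    refuses, and a client matching neither file is granted access."""
    if _file_matches(allow_text, daemon, host, addr):
        return True
    if _file_matches(deny_text, daemon, host, addr):
        return False
    return True


# Constructed sample rule set for the demonstration (not the post's real rules).
SAMPLE_ALLOW = """\
pop3: 127.0.0.1, .centroid.eu
pop3: 192.168.1. EXCEPT 192.168.1.66
"""
SAMPLE_DENY = """\
pop3: ALL                      # everyone not listed above is refused
sshd: 10.0.0.0/255.0.0.0       # net/mask form
"""


def decide(daemon, addr, host=None):
    """Evaluate one client against the sample rule set."""
    return hosts_access(daemon, addr, SAMPLE_ALLOW, SAMPLE_DENY, host)


if __name__ == "__main__":
    # A chrooted Dovecot reads these, not /etc/hosts.{allow,deny}.
    # "/srv/chroot/dovecot" is a placeholder path for the demonstration.
    print(control_files("/srv/chroot/dovecot"))
    for daemon, addr, host in [("pop3", "192.168.1.20", None),
                               ("pop3", "192.168.1.66", None),
                               ("pop3", "203.0.113.7", None),
                               ("pop3", "203.0.113.7", "mail.centroid.eu"),
                               ("sshd", "10.1.2.3", None)]:
        print(daemon, addr, host, "->", "allow" if decide(daemon, addr, host) else "deny")
```

The model covers ALL, hostname suffixes, address prefixes, net/mask and EXCEPT, which is enough to reason about a rule set like the one in the post; real libwrap also knows LOCAL, KNOWN/UNKNOWN/PARANOID, user@host and shell commands, which are left out. Note that hostname patterns only work when the reverse lookup of the client succeeds, so address-based rules are the more dependable way to lock a service down to a few hosts.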
Have feedback?
Send mail to pjp [at] centroid [dot] eu