January 2013 archive

10 Updated Internet-Drafts Related to IPv6 Security

Fernando Gont of SI6 Networks has been a VERY busy man lately!  He and his colleagues and co-authors have recently updated a whole host of Internet-Drafts related to IPv6 security.  In a post to the full-disclosure mailing list, Fernando provided his list that includes:

Network Reconnaissance in IPv6 Networks

Security Implications of IPv6 on IPv4 Networks

Virtual Private Network (VPN) traffic leakages in dual-stack
hosts/ networks

Security Assessment of Neighbor Discovery (ND) for IPv6

DHCPv6-Shield: Protecting Against Rogue DHCPv6 Servers

Security Implications of IPv6 Fragmentation with IPv6
Neighbor Discovery

Security Implications of IPv6 options of Type 10xxxxxx

Security Implications of Predictable Fragment

Processing of IPv6 “atomic” fragments

Recommendations on filtering of IPv4 packets containing IPv4 options

Some of these are broader documents while some dive deep into specific issues or solutions.  Altogether they do represent a great amount of work on IPv6 security issues, which is excellent and definitely needed as we continue to move to using more and more IPv6 in our networks.

Thanks to Fernando and the others involved in the work for getting these updated drafts out.  If you have any comments on these drafts, I know that Fernando is always looking for feedback – his email address and contact info in Argentina can be found at the end of any of the drafts.

PowerDNS Releases Version 3.2 With Increased DNSSEC Support

Congratulations to Bert Hubert and the rest of the team at PowerDNS for their release 3.2 last Thursday that, if you scroll down through the release announcement and changelog is pretty much mostly about improvements to their already strong DNSSEC support!  The list of changes and improvements is rather impressive.

In speaking with Bert last week, he said the team there views DNSSEC as basically “done” now for the authoritative server end and is now moving to focus on what they can do to make DNSSEC easier for deployment in DNS resolvers.  We’re looking forward to seeing what the team does there.

Meanwhile, if you are a PowerDNS user, the new release will give you even more DNSSEC power… time to upgrade!

FIR #687 – 1/21/13 – For Immediate Release

Latest Edelman Trust Barometer released; interview update; Quick News: CEO online sociability has doubled, Starbucks says seismic consumer behavior changes are linked to technology, court rules against news agencies that used photos posted to Twitter, what marketers should learn from Lance Armstrong; Ragan promo; News That Fits: Tesco and the horsemeat kerfuffle, Dan York's report, big trouble in mainstream media, Media Monitoring Minute from CustomScoop, listener comments; Barclays CEO lays it on the line for employees, brands a personal responsibility are trumping politics; music from All Mighty Whispers; and more.

Report: Routing Resiliency Measurements – Where We Are And What Needs To Be Done

What are the actual frequency of routing security incidents? And what are the operational and economic impacts of such security incidents?

We all know that “routing security” incidents happen, but it’s hard to get a grasp on exactly what the situation is.  To that end, our colleagues in the Internet Society Standards and Technology team organized a “Routing Resiliency Measurements Workshop” in November 2012 to bring together participants from network operators, research labs, universities and vendors to explore what we can measure now – and what we need to do to start collecting more accurate measurements.  The team has now published a report:

and our colleague Andrei Robachevsky has published some observations about the workshop.  As Andrei notes, the point of the workshop was to address three main questions:

  1. What level of attack has there been in the past – to what extent do security incidents happen, but go unnoticed, or get dealt with inside a single network, possibly introducing collateral damage?
  2. Are the number and impact of service disruptions and malicious activity stable, increasing, or decreasing?
  3. Can we understand why, and track it collectively?

The report goes into some detail on what was discussed in the workshop and some of the approaches that were outlined.  As Andrei relays in his post, the workshop didn’t magically produce answers to all these questions… but it did lay the foundation for where more work needs to occur.

As we open up the new topic area of Routing Resiliency / Security here on Deploy360, we intend to bring you more information from workshops such as these… and ultimately more of the solutions and best operational practices that can lead to a more resilient and secure Internet.


cPanel To Add IPv6 Support in 2013

Good news for the many people out there using cPanel to configure their hosted website… IPv6 support is coming this year. In a post titled “IPv6 Implementation Update” they state:

Much like Y2K, this issue requires a proactive solution rather than a reactive response. That is why cPanel has been working diligently on research and analysis to incorporate IPv6 support into our products. In 2013 we will begin to deliver features that support IPv6.

As some of you may already know, IPv6 is much more than just a change in the addressing scheme. However, given the urgency of supporting IPv6 addressing, we will first focus on allowing you to manage manually assigned IPv6 addresses at least as well as you can currently manage IPv4 addresses in cPanel & WHM. We also look forward to supporting IPv6 addresses on NSD, MyDNS and BIND (for DNS functionality), Apache (for website functionality), cPanel & WHM and its related services, and the various mail services we support. Additional services will be made IPv6-capable as deemed fit. The level of support cPanel will provide for IPv6 will provide functionality needed for serving web content.

Given the large usage of cPanel among web hosting providers it is great to see that this support for IPv6 will be added to the software.  The cPanel article encouraged people to join in the IPv6-related discussion happening in the Feature Requests area of their website.  It’s interesting to read there already the comments of people who have not implemented cPanel (or have chosen different hosting providers who don’t use cPanel) because of its lack of IPv6 support.

Facebook Rolls Out Free Voice Calls In The US On iOS – A Quick Walkthrough And A Big, Huge Caveat

Facebook voice 1Facebook today rolled out it's free voice calling in the US via its Messenger app for iOS (iPhone/iPad). The Verge was the first I saw with the news and a great number of sites are now following.

Voice calling through Facebook has the potential to be hugely disruptive... rather than calling on your phone over your regular phone connection - or even rather than using Skype, you can just call from directly within Facebook. This is the kind of "Over-The-Top (OTT)" app that gives telco operators a fit... goodbye, telco voice minutes!

Plus, it's using some HD voice codec so the sound quality is outstanding.

And since the folks at Facebook want you to live your life inside of their very pretty walls, this just provides yet one more reason for you to stay within those walls.

BUT... there's a big huge caveat that I'll get to in a moment.

A Quick Walkthrough

First, though, let's look at how it works. When you go into the Messenger app and open a chat with a friend (in this case, Jim Courtney), all you have to do is click the "i" button in the upper right:

Facebook voice 2

After you do that you will get a window that I showed at the beginning of an article where you have a "Free Call" button.

Facebook voice 10

When you press that, you begin a call experience very similar to any other call on your iPhone. First you are connecting to the other person and then you are in the actual call:

Facebook voice 3 Facebook voice4

There is apparently the standard accept and decline buttons. (I neglected to have Jim call me back to get a screenshot.) While you are in the call you have a button to hang up, a speakerphone button and a microphone mute button. The last button is very nice in that it lets you remain in the call while using other features of your iPhone. In these two screenshots you can see that I could access our Messenger chat and also go back to my main iPhone screen to launch other applications. I can always tap the bar at the top to return to Messenger and the controls to our voice conversation:

Facebook voice 5 Facebook voice 6

The voice quality during the conversation was outstanding. It was crystal clear and rich enough that we knew it was some kind of HD voice codec being used.

All in all it was an excellent experience.

The Big, Huge Caveat

So what's the problem? Well... the reality is that right now trying to find someone to call is a struggle!

Going down through my contacts in the Messenger app was an exercise in futility. Person after person after person had the "Free Call" button greyed out:

Facebook voice 9

Here's the fundamental problem:

You must be running the MESSENGER app on your iPhone!

It doesn't matter if you are running the Facebook application on your iPhone... you must be running Messenger.

And bizarrely there is no linkage between the two applications. If I am over in the Facebook application and go into a chat with Jim Courtney, notice that I have only the ability to "View Timeline":

Facebook voice 11

And of course you must have an iPhone or iPad. If you have an Android device or some other device you are out of luck right now.

So the only people you can use this with are other people running Messenger on iOS.

Presumably Facebook is assuming people will just keep Messenger running... but I know that I, for one, try to limit the number of apps I keep running on my iPhone for battery life reasons.

More fundamentally, I never have used the Messenger app for chatting with other friends in Facebook. The Facebook app already provides the ability to chat... so why would I use the Messenger app? (And I know Facebook focuses on the speed that you can get to sending messages... but that's not critical for me.)

Potential For Disruption?

Now if Facebook gets their act together and makes this more intuitive and ubiquitous, the potential is there for more serious disruption. If it can be integrated into the main Facebook app... and can work for Android as well as iOS... and can work for people outside the US and Canada... THEN we might see more people shifting voice calls over into Facebook's voice service.

The potential is certainly huge, given Facebook's massive size.

Until then... it's an interesting option to have available... but I just don't see many people using it.

What About The Technology Behind It?

My other natural question was to wonder what they are using for the technology behind their voice service. As The Verge pointed out, Facebook and Skype have had a partnership to deliver video calling within Facebook's website. Could this be another component of that partnership? Is it a partnership with another VoIP provider? Is it something homegrown?

For now, I haven't seen any details that help explain that, but I'll certainly be watching to see what we can learn.

UPDATE: A tweet from Aswath Rao pointed me to a TechCrunch article from earlier this month when Facebook rolled out free voice calling in Canada that indicates that the technology is NOT from Skype. Separately I asked a Skype representative if Skype was involved in today's rollout and received the simple answer of "no".

If you found this post interesting or useful, please consider either:

Playing Google’s Zamboni Game/Doodle… Over IPv6!

Okay, maybe it’s a small thing, but I have to admit that when I wound up on Google’s home page today to try out their “Zamboni doodle” celebrating the 112th birthday of Frank Zamboni, I don’t know which I found cooler… the game itself, or the fact that I was getting to it entirely over IPv6:

(Address bar IPv6 info courtesy of the IPvFoo extension for Google Chrome.)

Just another moment when I’m glad that Google’s websites are accessible via IPv6!  As a web developer, too, I had to know: is this Zamboni game done entirely in JavaScript?  A StackExchange answer says that it is, which is fascinating.

P.S. And yes, that was as high as I let my score go… the Zamboni looks like it could be an enormous time-suck, and I do have some writing that needs to be done!

Are You A Redditor? Subscribe To The IPv6 Subreddit

Are you are redditor?  Is Reddit one of your main sources of information, news and links?  If so, have you checked out the IPv6 “subreddit”?  It is at:


and currently has close to 4,000 readers subscribed to it. I’ve found it a useful place for both finding new links and stories and also for some interesting discussions related to those stories.  If you’re a reddit user, do check it out!

P.S. And if you’re not a reddit user, there are many other places where IPv6 is discussed on other services.

FIR #686 – 1/14/13 – For Immediate Release

Math correction; new outro from Donna Papacosta; PRCA interview coming; Quick News: LinkedIn the preferred recruiter's tool, brand sites remain important, the end of regret-the-error as we know it, a look at Betterific; Ragan promo; News That Fits: PR's move into paid content, Dan York's report, customer service in social media age, Media Monitoring Minute from CustomScoop, listener comments, social networking adopted on intranets, Michael Netzley's Asia report, UK ambassadors and FCO staff are blogging; how to comment; music from Human Face; and more.

Tech Matters: Big Changes In The IPv6 Landscape

World IPv6 Launch logoWhat kind of growth did we see for IPv6 in 2012?  What did we see in terms of adoption of IPv6 within various industries?  Yesterday our colleague Phil Roberts outlined his view on the “Big Changes In The IPv6 Landscape in 2012“. Phil  wrote about many of the changes that happened over 2012, particularly with World IPv6 Launch in June.  Here are some of the major developments he saw:

Today, ten percent of the Alexa Top 1000 websites are now enabled with IPv6 and large access networks have enabled IPv6 for their end users, according to measurements we made for World IPv6 Launch.

Four of the five largest websites in the world – Google, Facebook, YouTube, Yahoo!, and Wikipedia – all serve IPv6 from their main websites today. In addition, content distribution networks like Limelight and Akamai are providing services to their customers to enable IPv6 hosted content, and hosting companies are making it possible for hosted websites to use IPv6 as well. The three largest web-hosting companies in Germany serve IPv6 for all their hosted websites.

Also at the end of 2012, there were significant deployments in access networks. AT&T, Verizon Wireless, and Comcast in North America, RCS&RDS in Romania, CTC and Softbank in Japan, XS4ALL in the Netherlands, Swisscom in Switzerland, DT in Germany, and Internode in Australia all began enabling IPv6 for their end users, all without the end users needing to configure anything in their networks, and in fact, probably, most not even knowing they are using IPv6.

All of which is excellent news!  Phil goes on to talk about Google’s measurement of over 1% of their traffic coming in over IPv6 and also the World IPv6 Launch measurements site that contains links to a variety of the sites measuring IPv6 traffic on an ongoing basis.

2012 was a great year for IPv6 – and now it’s time to continue building on that momentum.  Have you deployed IPv6 yet for your network(s)? Is your website accessible over IPv6?  Are your DNS entries available over IPv6?

If not… how can we help you?  Check out our basic IPv6 information or our list of IPv6 resources to get started.  And if you can’t find what you are looking for, please let us know and we’ll be glad to help you.

Let’s make 2013 and even better year for IPv6!