Dan York

Just a guy in Vermont trying to connect all the dots...

Author's posts

Looking for IPv6 Training or Courseware? Check Out RIPE NCC’s Offerings

Interested in taking training classes about IPv6? Looking for IPv6-related courseware? Or IPv6 exercises you can use in your own training classes?

As we’ve now noted in our resource directory, RIPE NCC, the Regional Internet Registry (RIR) for the European region, offers an IPv6 training course available to RIPE NCC members – and offers IPv6 courseware available to all.

You can see the outline for the RIPE NCC IPv6 training class at:

https://www.ripe.net/lir-services/training/courses/ipv6

RIPE NCC members can attend any of their upcoming courses happening throughout the region.

If you are NOT a member of the RIPE NCC, their IPv6 training courseware is available to all for free at:

https://www.ripe.net/lir-services/training/material/ripe-ncc-training-material/#IPV6

The slides they use are there and are updated periodically. They also provide a number of exercise worksheets that can be used in training classes as well as a very handy IPv6 Subnetting Card and a very useful guide on “Preparing an IPv6 Addressing Plan.”

Additionally, RIPE NCC provides an e-learning page with a few video case studies relating to IPv6 as well as a list of other IPv6-related resources.

Check it all out… and we greatly appreciate RIPE NCC making their material available to all!

Nic.at Publishes DNSSEC Report With .AT Statistics, Info

This month the folks at Nic.at, the Austrian registry, published an interesting “.at report” that was entirely devoted to DNSSEC and was full of statistics and charts.

The driver for this focused report was the DNSSEC signing of the .at domain on February 29, 2012. This report, one of a series of regular reports from nic.at, first discusses the signing of the .at domain and provides some global statistics about DNSSEC adoption.

The report then covers some stats about DNSSEC implementation at domain name registrars supporting .AT domains, which show there is definitely room for growth. Only 14 .AT registrars currently support DNSSEC… but that to me is actually good news because there are no .AT registrars listed on either our Deploy360 list of DNSSEC registrars or ICANN’s list – so obviously it sounds like there are a few more registrars we can add!

I found one set of statistics about registrar plans of interest, in part for the interesting difference between two of the questions:

DNSSEC statistics

Here 51% believe that DNSSEC will prevail as an additional security measure… but only 23% viewed DNSSEC as significant for them as a registrar. (I would say some education is necessary there, eh?)

Also, only 15% have received customer requests about DNSSEC. (Clearly, we as consumers need to be contacting registrars – and encouraging people we know to contact registrars – to increase this percentage!)

I also found the question about whether DNSSEC was a paid option or not to be intriguing:

There is a rather different approach of the six questioned .at-registrars that offer DNSSEC-compliant nameserver services: half of them charge fees, one registrar actively promotes DNSSEC without additional fees, and one third offers DNSSEC for free without any active promotion.

It will be interesting to see over time how these different business models continue. I appreciated the fact that Nic.at’s partner list has a “Partner Search” tab where you can check a box for “supports DNSSEC” to see only the DNSSEC-enabled registrars. Unfortunately in a very brief scan of the actual partner sites I couldn’t find mentions of DNSSEC in their web pages… but I didn’t do a very deep look.

The report goes on to provide a timeline for the .AT signing and some other information and interviews.  Nic.at also provides a couple of sections of their site related to DNSSEC:

Congratulations to the Nic.at team for the signing of the .AT zone and it’s great to see a focused newsletter like this helping educate people about what is going on with DNSSEC. It will be great to see the growth of signed .AT domains as this word gets out and as more registrars support DNSSEC and make it easier for domain name holders to sign their domains.

 


T-Mobile Completes IPv6 Deployment on US Network

In an email message on Monday, T-Mobile’s Cameron Byrne let people interested in IPv6 know that IPv6 deployment was now complete on T-Mobile’s U.S. network:

Folks,

The IPv6 network deployment is now complete, with a few outstanding service caveats (MMS is still an issue, …) that we will continue to work on.

We will no longer be doing any white listing since all T-Mobile customers in all of T-Mobile’s coverage area can now access the APN epc.tmobile.com using IPv6 PDP on phones that work with IPv6.

Regarding phones that work with IPv6, we are continuing to push the manufacturers to support IPv6, and we are seeing some positive signs as Android 4.0 updates are now being tested with IPv6.

In the meantime, the Samsung Galaxy Nexus (UMTS) remains the best bet for what is available now.

The news spread through the tech world yesterday in large part through an ExtremeTech article, “IPv6 now deployed across entire T-Mobile US network,” that received good traffic through social networks. The discussion on Hacker News raised the question of why the IPv6 was limited to certain phones, and a look in the T-Mobile IPv6 setup instructions and FAQ provided this answer:

4. My phone is not listed above, will it work with IPv6?

  • No, most phones do not have the Android radio firmware (RIL) that allows the phone to support IPv6 on the mobile interface.  T-Mobile USA is encouraging all handset phone manufacturers to support IPv6.  If more phones become available, we will update this site.

It’s interesting to note that it is a device limitation (of not having the correct firmware) and it is great to see that T-Mobile is working with handset vendors to encourage support of IPv6. I’d also point to the part of the first email message I quoted about Android 4.0 updates being tested with IPv6.

The T-Mobile IPv6 site also references a number of known issues and provides some info about how they are making IPv4 content available over the IPv6 network.

All this is definitely great to see!  If you are a T-Mobile USA user with a Samsung Galaxy Nexus it’s definitely worth checking it out to see how the IPv6 network works.

P.S. I would love to do so myself but sadly T-Mobile’s coverage is still rather sparse in the woods of southwestern New Hampshire that I call home…

Digium Releases 3 Asterisk Security Advisories

This week Digium released three security advisories for vulnerabilities that allow remote authenticated sessions to either crash an Asterisk server or escalate user privileges. The advisories are:

In all cases the solution is to upgrade to the latest releases of Asterisk Open Source (1.6.2.24, 1.8.11.1 or 10.3.1) or Asterisk Business Edition (C.3.7.4).

 

Microsoft Security TechCenter: DNSSEC and DNS Amplification Attacks

What are the security risks related to using DNSSEC with regard to “DNS amplification attacks”? In a recent article at Microsoft’s Security Tech Center, Greg Lindsay dives into exactly that question.

First, though, he explains how a DNS amplification attack is a form of a Distributed Denial of Service (DDoS) attack that uses DNS queries combined with source address spoofing to send a large volume of traffic at a target system. He provides some examples of exactly how such an attack could be carried out.

Nicely, we get to see some examples of how DNSSEC will be implemented in the forthcoming Windows 8, both at the command line and in the GUI.  (I will be curious as Windows 8 rolls out to learn more about the “DNSSEC zone signing wizard” apparently available in the DNS Manager.)

He ends with a note that:

Signing a DNS zone and adding DNSSEC records to a DNS response increases the total size of a response, but does not increase the risk for DNS amplification past the existing limit placed on the server for UDP response size. 

Since the TCP conversation cannot be easily spoofed, these additional records do not inherently increase the severity of DNS amplification attacks.

and concludes with useful advice about how to help prevent DNSSEC amplification attacks.

I found it a very useful article regardless of whether you use Microsoft DNS servers or not.  Good to get this kind of information out there so that IT security teams can understand how to address and mitigate potential risks.
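The size limit in the quoted conclusion can be worked through with numbers. The following is an added example, not code from the Microsoft article or from this post; the response sizes (120 and 1500 bytes), the `server_max_udp` values and the minimal truncated-reply model are assumptions constructed for illustration.

```python
import struct

def encode_qname(name):
    """Encode a domain name as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, edns_size, qtype=1):
    """Wire-format query with an EDNS0 OPT record (type 41) and the DO bit set."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = encode_qname(name) + struct.pack("!HH", qtype, 1)
    # OPT: root name, type 41, class = advertised UDP size, TTL carries DO flag (0x8000), no RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0x8000, 0)
    return header + question + opt

def udp_reply(query_len, response_len, client_edns, server_max_udp):
    """Return (bytes sent over UDP, truncated?) for a response of response_len bytes."""
    limit = min(client_edns, server_max_udp)
    if response_len <= limit:
        return response_len, False
    # Assumption: an oversized answer is replaced by a minimal TC=1 reply
    # (header + question + OPT, about the size of the query); the real answer
    # is only available over TCP, which requires a completed handshake.
    return query_len, True

def amplification(name, response_len, client_edns, server_max_udp):
    """Ratio of UDP reply bytes to query bytes, plus the truncation flag."""
    q = build_query(name, client_edns)
    sent, truncated = udp_reply(len(q), response_len, client_edns, server_max_udp)
    return round(sent / len(q), 1), truncated

def worst_case(name, client_edns, server_max_udp):
    """Upper bound on the ratio: set by the UDP size limit, not by zone signing."""
    q = build_query(name, client_edns)
    return round(min(client_edns, server_max_udp) / len(q), 1)

if __name__ == "__main__":
    # Constructed sizes: 120-byte unsigned answer, 1500-byte signed answer.
    for label, size in (("unsigned", 120), ("signed", 1500)):
        for cap in (4096, 1232):
            factor, tc = amplification("example.com", size, 4096, cap)
            print(f"{label:8} cap={cap:4} factor={factor:5} truncated={tc}")
    print("bound at cap 1232:", worst_case("example.com", 4096, 1232))
```

With the server limit lowered to 1232 bytes, the signed answer no longer fits in UDP and the reply shrinks to roughly the size of the query, which is the behaviour the quoted conclusion relies on.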

 

Want To Make Your Web Content Available over IPv6? Check Out The Excellent RFC 6589

Are you a “content provider,” such as a website operator, seeking to understand how to ensure your content is available over IPv6? Would you like to know what challenges you can expect? What kind of migration strategies you can use? What you should do for an implementation plan?

If so, the IETF recently published an excellent guide in RFC 6589, “Considerations for Transitioning Content to IPv6,” available at:

http://tools.ietf.org/html/rfc6589

The primary author is Jason Livingood of Comcast but many others have contributed to creating an excellent document! It explains both the issues with moving content to IPv6 and offers suggestions for migration plans and implementation tactics. With World IPv6 Launch fast approaching on June 6, 2012, it is excellent to have this document available to help content providers understand what they need to do!

From the introduction to the RFC:

This document describes considerations for the transition of end-user content on the Internet to IPv6. While this is tailored to address end-user content, which is typically web-based, many aspects of this document may be more broadly applicable to the transition to IPv6 of other applications and services. The issues explored herein will be of particular interest to major web content sites (sometimes described hereinafter as “high-service-level domains”), which have specific and unique concerns related to maintaining a high-quality user experience for all of their users during their transition to IPv6. This document explores the challenges involved in the transition to IPv6, potential migration tactics, possible migration phases, and other considerations. Some sections of this document also include information about the potential implications of various migration tactics or phased approaches to the transition to IPv6.

You can see from the table of contents the range of topics covered in the document:

1. Introduction
2. Challenges When Transitioning Content to IPv6
3. IPv6 Adoption Implications
4. Potential Migration Tactics
5. Potential Implementation Phases
6. Other Considerations
6.1. Security Considerations
6.2. Privacy Considerations
6.3. Considerations with Poor IPv4 and Good IPv6 Transport

The document is an excellent guide for content providers and anyone seeking to understand how to make their content available over IPv6. We’ve now added RFC 6589 to our list of resources and look forward to learning how it may help many of you get your content ready for IPv6!

Contrasting Mercurial vs Git: Two Opposing Blog Posts

Which should you use for a distributed version control system (DVCS) – git or mercurial? That was the question taken up recently by two opposing blog posts on Atlassian’s blog:

Admittedly this is a bit of a “religious” issue with adherents on either side being extremely passionate about the topic. In my own case, my writing here (as well as my Github account) definitely shows that I fall down on the side of git… but I’m also always interested in learning more about the various tools.

The two blog posts are written by passionate advocates for each tool and so naturally have that flavor. Regardless, they make for interesting reading. I don’t see myself switching to Mercurial any time soon… but it’s interesting to see the pros and cons of each. We still don’t have the “perfect” tool… but will we ever?

Given that I started working with version control systems back when RCS was the only option I had… and then CVS was a huge step forward… and then SVN was viewed as excellent… all I can say is that we’ve come a loooonnngg way and it’s great to see both git and mercurial out there.

P.S. I should note that both of these articles are part of Atlassian’s “DVCS Guide” that has some other useful pieces about why distributed version control systems are worth investigating and using.

RFC 6589 – Transitioning Content to IPv6

Are you a “content provider,” such as a website operator, seeking to understand how to ensure your content is available over IPv6? If so, the IETF recently published an excellent guide in RFC 6589, “Considerations for Transitioning Content to IPv6.” Written by Comcast’s Jason Livingood, the document explains both the issues with moving content to IPv6 and offers suggestions for migration plans and implementation tactics.

From the introduction:

This document describes considerations for the transition of end-user content on the Internet to IPv6. While this is tailored to address end-user content, which is typically web-based, many aspects of this document may be more broadly applicable to the transition to IPv6 of other applications and services. The issues explored herein will be of particular interest to major web content sites (sometimes described hereinafter as “high-service-level domains”), which have specific and unique concerns related to maintaining a high-quality user experience for all of their users during their transition to IPv6. This document explores the challenges involved in the transition to IPv6, potential migration tactics, possible migration phases, and other considerations. Some sections of this document also include information about the potential implications of various migration tactics or phased approaches to the transition to IPv6.

The table of contents is as follows:

   1. Introduction
   2. Challenges When Transitioning Content to IPv6
      2.1. IPv6-Related Impairment
      2.2. Operational Maturity Concerns
      2.3. Volume-Based Concerns
   3. IPv6 Adoption Implications
   4. Potential Migration Tactics
      4.1. Solving Current End-User IPv6 Impairments
      4.2. Using IPv6-Specific Names
      4.3. Implementing DNS Resolver Whitelisting
           4.3.1. How DNS Resolver Whitelisting Works
           4.3.2. Similarities to Content Delivery Networks and Global Server Load Balancing
           4.3.3. Similarities to DNS Load Balancing
           4.3.4. Similarities to Split DNS
           4.3.5. Related Considerations
      4.4. Implementing DNS Blacklisting
      4.5. Transitioning Directly to Native Dual Stack
   5. Potential Implementation Phases
      5.1. No Access to IPv6 Content
      5.2. Using IPv6-Specific Names
      5.3. Deploying DNS Resolver Whitelisting Using Manual Processes
      5.4. Deploying DNS Resolver Whitelisting Using Automated Processes
      5.5. Turning Off DNS Resolver Whitelisting
      5.6. Deploying DNS Blacklisting
      5.7. Fully Dual-Stack Content
   6. Other Considerations
      6.1. Security Considerations
      6.2. Privacy Considerations
      6.3. Considerations with Poor IPv4 and Good IPv6 Transport

The document is an excellent guide for content providers and anyone seeking to understand how to make their content available over IPv6.

Internet Society Launches "Internet Hall of Fame" Celebrating Early Pioneers

One of the very cool announcements coming out of the Internet Society's Global INET event in Geneva this week was the creation of an "Internet Hall of Fame" that recognizes many of the pioneers who started this amazing journey we've been on. The full site is available at:

internethalloffame.org

Wired also had a great writeup:

The Internet Gets a Hall of Fame (Including Al Gore!)

As is noted in the Wired article:

The inductees fall into three categories: Pioneers who were key to the early design of the internet; Innovators who built on the net’s foundations with technical innovations and policy work; and Global Connectors who have helped expand the net’s growth and use around the world.

Both the site and the Wired article are well worth a read. It's an amazing journey we've been on since those early days of the Internet... and it's great to see folks like those listed here getting the recognition they justly deserve!

