Apr 18
Where Are The IPv6-Only Wi-Fi Routers And Access Points?
In trying to set up an IPv6-only Wi-Fi network for a test environment in my home office, I ran across an interesting stumbling block:
You can’t turn IPv4 OFF on typical Wi-Fi access points or routers!
Now, this does make a certain degree of sense for consumer-grade equipment. Providing such a setting is simply one more thing for someone to mess up – and generate support calls into the router manufacturer about how they can’t get on the network, can’t access email, etc., etc. So I get it… the consumer equipment manufacturers are operating on commodity margins and need to minimize support inquiries.
It may also be quite honestly that… no one has asked for it! We’ve been living in a world where IPv4 was the only option for so long that equipment product managers may not even be thinking about the desire for an IPv6-only Wi-Fi network. “Why would you ever want to do that?”
But I do want to do that – and I imagine I’m not alone among those of us working on deploying IPv6. I want a Wi-Fi test network that is IPv6-only. No IPv4 at all. Just IPv6… which then lets me connect to an IPv6 server and experiment with various different transition technologies. Plus I get to see which apps work in an IPv6-only environment and which don’t. I want a Wi-Fi network to experiment and play in the land of pure IPv6.
However, in searching online and looking through documentation of various Wi-Fi routers and access points, I’ve yet to find any off-the-shelf routers/APs that allow IPv4 to be disabled on an interface.
Yes, multiple people have suggested that I could hack the OpenWRT or DD-WRT code to roll my own AP without IPv4… and yes, I certainly could, and maybe that winds up being my only choice, but I’d personally rather hack on other projects than my Wi-Fi infrastructure. However, that may be what I do.
Have any of you seen Wi-Fi routers or access points where you could disable IPv4 on the Wi-Fi network and only use IPv6? Even better, an AP that lets me create multiple networks and have one of them be IPv6-only?
Or have any of you already hacked OpenWRT or similar code to be IPv6-only?
I’d love to hear what options folks have found (and would love to publicize them here).
Apr 16
Excellent Interactive Map of DNSSEC Support by Swedish Municipalities
This morning we learned via a tweet about this very cool interactive map of the status of DNSSEC support by Swedish municipalities. Sweden has by far been one of the leaders world-wide in implementing DNSSEC and the fact that a map like this can even be constructed is a great testimony to all the excellent work happening there.
Kudos, too, to whoever created this map and site. Other than seeing it was funded by the great folks at .SE it’s not clear from the site who created it. We love seeing visualizations like this and look forward to seeing more such maps for other parts of the world.
Apr 16
Comcast Rolling Out Home Gateway Support for IPv6 – And Nothing’s Controversial About a /64…
Outstanding news for Comcast subscribers last week at the North American IPv6 Summit! Comcast’s John Brzozowski, chief architect for IPv6 and distinguished engineer, indicated that Comcast was now moving its IPv6 support from just supporting single computers to supporting entire home networks. In a Network World article titled “Comcast is first U.S. ISP to offer IPv6 to home gateway users”, Carolyn Duffy Marsan reports on Brzozowski’s comments, including the fact that the service is already available in two cities.
This step is critical for adoption of IPv6 by home users as most home users do typically have some type of home gateway providing Internet access to the many devices within their home. Prior to this step, you could only connect a single computer for IPv6 access. While this certainly made sense for Comcast as they started testing out their production IPv6 support, it is great to see them moving on to support the home gateway use case that the majority of Comcast customers will have.
Comcast also very helpfully is providing a website showing which home gateway devices will work with IPv6 (look for checkmarks in the IPv6 column):
My only real issue with the article is this sentence:
In a somewhat controversial move, Comcast is giving each of its home networking users what’s called a /64 block of IPv6 addresses, which represents more than 18 quintillion IPv6 addresses…
There’s actually nothing “controversial” about providing a /64 block as that’s the standard allocation of IPv6 addresses to a router. This enables all devices within the router’s network to use “Stateless Address Autoconfiguration (SLAAC)” to automatically create their IPv6 addresses by combining the “router advertisement” with the device’s own MAC address. It’s what makes IPv6 “just work” for devices.
However, I completely understand why the author would write that. When I first started digging into the details of IPv6 several years back I had the same reaction – aren’t we setting ourselves up for failure by starting out already giving up half our address space to the host portion?
Coming from the address-constrained IPv4 space – and just with an engineer’s view of efficiency, it seemed insanely wasteful! And in some cases where there are always going to be a limited number of devices on a network, it certainly may be wasteful… but for the majority of networks using a /64 enables SLAAC and also makes room for innovation. As we look at the sensor-based “Internet of Things”, we may find use for that very large address space. Time will tell, but in the meantime the /64 allocation is just how things are done in IPv6 – welcome to the world of IP address abundance!
Aside from that minor note, it was great to see this article and congrats to Comcast for rolling out this support for IPv6 home gateways! As World IPv6 Launch nears, this will definitely enable more people to get connected!
Apr 13
Jitsi Is The First VoIP Softphone To Support DNSSEC
With its 1.0 release last week, the Jitsi soft phone became the first VoIP client I know of to support DNSSEC. Jitsi, formerly known as the “SIP Communicator”, is available for Windows, Mac OS X or Linux from:
Jitsi has a great range of features including support for voice and video calls, chat/IM, desktop sharing, conference calls, wideband audio and much more. It works with the SIP (Session Initiation Protocol) and XMPP (Jabber) protocols and connects to common services like GoogleTalk, AIM, Yahoo!Messenger, Facebook chat, etc. It’s also free and the source code is all available.
Jitsi has supported SIP and XMPP over IPv6 for quite some time now, but this new release adds support for DNSSEC, courtesy, I learned, of some funding from the NLnet Foundation and the University of Applied Sciences and Arts Northwestern Switzerland (FHNW). The DNSSEC code itself was implemented by Ingo Bauersachs from this university.
Essentially what Jitsi now does if you enable DNSSEC is to validate the signing of the SRV records in DNS that provide the address information for the remote end of the SIP or XMPP connection.
To step back and explain a bit further, if Alice wants to call Bob (to be cliche), and she knows his SIP address is “sip:bob@example.com”, her SIP client, IP-PBX or other SIP server (depending upon configuration) is going to perform a DNS lookup on “example.com” to retrieve the relevant SRV records. These records will provide the IP address(es) of the SIP server on Bob’s side. Alice’s SIP software will then connect to those IP addresses to send the appropriate SIP INVITE to start a conversation with Bob.
But how does Alice’s software know that the SRV records retrieved from DNS are correct? How can it know that they were not tampered with?
What if she is trying to call her bank and an attacker is redirecting her to another SIP server where there is a similar call center or IVR? (Okay, leaving aside the fact that at this moment you may not be able to make SIP connections to many banks… but that is changing slowly.)
Enter DNSSEC.
If the “example.com” domain is signed via DNSSEC, including all the SRV records, then the VoIP client can validate that the SRV records are in fact correct and the connection can be made knowing that it is to the intended recipient based on the SIP address.
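As an added illustration (not Jitsi’s code, which validates the chain itself through libunbound), this Python example parses a DNS response for `_sip._udp.example.com` and refuses to return SIP targets unless the header’s AD (“authenticated data”) flag is set. Trusting that flag assumes a validating resolver reached over a trusted path, such as one running locally; the response bytes, host names and function names are constructed for the example.

```python
import struct
SRV, AD_BIT = 33, 0x0020  # SRV record type; "authenticated data" header flag

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(msg, off):
    """Decode the name at off, following compression pointers; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_srv_response(msg):
    """Return (ad_flag, [(priority, weight, port, target), ...]), best priority first."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("DNS error rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = read_name(msg, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen
    return bool(flags & AD_BIT), sorted(records)

def sip_targets(msg):
    """Refuse to hand back SIP servers unless the resolver marked the answer validated."""
    secure, records = parse_srv_response(msg)
    if not secure:
        raise PermissionError("SRV answer not DNSSEC-validated; not connecting")
    return [(target, port) for _prio, _weight, port, target in records]

def sample_response(ad):
    """Constructed response (not a capture); owner names are 0xC00C pointers to the question."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180 | (AD_BIT if ad else 0), 1, 2, 0, 0)
    msg += encode_name("_sip._udp.example.com") + struct.pack("!HH", SRV, 1)
    for prio, weight, port, host in [(20, 0, 5060, "sip2.example.com"),
                                     (10, 5, 5060, "sip1.example.com")]:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(host)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", SRV, 1, 300, len(rdata)) + rdata
    return msg
```

Calling `sip_targets(sample_response(True))` returns the two servers in priority order, while the same records with the AD flag cleared raise `PermissionError` instead of yielding an address to dial.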
From a configuration point of view, there has been one more screen added to Jitsi’s preferences:
At this moment there is no documentation on the Jitsi site about the DNSSEC features (they are working on it… and open to any offers of assistance!), but I asked Ingo Bauersachs about the configuration of the resolver. His reply was this:
Libunbound, the library Jitsi is using, is validating the DNSSEC chain, but it’s not a full resolver. Queries for DNSKEY, DS, etc. are sent to the OS’s resolver, or if configured, to the “Custom name servers”.
The option to override the OS’s default resolver is there because during development, the only servers supporting all relevant record types were from DNS-OARC and Verisign.
The choice not to use libunbound as a fully recursive resolver was performance and that it’s for one simply not the job of an application to perform recursive DNS queries.
In my own case, I’m running a local instance of DNSSEC-Trigger and that is my operating system’s default resolver. I’ll be able to perform the DNSSEC resolution without any issues. Ingo also indicated that the table at the bottom of the Preferences panel will fill up with domains as you start to connect to sites (any sites – DNSSEC-signed or not). You can then specify what the DNSSEC-related behavior is for individual domains.
That’s how this all works, of course, when you have both publicly accessible SIP servers with SRV records – and DNSSEC signatures on those records. There may not be a whole lot of those sites out there quite yet, but having apps like Jitsi available will only help.
If you have a SIP- or XMPP-based VoIP or IM system (or “Unified Communications” system to use the appropriate marketing buzzwords) where you can sign your domain with DNSSEC, definitely check out Jitsi and see how it works. And as you have it working, I’d certainly love to hear from you and perhaps feature some examples in future blog posts.
The Jitsi team is also very interested in feedback and indicated that sending messages to the “dev” mailing list (and joining that list if you want) would be the best way to proceed.
I’m also personally interested in trying this out in a test environment… if you’ve got a SIP server with a domain that is DNSSEC-signed, please drop me a note as I’d like to try calling you.
Kudos to the NLnet Foundation for funding this work and to Ingo Bauersachs and the Jitsi team for implementing it all. I’m looking forward to seeing where this goes!
P.S. Wikipedia has a decent page on SRV records if you want to know more about these record types.
Apr 13
Have You Signed Your Domain With DNSSEC Yet? (Here are instructions…)
Have you signed your domain name with DNSSEC yet? If not, how about doing that today? Or as a weekend project?
This one little step can go a long way in both helping make your own Internet presence that much more secure and also in helping move the overall DNSSEC effort forward industry-wide.
To help you out, we’ve put together a few “how to sign your domain name using DNSSEC” tutorials for some of the leading registrars supporting DNSSEC:
http://www.internetsociety.org/deploy360/resources/dnssec-registrars/
If your registrar is not listed on that page, you can also check ICANN’s list of registrars supporting DNSSEC to see if your registrar is listed.
If your registrar is not listed on either site, you may want to look at your registrar’s website to see if they have any mention of DNSSEC. Note that I’ve found a couple of registrars out there who mention “Premium DNS” and on closer inspection turn out to essentially be GoDaddy resellers – in which case the GoDaddy DNSSEC tutorial applies. (And if you do find that they support DNSSEC, could you please send us a note so that we can add them to our list? Thanks!)
And if you still can’t find any information, why not drop an email to your registrar’s support address asking when they will have DNSSEC support? Either that… or consider moving your domain to a registrar that does support DNSSEC already! (Yes, I know, moving registrars can be a headache… )
If we can each take a moment to go out and sign some more domains (or to encourage more registrars to support DNSSEC), we’ll move that much closer to having a more secure Internet!
Apr 13
WordPress Dominates Top 100 Blog/Media Sites
If you had any doubt about the outcome of the "platform wars" of the past few years for "blog"-type sites, one graphic can remove that doubt:
This comes from a just-released study from Pingdom and before you say "well, of course, this is all about blogs, so naturally WordPress would dominate"... please do scroll down the article and see the range of sites that Pingdom's study covers (the ones that are italicized use WordPress):
- Huffington Post
- Mashable
- TechCrunch
- Engadget
- Gizmodo
- Ars Technica
- The Next Web
- GigaOm
- CNN Political Ticker
- ReadWriteWeb
... and many more... the point is that what is classified as a "blog" for this study includes many of the "media" sites that many of us visit frequently - and many of those "media" sites turn out to be using WordPress.
The Pingdom article has many other great pieces of information, including this chart comparing the platforms of the Technorati Top 100 blogs in 2009 versus 2012:
The outright (and not surprising) decline of some platforms like TypePad (on which this DisruptiveConversations site is still hosted) is very clear for all to see as well as the strong rise in WordPress usage.
The ecosystem around WordPress continues to expand at a phenomenal rate and studies like this are useful to measure that actual growth. What would be interesting to see, too, would be a study of "websites" in general, i.e. not just "blogs" but perhaps the Alexa Top 100 or some other set, to see what % of sites there use WordPress and these other platforms. As noted in the Pingdom article, the WordPress team has spent a great amount of time working on making the system more useful as a more generic content management system (CMS) and so the type of sites that are now using WordPress is expanding far beyond its roots in blogging. It will be interesting to see how that changes the web hosting dynamics over the next few years.
Thanks to Pingdom for undertaking the work - and I look forward to seeing what the field looks like in another three years!
If you found this post interesting or useful, please consider either:
- following me on Twitter;
- adding me to a circle on Google+;
- subscribing to my email newsletter; or
- subscribing to the RSS feed.
Apr 13
Jima’s IPv6 TLD Hall-of-Shame
Patrick “Jima” Laughton is an advocate for IPv6 who, inspired by a conversation on Facebook, decided to do something to highlight which top-level domains (TLDs) were NOT IPv6-ready. And thus was born the “IPv6 TLD Hall-of-Shame”, available at:
He has two lists:
- TLDs without IPv6 nameservers
- TLDs with IPv6 nameservers but no IPv6 “glue” records in the root zone
He’s been updating the list periodically and has been removing TLDs as they add IPv6 service. As World IPv6 Launch grows closer and closer, we’d like to see these lists shrink even more!
Kudos to Jima for creating and maintaining this list and we look forward to the day when he’ll have empty lists and can shut the site down.
Apr 12
WebRTC (real-time VoIP in web browsers) On April 13th VUC Call – Join In!
Want to learn about how voice and video calls will take place right in your web browser? WITHOUT a Flash or Java plugin?
The "WebRTC" initiative is making this a reality through efforts of the major browser vendors, VoIP industry companies and standards working groups within both the IETF and W3C. On the VoIP Users Conference (VUC) Call on Friday, April 13th, the group will have a discussion of what exactly is happening with WebRTC... and then some live demos from the Voxeo Labs and Phono teams who have been working on this topic for some time now.
This is, to me, an incredibly important area of work as we have the opportunity to really bake real-time communications (RTC) into the fabric of the tools we use every day to work with the Internet.
I'm looking forward to the VUC call ("tomorrow" as I write this, but probably "today" when most of you read it) and would encourage you to join in to listen and/or participate in the conversation.
You can join the live call via SIP, Skype or the regular old PSTN. There is also an IRC backchannel that gets heavy usage during the call. It will be recorded so you can always listen later.
Apr 12
SegTEL/TVC Stringing Fiber Through Keene, NH – A New Internet Choice?
- who is stringing new fiber?
Followed, of course, by "that's kind of a cool way to ride around town" (probably literally cool, today).
My initial thought was that it was upgraded wiring from either Fair Point Communications, our local phone company (who bought out Verizon's landline business up "he-ah"), or Time Warner Cable, who owns the cable franchise for Keene, NH.
It turned out to be neither, but rather someone new.
I walked out and met the crew up the street when they happened to be reloading connectors into the bucket. One of them said this was new service for "SegTEL". He said SegTel was a private company who had been recently bought out by someone and was planning to provide high-speed Internet access to businesses.
As I walked back to my house, my immediate reactions were:
- Cool! Will there be a plan I can afford as an individual?
- Will they offer IPv6?
To my surprise, SegTEL appears to have no functioning website! I did find that it has been acquired by Tech Valley Communications in New York, whose announcement of the acquisition completion in January included this bit:
segTEL was founded in 1998 and provides fiber optic telecommunication services to carrier, wholesale, and large enterprise customers throughout New Hampshire, Vermont, Massachusetts and Maine. segTEL has unique and extensive expertise in providing customized fiber optic loop, backhaul and transport services to Top-25 wireline and wireless carriers. All segTEL staff will continue their current operational activities with the combined company.
SegTEL was/is apparently located in Enfield/Lebanon, NH, about an hour north of me. In reading through TVC's news page it seems TVC received a substantial private equity investment in 2010 that made all of this possible. A Business Review article adds a bit more context to the acquisition. They also have some interesting links on the TVC news page about the growth of fiber.
An NTIA document refers to 10Gbps and 1Gbps Ethernet offerings (I'd take it!) and an FCC document from September confirms the transfer to TVC. It seems, though, that SegTEL and TVC both have been primarily targeting other service providers and large enterprises, not individuals. (Which does make me wonder why they were stringing the fiber through our very residential neighborhood.)
Sooo... given that a big fat fiber cable is connected to a pole that is literally about 25 feet away from my server, will I be able to play with a big pipe? Or will it be priced out of my range? (Probably!) And, important to my role, will it support IPv6?
And SegTEL or TVC folks, should you read this... you've got a willing beta tester for your new service offering! ;-)
Apr 12
White House Summer Jobs Code Sprint Deadline is Monday, April 16, 2012
Interesting to see that the White House is sponsoring its first ever code sprint… from the announcement back on April 2nd:
Today we’re announcing the first ever White House Code Sprint. This is a call to developers around the country to use the Summer Jobs+ API to build job search apps for your favorite browsers, social networking platforms, smart phones and feature phones. Submit your apps using this form by Monday April 16th at 8 a.m. EST, and we’ll pick the most innovative ones to feature on WhiteHouse.gov.
The Code Sprint web page says a little bit more:
The White House and the Department of Labor have just released an API opening access to thousands of summer internships, training and mentorships opportunities through their Summer Jobs+ Bank. We’re challenging the developer community to build apps that reach kids throughout the nation on their browsers, Facebook, Android, iOS, SMS or any other platform.
This is the first ever White House Code Sprint and we’re excited to see what innovative apps you build over the next seven days. There is no ideal app, but keep in mind that our goal is to share opportunities in our job bank with as many youth as possible.
It’s good to see the White House seeking to tap into the energy and passion of the developer community… I don’t personally have the time to participate in this event, but I hope they do get some interesting application submissions. My one comment is that they didn’t allow much time… they issued the notice on April 2nd with a deadline, then, of April 9th. Not much time to publicize it and get interest… but we’ll see.
If you are interested, the deadline has been extended to this coming Monday, April 16th.