Category: Microsoft

IPv4 Exhaustion Gets Real – Microsoft Runs Out Of U.S. Addresses For Azure Cloud – Time To Move To IPv6!

BOOM! IPv4 address exhaustion just hit home really hard for a good number of people.  They set up virtual machines (VMs) in a US region on Microsoft’s Azure Cloud and now suddenly find that when they use those VMs to access other websites they are treated as if they are from a country outside the US.  Why?

Because Microsoft RAN OUT OF IPv4 ADDRESSES from its “U.S.” blocks of IPv4 addresses!

As Microsoft notes in their blog post:

Some Azure customers may have noticed that for a VM deployed in a US region, when they launch a localized page on a web browser it may redirect them to an international site. 

Oops.

They go on to say precisely what we and many others have been warning about for some time:

IPv4 address space has been fully assigned in the United States, meaning there is no additional IPv4 address space available. This requires Microsoft to use the IPv4 address space available to us globally for the addressing of new services. The result is that we will have to use IPv4 address space assigned to a non-US region to address services which may be in a US region.  It is not possible to transfer registration because the IP space is allocated to the registration authorities by Internet Assigned Numbers Authority.

Keep in mind, too, that back in 2011 Microsoft bought 666,624 IPv4 addresses from Nortel for $7.5 million. So they have already been shopping for more IPv4 space in the North American region.

They’re out.  Done.  Finished.

And so all those people wanting to run VMs on Microsoft’s Azure Cloud are suddenly confronting the reality that if they wanted their server to appear as if it came from the US, they can’t!

Sure, their domain name can look like it is a regular address for a US company… but in the underlying IP addressing their server will appear to the rest of the Internet to be in Brazil or some other location based on some of the geographical IP databases.

UPDATE: It is apparently not just Azure Cloud accounts in the US.  Over on Hacker News a commenter indicated that an Azure account in the North Europe datacenter in Dublin, Ireland, is also getting an IP address from Brazil.  I would guess (but don’t know for a fact) that this means Microsoft may be out of European IP addresses, too.

The impact is that servers running in the Azure Cloud (on VMs) may be treated by applications and services running on other servers as if they are outside the U.S. and so they may be given different choices or options than would be given to US servers.  The example shown in Microsoft’s blog post is of a web browser running on a VM connecting to a site and being given a Portuguese web page because the web server thought the incoming connection was coming from Brazil.  Depending upon how strongly the web server being visited serves out pages based on geographic IP data there may or may not be an easy option to get to pages intended for visitors from the US – or it might at least require more steps.   On a more serious note, there may be some sites that might block traffic in their firewalls based on where IP addresses are thought to be coming from – and so while you thought your server was set up “in the U.S.” it could instead wind up on someone’s blocked list.

Somewhat ironically, we wrote just yesterday about the need for cloud providers to get with the IPv6 program - and today we have living proof of WHY cloud providers need to care.

And as we also noted earlier this week, Latin and South America are basically out of IPv4 addresses – so while Microsoft can use some Brazilian IPv4 addresses today, odds are pretty good they won’t be able to get any more!

The cold hard reality is that we simply cannot continue to rely on the “experimental” version of the Internet that used IPv4 addresses.  We need to collectively take the leap to the production version of the Internet using IPv6.

There are BILLIONS of people still to come online on the Internet – and there are BILLIONS more devices that we want to put online as part of the “Internet of Things”.  IPv4 simply doesn’t have the necessary number of addresses!

To get started with IPv6, please visit our “Start Here” page to find resources that are focused for your type of organization. And if you don’t find what you need, please let us know!  We are here to help you make the transition!

As Microsoft so vividly showed us today, IPv4 exhaustion is going to increasingly make IT systems more complicated.  It’s time to make the move to IPv6 where we don’t have to worry about address exhaustion – or having to use IP addresses from a different part of the world.

The time for IPv6 is now!

GigaOm: Cloud Providers Need To Get IPv6!

Over on GigaOm today we were delighted to see the article “With billions of devices coming online, cloud providers better get with IPv6 program“.  In that article, author Barb Darrow writes:

As we enter the internet of things era, with millions; check that, billions of devices coming online, we’re going to need a lot more unique IP addresses. That means the big cloud providers need to get on the stick to support IPv6, the internet protocol that opens up billions of new addresses for just that purpose.

EXACTLY!

This is a key point we’ve been making in our events and presentations – with all these many devices coming online, and also with 3-4 billion more people to come online, we need to move to using IPv6!

In the article, she goes on to note that IPv6 is NOT supported by Microsoft Azure, Google Compute Engine and most of Amazon Web Services.  She does point out that IBM SoftLayer does support IPv6, as will a new “Verizon Cloud” service apparently coming out later this year.  (All of which has made me note that we need a page on this Deploy360 site about “cloud services that support IPv6”.)

A few weeks back I asked a friend of mine who has an Internet of Things (IoT) startup whether his new service supported IPv6.  He runs his system, not surprisingly, on a cloud platform – in his case Amazon’s Elastic Compute Cloud (EC2) – and because EC2 doesn’t have IPv6, he can’t run his apps over IPv6.

We need to get there.  We need all the cloud providers to be enabled for IPv6, because they will then enable all the companies, large and small and everything in between, to make the move to the “production” version of the Internet.

Barb Darrow mentions in the GigaOm article that “the device population explosion pose to cloud providers and the very architecture of data centers will be a hot topic next week at Structure“, where Structure is GigaOm’s conference on the whole “cloud” topic.  That sounds great… although in looking at the agenda I don’t see anything specifically mentioning IPv6.  Hopefully that is a topic that gets covered and maybe we’ll be able to write about some of the IPv6-related news next week.

UPDATE: In a comment to this post, Barb Darrow indicates that IPv6 will be a topic in the Structure panel “What has to happen to enable the infrastructure to support IOT?”  And indeed, to support the Internet of Things (IoT) we very definitely need to move to IPv6!

Meanwhile, if you are a cloud provider – or anyone else – do check out our “Start Here” page or just browse through some of our IPv6 resources to get started with the move to IPv6!

Microsoft Publishes Guide To Deploying DNSSEC In Windows Server 2012

Do you work in an enterprise using Microsoft Windows Server 2012 and are interested in either deploying DNSSEC validation to provide better security to your users – and/or securing your own DNS zones using DNSSEC?

If so, the good folks at Microsoft just recently released a new guide “DNSSEC in Windows Server 2012” that guides you through what you need to do to deploy DNSSEC in Windows Server 2012 and Windows Server 2012 R2.  I’d note that it covers both the validation and signing sides of DNSSEC.

The document has four major sections:

  • Overview of DNSSEC
  • DNSSEC in Windows
  • DNSSEC Deployment Planning
  • Deploy DNSSEC with Windows Server 2012

as well as a few appendices.  The document goes into quite a deep level of detail on how DNSSEC is integrated into various aspects of Windows Server 2012.  The “Deployment Planning” section seemed quite useful, too, as it explored some of the performance requirements and also suggested a process for staging a deployment.

In reading through the document, I was quite impressed by the “Deploy DNSSEC with Windows Server 2012” section that includes many different checklists to help administrators know precisely what they need to be doing.  While I don’t personally work with Windows Server 2012, the checklists seemed to be covering the areas that I would want them to cover.

As we look to get more enterprises doing DNSSEC validation and also signing their own zones, it is great to see this document come out of Microsoft!    If you work with Microsoft Windows Server 2012, definitely do give it a look – and start deploying DNSSEC today!

 

Microsoft: The Best Xbox One Gaming Experience Will Be Over IPv6

Do you want the best gaming experience using the upcoming Xbox One console from Microsoft?  If so, you should ask your network operator if you can get IPv6!  Or, if you are a network operator, you should look at rolling out IPv6 to your customers!

Yesterday at NANOG 59 in Phoenix, Arizona, Microsoft’s Chris Palmer explained that the Xbox One gaming console uses IPv6 for the peer-to-peer (p2p) communication between gamers.   His slides are now available from the NANOG site and they walk through the IPv6 support and the rationale for the continued use of the Teredo transition technology so that Xbox One will work over IPv4.  (The video is also included below.)

A key point on Palmer’s second slide is this:

Network operators that want to provide the best possible user experience for Xbox One users:

  • Provide IPv6 Connectivity
  • Allow transition technologies such as Teredo to function
  • Allow for IPsec transport mode to function

So… if you are a network operator and you want your gaming customers using the Xbox One to have the best possible gaming experience, make IPv6 available to your customers! (Find out how to get started with IPv6)

I learned of this talk through a post via Wes George in the Google+ IPv6 community and there has been some discussion there.  There has also been a good bit of discussion in the IPv6-ops mailing list (to which you can subscribe if you are interested) with concerns being raised about the continued usage of Teredo and the challenges of using that particular transition technology.  Christopher Palmer answered some of the questions and also pointed to a more detailed technical document about the Xbox One and IPv6 available in Word form from Microsoft’s web site. Dan Wing also pointed out that there are other similar P2P uses of IPv6 such as Apple’s Back To My Mac (documented in RFC 6281) and Microsoft’s DirectAccess.

Even with the concerns this is definitely a great step forward in getting more consumer electronics not only IPv6-enabled but actively using IPv6 in their operations.  Kudos to Christopher Palmer and the rest of the Microsoft team for making this happen!

The video of Christopher Palmer’s presentation is also available for viewing:

Now… can we get the rest of the gaming consoles to please work over IPv6?   And will this move encourage more network operators to get serious about rolling out IPv6 to their customers?


UPDATE: This post seems to have attracted some attention and there are some interesting discussion threads over on Hacker News and also over on Reddit.

Microsoft Researching Skype Password Reset Security Hole

This morning The Next Web reported on an exploit where Skype’s password reset web page could be used to hijack a user’s Skype account using only the email address associated with the account. So… if you could guess someone’s email address (which can often be found through a Google search), you could effectively take over their Skype account.

Microsoft/Skype has DISABLED this feature while they investigate further so it appears that for the moment the security risk is limited.

However, it may be wise to watch closely the email account associated with your Skype ID for the next bit to see if any random password reset messages are sent to your account. Odds are that attackers will be sniffing around trying to see if there is any other way to exploit the apparent vulnerability.

The Next Web team reports that they were able to reproduce the attack on two Skype accounts of willing victims, confirming that the vulnerability was indeed real. They also reported the issue to Skype and worked with folks there.

The vulnerability is interesting in that it shows the complexity of modern communication applications. Skype is for the most part a desktop/mobile application, yet it relies on a centralized cloud-based service for authentication, passwords, etc. A vulnerability in the web interface for that central service then weakens the security of the overall system.

The “good” news for Microsoft/Skype is that because this appears to be a vulnerability in the web interface of the centralized system, this is probably something relatively easy for them to fix – and without requiring any client updates.

Kudos to Microsoft/Skype for reacting quickly to minimize the risk and we look forward to the issue being addressed.


UPDATE #1: Skype has issued a brief statement on their “heartbeat” web site with the same text that has been quoted in several articles.

UPDATE #2: The Verge has an article out now where many people in the comments are suggesting you change the email address associated with your Skype account to something less likely to be guessed. While Microsoft seems to have removed the immediate attack vector and this change is no longer critical to do, it may be something some of you may want to consider.

UPDATE #3: There’s a long Hacker News thread on this issue that also includes a link to an article walking through the exploit step-by-step as well as walking through links to protect your account. Note that because of the steps Microsoft has taken the exploit steps no longer work.