random technical thoughts from the Nominet technical team

Apple and libnet

Posted by alexd on Dec 16th, 2008

A lot of people I know get very excited by Apples. In the interests of spreading my bets, one of my machines is an Apple. Maybe it’s just me, but I just don’t get the usability benefits that everyone raves about.

For example, I found this great little library called libnet. It allows you to do raw socket manipulation in a platform-independent way, hiding a load of gory details. I was having some trouble testing libnet code, so I thought I’d try everything on my own network (to make sure that firewalls weren’t getting in the way). “Great!”, I thought, “I’ll try my Mac”.

Unfortunately, although libnet compiles and installs to Mac OS X, you can’t actually use it to write to raw sockets:

“Write error: libnet_write_raw_ipv4(): -1 bytes written (Invalid argument)”

I can find this terse response from Apple.

The solution? Boot up the Linux VM! :0)

You could reasonably point out that there is simply no support for the latest OS X in a library which was last released several years ago - but the fact remains, it is unusable on a Mac! I have had similar issues with Java and Ruby code; it seems like I am tending to do more work in VMs, and less work on the Mac itself.

Maybe it’s just me…

Loss of .uk nameserver

Posted by ian on Sep 29th, 2008

Those who monitor the availability of .uk nameservers through RIPE NCC’s DNSMON service will have noticed that ns6.nic.uk was offline for over 24 hours last week. This is a much longer outage than I would have liked but it has highlighted some interesting issues.

We manage seven of our nameservers directly. Since a rationalisation effort in 2002 they have all been hosted in other organisations’ networks, usually IXPs or ISPs, and are subject to contracts with specific SLAs. (Prior to this .uk nameservers were hosted by volunteers on a ‘best effort’ basis.) One nameserver, ns6.nic.uk, is different. It is hosted by NikHef in Amsterdam. When we were offered the chance to have a nameserver in Amsterdam we were very keen to take it. The arrangement to host did not include an SLA and was not subject to contract. It was in effect a gentleman’s agreement. We paid a modest sum for rack space and connectivity, but we had no claim over NikHef regarding the availability of the service.

The base level of DNS traffic to the .uk nameservers is pretty low at about 15 Mb/s over all seven that we manage and monitor. However, we do see an increasing number of traffic spikes, with peaks of 400-500% of this base level. During these spikes we see a very large number of queries for non-existent MX records coming from a great number of machines. My assumption is that this is backscatter from a spam storm, with the originating IPs being part of a botnet. I have no proof of this however.

There was a major spike on Thursday 25 September with total traffic levels peaking at over 70 Mb/s. Though six of the nameservers dealt with this surge with no obvious problems, this had a large impact on ns6.nic.uk. Because NikHef is not a supplier of network services the .uk nameserver is hosted within their own network. The surge caused their gateway router to be overwhelmed and within an hour they had downed our connection. I cannot blame them for this, and I would probably sacrifice a ‘guest’ service in similar circumstances. They tried to bring it back with severe rate limiting, but it was still largely unreachable. I began to think we would have a very long outage, even that we would have to relocate the whole nameserver system.

I moaned about the situation to anyone who would listen, and it was my friend Will Hargrave who suggested I buy alternative transit from Goscomb Technologies. They are handily placed as Dan Goscomb is presently based in Amsterdam and has a router in the same datacentre. Dan was able to get ns6.nic.uk back online within 3-4 hours of me speaking to him. The biggest effort required on our side was deleting and recreating the RIPE route-object, as this involved several different maintainers working in concert.

So, we now have all our nameservers back online. The main lesson from this is that we should ensure that all services we take are properly protected by contract. This has been the way we work for many years, but we need to review the arrangements we have as this one clearly fell through the net. As it stands now we still have no contract with NikHef regarding the rack space we occupy. Arrangements like this are just not good enough for a ccTLD registry.

ipv6 It Just Works :)

Posted by brettcarr on Sep 9th, 2008

With the impending exhaustion of IPV4 address space (currently predicted as 17 Oct 2011 http://www.potaroo.net/tools/ipv4/index.html ) it seems every networking event these days has coverage of ipv6, which can only be a good thing I guess. So yesterday while at uknof I discovered that google are now running an ipv6 only version of their website at ipv6.google.com which made me wonder how easy it is to get ipv6 up and running on a personal laptop/desktop.

Now I normally reserve the ‘It Just Works’ phrase for Mac OSX however today I felt the need to apply it to ipv6 or more specifically an ipv6 technology which I have only recently become aware of called Teredo. This enables you to tunnel ipv6 traffic through a NAT over ipv4. In simplistic terms it encapsulates all your ipv6 packets inside ipv4 UDP packets and sends them to a Teredo Server/Relay which then strips the ipv6 back out and forwards it to the ipv6 only internet (further technical detail available at references listed at the end of this article).

The real plus point of this approach though is how easy it is to configure on the client:

OSX- Download and install the client here: http://www.deepdarc.com/miredo-osx/
Linux- Download compile and install the client here: http://www.remlab.net/miredo/
Windows XP SP2 and above- Run two commands at a dos prompt
‘netsh interface ipv6 install’
‘netsh interface ipv6 set teredo client’

You’re done.

To check your ipv6 is working try accessing http://ipv6.google.com or do a traceroute6 (tracert6 for windows) to 2001:7fd::1 which is the ipv6 address for the K Root DNS server.

Ok so it’s not native ipv6 but it does give you some basic understanding and experience.

As I understand it the ease of use and installation under Windows is explained by the fact this was originally a Microsoft invention.

More technical details are available at the following links

http://www.microsoft.com/technet/network/ipv6/teredo.mspx
http://www.rfc-editor.org/rfc/rfc4380.txt

Additional Security note:

Potential users and in particular network security admins should be aware that running a Teredo tunnel opens a publicly routed ipv6 address on the machine in question. It may be wise to configure firewalls to block this behavior behind corporate networks.
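
For admins acting on the security note above, an added example (not part of the original post): a Python sketch that decodes the IPv4 details a Teredo address carries and flags UDP payloads that tunnel IPv6, following the layouts in RFC 4380. The function names are hypothetical and the sample address is constructed from documentation IPv4 ranges.

```python
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")  # Teredo service prefix
TEREDO_PORT = 3544                                  # Teredo server UDP port
# Constructed sample: server 198.51.100.1, NAT mapping 192.0.2.45:40000.
SAMPLE = "2001:0:c633:6401:8000:63bf:3fff:fdd2"


def decode_teredo(addr):
    """Return the IPv4 details embedded in a Teredo address, or None."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    _, server, flags, port, client = struct.unpack("!IIHHI", ip.packed)
    return {
        "server": str(ipaddress.IPv4Address(server)),
        "flags": flags,
        # The mapped port and address are stored with every bit inverted.
        "nat_port": port ^ 0xFFFF,
        "nat_ipv4": str(ipaddress.IPv4Address(client ^ 0xFFFFFFFF)),
    }


def inner_ipv6(udp_payload):
    """Return (src, dst) of an IPv6 packet carried in a UDP payload, else None."""
    data = udp_payload
    # Skip the optional Teredo authentication (0x0001) and origin (0x0000) headers.
    if data[:2] == b"\x00\x01" and len(data) >= 4:
        data = data[4 + data[2] + data[3] + 8 + 1:]
    if data[:2] == b"\x00\x00":
        data = data[8:]
    if len(data) < 40 or data[0] >> 4 != 6:
        return None
    return (ipaddress.IPv6Address(data[8:24]), ipaddress.IPv6Address(data[24:40]))


def looks_like_teredo(src_port, dst_port, udp_payload):
    """Flag a UDP datagram that tunnels IPv6 the way Teredo does."""
    inner = inner_ipv6(udp_payload)
    if inner is None:
        return False
    on_teredo_port = TEREDO_PORT in (src_port, dst_port)
    return on_teredo_port or any(a in TEREDO_PREFIX for a in inner)
```

Only client-to-server traffic is pinned to UDP 3544; client-to-relay and peer traffic uses other ports, which is why the check also inspects the inner IPv6 addresses rather than relying on the port alone.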
