Friday, August 20, 2010

IPv6 PPPoE on OpenWRT

Teksavvy, a canadian provider, is offering IPv6 service through DSL PPPoE. As an IPv6 oldtimer, I subscribe to their service to give it a try. They gave me an IPv4-only PPPoE service userid/password and an IPv4 and IPv6 PPPoE service userid/password. The IPv6 service includes a /64 for the PPP link and a /56 for the home network. This blog describes how to have OpenWRT (BackFire 10.03.1-RC1) running as the PPPoE end host and advertising and routing the prefix in the home network. Using 2001:db8:1:1::/64 as prefix for PPP link and 2001:db8:2::/56 for home prefix. Choosing 2001:db8:2:1::1/64 out of the /56 for the interface on the LAN side. Only relevant changes in configuration files are shown.
Here are the steps:

OpenWRT Backfire does not have IPv6 enabled by default:
# opkg update; opkg install kmod-ipv6
Configure IPv6 on the WAN and LAN side:
# cat /etc/config/network
config 'interface' 'lan'
option 'ip6addr' '2001:db8:2:1::1/64'
config 'interface' 'wan'
option 'proto' 'pppoe'
option 'username' 'userid@provider'
option 'password' 'mypassword'
option 'ipv6' '1'
Install and Configure the Router Advertisement daemon to advertise the prefix on the home LAN.
# opkg install radvd
#cat /etc/config/radvd
config interface
option interface 'lan'
option ignore 0
config prefix
option interface 'lan'
option prefix '2001:db8:2:1::/64'
option ignore 0
# ln -s /etc/init.d/radvd /etc/rc.d/S50radvd
Reboot

The /etc/ppp/ipv6-up and ipv6-down scripts are already configured to create the default IPv6 route to the PPP interface.

It works!

# ping6 www.viagenie.ca
ping6 www.viagenie.ca
PING6(56=40+8+8 bytes) 2001:db8:2:1:5123:35ff:fef4:1234 --> 2620:0:230:8000::2
16 bytes from 2620:0:230:8000::2, icmp_seq=0 hlim=50 time=55.993 ms
16 bytes from 2620:0:230:8000::2, icmp_seq=1 hlim=50 time=56.896 ms
16 bytes from 2620:0:230:8000::2, icmp_seq=2 hlim=50 time=56.585 ms
^C
--- jazz.viagenie.ca ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 55.993/56.491/56.896/0.375 ms

Note that there is no IPv6 firewall configured by default.

Friday, August 13, 2010

IPv6 PPPoE on MacOSX

Teksavvy, a canadian provider, is offering IPv6 service through DSL PPPoE. As an IPv6 oldtimer, I subscribe to their service to give it a try. They gave me an IPv4-only PPPoE service userid/password and an IPv4 and IPv6 PPPoE service userid/password. This blog describes how to have MacOSX (10.6.4) running as the PPPoE end host.
Here are the steps:
  1. Create a new network configuration: Preferences->Network->Configuration->Modify Configurations-> + -> PPPoE
  2. Select the new network configuration.
  3. IPv4 Configuration->Create a new PPPoE Service. Enter the PPPoE username and password given by the service provider.
  4. Enable IPv6: Advanced->Configure IPv6->Automatic
  5. Connect: Apply the configs, select the PPPoE interface and then Connect.
IPv4 should be running. IPv6 not quite. In Terminal window, type ifconfig ppp0. You should see something like (IP addresses changed):
# ifconfig ppp0
ppp0: flags=8051 mtu 1492
inet 192.0.2.1 --> 1.2.3.4 netmask 0xffffff00
inet6 fe80::5123:35ff:fef4:1234%ppp0 prefixlen 64 scopeid 0xa

IPv6 link-local addresses were negotiated during the PPP multilink session. See the PPP logs:
# grep IPV6CP /var/log/ppp.log
... : rcvd [IPV6CP ConfReq id=0x46 ]
... : sent [IPV6CP ConfAck id=0x46 ]
(Note: you can also view the logs within the Console application.)

However, the IPv6 global addresses are now shown anywhere, either in the Network Settings Panel, nor with ifconfig ppp0. The IPv6 PPP specification(RFC5072) says that the global address is obtained by router advertisements on the PPP link or by DHCPv6.
Inspection of MacOSX shows that router advertisements were not enabled (surprisingly, becauseI'm using IPv6 RA at the office without having to do any change in the kernel config) in the kernel, so I enable them.
# sudo sysctl -w net.inet6.ip6.accept_rtadv=1
net.inet6.ip6.accept_rtadv: 0 -> 1

And restart the PPP session.
Now I see my global IPv6 address on the PPP interface:
#ifconfig ppp0
ppp0: flags=8051 mtu 1492
inet 192.0.2.1 --> 1.2.3.4 netmask 0xffffff00
inet6 fe80::5123:35ff:fef4:1234%ppp0 prefixlen 64 scopeid 0xa
inet6 2001:db8:1234:167:55123:35ff:fef4:1234 prefixlen 64 autoconf

However, the default IPv6 route is not created. So I did manually pointing to the PPP interface.
# route add -inet6 default -iface ppp0

Now it works!

# ping6 www.viagenie.ca
ping6 www.viagenie.ca
PING6(56=40+8+8 bytes) 2001:db8:1234:167:55123:35ff:fef4:1234 --> 2620:0:230:8000::2
16 bytes from 2620:0:230:8000::2, icmp_seq=0 hlim=50 time=55.993 ms
16 bytes from 2620:0:230:8000::2, icmp_seq=1 hlim=50 time=56.896 ms
16 bytes from 2620:0:230:8000::2, icmp_seq=2 hlim=50 time=56.585 ms
^C
--- jazz.viagenie.ca ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 55.993/56.491/56.896/0.375 ms

To automate these steps, I'm using pppd scriptability. From pppd man page, one can create the following files which are executed upon certain actions.

# sudo echo '/sbin/route add -inet6 default -iface ppp0' > /etc/ppp/ipv6-up
# sudo echo '/sbin/route delete -inet6 default -iface ppp0' > /etc/ppp/ipv6-down
# sudo chmod +x /etc/ppp/ipv6*

Restarting PPP will execute these scripts when IPv6 will be up and down. One can confirm the execution of the scripts by looking at the logs:
# grep Script /var/log/ppp.log
... : Script /etc/ppp/ipv6-up started (pid 78398)
... : Script /etc/ppp/ipv6-up finished (pid 78398), status = 0x0

I'm still looking for a way to integrate the sysctl command in the right script file.

Sunday, February 7, 2010

Remaining IPv4 /8 prefixes are dirty

As of January 2010, there is less than 10% of the IPv4 address space remaining for new networks. The current timeline is that no more address space will be available by 2012. However, the remaining IPv4 address space is not as usable and clean as one may think. Evidence has shown that many unallocated prefixes from the IANA pool are used internally by organizations or by VPN vendors. Moreover, my company does IP networking consulting and we have seen many times our customer's networks numbered with one of these unallocated prefixes. The top 10 identified were: 1.0.0.0/8 2.0.0.0/8, 5.0.0.0/8, 23.0.0.0/8, 27.0.0.0/8, 46.0.0.0/8, 100.0.0.0/8, 107.0.0.0/8, 176.0.0.0/8, 111.0.0.0/8. As of writing 1.0.0.0/8 has already been allocated by IANA to APNIC.

I've written a script that parses the IANA IPv4 address registry to find the unallocated prefixes and identify the ones that have been identified as already in use. The result is astonishing. From the ~24 /8 prefixes unallocated (at time of writing), only 2 /8 prefixes are "clean" (not reported to be used internally by organizations) and 22 are "dirty" because they are already in use by some organizations. The "clean" prefixes are: 14.0.0.0/8 and 106.0.0.0/8.

However, the level of "dirtiness" is variable. Some such as 1.0.0.0/8, 2.0.0.0/8 and 100.0.0.0/8 are much more used internally in private networks and implementations than others. In fact, the recent allocation of 1.0.0.0/8 by IANA have spurred discussions and studies on this issue.

What happens if I already use one of these "dirty" to-be-allocated prefixes in my network?
When the prefix you are using start being announced on the IPv4 Internet, then the sites and networks on the Internet using that prefix will not be reachable from your network and users. It may become a support nightmare if, for example, one of the sites is a well known content site using load-balancing and only some of its servers use the prefix. Therefore, sometimes your users will be able to reach that content, sometimes not: hours of interesting troubleshooting...

Is it possible that I'm using these "dirty" prefixes without knowing?
Even you might not know if you are using the dirty prefixes! For example, maybe your VPN vendor is using that "dirty" prefix to avoid collisions with RFC1918 private address space. When your computer setup the VPN connection, the host routing table then contains a route to this prefix through the VPN interface. Therefore, your host won't be able to reach a site on the Internet that has the same prefix. VPN software is often "smart" which means they setup the VPN on demand and disconnect when not in use. That means, similar to the previous paragraph, sometimes you will be able to reach some sites (when VPN is down) and sometimes you will not be able (when VPN is up): hours of interesting troubleshooting...

What happens if I receive a chunk of these "dirty" to-be-allocated prefixes from my provider?
Your network will become a magnet for packets that, before, went nowhere. Moreover, some end-users on the Internet will not be able to reach your network and sites since they are using the same prefix internally as yours.

What is the solution?
Well, if you are in the previous situations (already using a to-be-allocated prefix), then you should start planning to renumber. You could try to put more NATs but that become pretty tricky. If you are receiving one of these "dirty" prefixes from your provider, then it will be a rocky road...

The best approach, that is future proof, is to start deploying IPv6.

Thursday, February 15, 2007

Using Internationalized domain names (idn) with Firefox

Internationalized domain names (idn) is a way to support non-ascii characters in domain names. Most characters in the world can be put in domain names with idn. Technically speaking, an idn (ex: viagénie.com) represented in the Unicode character set are encoded in ascii with a prefix (xn--) and saved as is in the DNS. For example, viagénie.com is actually stored as "xn--viagnie-eya.com". It is up to the browser to show it decoded properly (as viagénie.com instead of xn--viagnie-eya.com).

There has been some (appropriate) concerns on the too large character set available for idn, such as spoofing domain names. The brute force cure is to show the encoded version (xn--viagnie-eya.com) to the user instead of the decoded version (viagénie.com) of the idn. Therefore, some top-level DNS registries have applied some restrictive rules on the possible set of characters that can be registered in the domain names under their authority, some haven't. There is work currently to update the idn specification to be more restrictive in the use of inappropriate characters in idn.

By the principle of precaution, Firefox developers decided to disable the decoding of idn for the TLD registries that do not have sufficient restrictive rules (on the judgement of the developers). The drawback of this is that, by default, for some tlds, idn displays well (i.e. viagénie.biz), for some tlds, idn are displayed un-decoded (ie. xn--viagnie-eya.com). Other browser vendors have different ways: always decode, never decode, ....

One of the tld registry in the list of non-decoded idn in Firefox is .com, but .biz is decoded. Type in the url box of your browser:
  • http://www.viagénie.com
And then, after connecting to the site, look at the url box. The .com in Firefox default config should show the xn-- version.

To force Firefox to enable IDN and to decode .com idn, do the following:
  1. about:config" in the url box.
  2. filter "idn"
  3. make sure that network.enableIDN is set to True
  4. add a new item: "network.IDN.whitelist.com" as a boolean and set it to true. (to add a new item, go to the up-right corner and option click the little icon there: took me a while to find it out!)

Disclosure Note: I was the co-chair of the IETF working group on idn and am co-author of some parts of the whole specification(RFC 3454, RFC 3491). So yes, I'm partly responsible for this not perfect idn solution that needs improvement. But I think that even in the current shape, it is still good enough technology to make the Internet more ready for everybody in any language.

Technical references:

Using Firefox 2.0 with IPv6 on MacOS X

By default, Firefox disables IPv6 support on MacOS X but not on other platforms. To enable IPv6 on Firefox, do:
  1. "about:config" in the url box.
  2. filter "ipv6",
  3. select "network.dns.disableIPv6"
  4. and set the value to "false".
For more information, see mozilla knowledge base.