2011/12/26

Anonymous threatened to black out the Internet


Anonymous has threatened to black out the Internet if the Stop Online Piracy Act is passed:

http://www.homelandsecuritynewswire.com/dr20111223-anonymous-threatens-internet-blackout-over-controversial-legislation

Some people might ask how the entire Internet can be blacked out.  If the root zone can be taken down, all websites and emails in the world will disappear.  It is not known whether Anonymous will attack the hundreds of root servers scattered around the globe.


2011/12/23

IPv6 address entry keyboard

Just received my IPv6 address entry keyboard. The double colon key (::) is very important!


There is no such code as a double colon in the ASCII standard.  If IPv6 gains popularity, it might be desirable to include :: as a special character in the ASCII table.

2011/12/22

I own the IPv6 address prefix of 2002:ca51:fc74::/48 permanently

I am not an ISP but I own the IPv6 address prefix of 2002:ca51:fc74::/48 permanently. The reverse lookup for this range has been delegated to me by the Number Resource Organization (NRO).

This is just a gimmick. Those who are familiar with IPv6 addressing will have already recognized that 2002:ca51:fc74::/48 is the 6to4 equivalent of the IPv4 address 202.81.252.116.  I have previously used this v4 address to access NRO and claim to administer the reverse lookup for the range 2002:ca51:fc74::/48.

If you do a "dig -x 2002:ca51:fc74::1", my v6 nameserver will give you an answer saying it is v6-mail.com.

2011/12/21

DHCPv6 in Lion

In my last blogpost at :


I mistakenly wrote that Mac OS 10.7 (Lion) could not support DHCPv6 client configurations. Some friends told me that they have tested Lion and confirmed that DHCPv6 is fully supported.  With this good news, all the latest common PC OSes (OSX, Windows 7 and Linux) can support DHCPv6.  On further thought, OSX and Linux have better support for IPv6 configuration than Windows 7, as Windows 7 is still lacking RDNSS as of today.  Windows 7 definitely needs to catch up.

2011/12/16

Code of ethics for war-driving

I will join the WTIA-PISA war-driving this Sunday (18 Dec), an activity of the 2011 SafeWiFi Campaign.

Our team notes that people are very concerned about privacy issues as a result of Google's unethical capture of WiFi data all over the world. We ask all participants to sign a statement on a code of ethics which includes no privacy intrusion, no monitoring of payload, no connection to scanned WiFi access points, and that all data must be destroyed after statistical analysis. As a further step to ensure no network connection, all team members must have the TCP/IP protocols on their notebook PCs disabled. We will check each other's settings to ensure a high level of integrity.

The planned Macao war-driving by WTIA-PISA in September 2011 was banned by the Macao Government due to the privacy issue stirred up by Google.

2011/12/13

ITVoice 2012

Last Sunday, I cast my votes for 20 members of ITVoice 2012 in the Election Committee election of the IT Sub-sector. They all won their seats with high votes. Well done, my friends. This was quite a historic moment, so I decided to record the voting results in the picture below. I might look at this blogpost again five years later.

As usual, Charles Mok is again the King of the IT Sub-sector. He harvested 1466 votes, 218 more than he got in 2006.

2011/12/11

IPv6 address input keyboard

I have placed an order for an IPv6 address entry keyboard at US$15 from ipv6buddy.com.

The keys A-F plus the colon, double colon and slash keys, which are packed together adjacent to the numeric keys, are very handy for input of IPv6 addresses and prefix lengths.  This keyboard should have been developed some years ago rather than only now.


2011/12/09

Server no reboot for 805 days

My server placed in a data center had not been rebooted for over 805 days. Frankly, if there is a fault and I need to go to the data center for repair, I might find the place but cannot remember which rack houses the equipment. Then on 7 December 2011, the server lost connection to the outside world. I sought help from the serving ISP and it told me that the port on the Ethernet switch did not detect any connection. The ISP then called a technician in the data center and it was found that the power cable was not plugged firmly into the power supply unit. After properly tightening the power cord and rebooting, everything got back to normal.

Damn it, my goal of no server reboot for 1000 days just crashed.

2011/12/06

Hong Kong WiFi Security Index


Today was my second day in Tokyo for the Cybersecurity Forum organized by the Asia-Pacific Telecommunity.  I gave a presentation on “Promoting WiFi Security Awareness in Hong Kong”. This is what I said to 20 countries of the Asia Pacific region at the end of my presentation:

If there is just one thing you would like to learn from Hong Kong’s experience, it will be the Hong Kong WiFi Security Index.

2011/12/04

In-flight WiFi service

I flew to Tokyo today by Cathay Pacific CX548.  When the plane climbed to a certain altitude, the Captain announced that passengers' electronic devices could be switched on.  However, any devices that use WiFi or Bluetooth should be switched off in order to avoid interference with aircraft electronic systems.  Hey, Captain, are you kidding?  In-flight WiFi is an essential service for passengers, especially for those flying long haul.  Can you imagine losing Facebook or Gmail for 12 - 14 hours while in the sky?  Boeing aircraft are already providing in-flight WiFi service. Of course, a usage charge must be imposed. What's wrong with Cathay Pacific?

2011/11/30

HK Government’s IPv6 NTP Server at time.hko.hk

In the past 3 days, I was working with colleagues in the Hong Kong Observatory to find out the problem with their IPv6 NTP system.  The system could not accept NTP requests while "ntpdate -d -v 2407:8000:8001:80::8" showed that the host was found.

After many hours of testing and troubleshooting, we were sure that there was a bug in the firmware of the new atomic clock system which affected v6 network connectivity.  However, we applied a temporary fix to make things work in a stable manner. The system can be accessed now.

I would like to thank colleagues at CUHK, OGCIO and OFTA for helping with the end-to-end testing and fault-finding in the past 3 days.

Now that the system is normal, I can do "ntpdate -6 time.hko.hk" to conduct time sync over the v6 network.

2011/11/27

D-LINK DIR-655 IPv6 home router


This week, I bought an IPv6 home router, model D-LINK DIR-655, with the latest firmware.

This one supports Prefix Delegation, SLAAC, DHCPv6, IPv6 PPPoE, 6in4, 6to4 and 6rd tunneling. I have a 6in4 tunnel with Hurricane Electric (HE) and I can say that configuring a 6in4 tunnel on the DIR-655 is not easy.  The routed /64 prefix allocated by HE should be configured on the LAN side while the /64 prefix for tunneling should be input on the WAN side.  The v6 resolver provision was a bit complicated.  I thought using the v6 resolvers of OpenDNS would be OK but in fact it was not. I was not quite sure if the HE network blocked access to OpenDNS.  As a last resort, I used the anycast v6 resolvers of HE on both the WAN and LAN side and that completed my 6in4 configuration with success.

I use static v6 configuration for hosts on the LAN side though I know DHCPv6 would be more convenient.  Hey, think of it the other way: the routed /64 prefix offered to me will never change, so there is no harm in using static v6 configuration.

2011/11/25

The last IPv4 address in the world is 223.255.254.254

Today, I checked that the last Class C address block 223.255.255.0/24 is still in the hands of APNIC and I very much doubt APNIC will allocate it to any organization.  Having said that, we can expect the last IPv4 address that can be used in the world to be 223.255.254.254, which is now owned by Singapore Marina Bay Sands Pte Ltd.  Of course, 223.255.254.255 cannot be used as it is a broadcast address on a per Class C basis.

2011/11/22

vistumbler

My blog post two days ago mentioned WiFi Hopper, which could not be run on a 64-bit Windows platform.  One reader suggested executing WiFi Hopper in a VM environment.  Yes, it could be done, but the speed of operation would be really slow.

I have found the solution. Vistumbler is another WiFi sniffer that supports Windows 7.  The captured log can be saved in CSV format for analysis in Excel.  I will definitely use Vistumbler in the coming war driving exercise.

2011/11/21

TP-LINK TL-WN822N 802.11n client

In August, I purchased one set of the TP-Link TL-WN822N client, which is claimed to have a speed of 300Mbps.  At that time, I was attracted by the ivory colour, the light green LED and the two antennas, realizing that the dual-antenna design would help to boost the performance of a MIMO-based 802.11n connection.  To my satisfaction, this wireless client runs perfectly fast and there is no difference in speed when accessing the Internet compared with using a 100Mbps Ethernet network card.


Yesterday, I decided to buy another one, either as a backup or for use in other desktop PCs. This is the best WiFi client I have ever used.

2011/11/20

WiFi Hopper only available in 32-bit Windows XP

I planned to join the WiFi war driving exercise which will be held in December 2011.  The bad news is that the war driving software "WiFi Hopper" can only support 32-bit Windows XP.  I had my old Windows XP notebook scrapped more than a year ago.  My notebook in use now is running 64-bit Windows 7.  How can I join the war driving exercise?  I think I have to borrow an XP notebook from my friends.

2011/11/19

Postfix greylisting

I added greylisting to my IPv6 SMTP server running Postfix by adding the package postgrey.  All incoming messages will be rejected at first and, if the connecting sources are legitimate email servers, the messages will be queued up for retry. After the greylisting period of 5 minutes, messages from the same sources will then be accepted by postgrey.  In the case of spam emails from zombie computers, the zombies, which do not act like an SMTP server, will not store and queue up emails for subsequent delivery. On the whole, I believe greylisting is over 90% effective at rejecting spam from zombies.
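To make the mechanism concrete, here is an added example (not postgrey's code and not part of the original post) that models the greylist decision table: the same (client IP, sender, recipient) triplet key postgrey uses, a first attempt that is deferred with a temporary 4xx reply, and acceptance only when a retry arrives after the delay. The sample traffic, the reply texts and the addresses are constructed; the 5-minute delay is the one the post mentions.

```python
GREYLIST_DELAY = 300   # seconds: the 5-minute period mentioned in the post


class Greylist:
    """Decision table keyed on the (client IP, sender, recipient) triplet,
    the same key postgrey uses.  A new triplet is deferred; a retry that
    arrives after the delay is accepted and the triplet is remembered."""

    def __init__(self, delay=GREYLIST_DELAY):
        self.delay = delay
        self.first_seen = {}      # triplet -> time of first attempt
        self.passed = set()       # triplets that completed a successful retry

    def check(self, client_ip, sender, recipient, now):
        """Return the SMTP reply for one delivery attempt (reply texts are
        constructed here, not postgrey's own wording)."""
        key = (client_ip, sender.lower(), recipient.lower())
        if key in self.passed:
            return "250 OK"
        if key not in self.first_seen:
            self.first_seen[key] = now
            return "450 4.2.0 Greylisted, try again later"
        if now - self.first_seen[key] < self.delay:
            return "450 4.2.0 Greylisted, try again later"   # retried too early
        self.passed.add(key)
        return "250 OK"


# Constructed sample traffic: (seconds, client IP, sender, recipient).  A real
# MTA queues the message and retries; a spam zombie sends once and moves on.
SAMPLE_ATTEMPTS = [
    (0,   "198.51.100.10", "alice@example.org", "bob@example.com"),  # legitimate MTA, first try
    (0,   "203.0.113.77",  "promo@example.net", "bob@example.com"),  # zombie, fire-and-forget
    (120, "198.51.100.10", "alice@example.org", "bob@example.com"),  # MTA retries too early
    (420, "198.51.100.10", "alice@example.org", "bob@example.com"),  # MTA retries after 7 min
    (900, "198.51.100.10", "alice@example.org", "bob@example.com"),  # next message, known triplet
]


def replay(attempts=SAMPLE_ATTEMPTS):
    """Run the attempts through one Greylist and return the replies in order."""
    gl = Greylist()
    return [gl.check(ip, sender, rcpt, t) for t, ip, sender, rcpt in attempts]


def accepted_clients(attempts=SAMPLE_ATTEMPTS):
    """Client IPs that got at least one message through."""
    return {ip for (t, ip, _, _), reply in zip(attempts, replay(attempts))
            if reply.startswith("250")}


if __name__ == "__main__":
    for (t, ip, _, _), reply in zip(SAMPLE_ATTEMPTS, replay()):
        print(f"t={t:4d}s  {ip:15s}  {reply}")
```

Running the sample shows the zombie's single attempt never gets past the 450, while the legitimate MTA's first retry (2 minutes) is still inside the window and only the 7-minute retry is accepted; after that the triplet is known and later messages pass immediately.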


2011/11/17

Hurricane Electric's 10G link at HKIX

Hurricane Electric has installed a new 10G dual-stack link at HKIX:

http://www.marketwatch.com/story/hurricane-electric-announces-significant-global-upgrade-of-peering-bandwidth-2011-11-16

This really helps me a lot as I am using a 6in4 tunnel of Hurricane Electric to bridge to the IPv6 Internet.  After the upgrade, I tested that my IPv6 connection to overseas is at 8Mbps while the speed of connection to HK6IX is 91 Mbps.  Actually, the connection is limited by my 100M network interface card and the Ethernet switch of my serving ISP.

Thanks, Hurricane Electric.

2011/11/08

Interesting picture

This is an interesting picture.  It seems like both disc A and B are moving.   Which one do you think is moving a bit faster?


In fact, neither is moving.  But if we look at them together at the same time, we have the illusion that they are moving.

2011/11/04

Can MAC address filter circumvent WEP cracking

We all know that WEP can be cracked in a few minutes.  There is an interesting question of whether a MAC address filter can increase the difficulty of WEP cracking.

The answer is no. MAC address filters are useless because MAC addresses are broadcast over the air. When a legitimate client is connected to a WEP AP, a hacker can use hacking tools to discover the MAC address. He then clones the MAC address to his device and proceeds to crack the WEP key.   To reinforce my point, I have taken a photo from a Linux machine running spoonweb.  In the photo below, the MAC address of a connecting client is shown.


2011/10/30

Android phone failed to sync gmail

On Friday, all of a sudden, my Android phone could not sync Gmail.  Intuitively, I had the impression that access to Market would also fail as Market relies on the Gmail account for authentication. Finally, it was proven that both Gmail and Facebook could not sync while access to Market completely failed.

After investigation, I noted that my phone had the date set to 1 Jan 2000.  Shit, auto-sync requires accurate time information on the terminal devices.  After setting the date properly, everything was restored.

A good learning experience and exercise.

2011/10/16

In memory of Dennis Ritchie, Father of Unix

It was sad to read the news about Dennis Ritchie, Father of Unix, who passed away on 12 October 2011.


I was addicted to Unix in 1992 but only got my first reference book in 1994. As my appreciation of Dennis Ritchie, Father of Unix, I shall keep this book for the rest of my life.


2011/10/11

Blackberry outage in three continents

Yesterday, there was a massive RIM network outage in Europe, the Middle East and Africa which lasted for 3 hours:

http://edition.cnn.com/2011/10/10/tech/mobile/blackberry-outage/index.html

Millions of users were affected. 

As usual, RIM will never disclose the root cause of the failure, using the excuse that RIM's network is based on a proprietary design and it needs to keep its network design and architecture confidential.

Though Asia was not affected in the incident yesterday, we cannot be sure we will get the same luck next time.

2011/10/04

iPhone 5 cannot support 4G LTE

With the coming release of the iPhone 5, IT and technology savvy people are guessing whether it can support high speed 4G LTE.  My view is that the iPhone 5 will not be equipped with a 4G LTE air interface.  The reason is that there are now just a few 4G LTE networks.  Apple must make a logical decision and careful investment.  Maybe the iPhone 6 released next year can do that.

2011/10/02

IPv6 Speed Test

ipv6-test.com is hosted in France and it can offer speed tests on both IPv4 and IPv6 connections. It is now seeking help from other web administrators to set up such facilities in other regions.  I do not have a high speed native IPv6 connection; otherwise I would volunteer to make my server a mirror test site in Hong Kong.

The speed tests done today were the best I have ever conducted.  The overseas IPv4 and IPv6 connection speeds were almost the same at around 4.5 Mbps.  This speed is sufficient for DVD-quality full screen video.


2011/10/01

gogoclient on WiFi

This is good news. Gogoclient can work on WiFi, which enables me to have an IPv6 tunnel connection on WiFi. I had tested it several times before but all attempts failed.  I did not know what went wrong.  Then after changing to a new WiFi router, everything works now.


I note that there is a new version of Gogoclient which supports DS-Lite.  I will download and try it.

2011/09/17

sharepod to replace iTunes

iTunes is too bulky for managing iPod songs.  I have now changed to sharepod: small file size, just 5MB, plus the interface is neat and clean.


Another headache with iTunes is that if some songs in a PC's folder are inadvertently deleted, iTunes attempts to delete the same songs on the iPod because of auto-sync.  No such hassle in sharepod.


The only shortcoming is that I have to connect the iPod to sharepod if I want to listen to music through my PC.

2011/09/12

25GB Cloud Storage

I got 25GB cloud storage from PCCW.  It is a free service. Once connected, there will be a U drive with the name uhub, just like plugging in a USB flash drive.


It doesn't sound like much of an increase in storage capacity if one is using a desktop or notebook.  However, the cloud storage is accessible from iPhone and Android, and this feature is very significant since smartphones do not come with a hard drive.

The speed of access is a bit slow and cannot be compared to accessing a local hard drive. The transfer of files is not aided by encryption. If this option is available, it makes access even slower. However, the experience of commercial paid cloud storage should be much better, and encryption is a MUST.

2011/09/11

Watching YouTube freezes after installing Windows 7 SP1


For the past 3 months, my Windows 7 notebook froze whenever watching YouTube videos or videos of Apple Daily news.  I thought it could be due to system driver corruption.  I re-installed Windows 7 again and in the first 3 days, everything was fine. Afterwards, automatic update installed SP1 and the problem appeared again.  Shit, some bloggers say this SP1 problem has been confirmed by Microsoft: a weakness in the memory manager makes it perform frequent paging in and paging out requests when memory usage is high.
Microsoft has released a hotfix for it, downloadable at:
http://support.microsoft.com/kb/2575077
I did not apply the hotfix.  I just uninstalled SP1 and my Windows 7 is now stable and performing well.

2011/09/08

Shall name-based virtual hosting be used in a web server even if only a single website is hosted on the IP address?


This is a web server security question. Shall name-based virtual hosting be used in a web server even if only a single website is hosted on the IP address?  The typical cases are www.hkexnews.hk and www.hkex.com.hk.  The websites respond to clients even when the HTTP headers do not contain a hostname, just an IP address.  The answer to me is quite obvious.

2011/09/05

Multiple SSL websites on a single IP address

Apache 2.2.12 or higher can support Server Name Indication (SNI) in Transport Layer Security (TLS). That is to say, multiple SSL websites can be hosted on a single IP address. This is a great help. In fact, SNI in TLS has become an IETF standard (RFC 3546) dating back to the end of 2003.

There is now a tool to test whether browsers support SNI in the TLS handshake:

https://sni.velox.ch/

During the test, I noticed IE8 prompted an error message of invalid certificate; I just pressed the continue browsing button and I saw more details about the IE failure.

What I observed is that the current versions of Firefox, Chrome and Safari are capable of SNI while IE still lacks this function. On the server side, I note that Microsoft IIS 7.5 is not able to do this SNI thing, but Microsoft has committed to making it available in the next version.  For browsers in smartphones, I cannot test them one by one since there are so many different packages.

This is just a bit of development. There is a long way to go before a single IP address can support multiple SSL websites on all the different platforms, while some browsers might still fall behind.
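What the test page above is really checking is whether the browser's ClientHello carries a server_name extension at all. The added example below (illustrative code, not the sni.velox.ch tool or any browser's TLS stack) builds a minimal TLS ClientHello with or without that extension and then extracts the SNI from the raw record the way a passive monitor on the server side would, which is also how you can tell from a packet capture whether a given client is SNI-capable. The record layout (TLS record header, handshake header, ClientHello fields, extensions) follows RFC 2246/3546; the cipher suite and host names used are constructed.

```python
import os
import struct

SNI_EXT_TYPE = 0x0000          # server_name extension, RFC 3546 section 3.1
HOST_NAME = 0                  # the only NameType defined


def build_client_hello(hostname=None, random_bytes=None):
    """Return a TLS record (type handshake, version 3.1) carrying a ClientHello
    with one cipher suite, null compression and, if hostname is given, a
    server_name extension.  Enough structure for a parser to exercise."""
    rnd = random_bytes if random_bytes is not None else os.urandom(32)
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
        server_name_list = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", SNI_EXT_TYPE, len(server_name_list)) + server_name_list
    body = (b"\x03\x01" + rnd + b"\x00"              # client_version, random, empty session_id
            + struct.pack("!H", 2) + b"\x00\x2f"     # cipher_suites: TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00")                           # compression_methods: null only
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _extract_sni(record):
    if record[0] != 0x16:                     # not a handshake record
        return None
    hs_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + hs_len]
    if hs[0] != 0x01:                         # not a ClientHello
        return None
    p = 4 + 2 + 32                            # handshake header, client_version, random
    p += 1 + hs[p]                            # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher_suites
    p += 1 + hs[p]                            # compression_methods
    if p + 2 > len(hs):
        return None                           # no extensions block at all (old client)
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
        data = hs[p + 4:p + 4 + ext_len]
        p += 4 + ext_len
        if ext_type != SNI_EXT_TYPE:
            continue
        q = 2                                 # skip the ServerNameList length
        while q + 3 <= len(data):
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            if name_type == HOST_NAME:
                return data[q + 3:q + 3 + name_len].decode("ascii")
            q += 3 + name_len
    return None


def extract_sni(record):
    """Return the host_name from a ClientHello's server_name extension, or None
    when the record is not a ClientHello or carries no SNI.  Truncated or
    malformed input is reported as 'no SNI' rather than raising."""
    try:
        return _extract_sni(record)
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
```

A server that sees no SNI has to pick a certificate before it knows the host name, which is exactly why a non-SNI browser gets the first virtual host's certificate and a name-mismatch warning.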

2011/09/03

Apache Killer killed

After waiting for 6 days, the Apache Software Foundation finally released Apache 2.2.20 which removes the HTTP Range exploit.   The fix is that if the sum of all ranges in a request is larger than the original file, the server ignores the ranges and sends the complete file.


All system administrators should be relaxed now.  The most devastating bug in the history of the open source community has been eliminated.

2011/08/29

Apache Killer again


Regarding interim fixes for protecting against Apache Killer (Range exploit), many system administrators are frustrated over whether to ban Range completely or to allow a certain number of ranges.  Last Friday, I took the approach of banning the HTTP Range header completely.  After discussions with some system administrators, they were of the view that the method of a 5-range restriction is recommendable. The reason is that Microsoft IIS allows not more than 5 ranges in the header and IE browsers are in strict conformance with IIS. That is to say, IE browsers will not send out HTTP headers with more than 5 ranges.

This is sound and reasonable, so I decided to follow the approach.

It might be argued: why not care about Firefox, Chrome, Safari, Opera and mini-browsers in smartphones? The situation is so complicated. There is no perfect answer.

2011/08/28

Two partitions in an ASUS notebook


A friend got a new ASUS notebook but he disliked the two partitions on it.  He wanted to merge the two partitions to make a bigger C drive.  I cautioned him not to do so.

The use of two partitions on a notebook PC is a good operational practice. The first partition is for holding system files whereas the other partition is for files of user applications and data.  If the Win 7 system crashes due to viruses, spyware or inadvertent corruption of system files, the recovery disk containing the factory default image can be dumped back to the first partition while keeping the user data unaffected as far as possible. This would be complicated in the event that only one partition is used for holding all kinds of files.  For Linux systems, the multiple partition requirement is more important, not just for backup and recovery but also for scalability and expansion.

2011/08/27

Rescue Windows XP Again


My son’s desktop PC crashed on 6 April 2010 and it was restored by fixboot to repair the boot.ini program.  After 14 months, it crashed again.  This time the master boot record was corrupted. The rescue method was to run FIXMBR at the System Recovery Console.

I wonder why the XP boot-up process gets into trouble so easily.  Or is the hard disk in question not so reliable?

2011/08/26

Apache Killer

Some friends alerted me to the “Apache Killer” bug, which can be viewed at the URL below:

http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%3C20110824161640.122D387DD@minotaur.apache.org%3E

This bug exploits Apache's flaw in handling the Range field in the HTTP request header. By sending a crafted request with a large number of fields within the Range header, the attacker amplifies the request, as each byte range field forces Apache to make a separate copy of the requested resource, which eventually consumes all CPU and memory resources.

The bad news is that system administrators need to wait another 48 hours for the Apache Foundation to release the patches. In the meantime, they can apply interim measures such as not allowing the use of Range headers.

This bug was first found in 2007. I wonder why the Apache Foundation did not pay attention to it.
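The three Apache Killer posts on this page (2011/08/26, 2011/08/29 and 2011/09/03) describe the same decision from three angles: the header that is being abused, the interim cap of 5 ranges, and the 2.2.20 rule that ignores ranges adding up to more than the file. The added example below (illustrative code, not Apache's source) parses a Range header and applies both defences so you can see which requests are served normally, which fall back to the whole file, and which trip the cap. The sample headers and the 10 000-byte file size are constructed.

```python
import re

MAX_RANGES = 5      # interim cap discussed in the 2011/08/29 post (what IIS accepts)
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_ranges(header_value, file_size):
    """Parse 'bytes=a-b,c-,-n' into a list of (first, last) positions clamped
    to the file.  Returns None for a syntactically invalid header; unsatisfiable
    ranges (first > last) are dropped, as RFC 2616 section 14.35 allows."""
    units, sep, spec = header_value.partition("=")
    if not sep or units.strip().lower() != "bytes":
        return None
    ranges = []
    for part in spec.split(","):
        m = _RANGE_SPEC.match(part.strip())
        if m is None or (m.group(1) == "" and m.group(2) == ""):
            return None
        first, last = m.group(1), m.group(2)
        if first == "":                               # suffix form "-n": the last n bytes
            n = int(last)
            if n == 0:
                return None
            ranges.append((max(file_size - n, 0), file_size - 1))
            continue
        first_pos = int(first)
        last_pos = file_size - 1 if last == "" else min(int(last), file_size - 1)
        if first_pos <= last_pos:
            ranges.append((first_pos, last_pos))
    return ranges


def range_policy(header_value, file_size, max_ranges=MAX_RANGES):
    """Decide how a request with this Range header should be served:
       'full'    - ignore the header and send the whole file (200)
       'partial' - honour the ranges (206)
       'reject'  - more ranges than the interim cap allows"""
    if header_value is None:
        return "full"
    ranges = parse_ranges(header_value, file_size)
    if not ranges:
        return "full"                 # malformed or nothing satisfiable: plain 200
    if len(ranges) > max_ranges:
        return "reject"               # interim measure: cap the number of ranges
    requested = sum(last - first + 1 for first, last in ranges)
    if requested > file_size:
        return "full"                 # 2.2.20 rule: ranges exceed the file, send it whole
    return "partial"


# Constructed sample headers against a 10 000-byte file
FILE_SIZE = 10_000
SAMPLES = {
    "resume download":   "bytes=5000-",
    "two chunks":        "bytes=0-999,5000-5999",
    "three full copies": "bytes=0-,0-,0-",
    "twenty ranges":     "bytes=" + ",".join(f"{i}-" for i in range(20)),
    "garbage":           "bytes=abc",
}


def classify_samples():
    """Policy decision for each constructed sample."""
    return {name: range_policy(value, FILE_SIZE) for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in classify_samples().items():
        print(f"{name:18s} -> {decision}")
```

Note that the two rules catch different things: "three full copies" is under the cap but asks for 30 000 bytes of a 10 000-byte file, so only the sum rule sends it to the full-file path, while "twenty ranges" is what the cap is for. A download manager resuming at byte 5000 is unaffected by either.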

2011/08/19

XP Security 2012 Malware

My office desktop PC was infected with malware called "XP Security 2012". This malware stopped all three browsers, and running any executable file resulted in the error message "Application not found".

2 hours were spent removing the malware by using Malwarebytes to scan the whole hard disk. Next, the failure to run executable files was due to corruption of the .exe file association in the registry. Running the Windows File Association Fixes for the .exe extension brought the machine back to normal.

This is a deadly malware since it kills the browser function and disables all executable programmes. I guess I would not have contracted the malware if I were using Chrome for web browsing.



2011/08/13

HKEx attack incident

When asked for comments on the HKEx hacking incident, the Financial Secretary Mr John Tsang said he disagreed with suggestions that the website was not secure enough and added that many large organisations around the world have had their sites hacked into.

Oh my God, this is a poor attitude. If a top Hong Kong government official has such a view or mindset, there is no hope for Hong Kong to maintain a higher cyber security standard.  HKEx runs some mission critical systems for the finance market; it should have emergency plans and backup measures to minimize the impact of large scale cyber attacks. Besides, these plans and measures should have been drilled on a regular basis to test system and human responses. HKEx should disclose what actions they took after discovering the hacking.

What the fuck has Hong Kong learnt from the HKEx attack case?

TSIG-based zone transfer and clock sync

For a long time, I was puzzled why accurate time sync is needed between master and slave nameservers in Transaction Signature (TSIG) based zone transfer. I finally got the answer.

To recap the concept of TSIG, we must recognize that a slave server trusts a master server based on the IP in the config file.  But IP addresses can be spoofed and there is a likelihood of attackers passing a hacked zone file to the slave server.  A better approach is for master and slave to use a common key.  The master server would generate a signature of the hash while the slave will decrypt the signature, get back the hash and compare it with the received zone file.

When the signature is generated, there is a timestamp in a particular field.  The timestamp is useful to avoid a replay attack later on, as the timestamp would then be far deviated from the current system clock.  If I still remember correctly, the tolerance for the timestamp is 5 minutes in BIND. Only if the attacker can do the replay attack within the next 5 minutes will it get through; otherwise the zone file together with its signature will be ignored.  By the same logic, if the difference between the system clocks of master and slave is more than 5 minutes, a legitimate TSIG-based zone transfer will also fail.

That is why the master and slave must sync with an NTP server more frequently.
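The interplay between the key, the timestamp and the tolerance is easier to see in code. The added example below is an illustrative model, not BIND's or any DNS library's code: TSIG as defined in RFC 2845 is a keyed hash (an HMAC over the message plus the TSIG fields, using a secret both servers hold) rather than a public-key signature, and the example keeps just the parts the post reasons about, namely a shared key, a "time signed" field, and BIND's default 300-second fudge. The zone data, the shared secret and the clock values are constructed; the error names BADSIG and BADTIME are the ones RFC 2845 defines.

```python
import hashlib
import hmac
import struct

FUDGE = 300   # seconds; BIND's default "fudge" for TSIG time stamps


def sign(message, key, time_signed, fudge=FUDGE):
    """Master side: return the (time_signed, fudge, mac) fields it would put
    in the TSIG record.  The MAC covers the message and both time fields, so
    neither the data nor the time stamp can be altered without invalidating it."""
    data = message + struct.pack("!QH", time_signed, fudge)
    mac = hmac.new(key, data, hashlib.sha256).digest()
    return time_signed, fudge, mac


def verify(message, key, tsig, now):
    """Slave side: return (accepted, reason) for a received message, checking
    the MAC first and then whether the time stamp lies within the fudge window."""
    time_signed, fudge, mac = tsig
    expected = hmac.new(key, message + struct.pack("!QH", time_signed, fudge),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG: message or key does not match the MAC"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME: time stamp outside the fudge window"
    return True, "accepted"


# Constructed data: one SOA record standing in for a zone transfer payload, and
# a constructed shared secret (a real key is random, e.g. from dnssec-keygen).
ZONE = (b"example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. "
        b"2011071103 7200 900 1209600 3600")
KEY = b"constructed-shared-secret-not-for-real-use"


def scenarios():
    """Replay the cases the post reasons about; returns {case: reason}."""
    t0 = 1_310_000_000                      # master's clock when it signs (constructed)
    tsig = sign(ZONE, KEY, t0)
    tampered = ZONE.replace(b"ns1", b"evil")
    return {
        "clocks in sync":        verify(ZONE, KEY, tsig, now=t0 + 20)[1],
        "slave clock 6 min off": verify(ZONE, KEY, tsig, now=t0 + 360)[1],
        "replay after 2 min":    verify(ZONE, KEY, tsig, now=t0 + 120)[1],
        "replay after 10 min":   verify(ZONE, KEY, tsig, now=t0 + 600)[1],
        "tampered zone data":    verify(tampered, KEY, tsig, now=t0 + 20)[1],
    }


if __name__ == "__main__":
    for case, reason in scenarios().items():
        print(f"{case:24s} -> {reason}")
```

The two failure modes the post describes come out of the same comparison: a slave whose clock is 6 minutes off rejects a perfectly good transfer with BADTIME, and a copy replayed 10 minutes later is rejected for the same reason, while a replay inside the window still passes, which is why the window is kept short and both clocks are kept on NTP.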

2011/07/27

No flash for 64-bit IE9

My 64-bit IE9 could not play Flash video when browsing.  Logically, as IE9 is so new, I thought it was necessary to download the 64-bit version of Adobe Flash Player.  Surprise, there is no such software as 64-bit Flash.  Please see the dump below:


I do have the 32-bit version of IE9 and this one has Flash 10.3 properly running.  Without support for Flash, I think 64-bit IE9 is almost handicapped, considering that up to one fourth of the world's websites use Flash to display content.

2011/07/25

FTP Error "500 - Illegal port command"

After changing my WiFi home router to TP-Link, I can successfully log in to an FTP server but cannot do "ls" or transfer files, and the error code returned was 500 – illegal port command.

On careful reading of the TP-Link manual, there is a security feature called FTP ALG which allows FTP traversal over NAT. Without enabling FTP ALG, FTP is destined to fail because the client provides a private IP address and a port number to the FTP server, but somehow the port number is changed by the NAT device. FTP ALG ensures that the NATed port number and the FTP data port number initiated by the client are kept in a one-to-one mapping state table.


This is another example of NAT breaking end-to-end connectivity. Similar ALGs are also needed for SIP and H.323. NAT only brings trouble to the networked Internet world and it should be dropped as soon as practicable.
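The mapping table the post mentions is easy to show on the PORT command itself. The added example below (illustrative code, not the TP-Link firmware) parses the RFC 959 PORT command a LAN client sends, rewrites its private address and port to the router's public address and a port the router owns, and records the mapping so that the server's inbound data connection is forwarded back to the right private host. All addresses, ports and the starting port of the mapping range are constructed.

```python
import re

PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$")


def parse_port(line):
    """Return (ip, port) from an FTP PORT command, or None when malformed."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]           # p1*256 + p2, RFC 959 section 4.1.2
    return ip, port


def format_port(ip, port):
    """Inverse of parse_port: render an address/port as a PORT command."""
    a, b, c, d = ip.split(".")
    return "PORT {},{},{},{},{},{}\r\n".format(a, b, c, d, port // 256, port % 256)


class FtpAlg:
    """Models the FTP ALG on a NAT router.  It inspects the control channel,
    rewrites the private address/port in PORT to the router's public address
    and a port it owns, and records the mapping so the server's data
    connection (which the server opens towards the client) is forwarded to
    the right private host."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}    # (public_ip, public_port) -> (private_ip, private_port)

    def rewrite(self, line):
        parsed = parse_port(line)
        if parsed is None:
            return line    # not a PORT command: forwarded untouched
        private_ip, private_port = parsed
        public_port = self.next_port
        self.next_port += 1
        self.table[(self.public_ip, public_port)] = (private_ip, private_port)
        return format_port(self.public_ip, public_port)

    def inbound(self, dst_ip, dst_port):
        """Where the NAT forwards a connection arriving at (dst_ip, dst_port)."""
        return self.table.get((dst_ip, dst_port))


def demo():
    """Constructed walk-through: a LAN client on 192.168.1.20 announces data
    port 5001; the router's public address is 203.0.113.5."""
    alg = FtpAlg("203.0.113.5")
    client_cmd = format_port("192.168.1.20", 5001)
    wire_cmd = alg.rewrite(client_cmd)
    forwarded_to = alg.inbound("203.0.113.5", 40000)
    return client_cmd, wire_cmd, forwarded_to


if __name__ == "__main__":
    client_cmd, wire_cmd, forwarded_to = demo()
    print("client sent :", client_cmd.strip())
    print("server sees :", wire_cmd.strip())
    print("data conn to:", forwarded_to)
```

Without the ALG the server would receive "PORT 192,168,1,20,19,137" and be asked to connect to a private address; servers such as vsftpd refuse a PORT whose address differs from the control connection's source, which is the "500 Illegal PORT command" reply in the post. Passive mode (PASV/EPSV) avoids the problem because the client opens the data connection, and the NAT then needs no protocol-specific help.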

2011/07/22

Laptop with two display cards

My son intended to buy a Sony VAIO SB25 laptop.  Strangely, it comes with two display cards: an AMD Radeon HD 6470M and an Intel HD Graphics 3000 card.  According to the website, the former shall be used to play 3D games in speed mode while the latter is for viewing in stamina mode for ordinary applications such as word processing or browsing web content.  The fact is that the Radeon display card consumes a lot of power and it would make the battery run out faster.  The use of the Intel card will help to preserve the battery capacity.  However, the end user needs to press a button in order to switch mode.  Then comes my question: can the laptop be designed to auto-switch from one mode to the other?


2011/07/13

Which company made the first IPv6-compatible product?

Yesterday, I took part in an online quiz on IPv6 of 10 questions and I answered 9 questions correctly.  There was a question asking which company first made a commercial IPv6-compatible product.  The choices were: Cisco, Digital Equipment Corporation, IBM, and Novell.  I picked Cisco as an IPv6 backbone must be ready before any IPv6 applications can be realized.  The answer was wrong.  It was IBM, which offered IBM AIX 4.3 in 1997, the first product to support IPv6 in the market.

2011/07/12

Good and bad news about Mac OSX 10.7 on IPv6

Mac OSX 10.7 is on the market now.  In terms of IPv6 improvement, it can now support RDNSS and, when working with SLAAC, it can configure an IPv6 address and get DNS resolvers from RADVD.  The bad news is OSX 10.7 still does not provide a genuine DHCPv6 client.  I must mention that not all organisations will adopt auto-config due to security concerns, and in that case DHCPv6 is the only available option to get IPv6 addresses.

Apple should have given a DHCPv6 client program to its Mac OSX a long time ago.  What is the difficulty!!

2011/07/11

.hk SOA Serial Number

I noticed that the SOA serial number of the TLD .hk on 11 July has the format of 2071521800 whereas that record on 1 June 2011 was 2071506233. The increment was 15567.  My guess is that from 1 June 2011 to 11 July 2011, there were 15,567 changes made in the .hk records, including new domain additions, deletions and changes of glue records etc. So long as the SOA serial number has a higher value than its previous one, it is possible for a primary server to update secondary servers.

Usually, some TLDs (example .se) prefer to use the yyyymmddss format like 2011071103, or the Unix time format like 1310367702 (example .com and .net), which can be readily translated back to 11 July 2011, 7 hours 3 min and 12 seconds.

It would be an interesting task to study whether the SOA serial number format adopted by .hk yields technical and/or operational merits compared to other traditional formats.
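"Higher value than its previous one" has a precise meaning for a 32-bit serial: secondaries compare serials with the wrapping arithmetic of RFC 1982, not as plain integers. The added example below (illustrative code, not part of the post or of any nameserver) implements that comparison and the three serial conventions the post lists, and uses the two .hk serials from the post to show that a plain counter makes the number of intervening updates directly readable. Everything else in it is constructed.

```python
import datetime

MOD = 1 << 32            # an SOA serial is a 32-bit unsigned integer
HALF = 1 << 31


def serial_is_newer(new, old):
    """RFC 1982 serial number arithmetic: is 'new' greater than 'old' in the
    wrapping 32-bit space?  Equal values, and a distance of exactly 2^31, are
    not 'greater', so a secondary will not transfer in those cases."""
    new %= MOD
    old %= MOD
    if new == old:
        return False
    if new > old:
        return new - old < HALF
    return old - new > HALF


def date_serial(year, month, day, n):
    """yyyymmddnn convention (the post cites .se): nn counts changes that day."""
    if not 0 <= n <= 99:
        raise ValueError("only 100 changes per day fit the yyyymmddnn format")
    d = datetime.date(year, month, day)      # validates the calendar date
    return d.year * 1_000_000 + d.month * 10_000 + d.day * 100 + n


def unix_serial(year, month, day, hour=0, minute=0, second=0):
    """Unix-time convention (the post cites .com and .net), in UTC."""
    when = datetime.datetime(year, month, day, hour, minute, second,
                             tzinfo=datetime.timezone.utc)
    return int(when.timestamp())


def decode_unix_serial(serial):
    """Turn a Unix-time serial back into a UTC datetime."""
    return datetime.datetime.fromtimestamp(serial, datetime.timezone.utc)


def counter_changes(old_serial, new_serial):
    """With a plain counter such as .hk's, the difference between two serials
    is the number of zone updates published in between."""
    return (new_serial - old_serial) % MOD


def hk_example():
    """The two .hk serials quoted in the post: (is newer?, updates between)."""
    old, new = 2071506233, 2071521800
    return serial_is_newer(new, old), counter_changes(old, new)


if __name__ == "__main__":
    print("hk serial advanced, changes:", hk_example())
    print("2011-07-11 change #3 as yyyymmddnn:", date_serial(2011, 7, 11, 3))
    print("1310367702 decodes to:", decode_unix_serial(1310367702).isoformat())
```

One operational consequence of the wrap rule is visible in the checks: moving a serial forward by more than 2^31 in one step (for instance from a small counter to a Unix timestamp) is seen by secondaries as going backwards, which is why such migrations are done in two hops.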

2011/07/07

An ISP uses a 6to4 tunnel to serve as v6 DNS resolver

Strange! WTT has rolled out native IPv6 service but it does not want to feed a native IPv6 connection to its own dual-stack resolvers; instead it uses 6to4 tunnels for serving as v6 DNS resolvers.  I had the chance to read WTT's IPv6 configuration guide and noticed that for static configuration, users have to input the DNS resolver as "2002:d596:2a92:1:71:53::". This is a 6to4 tunnel address.  Why not hook up the DNS resolver to its own native IPv6 link?

The extra path to a 6to4 gateway introduces delay and there is no acceptable guarantee of service. Bearing in mind that the WTT 200M native IPv6 service is for corporate users, how come WTT offers a lower class of service by not providing true v4/v6 DNS resolvers?

I think ISPs in Hong Kong should be careful not to rely on tunnels as part of their native v6 service.
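Both this post and the 2011/12/22 post about 2002:ca51:fc74::/48 rest on the same fact: a 6to4 address (RFC 3056) is 2002: followed by the 32 bits of a public IPv4 address, so it can be recognised and decoded mechanically. The added example below (illustrative code using only Python's standard library, not anything from NRO, WTT or the author) derives the 6to4 /48 from an IPv4 address, recovers the embedded IPv4 address from a configured resolver to flag it as tunnelled, and builds the ip6.arpa names behind the "dig -x" in the earlier post. The addresses are the ones quoted in the two posts plus a constructed native address for contrast.

```python
import ipaddress


def sixtofour_prefix(ipv4):
    """The /48 that RFC 3056 derives from a public IPv4 address: 2002:VVVV:VVVV::/48."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(f"2002:{v4 >> 16:04x}:{v4 & 0xffff:04x}::/48")


def embedded_ipv4(ipv6):
    """The IPv4 address carried inside a 6to4 address, or None if not in 2002::/16."""
    return ipaddress.IPv6Address(ipv6).sixtofour


def describe_resolver(ipv6):
    """What a configured v6 resolver address says about the path packets take."""
    v4 = embedded_ipv4(ipv6)
    if v4 is None:
        return "native IPv6 address"
    return f"6to4 address: traffic is relayed over IPv4 to {v4}"


def reverse_name(ipv6):
    """The ip6.arpa name that 'dig -x' queries for this address."""
    return ipaddress.IPv6Address(ipv6).reverse_pointer


def delegation_zone(prefix):
    """The ip6.arpa zone the holder of a prefix administers (nibble boundary)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("reverse delegation works on nibble (4-bit) boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


if __name__ == "__main__":
    print(sixtofour_prefix("202.81.252.116"))                 # 2011/12/22 post
    print(delegation_zone("2002:ca51:fc74::/48"))
    print(reverse_name("2002:ca51:fc74::1"))
    print(describe_resolver("2002:d596:2a92:1:71:53::"))     # this post
    print(describe_resolver("2001:db8::53"))                   # constructed native address
```

The reverse-DNS side explains the "gimmick" in the December post: whoever controls the IPv4 address controls the matching 4.7.c.f.1.5.a.c.2.0.0.2.ip6.arpa style zone, since the 6to4 prefix is a pure function of that address.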

2011/07/06

1.8 GHz or 2.4 GHz cordless phone

My old home cordless phone broke down with the display showing nothing. I had to decide whether to buy a new 1.8 GHz or 2.4 GHz cordless phone. In fact, the choice is not difficult. The 2.4 GHz band is a junk band with lots of devices sharing the frequency channels, like WiFi, Bluetooth, alarms, wireless cameras and many more. When I open my netbook and scan the available WiFi in the neighbourhood, I find 17 SSIDs. Thus, the chance of interference in the 2.4 GHz band is many times higher than in the 1.8 GHz band.

I believe I have made a smart choice in not purchasing a 2.4 GHz cordless phone.

2011/07/05

Remove Joomla icon

Joomla is a very popular open-source content management system for the web and it is estimated that about 2% of websites in the world are running on it.  On some occasions, if I access a website running Joomla, the default Joomla icon is displayed in the address bar.  This is regarded as a security risk, as bad guys can launch attacks targeted at Joomla.  It is desirable to remove the icon (favicon.ico) and replace it with the organisation's or company's logo in a 16 x 16 icon size.

2011/07/01

Stratum 1 or 2 NTP

Yesterday I had a chat with colleagues in the Hong Kong Observatory who are planning to provide a v6 NTP server by the end of 2011.  During the discussion, they corrected me that their v4 or v6 NTP servers are basically Stratum 1, whereas I previously had the idea that these servers were Stratum 2.  The atomic clock itself is regarded as Stratum 0 and if it is networked to an NTP server, that NTP server is then a Stratum 1 facility.  What we are now using in our office LAN is Stratum 2, which gets the time reference signal from a Stratum 1 source to feed to another networked segment.  Counting forward, Stratum 4 is unusable as the accuracy will be further degraded after three networked segments, bearing in mind that each of them introduces some latency.


2011/06/23

Another way to look at IPv6 address space

When talking about the huge capacity of the IPv6 address space, people tend to describe it in a static way, for example that the address space is large enough to assign an IPv6 address to every sand particle or every single leaf on earth. In my view, this is conceptually not correct, since sand particles and leaves do not need to use TCP/IP for communications.

I prefer to think of it in a dynamic way. If 1 million /64 subnets are assigned to people or electronic devices every second, then it would take 584,942 years to exhaust the address space completely (2^64 / (365 * 24 * 3600 * 10^6)). This is longer than the history of human civilization. Will IPv6 addresses be completely exhausted? No way, no need to worry.

2011/06/22

ZSK rollover in Top Level Domains

I am getting confused about the timing of ZSK rollover in Top Level Domains. In the course of a ZSK rollover in a TLD, all the DS records submitted by child zones will be re-signed, and thus the workload is large. Below is my observation:

com. – 1 week
org. – 3 weeks
asia. – 3 weeks
my. – 3 months
th. – 1 week

I cannot locate any RFC related to this technical aspect. Intuitively, from a security angle, I am inclined to think 3 months is too long, while a 1-week ZSK will introduce a heavy workload on the name servers. I tend to think 3 – 4 weeks is the best option.

2011/06/21

Assignment of two IPv6 addresses

Starbucks is my favourite coffee shop, so I would like to assign this IPv6 address to the Starbucks website: 2001::cafe:c0ff:ee.

Likewise, if a supermarket sells poor quality beef to customers, I have no choice but to assign this IPv6 address to the supermarket: 2001::bad:beef.

2011/06/19

iPod battery

My 60 GB iPod was fully charged about 6 months ago.  Afterwards, I did not use it until yesterday.  To my surprise, when I turned it on, the battery status remained fully charged, with no leakage at all.  What kind of battery is Apple using for its iPod, iPad and iPhone series?  What I know is that it is a lithium-based battery with no memory effect.  I had no idea that the battery's charged capacity would not leak even over such a period of time.

2011/06/18

Good news after World IPv6 Day

Finally, there is good news from ISOC after the eventful World IPv6 Day.  ISOC has announced that roughly two-thirds of participating organizations decided to leave their content on IPv6 instead of turning IPv6 off.  This is quite understandable.  The problem of brokenness is very insignificant or even undetectable.  Despite this, I am eagerly waiting for Facebook, Google, Yahoo or ISOC to summarize the captured statistics.

2011/06/17

APNIC’s new logo is fantastic

APNIC’s new logo is fantastically designed. In the capital letters APNIC, "AP" is in bold, which reflects its role as the Regional Internet Registry for the Asia Pacific Region.  The bracket means it is embracing the worldwide Internet community, and the two colons ( :: ) inside the bracket highlight that APNIC is fully committed to IPv6 adoption.

Well done, APNIC.

2011/06/16

Chromebook disappointed me totally

Google has announced the release of the Chromebook at US$499. No, this is not attractive at all. My expectation is that a Chromebook should be sold below US$300.

A Chromebook is no more than a thin client, with the difference that the underlying OS is the Chrome browser. There might be arguments that it offers the benefits of fast boot-up (in less than 10 seconds), longer battery life, and better security (no virus software, a sandboxing approach to protect end users). But are these benefits justified for the high cost?  I would rather add some money and buy an iPad 2 (US$629) or an Android 3.0 tablet, which offer me more functionality, applications and computing power.

2011/06/15

Windows 7 handling RA and RDNSS

My last blog post touched on IPv6 RA with RDNSS, and I would like to thank my reader Revellion for reminding me that Windows 7 machines do not support RDNSS in RA.

Actually, I had some experience of a different scenario. During APRICOT-APAN 2011, I used an IPv6-only network, and the v6 address assigned to my Windows 7 machine looked very much like auto-configuration, yet v6 DNS resolvers were assigned as well. I was mindful that Windows 7 could not support RA with RDNSS, and the question was where the assignment of v6 DNS resolvers came from. The answer was that the network was using DHCPv6 to assign DNS resolvers, while RADVD accomplished the task of auto-configuring IPv6 addresses for clients. Up to this point, I should fire a bullet at Microsoft for not releasing patches to make RA work with RDNSS. This would save the unnecessary provision of a DHCPv6 server.

Luckily, I still keep a picture of the configuration for reference, which is posted below.



2011/06/14

RFC 6106 - IPv6 Router Advertisement Options for DNS Configuration

RFC 6106 has become my favourite RFC in the last 12 months. Four years ago, when I first learnt IPv6, I knew for sure that Stateless Address Autoconfiguration (SLAAC) can assign IPv6 addresses to clients, but what about the assignment of DNS resolvers? Without DNS resolvers, SLAAC is useless, as no one can remember IPv6 addresses. RFC 6106 helps to strengthen the capability of SLAAC by allowing DNS configuration.

In Linux, RADVD can provide full SLAAC functionality plus RDNSS. Just look at the following few lines from the config file template:


interface name {

          list of interface specific options
          list of prefix definitions
          list of clients (IPv6 addresses) to advertise to
          list of route definitions
          list of RDNSS definitions
};

RDNSS ip [ip] [ip] {
     list of rdnss specific options
};

I just wonder if I will have the time to configure a RADVD instance with RDNSS and then test the allocation of prefix and DNS resolvers to Windows 7 machines.
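Router Advertisement options are parsed by every IPv6 host on the link, so the length rules of RFC 6106 matter. The added Python below (example code, not radvd's or the RFC's) encodes and decodes the RDNSS option (type 25: an 8-octet header with a 32-bit lifetime, followed by 16-byte addresses, with the length field counted in 8-octet units) and walks an RA option block while rejecting the zero-length options RFC 4861 forbids; the OpenDNS resolver addresses are used only as sample data.

```python
import ipaddress
import struct

# RFC 6106 option type for Recursive DNS Server (RDNSS); DNSSL is type 31.
RDNSS_TYPE = 25


def build_rdnss_option(servers, lifetime):
    """Encode an RDNSS option: type, length (8-octet units), reserved,
    lifetime in seconds (0xffffffff = infinite), then 16-byte addresses."""
    packed = [ipaddress.IPv6Address(s).packed for s in servers]
    if not packed:
        raise ValueError("RDNSS option needs at least one address")
    if not 0 <= lifetime <= 0xFFFFFFFF:
        raise ValueError("lifetime must fit in 32 bits")
    length = 1 + 2 * len(packed)  # 8-octet header plus two units per address
    if length > 255:
        raise ValueError("too many addresses for one option")
    return struct.pack("!BBHI", RDNSS_TYPE, length, 0, lifetime) + b"".join(packed)


def iter_ra_options(blob):
    """Walk the option block of a Router Advertisement, yielding
    (type, raw_option_bytes).  A zero length field is invalid per RFC 4861
    and would otherwise loop forever, so the whole RA is rejected."""
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = blob[pos], blob[pos + 1]
        if opt_len == 0:
            raise ValueError("option length 0: discard the whole RA")
        size = opt_len * 8
        if pos + size > len(blob):
            raise ValueError("option runs past end of packet")
        yield opt_type, blob[pos:pos + size]
        pos += size


def parse_rdnss_option(opt):
    """Decode one RDNSS option, validating the RFC 6106 length rule
    (odd, at least 3) before slicing out the addresses."""
    if len(opt) < 8:
        raise ValueError("option shorter than the RDNSS header")
    opt_type, opt_len, _reserved, lifetime = struct.unpack("!BBHI", opt[:8])
    if opt_type != RDNSS_TYPE:
        raise ValueError("not an RDNSS option")
    if opt_len < 3 or opt_len % 2 == 0:
        raise ValueError("RDNSS length must be odd and >= 3")
    if len(opt) != opt_len * 8:
        raise ValueError("length field disagrees with option size")
    count = (opt_len - 1) // 2
    servers = [str(ipaddress.IPv6Address(opt[8 + 16 * i:24 + 16 * i]))
               for i in range(count)]
    return {"lifetime": lifetime, "servers": servers}


def rdnss_servers_from_ra_options(blob):
    """Collect every resolver advertised in an RA option block, as a client
    that implements RFC 6106 would install them."""
    found = []
    for opt_type, raw in iter_ra_options(blob):
        if opt_type == RDNSS_TYPE:
            found.extend(parse_rdnss_option(raw)["servers"])
    return found


if __name__ == "__main__":
    # Sample data: the OpenDNS v6 resolvers with a 30 minute lifetime.
    opt = build_rdnss_option(["2620:0:ccc::2", "2620:0:ccd::2"], 1800)
    print(opt.hex())
    print(parse_rdnss_option(opt))
```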

2011/06/13

Kidney for an ipad2

In China, a 17-year-old student sold his kidney for an iPad 2.  The news and interview can be found at the URL http://www.wupia.com/2011/06/a-high-school-student-in-china-sold-his-kidney-for-an-ipad-2/
Apple will definitely release iPad 3, iPad 4, iPad 5 and so on.  I am afraid that after two more rounds, the 17-year-old student will have no more internal organs to sell.
My dear Almighty God, please tell me the meaning and value of life. Can human beings trade their internal organs for electronic devices?

2011/06/12

Which iOS supports IPv6

On World IPv6 Day, some friends and I had a discussion about which iPhone OS (iOS) supports IPv6.  In fact, iOS 4.1 has IPv6 support, but due to the lack of privacy addresses, the use of iOS 4.1 in an IPv6 environment is risky, and users can be tracked through the EUI-64 interface identifier.  iOS 4.3 has privacy addresses enabled by default.  Hence, it is only logical and sensible to claim that iOS 4.3 fully supports IPv6.

Can readers please correct me if I am wrong.  Thank you.

2011/06/11

World IPv6 Day is over, what’s next ?

Now that World IPv6 Day is over, it has proven that the problem of brokenness is insignificant or even undetectable.  What comes next?  We are eagerly waiting for Facebook, Google and Yahoo to publicly announce that they will enable IPv6 access to their web content on a permanent basis, on par with IPv4.  It would be the most eye-catching news if the three billion-hit web conglomerates joined hands and made the announcement together.

Then comes the action of ICANN.  With the biggest content providers supporting IPv6, what strategies should ICANN adopt in order to motivate service providers and CPE vendors to move to IPv6 as quickly as possible?  ICANN should seize this golden opportunity to put pressure on ISPs and CPE vendors, quoting the success of W6D.

2011/06/10

LISP Reliability Issue

Facebook adopts LISP, which necessitates the use of three routers to connect from the IPv6 Internet to Facebook's existing IPv4 platforms. The three routers are namely the Egress Tunnel Router (ETR), the Exchange Tunnel Router (XTR) and the Ingress Tunnel Router (ITR). Readers may refer to my earlier blog post at the URL

http://warrenkwok.blogspot.com/2011/05/facebook-adopts-lisp-to-roll-out-ipv6.html

There is a degradation in reliability as compared to a single router. Assuming each of the three routers has a reliability of 99.9 %, when cascaded together the overall reliability of the routing system drops to 99.7 % (0.999^3). The downtime will increase from 8.76 hours to 26.28 hours in a year.

Can Facebook and other early LISP adopters accept the degradation?

2011/06/09

No IE9 for Windows XP

My son wanted to use IE9 on his Windows XP desktop PC. I told him that this could not be done.

Isn't it fair?  Microsoft does not offer IE 9 for XP. I have tried IE9 on Windows 7. It is fast, performs well in loading graphics and gives a very streamlined tabbed browsing experience.

Frankly, we do not have many choices. IE 8 is buggy. Firefox now not only gets bigger but also gets slower. Chrome has a cache problem, especially when I post comments on other people's status on Facebook. I urge Microsoft to reconsider developing an IE 9 version for current XP users.

2011/06/08

Absolutely amazing. All big content providers and organisations are on IPv6 today.

Absolutely amazing. All big content providers and organisations are on IPv6 today. This is something I have never seen in my life.  I would like to record this moment in the history of the human networked information society.

[warren@dnssec ~]# dig aaaa www.facebook.com +short
2620:0:1c18:0:face:b00c:0:3
[warren@dnssec ~]# dig aaaa www.google.com +short
www.l.google.com.
2404:6800:8002::69
[warren@dnssec ~]# dig aaaa www.yahoo.com +short
fpfd.wa1.b.yahoo.com.
2001:4998:f011:1fe::3000
2001:4998:f011:1fe::3001
[warren@dnssec ~]# dig aaaa www.bing.com +short
ipv6.search.ms.com.edgesuite.net.
a1877.dscb.akamai.net.
2600:140e:3::3cfe:af33
2600:140e:3::3cfe:af38
[warren@dnssec ~]# dig aaaa www.xbox.com +short
www.gtm.xbox.com.
msxbwsd.vo.llnwd.net.
2402:6800:720:11:230:48ff:fe8d:aa6e
2402:6800:720:11:230:48ff:fe8d:a992
[warren@dnssec ~]# dig aaaa www.cisco.com +short
v6day.cisco.com.akadns.net.
geo-v6day.cisco.com.akadns.net.
cisco-redir.v6day.akadns.net.
cisco.v6day.akadns.net.
2001:420:80:1:c:15c0:d06:f00d
[warren@dnssec ~]# dig aaaa www.youtube.com +short
youtube-ui.l.google.com.
2404:6800:8002::5b

2011/06/06

web-based v6 email autoreply tool

My v6 email autoreply tool has been working since Feb 2010.  Network administrators can use an email client to send an email to autoreply@v6-mail.com, and my system v6-mail.com will initiate an autoreply process to test whether their v6 SMTP server can handle v6 email transactions properly.

Based on my past experience, I have further developed a web-based tool with a similar function at http://www.v6-mail.com/. The website is accessible over IPv6 only.  Visitors can type the v6 email address under test together with their name, subject and message content.  Afterwards, they have to type a verification code displayed on the screen to prove that they are not automated scripts.  Once the send button is clicked, they will receive a v6 autoreply email.

I should have developed this tool a bit earlier. Sorry for my laziness.


2011/06/05

Failed the test as a Hong Kong IPv6 website

I tried to submit my v6 website http://www.diaryking.com/ to IPv6World.Asia as a Hong Kong v6-enabled website.  The test failed and my submission was rejected.

The reason was that the ping RTT was about 290 ms from a Hong Kong v6 node, and the acceptance criterion is an RTT < 10 ms.  The site rides on an overseas proxy somewhere in the Netherlands.

I have no bad feelings at all.  The acceptance criterion is fair and reasonable.

2011/06/04

Enable v6 access by web proxy approach

The website below helps v4 website owners make their sites accessible over IPv6.

http://ipv6proxy.prolocation.net/

This is a web proxy approach. A website owner only has to publish an AAAA record pointing to the v6 leg of the proxy server, which is 2a00:d00:ff:131:94:228:131:131. When the proxy receives the HTTP headers, it knows the domain name and can fetch the web content over the v4 network and pass it to the v6 visiting clients.

However, there are some limitations. No doubt end-to-end connectivity is broken, so I can readily imagine that HTTPS and VPN cannot be supported.

2011/06/03

CUHK opens its v6 Stratum 2 NTP Server for public

In our department, we have some equipment that is not dual-stack and rides on IPv6 only.  It is hard to provide a good system clock to these systems, since there is not yet an authoritative v6 NTP server.  I just learned that CUHK has released its v6 Stratum 2 NTP server (ntp.cuhk.edu.hk) for public use.  Thanks to Cheng Chee-hoo of CUHK.

The Hong Kong Observatory will provide its v6 NTP server by the end of 2011.  For the time being, I still have to use the one offered by CUHK.


[warren@dnssec ~]# /usr/sbin/ntpdate -6 ntp.cuhk.edu.hk
 3 Jun 21:09:58 ntpdate[31742]: adjust time server 2405:3000:3:b0:137:189:11:149 offset 0.008007 sec
[warren@dnssec ~]# /usr/sbin/ntpdate -6 ntp.cuhk.edu.hk
 3 Jun 21:09:59 ntpdate[31743]: adjust time server 2405:3000:3:b0:137:189:11:149 offset 0.007619 sec
[warren@dnssec ~]# /usr/sbin/ntpdate -6 ntp.cuhk.edu.hk
 3 Jun 21:09:59 ntpdate[31744]: adjust time server 2405:3000:3:b0:137:189:11:149 offset 0.007238 sec
[warren@dnssec ~]# /usr/sbin/ntpdate -6 ntp.cuhk.edu.hk
 3 Jun 21:10:00 ntpdate[31745]: adjust time server 2405:3000:3:b0:137:189:11:149 offset 0.006820 sec
[warren@dnssec ~]# /usr/sbin/ntpdate -6 ntp.cuhk.edu.hk
 3 Jun 21:10:02 ntpdate[31751]: adjust time server 2405:3000:3:b0:137:189:11:149 offset 0.005666 sec
[warren@dnssec ~]#

2011/06/02

What benefits of IPv6 apart from large address space and elimination of NAT

Tomorrow, I will deliver a talk about IPv6 to the technology community in Hong Kong Science Park.  One of the items touches on benefits of IPv6 other than the large address space and the elimination of NAT.  I purposely scrap IPsec. I have not seen or heard of any practical application of IPsec on IPv6.  The second to discard is the flow label in the header. This can be interpreted as QoS, but as of today not all routers and devices support the flow label.  It is just there for future applications.

In my view, the benefit lies in the efficient header, which removes a lot of outdated fields, while optional information can be packed in the form of extension headers.  On addressing, the hierarchical addressing scheme enables each ISP to simply advertise a clean and lean /32 prefix.  Hence the size of the global routing table can be reduced, which should boost the speed and performance of routers. The last thing I want to mention is path MTU discovery.  In IPv6, routers are not allowed to perform fragmentation; only the source and destination use path MTU discovery to determine the maximum packet size.  This again reduces unnecessary workload on routers.  All three distinctive features taken together sustain the claim that IPv6 is intrinsically faster than IPv4.

The IPv6 protocol is a boring thing.  Frankly, I have no confidence that I can turn it into something interesting!

2011/06/01

SOA minimum to deal with the large number of queries for AAAA record for a website which only runs on IPv4

A DNS administrator set the SOA minimum to 1 minute for a popular domain which only runs IPv4. The result is that there is constantly a large number of queries for the AAAA record throughout the day, and the two sets of authoritative name servers are becoming slow. These queries come from dual-stack Windows 7 and Mac PCs, which always ask for the AAAA record before the A record when accessing a website. In the absence of an AAAA record, the authoritative name servers reply that there is no such record (NXDOMAIN), and the negative cache period for that answer in the querying resolvers is defined by the SOA minimum (60 seconds). After 60 seconds, any query for the domain will make the resolvers look up the AAAA record again.

It is important to set the SOA minimum to a higher value, like 1 hour (3600 sec), to protect the authoritative name servers from overloading. As more and more users change to Windows 7, the DNS traffic asking for non-existent AAAA records will grow. All DNS administrators have a role to play in the smooth and steady operation of the Internet.
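A small added Python model (not from the post) of what the SOA minimum does to authoritative load: it reads the minimum field from a SOA record, derives the negative-cache TTL per RFC 2308 (the smaller of the SOA record's TTL and its minimum field; the same limit governs both NXDOMAIN and the NOERROR/NODATA answer that a name with an A record but no AAAA record receives), and replays a constructed lookup stream through a resolver's negative cache at 60 and 3600 seconds. The SOA records and the workload are constructed.

```python
def parse_soa(rr_line):
    """Pull the TTL and the minimum field out of a SOA resource record in
    zone-file syntax:
    owner TTL IN SOA mname rname serial refresh retry expire minimum"""
    fields = rr_line.split()
    if len(fields) < 11 or fields[2:4] != ["IN", "SOA"]:
        raise ValueError("not a SOA record with an explicit TTL")
    return {"ttl": int(fields[1]), "minimum": int(fields[10])}


def negative_cache_ttl(soa):
    """RFC 2308: a resolver caches a negative answer for the smaller of the
    SOA record's TTL and its minimum field."""
    return min(soa["ttl"], soa["minimum"])


def upstream_misses(lookup_times, neg_ttl):
    """Replay client lookups (timestamps in seconds) through one resolver's
    negative cache and count how many are forwarded to the authoritative
    servers.  A lookup is a miss when no cached negative answer is valid."""
    valid_until = None
    misses = 0
    for t in sorted(lookup_times):
        if valid_until is None or t >= valid_until:
            misses += 1
            valid_until = t + neg_ttl
    return misses


def daily_aaaa_load(resolvers, lookup_interval, neg_ttl):
    """AAAA queries per day reaching the authoritative servers from
    `resolvers` caching resolvers whose clients look the name up every
    `lookup_interval` seconds (constructed, evenly spaced workload)."""
    times = range(0, 24 * 3600, lookup_interval)
    return resolvers * upstream_misses(times, neg_ttl)


# Constructed SOA records for the two settings discussed in the post.
SOA_ONE_MINUTE = ("example.com. 3600 IN SOA ns1.example.com. "
                  "hostmaster.example.com. 2011060101 7200 900 1209600 60")
SOA_ONE_HOUR = ("example.com. 3600 IN SOA ns1.example.com. "
                "hostmaster.example.com. 2011060102 7200 900 1209600 3600")

if __name__ == "__main__":
    for soa in (SOA_ONE_MINUTE, SOA_ONE_HOUR):
        ttl = negative_cache_ttl(parse_soa(soa))
        # 1000 resolvers, each seeing a client lookup every 10 seconds.
        print(ttl, daily_aaaa_load(1000, 10, ttl))
```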

2011/05/31

Facebook adopts LISP to roll out IPv6 Service

This is a diagram drawn by me about how Facebook rolls out its IPv6 service.

LISP (Locator/Identifier Separation Protocol) is amazing. It redefines the relationship between end-point, IP address and router. The IP address assigned to an end-point is simply an identifier, and the router is a locator. If the locator can be split into egress and ingress network elements, and with the addition of a one-to-one v4-v6 mapping, then all existing v4 platforms can serve v6. Facebook can then save hardware cost, avoid v4 and v6 software clashes and, most importantly, achieve a quick roll-out of its IPv6 service.

There are two questions remaining. First, can LISP handle huge traffic, and second, how can resilience be built into LISP?

No matter what, LISP is a promising new technology which content providers should pay attention to.

2011/05/29

IPv6 Cache Servers + IPv4 Forwarders

Our company has implemented a native IPv6 link, and we now have an IPv6-only network. However, on testing through test-ipv6.com, the score for IPv6 stability and readiness was just 7/10.  The problem is that the two DNS resolvers on IPv6 offered by the serving ISP are just caching servers which pass queries to two forwarders.  The forwarders can only support IPv4.  We are surprised to note that an IPv6-capable ISP does not offer full IPv6 connectivity for its name resolving systems.  This will affect our global IPv6 reachability.

As a small customer, we do not have the power to ask the ISP to change its network architecture.  We can only alert the ISP, hoping that it will do something positive.  On the other hand, the cost of setting up our own IPv6 or dual-stack resolvers is insignificant.

2011/05/28

A message to all my IT friends in Facebook

In view of the recent Internet Learning Support Program incident and the advantages given to iProA, I have no choice but to send out a message to all my IT friends on Facebook, which reads as follows:


"Dear XXX,


You are in the IT field. Are you a member of iProA ? If so, I am not your friend anymore. I ask this because most of my friends are in the IT Sector. Some of them turn to DAB and iProA to get social and political advantages. I want to make sure all my IT friends are clean from DAB poison. 

Sorry to bother you and ask you."



All replies so far are positive.

2011/05/27

OpenDNS offers IPv6 resolvers

Some years ago, I tried the OpenDNS resolvers at 208.67.222.222 and 208.67.220.220. The performance is OK, and the two resolvers are on different networks to avoid a single point of failure. The good news today is that OpenDNS can now provide IPv6 resolvers at 2620:0:ccc::2 and 2620:0:ccd::2 for the Internet community. Looking at the address syntax, the two resolvers are on different /48 subnets, again giving some resilience.

I definitely have a need for IPv6 resolvers for network configuration, testing and troubleshooting. A big hand to OpenDNS.

2011/05/26

Impact of World IPv6 Day to Hong Kong

As World IPv6 Day (W6D) is approaching, IT people in this city are starting to think about how many users will not be able to access Facebook, Google and Yahoo, and what the overall impact on Hong Kong will be.  If we look at the nature of IPv6 brokenness, it is the behaviour of dual-stack clients wrongly selecting 6to4 tunnels instead of the native IPv4 path to reach a destination website that runs both native IPv4 and IPv6.  Hong Kong is quite lucky, as Hurricane Electric (HE) has provided a 6to4 gateway with ample bandwidth.  The clients will use 6to4 tunnels to reach HE’s 6to4 gateway and then access Facebook, Yahoo or Google over IPv6 without breakage.  This works on the condition that the serving ISPs do not block protocol 41 in their firewalls and that access to the anycast address 192.88.99.1 is not restricted either.  Specifically, there should be no intentional blocking of the anycast network 192.88.99.0/24 on the ISP side.  In other words, the impact on Hong Kong is quite minimal if ISPs are willing to let protocol 41 pass through.

On checking the number of ASNs advertising 192.88.99.0/24, I notice that there are 33 6to4 gateways in the world. In some other countries where there is no 6to4 gateway, users will experience brokenness on W6D.

In case of a complete breakdown of HE’s 6to4 gateway in Hong Kong, there would be about 2500 users with broken access.  The figure is based on the 0.05 % brokenness estimated by ISOC multiplied by 5 million PC users in Hong Kong.  I must say this is an unfounded worry.

How about congestion in the 6to4 gateway?  This should not be a problem, since HE’s 6to4 gateway has a bandwidth of 1 Gbps, and if 2500 users access the gateway at the same time, each user can have a 400 kbps connection.

I think I am the first IT person to analyze the impact of W6D on Hong Kong.  I hope my analysis is sound and justifiable.
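To put numbers on an analysis like the one above, here is an added Python example (not from the original post) that classifies visitor addresses from a constructed access log into native IPv6, 6to4 (2002::/16), Teredo (2001::/32) and IPv4, extracts the relay-side IPv4 address embedded in a 6to4 client address, and reports what share of a site's v6 visitors depend on a tunnel rather than native connectivity, the reliance the 2011/07 post warns ISPs against. The log lines use documentation-range and example addresses, not real visitors.

```python
import ipaddress
from collections import Counter


def classify_client(addr):
    """Label a client address by how it reaches a dual-stack site:
    native v6, 6to4 (2002::/16), Teredo (2001::/32) or plain IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "ipv4"
    if ip.sixtofour is not None:      # stdlib decodes the 2002::/16 form
        return "6to4"
    if ip.teredo is not None:         # stdlib decodes the 2001::/32 form
        return "teredo"
    return "native-v6"


def relay_side_ipv4(addr):
    """For a 6to4 client, the IPv4 address embedded in bits 16..47 of its
    prefix: the v4 endpoint a 6to4 relay encapsulates replies towards."""
    ip = ipaddress.IPv6Address(addr)
    return None if ip.sixtofour is None else str(ip.sixtofour)


def tunnel_exposure(log_lines):
    """Parse common-log-format lines (client address is the first field)
    and report how many v6 visitors depend on a tunnel.  Lines whose first
    field is not an address are counted under 'unparsed' rather than
    aborting the run."""
    counts = Counter()
    for line in log_lines:
        fields = line.split()
        if not fields:
            continue
        try:
            counts[classify_client(fields[0])] += 1
        except ValueError:
            counts["unparsed"] += 1
    v6_total = counts["native-v6"] + counts["6to4"] + counts["teredo"]
    tunnelled = counts["6to4"] + counts["teredo"]
    share = tunnelled / v6_total if v6_total else 0.0
    return {"counts": dict(counts), "tunnelled_share": share}


# Constructed sample access log (documentation ranges, a 6to4 address that
# embeds 192.0.2.4, and the RFC 4380 Teredo example address).
SAMPLE_LOG = """\
2001:db8:1::10 - - [08/Jun/2011:10:00:01 +0800] "GET / HTTP/1.1" 200 512
2002:c000:204::1 - - [08/Jun/2011:10:00:02 +0800] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [08/Jun/2011:10:00:03 +0800] "GET / HTTP/1.1" 200 512
2001:0:4136:e378:8000:63bf:3fff:fdd2 - - [08/Jun/2011:10:00:04 +0800] "GET / HTTP/1.1" 200 512
2001:db8:2::5 - - [08/Jun/2011:10:00:05 +0800] "GET / HTTP/1.1" 200 512
""".splitlines()

if __name__ == "__main__":
    print(tunnel_exposure(SAMPLE_LOG))
    print(relay_side_ipv4("2002:c000:204::1"))
```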

2011/05/25

Empty a file

I note that most people use /dev/null to empty an existing file, such as:

#cat /dev/null > dnssec.log

Another common usage is "echo -n > dnssec.log".

My way of clearing all the content of a file is odd, as I am using tail:

#tail dnssec.log > dnssec.log

Interestingly, I forget how, where and when I learnt this crazy command.  Indeed, I don't quite understand how printing the last few lines of a file on screen and then piping it to the file itself can actually clear all the content.
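The added Python below (not part of the post) shows why that command empties the file: the shell opens and truncates the redirection target before it starts tail, so tail reads an already empty file and writes nothing back. It runs the page's command through sh, replays the same order of operations in Python, and for comparison shows a rename-based way to actually keep the last lines of a file in place; the sample log is constructed.

```python
import os
import subprocess
import tempfile


def shell_tail_redirect(path):
    """Run the page's command, `tail FILE > FILE`, through sh and return
    the file size afterwards (0: the redirection truncated it first)."""
    subprocess.run(["sh", "-c", 'tail "$1" > "$1"', "sh", path], check=True)
    return os.path.getsize(path)


def what_tail_sees(path):
    """Replay the shell's order of operations: the redirection is set up
    (open with O_TRUNC) before the command starts, so by the time tail
    opens the file for reading there is nothing left in it."""
    out_fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    try:
        with open(path, "rb") as src:   # this is tail's read of the file
            return src.read()           # b"": nothing to print, nothing written
    finally:
        os.close(out_fd)


def keep_last_lines(path, n=10):
    """What one might expect `tail f > f` to do: keep only the last n lines.
    Write them to a temp file in the same directory, then rename it over
    the original, so the content is never lost part-way.  Returns the
    lines that were kept."""
    with open(path, "rb") as src:
        last = src.readlines()[-n:]
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "wb") as dst:
        dst.writelines(last)
    os.replace(tmp, path)
    return [line.decode() for line in last]


def make_log(lines=25):
    """Constructed sample log for the demo; returns its path."""
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "w") as f:
        for i in range(lines):
            f.write(f"line {i}\n")
    return path


def file_size(path):
    return os.path.getsize(path)


if __name__ == "__main__":
    log = make_log()
    print("before:", file_size(log), "bytes")
    print("after tail redirect:", shell_tail_redirect(log), "bytes")
```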

2011/05/24

If it is not CISSP, it may not be the best fit

CISSP holders, when accessing ISC2 website (http://www.isc2.org/), please don't be annoyed by the banner of a dog trying to get into a tiny wooden hut. ISC2 is just promoting the status of CISSP with a key message “If it is not CISSP, it may not be the best fit”.

2011/05/23

Facebook Internet email addresses are easy to harvest

Facebook offers me the Internet email address “warren.kwok@facebook.com”, as I have the URL www.facebook.com/warren.kwok for other Facebook users to view my profile. I am quite worried that my Facebook email address can be harvested easily and this account will receive a large amount of spam. I have tried randomly playing with the following URLs after logging in, to find out whether such Facebook users are valid:

www.facebook.com/peter.chan
www.facebook.com/andy.chan
www.facebook.com/david.lee

All succeeded. That means I have harvested three valid email addresses @facebook.com.

Without knowing what Facebook can do in anti-spam, I have no choice but to stop the email account @facebook.com by setting the privacy preferences not to receive any Internet email messages.  The returned error message below verified that things work as I expected:

***** Quote *****
Final-Recipient: rfc822; warren.kwok@facebook.com
Diagnostic-Code: smtp; 550 5.1.1 RCP-P2 http://postmaster.facebook.com/response_codes?ip=202.81.252.116#rcp Refused due to recipient preferences
Action: failed
Last-Attempt-Date: Sun, 22 May 2011 18:37:56 -0700
Status: 5.1.1
***** End of quote *****

2011/05/21

Control-Enter shortcut key in IE Browser

When using Chrome and Firefox, if I just type "cnn" followed by CTRL-ENTER, the address bar will make up the site "www.cnn.com" and the content can be displayed successfully. This is a special hotkey in browsers, and I think that might be a reason corporations and companies like ".com" so much, due to its convenience over other Top Level Domains in browsers.

But what happens in my IE? If I do the same in IE, the address bar becomes "www.cnn.com.tw". Hey, the crazy thing is ".tw". It is because my IE browser is a Taiwanese version. I don’t understand why Microsoft is so crazy as to insert ".tw" when dealing with the most common CTRL-ENTER shortcut in a Taiwanese version of IE. I am not going to change my IE to the English version just because of this crazy flaw. I must say I hate the foolish mindset of Microsoft software people.

2011/05/20

chksig - DNSSEC tool for Windows

Right now, there is hardly any DNSSEC testing tool for Windows other than dig, which is command-line based. Chksig (http://www.simpledns.com/outbox/chksig.zip) can be handy to troubleshoot faults in DNSSEC-signed name records on authoritative name servers.

This tool is bundled with another copy which works on the DOS command-line interface.  Using this tool in both GUI mode and command-line mode is interesting.

2011/05/19

nslookup should be phased out

Shit! A large number of system administrators are still using “nslookup” to test and troubleshoot faults in resolvers and name servers. They should be aware that “nslookup” is an outdated, primitive tool which cannot offer much help. They should use “dig”.  Dig for Windows is widely available.  Alternatively, they can install BIND for Windows but just use dig, without bothering to set up an authoritative name server or resolver.

Just ask yourself a simple question: can nslookup tell whether a resolver has successfully verified the signature of a queried name record when the zone being interrogated is DNSSEC-signed?

2011/05/18

103/8

For those who have visited the APNIC website after 15 April, they should have noticed a flashing banner with the big words "103/8", which I have captured below:

103/8 is the final /8 block, and when allocation from the 103 prefix started, APNIC had already activated the final /8 policy.   The final /8 policy only allows existing or new members to get a /22 (1024 IPv4 addresses), which can only be used to build v4<->v6 transition systems for supporting IPv6 networks to reach IPv4 networks.  This banner might stay on the APNIC website for up to 5 years.  Its purpose is to remind ISPs and corporations that they should move to IPv6 now.

The consumption of v4 addresses in the AP Region is alarming.  In Feb 2011, IANA allocated 39/8 and 106/8 to APNIC.  These two blocks were depleted in early April 2011, prompting APNIC to activate the final /8 policy for the last block.