This is Warren Kwok's Internet note pad, electronic diary, online rubbish journal, whatever you might name it ! It is an archive of my random thoughts in a chronological order. I am not good at reporting boring things and change them to lively. If you find this blog boring, sorry that it is your problem.
2011/02/27
2011/02/26
AOA Audio Extractor
AOA Audio Extractor is a great feel program. It helps me to extract audio from video files. Very easy to use and no need to read the fucking manual. Enjoy !
2011/02/24
Will .cn implement DNSSEC
During the DNSSEC Summit on 21 Feb at APRICOT-APAN 2011, CNNIC representative (forget his name) said there are many problems with DNSSEC such as extra processing power, extra bandwidth, poor efficiency, frequent updates plus China does not want to use foreign software for signing .cn zones as it is a national security matter.
The guy did not tell the main reason behind it. DNSSEC will make China's Great Firewall (GFW) unworkable in poisoning domain names as a way of blocking websites.
I tend to think DNSSEC will not be implemented in China as long as GFW employs cache poisoning.
2011/02/22
DNS64/NAT64 supports https
Today was the second day I joined APRICOT-APAN2011. The organizer announced that there was an AP giving IPv6 addresses only and the facility had been equipped with DNS64/NAT64 for crossing to IPv4 networks. After using it, I was fascinated to note that my IPv6-only Windows 7 laptop could access all IPv4 websites without difficulty. What's more, I was able to establish HTTPS connections with IPv4 servers. Here below are two pictures to show the IPv6 addresses and the DNS64 mechanism.
In the 2nd screen cap, the IP address of facebook 66.220.147.44 was mapped to 64:ff9b::42dc:932c. Needless to say 42dc:932c is exactly 66.220.147.44.
Fantastic network showcase at APRICOT-APAN2011
I joined the first day of APRICOT-APAN2011. The infrastructure of the conference venue surprised every participant. The Internet backbone for the conference venue was running at 100 Gbps. There were over 70 WiFi access points scattered in the conference hall and various meeting rooms. Depending on the SSID we chose, the WiFi access points could offer both IPv4 and IPv6 addresses to clients, or IPv6 addresses only, or both IPv4 and IPv6 addresses on the 802.11a 5 GHz frequency band, which should be very high speed. What's more, there was a pool of Ethernet ports, each of which could offer a 1 Gbps connection.
This showcase in Hong Kong reminded me about the Beijing Olympics Games in 2008. I think other countries might be scared to host APRICOT after seeing Hong Kong's effort in offering top class infrastructure for the conference.
2011/02/15
Accessing a website with IPv4 and 6to4 address
This is an interesting question. When a dual-stack host with both native IPv6 and IPv4 connectivity accesses a website http://www.abc.com/ which has an IPv4 address and a 6to4 address, should the client host use the IPv4 or the IPv6 path? Since the IPv6 address of the server is not a native one and is less reliable, the client host shall abandon IPv6 and use the IPv4 connection only.
I have tested and the scenario is verified correct.
2011/02/14
PCI WLAN router died
My PCI WLAN router, model BLW-04EM, had been working fine for over six years. Today, the WLAN transmission suddenly ceased, which might be due to failure of the radio transceiver. Actually, this one supported WEP, the key of which can be compromised easily. I have long considered buying another WLAN router that comes with WPA. This is the right time for replacement.
2011/02/13
IP range for WLAN
I have come across a lot of guidelines and tips on securing WiFi access points. The actions that can be taken include disabling SSID, using WPA2, employing a MAC address filter, not using default factory settings, changing admin passwords, turning off DHCP and just asking clients to use static IP addresses, and finally only logging on to the access point through LAN instead of wireless.
Strange ! For DHCP config or static IP config, nobody mentions changing the default network of 192.168.0.1/24 to another difficult-to-remember RFC1918 range such as 10.97.103.0/24 and the Access Point IP address from 192.168.0.1 to some IP like 10.97.103.29 etc. It is easy to launch an attack if APs are riding on 192.168.0.1 and bad guys need not try other IP addresses. I tend to think the reason for not doing this is home users must be familiar with RFC1918 IP ranges and the subnet masks.
2011/02/09
Windows 7 in handling IPv4 and IPv6 connectivity
I promised myself to jot down some reference notes on Windows 7 and Windows 2008 Server in handling IPv4 and IPv6 connectivity. The following touches on different scenarios based on my past experience.
Difference between Windows XP and Windows 7
Windows XP and Windows 2003 Server do not come with IPv6. On the other hand, Windows 7 and Windows 2008 Server have IPv6 fully enabled by default. Some people are worried that automatic tunnelling in Windows 7 poses security risks and they want to uninstall the IPv6 stack. Microsoft strongly advises not to do this since the kernel of Windows 7 and Windows 2008 Server is closely integrated with IPv6. There is no guarantee that all internal functions of Windows 7 can proceed in the absence of the IPv6 stack.
DNS interactions in Windows 2003 and Windows 7
When browsing a website, Windows 7 will request AAAA record first and then followed by A record in the name resolution process. In the case of Windows XP IPv4 single stack hosts, only A record is queried. To be fair, the extra query is necessary as dual-stack hosts take care of selecting IPv6 or IPv4 path to access a particular web server.
Windows 7 – native IPv4 + native IPv6
Native IPv6 has a higher routing preference than native IPv4. As a rule of thumb, to reach a dual-stack website, native IPv6 (as opposed to Teredo and 6to4) will always be selected first.
Windows 7 – IPv4 + Teredo IPv6 address
Teredo is created on a pseudo-network interface. Teredo has a lower routing preference than native IPv4. In case of accessing a dual-stack website, IPv4 will be selected.
Windows 7 – IPv4 + 6to4 IPv6 address
Same as Teredo, 6to4 is also a pseudo-network interface and therefore it has a lower routing preference than native IPv4. When accessing a dual-stack server, IPv4 will be selected.
Windows 7 – IPv4 + GUI-based Tunnel Broker Client
The GUI based tunnel broker client (such as gogoclient) establishes a generic network interface to the OS. Since it is not a pseudo-network interface, Windows 7 and Windows 2008 regard it as native IPv6. With GUI-based tunnel broker client, IPv6 will be selected first when accessing a dual-stack website.
Windows 7 – 6to4 and Teredo disabled by native IPv6
When any network interface (Ethernet, tunnel broker) is fired up with native IPv6, 6to4 and Teredo will be disabled completely. This makes logical sense since the transitional IPv6 access is no longer required.
Finally, I have not tested the case of IPv6 on Wifi interface as I do not have an AP capable of allocating IPv6. I think IPv6 on WiFi can disable Teredo, 6to4 and also has a higher routing preference than native IPv4 on LAN port.
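The orderings in the scenarios above, and in the 6to4 website question of 2011/02/15, can be reproduced from the RFC 3484 default address selection rules. The following is an added example, not code from this blog or from Microsoft: it implements only the label-match and precedence rules, the policy table is the RFC 3484 default plus a Teredo row (assumed to match what `netsh interface ipv6 show prefixpolicies` prints on Windows 7), and all addresses are constructed documentation values.

```python
import ipaddress

# (prefix, precedence, label): RFC 3484 defaults plus a Teredo row.
# Assumption: this matches the Windows 7 prefix policy table.
POLICY = [(ipaddress.ip_network(p), prec, label) for p, prec, label in [
    ("::1/128", 50, 0), ("::/0", 40, 1), ("2002::/16", 30, 2),
    ("::/96", 20, 3), ("::ffff:0:0/96", 10, 4), ("2001::/32", 5, 5)]]

def classify(addr):
    """Return (precedence, label) by longest-prefix match.

    IPv4 addresses are looked up as IPv4-mapped ::ffff:a.b.c.d."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        ip = ipaddress.IPv6Address((0xFFFF << 32) | int(ip))
    rows = [row for row in POLICY if ip in row[0]]
    _, prec, label = max(rows, key=lambda row: row[0].prefixlen)
    return prec, label

def pick_source(dst, sources):
    """Same-family source for dst, preferring a matching label; None if none."""
    family = ipaddress.ip_address(dst).version
    usable = [s for s in sources if ipaddress.ip_address(s).version == family]
    usable.sort(key=lambda s: classify(s)[1] != classify(dst)[1])
    return usable[0] if usable else None

def order_destinations(dsts, sources):
    """Sort destinations: usable first, then label match, then precedence."""
    def key(dst):
        src = pick_source(dst, sources)
        prec, label = classify(dst)
        mismatch = src is None or classify(src)[1] != label
        return (src is None, mismatch, -prec)
    return sorted(dsts, key=key)

# Constructed addresses (documentation ranges) for the scenarios above.
V4_SRC, V4_DST = "192.0.2.10", "198.51.100.80"
NATIVE_SRC, NATIVE_DST = "2001:db8::10", "2001:db8:1::80"
TEREDO_SRC = "2001:0:53aa:64c::1"
SIXTO4_SRC, SIXTO4_DST = "2002:c000:20a::1", "2002:c633:6450::80"

if __name__ == "__main__":
    for name, v6 in [("native", NATIVE_SRC), ("Teredo", TEREDO_SRC),
                     ("6to4", SIXTO4_SRC)]:
        first = order_destinations([V4_DST, NATIVE_DST], [V4_SRC, v6])[0]
        print(f"IPv4 + {name} IPv6 host tries {first} first")
```

A Teredo or 6to4 source carries a different label from a native IPv6 destination, so the IPv4 pair wins on label match before precedence is even compared.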
2011/02/02
IPv4 address exhaustion and final "/8" block allocation policy
ICANN and IANA will announce on 3 Feb 2011 (tomorrow) the complete exhaustion of IPv4 addresses worldwide. Watch out for wide international media coverage.
This does not mean ISPs cannot obtain further IPv4 allocations from the five RIRs (APNIC, ARIN, LACNIC, AfriNIC and RIPE), but RIRs will never get anything from their mother.
According to APNIC, yesterday, it received the final allocations of "39/8" and "106/8" from IANA. APNIC will continue to make allocations according to its own established policies. APNIC expects normal allocations to continue for a further three to six months.
After this time, APNIC will act on the final "/8" policy and each member will only have a single chance of obtaining a "/22" block or 1024 IPv4 addresses for IPv6 transitional arrangements. After all, ISPs or mobile operators must build some IPv6-IPv4 systems for bridging to IPv4 networks even if they roll out their IPv6 access networks. APNIC expects that the final "/8" for IPv6 transition can last for five years.
The final "/8" block of APNIC can serve 16384 companies in the Asia Pacific Region for preparing their transitional arrangements.
2011/02/01
DNS64/NAT64 for IPv6 hosts to access IPv4 websites
DNS64/NAT64 is a method of allowing IPv6 hosts to access IPv4 websites. I find a schematic diagram to illustrate how these two systems work:
If the DNS resolves that a website has an A record only, it then appends the IPv4 address of the A record to an IPv6 prefix to form the AAAA record as the destination address. NAT64 recognizes that this prefix is for routing to IPv4 hosts and it knows how to extract the relevant IPv4 address for subsequent routing.
As a home user, it is not easy for me to try this set up due to the lack of NAT64 router. The best I can play is DNS64 and by way of dig, I might try to test if an A record can be appended successfully to form an AAAA record.
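The mapping described here, and the 66.220.147.44 to 64:ff9b::42dc:932c example in the 2011/02/22 post, can be checked offline. The following is an added example, not code from this blog: it goes beyond the /96 case on the page and follows the RFC 6052 embedding for all allowed prefix lengths; the function names are hypothetical and the 2001:db8 prefixes are documentation values.

```python
import ipaddress

WKP = "64:ff9b::/96"  # well-known NAT64 prefix, as seen in the post

def _nat64_net(prefix):
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in (32, 40, 48, 56, 64, 96):
        raise ValueError("RFC 6052 allows only /32 /40 /48 /56 /64 /96")
    return net

def synthesize(ipv4, prefix=WKP):
    """Embed an IPv4 address in a NAT64 prefix, as DNS64 does for an AAAA."""
    v4 = ipaddress.IPv4Address(ipv4)
    net = _nat64_net(prefix)
    # RFC 6052: the well-known prefix must not carry non-global IPv4
    # addresses (e.g. RFC 1918), so refuse to synthesize those.
    if net == ipaddress.IPv6Network(WKP) and not v4.is_global:
        raise ValueError("well-known prefix must not carry non-global IPv4")
    buf = bytearray(net.network_address.packed[: net.prefixlen // 8])
    for octet in v4.packed:
        if len(buf) == 8:   # bits 64..71 are reserved and stay zero
            buf.append(0)
        buf.append(octet)
    buf.extend(bytes(16 - len(buf)))  # zero suffix
    return ipaddress.IPv6Address(bytes(buf))

def extract(ipv6, prefix=WKP):
    """Recover the IPv4 address a NAT64 gateway would route to."""
    addr = ipaddress.IPv6Address(ipv6)
    net = _nat64_net(prefix)
    if addr not in net:
        raise ValueError("address is not inside the NAT64 prefix")
    raw = bytearray(addr.packed)
    start = net.prefixlen // 8
    if start < 12:          # every length except /96 skips reserved octet 8
        del raw[8]
    return ipaddress.IPv4Address(bytes(raw[start:start + 4]))

if __name__ == "__main__":
    print(synthesize("66.220.147.44"))           # value from the post
    print(extract("64:ff9b::42dc:932c"))
    print(synthesize("192.0.2.33", "2001:db8:100::/40"))
```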