2012/12/29

GovWiFi IPv6 again

I went to Central Library today to try out the GovWiFi IPv6 service.  Everything is transparent to users; they do not even know that they are reaching Facebook, Google, Yahoo and YouTube over IPv6.  It should be faster than the IPv4 connections.  I took two screen captures to verify my IPv6 connection.

2012/12/28

GovWiFi now supports IPv6

I am supposed to track all major IPv6 developments in HK, but I regret that I was a bit late in noticing the next-generation GovWiFi, which supports IPv6 on 802.11n.  Here it is:

http://www.info.gov.hk/gia/general/201212/21/P201212210311.htm

This is a major development of IPv6 in HK.

2012/11/15

wrong hole

Wrong Hole is the most interesting song, lyrics included, that I have ever encountered.

http://www.youtube.com/watch?v=Fm_dlpB0Wmc&feature=rellist&playnext=1&list=PL35EA36D0A5F4367F

The video has had 1.9 million views.  Well, to be honest, if it is dark and the two holes are so close together, it is not unusual to stick it in the wrong hole.


2012/11/09

Taobao is on IPv6

Taobao.com is mainland China's equivalent of eBay.  It has announced a large-scale IPv6 trial at:

ipv6.taobao.com

I have traced the path.  Interestingly, it goes through HK6IX and CERNET2 as follows:

Netfront (my IPv6 ISP) <-> HK6IX <-> CERNET2 <-> Alibaba <-> IPv6 at Taobao

Thanks to HK6IX and CERNET2, which help to make the connection fast.

2012/10/30

HSBC pays little attention to the prevention of email phishing.

I received an email from HSBC about the annual service fee.  Usually, when I receive an email from a bank, I open the email header to check whether it really comes from the bank or is just a phishing email.  For HSBC's email, the sender domain checked out.  However, there was no DKIM signature in the email header.  To probe further, I dug the SPF record of hsbc.com.hk.  Oh no, its SPF ends in "soft fail" (~all).  That is a poor setting: a receiving server treats a soft fail as a hint rather than a reason to reject, so a forged sender in that domain still gets delivered.  Without proper use of SPF and DKIM, I can only conclude that HSBC pays little attention to the prevention of email phishing.
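The two checks described above (the qualifier on the SPF "all" term, and whether a DKIM signature is present and aligned with the From: domain) can be scripted.  The following is an added example and not code from the original post; the SPF records and message headers in it are constructed for the example and describe no real bank, and the in-line table stands in for the TXT look-up that dig would do.

```python
"""Email-authentication posture check for a sender domain, as an added example
(not code from the original post).  It finds the qualifier on the final "all"
term of an SPF record, and looks for a DKIM-Signature header whose d= domain
aligns with the From: domain.  The SPF records and message headers below are
constructed for the example and describe no real bank; the in-line table
stands in for the TXT look-up that dig would do."""
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed SPF TXT records (not real DNS data).
SPF_TABLE = {
    "weak.example":   "v=spf1 include:_spf.mailer.example ~all",
    "strong.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "nospf.example":  None,
}

QUALIFIER_NAMES = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_all_qualifier(record):
    """Return the qualifier of the 'all' mechanism ('+', '-', '~' or '?'),
    or None when there is no SPF record or no 'all' term at all."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"   # RFC 7208: a missing qualifier means "+"
    return None

def dkim_alignment(raw_headers):
    """Return (has_dkim, aligned).  'aligned' uses relaxed alignment: the
    DKIM d= domain equals the From: domain or is a parent of it."""
    msg = HeaderParser().parsestr(raw_headers)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    sig = msg.get("DKIM-Signature")
    if not sig:
        return False, False
    compact = re.sub(r"\s+", "", sig)           # unfold and drop whitespace
    tags = dict(t.split("=", 1) for t in compact.split(";") if "=" in t)
    d = tags.get("d", "").lower()
    aligned = bool(d) and (from_domain == d or from_domain.endswith("." + d))
    return True, aligned

def assess(domain, raw_headers, spf_table=SPF_TABLE):
    """List the weaknesses a receiver would see for mail claiming this domain."""
    issues = []
    q = spf_all_qualifier(spf_table.get(domain))
    if q is None:
        issues.append("no usable SPF record")
    elif q != "-":
        issues.append(f"SPF ends in {QUALIFIER_NAMES[q]} ({q}all)")
    has_dkim, aligned = dkim_alignment(raw_headers)
    if not has_dkim:
        issues.append("no DKIM-Signature header")
    elif not aligned:
        issues.append("DKIM d= does not align with From: domain")
    return issues

# Constructed message headers for the example (the signature values are dummies).
UNSIGNED_HEADERS = """\
From: Bank Notices <notice@weak.example>
To: customer@example.net
Subject: Annual service fee
"""

SIGNED_HEADERS = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=strong.example;
\ts=sel1; h=from:to:subject; bh=ZHVtbXk=; b=ZHVtbXk=
From: Bank Notices <notice@mail.strong.example>
To: customer@example.net
Subject: Annual service fee
"""

if __name__ == "__main__":
    for domain, headers in (("weak.example", UNSIGNED_HEADERS),
                            ("strong.example", SIGNED_HEADERS)):
        print(domain, assess(domain, headers) or ["no issues found"])
```

Alignment is what ties the signature to the visible sender: a valid DKIM signature from some unrelated d= domain proves nothing about the From: address the user sees, which is why the check compares the two.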

2012/10/28

BlueScreenView

I hate the Windows Blue Screen of Death (BSOD).   Just yesterday, one Windows 7 machine hit a BSOD three times in a day.  After rebooting, I used BlueScreenView to look at the dump file.  It showed that the driver athurx.sys caused the crash.  The driver belongs to a TP-LINK wireless adapter, and the remedy was to reinstall the latest driver from the TP-LINK website.  It seems resolved now, but I have to wait a few more days to verify the stability.


2012/10/23

Resources Public Key Infrastructure (RPKI)

My colleagues in the HKSAR Government have successfully signed the Government's routing prefixes with RPKI, and the result can be checked on Hurricane Electric's BGP portal.


I guess the HKSAR Government is the first entity in Hong Kong to adopt RPKI signing to help secure the global routing infrastructure.  Signing (publishing ROAs) is just one part.  For routers to act on it, they must support route origin validation and must be fed by an RPKI validating cache server (over the RTR protocol, RFC 6810) that has the trust anchors of the five RIRs configured; only then can a router mark a received announcement as valid, invalid or not found and apply a policy to it.  Again, I have no doubt that the Government will be the first entity in Hong Kong to adopt the full set of RPKI configurations.
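What the validating side actually computes is route origin validation as in RFC 6483.  The following is an added example (not code from the HKSAR Government, Hurricane Electric or any RPKI cache): each announcement is compared with the ROAs covering its prefix and gets one of three states.  The ROAs and routes are constructed for the example and use documentation prefixes and private AS numbers.

```python
"""Route Origin Validation (RFC 6483) against a set of ROAs, as an added
example (not code from the HKSAR Government or Hurricane Electric).  Each BGP
announcement is compared with the ROAs that cover its prefix and gets one of
three states: valid, invalid, or not-found when no ROA covers it.  The ROAs and
routes below are constructed for the example and use documentation prefixes
and private AS numbers."""
import ipaddress

# Constructed ROAs: (prefix, maxLength, authorised origin AS).  Not real RPKI data.
ROAS = [
    ("203.0.113.0/24", 24, 64496),
    ("198.51.100.0/22", 24, 64497),
    ("2001:db8::/32", 48, 64496),
]

def covering_roas(route, roas):
    """ROAs whose prefix contains the announced prefix (same address family)."""
    out = []
    for prefix, max_len, asn in roas:
        net = ipaddress.ip_network(prefix)
        if net.version == route.version and route.subnet_of(net):
            out.append((net, max_len, asn))
    return out

def validate_route(prefix, origin_as, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement.
    valid:     some covering ROA names this origin AS and the announced length
               does not exceed its maxLength;
    invalid:   ROAs cover the prefix but none matches (wrong origin, or a
               more-specific announcement beyond maxLength); a ROA for AS 0
               therefore makes every announcement of its prefix invalid;
    not-found: no ROA covers the prefix, so RPKI says nothing about it."""
    route = ipaddress.ip_network(prefix)
    covering = covering_roas(route, roas)
    if not covering:
        return "not-found"
    for net, max_len, asn in covering:
        if asn == origin_as and route.prefixlen <= max_len:
            return "valid"
    return "invalid"

def apply_policy(announcements, roas=ROAS):
    """The policy most validating routers start with: drop invalid routes and
    keep valid and not-found ones (dropping not-found would blackhole the
    majority of the table that is not yet signed).  Returns (kept, dropped)."""
    kept, dropped = [], []
    for prefix, origin_as in announcements:
        state = validate_route(prefix, origin_as, roas)
        (dropped if state == "invalid" else kept).append((prefix, origin_as, state))
    return kept, dropped

if __name__ == "__main__":
    # Constructed announcements, including a more-specific hijack of 203.0.113.0/24.
    sample = [("203.0.113.0/24", 64496), ("203.0.113.0/25", 64496),
              ("203.0.113.0/24", 64511), ("192.0.2.0/24", 64496)]
    kept, dropped = apply_policy(sample)
    print("kept:", kept)
    print("dropped:", dropped)
```

The maxLength check is the part people forget when writing ROAs: a ROA for 203.0.113.0/24 with maxLength 24 makes a /25 announced even by the legitimate AS invalid, which is the intended protection against more-specific hijacks, but it also means the holder must list every length it really announces.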

2012/10/20

Hotmail and Yahoo email service


A female boss (Miss Erica Yuen) is recruiting an assistant on Facebook.  One statement she made is: "If you are using Hotmail or Yahoo Mail, sorry that you will not be considered. If you can tolerate such poor email service, you are not the kind of person I am looking for."

I have to report this to senior people at Yahoo in the US.


2012/10/06

multiple servers for a website

I found the following announcement on a popular website quite crazy:

"Dear members,

We have added more servers to deal with traffic increase.  Please remember to access the domain names vip.abc.com, www2.abc.com, www3.abc.com and www4.abc.com. "

It is absolutely unnecessary to ask members to memorise additional domain names; users will be confused about which one to use at any given time.  A single domain name, "www.abc.com", is enough: with DNS round robin pointing it at several IP addresses, the name server rotates the order of the addresses in each answer and the load is spread evenly across the servers.

Just take a look at www.cnn.com:

[localhost~]# dig www.cnn.com +short
www.cnn.com.vgtf.net.
cnn-lax.gslb.vgtf.net.
157.166.241.11
157.166.240.11
157.166.240.13
157.166.241.10
[localhost~]#

I can't stop myself from laughing....

2012/10/03

The first three IPv6 websites in HK

Here is a screenshot of the first three IPv6 websites in HK registered with sixy.ch, dating back about 1,000 days.


My managed website bya.org.hk came second.  Great work.

2012/10/02

US Government IPv6 Deadline

The US Government previously set a deadline: by 30 September 2012, all Federal agencies must have their public-facing servers running on IPv6.  The deadline has passed.  Less than 30% of Federal websites are operating with IPv6, and the situation for mail and DNS servers is even worse.  These are the statistics provided by NIST one week ago.


A question remains: how to push these Federal agencies to deploy IPv6 quickly?

2012/09/30

CPEs

I have gained 146 CPEs in the past three years through attending security conferences, offering training courses and writing security-related articles.  For renewal of my CISSP credential I only need 120 CPEs, and 10 CPEs can be carried forward to the next three-year term.  Counting back, I am wasting 16 CPEs.

2012/09/28

DNSSEC can support wild card domain names

I have tested that DNSSEC can handle wildcard domain names by looking at the AD (Authenticated Data) flag in the response.  Here is a snapshot; look at the AD flag.  My original entry on the name server side is "*.i3way.net  1H IN A 202.81.252.116".  The AD flag shows that the validating resolver accepted the synthesised answer; if you add +dnssec you will also see the RRSIG whose Labels field is smaller than the number of labels in the queried name, which is how a validator knows the answer came from a wildcard and which closest-encloser proof to expect.

C:\bind>dig kill123.i3way.net
; <<>> DiG 9.9.1-P2 <<>> kill123.i3way.net
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5
;; ANSWER SECTION:
kill123.i3way.net.      3600    IN      A       202.81.252.116

C:\bind>dig kill234.i3way.net
; <<>> DiG 9.9.1-P2 <<>> kill234.i3way.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12253
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5
;; ANSWER SECTION:
kill234.i3way.net.      3600    IN      A       202.81.252.116

2012/09/27

Root server instance and DDoS attacks

The Maldives suffers DDoS attacks from time to time.  The attack traffic comes from overseas, so the international links are saturated.  The local backbone within the country should have sufficient capacity to serve local access, but because name resolution has to reach root zone name servers overseas, local people cannot even reach local websites.  The solution is of course to deploy an anycast root server instance within the country.  Apart from mitigating the effect of a DDoS attack, it also means that if a submarine cable is cut by an earthquake, local content at least remains accessible to local people.

2012/09/26

A look at DNSSEC amplification attack again

The query "dig +dnssec any isc.org" returns a message of 3994 bytes:

[ ~]# dig +dnssec any isc.org | grep "MSG SIZE"
;; MSG SIZE  rcvd: 3994

The original query is 50 bytes.  If the answer is directed at a victim name server by spoofing the source IP address (reflection), this gives an amplification factor of about 80.  In theory, a 100 Mbps link can flood out 8 Gbps of traffic to DoS a name server.  Woo, no way the name server can survive.

2012/09/22

DNSSEC-aware resolvers

I noticed that the biggest ISPs in the US (Comcast, AT&T, Sprint, Verizon etc.) have made their resolvers DNSSEC-aware, in response to the FCC's recommendation to protect their customers.  The task is easy: add the root trust anchor to the resolver and enable DNSSEC validation in the configuration file.

In other countries, if ISPs do not want to validate DNSSEC, they should leave the job to corporate users or end users.  In that case they must not block DNS traffic in their networks simply because a UDP payload is larger than 512 bytes; not just not block it, but configure their firewalls to let large UDP payloads (and the IP fragments they may arrive in) through.  This requirement is not just for DNSSEC; it applies to IPv6 as well.  When a resolver asks the root zone for the name servers of .com, the referral carries 13 name server names, 13 IPv4 addresses and 13 IPv6 addresses, and the UDP message can exceed 512 bytes.
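The three DNSSEC posts above (the wildcard AD-flag test, the amplification figure, and the need to pass DNS/UDP larger than 512 bytes) all come down to what a DNSSEC-aware query and its answer look like.  The following is an added example, not code from the original posts: it builds the wire-format query with the EDNS0 OPT record that advertises a 4096-byte buffer and sets the DO bit, parses the status, flags and "MSG SIZE rcvd" line out of dig's text so a script can tell whether the resolver set AD, and computes the reflector's gain.  The dig output embedded in it is constructed from the figures quoted in the posts; nothing touches the network.

```python
"""DNS wire-format and dig-output helpers for the DNSSEC posts above (the
wildcard AD-flag test, the amplification figure and the >512-byte UDP
requirement), as an added example that is not code from the original posts.
build_query() produces the UDP payload of a recursive query with an EDNS0 OPT
record carrying the DO bit and a 4096-byte buffer, which is what a
DNSSEC-aware resolver sends and why a firewall that caps DNS/UDP at 512 bytes
breaks it; parse_dig() pulls the status, header flags and "MSG SIZE rcvd"
figure out of dig's text; amplification() turns query and response sizes into
the reflector's gain.  The dig output below is constructed from the posts'
own figures."""
import re
import struct

QTYPES = {"A": 1, "NS": 2, "MX": 15, "TXT": 16, "AAAA": 28, "ANY": 255}

def encode_name(name):
    """'isc.org' -> length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"

def build_query(name, qtype="A", txid=0x1234, dnssec=True, udp_size=4096):
    """UDP payload of a standard query with RD set.  With dnssec=True an OPT
    pseudo-RR is added in the additional section: root owner name, type 41,
    the advertised UDP payload size in the class field and the DO bit
    (0x8000) in the low 16 bits of the TTL field (RFC 6891 / RFC 3225)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec else 0)
    question = encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)
    packet = header + question
    if dnssec:
        packet += b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x8000, 0)
    return packet

def parse_dig(output):
    """Extract status, header flags, EDNS flags/buffer and received size."""
    info = {"status": None, "flags": set(), "edns_flags": set(),
            "edns_udp": None, "size": None}
    m = re.search(r"status: (\w+)", output)
    if m:
        info["status"] = m.group(1)
    m = re.search(r"^;; flags: ([^;]*);", output, re.M)
    if m:
        info["flags"] = set(m.group(1).split())
    m = re.search(r"EDNS: version: \d+, flags: ([^;]*); udp: (\d+)", output)
    if m:
        info["edns_flags"] = set(m.group(1).split())
        info["edns_udp"] = int(m.group(2))
    m = re.search(r"MSG SIZE\s+rcvd: (\d+)", output)
    if m:
        info["size"] = int(m.group(1))
    return info

def validated(info):
    """True when the resolver answered NOERROR with the AD (authenticated
    data) bit set, i.e. it validated the RRset itself."""
    return info["status"] == "NOERROR" and "ad" in info["flags"]

def amplification(query_len, response_len, l3_overhead=28):
    """Bytes on the wire, response over request; l3_overhead counts the IPv4
    and UDP headers on each datagram (set to 0 to compare raw payloads)."""
    return (response_len + l3_overhead) / (query_len + l3_overhead)

# Constructed dig output, built from the figures quoted in the posts above.
DIG_ISC_ANY = """\
; <<>> DiG 9.9.1-P2 <<>> +dnssec any isc.org
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12253
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 37, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; MSG SIZE  rcvd: 3994
"""

if __name__ == "__main__":
    q = build_query("isc.org", "ANY")
    info = parse_dig(DIG_ISC_ANY)
    print(len(q), "byte query; validated:", validated(info),
          "; amplification x%.1f" % amplification(len(q), info["size"]))
```

Two things fall out of running it.  The DNS payload of the ANY query is only 36 bytes, so the 80x figure in the post is the payload ratio; counting IPv4 and UDP headers on both datagrams it is nearer 63x, still far more than any link can absorb.  And the AD bit only means the resolver validated; a client that wants proof of its own must send DO and check the RRSIGs, which is exactly the large-UDP traffic the firewall has to let through.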

2012/09/19

Europe ran out of IPv4 addresses

Europe has run out of IPv4 addresses, as RIPE NCC announced on 14 September 2012 when it began allocating from its last /8.  That is good news.  Lacking IPv4 addresses, ISPs, mobile operators and large corporations will think seriously about IPv6 deployment in order to sustain their future business plans.  This will drive the growth of IPv6.

In fact, in the Asia Pacific region we have had no more IPv4 addresses since 15 April 2011.

I am a keen supporter of IPv6.  All my emails to Gmail users are sent over IPv6 every day.

2012/09/18

rescuing mail server

The Hong Kong National Education Centre (HKNEC) has been under DDoS attack by Anonymous since last Saturday, and the attack is still going on.  Neither web access nor email service responds.  From the DNS records, I note that some action is being taken to rescue the mail service:

hknec.org.              3600    IN      MX      90 218.103.29.37.
hknec.org.              3600    IN      MX      10 mail.hknec.org.

HKNEC wants a backup mail server to take over when the main one cannot respond.  However, an MX record cannot point to an IP address: the target must be a host name.  "218.103.29.37." is simply parsed as a fully qualified host name with the labels 218, 103, 29 and 37 (the trailing full stop is what makes a name absolute in a zone file), and that name resolves to nothing.

Another thing wrong is that the backup mail server (218.103.29.37) and the main server (218.103.29.36) are on the same network segment, and that segment is now under heavy DDoS traffic.  An IP address outside the network segment should be used for the backup.
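Both mistakes can be caught before the zone is loaded.  The following is an added example, not code from the original post or from HKNEC: it checks an MX RRset for targets that are IP literals, targets with no address record, and backup MX hosts that sit in the same network segment as the primary.  The RRset and the address table are constructed for the example (the table stands in for DNS look-ups); the two 218.103.29.x addresses are the ones quoted in the post.

```python
"""Sanity checks for an MX RRset, as an added example (not code from the
original post or from HKNEC).  It flags an MX target that is an IP address
rather than a host name, targets with no address record, and backup MX hosts
whose address sits in the same network segment as the primary, where a flood
that saturates the segment takes the backup down with it.  The RRset and the
address table below are constructed for the example (the table stands in for
DNS look-ups); the two 218.103.29.x addresses are the ones quoted in the post."""
import ipaddress

# Constructed MX RRset: (preference, target) as written in a zone file.
MX_RECORDS = [
    (10, "mail.example.org."),
    (90, "218.103.29.37."),        # the mistake from the post: an address, not a host
    (20, "mx2.example.org."),
]

# Constructed A records standing in for DNS look-ups.
A_TABLE = {
    "mail.example.org.":       "218.103.29.36",
    "mx2.example.org.":        "218.103.29.40",
    "mx-offsite.example.net.": "203.0.113.25",
}

def is_ip_literal(target):
    """True when the MX target is really an IPv4/IPv6 address (with or without
    the trailing dot that makes a zone-file name absolute)."""
    try:
        ipaddress.ip_address(target.rstrip("."))
        return True
    except ValueError:
        return False

def check_mx(records, a_table, segment_prefixlen=24):
    """Return a list of problems; an empty list means the RRset looks sane.
    The lowest preference value is the primary; every other MX is a backup."""
    issues = []
    records = sorted(records)
    primary_pref, primary = records[0]
    primary_net = None
    if not is_ip_literal(primary) and primary in a_table:
        primary_net = ipaddress.ip_network(
            f"{a_table[primary]}/{segment_prefixlen}", strict=False)
    for pref, target in records:
        if is_ip_literal(target):
            issues.append(f"MX {pref} {target}: target is an IP address, not a host name")
            continue
        addr = a_table.get(target)
        if addr is None:
            issues.append(f"MX {pref} {target}: no address record")
            continue
        if pref != primary_pref and primary_net and ipaddress.ip_address(addr) in primary_net:
            issues.append(f"MX {pref} {target}: backup shares /{segment_prefixlen} "
                          f"with primary {primary}")
    return issues

if __name__ == "__main__":
    for line in check_mx(MX_RECORDS, A_TABLE) or ["no issues found"]:
        print(line)
```

The segment size is a parameter because "same segment" depends on how the site is addressed; a /24 is the usual guess for a hosted range, but the real test is whether the two hosts share the link that the flood is saturating.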

Don't laugh...  I have learnt a lot from the rescue operation of HKNEC.

2012/09/17

NSEC3+OptOut

In my past four talks about DNSSEC in Hong Kong, I told audiences about the weakness of NSEC to zone walking and how NSEC3 prevents this by using hashed names in its signed proofs of non-existence.  However, I have not touched on NSEC3 Opt-Out, which is aimed at TLDs.  Here it is.

With NSEC3 Opt-Out, only child zones that are themselves DNSSEC-signed and have submitted a DS to the TLD are covered by NSEC3 records in the TLD zone.  For example, if a TLD operator has 500,000 names in its zone and 1% of the child zones have submitted a DS, then under Opt-Out the TLD zone contains about 5,000 signed DS records with NSEC3 records for them, instead of NSEC3 records for all 500,000 delegations, 495,000 of which have no DS and would only need hashed names to prove that.  The NSEC3 records carry the Opt-Out flag, so a validator knows that an unsigned delegation may sit in a gap of the chain without that being proof of its absence.  Opt-Out reduces the zone file size while still serving DNSSEC for the signed children.

If every child zone in a TLD has submitted a DS, the effect of Opt-Out is nullified.
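To see what Opt-Out does to the chain, here is an added example (not code from the original post) that implements the NSEC3 owner-name hash of RFC 5155 section 5 and builds the chain for a small zone with and without Opt-Out.  The delegations are constructed for the example; the only real data is the RFC 5155 Appendix A parameters (salt aabbccdd, 12 iterations), under which the zone name "example." hashes to 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.

```python
"""NSEC3 hashing and the effect of Opt-Out on a TLD's chain, as an added
example (not code from the original post).  nsec3_hash() follows RFC 5155
section 5: SHA-1 over the wire-format, lower-cased owner name with the salt
appended, iterated the given number of extra times, then base32hex.  The
delegations below are constructed for the example; the only real data is the
RFC 5155 Appendix A parameters (salt aabbccdd, 12 iterations) used to check
the hash of the zone name "example."."""
import base64
import bisect
import hashlib

_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX = bytes.maketrans(_B32_STD, _B32_HEX)

def wire_name(name):
    """Canonical wire form: length-prefixed lower-case labels, root label last."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def nsec3_hash(name, salt=b"", iterations=0):
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes encode to exactly 32 base32 characters, so there is no padding.
    return base64.b32encode(digest).translate(_TO_HEX).decode().lower()

def build_chain(apex, delegations, salt, iterations, opt_out):
    """Hashed owner names that get an NSEC3 record, in chain (sorted) order.
    delegations maps child zone name -> True if a DS is published for it.
    Without Opt-Out every delegation is in the chain; with Opt-Out only the
    apex and the secure (DS-bearing) delegations are, and the records are
    published with the Opt-Out flag so the gaps may contain unsigned
    delegations without that being a proof of their absence."""
    names = [apex] + [n for n, has_ds in delegations.items()
                      if has_ds or not opt_out]
    return sorted(nsec3_hash(n, salt, iterations) for n in names)

def covering_record(chain, hashed):
    """The (owner, next) pair whose interval contains a hash that is not in the
    chain, wrapping round at the end; None if the name has its own record."""
    if hashed in chain:
        return None
    idx = bisect.bisect_left(chain, hashed)
    return chain[idx - 1], chain[idx % len(chain)]

# Constructed delegations for the example; two have submitted a DS, two have not.
SALT, ITERATIONS = bytes.fromhex("aabbccdd"), 12
DELEGATIONS = {"alpha.example.": True, "bravo.example.": False,
               "charlie.example.": False, "delta.example.": True}

if __name__ == "__main__":
    for opt_out in (False, True):
        chain = build_chain("example.", DELEGATIONS, SALT, ITERATIONS, opt_out)
        print(f"opt-out={opt_out}: {len(chain)} NSEC3 records")
        h = nsec3_hash("bravo.example.", SALT, ITERATIONS)
        print("  bravo.example. ->", h, "covered by", covering_record(chain, h))
```

Without Opt-Out, bravo.example. has its own NSEC3 record and a validator can prove it is an insecure delegation.  With Opt-Out it only falls in a gap between two records carrying the Opt-Out flag, which proves nothing about it; that is the security trade-off behind the smaller zone.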


2012/09/16

Future career plan

My son is applying for the Sir Edward Youde Memorial Scholarship to subsidise his study of Economics at university next year.  In the application form there is a box called "Future Career Plan" for him to fill in.  He sought my help and I came up with the following:

"I plan to be an economic consultant providing professional advices and consulting services on economic, financial, and business strategies to large corporations and government agencies. Through my knowledge across multiple industries, I will develop state-of-the-art analyses and insights for our clients on complex business issues."

It is hard to predict the future. I just put down something from my basic instinct.

2012/09/14

Apology from godaddy

I received an apology from the CEO of GoDaddy about the service interruption this Monday.  I have been a loyal customer of godaddy.com for over 12 years, and I can recall no service outage in those 12 years except the one that happened on Monday.   No worry, I will stay with GoDaddy, the number one registrar in the world.

Dear warren kwok,

We owe you a big apology for the intermittent service outages we experienced on September 10 that may have impacted your website, your email and other Go Daddy services.

We let you down and we know it. We take our responsibilities — and the trust you place in us — very seriously. I cannot express how sorry I am to those of you who were inconvenienced.

The service outage was due to a series of internal network events that corrupted router data tables. Once the issues were identified, we took corrective actions to restore services for our customers and GoDaddy.com. We have implemented a series of immediate measures to fix the problem.

At no time was any sensitive customer information, including credit card data, passwords or names and addresses, compromised.

Throughout our history, we have provided 99.999% uptime in our DNS infrastructure. This is the level of performance we expect from ourselves. Monday, we fell short of these expectations. We have learned from this event and will use it to drive improvement in our services.

As a result of this disruption, you will receive 30% off any new product or renewal.* This offer will be available to you for the next 7 days. Simply place source code Apology4a in your cart or mention the code when you call 480-505-8877.

It's an honor to serve you. As always, please call us 24/7 at 480-505-8877 — anytime, for any reason. 

Sincerely,

Scott Wagner
CEO
GoDaddy.com

2012/09/06

Kaspersky AV sucks

I had not used my notebook for almost a week.  When I opened it last night, Kaspersky AV prompted me to update the AV database.  Oh shit, the accumulated new AV signatures came to 9534 KB and my notebook was downloading at 22 KB/s, so it would take 433 seconds to complete.  I have used Trend Micro Titanium and this trouble does not exist there.

We are now living in the cloud-computing era.  By now, AV protection should all be cloud-based, with no need for users to download signatures regularly.  I have decided to uninstall Kaspersky.



2012/09/03

Dying for a Job

Who would dare to write such a letter for a job?

Dear Sir,

Application for Employment

I refer to the recent death of the Technical Manager at your Company and hereby apply for the replacement  of the deceased Manager.

Each time I apply for a job, I get a reply that there is no vacancy but in this case I have caught you red-handed and you have no excuse because I even attended the funeral to be sure that he was truly dead and buried before applying.

Attached to this letter is a copy of my CV and his death certificate.

Yours faithfully,

(xxx yyy zzzz) 

2012/08/31

Portable IPv6 Address Blocks need not be multi-homed

I almost forgot to mention one important IPv6 development in the Asia Pacific region.  APNIC 34 decided to allow portable (provider-independent) IPv6 address blocks to be allocated to applicants without a multi-homed configuration.  Many companies can now have their own /48 block and need not renumber when changing ISP.  There is an argument that this will put a large number of fragmented /48 routes in the global routing table, since the design of IPv6 assumes routes at /32 granularity.  Hey, routers' performance is not really affected by a large routing table.  Who cares?  We should consider the benefits to end users rather than lighter loading on equipment.

APNIC is the only RIR that waives the multi-homing requirement when allocating provider-independent IPv6 blocks.   It seems the Asia Pacific region is moving faster than other regions.

2012/08/30

Greylisting in v6 SMTP servers

I have observed that many IPv6 SMTP servers use greylisting.  I am not very happy with greylisting because of the extra delay in delivering a legitimate email: if a message is urgent, you expect the recipient to get it shortly after you click send.  But for IPv6, can we prove that greylisting really helps, given that as of today there is no IPv6-based DNSBL?

2012/08/22

Chrome browser must not be used for speedtest

I have a 1000 Mbps GPON FTTH service at home.  Using the Chrome browser for speedtest, I only get download speeds around 350 Mbps, while upload speeds are always below 250 Mbps.  When I switch to IE, things are quite different: download speeds are boosted to 800 Mbps and upload speeds to around 600 Mbps.   I do not recall such discrepancies on 100 Mbps broadband.  I will attach screen dumps of what I experienced later on.  I would really like to know what is wrong with Chrome.

2012/08/07

IPv6 Statistics

Last week I heard that the number of IPv6 users in the US has climbed to 3.3 million, which makes the US the country with the largest number of IPv6 users.  Where does this figure come from?  It is from:

 http://resources.potaroo.net/iso3166/v6dcc.html

I think the above is provided by Geoff Huston or APNIC.  They use advertised /64 prefixes to estimate the number of IPv6 users.  Sounds pretty logical, but I have no idea of the underlying methodology.  Good work, anyway.

2012/08/05

IPv6 Prefix Delegation

This is the best and most useful description of IPv6 Prefix Delegation I have ever come across:


Prefix delegation (PD) is a mechanism developed to provide automated delegation of IP address blocks. The delegation is done from an ISP to its customer. The ISP does not require any knowledge of the customer's internal network topology. The DHCP-PD protocol runs between a Customer Edge (CE) and a Provider Edge (PE) router, the CE is called a Requesting Router (RR) and the PE router a Delegating Router (DR). The RR acts as the DHCP client, and requests prefixes from the DR (DHCP server). The DR injects a route into the provider's routing system for the delegated prefix on behalf of the RR. That way, a dynamic routing protocol between the RR and the DR is not needed; however, the RR and the DR must be  directly connected. 


Prefix delegation requires the use of an AAA server for authentication.  I grabbed an illustrative diagram (above).

2012/07/30

octocheck app

I mentioned Octocheck in my last blog post.  I have now captured a picture and posted it here.


2012/07/29

Apps for checking the balance of Octopus

I finally found the best app of the year.  It is Octocheck (Octopus Card NFC Reader), an app for checking the balance of an Octopus Card together with the last 10 transactions (date, time, nature of the transaction and amount).


It is available from Google Play at :

https://play.google.com/store/apps/details?id=com.octopuscards.nfc_reader

The smartphone or tablet must have NFC.  My son's Xperia Ion smartphone has this feature, so one installation should be sufficient for the whole family.

There are 13 million Octopus Cards in active daily use by consumers.  This app comes a bit late.  Anyway, I still need to say thanks to Octopus Cards Limited for developing a useful app.  This might be the first large-scale application of NFC in smartphones for Hong Kong people.

2012/07/25

Test the IPv6 readiness of a domain

I got a five-star pass when testing my domain i3way.net for IPv6 readiness at the test site ip6.nl.  The hardest part of getting five stars is having IPv6 glue records for the domain's name servers, which means IPv6-only resolvers can still fetch the domain's records.  I note that many domains fail in this respect.



2012/07/23

Seeing the Future through "Domains"

On 13 June 2012, the Internet Corporation for Assigned Names and Numbers (ICANN) published the list of applications to operate new generic top-level domains: 1,930 applications in total, of which 42 were submitted by Hong Kong companies, about 2% of all applications worldwide, a pleasant surprise for Hong Kong's IT industry.

Apart from country-code top-level domains (such as ".hk", ".cn" and ".tw"), the Internet currently has 22 generic top-level domains, the best known being ".com", ".net" and ".org".  Internet services now cover every industry, and the existing 22 gTLDs can no longer meet the needs of every sector and offer little choice.  ICANN expects the new gTLDs to bring more innovation, choice and competition to the Internet and ultimately better services for users.  For example, the banking industry could apply for ".bank", the record industry for ".music" and the hotel industry for ".hotel".  Companies around the world can also apply for TLDs based on their registered names or brands, such as ".ibm", ".microsoft", ".skype" and ".android".

The cost of applying for a new gTLD is staggering: the applicant must first pay a one-off application fee of US$185,000 (about HK$1.45 million) and thereafter an annual administration fee of US$25,000 (about HK$200,000).  When evaluating each application ICANN also considers the applicant's background, including technical support, financial standing and operational capability; only those with sufficient strength will be approved.  A conservative estimate is that the true average cost of each new gTLD may exceed US$1 million.

Two Hong Kong telecommunications operators, PCCW Limited and CITIC Telecom International (Information Technology) Limited, together applied for eight TLDs for future business use: ".pccw", ".hkt", ".電訊盈科", ".香港電訊", ".now", ".nowtv", ".中信" and ".citic".  After ICANN published the list, I found that as many as six companies had applied for ".now", while only PCCW applied for ".nowtv".  I cannot help admiring the company's planning and strategy: they must have anticipated that ".now" would trigger a contest, and that if they lost the bid for ".now", ".nowtv" could immediately fill the gap.

Among all the applications, the most eye-catching is ".app", contested by 13 companies including Amazon and Google.  The industry expects Google to be determined to win ".app", spending more than ten million US dollars if necessary to defeat the other bidders and eventually own it.

Opening up generic TLDs has also made major cities' dream of owning their own digital landmark come true; city governments around the world have applied for TLDs named after their cities, such as ".nyc", ".tokyo", ".paris", ".广东", ".广州" and ".佛山".  Some may ask why no Hong Kong organisation applied for ".香港".  In fact ".香港" is the internationalised version of the country-code domain and was delegated years ago to Hong Kong Internet Registration Corporation Limited for management.

Some of the more amusing applications deserve a mention and are enough to make one cheer, for example ".gay", ".sex", ".eat", ".dog", ".我愛你" (I love you) and ".八掛" (gossip).  Whether ICANN's evaluation panel will approve these intriguing TLDs remains to be seen.

All in all, this event is a major reform of the Internet.  The first batch of new gTLDs is expected to enter service in mid-2013, when the Internet will take on a new look.


2012/07/18

do not zip pdf file

I was surprised to receive an email with a zipped attachment containing a PDF file.  Hey, a PDF is more or less already compressed (its content streams are normally deflated and its embedded images are usually JPEG), so it can hardly be compressed further.  Further checking revealed that the original PDF was 4.278 MB and after zip compression it was 4.252 MB: a saving of less than 1%.  It is just not worthwhile for the sender and the receiver to waste their time compressing and decompressing the file.


2012/07/13

speedtest mini

Finally, I got a copy of the licence-free Speedtest Mini.  Thanks to Ookla, though no support is offered.  I have to remind myself to amend /etc/php.ini (upload_max_filesize and post_max_size) to allow uploading large files by HTTP POST.

Speedtest Mini does not show the IP address of the visiting client.  I have added a script to display the IP address.  A restart button has also been added to enable another test without refreshing the browser.

2012/07/11

Internet in IPv6 is 2000::/3, not ::/0

Some people think that the route to the IPv6 Internet is ::/0, which means everything.  This is not recommended, since not all IPv6 prefixes are allocated to the RIRs.

The IPv6 Internet is 2000::/3 (the global unicast range, see RFC 4291), not ::/0.  This is unlikely to change in the coming 30 years.  Do not use ::/0 when making the default route; with 2000::/3 instead, traffic for unallocated space is dropped at your own box rather than forwarded upstream.

If I want to add a route to the IPv6 world, then:

#/sbin/route -A inet6 add 2000::/3 gw 2001:4625::7

Special attention must be paid to the prefix 64:ff9b::/96 used by DNS64 and NAT64 (RFC 6052).  It falls outside 2000::/3, so there must be an additional route to the NAT64 router serving 64:ff9b::/96.

2012/07/10

TP-Link 500 Mbps HomePlug

Shit, the TP-Link 500 Mbps HomePlug can only offer a 185 Mbps connection speed.
Powerline noise, distance and cable capacitance together eat away 315 Mbps.  Poor technology will never reach the mass market.

2012/07/09

DNSChanger Eliminated

Today the US Government shut down the substitute resolvers for the DNSChanger malware.  More than 0.3 million users will be unable to access the Internet until they remove the malware.  In Hong Kong, an estimated 800 users will suffer.   The number of infected PCs was about 4 million last November, and it took the efforts of CERTs and ISPs worldwide to clean up 3.7 million of them.

A test tool is available at http://www.dns-ok.us/.  If the host is infected, the background colour will be red.


2012/07/06

IPv6 email autoreply facilities again

My IPv6 email autoreply facilities (autoreply@v6-mail.com and www.v6-mail.com) have helped many system administrators test and troubleshoot their v6 or dual-stack SMTP servers.   I have decided that for successful email transactions over v6, I will pass the maillog entries to the parties initiating the tests.   This should make people happy, and the workload imposed on me is minimal.

2012/06/28

Automatic channel selection of WiFi router

I normally have a 30 Mbps connection to the Internet via WiFi and a VDSL modem.  In the past three days, the speed dropped to less than 0.5 Mbps.  I used a WiFi scanner to see which channels my own router and the neighbours' routers were using.  Pretty good: thanks to automatic channel selection, my WiFi router had picked channel 9, which was less used.  As things did not improve, I decided to assign the channel manually.  I selected channel 6, even though one or two routers nearby were using it.  After rebooting the router, speeds came back to normal.  I suspect there was strong interference on channel 9 from other devices such as a microwave oven, Bluetooth, a cordless phone or toys.  The fact is there is no way to complain or seek help, since the whole WiFi band is unlicensed and free for any person and any device to use.  Picking the most reliable channel in the junk 2.4 GHz band depends on luck.  Having said that, I am inclined to switch the router and client devices to the 5 GHz 802.11a band once prices drop to a level the average user can afford.

2012/06/23

Shenzhou 5 re-entry capsule

The Shenzhou 5 re-entry capsule is on display at Cityplaza.  Just from the outside, the metal surface of the capsule is badly scorched, which shows how seriously the "great power" lags behind in space technology.  Forget it; spend the research money on improving people's livelihood instead!


2012/06/20

802.11n or Powerline Ethernet Adaptor

I note that powerline Ethernet adapters, which some people call HomePlug, can now support 500 Mbps and 1000 Mbps.  This is much better than an 802.11n WiFi connection.  The best I can get from 802.11n at home is always below 30 Mbps, though the specification says a client can have a maximum of 300 Mbps.  Even if the throughput of the adapters is halved by cable length or noise, the resulting 250 Mbps to 500 Mbps is still far superior to the best WiFi devices.  Now is the right time to consider replacing 802.11n with powerline Ethernet.

2012/06/17

IPv6 Router Advertizement Attack

I heard about the IPv6 router advertisement attack almost a year ago but did not jot it down.  Here it is.  A single Windows 7 machine can make every Windows machine on a local area network unusable by flooding bogus RA messages that announce a large number of bogus prefixes (and random source addresses): each host tries to autoconfigure an address and a route for every prefix it sees.  Only about 20 seconds of flooding does great harm: the CPU usage of all the machines approaches 100% and they hang.

Microsoft has indicated that no patches will be released to rectify this bug but that Windows 8 will have the problem removed.  In other words, there is no cure from the OS side.  Shame on Microsoft.

Organisations that need IPv6 RA for address assignment should use Ethernet switches with RA Guard (RFC 6105), which drops RAs arriving on ports where no router is supposed to be.

Good luck to those who allow RA in their internal network.

2012/06/13

Interactions of ntpdate with DNS round robin

To follow up on my last post about ntpdate and DNS round robin, I wanted to find out whether, if the shortest path fails, ntpdate will take the second path as backup.  The answer is yes.  I tested it with the firewall blocking reachability of the shortest path.  Some captures are given below for reference.

Test: 118.143.17.82 is blocked by the firewall to simulate a failure of the shortest path

# ntpdate -4 time.hko.hk
13 Jun 08:53:48 ntpdate[3578]: sendto(118.143.17.82): Operation not permitted
13 Jun 08:53:49 ntpdate[3578]: sendto(118.143.17.82): Operation not permitted
13 Jun 08:53:50 ntpdate[3578]: sendto(118.143.17.82): Operation not permitted
13 Jun 08:53:51 ntpdate[3578]: sendto(118.143.17.82): Operation not permitted
13 Jun 08:53:52 ntpdate[3578]: adjust time server 223.255.185.2 offset -0.000177 sec

More details by :

#ntpdate -4 -d time.hko.hk
13 Jun 09:01:15 ntpdate[3699]: ntpdate 4.2.4p5@1.1541-o Wed Oct  8 11:22:55 UTC 2008 (1)
Looking for host time.hko.hk and service ntp
host found : 118.143.17.82
transmit(118.143.17.82)
13 Jun 09:01:15 ntpdate[3699]: sendto(118.143.17.82): Operation not permitted
transmit(223.255.185.2)
receive(223.255.185.2)
transmit(223.255.185.2)
receive(223.255.185.2)
transmit(223.255.185.2)
receive(223.255.185.2)
transmit(223.255.185.2)
receive(223.255.185.2)
transmit(223.255.185.2)
transmit(118.143.17.82)
13 Jun 09:01:16 ntpdate[3699]: sendto(118.143.17.82): Operation not permitted
transmit(118.143.17.82)
13 Jun 09:01:17 ntpdate[3699]: sendto(118.143.17.82): Operation not permitted
transmit(118.143.17.82)
13 Jun 09:01:18 ntpdate[3699]: sendto(118.143.17.82): Operation not permitted
transmit(118.143.17.82)
118.143.17.82: Server dropped: no data
server 118.143.17.82, port 123
stratum 0, precision 0, leap 00, trust 000
refid [118.143.17.82], delay 0.00000, dispersion 64.00000
transmitted 4, in filter 4
reference time:    00000000.00000000  Thu, Feb  7 2036 14:28:16.000
originate timestamp: 00000000.00000000  Thu, Feb  7 2036 14:28:16.000
transmit timestamp:  d38264de.bd2b5c2c  Wed, Jun 13 2012  9:01:18.738
filter delay:  0.00000  0.00000  0.00000  0.00000
         0.00000  0.00000  0.00000  0.00000
filter offset: 0.000000 0.000000 0.000000 0.000000
         0.000000 0.000000 0.000000 0.000000
delay 0.00000, dispersion 64.00000
offset 0.000000

server 223.255.185.2, port 123
stratum 1, precision -19, leap 00, trust 000
refid [GPS], delay 0.03297, dispersion 0.00114
transmitted 4, in filter 4
reference time:    d38264db.09591159  Wed, Jun 13 2012  9:01:15.036
originate timestamp: d38264db.fb344598  Wed, Jun 13 2012  9:01:15.981
transmit timestamp:  d38264db.fa50e9ce  Wed, Jun 13 2012  9:01:15.977
filter delay:  0.04730  0.03297  0.03494  0.03299
         0.00000  0.00000  0.00000  0.00000
filter offset: 0.006902 -0.00027 0.000801 -0.00029
         0.000000 0.000000 0.000000 0.000000
delay 0.03297, dispersion 0.00114
offset -0.000275

13 Jun 09:01:19 ntpdate[3699]: adjust time server 223.255.185.2 offset -0.000275 sec

***** End of Capture ******

As can be seen, "ntpdate -4 -d time.hko.hk" first exchanges packets with every available IP address to determine which one is best for time sync.  If the best IP address is broken, the other is used.

2012/06/12

DNS round robin has no effect on ntpdate

I just found out that if an NTP server has two IP addresses, when clients sync time with it, the IP address with the lower delay is used.  That is to say, ntpdate has the intelligence to sync with the address with minimal delay.   The effect is that ntpdate overrides the DNS round robin.  To me, this is a new finding.

Here is the example I used for time.hko.hk.  When pinging by hostname, the two IP addresses are selected in turn.  However, when doing ntpdate, only one IP address is selected.

#ping time.hko.hk
PING time.hko.hk (118.143.17.82) 56(84) bytes of data.
^C
--- time.hko.hk ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1828ms

[warren@dnssec ~]# ping time.hko.hk
PING time.hko.hk (223.255.185.2) 56(84) bytes of data.
^C
--- time.hko.hk ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1137ms

# ntpdate -4 time.hko.hk
12 Jun 13:31:57 ntpdate[24994]: adjust time server 118.143.17.82 offset 0.000340 sec
# ntpdate -4 time.hko.hk
12 Jun 13:31:59 ntpdate[24995]: adjust time server 118.143.17.82 offset -0.000125 sec


2012/06/07

Use of gogoCLIENT after 6 June 2012

I like to remind users in Hong Kong who are using gogoCLIENT to access IPv6 and dual-stack websites. After 6 June 2012, GogoCLIENT makes your Windows 7 quite slow in accessing dual-stack websites like Google, Facebook and Yahoo as the nearest tunnel gateway of freenet6.net is in Taiwan. Yes, that is the reality for accessing dual-stack websites but same speed for accessing pure v4 website, still very slow for pure v6 websites. If is up to users to judge if they still want to use gogoCLIENT.

If you have an IPv6 ready router such as D-Link and Linksys, please use router-based 6in4 tunnel with an user account with Hurricane Electric. Since HE has 6in4 gateway in HK with high bandwidth, the v6 speed should be quite OK.

gogoCLIENT is widely used in Taiwan because all major ISPs there have their own TSP tunneling gateway. Taiwan users who want access to the v6 network can apply to their ISP for a user account. The v6 speed is of course OK, unlike the case of Hong Kong, where users must connect to Taiwan first and then to other parts of the world.

2012/06/06

World IPv6 Launch

Today is 6 June 2012, named World IPv6 Launch by the Internet community.  A new era has just begun on the Internet starting from 6 June 2012.  Thanks to Google, Yahoo, Facebook, Comcast, Cisco, D-Link and many other companies and organisations that support the new protocol.  Enjoy IPv6.

2012/05/31

Windows XP and IPv6

I am helping an organization to write a 40-page consumer guide on IPv6.  One sub-section deals with IPv6 in Windows XP and its limitations. This is what I have come up with today.

"While IPv6 functionality is present in Windows XP, it is not suitable for use in a corporate network environment. The following limitations are found in Windows XP in its support of IPv6:

1.  There is no graphical user interface for address assignment; these tasks must be performed at the command line.
2.  There is no DHCPv6 client in Windows XP. An IPv6 router can only use Stateless Address Autoconfiguration (SLAAC) to assign an address to a Windows XP PC.
3.  The privacy protection mechanism in address assignment through SLAAC is not enabled by default. Activity tracking based on the IPv6 address is possible.
4.  The personal firewall of Windows XP is broken when IPv6 is installed. When a port is open in IPv4, the same port is also open in IPv6.
5.  Windows XP cannot do name resolution over IPv6. Some websites will not be accessible from Windows XP if the domain names of the websites are hosted on IPv6-only name servers."

After reading the above, I doubt people still want to use IPv6 in Windows XP.  

2012/05/24

v4 SMTP server can send out v6 outgoing email

Some friends asked me about the myth that my SMTP server running on IPv4 can send IPv6 emails to dual-stack SMTP servers.   There is no secret. My SMTP server does not bind to any specific IP address, so it listens on and uses all available addresses on the Network Interface Card, both v4 and v6.  When sending email to a dual-stack mail server, the v6 path is logically selected first.  However, I cannot receive incoming emails over the v6 path due to the lack of an MX record pointing to a v6 host.  Interesting stuff !!

2012/05/23

Our IPv6 SMTP Server in service

The OFCA IPv6 SMTP Server was successfully configured. The most difficult part was asking the ISP to set up the reverse v6 lookup matching the host in the MX record.  I did not touch the server work.  I just gave technical advice and everything worked to my satisfaction.


May 23 22:57:46 i3way sendmail[19437]: q4NEvMol019435: to=, ctladdr= (500/500), delay=00:00:24, xdelay=00:00:24, mailer=esmtp, pri=120315, relay=mail.ofca.gov.hk. [IPv6:2001:218:6009:2::51], dsn=2.0.0, stat=Sent (q4NEvSjc011727 Message accepted for delivery)
May 23 22:52:48 i3way sendmail[19378]: q4NEqO8V019376: to=,, ctladdr= (500/500), delay=00:00:24, xdelay=00:00:24, mailer=esmtp, pri=151351, relay=mail.ofca.gov.hk. [IPv6:2001:218:6009:2::51], dsn=2.0.0, stat=Sent (q4NEqePi011717 Message accepted for delivery)
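To make the two points of these entries concrete (an unbound MTA prefers the v6 path outbound, but can only receive over v6 if an MX target has an AAAA record, and the MX host's reverse lookup must match), here is a small added model in Python. It is not the server's configuration; all DNS data is constructed, using the 2001:db8::/32 and 192.0.2.0/24 documentation ranges.

```python
import ipaddress

# Constructed DNS snapshot (not live lookups): MX targets with their A/AAAA
# records, and PTR records for the addresses that matter.
RECORDS = {
    "mail.ofca.gov.hk.": {"A": ["192.0.2.25"], "AAAA": ["2001:db8:6009:2::51"]},
    "mx.example.net.":   {"A": ["192.0.2.26"], "AAAA": []},   # v4-only MX host
}
MX = {
    "ofca.gov.hk.": [(10, "mail.ofca.gov.hk.")],
    "example.net.": [(10, "mx.example.net.")],
}
PTR = {
    "2001:db8:6009:2::51": "mail.ofca.gov.hk.",
    "192.0.2.25": "mail.ofca.gov.hk.",
}


def outbound_path(domain, prefer_v6=True):
    """Address an MTA bound to all interfaces tries first for a domain:
    lowest MX preference, and AAAA before A when prefer_v6 is set."""
    order = ("AAAA", "A") if prefer_v6 else ("A", "AAAA")
    for _, host in sorted(MX.get(domain, [])):
        rr = RECORDS.get(host, {})
        for rtype in order:
            if rr.get(rtype):
                return host, rr[rtype][0]
    return None


def accepts_inbound_v6(domain):
    """Mail can arrive over IPv6 only if some MX target publishes an AAAA record."""
    return any(RECORDS.get(h, {}).get("AAAA") for _, h in MX.get(domain, []))


def reverse_matches(addr):
    """Forward-confirmed reverse DNS: the PTR must exist and the name it gives
    must resolve (A or AAAA as appropriate) back to the same address."""
    name = PTR.get(addr)
    if not name:
        return False
    rtype = "AAAA" if ipaddress.ip_address(addr).version == 6 else "A"
    return addr in RECORDS.get(name, {}).get(rtype, [])
```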

2012/05/21

Staying Alive

Staying Alive - that's the promise of Robin Gibb, but he did not keep his promise. He left us. He meets Maurice and Andy now in another place, another world. 


I was listening to his songs on my iPod this morning without knowing the sad news.  The name "Bee Gees" is always staying alive in my mind and my heart. 


To all with a broken heart, how can you mend a broken group? 

2012/05/10

Facebook Phishing

I've got quite a number of phishing emails pretending to be from Facebook.  The tactic is old and easily detected. The messages said I had some friend requests and asked me to click a link.  Another message asked me to confirm my email address by clicking through to a page in order to associate it with my Facebook account.  These tricks are obvious and the links would redirect me to malware websites.

2012/05/01

Email honeypot HD storage problem

One of my friends has successfully set up an email honeypot acting as an open relay decoy.  Spammers seize the host and deposit spam messages. The email honeypot does not deliver any messages but stores them up on a daily basis. Then comes a difficulty.  A spam message has thousands of recipients, and each copy for a recipient consists of a header part and a message part (2 files), resulting in many millions of new files created a day, which eat up several Gbytes of HD storage.  I recalled that I resolved this problem many years ago.  In sendmail.cf or sendmail.mc, there is an option to limit the number of recipients in a message.  I prefer to edit sendmail.cf directly by adding these 2 lines:

# maximum number of recipients per SMTP envelope 
O MaxRecipientsPerMessage=10 

This should work fine as I am quite sure I have tried this many many times before.

2012/04/14

6rd tunneling will be available to Hong Kong Science and Technology Park

Hong Kong Science and Technology Park (HKSTP) is the second hi-tech centre in Hong Kong, with lots of technology companies doing R&D on new products and applications.  Sadly, no native IPv6 connections and facilities are available there yet.  How could the technology companies develop IPv6 products, solutions and applications?

Cyberport Hong Kong is aware of the situation.  I have been told quite firmly that Cyberport is now developing a 6RD solution for extending a network node to tenants in HKSTP, which basically works like a native IPv6 connection.  6RD is a well-proven quick tunneling solution built on existing IPv4 infrastructure, and only a few hardware facilities are required. What a tenant needs is a simple router supporting a 6RD connection on the WAN side (D-LINK, Linksys, Netgear etc), whereas the LAN side can have DHCPv6, SLAAC or other methods of address allocation.  I hope the project could be implemented as soon as possible so that important IPv6 network resources and connectivity could be available to the high-tech community in Hong Kong.

2012/04/08

Missing the trailing dot in zone file

Missing the trailing dot when configuring authoritative name servers is a common mistake committed by network administrators. I admit that I always forget this important aspect.  As a reminder, I now jot down some easy references to alert myself to this carelessness.

Forward lookup of MX for zone example.com

; zone example.com.
@  IN  MX 10  mailhost.example.com
[ the final part should be mailhost.example.com.]
becomes
@  IN  MX 10  mailhost.example.com.example.com.


Reverse lookup of 192.0.2.1 to produce host.example.com

; zone 2.0.192.in-addr.arpa.
1  IN  PTR    host.example.com
[ the final part should be host.example.com.]
becomes
1  IN  PTR    host.example.com.2.0.192.in-addr.arpa.

Keep the above in mind as much and as long as possible.
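As an added reminder tool (my own example, not part of any name server software), the rule behind both mistakes above is simple: a name without a trailing dot is relative to the zone origin, so the origin gets appended. The small linter below applies that rule to MX, NS, CNAME and PTR targets and reports the expanded name that the server would actually use.

```python
# Record types whose last field is a domain name and therefore bitten by a missing dot.
CHECKED_TYPES = ("MX", "NS", "CNAME", "PTR")


def qualify(name, origin):
    """Apply the zone-file rule: '@' is the origin, a name ending in '.' is
    absolute, and anything else gets the origin appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def lint_rdata_names(zone_lines, origin):
    """Return (line, expanded_target) for records whose target lacks the
    trailing dot and would silently have the origin appended."""
    findings = []
    for line in zone_lines:
        parts = line.split()
        if not parts or parts[0].startswith(";"):
            continue                      # blank line or comment
        if not any(p in CHECKED_TYPES for p in parts):
            continue                      # A, AAAA, TXT ... carry no name target
        target = parts[-1]
        expanded = qualify(target, origin)
        if expanded != target:
            findings.append((line, expanded))
    return findings


if __name__ == "__main__":
    # Constructed zone fragment reproducing the forward-lookup mistake above.
    zone = [
        "; zone example.com.",
        "@  IN  MX 10  mailhost.example.com",
        "@  IN  MX 20  backup.example.com.",
    ]
    for line, expanded in lint_rdata_names(zone, "example.com."):
        print(f"{line!r} -> target becomes {expanded}")
```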

2012/04/05

My new IPv6 address is 2401:0300:0:1:8080

Netfront has assigned the block 2401:300:0:1::/64 to me. I saw my NIC doing auto-configuration after learning the prefix from the router. The IPv6 address was 2401:300:0:1:215:f2ff:febc:38c, which was derived from EUI-64.

Oh God, too difficult to remember the long string. I manually assigned 2401:300:0:1::8080 to the NIC. Afterwards, I just added the default gateway and everything worked smoothly without a reboot. Thanks to the power and flexibility of IPv6 in Linux.

2012/03/30

Some ISPs with /32 prefix do not take up the reverse delegation

I just noticed that some ISPs who have been allocated /32 prefixes from APNIC have not taken up the reverse delegation of their own address range.  They will face problems if the addresses are used to set up SMTP servers by their corporate customers.  One example is HGC, who owns the prefix 2403:5000::/32.

[warren@dnssec ~]# nslookup
 > set type=ns
 >  0.0.0.5.3.0.4.2.ip6.arpa.
Server:         202.81.252.116
Address:        202.81.252.116#53

** server can't find 0.0.0.5.3.0.4.2.ip6.arpa.: NXDOMAIN

Here is a good example of CPCNet with 2403:2c00::/32

[warren@dnssec ~]# nslookup
 > set type=ns
 >  0.0.c.2.3.0.4.2.ip6.arpa.
 Server: 202.81.252.116
Address: 202.81.252.116#53

Non-authoritative answer:
0.0.c.2.3.0.4.2.ip6.arpa nameserver = ns1.hk.net.
0.0.c.2.3.0.4.2.ip6.arpa nameserver = ns2.hk.net.

Authoritative answers can be found from:
ns1.hk.net has AAAA address 2403:2c00:2::1
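The reverse zone names queried above are just the prefix nibbles written backwards under ip6.arpa, which is easy to get wrong by hand. As an added example (my own, not from any tool), the function below derives the name from a prefix and checks it against a constructed copy of the answers shown above; the live check would be the nslookup queries in the entry.

```python
import ipaddress


def ip6_arpa_zone(prefix):
    """ip6.arpa name for an IPv6 prefix on a nibble boundary,
    e.g. 2403:5000::/32 -> 0.0.0.5.3.0.4.2.ip6.arpa."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa delegation needs a prefix length that is a multiple of 4")
    hexdigits = net.network_address.exploded.replace(":", "")   # 32 nibbles
    covered = hexdigits[: net.prefixlen // 4]
    return ".".join(reversed(covered)) + ".ip6.arpa."


def ptr_name(address):
    """Full PTR owner name for one address (all 32 nibbles reversed)."""
    return ip6_arpa_zone(f"{address}/128")


# Constructed view of the NS answers in the entry above (not a live resolver):
# a zone with no entry stands for the NXDOMAIN case.
DELEGATIONS = {
    "0.0.c.2.3.0.4.2.ip6.arpa.": ["ns1.hk.net.", "ns2.hk.net."],
}


def reverse_delegation_status(prefix, delegations=DELEGATIONS):
    """Report whether the ISP's reverse zone is delegated in the snapshot."""
    zone = ip6_arpa_zone(prefix)
    return zone, ("delegated" if delegations.get(zone) else "missing")


if __name__ == "__main__":
    for p in ("2403:5000::/32", "2403:2c00::/32"):
        print(p, *reverse_delegation_status(p))
```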

2012/03/29

IPv6 network time service available now from the Hong Kong Observatory

IPv6 NTP service is now available from the Hong Kong Observatory (HKO) at "time.hko.hk"; the public announcement is at:

http://www.info.gov.hk/gia/general/201203/29/P201203290205.htm

OFTA and CUHK have been helping the tests and configurations in the past 3 months. We are happy to work with HKO colleagues and share experience on technical issues of IPv6. This IPv6 NTP system is highly resilient, running dual-stack with v4 and v6 redundant links from two different ISPs.

[warren@ ~]# ntpdate -q time.hko.hk
server 2403:5000:171:11::2, stratum 1, offset -0.000255, delay 0.03191
server 2407:8000:8001:80::8, stratum 1, offset -0.000517, delay 0.03520
server 223.255.185.2, stratum 1, offset -0.000185, delay 0.03293
server 118.143.17.82, stratum 1, offset -0.000069, delay 0.02800
29 Mar 21:57:16 ntpdate[24631]: adjust time server 118.143.17.82 offset -0.000069 sec

It took 27 months from my first proposal to HKO to successful implementation. A great feeling of relaxation, finally.
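To show the selection behind the "ntpdate -q" output above and the round-robin observation in the 12 June entry, here is an added Python example (mine, not from the ntp distribution) that parses the four "server" lines and picks the one ntpdate would adjust to. The rule used, lowest stratum and then lowest delay, with unreachable addresses skipped, is my simplification of ntpdate's selection.

```python
import re

# Constructed copy of the "ntpdate -q time.hko.hk" output quoted above.
NTPDATE_Q_OUTPUT = """\
server 2403:5000:171:11::2, stratum 1, offset -0.000255, delay 0.03191
server 2407:8000:8001:80::8, stratum 1, offset -0.000517, delay 0.03520
server 223.255.185.2, stratum 1, offset -0.000185, delay 0.03293
server 118.143.17.82, stratum 1, offset -0.000069, delay 0.02800
"""

LINE_RE = re.compile(
    r"^server (?P<addr>[0-9a-fA-F:.]+), stratum (?P<stratum>\d+), "
    r"offset (?P<offset>-?\d+\.\d+), delay (?P<delay>\d+\.\d+)$"
)


def parse_ntpdate_q(text):
    """Turn the 'server ...' lines into dicts; other lines are ignored."""
    servers = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            servers.append({
                "addr": m.group("addr"),
                "stratum": int(m.group("stratum")),
                "offset": float(m.group("offset")),
                "delay": float(m.group("delay")),
            })
    return servers


def select_server(servers, unreachable=()):
    """Pick the address to sync with: skip addresses that gave no answer,
    then prefer the lowest stratum and, within it, the lowest delay.
    This ignores DNS answer order, which is why round robin has no effect."""
    candidates = [s for s in servers if s["addr"] not in unreachable]
    if not candidates:
        return None
    return min(candidates, key=lambda s: (s["stratum"], s["delay"]))


if __name__ == "__main__":
    best = select_server(parse_ntpdate_q(NTPDATE_Q_OUTPUT))
    print("adjust time server", best["addr"], "offset", best["offset"])
```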

2012/03/28

v6 subnet calculator

Three years ago, when I taught IPv6 subnetting, I asked the audience to use binary or hexadecimal arithmetic to subdivide a prefix into smaller subnets.  This is not necessary anymore.  People can use a v6 subnet calculator to do the job.  It can be downloaded at http://www.accumuli.com/pages/files/IPv6SubnetCalculator.zip



2012/03/27

Find "Aaron Cheung" in Facebook, the 1st person to bring commercial Internet services to Hong Kong

I suddenly found an old friend whose name is "Aaron Cheung" on Facebook.  He was the first person to bring commercial Internet services to Hong Kong. I met him in around 1993. At that time, I was a system operator of Fidonet and my node was 488 in Hong Kong.  During an informal gathering, he told me that he was setting up the first 64k leased line from HK to the US west coast to run the first commercial Internet service in HK, the Hong Kong Internet Gateway Service (HKIGS).  Later on, I was amongst the first 10 customers of HKIGS.  I did not subscribe to the HKIGS service in around 1996, and since then I have not heard anything about him or HKIGS.

I still remember the HKIGS handbook (less than 20 pages) teaching us how to send email, use gopher and other services in a Unix shell environment.  Thanks for all the great services of HKIGS in those years.

2012/03/09

Frameset hijacking website

Today I heard news about a fake website "company-registry.com/hkma/" spoofing itself as the website of the Hong Kong Monetary Authority (HKMA).  I accessed the URL and found that the website owner used a frameset to load HKMA web content into a frame.  That is to say, the content is real, and it comes from the official website, but framed and under another party's domain.  The HTML source code is really simple, as below (I purposely added an extra space in <  > ):

< html>
< head>
< meta http-equiv="Content-Type" content="text/html; charset=gb2312">
< title>香港金融管理局< /title>
< meta name="Keywords" content="香港金融管理局">
< meta name="description" content="香港金融管理局(金管局)由外汇基金管理局与银行业监理处合并而成。金管局的主要职能由《外汇基金条例》和《银行业条例》规定,并向财政司司长负责,金管局是香港政府架构中负责维持货币及银行体系稳定机构....">
< /head>
< frameset border=0 frameborder=0 frameSpacing=0 rows=4%,96%>
< frame marginHeight=5 marginWidth=10 name=mainsoft src="index_.htm" scrolling="no">
< frame src=" http://www.info.gov.hk/hkma/index.htm" >
< /html>

There are many JavaScript snippets that prevent a page from being loaded inside a frame. One that I have tested is below:
< SCRIPT LANGUAGE="JavaScript">
if (window != top) top.location.href = location.href;
< /SCRIPT>

Good luck, HKMA !!!

2012/03/04

Knot DNS

I notice the release of Knot DNS version 1.0.0 by the CZ Internet community.  This is high performance authoritative name server software supporting DNSSEC and NSEC3.  When tested on a 4-core Intel Xeon X3430, 2.40 GHz, 2 GB RAM, running Linux 2.6.38-11, x86_64, Knot DNS can handle 200k queries per second, while BIND 9.8 can handle roughly half that of Knot DNS.   Knot DNS is a perfect choice for second-level domains (SLDs) or even TLDs.  However, there is still a long way to go compared with Nominum Authoritative Name Server (ANS).  That software has a stunning performance of processing 1 million queries per second when running on the same hardware config.  Nominum ANS is the king of name server software !!



2012/02/28

iperf speed test

I am tired of using FTP to test upload and download speed.  Some guys said that FTP has limitations when the bandwidth of the broadband line is large. I have to explore the use of iperf to find out if the download and upload speeds are accurate.

As my home PC is riding on an internal IP address 192.168.1.104, it can act as a client to perform the upload test.  However, for the download test, the internal host must act as a server.  Hopefully, I will be able to set up a virtual server on my WiFi router and forward connections for port 50001 from the WAN side to the host 192.168.1.104 on the LAN side.



2012/02/09

IPv6 subnet prefix

The following sketch might be useful to help determine which position of an IPv6 address to play with in order to set a subnet prefix. I just copy it from a website so the background colour remains.

IPv6 Subnets

2001:0DB8:0400:000e:0000:0000:0000:402b
      ||| |||| |||| |||| |||| |||| ||||
      ||| |||| |||| |||| |||| |||| |||128
      ||| |||| |||| |||| |||| |||| ||124
      ||| |||| |||| |||| |||| |||| |120
      ||| |||| |||| |||| |||| |||| 116
      ||| |||| |||| |||| |||| |||112
      ||| |||| |||| |||| |||| ||108
      ||| |||| |||| |||| |||| |104
      ||| |||| |||| |||| |||| 100
      ||| |||| |||| |||| |||96
      ||| |||| |||| |||| ||92
      ||| |||| |||| |||| |88
      ||| |||| |||| |||| 84
      ||| |||| |||| |||80
      ||| |||| |||| ||76
      ||| |||| |||| |72
      ||| |||| |||| 68
      ||| |||| |||64
      ||| |||| ||60
      ||| |||| |56
      ||| |||| 52
      ||| |||48
      ||| ||44
      ||| |40
      ||| 36
      ||32
      |28
      24
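The sketch above and the subnet calculator mentioned in the 28 March entry boil down to the same arithmetic: every 4 bits of prefix length is one hex digit of the written address. As an added Python example (mine, not the downloadable calculator), the functions below mark the boundary digit for a nibble-aligned prefix length, count and list the resulting subnets, and reject prefix lengths that do not fall on a hex digit.

```python
import ipaddress
import itertools


def nibble_position(prefix_len):
    """For a prefix length that is a multiple of 4, return
    (hex digit index 1..32, group 1..8, digit within group 1..4),
    i.e. where the '|' in the sketch above lands (e.g. /64 -> 16th digit)."""
    if prefix_len % 4 or not 0 < prefix_len <= 128:
        raise ValueError("prefix length must be a multiple of 4 between 4 and 128")
    digit = prefix_len // 4
    return digit, (digit - 1) // 4 + 1, (digit - 1) % 4 + 1


def mark_boundary(address_text, prefix_len):
    """Write the address in full and insert '|' after the last hex digit
    covered by the prefix, so the fixed part is visible at a glance."""
    digit = nibble_position(prefix_len)[0]
    full = ipaddress.IPv6Address(address_text).exploded      # 32 hex digits, 7 colons
    out, seen = [], 0
    for ch in full:
        out.append(ch)
        if ch != ":":
            seen += 1
            if seen == digit:
                out.append("|")
    return "".join(out)


def subnet_count(prefix, new_len):
    """How many /new_len subnets a prefix splits into."""
    net = ipaddress.IPv6Network(prefix)
    if new_len < net.prefixlen:
        raise ValueError("new prefix length must not be shorter than the original")
    return 2 ** (new_len - net.prefixlen)


def first_subnets(prefix, new_len, count=4):
    """List the first few /new_len subnets (the full list of a /32 into /64s
    would be 2^32 entries, so the calculator view is always a window)."""
    net = ipaddress.IPv6Network(prefix)
    return [str(s) for s in itertools.islice(net.subnets(new_prefix=new_len), count)]


if __name__ == "__main__":
    print(mark_boundary("2001:0DB8:0400:000e::402b", 48))
    print(subnet_count("2001:db8:400::/48", 52), "subnets, first:", first_subnets("2001:db8:400::/48", 52))
```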

2012/02/06

RFC 3901 - DNS IPv6 Transport Operational Guidelines


Some colleagues in the Government want to add native IPv6 connectivity to the websites they serve, but their ISPs told them that the name servers are not yet equipped with IPv6 transport. My colleagues are quite frustrated, worrying that IPv6-only hosts will not be able to access the websites because of IPv6 brokenness in the DNS path.

Actually, the ISPs do not quite understand the issue. IETF has published "RFC 3901 - DNS IPv6 Transport Operational Guidelines". In order to preserve name space continuity in the transition to IPv6, the essential points to note are:

- All recursive name servers should be IPv4-only or dual-stack hosts.
- All zones should be served by at least one authoritative IPv4-capable host.

IPv6-only hosts will query a dual-stack resolver, which finds the name servers for them, so the name servers do not need to be reachable over IPv6 transport. So long as the name servers can return AAAA records to the resolver, IPv6-only client hosts receive the information, and hence there is no brokenness in the name resolution process.

I recall that I have answered the same question at least twice.