Full house of network devices

This is the picture of my home full house of network devices. They are : two 802.11n routers, four 802.11n client devices, a pair of Powerline Ethernet adpators, two 3G USB dongles and other. I am a TP-LINK super fan.  


Dibbler for Windows XP

For those who are using Windows XP, they know that there is not yet a DHCPv6 client even IPv6 stack is manually installed.  The good news is Dibbler DHCPv6 portable client is available free of charge at http://klub.com.pl/dhcpv6/dibbler/.  I don't have the chance to experience this add-on DHCPv6 client as all my desktop and notebook PCs are running Windows 7.  Have fun.


China generated 32 % of global network attack traffic

China generated 32 % of global network attack traffic, according to Akamai's State of the Internet 3Q 2012 Report.  It is really a champion and a shame.

The second worst country is US, responsible for 13 % of the total.  Some nice pictures of the situation can be seen from:



Fake HKCERT email

By now, it has been widely reported in the media that there was a fake HKCERT email advising recipients to patch the recent Adobe Flash vulnerability and a fake patch was attached.  I tried to look at what HKCERT has been taking in order to protect its email domain.  Unfortunately, HKCERT does not use Sender Policy Framework to specify what IP addresses and domains can use "hkcert.org" as the sender domain in the email header.    HKCERT has learnt a lesson in hard way.


Gmail over IPv6

An overseas network administrator contacted me to discuss the problem when conducting IPv6 email tests with Gmail.  Understandably, some administrators think that Google Gmail can help to test IPv6 email setup.   The fact is Gmail receives incoming emails from dual-stack mail servers based on the rule that v6 channel has priority over v4, but in sending out emails to dual-stack mail server, Gmail always selects the v4 path.  I also doubt if Gmail can send out to IPv6 only mail servers. In the past, my IT colleagues thought our dual-stack mail server was wrongly configured after testing with Gmail and  spent many hours of trouble-shooting with no clue of what happened.  In the end, it was Gmail that used its own means of v4/v6 path selection without adhering to the dual-stack rule.  I think this fact is now well-known to the IPv6 technical community. 


Reverse lookup of a /64 prefix

Reverse lookup is necessary for IPv6 address assigned to SMTP Server otherwise the emails sent out will be treated as spam by other SMTP servers.  To this end, I have asked my serving ISP to dedicate the reverse lookup of  the prefix 2401:300:0:1::/64 to me.  The configuration at my side is tested ok and perfect.

[localhost ~]# dig -x 2401:300:0:1::8080

; <<>> DiG 9.5.2-RedHat-9.5.2-1.fc10 <<>> -x 2401:300:0:1::8080
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- 36584="36584" font="font" id:="id:" noerror="noerror" opcode:="opcode:" query="query" status:="status:">
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4


;; ANSWER SECTION: 86400IN PTR v6-mail.com.

;; AUTHORITY SECTION: 86400 IN NS ns2.i3way.net. 86400 IN NS ns1.i3way.net.

ns1.i3way.net.          3600    IN      A
ns1.i3way.net.          3600    IN      AAAA    2401:300:0:1::8080
ns2.i3way.net.          3600    IN      A
ns2.i3way.net.          3600    IN      AAAA    2001:470:18:16c::2

;; Query time: 1 msec
;; WHEN: Mon Jan 14 09:07:46 2013
;; MSG SIZE  rcvd: 248


Bank's e-statement should not be attached with email

Shame on Citibank.  It violated the security practice promulgated by the banking authority in HK.  Over the past 12 months, I found that Citibank attached a monthly e-statement pdf to me via email though the attached pdf was password protected.  Fraudsters can disguise themselves as a bank and attach malicious code in pdf.  The chance of success is high as e-statements are so important that target recipients will open and read them to see how much they need to pay.  As far as I know, other banks just alert their users that e-statements are ready online without providing any clickable links in the email.  Until today, Citibank notified me about a new arrangement of no more e-statement attachment.  Unfortunately, Citibank did not offer apology to its customers for ignoring this important security matter previously.


Greylisting and dual-stack mail servers

I notice that some network administrators are now using greylisting on their IPv6 mail server as there is no other IPv6 anti-spam solutions in the market.  They should be minded that that greylisting might not work as expected in a dual-stack configuration.  Why not ?  It is because if the v6 channel does not accept the mail, the sending side will fall back immediately to deliver the same mail over v4  channel.  Unless the greylisting is also employed on IPv4, I do not see the effectiveness of greylisting on IPv6 only for a dual-stack configured mail server.   I have no idea whether this is a weakness or not. 


Targeted Geographical Banner Ads

Today I visited BBC UK website and the banner on the right hand corner was an advertisement of CSL LTE service.  Hey, this is really smart.  BBC detected that the IP address was from Hong Kong and it could select an ad banner of Hong Kong clients.  However, this Internet marketing strategy will fail if I access BBC through a proxy server or VPN.


Install Flash on Nexus 7

Just found out that flash is absent from default Chrome browser of Nexus 7 (Android Jelly Bean OS).  Too bad, I need to browse quite a number of websites running flash.

On googling, I got great hints (http://www.howtogeek.com/120277/how-to-install-flash-on-the-nexus-7-and-other-jelly-bean-devices/)

First download the flash apk from XDA developer forum (http://forum.xda-developers.com/attachment.php?attachmentid=1199371&d=1342343609)

Second, download and install Firefox-beta from Google Play.

Third, before installation of the flash apk, set the security of Nexus 7 to allow running app from other untrusted sources other than Google Play.

So that's all.  Afterward, use Firefox to browse flash websites.  One important step is to change back to the original security settings otherwise one will get into trouble of getting malicious applications installed. 


Netgear 802.11ac adapter

802.11ac client devices are still rarely seen in the market as the ac standard has not been ratified by IEEE yet.  However, I recently come across Netgear A6200 which the manufacturer said can support 867 Mbps if operated on 802.11ac.  This sounds quite OK to me as the device can only have 2 built-in antennas.  However, the USB interface works on USB 2.0 which can operate at maximum of 480 Mbps.  In that case, whatever high speeds in the air interface are then capped to 480 Mbps.  Should manufacturers better claim 802.11ac client devices can have a maximum throughput of 480 Mbps instead of 867 Mbps.


IPv6 speedtest engine

My IPv6 speedtest engine at speedtest.warrenkwok.com is now successfully configured.  Again, it runs Ookla licence free speedtest mini.   Actually, if clients connect via IPv6 channel, it will test the speed of IPv6 connection and similar action for IPv4.    The maximum speed that can be tested is 100 Mbps.


30th anniversary of TCP/IP

On 1 January 1983, TCP/IP was successfully launched to  replace NCP. The advantage of TCP/IP is its versatility. It can switch packets of all shapes and sizes, and work across a varieties of networks.  This set of open network communications protocols has changed the world dramatically.  Special thanks must be conveyed to Vint Cerf, Robert Kahn and Jon Postel.