I almost forgot to mention one important IPv6 development in the Asia Pacific Region. APNIC 34 made a decision to allow portable IPv6 address (Provider Independent) blocks to be allocated to applicants without using a multi-homed configuration. Many companies can have their own /48 address block and they need not change their network configurations when changing serving ISP. There is an argument that such an arrangement would result in a large number of fragmented /48 blocks in the global routing table. The design of IPv6 is to have routes in terms of /32. Hey, routers' performance is not really affected by a large routing table. Who cares? We should consider the benefits to end users instead of giving less loading to equipment.
APNIC is the only RIR that waives the requirement of multi-homing in allocation of Provider Independent IPv6 address blocks. It seems that the Asia Pacific region is moving faster than other regions.
This is Warren Kwok's Internet note pad, electronic diary, online rubbish journal, whatever you might name it! It is an archive of my random thoughts in chronological order. I am not good at reporting boring things and making them lively. If you find this blog boring, sorry that it is your problem.
2012/08/31
2012/08/30
Greylisting in v6 SMTP servers
I have observed that many v6 SMTP servers are using greylisting. I am not quite happy with greylisting because of the extra delay in delivering a legitimate email. If some messages are urgent, you expect the recipient to get them shortly after you click the send button. But for IPv6, can we prove that greylisting can really help since as of today there is no IPv6-based DNSRBL?
2012/08/22
Chrome browser must not be used for speedtest
I have a 1000 Mbps GPON FTTH installed at home. Using the Chrome browser for speedtest, I can only get download speeds around 350 Mbps while upload speeds are always below 250 Mbps. But when I change to the IE browser, things are quite different. Download speeds are boosted to 800 Mbps and upload speeds to around 600 Mbps. I recalled that I had not seen such discrepancies in 100 Mbps broadband services. I will attach screen dumps to show what I have experienced later on. I would really like to know what is wrong with Chrome.
2012/08/07
IPv6 Statistics
Last week, I heard that the number of IPv6 users in the US climbed to 3.3 million, which makes the US the country with the largest number of IPv6 users. Where does this figure come from? It is from:
http://resources.potaroo.net/iso3166/v6dcc.html
I think the above is provided by Geoff Huston or APNIC. They use advertised /64 prefixes to estimate the number of IPv6 users. Sounds pretty logical but I have no idea of the underlying methodology. Good work, anyway.
2012/08/05
IPv6 Prefix Delegation
This is the best and most useful description of IPv6 Prefix Delegation I have ever come across:
Prefix delegation (PD) is a mechanism developed to provide automated delegation of IP address blocks. The delegation is done from an ISP to its customer. The ISP does not require any knowledge of the customer's internal network topology. The DHCP-PD protocol runs between a Customer Edge (CE) and a Provider Edge (PE) router, the CE is called a Requesting Router (RR) and the PE router a Delegating Router (DR). The RR acts as the DHCP client, and requests prefixes from the DR (DHCP server). The DR injects a route into the provider's routing system for the delegated prefix on behalf of the RR. That way, a dynamic routing protocol between the RR and the DR is not needed; however, the RR and the DR must be directly connected.
Prefix Delegation requires the use of an AAA server for authentication. I grabbed an illustrative diagram above.
2012/07/30
2012/07/29
Apps for checking the balance of Octopus
I finally found the best app of the year. It is Octocheck (Octopus Card NFC Reader), an app for checking the balance of an Octopus Card together with the date, time, nature and amount of the last 10 transactions.
It is available from Google Play at :
https://play.google.com/store/apps/details?id=com.octopuscards.nfc_reader
The smartphones and tablets must have NFC functionality. My son's smartphone Xperia Ion has this feature so one installation should be sufficient for the whole family.
There are 13 million Octopus Cards actively used by consumers every day. This app comes a bit late. Anyway, I still need to say thanks to Octopus Cards Limited for developing a useful app. This might be the first large-scale application of NFC in smartphones for Hong Kong people.
2012/07/25
Test the IPv6 readiness of a domain
I got a five-star pass when testing my domain i3way.net at the test site ip6.nl for IPv6 readiness. The most difficult part of getting 5 stars is the use of an IPv6 glue record for the domain, which means IPv6-only resolvers can still fetch the domain records. I note that many domains have failed in this aspect.
2012/07/23
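"Domain" Meets the Future
On 13 June 2012, the Internet Corporation for Assigned Names and Numbers (ICANN) published the list of applications to operate new generic top-level domains (gTLDs). There were 1930 applications in total, of which Hong Kong enterprises submitted 42, accounting for two percent of the global total, much to the delight of Hong Kong's IT industry.
Apart from country-code top-level domains (such as ".hk", ".cn" and ".tw"), the Internet currently has 22 generic top-level domains, the most familiar being ".com", ".net" and ".org". Today Internet services cover every industry, and the existing 22 gTLDs can no longer meet the needs of all trades and offer little choice. ICANN expects the new gTLDs to bring more innovation, choice and competition to the Internet and ultimately better services for users. For example, the banking industry could apply to use ".bank", the record industry ".music" and the hotel industry ".hotel". Enterprises around the world can also apply for top-level domains based on their registered company names or brands, such as ".ibm", ".microsoft", ".skype" and ".android".
The costs involved in applying for a new gTLD are staggering. An applicant must first pay a one-off application fee of US$185,000 (about HK$1.45 million), and thereafter an annual administration fee of US$25,000 (about HK$200,000). When vetting each domain, ICANN also considers the applicant's background, including technical support, financial and operational capability, and only applicants with sufficient strength will be approved. By a conservative estimate, the true average cost of each new gTLD may exceed one million US dollars.
Two Hong Kong telecommunications service providers, PCCW Limited and CITIC Telecom International CPC Limited, together applied for eight top-level domains for future business use, including ".pccw", ".hkt", ".電訊盈科", ".香港電訊", ".now", ".nowtv", ".中信" and ".citic". After ICANN published the list, the author found that as many as six companies had applied for ".now", while only PCCW Limited had applied for ".nowtv". The author cannot help but admire the company's planning and strategy: they had long anticipated that ".now" would trigger a contest, and should the bid for ".now" fail, ".nowtv" is there as an immediate fallback.
Among the many applications, the most eye-catching is ".app", contested by 13 companies including Amazon and Google. The industry estimates that Google is determined to win ".app" and will not hesitate to spend over ten million US dollars to defeat its rivals and ultimately secure ownership of ".app".
Opening up gTLDs also makes the dream of major cities to own their own digital landmarks come true. City governments around the world have applied for domains named after their cities, for example ".nyc", ".tokyo", ".paris", ".广东", ".广州" and ".佛山". Some may ask why no Hong Kong organisation applied for ".香港". In fact, ".香港" is the internationalised name of the country-code domain, so ".香港" was delegated years ago to Hong Kong Internet Registration Corporation Limited to manage.
Worth mentioning are some extremely amusing applications that are enough to make one applaud, such as ".gay", ".sex", ".eat", ".dog", ".我愛你" and ".八掛". Whether ICANN's panel of evaluation experts will open up these amusing top-level domains remains to be seen.
All in all, this event is a major reform of the Internet. The new batch of gTLDs is expected to enter service in mid-2013, by which time the Internet will take on a new look.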
2012/07/18
do not zip pdf file
I was surprised to receive an email with a zipped attachment which contained a pdf file. Hey, pdf file is more or less an image type and it could hardly be compressed. Further checking revealed that the original pdf file size was 4.278 MB and after zip compression, the size was 4.252 MB. The compression ratio is less than 1 %. It is just not worthwhile for both the sender and receiver wasting their time to compress and decompress the file.
2012/07/13
speedtest mini
Finally, I got a copy of licence free speedtest mini. Thanks to Ookla though no support is offered. I have to remind myself to amend /etc/php.ini to allow uploading large files by HTTP POST request.
Speedtest mini does not show the IP address of the visiting client. I have added a script to display the IP address. A restart button is also added to enable another test without using the browser refresh.
2012/07/11
Internet in IPv6 is 2000::/3, not ::/0
Some people think that routing to the IPv6 Internet is ::/0, which means everything. This is not recommended since not all IPv6 prefixes are allocated to RIRs. The Internet in v6 should be 2000::/3 (reference RFC4291), not ::/0. This is unlikely to change in the coming 30 years. Do not use ::/0 in making a default route.
If I want to add a route to the IPv6 world, then:
# /sbin/route -A inet6 add 2000::/3 gw 2001:4625::7
Special attention must be paid to prefix 64:ff9b::/96 for DNS64 + NAT64. There should be an additional route to the NAT64 router serving 64:ff9b::/96.
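To see what a 2000::/3 route does and does not cover, here is an added example (not part of the original post) that runs a longest-prefix match over a constructed route table. The 2000::/3 gateway is the one used above; the NAT64 next hop 2001:db8::64 and the sample destinations are assumptions for illustration.

```python
import ipaddress

# Route table as (prefix, next hop). The 2000::/3 gateway is the one from the
# post; the NAT64 next hop is a hypothetical address chosen for illustration.
ROUTES = [
    (ipaddress.ip_network("2000::/3"), "2001:4625::7"),
    (ipaddress.ip_network("64:ff9b::/96"), "2001:db8::64"),  # hypothetical NAT64 router
]


def lookup(dest, routes=ROUTES):
    """Longest-prefix match: next hop for dest, or None if no route covers it."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, hop) for net, hop in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def nat64_synthesize(ipv4):
    """Embed an IPv4 address in the 64:ff9b::/96 well-known prefix (RFC 6052)."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    base = int(ipaddress.IPv6Address("64:ff9b::"))
    return str(ipaddress.IPv6Address(base | v4))


# Constructed sample destinations (documentation and example addresses).
SAMPLES = {
    "global unicast": "2001:db8:1::1",
    "NAT64 for 192.0.2.33": nat64_synthesize("192.0.2.33"),
    "unique local (fc00::/7)": "fd12:3456:789a::1",
    "outside 2000::/3": "4000::1",
}

if __name__ == "__main__":
    for label, dest in SAMPLES.items():
        hop = lookup(dest)
        print(f"{label:26} {dest:22} -> {hop or 'no route (network unreachable)'}")
```

With only the 2000::/3 entry, the synthesized NAT64 address has no route at all, which is why the extra 64:ff9b::/96 route is needed.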
2012/07/10
TP-Link 500 Mbps HomePlug
Shit, TP-Link 500 Mbps HomePlug can only offer 185 Mbps connection speed.
The powerline noise, distance and cable capacitance factors added up together eat away 315 Mbps. Poor technology will never reach the mass market.
2012/07/09
DNSChanger Eliminated
Today, the US Government shut down the substitute resolvers for the DNSChanger malware. More than 0.3 million users will permanently be unable to access the Internet if they do not clear the malware. In Hong Kong, it is estimated that 800 users will suffer. Actually, the number of infected PCs was about 4 million last November, and it was the efforts of CERTs and ISPs worldwide that took back 3.7 million infected PCs.
A test tool is available at http://www.dns-ok.us/. If a host is infected, the background color will be red.
2012/07/06
IPv6 email autoreply facilities again
My IPv6 email autoreply facilities (autoreply@v6-mail.com and www.v6-mail.com) have helped many system administrators to test and troubleshoot their v6 or dual-stack SMTP servers. I decided that for those successful email transactions via v6 channel, I will pass the maillog to the parties initiating the email tests. This definitely shall make other people happy and the workload imposed on me is quite minimal.
2012/06/28
Automatic channel selection of WiFi router
I normally have a 30 Mbps connection to the Internet via WiFi and VDSL modem. In the past three days, the speed dropped to less than 0.5 Mbps. I used a WiFi scanner to scan what channels had been used by my own router and other routers in the neighborhood. Pretty good, due to automatic channel selection, my WiFi router picked channel 9, which was less used. As things did not improve, I decided to manually assign the WiFi channel. Channel 6 was selected even though one or two routers nearby were using it. After rebooting the router, speeds came back to normal. I suspected that there might be strong interference on channel 9 from other devices like a microwave oven, Bluetooth, a cordless phone or toys. The fact is there is no way to make a complaint or seek help since the whole WiFi band is unprotected, free to use by any people and any devices. Picking the most reliable channel in the junk 2.4 GHz band depends on luck. Having said that, I am inclined to switch to the 5 GHz 802.11a band for router and client device provided that the prices drop to a level the average user can afford.
2012/06/23
2012/06/20
802.11n or Powerline Ethernet Adaptor
I note that powerline Ethernet adaptors, which some people call HomePlug, can now support 500 Mbps and 1000 Mbps. This is much better than an 802.11n WiFi connection. The best I can get from 802.11n at home is always below 30 Mbps though the specification states the client can have a maximum speed of 300 Mbps. If the throughput of the Ethernet adaptors is reduced to half due to cable length or noise, the offered speed of 250 Mbps - 500 Mbps is still far superior to the best WiFi devices. It is now the right time to consider replacing 802.11n by powerline Ethernet.
2012/06/17
IPv6 Router Advertisement Attack
I heard about the IPv6 router advertisement attack almost a year ago but did not jot it down in writing. Here it is. A single Windows 7 machine can make all Windows machines in a local area network unworkable by flooding bogus RA messages with many bogus source addresses. Only about 20 seconds of flooding is capable of doing great harm. The CPU usage of all machines approaches 100% and then they hang.
Microsoft has indicated that no patches will be released to rectify this bug but Windows 8 will have this problem removed. In other words, there is no cure from the OS side. Shame on Microsoft.
Organisations that need to use IPv6 RA for address assignment should use an Ethernet switch with RA guard.
Good luck to those who allow RA in their internal network.
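On a segment without RA guard, the flood described above stands out in a capture of Router Advertisements (ICMPv6 type 134): far more distinct senders than the LAN has routers. The following detector is an added example, not from the original post; the record format, the allow-list of known routers and the thresholds are assumptions, and the sample capture is constructed.

```python
from collections import deque

KNOWN_ROUTERS = {"fe80::1"}  # assumption: the LAN's single legitimate router


def analyse_ras(events, window_ms=5000, max_sources=3, known=KNOWN_ROUTERS):
    """Scan (timestamp_ms, source, prefix) RA records sorted by time.

    Returns (rogue_sources, alerts): every sender not in `known`, and the
    timestamps at which the number of distinct senders seen in the trailing
    window first exceeds `max_sources`.
    """
    recent = deque()            # (timestamp, source) pairs inside the window
    rogue, alerts = set(), []
    alarmed = False
    for ts, src, _prefix in events:
        if src not in known:
            rogue.add(src)
        recent.append((ts, src))
        while recent and ts - recent[0][0] > window_ms:
            recent.popleft()
        distinct = len({s for _, s in recent})
        if distinct > max_sources:
            if not alarmed:     # report the start of each burst only once
                alerts.append(ts)
            alarmed = True
        else:
            alarmed = False
    return rogue, alerts


def sample_events():
    """Constructed capture: normal RAs every 200 s, then a burst at t = 1000 s."""
    events = [(t, "fe80::1", "2001:db8:1::/64") for t in (0, 200_000, 400_000)]
    for i in range(50):         # 50 RAs in 0.5 s, each from a new source and prefix
        events.append((1_000_000 + i * 10,
                       f"fe80::bad:{i:x}", f"2001:db8:{i + 0x100:x}::/64"))
    events.append((1_200_000, "fe80::1", "2001:db8:1::/64"))
    return events


if __name__ == "__main__":
    rogue, alerts = analyse_ras(sample_events())
    print(f"{len(rogue)} unknown RA senders, flood alerts at (ms): {alerts}")
```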
2012/06/13
Interactions of ntpdate with DNS round robin
To follow up on my last post of ntpdate interactions with DNS round robin, I wanted to find if the shortest path fails, whether ntpdate will take the second path as backup. The answer is affirmative. I have tested it with firewall blocking the reachability of the shortest path. Some captures are given below for reference.
Test: 118.143.17.82 is blocked by firewall to simulate the shortest path failure
# ntpdate -4 time.hko.hk
13 Jun 08:53:48 ntpdate[3578]: sendto(118.143.17.82): Operation not permitted
13 Jun 08:53:49 ntpdate[3578]: sendto(118.143.17.82): Operation not permitted
13 Jun 08:53:50 ntpdate[3578]: sendto(118.143.17.82): Operation not permitted
13 Jun 08:53:51 ntpdate[3578]: sendto(118.143.17.82): Operation not permitted
13 Jun 08:53:52 ntpdate[3578]: adjust time server 223.255.185.2 offset -0.000177 sec
More details by :
#ntpdate -4 -d time.hko.hk
13 Jun 09:01:15 ntpdate[3699]: ntpdate 4.2.4p5@1.1541-o Wed Oct 8 11:22:55 UTC 2008 (1)
Looking for host time.hko.hk and service ntp
host found : 118.143.17.82
transmit(118.143.17.82)
13 Jun 09:01:15 ntpdate[3699]: sendto(118.143.17.82): Operation not permitted
transmit(223.255.185.2)
receive(223.255.185.2)
transmit(223.255.185.2)
receive(223.255.185.2)
transmit(223.255.185.2)
receive(223.255.185.2)
transmit(223.255.185.2)
receive(223.255.185.2)
transmit(223.255.185.2)
transmit(118.143.17.82)
13 Jun 09:01:16 ntpdate[3699]: sendto(118.143.17.82): Operation not permitted
transmit(118.143.17.82)
13 Jun 09:01:17 ntpdate[3699]: sendto(118.143.17.82): Operation not permitted
transmit(118.143.17.82)
13 Jun 09:01:18 ntpdate[3699]: sendto(118.143.17.82): Operation not permitted
transmit(118.143.17.82)
118.143.17.82: Server dropped: no data
server 118.143.17.82, port 123
stratum 0, precision 0, leap 00, trust 000
refid [118.143.17.82], delay 0.00000, dispersion 64.00000
transmitted 4, in filter 4
reference time: 00000000.00000000 Thu, Feb 7 2036 14:28:16.000
originate timestamp: 00000000.00000000 Thu, Feb 7 2036 14:28:16.000
transmit timestamp: d38264de.bd2b5c2c Wed, Jun 13 2012 9:01:18.738
filter delay: 0.00000 0.00000 0.00000 0.00000
0.00000 0.00000 0.00000 0.00000
filter offset: 0.000000 0.000000 0.000000 0.000000
0.000000 0.000000 0.000000 0.000000
delay 0.00000, dispersion 64.00000
offset 0.000000
server 223.255.185.2, port 123
stratum 1, precision -19, leap 00, trust 000
refid [GPS], delay 0.03297, dispersion 0.00114
transmitted 4, in filter 4
reference time: d38264db.09591159 Wed, Jun 13 2012 9:01:15.036
originate timestamp: d38264db.fb344598 Wed, Jun 13 2012 9:01:15.981
transmit timestamp: d38264db.fa50e9ce Wed, Jun 13 2012 9:01:15.977
filter delay: 0.04730 0.03297 0.03494 0.03299
0.00000 0.00000 0.00000 0.00000
filter offset: 0.006902 -0.00027 0.000801 -0.00029
0.000000 0.000000 0.000000 0.000000
delay 0.03297, dispersion 0.00114
offset -0.000275
13 Jun 09:01:19 ntpdate[3699]: adjust time server 223.255.185.2 offset -0.000275 sec
***** End of Capture ******
As can be seen, "ntpdate -4 -d time.hko.hk" will first establish handshakes with all available IP addresses to determine which one is the best for time sync. If the best IP address is broken, the other will be taken up.
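To check for this failover in a script rather than by eye, the following added example (not part of the original post) parses `ntpdate -d` output into per-server statistics. The sample text is abridged from the capture above, and the parser handles IPv4 addresses only, matching the `-4` run.

```python
import re

# Abridged from the "ntpdate -4 -d time.hko.hk" capture in the post above.
CAPTURE = """\
transmit(118.143.17.82)
13 Jun 09:01:15 ntpdate[3699]: sendto(118.143.17.82): Operation not permitted
transmit(223.255.185.2)
receive(223.255.185.2)
118.143.17.82: Server dropped: no data
server 118.143.17.82, port 123
stratum 0, precision 0, leap 00, trust 000
refid [118.143.17.82], delay 0.00000, dispersion 64.00000
offset 0.000000
server 223.255.185.2, port 123
stratum 1, precision -19, leap 00, trust 000
refid [GPS], delay 0.03297, dispersion 0.00114
offset -0.000275
13 Jun 09:01:19 ntpdate[3699]: adjust time server 223.255.185.2 offset -0.000275 sec
"""


def parse_ntpdate_debug(text):
    """Summarise `ntpdate -d` output: per-server stats, dropped and chosen server."""
    servers, current = {}, None
    result = {"servers": servers, "dropped": [], "chosen": None}

    def entry(ip):
        return servers.setdefault(ip, {"send_errors": 0, "replies": 0})

    for line in text.splitlines():
        line = line.strip()
        if m := re.search(r"sendto\(([\d.]+)\): (.+)$", line):
            entry(m[1])["send_errors"] += 1
        elif m := re.fullmatch(r"receive\(([\d.]+)\)", line):
            entry(m[1])["replies"] += 1
        elif m := re.fullmatch(r"([\d.]+): Server dropped: (.+)", line):
            result["dropped"].append(m[1])
        elif m := re.fullmatch(r"server ([\d.]+), port \d+", line):
            current = entry(m[1])      # following stat lines belong to this server
        elif current is not None and (m := re.match(r"stratum (\d+),", line)):
            current["stratum"] = int(m[1])
        elif current is not None and (
                m := re.search(r"delay ([\d.]+), dispersion ([\d.]+)", line)):
            current["delay"], current["dispersion"] = float(m[1]), float(m[2])
        elif m := re.search(r"adjust time server ([\d.]+) offset (-?[\d.]+) sec", line):
            result["chosen"], result["offset"] = m[1], float(m[2])
    return result


def failed_over(result):
    """True when a resolved address was dropped but another one still synced."""
    chosen = result["chosen"]
    return bool(result["dropped"]) and chosen is not None and chosen not in result["dropped"]


if __name__ == "__main__":
    summary = parse_ntpdate_debug(CAPTURE)
    print(summary["chosen"], summary["dropped"], failed_over(summary))
```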