I’m IPv6 ready – are you?

Firstly for those wondering about Courier-IMAP / authlib / maildrop+authlib packages for Leonidas:  I’ve built them successfully – only a minor adjustment needed after all that –  and it’s available in the usual place. Enjoy, and let me know if there’s any bugs / issues.

(For a change I managed to get them out the door before someone emailed me asking where they were. Miracles happen! :-P)

I was quite surprised – and pleased – to check my website stats and find that my most frequent visitor is an IPv6 address:

IPv6 in AWStats for ThatFlemingGent

(If only the GeoIP database had an idea about IPv6 netblock ownership…)

A good friend of mine is a network administrator for a fair size network – two AS’ under his control and a network covering the Australian eastern seaboard. He’s often tasked with finding additional IPv4 address space.

Because IPv4 addressing is becoming scarce the registrars in many locales (APNIC in his and my case) set a high bar for new allocations to network service providers (must use 80% of existing allocation, justify new allocations for a max of a /22 last I heard) – and rightfully so. They’re not toffees and they are indeed becoming quite scarce, more so with increasing takeup of internet-enabled mobile devices and broader broadband availability.

Yes, there are other options such as NAT (Network Address Translation) and name-based virtual hosting to mitigate many issues – but not all applications play nice behind NAT, Voice apps and some games being good examples – and port forwarding isn’t simple for the novice user.

IPv6, step up to the plate! Support in Linux has been around for aeons and it’s rock solid. If you’re already IPv6-enabled, you’re likely talking to me over it now[1]. It’s even on by default with “link-local” fe80:: class addressing ubiquitous on new installs (even if there’s a lot of frankly ordinary advice on turning it off!)

For Fedora, there’s a number of options for public IPv6 – the documents for the “initscripts” package show the basics of IPv6 quasi-native tunnelling and “6to4” tunnelling and are a good starting point.

The latter is easier and a good option if you don’t have a nearby tunnel broker / point of presence like SiXXS, Hurricane Electric or a provider offering a Hexago-like service.

(Australia is a good example – the AARNet educational network offers such a service, as does Internode for its customers; Telstra may still do so but that’s it, with Hurricane Electric a higher-latency option down here. Other points of presence are just too distant to be useful)

Wolfgang Rupprecht has a Fedora-specific howto, which applies just as well for F11 or even RHEL/CentOS.

The aiccu package is in the Everything repository if you’re eyeing off a SiXXS tunnel connection.

The “go6” client from Hexago is another that hasn’t been packaged yet (to my knowledge, and while I use it due to my provider’s use of their broker software I’m not really a fan).

HE.NET (Hurricane Electric) lets you use the standard tools, no extra apps needed (bless ’em!)

The simplest method? 6to4. It’s not as fast as full tunnelling or “native” direct IPv6, but it will get you “on the road” so to speak. Unfortunately NetworkManager currently gets in the way, going from my testing, but on a headless gateway not using NM it works a charm:

  1. Make sure IPv6 is on in your network config: (NETWORKING_IPV6="yes" in /etc/sysconfig/network)
  2. Tell the network the default IPv6 interface to use (set IPV6_DEFAULTDEV="tun6to4" in the above file)
  3. Add the following lines to your network interface config (e.g. /etc/sysconfig/network-scripts/ifcfg-eth0):
    • IPV6INIT=yes
    • IPV6TO4INIT=yes
  4. That’s about it – restart the network service and you should be rollin’.

It will use anycast to 192.88.99.1 (default anycast prefix host for 6to4) to find the nearest 6to4 broker and use it as the endpoint. Test by going to a site like www.kame.net (if you see an animated turtle, it’s working) and enjoy.
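As an added example (my own, not from the post or Fedora’s initscripts), a small POSIX sh script that works out the 2002::/48 prefix tun6to4 will be given for a public IPv4 address and checks a sysconfig-style file for the two settings from steps 1 and 2. The sample file content and the 203.0.113.5 address are constructed.

```sh
#!/bin/sh
# Added example, not from the post or Fedora's initscripts: work out the
# 6to4 prefix a host will get and check the sysconfig settings from the post.

# 6to4 embeds the public IPv4 address in 2002:AABB:CCDD::/48 (RFC 3056);
# initscripts builds the tun6to4 address from exactly this prefix.
# Returns 1 for anything 6to4 cannot use: malformed quads, octets with
# leading zeros (ambiguous octal parsing), or non-routable space, since a
# box behind NAT on 192.168.x.x will never see a reply via the 192.88.99.1
# anycast relay.
sixto4_prefix() {
    ip="$1"
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    a=$1; b=$2; c=$3; d=$4
    if [ "$a" -eq 10 ] || [ "$a" -eq 127 ] || [ "$a" -eq 0 ] \
       || { [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; } \
       || { [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; } \
       || { [ "$a" -eq 169 ] && [ "$b" -eq 254 ]; }; then
        return 1
    fi
    printf '2002:%02x%02x:%02x%02x::/48\n' "$a" "$b" "$c" "$d"
}

# Check a sysconfig network file (path given so a constructed sample can be
# used) for steps 1 and 2 of the post; accepts KEY=val and KEY="val".
check_sysconfig() {
    f="$1"; rc=0
    for kv in NETWORKING_IPV6=yes IPV6_DEFAULTDEV=tun6to4; do
        key=${kv%%=*}; val=${kv#*=}
        grep -qE "^${key}=\"?${val}\"?\$" "$f" || { echo "missing: $kv"; rc=1; }
    done
    return $rc
}

# Constructed sample of /etc/sysconfig/network with both settings present.
SAMPLE=$(mktemp)
printf 'NETWORKING=yes\nNETWORKING_IPV6="yes"\nIPV6_DEFAULTDEV=tun6to4\n' > "$SAMPLE"

sixto4_prefix 203.0.113.5                       # 2002:cb00:7105::/48
sixto4_prefix 192.168.1.20 || echo "192.168.1.20: private, 6to4 cannot work"
check_sysconfig "$SAMPLE" && echo "sysconfig: both 6to4 settings present"
rm -f "$SAMPLE"
```

The relay reached through the anycast address is whichever one happens to answer, so treat 6to4 as untrusted transit rather than a private link.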

I’m moving servers next week (a Xen VPS with a fatter pipe) and rest assured it will be IPv6-aware!

[1]

[mfleming@qbert ~]$ host -t AAAA www.thatfleminggent.com
www.thatfleminggent.com has IPv6 address 2001:44b8:62:1b0::1

Sort-of-Emergency Post

I’ll keep this short as it’s a little late and I should turn in.

I’ve had a bit of a hosting hiccup – my now ex-host unceremoniously cut me off and disconnected my server on Valentine’s Day, citing an ESA copyright notice. Unfortunately for him and the ESA, there’s absolutely zero proof or truth to the notice itself. What I found a bit insulting was the null routing of my home IP – to the entire network there – preventing me from accessing the reboot port / console to see what was happening!

I’ve decided to simply move on. I’ve brought my server home (Thanks SteveL!) and my sites and most functions are being served from my “loungeroom datacentre” until I get better hosting.

All mail / web / domain and messaging services are fine. Of the game servers only Battle for Wesnoth is running. NTP is sadly out, as of course the IP has changed. I may or may not rejoin the pool, I’ve not decided.

The Fedora repository is fine (getsnmp and tintin got updates).

No IPv6 though, alas, not until some internal changes are made.

As this is only a DSL connection it’s not ideal but it will do for a week or two – I’ll likely go with a VPS (Xen preferred or VMWare – not Virtuozzo!) and have leaned towards Slicehost or Linode. I’ve had a couple of more local offers, but these two have the backing and experience I like. Suggestions for others welcome 🙂

Offline, again.

Sorry to readers / visitors again for another extended outage. This one is again not my doing but this time there’s been a happier ending.

I elected on Friday to churn my ADSL service to Internode (a fairly large ISP here in Australia) as they provide a decent service and I get a discount as a member of the System Administrator’s Guild of Australia.

Their advertised turnaround time was 20 days(!) so I’d put in my intention to close my current DSL service (see previous posts) in 30 days as required by contract. The story of what happened there has already been posted below 😉

This time, I dropped off-air at around 11 (or so Nagios told me) – I actually went home to check the console to see a bunch of CHAP password errors. Opened my ticket with WC and added that I’m offline again, can someone have a look. Of course, they have no idea.

As it turns out, Telstra had switched my line over to the Agile DSLAM used by Internode some time that day – but no one told me, Internode and Webcentral. I only cottoned on when a reboot of my router saw it train using ADSL2+ modulation and a line speed of close to 18Mbps. A call to Internode got me the login details needed, some IP config changes, tickets to update DNS and voila – I’m back baby at a much swifter speed!

So this tale has a happy ending.

Offline for too long

Apologies for the outage even though it’s not really my fault. I gave Webcentral (who supply my ADSL service) the necessary 30 days notice for account closure on Monday only to find the service cut off on Wednesday afternoon because two staff members failed to read the ticket and issued an immediate closure – I was ssh’d in from work at the time and just saw the session time out.

In total, I was off for 2d 4h 48m 23s according to my internal Nagios monitoring service.

The people responsible will be shot. 🙂

Charley Says “Don’t Generate Backscatter”

Seems I’ve been on the end of a fair amount of backscatter because some clueless nimrod of a spammer used enlartenment.com as the SMTP sender domain of one of their mailouts.

I found the attempt mildly amusing. It basically provided a free benchmark for my MySQL server 🙂

Despite having only a 512 ADSL line and commodity hardware running the server, I barely noticed a thing – not one message hit the queue and the bandwidth overhead was negligible.

For the visual person, here’s today’s reject graph from mailgraph:

Y’see, when idiots use a nonexistent address to spam some other idiots who’ve set their SMTP servers to reject rather than discard obvious spam, you get null-sender bouncebacks to the unfortunate sucker in the Return-Path.

However, greylisting really makes the last part of the equation lots of fun – Idiots 2-7000 (sending the backscatter) not only have to deal with the double-bounces generated by a DSN sent to a nonexistent address, but the temp failures due to me telling your service to piss off and come back later (the aforementioned greylisting).

Perhaps this will teach admins to discard/quarantine spam rather than just reject it. Especially those sucker^H^H^souls running Sendmail. 🙂
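The reject graph above in textual form, as an added example that is not part of the original post: a shell/awk pass over Postfix smtpd log lines that counts null-sender (from=<>) RCPT rejections per sending host, separating greylist tempfails from hard rejects. The log lines, hostnames and addresses are constructed samples in Postfix’s smtpd log format.

```sh
#!/bin/sh
# Added example, not from the original post: count backscatter from Postfix
# smtpd log lines. A DSN always arrives with a null sender (from=<>), so a
# null-sender delivery to an address that does not exist here is a bounce
# some other site generated for mail forged in our name.
# The log lines below are constructed samples in Postfix's smtpd format.

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Feb 14 10:01:02 qbert postfix/smtpd[4021]: NOQUEUE: reject: RCPT from mx1.example.net[192.0.2.10]: 550 5.1.1 <zqx9@enlartenment.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<zqx9@enlartenment.com> proto=ESMTP helo=<mx1.example.net>
Feb 14 10:01:05 qbert postfix/smtpd[4021]: NOQUEUE: reject: RCPT from mx1.example.net[192.0.2.10]: 450 4.2.0 <zqx9@enlartenment.com>: Recipient address rejected: Greylisted; from=<> to=<zqx9@enlartenment.com> proto=ESMTP helo=<mx1.example.net>
Feb 14 10:02:11 qbert postfix/smtpd[4022]: NOQUEUE: reject: RCPT from relay.example.org[198.51.100.7]: 550 5.1.1 <bbbq@enlartenment.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<bbbq@enlartenment.com> proto=ESMTP helo=<relay.example.org>
Feb 14 10:03:40 qbert postfix/smtpd[4023]: NOQUEUE: reject: RCPT from bad.example.com[203.0.113.9]: 554 5.7.1 Service unavailable; Client host [203.0.113.9] blocked; from=<spam@example.com> to=<mfleming@enlartenment.com> proto=ESMTP helo=<bad.example.com>
Feb 14 10:04:01 qbert postfix/smtpd[4021]: 3F2A1C0: client=mx1.example.net[192.0.2.10]
EOF

# Print "client-ip status count" for every null-sender RCPT rejection,
# separating greylist tempfails (4xx) from hard rejects (5xx). Lines 4 and 5
# above are ordinary spam and an accepted connection, so they are ignored.
backscatter_report() {
    awk '/postfix\/smtpd/ && /: reject: RCPT from / && /from=<>/ {
             sub(/.*RCPT from [^[]*\[/, ""); ip = $0; sub(/\].*/, "", ip)
             status = ($0 ~ /\]: 4[0-9][0-9] /) ? "greylisted" : "rejected"
             n[ip " " status]++
         }
         END { for (k in n) print k, n[k] }' "$1" | sort
}

# Total null-sender rejections, roughly what the graph's reject line shows.
backscatter_total() {
    grep -c 'reject: RCPT from .* from=<> ' "$1"
}

backscatter_report "$LOG"
backscatter_total "$LOG"
```

Feed it `/var/log/maillog` instead of the sample file to get today’s numbers; a sudden spike from many distinct hosts, all with from=<>, is the backscatter signature.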

A word on DNS blacklists.

There seems to be some disagreement regarding use of DNS blacklists (“DNSBLs”) among some members of the Internet community (pro-DNSBL here and slightly con here for example)

This is fine, they’re both valuable notices and opinions. What bothers me a little is the seeming lack of understanding (mostly from commenters) of how they work in practice, how they’re actually implemented on mailservers and the reasons for listing. Interestingly these arguments seem to rear up only when someone’s fave domain / service gets listed on a widely used blacklist.

Any blacklist entry is just a simple DNS A/TXT record, nothing more. It’s not going to hunt you down and eat your brain. They even go away after a while and life goes on.

But seriously…

Like any service, there will be good examples and not-so-good examples. The arguments against seem to focus on

  • “Political listings!!eleventyone!” cries (often accompanied by accusations of censorship/ulterior motive on the part of the DNSBL maintainers)

Some are indeed poorly maintained and have contained spite listings (ORBS from the old days was a frequently cited example, SORBS is often accused of same; I don’t necessarily agree, I think it’s just too broad and poorly maintained) but the bigger names – Spamhaus, what was MAPS (now owned by Trend Micro?) in particular need to be impartial and accountable as they have paying customers.

Even the other “big names” – NJABL and DSBL to name two – need some level of openness if they’re going to be widely used and taken seriously – and in these cases I think they do. In the case of gmail.com, look at the listing and their stated processes – frankly it looks pretty clear that it’s purely a technical decision; someone at Google allowed the box to relay mail for clients it shouldn’t, which is hard to fuck up these days but still possible if you’re not paying attention.

A tester found this and submitted it, and it tested positive. Simple as that. No politics or such involved. Do folks believe Google should get a free pass on this because they’re Google? Not me – that’d be doing them (Google) a disservice. Open SMTP relaying is a security issue and it’s imperative to let folks know, especially the maintainers of the service.

  • “They’re ineffective”

So, what’s the alternative? Legislation hasn’t cut it, nor will it. Bayesian filtering is OK, but as implemented isn’t a panacea or useful on its own. Rule / regexp based filtering is too prone to false negatives as well as positives. Challenge-response mechanisms? Fsck off, they generate more noise than the spam itself. I can pull up plenty of examples with not too much effort.

DNS blacklists at least cut down on obvious junk from the “known” spam systems / networks, misconfigured proxies, botnets and zombies. Your own choices of scoring/filtering can take care of the rest. Ask any DNSBL-using provider – and there’s a lot of them (including mine as well as my own systems).

  • “They can’t be trusted”

This is a daft argument. Really – I suppose proponents of such arguments don’t allow DNS either? You’re never quite sure if a packet is spoofed / poisoned or not. Why do you trust Verisign / Thawte to sign that SSL cert? Is that PGP key really Phil Zimmermans?

But they all have policies and best-practice documents. Verisign are trusted because they’ve shown themselves to be so over time (plus contracts to ensure same I’d imagine) and they check their documents thoroughly. DNS has DNSSEC for the paranoid, and the roots are distributed and maintained professionally. PGP – ever heard of “web of trust” or key-signing parties? No one is forcing you to trust a key owned by someone unmet…

No one with a half-clue is going to implement or add a DNS blacklist or any security feature without at least looking at the consequences and practical realities of said action. They’re going to Read The Fucking Manual or Check The Fucking Policy first, at least you’d hope. If they’ve got users and customers, they’re going to notify them via policy that this is going to take place (for ISPs, make it clear in the terms at signup if need be).

Again, DNSBL maintainers are reliant on their record as good citizens, otherwise no one’s going to use them. They publish policies and guidelines for use so even the most inept excuse for a sysadmin can use them and users can understand why they’re there. They publish the listings with appropriate information regarding how and why a listing exists. What more accountability can you ask for without a contract?

I personally like some lists – not all, my Anti-Spam pages and some of my wiki documents outline what I prefer and use. They cut out a lot of spam – not all of it, but as mentioned a lot of it (Spamhaus rejects a LOT of crap) and surprisingly I’ve not had a false positive in recent memory – and I check my logs carefully (viva pflogsumm!). I’ve also been at this spam-fighting game for around 10 years (NANAE posts going back to ’97ish) and remember some of the bigger players when they were just starting up!

My point, in summary: They’re not a panacea but they’re not inherently evil, political or a censorship tool. They’re just DNS records!

On their own, they do little – it’s HOW and WHERE they’re implemented that matters. Poor choices will lead to poor results and vice versa. Use them wisely if you choose to!

Don’t go apportioning blame where it’s not deserved – the blacklist doesn’t set your local policy and blacklist (non)usage, you/your sysadmin does.

DNSBL operators just provide a tool and instructions on how to use it, along with relevant support information and policies. If you don’t like them – don’t use them (or don’t use the parts you don’t want, most are fairly modular now) if you do, go for it – but be aware of the consequences.
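To make the “they’re just DNS records” point concrete, here is an added example (my own, not from the post or any list operator): POSIX sh helpers that build the reversed-address query name a DNSBL lookup uses, classify the A record that comes back, and run the sanity check a careful admin does before wiring a list into a mailserver. The zone dnsbl.example.invalid and the addresses are placeholders; the live check uses the same host(1) tool the post’s footnote does.

```sh
#!/bin/sh
# Added example, not from the original post. A DNSBL entry is an ordinary
# A record (plus an optional TXT giving the reason) under the list's zone,
# named by the reversed IPv4 address. Nothing more is involved.

# 203.0.113.5 in zone dnsbl.example.invalid -> 5.113.0.203.dnsbl.example.invalid
# (placeholder zone; use the one named on the list's own policy page)
dnsbl_name() {
    ip="$1"; zone="$2"
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# Classify a returned A record (empty string for NXDOMAIN). Working lists
# answer from 127.0.0.0/8 and document which code means what (RFC 5782).
# 127.0.0.1 is the test entry that must never be listed; an answer outside
# 127/8 means a dead or parked zone whose wildcard lists the whole world.
dnsbl_classify() {
    case "$1" in
        '')        echo not-listed ;;
        127.0.0.1) echo suspect ;;
        127.*)     echo listed ;;
        *)         echo bogus ;;
    esac
}

# Live check of a zone before you trust it (needs network and host(1)):
# the 127.0.0.2 test point must be listed and 127.0.0.1 must not be.
dnsbl_answer() {
    host -t A "$(dnsbl_name "$1" "$2")" 2>/dev/null \
        | awk '/has address/ { print $4; exit }'
}
dnsbl_sanity() {
    zone="$1"
    [ "$(dnsbl_classify "$(dnsbl_answer 127.0.0.2 "$zone")")" = listed ] \
        && [ "$(dnsbl_classify "$(dnsbl_answer 127.0.0.1 "$zone")")" = not-listed ]
}

dnsbl_name 203.0.113.5 dnsbl.example.invalid   # 5.113.0.203.dnsbl.example.invalid
dnsbl_classify 127.0.0.2                        # listed
dnsbl_classify 198.51.100.7                     # bogus
# dnsbl_sanity zen.spamhaus.org && echo "zone answers sanely"
```

Run dnsbl_sanity against every zone in your MTA’s restriction list now and again: a list that has shut down and let its domain lapse will start answering “listed” for everything, which is the quickest way to turn a sane policy into a self-inflicted outage.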

…so he tries to get too frickin’ clever..

…and almost loses.

As noted in my last entry, I picked up a gigabit switch in the post Christmas sales along with a suitable network card. Today, being a generally wet/overcast day (meaning “watch cricket on the TV and hack around a bit if it’s slow”) I picked up a matching gig card for Qbert, my server.
For someone of my experience, this installation would not normally pose an issue. Alas, as it’s my homebrew FrankenServer and not one of the nicer pre-built IBM/HP jobs I deal with at work, I obtained the following wisdom (or was thoroughly LARTed, depending on your perspective).

While all sentient beings have Buddha-nature, can become bodhisattvas and save others from suffering, all non-sentient computer hardware has Bastard-nature, can become mischievous and cause great suffering.

The card slotted in fine, everything powered up ok initially – except it decided to throw a watchdog error and refuse to pass traffic. A reboot, reconfigure – nothing. Frob a couple of extra bits in BIOS. Nope – what NIC are you talking about, thinks the system. A regression / sense of deja-vu tells me to try another PCI slot and take the IRQ away from the USB ports (which Linux will handle OK thanks)… Bingo.

“I want to transfer packets,

But the switch I cannot see,

A power cycles helps not,

Fscking IRQ conflicts!”

Well – all was OK. I’ve not seen an IRQ conflict in years – even on old, decrepit crap (like pong). Seems the RAID array controller and the new NIC wanted the same thing, as the others had already been taken according to BIOS. Removing the USB IRQs freed enough for them to go their separate ways.

This leads me to a second oddity, but less of a problem for my situation. It seems the new switch (a Linksys SD2008 for those interested – 8 port unmanaged switch) doesn’t support jumbo frames.

What’s a jumbo frame you ask? Gigabit ethernet supports frames with a Maximum Transmission Unit (MTU) larger than the normal Ethernet standard of 1500 bytes – often up to 9216 bytes per frame. This is very handy for huge files (video, CAD documents, massive images). However this switch lacks the capability according to some Googling.

Mind you, the testing I’ve performed gives me quite adequate transfer rates (around 2G a minute plus) so I’m not overly concerned. I’m primarily interested in spooling smaller files from my server (mail, RPMs for build systems, music and SMB/NFS shared files) than massive images. Still, how many places will sell an 8 port gig switch for $AU150 (without it being shite)?

I’ll see how it all fares in the longer term 🙂

Another Christmas survived.

It wasn’t half bad, actually – got to catch up with Paul and his missus among other relatives I don’t see too frequently. As usual, the food is plentiful and good.

Sleeping on the couch (as per tradition for me) was not so good and my back is absolutely killing me. Next year I’m either demanding a proper bed or bringing my own 🙂

I’m now up one apron (!?), a cookbook, a Far Side calendar (I miss Gary Larson too..) and a small Buddha/mini Zen garden. I’m halfway through a bigger one without the candles in it. However it’s a definite improvement over the dead bonsai currently on my outside table 😉

The cash also proffered (a good standby for folks unsure of what gifts to buy) have been put to good use in the post Christmas sales – a couple of decent shirts with stuff left over.

I’d also hung onto enough saved cash to upgrade the local network to Gigabit ethernet – an 8-port Linksys and associated NIC for my workstation so far (just a simple Netgear GA311, which has been painless). I’ll likely pick up another for qbert later this week.

I also acquired my brother’s old Logitech Quickcam 3000 – which to my amazement was immediately spotted and configured under Fedora, as it uses the Philips chipset (pwc kernel driver). I’ve not tinkered too much, just Ekiga (SIP / VoIP software) and a couple of snapshots.

Now, to find a SIP phone app that does half-decent video/audio, is free and cross-platform. I’ve tried OpenWengo and it’s left me unimpressed so far (looks good, not easy to use). I’ve already got the aforementioned Ekiga software but that’s currently Linux-only unless you want to risk a beta for Windows (no, not on Mum’s machine)

Things to look forward to: Holidays for 2 weeks from the New Year. Catch up with Bri and other folks I’ve not seen over the Christmas break. New website design planning (repoview is already ahead, due to it breaking with new python-kid packages ;-))