Andrew's blog

Excellent, due to a little hack we now have the Catalyst website up on IPv6. Thanks David!

This is using the same method that we used to get another large NZ site IPv6 enabled for World IPv6 Day.

Funnily enough we've discovered there is a NZ company that is providing a commercial solution using the same method we're using. Even though it is dirty, and is really, really the wrong way to do it.

Note: It is worth noting that Catalyst's email server has been IPv6 enabled for several years now, as have our DNS servers.

In the vein of World IPv6 Day, I've finally re-enabled IPv6 for the etc.gen.nz mailserver and for our main website (and my git repo).

These services used to have IPv6 enabled, but when I moved them from my home server to one hosted in a data centre we lost IPv6 support. However in the last few months, our hosting company has deployed IPv6 support to their hosting facility, and I finally found time to finish setting it up on the server.

So, we're back on IPv6, just in time for World IPv6 Day!

Here's an email I've just received about a new IPv6 group in New Zealand, if you have an interested in the future of IPv6 in New Zealand, please join:

A workshop at held at InternetNZ on the 28 November in Wellington
saw the formation of a New Zealand IPv6 Steering Group. This group includes
representatives from telecommunications carriers, internet service
providers, ICT vendors, and industry and user associations. The members of this
steering group consist of invited senior representatives from the following organisations:

InternetNZ
TUANZ
ISPANZ
Telecommunications Carriers Forum
Digital Development Forum
Telecom
TelstraClear
WorldXChange
Orcon
FX Networks
REANNZ
Canterbury Development Corporation
Kordia
Cisco
Vodafone
Juniper Networks
Alcatel Lucent
Braintrust


This steering group will primarily be concerned with high level discussion
regarding the deployment of IPv6 within New Zealand. The steering group
will not necessarily be a place where technical discussion takes place.

As with so many things these days, a combination of business and
technical expertise must be bought together to solve a given problem.
To this end at the same workshop a Technical Special Interest Group
(TechSIG) was also established.

The goals of this group are:

. To act as a central point for IPv6 technical discussion within the
    New Zealand Internet community.
. To identify to the IPv6 Steering Group any business related barriers
    to IPv6 deployment which have been identified by the SIG's
    technical contributors.
. To comment and provide potential solutions to technical related barriers
    identified by members of the IPv6 Steering Group.
. To stimulate the production of relevant technical documentation.

The co-conveners of this group are

Andy Linton
Nathan Ward
Brian Carpenter
Dean Pemberton

A mailing list has been created and membership is open to all interested
parties.  Subscription details can be found at the link below;
http://listserver.internetnz.net.nz/mailman/listinfo/ipv6-techsig

I would encourage anyone who has an interest in the deployment and growth
of IPv6 to join and contribute to the list.

Please do not feel that this is a 'Networking Specialist Only' list. The
deployment of IPv6 (and depletion of IPv4) has just as significant an
impact on system administrators and content/application providers as it
does on network administrators. I welcome all technical viewpoints onto the list.


Thank you for your time.

Dean Pemberton
(Co-convener, IPv6 Steering Group Technical SIG)

A fantastic song from the RIPE 55 Meeting.

I'll try the embedded thing as well...

We normally see quite a few people finding this blog via Google. It can be quite amusing to see what search terms led to us.

Earlier this month I decided to check it out again, there were no hits from Google. At all. This was kinda odd, as the googlebots (both for the search engine and for reader) normally hit us quite often.

Looking back through the logs the last time Google hit us was the 14th of March. Which is quite some time ago.

I cruised over to Google and checked Reader, and sure enough the most recent article from our blog is dated the 14th of March. I then tried telling Google to index blog.etc.gen.nz using the WebMaster tools. No dice, it says:

General HTTP error: Domain name not found

Two things happened on that day:

1. I moved from DynDNS to FreeDNS,
   
2. I added AAAA (IPv6) records to some of my hosts, which is why I moved to FreeDNS. DynDNS doesn't support that.
   

It appears that one of those changes caused Google to start ignoring us. And in fact, it is the change to FreeDNS.

Damn.

I think it is finally time to bite the bullet and start running my own nameserver. Which I want to do anyhow to start using DNSSEC...

Some further investigations with the help of a mate (you know who you are) I've discovered that FreeDNS is rejecting DNS queries from Google. I'm not the only one to have encountered this problem.

Update: The issue is FreeDNS. Updated entry to reflect that.
Update 2: Okay, the FreeDNS maintainer is now allowing Google to access our DNS entries again, so we're back in Google. But still, bizarre.

The IPv6 .nz name servers and whois server are now up and running. The announcement from .nz Registry Services sent to NZNOG:

---

NZRS is today pleased to announce that the .nz name servers are now operating
with IPv6 connectivity in what can be regarded as the first phase of the .nz
IPv6 rollout. The name servers are named ns8.dns.net.nz and ns9.dns.net.nz, and
are located in Wellington and Albany repsectively.

Both are connected to the NZ IPv6 Internet Exchange and there is a .nz Whois
server accessible at whois.ipv6.srs.net.nz.

NZRS thanks Open Contributors Corporation for Advanced Internet Development
(OCCAID) and US telco Sprint for providing the IPv6 tunnels, and thanks Citylink
for help in connecting to the NZ IPv6 Internet Exchange.

.nz Registry Services is responsible for the operation of the register of domain
names and the Domain Name System (DNS) in the .nz domain name space.


For further information contact:

support< at >nzrs.net.nz

---

There might be a few more tweaks to the setup, but otherwise, it is looking good.

If anyone is using IPv6 in New Zealand but are not peering with the v6ix then please contact Andrew Ruthven at Catalyst (puck in catalyst.net.nz) to talk about tunnels or other peering arrangements.

Everybody thinks that running a virus scanner on a Windows box is a good thing, right?

Well, it seems that it can be bad if you want to have working IPv6.

I spent several hours at a customers site yesterday working on IPv6 enabling their Windows XP workstations, but was having issues. I did the usual trick of turning off any and all Windows firewalls and the virus scanner, but we still had issues.

The behaviour was that IPv6 addresses were being allocated, we could ping and tracert6 to IPv6 hosts, we could telnet to port 80 on them, but neither Internet Explorer or Firefox wanted to work. Going to an IPv6 website would cause the browser to just hang. Looking in a network dump I could see an initial connection being made to the server, but then no actual requests.

I decided to blame the virus scanner, on the basis that they quite often interfere with the normal flow of events. Even though it was turned off, it might still be interfering. After actually uninstalling it (and rebooting, uninstalling it caused Internet Explorer to crash), everything worked!

Moral of the story, if you're using a virus scanner (in this case NOD32 from ESET) and you're having issues using IPv6, uninstall the virus scanner!

The guys at SixXS have added a new tool to their treasure trove of IPv6 tools. A BitTorrent tracker available only via IPv6.

Go and check out the catalog for some installation CDs and whatever else they throw up there.

Our blog is now accessible via the IPv6 Internet. While I've had the network IPv6 enabled for few months now, I've finally taken the plunge and changed Dynamic DNS providers, which means I can make our addresses available via DNS.

I used DynDNS for many years, but unfortunately they don't support AAAA records. I'm now using FreeDNS. They allow a domain name to have a static AAAA record and then dynamic updating of an A record. Which is exactly what I need!

Firewalling IPv6 on Linux seems to be a vaguely documented topic, and most of that documentation seems to be out of date as it is a fast moving target. I've spent a bit of time over the last couple of days working on improving my firewalling situation and thought I should write up what I've found.

After a bit of digging I found that while IPv6 connection tracking was merged in 2.6.16, the configuration options are somewhat hidden. Up until yesterday I was running 2.6.19.x on my firewall and I discovered that while ip6tables allowed me to configure a stateful firewall, it wasn't actually doing anything!

I looked around for the required nf_conntrack_ipv6 module and couldn't find it. I looked in my running kernels config and couldn't find it. In fact I couldn't find any option for enabling IPv6 connection tracking at all. After some digging (grep'ing the Kconfig files helps) I found that I needed to change over to the new (experimental) Layer 3 Independent Connection tracking support.

The catch here is that if you have the old school Connection tracking (CONFIG_IP_NF_CONNTRACK) enabled you'll never see the new independent method (CONFIG_NF_CONNTRACK) in menuconfig. Which is why I'd never seen it before. So I disabled CONFIG_IP_NF_CONNTRACK (in IP: Netfilter Configuration), enabled (the now visible) CONFIG_NF_CONNTRACK (in Core Netfilter Configuration) went into both the IP and IPv6 Netfilter Configuration menus and selected support for the connection tracking option.

Compiled, installed and rebooted. Suddenly I had IPv6 connection tracking working. w00t! But no IPv4 NAT. Damn. It turns out that IPv4 NAT support was only ported to the new Layer 3 Independent Connection stuff in 2.6.20.

So I downloaded 2.6.20.3, jumped into the IP: Netfilter Configuration menu and found "Full NAT". That's what I want. Compiled, installed and rebooted.

Now I have my old IPv4 NAT working, and a full stateful IPv6 firewall (with no NAT!).

Oh, if you are using IPv6 stateful firewalling with Linux then you want to upgrade to 2.6.20.3, it fixes an issue with incorrectly classifying IPv6 fragments as ESTABLISHED and letting them through. Oops. Also, 2.6.20 moves the config options around again...