catalyst - 1

The IPv6 .nz name servers and whois server are now up and running. The announcement from .nz Registry Services sent to NZNOG:

---

NZRS is today pleased to announce that the .nz name servers are now operating
with IPv6 connectivity in what can be regarded as the first phase of the .nz
IPv6 rollout. The name servers are named ns8.dns.net.nz and ns9.dns.net.nz, and
are located in Wellington and Albany repsectively.

Both are connected to the NZ IPv6 Internet Exchange and there is a .nz Whois
server accessible at whois.ipv6.srs.net.nz.

NZRS thanks Open Contributors Corporation for Advanced Internet Development
(OCCAID) and US telco Sprint for providing the IPv6 tunnels, and thanks Citylink
for help in connecting to the NZ IPv6 Internet Exchange.

.nz Registry Services is responsible for the operation of the register of domain
names and the Domain Name System (DNS) in the .nz domain name space.


For further information contact:

support< at >nzrs.net.nz

---

There might be a few more tweaks to the setup, but otherwise, it is looking good.

If anyone is using IPv6 in New Zealand but are not peering with the v6ix then please contact Andrew Ruthven at Catalyst (puck in catalyst.net.nz) to talk about tunnels or other peering arrangements.

Well, it had to happen sometime. I ran the install.sh script included in a tarball (which had to run as root) and it screwed my system.

Running:
chmod -R 775 /$VARIABLE

When $VARIABLE is undefined it does bad things, very bad things. I managed to repair enough of the files to be able to login remotely, and I'm currently going through and reinstalling all the Debian packages on my box, fixing other issues as they arise. It is highly likely this cockup will hang around for years and years to come.

Bug report has been filed.

I'm going to install Xen on this box and do any testing of applications in a clean room which I can just blow away if things go horribly wrong again.

Everybody thinks that running a virus scanner on a Windows box is a good thing, right?

Well, it seems that it can be bad if you want to have working IPv6.

I spent several hours at a customers site yesterday working on IPv6 enabling their Windows XP workstations, but was having issues. I did the usual trick of turning off any and all Windows firewalls and the virus scanner, but we still had issues.

The behaviour was that IPv6 addresses were being allocated, we could ping and tracert6 to IPv6 hosts, we could telnet to port 80 on them, but neither Internet Explorer or Firefox wanted to work. Going to an IPv6 website would cause the browser to just hang. Looking in a network dump I could see an initial connection being made to the server, but then no actual requests.

I decided to blame the virus scanner, on the basis that they quite often interfere with the normal flow of events. Even though it was turned off, it might still be interfering. After actually uninstalling it (and rebooting, uninstalling it caused Internet Explorer to crash), everything worked!

Moral of the story, if you're using a virus scanner (in this case NOD32 from ESET) and you're having issues using IPv6, uninstall the virus scanner!

The guys at SixXS have added a new tool to their treasure trove of IPv6 tools. A BitTorrent tracker available only via IPv6.

Go and check out the catalog for some installation CDs and whatever else they throw up there.

On the topic of birth announcements, at Catalyst we have an internal IRC channel for general chit-chat and communication within teams. We now have a habit of setting the topic of the main channel to announce new staff members. On the 14th of April the topic was set to:

New staff: François, on L7, New person: Brooke Rose Ruthven, 9:10am, 14/4/2007, 6lb8oz (congratulations Andrew & Susanne)

Thank you karora for setting the topic!

At some stage Brooke might move into the "New staff" classification, who knows?

Nice, we're now on Planet Andrew. I hope people don't mind if Susanne occasionally posts there.

w00t!

Debian Etch is released!

Now it is time to perform the ritual upgrade dance on a bunch of machines that weren't already running Etch while it was the testing distribution. And also I'll need to decide if the boxes that were already running it should move to lenny (which will is the name for the next stable release). I think I'll defer that decision a few months though...

Our blog is now accessible via the IPv6 Internet. While I've had the network IPv6 enabled for few months now, I've finally taken the plunge and changed Dynamic DNS providers, which means I can make our addresses available via DNS.

I used DynDNS for many years, but unfortunately they don't support AAAA records. I'm now using FreeDNS. They allow a domain name to have a static AAAA record and then dynamic updating of an A record. Which is exactly what I need!

Firewalling IPv6 on Linux seems to be a vaguely documented topic, and most of that documentation seems to be out of date as it is a fast moving target. I've spent a bit of time over the last couple of days working on improving my firewalling situation and thought I should write up what I've found.

After a bit of digging I found that while IPv6 connection tracking was merged in 2.6.16, the configuration options are somewhat hidden. Up until yesterday I was running 2.6.19.x on my firewall and I discovered that while ip6tables allowed me to configure a stateful firewall, it wasn't actually doing anything!

I looked around for the required nf_conntrack_ipv6 module and couldn't find it. I looked in my running kernels config and couldn't find it. In fact I couldn't find any option for enabling IPv6 connection tracking at all. After some digging (grep'ing the Kconfig files helps) I found that I needed to change over to the new (experimental) Layer 3 Independent Connection tracking support.

The catch here is that if you have the old school Connection tracking (CONFIG_IP_NF_CONNTRACK) enabled you'll never see the new independent method (CONFIG_NF_CONNTRACK) in menuconfig. Which is why I'd never seen it before. So I disabled CONFIG_IP_NF_CONNTRACK (in IP: Netfilter Configuration), enabled (the now visible) CONFIG_NF_CONNTRACK (in Core Netfilter Configuration) went into both the IP and IPv6 Netfilter Configuration menus and selected support for the connection tracking option.

Compiled, installed and rebooted. Suddenly I had IPv6 connection tracking working. w00t! But no IPv4 NAT. Damn. It turns out that IPv4 NAT support was only ported to the new Layer 3 Independent Connection stuff in 2.6.20.

So I downloaded 2.6.20.3, jumped into the IP: Netfilter Configuration menu and found "Full NAT". That's what I want. Compiled, installed and rebooted.

Now I have my old IPv4 NAT working, and a full stateful IPv6 firewall (with no NAT!).

Oh, if you are using IPv6 stateful firewalling with Linux then you want to upgrade to 2.6.20.3, it fixes an issue with incorrectly classifying IPv6 fragments as ESTABLISHED and letting them through. Oops. Also, 2.6.20 moves the config options around again...

At Linux.conf.au 2007 there was an organised GPG key signing session, where lots of people performed the GPG KeySigning dance. Afterwards quite a few (but less) people hung around in the foyer for the to perform the CAcert assurance dance.

I assured a few people, then joined a queue to be assured by one of the CAcert super assurers (and continued to assure people while waiting in the queue). This assurance bumped me up to the maximum number of points allowed for normal people. W00t!

I wasn't the only person from Catalyst to use this trick to get maximum points. As a result we now have 3 people able to allocate 35 points each. We also have a number of other people who can allocate less points than that. So if you're in the Wellington region and are interested in CAcert, drop by our offices (with suitable ID) and we can get you bootstrapped so you can start assuring people as well.