iljitsch.com

blog-onderwerpen: netwerk · BGP / IPv6 / meer · instellingen · zw/w · mijn bedrijf: inet⁶ consult · Twitter · Mastodon · LinkedIn · email · 🇺🇸 🇳🇱

Dit zijn algemene netwerk-gerelateerde posts. Archief voor 2005.

IPv6 deployment

When I talk about IPv6 I like to bring up two pictures of a web site, one seen over IPv4 and the other over IPv6. Obviously, the two pictures are identical. Because of this invisibility, it's hard to know what kind of deployment progress there is with IPv6. A few years ago I decided to visit all the web sites of all AMS-IX members and see which ones I could reach over IPv6. The results weren't all that impressive back then, but things have started to change over the past year. In april 2004 the web sites of four members were reachable over IPv6 (with one other having an unreachable address) and in march 2005 this was nine out of 213.

For many organizations making their web site available over IPv6 is a serious commitment, so the number of AMS-IX members that run IPv6 is even higher. According to the AMS-IX member list in march 2005, for 213 members with 343 ports there were 59 IPv6 addresses present on the exchange.

However, the AMS-IX membership isn't exactly representative of the net as a whole. I also had a look at a self-proclaimed list of the top 100 English language web sites but out of those not a single one was reachable over IPv6.

One (http://www.alibaba.com/) suffered from the "doubleclick syndrome" and didn't reply to AAAA DNS queries, which introduces a 10 second delay when visiting this site with an IPv6-enabled WWW browser. This is the reason why many people are disabling IPv6 in Firefox.

My conclusion: IPv6 deployment is happening, but it has a very long way to go.

Permalink - geplaatst 2005-04-17

ISPs putting customers behind NAT

Because some IETF documents such as RFC 3489 and draft-ietf-sipping-nat-scenarios-00.txt talk about ISPs putting their customers behind a Network Address Translation device, Philip Matthews posed the question to the NANOG list about how wide spread this practice is.

Some people followed up with examples. Most of these are for things such as GPRS and 802.11, but there are also a few ISPs that do this for "regular" services such as DSL. According to Philip in a summarization of private replies:

"It seems that there are quite a few providers who do this. I was told of at least 24 providers in the U.S., as well as providers in Canada, in Central America, in Europe, and in Africa which which do this."

Unfortunately, there is little or no information why service providers do this except for examples where small ISPs are unable to get enough addresses or get their own address block routed from a large incumbent telco/ISP in non-deregulated markets.

In the IETF, NAT has a bad reputation because it breaks many protocols and because it's hard (if possible at all) to run services on NATed systems. Users who run their own NAT device (which is probably the majority of all "always-on" IP users) can configure their NAT to allow certain incoming traffic, but this won't work with service provider NAT because a single port number must be shared across several customers.

Permalink - geplaatst 2005-04-23

Spoofer project

The MIT Advanced Network Architecture Group runs a Spoofer project. You can view the results and/or download a client in order to participate.

The goal of this research project is to determine to what degree hosts connected to the internet can spoof source addresses in outgoing packets. The problem with spoofing is that it can be used to hide the true origin of malicious packets that are used in denial of service (DoS) or distributed denial of service (DDoS) attacks.

The current wisdom was/is that DDoSers have such an easy time launching their attacks from compromised hosts ("zombies") under their control, that spoofing isn't worth the trouble these days. (And NATs may rewrite the spoofed address into a non-spoofed address.) Unfortunately, there is little public information about the (D)DoS problem, but anecdotal evidence suggests that most DDoS attacks indeed use real addresses, but there is still a class of attacks that uses spoofed addresses.

Note that the trouble with spoofing is not just that the source remains hidden, but also that it's impossible to filter out the packets based on source address. Some people argue that the number of sources is so large that this doesn't matter, but I'm not convinced by this argument.

Anyway, it's interesting to see that many networks don't allow outgoing packets with spoofed sources, but there is also a large class of networks that allows them. And it's not entirely a binary thing: some networks filter, but not with 100% success.

It's interesting to note that as of Service Pack 2 Windows XP no longer allows programs to send spoofed packets. (But taking part in the Spoofer project is still encouraged for WinXPSP2 users because it shows important data points.)

Permalink - geplaatst 2005-05-06

Search for:

Archives: 2001, 2002, 2003, 2004, 2005, 2007, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2018, 2019, 2020, 2021, 2022, 2023, 2024