如果 proxy server 不支援 IPv6 的話，
那 client 端對 IPv6 網站的連線要求，
到了 proxy 裡面，
就會因為網域名稱無法被正確解析而無法瀏覽 IPv6 的網站。

Linux 系統的 squid 是知名好用的 proxy 伺服器套件，
但在 2.6 版仍未支援 IPv6 ，
必須在 3.0 版之後才能支援 IPv6 。

WIndows XP SP3 安裝啟動 IPV6 的簡易步驟：

ipv6 install

然後再確認是否成功。

ipv6 if

IPv6 暫時用不到的東西先停用…

停用 Firefox IPv6：

1. 在網址列貼上 about:config
2. network.dns.disableIPv6=true

停用 Ubuntu 9.10 IPv6：

1. sudo vi /etc/default/grub

2. GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1 quiet splash"

資料來源：
http://en.kioskea.net/faq/sujet-759-ubuntu-disabling-ipv6-support
http://www.wmfield.idv.tw/430

Internet Protocol Version 6 (IPv6) is considered to be the next generation protocol for the Internet. It is designed to support continued Internet growth in the number of users, along with greatly enhanced routing functionality. The current version, Internet Protocol Version 4 (IPv4), was developed in the 1970s and provides the basis for today’s Internet functionality. However, IPv4 suffers from some serious limitations that are now inhibitors to any more growth of the Internet which in turn, inhibits additional integration of the Internet as a global business networking solution. IPv4 provides 2³² (4,294,967,296) addresses.  Although this appears to be a very large number, it is now insufficient to support the requirements of the maturing Internet.

IPv6 has been under development by the Internet community for over ten years and is designed to overcome these limitations by greatly expanding available IP address space, and by incorporating features such as end-to-end security, mobile communications, quality of service, and system-management burden reduction.

The true transition of the global Internet from IPv4 to IPv6 is expected to span many years. And, during this period of transition, many organizations introducing IPv6 into their infrastructure will support both IPv4 and IPv6 concurrently. There is not a one-size-fits-all transition strategy for IPv6. The incremental, phased approach allows for a significant period where IPv4 and IPv6 can co-exist using one or more transition mechanisms to ensure interoperability between the two protocol suites. The most often used methods of performing this transition is by operating in a dual-stack environment, and the use of tunneling and translation between the two versions of Internet Protocol (IP).

Although there is seldom a viable dialogue between a company’s technical decision makers (TDMs) and business decision makers (BDMs), a professional CCNA must always recognize that any addition to, or modification of, an existing or newly installed network will require an additional amount of money, commonly known as transition costs. Transition costs can be classified as either recurring or non-recurring, and can stem from several sources. However, they are most commonly associated with software and hardware acquisition, employee training, consulting services, and operational costs.

Transition to IPv6 can be phased into an organization’s infrastructure and applications through a lifecycle management process. Organizations expect to acquire IPv6 capability while upgrading infrastructure as part of the normal technology amortization-replacement lifecycle. The availability of transition mechanisms will enable organizations to replace only that equipment deemed necessary to facilitate IPv6 integration. As existing equipment is replaced with newer equipment, native IPv6 capability will be part of the equipment’s basic operating capability. Consequently, the cost of transition from equipment replacement should be significantly minimized.

Training will be an important part of the integration process. IPv6, while built on many of the fundamental principles of IPv4, is different enough that most IT personnel will require formalized training. The level of training required will vary, and will depend on the role a member of the organization’s IT staff plays in developing, deploying, and supporting IPv6 integration.  Companies will potentially need to make plans for training their staff.

There are four main categories of training that are considered to be the most critical for any organization that is transitioning from IPv4 to IPv6.

• Awareness – This is generalized information about IPv6 and IPv6-related issues. This type of training is most commonly delivered through workshops, seminars, conferences, and summits. These types of events typically provide overviews of IPv6 technologies, identify vendors that support IPv6, and provide participants with a rudimentary understanding of the IPv6 technology, as well as business drivers, deployment issues, and potential services and/or products enabled by IPv6.
• Architectural – Training in this category should be very detailed and oriented toward those individuals who will have primary responsibilities in designing the architecture and deploying IPv6. Although the type of subject matter will be quite broad, particular attention should be paid to the fundamentals of IPv6, DNS, and DHCPv6, auto-configuration, IPv6 address allocation, transition mechanism, security principles for IPv6 environments, and mobility. Additional topics covered should be routing, multicasting, and principles for connecting to the IPv6 Internet.

  These topics are the areas where participants will encounter the greatest number of new subjects relative to IPv6, and will have the greatest impact on the development of successful integration plans.

• Operational – Once IPv6 has been integrated into the network, it will need to be supported. Operational training will consist mostly of job-specific training targeted to a participant’s job responsibilities. Core topics such as the fundamentals of IPv6, auto-configuration, and transition mechanisms will need to be covered.

  However, the bulk of operational training should focus on supporting applications or protocols that have IPv6 underneath them. One example is training for system administrators focusing on supporting IPv6-enabled e-mail and web servers. Operational training will often be hardware- or software-specific, generally produced by or for a particular vendor’s product.

• Specialized – As IPv6 deployment advances and the base level of understanding becomes more pervasive, the need for specialized training will emerge. This type of training should focus less on IPv6 specifically and address greater technological topics where IPv6 plays an important role.

All of my posts addressing the transition from IPv4 to IPv6 could be considered as falling into the Awareness category of training. And, my next one will specifically address the three most commonly used transition strategies, known as dual stack, tunneling, and translation between the two versions of IP.

Author: David Stahl

NOTES

Kevin Kelly Web 3.0

Embodied – mobile web/iphones is it a trend?

Restructured Data – linking ideas together

Co-dependency – I Web therefor I am?

RFID chips are reprogrammable, is there possible an issue with privacy?

Google Wave

conversation = content

Is Google Wave just another version of a messageboard?

Google Social Search allows real time searching with SNS

Author: Cynthia Verspaget
Date: Friday, November 13, 2009 9:59:15 AM WST
Subject: Official Thread: Activity discussion

For this weeks activity you are asked the following:
This final week has given you some ideas about future directions the
web might take.  Pick one, or more, of these predicted changes and
think about how your experience of life online might be different in
five years time.  And what will Google (and its competitors) have to
say about you at that time?

A few years ago while doing a Microsoft Course we were discussing IPv4 and the future of IPv6, how these new IP address would change how the whole world works. The discussion was how buildings will soon be built with each light, soap dispenser, toilet roll holder etc having its own unique IP address. Most likely using a RFID tag or a sensor of some kind on each item within the whole building. The amazing thing that will happen is if with server tools set correctly to alert when certain network traffic occurs a person will know instantly if a light globe has burnt out, no soap or no toilet rolls. The exact location and problem will be known most likely before the incident has occurred.

That’s 340,282,366,920,938,463,463,374,607,431,768,211,456 rolls of toilet paper.

Author: Cynthia Verspaget
Date: Friday, November 13, 2009 10:03:20 AM WST
Subject: Official Thread: Reflection on Identity

In this thread, we would like you to reflect upon where your identity fits into the web
– as you have experienced beginning the construction of a web presence how do you think this works as a platform to anchor your identity online?

Will you keep your web presence once
the unit is over? How useful is the
concept of web presence in understanding the emerging social web? Reflect upon these things with your experiences of your on line presence construction in mind…

 

Initially while throwing around ideas about my web presence I was thinking of removing it after the course was done, however, I found a topic I was willing to share with the world so I decided that once all said and done I will keep it going. A few changes like removing the exegesis, but the essence would stay.

Тестовый пост через Питон. 

[Интересная|Довольно интересная|Забавная] система для постинга.

Det finns ett område av internet som håller på att bli förslummat. Ett sorts utstött område där du inte vill hamna och om du gör det kan det dröja veckor tills du vet det och månader innan du kan åtgärda det. Det är dom avstänga ip-numrernas stadsdel.

När någon gör något dumt på nätet går det ut varningar och ISPer stänger av routing till dom ip-numrerna. Dessa blacklists är en del isper dåliga på att rensa upp, det läggs till nya men inget tas bort. Dock kan en tidigare blacklistad address komma tillbaka i RIPEs händer och delas ut till nån annan, problemet är att blacklisten finns kvar. Så du kan sitta där med din nya heta webtjänst men det visar sig att alla som använder t.ex. ComHem eller AT&T inte kommer åt, för att dom inte har rensat sin blacklist.

Vi får acceptera att IPv4 är dött, adressutrymmet är nästan fullt redan. Det är dags att skynda på införandet av IPv6!

Läs mer om internets spökstäder.

TELEHOUSE America’s NYIIX Internet Peering Exchange Becomes the Largest and Longest Running Public Peering Point in the New York Market

Linked with TELEHOUSE America’s Los Angeles Exchange LAIIX, TELEHOUSE Peering Offers Service Providers a Global Interlink for IX Interconnection

Staten Island, NY, USA – November 18, 2009– TELEHOUSE America (www.telehouse.com), the United States’ leading provider of dedicated data centers, international Internet exchanges and managed IT services, announces that its New York International Internet Exchange public peering platform (NYIIX) remains the longest running and largest public Internet exchange point in the New York metropolitan market. Since its inception in 1996, the NYIIX has been a vital public IP interconnection point for global carriers, ISPs, content providers and enterprise businesses within New York. NYIIX is headquartered at 25 Broadway, TELEHOUSE America’s Broadway Center, and provides redundant and diverse direct interconnectivity to and from the 60 Hudson Street and 111 Eighth Avenue carrier hotel facilities.

The NYIIX platform continues to be updated to meet the growing technology requirements of the industry and currently operates Brocade RX series switches. The platform supports IPv4 and IPv6 peering connections and offers standard bilateral peering exchange as well as multilateral peering arrangements. In addition, NYIIX offers private peering over VLAN – enabling secure private peering or direct bandwidth over the NYIIX. As of October 2009, the NYIIX peering platform has over 120 members and handles over 80 Gbps of traffic, making it the largest public Internet exchange in the New York Metro Market.

In addition to NYIIX, TELEHOUSE America also operates the Los Angeles International Internet Exchange (LAIIX). Launched in 2000, the LAIIX provides public peering interconnectivity via its Layer-2 switch offering connectivity to multiple transit providers. In Los Angeles, the LAIIX provides optimal primary and secondary IP traffic routing options with direct route server access, ensuring highly advanced peering among multiple simultaneous network routes. As one of the oldest private peering points in the Los Angeles market, LAIIX serves as a key IP peering gateway to the Asia-Pacific region.

With the announcement of TELEHOUSE America’s Global Interlink services in 2008, the company interconnected its NYIIX and LAIIX platforms and has also made both peering exchanges accessible from any of the 12 Interlink PoPs throughout the world. Global Interlink provides seamless redundant and diverse Ethernet private line connections between multiple carrier hotels throughout the US and Europe.

“With over 120 active members on NYIIX and over 55 members on LAIIX, TELEHOUSE America provides robust public peering connectivity solutions among the most prominent network operators in the industry,” commented Akio Sugeno, Sr. Director Business Development, Internet Engineering & Operations for TELEHOUSE America and the founder of both NYIIX and LAIIX. “We are excited to witness the continued growth of our Internet Exchange platforms in both New York and Los Angeles and look forward to extending the NYIIX to 7 Teleport, TELEHOUSE’s Teleport Center on Staten Island in the coming months.”

Connectivity to the NYIIX and LAIIX is currently available from major carrier hotel facilities throughout the US and Europe, for more information about TELEHOUSE America’s public peering solutions and its complete total solutions for data center solutions, colocation, infrastructure management and global communications services, please visit www.telehouse.com or email sales@telehouse.com.

MEDIA CONTACT:

Ilissa Miller

Jaymie Scotto & Associates 1.866.695.3629

pr@jaymiescotto.com

TELEHOUSE AMERICA CONTACT:

Vincent Corley

Telehouse America

718.355.2572

corley@telehouse.com

Our 6LoWPAN book has now been released by Wiley. Last week we received the very first copies directly in Japan while at IETF-76. Pre-orders should start arriving any time now to people. At least we are very pleased with the result, so happy reading! For those who would like a preview an excerpt is available on-line:

“6LoWPAN: The Wireless Embedded Internet” – Chapter 1

I will be releasing the book’s companion course slides and exercises very soon at http://6lowpan.net.

IPv6/IPv4 хости, які під’єднані до каналів зв’язку без IPv6 маршрутизаторів можуть використовувати конфігуровані тунелі для доступу до IPv6 маршрутизатора. Цей тунель дозволить хосту вести обмін даними з IPv6 Інтернет (тобто вузлами, які мають лише IPv6 адреси). Якщо відома IPv4 адреса IPv6/IPv4 маршрутизатора, який під’єднаний до IPv6 магістралі, то її можна використати як адресу кінцевої точки тунелю:

Конфігурований тунель за замовчуванням

Такий тунель може бути доданий в таблицю маршрутів як запис IPv6 „маршруту за замовчуванням”. Таким чином усі IPv6 адреси призначення будуть задовольняти цьому запису, а отже потенційно можуть використовувати тунель як перший перехід. Оскільки „довжина маски” (“mask length“) такого маршруту дорівнює нулю, то він буде використовуватись лише в тому випадку, якщо немає іншого маршруту з довшою маскою, яка збігається з адресою призначення. Конфігурований тунель за замовчуванням може бути використаний в поєднанні з автоматичним тунелюванням.

Далі – “Конфігурований тунель за замовчуванням з використанням IPv4 „альтернативних адрес”

Опубліковано на сайті: “IPv6 українською“

Setelah lama nggak nulis, sampai lupa password wp he he.. akhirnya tergelitik juga untuk sedikit sharing. Hal yang membuat saya agak prihatin adalah perkembangan implementasi IPv6 di Indonesia sangat-sangat lambat. Padahal secara logika sudah bisa disimpulkan bahwa tidak ada cara lain agar perkembangan internet di Indonesia tidak terhambat selain berpindah ke IPv6. Saya mungkin tidak perlu jelaskan panjang lebar apa itu IPv6 karena sudah banyak literatur dan rekan-rekan yang membahasnya. Tapi yang saya ingin jelaskan adalah hambatan yang akan kita hadapi jika kita tidak segera beraksi untuk menggunakan IPv6.

Singkat cerita, IPv4 saat ini jumlahnya tinggal 10% saja, dan beberapa lama lagi akan habis. Kapan habisnya ? banyak hal yang bisa menentukan kapan. Regulasi di RIR, semakin mempersulit kita mendapatkan IP Public. IP public adalah alamat IP yang mutlak di miliki oleh server/perangkat yang dapat di akses di internet. Yang jelas karena IP merupakan alamat, sehingga tidak boleh ada server yang memiliki IP sama. bisa dibayangkan kalau alamat rumah kita ada kembarannya persis. misal di kota Malang ada 2 jalan dengan nama Ahmad Yani. Sehingga otomatis ada 2 rumah dengan alamat Ahmad Yani no 10 Malang. Kalau ada yang kirim surat, nyampainya kemana ? pasti pak pos bingung. Nah agar pak pos bingung pemerintah pasti mengatur agar tidak ada nama sama dalam satu kota. Demikian pula RIR. yang di Indonesia dikelola oleh IDNIC/APJII dibawah koordinasi APNIC. organisasi tersebut bersama organisasi lain di seluruh dunia (ARIN, RIPE, APNIC, LACNIC, AfriNIC) mengkoordinasikan agar tidak ada IP yang sama untuk 2 server. Masalahnya, IPv4 cuman ada 32 bit. Kalau dihitung secara kasar hanya ada 2 ^ 32 IP (dikurangi pembagian kelas IP, localhost dll ).  Bayangin aja.. IPv4 itu di desain sebelum tahun 80, dan distandarkan tahun 1981. Jaman itu gak kepikir kalau jumlah komputer bakal berkembang seperti sekarang. Malah saat ini yang butuh IP gak cuman komputer. Berapa banyak orang update status facebook, twitter, chat via YM pakai HP ? padahal perkembangan jumlah HP jauh lebih banyak dibanding komputer. Nah tahun 1994 muncul suatu model untuk memisahkan antara ip global dan local network yang didasarkan RFC 1631 – The IP Network Address Translator (NAT). Dan kemudian diikuti RFC1918 tentang alokasi ip private pada tahun 1996. Kombinasi IP private dan NAT telah berhasil menekan jumlah kebutuhan akan IPv4 public. Karena pada kenyataannya sebagian besar pengguna internet adalah pengakses. Sehingga IP public hanya di berikan bagi pihak-pihak yang memerlukan dengan syarat yang sangat ketat. Dalam suatu zona network (kantor, rumah, kampus dll) dianggap hanya perlu satu/sedikit ip publik, dan yang lain pakai ip private dengan mekanisme NAT di router. Inilah yang membuat prediksi kehabisan IPv4 dapat ditekan. Namun NAT menimbulkan banyak masalah, antara lain hilangnya point to point communication antara dua node. Contohnya begini, kita punya HP dan punya nomor yang uniq, demikian pula hp teman kita. kalau saya akan menghubungi dia, saya tinggal tekan nomor dia, maka saya akan langsung tersambung ke dia. Tapi jika kita akan menelpon teman kita via komputer, mau tidak mau kita dan teman kita harus terlebih dahulu connect ke server VOIP. misalnya skype atau yahoo. dan keduanya harus connect ke server yang sama. keduanya ke skype atau dua-duanya login ke yahoo. setelah itu saat kita call, maka data voice kita harus di kirimkan terlebih dahulu ke skype, dan skype akan mengirimkan data suara tersebut ke komputer teman kita. Jika yg satu login ke skype dan yg satu login ke yahoo keduanya tidak dapat dapat saling berkomunikasi. (bisa saja jika keduanya memiliki perjanjian pertukaran data, akan tetapi kita tetap perlu yahoo dan skype). Nah contoh yang lain, komputer di belakan NAT, akan berkomunikasi ke internet menggunakan IP dari NAT router. Sehingga jika terdapat beberapa komputer yang berada di belakang NAT, maka komputer tersebut akan menggunakan IP publik yang sama untuk berkomunikasi di internet. artinya bahwa sebuah server di internet tidak akan mengetahui secara persis komputer mana yang sedang mengaksesnya. yang dia tau bahwa yang mengakses server tersebut hanyalah NAT router yang memiliki IP. bagaimana kalau ada serangan dari belakang NAT ? yang bisa tahu hanya admin yang mengelola NAT router. dan jika admin tersebut tidak punya log koneksi ? hilanglah.. masalah lain NAT adalah, komputer di rumah bisa dengan mudah mengakses seluruh konten di Internet. Tapi bagaimana jika anda sudah mempersiapkan presentasi dan di simpan di komputer rumah yang terkoneksi dengan speedy dengan Modem router (pakai NAT tentunya), ternyata ketinggalan. Bisakan komputer rumah di akses dari kantor secara langsung ? pasti akan kerepotan, bagi yang advance mungkin bisa setting DMZ/port forwarding di modemnya. Tapi apa semua orang bisa?.

Wah.. sudah waktunya ngantor.. ntar di lanjutin deh.. sabar ya.. best partnya ada di lanjutan ceritanya

The institutional horror stories continue, the old Internet Protocol Version 4 (IPv4) address space is nearly gone, and if we do not transition to IPv6 with its nearly unlimited address space the Internet will grind to a halt.

A recent survey in Europe by the European Commission concludes that even in technology-progressive European countries “few companies are prepared for the switch from the current naming protocol, IPv4, to the new regime (protocol), IPv6.” ARIN (the US-based Internet Registry) agrees, reminding us that “with less than 15% of IPv4 address space remaining, ARIN is now compelled to advise the Internet community that migration to IPv6 is necessary for any applications that require ongoing availability of contiguous IP number resources.”

OK, so what the heck? Why aren’t we listening to those who understand the sense of urgency to migrate to IPv6, and get moving towards establishing a solid migration plan? Are the vendors ignoring the problem, reticent in providing IPv6 support in either application software or hardware, and preventing us from adopting IPv6? Are we just comfortable in our use of IPv4, network address translation/NAT, and are information technology professionals simply afraid to make a stand with management to start making the move?

Most mainstream software providers appear to be making the effort to go to IPv6. Microsoft has IPv6 as an inherent part of Windows and new Windows applications, Apple – ditto. Google engineers Lorenzo Colitti and Erik Kline recently received the Itojun Award from the Internet Society for “contributions to the development and deployment of IPv6.”

All major switching, routing, and server hardware companies are producing operating systems which include IPv6 compliance. Even cloud computing vendors such as 3tera are providing native IPv6 support within their platform and infrastructure as a service support.

What I Want from IPv6

I want everything from IPv6. Everything that has an electronic, communications, mobility, or interface should be addressable. I love the idea the California Highway Patrol can work with a company such as On Star to shut down a stolen car on the freeway before the driver kills himself or an innocent motorist. I love the idea I can work with an electrical utility to provide smart GRID technology to my entire home electrical system and not only reduce my bill, but also lower my carbon footprint. I love the idea I can control nearly anything I own or manage through a smart phone handset.

The IPv6 address space is large enough that we will have more than sufficient means to address everything we want – while smart people start working on IPv10 or whatever is needed for a couple generations down the road. So they can extend IPv10 to the rest of the galaxy.

Of course, unless we move forward and accept the temporary pain of moving to IPv6, none of this is likely to happen outside of some private implementations such as Verizon Wireless’ LTE network. Verizon is forcing the IPv6 issue with handset and device vendors by demanding their “…device shall support IPv6. The device may support IPv4. IPv6 and IPv4 support shall be per the 3GPP Release 8 Specifications (March 2009)” Kudos to Verizon for taking a stand on IPv6.

I further encourage moving my identity to an IPv6 address. Who needs a social security number, =social insurance number, or other identity when I can have my own personal IPv6 address? No identity fraud, as it can be linked to my DNA or other funky unique security code. My IP address, with my DNA and fingerprint, and I have the basic elements of a base for all other communications and identifications. Or I will become a borg.

But I would like to log into my home, and have heat turned on 5 minutes from arrival, the oven warming, favorite TV dinner selected for cooking, and even my 2 liter bottle of diet soda positioned for easy removal. My television set was remotely programmed, and the MP3 player auto-filled with music and other stuff from its docking station to give me something to listen to during my evening run along the beach or Wildwood Canyon.

Every device for my personal life that has a pulse can have an IPv6 address, controllable by me for whatever reason I choose. No IPv6 address for my jog though, as I want to de-couple some things important to life.

Who Cares About IPv6?

Martin Levy, from Hurricane Electric (a global Internet service and network provider based in Fremont, California), is a tireless evangelist for IPv6. A member of nearly every IPv6 working group (real working groups, not social working groups!), Martin travels the globe teaching, chiding, and inspiring networks to make the move. Martin recently recorded an interview with the European Internet Registry/RIPE where he explains His position on IPv6, his company’s approach to IPv6, and reminding the Internet community of the risks of not making the move to IPv6.

Martin strongly advises ” If you’re getting connectivity in a data center as a transit over an international connection, as a cross connect inside a telecom hotel, if you are an enterprise, IPv6 (deployment) should just be a tick mark…”

Martin travels the world in his quest to inform, and encourage those who do accept their responsibilities and urgencies embracing IPv6, such as at a recent conference in Slovenia, where Martin congratulated the Internet networking and content community by stating “Slovenia’s IPv6 initiative has been very successful and is becoming a blue-print for IPv6 initiatives in other countries worldwide.”

Internode, a large Internet network provider in Australia, has joined the movement towards IPv6. Partially because it is the right thing to do, partially because it is nearly impossible to get additional IPv4 address space from the Asian Internet registry, APNIC (Asia-Pacific Network Information Center).

“Our objective is to ensure that Internode has the most experience of any Australian broadband provider with the operation and support of native IPv6,” Internode managing director Simon Hackett said in a statement. “By the time IPv6 becomes a necessary part of connecting new users to the Internet, Internode will offer the very best ‘production’ IPv6 service available in Australia. At that point, for all customers, IPv6 will ‘just work’.” (Network World, 6 Nov 09)

Our Call to Action

Every blog entry is supposed to include a pithy call to action. In this case the call to action is real. We need to adopt IPv6. Excuses will not bring our global Internet-connected and Internet-enabled world together, and will not enable our next generation of network users to fully execute on the promise of exploiting life in the “matrix.”

IT Managers – you need to get off your backsides, and learn, learn, learn, everything you can about Ipv6. It is mission-critical. Then you need to brief your management – the CFOs, CTOs, CEOs, CXOs, and let them know the urgency of re-stacking your organization to accommodate and drive Ipv6.

Networks – If you are an Internet network provider, and you do not support Ipv6, please get out of the business. With all due respect, you are the problem.

Content providers, application service providers, SaaS providers, equipment vendors, and everybody else hanging an Internet shingle on your door. Ditto – if you are not building IPv6 support into your product, you are the problem. Make it easy for the IT managers, individuals, and future generations by taking Verizon’s approach. “If you do not include IPv6 support in your product, we will not use it.”

What is your IPv6 message?

John Savageau, Long Beach

Migration from IPv4 to IPv6: It is Easier to Nail Jell-O to the Wall than Understand the Mandates and Timing

It has often been said that anything can be proved with statistics, and that may well be the case. This post describes an exercise in statistical analysis, in order to make some predictions about when certain events may take place; in this case, the date and time for the required transition from IPv4 to IPv6.

The growing popularity of mobile and fixed-network devices that require Internet connectivity is rapidly depleting the pool of available public IPv4 addresses. This rapidly approaching depletion of IPv4 address has been known for many years, but, the prognostication of the exact date and time for this situation has been argued many times, in many different and diverse venues. There has never been a credible agreement between the “experts,” either individually or as a member of a recognized group. What is universally agreed upon, however, is that this situation is now beginning to seriously impede emerging Internet markets around the world.

For instance, until the last five years, China has had fewer public IPv4 addresses allocated than Stanford University. And, the U.S. Department of Defense (DOD) had more IPv4 addresses than all of Asia. This wasn’t due to any geopolitical boycott of China or Asia. It’s just that this situation existed because when IP addresses were doled out 40 years ago, the Internet was a DOD project and Stanford was heavily involved. As a result, Stanford was awarded and kept a large block of addresses for themselves.

Asia, China in particular, following massive economic growth, is a relatively new and growing market for IPv6 because there is so little legacy infrastructure in place. With the accelerating growth in Chinese business and personal requirements for Internet connectivity, designers are going directly to IPv6 networks and only using bridge connections to IPv4. It is accepted within the industry that China and Taiwan are on track to design and directly install an impressive IPv6 infrastructure, whereas the private sector here in the U.S. is lagging well behind. This same growth, along with the associated need for large allocations of public IPv6 addresses, is also being seen in India.

The one exception to any fixed, drop-dead change over requirement is the Federal government, which has mandated that all government agency network backbones have to speak IPv6 in the very near future. However, in reality, there is considerable slippage in the migration dates.

The obvious solution to solve this approaching Internet shutout of new users is to move to IPv6, which has 128-bit addresses. That comes out to 340,282,366,920,938,463,463,374,607,431,768,211,456 possible public addresses. To put this incredible number into an easier-to-understand concept, these IPv6 addresses provide five IPv6 addresses for ever square meter on the face of the earth, including the water.

In most regards, IPv6 is a conservative extension of IPv4. Most transport and application-layer protocols need little or no change to operate over IPv6. Also, IPv6 specifies a new packet format, designed to minimize packet-header processing. Since the headers of IPv4 packets and IPv6 packets are significantly different, the two protocols are not interoperable.

While the two biggest reasons why network designers will want to migrate to IPv6 remain as the need for more public addresses and mandates from different government organizations, IPv6 includes some very attractive features and migration tools.

Address Assignment Features:
IPv6 address assignment allows easier renumbering, dynamic allocation, and recovery of addresses, with great features for mobile devices to move around and keep their IP addresses, avoiding having to close and reopen an application.

IPv6 hosts can configure themselves automatically when connected to a routed IPv6 network using ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local multicast router solicitation request for its configuration parameters. If configured for this process, routers respond to such a request with a router advertisement packet that contains network-layer configuration parameters.

In addition, a network may use stateful configuration with the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) or hosts may be configured statically.

Aggregation:
Ipv6’s huge address space makes for much easier aggregation of blocks of addresses in the Internet. The larger 128-bit IPv6 address, versus the 32-bit IPv4 address, allows more flexibility in designing newer addressing architectures, as well as providing large enough address spaces for predicted future growth of the Internet and Internet related technologies. A new addressing format, called the Aggregatable Global Unicast Address Format, has been developed to help solve route complexity scaling problems with the current IPv4 Internet.

No Need for NAT/PAT:
Using publicly registered unique addresses on all devices removes the need for NAT/PAT, which also avoids some of the application layer and VPN tunneling issues caused by NAT.

IPsec:
Internet Protocol Security (IPsec), the protocol for IP encryption and authentication, forms an integral part of the base protocol suite in IPv6. IPsec support is mandatory in IPv6. This is unlike IPv4 where it is optional but usually implemented. IPsec, however, is not widely used at present except for securing traffic between IPv6 Border Gateway Protocol (BGP) routers.

Header Improvements:
A number of significant simplifications have been made to the packet header. In addition, the process of packet forwarding has been simplified in order to make packet processing by routers simpler and more efficient.

The packet header in IPv6 is simpler than that used in IPv4, with many rarely used fields moved to separate options. In addition, IPv6 routers do not perform fragmentation.

Significantly, the IPv6 header is not protected by a checksum. The integrity protection is assumed to be assured by both a link layer checksum and a higher layer (TCP, UDP, etc.) checksum. In effect, IPv6 routers do not need to re-compute a checksum when header fields (such as the TTL or Hop Count) change.

The Time-to-Live field of IPv4 has been renamed to Hop Limit, reflecting the fact that routers are no longer expected to compute the time a packet has spent in a queue.

Transition Tools:
Even though IPv6 solves a large number of significant problems, an overnight migration from IPv4 to IPv6 is not possible. For one thing, the actual, physical number of devices installed in existing world-wide network infrastructures is well into the billions. And, in some cases, even if you wanted to migrate to IPv6, the actual hardware devices, or their installed software, might not provide IPv6 support. Also, when planning for such a transition, the issue of budget and cost could become a show stopper.

In my next post we will examine the main options and the basic implementation of processes used for providing a carefully planned migration and transition from IPv4 to IPv6.

Hi.

Tag 4 und somit der vorletzte Tag der Tech-Ed EMEA 2009 in Berlin.

Für mich standen folgende Vorträge und Themen auf dem Plan:

CLI312 Group Policy Changes for Windows 7 and Windows Server 2008 R2
Presenter: Michael Kleef

• Windows 7
  • Bisher Funktion als Teil des Winlogon, bei Vista und Win7 jetzt ein eigener Dienst
  • 1500 GPs in XP + 800 Vista + 300 in Win7, über 3000 ADMX Settings
  • Network Location Awareness (NLA) Dienst prüft die Verfügbarkeit eines DC´s, alle 90 min Refresh der GPO´s
  • User.env.log in XP jetzt XML Eventlog Gefiltert auf GPO Events
  • ADM Templates jetzt Sprachunabhänige XML Files ADMX die Sprachen in ADML Dateien
  • In XP nur ein Lokale GPO, nun mehrfache Lokale GPO´s möglich
• Windows Server 2008 R2
  • SYSVOL Replikation Umstellung auf DFS-R (Windows Server 2008 Domain Mode), alles min. W2k8 DC´s, Self-Healing SysVol
  • Central GPO Store – Kopieren des Lokalen Verzeichnisses “%WINDIR%PolicyDeinitions nach “%SYSVOL%\PolicyDefinitions”
• PowerShell Scripting in GP, PowerShell cmdlets für GPMC Operationen, GPMC muss installiert sein!
• Policy Preferences sind keine Policy sondern Empfehlungen, User kann diese Einstellungen ändern, GPO´s sind verbindliche Einstellungen, Client Side Extensions (CSE) müssen installiert werden
• Vista Update für CSE ist zum Ende des Jahres geplant für Support von Windows 7 Policy Preferences
• Wireless Policys, PKI Policys, Bitlocker, NAP, Applocker,
• Advanced Audit Policy Configuration nur Windows 7 und Server 2008 R2, CSE Update für Vista wird das verbessern
• Immer die neusten GPMC Tools nutzen, nicht neue Windows 7/Server 2008 R”2 GPMC nutzen dann wieder die alte GPMC (Server 2003)

CLI401 Windows 7 and Windows Server 2008 R2 Kernel Changes (*PDC at TechEd)
Presenter: Mark Russinovich

• Windows 7 und Server 2008 R2 Kernel Version 6.1
• 64 bit only, Server Core WOW64 optional
• Windows 7 Footprint Reduzierung gegenüber Vista 10-15 %, über 400 Komponenten
• Windows Server 2008 R2 Footprint Reduzierung gegenüber Server 2008 10 %
• Core Parking (auf Server und Hyperthreading Workstations, SMT) und komplette Prozessoren können in Deep Sleep State geschickt werden (Intel Core i5 / i7)
• Unified Background Process manager, registriert nicht benötige Dienste (Event basierende Dienste), Bluetooth, IP Adress, Domain Join W32, …, Dienste werden gestartet und gestoppt
• Virtual Accounts NT Service\servicename, managed Accounts, Dienste die isoliert von anderen Diensten im eigenen Security Kontext laufen
• Managed Service Accounts, AD managed diese Accounts wie Computerkonten
• Bitlocker 200 MB hide Partition unverschlüsselt zum Start der verschlüsselten Partitionen
• Bitlocker to Go verschlüsselt USB-Sticks und -Platten, per Passwort oder SmartCard
• Native VHD Support, Boot von VHDs,Ziel: max. 10% Performance Verlust
• DFSS Dynamic Fair Share Scheduling – RDS (TS) Sessions werden zwischen allen User gleich behandelt, kein User kann mehr die komplette Performance des TS Servers beeinflußen
• Support bis zu 256 Cores/prozessoren
• Entfernen des Dispatcher Lock

SVR401 DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and Transition Technologies
Presenter: John Craddock

• Direct Access
• Patch Mmgt, GPOs, Health Check, NAP, RDP, …
• MAC Adress Privacy – Permanent Interface identifer
• ZoneID bei mehr NICs
• Dual IP Stack
• Transition Technologies:
  • Ipv6 over ipv4
  • IP -> 6to4 ISATAP
  • UDP -> Teredo
  • HTTPS (IP-HTTPS)
• 6to4
  • 2002:wwxx:yyzz:0:0:0:wwxx:yyzz
  • Wwxx:yyzz ist die IPv4 Adresse als Hex
  • 144.19.200.2 ist dann 9013:c802
• ISATAP – Intra-Site Tunneling
  • ISATAP Global Block List in DNS aktivieren (dnscmd /query globalblocklist)
  • 10.20.100.55 ist dann fd00:9999:0:100:0:5efe:10.20.100.55
• IPv4 only Hosts
  • NAT-PT und DNS-ALG wird benötigt
  • Forefront UAG, Support für NAT64 und DNS64
• Teredo
  • Client hinter 1 oder mehr NATs
  • Teredo Clients spricht mit dem Teredo Server um den NAT Typ rauszufinden
  • 2 IPv4 Adressen für den Teredo Server nötig
  • 2001 Teredo Prefix
  • Teredo Port 35
• IP-HTTPS
  • Wenn Teredo Port block wird IP-HTTPS als Alternative genutzt
  • Zertikate müssen ausgestellt werden
  • CRL muss erreichbar sein

SVR402 DirectAccess Technical Drilldown, Part 2 of 2: Putting It All Together
Presenter: John Craddock

• Ipsec
  • Ipsec Tunnel (authenticatied and encrypted)
  • Authenticated connects (computer and user authentication)
  • ESP Tunnel (NULL) zum Direct Acces Endpoint oder ESP Tunnel direkt bis zum App-Server
• Direct Access über IP-HTTPS ist doppelt verschlüsselt
• Network Location & Network Resolution
• Über die HTTPS Website nls.corp.example.com wird über NRPT (Resolution Policy Table) festgestellt ob der Client im Internet ist (DA) oder im CorpNe
• Direct Access
  • ISATAP Global Block List in DNS aktivieren (dnscmd /query globalblocklist)
  • Computer Zertifikate müssen dem DA Server ausgestellt werden (internal Zertifikate und öffentliches Zertifikate
  • CRL muss verfügbar sein (veröffentlicht)
  • Add Direct Accces Mgmt Console Feature
  • DA Setup
  • Step 1: Computer/User Gruppe für DA Zugriff definieren
  • Step 2: Auswahl der Netzwerkinterfaces für internal und external Netzwerke
  • Zertifkate auswählen für Corp Net und HTTPS Zertifikat für external Name
  • Step 3: Infrastructure Server definieren -> NLS Server auswählen (HTTPS Website) -> NLRP Tabelle wird automatisch erzeugt für corp.example.com und nls.corp.example.com und ggf. noch Isatap.corp.example.com
  • Step 4: App-Server definieren
  • Ggf. End-to-End Authentication einstellen
  • Save + Finish
• IPSec ESP Null benötigt Server 2008
• Ipsec über IPv6 kein Support für Windows Server 2003
• 2 Faktor Authentification benötigt Windows Server 2008 Funktional Level
• Direct Acces GPO für Windows 7 Clients erstellen
• DA Server und DA Client MÜSSEN Domain Member sein

SIA403 A Deep Dive on the New Microsoft Forefront Threat Management Gateway
Presenters: David Cross, Donny Rose

• Web Client Protection
• Mail Protection (Exchange Edge Rolle + Forefront Protection for Exchange)
• NIS/NIPS
• NPS/NAP
• Remote Access (VPN, SSTP, Secure Publishing)
• Mgmt Funtionen erweitert
• Arrays, Load Balancing
• Malware Inspection nur Outbound NICHT inbound -> UAG
• HTTP/HTTPS Inspection In und Outbound
• UTM Unified Thread Management
• TMG Direct Access per IPv6 only zu Windows Server 2008 kein Support für IPv6 zu Windows Server 2003 -> UAG oder z.B. auch Cisco NAT-PT
• LLQ Files im TMG Logvereichnis für temp. Downtime des SQL Express Dienstes
• MRS – Microsoft Reputation Service, Anti-Malware Datenbank für URL-Filtering
• URL-Filtering User Lizenz nötig zusätzlich zur Prozessor Lizenz
• VoIP Traversal (kein OCS Support ! )
• ISP Link Redundancy (Load Balancing/Failover)
• NIS System Updates Erweiterung für 3rd Party auf der Liste aber noch kein Zeitplanplan
• RTM ???
• Release ??? in EN/US und Deutschland 

Nach den Session folgte in der Community Halle wieder ein Buffet, an dem ich mich mit Nicki Wruck ausgetauscht habe.

Jetzt gehts noch zur German Language Party im Blue Man Group Haus.

Na dann, Viel Spass beim selber Testen!
CU

Slighty shabby and a late start to Thursday following the Windows Server 2008 R2 EAP dinner – many thanks to Stuart, Gareth, Neil, Alex, etc.

We were also joined by Allen Stewart & Rajesh Dave from corp.  Allen is Principal PM for Windows Server and Raj is a PM for Windows Hyper-V.  Both are very interesting & incredibly knowledgable guys and we had a great chat.  I hounded them for info on Hyper-V thin-provisioning of memory and whilst they couldn’t confirm anything as said ‘we all live in hope…’

As for the dinner, the UK team chose a fabulous Italian restaurant called Bacco (www.bacco.de/english/restaurant/restaurant.html) which I’d definately go back to and hosted a great evening…
…as for the  night, I’d been invited to the 1E TechEd Europe party at Spindler & Klatt www.spindlerklatt.de - an uuber trendy restaurant/club in East Berlin frequented by the likes of Angelina, Clooney, and now Cook!

What a great party and many many thanks to all the team at 1E (www.1e.com).  Did I mention I was the 4th member of the team in the founding year of the business but we went our separate ways (yes I probably did & several times ), oh for a few percent of that now… anyway, moving on!

Seriously though hats off to Samir, Mark, and Phil – they have built a company that knows how to throw a great party (regarded as the best at TechEd), and a team of very bright, talented people who have a lot of respect for the company and its founders.

Ouch my head is pounding!  time to go to sessions…

ITS211 Keeping Your CIO Happy: Microsoft Office SharePoint Server 2007 SLA Scorecarding with Operations Manager 2007 and SQL Server 2008

Presenters: Gordon McKenna, Sean Roberts, www.inframon.com

Thu 11/12 | 10:45-12:00 | London 2 – Hall 7-1b

Learn how you can create CIO level SLA scorecards in SharePoint Server 2007 for Microsoft System Center Operations Manager 2007 using some of the new features in Microsoft SQL Server 2008 Reporting Services and to create Executive SLA views of your Operational Environment. The session looks at why these types of views are important to many companies, what impact this can have on your business, and what simple steps you can take to achieve very effective, high-level executive views of everything from performance and availability of your key LOB services and applications, whether important SLAs and KPIs are being achieved and whether your IT department is meeting the day-to-day needs of your business. The key demos in this session take you through the steps you need to implement effective business scorecarding in SharePoint Server 2007 using key metrics collected in the Operations Manager 2007 Datawarehouse based on “real-world” experiences gained from the field. After attending this presentation you will have a good insight into how CIO Scorecards can help you add value to your Operations Manager deployments, helping you to show real value to your executives.

Tip – to remove parameter data from Ops Mgr reports imported into a SharePoint webpart, suffix the url with &rc:Parameters=collapsed

Cracking session from Gordon & Sean on how to try and keep your CIO happy (if that’s possible! )

blog Daniel Savage

Service Level dashboard – free solution accelerator dashboard on Microsoft

SVR401 & 402 DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and Transition Technologies + Part 2 of 2: Putting It All Together

Presenter: John Craddock (www.xtseminars.co.uk)

Thu 11/12 | 13:30-14:45 | Helsinki – Hall 7-2a

Take a sprinkling of Windows 7, add Windows Server 2008 R2, IPv6 and IPsec and you have a solution that will allow direct access to your corporate network without the need for VPNs. Come to these demo-rich sessions and learn how to integrate DirectAccess into your environment. In Part 1 learn about IPv6 addressing, host configuration and transitioning technologies including 6to4, ISATAP, Teredo and IPHTTPS. Through a series of demos learn how to build an IPv6 Network and interoperate with IPv4 networks and hosts. In Part 2 we add the details of IPSec, and components that are only available with Windows 7 and Windows Server 2008 R2 to build the DirectAccess infrastructure. Learn how to control access to corporate resources and manage Internet connected PCs through group policy. Part 1 is highly recommended as a prerequisite for Part 2.

John Craddock is an extremely talented AD/identity expert, and deeply technical across many other fields – in this case IPv6 & DA.

I was also lucky enough to have a drink with John and my old Microsoft PSS chum Paul Duffy on Monday night at the cleverly named hotel ‘Berlin Berlin’.

John is a genuine international industry expert and a thoroughly nice bloke with it!   Paul, another ‘genie-I’ went on to become PM for Office Communicator and knows a thing or ten about OCS amongst other subjects to a deep level.  This probably explains why these two know each other!

Anyway, back to the session plus my own notes, links, etc.

Gems & Tips

- be careful, not all apps will be compatible – test!
- to be native will likely mean new network gear, is new network layer (layer 2 unchanged)
- hex is back!  use of double colon notation, but can only be used once per address
- cannot mix with ipV4 mask bit notation
- host derived with mac address which has privacy issues, Win7 & R2 generate random based on interface, can be disabled (revert to mac based) with netsh interface ipv6 set global randomizeidentifiers=disabled

- route print -6 will show IPv6 route table

- ::1 is IPv6 loopback

- if you have a registered IPv4 address then you automatically have an IPv6 address on the 6to4 network

6to4 http://en.wikipedia.org/wiki/6to4 states 6to4 performs three functions:

1. Assigns a block of IPv6 address space to any host or network that has a global IPv4 address.
2. Encapsulates IPv6 packets inside IPv4 packets for transmission over an IPv4 network using 6in4.
3. Routes traffic between 6to4 and “native” IPv6 networks.

- you need to manually unblock ISATAP entry in DNS which can be done via the registry or command line, e.g.

C:\>dnscmd /config /globalqueryblocklist wpad

Registry property globalqueryblocklist successfully reset.
Command completed successfully.

ISATAP is a huge subject in it’s own right, the Intra-site Automatic Tunnel Addressing Protocol Deployment Guide is available at http://www.microsoft.com/downloads/details.aspx?familyid=0f3a8868-e337-43d1-b271-b8c8702344cd&displaylang=en

Putting it all together..

- Check tunnel endpoint authentication using ‘klist’ to list Kerberos data
- Use NRTP to direct DNS queries to a specific server for a particular names space (view using ‘netsh namespace show effectivepolicy’)
- PKI needs to be right as certificates are the foundations
- you must publish the revocation list
- NLS (Nework Location Server) is just a https website accessible from the DA server, e.g. nls.corp.example.com
- if it doesn’t work, it could be a couple of days troubleshooting!

 

DAT312 All You Needed to Know about Microsoft SQL Server 2008 Failover Clustering

Presenter: Gopal Ashok

Thu 11/12 | 17:00-18:15 | London 3 – Hall 7-1b

There are major architectural changes in SQL Server 2008 for failover cluster setup and management, geared towards increased reliability and high-availability. To learn all the benefits and changes, attend this session for a comprehensive overview direct from the product development group. We cover SQL Server 2008 failover clustering setup, underlying Windows Server cluster and how SQL Server uses it, what’s new in SQL Server 2008 for failover clustering, differences from previous versions of SQL Server and future directions. This includes details of SQL Server 2008 failover clustering setup operations together with demos to illustrate the new setup.

- new features
- applications need retry mechanisms built in to provide seamless failover
- no longer have to take down the cluster to upgrade, supports rolling upgrades

Want to deploy stretched clusters?  lots do.  As in separate geo-redundant clusters, not separate nodes e.g.

Stretched SQL Clusters or the doodles of an artist?

- sql 2008 failover clustering install breaks on windows server 2008 R2 and needs to be slipstreamed with SP1 (If only we knew this last weekend!)
(slipstreaming is incorporating patches into the installation media to effect a higher level of install base over RTM – Microsoft tend to do this but not always quickly!)
see http://blogs.msdn.com/psssql/archive/2009/03/17/how-to-fix-your-sql-server-2008-setup-before-you-run-setup-part-ii.aspx for more info
- during upgrades to a 2-node cluster there will be a period of time when you are exposed to node failure, and must not have a failover attempt for fear of corruption.  removing the node from the cluster owners will stop premature attempted failover.

Further Microsoft resources.. (will add others also)

      SQL Server ^® 2008 Failover Clustering White Paper: http://sqlcat.com/whitepapers/archive/2009/07/08/sql-server-2008-failover-clustering.aspx

      Recommended  Books Online  Doc Refresh #7 (May, 2009), or later: http://msdn.microsoft.com/en-us/library/ms130214.aspx

      Failover Clusters – Getting Started: http://msdn.microsoft.com/en-us/library/ms189134.aspx

      Rolling upgrade process and best practice: http://msdn.microsoft.com/en-us/library/ms191295.aspx

      Maintaining a Failover Cluster: http://msdn.microsoft.com/en-us/library/ms178061.aspx

      Setup command line usage: http://msdn.microsoft.com/en-us/library/ms144259.aspx

      Configuration.ini file usage: http://msdn.microsoft.com/en-us/library/dd239405.aspx

 

I know this is Über nerdish, but regarding IPv6 addresses:

• 128 bit address space. In other words theoretically there are 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses available. This means there are approximately 6.67 * 10^27 IPv6 addresses per square meter on our planet.

If you understand that you already know how hilarious that is.

При конфігурованому тунелюванні адреси кінцевих точок тунелю визначаються з конфігураційної інформації на вузлі інкапсулювання. Для кожного тунелю вузол інкапсулювання зберігає адресу кінцевої точки тунелю. Коли IPv6 пакет передається через тунель, кінцева адреса тунелю, сконфігурована для цього тунелю, використовується як адреса призначення в інкапсульованому IPv4 заголовку. Топологія мережі в такому випадку зображена на рис:

Топологія мережі при конфігурованому тунелюванні

Визначення того, які пакети тунелювати, зазвичай здійснюється на основі маршрутної інформації на вузлі інкапсулювання. Для цього можуть використовуватись таблиці маршрутів, пошук в яких відбувається на основі адреси призначення з використанням префіксної маски.

Далі – “Конфігурований тунель за замовчуванням“

Опубліковано на сайті: “IPv6 українською“

Конфігуроване тунелювання використовує IPv6 інтерфейси (над IPv4 „канальним рівнем”), а тому повинно мати локальну в межах каналу адресу. Ця адреса використовується протоколами маршрутизації для роботи з тунелями.
Ідентифікатор інтерфейсу для подібних інтерфейсів має бути 32-бітною IPv4 адресою цього інтерфейсу, в якій порядок байтів такий самий як і в заголовку IPv4 пакету. Оскільки ідентифікатор інтерфейсу має 64 біта, то ліворуч від IPv4 адреси дописуються 32 нулі. Треба зауважити що „Універсальний/Локальний” біт в такому випадку дорівнює 0, а отже такий Ідентифікатор інтерфейсу не є глобально-унікальним. Якщо вузол має декілька IPv4 адрес на одному фізичному інтерфейсі, то для утворення IPv6 адреси використовується одна з них (яка саме визначає адміністратор системи).

Локальна в межах каналу IPv6 адреса утворюється за рахунок додавання Ідентифікатору інтерфейсу, описаного вище, до префіксу FE80::/64:

Локальна в межах каналу IPv6 адреса

Далі – “Конфігуроване тунелювання“

Опубліковано на сайті: “IPv6 українською“

Як тільки IPv6/IPv4 вузол отримує IPv4 пакет, який адресовано одному з його інтерфейсів та в полі протоколу стоїть значення 41, він збирає пакет якщо його було фрагментовано на IPv4 рівні, відділяє IPv4 заголовок і передає IPv6 пакет на власний IPv6 рівень.

Вузол деінкапсулювання повинен бути здатним зібрати IPv4 пакет довжиною 1300 байт (1280 байт плюс IPv4 заголовок).

Процес деінкапсуляції показано на рис:

Деінкапсуляція пакету

Під час деінкапсуляції пакету IPv6 заголовок залишається незмінним. Якщо пакет буде передано далі (тобто вузол деінкапсулювання не є адресою призначення), то значення поля ліміт переходів зменшується на одиницю.
Як частина деінкапсуляції, вузол повинен „мовчки” (Без генерації ICMP повідомлення про виявлену помилку)  відкинути пакети з неправильною IPv4 адресою відправника, такою як групова адреса, широкомовна адреса, 0.0.0.0 та 127.0.0.1. Взагалі, вузол повинен використовувати правила фільтрації адрес які вудсутні в глобальній мережі (martian filtering), та вхідну фільтрацію (ingress filtering) для IPv4 адрес відправника.
IPv4 заголовок інкапсуляції відкидається.

Після деінкапсуляції вузел повинен „мовчки” відкинути пакет з неправильною IPv6 адресою відправника. Неправильною адресою відправника вважаються групові адреси, невизначена адреса, адреса зворотнього інтерфейсу (інтерфейсу-петлі); IPv4-сумісна IPv6 адреса в якій IPv4 частина адреси представлена груповою IPv4 адресою, широкомовною адресою, 0.0.0.0 або 127.0.0.1. Фактично необхідно використовувати правила фільтрації адрес які відсутні в глобальній мережі та вхідну фільтрацію для IPv4-сумісних адрес відправника.

Вузол деінкапсулювання збирає IPv4 пакет перед деінкапсуляцією IPv6 пакету. Всі опції в IPv6 пакеті залишаються без змін, навіть якщо IPv4 пакет було фрагментовано.

Після того як IPv6 пакет деінкапсульовано, він оброблюється майже так само як будь-який інший прийнятий IPv6 пакет. Єдина різниця в тому, що деінкапсульований пакет не повинен просуватись далі до тих пір, доки вузол не буде явно сконфігуровано для просування таких пакетів від заданної IPv4 адреси відправника. Ця конфігурація може бути неявно задана у вигляді сконфігурованого тунелю для заданної IPv4 адреси. Таке обмеження необхідне для того щоб запобігти використанню тунелювання як спосіб обходу вхідної фільтрації [17].

17. Ferguson, P. and D. Senie, “Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing”, RFC 2827, May 2000.

Далі – “Локальні в межах каналу адреси для тунелів“

Опубліковано на сайті: “IPv6 українською“

Unless you have been living deep inside the Amazon rain forest, totally cut off from communicating with anyone, anywhere, you know that the world has changed tremendously over the last 20 years. Although almost every area of our lives has been affected with these sweeping changes, in this post I want to focus on those changes that have been the result of the growth and maturation of the Internet and the developments in networking technologies in general.

Twenty five years ago, no global network existed to which the general populace could easily connect. Twelve years ago, what we consider to be the public Internet had grown and matured to the point where people in most parts of the world could connect to it. However, most of these users were usually what could be called “computer literate.” If we fast forward to today, it seems that practically everyone has Internet access through their PCs, handheld devices, phone, and soon, their refrigerator or BMW.

Practically every contemporary mobile phone now supports Internet traffic, requiring the use of an Internet Protocol (IP) address. Most new cars now have the ability to acquire and use an IP address, along with wireless communications. (This allows car dealers to contact their customer when the car’s diagnostics detect a problem with the car.) In addition, consumer product manufacturers have pushed the idea that all of their appliances need to be IP enabled.

The first publicly used version of IP, Version 4 (IPv4), which uses 32 contiguous binary bits, provides an addressing capability of about 4 billion addresses which, in binary, is represented as 232. This number of unique IP addresses was considered to be sufficient in the early design stages of the Internet when the explosive growth and worldwide proliferation of networks was never anticipated. In addition, even though IPv4 provides approximately 4.3 billion addresses, large blocks of IPv4 addresses are still reserved for special uses and are unavailable for public allocation.

IPv4 has served the Internet well for many decades, but is reaching the limits of its design. Among other limitations, IPv4 is somewhat difficult to configure, is running out of addressing space, and provides no features for site renumbering to allow for an easy change of Internet Service Provider (ISP). Since it is an immutable rule that every individual host on an IP network must be assigned a unique IP address, which is used to communicate with other hosts on the same network or globally, it is now universally accepted that there are insufficient publicly routable IPv4 addresses to provide a distinct address to every Internet device or service.

Various mechanisms have been developed to alleviate these problems, for example Dynamic Host Configuration Protocol (DHCP), which has been discussed in a previous post, and Network Address Translation (NAT). It is accepted that each of these processes has its own set of limitations.

NAT is a process whereby a single public IP address can represent multiple internal Local Area Network (LAN) hosts that are using private addresses. Individual nodes, operating behind NAT, appear to be sending their data from the public IP address of the translating device, usually a router doing double-duty. The translating device maintains a mapping of each host’s source address, which originates traffic inside the network, and forwards replies from the Internet accordingly. However, this process, among others, has always been considered to be a stop-gap measure and not a final or complete solution to the inherent problems of IPv4.

The Internet Engineering Task Force (IETF) took on this problem in the early 1990s by starting an IPng (Internet Protocol next generation) project. After more than two years of defining goals and features, getting the best possible advice from industry and user experts, and sponsoring a protocol design competition, a new Internet Protocol was selected. Many proposed protocols were reviewed, analyzed, and evaluated. By 1996, a series of RFCs were released defining Internet Protocol Version 6 (IPv6), starting with RFC 2460. (As an aside, the IPng designers could not use version number 5 as a successor to IPv4, because it had been assigned to an experimental flow-oriented streaming protocol, Internet Stream Protocol (ISP) intended to support video and audio.)

Estimates of the time frame until complete exhaustion of IPv4 addresses, delivered by many well-meaning and sincere “experts” used to vary widely. In September 2005, a report by Cisco Systems suggested that the pool of available addresses would dry up in as little as four or five years. Then, in May 2009, a daily updated report projected that the Internet Assigned Number Authority (IANA) pool of unallocated addresses would be exhausted in June 2011, with the various Regional Internet Registries using up their allocations from IANA in March 2012. There is now consensus among Regional Internet Registries that final milestones of the exhaustion process will be passed in 2010 or 2011 at the latest, and a policy process has started for the end-game and post-exhaustion era.

In upcoming posts we will examine Ipv6 in much more detail and discuss the various methods available for transitioning from Ipv4 to Ipv6.

Author: David Stahl

A survey conducted by the European Commission across Europe has revealed that just 17percent of organizations and institutions have upgraded to IPv6. And that means there would be a shortage of IP addresses in few years(probably next year).
Transition to IPv6 involves the purchase of new networking equipments and support has already been built into Windows and Mac computers.
The effect of this “no room” condition is :
* Internet speeds would drop
* New connections would be expensive or simply impossible to obtain.

more on this news here.

Additional information :

• What is IPv6?
• Technical details
• What is my IP?

There’s always been a certain amount of conspiracy theories when security type events happen or instances where there is secrecy. There are those who don’t buy the ‘reported’ reason a security event (like a breach) occurred, those who claim to have inside information or just those who see a story and draw their own conclusions. The following is my take (Satire Alert) on Transmission Control Protocol/Internet Protocol v6 and the end of the world as we know it. That can affect our security, right?!?

Recently there have been more than the usual number of articles about IPv6 and the need to deploy it soon since the v4 blocks are almost gone. Yes we’ve been hearing this for years (RFC2460 was defined in December 1998) but now the hype may be over as indicated in this article. There are many security enhancements in v6 nicely covered here but that’s not where I’m going.

In my first blog post on DevCentral, aptly titled First Post, I introduced psilva’s prophecies. I’ve been in the Internet industry since ’94 and while not a ‘know it all’ I have seen my share of changes and have seen a bunch of ‘ideas’ over time come true. For instance, I had always thought that the Internet would eventually become our entertainment delivery method and some 14 years later, that’s the case. That’s not that wild as I’m sure many of you figured it was only a matter of time once we started to see streaming video and broadband to the home. In that First Post, I offered my prediction of how our nomenclature might change over the next 50-100 years. That now, we no longer give our full name/address for contacting/correspondence as we’ve done in the past – we just give email. The idea was that over time, our current first/last naming convention might dissolve to where we are known as users@domains or a single string of characters. Twitter is enforcing that with their @namingconventions.

IPv6, at 128-bits (v4 is 32-bit), gives us the ability to assign an IP address to just about anything – heck, all the portable mobile devices we carry each need one and consumer appliances like TVs, refrigerators, thermostat, DVRs, garage door openers, coffee machines and just about any electronic item could potentially have an IP address. Schedule your toaster via a Web GUI to perfectly brown your bagel when you get home. You can already control your lights and alarm systems over the internet. In addition, each one of us, worldwide, would be able to have our own personal IP address that would follow us anywhere.  Hold on, I’m getting a call through my earring but first must authenticate with the chip in my earlobe. That same chip, after checking my print and pulse, would open the garage, unlock the doors, disable the home alarm, turn on the heat and start the microwave for a nice hot meal as soon as I enter. I could chip my child (like the dog) to be able to GPS their behind if they are not at the movies as indicated. Not so farfetched. That doesn’t sound so sinister, psilva, how can that be the beginning of the end?

OK, now the fun begins.  While not a Nostradamus follower, although History/Discovery Channels have covered him often, he does have something to say about numbers. You might remember he got a lot of press and was the subject of spam after 9/11 due to this quatrain which his followers say indicates that he predicted that disaster. Conspiracy? He was very much into numbers and also indicated that when we are all identified as numbers, that will be an sign of the impending doom. We do have a numbering system in the states called a Social Security Number, which is our Gov’t identity and very much linked to our own security. With IPv6, now the entire world can be identified by number and thus fulfills psilva’s prophecy #2.  The timing is right also.  2012 is getting a lot of play as the end of time.  Both the Mayans and Nostradamus feel that 2012 is the end of days and Hollywood has taken notice.  Now this does slightly negate my 1st prophecy since I’m giving our name change around 50 years but 2012 does sound about right for a full IPv6 transformation so it does fit nicely with doomsayers – if you’re into conspiracies.

ps

• #20 out of 26 Short Topics about Security
• previous stories: 19, 18, 17, 16, 15, 14, 13.5, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1