“I’ve read your profile with great interest…”

“… and I’d like to talk to you about a very interesting project!”

Yes, you may have a very interesting project to offer.
No, you haven’t read my profile. Or what is so hard to understand about “I’m currently not looking for any projects”?

Social networks. Sometimes it’s better to not use them.


Dual-stacking your servers and services is more than just running another protocol.

Having two protocols means having more work to do, and also that more things can go wrong (or be missed while configuring). While troubleshooting you have to think of both protocols (most of the time), and you also have to monitor both protocols.

So my advice: Single Stack where you can, DualStack where you must. Prefer IPv6 over v4 where you can. And test, test, test before doing so.

Give your admins / developers / help-desk the possibility to check and test all: IPv4, IPv6 and Dual-Stack.


Two questions I’ve been asking myself in the last couple of days:

– Why do people still believe that they can put a Linux server onto the internet and never ever have to take care of updates?

– Why do people still believe that DNS only uses TCP for zone transfers?

IPv6 addresses

While looking at these slides by Fernando Gont and Jen Linkova, I decided to look at the Alexa top 1 million myself[1].

Using host I got the AAAA records for the domains and used a small Perl script to analyze the data. I got a total of 70750 AAAA records, not all of them global unicast.


If you are interested, I’m going to repeat this monthly.

[1] The Alexa data file was from July 28th; it took a couple of days to do all the name lookups.
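
The kind of analysis described above, as an added example (not the Perl script used for these numbers): it parses `host` output, sorts every AAAA record by address type and lists the ones that are not global unicast. The sample lines, host names and addresses are constructed.

```python
import ipaddress
import re
from collections import Counter

HOST_AAAA = re.compile(r"^(\S+) has IPv6 address (\S+)$")

# Checked in order, first match wins; global unicast (2000::/3) comes last.
SPECIAL = [(name, ipaddress.ip_network(net)) for name, net in (
    ("loopback", "::1/128"), ("unspecified", "::/128"),
    ("ipv4-mapped", "::ffff:0:0/96"), ("documentation", "2001:db8::/32"),
    ("teredo", "2001::/32"), ("6to4", "2002::/16"),
    ("unique-local", "fc00::/7"), ("link-local", "fe80::/10"),
    ("multicast", "ff00::/8"), ("global-unicast", "2000::/3"),
)]

def classify(addr):
    """Return the address type of one AAAA value."""
    try:
        ip = ipaddress.IPv6Address(addr)
    except ipaddress.AddressValueError:
        return "invalid"
    return next((name for name, net in SPECIAL if ip in net), "other")

def summarize(host_output):
    """Count AAAA records per type and list every non-global-unicast one."""
    counts, odd = Counter(), []
    for line in host_output.splitlines():
        m = HOST_AAAA.match(line.strip())
        if not m:
            continue                      # A records, errors, blank lines
        kind = classify(m.group(2))
        counts[kind] += 1
        if kind != "global-unicast":
            odd.append((m.group(1), m.group(2), kind))
    return counts, odd

# Constructed sample in the format printed by `host`; all values are made up.
SAMPLE = """\
www.example.net has IPv6 address 2a00:1:2::80
portal.example.com has IPv6 address ::1
mail.example.org has IPv6 address ::ffff:192.0.2.25
shop.example.org has IPv6 address fd12:3456:789a::1
old.example.net has IPv6 address 2002:c000:201::1
www.example.net has address 192.0.2.80
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```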

Dual-Stack Monitoring

I recently got one of those shiny new domains under one of those new TLDs (has something to do with my first and last name ;-).

I added the BIND configuration by copying another zone file and then replaced the relevant parts. I also created a new Apache vhost, restarted both services and tested from my computer. Everything worked.

Well not everything. I only tested using IPv6 and not v4. I had a wrong IPv4 address in my zone file. :-(

If you run dual-stacked services, always test and monitor both protocols. If you’re using Icinga / Nagios, take a look at check_v46.

If you have both A and AAAA records for the host you are monitoring, check_v46 will run a plugin for both address types:

root@mon:/usr/lib/nagios/plugins# ./check_v46 ./check_http -H blog.quux.de
OK: IPv6/blog.quux.de OK, IPv4/blog.quux.de OK | ipv6_a1_time=4.708759s;;;0.000000 ipv6_a1_size=26086B;;;0 ipv4_a1_time=2.244641s;;;0.000000 ipv4_a1_size=26061B;;;0
Status details:
HTTP OK: HTTP/1.1 200 OK - 26086 bytes in 4.709 second response time
HTTP OK: HTTP/1.1 200 OK - 26061 bytes in 2.245 second response time

If you have only an A or only an AAAA record, there will be only one check:

root@mon:/usr/lib/nagios/plugins# ./check_v46 ./check_http -H www.wordpress.org
OK: IPv4/www.wordpress.org OK | ipv4_a1_time=0.383439s;;;0.000000 ipv4_a1_size=275B;;;0
Status details:
HTTP OK: HTTP/1.1 301 Moved Permanently - 275 bytes in 0.383 second response time
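
The same idea as an added example (not check_v46's code): look up A and AAAA separately, probe each address over its own protocol, and fail the check if either family fails. The resolver and probe are swappable so the constructed scenario, a correct AAAA record next to a wrong A record, runs offline; the host name and addresses are made up.

```python
import socket

FAMILIES = (("IPv6", socket.AF_INET6), ("IPv4", socket.AF_INET))

def resolve(host, port, family, resolver=socket.getaddrinfo):
    """Addresses of one family for host; empty list if there is no record."""
    try:
        infos = resolver(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def tcp_probe(addr, port, family, timeout=5.0):
    """True if a TCP connection to addr:port succeeds over the given family."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect((addr, port))
        return True
    except OSError:
        return False

def check_dual_stack(host, port=80, resolver=socket.getaddrinfo, probe=tcp_probe):
    """Probe every A and AAAA address separately; one failure fails the check."""
    results = {}
    for label, family in FAMILIES:
        for addr in resolve(host, port, family, resolver):
            results[f"{label}/{addr}"] = probe(addr, port, family)
    if not results:
        return "UNKNOWN", results          # no A and no AAAA record at all
    return ("OK" if all(results.values()) else "CRITICAL"), results

# Constructed scenario (documentation prefixes): the AAAA record is right,
# the A record carries a wrong address, as in the zone-file mistake above.
ZONE = {socket.AF_INET6: ["2001:db8::10"], socket.AF_INET: ["192.0.2.99"]}
LISTENING = {"2001:db8::10"}               # where the web server really answers

def fake_resolver(host, port, family, socktype):
    return [(family, socktype, 6, "", (a, port)) for a in ZONE.get(family, [])]

def fake_probe(addr, port, family):
    return addr in LISTENING

if __name__ == "__main__":
    print(check_dual_stack("www.example.org", resolver=fake_resolver, probe=fake_probe))
```

Called without the two fake arguments, `check_dual_stack` uses the system resolver and a plain TCP connect.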

More IPv6 problems (I)

Several talks at last week’s IPv6 Kongress in Frankfurt mentioned the problems you encounter when your provider does only DS-Lite. DS-Lite means you have native IPv6, and IPv4 is tunneled via IPv6 and NATed at your provider’s edge. This way your provider saves IPv4 addresses. This is the case with most (all?) German cable TV ISPs. So if you get a new connection (new customer, upgrade, or you’re just moving) you’ll end up with IPv6 and an IPv4 address shared with X other customers. Other providers may leave out the IPv6 part, assign you a private IPv4 address and let you share a public IPv4 address with others.

There are some problems with that:

1. Some applications won’t work. Most likely your NAS box at home (or in my case it would be an ssh connection to my home lab), VPNs, SIP and some games will break. For SIP there is a blog post by SIPGATE (a large German SIP provider) (in German). To summarize: They complain that cable ISPs suddenly introduced this new IPv6 protocol. This was a total surprise. There are many comments attached to this post telling SIPGATE that they should have started implementing IPv6 some time ago.

2. If your ISP hides too many users behind one public IP address, things will break: Missing parts on Google Maps are one thing (see this presentation). I did some tests for customers, and in one case I managed to lose the search field on the customer’s web page (which is essential if you are selling used cars) and in another case I managed to get rid of the login fields on the web page of an insurance company (which people might be using to log into their accounts to buy new contracts, file insurance claims, …).

One of the questions asked last week: “Is there a workaround?” – Yes there is! Implement IPv6 on the internet-facing side of your business now. You should have done it a year or two ago, but that’s your problem.

Looking at the Google statistics, about 8 percent of the users in Germany access Google via IPv6. Be aware that you will make mistakes implementing IPv6. The question is: How many of your users will notice? 10%, 15%, 20%, 25%, …?

If you still refuse to implement IPv6 you are not alone. And I don’t mind. The longer you wait, the higher my hourly rates will be. And not only mine, there is a limited number of IPv6 literates out there. And if suddenly all people decide that they need new routing, switching and firewall equipment, they’ll notice that it takes your favorite (and all other) vendor some weeks to deliver.

BTW: If you want to test if your provider is using CGN, this test might help.

IPv6 problem

Today I stumbled over another IPv6 Layer-8 problem.

I tried to access the customer’s WLAN. As usual with many WLAN setups, there is a captive portal where you have to enter some credentials, and after that you can access the network. Instead of a captive portal I saw the start page of my locally installed Apache. Digging a little deeper:

host protal.example.com
protal.example.com has address
protal.example.com has IPv6 address ::1

[x] Captive portal is IPv6 enabled!

I think I was wearing the right T-Shirt at last week’s IPv6 Kongress in Frankfurt.

v6 only Puppet master (on Debian Wheezy)

On my server I’m running out of vintage IPv4 addresses. So I have to run some servers IPv6 only. One of my first choices was to migrate my puppet master to v6-only.

On Debian Wheezy (and probably others) you have to add

bindaddress = ::

to the master section of your puppet.conf

(Thanks to yath on #debian.de)