Posts tagged networking
Today is the day many companies and organizations permanently enable IPv6 for their products and services. This is a big deal.
We’ve had all of our major public servers accessible by both IPv4 and IPv6 for some time, and continuously since World IPv6 Day last year. We’ve also been assigning IPv6 networks by request to customers with routers and network gear capable of supporting it. We’d love to assign more, but although enterprise-grade equipment and every major computer operating system support IPv6, support in consumer-grade equipment such as DSL routers has been in a chicken-and-egg limbo for years.
So what’s the big deal?
The Internet has run on the IPv4 protocol since September, 1981. An IPv4 address is a 32-bit value, which provides around 4 billion unique IP addresses. Even though changes have been made to the allocation and usage of this space, from replacing the original classed network system with CIDR to routing schemes like NAT, it was never really designed or intended for a rapidly growing public Internet, and it’s clearly at the end of its road.
IPv6, which has actually been around for longer than you might think, is the next generation of Internet addressing. Will it ever fully replace IPv4? That’s unknown but the days of freely allocating more IPv4 addresses are at an end.
IPv6 uses a 128-bit address and provides a vastly larger number of unique IP addresses, large enough to handle 4 billion unique organizations, each with 4 billion unique clients, each with their own 64-bit address space, itself 4 billion times larger than the entire IPv4 address space. IPv6 provides the room to create and implement advanced networking features like auto-configuration, efficient routing, and simplified renumbering.
What can you do to help move us further away from IPv4?
Talk to your Internet and/or hosting provider about IPv6 and ask about their deployment plans. Ask them to publicly comment or announce their plans. Talk to your IT department and ask the same questions.
Welcome to the production Internet!
We’ve been working on building a proper vmForge account creation and management site, so for the last couple of weeks I’ve worked a lot with the vCloud API. It’s a RESTful system, which means everything’s done by getting XML from and posting XML to a web server. It’s perhaps not the worst API I’ve ever worked with, but it’s tedious to work through. Even more so because their parser is insanely pedantic, to the point of requiring elements in a specific order. So that’s a point in PHP’s favor, that it maintains key order in associative arrays.
If you wanted to learn how to use Juniper networking gear, and especially get some exposure to JunOS, their network OS based on FreeBSD that you need to configure almost all the Juniper devices with, there are many free or reasonable learning options available.
Having successfully implemented its plan to expand the list of generic top-level domains (beginning Jan 12th, anyone with $185,000 burning a hole in their pocket can apply to create the .spork gTLD), the Internet Corporation for Assigned Names and Numbers has now announced a plan to similarly expand the IPv4 address system.
IPv4 uses 32-bit (four-byte) addresses, such as 184.108.40.206, which limits the network to approximately 4 billion unique addresses. As the Internet has grown, this address space has been progressively consumed, to the point where there are almost no IPv4 addresses left to be assigned.
To resolve this, ICANN has proposed that new network identifiers (the highest byte of an IP address) be created and distributed to the regional registries. Where the current address space ends at 255.255.255.255, this proposal would open up higher networks and addresses such as 2220.127.116.11, 403.0.0.1, and 518.104.22.168 for immediate use. This would effectively double the current address space and put off address exhaustion for at least another year.
Eventually, non-numeric networks such as apple.0.0.1 might even be possible, or CIDR blocks such as apple.iigs.0.0/16.
ICANN intends to push aggressively for the plan, despite early criticism from network providers that it’s bogus, poop-headed, and unworkable. Further, Chrysler has already threatened a trademark lawsuit unless the entire 300 network is handed over to it. There is some concern that if the Chrysler suit is successful, it could prompt a similar suit from Ferrari which would decimate the new address space.
If the proposal is approved by ICANN directors, the new networks and addresses would become available on April 1st of next year.
So, I got a little tired of FTP and SSH brute force attempts. I know that if you have strong passwords on your system, you can safely ignore them, and on customer systems behind real firewalls, I do so. However, on my personal systems, I have 0 problem blocking people who annoy me. So I installed pfBlocker on my virtual firewall to see what I could do.
pfBlocker is a package that has blacklist functions that supersede a couple of older packages. I initially installed it as a replacement for CountryBlock. The first thing I did was go through my logs and see which countries were the most obnoxious. China was the first to go, followed by Southeast Asia, and Venezuela. Sorry, I don’t want you accessing my network.
That alone took care of 70% of my attempted exploits. There are, however, plenty of compromised machines in the United States of America, so I had to think of something else.