Well, this blog supports IPv6 since its creation. And I don’t have any plans to turn IPv6 access off. Oh, before I forget. Some people hid easter eggs in their IPv6 address:

> host -t aaaa www.facebook.com.
www.facebook.com has IPv6 address 2620::1c18:0:face:b00c:0:1

> host -t aaaa www.cisco.com.
www.cisco.com has IPv6 address 2001:420:80:1:c:15c0:d06:f00d

This is a big step in the right direction in my opinion. Finally a lot of popular content is made available to end users via IPv6. Thanks a lot Google!

I only wish they would admit more Internet Service Providers to the Google over IPv6 project. My ISP AAISP still cannot get access although they are among the few which offer native IPv6 connectivity to their customers.

As my support contract doesn’t allow me to submit bug reports I had to open a service request. It took Cisco’s support organisation four weeks to reproduce the problem and another two month to submit a bug report. I wasn’t too impressed by these delays especially as I didn’t get any status updates for extended periods of time. When the bug had finally been reported to their engineering department I got an experimental firmware build with working IPv6 support within two weeks.

Considering that Cisco is a huge company I should probably be happy that they fixed the problem within three month. But I guess I’m still annoyed that they didn’t find such a fundamental problem before they released the software. A ping, one ping only, would have been enough.

The only way to get access to software updates is purchasing a Cisco support contract. Buying such a support contract is not an easy task. You need to figure out the right type of support contract (unless you want to spend more than a thousand pounds on it), find a Cisco reseller and then fight with the bureaucrats at Cisco who struggle to deal with customers that don’t have a business address. They apparently don’t want home users to use their products.

When I finally got my support contract I thought all was well now. I was able to download the latest IOS image available back then, installed it on my Cisco router and didn’t encouter any problems. But in September Cisco published a new security advisory. I went to their support website, looked for a firmware update and did not find one. I checked the advisory again and found out that the update for the firmware version that I am using wouldn’t be available before October, the 23th.

Last Thursday (a day ahead of schedule … hurray) the update was finally available on Cisco’s website. I downloaded it, installed it and found out that IPv6 doesn’t work properly in this release. Cisco broke support for the Neighbor Discovery Protocol (which is as essential to IPv6 as ARP is to IPv4) without even noticing it. I had to downgrade the IOS on my Cisco router to the previous version to get IPv6 working again. I tried to submit a bug report via their support website but it doesn’t provide me with that option. I guess I need to buy a more expensive support contract to be entitled to inform Cisco about bugs in their software.

All together I can see a very clever business scheme in there:

1. You sell expensive hardware and software which inevitably contains bugs.
2. You let customers pay for fixing these bugs via expensive support contracts.
3. You ask customers for even more money before you allow them to actually submit bugs.

With that strategy you can generate a lot of revenue. You don’t even have to invest in software quality because that would only reduce your earnings. And your customers will think twice before troubling you about software bugs.

Can somebody please release an affordable and reliable A-DSL home router with fully functional IPv6 support? Pretty, pretty please?

I attended a presentation about the Native IPv6 deployment at XS4ALL and Silke learned how to brew beer. We even found time to leave the camping site and visited the nearby towns Vierhouten and Nunspeet. We especially liked the Pannkoekehuis Likkepot in Vierhouten where you can get an astonishing wide range of sweet and savoury pancakes. Those we tried were delicious. The rest of time we mostly hung out in the BSD tent, …

… talked to people and even got a bit of hacking done.

The four days spun away and on Sunday morning it was time to take down our tent and carry all our belongings back to the car. After a final meal of tasty pancakes we drove back to Hoek van Holland to catch the ferry back to England. We arrived in Cambridge the next morning, a bit tired but relaxed and in good humour.

Unfortunately the daily grind caught up us with very quickly. We had a rough week and were very happy when we made it to the weekend. But after a refreshing sunday afternoon tea at Peacocks Tearoom and a nice walk along the river Great Ouse things look much better now.

The Intel PRO/1000 PT is supported by NetBSD 4.0 and newer and works like a charm for me. According to TTCP its Intel i82572EI chip provides a 13% higher transmit rate than the Broadcom chip. It also supports hardware-assisted checksums and TCP segmentation for both IPv4 and IPv6. Above all the card performed flawlessly in my server for over a week now with all the hardware features enabled.

So if you are looking for a fast and reliable Gigabit Ethernet PCI Express card the Intel PRO/1000 PT is a good option.

1. You use a fixed query source port on your DNS server which makes it susceptible to DNS cache poisoning.
2. You use random query source port which will create a lot of entries in the NAT mapping table of your NAT gateway. But as DNS mostly uses the connectionless UDP the NAT gateway can only rely on idle timeouts to delete those mappings. As a result the NAT mapping table will fill up quickly. This will cause problems especially on small router appliances.
   Even if your NAT router can handle this gracefully there is a good chance that it will undo the randomisation of the source port by assigning sequential port numbers on NAT mappings.

The only solution I can think of are NAT implementations which recognize DNS traffic and use very short lived NAT mappings for it. But that will make NAT even more evil because it has to make more assumptions about that IP traffic to work properly.

What we really need is DNSSEC (to make DNS secure) and IPv6 (to get rid of NAT).

Well done, Google! But what took you so long?

One of the things I really liked about IPv6 so far was the total absence of spam. But thanks to Microsoft’s Windows Vista (with builtin IPv6 support) spammers are now invading this domain, too.

1. Less noise and power consumption, the firewall was a SPARCstation 20.
2. One less UN*X system to look after.
3. Less power bricks under my desk.
4. No more MTU problems caused by PPPoA to PPPoE bridging.
5. More reliable (than the Linksys DSL modem).

Unfortunately my requirement list for a DSL router was long:

1. Normal routing for public IP address
2. NAT for non-public IP address
3. IPv6 support
4. IPsec VPN support
5. Flexible packet filter rules
6. Proper administration interface
7. SNMP support (for MRTG)
8. Configuration file backup and restore
9. ADSL 2+ support (for future use)

I searched the web for possible candidates and found exactly one: the Cisco 877W.

I was not to happy about this because my previous jobs taught me that Cisco equipment can cause a lot of trouble:

1. The IOS version that is installed on your Cisco never supports all the features you need.
2. The IOS version which supports all those features requires more memory and/or a larger flash card than your Cisco is equipped with.
3. At least a part of the necessary configuration will be completely unobvious and you have to search the web or ask arround to figure it out.
4. You will reach a point where it seems to work. Just when you enjoy your success it will break horribly.
5. Cisco will not allow you to download a firmware update without a support contract even if it fixes a critical security hole.

I bought a Cisco 877W (with an extra 802.11g WLAN option) nevertheless. And of course things went wrong:

1. Despite being advertised as supporting IPv6 it did not.
2. The IOS version with IPv6 support required a larger flash card.
3. The first flash card upgrade I received was broken. I didn’t realized that immediately of course but spent hours figuring out why format flash: wasn’t working.
4. Configuring the DSL connection on the 877W is tricky. You can’t simply take the obvious approach and use the ATM interface. You need to create a Dialer interface (sounds archaic, doesn’t it?) and tell that to use the ATM interface for “dialing” out. Fortunately Google found a useful example configuration.
5. When I finally got the Cisco working as a router (with the NetBSD firewall still providing packet filtering and NAT) I was pleased. But 10 minutes later the DSL connection went down. It happened again and again until I finally had to switch back to the Linksys DSL modem. Before I did that my Internet link wasn’t even stable enough to search the web for a solution. I posted a question to the Usenet and got a lot of unhelpful comments suggesting that my phone line was probably bad. Finally somebody pointed out to that Cisco is distributing firmware updates for the builtin DSL modem of the 877W on their public FTP server. I installed version 3.0.10 of the firmware,connect the phone line to the Cisco again and this time it really worked fine.

But getting basic routing functionality working was of course only half the story. I still needed to write Cisco IOS packet filter rules (for IPv4 and IPv6) and get NAT working. I had to postpone doing that several times mostly because of problems with the backup mail server for my domains. Last Friday I finally managed to write the IPv4 packet filter rules despite spending most of the day on maintenance of that backup mail server. On Saturday I found time to write the IPv6 rules, After a nice relaxing walk through the Botanic Garden I got NAT working on Sunday.

Now it was time to put the old firewall out of operation. My wife and I removed a stack of old hardware first:

The old Wireless Access Point had to stay because the IOS version currently installed on my Cisco 877W doesn’t support bridging IPv6 for some weird reason. There is a IOS version which does but who knows how to get it.

We set up the Cisco, connected all the cables and powered the router up. For some unknown reasons the universe showed mercy and everything just worked fine without further problems. It has worked fine ever since and I’m still enjoying The Silence of the Packets because the SPARCstation 20 is no longer making a lot of noise.