Thursday, December 22, 2011

IPv6 Link-local Multicast Name Resolution (LLMNR) in Windows 7

While I was working on some IPv6 testing I noticed some interesting UDP listener ports on my system and I couldn't remember what the port was actually used for. In this case I did the following:

C:\Users\Ed>netstat -p UDPv6 -an

Active Connections

  Proto  Local Address          Foreign Address        State
  UDP    [::]:5355              *:*
<removed for brevity>

UDP port 5355 is used by Link-local Multicast Name Resolution (LLMNR). In IPv6 the listener is technically a multicast process, receiving queries on the multicast address FF02::1:3.

What is the purpose of LLMNR? LLMNR allows hosts on the same subnet to resolve hostnames without the need for a DNS server. It is based on DNS and the best write-up is still by Joseph Davies in his Cable Guy articles.

It is more useful for home network situations or where teams are building out temporary wireless or wired networks to collaborate. Unfortunately, LLMNR isn't utilized by Linux or OSX at all. Apple came up with mDNS and later DNS-SD to address the name resolution issues for local networking and it appears that some Linux implementations utilize that also. There is a nice write up of some of the Zero Configuration Networking options on Wikipedia.
- Ed

Tuesday, December 13, 2011

Network World article - How to get IPv6 address space from ARIN

My article for Network World on How to get IPv6 address space from ARIN was published last month and I forgot to post anything about it. As with my previous Network World article it requires registration on their site but I hope you can live through that to take the time to read it. I might later be able to repost the full article on my blog but for now the only access is via Network World.
- Ed

Tuesday, November 29, 2011

When to consider using Provider Assigned IPv6 address space

For network engineers who spend their days designing IP networks and running BGP the thought of running Provider Assigned (PA) IPv6 address space is often met with a look of repulsion and disdain. Given the relative ease for most enterprise network engineers to run multi-homed BGP and to have redundant Internet Service Providers with a single IPv4 or IPv6 address block this might be a justified reaction. However, there are cases for smaller businesses and even smaller branch offices to run IPv6 PA address space that might make sense.

For instance, if you have a remote office that has limited service provider options and perhaps it is not cost effective to run BGP at the remote site you can utilize PA space to dual stack the site and simply put IPv6 ACLs in place to build corporate access policies. For small businesses it makes little sense to try and BGP multi-home due to the hardware and engineering talent required to maintain such arrangements. Considering how infrequent it is for a company to change ISPs for a given location it is not inconceivable that turning up a new service provider and migrating to a new PA block is a reasonable solution for many.

The biggest outcry I hear most often is from System Administrators who seem to think changing IP addresses will break all their server configurations, printer settings and other items. My calm reply is that they can continue to utilize IPv4 RFC 1918 space as they were and that if they are not using DNS for name resolution by now then they should likely not have that SA job anymore. DNS allows for an easy migration from one PA block to a new one with minimal impact. In addition, you can utilize DHCPv6 to manage resources and the lease times ensuring that the migration can be quick and relatively painless like most other maintenance windows for OS upgrades or WAN service provider transitions. In addition, hosts are designed to have multiple IPv6 addresses in use at the same time which theoretically means the host would control the timing of the cut-over from one PA space to a new one.

To top it off, it could be argued that for MPLS or other WAN services it might make sense to get PA space for those point to point links and allow for better summary aggregate routing for the Provider Independent (PI) space you do have as /48 sites without wasting a /48 for WAN or VPN links within your network. You could even put route filtering in place to prevent the propagation of the PA space out of your network which would control transit WAN/MPLS traffic loads. Just because the Global Unicast Address (GUA) space you get from your provider is available to route globally doesn't mean you have to advertise it or even have the service provider advertise it either.

With the recent introduction of RFC 6296 it is possible to migrate from one prefix to the other in one move but to do this requires some downtime while the prefix replacement happens. It also introduces the problem of what IPv6 address does the host actually have at any given moment (it won't have both like a migration.) Realistically it breaks the end to end transport by being yet another version of NAT. While it is a good tool to have I don't advocate utilizing it unless the use case truly dictates needing it. Just migrate to a new IPv6 address block and things will work as expected. Hopefully your business will grow enough that the migration will be to PI address space and you only have to do the migration once!
- Ed

Friday, November 11, 2011

Odd IPv6 ULA use cases

I have to be honest, I am not a huge fan of the idea of IPv6 ULA (unique local addressing) at all. I have seen several use cases presented and even some knowledge base articles written saying to use it such as this one by Apple. There are ULA address prefix generators like this one at SixXS which are useful if you want to do ULA, my question is WHY?

At the core of the question is what do you gain by doing ULA that you don't get with doing Global Unicast Addressing? I would argue you get no benefit from having to globally register a /48 ULA rather than simply applying for a /48 or larger from ARIN or one of the other regional registries that provide public IPv6 address space with the exception of price (which could be a big deal for some small businesses but just get your IPv6 address space from your provider for free then.) Furthermore, ULA by definition in RFC 4193 cannot be routed globally and must be filtered at the edge which very much limits your IPv6 deployment and ensures you have to either deploy Global Unicast Addressing at a later date or do prefix translation as described in RFC 6296 which is a viable solution but seems to introduce yet another network translation component on the network when one is not needed if you simply used Global Unicast Addressing the first time around.

The other concern I have is some OS platforms not behaving as expected when getting ULA addresses. Ideally all OS behavior with ULA would know that you don't have global IPv6 access with a ULA at all but if you are using prefix translation is that still true? Also, since IPv6 is preferred do we run into a case where the network team is putting ULA in play and breaking some of the default OS behavior that is desired for transitioning to IPv6?

Given the fact that the effort is almost identical for deploying ULA as it is for Global Unicast I am not convinced that ULA is something that is needed or should be recommended. I would love to hear feedback on this one. The few corner use cases I have heard still do not seem to overcome the argument of just using Global Unicast.
- Ed

Wednesday, November 09, 2011

gogoNETLive! 2 IPv6 Conference wrap up

If you missed the gogoNETLive! 2 IPv6 Conference that happened at San Jose State University last week you can still get a chance to see the content from the conference. Almost all the sessions were recorded and the video and PDFs of the slides will be posted soon. I encourage you to check out last year's content also, the majority of that is still applicable and a valuable baseline for understanding what is happening in IPv6.

The next big IPv6 events happening will be the IPv6 World Congress in Paris, France and then the rebranded Rocky Mountain IPv6 Summit which is now being called the 2012 North American IPv6 Summit. The North American IPv6 Summit is by far the largest IPv6 event in the US and is expected to have over 500 folks attending and will likely sell out. If you have any interest at all in getting good practical IPv6 knowledge from real world experts both these events would be worth your time and effort.
- Ed

Friday, October 14, 2011

Network World article - Who's who in IPv6

My article for Network World on Who's who in IPv6 was published a few days ago. It requires registration on their site but I hope you live through that to take a read. I might later be able to repost the full article on my blog but for now the only access is via Network World.

I am very much interested in feedback on who you felt I left off the list. I have some caveats, I was not able to do a who's who for service provider manufacturers, professional services consulting, training/education, OS's/applications and security solutions. There just wasn't enough room. Perhaps I will get the chance to do that in another article.
- Ed

Thursday, October 13, 2011

CAv6TF and gogoNETLive!2 IPv6 Conference - Nov 1-3

Nov 1-3 the gogoNETLive!2 IPv6 Conference will be happening at San Jose State University. The line up of speakers is excellent and there will be a day of hands on practical labs to learn IPv6. To get in on the labs you should sign up right away, it is first come first served. To register for the event visit the registration page. You can hit me up on twitter (@ehorley) to get a discount code.

This event is the only dedicated IPv6 focused conference that happens in California and the CAv6TF is hoping that folks take advantage of the opportunity to learn about IPv6.
- Ed

Monday, October 03, 2011

Microsoft Private Cloud

Every hardware and software manufacturer has a different definition and thoughts around cloud, both public and private. Few are big enough to have impact on the industry in any meaningful way. Some who do that come to mind are Cisco, Amazon, Apple, VMware, Citrix and Microsoft.

On Tuesday evening (Oct 4th) at the monthly PacITPros event in San Francisco Chris Henley (@chrisjhenley) with Microsoft will be presenting on Microsoft's approach to private cloud. If you are interested at all in what Microsoft is doing, what direction and strategy they are utilizing and how it will impact you then this is a presentation not to miss. Chris is a great speaker and is honest and open about what he can share. The great thing about Chris is that he and his teammates (IT Pro Evangelist in the Developer Platform Evangelist group) all do practical hands on projects and labs with the OS and help in developing solutions that make sense for IT Pros.

So if you haven't RSVP'ed for the monthly San Francisco meeting go do it now, you get free pizza and a chance to hear first hand how Microsoft will be approaching private cloud, what more could you ask for?
- Ed

Friday, September 30, 2011

Some IPv6 humor

Ethan Banks (@ecbanks) tweeted this out and I thought it was amusing and wanted to keep a link to it so here it is for your amusement:


It hits home about some of the challenges around discussing IPv6.
- Ed

Friday, September 23, 2011

PacITPros LA IPv6 Presentation Follow Up, Cisco ACE supporting IPv6 and gogoNETLive!2 IPv6 Conference

Thank you to all who showed up to see me present at the Los Angeles Pacific IT Professionals User Group meeting on Tuesday. The crowd was wonderful and asked some great questions about IPv6.

We ended up changing the topic a bit at the last minute for the meeting to better tailor the content to those who were signed up to attend. As a result, the presentation was titled "The What, Why and When of IPv6 - should I even care?" and the presentation was focused on the basics of IPv6, what is it, why should I care about it and when it will affect you or your clients. It covered some basic background about the IPv6 protocol, what products and technologies are utilizing it today and how that impacts what you do as an IT Professional. The presentation is available to download from the user group's MeetUp site - just register and you can download it. Lots of thanks to Microsoft MVP Jessica DeVita who hosts and runs the meetings, she did a wonderful job as always and to Microsoft MVP Richard Hicks who presented on DirectAccess immediately after me.

Also, Cisco made up some IPv6 ground in their ACE platform with their new code release announcement on Sept 20th. ACE A5(1.0) added some much needed IPv6 features. Shannon McFarland has a great write up on his blog so I won't bother repeating it. I do now have to modify my support statements about ACE and IPv6 so for those Cisco SEs who have seen my presentations in the past please read the release notes and Shannon's blog - it will clear up a lot of items.

To round things out, the gogoNETLive!2 IPv6 conference is open for registration now. The conference is Nov 1-3rd and if you sign up prior to Oct 1st and use the discount code "earlybird" you can get 25% off. If you are a student simply use the code "student" and you will get 75% off - you need a valid student ID to show at the time of the conference or you will be charged the full price. The line up of presenters is great and they will be adding more! This conference will be worth both your time and money to attend.
- Ed

Monday, September 12, 2011

Presenting in Los Angeles on Deploying IPv6 in Microsoft Enterprise Networks

On Tuesday, September 20th at 6pm I will be in downtown Los Angeles at the Pacific IT Professionals User Group meeting presenting on Deploying IPv6 in a Microsoft Enterprise Network. In addition, Richard Hicks (fellow MVP) will be presenting on DirectAccess. I'm excited that Jessica DeVita (another MVP!) who runs the group invited me to come and present. If you are in Los Angeles and want to come join us the event is free to attend and you can sign up at their MeetUp site.

I will post the presentation after the event, I'm still updating some of the content. A quick abstract for my presentation.

Abstract: The presentation is focused on the basic deployment items that system and network administrators need to pay attention to for enterprise networks that are primarily Microsoft focused. Topics covered include default IPv6 behavior of different Windows OS's, when transition technologies are enabled, what Microsoft products will use IPv6 and deployment guide modifications for Exchange, DirectAccess, Forefront UAG and TMG. In addition, if time allows, some design challenges around DHCP and DNS and how Windows 7 will behave vs Apple OSX or Linux implementations.

Hope to see you there!
- Ed Horley - Microsoft MVP - Windows IT Pro

Tuesday, August 30, 2011

ARIN IPv6 end user address allocations

I recently attended one of the ARIN Road show events and one of the topics of discussion was the recent change in IPv6 allocation justification. I wanted to review through the new policy guidelines and give more of a quick overview guide and thoughts to what they are doing in their approach to IPv6 address allocations.

The quick and dirty for those that have an existing ASN and are multi-homed is that you automatically qualify for a /48 delegation from ARIN which is considered a single "site." Translating that into number of subnets you have to build out as /64 networks is 64-48=16 which would be 2^16 or 65,536.

Not bad but there are a lot of use cases where that will not be enough depending on what your organization is providing in terms of services. To reduce the amount of work that ARIN has to do in terms of justification they have made some very simple breakdowns based on the number of sites an organization has or will have within the next 12 months. An initial size allocation will be based off the largest site you operate and the following:
- More than 1 but less than or equal to 12 sites justified, receives a /44 assignment
- More than 12 but less than or equal to 192 sites justified, receives a /40 assignment
- More than 192 but less than or equal to 3,072 sites justified, receives a /36 assignment
- More than 3,072 but less than or equal to 49,152 sites justified, receives a /32 assignment

If you have more than 49,152 sites you should look at the ISP Address Space Guidelines, that will cover the allocation requirements for much larger organizations.

As you can tell, it is pretty simple, you take the largest site you have and use that as the allocation basis. More than likely it fits within the /48 definitions. If so, then the allocation rules above (which allocate on natural nibble boundaries) are very generous. Keep in mind, the largest site you have dictates the use case so the reality is even if you have a smaller remote office with 12 folks they will get a /48 in this design. It allows you to grow that site to be identical to your largest current site topology.

The /40 allocation is really large, if you are at 16 sites for example you end up with 256 sites (because of the round up to the next nibble boundary) with /48 address blocks each with 65,536 /64 subnets. That /40 is 16,777,216 /64 subnets for a single organization to operate and use. If your organization today is making use of RFC 1918 IPv4 address space this allocation is identical in terms of the number of subnets in IPv6 versus the total number of IPv4 addresses in RFC 1918 10.0.0.0/8. You get as many subnets in a /40 delegation from ARIN as the total number of addresses you are used to using in RFC 1918 10.0.0.0/8 IPv4, that is an insane amount of address space!
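
The tier thresholds listed above (12, 192, 3,072, 49,152) are each three quarters of a power of 16, so the assignment size can be computed rather than looked up. The Python below is an added example, not ARIN's or this blog's own code: it derives the prefix for a given site count, carves per-site /48s out of the block, and checks the 16-site arithmetic from the paragraph above. The block 2001:db8:ab00::/40 is a constructed value from the documentation range and the function names are illustrative.

```python
import ipaddress
from typing import List, Tuple

SITE_PREFIX = 48        # one "site" is a /48
LARGEST_END_USER = 32   # above 49,152 sites the ISP guidelines apply instead
TEN_SLASH_EIGHT = ipaddress.IPv4Network("10.0.0.0/8").num_addresses


def end_user_prefix(sites: int) -> int:
    """Prefix length assigned for a justified number of sites."""
    if sites < 1:
        raise ValueError("at least one site is required")
    if sites == 1:
        return SITE_PREFIX
    length = SITE_PREFIX
    while length > LARGEST_END_USER:
        length -= 4                              # move up one nibble boundary
        capacity = 1 << (SITE_PREFIX - length)   # /48s inside this prefix
        if sites * 4 <= capacity * 3:            # sites <= 75% of capacity
            return length
    raise ValueError("more than 49,152 sites: use the ISP guidelines")


def slash64_count(prefix_length: int) -> int:
    """Number of /64 subnets contained in a prefix of the given length."""
    return 1 << (64 - prefix_length)


def site_plan(block: str, sites: int) -> Tuple[List[ipaddress.IPv6Network], int]:
    """Assign one /48 per site from the block; return (assigned, spare /48s)."""
    net = ipaddress.IPv6Network(block)
    if net.prefixlen != end_user_prefix(sites):
        raise ValueError("block size does not match the tier for this site count")
    per_site = net.subnets(new_prefix=SITE_PREFIX)
    assigned = [next(per_site) for _ in range(sites)]
    spare = (1 << (SITE_PREFIX - net.prefixlen)) - sites
    return assigned, spare


if __name__ == "__main__":
    # Constructed example: 16 sites, block taken from 2001:db8::/32.
    assigned, spare = site_plan("2001:db8:ab00::/40", 16)
    print("prefix for 16 sites: /%d" % end_user_prefix(16))
    print("first site:", assigned[0], " last site:", assigned[-1])
    print("spare /48s:", spare)
    print("/64s in the /40:", slash64_count(40), "10.0.0.0/8 addresses:", TEN_SLASH_EIGHT)
```

Because every site sits inside the one nibble-aligned block, a single prefix entry covers the whole organization in route filters and ACLs.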

By moving on a natural nibble boundary ARIN is being incredibly generous with IPv6 addresses but they are also simplifying the routing table by summarizing on easy subnet boundaries. They are gambling that the routing table summarization will pay off long term with service providers supporting end user delegations. This assumes that end users are not going crazy breaking up their subnet advertisements from their early initial allocations or at least do them on even nibble boundaries.

So, from the example above you can see that ARIN is doing the opposite of the sparse allocations traditionally done for IPv4. They are massively over allocating IPv6 address space in the hopes of not having to re-allocate address space and also simplifying the routing tables at the same time. Seems like a good plan out of the gate for now but I wonder what challenges there will be with some of the multi-national organizations that are getting IPv6 address blocks from multiple regional registries and each request is including all their "sites." Arguably the IPv6 address space is so large it really doesn't matter but I think more on principle that it is potentially wasteful. Thoughts?
- Ed



Monday, August 01, 2011

Presenting Deploying IPv6 in a Microsoft Enterprise Network at Pacific IT Professionals

I will be presenting an updated version of my Rocky Mountain IPv6 Task Force presentation tomorrow at the Pacific IT Professional User Group meeting at Microsoft's office in San Francisco on August 2nd. It is a free and open meeting to attend. Only request is for everyone to RSVP so they know how much pizza to order. Hope to see you there.
- Ed

Thursday, July 21, 2011

June 2011 Microsoft Springboard Series Insider Article - What You Should Know About IPv6

I was recently published in the June 2011 issue of Microsoft's Springboard Series Insider newsletter. The newsletter goes out to 1M plus IT Pros. Unfortunately it is NOT published to the web at all so I am providing the content of the article in case others are interested in reading it.

What You Should Know About IPv6
Recently in the news you might have been reading more about IPv6, both in IT publications but even in mainstream news outlets. There have been some significant events over the last 6 months that are worthy of a quick mention to have an understanding of why IPv6 right now should be of interest to you.
On February 3rd, 2011, the IANA announced they had allocated all public IPv4 address blocks available out to all the 5 regional registries around the globe, which are AfriNIC (Africa), APNIC (Asia/Pacific), ARIN (North America), LACNIC (Latin America and some Caribbean Islands) & RIPE (Europe, Middle East and Central Asia.) These 5 regional registries allocate IPv4 and IPv6 addresses to local service providers and others who request IP address space within their respective areas. Because each regional registry has a different run rate of requests for IPv4 addresses, each region has a different predicted depletion date. See the sidebar for more about the predicted timelines. Effectively what this means is that we have emptied out the pool of IPv4 addresses that fills the bucket of the regional registries which then provide IP addresses to all of us.
In April, APNIC (the regional registry that handles Asia/Pacific) ran low enough on IPv4 addresses that they can no longer hand out larger public IPv4 address blocks and are only handing out much smaller IPv4 address blocks per very strict guidelines. APNIC will likely be the first regional registry to completely run out of IPv4 address blocks to hand out. RIPE, the registry for Europe, is not much further behind and for many ISPs and larger hosting providers it will be difficult if not almost impossible to get larger IPv4 address blocks by the end of 2011. In fact, the current aggressive projection is that RIPE will run out of addressing by September of 2011.
So what impact does this have on IT Pros that run and maintain services on the Internet today? What about services like VPN, OWA, SharePoint, Exchange, DNS and others? Likely in the immediate short term, not a lot. That being said, it will become more and more common that you encounter hosts that may only have IPv6 connectivity due to the lack of IPv4 addresses in certain parts of the world. If your services do not have IPv6 translation services or native IPv6 available then you will be unable to communicate with those hosts. Remember that IPv4 and IPv6 are incompatible protocols that cannot communicate without a protocol translator of some kind. Initially this may not be a large concern for smaller enterprises and small business. However, for larger international enterprises and government entities this concern is very real. How do you handle a situation where an executive traveling in Asia or Europe using a local ISP only has IPv6 addressing and is unable to connect to any of the corporate resources? Do you have a plan to address this inevitable situation?
Microsoft has enabled IPv6 by default in their recent OS platforms and actually has a long history of working on and supporting IPv6. Specifically Windows 7 and Windows Server 2008 R2 are IPv6 Ready Logo certified and work well in native IPv6 environments along with dual stack environments. (Dual stack refers to the situation where both IPv4 and IPv6 are available on the same Layer 2 network, wired or wireless, and the host gets both types of addresses.) Joseph Davies, author of Understanding IPv6, Second Edition by Microsoft Press has produced many articles on IPv6 and I highly recommend reading them as the starting point of learning IPv6 in a Microsoft Enterprise and Home network.
Given the difficulty of having IPv6 hosts trying to reach IPv4 resources, clearly Microsoft would have thought of some sort of transition services to allow IPv6 traffic on an IPv4 network and you are correct in assuming they put those into the OS. Windows 7 and Server 2008 R2 have the following transition services built into the OS.
  • 6to4 - tunnels IPv6 traffic over IPv4 without having to build an explicit tunnel, uses public relays to get to the IPv6 Internet, and requires the host to have a public IPv4 address to auto-generate its IPv6 addresses based off that public IPv4 address.
  • ISATAP - allows dual stack nodes to tunnel on top of IPv4 utilizing an ISATAP router for auto-configuration and forwarding, doesn't require multicast, and is typically used in enterprises to build an overlay IPv6 network on an existing IPv4 one to get around gaps in native IPv6 routing.
  • Teredo - same function as 6to4 but works behind an IPv4 NAT (able to do NAT traversal); to route to the IPv6 Internet, a Teredo relay has to be functional.
Each of the above transition services is a tool for an IT pro to design a solution to meet their requirements for migrating and supporting IPv6. Unfortunately, you need to understand when these transition services are on by default and when they are not. This is critical in Enterprise networks where compliance and auditing of existing IPv4 traffic may be in place but a lack of understanding of when IPv6 is or is not functional on the platform may cause additional behavior that was not anticipated. Remember, with Windows 7 and Windows Server 2008 R2, IPv6 is enabled by default and the OS will prefer to use IPv6 if it is available. When IPv6 hosts are Layer 2 adjacent to each other, hosts will auto-assign IPv6 addresses (link-local addressing) and also auto discover and do name resolution with adjacent hosts in IPv6. This can cause some interesting behavior for IT Operations when they are watching reported stats back on logical Layer 3 IPv4 addresses and suddenly the hosts begin passing all their traffic across the logical Layer 3 IPv6 address instead! The graph for the IPv4 address goes to almost zero and if you are not graphing the IPv6 address, you might wonder (in an alarmed state!) where the heck all your traffic went.
Here is a quick example where IPv6 transition services being on by default, combined with following best practices for a deployment, might not result in the most desirable outcome. If you are deploying Exchange 2010 and you set up Edge Transport role servers per their recommendations in a DMZ with Windows Server 2008 R2-based computers that are not domain joined and happen to use public IPv4 addresses in your DMZ, you might want to check your servers to see if they are doing 6to4 automatically. If you did not turn off 6to4 explicitly and the server has a public IPv4 address, the server is likely sending out some traffic via its 6to4 interface if it is getting AAAA records back via DNS which would specify an IPv6 address as the best way to reach a host. You might see similar behavior with Teredo if the server has a private IPv4 address.
You can check the status of your IPv6 interfaces using the following netsh commands:
netsh interface ipv6 show interface
netsh interface ipv6 show address
netsh interface ipv6 show route
You can turn off 6to4, ISATAP and Teredo with the following netsh commands:
netsh interface ipv6 6to4 set state state=disabled
netsh interface ipv6 set teredo disable
netsh interface ipv6 isatap set state state=disabled
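
The addresses reported by netsh interface ipv6 show address identify which transition service generated them, because 6to4, Teredo and ISATAP each embed an IPv4 address in a fixed position. The Python below is an added example, not part of the original article: it classifies an IPv6 address and recovers the embedded IPv4 address, and derives the 6to4 prefix a host with a given IPv4 address would auto-generate. The sample addresses are constructed from documentation ranges and the function names are illustrative.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# ISATAP interface IDs are 0000:5efe:a.b.c.d or 0200:5efe:a.b.c.d;
# these are the upper 32 bits of the 64-bit interface ID.
ISATAP_IIDS = (0x00005EFE, 0x02005EFE)


def sixtofour_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Return the 2002:WWXX:YYZZ::/48 prefix that 6to4 derives from an IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def classify(address: str) -> Tuple[str, Optional[str]]:
    """Return (kind, embedded IPv4 or None) for one IPv6 address string."""
    ip = ipaddress.IPv6Address(address.split("%")[0])   # drop any %zone suffix
    if ip.teredo is not None:                           # 2001:0000::/32
        _server, client = ip.teredo                     # client = mapped NAT address
        return "teredo", str(client)
    if ip.sixtofour is not None:                        # 2002::/16
        return "6to4", str(ip.sixtofour)
    iid = int(ip) & 0xFFFFFFFFFFFFFFFF                  # low 64 bits
    if (iid >> 32) in ISATAP_IIDS:
        return "isatap", str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))
    return "native", None


def tunnelled(addresses: List[str]) -> Dict[str, List[str]]:
    """Group the addresses that belong to a transition service by service name."""
    found: Dict[str, List[str]] = {}
    for address in addresses:
        kind, v4 = classify(address)
        if kind != "native":
            found.setdefault(kind, []).append("%s (IPv4 %s)" % (address, v4))
    return found


# Constructed sample: addresses a dual-stacked host might list.
SAMPLE_ADDRESSES = [
    "2001:db8:10::25",                        # native global unicast
    "fe80::1%11",                             # native link-local with zone ID
    "2002:c000:22d::c000:22d",                # 6to4 built from 192.0.2.45
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",   # Teredo
    "fe80::5efe:192.0.2.45%12",               # ISATAP link-local
]

if __name__ == "__main__":
    for kind, entries in sorted(tunnelled(SAMPLE_ADDRESSES).items()):
        for entry in entries:
            print("%-7s %s" % (kind, entry))
    print("6to4 prefix for 192.0.2.45:", sixtofour_prefix("192.0.2.45"))
```

Any address this reports as 6to4, Teredo or ISATAP is traffic that monitoring keyed only to the host's IPv4 address will not show as native IPv4.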
The takeaway is that you can't ignore IPv6. You should proactively design and deploy solutions and transition technologies within your environment but understand what their purpose is and if you are running them. You will have to support IPv6 and your OS platforms (all the major OS platforms use IPv6 first and "fallback" to IPv4) are already making use of IPv6, so simply ignoring that the protocol is running on your network is folly. Importantly, do NOT turn off IPv6 - you might actually break something that is working just fine in your network today! Additionally, if you have a separate network team that is planning on deploying IPv6, if you turn off IPv6 you are actively blocking the ability of that team to provide you those new services. The key is to be aware and KNOW what you are running in your environment.
So, what are the 10 steps I should take as an IT pro to get IPv6 deployed in a Microsoft enterprise network?
  1. Acquire Provider Independent IPv6 address space through a regional registry.
  2. Do native IPv6 peering or use a tunnel service to get your address space routable.
  3. Get an external firewall and external routing working.
  4. Test public IPv6 with external DNS, mail and perhaps a test web server.
  5. Evaluate transition services as needed - perhaps you have a case for using ISATAP.
  6. Test your applications in a lab - do NOT make your corporate or production users guinea pigs! Additionally Microsoft has an IPv6 Test Lab available for Windows 7 and Windows Server 2008 R2.
  7. Get internal IPv6 routing, DNS & DHCP working (phases are possible).
  8. Dual stack your servers.
  9. Provide dual stack to your workstation virtual local area networks (VLANS).
  10. Deploy a VPN dual-stacked solution.
A more detailed presentation can be found on my blog or on the California IPv6 Task Force website and yes, you can reach both of those sites via IPv6!
If you are able to get at least the first 3 items done, you can participate in World IPv6 Day on June 8th, 2011. All the major content providers on the Internet plan to make their services available via IPv6 on that day including Facebook, Google, Yahoo!, Bing, Xbox, and tons of others. You can find the current list at the ISOC website which also has information on how to take part in the event.
If you don't have time to get Provider Independent IPv6 space but you would like to get something up quickly to test with on June 8th, I would recommend several tunnel broker services that you can get up and working within minutes. If you have a router or server that can do a 6in4 tunnel, check out IPv6 Tunnel Broker, which is run and maintained by Hurricane Electric, a premier IPv6 provider. Additionally, if you already have a BGP ASN you can peer with them directly via a tunnel and if you have Provider Independent IPv6 space, advertise it that way to get it working ASAP. You can also try out the gogoCLIENT, which makes use of the Freenet6 project and has clients for Windows 7 (32 and 64-bit), Linux and OSX. Other projects like SixXS are available to do IPv6 tunnel services too.
Finally, Microsoft has ongoing articles on TechNet on all sorts of IPv6 topics. For instance, Chris Palmer wrote a blog entry on World IPv6 Day and Windows and Microsoft keeps an ongoing IPv6 Blog along with its main IPv6 site at www.microsoft.com/ipv6, which contains links and resources about IPv6. To top it all off, there are regional task forces across the world that are helping to spread the word locally about IPv6. You can find out more about them on the IPv6 Forum. Finally, make sure to check out Bing on June 8th via your IPv6 connection!

Ed Horley is a Principal Solutions Architect at Groupware Technology in the San Francisco Bay Area. Ed is actively involved in IPv6 serving as the co-chair of the California IPv6 Task Force and additionally helping with the North American IPv6 Task Force. He is a current Microsoft MVP (first awarded back in 2004) and has spent the last 15 years working in networking as an IT professional. He is actively involved in the Pacific IT Professionals users group and enjoys umpiring women's lacrosse when he isn't playing around on IPv6 networks. Contact him at ed@howfunky.com or check out his blog at www.howfunky.com
- Ed

Monday, July 04, 2011

Happy 4th of July, another year of being an MVP & more PacITPros stuff

On July 1st I received an email stating I was renewed for my 8th year as a Microsoft MVP. It's an honor every time to be awarded. The wonderful part was that my friend Jessica DeVita was awarded this year also, her first time as an MVP.


Speaking of Jessica, she has been working on running PacITPros down in the LA area and is hosting a big Microsoft Springboard event for Stephen Rose on July 12th on Deployment - sign up if you are in the area for the Microsoft Partner Conference as it is just down the street at the Microsoft downtown LA offices.

Tomorrow is our regular monthly San Francisco meeting. We will be having OpenDNS presenting at the Microsoft offices in San Francisco. RSVP for the PacITPros event and come participate in the largest IT Pro User Group in the San Francisco Bay Area - best part is that it is free.

As a final note, my thanks and gratitude to the men and women who serve in the armed forces, they allow us to celebrate this wonderful 4th of July under the watch of their dedication to liberty and freedom. Time to go put up our American Flag out front!
- Ed

Monday, May 23, 2011

Nice article by Chris Palmer - World IPv6 Day and Windows

There is a nice blog post by Chris Palmer with Microsoft on World IPv6 Day and Windows. What is nice about the article is the fact it covers some of the long term impacts you will face and the solutions that are in place and how some of those solutions might not work perfectly.
For those that are following IPv6 much of this is not new but for the majority of Windows users out there all this information is entirely new and really important. Hats off to Chris for putting it all together in a nice easy to use format.
- Ed

Friday, May 13, 2011

Getting ready to head off to Microsoft TechEd

This weekend I will be packing stuff and making sure I have all the correct events in my packed calendar for the week of Microsoft TechEd. In addition to all the regular scheduled events there are tons of side sessions and events happening and trying to keep track of all of them is almost impossible! I am excited to be heading back to catch up with fellow Microsoft MVPs, several of whom are presenting.
In addition to all this I have several CAv6TF and NAv6TF items going on too. I hope to soon have monthly meetings happening for the CAv6TF in both the Bay Area and in Los Angeles. I will update as that finalizes and firms up.
- Ed

Wednesday, May 11, 2011

A chance to see my Deploying IPv6 in a Microsoft Enterprise Network presentation again

Groupware Technology will be hosting a Tech Day event at our Campbell office on Thursday the 12th of May in the afternoon. If you are interested in seeing my Deploying IPv6 in a Microsoft Enterprise Network presentation please RSVP for the event. This is the same presentation I gave at the Rocky Mountain IPv6 Summit less than a month ago. Feel free to bring along any questions you might have regarding IPv6 as it is a topic I love to chat about. Hope to see you there!
- Ed

Tuesday, May 03, 2011

PacITPros meeting tonight will have live demo of IPv6 RA flood DOS for Windows 7 and Server 2008

If you are interested in seeing the behavior hands on for the Windows 7 and Server 2008R2 IPv6 RA flood denial of service then you need to show up at tonight's Pacific IT Professionals user group meeting in San Francisco. Sam Bowne will be showing off this simple but effective DOS. I have a feeling there will be more IPv6 specific issues found over the next year or two simply because not enough folks have been testing IPv6 on a regular basis. Hope to see you there.
- Ed

Wednesday, April 27, 2011

My presentation from the Rocky Mountain IPv6 Summit

My presentation given at the Rocky Mountain 2011 IPv6 Summit is available here. The presentation title is Deploying IPv6 in a Microsoft Enterprise Network and the abstract for the presentation is below:
Level: 100/200
Abstract: The presentation is focused on the basic deployment items that system and network administrators need to pay attention to for enterprise networks that are primarily Microsoft focused.
Topics covered include default IPv6 behavior of different Windows OS's, when transition technologies are enabled, what Microsoft products will use IPv6 and deployment guide modifications for Exchange, DirectAccess, Forefront UAG and TMG.
In addition, if time allows, some design challenges around DHCP and DNS and how Windows 7 will behave vs Apple OSX or Linux implementations.

Feel free to provide feedback or corrections - please note I use the notes field for a lot of reference items so please look through those for details.

Also, if you are interested check out Sam Bowne's YouTube video about the IPv6 RA Flood DOS issue for Windows7 and Server 2008R2 and please see his site too for additional IPv6 info and presentations.
- Ed

Friday, April 22, 2011

Presenting at the Rocky Mountain IPv6 Summit - Deploying IPv6 in a Microsoft Enterprise Network

Next week I will be presenting at the Rocky Mountain IPv6 Summit in Denver, CO. I'm excited about this for two reasons. First, I will be talking about IPv6 which for folks who know me is something I can't seem to not bring up in technical discussions. Second, I will get to see my daughter Briana while I am in town as she is attending CU Boulder.

If you are attending the event I hope to see you in the enterprise track. I will be presenting Deploying IPv6 in a Microsoft Enterprise Network. After my presentation will be William Dixon with Microsoft doing a live demo of Windows 7/Server 2008 R2 DirectAccess. Earlier in the day will be Shannon McFarland with Cisco presenting Enterprise IPv6 Deployment Overview, that should be really good. I must admit I am disappointed that Scott Hogg will not be presenting on IPv6 Security. Scott has a huge depth of knowledge and is the chair of the Rocky Mountain IPv6 Task Force. Maybe I can twist his arm to do a side session during the lunch break one of the days.

I will post up my presentation after the event, it will also be up on the RMv6TF website to download too.
- Ed

Monday, April 11, 2011

One week into a new job

For those that may not have heard I recently changed jobs and have a new employer. I'm excited to be working with several engineering friends whom I have known for a couple of years at my new job and looking forward to some additional roles I will be playing.

I also hope to make a few more conferences, user group meetings and trade shows to talk about IPv6 and the impact it will have on enterprises in the near future and what sort of planning and design work they should be engaged with to reduce the disruption that could potentially happen with an unplanned hurried roll out of IPv6.

Overall, I am excited about the year and projects ahead and hope to get a few posts up about IPv6 experiences I can share to help the community. I will post my presentation deck for the Rocky Mountain IPv6 Task Force IPv6 Summit after the event on April 25-27th, I will be presenting "Deploying IPv6 in a Microsoft Enterprise Network"
- Ed

Wednesday, March 30, 2011

RunAs Radio - my IPv6 interview

I wanted to give a quick thank you to Richard Campbell and Greg Hughes who do all the work over at RunAs Radio. Richard was kind enough to interview me in regards to IPv6 and what is happening in the space. I am also honored to be right after Stephen Rose who was on their show last week. They have an impressive list of IT Professionals they have interviewed about a wide variety of topics. I've been listening to shows myself now, they do a great job!
- Ed

Tuesday, February 22, 2011

Useful Windows 7 IPv6 netsh commands

I finally have taken time to gather together some useful netsh commands and their output that can be used in Windows 7 and Server 2008 for learning your IPv6 configuration information. This is partly inspired by Chris Vashel who kindly posted a comment on my previous IPv6 post regarding Windows 7 and Server 2008 R2 and provided some quick netsh commands to turn off some automatic tunneling behavior of Windows.

I want to cover a bit more than just turning off the IPv6 tunneling as Chris outlined (and I am including here again for reference) but also show the other fantastic IPv6 support that Microsoft has built into Windows 7 and Server 2008 R2. There is too much for one post so this will likely take a few, keep an eye out for updates.

So, what important netsh commands should you know about? I think the first ones would be "show" commands. You can get a lot of the basics from existing commands you already know like:
C:\Users\Ed>ipconfig /all
<... omitted for brevity...>
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 PL Network Connection
   Physical Address. . . . . . . . . : 00-16-41-E6-E9-C3
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:db8:7:7:b9f7:e225:37d0:960f(Preferred)
   Temporary IPv6 Address. . . . . . : 2001:db8:7:7:41b9:cf5b:e4d5:7392(Preferred)
   Link-local IPv6 Address . . . . . : fe80::b9f7:e225:37d0:960f%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.7.0.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
<... omitted for brevity...>
   Default Gateway . . . . . . . . . : fe80::215:63ff:fe88:4bdc%11
                                       10.7.0.1
   DHCP Server . . . . . . . . . . . : 10.7.0.1
   DNS Servers . . . . . . . . . . . : 10.7.0.10

   NetBIOS over Tcpip. . . . . . . . : Enabled
<... omitted for brevity...>

So first let's determine the actual interface ID's that are used, to see those use:
C:\Users\Ed>netsh interface ipv6 show interface

Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          50  4294967295  connected     Loopback Pseudo-Interface 1
 12          25        1500  connected     Wireless Network Connection
<... omitted for brevity...>
 11          20        1500  connected     Local Area Connection
 15          50        1280  disconnected  Teredo Tunneling Pseudo-Interface
<... omitted for brevity...>
 25          50        1280  disconnected  6TO4 Adapter
<... omitted for brevity...>
 29          50        1280  disconnected  Reusable Microsoft 6To4 Adapter
<... omitted for brevity...>

I highlighted the interface I am interested in getting more information about, my wired port which is ID 11. To get details from netsh for all interfaces we would issue:
C:\Users\Ed>netsh interface ipv6 show address
<... omitted for brevity...>
 Interface 11: Local Area Connection

Addr Type  DAD State   Valid Life Pref. Life Address
---------  ----------- ---------- ---------- ------------------------
Temporary  Preferred        3m16s      3m16s 2001:db8:7:7:41b9:cf5b:e4d5:7392
Public     Preferred        3m16s      3m16s 2001:db8:7:7:b9f7:e225:37d0:960f
Other      Preferred     infinite   infinite fe80::b9f7:e225:37d0:960f%11
<... omitted for brevity...>

To get details from netsh for a specific interface (11 is the wired port, we got that earlier) we would issue:
C:\Users\Ed>netsh interface ipv6 show address 11

Address 2001:db8:7:7:41b9:cf5b:e4d5:7392 Parameters
---------------------------------------------------------
Interface Luid     : Local Area Connection
Scope Id           : 0.0
Valid Lifetime     : 4m18s
Preferred Lifetime : 4m18s
DAD State          : Preferred
Address Type       : Temporary

Address 2001:db8:7:7:b9f7:e225:37d0:960f Parameters
---------------------------------------------------------
Interface Luid     : Local Area Connection
Scope Id           : 0.0
Valid Lifetime     : 4m18s
Preferred Lifetime : 4m18s
DAD State          : Preferred
Address Type       : Public

Address fe80::b9f7:e225:37d0:960f%11 Parameters
---------------------------------------------------------
Interface Luid     : Local Area Connection
Scope Id           : 0.11
Valid Lifetime     : infinite
Preferred Lifetime : infinite
DAD State          : Preferred
Address Type       : Other

The next useful show command is to know how things are routing:
C:\Users\Ed>netsh interface ipv6 show route

Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ---  ------------------------  ---  ------------------------
No       Manual    256  ::/0                       11  fe80::215:63ff:fe88:4bdc
No       Manual    256  ::1/128                     1  Loopback Pseudo-Interface 1
No       Manual    8    2001:db8:7:7::/64       11  Local Area Connection
No       Manual    256  2001:db8:7:7:41b9:cf5b:e4d5:7392/128   11  Local Area Connection
No       Manual    256  2001:db8:7:7:b9f7:e225:37d0:960f/128   11  Local Area Connection
No       Manual    256  fe80::/64                  15  Teredo Tunneling Pseudo-Interface
No       Manual    256  fe80::/64                  11  Local Area Connection
<... omitted for brevity...>
No       Manual    256  ff00::/8                    1  Loopback Pseudo-Interface 1
No       Manual    256  ff00::/8                   15  Teredo Tunneling Pseudo-Interface
No       Manual    256  ff00::/8                   11  Local Area Connection
<... omitted for brevity...>

So if you want to see your specific routes per interface you can do that using:
C:\Users\Ed>netsh interface ipv6 show route verbose

Destination Prefix:     ::/0
Source Prefix:          ::/0
Interface Index:        11
Gateway/Interface Name: fe80::215:63ff:fe88:4bdc
Publish:                No
Type:                   Manual
Metric:                 256
SitePrefixLength        0
ValidLifeTime           1755
PreferredLifeTime       1755

Destination Prefix:     ::1/128
Source Prefix:          ::/0
Interface Index:        1
Gateway/Interface Name: Loopback Pseudo-Interface 1
Publish:                No
Type:                   Manual
Metric:                 256
SitePrefixLength        0
ValidLifeTime           Infinite
PreferredLifeTime       Infinite

Destination Prefix:     2001:db8:7:7::/64
Source Prefix:          ::/0
Interface Index:        11
Gateway/Interface Name: Local Area Connection
Publish:                No
Type:                   Manual
Metric:                 8
SitePrefixLength        0
ValidLifeTime           255
PreferredLifeTime       255

Destination Prefix:     2001:db8:7:7:41b9:cf5b:e4d5:7392/128
Source Prefix:          ::/0
Interface Index:        11
Gateway/Interface Name: Local Area Connection
Publish:                No
Type:                   Manual
Metric:                 256
SitePrefixLength        0
ValidLifeTime           Infinite
PreferredLifeTime       Infinite

Destination Prefix:     2001:db8:7:7:b9f7:e225:37d0:960f/128
Source Prefix:          ::/0
Interface Index:        11
Gateway/Interface Name: Local Area Connection
Publish:                No
Type:                   Manual
Metric:                 256
SitePrefixLength        0
ValidLifeTime           Infinite
PreferredLifeTime       Infinite
 <... omitted for brevity...>

To check if you have a working IPv6 DNS server you would issue:
C:\Users\Ed>netsh interface ipv6 show dns
 <... omitted for brevity...>
Configuration for interface "Local Area Connection"
    DNS servers configured through DHCP:  None
    Register with which suffix:           Primary only
<... omitted for brevity...>

So in this particular case I am not being provided any IPv6 DNS name servers via DHCPv6 or statically on that interface. Alternately, as an example output if you had an IPv6 DNS server statically entered (like with the gogoClient) it would show:
<... omitted for brevity...>
    Statically Configured DNS Servers:    2001:5c0:1000:11::2
    Register with which suffix:           Primary only
<... omitted for brevity...>

From the above information I can determine that I am getting my IPv6 address via SLAAC, no DHCPv6 is running and I am getting an RA from the router and it is providing me with a default gateway that is using its link local address and not its global unicast prefix address, which is the default behavior expected.

Now let's actually do something interesting next and use Chris' examples of netsh to shut off Windows from doing 6to4 automatic tunneling. To do this you would issue:
C:\Users\Ed>netsh interface ipv6 6to4 set state state=disabled
Ok.

The netsh command provides confirmation that the command worked so if you are scripting you can parse the output to validate the change. Remember that 6to4 tunneling only happens if the Windows platform has a public IPv4 address assigned to its interface and no other native IPv6 option is available. You will most commonly see 6to4 traffic in cases where servers are in a public DMZ with public IPv4 addresses and in cases where Windows clients are in "guest" networks where they are also provided public IPv4 addresses.

A more common scenario is wanting to disable Teredo tunneling since it is explicitly designed to work on devices that have IPv4 addresses behind a NAT device and with an RFC 1918 IP address. The majority of SMB and Enterprise networks are built this way today so the concern is valid.

Teredo can also be a problem for Windows 2008 deployments if the servers are in the DMZ or Inside network and functioning as stand alone devices that are not joined to an Active Directory domain. When Windows 7 and Server 2008 are NOT domain joined and have a valid RFC 1918 IPv4 address only, the OS's will attempt to run IPv6 on ISATAP first, if no DNS entry exists for ISATAP then they will attempt to use Teredo. So, Teredo is enabled by default but not necessarily active. Furthermore, if Teredo is the only IPv6 available the OS will NOT send AAAA queries in DNS by default - a good default protection behavior as it is unlikely the Teredo server you are connecting to is also a Teredo relay server which will forward traffic to the bigger IPv6 Internet on your behalf.

So, to keep your non-domain joined OS from randomly joining teredo.ipv6.microsoft.com (the default Teredo server entry in the OS) and happily exchanging traffic with others who do the same you can simply turn Teredo off with the following command:
C:\Users\Ed>netsh interface ipv6 set teredo disable
Ok.

As a final measure you can turn off ISATAP. This will prevent the OS from building out an IPv6 tunnel utilizing ISATAP which would be advertised in DNS. The alternate way of controlling this is by poisoning the isatap. entry in your DNS. Remember, ISATAP is typically deployed for a transition service so the nice thing about having ISATAP enabled in the network is that it prevents Teredo from running as ISATAP is preferred.
C:\Users\Ed>netsh interface ipv6 isatap set state state=disabled
Ok.

As a final thought, the nice thing about doing these commands is that you can still leave IPv6 enabled on the OS. This allows for supporting native IPv6 in a dual stack configuration in the future without breaking IPv6 completely. So when the time comes to start turning on IPv6 (Global or ULA) in your network the servers will behave properly. Remember, the rule of thumb for IPv6 is go native where you can, tunnel where you must. Take a look at Scott Hogg's blog post for a great write up on why going "Native" is important. Plus his daughter's artwork is awesome!
- Ed
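
As an added example (not code from the original post), here is a Python sketch that parses the `netsh interface ipv6 show interface` and `show route` output quoted above and reports transition tunnels that are connected or that carry routes other than link-local and multicast. The second sample pair, the function names and the wording of the findings are constructed for illustration.

```python
import ipaddress
import re

# Output quoted in the post, with the "<... omitted for brevity...>" lines dropped.
SHOW_INTERFACE = """\
Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          50  4294967295  connected     Loopback Pseudo-Interface 1
 12          25        1500  connected     Wireless Network Connection
 11          20        1500  connected     Local Area Connection
 15          50        1280  disconnected  Teredo Tunneling Pseudo-Interface
 25          50        1280  disconnected  6TO4 Adapter
 29          50        1280  disconnected  Reusable Microsoft 6To4 Adapter
"""
SHOW_ROUTE = """\
Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ---  ------------------------  ---  ------------------------
No       Manual    256  ::/0                       11  fe80::215:63ff:fe88:4bdc
No       Manual    8    2001:db8:7:7::/64       11  Local Area Connection
No       Manual    256  fe80::/64                  15  Teredo Tunneling Pseudo-Interface
No       Manual    256  fe80::/64                  11  Local Area Connection
No       Manual    256  ff00::/8                   15  Teredo Tunneling Pseudo-Interface
"""

# Constructed sample (not from the post): a host on which 6to4 has come up.
CONSTRUCTED_INTERFACE = """\
 11          20        1500  connected     Local Area Connection
 25          50        1280  connected     6TO4 Adapter
"""
CONSTRUCTED_ROUTE = """\
No       Manual    256  ::/0                       25  2002:c058:6301::c058:6301
No       Manual    256  2002::/16                  25  6TO4 Adapter
No       Manual    256  fe80::/64                  11  Local Area Connection
"""

# Idx, Met, MTU, State, Name (the name may contain spaces).
IFACE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")
# Publish, Type, Met, Prefix, Idx, Gateway/Interface Name.
ROUTE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\d+)\s+(\S+/\d+)\s+(\d+)\s+(.+?)\s*$")
TUNNEL_KINDS = (("teredo", "Teredo"), ("6to4", "6to4"), ("isatap", "ISATAP"))


def tunnel_kind(name):
    """Return the transition technology an interface name points to, or None."""
    lowered = name.lower()
    for needle, kind in TUNNEL_KINDS:
        if needle in lowered:
            return kind
    return None


def parse_interfaces(text):
    """Map interface index -> state, name and tunnel kind; headers are skipped."""
    rows = {}
    for line in text.splitlines():
        match = IFACE_RE.match(line)
        if match:
            idx, _met, _mtu, state, name = match.groups()
            rows[int(idx)] = {"state": state, "name": name,
                              "tunnel": tunnel_kind(name)}
    return rows


def parse_routes(text):
    """Return one dict per route row: destination prefix and interface index."""
    routes = []
    for line in text.splitlines():
        match = ROUTE_RE.match(line)
        if match:
            prefix = ipaddress.ip_network(match.group(4), strict=False)
            routes.append({"prefix": prefix, "idx": int(match.group(5))})
    return routes


def audit(interface_text, route_text):
    """List connected tunnel interfaces and off-link routes bound to tunnels."""
    ifaces = parse_interfaces(interface_text)
    findings = []
    for idx, row in sorted(ifaces.items()):
        if row["tunnel"] and row["state"] == "connected":
            findings.append(f"{row['tunnel']} interface {idx} ({row['name']}) is connected")
    for route in parse_routes(route_text):
        row = ifaces.get(route["idx"])
        net = route["prefix"]
        # fe80::/64 and ff00::/8 exist on every interface, even an idle tunnel.
        if row and row["tunnel"] and not (net.is_link_local or net.is_multicast):
            findings.append(f"{net} is routed via {row['tunnel']} interface {route['idx']}")
    return findings


def netsh_change_confirmed(output):
    """netsh prints 'Ok.' after a successful set command, as shown in the post."""
    return output.strip() == "Ok."


if __name__ == "__main__":
    for finding in audit(CONSTRUCTED_INTERFACE, CONSTRUCTED_ROUTE):
        print(finding)
```

Run against the output in the post it reports nothing, because all three tunnel adapters are disconnected and the only routes on the Teredo interface are link-local and multicast.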

Friday, February 18, 2011

IPv6 meet up at Microsoft 2011 MVP Summit

For those Microsoft MVP's attending the 2011 Summit who are interested in IPv6 I have scheduled a meet up. It is planned for Monday, Feb 28th from 12-2 in building 37 on the Redmond campus. I know many of you already have sessions scheduled for your specific MVP tracks but if you are interested in IPv6 please consider joining us.

The goal is to give MVP's and Microsoft blue badges a chance to chat about what is happening with IPv6, the road map Microsoft has planned for products and resources, challenges and opportunities IPv6 is presenting in the market place and events that are happening throughout 2011. A preliminary list of topics includes:

Quick introductions - interest and involvement in IPv6, etc.

Current state of IPv6
    Service Provider
    Enterprise
    Consumer
    Gov / Ed

How are Enterprise professionals learning about IPv6?
    Media
    Search (Bing/Google/Yahoo!)
    Task Force
    Conferences
      Upcoming important IPv6 conferences and events, and/or meetings? - wdix
      World IPv6 Day plans? What can MVPs do? - wdix
    Other
      Is there going to be an IPv6-specific MVP? Should there be one? - wdix
      How is Microsoft in general or the Microsoft partner program supporting IPv6 training for partners?
      Will there be an IPv6 training solution, or infrastructure solutions for partners? - wdix

Do consumers have to learn about IPv6?
   The sad state of consumer/soho ipv6 router support and the coming pain - barb

Points of interest around Microsoft:
    Matrix of products supporting IPv6 - roadmap of support would be nice too - mark
    What are Microsoft Windows product status in NIST IPV6 testing/certification? - wdix
    How is MS set up internally - who do I contact within MS about IPv6?
    Deployment guides - current and those in the works
    Labs - Tom and Joe
    Design and recommendations for migration to IPv6
    Specific transition technology options being supported by Microsoft
    What will Microsoft's preferred recommendations around IPv6 be (if any)

If you are interested in participating (You have to be a current MVP or Microsoft Blue Badge) please comment below and I will add you to the list. We have limited space available for the room and we are almost full so please make sure you are willing to actually attend to participate. You will likely miss one of your sessions so check your schedule to see if it is one you are willing to forgo.

It is unlikely that most of the topic material will even get discussed given it is only 2 hours but having a large list of topics allows for people to break up and address specific topics offline after the meeting. If you have other suggestions of topic items to add to my list please comment and I will add them in.
- Ed

Thursday, February 17, 2011

IPv6 tunnel mode licensing in Cisco IOS

As part of the outreach I am trying to do on behalf of the CAv6TF a couple of friends and I set up the wired/wireless network for the Security B-Sides SF event which happened Feb 14-15 at the Zeum in San Francisco, CA. It was a lot of fun helping out and hopefully people who attended found it useful and perhaps interesting that they were getting IPv6 in addition to IPv4.

One of the items I noticed when setting up the IPv6 tunnel service to Hurricane Electric was that in the IP Base license the command to get the tunnel working was NOT available. Specifically you could not do:
tunnel mode ipv6ip

I had to change the license on the routing platform to include the "Data" license. This is on a newer Cisco IOS device running the 15.1(3)T code release. Granted the license showed a lifetime of some crazy number of years but I still don't understand why this feature would NOT be included in IP Base license. Given the fact that transition to IPv6 is going to become more and more important for everyone I find it surprising Cisco did this. It will make tunneling IPv6 across IPv4 only service networks a lot harder. Perhaps the plan is to recommend only having a single public tunnel endpoint and use IPv6 DMVPN instead? I'm not sure what the logic is but I will ask someone in the Cisco channel team and see if they know. Yet another annoying reason I had to reload the router.
- Ed

Monday, February 07, 2011

Why you should NOT disable IPv6 for Windows 7 or Server 2008R2

I was reviewing some Microsoft materials related to IPv6 for some presentations I am putting together and ran across some great material by Joseph Davies again that goes over some very specific reasons why it is bad to disable IPv6 on Windows Vista and Windows Server 2008 which of course also applies to Windows 7 and Server 2008R2.

In summary, you have the potential to break features in Remote Assistance, HomeGroup, DirectAccess, and Windows Mail. I would add BranchCache, Exchange Server 2007 and 2010, Microsoft Outlook and several of the tunneling methods.

I do believe there are legitimate reasons for wanting to control the IPv6 traffic that Windows 7 or Server 2008R2 is generating on your network. I would also argue that the way to do this is by having IPv6 deployed in your network so that you can have a consistent policy that matches much of what you do today for IPv4. Obviously there are different ways to deploy IPv6 but I think that a dual stack/native IPv6 deployment makes for the best solution long term. It allows the flexibility of getting to IPv6 resources and allows for a longer transition window for IT groups to migrate all services to IPv6.

One of the surprises for many people deploying Windows Server with Exchange and using the recommended deployment practices from Microsoft is that you could have stand alone servers in a DMZ or outside your network that are NOT AD domain joined. They are in "workgroup" mode and this means that if they have a public IPv4 address they will generate a 6to4 tunnel automatically and if they are using RFC 1918 IPv4 addresses they will make use of teredo tunnels automatically. This behavior isn't desirable for most enterprises and can easily be resolved by either turning off IPv6 on those specific servers or by setting up a dual stack configuration for the server with appropriate firewall rules. Obviously you need a network firewall that can do IPv6 or rely on the Windows Firewall to do this function.

So for those that reference my earlier blog entry about turning off IPv6 tunneling - seriously consider if you really need to do that or not. You need to evaluate your scenario and determine what is right but if there is a chance you might need the OS to do one of the tunnels then doing some of the network blocking methods I mentioned might cause more work in the end.
- Ed

Thursday, February 03, 2011

Final /8 allocations from IANA to all RIR's happened this morning

IANA finally allocated out the last five /8 IPv4 address blocks this morning in a formal ceremony in Florida. So the free pool of IPv4 address block is done - there is nothing left to hand out to regional registries at all. I guess we are starting off the Chinese New Year with a bang. Silly little rabbit - IPv4 addresses are for kids!

Now I am wondering how the IPv4 address request rates are doing at all the RIR's for this month. ARIN has their press release up on the event here.
- Ed

Wednesday, February 02, 2011

Upcoming IPv6 events for 2011

If you happen to be in France the days of Feb 8 - 11th then you can attend the v6 World Congress event happening in Paris. I would not be surprised to see some announcements coming out of the event. Though at this point I am not sure if IANA is going to wait much longer to announce the IPv4 pool is officially depleted and it is down to the RIR pools only. Given the run rate that APNIC is going through addresses they might not make it before reporting 0 /24's out of their current allocation. I suspect that IANA has already given them their /8 block if not two and they are all waiting for the right moment to announce things for maximum media effect.

If you are in the US and want to attend one of the premier IPv6 events stateside then check out the Rocky Mountain IPv6 Task Force 2011 IPv6 Summit. Scott Hogg puts on a wonderful event and has an impressive line up of material and sessions.

In addition, later in 2011 will be events from the California IPv6 Task Force, the Texas IPv6 Task Force and others. I will post more when those dates get closer.
- Ed

Monday, January 31, 2011

Jan 31, 2011 - IANA IPv4 delegation exhausted - up next the RIR's

For those keeping track of IANA's IPv4 /8 delegations to the Regional Internet Registries (RIR), the final 2 /8 blocks have been assigned: 39/8 and 106/8 went to APNIC. You can see the IANA IPv4 Address Space Registry for details of how things are delegated out, not that it will help much, but it is interesting to see some of the Legacy allocations.

So the next 5 /8's will be allocated automatically here shortly - guess IANA wanted to do that slower than all at once with the other 2 /8's going out to APNIC. So that is it - IPv4 address space is officially exhausted.


From a practical perspective not a lot will change until the RIR's start running out of address blocks. The rates will vary for each RIR and Stephen Lagerholm has a great blog on the run rates and what the timing likely will be until they have no IPv4 addresses to hand out anymore.

So what will everyone do once that happens? Luckily the Answer to the Ultimate Question of Life, the Universe and Everything is 42... or is it 2^128?
- Ed

Pacific IT Professional San Francisco Meeting - Feb 1st

I will be hosting the PacITPros meeting in SF tomorrow at the Microsoft offices. On deck will be Citrix and AppSense going over how you can build some killer VDI solutions for iPad and lots of other platforms.

In addition, Microsoft will be presenting on their System Center product lines and some of the related products. Hopefully we can then get them back in to do a technical deep dive on a specific System Center product that the group finds most interesting.

Hope to see you there, as always the User Group meetings are free to attend. Please RSVP at the website so we know how much food to get.
- Ed

Monday, January 24, 2011

New CAv6TF website is finally up

I'm happy to say the new website for the California IPv6 Task Force is up and live. There are a couple of nice things about the site for those that are testing IPv6 connectivity. First, it displays the IP address you are connecting with - either IPv4 or IPv6, depending on which you used to connect to the site. Second, depending on if you connect with IPv6 or IPv4 you see a different image of the kame or turtle which is a tribute to The KAME Project which was started in 1998 and concluded in 2006. This was one of the early projects supporting IPv6 and had one of the few early IPv6 websites I could actively test with back when I was doing beta testing of Windows Vista's IPv6 protocol support for the COSD team at Microsoft.

So next on the plate is to get the North American IPv6 Task Force website updated in the same fashion to make that available for general availability.

Friday, January 21, 2011

Howfunky.com - finally IPv6 enabled

I have been busy working on getting the California IPv6 Task Force website updated with the help of Jared Curtis and the new site has been launched, it is running on WordPress and should allow us some nice flexibility in pushing content out.

That got me thinking about my own blog. I've been talking and posting about IPv6 so much I forgot to do a simple thing - get my own blog up and running on IPv6. Well, as of Jan 20th, 2011 it is now IPv6 enabled.

As a sidebar, if you are using blogger to host your blog (as I am) and you want to enable your site for IPv6 then you should read this post. It goes over how to modify your DNS to enable IPv6 AAAA records for people to reach your blog site.

So there, it is official - the site is IPv6 ready!
- Ed

Monday, January 17, 2011

World IPv6 Day - June 8th, 2011 - Some thoughts

If you follow anything on IPv6 you likely noticed that several of the bigger Internet web companies like Google, Yahoo! and Facebook all announced support for World IPv6 Day via the Internet Society. The concept is pretty simple, these bigger web companies will enable IPv6 on their main websites - effectively adding a AAAA record for their primary web address.

Most of the current bigger players have IPv6 up and working already but are using an alternate name space to direct folks to a specific AAAA record. So, for instance, instead of http://www.google.com/ you go to http://ipv6.google.com/ - a minor thing for those in the know about IPv6. However, it makes it almost impossible to see the impact of publishing a super important fully qualified domain name space (like http://www.google.com) with a new AAAA record since only the people who already know about IPv6 and are likely technically savvy are using the alternate name space today.

So the challenge for the big boys who want to see what sort of impact publishing an AAAA record for their primary URL will be is the fact that losing any traffic impacts revenue. Because it is possible that an end user who is trying to get to Google and has a broken IPv6 connection will fail to see a webpage if Google has published a AAAA record. They might try a different search engine - say Yahoo! and if they do NOT have a AAAA record published the website will come up just fine on IPv4 assuming that is working for the end user. Lost revenue for Google. Executive types don't like that sort of thing... neither do shareholders.

So how do you solve this problem when you are a company like this? Effectively they have all gone in together and said let's all test the same day. That way if an end user is broken in regards to IPv6 connectivity they won't be able to get to Google but if they try Yahoo! the situation isn't any better. Neither company loses revenue to each other, they both might take a marginal hit but it is proportional and clearly acceptable if all parties are willing to be fair.

The interesting question is does this really impact end users at all? Is World IPv6 Day anything to really be excited about from an end user or even enterprise IT group perspective. Outside of being able to use the regular fully qualified domain name to reach a resource via IPv6 I would say no. Honestly, most organizations (actually almost all) do not fit in the category of having to worry how many millions of folks are reaching them and impacting their revenue day to day.

So, how can you best leverage IPv6 World Day? I would argue it would be a good day to already have IPv6 operationally running in your network, to have firewalls configured, routing working and end stations operational as a dual stack. If you have made it that far then IPv6 World Day means that those bigger web companies will actually get some meaningful data about IPv6, its adoption rate and what they can do to better support it.

The end goal of all of this is to switch from "IPv6 World Day" to "IPv6 World" because the reality for the Internet is that the adoption has to happen and it needs to happen quickly. I don't have a problem with IPv6 World Day and I understand why the big web companies are doing it, I just think why wait? For everyone else there is little to nothing to lose by moving sooner rather than later. Choose the easier services like DNS and email to turn up on IPv6. Once that comfort level is there get the company website up on IPv6 too and you will be that much further ahead.
- Ed