SolarScale Blog

www.ipv6.solarscale.de

If you got a dual-stack ipv4/ipv6 box you can maybe check out www.ipv6.solarscale.de. The front page should indicate that it's IPv6 down at the bottom. The reason you need dualstack is because the DNS is in ipv4 land and I can't help it because my registrar doesn't support ipv6.

I noticed some people tried to reach this in ipv4 land. It won't work, you gotta have v6. Here is the address again in IPv6 notation:

• http://[2001:a60:f074::2]/

I noticed that in firefox you can't tell it to exclude ::/0 from the proxy that's configured which sucks, however it happily does 2000::/8 which should cover the entire ipv6 spectrum so far (at least for ip6 notation).

OpenBSD Donation

OpenBSD is accepting donations for a new CVS server and two routers. I had almost two euros in my paypal account still and was able to make a donation of $1.45 to OpenBSD. Now all we need is almost 4827 people to make the same donation, and we'll have the new cvs.openbsd.org.

UPDATE Tue Mar 3 12:34:43 CET 2009

Date: Mon, 2 Mar 2009 17:14:50 -0600
From: Marco Peereboom 
To: misc [at] openbsd [dot] org
Subject: Re: upgrades for the project

After lots of very generous donations we today breached the required
amount!!  Thank you very very much everyone who donated!!

The r200s have been ordered and the 2950 will be ordered later today.

Thanks again to everyone who participated,
/marco

My SSH Tunnel

As mentioned in the last article (Why I chose static) I have an SSH tunnel to my VPS (virtual private server). The tunnel carries 3 protocols (SMTP, POP3 and HTTP). I want to focus on HTTP and show you what I did. I used squid web proxy on the VPS to cache and forward my data through the port forwarding of ssh. Here is its config to make it bind only to localhost and turn everything else off.

# Squid normally listens to port 3128                                           
http_port 127.0.0.1:3128                                                        
icp_port 0                                                                      
htcp_port 0                                                                     
snmp_port 0                                                                     
cache_mem 32 MB                                                                 
cache_dir ufs /var/cache/squid/sqache 100 16 256                                
                                                                                
acl all src 0.0.0.0/0.0.0.0                                                     
http_access allow all                

In my firefox I set this setting for the proxy:

And in my $HOME/ssh/config file I put the forwarding ports:

 LocalForward 3128 127.0.0.1:3128
 LocalForward 9110 127.0.0.1:110
 LocalForward 9025 127.0.0.1:25

So now when I want to browse the web I first have to authenticate with ssh on the remote server which will then set up the ports for me to do that. The browsing is slightly slower, but when some images are cached in the 100 MB of disk on the VPS I get a faster load. Also I appear to be coming from "proteus.solarscale.de" when I browse like this.

Why I chose static

I recently (1 month ago) requested a static IP from my ISP (who allows static IP's luckily). Another feature that I found useful (that I also got) was that my ISP had an override to a daily disconnect that the german telekom (deutsche telekom) imposed on most DSL users in Germany. This disconnect prompted me to write a security advisory to bugtraq 2.5 years ago because it could have been abused by getting other people's private information. Even though the chances were slim that someone could have gotten data out of my SSH tunnel, I decided to go static despite. The trick to the advisory was that you had to disconnect and reconnect often to gain the data spoken about, but this can also be done by groups to make it slower and thus seem more natural to network admins. One person disconnects and reconnects one minute and the next person the next minute and so on, would be enough to escape log-watching admins. Anyhow I feel much safer with my static IP and I'm listening to the advice of others who said that a static IP is a good workaround to the hijacking that I described in the advisory.

Traceroute

I'm slowly adding stuff again that was on my webpages/presence before. Here is a write-up of traceroute and how it can easily be manipulated to people who traceroute.

On my last virtual host instance I had a small iptables rule:

iptables -A INPUT -m ttl --ttl-eq 1 -j DROP

The end of flavair.com

Feb 17 19:35:22 proteus wildcarddnsd[15843]: request on descriptor 4 
interface "62.75.160.180" from xxx.xxx.xxx.xxx for "flavair.com." type=2 
class=1, answering "NXDOMAIN"

I knew this could be done, didn't think that anyone would do it. Seems more of a waste of a .com domain.

UPDATE: Thu Feb 26 12:23:47 CET 2009, the plot thickens, possibly the owner of the domains did a dig on flavair.com and a bunch of others as well (possibly to check whether they were going to my nameserver too). I now know he lives in the US where bellsouth is active.

pjp@proteus:/var/log> grep  74.166.174.117 all | awk '{print $15}' | sort -u \
| awk '{printf("%s", $1);} END {printf("\n");}'                                    
"flavair.com.""flavait.com.""flavait-naturally.com.""flavaitnaturally.com.""flavaleeds.com."             

I understand I'm doing non-conscious advertising for this cybersquatter.

IPv6.solarscale.de

I've configured ipv6.solarscale.de and ipv6.centroid.eu, there is an httpd answering on the ipv6 internet but so far it only shows the apache start page. I was able to make the configs with wildcarddnsd my own dns server and I'm fairly proud it works. Perhaps in the future I'll put some clever content on ipv6.solarscale.de, so if you have ipv6 check it out some day.

;; ANSWER SECTION:
ipv6.solarscale.de.     3541    IN      AAAA    2001:a60:f074::2

;; AUTHORITY SECTION:
ipv6.solarscale.de.     86341   IN      NS      margaret.centroid.eu.
ipv6.solarscale.de.     86341   IN      NS      proteus.solarscale.de.
ipv6.solarscale.de.     86341   IN      NS      uranus.centroid.eu.

;; ADDITIONAL SECTION:
margaret.centroid.eu.   3541    IN      A       212.114.251.91
margaret.centroid.eu.   3541    IN      AAAA    2001:a60:f074::2
uranus.centroid.eu.     81826   IN      A       212.114.251.91

This should work with dual stacked (ipv4/ipv6) machines but it doesn't work with solely ipv6 machines unfortunately since my isp doesn't have ipv6 connectivity for its nameservers.

Back on the IPv6 Net!

Well it's been 10 years almost with no IPv6 connectivity and I finally got around to getting another tunnel in order to be fully connected.

margaret$ ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:a60:f074::2 --> 2001:4860:0:1001::68
16 bytes from 2001:4860:0:1001::68, icmp_seq=0 hlim=59 time=72.702 ms
16 bytes from 2001:4860:0:1001::68, icmp_seq=1 hlim=59 time=63.446 ms
^C
--- ipv6.l.google.com ping6 statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 63.446/68.074/72.702/4.628 ms

I use sixxs.net and getting it configured was very easy, now I'm just looking at getting this blog on the IPv6 Internet as well.

A thought on the Economic Crisis

Just a small speculation. Could it be that money created to bail out any companies on either side of the atlantic is used indirectly or directly to break down companies on the opposite side of the atlantic (who then need a bailout or more money)?! :-)

Sorta like spoofing a packet to an echo port to be coming from another echo port on the Internet. It would create a never ending echo'ing cycle.

A New Beginning

I reinstalled the vps that hosts this site. Everything went smooth until I mistakenly used a tar -cvzf instead of an -xvzf on the backup file so I'll have to rebuild everything by hand. Some stuff will be gone for good. Oh well.