News of 2014

SixXS wishes everybody a happy and fruitful 2014!

As in all other years, in case of questions, comments or problems don't hesitate to contact us.

SixXS will be present and presenting at the upcoming IPv6 Kongress 2014 in Frankfurt, Germany.

Our presentation is currently scheduled for the second day, in the In-Depth track. We will be presenting on what SixXS has been, is doing and going to do doing.

With German users being a third of our user base we will be looking forward to meeting you and more importantly: receiving your comments and feedback directly. We'll be around the conference floor on both days, hence don't hesitate to speak up.

For 12 long years Concepts ICT has been extremely supportive of SixXS as is evident of the various news articles of them providing hardware, and connectivity for SixXS servers. They hosted our noc.sixxs.net machine which acts as the central nervous system of SixXS, gatey.sixxs.net which contributed to a major part of the IPv6Gate traffic and of course also the nlams01 PoP.

Internet companies are hot items though, and KPN bought Concepts last year and have decided to merge Concepts into their Telfort brand. The consequence of which is that they are not a business oriented ISP anymore and thus are closing down their datacenter facilities.

This thus means that the three above mentioned services will be closing down. We have moved the functions provided by our trusty noc and gatey hosts to other services (newspost will follow about this) and we have asked the users who have enjoyed nlams01 for more than 12 years to migrate to a different PoP, of course with a kind 50 ISK bonus per tunnel.

We'd like to thank the great people at Concepts ICT for their amazing support over the years: effectively since the beginning of our migration from IPng.nl to SixXS. Thanks for all the fish Concepts!

In case of questions, comments or problems don't hesitate to contact us.

We recently found out that on one of our IPv6Gate hosts the upstream DNS was being modified, filtering various sites that users wanted to access. As the DNS entries where removed from DNS, IPv6Gate thought that the IPv4 or IPv6 address for the requested host did not exist and thus properly returned a 504/506 HTTP error as it does for such hosts.

As this caused confusion to users who assumed we, SixXS, where causing those blocks we have now added DNS diagnostical output, good old 'dig' to those errors. This shows what the DNS servers we are using are thinking exists in DNS. We have also elaborated the behavior of our IPv6Gate on the IPv6Gate webpage.

As usual, in case of problems, do not hesitate to contact us.

The up/down notifications for PoPs have been available for a while already as a mixed RSS feed which contains all the PoPs. As we have been making big backend changes, one thing that we changed too is how we check PoPs for being up/down and how we internally distribute that information and communicate that to the website, RSS feeds, twitter and the IRC robot which echos it in our status-only IRC channels.

Due to these changes we can now also provider per-PoP up/down status RSS feed. Go to the PoP page that you are interested in and a handy RSS link will provide the feed that only provides details for that PoP.

As announced previously we did our presensation at the IPv6 Kongress in Frankfurt, Germany today. It is always good fun to present in a cinema (especially entertaining was the Godzilla 3D soundtrack from the other in-use-for-movies rooms; too bad that a demonstration of IPv6 Quake3 didn't work quickly on that big screen...).

We'd like to thank DE-CIX, Heise Netze and iX for the invitation to give the talk and of course the people who attended and commented during the presentation and during the rest of congress.

The slides can be found at our presentations page.

Scarlet, which renamed from Cybercomm in 2003, is changing name to Stipte. We have updated relevant logos and links to reflect this change.

As mentioned in the previous news post we have now shut down nlams01.

We like to thank Concepts ICT again for 12 years of super support to SixXS: THANKS!

OCCAID has opened up not one, but two new SixXS PoPs: Sydney and Brisbane.

We'll be notifying existing Australian users that they can move to these PoPs. The PoPs will be open for Australian endpoints which should give everybody down under much better latencies into IPv6.

Several ISPs (primarily of German nature) have chosen to deploy DSlite to avoid running out of IPv4 address space. Typically this is done so that they can use the IPv4 space previously used by consumers for their business customers who will pay extra for having an IPv4 address. The end-user thus receives native IPv6 (great) over which IPv4 is tunneled. The IPv4 connectivity is then NATted by the provider, the so called CGN or Carrier-Grade-NAT, this on top of the NAT that the user will perform to hook up the devices in their homes. The end result is that the end-user does not have a single public IPv4 address anymore.

As the provider performs the NAT function uPNP does not work anymore either which gives fun problems with services like Xbox Live and the Playstation Network, not even considering various other Peer-to-Peer kind of protocols like BitTorrent that rely on the ability to connect to listening ports on public IP addresses. Because of the tunneling of IPv4 inside IPv6 one should also expect a lot of fun with various Corporate VPNs and also with issues concerning MTU size especially for non-TCP protocols where a MSS hack which typically is deployed on the CGN, does not work, thus expect problems with UDP and SCTP. More importantly users who would like to connect to their machine at home, cannot anymore as they typically are used to using IPv4.

Various sources seem to have recently start recommending to get a SixXS tunnel to create a IPv6-in-IPv4 tunnel. The problem is that most people read this as terminating the tunnel on their home-router, that is the device that already has IPv6 connectivity. Which thus would end up in tunneling IPv6 (the SixXS tunnel) over IPv4 (NAT) inside IPv6 (due to DSLite) and thus providing just another IPv6 address which one already has as it has native IPv6.

As such, when reading an article like the "Die DS-Lite-Falle - Kein fernzugang bei DS-Lite" in the PC Magazin (PCM) November 2014 issue (page 54/55) read the words carefully, it states to terminate the tunnel in the remote location.

Thus, if you have DSLite at home, and only have IPv4 at work/parents/friends, first ask the ISP in that location what their plans for IPv6 are (it is 2014 after all!), then if their answer is inconclusive (quite likely if they still don't have IPv6 today) request an account and tunnel and get IPv6 going in that location. Do note that the programs that you are using need to be IPv6 aware.

Please also note that AVMs great Fritz!Box product only supports Heartbeat tunnels which are protocol 41 based. As such, when the Fritz!Box is behind a NAT, which is the case in a DSLite/CGN setup, it cannot terminate an IPv6 tunnel as there is no public IPv4 address it can use. As you are behind DSLite though, you already have IPv6 and thus do not need an IPv6 tunnel to get connectivity. In the situation one is behind a NAT provided by the provider but do not receive IPv6 one can of course opt for an AYIYA tunnel, though one has to terminate this on a different device (laptop, raspberry, phone, etc).

Hopefully this short article clarifies why one will get a tunnel rejection when you request a tunnel towards a location that is behind DSLite: it does not solve any problem, you already have IPv6 there.

Switzerland received first snow yesterday in the more lower (read: 900m) sections of the country and as it seems PoPs like the warmer weather as OCCAID spawned a new one in sunny Los Angeles, California USA!

This will be our third iteration of a PoP in LA, hence uslax03, but with the great track record of OCCAID we are in good hands.

The PoP is available as of today for the general use in the US and close-by countries. Enjoy!

Details about the PoP can be found on the OCCAID PoP page.

One of the many great things of SixXS is the sheer amount of PoPs the various ISPs around the world are donating to this project. A cool side effect is that when doing a software upgrade, one is really rebooting hosts all around the world.

As very little is actually running on the PoPs there is a small attack service and thus little need to even reboot the hosts themselves as there are very few security issues when one has little amount of code enabled on a host. We thus indeed have a host with an uptime of 1530 days! Or as another example the old hardware of nlams04 which recently gave up life after 12 years of 24/7 service (ignoring quick software upgrades).

More importantly for SixXS though is that our daemon, sixxsd stays up and running as that *is* the PoP. It handles the forwarding of the packets, performing the actual tunneling and handles all the statistics collection (latency and traffic).

Before we did this fleet-wide sixxsd update we checked how long it was actually running, which indicates at least how litle the PoP was rebooted as there are no sixxsd crashes. Following is the top 25:

PoP	sixxsd uptime
brudi01	592 days	23:35:50
czprg01	592 days	23:35:38
deham01	592 days	23:35:28
deolo01	592 days	23:35:15
noosl01	592 days	23:31:32
usanc01	592 days	23:26:37
usbos01	592 days	23:26:30
uschi02	592 days	23:26:23
iedub01	579 days	05:56:43
deham02	477 days	12:50:42
bebru02	467 days	10:16:10
dkcph01	421 days	08:13:01
dedus01	406 days	07:12:55
usqas01	404 days	18:18:34
chzrh02	400 days	07:34:33
ittrn01	341 days	20:18:07
nlede01	306 days	13:54:02
fihel01	293 days	07:31:24
hubud01	285 days	14:50:22
hubud02	285 days	13:07:37
nlhaa01	281 days	14:41:50
iedub02	197 days	10:50:32
sesto01	190 days	14:02:39
lulux01	186 days	10:57:49
grath01	170 days	15:34:45

The time difference between the first few entries is merely from the upgrade time as they are upgraded in sequence. Indeed, that is 19 months of uptime, pretty impressive for code touching so many packets.

Having code that is that stable and happily forwarding lots of packets daily is a pretty nice thing. Thankfully most PoPs are also very stable.

Now that this update is running, we have prepared the sixxsd infrastructure for some upcoming new features. Time will show when these arrive, as they still need to be finalized and properly tested in our test PoPs before they can be released to these production PoPs and to the users who can then use them.

SHA-1 is considered broken by the security community. Because of that recent versions of Chrome/Chromium have started warning about SHA-1 signed certificates. Though it is funny to see that quite a few sites uses SHA-1 and that the fingerprints and other hashes remain SHA-1 and MD-5.

The SSL Certificate used by SixXS (for *.sixxs.net) was affected by this and hence we have Regenerated the certificate at Gandi who has made SHA-2 certificates available. Fortunately Gandi allows such a procedure for free, even though this is the second time this year this had to be performed (Heartblead was the previous reason)

These new SHA-2 based certificates are now installed and thus your experience in contacting the SixXS website and other properties that use this cert should be fully secure.

The new fingerprints are:

• SHA-1: 8E 5A 19 72 37 9F 36 B3 64 F5 65 CF 57 99 59 BD AB 9F 65 25
• MD-5: 63 10 82 FF 5D 3E 57 23 83 56 70 59 2B DE 5D FC

As an extra precaution we have added Public Key Pinning headers to our frontend-servers. This should make your browser, when it supports this, pin the SSL certificate and thus make man-in-the-middle attacks even a bit more tricker in the case that an organisation is able to fake a certificate.

Support for the Public-Key-Pins header is available in Firefox 32+ and Chrome 35+.

One can use the hpkp tool, originally by Hanno Böck, to achieve the same for your own site.

A recurring annoyance on the Internet is harassment of people who are doing great work on the Internet, typically to benefit the public good.

If you notice harassment or bullying either online or offline, stand up against it and help people out where possible by discussing the problem with them. Bullying and harassment is not acceptable.

For more details see the excellent Tor Blog post: Solidarity against online harassment.