SixXS::Sunset 2017-06-06
Twitter Logo@tweetsix

News of 2014

This page contains the news items from the year of 2014.

Happy 2014!

Wednesday, January 1st, 2014

SixXS wishes everybody a happy and fruitful 2014!

As in all other years, in case of questions, comments or problems don't hesitate to contact us.

SixXS at IPv6 Kongress 2014 (22-23 May 2014), Frankfurt, Germany

Tuesday, February 25th, 2014

SixXS will be present and presenting at the upcoming IPv6 Kongress 2014 in Frankfurt, Germany.

Our presentation is currently scheduled for the second day, in the In-Depth track. We will be presenting on what SixXS has been, is doing and going to do doing.

With German users being a third of our user base we will be looking forward to meeting you and more importantly: receiving your comments and feedback directly. We'll be around the conference floor on both days, hence don't hesitate to speak up.

SixXS says a goodbye to Concepts ICT: nlams01 shutting down

Tuesday, April 15th, 2014

For 12 long years Concepts ICT has been extremely supportive of SixXS as is evident of the various news articles of them providing hardware, and connectivity for SixXS servers. They hosted our machine which acts as the central nervous system of SixXS, which contributed to a major part of the IPv6Gate traffic and of course also the nlams01 PoP.

Internet companies are hot items though, and KPN bought Concepts last year and have decided to merge Concepts into their Telfort brand. The consequence of which is that they are not a business oriented ISP anymore and thus are closing down their datacenter facilities.

This thus means that the three above mentioned services will be closing down. We have moved the functions provided by our trusty noc and gatey hosts to other services (newspost will follow about this) and we have asked the users who have enjoyed nlams01 for more than 12 years to migrate to a different PoP, of course with a kind 50 ISK bonus per tunnel.

We'd like to thank the great people at Concepts ICT for their amazing support over the years: effectively since the beginning of our migration from to SixXS. Thanks for all the fish Concepts!

In case of questions, comments or problems don't hesitate to contact us.

IPv6Gate DNS diagnostics to avoid DNS filtering

Monday, April 28th, 2014

We recently found out that on one of our IPv6Gate hosts the upstream DNS was being modified, filtering various sites that users wanted to access. As the DNS entries where removed from DNS, IPv6Gate thought that the IPv4 or IPv6 address for the requested host did not exist and thus properly returned a 504/506 HTTP error as it does for such hosts.

As this caused confusion to users who assumed we, SixXS, where causing those blocks we have now added DNS diagnostical output, good old 'dig' to those errors. This shows what the DNS servers we are using are thinking exists in DNS. We have also elaborated the behavior of our IPv6Gate on the IPv6Gate webpage.

As usual, in case of problems, do not hesitate to contact us.

Up-down RSS-feeds now available per PoP

Thursday, May 8th, 2014

The up/down notifications for PoPs have been available for a while already as a mixed RSS feed which contains all the PoPs. As we have been making big backend changes, one thing that we changed too is how we check PoPs for being up/down and how we internally distribute that information and communicate that to the website, RSS feeds, twitter and the IRC robot which echos it in our status-only IRC channels.

Due to these changes we can now also provider per-PoP up/down status RSS feed. Go to the PoP page that you are interested in and a handy RSS link will provide the feed that only provides details for that PoP.

IPv6 Kongress Presentation

Friday, May 23rd, 2014

As announced previously we did our presensation at the IPv6 Kongress in Frankfurt, Germany today. It is always good fun to present in a cinema (especially entertaining was the Godzilla 3D soundtrack from the other in-use-for-movies rooms; too bad that a demonstration of IPv6 Quake3 didn't work quickly on that big screen...).

We'd like to thank DE-CIX, Heise Netze and iX for the invitation to give the talk and of course the people who attended and commented during the presentation and during the rest of congress.

The slides can be found at our presentations page.

Scarlet changes name to Stipte

Sunday, June 1st, 2014

Scarlet, which renamed from Cybercomm in 2003, is changing name to Stipte. We have updated relevant logos and links to reflect this change.

Thanks for all the fish: Concepts ICT, nlams01 shut down

Monday, June 2nd, 2014

As mentioned in the previous news post we have now shut down nlams01.

We like to thank Concepts ICT again for 12 years of super support to SixXS: THANKS!

OCCAID Down Under: New Sydney and Brisbane PoPs

Tuesday, June 24th, 2014

OCCAID has opened up not one, but two new SixXS PoPs: Sydney and Brisbane.

We'll be notifying existing Australian users that they can move to these PoPs. The PoPs will be open for Australian endpoints which should give everybody down under much better latencies into IPv6.

Tunnels and DS-Lite

Wednesday, October 8th, 2014

Several ISPs (primarily of German nature) have chosen to deploy DSlite to avoid running out of IPv4 address space. Typically this is done so that they can use the IPv4 space previously used by consumers for their business customers who will pay extra for having an IPv4 address. The end-user thus receives native IPv6 (great) over which IPv4 is tunneled. The IPv4 connectivity is then NATted by the provider, the so called CGN or Carrier-Grade-NAT, this on top of the NAT that the user will perform to hook up the devices in their homes. The end result is that the end-user does not have a single public IPv4 address anymore.

As the provider performs the NAT function uPNP does not work anymore either which gives fun problems with services like Xbox Live and the Playstation Network, not even considering various other Peer-to-Peer kind of protocols like BitTorrent that rely on the ability to connect to listening ports on public IP addresses. Because of the tunneling of IPv4 inside IPv6 one should also expect a lot of fun with various Corporate VPNs and also with issues concerning MTU size especially for non-TCP protocols where a MSS hack which typically is deployed on the CGN, does not work, thus expect problems with UDP and SCTP. More importantly users who would like to connect to their machine at home, cannot anymore as they typically are used to using IPv4.

Various sources seem to have recently start recommending to get a SixXS tunnel to create a IPv6-in-IPv4 tunnel. The problem is that most people read this as terminating the tunnel on their home-router, that is the device that already has IPv6 connectivity. Which thus would end up in tunneling IPv6 (the SixXS tunnel) over IPv4 (NAT) inside IPv6 (due to DSLite) and thus providing just another IPv6 address which one already has as it has native IPv6.

As such, when reading an article like the "Die DS-Lite-Falle - Kein fernzugang bei DS-Lite" in the PC Magazin (PCM) November 2014 issue (page 54/55) read the words carefully, it states to terminate the tunnel in the remote location.

Thus, if you have DSLite at home, and only have IPv4 at work/parents/friends, first ask the ISP in that location what their plans for IPv6 are (it is 2014 after all!), then if their answer is inconclusive (quite likely if they still don't have IPv6 today) request an account and tunnel and get IPv6 going in that location. Do note that the programs that you are using need to be IPv6 aware.

Please also note that AVMs great Fritz!Box product only supports Heartbeat tunnels which are protocol 41 based. As such, when the Fritz!Box is behind a NAT, which is the case in a DSLite/CGN setup, it cannot terminate an IPv6 tunnel as there is no public IPv4 address it can use. As you are behind DSLite though, you already have IPv6 and thus do not need an IPv6 tunnel to get connectivity. In the situation one is behind a NAT provided by the provider but do not receive IPv6 one can of course opt for an AYIYA tunnel, though one has to terminate this on a different device (laptop, raspberry, phone, etc).

Hopefully this short article clarifies why one will get a tunnel rejection when you request a tunnel towards a location that is behind DSLite: it does not solve any problem, you already have IPv6 there.

First snow and back to the US West Coast with a new PoP: uslax03

Thursday, October 23rd, 2014

Switzerland received first snow yesterday in the more lower (read: 900m) sections of the country and as it seems PoPs like the warmer weather as OCCAID spawned a new one in sunny Los Angeles, California USA!

This will be our third iteration of a PoP in LA, hence uslax03, but with the great track record of OCCAID we are in good hands.

The PoP is available as of today for the general use in the US and close-by countries. Enjoy!

Details about the PoP can be found on the OCCAID PoP page.

We just rebooted the World

Sunday, October 26th, 2014

One of the many great things of SixXS is the sheer amount of PoPs the various ISPs around the world are donating to this project. A cool side effect is that when doing a software upgrade, one is really rebooting hosts all around the world.

As very little is actually running on the PoPs there is a small attack service and thus little need to even reboot the hosts themselves as there are very few security issues when one has little amount of code enabled on a host. We thus indeed have a host with an uptime of 1530 days! Or as another example the old hardware of nlams04 which recently gave up life after 12 years of 24/7 service (ignoring quick software upgrades).

More importantly for SixXS though is that our daemon, sixxsd stays up and running as that *is* the PoP. It handles the forwarding of the packets, performing the actual tunneling and handles all the statistics collection (latency and traffic).

Before we did this fleet-wide sixxsd update we checked how long it was actually running, which indicates at least how litle the PoP was rebooted as there are no sixxsd crashes. Following is the top 25:

PoPsixxsd uptime
brudi01592 days23:35:50
czprg01592 days23:35:38
deham01592 days23:35:28
deolo01592 days23:35:15
noosl01592 days23:31:32
usanc01592 days23:26:37
usbos01592 days23:26:30
uschi02592 days23:26:23
iedub01579 days05:56:43
deham02477 days12:50:42
bebru02467 days10:16:10
dkcph01421 days08:13:01
dedus01406 days07:12:55
usqas01404 days18:18:34
chzrh02400 days07:34:33
ittrn01341 days20:18:07
nlede01306 days13:54:02
fihel01293 days07:31:24
hubud01285 days14:50:22
hubud02285 days13:07:37
nlhaa01281 days14:41:50
iedub02197 days10:50:32
sesto01190 days14:02:39
lulux01186 days10:57:49
grath01170 days15:34:45

The time difference between the first few entries is merely from the upgrade time as they are upgraded in sequence. Indeed, that is 19 months of uptime, pretty impressive for code touching so many packets.

Having code that is that stable and happily forwarding lots of packets daily is a pretty nice thing. Thankfully most PoPs are also very stable.

Now that this update is running, we have prepared the sixxsd infrastructure for some upcoming new features. Time will show when these arrive, as they still need to be finalized and properly tested in our test PoPs before they can be released to these production PoPs and to the users who can then use them.

SHA-2 certificates for *

Tuesday, October 28th, 2014

SHA-1 is considered broken by the security community. Because of that recent versions of Chrome/Chromium have started warning about SHA-1 signed certificates. Though it is funny to see that quite a few sites uses SHA-1 and that the fingerprints and other hashes remain SHA-1 and MD-5.

The SSL Certificate used by SixXS (for * was affected by this and hence we have Regenerated the certificate at Gandi who has made SHA-2 certificates available. Fortunately Gandi allows such a procedure for free, even though this is the second time this year this had to be performed (Heartblead was the previous reason)

These new SHA-2 based certificates are now installed and thus your experience in contacting the SixXS website and other properties that use this cert should be fully secure.

The new fingerprints are:

  • SHA-1: 8E 5A 19 72 37 9F 36 B3 64 F5 65 CF 57 99 59 BD AB 9F 65 25
  • MD-5: 63 10 82 FF 5D 3E 57 23 83 56 70 59 2B DE 5D FC

HTTPS Public Key Pinning

Monday, November 17th, 2014

As an extra precaution we have added Public Key Pinning headers to our frontend-servers. This should make your browser, when it supports this, pin the SSL certificate and thus make man-in-the-middle attacks even a bit more tricker in the case that an organisation is able to fake a certificate.

Support for the Public-Key-Pins header is available in Firefox 32+ and Chrome 35+.

One can use the hpkp tool, originally by Hanno Böck, to achieve the same for your own site.

Solidarity against online harassment

Friday, December 12th, 2014

A recurring annoyance on the Internet is harassment of people who are doing great work on the Internet, typically to benefit the public good.

If you notice harassment or bullying either online or offline, stand up against it and help people out where possible by discussing the problem with them. Bullying and harassment is not acceptable.

For more details see the excellent Tor Blog post: Solidarity against online harassment.

Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker