Jan. 17, 2025
Since IPv6 is gaining momentum, and is generally operating alongside other protocols, it has become important to define the operating modes that may exist in any IPv6 environment. This allows for consistent communication and understanding of a fundamental part of operating a production network. Most of this hard work has been done by the IETF, and 99% of the definitions that engineers and architects reference when creating designs, proposals, and documentation can be found in one really well crafted RFC.
Jan. 11, 2025
Cloudflare offers a powerful tunneling service that allows a host on a private network to expose a service while retaining protection from Cloudflare’s powerful CDN tools. At the time of this post that service is a legacy-IP-first service, but with one minor tweak it can operate with IPv6-only hosts. Meaning one can provision an IPv6-only host, but provide a dual stacked service. If that sounds powerful, that’s because it is.
Jan. 3, 2025
An often overlooked dimension of data collection is flow data from hosts. This is not a new concept; there have been tools built for this for a very long time, but in many cases, and especially over the last 8-10 years, many system engineers have gravitated toward tooling like Grafana and Prometheus. While these are fine tools and, if done well, provide an excellent view of host health, they aren’t really a full picture of host behavior.
Dec. 21, 2024
One of the reasons for lack of blog post publishing is that my attention has been focused fairly heavily on working within the IETF. Toward the beginning of the COVID pandemic, the US Government published a new initiative - M-21-07, which requires the migration of all federally owned systems to IPv6-only. What does “IPv6-only” mean, you may ask. Well, that’s kinda nebulous. People define it in varying levels of extremism, I’ve chosen to define it as “a device that can operate without the use of IPv4 configured”.
Jul. 14, 2023
Over the last year there has been a slow hum, quietly building around the notion of building what has been called an “IPv6-mostly” network. What does this term mean? How do we do it? Why bother? Well, let me attempt to answer those questions. First, what is IPv6-mostly? Thankfully, it is pretty much what it sounds like - a network segment (i.e. a LAN segment) that is mostly IPv6, and only legacy IPv4 where it has to be.
Mar. 23, 2023
“Multihoming IPv6 is a pathway to many things some consider to be ……unnatural.” ―Darth Sidious, maybe. The current state of usability for multihoming IPv6 is fairly limited, and not terribly supportable. That said, it is doable, if you have the fortitude and hardware / software to make it happen. In this episode of MODEM, we get super nerdy about the current state of multihoming IPv6 and all of the gory details and exposed limitations.
Nov. 4, 2022
IPv6 unique local addressing has been a popular topic over the years. From its humble beginnings, replacing site-local, to the surge of interest within service providers, enterprise, and casual users due to the wealth of content now available on IPv6 and the prevalence of availability within major consumer ISPs, it has become quite a polarizing topic in the technical communities that are diving head first into the modern, current networking protocol - IPv6.
Apr. 9, 2022
Well there has been a lot of hubbub about IPv6 unique local addressing lately. You know, that address space defined by RFC 4193? The one that most folks think of as “RFC1918 for IPv6” (It’s not that)? Well, we recorded a podcast with Ed Horley over at modem.show to talk about it. Interested in how ULA is different than GUA (globally unique addressing)? Wanna understand what is broken about it (the list is significant)?
Feb. 10, 2021
IPv6 has been a hotly contested technology for as long as I can remember. It has always been “a few years out”, or something “no one is asking for”, depending on who is asked. In reality, and like most things, the truth lies somewhere in the middle. IPv6 has been slow to appear for certain demographics of networking, but a long standing pillar in others. It just so happens that IPv6 is not being asked for because when deployed correctly most users just don’t notice that it is there - and that’s by design.
Jan. 4, 2021
I have been sitting on this post for quite some time. This is a long, and personal story with some technical bits for those looking to solve the same problem I was. It was a long, complicated, frustrating journey of sad realization about the state of IPv6 for everyday users and those with business class connections over consumer focused last mile networks. It is well documented and annoyingly understood that I am a vocal proponent of IPv6.
Mar. 31, 2019
Over the last few days there has been a huge amount of FUD and panic surrounding two as-yet-to-be-published CVEs (found here and here) related to Mikrotik’s IPv6 implementation. It is my opinion that this entire process has been poorly handled, and that the community involved tends to be fairly sensitive to issues such as these, and the cloak and dagger nature of the two issues has only exacerbated it. Mikrotik, as a company, is well known for being terse in their responses and tight lipped with their internal workings and dealings with these kinds of issues.
Sep. 1, 2018
IPv6 has been a crusade of mine for well over a decade. Whether it is teaching IPv6 workshops, offering advice to new users, answering questions, or evangelizing it ad nauseam, it is an important topic to me. The ISP world holds a special place in my heart since a good deal of my early experience came from building or assisting regional ISPs. Recently I had a fun opportunity to talk about deploying IPv6 on The Brothers WISP podcast.
Jul. 16, 2018
As a follow up to my last post, I wanted to dive a little deeper into the world of address translation and to suss out some of the more compelling details. As I’ve said on many occasions, it pains me to see NAT referenced as a security mechanism. That said, where PNAT can be beneficial is in an overall privacy strategy; however, even that is comparatively low value and, given the current state of global IPv4 allocations, arguably a detriment to usability. We’ll get to that, but before we do, it is important to understand what “NAT” as we call it today actually is, and to do that we need to explain all of the types of address translation (yes, there are several).
May. 4, 2018
It’s no secret that RF technologies and what I like to call “specialty networking” are two of my favorite things in the networking space. Put them together and it is like chocolate and peanut butter! Now, some may not consider Field Area Networking (FAN) to be “unconventional”, but it certainly falls well outside of the space of what is typically traditional enterprise networking. That said, Cisco’s FAN briefing at Network Field Day 17 really got me excited and thinking about the alternatives for the IoT space.
Sep. 8, 2014
I admit that the title was meant to be inflammatory. However, there are use cases that aren’t terribly uncommon where an in-line security appliance is just not the correct tool for the job. Someone once told me “a firewall protects a network like a fuse protects an electrical circuit”, and it’s mostly a correct statement. Firewall vendors will probably argue this and enterprise folks may discount this as heresy and call for burning me at the stake.
Aug. 12, 2014
I’ve blathered on about BGP forever. Say what you will about the venerable protocol, it runs the interwebs, is reliable, extendable and well documented. I’ve also espoused ad nauseam about IPv6, so none of this [admitted] rant should really be a surprise coming from me. As of 8/12/2014, according to the CIDR report (and many mailing lists), the default-free global IPv4 routing table has reached 512k routes. This is a milestone from many perspectives, but more importantly, it solidifies the fact that there is a great deal of equipment in critical points in the internet that is out of date and cannot perform as intended in its current configuration or function.
Jul. 26, 2014
IP addressing and subnetting is a common interview subject. I assert that memorizing these things is useful for learning the concepts but ultimately futile, in that it is a time consuming and inefficient use of engineering time when tools can be utilized to accomplish the same goals in less time with fewer errors. Honestly, I gave up doing this kind of work manually around 10 years ago and have never regretted it, and in actuality, I’d probably struggle to do it at this point because it’s a repetitive process better suited to code.
Jan. 11, 2014
I am an absolutely huge fan of statistical and instrumentation data, especially when it comes to traffic analysis, visualization and baselining. I’ve rambled on about the importance of it at every opportunity. As a result of that, I have been doing work with netflow and netflow-like data for a fairly long time. My first collector was the OSU Flow tools based stuff back around 13 years ago. From there I played with all kinds of netflow tools, both commercial and open source, finally settling most of my focus on nfdump and nfsen.
Dec. 7, 2013
About a year ago I did a brief review of the “new Sonicwall”, specifically a smaller branch office device that was said to have all of the features of the larger devices. I proposed that it had some significant limitations (much to the disagreement of a great deal of folks). However, I stand by my statements. If you ignore the fact that firewalls often cause more problems than they solve, that NAT is a nightmarish kludge (and not a security mechanism), and will likely be phased out for better options eventually, the SonicOS I tested was pretty limited as far as what I believe should be features.
Aug. 5, 2013
I have been learning and using IPv6 for quite a while, even before I worked in research and education, back in the ISP days. I thought I should learn it because, frankly, I figured we’d all be converted to it by now, already whole hog using it like it was the layer 3 addressing mechanism that it is. Flashback: My first IPv6 access was via a tunnel to HE a long, long time ago, and before that I was reading what I could about it.
May. 17, 2013
There has been some recent chatter on the IPv6 Ops mailing list about the feature matrix. Sadly, I’ve let this sort of wither on the vine for a while in favor of OpenFlow and SDN. At the end of the day, though, as a whole we actually need IPv6 more than SDN and OpenFlow at this moment in time, so I’m resurrecting it. It is available here. A few additions have been made and there is now a “last edited” cell so folks can tell if the data is stale or not.
Mar. 28, 2013
Lately I’ve been lamenting the fact that there seems to be a lack of options in a very specific product level. Let’s say you have a network that looks like this: Right away you’re limited since you need MPLS and more than 2 10G interfaces. Even more so if you require full support for IPv6 and ISIS. If budget is of any concern, you’re in real trouble. For many, Cisco pricing and SmartNet is potentially going to exclude anything reasonable from them.
Mar. 23, 2013
This week there was a lot of buzz about SDN (as usual). There was a Light Reading thread that I commented on and a fantastic read by Brent Salisbury about being the steamroller and not the road that got me thinking about OpenFlow and SDN in a way I had not before. <soapbox> All that is old is new again. I remember when internal networks were small and routing protocols were taboo in many internal environments.
Mar. 2, 2013
I’ve recently run into a situation where there was no longer enough space in the FIB to handle both the full IPv4 global table and the full IPv6 global table. We prefer to run a default-free network within this particular SP network, but in this case, until a hardware refresh can happen, we’ll need to adjust that. Given what we knew about the size of both tables, it made more sense to take a default IPv6 route from one transit provider and filter the rest.
Feb. 20, 2013
Recently SI6 released the IPv6 Toolkit 1.3. This release is on the heels of this IETF draft on IPv6 host scanning. It was long thought that scanning an IPv6 network was impossible. The address space was too large and reliably ascertaining the hosts from it would be too time consuming to even attempt. However, as Dr. Hans Zarkov says in the 1980 classic cult film of my youth, Flash Gordon, “You can’t beat the human spirit!”
Jan. 9, 2013
I have a bunch of Apple wireless gear at my house. It’s inexpensive, feature rich and easy to maintain. However, with the update to Mountain Lion a while ago, the ability to install the older AirPort Utility stopped. This is annoying since I have what Apple now considers “advanced” features like IPv6 at my home and essentially all my gear here is a lab (except for the Plex server =) I’ve been spending a lot of time on Cacti lately, and I wanted to test out the syslog plugin….
Dec. 13, 2012
IPv6 is coming. Like SDN, we can’t ignore it. Are you ready? Are your apps ready? I’ll wager the answer is no. Mine aren’t. I’ve been working on IPv6 for about 11 years, from early days of tunnels to full native IPv6 at home and at work. In teaching the IPv6 workshop for Internet2, one of the things that I always suggest is to have a dual stacked host and an IPv6-only host available for testing.
Jul. 30, 2011
I’m not a fan of IPv6 privacy addressing. I understand the logic behind it, I really do: obfuscate the LLADDR (MAC address) of the host in question, but I really don’t see the realistic purpose. If someone wanted to use my MAC address, what good would that really get them, unless they’re on the same layer 2 segment? More importantly, if they’re on the same layer 2 segment, they have my MAC address anyway.
Jul. 26, 2011
It looks like MacOS 10.7 (Lion) has fully functioning DHCPv6. It’s about time.
Before:
After:
pfSense setup:
Using Internet Systems Consortium DHCP Server 4.2.1-P1 as the server (on my pfSense box) I am able to get not only a privacy address (via stateless autoconfiguration) but also a normal EUI-64 address as well as an IPv6 address via DHCPv6.
I didn’t do anything except use the “Automatic” setting in the network control panel, so out of the box OSX 10.
Jul. 18, 2011
If anyone is interested in the talks I participated in at Joint Techs in Fairbanks, AK, they are now on the Internet2 sites.
IPv6 feature support
IPv6 campus panel discussion
They’re apparently not embeddable, but can be watched from the Joint Techs site.
Mar. 16, 2011
I’ve been doing a lot of IPv6 stuff lately, and one of the things I didn’t find (and kinda just wanted to put one together for my own benefit) is a matrix of features I thought were important to have on the IPv6 side for common network hardware. Below is a work in progress of what I have so far, which will automatically publish changes from this spreadsheet. Please email me if you’re interested in adding to this or correcting anything I may be incorrect on.
Dec. 23, 2010
A quick screen grab from here
Oct. 20, 2010
After enabling the IPv6 Flow based processing, we decided to get rolling with making our IPv6 path congruent with everything else (IPv4 unicast and multicast). With all of the other things we had going on, we thought this would be a low hanging fruit that would be easily plucked from the routing tree. Well, a minor oversight on our part caught us by surprise. According to this handy dandy matrix for JunOS 10.
Sep. 16, 2010
One of our plans is to consolidate as many of the egress traffic paths as possible. To facilitate this, we had to do some things like buy carrier grade equipment. Enter the SRX 5800. No one really does IPS/IDP+Firewall quite like the SRX. After extensive research and exhaustive hands on testing with quite a bit of equipment, that is what we settled on. Even the IBM “technical evangelist” guy that came to talk to us said “No one really does it like they do” when referring to Juniper and 10G firewall/IPS.
Sep. 3, 2010
I knew a tool like this had to exist, but I had never needed to look in the past. While debugging an RA problem, I came upon the need to view IPv6 router advertisements. How can one do this? tcpdump? Yeah, I guess that could work. It’s almost like using a bulldozer when a wheelbarrow is all you need, though. I could use ndpmon, I suppose, but that, too, seems like overkill.