Saturday, February 28, 2009

My long-term love/hate relationship is over

Today I dropped my much despised Motorola Razr.  I've hated this phone for close to four years and today I can look at its cracked screen and know that soon a new phone will be mine and this one will hit the electronics recycling pile.

But now what to do?  Transfer my number to a new 3G iPhone?  The company will pay for my cell phone plan but not a data plan.  This makes billing with the iPhone difficult but not unworkable.  With a bonus around the corner an iPhone might be the solution.  

Trouble is AT&T coverage at my house is crap.  I'll need to invest in a 3G repeater.  This adds another $350 or so to the overall package price but if the wife and I are both going to be proud iPhone owners it makes sense, I think.

First and foremost: look into 3G repeaters.

Friday, February 27, 2009

IPv6 on OpenWRT

Huzzah! It's working! I followed the recommended steps and got IPv6 working correctly with a couple minor adjustments to the documentation.

First departure from the norm: adjust /etc/ipkg.conf

Change "src packages http://downloads.openwrt.org/kamikaze/packages/mipsel" to "src packages http://downloads.openwrt.org/kamikaze/7.09/packages/mipsel" (add that '7.09' in there)

Second departure from the norm: adjust /etc/init.d/tun6to4

Change this line:
ipv4=`ip -4 addr | awk '/^[0-9]+[:] vlan1[:]/ {l=NR+1} /inet (([0-9]{1,3}\.){3}[0-9]{1,3})\// {if (NR == l) split($2,a,"/")} END {print a[1]}'`

to
ipv4=`ifconfig eth0.1 | grep "inet addr" | tr ':' ' ' | awk '{ print $3 }'`

That's it.
ping6 2001:4860:b002::68
PING 2001:4860:b002::68 (2001:4860:b002::68): 56 data bytes
64 bytes from 2001:4860:b002::68: icmp6_seq=0 ttl=57 time=205.7 ms
64 bytes from 2001:4860:b002::68: icmp6_seq=1 ttl=57 time=206.6 ms

(2001:4860:b002::68 is http://ipv6.google.com)

I'll test client connectivity tonight when I get to the Outer Banks but it should work.
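As an added example (not the tun6to4 script from the OpenWRT package), the WAN address parsing done by the replacement line above, followed by the 6to4 addressing that tun6to4 derives from that address, run against a constructed busybox-style ifconfig capture. The 203.0.113.x addresses are documentation-range placeholders, and using ::1 as the tunnel endpoint host part is an assumption.

```shell
#!/bin/sh
# Constructed `ifconfig eth0.1` output in busybox format (not a real capture);
# 203.0.113.0/24 is a documentation range standing in for the WAN address.
SAMPLE_IFCONFIG='eth0.1    Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:203.0.113.10  Bcast:203.0.113.255  Mask:255.255.255.0
          inet6 addr: fe80::211:22ff:fe33:4455/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# The post's replacement pipeline, reading ifconfig text from stdin.
# "inet addr" (with the space) does not match the "inet6 addr:" line.
wan_ipv4_from_ifconfig() {
    grep "inet addr" | tr ':' ' ' | awk '{ print $3 }'
}

# 6to4 only works from a globally routable IPv4 address: the 2002: prefix
# embeds it, so RFC1918, loopback, link-local and multicast space would
# produce a prefix no relay can route back to. Returns 0 if usable, else 1.
ipv4_is_6to4_usable() {
    case "$1" in
        0.*|10.*|127.*|169.254.*|192.168.*) return 1 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
        22[4-9].*|2[3-5][0-9].*) return 1 ;;
    esac
    return 0
}

# 2002:VVVV:WWWW, where VVVVWWWW is the IPv4 address in hex (the RFC 3056 /48).
# Subshell body so the IFS change never leaks into the caller.
sixto4_prefix() (
    IFS=.
    set -- $1
    printf '2002:%02x%02x:%02x%02x' "$1" "$2" "$3" "$4"
)

# Tunnel endpoint on the first /64 of the /48 with host part ::1 (assumption).
tunnel_address() {
    printf '%s::1' "$(sixto4_prefix "$1")"
}

# One /64 LAN out of the /48; $2 is the 16-bit subnet id, printed in hex.
lan_prefix() {
    printf '%s:%x::/64' "$1" "$2"
}

# Glue: parse, validate, derive. Fails (status 1) on an unusable address
# rather than silently configuring a 2002: prefix nobody can reach.
build_6to4() {
    ipv4=$(wan_ipv4_from_ifconfig)
    ipv4_is_6to4_usable "$ipv4" || { echo "unusable WAN address: $ipv4" >&2; return 1; }
    sixto4_prefix "$ipv4"
}

# Stand-alone run on the constructed capture: prints 2002:cb00:710a
printf '%s\n' "$SAMPLE_IFCONFIG" | build_6to4
```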

cheap thoughts: VMware

Instead of using virtual RFC1918 IPv4 addresses for the 'vmnet#' interfaces VMware should use valid IPv6 addresses and thus not have the potential for RFC1918 address conflicts in corporate environments.

Wednesday, February 25, 2009

A cool new Linux device

Co-worker Heath Roberts alerted me to this new Linux machine that looks something like an Apple Airport Express (that wasn't designed in Cupertino). There is no dedicated audio out but it does have a USB 2.0 connector that could be used to play audio over a set of USB speakers.

If you can stomach the annoying-as-hell "float-over ads" check it out, it's kind of cool.

I have to admit, this could be a very cool use for Linux/Motion and a USB camera. Very cool indeed.

Monday, February 23, 2009

Build Your Own IPv6 Tunnel Broker Service

Like me I'm sure you stay up late at night thinking about IPv6. Lately I've been wondering about the software and hardware that runs IPv6 Tunnel Brokering services. I've never used a tunnel broker before as I've always opted for IPv6 6to4.

Turns out the software for a tunnel broker is OpenVPN. In fact a fellow from Denmark named Christian Strauf wrote detailed instructions and placed them on the web for all to see. Thanks, Christian!

I'd consider becoming a tunnel broker from my oodles of bandwidth IPv6 network down in Wilson but with 6to4 being so easy to set up and use I'm not sure I see the point.

Sunday, February 22, 2009

How my Macbook Pro dims the screen

I love my Macbook Pro. Speed, backlit keyboard, glorious screen, four gigs of ram, etc. It's just a fantastic machine. The screen dims and brightens depending on lighting conditions and I've often wondered how it did this, i.e. where was the light sensor? On my wife's previous generation MBP the location of her light sensor remains unknown but on mine the built-in camera is the light sensor.

I figured this out while cleaning the screen with the microfiber cleaner that was packaged with the laptop. While the camera was covered the screen dimmed. Ta-da.

Sorry, that was kind of a wordy post for such a minor revelation and needn't have been.

Thursday, February 19, 2009

IPv6 Rogue's Gallery

Chicken of the VNC: IPv6 not supported (fully tested, version ?.??)
Squidman: IPv6 still a mystery. Testing continues.
Apache: Oh hell yeah. Full pass.
OpenSSH: Oh hell yeah. Full pass.
Firefox: Oh big time. Love it. Use it.
Safari: YES! Passed. Flying colors.
Google Chrome: Not yet tested. Maybe this weekend.
Apple TV: Full bomb. IPv6 stateless autoconfiguration not seemingly supported.
Time Capsule: Big fail here! And so disappointing. No IPv6 support in Bridge Mode. Boo.
iPod Touch/iPhone: Still a disappointment. Fail.
Linux: So far so good!
BSD: So far so good!
OS X: still digging but looks great. I think I'll be able to send print jobs via IPv6 and maybe via IPv6/IPsec (more testing needed)
M0n0wall: Two thumbs way up on the beta code. Great job you guys and gals!

I'm getting tired. Sleep needed.

I have to agree with Bill Vinson

Like Bill I think Hulu pulling content from the Apple TV (via Boxee) was just plain stupid, though I would agree it was probably the stupid lawyers working "for" the content providers that made the ultimate call.

Honestly what is the difference watching content via one device over another? Isn't the point of your content to be watched? I, for one, did not mind the short commercials embedded in the Hulu videos. Not one bit.

The whole episode just makes me shake my head and ask "why".

The IPv6 quest continues. Chapt. 4. Proxy Servers

I made a quick change this morning to my Squid (Squidman actually) running on my old G4 Mac mini in an attempt to make squid listen to the IPv6 loopback on port 8080. I have Squid(man) configured as a reverse ssh proxy that I sometimes use for remote administration tasks on my home LAN while afar.

Straight-up Squid is IPv6 aware starting with version 3.1. Squidman may or may not be IPv6 aware as I have no earthly idea if it is or not. I'm still using the G4 mini that refuses to die otherwise I'd just run a Linux virtual machine and install my favorite distribution**. To complicate the matter further Peter Bieringer pointed out on one of his "IPv6 and Linux" webpages I may have incorrectly formatted my loopback ACL. I will reproduce Peter's ACL suggestions below but all credit goes to Mr. Bieringer for them. When I get home tonight I'll attempt to reconfigure Squid to see if I can make it listen on the IPv6 loopback, that is after verifying that Squidman is IPv6 capable in the first place. I think in the case of a reverse ssh proxy I only need to update the loopback ACL. We'll find out shortly, together.

  • Binding of addresses
    • udp_outgoing_address ::
      udp_incoming_address ::
      tcp_outgoing_address ::
  • ACLs
    • acl localhost src ::ffff:127.0.0.1 ::1
      acl to_localhost dst ::ffff:127.0.0.1 ::1
      acl all src ::/0
      acl sitelocalsrc src fec0::/48
      acl linklocalsrc src fe80::/64
      acl globaldst dst 3ffe::/16 2000::/3
      acl ipv4src src ::ffff:0:0/96
      acl ipv4dst dst ::ffff:0:0/96
  • Disable WCCP
    • wccp_router ::


**Yes I could, and probably should, just run Fink and be done with it. I'll admit ignorance regarding Fink's support for the G4 architecture now and going forward. Once the G4 dies, or I have the extra funds to replace it outright, I'll probably just go the virtual machine route.

Wednesday, February 18, 2009

Tweet..... you're in a tornado...

The Weather Channel is now* using Twitter to send severe weather alerts. This, I think, is a great use of Twitter! Now there's one more reason to get an iPhone - so I can access Twitter via 3G when and where there is no 802.11 Internet.

---
* I hate typos.

Greatest tech invention of the last 10 years

Reliable VPN technology. It's just fantastic.

Tuesday, February 17, 2009

This week is moving along

After the last two weeks which both seemed to move with all the speed of a glacier I'm pleased to announce that this week is starting to feel a bit more normal. Sure, I've still got a lot of problems to work out, looming deadlines and the like but I just don't feel so... filled with dread like I did the past two weeks.

Let's hope that feeling stays and the week does indeed move along expeditiously.

Saturday, February 14, 2009

XP on the mac

Seeing XP running in full-screen native mode on the mac is just so.. wrong.

My old Macbook

So I'm setting up the old Macbook for my pop out in Arizona (my family inherits all my old Macs). I set up OS X for him.. that was a snap. He's an avid geocacher and wants Windows on there as well so I tried to set up Boot Camp for the first time. Partitioning was easy enough and I have a valid XP license I used back in my University of Phoenix days. One thing struck me right off the bat about the XP installer: it's butt ugly!! Really.. that blue screen and horrible fonts. Ick.

I liked the OS X installer better but all truths told I prefer most Linux installers over both. Scriptable and straight-forward Linux really seems to make installation easy.

Well crap. Bad news. My XP installer blue screened 'o death on me. I haven't seen the dreaded blue screen in two or three years. Better go figure out what bombed.

Ciao.

Friday, February 13, 2009

Why IPv6 hosting is a cool idea

Say you're company "X" and you host a product or service of some kind that requires downloads on occasion (automated, user-initiated, whatever; drivers, patches, RPMs, whathaveyou). Everyone goes to your hosted website for the downloads and that ends up costing money (for all that bandwidth) or aggravation for the end user because of slow patches, etc.

You could have both an IPv4 and an IPv6 website on totally separate networks, one the "expensive business bandwidth" IPv4 and the cheap bandwidth (still with speedy up and downloads) on the IPv6 side. You could synch the two together in any way you see fit.

Company X would most likely use the IPv4 website as the primary though I'd suggest drinking the 128 bit kool-aid, installing 6to4 on the firewall, jumping in and joining the party. But that's me, not you, and your mileage may vary. Regardless, for any installed system needing patches that is on a forward-thinking IPv6 network it may know it's time for patching and look up the hostname of the patch server and commence to communicating with said server.

Since you've got both an IPv4 and IPv6 address configured in your DNS the server will go to IPv6 if they can and fall back to IPv4 if they can't. The IPv4 single stack machine will ignore the IPv6 response and go to the IPv4 patch machine.

You could say "unnecessary" and today it could be argued that you're right. But I'd also argue now is the time for action. Get ahead of the curve. IPv6 hosting and connectivity is dirt cheap if you know where to find it and thanks to DNS and dual stacks updateserver.companyx.com can point to totally different networks at opposite ends of the globe and the user (or the application) is none the wiser.

Of course you don't have to go the hosting route. You could get a nice, fat block of IPv6 addresses from your LIR and you'd be off to the races running a combined v4/v6 hosting environment yourself. But that's not fun, is it? :)

Conficker/Downadup virus

I wonder if this new virus had any origins in Microsoft Teredo. The Teredo open tunnel that allows Vista hosts behind NAT firewalls to be reachable via a bidirectional UDP tunnel from Teredo servers on the Internet is just BEGGING for exploit. Get in just one of the Teredo servers and you could have a path to nearly every Vista machine running on the Internet - including ones behind NAT firewalls. Nice, huh? Take it a step further and imagine that a single exploited Vista host on your network could then launch attacks against the existing XP and MS server OS base behind your firewall. Did that send a shiver up your IT spine? It should have.

You could take preemptive steps and do some trickery on the firewall to block outbound UDP to IPv6 ranges owned by Teredo. But most people don't, and they aren't even aware they need to. Furthermore most IDS systems are still running IPv4 only and are simply ignoring any IPv6 Teredo traffic.

Still I have no proof this is what's going on but I'd like to see how the worm gets started. Imagine doing your best corporate vigilance to keep your machines patched only to be compromised by a UDP tunnel through your NAT firewall over IPv6. What a shame that would be.

The worm exploits a bug in Microsoft's ubiquitous Windows software

This is not a repeat from 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 or 2008.

How's that Trustworthy Computing thing going, Bill? The initiative at Microsoft is seven years old this past January the 15th. Can Mr. Ballmer give us an update soon?

Thursday, February 12, 2009

This could be the last IPv6 post of the week

*COULD BE*

Ok, this is a quick one and it makes perfect logical sense. If a machine is running dual stacks (v4 and v6) the machine will try to connect with another dual stack device via IPv6 first and then it will try IPv4 should v6 be unable to connect for some reason.

I had it all backwards thinking the dual stack machine would connect via IPv4 first then v6. But if you think about it the reason for having that the other way around is kind of obvious. Obvious or not it slipped past me. Whoops. Let's try some hosts:

For a single stack host a name lookup will return only IPv4 addresses:
host cnn.com
cnn.com has address 157.166.226.25
cnn.com has address 157.166.226.26
cnn.com has address 157.166.224.25
cnn.com has address 157.166.224.26

However if a host is running dual IP stacks both addresses will be returned:
host m0n0.ch
m0n0.ch has address 80.254.71.228
m0n0.ch has IPv6 address 2a02:200:3:1::101

The requesting machine, being a part of the "in crowd" running IPv6 will try that address first. So, in the end, you don't have to point the same query to the same machine if you don't want; just set up DNS however you'd like**. This could be useful for v4 and v6 load balancers or who knows what.

Thanks to everyone for setting me straight on that one (including M0n0wall's maintainer Manuel Kasper).

** DNS and IPv6.. oh boy, that's a post for another day.

Wednesday, February 11, 2009

working out seems to be helping

I'll start off the discussion with a heaping helping of "DUH" to get us started. Working out and watching what I eat seems to be making a difference in my health.

Told you so, the "duh" part, that is. Even my posture while sitting at my desk is improved. I could draw much benefit from working out under a supervised personal trainer and maybe I'll take that route some day but for now riding my Schwinn Airdyne, walking and doing low weight, high rep weightlifting seems to be working for me.

I'll probably rejoin the YMCA this year. I should have never quit going in the first place.

Tuesday, February 10, 2009

Reader's Alert! Durham Book Exchange is closing!

For all the readers who know the Durham Book Exchange you realize what a loss the closure of this store will bring. The doors are closing forever this Saturday, the 14th of February. Books that are part of an educational curriculum are being sold for $10 per bag full. Get over there while you still can. There is still a great selection of classic literature.

Don't let these great books go to the dump!**

(** I'm not sure where they are going after this Saturday but neither are the employees. Get 'em while you can)

Monday, February 9, 2009

A cool IPv6 trick

Connect to m0n0wall's website via IPv4 and the page displays the static info you'd expect when connecting to the website. Connect with an IPv6 machine (or a dual stack machine) and the website displays your IPv6 address in an area normally left blank.


I'm left to wonder how they did this. So far all the IPv6 websites I've connected to had host names that were mapped to IPv6 addresses or the URL itself had something IPv6 specific contained therein (http://ipv6.google.com for instance).

So far this is the first website I've encountered that either connects via IPv6 first and then IPv4 or it is just simply gathering the address out of the connect statement and is pasting it on the page but still using IPv4 as the transport.

I guess I won't figure it out until I break out the protocol analyzer.

If it would be possible to have one URL but direct clients to different hosts depending if they connected using IPv4 or IPv6, well, that would be pretty freaking awesome and a great way to do load balancing. I'm pretty sure the Big Iron F5 could do something like this but that's a whole other story. I think I'll write the m0n0 webmaster to see what trickery is going on back there.

My curiosity is piqued!

Sunday, February 8, 2009

A minor IPv6 annoyance

It appears that M0n0wall, my most beloved firewall platform, does not like to run IPv6 only on LAN interfaces. I tried to set my secondary LAN interface to use IPv6 (via 6to4) and it balked when I tried to save the configuration sans an IPv4 address on the same interface.

Shoot. I could always block the IPv4 traffic using the firewall itself and I'll probably do that but it's rather annoying and I wish it would just allow for IPv6 only. Perhaps I managed to bungle the configuration steps in some way, that's always a possibility with me! I'll check it out later and see what I come up with.

Why would I want to run IPv6 only? I want to bite the bullet and see what I can really accomplish with IPv6 only. For instance Google has good IPv6 connectivity to the search engine using http://ipv6.google.com but what about mail, maps and everything else? What about Facebook, Twitter and Fark for that matter?

IPv6 is on the way, people. Sticking our collective heads in the sand and pining for the days of "endless" IPv4 addresses is behind us.

I'm also toying with the idea of IPv6 hosting (from a network with 100/100 bandwidth). Each host or cluster on the network would receive a /64 IPv6 network to do with as they choose and would have full access to the 100/100 bandwidth (until congestion starts to hit the wire at which time it would drop to a guarantee of 10/10 with burst rates to 100). That is unless you just want to have a dedicated 100/100 in which case that would obviously cost quite a bit more.

First, though, I have to do some testing around here and see what IPv6 only is really useful for. I suppose I could allow IPv4 and IPv6 addressing on the same box but in that case it would cost extra too as the ISP isn't just handing out IPv4 addresses like it was the early 90's.

Time to find a problem to match this solution. Remote backups? Yeah, I suppose that could be one use. Mac Mini hosting? Yeah, I could do that. At least the minis don't draw power like the 1U Apple servers! Linux, BSD and Windows? All are welcome, go into the light.

Friday, February 6, 2009

For those I've not yet connected with on Facebook..



A photo from my recent trip to Easter Island.

If I've got a funny look on my face..

..it's because I'm thinking. Today is a deep-thinking day. Think. Think. Think. Now I'm thinking of growing up the son of an IBMer with "THINK" written in capital bold letters on tiny notepads, desktop "things", and nearly everything else.

Think. Think. Think.

Thursday, February 5, 2009

If it were an IPv6 snake it would have bit me

I've wondered why my Apple Airport Extreme at the beach would create IPv6 networks with a /48 bit netmask and my Soekris M0n0wall router would create /64 netmask networks by default. The reason is glaringly obvious! The Apple Airport Extreme expects to create only one LAN network while M0n0wall is configured for multiple LAN (or wireless) interfaces hence the M0n0wall router will reserve the other 16 network bits for netmask.

This means that, should a M0n0wall device have enough oomph it could, in theory, have a single WAN interface and 65535 LAN interfaces** all configured as a different subnet with each LAN having a full 64 bits left over for host identification (thus enabling IPv6 Stateless Address Autoconfiguration).

In a word - SWEET!!!

----------

** M0n0wall seems to start with the subnet of 0001 thus providing a real-world 65534 subnets each with a /64 bit host field.

Today has been a long day at the tail end of a LONGER week

This week is nearly over and I will be happy when it's behind me. Nothing terribly "wrong" is happening at work it's just that EVERYTHING is happening all at once! Could not some of these projects have waited until the other ones finished? Not only that but why do all the "mission critical" projects start at once?

Today I did not do my 2nd workout of the day when I got home. I went grocery shopping instead. The two "kids" that checked me at the, well, checkout isle both looked 10 years old! I'm sure they were at least whatever the minimum working age happens to be (16?). It's just confirmation that the big FOUR-OH is looming on the horizon like a giant sledgehammer waiting to bash me over the head. Yes, I'm getting ahead of myself as I'll turn 39 this year but for DECADES of being "the young guy" putting that behind is difficult but something I'm sure I'll grow accustomed to.

Wednesday, February 4, 2009

An unusual valediction

Watch those typos, people; some are worse and funnier than others. Today brings this closing gem on a (nearly) department-wide email:

Best Retards,

(EDITED)

Somehow I think he was going for "Best Regards,".

What's needed..



Lynch (Documentary)

The aptly titled "Lynch" is a Netflix streaming documentary that follows David Lynch during the filming of his then latest movie Inland Empire. Before I go much further I'll have to admit I did not watch the full film. The new LG Blu-Ray/Netflix box is still a bit unfamiliar and I managed to hit the wrong remote button ceasing display of the movie and taking me back to the "root menu" of the device. Whoops. Work was heating up right around then so I dropped the idea of a background movie and knuckled under to take care of business.

What I did see thus far was even more strange than I would have expected. David Lynch has an, well, unusual mind and it comes across in his very unusual films (Eraserhead, Twin Peaks: Fire Walk with Me, Mulholland Drive, Wild at Heart among others). Still I wasn't quite prepared for David Lynch the unfiltered man behind the lens. Random shots of him walking proclaiming to an unseen person "Watch that man! Watch that man! Watch that man!" were strange enough but the thing that struck me was, while on-set talking to his production crew he matter-of-factly stated "I want a fifteen year-old girl, an *ATTRACTIVE* fifteen year-old girl, a one-legged Asian woman and a monkey. Make it a spider monkey." The hilarious thing was nobody batted an eye! It was as if this was the most normal request that he could have made that particular day.

David Lynch must be an absolute trip to work with. If I could afford to I'd take time off from work and weasel my way into one of his sets as a production assistant and I don't care who I'd have to buy off to make it happen.

Tuesday, February 3, 2009

640k of ram should be enough for anybody

This quote, widely credited to Bill Gates (but denied by the same), really got me thinking today. "Back in the day", say, oh, around the early 1990's, before Windows and OS/2 really hit the mainstream, my rather large desktop computer had around half a meg of ram if I recall. I remember vividly the day I broke a meg and later four then an unheard of 64 megs of RAM. Around 1995 I watched Burton Floyd install a gig of ram on a card the size of a spiral notebook into a Silicon Graphics server the size of a dishwasher. I was amazed that a server could fit that much ram inside!

Now I'm sitting here with my new laptop running a cool 4 gigs of RAM. Goodness, how time does fly and Moore's Law keeps chugging away. I haven't yet touched the 4 gig limit, but then again I don't yet have Final Cut Pro loaded so given enough time I'm sure something on my system will eventually page out or swap due to low memory.

Still, 4 gigs of RAM in a notebook (with an additional 256 megs of video RAM). Who would have thought such a thing just a few years ago?

Sunday, February 1, 2009

Apple would you please consider the following:

1. enable IPv6 by default on the Apple TV and Time Capsule
2. enable IPv6 on the iPhone and iPod Touch

That is all. For right now.