Final IPv4 allocations; IPv6 readiness test; IPv6 world day

February 3, 2011

Final IPv4 allocations have been made today. Will this galvanize businesses to start moving to IPv6? We’ll see :)

 

If you’ve been following my “IPv6 at home” series, here’s a neat link to test your IPv6 readiness: http://test-ipv6.com/

 

Finally, “World IPv6 day” will be on June 8th 2011. Google, Facebook, Yahoo, Akamai and Limelight will turn on IPv6 for 24 hours. Results should be interesting to see. If you’d like to prepare for World IPv6 day today, go on over to their official site.

 


Compiling 64-bit mpir using VC++ 2008 Express

December 23, 2010

MPIR is a Windows-friendly fork of GMP. It can be used as a direct replacement of GMP. I wanted to have my pycrypto build use _fastmath, and that meant having GMP support.

Building a 64-bit version of MPIR is fully supported in Visual C++ 2010 Express. Not so, alas, for Visual C++ 2008 Express. The MPIR build.vc9 readme flatly states “the Express Edition cannot build 64bit binaries”.

Game over? No Python-compatible MPIR lib?

Luckily, the MPIR devs worked hard and provided command-line tools in build.vc9. Using those, even an Express edition of VC++ 2008 can build 64-bit MPIR binaries.

Preparing to compile:

  • You now also need the Windows SDK so you have the amd64 compiler, which isn’t included in the Express version. This needs to be the Win7 + Net 3.5 SDK, not the Win7 + Net 4.0 SDK. You can find it here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c17ba869-9671-4330-a63e-1fd44e0e2505&displaylang=en , and again, download the ISO (the one for amd64 support though!) if you are nervous it may disappear. Install it, and make sure you select the “Visual C++ Compilers”.
  • The vcvarsall.bat in VC++ 2008 Express looks for the amd64 vcvars64.bat in all the wrong places. The easiest way to work around that is to navigate to the VC\bin directory of your VC++ 2008 installation (in my case C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\bin). Copy vcvars64.bat, and paste into the VC\bin\amd64 subdirectory. Next, rename VC\bin\amd64\vcvars64.bat to VC\bin\amd64\vcvarsamd64.bat.
  • You need yasm.exe to compile the assembly code in MPIR. Download the 64-bit version of yasm, rename the executable to yasm.exe, and copy it to the VC\bin directory of your VC++ 2008 installation.
  • You need the yasm.rules file. Download the MPIR source tarball, and copy yasm.rules from the build.vc9 directory. It goes into your VCProjectDefaults directory (in my case C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\VCProjectDefaults).
  • If you want to be able to automate the MPIR tests (that’s a really good idea), install Python. Chances are you are doing all this to use MPIR with Python and so it’s already installed. Just saying.

Compiling:

  • From within the build.vc9 directory, run configure. You can specify --cpu-x86_64 if you’d like to build a generic 64-bit library, rather than one specific to your CPU type. You may opt to specify --enable-shared if you want to build a DLL rather than a static library.
  • Run make

Check that the compiled library works correctly:

  • Run make check

Your libraries and include files will be in build.vc9\lib or build.vc9\dll, depending on whether you built a static library or a DLL. You can now copy those to your VC\lib (.lib and .pdb files) and VC\include (.h files) directories, respectively. If you are looking to use the library with pycrypto, you’ll also want to copy mpir.lib to your Python installation’s \libs directory, since that is where setup.py will look for it. Well, actually setup.py looks for gmp.lib – I’ll leave that as an exercise to the reader.

Additional speed.exe and try.exe utilities:

  • Run make speed
  • Run make try

These will be in build.vc9\x64\Release and build.vc9\try\x64\Release respectively and allow you to measure the speed of the MPIR library and test MPIR functions.


Compiling pycrypto on Win7-64

December 22, 2010

Having had occasion to compile pycrypto 2.3.1 for Win7-64 and Python 2.7.1-64, I’ll share the process, and the result.

TLDR first: Here’s an archive of the compiled pycrypto library. It was built with VC++ 2008 SP1, and assumes you are using the x86-64 version of Python 2.7.x. Unpack this archive into your Python main directory. It’ll end up in Lib/site-packages/Crypto.

Compiling pycrypto on Win7-64 is very straightforward, unless you happen to use Visual Studio Express, not Visual Studio Pro. Compiling with Express takes a couple extra steps, which is what this post is about.

Preparing to compile:

  • Install VC++ 2008 SP1 Express. Needs to be 2008, not 2010 – that goes back to an old tradition that modules need to be compiled with the version that Python was compiled with, which happens to be 2008 right now. The Express version of VC++ 2008 is still available: http://www.microsoft.com/express/Downloads/#2008-Visual-CPP. If you are nervous about whether it will remain available, download the ISO.
  • Python 2.7.1 has a bug where it gets confused by the paths that MS use for Express, which happen to be different from the paths used in Pro. This breaks vcvarsall.bat when attempting to build 64-bit binaries. This is a limitation of VC++ 2008 Express. The Python distutils team offers a work-around. Check the bug at http://bugs.python.org/issue7511 to see whether the issue has been resolved already in your version of Python. If not, grab the diff attached to that bug report and apply it to your Python main directory using “patch”. The command line for this is “patch -p0 <vcvars4.diff”.
    If you don’t have a copy of “patch” already, the Cygwin default install + patch (not patchutils) will give you patch.

Now you’re ready to compile. This is pretty simple from here on out:

  • pycrypto should be unpacked somewhere other than your Python dir, say c:\temp
  • Then, from within the pycrypto directory, run these commands:
    • python setup.py build -c msvc
    • python setup.py install
    • python setup.py test

In my case, Python 3.1 is actually my registered default version, and I have python 2.7 renamed as python27.exe and pythonw27.exe. The build and install still works fine using python27 to invoke instead of python. Both my Python dirs are in the %path% to make my life easier. No PYTHON* env variables have been set.


ipv6 at home / small office: Verizon FIOS IPv6 trials

April 9, 2010

Verizon FIOS has entered into a month-long IPv6 trial on April 6th. It is a dual-stack trial carried out with Verizon employees in Reston, Virginia. The “custom CPE” that are mentioned in the article reflect the fact that precious few home routers have full, or even partial, IPv6 support at present. With both Verizon and Comcast testing the residential IPv6 waters, I expect router support to come along with them.


Warranty agreements for PC graphics cards

March 25, 2010

This post is to serve as a place for me to keep track of how different graphics card manufacturers handle warranty – in the US, that is, I’m not tracking Europe at all. Next time a graphics card fails on me, I’d like that to be an easy process.

After compiling this, it’s a pretty dismal picture. There are a lot of “original owner only” or “registration required” clauses. Be aware of what warranty is being offered and register if that’s required.

Asus:

3-year from date of manufacture

Asus’ website states that a customer would need to go through the reseller to get any kind of warranty service.

Warranty Page

BFG:

Limited lifetime if registered within 30 days, or 1 year from date of purchase if not registered

Registration within 30 days of purchase required

Original owner only, warranty does not transfer

Warranty Page

Diamond:

3-year warranty according to NewEgg

I had a hard time finding warranty information on their site – take a look around before deciding.

Warranty Page

ECS:

3-year NVidia cards, 1-year all other chipsets

Original invoice required as per web site. My experience is that S/N can be sufficient.

Warranty processing is slow in my experience.

Warranty Page

EVGA:

1-year, 2-year, 3-year and lifetime agreements depending on model

Product needs to be registered 30 days from purchase

Warranty only extends to original purchaser

Warranty Page

Gainward:

1-year, 2-year, 3-year depending on model. Likely from date of manufacture or date of sale to distributor.

No direct warranty to end users, only to distributors, unless the card was bought directly from Gainward, say through their web shop.

Warranty will be voided if S/N sticker falls off, and for the usual technical “tampering” reasons.

Warranty Page

Gigabyte:

3-year from date of manufacture

Direct RMA available

Very speedy response from RMA dept. in my experience

Warranty Page

HIS:

2-year, presumably from date of invoice.

Original invoice required.

Direct RMA available.

Warranty Page

MSI:

2-year parts & labor, 3rd year parts only, from date of manufacture.

Direct RMA available.

Return shipping and handling paid by end user for 3rd-year warranty: US-$ 45.

Warranty Page

PNY:

3-year or lifetime, depending on model; 1-year if not registered

Registration required

Original invoice required, original owner only.

Warranty Page

PowerColor:

2-year from date of invoice

Original invoice required

Original owner only, warranty cannot be transferred.

Warranty Page

Sapphire:

2-year from date of invoice

Original invoice required

Sapphire’s website states that a customer would need to go through the reseller to get any kind of warranty service.

Warranty Page

XFX:

Limited lifetime warranty on graphics cards, or 3-year, depending on model

Warranty period starts from the date of invoice or packing slip

Direct RMA available

Original owner or one subsequent owner only. Subsequent owner needs to register product within 90 days of buying used, using the same ID that original owner used to register the product.

Warranty Page


IPv6 at home or office, part 4.1: 6in4 tunnel on Juniper ScreenOS firewall

February 26, 2010

This blog post is part of a series on ipv6. Part 4.0 describes requesting a Hurricane Electric tunnel; this part explains how to configure a Juniper ScreenOS firewall – SSG, ISG or Netscreen – to work with such a tunnel.

Sample environment

I am going to give an example based on ScreenOS 6.0.0 or later syntax. ScreenOS 5.4 is reported to support IPv6 6in4 tunnels, as well, though it does not expose the configuration to the web interface.

These settings can (almost) all be configured through the web interface. In the interest of brevity, I am going to show CLI commands instead.

Here are the interface names and addresses used in this example. In this example, I use the IPv6 documentation prefix. When configuring this, you get the real addresses from the Tunnel Details page.

External interface name: ethernet0/0, Untrust zone

Internal interface name: bgroup0, Trust zone

Tunnel interface name: tunnel.1, Untrust zone

Server IPv4 address: 255.254.253.252

Server IPv6 address: 2001:0db8:1:223::1/64

Client IPv6 address: 2001:0db8:1:223::2/64

Routed /64: 2001:0db8:2:223::/64

Anycasted IPv6 Caching Nameserver: 2001:0db8:1234::2

Enabling IPv6

This is the one step you must do from the command line. Enter:

set envar ipv6=yes

and reboot. This will enable IPv6 features on your ScreenOS device.

Setting up the tunnel

The first step is to set up a tunnel interface that will allow you to encapsulate IPv6 packets in IPv4 packets.

set interface "tunnel.1" zone "Untrust"
set interface "tunnel.1" ipv6 mode "host"
set interface "tunnel.1" ipv6 ip <Client IPv6 address>
set interface "tunnel.1" ipv6 enable
set interface tunnel.1 tunnel encap ip6in4 manual
set interface tunnel.1 tunnel local-if <External interface> dst-ip <Server IPv4 address>
set interface tunnel.1 mtu 1480
unset interface tunnel.1 ipv6 nd nud
set interface tunnel.1 ipv6 nd dad-count 0
set route ::/0 interface tunnel.1 gateway <Server IPv6 address>

We create the tunnel.1 interface, assign it to the “Untrust” zone, and give it its IP address, the “Client IPv6 address”.

Next we’re creating the tunnel itself, terminating on the external interface on one side and the Server IPv4 address on the other side.

We restrict the MTU to 1480, as that is the largest IPv6 packet that can go through the tunnel without fragmentation once the 20-byte IPv4 header is added on a 1500-byte path, and disable Neighbor Unreachability Detection (nud) for good measure. I haven’t had issues with nud on, but others have.

Finally, create a default IPv6 route through the tunnel.1 interface, so our IPv6 traffic has somewhere to go.
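The encapsulation and the 1480-byte MTU described above, as an added Python example that is not part of the original post and not ScreenOS code: it wraps a minimal IPv6 packet in an IPv4 header with protocol 41 and decapsulates it only when the packet is well formed and its outer source is the configured tunnel server. The 1500-byte path MTU and the external address 192.0.2.10 are assumptions; the other addresses are the sample values from this post.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41     # IPv4 protocol number that marks a 6in4 payload
IPV4_HDR = 20         # outer IPv4 header without options
IPV6_HDR = 40         # fixed IPv6 header

# Constructed sample values: the post's placeholder addresses, plus an assumed
# RFC 5737 documentation address for the firewall's external interface.
SERVER_V4, LOCAL_V4 = "255.254.253.252", "192.0.2.10"
SERVER_V6, CLIENT_V6 = "2001:db8:1:223::1", "2001:db8:1:223::2"

def tunnel_mtu(path_mtu=1500):
    """Largest IPv6 packet that fits in one unfragmented IPv4 packet."""
    return path_mtu - IPV4_HDR

def checksum(header):
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv6_packet(src, dst, payload):
    """Minimal IPv6 packet; next header 59 means 'no next header'."""
    return (struct.pack("!IHBB", 6 << 28, len(payload), 59, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)

def encapsulate(inner, src_v4, dst_v4):
    """Prepend the outer IPv4 header (protocol 41, DF bit set)."""
    if len(inner) > tunnel_mtu():
        raise ValueError("IPv6 packet larger than tunnel MTU")
    fields = [0x45, 0, IPV4_HDR + len(inner), 0, 0x4000, 64, IPPROTO_IPV6, 0,
              ipaddress.IPv4Address(src_v4).packed,
              ipaddress.IPv4Address(dst_v4).packed]
    fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + inner

def decapsulate(packet, tunnel_server_v4):
    """Return inner (src, dst) only for valid 6in4 from the tunnel server."""
    if len(packet) < IPV4_HDR + IPV6_HDR:
        raise ValueError("truncated packet")
    ver_ihl, _, total_len, _, _, _, proto, _, src, _ = struct.unpack(
        "!BBHHHBBH4s4s", packet[:IPV4_HDR])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < IPV4_HDR or proto != IPPROTO_IPV6:
        raise ValueError("not a 6in4 packet")
    if total_len != len(packet) or checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer length or checksum")
    if ipaddress.IPv4Address(src) != ipaddress.IPv4Address(tunnel_server_v4):
        raise ValueError("outer source is not the tunnel server")
    inner = packet[ihl:]
    if len(inner) < IPV6_HDR or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    if IPV6_HDR + struct.unpack("!H", inner[4:6])[0] != len(inner):
        raise ValueError("inner length mismatch")
    return ipaddress.IPv6Address(inner[8:24]), ipaddress.IPv6Address(inner[24:40])
```

A 1480-byte IPv6 packet becomes exactly 1500 bytes on the wire, which is why anything larger would have to be fragmented or dropped.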

Setting up IPv6 for the local network

Next, we’ll use the “Routed /64” that HE gave us for our internal network.

set interface "bgroup0" ipv6 mode "router"
set interface "bgroup0" ipv6 ip 2001:0db8:2:223::1/64
set interface "bgroup0" ipv6 enable
unset interface bgroup0 ipv6 ra link-address
set interface bgroup0 ipv6 ra preference high
set interface bgroup0 ipv6 ra other
set interface bgroup0 ipv6 ra transmit
set interface bgroup0 ipv6 nd nud
set interface bgroup0 ipv6 nd dad-count 0
set interface bgroup0 dhcp6 server
set interface bgroup0 dhcp6 server options dns dns1 <HE IPv6 Name Server>
set interface bgroup0 dhcp6 server enable

Here, we are giving the LAN interface an IPv6 address from the “Routed /64” range – in the interest of simplicity, I chose “1”. We then enable Router Advertisement so that local machines can receive IPv6 addresses from this interface.

We’re also setting the RA “other” bit and enabling DHCPv6 to give out HE’s IPv6 DNS server. Those two steps are optional. With them in place, Google’s IPv6-enabled services will resolve with both an IPv4 and an IPv6 address; without them, Google will only be reachable by IPv4.

Setting up an IPv6 firewall policy

As an example, here is a very simple policy that allows all outgoing IPv6 traffic, and denies all incoming IPv6 traffic. Adjust as fits your environment.

set policy from "Trust" to "Untrust" "Any-IPv6" "Any-IPv6" "ANY" permit
set policy from "Untrust" to "Trust" "Any-IPv6" "Any-IPv6" "ANY" deny


IPv6 at home or office, part 4.0: tunnelbroker.net, IPv6 routers

February 26, 2010

This blog post is part of a series on ipv6. In part 1, I provided an overview of ipv6 and looked at Teredo, the technology built into Windows Vista; in part 2, I looked at AYIYA tunnels through aiccu, using sixxs net as a tunnel broker. Part 2.5 is a collection of useful ipv6 tidbits, and part 3 describes gogonet/freenet6 tunnels.

In part 4, I will describe the IPv6 tunnel I have been using all along since 2008: A Hurricane Electric 6in4 tunnel, typically terminating on a router, though it could be terminated on a PC, as well. I aim to break part 4 into chunks, each describing setup for a different make and model of router.

Provisioning of the tunnel

Make sure the router you will be using allows itself to be pinged from either “the Internet”, or at the least from HE’s server, currently 66.220.2.74.

Sign up with Hurricane Electric’s tunnelbroker.net service.

Once signed in, under “user functions”, choose “Create Regular Tunnel”.

Enter the IPv4 endpoint, and hit “Submit”. If you are a home user, your IPv4 endpoint is the public IP your ISP assigned to you, see whatismyip.org.

And you are done. Helpfully, the tunnel details page also allows you to get sample configurations for a variety of PC and router operating systems, including Linux, Windows, Cisco IOS, Juniper JunOS and Juniper ScreenOS.

Updating your dynamic IPv4 address

If you are in a home environment, your public IPv4 address may change from time to time. You can update it from the tunnel details page, or you can use tunnelbroker.net’s ipv4 update page that is intended to be used from a script, for automatic updates.

Routers supporting 6in4 tunnels

Whether enterprise class or home router, here are some of the devices that support 6to4 with 6in4 tunnels today (February 2010). On the home router side, it’s clear that it is early days yet. Comcast’s ipv6 trials may change the competitive landscape here.

Juniper

Any SSG or ISG firewall running ScreenOS 6.0.0 or later, as well as (with some limitations) Netscreen firewalls on ScreenOS 5.4.0. Part 4.1 describes the setup.

Any JunOS router – J-Series, M-Series, E-Series, T-Series, &c. All the way back to JunOS 9.1 if need be.

Any SRX firewall, with the caveat that SRX does not yet support ipv6 firewalling as of JunOS 10.1, though it does support ipv6 tunneling and routing.

EX switches do not support ipv6 tunnels yet, though the feature is road-mapped.

Cisco

It’s the usual mess of IOS versions depending on model, paired with feature set. A very Cisco-savvy fellow over at the HE forums has an excellent breakdown. In a nutshell, IOS 12.4 or later should work, and you’ll need the right feature set.

Switch support for IPv6 is good. You’ll need to check model / IOS version / feature set here, too.

Apple

Apple Airport Extreme supports 6to4, and a one-click tunnel provisioning, too. This is the only home router that I’d be confident to use for IPv6 today, without needing to fear that a firmware update would break IPv6. Mainly because a firmware update did break IPv6, and Apple fixed it in v1.5. For this router, IPv6 is an officially supported feature.

[Update 2010-04-28] Comcast will use this router in their IPv6 dual-stack trials, as one of three choices.

Netgear

Comcast will use the Netgear WNR3500 and Netgear WNR1000 in their IPv6 dual-stack trials. Whether these routers support 6in4 tunnels is unknown to me at this point.

D-Link

[Update 2011-08-03: D-Link have updated their site with a list of devices supporting native IPv6] According to D-Link, the following router models support IPv6. Comcast are using the DIR-655 and DIR-825 in their native dualstack IPv6 trial.

D-Link IPv6 Certified Routers

  • DIR-601 Wireless N 150 Home Router (Hardware Revision A1)
  • DIR-615 Wireless N 300 Router (Hardware Revision E1)
  • DIR-632 Wireless N 8-Port Router (Hardware Revision A1)
  • DIR-655 Xtreme N Gigabit Router (Hardware Revision B1)
  • DIR-825 Xtreme N Dual Band Gigabit Router (Hardware Revision B1)
  • DHP-1320 Wireless N PowerLine Router (Hardware Revision A1)

Other IPv6 Certified Products

  • DHP-W306AV PowerLine AV Wireless N Extender (Hardware Revision A1)
  • DAP-1350 Wireless N Pocket Router and Access Point (Hardware Revision A1)
  • DAP-1360 Wireless N Range Extender (Hardware Revision B1)
  • DAP-2590 AirPremier N Dual Band PoE Access Point

D-Link state that their DSL modem routers, the DSL-2540B and DSL-2640B also support IPv6.

D-Link DGS-3200 and DGS-3600 switches officially support IPv6.

Linksys

WRT610N, with reports that firmware updates break ipv6 support and that Linksys support is firm that ipv6 is not an officially supported feature. More testing is in order here, too.

[Update] A Linksys live chat operator tells me that native IPv6 is supported on the WRT610N, and that there is no official documentation for this. No word on tunnels. I have reached out to their press office to get details and will update if/when I get an answer.

[Update] The Comcast trial forums float the WRVS4400N as supporting tunneled and native IPv6.

Buffalo Technology

A “number of” their wireless products support ipv6. I have reached out to their press office to get details and will update if/when I get an answer.

AVM

FRITZ!Box 7270 (experimental “Labor” version)

I have reached out to their press office to get details and will update if/when I get an answer.

