NAT64/DNS64 in Gentoo

It was interesting when I posted a news article to the WIA regarding IPv6, how quickly it got shot down by “experts”.

A recent addition to our network was a 2008-model Apple MacBook, which I have dual-booting Gentoo and MacOS X 10.6.7 nicely.  One quirk of this particular laptop though, is that it will, when running its native OS, intermittently drop off the IPv4-only network.

The first tip-off to this is usually things like Skype ceasing to work.  Then I’ll notice DNS isn’t resolving (DNS is IPv6-accessible, but not many systems support RDNSS).

As a work-around to the problem, and also for my own self-education, I decided I’d have a crack at getting NAT64 and DNS64 to work.  What are they exactly?

NAT64 as the name suggests, is a variant of NAT that translates IPv6 to IPv4.  In doing so, allowing my MacBook that’s just disappeared from the face of the IPv4-only world, to still access the IPv4-part of the Internet.

DNS64 is a service that synthesizes AAAA records for host names that do not provide one.

The two work together to provide Internet access to an IPv6 only host.

What you will need to know

Make sure you have the following information on-hand.  I’ll use the following examples:

  • Your server’s IPv4 address on the local network: e.g.
  • IPv4 NAT address pool: This must not overlap with your existing networks.
    Examples use, I used
  • TAYGA’s tunnel IPv4 address: This will be the first address in the above subnet (i.e.
  • Your network’s IPv6 subnet: e.g. 2001:dead:beef:1200::/56
  • IPv6 NAT address pool: This needs to be a non-overlapping portion of your address space.  In my case, I’m borrowing a /56 from AARNet, and I used a /64 for this, setting the lower 8-bits of the prefix to 0x64.  It only needs to be /96 in size.
    Example used: 2001:dead:beef:1264::/96

NAT64 setup

To get NAT64 working; start by installing TAYGA.  This is a userspace daemon uses the TUN device to route between IPv4 and IPv6.  On Gentoo, begin by running emerge tayga.  (You may need to keyword it.)

This installs the binary, but crucially, it comes with no init scripts.  You will need to create one yourself like this:

# Copyright 1999-2004 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/sys-libs/gpm/files/gpm.rc6,v 1.12 2004/07/15 01:02:02 agriffis Exp $

depend() {
    need gw6c net.nat64

start() {
    ebegin "Starting tayga"
    start-stop-daemon --start --quiet -p /var/run/ \
        --exec /usr/sbin/tayga -- \
        -u nobody -g nogroup \
        --pidfile /var/run/
    eend ${?}

stop() {
    ebegin "Stopping tayga"
    start-stop-daemon --stop --quiet --pidfile /var/run/
    eend ${?}

Now, edit /etc/tayga.conf, using /etc/tayga.conf.example as a guide.  There are comments provided.  The following are the settings I used (with the above addresses):

# TAYGA's IPv4 address.  This is NOT your router's IPv4 address!  TAYGA
# requires its own address because it acts as an IPv4 and IPv6 router, and
# needs to be able to send ICMP messages.  TAYGA will also respond to ICMP
# echo requests (ping) at this address.
# This address can safely be located inside the dynamic-pool prefix.
# Mandatory.
# ... etc ...
# The NAT64 prefix.  The IPv4 address space is mapped into the IPv6 address
# space by prepending this prefix to the IPv4 address.  Using a /96 prefix is
# recommended in most situations, but all lengths specified in RFC 6052 are
# supported.
# This must be a prefix selected from your organization's IPv6 address space
# or the Well-Known Prefix 64:ff9b::/96.  Note that using the Well-Known
# Prefix will prohibit IPv6 hosts from contacting IPv4 hosts that have private
# (RFC1918) addresses, per RFC 6052.
# The NAT64 prefix need not be specified if all required address mappings are
# listed in `map' directives.  (See below.)
# Optional.
prefix 2001:dead:beef:1264::/96
# Dynamic pool prefix.  IPv6 hosts which send traffic through TAYGA (and do
# not correspond to a static map or an IPv4-translatable address in the NAT64
# prefix) will be assigned an IPv4 address from the dynamic pool.  Dynamic
# maps are valid for 124 minutes after the last matching packet is seen.
# If no unassigned addresses remain in the dynamic pool (or no dynamic pool is
# configured), packets from unknown IPv6 hosts will be rejected with an ICMP
# unreachable error.
# Optional.
# ... etc ...

Now, having done this… you just need to make sure the nat64 device gets created and initialised by openrc.  In /etc/conf.d/net:

# NAT64 configuration for TAYGA

preup() {
        case ${IFACE} in
                        /usr/sbin/tayga --mktun

Now, symlink /etc/init.d/net.lo to /etc/init.d/net.nat64, start the tayga service, and you should find that you can ping e.g. 2001:dead:beef:1264:: ( is Google DNS).

DNS64 setup

All good and well if you know the IP addresses, but most people don’t.  Now emerge totd.  Use /usr/share/doc/totd-VERSION/totd.conf.sample.bz2 as an example for configuring /etc/totd.conf:

; $Id: totd.conf.sample,v 1.9 2003/09/17 15:56:20 dillema Exp $
; Totd sample configuration file
; you can have multiple forwarders, totd will always prefer
; forwarders listed early and only use forwarders listed later
; if the first ones are unresponsive.
forwarder 2001:dead:beef:1234::1 port 65053
forwarder port 65053
forwarder port 53
forwarder port 53

; you can have multiple prefixes or even no prefixes at all
; totd uses them in round-robin fashion
prefix 2001:dead:beef:1264::
; the port totd listens on for incoming requests
port 53
; the pidfile to use (default: /var/run/
pidfile /var/run/
; interfaces totd listens on (UDP only for now and not on Linux)
; If left out totd will only open wildcard sockets.
;interfaces br0
; 6to4 reverse lookup

In my case, I have a local caching name-server (BIND), which I’ve moved to port 65053. The trick-or-treat daemon now sits on port 53 where the rest of the network expects it. You can now start the totd service, point your /etc/resolv.conf files to it, and everything should Just Work.


Easiest way is to shut off IPv4, and set up /etc/resolv.conf on your client with the IPv6 address of your server running totd.  You should now be able to browse IPv4-only sites as if IPv4 were running.  I achieved this test by plugging into Ethernet, turning off wicd (it kept wanting to start-up dhcpcd), then manually bringing the interface up and configuring /etc/resolv.conf.

World IPv6 Day

Well… has anyone noticed anything different about the ‘net?

stuartl@atomos ~ $ host is an alias for is an alias for has address has address has address has address has address has IPv6 address 2404:6800:4006:802::1011

I knew World IPv6 day was coming up, but it seems it snuck up on me and I barely noticed. Likely a testament to the fact we run a dual-stack network here, and so everything magically Just Worked™ as it should. Indeed, a lot of websites are now dual-stack, as is much of the infrastructure, Google (as seen above), FaceBook, and numerous other sites.

Sadly, a lot of ISPs here in Australia did the demented ostrich act when it came to IPv6. I wonder how many technical support calls they received, with users complaining about websites being slow to load up or failing to connect.

iTel, formerly “Global Info-Links”, now calling themselves “South East Community Telco“… were one of the masses that drove their RFC791-only heads in the sand and pretended that the entire Internet can be compressed into 32-bits of address space. We’ve been waiting to hear back from them on their plans for addressing since January as we’d like to upgrade the 512/128kbps ADSL link we use here. (Anyone noticed this site tends to load up a bit slow? That 128kbps figure is the reason why.)

We’ve been with this ISP since 1996. That’s quite a long innings… We’ve stayed put because until now we’ve been happy with the service. 512kbps was quite fast when we upgraded from 56kbps PSTN dialup (14.4kbps dialup when we first started… still have that modem too!). These days it plods along, but the 128kbps uplink is a notable thorn in my side with my telecommuting. So we’re looking at ADSL2+.

However, there’s one hitch. iTel is only a fairly small ISP. At the moment they do the noble thing of providing static public addresses on IPv4 for all fixed-broadband customers, but how long will that last? The last thing I want, is to sign up a contract for 12 months, then find out that in 6 months they need to move us behind CGN (Carrier grade NAT) to squeeze in some more customers. That won’t fly for us. I’d ideally like to ditch the 6-in-4 tunnel I have with AARNet and go native, or at the very least, swap it with one terminated at the ISP, but that doesn’t seem to be happening anytime soon.

At the moment there is only one ISP I know of that offers any sort of IPv6 connectivity. Internode. Kudos to them for taking the pioneering step! I’m seriously looking in their direction. I’m also hoping the NBN that we keep hearing about, is IPv6 enabled… and I’m holding out with the hope that our little suburb might soon be getting the long strands of glass laid down our street. If it’s only another year or so, it may be worth just hanging on with ADSL1 until then.

Thankfully, we do have the 6-in-4 tunnel through AARNet (and my greatest gratitude to them for providing it). There is a growing community on this newer protocol… I’m also happy to report absolutely 0 spam via IPv6… any spam or malware thus far has been via IPv4 … although I know this won’t last. The good news there is that with one unique address per computer (instead of per customer, or worse, per 100+ customers), it should be easier to track down the guilty party causing such Internet shenanigans. CGN by comparison is likely to be a spammer’s playground.

What am I doing about IPv6 deployment? Aside from my small-time tinkering with the network here… any socket programming I do today is at the very least dual-stack. One of my hobby projects is a digital mode stack for amateur radio… if I get my way it’ll be IPv6-only when used on a computer network.

One of my work projects involves interfacing some proprietary software to some power meters using RS-232 and RS-485 to Ethernet bridging devices. Even though the devices themselves are IPv4 only (and will be for the foreseeable future), I’m designing the software to handle IPv6. Doing this, future proofs the software. Surprisingly, I’m finding it easier to just design for dual-stack than it is to develop a IPv4-only application. If you’re building an application today, dual-stack IMHO must be part of the strategy if the application is going to work beyond this decade.

Some have asked about IPv6 on packet… sadly AX.25 packet does not go anywhere near fast enough to make IPv6 (or indeed, IPv4) networking a viable option on packet radio using existing TNCs… however I think IPv6 will, and should, play a much bigger part in amateur radio communications than it presently does… we can’t expect to hold on to the subnet for much longer.

To the ISPs that are lagging behind, I say get moving! IPv4 is older than I am! This is especially true of the smaller ISPs… if you don’t move, you will get squeezed out of the future Internet connection market as address space gets consumed. To the nay-sayers who keep telling us that something else will replace IPv4, to you I say get moving… you haven’t got long to invent this magical silver bullet, in fact I say you’ve left it too late.

{Insert Name Here} is inviting you to join FaceBook

Without wishing to sound harsh, two words: Don’t bother. 🙂

There are a few reasons why I’m not on FaceBook…


First and foremost, is a matter of need.

The primary reasons why someone would set up something on FaceBook is to enable their friends to be able to locate them on the Internet.  In my case, just about any search engine using either my real name, nickname, or callsign, will lead you in the right direction.  Even then, it isn’t hard for people to trade email addresses by out-of-band means, then pass a URL to a blog site that way.

Next is the keeping track of friends.  Again, plain old email is good for this… so is the telephone.  RSS is a pretty good broadcast mechanism for this purpose too, and guess what, most modern web browsers are able to subscribe to such feeds as Live Bookmarks.  This effectively means your web browser becomes the central switchboard by which you can keep track of what your friends are doing.

As for sharing photos… most blog hosting sites provide a means for uploading photos… a perfect way to share photos.

There’s actually bugger all that I consider worthwhile that can only be done via FaceBook.


These days I’m very busy in my daily life… too busy to sit in front of a computer checking up on online friends.  When I’m at work, I’m at work… I’m not browsing the web for personal pleasure.  Looking up things like FaceBook would be wrong and immoral usage of my employer’s Internet bandwidth.  So I don’t do it.

I can’t very well check FaceBook whilst in transit for two reasons: (1) I ride a bicycle, and need to watch where I am going, and (2) I don’t have any mobile Internet service.  I am usually on the amateur radio bands somewhere whilst mobile, but (ignoring IRLP/EchoLink/Allstar Link/APRS/etc…) you won’t find me via the Internet.  I answer my mobile phone too, but only after pulling over (I need a moment to switch headset cables over).

At home, yes I could be on FaceBook… but I find plenty of other things to occupy my time.  That, and sometimes it’s good to not have anything to do occasionally.


FaceBook is controlled by one company, and is a closed system.  Aside from a “we promise not to look”, there is nothing to stop them doing anything they like with the information you provide to the service.  Even if they don’t, who’s to say their system is completely secure?  Lots of people entrusted their credit card details to Sony… Ooopsie!

So what kind of information does one share on FaceBook?  Aside from your name, age… okay, not deeply personal… you set yourself up with that information.  Then what?

You start “friend”-ing people.  You start “like”-ing people and adding them to your list of friends.  You build up a social graph.  Graphs are a mathematical tool for representing relationships between objects.  In this case, the graph’s edges represent some connection (i.e. acquaintance, friend, lover, … etc.) between two people (represented as nodes).  And using all kinds of graph theory, it’s possible to deduce all kinds of personal information about you.

How dangerous is this?  You’re probably thinking… “So what?”  Mark Pesce gave a talk on this at this year.  If you’ve got a bit of time to spare, you can watch the video of the presentation, or have a read of the full transcript.  In short, a big part of what we do can be explained by what people are doing around us… we have a tendency to mimic those around us.  Knowing the group one participates in, is a pretty good way for someone with ulterior motives to figure out ways in which to manipulate you.

Your social graph is probably one of the most personal things you can reveal.

Keeping in touch

In order to keep in touch, you actually don’t need FaceBook.  Good ol’e email does a pretty good job.  So do blogs.  In my case, I post a lot of what I’ve been up to on this site.  This site broadcasts a stream using a format called RSS.  Guess what, most web browsers today (Firefox 3.5+, Internet Explorer 7+, Chrome, recent Opera…etc) support this in the form of “Live Bookmarks”.  Or you can use an external news aggregator… there are plenty to choose from.

Then in your web browser, subscribe to the feed.  In Firefox 4.0, under Bookmarks, choose “Subscribe to this page”.  Earlier releases have a button that appears in the address bar you can click.  Likewise for other web browsers… in fact, often you’re looking for an icon like this:

RSS feed icon

RSS feed icon (Source: Wikipedia)

Look for an icon like that on your web browser, click it, and follow the prompts.  Voila, you can now track that person through your web browser.  No one else needs to know about it, no need to log in to an extra site, it’s quick and easy.  Need something web-based for when you’re not at home?  There are plenty of web-based agregators.

Ohh, and you can track more than just friends this way.  News websites, companies… all sorts of things can be monitored this way.

But I want to be your friend!!!

Are you going to tell me this wasn’t possible before FaceBook?   Friends didn’t exist before Mr Zuckerberg invented this web-based forum?  Have people forgotten the art of face-to-face contact?  You don’t need FaceBook to have friends.  Give the old-school method a try some day. 🙂

“Ever thought of using a mobile phone instead”

This is a question raised on an earlier post of mine.

It’s an interesting comparison between radios and mobile phones.  And some are of the belief that all you do with a radio, is talk on it, or that mobile phones can completely replace radios.  Rather than respond there, I’ve decided there’s enough content there for a completely separate post.  I have highlighted my main arguments here for those who just want to quickly skim through.

Indeed, mobile phones do exist, and they are very handy things.  They do generally come with some sort of hands-free capability.  This is true of my Nokia 3310 … the connectors are available from JayCar, and the headset schematic is trivial.  This is not true of all mobile phones unfortunately.  Much the same is true of my radios, the FT-897D takes a standard RJ45 connector for the microphone, the FT-290R II takes a more obscure 8-pin “Foster” connector, but even they can be sourced if you look around.

RFI is a worse problem for mobile phones however, GSM seems to have a happy knack of being able to inject itself into almost anything unless you’re careful with your circuit design.

It’s worth considering what the primary point of the exercise is however, and how radio and mobile phones differ.

Mobile phones are great if you want to call someone specific. They are highly optimised for one-to-one conversations.  In fact, it’s highly expensive to do anything else.  Conference calls are a rare thing and you pay through the nose for the privilege.  Mobile phone charges are high enough already — I would not like to be paying for the cost of a one hour conference call twice daily on my way from/to work.

To contrast the fees, it costs me $20/month for a mobile phone service through Telstra (excluding calls).  I rarely see a phone bill above $30, but I’d probably see that climb to triple digits if I used it in the manner I use my radio.  The radio license costs me $65/year, regardless of whether I leave my station packed-up and inoperable, or whether I’m using it all 31557600 seconds of the year.

When I was riding frequently however, I regularly participated in discussions on my commutes.  It does make the ride more enjoyable when you can have a friendly chat on the way in.  The beauty of radio though is that you don’t all have to be in close enough proximity to hear each other baseband.

Radios are well suited to group discussions, since radio is an inherently shared medium. At most a repeater site which can relay the traffic between stations is all that is necessary.  I’ve also had quite successful simplex contacts on the 2m band over 50km, and overseas on the 40m band.  Mobile phones only achieve coverage over a few kilometres line-of-sight, coverage is extended by cellular towers which perform a similar function to repeaters.

If you’re in a discussion on the radio, good operating practice states that you leave a gap between transmissions so that other stations may break in if needed.  The breaking station may be someone wanting to get in touch with one of the other operators on frequency, may be an interested party, or could even be a person in distress.

It’s relatively simple for someone to jump in on a conversation.  Mobile phones however, prohibit this unless, once again, you pay severely for the privilege.  How often have you been in a situation where you’ve been trying to chase a caller off the phone so that the line is free for that important call you’ve been waiting for?  Not such a problem with radio.

Mobile phones give you a certain degree of privacy in communications.  Encryption standards vary between mobile phone standards, but all of them (except AMPS, which is now extinct) provide some means of privacy.  Radios generally don’t unless you pay through the nose for a set and a suitable license.  Encryption is also forbidden on amateur bands.

Both allow a certain amount of experimentation.  If you have a mobile phone that provides an antenna socket, it is theoretically possible to construct your own antennas.  You are not however able to alter the transmission mode or frequency of operation, nor are you able to construct your own mobile phone (homebrewing) without significant expense, as the device you construct must be tested and approved by local authorities before you may connect it to a network.  (In Australia, the body responsible is the ACMA, and the approval you need comes in the form of a “regulatory compliance mark”, formerly “A-tick”.)

You can however readily experiment with software running on top of modern smartphones, if you phone is that new.  (Mine isn’t)  Or, if you have a >= 3G capable phone (again, mine isn’t), you can hook a small computer up and use standard VoIP software.

Radios on the other hand, if your license permits it (mine does), can be completely constructed from scratch.  You choose the frequency and mode, there are boundaries where you cannot go, but there’s still a hell of a lot of freedom that mobile phones do not provide.  All amateur transceivers have socketed antennas, allowing experimentation with other antenna types.  Multi-band sets permit experimentation with different frequency bands, all of which differ in their properties.  Transmission modes include pretty much all analogue modes, and in most license classes, many forms of digital communication.

Mobile phones typically are fairly easy to use (there are people however that never seem to get it however), while radios almost always require a certain level of training.  Amateur radio requires you to sit two or three separate exams (usually two written exams for theory and regulations, and a practical test).

Some might ask why I use such an old mobile phone?  Well, you’ll notice the FT-290R II isn’t a spring chicken either.  I use stuff because they do the job.  The old Nokia 3310 has been solid and reliable.  There’s minimal “fluff” to cause problems.  Someone dials my number, it rings.  I dial a number, it calls that person.  Text messages, easy.  My needs don’t require anything more sophisticated.  Don’t unnecessarily complicate, I say.  When I’m out and about, this means I’m contactable two ways … primarily by radio, but if the phone rings, I can pull over and plug the phone in instead to take the call.

In my situation on a bicycle, it is also paramount that I do not have my hands tied up manipulating radio/phone controls. My solution was to wire up a small keypad which provides push-to-talk and four directional buttons.  On the mobile phone, the PTT becomes my answer button, and I can dial a person by momentarily pressing the button, waiting for the prompt, and announcing the “voice tag” of the person in the phone book.  The phone then rings that person automatically.

On the radio, I mainly use memory channels, so I’m moving up and down the memory channels.  Usually I just switch to a given frequency, and stay there.  When I want to talk, I press the button down — or, more recently I added a switch which is equivalent to “holding the button”.  So I just flick the switch to go to transmit, and flick it back again.  In the meantime, I’m able to use my hands for operating the bicycle.

Contrast this with trying to juggle a netbook computer running a VoIP package such as Skype.  It’d be a nightmare, those user interfaces are not designed for mobile operation. They’re simply not appropriate.  SIP-based VoIP is better in some ways as you can code your own application, but even then, you’re at the mercy of the mobile phone carrier’s network.  VoIP is very sensitive to NAT and dynamic IP addresses, and I think operating mobile in this manner would be a bit much to expect.  Skype also cannot handle a group as large as radio can.  (SIP can handle over 200 participants in a conference, limited by server bandwidth.  On the radio, I’ve regularly participated in nets with more than 10 people on air at a time.  Skype is limited to 5 IIRC, or maybe you pay for more.)

Amateur radio is largely infrastructure independent. On the bicycle I can get around obstacles that would be impassable in a car.  With high capacity batteries, and a reasonable power set on a high mountain top, I can achieve significant simplex range, thus allowing me to relay traffic over great distances, without any requirement for intermediate infrastructure.

“Ohh, I’ll just use the phone for that” you say.  Yeah, right.  Try that in the Lockyer Valley just now.  Many of the mobile phone towers went for a swim, as did the exchanges.  Areas around Grantham are without any forms of mobile or land-line based telephony.  And of course, no Internet.  The same situation was the case for people caught up in the Black Saturday bushfires down in Victoria.  I’d imagine communications are under very heavy strain in Christchurch at the moment.

Mark Pesce made a very valid point in his LCA2011 keynote, communications can also be disrupted for political reasons, such as what has happened in Egypt and Lybia.  What do you do then?  Radio’s not perfect, but it sure beats being left without a means to let people know you’re okay.  With mobile phones, you are dependent on others to bring online infrastructure, before you can make a call from your phone to the other.  (Unless you experiment with something like the Serval Batphone, which has its limitations.)

So one does not completely replace the other.  They are complementary. The theory requirement keeps a lot of people away from amateur radio, however I’m happy to report I’ve never received a telemarketing call on the radio. 🙂  More to the point, there is more to amateur radio than just talking to people, just like there’s more to the police force than just arresting people.

As for me, radio has fascinated me for a long time.  I first became interested in radio from a very young age, but I particularly got into it after studying how it worked at university.  This is what lead me on to amateur radio.  So for me, it’s as much technical as it is social.  I enjoy meeting up and talking with people, but I also enjoy the experimental aspect of it.

At the moment, a large amount of my energy is going into bicycle mobile operation, particularly with regards to HF communications.  This does necessitate big antennas.  Antenna installations are always a trade-off between physical size, efficiency and band-width, and it can be a real challenge to get things working, but it’s rewarding when it pays off.

Some would argue: “Why bother? Just use a mobile phone.”  That’s like asking a car enthusiast, “why muck around under the bonnet when you can take your car to the garage down the road?”  Or to the avid gardener, “Why bother growing your own veges, there’s a greengrocer in the shopping centre?”.  Yes, they do exist.

I also would like to point out that the commercial world has gained lots from home experimenters.  You use a NAT router for your home Internet connection?  What’s the OS it runs?  Many run Linux.  Did we get Linux from a big commercial organisation originally?  No, it came from an avid homebrewer of operating system kernels, and was never intended to be “big and professional like gnu”.  Did we get Single Sideband from the commercial world?  No, it was an Amateur Radio inspired invention.  Likewise with a lot of high frequency design techniques that are in mobile phones today.  Heck, in the future we’ll probably be adding Codec2 to that list.

The world needs amateurs of all persuasions.  For this reason, declaring something “obsolete” just because you can do the subset of things you do with another more contemporary technology, is a short-sighted way of viewing things.  The amateur world benefits from the professional world, and vice versa.  It’s often the case that someone who works in a particular industry for a living, goes home then hacks on various projects related to that industry for fun in his/her spare time.

So, “why not just use a mobile phone”?  Because I find radio fun, I enjoy it, and I hope that some day, what I learn can be shared and applied in a professional setting to improve technology as a whole.  After all, isn’t having fun what the world is all about?

IPv6 “will never take off, ever”

That was one of the comments made following my piece in this week’s WIA national news.

We better start thinking up a better protocol then if that’s the truth. And we’ve only got 5-10 years to do it apparently, and migrate everyone.  The IPng working group started their work in the early 90’s.  It took them 5 years just to come up with the protocol, and it took a further 5 years before consumer operating systems included support for it.

My tip; IPv6 migration will be the easy route.  For starters, operating systems already support it.  Much software already works with it.


IPv6 is completely incompatible with IPv4

Addressing-wise, maybe… but TCP and UDP still work the same way.  The only catch is that you now need 16 bytes to store an address, instead of 4.  If your application passes IP addresses around in the upper layers, you just need to find room for the extra 12 bytes.  Not impossible, and not a show-stopper if your protocol was designed right in the first place.

There’s plenty of /8s allocated to companies, we can use those for the next 5-10 years!

Mmm hmm, you think they’ll just graciously give us that space?  And that it’ll last forever?  China alone if it gave one address to each of its citizens could fill up a whole /2 on its own.  How big’s a /2? 230 =~ 1 073 741 800 addresses.  And they’re growing.

Fact is, this may delay the ultimate IPocalypse, but whatever we do, it will probably take 5 years to migrate.  So our best move is to start moving now.  Not wait until the crunch happens.

YubiKey ebuilds and patches for Gentoo

Hi all,

As promised I’ve put up some of the ebuilds needed to use the YubiKey in Gentoo.   This includes a PAM module for stand-alone authentication with the YubiKey, which I have patched to support concatenated two-factor authentication.  These are in a new overlay:

  • git://

Stand-alone two factor authentication: Password + YubiKey with YubiPAM

The procedure for setting this up is pretty simple.  First, grab the overlay:

stuartl@beast /home/portage/overlays $ git clone git://
Cloning into yubikey...
remote: Counting objects: 16, done.
remote: Compressing objects: 100% (13/13), done.
remote: Total 16 (delta 2), reused 16 (delta 2)
Receiving objects: 100% (16/16), 4.15 KiB, done.
Resolving deltas: 100% (2/2), done.

Now add it to your make.conf as per usual procedure, then unmask and install YubiPAM and ykpers ebuilds.  At last check, you need the live git ebuild for ykpers and libyubikey if you use the latest revision (2.2) keys like those handed out at  For the PAM module, I recommend using the non-live version, although a live ebuild is there for the adventurous (I had buffer overflow glitches).

# ( echo =sys-auth/yubipam-1.1_beta1
> echo =sys-auth/ykpers-99999999
> echo =sys-auth/libyubikey-99999999 ) >> /etc/portage/package.keywords
# emerge ykpers yubipam

This will install some tools to personalise the YubiKey and the PAM module.  At this step it’s now time to program the YubiKey.  This will break its ability to be used on the Yubico servers until you upload a copy of your new AES key to their site (see below).

Choose your public and private IDs, then program with the following command.  The fixed parameter should be 6-8 bytes long in hexadecimal.  If you intend to use this on Yubico servers later, it must be 6 bytes long, and must begin with ff.

# ykpersonalize -ofixed=$( modhex -h ffeeddccbbaa ) -ouid=112233445566
Firmware version 2.2.2 Touch level 1283 Program sequence 3
Passphrase to create AES key:
     Type in a long string of gobbledegook with lots of random letters,
     numbers and punctuation (not like this!) to keep people guessing.
     This will seed the AES keygen.
fixed: m:vvuuttrrnnll
uid: h:112233445566
key: h:afaaaa6021303d90740579cd7fc4e87f
acc_code: h:000000000000
ticket_flags: APPEND_CR

At the bottom it asks whether you wish to program the key.  It didn’t here because in fact I had snuck in a little parameter which I haven’t shown here.  You’ll want to make a note of the parameters it tells you though, especially the generated key.

Once complete, you then need to tell YubiPAM about it:

# ykpasswd -a -c -f ffeeddccbbaa -k afaaaa6021303d90740579cd7fc4e87f  -p 112233445566 \
        --user stuartl -o vvuuttrrnnlllrgjglvnicujhnhhecfeitjureidlcer
Adding Yubikey entry for stuartl
Using public UID: ff ee dd cc bb aa
Using private UID: 11 22 33 44 55 66
Passcode: Completed successfully.

The last bit should be generated from the YubiKey itself, just type the rest in then press the button and it should add you after asking for a passcode (which can be different to your regular system password).  The final step is to set it up with PAM.  This I’m not 100% sure of, but I achieved working authentication by configuring my /etc/pam.d/system-auth as follows:

vk4mslp2 yubikey # cat /etc/pam.d/system-auth
auth            required
auth            sufficient concat_two_factor
auth            required try_first_pass likeauth nullok

It should be noted; test the configuration in a new console session, do not log out or else you may lock yourself out.  There is a ykvalidate tool for testing, but it doesn’t seem to work properly with two-factor authentication.

The concat_two_factor parameter to pam_yubikey relies on a patch present in the ebuild, which I have sent up-stream, and is a work-around for (some would say, broken) PAM clients that do not support multiple Password fields such as KDM.

To log-in, type in your username.  In the password field, enter the passcode followed by a space, then tap the YubiKey to enter the OTP.  It should log you in.

Uploading the key to Yubico

First, a warning

The whole point of one-time password generators such as this, is to prevent someone intercepting your password and logging in to your systems.  If a one-time-password is captured, it’s useless because in the ideal case, all systems know it has already been used.  I say in the ideal case.  In this scenario, if you use the key on a public server, it is possible for someone to capture that OTP, and re-play it to the stand-alone system using YubiPAM to gain access.  They of course can only do this once, but that may be enough for them to make themselves at home.

With some care, you can reduce the risk of this … for instance making a point of gratuitously logging in to each system using the key immediately after using it on any of the systems is one way to try and manually synchronise the OTPs.  I’m giving this problem some thought, for my needs it isn’t such a big deal as it’s mostly for fun anyway, but this is a factor that must be considered when using the YubiKey (or any OTP device) in this manner.

How to

Go to  Enter the data as follows.

  • Your email address (needs no explanation)
  • The YubiKey’s serial number: printed on the back, 6 digit decimal code
  • YubiKey Prefix: This is also called the “fixed UID” and appears as the first 12 characters of the OTP.  It should be in modhex format.  In the above example, the prefix would be vvuuttrrnnll.
  • Internal identity: This is also called the “private UID”.  It should be in hexadecimal format.  In the above example, the internal identity would be 112233445566
  • AES Key: Again in hexadecimal… the key used in this example was afaaaa6021303d90740579cd7fc4e87f
  • Finally, an OTP from the device. Don’t fill this in yet.

Below this form there is a Capcha field to stop spambots.  Fill in the challenge and click the “I’m a human” button, and copy the text into the other box as it asks.  Now go back to the other form, click on the OTP field and press the YubiKey button.  You should then be able to test it on their demo server and use the key simultaneously on the web and your local systems.

Fun with the YubiKey

At, we all got given a YubiKey each.  These are a proprietary one-time-password generator device which plugs into USB and emulates a USB HID keyboard.  Full documentation on how the algorithm works is provided by Yubico and they have also provided a lot of software for interfacing to the keys under a quite liberal BSD license. The device itself, being a USB HID device, needs no drivers other than what the operating system provides. Plug it in, press the button, and you get:


And don’t bother trying to use that, I have deliberately mangled some of the characters so it isn’t valid. (I’ve also used it in a few places since, so it’s old anyway.) The first 12-16 characters form the public ID, and are always the same, but unique for each key. The remaining 32 characters form the OTP data, and is encrypted internally using a 128-bit AES key.  The data is a variant of hexadecimal called modhex — the digits have been mapped to keycodes that should be the same on every model of keyboard.  This means the key will still work whether the computer is configured for QWERTY, QWERTZ, AZERTY, etc.  Not sure if it handles Dvorak though.

I’ve been doing a bit of tinkering with mine.  They can be used out-of-the-box with Yubico’s authentication servers for things such as OpenID.  The programming tool however, lets you define your own parameters, and use them completely stand-alone.  Yubico have a facility for uploading the key’s new AES key when you do this.  The bonus  with doing this is that you can use the same key for both stand-alone services you might set up, and for web-based services (with the caveat that it does open to replay attacks).

By the second day of the conference, I had my Yeeloong authenticating me using YubiPAM, a stand-alone PAM module. I’ve since configured my other laptop the same way, although I notice I get a buffer overflow when the authentication succeeds — not sure why as the Yeeloong works fine. I’m looking into what’s needed for Gentoo. I haven’t figured out how to get two-factor authentication to work there with KDM. I’m thinking maybe pam_python, and a homebrew solution may give me the flexibility I’m after.

Today, I had another look at it. This time, I was looking at what services I use that could make use of it. The obvious candidates: this blog, and OpenID.

On the OpenID front, I initially toyed with a copy of Yubico’s OpenID server, which is a very crude thing intended as a demo. I thought maybe I could extend it, but couldn’t figure it out. Figuring there must be a better solution, I went hunting, and found Community-ID. I managed to get Community-ID installed on my server without too much sweat, I had single-factor authentication using either a password or the YubiKey working in minutes. My instance is here, and now my devspace homepage functions as an OpenID, as does my blog.

As for two-factor authentication, I went digging for how it processed the password. Community-ID has a very strict model-view-controller structure that made things very easy.  I wasn’t sure how to go about adding a new field, but I figured, I didn’t have to.  The database stores the prefix so that it can identify who the person is logging in, and from that, I know the OTP will be the length of that prefix, plus 32 characters.  I was able to modify Community-ID to take the last strlen(prefix)+32 characters, check that using Yubico’s servers, then process the remainder and compare that against the stored password.  Bingo, two-factor authentication with one password field.  The patch is already upstream.

Now if I can make YubiPAM do this, I’ll be very happy.

For the blog, I ended up doing both.  I found a WordPress plug-in that does OpenID authentication.  At first I couldn’t figure out how to link my new OpenID identity to my existing account, so I then turned to the YubiKey and installed a plug-in that performs that task.  No sooner had I got that going, then I spotted where the fields were for associating OpenIDs with accounts, so I’ve configured that.  My blog will now accept any of the three, although using single-factor authentication (unless I use OpenID).

Guess that’s enough for a blog, it’s not like someone can lock me out of it given I have database access anyway and the password is stored as a hash.

Needless to say though, you can expect some further improvements for things using these keys.  I’ve got some other places in mind for the thing.

The impending IPocalypse

The following was a news article that I intended to record and have included in this week’s WIA National News service, however I had problems cutting it down to the 1:30 required. So, I’ve put in additional information that there wasn’t time for, and I intend to put in a short piece for next week’s news.

For the technically minded, I do apologise if it seems a bit dumbed down, but not all the target audience are computer-savvy.

The IPocalypse is upon us, no I’m not talking about some new Apple product, I am talking about the Internet Protocol, specifically version 4.  IPv4 has been with us since 1980, and has come to dominate all aspects of computer networking.  In fact, so popular is this networking protocol, that earlier this week, the Internet Assigned Numbers Authority, ran out of addresses.

At the recently held conference in Brisbane, Google Vice President Dr. Vinton Cerf, and APNIC Chief Scientist Geoff Huston both gave talks covering this very issue.  For those who want an in-depth overview of the problem, I recommend viewing both these videos:

Back in 1973 when the beginnings of what became IPv4 was being conceived, it was decided that an address space of 2³² addresses (or 32-bits, about 4 billion) would be sufficient for what was considered, back then, an experiment.  The “Internet” (then known as ARPAnet) barely spanned 5 computers.  Computers occupied rooms and were not portable, nor was there any significant wireless telephony infrastructure at the time.  The problem is, the experiment never ended, and now IPv4 in this modern age of handheld computers and wireless Internet, is being pushed to its absolute limits.

Most people are familiar with using a telephone.  You need to know the number of the person you want to want to contact (or the phone number for directory assistance and quoting a name).  Only then can you place the call, and get in touch.  Now unlike a telephone network, where the call is established and a bi-directional connection exists for the duration of the contact, on the Internet, its more like dialling a voice mail service and leaving a message.  I need to leave that person my phone number so that they can get back in touch with me (or rather, leave a message in my voice mail box).

Extending the metaphor a bit, it is common for computers to have multiple connections going on at a time.  Servers also often run multiple services on the same system.  Thus, each system uses separate ports, akin to individual mailboxes.  Each computer has 65536 of them¹.  On the sending side, a free port is usually allocated at random and used for the duration of the connection.  At the server end, a fixed port is used to “listen” for incoming requests.  When sending data from one computer to another, the sender needs to tell the receiver which mailbox (or port) the data came from, and which it belongs in, so that data goes to the right place, and any replies can be correctly addressed.

The problem now, is that the address space on this global network is now in the hands of regional registries.  These regional centres look after the Internet services for a given geographic region.  Once those registries run out, it’s game over.  Internet service providers are forced into deciding between one of four actions:

  1. Turning away new users (the infamous “No Vacancy” sign)
  2. Implementing Carrier-wide Network Address Translators
  3. Becoming a walled garden
  4. Moving over to something new

I can see option 1 is not going to be popular, so I’m not even going to discuss it.

Option 2 is already happening in parts of Asia.  Rather than giving everyone a number that is recognised world-wide, they give you and fellow customers private ones.  They then employ an intermediate server, a Network Address Translator to re-write the addresses on the IP packets so that they appear to be sent from that server.  NATs of course are not just things that exist in ISPs, home internet routers often do exactly this.  Another example of NAT is Microsoft’s Internet Connection Sharing.

When a computer sitting behind the NAT wishes to contact a server outside, the NAT instead picks one of its ports, and places the outgoing message there.  It then replaces the source address and port with its publicly visible address, and the port number it chose, and forwards that on to the outside world.  When the reply comes back, it re-writes the destination on the reply to point to the original address and port number of the originating computer.

There isn’t a theoretical limit to the number of computers that can exist behind a NAT.  The limitation is the number of ports.  Ports may not be shared by two applications, if a program or service is already using a given port number, it is essentially unavailable for others until that program or service is finished.

That means that for any computer, there can be a maximum of 65536 connections at any one time.  NATs are not magical devices, and this limit applies to them too.  In this modern age of parallel computing, even web browsers will frequently launch multiple connections in parallel.  Some of these connections are short lived (such as the time taken to download the text off this page), some take a while (such as the time taken to download one of the keynote speeches linked to earlier).  The resource demand will change over time with user habits.

The first big problem with NATs though, comes when you have an application that needs to be contactable from the outside world.  The application for all intents and purposes is like a server, and is listening for connections.  The trouble is, this computer is behind a NAT, and its actual address is a private network address.  Even if an outside computer knew what it was, it wouldn’t know how to get there, and quite likely, wouldn’t be allowed even if it did.  So the only way to be contacted, is via this NAT box.

Now suppose you tell someone (or the application does on your behalf) your NAT box’s IP address, and the port number your application is listening on and an outsider tries to make contact.  The NAT box hears the request, but where does it send it?  It knows nothing about this port!  The NAT box has to be told to reserve one of its ports (which again must be unique), and to forward any packets sent there, to the right port on your computer.

The hardest bit here is that not all NAT devices work the same way in this regard, there is no de-jure standard for configuring a port-forward.  Microsoft UPNP is one of many de-facto standards that exist, and not all NAT devices or applications support it.  A lot of these also have lots of problems of their own.  In some cases, you have to set this up yourself.  Doable if the NAT device is under your control, but in the future we may be faced with NAT devices that are controlled by ISPs.

The applications that will be hardest hit by this will be any applications that rely on peer-to-peer communications.  This includes, amongst other things, the file-sharing services in instant messenger clients, peer-to-peer file sharing services such as Bit-Torrent, and Voice-over-Internet Protocol applications such as Skype and EchoLink.  IRLP, which relies on nodes having a static public IP address will be hit particularly hard, many ISPs already charge extra for the privilege of a static IP.

Hardware devices that use the Internet are not immune from this too — in fact the situation there may be made worse, since in a lot of cases, the port numbers used are hard coded in the device’s firmware.   You may ring up to get that special port forwarded, and already discover that another customer of the same ISP rang up 5 minutes ago and claimed it before you.

Ignoring these niggles, NATs don’t sound too bad if everyone is playing by the rules.  But what if someone decides to set up an Internet marketing company and starts filling up everyone’s email boxes with yet more “Discount Viagra” offers.  The way things are here in Australia, the ISP gives each customer a public IP address (which may be static, or it may change on a regular basis), and that is used as the public address on a NAT device owned by the customer.  If a customer were to do that, the IP address of that NAT device is visible in the emails sent — an ISP can simply look up who had that IP address at that time, and can immediately take action.

Now, suppose that instead, the ISP relied on NAT.  The IP address would be that of the ISP’s NAT box.  The culprit could be any one of the many users sitting behind it.  “Jjust log each connection on the NAT box” you say.  Deary me, could you imagine how slow that would be?  Not to mention the disk space used!

Now what happened if at the same time, other users were legitimately sending emails to that same network?  The logs point to a dozen users, which one was it?  If the complainant told you the source port used in the connection when the email was sent, maybe you can look that up, but I’m yet to see that sort of information recorded in system logs, email headers certainly don’t have them.

Clearly, this is not a solution.  It’ll make address space stretch a little further, but not without causing a world of pain for software developers who have to make their software compatible with differing standards, and causing the rest of us grief as we drown in a mountain of malware and spam.  If you think spam today is bad, you ain’t seen nothin’ yet!

The other way ISPs can go, is to close off from the world, and becoming a walled garden.  That is, you need to be a member of their network, to be in contact with other users that happen to also use their network.  Or if they provide connectivity to neighbours, it’s costly, and/or heavily controlled.  Anyone remember CompuServe, America Online, The Microsoft Network?  Ring any bells?  Those long-ago isolated bulletin board systems?  If they do, I apologise for stirring up bad memories.  If they don’t, count yourself lucky, and hope like hell ISPs don’t go back there!

I did say there was a fourth solution didn’t I?  Something new?  The Internet Engineering Task Force weren’t naïve enough to assume 32-bits would be enough.  They recognised that this would be a problem way back in the early 90’s.  They formed the Internet Protocol Next Generation working group, which in 1998 produced RFC2460Internet Protocol version 6.  IPv6 extends the address space to 128 bits, a big improvement on IPv4.  It also addresses a number of other bug-bears that people had with IPv4.

Some notable ones include: Mobile IPv6 extensions to allow a portable computer (such as a smart phone) to remain contactable at the same address as it roams between multiple networks, improved quality-of-service handling for real-time streaming and multimedia, automatic addressing and simplified headers to make routing easier.

The biggest feature though is the address space.  NAT is not implemented in IPv6, it is not necessary as there’s enough space to move around.  Rather than being given a single IPv4 address which you must share with all your computers, in IPv6, you get given a whole network address prefix.  Typically this prefix is 64-bits long, leaving you the remaining 64-bits of space to allocate to each of your computers.  How many addresses is that?  Remember the 4-billion (approximate) number I quoted for IPv4?  Square it!  If you have a computer network bigger than that, I do not want to see your power bill!

Modern computer operating systems can function on IPv6 already.  Microsoft Windows XP includes support, which can be enabled by following a few easy steps.  Windows Vista and 7 come with it enabled out-of-the-box, as do Mac OS X, Linux and the BSDs (FreeBSD, OpenBSD, NetBSD, etc…).  Hardware devices can be made to support IPv6 by a simple firmware upgrade, if one is available.  If a manufacturer has not published a firmware upgrade for a device you own to support IPv6, contact them now!

ISPs world wide are dragging the chain on IPv6 take-up.  There are some notable exceptions, here in Australia for instance Internode offer native IPv6 for their customers.  I’m unaware of others in Australia.  If your ISP is one of the IPv4 sheep, it’s now time to contact your ISP and ask them what they are doing about IPv6.  In the meantime, you can get an IPv6-in-4 tunnel from a tunnel broker such as AARnet, Hurricane Electric or Sixxs.

Many online services are slowly making the move over to IPv6.  Google can be accessed via for instance.  This blog is accessible via IPv6 (thanks to AARnet).  Sixxs have a big list of sites that are IPv6 enabled.  In June (the 8th to be exact) this year, there will be a world-wide test of IPv6.  Google (as in their entire site), FaceBook and Microsoft’s Bing search engine among many other sites will be going IPv6-enabled on World IPv6 day.  If you’re not already on IPv6, it’d be great if you could join us.

Openness is one of the things that made the Internet popular.   There is a very real threat that this openness or freedom we currently experience will be lost.  If you’re a software developer, we need you to ensure your software works with IPv6 for it to keep working into the future.  If you’re a network administrator, you need to ensure your network is IPv6 compatible.  If you’re a consumer, we need you to start pestering the help desks of these software companies, device manufacturers and ISPs to ensure the commercial world sees the user demand for this!

To quote Mark Pesce, “a resource shared is a resource squared”.  We need to ensure the Internet remains open and free, for all people into the future.

1. To be more accurate, there are 65536 TCP ports, and 65536 UDP ports. However, a UDP port cannot be used for TCP traffic, or vice versa.

2. RFC = Request for comment

LCA: Mark Pesce’s warning about centralised communication

Well, I won’t say much but point-to-point and point-to-multipoint does not have to be short-range or rely on centralised infrastructure.

People have been using a means of such communication for over 100 years, which allows for ad-hoc, distributed communications. Yes, it prohibits the use of encryption, but that doesn’t prevent us from using it as a means of communication over great distances.

Come join us.