SixXS - Thank you for your service! Let there be native IPv6 for everybody
Monday, June 5. 2017
Ok, we've established earlier that IPv6 isn't getting traction. ISPs are simply too lazy and they don't care about their customers, only their profits matter. It's really bad for profit to do improvements on their systems and networks. Meanwhile IPv4 addresses ran out at IANA, but ISPs don't care about that either, they stockpiled addresses and have plenty to go with.
To get IPv6 on my systems, I've been using the free-of-charge service SixXS for almost 10 years. They provide IPv6-over-IPv4 tunnels using IP protocol 41, also known as 6in4. The tunnels I've been using in Finland have been provided by a local ISP, DNA, again free of charge. During those years of service, I managed to accumulate almost 7000 ISK, that's 5 ISK per week per tunnel, if the tunnel is running without any problems.
On IPv6 day (6th June) 2017 SixXS will shut down all services. See the sunset announcement for their rationale for doing this. They pretty much say that they ran tunnels for 17 years and don't want to do that anymore, ISPs should provide native IPv6 to every single customer they have. I totally agree with them. Still, I'd like to keep my tunnels running.
It is what it is, decisions have been made and it's not going to change. So, my sincere thanks go to SixXS and DNA, and especially to all the hard-working people in those organizations. Thank you for your service!
Advent calendar 2016
Thursday, December 1. 2016
Unlike last year, I didn't manage to get me an advent calendar this year. Unfortunately for me, Central European on-line stores won't do deliveries to Finland anymore.
This year I had to go for a much less elegant solution:
That's one for each of the 24 days.
Personally I'd prefer the real ones I had for the past couple years, but this will have to do.
Why is there no real commitment for IPv6?
Saturday, October 29. 2016
I've been an active IPv6 user for many, many years. Of course my ISP doesn't offer native IPv6, so I'm using a tunnel from SixXS. They have been providing such tunnels free of charge for years, and for that I thank them and the ISPs volunteering their capacity for us nerds to have decent IPv6 connectivity. SixXS got tired of IPv6 not getting any traction, the ISPs have almost zero commitment to allowing people to use real, native IPv6. SixXS has a campaign called "Call Your ISP for IPv6!", but I don't think that's going to make much of an impact. When any ISP is actually asked about their IPv6 support, they'll stall with "we'll announce it later" or "but we do support IPv6" (by some unusable mechanism).
When looking at what's happening on the ISP side, Telia (or Sonera, as we call it here in Finland) has enabled 6rd for their connections. It builds on DHCPv4: the DHCP reply returns enough parameters for the customer's box to derive its own /64 IPv6 prefix from its IPv4 address. It kinda works, but ... still not the real thing I'm after. Also Elisa and DNA, two big mobile telcos in Finland, started offering IPv6 (DNA, Elisa) to their customers, but ... I'm not going to change my home fiber for a mobile connection. So something is happening on the telco scene. I'm just waiting for my ISP (Elisa) to act on the wired side too.
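To show what the 6rd parameters handed out over DHCPv4 actually buy you, here is an added example (my own code, not from the post or from any ISP) of the RFC 5969 address mapping: the customer's public IPv4 address is appended to the ISP's 6rd prefix to form the delegated IPv6 prefix, and a 6rd relay recovers the IPv4 address from any address in that prefix. The 6rd prefix 2001:db8::/32, the IPv4MaskLen values and the customer address 192.0.2.1 are constructed documentation values, not Sonera's real parameters.

```python
import ipaddress


def sixrd_delegated_prefix(sixrd_prefix: str, ipv4_mask_len: int,
                           customer_ipv4: str) -> ipaddress.IPv6Network:
    """RFC 5969 6rd mapping: 6rdPrefix || (IPv4 address minus its first
    IPv4MaskLen bits).  With a /32 6rd prefix and IPv4MaskLen 0 the customer
    gets a /64, which is the setup the post describes."""
    prefix = ipaddress.IPv6Network(sixrd_prefix)
    v4 = int(ipaddress.IPv4Address(customer_ipv4))
    v4_bits = 32 - ipv4_mask_len                 # bits of IPv4 that are embedded
    v4_suffix = v4 & ((1 << v4_bits) - 1)        # drop the bits common to the whole ISP
    new_len = prefix.prefixlen + v4_bits
    addr_int = int(prefix.network_address) | (v4_suffix << (128 - new_len))
    return ipaddress.IPv6Network((addr_int, new_len))


def sixrd_embedded_ipv4(sixrd_prefix: str, ipv4_mask_len: int, ipv6_addr: str,
                        reference_ipv4: str) -> ipaddress.IPv4Address:
    """Reverse mapping, as a 6rd relay or CE does before encapsulating a packet:
    pull the embedded IPv4 bits out of the IPv6 address and restore the
    IPv4MaskLen high bits from a reference address in the same domain
    (with IPv4MaskLen 0 the reference is irrelevant and may be 0.0.0.0)."""
    prefix = ipaddress.IPv6Network(sixrd_prefix)
    v4_bits = 32 - ipv4_mask_len
    a = int(ipaddress.IPv6Address(ipv6_addr))
    suffix = (a >> (128 - prefix.prefixlen - v4_bits)) & ((1 << v4_bits) - 1)
    high_mask = (0xFFFFFFFF << v4_bits) & 0xFFFFFFFF
    high = int(ipaddress.IPv4Address(reference_ipv4)) & high_mask
    return ipaddress.IPv4Address(high | suffix)


if __name__ == "__main__":
    # Constructed ISP parameters (not Sonera's): 6rd prefix 2001:db8::/32, IPv4MaskLen 0.
    pfx = sixrd_delegated_prefix("2001:db8::/32", 0, "192.0.2.1")
    print("delegated prefix:", pfx)                       # 2001:db8:c000:201::/64
    print("relay sees IPv4:", sixrd_embedded_ipv4("2001:db8::/32", 0,
                                                  "2001:db8:c000:201::1", "0.0.0.0"))
    # If the ISP's customers all share 192.0.0.0/8, IPv4MaskLen 8 saves 8 bits
    # and the customer gets a /56 instead.
    print("with IPv4MaskLen 8:", sixrd_delegated_prefix("2001:db8::/32", 8, "192.0.2.1"))
```

The practical consequence of the mapping is visible in the output: the customer's IPv4 address is readable straight out of every 6rd IPv6 address, so 6rd gives you addresses, but no more privacy than the IPv4 address already does, and the prefix changes whenever the IPv4 address does.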
The other side of the chicken-and-egg problem is the services. There is no real commitment on their side either. For example Amazon AWS (a really huge infrastructure provider) doesn't really support IPv6: they have nice IPv6 support for Internet-facing load balancers, their S3 storage and their content delivery network CloudFront, to mention a few. But when it comes to running a server instance with real native IPv6, no dice. So, you can market your service as IPv6-ready, all the critical Internet-facing services really do support IPv6, but your infra runs on IPv4 private addresses. Not cool.
And when it comes to services, this is a typical scenario:
That's what's been happening for LinkedIn for I-don't-know-how long. At least this week.
Me being the nerd I am, some background investigation:
# telnet www.linkedin.com 80
Trying 2620:109:c007:102::5be1:f881...
telnet: connect to address 2620:109:c007:102::5be1:f881: Connection timed out
Trying 91.225.248.129...
Connected to www.linkedin.com.
Escape character is '^]'.
A classic.
Their IPv6 is down and they don't know about it. This is their level of commitment:
In September 2014, they announced a "Permanent launch of IPv6". But none of them use it themselves, or they would have realized it has been down for a week! The really scary thing is that they cannot afford $10 a month for a Pingdom check.
That's what I recommend everybody to use for monitoring on-line services. Any reputable admin needs to know the second a service is out of reach of the general public. IMHO that should include admins at LinkedIn too.
When it comes to lack of IPv6, I need to come clean. This blog isn't running on IPv6 either. Since most of you don't have it, it is impossible for you to know. My co-location host cannot offer me IPv6, so there is nothing I can do.
But why? Why is there no real commitment for IPv6? What's blocking all sensible people from going all-in on IPv6? Everybody knows that all possible IPv4 addresses were allocated by IANA to telcos and ISPs in January 2011. So, there are no more. Of course there are plenty of available addresses in the RIRs to allocate to regional telcos, so we're not completely bankrupt on IPv4 addresses. But that day is eventually coming, it's just a waiting game. Notable efforts like World IPv6 Launch Day yield no mentionable results.
So what's holding us back? I don't know of anything else than everybody taking the path of least resistance. Since there are available IPv4 addresses, why risk a change. With change things can break, or something may shift so that some people lose some and others win some. Not that much of a risk, if you ask me. But here we are, inching towards IPv6 very slowly. Speed it up, goddamnit!
Fixing Google's new IPv6 mail policy with Postfix, part 2
Wednesday, September 14. 2016
I got a comment from Mr. Martin that Google changed their SMTPd, so I'll have to revisit the article.
As suggested, the new /etc/postfix/smtp_reply_filter would be:
#New 2016/09:
/^5(\d\d )5(.*. \S+ - gsmtp.*)/ 4${1}4$2
The above works perfectly on my box.
Again, thanks to Mr. Martin for bringing this topic to my attention.
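To make it visible what that one-line pcre table does to Google's replies, here is an added example, written by me for this page and not taken from the post or from Postfix: the same pattern and replacement applied in Python to constructed SMTP reply lines. The Google reply text, the IPv6 address 2001:db8::25 and the session id are made up for the test; the rewrite turns a Google 5xx into a 4xx, so Postfix defers the message (and, if configured for it, retries over IPv4) instead of bouncing it.

```python
import re

# The smtp_reply_filter entry from the post, expressed as a Python regex.
# Postfix's ${1} and $2 become \g<1> and \g<2> in re.sub().
GSMTP_PATTERN = re.compile(r'^5(\d\d )5(.*. \S+ - gsmtp.*)')
GSMTP_REPLACEMENT = r'4\g<1>4\g<2>'

# Constructed reply lines, not captured from a real session.
GOOGLE_IPV6_REJECT = (
    "550 5.7.1 [2001:db8::25] Our system has detected that this message does "
    "not meet IPv6 sending guidelines regarding PTR records and "
    "authentication. a1si123456wrx.123 - gsmtp"
)
OTHER_REJECT = "550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown"
GOOGLE_TEMPFAIL = "421 4.7.0 [2001:db8::25] Try again later, closing connection. b2si654321wrx.456 - gsmtp"


def filter_reply(reply_line: str) -> str:
    """Apply the smtp_reply_filter rewrite to one SMTP reply line."""
    return GSMTP_PATTERN.sub(GSMTP_REPLACEMENT, reply_line)


def classify(reply_line: str) -> str:
    """How Postfix treats the filtered reply: a 4xx is deferred and retried,
    a 5xx is bounced to the sender."""
    first_digit = filter_reply(reply_line)[:1]
    return {"4": "deferred", "5": "bounced"}.get(first_digit, "other")


if __name__ == "__main__":
    for line in (GOOGLE_IPV6_REJECT, OTHER_REJECT, GOOGLE_TEMPFAIL):
        print(f"{classify(line):8s} {filter_reply(line)}")
```

Two things to keep in mind when using the filter: the `(\d\d )` group only matches a status code followed by a space, so a continuation line written as `550-5.7.1 ...` is not rewritten by this pattern as written; and the pattern matches every gsmtp 5xx, including genuine permanent rejections from Google, which are then retried until the queue lifetime expires instead of bouncing immediately.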
Amazon EC2 spot prices
Friday, August 26. 2016
I was about to do some testing with a cheap Elastic Compute Cloud Linux-instance, but ... AWS wouldn't allocate me one.
Here is the reason from Amazon EC2 Spot Instances Pricing:
Somebody really lost his marbles and is paying ludicrous price for a box.
Ok, in reality that has to be the work of two (or more) automated systems competing with each other in a situation where capacity of i2.4xlarge instances is scarce. Any human would do what I did, just pick the bigger box and be happy about that. That instance type with normal pricing costs like $3.41 / hour, and with spot pricing it goes for ~60 cents / hour, but not when automated bidding goes haywire.
Megazoning (or Laser Tagging)
Wednesday, June 29. 2016
I'll post something not about computers for a change. It's pretty close, but still, not about computers.
Any self-respecting nerd (such as me) loves video games. Doing first-person-shooter games IRL is always both fun and a lot more difficult than on a computer.
We had a company activity and went to the nearby Megazone for a couple of rounds of always fun laser tag. Since it was my first time ever doing that, it was like a slap in the face. I'm a 2nd lieutenant in the FDF reserve, so I have a basic understanding of tactics in a battle. Also I've played video games since the early 80s and FPS games since the first Wolfenstein. On top of that I've been paintballing enough to know that there is enough realism in video games and paintballing to match real military tactics. However, anything I knew about combat, tactics and fighting at that point was useless.
In the game there were three teams and you, so pretty much everybody you see is an enemy. Megazone is mostly about movement and speedy tags of any visible opponents. The worst thing that can happen to you there is that you're unable to fire your weapon for 8 seconds. During a 25 minute round that's not too dangerous. In paintball or war you're out on the first "tag", here you aren't, it's just a game of accumulating points.
Here are my stats from first round:
I sucked!
My handle in the game was Macro (in the Red team), so being 8th out of 14 wasn't that good. Tactically the maze was a nightmare! In the original Wolfenstein it was possible to be hit only from the front, back or sides. In Megazone there were 2 floors, but the upper one was a metal grid walkway making it possible to shoot through. That made a 5th direction from which getting hit was possible. At best I found a couple of locations where it was possible to get some cover and get hit only from two directions. The only even semi-functional tactic I found was to ignore any defence, cover and cautiousness. Just going recklessly forward and out-gunning everybody on reaction seemed to work well. Also sniping people long-range was a really good tactic, sometimes I could do 4-5 people from a single position. They never saw me. I also did try attacking enemy bases and defending our own base, but they were totally pointless exercises in futility, I spent too much time trying to figure out the value of those.
Here is my second round:
Quite an improvement in points and ranking. I was best in our team and 3rd in total!
Megazone was great fun, but with my background, it'll never be my favorite thing. I want to see my opponents suffering when I hit them, in laser tag that doesn't happen.
Recycling used Samsung laser printer cartridges
Wednesday, January 6. 2016
Every now and then I need a paper copy of something. In Finland, which by my observations is quite far advanced in paperless processes (working environment or otherwise), that's rare. The obvious exception to the rule is bookkeeping and banks. They won't live without a hard copy of something. For the purpose of producing a printout I have a Samsung color laser printer. When it was new, I even made a humorous note of it.
The general grievance about modern printers is that they cost around € 200,- and almost immediately run out of [insert a name of expensive supply product here]. In my case, nothing less than all colors cost way above € 300,-. But that's not my rant of the day, I knew all about that when I decided to have the unit shipped to my front door. Korean engineers @ Samsung made the actual process of changing a color cartridge a very simple one. I have to say that the hardest part of that is un-boxing the new ones. They are so tightly vacuum-sealed. So, no groaning about that one either.
What do you do with those darned expired things when you're done?!
I had replaced the black cartridge earlier, it always runs out first. In this instance, I replaced only the colour ones (CMY). So, only 3 useless boxes to throw out of the house.
From the Web, I found somebody having the same problem. This article is in Finnish, but it's pretty much about a Samsung color cartridge not having any kind of recycling info on it. Samsung's rep responds that "oh yes, there are instructions". This is the only thing I found about the subject:
It says to go to www.samsung.com/printer/recycle for information. I did and landed at the Samsung S.T.A.R Programme (Samsung's Takeback And Recycle). It has the following information about returning used cartridges on the How to return your used cartridge page:
- Place your used cartridge in the bag and box which came with your new Samsung toner cartridge. In case you wish to send more than one cartridge for recycling, please put all cartridges in one big box, or tape the individual boxes together.
- Close the box using clear tape;
- Register yourself/your company on our STAR website. In case you have already registered yourself/your company, please log in using your user name and password. Choose the number of empty cartridges you would like to return and press the ‘get your label!’ button. Your order will be processed immediately. Only one (1) return label will be sent to your registered email address or will pop up at your screen;
- Print the return label and place it on the large side of the box. If the return label contains a bar code, please keep this bar code visible;
- Drop off your box at the nearest post office or include it in your usual mail collection.
Well, I guess I'll have to register on the site and get myself some clear packing tape. After doing that, it was possible to print the following packing slip:
Looks like valid customer return information as required by postal services. Now the last thing is to go to a post office and leave the bundle there.
So, the information was there. Obviously the entire process is a bit more complex than just taking out the garbage, but I guess the Samsung guys will properly handle all the troublesome waste there. That should save the Earth!
Advent calendar 2015
Sunday, November 15. 2015
Like last year, I happened to get myself an advent calendar this year too. The layout is a classic 24 x 0,5L containing 24 lids for the days in random order:
There seem to be .... erhm.... problems transporting alcohol to Finland, and many European vendors have pulled Finland off their list of available destinations. Amazon.de still delivers Lieferello goodies to us, so I got my Drinks & Fun Die Weihnachtsbrauerei Bier-Adventskalender. The same thing on the Lieferello site would be here.
Now I'm just waiting for the 1st of December.
Update 17th and 28th Dec:
To squash a FAQ: The beers in the calendar are different. It wouldn't make any sense to buy a 24 pack of beers and call it an advent calendar. See:
- Felsgold Premium Pilsener
- Carl Theodor Lager
- Felskrone Premium Pilsener
- Pilsator Pilsener
- Durlacher Hof Weissbier
- Brauburger Premium Pilsener
- Harboe Bear Beer Strong Stout 8%
- Eichbaum Red Beer
- Edel Bayer Urtyp Hell
- Darguner Pilsener
- Kress Bayrisch Zwickel
- Barbarossa Premium Schwarzbier
- 5.0 Original Pils
- Durlacher Hof Weissbier (Hefeweissbier)
- Frankenthaler Germania Premium Strong
- Regenten Pilsener
- Maisel St. Michaelsberg 1122 Premium Pilsener
- König Wilhelm Hefeweissbier
- Mecklenburger Pilsener
- Dinkelacker CD-Pils
- von Raven Pilsener
- Eichbaum Pilsener
- Barbarossa Brauerei Helles Hefeweizen
Fixing Yleisradio (The Finnish Broadcasting Company) HTTP proxy Fail
Monday, March 23. 2015
When it comes to unlimited supply of failures, one of my absolute favorites is YLE. Whatever they try, they seem to fail at it.
They have stumbled with their on-line service (Areena) a number of times. It took them years and years, but recently it has been at the level of a semi-decent service, no major failures, works even on iPad.
As they are having an uphill fight with piracy and people not obeying the country limitations forced on them by distribution agreements, they did the only sensible thing anybody can do: if you're using an HTTP proxy, then you're out! The only natural ruling can be that anybody using a proxy is accessing their service from abroad.
Like this:
The license of this radio show says that they will apply geo-IP restrictions to it to limit the audience to Finland only ("Kuunneltavissa vain Suomessa"). It will result in sorry-you're-not-in-Finland ("Ohjelma ei ole kuunneltavissa ulkomailla") and a refusal to play. However, I am in Finland, so I should be allowed access to that.
These guys are known for their inability to think smart. It is impossible to know if somebody abroad is using a Finnish proxy or not. The only possible detection method is checking for the X-Forwarded-For HTTP header.
That should be an easy fix. Let's see:
# host areena.yle.fi
areena.yle.fi has address 91.229.138.2
areena.yle.fi has address 91.229.138.6
Whois information for their IP-block is:
% Information related to '91.229.138.0/23AS57066'
route: 91.229.138.0/23
descr: Yleisradio Oy
origin: AS57066
mnt-by: DATANET-NOC
source: RIPE # Filtered
Adding this to /etc/squid/squid.conf:
# Forwarded-for -stuff off for YLE
acl yle_areena dst 91.229.138.0/23
request_header_access X-Forwarded-For deny yle_areena
... and a restart will do the trick! The Squid proxy fully supports this kind of behavior with the acl and request_header_access directives. Now the YLE people are blissfully ignorant about whether you are using a proxy or not.
Update 24th Mar 2015 and 1st Jan 2016:
Also MTV's katsomo.fi has gone for this stupidity. The fix is obviously:
acl mtv_katsomo dst 23.54.11.0/24 # Katsomo.fi (Akamai)
acl akamai dst 23.32.0.0/11 # Akamai
request_header_access X-Forwarded-For deny mtv_katsomo
request_header_access X-Forwarded-For deny akamai
Now they allow you to watch via proxy.
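To check what the acl / request_header_access lines above actually do for a given destination before trusting them with a real site, here is an added example of my own (not Squid code, and not from the post): a small parser for the two directive forms used above, plus an evaluator that applies Squid's first-match rule to decide whether a header reaches the origin server. The evaluation order is assumed to be first matching rule wins, mirroring Squid's http_access semantics; the client address 192.0.2.10 and the unrelated destination 93.184.216.34 are constructed test values.

```python
import ipaddress

# Constructed squid.conf fragment combining the lines from the post and its update.
SQUID_CONF = """
# Forwarded-for -stuff off for YLE
acl yle_areena dst 91.229.138.0/23
acl mtv_katsomo dst 23.54.11.0/24 # Katsomo.fi (Akamai)
acl akamai dst 23.32.0.0/11 # Akamai
request_header_access X-Forwarded-For deny yle_areena
request_header_access X-Forwarded-For deny mtv_katsomo
request_header_access X-Forwarded-For deny akamai
"""


def parse_squid_conf(text):
    """Parse 'acl NAME dst CIDR...' and 'request_header_access HEADER allow|deny ACL'
    lines.  Returns (acls, rules): acls maps an acl name to its networks, rules is
    the ordered list of (header, action, acl) tuples.  Other directives are ignored."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "dst":
            nets = [ipaddress.ip_network(p, strict=False) for p in parts[3:]]
            acls.setdefault(parts[1], []).extend(nets)
        elif parts[0] == "request_header_access" and len(parts) == 4:
            rules.append((parts[1], parts[2], parts[3]))
    return acls, rules


def header_allowed(header, dst_ip, acls, rules):
    """First matching rule for this header decides (assumed Squid semantics);
    with no matching rule the header is passed through, which is Squid's default."""
    ip = ipaddress.ip_address(dst_ip)
    for hdr, action, acl in rules:
        if hdr.lower() != header.lower():
            continue
        if any(ip in net for net in acls.get(acl, [])):
            return action == "allow"
    return True


def outgoing_headers(headers, dst_ip, acls, rules):
    """The request headers that would be forwarded to the origin server at dst_ip."""
    return {k: v for k, v in headers.items()
            if header_allowed(k, dst_ip, acls, rules)}


if __name__ == "__main__":
    acls, rules = parse_squid_conf(SQUID_CONF)
    request = {"Host": "areena.yle.fi", "X-Forwarded-For": "192.0.2.10"}
    for dst in ("91.229.138.2", "23.54.11.10", "93.184.216.34"):
        print(dst, outgoing_headers(request, dst, acls, rules))
```

Running it shows the header stripped for the two YLE addresses from the host lookup above and for the Akamai range, but still forwarded to any other destination; that last case is the one to keep in mind, since every other site you reach through the proxy still learns the internal client address unless you widen the deny rule.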
Finnish Pre-paid Data Plans reviewed
Saturday, March 7. 2015
As I test different network equipment regularly, I need SIM cards and data plans for them. All of these are generally available and affordable, just go to the nearest R-Kioski and get one.
Elisa (Saunalahti)
Elisa is the biggest telco by number of customers and market share. Their consumer products are under the Saunalahti brand, including their pre-paid data plans.
Pre-paid data plans:
- One day 4G (100 Mbit/s) 1.90 €
- One week (21 Mbit/s) 6.60 €
- One month (0,25 Mbit/s) 6.60 €
- One month (4 Mbit/s) 14.90 €
- One month (21 Mbit/s) 16.90 €
- One month 4G (50 Mbit/s) 19.90 €
- Six months (0,25 Mbit/s) 27.80 €
Incoming access:
None. All pre-paid and post-paid data plans are NATed. Post-paid 3G data plans have the possibility of changing into a non-NATed one, but that option is not available for 4G. This is total crap!
TeliaSonera
TeliaSonera is the 2nd biggest telco in Finland. As they also operate in Sweden, Norway and Estonia, overall it is the biggest corporation of these three.
Pre-paid data plans:
- One week 4G (50 Mbit/s) 12,90 €
- One month 4G (50 Mbit/s) 23,90 €
Incoming access:
None. All pre-paid and post-paid data plans are NATed. Post-paid data plans have the option of subscribing to a service (for a small fee) to get a public IP address. Having a fixed IP instead of a dynamically allocated one costs extra.
DNA
DNA is the smallest player (excluding virtual operators). When it comes to telcos, size does not matter. Their coverage is equal to the bigger players'.
Pre-paid data plans:
- 1 GiB transfer, six months 4G (150 Mbit/s) 9,90 €
- 10 GiB transfer, six months 4G (150 Mbit/s) 19,90 €
Incoming access:
All data plans are allocated a dynamically changing public IP-address.
List of open TCP ports (IP protocol 6) found by Nmap-scanning my own IPv4 address:
- 500/tcp
- 1024/tcp
- 1723/tcp
- 2222/tcp
- 4002/tcp
- 5001/tcp
- 5800/tcp
- 5900/tcp
- 6001/tcp
- 7001/tcp
- 8001/tcp
- 8081/tcp
- 8082/tcp
- 8083/tcp
- 8088/tcp
- 8090/tcp
I also tested other incoming IP protocols and they seem to pass without limitations. Running a VPN or IPv6 tunnels is completely possible.
Conclusion
The obvious winner is DNA. It is affordable, no NAT, incoming access is possible, although limited. The only drawback is for people requiring a lot of transfer, there is a limit on the amount of data. If you run out, just add another 6 month package, and you're good to go.
2nd place goes to the TeliaSonera post-paid Opengate connection. It is still affordable (17,- € / month, incl. incoming access 3G/4G), no transfer limits and allows full incoming traffic without filtered ports.
3rd place goes to the Saunalahti one day pre-paid. It offers speed, no transfer limits, but I had trouble comprehending their system. As I already had a pre-paid SIM, all I had to do was to add credits to its account, but ... I somehow didn't manage to do it. I did do it before, but ...
Slush 2014 survived
Thursday, November 20. 2014
I survived Slush 2014.
It takes a lot of energy, but is worth it. The event itself is quite an experiment. 5 stages full of talented people talking about their ideas and what they did wrong or right to deserve the right to be speaking to all of us. All the parties taking place when the actual event is not on also consume a lot of energy.
Of all the events, speeches and pitches my personal picks are (I intentionally didn't include those, to whom I'm somehow affiliated with):
- Wooga's CEO Jens Begemann describing how they create hit games, aka. the hit-filter. This seems to be a working recipe from Supercell. The fact seems to be, that if there are 100.000 games in the App Store, only top-15 of them are making serious money. So, your game needs to be in top-15, not top-500.
- Dragonbox creator Jean-Baptiste Huynh telling how he wants to change the way kids are learning algebra with a completely new approach by playing a game. It seems that schooling everywhere in the world is sticking with 300 year old methods: in order to prepare yourself to work successfully by a conveyor belt in a factory, you must sit still at your desk and do as your teacher tells you to. Doesn't sound like the 2010s to me. Huh!
- Kano founder Alex Klein wanting to turn kids into super-kids by freeing their thinking by introducing everybody into computers and programming. The apparent fact remains, that currently there exists over 8 billion computing devices in the world and only 50 million of us know how to program them (amateurs and professionals combined). His idea is to empower non-nerds to create nice things with computers too.
My thanks goes to Slush organizers, Tencent Games and Pocket Gamer.
My advent calendar
Sunday, November 16. 2014
For many, many years I haven't waited for Christmas so anxiously that I would have had an advent calendar. Not even a chocolate one. This year I chose to make an exception to that. I got a recommendation to get a proper one from Lieferello.de. Here it is:
This calendar contains 24 (as any advent calendar does) cans of beer. Nice! Finally a good reason to count days for the 1st of December.
If you want to order one, here is the direct link to Die Weihnachtsbrauerei Bier.
Nero displaying ads on Windows
Thursday, October 2. 2014
When I first saw an ad popping up from my Windows 7 system tray I was pretty convinced that my computer had been hijacked, a keylogger installed, all my files sent to a Chinese server and the police knocking down my door because my machine was serving cp-pics in a torrent network. Then I realized that the advertisement was about Nero. A piece of software that I bought and installed voluntarily. See:
As you can see from the dates on the pictures, I've been waiting for this to happen again. This time I was ready and could confirm that the culprit was indeed Nero. It is totally unclear to me if I agreed to this in the end user license agreement, but that's what they are doing. Perhaps I also gave away the birthrights of my first-born son like F-Secure did in London (see: Londoners give up eldest children in public Wi-Fi security horror show). Anyway, I'm not exactly happy that they chose to do this. Nobody knows what else they are doing.
By googling, I found out that I'm not alone with this problem. Nero's own discussion forum has a thread with the topic Why do you think it's acceptable to spam people's PCs?, and there are actually removal instructions.
First go to Task Scheduler:
There is a folder of its own for Nero, and in it there is a NeroInfo task that runs every 2 days, starting from install time. It most certainly does not display ads every time it runs, but there is the master of this botnet somewhere giving instructions on when to run and what to display. Just delete the task:
And finish it off by deleting the files also:
Now it should stay off for a while! This is a fine specimen of paid software screwing you to the ass.
Google+ hijacked my company!
Wednesday, July 23. 2014
One day I got an e-mail from Google+ saying: "HQ Code Shop Oy hasn't shared anything on this page with you". I was more than puzzled. Sure, I haven't shared anything with myself on Google+.
I clicked the link and got to the page. It had a Manage this page -button at the bottom:
It didn't do much good:
All it said was: "We are sorry, but you do not have access to this service. Please contact your domain administrator for access". Aw, come on! Why did you have to create a page for something that you don't own and not let the owner control it!
I went to my Google Apps administration console:
Yes, I have Google+ enabled for myself. However, that didn't change anything. I still was not able to manage my own company's page.
Many hours of surfing the web, reading many absurd attempts to fix the problem, and nothing. Then I went back to the Other Apps section and started reading the descriptions:
It says "Add or edit your local business listing on Google Maps" next to the Google Places service, which I hadn't subscribed to. I enabled that and hey presto! Suddenly I was able to manage the page. Naturally I had to pass the automated phone call test from Google, but I finally got control of my own property.
This is yet another shame-on-you-Google -thing they do while going towards world domination.
New Internet connection - Fiber to the Home
Friday, May 2. 2014
My blog has been in low maintenance mode, due to the fact that I had other engagements. I was moving to a new house which has an FTTH or Fiber to the Home connection.
The incoming connection is 1000BASE-BX Ethernet and the connection also carries IPTV streams in it. Of the given 1 Gbit/s I'm currently purchasing 250 Mbit/s downlink and 50 Mbit/s uplink. This costs me ~60 € per month. Not very expensive for such quality bits, huh? There is a one-time building cost of 1800+ € for the connection, but that is not slowing me down.
In detail the connection is implemented with an Ethernet fiber-to-copper media converter and a CATV module doing IPTV to DVB-C (SD channels) and DVB-C2 (HD channels) media conversion. During the setup, the fiber guy first built a couple of meters of indoor cabling connected to the thick ground fiber. The indoor fiber connects to a Swedish-made Inteno FG500 box. It looks like this:
In the first picture, there are 4 gigabit Ethernet (copper) connectors and a power connector to the CATV module. Ethernet ports 1 to 3 are routed with a firewall and NAT, but luckily port 4 is a bridged one and that's the one I'm using. From that I can get a public IP address directly from the ISP's DHCP server.
The box splits into two halves, CATV and the "regular" Ethernet part. Parts are connected via power and fiber connectors:
The router has the internal IP address 192.168.1.1 and it contains a very typical web interface for managing the box. Management looks like this:
WAN parts are configured to copper Ethernet ports with interface grouping:
It took me a while to figure all this out. It really matters which LAN port the cable is connected to. The WLAN part can be deactivated and I did just that. I dislike those integrated crappy boxes very much, they are unreliable, insecure and what else ... Being a Linux man I want to use my favorite Linksys and DD-WRT for any wireless needs.
This has got to be the best part of having a FTTH. The speed! Oh my god! Here are some sample results:
When analysing the results, two things come to my mind. First, Speedtest.net and the measuring servers it has don't go beyond 100 Mbit/s in any conditions (the software displays a maximum of 100 Mbit/s). Second, when measuring really fast speeds like I have here, the measurements are very unreliable and the results vary quite a lot when running a number of tests in a sequence. In all cases, the downlink measurement is never 100 Mbit/s or even near it. 88 Mbit/s is pretty far from 100, or from the 250 Mbit/s that I'm paying for. The uplink measurements are even worse. Those servers don't expect to be hit that hard (perhaps they see a DoS burst?). Finally, a ping of 0 ms does not sound very reliable either. I'd assume 2-3 ms to be the best reading in optimal conditions.
I've been running with this connection for a couple days only, but the assumption is that the uptimes it can keep are amazing. An ADSL-connection is pretty stable, but a fiber should be the rock-solid way to go, that's what I'm expecting from it.
Update Oct 2014:
Speedtest.net indeed goes beyond 100 Mbit/s: