ipng.png

IPng

DNS Pollution

An important problem solved with IPv6 is the enormous amount of new IP numbers that can be given out. To this extent, even the smallest node of Internet (a cable modem/dailup) gets a staggering amount of IPs. Normally, somewhere in the range of 2^64 to 2^80.

With this new address space, people are more easily delegated address space resolving via a reversed DNS zone. The main problem we face is that inexperience and ignorance leads people to pollute their DNS zones.

A hostname on Internet is of the form: hostname.domain.tld Perhaps, if you are a delegation within the 'domain.tld' domain, you will receive a subdomain, which makes your hostname: hostname.subdomain.domain.tld This addressing scheme, which is documented in RFC1178, was devised to organize DNS as a logical hierarchy.

Having hostnames like 'I.am.the.king.of.internet.domain.tld' or any other form of sentence, phrase, are without any doubt, in disagreement with the hierarchical definition of the global naming system (DNS).

One of the biggest problems with this DNS pollution in general is the fact that the IP's for these 'vhosts' could have been used for a company providing dailup services, SSL webservers and other useful reasons instead of a 'nice vhost on irc'.

As a general rule of thumb; a hostname belongs to an interface on a machine. This interface should get a hierarchical name, named after the machine or a name describing the interface. Eg. 'raven.example.org', this box is called raven and is in the example.org domain. 'raven-adsl.example.org' which is raven's ADSL interface. 'crow.wlan.example.net' could then for instance be a laptop using the wireless LAN network of example.net.

Hostnames that consist of phrases, bogus domains, bad language or in other forms undesirable textual data, are considered to be: DNS pollution and this form of behaviour will be acted upon on #IPv6,#cu2.nl and #linux.nl (IRCNet) Also IRCNet itself has a nice policy.

Joost 'Garion' Vunderink created a spam calculation script which can be found at http://spamcalc.net, this allows semi-automatic checks for dnsspam.

Information

IPng stands for IP Next Generation, and it is a different name for the global IPv6 network that is currently being deployed. Ever since 1997, students of the University of Technology in Eindhoven (TU/e) have been active on the 6bone. One of these students, Pim van Pelt, started collaborating with Intouch in late 1999. At Intouch, he has been building a production network with usage of the IPv6 protocol. In early 2000, Intouch joined the Group of Six, six large network operators at the Amsterdam Internet Exchange (AMS-IX) in a unique project, which involves native IPv6 transit over an IX. Basically, the AMS-IX board have granted us a dedicated vlan on the shared medium which we use to interconnect our routers without the usage of intermediate tunnels. We are:

Basically, Intouch provides IPv6 connectivity and services to those of you interested in connecting to and working with the 6bone. IPng provides endusers free IPv6 tunnels along with a subnet allocation on request for non-commercial and/or research purposes.

IPng has been migrated to the SixXS system. If you desire to have a tunnel and/or subnet from IPng. You should check the SixXS website. There you can signup for an account and request tunnels and subnets to multiple POPs amongst which IPng is present.

Contact

IPng is a collaboration between WiseGuys and Intouch. These companies spend their time and resources on IPng, to keep the routers up and the software and servers running.

The main contact address for IPng is info@ipng.nl. All questions, comments and somewhat everything else should be directed there..

For (BGP) peering requests, contact peering@ipng.nl.

Abuse and related messages should be sent directly to abuse@ipng.nl along with suitable proof.

However, also a select group of individuals, all having their own distinct qualities, maintain and expand the IPng functionality and network. They are:

DNS Setup

For those of you not yet familiar with the topic 'reversed DNS' or the in-addr.arpa files, please read up on that and when you are confident that you are running a working named (Bind 8.2.2+ will do fine) with a 'standard issue reversed DNS zone' like 0.168.192.in-addr.arpa, continue here.

Here's some examples out of the delegation for Intouch:

First, declare our authority (analogous to IPv4 zones).
$ORIGIN 0.0.0.0.4.1.1.8.e.f.f.3.ip6.int.
@ IN SOA ipv6.intouch.net. hostmaster.ipv6.intouch.net.
(2000090602 3600 900 1209600 43200)
NS ipv6.intouch.net.
NS ns1.wise-guys.nl.
TXT "Native Intouch IPv6 network"

Remember to use $ORIGIN a lot. This makes the address 3ffe:3001:6::1 resolve
$ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.4.1.1.8.e.f.f.3.ip6.int.
1.0.0.0.0.0.0.0.0.0.0.0 PTR amsterdam.core.ipv6.intouch.net.

Here, we delegate 3ffe:8114:2000:0000::/64 to Cliff Albert (CA2-6BONE)
$ORIGIN 0.0.0.2.4.1.1.8.e.f.f.3.ip6.int.
0.0.0.0 NS ns1.oisec.net.
NS ns2.oisec.net.

OS Setup

When you recieve a tunnel from IPng, you will get the following information via email. It is very important, so write it down somewhere before continuing. We will mail the instructions to the first email address we find in the person-object at the whois database. The information is: IPv4 tunnel info: 212.19.192.219 <-> [Your IPv4] Our IPv6 address : 3ffe:8114:1000::xx/127 (our 'tunnelendpoint') Your IPv6 address: 3ffe:8114:1000::xx/127 (your 'tunnelendpoint') Your 6bone handle: nic-hdl Setting up the tunnel consists of the following steps:

  1. Chose the OS you will run
  2. Make sure it is IPv6 ready
  3. Configure the tunnel to IPng
  4. Done

Click on Next to continue.

Note that on the SixXS website there is an extended FAQ topic about this covering more platforms.

Mailinglist

The ipv6@ipng.nl mailing list is the IPng forum for open discussion on the IPv6 protocol and its deployment in a European and global scale. The subscription and unsubscription are open, but posting is restricted to members only, thus spam free. We keep a public archive of the topics discussed on the web, see below. Each IPng tunnelbroker user is automatically added to the mailinglist but they can request removal freely.

To post a message to all the list members, send an email to ipv6@ipng.nl.
You can subscribe to the list, or change your existing subscription, here.

Mailinglist Management
Mailinglist Archives

Our numberplan

Intouch-NL is a pTLA: 3ffe:8110::/28
IPng has a large delegation: 3ffe:8114::/32

Tunnelspace

Network: 3ffe:8114:1000::/48
Description: This network consists of tiny /127 networks. Each of these in turn consist of the IPng side (even IPv6 number) and the tunnel enduser side (odd IPv6 number).
Example: 3ffe:8114:1000::0 -> 3ffe:8114:1000::1/127 is Tunnel1.
Example: 3ffe:8114:1000::2 -> 3ffe:8114:1000::3/127 is Tunnel2.

Static Tunnel Delegations

Network: 3ffe:8114:2000::/48
Description: This network consists of /64 delegations (a total of 16384). Each user is granted a /64 and can request up to a maximum of 16 consequtive /64's. We therefore reserve 4 bits address space for each tunnel. We number them as follows.

Example: 3ffe:8114:2000:0000::/64 is Delegation1
(3ffe:8114:2000:0001::/64 - 3ffe:8114:2000:000F::/64 is reserved for Delegation1)

Example: 3ffe:8114:2000:0010::/64 is Delegation2
(3ffe:8114:2000:0011::/64 - 3ffe:8114:2000:001F::/64 is reserved for Delegation2)

Future expansion

Network: 3ffe:8114:8000::/33
Description: This network consists of half of the IPng space. We will expand our networks as we see fit in the future. It will remain unused for the time being (as of December 2000)

Frequently Asked Questions / Q&A

Following is a list of frequently asked questions. If your question and answer is not on the list, don't hesitate to ask on the ipv6@ipng.nl mailinglist or to the staff at info@ipng.nl.

Q. I want a tunnel at IPng.nl What do I do ?

A. If you have a permanent, static Internet connection, you can request a tunnel to IPng.nl. You can find details on the Static Tunnel pages.

Q. I do not have a 24/7 connection. Can I have a tunnel ?

A. No. The reason for this is, that when you disconnect from the internet, and the next user gets your dialup IP, the next user can get traffic sent to his IP from the IPng.nl router. We send all IPv6 traffic through your tunnel to the IPv4 endpoint with proto-41/IP traffic. If someone starts pinging your IPv6 address, some user who has nothing to do with you or IPng.nl can receive unwanted traffic. This is why we do not do non permanent tunnels.

Q. I want a /60 delegation. What do I have to do for it ?

A. Several things. We do not play around with IPv6 space, even though this is 6bone. Your pingtimes must be under 150 ms on average in the last 7 days, and packet loss cannot exceed 10%. You can check this at your statistics page: http://www.ipng.nl/user.php?hdl=6BONE-HDL You have to be an administrator of some nameserver (bind8+) and this has to be yours, not some free-DNS like Cranitecanyon or such. If you meet these criteria, send a freeform email to info@ipng.nl and request a subnet delegation. We need your 6BONE-HDL, and nameserver IP. Also see Getting a /60.

Q. I configured my nameserver. Do you have the zone ?

A. You can check this yourself: man dig
Assuming you have the subnet 3ffe:8114:2000:1230::/60 type: $ dig @ns1.ipng.nl 3.2.1.0.0.0.2.4.1.1.8.e.f.f.3.ip6.int. NS
and you will see our nameservers listed in the answer section. Another way ofcourse is to check your User page. It will also show all the reverses you added. Reverse zones will be transfered four (4) times a day to bfib.ipng.nl which will filter them and place them into the zone files which will be distributed to the secondaries. Watch out for dnsspam.

Q. I checked the users page. What do the Status and DNS fields mean ?

A. Status and DNS are explained below:
Status reflects our current view of your tunnel. If the ping times are under 150 ms, and the packet loss is lower than 10%, it is marked good. If either packetloss exceeds 10% or pingtimes exceed 150ms, we mark it as slow. If your tunnel does not receive any ping (100% loss) we mark it a down . DNS reflects our current view of your DNS zone. If our namserver ns1.ipng.nl does not have the zone, you are marked down. If our parser has found errors in your zone, it is marked ERR and you can click the link to find out what is wrong. If the zonefile looks okay to us, we will mark it a nice and green okay.

Q. Someone is abusing his/her/it's/* IPng.nl connection!

A. Report this directly to abuse@ipng.nl, send along proof of the actions of these users. We provide full information about all our users through the Users page. This hopefully discourages persons to abuse IPng.nl as a hiding ground. We keep close contacts with IRC network operators and other tunnel providers to avoid these problems.

Q. I got some other tunnels on my machine and now I can't use IRC anymore from them.

A. If you do not understand how source based routing works for your OS, kindly either delete the foreign tunnels, or request deletion of your IPng.nl tunnel and delegation from us. We are not willing to haul other AS:es traffic over our tunnels to you, nor do we accept it from you.

We refuse to route your other network space over our infrastructure and will act upon further abuse from your side with permanent removal from our tunnel broker if we see more unwanted traffic in the future.
We are currently DROPPING any traffic which should not be originating from your tunnel.
In short this means only your tunnel endpoint and delegation address are allowed, abuse is not tolerated.
It's not the fact that you shouldn't use your tunnel, but when you use it, route the correct space over it.

Q. Is there a common IPng.nl mailinglist?

A. Yes there is, it's ipv6@ipng.nl, one can subscribe to it using the mailman interface. All IPng.nl users are automatically subscribed to it, but are allowed to unsubscribe from the list.
The ipv6@ipng.nl list is open for subscribers, if you want to join you can so here.
Notez bien; it's a closed list, only subscribers can post to it, so join up first.
Q. Emails with the subject "[IPng] Prolonged Downtime" A. This basicaly means your side is not replying pings. This can be for several reasons.

  1. You are blocking ICMPv6.
  2. You are rerouting the ICMPv6 echo-reply through another tunnel.
  3. Your IPv4 path to IPng.nl is broken for proto-41

IPng.nl tests your connection by pinging using ICMPv6 packets from ping.ipng.nl (3ffe:8114::1) to your IPv6 tunnel endpoint. One way to easily find out if you have a setup problem is by doing a tcpdump and pinging ping.ipng.nl and checking if you see a response coming back if that's the case leave your tcpdump running and see if you get the hourly ping.