Nostr notes by kasperd

Do you really need .exe if you already have .com?

2026-04-22T18:47:25Z

In reply to nevent1q…yzuz
_________________________

Do you really need .exe if you already have .com?

Client side failover is a necessity if you want reliability. Even ...

2026-04-19T11:52:11Z

In reply to nevent1q…gysx
_________________________

Client side failover is a necessity if you want reliability. Even when IPv4 is long gone, I predict the failover code is here to stay. The failover code may even get a little bit more sophisticated.

If we want to minimize client side complexity during the transition, then DNS64 is the way to go. Dual-stack and 464xlat both add complexity on the client side, which you can avoid when using DNS64.

I agree transition technologies should not stay forever. Had people been upgrading in due time, we would never have needed DNS64 and NAT64 in the first place.

I assume you never operated a public NAT64 service. There are ...

2026-04-19T09:32:25Z

In reply to nevent1q…p20a
_________________________

I assume you never operated a public NAT64 service. There are networks between the NAT64 gateway and the client which are completely outside of my control. But I can achieve high availability by running multiple NAT64 gateways in independent locations.

I have health checks of the gateways which automatically updates DNS64 accordingly. And I give clients addresses using multiple prefixes to allow for client-side failover. Client-side failover is crucial as sometimes individual clients are unable to reach specific gateways for reasons that are on networks that I don't use myself and thus outside the visibility of my health checks.

A client with a good implementation of fallback between AAAA records works great in this scenario. 464-xlat doesn't handle this as well.

Yeah, ipv4only.arpa exists on authoritative DNS servers and is ...

2026-04-18T23:58:32Z

In reply to nevent1q…9kxe
_________________________

Yeah, ipv4only.arpa exists on authoritative DNS servers and is served essentially like a name would have been served from any other TLD. As far as I recall there is an RFC recommending that DNS recursors hard-code that particular name in order to not need depend on authoritative DNS for that name. But last I checked BIND 9 would query authoritative servers for the name.

DNS64 can work just fine without special casing ipv4only.arpa. It can just translate it like any other IPv4-only domain name, and clients can use that for discovery.

I can definitely confirm that Android supports ipv4only.arpa for NAT64 discovery by default. It might support other methods as well, and I haven't verified which order it will try the methods on a network that supports different methods. None of the NAT64 deployments I have personally encountered used the well-known prefix. So I think falling back to the well-known prefix isn't a great option.

As an operator of public NAT64 gateways I will say that using ipv4only.arpa for NAT64 discovery is not perfect, but all the alternatives I have seen are worse. An inherent drawback of ipv4only.arpa is that it cannot handle scenarios where different NAT64 prefixes are being used depending on IPv4 range. That part is supported when DNS64 is being used.

Another drawback is more of an implementation shortcoming. 464-xlat implementations usually don't support use of multiple NAT64 prefixes for redundancy and will rather just pick one and stick with it. And it's not guaranteed that a client will pick up changes of prefix in a timely fashion.

So if a NAT64 gateway goes down for maintenance it may be necessary for 464-xlat users to disconnect and reconnect in order to switch to a different prefix. Use of PREF64 is worse for that use case. Users actually have to change their router configuration in order to apply the changes. There appears to exist no standardized mechanism for a public NAT64 service to communicate prefix changes to routers of users.

In theory a router could make use of ipv4only.arpa to do NAT64 prefix discovery and communicate this downstream using PREF64. But I haven't heard of any implementation doing this, and I don't see any advantage of this over the client doing discovery directly using ipv4only.arpa.

Problem is you can only do that if you have dual-stack on your ...

2026-04-04T13:08:38Z

In reply to nevent1q…3e4x
_________________________

Problem is you can only do that if you have dual-stack on your own network. Some of us have IPv6-only networks.

I see. Those are following the /64 mappings in RFC 6052. This is ...

2026-04-02T22:05:43Z

In reply to nevent1q…ds06
_________________________

I see. Those are following the /64 mappings in RFC 6052. This is not exactly the purpose that RFC 6052 is intended for. And you already identified the scalability challenges of that approach.

I am guessing they use duplicate-address-detection to ensure two machines don't pick the same address. if that guess is correct you can easily verify what happens. Just make have a machine use all of the addresses ending in c0:0:0:0 ti c0:0:700:0 before the test machine connects to the network.

If the implementation is even just a little bit sensible it will see that its preferred IPv6 addresses are already in use and pick a random IPv6 address instead. It can still use any address in the 192.0.0.0/29 range locally.

Why would the scope of 192.0.0.2/29 expand beyond the individual ...

2026-04-02T18:39:14Z

In reply to nevent1q…xy25
_________________________

Why would the scope of 192.0.0.2/29 expand beyond the individual host?

Something is very messed up with the rendering of that page. ...

2025-11-06T07:46:09Z

In reply to nevent1q…ek86
_________________________

Something is very messed up with the rendering of that page.

Did they deliver a working product, and is the product what was ...

2025-05-25T15:39:56Z

In reply to nevent1q…3lh3
_________________________

Did they deliver a working product, and is the product what was agreed upon?

Will reducing the client MTU actually solve this problem in ...

2025-04-27T07:37:49Z

In reply to nevent1q…v27w
_________________________

Will reducing the client MTU actually solve this problem in general?

I guess what happens when you do that is that the client knowing this lower MTU will advertise a smaller MSS so the server sends packets which are small enough to fit in the tunnel.

However I can think of a couple of scenarios where that would not help. If the protocol being used isn't TCP, but rather some other protocols such as one based on UDP, then you don't get the MSS negotiation. An application layer negotiation could help if the application layer protocol supports that. But then the applicaiton protocol also have to keep UDP payloads small enough, it couldn't take advantage of IP fragmentation since the IP layer is not going to know about the negotiated size.

Another scenario which won't work is if the client side is more than a single node. For example we have the need for clients to run a virtual network segment for Docker which communicates through a VPN connection. In that scenario the MSS sent by the client would be based on the Docker network and not the VPN tunnel. So the client will advertise an MSS of 1440, because that fits on the Docker network. The server will support that as well. Neither side knows about the VPN in advance, so PMTU discovery will need to work.

I think what's supposed to happen is that when the server sends a packet which won't fit in the PPPoE connection a packet-too-big error is returned to the server. And then WireGuard would need to take that into account for future packets. But if a misconfigured network drops the packet-too-big error messages, then that won't work.

What's the reason a few more weeks is enough?

2025-04-01T16:31:38Z

In reply to nevent1q…8pmt
_________________________

What's the reason a few more weeks is enough?

IPv6 first is what everyone should be doing. I have a frontend on ...

2025-03-20T19:18:47Z

In reply to nevent1q…vpl7
_________________________

IPv6 first is what everyone should be doing. I have a frontend on `116.202.1.213` that can be used to reach IPv6-only services by simply adding an A record. Works for all protocols using TLS-SNI and also works for HTTP and SMTP.

Your connection should include a static IPv4 address as well that ...

2025-03-20T19:06:41Z

In reply to nevent1q…ukhl
_________________________

Your connection should include a static IPv4 address as well that you can use to connect to your home from the legacy networks on those hotels.

If you choose to run your home network as IPv6-only, then that's absolutely a choice I can respect. But as you realized it does come with some challenges. I am running a couple of public services to help anyone running IPv6-only, since I want to see more IPv6-only networks.

Does this indicate a weakness in LastPass? Or is it simply a ...

2025-03-07T17:04:03Z

In reply to nevent1q…wx95
_________________________

Does this indicate a weakness in LastPass? Or is it simply a matter of users having used a weak master password which is vulnerable to brute force? How much entropy does a master password for a password manager need in order to resist such attacks?

It looks better than modern desktops.

2025-03-05T20:39:10Z

In reply to nevent1q…gvp7
_________________________

It looks better than modern desktops.

The rationale was that spammers are lazy and don't implement ...

2025-01-17T18:45:12Z

In reply to nevent1q…wljt
_________________________

The rationale was that spammers are lazy and don't implement the retry logic whereas legitimate senders will retry properly and the mail will get through once the greylisting period ends.

It would usually affect all senders equally (in principle a spamines score could be computed and used to adjust the greylisting period). However it will usually only affect the first mail from each sender. So people you communicate with repeatedly can email you without that delay.

If a particular sender generates a new sender address each time, they can be affected more often by greylisting than not.

Whether it's a good idea or not can be debated. Spam filters have unfortunately gotten so intrusive that sometimes they cause more harm than the spam they are intended to prevent. I will say that the delay caused by greylisting is a more acceptable behavior than completely blocking some legitimate mails.

Of course it's also entirely possible that it's just the one particular sender who has insufficient capacity.

Sometimes the delay is caused by the receiving server. ...

2025-01-17T03:23:59Z

In reply to nevent1q…tvk4
_________________________

Sometimes the delay is caused by the receiving server.

Greylisting is somewhat widespread. With greylisting the receiving server will initially respond to an email with a temporary error forcing the sender to wait and retry later.

The code setting the expiry time has no way of knowing how long that will take.

For a moment I thought it said flags would be at half-staff due ...

2025-01-04T18:31:47Z

In reply to nevent1q…da4y
_________________________

For a moment I thought it said flags would be at half-staff due to the passing of democracy.

That means it can't be used as substitute for L2TP. There ...

2024-10-13T15:44:59Z

In reply to nevent1q…7746
_________________________

That means it can't be used as substitute for L2TP. There will be users on networks where UDP-based protocols are the only options.

Can that be used through NAT? A typical use case for L2TP ...

2024-10-13T14:57:48Z

In reply to nevent1q…a20d
_________________________

Can that be used through NAT? A typical use case for L2TP involves a tunnel running through NAT444.

What is the recommended protocol for use cases that only need ...

2024-10-12T16:14:06Z

In reply to nevent1q…tcsy
_________________________

What is the recommended protocol for use cases that only need tunneling and don't need the cryptography offered by a full-blown VPN?

I know that Andrews & Arnold Ltd (AAISP) (npub1sv0…rq9x) is one well regarded ISP who includes L2TP tunnels as part of their offering.

I have often used MTU problems as an interview question. Good ...

2024-09-02T15:58:30Z

In reply to nevent1q…gw36
_________________________

I have often used MTU problems as an interview question. Good candidates would usually figure it out in 30 minutes. Not so good candidates would not figure it out in 60 minutes.

And then there was that one time I had a candidate who figured it out in 10 minutes. He was offered the position and then declined.

One example from my own experience is with DNS. Back in 2015 we ...

2024-08-26T21:46:53Z

In reply to nevent1q…g9qy
_________________________

One example from my own experience is with DNS. Back in 2015 we had a series of outages due to the provider who was hosting our DNS zones.

First the provider had a six hour outage during which we could do nothing, and we couldn't even get in touch with the provider.

Then we tried redundancy across two different DNS providers, which lead to another two outages when the first provider did not handle redundant setups correctly.

At that point I said we will never want to go through this again. And we decided to operate our own DNS servers with redundancy across four different hosting providers.

We have now used that setup for over nine years and not had a single outage of our DNS zone. We have of course had individual DNS servers be down for some time every now and then, but we never had all four go down.

Such a track record of course helps when I am making arguments for multi provider redundancy. I can point at this setup and say over nine years with 100% uptime, had we used Cloudflare we wouldn't have had such a high uptime.

I am thinking one should never trust a single supplier no matter ...

2024-08-26T20:28:58Z

In reply to nevent1q…ntpu
_________________________

I am thinking one should never trust a single supplier no matter how big and trustworthy you think they are.

One opinion I have heard a few times goes like this: It's not a problem if we are completely dependent on CloudFlare, GCE, or Amazon. If they go down many other systems will go down as well, and customers won't blame us.

The problem with that line of thinking is, that the bigger the provider is, the less important each customer is to the provider. There have been stories about individual customers of big providers getting into trouble.

But why did your router send destination unreachable errors? ...

2024-08-25T14:25:21Z

In reply to nevent1q…t65y
_________________________

But why did your router send destination unreachable errors?

Using tcpdump I saw `ICMP6, destination unreachable, unreachable address 2a05:87c6:1:1cc8::1, length 88` coming from 2a00:1098:2::7. And in the traceroute output above that is indicated as `!H`

That behavior from your router is one I would only expect if the next hop address did not respond to neighbor solicitation.

Did you verify that the address you pinged was identical to the next hop address currently in the routing table on that particular router?

That's not what I saw. When I used traceroute I got ...

2024-08-25T14:06:05Z

In reply to nevent1q…678w
_________________________

That's not what I saw. When I used traceroute I got destination unreachable errors from one of your routers. Here is the traceroute output I shared earlier:
```
traceroute to 2a05:87c6:1:1cc8::1 (2a05:87c6:1:1cc8::1), 30 hops max, 80 byte packets
1 2a00:1098:1::2d 0.284 ms 0.231 ms 0.217 ms
2 2a00:1098:2:ffff::9c 0.401 ms 0.387 ms 0.375 ms
3 2a00:1098:2:1::1c:1 0.437 ms 0.417 ms 0.453 ms
4 2a00:1098:2::7 0.323 ms 0.376 ms 0.365 ms
5 2a00:1098:2::7 3055.197 ms !H 3055.184 ms !H 3055.165 ms !H
```

I agree that is one of the most likely explanations of the root ...

2024-08-25T13:41:08Z

In reply to nevent1q…tt42
_________________________

I agree that is one of the most likely explanations of the root cause. It is something which could have been automatically detected when receiving the advertisements from the route server. But I do not know if any BGP implementation has the logic to detect and filter such faulty advertisements.

It does not look specific to A&A. One of the network paths ...

2024-08-25T12:46:40Z

In reply to nevent1q…ue7f
_________________________

It does not look specific to A&A. One of the network paths confirmed to be affected did not go through A&A.

It's confirmed which exchange the issue lies at. But it's unclear to me if the issue is with the destination network or the exchange itself. I do not have a presence at that exchange myself, so the only information I have to work from is output from traceroute and similar tools.

It looks to me like one aspect of the BGP implementation you are using is a contributing factor. But that may very well be standard behavior. For all I know it could be that all other BGP implementations would respond the same in this corner case.

A router server is indeed what I imagine as the most likely way ...

2024-08-25T11:29:47Z

In reply to nevent1q…24q9
_________________________

A router server is indeed what I imagine as the most likely way to get the same failure mode as what I saw with OSPF.

It's technically possible to verify that neighbor discovery works for the next hop that you receive from a route server. How to actually implement it depends on the underlying platform and could be complicated.

What did you verify on the data path? The traceroute command I tried failed before the packet reached the data path from 2a00:1098:2::7 to the next hop.

This reminds me of a failure mode I observed in OSPF. I don't ...

2024-08-25T10:46:49Z

In reply to nevent1q…ya79
_________________________

This reminds me of a failure mode I observed in OSPF. I don't know for certain if the same failure mode exists in BGP, but the symptoms sure look similar.

In OSPF the nodes connected to an Ethernet segment will elect a master. OSPF will verify that each node can communicate with the master, and this can be continuously verified with BFD.

OSPF will then assume that if two nodes can both communicate with the master, then they can also communicate directly with each other. If that assumption does not hold OSPF will configure routes which will always fail during the neighbor discovery step of the packet forwarding. I observed this behavior in two mainstream OSPF implementations.

Mythic Beasts (npub1wy5…64vc) Andrews & Arnold Ltd (AAISP) (npub1sv0…rq9x) Does the BGP implementation that you are using accept routes for which the advertised next hop does not respond to neighbor solicitation?

That hostname resolves to `2a05:87c6:1:1cc8::1` for me. I ...

2024-08-25T10:05:54Z

In reply to nevent1q…mwqh
_________________________

That hostname resolves to `2a05:87c6:1:1cc8::1` for me. I confirmed that the IP address is reachable from most networks I tried but it is not reachable from Mythic Beasts (npub1wy5…64vc) or Andrews & Arnold Ltd (AAISP) (npub1sv0…rq9x)

The problem seems to affect both ssh and ping. With both protocols I get an ICMPv6 error message back:
```
ICMP6, destination unreachable, unreachable address 2a05:87c6:1:1cc8::1, length 88
```

The origin of the ICMPv6 error message is 2001:8b0:0:53::109 or 2a00:1098:2::7 depending on which provider I connect from.

Here is an example traceroute output:
```
root@nat64-london:~# traceroute -n -I 2a05:87c6:1:1cc8::1
traceroute to 2a05:87c6:1:1cc8::1 (2a05:87c6:1:1cc8::1), 30 hops max, 80 byte packets
1 2a00:1098:1::2d 0.284 ms 0.231 ms 0.217 ms
2 2a00:1098:2:ffff::9c 0.401 ms 0.387 ms 0.375 ms
3 2a00:1098:2:1::1c:1 0.437 ms 0.417 ms 0.453 ms
4 2a00:1098:2::7 0.323 ms 0.376 ms 0.365 ms
5 2a00:1098:2::7 3055.197 ms !H 3055.184 ms !H 3055.165 ms !H
root@nat64-london:~#
```

The last hop limit exceeded message came from the same IP as the unreachable address. The later error message was delayed by 3 seconds.

In my experience the 3 second delay is most often caused by a neighbor discovery timeout. That indicates that 2a00:1098:2::7 and 2001:8b0:0:53::109 have a route forward towards the destination, but the next hop is not responding to neighbor solicitation messages.