Planet Redpill Linpro

21 January 2017

Tore Anderson

IPv6 roaming in the United Kingdom

Earlier this week I visited the United Kingdom to attend the excellent UKNOF36 meeting.

As I usually do when when going abroad, I spent some time testing to what extent IPv6 works while roaming in the various PLMNs I have access to.

The previous posts in this series are:

These posts contain some more technical background about the testing methodology, so I suggest you skim through them in order to better interpret the test results in this post.

Test results

O2 - MCCMNC 23410

Home PLMN Tech IPV6 PDP context IPV4V6 PDP context
Tele 2 Sweden 2G Fails (cause 33) IPv4-only connection
Tele 2 Sweden 3G Fails (cause 33) IPv4-only connection
Tele 2 Sweden 4G N/A N/A
Telenor Norway 2G Fails (cause 33) IPv4-only connection
Telenor Norway 3G Fails (cause 33) IPv4-only connection
Telenor Norway 4G N/A N/A

I was not able to get 4G coverage with any of my SIM cards in this network, which probably means that neither Tele 2 nor Telenor has a 4G roaming agreement with O2.

While in 2G and 3G coverage Tele 2 and Telenor’s HLR/HSS blacklisting trick comes into play. (See the IPv6 roaming in Belgium and Romania post for an explanation of what that trick is.)

Vodafone - MCCMNC 23415

Home PLMN Tech IPV6 PDP context IPV4V6 PDP context
Tele 2 Sweden 2G Fails (cause 33) IPv4-only connection
Tele 2 Sweden 3G Fails (cause 33) IPv4-only connection
Tele 2 Sweden 4G Fails IPv4-only connection
Telenor Norway 2G Fails (cause 33) IPv4-only connection
Telenor Norway 3G Fails (cause 33) IPv4-only connection
Telenor Norway 4G Works perfectly IPv4-only connection

In 2G and 3G coverage this looks like the standard HLR/HSS blacklisting trick. However the 4G behaviour is very unusual, as the blacklisting trick does not apply here.

IPv6-only PDP contexts work fine with my Telenor SIM card, but not with my Tele 2 one. My phone logs this latter failure as being due to an unknown/invalid cause code so I have no idea about what’s going on here.

Dual stack IPV4V6 PDP contexts do not work in 4G coverage with any of my SIM cards, and any attempt to use them results in IPv4-only connectivity. As this is not caused by Telenor and Tele 2’s blacklisting trick, the logical conclusion is that Vodafone is deliberately blocking dual stack PDP contexts from being used in their end.

I also saw very similar IPv6-hostile behaviour in Vodafone Romania’s network. I wonder if that is a coincidence or not.

3 - MCCMNC 23420

Home PLMN Tech IPV6 PDP context IPV4V6 PDP context
Tele 2 Sweden 2G N/A N/A
Tele 2 Sweden 3G Fails (cause 33) IPv4-only connection
Tele 2 Sweden 4G N/A N/A
Telenor Norway 2G N/A N/A
Telenor Norway 3G N/A N/A
Telenor Norway 4G N/A N/A

It appears Telenor doesn’t have a roaming agreement with this operator (my phone reported no access to network). With my Tele 2 SIM card I could not get neither 2G or 4G coverage, only 3G. In 3G coverage Tele 2’s HLR/HSS blacklisting trick comes into play.

EE - MCCMNC 23430

Home PLMN Tech IPV6 PDP context IPV4V6 PDP context
Tele 2 Sweden 2G Fails (cause 33) IPv4-only connection
Tele 2 Sweden 3G Fails (cause 33) IPv4-only connection
Tele 2 Sweden 4G Works perfectly Works perfectly
Telenor Norway 2G Fails (cause 27) IPv4-only connection
Telenor Norway 3G Fails (cause 27) IPv4-only connection
Telenor Norway 4G Works perfectly Works perfectly

This looks pretty much as expected for an operator where the HLR/HSS blacklisting trick is being used to block IPv6 in 2G and 3G coverage. However, it’s the first time I’ve seen this result in 3GPP cause code 27 (missing or unknown APN). Usually I see code 33 (requested service option not subscribed). Not sure if this difference is significant somehow, but the outcome is the same in any case.

When in 4G coverage, both IPv6-only and dual stack PDP contexts worked just fine.

That said, I did have trouble getting dual stack to work in EE 4G coverage when I used another one of phones. Unfortunately I did not have time to investigate that further during my brief visit. Next time, perhaps.

Sat 21 Jan 2017, 00:00

18 January 2017

Redpill Linpro Techblog

How to use Mule as a web server

Just the other day I sat at a customer, and they wanted a web application to present data, from there Mule integration application. The data should be presented to ...

Wed 18 Jan 2017, 23:00

Bjørn Ruberg

Icinga/Nagios check for Sophos antivirus signature freshness

I’ve been running Amavisd-new with scanner components like ClamAV and SpamAssassin on the mail relay for my personal mail for several years. Lately I’ve been thinking that since Amavis supports multiple content scanners I should add another antivirus product. Unfortunately there’s a limited number of free (for home/individual use) antivirus products running on Linux, and […]

by bjorn at Wed 18 Jan 2017, 20:19

17 January 2017

Bjørn Ruberg

How to produce AfterGlow diagrams from Cowrie

I’ve been receiving a few questions on how to produce the AfterGlow diagrams from Cowrie logs, described in an earlier blog post. Instead of repeating myself through email requests, an explanation here will be better. First of all, you will need to decide what you want to visualize. Showing the different attackers targeting a Cowrie […]

by bjorn at Tue 17 Jan 2017, 08:34

16 January 2017

Magnus Hagander

Another couple of steps on my backup crusade

For a while now, I've been annoyed with how difficult it is to set up good backups in PostgreSQL. The difficulty of doing this "right" has pushed people to use things like pg_dump for backups, which is not really a great option once your database reaches any non-toy size. And when visiting customers over the years I've seen a large number of home-written scripts to do PITR backups, most of them broken, and most of that breakage because the APIs provided were too difficult to use.

Over some time, I've worked on a number of ways to improve this situation, alone or with others. The bigger steps are:

  • 9.1 introduced pg_basebackup, making it easier to take base backups using the replication protocol
  • 9.2 introduced transaction log streaming to pg_basebackup
  • 9.6 introduced a new version of the pg_start_backup/pg_stop_backup APIs that are needed to do more advanced base backups, in particular using third party backup tools.

For 10.0, there are a couple of new things that have been done in the past couple of weeks:

by nospam@hagander.net (Magnus Hagander) at Mon 16 Jan 2017, 13:18

12 January 2017

Ingvar Hagelund

OCSP: What, why, how?

While debugging a problem with OCSP, I had to sit down and understand what it really does and why. So What is OCSP, and why do we use it?

Read the rest of this entry

by ingvar at Thu 12 Jan 2017, 07:30

10 January 2017

Redpill Linpro Techblog

OCSP: What, why, how?

While debugging a problem with OCSP, I had to sit down and understand what it really does and why. So What is OCSP, and why do we use it?

...

Tue 10 Jan 2017, 23:00

Bjørn Ruberg

Probes towards TCP/37777

Seems a new bot, possibly a strain of Mirai, is in the wild, targeting TCP port 37777. The last 24 hours I’ve seen close to 200 different IP addresses trying to connect to this port. DShield is also registering an increase. At the moment I can only guess what kind of product they’re probing for, […]

by bjorn at Tue 10 Jan 2017, 07:43

09 January 2017

Tore Anderson

IPv6 roaming in Belgium and Romania

I briefly visited Belgium and Romania last month. Using SIM cards from Tele 2 Sweden and Telenor Norway, both of which support the dual-stack IPV4V6 and IPv6-only IPV6 PDP context types, I spent some time testing whether or not I was able to get working IPv6 Internet connectivity while roaming in the various available PLMNs.

In many cases, IPv6-only connection attempts failed completely. Furthermore, dual stack connection attempts more often than not resulted in an IPv4-only Internet connection. Full test results below.

These frequent failures are however not as dramatic as they might sound. Both Tele 2 and Telenor are using a blacklisting trick that blocks their subscribers from using IPv6 when roaming in certain operators (whose IPv6 capabilities hasn’t yet been verified). See RFC 7445 section 3 and section 6 for technical details on how this trick works. When roaming in an operator blacklisted in this manner, IPv6-only connection attempts made in 2G/3G coverage will fail with 3GPP cause code 33 (requested service option not subscribed), while dual stack connection attempts will result in IPv4-only Internet connectivity.

The good news is that when my devices were set up to request dual-stacked IPV4V6 PDP contexts, they would in every single case get at least the same level of Internet connectivity as they would when requesting an IPv4-only IP PDP context; having the devices request dual-stacked connectivity had no downside whatsoever.

I’ve also performed the same kind of IPv6 roaming testing in Sweden a while back.

Test results

Belgian PLMNs

Proximus - MCCMNC 20601

Home PLMN Tech IPV6 PDP context IPV4V6 PDP context
Tele 2 Sweden 2G Fails (cause 33) IPv4-only connection
Tele 2 Sweden 3G Fails (cause 33) IPv4-only connection
Telenor Norway 2G Works perfectly Works perfectly
Telenor Norway 3G Works perfectly Works perfectly

I was not able to test in 4G/LTE coverage, as it appears that neither Tele 2 nor Telenor have a 4G/LTE roaming agreement with Proximus.

Tele 2 is applying the blacklisting trick described above. Telenor, on the other hand, does not and IPv6 works perfectly.

Orange - MCCMNC 20610

Home PLMN Tech IPV6 PDP context IPV4V6 PDP context
Tele 2 Sweden 2G Fails (cause 33) IPv4-only connection
Tele 2 Sweden 3G Fails (cause 33) IPv4-only connection
Telenor Norway 2G Fails (cause 33) IPv4-only connection
Telenor Norway 3G Fails (cause 33) IPv4-only connection

In the Orange PLMN I got identical behaviour with both my SIM cards. It appears both Tele 2 and Telenor are blacklisting, and there is no 4G/LTE roaming agreement.

As with Tele 2/Proximus, dual stack «works» in the sense that I get IPv4-only Internet connectivity.

BASE - MCCMNC 20620

Home PLMN Tech IPV6 PDP context IPV4V6 PDP context
Tele 2 Sweden 2G Fails (cause 33) IPv4-only connection
Tele 2 Sweden 3G Fails (cause 33) IPv4-only connection
Tele 2 Sweden 4G Works perfectly Works perfectly
Telenor Norway 2G Fails (cause 33) IPv4-only connection
Telenor Norway 3G Fails (cause 33) IPv4-only connection
Telenor Norway 4G Works perfectly Works perfectly

BASE demonstrates how the blacklisting trick only works on 2G/3G and not on 4G. Both Tele 2 and Telenor are blacklisting here, but nevertheless dual stack and IPv6-only works perfectly if the data PDP context is established while in 4G coverage.

Romanian PLMNs

Vodafone - MCCMNC 22601

Home PLMN Tech IPV6 PDP context IPV4V6 PDP context
Tele 2 Sweden 2G Fails (cause 32) IPv4-only connection
Tele 2 Sweden 3G Fails (cause 32) IPv4-only connection
Tele 2 Sweden 4G Fails (cause 32) IPv4-only connection
Telenor Norway 2G Fails (cause 32) IPv4-only connection
Telenor Norway 3G Fails (cause 32) IPv4-only connection
Telenor Norway 4G Fails (cause 32) IPv4-only connection

Vodafone is an interesting case. The fact that IPv6 and dual stack fails on 2G and 3G with 3GPP cause code 32 (service option not supported) instead of 33, and the fact that it also fails in the same way on 4G/LTE, indicate that this is not caused by the blacklisting trick. Instead, it would appear that Vodafone is deliberately blocking visitors from using of IPv6 on their network.

For operators such as Tele 2 and Telenor, this is not such a big deal, as dual-stack still «works» by falling back on IPv4-only connectivity. Operators using 464XLAT, on the other hand, will likely find Vodafone’s behaviour hugely problematic.

Telekom - MCCMNCs 22603 (2G) and 22606 (3G)

Home PLMN Tech IPV6 PDP context IPV4V6 PDP context
Tele 2 Sweden 2G Fails (cause 33) IPv4-only connection
Tele 2 Sweden 3G Fails (cause 33) IPv4-only connection
Telenor Norway 2G Fails (cause 33) IPv4-only connection
Telenor Norway 3G Fails (cause 33) IPv4-only connection

Identical results as with Orange in Belgium. I was unable to get 4G/LTE coverage, and both Tele 2 and Telenor applies blacklisting on 2G/3G.

Digi.Mobil - MCCMNC 22605

Neither Tele 2 nor Telenor seems to have any form of roaming agreement with this operator, at least I was completely unable to register in their network, and thus unable to perform any IPv6 testing.

Orange - MCCMNC 22610

Home PLMN Tech IPV6 PDP context IPV4V6 PDP context
Tele 2 Sweden 2G Fails (cause 33) IPv4-only connection
Tele 2 Sweden 3G Fails (cause 33) IPv4-only connection
Telenor Norway 2G Works perfectly Works perfectly
Telenor Norway 3G Works perfectly Works perfectly
Telenor Norway 4G Works perfectly Works perfectly

Tele 2 does not appear to have a 4G/LTE roaming agreement with Orange, and the blacklisting trick is being used on 2G/3G.

With Telenor, on the other hand, there’s no blacklisting and both IPv6-only and dual stack works perfectly on all technologies.

Mon 09 Jan 2017, 00:00

02 January 2017

Magnus Hagander

Financial updates in PostgreSQL Europe

As we say welcome to a new year, we have a couple of updates to the finances and payment handling in PostgreSQL Europe, that will affect our members and attendees of our events.

First of all, PostgreSQL Europe has unfortunately been forced to VAT register. This means that most of our invoices (details below) will now include VAT.

Second, we have enabled a new payment provider for those of you that can't or prefer not to use credit cards but that still allows for fast payments.

by nospam@hagander.net (Magnus Hagander) at Mon 02 Jan 2017, 12:40

01 January 2017

Magnus Hagander

Mail agents in the PostgreSQL community

A few weeks back, I noticed the following tweet from Michael Paquier:

tweet

And my first thought was "that can't be right" (spoiler: Turns out it wasn't. But almost.)

The second thought was "hmm, I wonder how that has actually changed over time". And of course, with today being a day off and generally "slow pace" (ahem), what better way than to analyze the data that we have. The PostgreSQL mailinglist archives are all stored in a PostgreSQL database of course, so running the analytics is a quick job.

by nospam@hagander.net (Magnus Hagander) at Sun 01 Jan 2017, 15:01

28 December 2016

Redpill Linpro Techblog

systemd comforts

One common complaint about systemd is that it does «too much», where the threshold for the appropriate amount of action is left unspecified. Some of the stuff it can do is hold your hand and offer some comfort functions.

...

Wed 28 Dec 2016, 23:00

25 December 2016

Redpill Linpro Techblog

This years SysAdvent calendar has ended

With the end of the advent, this years sysadvent calendar event is now over.

If you missed it, the articles are still ...

Sun 25 Dec 2016, 23:00

24 December 2016

Redpill Linpro Sysadvent

Thank you for visiting our SysAdvent Blog!

We hope you have enjoyed the articles in our second SysAdvent season!

This is the last post in this years sysadvent. If you want to read more, we have other blog entries at our main site, our techblog, our employees have personal blogs that are aggregated at

Sat 24 Dec 2016, 23:00

23 December 2016

Redpill Linpro Sysadvent

Running wallscreens using a Raspberry Pi

For the wallscreens within the operations department, we currently use Raspberry Pies and provision those using Ansible. We found that the USB sockets on a typical LCD TV do not provide enough power for a Raspberry Pi model 3, so we went for the cheaper – although a ...

Fri 23 Dec 2016, 23:00

22 December 2016

Redpill Linpro Sysadvent

Encrypted cloud backups with Duplicity

Duplicity is a piece of software that can perform encrypted backups to remote storage over the network. It uses the rsync algorithm to implement incremental backups, thus minimising the amount of data that needs to be transferred over the network and stored remotely. The GNU Privacy Guard ...

Thu 22 Dec 2016, 23:00

21 December 2016

Redpill Linpro Sysadvent

Systemd at 3am

A few of systemd features that helps you and your fellow sysadmins.

At 3am, I want to sleep. I do not want SMS with “Service X is down”, and I do not want my systems to wake the on-call personnel, so they can scratch their heads and call me about ...

Wed 21 Dec 2016, 23:00

20 December 2016

Redpill Linpro Sysadvent

Feeding the Elastic Stack

This is the last of three posts about Elastic Stack.

By now, we should have a reasonably secure Elastic Stack. It is sadly empty, so we should feed it some logs.

Logstash is a log processor. It can be configured with inputs, filters, and outputs.

  • Inputs are commonly ...

Tue 20 Dec 2016, 23:00

19 December 2016

Redpill Linpro Sysadvent

Enabling HTTP/2 for a site

When we installed the new frontend nodes for our main site, we wanted make use of some technologies that aren’t yet in broad use by our customers. The intention was both to gain more experience with said technologies, and to show that they are ready for production use. HTTP/2 ...

Mon 19 Dec 2016, 23:00

18 December 2016

Redpill Linpro Sysadvent

Small-scale honeynet with Raspberry Pi

The Raspberry Pi units are small and don’t use much power. If you have one or two to spare, why not use them to explore the sweet smell of honeypots?

Ye who enter here

First of all, a warning: Even though honeypot software is usually isolated from the ...

Sun 18 Dec 2016, 23:00

17 December 2016

Redpill Linpro Sysadvent

Deduplication of old filesystems

Modern filesystems, and even storage systems, might have built-in deduplication, but common filesystems still do not. So checking for redundant data and do deduplication when possible might save disk space.

...

Sat 17 Dec 2016, 23:00

16 December 2016

Redpill Linpro Sysadvent

JMole monitoring framework

Monitoring Java applications can be a painful operation that often require lots of onfiguration, with technologies like byte code instrumentation and JMX, you can literally have thousands of Metrics to choose from just from a single Java application. This ...

Fri 16 Dec 2016, 23:00

15 December 2016

Redpill Linpro Sysadvent

Fun with firewall activity plotting

A firewall activity plot for showing port access. The temptation was just a bit too great to ignore, so I chose to see it as a canvas for artwork. All I should need to do is to convert a PNG image to series of nmap commands, easy right?

...

Thu 15 Dec 2016, 23:00

Pros and cons of visualizing firewall activity

For some time now, I’ve been graphing all unsolicited network traffic destined for my network. For instance, it’s quite useful for detecting slow scans, which will show up as the diagonally aligned green scatter points in this plot (click to zoom):

Slow_portscan ...

Thu 15 Dec 2016, 23:00

Bjørn Ruberg

A different kind of Christmas scan

Those familiar with port scanning tools (like nmap), have probably heard of the Xmas scan option. This scanning strategy sets some unusual TCP flags, as the man page describes it: Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree. Yesterday, my firewall was systematically scanned with a combination of […]

by bjorn at Thu 15 Dec 2016, 10:54

14 December 2016

Redpill Linpro Sysadvent

Securing the Elastic Stack

This is the second of three posts about Elastic Stack.

The Elastic Stack service is available to anyone who can reach it by default. This allows you to choose your security level and tools to provide it.

A simple search on Shodan for kibana or elasticsearch will quickly ...

Wed 14 Dec 2016, 23:00

13 December 2016

Redpill Linpro Sysadvent

Use virt-manager to build disk-images

For cattle purposes, it makes sense to follow a build-once-run-many principle. This is what we prefer for the machines powering our infrastructure. The current build method for deployments uses the toolchain from the virt-manager project to achieve this.

Build targets

The combination of virt-install(1) and

Tue 13 Dec 2016, 23:00

Ingvar Hagelund

Bash: Random numbers for fun and profit

bash has many things that just works automagically. Did you know it has a built-in pseudorandom number generator? Let’s play some games! Read rest of the post here!

by ingvar at Tue 13 Dec 2016, 13:36

12 December 2016

Redpill Linpro Sysadvent

Bash: Random numbers for fun and profit

bash has many things that just works automagically. Did you know it has a built-in pseudorandom number generator? Let’s play games!

...

Mon 12 Dec 2016, 23:00

Jorge Enrique Barrera

VMware, i3 and multiple monitors

For a while now I’ve been trying to set up VMware to work with multiple monitors, in a Linux guest. With some windowmanagers it works out of the box without any issue, such as with Unity. I never figured out how to do it with xmonad, and recently I switched to i3 just to try something new. The damn “Cycle multiple monitors” button didn’t work here either. When I tried it, a message popped up saying:

The virtual machine must have up-to-date VMware Tools installed and running.

..which it had!

However, I found a solution! Place the following line in your i3 configuration file, whether it be ~/.i3/config or ~/.config/i3/config:

exec --no-startup-id vmware-user

..and that’s it! Reload your i3 configuration, and now you should be able to press the “Cycle multiple monitors” button and have dual monitors in your VMware guest!

by Jorge Enrique Barrera at Mon 12 Dec 2016, 06:01