New improved IPv6 site tester

September 5th, 2014 by

We’ve just given our IPv6 Health Check a significant overhaul.

IPv6 is coming, and there’s a lot more to being ready for it than adding an AAAA record and enabling IPv6 on your web server. Google are often cited as an example of an IPv6-enabled website, but the truth is, in an IPv6-only world, nobody would ever find Google because none of their nameservers have IPv6 addresses:

[Screenshot]

Our IPv6 Health Check aims to reach the parts that other testers don’t reach to find out if your domain is really ready for IPv6.  Do your mail servers have IPv6 addresses?  Do they have reverse DNS for those addresses?  Do your SPF records include IPv6 addresses?

The latest version of our health check includes an experimental IPv6 nameserver delegation and glue test that checks that all nameservers in the delegation chain between the root DNS servers and your zone have IPv6 addresses, and sufficient glue to allow you to find them in an IPv6-only world. This test has already uncovered some interesting anomalies which we’ll dig into further in a future post.
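The logic of a delegation and glue check like the one described above, as an added example (not the health check's own code). It walks a constructed delegation chain for the hypothetical zone example.org. and reports nameservers that cannot be found over IPv6; the chain data, the RESOLVED table and all names are assumptions.

```python
import ipaddress

# Constructed delegation chain: for each step, the NS names the parent zone
# returns and the address records it supplies as glue (additional section).
CHAIN = [
    {"zone": "org.", "ns": ["a0.org-servers.example."],
     "glue": {"a0.org-servers.example.": ["2001:db8:a::1", "192.0.2.1"]}},
    {"zone": "example.org.", "ns": ["ns1.example.org.", "ns2.dns-host.example."],
     "glue": {"ns1.example.org.": ["192.0.2.53"]}},
]
# Constructed: addresses of out-of-zone nameservers, as if looked up separately.
RESOLVED = {"ns2.dns-host.example.": ["198.51.100.7"]}

def has_v6(addrs):
    return any(ipaddress.ip_address(a).version == 6 for a in addrs)

def in_bailiwick(name, zone):
    return name == zone or name.endswith("." + zone)

def check_chain(chain, resolved):
    """Return (zone, nameserver, problem) tuples for an IPv6-only resolver."""
    problems = []
    for step in chain:
        reachable = 0
        for ns in step["ns"]:
            glue = step["glue"].get(ns, [])
            if in_bailiwick(ns, step["zone"]):
                # A nameserver inside the zone it serves can only be found via glue.
                if not has_v6(glue):
                    problems.append((step["zone"], ns, "no AAAA glue"))
                    continue
            elif not has_v6(glue) and not has_v6(resolved.get(ns, [])):
                problems.append((step["zone"], ns, "no AAAA record"))
                continue
            reachable += 1
        if reachable == 0:
            problems.append((step["zone"], None, "unreachable over IPv6"))
    return problems

if __name__ == "__main__":
    for zone, ns, problem in check_chain(CHAIN, RESOLVED):
        print(zone, ns or "(whole zone)", problem)
```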

Ice Bucket

September 1st, 2014 by

Thanks to Jonathan Wright, who runs a very big website, for a nomination.

I’ve nominated Matt Smith, Rob McQueen and Neil McGovern.

Thanks to Ben Howe, our gap year student who’s adequately demonstrated to his colleagues the definition of a career limiting move by dunking a bucket of ice over his boss, The Haymakers for kindly providing the location for the company meeting, the chilled water and the ice, and the rest of my Mythic Beasts colleagues for filming and laughing.

Depending on nowhere by peering with everyone everywhere

August 29th, 2014 by

We’ve been adding some more peering sessions to improve our network redundancy. We already had direct peering with every significant UK ISP; we’ve now enhanced this so that one peering session terminates at one of the Telehouse sites, and the second terminates at one of the Telecity or Equinix sites. Each peering session is on a different London Internet Exchange (LINX) network, the two networks being physically separate from each other, and where possible we’ve preferred peering sessions that remain within a single building.

We have equal capacity on both networks at LINX, so unlike many ISPs with a single peering port or unequal capacity, in the event of a severe failure (e.g. a whole network or data centre) we just automatically migrate our traffic to our other peering link, rather than falling back to burst bandwidth with our transit providers. We feel that falling back is a risky strategy because failures are likely to be correlated: lots of ISPs will fall back to transit all at the same time in a badly planned and uncoordinated fashion, which could cause a huge traffic spike upstream.

We light our own fibre ring around our core Docklands data centres, and have full transit and peering at both of our core POPs, with dual routers in each, and can offer full or partial transit at any of our data centres.

512k routes

August 13th, 2014 by

Some ISPs have started to report that their IPv4 routing tables now exceed 512k individual routes. At present we’re only seeing 502k routes but we’re nearly there.

Now for us this isn’t going to make any difference: our routers can all easily handle a routing table of this size, and the full IPv6 routing table of 30k routes, all at the same time. However, it may start to affect things within other ISPs that we connect to. The likely things that we’ll see happening are:

  • Some ISPs will just drop some IPv4 routes, or cease processing updates, which means gradually odd bits of the internet will cease to work.
  • Some ISPs may fall into a software routing mode, resulting in reduced performance.
  • Some ISPs will rely on filtering to reduce the routing table in size by aggregating routes together.
  • Some ISPs will alter their configuration for Cisco CAT6500 routers and disable IPv6 in order to increase the memory available in their routers for IPv4.

So watch out for oddities, and expect them to occur more and more frequently as the growth in the routing table gradually reveals which ISPs are running into trouble having not planned ahead.

Now accepting PayPal

August 13th, 2014 by

Mythic Beasts have added PayPal functionality to our billing system. You can now pay by credit or debit card, PayPal, direct debit, BACS transfer or even cheque. Just don’t post us an envelope full of used fivers – save those for the sorts of services where you don’t get a VAT invoice.

HTTPS: the new default?

August 8th, 2014 by

Although SSL for websites (HTTPS) has been commonplace for e-commerce sites for years, the vast majority of “ordinary” websites still use standard HTTP. In recent months, two things have happened which look set to change that:

Whilst the importance of the second of these probably needs no further explanation, the relevance of the first may not be obvious.

Until now, one of the barriers to widespread adoption of HTTP over SSL has been that, unlike non-SSL websites, each site requires its own IP address, and IP (or at least, IPv4) addresses are in short supply. This is because the HTTP request which specifies which website is being requested is only sent after the SSL certificate has been presented, so if you have multiple sites on a single IP address, there is no way for the server to know which certificate to present.

A solution to this problem has existed for some years in the form of Server Name Indication (SNI). SNI is an extension to the SSL protocol, or more accurately its successor, the TLS protocol, which allows the site name to be included as part of the TLS negotiation so that the server can present the correct certificate.

Unfortunately, one widely-used platform had no support for SNI: Windows XP. With the ending of support for Windows XP, adopting SNI suddenly becomes a much more acceptable proposition.

Cheaper HTTPS hosting

The practical benefit of this is that hosting providers such as ourselves can offer much cheaper hosting of HTTPS sites, and that’s exactly what we’re doing. Buy one of our SSL Certificates and we’ll add an SNI-based HTTPS service to your Hosting Account at no extra charge.

Free Beer

August 2nd, 2014 by

If you’re a Debian Developer and you’re going to the annual Debian UK Barbeque we hope to see you there, and give you a beer to thank you for your hard work.

More monitoring service improvements

June 30th, 2014 by

We’ve just rolled out a number of improvements to our server monitoring service. This service allows customers to receive SMS, email and prowl alerts about individual services.

Shared monitors for managed servers
Firstly, customers of our managed hosting service can now get access to the monitors that we have in place for your services through our control panel. Not only does this allow you to immediately check that we’re monitoring the right things, but you can add yourself to the alert list and be notified directly at the same time that we receive an alert.

We’ll be rolling this out to existing managed hosting customers in due course, but drop us an email if you’d like to be enabled quickly.

Satellite monitoring nodes
Secondly, we can now deploy “satellite” monitoring nodes, allowing us to deploy a monitoring server behind your firewall that can report status back to our central monitoring system. This makes it possible to monitor machines and services that are only accessible from behind your firewall.

New monitor types
Thirdly, we’ve added some new monitor types:

  • DNS Black list monitoring – get an immediate alert if your mail server ends up on a black list
  • HTTP Status Code – check that a URL is returning a specific HTTP code
  • TCP connection – check that a server is accepting TCP connections on an arbitrary port

More flexible alert lists
Finally, we’ve made alert lists more flexible, allowing you to add multiple groups of contacts to each monitor.

All of our servers come with free ping monitoring included. Enhanced monitoring of individual services can be added for just £5+VAT per month, and is included for managed hosting customers.

.uk domains now available

June 10th, 2014 by

It is now possible to register domains directly within .uk, and not just under second level domains such as .co.uk, .org.uk and .me.uk.

Holders of existing .co.uk domains (or .org.uk if the .co.uk is not registered) are given the right to register the corresponding .uk domain. For example, if we owned example.co.uk, we would be automatically entitled to register example.uk.

If you already hold a .co.uk or .org.uk domain, either with us or with another registrar, and would like to register the corresponding .uk domain with us, then please contact support. Tell us the domain or domains you want to register, and for how long (up to 10 years) and we’ll do the rest!

If there is no existing .co.uk, .org.uk, etc. domain which corresponds to the .uk that you want, then you can go ahead and register the domain with us in the normal way.

The new domains cost the same as the other domains within .uk: £6.50 for 1 year, £9 for 2 years, £21.50 for 5 years, or £39 for 10 years (prices include VAT). They come with all the standard benefits of Mythic Beasts domain registrations: DNS hosting including IPv6, SPF and TXT records, DNS API and Dynamic DNS.

Enabling Anycast DNS with Esgob

May 15th, 2014 by

Nat Morris, UK Network Operators Forum director, recently gave a presentation to the DNS Operations, Analysis and Research centre, which included this remarkably nice slide:

[Slide image]

What is Anycast?

Normally a server has a globally unique IP address, and the Internet knows how to send traffic from any other machine in the world to that IP address. With Anycast we share a single address across multiple machines, and your traffic is sent to the nearest machine with that address. This means that UK customers can be answered from a server in the UK and Australian customers from a server in Australia allowing you to have very fast responses to things like DNS queries because you’re always served by a server that’s close by, rather than your query having to travel half way around the world.

To set up an Anycast network, you need your own address space, your own network number (ASN), multiple BGP-aware routers that can announce your address space, and multiple servers that can answer the queries. Typically this would require a pretty hefty budget, but if you’re Nat Morris and you know what you’re doing with software routing on Linux, and you know all the right providers then you can bring up a global Anycast network with 10+ servers and sites on an annual budget of well under $1,000.

The key to doing this is finding ISPs, ideally well-connected ISPs in key internet hubs, who will provide you with a BGP feed to your hosted server. That’s where a clueful UK hosting company comes into the picture, having excellent connectivity, inexpensive virtual machines (VMs) and a willingness to support customers with more unusual configurations.

Quick introduction to BGP and routing

Normally when you have a VM you get a default route, which looks like this:

# ip route 
...
default via 93.93.128.1 dev eth1 

which says that to get to anywhere on the internet, send packets to our router at 93.93.128.1.

Over BGP, instead we send you the whole routing table:

# ip route 
...
1.0.7.0/24 via 5.57.80.128 dev eth3.4  proto zebra  metric 1 
1.0.20.0/23 via 93.93.133.46 dev eth6.220  proto zebra  metric 142080 
... 
500,000 more lines like this

For every block on the whole internet you have a different gateway depending on what you’ve decided is the preferred route. At today’s count this is about 490,000 entries in the routing table. Don’t type ‘route’ if you’re logged in over 3G!

So for this VM, instead of having a default route, Nat has four full BGP sessions, two to each of our two routers to the site. On each router, one session provides 490,000 IPv4 routes, the other provides 18,000 IPv6 routes, and the VM gets to decide which router to send data to.

The other side of the BGP relationship, and the important bit for Anycasting, is that we receive an advert from Nat’s VM for his /24 of IPv4 space and /48 of IPv6 space, which we then advertise out to the world. The 10+ other providers in this Anycast setup will do the same, and hosts will direct traffic to whichever is nearest.

Filtering

As Paul Vixie pointed out in the first question to Nat, the main customers of VMs with BGP are spammers who hijack address space for nefarious usage. At Mythic Beasts we filter our announcements and our customer routes, so if Nat messes up his configuration and accidentally announces that his VM is responsible for the whole of YouTube we’ll drop the announcement rather than expecting one very small VM to handle one fifth of the internet.
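The decision a customer route filter makes for each announcement, as an added example (not Mythic Beasts' router configuration). It accepts only prefixes registered to the customer and originated by the customer's AS; the ASN, prefixes, maximum lengths and function name are assumptions using documentation ranges.

```python
import ipaddress

# Constructed policy for one customer BGP session:
# each entry is (registered block, longest prefix length accepted).
CUSTOMER_POLICY = {
    "asn": 64500,
    "prefixes": [
        (ipaddress.ip_network("192.0.2.0/24"), 24),
        (ipaddress.ip_network("2001:db8:100::/48"), 48),
    ],
}

def accept_announcement(policy, prefix, as_path):
    """Return (accepted, reason) for one announcement received from the customer."""
    net = ipaddress.ip_network(prefix)
    # The origin AS is the last entry in the AS path.
    if not as_path or as_path[-1] != policy["asn"]:
        return False, "origin AS is not the customer's"
    for allowed, max_len in policy["prefixes"]:
        if net.version != allowed.version:
            continue
        if net.subnet_of(allowed):
            if net.prefixlen > max_len:
                return False, "more specific than allowed"
            return True, "matches registered prefix"
        if allowed.subnet_of(net):
            return False, "covers more than the registered prefix"
    return False, "prefix not registered to this customer"

if __name__ == "__main__":
    # Constructed announcements: one legitimate, one for somebody else's space.
    for pfx in ("192.0.2.0/24", "203.0.113.0/24"):
        print(pfx, accept_announcement(CUSTOMER_POLICY, pfx, [64500]))
```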

BGP on a virtual or dedicated server

If you’re a DNS provider or a content delivery network, you’ll probably want to have an Anycast setup at some point. At Mythic Beasts we remember what it was like to be the little guy which is why we offer full BGP routing (including IPv6 BGP) as an option to any virtual server, dedicated server, colocated server or router. Providing you own your own ASN and IP space we can transit it for you and we can keep the start-up costs very low and scale with you. You can locate your VM or server directly with us in Telecity, mere tens of metres from LINX and LoNAP for minimal latency and maximal available bandwidth.

If you’ve no idea what an ASN, BGP, LIR, RIPE are, we can help arrange your ASN, IP space and BGP config.