IPv6 Small Business

Migrating Small Business Networks To IPv6

submitted by: Sylvia Schuh

Diploma thesis (Diplomarbeit) for the academic degree of Magister rerum socialium oeconomicarumque, Master of Social and Economic Sciences (Mag. rer. soc. oec.)

Faculty of Business, Economics and Informatics, Universität Wien
Faculty of Technical Sciences and Informatics, Technische Universität Wien

Field of study: Wirtschaftsinformatik (Business Informatics)
Reviewer: O. Univ. Prof. Dr. A Min Tjoa
Vienna, 21.2.2006



Contents

1 The setting-up of my IPv4 network
  1.1 Maggie and her asterisk server [1][2]
    1.1.1 FXO, FXS, IAX, SIP
    1.1.2 Maggie's dialplan
    1.1.3 Digium card details
    1.1.4 Configuring Sipura SPA-2000 [40] [5]
  1.2 Marge and the CUPS problem
    1.2.1 Installing CUPS [6, 8, 7]
  1.3 Bart and Snowball are getting their iptables [9]
  1.4 Maggie: MySQL server [33]
  1.5 Installing OpenVPN on snowball and bart
    1.5.1 Setting up your Certification Authority (CA) [13]
    1.5.2 Generating certificates and keys
    1.5.3 Diffie-Hellman parameters [14]
    1.5.4 Distributing the files
    1.5.5 Advantages when using this security model
    1.5.6 Configuring OpenVPN
  1.6 Other services provided by marge.sylvia.test
    1.6.1 web server apache
    1.6.2 dynamic host addressing dhcpd [17]
    1.6.3 DNS server BIND [7][19][20]
    1.6.4 Mail transfer agent exim4 [21] [22] [23]
    1.6.5 POP3 server qpopper [9]
    1.6.6 web traffic monitoring with webalizer [11][26] [27]
    1.6.7 web caching and proxying with squid [28] [29]
    1.6.8 arpwatch [30]
  1.7 Other services provided by bart
    1.7.1 network time protocol daemon ntpd [3]
    1.7.2 ntop
  1.8 Services provided by homer
    1.8.1 File sharing
    1.8.2 Active directory [32] [33]

2 The initial lab-topology
  2.1 The main office
    2.1.1 hostname: bart - 192.168.200.1
    2.1.2 hostname: marge, alias: ns1, www, proxy - 192.168.200.5
    2.1.3 hostname: maggie - 192.168.200.8
    2.1.4 hostname: homer - 192.168.200.12
    2.1.5 hostname: apu - 192.168.200.33
    2.1.6 hostname: nelson - 192.168.200.34
    2.1.7 hostname: lisa - 192.168.200.35
    2.1.8 allnet1 - 192.168.200.130
    2.1.9 grandstream1 - 192.168.200.129
  2.2 Branch office
    2.2.1 hostname: snowball - 192.168.201.1
    2.2.2 hostname: snowball2 - 192.168.201.17
    2.2.3 hostname: sipura - 192.168.201.129

3 Testing and Benchmarking the Network
  3.1 Tools and their usage
    3.1.1 MRTG [1]
    3.1.2 Smokeping [9]
    3.1.3 bing [10]
    3.1.4 iperf [11] [12]
    3.1.5 netperf [13]
    3.1.6 netio [14]
    3.1.7 netbench [15]
    3.1.8 sipp [16] [17]
    3.1.9 copying files
    3.1.10 digging DNS
    3.1.11 open a file from a share
    3.1.12 downloading files
    3.1.13 ethereal [18]
    3.1.14 tcpdump [19]
    3.1.15 nmap [20]

4 Theory of IPv6
  4.1 IPv6 Addresses [1] [2]
    4.1.1 Unicast IPv6 addresses
    4.1.2 Multicast IPv6 addresses
    4.1.3 Anycast IPv6 addresses
    4.1.4 Addresses set on an IPv6 enabled host
    4.1.5 Address Autoconfiguration Process
    4.1.6 DHCPv6 [9]
  4.2 IPv6 Header
  4.3 ICMPv6
    4.3.1 ICMPv6 Error messages
    4.3.2 ICMPv6 Informational messages
    4.3.3 Multicast Listener Discovery [12]
  4.4 Neighbor Discovery [23]
    4.4.1 Neighbor Discovery messages
    4.4.2 Neighbor Discovery Process
  4.5 IPv6 Routing
    4.5.1 Route determination process
    4.5.2 IPv6 Delivery Process
    4.5.3 IPv6 Routing protocols
  4.6 IPv6 and Name Resolution
  4.7 Migration to IPv6 [15]
    4.7.1 6over4
    4.7.2 6to4
    4.7.3 ISATAP
    4.7.4 Teredo
    4.7.5 PortProxy

5 Migration to IPv6
  5.1 Making your system IPv6-ready [1]
    5.1.1 Debian Linux
    5.1.2 Windows
  5.2 Testing primary connectivity [8]
    5.2.1 Debian Linux
    5.2.2 Windows [9]
  5.3 Getting reachable globally via IPv6
    5.3.1 Installing AICCU
    5.3.2 Allocating the addresses
    5.3.3 Configuring the global addresses
    5.3.4 Setting routes manually
    5.3.5 Testing connectivity with traceroute
  5.4 More routing issues
  5.5 Networking basics
    5.5.1 advertising routes with radvd [20] [21] [22] [23]
    5.5.2 DHCPv6 using dibbler [27]
    5.5.3 DNS [30] [29]
  5.6 Migrating the services [31]
    5.6.1 Browsers: Firefox and Internet Explorer
    5.6.2 Web-Proxy: Privoxy [32]
    5.6.3 http-server: apache
    5.6.4 database: MySQL
    5.6.5 filesharing using Windows
    5.6.6 filesharing: WebDAV [38] [39]
    5.6.7 filesharing: ftp
    5.6.8 email: exim
    5.6.9 email: courier [41]
    5.6.10 mail-client: thunderbird
    5.6.11 mail-client: outlook and outlook express
    5.6.12 VoIP: asterisk [42] [43]
    5.6.13 time: ntpd, ntpdate
    5.6.14 domain controller: Active Directory
    5.6.15 printing: cups
    5.6.16 radio: Virgin radio
    5.6.17 instant messaging: irc, msn
    5.6.18 authentication: ipsec6
    5.6.19 encryption: OpenSWAN
    5.6.20 Remote control: ssh
    5.6.21 VNC: TightVNC
    5.6.22 Remote control: telnet
    5.6.23 Monitoring traffic: ntop
    5.6.24 monitoring privoxy: webalizer
    5.6.25 monitoring ports: nmap
    5.6.26 firewall: iptables
  5.7 Testing
    5.7.1 iperf
    5.7.2 Netserver/ Netperf
    5.7.3 Smokeping
    5.7.4 mrtg/ SNMP [47]

6 Conclusion and Summary

7 Configuration Files
  7.1 IPv4 related configuration
    7.1.1 APT
    7.1.2 Asterisk
    7.1.3 CUPS
    7.1.4 Apache2
    7.1.5 dhcpd
    7.1.6 BIND
    7.1.7 exim4
    7.1.8 The Webalizer
    7.1.9 squid
    7.1.10 arpwatch
    7.1.11 ntpd
    7.1.12 Active Directory
    7.1.13 mrtg
    7.1.14 SmokePing
  7.2 IPv6-related Configuration files
    7.2.1 Apache
    7.2.2 Smokeping
    7.2.3 mrtg
    7.2.4 firewall: iptables


Statutory Declaration

I declare under oath that I have written the present thesis independently and without outside help, that I have used no sources other than those indicated, and that I have marked as such all passages taken verbatim or in substance from the sources used.

Vienna, 21.2.2006


Acknowledgement

I want to start my acknowledgements by thanking my parents and my grandma for making it possible to study by providing me the financial prerequisites. Besides that I have to give my mother my special thanks for coping with my moods while writing on this (from happy to desperate) and my father for answering my questions and helping me with basic problems of networking. In addition to this I want to thank my friends for keeping me up-to-date, although I seemed to have vanished in a small chamber for the duration of my master thesis.

Another huge thank you goes to the director of the Berufsförderungsinstitut Burgenland, Mr. Peter Maier, for providing me the hardware, the information and the place to make my idea of my master thesis come true! Thank you very much!

I would also like to express my gratitude to those nameless people answering my newsgroup and forum postings, to the maintainers of software helping me (like Tomasz Mrugalski from dibbler, etc.) and to Mr. Schabus, supplying me with information on the Microsoft way of implementing IPv6. Another big thank you is for two employees of the IT at the Berufsförderungsinstitut Burgenland, Andreas Grabner and Thomas Jölly, for being interested in my subject and providing me with tips and tricks. Furthermore I want to thank Mustafa Sahin, a student at a university in Istanbul writing his thesis about IPv6 as well, for listening to my IPv6- and non-IPv6-related problems and for having good ideas on how we can take over the world using IPv6.

In addition to these I want to thank my supervisor O. Univ. Prof. A Min Tjoa for supervising my thesis and Mag. Markus Klemen for answering a lot of my questions.

The last two people I want to thank here are my grandmother Ida Ulreich and my grandfather Ing. Karl Schuh, who both passed away while I was writing this thesis. “Love is stronger than death even though it can’t stop death from happening, but no matter how hard death tries it can’t separate people from love. It can’t take away our memories either. In the end, life is stronger than death.” (author unknown)


Preface

When it came to the point of my study where I had to choose which subject I wanted to write about for my master thesis I really didn’t have to think long: I wanted to write something in the field of networks to improve my network administration skills and to learn a lot of things in the field of administering Linux servers. With the previous knowledge I acquired working in this field and when I took my CCNA I wanted to get further and write a thesis that could be of great use for other users as well and which is an upcoming subject, and so one beautiful day I had the idea of writing about IPv6. Then I looked on the internet for IPv6-related articles and found a lot of things concerning the standards of IPv6, how the header is made up and how huge the new address space is. I very often found things like “already IPv6 enabled” and became more and more curious how IPv6 would conduct itself in a productive environment, and that’s where the idea for my master thesis was born. I wanted to set up an IPv4 network with all the services you need to supply mail, data, www-connectivity and many others, and when this was done, I wanted to try to migrate this structure to IPv6. The first important problem I had was to get the structure of a well-functioning network and the hardware I would need. Since I had to move out of my apartment at that time I thought I could put all the devices needed for the thesis in my new apartment. I talked to some companies and tried to find people interested in my work so much that they would want to support me and finally found the Berufsförderungsinstitut Burgenland (http://www.bfi-burgenland.at). The Berufsförderungsinstitut Burgenland is a non-profit organisation working in the field of vocational training in many different skills. From becoming a registered masseur to driving diggers or starting your system administrator’s career you can learn anything you want in one of the several offices throughout the Burgenland. (By the way, if you don’t know, Burgenland is the easternmost federal state of Austria and is world-wide one of the most important wine suppliers for excellent red and white wine. http://www.burgenland.at). The Berufsförderungsinstitut Burgenland supplied me with their network structure and the knowledge they gained through the productive use of this structure. In addition to this they cleared out a room for me and supplied me the hardware I needed (which is several PCs, screens, switches, SIP phones, and so on). After putting all this stuff together the former storage room became more and more homely. While setting up all the services needed I learned the most about the use of Linux-based systems. Of course, as you might have guessed, you learn something about it at university, but if you are privately not very into it, the things you learn at university will be forgotten soon. So I set up one service after the other and learned a lot along the way. And then the big day came: IPv6 needed to be implemented. But let’s start step by step.

My thesis is composed of several chapters: the first chapter is about the setting up of the IPv4 part of the network, then there is a chapter about the theory of IPv6 and the most important chapter is the one about the actual migration to IPv6. You will find everything you need to know in order to set up an IPv6 enabled network within this thesis. The idea when writing this thesis was to create a hands-on guide for everyone interested in this subject, for I found it very difficult to get the information I needed. I want to supply facts about each service I used and tested, whether it worked or not, if there is a workaround and how a minimum configuration is achieved. So the point is that you can migrate your home or business network to IPv6 without reading hundreds of pages about the theory; simply take a look at the chapter about migration and try it. I wanted to sum up all I found out about the use of IPv6 in order to make it easier for others to deploy it and start to write more and more applications making use of the advantages provided by IPv6. I want to show everyone afraid of it how easy migrating to IPv6 can be, and everyone interested that there are already lots of things that can be done using IPv6. But let’s talk about advantages and disadvantages at the end of the thesis.


Introduction

Motivation

Probably every paper or thesis about IPv6 will start with the words “because of address shortage ...”, and this of course is one major reason to think about IPv6. NAT became a much used workaround for this problem but also imposes drawbacks like restrictions in the field of peer-to-peer computing and so on. We all may know that several countries already switched their IT infrastructure to IPv6-based communication and many task forces all over the world try to propagate its use more and more. My main goal for writing this thesis was not to write yet another theory-heavy description of how an IPv6 header is set up and how big the address space is, but rather a hands-on guide for people who are interested in it and don’t want to read all the theory first. My work usually is more of the trial-and-error kind (I am not really into reading long descriptions first) and so I wanted to supply a paper you can work with without spending hours on reading, but rather just try it, work with it and learn it by doing.

This thesis could be an interesting source of information for people administering and setting up services in a network for the first time and for those who still do not know if they need IPv6 but are interested. I was very interested in what benefits IPv6 has and which of them can really be brought into production use. The whole thesis is divided into three logical parts: first the network is set up using IPv4, then there is an IPv6 theory part (every thesis needs its theory ;-) ) and the last one is about the migration of the services to IPv6. I wanted to create a complete guide for which you don’t really need any previous knowledge. While I was working on the setting up of the IPv4 network I found it pretty difficult to get a quick and dirty configuration of several services, and that’s the reason why I decided to append all configuration files I used during my work in order to supply a basic and working configuration.

Problem Statement

The main reason for switching to an IPv6 environment is of course address space and the limitations imposed by workarounds like NAT, but there are more benefits than that when using IPv6. The most-cited one for “normal” users is built-in security: IPsec (AH and ESP) is part of the IPv6 specification, so every conforming stack can authenticate and encrypt traffic end to end without add-on software, which makes sniffing much harder. One caveat belongs here: IPv6 traffic is not encrypted automatically. IPsec still has to be configured and keyed on both endpoints (see the ipsec6 and OpenSWAN sections in chapter 5), and an unconfigured IPv6 link is as easy to sniff as an IPv4 one. (I am not talking about the advantages gained through hierarchical routing and so on, for this is only interesting for ISPs.) In addition to this more concern is put on flow control and Quality of Service, for which the IPv6 header carries the Traffic Class and Flow Label fields; this will emerge as a very interesting topic for everyone pretty soon (just think of prioritizing VoIP and videoconferencing over usual web traffic). There are IPv4 approaches to all of these aspects as well, but I don’t see much sense in patching a very old protocol so it can handle something the new one was designed for.

Although, and I guess you might have noticed by now, I am a fan of IPv6, I have to confess that most benefits do not work as they should, yet. Of course, I could migrate all services and get a working IPv6 infrastructure, but I could not uninstall IPv4 for various reasons and some basic features still lack implementation. Nevertheless I am advocating IPv6 and am totally convinced that after people find out the possibilities we didn’t yet think about because they were not feasible using IPv4, IPv6 will become state-of-the-art very soon.


Chapter 1

The setting-up of my IPv4 network

For the sake of completeness I want to write about the setting-up of the IPv4 network and the troubles related with that approach as well. When I got the news that the Berufsförderungsinstitut Burgenland was going to support my work not only by wishing me luck but by giving me the hardware I needed and by lending me a room to put in all the stuff I needed, I was all excited. After putting together the pieces of hardware (and in fact, they came in pieces; please see the pictures) into some functional thing one would have called a PC a few years ago, I got more and more of a notion of the upcoming work. This was sometime in June 2005. Later in June I went to the Linux Tag 2005 in Karlsruhe, which gave me even more inspiration for starting my work with the full capacity of motivation I had. Returned from Germany in July I started documenting my work in more detail. My first entries are from the week between the 20th and the 26th of July.

After setting up the operating systems on all hosts in the network the configuration of the services started. One of the first things done was the installation of the asterisk server together with the Digium card.


1.1 Maggie and her asterisk server [1][2]

After putting in the Digium card I got from the company (they are thinking about switching to asterisk-only internal telephony in a few months) several things were missing. Maggie is set up with Debian Sarge 3.1 with kernel 2.4.27-2-686 but was missing the kernel headers and the kernel source, which had to be installed separately.

The following additional packages have been installed with “apt-get install”:

openssl, libncurses-dev, libssl-dev, zlib1g-dev, cvs

With the help of cvs I got the newest versions of zaptel, libpri and of course asterisk:

cd /usr/src
export CVSROOT=:pserver:[email protected]:/usr/cvsroot
cvs login          (password: anoncvs)

Don’t get confused by an error popping up when you use cvs for the first time. It just informs you that a file (for the password) that did not exist yet is being created.

cvs checkout zaptel libpri asterisk

Now you are getting the sources for the three packages you need. After the data has been sent you can start installing the new software by changing the working directory to the package you want to install and then building the sources. Zaptel is the telephony card driver and is only needed with this kind of hardware.

cd zaptel
make clean
make install
cd ../libpri
make clean
make install
cd ../asterisk
make clean
make install
make samples

In order to make the samples you need the package progdocs.

The Zaptel driver mentioned above needs to be loaded with the following command (don’t forget to add the module permanently to the /etc/modules file):

modprobe zaptel

Regional parameters and the use of each port on your telephony card are defined in a configuration file:

/etc/zaptel.conf

Here you define local signalling options and make the distinction between FXO and FXS ports. With FX interfaces the hardware is named after what it connects to, while the signalling names the device we are emulating. The O in FXO stands for Office: an FXO port connects to the central office, so our software has to emulate a station on it (signalling fxsks, the FXS variant with kewlstart). The opposite is true for FXS, with the S standing for station: an FXS port has a phone attached, so the software emulates the office side (signalling fxoks).

After zaptel.conf is edited you load the driver for the card:

modprobe wcfxs

and apply the configuration to the loaded driver with ztcfg -vv, which prints every channel it configured and fails loudly if zaptel.conf and the card disagree; only then does asterisk see the ports.

Note: the Zaptel driver is always loaded into memory first. Then the drivers for the devices (wcfxs for the TDM400P, ztdummy, ..) follow.

After you have configured your hardware you need to take a look at asterisk itself. After building from source there are, of course, some configuration files left to configure. To start with a simple configuration and experience some success soon you can load the sample configuration files. Asterisk will by default look for configuration files in /etc/asterisk, which has to be created manually.

mkdir /etc/asterisk

The promised sample configurations can be found in /usr/src/asterisk/configs and are obtained by copying them to the /etc/asterisk folder (if you don’t have them there by default, as I did):

cd /usr/src/asterisk/configs


cp ./modem.conf.sample /etc/asterisk/modem.conf
cp ./modules.conf.sample /etc/asterisk/modules.conf
cp ./phone.conf.sample /etc/asterisk/phone.conf
cp ./voicemail.conf.sample /etc/asterisk/voicemail.conf
cp ./zapata.conf.sample /etc/asterisk/zapata.conf

Now you can start your asterisk server for the first time

/usr/sbin/asterisk -cvvv

The -c option starts asterisk in the foreground with an interactive console; each “v” raises the verbosity by one level, and you can go up to five for detailed output. Now you have a working installation of asterisk with a *CLI> prompt waiting for calls. But before you can enjoy calling others via VoIP there are some configuration issues ahead.

A catchword in the world of asterisk is “channel”. A channel is the logical connection to the various transmission and signalling paths which asterisk uses to handle calls. You could also describe it as a driver between the various VoIP protocols and the hardware that connects to the PSTN. The rules asterisk follows for this purpose can be found in the so-called dialplan, where we define what kinds of channels we need and how they are usable for the system.

Before you can set up the dialplan you have to define the channels to use. In my lab we only had FXO, FXS, IAX and SIP channels in use, which I am going to describe now. (Check the appendix for the config files.)

1.1.1 FXO, FXS, IAX, SIP

First I want to describe the terms FXO and FXS in more detail. They have their origin in an old telephone service called Foreign eXchange (FX). The confusing part about FXO and FXS is that FX ports are not named by what they are but by what they connect to. Therefore, an FXS port is connected to a station and has to behave like a central office (an FXO port, of course, behaves vice versa).

An FXS interface is the same as the standard analog line a phone company provides to most houses; it supplies you with dial tone, ringing voltage and DTMF detection. The FXO side connects to a central office; it generates DTMF, detects dial tone and detects ringing.

Both kinds of interfaces are described in two places: the hardware signalling in /etc/zaptel.conf (see above), and asterisk’s own view of the channels, including the dialplan context each port lands in, in /etc/asterisk/zapata.conf.
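To make the signalling inversion and the port-to-context assignment described above concrete, here is an added, worked example for a TDM31B like the one on maggie. It is not the thesis’ own configuration (those files are in the appendix); the port layout (FXS modules in ports 1-3, FXO module in port 4), the tone zone and the context names internal and from-pstn are assumptions.

```ini
; /etc/zaptel.conf  (added example; port layout is an assumption)
; FXS ports (phones plug in here): the software plays the office side, so
; the signalling keyword is the FXO one. "ks" = kewlstart.
fxoks=1-3
; FXO port (the PSTN line plugs in here): the software plays a station, so
; the signalling keyword is the FXS one.
fxsks=4
; Tone set for Austria (assumption); other zones are listed in zonedata.c
loadzone=at
defaultzone=at

; /etc/asterisk/zapata.conf  (added example)
; Options are sticky: each one applies to every "channel =>" line below it
; until it is set again, so the order of the lines matters.
[channels]
usecallerid=yes
echocancel=yes

; The company's own phones on the FXS ports. They land in the trusted
; 'internal' context, the only place that may hand a call to the trunk.
signalling=fxo_ks
context=internal
group=1
channel => 1-3

; The PSTN line on the FXO port. Whatever arrives here is an outside caller
; and must land in a context that cannot dial out again (see extensions.conf).
signalling=fxs_ks
context=from-pstn
group=2
channel => 4
```

After editing, run ztcfg -vv and then restart asterisk; the *CLI> command “zap show channels” lists each port with the context it was assigned, which is the quickest check that the FXO line did not end up in the internal context by accident.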

IAX on the other hand, the Inter-Asterisk eXchange protocol, is an IP-based protocol that carries both signalling and media over a single UDP port and is configured in the iax.conf file. In my topology we will later tunnel the IAX traffic through OpenVPN to our branch office.

The Session Initiation Protocol (SIP) is becoming the most widely supported VoIP protocol because it is, like IAX, pretty easy to set up. SIP telephony is set up in the sip.conf file, where you define IP address, port and other options so that the phone on the other side can authenticate to the asterisk server.

1.1.2 Maggie’s dialplan

The dialplan is said to be the heart of any asterisk system, for it defines how asterisk should handle each call. This list of instructions is found in the file /etc/asterisk/extensions.conf and is divided into different parts called contexts. In them extensions, priorities and applications are defined.

Contexts play an organizational role within the dialplan and define scopes: a channel can only reach the extensions of the context it was assigned to (and of the contexts included there), which is what keeps an untrusted inbound line from reaching the outgoing trunk. Within a context, extensions, character strings triggering events, are defined. Here you define things like which phone should ring when a certain number is called, or what the system should do if no one picks up the phone, and so on. Priorities are numbered steps in the execution of each extension and each priority calls a specific application, which in turn performs a certain action like playing sounds or hanging up the call. So the syntax of this file generally looks like this:

[<context-name>]
exten => <extension>,<priority>,<application>

e.g.: exten => 555,1,Dial(Zap/1,20)
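The following is an added example of a complete small dialplan with the matching sip.conf, written to show contexts, extensions, priorities and applications working together; it is not Maggie’s real dialplan (that one is reproduced in the appendix). Assumptions: the FXS ports 1-3 are in context internal and the FXO line on port 4 is in context from-pstn (set in zapata.conf), the extension numbers 101/301/302 and the outside-line prefix 0 are made up, and the SIP peers 301/302 stand in for the two Sipura lines configured later in this chapter. The point to notice is the separation: only [internal] contains the _0. outside-line pattern, and neither [from-pstn] nor the context for unauthenticated SIP requests includes it, so an outside caller can never be bridged back onto the trunk (the classic toll-fraud hole).

```ini
; /etc/asterisk/extensions.conf  (added example; numbers, trunk port and
; context names are assumptions, not the thesis' configuration)
[general]
static=yes
writeprotect=no

[globals]
TRUNK=Zap/4            ; FXO port to the PSTN (assumption: module in port 4)

; Trusted side: the FXS ports and the authenticated SIP/IAX peers whose
; context= in zapata.conf, sip.conf or iax.conf is 'internal'.
[internal]
exten => 101,1,Dial(Zap/1,20)           ; analog phone on FXS port 1
exten => 101,2,VoiceMail(u101)          ; u = "unavailable" greeting
exten => 101,3,Hangup
exten => 301,1,Dial(SIP/301,20)         ; Sipura line 1
exten => 301,2,VoiceMail(u301)
exten => 301,3,Hangup
exten => 302,1,Dial(SIP/302,20)         ; Sipura line 2
exten => 302,2,VoiceMail(u302)
exten => 302,3,Hangup
exten => 5000,1,VoiceMailMain           ; mailbox login, asks for box and PIN
; Outside line: dial 0 plus the number; the 0 is stripped before dialling.
; This pattern exists ONLY in this context.
exten => _0.,1,Dial(${TRUNK}/${EXTEN:1},60)
exten => _0.,2,Congestion
exten => _0.,3,Hangup

; Untrusted side: calls that arrive on the PSTN line. No include of
; [internal] and no _0. pattern: an outside caller gets exactly one thing,
; the reception phones ringing, and can never reach the trunk again.
[from-pstn]
exten => s,1,Answer
exten => s,2,Dial(Zap/1&SIP/301,25)
exten => s,3,VoiceMail(u101)
exten => s,4,Hangup

; Dead end for SIP requests that did not authenticate (see sip.conf).
[sip-unauthenticated]
exten => _X.,1,Congestion
exten => _X.,2,Hangup

; /etc/asterisk/sip.conf  (added example)
[general]
bindaddr=0.0.0.0
port=5060
context=sip-unauthenticated  ; where a request lands if no peer matched
allowguest=no                ; refuse INVITEs from unknown sources outright

[301]
type=friend
host=dynamic
context=internal             ; only authenticated peers get the trusted context
secret=CHANGE-ME-not-301     ; must not equal the user id; the lab used 301
dtmfmode=rfc2833             ; matches "DTMF Tx Method: AVT" on the Sipura
canreinvite=no

[302]
type=friend
host=dynamic
context=internal
secret=CHANGE-ME-not-302
dtmfmode=rfc2833
canreinvite=no
```

Load it with “reload” on the *CLI> console and verify the boundary from both sides: “show dialplan from-pstn” must list no _0. pattern and no include, and a SIP REGISTER with a wrong secret must end up in sip-unauthenticated (visible with “sip debug”), never in internal.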

At the end of July I managed to have a working telephony system with analog telephones, a Sipura adapter with two analog phones and two SIP phones (a Grandstream BudgeTone 100 and an Allnet ALL7950). Both SIP phones and the Sipura adapter can be configured through a web interface included in the devices.

Grandstream BudgeTone 100: http://192.168.200.129 (password: foo)
Allnet ALL7950: http://192.168.200.130:9999 (user: elsylo, password: foo)
Sipura SPA-2000: http://192.168.201.129/admin

1.1.3 Digium card details

The Digium card used in this lab is a TDM400P, or to be more precise a TDM31B. TDM31B describes the composition of FXO and FXS modules on the card.

Figure 1.1: The naming convention for the TDM bundles is as follows: TDM X Y B. Where "TDM" denotes that the card is TDM, "X" denotes the number of FXS modules, "Y" denotes the number of FXO modules, and "B" indicates that this product is a bundle. [41]


1.1.4 Configuring Sipura SPA-2000 [40] [5]

After plugging in the Sipura SPA-2000 device its web interface is reachable through the network. If you don’t know which IP address the device has at the moment, simply dial “****” on a phone plugged into the Sipura adapter. A male voice welcomes you to the “Sipura Configuration Menu” and asks you to enter an option followed by the pound key. You can now type e.g. “110#” and it reads the IP address of the phone adapter back to you. The next step is to browse to http://192.168.201.129/admin and change to the advanced mode of the configuration interface.

Figure 1.2: some Sipura options you can query on a touch-tone telephone [4]

By default two users called “admin” and “user” exist with a blank password, which you can set if you like. Remember that, whatever you change on the web interface, the changes only take effect when you press “Submit All Changes”. In the “System” tab you can either set the IP address statically or dynamically via DHCP (default: DHCP: On). In the “Line 1” tab the following changes to the default configuration have been made: the Proxy is set to the IP address of the local asterisk server (192.168.201.1), the “Register Expires” value is lowered to “20” (default: 3600). In the section “Subscriber Information” the “Display Name”, as well as “User ID” and “Password”, are set to “301”. In the last subsection “Audio Configuration” the “DTMF Tx Method” is set to “AVT”, sending the dialled numbers as AVT events conforming to RFC 2833. The same settings, except for “Display Name”, “User ID” and “Password”, are used for tab “Line 2”; these options were set to the value “302” this time. In tabs “User 1” and “User 2” I changed, in the section “Ring settings”, the “Default Ring” to “2”, “Hold Reminder Ring” to “8” and “Call Back Ring” to “7”.

1.2 Marge and the CUPS problem

At the time I tried to set up asterisk in my environment, I also got my printer for the lab, an HP LaserJet 1300 connected via USB to marge. I decided to use CUPS as printer manager here.

1.2.1 Installing CUPS [6, 8, 7]

In order to have CUPS on your system you need to install some packages with “apt-get install”. The packages in brackets are those I had to install additionally in order to get the ones I needed.

python-dev, libsnmp5-dev (libssl-dev, libssl0.9.7e-3), libcupsys2-dev (libgnutls11-dev, libtasn1-2-dev), python-qt3, lsb

When you are done with this you need to download and install the driver for the printer. To be more precise, you need to download the HPLIP tar file from http://hpinkjet.sourceforge.net. The file you get is a *.tar.gz and needs to be extracted with the command “tar xvfz *.tar.gz”. After that a folder is created; switch into that folder and run

./configure --prefix=/usr
make
make install            (you need to be root for that)
/etc/init.d/hplip restart
/etc/init.d/cups restart


Now the only thing left to do is to add the printer to CUPS. This is usually done via the web interface, but because I did not install any window environment on my Linux computers I decided to use lynx, a text-based web browser, instead.

lynx http://localhost:631

In the “Printers” section you can “Add Printer” and have to type in a printer name, which should be meaningful and must not contain spaces. In the next step you are prompted to define exactly the device you use. For a USB device choose e.g.:

usb://HP/LaserJet%201300

In the next step you have to choose which make your printer is, which in my case is HP. The last step is to choose the model of the printer (LaserJet 1300) and this was the step that ruined my otherwise perfect installation of the printer. There are several LaserJet 1300 printer drivers in this list and I chose the one with the note “Recommended”. What I did not know and/or see at this time was that this was a driver for a PostScript printer and did not really suit my needs. The diabolical thing about this mistake was that the printer worked with Linux clients printing on it without any troubles (I had some layout difficulties; the borders needed to be defined manually) and even worked with some Windows applications. But when it came to the point when I wanted to install the printer on my Windows 2000 I found the spoolsv service occupying about 90% of my system load and the programs tended to crash when printing something or even when installing the printer. My first thought, of course, was that Windows, especially Windows 2000, is not suited for use with CUPS, but I was proven wrong when a colleague installed the not-recommended CUPS driver and everything worked fine. (In fact, finding out what the problem was has not been such a quick thing, but I leave out the boring details.)

Note: Having a spoolsv with a huge CPU load in most cases indicates the existence of a virus on the system. These can be some Trojans or, more precisely, e.g. the agobot worm/backdoor infecting *.exe files on your PC. Having had troubles with agobot on other systems before, I checked the usual registry keys agobot uses:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\

After I could rule out this possibility I also found information about printer jobs stuck in the printer queue producing similar behaviour (check the Microsoft Image Writer queue). Look for the Windows printer queue in

%SYSTEMROOT%\system32\spool

CUPS-printers can be accessed via

http://marge.sylvia.test:631/printers/HP_LaserJet_1300

There you have a very user-friendly printer management interface where you can access the printer queue and of course all printers added to CUPS.

After this problem was solved, I no longer had problems with the CUPS system, could print even from my Windows 2000 PC and had the correct alignment on the sheets. With each Windows PC you only have to add a new Network Printer, choose the location http://marge.sylvia.test:631/printers/HP_LaserJet_1300 and add the correct printer driver (hplj1300m6.inf) I downloaded from the HP homepage. If you feel you need more information on the topic of installing a CUPS printer on a Windows system I'd recommend the page http://www.owlfish.com/thoughts/winipp-cups-2003-07-20.html.

For Linux systems this was even easier. After “apt-get install cupsys-client” the only thing you have to edit is the /etc/cups/client.conf file, to the following:

--- [snip] ---
ServerName marge.sylvia.test

Now the printer is accessible from your Linux system; you can try it from the command line by printing the config file itself with

lp /etc/cups/client.conf


Figure 1.3: the management interface of CUPS; the first printer is the working one, the second the one with the wrong driver type

1.3 Bart and Snowball are getting their iptables[9]

iptables, the tool for creating packet-filtering and NAT rules, is one of the most important services on both hosts, since it prevents disallowed traffic from leaving or entering the network. The rules on both nodes are the same, therefore I will only show one of them. The firewalling rules here should be taken as a minimum-security configuration, but they were sufficient for my needs.

#!/bin/bash

FWVER=1.0

# for Sylvias Project master thesis

echo -e "\nLade Firewall - Version $FWVER..\n"
IPTABLES=/sbin/iptables
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/usr/bin/awk
SED=/bin/sed
IFCONFIG=/sbin/ifconfig

# define the interfaces to use
EXTIF="eth0"
INTIF="eth1"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
echo " ---"
EXTIP="192.168.150.7"
echo " External IP: $EXTIP"
echo " ---"

# define the networks to use
INTNET="192.168.201.0/24"
# we have a server network; servers have low ip-addresses and have
# different rights (from clients)
SERVNET="192.168.201.0/27"
HAUPTNET="192.168.150.0/24"
# note: with the /24 mask iptables treats this as 192.168.201.0/24, i.e. the
# rules using $INTIP match the whole internal network, not only the host
INTIP="192.168.201.1/24"
echo " Internal Network: $INTNET"
echo " Server Netzwerkteil: $SERVNET"
echo " Internal IP: $INTIP"
echo " ---"
UNIVERSE="0.0.0.0/0"

echo " -Verifying that all kernel modules are ok"
$DEPMOD -a
echo -en "Loading kernel modules: "
echo -en "ip_tables, "
if [ -z "`$LSMOD | $GREP ip_tables | $AWK '{print $1}'`" ]; then
    $MODPROBE ip_tables
fi
echo -en "ip_conntrack, "
if [ -z "`$LSMOD | $GREP ip_conntrack | $AWK '{print $1}'`" ]; then
    $MODPROBE ip_conntrack
fi
echo -en "ip_conntrack_ftp, "
if [ -z "`$LSMOD | $GREP ip_conntrack_ftp | $AWK '{print $1}'`" ]; then
    $MODPROBE ip_conntrack_ftp
fi
echo -en "ip_conntrack_irc, "
if [ -z "`$LSMOD | $GREP ip_conntrack_irc | $AWK '{print $1}'`" ]; then
    $MODPROBE ip_conntrack_irc
fi
echo -en "iptable_nat, "
if [ -z "`$LSMOD | $GREP iptable_nat | $AWK '{print $1}'`" ]; then
    $MODPROBE iptable_nat
fi
echo -en "ip_nat_ftp, "
if [ -z "`$LSMOD | $GREP ip_nat_ftp | $AWK '{print $1}'`" ]; then
    $MODPROBE ip_nat_ftp
fi
echo -e "ip_nat_irc"
if [ -z "`$LSMOD | $GREP ip_nat_irc | $AWK '{print $1}'`" ]; then
    $MODPROBE ip_nat_irc
fi

# !!! forwarding !!!
echo "---"
echo " ENABLING FORWARDING! "
echo "1" > /proc/sys/net/ipv4/ip_forward

echo " Clearing any existing rules and setting default policy to DROP -"
# dropping chains before editing them
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
    $IPTABLES -F drop-and-log-it
fi
$IPTABLES -X
$IPTABLES -Z

echo " CREATING a DROP chain"
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info
$IPTABLES -A drop-and-log-it -j DROP

echo -e "\n - loading INPUT rulesets"
# Input rules; 1st one is for the OpenVPN tunnel interface
$IPTABLES -A INPUT -i tun+ -j ACCEPT
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $HAUPTNET -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
# internal addresses must never arrive on the external interface (spoofing)
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
echo -e " allowing external interfaces to access the www"
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

echo -e " Loading OUTPUT RULESETS !!!!!! "
# Output rules; 1st one is for the OpenVPN tunnel interface
$IPTABLES -A OUTPUT -o tun+ -j ACCEPT
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $INTIP -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

echo -e " - loading forwarding ruleset"
# Forwarding rules; 1st two rules for the OpenVPN tunnel interface
$IPTABLES -A FORWARD -i tun+ -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o tun+ -s $INTIP -j ACCEPT
echo " - FWD : Allow all connections out and only existing or related in"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -s $HAUPTNET -d $UNIVERSE -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# you could choose to allow all traffic for the servers here
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $SERVNET -j ACCEPT
# web-Traffic allowed for proxy only
## $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s 192.168.200.5 -j ACCEPT
# note: 80:443 is a port range, so every TCP destination port from 80 up to 443 is dropped here
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -p tcp --destination-port 80:443 -j drop-and-log-it
# end web-traffic
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j drop-and-log-it

echo "NAT : enabling SNAT functionality on $EXTIF"
# enabling postrouted NAT
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
echo -e "\nStronger rc.firewall-2.4 $FWVER done. HAVE A NICE DAY.\n"

# setting the default route
route add default gw 192.168.150.5
echo -e "\nDefault-Route set for Jormannsdorf.\n"

This is the ruleset loaded at /etc/rc2.d/S12firewall on host snowball.

Note: Dropped packets are by default displayed on the console as they occur. Because this is not really convenient to work with, I decided to log the packets to /var/log/messages. In order to do that you have to modify the file /etc/init.d/klogd and change the variable KLOGD to

KLOGD="-c 4"
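Once the drop-and-log-it entries end up in /var/log/messages, a few lines of awk make them reviewable. The following is an added example, not part of the thesis: the log lines are constructed to match the kernel LOG target output the ruleset above produces (the LOG rule sets no --log-prefix, so the message begins directly with IN=; adding one, e.g. --log-prefix "FW-DROP: ", makes the lines easier to tell apart from other kernel messages), and all addresses in the sample are made up.

```sh
#!/bin/sh
# Added example (not from the thesis): summarise what the drop-and-log-it chain
# logged once klogd forwards kernel messages to /var/log/messages.
set -eu

# Constructed sample of LOG-target lines as the ruleset above would emit them:
# probes from outside HAUPTNET arriving on eth0 (final INPUT drop) and a client
# on the internal network trying to reach port 443 directly (FORWARD drop).
SAMPLE_LOG='Dec  4 09:13:10 snowball kernel: IN=eth0 OUT= MAC=00:0c:29:3a:1b:2c:00:50:56:c0:00:08:08:00 SRC=10.0.0.33 DST=192.168.150.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4411 DF PROTO=TCP SPT=40312 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  4 09:13:11 snowball kernel: IN=eth0 OUT= MAC=00:0c:29:3a:1b:2c:00:50:56:c0:00:08:08:00 SRC=10.0.0.33 DST=192.168.150.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4412 DF PROTO=TCP SPT=40313 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  4 09:13:12 snowball kernel: IN=eth0 OUT= MAC=00:0c:29:3a:1b:2c:00:50:56:c0:00:08:08:00 SRC=10.0.0.33 DST=192.168.150.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4413 DF PROTO=TCP SPT=40314 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  4 09:13:30 snowball kernel: IN=eth1 OUT=eth0 SRC=192.168.201.77 DST=10.1.2.3 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=9001 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Dec  4 09:14:02 snowball kernel: IN=eth0 OUT= MAC=00:0c:29:3a:1b:2c:00:50:56:c0:00:09:08:00 SRC=10.0.0.9 DST=192.168.150.7 LEN=84 TOS=0x00 PREC=0x00 TTL=255 ID=1 DF PROTO=UDP SPT=5353 DPT=5353 LEN=64
Dec  4 09:14:05 snowball kernel: IN=eth1 OUT=eth0 SRC=192.168.201.77 DST=10.1.2.3 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=9002 DF PROTO=TCP SPT=51001 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Dec  4 09:14:06 snowball kernel: IN=eth1 OUT=eth0 SRC=192.168.201.77 DST=10.1.2.3 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=9003 DF PROTO=TCP SPT=51002 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0'

# summarize_drops: read LOG lines on stdin and print "count IN PROTO SRC DST DPT"
# per distinct tuple, most frequent first. Every KEY=VALUE token of the kernel
# message is parsed, so MAC=, TTL= etc. are available in f[] as well.
summarize_drops() {
    awk '
        /kernel: / && /PROTO=/ {
            split("", f)
            for (i = 1; i <= NF; i++) if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
            key = f["IN"] " " f["PROTO"] " " f["SRC"] " " f["DST"] " " (("DPT" in f) ? f["DPT"] : "-")
            n[key]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2
}

# flag_scanners THRESHOLD: print "SRC distinct-port-count" for every source that was
# dropped on more than THRESHOLD distinct destination ports, a crude probing indicator.
flag_scanners() {
    awk -v t="$1" '
        /kernel: / && /PROTO=/ {
            split("", f)
            for (i = 1; i <= NF; i++) if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
            if (("DPT" in f) && !((f["SRC"] SUBSEP f["DPT"]) in seen)) {
                seen[f["SRC"] SUBSEP f["DPT"]] = 1
                ports[f["SRC"]]++
            }
        }
        END { for (s in ports) if (ports[s] > t) print s, ports[s] }
    ' | sort -k2,2nr
}

# Stand-alone run: "sh thisfile.sh demo" analyses the constructed sample; in real
# use feed it "grep 'kernel: IN=' /var/log/messages" instead.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | summarize_drops
    echo "--- sources hitting more than 1 port:"
    printf '%s\n' "$SAMPLE_LOG" | flag_scanners 1
fi
```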


1.4 Maggie: MySQL server[33]

Maggie is not only our asterisk server in this environment; because she has pretty good hardware we decided to make her the database server as well. The database chosen is MySQL because of its widespread popularity and its multiple uses. Since no Debian binary was available, I downloaded the sources from http://dev.mysql.com/downloads/mysql/4.1.html (at this time MySQL 5.0 was not yet available). For installing you need gunzip, tar, gcc and make, and the following commands:

# creating a group and a user mysql
shell> groupadd mysql
shell> useradd -g mysql mysql
shell> gunzip < mysql-VERSION.tar.gz | tar -xvf -
shell> cd mysql-VERSION

# ./configure --help shows you the configure options; here I chose to install
# mysql to /usr/local/mysql
shell> ./configure --prefix=/usr/local/mysql
shell> make
shell> make install

# setting up a sample configuration file
shell> cp support-files/my-medium.cnf /etc/my.cnf
shell> cd /usr/local/mysql

# if you haven't installed MySQL before, you have to install the grant tables
shell> bin/mysql_install_db --user=mysql

# change the owner of the binaries to root, the owner of the data to mysql
shell> chown -R root .
shell> chown -R mysql var
shell> chgrp -R mysql .

# initializing and testing afterwards:
shell> bin/mysqld_safe --user=mysql &

# if you like to have the MySQL server started at boot, use the script located in
support-files/mysql.server

# to create a new user "user" with all rights from every host ('%') with password
# "password"; this creates an entry in the database "mysql", table "user"
mysql> GRANT ALL ON *.* TO 'user'@'%' IDENTIFIED BY 'password';

# for logging
shell> mkdir /var/log/mysql
shell> chown mysql.mysql /var/log/mysql

# in my.cnf, specifying the log directory (the slash at the end is important!)
log-bin=/var/log/mysql/

1.5 Installing OpenVPN on snowball and bart

OpenVPN [5] is a program written by James Yonan that provides the ability to set up SSL-encrypted Virtual Private Networks. The SSL encryption is provided by OpenSSL, and there are three possibilities for authenticating peers. One is the use of certificates, the most secure of the three; another takes username/password pairs, so that clients no longer have to hold their own certificates. The easiest way of having an SSL-encrypted tunnel is with the help of preshared keys. There are several drawbacks to this static-key approach, like limited scalability or the fact that the key has to exist on each host in plain text.

You can download the OpenVPN package either from the homepage http://openvpn.net or get it with a simple “apt-get install openvpn” on Debian-based systems.

The first thing after you have installed OpenVPN is to decide whether to use a routed or a bridged VPN. The choice is about whether the connected network or host should be treated as a member of the other network, or whether traffic between them is treated as if there were a router in between. In a bridged VPN broadcasts traverse the tunnel and there are no routing entries to make: an easy-to-use choice for road warriors, but it does not scale very well and is less efficient than routing. Overall, in most cases you will use routing instead of bridging; it is easy to set up and provides better access control. Bridging, on the other hand, should be used if you are using non-IP protocols such as IPX, running applications relying on broadcasts, or want browsing of Windows file shares made possible without setting up WINS. As you might have guessed, I decided to use a routed VPN.

1.5.1 Setting up your Certification Authority (CA) [13]

If you don't already have a PKI (public key infrastructure) you should start by building one. Authentication is bidirectional, meaning the server authenticates the client and the client in turn authenticates the server before a secure connection can be established. Both authenticate by verifying that the certificate was signed by the certification authority and afterwards by checking the certificate header for things like the certificate common name or certificate type. This requires the existence of key pairs (public and private) for each host wanting to connect to the VPN, and a certification authority signing them. If you don't want and don't need an official authority to sign the keys you can also build your own authority, which is described below.

In your /usr/share/doc/openvpn/examples directory is a directory called easy-rsa. Best practice is to copy that folder into your /etc folder so that future package upgrades don't affect your configuration. Then you have to modify your ./vars file with the information for KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL (don't leave any of them blank). To initialize the PKI you only have to:

. ./vars          (the vars file has to be sourced, not executed)
./clean-all
./build-ca

Note: In my case, the first command setting the global parameters for building the PKI, ./vars, did not work, so I chose the hands-on method of adding the exported parameters from the ./vars file to the /root/.profile file myself.

The last command, ./build-ca, creates the CA and invokes an interactive openssl command where you have to give the needed information. As set before, the information provided through the ./vars file is used as the default here. Only the Common Name has to be added, and in my case this is “snowball”.

1.5.2 Generating certificates and keys

With a Certification Authority up and running the next step is to generatea certificate and private key for the server.

./build-key-server snowball
    Common Name: snowball
    sign certificate: yes
    1 out of 1 certificate certified: yes

All other queried parameters can be defaulted except for the three men-tioned above. The last two options require positive responses.

Building the keys for the clients in the VPN network is as easy as building the server key. Building keys for two clients is done by

./build-key client1

./build-key client2

where client1 and client2 are the unique Common Names for the two clients. If you would like to have password-protected keys, use ./build-key-pass instead. Last but surely not least important is the generation of the Diffie-Hellman parameters.

1.5.3 Diffie-Hellman parameters [14]

Diffie-Hellman references the Diffie-Hellman key agreement protocol, a technique for negotiating a secret key over an insecure medium like the Internet. The protocol is also called “exponential key agreement” and was devised by Diffie and Hellman. Diffie-Hellman is very secure because it uses very large integers to compute the keys. Its only vulnerability is to man-in-the-middle attacks: because the exchanged data is not authenticated initially, an attacker could negotiate a separate key with each of the two nodes without anyone noticing.

The parameters are generated on the server: (this will take some time)

./build-dh

1.5.4 Distributing the files

The last step is to distribute the key files generated on the server over a secure channel to the clients, where they have to reside for future encrypted and authenticated connections. Of course, you could also generate the client keys on the clients themselves and, by submitting Certificate Signing Requests (CSR), have them signed at the key-signing machine. Then the .key files don't have to leave your hard disk. In my lab I chose the secure way of putting the files on a floppy and carrying it to the clients (old school but secure). Below you have a list of files created in the process of setting up the PKI.

1.5.5 Advantages when using this security model

• The server only has to store its own certificate/key.

• The server only accepts signed certificates, and this check is done with the CA's public key (which means that the CA's private key could even reside on a machine not connected to the network).

• Keys that have been compromised can easily be added to the CRL (certificate revocation list).

• Servers can enforce access-rights through embedded informationlike Common Names.
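The chain of trust described in 1.5.1 to 1.5.5 can be reproduced without easy-rsa, which also makes visible what the two peer checks actually reject. The following is an added example, not code from the thesis or from the OpenVPN project: it drives the openssl command line directly, the Common Names snowball, client1 and client2 come from the text above, and the second CA and the “rogue” client are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the thesis): a hand-rolled miniature of what easy-rsa's
# build-ca / build-key-server / build-key do, plus the two checks an OpenVPN peer
# performs on the other side's certificate.
set -eu

# issue_cert DIR CN CABASE: key + CSR for CN, signed by CABASE.crt / CABASE.key
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$1/$2.csr" -CA "$3.crt" -CAkey "$3.key" \
        -CAcreateserial -out "$1/$2.crt" 2>/dev/null
}

# build_pki DIR: create the CA and sign one server and two client certificates
# (Common Names as in the thesis). A second, unrelated CA and a "rogue" client
# signed by it are created only to show what verify_peer rejects.
build_pki() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=snowball-ca" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    for cn in snowball client1 client2; do
        issue_cert "$1" "$cn" "$1/ca"
    done
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=other-ca" \
        -keyout "$1/other-ca.key" -out "$1/other-ca.crt" 2>/dev/null
    issue_cert "$1" rogue "$1/other-ca"
}

# verify_peer CA CERT EXPECTED_CN: the two-step check from 1.5.1.
#   (1) was CERT signed by our CA?  (only the CA certificate is needed for this,
#       which is why the CA's private key can stay offline)
#   (2) does its Common Name match the peer we expect?
# Returns 0 only if both hold.
verify_peer() {
    if ! openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "REJECT $2: not signed by $(basename "$1")" >&2
        return 1
    fi
    got=$(openssl x509 -in "$2" -noout -subject | sed -n 's/.*CN *= *//p')
    if [ "$got" != "$3" ]; then
        echo "REJECT $2: CN '$got' does not match expected '$3'" >&2
        return 1
    fi
    echo "ACCEPT $2 (CN=$got)"
}

# Stand-alone run: "sh thisfile.sh demo" builds the PKI in a scratch directory.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    build_pki "$d"
    verify_peer "$d/ca.crt" "$d/snowball.crt" snowball        # accepted
    verify_peer "$d/ca.crt" "$d/rogue.crt" rogue || true      # wrong CA
    verify_peer "$d/ca.crt" "$d/client2.crt" client1 || true  # wrong CN
    rm -rf "$d"
fi
```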


1.5.6 Configuring OpenVPN

The easiest way to configure OpenVPN is to start from the sample config files provided in the package. So begin with

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/

for the server configuration and

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/

for the client.

1.5.6.1 server.conf (snowball.sylvia.test)

(Comments are shortened)

port 1194
proto udp
## routed VPN
dev tun
## setting the path to Root CA certificate, Server certificate, Server key
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
## setting the path to the Diffie-Hellman parameters
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
## supply a VPN subnet address
server 10.8.0.0 255.255.255.0
## Maintain a record of clients
ifconfig-pool-persist ipp.txt
## Push routes to the client to reach the subnet behind the server
push "route 192.168.201.0 255.255.255.0"
## assign a given IP address to a specific host
client-config-dir ccd
## route for the server
route 192.168.200.0 255.255.255.0
## allowing the subnet behind the client to access the VPN
route 10.8.0.0 255.255.255.252
## sends ping-like packets every 10 seconds, assumes
## that the host is down after 120 seconds
keepalive 10 120
## Enable compression on the VPN link.
comp-lzo
## reduce the OpenVPN daemon's privileges after
## initialization.
user nobody
group nobody
# avoid accessing certain resources on restart
# that may no longer be accessible
persist-key
persist-tun
## Output a short status file
status openvpn-status.log
## set verbosity
verb 3

1.5.6.2 client.conf (bart.sylvia.test)

(Comments are shortened)

Note: When modifying client.conf, look out for what the server settings are.

## Specify that we are a client
client
dev tun
## 10.8.0.2 is the client, 10.8.0.1 the server
ifconfig 10.8.0.2 10.8.0.1
proto udp
## The hostname/IP and port of the server
## don't use the tunnel-endpoint address here!
## otherwise you get: udpv4 link local: [undef]
remote 192.168.150.7 1194
## Keep trying indefinitely to resolve host name
resolv-retry infinite
## Don't bind to specific local port
nobind
## Downgrade privileges after initialization (non-Win only)
user nobody
group nobody
## Try to preserve some state across restarts.
persist-key
persist-tun
## paths for Root CA certificate, client1 certificate,
## client1 key
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/client1.crt
key /etc/openvpn/easy-rsa/keys/client1.key
## Enable compression on the VPN link
comp-lzo
## Set log file verbosity.
verb 3

1.5.6.3 Additional settings and notes to the installation

In my case, the group “nobody” didn't exist, so I had to create a new one with

addgroup nobody

The next step is to allow the new traffic flows in your firewall with the following rules:

$IPTABLES -A INPUT -i tun+ -j ACCEPT
$IPTABLES -A OUTPUT -o tun+ -j ACCEPT
$IPTABLES -A FORWARD -i tun+ -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o tun+ -s $INTIP -j ACCEPT

The first rule accepts traffic coming from the tunnel interface and the second one accepts traffic going out of the tunnel interface. Rules three and four concern the forwarding of traffic coming from the tunnel or, in rule four, coming from the internal interface and going out of the tunnel interface with an IP from the local IP range. As I forgot rule four in the first place, it seemed to me the most important rule. The error that occurred was that traffic from a host located on the LAN behind the tunnel was dropped.

Looking at “ifconfig” on both hosts showed me that the server got a new device called tun0 with IP 10.8.0.1, whereas the client had 10.8.0.6. At that time my ping only worked in one direction, so the fact that the client didn't use 10.8.0.2 wasn't of great importance to me. Checking the netstat routing entries helped me to get further. The client needs an entry (if not generated automatically) for destination 10.8.0.1 via device tun0. On the server side of the connection the routes have to be checked as well. Make sure there is an opposite route heading to 10.8.0.2 (or whatever your client address is at that time) via device tun0. Then pinging each side has to be possible.

As you might have noticed in the last paragraph, the client address changed from 10.8.0.6 to 10.8.0.2. This has to be configured separately in a file named after the Common Name of the client. So you need a new directory in /etc/openvpn on the server side of the connection with the file

/etc/openvpn/ccd/client1

(both file and folder have user and group set to root)

with following lines in it:

iroute 192.168.200.0 255.255.255.0
ifconfig-push 10.8.0.2 10.8.0.1

The second line pushes the reserved client address. Then, after restarting, ping works in both directions, and even from the LANs behind the tunnel endpoints.


For opening the OpenVPN connection at startup I wrote a small startup script called startup, residing in /etc/openvpn/ and containing

openvpn /etc/openvpn/server.conf --daemon

Don’t forget to

chmod 755 /etc/openvpn/startup
ln -s /etc/openvpn/startup /etc/rc2.d/S23openvpn

The command “openvpn /etc/openvpn/server.conf --daemon” starts the openvpn daemon with the configuration file at “/etc/openvpn/server.conf”. The option “--daemon” makes openvpn log to /var/log/messages instead of the console.

1.6 Other services provided by marge.sylvia.test

Above I described one of marge's services, CUPS, but marge has more to offer than only a print server. Marge is what I would call “the heart” of my network, providing dynamic host addressing, domain name service, mail server, web server, web proxy and some other services. Below I will describe each one briefly.

1.6.1 web server apache

Apache, the most popular HTTP server nowadays, available for almost all platforms, was developed around 1995 and derived from the NCSA HTTPd server that was pretty popular back then. Because the first approach to building Apache was patching NCSA HTTPd, it is said that the name “apache” is derived from “a patchy” server.

With apache2 v2.0.54 installed (via apt-get install) one can start configuring the whole thing. In former times you had to modify /etc/apache2/httpd.conf, which by now is nothing more than a container kept for backward compatibility reasons. Apache2 now uses /etc/apache2/apache2.conf. For a simple configuration of Apache you usually don't even have to change anything. Just browse to http://marge.sylvia.test and you should see the welcome screen at http://marge.sylvia.test/apache2-default, proving your installation has been successful. To publish files on your server you simply have to add them to your document root. If you are not perfectly sure which directory this is, simply look into

/etc/apache2/sites-enabled/000-default

In the appendix you will find the apache2.conf file. If you need additional support, go and see the website of the Apache Software Foundation [10] or another nice tutorial (for Apache 1.x) at KPLUG [16].

1.6.2 dynamic host addressing dhcpd [17]

For distributing dynamic addresses in the network, dhcpd is used. dhcpd implements the Dynamic Host Configuration Protocol and provides and distributes the information a host needs to join a network. After defining an address range for the server to use, hosts that are configured to request an IP address after startup are supplied one. You can also set up the server so that only predefined MAC addresses are allowed to get an IP address. This can be wanted if you are monitoring the traffic log files permanently and don't want to figure out which computer had which address at a given time, or if you want to prevent people from plugging PCs not allowed in your network into it.

When a host is added to a network, the client sends a broadcast to find available servers for configuration with DHCP, the so-called DHCPDISCOVER. When a server notices a host asking for a DHCP address and the host is allowed on this network, the server sends back a broadcast DHCPOFFER with an IP address the client should use. The client then accepts the offer with a broadcast DHCPREQUEST, telling the server that it wants to take the given address (this double check is needed in case two clients needing IP addresses simultaneously accept the same DHCPOFFER). The last step in handing out the IP address is a broadcast DHCPACK by the server. Only now can the client configure its interface with the given parameters. The address given is valid until either the client sends a DHCPRELEASE or the lease time, the server-side predefined time the address is valid, expires. See the appendix for the configuration file. As you will see, the IP addresses for the hosts are not defined in dhcpd.conf, but require DNS in between in order to resolve the hostnames. A sample entry:

host nelson.sylvia.test {
    hardware ethernet 00:60:97:11:D5:F0;
    fixed-address nelson.sylvia.test;
}

1.6.3 DNS server BIND [7][19][20]

The de facto standard in Domain Name Service is BIND, the Berkeley Internet Name Domain. It stores centralized domain name/IP address pairs so that they are accessible to all clients on the network. BIND is, e.g., responsible for providing you with the IP address when you enter a hostname in your web browser. The entry BIND looks up is called an A record; there are several other record types, e.g. CNAME, indicating an alias for a given A record.

Several files are needed in order for BIND to work. Best practice is to start with the /etc/bind/named.conf.* files, where you define the zones in your network. named.conf itself has entries for the zone “localhost”. If you're adding zones rather than modifying them, you should do this in the named.conf.local file. A sample zone entry looks like this and defines which file holds the host information for the specified zone.

zone "sylvia.test" IN {
    type master;
    file "/etc/bind/db.sylvia.test";
};

In order to support reverse lookup (that is, translation from IP address to name) you need separate zone entries. The name of the reverse zone for the network 192.168.200.0 is by default “200.168.192.in-addr.arpa”, where in-addr.arpa is a pseudo-domain that holds the octets in least-to-most significant order. Here's a sample reverse zone entry from the /etc/named.conf.local:

zone "200.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.200.168.192";
};

Now you are done with the named.conf.* files and you have to move on to the files specified above. As you can see, I put them in /etc/bind/. The most important file of course is /etc/bind/db.sylvia.test, holding all host/IP pairs for my domain. Sample entries for marge.sylvia.test, defining the IP address and giving her two aliases called “proxy” and “www”, are:

marge   A       192.168.200.5
proxy   CNAME   marge
www     CNAME   marge

The corresponding reverse lookup entry, located in /etc/bind/db.200.168.192, looks like this (don’t forget the “.” at the end of the entry; without it BIND treats the name as relative and appends the zone origin to it):

5 IN PTR marge.sylvia.test.

Before you start testing your configuration, don’t forget to point to your own DNS server in /etc/resolv.conf. Testing name resolution is possible with the command “nslookup <hostname>” (or “dig <fqdn>”, respectively):

root@0[knoppix]# nslookup www
Server:         192.168.200.5
Address:        192.168.200.5#53

www.sylvia.test canonical name = marge.sylvia.test.
Name:   marge.sylvia.test
Address: 192.168.200.5

For testing reverse lookups you can use “dig -x <IP-address>”:

root@0[knoppix]# dig -x 192.168.200.5

; <<>> DiG 9.2.4 <<>> -x 192.168.200.5
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53688
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;5.200.168.192.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
5.200.168.192.in-addr.arpa. 604800 IN   PTR     marge.sylvia.test.

;; AUTHORITY SECTION:
200.168.192.in-addr.arpa. 604800 IN     NS      ns1.sylvia.test.

;; ADDITIONAL SECTION:
ns1.sylvia.test.        604800  IN      A       192.168.200.5
ns1.sylvia.test.        604800  IN      AAAA    2001:16d8:ff47:1203:2::5

;; Query time: 7 msec
;; SERVER: 192.168.200.5#53(192.168.200.5)
;; WHEN: Sun Dec 4 09:13:10 2005
;; MSG SIZE  rcvd: 137
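A check worth running before trusting forward and reverse zones like the ones above is that they agree with each other: every A record has a PTR pointing back at one of the names holding that address, no PTR points at an address nobody has any more, every CNAME targets a name that exists, and no PTR target has lost its trailing dot. The following Python script is an added example and not part of the thesis. The zone data inside it is constructed in the style of db.sylvia.test and db.200.168.192 with four deliberate faults, and its parser only understands the simple single-line record syntax used here.

```python
"""Consistency check between a BIND forward zone and its in-addr.arpa reverse
zone. Added example (not from the thesis): the zone data below is constructed,
modelled on the sylvia.test entries, and seeded with four deliberate faults."""
import ipaddress
from collections import defaultdict

FORWARD_ORIGIN = "sylvia.test."
REVERSE_ORIGIN = "200.168.192.in-addr.arpa."

# Constructed forward zone in db.sylvia.test style.
FORWARD_ZONE = """\
$TTL 604800
@       IN SOA   ns1.sylvia.test. root.sylvia.test. ( 1 604800 86400 2419200 604800 )
@       IN NS    ns1.sylvia.test.
ns1     IN A     192.168.200.5
marge   IN A     192.168.200.5
proxy   IN CNAME marge
www     IN CNAME marge
bart    IN A     192.168.200.1
maggie  IN A     192.168.200.8
homer   IN A     192.168.200.12
ftp     IN CNAME files      ; fault: no record named 'files' exists
"""

# Constructed reverse zone in db.200.168.192 style (maggie's PTR is missing).
REVERSE_ZONE = """\
$TTL 604800
@       IN SOA   ns1.sylvia.test. root.sylvia.test. ( 1 604800 86400 2419200 604800 )
@       IN NS    ns1.sylvia.test.
5       IN PTR   marge.sylvia.test.
1       IN PTR   bart.sylvia.test.
12      IN PTR   homer.sylvia.test   ; fault: trailing dot forgotten
9       IN PTR   ghost.sylvia.test.  ; fault: no host has this address any more
"""


def _qualify(name, origin):
    """Expand '@' and relative names exactly as BIND does: append the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (owner, type, rdata) triples from a simple zone file.
    Strips ';' comments, skips $-directives, tolerates optional TTL/class."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        tokens = line.split()
        owner = _qualify(tokens.pop(0), origin)
        if tokens and tokens[0].isdigit():        # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":  # optional class
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        records.append((owner, rtype, " ".join(tokens)))
    return records


def ip_from_reverse_owner(owner):
    """'5.200.168.192.in-addr.arpa.' -> '192.168.200.5' (IPv4 only)."""
    suffix = ".in-addr.arpa."
    if not owner.endswith(suffix):
        raise ValueError(f"not an in-addr.arpa owner: {owner}")
    octets = owner[: -len(suffix)].split(".")
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


def check_zones(forward_text, reverse_text, forward_origin, reverse_origin):
    """Return a sorted list of human-readable problems (empty = consistent)."""
    problems = []
    forward = parse_zone(forward_text, forward_origin)
    names = {owner for owner, _, _ in forward}
    a_by_ip = defaultdict(set)                    # ip -> names with that A record
    for owner, rtype, rdata in forward:
        if rtype == "A":
            a_by_ip[rdata].add(owner)
        elif rtype == "CNAME":
            target = _qualify(rdata, forward_origin)
            if target not in names:
                problems.append(f"dangling CNAME {owner} -> {target}")

    ptr_by_ip, dotless = {}, set()
    for owner, rtype, rdata in parse_zone(reverse_text, reverse_origin):
        if rtype != "PTR":
            continue
        ip = ip_from_reverse_owner(owner)
        target = _qualify(rdata, reverse_origin)
        if not rdata.endswith("."):
            # The mistake the text warns about: BIND appends the reverse origin.
            problems.append(f"PTR {ip} target '{rdata}' lacks trailing dot "
                            f"(BIND reads it as {target})")
            dotless.add(ip)
        ptr_by_ip[ip] = target

    for ip, owners in a_by_ip.items():
        if ip not in ptr_by_ip:
            problems.append(f"missing PTR for {ip} ({', '.join(sorted(owners))})")
        elif ip not in dotless and ptr_by_ip[ip] not in owners:
            problems.append(f"PTR {ip} -> {ptr_by_ip[ip]} matches no A record")
    for ip, target in ptr_by_ip.items():
        if ip not in a_by_ip:
            problems.append(f"stale PTR {ip} -> {target}")
    return sorted(problems)


def check_lab_zones():
    """Run the check on the constructed sample zones above."""
    return check_zones(FORWARD_ZONE, REVERSE_ZONE, FORWARD_ORIGIN, REVERSE_ORIGIN)


if __name__ == "__main__":
    for problem in check_lab_zones():
        print(problem)
```

Run stand-alone it prints the four planted problems. On real zone files you would pass their contents to check_zones() after named-checkzone has accepted their syntax, since this script checks consistency between the two zones, not zone file syntax; an address such as 192.168.200.5 that legitimately carries two A records (ns1 and marge) passes as long as the PTR names one of them, which is exactly what the dig output above shows.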

1.6.4 Mail transfer agent exim4 [21] [22] [23]

A mail transfer agent (MTA) is a service that receives mail and stores it in the recipient’s mailbox. It receives its mail either from another mail transfer agent, from a mail submission agent (MSA) that in turn receives mail from a mail user agent, or directly from a mail user agent (MUA). A mail submission agent is nothing more than an intermediary between a mail user agent, or simply a mail client, and a mail transfer agent. Often an MUA acts as an MSA as well.

Installing exim4 with “apt-get install exim4” will have “debconf” appear with several configuration questions, discussed below.

First it asks you whether you want to have the configuration put into one file or into several files. I chose to use one file. Because I want outgoing mail to be delivered to the Berufsförderungsinstitut Burgenland’s own mail server, I chose “mail sent by smarthost; received via SMTP or fetchmail” in the next step. Then you are prompted for the system mail name, which should be the fully qualified domain name “marge.sylvia.test”. If you don’t have DNS in your network, add the domain name to the /etc/hosts file. If you want hosts other than localhost to connect to exim4, you should alter the IP address the server listens on (which is by default 127.0.0.1) to “192.168.200.5” here. After that, you need to decide for which other destinations your host is the final destination. If you have a DNS domain across your network, enter the domain name and its associated top level domain here (“sylvia.test:marge”). Now you define the networks exim4 accepts incoming mail from. In my topology “192.168.0.0/16” fits my needs best. Because we chose to use a smarthost before, we are prompted for its domain name here (“mail.bfi-burgenland.at”). The last two questions are whether you would like to have the header rewritten for mail leaving your network, which I answered with “no”, and whether you would like to minimize DNS queries, where I put in a “yes”.

Now you have new settings in /etc/exim4/update-exim4.conf. If you want to change the settings made during the debconf dialogue afterwards, you can either edit the files /etc/exim4/update-exim4.conf and /etc/mailname (which only holds the mail server’s fully qualified domain name) or run

dpkg-reconfigure exim4-config

In the directory /usr/share/doc/exim-base/examples you will find commented example files for what is needed when installing exim4. Next you modify the alias file, usually located in /etc/alias and holding a table of all mail users in the system. It is vital to give the email address of the postmaster here, so that he can receive the system’s mail problems. The mailer-daemon is mapped to the postmaster so that messages from people replying to bounce messages are sent to the postmaster (a bounce message is an automated email from the receiver’s mail system telling the sender that the message could not be delivered for one of several reasons; it is also called a Delivery Status Notification (DSN) message). The last thing you should not forget, besides adding the users, is to map messages destined for “root” to the postmaster.

1.6.5 POP3 server qpopper [9]

Qpopper is a widely used server for the POP3 (Post Office Protocol) protocol, which allows users to fetch their mail from the mailboxes stored by your mail transfer agent, which is exim4 in our network. After downloading the *.tar.gz file containing qpopper from the homepage referenced in the heading, you can quick-start after uncompressing with “./configure”, which creates a makefile, followed by “make” and “make install”. This should compile qpopper and install the server as well as the man pages that came with the package. “make clean” deletes all executables and the compiled code.

For configuring qpopper you have to decide which way to run it. You can either have a standalone server or it can be run by inetd. In the first case you need to add a startup script to the /etc/rcx.d directory matching your runlevel (where x stands for your runlevel; if you want to know which runlevel you are using, simply type “runlevel” at your Unix prompt). In the second case the file /etc/inetd.conf needs to be configured. Inetd is a daemon on many Unix-flavored systems managing Internet services such as FTP, telnet and of course POP3. It is more efficient than using standalone services because inetd launches the appropriate service only when a matching packet is received; the port number is the criterion for launching the service. This way of starting services is preferable for services not used all the time (for heavily used services a dedicated server surely has more advantages). To configure a service with inetd you have to check the /etc/services file, to see if the port is mapped to the service, and the /etc/inetd.conf file. Below is the example entry for qpopper, assuming your executable resides in /usr/local/lib:

pop3 stream tcp nowait root /usr/local/lib/popper qpopper -s

It is recommended to set nowait.<timeout>, e.g. nowait.400, for large networks with lots of hosts querying the server, in order to prevent inetd from killing qpopper on the assumption that it is looping. The file /etc/services only needs the line

pop3 110/tcp #Post office

I chose to run qpopper as a dedicated server. The configuration that has to take place in order to have a functioning POP3 system is small. It is important that you have a symbolic link from directory /var/spool/mail to /var/mail, where the actual mails reside. There you have a file for each user in the mailing system. Other configuration issues can be found in /etc/qpopper.conf. The options set within this file can also be set by appending the needed option to the “./configure” command. For a non-complex mailing system you won’t have to set any options here (qpopper.conf in fact is a blank file in my configuration). For a detailed description of the options available, read the comments in /etc/qpopper.conf or look for /usr/share/doc/qpopper/GUIDE.pdf.gz.

1.6.6 web traffic monitoring with webalizer [11][26] [27]

Webalizer is a commonly used tool to generate web pages analyzing different criteria like hits, visits and referrers from the access and usage logs of your web server. It is also possible to use it with the proxy “squid”, which is what I used to have control over the web traffic. You can install webalizer from source or from a binary distribution, or, as I did, with “apt-get install webalizer”. Webalizer usually searches for the configuration file in the current directory and in /etc/, and will then process any other files or options defined when starting. When you use the default configuration file /etc/webalizer.conf you can invoke the program with “webalizer”, otherwise you have to specify the file used with “webalizer -c myconfigurationfile.conf”. To get a list of all command line options simply type “webalizer -h”. After you typed the “webalizer” command, forcing webalizer to analyse the log file specified in the given configuration file, a new file “index.html” is created in the directory set for the HTML output. In my configuration I used /etc/webalizer.conf for configuring the HTML output directory /var/www/webalizer and the log file /var/log/squid/access.log. The webalizer graphs are therefore reachable at www.sylvia.test/webalizer. Don’t forget to have the crontab repeatedly force webalizer to analyse the logs. Look for the configuration files in the appendix.

1.6.7 web caching and proxying with squid [28] [29]

Squid is a widely used web caching and proxying server that can provide access restriction by various criteria. Its advantage lies in speeding up the response time of a network service by caching requests for repeated use. Every time you request a site, squid first of all checks if it is already loaded in the cache. If it is not, the site is fetched from the internet and stored in the cache. Otherwise the cached site’s age is checked to see whether it has expired in between (every site is stored for a predefined amount of time), and the content from the cache is sent to the requesting client in case the site is still valid. Caching works for several protocols but is primarily used for HTTP and FTP. ISPs (Internet Service Providers) or LANs sharing a network connection tend to use caching. Users browsing the internet in such an infrastructure use the squid cache as an HTTP proxy, decreasing bandwidth consumption, and have some additional security and anonymity features because the proxy requests the sites on behalf of the “real” client. A huge advantage for each web administrator is the possibility to content-filter the web sites requested.

You can download squid from the website cited or install it directly with “apt-get install squid”. You will find the configuration file in /etc/squid/squid.conf. For a simple startup you only have to define a few options. One is “cache_dir”, defining the directory devoted to caching data. “http_port” is the port squid listens on (default 3128). “http_access” defines who is allowed to use squid and defaults to denying all hosts until they are explicitly allowed in ACLs (access control lists), which you have to set to fit your requirements. The two last options needed are “cache_effective_user” and “cache_effective_group”, which define the user and group having permission to read and write in the cache directory and in the log files. By default squid is configured in proxy mode and is now ready for use. After setting the properties of the clients’ web browsers to use the proxy at server “proxy.sylvia.test” and port “3128”, all web traffic is routed through squid. You find these properties for Firefox in the “Tools” menu. In the options window, click “General” and on the lower right side of the window “Connection settings”. There you can define the server and the port of the proxy and which protocols it serves (in some Linux versions of Firefox you will find the “Options” dialog in the “Edit” menu). For Microsoft’s Internet Explorer you have to make the same changes under the “Tools” menu entry “Internet Options”. Click on the tab labelled “Connections” and then on the button at the bottom named “LAN settings”. Check out my configuration file in the appendix and at your installation, for it contains lots of information.

Note: In my network I chose to allow direct network access only to the servers of my network (take a look at iptables). No client can therefore fetch anything from the internet without squid intercepting it, and squid may block sites not allowed by the content check, by the ACL or by download restrictions (size, file type, ...).

1.6.8 arpwatch [30]

Arpwatch is a tool developed by Lawrence Berkeley National Laboratory that monitors IP/MAC address pairings. “arpwatch -d” forks the service into the background and sends reports via email. “arpwatch -f <filename>” defines the database filename, which is by default “/var/lib/arpwatch/arp.dat”. Before you start arpwatch for the first time an empty arp.dat file has to be created. This program is intended to bring some extra security into your network by noticing new PCs in your network or spoofed MAC addresses. Look for documentation in the related man pages.

If you are setting global arpwatch options, use /etc/default/arpwatch; interface-specific ones are stored in /etc/arpwatch.conf. Look for the configuration files in the appendix.
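To show what arpwatch’s database and its reports amount to, here is a simplified IP/MAC pairing monitor in Python. It is an added example, not arpwatch’s own code: the arp.dat-style seed lines and the ARP observations are constructed (nelson’s MAC is the one from the dhcpd reservation above, while its address 192.168.200.20 is an assumption made for this example), and a real deployment would feed the monitor from a packet capture instead of a list.

```python
"""Simplified arpwatch-style IP/MAC pairing monitor. Added example, not
arpwatch's own code: it keeps a database in the shape arpwatch writes to
arp.dat (mac, ip, unix time, optional hostname, tab-separated) and reports the
events an administrator looks for in arpwatch mail: a new station, a changed
ethernet address (a replaced NIC, or someone answering ARP for an address that
is not theirs) and a flip flop (a pair reverting to one seen earlier)."""
from collections import defaultdict

# Constructed seed database in arp.dat style (marge and bart already known).
SEED_ARP_DAT = (
    "00:60:97:aa:bb:01\t192.168.200.5\t1133686390\tmarge.sylvia.test\n"
    "00:60:97:aa:bb:02\t192.168.200.1\t1133686400\tbart.sylvia.test\n"
)

# Constructed ARP observations as (unix time, sender IP, sender MAC).
# 192.168.200.20 for nelson is an assumption, not an address from the thesis.
OBSERVATIONS = [
    (1133700000, "192.168.200.1", "00:60:97:AA:BB:02"),   # bart, unchanged
    (1133700010, "192.168.200.20", "00:60:97:11:D5:F0"),  # nelson, never seen
    (1133700020, "192.168.200.5", "00:0c:29:de:ad:01"),   # marge's IP, foreign MAC
    (1133700030, "192.168.200.5", "00:60:97:aa:bb:01"),   # marge's real MAC again
]


class ArpMonitor:
    def __init__(self):
        self.current = {}             # ip -> MAC currently paired with it
        self.seen = defaultdict(set)  # ip -> every MAC ever paired with it
        self.last_seen = {}           # ip -> time of the last observation

    def load_arp_dat(self, text):
        """Seed the monitor from arp.dat-style lines (hostname column optional)."""
        for line in text.splitlines():
            if not line.strip():
                continue
            mac, ip, ts = line.split("\t")[:3]
            self.current[ip] = mac.lower()
            self.seen[ip].add(mac.lower())
            self.last_seen[ip] = int(ts)

    def observe(self, ts, ip, mac):
        """Record one ARP sighting; return an event name, or None if nothing changed."""
        mac = mac.lower()             # MACs compare case-insensitively
        if ip not in self.current:
            event = "new station"
        elif self.current[ip] != mac:
            event = "flip flop" if mac in self.seen[ip] else "changed ethernet address"
        else:
            event = None
        self.current[ip] = mac
        self.seen[ip].add(mac)
        self.last_seen[ip] = ts
        return event

    def dump_arp_dat(self):
        """Serialize the current pairings back into arp.dat format."""
        return "".join(f"{mac}\t{ip}\t{self.last_seen[ip]}\n"
                       for ip, mac in sorted(self.current.items()))


def run_monitor(seed=SEED_ARP_DAT, observations=OBSERVATIONS):
    """Replay the observations; return the (ip, mac, event) alerts and the monitor."""
    monitor = ArpMonitor()
    monitor.load_arp_dat(seed)
    alerts = []
    for ts, ip, mac in observations:
        event = monitor.observe(ts, ip, mac)
        if event is not None:
            alerts.append((ip, mac.lower(), event))
    return alerts, monitor


if __name__ == "__main__":
    alerts, monitor = run_monitor()
    for ip, mac, event in alerts:
        print(f"{event:24} {ip:16} {mac}")
    print(monitor.dump_arp_dat(), end="")
```

The event to watch for is “changed ethernet address” on an IP that already has a pairing: that is what a replaced network card, or another machine answering ARP for marge’s address, looks like in an arpwatch report, and the following “flip flop” is the original owner answering again. The unchanged sighting of bart produces no alert at all, which is why an empty arp.dat on first start makes arpwatch report every host in the network once as a new station.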

1.7 Other services provided by bart

Bart is not only the gateway router and tunnel endpoint for OpenVPN but also host to ntpd and ntop.

1.7.1 network time protocol daemon ntpd [3]

Ntpd is a daemon synchronizing the system time with time servers from the internet. It acts as a time server for your local network and is able to broadcast time as well. You define which internet servers to use in the file /etc/ntp.conf, and you have a separate log file at /var/log/ntpd where you can see the time being synchronized. Within /etc/ntp.conf, “logfile”, “driftfile” (frequency file) and “statsdir” (directory for statistics) are defined. An option that might be interesting to set is “panic <time in seconds>”, which defaults to 1000. This sets the maximum sanity limit for a time synchronization, i.e. if your time correction is more than 1000 seconds ntpd doesn’t set the time itself but prompts you to set the system time manually. You can trick ntpd into doing it with either “ntpd -g -q” for doing it once, or by setting “panic 0” for always correcting the time regardless of how big the correction is. See the appendix for more information about the configuration.

1.7.2 ntop

Ntop is a network traffic probe giving a detailed view of what your machines are doing. It has several subdivided parts where you can see graphs and details about categories like summed-up IP traffic, whether traffic was destined unicast/multicast/broadcast, throughput, and so on.

During the installation of the *.deb package with “dpkg -i”, debconf asks you for details of the installation. In the first step you define which interfaces to monitor and in the second step which user runs the service (in my case: “ntop”). You can re-launch the configuration with the command “dpkg-reconfigure ntop”.

Before starting ntop for the first time you have to set the administrator’s password with the command “ntop -A”, prompting you for the password to use (this will also cause the service to start automatically upon each reboot). You can start ntop, if needed, manually with “/etc/init.d/ntop start”, which points to an init file “/etc/default/ntop” where in turn “/var/lib/ntop/init.cfg” is included. Inside “/var/lib/ntop/init.cfg” two variables are set: “user” and “interfaces”. These values are set by the “dpkg-reconfigure ntop” I mentioned above. If you want to add additional parameters like “-M” to separate the counters for multiple interfaces, you have to modify “/etc/init.d/ntop” yourself. To access ntop’s HTML output simply browse to port 3000 of the server with the ntop installation (http://bart.sylvia.test:3000).

1.8 Services provided by homer

Homer is a Windows 2000 server providing file sharing and Active Directory.

1.8.1 File sharing

To make a directory accessible to others on the network you need to share the folder. You can do this with a right-click on the folder in question in the “Windows Explorer”. The context menu opened contains an entry “Sharing...” which opens a dialog where you can define the name of the network share. Besides defining the name you have to define who is allowed to browse your files and what rights he/she has on them. For this you have the button “Permissions” where you can choose the users allowed to access your shared directory. Although I don’t have a good explanation for it, I won’t recommend using the user “Everyone” here if you want to grant permissions to everyone. I didn’t experience great success with that, but with adding the users separately. The network shares I made were “\\192.168.200.12\daten” and “\\192.168.200.12\download”, holding the data produced while building my lab and the programs downloaded. For accessing the shares on Windows-based systems I used the command “Map Network Drives” in the Tools menu of Windows Explorer or “net use * \\192.168.200.12\daten” on the command line. For Linux-based systems I first had to install the package “smbfs” with “apt-get install” and could then mount the network drives. After creating mount points with “mkdir /mnt/daten” and “mkdir /mnt/download” I could mount the shares with the command

mount -t smbfs -o username=elsylo //192.168.200.12/daten /mnt/daten
mount -t cifs -o username=elsylo //192.168.200.12/daten /mnt/daten   (respectively)

prompting you for the password on the next line. CIFS (Common Internet File System) is nothing more than a renamed new version of SMB (Server Message Block) enriched with some additional features.

1.8.2 Active directory [32] [33]

Active Directory is an implementation of LDAP (Lightweight Directory Access Protocol) directory services for use in a Windows environment. It allows you to set enterprise- or group-wide policies or to deploy programs or updates to several computers more easily. It is a centralized database storing information about the people, services and resources used in the network. Therefore each object stored in Active Directory is either a person, a computer or a service. Active Directory is responsible for objects and their attributes, their organization and their access rights and security options. An object represents a single entity and can be a container for other objects as well. Sample objects are e.g. a single person or a PC, and they are uniquely identified by their names. Each object belongs to at least one class, which defines a set of attributes for each object. The attributes of a class are described in a schema file. The schema itself is made up of two types of objects: schema class objects and schema attribute objects. At the top of the structure, holding all the objects as a framework, is the Forest, containing one or more Trees.

You start configuring your Windows 2000 Active Directory server at the “Windows 2000 Configure Your Server” screen asking you what kind of service you would like to configure (if you chose to close this window earlier you can open it again from the Start menu, Programs, Administrative Tools, Configure Your Server). First, the server is configured with the option “One or more servers are already running in my network” (the option “This is the only server in the network” installs not only Active Directory but DHCP and DNS as well). Now you have to choose which service to install from the menu at the left side in the Installation Wizard. For installing Active Directory you need at least one partition formatted with NTFS, otherwise you have to cancel setup and proceed after creating such a partition. The next step is starting the Active Directory wizard, which opens a new dialog. Since this was the only domain controller in my local network I chose to use “Domain controller for a new domain” here and “Create a new domain tree” in the next step (you could otherwise create a new child domain in an existing domain tree here). Like in nature, trees usually grow in a forest, and as in nature we have to define the forest to which to add our new tree (I chose a new forest). In the next step you have to define the domain name used for the domain, which is “sylvia.test” (for Windows a domain name consists of two parts separated by a “.”; if you choose not to have two parts, Windows will add “.DOM” to your domain name). You could also choose to have a domain name called “sylvia.com” because it is not used on the internet. If you have PCs with an operating system older than Windows 2000 installed in your network you have to use “NetBIOS” and provide an extra “NetBIOS Domain name” (I recommend accepting the default). The next step is to define the Active Directory database and log location, which requires 200 MB of free disk space. Next, the directory for the “SYSVOL” folder is defined and has to reside on a partition formatted with NTFS. The SYSVOL folder will later be visible as part of the “Network Neighborhood” or “My Network Places” and will contain user-specific public files (and has to be on NTFS because of enabled access rights enforcement). Accept the Pre-Windows 2000 compatible permissions and enter a Restore Mode administrator’s password. In the last step review the settings made and click “Next” if you want Active Directory to configure what is needed. After restarting you can start adding the objects needed.

Note: Never click “Cancel” while Active Directory goes through the various steps of installing; it will wreck your computer! If something crosses your mind that you might have configured wrongly, let Active Directory finish its work and start “dcpromo” (i.e. the command starting the Active Directory wizard from “cmd”) again afterwards.

When your installation was successful, all Active Directory management tools have been added to the menu “Administrative Tools”. Run “Active Directory Users and Computers” to see your domain in the tree on the left side of the window, containing different container objects called “Builtin”, “Computers”, “Domain Controllers”, “ForeignSecurityPrincipals” and “Users”. Similar to the way you add new folders or empty files to a directory, you can add objects to the containers mentioned. Clicking on the “Users” directory opens the list of users in your system (even if you have not added one manually yet, you will see some default users like “Administrator”). Right-clicking on the right side of the window opens a context menu containing “New” with the items “Computer”, “Contact”, “Group”, “Printer”, “Person” and some more. When you add any of these objects you are asked to give details for it in a wizard-like window. In my domain I have only added one user account, “elsylo”, and the computers apu and nelson. This is something like a minimum configuration in order to allow the clients apu and nelson to log on to Active Directory. Both users created are server-side stored users. The advantage is that you don’t have to create users locally on a PC in the network. Wherever “elsylo” wants to log on with her profile, she has a computer with the settings she made, e.g. the desktop, and gains instant access to all services or net shares she is used to having. Besides this you have more centralized administrative power like deactivating an account, setting passwords and, of course, as mentioned above, setting qualities and rights for an account (e.g. certain persons may not be allowed to access FTP sites). The second tool served together with Active Directory is “Active Directory Sites and Services”. Within it you have a container called “Sites”, which in turn contains the container “Default-First-Site-Name”, which holds the “Server” object with the name of the Active Directory server just installed. Remember that we allowed the DNS server BIND to dynamically update records from the Active Directory server (SRV records). This becomes very important now, because otherwise the correct DNS entries would be missing for clients trying to log on to Active Directory during startup. For troubleshooting see the Microsoft Knowledge Base [35] or another nice article I found written by Daniel Petri [34].

The physical storage of all Active Directory objects for a single forest is provided by the Active Directory database file NTDS.dit, stored in the folder given at installation (default: C:\WINNT\NTDS\). Since there are no configuration files I can add to my appendix, I put in a screenshot of adding a new user to Active Directory.

Bibliography

[1] Asterisk Wiki: Asterisk introduction (2005). http://www.voip-info.org/wiki-Asterisk/view/Asterisk+introduction (2005-12-01)

[2] The Asterisk Documentation Project: Volume One: An Introduction to Asterisk (2004). http://www.asteriskdocs.org/modules/tinycontent/content/docbook/current_v1/docs-html/book1.html (2005-12-01)

[3] Sipura Technology: Welcome to Sipura Technology Technical Support (2005). http://www.sipura.com/support.index.html (2005-12-06)

[4] Sipura Technology: SPA-2000 Quickstart Guide (200). http://www.sipura.com/Documents/SPA2000QuickStart.doc (2005-12-06)

[5] Sipura Technology: ATA User Guide (2005). http://www.sipura.com/Documents/SipuraSPAUserGuidev2.0.9.pdf (2005-12-06)

[6] Hewlett Packard: Download Drivers and Software for LaserJet 1300 (2004). http://hpinkjet.sourceforge.net/install.php (2005-12-01)

[7] Colin Steward: How to make Windows use CUPS IPP (2005). http://www.owlfish.com/thoughts/winipp-cups-2003-07-20.html (2005-12-01)

[8] Kurt Pfeifle: CUPS Troubleshooting and Asking for help HOWTO (2002). http://www.cups.org/cups-help.html (2005-12-01)

[9] Linux Documentation Project, David A. Ranch: Linux IP Masquerade HOWTO (2005). http://www.linux.org/docs/ldp/howto/IP-Masquerade-HOWTO/stronger-firewall-examples.html#RC.FIREWALL-IPTABLES-STRONGER (2005-12-01)

[10] MySQL: MySQL 3.23, 4.0, 4.1 Reference Manual (2005). http://dev.mysql.com/doc/refman/4.1/en/index.html (2005-12-01)

[11] digium, Inc.: Wildcard TDM400P, TDM31B (2005). http://www.digium.com/index.php?menu=product_detail&category=hardware&product=TDM400P (2005-12-02)

[12] OpenVPN Solutions LLC: OpenVPN (2005). http://openvpn.net/ (2005-12-02)

[13] OpenVPN Solutions LLC: OpenVPN 2.0 HOWTO (2005). http://openvpn.net/hoto.html#quick/ (2005-12-02)

[14] RSA Security: What is Diffie-Hellman? (2004). http://www.rsasecurity.com/rsalabs/node.asp?id=2248 (2005-12-02)

[15] Apache Software Foundation: Apache HTTP Server Version 2.0 Documentation (2005). http://httpd.apache.org/docs/2.0/en (2005-12-03)

[16] KPLUG: KPLUG Apache Tutorial (2005). http://www.kplug.org/apache_tutorial (2005-12-03)

[17] Internet Systems Consortium: DHCP Distribution Version 3.0.3 README File (2005). http://www.isc.org/index.pl?/sw/dhcp (2005-12-03)

[18] BIND9.NET: DNS, BIND, DHCP, LDAP and Directory Services (2005). http://www.bind9.net (2005-12-03)

[19] BIND9: BIND 9 Administrator Reference Manual (9.3.1) (2005). http://www.bind9.net/manuals (2005-12-03)

[20] www.traum-projekt.com: TP: Bind 9 - DNS - Tutorial :) (2005). http://traum-projekt.com/forum/sitemap/t-33562.html (2005-12-03)

[21] exim: Exim 4.50 specification (2005). http://www.exim.org/exim.html-4.50/doc/html/spec.html (2005-12-04)

[22] Jason Boxman: Installing and Configuring Exim4 (2005). http://www.trekweb.com/~jasonb/articles/exim4_courier/exim4.html (2005-12-04)

[23] Koivisto Justin: Installing and Configuring Exim 4 on Debian (2005). http://koivi.com/exim4-config/ (2005-12-04)

[24] Eudora: Qpopper (2005). http://www.eudora.com/products/unsupported/qpopper (2005-12-05)

[25] Mrunix: The Webalizer - What is your web server doing today? (2005). http://www.mrunix.net/webalizer (2005-12-05)

[26] Mrunix: Installation Instructions for The Webalizer (2005). ftp://ftp.mrunix.net/pub/webalizer/INSTALL (2005-12-05)

[27] Mrunix: Simpletons Guide to Web Server Analysis (2005). http://www.mrunix.net/webalizer/simpleton.html (2005-12-05)

[28] www.squid-cache.org: Squid Web Proxy Cache (2005). http://www.squid-cache.org (2005-12-05)

[29] ViSolve Open Source Solutions: Welcome to ViSolve Squid Support (2005). http://squid.visolve.com/squid/index.html (2005-12-05)

[30] Lawrence Berkeley National Laboratory: LBNL’s Network Research Group (2005). http://www-nrg.ee.lbl.gov/ (2005-12-05)

[31] Mills: ntpd - Network time protocol (NTP) daemon (2005). http://www.eecis.udel.edu/~mills/ntp/html/ntpd.html (2005-12-05)

[32] Helmig Johannes: Windows 2000 Server: Configure Active Directory (2001). http://www.windowsnetworking.com/articles_tutorials/w2ksvrin.html (2005-12-05)

[33] Daniel Petri: How do I install Active Directory on my Windows 2000 server? (2005). http://www.petri.co.il/how_to_install_active_directory_on_w2k.htm (2005-12-06)

[34] Daniel Petri: What are the most common DNS related Dcpromo errors? How do I fix them? (2005). http://www.petri.co.il/troubleshooting_dcpromo_errors.htm (2005-12-06)

[35] Microsoft: Help and Support (2005). http://support.microsoft.com (2005-12-06)

Chapter 2

The initial lab-topology

With all the needs specified in the chapters above, the topology of the network evolved to what it is today. For the sake of simplicity, the lab does not consist of all the computers and services really used at the “Berufsförderungsinstitut Burgenland”.

The lab consists of two big parts, the main office and the branch office. The main focus lies, of course, on the main office, running the majority of the services and having to cope with the biggest load. My model of the main office consists of three servers, three clients and a gateway router. At the branch office only a router, offering several services as well, and a client are located.

2.1 The main office

The main office has an IP-address range of 192.168.200.0/24.

2.1.1 hostname: bart - 192.168.200.1

Hardware details

CPU: Pentium 2, 350 MHz

RAM: 128 MB

OS: Debian Sarge 2.6.8-1-686 [1]

HD-capacity: 4 GB

Services:

Bart acts as a gateway between a simulated “Internet”, an outside world for the network, and the main office. Its main task is to have NAT and routing enabled so that the hosts on the network can have secure internet traffic. Both are handled by a self-written script inspired by “The Linux Documentation Project” (http://www.linux.org/docs/ldp/index.html). In addition to this, a default route is also set at this point. Since these things don’t create much load, we also decided to put other small services on this host. An ntpd time server supplies the Linux hosts via ntpdate and the Windows hosts via Clox (http://www.mirage1.u-net.com/clox.htm) with the correct time. As the source for accurate time we chose pool.ntp.org. In addition to this, ntop was installed, which can be accessed at http://bart.sylvia.test:3000/. Last but not least, especially regarding the importance of the service, OpenVPN (http://openvpn.net/) has been added to connect the main and the branch office through a secure link.

Service details:

• iptables v1.3.1 [2] - packet filtering and NAT

• ntpd v4.2.0 [3] - synchronizing the clock through a network

• ntop v3.0 [4] - a tool that shows the network usage, similar to the “top” command

• openVPN v2.0 [5] - an SSL-based VPN solution

2.1.2 hostname: marge, alias: ns1, www, proxy - 192.168.200.5

Hardware details:

CPU: Pentium 3, 450 MHz

RAM: 128 MB

OS: Debian Sarge 2.6.8-1-686 [1]

HD-capacity: 8 GB

Services:

Marge can be seen as the “heart” of our network, combining the most important services. First of all, she provides DHCP-distributed IPv4 addresses for the clients in the network. The DHCP server we chose is dhcpd3 by the Internet Systems Consortium (http://www.isc.org/index.pl?/sw/dhcp/). The second big service located at marge comes from the Internet Systems Consortium (http://www.isc.org/index.pl?/sw/bind/) as well and provides domain name resolution. Besides these vital parts of a network, mail traffic is also handled by exim4 and qpopper on this host. In addition to these services we provide the Apache HTTP server on this host, which can be found online at http://www.apache.org. To get a notion of what happens on the web, Webalizer (www.mrunix.net/webalizer/) analyzes the log file of the web server. Arpwatch (http://www-nrg.ee.lbl.gov) is another tool configured on this machine that keeps a database of all MAC addresses used in this network. In addition to all these services marge also acts as a CUPS print server (www.cups.org) and has an HP LaserJet 1300 plugged in directly via USB. Squid adds the proxy capability here.

Service details:

• dhcpd v3.0.1 [6] - dynamic addressing of hosts

• bind9 [7] - an implementation of the Domain Name System, mapping domain names to IP addresses (and back)


• exim4 [8] - message transfer agent

• qpopper v4.0 [9] - POP3 server

• apache2 [10] - highly flexible HTTP server from the Apache Software Foundation

• webalizer v2.01-10 [11] - web server log file analysis tool producing charts and reports

• arpwatch v2.1a13 [12] - an Ethernet monitoring program for keeping track of Ethernet/IP address pairings

• cups v1.2.0b1 [13] - standard printing system on Unix providing communication via IPP (Internet Printing Protocol) and network browsing of jobs and printers

• squid v2.5 [14] - proxying and caching features for a variety of protocols

2.1.3 hostname: maggie - 192.168.200.8

Hardware details:

CPU: AMD Athlon 900 MHz

RAM: 512 MB

OS: Debian Sarge 2.4.27-2-k7 [1]

HD-capacity: 120 GB

Services:

Maggie is responsible for the information-critical services in our network. On one hand she is running the database of our company. We are again using open source; this time the software is MySQL from http://www.mysql.com. The other very critical service, and the reason we chose the most powerful computer here, is Voice over IP with the help of Asterisk, which you can get for free at http://www.asterisk.org. This was one of the requests the BFI Burgenland made in return for giving me the equipment I needed: they wanted me to use this replica of their network to test the setting up and the use of Asterisk without interfering with their every-day business.

Differing from the other PCs, I added a Digium TDM400 card [41] in order to plug in two analog GESKO Ikarus 1000 phones.

Service details:

• mySQL v4.1 [15] - the world's most popular open source database

• asterisk [16] - a complete PBX software providing everything you would expect from a PBX. It does Voice over IP in many protocols and can interoperate with almost all telephony equipment (softphones, hardphones, analog phones, ...)

2.1.4 hostname: homer - 192.168.200.12

Hardware details:

CPU: AMD Duron

RAM: 128 MB

OS: Windows 2000 Server Service Pack 4 [17]

HD-capacity: 40 GB

Services:

Homer is the only server in our lab topology running Windows 2000 Server. Its main job is to act as a file server that can be accessed from all PCs in the topology, and to be the domain controller for the main network (192.168.200.0). We used the Active Directory software shipped with the server edition.

Service details:

• Active Directory [18] - providing a repository for computers, people and any other resource in a company

• file sharing [19] - providing network shares to all users of the network; accessible from all operating systems

2.1.5 hostname: apu - 192.168.200.33

Hardware details:

CPU: AMD Duron

RAM: 64 MB

OS: Windows 2000 Service Pack 4 [20]

HD-capacity: 8.4 GB

Usage:

Apu is one of the client-only machines in this network. Although usually you only have Windows XP in companies, there are always still some Windows 2000 or even older computers around which, e.g., run programs that are no longer supported by newer operating systems. That's why I wanted to keep one PC of the old generation in the lab, to see how it can handle the new stack. This host represents a usual workstation with every-day programs. I installed Microsoft Office 2000 and, in addition, the OpenOffice 2.0 beta to have some open source spirit on this PC as well. For browsing the Internet I decided to add Firefox 1.0.6 to the existing Internet Explorer 6.0. Every workstation needs a mail client as well, and this time I chose to install, next to the pre-installed Outlook Express and the Outlook that came with Microsoft Office, the mail client from the Mozilla project, Thunderbird 1.0.2. Acrobat Reader, WinZip, Paintshop Pro 5.03 and XnView round off the illusion of a workstation in use. The security measures taken on that computer are Sygate Personal Firewall 5.5 and AntiVir from the German company H+B EDV. For my convenience and for testing purposes I added WinSCP3 and PuTTY as well.

Software details:

• Microsoft Office 2000 [21] - Office software suite

• openOffice 2.0 beta [22] - open source office software suite

• Firefox 1.0.6 [23] - open source internet browser of the Mozilla project

• Thunderbird 1.0.2 [24] - open source email client of the Mozilla project

• Acrobat Reader [25] - Adobe's free PDF reader

• WinZip [26] - zip file utility for Windows

• Paintshop Pro 5.03 [27] - picture editing software

• XnView [28] - free graphic viewer

• Sygate Personal Firewall 5.5 [29] - free home firewall

• Antivir [30] - virus protection from H+BEDV

• WinSCP3 [31] - open source SFTP client for Windows

• puTTY [32] - free Telnet/SSH client

2.1.6 hostname: nelson - 192.168.200.34

Hardware details:

CPU: Pentium II 350 MHz

RAM: 192 MB

OS: Windows XP Service Pack 2 [20]

HD-capacity: 8.4 GB


Usage:

Nelson is the client computer with the most up-to-date operating system from Microsoft in my initial lab topology. As with apu, nelson is just a client workstation providing its users programs like Microsoft Office 2003 [21], OpenOffice 2.0 beta [22], Internet Explorer 6.0, Firefox 1.0.6 [23], Outlook Express, Outlook, Thunderbird [24], PuTTY [32] and WinSCP3 [31]. In addition to these programs, which I have described in more detail before, I added the softphone SJphone 1.60.

Program details:

• SJphone 1.60 [33] - Voice over IP softphone

2.1.7 hostname: lisa - 192.168.200.35

Hardware details:

CPU: AMD Duron 1200

RAM: 128 MB

OS: SuSE 2.6.8-24-default [34]

HD-capacity: 40 GB

Usage:

In order to have one non-Windows client in the network (again the company wished to test the use of a SuSE system as a normal workstation in a heterogeneous environment) I chose a SuSE 9.2 distribution. This host is running only client programs like OpenOffice 2.0 beta [22], Konqueror, Mozilla and Firefox [23]. As mail clients I used KMail and Evolution.


Program details:

• Konqueror [35] - KDE web browser and file manager

• Kmail [36] - free KDE mail client

• Evolution [37] - groupware client for Linux

Besides the computers used in the main office and the two phones I men-tioned above I also used two VoIP hardphones.

2.1.8 allnet1 - 192.168.200.130

The hardphone allnet1 is an ALL7950 SIP [39] phone and is connected between the switch and the host apu.

2.1.9 grandstream1 - 192.168.200.129

The second hardphone, with the hostname grandstream1, is a Grandstream BudgeTone 100 [38] and is connected between the switch and lisa.

2.2 Branch office

The branch office in my topology, with its two computers, emulates one of the many locations the BFI Burgenland has to supply with information and connectivity all over the Burgenland.

IP-address range: 192.168.201.0/24

2.2.1 hostname: snowball - 192.168.201.1

Hardware details:

CPU: Pentium II 350 MHz

RAM: 128 MB

OS: Debian Sarge 2.4.27-2-686 [1]

HD-capacity: 8 GB

Services:

Snowball is the gateway computer for the branch office and therefore has to handle all the things bart copes with. This includes of course such vital things as routing and iptables, and it is the other endpoint of our OpenVPN [5] tunnel. In addition, another Asterisk [16] and Apache [10] server are installed on this node. The Asterisk servers of the main and the branch office are connected via IAX.

2.2.2 hostname: snowball2 - 192.168.201.17

Hardware details:

CPU: Pentium II 350 MHz

RAM: 128 MB

OS: Windows XP Service Pack 2 [20]

HD-capacity: 4.3 GB

Usage:

Snowball2 is the sole client, standing in for the other computers that could be in this network. Its tasks are not very challenging as they are the same you saw with nelson, apu or lisa. Internet Explorer 6, Firefox 1.0.6 [23], Outlook, Outlook Express and Thunderbird [24] are installed to cover the Internet-dependent applications. Microsoft Office XP [21] and OpenOffice [22] for every-day usage and PuTTY [32] together with WinSCP [31] for testing purposes complete the choice of software. The only more special thing in this environment is the softphone SJphone 1.6 [33].


2.2.3 hostname: sipura - 192.168.201.129

This Sipura SPA-2000 adapter [40] allows you to plug two standard telephones or fax machines into it and connect them to IP-based data networks. It features two POTS ports for connecting analog phones and one Ethernet interface for connecting to the LAN. Each port can be configured completely independently with the software on the small web server built into this device.


Bibliography

[1] Debian: debian (2005). http://www.debian.org (2005-12-02)

[2] netfilter project: firewalling, NAT and packet mangling for Linux (2005). http://www.netfilter.org (2005-12-01)

[3] ntpd: network time protocol daemon (2005). http://www.eecis.udel.edu/~mills/ntp/html/ntpd.html (2005-12-01)

[4] ntop: network usage grapher (2005). http://www.ntop.org (2005-12-01)

[5] openVPN: a full-featured SSL VPN solution (2005). http://openvpn.net (2005-12-01)

[6] ISC: dhcpd - Dynamic Host Configuration Protocol Distribution (2005). http://www.isc.org/index.pl?/sw/dhcp/ (2005-12-01)

[7] ISC: bind9 - Berkeley Internet Name Domain (2005). http://www.isc.org/index.pl?/sw/bind/ (2005-12-01)

[8] exim4: The exim home page (2005). http://www.exim.org (2005-12-01)

[9] Eudora: qpopper - the most widely used POP3 server (2005). http://www.eudora.com/products/unsupported/qpopper/index.html (2005-12-01)

[10] The Apache Software Foundation: HTTP Server Project (2005). http://httpd.apache.org/ (2005-12-01)

[11] MrUnix: The Webalizer - What is your webserver doing today? (2005). http://www.mrunix.net/webalizer (2005-12-01)

[12] LBNL's Network Research Group: arpwatch (2005). http://www-nrg.ee.lbl.gov (2005-12-01)

[13] Easy Software Products: CUPS Common Unix Printing System (2005). http://cups.org/ (2005-12-01)

[14] Duane Wessels: Squid Web Proxy Cache (2005). http://www.squid-cache.org/ (2005-12-01)

[15] MySQL AB: mySQL - The world's most popular open source database (2005). http://www.mysql.com (2005-12-01)

[16] Digium: asterisk - The Open Source PBX (2005). http://www.asterisk.org (2005-12-01)

[17] Microsoft: Windows 2000 Server (2004). http://www.microsoft.com/windows2000/default.mspx (2005-12-02)

[18] Microsoft: Windows 2000 Directory Services (2005). http://www.microsoft.com/windows2000/technologies/directory/default.mspx (2005-12-01)

[19] Microsoft: 7 Ways to Share Information with Co-workers (2004). http://www.microsoft.com/atwork/worktogether/sharing.mspx#EPDAC (2005-12-02)

[20] Microsoft: Windows Family Homepage (2005). http://www.microsoft.com/windows/default.mspx (2005-12-02)

[21] Microsoft: Office Online (2005). http://office.microsoft.com/en-us/default.aspx (2005-12-02)

[22] OpenOffice.org: the free office suite (2005). http://de.openoffice.org/ (2005-12-02)

[23] mozilla: Firefox (2005). http://www.mozilla.com/firefox/ (2005-12-02)

[24] mozilla: Thunderbird (2005). http://www.mozilla.com/thunderbird/ (2005-12-02)

[25] Adobe: Adobe Reader (2005). http://www.adobe.de/products/acrobat/readstep2.html (2005-12-02)

[26] WinZip International LLC: WinZip (2005). http://www.winzip.com (2005-12-02)

[27] Corel: Paint Shop Pro (2005). http://www.corel.de/servlet/Satellite?pagename=Corel3De/Products/Display&pfid=1047024666092&pid=1047025530410 (2005-12-02)

[28] Pierre Gougelet: XnView (2005). http://www.xnview.com/ (2005-12-02)

[29] Sygate: Sygate Personal Firewall (2005). http://soho.sygate.com/products/spf_standard.htm (2005-12-02)

[30] H+BEDV: AntiVir (2005). http://www.antivir.de/en/index.html (2005-12-02)

[31] WinSCP: WinSCP (2005). http://winscp.net/eng/index.php (2005-12-02)

[32] Simon Tatham: PuTTY (2005). http://www.chiark.greenend.org.uk/~sgtatham/putty/ (2005-12-02)

[33] SJ Labs: Voice over IP Software (2005). http://www.sjlabs.com (2005-12-02)

[34] Novell: Novell SUSE Linux (2005). http://www.novell.com/linux/suse/ (2005-12-02)

[35] konqueror.org: Konqueror (2005). http://www.konqueror.org/ (2005-12-02)

[36] KMail: the KDE mail client (2005). http://kmail.kde.org/ (2005-12-02)

[37] Novell: E-mail, Calendaring and Collaboration - Evolution 2 (2005). http://www.novell.com/products/desktop/features/evolution.html (2005-12-02)

[38] Grandstream: BudgeTone 100 (2003). http://www.grandstream.com/y-bt100.htm (2005-12-02)

[39] Allnet Deutschland GmbH: ALL 7950 SIP Komfort Telefon (2005). http://www.allnet.de/product_info_allnet.php?cPath=_&products_id=99927 (2005-12-02)

[40] Sipura Technology, Inc.: SPA-2000 Analog Telephone Adapter (2003). http://www.sipura.com/products/spa2000.htm

[41] Digium, Inc.: Wildcard TDM400P, TDM31B (2005). http://www.digium.com/index.php?menu=product_detail&category=hardware&product=TDM400P (2005-12-02)


Chapter 3

Testing and Benchmarking theNetwork

Having services is one crucial step in setting up a working network, but nothing is more important than their performance. Questions like "What is my throughput?", "How long will the bandwidth be sufficient?" and "What do the services do when no one watches?" are those keeping system administrators awake at night. One way to diminish the risk of something unexpected happening is to monitor the network closely. But monitoring is only half the battle. Collecting data is only as useful as the adaptations and the consequences that are drawn from it.

The main reason for monitoring my network is to compare IPv4 baselines with those of the IPv6 protocol. First of all I want to describe the tools I used.

3.1 Tools and their usage

3.1.1 MRTG [1]

MRTG, the Multi Router Traffic Grapher, is a tool to monitor various things like traffic load using SNMP (Simple Network Management Protocol). It generates HTML pages and graphs the values measured periodically. It was originally developed to monitor routers but can now present data from every device running an SNMP agent. When configured, it can also send you warning emails when thresholds are exceeded. But let's start with SNMP.

3.1.1.1 SNMP [2] [3] [4] [5]

The Simple Network Management Protocol is an application protocol of the Internet protocol suite used to monitor network-attached devices. SNMP was designed with one goal in mind: simplicity. Usable on nearly every network device known today, it is viewed as a security threat by some, while others think it is the best way of centralized data manipulation for their key systems. SNMP uses UDP (User Datagram Protocol), a stateless, fast but unreliable transport that sends traffic without checking whether the other node received the data. The SNMP design is pretty simple, for it consists of a managing system and several agents running on servers, workstations, and so on. The agents are the devices being monitored while the manager is the one asking for the information the agents gathered and storing it centrally for further processing. The manager is often also referred to as Network Management Station, or NMS for short. SNMP has a small set of primitives comprising "GET", "GET-NEXT" and "SET". "GET" is used to retrieve a single piece of information while "GET-NEXT" returns the object that follows the given one in the MIB tree; it is used if you want to retrieve data sequentially (a walk is a series of GET-NEXTs). Use "SET" when you want to set a particular variable to a certain value. On the other hand there are two primitives the responder (i.e. the agent) uses to reply, and these are "GET-RESPONSE" and "TRAP". "GET-RESPONSE" is the answer to the requester's direct query and "TRAP" is an asynchronous message sent to obtain the manager's attention. In later versions of SNMP traps are called "notifications". As you can see, both the manager and the agent can initiate communication. In my lab I used SNMPv1, which provides very little security: authentication is performed by a "community string", a password transmitted in plain text, so anyone who can sniff the segment between manager and agent learns it and, with a read-write community, can then change settings on the agent. SNMPv2c introduces new primitives (such as GET-BULK) but keeps the same security scheme SNMPv1 is using. SNMPv3 is considered state of the art, providing stronger security measures (user-based authentication and optional encryption).

Talking about primitives used in an SNMP-managed network, the next question to be answered is: what do we get through GET? The types of data exchanged between the manager and the agents are described on the agent in a database called "management information base", or "MIB" for short. Each value tracked in a MIB is an object. The MIB is used to translate the textual names in queries to OIDs. Each object in the MIB represents a specific entity on the managed device; this can be everything from "hostname" to "number of established IP connections" or "version of operating system". These MIBs use a hierarchical namespace of object identifiers, or OIDs for short. If you want to know which OIDs your system can report, look into the folder /usr/share/snmp/mibs/ on Linux-based systems. You'll find different MIB files containing entries such as

hrMemorySize OBJECT-TYPE
    SYNTAX     KBytes
    UNITS      "KBytes"
    MAX-ACCESS read-only
    STATUS     current
    DESCRIPTION
        "The amount of physical read-write main memory, typically RAM, contained by the host."
    ::= { hrStorage 2 }

Querying an OID with snmpwalk looks like this:

marge:~# snmpwalk -v1 -c public localhost hrMemorySize
HOST-RESOURCES-MIB::hrMemorySize.0 = INTEGER: 126924 KBytes

snmpwalk retrieves every object in the subtree below the OID you provided (by issuing GET-NEXT requests). So if you don't know what to search for you can also start with "snmpwalk -v1 -c public localhost hr", or even "snmpwalk -v1 -c public localhost", which walks the whole tree the agent exposes. snmpget, on the other hand, returns only the value of the object that exactly matches the given OID. Look what happens when I snmpget the same name I walked before:

marge:~# snmpget -v1 -c public localhost hrMemorySize
Error in packet
Reason: (noSuchName) There is no such variable name in this MIB.
Failed object: HOST-RESOURCES-MIB::hrMemorySize

So what happened here? We saw snmpwalk returning the value and snmpget saying that the requested object does not exist. The explanation lies in the structure of OIDs. The textual name in a MIB refers to the object type, i.e. the OID branch, not to the instance where the data actually lives; an instance is addressed by appending an index such as ".0" (for scalar objects) or ".1". Looking closely at the output of snmpwalk you can see "hrMemorySize.0" being displayed. Getting this instance gives the expected output:

marge:~# snmpget -v1 -c public localhost hrMemorySize.0
HOST-RESOURCES-MIB::hrMemorySize.0 = INTEGER: 126924 KBytes
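The SNMPv1 exchange described above, as an added example that is not part of the thesis and not code from the net-snmp tools: a minimal BER encoder and decoder in Python that builds the GetRequest snmpget sends for hrMemorySize.0 (OID 1.3.6.1.2.1.25.2.2.0, as the MIB entry above defines it) and parses GetResponse messages. No agent is contacted; the two responses are constructed to mirror the two outcomes shown above, the value 126924 KBytes for the ".0" instance and a noSuchName error for the bare branch. It also makes the security point about SNMPv1 visible: the community string sits in clear text in every datagram.

```python
"""Minimal SNMPv1 GetRequest/GetResponse encoder and decoder (BER, RFC 1157).

Added example: shows what snmpget puts on the wire and why the SNMPv1
"community string" is no secret. The responses are constructed here to
mirror the two results in the text; no real agent is queried.
"""

HR_MEMORY_SIZE_0 = "1.3.6.1.2.1.25.2.2.0"   # HOST-RESOURCES-MIB::hrMemorySize.0
HR_MEMORY_SIZE = "1.3.6.1.2.1.25.2.2"        # the bare branch, no instance suffix

GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2       # context-specific PDU tags
ERROR_STATUS = {0: "noError", 1: "tooBig", 2: "noSuchName",
                3: "badValue", 4: "readOnly", 5: "genErr"}


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _encode_int(v: int) -> bytes:
    n = max(1, (v.bit_length() + 8) // 8)       # leave room for the sign bit
    return _tlv(0x02, v.to_bytes(n, "big", signed=True))


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])    # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                # base-128, continuation bit set
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _build(pdu_tag, community, oid, value=None, error_status=0, request_id=1):
    val = _encode_int(value) if value is not None else _tlv(0x05, b"")  # NULL
    varbinds = _tlv(0x30, _tlv(0x30, _encode_oid(oid) + val))
    pdu = _tlv(pdu_tag, _encode_int(request_id) + _encode_int(error_status)
               + _encode_int(0) + varbinds)
    # version 0 == SNMPv1; the community is a plain OCTET STRING, nothing more
    return _tlv(0x30, _encode_int(0) + _tlv(0x04, community.encode()) + pdu)


def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    return _build(GET_REQUEST, community, oid, None, 0, request_id)


def build_get_response(community, oid, value=None, error_status=0, request_id=1):
    """Constructed agent reply; error_status=2 reproduces the noSuchName case."""
    return _build(GET_RESPONSE, community, oid, value, error_status, request_id)


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(payload: bytes) -> str:
    arcs, val = [payload[0] // 40, payload[0] % 40], 0
    for b in payload[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_message(msg: bytes) -> dict:
    """Decode one SNMPv1 message into its fields (community comes back as text)."""
    _, body, _ = _read_tlv(msg, 0)
    _, ver, pos = _read_tlv(body, 0)
    _, comm, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, idx, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid, p = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, p)
        value = int.from_bytes(val, "big", signed=True) if vtag == 0x02 else None
        varbinds.append((_decode_oid(oid), value))
    as_int = lambda b: int.from_bytes(b, "big", signed=True)
    return {"version": as_int(ver), "community": comm.decode(), "pdu": pdu_tag,
            "request_id": as_int(rid),
            "error_status": ERROR_STATUS.get(as_int(err), "?"),
            "error_index": as_int(idx), "varbinds": varbinds}


if __name__ == "__main__":
    req = build_get_request("public", HR_MEMORY_SIZE_0)
    print(req.hex())
    print("community readable on the wire:", b"public" in req)
    ok = build_get_response("public", HR_MEMORY_SIZE_0, 126924)       # constructed
    print(parse_message(ok))
    bad = build_get_response("public", HR_MEMORY_SIZE, None, error_status=2)
    print(parse_message(bad)["error_status"])
```

Running the script prints the request bytes in hex; the octets 70 75 62 6c 69 63 ("public") are plainly visible, which is all an attacker on the path needs to replay queries, or, with a read-write community, to SET values on the agent.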

Now, to prepare the hosts for use with MRTG, SNMP agents have to be installed and configured on them. On the Linux hosts I used "apt-get install snmpd" and configured the agent in the file /etc/snmp/snmpd.conf with the following lines for very basic usage:

rocommunity public
disk /home
disk /var

The first line sets the read-only community string needed for queries to "public"; the other two define two disk paths whose usage the agent reports and MRTG will monitor. Note that rocommunity also accepts a source network as a further argument, which restricts which hosts may query the agent; without it every host that can reach UDP port 161 and knows the community string can read the agent's data.

On Windows systems you have to install the SNMP agent from the Control Panel. Select "Add or Remove Programs" and then click "Add/Remove Windows Components". Among the components, select "Management and Monitoring Tools", where you will find an entry labelled "Simple Network Management Protocol" that you can check. Windows will prompt you to insert the CD during installation. To configure the freshly installed service go to the Control Panel again and choose "Administrative Tools". There click "Services", which shows you a list of all services configured on this host. One of them is called "SNMP Service"; double-clicking it opens its properties. Open the "Security" tab, for it contains the options for sending authentication traps, adding community names and setting their rights. You can also specify whether to accept SNMP packets from all hosts or only from listed ones.

3.1.1.2 Installing and configuring MRTG [6] [7] [8]

In order to install MRTG successfully you need several libraries installed before MRTG. Notice that you may already have some of them on your system. You need the packages "zlib" (compresses the graphics you create), "libpng" (required by gd; creates *.png files) and "gd" (a basic graph drawing library). Last but not least you need MRTG itself, available at http://people.ee.ethz.ch/~oetiker/webtools/mrtg/pub. If you have all libraries installed you can run

./configure --prefix=/usr/bin/mrtg

Otherwise you might need to specify where to find the libraries mentioned above; see "./configure --help" for details. After "make" and "make install" MRTG is installed under the prefix you gave (the default prefix is /usr/local/mrtg-2). Naturally you need a web server running to present the results of MRTG's work. The document root for MRTG is /var/www/mrtg on my server.

For defining what to monitor in your network you have to create an "mrtg.cfg" file. You can either write it on your own or let the cfgmaker script do the dirty work. Read the cfgmaker manpage for further details and options of the script. If you prefer to write the configuration file on your own, read the mrtg-reference manpage. You can start MRTG with

/usr/bin/mrtg /etc/mrtg.cfg

There will be several complaints about missing log files the first time you start MRTG. Don't worry about that, for they vanish after the third startup. Once you have configured MRTG to your needs it is handier to start it periodically from the crontab rather than manually:

*/5 * * * * root /usr/bin/mrtg /etc/mrtg.cfg

This forces MRTG to launch every five minutes to gather current data and graph it. Now I want to take a closer look at the contents of "mrtg.cfg". One sample section from the mrtg.cfg, graphing the percentage of free memory on the system:


Title[server.mempercent]: Percentage Free Memory
PageTop[server.mempercent]: <H1> Percentage Free Memory </H1>
Target[server.mempercent]: (memAvailReal.0&memAvailReal.0:[email protected]) * 100 / (memTotalReal.0&memTotalReal.0:[email protected])
Options[server.mempercent]: growright,gauge,transparent,nopercent
Unscaled[server.mempercent]: ymwd
MaxBytes[server.mempercent]: 30
YLegend[server.mempercent]: Memory %
ShortLegend[server.mempercent]: Percent
LegendI[server.mempercent]: Free
LegendO[server.mempercent]: Free
Legend1[server.mempercent]: Percentage Free Memory
Legend2[server.mempercent]: Percentage Free Memory

Above you have a small part of an mrtg.cfg file where the configuration for one monitored item is set. The structure of each entry is as follows:

Parameter[name of graph]: value

"LegendI" is the label for the input graph, "LegendO" for the output graph; since there is little space on the graphs, there is an expansion for the labels of both called "Legend1" (corresponding to LegendI) and "Legend2" (corresponding to LegendO). "YLegend" is the legend of the Y axis, the value you are trying to compare. The "Options" parameter provides graph formatting information ("gauge" tells MRTG that the value is an absolute reading and not a counter to be differenced). "Title" defines the title written on the summary page, "PageTop" the title of the detailed view page. "MaxBytes" defines the maximum value MRTG will accept and plot on a graph, and "Unscaled: ymwd" leaves the yearly, monthly, weekly and daily graphs unscaled, meaning that the highest value measured is not graphed close to the top (usually MRTG adjusts its graphs so that the largest value plotted is always close to the top). The "Target" parameter contains the MIB OIDs. Because MRTG always graphs two values (input and output) you have to provide two OIDs, each followed by the community string and the IP address of the monitored host in the form OID:community@host; the example above combines two such pairs with arithmetic to obtain a percentage.


After you have finished your configuration you have to generate the HTML file that can be opened in the browser with

indexmaker --output=/var/www/mrtg/index.html /etc/mrtg.cfg

Now you can access your graphs at http://bart.sylvia.test/mrtg/index.html. I chose to monitor several hosts, so I wrote an mrtg.cfg file for each host (don't forget to add those to the crontab as well). See the appendix for a full mrtg.cfg file for Linux. Monitoring Windows machines works the same way, except for some different MIBs you have to use. I wanted to monitor the same objects I did with the Linux machines but left out the disk monitoring (for it isn't as interesting here). Nearly all OIDs could be re-used except for the CPU monitoring. If you are curious how I found out which OID to use, check out www.somix.com, for they provide a full repository of OIDs for all kinds of devices and snippets you can copy and paste into your MRTG file.

Figure 3.1: Screenshot of http://www.sylvia.test/mrtg/index.html showing monitored details of bart.sylvia.test


3.1.2 Smokeping [9]

SmokePing is a latency measurement tool that can measure, store and display latency, latency distribution and packet loss. You can configure SmokePing to trigger alarms on thresholds for certain loss patterns. It can even handle targets with dynamic addresses. For a working installation of SmokePing you need several other packages first:

RRDtool (for graphing), FPing (reports round trip times), a working web server installation like Apache (it has to run CGI scripts), Perl, SpeedyCGI (SmokePing is optimized for it and it speeds up Perl scripts dramatically) and CGI::Carp.

If this seems too much work you can also take the lazy way, as I did, with "apt-get install smokeping". I installed SmokePing on marge.sylvia.test and snowball.sylvia.test in order to have round trip times from each network. After configuring /etc/smokeping/config you can watch it updating every five minutes. The files and graphs produced are stored in /var/www/smokeping. See the appendix for a sample /etc/smokeping/config file.

3.1.3 bing [10]

Bing is a tool that measures the bandwidth of connections. It estimates the throughput between two nodes by sending ICMP ECHO_REQUESTs of two different sizes and comparing their round trip times. It is available as a *.deb and therefore can be installed via "dpkg -i *.deb". After bing is installed you can use it with the command

bing client1 client2

with client1 being the source node and client2 the destination (example: bart:~# bing bart snowball), producing output like that shown in Figure 3.3.

Figure 3.2: Screenshot of the last 3 and the last 30 hours of round trip measurements taken from marge to bart

Figure 3.3: Output when using bing

Read the bing man page for detailed information about the options provided by bing, such as -D for displaying the measured throughput for each packet received, -u <number> for increasing the packet size of each ECHO_REQUEST, or -f <filename> for saving the results to the file <filename>.
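How a bandwidth figure can be derived from two packet sizes, as an added example that is neither the thesis's nor bing's own code: the estimate takes the smallest observed round trip time for each (host, packet size) pair, subtracts the near end's size penalty from the far end's so that only the link between them remains, and divides the extra bits of the larger packet by the extra time. Because ICMP echo request and echo reply both cross the link, the extra bytes are counted twice. The packet sizes, the minimum-of-samples choice and the factor of two are assumptions about the method, not a reproduction of bing's exact arithmetic or defaults, and all RTT samples below are constructed.

```python
"""Link bandwidth estimate from two ICMP packet sizes, in the style of bing.

Added example, not bing's code. Round trip times are given in microseconds,
one list of samples per (host, packet size). All sample data is constructed.
"""
from typing import Sequence


def extra_rtt_us(small_rtts: Sequence[int], large_rtts: Sequence[int]) -> int:
    """Extra round trip time the larger packet costs at one host.

    The minimum of each sample set is used because queueing only ever adds
    delay; the smallest RTT is closest to pure transmission plus propagation.
    """
    if not small_rtts or not large_rtts:
        raise ValueError("need at least one RTT sample per size")
    return min(large_rtts) - min(small_rtts)


def link_bandwidth_bps(small: int, large: int,
                       near_small: Sequence[int], near_large: Sequence[int],
                       far_small: Sequence[int], far_large: Sequence[int]) -> float:
    """Estimate the bandwidth of the link between the near and the far host.

    small/large are the ICMP payload sizes in bytes. The near host sits on
    this side of the link, the far host just beyond it; subtracting the near
    host's size penalty removes every hop before the link under test. The
    extra bytes cross the link twice (echo request and echo reply), hence the
    factor 2 (assumption about the method, see the lead-in).
    """
    if large <= small:
        raise ValueError("large packet must be bigger than small packet")
    delta_us = extra_rtt_us(far_small, far_large) - extra_rtt_us(near_small, near_large)
    if delta_us <= 0:
        # Measurement noise swamped the size difference: no usable estimate.
        raise ValueError("no measurable size penalty on the link; "
                         "increase the size gap or take more samples")
    extra_bits = 2 * 8 * (large - small)
    return extra_bits * 1_000_000 / delta_us


# Constructed samples (microseconds), e.g. for a slow link between bart and snowball.
NEAR_SMALL = [1000, 1040, 1010]
NEAR_LARGE = [1100, 1150, 1120]
FAR_SMALL = [2000, 2100, 2050]
FAR_LARGE = [3100, 3200, 3150]

if __name__ == "__main__":
    bps = link_bandwidth_bps(44, 108, NEAR_SMALL, NEAR_LARGE, FAR_SMALL, FAR_LARGE)
    print(f"estimated link bandwidth: {bps / 1e6:.3f} Mbit/s")
```

With the constructed samples the larger packet costs 100 µs extra at the near host and 1100 µs extra at the far host, so the link itself accounts for 1000 µs for 64 extra bytes in each direction, i.e. about 1.024 Mbit/s. A negative or zero difference, which happens when jitter exceeds the size penalty, is reported as an error rather than as a nonsensical bandwidth.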

3.1.4 iperf [11] [12]

Iperf was developed to be a modern and easy-to-use alternative to other TCP and UDP bandwidth measuring tools. It measures bandwidth, packet loss and jitter. The server can handle multiple connections, you can create UDP streams of a specified bandwidth, it is multicast and IPv6 capable, can run for a specified time rather than for an amount of data to transfer, and much more. Iperf can be obtained from the homepage linked above for both Linux and Windows environments. "apt-get install iperf" can shorten the installation, for the homepage only provides sources. A simple test is started with

snowball:~# iperf -s
bart:~# iperf -c snowball

The first command starts the server on snowball on the default port 5001 (to open the server on port 3000 type "iperf -s -p 3000"). The second command starts the client on bart pointing to the server "snowball" ("iperf -c snowball -p 3000" for port 3000). The output produced looks like this:

------------------------------------------------------------
Client connecting to snowball, TCP port 5001
TCP window size: 16.0 KByte (default)
------------------------------------------------------------
[  3] local 10.8.0.2 port 3906 connected with 192.168.201.1 port 5001
[  3]  0.0-10.0 sec  12.8 MBytes  10.7 Mbits/sec

For doing UDP testing simply add “-u”:

snowball:~# iperf -s -u
bart:~# iperf -c snowball -u


3.1.5 netperf [13]

Netperf is a benchmark used to measure the performance of different types of networking. It provides tests for unidirectional throughput as well as end-to-end latency. You can either download the sources and do the installation yourself or "apt-get install netperf". Doing the installation yourself requires a folder /opt/netperf before installing. You can either run the service via inetd or as a standalone service. For netperf being run by inetd you need the line "netperf 12865/tcp" in your /etc/services file and the line "netperf stream tcp nowait root /opt/netperf/netserver netserver" in your /etc/inetd.conf file. After restarting inetd with "kill -HUP <pid of inetd>" the service should be registered with inetd. I chose to run the service standalone, starting netserver manually by typing

snowball:~# netserver -p <port number>
bart:~# netperf -H snowball -p <port number>

The second line starts the client and connects to the host running the netperf server, snowball, at the given port, producing the following results:

TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to snowball.sylvia.test (192.168.201.1) port 0 AF_INET
Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    10^6bits/sec

 87380  16384  16384    10.02      14.47

3.1.6 netio [14]

Netio measures the net throughput of a network via TCP/IP (and NetBIOS on Windows and OS/2) using various packet sizes. This is done with 6 different packet sizes, each tested for 10 seconds. A huge advantage is that it runs on several operating systems. You can download it at http://ftp.leo.org/historic/comp/os/os2/leo/systools/netio123.zip, containing binaries for Linux, Windows and OS/2.

snowball:~# /home/elsylo/download/netio/bin/linux-i386 -s
bart:~# /home/elsylo/download/netio/bin/linux-i386 -t snowball

The first command starts the server for TCP and UDP connections, the second command starts the client for a TCP test against the server "snowball" (if needed you can also specify the port to test with the option "-p <portnumber>", appended to the first command and written before the server address in the client command). The output produced looks like this:

NETIO - Network Throughput Benchmark, Version 1.23
(C) 1997-2003 Kai Uwe Rommel

TCP connection established.
Packet size  1k bytes:   962 KByte/s Tx,  1507 KByte/s Rx.
Packet size  2k bytes:  1358 KByte/s Tx,  1387 KByte/s Rx.
Packet size  4k bytes:  1398 KByte/s Tx,  1402 KByte/s Rx.
Packet size  8k bytes:  1409 KByte/s Tx,  1391 KByte/s Rx.
Packet size 16k bytes:  1410 KByte/s Tx,  1411 KByte/s Rx.
Packet size 32k bytes:  1482 KByte/s Tx,  1408 KByte/s Rx.
Done.

3.1.7 netbench [15]

Netbench is a portable benchmark program that measures how well a file server handles file I/O requests from Windows clients by sending it network file operations. It reports throughput as well as client response time. When downloading the software you will have "SETUP.EXE" files for both the controller and the client. Installing Netbench is done in four simple steps: first you have to execute the setup for the controller, then modify the client ID file. The client ID file can be found on the controller in the directory <CONTROLLER_DIR>\CLIENTIDS\CLIENT.CDB. For each client in your testing environment you have to add an entry containing its IP address and a unique identifier. Then go to each client and execute the client's SETUP.EXE. On the clients you have to modify the hosts file residing at <WINDOWS>\system32\drivers\etc with an entry for the controller looking like this: "192.168.200.12 controller".

To start the test choose “Start Log In” from the “Clients” menu on your controller. The controller now awaits incoming connections from clients. Before you can start testing you need each client to map the server volume to drive F: (you could of course choose another drive letter, which requires additional modifications). On each client now start the netbench client software. When you return to the controller you will see an entry marked by a yellow circle for each client connected. After clicking “Yes” you can proceed to adding a test suite with several tests to choose from (I decided to use DM.TST). Then enter the result file and watch it benchmarking.

3.1.8 sipp [16] [17]

SIPp is an Open Source test tool and traffic generator for the SIP protocol. It works with integrated scenarios establishing and releasing multiple calls with INVITE and BYE methods. It dynamically displays statistics about round trip delay or call rate. It can be used for various kinds of SIP equipment and is very useful for emulating thousands of user agents calling your SIP system. Run the embedded server scenario

/usr/src/sipp/sipp -sn uas

and on the same host the embedded client scenario

/usr/src/sipp/sipp -sn uac 127.0.0.1

There are different scenarios available for SIPp and you can also create your own XML scenarios for testing. The software can be obtained with a simple “apt-get install sipp”.


Figure 3.4: Screenshot of a SIPp Output

3.1.9 copying files

“Copying files” is no brand new piece of software testing your network to the bones but rather the old-fashioned and easily comparable idea of measuring the time it takes to copy files. I chose to copy files of several different sizes from the file server homer.sylvia.test to all clients. For Linux-based computers I mounted the share with the file system smbfs, and by adding “time” before the copy command the duration of the activity is simply written back to you.

test1: 200 times 512 Bytes
test2: 100 times 1 KB
test3: 40 times 25 KB
test4: 30 times 1 MB
test5: once 1 GB

3.1.10 digging DNS

Another simple but important thing to check in your network is how long it takes to look up a hostname with dig.

time dig snowball.sylvia.test


3.1.11 open a file from a share

An every-day task and very likely an every-day annoyance is opening a file you work on from a network share. I assumed one big and one small file for a word processor and for a spreadsheet lying on the server and being accessed from my clients in the network. These are apu, lisa and nelson, with apu and nelson having both Microsoft Office and OpenOffice installed. Lisa, the SUSE client, only provides OpenOffice. Then I measured the time it takes, with the specified program already opened, until the file was fully loaded.

3.1.12 downloading files

Measuring the time it takes to download files of various sizes from a web server is the next test I took. Since I didn’t want traffic from the internet interfering with my analysis, I decided to load the files from an internal web server used by the Berufsförderungsinstitut Burgenland. The files downloaded are pictures with file sizes of 80 KB, 250 KB and 2.74 MB.

3.1.13 ethereal [18]

Ethereal is not really a benchmarking tool but has a lot to do with testing your network, and that’s why I chose to add this tool to this chapter. Ethereal is a network packet analyzer that captures network packets and dissects them in maximum detail. It takes every packet sent in a network (and that’s why I switched from using a switch to using a hub in my lab) and displays everything starting from the header and ending at the real data embodied. Ethereal is the first open source tool providing this amount of features and assists you in troubleshooting your network, examining security problems, debugging protocols and learning the internals of a protocol. There are many other advantages connected to the use of Ethereal like support for all major platforms, detailed protocol information, several filter possibilities, various statistics, and so on.

Since I don’t have a GUI installed on any of my Linux computers, I installed Ethereal on some Windows hosts. Installing Ethereal on Debian works with “apt-get install ethereal”. For Windows you need to download the binary at the web site cited above and start the setup. Since Ethereal version 0.10.12 the WinPcap installer has become part of the Ethereal installer, so you don’t need to worry about forgetting it anymore. When Ethereal is installed you need to choose which interface to monitor in the “Capture” menu. The entry “Interfaces ...” will open a dialog containing all interfaces Ethereal found on your host. Once you have chosen an interface you can start a new capture by clicking “Start” in the same menu. You will see a small window with the number of packets captured for each protocol. When you stop the live capture, the captured data is loaded and you have one line for each packet. In newer versions you even have a color scheme flagging certain kinds of protocols. When clicking one of the packets the entry is highlighted and the details are displayed below.

You will find several Ethereal sniffs throughout my thesis because, and I really want to emphasize this, it helped me solve nearly every problem I experienced.

3.1.14 tcpdump [19]

When mentioning Ethereal I also have to mention its command-line based equivalent tcpdump, which helped me sniff packets on those PCs without a graphical interface. Installed with “apt-get install tcpdump”, it provides output that is not as easy to read but just as interesting as that known from Ethereal.

3.1.15 nmap [20]

Known not only to network administrators but also from the movie “The Matrix Reloaded”, nmap is what I used to scan my hosts for open ports. It detects open ports, the services running and the operating system used. In a network it is used for penetration testing and for general computer security. Unlike other tools aiming at assessing host vulnerabilities, nmap is built not to interfere with the normal operation of the networks or computers scanned.


Bibliography

[1] Oetiker, Rand: MRTG Multi Router Traffic Grapher (2005). http://people.ee.ethz.ch/~oetiker/webtools/mrtg (2005-12-06)

[2] Linux Home Networking: Advanced MRTG for Linux (2005). http://www.linuxhomenetworking.com/linux-hn/mrtg-advanced.htm (2005-12-06)

[3] Windowsnetworking: Introduction to the Simple Network Management Protocol (SNMP) Part 1. http://www.windowsnetworking.com/articles_tutorials/Introduction-SNMP-Part1.html (2005-12-06)

[4] OpManager - Network Monitoring Software: Installing SNMP agent on Windows Systems (2005). http://manageengine.adventnet.com/products/opmanager/help/user_guide/snmp_installation/install_snmp_win.html (2005-12-06)

[5] OpManager - Network Monitoring Software: Configuring SNMP Agents (2005). http://manageengine.adventnet.com/products/opmanager/help/user_guide/snmp_installation/conf_snmp_agents.html (2005-12-06)

[6] Linux et autres sottises 2003: mrtg.cfg (2003). http://www.linux-sottises.net/mrtg/linux-sottises.cfg (2005-12-07)

[7] Somix: The MIB archive (2005). http://www.somix.com/support/mib_resources.php (2005-12-07)

[8] Somix: MRTG Repository (2005). http://www.somix.com/support/mrtg_repository.php (2005-12-07)


[9] Tobias Oetiker: About SmokePing (2005). http://people.ee.ethz.ch/~oetiker/webtools/smokeping/ (2005-12-07)

[10] SecRobot: Bing - Measures bandwidth between two point-to-point connections (2003). http://linux.maruhn.com/sec/bing.html (2005-12-07)

[11] Distributed Applications Support Team: Iperf Version 2.0.2 (2005). http://dast.nlanr.net/Projects/Iperf (2005-12-07)

[12] Distributed Applications Support Team: Iperf Version 1.1.1 (2005). http://dast.nlanr.net/Projects/Iperf1.1.1 (2005-12-07)

[13] Rick Jones: Welcome to Netperf Homepage (2005). http://www.netperf.org/netpwerf/NetperfPage.html (2005-12-07)

[14] network lab: Netzwerkperformance mit NetIO messen (2005). http://www.nwlab.net/art/netio/netio.html (2005-12-07)

[15] VeriTest: NetBench (2002). http://www.veritest.com/benchmarks/netbench/default.asp (2005-12-07)

[16] hp: SIPp Welcome to SIPp (2005). http://sipp.sourceforge.net/ (2005-12-07)

[17] hp: SIPp Reference documentation v1.1 (2005). http://sipp.sourceforge.net/doc1.1/reference.html#Main+features (2005-12-07)

[18] Ethereal: Powerful Multi-Platform Analysis (2005). http://www.ethereal.com (2005-12-07)

[19] www.tcpdump.org: tcpdump/libpcap (2005). http://www.tcpdump.org/ (2005-12-07)

[20] insecure.org: What is your operating system letting others do? (2005). http://www.insecure.org/nmap/ (2005-12-07)


Chapter 4

Theory of IPv6

The Internet Protocol IP is a best-effort datagram service and the version widely used by now is 4. This version was also the first version of IP in production use and formed the basis of the current Internet. It has been described by IETF RFC 791, first published in 1981. The addressing scheme of 32 bits limits the number of addresses to 4.294.967.295, which seemed to be enough back then. Through bad address distribution and a shortsighted idea of how much the internet would grow, addresses are near exhaustion. A USA-centric view of the internet also made it possible that a single college got a bigger address range than the whole of China. There have been some approaches to this issue like tighter control by Regional Internet Registries, network renumbering, DHCP, NAT and of course the introduction of IPv6. Predictions from the year 2004 claim an address pool exhaustion for 2016 and a complete exhaustion for 2023. Although predictions in the field of computer science are always a bit vague, the need for IP addresses will additionally grow with the new market of mobile and domestic devices, which will sooner or later make it inevitable to introduce IPv6.

One huge limitation of IPv4 is the address shortage discussed above. All measures taken against this problem could not solve it as a whole without imposing other troubles. Take NAT, for example: network administrators around the world got used to having public and private addresses in their networks, translating private into public addresses and vice versa in order to reach the internet, with the disadvantage of creating a performance and application bottleneck.


Another reason for changing the protocol is to scale down the number of routing table entries in backbone routers, which is currently near 85.000 entries. With a growing network infrastructure the need for easier configuration of hosts in the network was also an issue lacking a solution when using IPv4. Because the majority of all attacks on a network come from within a company, people also demand security comprising authentication and encryption at IP level. In addition, support for QoS in production use is demanded. All these concerns are handled by IPv6.

In this chapter I will talk about the key features of IPv6 and why I think, together with countries like Japan and China or institutions like the Pentagon (switching to IPv6 in 2006), that IPv6 is the future and that we cannot overcome the difficulties we have with IPv4 by inventing more and more makeshifts.

4.1 IPv6 Addresses [1] [2]

The most obvious reason for switching to IPv6 is of course the address space. Instead of 32 bits with IPv4 we now can use 128 bits with IPv6, providing the unbelievable number of 340.282.366.920.938.463.463.374.607.431.768.211.456 possible addresses. The decision to make the address 128 bits long was made in order to provide hierarchical routing domains. An address assigned to an interface is composed of a 64-bit subnet identifier and a 64-bit interface identifier. Similar to the way the address space was allocated with IPv4, the high-order bits in IPv6 addresses define several address types as well. These high-order bits are also called the Format Prefix (FP).

Global unicast addresses      001
Link-local unicast addresses  1111 1110 10
Site-local unicast addresses  1111 1110 11
Multicast addresses           1111 1111

Above you see the high-order bits for the most important kinds of addresses. But let’s talk about the syntax of an IPv6 address first.


We already know that an IPv6 address is represented by 128 bits. IPv4 addresses consist of 32 bits with each 8 bits represented as a decimal number from 0 to 255. Doing the same with IPv6 addresses would result in 16 decimal numbers which, as we know from practical use, no one would remember. Rather than decimal numbers, the hexadecimal numbering system is used. Here you have 8 hex-numbers, each representing 16 bits. For those needing to remember addresses this has the advantage of a shorter address, and everyone else not able to read hex doesn’t need to remember them anyway, for end users will usually prefer names over addresses. The hex-numbers within an address are separated by colons and long sequences of zeros can be represented by a double colon (but only once).

FF02:30:0:0:0:0:0:5 can be represented as FF02:30::5
2001:16d8:0:0:4:0:0:1 can be represented as 2001:16d8::4:0:0:1

In the first example I simply left out the 5 zeroes and substituted them with ::. The second example is a bit more complicated, for we have two sequences of zeros that could be substituted. In these cases the first sequence of zeros is substituted and the second has to be written as usual. Otherwise you would have no chance of finding out how many zeros are left out at each double colon. To find out how many hex-zeros are represented by a double colon simply count the number of hex-blocks in the address and subtract it from 8.
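The two notation rules above (zero blocks hidden behind a single “::”, and counting them as 8 minus the blocks written out), as an added Python example that is not part of the thesis. It generalizes the text slightly: when two zero runs have the same length the first one is compressed, as in the 2001:16d8 example, but a longer run elsewhere wins (the RFC 5952 rule), and a run of a single zero block is left as it is.

```python
import re

HEX_BLOCK = re.compile(r"^[0-9a-f]{1,4}$")


def expand(addr):
    """Write an IPv6 address out as all eight 16-bit hex blocks (lowercase, leading zeros dropped).

    The number of blocks hidden behind '::' is 8 minus the number of blocks written out,
    which is exactly the counting rule given in the text."""
    addr = addr.strip().lower()
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once: %s" % addr)
    if "::" in addr:
        head, tail = addr.split("::")
        head_blocks = head.split(":") if head else []
        tail_blocks = tail.split(":") if tail else []
        hidden = 8 - len(head_blocks) - len(tail_blocks)
        if hidden < 1:
            raise ValueError("'::' must stand for at least one zero block: %s" % addr)
        blocks = head_blocks + ["0"] * hidden + tail_blocks
    else:
        blocks = addr.split(":")
    if len(blocks) != 8 or not all(HEX_BLOCK.match(b) for b in blocks):
        raise ValueError("not a valid IPv6 address: %s" % addr)
    return ":".join(b.lstrip("0") or "0" for b in blocks)


def hidden_zero_blocks(addr):
    """How many zero blocks the '::' in addr stands for (0 when there is no '::')."""
    if "::" not in addr:
        return 0
    written = [b for b in addr.split(":") if b]
    return 8 - len(written)


def compress(addr):
    """Canonical compressed form: the longest run of zero blocks becomes '::'; on a tie the
    first run wins (RFC 5952), which is the choice made in the 2001:16d8::4:0:0:1 example.
    A single zero block is never compressed."""
    blocks = expand(addr).split(":")
    best_start, best_len, run_start = -1, 0, None
    for i, block in enumerate(blocks + ["end"]):  # the sentinel closes a run at the tail
        if block == "0":
            if run_start is None:
                run_start = i
        elif run_start is not None:
            if i - run_start > best_len:  # strictly longer only, so earlier runs win ties
                best_start, best_len = run_start, i - run_start
            run_start = None
    if best_len < 2:
        return ":".join(blocks)
    head = ":".join(blocks[:best_start])
    tail = ":".join(blocks[best_start + best_len:])
    return head + "::" + tail


def is_valid(addr):
    """True when addr parses as an IPv6 address under the rules above."""
    try:
        expand(addr)
        return True
    except ValueError:
        return False
```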

There are three types of addresses used with IPv6:

• Unicast

• Multicast

• Anycast


4.1.1 Unicast IPv6 addresses

4.1.1.1 Global addresses [3]

This kind of address is identified by an FP of 001 and according to its scope can be compared to public IPv4 addresses. A global address therefore starts either with 2xxx: or 3xxx: with x representing a hex-digit. These addresses are globally reachable and routable and, because of a better structure of the address, hierarchical routing is possible. A global address is made up of a routing prefix, a subnet identifier and an interface identifier. In theory each part can have any size, but in practice the routing prefix is made up of 48 bits, the subnet ID (a number identifying the subnet within a site) of 16 bits and the remaining 64 bits are used for the interface ID.

Figure 4.1: The structure of a global address [3]

4.1.1.2 Link-local address

A link-local address is derived by stateless autoconfiguration and is identified by an FP of 1111 1110 10 or in hex: fe8x, fe9x, feax, febx with x representing a hex-digit. At the moment only fe8x is used for link-local addressing, with x usually being “0”. This address is configured in order to provide communication with neighbours, like: Anyone else here? and Anyone with a special address here (e.g. a router)? Packets with a link-local destination address are never routed. Link-local addresses are therefore only used on a particular local link, i.e. a physical network, and are used for “Neighbor Discovery” which I will describe later on. A link-local address therefore is composed of a 64-bit link-local prefix and a 64-bit interface identifier.


4.1.1.3 Site-local address

Site-local addresses are defined by an FP of 1111 1110 11 or in hex by fecx, fedx, feex or fefx with x representing a hex-digit. These addresses can be compared to the private addresses used with IPv4 such as 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. These addresses have the scope of a site or an entire organization and therefore border routers must not route traffic outside a site. Site-local addresses are not assigned automatically but either through stateful or stateless address autoconfiguration (see radvd for this issue). The structure of these addresses is very similar to a global address, for it is composed of a 48-bit fixed identifier like fec0::/48, a 16-bit site ID and a 64-bit interface ID. This implies that you can also build network routes using only site-local interfaces within the site. Remember that you can assign these addresses regardless of using global addresses as well - an IPv6-enabled interface can have several different IP addresses. If you want to know more about this kind of addressing read RFC 1918.

Note: There have been considerations on deprecating site-local addresses although they are very useful for testing purposes. See RFC 3879.

4.1.1.4 Special addresses

4.1.1.4.1 Unspecified address The unspecified address 0:0:0:0:0:0:0:0, represented by ::, is only used in the absence of an address and cannot be used as a destination address.

4.1.1.4.2 Loopback address 0:0:0:0:0:0:0:1 or short ::1 is the loopback address for an interface. Remember the IPv4 loopback address 127.0.0.1.

4.1.1.4.3 Privacy extensions When using a non-changing interface identifier in order to form an address the risk is very high that a strategically placed sniffer can find out a lot about you. Eavesdroppers and other persons or organizations interested in what you are doing may find out what you do and when you do it, which imposes huge security and privacy problems. In order to prevent that, privacy extensions (described in RFC 3041) can be generated by appending a computed identifier, made up from your MAC address and a randomly chosen number, to your prefix. This address is valid for a predefined period of time (some hours to a few days) and makes it more difficult to keep track of your online activities. Sysadmins in companies won’t like this, since it will impose problems with accounting, access lists and other address-based rules.

4.1.1.5 Compatibility addresses

In order to facilitate the transition from IPv4 to IPv6 there are several types of addresses providing coexistence of the two protocols.

4.1.1.5.1 IPv4-compatible addresses An IPv4-compatible address is written 0:0:0:0:0:0:w.x.y.z or ::w.x.y.z with the last 32 bits representing the IPv4 address. Note that this transition mechanism is no longer used. It was used by IPv6/IPv4 nodes communicating with IPv6 over an IPv4 network.

4.1.1.5.2 IPv4-mapped addresses The structure of this address is defined as 0:0:0:0:0:ffff:w.x.y.z with the last 32 bits representing the IPv4 address, and it is used for the internal representation of an IPv4-only node to an IPv6 node. It is normally used to represent IPv4 addresses to IPv6 applications. The big advantage here is that servers providing a service for both IPv4 and IPv6 only need one listening socket.

IPv4 address: 192.0.2.128
IPv4-mapped address: ::ffff:192.0.2.128 or ::ffff:c000:280

4.1.1.5.3 6over4 addresses 6over4 is a transition mechanism meant to transmit IPv6 packets between dual-stack nodes using IPv4 as a virtual data link layer on which IPv6 can be run. A host wanting to join this 6over4 network can set up a virtual IPv6 interface with a link-local address derived as follows: the unicast 64-bit prefix (fec0::/64 in this example) and the appended hexadecimal representation of the IPv4 address.

IPv4 address: 192.0.2.128
6over4 address: fec0::c000:280


Suggested further reading is RFC 2529.

Note: ISATAP is a more complex alternative to 6over4 and does not rely on IPv4 multicast.

4.1.1.5.4 6to4 addresses 6to4 addresses are used together with a special tunneling mechanism that provides unicast IPv6 connectivity between IPv6 sites across the IPv4 network. The address is made up of the following parts:

2002:wwxx:yyzz:SubnetID:InterfaceID
IPv4 address: 192.0.2.128 on site number 5
6to4 address: 2002:c000:280:5:[InterfaceID]

For sending a packet through this configuration the IPv6 packet is embedded in an IPv4 header and the protocol type of the IPv4 header is set to “41”. The destination address is retrieved from the 32 bits in the 6to4 address representing the IPv4 address.

See RFCs 3056, 2893, 3068 and 3964 for further information.

4.1.1.5.5 ISATAP addresses ISATAP is a transition mechanism transmitting IPv6 packets between dual-stack nodes on top of an IPv4 network without requiring IPv4 to support multicast. An ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) address is derived from a 64-bit unicast prefix, an appended :0:5efe: part and the IPv4 address.

ISATAP prefix for link-local: fe80:0:0:0:0:0:5efe:
IPv4 address: 192.0.2.128
ISATAP address: fe80::5efe:c000:280

ISATAP techniques can also be used together with global address prefixes. Like 6over4 and 6to4, ISATAP addresses contain the IPv4 address that can be used to derive the IPv4 destination address when tunneling the traffic through the IPv4 network.

See RFC 4214 for more details on ISATAP.
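The address forms of sections 4.1.1.5.2 to 4.1.1.5.5, built and recognised in Python as an added example (not the thesis’s own code), using the page’s 192.0.2.128 as input. `embedded_ipv4` is the defender’s view: given an address seen in a log or capture, it recovers the IPv4 tunnel endpoint hidden in a 6to4, ISATAP or IPv4-mapped address.

```python
import ipaddress


def _v4(addr):
    return int(ipaddress.IPv4Address(addr))


def ipv4_mapped(v4):
    """::ffff:w.x.y.z, the form an IPv6 socket uses to show an IPv4 peer to an application."""
    return ipaddress.IPv6Address((0xFFFF << 32) | _v4(v4))


def six_over_four(v4, prefix="fec0::/64"):
    """6over4: the 64-bit unicast prefix with the IPv4 address as the low 32 bits (RFC 2529)."""
    return ipaddress.IPv6Address(int(ipaddress.IPv6Network(prefix).network_address) | _v4(v4))


def six_to_four(v4, subnet_id=0, interface_id=0):
    """6to4: 2002:wwxx:yyzz:SubnetID:InterfaceID (RFC 3056)."""
    if not 0 <= subnet_id < 1 << 16 or not 0 <= interface_id < 1 << 64:
        raise ValueError("subnet_id must fit in 16 bits and interface_id in 64 bits")
    return ipaddress.IPv6Address((0x2002 << 112) | (_v4(v4) << 80) | (subnet_id << 64) | interface_id)


def isatap(v4, prefix="fe80::/64"):
    """ISATAP: prefix:0:5efe:wwxx:yyzz, the form described on this page (RFC 4214)."""
    base = int(ipaddress.IPv6Network(prefix).network_address)
    return ipaddress.IPv6Address(base | (0x5EFE << 32) | _v4(v4))


def embedded_ipv4(addr):
    """Classify an IPv6 address and return (kind, IPv4Address) for the IPv4 address it embeds,
    or None. 6over4 addresses are not recognised: without knowing the prefix, their low 32 bits
    cannot be told apart from an ordinary interface identifier."""
    n = int(ipaddress.IPv6Address(addr))
    low32 = n & 0xFFFFFFFF
    if n >> 32 == 0xFFFF:
        return "ipv4-mapped", ipaddress.IPv4Address(low32)
    if n >> 112 == 0x2002:
        return "6to4", ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)
    # 0000:5efe as on this page; RFC 5214 later set the u bit (0200:5efe) for globally unique IPv4
    if (n >> 32) & 0xFFFFFFFF in (0x00005EFE, 0x02005EFE):
        return "isatap", ipaddress.IPv4Address(low32)
    if n >> 32 == 0 and n not in (0, 1):  # ::w.x.y.z, but not :: or ::1
        return "ipv4-compatible (deprecated)", ipaddress.IPv4Address(low32)
    return None
```

Python’s `ipaddress.IPv6Address` already exposes `.ipv4_mapped` and `.sixtofour`; the arithmetic is spelled out above to show the bit layouts, and ISATAP has no built-in equivalent.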


4.1.1.5.6 Teredo addresses Teredo, also known as IPv4 NAT traversal for IPv6, provides a tunneling mechanism via UDP encapsulation through NAT for IPv6 traffic. Protocol 41, as set in the IPv4 header used to embed IPv6 traffic, is not a common feature of NAT, and therefore this kind of traffic might not traverse NAT. UDP packets on the other hand can be translated by most NATs and can even flow through multiple layers of NAT. The Teredo technology is only used by Windows XP and Windows 2003 and is said to be a last-resort transition technique. With more and more NATs supporting 6to4, Teredo will be used less and less until discarded. The Teredo prefix is 3ffe:831f::/32.

Further reading is RFC 3904.

4.1.1.6 Interface Identifier [4] [5]

Several addresses discussed above like the global, the link-local and the site-local address are composed of a prefix and a 64-bit Interface Identifier. Let’s take a look at how this Interface Identifier is derived. There are several ways you can set your interface identifier. You could let DHCPv6 do the work for you, you could set the addresses manually or you could as well choose the way discussed above in the chapter about privacy extensions, where the Interface ID is computed using the MAC address and a randomly chosen number. If you wish to remember some computers’ IP addresses easily you might go for the manual setting of the Interface Identifier. In my network the global addresses have been planned manually and set via DHCPv6. For site-local and link-local addresses on the other hand I chose the autoconfigured Interface Identifier to be appended to the prefix.

In those cases the Interface Identifier is set automatically to the Extended Unique Identifier (EUI)-64 address defined by IEEE. The EUI-64 is a new type of MAC address superseding the old IEEE 802 format, which was made up of the company ID (24 bit) and an extension or device ID (24 bit) making each network adapter unique. In the new IEEE EUI-64 addresses the company ID part stays 24 bits long but the extension ID is extended to 40 bits. But let’s take a closer look at how an EUI-64 address is derived.

Figure 4.2: How to derive the IPv6 interface identifier from the IEEE 802 address [6]

Let’s start in the first line with the IEEE 802 address, or simply the MAC address as we know it. The shaded part is the 24-bit company ID and the white part is the 24-bit extension ID that is distributed within the company. The two bits within the company ID written “00” instead of the c’s are the Universal/Local (U/L) and the Individual/Group (I/G) bits. When Individual/Group is set to 0 the address is unicast, otherwise multicast is denoted. More important for our needs is the Universal/Local bit, for it defines whether the address is universally administered (“0”) or locally (“1”).

In order to get to the next step, the creation of an EUI-64 address, 16 bits have to be added between company and extension ID. Here we find a little inconsistency with the specification made by IEEE. Usually you create an EUI-64 address out of an IEEE 802 (also called MAC-48) address by appending FF-FF to the company ID, but in order to derive the Interface ID used by IPv6 you have to append FF-FE or 11111111 11111110 instead. The last step in the creation of the Interface Identifier used by IPv6 is to complement the Universal/Local bit in the company ID (seventh bit in the first byte), i.e. changing it from zero to one or vice versa.


4.1.2 Multicast IPv6 addresses

With IPv6 the “bulk” addressing methods have changed and the good old broadcast has been dropped. Instead the use of multicast has been extended. Each multicast address starts with the first 8 bits set to 1, thus an address starting with FF is always a multicast address. The structure of the multicast address is as follows:

Figure 4.3: structure of an IPv6 multicast address [7]

The only flag defined in the “Flags” section is the Transient flag (T). Whenset to 0 it indicates that the address is permanently assigned, when set to 1it is a transient (non-permanent) address. The Scope ID indicates the scopeof the IPv6 network for which the multicast traffic is intended.

Figure 4.4: Scope ID values [7]

The Group ID identifies the multicast group and is unique within thescope. The following addresses are defined:


FF01::1 node-local scope all-nodes multicast address
FF02::1 link-local scope all-nodes multicast address
FF01::2 node-local scope all-routers multicast address
FF02::2 link-local scope all-routers multicast address
FF05::2 site-local scope all-routers multicast address

Solicited-node multicast address

In addition to the multicast addresses each unicast address also has a special multicast address called its solicited-node address, created through a special mapping of the unicast address. These addresses are used by the Neighbor Discovery protocol to provide efficient address resolution. Instead of using a link-local all-nodes multicast message to resolve the link-layer address of a host, the corresponding solicited-node multicast address of the host in question is used. Since a host not only listens on its unicast address but also on its solicited-node multicast address, it replies with a unicast neighbor advertisement message. Therefore no other nodes on the network are disturbed.

Figure 4.5: How a solicited-node multicast address is derived [7]

FF02 is the prefix for link-local multicast traffic. To the address part “FF02:0:0:0:0:1:FF” simply the last 24 bits of the unicast address the solicited-node address is calculated from are appended.
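The interface identifier derivation from the MAC address (section 4.1.1.6) and the solicited-node mapping just described, as one added Python example that is not code from the thesis; the MAC address 00:11:22:33:44:55 in the test is a constructed sample. The last function reverses the construction, which is the practical side of the privacy concern in 4.1.1.4.3: an EUI-64 based address reveals the hardware address it was built from.

```python
import ipaddress


def parse_mac(mac):
    """Accept 00:11:22:33:44:55 or 00-11-22-33-44-55 and return the six raw octets."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit IEEE 802 address: %s" % mac)
    return octets


def interface_identifier(mac):
    """Modified EUI-64 interface identifier: split the MAC after the 24-bit company ID,
    insert ff:fe (not ff:ff as a plain EUI-64 would), and complement the Universal/Local bit,
    which is the second-lowest bit of the first octet (mask 0x02)."""
    octets = parse_mac(mac)
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def link_local_address(mac):
    """fe80::/64 plus the 64-bit interface identifier, as stateless autoconfiguration does."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + interface_identifier(mac))


def solicited_node_address(addr):
    """ff02::1:ff00:0/104 with the last 24 bits of the unicast address appended; this is the
    destination of the Neighbor Solicitation sent for addr, including the one sent while the
    address is still tentative."""
    unicast = ipaddress.IPv6Address(addr)
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | (int(unicast) & 0xFFFFFF))


def mac_from_address(addr):
    """Reverse the EUI-64 construction: return the MAC behind addr, or None when the interface
    identifier was not derived from a MAC (e.g. a manually set or privacy-extension address).
    The ff:fe marker is a strong hint, not a proof; a chosen identifier could contain it too."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the Universal/Local complement
    return ":".join("%02x" % b for b in bytes([first]) + iid[1:3] + iid[5:])
```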


4.1.3 Anycast IPv6 addresses

Anycast addresses are new to the IP protocol and are based on RFC 1546. Anycasting is a conceptual cross between unicast and multicast addressing and is intended to send messages to any one host of a group instead of sending to one host (unicast) or every host (multicast). Which member of the group receives the message is decided in routing terms. This technique enables possibilities not implemented with IPv4 and is intended for use with several servers or routers running a service when you don’t really care which of them provides it. This can as well be used for load sharing and is helpful if one of your routers goes out of service.

Instead of having an addressing scheme of their own, anycast addresses are simply displayed as unicast and are identified automatically the moment a unicast address is assigned to more than one interface. Anycast addresses that are set across a huge network are hard to implement because of the routing entries that have to be made. Nowadays, due to the inexperience of the Internet community, anycast is only used by routers but not by hosts.

4.1.4 Addresses set on an IPv6 enabled host

On a host with IPv6 enabled there are, in contrast to IPv4 where you only had one address assigned to an interface, several addresses configured:

• a link-local address derived automatically

• the loopback-address ::1 derived automatically

• an optional site-local address defined manually or by using radvd

• one or more optional global addresses defined either manually or by using radvd or DHCP

In addition to these addresses an IPv6 node listens to the following addresses:

• FF01::1 - node-local scope all-nodes multicast address

• FF02::1 - link-local scope all-nodes multicast address


• solicited node addresses for each unicast address set

• multicast addresses of joined groups

In the list above I left out the special transition techniques set automatically when using Windows (e.g. ISATAP, Teredo, ...).

In contrast to a host, routers may have joined anycast groups on which they have to listen as well, and they are configured with more multicast addresses (FF01::2, FF02::2 and FF05::2) for all-routers multicasts.

4.1.5 Address Autoconfiguration Process

As mentioned before, one of the biggest advantages of IPv6 is the ability to configure itself. By default a host can configure a link-local address automatically, and when using router discovery additional parameters, default routes and multiple addresses can also be derived. There are two types of autoconfiguration: stateful and stateless. Stateful address autoconfiguration relies on a stateful aut configuration protocol such as DHCPv6. In contrast to stateful configuration, stateless configuration receives the address via Router Advertisements with the Managed Address Configuration and Other Stateful Configuration flags set to zero.

Below you can see the detailed autoconfiguration process, starting with the derivation of the link-local address and the verification of its uniqueness. This is done by sending a Neighbor Solicitation with the target address of the tentative link-local address (FE80::/64 and the EUI-64). Tentative means that the address is in the process of being verified as unique. In this state the host cannot receive unicast messages targeted to this address but is still able to listen to multicast Neighbor Advertisement messages sent in response to the Neighbor Solicitation. If no Neighbor Advertisement is received the link-local address is initialized and set valid.

The next step is to send a Router Solicitation, and if a Router Advertisement is received the options provided are processed. If no prefix information is supplied and Managed Address Configuration and Other Stateful Configuration are set to 1, stateful address configuration is used and the autoconfiguration process is stopped. If prefix information is supplied, stateless addresses are derived and, if no Neighbor Advertisement response is received, the new address is initialized.

Figure 4.6: Address autoconfiguration [1] (Picture 8-2)

Figure 4.7: Address autoconfiguration [1] (Picture 8-3)

Figure 4.8: Lifetime of an autoconfigured address [8]

A node can only receive traffic when its state is preferred or deprecated; a tentative or an invalid address cannot be used as the destination of traffic. You can find out more about autoconfiguration of interfaces in RFC 2462.

Note: I left out special technologies used by default by Microsoft in the configuration process (e.g. ISATAP, Teredo, ...).

4.1.6 DHCPv6 [9]

Instead of using stateless autoconfiguration, as discussed above, you can also use stateful autoconfiguration in order to obtain parameters and/or IP addresses. One prominent way of stateful autoconfiguration is DHCP, which has also been updated for use with IPv6. Although the operations used by DHCPv6 are pretty much the same as with DHCPv4, the underlying protocol has been rewritten (DHCPv6 is not based on the old DHCP or on BOOTP). It still uses UDP but has new port numbers, a new message format and restructured options. Link-local based communication is enabled for DHCPv6, making stateful autoconfiguration possible before an IP address has been derived. The destination address set by the client is a reserved, link-scoped multicast address. There are two different sets of messages exchanged when retrieving information.

If only parameter information (e.g. the DNS server address) has to be exchanged and the host doesn't need an IP address to be assigned by DHCPv6, the client-server exchange involves two messages. The client sends an Information-Request message to the All_DHCP_Relay_Agents_and_Servers multicast address and immediately receives a Reply from the server.

In order to request the assignment of an IP address and parameter information, first a DHCPv6 server is located: the client sends a Solicit message to the All_DHCP_Relay_Agents_and_Servers multicast address. A server meeting the requirements responds with an Advertise message. Then the client can choose which server to use and sends a Request message asking for confirmation of the address and other configuration information. The last step is the server answering with a Reply message containing the confirmed address and configuration.

After an address has been used for a specific time it has to be renewed. This is done by the client sending a Renew message to the server, which in turn answers with a Reply containing the new lifetime value.

4.2 IPv6 Header

Now that we have learned which addresses are configured on a host running IPv6, it is also important to find out what has changed in the IPv6 header. As I don't want to write another essay about header formats, I will try to keep this chapter as short as possible.

Because of the longer IP address used by IPv6, the structure of the header needed to be redesigned in order to allow efficient data transfer and to clean the header of the unnecessary and unused fields we had with IPv4. An IPv4 header has a length between 20 and 60 bytes, which is pretty long regarding the very short address. An IPv6 packet is made up of a 40 byte IPv6 header, one or more extension headers if needed, and the data.

The Version field indicates the version of the IP protocol used, and the Traffic Class replaces the Type Of Service field from IPv4 and uses the new Differentiated Services (DS) method defined in RFC 2474. The next field, the Flow Label, provides additional support for Quality Of Service features and indicates whether a packet belongs to a specific sequence of packets requiring special handling (e.g. video streaming). The Payload Length replaces the "Total Length" field from IPv4 and comprises the extension headers, if present, and the upper-layer PDU. The Next Header field is a replacement for the Protocol field and either indicates the presence of the first extension header or, if there is no extension header, is set to the protocol of the upper-layer PDU (e.g. TCP, UDP, ICMP). The Hop Limit is similar to the TTL field and indicates the maximum number of links a packet is allowed to traverse. Last but not least, the source and destination addresses are appended.

Figure 4.9: IPv6 Header [10]

The Next Header field is said to be the most important innovation to the IP header, for it allows a modular use of headers when needed. The Next Header field in the IPv6 header indicates whether there is an extension header or not, and in turn each extension header has a Next Header field as well, pointing to the next extension header if present. If no extension header follows, the Next Header field simply points to the protocol of the upper-layer PDU again. The following extension headers are available (in the same order as they are used; the Next Header value indicating the extension header is given in brackets):

• Hop-by-Hop Options Header (0) - defines options that are intended to be examined by all devices during transmission (RFC 2460)

• Destination Options Header (60) (for intermediate destinations when the Routing header is present) - defines options that are intended to be examined by all devices during transmission (RFC 2460)

• Routing Header (43) - allows the source device to set a route for the datagram within the header (RFC 2460)

• Fragment Header (44) - set if the datagram contains only a fragment of the original message (RFC 2460)

• Authentication Header (51) - information to verify the authentication of a packet (RFC 2402)

• Encapsulating Security Payload Header, ESP (50) - holds information on the encryption of the packet (RFC 2406)

• Destination Options Header - for the final destination

Figure 4.10: IPv6 datagram without and with extension headers [11]

The first datagram only consists of the IPv6 header with a Next Header field set to 6, indicating TCP traffic. The second datagram has the Next Header field of the IPv6 header set to 0, which is the Hop-by-Hop Options Header. Within the Hop-by-Hop Options header the succeeding extension header, in this case the Fragment Header, is defined by setting its Next Header field to 44. In the last extension header the Next Header field is set to 6, referring to TCP traffic again.
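The two datagrams of Figure 4.10, built and parsed by an added example (not code from the thesis). It constructs both datagrams from sample values (documentation-prefix addresses, a zeroed placeholder TCP segment, a made-up fragment identification), decodes the fixed 40-byte header and follows the Next Header chain through the Hop-by-Hop and Fragment headers using the length rule of each extension header type. A parser that trusts the Payload Length field reads past the end of a short packet, so the walk refuses a Payload Length that exceeds the bytes present and stops at ESP, whose contents are encrypted.

```python
import struct
from ipaddress import IPv6Address

EXTENSION_HEADERS = {
    0: "Hop-by-Hop Options", 43: "Routing", 44: "Fragment",
    50: "Encapsulating Security Payload", 51: "Authentication", 60: "Destination Options",
}
UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6"}


def parse_ipv6_header(pkt: bytes) -> dict:
    """Decode the fixed 40-byte IPv6 header."""
    if len(pkt) < 40:
        raise ValueError("packet shorter than the IPv6 header")
    first, payload_length, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    version = first >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 packet (version {version})")
    return {
        "version": version,
        "traffic_class": (first >> 20) & 0xFF,
        "flow_label": first & 0xFFFFF,
        "payload_length": payload_length,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": IPv6Address(pkt[8:24]),
        "dst": IPv6Address(pkt[24:40]),
    }


def walk_header_chain(pkt: bytes):
    """Follow the Next Header chain: returns (ipv6_header, [extension headers], upper_layer).

    Each extension header is (next_header_value, name, offset); upper_layer is
    (protocol, name, offset), or None when the chain ends in ESP.
    """
    hdr = parse_ipv6_header(pkt)
    end = 40 + hdr["payload_length"]
    if end > len(pkt):
        raise ValueError("Payload Length exceeds the bytes actually present")
    chain, nh, offset = [], hdr["next_header"], 40
    while nh in EXTENSION_HEADERS:
        chain.append((nh, EXTENSION_HEADERS[nh], offset))
        if nh == 50:                     # ESP: everything after this is encrypted
            return hdr, chain, None
        if offset + 8 > end:
            raise ValueError("truncated extension header")
        next_nh, ext_len = pkt[offset], pkt[offset + 1]
        if nh == 44:                     # Fragment header is always 8 bytes
            length = 8
        elif nh == 51:                   # AH length in 4-byte units, not counting the first two
            length = (ext_len + 2) * 4
        else:                            # options/routing: 8-byte units, not counting the first eight
            length = (ext_len + 1) * 8
        offset += length
        nh = next_nh
    if offset > end:
        raise ValueError("extension header runs past the payload")
    return hdr, chain, (nh, UPPER_LAYER.get(nh, "unknown"), offset)


def build_sample_datagrams():
    """The two datagrams of Figure 4.10, constructed for this example.

    Addresses use the documentation prefix; the TCP segment is a zeroed placeholder.
    """
    src = IPv6Address("2001:db8::1").packed
    dst = IPv6Address("2001:db8::2").packed
    tcp = b"\x00" * 20
    plain = struct.pack("!IHBB", 6 << 28, len(tcp), 6, 64) + src + dst + tcp
    # Hop-by-Hop header: Next Header 44, Hdr Ext Len 0 (= 8 bytes), one PadN option
    hop_by_hop = bytes([44, 0, 1, 4, 0, 0, 0, 0])
    # Fragment header: Next Header 6, reserved, offset/M flag 0, identification
    fragment = struct.pack("!BBHI", 6, 0, 0, 0x1234ABCD)
    body = hop_by_hop + fragment + tcp
    with_ext = struct.pack("!IHBB", 6 << 28, len(body), 0, 64) + src + dst + body
    return plain, with_ext
```

Running `walk_header_chain` on the second datagram yields the chain Hop-by-Hop (offset 40), Fragment (offset 48) and the TCP segment at offset 56, exactly the sequence 0, 44, 6 the text describes.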

The minimum MTU required by IPv6 is 1280 bytes, forcing links that do not supply that much to fragment the packet transparently to IPv6. If a link has a configurable MTU size it is recommended to set it to at least 1500 bytes. IPv6 also provides a Path MTU Discovery process in order to find out the PMTU (Path Maximum Transmission Unit), which is the smallest link MTU supported on a specific path. The PMTU is derived by the sending node by assuming that the PMTU to the destination is the link MTU of the interface the packet is sent on, and simply testing this by sending a packet of this size. If a router on the way to the destination is not able to forward the packet, it responds with an ICMPv6 Packet Too Big message containing the link MTU of the router. The sending node can then set the PMTU to the link MTU received from the router and retry transmitting the packet.
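The Path MTU Discovery process just described, simulated by an added example (not part of the thesis). The path is a constructed list of link MTUs and the PacketTooBig exception stands in for the ICMPv6 message; the sender starts at its interface MTU and shrinks to every reported link MTU until a packet gets through. Two practitioner's checks are built in: the estimate is never lowered below 1280 bytes, which RFC 1981 requires, and a report that would not shrink the MTU is rejected, because a sender that believed it would retransmit the same packet forever.

```python
IPV6_MINIMUM_MTU = 1280


class PacketTooBig(Exception):
    """Stands in for the ICMPv6 Packet Too Big message (Type 2, Code 0); it
    carries the link MTU of the router that could not forward the packet."""

    def __init__(self, link_mtu: int):
        super().__init__(f"Packet Too Big, link MTU {link_mtu}")
        self.link_mtu = link_mtu


def forward_along_path(link_mtus, packet_size):
    """Constructed path model: every link carries at least 1280 bytes (a smaller
    link fragments below IPv6); a larger packet is rejected by the first router
    whose link is too small, which reports that link's MTU."""
    for link_mtu in link_mtus:
        if packet_size > max(link_mtu, IPV6_MINIMUM_MTU):
            raise PacketTooBig(link_mtu)
    return True


def discover_pmtu(link_mtus, interface_mtu, max_rounds=32):
    """Start with the outgoing interface MTU and shrink it to every reported
    link MTU until a packet of that size gets through.
    Returns (pmtu, number of packets sent)."""
    pmtu = interface_mtu
    for attempt in range(1, max_rounds + 1):
        try:
            forward_along_path(link_mtus, pmtu)
            return pmtu, attempt
        except PacketTooBig as too_big:
            reported = too_big.link_mtu
            if reported >= pmtu:
                # A report that does not shrink the estimate would loop forever.
                raise ValueError(f"inconsistent Packet Too Big: {reported} >= {pmtu}")
            # IPv6 never goes below its minimum link MTU (RFC 1981).
            pmtu = max(reported, IPV6_MINIMUM_MTU)
    raise RuntimeError("path MTU discovery did not converge")


if __name__ == "__main__":
    # constructed path: 1500 -> 1480 -> 1400 -> 1500, sender interface MTU 1500
    print(discover_pmtu([1500, 1480, 1400, 1500], 1500))
```

The number of rounds equals the number of distinct shrinking steps on the path, which is why a firewall that drops all ICMPv6 breaks large transfers: without the Packet Too Big reports the sender keeps the first, too large, estimate.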

Current TCP, UDP and ICMP implementations for IPv4 include a pseudo-header in their checksum. This pseudo-header contains the source and destination addresses as well and therefore needs to be modified for IPv6 (simply exchange the addresses). The new pseudo-header must be used by TCP, UDP and ICMPv6 and includes, besides the addresses mentioned, a field containing the upper-layer packet length and a Next Header field indicating the upper-layer protocol for which the checksum has been calculated.

Note: Any transport or other upper-layer protocol that includes the source and destination addresses from the IP header in its checksum computation must be modified for use with IPv6 in order to include the 128-bit addresses. Therefore the so-called pseudo-header has to be modified. (RFC 2460)

4.3 ICMPv6

As IP itself is designed to provide only the basic functionality of transmitting packets, there is not even a mechanism to report errors back. This task is handled instead by the Internet Control Message Protocol version 6 (ICMPv6), which is pretty similar to the ICMPv4 used with IPv4. Besides reporting delivery and forwarding errors and providing an echo service, ICMPv6 is enhanced by Neighbor Discovery (used for node-to-node communication; see next section) and Multicast Listener Discovery (a protocol similar to IGMP, the Internet Group Management Protocol). Multicast Listener Discovery (MLD) is a set of three messages exchanged by routers and hosts by which routers can discover a list of multicast addresses for which there is at least one listener (RFC 2710). MLD will be described in this chapter in more detail.

An ICMP header is composed of a Type field, the Code field specifying the type of message, the checksum and the message body. ICMPv6 messages can be divided into two big groups: ICMPv6 Error messages and ICMPv6 Informational messages.

4.3.1 ICMPv6 Error messages

Note: ICMPv6 Error messages are not sent for every error encountered but rather have to satisfy a rate limit, which can be set based on a timer or a percentage of bandwidth.

4.3.1.1 Destination Unreachable (ICMPv6 Type 1)

A Destination Unreachable message is sent when a packet cannot be forwarded to a destination node or an upper-layer protocol and has "1" set in the Type field of its ICMP header.

Code Field Value                                  Description
0 - No Route to Destination                       No route matching the destination found in the routing table
1 - Communication with Destination                Communication is prohibited by administrative policy;
    Administratively Prohibited                   typically discarded by a firewall
3 - Address Unreachable                           Usually when the link-layer address could not be resolved
4 - Port Unreachable                              Typically sent when an IPv6 packet containing UDP arrived
                                                  at a host with no listener on the given port

Note: Code Field Value 2 is, according to RFC 2463, unassigned. In the book "Understanding IPv6" [1] the Code Field Value 2 is defined as: Beyond scope of source address - Sent when a packet is forwarded using an interface that is not in the scoped zone of the source address (although it also references RFC 2463)!!

4.3.1.2 Packet Too Big (ICMPv6 Type 2)

In the header of a Packet Too Big message the Type is set to 2, the Code to 0, and following the checksum field there is a new header field called MTU storing the link MTU of the host sending the ICMP message. Note that this is discussed in the "IPv6 Header" part of this chapter.

4.3.1.3 Time Exceeded (ICMPv6 Type 3)

The Time Exceeded message is usually sent when the Hop Limit field becomes zero after being decremented during forwarding. The Type is set to 3 and the Code value can be either "0" - Hop Limit Exceeded in Transit or "1" - Fragment Reassembly Time Exceeded, indicating that the fragment reassembly time expired at the destination host.

4.3.1.4 Parameter Problem (ICMPv6 Type 4)

A Parameter Problem ICMP message is sent when there's an error either in the header or in one of the extension headers preventing IPv6 from performing additional processing. The Parameter Problem message also has a modified header: a "Pointer" field is added after the checksum, which is an offset pointing to the byte in the packet where the error occurred. The Type field is set to 4 and the Code can be set to the following values:

Code Field Value                                  Description
0 - Erroneous Header Field Encountered            An error in a field within one of the headers was encountered
1 - Unrecognized Next Header Type Encountered     An unrecognized Next Header value was encountered
2 - Unrecognized IPv6 Option Encountered          An unrecognized IPv6 option was encountered

4.3.2 ICMPv6 Informational messages

Informational ICMPv6 messages comprise the troubleshooting all-star commands: Echo Request and Echo Reply. An Echo Request is sent in order to solicit an Echo Reply message. This simple technique verifies basic connectivity between two nodes. The Type field in an Echo Request is set to 128 and in an Echo Reply to 129. In both cases the Code field is set to zero. In addition to the usual structure of an ICMPv6 message, both Echo Request and Reply carry two fields called Identifier and Sequence Number after the checksum field, in order to match incoming Request and Reply messages in a host. Both fields are set by the sender.
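The pseudo-header checksum of section 4.2 and the Echo Request/Reply exchange of this section, in one added example (not the thesis's code). It builds the RFC 2460 pseudo-header, computes the one's complement checksum an ICMPv6 (or UDP/TCP) payload carries, verifies it on receipt, and builds an Echo Request and the matching Echo Reply with the same Identifier and Sequence Number. The link-local addresses and the identifier value are constructed sample values. The verification shows why the addresses belong in the checksum: a message whose source address was altered in transit no longer verifies at the receiver.

```python
import struct
from ipaddress import IPv6Address

ICMPV6 = 58                         # Next Header value of ICMPv6
ECHO_REQUEST, ECHO_REPLY = 128, 129


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry; odd lengths are zero padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv6_pseudo_header(src, dst, upper_layer_length: int, next_header: int) -> bytes:
    """RFC 2460 pseudo-header: 128-bit source and destination addresses, the
    upper-layer packet length (32 bits), three zero bytes and the Next Header value."""
    return (IPv6Address(src).packed + IPv6Address(dst).packed
            + struct.pack("!I3xB", upper_layer_length, next_header))


def upper_layer_checksum(src, dst, next_header: int, payload: bytes) -> int:
    """Checksum for a payload whose own checksum field is still zero."""
    total = ones_complement_sum(ipv6_pseudo_header(src, dst, len(payload), next_header) + payload)
    return (~total) & 0xFFFF


def checksum_is_valid(src, dst, next_header: int, payload: bytes) -> bool:
    """Summing a received payload including its checksum field must give 0xFFFF."""
    total = ones_complement_sum(ipv6_pseudo_header(src, dst, len(payload), next_header) + payload)
    return total == 0xFFFF


def build_echo(src, dst, msg_type: int, identifier: int, sequence: int, data: bytes = b"") -> bytes:
    """ICMPv6 Echo: Type, Code 0, Checksum, Identifier, Sequence Number, data."""
    body = struct.pack("!BBHHH", msg_type, 0, 0, identifier, sequence) + data
    checksum = upper_layer_checksum(src, dst, ICMPV6, body)
    return body[:2] + struct.pack("!H", checksum) + body[4:]


def parse_echo(msg: bytes) -> dict:
    msg_type, code, checksum, identifier, sequence = struct.unpack("!BBHHH", msg[:8])
    return {"type": msg_type, "code": code, "checksum": checksum,
            "identifier": identifier, "sequence": sequence, "data": msg[8:]}


def echo_reply_for(request: bytes, request_src, request_dst) -> bytes:
    """The reply a host returns: Type 129, same Identifier, Sequence Number and
    data, addresses swapped, hence a freshly computed checksum."""
    fields = parse_echo(request)
    if fields["type"] != ECHO_REQUEST or fields["code"] != 0:
        raise ValueError("not an Echo Request")
    return build_echo(request_dst, request_src, ECHO_REPLY,
                      fields["identifier"], fields["sequence"], fields["data"])


if __name__ == "__main__":
    # constructed link-local addresses and identifier
    req = build_echo("fe80::1", "fe80::2", ECHO_REQUEST, 0x1234, 1, b"ping")
    print(parse_echo(req), checksum_is_valid("fe80::1", "fe80::2", ICMPV6, req))
```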

4.3.3 Multicast Listener Discovery [12]

One special kind of ICMPv6 messages are those subsumed under "Multicast Listener Discovery" or MLD. These are used by routers in order to discover listeners for multicast groups and to keep track of all multicast groups currently in use on each interface.

MLD is a sub-protocol of ICMPv6 and is identified by the Next Header value 58. All MLD messages are sent with a link-local source address, a Hop Limit set to "1" and an IPv6 Router Alert option in the Hop-by-Hop Options header (this causes routers to examine MLD messages sent to multicast addresses in which the routers themselves have no interest). The header of an MLD message consists of the Type, Code and Checksum fields, as with usual ICMPv6, and the additional fields Maximum Response Delay, Reserved and Multicast Address. The three different types of messages are:

4.3.3.1 Multicast Listener Query (ICMPv6 Type 130)

This message is used in order to find out details about multicast group membership on this link. There are two types of Multicast Listener Queries, which can be distinguished by the Destination Address set in the IPv6 header and the Multicast Address set in the Multicast Listener Query message. The first one is the "General Query", sent unsolicited and periodically with the Destination Address set to the link-local all-nodes multicast address (FF02::1) and the Multicast Address set to the unspecified address (::). The other type of Multicast Listener Query message is the multicast-address-specific query, querying all hosts on a subnet belonging to a specific multicast group. This time both the Destination Address and the Multicast Address are set to the specific multicast address that is being queried. The "Maximum Response Delay" is the time within which a multicast group member must report its membership.

4.3.3.2 Multicast Listener Report (ICMPv6 Type 131)

This message is used by a node on a link either to respond to a Multicast Listener Query or to report its interest in receiving multicast traffic at a specific multicast address. The Destination Address and Multicast Address fields are both set to the multicast address being reported.

4.3.3.3 Multicast Listener Done (ICMPv6 Type 132)

The Multicast Listener Done message is used to inform the routers that there might be no more listeners for a specific multicast address on a link, because the sending node announces with this message that it leaves the multicast group. A Multicast Listener Done message is sent when the group member that responded to the last Multicast Listener Query wants to leave the multicast group. As this host might not really be the last multicast member on the link (and routers, as mentioned above, do not keep track of how many listeners are found on a link for a specific multicast group), a local router has to immediately send a multicast-address-specific query for the specific multicast group in order to find members still listening on the link. The Destination Address of a Multicast Listener Done message is set to the link-local scope all-routers multicast address (FF02::2) and the Multicast Address to the multicast address used by the multicast group for which there might be no more listeners on the link.

Please see RFC 2710 for more details on the Multicast Listener Discovery.
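The Query/Report/Done interplay of this section, as an added example that models a router's listener state (not code from the thesis). The router only records which groups have a listener per interface, never how many, so a Done cannot simply remove the group: it triggers a multicast-address-specific Query, the group keeps being forwarded during the Maximum Response Delay, and it is dropped only if no Report arrives in time. Messages are plain dictionaries carrying the fields the text names; the timer values are the RFC 2710 defaults and the interface names and group address are constructed.

```python
ALL_NODES, ALL_ROUTERS, UNSPECIFIED = "ff02::1", "ff02::2", "::"
MLD_QUERY, MLD_REPORT, MLD_DONE = 130, 131, 132


def mld_message(msg_type, destination, multicast_address, max_response_delay_ms=0):
    """Common shape of the three MLD messages: link-local source (implied), Hop
    Limit 1, Router Alert option, Maximum Response Delay and Multicast Address."""
    return {"type": msg_type, "code": 0, "dst": destination, "hop_limit": 1,
            "router_alert": True, "max_response_delay": max_response_delay_ms,
            "multicast_address": multicast_address}


class MldRouter:
    """Listener state a router keeps per interface: only *which* groups have a
    listener, never how many listeners there are (constructed model, times in ms)."""

    def __init__(self, query_interval_ms=125_000, max_response_delay_ms=10_000, robustness=2):
        self.max_response_delay = max_response_delay_ms
        # a group expires when no Report has arrived for robustness * query interval + delay
        self.listener_timeout = robustness * query_interval_ms + max_response_delay_ms
        self.groups = {}        # interface -> {multicast address: expiry time}
        self.pending = {}       # (interface, group) -> deadline of a specific query after a Done
        self.sent = []          # (interface, message) log of what the router sent

    def general_query(self, interface):
        self.sent.append((interface, mld_message(MLD_QUERY, ALL_NODES, UNSPECIFIED,
                                                 self.max_response_delay)))

    def receive(self, interface, msg, now):
        group = msg["multicast_address"]
        if msg["type"] == MLD_REPORT:
            # Any Report refreshes the group and cancels a pending "last listener?" check.
            self.groups.setdefault(interface, {})[group] = now + self.listener_timeout
            self.pending.pop((interface, group), None)
        elif msg["type"] == MLD_DONE and group in self.groups.get(interface, {}):
            # Maybe the last listener left: ask the group itself, keep forwarding meanwhile.
            self.sent.append((interface, mld_message(MLD_QUERY, group, group,
                                                     self.max_response_delay)))
            self.pending[(interface, group)] = now + self.max_response_delay

    def tick(self, now):
        """Drop groups whose specific query got no Report, and groups that went stale."""
        for key, deadline in list(self.pending.items()):
            if now >= deadline:
                interface, group = key
                self.groups.get(interface, {}).pop(group, None)
                del self.pending[key]
        for table in self.groups.values():
            for group in [g for g, expiry in table.items() if now >= expiry]:
                del table[group]

    def forwards(self, interface, group):
        """Would multicast traffic for this group be forwarded onto the interface?"""
        return group in self.groups.get(interface, {})
```

Because Reports and Done messages carry no authentication, any node on the link can make a router forward a group or, with a forged Done, trigger the specific query; the query-before-removal rule is what keeps the forged Done from silently cutting off other listeners.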

4.4 Neighbor Discovery [23]

The Neighbor Discovery protocol, or ND for short, is one of the biggest new inventions in IPv6, for it replaces ARP, ICMP Router Discovery and the ICMP Redirect message and in addition provides techniques IPv4 was not capable of. It is used by nodes to determine link-local addresses of other nodes and changes of these, to find routers willing to forward their traffic, and to keep track of which neighbors are reachable.

4.4.1 Neighbor Discovery messages

Neighbor Discovery messages use the structure of an ICMPv6 message and append a Neighbor Discovery message header and zero or more Neighbor Discovery message options to it. There are several types of Neighbor Discovery options, all formatted in type-length-value (TLV) format (i.e. the option header consists of these fields):

• Source Link-Layer Address (Type 1) - indicates the link-layer address of the ND message sender and is not included if the source link-layer address is the unspecified address; value = link-layer address

• Target Link-Layer Address (Type 2) - indicates the link-layer address of the neighboring node to which packets should be directed; value = link-layer address

• Prefix Information (Type 3) - indicates both address prefixes and information about address autoconfiguration. There can be several Prefix Information options indicating multiple prefixes. The structure of this option is more complicated and comprises several fields: Prefix Length, On-link Flag (indicating that an address using the provided prefix is available on the interface the message was received on), Autonomous Flag (triggers stateless address configuration), Router Address Flag (for mobile nodes to discover global addresses), Site Prefix Flag (indicates that the site prefix received can be used to update the host-based site prefix table), Reserved1, Valid Lifetime (in seconds), Preferred Lifetime (in seconds), Reserved2, Site Prefix Length and Prefix.

• Redirected Header (Type 4) - specifies the IPv6 packet that caused the router to send a Redirect message. It can contain the whole message or only part of the message causing the trouble.

• MTU (Type 5) - used in Router Advertisements in order to define the MTU of an unknown link.

• Advertisement Interval (Type 6) - specifies the interval (maximum time in milliseconds) between consecutive unsolicited Router Advertisements

• Home Agent Information (Type 7) - sent by a home agent to specify its configuration

• Route Information (Type 8) - specifies routes for individual hosts. It again consists of several interesting fields like Prefix Length, Preference (of the route), Route Lifetime (in seconds) and the Prefix.

To ensure that ND messages have originated from a node on the link, the Hop Limit is set to 255 (with a Hop Limit of 255 no router could have forwarded this message). The following ND message types exist:

4.4.1.1 Router Solicitation (ICMPv6 Type 133)

The Router Solicitation message is sent by a host, e.g. when it comes up, in order to immediately get a solicited Router Advertisement in response instead of waiting for the next unsolicited Router Advertisement. The Source Address field is set to either the link-local address or the unspecified address (::), the Destination Address is set to the link-local all-routers multicast address (FF02::2) and the Hop Limit is set to 255.

4.4.1.2 Router Advertisement (ICMPv6 Type 134)

Router Advertisements are sent either pseudo-periodically or on receipt of a Router Solicitation. The Destination Address field is set either to the link-local scope all-nodes multicast address (FF02::1) or to the unicast IPv6 address of the host that sent the Router Solicitation. The fields within a Router Advertisement are:

• Type - 134

• Code - 0

• Checksum

• Current Hop Limit - defines the default Hop Limit for packets sent by nodes that received this Router Advertisement

• Managed Address Configuration Flag - if set, the receiving host must use a stateful address configuration protocol (e.g. DHCPv6) to obtain additional addresses

• Other Stateful Configuration Flag - if set, the receiving host must use a stateful address configuration protocol (e.g. DHCPv6) to obtain non-address configuration

• Home Agent Flag - if set, the advertising router is also a home agent

• Default Router Preference - indicates the level of preference for the route received. As you can have multiple routers on a link, you can set different preference levels. Valid values are 01 (High), 00 (Medium) and 11 (Low). This technique is useful for fault tolerance reasons.

• Reserved

• Router Lifetime - defines how long a router is a default router (in seconds). 0 indicates that it is not a default router.

• Reachable Time - defines how long a node can consider a neighbor reachable after receiving a reachability confirmation

• Retransmission Timer - amount of time between retransmissions of Neighbor Solicitation messages during neighbor unreachability detection

• Source Link-Layer Address option - if present, contains the link-layer address of the interface on which the Router Advertisement was sent

• MTU option - if present, contains the MTU of the link

• Prefix Information options - when present, contain on-link prefixes

• Advertisement Interval option - when present, contains the interval of unsolicited Router Advertisement messages

• Home Agent Information option - when present, contains information on the home agent

• Route Information options - when present, contain routes to add to the routing table of the host
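The Router Advertisement layout and the TLV options of section 4.4.1, as an added example (not the thesis's code) that builds an RA from constructed values and parses it back. The builder leaves the checksum at zero, since on the wire it is computed over the pseudo-header of section 4.2; the parser enforces two receive-side checks the text motivates: the IPv6 Hop Limit must still be 255, and an option with Length 0 must cause the packet to be discarded (RFC 2461, section 4.6), because a walker that accepted it would never advance. The MAC address, prefix and timer values are sample values.

```python
import struct
from ipaddress import IPv6Address, IPv6Network

ROUTER_ADVERTISEMENT = 134
ND_OPTION_NAMES = {1: "Source Link-Layer Address", 2: "Target Link-Layer Address",
                   3: "Prefix Information", 4: "Redirected Header", 5: "MTU",
                   6: "Advertisement Interval", 7: "Home Agent Information",
                   8: "Route Information"}
# Default Router Preference (Prf) bits; 10 is reserved and treated as Medium
ROUTER_PREFERENCE = {0b01: "High", 0b00: "Medium", 0b11: "Low", 0b10: "Medium"}


def build_router_advertisement(cur_hop_limit, managed, other, router_lifetime,
                               reachable_ms, retrans_ms, options, preference=0b00):
    """Type 134, Code 0, Checksum 0 (filled in over the pseudo-header on the wire)."""
    flags = (managed << 7) | (other << 6) | (preference << 3)
    header = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, cur_hop_limit, flags,
                         router_lifetime, reachable_ms, retrans_ms)
    return header + b"".join(options)


def option_source_lladdr(mac):
    return bytes([1, 1]) + bytes.fromhex(mac.replace(":", ""))        # 2 + 6 = 8 bytes


def option_mtu(mtu):
    return struct.pack("!BBHI", 5, 1, 0, mtu)                         # reserved, 32-bit MTU


def option_prefix_information(network, on_link, autonomous, valid, preferred):
    net = IPv6Network(network)
    flags = (on_link << 7) | (autonomous << 6)                        # L and A flags
    return (struct.pack("!BBBBIII", 3, 4, net.prefixlen, flags, valid, preferred, 0)
            + net.network_address.packed)                             # 16 + 16 = 32 bytes


def decode_option(opt_type, body):
    opt = {"type": opt_type, "name": ND_OPTION_NAMES.get(opt_type, "unknown")}
    if opt_type in (1, 2):
        opt["link_layer_address"] = ":".join(f"{b:02x}" for b in body[:6])
    elif opt_type == 3:
        plen, flags, valid, preferred, _reserved2 = struct.unpack("!BBIII", body[:14])
        opt.update(prefix=IPv6Network(f"{IPv6Address(body[14:30])}/{plen}", strict=False),
                   on_link=bool(flags & 0x80), autonomous=bool(flags & 0x40),
                   valid_lifetime=valid, preferred_lifetime=preferred)
    elif opt_type == 5:
        opt["mtu"] = struct.unpack("!I", body[2:6])[0]
    return opt


def parse_nd_options(data):
    """Walk the TLV options; Length is in units of 8 octets and covers Type and Length."""
    options, offset = [], 0
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated option")
        opt_type, opt_len = data[offset], data[offset + 1]
        if opt_len == 0:
            raise ValueError("ND option with length 0: packet must be discarded")
        length = opt_len * 8
        if offset + length > len(data):
            raise ValueError("option runs past the end of the message")
        options.append(decode_option(opt_type, data[offset + 2:offset + length]))
        offset += length
    return options


def parse_router_advertisement(msg, hop_limit):
    """Decode an RA; hop_limit is the IPv6 Hop Limit the message arrived with."""
    if hop_limit != 255:
        raise ValueError("ND message with Hop Limit != 255 was forwarded; discard it")
    t, code, _csum, chl, flags, lifetime, reachable, retrans = struct.unpack("!BBHBBHII", msg[:16])
    if t != ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    return {"cur_hop_limit": chl, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
            "home_agent": bool(flags & 0x20), "preference": ROUTER_PREFERENCE[(flags >> 3) & 0b11],
            "router_lifetime": lifetime, "reachable_time": reachable, "retrans_timer": retrans,
            "options": parse_nd_options(msg[16:])}
```

Nothing in the message authenticates the router: any node on the link that can send an RA with Hop Limit 255 can announce prefixes, an MTU or a default route to every host, which is why the Hop Limit check only proves on-link origin, not legitimacy.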

4.4.1.3 Neighbor Solicitation (ICMPv6 Type 135)

Neighbor Solicitation is used to determine the link-layer address of an on-link node. Typically these messages are multicast for address resolution and unicast for reachability testing of another node. The Source Address field is either set to a unicast IPv6 address or to the unspecified address during duplicate address detection. The Destination Address field is set either to the solicited-node address of the target for multicast or to the unicast address for a unicast Neighbor Solicitation.

4.4.1.4 Neighbor Advertisement (ICMPv6 Type 136)

An IPv6 Neighbor Advertisement is sent both periodically and in response to a Neighbor Solicitation. The periodic Neighbor Advertisements are important for propagating changes of an address or of the role of a node in the network. The Destination is therefore, similar to the Router Advertisement, either set to the link-local scope all-nodes multicast address or to a unicast address (in response to a solicitation). Several fields are new in the structure of a Neighbor Advertisement message:

• Router flag - when set, the host is a router

• Solicited flag - when set, indicates that the Neighbor Advertisement was sent in response to a Neighbor Solicitation

• Override flag - when set, indicates that the link-layer address received within the Target Link-Layer Address option should override the existing neighbor cache entry

• Target address - indicates the address being advertised

• Target Link-Layer Address option - when present, contains the link-layer address of the target, which is the sender of the Neighbor Advertisement.

4.4.1.5 Redirect (ICMPv6 Type 137)

Redirect messages are sent in order to inform others of a better first-hop address for a specific destination. These messages are only sent by routers, for unicast traffic, via unicast. The Target Address within the message indicates the better next-hop address and the Destination Address holds the address of the destination that caused the router to send the Redirect. Optionally a Target Link-Layer Address option and a Redirected Header option are appended.

Adding up all these things, ND provides:

• Router discovery

• Prefix discovery

• Parameter discovery

• Address autoconfiguration

• Address resolution

• Next-hop determination

• Neighbor unreachability detection

• Duplicate address detection

• Redirect function

Let’s take a closer look at some of these.

4.4.2 Neighbor Discovery Process

In order to provide the Neighbor Discovery processes mentioned below, the following data structures need to be present at each participating host:

• Neighbor cache - stores on-link IP addresses of neighbors and the corresponding link-layer addresses with an indication of the node's reachability

• Destination cache - stores information on next-hop IP addresses for destinations to which traffic has recently been sent

• Prefix list - stores on-link prefixes

• Default router list - stores on-link routers that have sent Router Advertisements

4.4.2.1 Address Resolution

If the destination of a datagram to be sent is local, we need to know the physical layer (layer two) address of the device. Getting the layer two address for a layer three address is known as the address resolution problem.

The sending node sends a Neighbor Solicitation message to the solicited-node multicast address derived from the destination IP address; this message also includes the link-layer address of the sending host. When the target host receives this message it first updates its Neighbor cache with the data from the sending node and then sends a unicast Neighbor Advertisement message containing its own link-layer address. The formerly sending host updates its Neighbor cache as well, and then the packet can be sent.

4.4.2.2 Router Discovery

Router Discovery is the process of discovering all routers on a local link and is pretty similar to what we already know from IPv4. An enhancement to the old Router Discovery is provided by the use of Neighbor Unreachability Detection. IPv6 has, like IPv4, a Router Lifetime field indicating how long a router can be considered the default router. If the router goes offline within this time, hosts using IPv4 usually waited for the Router Lifetime to expire. Now a router that is down is detected through Neighbor Unreachability Detection and another router is chosen from the default router list. If there is no other router on this list, a Router Solicitation message is sent in order to determine other routers on the link. Besides finding a default router, Router Discovery also configures the Hop Limit, whether stateful address configuration is used, timers, network prefixes, the MTU and routes.

4.4.2.3 Neighbor Unreachability Detection

A node is considered reachable if there has been a recent confirmation of the receipt of a message (please note that neighbor reachability simply indicates the reachability of the first-hop node, not end-to-end reachability). One way of ensuring the reachability of a node is by sending a unicast Neighbor Solicitation message. If a Neighbor Advertisement is received in response, the host sending the Neighbor Advertisement is considered reachable. The host that sent the Neighbor Solicitation message is not automatically considered reachable as well. So if host A sends a Neighbor Solicitation to host B and host B replies with a Neighbor Advertisement, only host B is considered reachable. In order for host A to be considered reachable as well, it has to answer another Neighbor Solicitation from host B.

Another way of ensuring reachability is when upper-layer protocols like TCP confirm progress for sent data. You could also say that if end-to-end connectivity is proven by TCP, you can deduce the reachability of the first-hop node.

An entry in the Neighbor cache can have several states:

• Incomplete - address resolution is in progress; the link-layer address is not yet determined

• Reachable - the neighbor has been reachable recently

• Stale - no longer known to be reachable, but until traffic is sent to the neighbor no attempt to determine reachability should be made

• Delay - the neighbor is no longer known to be reachable and traffic has recently been sent, but probing is delayed for a short while in order to wait for upper-layer protocols providing reachability information

• Probe - the neighbor is no longer known to be reachable and Neighbor Solicitation probes are being sent
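The neighbor cache states and the Neighbor Unreachability Detection of this section, driven through their transitions by an added example (not code from the thesis). One entry moves from Incomplete through Reachable, Stale, Delay and Probe, and is removed after the unicast probes go unanswered; an upper-layer confirmation (TCP making progress) moves it back to Reachable without any probe, which is the behaviour the Delay state waits for. The timer defaults are the RFC 2461 protocol constants (30 s Reachable Time, 5 s delay before the first probe, 1 s retransmission timer, 3 probes); the neighbor addresses are constructed.

```python
from enum import Enum


class State(Enum):
    INCOMPLETE = "incomplete"
    REACHABLE = "reachable"
    STALE = "stale"
    DELAY = "delay"
    PROBE = "probe"
    DELETED = "deleted"      # entry removed after probing failed


class NeighborCacheEntry:
    """One neighbor cache entry driven by the events the text lists. Times are in
    milliseconds; the defaults are the RFC 2461 constants (constructed model)."""

    def __init__(self, ip, reachable_time=30_000, delay_first_probe=5_000,
                 retrans_timer=1_000, max_solicit=3):
        self.ip, self.link_layer = ip, None
        self.state = State.INCOMPLETE
        self.reachable_time, self.delay_first_probe = reachable_time, delay_first_probe
        self.retrans_timer, self.max_solicit = retrans_timer, max_solicit
        self.timer = None              # time at which the current state expires
        self.probes_sent = 0
        self.solicitations = []        # ("multicast" | "unicast", time) log of NS sent

    def _solicit(self, kind, now):
        self.solicitations.append((kind, now))
        self.probes_sent += 1
        self.timer = now + self.retrans_timer

    def send_packet(self, now):
        """Called whenever the node sends traffic to this neighbor."""
        if self.state is State.INCOMPLETE and self.probes_sent == 0:
            self._solicit("multicast", now)              # address resolution starts
        elif self.state is State.STALE:
            self.state, self.timer = State.DELAY, now + self.delay_first_probe

    def neighbor_advertisement(self, link_layer, solicited, now):
        """A solicited NA confirms reachability; an unsolicited one only supplies an address."""
        self.link_layer = link_layer
        if solicited:
            self.state, self.timer, self.probes_sent = State.REACHABLE, now + self.reachable_time, 0
        elif self.state is State.INCOMPLETE:
            self.state, self.timer = State.STALE, None

    def upper_layer_confirmation(self, now):
        """E.g. TCP saw progress: the first hop is reachable, no probe needed."""
        if self.state not in (State.INCOMPLETE, State.DELETED):
            self.state, self.timer, self.probes_sent = State.REACHABLE, now + self.reachable_time, 0

    def tick(self, now):
        """Advance the timers."""
        if self.timer is None or now < self.timer:
            return
        if self.state is State.REACHABLE:
            self.state, self.timer = State.STALE, None   # stays Stale until traffic is sent
        elif self.state is State.DELAY:
            self.state = State.PROBE
            self._solicit("unicast", now)
        elif self.state is State.PROBE:
            if self.probes_sent >= self.max_solicit:
                self.state, self.timer = State.DELETED, None
            else:
                self._solicit("unicast", now)
        elif self.state is State.INCOMPLETE:
            if self.probes_sent >= self.max_solicit:
                self.state, self.timer = State.DELETED, None   # address resolution failed
            else:
                self._solicit("multicast", now)
```

The Stale state has no timer at all: an idle neighbor is never probed, so a spoofed Neighbor Advertisement that lands in a cache is only re-examined when traffic is actually sent to it.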

4.4.2.4 Redirect

Redirect messages are sent either when there is a shorter way in routing terms for sending the packet (e.g. if you have more than one router on a link) or when a packet's destination is on-link without the sending host knowing it (because it might lack the prefix in its prefix list).

The Redirect process starts with host 1 sending a packet destined for host 2, residing on Network 2, to its default router R1. The router processes the packet and finds out that the originating host's address and the next-hop address (R2) are on the same link. Router R1 sends the originating node H1 a Redirect message with the Target Address field set to the next-hop address of the node to which the originating host should send subsequent packets addressed to this destination. In the meantime router R1 forwards the packets already sent by host 1 to R2 in order to reach Network 2 and its destination. Upon receipt of the Redirect message, host 1 updates its destination cache with the address in the Target Address field.

Figure 4.11: Redirect process [14]

Redirect messages are only sent by the first router in the path. Hosts never send Redirect messages, and routing tables are never altered upon the receipt of a Redirect message.

4.4.2.5 Duplicate Address Detection

If a host comes up and wants to use an address derived by autoconfiguration, its uniqueness has to be ensured first. This is done by the host wanting to use this IP address sending a Neighbor Solicitation message whose target is this newly computed address. The source address is set to the unspecified address (::), for an address may not be used until its duplication can be ruled out. If a Neighbor Advertisement is sent in reply, there already is a host with the same IP address (this message must be sent to the link-local all-nodes multicast address); if not, the address can be initialized on the interface.

4.4.2.6 Next-Hop determination

This is the first thing to be done by a host when sending a datagram. The device looks at the destination address and decides whether direct or indirect delivery is needed, which is determined by the prefix information supplied by the router or by manual configuration of the interface. If the destination is not local, the next hop is chosen from the device's list of routers (which is either derived by ND methods or entered manually). To improve efficiency this check is not done for every packet; rather, the result is stored in the destination cache for future use.

4.5 IPv6 Routing

IPv6 routing entries can either be entered manually or added upon the receipt of a Router Advertisement message. A routing table has to be present on each IPv6 node in order to determine how specific networks can be reached when sending a packet. Before the IPv6 routing table is checked, the destination cache is checked for an entry matching the destination address. If there is no destination cache entry for the destination address, the IPv6 routing table determines the interface that has to be used for forwarding and the next-hop address. This information in turn is stored in the destination cache for future use. The routing table can contain the following types of routes: directly attached network routes, remote network routes, host routes and default routes.

4.5.1 Route determination process

In order to make the right forwarding decision the routing table entries have to be searched. For each entry in the routing table the bits of the network prefix are compared to the same bits in the destination address. If all bits within the network prefix length of the route match the corresponding bits in the destination IPv6 address, the route is a match for the destination. The route with the largest prefix length matching a packet is chosen, for it is the most specific route to the destination. If multiple routes with the longest match are found, the decision is made upon the metric. For any given destination first host routes and then network routes are searched. If neither exists, the default route is used.

If the route determination process on the sending host fails to find a route, IPv6 assumes the destination is locally reachable. If the route determination process fails on a router, an ICMPv6 Destination Unreachable - No Route to Destination message is sent to the sending host and the packet is discarded.

4.5.2 IPv6 Delivery Process

4.5.2.1 Sending an IPv6 packet

This is the process followed when a packet is sent by an IPv6-enabled host.

1. The hop limit is set to the default or an application-specified value

2. The destination cache is searched for an entry matching the destination

3. If an entry is found in the destination cache, retrieve the next-hop address and interface to use. Go to step 6.

4. If no entry is found in the destination cache, search the routing table for the longest matching, lowest metric route available

5. If an entry is found in the routing table, retrieve the next-hop address and interface to use. If no entry in the routing table matches, the destination address is assumed to be directly reachable

6. The destination cache is updated

7. The neighbor cache is checked for an entry matching the next-hop address

8. If an entry is found, retrieve the link-layer address

9. If no entry is found, use address resolution to obtain the link-layer address; if address resolution fails an error is indicated

10. The packet is sent using the link-layer address of the neighbor cache entry

4.5.2.2 Routing an IPv6 packet

This describes how a packet is processed in a router.

1. Header error checks are performed (Version = 6, source address is not a multicast or loopback address)

2. If the destination address is the router itself, the packet is processed as described in the process “Receiving an IPv6 packet” below

3. The Hop-Limit value is decremented by 1. If the Hop-Limit reaches zero, an ICMPv6 Time Exceeded - Hop Limit Exceeded in Transit message is sent

4. The new Hop-Limit is set if it is greater than 1

5. The destination cache is checked for an entry matching the destination

6. If an entry is found in the destination cache, retrieve the next-hop address and interface to use. Go to step 9.

7. The routing table is checked for the longest matching, lowest metric route available

8. If an entry is found in the routing table, retrieve the next-hop address and interface to use. If no route is found, an ICMPv6 Destination Unreachable - No Route to Destination message is sent and the packet is discarded

9. The destination cache is updated

10. If the interface on which the packet was received is the same as the interface on which the packet is being forwarded, the interface is a point-to-point link and the Destination Address field matches a prefix assigned to the interface, an ICMPv6 Destination Unreachable - Address Unreachable message is sent in order to prevent “ping-pong” forwarding of packets.

11. If the interface on which the packet was received is the same as the interface on which the packet is being forwarded and the Source Address field matches a prefix assigned to the interface, a Redirect message is sent.

12. The link MTU of the next-hop interface is compared to the size of the packet. If the link MTU is smaller than the packet size, an ICMPv6 Packet Too Big message is sent.

13. The neighbor cache is checked for an entry matching the next-hop address.

14. If an entry is found in the neighbor cache, retrieve the link-layer address.

15. If no entry is found in the neighbor cache, use address resolution. If address resolution fails, an ICMPv6 Destination Unreachable - Address Unreachable message is sent.

16. The packet is forwarded.
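The route determination rule of 4.5.1 and the decision steps of 4.5.2.1 (host) and 4.5.2.2 (router) can be followed in a small model. The following Python code is an added example and not part of the thesis; the routing table, interface layout, link MTUs and packet fields it uses are constructed for illustration (2001:db8::/32 is the documentation prefix), and the neighbor cache steps 13 to 15 are left out of the model:

```python
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network
from typing import Optional

# ICMPv6 error messages named in 4.5.1 and 4.5.2.2
ICMP_NO_ROUTE = "Destination Unreachable - No Route to Destination"
ICMP_HOP_EXCEEDED = "Time Exceeded - Hop Limit Exceeded in Transit"
ICMP_ADDR_UNREACHABLE = "Destination Unreachable - Address Unreachable"
ICMP_PACKET_TOO_BIG = "Packet Too Big"


@dataclass
class Route:
    prefix: IPv6Network                     # /128 = host route, ::/0 = default route
    interface: str
    next_hop: Optional[IPv6Address] = None  # None = directly attached network
    metric: int = 1

    def __post_init__(self):                # plain strings are accepted for convenience
        self.prefix = IPv6Network(self.prefix)
        if self.next_hop is not None:
            self.next_hop = IPv6Address(self.next_hop)


@dataclass
class Node:
    routes: list
    is_router: bool = False
    local_addrs: set = field(default_factory=set)       # addresses of this node
    iface_prefixes: dict = field(default_factory=dict)  # iface -> [prefix, ...]
    ptp_ifaces: set = field(default_factory=set)        # point-to-point links
    link_mtu: dict = field(default_factory=dict)        # iface -> link MTU
    dest_cache: dict = field(default_factory=dict)      # dst -> (next_hop, iface)

    def lookup(self, dst) -> Optional[Route]:
        """4.5.1: the longest matching prefix wins (host routes are /128s,
        the default route is ::/0); among equal lengths the lowest metric wins."""
        dst = IPv6Address(dst)
        matches = [r for r in self.routes if dst in r.prefix]
        if not matches:
            return None
        return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric))

    def resolve(self, dst):
        """Steps 2-6 of 4.5.2.1: destination cache first, then routing table.
        Returns (next_hop, interface); None means a router has no route."""
        dst = IPv6Address(dst)
        if dst in self.dest_cache:
            return self.dest_cache[dst]
        route = self.lookup(dst)
        if route is None:
            if self.is_router:
                return None             # caller sends ICMP No Route to Destination
            entry = (dst, None)         # host: assume the destination is on-link
        else:
            entry = (route.next_hop or dst, route.interface)
        self.dest_cache[dst] = entry    # step 6: remember the decision
        return entry


def forward(router: Node, pkt: dict):
    """Steps 1-12 of 4.5.2.2 on a packet given as a dict with the keys
    version, src, dst, hop_limit, size and in_iface."""
    src, dst = IPv6Address(pkt["src"]), IPv6Address(pkt["dst"])
    if pkt["version"] != 6 or src.is_multicast or src.is_loopback:
        return ("drop", "header check failed")                   # step 1
    if dst in router.local_addrs:
        return ("deliver", "addressed to this router")            # step 2
    pkt["hop_limit"] -= 1                                        # step 3
    if pkt["hop_limit"] <= 0:
        return ("icmpv6", ICMP_HOP_EXCEEDED)
    hop = router.resolve(dst)                                    # steps 5-9
    if hop is None:
        return ("icmpv6", ICMP_NO_ROUTE)
    next_hop, out_iface = hop
    same_iface = out_iface == pkt["in_iface"]
    on_link = router.iface_prefixes.get(out_iface, [])
    if same_iface and out_iface in router.ptp_ifaces and any(dst in p for p in on_link):
        return ("icmpv6", ICMP_ADDR_UNREACHABLE)                  # step 10: no ping-pong
    redirect = same_iface and any(src in p for p in on_link)     # step 11
    if pkt["size"] > router.link_mtu.get(out_iface, 1280):
        return ("icmpv6", ICMP_PACKET_TOO_BIG)                    # step 12
    return ("forward", out_iface, str(next_hop), redirect)


def demo_router() -> Node:
    """Constructed sample router; all prefixes are from 2001:db8::/32."""
    net = IPv6Network
    return Node(
        routes=[
            Route("2001:db8:1::/64", "eth0"),                        # directly attached
            Route("2001:db8:2::/64", "eth1"),
            Route("2001:db8:3::/64", "ppp0"),
            Route("2001:db8:2::5/128", "eth0", "2001:db8:1::fe"),   # host route
            Route("2001:db8::/32", "eth0", "2001:db8:1::1", metric=10),
            Route("2001:db8::/32", "eth0", "2001:db8:1::2", metric=5),
            Route("::/0", "eth0", "2001:db8:1::1"),                  # default route
        ],
        is_router=True,
        local_addrs={IPv6Address("2001:db8:1::254")},
        iface_prefixes={"eth0": [net("2001:db8:1::/64")],
                        "eth1": [net("2001:db8:2::/64")],
                        "ppp0": [net("2001:db8:3::/64")]},
        ptp_ifaces={"ppp0"},
        link_mtu={"eth0": 1500, "eth1": 1280, "ppp0": 1500},
    )
```

The sort key in lookup() encodes the whole rule of 4.5.1 in one expression: a host route (/128) always beats a network route, a network route beats the default route (::/0), and only when two routes have the same prefix length does the metric decide. The difference between a host and a router on a missed lookup is visible in resolve(): the host assumes the destination is on-link, while the router reports no route so that forward() can answer with the ICMPv6 error.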

4.5.2.3 Receiving an IPv6 packet

This is what has to be done when receiving an IPv6 packet.

1. Header error checks are performed (Version = 6, source address is not a multicast or loopback address)

2. The destination address is checked to see whether it corresponds to an address configured on the host. If the destination address in the packet is not assigned to a local host interface, the packet is silently discarded.

3. The extension headers are processed based on the Next Header field. The Next Header values are verified and an ICMPv6 Parameter Problem - Unrecognized Next Header Type Encountered message is replied if the values are wrong.

4. If the upper-layer PDU is not a TCP segment or UDP message, pass the upper-layer PDU to the appropriate protocol.

5. If the upper-layer PDU is a TCP segment or UDP message, check the destination port. If no application exists for the UDP destination port, an ICMPv6 Destination Unreachable - Port Unreachable message is replied. If no application exists for the TCP destination port, a TCP Connection Reset segment is replied.

6. If an application exists for the TCP or UDP destination port, process the contents of the packet.

4.5.3 IPv6 Routing protocols

Instead of having a static router, i.e. routes that are set manually, you can also use dynamically configured routes, which of course have big advantages when there are changes in the topology (which a dynamic router notices automatically).

4.5.3.1 Routing Protocol Technologies

There are several methods of propagating routes on a network.

4.5.3.1.1 Distance Vector With Distance Vector, routing information (network ID and “distance”, i.e. hop count) is propagated via periodical advertisements which are unsynchronized and unacknowledged. Distance Vector is easy to set up but does not scale very well and produces a lot of traffic.

4.5.3.1.2 Link State Via Link State Advertisements, sent upon startup and upon changes in the topology, the network prefixes and their assigned costs are distributed. Link State is an easily scaled, low-traffic method but can be complex to set up.

4.5.3.1.3 Path Vector Path Vector also distributes sequences of hop numbers indicating the path for a route. Like Link State, it is easy to scale with low network overhead but can be complex to set up.

4.5.3.2 Routing Protocols for IPv6

4.5.3.2.1 RIPng for IPv6 RIPng for IPv6 is a protocol implementing Distance Vector. When a router is configured for RIPng, it sends a General Request message on all interfaces in order to receive the routes from neighboring routers. Routes are then periodically announced, depending on whether Split Horizon (routes are not announced on the interface where they were learnt) or Split Horizon with poison reverse (routes are announced as unreachable on the interface where they were learnt) is configured. See RFC 2080.

4.5.3.2.2 OSPF for IPv6 OSPF uses Link State; possible costs include delay, bandwidth and monetary costs. See RFC 2740 for more information.

4.5.3.2.3 Integrated Intermediate System-to-Intermediate System (IS-IS) for IPv6 Integrated IS-IS, also known as dual-IS, uses Link State as well and is pretty similar to OSPF. See ISO 10589 for more details.

4.5.3.2.4 BGP-4 The Border Gateway Protocol uses Path Vector and is designed to exchange information between autonomous systems. It creates a logical path tree which describes all connections. For more information read RFC 1771, 2545 and 2858.

4.5.3.2.5 Inter-Domain Routing Protocol version 2 The IDRP is also a path vector protocol and is defined in ISO 10747.

4.6 IPv6 and Name Resolution

With IPv6, name resolution becomes even more important than with IPv4, for it is unreasonable to expect any end user to remember an IPv6 address. The structure of the DNS entries has not really changed except for the type of DNS record used (type 28). AAAA records, also called “quad-A” records, are comparable to the A records used for IPv4 name resolution. (They are called AAAA because the address is four times as long as in an A record.) In order to provide reverse queries the usual pointer record is used; the only thing that changed is the representation of the record (nibbles instead of decimal numbers). For reverse lookup the domain “.ip6.arpa.” is used (“.ip6.int.” is outdated).

IPv6 address: 4321:0:1:2:3:4:567:89ab
reverse lookup domain name: b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.ip6.arpa.
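As an added illustration (not part of the thesis), the nibble reversal can be written down as a small Python function and checked against the example above. The inverse function and the zone helper are additions as well; the zone helper assumes that the prefix whose reverse zone is wanted ends on a nibble boundary, which is the case for the usual /32, /48 and /64 assignments:

```python
from ipaddress import IPv6Address, IPv6Network

REVERSE_DOMAIN = "ip6.arpa."   # ".ip6.int." is outdated


def ip6_arpa_name(address: str) -> str:
    """Build the PTR owner name for an IPv6 address: expand it to its 32
    hexadecimal nibbles, reverse their order, separate them with dots and
    append the ip6.arpa. domain."""
    nibbles = IPv6Address(address).exploded.replace(":", "")   # 32 hex digits
    return ".".join(reversed(nibbles)) + "." + REVERSE_DOMAIN


def address_from_ip6_arpa(name: str) -> str:
    """Inverse operation: recover the compressed address from a full
    ip6.arpa. name, rejecting names that do not carry all 32 nibbles."""
    labels = name.rstrip(".").split(".")
    if labels[-2:] != ["ip6", "arpa"] or len(labels) != 34:
        raise ValueError("not a complete ip6.arpa. name: %r" % name)
    nibbles = "".join(reversed(labels[:-2]))
    groups = [nibbles[i:i + 4] for i in range(0, 32, 4)]
    return IPv6Address(":".join(groups)).compressed


def reverse_zone(prefix: str) -> str:
    """Name of the reverse zone holding the PTR records of a prefix, i.e.
    the zone delegated to the administrator of an assigned subnet. Only
    prefix lengths that are a multiple of 4 map onto whole nibbles."""
    net = IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + "." + REVERSE_DOMAIN


if __name__ == "__main__":
    print(ip6_arpa_name("4321:0:1:2:3:4:567:89ab"))   # the example from the text
    print(reverse_zone("2001:db8:1::/48"))            # 2001:db8::/32 is the documentation prefix
```

Python's ipaddress module offers the same derivation as IPv6Address(...).reverse_pointer (without the trailing dot); the hand-written version makes the nibble mechanism visible and adds the zone calculation that the module does not provide.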

In order to resolve a name, usually the local hosts file is queried first. This file can include hostnames to be resolved locally rather than by DNS. If there is no entry in the hosts file for a specific name, DNS is queried. Please note that IPv6 no longer supports Network Basic Input Output System (NetBIOS).

A DNS query may return several addresses for a hostname. These can be IPv4 and IPv6 addresses, and because a host may have several IPv6 addresses (site-local, global, coexistence, ...) address selection is not an easy task here. See RFC 3484 for details on this subject.

4.7 Migration to IPv6 [15]

Changing the protocol of a network is always a big task, but there are several techniques supplied in order to cause less trouble. The easiest, and in fact the only method that really can be used today, is the coexistence of both protocols on a node so that it responds to both protocols.

A Dual-IP-Layer includes an IPv4 and an IPv6 layer implementation which share one implementation of the Host-to-Host layer protocols such as TCP and UDP. A dual stack infrastructure also has IPv4 and IPv6 network layers, but each has its own Host-to-Host protocol layer. Both techniques provide IPv4 and IPv6 connectivity to a host.

With IPv6 over IPv4 tunneling, IPv6 packets are encapsulated in an IPv4 header and sent over the IPv4 infrastructure (tunnels can be set up between two routers, between two hosts or between a router and a host). Another thing needed in a working IPv4/IPv6 infrastructure is a DNS infrastructure resolving hostnames to both IPv4 and IPv6 addresses.

Below, I will discuss several transition techniques in more detail.

4.7.1 6over4

Please note that the structure of the 6over4 address is discussed in the “IPv6 Unicast addresses” part of this chapter.

6over4, also known as IPv4 multicast tunneling, is a host-to-host, router-to-router and host-to-router automatic tunneling technique for unicast and multicast connectivity which is, because it relies on IPv4 multicasting, not very widely used. It provides IPv6 connectivity across an IPv4 internet and treats the IPv4 infrastructure as a single link with multicasting capabilities.

See RFC 2529 for further reading.

Figure 4.12: 6over4 configuration and logical equivalent [15]

4.7.2 6to4

Please note that the structure of the 6to4 address is discussed in the “IPv6 Unicast addresses” part of this chapter.

This technique is an address assignment and router-to-router automatic tunneling technique providing unicast IPv6 connectivity across an IPv4 network. Its details are described in RFC 3056, where the following terms are defined:

• 6to4 host - a host configured with an autoconfigured 6to4 address

• 6to4 router - an IPv4/IPv6 router that supports the use of a 6to4 tunnel interface and is used to forward traffic (may need additional configuration)

• 6to4 relay router - forwards 6to4 traffic between 6to4 routers

Figure 4.13: 6to4 infrastructure [15]

Within a site, local routers advertise the 6to4 prefix so that hosts can create autoconfigured addresses and routes. All IPv6 traffic that does not match a 64-bit prefix used by the subnets within the site is forwarded to the 6to4 router on the site border. In the example picture host A can communicate with host B via router 1 using a default route. In order for host A to communicate with host C, router 1 has to encapsulate the traffic in an IPv4 header and send it over the IPv4 internet to router 2. The following kinds of communication are possible:

• 6to4 host with another 6to4 host on the same site - like communication between host A and host B; connectivity is provided by the routing table.

• 6to4 host with another 6to4 host across the internet - like communication between host A and host C; the data is encapsulated by the site border router 1 in an IPv4 packet and sent to the site border router 2, which in turn removes the IPv4 header and delivers the packet to host C.

• 6to4 host with an IPv6 host on the internet - like communication between host A and host D; the local-site router 1 tunnels the data to the 6to4 relay router, which removes the IPv4 portion of the packet and forwards it to the appropriate host.

Note: This technique only requires one IPv4 address to obtain global IPv6reachability and therefore might be widely used.

4.7.3 ISATAP

Please note that the structure of the ISATAP address is discussed in the “IPv6 Unicast addresses” part of this chapter.

The Intra-Site Automatic Tunnel Addressing Protocol is an address assignment and host-to-host, router-to-router and router-to-host automatic tunneling technology used to provide unicast IPv6 connectivity across an IPv4 internet. ISATAP addresses are derived by autoconfiguration mechanisms.

Figure 4.14: ISATAP configuration [15]

When using ISATAP, communication between ISATAP nodes on the same link is possible, but not with other IPv6 addresses on other subnets. To communicate outside the logical subnet, packets must be tunneled by an ISATAP router. An ISATAP router is an IPv6 router performing the following:

• Forwarding packets between ISATAP hosts and hosts on other subnets (IPv4 or IPv6)

• Acting as a default router for ISATAP hosts

• Advertising address prefixes

An ISATAP host that receives a Router Advertisement from an ISATAP router sets its default route to this router, and every packet destined to locations outside the subnet is tunneled via the ISATAP router.

Further reading is found in RFC 4214.

4.7.4 Teredo

Please note that the structure of the Teredo address is discussed in the “IPv6 Unicast addresses” part of this chapter.

This technique, also known as IPv4 network address translator traversal for IPv6, provides address assignment and host-to-host automatic tunneling for unicast IPv6 communication across the IPv4 network when hosts are located behind one or multiple NATs. Because protocol 41 translation (indicating IPv4-encapsulated IPv6 data) is not supported by most routers, Teredo, which encapsulates the IPv6 data in UDP messages, is used.

Figure 4.15: Components of a Teredo infrastructure

• Teredo client - an IPv4/IPv6 node supporting a Teredo tunneling interface which can communicate with other Teredo clients or nodes on the IPv6 internet (through a Teredo relay)

• Teredo server - a Teredo node that is connected to the IPv4 and IPv6 internet. It assists in the initial configuration of a Teredo client to facilitate initial communication

• Teredo relay - can forward packets between Teredo clients on the IPv4 internet and IPv6-only nodes

• Teredo host-specific relay - a Teredo node that is connected to the IPv4 and IPv6 internet and can communicate directly with Teredo clients on the IPv4 internet without the need of an intermediate Teredo relay (its IPv6 connectivity is obtained either through a direct connection to the IPv6 internet or through a transition technique like 6to4).

Note: Teredo is designed to be a last-resort transition technique and is not used if native IPv6, 6to4 or ISATAP is present. More and more NATs are also being updated to support protocol 41 nowadays.

See RFC 3904 for more information.
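The IPv4 endpoints embedded in 6to4, ISATAP and Teredo addresses are what make tunnelled IPv6 traffic recognisable, which matters when reviewing firewall rules or logs for IPv6 traffic entering a site through the IPv4 network. The Python code below is an added example and not part of the thesis; the prefixes and field layouts it assumes are those of RFC 3056 (2002::/16 followed by the IPv4 address), RFC 4214 (interface identifiers 0000:5efe or 0200:5efe followed by the IPv4 address) and RFC 4380 (2001:0000::/32, server address, flags, and client port and address obfuscated by XOR with all ones). The Teredo address is the example address from RFC 4380; the other addresses are constructed from documentation ranges:

```python
from ipaddress import IPv4Address, IPv6Address

SIXTO4_PREFIX = 0x2002                    # 2002::/16 (RFC 3056)
TEREDO_PREFIX = 0x20010000                # 2001:0000::/32 (RFC 4380)
ISATAP_IIDS = (0x00005EFE, 0x02005EFE)    # ::0:5efe:w.x.y.z / ::200:5efe:w.x.y.z (RFC 4214)


def sixto4_prefix(public_ipv4: str) -> str:
    """The /48 a site derives from its single public IPv4 address:
    2002:WWXX:YYZZ::/48 where WWXXYYZZ is the address written in hex."""
    v4 = int(IPv4Address(public_ipv4))
    return IPv6Address((SIXTO4_PREFIX << 112) | (v4 << 80)).compressed + "/48"


def classify(address: str) -> dict:
    """Name the transition technique an address belongs to and extract the
    IPv4 endpoints it embeds; 'native' for anything else."""
    a = int(IPv6Address(address))
    if a >> 112 == SIXTO4_PREFIX:
        # bits 16-47 carry the IPv4 address of the 6to4 router (tunnel endpoint)
        return {"type": "6to4",
                "tunnel_endpoint": str(IPv4Address((a >> 80) & 0xFFFFFFFF))}
    if a >> 96 == TEREDO_PREFIX:
        # server IPv4 | 16 flag bits | obfuscated UDP port | obfuscated client IPv4
        return {"type": "teredo",
                "server": str(IPv4Address((a >> 64) & 0xFFFFFFFF)),
                "flags": (a >> 48) & 0xFFFF,
                "client_port": ((a >> 32) & 0xFFFF) ^ 0xFFFF,
                "client_nat_ip": str(IPv4Address((a & 0xFFFFFFFF) ^ 0xFFFFFFFF))}
    iid = a & ((1 << 64) - 1)
    if (iid >> 32) in ISATAP_IIDS:
        # any /64 prefix; the interface identifier ends in the IPv4 address
        return {"type": "isatap",
                "prefix": IPv6Address((a >> 64) << 64).compressed + "/64",
                "tunnel_endpoint": str(IPv4Address(iid & 0xFFFFFFFF))}
    return {"type": "native"}


if __name__ == "__main__":
    print(sixto4_prefix("192.0.2.1"))
    for addr in ("2002:c000:201:1::5",                       # 6to4 host behind 192.0.2.1
                 "2001:0:4136:e378:8000:63bf:3fff:fdd2",     # Teredo example from RFC 4380
                 "fe80::5efe:192.0.2.99",                    # ISATAP link-local
                 "2001:db8::1"):                             # native
        print(addr, classify(addr))
```

The Teredo fields come out as server 65.54.227.120, flags 0x8000, client port 40000 and client address 192.0.2.45, which is the decoding given in RFC 4380 for that example. For a site this is also the check that the single IPv4 address of the 6to4 router really is the one contained in the prefix the internal routers advertise.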

4.7.5 PortProxy

To allow for communication between nodes or applications not using the same Internet Layer protocol (IPv4 or IPv6) you can use PortProxy in order to proxy:

• IPv4 to IPv4 - TCP traffic to an IPv4 address is proxied to TCP traffic to another IPv4 address

• IPv4 to IPv6 - in order to make an IPv4 node access a service of an IPv6 node; the PortProxy in between does the same we already know from usual proxying: the IPv4 node establishes a connection to the PortProxy, which in turn establishes a connection to the IPv6-only application

• IPv6 to IPv6 - TCP traffic to an IPv6 address is proxied to TCP traffic to another IPv6 address

• IPv6 to IPv4 - an IPv6 node can hereby access an IPv4-only application

The last type of PortProxy for example allows an IPv6 node to access a service not yet IPv6-enabled, e.g. Telnet on Windows 2003. Although there is an IPv6-enabled Telnet client, there is no IPv6-enabled Telnet server available. You could establish an IPv6 to IPv4 PortProxy to port 23 used by Telnet on the computer running the Telnet server. An IPv6 Telnet request is thereby proxied to the IPv4 Telnet server application.

Note: This only works for applications that do not embed address or port information inside the upper-layer PDU. PortProxy has no capability of changing embedded information.

Bibliography

[1] Davies, Joseph: Understanding IPv6 - Redmond, Washington: Microsoft Press, 2002

[2] Charles M. Kozierok: The TCP/IP Guide (2005). http://www.tcpipguide.com (2006-01-10)

[3] The TCP/IP GUIDE: IPv6 Global Unicast Address Format (2005). http://www.tcpipguide.com/free/t_IPv6GlobalUnicastAddressFormat-2.htm (2006-01-10)

[4] IEEE: Guidelines for 64-bit Global Identifier (EUI-64) Registration Authority (2005). http://standards.ieee.org/regauth/oui/tutorials/EUI64.html (2006-01-10)

[5] Microsoft: IPv6 Interface Identifier (2006). http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ip_v6_imp_addr7.mspx (2006-01-11)

[6] The TCP/IP GUIDE: IPv6 Interface Identifiers and Physical Address Mapping (2005). http://www.tcpipguide.com/free/t_IPv6InterfaceIdentifiersandPhysicalAddressMapping-2.htm (2006-01-11)

[7] The TCP/IP GUIDE: IPv6 Multicast and Anycast Addressing (2005). http://www.tcpipguide.com/free/t_IPv6MulticastandAnycastAddressing.htm (2006-01-11)

[8] Microsoft: IPv6 Address Autoconfiguration (2004). http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wcetcpip/html/cmconipv6addressautoconfiguration.asp (2006-01-11)

[9] Droms, Bound, Volz, Lemon, Perkins, Carney: RFC 3315 - Dynamic Host Configuration Protocol for IPv6 (DHCPv6) (2003). http://www.faqs.org/rfcs/rfc3315.html (2006-01-14)

[10] Wikipedia: IPv6 (2006). http://en.wikipedia.org/wiki/Ipv6 (2006-01-12)

[11] The TCP/IP GUIDE: IPv6 Datagram Extension Headers (2005). http://www.tcpipguide.com/free/t_IPv6DatagramExtensionHeaders-2.htm (2006-01-12)

[12] Deering, Fenner, Haberman: RFC 2710 - Multicast Listener Discovery (MLD) for IPv6 (1999). http://www.faqs.org/rfcs/rfc2710.html (2006-01-12)

[13] Narten, Nordmark, Simpson: RFC 2461 - Neighbor Discovery for IP Version 6 (IPv6) (1998). http://www.faqs.org/rfcs/rfc2461.html (2006-01-12)

[14] The TCP/IP GUIDE: IPv6 ND Redirect Function (2005). http://www.tcpipguide.com/free/t_IPv6NDRedirectFunction.htm (2006-01-13)

[15] Windows Server 2003: IPv6 Transition Technologies (2003). http://www.microsoft.com/windowsserver2003/techinfo/overview/ipv6coexist.mspx (2006-01-13)

Chapter 5

Migration to IPv6

Now it’s time to start doing what the title of this thesis promises: migrating the network to IPv6. This section will cover everything from initial considerations to the deployment of IPv6 and the migration of the services used. I want to give a detailed plan for those interested in what is to be done and describe the problems I experienced and the measures to be taken.

5.1 Making your system IPv6-ready [1]

Before doing anything else I had to install the IPv6 stack on each computer in my network. Because not all services used in a network have an IPv6-enabled version, as you will see in this chapter, it is nowadays usual to configure your PC dual-stack in order to have IPv4 and IPv6 connectivity. While I was configuring the network for the next generation of network protocols I requested an IPv6 address for reaching IPv6-only services in the internet as well. I decided to request a tunnel from SixXS, reachable at www.sixxs.net. SixXS is an IPv6 Deployment and Tunnel Broker distributing IPv6 tunnels first, and after your tunnel has been up for a certain time you have earned enough credits to request your own subnet. The uptime acquired is usually about one week. When you request your first tunnel at SixXS you have to fill out a form describing why you think you need an address and what you want to do with it. They want to receive very verbose descriptions of what is done with their addresses, so I wrote down my ideas for the whole project accurately and within a few days I held my own IPv6 address in my hands.

The structure of the network at the Berufsförderungsinstitut Burgenland required the tunnel endpoint not to be placed directly in my lab but at the gateway router for both of my networks. Because this computer belongs to the production network of the company I was not allowed to install any software and had to call the system administrators to set up the tunnel. Later in this chapter I will describe what had to be done. Now back to the initial configuration needed at each PC.

5.1.1 Debian Linux

First I want to talk about the migration of Debian Linux PCs to IPv6. Kernel 2.4.x upwards is what is recommended for use with IPv6. In the portion of the test network I administer I only used 2.4.x and 2.6.x kernels, which reduces the problems loading the module needed. The only computer with a kernel 2.2.x was the one which was configured as the tunnel endpoint. Because 2.2.x kernels are not up to date regarding IPv6, the system administrators decided to compile a new 2.6.x kernel [2]. For the installation of the tunnel software aiccu please read the section about the services of IPv6.

You can check if the module you need is already loaded by inspecting

/proc/net/if_inet6

You should see something like this for the interfaces of the PC:

00000000000000000000000000000001 01 80 10 80 lo
fe800000000000000250fcfffe60d6d6 02 40 20 80 eth0

Here you have a loopback entry for lo and a link-local address for eth0. This is the proof that your ipv6 module is loaded, but you can also check with

lsmod | grep ipv6

listing the ipv6 module if it is loaded. Systems where both checks fail have very likely not loaded the module needed. You can do this by

modprobe ipv6

or, for repeated use after startup, just add it to the /etc/modules file (which should not be necessary for 2.4.x and 2.6.x). With these simple steps you can be sure your Linux PC is IPv6-ready. Now, let’s look at the Windows side of computing:
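The check of /proc/net/if_inet6 described above can be automated by parsing the file. The Python code below is an added example and not part of the thesis; the meaning of the six columns (address as 32 hex digits, interface index, prefix length, scope and flags as hex bytes, interface name) and the scope and flag values it assumes (0x10 host, 0x20 link, 0x40 site, 0x00 global; 0x80 permanent, 0x40 tentative, 0x20 deprecated, 0x01 temporary) are those the Linux kernel uses for this file. The sample text is the two lines shown above, and the last function recovers the MAC address the link-local address was derived from:

```python
from ipaddress import IPv6Address
from typing import Optional

# Scope and flag values as printed by the Linux kernel in /proc/net/if_inet6
# (assumption: the kernel's IPV6_ADDR_* scope and IFA_F_* flag constants).
SCOPES = {0x00: "global", 0x10: "host", 0x20: "link", 0x40: "site"}
FLAGS = {0x80: "permanent", 0x40: "tentative", 0x20: "deprecated", 0x01: "temporary"}

# Constructed sample: the two lines shown in the text.
SAMPLE_IF_INET6 = """\
00000000000000000000000000000001 01 80 10 80       lo
fe800000000000000250fcfffe60d6d6 02 40 20 80     eth0
"""


def parse_if_inet6(text: str) -> list:
    """Turn each line of /proc/net/if_inet6 into a dictionary."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue                       # blank or unexpected line
        hexaddr, ifindex, plen, scope, flags, name = fields
        scopeval, flagval = int(scope, 16), int(flags, 16)
        entries.append({
            "interface": name,
            "ifindex": int(ifindex, 16),
            "address": IPv6Address(int(hexaddr, 16)).compressed,
            "prefix_len": int(plen, 16),
            "scope": SCOPES.get(scopeval, "unknown(0x%02x)" % scopeval),
            "flags": [n for bit, n in FLAGS.items() if flagval & bit],
        })
    return entries


def ipv6_enabled(text: str) -> bool:
    """The check the text describes: the module is loaded when a real
    interface shows a link-local (scope link) address."""
    return any(e["scope"] == "link" for e in parse_if_inet6(text))


def mac_from_eui64(address: str) -> Optional[str]:
    """Recover the MAC address an EUI-64 interface identifier was built from
    (ff:fe inserted in the middle, universal/local bit inverted), or None
    when the identifier was not derived that way."""
    iid = IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % o for o in octets)


if __name__ == "__main__":
    for e in parse_if_inet6(SAMPLE_IF_INET6):
        print(e["interface"], e["address"], e["scope"], e["flags"],
              mac_from_eui64(e["address"]))
```

On a live system the text would come from open("/proc/net/if_inet6").read(). For the eth0 line above the derived MAC address is 00:50:fc:60:d6:d6, which is the value to compare against the hardware address the interface reports; a mismatch means the link-local address was not autoconfigured from the MAC.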

5.1.2 Windows

When searching the internet for Windows and IPv6 you will find notes that IPv6 is fully supported by all operating systems starting with Windows 2000. As I had one Windows 2000 client, one Windows 2000 server and two Windows XP clients I was glad I could start migrating without any upgrades to make, or so I thought.

5.1.2.1 Windows 2000 Client and Server [3] [4]

For both Windows 2000 Client and Server the installation of the IPv6 stack is the same. Since it is not included in the usual installation you have to load additional files from the internet [5]. After saving the downloaded file “tpipv6-001205.exe” on the file server I unzipped it to my local hard disk, automatically creating a folder called “IPv6Kit”. Now you have to open a console window and start the setup by typing “setup.exe -x”, in turn extracting another bunch of files to a subfolder it prompts you to give a name for. I chose to call it “files” as recommended in the Microsoft description. From the folder “files” now open the text file “Hotfix.inf” and modify it for your system. Depending on what Service Pack you installed you have to change the following line in the subsection called [Version]:

entry for Service Pack 1: NTServicePackVersion=256
entry for Service Pack 2: NTServicePackVersion=512
entry for Service Pack 3: NTServicePackVersion=768
entry for Service Pack 4: NTServicePackVersion=1024

After saving the modifications made, run “Hotfix.exe” from the “files” folder. Now, as I think you have guessed already, you have to restart your computer in order to make the changes take effect. Then the protocol stack is installed on your computer but not yet used.

If you also want to use the protocol you have to open the dialog for configuring your network settings (Control Panel - Network and Dial-up Connections). Open the properties of your ethernet-based connection listed within, usually called “Local Area Connection”. Another dialog is opened with a button labelled “Install ...”, opening in turn another window where you can choose what kind of network component you want to install additionally. In this list you will find the entry “Network Protocol” and by clicking that you can finally choose to install the “Microsoft IPv6 Protocol”. Now the IPv6 driver “tcpip6.sys” is installed to %SYSTEMROOT%\system32\drivers and other files like the Winsock helper “wship.dll” and all additional applications like “ipv6.exe”, “ping6.exe”, and so on are installed to %SYSTEMROOT%\system32. You should now have an entry “Microsoft IPv6 Protocol” in the properties of your “Local Area Connection”.

By default, each interface has an automatically distributed link-local address. For a quick verification simply use the console-based command

ipv6 if

listing your ipv6 interfaces and their automatically assigned addresses. In the output produced by this command you should see several interfaces labelled “Loopback Pseudo-Interface”, “Tunnel Pseudo-Interface”, “6-over-4 Virtual Interface” and “Local Area Connection”. The first interface is for loopbacks only; the second interface is used for configured tunneling, automatic tunneling and 6to4 tunneling. “6-over-4” [6] is an automatic tunneling technology used to provide IPv6 connectivity between IPv6 sites and hosts across the IPv4 Internet. 6-to-4 traffic is encapsulated by 6-to-4 routers in an IPv4 header and sent to the destination. The last interface in the list is the one that is most interesting, because the “Local Area Connection” is the one we are going to configure later on. Please note that the order of the interfaces and the numbering can vary.

5.1.2.2 Windows XP and 2003 Server [7]

Installing IPv6 on Windows XP with Service Pack 1 or Service Pack 2 and on 2003 Server is a bit easier because you can leave out the part where you have to download the hotfix for your operating system. The software needed for IPv6 support is already installed but has to be activated in the properties of your “Local Area Connection” exactly as you did with Windows 2000. Just select “Install” and choose to add a “Network Protocol” (please see the section above).

If you are more into command-line configuration you could type the following command instead:

netsh interface ipv6 install

The installation of the IPv6 protocol on a PC using Windows XP without any service pack can only be done by typing the following command on the command line:

ipv6 install

You might remember the command “ipv6” from the section about Windows 2000 above, where I used it to list my interfaces. “ipv6” is used only by Windows 2000 and Windows XP SP1, whereas newer versions include the interactive “netsh” command replacing “ipv6”. Note that after the installation of IPv6 via “ipv6 install” on a Windows XP PC without Service Pack no entry for the IPv6 protocol will be generated in the properties of the “Local Area Connection”. You can only verify the success of the installation by typing “ipv6 if” and checking if it has configured your interfaces.

Windows XP’s version of the IPv6 implementation is seen as a developer preview, while XP Service Pack 1 and 2’s version of IPv6 is a production-capable and supported protocol. All versions of XP support file and print sharing and the following programs: ipv6.exe, ping6.exe and tracert6.exe.

Note: These programs are not supplied by Windows 2003. Their functionality is supplied by the following substitute programs (which are recommended for use with Windows XP SP 1 and SP 2 as well):

ipv6 substituted by netsh

ping6 substituted by ping
tracert6 substituted by tracert

An additional feature of Windows XP SP 2 and Windows 2003 server com-pared to Windows XP and Windows XP SP 1 is the support for Teredo anda new Windows Firewall.

5.2 Testing primary connectivity [8]

5.2.1 Debian Linux

Testing primary connectivity starts with checking which IP addresses are assigned to which interface. In order to display the IPv6 addresses you could either read the output of

ifconfig

or, if you want to narrow it down to the IPv6-only parts, simply use the “ip” command.

ip -6 address show

This is the command to display the interfaces available and the addresses that have been assigned to them automatically. (If you don’t have the ip command installed yet, go for “apt-get install iproute”.)

1: lo: <LOOPBACK,UP> mtu 16436
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qlen 1000
    inet6 fec0::1:250:fcff:fe60:d6d6/64 scope site dynamic
       valid_lft 2591986sec preferred_lft 604786sec
    inet6 fe80::250:fcff:fe60:d6d6/64 scope link
       valid_lft forever preferred_lft forever

You can see that your lo interface is configured with the IP address ::1, being the IPv6 equivalent of 127.0.0.1. Then the “real” interfaces are listed. In this case it’s only one, eth0, having two ipv6 addresses. The first one, fec0::1:250:fcff:fe60:d6d6, has scope site and the second one, fe80::250:fcff:fe60:d6d6, has scope link. This refers to the different kinds of addresses as described in the last chapter. Each IPv6-enabled interface can have several kinds of addresses; a link-local address is assigned automatically and is derived from the MAC address. Therefore it is unique and assures simple connectivity. The link-local address shall ease configuration issues of PCs freshly added to the network and serves only communication issues like “anyone else here on this link?” and “is there some special device? (like a router, etc.)”. A packet with a link-local address as destination will not pass a router. If you don’t have the second kind of address, the site-local address, in your initial configuration: Don’t panic! It is comparable to the private address space we know from good old IPv4 times and can be assigned if needed (see my IPv6 radvd configuration below). There is a discussion about deprecating this kind of address. The fact that it will sometimes be useful for testing purposes and that you can assign an additional global address anyway is enough reason to set one. In this example no global address has been assigned.

For testing simple connectivity you need nothing more than two PCs withan enabled IPv6 module. The first thing to try is to display configuredIPv6 neighbours.

marge: # ip -6 neigh show
fe80::250:4ff:fe68:ce8 dev eth0 lladdr 00:50:04:68:0c:e8 router nud stale

One PC is found using device eth0 with address fe80::250:4ff:fe68:ce8 (bart.sylvia.test), having link layer address 00:50:04:68:0c:e8 and being the router to this subnet. The ip neighbour command displays the bindings between protocol addresses and link layer addresses stored in a table. (The IPv4 neighbour table is also known as the ARP table.) “nud” is an abbreviation for Neighbour Unreachability Detection and tells you the state of the neighbour entry. “stale” stands for “valid but suspicious” (read the ip man page for details). Other commands that might be useful in this context are ip neighbour [delete | add | flush] to delete or add an entry or to flush all entries.
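As an added example (not part of the thesis), the following Python code parses the output of ip -6 neigh show into a table, lists the routers seen on the link and the neighbours whose address resolution did not complete, and builds the ping6 command line with the interface option that link-local targets require. The sample output is constructed: the first line is the one shown above, the other two are in the newer iproute2 layout, where the state follows as a trailing upper-case word instead of “nud <state>”:

```python
from ipaddress import IPv6Address

# Constructed sample: the line from marge above plus two lines in the newer
# iproute2 layout (trailing upper-case state, one entry without lladdr).
SAMPLE_NEIGH = """\
fe80::250:4ff:fe68:ce8 dev eth0 lladdr 00:50:04:68:0c:e8 router nud stale
fe80::200:21ff:fe00:5b8e dev eth0 lladdr 00:00:21:00:5b:8e REACHABLE
fe80::1 dev eth0  FAILED
"""

NUD_STATES = {"INCOMPLETE", "REACHABLE", "STALE", "DELAY", "PROBE",
              "FAILED", "NOARP", "PERMANENT"}


def parse_neigh(text: str) -> list:
    """Parse 'ip -6 neigh show' lines into dictionaries, accepting both the
    'nud <state>' form and the newer trailing upper-case state."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        entry = {"address": tokens[0], "dev": None, "lladdr": None,
                 "router": "router" in tokens, "state": None}
        for i, tok in enumerate(tokens[:-1]):      # keyword followed by its value
            if tok == "dev":
                entry["dev"] = tokens[i + 1]
            elif tok == "lladdr":
                entry["lladdr"] = tokens[i + 1]
            elif tok == "nud":
                entry["state"] = tokens[i + 1].upper()
        if entry["state"] is None and tokens[-1].upper() in NUD_STATES:
            entry["state"] = tokens[-1].upper()
        entries.append(entry)
    return entries


def routers_seen(text: str) -> list:
    """Neighbours that announced themselves as routers (the 'router' flag)."""
    return [e["address"] for e in parse_neigh(text) if e["router"]]


def unresolved(text: str) -> list:
    """Neighbours without a link layer address or in a failed state: the
    entries to look at first when a ping6 to a neighbour gets no answer."""
    return [e["address"] for e in parse_neigh(text)
            if e["lladdr"] is None or e["state"] in ("FAILED", "INCOMPLETE")]


def ping6_argv(address: str, iface: str) -> list:
    """Build the ping6 command line; link-local targets need '-I <iface>',
    without it ping6 fails with 'connect: Invalid argument'."""
    argv = ["ping6"]
    if IPv6Address(address).is_link_local:
        argv += ["-I", iface]
    return argv + [address]


if __name__ == "__main__":
    for e in parse_neigh(SAMPLE_NEIGH):
        print(e)
    print("routers:", routers_seen(SAMPLE_NEIGH))
    print("unresolved:", unresolved(SAMPLE_NEIGH))
    print(" ".join(ping6_argv("fe80::250:4ff:fe68:ce8", "eth0")))
```

On a live system the input is the output of subprocess.run(["ip", "-6", "neigh", "show"], capture_output=True, text=True).stdout. Keeping the parsed table around is useful beyond the first connectivity test: a second entry with the router flag, or a changed lladdr for a known router address, is exactly what an administrator wants to notice on a small network.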

Page 148: Ipv6 Small Business

CHAPTER 5. MIGRATION TO IPV6 142

If you had output from the command discussed above, you can be sure you have some connectivity to at least one other host on this network. If this didn't work, either the corresponding PC on the network has not been configured correctly or you are in some trouble on your local machine. A good thing to try is to ping home with

ping6 ::1

to see whether the protocol works on the loopback interface at all. Note that on Linux there is a separate command, ping6, for pinging IPv6 addresses.

Now we can move on to pinging another host’s link local address.

marge: # ping6 fe80::250:4ff:fe68:ce8 -I eth0
PING fe80::250:4ff:fe68:ce8(fe80::250:4ff:fe68:ce8) from fe80::200:21ff:fe00:5b8e eth0: 56 data bytes
64 bytes from fe80::250:4ff:fe68:ce8: icmp_seq=1 ttl=64 time=0.250 ms
...
64 bytes from fe80::250:4ff:fe68:ce8: icmp_seq=8 ttl=64 time=0.173 ms
--- fe80::250:4ff:fe68:ce8 ping statistics ---
8 packets transmitted, 8 received, 0% packet loss
rtt min/avg/max/mdev = 0.166/0.180/0.250/0.028 ms

pings the specified link-local address. The option -I is needed for pinging link-local addresses and specifies the source interface to use, because the same fe80::/64 prefix exists on every interface and the kernel cannot tell from the address alone which link is meant. Newer iputils versions also accept the zone-id notation fe80::250:4ff:fe68:ce8%eth0, which is equivalent to -I eth0.

Note: Forgetting this additional option will produce the error "connect: Invalid argument". If you use the ping command rather than ping6 you will get the error message "ping: unknown host fe80::250:4ff:fe68:ce8".

Note: If you ever wondered which kernel settings are responsible for the autoconfiguration behaviour of IPv6:

cat /proc/sys/net/ipv6/conf/eth0/accept_ra

Set to "1", this option allows the PC to accept Router Advertisements (default route, prefixes, MTU). Since any host on the link can send them, keep it at "0" on machines whose addresses and routes you configure by hand; a Linux host with IP forwarding enabled, i.e. a router, ignores them anyway.

cat /proc/sys/net/ipv6/conf/eth0/autoconf

Set to "1", this option tells the PC to form addresses from the prefixes it receives in Router Advertisements (stateless autoconfiguration). The link-local address is created when the interface comes up regardless of this setting.

5.2.2 Windows [9]

As mentioned above, depending on the Windows version you use, you have several possibilities for displaying your IPv6 addresses. As in the Linux part, you can also display them with the old-fashioned command:

ipconfig /all

On Windows XP SP2 or higher the specialised command for this is netsh interface ipv6 show address [10]:

Figure 5.1: netsh interface ipv6 show address

On Windows XP SP1 or lower:

C:\> ipv6 if
Interface 4 (site 1): LAN-Verbindung
  uses Neighbor Discovery
  link-level address: 00-00-21-00-5b-bc
  preferred address fec0::1:200:21ff:fe00:5bbc, 2591997s/604797s (addrconf)
  preferred address fe80::200:21ff:fe00:5bbc, infinite/infinite
  multicast address ff02::1, 1 refs, not reportable
  multicast address ff02::1:ff00:5bbc, 2 refs, last reporter
  link MTU 1500 (true link MTU 1500)
  current hop limit 64
  reachable time 29000ms (base 30000ms)
  retransmission interval 1000ms
  DAD transmits 1
Interface 3 (site 1): 6-over-4 Virtual Interface
...

You can see above that each interface on your PC, including the virtual ones, has an interface number, the "Scope ID". These numbers (in our example the scope ID of LAN-Verbindung would be 4 in both cases) matter when pinging link-local addresses: as on Linux you have to say which interface to use, and on Windows you do this by appending the scope ID.

To be consistent with the Linux part above, let's first check for neighbour entries. This is done with netsh on newer and with ipv6 on older versions:

netsh interface ipv6 show neighbors
ipv6 nc

The netsh output looks like this (see Figure 5.2 below):

Pinging another PC on Windows can always be done with ping6, although on Windows XP SP2 and higher plain ping suffices. In both cases the command looks like this:

ping6 fe80::250:4ff:fe68:ce8%4

The appended "%4" defines the scope and therefore the interface to use. If you forget to add the scope you will get the error "Destination not reachable". The message indicating the wrong command (if you use ping instead of ping6 on Windows XP SP1 and older) is "Unknown host fe80::250:4ff:fe68:ce8%4."

Figure 5.2: netsh interface ipv6 show neighbors

Firewall: Due to the IPv6 firewall you can experience connectivity troubles in the beginning. For the sake of simplicity I disabled it in my lab. I found two commands on the internet to do so for Windows XP SP2 and higher/2003 (I only used the first command):

netsh interface ipv6 set interface interface=LAN-Verbindung firewall=disabled
netsh firewall set adapter LAN-Verbindung filter=disabled

Privacy: When IPv6 was introduced, people complained about how easy it makes monitoring hosts. Because a global address formed from the MAC address never changes (and even reveals the MAC itself), someone could place a sniffer strategically and easily find out things like how long an employee was active that day, or simply track users for marketing reasons. To prevent that, RFC 3041 defines privacy extensions: temporary global addresses whose interface identifier is generated pseudo-randomly instead of being derived from the MAC address. By default such an address is preferred for one day and valid for one week, after which a new one is generated; this is meant to protect your privacy and enhance security. Note that temporary addresses are meant to be used as source address of outgoing connections, so firewall rules or logs keyed to the fixed address will not match that traffic. Although this sounds pretty interesting, I recommend disabling privacy addresses on Windows PCs to ease the first steps with IPv6. [11] [12]

netsh interface ipv6 set privacy disabled persistent

Windows2k: I have experienced an interesting behaviour when pinging a link-local address on a Windows 2000 computer. The ping command didn't work until I used it this way:

ping6 -s <sourceIP>%<scope> <destinationIP>
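The link-local addresses seen in the Linux and Windows output above, and the privacy problem just mentioned, both come down to the way the interface identifier is derived from the MAC address. The following Python script is an added example (not part of the thesis) that performs that derivation, shows that a prefix other than a /64 leaves no room for the 64-bit identifier, recovers the MAC address from such an address, and computes the solicited-node multicast group a host joins for it (the ff02::1:ff00:5bbc seen in the ipv6 if output). The MAC addresses are the ones visible in the output above; the function names are my own.

```python
"""Modified EUI-64 interface identifiers (RFC 2464 / RFC 4291 Appendix A),
as used by the link-local and autoconfigured addresses on this page.
Added example; MAC addresses are taken from the page's own output."""
import ipaddress
import re


def mac_to_iid(mac: str) -> int:
    """48-bit MAC -> 64-bit modified EUI-64 identifier: insert ff:fe in the
    middle and flip the universal/local bit (bit 1 of the first octet)."""
    octets = [int(x, 16) for x in re.split(r"[:-]", mac)]
    if len(octets) != 6:
        raise ValueError("MAC address must have six octets")
    octets[0] ^= 0x02
    eui64 = octets[:3] + [0xFF, 0xFE] + octets[3:]
    return int.from_bytes(bytes(eui64), "big")


def slaac_address(prefix: str, mac: str):
    """Address a host forms from an advertised prefix. Returns None when the
    prefix is not a /64: the identifier is 64 bits long, so only a /64
    leaves room for it (this is what the kernel does with e.g. a /80)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        return None
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_iid(mac))


def link_local(mac: str):
    """The fe80::/64 address every interface gets automatically."""
    return slaac_address("fe80::/64", mac)


def iid_to_mac(addr: str):
    """Recover the MAC from an EUI-64 based address (the tracking problem
    RFC 3041 privacy addresses avoid). None if the identifier is not
    EUI-64 shaped, e.g. for a static or temporary address."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """Solicited-node multicast group (ff02::1:ffXX:XXXX) for an address:
    the group joined for neighbour discovery of that address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


if __name__ == "__main__":
    # marge (Linux), bart (Linux) and the Windows PC from the output above
    for mac in ("00:50:fc:60:d6:d6", "00:50:04:68:0c:e8", "00-00-21-00-5b-bc"):
        ll = link_local(mac)
        print(f"{mac} -> {ll} -> MAC {iid_to_mac(str(ll))}, group {solicited_node(str(ll))}")
    print("site-local /64:", slaac_address("fec0:0:0:1::/64", "00:50:fc:60:d6:d6"))
    print("/80 prefix:    ", slaac_address("2001:16d8:ff47:1203:2::/80", "00:50:fc:60:d6:d6"))
```

Running it reproduces fe80::250:fcff:fe60:d6d6 for marge, fe80::250:4ff:fe68:ce8 for bart and fe80::200:21ff:fe00:5bbc for the Windows PC, and recovers the MAC from each of them, which is exactly why a sniffer can follow a host across prefixes when EUI-64 addresses are used.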

Now that we are done with the connectivity tests, we can move on to as-signing globally reachable addresses.

5.3 Getting reachable globally via IPv6

For being reachable globally we need some global IPv6 addresses, as you might have guessed. There are several ISPs selling IPv6 addresses and address ranges, but not at prices a poor student can afford. So I decided to look for IPv6 addresses for free and found the IPv6 tunnel broker www.sixxs.net. SixXS (Six Access) is not a company but a private project run by three people. Their main task is to maintain the PoPs (points of presence) provided by several ISPs. As an end user you can request a tunnel at SixXS, which allows you to test IPv6 in a professional manner right away. With an existing RIPE, APNIC, ARIN, LACNIC or AfriNIC handle you can sign up to SixXS and request a tunnel to one of the PoPs. Usually the PoP is chosen for you for connectivity reasons. If you don't have a handle yet you can get one at e.g. RIPE [13].

To request a tunnel you need to provide the IPv4 address of your tunnel endpoint and a reason why you think you should join the IPv6 community. If you don't have a static IPv4 address you can still try out IPv6 with the help of the SixXS heartbeat client: it sends packets to the PoP to activate the tunnel with the currently assigned dynamic IPv4 address. If there is no heartbeat for 300 seconds the tunnel is disabled, and it is re-enabled automatically when the heartbeat resumes. Any configuration changes resulting from the changed address are made automatically [14].


5.3.1 Installing AICCU

In the network of the Berufsförderungsinstitut Burgenland, AICCU was installed on the gateway router in order to avoid NAT-related troubles. This gateway router runs Debian Linux and is not maintained by me, so the network administrators had to download and install the software needed. From the SixXS homepage you can download a tool called AICCU, short for Automatic IPv6 Connectivity Client Utility. There is a deb package as well as an apt-get source available [15]. After installing the software you simply need to edit the configuration file /etc/aiccu.conf and you are done. Notice that you need to enable the requested tunnel in the web interface after approval (which can take a few hours). The web interface also shows graphs of latency and packet loss for your tunnel endpoint. First take a look at the configuration details:

# username is your NIC handle
username KS36-6BONE
password foo
ipv4_interface eth1
ipv6_interface sixxs
tunnel_id T1234
verbose true
daemonize true
automatic true

The entry ipv4_interface names the physical interface on your PC; ipv6_interface is the tunnel interface that AICCU creates when it starts. The tunnel_id is taken from your approval email and can also be looked up on the SixXS web interface. Since the file contains your SixXS password in clear text, it should be readable by root only (chmod 600 /etc/aiccu.conf). Now you can start the tunnel with /etc/init.d/aiccu start, which prints your connection details on success. You can also look at the new output of ifconfig, which shows the new interface sixxs with its details. When using AICCU you don't have to worry about setting IPv6 addresses or routes; everything needed is done by this piece of software. And now, for the moment we all have been waiting for, pinging IPv6 into the internet by pinging the PoP's endpoint of the tunnel:

ping6 2001:16d8:ff00:7b::1

If this works you can ping any IPv6-enabled address on the whole internet. An all-time classic is KAME's homepage at www.kame.net.

You can also run AICCU on other operating systems like Windows, Mac OS, etc. There is even a GUI for configuring Windows-based AICCU installations. Find out more about the different ways of using and configuring AICCU on the SixXS homepage [15] [16].

In a paragraph above I mentioned that we tried to avoid NAT-related troubles. There is an approach to overcome this in the Italian network with a tunnel type called AYIYA (Anything In Anything), also supported by AICCU, which carries the tunnel inside UDP and therefore works through NAT [17].

A few comments on the rules for tunnels at SixXS. SixXS has established a credit system: you start with just enough credits (25) to request a tunnel. When this tunnel has been up for one week you have earned enough credits to request another tunnel, or a whole /48 subnet. For each tunnel that is up for one week you earn 5 credit points. But be careful with your tunnels! If your tunnel is down for one day it costs you 5 credits, and if it is down for a whole week it costs you 50 credits and the tunnel is automatically disabled (you can enable it again in the web interface). SixXS sends you an automated email when one of your tunnels is down.

5.3.2 Allocating the addresses

After my tunnel was running I requested a subnet in order to have global addresses in my lab as well. A day or two later the approval came and 2001:16d8:ff47::/48 was mine. First some decisions concerning the address allocation had to be made. Although I really had enough addresses, I didn't want to repeat the mistake made with IPv4 and be too generous in distributing them. (The reason why it makes sense to think about this is that the Berufsförderungsinstitut Burgenland wants to keep using these addresses when I am no longer working on my thesis. So we decided on an expandable code, starting with the building I was in.) The number of the building I am working in was chosen as 1203, which subnets my address space to 2001:16d8:ff47:1203::/64 and still leaves 64 bits for the addressing of the computers in one building. As you will remember, my network consists of three networks: the main office, the branch office and the network in between. The main office is addressed as 2001:16d8:ff47:1203:2::/80 (formerly 192.168.200.0/24), the branch office as 2001:16d8:ff47:1203:3::/80 (formerly 192.168.201.0/24) and the network in between as 2001:16d8:ff47:1203:1::/80 (formerly 192.168.150.0/24). The host part of the addresses has been carried over and written in hex. For example bart's 192.168.200.1 became 2001:16d8:ff47:1203:2::1, apu's 192.168.200.33 became 2001:16d8:ff47:1203:2::21, and so on (please see the new network plan for details). Note that stateless address autoconfiguration with EUI-64 identifiers needs a /64 per link, so hosts in these /80 subnets have to get their addresses statically or via DHCPv6, as described below.
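As an added example (not from the thesis), the following Python script encodes the mapping just described and converts addresses in both directions, which is handy when translating existing firewall rules or host lists into the new plan. The PLAN table reproduces the three subnets named above; the function names are assumptions of this example.

```python
"""Legacy IPv4 plan -> new /80 IPv6 subnets, as described in the text.
Added example; the host number is carried over unchanged and written in hex
(192.168.200.33 -> ...:2::21)."""
import ipaddress

# Old subnet -> new /80 subnet, exactly as stated in the text.
PLAN = {
    ipaddress.IPv4Network("192.168.150.0/24"): ipaddress.IPv6Network("2001:16d8:ff47:1203:1::/80"),
    ipaddress.IPv4Network("192.168.200.0/24"): ipaddress.IPv6Network("2001:16d8:ff47:1203:2::/80"),
    ipaddress.IPv4Network("192.168.201.0/24"): ipaddress.IPv6Network("2001:16d8:ff47:1203:3::/80"),
}


def to_ipv6(v4: str) -> ipaddress.IPv6Address:
    """Map a legacy host address into its new subnet, keeping the host number."""
    addr = ipaddress.IPv4Address(v4)
    for old, new in PLAN.items():
        if addr in old:
            host = int(addr) - int(old.network_address)
            return new.network_address + host
    raise ValueError(f"{v4} is not part of the legacy plan")


def to_ipv4(v6: str) -> ipaddress.IPv4Address:
    """Reverse mapping, e.g. to find the old rule an IPv6 address corresponds
    to. Host numbers that did not exist in the old /24 are rejected."""
    addr = ipaddress.IPv6Address(v6)
    for old, new in PLAN.items():
        if addr in new:
            host = int(addr) - int(new.network_address)
            if host >= old.num_addresses:
                raise ValueError(f"{v6} has no IPv4 counterpart in {old}")
            return old.network_address + host
    raise ValueError(f"{v6} is not part of the plan")


if __name__ == "__main__":
    for v4 in ("192.168.200.1", "192.168.200.33", "192.168.150.5", "192.168.201.7"):
        v6 = to_ipv6(v4)
        print(f"{v4:16} -> {v6}  (back: {to_ipv4(str(v6))})")
```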

5.3.3 Configuring the global addresses

5.3.3.1 Debian Linux

There are two ways to configure an IPv6 address manually: either with the ip command, which I chose to use, or with ifconfig.

ip -6 address add <IPaddress>/<prefixlen> dev <device>
ip -6 address add 2001:16d8:ff47:1203:2::5 dev eth0

Without an explicit prefix length, ip defaults to /128, a single host address; for the /80 subnets used here write 2001:16d8:ff47:1203:2::5/80 so that the subnet is known to be on-link as well. For deleting the address simply exchange "add" with "del":

ip -6 address del <IPaddress>/<prefixlen> dev <device>
ip -6 address del 2001:16d8:ff47:1203:2::5 dev eth0

You get the same result with using

ifconfig eth0 add 2001:16d8:ff47:1203:2::5
ifconfig eth0 del 2001:16d8:ff47:1203:2::5

If you do not specify a prefix length after the address, ifconfig defaults to /0, so always give one explicitly (ifconfig eth0 add 2001:16d8:ff47:1203:2::5/80). The configured addresses can be seen in both cases with ip -6 address show or ifconfig. Addresses set this way are not persistent: they are lost at reboot.

If you prefer configuring /etc/network/interfaces, you can add an entry like this for each IPv6-enabled interface:

auto eth0
iface eth0 inet6 static
    # to be on the safe side you can add the following line once:
    # pre-up modprobe ipv6
    address 2001:16d8:ff47:1203:2::5
    netmask 128

5.3.3.2 Microsoft Windows

Windows2k: All configuration done with ipv6 is non-persistent, which means that it is not stored and all configuration is lost after a reboot. (There is a documented solution using option -p to store configuration added by ipv6 in the registry, but it didn't work for me [4].) This is one big reason for me to say that Windows 2000 is not suitable for convenient use with IPv6. I handled this problem by writing a small script that adds the needed configuration after startup. If IPv6 is turned off after startup, enable it by typing "net start tcpip6".

With the ipv6.exe in the older versions of Windows you can set an IP ad-dress simply with the line

ipv6 adu <ScopeID>/<Address>
ipv6 adu 5/2001:16d8:ff47:1203:2::21

To delete the address again, simply set its lifetime to 0:

ipv6 adu <ScopeID>/<Address> life <ValidLifetime>
ipv6 adu 5/2001:16d8:ff47:1203:2::21 life 0

Doing the same using netsh looks like the following:

netsh interface ipv6 add address interface=<InterfaceString> address=<address>
netsh interface ipv6 add address <InterfaceString> <address>
netsh interface ipv6 add address LAN-Verbindung 2001:16d8:ff47:1203:2::22


The InterfaceString is the label you see when typing netsh interface ipv6 show address. For deleting:

netsh interface ipv6 delete address interface=<InterfaceString> address=<address>
netsh interface ipv6 delete address <InterfaceString> <address>
netsh interface ipv6 delete address LAN-Verbindung 2001:16d8:ff47:1203:2::22

5.3.4 Setting routes manually

Although we will be using radvd to distribute routes automatically, it is always important to know how to set them manually as well. Let's start with Linux again.

5.3.4.1 Debian Linux

Some routes are set automatically on your system, some you will have to configure. Anything concerning routes can again be done with two different commands, similar to the address configuration discussed before: ip, my all-time favourite, and route (or netstat for displaying them).

ip -6 route show
netstat -nr -A inet6

To set and to delete a route you have these possibilities:

ip -6 route add <destinationNetwork> via <nexthopRouter> dev <deviceUsed>
ip -6 route add default via 2001:16d8:ff47:1203:2::1 dev eth0
ip -6 route add 2000::/3 via 2001:16d8:ff47:1203:2::1 dev eth0
ip -6 route del <destinationNetwork> via <nexthopRouter> dev <deviceUsed>
ip -6 route del default via 2001:16d8:ff47:1203:2::1 dev eth0
ip -6 route del 2000::/3 via 2001:16d8:ff47:1203:2::1 dev eth0
route -A inet6 add <destination>/<prefixlen> gw <nexthopRouter> dev <deviceUsed>
route -A inet6 add 2000::/3 gw 2001:16d8:ff47:1203:2::1 dev eth0
route -A inet6 add ::/0 gw 2001:16d8:ff47:1203:2::1 dev eth0
route -A inet6 del <destination>/<prefixlen> gw <nexthopRouter> dev <deviceUsed>
route -A inet6 del 2000::/3 gw 2001:16d8:ff47:1203:2::1 dev eth0
route -A inet6 del ::/0 gw 2001:16d8:ff47:1203:2::1 dev eth0

Above you see examples for both the ip and the route command for adding and deleting entries (note that ip needs the keyword "via" in front of the next-hop router). In the ip section I used 2000::/3, which is the global unicast range and serves as a substitute for "default"; it is said to circumvent troubles with the term "default" on older Linux systems. In the route part the other notation for "default" is used: "::/0".

Note: Linux kernels 2.4.17 and older don't support default routes properly. Instead you need to use 2000::/3. (The IPv6 unicast space encompasses the entire address range except for ff00::/8, the multicast range we will come across again, but unicast address assignment is currently limited to 2000::/3, so this is much like "default" on IPv4.) [18]

5.3.4.2 Microsoft Windows

As you will surely remember, we have to distinguish between versions up to Windows XP SP1 (ipv6.exe) and newer ones (netsh). In each pair of commands below the first one is for the older generation, the second for the newer.

To display the routing table use:

ipv6 rt
netsh interface ipv6 show routes


To add a new default route use:

ipv6 rtu <destinationNetwork> <scopeID>/<nexthopRouter>
ipv6 rtu ::/0 4/2001:16d8:ff47:1203:1::5

To delete it again, set the lifetime to 0:

ipv6 rtu <destinationNetwork> <scopeID>/<nexthopRouter> life <lifetime>
ipv6 rtu ::/0 4/2001:16d8:ff47:1203:1::5 life 0

The netsh-way of handling this is with the command

netsh interface ipv6 add route <destinationNetwork> <interfaceUsed> <nexthopRouter>
netsh interface ipv6 add route ::/0 LAN-Verbindung 2001:16d8:ff47:1203:2::1
netsh interface ipv6 delete route <destinationNetwork> <interfaceUsed> <nexthopRouter>
netsh interface ipv6 delete route ::/0 LAN-Verbindung 2001:16d8:ff47:1203:2::1

Note: I will not go into detail on how to configure each host, because we will take advantage of the automatic route configuration provided by radvd.

5.3.5 Testing connectivity with traceroute

Traceroute is a very useful utility for checking which way a packet takes through the internet to reach its destination. The output is a list of all hops passed until the target is reached. This is done by manipulating the hop limit (called TTL, time to live, in IPv4) of the packets sent. The first packet has a hop limit of one (the second packet two, and so on). Each router on the way decrements the hop limit by one and forwards the packet; the router that decrements it to zero discards the packet instead and sends an ICMP "Time exceeded" error back to the sender. From the source addresses of these returned ICMP errors you can build the list needed: a table of all routers passed by a packet.

For using traceroute with Linux you need the package iputils installed. You can either download the sources via anonymous ftp [19] or run apt-get install iputils-tracepath.

traceroute6 www.kame.net

For tracerouting an address with Windows you can use either

tracert www.kame.net
tracert6 www.kame.net

When using tracert and the host you are tracing is reachable via both IP versions, IPv6 is chosen over IPv4.

Hosts you can try to ping/traceroute:

www.kame.net (IPv4/IPv6)
www.ipv6.uni-muenster.de (IPv6)
www.join.uni-muenster.de (IPv4/IPv6)

5.4 More routing issues

In the last section I wrote about the basic configuration of addresses and routes on IPv6-enabled hosts; now I want to describe in more detail what had to be done in my network. Let's get our hands on the configuration. In order to have IPv6-reachable hosts on all subnets we need to configure the three routers.

The router in the network called "GesAK" is the one with the configured SixXS tunnel endpoint and therefore supplies IPv6 connectivity. All IPv6 traffic must be routed through this host to reach the tunnel. Keep that in mind when configuring the default routes on the gateway routers of our network, i.e. bart and snowball. But let's do it step by step.


Figure 5.3: Network Overview with IPv4 and IPv6 addressing

Assuring IPv6 connectivity to 2001:16d8:ff47:1203:1::5 (192.168.150.5)

On this host AICCU has been installed (see the section above), so you might not need to change any routing entries. Make sure there is a default route for IPv6 traffic via the tunnel endpoint (2001:16d8:ff00:7b::1) using the sixxs device. If you experience trouble connecting to the IPv6 net and your kernel is not absolutely up to date (2.4.17 or older), you can add another entry targeting 2000::/3 and hope it helps. (You will see that I often preferred 2000::/3 over the term default. In most cases it is only a relic from a time when there was an older kernel on the PCs. Anyway, as long as both work it doesn't matter which you use.) The routes you should have by now are:

2001:16d8:ff00:7b::/64 via :: dev sixxs metric 256 mtu 1200 advmss 1220
2001:16d8:ff47:1203:1::/80 dev eth1 metric 256 mtu 1500 advmss 1440
fe80::/64 dev eth0 metric 256 mtu 1500 advmss 1220
fe80::/64 dev eth1 metric 256 mtu 1500 advmss 1220
fe80::/64 via :: dev sixxs metric 256 mtu 1280 advmss 1220
default via 2001:16d8:ff00:7b::1 dev sixxs metric 1024 mtu 1280 advmss 1220
2000::/3 via 2001:16d8:ff00:7b::1 dev sixxs metric 1024 mtu 1280 advmss 1220
ff00::/8 dev eth0 metric 256 mtu 1500 advmss 1220
ff00::/8 dev eth1 metric 256 mtu 1500 advmss 1220
ff00::/8 dev sixxs metric 256 mtu 1280 advmss 1220

All these routes have been generated automatically except for the entry targeting 2000::/3. It can be added with the following command and is, as already discussed, another way of writing a default route:

ip -6 route add 2000::/3 via 2001:16d8:ff00:7b::1 dev sixxs

The first route in the routing table is generated by AICCU and makes the tunnel network reachable via the virtual interface sixxs. The second route does the same for the network 2001:16d8:ff47:1203:1::/80 via eth1. Routes three to five, destined at fe80::/64, are for link-level communication: to allow e.g. link-local ICMP pings or neighbour discovery there has to be such a route on each interface. As you might have guessed, this causes a problem when sending a packet to a link-local address: all three routes match equally well, so the routing table cannot decide which one to use. Therefore you always have to specify which interface to use when operating on link-local level (see the section "Testing primary connectivity"). Routing entries six and seven were discussed before; they are both default routes to the IPv6 network. The one using the term "default" is added automatically by AICCU. The last three routes are multicast routes. Don't forget to ping6 some IPv6 nodes.
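An added example, not part of the thesis: the Python script below parses GesAK's routing table as printed above and resolves destinations by longest prefix match, the way the kernel does. It shows why 2000::/3 and default can coexist (2000::/3 simply wins as the longer prefix) and why a link-local destination is ambiguous without an output interface (all three fe80::/64 routes match equally well). GESAK_ROUTES is the table copied from above; the function names are mine.

```python
"""Longest-prefix match over an `ip -6 route show` table. Added example."""
import ipaddress

# Routing table of the tunnel router GesAK, copied from the output above
# (constructed input for this example).
GESAK_ROUTES = """
2001:16d8:ff00:7b::/64 via :: dev sixxs metric 256 mtu 1200 advmss 1220
2001:16d8:ff47:1203:1::/80 dev eth1 metric 256 mtu 1500 advmss 1440
fe80::/64 dev eth0 metric 256 mtu 1500 advmss 1220
fe80::/64 dev eth1 metric 256 mtu 1500 advmss 1220
fe80::/64 via :: dev sixxs metric 256 mtu 1280 advmss 1220
default via 2001:16d8:ff00:7b::1 dev sixxs metric 1024 mtu 1280 advmss 1220
2000::/3 via 2001:16d8:ff00:7b::1 dev sixxs metric 1024 mtu 1280 advmss 1220
ff00::/8 dev eth0 metric 256 mtu 1500 advmss 1220
ff00::/8 dev eth1 metric 256 mtu 1500 advmss 1220
ff00::/8 dev sixxs metric 256 mtu 1280 advmss 1220
"""


def parse_routes(text):
    """Return a list of (network, gateway or None, device, metric) tuples.
    `default` is ::/0; `via ::` means directly connected (no gateway);
    `unreachable` entries (as on bart and snowball) are skipped."""
    routes = []
    for line in text.strip().splitlines():
        words = line.split()
        if words[0] == "unreachable":
            continue
        dst = ipaddress.IPv6Network("::/0" if words[0] == "default" else words[0])
        gw, dev, metric = None, None, 0
        for i, word in enumerate(words):
            if word == "via" and words[i + 1] != "::":
                gw = ipaddress.IPv6Address(words[i + 1])
            elif word == "dev":
                dev = words[i + 1]
            elif word == "metric":
                metric = int(words[i + 1])
        routes.append((dst, gw, dev, metric))
    return routes


def lookup(routes, destination, oif=None):
    """All routes that win for `destination`: longest prefix first, lowest
    metric second. More than one winner means the kernel cannot decide
    without an output interface (oif), which is the link-local case."""
    dst = ipaddress.IPv6Address(destination)
    candidates = [r for r in routes if dst in r[0] and (oif is None or r[2] == oif)]
    if not candidates:
        return []
    longest = max(r[0].prefixlen for r in candidates)
    best = [r for r in candidates if r[0].prefixlen == longest]
    lowest = min(r[3] for r in best)
    return [r for r in best if r[3] == lowest]


if __name__ == "__main__":
    table = parse_routes(GESAK_ROUTES)
    for dest in ("2001:16d8:ff47:1203:1::6", "2001:db8::1", "fe80::250:4ff:fe68:ce8"):
        print(dest, "->", [(str(n), str(g), d) for n, g, d, _ in lookup(table, dest)])
    print("fe80 with oif eth1 ->", lookup(table, "fe80::250:4ff:fe68:ce8", oif="eth1"))
```

For bart's address 2001:16d8:ff47:1203:1::6 the directly connected /80 on eth1 wins; for a host somewhere on the internet (2001:db8::1, the documentation prefix) both default routes match and 2000::/3 is chosen; for bart's link-local address three routes tie, which is the ambiguity -I eth0 resolves.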

Getting bart IPv6-reachable

The first step for bart is to set his default route to our IPv6 gateway. This is done with

ip -6 route add 2000::/3 via 2001:16d8:ff47:1203:1::5 dev eth1

Then your routing table should look something like this:

2001:16d8:ff47:1203:1::/80 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 64
2001:16d8:ff47:1203:2::/80 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 64
2000::/3 via 2001:16d8:ff47:1203:1::5 dev eth1 metric 1024 mtu 1500 advmss 1440 hoplimit 64
fe80::/64 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 64
fe80::/64 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 64
ff00::/8 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 1
ff00::/8 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 1
unreachable default dev lo proto none metric -1 error -101 hoplimit 255

Again, the first two routes refer to the directly connected networks, the third one was just added by me, the fe80::/64 routes are for link-local and the ff00::/8 routes for multicast connectivity. This routing table is sufficient to reach the IPv6 gateway but will not, believe me or just try it, result in successful pinging: we first have to enable IP forwarding on the IPv6 gateway. Check whether it is enabled with cat and set it with echo.

(on host: 2001:16d8:ff47:1203:1::5 - GesAK)
cat /proc/sys/net/ipv6/conf/all/forwarding
echo "1" > /proc/sys/net/ipv6/conf/all/forwarding

Now you can ping6 a host residing on the internet from router bart.

Doing the same for snowball

The only thing you have to add manually, as seen above, is the default route (2000::/3) towards 2001:16d8:ff47:1203:1::5. On snowball the network in between is attached to eth0, so that route has to use dev eth0:

2001:16d8:ff47:1203:1::/80 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 64
2001:16d8:ff47:1203:3::/80 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 64
2000::/3 via 2001:16d8:ff47:1203:1::5 dev eth0 metric 1024 mtu 1500 advmss 1440 hoplimit 64
fe80::/64 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 64
fe80::/64 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 64
ff00::/8 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 1
ff00::/8 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 1
unreachable default dev lo proto none metric -1 error -101 hoplimit 255

Configurations to make the main office obtain IPv6 reachability

Bart's configuration is nearly done except for IP forwarding. Bart is the gateway router of the main office network and therefore has to forward packets destined to IPv6 global addresses.

(host: 2001:16d8:ff47:1203:1::6 - bart)
cat /proc/sys/net/ipv6/conf/all/forwarding
echo "1" > /proc/sys/net/ipv6/conf/all/forwarding

Echoing "1" enables IP forwarding, "0" disables it. But a ping from a host behind bart will still not succeed. The remaining problem: although the packets are sent to the correct destination, the replies are not forwarded by the router 2001:16d8:ff47:1203:1::5, because it lacks the matching route. After adding the return route for network 2001:16d8:ff47:1203:2::/80 on 2001:16d8:ff47:1203:1::5 (via its interface to the network in between, which is eth1 on GesAK according to its routing table above), pinging works for all clients on the main office subnet.

(host: 2001:16d8:ff47:1203:1::5 - GesAK)
ip -6 route add 2001:16d8:ff47:1203:2::/80 via 2001:16d8:ff47:1203:1::6 dev eth1

Note: Don’t forget to set the client’s default route to the router of the sub-net (i.e. bart) before testing connectivity.

And now for the branch office

Similar to the part above we simply have to enable IP forwarding on snowball and set an appropriate route back to the network 2001:16d8:ff47:1203:3::/80 on host 2001:16d8:ff47:1203:1::5, the gateway router of the network GesAK.

(host: 2001:16d8:ff47:1203:1::7 - snowball)
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
(host: 2001:16d8:ff47:1203:1::5 - GesAK)
ip -6 route add 2001:16d8:ff47:1203:3::/80 via 2001:16d8:ff47:1203:1::7 dev eth1

Now that the routers are configured there is still one thing left: the routes of the clients. Every client needs a default route to the gateway router of its subnet in order to reach the IPv6 network. This could be done manually, which can take a lot of time in big networks, or with automated solutions like radvd.


5.5 Networking basics

5.5.1 advertising routes with radvd [20] [21] [22] [23]

Automatically configuring hosts that have just come up is one big reason to use IPv6 over IPv4. Instead of configuring IP address and routes on each host new to your network by hand, you can let them configure themselves. The only host the administrator still has to configure is the router, where a program answers autoconfiguration requests. Radvd, the Router ADvertisement Daemon, is such a program, running on BSD and Linux, listening for Router Solicitations (RS) and sending Router Advertisements (RA). When a new host comes up it sends a multicast Router Solicitation and, if there is a correctly configured router running radvd on the subnet, it receives a Router Advertisement. Besides the solicited ones, unsolicited Router Advertisements are sent periodically in between. The information sent includes address prefixes, the MTU of the link and details about the default routers. Note that nothing in this exchange is authenticated: a host trusts whichever router advertises itself on the link, much as an IPv4 host trusts any DHCP server.

I installed radvd with apt-get install radvd. A verbose and a very simple radvd.conf example file come with the installation. I chose the simple one and copied it to /etc:

cp /usr/share/doc/radvd/examples/simple-radvd.conf /etc/radvd.conf

If you want to force e.g. a Windows XP PC to renew the settings it obtained from router advertisements, you can do this with:

netsh interface ipv6 renew interface=”Lan-Verbindung”

It is supposed to also work with ipv6 renew <scopeID>, but it didn't work for me. On Linux-based systems simply restart the interface with ifup --force eth0. But now let's take a closer look at how to configure radvd.

A very simple radvd.conf could look like this:

interface eth0 {
    AdvSendAdvert on;
    prefix 2001:16d8:ff47:1203:2::/80 {
        AdvOnLink on;
        AdvAutonomous on;
    };
};

The first option in the eth0 part, AdvSendAdvert on;, in fact turns radvd on: it specifies whether it should periodically send router advertisements and listen for router solicitations. It no longer needs to be the first option in radvd.conf, but it has to be set to on (default: off). The line prefix 2001:16d8:ff47:1203:2::/80 defines the prefix to distribute. Options for this prefix are AdvOnLink and AdvAutonomous, both set to on. AdvOnLink on tells the receiving host that packets to addresses with this prefix can be sent directly on the link the router advertisement was received on (default: on). AdvAutonomous on means that the prefix may be used to automatically configure an IPv6 address composed of the prefix and an interface identifier derived from the MAC address (default: on). In this context let's take a closer look at the prefix length. It depends on the interface identifier the host appends, and on Ethernet that identifier is 64 bits long: the 48-bit MAC address with ff:fe inserted in the middle and the universal/local bit flipped (modified EUI-64, RFC 2464), which you can see in every autoconfigured address on this page, e.g. fec0::1:250:fcff:fe60:d6d6 for the MAC 00:50:fc:60:d6:d6. A prefix advertised for autonomous configuration therefore has to be a /64; a /80 like the one above is ignored for address formation (the Linux kernel logs a "prefix with wrong length" warning) and is only useful for on-link determination.

Note: It is vital that the prefix length plus the interface token length sums to 128. Otherwise the prefix is ignored and no address is set. [24]

Example of an automatically configured address [21] (this example from the radvd documentation still uses the older scheme of RFC 1972 with a 48-bit Ethernet token and an 80-bit prefix; with today's 64-bit identifiers the prefix would be a /64):

Announced prefix:   5f15:9100:c2dd:1400:8000:0000:0000:0000
Link-layer token:   0800:0040:1726
Configured address: 5f15:9100:c2dd:1400:8000:0800:0040:1726

Additionally, the source address of the router advertisement (by definition the router's link-local address) is used to configure the default route.


Note: Radvd will not start unless IP forwarding is enabled (or if debug-ging is enabled) [25].

My own /etc/radvd.conf looks a little different, since I didn't want to distribute random global addresses but use DHCP:

interface eth0 {
    AdvSendAdvert on;
    MaxRtrAdvInterval 100;
    MinRtrAdvInterval 35;
    AdvManagedFlag on;
    prefix 2001:16d8:ff47:1203:2::/80 {
        AdvPreferredLifetime 500;
        AdvValidLifetime 700;
        AdvAutonomous off;
    };
    # for site local addresses, added by me!
    prefix fec0:0:0:1::/80 {
    };
};

In this configuration eth0 is the interface listening for router solicitations and sending router advertisements. I first enabled router advertisements and then set MaxRtrAdvInterval and MinRtrAdvInterval, which bound the time between two unsolicited router advertisements: after each advertisement a random value between these two numbers is chosen as the delay until the next one. AdvManagedFlag on sets the "managed" flag in the advertisement, telling hosts to use the administered (stateful) protocol, DHCPv6, to obtain their addresses. In this case a server keeps track of the addresses in use and thereby guarantees their uniqueness. You can find further information on this topic in RFC 2462 [26] and in the DHCPv6 documentation.

Next the prefix is set with a preferred and a valid lifetime. The times are given in seconds; the defaults in the radvd version used here were 604,800 (7 days) for the preferred lifetime and infinite (0xffffffff seconds) for the valid lifetime (newer radvd versions use much shorter defaults, so check the radvd.conf man page of your version). The preferred lifetime must not exceed the valid lifetime. In my config I chose to disable AdvAutonomous, because I wanted to distribute more "readable" addresses and for administrative reasons (later I will install a DHCPv6 server to distribute the addresses).

Besides supplying the prefix for global addresses I also send a prefix for site-local addresses. With AdvAutonomous defaulting to on I don't have to add anything else to the config of the site-local prefix: hosts form their site-local address themselves from the prefix and their EUI-64 interface identifier.

Troubleshooting: When using radvd I would recommend you to install radvdump, a program pretty similar to a sniffer, printing out the contents of router advertisements. One big advantage is that the values that are set by default are also displayed.

Note: Radvd is configured and used on bart.sylvia.test for serving the network 2001:16d8:ff47:1203:2::/80 and on snowball.sylvia.test for the network 2001:16d8:ff47:1203:3::/80.

Note: Although mentioned before: radvd does not propagate information to itself. A Linux host with IP forwarding enabled does not process router advertisements (with accept_ra at its default of 1, RAs are only accepted while forwarding is disabled), so every configuration you want to have on your host running radvd has to be done manually (global and site-local IP addresses, routes, etc.).

5.5.2 DHCPv6 using dibbler [27]

As mentioned in the section about radvd, I did not distribute my global IPv6 addresses with radvd. The reason: I have no chance to get anything other than addresses made up of the network prefix and the appended MAC address. In good old IPv4 manner I want to stick to my address scheme (low numbers for servers, high numbers for clients), which will e.g. ease the configuration of a firewall.

When searching for a DHCPv6 server I did not come across a lot of alternatives. I found dhcpv6 on sourceforge, which was not very appealing to me because it lacked documentation, dhcpv6d, which was only for HP-UX, and dibbler, with clients running on Windows and Linux. It didn't take me long to go for the dibbler solution, especially because it came with a nice manual. After downloading and installing the .deb package you have an /etc/dibbler directory containing client.conf, server.conf and relay.conf, the config files for all three types of service. To run each of the services type the appropriate

dibbler-client start
dibbler-server start
dibbler-relay start

“Start” starts a daemon of the selected service running in the background, detached from the console. If you are using dibbler for the first time you might want to see the messages posted directly in the console. If so, simply exchange “start” with “run” (e.g.: “dibbler-server run”). For stopping, you might have guessed, use “stop”, and if you want to see the status of dibbler append “status” to the selected service.

Configuring the server

As mentioned above the configuration is found in /etc/dibbler/server.conf. My dibbler server is installed on marge.sylvia.test, a host residing in the 2001:16d8:ff47:1203:2::/80 network. The simplest form of server.conf would be the following:

iface eth0
{
    class
    {
        pool 2001:16d8:ff47:1203:2::/80
    }
}

We define which interface to use for distributing the dynamically assigned addresses and the address pool to take the addresses from. The pool can also be written

pool minaddress-maxaddress

and if you need to assign addresses on one interface from address pools you can't describe in either of these ways, simply add another class entry holding the next pool of addresses you want to use. Among its many other options dibbler is capable of defining white and black lists, i.e. clients you explicitly want to allow (“accept-only”) or clients you want to ban (“reject-clients”) [28].


But now take a look at my server configuration, for it is prepared for use with relays. To distribute addresses to 2001:16d8:ff47:1203:3::/80 as well while running only one dibbler server you need to relay the DHCP packets. Therefore dibbler relays need to be installed on both gateways, bart and snowball, but let's discuss that later on. (See the figure at the end of the chapter for clarity.)

log-level 7
log-mode short

iface relay1
{
    relay eth0
    interface-id 1007
}

iface relay2
{
    relay relay1
    interface-id 3001
    T1 500
    T2 700
    prefered-lifetime 600
    valid-lifetime 800
    class
    {
        pool 2001:16d8:ff47:1203:3::/80
    }
}

iface eth0
{
    T1 500
    T2 700
    prefered-lifetime 600
    valid-lifetime 800
    class
    {
        pool 2001:16d8:ff47:1203:2::/80
    }
    option dns-server 2001:16d8:ff47:1203:2::5
    option domain sylvia.test
    option ntp-server 2001:16d8:ff47:1203:2::1
}

Let's begin with the part of the configuration we already discussed, “iface eth0”. There are several new options used in here. “T1” is the time after which the client is instructed to renew its address (RENEW), “T2” the time after which the client should send a REBIND. Since preferred and valid lifetime are self-explanatory, I move on to the options section below the class part. With the options you can specify which other information shall be distributed besides the IP address. In this case I supply the DNS server address, the domain name and the NTP server address.

Now for the part of the configuration concerning the relays. The important thing is to start thinking at the portion of the network the client resides in, which is 2001:16d8:ff47:1203:3::/80. The client sends its DHCP request to snowball, the gateway and DHCP relay at its site. The message from the client is encapsulated in a RELAY-FORW message and sent to the next “hop”. It is vital for the server to know where the relayed message was originally received; therefore the “interface-id” is sent together with the encapsulated message. At the next “hop”, that would be bart in my case, the message is encapsulated again and the “interface-id” of bart is added. Then the message is sent to the server. Replies from the server are sent as RELAY-REPL and unwrapped hop by hop on the way back.

iface relay1
{
    relay eth0
    interface-id 1007
}

The snippet of the config file above tells the server that it can reach the service “relay1” on the physical interface eth0 (“relay eth0”) and that its interface-id is set to 1007. The part for relay2 starts again with the information on reaching relay2 via relay1 (“relay relay1”), which in fact makes up the core of the relay configuration. The only additional thing you must not forget is the class part for configuring the IP address pool that should be used at the remote network.
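The two-level encapsulation described above, as an added example in Python (not code from the thesis or from dibbler): each relay wraps what it received in an RFC 3315 RELAY-FORW message carrying hop count, link address, peer address, an Interface-Id option and the original message in a Relay Message option; the server-side function peels the layers again. The interface-ids 3001 and 1007, bart's address 2001:16d8:ff47:1203:1::6 and snowball's address 2001:16d8:ff47:1203:3::1 (from the db.3 reverse zone of the DNS section) are from the thesis; the address snowball uses towards bart and the client's transaction-id are assumed, the SOLICIT is reduced to its header, and the 4-byte encoding of the interface-id is this example's choice, not necessarily dibbler's.

```python
"""DHCPv6 relay encapsulation along the path client -> snowball -> bart -> server.

Added example, not code from the thesis or from dibbler. Builds the RFC 3315
RELAY-FORW wrapping that each relay adds and unwraps the chain as the server
sees it. Interface-ids and the relays' known addresses are from the thesis;
the other values are assumed.
"""
import ipaddress
import struct

SOLICIT = 1
RELAY_FORW = 12
OPTION_RELAY_MSG = 9
OPTION_INTERFACE_ID = 18
RELAY_HEADER_LEN = 1 + 1 + 16 + 16   # msg-type, hop-count, link-address, peer-address


def option(code: int, data: bytes) -> bytes:
    """DHCPv6 option: 2-byte code, 2-byte length, data."""
    return struct.pack("!HH", code, len(data)) + data


def solicit(transaction_id: int) -> bytes:
    """Reduced client SOLICIT: msg-type and 3-byte transaction-id only."""
    return bytes([SOLICIT]) + transaction_id.to_bytes(3, "big")


def relay_forward(inner: bytes, link_address: str, peer_address: str,
                  interface_id: int) -> bytes:
    """Wrap `inner` the way a relay does when forwarding it towards the server.

    RFC 3315 section 20.1: a relay receiving a client message uses hop-count 0
    and its own address on the client's link as link-address; a relay receiving
    a RELAY-FORW from another relay sets link-address to :: and increments the
    hop-count. peer-address is always the source of the received message.
    """
    if inner[0] == RELAY_FORW:
        hop_count, link_address = inner[1] + 1, "::"
    else:
        hop_count = 0
    header = (struct.pack("!BB", RELAY_FORW, hop_count)
              + ipaddress.IPv6Address(link_address).packed
              + ipaddress.IPv6Address(peer_address).packed)
    # interface-id is opaque on the wire; a 4-byte integer is this example's choice
    return (header
            + option(OPTION_INTERFACE_ID, struct.pack("!I", interface_id))
            + option(OPTION_RELAY_MSG, inner))


def unwrap(message: bytes):
    """Peel every RELAY-FORW layer, outermost (nearest the server) first.

    Returns ([(hop_count, link_address, peer_address, interface_id), ...],
    client_message). The server answers with RELAY-REPL messages nested the
    same way, which is how each relay learns where to deliver the reply.
    """
    layers = []
    while message and message[0] == RELAY_FORW:
        hop = message[1]
        link = str(ipaddress.IPv6Address(message[2:18]))
        peer = str(ipaddress.IPv6Address(message[18:34]))
        pos, ifid, inner = RELAY_HEADER_LEN, None, None
        while pos + 4 <= len(message):
            code, length = struct.unpack("!HH", message[pos:pos + 4])
            data = message[pos + 4:pos + 4 + length]
            if code == OPTION_INTERFACE_ID:
                ifid = struct.unpack("!I", data)[0]
            elif code == OPTION_RELAY_MSG:
                inner = data
            pos += 4 + length
        if inner is None:
            raise ValueError("RELAY-FORW without a Relay Message option")
        layers.append((hop, link, peer, ifid))
        message = inner
    return layers, message


def example_chain() -> bytes:
    """The message flow of figure 5.4 for a client on 2001:16d8:ff47:1203:3::/80."""
    client_ll = "fe80::2e0:7dff:fe01:15a2"       # client link-local (thesis)
    snowball_eth1 = "2001:16d8:ff47:1203:3::1"   # snowball on the client link (db.3 zone)
    snowball_eth0 = "2001:16d8:ff47:1203:1::7"   # assumed: snowball's address towards bart
    msg = solicit(0xabcdef)                      # assumed transaction-id
    msg = relay_forward(msg, snowball_eth1, client_ll, 3001)   # relay on snowball
    msg = relay_forward(msg, "::", snowball_eth0, 1007)        # relay on bart
    return msg                                   # what arrives at the server on marge


if __name__ == "__main__":
    for layer in unwrap(example_chain())[0]:
        print("hop=%d link=%s peer=%s interface-id=%s" % layer)
```

Reading the unwrapped layers from the outside in gives exactly the two interface-ids the server configuration above names, which is all the server needs to pick the class for the remote pool.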

Note: Setting log-level to 5 or less can result in strange behavior.

Note: The log file is located at /var/lib/dibbler/server.log.

Configuring the relays

After we made it this far the configuration of the relays is pretty easy. Let's start with bart's /etc/dibbler/relay.conf file (relay.conf is the config file read by dibbler-relay):

log-level 8
log-mode short

# connected network: 2001:16d8:ff47:1203:2::/80
iface eth0
{
    server multicast yes
}

# connected network: 2001:16d8:ff47:1203:1::/80
iface eth1
{
    client unicast 2001:16d8:ff47:1203:1::6
    interface-id 1007
}

“server multicast yes” makes eth0 the server-facing side: messages forwarded to the server leave eth0 with a multicast destination (remember that all DHCP messages a client sends during the negotiation of an address are multicast). On eth1, on the other hand, bart only listens for (relayed) client messages destined to 2001:16d8:ff47:1203:1::6. “interface-id”, as discussed, is an identifier for a particular interface and has to be unique (you might think of it as a kind of “ethernet segment identifier”).

And at last the configuration of snowball is still left:

log-level 8
log-mode short

# connected network: 2001:16d8:ff47:1203:1::/80
iface eth0
{
    server unicast 2001:16d8:ff47:1203:1::6
}

# connected network: 2001:16d8:ff47:1203:3::/80
iface eth1
{
    client multicast yes
    interface-id 3001
}

“server unicast 2001:16d8:ff47:1203:1::6” tells the relay to send forwarded messages to the specified address (which is bart in my case, the next hop for snowball). On eth1, the side where the clients are connected, snowball listens for client messages with a multicast destination (a client that comes up first sends a multicast SOLICIT to the All_DHCP_Relay_Agents_and_Servers address ff02::1:2). The “interface-id” is set to 3001.

Figure 5.4: Message flow of a client-initiated DHCP message via 2 relays

Configuring a client

Now that we have configured server and relays we need to think about the clients as well. The easiest way to configure a client is not configuring it, which means: if you don't want any special configuration except for a randomly chosen IPv6 address from the address pool specified on the server on each interface of a dibbler-running client, you can leave the configuration file empty. On the other hand, if you want to receive DNS and NTP server details from the dibbler server, this has to be set in client.conf. You can also define an IP address if you want a client to always get the same one. A (Windows) client configuration file would look like this (there's no difference between Windows and Linux config files except for the term used for the interface: “Local Area Connection” (“LAN-Verbindung”) on Windows, eth0 (you don't need quotes here) on Linux):

log-mode short
log-level 7

iface "LAN-Verbindung"
{
    option dns-server
    option domain
    option ntp-server
    ia
    {
        address
        {
            2001:16d8:ff47:1203:3::11
        }
    }
}

If you want to set some options in your client.conf but don't care which address your host gets, clear the “ia {...}” part and replace it with “ia”. “ia” stands for Identity Association and is a logical unit representing the address(es) used to perform some function. The correct use of the term ia is: “ia <number>” where number defaults to 1 and stands for the number of IAs that should be requested (i.e. setting “ia 2” makes you receive 2 addresses; see the manual for details).

One thing that came to my mind when configuring my dibbler clients was how unhandy it is to go to each client in a network and configure it locally, for you can't always access each client in a big network. I wrote to Tomasz Mrugalski, one of the two developers of dibbler, and he had an idea how to define a specific client's address server-side. Snippet from a server.conf he sent me:

class {
    accept-only fe80::2e0:7dff:fe01:15a2
    pool 2000::1
}

class {
    accept-only 0x000100064306ed0900609711d5f0
    pool 2000::2
}

class {
    pool 2000::3-2000::ff
}

This configuration would allow only the host with link-local address fe80::2e0:7dff:fe01:15a2 to get an address from the address “pool” 2000::1/128 and a host with DUID 0x000100064306ed0900609711d5f0 to get the address 2000::2. All other hosts would receive addresses from the pool specified in the last class section. This way changes in address allocation can be made on the server only. Keep in mind that neither a link-local address nor a DUID is authenticated: both are chosen by the client, so a fixed assignment of this kind is an administrative convenience, not a security control.

I'd recommend running dibbler-client, after testing its configuration (“Client run in console”), as a service in order to start it up automatically. Don't forget to start the client for the first time manually after having installed it as a service.

Troubleshooting: For troubleshooting dibbler I would recommend, of course, reading the log file (on Windows systems located directly in the directory dibbler is installed in), and my all-time favorite tool: ethereal. To see which port it is listening on I used “netstat -lnptu”, which shows the service behind each port, for nmap only provides TCP scans over IPv6 by now. (There is a patch for nmap doing IPv6 UDP scans at http://nmap6.sourceforge.net - see the nmap section below.)

SUSE: When installing dibbler-client on SUSE the client could not be started until I manually created a directory /var/lib/dibbler and ran “chmod 777 /var/lib/dibbler” (I know, this is not beautiful, but it works).

Note: I chose not to configure my dibbler relays via a dibbler client but rather to use static IP addressing. The main reason was that I experienced trouble bringing all of the services up in the right order after weather-related power failures.

5.5.3 DNS [30] [29]

Since I am using BIND9 I do not have to install any other software or patch, for it supports IPv6 natively (BIND9 is the first version fully supporting IPv6; use a version later than 9.1.3, for there are some security problems patched there). If you are familiar with the use of IPv4 DNS records you won't experience any trouble here, for the only thing that changes is the type of record used. For IPv4 you use the resource record “A” and for IPv6 it's “AAAA”, spoken “Quad-A”. Reverse lookups are likewise stored in a “PTR” resource record (i.e. “pointer”), but the owner name is represented differently.

For reverse lookups a special domain rooted at “IP6.ARPA.” is defined, providing the mapping of IPv6 addresses to hostnames. The owner name is the full 128-bit address written as a sequence of 32 dot-separated hex nibbles in reverse order (so an abbreviated “::” has to be expanded first). Example reverse lookup domain name for a given IP:

2001:16d8:ff47:1203:3::11
1.1.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.2.1.7.4.f.f.8.d.6.1.1.0.0.2.IP6.ARPA.

In order to have IPv6 lookups you have to add IPv6 entries to your zone data and enable the server to handle IPv6 requests. You can either choose to set both an A and an AAAA record on one host name, or create IPv6-only hostnames. A DNS lookup for a hostname configured with both addresses returns both; which one is used for the connection is then up to the client's address selection, which on a host with working IPv6 normally prefers the IPv6 address.

homer      A     192.168.200.12
           AAAA  2001:16d8:ff47:1203:2::12

flanders6  AAAA  2001:16d8:ff47:1203:2::24

After adding the AAAA records we can start coping with reverse lookups. First of all you need to include the zone files in /etc/bind/named.conf. Since I have two different subnets, 2001:16d8:ff47:1203:2::/80 and 2001:16d8:ff47:1203:3::/80, I wrote two zone files called “db.2” and “db.3”, included by these lines:

# /etc/bind/named.conf
zone "2.0.0.0.3.0.2.1.7.4.f.f.8.d.6.1.1.0.0.2.ip6.arpa" {
    type master;
    file "/etc/bind/db.2";
};

zone "3.0.0.0.3.0.2.1.7.4.f.f.8.d.6.1.1.0.0.2.ip6.arpa" {
    type master;
    file "/etc/bind/db.3";
};

The corresponding PTR records are defined in the zone files. See /etc/bind/db.3 for an example IPv6 reverse lookup zone file:

;
; BIND reverse data file for zone branch office
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                        2005081901      ; Serial
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL
;
@       IN      NS      ns1.sylvia.test.
1.0.0.0.0.0.0.0.0.0.0.0    IN   PTR   snowball.sylvia.test.
1.1.0.0.0.0.0.0.0.0.0.0    IN   PTR   snowball2.sylvia.test.
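The nibble reversal of the reverse lookup name above and the zone-relative owner names in db.3 are easy to get wrong by hand (a dropped zero silently points the PTR at a different address). As an added example, not code from the thesis, the following Python derives the full ip6.arpa name, the zone name for a prefix cut at a nibble boundary such as the /80 networks used here, the owner name of a host within that zone, and the PTR lines for a zone from a host table; the addresses and names are those of snowball and snowball2 above.

```python
"""ip6.arpa reverse names for the BIND zones in this section.

Added example, not code from the thesis. Derives the full reverse name of an
address, the zone name for a prefix cut at a nibble boundary, the owner name
of an address relative to such a zone, and PTR lines for a host table.
"""
import ipaddress


def _nibbles(addr) -> str:
    """All 32 hex digits of an address, with the :: abbreviation expanded."""
    return ipaddress.IPv6Address(addr).exploded.replace(":", "")


def reverse_name(addr: str) -> str:
    """Full owner name under ip6.arpa (32 labels, least significant first)."""
    return ".".join(reversed(_nibbles(addr))) + ".ip6.arpa."


def reverse_zone(prefix: str) -> str:
    """Zone name covering `prefix`; the prefix length must be a multiple of 4."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("reverse zones cut at nibble boundaries, got /%d" % net.prefixlen)
    zone_nibbles = _nibbles(net.network_address)[: net.prefixlen // 4]
    return ".".join(reversed(zone_nibbles)) + ".ip6.arpa"


def owner_in_zone(addr: str, prefix: str) -> str:
    """Owner name of `addr` relative to the reverse zone for `prefix`."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    ip = ipaddress.IPv6Address(addr)
    if net.prefixlen % 4 or ip not in net:
        raise ValueError("%s is not a host of a nibble-aligned zone %s" % (addr, prefix))
    host_nibbles = _nibbles(ip)[net.prefixlen // 4:]
    return ".".join(reversed(host_nibbles))


def ptr_records(prefix: str, hosts: dict) -> list:
    """Zone-file PTR lines for {address: fqdn}, ordered by address."""
    lines = []
    for addr in sorted(hosts, key=ipaddress.IPv6Address):
        fqdn = hosts[addr] if hosts[addr].endswith(".") else hosts[addr] + "."
        lines.append("%s IN PTR %s" % (owner_in_zone(addr, prefix), fqdn))
    return lines


if __name__ == "__main__":
    # addresses and names from the db.3 zone of the thesis
    branch = {"2001:16d8:ff47:1203:3::1": "snowball.sylvia.test",
              "2001:16d8:ff47:1203:3::11": "snowball2.sylvia.test"}
    print(reverse_name("2001:16d8:ff47:1203:3::11"))
    print(reverse_zone("2001:16d8:ff47:1203:3::/80"))
    print("\n".join(ptr_records("2001:16d8:ff47:1203:3::/80", branch)))
```

Running it against the two /80 networks of this chapter reproduces the zone names used in named.conf above, and the generated lines can be pasted into db.2 and db.3 as they are.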

Now you are done with setting your address details, but there is some configuration of BIND left. One thing is to tell it to listen for IPv6 requests. This is done in /etc/bind/named.conf.options (this file is included by /etc/bind/named.conf).

# the acl has to be defined before it is referenced: named does not
# resolve forward references to acl names
acl internal-net {
    127.0.0.1;
    192.168.0.0/16;
    ::1/128;
    2001:16d8:ff47:1203::/64;
};

options {
    directory "/var/cache/bind";
    forwarders
    {
        192.168.100.2;
    };
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    allow-query { internal-net; };
};

In here we have the rules for IPv4 and IPv6 communication. 192.168.100.2 is the Berufsförderungsinstitut Burgenland name server that is queried, and “allow-query { internal-net; };” defines that all subnets listed in the acl named “internal-net” are allowed to query the server (the acl statement has to come before the options block that references it, since named does not accept forward references to acl names). Added to the existing configuration is the very important

listen-on-v6 { any; };

directive, which makes named accept queries on its IPv6 addresses. With the BIND version used here you cannot bind specific addresses; the only options allowed are “any” and “none” (later BIND 9 releases accept specific addresses here as well). Please note that listening on all IPv6 addresses is a security risk unless the queries are restricted, which is what the allow-query acl is for. In the acl (short for Access Control List) “internal-net” I added

::1/128;
2001:16d8:ff47:1203::/64;

in order to allow localhost and the whole test network I set up to querythe nameserver.

After restarting bind you can see it listening on IPv6 interfaces using “netstat -lnptu | grep named”. The address of the IPv6-reachable nameserver is already distributed by dibbler, so I don't have to change any DNS settings on the clients. The first thing you should try now is to connect to bind via an IPv6 address with a simple

dig localhost @::1

If this returns an answer you can move on to querying a hostname with an A and a quad-A entry like the following (you need to set “-t any”, as otherwise dig only asks for the A record and only that one is returned):

marge:~# dig -t any homer.sylvia.test @::1

Figure 5.5: Output for dig -t any homer.sylvia.test @::1

Note: If you only get the old configuration displayed without the addedIPv6 entries flush your DNS cache and try again. For Windows use“ipconfig /flushdns” and on the Linux PC running BIND you can dothe same with “rndc flush”.

Be also sure to try this on other hosts to see if the acl does not exclude hoststhat should have access to the nameserver.

Another way of testing your DNS server is using the command “host”

knoppix@1[knoppix]$ host -t aaaa homer.sylvia.test 2001:16d8:ff47:1203:2::5
Using domain server:
Name: 2001:16d8:ff47:1203:2::5
Address: 2001:16d8:ff47:1203:2::5#53
Aliases:

homer.sylvia.test has AAAA address 2001:16d8:ff47:1203:2::12

To test reverse lookup functionality use

dig -x 2001:16d8:ff47:1203:2::5

With routes advertised, addresses distributed and DNS entries set we can say we do have a running IPv6 network by now. We have even pinged and tracerouted IPv6 hosts residing somewhere on the internet, so what else could there be? ;o)

Note: When doing name resolution with Linux, IPv6 is also used as pro-tocol for the query. Microsoft has not yet enabled this functionality.

The next step is to ensure IPv6 connectivity for the services already used in the IPv4 network, to be ready when someday there are IPv6-only networks.


5.6 Migrating the services [31]

Now that each PC on the network is IPv6 enabled we need services that make use of it. First let's go online and see the dancing turtle!

5.6.1 Browsers: Firefox and Internet Explorer

When you try to access an IPv6-hosted homepage don't forget to disable proxying, for the squid running on the system does not support IPv6 and therefore will not connect. After changing my firefox's preferences to access the internet directly I tried to surf to

http://www.kame.net

and if the IPv6 configuration works, you can see why I was talking about a dancing turtle. This site is reachable via IPv4 and IPv6, but if you can see the turtle dancing you connected to this website via IPv6! In addition to this you can read your IPv6 address at the very bottom of this page. This has been worth all the trouble, am I right?

There’s nothing else left to explain when using the Internet Explorer 6.Simply uncheck the use-proxy option and go for www.kame.net.

5.6.2 Web-Proxy: Privoxy [32]

There are several web proxies supporting IPv6 connections: wwwoffle v2.7, a patch for squid v2.5, privoxy v3.1.1, www6to4 v1.5, Prometeo v1.4, ffproxy v1.6-RC1 and polipo v0.9.x. Among all these possibilities I chose to use the Junkbuster-based privoxy, for it offers huge possibilities in the field of filtering, access control, cookie management and the removal of ads, banners and pop-ups, and because I wanted to try some new software besides always using squid. You will find executables for several operating systems on the home page and there is a CVS repository you can use as well.

I chose to wget the sources and build them. When trying to run “make” my PC prompted me to install “autoconf” (apt-get install autoconf). After re-running “make” and switching to root with “su” you can see where your files will be installed with “make -n install”. If you are pleased with what's going on, “make install”.

Then I had to “adduser privoxy” and “addgroup privoxy”. Your privoxy installation resides in /usr/local/etc/privoxy and the log file is located in /var/log/privoxy. The first step now is to modify the config file /usr/local/etc/privoxy/config.

confdir /usr/local/etc/privoxy
logdir /var/log/privoxy
# The actions file(s) to use
actionsfile standard   # Internal purpose, recommended
actionsfile default    # Main actions file
actionsfile user       # User customizations
filterfile default.filter
logfile logfile
jarfile jarfile
# error page at untrusted sites
trust-info-url http://www.example.com/why_we_block.html
trust-info-url http://www.example.com/what_we_allow.html
debug 512   # common log format
# address and port the server is listening on
listen-address 127.0.0.1:8118
listen-address [2001:16d8:ff47:1203:2::5]:8118

# toggle off disables any filtering, blocking, etc.
toggle 0
enable-remote-toggle 0
enable-edit-actions 0
# only the local /80 may use the proxy (prefix 2001:16d8:ff47:1203, as
# everywhere else in this network)
permit-access [2001:16d8:ff47:1203:2::]/80

buffer-limit 4096

The changes I made were the settings for the confdir, the debug level,listen-address, all toggling options and the permit-access option. Aftersetting the values appropriate to your system you can start privoxy with/etc/init.d/privoxy start.

After setting the proxy settings of a firefox used in the network to [2001:16d8:ff47:1203:2::5] (you could also use “marge6” instead) at port 8118 you can surf the net using privoxy. For configuring privoxy in more detail there is a web interface you can access locally. Since I am not using a GUI on my Debian system I configured my lynx to use privoxy as a proxy in /etc/lynx.conf (set the line “http_proxy:http://127.0.0.1:8118/”) and then ran “lynx http://config.privoxy.org”. If you want to set the new IPv6 proxy in Internet Explorer you can only use the name “marge6” (or the fully qualified domain name) but not the address itself. If you try to use the address, Internet Explorer will not warn you or tell you it could not find the proxy but rather just doesn't use it and accesses the internet directly. Taking a look at the settings of the proxy again you will see something like this:

Figure 5.6: Proxy settings with Internet Explorer 6

Note: I used the IP address display at www.kame.net to see whether theproxy was used or not.

Windows2k: Although I could ping6 marge6.sylvia.test and ping6 www.kame.net I could not manage to display a site reached via the IPv6 proxy, in neither Firefox nor Internet Explorer. Firefox told me that the proxy could not be found and Internet Explorer that the site could not be displayed.

5.6.3 http-server: apache

Now that we can access IPv6 sites on the internet, let's make our own http server reachable via IPv6. There are patches for apache 1.3 to support IPv6, but I'd recommend using >= 2.0.14 (I use 2.0.54), for it supports IPv6 natively. Native support is always a good thing because it reduces the things you have to do to a minimum. With apache you now only have to add a “Listen” directive telling it to also listen for IPv6 requests, then restart, and you are done. This entry has to be made in /etc/apache2/ports.conf and looks like this (this is the only entry in here):

Listen [2001:16d8:ff47:1203:2::5]:80

After restarting apache you can access your apache installation with Firefox at (both are possible here)

http://marge6.sylvia.test
http://[2001:16d8:ff47:1203:2::5]

Internet Explorer only supports the FQDN for an address here.

In order to define a virtual IPv6 host you can change /etc/apache2/sites-available/www6 and be sure that there is a symbolic link from /etc/apache2/sites-enabled/ to this file. To have a virtual host responding to the request “www6.schuh-tv.at” add

ServerName www6.schuh-tv.at
ServerAdmin [email protected]

in the <VirtualHost *> </VirtualHost> section. See my www6 file in thecode appendix.

Figure 5.7: HTTP_GET command from snowball2(2001:16d8:ff47:1203:3::11) to the webserver marge (also calledns1.sylvia.test)

5.6.4 database: MySQL

The currently available MySQL-versions (4.x, 5.0) do not support IPv6.MySQL 5.1 could be the first version supporting it (At the time I am writ-ing this 5.1 alpha is released and there is no information on the implemen-tation of IPv6 available in the documentation of 5.1.). [33]

PostgreSQL v8.0 on the other hand does support IPv6. As far as I could find out it is included by default, and hosts contacting the database need to be specified in “pg_hba.conf”. [34]


5.6.5 filesharing using Windows

When I started migrating the network, or better, before I started, I was very afraid of migrating such vital things as DNS, routing, etc. and was of the opinion that as soon as you change the protocol used to IPv6 all services would work instantly. I was proven wrong when I tried to do file sharing with Windows. Since I was using Windows 2000 Advanced Server for file sharing via IPv4 there was no need for me to change the system for use with IPv6, or so I thought. After reading nearly every entry found by Google matching the word “IPv6” I decided to ask those who should know about it: the people from Microsoft (I also bought the Microsoft-suggested book “Understanding IPv6”, for it holds a chapter concerning IPv6 file sharing. If you think of buying it: take my advice and don't do it!). Some technician then told me that sharing files is only supported for Windows Server 2003 and gave me a link as a starting point for my research [35].

I got myself a new PC and installed Windows 2003 advanced server on it.The hostname is wiggum.sylvia.test with IP addresses 192.168.200.19 and2001:16d8:ff47:1203:2::13 (installing IPv6 on W2k3 is the same as WXP).After installing some basic services I was very eager to try IPv6 file shar-ing. I defined some folders to share and tried to connect to the server froma Windows XP PC by typing \\wiggum in Windows Explorer. For I wasgetting meaningless errors I decided to switch to the commandline and tryevery connect with

net use * \\host\share

to get better information about the error. My error code was 59 with the message that an unexpected network error has occurred, or error 53, “network path not found”. Then, I thought to myself, before trying and hoping that Windows XP is able to cope with IPv6 file sharing, I had better set up another Windows 2003 Advanced Server. This time I used the former homer.sylvia.test, because Windows 2000 only supports IPv6 to the extent of pinging and tracerouting. (Before I cleared the hard disk I copied the data stored for Active Directory. Read the Active Directory chapter below.)

The new Windows 2003 server had hostname flanders.sylvia.test and IPaddresses 192.168.200.36 and 2001:16d8:ff47:1203:2::24.

Trying “net use * \\wiggum6.sylvia.test\daten” (wiggum6 is an AAAA record pointing at a global address) between these two nodes first resulted in error 67. Looking for workarounds or solutions to this error I found out that restarting the distributed file system on the file server could help. After the restart I got error 1231, “network location cannot be reached”. I read some article about reinstalling your NIC to get rid of these troubles. In addition to these errors I had events 1030 and 1058 in my event log, which usually are indicators of a DFS (distributed file system) that is not running.

So you might be curious whether I now have a working file sharing system via IPv6, and the proud answer is yes. So what had to be done in order for it to work: first I got myself a new hard disk, put it in my wiggum.sylvia.test and set up a fresh Windows 2003 server again (this was just because I got more and more daring when trying to solve the errors and had reconfigured nearly everything). So with two totally clean and newly set-up Windows 2003 PCs I tried it again, and it didn't work until I got the idea of using site-local addresses instead of global addresses. As you saw in the chapter concerning radvd, I distribute site-local addresses with prefix fec0:0:0:1::/80 dynamically. For easier use I decided to save a DNS record for the site-local file server address in bind.

wiggum AAAA fec0::1:20a:5eff:fe22:afd6

Before trying to connect to the network share be sure to have the IPv6 firewall disabled and IPv6 file sharing enabled.

To disable the firewall simply type:

netsh interface ipv6 set interface interface="LAN-Verbindung" firewall=disabled

Note that this exposes every IPv6 service on that interface, not just the file sharing port 445; once the share works, re-enable the firewall or restrict it to the ports you actually need.

To enable IPv6 file (and print) sharing go to the “control panel” and open the “network connections”. In the menu “Advanced” (“Erweitert”) you will find an entry called “advanced settings” (or maybe it is called “advanced properties” - I am lacking an English Windows version here; in German it is called “erweiterte Einstellungen...”).

In the advanced settings, be sure that you check everything you find con-cerning IPv6 ;-) for the activated LAN connection.

Figure 5.8: The menu “Advanced” in German

Now, if you dare, type

net use * \\wiggum.sylvia.test\daten

and your network share will be connected via IPv6. If you don’t trustyour computer, simply sniff it using ethereal. Please see mine below andnote that these packets are not the beginning of the communication northe end, just one nice part you can show off with because it reveals thefolder opened.

fec0::1:250:baff:fe17:2d3d is site local address for flanders. The connectionalso works when typing \\wiggum.sylvia.test\daten in your Windowsexplorer.

For the sake of completeness I also have to write about the last error I had before I got that far: it was error 52, indicating a duplicate host or cname entry for one IP address. The advice Microsoft's knowledge base gave me was to check DNS or WINS settings or change the host name on one of the clients. The thing that went wrong here was the DNS configuration, for it was holding an A and an AAAA record for the same hostname. Although it should have worked that way as well, I decided wiggum should be an IPv6-only record.

Note: By the way, if you are curious which port Microsoft uses: look for 445, named “microsoft-ds”, with “nmap -6 wiggum”.

Note: Differing from older Microsoft operating systems, Windows 2003 sets network shares read-only per default. I then set the permission for user “everyone” to read/write, which didn't help a lot. Only after setting every user in my system (ok, I only have two) the permission to read/write did I have write access to the remote folder.

Figure 5.9: The dialog popping up when choosing the “advanced settings”

Figure 5.10: Some packets during IPv6 file sharing; packet number 33 holds the path opened

Linux: Much to my surprise I had to find out that there was currently no IPv6-capable smb client. There is a patch available for Samba versions 2.2.3 - 2.2.5 from the year 2002, but when posting to some newsgroups asking whether this worked for someone I got no positive responses. [36]

I guess one can not measure the time I spent on this little problem and likeso many times it is always a combination of several problems. While I wastrying to set up filesharing in vain I also decided to look for alternativesand found WebDAV.

Note: According to a paper [37] updating the book “Understanding IPv6” and a mail I received from Microsoft Austria, file sharing should be possible with IPv6 global addresses as well. In the mail I got a registry key to enter in order to enable it: set a DWORD with value “1e” and name “IPv6Protection” under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Smb\Parameters. This did not work for me.

5.6.6 filesharing: WebDAV [38] [39]

The way Tim Berners-Lee initially thought of the internet was as a read- and writeable medium. With the internet growing it turned itself into a read-only medium, and this is exactly the point where WebDAV starts. WebDAV is short for Web-based Distributed Authoring and Versioning and refers to the IETF working group as well as the HTTP extension they defined. It has abilities to create, change and move documents on a remote server and can be used for authoring or simple storage of data. The data can be accessed via http on port 80, so you won't have firewall-related problems. It is platform independent and most operating systems have built-in features to support WebDAV.

In order to have a working WebDAV implementation you need an HTTP server. On the Windows side of life you could use IIS for Windows Server 2003, which should support IPv6 (I did not find the proof on the internet nor tried it myself), or simply use Apache. As you might have guessed I used Apache. In the mods-available folder of your /etc/apache2 directory you will find three modules concerning WebDAV called “dav.load”, “dav_fs.conf” and “dav_fs.load”. The first step to enable these modules is simply to make a symbolic link from the folder /etc/apache2/mods-enabled to these three modules.

ln -s /etc/apache2/mods-available/dav* /etc/apache2/mods-enabled

Next step is to append the following paragraph to the file /etc/apache2/apache2.conf:

## my changes for webDAV
DAVLockDB /tmp/DAVLock
DAVMinTimeout 600
<Location /dav>
    DAV On
    AuthType Basic
    AuthName "WebDAV Restricted"
    AuthUserFile /var/www/webdavpasswd
    <LimitExcept GET HEAD OPTIONS>
        Require valid-user
    </LimitExcept>
</Location>

This sets up a WebDAV directory for the folder “dav” in your document root with authentication type “Basic”; the authentication information is looked up in /var/www/webdavpasswd.

Now you have to create a new directory called “dav” in your document root /var/www. If you are not sure where your document root is, look at the file /etc/apache2/sites-enabled/default. The owner and group of this directory have to be changed to www-data and correct permissions have to be set.

chown www-data.www-data /var/www/dav
chmod 775 /var/www/dav

Next step is to create username and password in order to have users allowed to access the WebDAV contents, which is done by

htpasswd -c /var/www/webdavpasswd username
htpasswd /var/www/webdavpasswd otherUsername

The first line “htpasswd -c /var/www/webdavpasswd username” creates a new file (-c indicates the creation of a new file, so be careful not to append this when adding additional users) called /var/www/webdavpasswd (as defined in apache2.conf) storing information on the user called “username”. The second line shows how to add an additional user called “otherUsername”. After restarting Apache your WebDAV is ready to use.

In order to test my WebDAV I installed a Linux command-line based WebDAV client called cadaver.

cadaver http://marge.sylvia.test/dav


prompts me for the password and opens the WebDAV folder. Use commands like put, get, ls, less, cat, delete, copy, move and many more to perform actions on files.

To have WebDAV functionality on Windows you have to do a little bit more. If you want to have the WebDAV resource as an entry in your “My Network Places” choose “Add Network Place” within your “My Network Places”. The “Add Network Place Wizard” pops up and in the next two steps you simply supply the address for the resource and the username-password pair and everything works fine, or so I thought.

In my case I got the error “the folder you entered does not appear to be valid” indicating that you are lacking

• the software update for web folders (Knowledge Base article KB892211)

• a DWORD called “UseBasicAuth” with value set to 1 at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters\

Another tip I found on the internet that was working for one of the PCs (running WinXP SP2) was appending :80 to the address of the resource (http://marge.sylvia.test:80/dav), which loads the old Windows 2000 driver (that might be more likely to work in this context). Then, after doing all this troubleshooting, some of my Windows computers could do WebDAV filesharing and some didn’t. Like so often during the work on my thesis I decided to use Ethereal in order to find out what really happened and this brought the solution for me: Be sure not to use a proxy when connecting to WebDAV (you can guess that system administrators won’t like that for they are losing control). After these simple steps my WebDAV directory was reachable via Windows as well.

Figure 5.11: packets sent during the login to the WebDAV server

In the picture above you see three packets during the login to a WebDAV server from bart to marge (i.e. the WebDAV server) indicating that authentication is required. The third packet shows which folder is opened and I only added the part below the grey line to show that IPv6 is used here ;-).

Note: I experienced an interesting behavior when trying to access a WebDAV share via web browser. There was no user authentication and data could be transferred without any restrictions.
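The behaviour in the note follows from the <LimitExcept GET HEAD OPTIONS> block in the apache2.conf snippet above: the Require directive only applies to the methods not listed there, so a browser's GET is served without credentials. The following added example (my own code, not from the thesis or from Apache) reads such a <Location> block and lists the methods that bypass authentication, and contrasts it with a constructed variant that puts Require valid-user outside any <LimitExcept>.

```python
"""Which HTTP methods does an Apache <Location> block leave unauthenticated?

Added example, not from the thesis: a small parser for the WebDAV
<Location> snippet used above. It models Apache's rule that a
`Require` inside <LimitExcept A B C> applies to every method except
A, B and C, so those methods are served without credentials.
"""
import re

# Methods a WebDAV client may use (RFC 4918 plus the basic HTTP ones).
WEBDAV_METHODS = (
    "GET", "HEAD", "OPTIONS", "POST", "PUT", "DELETE",
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
)

# The snippet from apache2.conf as written in the thesis (constructed copy).
THESIS_CONFIG = """
<Location /dav>
    DAV On
    AuthType Basic
    AuthName "WebDAV Restricted"
    AuthUserFile /var/www/webdavpasswd
    <LimitExcept GET HEAD OPTIONS>
        Require valid-user
    </LimitExcept>
</Location>
"""

# Same block with `Require valid-user` outside any <LimitExcept>, so that
# reading a file needs credentials too (constructed variant, not from the thesis).
ALL_METHODS_CONFIG = """
<Location /dav>
    DAV On
    AuthType Basic
    AuthName "WebDAV Restricted"
    AuthUserFile /var/www/webdavpasswd
    Require valid-user
</Location>
"""

# <Limit ...> or <LimitExcept ...> section with its body; \1 forces the matching close tag.
_LIMIT_RE = re.compile(
    r"<(Limit|LimitExcept)\s+([^>]+)>(.*?)</\1>", re.DOTALL | re.IGNORECASE)
_REQUIRE_RE = re.compile(r"^\s*Require\b", re.MULTILINE | re.IGNORECASE)


def protected_methods(block: str, methods=WEBDAV_METHODS) -> set:
    """Return the methods for which some `Require` directive applies."""
    protected = set()
    for m in _LIMIT_RE.finditer(block):
        kind, body = m.group(1).lower(), m.group(3)
        listed = {x.upper() for x in m.group(2).split()}
        if _REQUIRE_RE.search(body):
            if kind == "limit":          # <Limit>: only the listed methods
                protected |= listed & set(methods)
            else:                        # <LimitExcept>: everything NOT listed
                protected |= set(methods) - listed
    # A Require outside any <Limit*> section covers every method.
    if _REQUIRE_RE.search(_LIMIT_RE.sub("", block)):
        protected |= set(methods)
    return protected


def unauthenticated_methods(block: str, methods=WEBDAV_METHODS) -> set:
    """Methods a client can send to the location without any credentials."""
    return set(methods) - protected_methods(block, methods)


if __name__ == "__main__":
    for name, cfg in (("thesis", THESIS_CONFIG), ("all methods", ALL_METHODS_CONFIG)):
        print(f"{name}: unauthenticated = {sorted(unauthenticated_methods(cfg))}")
```

With the thesis configuration the script reports GET, HEAD and OPTIONS as unauthenticated, which is exactly what a browser uses to read the share; the variant reports none.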

5.6.7 filesharing: ftp

Another method to supply files using IPv6 is ftp. I installed an ftp server for Linux on marge.sylvia.test. I chose to use pure-ftpd version 1.0.19-7. Setting it up was pretty easy using apt-get, as you simply need the packages pure-ftpd-common and pure-ftpd. This installs the ftp server to /usr/sbin/ and sets configuration details in /etc/pure-ftpd. I chose to run pure-ftpd as a daemon (“dpkg-reconfigure pure-ftpd-common” to change that). Before starting the server with “/usr/sbin/pure-ftpd -S 777 &” be sure that you have a user “ftp” on your system, creating a home directory that is accessed when using anonymous ftp. Anonymous ftp is enabled by default and so you can try logging in either by not supplying user information or by using a user account on the system. In the latter case the corresponding home directory is opened.

In order to access the ftp server I chose a Windows FTP client called NcFTP [40]. In the downloaded /bin directory you will find ncftp.exe, starting a command-line ftp tool. When typing “open” the address book is opened and you can add a target with all address information needed. Don’t forget to fill in the port chosen if you decided to use another than 21 (I chose 777).

Note: There is a huge list of alternative ftp software. Servers: proFTPD 1.2.9, moftpd, tnftpd/lukemftpd, wu-ftpd, ftpd 0.17 patched, fftpd, ftpd-bsd 0.3.3, ProFTPD 1.2.9, troll-ftpd 1.2.8 patched, ginseng-ftpd 1.6, and many more for Linux. For Windows there are two FTP servers, but both intended for developer-only versions of Windows: the FTP server in Windows CE .NET and the MSRIPv6 FTP server. There are also several FTP clients like: lftp 2.6.5, tnftp 2.0, cftp 0.12, wget and the ftp version supplied by Windows XP/2003.


5.6.8 email: exim

Next step is to implement a working mailing structure in our company network. The mail server running at the moment is exim4 v4.50 which supports IPv6 when set at compile time. You have to set “HAVE_IPV6=YES” and might also need “IPV6_INCLUDE=YES” and “IPV6_LIBS=YES” in your Local/Makefile. I set all three options in the first try and then tried to recompile the source. Experiencing several errors like the one that it could not find db.h at compile time, I then chose to remove all IPv6 options again to see whether it would work. Because this worked without any troubles I then simply set “HAVE_IPV6=YES” and successfully recompiled. (I experienced some troubles concerning the LOOKUP_LIBS when compiling (e.g. “cannot find -llber”). There are references to several things like LDAP defaulted which I simply commented out for I don’t use them.)

After exim is reinstalled supporting IPv6, you have to configure two files: /etc/exim4/update-exim4.conf.conf and /etc/exim4/mailname.

The file /etc/exim4/mailname has to be changed to the following content:

marge6.sylvia.test

and the file /etc/exim4/update-exim4.conf.conf now looks like this:

dc_eximconfig_configtype='smarthost'
dc_primary_hostname='marge6.sylvia.test'
dc_other_hostnames='sylvia.test:marge:marge6.sylvia.test'
dc_local_interfaces='192.168.200.5 : 2001::16d8::ff47::1203::2::::5'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets='192.168.0.0/16:2001::16d8::ff47::1203::::/64'
dc_smarthost='mail.bfi-burgenland.at'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='false'
dc_mailname_in_oh='true'

As you might remember from the chapter where I set up the IPv4 network, you could, instead of altering these files, as well use “dpkg-reconfigure exim4-config”. One important thing to keep in mind when editing update-exim4.conf.conf is that the colon acts as a list separator in this file. Therefore you have to double each colon that is used in an IPv6 address. After editing these files manually you have to run update-exim4.conf in order to make the changes take effect. Now you are the proud user of a system that can send emails, but not get any. Therefore we have to see whether qpopper is IPv6 enabled.
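The colon doubling is easy to get wrong by hand, and a forgotten doubling silently splits an IPv6 address into several bogus list items. The following added example (my own code, not part of the thesis or of Exim) builds the dc_local_interfaces and dc_relay_nets values from the addresses used above, reads such a list back and validates every entry, so a hand-edited line can be checked before update-exim4.conf is run.

```python
"""Escape IPv6 addresses for Exim's colon-separated lists.

Added example, not from the thesis: in the Exim 4 list syntax used by
/etc/exim4/update-exim4.conf.conf a single colon separates list items,
so every colon inside an IPv6 address has to be written twice. These
helpers build such a list from real addresses and decode one back, so
that a hand-edited line can be checked against the hosts it should name.
"""
import ipaddress
from typing import List


def exim_list_item(item: str) -> str:
    """Double every colon of one list item (IPv6 address or prefix)."""
    return item.replace(":", "::")


def exim_list(items: List[str]) -> str:
    """Join the escaped items with the single-colon separator."""
    return " : ".join(exim_list_item(i) for i in items)


def parse_exim_list(value: str) -> List[str]:
    """Split an Exim list back into its items.

    A lone ':' separates items, '::' stands for a literal colon, and
    whitespace next to a separator is ignored, as Exim does it.
    """
    items, cur, i = [], [], 0
    while i < len(value):
        ch = value[i]
        if ch == ":":
            if i + 1 < len(value) and value[i + 1] == ":":
                cur.append(":")          # escaped colon, part of an address
                i += 2
                continue
            items.append("".join(cur).strip())   # lone colon: next item
            cur = []
        else:
            cur.append(ch)
        i += 1
    items.append("".join(cur).strip())
    return [x for x in items if x]


def check_list(value: str) -> List[str]:
    """Decode a list and validate each entry as an IPv4/IPv6 host or network.

    Raises ValueError on the first entry that is not an address, which is
    how a forgotten doubling shows up: '2001:16d8:ff47:...' written with
    single colons decodes to fragments such as '2001' and '16d8'.
    """
    decoded = parse_exim_list(value)
    for entry in decoded:
        ipaddress.ip_network(entry, strict=False)   # plain hosts are /32 or /128
    return decoded


# Values from the thesis network, constructed from the addresses it lists.
LOCAL_INTERFACES = ["192.168.200.5", "2001:16d8:ff47:1203:2::5"]
RELAY_NETS = ["192.168.0.0/16", "2001:16d8:ff47:1203::/64"]

if __name__ == "__main__":
    print("dc_local_interfaces='%s'" % exim_list(LOCAL_INTERFACES))
    print("dc_relay_nets='%s'" % exim_list(RELAY_NETS))
    print(check_list(exim_list(LOCAL_INTERFACES)))
```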

Note: Other mail transfer agents supporting IPv6 are: Zmailer 2.99.55, sendmail 8.12.9, qmail 1.03 patched, postfix 2.0.18 patched and courier 0.42.2.

5.6.9 email: courier [41]

Since qpopper does not support IPv6 there are several alternative mailbox daemons: solidpop3d 0.15, courier-pop3d 0.42.2, courier-imapd 0.42.2, cyrus-imapd 2.2.1-BETA, dovecot 0.99.10.6 and bincimapd 1.2.10. Because the homepage of solidpop3d was down the day I wanted to install the software and cyrus-imapd had some strange errors after installation about a missing connection to my mail server I decided to use courier-imapd.

You could either install courier-imapd from the sources or from the apt repository, as I chose to. First you have to install courier-authdaemon with its configuration file at /etc/courier/authdaemonrc using authpam and then install courier-imapd (I use version 3.0.8-4). Other interesting files in this context are /etc/courier/imapd and /etc/pam.d/imap. If you want you can additionally install courier-doc providing information on courier.

When trying to log in I got the error: FATAL ERROR: Maildir: no such file or directory. In the file /etc/courier/imapd the last entry is about the mail directory, setting it to

MAILDIRPATH=${home}/Maildir

Now we have to face the fact that by default exim stores the mails in a single file while courier needs a directory to be set. As a consequence we have to modify /etc/exim4/configure first.


First update the transports section by exchanging the transport “local_delivery” with what is written below. Please be sure that the old transport “local_delivery”, setting mail delivery to a single file, is commented out.

### from transports section
local_delivery:
  driver = appendfile
  group = mail
  mode = 0660
  mode_fail_narrower = false
  envelope_to_add = true
  return_path_add = true
  directory = ${home}/Maildir
  maildir_format = true
  prefix = ""

${home} is expanded to the home directory of each mail user and is the default value here. I chose to be more conservative here and instead of editing the part discussed above I set the address_directory transport to the following in order to allow per-user Maildir only:

### from transports section
address_directory:
  driver = appendfile
  no_from_hack
  prefix = ""
  suffix = ""
  maildir_format

Next step is to edit the userforward director to contain the following.

### from routers configuration section
userforward:
  driver = forwardfile
  check_local_user
  file = $home/.forward
  no_verify
  check_ancestor
  file_transport = address_file
  pipe_transport = address_pipe
  reply_transport = address_reply
  directory_transport = address_directory
  modemask = 002
  filter

Now the directory_transport points to the address_directory specified before. When uncommenting the “filter” option, you can use .forward files in order to have Exim filtering. Using this configuration every user that wants mail to be stored in a maildir needs a “.forward” file pointing to that maildir:

echo /home/elsylo/Maildir/ > /home/elsylo/.forward
echo /home/sylvia/Maildir/ > /home/sylvia/.forward

Be sure that each “.forward” file is owned by the appropriate user and that you did not forget the trailing slash at “/home/elsylo/Maildir/”. Now everything that has to be configured is done and you can test your configuration.

Note: Because the directories for the mails are not created yet I experienced that courier worked after sending the second mail (it automatically creates the folder needed when the first mail is sent - you might want to create them first).

5.6.10 mail-client: thunderbird

Thunderbird 1.0.2 is IPv6 enabled and therefore can simply be configured using marge6.sylvia.test port 143 for IMAP and port 25 for SMTP use. Thunderbird was not capable of using the IPv6 addresses in the configuration of the email-address options (not even when put in square brackets). FQDNs had to be used.


Figure 5.12: The sending of an email from a Windows host

5.6.11 mail-client: outlook and outlook express

As far as I could find out on the internet Outlook and Outlook Express both don’t support IPv6. I also tried making a new account with the mail servers set to marge6.sylvia.test or [2001:16d8:ff47:1203:2::5] respectively but both just resulted in an error message that the server could not be found.

Figure 5.13: Error when sending a message with Outlook telling that the servers could not be found

Note: Other email clients supporting IPv6 are: mozilla-mail 1.4, ximian-evolution 1.4.5, pine 4.58 patched, mutt 1.41, sylpheed 0.9.6, sylpheed-claws 0.9.5 and KMail 3.1.2.


5.6.12 VoIP: asterisk [42] [43]

Much to my regret I had to find out that asterisk is not yet IPv6 capable. There is a patch providing some IPv6 connectivity features but it is not very widely used. There has also been a bounty for writing an IPv6 patch but although the time has expired no patch is available so far.

There are two Linux-based softphones available called linphone and kphone supporting IPv6 and two SIP phones, one from Moimstone (IP250) and one from FreeBit Business Phone.

5.6.13 time: ntpd, ntpdate

Both ntpd and ntpdate are IPv6 capable and work without troubles. The ntpd version installed is 4.2.0 and the only thing I had to do is to set an IPv6 time server in /etc/ntp.conf. Here’s a list of some IPv6 capable servers with stratum 1:

ntp.rhrk.uni-kl.de (IPv4 and IPv6)
ntp6.remco.org (IPv6)
chime3.ipv6.surfnet.nl (IPv6)
ntp.ipv6.viagenie.qc.ca (IPv6)

I chose the one from surfnet. Ntp itself should be IPv6 capable when installed on an IPv6 enabled host. Now, if you want to query your ntpd simply type

ntpdate 2001:16d8:ff47:1203:2::1

on marge.sylvia.test and the time will be adjusted to the time set on bart.sylvia.test, using IPv6.

Figure 5.14: ntpdate from marge (i.e. webdavserver) to bart


The big world of Windows applications has no free IPv6 ntp client (and one client to buy that might work) to set the time on Windows hosts.

5.6.14 domain controller: Active Directory

When I started migrating I thought that Active Directory, together with file sharing, would not produce a lot of troubles because most websites claimed full support for IPv6 on Windows (in fact that’s mostly all information I could get on the websites of Microsoft). On most sites I could read a lot about transition techniques like several different tunnels and so on but there was not much written about the services that really support IPv6 on Windows PCs and that’s what made my search for help pretty hard. When I found out that a host does not log onto Active Directory via netlogon using IPv6 by default I tried such tricks as setting the IPv4 address to a non-existing value so that it might have to use IPv6. As you might have guessed, it didn’t work. The interesting thing was, on the other hand, that during netlogon DNS was queried for the domain controller and since I am using dynamic updates from the host running Active Directory there even was an AAAA entry replied to the querying host. But let’s start from the beginning.

The first thing I changed in my network topology was the server running Active Directory. When reading this thesis cover to cover you might remember that Active Directory formerly ran on a Windows 2000 Advanced Server and that this server was updated to Windows 2003 Server in order to enable file sharing between Windows hosts. So Active Directory had to be set up again (which was not that much work for I only entered two users). Then I had to enable dynamic updating for the new domain controller in my bind configuration. This is done by updating /etc/bind/named.conf.local:

zone "sylvia.test" IN {
    type master;
    file "/etc/bind/db.sylvia.test";
    allow-update { 192.168.200.19; 2001:16d8:ff47:1203:2::13; };
};

The line “allow-update” enables dynamic updating, i.e. services can register themselves in DNS. This may take some minutes until DNS is updated for the first time and will create a journal file *.jnl with * being the name of the corresponding zone file. The latter is updated with the information retrieved from the .jnl file which results in the following zone entries:

Figure 5.15: some of the dynamic DNS entries produced by Windows 2003

When sniffing the whole logon process I found out that although DNS is queried and returns wiggum.sylvia.test for the services needed (wiggum is an AAAA site-local entry) everything is done using IPv4. I then tried to query newsgroups, mailing lists and lots of homepages for this issue and found someone telling me he had a working Active Directory system using IPv6.

Since I could not get more details from him I decided to ask Microsoft again. They told me that Windows 2003 server does not support IPv6, or in more detail, Kerberos as well as LDAP will fail but SMB negotiation will work. You can only guess how long it took me to get such a detailed answer. ;o)

Tip: OpenLDAP v2.0 natively supports IPv6.

5.6.15 printing: cups

CUPS versions older than 1.2 do not support IPv6 and therefore I installed a newer version on my marge.sylvia.test. I downloaded the sources of cups-1.2.x-r4608 and installed them. You can type “lpstat -t” in order to see all printers configured with all details available, or, as before, you could as well use the GUI at http://localhost:631. After trying a lot to configure this cups version, I downloaded an even newer version of CUPS (1.2svn-r4929). In the file /etc/cups/cupsd.conf add two entries in order to listen on IPv6 addresses:

Listen [::1]:631
Listen [2001:16d8:ff47:1203:2::5]:631


For configuring a client you simply have to set the CUPS IPv6 server address in the file “/etc/cups/client.conf”:

ServerName [2001:16d8:ff47:1203:2::5]

You can test your IPv6-capable printer by typing:

lpr <filename>

Figure 5.16: CUPS using IPv6

Note: Only from reading the comments on the snapshots I was able to find out that earlier 1.2 snapshots experience troubles using IPv6 addresses.

Windows: I could not manage to connect to the CUPS server using Windows.

5.6.16 radio: Virgin radio

A very nice but also very important use of IPv6 is listening to IPv6-only radio. The University of Southampton has a live stream of Virgin radio supporting IPv6 only, which can be listened to by using e.g. Windows Media Player 10, iTunes 4.5, zinf, etc. Check it out at: http://www.ipv6.ecs.soton.ac.uk/virginradio/. Below you see some packets from the initialization phase of Virgin radio.


Figure 5.17: initialization of virgin radio

5.6.17 instant messaging: irc, msn

Another funny way of using IPv6 is by using an instant message service like MSN and IRC. There are several IRC clients already IPv6 enabled you can use. I chose TurboIRC, a small IRC client for Windows-based systems, and checked out some IPv6 servers.

Figure 5.18: IRC chatting via IPv6

Another cool thing is to enable IPv6 with MSN, and to make MSN even cooler you can add the software called threedegrees from www.threedegrees.com (which has gone offline by now). But don’t be sad, you can still get it from Microsoft at http://download.microsoft.com/download/b/3/2/b3251b5b-76fb-46f7-bd6c-f5644713dff6/squiggles.exe. Using this piece of software you can watch pictures and listen to music with up to ten people around the world at once (this could be considered Microsoft’s answer to file sharing). I tried this software together with my friend Mustafa from Turkey, working on IPv6 as well, and quite enjoyed adding items to a shared playlist and listening to the songs together. This is an approach showing people what Peer-to-Peer and IPv6 can do for the people not already recognizing the advantages. [44]


Figure 5.19: Peer2Peer communication with my friend Mustafa (2001:4bd0:2031::4) using 3degree

5.6.18 authentication: ipsec6

Ipsec6 is a Windows command-line application in order to provide data authentication and data integrity. It is not for production use yet for it does not supply encryption mechanisms and relies on static keying with keys being stored in plain text on the host. Ipsec6 can be used to configure policies and security associations between two hosts. In a security association (SA) authentication is provided by using either an MD5- (Message Digest 5) or SHA1-hashed (Secure Hash Algorithm 1) Authentication Header (AH). To set up an ipsec6 environment I started by creating a folder on my hard disk, went to this folder using the command line and then typed

ipsec6 s thesis

This command creates a blank security association (thesis.sad) and a security policy (thesis.spd) file (usually containing already one entry) called “thesis”. Ipsec6 is available for computers running Windows XP Service Pack 1 and higher and Windows 2003 Server. I chose to enable ipsec6 between my two Windows 2003 server computers.

client1: wiggum.sylvia.test
site-local address: fec0::1:20a:5eff:fe22:afd6
client2: flanders.sylvia.test
site-local address: fec0::1:250:baff:fe17:2d3d

I started configuring client1 by setting the “thesis.spd” file. Add the new entry before the one already existing in the file. Please note that policies must be placed in decreasing order.


Field Name        Value
Policy            2
RemoteIPAddr      - fec0::1:250:baff:fe17:2d3d
LocalIPAddr       - *
Protocol          - *
RemotePort        - *
LocalPort         - *
IPSecProtocol     AH
IPSecMode         TRANSPORT
RemoteGWIPAddr    *
SABundleIndex     NONE
Direction         BIDIRECT
Action            APPLY
InterfaceIndex    0

Important: It is very important to add a trailing semicolon to each line and not to use tab stops instead of spaces.

After setting the values in the *.spd file you can continue with altering the *.sad file. Here we will need two new lines which I will indicate by typing them in two columns.

Field Name       Value for Line 1              Value for Line 2
SAEntry          2                             1
SPI              3001                          3000
SADestIPAddr     fec0::1:250:baff:fe17:2d3d    fec0::1:250:baff:fe17:2d3d
DestIPAddr       POLICY                        POLICY
SrcIPAddr        POLICY                        POLICY
Protocol         POLICY                        POLICY
DestPort         POLICY                        POLICY
SrcPort          POLICY                        POLICY
AuthAlg          HMAC-MD5                      HMAC-MD5
KeyFile          myfile.key                    myfile.key
Direction        OUTBOUND                      INBOUND
SecPolicyIndex   2                             2

Don’t forget the semicolon at the end of each line again! Two SA entries have been made, one for outbound and one for inbound traffic. Both require a keyfile called “myfile.key”. You could also use different keyfiles for inbound and outbound communication but since this way of using ipsec6 isn’t secure anyway, I decided to keep the same. SA entries are added in decreasing order as well.

The keyfile is a simple plain-text file residing in the same folder as the two files processed above. Set the file you created to the name “myfile.key” and be very careful what you type in this file: each space or linefeed makes a difference and this file must be identical to the one residing at client2 in the ipsec6 communication.

On client2 (flanders), you need the same configuration as well. Start by creating the files with “ipsec6 s thesis” and then edit the “thesis.spd” file first. (Don’t forget to create this entry before the existing entry):

Field Name        Value
Policy            2
RemoteIPAddr      - fec0::1:20a:5eff:fe22:afd6
LocalIPAddr       - *
Protocol          - *
RemotePort        - *
LocalPort         - *
IPSecProtocol     AH
IPSecMode         TRANSPORT
RemoteGWIPAddr    *
SABundleIndex     NONE
Direction         BIDIRECT
Action            APPLY
InterfaceIndex    0

After you have put a semicolon at the end of the line, edit “thesis.sad”:


Field Name       Value for Line 1              Value for Line 2
SAEntry          2                             1
SPI              3001                          3000
SADestIPAddr     fec0::1:20a:5eff:fe22:afd6    fec0::1:20a:5eff:fe22:afd6
DestIPAddr       POLICY                        POLICY
SrcIPAddr        POLICY                        POLICY
Protocol         POLICY                        POLICY
DestPort         POLICY                        POLICY
SrcPort          POLICY                        POLICY
AuthAlg          HMAC-MD5                      HMAC-MD5
KeyFile          myfile.key                    myfile.key
Direction        OUTBOUND                      INBOUND
SecPolicyIndex   2                             2

Don’t forget the semicolons at the end of each line and then create a “myfile.key” on client2 as well, containing the same word(s) as on client1. In order to load the Security Associations and the Security Policy on a PC you have to type the following command on each client:

ipsec6 l thesis

In case of an error you made in creating one of the files you will get some message that the security association or the security policy could not be added. One of my problems was that in the first try I used tab stops instead of spaces (the error message was about an invalid address range), and another problem was that I had too many spaces in each line (the error message is something like: line too long). Simply clear some of the spaces and it will work. Don’t wonder if it tells you only one Security Policy is added; the one that already was in the file is loaded by default upon startup (the command we used in the beginning, “ipsec6 s thesis”, simply looks on your computer for security associations and policies available and prints them to a file. If you ran the same command now, it would print the new data we added to the files.) Please keep in mind that the policies and associations added by this technique are not persistent and have to be loaded manually after startup. To see which Security Associations are set at the moment, type:

ipsec6 sa

To do the same for security policies use:


ipsec6 sp

If you want to delete the Security Association number 2 type:

ipsec6 d sa 2

You can use a similar command for deleting Security Policy number 2:

ipsec6 d sp 2

Now we are able to try our ipsec6 implementation by pinging the host with the address used in the files (I tried this with link-local addresses with ZoneID and site-local addresses consecutively). When pinging the other client you can see the Authentication Header being appended to each packet:

Figure 5.20: ping from client1 (wiggum) to client2 (flanders) with Authentication Header

Above you see one of the ICMPv6 packets sent by client1 and below you have the details containing the Authentication Header. You can see the SPI set above as well (0xbb9 = 3001). This all looks pretty well, and everything worked except for the Echo reply when using ipsec6. I guess I tried this ten times and always had the same result: ping going out but no reply is sent back (time-out). I did not find any errors reported in the event log, nor when I looked at the ICMPv6 errors (netstat -s -p icmpv6). Because I was already in contact with Microsoft, I asked them if ipsec6 worked for them and got the answer from someone my mails concerning IPv6 were forwarded to, that this only works sometimes when he configured it and because it is not for production use anyway it wouldn’t be that interesting. He also assured me Windows Vista would have better ipsec support for IPv6.

And so my ping never came back ...

But, of course, I was eager to try something providing this functionality and therefore I tried OpenSWAN on Linux.

5.6.19 encryption: OpenSWAN

To be precise, there are two ways of sending your packets when encrypting: tunnel mode and transport mode. In transport mode (which I chose) only the payload is encrypted and the IP header is left out, while in tunnel mode the whole packet is encrypted with a new header appended. IPSec, as seen before, needs the exchange of keys in order to provide authenticated and encrypted communication. There are two ways of providing authentication: through pre-shared keys (simple) or by using RSA keys. I chose to have a pre-shared key environment in my lab. The next thing to choose is which IKE daemon you want to use: On one side there is “racoon” and on the other “pluto”, which is said to be a bit less difficult to configure.

“Racoon” is derived from the KAME project and “pluto” is included in distributions from the *S/WAN projects. The first project was FreeS/WAN which ended in 2004 and produced two successors: strongSWAN and OpenSWAN. I decided to use OpenSWAN. Configuring OpenSWAN is not a big deal. You start with the config file /etc/ipsec.conf (at marge.sylvia.test):

version 2.0

config setup

include /etc/ipsec.d/examples/no_oe.conf

conn ipv6-p1-p2
    connaddrfamily=ipv6
    left=2001:16d8:ff47:1203:2::5
    right=2001:16d8:ff47:1203:2::1
    authby=secret
    esp=aes128-sha1
    ike=aes128-sha-modp1024
    type=transport
    compress=no
    auto=add

The line “conn ipv6-p1-p2” defines the connection to use, for you can define multiple connections to multiple hosts. This connection is established between marge.sylvia.test, 2001:16d8:ff47:1203:2::5, here defined as “left”, and bart.sylvia.test, 2001:16d8:ff47:1203:2::1, here denoted as “right”. Please note that this config file is taken from marge.sylvia.test. Important for the use with IPv6 is only the line “connaddrfamily=ipv6”. The pre-shared key environment, the encryption type and the type of usage (transport) are also defined here.

The next, and last, step is to provide a key. This is done by setting the key used between these hosts in the file /etc/ipsec.secrets:

2001:16d8:ff47:1203:2::5 2001:16d8:ff47:1203:2::1 : PSK "foo"

Setting the same options on the second host participating in this encrypted communication (bart.sylvia.test) is the last step here. Now we have to test our configuration.

Start ipsec with

/etc/init.d/ipsec start

Then the specific connection you want to use (mine is called “ipv6-p1-p2”) has to be brought up on one of the peers by typing:

ipsec auto --up ipv6-p1-p2

You should see the following output with the line “IPsec SA established” proving that the payload will be encrypted between these two hosts from now on:

104 "ipv6-p1-p2" #1: STATE_MAIN_I1: initiate
003 "ipv6-p1-p2" #1: received Vendor ID payload [Openswan (this version) 2.4.0 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "ipv6-p1-p2" #1: received Vendor ID payload [Dead Peer Detection]
106 "ipv6-p1-p2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "ipv6-p1-p2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "ipv6-p1-p2" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
117 "ipv6-p1-p2" #2: STATE_QUICK_I1: initiate
004 "ipv6-p1-p2" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x4701be00 <0xd52c991d xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}

The “setkey” command, e.g. “setkey -D”, will also give you detailed information on a running IPSec environment.
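Reading the “IPsec SA established” line by eye is fine in the lab, but a script bringing up several connections wants to verify the two phases, the agreed algorithms and the ESP SPIs from that transcript. The following added example (my own code, not from the thesis or from Openswan) parses the pluto status lines shown above; the transcript embedded in it is a constructed copy of that output.

```python
"""Check an `ipsec auto --up` transcript for an established IPsec SA.

Added example, not from the thesis: each pluto status line carries a
numeric code, the connection name in quotes, the state number (#1 for
the ISAKMP phase, #2 for the IPsec phase) and a message. The parser
folds such lines into a TunnelStatus telling whether both phases were
established, which algorithms were agreed on and which ESP SPIs are in
use, so a script can verify the tunnel instead of trusting the last line.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Transcript for connection ipv6-p1-p2 as printed in the thesis (constructed copy).
SAMPLE_OUTPUT = """\
104 "ipv6-p1-p2" #1: STATE_MAIN_I1: initiate
003 "ipv6-p1-p2" #1: received Vendor ID payload [Openswan (this version) 2.4.0 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "ipv6-p1-p2" #1: received Vendor ID payload [Dead Peer Detection]
106 "ipv6-p1-p2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "ipv6-p1-p2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "ipv6-p1-p2" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
117 "ipv6-p1-p2" #2: STATE_QUICK_I1: initiate
004 "ipv6-p1-p2" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x4701be00 <0xd52c991d xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
"""

_LINE_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')   # code, conn, state, msg
_ATTR_RE = re.compile(r"(\w+)=([^\s}]+)")                     # key=value inside {...}
_SPI_RE = re.compile(r"ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)", re.IGNORECASE)


@dataclass
class TunnelStatus:
    connection: str
    isakmp_established: bool = False
    ipsec_established: bool = False
    isakmp_params: Dict[str, str] = field(default_factory=dict)
    ipsec_params: Dict[str, str] = field(default_factory=dict)
    spi_out: Optional[str] = None     # outbound ESP SPI (ESP=>...)
    spi_in: Optional[str] = None      # inbound ESP SPI (<...)
    vendor_ids: List[str] = field(default_factory=list)


def parse_pluto_output(text: str, connection: str) -> TunnelStatus:
    """Fold the pluto status lines belonging to `connection` into a TunnelStatus."""
    status = TunnelStatus(connection)
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m or m.group(2) != connection:
            continue                       # other connection or free-form text
        msg = m.group(4)
        if "received Vendor ID payload" in msg:
            status.vendor_ids.append(msg.split("[", 1)[1].rstrip("]"))
        elif "ISAKMP SA established" in msg:
            status.isakmp_established = True
            status.isakmp_params = dict(_ATTR_RE.findall(msg.split("{", 1)[1]))
        elif "IPsec SA established" in msg:
            status.ipsec_established = True
            attrs = msg.split("{", 1)[1]
            status.ipsec_params = dict(_ATTR_RE.findall(attrs))
            spi = _SPI_RE.search(attrs)
            if spi:
                status.spi_out, status.spi_in = spi.group(1), spi.group(2)
    return status


def tunnel_is_up(status: TunnelStatus) -> bool:
    """True only when both phases completed and ESP SPIs in both directions exist."""
    return (status.isakmp_established and status.ipsec_established
            and status.spi_out is not None and status.spi_in is not None)


if __name__ == "__main__":
    st = parse_pluto_output(SAMPLE_OUTPUT, "ipv6-p1-p2")
    print("up:", tunnel_is_up(st), "xfrm:", st.ipsec_params.get("xfrm"),
          "SPI out/in:", st.spi_out, st.spi_in)
```

The SPIs it extracts are the ones to look for in the ESP headers of a sniff like Figure 5.21, and in the output of “setkey -D”.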

Figure 5.21: pinging and digging between marge (ns1) and bart, encrypted

Above you can see some packets from the communication between marge and bart. These have been some ICMP echo requests and replies and a dig command. I know this because I did this sniff; the data is of course encrypted and you can not figure out what really happened ;o). The protocol used is ESP, Encapsulating Security Payload. The IP header on the other hand is plain text.

Note: There are several other daemons for configuring a Virtual Private Network: Linux has implemented IPSec features you can use with kernel 2.6.x, yavipin 0.9.6, openVPN 1.6.0, freeSWAN 2.06, openSWAN 2.2.0 and strongSWAN 2.1.3.

Hint: You can also configure e.g. OpenSWAN to work with your Windows 2000 or Windows XP when using IPv4. [45]

5.6.20 Remote control: ssh

Another important application is remote login using SSH. SSH and sshd for Linux both support IPv6 since version 3.6.1. You can use the command “ssh” with either the hostname or the IP address; both ways work.

Windows does not supply an IPv6-capable SSH client, but I’d recommend using PuTTY (v 0.58) on Windows-based clients. Simply put in the hostname, the FQDN or the IPv6 address and everything will just work without troubles.

Figure 5.22: SSH using PuTTY from nelson (2001:16d8:ff47:1203:2::22) to marge (ns1.sylvia.test)

5.6.21 VNC: TightVNC

Virtual Network Computing is a platform-independent desktop-sharing system which can be used via IPv6 using a patched version [46]. TightVNC is available for Windows and Linux and works pretty quickly. I experienced some troubles when running the WinVNC server on Windows XP, but it may have something to do with the huge CPU load on this PC. So I decided to run the TightVNC server on Windows 2003 (wiggum6.sylvia.test) and the client on this Windows XP (nelson6.sylvia.test). The connection only worked after I checked the option “Allow loopback connections” in the advanced settings of the WinVNC server (before I checked it I experienced the following error: “Local-loop back connections are disabled”).

TightVNC has an encrypted method of sending the passwords but does not supply encryption for the traffic itself. It is recommended to use VNC only on trusted networks or via an encrypted tunnel on untrusted networks.

5.6.22 Remote control: telnet

Although Microsoft’s telnet server is not IPv6-enabled by default, you can use it. First simply check whether typing “telnet wiggum6” to connect to a Windows 2003 server running an IPv4 telnet server works. If not, you can make it IPv6-enabled yourself. Because telnet is a protocol that does not add any information to upper-layer PDUs, you can simply proxy the data. Therefore you need a PortProxy proxying traffic destined for IPv6 port 23 to IPv4 port 23. This is done with:

netsh interface portproxy add v6tov4 23

When you “nmap -6” the host running the telnet server you can see the port being open on IPv6 as well. Then I simply used PuTTY to establish a connection using telnet, and here you can see it worked:

Figure 5.23: Telnet connection between nelson6 and wiggum6 (server)

5.6.23 Monitoring traffic: ntop

When monitoring traffic, established connections and things like protocol use you will very likely use ntop. It’s an easy-to-use graphical tool logging traffic in your network and even making colorful graphs. But the best thing is: you don’t have to do anything in order to support IPv6. Here’s my overall protocol use graph:


Figure 5.24: Protocols used in my network

5.6.24 monitoring privoxy: webalizer

In order to use webalizer for privoxy you need to make some changes. First create a new configuration file (note that I do not alter the old one: since the IPv6 migration cannot yet take place fully, I still want to keep an eye on what squid is doing as well). This new configuration file is called “/etc/webalizerPrivoxy.conf” and should update the following lines:

LogFile /var/log/privoxy/logfile
LogType CLF
OutputDir /var/www/webalizerPrivoxy

You need to define a log file other than the default one, because the default is used for logging the errors encountered when analyzing squid. Privoxy uses a different LogType called Common Log Format, or CLF for short. If you forget to put this here, webalizer will not be able to read the log files produced by privoxy. The last thing that had to be changed is the OutputDir, so that the two webalizer instances don’t overwrite each other.

Note: If not done yet, you might need to set your Privoxy to log in Common Log Format. This is done in the config file by setting “debug 512”.

Last but not least you need to add an entry to /etc/crontab for the new instance of webalizer (“-c /etc/webalizerPrivoxy.conf” sets the configuration file used to /etc/webalizerPrivoxy.conf).

0 * * * * root webalizer -c /etc/webalizerPrivoxy.conf
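Before pointing webalizer at the privoxy log it is worth checking that the file really is in Common Log Format and seeing how much of the proxied traffic already arrives over IPv6. The Python script below does both; it is an added example, not from the thesis, and the log lines it contains are constructed (the client addresses reuse the thesis' test prefix).

```python
"""Check a privoxy log before feeding it to webalizer.

Added example, not from the thesis: webalizer's ``LogType clf`` reader only
accepts Common Log Format lines, which privoxy writes when ``debug 512`` is
set. The functions below parse such lines, count hits per IP family (a quick
way to see how much proxy traffic has already moved to IPv6) and list lines
webalizer would not understand. The sample log is constructed, not captured.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample. Lines 1-3 are CLF as written with "debug 512"; the
# client addresses reuse the thesis' test prefix. Line 4 mimics privoxy's
# default (non-CLF) request logging, which webalizer cannot parse.
SAMPLE_LOG = """\
2001:16d8:ff47:1203:2::22 - - [18/Jan/2006:10:03:41 +0100] "GET http://www.privoxy.org/ HTTP/1.1" 200 5123
192.168.1.22 - - [18/Jan/2006:10:03:42 +0100] "GET http://www.debian.org/ HTTP/1.0" 200 12011
2001:16d8:ff47:1203:2::5 - - [18/Jan/2006:10:04:07 +0100] "CONNECT mail.sylvia.test:443 HTTP/1.1" 200 0
Jan 18 10:04:09 Privoxy(1234) Request: www.example.com/
"""

CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def target_host(request: str) -> str:
    """Host a proxied request went to ('METHOD URL VERSION' from the CLF line)."""
    parts = request.split()
    if len(parts) < 2:
        return ""
    method, url = parts[0], parts[1]
    if method == "CONNECT":           # CONNECT carries host:port, not a URL
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or ""


def parse_clf(line: str):
    """Return the CLF fields as a dict, or None if the line is not CLF."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["family"] = ipaddress.ip_address(rec["host"]).version  # 4 or 6
    except ValueError:
        rec["family"] = None  # a resolved hostname rather than an address
    rec["target"] = target_host(rec["request"])
    return rec


def summarize(text: str) -> dict:
    """Hits per IP family, hits per destination host, and lines webalizer would reject."""
    families, sites, unparsable = Counter(), Counter(), []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse_clf(line)
        if rec is None:
            unparsable.append((lineno, line))
            continue
        families["IPv%d" % rec["family"] if rec["family"] else "hostname"] += 1
        sites[rec["target"]] += 1
    return {"families": dict(families), "sites": dict(sites), "unparsable": unparsable}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("hits per IP family:", result["families"])
    print("hits per site:", result["sites"])
    for lineno, line in result["unparsable"]:
        print(f"line {lineno} is not CLF (is 'debug 512' set?): {line}")
```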

Figure 5.25: Webalizer graph for privoxy

5.6.25 monitoring ports: nmap

Newer versions of nmap are IPv6-enabled by default but lack several scanning mechanisms for IPv6, such as UDP scans. In order to use methods other than -sT, -sP and -sL I found a nice patch on the internet. First you need an older version of nmap, “nmap-2.54BETA36”, which you can get in the code repository at http://www.insecure.org/nmap/dist-old/. After unzipping and untarring I changed the install directory in the configure file in order not to interfere with the existing nmap installation. The next thing is to patch the sources using the patch found at http://nmap6.sourceforge.net:

patch -d <nmap-2.54BETA36 location> < <nmap-2.54BETA36_ipv6.diff location>

After patching the sources, run

./configure
make
su
make install

and try it with e.g. a localhost UDP Scan:

./nmap -6 -sU -P0 ::1

5.6.26 firewall: iptables

Although iptables can filter IPv6 traffic as well, stateful filtering is only available with Linux kernel 2.6.12 and higher. Since I do not have a computer with this kernel version, I only implemented an IPv6 firewall with stateless packet filtering. See the appendix for my firewall implementation.

5.7 Testing

Now that we could migrate most of the services used, or could find a replacement for those where this was not possible, let’s take a quick look at testing the network for performance issues. When working with IPv4 I could find loads of applications testing some more or less important network features, but with IPv6 the software to choose from is very limited. When I asked the participants of the [email protected] newsgroup, most of them told me that they were writing their tests themselves, e.g. measuring the time it takes to put or get a file using FTP.

5.7.1 iperf

I use iperf version 2.0.2 with native IPv6 support. The handling for IPv6 is pretty much the same as for IPv4. The server is started using

iperf -V -s


and the client is started with:

iperf -V -c <ServerAddress>

I tested the connection between bart (server) and marge (client). The ServerAddress can be supplied either as FQDN or as IPv6 address.

Figure 5.26: iperf using IPv6

Iperf also works with Windows and is therefore the only IPv6 testing tool from which significant conclusions can be drawn.

5.7.2 Netserver/ Netperf

Netserver and its client netperf were also used in my IPv4 testing run; they support IPv6 testing from version 2.3 on, for Linux only.

Start the server using:

netserver -6 -p 123456

on port 123456, and the client by typing:

netperf -H <ServerAddress> -6 -p 123456

ServerAddress again can be the FQDN or the IPv6 address.

5.7.3 Smokeping

Smokeping can easily be configured for use with IPv6. You simply need to use fping6 instead of fping in the configuration file. But let’s go step by step. First I downloaded the fping6 utility at http://unfix.org/profects/ipv6/fping-2.4b2_to-ipv6.tar.gz. Then I edited the following lines in the /etc/smokeping/config file in order to support IPv6:

Figure 5.27: netserver/ netperf using IPv6

*** Probes ***
+ FPing6
binary = /usr/sbin/fping6

*** Targets ***
probe = FPing6

Because smokeping does not support IPv4 and IPv6 within one config file and I wanted to graph both IPv4 and IPv6 round-trip times, I simply had to run two instances of smokeping. First I copied the config file I used for IPv4 and made the changes written above. Then, in the “General” section, I had to change the *.pid file used, because the default pid file is used by the IPv4 instance of smokeping. The next step is to change the output file to

cgiurl = http://snowball/cgi-bin/smokepingv6.cgi

Besides setting the new targets to IPv6 addresses, this is what had to be done concerning the configuration file. The next problem was that smokeping by default uses “/etc/smokeping/config” and I could not find a way to set a path to another config file. Before searching for a command, I simply copied the smokeping executable “/usr/sbin/smokeping”, renamed it to “/usr/sbin/smokepingv6” and edited the line defining which configuration file to use:

Smokeping::main("/etc/smokeping/configv6");

Now you can run smokeping and smokepingv6 on one PC.

See the Code Appendix for the whole configuration file. Below you can see the ICMPv6 round-trip graph for snowball generated on marge.


Figure 5.28: Smokeping running on marge: snowball.sylvia.test

5.7.4 mrtg/ SNMP [47]

The first step is to make snmpd listen on IPv6. This is done in “/etc/default/snmpd” by editing the value of the parameter SNMPDOPTS:

SNMPDOPTS='-Lsd -Lf /dev/null -p /var/run/snmpd.pid udp6:161 udp:161'

For Linux kernels 2.6.x you have to explicitly allow both IPv4 and IPv6. Then the /etc/snmp/snmpd.conf file has to be changed. I chose a very simple way and just added:

rwcommunity6 public

Now SNMP is ready for testing.

snmpwalk -v 1 -c public udp6:[::1] sysname
snmpwalk -v 1 -c public udp6:[2001:16d8:ff47:1203:2::1] sysname

The latter asks 2001:16d8:ff47:1203:2::1 for its sysname (see the sniff below).

Now the only thing left is the configuration of mrtg. As you might remember, mrtg uses a *.cfg file for each host monitored. What you have to do now, in order to have SNMP traffic via IPv6 when using mrtg, is to copy the IPv4 configuration file for each host you also want to monitor using IPv6.

Figure 5.29: SNMP using IPv6 between marge (ns1.sylvia.test) and bart (bart6.sylvia.test)

First of all, enable IPv6 by setting:

EnableIPv6: yes

Then make sure that you choose new names for the graphs (otherwise it would overwrite the IPv4 ones) and we are done (see the whole config file in the Code Appendix). Create the HTML file with:

indexmaker -output=/var/www/mrtg/bart6.html /etc/mrtgbart6.cfg

Before mrtg can graph something you need to poll some data manually by typing the following command a few times:

mrtg /etc/mrtgbart6.cfg

If this worked without errors you can append the command above to your crontab and look at the output at http://marge.sylvia.test/mrtg/bart6.html.

Figure 5.30: mrtg for bart6.sylvia.test

Note: Please keep in mind that the only thing changed is the protocol used for querying SNMPd. The data queried is the same as within the IPv4-based configuration files. In order to have IPv6-specific data you have to include IPv6 MIBs!


Windows: Windows does not support SNMP via IPv6.


Bibliography

[1] Peter Bieringer: Linux IPv6 HOWTO (2005). http://linuxreviews.org/howtos/networking/IPv6-LinuxHowto/en/index.html (2005-12-09)

[2] Digital Hermit, Kwan Lowe: Kernel Rebuild Guide (2003). http://www.digitalhermit.com/linux/Kernel-Build-HOWTO.html (2005-12-09)

[3] Microsoft, msdn: Microsoft IPv6 Technology Preview for Windows 2000 (2002). http://msdn.microsoft.com/downloads/sdks/platform/tpipv6.asp (2005-12-09)

[4] Microsoft: msdn (2004). http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wcetcpip/html/cmrefIpv6Adu.asp (2005-12-29)

[5] Microsoft, Download Center: IPv6 Technology Preview for Windows 2000 (2003). http://www.microsoft.com/downloads/details.aspx?FamilyId=27B1E6A6-BBDD-43C9-AF57-DAE19795A088&displaylang=en (2005-12-09)

[6] Microsoft, TechNet: The Cable Guy: Using IPv6 Today (2001). http://www.microsoft.com/technet/community/columns/cableguy/cg0701.mspx (2005-12-09)

[7] Microsoft, Microsoft Windows Server 2003: IPv6 Protocol for the Windows Server 2003 Family: Frequently Asked Questions (2005). http://www.microsoft.com/windowsserver2003/techinfo/overview/ipv6faq.mspx (2005-12-09)

[8] Telscom: Configuration of IPv6 features (2004). http://www.telscom.ch/configuration_of_ipv6_features.htm (2005-12-27)

[9] Microsoft Windows Server System: Updating IPv6.exe Commands to Netsh Commands (2002). http://www.microsoft.com/windowsserver2003/technologies/ipv6/ipv62netshtable.mspx (2005-12-27)

[10] Microsoft TechNet: Netsh commands for Interface IPv6 (2005). http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/f953fa20-f037-4609-89eb-0178240f103b.mspx (2005-12-30)

[11] Narten, Draves: Privacy Extensions for Stateless Address Autoconfiguration in IPv6 - RFC 3041 (2001). ftp://ftp.isi.edu/in-notes/rfc3041.txt (2005-12-27)

[12] T. Chown: IPv6 Implications for TCP/UDP Port Scanning, draft-chown-v6ops-port-scanning-implications-00 (2003). http://www.6net.org/publications/standards/draft-chown-v6ops-port-scanning-implications-00.txt

[13] RIPE: Updating the RIPE Whois Database (2005). http://www.ripe.net/fcgi-bin/webupdates.pl (2005-12-27)

[14] SixXS: Heartbeat Information (2005). http://www.sixxs.net/tools/heartbeat/ (2005-12-27)

[15] SixXS: Automatic IPv6 Connectivity Client Utility (2005). http://www.sixxs.net/tools/aiccu/ (2005-12-27)

[16] SixXS: FAQ: Account: 10 easy steps to IPv6 (2005). http://www.sixxs.net/faq/account/?faq=10steps (2005-12-27)

[17] SixXS: Anything in Anything (AYIYA) (2005). http://www.sixxs.net/tools/ayiya/ (2005-12-27)

[18] IANA: Internet Protocol Version 6 Address Space (2005). http://www.iana.org/assignments/ipv6-address-space (2005-12-28)

[19] Index of ftp://ftp.inr.ac.ru/ip-routing (2005). ftp://ftp.inr.ac.ru/ip-routing/iputils-current.tar.gz (2005-12-28)

[20] psavola: Linux IPv6 Router Advertisement Daemon (2005). http://v6web.litech.org/radvd/ (2005-12-28)

[21] Lars Fennberg: RADVD Introduction (1997). http://www.cs-ipv6.lancs.ac.uk/ipv6/systems/linux/faq/radvd.html (2005-12-28)

[22] Linux Reviews: man radvd.conf (2001). http://linuxreviews.org/man/radvd.conf/ (2005-12-28)

[23] Narten, Nordmark, Simpson: RFC 2461 - Neighbor Discovery for IP Version 6 (IPv6) (1998). http://www.faqs.org/rfcs/rfc2461.html

[24] Thomson, Bellcore, Narten: RFC 1971 - IPv6 Stateless Address Autoconfiguration (1996). http://www.dnsstuff.com/pages/rfc1971.htm (2005-12-28)

[25] man: radvd (2001). http://linuxcommand.org/man_pages/radvd8.html (2005-12-28)

[26] Thomson, Bellcore, Narten: RFC 2462 - IPv6 Stateless Address Autoconfiguration (1998). http://www.faqs.org/rfcs/rfc2462.html

[27] Tomasz Mrugalski: Dibbler - a portable DHCPv6 (2005). http://klub.com.pl/dhcpv6/ (2005-12-28)

[28] Tomasz Mrugalski: Dibbler - a portable DHCPv6, Documentation (2005). http://klub.com.pl/dhcpv6/dibbler/dibbler-0.4.1-doc.tar.gz (2005-12-28)

[29] JOIN: Nameservice und IPv6 (2003). http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_IPv6-Nameservice.php (2005-12-29)

[30] Thomson, Huitema, Ksinant, Souissi: RFC 3596 - DNS Extensions to Support IP Version 6 (2003). http://rfc.net/rfc3596.html (2005-12-29)

[31] Bieringer, Baraldi, Piunno, Tortonesi, Toselli, Tumiati: Current Status of IPv6 support for networking applications (2004). http://www.deepspace6.net/docs/ipv6_status_page_apps.html (2005-12-29)

[32] Privoxy Developers: Privoxy - Home Page (2005). http://www.privoxy.org/ (2005-12-29)

[33] Glowiak: Mysql vs postgres (2005). http://monstera.man.poznan.pl/wiki/index.php/Mysql_vs_postgres (2005-12-30)

[34] PostgreSQL: Chapter 20. Client Authentication (2005). http://www.postgresql.org/docs/8.1/interactive/client-authentication.html#AUTH-PG-HBA-CONF (2005-12-30)

[35] Microsoft Windows Server System: Internet Protocol Version 6 (2005). http://www.microsoft.com/ipv6 (2005-12-30)

[36] lutchann: Samba IPv6 Support (2002). http://v6web.litech.org/samba/ (2005-12-30)

[37] Microsoft Windows Server 2003: Updates to Understanding IPv6 (2005). http://www.microsoft.com/downloads/details.aspx?FamilyID=42bf4711-27af-4c4c-8300-7bcf900de5c3&DisplayLang=en (2006-01-16)

[38] jason: Webdav in Apache2 to share Mozilla Thunderbird Calendar or Sunbird (2005). http://nmglug.org/phorum/read.php?5,30,30 (2006-01-14)

[39] Kenichi Takahashi: Instant File Sharing with IPv6 and WebDAV (2003). http://www.ipv6style.jp/en/tryout/20030320/index.shtml (2006-01-14)

[40] Jun-ya KATO: ncFTP 3.1.8 (2005). http://win6.jp/NcFTP/index.html (2006-01-18)

[41] Jason Boxman: Configuring Exim and Courier IMAP under Debian GNU/Linux (2004). http://talk.trekweb.com/~jasonb/articles/exim_maildir_imap.shtml (2006)

[42] Bernhard Schmidt: Asterisk bounty IPv6 (2005). http://www.voip-info.org/wiki-Asterisk+bounty+IPv6 (2006-01-14)

[43] Rapaz: initial IPv6 VoIP patch (2005). http://www.voip-info.org/wiki/view/IPv6+VoIP (2006-01-14)

[44] Nate Mook: Microsoft P2P Not All Fun and Games Yet (2003). http://www.betanews.com/article/1046403618 (2006-01-16)

[45] Nate Carlson (2005). http://www.natecarlson.com/linux/ipsec-x509.php#installing (2006-01-17)

[46] Diego Andres Acosta: TightVNC over IPv6 (2004). http://jungla.dit.upm.es/~acosta/paginas/vncIPv6.html (2006-01-17)

[47] debian: Having v6 with Debian for the first time (2004). http://debian.fabbione.net/how.html (2006-01-18)


Chapter 6

Conclusion and Summary

In the preceding chapter you could see step by step that nearly anything that has to be done in a network can be done using IPv6. It is important for me to mention that not every service could be migrated, especially with the Microsoft-based software used, and that there has not been much effort yet to write software exploiting the advantages of IPv6. As you could see, things that could not be migrated easily were e.g. Active Directory, which could be replaced by an elaborate configuration of OpenLDAP, or ntp clients using IPv6 for Windows systems. In fact, I do not consider the last problem very big, for it is not possible to run IPv6-only networks at the moment. Besides such “unimportant” things like time synchronizing, Microsoft does not yet support DNS or SNMP querying using IPv6, which is more important in a productive environment. As a little summary one could say that a network running Linux-flavoured operating systems is 99% migratable, while Windows systems simply impose more problems in migrating.

One huge aspect of my thesis was to examine closely whether the transition phase could also have taken place in a real productive environment with people working on the services I migrate. In most of the cases I have to say: yes. I think everybody will know from her or his own experience that there are services that just crash while reconfiguring them, and you have to spend a few hours on them until they work again. I guess such things just have to happen and in fact did happen in my environment as well. Most of the services I migrated “simply” needed to be configured for listening to IPv6 requests as well and therefore just had to be reconfigured. Therefore you could say that the time the service was offline was confined to the time the restart of the service took. On the other hand, to be perfectly sure that your migration does not collide with important services like database or file access, I’d recommend you to try them after hours in case troubles occur.

This thesis and the contained actual migration of a network was made under the condition that the services provided via IPv4 can also be accessed using IPv6. I started with Windows 2000 server, to find out during migration that running IPv6 services on Windows-based machines is a bad idea. This is the point where I have to mock the information provided by Microsoft regarding IPv6. I think I found 20 homepages telling me that Windows systems support IPv6 and how you can ping each other, but as soon as you get to the point where you really need detailed facts like “Does Active Directory support IPv6”, you are lost. I guess it took me a few months of searching (web search, newsgroups, forums, writing to Microsoft) to get the answer “no”, and that is what I want to criticise. Microsoft is the most popular operating system in the world and is afraid to tell its customers what the software is capable of, or so it seems. To be honest, I don’t really see the point in providing half of the information, except if you want to conceal something. My tip: write what your software can do and what it can’t - it saves huge amounts of time when using your software. Concerning my experiences with Microsoft I also want to thank Microsoft Austria’s Academic Relations Manager Mr. Schabus for providing contact with someone at Microsoft really working with IPv6 and providing me with honest answers.

The fact that I needed to switch to different operating systems and services within the transition is the reason why there are no significant testing or benchmarking results. Every throughput or bandwidth test made in the IPv4-only network is no longer comparable with tests you would make now in an IPv4/IPv6 environment. Things like neighbor discovery or duplicate SNMP queries (IPv4 and IPv6) would also affect IPv4 traffic, for which I have no IPv4 values I really can compare. In addition to this, the use of different services than before imposes a problem as well, for their performance will highly influence the results.

This brings me to the advantages and disadvantages of IPv6. To be completely honest, I really loved working with IPv6. There is only a small community in the European region working on problems concerning IPv6 and you quickly get to know everyone from newsgroups, etc. It really is fun working together and helping each other with problems most IT professionals did not deal with before (of course, this can also be pretty hindering when you have a problem, google it and get something like two results, both in strange languages). In my opinion, the advantages of IPv6 are obvious: we have the huge address space bringing mobile computing and peer-to-peer computing to the next level, we have encrypted and authenticated traffic for securing your company from its employees, and we have huge improvements concerning prioritised traffic like video streams and autoconfiguration of hosts. These advantages and a relatively easy transition will make IPv6 more and more important in the next years. At the moment, I have to confess, switching to IPv6 only is something for those wanting to be on the pulse of technology. Today its benefits may not be enough in order to deploy IPv6 all over the company, but it is good to be aware of this technology very early, for it will become predominant very soon. Today it might only be “cool” to tell your customers that you have already updated your company to IPv6; in a few years it will be standard, and that’s why I want to propagate IPv6 with this thesis. Because IPv6 depends on the basic structure IPv4 has used, there are not really “disadvantages” you are not used to from using IPv4. One thing that might be something like a “disadvantage” is the training of the IT staff, which will cost money and time, as you always have with new versions of anything, but this money is not lost. Always keep in mind that using IPv6 today and trying its features only facilitates the things you have to do the day IPv6 has to be used. It’s an investment in the future of network technology and will bring money in return. Even today big companies have already saved big spendings by using the autoconfiguration techniques provided instead of configuring manually. Think also of the benefits you have when doing secure communication without tunneling over the internet or when having road warriors in your company.

Another point I want to mention at the end is the financial aspect of migrating. I did not really have to buy additional hardware for my needs, but if I had wanted to use my Cisco routers and switches I would have needed additional software and memory, for which I did not find a sponsor (so I stuck to using hubs and Linux routers). In the field of VoIP you would need different hardware as well, but as long as asterisk does not fully support IPv6 there was no need to look for it. I did not experience many problems with software compatibility, for most of my services run Linux and therefore Open Source solutions are available. On the other hand, I did not manage to find a free ntp client running IPv6 for Windows; I guess that’s pretty much all I needed from the hardware and software side.

When it comes to the point of information gathering I have to confess: yes, I bought “Understanding IPv6” and another IPv6 theory book (which in fact I did not read), a few Euros each. The most expensive thing in the whole migration of my test network was, of course, the time I spent on it. It is very hard to define how much time it took me to migrate my services (for I had to do different things besides), but it might be something about 23 to 30 days (Monday - Friday: 9-11 hours a day, Saturdays and Sundays 4-5 hours a day). You might guess that this is just an estimated value, also including the time I spent reading about the new protocol.

As the very last paragraph in this master thesis I again want to assure everyone who does not yet believe me: IPv4 will be outdated soon and IPv6 is, if some additional work is done, the perfect successor. Again I want to thank everyone making this project possible and everyone reading this thesis to the end :-) .

Appendix

Chapter 7

Configuration Files

The first part of the Appendix is intended to provide all configuration files mentioned in the thesis. As I had always been glad when people provided me their full configuration files for services I was just trying to install, I’ll put in here everything I configured throughout my research. Because I only had to see if the basic concepts are working, you won’t find any security issues covered. So if you are searching for quick-and-dirty solutions, you are invited to take a look. (Lines that were commented out in the initial config file are left out or shortened.)

7.1 IPv4 related configuration

7.1.1 APT

/etc/apt/sources.list

deb http://ftp.tu-graz.ac.at/mirror/debian unstable main non-free contrib


7.1.2 Asterisk

/etc/zaptel.conf

loadzone=at
defaultzone=at
# for our TDM31: 1x FXO + 3x FXS
# slot 1 on the connectors
fxoks=1-3
fxsks=4

/etc/asterisk/asterisk.conf

[directories]
astetcdir => /etc/asterisk
astmoddir => /usr/lib/asterisk/modules
astvarlibdir => /var/lib/asterisk
astagidir => /var/lib/asterisk/agi-bin
astspooldir => /var/spool/asterisk
astrundir => /var/run
astlogdir => /var/log/asterisk
; Changing the following lines may compromise your security.
;[files]
;astctlpermissions = 0660
;astctlowner = root
;astctlgroup = apache
;astctl = asterisk.ctl

/etc/asterisk/extensions.conf

; extensions.conf on maggie, server at the BFI head office
;
[general]
;static=yes
;writeprotect=no
;autofallthrough=yes
;clearglobalvars=no
; The "Globals" category contains global variables that can
; be referenced in the dialplan with ${VARIABLE} or
; ${ENV(VARIABLE)} for Environmental variable
[globals]
CONSOLE=Console/dsp ; Console interface for demo
2210=misdn/1/10 ; switchboard
2211=misdn/1/11 ; Natalie FREILER
2212=misdn/1/12 ; Peter
2213=misdn/1/13 ; Jürgen GRANDITS
2214=misdn/1/14 ; Thomas MÜLLNER
2215=misdn/1/15 ; Susanne STIPSITS
2216=misdn/1/16 ; Eveline WEINHOFER
2217=misdn/1/17 ; Sabine SWATEK-VENUS
2218=misdn/1/18 ; Anita DIENER
2219=misdn/1/19 ; staff room
2220=misdn/1/20 ; Johanna EBERL
2221=misdn/1/21 ; Anita IMREK
2222=misdn/1/22 ; Dorli CSECSINOVITS
2223=misdn/1/23 ; Hotline
2224=misdn/1/24 ; Baldur FLECK
2225=misdn/1/25 ; Karl SCHUH
2232=misdn/1/32 ; Rudolf ERKINGER
2235=misdn/1/35 ; Tamara TAUS
2236=misdn/1/36 ; Andreas GRABNER
;
2921=SIP/2921 ; grandstream bt100
2925=SIP/2925 ; grandstream 2000
2936=SIP/2936 ; allnet 7950
;
2314=Zap/4
;211=Zap/1
;212=Zap/2
;213=Zap/3
;
[macro-voicemail]
; for SIP phones
exten => s,1,Dial(${ARG1},20,tr)
exten => s,2,Goto(s-${DIALSTATUS},1)
exten => s-NOANSWER,1,Voicemail(u${MACRO_EXTEN})
exten => s-NOANSWER,2,Hangup()
exten => s-BUSY,1,Voicemail(b${MACRO_EXTEN})
exten => s-BUSY,2,Hangup()
exten => _s-.,1,Goto(s-NOANSWER,1)
;
[macro-standard]
exten => s,1,Dial(${ARG1},20,tr)
exten => s,2,Hangup()
;
[macro-isdn-voicemail]
exten => s,1,Dial(${ARG1})
exten => s,2,Goto(s-${DIALSTATUS},1)
exten => s-NOANSWER,1,Voicemail(u${MACRO_EXTEN})
exten => s-NOANSWER,2,Hangup()
exten => s-BUSY,1,Voicemail(b${MACRO_EXTEN})
exten => s-BUSY,2,Hangup()
exten => _s-.,1,Goto(s-NOANSWER,1)
;
; =======================================================
; for incoming calls
;
[default]
exten => s,1,Answer()
exten => s,2,Playback(demo-nogo)
exten => s,3,Hangup()
;
[unauth]
exten => s,1,Answer()
exten => s,2,Playback(demo-nogo)
exten => s,3,Hangup()
;
[voll]
include => demo
include => intern
include => filiale
include => national
include => international
include => always-out-amt
;
[in-isdn]
; calls coming from isdn
; can ring depending on the MSN (unfortunately only 3)
exten => 50,1,Macro(voicemail,${2221})
exten => 511,1,Macro(voicemail,${2225})
exten => 512,1,Macro(voicemail,${2236})
;
[iax-intern-in]
exten => _22XX,1,GoTo(intern,${EXTEN},1)
;
;===========================================================
; outgoing calls
;
[demo]
; Create an extension, 2998, for dialing the
; Asterisk demo.
;
exten => 2998,1,Playback(demo-abouttotry) ; Let them know what's going on
exten => 2998,n,Dial(IAX2/[email protected]/s@default) ; Call the Asterisk demo
exten => 2998,n,Playback(demo-nogo) ; Couldn't connect to the demo site
exten => 2998,n,Hangup()
;
; Create an extension, 2399, for evalating echo latency.
;
exten => 2999,1,Playback(demo-echotest) ; Let them know what's going on
exten => 2999,n,Echo ; Do the echo test
exten => 2999,n,Playback(demo-echodone) ; Let them know it's over
exten => 2999,n,Hangup()
;
;
[intern]
; all phones at the server's site are rung here
; the IAX calls from the branch offices also come directly
; in here
;user with voicemail
exten => 2210,1,Macro(isdn-voicemail,${2210})
exten => 2211,1,Macro(isdn-voicemail,${2211})
exten => 2212,1,Macro(isdn-voicemail,${2212})
exten => 2213,1,Macro(isdn-voicemail,${2213})
exten => 2214,1,Macro(isdn-voicemail,${2214})
exten => 2215,1,Macro(isdn-voicemail,${2215})
exten => 2216,1,Macro(isdn-voicemail,${2216})
exten => 2217,1,Macro(isdn-voicemail,${2217})
exten => 2218,1,Macro(isdn-voicemail,${2218})
exten => 2219,1,Macro(isdn-voicemail,${2219})
exten => 2220,1,Macro(isdn-voicemail,${2220})
exten => 2221,1,Macro(isdn-voicemail,${2221})
exten => 2222,1,Macro(isdn-voicemail,${2222})
exten => 2223,1,Macro(isdn-voicemail,${2223})
exten => 2224,1,Macro(isdn-voicemail,${2224})
exten => 2225,1,Macro(isdn-voicemail,${2225})
exten => 2232,1,Macro(isdn-voicemail,${2232})
exten => 2235,1,Macro(isdn-voicemail,${2235})
exten => 2236,1,Macro(isdn-voicemail,${2236})
;
exten => 2921,1,Macro(voicemail,${2921})
exten => 2925,1,Macro(voicemail,${2925})
exten => 2936,1,Macro(voicemail,${2936})
; user without voicemail
;
exten => 2314,1,Macro(standard,${2314})
;
; for our voiceMailSystem to call it
exten => 2290,1,Ringing
exten => 2290,2,Wait(2)
exten => 2290,3,VoicemailMain
;
; Or a conference room (you'll need to edit
; meetme.conf to enable this room)
;
exten => 8600,1,Meetme(1234)
;
; for invalid numbers and timeouts
exten => i,1,Playback(pbx-invalid)
exten => i,2,Hangup()
ex
exten => t,1,Playback(vm-goodbye)
exten => t,2,Hangup()
;
; end of [intern]
;
;
[filiale]
exten => _23XX,1,Dial(IAX2/zur-inform/${EXTEN})
exten => _23XX,2,Hangup
exten => _23XX,102,Hangup
;
exten => _24XX,1,Dial(IAX2/nach-jo/${EXTEN})
exten => _24XX,2,Hangup
exten => _24XX,102,Hangup
;
;exten => _33XX ??
;
;exten => _44XX ??
;
[always-out-amt]
; emergency calls using ISDN
exten => _1XX,1,Dial(misdn/1/${EXTEN})
exten => _1XX,2,Congestion
exten => _1XX,3,Hangup
exten => _1XX,102,Congestion
exten => _1XX,103,Hangup
;
[local]
; users can only call within the city
; subscribers can only make local calls
; the outside line is seized with 0, which the Dial command
; strips again because mISDN is connected to an
; outside line
exten => _0N.,1,Dial(misdn/1/${EXTEN:1})
;
[national]
; users can not call foreign countries
; subscribers can only make domestic long-distance
; calls; the outside line is seized with 0, which the
; Dial command strips again because mISDN is connected
; to an outside line
exten => _00X.,1,Dial(misdn/1/${EXTEN:1})
;
[international]
; international calls
; subscribers can also make long-distance calls abroad;
; the outside line is seized with 0, which the
; Dial command strips again because mISDN is connected
; to an outside line
exten => _000X.,1,Dial(misdn/1/${EXTEN:1})

/etc/asterisk/iax.conf

; Inter-Asterisk eXchange driver definition
;
[general]
bindport=4569 ; bindport and bindaddr may be specified
language=de
bandwidth=low
;allow=all ; same as bandwidth=high
;disallow=g723.1 ; Hm... Proprietary, don't use it...
disallow=lpc10 ; Icky sound quality... Mr. Roboto.
;allow=gsm ; Always allow GSM, it's cool :)
;jitterbuffer=no
forcejitterbuffer=no
;dropcount=2
;maxjitterbuffer=1000
;maxjitterinterps=10
;resyncthreshold=1000
;maxexcessbuffer=80
;minexcessbuffer=10
;jittershrinkrate=1
;trunkfreq=20 ; How frequently to send
; trunk msgs (in ms)
;
; You can disable authentication debugging to
; reduce the amount of debugging traffic.
;
authdebug=yes
;tos=lowdelay
;autokill=yes
;
;
; Guest sections for unauthenticated connection
; attempts. Just specify an empty secret, or
; provide no secret section.
;
[guest]
type=user
context=unauth
callerid="Guest IAX User"
;
;
[von-inform]
type=user
host=192.168.250.178
;host=192.168.123.5
context=iax-intern-in
trunk=yes
;
[zur-inform]
type=peer
host=192.168.123.5
;
[von-jo]
type=user
host=192.168.150.7
;username=elsylo
;secret=fanta4
context=intern
trunk=yes
;auth=md5,plaintext,rsa
;setvar=foo=bar
;notransfer=yes ; Disable IAX native transfer
;jitterbuffer=yes ; Override global setting
; and enable jitter buffer
; ; for this user
;callerid="Mark Spencer" <(256) 428-6275>
;deny=0.0.0.0/0.0.0.0
;accountcode=markster0101
;permit=209.16.236.73/255.255.255.0
;language=en ; Use english as default language
;
; Peers may also be specified, with a secret and
; a remote hostname.
;
[nach-jo]
type=peer
;username=elsylo
;secret=fanta4
host=192.168.150.7
;sendani=no
;host=asterisk.linux-support.net
;port=5036
;mask=255.255.255.255
;qualify=yes ; Make sure this peer is alive
;jitterbuffer=no ; Turn off jitter buffer
; for this peer


/etc/asterisk/indications.conf

[general]
country=at

[at]
description = Austria
ringcadance = 1000,5000
; Reference: http://www.itu.int/ITU-T/inr/forms/files/tones-0203.pdf
dial = 420
busy = 420/400,0/400
ring = 420/1000,0/5000
congestion = 420/200,0/200
callwaiting = 420/40,0/1960
dialrecall = 420
; RECORDTONE - not specified
record = 1400/80,0/14920
info = 950/330,1450/330,1850/330,0/1000
stutter = 380+420

[de]
description = Germany
; Reference: http://www.itu.int/ITU-T/inr/forms/files/tones-0203.pdf
ringcadance = 1000,4000
dial = 425
busy = 425/480,0/480
ring = 425/1000,0/4000
congestion = 425/240,0/240
callwaiting = !425/200,!0/200,!425/200,!0/5000,!425/200,!0/200,!425/200,!0/5000,!425/200,!0/200,!425/200,!0/5000,!425/200,!0/200,!425/200,!0/5000,!425/200,!0/200,!425/200,0
; DIALRECALL - not specified
dialrecall = !425/100,!0/100,!425/100,!0/100,!425/100,!0/100,425
; RECORDTONE - not specified
record = 1400/80,0/15000
info = 950/330,1400/330,1800/330,0/1000
stutter = 425+400

[hu]
description = Hungary
; Reference: http://www.itu.int/ITU-T/inr/forms/files/tones-0203.pdf
ringcadance = 1250,3750
dial = 425
busy = 425/300,0/300
ring = 425/1250,0/3750
congestion = 425/300,0/300
callwaiting = 425/40,0/1960
dialrecall = 425+450
; RECORDTONE - not specified
record = 1400/400,0/15000
info = !950/330,!1400/330,!1800/330,!0/1000,!950/330,!1400/330,!1800/330,!0/1000,!950/330,!1400/330,!1800/330,!0/1000,0
stutter = 350+375+400

/etc/asterisk/sip.conf

;
; SIP Configuration example for Asterisk
[general]
context=unauth
realm=ow.bfi-bgld.at
bindport=5060
bindaddr=0.0.0.0
srvlookup=yes
;tos=184
;tos=lowdelay
disallow=all
allow=alaw
;allow=ilbc
language=de
nat=no
;
;
[2925]
; Grandstream 2000
type=friend
host=dynamic
;host=192.168.160.xxx
defaultip=192.168.112.72
context=voll
username=2225
secret=2225
callerid="Karl Schuh" <2925>
mailbox=2225
reinvite=no
canreinvite=no
; dtmf mode: for Sipura rfc2833, for Grandstream info
dtmfmode=info
qualify=1000
disallow=all
allow=gsm
allow=alaw
callgroup=1
pickupgroup=1
;
[2921]
; grandstream BT100
type=friend
username=2221
secret=2221
context=voll
callerid=Karl SCHUH <2921>
host=192.168.112.70
canreinvite=no
dtmfmode=info
disallow=all
allow=ulaw
allow=alaw ; Asterisk only supports g723.1 pass-thru!
mailbox=2221
pickupgroup=1
reinvite = no
qualify = 1000

[2936]
; Allnet 7950
type=friend
username=2236
secret=2236
context=voll
host=dynamic
defaultip=192.168.112.71
pickupgroup=1
callgroup=1
reinvite=no
canreinvite=no
qualify=1000
dtmfmode=info
mailbox=2236
disallow=all
allow=ulaw
allow=alaw
callerid="Andreas GRABNER" <2936>

[229]
; Turn off silence suppression in X-Lite
; ("Transmit Silence"=YES)!
; Note that Xlite sends NAT keep-alive packets,
; so qualify=yes is not needed
type=friend
user=229
secret=229
callerid="Sylvia SCHUH mobil" <229>
host=dynamic ; This device needs to register
defaultip=192.168.201.17
;reinvite=no
;canreinvite=no ; Typically set to NO if behind NAT
;disallow=all
allow=all
dtmfmode=rfc2833
context=verwalt


/etc/asterisk/zapata.conf

;
; Zapata telephony interface
;
; Configuration file
[channels]
;language=de
usecallerid=yes
callwaiting=yes
echocancel=yes
echocancelwhenbridged=yes
;rxgain=0.0
txgain=0.0
;
;context=verwalt
;group=2
;signalling=fxo_ks
mailbox=211
callerid="Green Phone"<211>
channel => 1
;signalling=fxo_ks
mailbox=212
callerid="Black Phone"<212>
channel => 2
;signalling=fxo_ks
mailbox=213
callerid="Yellow Phone"<213>
channel => 3
;context=in-amt
group=1
signalling=fxs_ks
callerid=asreceived
channel => 4

7.1.3 CUPS

/etc/cups/cupsd.conf:

######## Server Identity
######## Server Options
AccessLog /var/log/cups/access_log
DefaultCharset notused
ErrorLog /var/log/cups/error_log
LogLevel debug2
Printcap /var/run/cups/printcap
RemoteRoot karls
######## Fax Support
######## Encryption Support
######## Filter Options
User lp
Group lp
RunAsUser Yes
## added by me! mario!
######## Network Options
#Port 80
#Port 443
#Port 631
Listen *:631
######## Browsing Options
Browsing On
## windows troubleshooting
#BrowseAddress 192.168.200.255
###BrowseAddress 192.168.201.255
BrowseAddress 255.255.255.255
## windows troubleshooting end
######## Security Options
<Location />
Order Deny,Allow
Deny From None
Allow From All
</Location>
<Location /classes>
Order Deny,Allow
Deny From None
Allow From All
</Location>
<Location /classes/name>
Order Deny,Allow
Deny From None
Allow From All
</Location>
<Location /jobs>
Order Deny,Allow
Deny From None
Allow From All
</Location>
<Location /printers>
Order Deny,Allow
Deny From None
Allow From All
</Location>
<Location /printers/name>
AuthType Basic
AuthClass User
Order Deny,Allow
Deny From None
Allow From All
</Location>
<Location /admin>
AuthType BasicDigest
AuthClass Group
AuthGroupName sys
Order Deny,Allow
Deny From None
Allow From All
</Location>

/etc/cups/printers.conf

(automatically generated when you add a printer via the web interface)

# Printer configuration file for CUPS v1.2.0b1
# Written by cupsd on Sun 02 Oct 2005 06:31:01 PM CEST
<DefaultPrinter HP_LaserJet_1300>
Info HP LaserJet 1300
DeviceURI usb://HP/LaserJet%201300
State Idle
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
ErrorPolicy stop-printer
</Printer>

7.1.4 Apache2

/etc/apache2/apache2.conf

ServerRoot "/etc/apache2"
LockFile /var/lock/apache2/accept.lock
PidFile /var/run/apache2.pid
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
<IfModule prefork.c>
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 20
MaxRequestsPerChild 0
</IfModule>
<IfModule worker.c>
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>
<IfModule perchild.c>
NumServers 5
StartThreads 5
MinSpareThreads 5
MaxSpareThreads 10
MaxThreadsPerChild 20
MaxRequestsPerChild 0
AcceptMutex fcntl
</IfModule>
User www-data
Group www-data
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
ErrorLog /var/log/apache2/error.log
## include modules
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf
## include user configuration
Include /etc/apache2/httpd.conf
Include /etc/apache2/ports.conf
Include /etc/apache2/conf.d/[^.#]*
Alias /icons/ "/usr/share/apache2/icons/"
<Directory "/usr/share/apache2/icons">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<IfModule mod_negotiation.c>
<IfModule mod_include.c>
Alias /error/ "/usr/share/apache2/error/"
<Directory "/usr/share/apache2/error">
AllowOverride None
Options IncludesNoExec
AddOutputFilter Includes html
AddHandler type-map var
Order allow,deny
Allow from all
LanguagePriority en es de fr
ForceLanguagePriority Prefer Fallback
</Directory>
ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
ErrorDocument 410 /error/HTTP_GONE.html.var
ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
ErrorDocument 415 /error/HTTP_SERVICE_UNAVAILABLE.html.var
ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
</IfModule>
</IfModule>
DirectoryIndex index.html index.cgi index.pl index.php index.xhtml
AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
UseCanonicalName Off
TypesConfig /etc/mime.types
DefaultType text/plain
HostnameLookups Off
IndexOptions FancyIndexing VersionSort
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core
AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^
DefaultIcon /icons/unknown.gif
ReadmeName README.html
HeaderName HEADER.html
IndexIgnore .??* *~ *# HEADER* RCS CVS *,t
AddEncoding x-compress Z
AddEncoding x-gzip gz tgz
AddLanguage da .dk
AddLanguage nl .nl
AddLanguage en .en
AddLanguage et .et
AddLanguage fr .fr
AddLanguage de .de
AddLanguage el .el
AddLanguage it .it
AddLanguage ja .ja
AddLanguage pl .po
AddLanguage ko .ko
AddLanguage pt .pt
AddLanguage no .no
AddLanguage pt-br .pt-br
AddLanguage ltz .ltz
AddLanguage ca .ca
AddLanguage es .es
AddLanguage sv .se
AddLanguage cz .cz
AddLanguage ru .ru
AddLanguage tw .tw
AddLanguage zh-tw .tw
LanguagePriority en da nl et fr de el it ja ko no pl pt pt-br ltz ca es sv tw
AddCharset ISO-8859-1 .iso8859-1 .latin1
AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen
AddCharset ISO-8859-3 .iso8859-3 .latin3
AddCharset ISO-8859-4 .iso8859-4 .latin4
AddCharset ISO-8859-5 .iso8859-5 .latin5 .cyr .iso-ru
AddCharset ISO-8859-6 .iso8859-6 .latin6 .arb
AddCharset ISO-8859-7 .iso8859-7 .latin7 .grk
AddCharset ISO-8859-8 .iso8859-8 .latin8 .heb
AddCharset ISO-8859-9 .iso8859-9 .latin9 .trk
AddCharset ISO-2022-JP .iso2022-jp .jis
AddCharset ISO-2022-KR .iso2022-kr .kis
AddCharset ISO-2022-CN .iso2022-cn .cis
AddCharset Big5 .Big5 .big5
AddCharset WINDOWS-1251 .cp-1251 .win-1251
AddCharset CP866 .cp866
AddCharset KOI8-r .koi8-r .koi8-ru
AddCharset KOI8-ru .koi8-uk .ua
AddCharset ISO-10646-UCS-2 .ucs2
AddCharset ISO-10646-UCS-4 .ucs4
AddCharset UTF-8 .utf8
AddCharset GB2312 .gb2312 .gb
AddCharset utf-7 .utf7
AddCharset utf-8 .utf8
AddCharset big5 .big5 .b5
AddCharset EUC-TW .euc-tw
AddCharset EUC-JP .euc-jp
AddCharset EUC-KR .euc-kr
AddCharset shift_jis .sjis
AddType application/x-tar .tgz
<FilesMatch "\.shtml(\..+)?$">
SetOutputFilter INCLUDES
</FilesMatch>
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
Include /etc/apache2/sites-enabled/[^.#]*

7.1.5 dhcpd

/etc/dhcp3/dhcpd.conf

# no dns update is done when lease is confirmed
ddns-update-style none;
option domain-name "sylvia.test";
option domain-name-servers ns1.sylvia.test;
default-lease-time 6000;
max-lease-time 7200;
log-facility local7;
subnet 192.168.200.0 netmask 255.255.255.0 {
  range 192.168.200.65 192.168.200.96;
  option routers bart.sylvia.test;
  option domain-name "sylvia.test";
  option domain-name-servers 192.168.200.5;
}
host maggie.sylvia.test {
  hardware ethernet 00:0a:5e:22:af:a7;
  fixed-address maggie.sylvia.test;
}
host homer.sylvia.test {
  hardware ethernet 00:50:ba:17:2d:3d;
  fixed-address homer.sylvia.test;
}
host apu.sylvia.test {
  hardware ethernet 00:00:21:00:5b:bc;
  fixed-address apu.sylvia.test;
}
host lisa {
  hardware ethernet 00:10:dc:2c:6a:0d;
  fixed-address lisa.sylvia.test;
}
host bart.sylvia.test {
  hardware ethernet 00:50:04:68:0C:E8;
  fixed-address 192.168.200.1;
}
host nelson.sylvia.test {
  hardware ethernet 00:60:97:11:D5:F0;
  fixed-address nelson.sylvia.test;
}
host grandstream1.sylvia.test {
  hardware ethernet 00:0b:82:03:87:dc;
  fixed-address grandstream1.sylvia.test;
}
host allnet1.sylvia.test {
  hardware ethernet 00:0f:c9:01:4f:94;
  fixed-address allnet1.sylvia.test;
}
host sipura.sylvia.test {
  hardware ethernet 00:0e:08:ad:ca:a5;
  fixed-address sipura.sylvia.test;
}

7.1.6 BIND

/etc/bind/named.conf.local

(There have been no changes made to named.conf.) The "allow-update" directive specifies which hosts are allowed to submit Dynamic DNS updates for master zones. Allowing updates based on the IP address is insecure, but it was necessary here to let the Active Directory servers propagate their services to DNS. (Maybe you wonder why there are suddenly two AD servers: later on, in the phase of migrating the network, it will become necessary to replace the Windows 2000 server with a Windows 2003 server called wiggum.sylvia.test with IP 192.168.200.19.)

zone "sylvia.test" IN {
  type master;
  file "/etc/bind/db.sylvia.test";
  allow-update { 192.168.200.12; 192.168.200.19; };
};

zone "200.168.192.in-addr.arpa" {
  type master;
  file "/etc/bind/db.200.168.192";
};

zone "201.168.192.in-addr.arpa" {
  type master;
  file "/etc/bind/db.201.168.192";
};

/etc/bind/db.sylvia.test

The dynamic entries you find in here were made by a Windows 2003 server called wiggum.sylvia.test. Please read the notes for named.conf.local above.

$ORIGIN .
$TTL 600 ; 10 minutes
sylvia.test IN SOA marge.sylvia.test. root.marge.sylvia.test. (
    2005081961 ; serial
    604800     ; refresh (1 week)
    86400      ; retry (1 day)
    2419200    ; expire (4 weeks)
    604800     ; minimum (1 week)
    )
    NS ns1.sylvia.test.
$TTL 600 ; 10 minutes
    A 192.168.200.12
    A 192.168.200.19
$TTL 604800 ; 1 week
    MX 10 mail.sylvia.test.
$ORIGIN _msdcs.sylvia.test.
$TTL 600 ; 10 minutes
96ee99d9-b18c-4124-b1d1-871cf84a8bac CNAME wiggum.sylvia.test.
$ORIGIN _tcp.Standardname-des-ersten-Standorts._sites.dc._msdcs.sylvia.test.
_kerberos SRV 0 100 88 wiggum.sylvia.test.
_ldap SRV 0 100 389 wiggum.sylvia.test.
$ORIGIN _tcp.dc._msdcs.sylvia.test.
_kerberos SRV 0 100 88 wiggum.sylvia.test.
_ldap SRV 0 100 389 wiggum.sylvia.test.
$ORIGIN domains._msdcs.sylvia.test.
_ldap._tcp.8b1150a1-3690-45c9-999c-194456648354 SRV 0 100 389 wiggum.sylvia.test.
_ldap._tcp.f6731b90-9fe0-492a-8685-eaf32b5da1ce SRV 0 100 389 wiggum.sylvia.test.
$ORIGIN _msdcs.sylvia.test.
eecd0355-53fd-442f-8eb5-0ed2237c4d3e CNAME wiggum.sylvia.test.
$ORIGIN gc._msdcs.sylvia.test.
_ldap._tcp.Standardname-des-ersten-Standorts._sites SRV 0 100 3268 wiggum.sylvia.test.
_ldap._tcp SRV 0 100 3268 wiggum.sylvia.test.
$ORIGIN _msdcs.sylvia.test.
_ldap._tcp.pdc SRV 0 100 389 wiggum.sylvia.test.
$ORIGIN _tcp.Standardname-des-ersten-Standorts._sites.sylvia.test.
_gc SRV 0 100 3268 wiggum.sylvia.test.
_kerberos SRV 0 100 88 wiggum.sylvia.test.
_ldap SRV 0 100 389 wiggum.sylvia.test.
$ORIGIN _tcp.sylvia.test.
_gc SRV 0 100 3268 wiggum.sylvia.test.
_kerberos SRV 0 100 88 wiggum.sylvia.test.
_kpasswd SRV 0 100 464 wiggum.sylvia.test.
_ldap SRV 0 100 389 wiggum.sylvia.test.
$ORIGIN _udp.sylvia.test.
_kerberos SRV 0 100 88 wiggum.sylvia.test.
_kpasswd SRV 0 100 464 wiggum.sylvia.test.
$ORIGIN sylvia.test.
$TTL 604800 ; 1 week
allnet1 A 192.168.200.130
apu A 192.168.200.33
bart A 192.168.200.1
edv-nb1 A 192.168.200.16
flanders A 192.168.200.36
grandstream1 A 192.168.200.129
homer A 192.168.200.12
lisa A 192.168.200.35
maggie A 192.168.200.8
marge A 192.168.200.5
nelson A 192.168.200.34
ns1 A 192.168.200.5
proxy CNAME marge
sipura A 192.168.200.131
snowball A 192.168.201.1
snowball2 A 192.168.201.17
wiggumold A 192.168.200.19
www CNAME marge

/etc/bind/db.200.168.192.in-addr.arpa

As mentioned in chapter 3: Don’t forget the “.” at the end of each entry.

; BIND reverse data file for zone 192.168.200.0/24
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
    2005050801 ; Serial
    604800     ; Refresh
    86400      ; Retry
    2419200    ; Expire
    604800 )   ; Negative Cache TTL
;
@ IN NS ns1.sylvia.test.
1 IN PTR bart.sylvia.test.
5 IN PTR marge.sylvia.test.
8 IN PTR maggie.sylvia.test.
12 IN PTR homer.sylvia.test.
16 IN PTR edv-nb1.sylvia.test.
19 IN PTR wiggum.sylvia.test.
33 IN PTR apu.sylvia.test.
34 IN PTR nelson.sylvia.test.
35 IN PTR lisa.sylvia.test.
36 IN PTR flanders.sylvia.test.
129 IN PTR grandstream1.sylvia.test.
130 IN PTR allnet1.sylvia.test.
131 IN PTR sipura.sylvia.test.

/etc/resolv.conf

search sylvia.testnameserver 192.168.200.5

7.1.7 exim4

/etc/exim4/update-exim4.conf

(generated from dpkg-reconfigure exim4-config)

dc_eximconfig_configtype='smarthost'
dc_primary_hostname='marge.sylvia.test'
dc_other_hostnames='sylvia.test:marge'
dc_local_interfaces='192.168.200.5'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets='192.168.0.0/16'
dc_smarthost='mail.bfi-burgenland.at'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='false'
dc_mailname_in_oh='true'

/etc/mailname

marge6.sylvia.test

/etc/aliases

mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
root: elsylo
k.schuh: karls
s.schuh: elsylo

7.1.8 The Webalizer

/etc/webalizer.conf

## defining log file and type
LogFile /var/log/squid/access.log
LogType squid
## define where HTML output is stored
OutputDir /var/www/webalizer
## Incremental processing allows multiple partial log files
## to be used instead of one huge one.
Incremental yes
# ReportTitle is the text to display as the title
ReportTitle Wos gsoerft worn is bei
## HostName defines the hostname for the report and is
## used in title
HostName marge
## The Quiet option suppresses output messages...
Quiet yes
## Debug prints additional information for error messages.
Debug yes
## The "Top" options below define the number of entries
## for each table. Defaults are Sites=30, URL's=30,
## Referrers=30 and Agents=15, and Countries=50. Tables
## may be disabled by using zero (0) for the value.
TopKSites 30
TopKURLs 30
TopUsers 20
# Your own site/referrer/direct-requests should be hidden
HideSite *marge
HideReferrer marge/
HideReferrer Direct Request
# Usually you want to hide these
HideURL *.gif
HideURL *.GIF
HideURL *.jpg
HideURL *.JPG
HideURL *.ra
# Grouping options
GroupURL /cgi-bin/*
## The Ignore* keywords allow you to completely ignore
## log records based on hostname, URL, user agent or
## referrer.
IgnoreSite localhost
IgnoreReferrer localhost
## How much the MangleAgents should mangle user agent names.
## Level 4 adds minor version number
MangleAgents 4


/etc/crontab

Add this line to your crontab in order to analyse the logfile every hour.

0 * * * * root webalizer

7.1.9 squid

/etc/squid/squid.conf

# NETWORK OPTIONS
# --------------------------------------------------------
# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# --------------------------------------------------------
# TAG: hierarchy_stoplist
# A list of words which, if found in a URL,
# cause the object to
# be handled directly by this cache.
# hierarchy_stoplist cgi-bin ?
# TAG: no_cache
# A list of ACL elements which, if matched,
# cause the request to
# not be satisfied from the cache and the reply
# to not be cached.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
# OPTIONS WHICH AFFECT THE CACHE SIZE
# ---------------------------------------------------------
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# ---------------------------------------------------------
# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
# ---------------------------------------------------------
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
# ACCESS CONTROLS
# ----------------------------------------------------------
acl all src 0.0.0.0/0.0.0.0
# our acl
acl allowed_hosts src 192.168.200.0/255.255.255.0
acl allowed_hosts src 192.168.201.0/255.255.255.0
acl allowed_hosts src 192.168.150.0/255.255.255.0
# end our acl
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
#Recommended minimum configuration:
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# our allow rule
http_access allow allowed_hosts
# end of our allow rule
# Example rule allowing access from your local
# networks. Adapt to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# and finally allow by default
http_reply_access allow all
# TAG: icp_access
# Allowing or Denying access to the ICP port
icp_access allow allowed_hosts
icp_access deny all
# ADMINISTRATIVE PARAMETERS
# --------------------------------------------------------
# TAG: visible_hostname
# If you want to present a special hostname in
# error messages,
visible_hostname proxy.sylvia.test
# OPTIONS FOR THE CACHE REGISTRATION SERVICE
# ---------------------------------------------------------
# HTTPD-ACCELERATOR OPTIONS
# ---------------------------------------------------------
# MISCELLANEOUS
# ---------------------------------------------------------
# DELAY POOL PARAMETERS (all require DELAY_POOLS
# compilation option)
# ---------------------------------------------------------
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
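Squid evaluates the http_access lines above in file order and the first line whose ACLs all match decides, so the position of "allow allowed_hosts" after the !Safe_ports and CONNECT rules is what keeps those two denials effective for the LAN. The following evaluator is an added example, not from the thesis; it parses the ACL and http_access lines transcribed from the squid.conf above, models only the ACL types that file uses (src, port, method, proto), and the request tuples and helper names are constructed here.

```python
"""Evaluate Squid http_access rules first-match-wins (added example, not thesis code)."""
from ipaddress import ip_address, ip_network

# Constructed input: the ACL and http_access lines transcribed from the
# squid.conf above (trailing comments kept to show the parser strips them).
SQUID_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl allowed_hosts src 192.168.200.0/255.255.255.0
acl allowed_hosts src 192.168.201.0/255.255.255.0
acl allowed_hosts src 192.168.150.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 631 # cups
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow allowed_hosts
http_access allow localhost
http_access deny all
"""


def parse_config(text):
    """Return (acls, rules): acls maps name -> (type, [values]);
    rules is the ordered list of (action, [(acl_name, negated), ...])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            name, kind, values = words[1], words[2], words[3:]
            if name in acls and acls[name][0] != kind:
                raise ValueError(f"acl {name} redefined with type {kind}")
            # repeated acl lines with the same name accumulate, as in Squid
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif words[0] == "http_access":
            action, terms = words[1], words[2:]
            if action not in ("allow", "deny") or not terms:
                raise ValueError(f"bad http_access line: {line}")
            rules.append((action, [(t.lstrip("!"), t.startswith("!")) for t in terms]))
    return acls, rules


def _port_in(values, port):
    """True if port is covered by any 'NNN' or 'LO-HI' entry."""
    for v in values:
        lo, _, hi = v.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def acl_matches(acls, name, req):
    kind, values = acls[name]
    if kind == "src":
        return any(ip_address(req["src"]) in ip_network(v) for v in values)
    if kind == "port":
        return _port_in(values, req["port"])
    if kind == "method":
        return req["method"] in values
    if kind == "proto":
        return req["proto"] in values
    raise NotImplementedError(f"acl type {kind!r} is not modelled here")


def http_access(acls, rules, req):
    """The first http_access line whose terms all match decides; a term
    '!name' matches when the acl does not. If nothing matches, Squid
    uses the opposite of the last line's action."""
    for action, terms in rules:
        if all(acl_matches(acls, name, req) != negated for name, negated in terms):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"


def decide(src, port, method="GET", proto="http"):
    """Decision for one request against the transcribed configuration."""
    acls, rules = parse_config(SQUID_CONF)
    req = {"src": src, "port": port, "method": method, "proto": proto}
    return http_access(acls, rules, req)


if __name__ == "__main__":
    print(decide("192.168.200.35", 80))               # allow: allowed_hosts
    print(decide("192.168.200.35", 8443, "CONNECT"))  # deny: CONNECT !SSL_ports
    print(decide("10.0.0.7", 80))                     # deny: falls through to "deny all"
```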


7.1.10 arpwatch

/etc/default/arpwatch

# Global options for arpwatch(8).
# Debian: don't report bogons, don't use PROMISC.
ARGS="-N -p"
# Debian: run as 'arpwatch' user. Empty this to run as root.
RUNAS="arpwatch"

/etc/arpwatch.conf

eth0 -m root+eth0

7.1.11 ntpd

/etc/ntp.conf

# /etc/ntp.conf, configuration for ntpd
# ntpd will use syslog() if logfile is not defined
logfile /var/log/ntpd
driftfile /var/lib/ntp/ntp.drift
statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
## server pool to synchronize with
server chime3.ipv6.surfnet.nl
server europe.pool.ntp.org
server 127.127.1.0
fudge 127.127.1.0 stratum 13
# By default, exchange time with everybody, but don't
# allow configuration. See
# /usr/share/doc/ntp-doc/html/accopt.html for details.
restrict default kod notrap nomodify nopeer noquery
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1 nomodify
# If you want to provide time to your local subnet,
# change the next line.
broadcast 192.168.200.255

7.1.12 Active Directory

Adding a new user to the Active Directory "User" container (forgive me the German installation; a crash course in German: Neu = new, Kontakt = contact, Gruppe = group, Drucker = printer, Benutzer = user, Freigegebener Ordner = shared folder)

Figure 7.1: adding a user to Active Directory


7.1.13 mrtg

/etc/mrtg.conf

Describes a Debian Linux host.

### Global Config Options
WorkDir: /var/www/mrtg
## Load the files where the MIBs you query are located
LoadMIBs: /usr/share/snmp/mibs/UCD-SNMP-MIB.txt, /usr/share/snmp/mibs/TCP-MIB.txt
EnableIPv6: no
WorkDir: /var/www/mrtg
Options[_]: growright,bits
############################################
## System: bart
# Description: Linux bart 2.6.8-1-686 #1
# Tue Sep 14 00:22:58 EDT 2004 i686
# Contact: "Sylvia Schuh"
# Location: "Schloss Jormannsdorf Lager"
############################################
## querying eth0
Target[192.168.200.1_eth0]: \eth0:public@192.168.200.1:
SetEnv[192.168.200.1_eth0]: MRTG_INT_IP="192.168.200.1" MRTG_INT_DESCR="eth0"
MaxBytes[192.168.200.1_eth0]: 12500000
Title[192.168.200.1_eth0]: 192.168.200.1 -- bart
PageTop[192.168.200.1_eth0]: <H1>192.168.200.1 -- bart</H1>
 <TABLE>
 <TR><TD>System:</TD> <TD>bart in "Schloss Jormannsdorf Lager"</TD></TR>
 <TR><TD>Maintainer:</TD> <TD>"Sylvia Schuh"</TD></TR>
 <TR><TD>Description:</TD><TD>eth0 </TD></TR>
 <TR><TD>ifType:</TD> <TD>ethernetCsmacd (6)</TD></TR>
 <TR><TD>ifName:</TD> <TD>Zentrale</TD></TR>
 <TR><TD>Max Speed:</TD> <TD>100.0 Mbits/s</TD></TR>
 <TR><TD>Ip:</TD> <TD>192.168.200.1 (bart.sylvia.test)</TD></TR>
 </TABLE>
## querying eth1
Target[192.168.200.1_eth1]: \eth1:public@192.168.200.1:
SetEnv[192.168.200.1_eth1]: MRTG_INT_IP="192.168.150.6" MRTG_INT_DESCR="eth1"
MaxBytes[192.168.200.1_eth1]: 12500000
Title[192.168.200.1_eth1]: 192.168.150.6 -- bart
PageTop[192.168.200.1_eth1]: <H1>192.168.150.6 -- bart</H1>
 <TABLE>
 <TR><TD>System:</TD> <TD>bart in "Schloss Jormannsdorf Lager"</TD></TR>
 <TR><TD>Maintainer:</TD> <TD>"Sylvia Schuh"</TD></TR>
 <TR><TD>Description:</TD><TD>eth1 </TD></TR>
 <TR><TD>ifType:</TD> <TD>ethernetCsmacd (6)</TD></TR>
 <TR><TD>ifName:</TD> <TD>Internet</TD></TR>
 <TR><TD>Max Speed:</TD> <TD>100.0 Mbits/s</TD></TR>
 <TR><TD>Ip:</TD> <TD>192.168.150.6 ()</TD></TR>
 </TABLE>
## cpu monitoring (www.linuxhomenetworking.com)
Target[server.cpu]: ssCpuRawUser.0&ssCpuRawUser.0:public@192.168.200.1 + ssCpuRawSystem.0&ssCpuRawSystem.0:public@192.168.200.1 + ssCpuRawNice.0&ssCpuRawNice.0:public@192.168.200.1
Title[server.cpu]: Server CPU Load
PageTop[server.cpu]: <H1>CPU-Load - System, User and Nice Processes </H1>
MaxBytes[server.cpu]: 20
ShortLegend[server.cpu]: %
YLegend[server.cpu]: CPU Utilization
Legend1[server.cpu]: current CPU percentage load
LegendI[server.cpu]: Used
LegendO[server.cpu]:
Options[server.cpu]: growright, nopercent
Unscaled[server.cpu]: ymwd
## memory monitoring total versus available
Target[server.memory]: memAvailReal.0&memTotalReal.0:public@192.168.200.1
Title[server.memory]: Free Memory
PageTop[server.memory]: <H1> Free Memory </H1>
MaxBytes[server.memory]: 100000000000
ShortLegend[server.memory]: B
YLegend[server.memory]: Bytes
LegendI[server.memory]: Free
LegendO[server.memory]: Total
Legend1[server.memory]: Free memory, not including swap, in bytes
Legend2[server.memory]: Total memory
Options[server.memory]: gauge,growright,nopercent
kMG[server.memory]: k,M,G,T,P,X
## memory monitoring percentage
Title[server.mempercent]: Percentage Free Memory
PageTop[server.mempercent]: <H1> Percentage Free Memory </H1>
Target[server.mempercent]: (memAvailReal.0&memAvailReal.0:public@192.168.200.1) * 100 / (memTotalReal.0&memTotalReal.0:public@192.168.200.1)
Options[server.mempercent]: growright,gauge,transparent,nopercent
Unscaled[server.mempercent]: ymwd
MaxBytes[server.mempercent]: 30
YLegend[server.mempercent]: Memory %
ShortLegend[server.mempercent]: Percent
LegendI[server.mempercent]: Free
LegendO[server.mempercent]: Free
Legend1[server.mempercent]: Percentage Free Memory
Legend2[server.mempercent]: Percentage Free Memory
## new TCP connection monitoring
Target[server.newconns]: tcpPassiveOpens.0&tcpPassiveOpens.0:public@192.168.200.1 + tcpActiveOpens.0&tcpActiveOpens.0:public@192.168.200.1
Title[server.newconns]: Newly Created TCP Connections
PageTop[server.newconns]: <H1> New Tcp connections</H1>
MaxBytes[server.newconns]: 1000000000
ShortLegend[server.newconns]: c/s
YLegend[server.newconns]: Conns / Min
LegendI[server.newconns]: In
LegendO[server.newconns]: Out
Legend1[server.newconns]: New inbound connections
Legend2[server.newconns]: New outbound connections
Options[server.newconns]: growright,nopercent,perminute
## Established TCP Connections
Target[server.estabcons]: tcpCurrEstab.0&tcpCurrEstab.0:public@192.168.200.1
Title[server.estabcons]: Currently Established TCP Connections
PageTop[server.estabcons]: <H1> Established TCP Connections </H1>
MaxBytes[server.estabcons]: 10000000000
ShortLegend[server.estabcons]:
YLegend[server.estabcons]: Connections
LegendI[server.estabcons]: In
LegendO[server.estabcons]:
Legend1[server.estabcons]: Established connections
Legend2[server.estabcons]:
Options[server.estabcons]: growright,nopercent,gauge
## Disk usage monitoring
## Note: in order for dskPercent.1 and dskPercent.2
## to work you need the entries "disk /var/"
## from the "/etc/snmpd.conf"; the order in the file
## defines which disk is accessed by *.1 and *.2
Target[server.disk]: dskPercent.1&dskPercent.2:public@192.168.200.1
Title[server.disk]: Disk Partition Usage
PageTop[server.disk]: <H1> Disk Partition Usage /home and /var </H1>
MaxBytes[server.disk]: 100
ShortLegend[server.disk]: %
YLegend[server.disk]: Utilization
LegendI[server.disk]: /home
LegendO[server.disk]: /var
Options[server.disk]: gauge,growright,nopercent
Unscaled[server.disk]: ymwd

7.1.14 SmokePing

/etc/smokeping/config

*** General ***

################################################
# DON'T TOUCH UNLESS YOU KNOW WHAT YOU'RE DOING
# BETWEEN THESE MARKS!
################################################
sendmail = /usr/lib/sendmail
imgcache = /var/www/smokeping
imgurl   = ../smokeping
datadir  = /var/lib/smokeping
piddir   = /var/run/smokeping
smokemail = /etc/smokeping/smokemail
################################################
# END OF DON'T TOUCH SECTION
################################################
owner    = sylle
contact  = [email protected]
cgiurl   = http://marge/cgi-bin/smokeping.cgi
mailhost = marge.sylvia.test
syslogfacility = local0
## not all probes at the same time
offset = random

*** Alerts ***
to = [email protected]
from = [email protected]

+bigloss
type = loss
# in percent
pattern = ==0%,==0%,==0%,==0%,>0%,>0%,>0%
comment = suddenly there is packet loss

+someloss
type = loss
# in percent
pattern = >0%,*12*,>0%,*12*,>0%
comment = loss 3 times in a row

+startloss
type = loss
# in percent
pattern = ==S,>0%,>0%,>0%
comment = loss at startup

+rttdetect
type = rtt
# in milli seconds
pattern = <10,<10,<10,<10,<10,<100,>100,>100,>100
comment = routing messed up again ?

*** Database ***
step = 300
pings = 20
# consfn mrhb steps total
AVERAGE 0.5   1  1008
AVERAGE 0.5  12  4320
MIN     0.5  12  4320
MAX     0.5  12  4320
AVERAGE 0.5 144   720
MAX     0.5 144   720
MIN     0.5 144   720

*** Presentation ***
template = /etc/smokeping/basepage.html

+ overview
width = 600
height = 50
range = 10h

+ detail
width = 600
height = 200
unison_tolerance = 2
"Last 3 Hours"   3h
"Last 30 Hours"  30h
"Last 10 Days"   10d
"Last 400 Days"  400d

*** Probes ***
+ FPing
binary = /usr/bin/fping

*** Targets ***
probe = FPing
menu = Top
title = Network Latency Grapher
remark = Welcome to the SmokePing website of 'A poorly \
mantained site running Debian.'

+ World
menu = World
title = Worldwide Connectivity
# my part
++ Europe
menu = Europe
title = European Connectivity

+++ Switzerland
menu = Switzerland
title = Swiss Connectivity
alerts = bigloss,someloss,startloss

+++ Austria
menu = Austria
title = Austria
alerts = bigloss,someloss,startloss

++++ TU-Wien
menu = TuWien
title = TuWien
host = www.tuwien.ac.at

++++ Hauptuni
menu = Hauptuni
title = Hauptuni
host = www.univie.ac.at

+++ UK
menu = United Kingdom
title = United Kingdom

++ USA
menu = North America
title = North American Connectivity

## entries for each host that is tested
+ Lokal
menu = Lokal
title = Lokal

++ snowball
menu = snowball
title = snowball lokale Erreichbarkeit
host = snowball.sylvia.test

++ maggie
menu = maggie
title = maggie lokale Erreichbarkeit
host = maggie.sylvia.test

++ bart
menu = bart
title = bart lokale Erreichbarkeit
host = bart.sylvia.test

++ apu
menu = apu
title = apu W2k
host = apu.sylvia.test

++ nelson
menu = nelson
title = nelson WXP
host = nelson.sylvia.test

++ lisa
menu = lisa
title = lisa suse
host = lisa.sylvia.test

++ snowball2
menu = snowball2
title = snowball2 WXP
host = snowball2.sylvia.test

7.2 IPv6-related Configuration files

In this section you will find the configuration files related to the use of IPv6. Please also see the chapter "Migration to IPv6", as it discusses many configuration-file details in the running text.

7.2.1 Apache

/etc/apache2/sites-available/www6

NameVirtualHost *
<VirtualHost *>
        ServerName www6.schuh-tv.at
        ServerAdmin k.schuhschuh-tv.at

        DocumentRoot /var/www6/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www6/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
                # This directive allows us to have apache2's
                # default start page in /apache2-default/,
                # but still have / go to the right place
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn,
        # error, crit, alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined
        ServerSignature On

        Alias /mrtg/ "/var/www/mrtg/"
        <Directory "/var/www/mrtg/">
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Deny from all
                Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>

        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Deny from all
                Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>
</VirtualHost>

7.2.2 Smokeping

/etc/smokeping/configv6

*** General ***

################################################
# DON'T TOUCH UNLESS YOU KNOW WHAT YOU'RE DOING
# BETWEEN THESE MARKS!
################################################
sendmail = /usr/lib/sendmail
imgcache = /var/www/smokeping
imgurl   = ../smokeping
datadir  = /var/lib/smokeping
### pid dir changed because of the 2nd instance of smokeping
piddir   = /var/run/smokepingv6
smokemail = /etc/smokeping/smokemail
################################################
# END OF DON'T TOUCH SECTION
################################################
owner    = sylle
contact  = [email protected]
## another cgi for smokepingv6
cgiurl   = http://snowball/cgi-bin/smokepingv6.cgi
mailhost = marge.sylvia.test
syslogfacility = local0
offset = random

*** Alerts ***
to = [email protected]
from = [email protected]

+bigloss
type = loss
# in percent
pattern = ==0%,==0%,==0%,==0%,>0%,>0%,>0%
comment = suddenly there is packet loss

+someloss
type = loss
# in percent
pattern = >0%,*12*,>0%,*12*,>0%
comment = loss 3 times in a row

+startloss
type = loss
# in percent
pattern = ==S,>0%,>0%,>0%
comment = loss at startup

+rttdetect
type = rtt
# in milli seconds
pattern = <10,<10,<10,<10,<10,<100,>100,>100,>100
comment = routing messed up again ?

*** Database ***
step = 300
pings = 20
# consfn mrhb steps total
AVERAGE 0.5   1  1008
AVERAGE 0.5  12  4320
MIN     0.5  12  4320
MAX     0.5  12  4320
AVERAGE 0.5 144   720
MAX     0.5 144   720
MIN     0.5 144   720

*** Presentation ***
template = /etc/smokeping/basepage.html

+ overview
width = 600
height = 50
range = 10h

+ detail
width = 600
height = 200
unison_tolerance = 2
"Last 3 Hours"   3h
"Last 30 Hours"  30h
"Last 10 Days"   10d
"Last 400 Days"  400d

*** Probes ***
+ FPing6
binary = /usr/sbin/fping6

*** Targets ***
probe = FPing6
menu = Top
title = Network Latency Grapher
remark = Welcome to the SmokePing website of 'A poorly \
mantained site running Debian.'

+ World
menu = World
title = Worldwide Connectivity
# my part
++ Europe
menu = Europe
title = European Connectivity

+++ Switzerland
menu = Switzerland
title = Swiss Connectivity
alerts = bigloss,someloss,startloss

+++ Austria
menu = Austria
title = Austria
alerts = bigloss,someloss,startloss

++++ Kame
menu = Kame
title = Kame
host = www.kame.net

++++ Sixxs
menu = Sixxs
title = Sixxs
host = www.sixxs.net

+++ UK
menu = United Kingdom
title = United Kingdom

++ USA
menu = North America
title = North American Connectivity

+ Lokal
menu = Lokal
title = Lokal

++ snowball6
menu = snowball6
title = snowball6 lokale Erreichbarkeit
host = snowball6.sylvia.test

++ maggie6
menu = maggie6
title = maggie6 lokale Erreichbarkeit
host = maggie6.sylvia.test

++ bart6
menu = bart6
title = bart6 lokale Erreichbarkeit
host = bart6.sylvia.test

++ apu6
menu = apu6
title = apu6 W2k
host = apu6.sylvia.test

++ nelson6
menu = nelson6
title = nelson6 WXP
host = nelson6.sylvia.test

++ lisa6
menu = lisa6
title = lisa6 suse
host = lisa6.sylvia.test

++ snowball26
menu = snowball26
title = snowball26 WXP
host = snowball26.sylvia.test

++ wiggum6
menu = wiggum6
title = wiggum6 W2k3
host = wiggumold.sylvia.test

++ flanders6
menu = flanders6
title = flanders6 W2k3
host = flanders6.sylvia.test

Note: I did not modify the "World" part very carefully. Surely you could leave out some things here or modify them.
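The alert patterns defined above (bigloss, someloss, startloss and rttdetect, identical in /etc/smokeping/config and /etc/smokeping/configv6) are a small matching language; the following added example, which is not code from the thesis or from SmokePing, evaluates them over a constructed series of samples. It assumes a simplified reading of the SmokePing semantics: "*N*" matches a run of up to N samples of any value, "==S" matches the start-of-data marker, and the last test of a pattern always applies to the newest sample.

```python
import re

def parse_pattern(pattern):
    """Split a SmokePing alert pattern into (op, arg) tests, oldest test first."""
    ops = []
    for tok in pattern.split(","):
        tok = tok.strip()
        m = re.fullmatch(r"\*(\d+)\*", tok)  # *N*: a run of up to N samples of any value
        if m:
            ops.append(("any", int(m.group(1))))
            continue
        m = re.fullmatch(r"(==|>|<)(S|[\d.]+)%?", tok)  # ==0%  >0%  <10  >100  ==S
        if not m:
            raise ValueError(f"unsupported pattern token {tok!r}")
        ops.append((m.group(1), m.group(2)))
    return ops

def _test_sample(op, want, sample):
    """One comparison; 'S' is the start-of-data marker and never compares as a number."""
    if want == "S" or sample == "S":
        return want == "S" and sample == "S"
    v, w = float(sample), float(want)
    return {"==": v == w, ">": v > w, "<": v < w}[op]

def _match(ops, samples, i, j):
    """Do ops[i:] consume samples[j:] exactly? Backtracks over the *N* wildcards."""
    if i == len(ops):
        return j == len(samples)
    op, arg = ops[i]
    if op == "any":
        longest = min(arg, len(samples) - j)
        return any(_match(ops, samples, i + 1, j + k) for k in range(longest + 1))
    return (j < len(samples) and _test_sample(op, arg, samples[j])
            and _match(ops, samples, i + 1, j + 1))

def alert_fires(pattern, series):
    """series: samples oldest..newest (loss % or RTT ms; 'S' before the first one).
    The pattern's last test must hit the newest sample; it may start anywhere earlier."""
    ops = parse_pattern(pattern)
    return any(_match(ops, series, 0, start) for start in range(len(series) + 1))

# the alerts defined in /etc/smokeping/config above, keyed by name
LOSS_ALERTS = {
    "bigloss": "==0%,==0%,==0%,==0%,>0%,>0%,>0%",
    "someloss": ">0%,*12*,>0%,*12*,>0%",
    "startloss": "==S,>0%,>0%,>0%",
}
RTT_ALERTS = {"rttdetect": "<10,<10,<10,<10,<10,<100,>100,>100,>100"}

def fired(series, alerts):
    """Names of the alerts whose pattern matches the (constructed) sample series."""
    return [name for name, pat in alerts.items() if alert_fires(pat, series)]
```

A quiet link that suddenly starts dropping packets, [0, 0, 0, 0, 0, 5, 5, 5], fires bigloss and someloss; a series whose newest sample is 0 fires no loss alert at all, because the last test is anchored to the newest sample.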

7.2.3 mrtg

/etc/mrtgbart6.cfg

WorkDir: /var/www/mrtg
LoadMIBs: /usr/share/snmp/mibs/UCD-SNMP-MIB.txt, /usr/share/snmp/mibs/TCP-MIB.txt
# or for NT
# WorkDir: c:\mrtgdata

### Global Defaults
# to get bits instead of bytes and graphs growing
# to the right Options[_]: growright, bits
EnableIPv6: yes
WorkDir: /var/www/mrtg
Options[_]: growright,bits

################################################
# System: bart
# Description: Linux bart 2.6.8-1-686 #1 Tue Sep 14 00:22:58 EDT 2004 i686
# Contact: "Sylvia Schuh"
# Location: "Schloss Jormannsdorf Lager"
################################################
Target[bart6_eth0]: \eth0:public@bart6:
SetEnv[bart6_eth0]: MRTG_INT_IP="2001:16d8:ff47:1203:2::1" MRTG_INT_DESCR="eth0"
MaxBytes[bart6_eth0]: 12500000
Title[bart6_eth0]: 2001:16d8:ff47:1203:2::1 -- bart
PageTop[bart6_eth0]: <H1>2001:16d8:ff47:1203:2::1 -- bart</H1>
        <TABLE>
                <TR><TD>System:</TD>      <TD>bart in "Schloss Jormannsdorf Lager"</TD></TR>
                <TR><TD>Maintainer:</TD>  <TD>"Sylvia Schuh"</TD></TR>
                <TR><TD>Description:</TD> <TD>eth0 </TD></TR>
                <TR><TD>ifType:</TD>      <TD>ethernetCsmacd (6)</TD></TR>
                <TR><TD>ifName:</TD>      <TD>Zentrale</TD></TR>
                <TR><TD>Max Speed:</TD>   <TD>100.0 Mbits/s</TD></TR>
                <TR><TD>Ip:</TD>          <TD>2001:16d8:ff47:1203:2::1 (bart.sylvia.test)</TD></TR>
        </TABLE>

Target[bart6_eth1]: \eth1:public@bart6:
SetEnv[bart6_eth1]: MRTG_INT_IP="2001:16d8:ff47:1203:1::6" MRTG_INT_DESCR="eth1"
MaxBytes[bart6_eth1]: 12500000
Title[bart6_eth1]: 2001:16d8:ff47:1203:1::6 -- bart
PageTop[bart6_eth1]: <H1>2001:16d8:ff47:1203:1::6 -- bart</H1>
        <TABLE>
                <TR><TD>System:</TD>      <TD>bart in "Schloss Jormannsdorf Lager"</TD></TR>
                <TR><TD>Maintainer:</TD>  <TD>"Sylvia Schuh"</TD></TR>
                <TR><TD>Description:</TD> <TD>eth1 </TD></TR>
                <TR><TD>ifType:</TD>      <TD>ethernetCsmacd (6)</TD></TR>
                <TR><TD>ifName:</TD>      <TD>Internet</TD></TR>
                <TR><TD>Max Speed:</TD>   <TD>100.0 Mbits/s</TD></TR>
                <TR><TD>Ip:</TD>          <TD>2001:16d8:ff47:1203:1::6 ()</TD></TR>
        </TABLE>

##cpu monitoring as described on www.linuxhomenetworking.com
Target[server6.cpu]: ssCpuRawUser.0&ssCpuRawUser.0:public@bart6 + ssCpuRawSystem.0&ssCpuRawSystem.0:public@bart6 + ssCpuRawNice.0&ssCpuRawNice.0:public@bart6
Title[server6.cpu]: Server CPU Load
PageTop[server6.cpu]: <H1>CPU-Load - System, User and Nice Processes </H1>
MaxBytes[server6.cpu]: 20
ShortLegend[server6.cpu]: %
YLegend[server6.cpu]: CPU Utilization
Legend1[server6.cpu]: current CPU percentage load
LegendI[server6.cpu]: Used
LegendO[server6.cpu]:
Options[server6.cpu]: growright, nopercent
Unscaled[server6.cpu]: ymwd

## new TCP connection monitoring
Target[server6.newconns]: tcpPassiveOpens.0&tcpPassiveOpens.0:public@bart6 + tcpActiveOpens.0&tcpActiveOpens.0:public@bart6
Title[server6.newconns]: Newly Created TCP Connections
PageTop[server6.newconns]: <H1> New Tcp connections</H1>
MaxBytes[server6.newconns]: 1000000000
ShortLegend[server6.newconns]: c/s
YLegend[server6.newconns]: Conns / Min
LegendI[server6.newconns]: In
LegendO[server6.newconns]: Out
Legend1[server6.newconns]: New inbound connections
Legend2[server6.newconns]: New outbound connections
Options[server6.newconns]: growright,nopercent,perminute

## Established TCP Connections
Target[server6.estabcons]: tcpCurrEstab.0&tcpCurrEstab.0:public@bart6
Title[server6.estabcons]: Currently Established TCP Connections
PageTop[server6.estabcons]: <H1> Established TCP Connections </H1>
MaxBytes[server6.estabcons]: 10000000000
ShortLegend[server6.estabcons]:
YLegend[server6.estabcons]: Connections
LegendI[server6.estabcons]: In
LegendO[server6.estabcons]:
Legend1[server6.estabcons]: Established connections
Legend2[server6.estabcons]:
Options[server6.estabcons]: growright,nopercent,gauge

7.2.4 firewall: iptables

#!/bin/bash
# IPv6 Firewall script
IPTABLES6=/sbin/ip6tables
EXTIF1="eth1"
SIXXS="2001:6f8:900:587::2/64"
ANY6="::/0"
LOCALHOST6="::1/128"
TRUSTED6="2001:16d8:ff47:1203::/64"   ## Jormannsdorf network
# For future use
BLACKLIST6=""
SURFER6=""
POSTLER6=""
##
BACKUPDIR="/var/log/backups/firewall"

case "$1" in
flush)
        echo -e "Flushing Firewall: "
        $IPTABLES6 -F >> /dev/null 2>&1
        $IPTABLES6 -X >> /dev/null 2>&1
        echo -e "setting Defaults to ACCEPT!"
        echo -e "FireWall OFFEN !!!!!"
        # ip -6 route del 2000::/3 via 2001:6f8:900:587::1
        $IPTABLES6 -P INPUT ACCEPT
        $IPTABLES6 -P OUTPUT ACCEPT
        $IPTABLES6 -P FORWARD ACCEPT
        ;;
start|reload)
        echo -n "Starting Firewall: "
        TIME=`date +%s`
        # keep a copy of the firewall scripts before every (re)start
        tar -czf $BACKUPDIR/firewall.$TIME.tar.gz /etc/init.d/firewall*
        # mail to:
        mail [email protected] -s "Firewall restarted" < $0
        sleep 1
        echo "Forwarding ipv6 einschalten..."
        echo "1" > /proc/sys/net/ipv6/conf/all/forwarding
        $IPTABLES6 -F >> /dev/null 2>&1
        $IPTABLES6 -X >> /dev/null 2>&1
        # default policy: drop everything that is not explicitly accepted
        $IPTABLES6 -P INPUT DROP
        $IPTABLES6 -P OUTPUT DROP
        $IPTABLES6 -P FORWARD DROP
        # DROP AND LOG !!
        $IPTABLES6 --new drop-and-log
        $IPTABLES6 -A drop-and-log -j LOG --log-level info --log-prefix "IPV6 DROP: "
        $IPTABLES6 -A drop-and-log -j DROP
        ##
        $IPTABLES6 -A INPUT -s $LOCALHOST6 -d $LOCALHOST6 -j ACCEPT
        $IPTABLES6 -A OUTPUT -s $LOCALHOST6 -d $LOCALHOST6 -j ACCEPT
        # ssh to the SixXS address only from the trusted network
        for i in $TRUSTED6
        do
                $IPTABLES6 -A INPUT -s $i -d $SIXXS -p tcp --dport 22 -j ACCEPT
                $IPTABLES6 -A OUTPUT -d $i -s $SIXXS -p tcp --sport 22 -j ACCEPT
        done
        # ICMPv6 is needed for neighbour discovery and path MTU discovery
        $IPTABLES6 -A INPUT -p icmpv6 -j ACCEPT
        $IPTABLES6 -A OUTPUT -p icmpv6 -j ACCEPT
        $IPTABLES6 -A FORWARD -p icmpv6 -j ACCEPT
        $IPTABLES6 -A FORWARD -p tcp --dport 80 -j ACCEPT
        $IPTABLES6 -A FORWARD -p tcp --sport 80 -j ACCEPT
        $IPTABLES6 -A INPUT -j drop-and-log
        $IPTABLES6 -A OUTPUT -j drop-and-log
        $IPTABLES6 -A FORWARD -j drop-and-log
        ip -6 route add 2000::/3 via 2001:6f8:900:587::1
        ;;
show)
        echo "Firewall IPv6 EF: "
        $IPTABLES6 -L -nv
        ;;
*)
        echo "Usage: $0 {flush|start|reload|show}"
        exit 1
        ;;
esac
echo "... Fertig"
exit 0
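The FORWARD chain built by the script admits web traffic by port number alone and carries no connection state. As an added example that is not part of the thesis, the following model walks that chain with first-match semantics beside a stateful variant; the packet fields, the NEW/ESTABLISHED state values and the stateful rule set are constructed assumptions, and the variant assumes a kernel that tracks IPv6 connections.

```python
"""First-match model of the FORWARD chain from the IPv6 firewall script above.
Added example, not the thesis's code. A packet is a dict; its 'state' field stands
for what IPv6 connection tracking would report and only matters for the hardened
variant (assumes a kernel with IPv6 conntrack, which the script does not use)."""

def rule_matches(match, pkt):
    """A rule matches when every field it names equals the packet's field."""
    return all(pkt.get(key) == want for key, want in match.items())

def verdict(chain, policy, pkt):
    """Walk the chain top to bottom; the first matching rule decides, else the policy."""
    for match, target in chain:
        if rule_matches(match, pkt):
            return target
    return policy

# FORWARD as the script builds it: ICMPv6, web traffic by port, then drop-and-log.
# The "--sport 80" rule is stateless: any TCP segment with source port 80 is forwarded,
# whether or not it belongs to a web session that was opened from the inside.
FORWARD_SCRIPT = [
    ({"proto": "icmpv6"}, "ACCEPT"),
    ({"proto": "tcp", "dport": 80}, "ACCEPT"),
    ({"proto": "tcp", "sport": 80}, "ACCEPT"),
    ({}, "DROP"),                      # -j drop-and-log
]

# Hardened variant (assumption): replies are admitted by connection state and new
# flows only towards port 80, i.e. "-m state --state ESTABLISHED,RELATED -j ACCEPT"
# followed by "-p tcp --dport 80 -m state --state NEW -j ACCEPT" in ip6tables terms.
FORWARD_STATEFUL = [
    ({"proto": "icmpv6"}, "ACCEPT"),
    ({"state": "ESTABLISHED"}, "ACCEPT"),
    ({"proto": "tcp", "dport": 80, "state": "NEW"}, "ACCEPT"),
    ({}, "DROP"),
]

def compare(pkt):
    """(verdict of the script's chain, verdict of the stateful chain) for one packet."""
    return (verdict(FORWARD_SCRIPT, "DROP", pkt),
            verdict(FORWARD_STATEFUL, "DROP", pkt))

# constructed packets
WEB_REQUEST = {"proto": "tcp", "sport": 40000, "dport": 80, "state": "NEW"}
WEB_REPLY = {"proto": "tcp", "sport": 80, "dport": 40000, "state": "ESTABLISHED"}
NOT_A_REPLY = {"proto": "tcp", "sport": 80, "dport": 22, "state": "NEW"}
```

Both chains forward the web request and its reply; only the stateful chain drops a new flow that merely carries source port 80, which is the case the script's "--sport 80" rule cannot tell apart from a reply.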