Networks To IPv6
Diplomarbeit
Contents
CONTENTS ii
4 Theory of IPv6 (p. 86)
4.1 IPv6 Addresses [1] [2] (p. 87)
4.1.1 Unicast IPv6 addresses (p. 89)
4.1.2 Multicast IPv6 addresses (p. 95)
4.1.3 Anycast IPv6 addresses (p. 97)
4.1.4 Addresses set on an IPv6 enabled host (p. 97)
4.1.5 Address Autoconfiguration Process (p. 98)
4.1.6 DHCPv6 [9] (p. 100)
4.2 IPv6 Header (p. 101)
4.3 ICMPv6 (p. 104)
4.3.1 ICMPv6 Error messages (p. 105)
4.3.2 ICMPv6 Informational messages (p. 107)
4.3.3 Multicast Listener Discovery [12] (p. 107)
4.4 Neighbor Discovery [23] (p. 109)
4.4.1 Neighbor Discovery messages (p. 109)
4.4.2 Neighbor Discovery Process (p. 114)
4.5 IPv6 Routing (p. 118)
4.5.1 Route determination process (p. 119)
4.5.2 IPv6 Delivery Process (p. 119)
4.5.3 IPv6 Routing protocols (p. 122)
4.6 IPv6 and Name Resolution (p. 124)
4.7 Migration to IPv6 [15] (p. 125)
4.7.1 6over4 (p. 125)
4.7.2 6to4 (p. 127)
4.7.3 ISATAP (p. 128)
4.7.4 Teredo (p. 129)
4.7.5 PortProxy (p. 131)
I declare under oath that I have written the present work independently and without outside help, that I have used no sources other than those indicated, and that I have marked as such all passages taken literally or in substance from the sources used.
Vienna, 21.2.2006
Acknowledgement
The last two people I want to thank here are my grandmother Ida Ulreich
and my grandfather Ing. Karl Schuh, who both passed away while I was
writing this thesis. “Love is stronger than death even though it can’t stop
death from happening, but no matter how hard death tries it can’t separate
people from love. It can’t take away our memories either. In the end, life
is stronger than death.” (author unknown)
Preface
When it came to the point of my studies where I had to choose which subject I wanted to write about for my master thesis I really didn't have to think long: I wanted to write something in the field of networks to improve my network administration skills and to learn a lot of things in the field of administering Linux servers. With the previous knowledge I had acquired while working in this field and when I took my CCNA, I wanted to get further and write a thesis that could be of great use for other users as well and which is an upcoming subject, and so one beautiful day I had the idea of writing about IPv6. Then I looked on the internet for IPv6-related articles and found a lot of things concerning the standards of IPv6, how the header is made up and how huge the new address space is. Very often I found phrases like “already IPv6 enabled” and became more and more curious how IPv6 would behave in a production environment, and that's where the idea for my master thesis was born. I wanted to set up an IPv4 network with all the services you need to supply mail, data, www connectivity and many others, and when this was done I wanted to try to migrate this structure to IPv6. The first important problem I had was to get the structure of a well-functioning network and the hardware I would need. Since I had to move out of my apartment at that time I thought I could put all the devices needed for the thesis in my new apartment. I talked to some companies and tried to find people interested enough in my work that they would want to support me, and finally found the Berufsförderungsinstitut Burgenland (http://www.bfi-burgenland.at). The Berufsförderungsinstitut Burgenland is a non-profit organisation working in the field of vocational training in many different skills. From becoming a registered masseur to driving diggers or starting your system administrator career, you can learn anything you want in one of the several offices throughout the Burgenland. (By the way, if you don't know, Burgenland is the easternmost federal state of Austria and is world-wide one of the most important wine suppliers for excellent red and white wine. http://www.burgenland.at). The Berufsförderungsinstitut Burgenland supplied me with their network structure and the knowledge they gained through the productive use of this structure. In addition to this they cleared out a room for me and supplied me with the hardware I needed (several PCs, screens, switches, SIP phones, and so on). After putting all this stuff together the former storage room became more and more homely. While setting up all the services needed I learned the most about the use of Linux-based systems. Of course, as you might have guessed, you learn something about it at university, but if you are not very into it privately, the things you learn at university will be forgotten soon. So I set up one service after the other and learned a lot in the process. And then the big day came: IPv6 needed to be implemented. But let's start step by step.
My thesis is composed of several chapters: the first chapter is about the setting up of the IPv4 part of the network, then there is a chapter about the theory of IPv6, and the most important chapter is the one about the actual migration to IPv6. You will find everything you need to know in order to set up an IPv6-enabled network within this thesis. The idea when writing this thesis was to create a hands-on guide for everyone interested in this subject, for I found it very difficult to get the information I needed. I want to supply facts about each service I used and tested: whether it worked or not, if there is a workaround and how a minimum configuration is achieved. So the point is that you can migrate your home or business network to IPv6 without reading hundreds of pages about the theory; simply take a look at the chapter about migration and try it. I wanted to sum up all I found out about the use of IPv6 in order to make it easier for others to deploy it and start to write more and more applications making use of the advantages provided by IPv6. I want to show everyone afraid of it how easy migrating to IPv6 can be, and everyone interested that there are already lots of things that can be done using IPv6. But let's talk about advantages and disadvantages at the end of the thesis.
Introduction
Motivation
Probably every paper or thesis about IPv6 will start with the words “because of address shortage ...”, and this of course is one major reason to think about IPv6. NAT became a much-used workaround for this problem but also imposes drawbacks like restrictions in the field of peer-to-peer computing and so on. We all may know that several countries have already switched their IT infrastructure to IPv6-based communication and many task forces all over the world try to propagate its use more and more. My main goal for writing this thesis was not to write yet another theory-heavy description of how an IPv6 header is set up and how big the address space is, but rather a hands-on guide for people who are interested in it and don't want to read all the theory first. My work usually is more of the trial-and-error kind (I am not really into reading long descriptions first) and so I wanted to supply a paper you can work with without spending hours on reading, but rather just try it, work with it and learn it by doing.
This thesis could be an interesting source of information for people administering and setting up services in a network for the first time and for those who still don't know if they need IPv6 but are interested. I was very interested in what benefits IPv6 has and which of them can really be brought into production use. The whole thesis is divided into three logical parts: first the network is set up using IPv4, then there is an IPv6 theory part (every thesis needs its theory ;-) ) and the last one is about the migration of the services to IPv6. I wanted to create a complete guide for which you don't really need any previous knowledge. While I was working on the setting up of the IPv4 network I found it pretty difficult to get a quick and dirty configuration of several services, and that's the reason why I decided to append all configuration files I used during my work in order to supply a basic and working configuration.
Problem Statement
For the sake of completeness I want to write about the setting-up of the IPv4 network and the troubles related to that approach as well. When I got the news that the Berufsförderungsinstitut Burgenland was going to support my work not only by wishing me luck but by giving me the hardware I needed and by lending me a room to put all the stuff in, I was all excited. After putting together the pieces of hardware (and in fact, they came in pieces; please see the pictures) into something one would have called a PC a few years ago, I got more and more of a notion of the upcoming work. This was sometime in June 2005. Later in June I went to the Linux Tag 2005 in Karlsruhe, which gave me even more inspiration for starting my work with the full capacity of motivation I had. Having returned from Germany in July, I started documenting my work in more detail. My first entries are from the week between the 20th and the 26th of July.
After setting up the operating systems on all hosts in the network the configuration of the services started. One of the first things done was the installation of the asterisk server together with the Digium card.
CHAPTER 1. THE SETTING-UP OF MY IPV4 NETWORK 9
After putting in the Digium card I got from the company (they are thinking about switching to asterisk-only internal telephony in a few months) several things were missing. Maggie is set up with Debian Sarge 3.1 with kernel 2.4.27-2-686 but was missing the kernel headers and the kernel source, which had to be installed separately.
The following additional packages have been installed with “apt-get install”:
make install
make samples
In order to make the samples you need the package progdocs.
The Zaptel driver mentioned above needs to be loaded with the following command (don't forget to add the module permanently to the /etc/modules file):
modprobe zaptel
For configuring regional parameters and how each port on your telephony card is used there is a configuration file:
/etc/zaptel.conf
Here you can define local signalling options and make the distinction between FXO and FXS ports. When you are working with FX interfaces, the hardware is named after what it connects to; the signalling, however, has to define the device we are emulating. Since the O in FXO stands for Office and the port connects to an office, our software needs to emulate a station here. The opposite is true for FXS, with the S standing for station.
After the zaptel.conf file is edited you must load the driver.
modprobe wcfxs
Note: the Zaptel driver is always loaded first; the drivers for the devices (FXO, FXS, ztdummy, ...) follow.
After you have configured your hardware you need to take a look at asterisk itself. After you have built the source there are, of course, some configuration files left to configure. To start with a simple configuration and experience some success soon you can load the sample configuration files. Asterisk will by default look for configuration files in /etc/asterisk, which has to be created manually.
mkdir /etc/asterisk
The promised sample configurations can be found in /usr/src/asterisk/configs and are obtained by copying them to the /etc/asterisk folder (if, as in my case, you don't have them there by default).
cd /usr/src/asterisk/configs
cp ./modem.conf.sample /etc/asterisk/modem.conf
cp ./modules.conf.sample /etc/asterisk/modules.conf
cp ./phone.conf.sample /etc/asterisk/phone.conf
cp ./voicemail.conf.sample /etc/asterisk/voicemail.conf
cp ./zapata.conf.sample /etc/asterisk/zapata.conf
Now you can start your asterisk server for the first time
/usr/sbin/asterisk -cvvv
The three “v” stand for verbose mode and can be extended to five for detailed verbosity. Now you have a working installation of asterisk with a CLI*> prompt waiting for calls to make. But before you can enjoy calling others via VoIP there are some configuration issues ahead.
A catchword in the world of asterisk is “channel”. A channel is the logical connection to the various transmission and signalling paths which asterisk uses to handle calls. You could also describe it as a driver between the various kinds of VoIP protocols and the hardware that connects to the PSTN. The rules that asterisk follows for this purpose can be found in the so-called dial plan, where we define what kind of channels we need and how they are usable for the system.
Before you can set up the dial plan you have to define the channels to use. In my lab we only had FXO, FXS, IAX and SIP channels in use, which I am going to describe now. (Check the appendix for the config files.)
First I want to describe the terms FXO and FXS in more detail. They have their origin in an old telephone service called Foreign eXchange (FX). The confusing part about FXO and FXS is that FX cards are not named by what they are but by what they connect to. Therefore, an FXS card is connected to a station and has to behave like a central office (FXO, of course, behaves vice versa).
An FXS interface is the same as a standard analog line a phone company provides to most houses and supplies you e.g. with a dial tone, ringing voltage and DTMF detection. The FXO is the side connecting to a central office and is generating DTMF, detecting dial tone and detecting ringing. Both kinds of interfaces are described and configured in /etc/asterisk/zaptel.conf.
IAX on the other hand, the Inter-Asterisk eXchange protocol, is an IP-based media transport protocol and is configured in the iax.conf file. In my topology we will later tunnel the IAX traffic through OpenVPN to our branch office.
The Session Initiation Protocol (SIP) is becoming the most supported kind of VoIP protocol because, like IAX, it is pretty easy to set up. SIP telephony is set up in the sip.conf file, where you define IP address, port and other options so that the phone on the other side can authenticate to the asterisk server.
The dialplan is said to be the heart of any asterisk system, for it defines how asterisk should handle each call. This list of instructions is found in the file /etc/asterisk/extensions.conf and is divided into different parts called contexts. In them extensions, priorities and applications are defined.
Contexts play an organizational role within the dialplan and define scopes. Within a context, extensions (character strings triggering events) are defined. Here you define things like which phone should ring when a certain phone number is called or what the system should do if no one picks up the phone, and so on. Priorities are numbered steps in the execution of each extension and each priority calls a specific application, which in turn performs a certain action like playing sounds or hanging up the call. So the syntax of this file generally looks like this:
[<context-name>]
exten => <extension>, <priority>, <application>
e.g.: exten => 555, 1, Dial(Zap/1,20)
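As an added example (not code from the thesis), a small shell linter for the extensions.conf syntax just shown: it reads a dialplan, extracts the context/extension/priority/application tuples and flags every extension whose priorities are not a contiguous run starting at 1, because asterisk stops executing an extension at the first missing priority. The sample dialplan, its contexts and channel names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thesis: a linter for the extensions.conf syntax
# explained above. Every "exten => ..." line becomes a
# "context extension priority application" tuple, and extensions whose
# numeric priorities are not exactly 1,2,...,k are reported, because asterisk
# stops executing an extension at the first missing priority.

# Constructed sample dialplan. The contexts, extensions and channel names
# are assumptions for illustration, not the thesis's real configuration.
SAMPLE_DIALPLAN='
[internal]
; office phones may ring each other and go out on the analog line
exten => 555, 1, Dial(Zap/1,20)
exten => 555, 2, Voicemail(u555)
exten => 555, 3, Hangup()
exten => 556, 1, Dial(SIP/sipura1,20)
exten => 556, 3, Hangup()

[from-pstn]
; calls arriving on the FXO port only ever reach the reception phone
exten => s, 1, Dial(Zap/1,30)
exten => s, 2, Hangup()
'

# Read a dialplan on stdin and print one tuple per line:
# "<context> <extension> <priority> <application>".
dialplan_tuples() {
    awk '
        /^[ \t]*;/ || /^[ \t]*$/ { next }          # comments and blank lines
        /^[ \t]*\[/ {                               # [context-name]
            ctx = $0
            sub(/^[ \t]*\[/, "", ctx); sub(/].*$/, "", ctx)
            next
        }
        /^[ \t]*exten[ \t]*=>/ {
            sub(/^[ \t]*exten[ \t]*=>[ \t]*/, "")
            n = split($0, f, ",")
            app = f[3]
            for (i = 4; i <= n; i++) app = app "," f[i]   # Dial(Zap/1,20) keeps its comma
            gsub(/^[ \t]+|[ \t]+$/, "", f[1])
            gsub(/^[ \t]+|[ \t]+$/, "", f[2])
            gsub(/^[ \t]+|[ \t]+$/, "", app)
            print ctx, f[1], f[2], app
        }
    '
}

# Read a dialplan on stdin and print "context/extension" for every extension
# whose priorities are not exactly 1..k (a gap, a missing 1, or a duplicate).
# Prints nothing for a clean dialplan.
dialplan_gaps() {
    dialplan_tuples | awk '
        {
            key = $1 "/" $2
            count[key]++
            if ($3 + 0 > max[key] + 0) max[key] = $3 + 0
        }
        END { for (k in count) if (count[k] != max[k]) print k }
    ' | sort
}

# Convenience wrapper that lints the constructed sample.
check_sample_dialplan() {
    printf '%s\n' "$SAMPLE_DIALPLAN" | dialplan_gaps
}

check_sample_dialplan   # reports internal/556, whose priority 2 is missing
```

Run it against your own file with `dialplan_gaps < /etc/asterisk/extensions.conf`; an empty result means every extension's priorities are contiguous.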
At the end of July I managed to have a working telephony system with analog telephones, a Sipura adapter with two analog phones and
Figure 1.1: The naming convention for the TDM bundles is as follows: TDM X Y B, where "TDM" denotes that the card is TDM, "X" denotes the number of FXS modules, "Y" denotes the number of FXO modules, and "B" indicates that this product is a bundle. [41]
After plugging in the Sipura SPA-2000 device its web interface is reachable through the network. If you don't know which IP address the device currently has, simply dial “****” on a phone plugged into the Sipura adapter. A male voice welcomes you to the “Sipura Configuration Menu” and asks you to enter an option followed by the pound key. You can now type e.g. “110#” and it reads the IP address of the phone adapter back to you. The next step is to browse to http://192.168.201.129/admin and change to the advanced mode of the configuration interface.
Figure 1.2: some Sipura options you can query on a touch-tone telephone [4]
By default two users called “admin” and “user” exist with a blank password, which you can set if you like. Remember that, whatever you change on the web interface, the changes only take effect when pressing “Submit All Changes”. In the “System” tab you can either set the IP address statically or dynamically via DHCP (default: DHCP: On). In the “Line 1” tab the following changes to the default configuration have been made: the Proxy is set to the IP address of the local asterisk server (192.168.201.1), and the “Register Expires” value is lowered to “20” (default: 3600). In the section “Subscriber Information” the “Display Name”, as well as “User ID” and
In order to have CUPS on your system you need to install some packages with “apt-get install”. The packages in brackets are those I had to install additionally in order to get the ones I needed.
python-dev, libsnmp5-dev (libssl-dev, libssl0.9.7e-3), libcupsys2-dev (libgnutls11-dev, libtasn1-2-dev), python-qt3, lsb
When you are done with this you need to download and install the driver for the printer. To be more precise, you need to download the HPLIP tar file from http://hpinkjet.sourceforge.net. The file you get is a *.tar.gz and needs to be extracted with the command “tar xvfz *.tar.gz”. After that a folder is created, and after switching into that folder you can run
./configure --prefix=/usr
make
make install (you need to be root for that)
/etc/init.d/hplip restart
/etc/init.d/cups restart
Now the only thing left to do is to add the printer to CUPS. This is usually done via the web interface, but because I did not install any window environment on my Linux computers I decided to use lynx, a text-based web browser, instead.
lynx http://localhost:631
In the “Printers” section you can “Add Printer” and have to type in a printer name, which should be meaningful and must not contain spaces. In the next step you are prompted to define exactly the device you use. For a USB device choose e.g.:
usb://HP/LaserJet%201300
In the next step you have to choose which make your printer is, which in my case is HP. The last step is to choose the model of the printer (LaserJet 1300), and this was the step that ruined my otherwise perfect installation of the printer. There are several LaserJet 1300 printer drivers in this list and I chose the one with the note “Recommended”. What I did not know and/or see at this time was that this was a driver for a PostScript printer and did not really suit my needs. The diabolical thing about this mistake was that the printer worked with Linux clients printing on it without any troubles (I had some layout difficulties; the borders needed to be defined manually) and even worked with some Windows applications. But when it came to the point when I wanted to install the printer on my Windows 2000 I found the spoolsv service occupying about 90% of my system load, and the programs tended to crash when printing something or even when installing the printer. My first thought, of course, was that Windows, especially Windows 2000, is not suited for use with CUPS, but I was proven wrong when a colleague installed the not-recommended CUPS driver and everything worked fine. (In fact, finding out what the problem was has not been such a quick thing, but I leave out the boring details.)
Note: Having a spoolsv process with a huge CPU load in most cases indicates the existence of a virus on the system. These can be some Trojans or, more precisely, e.g. the agobot worm/backdoor infecting *.exe files on your PC. Having had troubles with agobot on other systems before, I checked the usual registry keys agobot uses:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
After I could rule out this possibility I also found information about printer jobs stuck in the printer queue producing similar behavior (check the Microsoft Image Writer queue). Look for the Windows printer queue in
%SYSTEMROOT%\system32\spool
CUPS printers can be accessed via
http://marge.sylvia.test:631/printers/HP_LaserJet_1300
There you have a very user-friendly printer management interface where you can access the printer queue and of course all printers added to CUPS.
After this problem was solved I no longer had problems with the CUPS system, could print even from my Windows 2000 PC and had the correct alignment on the sheets. On each Windows PC you only have to add a new network printer, choose the location http://marge.sylvia.test:631/printers/HP_LaserJet_1300 and add the correct printer driver (hplj1300m6.inf), which I downloaded from the HP homepage. If you feel you need more information on the topic of installing a CUPS printer on a Windows system I'd recommend the page http://www.owlfish.com/thoughts/winipp-cups-2003-07-20.html.
For Linux systems even this was easier. After “apt-get install cupsys-client” the only thing you have to edit is the /etc/cups/client.conf file, to the following:
--- [snip] ---
ServerName marge.sylvia.test
Now you have an accessible printer from your Linux system and can try it from the command line by printing the config file itself with
lp /etc/cups/client.conf
Figure 1.3: the management interface of CUPS; the first printer is the working one, the second the one with the wrong driver type
Iptables, the tool for creating packet-filtering and NAT rules, is one of the most important services on both hosts, for it prevents disallowed traffic from leaving and entering the network. The rules on both nodes are the same and therefore I will only show one of them. The firewalling rules here should be taken as minimum security but were sufficient for my needs.
#!/bin/bash
FWVER=1.0
# for Sylvias Project master thesis
ACCEPT
# web-Traffic allowed for proxy only
Maggie is not only our asterisk server in this environment, but because she has pretty good hardware we decided to make her the database server as well. The database chosen is MySQL because of its widespread popularity and its multiple uses. Since there was no binary for Debian available I downloaded the sources from http://dev.mysql.com/downloads/mysql/4.1.html (at this time MySQL 5.0 was not yet available). For installing you need gunzip, tar, gcc and make, and the following commands:
# creating a group and a user mysql
shell> groupadd mysql
shell> useradd -g mysql mysql
shell> gunzip < mysql-VERSION.tar.gz | tar -xvf -
shell> cd mysql-VERSION
# ./configure -help shows you the configure options; here I chose to install mysql to /usr/local/mysql
shell> ./configure --prefix=/usr/local/mysql
shell> make
shell> make install
# setting up a sample configuration file
# if you like to have the MySQL server started at boot, use the script located in support-files/mysql.server
# if you want to create a new user “user” with all rights from every host with password “password”; creates an entry in the database “mysql” in table “user”
If you don't already have a PKI (public key infrastructure) you should start by building one. Authentication is bidirectional, meaning the server authenticates the client and the client in turn authenticates the server before a secure connection can be established. Both authenticate by verifying that the certificate was signed by the certification authority and afterwards by checking the certificate header for things like the certificate common name or the certificate type. This requires the existence of key pairs (public and private) for each host wanting to connect to the VPN and a certification authority signing them. If you don't want and need an official authority to sign the keys you can also build your own authority, which is described below.
In your /usr/share/doc/openvpn/examples directory is a directory called easy-rsa. Best practice is to copy that folder into your /etc folder so that future package upgrades don't affect your configuration. Then you have to modify your ./vars file with the information about KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL (don't leave any of them blank). To initialize the PKI you only have to:
./vars
./clean-all
./build-ca
Note: In my case, the first command setting the global parameters for building the PKI, ./vars, did not work, so I chose the hands-on
The last step is to distribute the key files generated on the server over a secure channel to the clients, where they have to reside for future encrypted and authenticated connections. Of course, you could also generate the client keys on the clients themselves and have them signed at the key-signing machine by submitting Certificate Signing Requests (CSRs). Then the .key files never have to leave your hard disk. In my lab I chose the secure way of putting the files on a floppy and carrying it to the clients (old school but secure). Below you have a list of files created in the process of setting up the PKI.
The easiest way to configure OpenVPN is to start with the sample config files provided in the package. So begin by
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/
for the server configuration and
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
for the client.
dev tun
## 10.8.0.2 is the client, 10.8.0.1 the server
ifconfig 10.8.0.2 10.8.0.1
proto udp
## The hostname/IP and port of the server
## don’t use the tunnel-endpoint address here!
## otherwise you get: udpv4 link local: [undef]
remote 192.168.150.7 1194
## Keep trying indefinitely to resolve host name
resolv-retry infinite
## Don’t bind to specific local port
nobind
## Downgrade privileges after initialization (non-Win only)
user nobody
group nobody
## Try to preserve some state across restarts.
persist-key
persist-tun
## paths for Root CA certificate, client1 certificate,
## client1 key
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/client1.crt
key /etc/openvpn/easy-rsa/keys/client1.key
## Enable compression on the VPN link
comp-lzo
## Set log file verbosity.
verb 3
In my case the group “nobody” didn't exist, so I had to create a new one with
addgroup nobody
The next step is to allow the new traffic flows in your firewall with the following rules:
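As an added example that is not the thesis's own firewall script: a complete iptables rule set for the policy described in the iptables section (default DROP, stateful return traffic, web traffic to the outside only for the proxy) together with the OpenVPN flows the tunnel needs. Interface names and the proxy address are assumptions; set IPTABLES=echo to see the expanded commands without touching the live firewall.

```shell
#!/bin/sh
# Added example, not the thesis's own firewall script: an iptables rule set in
# the spirit of the policy described in the iptables section (default DROP,
# stateful return traffic, outbound web traffic only for the proxy) plus the
# OpenVPN flows needed for the tunnel. Interfaces and the proxy address are
# assumptions; the address range is the one used in the DNS section.

LAN_IF="eth0"                # inside interface (assumed)
WAN_IF="eth1"                # interface toward the Internet (assumed)
LAN_NET="192.168.200.0/24"   # office network
PROXY="192.168.200.5"        # marge, the web proxy (assumed address)
VPN_PORT="1194"              # OpenVPN listens here on udp (see "remote ... 1194")
IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo for a dry run

# Print the rule set as shell commands, one per line, without running anything.
fw_rules() {
    cat <<EOF
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
# default policies: nothing enters or is forwarded unless allowed below;
# traffic originated by the firewall host itself is trusted
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
# loopback, the inside interface, and replies to sessions we opened
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $LAN_IF -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# web traffic to the outside is allowed for the proxy only; anything else
# from the LAN that tries port 80/443 directly is logged, then hits the policy
$IPTABLES -A FORWARD -i $LAN_IF -o $WAN_IF -s $PROXY -p tcp -m multiport --dports 80,443 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp -m multiport --dports 80,443 -j LOG --log-prefix "FW proxy-bypass: "
# OpenVPN: the tunnel itself, and routed traffic between the tunnel and the LAN
$IPTABLES -A INPUT -i $WAN_IF -p udp --dport $VPN_PORT -j ACCEPT
$IPTABLES -A INPUT -i tun+ -j ACCEPT
$IPTABLES -A FORWARD -i tun+ -o $LAN_IF -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IF -o tun+ -j ACCEPT
# hide the LAN behind the firewall's external address
$IPTABLES -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Install the rule set (needs root). With IPTABLES=echo the commands are only
# printed, which is handy for reviewing the result of variable expansion.
fw_apply() {
    fw_rules | grep -v '^#' | sh -e
}

# Number of filter-table rules the set would install (quick sanity check).
fw_rule_count() {
    fw_rules | grep -c "^$IPTABLES -A "
}

# Usage: FW_APPLY=1 sh firewall.sh   (a plain invocation only prints the rules)
if [ "${FW_APPLY:-}" = "1" ]; then
    fw_apply
else
    fw_rules
fi
```

The LOG rule is the detection half of the "proxy only" policy: a kernel log line prefixed "FW proxy-bypass:" means a LAN host tried to reach the web without going through marge.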
Above I described one of marge's services, CUPS, but marge has more to offer than only a print server. Marge is what I would call “the heart” of my network, providing dynamic host addressing, domain name service, mail server, web server, web proxy and some other services. Below I will describe each one briefly.
Apache, the most popular HTTP server nowadays, available for almost all platforms, was developed around 1995 and derived from the NCSA HTTPd server that was pretty popular back then. Because the first approach to building apache was patching the NCSA HTTPd, it is said the name “apache” is derived from “a patchy” server.
With apache2 v.2.0.54 installed (via apt-get install) one can start configuring the whole thing. In former times you had to modify /etc/apache2/httpd.conf, which by now is nothing more than a container for backward compatibility reasons. Apache2 now uses /etc/apache2/apache2.conf. For a simple configuration of apache you usually don't even have to change anything. Just browse to http://marge.sylvia.test and you should see the wel-
The de facto standard in domain name service is BIND, the Berkeley Internet Name Domain. It stores domain name/IP address pairs centrally in order to be accessible for all clients on the network. BIND is e.g. responsible for providing you with the IP address if you enter a hostname in your web browser. The entry BIND looks up is called an A record, while there are several others like e.g. CNAME, indicating an alias for a given A record.
Several files are needed in order for BIND to work. Best practice is to start with the /etc/bind/named.conf.* files, where you define the zones in your network. The named.conf itself has entries for the zone “localhost”. If you're adding zones rather than modifying them you should better do this in the named.conf.local file. A sample zone entry looks like this and defines which file to search for gathering host information about the zone specified.
zone "sylvia.test" IN {
type master;
file "/etc/bind/db.sylvia.test";
};
In order to support reverse lookup (that is, translation from IP address to name) you need separate zone entries. The name of the reverse zone for the network 192.168.200.0 is by default “200.168.192.in-addr.arpa”, where in-addr.arpa is a pseudo-domain that holds the entries in least-to-most significant order. Here's a sample reverse zone entry from /etc/named.conf.local:
zone "200.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.200.168.192";
};
Now you are done with the named.conf.* files and have to move on to the files specified above. As you can see I put them in /etc/bind/. The most important file of course is /etc/bind/db.sylvia.test, holding all host/IP pairs for my domain. Sample entries for marge.sylvia.test defining the IP address and giving her two aliases called “proxy” and “www” are:
marge A 192.168.200.5
proxy CNAME marge
www CNAME marge
Before you start testing your configuration: don't forget to point to your own DNS server in /etc/resolv.conf. Testing name resolution is possible with the command “nslookup <hostname>” (or respectively “dig <fqdn>”):
root@0[knoppix]# nslookup www
Server: 192.168.200.5
Address: 192.168.200.5#53
www.sylvia.test canonical name = marge.sylvia.test.
Name: marge.sylvia.test
Address: 192.168.200.5
For testing reverse lookups you can use “dig -x <IP-address>”:
root@0[knoppix]# dig -x 192.168.200.5
; <<>> DiG 9.2.4 <<>> -x 192.168.200.5
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53688
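As an added example (not from the thesis), a shell script that derives the in-addr.arpa names described above and generates both db.sylvia.test and the matching reverse zone file from a single host list, so that A and PTR records cannot drift apart. marge's address and aliases are the ones from the text; the second host, the SOA values and the serial are constructed.

```shell
#!/bin/sh
# Added example, not from the thesis: generate the forward (A/CNAME) records of
# db.sylvia.test and the PTR records of the matching reverse zone from one host
# list, so the two files stay consistent, plus the in-addr.arpa name arithmetic
# from the text. marge's address and aliases are the thesis's own; the second
# host and the SOA values are constructed.

DOMAIN="sylvia.test"

# Constructed host list: "name address" for hosts, "alias CNAME target" for aliases.
HOSTS='
marge 192.168.200.5
lisa 192.168.200.10
proxy CNAME marge
www CNAME marge
'

# Reverse zone name for a /24 network: first three octets, least significant first.
reverse_zone() {
    echo "$1" | awk -F '[.]' '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Full reverse-lookup name of one address (what "dig -x" actually queries).
ptr_name() {
    echo "$1" | awk -F '[.]' '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# A and CNAME records for the forward zone, relative to the zone origin.
forward_records() {
    printf '%s\n' "$HOSTS" | awk '
        NF == 2 { printf "%-8s IN A     %s\n", $1, $2 }
        NF == 3 && $2 == "CNAME" { printf "%-8s IN CNAME %s\n", $1, $3 }
    '
}

# One PTR per A record, keyed by the last octet and pointing at the fully
# qualified name; the trailing dot stops BIND from appending the origin again.
reverse_records() {
    printf '%s\n' "$HOSTS" | awk -v dom="$DOMAIN" '
        NF == 2 { split($2, o, "[.]"); printf "%-4s IN PTR   %s.%s.\n", o[4], $1, dom }
    '
}

# Header shared by both zone files. The serial is constructed; it must be
# increased on every change, otherwise secondaries keep serving the old data.
zone_header() {
    cat <<EOF
\$TTL 86400
@       IN SOA   marge.$DOMAIN. root.$DOMAIN. (
                 2006022101 ; serial (constructed)
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 86400 )    ; negative cache TTL
        IN NS    marge.$DOMAIN.
EOF
}

# Complete db.$DOMAIN and db.200.168.192 on stdout.
forward_zone_file() { zone_header; forward_records; }
reverse_zone_file() { zone_header; reverse_records; }

reverse_zone 192.168.200.0      # 200.168.192.in-addr.arpa
forward_zone_file
reverse_zone_file
```

Redirect forward_zone_file and reverse_zone_file into the two file names given in named.conf.local; since both come from the same HOSTS list, "dig -x" on any address will always return a name that resolves back to that address.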
A mail transfer agent or MTA is a service that receives mail and stores it in the recipient's mailbox. It receives its mail from another mail transfer agent, from a mail submission agent (MSA) that receives mail from a mail user agent, or directly from a mail user agent (MUA). A mail submission agent is nothing else than an intermediary between a mail user agent, or simply a mail client, and a mail transfer agent. Often an MUA acts as an MSA as well.
Installing exim4 with “apt-get install exim4” will have “debconf” appear with several configuration questions, discussed below.
First it asks you whether you want to have the configuration put into one file or into several files. I chose to use one file. Since I wanted outgoing mail to be delivered to the Berufsförderungsinstitut Burgenland's own mail server, I chose “mail sent by smarthost; received via SMTP or fetchmail” in the next step. Then you are prompted for the system mail name, which should
Qpopper is a widely used server for the POP3 (Post Office Protocol) protocol, which allows users to fetch their mail from their mailboxes stored by your mail transfer agent, which is exim4 in our network. After downloading the *.tar.gz file containing qpopper from the homepage referenced in the caption you can quick-start after uncompressing with “./configure”, which creates a makefile, followed by “make” and “make install”. This should compile qpopper and install the server as well as the man pages that came with the package. “make clean” deletes all executables and the compiled code.
For configuring qpopper you have to decide which way to run qpopper. You can either have a standalone server or it can be run by inetd. In the first case you need to add a startup script in your runlevel-matching /etc/rcx.d directory (where x stands for your runlevel; if you want to know which runlevel you are using simply type “runlevel” at your Unix prompt). In the second case the file /etc/inetd.conf needs to be configured. Inetd is a daemon on many Unix-flavored systems managing Internet services such as FTP, telnet and of course POP3. It is more efficient than using standalone services because inetd launches the appropriate service only when a matching packet is received. The port number hereby is the criterion for launching the service. This way of starting services is preferable for services not used all the time (for services used all the time a dedicated server surely has more advantages). To configure a service with inetd you have to check the /etc/services file, to see if the port is mapped to the service, and the /etc/inetd.conf file. Below is the example entry for qpopper, assuming your executable is held by /usr/local/lib:
pop3 stream tcp nowait root /usr/local/lib/popper qpopper -s
It is recommended to set nowait.<timeout>, e.g. nowait.400, for large networks with lots of hosts querying the server, in order to prevent inetd from killing qpopper on the assumption that it is looping. The file /etc/services only needs the line
pop3 110/tcp #Post office
Squid is a widely used web caching and proxying server that can provide access restriction by various criteria. Its advantages lie in speeding up the response time of a network service by caching requests for repeated use. Every time you request a site, squid first of all checks if it is already loaded in the cache. If it is not, the site is fetched from the internet and stored in the cache. Otherwise the cached site’s age is checked to see whether it has expired in between (every site is stored for a predefined amount of time), and the content from the cache is sent to the requesting client in case the site is still valid. Caching works for several protocols but is primarily used for HTTP and FTP. ISPs (Internet Service Providers) or LANs sharing a network connection tend to use caching. Users browsing the internet in such an infrastructure use the squid cache as an HTTP proxy, decreasing bandwidth consumption, and have some additional security and anonymity features because the proxy requests the sites on behalf of the “real” client. A huge advantage for each web administrator is the possibility to content-filter the web sites requested.
You can download squid from the website cited or install it directly with “apt-get install squid”. You will find the configuration file in /etc/squid/squid.conf. For a simple startup you only have to define a few options. One is the “cache_dir” to define the directory devoted to caching data. “http_port” is the port squid listens on (default 3128). “http_access” defines who is allowed to use squid and defaults to denying all hosts until explicitly allowed in ACLs (access control lists), which you have to set in order to fit your requirements. The two last options needed are “cache_effective_user” and “cache_effective_group”, which define the user and group having permission to read and write in the cache directory and in the log files. By default squid is configured in proxy mode and is now ready for use. After setting the properties of the clients’ web browsers to use the proxy at server “proxy.sylvia.test” and port “3128”, all web traffic is led through squid. You find these properties for Firefox in the “Tools” menu. In the options window, click “General” and on the right lower side of the window “Connection settings”. There you can define the server and the port of the proxy and which protocols it serves (in some Linux versions of Firefox you will find the “Options” dialog in the “Edit” menu). For Microsoft’s Internet Explorer you have the same changes to make under the “Tools” menu entry “Internet Options”. Click on the tab labelled “Connections” and then on the button at the bottom named “LAN settings”. Check out my configuration file in the appendix and at your installation, for it contains lots of information.
Note: In my network I chose to allow direct access to the outside network only to the servers of my network (take a look at iptables). No client can therefore bypass squid and fetch from the internet something that squid would have blocked, be it sites not allowed by the content check, by the ACL or by download restrictions (size, file type, ...).
Bart is not only the gateway router and tunnel endpoint for OpenVPN but also host to ntpd and ntop.
Ntpd is a daemon synchronizing the system time with time servers from the internet. It acts as a time server for your local network and is able to broadcast time as well. You define which internet servers to use in the file /etc/ntp.conf and you have a separate log file at /var/log/ntpd where you can see the time being synchronized. Within /etc/ntp.conf, “logfile”, “driftfile” (frequency file) and “statsdir” (directory for statistics) are defined. An option that might be interesting to set is “panic <time in seconds>”, which defaults to 1000. This sets the maximum sanity limit for a time synchronization, i.e. if your time correction is more than 1000 seconds ntpd doesn’t set the time itself but prompts you to set the system time manually. You can trick ntpd into doing it with either “ntpd -g -q” for doing it once, or by setting “panic 0” for always correcting the time regardless of how big the correction is. See the appendix for more information about the configuration.
1.7.2 ntop
Ntop is a network traffic probe for a detailed view of what your machines are doing. You have several subdivided parts where you can see graphs and details about categories like summed-up IP traffic, whether traffic was destined unicast/multicast/broadcast, throughputs, and so on.
During the installation of the *.deb package with “dpkg -i” you have debconf asking you for details of the installation. In the first step you define which interfaces to monitor and in the second step which user runs the service (in my case: “ntop”). You can re-launch the configuration with the command “dpkg-reconfigure ntop”.
Before starting ntop for the first time you have to set the administrator’s password with the command “ntop -A”, prompting you for the password to use (this will also cause the service to start automatically upon each reboot). You can start ntop, if needed, manually with “/etc/init.d/ntop start”, which points to an init file “/etc/default/ntop” where in turn “/var/lib/ntop/init.cfg” is included. Inside “/var/lib/ntop/init.cfg” two variables are set: “user” and “interfaces”. These values are set by the “dpkg-reconfigure ntop” I mentioned above. If you want to add additional parameters like “-M” to separate the counters for multiple interfaces, you have to modify “/etc/init.d/ntop” yourself. To access ntop’s HTML output simply browse to port 3000 of your server with the ntop installation (http://bart.sylvia.test:3000).
Homer is a Windows 2000 server providing file sharing and Active Directory.
To make a directory accessible for others on the network you need to share the folder. You can do this with a right-click on the destined folder in the “Windows Explorer”. The context menu opened contains an entry “sharing...” which opens a dialog where you can define the name of the network share. Besides defining the name you have to define who is allowed to browse your files and what rights he/she has on your files. For this you have the button “permissions” where you can choose the users to access your shared directory. Although I don’t have a good explanation for it, I won’t recommend using the user “everyone” here if you want to grant permissions to everyone. I didn’t experience great success with that, but I did with adding the users separately. The network shares I made were “\\192.168.200.12\daten” and “\\192.168.200.12\download”, holding the data produced while building my lab and the programs downloaded. For accessing the shares on Windows-based systems I used the command “Map Network Drives” in the Tools menu in Windows Explorer or “net use * \\192.168.200.12\daten” on the command line. For Linux-based systems I first had to install the package “smbfs” with “apt-get install” and could then mount the network drives. After creating a mount point with “mkdir /mnt/daten” and “mkdir /mnt/download” I could mount the shares with the command
mount -t smbfs -o username=elsylo //192.168.200.12/daten /mnt/daten
or
mount -t cifs -o username=elsylo //192.168.200.12/daten /mnt/daten
respectively, prompting you for the password in the next line. CIFS (Common Internet File System) is nothing else than a renamed new version of SMB (Server Message Block) enriched with some additional features.
“Create a new domain tree” in the next step (you could otherwise create a new child domain in an existing domain tree here). Like in nature, trees usually grow in a forest, and as in nature we have to define the forest to add our new tree to (I chose a new forest). In the next step you have to define the domain name used for the domain, which is “sylvia.test” (a domain name consists of two parts separated with a “.” for Windows; if you choose not to have two parts, Windows will add “.DOM” to your domain name). You could also choose to have a domain name called “sylvia.com” because it is not used on the internet. If you have PCs with an operating system older than Windows 2000 installed in your network you have to use “NetBIOS” and provide an extra “NetBIOS Domain name” (I recommend accepting the default). The next step is to define the Active Directory database and log location, which requires 200 MB of free disk space. Next, the directory for the “SYSVOL” folder is defined and has to reside on a partition formatted NTFS. The SYSVOL folder will later be visible as part of the “Network Neighborhood” or “My Network Places” and will contain user-specific public files (and has to be NTFS because of enabled access rights enforcement). Accept the Pre-Windows 2000 compatible permissions and enter a Restore Mode administrator’s password. In the last step review the settings made and click “next” if you want Active Directory to configure what is needed. After restarting you can start adding the objects needed.
Note: Never click “Cancel” while Active Directory goes through the various steps of installing; it will wreck your computer! If something crosses your mind that you might have configured wrong: let Active Directory finish its work and start “dcpromo” (i.e. the command starting the Active Directory wizard from “cmd”) again afterwards.
When your installation was successful you have added all Active Directory management tools to the menu “Administrative Tools”. Run “Active Directory Users and Computers” to see your domain in the tree on the left side of the window, containing different container objects called “Builtin”, “Computers”, “Domain Controllers”, “ForeignSecurityPrincipals” and “Users”. Similar to the way you add new folders or empty files to a directory, you can add objects to the containers mentioned. Clicking on the “Users” directory opens the list of users in your system (even if you have not added one manually by now, you will see some default
Chapter 2: The initial lab-topology
With all the needs specified in the chapters above, the topology of the network evolved to what it is today. For the sake of simplicity the lab does not consist of all the computers and services really used at the “Berufsförderungsinstitut Burgenland”.
The lab consists of two big parts, the main office and the branch office. The main focus lies of course on the main office, running the majority of the services and having to cope with the biggest load. My model of the main office consists of three servers, three clients and a gateway router. At the branch office only a router, offering several services as well, and a client are located.
Hardware details:
RAM: 128 MB
OS: Debian Sarge 2.6.8-1-686 [1]
HD-capacity: 4 GB
Marge can be seen as the “heart” of our network, combining the most important services. First of all, she provides DHCP-distributed IPv4 addresses for the clients in the network. The DHCP server we chose is dhcpd3 by the Internet Systems Consortium (http://www.isc.org/index.pl?/sw/dhcp/). The second big service located at marge comes from the Internet Systems Consortium (http://www.isc.org/index.pl?/sw/bind/) as well and provides domain name resolution. Besides these vital parts of a network, mail traffic is also guided by exim4 and qpopper on this host. In addition to these services we provide the Apache HTTP server on this host, which can be found online at http://www.apache.org. To get a notion of what happens on the web, Webalizer (www.mrunix.net/webalizer/) analyzes the log file of the web server. Arpwatch (http://www-nrg.ee.lbl.gov) is another tool configured on this machine that keeps a database of all MAC addresses used in this network. In addition to all these services marge also acts as a CUPS print server (www.cups.org) and has an HP LaserJet 1300 plugged in directly via USB. Squid adds the proxy capability here.
was one of the requests the BFI Burgenland made for giving me the equipment I needed. In return they wanted me to use this replica of their network to test the setting up and the use of asterisk without interfering with their everyday business.
Differing from the other PCs I added a digium TDM400 card [41] in order to plug in two analog GESKO Ikarus 1000 phones.
Service details:
• mySQL v4.1 [33] - the world’s most popular open source database
• asterisk [16] - a complete PBX software providing everything you would expect from a PBX. It does Voice over IP in many protocols, and can interoperate with almost all telephony equipment (softphone, hardphone, analog phones, ...)
Homer is the only server in our lab topology running Windows 2000 Server. His work is mainly to act as a file server that can be accessed from all PCs in the topology, and to be the domain controller for the main network (192.168.200.0). We used the Active Directory software implemented in the Server Distribution.
Firewall 5.5 and Antivir of the German company H+B EDV. For my convenience and for testing purposes I added WinSCP3 and PuTTY as well.
In order to have one non-Windows client in the network (again here I had the wish of the company to test the use of a SuSE system as a normal workstation in heterogeneous systems) I chose a SuSE 9.2 distribution. This host is running only client programs like OpenOffice 2.0 beta [22], Konqueror, Mozilla and Firefox [23]. As mail clients I used Kmail and Evolution.
Program details:
• Konqueror
• Kmail [36] - free KDE mail client
• Evolution [37] - groupware client for Linux
Besides the computers used in the main office and the two phones I mentioned above I also used two VoIP hardphones.
The hardphone allnet1 is an ALL7950 SIP [39] phone and is located between the switch and the host apu.
The branch office in my topology with its two computers emulates one of the many locations the BFI Burgenland has to supply with information and connection all over the Burgenland.
IP-address range: 192.168.201.0/24
Hardware details:
RAM: 128 MB
OS: Debian Sarge 2.4.27-2-686 [1]
HD-capacity: 8 GB
Snowball is the gateway computer for the branch office and therefore has to handle all the things bart has to cope with. This includes of course such vital things as routing and iptables, and it is of course the other endpoint of our OpenVPN [5] tunnel. In addition to this there is also another asterisk [16] and apache [10] server installed on this node. The asterisk servers from the main and the branch office are connected via IAX.
This SPA-2000 Sipura Adapter [40] allows you to plug two standard telephones or fax machines into it and connect them to IP-based data networks. It features two POTS ports for connecting analog phones and one Ethernet interface for connecting with the LAN. Each port can be handled totally independently with the software on the small web server built into this device.
Bibliography
[39] Allnet Deutschland GmbH: ALL 7950 SIP Komfort Telefon (2005). http://www.allnet.de/product_info_allnet.php?cPath=_&products_id=99927 (2005-12-02)
[40] Sipura technology, inc.: SPA-2000 Analog Telephone Adapter (2003). http://www.sipura.com/products/spa2000.htm
[41] digium, Inc.: Wildcard TDM400P, TDM31B (2005). http://www.digium.com/index.php?menu=product_detail&category=hardware&product=TDM400P (2005-12-02)
Chapter 3: Testing and benchmarking the network
was originally developed to monitor routers but can now supply data from every device running an SNMP agent. When configured, it can also send you warning emails when thresholds are exceeded. But let’s start with SNMP.
The question to be answered is: what is got through GET? The types of data exchanged between the manager and the agents are stored on the agent in a database called “management information base” or short “MIB”. Each value tracked in a MIB is an object. The MIB is used to translate text queries to OIDs. Each object in the MIB represents a specific entity on the managed device; this can be everything from “hostname” to “number of established IP connections” or “version of operating system”. These MIBs use a hierarchical namespace containing object identifiers or short OIDs. If you want to know which OIDs your system is monitoring look into the folder /usr/share/snmp/mibs/ on Linux-based systems. You’ll find different MIB files containing entries such as
hrMemorySize OBJECT-TYPE
    SYNTAX      KBytes
    UNITS       "KBytes"
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The amount of physical read-write main
        memory, typically RAM, contained by the host."
    ::= { hrStorage 2 }
After you have finished your configuration you have to generate the HTML file that can be opened in the browser with
Read the bing man page for detailed information about the options provided by bing, such as -D for displaying measured throughput for
--------------------------------------------------
Client connecting to snowball, TCP port 5001
TCP window size: 16.0 KByte (default)
--------------------------------------------------
[ 3] local 10.8.0.2 port 3906 connected with 192.168.201.1 port 5001
[ 3] 0.0-10.0 sec 12.8 MBytes 10.7 Mbits/sec
For doing UDP testing simply add “-u”:
snowball:~# iperf -s -u
bart:~# iperf -c snowball -u
Netio measures the net throughput of a network via TCP/IP (and NetBIOS on Windows and OS/2) using various different packet sizes. This is done with 6 different sizes of packets, each with 10 seconds of testing
snowball:~# /home/elsylo/download/netio/bin/linux-i386 -s
bart:~# /home/elsylo/download/netio/bin/linux-i386 -t snowball
The first command starts the server for TCP and UDP connections, the second command starts the client for a TCP test to server “snowball” (if needed you can also specify the port to test with the option “-p<portnumber>” appended to the first command and written before specifying the server address in the client command). The output produced looks like this:
SIPp is an Open Source test tool and traffic generator for the SIP protocol. It works with integrated scenarios establishing and releasing multiple calls with INVITE and BYE methods. It dynamically displays statistics about round trip delay or call rate. It can be used for various kinds of SIP equipment and is very useful for emulating thousands of user agents calling your SIP system. Run the embedded server scenario
/usr/src/sipp/sipp -sn uas
and on the same host the embedded client scenario
/usr/src/sipp/sipp -sn uac 127.0.0.1
There are different scenarios available for SIPp and you can also create your own XML scenarios for testing. The software can be obtained with a simple “apt-get install sipp”.
Another simple but important thing to check in your network is how long it takes to resolve a hostname with dig.
time dig snowball.sylvia.test
An everyday task, and very likely an everyday annoyance, is to open a file you work on from a network share. I assumed having one big and one small file for a word processor and for a spreadsheet lying on the server and being accessed from my clients in the network. These are apu, lisa and nelson, with apu and nelson having both Microsoft Office and OpenOffice installed. Lisa, the SUSE client, only provides OpenOffice. Then I measured the time it takes, with the specified program already opened, until the file was fully loaded.
Measuring the time it takes to download files of various sizes from a web server is the next test I took. Since I didn’t want the traffic from the internet interfering with my analysis I decided to load the files from an internal web server used by the Berufsförderungsinstitut Burgenland. The files downloaded are pictures with file sizes of 80 KB, 250 KB and 2,74 MB.
Ethereal is not really a benchmarking tool but has a lot to do with testing your network, and that’s why I chose to add this tool in this chapter. Ethereal is a network packet analyzer trying to capture network packets and dissect them in maximum detail. It takes every packet sent in a network (and that’s why I switched from using a switch to using a hub in my lab) and displays everything starting from the header and ending at the real data embodied. Ethereal is the first open source tool providing this amount of features and assists you in troubleshooting your network, examining security problems, debugging protocols and learning the internals of a protocol. There are many other advantages connected to the use of Ethereal like the support for all major platforms, detailed protocol information, several filter possibilities, various statistics, and so on.
Since I don’t have a GUI installed on any of my Linux computers, I installed Ethereal on some Windows hosts. Installing Ethereal on Debian works with “apt-get install ethereal”. For Windows you need to download the binary at the web site cited above and start the setup. Since Ethereal version 0.10.12 the WinPcap installer has become part of the Ethereal installer, so you don’t need to worry about forgetting it anymore. When Ethereal is installed you need to choose which interface to monitor in the “Capture” menu. The entry “Interfaces ...” will open a dialog containing all interfaces Ethereal found on your host. Once you have chosen an interface you can start a new capture by clicking “Start” in the same menu. You will see a small window with the number of packets captured with the corresponding protocol. When stopping the live capture the captured data is loaded and you have one line for each packet. In newer versions you even have a color scheme flagging certain kinds of protocols. When clicking one of the packets the entry is highlighted and the details are displayed below.
You will find several Ethereal sniffs throughout my thesis because, and I really want to emphasize this, it helped me solve nearly every problem I experienced.
Known not only to network administrators but also from the movie “The Matrix Reloaded”, nmap is what I used to scan my hosts for open ports. It detects open ports, the services running and the operating system used. In a network it is used for penetration testing and for general computer security. Unlike other tools aiming at assessing host vulnerabilities, nmap is built not to interfere with the normal operation of the networks or computers scanned.
Chapter 4: Theory of IPv6
The Internet Protocol IP is a best-effort datagram service and the version widely used by now is 4. This version was also the first version of IP in production use and formed the basis of the current Internet. It has been described by IETF RFC 791, first published in 1981. The addressing scheme of 32 bit limits the number of addresses to 4.294.967.295, which seemed to be enough back then. Through bad address distribution and a shortsighted idea of how much the internet would grow, addresses are near exhaustion. A USA-centric view of the internet also made it possible that a single college got a bigger address range than the whole of China. There have been some approaches to this issue like tighter control by Regional Internet Registries, network renumbering, DHCP, NAT and of course the introduction of IPv6. Predictions from the year 2004 claim an address pool exhaustion for 2016 and a complete exhaustion for 2023. Although predictions in the field of computer science are always a bit vague, the need for IP addresses will additionally grow with the new market of mobile and domestic devices, which will sooner or later make it inevitable to introduce IPv6.
One huge limitation of IPv4 is the address shortage discussed above. All measures taken against this problem could not solve it as a whole without imposing other troubles. E.g. take a look at NAT: network administrators around the world got used to having public and private addresses in their networks, translating private into public addresses and vice versa in order to reach the internet, with the disadvantage of creating a performance and application bottleneck.
Another need for the change in the protocol is to scale down the number of routing table entries in backbone routers, which is currently near 85.000 entries. With a growing network infrastructure the need for easier configuration of hosts in the network was also an issue lacking a solution when using IPv4. Because the majority of all attacks on a network come from within a company, people also demand security comprising authentication and encryption at the IP level. In addition to this, supporting QoS for production use is demanded. All these concerns are handled by IPv6.
In this chapter I will talk about the key features of IPv6 and why I think, together with countries like Japan and China or institutions like the Pentagon (switching to IPv6 in 2006), that IPv6 is the future and that we cannot overcome the difficulties we have with IPv4 by inventing more and more makeshifts.
The most obvious reason for switching to IPv6 is of course the address space. Instead of 32 bit with IPv4 we now can use 128 bit with IPv6, providing the unbelievable number of 340.282.366.920.938.463.463.374.607.431.768.211.456 possible addresses. The decision to make the address 128 bits long was made in order to provide hierarchical routing domains. An address assigned to an interface is composed of a 64-bit subnet identifier and a 64-bit interface identifier. Similar to the way the address space was allocated with IPv4, the high-order bits in IPv6 addresses define several address types as well. These high-order bits are also called Format Prefix (FP).
Global unicast addresses        001
Link-local unicast addresses    1111 1110 10
Site-local unicast addresses    1111 1110 11
Multicast addresses             1111 1111
Above you see the high-order bits for the most important kinds of addresses. But let’s talk about the syntax of an IPv6 address first.
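As an added example (not code from the thesis), this Python snippet turns the Format Prefix bit strings from the table above into the familiar prefix notation and classifies a textual IPv6 address by its high-order bits; the sample addresses are constructed.

```python
import ipaddress

# Format prefixes exactly as listed in the table above: (high-order bits, address type).
FORMAT_PREFIXES = [
    ("001", "global unicast"),
    ("1111111010", "link-local unicast"),
    ("1111111011", "site-local unicast"),
    ("11111111", "multicast"),
]


def format_prefix_network(bits: str) -> ipaddress.IPv6Network:
    """Turn a Format Prefix bit string into CIDR form, e.g. '1111111010' -> fe80::/10.

    The bits are the leftmost bits of the 128-bit address, so they are shifted
    up to the top, and the prefix length equals the number of bits given.
    """
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError("format prefix must be a non-empty string of 0/1")
    value = int(bits, 2) << (128 - len(bits))
    return ipaddress.IPv6Network((value, len(bits)))


def format_prefix_type(address: str) -> str:
    """Classify an address by comparing its high-order bits with the table.

    Note that the 6to4 range 2002::/16 begins with 001 and therefore counts
    as global unicast; addresses such as ::1 match no row and return 'other'.
    """
    addr = ipaddress.IPv6Address(address)   # also accepts the compressed '::' form
    bits = format(int(addr), "0128b")       # 128-bit binary string, MSB first
    for prefix_bits, kind in FORMAT_PREFIXES:
        if bits.startswith(prefix_bits):
            return kind
    return "other"


if __name__ == "__main__":
    for bits, kind in FORMAT_PREFIXES:
        print(f"{bits:<12} {kind:<22} {format_prefix_network(bits)}")
    # constructed sample addresses, one per row of the table plus the loopback
    for sample in ("2001:db8::1", "fe80::1", "fec0::1", "ff02::1", "::1"):
        print(f"{sample:<14} -> {format_prefix_type(sample)}")
```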
MAC address and a number chosen randomly to your prefix. This address is valid for a predefined period of time (some hours to a few days) and makes it more difficult to keep track of your online activities. Sysadmins in companies won’t like this, since it will impose problems with accounting, access lists and other address-based rules.
In order to facilitate the transition from IPv4 to IPv6 there are several types of addresses to provide coexistence of the two protocols.
4.1.1.5.4 6to4 addresses
6to4 addresses are used together with a special tunneling mechanism that is used to provide unicast IPv6 connectivity between IPv6 sites across the IPv4 network. The address is made up of the following parts:
2002:wwxx:yyzz:SubnetID:InterfaceID
IPv4 address: 192.0.2.128 on site number 5
6to4 address: 2002:c000:280:5:[InterfaceID]
For sending a packet through this configuration the IPv6 packet is embedded in an IPv4 header and the protocol type of the IPv4 header is set to “41”. The destination address is retrieved from the 32 bits in the 6to4 address representing the IPv4 address.
See RFCs 3056, 2893, 3068 and 3964 for further information.
Several addresses discussed above, like the global, the link-local and the site-local address, are composed of a prefix and a 64-bit Interface Identifier. Let’s take a look at how this Interface Identifier is derived. There are several ways you can set your interface identifier. You could let DHCPv6 do the work for you, you could set the addresses manually, or you could as well choose the way discussed above in the chapter about privacy extensions, where the Interface ID is computed using the MAC address and a randomly chosen number. If you wish to remember some computers’ IP addresses easily you might go for the manual setting of the Interface Identifier. In my network the global addresses have been planned manually and set via DHCPv6. For site-local and link-local addresses on the other hand I chose the autoconfigured Interface Identifier to be appended to the prefix.
In those cases the Interface Identifier is set automatically from the Extended Unique Identifier (EUI)-64 defined by IEEE. The EUI-64 is the successor to the 48-bit IEEE 802 (MAC) address, which consists of a company ID (24 bits) and an extension or device ID (24 bits) making each network adapter unique. In the new IEEE EUI-64 addresses the company ID part stays 24 bits long but the extension ID is extended to 40 bits. Let's take a closer look at how an EUI-64 address is derived.
Let's start in the first line with the IEEE 802 address, or simply the MAC address as we know it (Figure 4.2).
Figure 4.2: How to derive the IPv6 interface identifier from the IEEE 802 address [6]
The shaded part is the 24 bit company ID and the white part is the 24 bit extension ID that is distributed within the company.
The two bits within the company ID written “00” instead of the c's are the Universal/Local (U/L) and the Individual/Group (I/G) bits. When Individual/Group is set to 0 the address is unicast, otherwise it is a group (multicast) address. More important for our needs is the Universal/Local bit, for it defines whether the address is universally administered (“0”) or locally administered (“1”).
In order to get to the next step, the creation of an EUI-64 address, 16 bits have to be inserted between company and extension ID. Here we find a little inconsistency with the specification made by IEEE: usually you create an EUI-64 address out of an IEEE 802 (also called MAC-48) address by inserting FF-FF after the company ID, but in order to derive the Interface ID used by IPv6 you have to insert FF-FE (11111111 11111110) instead. The last step in the creation of the Interface Identifier used by IPv6 is to complement the Universal/Local bit in the company ID (the seventh bit of the first byte, counted from the most significant bit) i.e. changing it from zero to one or vice-versa. Because the resulting identifier still contains the complete MAC address, anybody who sees such an address learns the adapter's vendor and can recognise the same machine on any network it moves to; this is the problem the privacy extensions mentioned above are meant to solve.
With IPv6 the “bulk” addressing methods have changed and the good old broadcast is gone. Instead the use of multicast has been extended. Each multicast address starts with the first 8 bits set to 1, thus an address starting with FF is always a multicast address. The structure of the multicast address is as follows: 8 bits 1111 1111, 4 bits Flags, 4 bits Scope ID, 112 bits Group ID.
The only flag defined in the “Flags” section is the Transient flag (T). When
set to 0 it indicates that the address is permanently assigned, when set to 1
it is a transient (non-permanent) address. The Scope ID indicates the scope
of the IPv6 network for which the multicast traffic is intended.
The Group ID identifies the multicast group and is unique within the
scope. The following addresses are defined:
FF02 is the prefix for link-local multicast traffic. The solicited-node multicast address is formed by appending the last 24 bits of the unicast address to the prefix FF02:0:0:0:0:1:FF00::/104; for the link-local address fe80::250:fcff:fe60:d6d6 this gives ff02::1:ff60:d6d6.
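The derivations of this section worked through in code. This is an added example written for this edition, not code from the thesis: it turns a MAC address into the modified EUI-64 interface identifier, builds the link-local address from it, derives the solicited-node multicast address, and splits a multicast address into its Flags, Scope and Group ID fields. The MAC address 00:50:fc:60:d6:d6 is a constructed sample; the scope names other than link-local and node-local are taken from RFC 4291 rather than from this chapter. The reverse function shows why the privacy extensions exist: the adapter's MAC address is readable straight from such an address.

```python
import ipaddress

U_L_BIT = 0x02  # Universal/Local bit: the 7th bit of the first octet, counted from the MSB


def mac_to_modified_eui64(mac: str) -> bytes:
    """48-bit IEEE 802 address -> 64-bit IPv6 interface identifier (RFC 4291, Appendix A).

    Insert FF-FE between the 24-bit company ID and the 24-bit extension ID,
    then complement the Universal/Local bit of the first octet.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui64[0] ^ U_L_BIT]) + eui64[1:]


def modified_eui64_to_mac(iid: bytes) -> str:
    """The derivation is reversible: the MAC address is readable from the address."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        raise ValueError("interface identifier was not derived from a MAC address")
    octets = bytes([iid[0] ^ U_L_BIT]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 followed by the modified EUI-64 interface identifier."""
    prefix = ipaddress.IPv6Address("fe80::").packed[:8]
    return ipaddress.IPv6Address(prefix + mac_to_modified_eui64(mac))


def solicited_node_multicast(unicast: str) -> ipaddress.IPv6Address:
    """FF02:0:0:0:0:1:FF00::/104 plus the low-order 24 bits of the unicast address."""
    low24 = ipaddress.IPv6Address(unicast).packed[13:]
    base = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13]
    return ipaddress.IPv6Address(base + low24)


# Scope values of RFC 4291; the text above only names node-local (1) and link-local (2).
MULTICAST_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x5: "site-local",
                    0x8: "organization-local", 0xE: "global"}


def parse_multicast(addr: str) -> dict:
    """Split FFxy:... into the Transient flag, the scope and the 112-bit group ID."""
    packed = ipaddress.IPv6Address(addr).packed
    if packed[0] != 0xFF:
        raise ValueError(f"{addr} is not a multicast address")
    flags, scope = packed[1] >> 4, packed[1] & 0x0F
    return {
        "transient": bool(flags & 0x1),          # T flag: 0 = permanently assigned
        "scope": MULTICAST_SCOPES.get(scope, f"reserved/unassigned ({scope:#x})"),
        "group_id": int.from_bytes(packed[2:], "big"),
    }


if __name__ == "__main__":
    mac = "00:50:fc:60:d6:d6"                     # constructed sample MAC address
    ll = link_local_from_mac(mac)
    print(ll, "->", solicited_node_multicast(str(ll)))
    print(modified_eui64_to_mac(ll.packed[8:]))
    print(parse_multicast("ff02::1"))
```

Running it prints fe80::250:fcff:fe60:d6d6, its solicited-node address ff02::1:ff60:d6d6, and recovers the MAC address from the interface identifier.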
Anycast addresses are new to the IP protocol and are based on RFC 1546. Anycasting is a conceptual cross between unicast and multicast addressing and is intended to send messages to any one host of a group instead of to one host (unicast) or every host (multicast). Which member of the group receives the message is decided by the routing system, i.e. the nearest member in routing terms. This technique enables possibilities not implemented with IPv4 and is intended for use with several servers or routers running a service when you don't really care which of them provides it. It can also be used for load sharing and is helpful if one of your routers goes out of service.
Instead of having their own addressing scheme, anycast addresses are taken from the unicast address space: an address becomes an anycast address the moment it is assigned to more than one interface, and the nodes it is assigned to must be explicitly configured to know that it is an anycast address. Anycast addresses spread across a huge network are hard to implement because of the routing entries that have to be made. At the time of writing the IPv6 addressing architecture (RFC 3513) only allows anycast addresses to be assigned to routers, not to hosts.
On a host with IPv6 enabled there are, in contrast to IPv4 where you only
had one address assigned to an interface, several addresses configured.
• a link-local address derived automatically
• the loopback-address ::1 derived automatically
• an optional site-local address defined manually or by using radvd
• one or more optional global addresses defined either manually or by
using radvd or DHCP
In addition to these addresses an IPv6 node listens to the following addresses:
• FF01::1 - node-local scope all-nodes multicast address
• FF02::1 - link-local scope all-nodes multicast address
An address can only be used as the source or destination of traffic when its state is preferred or deprecated; a tentative address (Duplicate Address Detection still in progress) or an invalid address cannot be used. You can find out more about autoconfiguration of interfaces in RFC 2462.
Note: I left out special technologies used by default by Microsoft in the
configuration process (e.g. ISATAP, Teredo, ...)
Now that we have learned which addresses are configured on a host running IPv6, it is also important to find out what has changed in the IPv6 header. Since I don't want to write another essay about header formats I will try to keep that chapter as short as possible.
Because of the longer IP address used by IPv6 the structure of the header needed to be redesigned in order to allow efficient data transfer and to clean the header of the unnecessary and unused fields we had with IPv4. An IPv4 header has a length between 20 and 60 bytes, which is pretty long regarding the very short address. An IPv6 packet is made up of a 40 byte IPv6 header (fixed length, with no checksum and no options field), one or more extension headers if needed, and the data.
The Version field indicates the version of the IP protocol used, and the Traffic Class replaces the Type Of Service field from IPv4 and uses the Differentiated Services (DS) method defined in RFC 2474. The next field, the Flow Label, provides additional support for Quality Of Service features and indicates whether a packet belongs to a specific sequence of packets requiring special handling (e.g. video streaming). The Payload Length replaces the “Total Length” field from IPv4 and counts the extension headers, if present, and the upper-layer PDU, but not the 40-byte IPv6 header itself. The Next Header field is a replacement for the Protocol field and either indicates the presence of the first extension header or, if there is no extension header, is set to the protocol of the upper-layer PDU (e.g. TCP, UDP, ICMPv6). The Hop Limit is similar to the TTL field and indicates the maximum number of links a packet is allowed to traverse. Last but not least the source and destination addresses are appended.
The Next Header field is said to be the most important innovation to the IP header, for it allows a modular use of headers when needed. The Next Header field in the IPv6 header indicates whether there is an extension header or not and, in turn, each extension header has a Next Header field as well pointing to the next extension header if present. If no further extension header follows, the Next Header field simply points to the protocol of the upper-layer PDU. A note for anybody writing packet filters: the upper-layer protocol can therefore only be found by walking the whole chain; reading the first Next Header value is not enough. The following extension headers are available (in the same order as they are used; you will find the Next Header values indicating the extension header within brackets):
• Hop-by-Hop Options Header (0) - defines options that are intended to be examined by all devices during transmission (RFC 2460)
Figure 4.10: IPv6 datagram without and with extension headers [11]
The first datagram only consists of the IPv6 header with a Next Header field set to 6, indicating TCP traffic. The second datagram has the Next Header field of the IPv6 header set to 0, which is the Hop-by-Hop Options Header. Within the Hop-by-Hop Options header the succeeding extension header, in this case the Fragment Header, is indicated by setting its Next Header field to 44. In the last extension header the Next Header field is set to 6, referring to TCP traffic again.
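As an added example (not code from the thesis), the following walks the Next Header chain of the two datagrams of Figure 4.10 and of a non-first fragment. The packets are constructed inline with a 20-byte all-zero placeholder where the TCP header would be, and the Routing (43) and Destination Options (60) values are taken from RFC 2460, since the list above only shows Hop-by-Hop. The point for filtering: the Fragment Header has no Hdr Ext Len field, and a non-first fragment names TCP as its next header without carrying the TCP header at all, so port-based filtering on such a packet is not possible.

```python
import ipaddress
import struct

# Next Header values (RFC 2460); only Hop-by-Hop is listed in the text above, the rest are added here.
HOP_BY_HOP, TCP, ROUTING, FRAGMENT, ICMPV6, DEST_OPTS = 0, 6, 43, 44, 58, 60
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}


def ipv6_header(next_header: int, payload_length: int, src: str, dst: str, hop_limit: int = 64) -> bytes:
    """40-byte fixed header: Version 6, Traffic Class 0, Flow Label 0."""
    return struct.pack("!IHBB16s16s", 6 << 28, payload_length, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def walk_headers(packet: bytes):
    """Follow the Next Header chain.

    Returns (chain, offset, upper_layer): the Next Header values in order, the offset at which
    the upper-layer PDU starts, and its protocol number. upper_layer is None for a non-first
    fragment, because the transport header of such a packet is inside another fragment.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    if len(packet) != 40 + struct.unpack("!H", packet[4:6])[0]:
        raise ValueError("Payload Length does not match the packet size")
    chain, nh, offset = [], packet[6], 40
    while nh in EXTENSION_HEADERS:
        chain.append(nh)
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        next_nh = packet[offset]
        if nh == FRAGMENT:
            length = 8                                   # fixed size, no Hdr Ext Len field
            fragment_offset = struct.unpack("!H", packet[offset + 2:offset + 4])[0] >> 3
            if fragment_offset != 0:
                chain.append(next_nh)
                return chain, offset + 8, None
        else:
            length = (packet[offset + 1] + 1) * 8       # Hdr Ext Len in 8-octet units, first 8 excluded
        offset += length
        if offset > len(packet):
            raise ValueError("truncated extension header")
        nh = next_nh
    chain.append(nh)
    return chain, offset, nh


def sample_packets() -> dict:
    """The two datagrams of Figure 4.10 (TCP only, and Hop-by-Hop + Fragment + TCP) plus a
    non-first fragment; all constructed here, with a 20-byte all-zero placeholder for TCP."""
    src, dst = "2001:db8::1", "2001:db8::2"
    tcp = bytes(20)
    hbh = bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])                   # NH=44, len 0 (8 octets), PadN option
    first = struct.pack("!BBHI", TCP, 0, (0 << 3) | 1, 0x1234)     # offset 0, M=1
    later = struct.pack("!BBHI", TCP, 0, (185 << 3) | 0, 0x1234)   # offset 185*8 bytes, M=0
    return {
        "plain": ipv6_header(TCP, len(tcp), src, dst) + tcp,
        "with_ext": ipv6_header(HOP_BY_HOP, len(hbh) + len(first) + len(tcp), src, dst) + hbh + first + tcp,
        "later_frag": ipv6_header(HOP_BY_HOP, len(hbh) + len(later) + len(tcp), src, dst) + hbh + later + tcp,
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, walk_headers(pkt))
```

For the second datagram of the figure the chain comes out as [0, 44, 6] with the TCP header starting at offset 56; for the non-first fragment the chain is the same but no upper-layer header is present.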
The minimum MTU required by IPv6 is 1280 bytes; links that cannot carry that much must fragment and reassemble at the link layer, transparently to IPv6. If a link has a configurable MTU it is recommended to set it to at least 1500 bytes. IPv6 also provides a Path MTU Discovery process in order to find out the PMTU (Path Maximum Transmission Unit), which is the smallest link MTU on a specific path. The sending node derives the PMTU by assuming that it equals the link MTU of the interface the packet is sent on, and simply tests this by sending a packet of that size. If a router on the way to the destination is not able to forward the packet it responds with an ICMPv6 Packet Too Big message containing the MTU of the link it could not forward onto. The sending node then sets the PMTU to the MTU received from the router and retransmits the packet. Since Packet Too Big messages come from intermediate routers and are not authenticated, a node must never raise its estimate because of one, and must never lower it below 1280 bytes.
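The probing loop and the two sanity rules, as an added example written for this edition and not part of the thesis. The list of link MTUs is a constructed path; the rule that a node never lowers its estimate below 1280 or raises it in response to a Packet Too Big message comes from RFC 1981, not from this chapter.

```python
IPV6_MIN_MTU = 1280


def apply_packet_too_big(current_pmtu: int, advertised_mtu: int) -> int:
    """Update the PMTU estimate from a Packet Too Big message.

    Two sanity rules bound what a forged Packet Too Big can do to a sender: a message that
    would raise the estimate is ignored, and the estimate never drops below the IPv6 minimum
    link MTU of 1280 octets (a node may then only add a Fragment header, never send smaller).
    """
    if advertised_mtu >= current_pmtu:
        return current_pmtu
    return max(advertised_mtu, IPV6_MIN_MTU)


def discover_pmtu(link_mtus: list) -> tuple:
    """Simulate the probing loop described in the text.

    link_mtus[0] is the sender's own link, the remaining entries the links each router forwards
    onto. Returns (pmtu, packet_too_big_messages), each message being (router_index, link_mtu).
    """
    pmtu = link_mtus[0]
    messages = []
    while True:
        for hop, mtu in enumerate(link_mtus[1:], start=1):
            if mtu < IPV6_MIN_MTU:
                continue        # such links must fragment below IPv6, transparently to it
            if pmtu > mtu:      # router 'hop' cannot forward a pmtu-sized packet
                messages.append((hop, mtu))
                pmtu = apply_packet_too_big(pmtu, mtu)
                break           # the sender retransmits with the new size
        else:
            return pmtu, messages


if __name__ == "__main__":
    # constructed path: sender on 1500, then links of 1500, 1400, 1280 and 1500 bytes
    print(discover_pmtu([1500, 1500, 1400, 1280, 1500]))
```

On the constructed path the sender receives two Packet Too Big messages (1400, then 1280) before its packets get through; a Packet Too Big advertising 1000 bytes only lowers the estimate to 1280.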
Current TCP, UDP and ICMP implementations for IPv4 include a pseudo-header in their checksum. This pseudo-header contains the source and destination addresses as well and therefore needs to be modified for IPv6 (simply exchange the addresses). The new pseudo-header must be used by TCP, UDP and ICMPv6 and, besides the addresses mentioned, includes a field containing the upper-layer packet length and a Next Header field indicating the upper-layer protocol for which the checksum has been calculated. Note that the I
Pv6 header itself carries no checksum at all; the upper-layer checksum over the pseudo-header is what protects against misdelivered packets.
Note: Any transport or other upper-layer protocol including the source
and destination addresses from the IP header in its computation
must be modified for the use with IPv6 in order to include the 128-
bit addresses. Therefore the so-called pseudo-header has to be mod-
ified. (RFC 2460)
4.3 ICMPv6
Note: ICMPv6 error messages are not sent for every error encountered but have to satisfy a rate limit, which can be set based on a timer or a percentage of bandwidth.
In the header of a Packet Too Big message the Type is set to 2, the Code to 0 and, following the checksum field, there is a new field called MTU storing the MTU of the link onto which the router sending the ICMP message could not forward the packet. Note that this is discussed in the “IPv6 header” part of this chapter.
The Time Exceeded message is usually sent when the hop-limit field be-
comes zero after decrementing it during forwarding. The Type is set 3
and the Code Value can be either “0” - Hop Limit Exceeded by Transit or
“1” - Fragment Reassembly Time Exceeded indicating the fragmentation
reassembly time expired at the destination host.
The Multicast Listener Query message is used to find out details about multicast group membership on a link. There are two types of Multicast Listener Queries, which can be distinguished by the Destination Address set in the IPv6 header and the Multicast Address set in the Multicast Listener Query message. The first one is the “General query”, sent unsolicited and periodically with the Destination Address set to the link-local all-nodes multicast address (FF02::1) and the Multicast Address set to the unspecified address (::). The other type is the multicast-address-specific query, which queries all hosts on a link belonging to a specific multicast group. This time both the Destination Address and the Multicast Address are set to the specific multicast address that is being queried. The “Maximum Response Delay” is the time within which a multicast group member must report its membership.
The Multicast Listener Done message is used to inform the routers that there might be no more listeners for a specific multicast address on a link, because the sending node announces with this message that it is leaving the multicast group. It is sent when the group member that responded to the last Multicast Listener Query wants to leave the multicast group. Since this host might not really be the last multicast member on the link (and routers, as mentioned above, do not keep track of how many listeners are found on a link for a specific multicast group), a local router has to immediately send a multicast-address-specific query for the specific multicast group in order to find members still listening on the link. The Destination Address of a Multicast Listener Done message is set to the link-local scope all-routers multicast address (FF02::2) and the Multicast Address to the multicast address used by the multicast group for which there might be no more listeners on the link.
Please see RFC 2710 for more details on the Multicast Listener Discovery.
The Neighbor Discovery protocol, or short ND, is one of the biggest new
inventions to IPv6 for it replaces ARP, ICMP router discovery and the
ICMP redirect message and in addition to this provides additional tech-
niques IPv4 was not capable of. It is used by nodes to determine link-local
addresses of other nodes and changes of these, to find routers willing to
forward their traffic and keeps track of which neighbors are reachable.
The Router Solicitation message is sent by a host, e.g. when its interface comes up, in order to get a solicited Router Advertisement in response immediately instead of waiting for the next unsolicited Router Advertisement. The Source Address field is set to either the link-local address or the unspecified address (::), the destination address is set to the link-local all-routers multicast address (FF02::2) and the Hop Limit is set to 255.
• Reserved
• Router Lifetime - defines how long a router is a default router (in
seconds). 0 indicates that it is no default router.
• Reachable Time - defines how long a node can consider a Neighbor
reachable after receiving a reachability confirmation
• Retransmission Timer - amount of time between retransmission of
Neighbor Solicitation messages during neighbor unreachability de-
tection
• Source Link-Layer Address option - if present, contains the link-layer
address of the interface on which the Router Advertisement was sent
• MTU option - if present, it contains the MTU of the link
• Prefix Information Options - contains on-link prefixes when present
• Advertisement Interval Option - when present, contains the interval
of unsolicited Router Advertisement messages
• Home Agent Information Option - when present, contains information on the home agent
• Route Information Options - when present, contains routes to add to
the routing table of the host
• Prefix discovery
• Parameter discovery
• Address autoconfiguration
• Address resolution
• Next-hop determination
• Neighbor unreachability detection
• Duplicate address detection
• Redirect function
Let’s take a closer look at some of these.
The sending node sends a Neighbor Solicitation message to the solicited-node multicast address derived from the destination IP address; the message carries the destination address as its Target Address and the link-layer address of the sending host in a Source Link-Layer Address option. When the target host receives this message it first updates its Neighbor Cache with the data from the sending node and then replies with a unicast Neighbor Advertisement message containing its own link-layer address in a Target Link-Layer Address option. The original sender updates its Neighbor Cache as well and then the packet can be sent. Neither message is authenticated, so any node on the link can answer a solicitation for an address that is not its own and thereby redirect traffic to itself; this is the IPv6 counterpart of ARP spoofing.
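The exchange described above, as an added example that is not part of the thesis: it builds the Neighbor Solicitation sent to the solicited-node multicast address, the unicast Neighbor Advertisement answering it, and computes the ICMPv6 checksum over the pseudo-header described in the header section (the same checksum applies to the Router Solicitation format given earlier). Addresses and MAC addresses are constructed samples; the option types (1 = Source Link-Layer Address, 2 = Target Link-Layer Address) and the S/O flag positions are from RFC 2461. verify() is what a receiver should do before touching its Neighbor Cache.

```python
import ipaddress
import struct

ICMPV6 = 58
NEIGHBOR_SOLICITATION, NEIGHBOR_ADVERTISEMENT = 135, 136
OPT_SOURCE_LLADDR, OPT_TARGET_LLADDR = 1, 2
NA_SOLICITED, NA_OVERRIDE = 0x40000000, 0x20000000   # the R (router) flag stays 0 here


def ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: bytes, dst: bytes, upper_len: int) -> bytes:
    """RFC 2460 section 8.1: addresses, upper-layer length, three zero bytes, next header."""
    return src + dst + struct.pack("!I", upper_len) + b"\x00\x00\x00" + bytes([ICMPV6])


def icmpv6_with_checksum(src: str, dst: str, body: bytes) -> bytes:
    src_p, dst_p = ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed
    csum = (~ones_complement_sum(pseudo_header(src_p, dst_p, len(body)) + body)) & 0xFFFF
    return body[:2] + struct.pack("!H", csum) + body[4:]


def ipv6_packet(src: str, dst: str, icmp: bytes) -> bytes:
    """Neighbor Discovery packets always carry Hop Limit 255."""
    return (struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, 255)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + icmp)


def solicited_node(unicast: str) -> str:
    packed = ipaddress.IPv6Address(unicast).packed
    base = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13]
    return str(ipaddress.IPv6Address(base + packed[13:]))


def lladdr_option(opt_type: int, mac: str) -> bytes:
    return bytes([opt_type, 1]) + bytes.fromhex(mac.replace(":", ""))   # length 1 = 8 octets


def neighbor_solicitation(src: str, src_mac: str, target: str) -> bytes:
    dst = solicited_node(target)
    body = (struct.pack("!BBHI", NEIGHBOR_SOLICITATION, 0, 0, 0)
            + ipaddress.IPv6Address(target).packed + lladdr_option(OPT_SOURCE_LLADDR, src_mac))
    return ipv6_packet(src, dst, icmpv6_with_checksum(src, dst, body))


def neighbor_advertisement(src: str, src_mac: str, dst: str) -> bytes:
    body = (struct.pack("!BBHI", NEIGHBOR_ADVERTISEMENT, 0, 0, NA_SOLICITED | NA_OVERRIDE)
            + ipaddress.IPv6Address(src).packed + lladdr_option(OPT_TARGET_LLADDR, src_mac))
    return ipv6_packet(src, dst, icmpv6_with_checksum(src, dst, body))


def verify(packet: bytes) -> bool:
    """Receiver-side checks before the Neighbor Cache is updated: Hop Limit 255 (the packet
    cannot have crossed a router) and a correct checksum over pseudo-header plus ICMPv6 body."""
    if len(packet) < 48 or packet[6] != ICMPV6 or packet[7] != 255:
        return False
    icmp = packet[40:]
    return ones_complement_sum(pseudo_header(packet[8:24], packet[24:40], len(icmp)) + icmp) == 0xFFFF


def link_layer_option(packet: bytes) -> tuple:
    """(option type, MAC) of the option following the 16-byte target address."""
    opt = packet[40 + 8 + 16:]
    return opt[0], ":".join(f"{b:02x}" for b in opt[2:8])


if __name__ == "__main__":
    a, a_mac = "fe80::250:fcff:fe60:d6d6", "00:50:fc:60:d6:d6"   # constructed sample nodes
    b, b_mac = "fe80::1", "00:11:22:33:44:55"
    ns = neighbor_solicitation(a, a_mac, b)       # A asks "who has fe80::1?" on ff02::1:ff00:1
    na = neighbor_advertisement(b, b_mac, a)      # B answers unicast with its link-layer address
    print(verify(ns), link_layer_option(ns), verify(na), link_layer_option(na))
```

Both constructed messages verify; a single flipped bit in the target address or a Hop Limit other than 255 makes verify() reject the packet. The check does not, of course, tell a genuine advertisement from a forged one.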
4.4.2.4 Redirect
Redirect messages are either sent when there is a shorter way in routing
terms for sending the packet (e.g. if you have more than one routers on
a link) or when a packet’s destination is on-link without the sending host
knowing it (because it might lack the prefix in the hosts prefix list).
The Redirect process starts with the sending of a packet from host 1 to its default router R1, destined for host 2 residing on Network 2. The router processes the packet and finds out that the originating host's address and the next-hop address (R2) are on the same link. Router R1 sends the originating node H1 a Redirect message with the Target Address field set to the next-hop address of the node to which the originating host should send subsequent packets addressed to this destination. Meanwhile router R1 forwards the packets already sent by host 1 to R2 in order to reach Network 2 and its destination. Upon receipt of the Redirect message host 1 updates its Destination Cache with the address in the Target Address field.
Redirect messages are only sent by the first router in the path. Hosts never send Redirect messages and routing tables are never altered upon the receipt of a Redirect message. A host only accepts a Redirect that arrives with Hop Limit 255 from the link-local address of the router it currently uses as first hop for that destination; a rogue node on the same link can still forge such a message, which is why Redirect processing is sometimes switched off on hosts.
This is the first thing to be done by a host when sending a datagram. The host looks at the destination address and decides whether direct or indirect delivery is needed, which is done using the prefix information supplied by the router or by manual configuration of the interface. If the destination is not on-link, the next hop is chosen from the device's list of routers (which is either derived by ND methods or entered manually). For efficiency, this check is not done for every packet; the result is stored in the Destination Cache for future use.
IPv6 routing entries can either be entered manually or can be added upon
the receipt of an Router Advertisement message. A routing table has to
In order to make the right forwarding decision the routing table entries
have to be searched. For each entry in the routing table the bits of the
network prefix are compared to the same bits in the destination address.
If all bits of the network prefix length for the route match all bits in the
destination IPv6 address the route is a match for the destination. The route
that has the largest prefix length matching a packet is chosen for it is the
most specific route to the destination. If multiple routes with the longest
match are found the decision is made upon the metric. For any given
destination first host routes and then network routes are searched. If both
don’t exist, the default route is used.
If the route determination process on the sending host fails to find a route,
IPv6 assumes the destination is locally reachable. If the route determina-
tion process fails on a router an ICMPv6 Destination Unreachable - No
Route to Destination message is sent to the sending host and the packet is
discarded.
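The route determination process of this section as an added example (not code from the thesis); the routing table is a constructed sample. Searching host routes, then network routes, then the default route is the same as a longest prefix match with the metric as tie-breaker, and the difference between a host and a router when nothing matches is included.

```python
import ipaddress

# (prefix, next hop or None for an on-link prefix, interface, metric); constructed sample table
ROUTING_TABLE = [
    ("::/0",               "fe80::1", "eth0", 10),   # default route from a Router Advertisement
    ("2001:db8:1::/64",    None,      "eth0", 1),    # on-link prefix: direct delivery
    ("2001:db8:2::/48",    "fe80::2", "eth0", 20),   # static route via a second router
    ("2001:db8:2:5::/64",  "fe80::3", "eth0", 20),
    ("2001:db8:2:5::/64",  "fe80::4", "eth0", 5),    # same prefix length: lower metric wins
    ("2001:db8:9::1/128",  "fe80::5", "eth0", 1),    # host route
]


def select_route(table, destination):
    """Longest prefix match, metric as tie-breaker; None when nothing matches.

    Searching host routes, then network routes, then the default route, as the text describes,
    is the same as picking the longest matching prefix: /128 beats everything, ::/0 matches last.
    """
    dst = ipaddress.IPv6Address(destination)
    matches = [(ipaddress.IPv6Network(prefix), next_hop, iface, metric)
               for prefix, next_hop, iface, metric in table
               if dst in ipaddress.IPv6Network(prefix)]
    if not matches:
        return None
    net, next_hop, iface, metric = min(matches, key=lambda r: (-r[0].prefixlen, r[3]))
    return str(net), next_hop, iface, metric


def forwarding_decision(table, destination, is_router):
    """What the node does with a packet for `destination`.

    On-link prefix: direct delivery to the destination itself (address resolution follows).
    Other match: indirect delivery to the route's next hop.
    No match: a router discards and sends ICMPv6 Destination Unreachable code 0 (no route);
    a host assumes the destination is on-link, as the text describes.
    """
    route = select_route(table, destination)
    if route is not None:
        prefix, next_hop, iface, _ = route
        return ("deliver", next_hop or destination, iface)
    if is_router:
        return ("icmpv6 destination unreachable", 0, None)
    return ("deliver", destination, None)


if __name__ == "__main__":
    for d in ("2001:db8:1::10", "2001:db8:2:5::7", "2001:db8:2:7::1", "2001:db8:9::1", "2001:db8:ffff::1"):
        print(d, "->", forwarding_decision(ROUTING_TABLE, d, is_router=False))
```

With the sample table, 2001:db8:2:5::7 goes to fe80::4 (the longer /64 wins over the /48, and the lower metric wins between the two /64 entries), 2001:db8:1::10 is delivered directly, and 2001:db8:ffff::1 falls through to the default route.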
Instead of having a static router, i.e. routes set manually, you can also use dynamically configured routes, which of course have big advantages when there are changes in the topology (which a dynamic router notices automatically).
4.5.3.1.2 Link State Via Link State Advertisements upon startup and
upon changes in the topology the network prefixes and their assigned
costs are distributed. Link state is an easy to scale low traffic method but
can be complex to set up.
4.5.3.2.1 RIPng for IPv6 RIPng for IPv6 is a protocol implementing Dis-
tance Vector. When a router is configured RIPng it sends a General Request
message on all interfaces in order to receive the routes from neighboring
routers. Routes are then periodically announced depending on whether
Split Horizon (routes are not announced on the interface where they were
learnt) or Split Horizon with poison reverse (routes are announced un-
reachable on the interface where they were learnt) is configured. See RFC
2080.
4.5.3.2.2 OSPF for IPv6 OSPF uses Link State with possible costs like
delay, bandwidth and monetary costs possible. See RFC 2740 for more
information.
4.5.3.2.4 BGP-4 The Border Gateway Protocol uses Path Vector and is designed to exchange information between autonomous systems. It creates a logical path tree which describes all connections. For more information read RFC 1771, 2545 and 2858.
With IPv6 name resolution becomes even more important than with IPv4, for it is unreasonable to expect any end user to remember an IPv6 address. The structure of the DNS entries has not really changed except for the type of DNS record used (type 28). AAAA records, also called “quad-A” records, are comparable to the A records used for IPv4 name resolution. (They are called AAAA because the address is four times as long as an A record.) In order to provide reverse queries the usual pointer record is used; the only thing that changed is the representation of the name (reversed nibbles instead of decimal numbers). For reverse lookup the domain “.ip6.arpa.” is used (“.ip6.int.” is outdated).
IPv6 address: 4321:0:1:2:3:4:567:89ab
reverse lookup domain name:
b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.ip6.arpa.
In order to resolve a name, usually the local hosts file is queried first. This file can include hostnames to be resolved locally rather than by DNS. If there is no entry in the hosts file for a specific name, DNS is queried. Please note that NetBIOS (Network Basic Input Output System) name resolution is not available over IPv6.
A DNS query may return several addresses for a hostname. These can
be IPv4 and IPv6 addresses and because a host may have several IPv6
addresses (site-local, global, coexistence, ..) address selection is not an
easy task here. See RFC 3484 for details on this subject.
To change the protocol of a network is always a big task, but there are several techniques to make it less troublesome. The easiest, and in fact the only method that really can be used today, is the coexistence of both protocols on a node, so that it responds to both.
A Dual-IP-Layer includes an IPv4 and an IPv6 layer implementation and
share one implementation of the Host-to-Host layer protocols such as TCP
and UDP. A dual stack infrastructure as well has IPv4 and IPv6 network-
layers but each having their own Host-to-Host protocol layers. Both tech-
niques provide IPv4 and IPv6 connectivity to a host.
With using IPv6 over IPv4 tunneling IPv6 packets are encapsulated in an
IPv4 header and sent over the IPv4 infrastructure (tunnels can be set be-
tween two routers, between two hosts or between a router and a host).
Another thing needed in a working IPv4/IPv6 infrastructure is a DNS in-
frastructure resolving hostnames to both, IPv4 and IPv6 addresses.
Below, I will discuss several transition techniques in more detail.
4.7.1 6over4
Please note that the structure of the 6over4 address is discussed in “IPv6
Unicast addresses” part of this chapter.
6over4, also known as IPv4 multicast tunneling, is a host-to-host, router-to-router and host-to-router automatic tunneling technique for unicast and multicast connectivity which is, because it relies on IPv4 multicasting, not very widely used. It provides IPv6 connectivity across an IPv4 internet and treats the IPv4 infrastructure as a single link with multicast capabilities.
See RFC 2529 for further reading.
4.7.2 6to4
Please note that the structure of the 6to4 address is discussed in “IPv6
Unicast addresses” part of this chapter.
This technique is an address assignment and router-to-router automatic
tunneling technique providing unicast IPv6 connectivity across an IPv4
network. Its details are described in the RFC 3056 where following terms
are defined:
• 6to4 host - a host configured with an autoconfigured 6to4 address
• 6to4 router - an IPv4/IPv6 router that supports a 6to4 tunnel interface and is used to forward traffic (may need additional configuration)
• 6to4 relay router - forwards 6to4 traffic between 6to4 routers and the native IPv6 internet
Within a site, local routers advertise the 6to4 prefix so that hosts can create autoconfigured addresses and routes. All IPv6 traffic that does not match a 64-bit prefix used by the subnets within the site is forwarded to the 6to4 router on the site border. In the example picture host A can communicate with host B via router 1 using a default route. In order for host A to communicate with host C, router 1 has to encapsulate the traffic in an IPv4 header and send it over the IPv4 internet to router 2. The following kinds of communication are possible:
• 6to4 host with another 6to4 host on the same site - like communi-
cation between host A and host B; Connectivity is provided by the
routing table.
• 6to4 host with another 6to4 host across the internet - like communication between host A and host C; the data is encapsulated by the site border router 1 in an IPv4 packet and sent to the site border router 2, which in turn removes the IPv4 header and delivers the packet to host C.
• 6to4 host with IPv6 host on the internet - like communication be-
tween host A and host D; the local-site router 1 tunnels the data to
the 6to4 relay router which removes the IPv4 portion of the packet
and forwards it to the appropriate host.
Note: This technique only requires one IPv4 address to obtain global IPv6
reachability and therefore might be widely used.
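The 6to4 address construction of section 4.1.1 and the checks a 6to4 router or relay should perform before accepting a decapsulated protocol-41 packet, as an added example that is not part of the thesis. The IPv4 addresses are the documentation sample used above plus constructed ones; the bogon list is a subset of what RFC 3964 prescribes, and the comparison of the embedded IPv4 address with the outer IPv4 source address is that RFC's main check.

```python
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")
IPPROTO_IPV6 = 41                       # IPv4 protocol number of an encapsulated IPv6 packet

# Constructed subset of the IPv4 ranges that must never appear embedded in a 6to4 address
# (RFC 3964 lists the full set); the documentation ranges used in the samples are left out.
BOGON_V4 = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def sixto4_address(ipv4: str, subnet_id: int, interface_id: int) -> ipaddress.IPv6Address:
    """2002:wwxx:yyzz:SubnetID:InterfaceID"""
    packed = (b"\x20\x02" + ipaddress.IPv4Address(ipv4).packed
              + subnet_id.to_bytes(2, "big") + interface_id.to_bytes(8, "big"))
    return ipaddress.IPv6Address(packed)


def embedded_ipv4(addr: str):
    """The IPv4 address a 6to4 router tunnels to, or None for a non-6to4 address."""
    a = ipaddress.IPv6Address(addr)
    return ipaddress.IPv4Address(a.packed[2:6]) if a in SIXTO4 else None


def check_decapsulated(outer_src_v4: str, inner_src_v6: str, inner_dst_v6: str) -> str:
    """Decision on a protocol-41 packet before the inner IPv6 packet is forwarded.

    Without the first check anyone on the IPv4 Internet can inject IPv6 packets with an
    arbitrary 6to4 source address through this router or relay.
    """
    src6 = ipaddress.IPv6Address(inner_src_v6)
    if src6 in SIXTO4:
        emb = embedded_ipv4(src6)
        if emb != ipaddress.IPv4Address(outer_src_v4):
            return f"drop: embedded IPv4 {emb} does not match outer source {outer_src_v4}"
        if any(emb in net for net in BOGON_V4):
            return f"drop: embedded IPv4 {emb} is not routable on the Internet"
    elif ipaddress.IPv6Address(inner_dst_v6) not in SIXTO4:
        return "drop: neither source nor destination is a 6to4 address (open relay abuse)"
    return "accept"


if __name__ == "__main__":
    site = sixto4_address("192.0.2.128", 5, 1)             # the example site of section 4.1.1
    print(site, embedded_ipv4(str(site)))
    print(check_decapsulated("192.0.2.128", str(site), "2002:c633:6407::1"))
    print(check_decapsulated("203.0.113.9", str(site), "2002:c633:6407::1"))
```

For the example site the address comes out as 2002:c000:280:5::1; a packet carrying that inner source but arriving from the IPv4 address 203.0.113.9 is dropped, while the same packet from 192.0.2.128 is accepted.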
4.7.3 ISATAP
Please note that the structure of the ISATAP address is discussed in “IPv6
Unicast addresses” part of this chapter.
The Intra-Site Automatic Tunnel Addressing Protocol is an address as-
signment and host-to-host, router-to-router and router-to-host automatic
tunneling technology used to provide unicast IPv6 connectivity across an
IPv4 internet. ISATAP addresses are derived by autoconfiguration mech-
anisms.
When using ISATAP, communication between ISATAP nodes on the same link is possible but not with other IPv6 addresses on other subnets. To
communicate outside the logical subnet packets must be tunneled by an
ISATAP router. An ISATAP router is an IPv6 router performing the fol-
lowing:
• Forwarding packets between ISATAP hosts and hosts on other sub-
nets (IPv4 or IPv6)
• Is a default router for ISATAP hosts
• Advertises address prefixes
An ISATAP host that receives a Router Advertisement from an ISATAP
router sets its default route to this router and every packet destined to
locations outside the subnet are tunneled via the ISATAP router.
Further reading is found in RFC 4214.
4.7.4 Teredo
Please note that the structure of the Teredo address is discussed in “IPv6
Unicast addresses” part of this chapter.
4.7.5 PortProxy
Note: This only works for applications that do not embed address or port
information inside the upper-layer PDU. PortProxy has no capabilites of
changing embedded information.
Bibliography
BIBLIOGRAPHY 134
us/wcetcpip/html/cmconipv6addressautoconfiguration.asp (2006-
01-11)
[9] Droms, Bound, Volz, Lemon, Perkins, Carney: RFC 3315 - Dynamic Host Configuration Protocol for IPv6 (DHCPv6) (2003). http://www.faqs.org/rfcs/rfc3315.html (2006-01-14)
[10] Wikipedia: IPv6 (2006). http://en.wikipedia.org/wiki/Ipv6 (2006-01-12)
[11] The TCP/IP GUIDE: IPv6 Datagram Extension Headers (2005). http://www.tcpipguide.com/free/t_IPv6DatagramExtensionHeaders-2.htm (2006-01-12)
[12] Deering, Fenner, Haberman: RFC 2710 - Multicast Listener Discovery (MLD) for IPv6 (1999). http://www.faqs.org/rfcs/rfc2710.html (2006-01-12)
[13] Narten, Nordmark, Simpson: RFC 2461 - Neighbor Discovery for IP Version 6 (IPv6) (1998). http://www.faqs.org/rfcs/rfc2461.html (2006-01-12)
[14] The TCP/IP GUIDE: IPv6 ND Redirect Function (2005). http://www.tcpipguide.com/free/t_IPv6NDRedirectFunction.htm (2006-01-13)
[15] Windows Server 2003: IPv6 Transition Technologies (2003). http://www.microsoft.com/windowsserver2003/techinfo/overview/ipv6coexist.mspx (2006-01-13)
Chapter 5
Migration to IPv6
Now it’s time to start doing what the title of this thesis promises: migrat-
ing the network to IPv6. This section will cover everything from initial
considerations, the deployment of IPv6 and the migration of the services
used. I want to give a detailed plan for those interested what is to be done
and describe the problems I experienced and the measures to be taken.
Before doing anything else I had to install the IPv6 stack on each computer
in my network. Because not all services used in a network have an IPv6
enabled version, as you will see in this chapter, it is nowadays usual to
configure your PC dual-stack in order to have IPv4 and IPv6 connectivity.
While I was configuring the network for the next generation of network
protocols I requested an IPv6 address for reaching IPv6-only services in
the internet as well. I decided to request a tunnel from SixXS, reachable
at www.sixxs.net. SixXS is an IPv6 Deployment and Tunnel Broker dis-
tributing IPv6 tunnels first, and after your tunnel has been up for a certain
time you have earned enough credits to request your own subnet. The uptime acquired is usually about one week.
at SixXS you have to fill out a form describing why you think you need
an address and what you want to do with it. They want to receive very
CHAPTER 5. MIGRATION TO IPV6 136
First I want to talk about the migration of Debian Linux PCs to IPv6. Kernel 2.4.x upwards is what is recommended for use with IPv6. In the portion of the test network I administer I only used 2.4.x and 2.6.x kernels, which reduces the problems loading the module needed. The only computer with a kernel 2.2.x was the one configured as the tunnel endpoint. Since 2.2.x kernels are not up to date with IPv6, the system administrators decided to compile a new 2.6.x kernel [2]. For the installation of the tunnel software aiccu please read the section about the services of IPv6.
You can check if the module you need is already loaded by
cat /proc/net/if_inet6
You should see something like this for your interfaces of the PC:
00000000000000000000000000000001 01 80 10 80 lo
fe800000000000000250fcfffe60d6d6 02 40 20 80 eth0
Here you have a loopback entry for lo and a link-local address for eth0 (the columns are address, interface index, prefix length, scope and flags, all in hexadecimal, followed by the interface name). This is proof that your ipv6 module is loaded, but you can also check with
lsmod | grep ipv6
listing you the ipv6 module if loaded. Systems where both checks fail have
very likely not loaded the module needed. You can do this by
modprobe ipv6
or, for repeated use after startup just add it to the /etc/modules file (which
should not be necessary for 2.4.x and 2.6.x). With these simple steps you
can be sure your Linux PC is IPv6 ready. Now, let’s look at the Windows-
side-of-computing:
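Before turning to Windows, an added example (not code from the thesis) that parses the two /proc/net/if_inet6 lines shown above, reproduced inline as constructed sample input, and turns them into readable addresses with scope and flags. The column meanings (address, interface index, prefix length, scope, flags, name, all hexadecimal) and the IFA_F_* flag values are those of the Linux kernel; the link-local address in the sample is the modified EUI-64 of the MAC address 00:50:fc:60:d6:d6.

```python
import ipaddress

# Column 4 of /proc/net/if_inet6: the kernel's address scope values
SCOPE_NAMES = {0x00: "global", 0x10: "host (loopback)", 0x20: "link", 0x40: "site"}
# Column 5: IFA_F_* flags
IFA_F_TEMPORARY, IFA_F_DEPRECATED, IFA_F_TENTATIVE, IFA_F_PERMANENT = 0x01, 0x20, 0x40, 0x80

# The two lines shown above, reproduced here as constructed sample input
SAMPLE = """\
00000000000000000000000000000001 01 80 10 80 lo
fe800000000000000250fcfffe60d6d6 02 40 20 80 eth0
"""


def parse_if_inet6(text: str) -> list:
    """One dict per line: address hex (32 nibbles), ifindex, prefix length, scope, flags, name;
    all numbers in the file are hexadecimal."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        addr_hex, ifindex, plen, scope, flags, name = line.split()
        flags = int(flags, 16)
        entries.append({
            "interface": name,
            "ifindex": int(ifindex, 16),
            "address": f"{ipaddress.IPv6Address(bytes.fromhex(addr_hex))}/{int(plen, 16)}",
            "scope": SCOPE_NAMES.get(int(scope, 16), "unknown"),
            "permanent": bool(flags & IFA_F_PERMANENT),
            "tentative": bool(flags & IFA_F_TENTATIVE),    # DAD still running: not usable yet
            "deprecated": bool(flags & IFA_F_DEPRECATED),
            "temporary": bool(flags & IFA_F_TEMPORARY),    # privacy extension address
        })
    return entries


def ipv6_ready(entries: list) -> bool:
    """The check the text makes by eye: ::1 on lo and a usable link-local address elsewhere."""
    has_loopback = any(e["address"] == "::1/128" for e in entries)
    has_link_local = any(e["scope"] == "link" and not e["tentative"] and e["interface"] != "lo"
                         for e in entries)
    return has_loopback and has_link_local


if __name__ == "__main__":
    for e in parse_if_inet6(SAMPLE):
        print(e)
    print("IPv6 ready:", ipv6_ready(parse_if_inet6(SAMPLE)))
```

On a real system read the file instead of SAMPLE; an address whose flags still show 0x40 (tentative) is not usable until Duplicate Address Detection has finished.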
5.1.2 Windows
When searching the internet for Windows and IPv6 you will find the notes
that IPv6 is fully supported by all operating systems starting with Win-
dows 2000. As I had one Windows 2000 client, one Windows 2000 server
and two Windows XP clients I was glad I could start migrating without
any upgrades to make, or so I thought.
For both Windows 2000 Client and Server the installation of the IPv6 stack
is the same. For it is not included in the usual installation you have to
load additional files from the internet [5]. After saving the downloaded
file “tpipv6-001205.exe” on the file server I unzipped it to my local hard-
disk automatically creating a folder called “IPv6Kit”. Now you have to
open a console window and start the setup by typing “setup.exe -x” in
turn extracting another bunch of files to a subfolder it prompts you to give
a name for. I chose to call it “files” as recommended in the Microsoft de-
scription. From the folder “files” now open the textfile “”Hotfix.inf” and
modify it for your system. Depending on what Service Pack you installed
you have to change following line in the subsection called [Version]:
entry for Service Pack 1: NTServicePackVersion=256
entry for Service Pack 2: NTServicePackVersion=512
entry for Service Pack 3: NTServicePackVersion=768
entry for Service Pack 4: NTServicePackVersion=1024
After saving the modifications run "Hotfix.exe" from the "files" folder. Now, as you have probably guessed already, you have to restart your computer for the changes to take effect. The protocol stack is then installed on your computer but not yet bound to any connection.
If you also want to use the protocol you have to open the dialog for configuring your network settings (Control Panel - Network and Dial-up Connections). Open the properties of your Ethernet-based connection listed there, usually called "Local Area Connection". Another dialog opens with a button labelled "Install...", which in turn opens a window where you can choose what kind of network component to install additionally. In this list you will find the entry "Network Protocol", and after clicking it you can finally choose to install the "Microsoft IPv6 Protocol". Now the IPv6 driver "tcpip6.sys" is installed to %SYSTEMROOT%\system32\drivers, and the other files, such as the Winsock helper "wship6.dll" and the additional applications "ipv6.exe", "ping6.exe" and so on, are installed to %SYSTEMROOT%\system32. You should now have an entry "Microsoft IPv6 Protocol" in the properties of your "Local Area Connection".
By default, each interface automatically gets a link-local address. For a quick verification simply use the console-based command
ipv6 if
which lists your IPv6 interfaces and their automatically assigned addresses. In the output produced by this command you should see several interfaces labelled "Loopback Pseudo-Interface", "Tunnel Pseudo-Interface", "6-over-4 Virtual Interface" and "Local Area Connection". The first interface is for loopback only; the second is used for configured tunnelling, automatic tunnelling and 6to4 tunnelling. "6-over-4" [6] is an automatic tunnelling technology that treats an IPv4 multicast-capable network as a virtual link; it is not the same as 6to4, in which 6to4 routers encapsulate IPv6 traffic in an IPv4 header to connect IPv6 sites and hosts across the IPv4 Internet (both were introduced in the last chapter). The last interface in the list is the most interesting one, because the "Local Area Connection" is the one we are going to configure later on. Please note that the order of the interfaces and their numbering can vary.
You can see that your lo interface is configured with the IP address ::1, the IPv6 equivalent of 127.0.0.1. Then the "real" interfaces are listed. In this case there is only one, eth0, with two IPv6 addresses. The first one, fec0::1:250:fcff:fe60:d6d6, has scope site and the second one, fe80::250:fcff:fe60:d6d6, has scope link. This refers to the different kinds of addresses described in the last chapter. Each IPv6-enabled interface can have several kinds of addresses; a link-local address is assigned automatically and its interface identifier is derived from the MAC address (the 48-bit MAC with ff:fe inserted in the middle and the universal/local bit flipped, the so-called modified EUI-64), so it is unique on the link and gives basic connectivity without any configuration. The link-local address eases the configuration of PCs freshly added to the network and serves only link-level communication, such as "anyone else here on this link?" and "is there a special device, like a router?". A packet with a link-local destination address will not be forwarded by a router. If you don't have the second kind of address, the site-local address, in your initial configuration: don't panic! It is comparable to the private address space we know from IPv4 and can be assigned if needed (see my radvd configuration below). There was a discussion about deprecating this kind of address, and RFC 3879 has since done so (unique local addresses, RFC 4193, take their place); for a test network they are still handy, and you can assign an additional global address anyway. In this example no global address has been assigned.
For testing simple connectivity you need nothing more than two PCs with the IPv6 module enabled. The first thing to try is to display the IPv6 neighbours that have been learned.
marge: # ip -6 neigh show
fe80::250:4ff:fe68:ce8 dev eth0 lladdr 00:50:04:68:0c:e8 router nud stale
One PC was found on device eth0 with address fe80::250:4ff:fe68:ce8 (bart.sylvia.test), link-layer address 00:50:04:68:0c:e8, and it is a router on this subnet. The ip neighbour command displays the bindings between protocol addresses and link-layer addresses stored in the neighbour cache, the IPv6 counterpart of the IPv4 ARP table. "nud" is an abbreviation for Neighbour Unreachability Detection and tells you the state of the neighbour entry; "stale" means "valid but suspicious", i.e. the entry has not been confirmed recently and will be re-verified the next time it is used (read the ip man page for the other states, such as reachable, delay, probe and failed). Other commands that might be useful in this context are ip neighbour [ add | delete | flush ] to add or delete an entry or to flush all entries.
If you got output from the command above, you can be sure you have some connectivity to at least one other host on this network. If not, either the other PC on the network has not been configured correctly or something is wrong on your local machine. A good first test is to ping yourself with
ping6 ::1
to see whether the protocol works at all. Please note that on Linux there is a separate command, "ping6", for pinging IPv6 addresses. Now we can move on to pinging another host's link-local address.
marge: # ping6 fe80::250:4ff:fe68:ce8 -I eth0
PING fe80::250:4ff:fe68:ce8(fe80::250:4ff:fe68:ce8) from fe80::200:21ff:fe00:5b8e eth0: 56 data bytes
64 bytes from fe80::250:4ff:fe68:ce8: icmp_seq=1 ttl=64 time=0.250 ms
...
64 bytes from fe80::250:4ff:fe68:ce8: icmp_seq=8 ttl=64 time=0.173 ms
--- fe80::250:4ff:fe68:ce8 ping statistics ---
8 packets transmitted, 8 received, 0% packet loss
rtt min/avg/max/mdev = 0.166/0.180/0.250/0.028 ms
pings the specified link-local address. The option "-I" is needed when pinging IPv6 link-local addresses and specifies the interface to use, because a link-local address is only meaningful on a particular link and the same address may exist on every interface. Note: forgetting this option produces the error "connect: Invalid argument". If you use the "ping" command rather than "ping6" you will get the error message "ping: unknown host fe80::250:4ff:fe68:ce8".
Note: if you ever wondered which options are responsible for the autoconfiguration behaviour of IPv6:
cat /proc/sys/net/ipv6/conf/eth0/accept_ra
Set to "1", this option allows the PC to accept Router Advertisements.
cat /proc/sys/net/ipv6/conf/eth0/autoconf
Set to "1", this option tells the PC to form addresses from the prefixes announced in Router Advertisements (the link-local address is formed regardless). Keep in mind that with accept_ra enabled the host trusts any Router Advertisement it receives on the link, so a rogue or misconfigured router can make itself the default gateway; on servers and routers with static configuration set accept_ra to "0".
not reachable". The message indicating the wrong command for pinging (if you use ping instead of ping6 on Windows XP SP1 and older) is "Unknown host fe80::250:4ff:fe68:ce8%4." (the "%4" is the zone index Windows appends to link-local addresses to identify the interface).
Firewall: because of the IPv6 firewall you can experience connectivity troubles in the beginning. For the sake of simplicity I disabled it in my lab. I found two commands on the Internet to do so for Windows XP SP2 and higher/2003 (I only used the first command):
netsh interface ipv6 set interface interface=LAN-Verbindung firewall=disabled
netsh firewall set adapter LAN-Verbindung filter=disabled
Remember that once a host has a global address it is directly reachable from the IPv6 Internet through the tunnel, with no NAT in between, so the firewall should be re-enabled as soon as basic connectivity has been verified.
Privacy: when IPv6 was introduced people complained about how easy it makes tracking hosts. Because an interface identifier derived from the MAC address never changes, a strategically placed sniffer could easily find out things like how long an employee was active that day, or follow a user across networks for marketing purposes. To counter this, RFC 3041 defines privacy extensions: temporary global addresses whose interface identifier is pseudo-randomly generated (seeded from the EUI-64 identifier) instead of being derived from the MAC address. These addresses are valid for a few hours to a few days and are meant to protect your privacy. Although this sounds interesting, I recommend disabling privacy addresses on Windows PCs to ease the first steps with IPv6, since a host otherwise shows up with changing addresses in logs and neighbour tables. [11] [12]
For being reachable globally we need some global IPv6 addresses, as you might have guessed. There are several ISPs selling IPv6 addresses and address ranges, but not at prices a poor student can afford. So I decided to look for free IPv6 addresses and found the IPv6 tunnel broker www.sixxs.net. SixXS (Six Access) is not a company but a privately run project of only three people. Their main task is to maintain the PoPs provided by several ISPs. As an end user you can request a tunnel at SixXS, allowing you to test IPv6 in a professional manner. With an existing RIPE, APNIC, ARIN, LACNIC or AFRINIC handle you can sign up at SixXS and request a tunnel to one of the PoPs. Usually the PoP is chosen for you for connectivity reasons. If you don't have a handle yet you can get one at e.g. RIPE [13]. (SixXS has since shut down, in June 2017; the tunnel mechanics described here apply to other tunnel brokers as well.)
For requesting a tunnel you need to provide the IPv4 address of your tunnel endpoint and a reason why you think you should join the IPv6 community. If you don't have a static IPv4 address you can also try out IPv6 with the help of the SixXS heartbeat client. It sends packets to the PoP to activate the tunnel with the current dynamic IPv4 address. If there is no heartbeat for 300 seconds the tunnel is disabled, and it is automatically re-enabled when the heartbeat resumes. Any reconfiguration needed because the address has changed is thereby done automatically [14].
and if this worked you can ping any IPv6-enabled address on the whole Internet. An all-time classic is KAME's homepage at www.kame.net.
You can also run AICCU on other operating systems like Windows, Mac OS, etc. There is even a GUI for configuring Windows-based AICCU installations. Find out more about the different ways of using and configuring AICCU on their homepage [15] [16].
In a paragraph above I mentioned that we tried to avoid NAT-related troubles. There is an approach to overcome this in the Italian network with a tunnelling protocol called AYIYA (Anything In Anything), which AICCU supports and which carries the tunnel inside UDP so that it passes NAT gateways [17].
I want to make a few comments on the rules for tunnels at SixXS. SixXS has established a credit system, starting with just enough credits (25) to request a tunnel. When this tunnel has been up for one week you have earned enough credits to request another tunnel or a whole /48 subnet. For each tunnel being up for one week you earn 5 credit points. But be careful with your tunnels! If your tunnel is down for one day it costs you 5 credits, and if it is down for a whole week it costs you 50 credits and the tunnel is automatically disabled (you can enable it again in the web interface). SixXS sends you an automated email when one of your tunnels is down.
main office, the branch office and the network in between. The main office is addressed 2001:16d8:ff47:1203:2::/80 (formerly 192.168.200.0/24), the branch office 2001:16d8:ff47:1203:3::/80 (formerly 192.168.201.0/24) and the network in between 2001:16d8:ff47:1203:1::/80 (formerly 192.168.150.0/24). The host part of each address has been converted to hexadecimal. For example bart's 192.168.200.1 became 2001:16d8:ff47:1203:2::1, apu's 192.168.200.33 became 2001:16d8:ff47:1203:2::21 (33 decimal is 0x21), and so on. (Please see the new network plan for details.)
There are two ways to configure an IPv6 address manually. You can either do it with the "ip" command, which I chose to use, or with "ifconfig".
The InterfaceString is the label you see when typing "netsh interface ipv6 show address". For deleting an address use one of
netsh interface ipv6 delete address interface=<InterfaceString> address=<address>
netsh interface ipv6 delete address <InterfaceString> <address>
netsh interface ipv6 delete address LAN-Verbindung 2001:16d8:ff47:1203:2::22
Some routes will be set automatically on your system, some you will have to configure. Anything concerning routes can be done with two different commands, just like the address configuration discussed before. This time we have "ip", my all-time favourite, and "route"; "netstat" can display them as well.
ip -6 route show
netstat -nr -A inet6
To set and to delete a route you have these possibilities:
ip -6 route add <destinationNetwork> via <nexthopRouter> dev <deviceUsed>
ip -6 route add default via 2001:16d8:ff47:1203:2::1 dev eth0
ip -6 route add 2000::/3 via 2001:16d8:ff47:1203:2::1 dev eth0
ip -6 route del <dest
inationNetwork> via <nexthopRouter> dev <deviceUsed>
Traceroute is a very useful utility for checking which way a packet takes over the Internet to reach its destination. The output is a list of all hops passed until the target is reached. This works by manipulating the hop limit of the probe packets (called TTL, time to live, in IPv4). The first probe is sent with a hop limit of one, the second with two, and so on. Each router decrements the hop limit by one before forwarding; a router that would decrement it to zero discards the packet instead and sends an "ICMPv6 Time Exceeded" error (hop limit exceeded in transit) back to the sender. From the source addresses of these returned ICMP errors you can build the list needed: a table of all routers passed by the packet.
For the use of traceroute with Linux you need the package iputils installed. You can either download the sources via anonymous ftp [19] or run "apt-get install iputils-tracepath".
traceroute6 www.kame.net
For tracerouting an address with Windows you can use either
tracert www.kame.net
tracert6 www.kame.net
When using tracert and the host you are tracing is reachable via both IP versions, IPv6 is chosen over IPv4.
Hosts you can try to ping/traceroute:
www.kame.net (IPv4/IPv6)
www.ipv6.uni-muenster.de (IPv6)
www.join.uni-muenster.de (IPv4/IPv6)
In the last chapter I wrote about the basic configuration of addresses and routes on IPv6-enabled hosts; now I want to describe in more detail what had to be done in my network. Let's get our hands on the configuration. In order to have IPv6-reachable hosts on all subnets we need to configure the three routers.
The router in the network called "GesAK" is the one with the configured SixXS tunnel endpoint and therefore supplies IPv6 connectivity. All IPv6 traffic must be routed through this host to reach the tunnel. Keep that in mind when configuring the default routes on the gateway routers of our network, i.e. bart and snowball. But let's do it step by step.
On this host AICCU has been installed (please see the chapter above) and therefore you might not need to change any routing entries. Make sure there is a default route for IPv6 traffic via the tunnel endpoint (2001:16d8:ff00:7b::1) using the "sixxs" device. If you experience trouble connecting to the IPv6 net and your kernel version is not absolutely up to date (<= 2.4.17) you can add another entry targeting "2000::/3" and hope it helps. (You will see that I often preferred 2000::/3 over the term default. In most cases it is only a relic from a time when there was an older kernel on the PCs. Anyway, as long as both ways work it doesn't matter which to use.) The routes you should have by now are:
talked about routing entries number six and seven before, for they are both default routes to the IPv6 network. The one using the term "default" is added automatically by AICCU. The last three routes are multicast routes. Don't forget to ping6 some IPv6 nodes.
The first step for bart is to set its default route to our IPv6 gateway. This is done with
the IPv6 gateway before. Check whether forwarding is enabled by looking at the output of the "cat" command and set it with "echo".
(on host: 2001:16d8:ff47:1203:1::5 - GesAK)
cat /proc/sys/net/ipv6/conf/all/forwarding
echo "1" > /proc/sys/net/ipv6/conf/all/forwarding
Now you can ping6 a host residing on the internet from router bart.
The only thing you have to manually add, as seen above, is the default
route targeted at 2001:16d8:ff47:1203:1::5.
2001:16d8:ff47:1203:1::/80 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 64
2001:16d8:ff47:1203:3::/80 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 64
2000::/3 via 2001:16d8:ff47:1203:1::5 dev eth1 metric 1024 mtu 1500 advmss 1440 hoplimit 64
fe80::/64 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 64
fe80::/64 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 64
ff00::/8 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 1
ff00::/8 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 1
unreachable default dev lo proto none metric -1 error -101 hoplimit 255
cat /proc/sys/net/ipv6/conf/all/forwarding
echo "1" > /proc/sys/net/ipv6/conf/all/forwarding
Echoing "1" enables IP forwarding, "0" disables it. But still, any ping from a host behind bart won't succeed. The remaining problem: although the packets are sent to the correct destination, the replies are not forwarded back by the router 2001:16d8:ff47:1203:1::5, because it lacks the matching route; its only match for the main office prefix is the default route into the tunnel. After adding the return route for network 2001:16d8:ff47:1203:2::/80 on server 2001:16d8:ff47:1203:1::5, the ping works for all clients on the main office subnet.
(host: 2001:16d8:ff47:1203:1::5 - GesAK)
ip -6 route add 2001:16d8:ff47:1203:2::/80 via 2001:16d8:ff47:1203:1::6 dev eth0
Note: don't forget to set the client's default route to the router of the subnet (i.e. bart) before testing connectivity.
Automatically configuring hosts that have just been brought up is one big reason to use IPv6 over IPv4. Instead of manually configuring the IP address and routes on each host new to your network, you can now let them configure themselves. The only host the administrator still has to configure is the router, which runs a program answering autoconfiguration requests. Radvd, the Router ADvertisement Daemon, is such a program; it runs on BSD and Linux, listens for Router Solicitations (RS) and sends Router Advertisements (RA). When a new host comes up it sends a multicast Router Solicitation and, when there is a correctly configured router running radvd on the subnet, receives a Router Advertisement. Besides answering solicitations, radvd also sends unsolicited advertisements periodically. The information sent includes address prefixes, the MTU of the link and details about the default routers.
I installed radvd with "apt-get install radvd". A verbose and a very simple radvd.conf example file come with the installation. I chose to copy the simple one to my /etc:
cp /usr/share/doc/radvd/examples/simple-radvd.conf /etc/radvd.conf
If you want to force e.g. a Windows XP PC to renew its settings obtained
by router advertisements you can do this with:
interface eth0
{
AdvSendAdvert on;
prefix 2001:16d8:ff47:1203:2::/80
{
AdvOnLink on;
AdvAutonomous on;
};
};
The first option in the eth0 part, "AdvSendAdvert on;", in fact turns on radvd for this interface; it specifies whether it should periodically send router advertisements and listen for router solicitations. It no longer needs to be the first option written in radvd.conf, but it needs to be set to on (default: off). The line "prefix 2001:16d8:ff47:1203:2::/80" defines the prefix to distribute. Options to this prefix are AdvOnLink and AdvAutonomous, both set to "on". AdvOnLink on tells the receiving host that packets to addresses with the distributed prefix can be sent directly on the interface the router advertisement was received on (default: on). AdvAutonomous on means that the distributed prefix can be used to automatically configure an IPv6 address composed of the prefix and an interface identifier derived from the MAC address (default: on). In this context let's take a closer look at the prefix, which here is subnetted with 80 bits. The interface identifier that stateless autoconfiguration appends is not the raw 48-bit Ethernet MAC but the 64-bit modified EUI-64 derived from it (the MAC with ff:fe inserted in the middle and the universal/local bit flipped, as in fe80::250:fcff:fe60:d6d6 above). A prefix used for autoconfiguration must therefore be a /64; an /80 prefix with AdvAutonomous on is advertised but ignored by the hosts for address formation.
Note: it is vital that the prefix length plus the interface identifier length sums to 128. Otherwise the prefix is ignored and no address is set. [24]
Example of an automatically configured address [21]:
Note: Radvd will not start unless IP forwarding is enabled (or if debug-
ging is enabled) [25].
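The host side of what radvd triggers, as an added example that is not part of the thesis or of radvd: parse a Router Advertisement carrying a Prefix Information option, derive the modified EUI-64 identifier from the MAC, and form an address only when the RFC 4862 length check passes. The MAC addresses and prefixes are the ones used in this chapter, the lifetimes are those from the radvd.conf above; the advertisement bytes are constructed here with the ICMPv6 checksum left at zero, since the kernel fills it in from the pseudo-header when it actually sends.

```python
"""Router Advertisement parsing and stateless address autoconfiguration (RFC 4861/4862)."""
import struct
import ipaddress

ND_ROUTER_ADVERT = 134      # ICMPv6 type
OPT_PREFIX_INFO = 3         # ND option type


def eui64_interface_id(mac):
    """Modified EUI-64: split the 48-bit MAC, insert ff:fe, flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def link_local_address(mac):
    """fe80::/64 plus the EUI-64 identifier: the address every interface forms on its own."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + eui64_interface_id(mac))


def build_prefix_option(prefix, on_link=True, autonomous=True, valid=700, preferred=500):
    """Prefix Information option (RFC 4861 4.6.2): type, len=4 (units of 8 octets),
    prefix length, L/A flags, valid and preferred lifetimes, reserved, 128-bit prefix."""
    net = ipaddress.IPv6Network(prefix)
    flags = (0x80 if on_link else 0) | (0x40 if autonomous else 0)
    return struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen, flags,
                       valid, preferred, 0, net.network_address.packed)


def build_ra(managed=False, other=False, router_lifetime=1800, options=b""):
    """RA header (RFC 4861 4.2): type, code, checksum (0 here), cur hop limit, M/O flags,
    router lifetime, reachable time, retrans timer, followed by options."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    return struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags,
                       router_lifetime, 0, 0) + options


def parse_ra(payload):
    """Parse an RA body into flags and prefix options; malformed options reject the whole RA."""
    if len(payload) < 16 or payload[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    _, _, _, _, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", payload[:16])
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "prefixes": []}
    pos = 16
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated option header")
        otype, olen = payload[pos], payload[pos + 1]
        if olen == 0 or pos + olen * 8 > len(payload):
            raise ValueError("bad option length")      # RFC 4861 6.1.2: discard the RA
        body = payload[pos:pos + olen * 8]
        if otype == OPT_PREFIX_INFO and olen == 4:
            _, _, plen, pflags, valid, preferred, _, prefix = struct.unpack("!BBBBIII16s", body)
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Network((prefix, plen), strict=False),
                "on_link": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                "valid": valid, "preferred": preferred})
        pos += olen * 8
    return ra


def slaac_addresses(ra, mac):
    """Addresses a host forms from an RA (RFC 4862 5.5.3): only autonomous prefixes with a
    non-zero valid lifetime, and only when prefix length + 64-bit identifier == 128."""
    iid = eui64_interface_id(mac)
    formed = []
    for p in ra["prefixes"]:
        net = p["prefix"]
        if not p["autonomous"] or p["valid"] == 0 or net.network_address.is_link_local:
            continue
        if net.prefixlen + len(iid) * 8 != 128:
            continue                                    # the /80 case: prefix ignored
        formed.append(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))
    return formed


if __name__ == "__main__":
    mac = "00:50:fc:60:d6:d6"                           # eth0 MAC behind the if_inet6 listing
    print("link-local:", link_local_address(mac))
    ra = parse_ra(build_ra(options=build_prefix_option("2001:16d8:ff47:1203:2::/80")))
    print("/80 with AdvAutonomous on ->", slaac_addresses(ra, mac) or "no address formed")
    ra = parse_ra(build_ra(managed=True, options=build_prefix_option(
        "2001:16d8:ff47:1203:2::/80", autonomous=False)))
    print("M flag", ra["managed"], "AdvAutonomous off ->", slaac_addresses(ra, mac) or "use DHCPv6")
    ra = parse_ra(build_ra(options=build_prefix_option("2001:16d8:ff47:1203::/64")))
    print("/64 with AdvAutonomous on ->", slaac_addresses(ra, mac))
```

The second advertisement mirrors the author's own radvd.conf further down (M flag set, AdvAutonomous off): the host learns the prefix is on-link but gets its address from DHCPv6.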
My own /etc/radvd.conf looks a little different, because I did not want the hosts to autoconfigure global addresses from the prefix, since I wanted to use DHCP:
interface eth0
{
AdvSendAdvert on;
MaxRtrAdvInterval 100;
MinRtrAdvInterval 35;
AdvManagedFlag on;
prefix 2001:16d8:ff47:1203:2::/80
{
AdvPreferredLifetime 500;
AdvValidLifetime 700;
AdvAutonomous off;
};
# for site local addresses, added by me!
prefix fec0:0:0:1::/80
{
};
};
Now take a look at my server configuration, because it is prepared for use with relays. To distribute addresses to 2001:16d8:ff47:1203:3::/80 as well while running only one dibbler server, you need to relay the DHCP packets. Therefore dibbler relays need to be installed on both gateways, bart and snowball, but let's discuss that later on. (See the figure at the end of the chapter for clarity.)
log-level 7
log-mode short
iface relay1
{
relay eth0
interface-id 1007
}
iface relay2
{
relay relay1
interface-id 3001
T1 500
T2 700
prefered-lifetime 600
valid-lifetime 800
class
{
pool 2001:16d8:ff47:1203:3::/80
}
}
iface eth0
{
T1 500
T2 700
prefered-lifetime 600
valid-lifetime 800
class
{
pool 2001:16d8:ff47:1203:2::/80
}
}
Let's begin with the part of the configuration we already discussed, "iface eth0". There are several new options used here. "T1" is the time after which the client is instructed to renew its address (RENEW); "T2" the time after which the client should send a REBIND to any available server if the renewal has not succeeded. Preferred and valid lifetime are self-explanatory, so I move on to the options section below the class part. With the options you can specify which other information shall be distributed besides the IP address. In this case I supply the DNS server address, the domain name and the NTP server address.
Now for the part of the configuration concerning the relays. The important thing is to start thinking from the portion of the network the client resides in, which is 2001:16d8:ff47:1203:3::/80. The client multicasts its DHCP request, which reaches snowball, the gateway and DHCP relay at its site. The relay encapsulates the client's message in a RELAY_FORW message and sends it to the next "hop". It is vital for the server to know where the relayed message was originally received; therefore the relay's "interface-id" is sent together with the encapsulated message, along with the relay's address on the client's link and the client's (link-local) source address. At the next "hop", bart in my case, the message is encapsulated again, the hop count is incremented and bart's "interface-id" is added. Then the message is sent to the server. Replies from the server travel the same chain in reverse as RELAY_REPL messages, each relay stripping its own layer.
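The two-relay chain just described, as an added example that is not code from the thesis or from dibbler: a SOLICIT from a branch-office client is wrapped by snowball, wrapped again by bart, and unwrapped by the server, which afterwards knows the interface-id of the link the client sits on. Message types, option codes and layouts are those of RFC 3315. The interface-ids 3001 and 1007, the client DUID and link-local address, snowball's branch-office address and bart's address on the network in between are taken from this chapter; snowball's address on the network in between is assumed, and so is the 4-byte big-endian encoding of dibbler's numeric interface-id, which the page does not show.

```python
"""DHCPv6 relay encapsulation (RFC 3315): client -> snowball -> bart -> server."""
import struct
import ipaddress

SOLICIT, RELAY_FORW, RELAY_REPL = 1, 12, 13
OPT_CLIENTID, OPT_RELAY_MSG, OPT_INTERFACE_ID = 1, 9, 18
HOP_COUNT_LIMIT = 32                      # RFC 3315 section 5.5


def option(code, data):
    """option-code, option-len, option-data (RFC 3315 section 22.1)."""
    return struct.pack("!HH", code, len(data)) + data


def parse_options(buf):
    opts = []
    while buf:
        if len(buf) < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", buf[:4])
        if len(buf) < 4 + length:
            raise ValueError("option %d overruns the message" % code)
        opts.append((code, buf[4:4 + length]))
        buf = buf[4 + length:]
    return opts


def client_message(msg_type, xid, options):
    """msg-type (1 byte), 24-bit transaction-id, options."""
    return bytes([msg_type]) + xid.to_bytes(3, "big") + options


def relay_forward(inner, link_address, peer_address, interface_id):
    """Wrap a message as a relay agent does (RFC 3315 section 20.1): hop-count is 0 for a
    client message and received+1 for an already relayed one; link-address is the relay's
    address on the link the message arrived on; peer-address is the sender's address."""
    hop_count = 0
    if inner[0] == RELAY_FORW:
        if inner[1] >= HOP_COUNT_LIMIT:
            raise ValueError("hop count limit reached; the relay must discard the message")
        hop_count = inner[1] + 1
    header = struct.pack("!BB", RELAY_FORW, hop_count)
    header += ipaddress.IPv6Address(link_address).packed
    header += ipaddress.IPv6Address(peer_address).packed
    # Assumption: dibbler's numeric interface-id on the wire as a 4-byte big-endian integer.
    return header + option(OPT_INTERFACE_ID, interface_id.to_bytes(4, "big")) \
                  + option(OPT_RELAY_MSG, inner)


def unwrap(msg):
    """Server side: peel the relay layers, outermost first. Returns
    (hops, msg_type, xid, client_options); each hop records where the relay received the
    message, which is what the server matches against its "iface relayN" sections."""
    hops = []
    while msg and msg[0] in (RELAY_FORW, RELAY_REPL):
        if len(msg) < 34:
            raise ValueError("truncated relay header")
        opts = parse_options(msg[34:])
        relayed = [data for code, data in opts if code == OPT_RELAY_MSG]
        if len(relayed) != 1:
            raise ValueError("a relay message must carry exactly one OPTION_RELAY_MSG")
        ifid = [data for code, data in opts if code == OPT_INTERFACE_ID]
        hops.append({
            "hop_count": msg[1],
            "link": ipaddress.IPv6Address(msg[2:18]),
            "peer": ipaddress.IPv6Address(msg[18:34]),
            "interface_id": int.from_bytes(ifid[0], "big") if ifid else None,
        })
        msg = relayed[0]
    if len(msg) < 4:
        raise ValueError("truncated client message")
    return hops, msg[0], int.from_bytes(msg[1:4], "big"), parse_options(msg[4:])


def decode_duid_llt(duid):
    """DUID type 1 (link-layer address plus time), the format of the DUID in the
    server.conf example: type, hardware type, time, link-layer address."""
    duid_type, hw_type, when = struct.unpack("!HHI", duid[:8])
    if duid_type != 1:
        raise ValueError("not a DUID-LLT")
    return {"hw_type": hw_type, "time": when,
            "lladdr": ":".join("%02x" % b for b in duid[8:])}


# Values from the page, plus one assumed address.
CLIENT_DUID = bytes.fromhex("000100064306ed0900609711d5f0")
CLIENT_LINK_LOCAL = "fe80::2e0:7dff:fe01:15a2"
SNOWBALL_BRANCH = "2001:16d8:ff47:1203:3::1"      # snowball on the branch-office link
SNOWBALL_MIDDLE = "2001:16d8:ff47:1203:1::7"      # assumed; not given on the page
BART_MIDDLE = "2001:16d8:ff47:1203:1::6"          # bart on the network in between


def build_relayed_solicit():
    """Constructed exchange: the SOLICIT as it arrives at the dibbler server."""
    solicit = client_message(SOLICIT, 0xabcdef, option(OPT_CLIENTID, CLIENT_DUID))
    via_snowball = relay_forward(solicit, SNOWBALL_BRANCH, CLIENT_LINK_LOCAL, 3001)
    return relay_forward(via_snowball, BART_MIDDLE, SNOWBALL_MIDDLE, 1007)


if __name__ == "__main__":
    hops, msg_type, xid, opts = unwrap(build_relayed_solicit())
    for hop in hops:
        print("hop %(hop_count)d: interface-id %(interface_id)s link %(link)s peer %(peer)s" % hop)
    print("client msg type", msg_type, "xid %06x" % xid, decode_duid_llt(dict(opts)[OPT_CLIENTID]))
```

The server sees the outer layer first (bart, interface-id 1007, hop count 1) and the inner one second (snowball, interface-id 3001, hop count 0, peer = the client's link-local address), which is exactly the "relay2 via relay1" nesting in the server.conf above.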
iface relay1
{
relay eth0
interface-id 1007
}
The snippet of the config file above tells the server that it can reach the relay "relay1" on the physical interface eth0 ("relay eth0") and that its interface-id is 1007. The part for relay2 starts again with the information on how to reach relay2, namely via relay1 ("relay relay1"), which is in fact the core of the relay configuration. The only additional thing you must not forget is the class part configuring the address pool that should be used at
After we made it this far, the configuration of the relays is pretty easy. Let's start with bart's /etc/dibbler/client.conf file.
log-level 8
log-mode short
#connected network: 2001:16d8:ff47:1203:2::/80
iface eth0
{
server multicast yes
}
"server multicast yes" makes eth0 send the DHCP messages that have been forwarded to the server to the All_DHCP_Relay_Agents_and_Servers multicast address (remember that all DHCP messages a client sends during the negotiation of an address go to that multicast address). On eth1, on the other hand, bart only listens for packets from clients and relays addressed to 2001:16d8:ff47:1203:1::6. The "interface-id", as discussed, is an identifier for a particular interface and has to be unique (you might think of it as a kind of "Ethernet segment identifier").
And at last the configuration of snowball is still left:
log-level 8
log-mode short
#connected network: 2001:16d8:ff47:1203:1::/80
iface eth0
{
server unicast 2001:16d8:ff47:1203:1::6
}
Configuring a client
Now that we have configured the server and the relays we need to think about the clients as well. The easiest way to configure a client is not to configure it: if you don't want any special configuration apart from an address from the pool specified on the server for each interface of a dibbler-running client, you can leave the configuration file empty. On the other hand, if you want to receive DNS and NTP server details from the dibbler server, that has to be set in client.conf. You can also request a specific address if you want a client to always get the same one. A (Windows) client configuration file would look like this (there is no difference between Windows and Linux config files except for the term used for the interface: "Local Area Connection" ("LAN-Verbindung") on Windows, eth0 (no quotes needed) on Linux):
log-mode short
log-level 7
iface "LAN-Verbindung"
{
option dns-server
option domain
option ntp-server
ia
{
address
{
2001:16d8:ff47:1203:3::11
}
}
}
If you want to set some options in your client.conf but don't care which address your host gets, clear the "ia {...}" part and replace it with "ia". "ia" stands for Identity Association and is a logical unit representing the address(es) used for some purpose. The full form is "ia <number>", where number defaults to 1 and gives the number of IAs that should be requested (i.e. setting "ia 2" makes you receive 2 addresses; see the manual for details).
One thing that came to my mind when configuring my dibbler clients was how unhandy it is to go to each client in a network and configure it locally, because you can't always access every client in a big network. I wrote to Tomasz Mrugalski, one of the two developers of dibbler, and he had an idea how to define a specific client's address server-side. A snippet from a server.conf he sent me:
class {
accept-only fe80::2e0:7dff:fe01:15a2
pool 2000::1
}
class {
accept-only 0x000100064306ed0900609711d5f0
pool 2000::2
}
class {
pool 2000::3-2000::ff
}
This configuration allows only the host with link-local address fe80::2e0:7dff:fe01:15a2 to get an address from the "pool" 2000::1/128, and the host with DUID 0x000100064306ed0900609711d5f0 to get the address 2000::2. All other hosts receive addresses from the pool specified in the last class section. This way address assignments can be changed on the server only. Of the two keys the DUID is the more robust one: a DUID-LLT like this is generated once by the client and stored, whereas the link-local address changes with the network card.
I'd recommend running dibbler-client, after testing its configuration ("Client run in console"), as a service in order to start it automatically. Don't forget to start the client manually the first time after having installed it as a service.
Troubleshooting: for troubleshooting dibbler I would recommend, of course, reading the log file (on Windows systems located directly in the directory dibbler is installed in), and my all-time-favourite tool: ethereal (now called Wireshark). To see which port it is listening on I used "netstat -lnptu", which shows the process behind each port, because nmap only provided TCP scans for IPv6 at the time. (There is a patch for nmap doing IPv6 UDP scans at http://nmap6.sourceforge.net - see the nmap section below.)
SUSE: when installing dibbler-client on SUSE the client could not be started until I manually created a directory /var/lib/dibbler and ran "chmod 777 /var/lib/dibbler" (I know this is not beautiful, but it works). A world-writable directory lets any local user tamper with the state dibbler keeps there, so the cleaner fix is to create the directory owned by the user the client runs as, with mode 0750.
Note: I chose not to configure my dibbler relays by a dibbler client but rather use static IP addressing. The main reason was that I experienced trouble bringing all of the services up in the right order after weather-related power failures.
Since I am using BIND9 I do not have to install any other software or patch, because it supports IPv6 natively (BIND9 is the first version fully supporting IPv6; use a version newer than 9.1.3, because several security problems have been patched since). If you are familiar with the use of IPv4 DNS records you won't experience any trouble here, because the only thing that changes is the type of record used. For IPv4 you use the resource record "A", for IPv6 it is "AAAA", spoken "quad-A". Reverse lookups are likewise stored in "PTR" (pointer) resource records, but the owner name is represented differently.
For reverse lookups a special domain rooted at "IP6.ARPA." is defined, providing the mapping of IPv6 addresses to host names. An address is represented as a sequence of dot-separated hexadecimal nibbles in reverse order, all 32 of them, including the zeros that "::" hides in the usual notation. Example reverse lookup domain name for the address
2001:16d8:ff47:1203:3::1
1.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.2.1.7.4.f.f.8.d.6.1.1.0.0.2.IP6.ARPA.
In order to have IPv6 lookups you have to add IPv6 entries to your zone data and enable the server to handle IPv6 requests. You can either set both an A and an AAAA record on one host name, or create IPv6-only host names. A DNS lookup for a host name configured with both addresses returns both; which one a dual-stack client then uses is decided by its address selection policy, which normally prefers IPv6 over IPv4.
homer A 192.168.200.12
AAAA 2001:16d8:ff47:1203:2::12
flanders6 AAAA 2001:16d8:ff47:1203:2::24
After adding the AAAA records we can start dealing with reverse lookups. First of all you need to include the zone files in /etc/bind/named.conf. Since I have two different subnets, 2001:16d8:ff47:1203:2::/80 and 2001:16d8:ff47:1203:3::/80, I wrote two zone files called "db.2" and "db.3", included by these lines (a /80 sits on a nibble boundary, so each zone covers exactly 20 nibbles of the reversed address):
# /etc/bind/named.conf
zone "2.0.0.0.3.0.2.1.7.4.f.f.8.d.6.1.1.0.0.2.ip6.arpa" {
type master;
file "/etc/bind/db.2";
};
zone "3.0.0.0.3.0.2.1.7.4.f.f.8.d.6.1.1.0.0.2.ip6.arpa" {
type master;
file "/etc/bind/db.3";
};
The corresponding PTR records are defined in the zone files. See /etc/bind/db.3 for an example IPv6 reverse lookup zone file:
;
; BIND reverse data file for zone branch office
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
2005081901 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns1.sylvia.test.
1.0.0.0.0.0.0.0.0.0.0.0 IN PTR snowball.sylvia.test.
1.1.0.0.0.0.0.0.0.0.0.0 IN PTR snowball2.sylvia.test.
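The nibble arithmetic behind the zone names in named.conf and the owner names in db.3 above, as an added example that is not part of the thesis: the full ip6.arpa name of an address, the zone apex for a prefix (which must end on a nibble boundary to be delegated as a zone), and the owner names relative to that apex, generated for the branch-office hosts shown in the zone file. Addresses, prefixes and host names are the ones on the page; the record lines are constructed from them.

```python
"""IPv6 reverse DNS names (RFC 3596): ip6.arpa names, zone apexes and relative PTR owners."""
import ipaddress


def ip6_arpa_name(addr):
    """All 32 nibbles of the address, reversed and dot-separated, under ip6.arpa."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone_name(prefix):
    """Zone apex for a prefix; a prefix length that is not a multiple of 4 cannot be one zone."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("prefix length %d is not on a nibble boundary" % net.prefixlen)
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def relative_owner(addr, zone_prefix):
    """Left-hand side of the PTR record in the zone file: the host nibbles, reversed."""
    net = ipaddress.IPv6Network(zone_prefix)
    ip = ipaddress.IPv6Address(addr)
    if net.prefixlen % 4:
        raise ValueError("zone prefix must be on a nibble boundary")
    if ip not in net:
        raise ValueError("%s is not inside %s" % (addr, zone_prefix))
    host_nibbles = ip.exploded.replace(":", "")[net.prefixlen // 4:]
    return ".".join(reversed(host_nibbles))


def reverse_zone_records(zone_prefix, hosts):
    """PTR lines in the layout of db.3 above, sorted by address."""
    lines = []
    for addr in sorted(hosts, key=ipaddress.IPv6Address):
        lines.append("%s IN PTR %s" % (relative_owner(addr, zone_prefix), hosts[addr]))
    return lines


BRANCH_OFFICE = "2001:16d8:ff47:1203:3::/80"
BRANCH_HOSTS = {                     # the two hosts from the db.3 example
    "2001:16d8:ff47:1203:3::1": "snowball.sylvia.test.",
    "2001:16d8:ff47:1203:3::11": "snowball2.sylvia.test.",
}

if __name__ == "__main__":
    print("full name :", ip6_arpa_name("2001:16d8:ff47:1203:3::1"))
    print("zone apex :", reverse_zone_name(BRANCH_OFFICE))
    for line in reverse_zone_records(BRANCH_OFFICE, BRANCH_HOSTS):
        print(line)
```

Getting one nibble wrong silently moves a PTR into a non-existent name, so it pays to generate these names rather than type them; reverse_zone_name also rejects prefixes such as /70 that cannot be expressed as a single zone.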
Now you are done with the address details, but some BIND configuration is left. One thing is to tell it to listen for IPv6 requests. This is done in /etc/bind/named.conf.options (this file is included by /etc/bind/named.conf).
options {
directory "/var/cache/bind";
forwarders
{
192.168.100.2;
};
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
allow-query { internal-net; };
};
acl internal-net {
127.0.0.1;
192.168.0.0/16;
::1/128;
2001:16d8:ff47:1203::/64;
};
Here we have the rules for IPv4 and IPv6 communication. 192.168.100.2 is the Berufsförderungsinstitut Burgenland name server that is queried as forwarder, and "allow-query { internal-net; };" defines that only the subnets listed in the acl named "internal-net" are allowed to query the server. Added to the existing configuration is the very important
listen-on-v6 { any; };
directive, which makes named listen on all IPv6 addresses of the host. In this BIND version you cannot bind specific addresses here; the only options allowed are "any" and "none" (BIND 9.3 and later accept an address list). Please note that listening on a global address makes the server reachable from the IPv6 Internet through the tunnel, so the allow-query restriction is what keeps it from being an open resolver. In the acl (short for Access Control List) "internal-net" I added
::1/128;
2001:16d8:ff47:1203::/64;
in order to allow localhost and the whole test network I set up to query the name server.
After restarting BIND you can see it listening on IPv6 sockets using "netstat -lnptu | grep named". The address for the IPv6-reachable nameserver
Note: if you only get the old configuration displayed, without the added IPv6 entries, flush your DNS cache and try again. On Windows use "ipconfig /flushdns"; on the Linux PC running BIND you can do the same with "rndc flush".
Also be sure to try this from other hosts to see that the acl does not exclude hosts that should have access to the name server.
Another way of testing your DNS server is the command "host":
knoppix@1[knoppix]$ host -t aaaa homer.sylvia.test 2001:16d8:ff47:1203:2::5
Now that each PC on the network is IPv6-enabled we need services that make use of it. First let's go online and see the dancing turtle!
After re-running "make" and switching to root with "su" you can see where your files will be installed with "make -n install". If you are pleased with what is going to happen, run "make install".
Then I had to "adduser privoxy" and "addgroup privoxy". Your privoxy installation resides in /usr/local/etc/privoxy and the log file is located in /var/log/privoxy. The first step now is to modify the config file /usr/local/etc/privoxy/config:
confdir /usr/local/etc/privoxy
logdir /var/log/privoxy
# The actions file(s) to use
actionsfile standard # Internal purpose, recommended
actionsfile default # Main actions file
actionsfile user # User customizations
filterfile default.filter
logfile logfile
jarfile jarfile
# error page at untrusted sites
trust-info-url http://www.example.com/why_we_block.html
trust-info-url http://www.example.com/what_we_allow.html
debug 512 # common log format
# address and port the server is listening on
listen-address 127.0.0.1:8118
listen-address [2001:16d8:ff47:1203:2::5]:8118
buffer-limit 4096
The changes I made were the settings for the confdir, the debug level,
listen-address, all toggling options and the permit-access option.
Note that the second listen-address binds the proxy to the host's global IPv6
address, so every host that can route to it can reach the proxy port; unless
permit-access restricts clients to your own networks you are running an open
proxy. After setting the values appropriate to your system you can start
privoxy with /etc/init.d/privoxy start.
After setting the proxy settings of a firefox used in the network to
Now that we can access IPv6 sites on the internet, let's make our own HTTP
server IPv6 reachable. There are patches for Apache 1.3 to support IPv6, but
I'd recommend using >= 2.0.14 (I use 2.0.54) because it supports IPv6 natively.
Native support is always a good thing because it reduces the things you have
to do to a minimum. With Apache you now only have to add a "Listen" directive
telling it to also listen for IPv6 requests, then restart and
When I started migrating the network, or rather before I started, I was very
afraid of migrating such vital things as DNS, routing, etc. and was of the
opinion that as soon as you change the protocol to IPv6 all services will work
instantly. I was proven wrong when I tried to do file sharing with Windows.
Since I was using Windows 2000 Advanced Server for file sharing via IPv4 there
was no need for me to change the system for use with IPv6, or so I thought.
After reading nearly every entry found by Google matching the word "IPv6" I
decided to ask those who should know about it: the people from Microsoft (I
also bought the Microsoft-suggested book "Understanding IPv6" because it holds
a chapter concerning IPv6 file sharing. If you think of buying it: take my
advice and don't!). Some technician then told me that file sharing is only
supported on Windows Server 2003 and gave me a link as a starting point for my
research [35].
I got myself a new PC and installed Windows 2003 Advanced Server on it. The
hostname is wiggum.sylvia.test with IP addresses 192.168.200.19 and
2001:16d8:ff47:1203:2::13 (installing IPv6 on Windows 2003 is the same as on
Windows XP). After installing some basic services I was very eager to try IPv6
file sharing. I defined some folders to share and tried to connect to the
server from a Windows XP PC by typing \\wiggum in Windows Explorer. Because I
was getting meaningless errors I decided to switch to the command line and try
every connection with
net use * \\host\share
to get better information about the error. My error code was 59, with the
message that an unexpected network error has occurred, or error 53, "network
path not found". Then I thought to myself that, before trying and hoping that
Windows XP is able to cope with IPv6 file sharing, I had better set up another
Windows 2003 Advanced Server. This time I used the former homer.sylvia.test,
because Windows 2000 only supports IPv6 to the extent of pinging and
tracerouting. (Before I cleared the hard disk I copied the data stored for
Active Directory; read the Active Directory section below.)
The new Windows 2003 server had the hostname flanders.sylvia.test and IP
addresses 192.168.200.36 and 2001:16d8:ff47:1203:2::24.
Before trying to connect to the network share be sure to have the IPv6
firewall disabled and IPv6 file sharing enabled. (Switching the firewall off
altogether is the quick way in a lab; on a host that is reachable from outside
you would rather open only the file-sharing port.)
To disable the firewall simply type:
netsh interface ipv6 set interface interface="LAN-Verbindung" firewall=disabled
("LAN-Verbindung" is the German name of the local area connection; use the
name your connection has.)
To enable IPv6 file (and print) sharing go to the "Control Panel" and open
"Network Connections". In the menu "Advanced" ("Erweitert") you will find an
entry called "Advanced Settings" (or maybe it is called "advanced properties";
I am lacking an English Windows version here; in German it is called
"Erweiterte Einstellungen...").
In the advanced settings, be sure that you check everything you find
concerning IPv6 ;-) for the activated LAN connection.
Now, if you dare, type
CHAPTER 5. MIGRATION TO IPV6 182
Figure 5.9: The dialog popping up when choosing the “advanced settings”
Figure 5.10: Some packets during IPv6 file sharing; packet number 33 holds
the path opened
setting every user in my system (OK, I only have two) the permission to
read/write, I had write access to the remote folder.
Linux: Much to my surprise I had to find out that there was currently no
IPv6-capable SMB client. There is a patch available for Samba versions 2.2.3
- 2.2.5 from the year 2002, but when I asked on some newsgroups whether this
worked for anyone I got no positive responses. [36]
I guess one cannot measure the time I spent on this little problem, and like
so many times it was a combination of several problems. While I was trying to
set up file sharing in vain I also decided to look for alternatives and found
WebDAV.
The way Tim Berners-Lee initially thought of the web was as a read- and
writeable medium. As it grew it turned into a read-only medium, and this is
exactly the point where WebDAV starts. WebDAV is short for Web-based
Distributed Authoring and Versioning and refers to the IETF working group as
well as the HTTP extension it defined. It can create, change and move
documents on a remote server and can be used for authoring or for simple
storage of data. The data is accessed over HTTP on port 80, so you won't have
firewall-related problems (the flip side being that a port-based firewall
cannot tell a WebDAV upload from ordinary web traffic). It is platform
independent and most operating systems have built-in support for WebDAV.
In order to have a working WebDAV implementation you need an HTTP server. On
the Windows side of life you could use IIS on Windows Server 2003, which
should support IPv6 (I did not find proof of this on the internet, nor did I
try it myself), or simply use Apache. As you might have guessed, I used
Apache. In the mods-available folder of your /etc/apache2 directory you will
find three files concerning WebDAV called "dav.load", "dav_fs.conf" and
"dav_fs.load". The first step to enable these modules is simply to make
symbolic links from the folder /etc/apache2/mods-enabled to these three
files:
ln -s /etc/apache2/mods-available/dav* /etc/apache2/mods-enabled/
The next step is to append the following paragraph to the
/etc/apache2/apache2.conf file:
## my changes for WebDAV
DAVLockDB /tmp/DAVLock
DAVMinTimeout 600
<Location /dav>
    DAV On
    AuthType Basic
    AuthName "WebDAV Restricted"
    AuthUserFile /var/www/webdavpasswd
    # a valid user is required only for methods other than GET, HEAD and OPTIONS
    <LimitExcept GET HEAD OPTIONS>
        Require valid-user
    </LimitExcept>
</Location>
This sets up a WebDAV directory for the folder "dav" in your document root
with authentication type "Basic" and user information read from
/var/www/webdavpasswd. Look closely at what the <LimitExcept> block does:
"Require valid-user" applies only to methods other than GET, HEAD and
OPTIONS, so anybody may read files below /dav without logging in, and only
PROPFIND, PUT, DELETE, MKCOL and the other WebDAV methods ask for a user. If
reads have to be protected as well, put "Require valid-user" directly inside
<Location> instead. Two more things to keep in mind: Basic authentication
sends the password merely base64-encoded, so over plain HTTP anyone sniffing
the network can read it, and /var/www/webdavpasswd lies inside the document
root, where Apache serves it to anyone requesting /webdavpasswd unless access
to it is denied; keeping the file outside /var/www is the safer choice. A lock
database in the world-writable /tmp is also better placed in a directory only
Apache can write to.
Now you have to create a new directory called "dav" in your document root
/var/www. If you are not sure where your document root is, look at the file
/etc/apache2/sites-enabled/default. This directory has to be owned by user and
group www-data and needs suitable permissions:
chown www-data:www-data /var/www/dav
chmod 775 /var/www/dav
The next step is to create user names and passwords for the users allowed to
access the WebDAV contents, which is done with
htpasswd -c /var/www/webdavpasswd username
htpasswd /var/www/webdavpasswd otherUsername
The first line, "htpasswd -c /var/www/webdavpasswd username", creates a new
file (-c indicates the creation of a new file, so be careful not to use it
when adding further users, as it overwrites the existing file) called
/var/www/webdavpasswd (as defined in apache2.conf) storing the information on
the user called "username". The second line shows how to add an additional
user called "otherUsername". After restarting Apache your WebDAV is ready to
use.
In order to test my WebDAV I installed a Linux command-line based WebDAV
client called cadaver.
cadaver http://marge.sylvia.test/dav
prompts me for the password and opens the WebDAV folder. Use commands like
put, get, ls, less, cat, delete, copy, move and many more to perform actions
on files.
To have WebDAV functionality on Windows you have to do a little bit more. If
you want the WebDAV resource as an entry in your "My Network Places" choose
"Add Network Place" within "My Network Places". The "Add Network Place
Wizard" pops up and in the next two steps you simply supply the address of
the resource and the username-password pair and everything works fine, or so
I thought.
In my case I got the error "the folder you entered does not appear to be
valid", indicating that you are lacking
• the software update for web folders (knowledge base article KB892211)
• a DWORD called "UseBasicAuth" with value set to 1 at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters\
Another tip I found on the internet that worked for one of the PCs (running
WinXP SP2) was appending :80 to the address of the resource
(http://marge.sylvia.test:80/dav), which loads the old Windows 2000 driver
(that might be more likely to work in this context). Then, after doing all
this troubleshooting, some of my Windows computers could do WebDAV file
sharing and some didn't. As so often during the work on my thesis I decided
to use Ethereal in order to find out what really happened, and this brought
the solution for me: be sure not to use a proxy when connecting to WebDAV
(you can guess that system administrators won't like that, for they are
losing control). After these simple steps my WebDAV directory was reachable
via Windows as well.
Figure 5.11: packets sent during the login to the WebDAV server
In the picture above you see three packets during the login to a WebDAV
server from bart to marge (i.e. the WebDAV server) indicating that
authentication is required. The third packet shows which folder is opened,
and I only added the part below the grey line to show that IPv6 is used here
;-).
Note: I experienced an interesting behavior when trying to access a WebDAV
share via web browser. There was no user authentication and data could be
transferred without any restrictions.
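That behaviour follows directly from the <LimitExcept GET HEAD OPTIONS> block in the quoted configuration: a browser only issues GET, which the block exempts from "Require valid-user", while cadaver starts with PROPFIND, which is not exempt and therefore prompts. The following Python script is an added example, not code from the thesis, from Apache or from cadaver. It models that access decision for constructed HTTP requests (with an invented user table and password) under the quoted configuration and under a hardened variant, and it decodes the Basic Authorization header to show what a packet capture of such a login gives away:

```python
"""Which requests does the quoted <Location /dav> block actually protect?

Added example, not code from the thesis, Apache or cadaver.  It models the
access decision of the quoted configuration, where "Require valid-user" sits
inside <LimitExcept GET HEAD OPTIONS>, next to a hardened variant with the
Require outside the LimitExcept, and decodes the Authorization header a
client sends.  Requests, user table and password are constructed for the
example; nothing here comes from the thesis capture.
"""
import base64
import hmac

# Methods the quoted <LimitExcept> leaves without authentication.
QUOTED_LIMIT_EXCEPT = frozenset({"GET", "HEAD", "OPTIONS"})
# Hardened variant: "Require valid-user" directly inside <Location>.
HARDENED_LIMIT_EXCEPT = frozenset()

# Constructed password table standing in for /var/www/webdavpasswd.
USERS = {"username": "s3cr3t"}

# Constructed requests: a browser fetching a file, cadaver listing the
# collection, and the same listing after cadaver asked for the password.
BROWSER_GET = ("GET /dav/report.txt HTTP/1.1\r\n"
               "Host: marge.sylvia.test\r\n\r\n")
CADAVER_PROPFIND = ("PROPFIND /dav/ HTTP/1.1\r\n"
                    "Host: marge.sylvia.test\r\nDepth: 1\r\n\r\n")
CADAVER_PROPFIND_AUTH = ("PROPFIND /dav/ HTTP/1.1\r\n"
                         "Host: marge.sylvia.test\r\nDepth: 1\r\n"
                         "Authorization: Basic dXNlcm5hbWU6czNjcjN0\r\n\r\n")


def auth_required(method, limit_except=QUOTED_LIMIT_EXCEPT):
    """Require applies to every method except those named in LimitExcept."""
    return method.upper() not in limit_except


def parse_request(raw):
    """Split a minimal HTTP/1.1 request into (method, target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def basic_credentials(headers):
    """(user, password) from an 'Authorization: Basic ...' header, else None.
    Basic is base64, not encryption: whoever sees the request on the wire
    (the way Ethereal saw it in the text) recovers the password."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def decide(raw, limit_except=QUOTED_LIMIT_EXCEPT, users=USERS):
    """'anonymous' if the method needs no login under this config,
    'authenticated' if valid credentials were sent, otherwise '401'."""
    method, _target, headers = parse_request(raw)
    if not auth_required(method, limit_except):
        return "anonymous"
    creds = basic_credentials(headers)
    if creds is None:
        return "401"
    user, password = creds
    expected = users.get(user)
    # constant-time comparison of the supplied and the stored password
    if expected is not None and hmac.compare_digest(password.encode(), expected.encode()):
        return "authenticated"
    return "401"


if __name__ == "__main__":
    for label, raw in (("browser GET", BROWSER_GET),
                       ("cadaver PROPFIND", CADAVER_PROPFIND),
                       ("cadaver PROPFIND + auth", CADAVER_PROPFIND_AUTH)):
        print(f"{label:24} quoted={decide(raw):14} "
              f"hardened={decide(raw, HARDENED_LIMIT_EXCEPT)}")
    print("captured credentials:",
          basic_credentials(parse_request(CADAVER_PROPFIND_AUTH)[2]))
```

With the quoted configuration the browser GET comes back as "anonymous" and the first PROPFIND as "401"; with the hardened set every method needs a login. The last line decodes the captured token to the user name and password pair, which is the whole reason to run WebDAV with Basic authentication only over an encrypted channel.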
Another method of supplying files over IPv6 is FTP. I installed an FTP server
for Linux on marge.sylvia.test; I chose pure-ftpd version 1.0.19-7. Setting
it up was pretty easy using apt-get, for you simply need the packages
pure-ftpd-common and pure-ftpd. This installs the FTP server to /usr/sbin/
and puts the configuration details in /etc/pure-ftpd. I chose to run
pure-ftpd as a daemon ("dpkg-reconfigure pure-ftpd-common" to change that).
Before starting the server with "/usr/sbin/pure-ftpd -S 777 &" be sure that
you have a user "ftp" on your system, whose home directory is the one opened
for anonymous FTP. Anonymous FTP is enabled by default, so you can try
logging in either by not supplying user information or by using a user
account on the system. In the latter case the corresponding home directory
is opened. Keep in mind that FTP transmits user names and passwords in the
clear, so system accounts should be used over it only on the trusted lab
network.
In order to access the FTP server I chose a Windows FTP client called NcFTP
[40]. In the downloaded /bin directory you will find ncftp.exe, which starts
a command-line FTP tool. When typing "open" the address book is opened and
you can add a target with all the address information needed. Don't forget
to fill in the port chosen if you decided to use one other than 21 (I chose
777).
Note: There is a huge list of alternative FTP software. Servers: proFTPD
1.2.9, moftpd, tnftpd/lukemftpd, wu-ftpd, ftpd 0.17 patched, fftpd, ftpd-bsd
0.3.3, troll-ftpd 1.2.8 patched, ginseng-ftpd 1.6 and many more for Linux.
For Windows there are two FTP servers, but both intended for developers
only: the FTP server in Windows CE .NET and the MSRIPv6 FTP server. There
are also several FTP clients like lftp 2.6.5, tnftp 2.0, cftp 0.12, wget and
the ftp command supplied with Windows XP/2003.
you could, instead of altering these files as well, use "dpkg-reconfigure
exim4-config". One important thing to keep in mind when editing
update-exim4.conf.conf is that the colon acts as the list separator in this
file. Therefore you have to double each colon that is part of an IPv6
address (so ::1 is written ::::1). After editing these files manually you
have to run update-exim4.conf in order to make the changes take effect. Now
you are the proud user of a system that can send emails, but not receive
any. Therefore we have to see whether qpopper is IPv6 enabled.
Note: Other mail transfer agents supporting IPv6 are: Zmailer 2.99.55,
sendmail 8.12.9, qmail 1.03 patched, postfix 2.0.18 patched and courier
0.42.2.
Because qpopper does not support IPv6 there are several alternative mailbox
daemons: solidpop3d 0.15, courier-pop3d 0.42.2, courier-imapd 0.42.2,
cyrus-imapd 2.2.1-BETA, dovecot 0.99.10.6 and bincimapd 1.2.10. Because the
homepage of solidpop3d was down the day I wanted to install the software,
and cyrus-imapd had some strange errors after installation about a missing
connection to my mail server, I decided to use courier-imapd.
You could either install courier-imapd from the sources or from the apt
repository, as I chose to. First you have to install courier-authdaemon,
with its configuration file at /etc/courier/authdaemonrc, using authpam, and
then install courier-imapd (I use version 3.0.8-4). Other interesting files
in this context are /etc/courier/imapd and /etc/pam.d/imap. If you want you
can additionally install courier-doc, providing information on courier.
When trying to log in I got the error: FATAL ERROR: Maildir: no such file or
directory. In the file /etc/courier/imapd the last entry is about the mail
directory, setting it to
MAILDIRPATH=${home}/Maildir
Now we have to face the fact that by default exim stores the mails in a
single file while courier needs a directory. As a consequence we have to
modify /etc/exim4/configure first.
pipe_transport = address_pipe
reply_transport = address_reply
directory_transport = address_directory
modemask = 002
filter
Now the directory_transport points to the address_directory transport
specified before. When uncommenting the "filter" option you can use .forward
files in order to have Exim filter the mail. With this configuration every
user who wants mail to be stored in a maildir needs a ".forward" file
pointing to that maildir:
As far as I could find out on the internet, Outlook and Outlook Express both
don't support IPv6. I also tried making a new account with the mail servers
set to marge6.sylvia.test or [2001:16d8:ff47:1203:2::5] respectively, but
both just resulted in an error message that the server could not be found.
Figure 5.13: Error when sending a message with Outlook, telling that the
servers could not be found
Note: Other email clients supporting IPv6 are: mozilla-mail 1.4,
ximian-evolution 1.4.5, pine 4.58 patched, mutt 1.41, sylpheed 0.9.6,
sylpheed-claws 0.9.5 and KMail 3.1.2.
Much to my regret I had to find out that asterisk is not yet IPv6 capable.
There is a patch providing some IPv6 connectivity features, but it is not
very widely used. There has also been a bounty for writing an IPv6 patch,
but although the time has expired no patch is available by now.
There are two Linux-based softphones available, called linphone and kphone,
supporting IPv6, and two SIP phones, one from Moimstone (IP250) and one from
FreeBit (Business Phone).
Both ntpd and ntpdate are IPv6 capable and work without troubles. The ntpd
version installed is 4.2.0 and the only thing I had to do was to set an IPv6
time server in /etc/ntp.conf. Here's a list of some IPv6 capable stratum-1
servers:
ntp.rhrk.uni-kl.de (IPv4 and IPv6)
ntp6.remco.org (IPv6)
chime3.ipv6.surfnet.nl (IPv6)
ntp.ipv6.viagenie.qc.ca (IPv6)
I chose the one from surfnet. ntpd itself should be IPv6 capable when
installed on an IPv6 enabled host. Now, if you want to query your ntpd,
simply type
ntpdate 2001:16d8:ff47:1203:2::1
on marge.sylvia.test and the time will be adjusted to the time set on
bart.sylvia.test, using IPv6.
The big world of Windows applications has no free IPv6 NTP client (and one
client to buy that might work) to set the time on Windows hosts.
When I started migrating I thought that Active Directory, together with file
sharing, would not produce a lot of trouble, because most websites claimed
full support for IPv6 on Windows (in fact that's mostly all the information
I could get on the websites of Microsoft). On most sites I could read a lot
about transition techniques like the different tunnels and so on, but there
was not much written about the services that really support IPv6 on Windows
PCs, and that's what made my search for help pretty hard. When I found out
that a host does not log onto Active Directory via netlogon using IPv6 by
default, I tried tricks like setting the IPv4 address to a non-existing
value so that it might have to use IPv6. As you might have guessed, it
didn't work. The interesting thing, on the other hand, was that during
netlogon DNS was queried for the domain controller, and because I am using
dynamic updates from the host running Active Directory there even was an
AAAA entry returned to the querying host. But let's start from the
beginning.
The first thing I changed in my network topology was the server running
Active Directory. When reading this thesis cover to cover you might remember
that Active Directory formerly ran on a Windows 2000 Advanced Server and
that this server was updated to Windows 2003 Server in order to enable file
sharing between Windows hosts. So Active Directory had to be set up again
(which was not that much work, for I only entered two users). Then I had to
enable dynamic updating for the new domain controller in my BIND
configuration. This is done by updating /etc/bind/named.conf.local:
zone "sylvia.test" IN {
    type master;
    file "/etc/bind/db.sylvia.test";
    allow-update { 192.168.200.19; 2001:16d8:ff47:1203:2::13; };
};
The line "allow-update" enables dynamic updating, i.e. services can register
themselves in DNS. Note that such an address-based list trusts the source
address of the update packet alone, which any host on the segment can forge;
BIND can instead require updates to be signed with a TSIG key, and Windows
domain controllers can send secure (GSS-TSIG signed) updates, which is the
more robust setup. It may take some minutes until DNS is updated for the
first time, and the update creates a journal file *.jnl, with * being the
name of the corresponding zone file. The latter is updated with the
information retrieved from the .jnl file, which results in the following
zone entries:
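Both address lists seen so far, the acl "internal-net" behind allow-query in named.conf.options and the allow-update list above, are BIND address-match lists, and the way to find out what a given client will get is to evaluate them the way named does. The following Python script is an added example, not code from the thesis or from BIND: it parses the two quoted fragments, applies BIND's first-match rule (including "!" negation and references to named acls) and reports, for a few constructed client addresses such as the site-local address used later with ipsec6, whether they may query and whether they may update the zone:

```python
"""Evaluate BIND address-match lists offline.

Added example, not code from the thesis or from BIND: it reproduces the
first-match rule of a BIND address-match list so that the acl "internal-net"
(referenced by allow-query) and the allow-update list of the sylvia.test zone
can be checked against candidate clients before named is restarted.  The two
named.conf fragments are constructed from the ones quoted in the text; the
client addresses tried at the bottom are assumptions, not measurements.
"""
import ipaddress
import re

NAMED_CONF_OPTIONS = """
options {
    directory "/var/cache/bind";
    forwarders { 192.168.100.2; };
    listen-on-v6 { any; };
    allow-query { internal-net; };
};
acl internal-net {
    127.0.0.1;
    192.168.0.0/16;
    ::1/128;
    2001:16d8:ff47:1203::/64;
};
"""

NAMED_CONF_LOCAL = """
zone "sylvia.test" IN {
    type master;
    file "/etc/bind/db.sylvia.test";
    allow-update { 192.168.200.19; 2001:16d8:ff47:1203:2::13; };
};
"""

_ACL_RE = re.compile(r"\bacl\s+([\w-]+)\s*\{([^}]*)\}", re.S)
_LIST_RE = re.compile(r"\b(allow-(?:query|update|transfer))\s*\{([^}]*)\}", re.S)


def parse_elements(body):
    """Split the text between { and } into its ';'-terminated elements."""
    return [e.strip() for e in body.split(";") if e.strip()]


def parse_acls(text):
    """Named acl statements: {name: [elements]}."""
    return {name: parse_elements(body) for name, body in _ACL_RE.findall(text)}


def parse_lists(text):
    """allow-query / allow-update / allow-transfer lists: {directive: [elements]}."""
    return {name: parse_elements(body) for name, body in _LIST_RE.findall(text)}


def matches(addr, elements, acls):
    """BIND's rule: the first element that covers the address decides.  A
    '!'-negated element that covers it means 'no match'; an address covered
    by no element does not match.  IPv4 and IPv6 never match each other."""
    ip = ipaddress.ip_address(addr)
    for element in elements:
        negated = element.startswith("!")
        item = element[1:].strip() if negated else element
        if item == "any":
            hit = True
        elif item == "none":
            hit = False
        elif item in acls:                       # reference to a named acl
            hit = matches(addr, acls[item], acls)
        else:                                    # bare address or prefix
            hit = ip in ipaddress.ip_network(item, strict=False)
        if hit:
            return not negated
    return False


def check_clients(conf_options, conf_local, clients):
    """{client: {directive: allowed?}} for every allow-* list in the config."""
    text = conf_options + conf_local
    acls, lists = parse_acls(text), parse_lists(text)
    return {c: {name: matches(c, elems, acls) for name, elems in lists.items()}
            for c in clients}


if __name__ == "__main__":
    # Constructed candidates: both domain controllers, marge, a site-local
    # and a link-local address, and an IPv4 host outside 192.168/16.
    candidates = ["192.168.200.19", "2001:16d8:ff47:1203:2::13",
                  "2001:16d8:ff47:1203:2::5", "fec0::1:20a:5eff:fe22:afd6",
                  "fe80::1", "10.0.0.1"]
    for client, verdict in check_clients(NAMED_CONF_OPTIONS, NAMED_CONF_LOCAL,
                                         candidates).items():
        print(f"{client:30} {verdict}")
```

Running it shows that both domain controllers may query and update, that every host in 2001:16d8:ff47:1203::/64 and 192.168/16 may query but not update, and that site-local, link-local and 10/8 addresses are refused outright, which is the check the DNS section asks you to make from other hosts. Keep in mind that an allow-update verdict is only as trustworthy as the source address it is based on.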
Figure 5.15: some of the dynamic DNS entries produced by Windows 2003
When sniffing the whole logon process I found out that although DNS is
queried and returns wiggum.sylvia.test for the services needed (wiggum is an
AAAA site-local entry), everything is done using IPv4. I then tried to query
newsgroups, mailing lists and lots of homepages for this issue and found
someone telling me he had a working Active Directory system using IPv6.
Because I could not get more details from him I decided to ask Microsoft
again. They told me that Windows 2003 server does not support IPv6, or in
more detail, Kerberos as well as LDAP will fail but SMB negotiation will
work. You can only guess how long it took me to get such a detailed answer.
;o)
Tip: OpenLDAP v2.0 natively supports IPv6.
CUPS versions older than 1.2 do not support IPv6, and therefore I installed
a newer version on my marge.sylvia.test. I downloaded the sources of
cups-1.2.x-r4608 and installed them. You can type "lpstat -t" in order to
see all printers configured with all details available or, as before, you
could as well use the GUI at http://localhost:631. After trying for a long
time to configure this cups version, I downloaded an even newer version of
CUPS (1.2svn-r4929). In the file /etc/cups/cupsd.conf add two entries in
order to listen on IPv6 addresses:
Listen [::1]:631
Listen [2001:16d8:ff47:1203:2::5]:631
Remember that the Listen lines only decide where cupsd accepts connections;
who may print or administer is governed by the Allow/Deny rules in the
Location sections of cupsd.conf, so when you open a global IPv6 address
check those as well. For configuring a client you simply have to set the
CUPS IPv6 server address in the file "/etc/cups/client.conf":
ServerName [2001:16d8:ff47:1203:2::5]
You can test your IPv6-capable printer by typing:
lpr <filename>
Note: Only from reading the comments on the snapshots was I able to find out
that earlier 1.2 snapshots have trouble with IPv6 addresses.
Windows: I could not manage to connect to the CUPS server using Windows.
A very nice but also very important use of IPv6 is listening to IPv6-only
radio. The University of Southampton has a live stream of Virgin Radio that
is reachable over IPv6 only and can be listened to using e.g. Windows Media
Player 10, iTunes 4.5, zinf, etc. Check it out at:
http://www.ipv6.ecs.soton.ac.uk/virginradio/. Below you see some packets
from the initialization phase of Virgin Radio.
Another cool thing is to enable IPv6 with MSN, and to make MSN even cooler
you can add the software called threedegrees from www.threedegrees.com
(which has gone offline by now). But don't be sad, you can still get it from
Microsoft at
http://download.microsoft.com/download/b/3/2/b3251b5b-76fb-46f7-bd6c-f5644713dff6/squiggles.exe.
Using this piece of software you can watch pictures and listen to music with
up to ten people around the world at once (this could be considered
Microsoft's answer to file sharing). I tried this software together with my
friend Mustafa from Turkey, who is working on IPv6 as well, and pretty much
enjoyed adding items to a shared playlist and listening to the songs
together. This is an approach that shows what peer-to-peer and IPv6 can do
to people who do not already recognize the advantages. [44]
inbound and outbound communication, but since this way of using ipsec6
isn't secure anyway (the keys are static and configured by hand), I decided
to keep them the same. SA entries are added in decreasing order as well.
The key file is a simple plain-text file residing in the same folder as the
two files processed above. Name the file you created "myfile.key" and be
very careful what you type into this file: each space or line feed makes a
difference and the file must be identical to the one residing on client2 in
the ipsec6 communication.
On client2 (flanders) you need the same configuration as well. Start by
creating the files with "ipsec6 s thesis" and then edit the "thesis.spd"
file first (don't forget to create this entry before the existing entry):
Field Name Value
Policy 2
RemoteIPAddr - fec0::1:20a:5eff:fe22:afd6
LocalIPAddr -*
Protocol -*
RemotePort -*
LocalPort -*
IPSecProtocol AH
IPSecMode TRANSPORT
RemoteGWIPAddr *
SABundleIndex NONE
Direction BIDIRECT
Action APPLY
InterfaceIndex 0
After you have put a semicolon at the end of the line, edit "thesis.sad":
ipsec6 sp
If you want to delete the Security Association number 2 type:
ipsec6 d sa 2
You can use a similar command for deleting Security Policy number 2:
ipsec6 d sp 2
Now we are able to try our ipsec6 implementation by pinging the host with
the address used in the files (I tried this with link-local addresses with
zone ID and site-local addresses consecutively). When pinging the other
client you can see the Authentication Header being appended to each packet:
Figure 5.20: ping from client1 (wiggum) to client2 (flanders) with
Authentication Header
Above you see one of the ICMPv6 packets sent by client1, and below you have
the details containing the Authentication Header. You can see the SPI set
above as well (0xbb9 = 3001). This all looks pretty good, and everything
worked except for the echo reply when using ipsec6. I guess I tried this ten
times and always had the same result: the ping goes out but no reply is sent
back (time-out). I did not find any errors reported in the event log, nor
when I looked at the ICMPv6 errors (netstat -s -p icmpv6). Because I was
already in contact with Microsoft, I asked them if ipsec6 worked for them
and got the answer from someone my mails concerning IPv6 were forwarded to,
that this only works sometimes when he configured it and
To be precise, there are two ways of sending your packets when encrypting:
tunnel mode and transport mode. In transport mode (which I chose) only the
payload is encrypted and the original IP header stays in the clear, while in
tunnel mode the whole packet, header included, is encrypted and a new outer
header is prepended. IPsec, as seen before, needs the exchange of keys in
order to provide authenticated and encrypted communication. There are two
common ways of providing authentication: pre-shared keys (simple) or RSA
keys (or X.509 certificates). I chose a pre-shared key environment in my
lab. The next thing to choose is which IKE daemon you want to use: on one
side there is "racoon" and on the other "pluto", which is said to be a bit
less difficult to configure. "Racoon" comes from the KAME project and
"pluto" is included in the distributions of the *S/WAN projects. The first
project was FreeS/WAN, which ended in 2004 and produced two successors:
strongSwan and Openswan. I decided to use Openswan. Configuring Openswan is
not a big deal. You start with the config file /etc/ipsec.conf (at
marge.sylvia.test):
version 2.0
config setup
    include /etc/ipsec.d/examples/no_oe.conf
conn ipv6-p1-p2
    connaddrfamily=ipv6
    left=2001:16d8:ff47:1203:2::5
    right=2001:16d8:ff47:1203:2::1
    authby=secret
    esp=aes128-sha1
    ike=aes128-sha-modp1024
    type=transport
    compress=no
    auto=add
The line "conn ipv6-p1-p2" names the connection, for you can define multiple
connections to multiple hosts. This connection is established between
marge.sylvia.test, 2001:16d8:ff47:1203:2::5, here defined as "left", and
bart.sylvia.test, 2001:16d8:ff47:1203:2::1, here denoted as "right". Please
note that this config file is taken from marge.sylvia.test. The only line
specific to IPv6 is "connaddrfamily=ipv6". The pre-shared key environment
(authby=secret), the cipher suites (esp= and ike=: AES-128 with SHA-1, and
the MODP-1024 Diffie-Hellman group for IKE) and the mode of usage
(type=transport) are also defined here.
The next, and last, step is to provide a key. This is done by setting the key
used between these hosts in the file /etc/ipsec.secrets. The two addresses in
front of the colon must be exactly the left and right addresses of the
connection, otherwise pluto finds no key for it, and a real deployment should
use a long random secret rather than a word like the one shown here:
2001:16d8:ff47:1203:2::5 2001:16d8:ff47:1203:2::1 : \
    PSK "foo"
Setting the same options on the second host participating in this encrypted
communication (bart.sylvia.test) is the last step here. Now we have to test
our configuration.
Start ipsec with
/etc/init.d/ipsec start
Then the specific connection you want to use (mine is called "ipv6-p1-p2")
has to be brought up on one of the peers by typing:
ipsec auto --up ipv6-p1-p2
You should see output like the following, ending in the line "IPsec SA
established", which proves that the payload between these two hosts is now
encrypted:
104 "ipv6-p1-p2" #1: STATE_MAIN_I1: initiate
003 "ipv6-p1-p2" #1: received Vendor ID payload [Openswan (this version)
2.4.0 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "ipv6-p1-p2" #1: received Vendor ID payload [Dead Peer Detection]
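Before bringing the connection up it pays to check the two files against each other, because pluto picks the pre-shared key by the identities written in front of ": PSK" in ipsec.secrets, and an address that differs from the conn's left or right by a single character silently leaves the connection without a key. The following Python checker is an added example, not code from the thesis or from Openswan. It parses the ipsec.conf quoted above and two constructed ipsec.secrets variants, one correct and one with a mistyped right address, and also flags a connaddrfamily that does not fit the addresses and a short PSK such as "foo":

```python
"""Cross-check an Openswan conn against its ipsec.secrets entry.

Added example, not code from the thesis or from Openswan.  pluto selects the
pre-shared key by the identities in front of ": PSK" in ipsec.secrets, which
for authby=secret are the addresses of left and right, so a secrets line
whose address differs from the conn in one character leaves the connection
without a key.  The ipsec.conf text is reconstructed from the one quoted in
the text; both secrets lines, including the mistyped one, are constructed.
"""
import ipaddress
import re

IPSEC_CONF = """\
version 2.0
config setup
    include /etc/ipsec.d/examples/no_oe.conf
conn ipv6-p1-p2
    connaddrfamily=ipv6
    left=2001:16d8:ff47:1203:2::5
    right=2001:16d8:ff47:1203:2::1
    authby=secret
    esp=aes128-sha1
    ike=aes128-sha-modp1024
    type=transport
    compress=no
    auto=add
"""

SECRETS_OK = '2001:16d8:ff47:1203:2::5 2001:16d8:ff47:1203:2::1 : PSK "foo"\n'
# One colon too many in the second address: still a valid IPv6 address, just
# not bart's, so pluto will never associate this key with the conn.
SECRETS_TYPO = '2001:16d8:ff47:1203:2::5 2001:16:d8:ff47:1203:2::1 : \\\n    PSK "foo"\n'

_PSK_LINE = re.compile(r'^(.*?)\s*:\s*PSK\s+"([^"]*)"\s*$')


def parse_ipsec_conf(text):
    """{'conn NAME' | 'config setup': {key: value}} from an ipsec.conf."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():                # section header or 'version'
            parts = line.split(None, 1)
            current = line.strip() if parts[0] in ("conn", "config") else None
            if current:
                sections[current] = {}
        elif current and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def normalize(identity):
    """Canonical text for an IP identity so spelling variants compare equal."""
    try:
        return str(ipaddress.ip_address(identity))
    except ValueError:
        return identity                          # %any, @fqdn, ...


def parse_secrets(text):
    """[(set of identities, psk)] for every PSK line; '\\' joins continuations."""
    entries = []
    for line in text.replace("\\\n", " ").splitlines():
        match = _PSK_LINE.match(line.split("#", 1)[0].strip())
        if match:
            entries.append(({normalize(i) for i in match.group(1).split()}, match.group(2)))
    return entries


def find_psk(secrets, left, right):
    """The PSK whose identities cover both endpoints (an empty identity list
    or %any covers everything), or None if no line fits."""
    for ids, psk in secrets:
        if not ids or all(normalize(ep) in ids or "%any" in ids for ep in (left, right)):
            return psk
    return None


def audit(conn, secrets):
    """Findings for one conn; an empty list means nothing obviously wrong."""
    findings = []
    family = conn.get("connaddrfamily", "ipv4")
    for side in ("left", "right"):
        addr = conn.get(side, "")
        try:
            version = ipaddress.ip_address(addr).version
        except ValueError:
            findings.append(f"{side}={addr!r} is not an IP address")
            continue
        if (family == "ipv6") != (version == 6):
            findings.append(f"{side}={addr} is IPv{version} but connaddrfamily={family}")
    if conn.get("authby") == "secret":
        psk = find_psk(secrets, conn.get("left", ""), conn.get("right", ""))
        if psk is None:
            findings.append("no ipsec.secrets entry covers both left and right")
        elif len(psk) < 20:
            findings.append(f"PSK {psk!r} has only {len(psk)} characters; use a long random one")
    return findings


if __name__ == "__main__":
    conn = parse_ipsec_conf(IPSEC_CONF)["conn ipv6-p1-p2"]
    for label, secrets in (("correct secrets", SECRETS_OK), ("mistyped secrets", SECRETS_TYPO)):
        print(f"{label}: {audit(conn, parse_secrets(secrets))}")
```

For the correct secrets file the only finding is the weak key; for the mistyped one the checker reports that no entry covers both endpoints, which is the situation behind an IKE negotiation that never reaches "IPsec SA established".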
Figure 5.21: pinging and digging between marge (ns1) and bart, encrypted
Above you can see some packets from the communication between marge and
bart. These have been some ICMP echo requests and replies and a dig command.
I know this because I did this sniff; the data is of course encrypted and you
cannot figure out what really happened ;o). The protocol used is ESP,
Encapsulating Security Payload. The IP header, on the other hand, is plain
text.
Note: There are several other daemons for configuring a Virtual Private
Network: the native IPsec implementation of Linux kernel 2.6.x, yavipin
0.9.6, OpenVPN 1.6.0, FreeS/WAN 2.06, Openswan 2.2.0 and strongSwan 2.1.3.
Hint: You can also configure e.g. Openswan to work with your Windows 2000 or
Windows XP when using IPv4. [45]
Another important application is remote login using SSH. The OpenSSH client
and server on Linux have supported IPv6 for a long time (the 3.6.1 release
used here certainly does). You can use the command "ssh" with either the
hostname or the IP address; both ways work.
Windows ships no SSH client at all, but I'd recommend PuTTY (v 0.58) on
Windows-based clients: simply put in the hostname, the FQDN or the IPv6
address and everything will just work without trouble.
TightVNC authenticates with a challenge-response handshake, so the password
itself is not sent in the clear, but it does not encrypt the session traffic.
It is recommended to use VNC only on trusted networks, or through an
encrypted tunnel (e.g. SSH port forwarding) on untrusted ones.
Although Microsoft's telnet server is not IPv6-enabled by default, you can
use it. First simply check whether typing "telnet wiggum6" to connect to a
Windows 2003 server running an IPv4 telnet server works. If not, you can
make it IPv6-enabled yourself. Because telnet is a protocol that does not
embed addresses in the upper-layer PDUs, you can simply proxy the data.
Therefore you need a PortProxy forwarding traffic destined for IPv6 port 23
to IPv4 port 23. This is done with:
netsh interface portproxy add v6tov4 23
Keep in mind that the proxy changes nothing about telnet itself: user names
and passwords still cross the network in the clear, over IPv6 just as over
IPv4, so prefer SSH wherever you can.
When you "nmap -6" the host running the telnet server you can see the port
being open on IPv6 as well. Then I simply used PuTTY to establish a
connection using telnet, and here you can see it worked:
In order to use webalizer for privoxy you need to make some changes. First
create a new configuration file (note that I do not alter the old one;
because the IPv6 migration cannot take place fully by now, I still want to
keep an eye on what squid is doing as well). This new configuration file is
called "/etc/webalizerPrivoxy.conf" and should have the following lines
changed:
LogFile /var/log/privoxy/logfile
LogType CLF
OutputDir /var/www/webalizerPrivoxy
You need to define a log file other than the default one, for that one is
used for logging errors encountered when analyzing squid. Privoxy uses a
different LogType, the Common Log Format or CLF for short. If you forget to
put this here, webalizer will not be able to read the log files produced by
privoxy. The last thing that had to be changed is the OutputDir, so that the
two webalizer instances don't overwrite each other.
Note: If not done yet, you might need to set your privoxy to log in Common
Log Format. This is done in the config file by setting "debug 512".
Last but not least you need to add an entry to /etc/crontab for the new
instance of webalizer ("-c /etc/webalizerPrivoxy.conf" sets the
configuration file used to /etc/webalizerPrivoxy.conf).
Newer versions of nmap are IPv6-enabled by default but lack the other
scanning mechanisms for IPv6, like UDP scans. In order to use methods other
than -sT, -sP and -sL I found a nice patch on the internet.
First you need an older version of nmap, "nmap-2.54BETA36", which you can
get from the code repository at http://www.insecure.org/nmap/dist-old/.
After unzipping and untarring I changed the install directory in the
configure file in order not to interfere with the existing nmap
installation. The next thing is to patch the sources using the patch found
at http://nmap6.sourceforge.net:
patch -d <nmap-2.54BETA36 location> < <nmap-2.54BETA36_ipv6.diff location>
After patching the sources run
./configure
make
su
make install
and try it with e.g. a UDP scan of localhost:
./nmap -6 -sU -P0 ::1
Although ip6tables (the IPv6 counterpart of iptables) can filter IPv6
traffic as well, stateful filtering of IPv6 is only available with Linux
kernel 2.6.12 and higher. Because I do not have a computer with this kernel
version I only implemented an IPv6 firewall with stateless packet
filtering. See the appendix for my firewall implementation.
5.7 Testing
Now that we have migrated most of the services used, or found a replacement for those that could not be migrated, let's take a quick look at testing the network for performance issues. When working with IPv4 I could find loads of applications testing more or less important network features, but with IPv6 the software to choose from is very limited. When I asked the participants of the users@ipv6.org newsgroup, most of them told me that they wrote their tests themselves, e.g. measuring the time it takes to put or get a file using FTP.
5.7.1 iperf
I use iperf version 2.0.2, which has native IPv6 support. The handling for IPv6 is much the same as for IPv4. The server is started using
iperf -V -s
Iperf also works on Windows and is therefore the only IPv6 testing tool from which significant conclusions can be drawn.
Netserver and its client netperf were also used in my IPv4 testing run; they support IPv6 testing from version 2.3 onwards, on Linux only. Start the server using:
netserver -6 -p 123456
on port 123456, and the client by typing:
netperf -H <ServerAddress> -6 -p 123456
ServerAddress can again be an FQDN or the IPv6 address.
5.7.3 Smokeping
Smokeping can easily be configured for use with IPv6: you simply need to use fping6 instead of fping in the configuration file. But let's go step by step. First I downloaded the fping6 utility from http://unfix.org/profects/ipv6/fping-2.4b2_to-ipv6.tar.gz. Then I edited the following lines in the /etc/smokeping/config file in order to support IPv6:
cgiurl = http://snowball/cgi-bin/smokepingv6.cgi
Besides setting the new targets to IPv6 addresses, this is all that had to be done in the configuration file. The next problem was that smokeping uses “/etc/smokeping/config” by default and I could not find a way to set a path to another config file. Instead of searching further for a command-line option, I simply copied the smokeping executable “/usr/sbin/smokeping”, renamed the copy to “/usr/sbin/smokepingv6” and edited the line defining which configuration file to use:
Smokeping::main("/etc/smokeping/configv6");
Now you can run smokeping and smokepingv6 on one PC. See the Code Appendix for the whole configuration file. Below you can see the ICMPv6 round-trip graph for snowball generated on marge.
Figure 5.29: SNMP using IPv6 between marge (ns1.sylvia.test) and bart (bart6.sylvia.test)
to do now, in order to have SNMP traffic via IPv6 when using mrtg, is to copy the IPv4 configuration file for each host you also want to monitor using IPv6.
First of all, enable IPv6 by setting:
EnableIPv6: yes
Then make sure that you choose new names for the graphs (otherwise they would overwrite the IPv4 ones) and we are done (see the whole config file in the Code Appendix). Create the HTML file with:
indexmaker -output=/var/www/mrtg/bart6.html /etc/mrtgbart6.cfg
Before mrtg can graph anything you need to poll some data manually by typing the following command a few times:
mrtg /etc/mrtgbart.cfg
If this worked without errors you can append the command above to your crontab and look at the output at http://marge.sylvia.test/mrtg/bart6.html.
Note: Please keep in mind that the only thing changed is the protocol used for querying snmpd. The data queried is the same as with the IPv4-based configuration files. In order to have IPv6-specific data you have to include the IPv6 MIBs!
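The copy-and-rename procedure for mrtg described above, automated as an added example (this is not code from the thesis or from mrtg): it derives an IPv6 mrtg configuration from an IPv4 one, sets EnableIPv6, points the Target at the host's IPv6 name and gives every graph a new name so the IPv4 graphs are not overwritten, then checks that no graph name collides. The sample config text is constructed after the mrtg.conf fragment in the appendix; the IPv6 host name bart6.sylvia.test is the one used in the thesis.

```python
import re

# Constructed sample, modelled on the IPv4 /etc/mrtg.conf fragment in the appendix.
IPV4_CFG = """\
WorkDir: /var/www/mrtg
Target[192.168.200.1_eth1]: \\eth1:public@192.168.200.1:
SetEnv[192.168.200.1_eth1]: MRTG_INT_IP="192.168.150.6" MRTG_INT_DESCR="eth1"
MaxBytes[192.168.200.1_eth1]: 12500000
Title[192.168.200.1_eth1]: 192.168.150.6 -- bart
PageTop[192.168.200.1_eth1]: <H1>192.168.150.6 -- bart</H1>
 <TABLE>
 <TR><TD>System:</TD> <TD>bart</TD></TR>
 </TABLE>
"""

# Keyword[graphname]: value   (PageTop continuation lines start with whitespace)
KEY_RE = re.compile(r"^(?P<kw>\w+)\[(?P<name>[^\]]+)\]:(?P<val>.*)$")
# The SNMP host part of a Target value: ...community@host:  (host may be [ipv6-literal])
HOST_RE = re.compile(r"@(?P<host>\[[^\]]+\]|[^:\s]+):")


def graph_names(cfg: str) -> set[str]:
    """Return the set of graph names (the text inside [...]) used in a config."""
    return {m.group("name") for line in cfg.splitlines() if (m := KEY_RE.match(line))}


def derive_ipv6_config(ipv4_cfg: str, host_map: dict[str, str], suffix: str = "_v6") -> str:
    """Build the IPv6 twin of an IPv4 mrtg config.

    host_map maps the IPv4 SNMP host of each Target to its IPv6 name or
    [literal]; every graph name gets `suffix` so mrtg writes new .log/.png
    files instead of overwriting the IPv4 ones; EnableIPv6 is added if missing.
    """
    out = []
    if not any(line.split(":")[0].strip() == "EnableIPv6" for line in ipv4_cfg.splitlines()):
        out.append("EnableIPv6: yes")          # global option, must precede the targets
    for line in ipv4_cfg.splitlines():
        m = KEY_RE.match(line)
        if m is None:                           # global option or PageTop continuation
            out.append(line)
            continue
        kw, name, val = m.group("kw", "name", "val")
        if kw == "Target":
            hm = HOST_RE.search(val)
            if hm is None or hm.group("host") not in host_map:
                raise ValueError(f"no IPv6 host known for target {name!r}: {val.strip()}")
            val = val[:hm.start("host")] + host_map[hm.group("host")] + val[hm.end("host"):]
        out.append(f"{kw}[{name}{suffix}]:{val}")
    return "\n".join(out) + "\n"


def no_graph_collision(ipv4_cfg: str, ipv6_cfg: str) -> bool:
    """True when the two configs share no graph name, i.e. neither run can clobber the other."""
    return graph_names(ipv4_cfg).isdisjoint(graph_names(ipv6_cfg))


if __name__ == "__main__":
    cfg6 = derive_ipv6_config(IPV4_CFG, {"192.168.200.1": "bart6.sylvia.test"})
    print(cfg6)
    print("graph names disjoint:", no_graph_collision(IPV4_CFG, cfg6))
```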
Chapter 6
In the preceding chapter you could see step by step that nearly anything that has to be done in a network can be done using IPv6. It is important for me to mention that not every service could be migrated, especially with the Microsoft-based software used, and that there has not been much effort yet to write software exploiting the advantages of IPv6. As you could see, things that could not be migrated easily were e.g. Active Directory, which could be replaced by an elaborate configuration of OpenLDAP, or NTP clients using IPv6 for Windows systems. In fact, I do not consider the latter problem very big, because it is not possible to run IPv6-only networks at the moment. Besides such “unimportant” things as time synchronization, Microsoft does not yet support DNS or SNMP querying using IPv6, which is more important in a production environment. As a short summary one could say that a network running Linux-flavoured operating systems is 99% migratable, while Windows systems simply impose more problems in migrating.
One huge aspect of my thesis was to examine closely whether the transition phase could also have taken place in a real production environment, with people working on the services I migrated. In most of the cases I have to say: yes. I think everybody knows from her or his own experience that there are services that just crash while being reconfigured, and you have to spend a few hours on them until they work again. I guess such things just have to happen, and in fact they did happen in my environment as well. Most of the services I migrated “simply” needed to be configured for
CHAPTER 6. CONCLUSION AND SUMMARY 223
pletely honest, I really loved working with IPv6. There is only a small community in the European region working on problems concerning IPv6, and you quickly get to know everyone from newsgroups etc. It really is fun working together and helping each other with problems most IT professionals have not dealt with before (of course, this can also be pretty hindering when you have a problem, google it and get something like two results, both in strange languages). In my opinion, the advantages of IPv6 are obvious: we have the huge address space bringing mobile computing and peer-to-peer computing to the next level, we have encrypted and authenticated traffic for securing your company from its employees, and we have huge improvements concerning prioritized traffic like video streams and the autoconfiguration of hosts. These advantages and a relatively easy transition will make IPv6 more and more important in the next years. At the moment, I have to confess, switching to IPv6 only is something for those wanting to be on the pulse of technology. Today its benefits may not be enough to deploy IPv6 all over the company, but it is good to be aware of this technology very early, for it will become predominant very soon. Today it might only be “cool” to tell your customers that you have already updated your company to IPv6; in a few years it will be standard, and that is why I want to propagate IPv6 with this thesis. Since IPv6 builds on the basic structure IPv4 has used, there are not really any “disadvantages” you are not used to from using IPv4. One thing that might be something like a “disadvantage” is the training of the IT staff, which will cost money and time, as it always does with new versions of anything, but this money is not lost. Always keep in mind that using IPv6 today and trying out its features only facilitates the things you will have to do the day IPv6 has to be used. It is an investment in the future of network technology and will bring money in return. Even today big companies have already saved considerable spending by using the autoconfiguration techniques provided instead of configuring manually. Think also of the benefits you have when doing secure communication without tunneling over the internet, or when having road warriors in your company.
Another point I want to mention at the end is the financial aspect of migrating. I did not really have to buy additional hardware for my needs, but if I had wanted to use my Cisco routers and switches I would have needed additional software and memory, for which I did not find a sponsor (so I stuck to using hubs and Linux routers). In the field of VoIP you would need different hardware as well, but as long as Asterisk does not fully support IPv6 there was no need to look for it. I did not experience many problems with software compatibility, because most of my services run on Linux and therefore open source solutions are available. On the other hand, I did not manage to find a free NTP client running IPv6 for Windows. I guess that is pretty much all I needed from the hardware and software side.
When it comes to information gathering I have to confess: yes, I bought “Understanding IPv6” and another IPv6 theory book (which in fact I did not read), both for a few Euros each. The most expensive thing in the whole migration of my test network was, of course, the time I spent on it. It is very hard to define how much time it took me to migrate my services (because I had to do different things besides), but it might be something like 23 to 30 days (Monday to Friday: 9-11 hours a day, Saturdays and Sundays 4-5 hours a day). You might guess that this is just an estimated value, which also includes the time I spent reading about the new protocol.
As the very last paragraph in this master thesis I again want to assure everyone who does not yet believe me: IPv4 will be outdated soon and IPv6 is, if some additional work is done, the perfect successor. Again I want to thank everyone who made this project possible and everyone reading this thesis to the end :-) .
Appendix
Chapter 7
Configuration Files
7.1.1 APT
/etc/apt/sources.list
deb http://ftp.tu-graz.ac.at/mirror/debian unstable main non-free contrib
CHAPTER 7. CONFIGURATION FILES 228
7.1.2 Asterisk
/etc/zaptel.conf
loadzone=at
defaultzone=at
# for our TDM31: 1x FXO + 3x FXS
# slot 1 at the connectors
fxoks=1-3
fxsks=4
/etc/asterisk/asterisk.conf
[directories]
astetcdir => /etc/asterisk
astmoddir => /usr/lib/asterisk/modules
astvarlibdir => /var/lib/asterisk
astagidir => /var/lib/asterisk/agi-bin
astspooldir => /var/spool/asterisk
astrundir => /var/run
astlogdir => /var/log/asterisk
; Changing the following lines may compromise your security.
;[files]
;astctlpermissions = 0660
;astctlowner = root
;astctlgroup = apache
;astctl = asterisk.ctl
/etc/asterisk/extensions.conf
writeprotect=no
;
autofallthrough=yes
;
clearglobalvars=no
; The "Globals" category contains global variables that can
; be referenced in the dialplan with ${VARIABLE} or
; ${ENV(VARIABLE)} for Environmental variable
[globals]
CONSOLE=Console/dsp ; Console interface for demo
2210=misdn/1/10 ; switchboard
2211=misdn/1/11 ; Natalie FREILER
2212=misdn/1/12 ; Peter
2213=misdn/1/13 ; Jürgen GRANDITS
2214=misdn/1/14 ; Thomas MÜLLNER
2215=misdn/1/15 ; Susanne STIPSITS
2216=misdn/1/16 ; Eveline WEINHOFER
2217=misdn/1/17 ; Sabine SWATEK-VENUS
2218=misdn/1/18 ; Anita DIENER
2219=misdn/1/19 ; staff room
2220=misdn/1/20 ; Johanna EBERL
2221=misdn/1/21 ; Anita IMREK
2222=misdn/1/22 ; Dorli CSECSINOVITS
2223=misdn/1/23 ; Hotline
2224=misdn/1/24 ; Baldur FLECK
2225=misdn/1/25 ; Karl SCHUH
2232=misdn/1/32 ; Rudolf ERKINGER
2235=misdn/1/35 ; Tamara TAUS
2236=misdn/1/36 ; Andreas GRABNER
;
2921=SIP/2921 ; grandstream bt100
2925=SIP/2925 ; grandstream 2000
2936=SIP/2936 ; allnet 7950
;2314=Zap/4
;211=Zap/1
;212=Zap/2
;213=Zap/3
;
[macro-voicemail]
; for SIP phones
exten => s,1,Dial(${ARG1},20,tr)
exten => s,2,Goto(s-${DIALSTATUS},1)
exten => s-NOANSWER,1,Voicemail(u${MACRO_EXTEN})
exten => s-NOANSWER,2,Hangup()
exten => s-BUSY,1,Voicemail(b${MACRO_EXTEN})
exten => s-BUSY,2,Hangup()
exten => _s-.,1,Goto(s-NOANSWER,1)
;
[macro-standard]
exten => s,1,Dial(${ARG1},20,tr)
exten => s,2,Hangup()
;
[macro-isdn-voicemail]
exten => s,1,Dial(${ARG1})
exten => s,2,Goto(s-${DIALSTATUS},1)
exten => s-NOANSWER,1,Voicemail(u${MACRO_EXTEN})
exten => s-NOANSWER,2,Hangup()
exten => s-BUSY,1,Voicemail(b${MACRO_EXTEN})
exten => s-BUSY,2,Hangup()
exten => _s-.,1,Goto(s-NOANSWER,1)
;
; =======================================================
; for incoming calls
;
[default]
exten => s,1,Answer()
exten => s,2,Playback(demo-nogo)
exten => s,3,Hangup()
;
[unauth]
exten => s,1,Answer()
exten => s,2,Playback(demo-nogo)
exten => s,3,Hangup()
;
[voll]
include => demo
;
; Or a conference room (you’ll need to edit
; meetme.conf to enable this room)
;exten => 8600,1,Meetme(1234)
;
; for invalid numbers and timeouts
exten => i,1,Playback(pbx-invalid)
exten => i,2,Hangup()
exten => t,1,Playback(vm-goodbye)
exten => t,2,Hangup()
;
; end of [intern]
;
;
[filiale]
exten => _23XX,1,Dial(IAX2/zur-inform/${EXTEN})
exten => _23XX,2,Hangup
exten => _23XX,102,Hangup
;
exten => _24XX,1,Dial(IAX2/nach-jo/${EXTEN})
exten => _24XX,2,Hangup
exten => _24XX,102,Hangup
;
;exten => _33XX ??
;
;exten => _44XX ??
;
[always-out-amt]
; emergency calls using ISDN
exten => _1XX,1,Dial(misdn/1/${EXTEN})
exten => _1XX,2,Congestion
exten => _1XX,3,Hangup
exten => _1XX,102,Congestion
exten => _1XX,103,Hangup
;
[local]
; users can only make local calls within the city
/etc/asterisk/iax.conf
; Inter-Asterisk eXchange driver definition
;
[general]
bindport=4569 ; bindport and bindaddr may be specified
language=de
bandwidth=low
;allow=all ; same as bandwidth=high
;disallow=g723.1 ; Hm... Proprietary, don’t use it...
disallow=lpc10 ; Icky sound quality... Mr. Roboto.
;allow=gsm ; Always allow GSM, it’s cool :)
;
jitterbuffer=no
forcejitterbuffer=no
;dropcount=2
;maxjitterbuffer=1000
;maxjitterinterps=10
;resyncthreshold=1000
;maxexcessbuffer=80
;minexcessbuffer=10
;jittershrinkrate=1
;trunkfreq=20 ; How frequently to send trunk msgs (in ms)
;
; You can disable authentication debugging to
; reduce the amount of debugging traffic.
;
authdebug=yes
;
tos=lowdelay
;
autokill=yes
;
;
; Guest sections for unauthenticated connection
; attempts. Just specify an empty secret, or
; provide no secret section.
;
[guest]
type=user
context=unauth
callerid="Guest IAX User"
;
;
[von-inform]
type=user
host=192.168.250.178
;host=192.168.123.5
context=iax-intern-in
trunk=yes
;
[zur-inform]
type=peer
host=192.168.123.5
;
[von-jo]
type=user
host=192.168.150.7
;username=elsylo
;secret=fanta4
context=intern
trunk=yes
;auth=md5,plaintext,rsa
;setvar=foo=bar
;notransfer=yes ; Disable IAX native transfer
;jitterbuffer=yes ; Override global setting and enable jitter buffer for this user
;callerid="Mark Spencer" <(256) 428-6275>
;deny=0.0.0.0/0.0.0.0
;accountcode=markster0101
;permit=209.16.236.73/255.255.255.0
;language=en ; Use english as default language
;
; Peers may also be specified, with a secret and
; a remote hostname.
;
[nach-jo]
type=peer
;username=elsylo
;secret=fanta4
host=192.168.150.7
;sendani=no
;host=asterisk.linux-support.net
;port=5036
;mask=255.255.255.255
;qualify=yes ; Make sure this peer is alive
;jitterbuffer=no ; Turn off jitter buffer for this peer
/etc/asterisk/indications.conf
[general]
country=at
[at]
description = Austria
ringcadance = 1000,5000
; Reference: http://www.itu.int/ITU-T/inr/forms/files/tones-0203.pdf
dial = 420
busy = 420/400,0/400
ring = 420/1000,0/5000
congestion = 420/200,0/200
callwaiting = 420/40,0/1960
dialrecall = 420
; RECORDTONE - not specified
record = 1400/80,0/14920
info = 950/330,1450/330,1850/330,0/1000
stutter = 380+420
[de]
description = Germany
; Reference: http://www.itu.int/ITU-T/inr/forms/files/tones-0203.pdf
ringcadance = 1000,4000
dial = 425
busy = 425/480,0/480
ring = 425/1000,0/4000
congestion = 425/240,0/240
callwaiting = !425/200,!0/200,!425/200,!0/5000,!425/200,!0/200,!425/200,!0/5000,!425/200,!0/200,!425/200,!0/5000,!425/200,!0/200,!425/200,!0/5000,!425/200,!0/200,!425/200,0
; DIALRECALL - not specified
dialrecall = !425/100,!0/100,!425/100,!0/100,!425/100,!0/100,425
; RECORDTONE - not specified
record = 1400/80,0/15000
info = 950/330,1400/330,1800/330,0/1000
stutter = 425+400
[hu]
description = Hungary
; Reference: http://www.itu.int/ITU-T/inr/forms/files/tones-0203.pdf
ringcadance = 1250,3750
dial = 425
busy = 425/300,0/300
ring = 425/1250,0/3750
congestion = 425/300,0/300
callwaiting = 425/40,0/1960
dialrecall = 425+450
; RECORDTONE - not specified
record = 1400/400,0/15000
info = !950/330,!1400/330,!1800/330,!0/1000,!950/330,!1400/330,!1800/330,!0/1000,!950/330,!1400/330,!1800/330,!0/1000,0
stutter = 350+375+400
/etc/asterisk/sip.conf
;
; SIP Configuration example for Asterisk
[general]
context=unauth
realm=ow.bfi-bgld.at
bindport=5060
bindaddr=0.0.0.0
srvlookup=yes
;tos=184
;tos=lowdelay
disallow=all
allow=alaw
;allow=ilbc
language=de
nat=no
;
;
[2925]
; Grandstream 2000
type=friend
host=dynamic
;host=192.168.160.xxx
defaultip=192.168.112.72
context=voll
username=2225
secret=2225
callerid="Karl Schuh" <2925>
mailbox=2225
reinvite=no
canreinvite=no
; dtmf mode: rfc2833 for Sipura, info for Grandstream
dtmfmode=info
qualify=1000
disallow=all
allow=gsm
allow=alaw
callgroup=1
pickupgroup=1
;
[2921]
; grandstream BT100
type=friend
username=2221
secret=2221
context=voll
callerid=Karl SCHUH <2921>
host=192.168.112.70
canreinvite=no
dtmfmode=info
disallow=all
allow=ulaw
allow=alaw ; Asterisk only supports g723.1 pass-thru!
mailbox=2221
pickupgroup=1
reinvite = no
qualify = 1000
[2936]
; Allnet 7950
type=friend
username=2236
secret=2236
context=voll
host=dynamic
defaultip=192.168.112.71
pickupgroup=1
callgroup=1
reinvite=no
canreinvite=no
qualify=1000
dtmfmode=info
mailbox=2236
disallow=all
allow=ulaw
allow=alaw
callerid="Andreas GRABNER" <2936>
[229]
; Turn off silence suppression in X-Lite
; ("Transmit Silence"=YES)!
; Note that Xlite sends NAT keep-alive packets,
; so qualify=yes is not needed
type=friend
user=229
secret=229
callerid="Sylvia SCHUH mobil" <229>
host=dynamic ; This device needs to register
defaultip=192.168.201.17
;reinvite=no
;canreinvite=no ; Typically set to NO if behind NAT
;disallow=all
allow=all
dtmfmode=rfc2833
context=verwalt
/etc/asterisk/zapata.conf
;
; Zapata telephony interface
;
; Configuration file
[channels]
;
language=de
usecallerid=yes
callwaiting=yes
echocancel=yes
echocancelwhenbridged=yes
;
rxgain=0.0
txgain=0.0
;
;
context=verwalt
;
group=2
;
signalling=fxo_ks
mailbox=211
callerid="Green Phone"<211>
channel => 1
;
signalling=fxo_ks
mailbox=212
callerid="Black Phone"<212>
channel => 2
;
signalling=fxo_ks
mailbox=213
callerid="Yellow Phone"<213>
channel => 3
;
context=in-amt
group=1
signalling=fxs_ks
callerid=asreceived
channel => 4
7.1.3 CUPS
/etc/cups/cupsd.conf:
######## Server Identity
######## Server Options
AccessLog /var/log/cups/access_log
DefaultCharset notused
ErrorLog /var/log/cups/error_log
LogLevel debug2
Printcap /var/run/cups/printcap
RemoteRoot karls
######## Fax Support
######## Encryption Support
######## Filter Options
User lp
Group lp
RunAsUser Yes
## added by me! mario!
######## Network Options
#Port 80
#Port 443
#Port 631
Listen *:631
######## Browsing Options
Browsing On
## windows troubleshooting
#BrowseAddress 192.168.200.255
###BrowseAddress 192.168.201.255
BrowseAddress 255.255.255.255
##windows troublesooting ende
######## Security Options
<Location />
Order Deny,Allow
Deny From None
Allow From All
</Location>
<Location /classes>
Order Deny,Allow
Deny From None
Allow From All
</Location>
<Location /classes/name>
Order Deny,Allow
Deny From None
Allow From All
</Location>
<Location /jobs>
Order Deny,Allow
Deny From None
Allow From All
</Location>
<Location /printers>
Order Deny,Allow
Deny From None
Allow From All
</Location>
<Location /printers/name>
AuthType Basic
AuthClass User
Order Deny,Allow
Deny From None
Allow From All
</Location>
<Location /admin>
AuthType BasicDigest
AuthClass Group
AuthGroupName sys
Order Deny,Allow
Deny From None
/etc/cups/printers.conf
7.1.4 Apache2
/etc/apache2/apache2.conf
ServerRoot "/etc/apache2"
LockFile /var/lock/apache2/accept.lock
PidFile /var/run/apache2.pid
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
<IfModule prefork.c>
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 20
MaxRequestsPerChild 0
</IfModule>
<IfModule worker.c>
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>
<IfModule perchild.c>
NumServers 5
StartThreads 5
MinSpareThreads 5
MaxSpareThreads 10
MaxThreadsPerChild 20
MaxRequestsPerChild 0
AcceptMutex fcntl
</IfModule>
User www-data
Group www-data
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
ErrorLog /var/log/apache2/error.log
## include modules
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf
## include user configuration
Include /etc/apache2/httpd.conf
Include /etc/apache2/ports.conf
Include /etc/apache2/conf.d/[^.#]*
Alias /icons/ "/usr/share/apache2/icons/"
<Directory "/usr/share/apache2/icons">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<IfModule mod_negotiation.c>
<IfModule mod_include.c>
Alias /error/ "/usr/share/apache2/error/"
<Directory "/usr/share/apache2/error">
AllowOverride None
Options IncludesNoExec
AddOutputFilter Includes html
AddHandler type-map var
Order allow,deny
Allow from all
LanguagePriority en es de fr
ForceLanguagePriority Prefer Fallback
</Directory>
ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
ErrorDocument 410 /error/HTTP_GONE.html.var
ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
ErrorDocument 415 /error/HTTP_SERVICE_UNAVAILABLE.html.var
ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
</IfModule>
</IfModule>
DirectoryIndex index.html index.cgi index.pl index.php index.xhtml
AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
UseCanonicalName Off
TypesConfig /etc/mime.types
DefaultType text/plain
HostnameLookups Off
IndexOptions FancyIndexing VersionSort
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
7.1.5 dhcpd
/etc/dhcp3/dhcpd.conf
7.1.6 BIND
/etc/bind/named.conf.local
(There have been no changes made to named.conf.) The “allow-update” directive specifies which hosts are allowed to submit Dynamic DNS updates for master zones. Allowing updates based on the IP address is insecure, but it was necessary here to have the Active Directory servers propagate their services to DNS (maybe you wonder why there are suddenly two AD servers; later on in the phase of migrating the network it will become necessary to replace the Windows 2000 server with a Windows 2003 server called wiggum.sylvia.test with IP 192.168.200.19).
zone "sylvia.test" IN {
type master;
file "/etc/bind/db.sylvia.test";
allow-update { 192.168.200.12; 192.168.200.19; };
};
zone "200.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.200.168.192";
};
zone "201.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.201.168.192";
};
/etc/bind/db.sylvia.test
Dynamic entries you find in here are made for a Windows 2003 server
called wiggum.sylvia.test. Please read notes for named.conf.local above.
$ORIGIN .
$TTL 600 ; 10 minutes
sylvia.test IN SOA marge.sylvia.test. root.marge.sylvia.test. (
2005081961 ; serial
604800 ; refresh (1 week)
86400 ; retry (1 day)
2419200 ; expire (4 weeks)
604800 ; minimum (1 week)
)
NS ns1.sylvia.test.
$TTL 600 ; 10 minutes
A 192.168.200.12
A 192.168.200.19
$ORIGIN sylvia.test.
$TTL 604800 ; 1 week
allnet1 A 192.168.200.130
apu A 192.168.200.33
bart A 192.168.200.1
edv-nb1 A 192.168.200.16
flanders A 192.168.200.36
grandstream1 A 192.168.200.129
homer A 192.168.200.12
lisa A 192.168.200.35
maggie A 192.168.200.8
marge A 192.168.200.5
nelson A 192.168.200.34
ns1 A 192.168.200.5
proxy CNAME marge
sipura A 192.168.200.131
snowball A 192.168.201.1
snowball2 A 192.168.201.17
wiggumold A 192.168.200.19
www CNAME marge
/etc/bind/db.200.168.192.in-addr.arpa
As mentioned in chapter 3: Don’t forget the “.” at the end of each entry.
;
@ IN NS ns1.sylvia.test.
1 IN PTR bart.sylvia.test.
5 IN PTR marge.sylvia.test.
8 IN PTR maggie.sylvia.test.
12 IN PTR homer.sylvia.test.
16 IN PTR edv-nb1.sylvia.test.
19 IN PTR wiggum.sylvia.test.
33 IN PTR apu.sylvia.test.
34 IN PTR nelson.sylvia.test.
35 IN PTR lisa.sylvia.test.
36 IN PTR flanders.sylvia.test.
129 IN PTR grandstream1.sylvia.test.
130 IN PTR allnet1.sylvia.test.
131 IN PTR sipura.sylvia.test.
/etc/resolv.conf
search sylvia.test
nameserver 192.168.200.5
7.1.7 exim4
/etc/exim4/update-exim4.conf
dc_hide_mailname='false'
dc_mailname_in_oh='true'
/etc/mailname
marge6.sylvia.test
/etc/aliases
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
root: elsylo
k.schuh: karls
s.schuh: elsylo
/etc/webalizer.conf
## defining log file and type
LogFile /var/log/squid/access.log
LogType squid
## define where HTML output is stored
OutputDir /var/www/webalizer
## Incremental processing allows multiple partial log files
## to be used instead of one huge one.
Incremental yes
# ReportTitle is the text to display as the title
ReportTitle Wos gsoerft worn is bei
## HostName defines the hostname for the reportand is
## used in title
HostName marge
## The Quiet option suppresses output messages...
Quiet yes
## Debug prints additional information for error messages.
Debug yes
## The "Top" options below define the number of entries
## for each table. Defaults are Sites=30, URL's=30,
## Referrers=30 and Agents=15, and Countries=50. Tables
## may be disabled by using zero (0) for the value.
TopKSites 30
TopKURLs 30
TopUsers 20
# Your own site/referrer/direct-requests should be hidden
HideSite *marge
HideReferrer marge/
HideReferrer Direct Request
# Usually you want to hide these
HideURL *.gif
HideURL *.GIF
HideURL *.jpg
HideURL *.JPG
HideURL *.ra
# Grouping options
GroupURL /cgi-bin/*
## The Ignore* keywords allow you to completely ignore
## log records based on hostname, URL, user agent or
## referrer.
IgnoreSite localhost
IgnoreReferrer localhost
## How much the MangleAgents should mangle user agent names.
## Level 4 adds minor version number
MangleAgents 4
/etc/crontab
Add this line to your crontab in order to analyse the logfile every hour.
0 * * * * root webalizer
7.1.9 squid
/etc/squid/squid.conf
# NETWORK OPTIONS
# --------------------------------------------------------
# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# --------------------------------------------------------
# TAG: hierarchy_stoplist
# A list of words which, if found in a URL,
# cause the object to
# be handled directly by this cache.
# hierarchy_stoplist cgi-bin ?
# TAG: no_cache
# A list of ACL elements which, if matched,
# cause the request to
# not be satisfied from the cache and the reply
# to not be cached.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
# OPTIONS WHICH AFFECT THE CACHE SIZE
# ---------------------------------------------------------
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# ---------------------------------------------------------
# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
# ---------------------------------------------------------
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
# ACCESS CONTROLS
# ----------------------------------------------------------
acl all src 0.0.0.0/0.0.0.0
# our acl
acl allowed_hosts src 192.168.200.0/255.255.255.0
acl allowed_hosts src 192.168.201.0/255.255.255.0
acl allowed_hosts src 192.168.150.0/255.255.255.0
# end our acl
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
#Recommended minimum configuration:
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# our allow rule
http_access allow allowed_hosts
# end of our allow rule
# Example rule allowing access from your local
# networks. Adapt to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# and finally allow by default
http_reply_access allow all
# TAG: icp_access
# Allowing or Denying access to the ICP port
icp_access allow allowed_hosts
icp_access deny all
# ADMINISTRATIVE PARAMETERS
# --------------------------------------------------------
# TAG: visible_hostname
# If you want to present a special hostname in
# error messages,
visible_hostname proxy.sylvia.test
# OPTIONS FOR THE CACHE REGISTRATION SERVICE
# ---------------------------------------------------------
# HTTPD-ACCELERATOR OPTIONS
# ---------------------------------------------------------
# MISCELLANEOUS
# ---------------------------------------------------------
# DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
# ---------------------------------------------------------
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
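The http_access lines above are evaluated top to bottom and the first line whose ACL terms all match decides; if no line matches, Squid applies the opposite of the last line's action. The following small evaluator is an added illustration of that first-match logic (it is not Squid code and not part of the thesis): it encodes the ACLs and rules exactly in the page's order. The definition of allowed_hosts is not shown on this page excerpt, so the two LAN prefixes used for it are an assumption.

```python
from ipaddress import ip_address, ip_network

# ACL table reconstructed from the squid.conf listing above.
# "allowed_hosts" is NOT defined on this page; its prefixes are an assumption.
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "manager": ("proto", ["cache_object"]),
    "localhost": ("src", ["127.0.0.1/32"]),
    "allowed_hosts": ("src", ["192.168.150.0/24", "192.168.200.0/24"]),  # assumption
    "SSL_ports": ("port", [(443, 443), (563, 563), (873, 873)]),
    "Safe_ports": ("port", [(80, 80), (21, 21), (443, 443), (563, 563), (70, 70),
                            (210, 210), (1025, 65535), (280, 280), (488, 488),
                            (591, 591), (777, 777), (631, 631), (873, 873), (901, 901)]),
    "purge": ("method", ["PURGE"]),
    "CONNECT": ("method", ["CONNECT"]),
}

# http_access rules in the page's order: (action, list of ACL terms, "!" negates)
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("allow", ["purge", "localhost"]),
    ("deny", ["purge"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["allowed_hosts"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]


def request(src, port, method="GET", proto="http"):
    """Minimal request record: client address, destination port, method, URL scheme."""
    return {"src": src, "port": port, "method": method, "proto": proto}


def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        return any(ip_address(req["src"]) in ip_network(v) for v in values)
    if kind == "port":
        return any(lo <= req["port"] <= hi for lo, hi in values)
    if kind == "method":
        return req["method"] in values
    if kind == "proto":
        return req["proto"] in values
    raise ValueError("unknown ACL type %s" % kind)


def term_matches(term, req):
    if term.startswith("!"):
        return not acl_matches(term[1:], req)
    return acl_matches(term, req)


def http_access(req):
    """Return (decision, index of the deciding rule) using first-match semantics.
    Terms on one line are ANDed. With no matching line, the default is the
    opposite of the last line's action (index None)."""
    for i, (action, terms) in enumerate(HTTP_ACCESS):
        if all(term_matches(t, req) for t in terms):
            return action, i
    last = HTTP_ACCESS[-1][0]
    return ("deny" if last == "allow" else "allow"), None


if __name__ == "__main__":
    # Constructed sample requests; the CONNECT to 8080 shows why the
    # "deny CONNECT !SSL_ports" line sits before the allow lines.
    for r in (request("192.168.150.10", 80),
              request("192.168.150.10", 8080, "CONNECT"),
              request("10.0.0.5", 80)):
        print(r, "->", http_access(r))
```

Because port 8080 falls inside the Safe_ports range 1025-65535, a CONNECT to it passes the Safe_ports line and is only stopped by the CONNECT/SSL_ports line; moving that line below "allow allowed_hosts" would silently open a tunnel to arbitrary ports for LAN clients.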
7.1.10 arpwatch
/etc/default/arpwatch
# Global options for arpwatch(8).
# Debian: don't report bogons, don't use PROMISC.
ARGS="-N -p"
# Debian: run as 'arpwatch' user. Empty this to run as root.
RUNAS="arpwatch"
/etc/arpwatch.conf
eth0 -m root+eth0
7.1.11 ntpd
/etc/ntp.conf
# /etc/ntp.conf, configuration for ntpd
# ntpd will use syslog() if logfile is not defined
logfile /var/log/ntpd
driftfile /var/lib/ntp/ntp.drift
statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
## server pool to synchronize with
server chime3.ipv6.surfnet.nl
server europe.pool.ntp.org
server 127.127.1.0
fudge 127.127.1.0 stratum 13
# By default, exchange time with everybody, but don't
# allow configuration. See
# /usr/share/doc/ntp-doc/html/accopt.html for details.
restrict default kod notrap nomodify nopeer noquery
# Local users may interrogate the ntp server more closely.
7.1.13 mrtg
/etc/mrtg.conf
</TABLE>
##querying eth1
Target[192.168.200.1_eth1]: \eth1:public@192.168.200.1:
SetEnv[192.168.200.1_eth1]: MRTG_INT_IP="192.168.150.6" MRTG_INT_DESCR="eth1"
MaxBytes[192.168.200.1_eth1]: 12500000
Title[192.168.200.1_eth1]: 192.168.150.6 -- bart
PageTop[192.168.200.1_eth1]: <H1>192.168.150.6 -- bart</H1>
<TABLE>
<TR><TD>System:</TD> <TD>bart in "Schloss Jormannsdorf Lager"</TD></TR>
<TR><TD>Maintainer:</TD> <TD>"Sylvia Schuh"</TD></TR>
<TR><TD>Description:</TD><TD>eth1 </TD></TR>
<TR><TD>ifType:</TD> <TD>ethernetCsmacd (6)</TD></TR>
<TR><TD>ifName:</TD> <TD>Internet</TD></TR>
<TR><TD>Max Speed:</TD> <TD>100.0 Mbits/s</TD></TR>
<TR><TD>Ip:</TD> <TD>192.168.150.6 ()</TD></TR>
</TABLE>
##cpu monitoring (www.linuxhomenetworking.com)
Target[server.cpu]: ssCpuRawUser.0&ssCpuRawUser.0:public@192.168.200.1 + ssCpuRawSystem.0&ssCpuRawSystem.0:public@192.168.200.1 + ssCpuRawNice.0&ssCpuRawNice.0:public@192.168.200.1
Title[server.cpu]: Server CPU Load
PageTop[server.cpu]: <H1>CPU-Load - System, User and Nice Processes </H1>
MaxBytes[server.cpu]: 20
ShortLegend[server.cpu]: %
YLegend[server.cpu]: CPU Utilization
Legend1[server.cpu]: current CPU percentage load
LegendI[server.cpu]: Used
LegendO[server.cpu]:
Options[server.cpu]: growright, nopercent
Unscaled[server.cpu]: ymwd
## memory monitoring total versus available
Target[server.memory]: memAvailReal.0&memTotalReal.0:public@192.168.200.1
MaxBytes[server.newconns]: 1000000000
ShortLegend[server.newconns]: c/s
YLegend[server.newconns]: Conns / Min
LegendI[server.newconns]: In
LegendO[server.newconns]: Out
Legend1[server.newconns]: New inbound connections
Legend2[server.newconns]: New outbound connections
Options[server.newconns]: growright,nopercent,perminute
## Established TCP Connections
Target[server.estabcons]: tcpCurrEstab.0&tcpCurrEstab.0:public@192.168.200.1
Title[server.estabcons]: Currently Established TCP Connections
PageTop[server.estabcons]: <H1> Established TCP Connections </H1>
MaxBytes[server.estabcons]: 10000000000
ShortLegend[server.estabcons]:
YLegend[server.estabcons]: Connections
LegendI[server.estabcons]: In
LegendO[server.estabcons]:
Legend1[server.estabcons]: Established connections
Legend2[server.estabcons]:
Options[server.estabcons]: growright,nopercent,gauge
## Disk usage monitoring
## Note: in order for dskPercent.1 and dskPercent.2
## to work you need the "disk" entries (e.g. "disk /var/")
## in /etc/snmpd.conf; the order in that file
## defines which disk is accessed by *.1 and *.2
Target[server.disk]: dskPercent.1&dskPercent.2:public@192.168.200.1
Title[server.disk]: Disk Partition Usage
PageTop[server.disk]: <H1> Disk Partition Usage /home and /var </H1>
MaxBytes[server.disk]: 100
ShortLegend[server.disk]: %
YLegend[server.disk]: Utilization
LegendI[server.disk]: /home
LegendO[server.disk]: /var
Options[server.disk]: gauge,growright,nopercent
Unscaled[server.disk]: ymwd
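The targets above mix two kinds of SNMP objects: monotonically increasing counters (ssCpuRaw*, tcp connection counters), from which MRTG derives a rate between two polls, and gauges (tcpCurrEstab, dskPercent) that are taken as-is because of the "gauge" option. The "+" in the CPU target adds the rates of several OIDs, "perminute" scales the rate, and a value above MaxBytes is discarded as bogus. The following is an added illustration of those rules, written for this page and not MRTG's own code; the sample readings are constructed.

```python
def counter_rate(prev, cur, interval_s, counter_bits=32):
    """Per-second rate from two successive counter readings, allowing for a
    single wrap of a 32-bit (or, with counter_bits=64, a 64-bit) counter."""
    delta = cur - prev
    if delta < 0:                 # counter wrapped between the two polls
        delta += 1 << counter_bits
    return delta / interval_s


def target_value(samples, interval_s=300, gauge=False, perminute=False):
    """samples: list of (prev, cur) pairs, one per OID joined with '+' in a
    Target line (e.g. ssCpuRawUser + ssCpuRawSystem + ssCpuRawNice).
    gauge=True reports the latest raw readings instead of a rate, as the
    'gauge' option does for tcpCurrEstab and dskPercent."""
    if gauge:
        return sum(cur for _, cur in samples)
    rate = sum(counter_rate(p, c, interval_s) for p, c in samples)
    return rate * 60 if perminute else rate


def accept(value, max_bytes):
    """MRTG ignores a reading larger than MaxBytes (unless AbsMax raises the
    limit); None marks a discarded sample."""
    return value if value <= max_bytes else None


if __name__ == "__main__":
    # Constructed 5-minute polls: three CPU counters, one of which wrapped.
    cpu = [(1000, 1300), ((1 << 32) - 100, 200), (0, 900)]
    print("cpu ticks/s:", target_value(cpu))                 # 1 + 1 + 3 ticks/s
    print("new conns/min:", target_value([(0, 300)], perminute=True))
    print("established:", target_value([(0, 37)], gauge=True))
    print("disk 150% rejected:", accept(150, 100))
```

The wrap handling matters for fast interfaces: a 32-bit octet counter on a 100 Mbit/s link can wrap in well under the 5-minute polling interval, which is why 64-bit counters (ifHCInOctets) are preferred where the agent supports them.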
7.1.14 SmokePing
/etc/smokeping/config
################################################
# DON'T TOUCH UNLESS YOU KNOW WHAT YOU'RE DOING
# BETWEEN THESE MARKS!
################################################
sendmail = /usr/lib/sendmail
imgcache = /var/www/smokeping
imgurl = ../smokeping
datadir = /var/lib/smokeping
piddir = /var/run/smokeping
smokemail = /etc/smokeping/smokemail
################################################
# END OF DON'T TOUCH SECTION
################################################
owner = sylle
contact = elsylo@sylvia.test
cgiurl = http://marge/cgi-bin/smokeping.cgi
mailhost = marge.sylvia.test
syslogfacility = local0
## not all probes at the same time
offset=random
*** Alerts ***
to = elslyo@sylvia.test
from = smokealert@sylvia.test
+bigloss
type = loss
# in percent
pattern = ==0%,==0%,==0%,==0%,>0%,>0%,>0%
comment = suddenly there is packet loss
+someloss
type = loss
# in percent
pattern = >0%,*12*,>0%,*12*,>0%
comment = loss 3 times in a row
+startloss
type = loss
# in percent
pattern = ==S,>0%,>0%,>0%
comment = loss at startup
+rttdetect
type = rtt
# in milli seconds
pattern = <10,<10,<10,<10,<10,<100,>100,>100,>100
comment = routing messed up again?
*** Database ***
step = 300
pings = 20
# consfn mrhb steps total
AVERAGE 0.5 1 1008
AVERAGE 0.5 12 4320
MIN 0.5 12 4320
MAX 0.5 12 4320
AVERAGE 0.5 144 720
MAX 0.5 144 720
MIN 0.5 144 720
*** Presentation ***
template = /etc/smokeping/basepage.html
+ overview
width = 600
height = 50
range = 10h
+ detail
width = 600
height = 200
unison_tolerance = 2
"Last 3 Hours" 3h
"Last 30 Hours" 30h
"Last 10 Days" 10d
In this section you will find configuration files related to the use of IPv6.
Please also see the chapter "Migration to IPv6", since it discusses many
configuration file details in the running text.
7.2.1 Apache
/etc/apache2/sites-available/www6
NameVirtualHost *
<VirtualHost *>
ServerName www6.schuh-tv.at
ServerAdmin k.schuh@schuh-tv.at
DocumentRoot /var/www6/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www6/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
# This directive allows us to have apache2's
# default start page in /apache2-default/,
# but still have / go to the right place
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/error.log
7.2.2 Smokeping
/etc/smokeping/configv6
*** General ***
################################################
# DON'T TOUCH UNLESS YOU KNOW WHAT YOU'RE DOING
# BETWEEN THESE MARKS!
################################################
sendmail = /usr/lib/sendmail
imgcache = /var/www/smokeping
imgurl = ../smokeping
datadir = /var/lib/smokeping
pings = 20
# consfn mrhb steps total
AVERAGE 0.5 1 1008
AVERAGE 0.5 12 4320
MIN 0.5 12 4320
MAX 0.5 12 4320
AVERAGE 0.5 144 720
MAX 0.5 144 720
MIN 0.5 144 720
*** Presentation ***
template = /etc/smokeping/basepage.html
+ overview
width = 600
height = 50
range = 10h
+ detail
width = 600
height = 200
unison_tolerance = 2
"Last 3 Hours" 3h
"Last 30 Hours" 30h
"Last 10 Days" 10d
"Last 400 Days" 400d
*** Probes ***
+ FPing6
binary = /usr/sbin/fping6
*** Targets ***
probe = FPing6
menu = Top
title = Network Latency Grapher
remark = Welcome to the SmokePing website of 'A poorly \
maintained site running Debian.'
+ World
menu = World
title = Worldwide Connectivity
# my part
++ Europe
menu = Europe
++ apu6
menu = apu6
title = apu6 W2k
host = apu6.sylvia.test
++ nelson6
menu = nelson6
title = nelson6 WXP
host = nelson6.sylvia.test
++ lisa6
menu = lisa6
title = lisa6 suse
host = lisa6.sylvia.test
++ snowball26
menu = snowball26
title = snowball26 WXP
host = snowball26.sylvia.test
++ wiggum6
menu = wiggum6
title = wiggum6 W2k3
host = wiggumold.sylvia.test
++ flanders6
menu = flanders6
title = flanders6 W2k3
host = flanders6.sylvia.test
Note: I did not modify the "World" part very carefully. Surely you could
leave out some things here or modify them.
7.2.3 mrtg
/etc/mrtgbart6.cfg
WorkDir: /var/www/mrtg
LoadMIBs: /usr/share/snmp/mibs/UCD-SNMP-MIB.txt,/usr/share/snmp/mibs/TCP-MIB.txt
# or for NT
# WorkDir: c:\mrtgdata
-j ACCEPT
done
$IPTABLES6 -A INPUT -p icmpv6 -j ACCEPT
$IPTABLES6 -A OUTPUT -p icmpv6 -j ACCEPT
$IPTABLES6 -A FORWARD -p icmpv6 -j ACCEPT
$IPTABLES6 -A FORWARD -p tcp --dport 80 -j ACCEPT
$IPTABLES6 -A FORWARD -p tcp --sport 80 -j ACCEPT
$IPTABLES6 -A INPUT -j drop-and-log
$IPTABLES6 -A OUTPUT -j drop-and-log
$IPTABLES6 -A FORWARD -j drop-and-log
ip -6 route add 2000::/3 via 2001:6f8:900:587::1
;;
show)
echo "Firewall IPv6 EF: "
$IPTABLES6 -L -nv
;;
*)
echo "Usage: $0 {flush|start|reload|show}"
exit 1
;;
esac
echo "... Fertig"
exit 0