Finalize version 0.49

This commit is contained in:
pbldp 2005-10-11 06:05:40 +00:00
parent c2a993fb92
commit 0d072522ba
4 changed files with 121 additions and 121 deletions

View File

@ -51,8 +51,8 @@ Bieringer
<revhistory>
\layout SGML
<revision> <revnumber> 0.49work-in-progress.de.1</revnumber> <date>2005-10-03</date
> <authorinitials>PB</authorinitials> <revremark>Details siehe
<revision> <revnumber> 0.49.de.1</revnumber> <date>2005-10-03</date> <authorinitial
s>PB</authorinitials> <revremark>Details siehe
\begin_inset LatexCommand \ref[revision history]{revision-history}
\end_inset

View File

@ -29,7 +29,7 @@ Bieringer
<revhistory>
<revision> <revnumber> 0.49work-in-progress.de.1</revnumber> <date>2005-10-03</date> <authorinitials>PB</authorinitials> <revremark>Details siehe <link linkend="revision-history">revision history</link></revremark></revision>
<revision> <revnumber> 0.49.de.1</revnumber> <date>2005-10-03</date> <authorinitials>PB</authorinitials> <revremark>Details siehe <link linkend="revision-history">revision history</link></revremark></revision>
<revision> <revnumber> 0.48.de.1</revnumber> <date>2005-01-11</date> <authorinitials>PB</authorinitials> <revremark>Details siehe <link linkend="revision-history">revision history</link></revremark></revision>
@ -57,7 +57,7 @@ Das Ziel des Linux IPv6 HOWTO ist die Beantwortung von Basis- und Experten-Frage
Allgemein
</title>
<remark>
CVS-ID: &dollar;Id: Linux+IPv6-HOWTO.de.lyx,v 1.42 2005/10/03 19:22:03 pbldp Exp &dollar;
CVS-ID: &dollar;Id: Linux+IPv6-HOWTO.de.lyx,v 1.43 2005/10/03 19:42:15 pbldp Exp &dollar;
</remark>
<para>
Informationen über verfügbare Übersetzungen finden Sie im Abschnitt <link linkend="general-translations">Übersetzungen</link>.

View File

@ -51,8 +51,8 @@ Bieringer
<revhistory>
\layout SGML
<revision> <revnumber>Release 0.49work-in-progress</revnumber> <date>2005-10-03</
date> <authorinitials>PB</authorinitials> <revremark>See
<revision> <revnumber>Release 0.49</revnumber> <date>2005-10-03</date> <authorini
tials>PB</authorinitials> <revremark>See
\begin_inset LatexCommand \ref[revision history]{revision-history}
\end_inset

View File

@ -29,7 +29,7 @@ Bieringer
<revhistory>
<revision> <revnumber>Release 0.49work-in-progress</revnumber> <date>2005-10-03</date> <authorinitials>PB</authorinitials> <revremark>See <link linkend="revision-history">revision history</link> for more</revremark></revision>
<revision> <revnumber>Release 0.49</revnumber> <date>2005-10-03</date> <authorinitials>PB</authorinitials> <revremark>See <link linkend="revision-history">revision history</link> for more</revremark></revision>
<revision> <revnumber>Release 0.48.1</revnumber> <date>2005-01-15</date> <authorinitials>PB</authorinitials> <revremark>See <link linkend="revision-history">revision history</link> for more</revremark></revision>
@ -69,7 +69,7 @@ The goal of the Linux IPv6 HOWTO is to answer both basic and advanced questions
General
</title>
<remark>
CVS-ID: &dollar;Id: Linux+IPv6-HOWTO.lyx,v 1.103 2005/10/03 19:22:03 pbldp Exp &dollar;
CVS-ID: &dollar;Id: Linux+IPv6-HOWTO.lyx,v 1.104 2005/10/03 19:42:15 pbldp Exp &dollar;
</remark>
<para>
Information about available translations you will find in section <link linkend="general-translations">Translations</link>.
@ -130,7 +130,7 @@ Internet/IPv6 history of the author
<itemizedlist>
<listitem>
<para>
1993: I got in contact with the Internet using console based e-mail and news client (e.g. look for &quot;e91abier&quot; on <ulink url="http://groups.google.com/">groups.google.com</ulink>, that's me).
1993: I got in contact with the Internet using console based e-mail and news client (e.g. look for &ldquo;e91abier&rdquo; on <ulink url="http://groups.google.com/">groups.google.com</ulink>, that's me).
</para>
</listitem>
@ -181,7 +181,7 @@ He's currently living in Munich &lsqb;northern part of Schwabing&rsqb; / Bavaria
Category
</title>
<para>
This HOWTO should be listed in category &quot;<emphasis>Networking</emphasis>/<emphasis>Protocols</emphasis>&quot;.
This HOWTO should be listed in category &ldquo;<emphasis>Networking</emphasis>/<emphasis>Protocols</emphasis>&rdquo;.
</para>
</sect1>
@ -423,7 +423,7 @@ This HOWTO is currently written with LyX version 1.2.0 on a Red Hat Linux 7.3 sy
Code line wrapping
</title>
<para>
Code line wrapping is done using selfmade utility &quot;lyxcodelinewrapper.pl&quot;, you can get it from CVS for your own usage: <ulink url="http://cvsview.tldp.org/index.cgi/LDP/users/Peter-Bieringer/">TLDP-CVS / users / Peter-Bieringer</ulink>
Code line wrapping is done using selfmade utility &ldquo;lyxcodelinewrapper.pl&rdquo;, you can get it from CVS for your own usage: <ulink url="http://cvsview.tldp.org/index.cgi/LDP/users/Peter-Bieringer/">TLDP-CVS / users / Peter-Bieringer</ulink>
</para>
</sect3>
@ -441,13 +441,13 @@ Also some fixes are have to be made to create proper SGML code (see also here fo
<itemizedlist>
<listitem>
<para>
Export of LyX table does not create proper &quot;colspan&quot; tags - tool for fixing: &quot;sgmllyxtabletagfix.pl&quot; (fixed since LyX 1.2.0)
Export of LyX table does not create proper &ldquo;colspan&rdquo; tags - tool for fixing: &ldquo;sgmllyxtabletagfix.pl&rdquo; (fixed since LyX 1.2.0)
</para>
</listitem>
<listitem>
<para>
LyX sometimes uses special left/right entities for quotes instead the normal one, which will still exist in generated HTML. Some browsers don't parse this very well (known: Opera 6 TP 2 or Konqueror) - tool for fixing: &quot;sgmllyxquotefix.pl&quot;
LyX sometimes uses special left/right entities for quotes instead the normal one, which will still exist in generated HTML. Some browsers don't parse this very well (known: Opera 6 TP 2 or Konqueror) - tool for fixing: &ldquo;sgmllyxquotefix.pl&rdquo;
</para>
</listitem>
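Review bot: The second list item in this hunk says that left/right quote entities survive into the generated HTML and that some browsers (Opera 6 TP 2, Konqueror) do not parse them well, yet the change replaces `&quot;` with `&ldquo;`/`&rdquo;` in this very paragraph, including around the name of the tool meant to fix them, `sgmllyxquotefix.pl`. If this file is supposed to be the output after that tool has run, these lines should keep `&quot;`; if the conversion is intended, the paragraph needs updating, and a file-wide quote change would be easier to review as its own commit than under "Finalize version 0.49".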
@ -514,7 +514,7 @@ Linux IPv6 FAQ/HOWTO (outdated)
The first IPv6 related document was written by <emphasis>Eric Osborne</emphasis> and called <ulink url="http://www.linuxhq.com/IPv6/">Linux IPv6 FAQ/HOWTO</ulink> (please use it only for historical issues). Latest version was 3.2.1 released July, 14 1997.
</para>
<para>
Please help: if someone knows the date of birth of this HOWTO, please send me an e-mail (information will be needed in &quot;history&quot;).
Please help: if someone knows the date of birth of this HOWTO, please send me an e-mail (information will be needed in &ldquo;history&rdquo;).
</para>
</sect3>
@ -524,7 +524,7 @@ Please help: if someone knows the date of birth of this HOWTO, please send me an
IPv6 &amp; Linux - HowTo (maintained)
</title>
<remark>
This HOWTO is really named &quot;HowTo&quot;
This HOWTO is really named &ldquo;HowTo&rdquo;
</remark>
<para>
There exists a second version called <ulink url="http://www.bieringer.de/linux/IPv6/">IPv6 & Linux - HowTo</ulink> written by me (<emphasis>Peter Bieringer</emphasis>) in pure HTML. It was born April 1997 and the first English version was published in June 1997. I will continue to maintain it, but it will slowly fade (but not full) in favour of the Linux IPv6 HOWTO you are currently reading.
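Review bot: The context line after the changed `<remark>` carries a bare ampersand in the link text, `IPv6 & Linux - HowTo`, while the section title in the same hunk escapes it as `IPv6 &amp; Linux - HowTo`. Since this section is being touched anyway, escape it here too so the two spellings match and stricter parsers accept the file.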
@ -632,7 +632,7 @@ Host
<varlistentry>
<term>
Interface
</term><listitem><para>Mostly same as &quot;device&quot;, see also NIC
</term><listitem><para>Mostly same as &ldquo;device&rdquo;, see also NIC
</para>
</listitem>
@ -668,7 +668,7 @@ Node
<varlistentry>
<term>
Octet
</term><listitem><para>A collection of 8 real bits, today also similar to &quot;byte&quot;.
</term><listitem><para>A collection of 8 real bits, today also similar to &ldquo;byte&rdquo;.
</para>
</listitem>
@ -860,7 +860,7 @@ Document related
Long code line wrapping signal char
</title>
<para>
The special character &quot;¬&quot; is used for signaling that this code line is wrapped for better viewing in PDF and PS files.
The special character &ldquo;¬&rdquo; is used for signaling that this code line is wrapped for better viewing in PDF and PS files.
</para>
</sect3>
@ -1092,7 +1092,7 @@ As previously mentioned, IPv6 addresses are 128 bits long. This number of bits g
]]>
</programlisting>
<para>
Such numbers are not really addresses that can be memorized. Also the IPv6 address schema is bitwise orientated (just like IPv4, but that's not often recognized). Therefore a better notation of such big numbers is hexadecimal. In hexadecimal, 4 bits (also known as &quot;nibble&quot;) are represented by a digit or character from 0-9 and a-f (10-15). This format reduces the length of the IPv6 address to 32 characters.
Such numbers are not really addresses that can be memorized. Also the IPv6 address schema is bitwise orientated (just like IPv4, but that's not often recognized). Therefore a better notation of such big numbers is hexadecimal. In hexadecimal, 4 bits (also known as &ldquo;nibble&rdquo;) are represented by a digit or character from 0-9 and a-f (10-15). This format reduces the length of the IPv6 address to 32 characters.
</para>
<programlisting>
<![CDATA[2^128-1: 0xffffffffffffffffffffffffffffffff
@ -1121,7 +1121,7 @@ For simplifications, leading zeros of each 16 bit block can be omitted:
]]>
</programlisting>
<para>
One sequence of 16 bit blocks containing only zeroes can be replaced with &quot;::&quot;. But not more than one at a time, otherwise it is no longer a unique representation.
One sequence of 16 bit blocks containing only zeroes can be replaced with &ldquo;::&ldquo;. But not more than one at a time, otherwise it is no longer a unique representation.
</para>
<programlisting>
<![CDATA[3ffe:ffff:100:f101:0:0:0:1 -> 3ffe:ffff:100:f101::1
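Review bot: The changed line closes the quotation with the opening entity: `&ldquo;::&ldquo;` should be `&ldquo;::&rdquo;`. Because the quoted string is the literal `::` token of the address syntax, `<literal>::</literal>` would avoid placing quote glyphs next to it at all.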
@ -1194,7 +1194,7 @@ During the design of IPv4, people thought that 32 bits were enough for the world
So designers have chosen 128 bits, 4 times more in length and 2^96 greater in size than in IPv4 today.
</para>
<para>
The usable size is smaller than it may appear however. This is because in the currently defined address schema, 64 bits are used for interface identifiers. The other 64 bits are used for routing. Assuming the current strict levels of aggregation (/48, /32, ...), it is still possible to &quot;run out&quot; of space, but hopefully not in the near future.
The usable size is smaller than it may appear however. This is because in the currently defined address schema, 64 bits are used for interface identifiers. The other 64 bits are used for routing. Assuming the current strict levels of aggregation (/48, /32, ...), it is still possible to &ldquo;run out&rdquo; of space, but hopefully not in the near future.
</para>
<para>
See also for more information <ulink url="http://www.faqs.org/rfcs/rfc1715.html">RFC 1715 / The H Ratio for Address Assignment Efficiency</ulink> and <ulink url="http://www.faqs.org/rfcs/rfc3194.html">RFC 3194 / The Host-Density Ratio for Address Assignment Efficiency</ulink>.
@ -1243,7 +1243,7 @@ Addresses without a special prefix
Localhost address
</title>
<para>
This is a special address for the loopback interface, similiar to IPv4 with its &quot;127.0.0.1&quot;. With IPv6, the localhost address is:
This is a special address for the loopback interface, similiar to IPv4 with its &ldquo;127.0.0.1&rdquo;. With IPv6, the localhost address is:
</para>
<programlisting>
<![CDATA[0000:0000:0000:0000:0000:0000:0000:0001
@ -1267,7 +1267,7 @@ Packets with this address as source or destination should never leave the sendin
Unspecified address
</title>
<para>
This is a special address like &quot;any&quot; or &quot;0.0.0.0&quot; in IPv4 . For IPv6 it's:
This is a special address like &ldquo;any&rdquo; or &ldquo;0.0.0.0&rdquo; in IPv4 . For IPv6 it's:
</para>
<programlisting>
<![CDATA[0000:0000:0000:0000:0000:0000:0000:0000
@ -1387,7 +1387,7 @@ anyone here with a special address (e.g. looking for a router)?
</itemizedlist>
<para>
They begin with ( where <emphasis>&quot;x&quot;</emphasis> is any hex character, normally <emphasis>&quot;0</emphasis>&quot;)
They begin with ( where <emphasis>&ldquo;x&rdquo;</emphasis> is any hex character, normally <emphasis>&ldquo;0</emphasis>&rdquo;)
</para>
<programlisting>
<![CDATA[fe8]]><emphasis><![CDATA[x: <- currently the only one in use.]]></emphasis><![CDATA[
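Review bot: The replacement keeps the unbalanced nesting in `<emphasis>&ldquo;0</emphasis>&rdquo;`: the opening quote sits inside the emphasis and the closing quote outside it, whereas the `x` case on the same line has both inside. With directional quotes this mismatch shows up in rendering, so move `&rdquo;` in front of `</emphasis>`. The same pattern appears in the changed line of the following hunk.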
@ -1424,7 +1424,7 @@ It begins with:
]]>
</programlisting>
<para>
(where<emphasis> &quot;x&quot;</emphasis> is any hex character, normally <emphasis>&quot;0</emphasis>&quot;)
(where<emphasis> &ldquo;x&rdquo;</emphasis> is any hex character, normally <emphasis>&ldquo;0</emphasis>&rdquo;)
</para>
<para>
Note that there are discussions going on in deprecating this kind of addresses because there are several issues. Read the current draft for more: <ulink url="http://www.ietf.org/internet-drafts/">draft-ietf-ipv6-deprecate-site-local-XY.txt</ulink>.
@ -1451,7 +1451,7 @@ It begins with (<emphasis>x</emphasis> are hex characters)
]]>
</programlisting>
<para>
Note: the prefix &quot;aggregatable&quot; is thrown away in current drafts.
Note: the prefix &ldquo;aggregatable&rdquo; is thrown away in current drafts.
There are some further subtypes defined, see below:
</para>
<sect3>
@ -1668,7 +1668,7 @@ An example of this address looks like
]]>
</programlisting>
<para>
Used prefix shows that this is a link-local multicast address. The suffix is generated from the destination address. In this example, a packet should be sent to address &quot;fe80::1234&quot;, but the network stack doesn't know the current layer 2 MAC address. It replaces the upper 104 bits with &quot;ff02:0:0:0:0:1:ff00::/104&quot; and leaves the lower 24 bits untouched. This address is now used `on-link' to find the corresponding node which has to send a reply containing its layer 2 MAC address.
Used prefix shows that this is a link-local multicast address. The suffix is generated from the destination address. In this example, a packet should be sent to address &ldquo;fe80::1234&rdquo;, but the network stack doesn't know the current layer 2 MAC address. It replaces the upper 104 bits with &ldquo;ff02:0:0:0:0:1:ff00::/104&rdquo; and leaves the lower 24 bits untouched. This address is now used `on-link' to find the corresponding node which has to send a reply containing its layer 2 MAC address.
</para>
</sect3>
@ -1782,7 +1782,7 @@ For servers it's probably easier to remember simpler addresses, this can also be
]]>
</programlisting>
<para>
For manual suffixes like &quot;::1&quot; shown in the above example it's required that the 7th most significant bit is set to 0 (the universal/local bit of the automatically generated identifier). Also some other (otherwise unchosen ) bit combinations are reserved for anycast addresses, too.
For manual suffixes like &ldquo;::1&rdquo; shown in the above example it's required that the 7th most significant bit is set to 0 (the universal/local bit of the automatically generated identifier). Also some other (otherwise unchosen ) bit combinations are reserved for anycast addresses, too.
</para>
</sect2>
@ -1795,7 +1795,7 @@ For manual suffixes like &quot;::1&quot; shown in the above example it's require
Prefix lengths for routing
</title>
<para>
In the early design phase it was planned to use a fully hierarchical routing approach to reduce the size of the routing tables maximally. The reasoning behind this approach were the number of current IPv4 routing entries in core routers (&gt; 104 thousand in May 2001), reducing the need of memory in hardware routers (ASIC &quot;Application Specified Integrated Circuit&quot; driven) to hold the routing table and increase speed (fewer entries hopefully result in faster lookups).
In the early design phase it was planned to use a fully hierarchical routing approach to reduce the size of the routing tables maximally. The reasoning behind this approach were the number of current IPv4 routing entries in core routers (&gt; 104 thousand in May 2001), reducing the need of memory in hardware routers (ASIC &ldquo;Application Specified Integrated Circuit&rdquo; driven) to hold the routing table and increase speed (fewer entries hopefully result in faster lookups).
</para>
<para>
Todays view is that routing will be mostly hierarchically designed for networks with only one service provider. With more than one ISP connections, this is not possible, and subject to an issue named multi-homing (infos on multi-homing: <ulink url="http://www.ietf.org/internet-drafts/">drafts*multi6*</ulink>,<ulink url="http://arneill-py.sacramento.ca.us/ipv6mh/">IPv6 Multihoming Solutions</ulink>).
@ -2051,7 +2051,7 @@ A major issue is that because of the network layer structure of kernel implement
</para>
<sect3>
<title>
Currently known never &quot;IPv6 capable links&quot;
Currently known never &ldquo;IPv6 capable links&rdquo;
</title>
<itemizedlist>
<listitem>
@ -2079,7 +2079,7 @@ ISDN with encapsulation <emphasis>rawip</emphasis>, device names: isdnX
<sect3>
<title>
Currently known &quot;not supported IPv6 capable links&quot;
Currently known &ldquo;not supported IPv6 capable links&rdquo;
</title>
<itemizedlist>
<listitem>
@ -2369,19 +2369,19 @@ Also some command line options are very useful to catch and print more informati
<itemizedlist>
<listitem>
<para>
&quot;-s 512&quot;: increase the snap length during capturing of a packet to 512 bytes
&ldquo;-s 512&rdquo;: increase the snap length during capturing of a packet to 512 bytes
</para>
</listitem>
<listitem>
<para>
&quot;-vv&quot;: really verbose output
&ldquo;-vv&rdquo;: really verbose output
</para>
</listitem>
<listitem>
<para>
&quot;-n&quot;: don't resolve addresses to names, useful if reverse DNS resolving isn't working proper
&ldquo;-n&rdquo;: don't resolve addresses to names, useful if reverse DNS resolving isn't working proper
</para>
</listitem>
@ -2499,7 +2499,7 @@ IPv6-ready telnet clients are available. A simple test can be done with
]]>
</programlisting>
<para>
If the telnet client don't understand the IPv6 address and says something like &quot;cannot resolve hostname&quot;, then it's not IPv6-enabled.
If the telnet client don't understand the IPv6 address and says something like &ldquo;cannot resolve hostname&rdquo;, then it's not IPv6-enabled.
</para>
</sect2>
@ -2537,7 +2537,7 @@ Current versions of openssh are IPv6-ready. Depending on configuring before comp
]]>
</programlisting>
<para>
If your ssh client doesn't understand the option &quot;-6&quot; then it's not IPv6-enabled, like most ssh version 1 packages.
If your ssh client doesn't understand the option &ldquo;-6&rdquo; then it's not IPv6-enabled, like most ssh version 1 packages.
</para>
</sect3>
@ -2631,7 +2631,7 @@ Error message: &quot;<emphasis>connect: Invalid argument</emphasis>&quot;
Kernel doesn't know, which physical or virtual link you want to use to send such ICMPv6 packets. Therefore it displays this error message.
</para>
<para>
Solution: Specify interface like: &quot;ping6 -I eth0 fe80::2e0:18ff:fe90:9205&quot;, see also <link linkend="program-ping6">program ping6 usage</link>.
Solution: Specify interface like: &ldquo;ping6 -I eth0 fe80::2e0:18ff:fe90:9205&rdquo;, see also <link linkend="program-ping6">program ping6 usage</link>.
</para>
</sect3>
@ -2641,13 +2641,13 @@ Solution: Specify interface like: &quot;ping6 -I eth0 fe80::2e0:18ff:fe90:9205&q
Q: Cannot ping6 or traceroute6 as normal user
</title>
<para>
Error message: &quot;<emphasis>icmp socket: Operation not permitted</emphasis>&quot;
Error message: &ldquo;<emphasis>icmp socket: Operation not permitted</emphasis>&rdquo;
</para>
<para>
These utilities create special ICMPv6 packets and send them out. This is done by using raw sockets in the kernel. But raw sockets can only be used by the &quot;root&quot; user. Therefore normal users get such error message.
These utilities create special ICMPv6 packets and send them out. This is done by using raw sockets in the kernel. But raw sockets can only be used by the &ldquo;root&rdquo; user. Therefore normal users get such error message.
</para>
<para>
Solution: If it's really needed that all users should be able to use these utilities, you can add the &quot;suid&quot; bit using &quot;chmod u+s /path/to/program&quot;, see also <link linkend="program-ping6">program ping6 usage</link>. If not all users should be able to, you can change the group of the program to e.g. &quot;wheel&quot;, add these power users to this group and remove the execution bit for other users using &quot;chmod o-rwx /path/to/program&quot;. Or configure &quot;sudo&quot; to enable your security policy.
Solution: If it's really needed that all users should be able to use these utilities, you can add the &ldquo;suid&rdquo; bit using &rdquo;chmod u+s /path/to/program&rdquo;, see also <link linkend="program-ping6">program ping6 usage</link>. If not all users should be able to, you can change the group of the program to e.g. &ldquo;wheel&rdquo;, add these power users to this group and remove the execution bit for other users using &ldquo;chmod o-rwx /path/to/program&rdquo;. Or configure &ldquo;sudo&rdquo; to enable your security policy.
</para>
</sect3>
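Review bot: In the "Solution" paragraph the first command opens with the closing entity: `&rdquo;chmod u+s /path/to/program&rdquo;` should begin with `&ldquo;`. This paragraph also gives permission-changing commands that readers will copy (`chmod u+s`, `chmod o-rwx`), and typographic quotes around them make it easy to paste a quote glyph into a shell; `<command>` markup would be safer here than either quote style.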
@ -2762,7 +2762,7 @@ Like mentioned earlier, this interfaces don't support IPv6 transport (sending is
Ether-tap device
</title>
<para>
Ether-tap devices are IPv6-enabled and also stateless configured. For use, the module &quot;ethertap&quot; has to be loaded before.
Ether-tap devices are IPv6-enabled and also stateless configured. For use, the module &ldquo;ethertap&rdquo; has to be loaded before.
</para>
</sect3>
@ -3260,7 +3260,7 @@ Example:
]]>
</programlisting>
<para>
Metric &quot;1&quot; is used here to be compatible with the metric used by route, because the default metric on using &quot;ip&quot; is &quot;1024&quot;.
Metric &ldquo;1&rdquo; is used here to be compatible with the metric used by route, because the default metric on using &ldquo;ip&rdquo; is &ldquo;1024&rdquo;.
</para>
</sect2>
@ -3360,7 +3360,7 @@ There are some issues in current Linux kernels:
Clients (not routing any packet!)
</title>
<para>
Client can setup a default route like prefix &quot;::/0&quot;, they also learn such route on autoconfiguration e.g. using radvd on the link like following example shows:
Client can setup a default route like prefix &ldquo;::/0&rdquo;, they also learn such route on autoconfiguration e.g. using radvd on the link like following example shows:
</para>
<programlisting>
<![CDATA[# ip -6 route show | grep ^default
@ -3379,7 +3379,7 @@ Routers in case of packet forwarding
Current mainstream Linux kernel (at least &lt;= 2.4.17) don't support default routes. You can set them up, but the route lookup fails when a packet should be forwarded (normal intention of a router).
</para>
<para>
Therefore at this time &quot;default routing&quot; can be setup using the currently only global address prefix &quot;2000::/3&quot;.
Therefore at this time &ldquo;default routing&rdquo; can be setup using the currently only global address prefix &ldquo;2000::/3&rdquo;.
</para>
<para>
The USAGI project already supports this in their extension with a hack.
@ -3404,11 +3404,11 @@ Note: take care about default routing without address filtering on edge routers.
Neighbor Discovery
</title>
<para>
Neighbor discovery was the IPv6 successor for the ARP (Address Resolution Protocol) in IPv4. You can retrieve information about the current neighbors, in addition you can set and delete entries. The kernel keeps tracking of successful neighbor detection (like ARP in IPv4). You can dig into the learnt table using &quot;ip&quot;.
Neighbor discovery was the IPv6 successor for the ARP (Address Resolution Protocol) in IPv4. You can retrieve information about the current neighbors, in addition you can set and delete entries. The kernel keeps tracking of successful neighbor detection (like ARP in IPv4). You can dig into the learnt table using &ldquo;ip&rdquo;.
</para>
<sect1>
<title>
Displaying neighbors using &quot;ip&quot;
Displaying neighbors using &ldquo;ip&rdquo;
</title>
<para>
With following command you can display the learnt or configured IPv6 neighbors
@ -3430,7 +3430,7 @@ The following example shows one neighbor, which is a reachable router
<sect1>
<title>
Manipulating neighbors table using &quot;ip&quot;
Manipulating neighbors table using &ldquo;ip&rdquo;
</title>
<sect2>
<title>
@ -3479,7 +3479,7 @@ Example:
More advanced settings
</title>
<para>
The tool &quot;ip&quot; is less documentated, but very strong. See online &quot;help&quot; for more:
The tool &ldquo;ip&rdquo; is less documentated, but very strong. See online &ldquo;help&rdquo; for more:
</para>
<programlisting>
<![CDATA[# ip -6 neigh help
@ -3585,7 +3585,7 @@ The 6to4 address is defined like following (schema is taken from <ulink url="htt
FP and TLA together (16 bits) have the value 0x2002. V4ADDR is the node's global unique IPv4 address (in hexadecimal notation). SLA is the subnet identifier (65536 local subnets possible) and are usable to represent your local network structure.
</para>
<para>
For gateways, such prefix is generated by normally using SLA &quot;0000&quot; and suffix &quot;::1&quot; (not a must, can be an arbitrary one with local-scope) and assigned to the 6to4 tunnel interface. Note that Microsoft Windows uses V4ADDR also for suffix.
For gateways, such prefix is generated by normally using SLA &ldquo;0000&rdquo; and suffix &ldquo;::1&rdquo; (not a must, can be an arbitrary one with local-scope) and assigned to the 6to4 tunnel interface. Note that Microsoft Windows uses V4ADDR also for suffix.
</para>
</sect3>
@ -3595,7 +3595,7 @@ For gateways, such prefix is generated by normally using SLA &quot;0000&quot; an
6to4 upstream tunneling
</title>
<para>
The node has to know to which foreign tunnel endpoint its in IPv4 packed IPv6 packets should be send to. In &quot;early&quot; days of 6to4 tunneling, dedicated upstream accepting routers were defined. See <ulink url="http://www.kfu.com/~nsayer/6to4/">NSayer's 6to4 information</ulink> for a list of routers.
The node has to know to which foreign tunnel endpoint its in IPv4 packed IPv6 packets should be send to. In &ldquo;early&rdquo; days of 6to4 tunneling, dedicated upstream accepting routers were defined. See <ulink url="http://www.kfu.com/~nsayer/6to4/">NSayer's 6to4 information</ulink> for a list of routers.
</para>
<para>
Nowadays, 6to4 upstream routers can be found auto-magically using the anycast address 192.88.99.1. In the background routing protocols handle this, see <ulink url="http://www.faqs.org/rfcs/rfc3068.html">RFC 3068 / An Anycast Prefix for 6to4 Relay Routers</ulink> for details.
@ -3726,7 +3726,7 @@ Setup of point-to-point tunnel
There are 3 possibilities to add or remove point-to-point tunnels.
</para>
<para>
A good additional information about tunnel setup using &quot;ip&quot; is <ulink url="http://www.deepspace6.net/docs/iproute2tunnel-en.html">Configuring tunnels with iproute2 (article)</ulink> (<ulink url="http://mirrors.bieringer.de/www.deepspace6.net/docs/iproute2tunnel-en.html">Mirror</ulink>).
A good additional information about tunnel setup using &ldquo;ip&rdquo; is <ulink url="http://www.deepspace6.net/docs/iproute2tunnel-en.html">Configuring tunnels with iproute2 (article)</ulink> (<ulink url="http://mirrors.bieringer.de/www.deepspace6.net/docs/iproute2tunnel-en.html">Mirror</ulink>).
</para>
<sect2>
<title>
@ -3966,7 +3966,7 @@ the generated 6to4 prefix will be
]]>
</programlisting>
<para>
Local 6to4 gateways should (but it's not a must, you can choose an arbitrary suffix with local-scope, if you feel better) always assigned the suffix &quot;::1&quot;, therefore your local 6to4 address will be
Local 6to4 gateways should (but it's not a must, you can choose an arbitrary suffix with local-scope, if you feel better) always assigned the suffix &ldquo;::1&rdquo;, therefore your local 6to4 address will be
</para>
<programlisting>
<![CDATA[2002:0102:0304::1
@ -4018,7 +4018,7 @@ Add (default) route to the global IPv6 network using the all-6to4-routers IPv4 a
]]>
</programlisting>
<para>
It was reported that some versions of &quot;ip&quot; (e.g. SuSE Linux 9.0) don't support IPv4-compatible IPv6 addresses for gateways, in this case the related IPv6 address has to be used:
It was reported that some versions of &ldquo;ip&rdquo; (e.g. SuSE Linux 9.0) don't support IPv4-compatible IPv6 addresses for gateways, in this case the related IPv6 address has to be used:
</para>
<programlisting>
<![CDATA[# /sbin/ip -6 route add 2000::/3 via 2002:c058:6301::1 dev tun6to4 metric 1
@ -4029,7 +4029,7 @@ It was reported that some versions of &quot;ip&quot; (e.g. SuSE Linux 9.0) don't
<sect3>
<title>
Using &quot;ifconfig&quot; and &quot;route&quot; and generic tunnel device &quot;sit0&quot; (deprecated)
Using &quot;ifconfig&quot; and &quot;route&quot; and generic tunnel device &ldquo;sit0&rdquo; (deprecated)
</title>
<para>
This is now deprecated because using the generic tunnel device sit0 doesn't let specify filtering per device.
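Review bot: Only the quotes around `sit0` are converted in this title; `&quot;ifconfig&quot;` and `&quot;route&quot;` are left as they were, while the identically worded title in the hunk at old line 4095 converts all three. Convert the remaining two here so the duplicate titles match.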
@ -4095,7 +4095,7 @@ Remove created tunnel device
<sect3>
<title>
Using &quot;ifconfig&quot; and &quot;route&quot; and generic tunnel device &quot;sit0&quot; (deprecated)
Using &ldquo;ifconfig&rdquo; and &ldquo;route&rdquo; and generic tunnel device &ldquo;sit0&rdquo; (deprecated)
</title>
<para>
Remove (default) route through the 6to4 tunnel interface
@ -4148,7 +4148,7 @@ More information in the meantime: <ulink url="http://www.faqs.org/rfcs/rfc2473.h
Kernel settings in /proc-filesystem
</title>
<para>
<anchor id="proc-filesystem">Note: the source of this section is mostly the file &quot;ip-sysctl.txt&quot; which is included in current kernel sources in directory &quot;Documentation/networking&quot;. Credits to Pekka Savola for maintaining the IPv6-related part in this file. Also some text is more or less copied &amp; pasted into this document.
<anchor id="proc-filesystem">Note: the source of this section is mostly the file &ldquo;ip-sysctl.txt&rdquo; which is included in current kernel sources in directory &ldquo;Documentation/networking&rdquo;. Credits to Pekka Savola for maintaining the IPv6-related part in this file. Also some text is more or less copied &amp; pasted into this document.
</para>
<sect1>
<title>
@ -4156,10 +4156,10 @@ How to access the /proc-filesystem
</title>
<sect2>
<title>
Using &quot;cat&quot; and &quot;echo&quot;
Using &ldquo;cat&rdquo; and &ldquo;echo&rdquo;
</title>
<para>
Using &quot;cat&quot; and &quot;echo&quot; is the simplest way to access the /proc filesystem, but some requirements are needed for that
Using &ldquo;cat&rdquo; and &ldquo;echo&rdquo; is the simplest way to access the /proc filesystem, but some requirements are needed for that
</para>
<itemizedlist>
<listitem>
@ -4205,7 +4205,7 @@ Normally, only entries in /proc/sys/* are writable, the others are readonly and
Retrieving a value
</title>
<para>
The value of an entry can be retrieved using &quot;cat&quot;:
The value of an entry can be retrieved using &ldquo;cat&rdquo;:
</para>
<programlisting>
<![CDATA[# cat /proc/sys/net/ipv6/conf/all/forwarding
@ -4220,7 +4220,7 @@ The value of an entry can be retrieved using &quot;cat&quot;:
Setting a value
</title>
<para>
A new value can be set (if entry is writable) using &quot;echo&quot;:
A new value can be set (if entry is writable) using &ldquo;echo&rdquo;:
</para>
<programlisting>
<![CDATA[# echo "1" >/proc/sys/net/ipv6/conf/all/forwarding
@ -4234,13 +4234,13 @@ A new value can be set (if entry is writable) using &quot;echo&quot;:
<sect2>
<title>
Using &quot;sysctl&quot;
Using &ldquo;sysctl&rdquo;
</title>
<para>
Using the &quot;sysctl&quot; program to access the kernel switches is a modern method today. You can use it also, if the /proc-filesystem isn't mounted. But you have only access to /proc/sys/*!
Using the &ldquo;sysctl&rdquo; program to access the kernel switches is a modern method today. You can use it also, if the /proc-filesystem isn't mounted. But you have only access to /proc/sys/*!
</para>
<para>
The program &quot;sysctl&quot; is included in package &quot;procps&quot; (on Red Hat Linux systems).
The program &ldquo;sysctl&rdquo; is included in package &ldquo;procps&rdquo; (on Red Hat Linux systems).
</para>
<itemizedlist>
<listitem>
@ -4283,7 +4283,7 @@ A new value can be set (if entry is writable):
]]>
</programlisting>
<para>
Note: Don't use spaces around the &quot;=&quot; on setting values. Also on multiple values per line, quote them like e.g.
Note: Don't use spaces around the &ldquo;=&rdquo; on setting values. Also on multiple values per line, quote them like e.g.
</para>
<programlisting>
<![CDATA[# sysctl -w net.ipv4.ip_local_port_range="32768 61000"
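Review bot: The changed note "Don't use spaces around the &ldquo;=&rdquo; on setting values" now puts typographic quotes around a character the reader has to type on the sysctl command line. Markup such as <literal>=</literal> would fit this spot better than &ldquo;/&rdquo;, so the quotes cannot be read as part of the syntax; the same applies to other command-line tokens this commit re-quotes.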
@ -4298,13 +4298,13 @@ Note: Don't use spaces around the &quot;=&quot; on setting values. Also on multi
Additionals
</title>
<para>
Note: There are sysctl versions in the wild which displaying &quot;/&quot; instead of the &quot;.&quot;
Note: There are sysctl versions in the wild which displaying &ldquo;/&rdquo; instead of the &ldquo;.&rdquo;
</para>
<para>
For more details take a look into sysctl's manpage.
</para>
<para>
Hint: for digging fast into the settings, use the option &quot;-a&quot; (display all entries) in conjunction with &quot;grep&quot;.
Hint: for digging fast into the settings, use the option &ldquo;-a&rdquo; (display all entries) in conjunction with &ldquo;grep&rdquo;.
</para>
</sect3>
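Review bot: The first changed note in this hunk still reads "There are sysctl versions in the wild which displaying &ldquo;/&rdquo; instead of the &ldquo;.&rdquo;" and ends without a period. Since the line is rewritten here anyway, change "which displaying" to "which display" and close the sentence.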
@ -4322,7 +4322,7 @@ There are several formats seen in /proc-filesystem:
<itemizedlist>
<listitem>
<para>
BOOLEAN: simple a &quot;0&quot; (false) or a &quot;1&quot; (true)
BOOLEAN: simple a &ldquo;0&rdquo; (false) or a &ldquo;1&rdquo; (true)
</para>
</listitem>
@ -4368,7 +4368,7 @@ conf/all/*
Change all the interface-specific settings.
</para>
<para>
Exception: &quot;conf/all/forwarding&quot; has a different meaning here
Exception: &ldquo;conf/all/forwarding&rdquo; has a different meaning here
</para>
<sect3>
<title>
@ -4481,7 +4481,7 @@ Default: TRUE
</itemizedlist>
<para>
Configure link-local addresses (see also <link linkend="chapter-addresstypes">Addresstypes</link>) using L2 hardware addresses. E.g. this generates automagically an address like &quot;fe80::201:23ff:fe45:6789&quot; on an interface with a L2-MAC address.
Configure link-local addresses (see also <link linkend="chapter-addresstypes">Addresstypes</link>) using L2 hardware addresses. E.g. this generates automagically an address like &ldquo;fe80::201:23ff:fe45:6789&rdquo; on an interface with a L2-MAC address.
</para>
</sect3>
@ -5451,7 +5451,7 @@ Unknown, but probably not used by IPv6.
IPv6-related entries in /proc/net/
</title>
<para>
In /proc/net there are several read-only entries available. You cannot retrieve information using &quot;sysctl&quot; here, so use e.g. &quot;cat&quot;.
In /proc/net there are several read-only entries available. You cannot retrieve information using &ldquo;sysctl&rdquo; here, so use e.g. &ldquo;cat&rdquo;.
</para>
<sect2>
<title>
@ -5467,7 +5467,7 @@ Type: One line per addresss containing multiple values
</itemizedlist>
<para>
Here all configured IPv6 addresses are shown in a special format. The example displays for loopback interface only. The meaning is shown below (see &quot;net/ipv6/addrconf.c&quot; for more).
Here all configured IPv6 addresses are shown in a special format. The example displays for loopback interface only. The meaning is shown below (see &ldquo;net/ipv6/addrconf.c&rdquo; for more).
</para>
<programlisting>
<![CDATA[# cat /proc/net/if_inet6
@ -5486,7 +5486,7 @@ IPv6 address displayed in 32 hexadecimal chars without colons as separator
</listitem>
<listitem>
<para>
Netlink device number (interface index) in hexadecimal (see &quot;ip addr&quot; , too)
Netlink device number (interface index) in hexadecimal (see &ldquo;ip addr&rdquo; , too)
</para>
</listitem>
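Review bot: The changed interface-index item keeps the stray space before the comma in "(see &ldquo;ip addr&rdquo; , too)". Drop it so the line reads "(see &ldquo;ip addr&rdquo;, too)".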
@ -5498,13 +5498,13 @@ Prefix length in hexadecimal
</listitem>
<listitem>
<para>
Scope value (see kernel source &quot; include/net/ipv6.h&quot; and &quot;net/ipv6/addrconf.c&quot; for more)
Scope value (see kernel source &ldquo; include/net/ipv6.h&rdquo; and &ldquo;net/ipv6/addrconf.c&rdquo; for more)
</para>
</listitem>
<listitem>
<para>
Interface flags (see &quot;include/linux/rtnetlink.h&quot; and &quot;net/ipv6/addrconf.c&quot; for more)
Interface flags (see &ldquo;include/linux/rtnetlink.h&rdquo; and &ldquo;net/ipv6/addrconf.c&rdquo; for more)
</para>
</listitem>
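Review bot: In the scope-value item the opening quote is followed by a space, "&ldquo; include/net/ipv6.h&rdquo;", and the conversion carries that space over from the old line. Remove it so the path is quoted the same way as "&ldquo;net/ipv6/addrconf.c&rdquo;" on the same line.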
@ -5533,7 +5533,7 @@ Type: One line per route containing multiple values
</itemizedlist>
<para>
Here all configured IPv6 routes are shown in a special format. The example displays for loopback interface only. The meaning is shown below (see &quot;net/ipv6/route.c&quot; for more).
Here all configured IPv6 routes are shown in a special format. The example displays for loopback interface only. The meaning is shown below (see &ldquo;net/ipv6/route.c&rdquo; for more).
</para>
<programlisting>
<![CDATA[# cat /proc/net/ipv6_route
@ -5756,10 +5756,10 @@ Server socket binding
</title>
<sect2>
<title>
Using &quot;netstat&quot; for server socket binding check
Using &ldquo;netstat&rdquo; for server socket binding check
</title>
<para>
It's always interesting which server sockets are currently active on a node. Using &quot;netstat&quot; is a short way to get such information:
It's always interesting which server sockets are currently active on a node. Using &ldquo;netstat&rdquo; is a short way to get such information:
</para>
<para>
Used options: -nlptu
@ -5872,7 +5872,7 @@ Router advertisement
]]>
</programlisting>
<para>
Router with link-local address &quot;fe80::212:34ff:fe12:3450&quot; send an advertisement to the all-node-on-link multicast address &quot;ff02::1&quot; containing two prefixes &quot;2002:0102:0304:1::/64&quot; (lifetime 30 s) and &quot;3ffe:ffff:0:1::/64&quot; (lifetime 2592000 s) including its own layer 2 MAC address &quot;0:12:34:12:34:50&quot;.
Router with link-local address &ldquo;fe80::212:34ff:fe12:3450&rdquo; send an advertisement to the all-node-on-link multicast address &ldquo;ff02::1&rdquo; containing two prefixes &ldquo;2002:0102:0304:1::/64&rdquo; (lifetime 30 s) and &ldquo;3ffe:ffff:0:1::/64&rdquo; (lifetime 2592000 s) including its own layer 2 MAC address &ldquo;0:12:34:12:34:50&rdquo;.
</para>
</sect3>
@ -5887,7 +5887,7 @@ Router solicitation
]]>
</programlisting>
<para>
Node with link-local address &quot;fe80::212:34ff:fe12:3456&quot; and layer 2 MAC address &quot;0:12:34:12:34:56&quot; is looking for a router on-link, therefore sending this solicitation to the all-router-on-link multicast address &quot;ff02::2&quot;.
Node with link-local address &ldquo;fe80::212:34ff:fe12:3456&rdquo; and layer 2 MAC address &ldquo;0:12:34:12:34:56&rdquo; is looking for a router on-link, therefore sending this solicitation to the all-router-on-link multicast address &ldquo;ff02::2&rdquo;.
</para>
</sect3>
@ -5904,12 +5904,12 @@ Neighbor discovery
Neighbor discovery solicitation for duplicate address detection
</title>
<para>
Following packets are sent by a node with layer 2 MAC address &quot;0:12:34:12:34:56&quot; during autoconfiguration to check whether a potential address is already used by another node on the link sending this to the solicited-node link-local multicast address.
Following packets are sent by a node with layer 2 MAC address &ldquo;0:12:34:12:34:56&rdquo; during autoconfiguration to check whether a potential address is already used by another node on the link sending this to the solicited-node link-local multicast address.
</para>
<itemizedlist>
<listitem>
<para>
Node wants to configure its link-local address &quot;fe80::212:34ff:fe12:3456&quot;, checks for duplicate now
Node wants to configure its link-local address &ldquo;fe80::212:34ff:fe12:3456&rdquo;, checks for duplicate now
</para>
</listitem>
@ -5923,7 +5923,7 @@ Node wants to configure its link-local address &quot;fe80::212:34ff:fe12:3456&qu
<itemizedlist>
<listitem>
<para>
Node wants to configure its global address &quot;2002:0102:0304:1:212:34ff:fe12:3456&quot; (after receiving advertisement shown above), checks for duplicate now
Node wants to configure its global address &ldquo;2002:0102:0304:1:212:34ff:fe12:3456&rdquo; (after receiving advertisement shown above), checks for duplicate now
</para>
</listitem>
@ -5938,7 +5938,7 @@ Node wants to configure its global address &quot;2002:0102:0304:1:212:34ff:fe12:
<itemizedlist>
<listitem>
<para>
Node wants to configure its global address &quot;3ffe:ffff:0:1:212:34ff:fe12:3456&quot; (after receiving advertisement shown above), checks for duplicate now
Node wants to configure its global address &ldquo;3ffe:ffff:0:1:212:34ff:fe12:3456&rdquo; (after receiving advertisement shown above), checks for duplicate now
</para>
</listitem>
@ -5960,7 +5960,7 @@ Neighbor discovery solicitation for looking for host or gateway
<itemizedlist>
<listitem>
<para>
Node wants to send packages to &quot;3ffe:ffff:0:1::10&quot; but has no layer 2 MAC address to send packet, so send solicitation now
Node wants to send packages to &ldquo;3ffe:ffff:0:1::10&rdquo; but has no layer 2 MAC address to send packet, so send solicitation now
</para>
</listitem>
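Review bot: The changed item says "send packages to &ldquo;3ffe:ffff:0:1::10&rdquo;" and then "to send packet" within the same sentence. Use "packets" in the first place so the sentence is consistent with itself while the line is being touched.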
@ -5975,7 +5975,7 @@ Node wants to send packages to &quot;3ffe:ffff:0:1::10&quot; but has no layer 2
<itemizedlist>
<listitem>
<para>
Node looks for &quot;fe80::10&quot; now
Node looks for &ldquo;fe80::10&rdquo; now
</para>
</listitem>
@ -6007,7 +6007,7 @@ Some Linux distribution contain already support of a persistent IPv6 configurati
</para>
<sect1>
<title>
Red Hat Linux and &quot;clones&quot;
Red Hat Linux and &ldquo;clones&rdquo;
</title>
<para>
Since starting writing the <ulink url="http://www.bieringer.de/linux/IPv6/">IPv6 & Linux - HowTo</ulink> it was my intention to enable a persistent IPv6 configuration which catch most of the wished cases like host-only, router-only, dual-homed-host, router with second stub network, normal tunnels, 6to4 tunnels, and so on. Nowadays there exists a set of configuration and script files which do the job very well (never heard about real problems, but I don't know how many use the set). Because this configuration and script files are extended from time to time, they got their own homepage: <ulink url="http://www.deepspace6.net/projects/initscripts-ipv6.html">initscripts-ipv6 homepage</ulink> (<ulink url="http://mirrors.bieringer.de/www.deepspace6.net/projects/initscripts-ipv6.html">Mirror</ulink>). Because I began my IPv6 experience using a Red Hat Linux 5.0 clone, my IPv6 development systems are mostly Red Hat Linux based now, it's kind a logic that the scripts are developed for this kind of distribution (so called <emphasis>historic issue</emphasis>). Also it was very easy to extend some configuration files, create new ones and create some simple hook for calling IPv6 setup during IPv4 setup.
@ -6016,7 +6016,7 @@ Since starting writing the <ulink url="http://www.bieringer.de/linux/IPv6/">IPv6
Fortunately, in Red Hat Linux since 7.1 a snapshot of my IPv6 scripts is included, this was and is still further on assisted by Pekka Savola.
</para>
<para>
Mandrake since version 8.0 also includes an IPv6-enabled initscript package, but a minor bug still prevents usage (&quot;ifconfig&quot; misses &quot;inet6&quot; before &quot;add&quot;).
Mandrake since version 8.0 also includes an IPv6-enabled initscript package, but a minor bug still prevents usage (&ldquo;ifconfig&rdquo; misses &ldquo;inet6&rdquo; before &ldquo;add&rdquo;).
</para>
<sect2>
<title>
@ -6073,7 +6073,7 @@ Check whether running system has already IPv6 module loaded
<itemizedlist>
<listitem>
<para>
If result is &quot;off&quot;, then enable IPv6 networking by editing /etc/sysconfig/network, add following new line
If result is &ldquo;off&rdquo;, then enable IPv6 networking by editing /etc/sysconfig/network, add following new line
</para>
</listitem>
@ -7557,27 +7557,27 @@ Implementation was helped by the USAGI project.
Automatic key exchange (IKE)
</title>
<para>
IPsec requires a key exchange of a secret. This is mostly done automatically by so called IKE daemons. They also handle the authentication of the peers, either by a common known secret (so called &quot;pre-shared secret&quot;) or by RSA keys (which can also be used from X.509 certificates).
IPsec requires a key exchange of a secret. This is mostly done automatically by so called IKE daemons. They also handle the authentication of the peers, either by a common known secret (so called &ldquo;pre-shared secret&rdquo;) or by RSA keys (which can also be used from X.509 certificates).
</para>
<para>
Currently, two different IKE daemons are available for Linux, which totally differ in configuration and usage.
</para>
<para>
I prefer &quot;pluto&quot; from the *S/WAN implementation because of the easier and one-config-only setup.
I prefer &ldquo;pluto&rdquo; from the *S/WAN implementation because of the easier and one-config-only setup.
</para>
<sect2>
<title>
IKE daemon &quot;racoon&quot;
IKE daemon &ldquo;racoon&rdquo;
</title>
<para>
The IKE daemon &quot;racoon&quot; is taken from the KAME project and ported to Linux. Modern Linux distributions contain this daemon in the package &quot;ipsec-tools&quot;. Two executables are required for a proper IPsec setup. Take a look on <ulink url="http://lartc.org/howto/lartc.ipsec.html">Linux Advanced Routing & Traffic Control HOWTO / IPSEC</ulink>, too.
The IKE daemon &ldquo;racoon&rdquo; is taken from the KAME project and ported to Linux. Modern Linux distributions contain this daemon in the package &ldquo;ipsec-tools&rdquo;. Two executables are required for a proper IPsec setup. Take a look on <ulink url="http://lartc.org/howto/lartc.ipsec.html">Linux Advanced Routing & Traffic Control HOWTO / IPSEC</ulink>, too.
</para>
<sect3>
<title>
Manipulation of the IPsec SA/SP database with the tool &quot;setkey&quot;
Manipulation of the IPsec SA/SP database with the tool &ldquo;setkey&rdquo;
</title>
<para>
&quot;setkey&quot; is important to define the security policy (SP) for the kernel.
&ldquo;setkey&rdquo; is important to define the security policy (SP) for the kernel.
</para>
<para>
File: /etc/racoon/setkey.sh
@ -7620,17 +7620,17 @@ Example for a end-to-end encrypted connection in tunnel mode
]]>
</programlisting>
<para>
For the other peer, you have to replace &quot;in&quot; with &quot;out&quot;.
For the other peer, you have to replace &ldquo;in&rdquo; with &ldquo;out&rdquo;.
</para>
</sect3>
<sect3>
<title>
Configuration of the IKE daemon &quot;racoon&quot;
Configuration of the IKE daemon &ldquo;racoon&rdquo;
</title>
<para>
&quot;racoon&quot; requires a configuration file for proper execution. It includes the related settings to the security policy, which should be set up previously using &quot;setkey&quot;.
&ldquo;racoon&rdquo; requires a configuration file for proper execution. It includes the related settings to the security policy, which should be set up previously using &ldquo;setkey&rdquo;.
</para>
<para>
File: /etc/racoon/racoon.conf
@ -7695,7 +7695,7 @@ File: /etc/racoon/psk.txt
<sect3>
<title>
Running IPsec with IKE daemon &quot;racoon&quot;
Running IPsec with IKE daemon &ldquo;racoon&rdquo;
</title>
<para>
At least the daemon needs to be started. For the first time, use debug and foreground mode. The following example shows a successful IKE phase 1 (ISAKMP-SA) and 2 (IPsec-SA) negotiation:
@ -7723,7 +7723,7 @@ At least the daemon needs to be started. For the first time, use debug and foreg
]]>
</programlisting>
<para>
Each direction got its own IPsec-SA (like defined in the IPsec standard). With &quot;tcpdump&quot; on the related interface, you will see as result of an IPv6 ping:
Each direction got its own IPsec-SA (like defined in the IPsec standard). With &ldquo;tcpdump&rdquo; on the related interface, you will see as result of an IPv6 ping:
</para>
<programlisting>
<![CDATA[20:35:55.305707 2001:db8:1:1::1 > 2001:db8:2:2::2: ESP(spi=0x0a6e53c4,seq=0x3)
@ -7734,7 +7734,7 @@ Each direction got its own IPsec-SA (like defined in the IPsec standard). With &
As expected, the negotiated SPIs are being used here.
</para>
<para>
And using &quot;setkey&quot;, current active parameters are shown:
And using &ldquo;setkey&rdquo;, current active parameters are shown:
</para>
<programlisting>
<![CDATA[# setkey -D
@ -7770,17 +7770,17 @@ And using &quot;setkey&quot;, current active parameters are shown:
<sect2>
<title>
IKE daemon &quot;pluto&quot;
IKE daemon &ldquo;pluto&rdquo;
</title>
<para>
The IKE daemon &quot;pluto&quot; is included in distributions of the *S/WAN projects. *S/WAN project starts at the beginning as <ulink url="http://www.freeswan.org/">FreeS/WAN</ulink>. Unfortunately, the FreeS/WAN project stopped further development in 2004. Because of the slow pace of development in the past, two spin-offs started: <ulink url="http://www.strongswan.org/">strongSwan</ulink> and <ulink url="http://www.openswan.org/">Openswan</ulink>. Today, readily installable packages are available for at least Openswan (included in Fedora Core 3).
The IKE daemon &ldquo;pluto&rdquo; is included in distributions of the *S/WAN projects. *S/WAN project starts at the beginning as <ulink url="http://www.freeswan.org/">FreeS/WAN</ulink>. Unfortunately, the FreeS/WAN project stopped further development in 2004. Because of the slow pace of development in the past, two spin-offs started: <ulink url="http://www.strongswan.org/">strongSwan</ulink> and <ulink url="http://www.openswan.org/">Openswan</ulink>. Today, readily installable packages are available for at least Openswan (included in Fedora Core 3).
</para>
<para>
A major difference to &quot;racoon&quot;, only one configuration file is required. Also, an initscript exists for automatic setup after booting.
A major difference to &ldquo;racoon&rdquo;, only one configuration file is required. Also, an initscript exists for automatic setup after booting.
</para>
<sect3>
<title>
Configuration of the IKE daemon &quot;pluto&quot;
Configuration of the IKE daemon &ldquo;pluto&rdquo;
</title>
<para>
The configuration is very similar to the IPv4 one, only one important option is necessary.
@ -7834,7 +7834,7 @@ File: /etc/ipsec.secrets
<sect3>
<title>
Running IPsec with IKE daemon &quot;pluto&quot;
Running IPsec with IKE daemon &ldquo;pluto&rdquo;
</title>
<para>
If installation of Openswan was successfully, an initscript should exist for starting IPsec, simply run (on each peer):
@ -7844,7 +7844,7 @@ If installation of Openswan was successfully, an initscript should exist for sta
]]>
</programlisting>
<para>
Afterwards, start this connection on one peer. If you saw the line &quot;IPsec SA established&quot;, all worked fine.
Afterwards, start this connection on one peer. If you saw the line &ldquo;IPsec SA established&rdquo;, all worked fine.
</para>
<programlisting>
<![CDATA[# ipsec auto --up ipv6-peer1-peer2
@ -7858,7 +7858,7 @@ Afterwards, start this connection on one peer. If you saw the line &quot;IPsec S
]]>
</programlisting>
<para>
Because *S/WAN and setkey/racoon do use the same IPsec implementation in Linux 2.6.x kernel, &quot;setkey&quot; can be used here too to show current active parameters:
Because *S/WAN and setkey/racoon do use the same IPsec implementation in Linux 2.6.x kernel, &ldquo;setkey&rdquo; can be used here too to show current active parameters:
</para>
<programlisting>
<![CDATA[# setkey -D
@ -7900,7 +7900,7 @@ Because *S/WAN and setkey/racoon do use the same IPsec implementation in Linux 2
Additional informations:
</title>
<para>
On Linux Kernel 2.6.x you can get the policy and status of IPsec also using &quot;ip&quot;:
On Linux Kernel 2.6.x you can get the policy and status of IPsec also using &ldquo;ip&rdquo;:
</para>
<programlisting>
<![CDATA[# ip xfrm policy
@ -7921,7 +7921,7 @@ On Linux Kernel 2.6.x you can get the policy and status of IPsec also using &quo
Quality of Service (QoS)
</title>
<para>
IPv6 supports QoS with use of Flow Labels and Traffic Classes. This can be controlled using &quot;tc&quot; (contained in package &quot;iproute&quot;).
IPv6 supports QoS with use of Flow Labels and Traffic Classes. This can be controlled using &ldquo;tc&rdquo; (contained in package &ldquo;iproute&rdquo;).
</para>
<para>
Additional infos:
@ -8392,7 +8392,7 @@ Additional notes
<itemizedlist>
<listitem>
<para>
Apache2 supports a method called &quot;sendfile&quot; to speedup serving data. Some NIC drivers also support offline checksumming. In some cases, this can lead to connection problems and invalid TCP checksums. In this cases, disable &quot;sendfile&quot; either by recompiling using configure option &quot;--without-sendfile&quot; or by using the &quot;EnableSendfile off&quot; directive in configuration file.
Apache2 supports a method called &ldquo;sendfile&rdquo; to speedup serving data. Some NIC drivers also support offline checksumming. In some cases, this can lead to connection problems and invalid TCP checksums. In this cases, disable &ldquo;sendfile&rdquo; either by recompiling using configure option &ldquo;--without-sendfile&rdquo; or by using the &quot;EnableSendfile off&quot; directive in configuration file.
</para>
</listitem>
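Review bot: The quote conversion is incomplete on the Apache2 sendfile line: "sendfile" and "--without-sendfile" become &ldquo;...&rdquo;, but the directive is still written as &quot;EnableSendfile off&quot;. Either convert that pair too, or, since it is a configuration directive readers will copy, mark it and the configure option up as literals and leave typographic quotes out of this sentence.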
@ -8540,7 +8540,7 @@ This route needs to be replaced every time the prefix changes, which is the case
Debugging
</title>
<para>
A program called &quot;radvdump&quot; can help you looking into sent or received advertisements. Simple to use:
A program called &ldquo;radvdump&rdquo; can help you looking into sent or received advertisements. Simple to use:
</para>
<programlisting>
<![CDATA[# radvdump
@ -8967,7 +8967,7 @@ That's all.
Other daemons
</title>
<para>
Nowadays it's mostly simple, look for either a command line option or a configuration value to enable IPv6 listening. See manual page of the daemon or check related FAQs. It can happen that you can bind a daemon only to the IPv6-&quot;any&quot;-address (::) and not to bind to a dedicated IPv6 address, because the lack of support (depends on that what the programmer has implemented so far...).
Nowadays it's mostly simple, look for either a command line option or a configuration value to enable IPv6 listening. See manual page of the daemon or check related FAQs. It can happen that you can bind a daemon only to the IPv6-&ldquo;any&rdquo;-address (::) and not to bind to a dedicated IPv6 address, because the lack of support (depends on that what the programmer has implemented so far...).
</para>
</sect1>
@ -9788,7 +9788,7 @@ Linux related per distribution
<varlistentry>
<term>
PLD
</term><listitem><para><ulink url="http://www.pld-linux.org/">PLD Linux Distribution</ulink> (&quot;market leader&quot; in containing IPv6 enabled packages)
</term><listitem><para><ulink url="http://www.pld-linux.org/">PLD Linux Distribution</ulink> (&ldquo;market leader&rdquo; in containing IPv6 enabled packages)
</para>
</listitem>
@ -12288,7 +12288,7 @@ Releases 0.x
<varlistentry>
<term>
0.39
</term><listitem><para>2003-01-13/PB: fix a bug (forgotten 'link&quot; on &quot;ip link set&quot; (credits to Yaniv Kaul)
</term><listitem><para>2003-01-13/PB: fix a bug (forgotten 'link&rdquo; on &ldquo;ip link set&rdquo; (credits to Yaniv Kaul)
</para>
</listitem>
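Review bot: The 0.39 entry now pairs an ASCII apostrophe with a typographic closing quote, 'link&rdquo;, because only the closing &quot; was converted. Change the opening character to &ldquo; so it reads &ldquo;link&rdquo;, and add the missing closing parenthesis after "ip link set&rdquo;" before "(credits to Yaniv Kaul)".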
@ -12369,7 +12369,7 @@ Releases 0.x
<varlistentry>
<term>
0.34
</term><listitem><para>2002-11-19/PB: Add information about German translation (work in progress), some fixes, create a small shortcut explanation list, extend &quot;used terms&quot; and add two German books
</term><listitem><para>2002-11-19/PB: Add information about German translation (work in progress), some fixes, create a small shortcut explanation list, extend &ldquo;used terms&rdquo; and add two German books
</para>
</listitem>
@ -12477,7 +12477,7 @@ Releases 0.x
<varlistentry>
<term>
0.26
</term><listitem><para>2002-07-13/PB: Fill /proc-filesystem chapter, update DNS information about depricated A6/DNAME, change P-t-P tunnel setup to use of &quot;ip&quot; only
</term><listitem><para>2002-07-13/PB: Fill /proc-filesystem chapter, update DNS information about depricated A6/DNAME, change P-t-P tunnel setup to use of &ldquo;ip&rdquo; only
</para>
</listitem>
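Review bot: The changed 0.26 entry still carries the misspelling "depricated" in "update DNS information about depricated A6/DNAME". Correct it to "deprecated" in the same edit.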
@ -12630,7 +12630,7 @@ Releases 0.x
<varlistentry>
<term>
0.18.1
</term><listitem><para>2002-01-23/PB: Move &quot;the end&quot; to the end, add USAGI to maillists
</term><listitem><para>2002-01-23/PB: Move &ldquo;the end&rdquo; to the end, add USAGI to maillists
</para>
</listitem>
@ -12675,7 +12675,7 @@ Releases 0.x
<varlistentry>
<term>
0.16
</term><listitem><para>2002-01-19/PB: Minor fixes, remove &quot;bold&quot; and &quot;emphasize&quot; formats on code lines, fix &quot;too long unwrapped code lines&quot; using selfmade utility, extend list of URLs.
</term><listitem><para>2002-01-19/PB: Minor fixes, remove &ldquo;bold&rdquo; and &ldquo;emphasize&rdquo; formats on code lines, fix &ldquo;too long unwrapped code lines&rdquo; using selfmade utility, extend list of URLs.
</para>
</listitem>
@ -12693,7 +12693,7 @@ Releases 0.x
<varlistentry>
<term>
0.14
</term><listitem><para>2002-01-14/PB: Minor review at all, new chapter &quot;debugging&quot;, review &quot;addresses&quot;, spell checking, grammar checking (from beginning to 3.4.1) by Martin Krafft, add tcpdump examples, copy firewalling/netfilter6 from IPv6+Linux-HowTo, minor enhancements
</term><listitem><para>2002-01-14/PB: Minor review at all, new chapter &ldquo;debugging&rdquo;, review &ldquo;addresses&rdquo;, spell checking, grammar checking (from beginning to 3.4.1) by Martin Krafft, add tcpdump examples, copy firewalling/netfilter6 from IPv6+Linux-HowTo, minor enhancements
</para>
</listitem>
@ -12850,7 +12850,7 @@ Credits for fixes and hints are listed here, will grow sure in the future
<itemizedlist>
<listitem>
<para>
S .P. Meenakshi &lt;meena at cs dot iitm dot ernet dot in&gt;: For a hint using a &quot;send mail&quot; shell program on tcp_wrapper/hosts.deny
S .P. Meenakshi &lt;meena at cs dot iitm dot ernet dot in&gt;: For a hint using a &ldquo;send mail&rdquo; shell program on tcp_wrapper/hosts.deny
</para>
</listitem>
@ -12988,7 +12988,7 @@ Bjoern Jacke &lt;bjoern at j3e dot de&gt;: Triggered me to fix some outdated inf
</listitem>
<listitem>
<para>
Christoph Egger &lt;cegger at chrrr dot com&gt;: Sending note about &quot;ip&quot; has problems with IPv4-compatible addresses on SuSE Linux 9.0 and trigger to add a hint on 6to4-radvd example
Christoph Egger &lt;cegger at chrrr dot com&gt;: Sending note about &ldquo;ip&rdquo; has problems with IPv4-compatible addresses on SuSE Linux 9.0 and trigger to add a hint on 6to4-radvd example
</para>
</listitem>