Modified Files:

Linux+IPv6-HOWTO.sgml : release 0.27
pbldp 2002-08-10 07:55:43 +00:00
parent 4f6c49d218
commit 2e057f62c1
1 changed files with 92 additions and 43 deletions


@ -8,12 +8,12 @@
<firstname>Peter </firstname><surname>Bieringer</surname><affiliation><address> <email>pb (at) bieringer.de</email> </address> </affiliation>
</author>
<revhistory>
<revision> <revnumber>Release 0.27</revnumber> <date>2002-08-10</date> <authorinitials>PB</authorinitials> <revremark>See <link linkend="revision-history">revision history</link> for more</revremark></revision>
<revision> <revnumber>Release 0.26</revnumber> <date>2002-07-13</date> <authorinitials>PB</authorinitials> <revremark>See <link linkend="revision-history">revision history</link> for more</revremark></revision>
<revision> <revnumber>Release 0.25</revnumber> <date>2002-05-16</date> <authorinitials>PB</authorinitials> <revremark>See <link linkend="revision-history">revision history</link> for more</revremark></revision>
<revision> <revnumber>Release 0.24</revnumber> <date>2002-05-02</date> <authorinitials>PB</authorinitials> <revremark>See <link linkend="revision-history">revision history</link> for more</revremark></revision>
</revhistory>
<abstract><para>The goal of the Linux IPv6 HOWTO is to answer both basic and advanced questions about IPv6 on the Linux operating system. This HOWTO will provide the reader with enough information to install, configure, and use IPv6 applications on Linux machines.</para></abstract></bookinfo>
<chapter id="chapter-general"><title>General</title><remark>CVS-ID: &dollar;Id: Linux+IPv6-HOWTO.lyx,v 1.25 2002/07/13 09:38:37 pbldp Exp &dollar;</remark><sect1 id="general-copright"><title>Copyright, license and others</title><sect2><title>Copyright</title><para>Written and Copyright (C) 2001-2002 by Peter Bieringer</para></sect2>
<chapter id="chapter-general"><title>General</title><remark>CVS-ID: &dollar;Id: Linux+IPv6-HOWTO.lyx,v 1.28 2002/07/15 18:23:14 pbldp Exp &dollar;</remark><sect1 id="general-copright"><title>Copyright, license and others</title><sect2><title>Copyright</title><para>Written and Copyright (C) 2001-2002 by Peter Bieringer</para></sect2>
<sect2><title>License</title><para>This Linux IPv6 HOWTO is published under GNU GPL version 2:
@ -182,7 +182,7 @@ You can still apply for one of these prefixes, see here <ulink url="http://www.6
]]></programlisting></sect2>
</sect1>
</chapter>
<chapter id="chapter-systemcheck"><title>IPv6-ready system check</title><para>Before you can start using IPv6 on a Linux host, you have to test, whether your system is IPv6-ready. You may have to do some work to enable it first.</para><sect1 id="systemcheck-kernel"><title>IPv6-ready kernel</title><para>Modern Linux distributions already contain IPv6-ready kernels, the IPv6 capability is generally compiled as a module, but it's possible that this module is not loaded automatically on startup.</para><para>See <ulink url="http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-distributions.html">IPv6+Linux-Status-Distribution</ulink> page for most up-to-date information.</para><sect2><title>Check for IPv6 support in the current running kernel</title><para>To check, whether your current running kernel supports IPv6, take a look into your /proc-file-system. Following entry must exists: </para><programlisting><![CDATA[/proc/net/if_inet6
<chapter id="chapter-systemcheck"><title>IPv6-ready system check</title><para>Before you can start using IPv6 on a Linux host, you have to test, whether your system is IPv6-ready. You may have to do some work to enable it first.</para><sect1 id="systemcheck-kernel"><title>IPv6-ready kernel</title><para>Modern Linux distributions already contain IPv6-ready kernels, the IPv6 capability is generally compiled as a module, but it's possible that this module is not loaded automatically on startup.</para><para>See <ulink url="http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-distributions.html">IPv6+Linux-Status-Distribution</ulink> page for most up-to-date information.</para><para>Note: you shouldn't anymore use kernel series 2.2.x, because it's not IPv6-up-to-date anymore.</para><sect2><title>Check for IPv6 support in the current running kernel</title><para>To check, whether your current running kernel supports IPv6, take a look into your /proc-file-system. Following entry must exists: </para><programlisting><![CDATA[/proc/net/if_inet6
]]></programlisting><para>A short automatical test looks like:</para><programlisting><![CDATA[# test -f /proc/net/if_inet6 && echo "Running kernel is IPv6 ready"
]]></programlisting><para>If this fails, it is quite likely, that the IPv6 module is not loaded.</para></sect2>
<sect2><title>Try to load IPv6 module</title><para>You can try to load the IPv6 module executing</para><programlisting><![CDATA[# modprobe ipv6
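Review bot: The note added to the "IPv6-ready kernel" section ("you shouldn't anymore use kernel series 2.2.x, because it's not IPv6-up-to-date anymore") says what to avoid but not what to use instead, and the doubled "anymore" reads awkwardly. Suggest "Note: kernel series 2.2.x should no longer be used, because its IPv6 support is no longer kept up to date", followed by the series the reader should run. The firewalling chapter in this same commit already states that native IPv6 filtering needs 2.4+, so the two statements could point at each other.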
@ -426,6 +426,24 @@ You can still apply for one of these prefixes, see here <ulink url="http://www.6
</sect2>
</sect1>
</chapter>
<chapter id="chapter-Neighbor-Discovery"><title>Neighbor Discovery</title><para>Neighbor discovery was the IPv6 successor for the ARP (Address Resolution Protocol) in IPv4. You can retrieve information about the current neighbors, in addition you can set and delete entries.</para><para>Neighbor detection</para><para>The kernel keeps tracking of successful neighbor detection (like ARP in IPv4). You can dig into the learnt table using &quot;ip&quot;.</para><sect1><title>Displaying neighbors using &quot;ip&quot;</title><para>With following command you can display the learnt or configured IPv6 neighbors</para><programlisting><![CDATA[# ip -6 neigh show [dev <device>]
]]></programlisting><para>The following example shows one neighbor, which is a reachable router</para><programlisting><![CDATA[# ip -6 neigh show
]]><![CDATA[fe80::201:23ff:fe45:6789 dev eth0 lladdr 00:01:23:45:67:89 router nud reachable
]]></programlisting></sect1>
<sect1><title>Manipulating neighbors table using &quot;ip&quot;</title><sect2><title>Manually add an entry</title><para>With following command you are able to manually add an entry</para><programlisting><![CDATA[# ip -6 neigh add <IPv6 address> lladdr <link-layer address> dev <device>
]]></programlisting><para>Example:</para><programlisting><![CDATA[# ip -6 neigh add fec0::1 lladdr 02:01:02:03:04:05 dev eth0
]]></programlisting></sect2>
<sect2><title>Manually delete an entry</title><para>Like adding also an entry can be deleted:</para><programlisting><![CDATA[# ip -6 neigh del <IPv6 address> lladdr <link-layer address> dev <device>
]]></programlisting><para>Example:</para><programlisting><![CDATA[# ip -6 neigh del fec0::1 lladdr 02:01:02:03:04:05 dev eth0
]]></programlisting></sect2>
<sect2><title>More advanced settings</title><para>The tool &quot;ip&quot; is less documentated, but very strong. See online &quot;help&quot; for more:</para><programlisting><![CDATA[# ip -6 neigh help
]]><![CDATA[Usage: ip neigh { add | del | change | replace } { ADDR [ lladdr LLADDR ]
]]><![CDATA[ [ nud { permanent | noarp | stale | reachable } ]
]]><![CDATA[ | proxy ADDR } [ dev DEV ]
]]><![CDATA[ ip neigh {show|flush} [ to PREFIX ] [ dev DEV ] [ nud STATE ]
]]></programlisting><para>Looks like some options are only for IPv4...if you can contribute information about flags and advanced usage, pls. send.</para></sect2>
</sect1>
</chapter>
<chapter id="chapter-configuring-ipv6-in-ipv4-tunnels"><title>Configuring IPv6-in-IPv4 tunnels</title><para>If you want to leave your link you have no IPv6 capable network around you, you need IPv6-in-IPv4 tunneling to reach the World Wide IPv6-Internet.</para><para>There are some kind of tunnel mechanism and also some possibilities to setup tunnels.</para><sect1><title>Types of tunnels</title><para>There are more than one possibility to tunnel IPv6 packets over IPv4-only links.</para><sect2><title>Static point-to-point tunneling: 6bone</title><para>A point-to-point tunnel is a dedicated tunnel to an endpoint, which knows about your IPv6 network (for backward routing) and the IPv4 address of your tunnel endpoint and defined in <ulink url="http://rfc.net/rfc2893.html">RFC 2893 / Transition Mechanisms for IPv6 Hosts and Routers</ulink>. Requirements:</para><itemizedlist><listitem><para>IPv4 address of your local tunnel endpoint must be static, global unique and reachable from the foreign tunnel endpoint</para></listitem><listitem><para>A global IPv6 prefix assigned to you (see 6bone registry)</para></listitem><listitem><para>A foreign tunnel endpoint which is capable to route your IPv6 prefix to your local tunnel endpoint (mostly remote manual configuration required)</para></listitem></itemizedlist></sect2>
<sect2><title>Automatically tunneling</title><para>Automatic tunneling occurs, when a node directly connects another node gotten the IPv4 address of the other node before.</para></sect2>
<sect2 id="tunneling-6to4"><title>6to4-Tunneling</title><para>6to4 tunneling (<ulink url="http://rfc.net/rfc3056.html">RFC 3056 / Connection of IPv6 Domains via IPv4 Clouds</ulink>) uses a simple mechanism to create automatic tunnels. Each node with a global unique IPv4 address is able to be a 6to4 tunnel endpoint (if no IPv4 firewall prohibits traffic). 6to4 tunneling is mostly not a one-to-one tunnel. This case of tunneling can be divided into upstream and downstream tunneling. Also, a special IPv6 address indicates that this node will use 6to4 tunneling for connecting the world-wide IPv6 network</para><sect3><title>Generation of 6to4 prefix</title><para>The 6to4 address is defined like following (schema is taken from <ulink url="http://rfc.net/rfc3056.html">RFC 3056 / Connection of IPv6 Domains via IPv4 Clouds</ulink>):</para><programlisting><![CDATA[| 3+13 | 32 | 16 | 64 bits |
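Review bot: The new Neighbor Discovery chapter has a stray "<para>Neighbor detection</para>" between its first and third paragraphs that looks like a leftover heading; drop it or make it a sect1 title. In the same introduction "was the IPv6 successor" should be "is", and "documentated" under "More advanced settings" should be "documented". The new sect1 elements carry no id, unlike the chapter itself, so nothing can link to them. Because the section shows how to add entries by hand, it would also help to say which nud state such an entry gets, given that the quoted usage lists "nud { permanent | noarp | stale | reachable }".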
@ -537,7 +555,7 @@ You can still apply for one of these prefixes, see here <ulink url="http://www.6
]]></programlisting><para>Use e.g. following for automatic generation:</para><programlisting><![CDATA[ipv4="1.2.3.4"; printf "2002:%02x%02x:%02x%02x::1" `echo $ipv4 | tr "." " "`
]]></programlisting><para>There are two ways possible to setup 6to4 tunneling now.</para><sect3><title>Using &quot;ip&quot; and a dedicated tunnel device</title><para>This is now the recommended way.</para><para>Create a new tunnel device</para><programlisting><![CDATA[# /sbin/ip tunnel add tun6to4 mode sit remote any local <localipv4address>
]]></programlisting><para>Bring interface up</para><programlisting><![CDATA[# /sbin/ip link set dev tun6to4 up
]]></programlisting><para>Add local 6to4 address to interface</para><programlisting><![CDATA[# /sbin/ip -6 addr add <local6to4address>/16 dev tun6to4
]]></programlisting><para>Add local 6to4 address to interface (note: prefix length 16 is imporant!)</para><programlisting><![CDATA[# /sbin/ip -6 addr add <local6to4address>/16 dev tun6to4
]]></programlisting><para>Add (default) route to the global IPv6 network using the all-6to4-routers IPv4 anycast address</para><programlisting><![CDATA[# /sbin/ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4 metric 1
]]></programlisting></sect3>
<sect3><title>Using &quot;ifconfig&quot; and &quot;route&quot; and generic tunnel device &quot;sit0&quot; (deprecated)</title><para>This is now deprecated because using the generic tunnel device sit0 doesn't let specify filtering per device.</para><para>Bring generic tunnel interface sit0 up</para><programlisting><![CDATA[# /sbin/ifconfig sit0 up
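Review bot: In the reworded step "Add local 6to4 address to interface (note: prefix length 16 is imporant!)", "imporant" is misspelled and the note asserts that /16 matters without giving the reason. Suggest "important" plus one clause of explanation, for example that /16 puts the whole 2002::/16 6to4 prefix on tun6to4 so that other 6to4 sites are reached through the tunnel device directly.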
@ -618,7 +636,7 @@ You can still apply for one of these prefixes, see here <ulink url="http://www.6
<sect1><title>IPv6-related entries in /proc/sys/net/ipv4/</title><para>At the moment (and this will be until IPv4 is completly converted to an independend kernel module) some switches are also used here for IPv6.</para><sect2><title>ip_*</title><sect3><title>ip_local_port_range</title><para>This control setting is used by IPv6 also.</para></sect3>
</sect2>
<sect2><title>tcp_*</title><para>This control settings are used by IPv6 also.</para></sect2>
<sect2><title>icmp_*</title><para>This control settings are not used by IPv6.</para></sect2>
<sect2><title>icmp_*</title><para>This control settings are not used by IPv6. To enable ICMPv6 rate limting (which is very recommended because of the capability of ICMPv6 storms) netfilter-v6 rules must be used.</para></sect2>
<sect2><title>others</title><para>Unknown, but probably not used by IPv6.</para></sect2>
</sect1>
<sect1><title>IPv6-related entries in /proc/net/</title><para>In /proc/net there are several read-only entries available. You cannot retrieve information using &quot;sysctl&quot; here, so use e.g. &quot;cat&quot;.</para><sect2><title>if_inet6</title><itemizedlist><listitem><para>Type: One line per addresss containing multiple values</para></listitem></itemizedlist><para>Here all configured IPv6 addresses are shown in a special format. The example displays for loopback interface only. The meaning is shown below (see &quot;net/ipv6/addrconf.c&quot; for more)</para><programlisting><![CDATA[# cat /proc/net/if_inet6
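Review bot: The sentence added to the icmp_* section misspells "limiting" as "limting" and tells the reader to use netfilter-v6 rules without saying where they are described. Suggest "strongly recommended" instead of "very recommended" and an xref to the firewalling chapter (id "firewalling-netfilter6" exists in this commit). The new "Rate-limiting" sect3 added further down has no id of its own, so giving it one would let this paragraph link straight to the example rule.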
@ -772,7 +790,7 @@ You can still apply for one of these prefixes, see here <ulink url="http://www.6
<sect1><title>SuSE Linux</title><para>In newer 7.x versions there is a really rudimentary support available, see /etc/rc.config for details.</para><para>Because of the really different configuration and script file structure it is hard (or impossible) to use the set for Red Hat Linux and clones with this distribution.
In versions 8.x they completly change their configuration setup. </para><sect2><title>Further information</title><itemizedlist><listitem><para><ulink url="http://www.feyrer.de/IPv6/SuSE73-IPv6+6to4-setup.html">How to setup 6to4 IPv6 with SuSE 7.3</ulink></para></listitem></itemizedlist></sect2>
</sect1>
<sect1><title>Debian Linux</title><para>I still don't have any information weather a persistent IPv6 configuration can stored somewhere.</para><sect2><title>Further information</title><itemizedlist><listitem><para><ulink url="http://people.debian.org/~csmall/ipv6/">IPv6 on Debian Linux</ulink></para></listitem></itemizedlist></sect2>
<sect1><title>Debian Linux</title><para>I still don't have any information whether a persistent IPv6 configuration can be stored somewhere.</para><sect2><title>Further information</title><itemizedlist><listitem><para><ulink url="http://people.debian.org/~csmall/ipv6/">IPv6 on Debian Linux</ulink></para></listitem></itemizedlist></sect2>
</sect1>
</chapter>
<chapter id="chapter-autoconfiguration"><title>Auto-configuration and mobility</title><sect1><title>Stateless auto-configuration</title><para>Is supported and seen on the assigned link-local address after an IPv6-enabled interface is up.</para></sect1>
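Review bot: The Debian paragraph is corrected ("weather" to "whether", "can stored" to "can be stored"), but "completly change" in the SuSE paragraph directly above it is left misspelled. Suggest fixing it in the same pass, as "completely changed".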
@ -780,21 +798,21 @@ In versions 8.x they completly change their configuration setup. </para><sect2><
<sect1><title>Dynamic Host Configuration Protocol v6 (DHCPv6)</title><para>to be filled.</para></sect1>
<sect1><title>Mobility</title><para>to be filled.</para><para>For the moment, see <ulink url="http://www.mipl.mediapoli.com/">Mobile IPv6 for Linux(MIPL) homepage</ulink> for more details</para></sect1>
</chapter>
<chapter id="chapter-firewalling-security"><title>Firewalling and security issues</title><para>IPv6 firewalling is important, especially if using IPv6 on internal networks with global IPv6 addresses. Because unlike at IPv4 networks where in common internal hosts are protected automatically using private IPv4 addresses like <ulink url="http://rfc.net/rfc1918.html">RFC 1918 / Address Allocation for Private Internets</ulink> or <ulink url="http://www.glossary-tech.com/apipa.htm">APIPA / Automatic Private IP Addressing</ulink>, in IPv6 normally global addresses are used and someone with IPv6 connectivity can reach all internal IPv6 enabled nodes.</para><sect1><title>Firewalling</title><sect2 id="firewalling-netfilter6"><title>Firewalling using netfilter6 </title><para>Native IPv6 firewalling is only supported in kernel versions 2.4+. In older 2.2- you can only filter IPv6-in-IPv4 by protocol 41. </para><para>Attention: no warranty that described rules or examples are really protect your system! </para><para>Audit your ruleset after installation, see <xref linkend="IPv6-security-auditing"> for more.</para><sect3><title>More information</title><itemizedlist><listitem><para><ulink url="http://www.netfilter.org/">Netfilter project</ulink></para></listitem><listitem><para><ulink url="http://lists.samba.org/pipermail/netfilter/">maillist archive of netfilter users</ulink></para></listitem><listitem><para><ulink url="http://lists.samba.org/pipermail/netfilter-devel/">maillist archive of netfilter developers</ulink></para></listitem><listitem><para><ulink url="http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-kernel.html#netfilter6 ">Unofficial status informations</ulink></para></listitem></itemizedlist></sect3>
</sect2>
<sect2><title>Preparation</title><sect3><title>Get sources</title><para>Get the latest kernel source: <ulink url="http://www.kernel.org/">http://www.kernel.org/</ulink></para><para>Get the latest iptables package: </para><itemizedlist><listitem><para>Source tarball (for kernel patches): <ulink url="http://www.netfilter.org/">http://www.netfilter.org/</ulink></para></listitem><listitem><para>Source RPM for rebuild of binary (for RedHat systems): <ulink url="ftp://ftp.redhat.com/redhat/linux/rawhide/SRPMS/SRPMS/">ftp://ftp.redhat.com/redhat/linux/rawhide/SRPMS/SRPMS/</ulink> or perhaps also at <ulink url="http://www.netcore.fi/pekkas/linux/ipv6/ ">http://www.netcore.fi/pekkas/linux/ipv6/ </ulink></para></listitem></itemizedlist></sect3>
<sect3><title>Extract sources</title><para>Change to source directory: </para><programlisting><![CDATA[# cd /path/to/src
<chapter id="chapter-firewalling-security"><title>Firewalling</title><para>IPv6 firewalling is important, especially if using IPv6 on internal networks with global IPv6 addresses. Because unlike at IPv4 networks where in common internal hosts are protected automatically using private IPv4 addresses like <ulink url="http://rfc.net/rfc1918.html">RFC 1918 / Address Allocation for Private Internets</ulink> or <ulink url="http://www.glossary-tech.com/apipa.htm">APIPA / Automatic Private IP Addressing</ulink>, in IPv6 normally global addresses are used and someone with IPv6 connectivity can reach all internal IPv6 enabled nodes.</para><sect1 id="firewalling-netfilter6"><title>Firewalling using netfilter6 </title><para>Native IPv6 firewalling is only supported in kernel versions 2.4+. In older 2.2- you can only filter IPv6-in-IPv4 by protocol 41. </para><para>Attention: no warranty that described rules or examples are really protect your system! </para><para>Audit your ruleset after installation, see <xref linkend="IPv6-security-auditing"> for more.</para><sect2><title>More information</title><itemizedlist><listitem><para><ulink url="http://www.netfilter.org/">Netfilter project</ulink></para></listitem><listitem><para><ulink url="http://lists.samba.org/pipermail/netfilter/">maillist archive of netfilter users</ulink></para></listitem><listitem><para><ulink url="http://lists.samba.org/pipermail/netfilter-devel/">maillist archive of netfilter developers</ulink></para></listitem><listitem><para><ulink url="http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-kernel.html#netfilter6 ">Unofficial status informations</ulink></para></listitem></itemizedlist></sect2>
</sect1>
<sect1><title>Preparation</title><sect2><title>Get sources</title><para>Get the latest kernel source: <ulink url="http://www.kernel.org/">http://www.kernel.org/</ulink></para><para>Get the latest iptables package: </para><itemizedlist><listitem><para>Source tarball (for kernel patches): <ulink url="http://www.netfilter.org/">http://www.netfilter.org/</ulink></para></listitem><listitem><para>Source RPM for rebuild of binary (for RedHat systems): <ulink url="ftp://ftp.redhat.com/redhat/linux/rawhide/SRPMS/SRPMS/">ftp://ftp.redhat.com/redhat/linux/rawhide/SRPMS/SRPMS/</ulink> or perhaps also at <ulink url="http://www.netcore.fi/pekkas/linux/ipv6/ ">http://www.netcore.fi/pekkas/linux/ipv6/ </ulink></para></listitem></itemizedlist></sect2>
<sect2><title>Extract sources</title><para>Change to source directory: </para><programlisting><![CDATA[# cd /path/to/src
]]></programlisting><para>Unpack and rename kernel sources </para><programlisting><![CDATA[# tar z|jxf kernel-version.tar.gz|bz2
]]><![CDATA[# mv linux linux-version-iptables-version+IPv6
]]></programlisting><para>Unpack iptables sources </para><programlisting><![CDATA[# tar z|jxf iptables-version.tar.gz|bz2
]]></programlisting></sect3>
<sect3><title>Apply latest iptables/IPv6-related patches to kernel source</title><para>Change to iptables directory </para><programlisting><![CDATA[# cd iptables-version
]]></programlisting></sect2>
<sect2><title>Apply latest iptables/IPv6-related patches to kernel source</title><para>Change to iptables directory </para><programlisting><![CDATA[# cd iptables-version
]]></programlisting><para>Apply pending patches </para><programlisting><![CDATA[# make pending-patches KERNEL_DIR=/path/to/src/linux-version-iptables-version/
]]></programlisting><para>Apply additional IPv6 related patches (still not in the vanilla kernel included) </para><programlisting><![CDATA[# make patch-o-matic KERNEL_DIR=/path/to/src/linux-version-iptables-version/
]]></programlisting><para>Say yes at following options (iptables-1.2.2) </para><itemizedlist><listitem><para>ah-esp.patch </para></listitem><listitem><para>masq-dynaddr.patch (only needed for systems with dynamic IP assigned WAN connections like PPP or PPPoE) </para></listitem><listitem><para>ipv6-agr.patch.ipv6 </para></listitem><listitem><para>ipv6-ports.patch.ipv6 </para></listitem><listitem><para>LOG.patch.ipv6 </para></listitem><listitem><para>REJECT.patch.ipv6 </para></listitem></itemizedlist><para>Check IPv6 extensions </para><programlisting><![CDATA[# make print-extensions
]]><![CDATA[Extensions found: IPv6:owner IPv6:limit IPv6:mac IPv6:multiport
]]></programlisting></sect3>
<sect3><title>Configure, build and install new kernel</title><para>Change to kernel sources </para><programlisting><![CDATA[# cd /path/to/src/linux-version-iptables-version/
]]></programlisting></sect2>
<sect2><title>Configure, build and install new kernel</title><para>Change to kernel sources </para><programlisting><![CDATA[# cd /path/to/src/linux-version-iptables-version/
]]></programlisting><para>Edit Makefile </para><programlisting><![CDATA[- EXTRAVERSION =
]]><![CDATA[+ EXTRAVERSION = -iptables-version+IPv6-try
]]></programlisting><para>Run configure, enable IPv6 related </para><programlisting><![CDATA[ Code maturity level options
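Review bot: The chapter title is shortened from "Firewalling and security issues" to "Firewalling", yet the paragraph under "Firewalling using netfilter6" still points to xref linkend="IPv6-security-auditing", and none of the visible hunks defines that id. Please confirm the target still resolves after the restructuring, otherwise the build will report a dangling reference. The id "firewalling-netfilter6" also moves from a sect2 to a sect1 here, so any existing links to it will now land one level higher; the chapter id "chapter-firewalling-security" no longer matches the title, which is fine to keep for link stability but worth a comment.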
@ -816,43 +834,56 @@ In versions 8.x they completly change their configuration setup. </para><sect2><
]]><![CDATA[ LOG target support: module
]]><![CDATA[ Packet mangling: module
]]><![CDATA[ MARK target support: module
]]></programlisting><para>Configure other related to your system, too </para><para>Compilation and installing: see the kernel section here and other HOWTOs </para></sect3>
<sect3><title>Rebuild and install binaries of iptables</title><para>Make sure, that upper kernel source tree is also available at /usr/src/linux/ </para><para>Rename older directory </para><programlisting><![CDATA[# mv /usr/src/linux /usr/src/linux.old
]]></programlisting><para>Configure other related to your system, too </para><para>Compilation and installing: see the kernel section here and other HOWTOs </para></sect2>
<sect2><title>Rebuild and install binaries of iptables</title><para>Make sure, that upper kernel source tree is also available at /usr/src/linux/ </para><para>Rename older directory </para><programlisting><![CDATA[# mv /usr/src/linux /usr/src/linux.old
]]></programlisting><para>Create a new softlink </para><programlisting><![CDATA[# ln /path/to/src/linux-version-iptables-version /usr/src/linux
]]></programlisting><para>Rebuild SRPMS </para><programlisting><![CDATA[# rpm --rebuild /path/to/SRPMS/iptables-version-release.src.rpm
]]></programlisting><para>Install new iptables packages (iptables + iptables-ipv6) </para><itemizedlist><listitem><para>On RH 7.1 systems, normally, already an older version is installed, therefore use &quot;freshen&quot; </para></listitem></itemizedlist><programlisting><![CDATA[# rpm -Fhv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
]]></programlisting><itemizedlist><listitem><para>If not already installed, use &quot;install&quot; </para></listitem></itemizedlist><programlisting><![CDATA[# rpm -ihv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
]]></programlisting><itemizedlist><listitem><para>On RH 6.2 systems, normally, no kernel 2.4.x is installed, therefore the requirements don't fit. Use &quot;--nodeps&quot; to install it </para></listitem></itemizedlist><programlisting><![CDATA[# rpm -ihv --nodep /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
]]></programlisting><para>Perhaps it's necessary to create a softlink for iptables libraries where iptables looks for them </para><programlisting><![CDATA[# ln -s /lib/iptables/ /usr/lib/iptables
]]></programlisting></sect3>
</sect2>
<sect2><title>Usage</title><sect3><title>Check for support</title><para>Load module, if so compiled </para><programlisting><![CDATA[# modprobe ip6_tables
]]></programlisting></sect2>
</sect1>
<sect1><title>Usage</title><sect2><title>Check for support</title><para>Load module, if so compiled </para><programlisting><![CDATA[# modprobe ip6_tables
]]></programlisting><para>Check for capability </para><programlisting><![CDATA[# [ ! -f /proc/net/ip6_tables_names ] && echo "Current kernel doesn't support
]]><![CDATA[¬ 'ip6tables' firewalling (IPv6)!"
]]></programlisting></sect3>
<sect3><title>Learn how to use ip6tables</title><para>List all IPv6 netfilter entries </para><itemizedlist><listitem><para>Short </para></listitem></itemizedlist><programlisting><![CDATA[# ip6tables -L
]]></programlisting></sect2>
<sect2><title>Learn how to use ip6tables</title><sect3><title>List all IPv6 netfilter entries </title><itemizedlist><listitem><para>Short </para></listitem></itemizedlist><programlisting><![CDATA[# ip6tables -L
]]></programlisting><itemizedlist><listitem><para>Extended </para></listitem></itemizedlist><programlisting><![CDATA[# ip6tables -n -v --line-numbers -L
]]></programlisting><para>List specified filter </para><programlisting><![CDATA[# ip6tables -n -v --line-numbers -L INPUT
]]></programlisting><para>Insert a log rule at the input filter with options </para><programlisting><![CDATA[# ip6tables --table filter --append INPUT -j LOG --log-prefix "INPUT:"
]]></programlisting></sect3>
<sect3><title>List specified filter </title><programlisting><![CDATA[# ip6tables -n -v --line-numbers -L INPUT
]]></programlisting></sect3>
<sect3><title>Insert a log rule at the input filter with options </title><programlisting><![CDATA[# ip6tables --table filter --append INPUT -j LOG --log-prefix "INPUT:"
]]><![CDATA[¬ --log-level 7
]]></programlisting><para>Insert a drop rule at the input filter </para><programlisting><![CDATA[# ip6tables --table filter --append INPUT -j DROP
]]></programlisting><para>Delete a rule by number </para><programlisting><![CDATA[# ip6tables --table filter --delete INPUT 1
]]></programlisting><para>Allow ICMPv6, at the moment, with unpatched kernel 2.4.5 and iptables-1.2.2 no type can be specified </para><itemizedlist><listitem><para>Accept incoming ICMPv6 through tunnels </para></listitem></itemizedlist><programlisting><![CDATA[# ip6tables -A INPUT -i sit+ -p icmpv6 -j ACCEPT
]]></programlisting></sect3>
<sect3><title>Insert a drop rule at the input filter </title><programlisting><![CDATA[# ip6tables --table filter --append INPUT -j DROP
]]></programlisting></sect3>
<sect3><title>Delete a rule by number </title><programlisting><![CDATA[# ip6tables --table filter --delete INPUT 1
]]></programlisting></sect3>
<sect3><title>Allow ICMPv6</title><para>Using older kernels (unpatched kernel 2.4.5 and iptables-1.2.2) no type can be specified</para><itemizedlist><listitem><para>Accept incoming ICMPv6 through tunnels </para></listitem></itemizedlist><programlisting><![CDATA[# ip6tables -A INPUT -i sit+ -p icmpv6 -j ACCEPT
]]></programlisting><itemizedlist><listitem><para>Allow outgoing ICMPv6 through tunnels </para></listitem></itemizedlist><programlisting><![CDATA[# ip6tables -A OUTPUT -o sit+ -p icmpv6 -j ACCEPT
]]></programlisting><para>Allow incoming SSH, here an example is shown for a ruleset which allows incoming SSH connection from a specified IPv6 address </para><itemizedlist><listitem><para>Allow incoming SSH from 3ffe:400:100::1/128 </para></listitem></itemizedlist><programlisting><![CDATA[# ip6tables -A INPUT -i sit+ -p tcp -s 3ffe:400:100::1/128 --sport 512:65535
]]></programlisting><para>Newer kernels allow specifying of ICMPv6 types:</para><programlisting><![CDATA[# ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
]]></programlisting></sect3>
<sect3><title>Rate-limiting</title><para>Because it can happen (author already saw it to times) that an ICMPv6 storm will raise up, you should use available rate limiting for at least ICMPv6 ruleset. In addition logging rules should also get rate limiting to prevent DoS attacks against syslog and storage of log file partition. An example for a rate limited ICMPv6 looks like:</para><programlisting><![CDATA[# ip6tables -A INPUT --protocol icmpv6 --icmpv6-type echo-request -j ACCEPT --match limit --limit 30/minute
]]></programlisting></sect3>
<sect3><title>Allow incoming SSH</title><para>Here an example is shown for a ruleset which allows incoming SSH connection from a specified IPv6 address </para><itemizedlist><listitem><para>Allow incoming SSH from 3ffe:ffff:100::1/128 </para></listitem></itemizedlist><programlisting><![CDATA[# ip6tables -A INPUT -i sit+ -p tcp -s 3ffe:ffff:100::1/128 --sport 512:65535
]]><![CDATA[¬ --dport 22 -j ACCEPT
]]></programlisting><itemizedlist><listitem><para>Allow response packets (at the moment IPv6 connection tracking isn't in mainstream netfilter6 implemented) </para></listitem></itemizedlist><programlisting><![CDATA[# ip6tables -A OUTPUT -o sit+ -p tcp -d 3ffe:400:100::1/128 --dport 512:65535
]]></programlisting><itemizedlist><listitem><para>Allow response packets (at the moment IPv6 connection tracking isn't in mainstream netfilter6 implemented) </para></listitem></itemizedlist><programlisting><![CDATA[# ip6tables -A OUTPUT -o sit+ -p tcp -d 3ffe:ffff:100::1/128 --dport 512:65535
]]><![CDATA[¬ --sport 22 ! --syn j ACCEPT
]]></programlisting><para>Enable tunneled IPv6-in-IPv4, to accept tunneled IPv6-in-IPv4 packets, you have to insert rules in your IPv4 firewall setup relating to such packets, for example </para><itemizedlist><listitem><para>Accept incoming IPv6-in-IPv4 on interface ppp0 </para></listitem></itemizedlist><programlisting><![CDATA[# iptables -A INPUT -i ppp0 -p ipv6 -j ACCEPT
]]></programlisting></sect3>
<sect3><title>Enable tunneled IPv6-in-IPv4</title><para>Tto accept tunneled IPv6-in-IPv4 packets, you have to insert rules in your IPv4 firewall setup relating to such packets, for example </para><itemizedlist><listitem><para>Accept incoming IPv6-in-IPv4 on interface ppp0 </para></listitem></itemizedlist><programlisting><![CDATA[# iptables -A INPUT -i ppp0 -p ipv6 -j ACCEPT
]]></programlisting><itemizedlist><listitem><para>Allow outgoing IPv6-in-IPv4 to interface ppp0 </para></listitem></itemizedlist><programlisting><![CDATA[# iptables -A OUTPUT -o ppp0 -p ipv6 -j ACCEPT
]]></programlisting><para>If you have only a static tunnel, you can specify the IPv4 addresses, too, like </para><itemizedlist><listitem><para>Accept incoming IPv6-in-IPv4 on interface ppp0 from tunnel endpoint 1.2.3.4 </para></listitem></itemizedlist><programlisting><![CDATA[# iptables -A INPUT -i ppp0 -p ipv6 -s 1.2.3.4 -j ACCEPT
]]></programlisting><itemizedlist><listitem><para>Allow outgoing IPv6-in-IPv4 to interface ppp0 to tunnel endpoint 1.2.3.4 </para></listitem></itemizedlist><programlisting><![CDATA[# iptables -A OUTPUT -o ppp0 -p ipv6 -d 1.2.3.4 -j ACCEPT
]]></programlisting><para>Protect against incoming TCP connection requests (VERY RECOMMENDED!), for security issues you should really insert a rule which blocks incoming TCP connection requests. Adapt &quot;-i&quot; option, if other interface names are in use! </para><itemizedlist><listitem><para>Block incoming TCP connection requests to this host </para></listitem></itemizedlist><programlisting><![CDATA[# ip6tables -I INPUT -i sit+ -p tcp --syn -j DROP
]]></programlisting></sect3>
<sect3><title>Protection against incoming TCP connection requests</title><para>VERY RECOMMENDED! For security issues you should really insert a rule which blocks incoming TCP connection requests. Adapt &quot;-i&quot; option, if other interface names are in use! </para><itemizedlist><listitem><para>Block incoming TCP connection requests to this host </para></listitem></itemizedlist><programlisting><![CDATA[# ip6tables -I INPUT -i sit+ -p tcp --syn -j DROP
]]></programlisting><itemizedlist><listitem><para>Block incoming TCP connection requests to hosts behind this router </para></listitem></itemizedlist><programlisting><![CDATA[# ip6tables -I FORWARD -i sit+ -p tcp --syn -j DROP
]]></programlisting><para>Perhaps the rules have to be placed below others, but that is work you have to think about it. Best way is to create a script and execute rules in a specified way. </para><para>Protect against incoming UDP connection requests (ALSO RECOMMENDED!), like mentioned on my firewall information it's possible to control the ports on outgoing UDP/TCP sessions. So if all of your local IPv6 systems are use local ports e.g. from 32768 to 60999 you are able to filter UDP connections also (until connection tracking works) like: </para><itemizedlist><listitem><para>Block incoming UDP packets which cannot be responses of outgoing requests of this host </para></listitem></itemizedlist><programlisting><![CDATA[# ip6tables -I INPUT -i sit+ -p udp ! --dport 32768:60999 -j DROP
]]></programlisting><para>Perhaps the rules have to be placed below others, but that is work you have to think about it. Best way is to create a script and execute rules in a specified way. </para></sect3>
<sect3><title>Protection against incoming UDP connection requests</title><para>ALSO RECOMMENDED! Like mentioned on my firewall information it's possible to control the ports on outgoing UDP/TCP sessions. So if all of your local IPv6 systems are use local ports e.g. from 32768 to 60999 you are able to filter UDP connections also (until connection tracking works) like: </para><itemizedlist><listitem><para>Block incoming UDP packets which cannot be responses of outgoing requests of this host </para></listitem></itemizedlist><programlisting><![CDATA[# ip6tables -I INPUT -i sit+ -p udp ! --dport 32768:60999 -j DROP
]]></programlisting><itemizedlist><listitem><para>Block incoming UDP packets which cannot be responses of forwarded requests of hosts behind this router </para></listitem></itemizedlist><programlisting><![CDATA[ip6tables -I FORWARD -i sit+ -p udp ! --dport 32768:60999 -j DROP
]]></programlisting></sect3>
<sect3><title>Demonstration example</title><para>Following lines show a more sophisticated setup as an example. Happy netfilter6 ruleset creation.... </para><programlisting><![CDATA[# ip6tables -n -v -L
</sect2>
<sect2><title>Demonstration example</title><para>Following lines show a more sophisticated setup as an example. Happy netfilter6 ruleset creation.... </para><programlisting><![CDATA[# ip6tables -n -v -L
]]><![CDATA[Chain INPUT (policy DROP 0 packets, 0 bytes)
]]><![CDATA[ pkts bytes target prot opt in out source destination
]]><![CDATA[ 0 0 extIN all sit+ * ::/0 ::/0
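Review bot: The continuation line of the SSH response rule reads "--sport 22 ! --syn j ACCEPT"; the target option is missing its dash, so ip6tables will reject the command as printed, and it should be "-j ACCEPT". Since this listing is already being touched for the 3ffe:ffff prefix, fix it in the same change. The new "Enable tunneled IPv6-in-IPv4" sect3 opens with "Tto accept", and the FORWARD UDP rule lacks the "# " prompt the other listings carry. For the UDP rules it is worth stating that "! --dport 32768:60999" leaves every UDP port inside that range reachable from the tunnel interface, so any service listening there stays exposed until connection tracking is available.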
@ -915,9 +946,9 @@ In versions 8.x they completly change their configuration setup. </para><sect2><
]]><![CDATA[ pkts bytes target prot opt in out source destination
]]><![CDATA[¬
]]><![CDATA[ 0 0 ACCEPT tcp * * ::/0
]]><![CDATA[¬ 3ffe:400:100::1/128tcp spt:22 dpts:512:65535 flags:!0x16/0x02
]]><![CDATA[¬ 3ffe:ffff:100::1/128tcp spt:22 dpts:512:65535 flags:!0x16/0x02
]]><![CDATA[ 0 0 ACCEPT tcp * * ::/0
]]><![CDATA[¬ 3ffe:400:100::2/128tcp spt:22 dpts:512:65535 flags:!0x16/0x02
]]><![CDATA[¬ 3ffe:ffff:100::2/128tcp spt:22 dpts:512:65535 flags:!0x16/0x02
]]><![CDATA[ 0 0 ACCEPT icmpv6 * * ::/0 ::/0
]]><![CDATA[ 0 0 ACCEPT tcp * * ::/0 ::/0
]]><![CDATA[¬ tcp spts:1024:65535 dpts:1:65535
@ -958,17 +989,32 @@ In versions 8.x they completly change their configuration setup. </para><sect2><
]]><![CDATA[ 0 0 LOG all * * ::/0 ::/0
]]><![CDATA[¬ LOG flags 0 level 7 prefix `intOUT-default:'
]]><![CDATA[ 0 0 DROP all * * ::/0 ::/0
]]></programlisting></sect3>
</sect2>
]]></programlisting></sect2>
</sect1>
<sect1><title>Security</title><sect2><title>Node security</title><para>It's very recommend to apply all available patches and disable all not necessary services.</para><para>More to be filled...</para></sect2>
<sect2><title>Access limitations</title><para>Many services uses the tcp_wrapper library for access control. Below is described the <link linkend="hints-daemons-tcpwrapper">use of tcp_wrapper</link>.</para><para>More to be filled...</para></sect2>
</sect1>
<sect1 id="IPv6-security-auditing"><title>IPv6 security auditing</title><para>Currently there are no comfortable tools out which are able to check a system over network for IPv6 security issues. Neither <ulink url="http://www.insecure.org/nmap/">NMap</ulink> nor <ulink url="http://www.nessus.org/">Nessus</ulink> or any commercial security scanner is as far as I know able to scan IPv6 addresses.</para><sect2><title>Legal issues</title><para>ATTENTION: always take care that you only scan your own systems or after receiving a written order, otherwise legal issues are able to come up to you.
</chapter>
<chapter><title>Security</title><sect1><title>Node security</title><para>It's very recommend to apply all available patches and disable all not necessary services. Also bind services to the needed IPv4/IPv6 addresses only and install local firewalling.</para><para>More to be filled...</para></sect1>
<sect1><title>Access limitations</title><para>Many services uses the tcp_wrapper library for access control. Below is described the <link linkend="hints-daemons-tcpwrapper">use of tcp_wrapper</link>.</para><para>More to be filled...</para></sect1>
<sect1 id="IPv6-security-auditing"><title>IPv6 security auditing</title><para>Currently there are no comfortable tools out which are able to check a system over network for IPv6 security issues. Neither <ulink url="http://www.nessus.org/">Nessus</ulink> nor any commercial security scanner is as far as I know able to scan IPv6 addresses.</para><sect2><title>Legal issues</title><para>ATTENTION: always take care that you only scan your own systems or after receiving a written order, otherwise legal issues are able to come up to you.
CHECK destination IPv6 addresses TWICE before starting a scan.</para></sect2>
<sect2><title>Security auditing using IPv6-enabled netcat</title><para>With the IPv6-enabled netcat (see <ulink url="http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-apps.html#security-auditing">IPv6+Linux-status-apps/security-auditing</ulink> for more) you can run a portscan by wrapping a script around which run through a port range, grab banners and so on. Usage example:</para><programlisting><![CDATA[# nc6 ::1 daytime
]]><![CDATA[13 JUL 2002 11:22:22 CEST
]]></programlisting></sect2>
<sect2><title>Security auditing using IPv6-enabled nmap</title><para><ulink url="http://www.insecure.org/nmap/">NMap</ulink>, one of the best portscaner around the world, is currently not IPv6-enabled out of the box, but there is a patch available (see <ulink url="http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-apps.html#security-auditing">IPv6+Linux-status-apps/security-auditing</ulink> for more). Usage example:</para><programlisting><![CDATA[# nmap -6 -sS -P0 ::1
]]><![CDATA[Starting nmap V. 2.54BETA37 ( www.insecure.org/nmap/ )
]]><![CDATA[Interesting ports on localhost6 (::1):
]]><![CDATA[(The 1597 ports scanned but not shown below are in state: closed)
]]><![CDATA[Port State Service
]]><![CDATA[22/tcp open ssh
]]><![CDATA[53/tcp open domain
]]><![CDATA[515/tcp open printer
]]><![CDATA[2401/tcp open cvspserver
]]><![CDATA[Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
]]></programlisting><para>Note: the patch isn't really finished yet, you need at least option &quot;-P0&quot; or may not use &quot;-O&quot;, otherwise you get such strange error message:</para><programlisting><![CDATA[# nmap -6 -sS -P0 -O ::1
]]><![CDATA[Starting nmap V. 2.54BETA37 ( www.insecure.org/nmap/ )
]]><![CDATA[sendto in send_tcp_raw6: sendto(4, packet, 60, 0, ::1, 28) => Invalid argument
]]><![CDATA[Sleeping 15 seconds then retrying
]]><![CDATA[caught SIGINT signal, cleaning up
]]></programlisting></sect2>
<sect2><title>Security auditing using IPv6-enabled strobe</title><para>Strobe is a (compared to NMap) more a low budget portscanner, but there is an IPv6-enabling patch available (see <ulink url="http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-apps.html#security-auditing">IPv6+Linux-status-apps/security-auditing</ulink> for more). Usage example:</para><programlisting><![CDATA[# ./strobe ::1 strobe 1.05 (c) 1995-1999 Julian Assange <proff@iq.org>.
]]><![CDATA[::1 2401 unassigned unknown
]]><![CDATA[::1 22 ssh Secure Shell - RSA encrypted rsh
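Review bot: The note after the nmap listing says you need at least option "-P0" or may not use "-O", but the failing example that follows is run with -P0 and still breaks once -O is added, so both conditions apply; reword it to "use -P0 and do not use -O". In the strobe listing the command and the program banner share one line ("# ./strobe ::1 strobe 1.05 (c) ..."), which needs a line break after "::1". The intro of the auditing sect1 still says no comfortable tools can scan IPv6 addresses, which reads oddly next to the nc6, nmap and strobe sections that follow it, and "portscaner" should be "portscanner".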
@ -1070,7 +1116,7 @@ CHECK destination IPv6 addresses TWICE before starting a scan.</para></sect2>
]]><![CDATA[¬ daytime/tcp
]]><![CDATA[tcp 0 0 ::ffff:192.168.1.1:143 :::* LISTEN 12345/xinetd-ipv6
]]></programlisting><para>Shown example also displays an IMAP and IMAP-SSL IPv4-only listening xinetd.</para><para>Note: An IPv4-only xinetd won't start on an IPv6-enabled node and also the IPv6-enabled won't start on an IPv4-only node (will be hopefully fixed in the future).</para></sect1>
<sect1 id="hints-daemons-apache2"><title>Webserver Apache2 (httpd2)</title><para>Apache web server supports IPv6 native by maintainers since 2.0.14. Available patches for the older 1.3.x series are not current and shouldn't be used in public environment, but available at <ulink url="ftp://ftp.kame.net/pub/kame/misc/">KAME / Misc</ulink>.</para><sect2><title>Listening on IPv6 addresses</title><para>Note: virtual hosts on IPv6 addresses are broken in versions until 2.0.28 (a patch is available for 2.0.28). But always try latest available version first.</para><sect3><title>Virtual host listen on an IPv6 address only</title><programlisting><![CDATA[Listen [3ffe:ffff:100::1]:80
<sect1 id="hints-daemons-apache2"><title>Webserver Apache2 (httpd2)</title><para>Apache web server supports IPv6 native by maintainers since 2.0.14. Available patches for the older 1.3.x series are not current and shouldn't be used in public environment, but available at <ulink url="ftp://ftp.kame.net/pub/kame/misc/">KAME / Misc</ulink>.</para><sect2><title>Listening on IPv6 addresses</title><para>Note: virtual hosts on IPv6 addresses are broken in versions until 2.0.28 (a patch is available for 2.0.28). But always try latest available version first because earlier versions had some security issues.</para><sect3><title>Virtual host listen on an IPv6 address only</title><programlisting><![CDATA[Listen [3ffe:ffff:100::1]:80
]]><![CDATA[<VirtualHost [3ffe:ffff:100::1]:80>
]]><![CDATA[ ServerName ipv6only.yourdomain.yourtopleveldomain
]]><![CDATA[ # ...sure more config lines
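Review bot: The added clause "because earlier versions had some security issues" gives the reader nothing to act on, since it names neither the affected versions nor an advisory. State the minimum 2.0.x release you consider acceptable or point to where the issues are documented, and keep the 2.0.28 virtual-host breakage separate from the security reason so the two are not read as the same problem.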
@ -1197,7 +1243,7 @@ Kai Fuhrberg
2. akt. Auflage 2000 Carl Hanser Verlag München, Wien, ISBN: 3-446-21333-3
Kap.2.3.1.4. IPv6 S.18-22
Kurz angerissen werden: RFC1825 - Security Association Konzept RFC1826 - IP authentication Header RFC1827 - IP Encapsulation Security Payload</para></listitem></itemizedlist></sect2>
<sect2><title>Articles, Books, Online Reviews (mixed)</title><itemizedlist><listitem><para><ulink url="http://www.onlamp.com/pub/a/onlamp/2001/06/01/ipv6_tutorial.html">Getting Connected with 6to4</ulink> by Huber Feyrer, 06/01/2001</para></listitem><listitem><para><ulink url="http://researchcenter.zdnet.com/data/detail?id=1001711171_237&amp;type=RES&amp;x=120054357">How Long the Aversion to IP Version 6</ulink> - Review of META Group, Inc., full access needs (free) registration at META Group, Inc.</para></listitem><listitem><para><ulink url="http://www.oreillynet.com/search/index.ncsp?sp-q=IPv6">O'reilly Network search for keyword IPv6</ulink> results in 29 hits (28. January 2002)</para></listitem><listitem><para><ulink url="http://www.nwfusion.com/news/2000/1023ipv6.html">Wireless boosting IPv6</ulink> by Carolyn Duffy Marsan, 10/23/2000</para></listitem><listitem><para><ulink url="http://www.oreilly.fr/catalogue/ipv6.html">IPv6, théorie et pratique</ulink> (french) 2e édition, mars 1999, O'Reilly (??? no newer one available ???) ISBN: 2-84177-085-0</para></listitem><listitem><para><ulink url="http://www.ip6.com/index.html">Internetworking IPv6 with Cisco Routers</ulink> by Silvano Gai, McGrawHill Italia, 1997 13 chapters and appendix A-D are downloadable as PDF-documents.</para></listitem><listitem><para><ulink url="http://www.vermicelli.pasta.cs.uit.no/ipv6/students/vegars/">Secure and Dynamic Tunnel Broker</ulink> by Vegar Skaerven Wang, Master of Engineering Thesis in Computer Science, 2.June 2000, Faculty of Science, Dep.of Computer Science, University of Tromso, Norway.</para></listitem><listitem><para><ulink url="http://www.netobjectdays.org/pdf/99/stja/doering.pdf">Aufbruch in die neue Welt - IPv6 in IPv4 Netzen</ulink> von Dipl.Ing. 
Ralf Döring, TU Illmenau, 1999</para></listitem><listitem><para><ulink url="http://www.csc.fi/~psavola/residential.html">Migration and Co-existence of IPv4 and IPv6 in Residential Networks</ulink> by Pekka Savola, CSC/FUNET, 2002</para></listitem><listitem><para>Book <ulink url="http://www.sunny.ch/publications/f_ipv6.htm">IPv6 Essentials</ulink> written by Silvia Hagen, release planned for April 2002</para></listitem></itemizedlist></sect2>
<sect2><title>Articles, Books, Online Reviews (mixed)</title><itemizedlist><listitem><para><ulink url="http://www.onlamp.com/pub/a/onlamp/2001/06/01/ipv6_tutorial.html">Getting Connected with 6to4</ulink> by Huber Feyrer, 06/01/2001</para></listitem><listitem><para><ulink url="http://researchcenter.zdnet.com/data/detail?id=1001711171_237&amp;type=RES&amp;x=120054357">How Long the Aversion to IP Version 6</ulink> - Review of META Group, Inc., full access needs (free) registration at META Group, Inc.</para></listitem><listitem><para><ulink url="http://www.oreillynet.com/search/index.ncsp?sp-q=IPv6">O'reilly Network search for keyword IPv6</ulink> results in 29 hits (28. January 2002)</para></listitem><listitem><para><ulink url="http://www.nwfusion.com/news/2000/1023ipv6.html">Wireless boosting IPv6</ulink> by Carolyn Duffy Marsan, 10/23/2000</para></listitem><listitem><para><ulink url="http://www.oreilly.fr/catalogue/ipv6.html">IPv6, théorie et pratique</ulink> (french) 2e édition, mars 1999, O'Reilly (??? no newer one available ???) ISBN: 2-84177-085-0</para></listitem><listitem><para><ulink url="http://www.ip6.com/index.html">Internetworking IPv6 with Cisco Routers</ulink> by Silvano Gai, McGrawHill Italia, 1997 13 chapters and appendix A-D are downloadable as PDF-documents.</para></listitem><listitem><para><ulink url="http://www.vermicelli.pasta.cs.uit.no/ipv6/students/vegars/">Secure and Dynamic Tunnel Broker</ulink> by Vegar Skaerven Wang, Master of Engineering Thesis in Computer Science, 2.June 2000, Faculty of Science, Dep.of Computer Science, University of Tromso, Norway.</para></listitem><listitem><para><ulink url="http://www.netobjectdays.org/pdf/99/stja/doering.pdf">Aufbruch in die neue Welt - IPv6 in IPv4 Netzen</ulink> von Dipl.Ing. 
Ralf Döring, TU Illmenau, 1999</para></listitem><listitem><para><ulink url="http://www.csc.fi/~psavola/residential.html">Migration and Co-existence of IPv4 and IPv6 in Residential Networks</ulink> by Pekka Savola, CSC/FUNET, 2002</para></listitem><listitem><para><ulink url="http://www.sunny.ch/publications/f_ipv6.htm">IPv6 Essentials</ulink> written by Silvia Hagen, July 2002, O'Reilly <ulink url="http://www.oreilly.com/catalog/ipv6ess/">Order Number: 1258</ulink>, ISBN 0-5960-0125-8</para></listitem></itemizedlist></sect2>
<sect2><title>Others</title><para>See following URL for more: <ulink url="http://www.switch.ch/lan/ipv6/references.html">SWITCH IPv6 Pilot / References</ulink></para></sect2>
</sect1>
<sect1 id="information-onlineinformation"><title>Online information</title><sect2 id="information-joinipv6"><title>Join the IPv6 backbone</title><para>More to be filled later...suggestions are welcome!</para><sect3 id="information-globalregistries"><title>Global registries</title><itemizedlist><listitem><para>IPv6 test backbone: <ulink url="http://www.6bone.net/6bone_hookup.html">6bone</ulink>, <ulink url="http://www.6bone.net/6bone_hookup.html">How to join 6bone</ulink></para></listitem></itemizedlist></sect3>
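Review bot: The updated "IPv6 Essentials" entry writes "ISBN 0-5960-0125-8" without the colon used by the other ISBN in this list ("ISBN: 2-84177-085-0"); use one style, and check the hyphen grouping against the publisher's listing before release.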
@ -1344,7 +1390,10 @@ Kurz angerissen werden: RFC1825 - Security Association Konzept RFC1826 - IP auth
</tgroup></informaltable>
*very recommended if you provide server applications.</para><para>Something missing? Suggestions are welcome!</para><para>Another list is available at <ulink url="http://www.join.uni-muenster.de/JOIN/ipv6/texte-englisch/ipv6.infoquellen.html">JOIN Project / List of IPv6-related maillists</ulink>.</para></sect1>
</chapter>
<chapter><title>Revision history / Credits / The End</title><sect1 id="revision-history"><title>Revision history</title><para>Versions x.y are published on the Internet.</para><para>Versions x.y.z are work-in-progress and only published as LyX file on CVS.</para><sect2><title>Releases 0.x</title><variablelist><varlistentry><term>0.26
<chapter><title>Revision history / Credits / The End</title><sect1 id="revision-history"><title>Revision history</title><para>Versions x.y are published on the Internet.</para><para>Versions x.y.z are work-in-progress and only published as LyX file on CVS.</para><sect2><title>Releases 0.x</title><variablelist><varlistentry><term>0.27
</term><listitem><para>2002-08-10/PB: Some minor updates</para></listitem></varlistentry><varlistentry><term>0.26.2
</term><listitem><para>2002-07-15/PB: Add information neighbor discovery, split of firewalling (got some updates) and security into extra chapters</para></listitem></varlistentry><varlistentry><term>0.26.1
</term><listitem><para>2002-07-13/PB: Update nmap/IPv6 information</para></listitem></varlistentry><varlistentry><term>0.26
</term><listitem><para>2002-07-13/PB: Fill /proc-filesystem chapter, update DNS information about depricated A6/DNAME, change P-t-P tunnel setup to use of &quot;ip&quot; only</para></listitem></varlistentry><varlistentry><term>0.25.2
</term><listitem><para>2002-07-11/PB: Minor spelling fixes</para></listitem></varlistentry><varlistentry><term>0.25.1
</term><listitem><para>2002-06-23/PB: Minor spelling and other fixes</para></listitem></varlistentry><varlistentry><term>0.25
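Review bot: The new 0.27 entry says only "Some minor updates", which does not tell readers what changed; the changes visible in this commit that the 0.26.1 and 0.26.2 entries do not cover, such as the example prefix moving from 3ffe:400 to 3ffe:ffff and the security remark added to the Apache2 section, should be listed there. The unchanged 0.26 entry just below still has "depricated", which could be corrected in the same pass.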