diff --git a/LDP/howto/docbook/Linux+IPv6-HOWTO.sgml b/LDP/howto/docbook/Linux+IPv6-HOWTO.sgml index 1ec2206b..45b19454 100644 --- a/LDP/howto/docbook/Linux+IPv6-HOWTO.sgml +++ b/LDP/howto/docbook/Linux+IPv6-HOWTO.sgml @@ -8,12 +8,12 @@ Peter Bieringer
pb (at) bieringer.de
+ Release 0.27 2002-08-10 PB See revision history for more Release 0.26 2002-07-13 PB See revision history for more Release 0.25 2002-05-16 PB See revision history for more - Release 0.24 2002-05-02 PB See revision history for more The goal of the Linux IPv6 HOWTO is to answer both basic and advanced questions about IPv6 on the Linux operating system. This HOWTO will provide the reader with enough information to install, configure, and use IPv6 applications on Linux machines. -GeneralCVS-ID: $Id: Linux+IPv6-HOWTO.lyx,v 1.25 2002/07/13 09:38:37 pbldp Exp $Copyright, license and othersCopyrightWritten and Copyright (C) 2001-2002 by Peter Bieringer +GeneralCVS-ID: $Id: Linux+IPv6-HOWTO.lyx,v 1.28 2002/07/15 18:23:14 pbldp Exp $Copyright, license and othersCopyrightWritten and Copyright (C) 2001-2002 by Peter Bieringer LicenseThis Linux IPv6 HOWTO is published under GNU GPL version 2: 
@@ -182,7 +182,7 @@ You can still apply for one of these prefixes, see here IPv6-ready system checkBefore you can start using IPv6 on a Linux host, you have to test, whether your system is IPv6-ready. You may have to do some work to enable it first.IPv6-ready kernelModern Linux distributions already contain IPv6-ready kernels, the IPv6 capability is generally compiled as a module, but it's possible that this module is not loaded automatically on startup.See IPv6+Linux-Status-Distribution page for most up-to-date information.Check for IPv6 support in the current running kernelTo check, whether your current running kernel supports IPv6, take a look into your /proc-file-system. Following entry must exists: IPv6-ready system checkBefore you can start using IPv6 on a Linux host, you have to test, whether your system is IPv6-ready. You may have to do some work to enable it first.IPv6-ready kernelModern Linux distributions already contain IPv6-ready kernels, the IPv6 capability is generally compiled as a module, but it's possible that this module is not loaded automatically on startup.See IPv6+Linux-Status-Distribution page for most up-to-date information.Note: you shouldn't anymore use kernel series 2.2.x, because it's not IPv6-up-to-date anymore.Check for IPv6 support in the current running kernelTo check, whether your current running kernel supports IPv6, take a look into your /proc-file-system. Following entry must exists: A short automatical test looks like:If this fails, it is quite likely, that the IPv6 module is not loaded. Try to load IPv6 moduleYou can try to load the IPv6 module executing +Neighbor DiscoveryNeighbor discovery was the IPv6 successor for the ARP (Address Resolution Protocol) in IPv4. You can retrieve information about the current neighbors, in addition you can set and delete entries.Neighbor detectionThe kernel keeps tracking of successful neighbor detection (like ARP in IPv4). 
You can dig into the learnt table using "ip".Displaying neighbors using "ip"With following command you can display the learnt or configured IPv6 neighbors] +]]>The following example shows one neighbor, which is a reachable router +Manipulating neighbors table using "ip"Manually add an entryWith following command you are able to manually add an entry lladdr dev +]]>Example: +Manually delete an entryLike adding also an entry can be deleted: lladdr dev +]]>Example: +More advanced settingsThe tool "ip" is less documentated, but very strong. See online "help" for more:Looks like some options are only for IPv4...if you can contribute information about flags and advanced usage, pls. send. + + Configuring IPv6-in-IPv4 tunnelsIf you want to leave your link you have no IPv6 capable network around you, you need IPv6-in-IPv4 tunneling to reach the World Wide IPv6-Internet.There are some kind of tunnel mechanism and also some possibilities to setup tunnels.Types of tunnelsThere are more than one possibility to tunnel IPv6 packets over IPv4-only links.Static point-to-point tunneling: 6boneA point-to-point tunnel is a dedicated tunnel to an endpoint, which knows about your IPv6 network (for backward routing) and the IPv4 address of your tunnel endpoint and defined in RFC 2893 / Transition Mechanisms for IPv6 Hosts and Routers. Requirements:IPv4 address of your local tunnel endpoint must be static, global unique and reachable from the foreign tunnel endpointA global IPv6 prefix assigned to you (see 6bone registry)A foreign tunnel endpoint which is capable to route your IPv6 prefix to your local tunnel endpoint (mostly remote manual configuration required) Automatically tunnelingAutomatic tunneling occurs, when a node directly connects another node gotten the IPv4 address of the other node before. 6to4-Tunneling6to4 tunneling (RFC 3056 / Connection of IPv6 Domains via IPv4 Clouds) uses a simple mechanism to create automatic tunnels. 
Each node with a global unique IPv4 address is able to be a 6to4 tunnel endpoint (if no IPv4 firewall prohibits traffic). 6to4 tunneling is mostly not a one-to-one tunnel. This case of tunneling can be divided into upstream and downstream tunneling. Also, a special IPv6 address indicates that this node will use 6to4 tunneling for connecting the world-wide IPv6 networkGeneration of 6to4 prefixThe 6to4 address is defined like following (schema is taken from RFC 3056 / Connection of IPv6 Domains via IPv4 Clouds):Use e.g. following for automatic generation:There are two ways possible to setup 6to4 tunneling now.Using "ip" and a dedicated tunnel deviceThis is now the recommended way.Create a new tunnel device ]]>Bring interface upAdd local 6to4 address to interface/16 dev tun6to4 +]]>Add local 6to4 address to interface (note: prefix length 16 is imporant!)/16 dev tun6to4 ]]>Add (default) route to the global IPv6 network using the all-6to4-routers IPv4 anycast address Using "ifconfig" and "route" and generic tunnel device "sit0" (deprecated)This is now deprecated because using the generic tunnel device sit0 doesn't let specify filtering per device.Bring generic tunnel interface sit0 upIPv6-related entries in /proc/sys/net/ipv4/At the moment (and this will be until IPv4 is completly converted to an independend kernel module) some switches are also used here for IPv6.ip_*ip_local_port_rangeThis control setting is used by IPv6 also. tcp_*This control settings are used by IPv6 also. -icmp_*This control settings are not used by IPv6. +icmp_*This control settings are not used by IPv6. To enable ICMPv6 rate limting (which is very recommended because of the capability of ICMPv6 storms) netfilter-v6 rules must be used. othersUnknown, but probably not used by IPv6. IPv6-related entries in /proc/net/In /proc/net there are several read-only entries available. You cannot retrieve information using "sysctl" here, so use e.g. 
"cat".if_inet6Type: One line per addresss containing multiple valuesHere all configured IPv6 addresses are shown in a special format. The example displays for loopback interface only. The meaning is shown below (see "net/ipv6/addrconf.c" for more)SuSE LinuxIn newer 7.x versions there is a really rudimentary support available, see /etc/rc.config for details.Because of the really different configuration and script file structure it is hard (or impossible) to use the set for Red Hat Linux and clones with this distribution. In versions 8.x they completly change their configuration setup. Further informationHow to setup 6to4 IPv6 with SuSE 7.3 -Debian LinuxI still don't have any information weather a persistent IPv6 configuration can stored somewhere.Further informationIPv6 on Debian Linux +Debian LinuxI still don't have any information whether a persistent IPv6 configuration can be stored somewhere.Further informationIPv6 on Debian Linux Auto-configuration and mobilityStateless auto-configurationIs supported and seen on the assigned link-local address after an IPv6-enabled interface is up. 
@@ -780,21 +798,21 @@ In versions 8.x they completly change their configuration setup. < Dynamic Host Configuration Protocol v6 (DHCPv6)to be filled. Mobilityto be filled.For the moment, see Mobile IPv6 for Linux(MIPL) homepage for more details -Firewalling and security issuesIPv6 firewalling is important, especially if using IPv6 on internal networks with global IPv6 addresses. Because unlike at IPv4 networks where in common internal hosts are protected automatically using private IPv4 addresses like RFC 1918 / Address Allocation for Private Internets or APIPA / Automatic Private IP Addressing, in IPv6 normally global addresses are used and someone with IPv6 connectivity can reach all internal IPv6 enabled nodes.FirewallingFirewalling using netfilter6 Native IPv6 firewalling is only supported in kernel versions 2.4+. In older 2.2- you can only filter IPv6-in-IPv4 by protocol 41. Attention: no warranty that described rules or examples are really protect your system! Audit your ruleset after installation, see for more.More informationNetfilter projectmaillist archive of netfilter usersmaillist archive of netfilter developersUnofficial status informations - -PreparationGet sourcesGet the latest kernel source: http://www.kernel.org/Get the latest iptables package: Source tarball (for kernel patches): http://www.netfilter.org/Source RPM for rebuild of binary (for RedHat systems): ftp://ftp.redhat.com/redhat/linux/rawhide/SRPMS/SRPMS/ or perhaps also at http://www.netcore.fi/pekkas/linux/ipv6/ -Extract sourcesChange to source directory: FirewallingIPv6 firewalling is important, especially if using IPv6 on internal networks with global IPv6 addresses. 
Because unlike at IPv4 networks where in common internal hosts are protected automatically using private IPv4 addresses like RFC 1918 / Address Allocation for Private Internets or APIPA / Automatic Private IP Addressing, in IPv6 normally global addresses are used and someone with IPv6 connectivity can reach all internal IPv6 enabled nodes.Firewalling using netfilter6 Native IPv6 firewalling is only supported in kernel versions 2.4+. In older 2.2- you can only filter IPv6-in-IPv4 by protocol 41. Attention: no warranty that described rules or examples are really protect your system! Audit your ruleset after installation, see for more.More informationNetfilter projectmaillist archive of netfilter usersmaillist archive of netfilter developersUnofficial status informations + +PreparationGet sourcesGet the latest kernel source: http://www.kernel.org/Get the latest iptables package: Source tarball (for kernel patches): http://www.netfilter.org/Source RPM for rebuild of binary (for RedHat systems): ftp://ftp.redhat.com/redhat/linux/rawhide/SRPMS/SRPMS/ or perhaps also at http://www.netcore.fi/pekkas/linux/ipv6/ +Extract sourcesChange to source directory: Unpack and rename kernel sources Unpack iptables sources -Apply latest iptables/IPv6-related patches to kernel sourceChange to iptables directory +Apply latest iptables/IPv6-related patches to kernel sourceChange to iptables directory Apply pending patches Apply additional IPv6 related patches (still not in the vanilla kernel included) Say yes at following options (iptables-1.2.2) ah-esp.patch masq-dynaddr.patch (only needed for systems with dynamic IP assigned WAN connections like PPP or PPPoE) ipv6-agr.patch.ipv6 ipv6-ports.patch.ipv6 LOG.patch.ipv6 REJECT.patch.ipv6 Check IPv6 extensions -Configure, build and install new kernelChange to kernel sources +Configure, build and install new kernelChange to kernel sources Edit Makefile Run configure, enable IPv6 related < ]]>Configure other related to your system, too 
Compilation and installing: see the kernel section here and other HOWTOs -Rebuild and install binaries of iptablesMake sure, that upper kernel source tree is also available at /usr/src/linux/ Rename older directory Configure other related to your system, too Compilation and installing: see the kernel section here and other HOWTOs +Rebuild and install binaries of iptablesMake sure, that upper kernel source tree is also available at /usr/src/linux/ Rename older directory Create a new softlink Rebuild SRPMS Install new iptables packages (iptables + iptables-ipv6) On RH 7.1 systems, normally, already an older version is installed, therefore use "freshen" If not already installed, use "install" On RH 6.2 systems, normally, no kernel 2.4.x is installed, therefore the requirements don't fit. Use "--nodeps" to install it Perhaps it's necessary to create a softlink for iptables libraries where iptables looks for them - -UsageCheck for supportLoad module, if so compiled + +UsageCheck for supportLoad module, if so compiled Check for capability -Learn how to use ip6tablesList all IPv6 netfilter entries Short +Learn how to use ip6tablesList all IPv6 netfilter entries Short Extended List specified filter Insert a log rule at the input filter with options +List specified filter +Insert a log rule at the input filter with options Insert a drop rule at the input filter Delete a rule by number Allow ICMPv6, at the moment, with unpatched kernel 2.4.5 and iptables-1.2.2 no type can be specified Accept incoming ICMPv6 through tunnels +Insert a drop rule at the input filter +Delete a rule by number +Allow ICMPv6Using older kernels (unpatched kernel 2.4.5 and iptables-1.2.2) no type can be specifiedAccept incoming ICMPv6 through tunnels Allow outgoing ICMPv6 through tunnels Allow incoming SSH, here an example is shown for a ruleset which allows incoming SSH connection from a specified IPv6 address Allow incoming SSH from 3ffe:400:100::1/128 Newer kernels allow specifying of ICMPv6 types: 
+Rate-limitingBecause it can happen (author already saw it to times) that an ICMPv6 storm will raise up, you should use available rate limiting for at least ICMPv6 ruleset. In addition logging rules should also get rate limiting to prevent DoS attacks against syslog and storage of log file partition. An example for a rate limited ICMPv6 looks like: +Allow incoming SSHHere an example is shown for a ruleset which allows incoming SSH connection from a specified IPv6 address Allow incoming SSH from 3ffe:ffff:100::1/128 Allow response packets (at the moment IPv6 connection tracking isn't in mainstream netfilter6 implemented) Allow response packets (at the moment IPv6 connection tracking isn't in mainstream netfilter6 implemented) Enable tunneled IPv6-in-IPv4, to accept tunneled IPv6-in-IPv4 packets, you have to insert rules in your IPv4 firewall setup relating to such packets, for example Accept incoming IPv6-in-IPv4 on interface ppp0 +Enable tunneled IPv6-in-IPv4Tto accept tunneled IPv6-in-IPv4 packets, you have to insert rules in your IPv4 firewall setup relating to such packets, for example Accept incoming IPv6-in-IPv4 on interface ppp0 Allow outgoing IPv6-in-IPv4 to interface ppp0 If you have only a static tunnel, you can specify the IPv4 addresses, too, like Accept incoming IPv6-in-IPv4 on interface ppp0 from tunnel endpoint 1.2.3.4 Allow outgoing IPv6-in-IPv4 to interface ppp0 to tunnel endpoint 1.2.3.4 Protect against incoming TCP connection requests (VERY RECOMMENDED!), for security issues you should really insert a rule which blocks incoming TCP connection requests. Adapt "-i" option, if other interface names are in use! Block incoming TCP connection requests to this host +Protection against incoming TCP connection requestsVERY RECOMMENDED! For security issues you should really insert a rule which blocks incoming TCP connection requests. Adapt "-i" option, if other interface names are in use! 
Block incoming TCP connection requests to this host Block incoming TCP connection requests to hosts behind this router Perhaps the rules have to be placed below others, but that is work you have to think about it. Best way is to create a script and execute rules in a specified way. Protect against incoming UDP connection requests (ALSO RECOMMENDED!), like mentioned on my firewall information it's possible to control the ports on outgoing UDP/TCP sessions. So if all of your local IPv6 systems are use local ports e.g. from 32768 to 60999 you are able to filter UDP connections also (until connection tracking works) like: Block incoming UDP packets which cannot be responses of outgoing requests of this host Perhaps the rules have to be placed below others, but that is work you have to think about it. Best way is to create a script and execute rules in a specified way. +Protection against incoming UDP connection requestsALSO RECOMMENDED! Like mentioned on my firewall information it's possible to control the ports on outgoing UDP/TCP sessions. So if all of your local IPv6 systems are use local ports e.g. from 32768 to 60999 you are able to filter UDP connections also (until connection tracking works) like: Block incoming UDP packets which cannot be responses of outgoing requests of this host Block incoming UDP packets which cannot be responses of forwarded requests of hosts behind this router -Demonstration exampleFollowing lines show a more sophisticated setup as an example. Happy netfilter6 ruleset creation.... +Demonstration exampleFollowing lines show a more sophisticated setup as an example. Happy netfilter6 ruleset creation.... < ]]>< ]]> - +]]> -SecurityNode securityIt's very recommend to apply all available patches and disable all not necessary services.More to be filled... -Access limitationsMany services uses the tcp_wrapper library for access control. Below is described the use of tcp_wrapper.More to be filled... 
- -IPv6 security auditingCurrently there are no comfortable tools out which are able to check a system over network for IPv6 security issues. Neither NMap nor Nessus or any commercial security scanner is as far as I know able to scan IPv6 addresses.Legal issuesATTENTION: always take care that you only scan your own systems or after receiving a written order, otherwise legal issues are able to come up to you. + +SecurityNode securityIt's very recommend to apply all available patches and disable all not necessary services. Also bind services to the needed IPv4/IPv6 addresses only and install local firewalling.More to be filled... +Access limitationsMany services uses the tcp_wrapper library for access control. Below is described the use of tcp_wrapper.More to be filled... +IPv6 security auditingCurrently there are no comfortable tools out which are able to check a system over network for IPv6 security issues. Neither Nessus nor any commercial security scanner is as far as I know able to scan IPv6 addresses.Legal issuesATTENTION: always take care that you only scan your own systems or after receiving a written order, otherwise legal issues are able to come up to you. CHECK destination IPv6 addresses TWICE before starting a scan. Security auditing using IPv6-enabled netcatWith the IPv6-enabled netcat (see IPv6+Linux-status-apps/security-auditing for more) you can run a portscan by wrapping a script around which run through a port range, grab banners and so on. Usage example: +Security auditing using IPv6-enabled nmapNMap, one of the best portscaner around the world, is currently not IPv6-enabled out of the box, but there is a patch available (see IPv6+Linux-status-apps/security-auditing for more). 
Usage example:Note: the patch isn't really finished yet, you need at least option "-P0" or may not use "-O", otherwise you get such strange error message: Invalid argument +]]> Security auditing using IPv6-enabled strobeStrobe is a (compared to NMap) more a low budget portscanner, but there is an IPv6-enabling patch available (see IPv6+Linux-status-apps/security-auditing for more). Usage example:. ]]> ]]>Shown example also displays an IMAP and IMAP-SSL IPv4-only listening xinetd.Note: An IPv4-only xinetd won't start on an IPv6-enabled node and also the IPv6-enabled won't start on an IPv4-only node (will be hopefully fixed in the future). -Webserver Apache2 (httpd2)Apache web server supports IPv6 native by maintainers since 2.0.14. Available patches for the older 1.3.x series are not current and shouldn't be used in public environment, but available at KAME / Misc.Listening on IPv6 addressesNote: virtual hosts on IPv6 addresses are broken in versions until 2.0.28 (a patch is available for 2.0.28). But always try latest available version first.Virtual host listen on an IPv6 address onlyWebserver Apache2 (httpd2)Apache web server supports IPv6 native by maintainers since 2.0.14. Available patches for the older 1.3.x series are not current and shouldn't be used in public environment, but available at KAME / Misc.Listening on IPv6 addressesNote: virtual hosts on IPv6 addresses are broken in versions until 2.0.28 (a patch is available for 2.0.28). But always try latest available version first because earlier versions had some security issues.Virtual host listen on an IPv6 address only ]]> -Articles, Books, Online Reviews (mixed)Getting Connected with 6to4 by Huber Feyrer, 06/01/2001How Long the Aversion to IP Version 6 - Review of META Group, Inc., full access needs (free) registration at META Group, Inc.O'reilly Network search for keyword IPv6 results in 29 hits (28. 
January 2002)Wireless boosting IPv6 by Carolyn Duffy Marsan, 10/23/2000IPv6, théorie et pratique (french) 2e édition, mars 1999, O'Reilly (??? no newer one available ???) ISBN: 2-84177-085-0Internetworking IPv6 with Cisco Routers by Silvano Gai, McGrawHill Italia, 1997 13 chapters and appendix A-D are downloadable as PDF-documents.Secure and Dynamic Tunnel Broker by Vegar Skaerven Wang, Master of Engineering Thesis in Computer Science, 2.June 2000, Faculty of Science, Dep.of Computer Science, University of Tromso, Norway.Aufbruch in die neue Welt - IPv6 in IPv4 Netzen von Dipl.Ing. Ralf Döring, TU Illmenau, 1999Migration and Co-existence of IPv4 and IPv6 in Residential Networks by Pekka Savola, CSC/FUNET, 2002Book IPv6 Essentials written by Silvia Hagen, release planned for April 2002 +Articles, Books, Online Reviews (mixed)Getting Connected with 6to4 by Huber Feyrer, 06/01/2001How Long the Aversion to IP Version 6 - Review of META Group, Inc., full access needs (free) registration at META Group, Inc.O'reilly Network search for keyword IPv6 results in 29 hits (28. January 2002)Wireless boosting IPv6 by Carolyn Duffy Marsan, 10/23/2000IPv6, théorie et pratique (french) 2e édition, mars 1999, O'Reilly (??? no newer one available ???) ISBN: 2-84177-085-0Internetworking IPv6 with Cisco Routers by Silvano Gai, McGrawHill Italia, 1997 13 chapters and appendix A-D are downloadable as PDF-documents.Secure and Dynamic Tunnel Broker by Vegar Skaerven Wang, Master of Engineering Thesis in Computer Science, 2.June 2000, Faculty of Science, Dep.of Computer Science, University of Tromso, Norway.Aufbruch in die neue Welt - IPv6 in IPv4 Netzen von Dipl.Ing. 
Ralf Döring, TU Illmenau, 1999Migration and Co-existence of IPv4 and IPv6 in Residential Networks by Pekka Savola, CSC/FUNET, 2002IPv6 Essentials written by Silvia Hagen, July 2002, O'Reilly Order Number: 1258, ISBN 0-5960-0125-8 OthersSee following URL for more: SWITCH IPv6 Pilot / References Online informationJoin the IPv6 backboneMore to be filled later...suggestions are welcome!Global registriesIPv6 test backbone: 6bone, How to join 6bone @@ -1344,7 +1390,10 @@ Kurz angerissen werden: RFC1825 - Security Association Konzept RFC1826 - IP auth *very recommended if you provide server applications.Something missing? Suggestions are welcome!Another list is available at JOIN Project / List of IPv6-related maillists. -Revision history / Credits / The EndRevision historyVersions x.y are published on the Internet.Versions x.y.z are work-in-progress and only published as LyX file on CVS.Releases 0.x0.26 +Revision history / Credits / The EndRevision historyVersions x.y are published on the Internet.Versions x.y.z are work-in-progress and only published as LyX file on CVS.Releases 0.x0.27 +2002-08-10/PB: Some minor updates0.26.2 +2002-07-15/PB: Add information neighbor discovery, split of firewalling (got some updates) and security into extra chapters0.26.1 +2002-07-13/PB: Update nmap/IPv6 information0.26 2002-07-13/PB: Fill /proc-filesystem chapter, update DNS information about depricated A6/DNAME, change P-t-P tunnel setup to use of "ip" only0.25.2 2002-07-11/PB: Minor spelling fixes0.25.1 2002-06-23/PB: Minor spelling and other fixes0.25
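Review bot: in the header hunk the CVS-ID is bumped to revision 1.28 with date 2002/07/15, while the new release line added in the same hunk reads "Release 0.27 2002-08-10", so the two dates in the file header disagree. If $Id$ is an expanded CVS keyword it will be rewritten on commit and this is harmless; otherwise update it to match the 0.27 entry (the revision-history hunk dates 0.26.2 to 2002-07-15 and 0.27 to 2002-08-10, so 1.28/07-15 looks like the 0.26.2 checkin, not the 0.27 one).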
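Review bot: the new Neighbor Discovery chapter opens with "Neighbor discovery was the IPv6 successor for the ARP", which reads as past tense; it should be "Neighbor discovery is the IPv6 successor to ARP". In the same region "The tool "ip" is less documentated" should be "less documented". Also, the manual add/delete examples render only as "lladdr dev" with nothing in front of or between the keywords, so please check the SGML markup around those command lines to make sure the IPv6 address, link-layer address and device placeholders actually survive into the output and are not being swallowed by the CDATA sections.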
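Review bot: the added note in the 6to4 section, "(note: prefix length 16 is imporant!)", has a typo ("important") and would be more useful if it said why: the /16 on tun6to4 is what makes every 2002::/16 destination go directly through the tunnel device instead of via the all-6to4-routers anycast route that the next step adds as default. A one-line reason there saves the reader from "fixing" the prefix length to something narrower.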
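Review bot: the changed icmp_* line in the /proc/sys/net/ipv4 section has a typo, "rate limting" should be "rate limiting", and "which is very recommended" should be "which is strongly recommended". Since this patch also introduces a "Rate-limiting" subsection with an ICMPv6 limit ruleset in the firewalling chapter, point the reader there from this sentence rather than just saying "netfilter-v6 rules must be used".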
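Review bot: several typos in the reshuffled firewalling text: "Enable tunneled IPv6-in-IPv4Tto accept tunneled" should read "To accept tunneled", "author already saw it to times" should be "two times", and "all of your local IPv6 systems are use local ports" should be "use local ports". In the split-out "Allow incoming SSH" subsection the sentence "Allow response packets (at the moment IPv6 connection tracking isn't in mainstream netfilter6 implemented)" appears twice in a row; confirm that one of them is the removed old line and not an accidental duplicate in the new text. Changing the SSH example address from 3ffe:400:100::1 to 3ffe:ffff:100::1 is good, since 3ffe:400::/32 could belong to a real 6bone allocation while 3ffe:ffff::/32 was the usual example prefix; the "Rate-limiting" paragraph and the note to rate-limit logging rules too (to protect syslog and the log partition) are the right additions for a section that tells people to open ICMPv6.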
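Review bot: in the new Security chapter, "It's very recommend to apply all available patches" should be "It's strongly recommended to apply all available patches", "portscaner" should be "portscanner", "Strobe is a (compared to NMap) more a low budget portscanner" should be "Strobe is, compared to NMap, more of a low-budget portscanner", and "Usage example:." has a stray period. The nmap note "you need at least option "-P0" or may not use "-O"" is ambiguous about whether both conditions are needed; please state whether -P0 is required and -O must be omitted, or only one of the two. Dropping NMap from "Neither Nessus nor any commercial security scanner" is consistent with the new nmap-patch subsection, but the lead sentence "there are no comfortable tools" now sits oddly above two tools that do work with patches; consider "no tools out of the box".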
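Review bot: in the updated Articles/Books entry the ISBN for IPv6 Essentials is hyphenated as "0-5960-0125-8"; the digits are right (they check out) but O'Reilly's publisher prefix is 596, so it should be written 0-596-00125-8. Unrelated drive-by in the same hunk: "Huber Feyrer" is Hubert Feyrer.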
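Review bot: in the revision-history hunk the 0.26.2 entry "Add information neighbor discovery" should be "Add information about neighbor discovery", and the unchanged 0.26 line just below it still has "depricated" for "deprecated", which is worth fixing while you are editing that list.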