From 2f1e3b150b013114415fcb51ba0e36f89eecda20 Mon Sep 17 00:00:00 2001 From: binh <> Date: Fri, 28 Jan 2005 19:01:23 +0000 Subject: [PATCH] Slowly getting there.... :) Do not publish under any circumstances!!!! Binh. --- .../docbook/Linux-Networking/Foreward.xml | 2 +- LDP/guide/docbook/Linux-Networking/IPv6.xml | 6250 ----------------- .../Linux-Networking/Linux-Networking.xml | 14 +- .../docbook/Linux-Networking/Web-Serving.xml | 2508 +------ 4 files changed, 26 insertions(+), 8748 deletions(-) diff --git a/LDP/guide/docbook/Linux-Networking/Foreward.xml b/LDP/guide/docbook/Linux-Networking/Foreward.xml index 5faddc00..2cb1ea85 100644 --- a/LDP/guide/docbook/Linux-Networking/Foreward.xml +++ b/LDP/guide/docbook/Linux-Networking/Foreward.xml @@ -279,7 +279,7 @@ This is known as FDM, (Frequency Domain Multiplexing). Similar to FDM, WDM (Wavelength Division Multiplexing) uses each wavelength of light to transmit a signal. WDM is for fiber optic systems. The number of wavelengths per fiber, currently available, is about 300. Each wavelength can carry about 10Gbps. -This makes 3Tbps. AT&T predict that up to 1024 wavelengths may be available in the future. +This makes 3Tbps. AT&T predict that up to 1024 wavelengths may be available in the future. The hub/optical hub is clearly an analogue device - input signals are reflected to all outputs. It is also called passive, because it does not introduce any power to the signal diff --git a/LDP/guide/docbook/Linux-Networking/IPv6.xml b/LDP/guide/docbook/Linux-Networking/IPv6.xml index 5a9d24a6..5805a8f9 100644 --- a/LDP/guide/docbook/Linux-Networking/IPv6.xml +++ b/LDP/guide/docbook/Linux-Networking/IPv6.xml 
@@ -4,88 +4,6 @@ -The goal of the Linux IPv6 HOWTO is to answer both basic and advanced -questions about IPv6 on the Linux operating system. This HOWTO will provide -the reader with enough information to install, configure, and use IPv6 -applications on Linux machines. - ------------------------------------------------------------------------------ -1.7.2. Document related - -1.7.2.1. Long code line wrapping signal char - -The special character "¬" is used for signaling that this code line is -wrapped for better viewing in PDF and PS files. ------------------------------------------------------------------------------ - -1.7.2.2. Placeholders - -In generic examples you will sometimes find the following: - - - -For real use on your system command line or in scripts this has to be -replaced with relevant content (removing the < and > of course), the result -would be e.g. -1.2.3.4 - ------------------------------------------------------------------------------ - -1.7.2.3. Commands in the shell - -Commands executable as non-root user begin with $, e.g. -$ whoami - - -Commands executable as root user begin with #, e.g. -# whoami - ------------------------------------------------------------------------------ - -1.8. Requirements for using this HOWTO - -1.8.1. Personal prerequisites - -1.8.1.1. Experience with Unix tools - -You should be familiar with the major Unix tools e.g. grep, awk, find, ... , -and know about their most commonly used command-line options. ------------------------------------------------------------------------------ - -1.8.1.2. Experience with networking theory - -You should know about layers, protocols, addresses, cables, plugs, etc. If -you are new to this field, here is one good starting point for you: [http:// -www.linuxports.com/howto/intro_to_networking/] linuxports/howto/ -intro_to_networking ------------------------------------------------------------------------------ - -1.8.1.3. 
Experience with IPv4 configuration - -You should definitely have some experience in IPv4 configuration, otherwise -it will be hard for you to understand what is really going on. ------------------------------------------------------------------------------ - -1.8.1.4. Experience with the Domain Name System (DNS) - -Also you should understand what the Domain Name System (DNS) is, what it -provides and how to use it. ------------------------------------------------------------------------------ - -1.8.1.5. Experience with network debugging strategies - -You should at least understand how to use tcpdump and what it can show you. -Otherwise, network debugging will very difficult for you. ------------------------------------------------------------------------------ - -1.8.2. Linux operating system compatible hardware - -Surely you wish to experiment with real hardware, and not only read this -HOWTO to fall asleep here and there. ;-7) ------------------------------------------------------------------------------ - -Chapter 2. Basics - 2.1. What is IPv6? IPv6, sometimes also referred to as IPng (IP Next Generation) 
@@ -179,6172 +97,4 @@ development release. Hopefully the 2.6.x kernel series will contain a true and up-to-date IPv6 implementation. ----------------------------------------------------------------------------- -2.3. What do IPv6 addresses look like? - -As previously mentioned, IPv6 addresses are 128 bits long. This number of -bits generates very high decimal numbers with up to 39 digits: -2^128-1: 340282366920938463463374607431768211455 - - -Such numbers are not really addresses that can be memorized. Also the IPv6 -address schema is bitwise orientated (just like IPv4, but that's not often -recognized). Therefore a better notation of such big numbers is hexadecimal. -In hexadecimal, 4 bits (also known as "nibble") are represented by a digit or -character from 0-9 and a-f (10-15). This format reduces the length of the -IPv6 address to 32 characters. -2^128-1: 0xffffffffffffffffffffffffffffffff - - -This representation is still not very convenient (possible mix-up or loss of -single hexadecimal digits), so the designers of IPv6 chose a hexadecimal -format with a colon as separator after each block of 16 bits. In addition, -the leading "0x" (a signifier for hexadecimal values used in programming -languages) is removed: -2^128-1: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff - - -A usable address (see address types later) is e.g.: -3ffe:ffff:0100:f101:0210:a4ff:fee3:9566 - - -For simplifications, leading zeros of each 16 bit block can be omitted: -3ffe:ffff:0100:f101:0210:a4ff:fee3:9566 -> -¬ 3ffe:ffff:100:f101:210:a4ff:fee3:9566 - - -One sequence of 16 bit blocks containing only zeroes can be replaced with ":: -". But not more than one at a time, otherwise it is no longer a unique -representation. 
-3ffe:ffff:100:f101:0:0:0:1 -> 3ffe:ffff:100:f101::1 - - -The biggest reduction is seen by the IPv6 localhost address: -0000:0000:0000:0000:0000:0000:0000:0001 -> ::1 - - -There is also a so-called compact (base85 coded) representation defined -[http://www.faqs.org/rfcs/rfc1924.html] RFC 1924 / A Compact Representation -of IPv6 Addresses (published on 1. April 1996), never seen in the wild, -probably an April fool's joke, but here is an example: -# ipv6calc --addr_to_base85 3ffe:ffff:0100:f101:0210:a4ff:fee3:9566 -Itu&-ZQ82s>J%s99FJXT - - - - Info: ipv6calc is an IPv6 address format calculator and converter program - and can be found here: [http://www.deepspace6.net/projects/ipv6calc.html] - ipv6calc homepage ([http://mirrors.bieringer.de/www.deepspace6.net/ - projects/ipv6calc.html] Mirror) - ------------------------------------------------------------------------------ -2.4. FAQ (Basics) - -2.4.1. Why is the name IPv6 and not IPv5 as successor for IPv4? - -On any IP header, the first 4 bits are reserved for protocol version. So -theoretically a protocol number between 0 and 15 is possible: - -  * 4: is already used for IPv4 - -  * 5: is reserved for the Stream Protocol (STP, [http://www.faqs.org/rfcs/ - rfc1819.html] RFC 1819 / Internet Stream Protocol Version 2) (which never - really made it to the public) - - -The next free number was 6. Hence IPv6 was born! ------------------------------------------------------------------------------ - -2.4.2. IPv6 addresses: why such a high number of bits? - -During the design of IPv4, people thought that 32 bits were enough for the -world. Looking back into the past, 32 bits were enough until now and will -perhaps be enough for another few years. However, 32 bits are not enough to -provide each network device with a global address in the future. Think about -mobile phones, cars (including electronic devices on its CAN-bus), toasters, -refrigerators, light switches, and so on... 
- -So designers have chosen 128 bits, 4 times more in length and 2^96 greater in -size than in IPv4 today. - -The usable size is smaller than it may appear however. This is because in the -currently defined address schema, 64 bits are used for interface identifiers. -The other 64 bits are used for routing. Assuming the current strict levels of -aggregation (/48, /32, ...), it is still possible to "run out" of space, but -hopefully not in the near future. - -See also for more information [http://www.faqs.org/rfcs/rfc1715.html] RFC -1715 / The H Ratio for Address Assignment Efficiency and [http://www.faqs.org -/rfcs/rfc3194.html] RFC 3194 / The Host-Density Ratio for Address Assignment -Efficiency. ------------------------------------------------------------------------------ - -2.4.3. IPv6 addresses: why so small a number of bits on a new design? - -While, there are (possibly) some people (only know about Jim Fleming...) on -the Internet who are thinking about IPv8 and IPv16, their design is far away -from acceptance and implementation. In the meantime 128 bits was the best -choice regarding header overhead and data transport. Consider the minimum -Maximum Transfer Unit (MTU) in IPv4 (576 octets) and in IPv6 (1280 octets), -the header length in IPv4 is 20 octets (minimum, can increase to 60 octets -with IPv4 options) and in IPv6 is 48 octets (fixed). This is 3.4 % of MTU in -IPv4 and 3.8 % of MTU in IPv6. This means the header overhead is almost -equal. More bits for addresses would require bigger headers and therefore -more overhead. Also, consider the maximum MTU on normal links (like Ethernet -today): it's 1500 octets (in special cases: 9k octets using Jumbo frames). -Ultimately, it wouldn't be a proper design if 10 % or 20 % of transported -data in a Layer-3 packet were used for addresses and not for payload. ------------------------------------------------------------------------------ - -Chapter 3. 
Address types - -Like IPv4, IPv6 addresses can be split into network and host parts using -subnet masks. - -IPv4 has shown that sometimes it would be nice, if more than one IP address -can be assigned to an interface, each for a different purpose (aliases, -multi-cast). To remain extensible in the future, IPv6 is going further and -allows more than one IPv6 address to be assigned to an interface. There is -currently no limit defined by an RFC, only in the implementation of the IPv6 -stack (to prevent DoS attacks). - -Using this large number of bits for addresses, IPv6 defines address types -based on some leading bits, which are hopefully never going to be broken in -the future (unlike IPv4 today and the history of class A, B, and C). - -Also the number of bits are separated into a network part (upper 64 bits) and -a host part (lower 64 bits), to facilitate auto-configuration. BTW: a good -URL for displaying a given IPv6 address in detail is the [http:// -steinbeck.ucs.indiana.edu:47401/] Advanced Network Management Laboratory / -IPv6 Address Oracle. ------------------------------------------------------------------------------ - -3.1. Addresses without a special prefix - -3.1.1. Localhost address - -This is a special address for the loopback interface, similiar to IPv4 with -its "127.0.0.1". With IPv6, the localhost address is: -0000:0000:0000:0000:0000:0000:0000:0001 - - -or compressed: -::1 - - -Packets with this address as source or destination should never leave the -sending host. ------------------------------------------------------------------------------ - -3.1.2. Unspecified address - -This is a special address like "any" or "0.0.0.0" in IPv4 . For IPv6 it's: -0000:0000:0000:0000:0000:0000:0000:0000 - - -or: -:: - - -These addresses are mostly used/seen in socket binding (to any IPv6 address) -or routing tables. - -Note: the unspecified address cannot be used as destination address. 
------------------------------------------------------------------------------ - -3.1.3. IPv6 address with embedded IPv4 address - -There are two addresses which contain an IPv4 address. ------------------------------------------------------------------------------ - -3.1.3.1. IPv4-mapped IPv6 address - -IPv4-only IPv6-compatible addresses are sometimes used/shown for sockets -created by an IPv6-enabled daemon, but only binding to an IPv4 address. - -These addresses are defined with a special prefix of length 96 (a.b.c.d is -the IPv4 address): -0:0:0:0:0:ffff:a.b.c.d/96 - - -or in compressed format -::ffff:a.b.c.d/96 - - -For example, the IPv4 address 1.2.3.4 looks like this: -::ffff:1.2.3.4 - ------------------------------------------------------------------------------ - -3.1.3.2. IPv4-compatible IPv6 address - -Used for automatic tunneling ([http://www.faqs.org/rfcs/rfc2893.html] RFC -2893 / Transition Mechanisms for IPv6 Hosts and Routers), which is being -replaced by 6to4 tunneling. -0:0:0:0:0:0:a.b.c.d/96 - - -or in compressed format -::a.b.c.d/96 - ------------------------------------------------------------------------------ - -3.2. Network part, also known as prefix - -Designers defined some address types and left a lot of scope for future -definitions as currently unknown requirements arise. [http://www.faqs.org/ -rfcs/rfc2373.html] RFC 2373 [July 1998] / IP Version 6 Addressing -Architecture defines the current addressing scheme but there is already a new -draft available: [ftp://ftp.ietf.org/internet-drafts/] -draft-ietf-ipngwg-addr-arch-*.txt. - -Now lets take a look at the different types of prefixes (and therefore -address types): ------------------------------------------------------------------------------ - -3.2.1. Link local address type - -These are special addresses which will only be valid on a link of an -interface. Using this address as destination the packet would never pass -through a router. 
It's used for link communications such as: - -  * anyone else here on this link? - -  * anyone here with a special address (e.g. looking for a router)? - - -They begin with ( where "x" is any hex character, normally "0") -fe8x: <- currently the only one in use. -fe9x: -feax: -febx: - - -An address with this prefix is found on each IPv6-enabled interface after -stateless auto-configuration (which is normally always the case). ------------------------------------------------------------------------------ - -3.2.2. Site local address type - -These are addresses similar to the [http://www.faqs.org/rfcs/rfc1918.html] -RFC 1918 / Address Allocation for Private Internets in IPv4 today, with the -added advantage that everyone who use this address type has the capability to -use the given 16 bits for a maximum number of 65536 subnets. Comparable with -the 10.0.0.0/8 in IPv4 today. - -Another advantage: because it's possible to assign more than one address to -an interface with IPv6, you can also assign such a site local address in -addition to a global one. - -It begins with: -fecx: <- most commonly used. -fedx: -feex: -fefx: - - -(where "x" is any hex character, normally "0") - -Note that there are discussions going on in deprecating this kind of -addresses because there are several issues. Read the current draft for more: -[http://www.ietf.org/internet-drafts/] -draft-ietf-ipv6-deprecate-site-local-XY.txt. - -For test in labs, such addresses are still a good choice in my humble -opinion. ------------------------------------------------------------------------------ - -3.2.3. Global address type "(Aggregatable) global unicast" - -Today, there is one global address type defined (the first design, called -"provider based," was thrown away some years ago [http://www.faqs.org/rfcs/ -rfc1884.html] RFC 1884 / IP Version 6 Addressing Architecture [obsolete], you -will find some remains in older Linux kernel sources). 
- -It begins with (x are hex characters) -2xxx: -3xxx: - - -Note: the prefix "aggregatable" is thrown away in current drafts. There are -some further subtypes defined, see below: ------------------------------------------------------------------------------ - -3.2.3.1. 6bone test addresses - -These were the first global addresses which were defined and in use. They all -start with -3ffe: - - -Example: -3ffe:ffff:100:f102::1 - - -A special 6bone test address which will be never be globally unique begins -with -3ffe:ffff: - - -and is mostly shown in examples, because if real addresses are shown, its -possible for someone to do a copy & paste to their configuration files. Thus -inadvertently causing duplicates on a globally unique address. This would -cause serious problems for the original host (e.g. getting answer packets for -request that were never sent). You can still apply for one of these prefixes, -see here [http://www.6bone.net/6bone_hookup.html] How to join 6bone. Also -some tunnel brokers still distribute 6bone test address prefixes. ------------------------------------------------------------------------------ - -3.2.3.2. 6to4 addresses - -These addresses, designed for a special tunneling mechanism [[http:// -www.faqs.org/rfcs/rfc3056.html] RFC 3056 / Connection of IPv6 Domains via -IPv4 Clouds and [http://www.faqs.org/rfcs/rfc2893.html] RFC 2893 / Transition -Mechanisms for IPv6 Hosts and Routers], encode a given IPv4 address and a -possible subnet and begin with -2002: - - -For example, representing 192.168.1.1/5: -2002:c0a8:0101:5::1 - - -A small shell command line can help you generating such address out of a -given IPv4 one: -ipv4="1.2.3.4"; sla="5"; printf "2002:%02x%02x:%02x%02x:%04x::1" `echo $ipv4 -¬ | tr "." " "` $sla - - -See also tunneling using 6to4 and information about 6to4 relay routers. ------------------------------------------------------------------------------ - -3.2.3.3. 
Assigned by provider for hierarchical routing - -These addresses are delegated to Internet service providers (ISP) and begin -with -2001: - - -Prefixes to major (backbone owning) ISPs (also known as LIRs) are delegated -by local registries and currently they got a prefix with length 32 assigned. - -Any ISP customer can get a prefix with length 48. ------------------------------------------------------------------------------ - -3.2.3.4. Addresses reserved for examples and documentation - -Currently, two address ranges are reserved for examples and documentation: -3ffe:ffff::/32 -2001:0DB8::/32 EXAMPLENET-WF - - -These address ranges should be filtered based on source addresses and should -NOT be routed on border routers to the internet, if possible. ------------------------------------------------------------------------------ - -3.2.4. Multicast addresses - -Multicast addresses are used for related services. - -They alway start with (xx is the scope value) -ffxy: - - -They are split into scopes and types: ------------------------------------------------------------------------------ - -3.2.4.1. Multicast scopes - -Multicast scope is a parameter to specify the maximum distance a multicast -packet can travel from the sending entity. - -Currently, the following regions (scopes) are defined: - -  * ffx1: node-local, packets never leave the node. - -  * ffx2: link-local, packets are never forwarded by routers, so they never - leave the specified link. - -  * ffx5: site-local, packets never leave the site. - -  * ffx8: organization-local, packets never leave the organization (not so - easy to implement, must be covered by routing protocol). - -  * ffxe: global scope. - -  * others are reserved - - ------------------------------------------------------------------------------ -3.2.4.2. Multicast types - -There are many types already defined/reserved (see [http://www.faqs.org/rfcs/ -rfc2373.html] RFC 2373 / IP Version 6 Addressing Architecture for details). 
-Some examples are: - -  * All Nodes Address: ID = 1h, addresses all hosts on the local node (ff01: - 0:0:0:0:0:0:1) or the connected link (ff02:0:0:0:0:0:0:1). - -  * All Routers Address: ID = 2h, addresses all routers on the local node - (ff01:0:0:0:0:0:0:2), on the connected link (ff02:0:0:0:0:0:0:2), or on - the local site (ff05:0:0:0:0:0:0:2) - - ------------------------------------------------------------------------------ -3.2.4.3. Solicited node link-local multicast address - -Special multicast address used as destination address in neighborhood -discovery, because unlike in IPv4, ARP no longer exists in IPv6. - -An example of this address looks like -ff02::1:ff00:1234 - - -Used prefix shows that this is a link-local multicast address. The suffix is -generated from the destination address. In this example, a packet should be -sent to address "fe80::1234", but the network stack doesn't know the current -layer 2 MAC address. It replaces the upper 104 bits with "ff02:0:0:0:0:1: -ff00::/104" and leaves the lower 24 bits untouched. This address is now used -`on-link' to find the corresponding node which has to send a reply containing -its layer 2 MAC address. ------------------------------------------------------------------------------ - -3.2.5. Anycast addresses - -Anycast addresses are special addresses and are used to cover things like -nearest DNS server, nearest DHCP server, or similar dynamic groups. Addresses -are taken out of the unicast address space (aggregatable global or site-local -at the moment). The anycast mechanism (client view) will be handled by -dynamic routing protocols. - -Note: Anycast addresses cannot be used as source addresses, they are only -used as destination addresses. ------------------------------------------------------------------------------ - -3.2.5.1. Subnet-router anycast address - -A simple example for an anycast address is the subnet-router anycast address. 
-Assuming that a node has the following global assigned IPv6 address: -3ffe:ffff:100:f101:210:a4ff:fee3:9566/64 <- Node's address - - -The subnet-router anycast address will be created blanking the suffix (least -significant 64 bits) completely: -3ffe:ffff:100:f101::/64 <- subnet-router anycast address - ------------------------------------------------------------------------------ - -3.3. Address types (host part) - -For auto-configuration and mobility issues, it was decided to use the lower -64 bits as host part of the address in most of the current address types. -Therefore each single subnet can hold a large amount of addresses. - -This host part can be inspected differently: ------------------------------------------------------------------------------ - -3.3.1. Automatically computed (also known as stateless) - -With auto-configuration, the host part of the address is computed by -converting the MAC address of an interface (if available), with the EUI-64 -method, to a unique IPv6 address. If no MAC address is available for this -device (happens e.g. on virtual devices), something else (like the IPv4 -address or the MAC address of a physical interface) is used instead. - -Consider again the first example -3ffe:ffff:100:f101:210:a4ff:fee3:9566 - - -here, -210:a4ff:fee3:9566 - - -is the host part and computed from the NIC's MAC address -00:10:A4:E3:95:66 - - -using the [http://standards.ieee.org/regauth/oui/tutorials/EUI64.html] -IEEE-Tutorial EUI-64 design for EUI-48 identifiers. ------------------------------------------------------------------------------ - -3.3.1.1. Privacy problem with automatically computed addresses and a solution - -Because the "automatically computed" host part is globally unique (except -when a vendor of a NIC uses the same MAC address on more than one NIC), -client tracking is possible on the host when not using a proxy of any kind. 
- -This is a known problem, and a solution was defined: privacy extension, -defined in [http://www.faqs.org/rfcs/rfc3041.html] RFC 3041 / Privacy -Extensions for Stateless Address Autoconfiguration in IPv6 (there is also -already a newer draft available: [ftp://ftp.ietf.org/internet-drafts/] -draft-ietf-ipngwg-temp-addresses-*.txt). Using a random and a static value a -new suffix is generated from time to time. Note: this is only reasonable for -outgoing client connections and isn't really useful for well-known servers. ------------------------------------------------------------------------------ - -3.3.2. Manually set - -For servers it's probably easier to remember simpler addresses, this can also -be accommodated. It is possible to assign an additional IPv6 address to an -interface, e.g. -3ffe:ffff:100:f101::1 - - -For manual suffixes like "::1" shown in the above example it's required that -the 7th most significant bit is set to 0 (the universal/local bit of the -automatically generated identifier). Also some other (otherwise unchosen ) -bit combinations are reserved for anycast addresses, too. ------------------------------------------------------------------------------ - -3.4. Prefix lengths for routing - -In the early design phase it was planned to use a fully hierarchical routing -approach to reduce the size of the routing tables maximally. The reasoning -behind this approach were the number of current IPv4 routing entries in core -routers (> 104 thousand in May 2001), reducing the need of memory in hardware -routers (ASIC "Application Specified Integrated Circuit" driven) to hold the -routing table and increase speed (fewer entries hopefully result in faster -lookups). - -Todays view is that routing will be mostly hierarchically designed for -networks with only one service provider. 
With more than one ISP connections, -this is not possible, and subject to an issue named multi-homing (infos on -multi-homing: [http://www.ietf.org/internet-drafts/ -draft-van-beijnum-multi6-isp-int-aggr-00.txt] Procider-Internal Aggregation -based on Geography to Support Multihoming in IPv6; [http://www.ietf.org/ -internet-drafts/draft-by-multi6-gapi-00.txt] GAPI: A Geographically -Aggregatable Provider Independent Address Space to Support Multihoming in -IPv6; [http://www.ietf.org/internet-drafts/ -draft-bagnulo-multi6-mhexthdr-00.txt] Extension Header for Site-Multi-homing -support; [http://arneill-py.sacramento.ca.us/ipv6mh/] IPv6 Multihoming -Solutions) ------------------------------------------------------------------------------ - -3.4.1. Prefix lengths (also known as "netmasks") - -Similar to IPv4, the routable network path for routing to take place. Because -standard netmask notation for 128 bits doesn't look nice, designers employed -the IPv4 Classless Inter Domain Routing (CIDR, [http://www.faqs.org/rfcs/ -rfc1519.html] RFC 1519 / Classless Inter-Domain Routing) scheme, which -specifies the number of bits of the IP address to be used for routing. It is -also called the "slash" notation. - -An example: -3ffe:ffff:100:1:2:3:4:5/48 - - -This notation will be expanded: - -  * Network: - - -3ffe:ffff:0100:0000:0000:0000:0000:0000 - - -  * Netmask: - - -ffff:ffff:ffff:0000:0000:0000:0000:0000 - ------------------------------------------------------------------------------ - -3.4.2. Matching a route - -Under normal circumstances (no QoS) a lookup in a routing table results in -the route with the most significant number of address bits means the route -with the biggest prefix length matches first. 
- -For example if a routing table shows following entries (list is not -complete): -3ffe:ffff:100::/48 :: U 1 0 0 sit1 -2000::/3 ::192.88.99.1 UG 1 0 0 tun6to4 - - -Shown destination addresses of IPv6 packets will be routed through shown -device -3ffe:ffff:100:1:2:3:4:5/48 -> routed through device sit1 -3ffe:ffff:200:1:2:3:4:5/48 -> routed through device tun6to4 - ------------------------------------------------------------------------------ - -Chapter 4. IPv6-ready system check - -Before you can start using IPv6 on a Linux host, you have to test, whether -your system is IPv6-ready. You may have to do some work to enable it first. ------------------------------------------------------------------------------ - -4.1. IPv6-ready kernel - -Modern Linux distributions already contain IPv6-ready kernels, the IPv6 -capability is generally compiled as a module, but it's possible that this -module is not loaded automatically on startup. - -See [http://www.bieringer.de/linux/IPv6/status/ -IPv6+Linux-status-distributions.html] IPv6+Linux-Status-Distribution page for -most up-to-date information. - -Note: you shouldn't anymore use kernel series 2.2.x, because it's not -IPv6-up-to-date anymore. ------------------------------------------------------------------------------ - -4.1.1. Check for IPv6 support in the current running kernel - -To check, whether your current running kernel supports IPv6, take a look into -your /proc-file-system. Following entry must exists: -/proc/net/if_inet6 - - -A short automatical test looks like: -# test -f /proc/net/if_inet6 && echo "Running kernel is IPv6 ready" - - -If this fails, it is quite likely, that the IPv6 module is not loaded. ------------------------------------------------------------------------------ - -4.1.2. 
Try to load IPv6 module - -You can try to load the IPv6 module executing -# modprobe ipv6 - - -If this is successful, this module should be listed, testable with following -auto-magically line: -# lsmod |grep -w 'ipv6' && echo "IPv6 module successfully loaded" - - -And the check shown above should now run successfully. - -Note: unloading the module is currently not supported and can result, under -some circumstances, in a kernel crash. ------------------------------------------------------------------------------ - -4.1.2.1. Automatically loading of module - -Its possible to automatically load the IPv6 module on demand. You only have -to add following line in the configuration file of the kernel module loader -(normally /etc/modules.conf or /etc/conf.modules): -alias net-pf-10 ipv6 # automatically load IPv6 module on demand - - -It's also possible to disable automatically loading of the IPv6 module using -following line -alias net-pf-10 off # disable automatically load of IPv6 module on demand - - -Additional note: in future kernels (newer 2.5 series and above), the module -loader mechanism was changed. The new configuration file has to be named /etc -/modprobe.conf instead of /etc/modules.conf but there is a translate-script -available. For further details see [http://his.luky.org/ftp/mirrors/linux/ -kernel/people/rusty/modules/] module-init-tool. ------------------------------------------------------------------------------ - -4.1.3. 
Compile kernel with IPv6 capabilities - -If both above shown results were negative and your kernel has no IP6 support, -than you have the following options: - -  * Update your distribution to a current one which supports IPv6 - out-of-the-box (recommended for newbies), see here again: [http:// - www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-distributions.html] - IPv6+Linux-Status-Distribution - -  * Compile a new vanilla kernel (easy, if you know which options you needed) - -  * Recompile kernel sources given by your Linux distribution (sometimes not - so easy) - -  * Compile a kernel with USAGI extensions - - -If you decide to compile a kernel, you should have previous experience in -kernel compiling and read the [http://www.tldp.org/HOWTO/Kernel-HOWTO.html] -Linux Kernel HOWTO. - -A mostly up-to-time comparison between vanilla and USAGI extended kernels is -available on [http://www.bieringer.de/linux/IPv6/status/ -IPv6+Linux-status-kernel.html] IPv6+Linux-Status-Kernel. ------------------------------------------------------------------------------ - -4.1.3.1. Compiling a vanilla kernel - -More detailed hints about compiling an IPv6-enabled kernel can be found e.g. -on [http://www.bieringer.de/linux/IPv6/IPv6-HOWTO/IPv6-HOWTO-2.html#kernel] -IPv6-HOWTO-2#kernel. - -Note: you should use whenever possible kernel series 2.4.x or above, because -the IPv6 support in series 2.2.x is not so in current state and needs some -patches for ICMPv6 and 6to4 support (can be found on [ftp://ftp.bieringer.de/ -pub/linux/IPv6/kernel] kernel series 2.2.x IPv6 patches). ------------------------------------------------------------------------------ - -4.1.3.2. Compiling a kernel with USAGI extensions - -Same as for vanilla kernel, only recommend for advanced users, which are -already familiar with IPv6 and kernel compilation. 
See also [http:// -www.linux-ipv6.org/faq.html] USAGI project / FAQ and [http:// -www.deepspace6.net/docs/best_ipv6_support.html] Obtaining the best IPv6 -support with Linux (Article) ([http://mirrors.bieringer.de/www.deepspace6.net -/docs/best_ipv6_support.html] Mirror). ------------------------------------------------------------------------------ - -4.1.4. IPv6-ready network devices - -Not all existing network devices have already (or ever) the capability to -transport IPv6 packets. A current status can be found at [http:// -www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-kernel.html#transport] -IPv6+Linux-status-kernel.html#transport. - -A major issue is that because of the network layer structure of kernel -implementation an IPv6 packet isn't really recognized by it's IP header -number (6 instead of 4). It's recognized by the protocol number of the Layer -2 transport protocol. Therefore any transport protocol which doesn't use such -protocol number cannot dispatch IPv6 packets. Note: the packet is still -transported over the link, but on receivers side, the dispatching won't work -(you can see this e.g. using tcpdump). ------------------------------------------------------------------------------ - -4.1.4.1. Currently known never "IPv6 capable links" - -  * Serial Line IP (SLIP, [http://www.faqs.org/rfcs/rfc1055.html] RFC 1055 / - SLIP), should be better called now to SLIPv4, device named: slX - -  * Parallel Line IP (PLIP), same like SLIP, device names: plipX - -  * ISDN with encapsulation rawip, device names: isdnX - - ------------------------------------------------------------------------------ -4.1.4.2. Currently known "not supported IPv6 capable links" - -  * ISDN with encapsulation syncppp, device names: ipppX (design issue of the - ipppd, will be merged into more general PPP layer in kernel series 2.5.x) - - ------------------------------------------------------------------------------ -4.2. 
IPv6-ready network configuration tools - -You wont get very far, if you are running an IPv6-ready kernel, but have no -tools to configure IPv6. There are several packages in existence which can -configure IPv6. ------------------------------------------------------------------------------ - -4.2.1. net-tools package - -The net-tool package includes some tools like ifconfig and route, which helps -you to configure IPv6 on an interface. Look at the output of ifconfig -? or -route -?, if something is shown like IPv6 or inet6, then the tool is -IPv6-ready. - -Auto-magically check: -# /sbin/ifconfig -? 2>& 1|grep -qw 'inet6' && echo "utility 'ifconfig' is -¬ IPv6-ready" - - -Same check can be done for route: -# /sbin/route -? 2>& 1|grep -qw 'inet6' && echo "utility 'route' is IPv6-ready" - ------------------------------------------------------------------------------ - -4.2.2. iproute package - -Alexey N. Kuznetsov (current a maintainer of the Linux networking code) -created a tool-set which configures networks through the netlink device. -Using this tool-set you have more functionality than net-tools provides, but -its not very well documented and isn't for the faint of heart. -# /sbin/ip 2>&1 |grep -qw 'inet6' && echo "utility 'ip' is IPv6-ready" - - -If the program /sbin/ip isn't found, then I strongly recommend you install -the iproute package. - -  * You can get it from your Linux distribution (if contained) - -  * You can download the tar-ball and recompile it: [ftp://ftp.inr.ac.ru/ - ip-routing/] Original FTP source and mirror (missing) - -  * You're able to look for a proper RPM package at [http://rpmfind.net/linux - /rpm2html/search.php?query=iproute] RPMfind/iproute (sometimes rebuilding - of a SRPMS package is recommended) - - ------------------------------------------------------------------------------ -4.3. IPv6-ready test/debug programs - -After you have prepared your system for IPv6, you now want to use IPv6 for -network communications. 
First you should learn how to examine IPv6 packets -with a sniffer program. This is strongly recommended because for debugging/ -troubleshooting issues this can aide in providing a diagnosis very quickly. ------------------------------------------------------------------------------ - -4.3.1. IPv6 ping - -This program is normally included in package iputils. It is designed for -simple transport tests sending ICMPv6 echo-request packets and wait for -ICMPv6 echo-reply packets. - -Usage -# ping6 -# ping6 -# ping6 [-I ] - - -Example -# ping6 -c 1 ::1 -PING ::1(::1) from ::1 : 56 data bytes -64 bytes from ::1: icmp_seq=0 hops=64 time=292 usec ---- ::1 ping statistics --- -1 packets transmitted, 1 packets received, 0% packet loss -round-trip min/avg/max/mdev = 0.292/0.292/0.292/0.000 ms - - -Hint: ping6 needs raw access to socket and therefore root permissions. So if -non-root users cannot use ping6 then there are two possible problems: - - 1. ping6 is not in users path (probably, because ping6 is generally stored - in /usr/sbin -> add path (not really recommended) - - 2. ping6 doesn't execute properly, generally because of missing root - permissions -> chmod u+s /usr/sbin/ping6 - - ------------------------------------------------------------------------------ -4.3.1.1. Specifying interface for IPv6 ping - -Using link-local addresses for an IPv6 ping, the kernel does not know through -which (physically or virtual) device it must send the packet - each device -has a link-local address. 
A try will result in following error message: -# ping6 fe80::212:34ff:fe12:3456 -connect: Invalid argument - - -In this case you have to specify the interface additionally like shown here: -# ping6 -I eth0 -c 1 fe80::2e0:18ff:fe90:9205 -PING fe80::212:23ff:fe12:3456(fe80::212:23ff:fe12:3456) from -¬ fe80::212:34ff:fe12:3478 eth0: 56 data bytes -64 bytes from fe80::212:23ff:fe12:3456: icmp_seq=0 hops=64 time=445 usec ---- fe80::2e0:18ff:fe90:9205 ping statistics --- -1 packets transmitted, 1 packets received, 0% packet loss round-trip -¬ min/avg/max/mdev = 0.445/0.445/0.445/0.000 ms - ------------------------------------------------------------------------------ - -4.3.1.2. Ping6 to multicast addresses - -An interesting mechanism to detect IPv6-active hosts on a link is to ping6 to -the link-local all-node multicast address: -# ping6 -I eth0 ff02::1 -PING ff02::1(ff02::1) from fe80:::2ab:cdff:feef:0123 eth0: 56 data bytes -64 bytes from ::1: icmp_seq=1 ttl=64 time=0.104 ms -64 bytes from fe80::212:34ff:fe12:3450: icmp_seq=1 ttl=64 time=0.549 ms (DUP!) - - -Unlike in IPv4, where replies to a ping on the broadcast address can be -disabled, in IPv6 currently this behavior cannot be disable except by local -IPv6 firewalling. ------------------------------------------------------------------------------ - -4.3.2. IPv6 traceroute6 - -This program is normally included in package iputils. It's a program similar -to IPv4 traceroute. 
Below you will see an example: -# traceroute6 www.6bone.net -traceroute to 6bone.net (3ffe:b00:c18:1::10) from 3ffe:ffff:0000:f101::2, 30 -¬ hops max, 16 byte packets - 1 localipv6gateway (3ffe:ffff:0000:f101::1) 1.354 ms 1.566 ms 0.407 ms - 2 swi6T1-T0.ipv6.switch.ch (3ffe:2000:0:400::1) 90.431 ms 91.956 ms 92.377 ms - 3 3ffe:2000:0:1::132 (3ffe:2000:0:1::132) 118.945 ms 107.982 ms 114.557 ms - 4 3ffe:c00:8023:2b::2 (3ffe:c00:8023:2b::2) 968.468 ms 993.392 ms 973.441 ms - 5 3ffe:2e00:e:c::3 (3ffe:2e00:e:c::3) 507.784 ms 505.549 ms 508.928 ms - 6 www.6bone.net (3ffe:b00:c18:1::10) 1265.85 ms * 1304.74 ms - - -Note: unlike some modern versions of IPv4 traceroute, which can use ICMPv4 -echo-request packets as well as UDP packets (default), current -IPv6-traceroute is only able to send UDP packets. As you perhaps already -know, ICMP echo-request packets are more accepted by firewalls or ACLs on -routers inbetween than UDP packets. ------------------------------------------------------------------------------ - -4.3.3. IPv6 tracepath6 - -This program is normally included in package iputils. It's a program like -traceroute6 and traces the path to a given destination discovering the MTU -along this path. Below you will see an example: -# tracepath6 www.6bone.net - 1?: [LOCALHOST] pmtu 1480 - 1: 3ffe:401::2c0:33ff:fe02:14 150.705ms - 2: 3ffe:b00:c18::5 267.864ms - 3: 3ffe:b00:c18::5 asymm 2 266.145ms pmtu 1280 - 3: 3ffe:3900:5::2 asymm 4 346.632ms - 4: 3ffe:28ff:ffff:4::3 asymm 5 365.965ms - 5: 3ffe:1cff:0:ee::2 asymm 4 534.704ms - 6: 3ffe:3800::1:1 asymm 4 578.126ms !N -Resume: pmtu 1280 - ------------------------------------------------------------------------------ - -4.3.4. IPv6 tcpdump - -On Linux, tcpdump is the major tool for packet capturing. Below you find some -examples. IPv6 support is normally built-in in current releases of version -3.6. 
- -tcpdump uses expressions for filtering packets to minimize the noise: - -  * icmp6: filters native ICMPv6 traffic - -  * ip6: filters native IPv6 traffic (including ICMPv6) - -  * proto ipv6: filters tunneled IPv6-in-IPv4 traffic - -  * not port ssh: to suppress displaying SSH packets for running tcpdump in a - remote SSH session - - -Also some command line options are very useful to catch and print more -information in a packet, mostly interesting for digging into ICMPv6 packets: - -  * "-s 512": increase the snap length during capturing of a packet to 512 - bytes - -  * "-vv": really verbose output - -  * "-n": don't resolve addresses to names, useful if reverse DNS resolving - isn't working proper - - ------------------------------------------------------------------------------ -4.3.4.1. IPv6 ping to 3ffe:ffff:100:f101::1 native over a local link - -# tcpdump -t -n -i eth0 -s 512 -vv ip6 or proto ipv6 -tcpdump: listening on eth0 -3ffe:ffff:100:f101:2e0:18ff:fe90:9205 > 3ffe:ffff:100:f101::1: icmp6: echo -¬ request (len 64, hlim 64) -3ffe:ffff:100:f101::1 > 3ffe:ffff:100:f101:2e0:18ff:fe90:9205: icmp6: echo -¬ reply (len 64, hlim 64) - ------------------------------------------------------------------------------ - -4.3.4.2. 
IPv6 ping to 3ffe:ffff:100::1 routed through an IPv6-in-IPv4-tunnel - -1.2.3.4 and 5.6.7.8 are tunnel endpoints (all addresses are examples) -# tcpdump -t -n -i ppp0 -s 512 -vv ip6 or proto ipv6 -tcpdump: listening on ppp0 -1.2.3.4 > 5.6.7.8: 2002:ffff:f5f8::1 > 3ffe:ffff:100::1: icmp6: echo request -¬ (len 64, hlim 64) (DF) (ttl 64, id 0, len 124) -5.6.7.8 > 1.2.3.4: 3ffe:ffff:100::1 > 2002:ffff:f5f8::1: icmp6: echo reply (len -¬ 64, hlim 61) (ttl 23, id 29887, len 124) -1.2.3.4 > 5.6.7.8: 2002:ffff:f5f8::1 > 3ffe:ffff:100::1: icmp6: echo request -¬ (len 64, hlim 64) (DF) (ttl 64, id 0, len 124) -5.6.7.8 > 1.2.3.4: 3ffe:ffff:100::1 > 2002:ffff:f5f8::1: icmp6: echo reply (len -¬ 64, hlim 61) (ttl 23, id 29919, len 124) - ------------------------------------------------------------------------------ - -4.4. IPv6-ready programs - -Current distributions already contain the most needed IPv6 enabled client and -servers. See first on [http://www.bieringer.de/linux/IPv6/status/ -IPv6+Linux-status-distributions.html] IPv6+Linux-Status-Distribution. If -still not included, you can check [http://www.bieringer.de/linux/IPv6/status/ -IPv6+Linux-status-apps.html] IPv6 & Linux - Current Status - Applications -whether the program is already ported to IPv6 and usable with Linux. For -common used programs there are some hints available at [http:// -www.bieringer.de/linux/IPv6/IPv6-HOWTO/IPv6-HOWTO-3.html] IPv6 & Linux - -HowTo - Part 3 and [http://www.bieringer.de/linux/IPv6/IPv6-HOWTO/ -IPv6-HOWTO-4.html] IPv6 & Linux - HowTo - Part 4. ------------------------------------------------------------------------------ - -4.5. IPv6-ready client programs (selection) - -To run the following shown tests, it's required that your system is IPv6 -enabled, and some examples show addresses which only can be reached if a -connection to the 6bone is available. ------------------------------------------------------------------------------ - -4.5.1. 
Checking DNS for resolving IPv6 addresses - -Because of security updates in the last years every Domain Name System (DNS) -server should run newer software which already understands the (intermediate) -IPv6 address-type AAAA (the newer one named A6 isn't still common at the -moment because only supported using BIND9 and newer and also the non-existent -support of root domain IP6.ARPA). A simple test whether the used system can -resolve IPv6 addresses is -# host -t AAAA www.join.uni-muenster.de - - -and should show something like following: -www.join.uni-muenster.de. is an alias for tolot.join.uni-muenster.de. -tolot.join.uni-muenster.de. has AAAA address 2001:638:500:101:2e0:81ff:fe24:37c6 - ------------------------------------------------------------------------------ - -4.5.2. IPv6-ready telnet clients - -IPv6-ready telnet clients are available. A simple test can be done with -$ telnet 3ffe:400:100::1 80 -Trying 3ffe:400:100::1... -Connected to 3ffe:400:100::1. -Escape character is '^]'. -HEAD / HTTP/1.0 -HTTP/1.1 200 OK -Date: Sun, 16 Dec 2001 16:07:21 -GMT Server: Apache/2.0.28 (Unix) -Last-Modified: Wed, 01 Aug 2001 21:34:42 GMT -ETag: "3f02-a4d-b1b3e080" -Accept-Ranges: bytes -Content-Length: 2637 -Connection: close -Content-Type: text/html; charset=ISO-8859-1 -Connection closed by foreign host. - - -If the telnet client don't understand the IPv6 address and says something -like "cannot resolve hostname", then it's not IPv6-enabled. ------------------------------------------------------------------------------ - -4.5.3. IPv6-ready ssh clients - -4.5.3.1. openssh - -Current versions of openssh are IPv6-ready. Depending on configuring before -compiling it has two behavior. 
- -  * --without-ipv4-default: the client tries an IPv6 connect first - automatically and fall back to IPv4 if not working - -  * --with-ipv4-default: default connection is IPv4, IPv6 connection must be - force like following example shows - - -$ ssh -6 ::1 -user@::1's password: ****** -[user@ipv6host user]$ - - -If your ssh client doesn't understand the option "-6" then it's not -IPv6-enabled, like most ssh version 1 packages. ------------------------------------------------------------------------------ - -4.5.3.2. ssh.com - -SSH.com's SSH client and server is also IPv6 aware now and is free for all -Linux and FreeBSD machine regardless if used for personal or commercial use. ------------------------------------------------------------------------------ - -4.5.4. IPv6-ready web browsers - -A current status of IPv6 enabled web browsers is available at [http:// -www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-apps.html#HTTP] -IPv6+Linux-status-apps.html#HTTP. - -Most of them have unresolved problems at the moment - - 1. If using an IPv4 only proxy in the settings, IPv6 requests will be sent - to the proxy, but the proxy will fail to understand the request and the - request fails. Solution: update proxy software (see later). - - 2. Automatic proxy settings (*.pac) cannot be extended to handle IPv6 - requests differently (e.g. don't use proxy) because of their nature - (written in Java-script and well hard coded in source like to be seen in - Maxilla source code). - - -Also older versions don't understand an URL with IPv6 encoded addresses like -[http://[3ffe:400:100::1]/] http://[3ffe:400:100::1]/ (this given URL only -works with an IPv6-enabled browser!). - -A short test is to try shown URL with a given browser and using no proxy. ------------------------------------------------------------------------------ - -4.5.4.1. URLs for testing - -A good starting point for browsing using IPv6 is [http://www.kame.net/] http: -//www.kame.net/. 
If the turtle on this page is animated, the connection is -via IPv6, otherwise the turtle is static. ------------------------------------------------------------------------------ - -4.6. IPv6-ready server programs - -In this part of this HOWTO, more client specific issues are mentioned. -Therefore hints for IPv6-ready servers like sshd, httpd, telnetd, etc. are -shown below in Hints for IPv6-enabled daemons. ------------------------------------------------------------------------------ - -4.7. FAQ (IPv6-ready system check) - -4.7.1. Using tools - -4.7.1.1. Q: Cannot ping6 to link-local addresses - -Error message: "connect: Invalid argument" - -Kernel doesn't know, which physical or virtual link you want to use to send -such ICMPv6 packets. Therefore it displays this error message. - -Solution: Specify interface like: "ping6 -I eth0 fe80::2e0:18ff:fe90:9205", -see also program ping6 usage. ------------------------------------------------------------------------------ - -4.7.1.2. Q: Cannot ping6 or traceroute6 as normal user - -Error message: "icmp socket: Operation not permitted" - -These utilities create special ICMPv6 packets and send them out. This is done -by using raw sockets in the kernel. But raw sockets can only be used by the -"root" user. Therefore normal users get such error message. - -Solution: If it's really needed that all users should be able to use these -utilities, you can add the "suid" bit using "chmod u+s /path/to/program", see -also program ping6 usage. If not all users should be able to, you can change -the group of the program to e.g. "wheel", add these power users to this group -and remove the execution bit for other users using "chmod o-rwx /path/to/ -program". Or configure "sudo" to enable your security policy. ------------------------------------------------------------------------------ - -Chapter 5. Configuring interfaces - -5.1. Different network devices - -On a node, there exist different network devices. 
They can be collected in -classes - -  * Physically bounded, like eth0, tr0 - -  * Virtually existing, like ppp0, tun0, tap0, sit0, isdn0, ippp0 - - ------------------------------------------------------------------------------ -5.1.1. Physically bounded - -Physically bounded interfaces like Ethernet or Token-Ring are normal ones and -need no special treatment. ------------------------------------------------------------------------------ - -5.1.2. Virtually bounded - -Virtually bounded interfaces always need special support ------------------------------------------------------------------------------ - -5.1.2.1. IPv6-in-IPv4 tunnel interfaces - -These interfaces are normally named sitx. The name sit is a shortcut for -Simple Internet Transition. This device has the capability to encapsulate -IPv6 packets into IPv4 ones and tunnel them to a foreign endpoint. - -sit0 has a special meaning and cannot be used for dedicated tunnels. ------------------------------------------------------------------------------ - -5.1.2.2. PPP interfaces - -PPP interfaces get their IPv6 capability from an IPv6 enabled PPP daemon. ------------------------------------------------------------------------------ - -5.1.2.3. ISDN HDLC interfaces - -IPv6 capability for HDLC with encapsulation ip is already built-in in the -kernel ------------------------------------------------------------------------------ - -5.1.2.4. ISDN PPP interfaces - -ISDN PPP interfaces (ippp) aren't IPv6 enabled by kernel. Also there are also -no plans to do that because in kernel 2.5.+ they will be replaced by a more -generic ppp interface layer. ------------------------------------------------------------------------------ - -5.1.2.5. SLIP + PLIP - -Like mentioned earlier, this interfaces don't support IPv6 transport (sending -is OK, but dispatching on receiving don't work). ------------------------------------------------------------------------------ - -5.1.2.6. 
Ether-tap device - -Ether-tap devices are IPv6-enabled and also stateless configured. For use, -the module "ethertap" has to be loaded before. ------------------------------------------------------------------------------ - -5.1.2.7. tun devices - -Currently not tested by me. ------------------------------------------------------------------------------ - -5.1.2.8. ATM - -01/2002: Aren't currently supported by vanilla kernel, supported by USAGI -extension ------------------------------------------------------------------------------ - -5.1.2.9. Others - -Did I forget an interface?... ------------------------------------------------------------------------------ - -5.2. Bringing interfaces up/down - -Two methods can be used to bring interfaces up or down. ------------------------------------------------------------------------------ - -5.2.1. Using "ip" - -Usage: -# ip link set dev up -# ip link set dev down - - -Example: -# ip link set dev eth0 up -# ip link set dev eth0 down - ------------------------------------------------------------------------------ - -5.2.2. Using "ifconfig" - -Usage: -# /sbin/ifconfig up -# /sbin/ifconfig down - - -Example: -# /sbin/ifconfig eth0 up -# /sbin/ifconfig eth0 down - ------------------------------------------------------------------------------ - -Chapter 6. Configuring IPv6 addresses - -There are different ways to configure an IPv6 address on an interface. You -can use use "ifconfig" or "ip". ------------------------------------------------------------------------------ - -6.1. Displaying existing IPv6 addresses - -First you should check, whether and which IPv6 addresses are already -configured (perhaps auto-magically during stateless auto-configuration). ------------------------------------------------------------------------------ - -6.1.1. 
Using "ip" - -Usage: -# /sbin/ip -6 addr show dev - - -Example for a static configured host: -# /sbin/ip -6 addr show dev eth0 -2: eth0: - - -Example (output filtered with grep to display only IPv6 addresses). Here you -see different IPv6 addresses with different scopes. -# /sbin/ifconfig eth0 |grep "inet6 addr:" -inet6 addr: fe80::210:a4ff:fee3:9566/10 Scope:Link -inet6 addr: 3ffe:ffff:0:f101::1/64 Scope:Global -inet6 addr: fec0:0:0:f101::1/64 Scope:Site - ------------------------------------------------------------------------------ - -6.2. Add an IPv6 address - -Adding an IPv6 address is similar to the mechanism of "IP ALIAS" addresses in -Linux IPv4 addressed interfaces. ------------------------------------------------------------------------------ - -6.2.1. Using "ip" - -Usage: -# /sbin/ip -6 addr add / dev - - -Example: -# /sbin/ip -6 addr add 3ffe:ffff:0:f101::1/64 dev eth0 - ------------------------------------------------------------------------------ - -6.2.2. Using "ifconfig" - -Usage: -# /sbin/ifconfig inet6 add / - - -Example: -# /sbin/ifconfig eth0 inet6 add 3ffe:ffff:0:f101::1/64 - ------------------------------------------------------------------------------ - -6.3. Removing an IPv6 address - -Not so often needed, be carefully with removing non existent IPv6 address, -sometimes using older kernels it results in a crash. ------------------------------------------------------------------------------ - -6.3.1. Using "ip" - -Usage: -# /sbin/ip -6 addr del / dev - - -Example: -# /sbin/ip -6 addr del 3ffe:ffff:0:f101::1/64 dev eth0 - ------------------------------------------------------------------------------ - -6.3.2. Using "ifconfig" - -Usage: -# /sbin/ifconfig inet6 del / - - -Example: -# /sbin/ifconfig eth0 inet6 del 3ffe:ffff:0:f101::1/64 - ------------------------------------------------------------------------------ - -Chapter 7. 
Configuring normal IPv6 routes - -If you want to leave your link and want to send packets in the world wide -IPv6-Internet, you need routing. If there is already an IPv6 enabled router -on your link, it's possible enough to add IPv6 routes. ------------------------------------------------------------------------------ - -7.1. Displaying existing IPv6 routes - -First you should check, whether and which IPv6 addresses are already -configured (perhaps auto-magically during auto-configuration). ------------------------------------------------------------------------------ - -7.1.1. Using "ip" - -Usage: -# /sbin/ip -6 route show [dev ] - - -Example: -# /sbin/ip -6 route show dev eth0 -3ffe:ffff:0:f101::/64 proto kernel metric 256 mtu 1500 advmss 1440 -fe80::/10 proto kernel metric 256 mtu 1500 advmss 1440 -ff00::/8 proto kernel metric 256 mtu 1500 advmss 1440 -default proto kernel metric 256 mtu 1500 advmss 1440 - ------------------------------------------------------------------------------ - -7.1.2. Using "route" - -Usage: -# /sbin/route -A inet6 - - -Example (output is filtered for interface eth0). Here you see different IPv6 -routes for different addresses on a single interface. -# /sbin/route -A inet6 |grep -w "eth0" -3ffe:ffff:0:f101 ::/64 :: UA 256 0 0 eth0 <- Interface route for global -¬ address -fe80::/10 :: UA 256 0 0 eth0 <- Interface route for link-local -¬ address -ff00::/8 :: UA 256 0 0 eth0 <- Interface route for all multicast -¬ addresses -::/0 :: UDA 256 0 0 eth0 <- Automatic default route - ------------------------------------------------------------------------------ - -7.2. Add an IPv6 route through a gateway - -Mostly needed to reach the outside with IPv6 using an IPv6-enabled router on -your link. ------------------------------------------------------------------------------ - -7.2.1. 
Using "ip" - -Usage: -# /sbin/ip -6 route add / via -¬ [dev ] - - -Example: -# /sbin/ip -6 route add 2000::/3 via 3ffe:ffff:0:f101::1 - ------------------------------------------------------------------------------ - -7.2.2. Using "route" - -Usage: -# /sbin/route -A inet6 add / gw -¬ [dev ] - - -A device can be needed, too, if the IPv6 address of the gateway is a link -local one. - -Following shown example adds a route for all currently global addresses -(2000::/3) through gateway 3ffe:ffff:0:f101::1 -# /sbin/route -A inet6 add 2000::/3 gw 3ffe:ffff:0:f101::1 - ------------------------------------------------------------------------------ - -7.3. Removing an IPv6 route through a gateway - -Not so often needed manually, mostly done by network configure scripts on -shutdown (full or per interface) ------------------------------------------------------------------------------ - -7.3.1. Using "ip" - -Usage: -# /sbin/ip -6 route del / via -¬ [dev ] - - -Example: -# /sbin/ip -6 route del 2000::/3 via 3ffe:ffff:0:f101::1 - ------------------------------------------------------------------------------ - -7.3.2. Using "route" - -Usage: -# /sbin/route -A inet6 del / [dev ] - - -Example for removing upper added route again: -# /sbin/route -A inet6 del 2000::/3 gw 3ffe:ffff:0:f101::1 - ------------------------------------------------------------------------------ - -7.4. Add an IPv6 route through an interface - -Not often needed, sometimes in cases of dedicated point-to-point links. ------------------------------------------------------------------------------ - -7.4.1. Using "ip" - -Usage: -# /sbin/ip -6 route add / dev -¬ metric 1 - - -Example: -# /sbin/ip -6 route add 2000::/3 dev eth0 metric 1 - - -Metric "1" is used here to be compatible with the metric used by route, -because the default metric on using "ip" is "1024". ------------------------------------------------------------------------------ - -7.4.2. 
Using "route" - -Usage: -# /sbin/route -A inet6 add / dev - - -Example: -# /sbin/route -A inet6 add 2000::/3 dev eth0 - ------------------------------------------------------------------------------ - -7.5. Removing an IPv6 route through an interface - -Not so often needed to use by hand, configuration scripts will use such on -shutdown. ------------------------------------------------------------------------------ - -7.5.1. Using "ip" - -Usage: -# /sbin/ip -6 route del / dev - - -Example: -# /sbin/ip -6 route del 2000::/3 dev eth0 - ------------------------------------------------------------------------------ - -7.5.2. Using "route" - -Usage: -# /sbin/route -A inet6 del / dev - - -Example: -# /sbin/route -A inet6 del 2000::/3 dev eth0 - ------------------------------------------------------------------------------ - -7.6. FAQ for IPv6 routes - -7.6.1. Support of an IPv6 default route - -One idea of IPv6 was a hierachical routing, therefore only less routing -entries are needed in routers. - -There are some issues in current Linux kernels: ------------------------------------------------------------------------------ - -7.6.1.1. Clients (not routing any packet!) - -Client can setup a default route like prefix "::/0", they also learn such -route on autoconfiguration e.g. using radvd on the link like following -example shows: -# ip -6 route show | grep ^default -default via fe80::212:34ff:fe12:3450 dev eth0 proto kernel metric 1024 expires -¬ 29sec mtu 1500 advmss 1440 - ------------------------------------------------------------------------------ - -7.6.1.2. Routers in case of packet forwarding - -Current mainstream Linux kernel (at least <= 2.4.17) don't support default -routes. You can set them up, but the route lookup fails when a packet should -be forwarded (normal intention of a router). - -Therefore at this time "default routing" can be setup using the currently -only global address prefix "2000::/3". 
- -The USAGI project already supports this in their extension with a hack. - -Note: take care about default routing without address filtering on edge -routers. Otherwise unwanted multicast or site-local traffic leave the edge. ------------------------------------------------------------------------------ - -Chapter 8. Neighbor Discovery - -Neighbor discovery was the IPv6 successor for the ARP (Address Resolution -Protocol) in IPv4. You can retrieve information about the current neighbors, -in addition you can set and delete entries. The kernel keeps tracking of -successful neighbor detection (like ARP in IPv4). You can dig into the learnt -table using "ip". ------------------------------------------------------------------------------ - -8.1. Displaying neighbors using "ip" - -With following command you can display the learnt or configured IPv6 -neighbors -# ip -6 neigh show [dev ] - - -The following example shows one neighbor, which is a reachable router -# ip -6 neigh show -fe80::201:23ff:fe45:6789 dev eth0 lladdr 00:01:23:45:67:89 router nud reachable - ------------------------------------------------------------------------------ - -8.2. Manipulating neighbors table using "ip" - -8.2.1. Manually add an entry - -With following command you are able to manually add an entry -# ip -6 neigh add lladdr dev - - -Example: -# ip -6 neigh add fec0::1 lladdr 02:01:02:03:04:05 dev eth0 - ------------------------------------------------------------------------------ - -8.2.2. Manually delete an entry - -Like adding also an entry can be deleted: -# ip -6 neigh del lladdr dev - - -Example: -# ip -6 neigh del fec0::1 lladdr 02:01:02:03:04:05 dev eth0 - ------------------------------------------------------------------------------ - -8.2.3. More advanced settings - -The tool "ip" is less documentated, but very strong. 
See online "help" for -more: -# ip -6 neigh help -Usage: ip neigh { add | del | change | replace } { ADDR [ lladdr LLADDR ] - [ nud { permanent | noarp | stale | reachable } ] - | proxy ADDR } [ dev DEV ] - ip neigh {show|flush} [ to PREFIX ] [ dev DEV ] [ nud STATE ] - - -Looks like some options are only for IPv4...if you can contribute information -about flags and advanced usage, pls. send. ------------------------------------------------------------------------------ - -Chapter 9. Configuring IPv6-in-IPv4 tunnels - -If you want to leave your link you have no IPv6 capable network around you, -you need IPv6-in-IPv4 tunneling to reach the world wide IPv6-Internet. - -There are some kind of tunnel mechanism and also some possibilities to setup -tunnels. ------------------------------------------------------------------------------ - -9.1. Types of tunnels - -There are more than one possibility to tunnel IPv6 packets over IPv4-only -links. ------------------------------------------------------------------------------ - -9.1.1. Static point-to-point tunneling: 6bone - -A point-to-point tunnel is a dedicated tunnel to an endpoint, which knows -about your IPv6 network (for backward routing) and the IPv4 address of your -tunnel endpoint and defined in [http://www.faqs.org/rfcs/rfc2893.html] RFC -2893 / Transition Mechanisms for IPv6 Hosts and Routers. Requirements: - -  * IPv4 address of your local tunnel endpoint must be static, global unique - and reachable from the foreign tunnel endpoint - -  * A global IPv6 prefix assigned to you (see 6bone registry) - -  * A foreign tunnel endpoint which is capable to route your IPv6 prefix to - your local tunnel endpoint (mostly remote manual configuration required) - - ------------------------------------------------------------------------------ -9.1.2. Automatically tunneling - -Automatic tunneling occurs, when a node directly connects another node gotten -the IPv4 address of the other node before. 
------------------------------------------------------------------------------ - -9.1.3. 6to4-Tunneling - -6to4 tunneling ([http://www.faqs.org/rfcs/rfc3056.html] RFC 3056 / Connection -of IPv6 Domains via IPv4 Clouds) uses a simple mechanism to create automatic -tunnels. Each node with a global unique IPv4 address is able to be a 6to4 -tunnel endpoint (if no IPv4 firewall prohibits traffic). 6to4 tunneling is -mostly not a one-to-one tunnel. This case of tunneling can be divided into -upstream and downstream tunneling. Also, a special IPv6 address indicates -that this node will use 6to4 tunneling for connecting the world-wide IPv6 -network ------------------------------------------------------------------------------ - -9.1.3.1. Generation of 6to4 prefix - -The 6to4 address is defined like following (schema is taken from [http:// -www.faqs.org/rfcs/rfc3056.html] RFC 3056 / Connection of IPv6 Domains via -IPv4 Clouds): -| 3+13 | 32 | 16 | 64 bits | -+---+------+-----------+--------+--------------------------------+ -| FP+TLA | V4ADDR | SLA ID | Interface ID | -| 0x2002 | | | | -+---+------+-----------+--------+--------------------------------+ - - -FP and TLA together (16 bits) have the value 0x2002. V4ADDR is the node's -global unique IPv4 address (in hexadecimal notation). SLA is the subnet -identifier (65536 local subnets possible) and are usable to represent your -local network structure. - -For gateways, such prefix is generated by normally using SLA "0000" and -suffix "::1" (not a must, can be an arbitrary one with local-scope) and -assigned to the 6to4 tunnel interface. Note that Microsoft Windows uses -V4ADDR also for suffix. ------------------------------------------------------------------------------ - -9.1.3.2. 6to4 upstream tunneling - -The node has to know to which foreign tunnel endpoint its in IPv4 packed IPv6 -packets should be send to. In "early" days of 6to4 tunneling, dedicated -upstream accepting routers were defined. 
See [http://www.kfu.com/~nsayer/6to4 -/] NSayer's 6to4 information for a list of routers. - -Nowadays, 6to4 upstream routers can be found auto-magically using the anycast -address 192.88.99.1. In the background routing protocols handle this, see -[http://www.faqs.org/rfcs/rfc3068.html] RFC 3068 / An Anycast Prefix for 6to4 -Relay Routers for details. ------------------------------------------------------------------------------ - -9.1.3.3. 6to4 downstream tunneling - -The downstream (6bone -> your 6to4 enabled node) is not really fix and can -vary from foreign host which originated packets were send to. There exist two -possibilities: - -  * Foreign host uses 6to4 and sends packet direct back to your node (see - below) - -  * Foreign host sends packets back to the world-wide IPv6 network and - depending on the dynamic routing a relay router create a automatic tunnel - back to your node. - - ------------------------------------------------------------------------------ -9.1.3.4. Possible 6to4 traffic - -  * from 6to4 to 6to4: is normally directly tunneled between the both 6to4 - enabled hosts - -  * from 6to4 to non-6to4: is sent via upstream tunneling - -  * non-6to4 to 6to4: is sent via downstream tunneling - - ------------------------------------------------------------------------------ -9.2. Displaying existing tunnels - -9.2.1. Using "ip" - -Usage: -# /sbin/ip -6 tunnel show [] - - -Example: -# /sbin/ip -6 tunnel show -sit0: ipv6/ip remote any local any ttl 64 nopmtudisc -sit1: ipv6/ip remote 195.226.187.50 local any ttl 64 - ------------------------------------------------------------------------------ - -9.2.2. 
Using "route" - -Usage: -# /sbin/route -A inet6 - - -Example (output is filtered to display only tunnels through virtual interface -sit0): -# /sbin/route -A inet6 | grep "\Wsit0\W*$" -::/96 :: U 256 2 0 sit0 -2002::/16 :: UA 256 0 0 sit0 -2000::/3 ::193.113.58.75 UG 1 0 0 sit0 -fe80::/10 :: UA 256 0 0 sit0 -ff00::/8 :: UA 256 0 0 sit0 - ------------------------------------------------------------------------------ - -9.3. Setup of point-to-point tunnel - -There are 3 possibilities to add or remove point-to-point tunnels. - -A good additional information about tunnel setup using "ip" is [http:// -www.deepspace6.net/docs/iproute2tunnel-en.html] Configuring tunnels with -iproute2 (article) ([http://mirrors.bieringer.de/www.deepspace6.net/docs/ -iproute2tunnel-en.html] Mirror). ------------------------------------------------------------------------------ - -9.3.1. Add point-to-point tunnels - -9.3.1.1. Using "ip" - -Common method at the moment for a small amount of tunnels. - -Usage for creating a tunnel device (but it's not up afterward, also a TTL -must be specified because the default value is 0). -# /sbin/ip tunnel add mode sit ttl remote -¬ local - - -Usage (generic example for three tunnels): -# /sbin/ip tunnel add sit1 mode sit ttl remote -¬ local -# /sbin/ip link set dev sit1 up -# /sbin/ip -6 route add dev sit1 metric 1 -# /sbin/ip tunnel add sit2 mode sit ttl local -# /sbin/ip link set dev sit2 up -# /sbin/ip -6 route add dev sit2 metric 1 -# /sbin/ip tunnel add sit3 mode sit ttl local -# /sbin/ip link set dev sit3 up -# /sbin/ip -6 route add dev sit3 metric 1 - ------------------------------------------------------------------------------ - -9.3.1.2. Using "ifconfig" and "route" (deprecated) - -This not very recommended way to add a tunnel because it's a little bit -strange. No problem if adding only one, but if you setup more than one, you -cannot easy shutdown the first ones and leave the others running. 
- -Usage (generic example for three tunnels): -# /sbin/ifconfig sit0 up -# /sbin/ifconfig sit0 tunnel -# /sbin/ifconfig sit1 up -# /sbin/route -A inet6 add dev sit1 -# /sbin/ifconfig sit0 tunnel -# /sbin/ifconfig sit2 up -# /sbin/route -A inet6 add dev sit2 -# /sbin/ifconfig sit0 tunnel -# /sbin/ifconfig sit3 up -# /sbin/route -A inet6 add dev sit3 - - -Important: DON'T USE THIS, because this setup implicit enable "automatic -tunneling" from anywhere in the Internet, this is a risk, and it should not -be advocated. ------------------------------------------------------------------------------ - -9.3.1.3. Using "route" only - -It's also possible to setup tunnels in Non Broadcast Multiple Access (NBMA) -style, it's a easy way to add many tunnels at once. But none of the tunnel -can be numbered (which is a not required feature). - -Usage (generic example for three tunnels): -# /sbin/ifconfig sit0 up -# /sbin/route -A inet6 add gw -¬ :: dev sit0 -# /sbin/route -A inet6 add gw -¬ :: dev sit0 -# /sbin/route -A inet6 add gw -¬ :: dev sit0 - - -Important: DON'T USE THIS, because this setup implicit enable "automatic -tunneling" from anywhere in the Internet, this is a risk, and it should not -be advocated. ------------------------------------------------------------------------------ - -9.3.2. Removing point-to-point tunnels - -Manually not so often needed, but used by scripts for clean shutdown or -restart of IPv6 configuration. ------------------------------------------------------------------------------ - -9.3.2.1. 
Using "ip" - -Usage for removing a tunnel device: -# /sbin/ip tunnel del - - -Usage (generic example for three tunnels): -# /sbin/ip -6 route del dev sit1 -# /sbin/ip link set sit1 down -# /sbin/ip tunnel del sit1 -# /sbin/ip -6 route del dev sit2 -# /sbin/ip link set sit2 down -# /sbin/ip tunnel del sit2 -# /sbin/ip -6 route del dev sit3 -# /sbin/ip link set sit3 down -# /sbin/ip tunnel del sit3 - ------------------------------------------------------------------------------ - -9.3.2.2. Using "ifconfig" and "route" (deprecated because not very funny) - -Not only the creation is strange, the shutdown also...you have to remove the -tunnels in backorder, means the latest created must be removed first. - -Usage (generic example for three tunnels): -# /sbin/route -A inet6 del dev sit3 -# /sbin/ifconfig sit3 down -# /sbin/route -A inet6 del dev sit2 -# /sbin/ifconfig sit2 down -# /sbin/route -A inet6 add dev sit1 -# /sbin/ifconfig sit1 down -# /sbin/ifconfig sit0 down - ------------------------------------------------------------------------------ - -9.3.2.3. Using "route" - -This is like removing normal IPv6 routes. - -Usage (generic example for three tunnels): -# /sbin/route -A inet6 del gw -¬ :: dev sit0 -# /sbin/route -A inet6 del gw -¬ :: dev sit0 -# /sbin/route -A inet6 del gw -¬ :: dev sit0 -# /sbin/ifconfig sit0 down - ------------------------------------------------------------------------------ - -9.3.3. Numbered point-to-point tunnels - -Sometimes it's needed to configure a point-to-point tunnel with IPv6 -addresses like in IPv4 today. This is only possible with the first -(ifconfig+route - deprecated) and third (ip+route) tunnel setup. In such -cases, you can add the IPv6 address to the tunnel interface like shown on -interface configuration. ------------------------------------------------------------------------------ - -9.4. 
Setup of 6to4 tunnels - -Pay attention that the support of 6to4 tunnels currently lacks on vanilla -kernel series 2.2.x (see systemcheck/kernel for more information). Also note -that that the prefix length for a 6to4 address is 16 because of from network -point of view, all other 6to4 enabled hosts are on the same layer 2. ------------------------------------------------------------------------------ - -9.4.1. Add a 6to4 tunnel - -First, you have to calculate your 6to4 prefix using your local assigned -global routable IPv4 address (if your host has no global routable IPv4 -address, in special cases NAT on border gateways is possible): - -Assuming your IPv4 address is -1.2.3.4 - - -the generated 6to4 prefix will be -2002:0102:0304:: - - -Local 6to4 gateways should (but it's not a must, you can choose an arbitrary -suffix with local-scope, if you feel better) always assigned the suffix ":: -1", therefore your local 6to4 address will be -2002:0102:0304::1 - - -Use e.g. following for automatic generation: -ipv4="1.2.3.4"; printf "2002:%02x%02x:%02x%02x::1" `echo $ipv4 | tr "." " "` - - -There are two ways possible to setup 6to4 tunneling now. ------------------------------------------------------------------------------ - -9.4.1.1. Using "ip" and a dedicated tunnel device - -This is now the recommended way (a TTL must be specified because the default -value is 0). - -Create a new tunnel device -# /sbin/ip tunnel add tun6to4 mode sit ttl remote any local - - -Bring interface up -# /sbin/ip link set dev tun6to4 up - - -Add local 6to4 address to interface (note: prefix length 16 is important!) -# /sbin/ip -6 addr add /16 dev tun6to4 - - -Add (default) route to the global IPv6 network using the all-6to4-routers -IPv4 anycast address -# /sbin/ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4 metric 1 - - -It was reported that some versions of "ip" (e.g. 
SuSE Linux 9.0) don't -support IPv4-compatible IPv6 addresses for gateways, in this case the related -IPv6 address has to be used: -# /sbin/ip -6 route add 2000::/3 via 2002:c058:6301::1 dev tun6to4 metric 1 - ------------------------------------------------------------------------------ - -9.4.1.2. Using "ifconfig" and "route" and generic tunnel device "sit0" -(deprecated) - -This is now deprecated because using the generic tunnel device sit0 doesn't -let specify filtering per device. - -Bring generic tunnel interface sit0 up -# /sbin/ifconfig sit0 up - - -Add local 6to4 address to interface -# /sbin/ifconfig sit0 add /16 - - -Add (default) route to the global IPv6 network using the all-6to4-relays IPv4 -anycast address -# /sbin/route -A inet6 add 2000::/3 gw ::192.88.99.1 dev sit0 - ------------------------------------------------------------------------------ - -9.4.2. Remove a 6to4 tunnel - -9.4.2.1. Using "ip" and a dedicated tunnel device - -Remove all routes through this dedicated tunnel device -# /sbin/ip -6 route flush dev tun6to4 - - -Shut down interface -# /sbin/ip link set dev tun6to4 down - - -Remove created tunnel device -# /sbin/ip tunnel del tun6to4 - ------------------------------------------------------------------------------ - -9.4.2.2. Using "ifconfig" and "route" and generic tunnel device "sit0" -(deprecated) - -Remove (default) route through the 6to4 tunnel interface -# /sbin/route -A inet6 del 2000::/3 gw ::192.88.99.1 dev sit0 - - -Remove local 6to4 address to interface -# /sbin/ifconfig sit0 del /16 - - -Shut down generic tunnel device (take care about this, perhaps it's still in -use...) -# /sbin/ifconfig sit0 down - ------------------------------------------------------------------------------ - -Chapter 10. Configuring IPv4-in-IPv6 tunnels - -This will be filled in the future. At the moment, such tunnels are more used -in test environments but it looks like that support is missing currently for -Linux (03/2004). 
- -More information in the meantime: [http://www.faqs.org/rfcs/rfc2473.html] RFC -2473 / Generic Packet Tunneling in IPv6 Specification ------------------------------------------------------------------------------ - -Chapter 11. Kernel settings in /proc-filesystem - -Note: the source of this section is mostly the file "ip-sysctl.txt" which is -included in current kernel sources in directory "Documentation/networking". -Credits to Pekka Savola for maintaining the IPv6-related part in this file. -Also some text is more or less copied & pasted into this document. ------------------------------------------------------------------------------ - -11.1. How to access the /proc-filesystem - -11.1.1. Using "cat" and "echo" - -Using "cat" and "echo" is the simplest way to access the /proc filesystem, -but some requirements are needed for that - -  * The /proc-filesystem had to be enabled in kernel, means on compiling - following switch has to be set - - -CONFIG_PROC_FS=y - - -  * The /proc-filesystem was mounted before, which can be tested using - - -# mount | grep "type proc" -none on /proc type proc (rw) - - -  * You need read and sometimes also write access (normally root only) to the - /proc-filesystem - - -Normally, only entries in /proc/sys/* are writable, the others are readonly -and for information retrieving only. ------------------------------------------------------------------------------ - -11.1.1.1. Retrieving a value - -The value of an entry can be retrieved using "cat": -# cat /proc/sys/net/ipv6/conf/all/forwarding -0 - ------------------------------------------------------------------------------ - -11.1.1.2. Setting a value - -A new value can be set (if entry is writable) using "echo": -# echo "1" >/proc/sys/net/ipv6/conf/all/forwarding - ------------------------------------------------------------------------------ - -11.1.2. Using "sysctl" - -Using the "sysctl" program to access the kernel switches is a modern method -today. 
You can use it also, if the /proc-filesystem isn't mounted. But you -have only access to /proc/sys/*! - -The program "sysctl" is included in package "procps" (on Red Hat Linux -systems). - -  * The sysctl-interface had to be enabled in kernel, means on compiling - following switch has to be set - - -CONFIG_SYSCTL=y - ------------------------------------------------------------------------------ - -11.1.2.1. Retrieving a value - -The value of an entry can be retrieved now: -# sysctl net.ipv6.conf.all.forwarding -net.ipv6.conf.all.forwarding = 0 - ------------------------------------------------------------------------------ - -11.1.2.2. Setting a value - -A new value can be set (if entry is writable): -# sysctl -w net.ipv6.conf.all.forwarding=1 -net.ipv6.conf.all.forwarding = 1 - - -Note: Don't use spaces around the "=" on setting values. Also on multiple -values per line, quote them like e.g. -# sysctl -w net.ipv4.ip_local_port_range="32768 61000" -net.ipv4.ip_local_port_range = 32768 61000 - ------------------------------------------------------------------------------ - -11.1.2.3. Additionals - -Note: There are sysctl versions in the wild which displaying "/" instead of -the "." - -For more details take a look into sysctl's manpage. - -Hint: for digging fast into the settings, use the option "-a" (display all -entries) in conjunction with "grep". ------------------------------------------------------------------------------ - -11.1.3. Values found in /proc-filesystems - -There are several formats seen in /proc-filesystem: - -  * BOOLEAN: simple a "0" (false) or a "1" (true) - -  * INTEGER: an integer value, can be unsigned, too - -  * more sophisticated lines with several values: sometimes a header line is - displayed also, if not, have a look into the kernel source to retrieve - information about the meaning of each value... - - ------------------------------------------------------------------------------ -11.2. Entries in /proc/sys/net/ipv6/ - -11.2.1. 
conf/default/* - -Change the interface-specific default settings. ------------------------------------------------------------------------------ - -11.2.2. conf/all/* - -Change all the interface-specific settings. - -Exception: "conf/all/forwarding" has a different meaning here ------------------------------------------------------------------------------ - -11.2.2.1. conf/all/forwarding - -  * Type: BOOLEAN - - -This enables global IPv6 forwarding between all interfaces. - -In IPv6 you can't control forwarding per device, forwarding control has to be -done using IPv6-netfilter (controlled with ip6tables) rulesets and specify -input and output devices (see Firewalling/Netfilter6 for more). This is -different to IPv4, where you are able to control forwarding per device -(decision is made on interface where packet came in). - -This also sets all interfaces' Host/Router setting 'forwarding' to the -specified value. See below for details. This referred to as global -forwarding. - -If this value is 0, no IPv6 forwarding is enabled, packets never leave -another interface, neither physical nor logical like e.g. tunnels. ------------------------------------------------------------------------------ - -11.2.3. conf/interface/* - -Change special settings per interface. - -The functional behaviour for certain settings is different depending on -whether local forwarding is enabled or not. ------------------------------------------------------------------------------ - -11.2.3.1. accept_ra - -  * Type: BOOLEAN - -  * Functional default: enabled if local forwarding is disabled. disabled if - local forwarding is enabled. - - -Accept Router Advertisements, and autoconfigure this interface with received -data. ------------------------------------------------------------------------------ - -11.2.3.2. accept_redirects - -  * Type: BOOLEAN - -  * Functional default: enabled if local forwarding is disabled. disabled if - local forwarding is enabled. 
- - -Accept Redirects sent by an IPv6 router. ------------------------------------------------------------------------------ - -11.2.3.3. autoconf - -  * Type: BOOLEAN - -  * Default: TRUE - - -Configure link-local addresses (see also Addresstypes) using L2 hardware -addresses. E.g. this generates automagically an address like "fe80::201:23ff: -fe45:6789" on an interface with a L2-MAC address. ------------------------------------------------------------------------------ - -11.2.3.4. dad_transmits - -  * Type: INTEGER - -  * Default: 1 - - -The amount of Duplicate Address Detection probes to send. ------------------------------------------------------------------------------ - -11.2.3.5. forwarding - -  * Type: BOOLEAN - -  * Default: FALSE if global forwarding is disabled (default), otherwise TRUE - - -Configure interface-specific Host/Router behaviour. - -Note: It is recommended to have the same setting on all interfaces; mixed -router/host scenarios are rather uncommon. - -  * Value FALSE: By default, Host behaviour is assumed. This means: - - - 1. IsRouter flag is not set in Neighbour Advertisements. - - 2. Router Solicitations are being sent when necessary. - - 3. If accept_ra is TRUE (default), accept Router Advertisements (and do - autoconfiguration). - - 4. If accept_redirects is TRUE (default), accept Redirects. - - -  * Value TRUE: If local forwarding is enabled, Router behaviour is assumed. - This means exactly the reverse from the above: - - - 1. IsRouter flag is set in Neighbour Advertisements. - - 2. Router Solicitations are not sent. - - 3. Router Advertisements are ignored. - - 4. Redirects are ignored. - - ------------------------------------------------------------------------------ -11.2.3.6. hop_limit - -  * Type: INTEGER - -  * Default: 64 - - -Default Hop Limit to set. ------------------------------------------------------------------------------ - -11.2.3.7. 
mtu - -  * Type: INTEGER - -  * Default: 1280 (IPv6 required minimum) - - -Default Maximum Transfer Unit ------------------------------------------------------------------------------ - -11.2.3.8. router_solicitation_delay - -  * Type: INTEGER - -  * Default: 1 - - -Number of seconds to wait after interface is brought up before sending Router -Solicitations. ------------------------------------------------------------------------------ - -11.2.3.9. router_solicitation_interval - -  * Type: INTEGER - -  * Default: 4 - - -Number of seconds to wait between Router Solicitations. ------------------------------------------------------------------------------ - -11.2.3.10. router_solicitations - -  * Type: INTEGER - -  * Default: 3 - - -Number of Router Solicitations to send until assuming no routers are present. ------------------------------------------------------------------------------ - -11.2.4. neigh/default/* - -Change default settings for neighbor detection and some special global -interval and threshold values: ------------------------------------------------------------------------------ - -11.2.4.1. gc_thresh1 - -  * Type: INTEGER - -  * Default: 128 - - -More to be filled. ------------------------------------------------------------------------------ - -11.2.4.2. gc_thresh2 - -  * Type: INTEGER - -  * Default: 512 - - -More to be filled. ------------------------------------------------------------------------------ - -11.2.4.3. gc_thresh3 - -  * Type: INTEGER - -  * Default: 1024 - - -Tuning parameter for neighbour table size. - -Increase this value if you have a lot of interfaces and problem with routes -start to act mysteriously and fail. Or if a running [http://www.zebra.org/] -Zebra (routing daemon) reports: -ZEBRA: netlink-listen error: No buffer space available, type=RTM_NEWROUTE(24), seq=426, pid=0 - ------------------------------------------------------------------------------ - -11.2.4.4. 
gc_interval - -  * Type: INTEGER - -  * Default: 30 - - -More to be filled. ------------------------------------------------------------------------------ - -11.2.5. neigh/interface/* - -Change special settings per interface for neighbor detection. ------------------------------------------------------------------------------ - -11.2.5.1. anycast_delay - -  * Type: INTEGER - -  * Default: 100 - - -More to be filled. ------------------------------------------------------------------------------ - -11.2.5.2. gc_stale_time - -  * Type: INTEGER - -  * Default: 60 - - -More to be filled. ------------------------------------------------------------------------------ - -11.2.5.3. proxy_qlen - -  * Type: INTEGER - -  * Default: 64 - - -More to be filled. ------------------------------------------------------------------------------ - -11.2.5.4. unres_qlen - -  * Type: INTEGER - -  * Default: 3 - - -More to be filled. ------------------------------------------------------------------------------ - -11.2.5.5. app_solicit - -  * Type: INTEGER - -  * Default: 0 - - -More to be filled. ------------------------------------------------------------------------------ - -11.2.5.6. locktime - -  * Type: INTEGER - -  * Default: 0 - - -More to be filled. ------------------------------------------------------------------------------ - -11.2.5.7. retrans_time - -  * Type: INTEGER - -  * Default: 100 - - -More to be filled. ------------------------------------------------------------------------------ - -11.2.5.8. base_reachable_time - -  * Type: INTEGER - -  * Default: 30 - - -More to be filled. ------------------------------------------------------------------------------ - -11.2.5.9. mcast_solicit - -  * Type: INTEGER - -  * Default: 3 - - -More to be filled. ------------------------------------------------------------------------------ - -11.2.5.10. 
ucast_solicit - -  * Type: INTEGER - -  * Default: 3 - - -More to be filled ------------------------------------------------------------------------------ - -11.2.5.11. delay_first_probe_time - -  * Type: INTEGER - -  * Default: 5 - - -More to be filled. ------------------------------------------------------------------------------ - -11.2.5.12. proxy_delay - -  * Type: INTEGER - -  * Default: 80 - - -More to be filled. ------------------------------------------------------------------------------ - -11.2.6. route/* - -Change global settings for routing. ------------------------------------------------------------------------------ - -11.2.6.1. flush - -Removed in newer kernel releases - more to be filled. ------------------------------------------------------------------------------ - -11.2.6.2. gc_interval - -  * Type: INTEGER - -  * Default: 30 - - -More to be filled. ------------------------------------------------------------------------------ - -11.2.6.3. gc_thresh - -  * Type: INTEGER - -  * Default: 1024 - - -More to be filled. ------------------------------------------------------------------------------ - -11.2.6.4. mtu_expires - -  * Type: INTEGER - -  * Default: 600 - - -More to be filled. ------------------------------------------------------------------------------ - -11.2.6.5. gc_elasticity - -  * Type: INTEGER - -  * Default: 0 - - -More to be filled. ------------------------------------------------------------------------------ - -11.2.6.6. gc_min_interval - -  * Type: INTEGER - -  * Default: 5 - - -More to be filled. ------------------------------------------------------------------------------ - -11.2.6.7. gc_timeout - -  * Type: INTEGER - -  * Default: 60 - - -More to be filled. ------------------------------------------------------------------------------ - -11.2.6.8. min_adv_mss - -  * Type: INTEGER - -  * Default: 12 - - -More to be filled. ------------------------------------------------------------------------------ - -11.2.6.9. 
max_size - -  * Type: INTEGER - -  * Default: 4096 - - -More to be filled. ------------------------------------------------------------------------------ - -11.3. IPv6-related entries in /proc/sys/net/ipv4/ - -At the moment (and this will be until IPv4 is completly converted to an -independend kernel module) some switches are also used here for IPv6. ------------------------------------------------------------------------------ - -11.3.1. ip_* - -11.3.1.1. ip_local_port_range - -This control setting is used by IPv6 also. ------------------------------------------------------------------------------ - -11.3.2. tcp_* - -This control settings are used by IPv6 also. ------------------------------------------------------------------------------ - -11.3.3. icmp_* - -This control settings are not used by IPv6. To enable ICMPv6 rate limiting -(which is very recommended because of the capability of ICMPv6 storms) -netfilter-v6 rules must be used. ------------------------------------------------------------------------------ - -11.3.4. others - -Unknown, but probably not used by IPv6. ------------------------------------------------------------------------------ - -11.4. IPv6-related entries in /proc/net/ - -In /proc/net there are several read-only entries available. You cannot -retrieve information using "sysctl" here, so use e.g. "cat". ------------------------------------------------------------------------------ - -11.4.1. if_inet6 - -  * Type: One line per addresss containing multiple values - - -Here all configured IPv6 addresses are shown in a special format. The example -displays for loopback interface only. The meaning is shown below (see "net/ -ipv6/addrconf.c" for more). -# cat /proc/net/if_inet6 -00000000000000000000000000000001 01 80 10 80 lo -+------------------------------+ ++ ++ ++ ++ ++ -| | | | | | -1 2 3 4 5 6 - - - 1. IPv6 address displayed in 32 hexadecimal chars without colons as - separator - - 2. 
Netlink device number (interface index) in hexadecimal (see "ip addr" , - too) - - 3. Prefix length in hexadecimal - - 4. Scope value (see kernel source " include/net/ipv6.h" and "net/ipv6/ - addrconf.c" for more) - - 5. Interface flags (see "include/linux/rtnetlink.h" and "net/ipv6/ - addrconf.c" for more) - - 6. Device name - - ------------------------------------------------------------------------------ -11.4.2. ipv6_route - -  * Type: One line per route containing multiple values - - -Here all configured IPv6 routes are shown in a special format. The example -displays for loopback interface only. The meaning is shown below (see "net/ -ipv6/route.c" for more). -# cat /proc/net/ipv6_route -00000000000000000000000000000000 00 00000000000000000000000000000000 00 -+------------------------------+ ++ +------------------------------+ ++ -| | | | -1 2 3 4 -¬ 00000000000000000000000000000000 ffffffff 00000001 00000001 00200200 lo -¬ +------------------------------+ +------+ +------+ +------+ +------+ ++ -¬ | | | | | | -¬ 5 6 7 8 9 10 - - - 1. IPv6 destination network displayed in 32 hexadecimal chars without colons - as separator - - 2. IPv6 destination prefix length in hexadecimal - - 3. IPv6 source network displayed in 32 hexadecimal chars without colons as - separator - - 4. IPv6 source prefix length in hexadecimal - - 5. IPv6 next hop displayed in 32 hexadecimal chars without colons as - separator - - 6. Metric in hexadecimal - - 7. Reference counter - - 8. Use counter - - 9. Flags - -10. Device name - - ------------------------------------------------------------------------------ -11.4.3. sockstat6 - -  * Type: One line per protocol with description and value - - -Statistics about used IPv6 sockets. Example: -# cat /proc/net/sockstat6 -TCP6: inuse 7 -UDP6: inuse 2 -RAW6: inuse 1 -FRAG6: inuse 0 memory 0 - ------------------------------------------------------------------------------ - -11.4.4. tcp6 - -To be filled. 
------------------------------------------------------------------------------ - -11.4.5. udp6 - -To be filled. ------------------------------------------------------------------------------ - -11.4.6. igmp6 - -To be filled. ------------------------------------------------------------------------------ - -11.4.7. raw6 - -To be filled. ------------------------------------------------------------------------------ - -11.4.8. ip6_flowlabel - -To be filled. ------------------------------------------------------------------------------ - -11.4.9. rt6_stats - -To be filled. ------------------------------------------------------------------------------ - -11.4.10. snmp6 - -  * Type: One line per SNMP description and value - - -SNMP statistics, can be retrieved via SNMP server and related MIB table by -network management software. ------------------------------------------------------------------------------ - -11.4.11. ip6_tables_names - -Available netfilter6 tables ------------------------------------------------------------------------------ - -Chapter 12. Netlink-Interface to kernel - -To be filled...I have no experience with that... ------------------------------------------------------------------------------ - -Chapter 13. Network debugging - -13.1. Server socket binding - -13.1.1. Using "netstat" for server socket binding check - -It's always interesting which server sockets are currently active on a node. 
-Using "netstat" is a short way to get such information: - -Used options: -nlptu - -Example: -# netstat -nlptu -Active Internet connections (only servers) -Proto Recv-Q Send-Q Local Address Foreign Address State -¬ PID/Program name -tcp 0 0 0.0.0.0:32768 0.0.0.0:* LISTEN -¬ 1258/rpc.statd -tcp 0 0 0.0.0.0:32769 0.0.0.0:* LISTEN -¬ 1502/rpc.mountd -tcp 0 0 0.0.0.0:515 0.0.0.0:* LISTEN -¬ 22433/lpd Waiting -tcp 0 0 1.2.3.1:139 0.0.0.0:* LISTEN -¬ 1746/smbd -tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -¬ 1230/portmap -tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN -¬ 3551/X -tcp 0 0 1.2.3.1:8081 0.0.0.0:* LISTEN -¬ 18735/junkbuster -tcp 0 0 1.2.3.1:3128 0.0.0.0:* LISTEN -¬ 18822/(squid) -tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN -¬ 30734/named -tcp 0 0 ::ffff:1.2.3.1:993 :::* LISTEN -¬ 6742/xinetd-ipv6 -tcp 0 0 :::13 :::* LISTEN -¬ 6742/xinetd-ipv6 -tcp 0 0 ::ffff:1.2.3.1:143 :::* LISTEN -¬ 6742/xinetd-ipv6 -tcp 0 0 :::53 :::* LISTEN -¬ 30734/named -tcp 0 0 :::22 :::* LISTEN -¬ 1410/sshd -tcp 0 0 :::6010 :::* LISTEN -¬ 13237/sshd -udp 0 0 0.0.0.0:32768 0.0.0.0:* -¬ 1258/rpc.statd -udp 0 0 0.0.0.0:2049 0.0.0.0:* -¬ - -udp 0 0 0.0.0.0:32770 0.0.0.0:* -¬ 1502/rpc.mountd -udp 0 0 0.0.0.0:32771 0.0.0.0:* -¬ - -udp 0 0 1.2.3.1:137 0.0.0.0:* -¬ 1751/nmbd -udp 0 0 0.0.0.0:137 0.0.0.0:* -¬ 1751/nmbd -udp 0 0 1.2.3.1:138 0.0.0.0:* -¬ 1751/nmbd -udp 0 0 0.0.0.0:138 0.0.0.0:* -¬ 1751/nmbd -udp 0 0 0.0.0.0:33044 0.0.0.0:* -¬ 30734/named -udp 0 0 1.2.3.1:53 0.0.0.0:* -¬ 30734/named -udp 0 0 127.0.0.1:53 0.0.0.0:* -¬ 30734/named -udp 0 0 0.0.0.0:67 0.0.0.0:* -¬ 1530/dhcpd -udp 0 0 0.0.0.0:67 0.0.0.0:* -¬ 1530/dhcpd -udp 0 0 0.0.0.0:32858 0.0.0.0:* -¬ 18822/(squid) -udp 0 0 0.0.0.0:4827 0.0.0.0:* -¬ 18822/(squid) -udp 0 0 0.0.0.0:111 0.0.0.0:* -¬ 1230/portmap -udp 0 0 :::53 :::* -¬ 30734/named - ------------------------------------------------------------------------------ - -13.2. 
Examples for tcpdump packet dumps - -Here some examples of captured packets are shown, perhaps useful for your own -debugging... - -...more coming next... ------------------------------------------------------------------------------ - -13.2.1. Router discovery - -13.2.1.1. Router advertisement - -15:43:49.484751 fe80::212:34ff:fe12:3450 > ff02::1: icmp6: router -¬ advertisement(chlim=64, router_ltime=30, reachable_time=0, -¬ retrans_time=0)(prefix info: AR valid_ltime=30, preffered_ltime=20, -¬ prefix=2002:0102:0304:1::/64)(prefix info: LAR valid_ltime=2592000, -¬ preffered_ltime=604800, prefix=3ffe:ffff:0:1::/64)(src lladdr: -¬ 0:12:34:12:34:50) (len 88, hlim 255) - - -Router with link-local address "fe80::212:34ff:fe12:3450" send an -advertisement to the all-node-on-link multicast address "ff02::1" containing -two prefixes "2002:0102:0304:1::/64" (lifetime 30 s) and "3ffe:ffff:0:1::/64" -(lifetime 2592000 s) including its own layer 2 MAC address "0:12:34:12:34: -50". ------------------------------------------------------------------------------ - -13.2.1.2. Router solicitation - -15:44:21.152646 fe80::212:34ff:fe12:3456 > ff02::2: icmp6: router solicitation -¬ (src lladdr: 0:12:34:12:34:56) (len 16, hlim 255) - - -Node with link-local address "fe80::212:34ff:fe12:3456" and layer 2 MAC -address "0:12:34:12:34:56" is looking for a router on-link, therefore sending -this solicitation to the all-router-on-link multicast address "ff02::2". ------------------------------------------------------------------------------ - -13.2.2. Neighbor discovery - -13.2.2.1. Neighbor discovery solicitation for duplicate address detection - -Following packets are sent by a node with layer 2 MAC address "0:12:34:12:34: -56" during autoconfiguration to check whether a potential address is already -used by another node on the link sending this to the solicited-node -link-local multicast address. 
- -  * Node wants to configure its link-local address "fe80::212:34ff:fe12: - 3456", checks for duplicate now - - -15:44:17.712338 :: > ff02::1:ff12:3456: icmp6: neighbor sol: who has -¬ fe80::212:34ff:fe12:3456(src lladdr: 0:12:34:12:34:56) (len 32, hlim 255) - - -  * Node wants to configure its global address "2002:0102:0304:1:212:34ff: - fe12:3456" (after receiving advertisement shown above), checks for - duplicate now - - -15:44:21.905596 :: > ff02::1:ff12:3456: icmp6: neighbor sol: who has -¬ 2002:0102:0304:1:212:34ff:fe12:3456(src lladdr: 0:12:34:12:34:56) (len 32, -¬ hlim 255) - - -  * Node wants to configure its global address "3ffe:ffff:0:1:212:34ff:fe12: - 3456" (after receiving advertisement shown above), checks for duplicate - now - - -15:44:22.304028 :: > ff02::1:ff12:3456: icmp6: neighbor sol: who has -¬ 3ffe:ffff:0:1:212:34ff:fe12:3456(src lladdr: 0:12:34:12:34:56) (len 32, hlim -¬ 255) - ------------------------------------------------------------------------------ - -13.2.2.2. Neighbor discovery solicitation for looking for host or gateway - -  * Node wants to send packages to "3ffe:ffff:0:1::10" but has no layer 2 MAC - address to send packet, so send solicitation now - - -13:07:47.664538 2002:0102:0304:1:2e0:18ff:fe90:9205 > ff02::1:ff00:10: icmp6: -¬ neighbor sol: who has 3ffe:ffff:0:1::10(src lladdr: 0:e0:18:90:92:5) (len 32, -¬ hlim 255) - - -  * Node looks for "fe80::10" now - - -13:11:20.870070 fe80::2e0:18ff:fe90:9205 > ff02::1:ff00:10: icmp6: neighbor -¬ sol: who has fe80::10(src lladdr: 0:e0:18:90:92:5) (len 32, hlim 255) - ------------------------------------------------------------------------------ - -Chapter 14. Support for persistent IPv6 configuration in Linux distributions - -Some Linux distribution contain already support of a persistent IPv6 -configuration using existing or new configuration and script files and some -hook in the IPv4 script files. 
------------------------------------------------------------------------------ - -14.1. Red Hat Linux and "clones" - -Since starting writing the [http://www.bieringer.de/linux/IPv6/] IPv6 & Linux -- HowTo it was my intention to enable a persistent IPv6 configuration which -catch most of the wished cases like host-only, router-only, dual-homed-host, -router with second stub network, normal tunnels, 6to4 tunnels, and so on. -Nowadays there exists a set of configuration and script files which do the -job very well (never heard about real problems, but I don't know how many use -the set). Because this configuration and script files are extended from time -to time, they got their own homepage: [http://www.deepspace6.net/projects/ -initscripts-ipv6.html] initscripts-ipv6 homepage ([http:// -mirrors.bieringer.de/www.deepspace6.net/projects/initscripts-ipv6.html] -Mirror). Because I began my IPv6 experience using a Red Hat Linux 5.0 clone, -my IPv6 development systems are mostly Red Hat Linux based now, it's kind a -logic that the scripts are developed for this kind of distribution (so called -historic issue). Also it was very easy to extend some configuration files, -create new ones and create some simple hook for calling IPv6 setup during -IPv4 setup. - -Fortunately, in Red Hat Linux since 7.1 a snapshot of my IPv6 scripts is -included, this was and is still further on assisted by Pekka Savola. - -Mandrake since version 8.0 also includes an IPv6-enabled initscript package, -but a minor bug still prevents usage ("ifconfig" misses "inet6" before -"add"). ------------------------------------------------------------------------------ - -14.1.1. Test for IPv6 support of network configuration scripts - -You can test, whether your Linux distribution contain support for persistent -IPv6 configuration using my set. 
Following script library should exist: -/etc/sysconfig/network-scripts/network-functions-ipv6 - - -Auto-magically test: -# test -f /etc/sysconfig/network-scripts/network-functions-ipv6 && echo "Main -¬ IPv6 script library exists" - - -The version of the library is important if you miss some features. You can -get it executing following (or easier look at the top of the file): -# source /etc/sysconfig/network-scripts/network-functions-ipv6 && -¬ getversion_ipv6_functions -20011124 - - -In shown example, the used version is 20011124. Check this against latest -information on [http://www.deepspace6.net/projects/initscripts-ipv6.html] -initscripts-ipv6 homepage ([http://mirrors.bieringer.de/www.deepspace6.net/ -projects/initscripts-ipv6.html] Mirror) to see what has been changed. You -will find there also a change-log. ------------------------------------------------------------------------------ - -14.1.2. Short hint for enabling IPv6 on current RHL 7.1, 7.2, 7.3, ... - -  * Check whether running system has already IPv6 module loaded - - -# modprobe -c | grep net-pf-10 -alias net-pf-10 off - - -  * If result is "off", then enable IPv6 networking by editing /etc/sysconfig - /network, add following new line - - -NETWORKING_IPV6=yes - - -  * Reboot or restart networking using - - -# service network restart - - -  * Now IPv6 module should be loaded - - -# modprobe -c | grep ipv6 -alias net-pf-10 ipv6 - - -If your system is on a link which provides router advertisement, -autoconfiguration will be done automatically. For more information which -settings are supported see /usr/share/doc/initscripts-$version/sysconfig.txt. ------------------------------------------------------------------------------ - -14.2. SuSE Linux - -In newer 7.x versions there is a really rudimentary support available, see / -etc/rc.config for details. 
- -Because of the really different configuration and script file structure it is -hard (or impossible) to use the set for Red Hat Linux and clones with this -distribution. In versions 8.x they completly change their configuration -setup. ------------------------------------------------------------------------------ - -14.2.1. SuSE Linux 7.3 - -  * [http://www.feyrer.de/IPv6/SuSE73-IPv6+6to4-setup.html] How to setup 6to4 - IPv6 with SuSE 7.3 - - ------------------------------------------------------------------------------ -14.2.2. SuSE Linux 8.0 - -14.2.2.1. IPv6 address configuration - -Edit file /etc/sysconfig/network/ifcfg- and setup following -value -IP6ADDR="/" - ------------------------------------------------------------------------------ - -14.2.2.2. Additional information - -See file /usr/share/doc/packages/sysconfig/README ------------------------------------------------------------------------------ - -14.2.3. SuSE Linux 8.1 - -14.2.3.1. IPv6 address configuration - -Edit file /etc/sysconfig/network/ifcfg- and setup following -value -IPADDR="/" - ------------------------------------------------------------------------------ - -14.2.3.2. Additional information - -See file /usr/share/doc/packages/sysconfig/Network ------------------------------------------------------------------------------ - -14.3. Debian Linux - -Following information was contributed by Stephane Bortzmeyer - - 1. Be sure that IPv6 is loaded, either because it is compiled into the - kernel or because the module is loaded. For the latest, three solutions, - adding it to /etc/modules, using the pre-up trick shown later or using - kmod (not detailed here). - - 2. Configure your interface. Here we assume eth0 and address (3ffe:ffff: - 1234:5::1:1). 
Edit /etc/network/interfaces: - - -iface eth0 inet6 static - pre-up modprobe ipv6 - address 3ffe:ffff:1234:5::1:1 - # To suppress completely autoconfiguration: - # up echo 0 > /proc/sys/net/ipv6/conf/all/autoconf - netmask 64 - # The router is autoconfigured and has no fixed address. - # It is magically - # found. (/proc/sys/net/ipv6/conf/all/accept_ra). Otherwise: - #gateway 3ffe:ffff:1234:5::1 - - -And you reboot or you just -# ifup --force eth0 - - -and you have your static address. ------------------------------------------------------------------------------ - -14.3.1. Further information - -  * [http://people.debian.org/~csmall/ipv6/] IPv6 on Debian Linux by Craig - Small - -  * Jean-Marc V. Liotier's [http://www.jipo.org/jim/ - Jims_LAN_IPv6_global_connectivity_howto.html] HOWTO for Freenet6 & Debian - Users (announced 24.12.2002 on mailinglist users@ipv6.org ) - - ------------------------------------------------------------------------------ -Chapter 15. Auto-configuration and mobility - -15.1. Stateless auto-configuration - -Is supported and seen on the assigned link-local address after an -IPv6-enabled interface is up. ------------------------------------------------------------------------------ - -15.2. Stateful auto-configuration using Router Advertisement Daemon (radvd) - -to be filled. See radvd daemon autoconfiguration below. ------------------------------------------------------------------------------ - -15.3. Dynamic Host Configuration Protocol v6 (DHCPv6) - -After a long time discussing issues, finally [http://www.faqs.org/rfcs/ -rfc3315.html] RFC 3315 / Dynamic Host Configuration Protocol for IPv6 -(DHCPv6) was finished. At time updating this part (03/2004) currently two -implementations are available: - -  * [http://klub.com.pl/dhcpv6/] http://klub.com.pl/dhcpv6/ by Tomasz - Mrugalski - -  * [http://dhcpv6.sourceforge.net/] DHCPv6 on Sourceforge - - ------------------------------------------------------------------------------ -15.4. 
Mobility - -to be filled. - -For the moment, see [http://www.mipl.mediapoli.com/] Mobile IPv6 for Linux -(MIPL) homepage for more details. Further infos can be found here (please -report broken links): - -  * [http://www.ietf.org/internet-drafts/] draft-oneill-mipv6-cao-??.txt / - MIPv6 Care of Address Option - -  * [http://www.ietf.org/internet-drafts/] - draft-mccann-mobileip-80211fh-??.txt / Mobile IPv6 Fast Handovers for - 802.11 Networks - -  * [http://www.ietf.org/internet-drafts/] - draft-haberman-ipv6-anycast-rr-??.txt / IPv6 Anycast Binding using Return - Routability - -  * [http://www.ietf.org/internet-drafts/] - draft-mun-aaa-localkm-mobileipv6-??.txt / Localized Key Management for - AAA in MobileIPv6 - -  * [http://www.ietf.org/internet-drafts/] - draft-thubert-nemo-ro-taxonomy-??.txt / Taxonomy of Route Optimization - Models in the NEMO Context - -  * [http://www.ietf.org/internet-drafts/] - draft-le-aaa-diameter-mobileipv6-??.txt / Diameter Mobile IPv6 - Application - -  * [http://www.ietf.org/internet-drafts/] - draft-wakikawa-manet-globalv6-??.txt / Global Connectivity for IPv6 - Mobile Ad Hoc Networks - -  * [http://www.ietf.org/internet-drafts/] - draft-ietf-mobileip-fast-mipv6-??.txt / Fast Handovers for Mobile IPv6 - -  * [http://www.ietf.org/internet-drafts/] draft-ietf-mobileip-ipv6-??.txt / - Mobility Support in IPv6 - -  * [http://www.ietf.org/internet-drafts/] - draft-ohnishi-mobileip-v6vpngateway-??.txt / Mobile IPv6 VPN using - Gateway Home Agent - -  * [http://www.ietf.org/internet-drafts/] draft-ietf-mobileip-hmipv6-??.txt - / Hierarchical MIPv6 mobility management (HMIPv6) - -  * [http://www.ietf.org/internet-drafts/] draft-mkhalil-ipv6-fastra-??.txt / - IPv6 Fast Router Advertisement - -  * [http://www.ietf.org/internet-drafts/] draft-okazaki-mobileip-abk-??.txt - / Securing MIPv6 Binding Updates Using Address Based Keys (ABKs) - -  * [http://www.ietf.org/internet-drafts/] draft-vriz-mobileip-hbhlmap-??.txt - / Hop-by-Hop Local 
Mobility Agents Probing for Mobile IPv6 - -  * [http://www.ietf.org/internet-drafts/] - draft-thubert-nemo-reverse-routing-header-??.txt / IPv6 Reverse Routing - Header and its application to Mobile Networks - -  * [http://www.ietf.org/internet-drafts/] - draft-ietf-mobileip-mipv6-ha-ipsec-??.txt / Using IPsec to Protect Mobile - IPv6 Signaling between Mobile Nodes and Home Agents - -  * [http://www.ietf.org/internet-drafts/] draft-suh-rmm-??.txt / Regional - Mobile IPv6 mobility management - -  * [http://www.ietf.org/internet-drafts/] - draft-mccann-mobileip-ipv6mipv4-??.txt / IPv6 over Mobile IPv4 - -  * [http://www.ietf.org/internet-drafts/] - draft-kempf-mobileip-fmipv6-sem-??.txt / Improving the Architectural - Alignment for FMIPv6 - -  * [http://www.ietf.org/internet-drafts/] - draft-le-aaa-mipv6-requirements-??.txt / Mobile IPv6 Authentication, - Authorization, and Accounting Requirements - -  * [http://www.ietf.org/internet-drafts/] draft-hwang-rohc-mipv6-??.txt / - RObust Header Compression (ROHC): A Compression Profile for Mobile IPv6 - -  * [http://comet.ctr.columbia.edu/cellularip/] Cellular IP on Columbia - University, USA - -  * [http://www.computer.org/internet/v2n1/perkins.htm] Mobile Networking - Through Mobile IP by Charles E. Perkins, Sun Microsystems - -  * [http://www.cs-ipv6.lancs.ac.uk/ipv6/MobileIP/] LANCASTER MOBILE IPv6 - PACKAGE - -  * [http://gsyc.escet.urjc.es/Mobiquo/Mind/documentacion/ - MontajeMaquetaIPv6_en/MontajeMaquetaIPv6_en.html] Testbed for MIND - project on IPv6 - -  * [http://hs247.com/modules.php?name=Web_Links&l_op=viewlink&cid=16] HS247/ - Mobile IP Web Links - -  * [http://www.piuha.net/~jarkko/publications/mipv6/MIPv6-Issues.html] - Mobile IPv6 Issue List - - ------------------------------------------------------------------------------ -Chapter 16. Firewalling - -IPv6 firewalling is important, especially if using IPv6 on internal networks -with global IPv6 addresses. 
Because unlike at IPv4 networks where in common -internal hosts are protected automatically using private IPv4 addresses like -[http://www.faqs.org/rfcs/rfc1918.html] RFC 1918 / Address Allocation for -Private Internets or Automatic Private IP Addressing (APIPA)[http:// -www.google.com/search?q=apipa+microsoft] Google search for Microsoft + APIPA, -in IPv6 normally global addresses are used and someone with IPv6 connectivity -can reach all internal IPv6 enabled nodes. ------------------------------------------------------------------------------ - -16.1. Firewalling using netfilter6 - -Native IPv6 firewalling is only supported in kernel versions 2.4+. In older -2.2- you can only filter IPv6-in-IPv4 by protocol 41. - -Attention: no warranty that described rules or examples can really protect -your system! - -Audit your ruleset after installation, see Section 17.3 for more. - -Note also that the USAGI project is currently working on finishing the -connection tracking for IPv6! This will make ruleset easier and more secure -in the future! ------------------------------------------------------------------------------ - -16.1.1. More information - -  * [http://www.netfilter.org/] Netfilter project - -  * [http://lists.samba.org/pipermail/netfilter/] maillist archive of - netfilter users - -  * [http://lists.samba.org/pipermail/netfilter-devel/] maillist archive of - netfilter developers - -  * [http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-kernel.html# - netfilter6 ] Unofficial status informations - - ------------------------------------------------------------------------------ -16.2. Preparation - -16.2.1. 
Get sources - -Get the latest kernel source: [http://www.kernel.org/] http://www.kernel.org/ - -Get the latest iptables package: - -  * Source tarball (for kernel patches): [http://www.netfilter.org/] http:// - www.netfilter.org/ - -  * Source RPM for rebuild of binary (for RedHat systems): [ftp:// - ftp.redhat.com/redhat/linux/rawhide/SRPMS/SRPMS/] ftp://ftp.redhat.com/ - redhat/linux/rawhide/SRPMS/SRPMS/ or perhaps also at [http:// - www.netcore.fi/pekkas/linux/ipv6/ ] http://www.netcore.fi/pekkas/linux/ - ipv6/ - - ------------------------------------------------------------------------------ -16.2.2. Extract sources - -Change to source directory: -# cd /path/to/src - - -Unpack and rename kernel sources -# tar z|jxf kernel-version.tar.gz|bz2 -# mv linux linux-version-iptables-version+IPv6 - - -Unpack iptables sources -# tar z|jxf iptables-version.tar.gz|bz2 - ------------------------------------------------------------------------------ - -16.2.3. Apply latest iptables/IPv6-related patches to kernel source - -Change to iptables directory -# cd iptables-version - - -Apply pending patches -# make pending-patches KERNEL_DIR=/path/to/src/linux-version-iptables-version/ - - -Apply additional IPv6 related patches (still not in the vanilla kernel -included) -# make patch-o-matic KERNEL_DIR=/path/to/src/linux-version-iptables-version/ - - -Say yes at following options (iptables-1.2.2) - -  * ah-esp.patch - -  * masq-dynaddr.patch (only needed for systems with dynamic IP assigned WAN - connections like PPP or PPPoE) - -  * ipv6-agr.patch.ipv6 - -  * ipv6-ports.patch.ipv6 - -  * LOG.patch.ipv6 - -  * REJECT.patch.ipv6 - - -Check IPv6 extensions -# make print-extensions -Extensions found: IPv6:owner IPv6:limit IPv6:mac IPv6:multiport - ------------------------------------------------------------------------------ - -16.2.4. 
Configure, build and install new kernel - -Change to kernel sources -# cd /path/to/src/linux-version-iptables-version/ - - -Edit Makefile -- EXTRAVERSION = -+ EXTRAVERSION = -iptables-version+IPv6-try - - -Run configure, enable IPv6 related - Code maturity level options - Prompt for development and/or incomplete code/drivers : yes - Networking options - Network packet filtering: yes - The IPv6 protocol: module - IPv6: Netfilter Configuration - IP6 tables support: module - All new options like following: - limit match support: module - MAC address match support: module - Multiple port match support: module - Owner match support: module - netfilter MARK match support: module - Aggregated address check: module - Packet filtering: module - REJECT target support: module - LOG target support: module - Packet mangling: module - MARK target support: module - - -Configure other related to your system, too - -Compilation and installing: see the kernel section here and other HOWTOs ------------------------------------------------------------------------------ - -16.2.5. Rebuild and install binaries of iptables - -Make sure, that upper kernel source tree is also available at /usr/src/linux/ - -Rename older directory -# mv /usr/src/linux /usr/src/linux.old - - -Create a new softlink -# ln -s /path/to/src/linux-version-iptables-version /usr/src/linux - - -Rebuild SRPMS -# rpm --rebuild /path/to/SRPMS/iptables-version-release.src.rpm - - -Install new iptables packages (iptables + iptables-ipv6) - -  * On RH 7.1 systems, normally, already an older version is installed, - therefore use "freshen" - - -# rpm -Fhv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm - - -  * If not already installed, use "install" - - -# rpm -ihv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm - - -  * On RH 6.2 systems, normally, no kernel 2.4.x is installed, therefore the - requirements don't fit. 
Use "--nodeps" to install it - - -# rpm -ihv --nodeps /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm - - -Perhaps it's necessary to create a softlink for iptables libraries where -iptables looks for them -# ln -s /lib/iptables/ /usr/lib/iptables - ------------------------------------------------------------------------------ - -16.3. Usage - -16.3.1. Check for support - -Load module, if so compiled -# modprobe ip6_tables - - -Check for capability -# [ ! -f /proc/net/ip6_tables_names ] && echo "Current kernel doesn't support -¬ 'ip6tables' firewalling (IPv6)!" - ------------------------------------------------------------------------------ - -16.3.2. Learn how to use ip6tables - -16.3.2.1. List all IPv6 netfilter entries - -  * Short - - -# ip6tables -L - - -  * Extended - - -# ip6tables -n -v --line-numbers -L - ------------------------------------------------------------------------------ - -16.3.2.2. List specified filter - -# ip6tables -n -v --line-numbers -L INPUT - ------------------------------------------------------------------------------ - -16.3.2.3. Insert a log rule at the input filter with options - -# ip6tables --table filter --append INPUT -j LOG --log-prefix "INPUT:" -¬ --log-level 7 - ------------------------------------------------------------------------------ - -16.3.2.4. Insert a drop rule at the input filter - -# ip6tables --table filter --append INPUT -j DROP - ------------------------------------------------------------------------------ - -16.3.2.5. Delete a rule by number - -# ip6tables --table filter --delete INPUT 1 - ------------------------------------------------------------------------------ - -16.3.2.6. 
Allow ICMPv6 - -Using older kernels (unpatched kernel 2.4.5 and iptables-1.2.2) no type can -be specified - -  * Accept incoming ICMPv6 through tunnels - - -# ip6tables -A INPUT -i sit+ -p icmpv6 -j ACCEPT - - -  * Allow outgoing ICMPv6 through tunnels - - -# ip6tables -A OUTPUT -o sit+ -p icmpv6 -j ACCEPT - - -Newer kernels allow specifying of ICMPv6 types: -# ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT - ------------------------------------------------------------------------------ - -16.3.2.7. Rate-limiting - -Because it can happen (author already saw it to times) that an ICMPv6 storm -will raise up, you should use available rate limiting for at least ICMPv6 -ruleset. In addition logging rules should also get rate limiting to prevent -DoS attacks against syslog and storage of log file partition. An example for -a rate limited ICMPv6 looks like: -# ip6tables -A INPUT --protocol icmpv6 --icmpv6-type echo-request -¬ -j ACCEPT --match limit --limit 30/minute - ------------------------------------------------------------------------------ - -16.3.2.8. Allow incoming SSH - -Here an example is shown for a ruleset which allows incoming SSH connection -from a specified IPv6 address - -  * Allow incoming SSH from 3ffe:ffff:100::1/128 - - -# ip6tables -A INPUT -i sit+ -p tcp -s 3ffe:ffff:100::1/128 --sport 512:65535 -¬ --dport 22 -j ACCEPT - - -  * Allow response packets (at the moment IPv6 connection tracking isn't in - mainstream netfilter6 implemented) - - -# ip6tables -A OUTPUT -o sit+ -p tcp -d 3ffe:ffff:100::1/128 --dport 512:65535 -¬ --sport 22 ! --syn j ACCEPT - ------------------------------------------------------------------------------ - -16.3.2.9. 
Enable tunneled IPv6-in-IPv4 - -To accept tunneled IPv6-in-IPv4 packets, you have to insert rules in your -IPv4 firewall setup relating to such packets, for example - -  * Accept incoming IPv6-in-IPv4 on interface ppp0 - - -# iptables -A INPUT -i ppp0 -p ipv6 -j ACCEPT - - -  * Allow outgoing IPv6-in-IPv4 to interface ppp0 - - -# iptables -A OUTPUT -o ppp0 -p ipv6 -j ACCEPT - - -If you have only a static tunnel, you can specify the IPv4 addresses, too, -like - -  * Accept incoming IPv6-in-IPv4 on interface ppp0 from tunnel endpoint - 1.2.3.4 - - -# iptables -A INPUT -i ppp0 -p ipv6 -s 1.2.3.4 -j ACCEPT - - -  * Allow outgoing IPv6-in-IPv4 to interface ppp0 to tunnel endpoint 1.2.3.4 - - -# iptables -A OUTPUT -o ppp0 -p ipv6 -d 1.2.3.4 -j ACCEPT - ------------------------------------------------------------------------------ - -16.3.2.10. Protection against incoming TCP connection requests - -VERY RECOMMENDED! For security issues you should really insert a rule which -blocks incoming TCP connection requests. Adapt "-i" option, if other -interface names are in use! - -  * Block incoming TCP connection requests to this host - - -# ip6tables -I INPUT -i sit+ -p tcp --syn -j DROP - - -  * Block incoming TCP connection requests to hosts behind this router - - -# ip6tables -I FORWARD -i sit+ -p tcp --syn -j DROP - - -Perhaps the rules have to be placed below others, but that is work you have -to think about it. Best way is to create a script and execute rules in a -specified way. ------------------------------------------------------------------------------ - -16.3.2.11. Protection against incoming UDP connection requests - -ALSO RECOMMENDED! Like mentioned on my firewall information it's possible to -control the ports on outgoing UDP/TCP sessions. So if all of your local IPv6 -systems are using local ports e.g. 
from 32768 to 60999 you are able to filter -UDP connections also (until connection tracking works) like: - -  * Block incoming UDP packets which cannot be responses of outgoing requests - of this host - - -# ip6tables -I INPUT -i sit+ -p udp ! --dport 32768:60999 -j DROP - - -  * Block incoming UDP packets which cannot be responses of forwarded - requests of hosts behind this router - - -# ip6tables -I FORWARD -i sit+ -p udp ! --dport 32768:60999 -j DROP - ------------------------------------------------------------------------------ - -16.3.3. Demonstration example - -Following lines show a more sophisticated setup as an example. Happy -netfilter6 ruleset creation.... -# ip6tables -n -v -L -Chain INPUT (policy DROP 0 packets, 0 bytes) - pkts bytes target prot opt in out source destination - 0 0 extIN all sit+ * ::/0 ::/0 - 4 384 intIN all eth0 * ::/0 ::/0 - 0 0 ACCEPT all * * ::1/128 ::1/128 - 0 0 ACCEPT all lo * ::/0 ::/0 - 0 0 LOG all * * ::/0 ::/0 -¬ LOG flags 0 level 7 prefix `INPUT-default:' - 0 0 DROP all * * ::/0 ::/0 - -Chain FORWARD (policy DROP 0 packets, 0 bytes) - pkts bytes target prot opt in out source destination -¬ - 0 0 int2ext all eth0 sit+ ::/0 ::/0 - 0 0 ext2int all sit+ eth0 ::/0 ::/0 - 0 0 LOG all * * ::/0 ::/0 -¬ LOG flags 0 level 7 prefix `FORWARD-default:' - 0 0 DROP all * * ::/0 ::/0 - -Chain OUTPUT (policy DROP 0 packets, 0 bytes) - pkts bytes target prot opt in out source destination -¬ - 0 0 extOUT all * sit+ ::/0 ::/0 - 4 384 intOUT all * eth0 ::/0 ::/0 - 0 0 ACCEPT all * * ::1/128 ::1/128 - 0 0 ACCEPT all * lo ::/0 ::/0 - 0 0 LOG all * * ::/0 ::/0 -¬ LOG flags 0 level 7 prefix `OUTPUT-default:' - 0 0 DROP all * * ::/0 ::/0 - -Chain ext2int (1 references) - pkts bytes target prot opt in out source destination -¬ - 0 0 ACCEPT icmpv6 * * ::/0 ::/0 - 0 0 ACCEPT tcp * * ::/0 ::/0 -¬ tcp spts:1:65535 dpts:1024:65535 flags:!0x16/0x02 - 0 0 LOG all * * ::/0 ::/0 -¬ LOG flags 0 level 7 prefix `ext2int-default:' - 0 0 DROP tcp * * ::/0 ::/0 - 
0 0 DROP udp * * ::/0 ::/0 - 0 0 DROP all * * ::/0 ::/0 - -Chain extIN (1 references) - pkts bytes target prot opt in out source destination -¬ - 0 0 ACCEPT tcp * * 3ffe:400:100::1/128 ::/0 -¬ tcp spts:512:65535 dpt:22 - 0 0 ACCEPT tcp * * 3ffe:400:100::2/128 ::/0 -¬ tcp spts:512:65535 dpt:22 - 0 0 ACCEPT icmpv6 * * ::/0 ::/0 - 0 0 ACCEPT tcp * * ::/0 ::/0 -¬ tcp spts:1:65535 dpts:1024:65535 flags:!0x16/0x02 - 0 0 ACCEPT udp * * ::/0 ::/0 -¬ udp spts:1:65535 dpts:1024:65535 - 0 0 LOG all * * ::/0 ::/0 -¬ limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `extIN-default:' - 0 0 DROP all * * ::/0 ::/0 - -Chain extOUT (1 references) - pkts bytes target prot opt in out source destination -¬ - 0 0 ACCEPT tcp * * ::/0 -¬ 3ffe:ffff:100::1/128tcp spt:22 dpts:512:65535 flags:!0x16/0x02 - 0 0 ACCEPT tcp * * ::/0 -¬ 3ffe:ffff:100::2/128tcp spt:22 dpts:512:65535 flags:!0x16/0x02 - 0 0 ACCEPT icmpv6 * * ::/0 ::/0 - 0 0 ACCEPT tcp * * ::/0 ::/0 -¬ tcp spts:1024:65535 dpts:1:65535 - 0 0 ACCEPT udp * * ::/0 ::/0 -¬ udp spts:1024:65535 dpts:1:65535 - 0 0 LOG all * * ::/0 ::/0 -¬ LOG flags 0 level 7 prefix `extOUT-default:' - 0 0 DROP all * * ::/0 ::/0 - -Chain int2ext (1 references) - pkts bytes target prot opt in out source destination -¬ - 0 0 ACCEPT icmpv6 * * ::/0 ::/0 - 0 0 ACCEPT tcp * * ::/0 ::/0 -¬ tcp spts:1024:65535 dpts:1:65535 - 0 0 LOG all * * ::/0 ::/0 -¬ LOG flags 0 level 7 prefix `int2ext:' - 0 0 DROP all * * ::/0 ::/0 - 0 0 LOG all * * ::/0 ::/0 -¬ LOG flags 0 level 7 prefix `int2ext-default:' - 0 0 DROP tcp * * ::/0 ::/0 - 0 0 DROP udp * * ::/0 ::/0 - 0 0 DROP all * * ::/0 ::/0 - -Chain intIN (1 references) - pkts bytes target prot opt in out source destination -¬ - 0 0 ACCEPT all * * ::/0 -¬ fe80::/ffc0:: - 4 384 ACCEPT all * * ::/0 ff02::/16 - -Chain intOUT (1 references) - pkts bytes target prot opt in out source destination -¬ - 0 0 ACCEPT all * * ::/0 -¬ fe80::/ffc0:: - 4 384 ACCEPT all * * ::/0 ff02::/16 - 0 0 LOG all * * ::/0 ::/0 -¬ LOG flags 0 level 7 
prefix `intOUT-default:' - 0 0 DROP all * * ::/0 ::/0 - ------------------------------------------------------------------------------ - -Chapter 17. Security - -17.1. Node security - -It's very recommended to apply all available patches and disable all not -necessary services. Also bind services to the needed IPv4/IPv6 addresses only -and install local firewalling. - -More to be filled... ------------------------------------------------------------------------------ - -17.2. Access limitations - -Many services uses the tcp_wrapper library for access control. Below is -described the use of tcp_wrapper. - -More to be filled... ------------------------------------------------------------------------------ - -17.3. IPv6 security auditing - -Currently there are no comfortable tools out which are able to check a system -over network for IPv6 security issues. Neither [http://www.nessus.org/] -Nessus nor any commercial security scanner is as far as I know able to scan -IPv6 addresses. ------------------------------------------------------------------------------ - -17.3.1. Legal issues - -ATTENTION: always take care that you only scan your own systems or after -receiving a written order, otherwise legal issues are able to come up to you. -CHECK destination IPv6 addresses TWICE before starting a scan. ------------------------------------------------------------------------------ - -17.3.2. Security auditing using IPv6-enabled netcat - -With the IPv6-enabled netcat (see [http://www.bieringer.de/linux/IPv6/status/ -IPv6+Linux-status-apps.html#security-auditing] IPv6+Linux-status-apps/ -security-auditing for more) you can run a portscan by wrapping a script -around which run through a port range, grab banners and so on. Usage example: -# nc6 ::1 daytime -13 JUL 2002 11:22:22 CEST - ------------------------------------------------------------------------------ - -17.3.3. 
Security auditing using IPv6-enabled nmap - -[http://www.insecure.org/nmap/] NMap, one of the best portscaner around the -world, supports IPv6 since version 3.10ALPHA1. Usage example: -# nmap -6 -sT ::1 -Starting nmap V. 3.10ALPHA3 ( www.insecure.org/nmap/ ) -Interesting ports on localhost6 (::1): -(The 1600 ports scanned but not shown below are in state: closed) -Port State Service -22/tcp open ssh -53/tcp open domain -515/tcp open printer -2401/tcp open cvspserver -Nmap run completed -- 1 IP address (1 host up) scanned in 0.525 seconds - ------------------------------------------------------------------------------ - -17.3.4. Security auditing using IPv6-enabled strobe - -Strobe is a (compared to NMap) more a low budget portscanner, but there is an -IPv6-enabling patch available (see [http://www.bieringer.de/linux/IPv6/status -/IPv6+Linux-status-apps.html#security-auditing] IPv6+Linux-status-apps/ -security-auditing for more). Usage example: -# ./strobe ::1 strobe 1.05 (c) 1995-1999 Julian Assange . -::1 2401 unassigned unknown -::1 22 ssh Secure Shell - RSA encrypted rsh -::1 515 printer spooler (lpd) -::1 6010 unassigned unknown -::1 53 domain Domain Name Server - - -Note: strobe isn't really developed further on, the shown version number -isn't the right one. ------------------------------------------------------------------------------ - -17.3.5. Audit results - -If the result of an audit mismatch your IPv6 security policy, use IPv6 -firewalling to close the holes, e.g. using netfilter6 (see Firewalling/ -Netfilter6 for more). 
- -Info: More detailed information concerning IPv6 Security can be found here: - -  * [http://www.ietf.org/internet-drafts/] Firewalling Considerations for - IPv6 / draft-savola-v6ops-firewalling-??.txt - -  * [http://www.ietf.org/internet-drafts/] IPv6 Neighbour Discovery trust - models and threats / draft-ietf-send-psreq-??.txt - -  * [http://www.ietf.org/internet-drafts/] Security Considerations for 6to4 / - draft-savola-v6ops-6to4-security-??.txt - -  * [http://www.ietf.org/internet-drafts/] Access Control Prefix Router - Advertisement Option for IPv6 / draft-bellovin-ipv6-accessprefix-??.txt - -  * [http://www.ietf.org/internet-drafts/] Requirements for Plug and Play - IPsec for IPv6 applications / - draft-kobayakawa-ipsec-ipv6-pnpipsec-reqts-??.txt - -  * [http://www.ietf.org/internet-drafts/] Security of IPv6 Routing Header - and Home Address Options / draft-savola-ipv6-rh-ha-security-??.txt - - ------------------------------------------------------------------------------ -Chapter 18. Encryption and Authentication - -Unlike in IPv4 encryption and authentication is a mandatory feature of IPv6. -This features are normally implemented using IPsec (which can be also used by -IPv4). - -But because of the independence of encryption and authentication from the key -exchange protocol there exists currently some interoperability problems -regarding this issue. ------------------------------------------------------------------------------ - -18.1. Support in kernel - -18.1.1. Support in vanilla Linux kernel 2.4.x - -Currently missing in vanilla 2.4. There is an issue about keeping the Linux -kernel source free of export/import-control-laws regarding encryption code. -This is also one case why [http://www.freeswan.org/] FreeS/WAN project (IPv4 -only IPsec) isn't still contained in vanilla source. ------------------------------------------------------------------------------ - -18.1.2. 
Support in USAGI kernel - -The USAGI project has taken over in July 2001 the IPv6 enabled FreeS/WAN code -from the [http://www.ipv6.iabg.de/downloadframe/] IABG / IPv6 Project and -included in their kernel extensions. Nowadays they are working on -implementing IPsec into 2.5.x series. ------------------------------------------------------------------------------ - -18.1.3. Support in vanilla Linux kernel 2.5.x - -Currently, the IPsec extensions of the USAGI kernel are on the way being -migrated into 2.5.x developer kernels. ------------------------------------------------------------------------------ - -18.2. Usage - -In difference to FreeS/WAN, in IPsec of 2.5.x the IKE daemon "racoon" (taken -from KAME) is used instead of "pluto" of FreeS/WAN. It has a different -configuration syntax than "pluto", note also that the IPsec setup is splitted -into 2 parts (IKE and topology setup). Until some documentation is filled -here, take a look at [http://lartc.org/howto/lartc.ipsec.html] Linux Advanced -Routing & Traffic Control HOWTO / IPSEC. ------------------------------------------------------------------------------ - -Chapter 19. Quality of Service (QoS) - -IPv6 supports QoS with use of Flow Labels and Traffic Classes. This can be -controlled using "tc" (contained in package "iproute"). - -Additional infos: - -  * [http://www.ietf.org/internet-drafts/draft-ietf-ipv6-flow-label-03.txt] - IPv6 Flow Label Specification - - -more to be filled... ------------------------------------------------------------------------------ - -Chapter 20. Hints for IPv6-enabled daemons - -Here some hints are shown for IPv6-enabled daemons. ------------------------------------------------------------------------------ - -20.1. Berkeley Internet Name Daemon BIND (named) - -IPv6 is supported since version 9. Always use newest available version. At -least version 9.1.3 must be used, older versions can contain remote -exploitable security holes. 
------------------------------------------------------------------------------ - -20.1.1. Listening on IPv6 addresses - -Note: unlike in IPv4 current versions doesn't allow to bind a server socket -to dedicated IPv6 addresses, so only any or none are valid. Because this can -be a security issue, check the Access Control List (ACL) section below, too! ------------------------------------------------------------------------------ - -20.1.1.1. Enable BIND named for listening on IPv6 address - -To enable IPv6 for listening, following options are requested to change -options { - # sure other options here, too - listen-on-v6 { any; }; -}; - - -This should result after restart in e.g. -# netstat -lnptu |grep "named\W*$" -tcp 0 0 :::53 :::* LISTEN 1234/named -¬ # incoming TCP requests -udp 0 0 1.2.3.4:53 0.0.0.0:* 1234/named -¬ # incoming UDP requests to IPv4 1.2.3.4 -udp 0 0 127.0.0.1:53 0.0.0.0:* 1234/named -¬ # incoming UDP requests to IPv4 localhost -udp 0 0 0.0.0.0:32868 0.0.0.0:* 1234/named -¬ # dynamic chosen port for outgoing queries -udp 0 0 :::53 :::* 1234/named -¬ # incoming UDP request to any IPv6 - - -And a simple test looks like -# dig localhost @::1 - - -and should show you a result. ------------------------------------------------------------------------------ - -20.1.1.2. Disable BIND named for listening on IPv6 address - -To disable IPv6 for listening, following options are requested to change -options { - # sure other options here, too - listen-on-v6 { none; }; -}; - ------------------------------------------------------------------------------ - -20.1.2. IPv6 enabled Access Control Lists (ACL) - -IPv6 enabled ACLs are possible and should be used whenever it's possible. An -example looks like following: -acl internal-net { - 127.0.0.1; - 1.2.3.0/24; - 3ffe:ffff:100::/56; - ::1/128; - ::ffff:1.2.3.4/128; -}; -acl ns-internal-net { - 1.2.3.4; - 1.2.3.5; - 3ffe:ffff:100::4/128; - 3ffe:ffff:100::5/128; -}; - - -This ACLs can be used e.g. 
for queries of clients and transfer zones to -secondary name-servers. This prevents also your caching name-server to be -used from outside using IPv6. -options { - # sure other options here, too - listen-on-v6 { none; }; - allow-query { internal-net; }; - allow-transfer { ns-internal-net; }; -}; - - -It's also possible to set the allow-query and allow-transfer option for most -of single zone definitions, too. ------------------------------------------------------------------------------ - -20.1.3. Sending queries with dedicated IPv6 address - -This option is not required, but perhaps needed: -query-source-v6 address port ; - ------------------------------------------------------------------------------ - -20.1.4. Per zone defined dedicated IPv6 addresses - -It's also possible to define per zone some IPv6 addresses. ------------------------------------------------------------------------------ - -20.1.4.1. Transfer source address - -Transfer source address is used for outgoing zone transfers: -transfer-source-v6 [port port]; - ------------------------------------------------------------------------------ - -20.1.4.2. Notify source address - -Notify source address is used for outgoing notify messages: -notify-source-v6 [port port]; - ------------------------------------------------------------------------------ - -20.1.5. IPv6 DNS zone files examples - -Some information can be also found at [http://www.isi.edu/~bmanning/ -v6DNS.html] IPv6 DNS Setup Information (article). Perhaps also helpful is the -[http://tools.fpsn.net/ipv6-inaddr/] IPv6 Reverse DNS zone builder for BIND 8 -/9 (webtool). ------------------------------------------------------------------------------ - -20.1.6. 
Serving IPv6 related DNS data - -For IPv6 new types and root zones for reverse lookups are defined: - -  * AAAA and reverse IP6.INT: specified in [http://www.faqs.org/rfcs/ - rfc1886.html] RFC 1886 / DNS Extensions to support IP version 6, usable - since BIND version 4.9.6 - -  * A6, DNAME (DEPRECATED NOW!) and reverse IP6.ARPA: specified in [http:// - www.faqs.org/rfcs/rfc2874.html] RFC 2874 / DNS Extensions to Support IPv6 - Address Aggregation and Renumbering, usable since BIND 9, but see also an - information about the current state at [http://www.ietf.org/ - internet-drafts/] draft-ietf-dnsext-ipv6-addresses-00.txt - - -Perhaps filled later more content, for the meantime take a look at given RFCs -and - -  * AAAA and reverse IP6.INT: [http://www.isi.edu/~bmanning/v6DNS.html] IPv6 - DNS Setup Information - -  * A6, DNAME (DEPRECATED NOW!) and reverse IP6.ARPA: take a look into - chapter 4 and 6 of the BIND 9 Administrator Reference Manual (ARM) - distributed which the bind-package or get this here: [http:// - www.nominum.com/content/documents/bind9arm.pdf] BIND version 9 ARM (PDF) - - -Because IP6.INT is deprecated (but still in use), a DNS server which will -support IPv6 information has to serve both reverse zones. ------------------------------------------------------------------------------ - -20.1.6.1. Current best practice - -Because there are some troubles around using the new formats, current best -practice is: - -Forward lookup support: - -  * AAAA - - -Reverse lookup support: - -  * Reverse nibble format for zone ip6.int (FOR BACKWARD COMPATIBILITY) - -  * Reverse nibble format for zone ip6.arpa (RECOMMENDED) - - ------------------------------------------------------------------------------ -20.1.7. Checking IPv6-enabled connect - -To check, whether BIND is listening on an IPv6 socket and serving data see -following examples. ------------------------------------------------------------------------------ - -20.1.7.1. 
IPv6 connect, but denied by ACL - -Specifying a dedicated server for the query, an IPv6 connect can be forced: -$ host -t aaaa www.6bone.net 3ffe:ffff:200:f101::1 -Using domain server: -Name: 3ffe:ffff:200:f101::1 -Address: 3ffe:ffff:200:f101::1#53 -Aliases: -Host www.6bone.net. not found: 5(REFUSED) - - -Related log entry looks like following: -Jan 3 12:43:32 gate named[12347]: client -¬ 3ffe:ffff:200:f101:212:34ff:fe12:3456#32770: - query denied - - -If you see such entries in the log, check whether requests from this client -should be allowed and perhaps review your ACL configuration. ------------------------------------------------------------------------------ - -20.1.7.2. Successful IPv6 connect - -A successful IPv6 connect looks like following: -$ host -t aaaa www.6bone.net 3ffe:ffff:200:f101::1 -Using domain server: -Name: 3ffe:ffff:200:f101::1 -Address: 3ffe:ffff:200:f101::1#53 -Aliases: -www.6bone.net. is an alias for 6bone.net. -6bone.net. has AAAA address 3ffe:b00:c18:1::10 - ------------------------------------------------------------------------------ - -20.2. Internet super daemon (xinetd) - -IPv6 is supported since [http://www.xinetd.org/] xinetd version around 1.8.9. -Always use newest available version. At least version 2.3.3 must be used, -older versions can contain remote exploitable security holes. - -Some Linux distribution contain an extra package for the IPv6 enabled xinetd, -some others start the IPv6-enabled xinetd if following variable is set: -NETWORKING_IPV6="yes", mostly done by /etc/sysconfig/network (only valid for -Red Hat like distributions). In newer releases, one binary supports IPv4 and -IPv6. - -If you enable a built-in service like e.g. 
daytime by modifying the -configuration file in /etc/xinetd.d/daytime like -# diff -u /etc/xinetd.d/daytime.orig /etc/xinetd.d/daytime ---- /etc/xinetd.d/daytime.orig Sun Dec 16 19:00:14 2001 -+++ /etc/xinetd.d/daytime Sun Dec 16 19:00:22 2001 -@@ -10,5 +10,5 @@ - protocol = tcp - user = root - wait = no -- disable = yes -+ disable = no - } - - -After restarting the xinetd you should get a positive result like: -# netstat -lnptu -A inet6 |grep "xinetd*" -tcp 0 0 ::ffff:192.168.1.1:993 :::* LISTEN 12345/xinetd-ipv6 -tcp 0 0 :::13 :::* LISTEN 12345/xinetd-ipv6 <- service -¬ daytime/tcp -tcp 0 0 ::ffff:192.168.1.1:143 :::* LISTEN 12345/xinetd-ipv6 - - -Shown example also displays an IMAP and IMAP-SSL IPv4-only listening xinetd. - -Note: earlier versions had a problem that an IPv4-only xinetd won't start on -an IPv6-enabled node and also the IPv6-enabled xinetd won't start on an -IPv4-only node. This is known to be fixed in later versions, at least version -2.3.11. ------------------------------------------------------------------------------ - -20.3. Webserver Apache2 (httpd2) - -Apache web server supports IPv6 native by maintainers since 2.0.14. Available -patches for the older 1.3.x series are not current and shouldn't be used in -public environment, but available at [ftp://ftp.kame.net/pub/kame/misc/] KAME -/ Misc. ------------------------------------------------------------------------------ - -20.3.1. Listening on IPv6 addresses - -Note: virtual hosts on IPv6 addresses are broken in versions until 2.0.28 (a -patch is available for 2.0.28). But always try latest available version first -because earlier versions had some security issues. ------------------------------------------------------------------------------ - -20.3.1.1. 
Virtual host listen on an IPv6 address only - -Listen [3ffe:ffff:100::1]:80 - - ServerName ipv6only.yourdomain.yourtopleveldomain - # ...sure more config lines - - ------------------------------------------------------------------------------ - -20.3.1.2. Virtual host listen on an IPv6 and on an IPv4 address - -Listen [3ffe:ffff:100::2]:80 -Listen 1.2.3.4:80 - - ServerName ipv6andipv4.yourdomain.yourtopleveldomain - # ...sure more config lines - - - -This should result after restart in e.g. -# netstat -lnptu |grep "httpd2\W*$" -tcp 0 0 1.2.3.4:80 0.0.0.0:* LISTEN 12345/httpd2 -tcp 0 0 3ffe:ffff:100::1:80 :::* LISTEN 12345/httpd2 -tcp 0 0 3ffe:ffff:100::2:80 :::* LISTEN 12345/httpd2 - - -For simple tests use the telnet example already shown. ------------------------------------------------------------------------------ - -20.3.1.3. Additional notes - -  * Apache2 supports a method called "sendfile" to speedup serving data. Some - NIC drivers also support offline checksumming. In some cases, this can - lead to connection problems and invalid TCP checksums. In this cases, - disable "sendfile" either by recompiling using configure option - "--without-sendfile" or by using the "EnableSendfile off" directive in - configuration file. - - ------------------------------------------------------------------------------ -20.4. Router Advertisement Daemon (radvd) - -The router advertisement daemon is very useful on a LAN, if clients should be -auto-configured. The daemon itself should run on the Linux default IPv6 -gateway router (it's not required that this is also the default IPv4 gateway, -so pay attention who on your LAN is sending router advertisements). - -You can specify some information and flags which should be contained in the -advertisement. 
Common used are - -  * Prefix (needed) - -  * Lifetime of the prefix - -  * Frequency of sending advertisements (optional) - - -After a proper configuration, the daemon sends advertisements through -specified interfaces and clients are hopefully receive them and -auto-magically configure addresses with received prefix and the default -route. ------------------------------------------------------------------------------ - -20.4.1. Configuring radvd - -20.4.1.1. Simple configuration - -Radvd's config file is normally /etc/radvd.conf. An simple example looks like -following: -interface eth0 { - AdvSendAdvert on; - MinRtrAdvInterval 3; - MaxRtrAdvInterval 10; - prefix 3ffe:ffff:0100:f101::/64 { - AdvOnLink on; - AdvAutonomous on; - AdvRouterAddr on; - }; -}; - - -This results on client side in -# ip -6 addr show eth0 -3: eth0: mtu 1500 qdisc pfifo_fast qlen 100 - inet6 3ffe:ffff:100:f101:2e0:12ff:fe34:1234/64 scope global dynamic - valid_lft 2591992sec preferred_lft 604792sec - inet6 fe80::2e0:12ff:fe34:1234/10 scope link - - -Because no lifetime was defined, a very high value was used. ------------------------------------------------------------------------------ - -20.4.1.2. Special 6to4 configuration - -Version since 0.6.2pl3 support the automatic (re)-generation of the prefix -depending on an IPv4 address of a specified interface. This can be used to -distribute advertisements in a LAN after the 6to4 tunneling has changed. -Mostly used behind a dynamic dial-on-demand Linux router. 
Because of the sure -shorter lifetime of such prefix (after each dial-up, another prefix is -valid), the lifetime configured to minimal values: -interface eth0 { - AdvSendAdvert on; - MinRtrAdvInterval 3; - MaxRtrAdvInterval 10; - prefix 0:0:0:f101::/64 { - AdvOnLink off; - AdvAutonomous on; - AdvRouterAddr on; - Base6to4Interface ppp0; - AdvPreferredLifetime 20; - AdvValidLifetime 30; - }; -}; - - -This results on client side in (assuming, ppp0 has currently 1.2.3.4 as local -IPv4 address): -# /sbin/ip -6 addr show eth0 -3: eth0: mtu 1500 qdisc pfifo_fast qlen 100 - inet6 2002:0102:0304:f101:2e0:12ff:fe34:1234/64 scope global dynamic - valid_lft 22sec preferred_lft 12sec - inet6 fe80::2e0:12ff:fe34:1234/10 scope link - - -Because a small lifetime was defined, such prefix will be thrown away -quickly, if no related advertisement was received. - -Additional note: if you do not used special 6to4 support in initscripts, you -have to setup a special route on the internal interface on the router, -otherwise you will get some backrouting problems. for the example showh here: -# /sbin/ip -6 route add 2002:0102:0304:f101::/64 dev eth0 metric 1 - - -This route needs to be replaced every time the prefix changes, which is the -case after a new IPv4 address was assigned to the dial-up interface. ------------------------------------------------------------------------------ - -20.4.2. Debugging - -A program called "radvdump" can help you looking into sent or received -advertisements. 
Simple to use: -# radvdump -Router advertisement from fe80::280:c8ff:feb9:cef9 (hoplimit 255) - AdvCurHopLimit: 64 - AdvManagedFlag: off - AdvOtherConfigFlag: off - AdvHomeAgentFlag: off - AdvReachableTime: 0 - AdvRetransTimer: 0 - Prefix 2002:0102:0304:f101::/64 - AdvValidLifetime: 30 - AdvPreferredLifetime: 20 - AdvOnLink: off - AdvAutonomous: on - AdvRouterAddr: on - Prefix 3ffe:ffff:100:f101::/64 - AdvValidLifetime: 2592000 - AdvPreferredLifetime: 604800 - AdvOnLink: on - AdvAutonomous: on - AdvRouterAddr: on - AdvSourceLLAddress: 00 80 12 34 56 78 - - -Output shows you each advertisement package in readable format. You should -see your configured values here again, if not, perhaps it's not your radvd -which sends the advertisement...look for another router on the link (and take -the LLAddress, which is the MAC address for tracing). ------------------------------------------------------------------------------ - -20.5. tcp_wrapper - -tcp_wrapper is a library which can help you to protect service against -misuse. ------------------------------------------------------------------------------ - -20.5.1. Filtering capabilities - -You can use tcp_wrapper for - -  * Filtering against source addresses (IPv4 or IPv6) - -  * Filtering against users (requires a running ident daemon on the client) - - ------------------------------------------------------------------------------ -20.5.2. Which program uses tcp_wrapper - -Following are known: - -  * Each service which is called by xinetd (if xinetd is compiled using - tcp_wrapper library) - -  * sshd (if compiled using tcp_wrapper) - - ------------------------------------------------------------------------------ -20.5.3. Usage - -tcp_wrapper is controlled by two files name /etc/hosts.allow and /etc/ -hosts.deny. For more information see -$ man hosts.allow - ------------------------------------------------------------------------------ - -20.5.3.1. 
Example for /etc/hosts.allow - -In this file, each service which should be positive filtered (means connects -are accepted) need a line. -sshd: 1.2.3. [3ffe:ffff:100:200::]/64 -daytime-stream: 1.2.3. [3ffe:ffff:100:200::]/64 - - -Note: there are broken implementations around, which uses following broken -IPv6 network description: [3ffe:ffff:100:200::/64]. Hopefully, such versions -will be fixed soon. ------------------------------------------------------------------------------ - -20.5.3.2. Example for /etc/hosts.deny - -This file contains all negative filter entries and should normally deny the -rest using -ALL: ALL - - -If this node is a more sensible one you can replace the standard line above -with this one, but this can cause a DoS attack (load of mailer and spool -directory), if too many connects were made in short time. Perhaps a logwatch -is better for such issues. -ALL: ALL: spawn (echo "Attempt from %h %a to %d at `date`" - | tee -a /var/log/tcp.deny.log | mail root@localhost) - ------------------------------------------------------------------------------ - -20.5.4. Logging - -Depending on the entry in the syslog daemon configuration file /etc/ -syslog.conf the tcp_wrapper logs normally into /var/log/secure. ------------------------------------------------------------------------------ - -20.5.4.1. 
Refused connection - -A refused connection via IPv4 to an xinetd covered daytime service produces a -line like following example -Jan 2 20:40:44 gate xinetd-ipv6[12346]: FAIL: daytime-stream libwrap -¬ from=::ffff:1.2.3.4 -Jan 2 20:32:06 gate xinetd-ipv6[12346]: FAIL: daytime-stream libwrap - from=3ffe:ffff:100:200::212:34ff:fe12:3456 - - -A refused connection via IPv4 to an dual-listen sshd produces a line like -following example -Jan 2 20:24:17 gate sshd[12345]: refused connect from ::ffff:1.2.3.4 -¬ (::ffff:1.2.3.4) -Jan 2 20:39:33 gate sshd[12345]: refused connect - from 3ffe:ffff:100:200::212:34ff:fe12:3456 -¬ (3ffe:ffff:100:200::212:34ff:fe12:3456) - ------------------------------------------------------------------------------ - -20.5.4.2. Permitted connection - -A permitted connection via IPv4 to an xinetd covered daytime service produces -a line like following example -Jan 2 20:37:50 gate xinetd-ipv6[12346]: START: daytime-stream pid=0 -¬ from=::ffff:1.2.3.4 -Jan 2 20:37:56 gate xinetd-ipv6[12346]: START: daytime-stream pid=0 - from=3ffe:ffff:100:200::212:34ff:fe12:3456 - - -A permitted connection via IPv4 to an dual-listen sshd produces a line like -following example -Jan 2 20:43:10 gate sshd[21975]: Accepted password for user from ::ffff:1.2.3.4 -¬ port 33381 ssh2 -Jan 2 20:42:19 gate sshd[12345]: Accepted password for user - from 3ffe:ffff:100:200::212:34ff:fe12:3456 port 33380 ssh2 - ------------------------------------------------------------------------------ - -20.6. vsftpd - -20.6.1. Listening on IPv6 addresses - -Edit the configuration file, ususally /etc/vsftpd/vsftpd.conf, and adjust the -listen option like -listen_ipv6=yes - - -That's all. ------------------------------------------------------------------------------ - -20.7. proftpd - -20.7.1. Listening on IPv6 addresses - -Edit the configuration file, ususally /etc/proftpd.conf, but take care, not -100% logical in virtual host setup - - ... - Bind 2001:0DB8::1 - ... - - - -That's all. 
------------------------------------------------------------------------------ - -20.8. Other daemons - -Nowadays it's mostly simple, look for either a command line option or a -configuration value to enable IPv6 listening. See manual page of the daemon -or check related FAQs. It can happen that you can bind a daemon only to the -IPv6-"any"-address (::) and not to bind to a dedicated IPv6 address, because -the lack of support (depends on that what the programmer has implemented so -far...). ------------------------------------------------------------------------------ - -Chapter 21. Programming (using API) - -I have no experience in IPv6 programming, perhaps this chapter will be filled -by others or moved away to another HOWTO. - -More Information can be found here: - -  * [http://www.faqs.org/rfcs/rfc2553.html] RFC 2553 / Basic Socket Interface - Extensions for IPv6 - -  * [http://www.ietf.org/internet-drafts/] Draft / Advanced Sockets API for - IPv6 / draft-ietf-ipngwg-rfc2292bis-XY.txt - -  * [http://jungla.dit.upm.es/~ecastro/IPv6-web/ipv6.html] Porting - applications to IPv6 HowTo by Eva M. Castro - - ------------------------------------------------------------------------------ -Chapter 22. Interoperability - -There are some projects around the world which checks the interoperability of -different operating systems regarding the implementation of IPv6 features. -Here some URLs: - -  * [http://www.tahi.org/] TAHI Project - - -More coming next... ------------------------------------------------------------------------------ - -Chapter 23. Further information and URLs - -23.1. Paper printed books, articles, online reviews (mixed) - -23.1.1. Printed Books (English) - -23.1.1.1. Cisco - -  * Cisco Self-Study: [http://www.amazon.com/exec/obidos/tg/detail/-/ - 1587050862/copernicshopper/103-1420916-1341420] Implementing IPv6 - Networks (IPV6), by Regis Desmeules. Cisco Press; ISBN 1587050862; 500 - pages; 1st edition (April 11, 2003). 
Note: This item will be published on - April 11, 2003. - -  * [http://www.amazon.com/exec/obidos/tg/detail/-/1928994849/copernicshopper - /103-1420916-1341420] Configuring IPv6 with Cisco IOS, by Sam Brown, Sam - Browne, Neal Chen, Robbie Harrell, Edgar, Jr. Parenti (Editor), Eric - Knipp (Editor), Paul Fong (Editor)362 pages; Syngress Media Inc; ISBN - 1928994849; (July 12, 2002). - - ------------------------------------------------------------------------------ -23.1.1.2. General - -  * [http://www.sunny.ch/publications/f_ipv6.htm] IPv6 Essentials by Silvia - Hagen, July 2002, O'Reilly [http://www.oreilly.com/catalog/ipv6ess/] - Order Number: 1258, ISBN 0-5960-0125-8, 352 pages. [http:// - www.oreilly.com/catalog/ipv6ess/] ToC, Index, Sample Chapter etc.; [http: - //press.oreilly.com/ipv6ess.html] O'Reilly Pressrelease - -  * IPv6: The New Internet Protocol. By Christian Huitema; Published by - Prentice-Hall; ISBN 0138505055. Description: This book, written by - Christian Huitema - a member of the InternetArchitecture Board, gives an - excellent description of IPv6, how it differs from IPv4, and the hows and - whys of it's development. Source: [http://www.cs.uu.nl/wais/html/na-dir/ - internet/tcp-ip/resource-list.html] http://www.cs.uu.nl/wais/html/na-dir/ - internet/tcp-ip/resource-list.html - -  * [http://www.epinions.com/book_mu-3402412/display_~full_specs] IPv6 - Networks by Niles, Kitty; (ISBN 0070248079); 550 pages; Date Published 05 - /01/1998. - -  * [http://www.amazon.com/exec/obidos/tg/detail/-/0764545892/copernicshopper - /103-1420916-1341420] Implementing IPV6. Supporting the Next Generation - Internet Protocols by P. E. Miller, Mark A. Miller; Publisher: John Wiley - & Sons; ISBN 0764545892; 2nd edition (March 15, 2000); 402 pages. - -  * [http://www.amazon.com/exec/obidos/tg/detail/-/0126167702/copernicshopper - /103-1420916-1341420] Big Book of Ipv6 Addressing Rfcs by Peter H. 
Salus - (Compiler), Morgan Kaufmann Publishers, April 2000, 450 pages ISBN - 0126167702. - -  * [http://www.epinions.com/book_mu-3922588/display_~full_specs] - Understanding IPV6 by Davies, Joseph; ISBN 0735612455; Date Published 05/ - 01/2001; Number of Pages: 350. [http://www.microsoft.com/MSPress/books/ - 4883.asp] Understanding IPV6 by Davies, Joseph; ISBN 0735612455; Date - Published 13/11/2002; Number of Pages 544. - -  * [http://www.amazon.com/exec/obidos/tg/detail/-/0471498920/copernicshopper - /103-1420916-1341420] Migrating to IPv6 - IPv6 in Practice. By Marc - Blanchet Publisher: John Wiley & Sons; ISBN 0471498920; 1st edition - (November 2002); 368 pages. - -  * [http://www.amazon.de/exec/obidos/ASIN/0672323443/qid%3D1038151777/ - 028-1904439-6654140] Programming IPv6 by Sean Walton; 560 pages; - Addison-Wesley Professional; ISBN 0672323443 Note: Will be published - August 1, 2003. - -  * [http://www.nwfusion.com/news/2000/1023ipv6.html] Wireless boosting IPv6 - by Carolyn Duffy Marsan, 10/23/2000. - -  * [http://www.oreillynet.com/search/index.ncsp?sp-q=IPv6] O'reilly Network - search for keyword IPv6 results in 29 hits (28. January 2002). - - ------------------------------------------------------------------------------ -23.1.2. Printed Books (German) - -  * Technik der IP-Netze (TCP/IP incl. IPv6) [http://www.amazon.de/exec/ - obidos/ASIN/3446215018/] bei Amazon.de Anatol Badach, Erwin Hoffmann Carl - Hanser Verlag München, Wien, 2001 ISBN 3-446-21501-8 Kap. 6: Protokoll - IPv6 S.205-242 Kap. 7: Plug&Play-Unterstützung bei IPv6 S.243-276 Kap. 8: - Migration zum IPv6-Einsatz S.277-294 Kap. 9.3.4: RIP für das Protokoll - IPv6 (RIPng) S.349-351 Kap. 9.4.6: OSPF für IPv6 S.384-385 Kommentar: tw. - nicht ganz up-to-date bzw. 
nicht ganz fehlerfreie Abbildungen [http:// - www.fehcom.de/tipn/tipn.html] Homepage des Buches und Tabelle mit Fixes - -  * Internet-Sicherheit (Browser, Firewalls und Verschlüsselung) [http:// - www.amazon.de/exec/obidos/ASIN/3446217258/] bei Amazon.de Kai Fuhrberg 2. - akt. Auflage 2000 Carl Hanser Verlag München, Wien, ISBN 3-446-21333-3 - Kap.2.3.1.4. IPv6 S.18-22 Kurz angerissen werden: RFC1825 - Security - Association Konzept RFC1826 - IP authentication Header RFC1827 - IP - Encapsulation Security Payload - -  * IPv6. Das neue Internet- Protokoll. Technik, Anwendung, Migration [http:/ - /www.amazon.de/exec/obidos/ASIN/389864149X] bei Amazon Hans Peter Dittler - 2. akt. und erweiterte Auflage 2002 dpunkt.verlag, ISBN 3-89864-149-X - -  * Das neue Internetprotokoll IPv6 [http://www.amazon.de/exec/obidos/ASIN/ - 3446216855] bei Amazon Herbert Wiese 2002 Carl Hanser Verlag, ISBN - 3446216855 - - ------------------------------------------------------------------------------ -23.1.3. Articles, eBooks, Online Reviews (mixed) - -  * [http://www.onlamp.com/pub/a/onlamp/2001/06/01/ipv6_tutorial.html] - Getting Connected with 6to4 by Huber Feyrer, 06/01/2001 - -  * [http://researchcenter.zdnet.com/data/detail?id=1001711171_237&type=RES&x - =120054357] How Long the Aversion to IP Version 6 - Review of META Group, - Inc., full access needs (free) registration at META Group, Inc. - -  * Transient Addressing for Related Processes: Improved Firewalling by Using - IPv6 and Multiple Addresses per Host; written by Peter M. Gleiz, Steven - M. 
Bellovin ([http://www.securiteinfo.com/ebooks/pdf/tarp.pdf] - PC-PDF-Version; [http://www.securiteinfo.com/ebooks/palm/tarp.pdf] - Palm-PDF-Version; [http://www.securiteinfo.com/ebooks/pdb/tarp.pdb] - PDB-Version) - -  * [http://www.oreilly.fr/catalogue/ipv6-3ed.html] IPv6, théorie et pratique - (french) 3e édition, mars 2002, O'Reilly, ISBN 2-84177-139-3 - -  * [http://www.securiteinfo.com/crypto/IPSec.shtml] IPSec (language: french) - -  * [http://www.ip6.com/index.html] Internetworking IPv6 with Cisco Routers - by Silvano Gai, McGrawHill Italia, 1997. The 13 chapters and appendix A-D - are downloadable as PDF-documents. - -  * [http://www.vermicelli.pasta.cs.uit.no/ipv6/students/vegars/] Secure and - Dynamic Tunnel Broker by Vegar Skaerven Wang, Master of Engineering - Thesis in Computer Science, 2.June 2000, Faculty of Science, Dep.of - Computer Science, University of Tromso, Norway. - -  * [http://www.netobjectdays.org/pdf/99/stja/doering.pdf] Aufbruch in die - neue Welt - IPv6 in IPv4 Netzen von Dipl.Ing. Ralf Döring, TU Illmenau, - 1999 - -  * [http://www.csc.fi/~psavola/residential.html] Migration and Co-existence - of IPv4 and IPv6 in Residential Networks by Pekka Savola, CSC/FUNET, 2002 - - ------------------------------------------------------------------------------ -23.1.4. Science Publications (abstracts, bibliographies, online resources) - -  * [http://www.ist-ipv6.org/standards/IPv6STDReptDec02.pdf] Standardisation - Report, December 2002 published by [http://www.ist-ipv6.org/] IPv6 - Cluster, 1mb (every 4 months the Standards report will be updated under: - [http://www.ist-ipv6.org/standards.html] http://www.ist-ipv6.org/ - standards.html). - -  * [http://www.ipv6.ac.uk/gtpv6/workplan.html] GEANT IPv6 Workplan - -  * [http://citeseer.nj.nec.com/perkins96mobility.html] Mobility support in - IPv6 by C.E. Perkins and D.B. Johnson. In Proceedings of the Second - Annual International Conference on Mobile (1996). 
- -  * [http://www.ingenta.com/isis/searching/ExpandSearch/ingenta?year_to=2002& - year_from=1997&date_type=range&title=IPv6&title_type=tka&database=1& - newMatches=false&pageStart=1&index=1] A simulation study on the - performance of Mobile IPv6 in a WLAN-based cellular network, by Perez - Costa X.; Hartenstein H. -- Computer Networks, September 2002, vol. 40, - no. 1, pp. 191-204(14) -- Elsevier Science. - -  * [http://www.ipv6.ac.uk/bermuda2/] IPv6 Trials on UK Academic Networks: - Bermuda Project Aug.2002: Participants - Getting connected - Project - deliverables - Network topology - Address assignments - Wireless IPv6 - access - IPv6 migration - Project presentations - Internet 2 - Other IPv6 - projects - IPv6 fora and standards Bermuda 2... - -  * [http://www.ipv6.ac.uk/] http://www.ipv6.ac.uk/ - -  * [http://www.ingenta.com/isis/searching/ExpandSearch/ingenta?year_to=2002& - year_from=1997&date_type=range&title=IPv6&title_type=tka&database=1& - newMatches=false&pageStart=1&index=2] A scalable parallel internet router - that enables the QoS through merging ATM with IPv6. By Song S. -- - Computer Communications, 1 May 2002, vol. 25, no. 7, pp. 647-651(5) -- - Elsevier Science. - -  * [http://liinwww.ira.uka.de/cgi-bin/bibshow?e=Pt0mjovy.kpvsobm/vojrvf] - Linux IPv6: Which One to Deploy? Linux Journal, Vol. 96, p. 86, 88-90, - April 2002. - -  * [http://www.ingenta.com/isis/searching/ExpandSearch/ingenta?year_to=2002& - year_from=1997&date_type=range&title=IPv6&title_type=tka&database=1& - newMatches=false&pageStart=1&index=3] An overview and analysis of mobile - Internet protocols in cellular environments. Chao H-C. -- Internet - Research: Electronic Networking Applications and Policy, 24 October 2001, - vol. 11, no. 5, pp. 
435-450(16) -- MCB University Press - -  * [http://www.ingenta.com/isis/searching/ExpandSearch/ingenta?year_to=2002& - year_from=1997&date_type=range&title=IPv6&title_type=tka&database=1& - newMatches=false&pageStart=1&index=5] IPv6 for Future Wireless - NetworksToftegaard Nielsen T. -- Wireless Personal Communications, June - 2001, vol. 17, no. 2/3, pp. 237-247(11) -- Kluwer Academic Publishers, - Dordrecht, The Netherlands - -  * [http://www.ipv6.ecs.soton.ac.uk/] IPv6 at the University of Southampton - -  * [http://www.ingenta.com/isis/searching/ExpandSearch/ingenta?year_to=2002& - year_from=1997&date_type=range&title=IPv6&title_type=tka&database=1& - newMatches=false&pageStart=1&index=4] Seamless Support for Mobile - Internet Protocol Based Cellular EnvironmentsChao H-C.; Chu Y-M. -- - International Journal of Wireless Information Networks, July 2001, vol. - 8, no. 3, pp. 133-153(21) -- Kluwer Academic/Plenum Publishers, New York, - U.S.A. - -  * [http://liinwww.ira.uka.de/cgi-bin/bibshow?e=Njtd0MODT0modt3111/vojrvf] - IPv6: The Solution for Future Universal Networks. Lecture Notes in - Computer Science, Vol. 1818, p. 82-??, 2000. - -  * [http://www.ingenta.com/isis/searching/ExpandSearch/ingenta?year_to=2002& - year_from=1997&date_type=range&title=IPv6&title_type=tka&database=1& - newMatches=false&pageStart=1&index=8] Modeling and performance analysis - for IPv6 traffic with multiple QoS classes. Zhang L.; Zheng L. -- - Computer Communications, 1 October 2001, vol. 24, no. 15, pp. 1626-1636 - (11) -- Elsevier Science. - -  * [http://liinwww.ira.uka.de/cgi-bin/bibshow?e=Njtd0MODT0modt3111/vojrvf] - Threshold-Based Registration (TBR) in Mobile IPv6. Lecture Notes in - Computer Science, Vol. 1818, p. 150-??, 2000. - -  * [http://liinwww.ira.uka.de/cgi-bin/bibshow?e=Njtd0MODT0modt3111/vojrvf] - IPv6 Performance Analysis on FreeBSD Workstation Using Simple - Applications. Lecture Notes in Computer Science, Vol. 1961, p. 33-??, - 2000. 
- -  * Microsoft Research IPv6 Implementation (MSRIPv6): [http:// - www.research.microsoft.com/msripv6/] MSRIPv6 Configuring 6to4 - - Connectivity with MSR IPv6 - Our 6Bone Node... - -  * [http://www.ingenta.com/isis/searching/ExpandSearch/ingenta?year_to=2002& - year_from=1997&date_type=range&title=IPv6&title_type=tka&database=1& - newMatches=false&pageStart=1&index=9] New frontiers in cybersegmentation: - marketing success in cyberspace depends on IP address. Louvieris P.; - Driver J. -- Qualitative Market Research: An International Journal, 27 - June 2001, vol. 4, no. 3, pp. 169-181(13) -- MCB University Press. - -  * [http://liinwww.ira.uka.de/cgi-bin/bibshow?e=Njtd0MODT0modt3113c/vojrvf] - QoS-Conditionalized Handoff for Mobile IPv6. Lecture Notes in Computer - Science, Vol. 2345, p. 721-??, 2002. - - ------------------------------------------------------------------------------ -23.1.5. Others - -See following URL for more: [http://www.switch.ch/lan/ipv6/references.html] -SWITCH IPv6 Pilot / References ------------------------------------------------------------------------------ - -23.2. Conferences, Meetings, Summits - -23.2.1. 2002 - -  * [http://www.renater.fr/IPv6-2002/] Renater - Conférence IPv6 2002 - -  * [http://www.ipv6summit.com/] IPv6 Deployment Summit at INET 2002 - - -Something missing? Suggestions are welcome! ------------------------------------------------------------------------------ - -23.2.2. 2003 - -Suggestions are welcome! ------------------------------------------------------------------------------ - -23.3. Online information - -23.3.1. Join the IPv6 backbone - -More to be filled later...suggestions are welcome! ------------------------------------------------------------------------------ - -23.3.1.1. 
Global registries - -  * IPv6 test backbone: [http://www.6bone.net/] 6bone, [http://www.6bone.net/ - 6bone_hookup.html] How to join 6bone, [http://www.join.uni-muenster.de/ - 6bone/6bone-teilnahme.html] Teilnahme am 6bone (german language), [http:/ - /www.join.uni-muenster.de/6bone/6bone-participation.html] 6bone - participation (english language) - - ------------------------------------------------------------------------------ -23.3.1.2. Major regional registries - -  * America: [http://www.arin.net/] ARIN, [http://www.arin.net/registration/ - ipv6/index.html] ARIN / registration page, [http://www.arin.net/library/ - index.htm] ARIN / IPv6 guidelines - -  * EMEA: [http://www.ripe.net/] Ripe NCC, [http://www.ripe.net/ripencc/ - mem-services/registration/] Ripe NCC / registration page, [http:// - www.ripe.net/ripencc/mem-services/registration/ipv6/ipv6.html] Ripe NCC / - IPv6 registration - -  * Asia/Pacific: [http://www.apnic.net/] APNIC, [http://www.apnic.net/ - services/ipv6_guide.html] APNIC / IPv6 ressource guide - -  * Latin America and Caribbea: [http://lacnic.org/] LACNIC, [http:// - lacnic.net/en/bt-IPv6.html] IPv6 Registration Services, [http:// - lacnic.net/en/chapter-4-en.pdf] IPv6 Allocation Policy - -  * Africa: [http://www.afrinic.org/] AfriNIC - - -Also a list of major (prefix length 32) allocations per local registry is -available here: [http://www.ripe.net/ripencc/mem-services/registration/ipv6/ -ipv6allocs.html] Ripe NCC / IPv6 allocations. ------------------------------------------------------------------------------ - -23.3.1.3. Tunnel brokers - -Note: A list of available Tunnel broker can be found in the section Tunnel -broker below. - -  * [http://www.vermicelli.pasta.cs.uit.no/ipv6/students/vegars/TunnelBroker - /] Sourcecode used in Vermicellis Master thesis about tunnelbroker, - University of Tromso. - -  * Former IPng. Tunnelbroker and IPv6 resources, now migrated to the [http:/ - /www.sixxs.net/main/] SixXs System. 
- -  * Eckes' [http://sites.inka.de/lina/linux/ipv6.html] IPv6-with-Linux Page. - -  * [http://www.ripe6.net/] RIPE6.net: Configure an IPv6 Tunnel to a - tunnelbroker; Route ipv6-ips from your router to other clients in your - network... - -  * tunnelc - a perl based tunnel client script: freshmeat.net: [http:// - freshmeat.net/projects/tunnelc] Project details for tunnel client - SourceForge: [http://sourceforge.net/projects/tunnelc] Project Info - - tunnelc (also [http://tunnelc.sourceforge.net/] here) - -  * [http://www.ipv6.uni-leipzig.de/~6bone/tb/maillist.html] Tunnelbroker - Maillingliste - -  * Linux Advanced Routing & Traffic Control HOWTO, [http:// - howtos.linuxbroker.com/howtoreader.shtml?file=Adv-Routing-HOWTO.html# - LARTC.TUNNEL-IPV6.ADDRESSING] Chapter 6: IPv6 tunneling with Cisco and/or - 6bone. - - -See also here for more information and URLs: [http://www.ipv6-net.de/] -ipv6-net.org. ------------------------------------------------------------------------------ - -23.3.1.4. 6to4 - -  * [http://www.kfu.com/~nsayer/6to4/] NSayer's 6to4 information - -  * [http://www.faqs.org/rfcs/rfc3068.html] RFC 3068 / An Anycast Prefix for - 6to4 Relay Routers - - ------------------------------------------------------------------------------ -23.3.1.5. ISATAP - -  * [http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_ISATAP.php?lang= - en] ISATAP (Intra-Site Automatic Tunnel Access Protocol) Information by - [http://www.join.uni-muenster.de/] JOIN - - ------------------------------------------------------------------------------ -23.3.2. Latest news - -More to be filled later...suggestions are welcome! - -  * [http://hs247.com/] hs247 / IPv6 news and information - -  * [http://bofh.st/ipv6/] bofh.st / latest IPv6 news (but currently [Jan - 2002] outdated...), also homepage for #IPv6 channel on IRCnet - -  * [http://www.ipv6-net.de/] ipv6-net.org, German forum - - ------------------------------------------------------------------------------ -23.3.3. 
Protocol references - -23.3.3.1. IPv6-related Request For Comments (RFCs) - -Publishing the list of IPv6-related RFCs is beyond the scope of this -document, but given URLs will lead you to such lists: - -  * List sorted by [http://playground.sun.com/pub/ipng/html/specs/ - standards.html] IPng Standardization Status or [http://playground.sun.com - /pub/ipng/html/specs/specifications.html] IPng Current Specifications by - Robert Hinden - -  * [http://www.ipv6.org/specs.html] IPv6 Related Specifications on IPv6.org - - ------------------------------------------------------------------------------ -23.3.3.2. Current drafts of working groups - -Current (also) IPv6-related drafts can be found here: - -  * [http://www.ietf.org/ids.by.wg/ipv6.html] IP Version 6 (ipv6) - -  * [http://www.ietf.org/ids.by.wg/ngtrans.html] Next Generation Transition - (ngtrans) - -  * [http://www.ietf.org/ids.by.wg/dhc.html] Dynamic Host Configuration (dhc) - -  * [http://www.ietf.org/ids.by.wg/dnsext.html] Domain Name System Extension - (dnsext) - -  * [http://www.ietf.org/ids.by.wg/mobileip.html] Mobile IP (mobileip) - -  * [http://playground.sun.com/pub/ipng/html/ipng-main.html] Get any - information about IPv6, from overviews, through RFCs & drafts, to - implementations (including availability of stacks on various platforms & - source code for IPv6 stacks) - -  * [http://www.sumitomo.com/htmls/randd/ipv6/doc.html] IPv6 specifications - - Latest RFCs and Internet Drafts Collection. - - ------------------------------------------------------------------------------ -23.3.3.3. 
Others - -  * [http://www.networksorcery.com/enp/protocol/ipv6.htm] Network Sorcery / - IPv6, Internet Protocol version 6, IPv6 protocol header - -  * [http://www.switch.ch/lan/ipv6/references.html] SWITCH IPv6 Pilot / - References, big list of IPv6 references maintained by Simon Leinen - -  * [http://steinbeck.ucs.indiana.edu:47401/] Advanced Network Management - Laboratory / IPv6 Address Oracle shows you IPv6 addresses in detail - - ------------------------------------------------------------------------------ -23.3.4. More information - -More to be filled later...suggestions are welcome! - -[http://www.deepspace6.net/sections/links.html] DeepSpace6 / more interesting -links ------------------------------------------------------------------------------ - -23.3.4.1. Linux related - -  * [http://www.deepspace6.net/] DeepSpace6 / (Not only) Linux IPv6 Portal - - Italy ([http://mirrors.bieringer.de/www.deepspace6.net/] Mirror) - -  * [http://www.bieringer.de/linux/IPv6/] IPv6-HowTo for Linux by Peter - Bieringer - Germany, and his [ftp://ftp.bieringer.de/pub/linux/IPv6/] - Bieringer / IPv6 - software archive - -  * [http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status.html] - Linux+IPv6 status by Peter Bieringer - Germany (going obsolete) - -  * [http://www.deepspace6.net/docs/ipv6_status_page_apps.html] DeepSpace6 / - IPv6 Status Page - Italy ([http://mirrors.bieringer.de/www.deepspace6.net - /docs/ipv6_status_page_apps.html] Mirror) (will superseed upper one) - -  * [http://www.linux-ipv6.org/] USAGI project - Japan, and their [ftp:// - ftp.linux-ipv6.org/pub/] USAGI project - software archive - -  * [http://www.bugfactory.org/~gav/ipv6/] Gav's Linux IPv6 Page - -  * [http://www.tldp.org/HOWTO/OLSR-IPv6-HOWTO/] Linux Optimized Link State - Routing Protocol (OLSR) IPv6 HOWTO - - ------------------------------------------------------------------------------ -23.3.4.2. 
Linux related per distribution - -PLD - [http://www.pld-linux.org/] PLD Linux Distribution ("market leader" in - containing IPv6 enabled packages) - -Red Hat - [http://www.redhat.com/] Red Hat Linux, [http://www.netcore.fi/pekkas/ - linux/ipv6/] Pekka Savola's IPv6 packages - -Debian - [http://www.debian.org/] Debian Linux, [http://people.debian.org/~csmall/ - ipv6/] Craig Small's IPv6 information and status, [http://www.jipo.org/ - jim/Jims_LAN_IPv6_global_connectivity_howto.html] Jim's insignificant LAN - IPv6 global connectivity HOWTO - -SuSE - [http://www.suse.com/] SuSE Linux - -Mandrake - [http://www.linux-mandrake.com/] Linux Mandrake - - -For more see the [http://www.bieringer.de/linux/IPv6/status/ -IPv6+Linux-status-distributions.html] IPv6+Linux Status Distributions page. ------------------------------------------------------------------------------ - -23.3.4.3. General - -  * [http://www.ipv6.org/] IPv6.org - -  * [http://www.6bone.net/] 6bone - -  * [http://www.cs-ipv6.lancs.ac.uk/] UK IPv6 Resource Centre - UK - -  * [http://www.join.uni-muenster.de/JOIN/ipv6/texte-englisch/ - informationsquellen.html] JOIN: IPv6 information - Germany, by the JOIN - project team maintaining also [http://www.join.uni-muenster.de/JOIN/ipv6/ - texte-englisch/www.html] Links to external WWW pages comprising IPv6/ - IPng. - -  * [http://tipster6.ik.bme.hu/tipster6_en.html] TIPSTER6 project - Hungary, - "Testing Experimental IPv6 Technology and Services in Hungary". - -  * [http://www.v6.wide.ad.jp/] WIDE project - Japan - -  * [http://www.switch.ch/lan/ipv6/] SWITCH IPv6 Pilot - Switzerland - -  * [http://www.feyrer.de/IPv6/] IPv6 Corner of Hubert Feyrer - Germany - -  * [http://www.vermicelli.pasta.cs.uit.no/ipv6/] Vermicelli Project - Norway - -  * [http://www.ipv6forum.com/] IPv6 Forum - a world-wide consortium of - leading Internet vendors, Research & Education Networks... 
- -  * [http://playground.sun.com/pub/ipng/html/ipng-main.html] - Playground.sun.com / IPv6 Info Page - maintained by Robert Hinden, Nokia. - Get any information about IPv6, from overviews, through RFCs & drafts, to - implementations (including availability of stacks on various platforms & - source code for IPv6 stacks). - -  * [http://www.nas.nasa.gov/Groups/LAN/IPv6/] NASA Ames Research Center (old - content) - -  * [http://www.6init.com/] 6INIT - IPv6 Internet Initiative - an EU Fifth - Framework Project under the IST Programme. - -  * [http://www.ipv6-taskforce.org/] IPv6 Task Force (European Union) - -  * [http://www.v6.sfc.wide.ad.jp/v6doc/] IPv6 Document Project (Japanese - language) - -  * [http://www.6init.org/] 6init - IPv6 INternet IniTiative - -  * [http://www.isoc.org/HMP/PAPER/PT1/html/pt1.html.hinden] IP Next - Generation Overview - -  * [http://ganges.cs.tcd.ie/4ba2/ipng/] The IPng Group's home page. - -  * [http://www.usenix.org/publications/library/proceedings/ana97/summaries/ - deering.html] IPv6: The New Version of the Internet Protocol, by Steve - Deering. - -  * [http://www.garykessler.net/library/ipv6_exp.html] IPv6: The Next - Generation Internet Protocol, by Gary C. Kessler. - -  * [http://www.3com.com/nsc/ipv6.html] IPv6: Next Generation Internet - Protocol - 3Com - -  * [http://www.mediaport.org/~iamano/lr.zip] Literature Research IPv6 - (IPng), by Mike Crawfurd. - -  * [http://www.ngi.gov/] Next Generation Internet Initiative - -  * [http://www.internet2.org/] internet || site and [http:// - ipv6.internet2.edu/] internet2 Working Group - [http://ipv6.internet2.edu - /presentations/] Presentation (HTML + PPT) from IPv6 Workshops: - (Stateless Autoconfiguration, IPv6 Addressing, USAGI, Provider - Independent IPv6 Addressing and other topics). 
- -  * NetworkWorldFusion: Search / Doc Finder: [http://search.nwfusion.com/ - query.html?qt=IPv6&qp=&ch=cn&] searched for IPv6 (102 documents found - 22.12.2002) - -  * [http://www.theregister.co.uk/] The Register (Search for IPv6 will result - in 30 documents, 22.12.2002) - -  * [http://zdnet.search.com/search?cat=279&q=IPv6] ZDNet Search for IPv6 - -  * [http://whatis.techtarget.com/wsearchResults/1,290214,sid9,00.html?query= - IPv6] TechTarget Search for IPv6 - -  * [http://www.faqs.org/faqs/internet/tcp-ip/resource-list/index.html] IPv6 - & TCP Resources List - -  * [http://ipv6.klingon.nl/] Klingon IPv6 tools, [http://www.ipv6.klingon.nl - /] Klingon IPv6 tools (native IPv6 only access): IPv6 firewall examples, - bandwith testing and portscanner - - -Something missing? Suggestions are welcome! ------------------------------------------------------------------------------ - -23.3.4.4. Market Research - -  * [http://www.seminarinformation.com/wconnect/wc.dll?sis~details0~307~TSN] - A Tale of Two Wireless Technology Trends: Processor Development - Outsourcing and IPv6Yankee Group - 4/1/2002 - 12 Pages - ID: YANL768881 - -  * [http://www.marketresearch.com/product/display.asp?SID= - 88602378-241489274-186851952&ProductID=803907] The World Atlas of the - Internet: Americas; IDATE - 2/1/2002 - 242 PAges - ID: IDT803907. - Countries covered: Central America, North America, South America; List: - Price: $ 3,500.00; excerpt: Panorama of Internet access markets across - the globe. Market assessment and forecasts up to 2006 for 34 countries: - market structure: main ISPs and market shares; number of subscribers, of - ISPs. 
- -  * [http://www.amazon.com/exec/obidos/tg/detail/-/B000065T8E/copernicshopper - /103-1420916-1341420] Early Interest Rising for IPv6 by IDC (Author); - List Price: $1,500.00; Edition: e-book (Acrobat Reader); Publisher: IDC; - ISBN B000065T8E; (March 1, 2002) - - ------------------------------------------------------------------------------ -23.3.4.5. Patents - -  * Canadian Patent Database: [http://patents1.ic.gc.ca/intro-e.html] Home, - [http://patents1.ic.gc.ca/srch_sim-e.html] Search (Basic Search, just - enter IPv6 in the search field ;-); 84 documents found 22.12.2002) - -  * [http://www.european-patent-office.org/espacenet/info/index.htm] - Espacenet - European patent information: [http:// - www.european-patent-office.org/espacenet/info/access.htm] National - Offices, Members of Espacenet(IPv6: 84 documents, 22.12.2002) - -  * Delphion Research: [http://www.delphion.com/research/] Patent Search - Page. Basic (free) registration needed. Examples found 21.12.2002 - searching for IPv6: [http://www.delphion.com/details?pn=US06118784__] - Communicating method between IPv4 terminal and IPv6 terminal and - IPv4-IPv6 converting apparatus [http://www.delphion.com/details?pn= - US06038233__] Translator for IP networks, network system using the - translator, and IP network coupling method therefor - - ------------------------------------------------------------------------------ -23.3.5. By countries - -23.3.5.1. Europe - -  * [http://www.ist-ipv6.org/] www.ist-ipv6.org: IST IPv6 Cluster, European - IPv6 Research and Development Projects - -  * [http://www.euro6ix.org/] Euro6IX: European IPv6 Internet Exchanges - Backbone - - ------------------------------------------------------------------------------ -23.3.5.2. Austria - -  * [http://www.ikn.tuwien.ac.at/~ipv6/] IPv6@IKNnet and MIPv6 Research - Group: TU Vienna, Austria (IPv6: project, publications, diploma / doctor - thesis, Conference Proceedings etc.) 
- - ------------------------------------------------------------------------------ -23.3.5.3. Australia - -  * [http://oversteer.bl.echidna.id.au/IPv6/] Carl's Australian IPv6 Pages - (old content) - - ------------------------------------------------------------------------------ -23.3.5.4. Belgium - -  * [http://vivaldi.belnet.be/ipv6/] BELNET: the Belgian Research Network - -  * [http://www.ipv6.euronet.be/] Euronet: one of the biggest ISP's of - Belgium... - - ------------------------------------------------------------------------------ -23.3.5.5. Brazil - -  * [http://www.6bone.rnp.br/] BR6bone - -  * [http://www.ipv6summit.com.br/] IPv6 Summit in Brazil - -  * [http://www.ipv6dobrasil.com.br/] IPv6 do Brasil - - ------------------------------------------------------------------------------ -23.3.5.6. China - -  * [http://www.ipv6.com.cn/] Nokia China - IPv6 Site - -  * [http://www.internet6.com.cn/] Internet6 Initiative by Nokia China - - ------------------------------------------------------------------------------ -23.3.5.7. Czech - -  * [http://bsd-ipv6.vol.cz/] IPv6 in Czech On Line - - ------------------------------------------------------------------------------ -23.3.5.8. Germany - -  * [http://www.ipv6-net.de/] IPv6-net.org: German IPv6 forum - - ------------------------------------------------------------------------------ -23.3.5.9. France - -  * [http://www.renater.fr/Projets/IPv6/index.htm] Renater: Renater IPv6 - Project Page - -  * [http://www.inria.fr/recherche/equipes/ipv6.fr.html] IPv6 - RSVP - ATM at - INRIA - -  * [http://www.netbsd.org/fr/Documentation/network/ipv6/] NetBSD IPv6 - Documentation - - ------------------------------------------------------------------------------ -23.3.5.10. 
Hungary - -  * [http://tipster6.ik.bme.hu/tipster6_en.html] Testing Experimental IPv6 - Technology and Services in Hungary - -  * [http://www.ipv6.fsz.bme.hu/] Hungarian IPv6 Information Page - - ------------------------------------------------------------------------------ -23.3.5.11. India - -  * [http://ipv6.bits-pilani.ac.in/] IPv6 at BITS - - ------------------------------------------------------------------------------ -23.3.5.12. Italy - -  * [http://project6.ferrara.linux.it/] Project6: IPv6 networking with Linux - -  * [http://www.6bone.it/] Edisontel: IPv6 Portal of Edisontel - - ------------------------------------------------------------------------------ -23.3.5.13. Japan - -  * [http://www.v6.linux.or.jp/] Linux IPv6 Users Group JP - -  * [http://www.rtpro.yamaha.co.jp/RT/ipv6/] Yamaha IPv6 (sorry, all in - japanese native ...) - - ------------------------------------------------------------------------------ -23.3.5.14. Korea - -  * [http://www.krv6.net/] ETRI: Electronics and Telecommunications Research - Institut - -  * [http://www.ipv6.or.kr/english/index.new.htm] IPv6 Forum Korea: Korean - IPv6 Deployment Project - - ------------------------------------------------------------------------------ -23.3.5.15. Mexico - -  * [http://www.ipv6.unam.mx/] IPv6 Mexico (spain & english version): IPv6 - Project Hompeage of The National Autonomous University of Mexico (UNAM) - - ------------------------------------------------------------------------------ -23.3.5.16. Netherland - -  * [http://www.ipv6.surfnet.nl/] SURFnet: SURFnet IPv6 Backbone - -  * [http://www.stack.nl/] STACK, [http://www.stack.nl/ipv6/] STACK (IPv6): - Students' computer association of the Eindhoven University of Technology, - Netherland - -  * [http://www.ipng.nl/] IPng.nl: collaboration between WiseGuys and Intouch - - ------------------------------------------------------------------------------ -23.3.5.17. 
Portugal - -  * [http://ipng.ip6.fc.ul.pt/] IPv6 pages of Miguel Rosa (broken?) - -  * [http://www.fccn.pt/projectos/ipv6/index_html] FCCN (National Foundation - for the Scientific Computation) - -  * [http://www.ipv6.ualg.pt/] University of Algarve, Portugal - -  * [http://www.ipv6.mfa.eti.br/] IPv6 - MFA - - ------------------------------------------------------------------------------ -23.3.5.18. Russia - -  * [http://www.ipv6.ru/] IPv6 Forum for Russia: Yaroslavl State University - Internet Center - - ------------------------------------------------------------------------------ -23.3.5.19. Switzerland - -  * [http://www.switch.ch/network/ipv6/references.html] SWITCH: The Swiss - Education & Research Network - - ------------------------------------------------------------------------------ -23.3.5.20. United Kingdom - -  * [http://www.ipv6.org.uk/] IPv6 in the UK - -  * [http://www.cs-ipv6.lancs.ac.uk/] UK IPv6 Resource Center - -  * [http://www.bt.com/ipv6/] British Telecom IPv6 Home: BT's ISP IPv6 Trial, - UK's first IPv6 Internet Exchange etc. - - ------------------------------------------------------------------------------ -23.3.6. By operating systems - -23.3.6.1. *BSD - -  * [http://www.kame.net/] KAME project (*BSD) - -  * [http://www.netbsd.org/Documentation/network/ipv6/] NetBSD's IPv6 - Networking FAQ - -  * [http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipv6.html] - FreeBSD Documentation Project - -  * [http://www.freebsd.org/ports/ipv6.html] FreeBSD Ports: Ipv6 - -  * BUGAT - BSD Usergroup Austria - [http://www.bugat.at/] www.bugat.at: - [http://www.bugat.at/inforum/contentview.php/mini-howto/ - freebsd-ipv6.ihtml] FreeBSD IPv6 Tunnel (German language) - - ------------------------------------------------------------------------------ -23.3.6.2. 
Cisco IOS - -  * [http://www.cisco.com/warp/public/732/Tech/ipv6/] Cisco IOS IPv6 Entry - Page - -  * [http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft - /122t/122t2/ipv6/ftipv6c.htm] IPv6 for Cisco IOS Software, File 2 of 3: - Aug 2002 -- Table of Contents: IPv6 for Cisco IOS Software; Configuring - Documentation Specifics; Enabling IPv6 Routing and Configuring; IPv6 - Addressing; Enabling IPv6 Processing Globally. - -  * Cisco Internet Networking Handbook, [http://www.cisco.com/univercd/cc/td/ - doc/cisintwk/ito_doc/ipv6.htm] Chapter IPv6 - - ------------------------------------------------------------------------------ -23.3.6.3. Compaq - -  * [http://www.compaq.com/ipv6/] IPv6 at Compaq - Presentations, White - Papers, Documentation... - - ------------------------------------------------------------------------------ -23.3.6.4. HPUX - -  * [http://www.faqs.org/faqs/hp/hpux-faq/index.html] comp.sys.hp.hpux FAQ - - ------------------------------------------------------------------------------ -23.3.6.5. IBM - -  * Now that IBM's announced the availability of z/OS V1.4, [http:// - search390.techtarget.com/ateQuestionNResponse/ - 0,289625,sid10_cid486367_tax292523,00.html] what's new in this release? - This question was posed on 15 August 2002 - - ------------------------------------------------------------------------------ -23.3.6.6. 
Microsoft - -  * [http://www.microsoft.com/windows2000/technologies/communications/ipv6/ - default.asp] Microsoft Windows 2000 IPv6 - -  * [http://www.research.microsoft.com/msripv6] MSRIPv6 - Microsoft Research - Network - IPv6 Homepage - -  * [http://msdn.microsoft.com/downloads/sdks/platform/tpipv6/start.asp] - Getting Started with the Microsoft IPv6 Technology Preview for Windows - 2000 - -  * [http://support.microsoft.com/default.aspx?scid=kb;en-us;306203] Internet - Connection Firewall Does Not Block Internet Protocol Version 6 Traffic - (6.11.2001) - -  * [http://support.microsoft.com/default.aspx?scid=kb;en-us;289892] Internet - Protocol Numbers (8.10.2002) - -  * [http://support.microsoft.com/default.aspx?scid=kb;en-us;273826] IPv6 - Technology Preview Refresh (16.10.2002) - -  * [http://support.microsoft.com/default.aspx?scid=kb;en-us;325449] HOW TO: - Install and Configure IP Version 6 in Windows .NET Enterprise Server - (26.10.2002) - -  * [http://support.microsoft.com/default.aspx?scid=kb;en-us;329984] Windows - .NET Server 6to4 Router Service Quits When You Advertise a 2002 Address - on the Public Interface (28.10.2002) - -  * [http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ - wcetcpip/htm/cmconIPv6exe.asp] msdn - Microsoft Windows CE .NET - IPv6 - commands - -  * [http://search.microsoft.com/default.asp?qu=IPv6&boolean=ALL&nq=NEW&so= - RECCNT&p=1&ig=01&i=00&i=01&i=02&i=03&i=04&i=05&i=06&i=07&i=08&i=09&i=10&i - =11&i=12&i=13&i=14&i=15&i=16&i=17&i=18&i=19&i=20&i=21&i=22&i=23&i=24&i=25 - &i=26&i=27&i=28&i=29&i=30&i=31&i=32&i=33&i=34&i=35&i=36&i=37&i=38&i=39&i= - 40&i=41&siteid=us/dev] msdn - search for IPv6 (100 results, 22.12.2002) - - ------------------------------------------------------------------------------ -23.3.6.7. 
Solaris - -  * [http://www.sun.com/solaris/ipv6/] Sun Microsystems IPv6 Page for Solaris - 8 - -  * [http://www.cs.uu.nl/wais/html/na-dir/Solaris2/FAQ.html] Solaris 2 - Frequently Asked Questions (FAQ) 1.73 - - ------------------------------------------------------------------------------ -23.3.6.8. Sumitoma - -  * [http://playground.sun.com/pub/ipng/html/ipng-implementations.html# - Sumitomo] Sumitomo Electric has implemented IPv6 on Suminet 3700 family - routers - - ------------------------------------------------------------------------------ -23.3.6.9. ZebOS - -  * IpInfusion's [http://www.ipinfusion.com/products/server/ - products_server.html] ZebOS Server Routing Software - - ------------------------------------------------------------------------------ -23.3.7. IPv6 Security - -  * Internet Security Systems: Security Center, [http://www.iss.net/ - security_center/search.php?type=3&type=3&pattern=IPv6] X-Force Database - Search (21.12.2002 - 6 topics found relating to IPv6) - -  * [http://csrc.nist.gov/ipsec/] NIST IPsec Project ( National Institute of - Standards and Technology, NIST) - -  * [http://www.infosecuritymag.com/index.shtml] Information Security, [http: - //search.atomz.com/search/?sp-q=IPv6&sp-a=sp1000c0bf] Search for IPv6 - (21.12.2002 - 9 articles found) - -  * [http://neworder.box.sk/search.php3?srch=IPv6] NewOrder.box.sk (search - for IPv6) (Articles, exploits, files database etc.) - - ------------------------------------------------------------------------------ -23.3.8. Application lists - -  * [http://www.ipv6.org/v6-apps.html] IPv6.org / IPv6 enabled applications - -  * [http://freshmeat.net/search/?q=IPv6] Freshmeat / IPv6 search, currently - (14 Dec 2002) 62 projects - -  * IPv6 Forum: [http://www.ipv6forum.com/navbar/links/v6routerlist.htm] IPv6 - Router List - - ------------------------------------------------------------------------------ -23.3.8.1. 
Analyzer tools - -  * [http://ethereal.planetmirror.com/] Ethereal - Ethereal is a free network - protocol analyzer for Unix and Windows - -  * [http://www.ip6.com/us/analyzer.htm] Radcom RC100-WL - Download Radcom - RC100-WL protocol analyzer version 3.20 - - ------------------------------------------------------------------------------ -23.3.8.2. IPv6 Products - -  * [http://www.6wind.com/] 6wind - solutions for IPv4/IPv6 Router, QoS, - Multicast, Mobility, Security/VPN/Firewall. - -  * [http://www.fefe.de/dns/] Fefe's patches for IPv6 with djbdnsAug 2002 -- - What is djbdns and why does it need IPv6? djbdns is a full blown DNS - server which outperforms BIND in nearly all respects. - -  * [http://www.v6.hitachi.co.jp/] Hitachi, Ltd. IPv6 Home PageIPv6 Products - GR2000 - IPv6 router; Toolnet6 - Protocol Exchange software for IPv6. - -  * [http://www.ipinfusion.com/products/server/products_server.html] ZebOS - Server Routing Suite - -  * [http://download.com.com/3000-2165-10153543.html?tag=lst-0-21] SPA Mail - Server 2.21 - -  * [http://download.com.com/3000-2165-8202652.html?tag=lst-0-2] Inframail - (Advantage Server Edition) 4.0 - -  * [http://download.com.com/3000-2377-10149393.html?tag=lst-0-1] HTTrack - Website Copier 3.2 - -  * [http://download.com.com/3000-2085-10132748.html?tag=lst-0-1] CommView - 3.4 - -  * [http://download.com.com/3000-2104-10149750.html?tag=lst-0-1] Posadis - 0.50.6 - -  * [http://download.com.com/3000-2070-10132771.html?tag=lst-0-1] Xceed - Winsock Library 1.2 - -  * [http://download.com.com/300-2085-10132748.html?tag=lst-0-1] CommView 3.4 - -  * [ftp://ftp.porcupine.org/pub/ipv6/] TCP Wrapper (IPv6 aware) - - ------------------------------------------------------------------------------ -23.3.8.3. SNMP - -  * [http://www.cs.uu.nl/wais/html/na-dir/snmp-faq/part1.html] - comp.protocpols.snmp SNMP FAQ Part 1 of 2 - - ------------------------------------------------------------------------------ -23.4. IPv6 Infrastructure - -23.4.1. 
Statistics - -  * [http://www.space.net/~gert/RIPE/] IPv6 routing table history created by - Gert Döring, [http://www.space.net/] Space.Net - -  * Usage Statistics for [http://ftp2.no.netbsd.org/statistics/webalizer/ - www6.vermicelli.pasta.cs.uit.no/] www6.vermicelli.pasta.cs.uit.no (last - 12 months) - -  * [http://6bone.informatik.uni-leipzig.de/ipv6/stats/stats.php3] Official - 6bone Webserver list Statisic - -  * [http://www.ripe.net/ripe/meetings/archive/ripe-42/presentations/ - ripe42-ipv6-survey/sld001.html] IPv6 Allocation Data & Survey Results, - IPv6 WG, Ripe 42, Ripe NCC - - ------------------------------------------------------------------------------ -23.4.2. Internet Exchanges - -Another list of IPv6 Internet Exchanges can be found here: [http:// -www.v6nap.net/] IPv6 Exchanges Web Site or [http://www.euro-ix.net/isp/ -choosing/search/matrix.php] IPv6 status of IXPs in Europe ------------------------------------------------------------------------------ - -23.4.2.1. Estonia - -  * [http://tix.estpak.ee/] TIX (tallinn interneti exchange with ipv6 - support) - - ------------------------------------------------------------------------------ -23.4.2.2. Europe - -  * [http://www.euro6ix.net/] Euro6IX, European IPv6 Internet Exchange - Backbone - - ------------------------------------------------------------------------------ -23.4.2.3. France - -  * [http://www.fnix6.net/] French National Internet Exchange IPv6 (since - 1.11.2002 active). FNIX6 provides a free and reliable high speed - FastEthernet interconnection between ISP located in TeleCity Paris. - - ------------------------------------------------------------------------------ -23.4.2.4. Germany - -  * [http://www.inxs.de/] INXS: (Cable & Wireless) Munich and Hamburg - - ------------------------------------------------------------------------------ -23.4.2.5. 
Japan - -  * [http://www.wide.ad.jp/nspixp6/] NSPIXP-6: IPv6-based Internet Exchange - in Tokyo - -  * [http://www.jpix.co.jp/] JPIX, Tokyo - - ------------------------------------------------------------------------------ -23.4.2.6. Korea - -  * [http://www.ngix.ne.kr/] 6NGIX - - ------------------------------------------------------------------------------ -23.4.2.7. Netherlands - -  * [http://www.ams-ix.net/home.html] AMS-IX: Amsterdam Internet Exchange - - ------------------------------------------------------------------------------ -23.4.2.8. UK - -  * [http://www.uk6x.com/] UK6X: London - -  * [http://www.xchangepoint.net/] XchangePoint: London - - ------------------------------------------------------------------------------ -23.4.2.9. USA - -  * [http://www.6tap.net] 6TAP: Chicago. Supports peerings around the globe. - -  * [http://www.ny6ix.net/] NY6IX: New York City IPv6 based Internet Exchange - -  * [http://www.6iix.net/] 6IIX: New York, Los Angeles and Santa Clara - -  * [http://www.paix.net/] PAIX: Palo Alto - - ------------------------------------------------------------------------------ -23.4.3. Tunnel broker - -See also: [http://www.deepspace6.net/docs/tunnelbrokers.html] http:// -www.deepspace6.net/docs/tunnelbrokers.html ------------------------------------------------------------------------------ - -23.4.3.1. Belgium - -  * [http://tunnel.be.wanadoo.com/] Wanadoo - - ------------------------------------------------------------------------------ -23.4.3.2. Canada - -  * [http://www.freenet6.net/] Freenet6 - /48 Delegation, Canada [http:// - www.linuxjournal.com/article.php?sid=5963&mode=thread&order=0] Getting - IPv6 Using Freenet6 on Debian [http://www.viagenie.qc.ca/en/index.shtml] - Freenet6 creater - - ------------------------------------------------------------------------------ -23.4.3.3. China - -  * [http://tb.6test.edu.cn/] CERNET-Nokia - - ------------------------------------------------------------------------------ -23.4.3.4. 
Estonia - -  * [http://tunnelbroker.ipv6.estpak.ee/?tunnel&PHPSESSID= - aa2184190cc2cc6d3a6f6ddd01ae3635] Estpak - - ------------------------------------------------------------------------------ -23.4.3.5. Europe - -  * [http://www.xs26.net/] XS26 Distributed Tunnel Broker, USA & Europe - - ------------------------------------------------------------------------------ -23.4.3.6. Germany - -  * [http://www.join.uni-muenster.de/welcome-e.html] JOIN, University of - Münster - -  * [http://joshua.informatik.uni-leipzig.de/] Tunnelbroker Leipzig, Germany - - DialupUsers with dynamic IP's can get a fix IPv6 IP... [http:// - tunnel.ipv6-net.de/] JOIN, Tunnelbroker Leipzig, (currently offline ?) - [http://tunnel.ipv6-net.de/] Das offizielle IPv6 Forum, Leipziger - Tunnelbroker [http://aopteryx.informatik.uni-leipzig.de:8000/live.mp3] - Experimental Live IPv6 Stream! [http://6bone.informatik.uni-leipzig.de/] - 6bone Knoten Leipzig [http://www.mail-archive.com/ipv6@uni-muenster.de/ - msg00056.html] Info bez. Hackangriff (2001) [http:// - bbackbone.informatik.uni-leipzig.de/] Tunnelbroker for JOIN. This tunnel - broker is only available for students and staff members of colleges and - universities - -  * [http://fix.ipv6.berkom.de/cgi-bin/tb.pl] Berkom - - ------------------------------------------------------------------------------ -23.4.3.7. Italy - -  * [https://carmen.cselt.it/ipv6tb/] Centro Studi e Laboratory - Telecomunicazioni ( [http://carmen.cselt.it/cgi-bin/download.pl?pkg= - TunnelBroker] Downloadpage: TunnelBroker Version 2.1.) 
IPv6 Tunnel - Broker: [http://carmen.cselt.it/ipv6/tools/ipv6tb/Installing-ipv6tb.html] - Installation instructions - -  * [http://www.6bone.it/] EdisonTel - -  * [http://www.comv6.com/] Comv6 - -  * [http://www.bersafe.it] Bersafe (Italian language) - -  * [http://carmen.ipv6.tilab.com/] Telecom Italia LAB ([http:// - carmen.ipv6.tilab.com/cgi-bin/download.pl?pkg=TunnelBroker] Tunnelbroker - Software Downloadpage) - - ------------------------------------------------------------------------------ -23.4.3.8. Japan - -  * [http://www.iij.ad.jp/en/IPv6/] Internet Initiative Japan ([http:// - www.iij.ad.jp/IPv6/] Japanese language) - with IPv6 native line service - and IPv6 tunneling Service - - ------------------------------------------------------------------------------ -23.4.3.9. Malaysia - -  * [http://tbroker.manis.net.my/] Manis - - ------------------------------------------------------------------------------ -23.4.3.10. Netherlands - -  * [http://www.xs26.net/] XS26 - "Access to Six" - with POPs in Slovak - Republic, Czech Republic, Netherlands, Germany and Hungary. - -  * [http://www.ipng.nl/] IPng Netherland - Intouch, SurfNet, AMS-IX, UUNet, - Cistron, RIPE NCC and AT&T are connected at the AMS-IX. It is possible - (there are requirements...) to get an static tunnel. - -  * [http://www.ipv6.surfnet.nl/] SURFnet Customers - - ------------------------------------------------------------------------------ -23.4.3.11. Norway - -  * [http://www.uninett.no/testnett/index.en.html] UNINETT - Pilot IPv6 - Service (for Customers): tunnelbroker & address allocation [http:// - tunnelbroker.uninett.no] UNINETT's Tunnel Broker (link correct, but - inavailable - 23.12.2002) [http://www.guruz.de/Uninett-Autoupdate-HOWTO] - Uninett-Autoupdate-HOWTO - - ------------------------------------------------------------------------------ -23.4.3.12. 
Spain - -  * [http://tb.consulintel.euro6ix.org/] Consulintel - - ------------------------------------------------------------------------------ -23.4.3.13. Switzerland - -  * [http://tunnelbroker.as8758.net/] Tunnelbroker AS8758, Dolphins Network - Systems (since 20.12.2002 online) - - ------------------------------------------------------------------------------ -23.4.3.14. UK - -  * [http://www.uk.v6.ntt.net/] NTT Europe, [http://www.nttv6.net/] NTT, - United Kingdom - IPv6 Trial. IPv4 Tunnel and native IPv6 leased Line - connections. POPs are located in London, UK Dusseldorf, Germany New - Jersey, USA (East Coast) Cupertino, USA (West Coast) Tokyo, Japan - -  * [https://tb.ipv6.btexact.com/] BtexacT IPv6 Tunnel Broker Service - -  * [http://ipng.org.uk/] IPNG-UK - - ------------------------------------------------------------------------------ -23.4.3.15. USA - -  * [http://www.es.net/hypertext/welcome/pr/ipv6.html] ESnet, USA - Energy - Sciences Network: Tunnel Registry & Address Delegation for directly - connected ESnet sites and ESnet collaborators. - -  * [http://www.6ren.net/] 6REN, USA - The 6ren initiative is being - coordinated by the Energy Sciences Network (ESnet), the network for the - Energy Research program of the US Dept. of Energy, located at the - University of California's Lawrence Berkeley National Laboratory. 
- -  * [http://www.xs26.net/] XS26 Distributed Tunnel Broker, USA & Europe - -  * [http://ipv6tb.he.net/] Hurricane Electric, US backbone; [http:// - tunnelbroker.net/] Hurrican Electric Tunnelbroker (also available under - [http://tunnelbroker.com/] http://tunnelbroker.com/) Press Release: - [http://www.he.net/releases/release6.html] Hurricane Electric Upgrades - IPv6 Tunnel Broker [http://ipv6.he.net/tunnelbroker-update.php] Tunnel - Broker Endpoint Autoupdate, Perl Script - -  * [http://www6.mondoservices.net/] Mondo Services - -  * [http://www.dhis.org/atncp/] DHIS Dynamic Tunnel, Dynamic Host - Information System, University of Bradford - - ------------------------------------------------------------------------------ -23.4.3.16. Singapore - -  * [http://tunnel-broker.singnet.com.sg/] http:// - tunnel-broker.singnet.com.sg/, with NAT and IPsec option - - ------------------------------------------------------------------------------ -23.4.3.17. More Tunnel brokers... - -  * [http://www.kfu.com/~nsayer/6to4/] Public 6to4 relay routers (MS IIE - boycott!) - - ------------------------------------------------------------------------------ -23.4.4. Native IPv6 Services - -Note: These services are only available with a valid IPv6 connection! ------------------------------------------------------------------------------ - -23.4.4.1. Game Server - -  * [http://www.viagenie.qc.ca/en/ipv6/quake2/ipv6-quake2.shtml] Quake2 over - IPv6 - - ------------------------------------------------------------------------------ -23.4.4.2. IRC Server - -  * [http://ipv6.cyconet.org/?id=server] Cyconet (Cyconet IRCnet Servers over - IPv6) - - ------------------------------------------------------------------------------ -23.4.4.3. Radio Stations, Music Streams - -  * [http://aopteryx.informatik.uni-leipzig.de:8000/live.mp3] Experimental - Live IPv6 Stream!, University of Leipzig, Germany - - ------------------------------------------------------------------------------ -23.4.4.4. 
Webserver - -  * [http://www.ipv6.bieringer.de/] Peter Bieringer's Home of Linux IPv6 - HOWTO - - -Something missing? Suggestions are welcome! ------------------------------------------------------------------------------ - -23.5. Maillists - -Lists of maillists are available at: - -  * [http://www.join.uni-muenster.de/JOIN/ipv6/texte-englisch/ - ipv6.infoquellen.html] JOIN Project / List of IPv6-related maillists - -  * [http://www.deepspace6.net/sections/lists.html] DeepSpace6 / Mailling - Lists - - -Major Mailinglists are listed in following table: - -. - -+--------------+-----------------------+-----------+-----------------------+-----------+---------------------------+ -| Focus |Request e-mail address | What to |Maillist e-mail address| Language | Access through WWW | -| | | subscribe | | | | -+--------------+-----------------------+-----------+-----------------------+-----------+---------------------------+ -| Linux kernel | majordomo (at) | netdev |netdev (at) oss.sgi.com| English | [http://oss.sgi.com/ | -| networking | oss.sgi.com | | | | projects/netdev/archive/] | -|including IPv6| | | | | Archive | -+--------------+-----------------------+-----------+-----------------------+-----------+---------------------------+ -|Linux and IPv6| majordomo (at) |linux-ipv6 | linux-ipv6 (at) | English | | -|in general (1)| list.f00f.org | | list.f00f.org | | | -| | | | (moderated) | | | -+--------------+-----------------------+-----------+-----------------------+-----------+---------------------------+ -| Linux | Web-based, see URL | | project6 (at) | English | [http:// | -|implementation| | | ferrara.linux.it | |project6.ferrara.linux.it/ | -| of the IPv6 | | | | |sections/lists.html] Info, | -| protocol | | | | | [http:// | -| | | | | | mailman.ferrara.linux.it/ | -| | | | | | listinfo/project6] | -| | | | | | Subscription | -+--------------+-----------------------+-----------+-----------------------+-----------+---------------------------+ -|Mobile IP(v6) | 
majordomo (at) | mipl | mipl (at) | English | [http:// | -| for Linux |list.mipl.mediapoli.com| |list.mipl.mediapoli.com| | www.mipl.mediapoli.com/ | -| | | | | | mailinglist.html] Info, | -| | | | | | [http:// | -| | | | | | www.mipl.mediapoli.com/ | -| | | | | | mail-archive/] Archive | -+--------------+-----------------------+-----------+-----------------------+-----------+---------------------------+ -| Linux IPv6 | usagi-users-ctl (at) | | usagi-users (at) | English |[http://www.linux-ipv6.org/| -| users using | linux-ipv6.org | | linux-ipv6.org | |ml/index.html#usagi-users] | -| USAGI | | | | | Info / Search, [http:// | -| extension | | | | | www.linux-ipv6.org/ml/ | -| | | | | | usagi-users/] Archive | -+--------------+-----------------------+-----------+-----------------------+-----------+---------------------------+ -|IPv6 on Debian| Web-based, see URL | | debian-ipv6 (at) | English | [http://lists.debian.org/ | -| Linux | | | lists.debian.org | | debian-ipv6/] Info/ | -| | | | | | Subscription/Archive | -+--------------+-----------------------+-----------+-----------------------+-----------+---------------------------+ -|IPv6/6bone in | majordomo (at) | ipv6 | ipv6 (at) | German/ | [http:// | -| Germany | atlan.uni-muenster.de | | uni-muenster.de | English | www.join.uni-muenster.de/ | -| | | | | | JOIN/ipv6/texte-englisch/ | -| | | | | | mailingliste.html] Info, | -| | | | | | [http:// | -| | | | | | www.join.uni-muenster.de/ | -| | | | | | local/majordomo/ipv6/] | -| | | | | | Archive | -+--------------+-----------------------+-----------+-----------------------+-----------+---------------------------+ -| 6bone |majordomo (at) isi.edu | 6bone | 6bone (at) isi.edu | English | [http://www.6bone.net/ | -| | | | | | 6bone_email.html] Info, | -| | | | | | [http://mailman.isi.edu/ | -| | | | | | pipermail/6bone/] Archive | -+--------------+-----------------------+-----------+-----------------------+-----------+---------------------------+ -| IPv6 | majordomo 
(at) | ipng | ipng (at) | English |[http://playground.sun.com/| -| discussions | sunroof.eng.sun.com | | sunroof.eng.sun.com | | pub/ipng/html/ | -| | | | | | instructions.html] Info, | -| | | | | |[ftp://playground.sun.com/ | -| | | | | | pub/ipng/mail-archive/] | -| | | | | | Archive, [http:// | -| | | | | |www.wcug.wwu.edu/lists/ipng| -| | | | | | /] Mirror of archive | -+--------------+-----------------------+-----------+-----------------------+-----------+---------------------------+ -|IPv6 users in |majordomo (at) ipv6.org| users | users (at) ipv6.org | English | [http://www.ipv6.org/ | -| general | | | | | mailing-lists.html] Info, | -| | | | | | [http://news.gmane.org/ | -| | | | | | thread.php?group= | -| | | | | |gmane.network.ipv6.general]| -| | | | | | Archive | -+--------------+-----------------------+-----------+-----------------------+-----------+---------------------------+ -|Bugtracking of|bugtraq-subscribe (at) | | bugtraq (at) | English | [http:// | -| Internet | securityfocus.com | | securityfocus.com | | online.securityfocus.com/ | -| applications | | | (moderated) | | popups/forums/bugtraq/ | -| (2) | | | | |intro.shtml] Info, [http://| -| | | | | | online.securityfocus.com/ | -| | | | | | archive/1] Archive | -+--------------+-----------------------+-----------+-----------------------+-----------+---------------------------+ -| IPv6 in | Web-based, see URL | | ipv6 (at) ipng.nl | English | [http://mailman.ipng.nl/ | -| general | | | | | mailman/listinfo/ipv6/] | -| | | | | |Info/Subscription, [http://| -| | | | | |mailman.ipng.nl/pipermail/ | -| | | | | | ipv6/] Archive | -+--------------+-----------------------+-----------+-----------------------+-----------+---------------------------+ -|majordomo (at)| majordomo (at) | ipv6 | ipv6 (at) mfa.eti.br |Portuguese |[http://www.marcelo.pro.br/| -| mfa.eti.br | mfa.eti.br | | | |mailman/listinfo/ipv6] Info| 
-+--------------+-----------------------+-----------+-----------------------+-----------+---------------------------+ - -(1) recommended for common Linux & IPv6 issues. - -(2) very recommended if you provide server applications. - -Something missing? Suggestions are welcome! - -Following other maillinglists & newsgroups are available via web: - -  * [http://www.tile.net/lists/showlists.php?list_id=35905] ipv6 (France) - Description: ipv6 Cette liste existe pour discuter en francais de IP - version 6. Elle s'adresse aux personnes desirant demarer des aujourd'hui - des tests IPv6. Ce n'est en aucun cas un substitut des listes de l'IETF. - Pour de plus amples informations: [http://www.urec.fr/IPng] http:// - www.urec.fr/IPng - -  * [http://www.ipv6.uni-leipzig.de/~6bone/tb/maillist.html] Tunnelbroker - Maillingliste (Germany) - -  * [http://www.tile.net/lists/showlists.php?list_id=36611] ipv6 (Hungary) - Description: ipv6 Az IPv6 protokoll listaja Konfiguracios es - adminisztracios kerdesek az IPv6-al kapcsolatban. 
[http:// - www.ipv6.fsz.bme.hu/mlists/ipv6/ipv6.html] (Archivum) - -  * [http://groups.yahoo.com/group/student-ipv6] student-ipv6 (India) - Description: This is the group for the Student Awareness group of IPv6 in - India - -  * [http://www.lsoft.com/scripts/wl.exe?SL1=IPV6-CNR&H=LISTSERV.CNR.IT] - IPV6-CNR@LISTSERV.CNR.IT (Italy) Description: Gruppo di interesse IPv6 - del CNR - -  * [http://www.tile.net/lists/showlists.php?list_id=14761] ipv6-jp (Japan) - -  * [http://www.tile.net/lists/showlists.php?list_id=37305] ipv6 (Japan) - -  * [http://www.lsoft.com/scripts/wl.exe?SL1=IPV6&H=LISTS.UTWENTE.NL] - IPV6@LISTS.UTWENTE.NL (Netherlands) Description: IPv6 overleg - -  * [http://www.lsoft.com/scripts/wl.exe?SL1=IPV6&H=NIC.SURFNET.NL] - IPV6@NIC.SURFNET.NL (Netherlands) Description: AMS-IX list for IPv6 - related matters - -  * [http://groups.yahoo.com/group/sun-ipv6-users] sun-ipv6-users - Description: Please report problems/suggestions regarding SUN - Microsystems IPng implementation - -  * [http://groups.yahoo.com/group/IPv6-BITS] IPv6-BITS Description: This - List will co-ordinate the working of Project Vertebrae. - -  * [http://www.tile.net/lists/showlists.php?list_id=23220] openbsd-ipv6 - -  * [http://www.tile.net/lists/showlists.php?list_id=35203] IPv6 Description: - This mailing list is for technical discussion of the possibilities of - ipv6/ipsec WRT OpenBSD. - -  * [http://groups.yahoo.com/group/linux-bangalore-ipv6] linux-bangalore-ipv6 - Description: The IPv6 deployment list of the Bangalore Linux User Group - -  * [http://www.tile.net/lists/showlists.php?list_id=32034] gab Description: - The intent is to discuss geographic addressing plans for IPv6. - -  * [http://www.tile.net/lists/showlists.php?list_id=37430] ipv6-bsd-user - Description: This mailing list is about the INRIA/IMAG IPv6 - implementation. Cette liste de discussion est au sujet de - l'implementation INRIA/IMAG IPv6. Elle est bilingue Francais/Anglais. 
The - mailing list is biligual, French & English. If you wish to contact the - implementors, try ipv6-bsd-core@imag.fr Si vous voulez contacter les - implementeurs, essayez ipv6-bsd-core@imag.fr - -  * [http://www.tile.net/lists/showlists.php?list_id=41375] gated-ipv6 - -  * [http://groups.yahoo.com/group/packet-switching] packet-switching - Description: This mailing list provides a forum for discussion of packet - switching theory, technology, implementation and application in any - relevant aspect including without limitation LAPB, X.25, SDLC, P802.1d, - LLC, IP, IPv6, IPX, DECNET, APPLETALK, FR, PPP, IP Telephony, LAN PBX - systems, management protocols like SNMP, e-mail, network transparent - window systems, protocol implementation, protocol verification, - conformance testing and tools used in maintaining or developing packet - switching systems. - -  * [http://groups.yahoo.com/group/mumbaiinternetgroup] mumbaiinternetgroup - Description: This Forum will discuss current issues & developments in the - field of Internet In Asia Pacific region.. This will cover discussion - on..IPv4, IPv6, Multilingual DNS, Autonomous System Numbers, Internet - Governence & Much more.... 
- -  * de.comm.protocols.tcp-ip Description: Umstellung auf IPv6 Source: [http:/ - /www.faqs.org/faqs/de-newsgroups/chartas/index.html] Chartas der - Newsgruppen in de.* - -  * [http://ipv6.he.net/forum/] Hurricane Electric IPv6 Forum - -  * Google Group: [http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF8 - &safe=off&group=comp.protocols.tcp-ip] comp.protocols.tcp-ip - -  * Google Group: [http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF8 - &safe=off&group=linux.debian.maint.ipv6] linux.debian.maint.ipv6 - -  * Google Group: [http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF8 - &safe=off&group=microsoft.public.platformsdk.networking.ipv6] - microsoft.public.platformsdk.networking.ipv6 - -  * Google Group: [http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF8 - &safe=off&group=fa.openbsd.ipv6] fa.openbsd.ipv6 - - ------------------------------------------------------------------------------ -23.6. Online tools - -23.6.1. Testing tools - -  * finger, nslookup, ping, traceroute, whois: [http:// - www.cs-ipv6.lancs.ac.uk/ipv6/testing/] UK IPv6 Resource Centre / The test - page - -  * ping, traceroute, tracepath, 6bone registry, DNS: [http:// - www.join.uni-muenster.de/lab/testtools.html] JOIN / Testtools (German - language only, but should be no problem for non German speakers) - -  * traceroute6, whois: [http://www.ipng.nl/] IPng.nl - -  * AAAA Lookup Checker [http://www.cnri.dit.ie/cgi-bin/check_aaaa.pl] http:/ - /www.cnri.dit.ie/cgi-bin/check_aaaa.pl - - ------------------------------------------------------------------------------ -23.6.2. Information retrievement - -  * [http://www.kessens.com/~david/6bone/] 6BONE Registry - -  * [http://www.dfn.de/service/ipv6/ipv6aggis.html] List of worldwide all - IPv6-aggregated IP-Blocks (daily update) [http://www.ripe.net/ripencc/ - mem-services/registration/ipv6/ipv6allocs.html] same service from Ripe - - ------------------------------------------------------------------------------ -23.6.3. 
IPv6 Looking Glasses - -  * [http://lookingglass.imag.fr/] IMAG, France - -  * [http://linux.uninet.edu/lg/] IPv6 Looking Glass at SURRIEL - -  * [http://www.jp.apan.net/cgi-bin/ipv6/mrlg] APAN, Japan (APAN-JP) - -  * [http://www.v6.dren.net/lg/] DRENv6 Looking Glass - - ------------------------------------------------------------------------------ -23.6.4. Helper applications - -  * [http://www.tdoi.org/prefcalc.php] IPv6 Prefix Calculator by [http:// - www.tdoi.org/] TDOI - -  * [http://www.maths.tcd.ie/cgi-bin/check_dns.pl] DNS record checker - - ------------------------------------------------------------------------------ -23.7. Trainings, Seminars - -  * [http://www.aerasec.de/workshops/ipv6.html] IPv6 Training and Workshop, - AERAsec, Germany (German language only at this time) - -  * [http://www.seminarinformation.com/wconnect/wc.dll?sis~details0~194045] - Migrating to IPv6, Learning Tree International - -  * [http://www.e-trainonline.com/html/ciw_internetworking_profession.html# - IPv6] CIW Internetworking Professional Training CBT CD - -  * [http://www.trainingpages.net/x/category.html?kw=125] Training Pages, - U.K. - Search for IPv6 (13 Courses, 22.12.2002) - - -Something missing? Suggestions are welcome! ------------------------------------------------------------------------------ - -23.8. 'The Online Discovery' ... - -[http://www.amazon.com/exec/obidos/tg/detail/-/B00006334Y/copernicshopper/ -103-1420916-1341420] IPv6: Addressing The Needs Of the Future [DOWNLOAD: PDF] -by Yankee Group (Author) List Price: $595.00 Edition: e-book (Acrobat Reader) -Pages: 3 (three) Publisher: MarketResearch.com; ISBN B00006334Y; (November 1, -2001) - diff --git a/LDP/guide/docbook/Linux-Networking/Linux-Networking.xml b/LDP/guide/docbook/Linux-Networking/Linux-Networking.xml index 9f22fbae..7fd4b2f5 100644 --- a/LDP/guide/docbook/Linux-Networking/Linux-Networking.xml +++ b/LDP/guide/docbook/Linux-Networking/Linux-Networking.xml 
@@ -16,7 +16,7 @@ -Linux Networking +Linux Networking Study Guide Version 0.05 2004-10-02 @@ -41,10 +41,14 @@ tendency of people to dislike change. Hence, this document will cover the theory computer networking, as well as its use and implementation under Linux which is one of the more popular derivatives of Unix. It is meant to be distribution-independant and to be accessible to all members of the Linux community. However, a working knowledge of Linux as -well as its CLI (Command Line Interface) is assumed. Please note that little consideration -towards security is made. For such issues please consult other pieces of documentation such -as those made available at the Linux Documentation Project, -http://www.tldp.org. +well as its CLI (Command Line Interface) is assumed. Please note that this guide is not +meant to be an all encompassing guide of networking under Linux and that little consideration +towards security is made. It was only designed to provide an overview of this subject and + + +For such issues please consult other pieces of documentation such +as those made available at the Linux Documentation Project, +http://www.tldp.org. diff --git a/LDP/guide/docbook/Linux-Networking/Web-Serving.xml b/LDP/guide/docbook/Linux-Networking/Web-Serving.xml index 4fd8aa06..5914e480 100644 --- a/LDP/guide/docbook/Linux-Networking/Web-Serving.xml +++ b/LDP/guide/docbook/Linux-Networking/Web-Serving.xml @@ -10,7 +10,9 @@ the Internet to its current level. In the simplest case, a Web client Web server using a simple request/response protocol called HTTP (Hypertext Transfer Protocol), and requests HTML (Hypertext Markup Language) pages, images, Flash and other objects. + + In mode modern situations, the Web server can also geneate pages dynamically based on information returned from the user. Either way setting up your own Web server is extremely simple. There are many 
@@ -19,7 +21,9 @@ such as Apache, and are perfect for small and large sites alike. Other servers programmed to be light and fast, and to have only a limited feature set to reduce complexity. A search on freshmeat.net will reveal a multitude of servers. + + Most Linux distributions include Apache . Apache is the number one server on the internet according to http://www.netcraft.co.uk/survey/ . More than a half of all internet @@ -28,29 +32,27 @@ include its modular design, stability and speed. Given the appropriate hardware and configuration it can support the highest loads: Yahoo, Altavista, GeoCities, and Hotmail are based on customized versions of this server. + + Optional support for SSL (which enables secure transactions) is also available at: + · http://www.apache-ssl.org/ · http://raven.covalent.net/ · http://www.c2.net/ - Related HOWTOs: - - · http://metalab.unc.edu/mdw/HOWTO/WWW-HOWTO.html - · http://metalab.unc.edu/mdw/HOWTO/Virtual-Services-HOWTO.html - · http://metalab.unc.edu/mdw/HOWTO/Intranet-Server-HOWTO.html - · Web servers for Linux - - Dynamic Web content generation + Web scripting languages are even more common on Linux than databases - basically, every language is available. This includes CGI, PHP 3 and 4, Perl, JSP, ASP (via closed source applications from Chill!soft and Halycon Software) and ColdFusion. + + PHP is an open source scripting language designed to churn out dynamically produced Web content ranging from databases to browsers. This inludes not only HTML, but also graphics, Macromedia Flash and 
@@ -63,2490 +65,12 @@ languages, developers (or those that employ them) can add their own functions into the source to improve it. Supported databases include those in the Database serving section and most ODBC compliant databases. The language itself borrows its structure from Perl and C. - -A number of web browsers exist for the Linux platform. Netscape -Navigator has been one of the choices from the very beginning and the -upcoming Mozilla (http://www.mozilla.org) will have a Linux version. -Another popular text based web browser is lynx. It is fast and handy -when no graphical environment is available. - - · Browser software for Linux - - · http://metalab.unc.edu/mdw/HOWTO/mini/Public-Web-Browser.html - -Web browsers and servers speak an application protocol that runs on -top of TCP/IP, using it simply as a way to pass strings of bytes back -and forth. This protocol is called HTTP (Hyper-Text Transfer Protocol) -and we've already seen one command in it ?? the GET shown above. - -When the GET command goes to www.tldp.org's webserver with service number 80, -it will be dispatched to a server daemon listening on port 80. Most Internet -services are implemented by server daemons that do nothing but wait on ports, -watching for and executing incoming commands. - -If the design of the Internet has one overall rule, it's that all the parts -should be as simple and human-accessible as possible. HTTP, and its relatives -(like the Simple Mail Transfer Protocol, SMTP, that is used to move -electronic mail between hosts) tend to use simple printable-text commands -that end with a carriage-return/line feed. - -This is marginally inefficient; in some circumstances you could get more -speed by using a tightly-coded binary protocol. But experience has shown that -the benefits of having commands be easy for human beings to describe and -understand outweigh any marginal gain in efficiency that you might get at the -cost of making things tricky and opaque. 
- -Therefore, what the server daemon ships back to you via TCP/IP is also text. -The beginning of the response will look something like this (a few headers -have been suppressed): -HTTP/1.1 200 OK -Date: Sat, 10 Oct 1998 18:43:35 GMT -Server: Apache/1.2.6 Red Hat -Last-Modified: Thu, 27 Aug 1998 17:55:15 GMT -Content-Length: 2982 -Content-Type: text/html - -These headers will be followed by a blank line and the text of the web page -(after which the connection is dropped). Your browser just displays that -page. The headers tell it how (in particular, the Content-Type header tells -it the returned data is really HTML). - Linux WWW HOWTO - by Wayne Leister, n3mtr@qis.net - v0.82, 19 November 1997 - - This document contains information about setting up WWW services under - Linux (both server and client). It tries not to be a in detail manual - but an overview and a good pointer to further information. - - Archived Document Notice: This document has been archived by the LDP - because it is severely out-of-date. If you are interested in - maintaining this document, contact The Linux Documentation Project. - ______________________________________________________________________ - - 1. Introduction - - - Many people are trying Linux because they are looking for a really - good Internet capable operating system. Also, there are institutes, - universities, non-profits, and small businesses which want to set up - Internet sites on a small budget. This is where the WWW-HOWTO comes - in. This document explains how to set up clients and servers for the - largest part of the Internet - The World Wide Web. - - All prices in this document are stated in US dollars. This document - assumes you are running Linux on an Intel platform. Instructions and - product availability my vary from platform to platform. There are - many links for downloading software in this document. Whenever - possible use a mirror site for faster downloading and to keep the load - down on the main server. 
- - The US government forbids US companies from exporting encryption - stronger than 40 bit in strength. Therefore US companies will usually - have two versions of software. The import version will usually - support 128 bit, and the export only 40 bit. This applies to web - browsers and servers supporting secure transactions. Another name for - secure transactions is Secure Sockets Layer (SSL). We will refer to - it as SSL for the rest of this document. - - - 1.1. Copyright - - This document is Copyright (c) 1997 by Wayne Leister. The original - author of this document was Peter Dreuw.(All versions prior to 0.8) - - - This HOWTO is free documentation; you can redistribute it - and/or modify it under the terms of the GNU General Public - License as published by the Free Software Foundation; either - version 2 of the License, or (at your option) any later ver­ - sion. - - - - This document is distributed in the hope that it will be - useful, but without any warranty; without even the implied - warranty of merchantability or fitness for a particular pur­ - pose. See the GNU General Public License for more details. - - - - You can obtain a copy of the GNU General Public License by - writing to the Free Software Foundation, Inc., 675 Mass Ave, - Cambridge, MA 02139, USA. - - - Trademarks are owned by there respective owners. - - - 1.2. Feedback - - Any feedback is welcome. I do not claim to be an expert. Some of - this information was taken from badly written web sites; there are - bound to be errors and omissions. But make sure you have the latest - version before you send corrections; It may be fixed in the next - version (see the next section for where to get the latest version). - Send feedback to n3mtr@qis.net. - - - 1.3. New versions of this Document - - New versions of this document can be retrieved in text format from - Sunsite at and - almost any Linux mirror site. You can view the latest HTML version on - the web at . 
There - are also HTML versions available on Sunsite in a tar archive. - - - 2. Setting up WWW client software - - The following chapter is dedicated to the setting up web browsers. - Please feel free to contact me, if your favorite web browser is not - mentioned here. In this version of the document only a few of the - browsers have there own section, but I tried to include all of them - (all I could find) in the overview section. In the future those - browsers that deserve there own section will have it. - - The overview section is designed to help you decide which browser to - use, and give you basic information on each browser. The detail - section is designed to help you install, configure, and maintain the - browser. - - Personally, I prefer the Netscape; it is the only browser that keeps - up with the latest things in HTML. For example, Frames, Java, - Javascript, style sheets, secure transactions, and layers. Nothing is - worse than trying to visit a web site and finding out that you can't - view it because your browser doesn't support some new feature. - - However I use Lynx when I don't feel like firing up the X- - windows/Netscape monster. - - - 2.1. Overview - - - ``Navigator/Communicator'' - Netscape Navigator is the only browser mentioned here, which is - capable of advanced HTML features. Some of these features are - frames, Java, Javascript, automatic update, and layers. It also - has news and mail capability. But it is a resource hog; it - takes up lots of CPU time and memory. It also sets up a - separate cache for each user wasting disk space. Netscape is a - commercial product. Companies have a 30 day trial period, but - there is no limit for individuals. I would encourage you to - register anyway to support Netscape in there efforts against - Microsoft (and what is a measly $40US). 
My guess is if - Microsoft wins, we will be forced to use MS Internet Explorer on - a Windows platform :( - - - ``Lynx'' - Lynx is the one of the smallest web browsers. It is the king of - text based browsers. It's free and the source code is available - under the GNU public license. It's text based, but it has many - special features. - - - Kfm - Kfm is part of the K Desktop Environment (KDE). KDE is a system - that runs on top of X-windows. It gives you many features like - drag an drop, sounds, a trashcan and a unified look and feel. - Kfm is the K File Manager, but it is also a web browser. Don't - be fooled by the name, for a young product it is very usable as - a web browser. It already supports frames, tables, ftp - downloads, looking into tar files, and more. The current - version of Kfm is 1.39, and it's free. Kfm can be used without - KDE, but you still need the librarys that come with KDE. For - more information about KDE and Kfm visit the KDE website at - . - - - ``Emacs'' - Emacs is the one program that does everything. It is a word - processor, news reader, mail reader, and web browser. It has a - steep learning curve at first, because you have to learn what - all the keys do. The X-windows version is easier to use, - because most of the functions are on menus. Another drawback is - that it's mostly text based. (It can display graphics if you are - running it under X-windows). It is also free, and the source - code is available under the GNU public license. - - - NCSA Mosaic - Mosaic is an X-windows browser developed by the National Center - for Supercomputing Applications (NCSA) at the University of - Illinois. NCSA spent four years on the project and has now - moved on to other things. The latest version is 2.6 which was - released on July 7, 1995. Source code is available for non- - commercial use. Spyglass Inc. has the - commercial rights to Mosaic. Its a solid X-windows browser, but - it lacks the new HTML features. 
For more info visit the NCSA - Mosaic home page at - . The software - can be downloaded from - . - - - Arena - Arena was a X-windows concept browser for the W3C (World Wide - Web Consortium) when they were testing HTML 3.0. Hence it - supports all the HTML 3.0 standards such as style sheets and - tables. Development was taken over by Yggdrasil Computing, with - the idea to turn it into a full fledge free X-windows browser. - However development has stopped in Feb 1997 with version 0.3.11. - Only part of the HTML 3.2 standard has been implemented. The - source code is released under the GNU public licence. For more - information see the web site at - . It can be - downloaded from . - - - Amaya - Amaya is the X-windows concept browser for the W3C for HTML 3.2. - Therefore it supports all the HTML 3.2 standards. It also - supports some of the features of HTML 4.0. It supports tables, - forms, client side image maps, put publishing, gifs, jpegs, and - png graphics. It is both a browser and authoring tool. The - latest public release is 1.0 beta. Version 1.1 beta is in - internal testing and is due out soon. For more information - visit the Amaya web site at . It can - be downloaded from . - - - Red Baron - Red Baron is an X-windows browser made by Red Hat Software. It - is bundled with The Official Red Hat Linux distribution. I - could not find much information on it, but I know it supports - frames, forms and SSL. If you use Red Baron, please help me - fill in this section. For more information visit the Red Hat - website at - - - Chimera - Chimera is a basic X-windows browser. It supports some of the - features of HTML 3.2. The latest release is 2.0 alpha 6 - released August 27, 1997. For more information visit the - Chimera website at . Chimera can - be downloaded from . - - - Qweb - Qweb is yet another basic X-windows browser. It supports - tables, forms, and server site image maps. The latest version - is 1.3. 
For more information visit the Qweb website at - The source is available from - The binaries are - available in a Red Hat RPM from - - - - Grail - Grail is an X-windows browser developed by the Corporation for - National Research Initiatives (CNRI). Grail is written entirely - in Python, a interpreted object-oriented language. The latest - version is 0.3 released on May 7, 1997. It supports forms, - bookmarks, history, frames, tables, and many HTML 3.2 things. - - - Internet Explorer - There are rumors, that Microsoft is going to port the Internet - Explorer to various Unix platforms - maybe Linux. If its true - they are taking their time doing it. If you know something more - reliable, please drop me an e-mail. - - - In my humble opinion most of the above software is unusable for - serious web browsing. I'm not trying to discredit the authors, I know - they worked very hard on these projects. Just think, if all of these - people had worked together on one project, maybe we would have a free - browser that would rival Netscape and Internet Explorer. - - In my opinion out of all of the broswers, Netscape and Lynx are the - best. The runners up would be Kfm, Emacs-W3 and Mosaic. - - - - 3. Lynx - - Lynx is one of the smaller (around 600 K executable) and faster web - browsers available. It does not eat up much bandwidth nor system - resources as it only deals with text displays. It can display on any - console, terminal or xterm. You will not need an X Windows system or - additional system memory to run this little browser. - - - 3.1. Where to get - - Both the Red Hat and Slackware distributions have Lynx in them. - Therefore I will not bore you with the details of compiling and - installing Lynx. - - The latest version is 2.7.1 and can be retrieved from - or from almost any friendly Linux FTP - server like ftp://sunsite.unc.edu under /pub/Linux/apps/www/broswers/ - or mirror site. 
- - For more information on Lynx try these locations: - - Lynx Links - - - Lynx Pages - - - Lynx Help Pages - - (the same pages you get from lynx --help and typing ? in lynx) - - Note: The Lynx help pages have recently moved. If you have an older - version of Lynx, you will need to change your lynx.cfg (in /usr/lib) - to point to the new address(above). - - I think the most special feature of Lynx against all other web - browsers is the capability for batch mode retrieval. One can write a - shell script which retrieves a document, file or anything like that - via http, FTP, gopher, WAIS, NNTP or file:// - url's and save it to - disk. Furthermore, one can fill in data into HTML forms in batch mode - by simply redirecting the standard input and using the -post_data - option. - - For more special features of Lynx just look at the help files and the - man pages. If you use a special feature of Lynx that you would like - to see added to this document, let me know. - - - - 4. Emacs-W3 - - There are several different flavors of Emacs. The two most popular - are GNU Emacs and XEmacs. GNU Emacs is put out by the Free Software - Foundation, and is the original Emacs. It is mainly geared toward - text based terminals, but it does run in X-Windows. XEmacs (formerly - Lucid Emacs) is a version that only runs on X-Windows. It has many - special features that are X-Windows related (better menus etc). - - - 4.1. Where to get - - - Both the Red Hat and Slackware distributions include GNU Emacs. - - The most recent GNU emacs is 19.34. It doesn't seem to have a web - site. The FTP site is at . - - The latest version of XEmacs is 20.2. The XEmacs FTP site is at - . For more information about XEmacs - goto see its web page at . - - Both are available from the Linux archives at ftp://sunsite.unc.edu - under /pub/Linux/apps/editors/emacs/ - - - If you got GNU Emacs or XEmacs installed, you probably got the W3 - browser running to. 
- - The Emacs W3 mode is a nearly fully featured web browser system - written in the Emacs Lisp system. It mostly deals with text, but can - display graphics, too - at least - if you run the emacs under the X - Window system. - - To get XEmacs in to W3 mode, goto the apps menu and select browse the - web. - - I don't use Emacs, so if someone will explain how to get it into the - W3 mode I'll add it to this document. Most of this information was - from the original author. If any information is incorrect, please let - me know. Also let me know if you think anything else should be added - about Emacs. - - - - 5. Netscape Navigator/Communicator - - - 5.1. Different versions and options. - - Netscape Navigator is the King of WWW browsers. Netscape Navigator - can do almost everything. But on the other hand, it is one of the most - memory hungry and resource eating program I've ever seen. - - There are 3 different versions of the program: - - Netscape Navigator includes the web browser, netcaster (push client) - and a basic mail program. - - Netscape Communicator includes the web browser, a web editor, an - advanced mail program, a news reader, netcaster (push client), and a - group conference utility. - - Netscape Communicator Pro includes everything Communicator has plus a - group calendar, IBM terminal emulation, and remote administration - features (administrators can update thousands of copies of Netscape - from their desk). - - In addition to the three versions there are two other options you must - pick. - - The first is full install or base install. The full install includes - everything. The base install includes enough to get you started. You - can download the additional components as you need them (such as - multimedia support and netcaster). These components can be installed - by the Netscape smart update utility (after installing goto - help->software updates). At this time the full install is not - available for Linux. 
- - The second option is import or export. If you are from the US are - Canada you have the option of selecting the import version. This - gives you the stronger 128 bit encryption for secure transactions - (SSL). The export version only has 40 bit encryption, and is the only - version allowed outside the US and Canada. - - The latest version of the Netscape Navigator/Communicator/Communicator - Pro is 4.03. There are two different versions for Linux. One is for - the old 1.2 series kernels and one for the new 2.0 kernels. If you - don't have a 2.0 kernel I suggest you upgrade; there are many - improvements in the new kernel. - - Beta versions are also available. If you try a beta version, they - usually expire in a month or so! - - - 5.2. Where to get - - - The best way to get Netscape software is to go through their web site - at . They have menu's to guide you - through the selection. When it ask for the Linux version, it is - referring to the kernel (most people should be using 2.0 by now). If - your not sure which version kernel you have run 'cat /proc/version'. - Going through the web site is the only way to get the import versions. - - If you want an export version you can download them directly from the - Netscape FTP servers. The FTP servers are also more up to date. For - example when I first wrote this the web interface did not have the - non-beta 4.03 for Linux yet, but it was on the FTP site. Here are the - links to the export Linux 2.0 versions: - - Netscape Navigator 4.03 is at - - - Netscape Communicator 4.03 for Linux 2.0 (kernel) is at - - - Communicator Pro 4.03 for Linux was not available at the time I wrote - this. - - These url's will change as new versions come out. If these links - break you can find them by fishing around at the FTP site - . - - These servers are heavily loaded at times. Its best to wait for off - peak hours or select a mirror site. Be prepared to wait, these - archives are large. 
Navigator is almost 8megs, and Communicator base - install is 10megs. - - - 5.3. Installing - - This section explains how to install version 4 of Netscape Navigator, - Communicator, and Communicator Pro. - - First unpack the archive to a temporary directory. Then run the ns- - install script (type ./ns-install). Then make a symbolic link from - the /usr/local/netscape/netscape binary to /usr/local/bin/netscape - (type ln -s /usr/local/netscape/netscape /usr/local/bin/netscape). - Finally set the system wide environment variable $MOZILLA_HOME to - /usr/local/netscape so Netscape can find its files. If you are using - bash for your shell edit your /etc/profile and add the lines: - - - - MOZILLA_HOME="/usr/local/netscape" - export MOZILLA_HOME - - - - After you have it installed the software can automatically update - itself with smart update. Just run Netscape as root and goto - help->software updates. If you only got the base install, you can - also install the Netscape components from there. - - Note: This will not remove any old versions of Netscape, you must - manually remove them by deleting the Netscape binary and Java class - file (for version 3). - - - - 6. Setting up WWW server systems - - This section contains information on different http server software - packages and additional server side tools like script languages for - CGI programs etc. There are several dozen web servers, I only covered - those that are fully functional. As some of these are commercial - products, I have no way of trying them. Most of the information in - the overview section was pieced together from various web sites. If - there is any incorrect or missing information please let me know. - - For a technical description on the http mechanism, take a look at the - RFC documents mentioned in the chapter "For further reading" of this - HOWTO. - - I prefer to use the Apache server. It has almost all the features you - would ever need and its free! 
I will admit that this section is - heavily biased toward Apache. I decided to concentrate my efforts on - the Apache section rather than spread it out over all the web servers. - I may cover other web servers in the future. - - - - 6.1. Overview - - - Cern httpd - This was the first web server. It was developed by the European - Laboratory for Particle Physics (CERN). CERN httpd is no longer - supported. The CERN httpd server is reported to have some ugly - bugs, to be quite slow and resource hungry. The latest version - is 3.0. For more information visit the CERN httpd home page at - . It is available for - download at - - (no it is not a typo, the extension is actually .tpz on the - site; probably should be .tgz) - - - NCSA HTTPd - The NCSA HTTPd server is the father to Apache (The development - split into two different servers). Therefore the setup files - are very similar. NCSA HTTPd is free and the source code is - available. This server not covered in this document, although - reading the Apache section may give you some help. The NCSA - server was once popular, but most people are replacing it with - Apache. Apache is a drop in replacement for the NCSA - server(same configuration files), and it fixes several - shortcomings of the NCSA server. NCSA HTTPd accounts for 4.9% - (and falling) of all web servers. (source September 1997 - Netcraft survey ). The latest - version is 1.5.2a. For more information see the NCSA website at - . - - - ``Apache'' - Apache is the king of all web servers. Apache and its source - code is free. Apache is modular, therefore it is easy to add - features. Apache is very flexible and has many, many features. - Apache and its derivatives makes up 44% of all web domains (50% - if you count all the derivatives). There are over 695,000 - Apache servers in operation (source November 1997 Netcraft - survey ). - - The official Apache is missing SSL, but there are two - derivatives that fill the gap. 
Stronghold is a commercial - product that is based on Apache. It retails for $995; an - economy version is available for $495 (based on an old version - of Apache). Stronghold is the number two secure server behind - Netscape (source C2 net - and Netcraft survey ). For - more information visit the Stronghold website at - . It was developed - outside the US, so it is available with 128 bit SSL everywhere. - - Apache-SSL is a free implementation of SSL, but it is not for - commercial use in the US (RSA has US patents on SSL technology). - It can be used for non-commercial use in the US if you link with - the free RSAREF library. For more information see the website - at . - - - Netscape Fast Track Server - Fast Track was developed by Netscape, but the Linux version is - put out by Caldera. The Caldera site lists it as Fast Track for - OpenLinux. I'm not sure if it only runs on Caldera OpenLinux or - if any Linux distribution will do (E-mail me if you have the - answer). Netscape servers account for 11.5% (and falling) of - all web servers (source September 1997 - ). The server sells for $295. - It is also included with the Caldera OpenLinux Standard - distribution which sells for $399 ($199.50 educational). The - web pages tell of a nice administration interface and a quick 10 - minute setup. The server has support for 40-bit SSL. To get - the full 128-bit SSL you need Netscape Enterprise Server. - Unfortunately that is not available for Linux :( The latest - version available for Linux is 2.0 (Version 3 is in beta, but - its not available for Linux yet). To buy a copy goto the - Caldera web site at - For - more information goto the Fast Track page at - - - - - WN WN has many features that make it attractive. First it is - smaller than the CERN, NCSA HTTPd, an Apache servers. It also - has many built-in features that would require CGI's. For - example site searches, enhanced server side includes. 
It can - also decompress/compress files on the fly with its filter - feature. It also has the ability to retrieve only part of a - file with its ranges feature. It is released under the GNU - public license. The current version is 1.18.3. For more - information see the WN website at . - - - AOLserver - AOLserver is made by America Online. I'll admit that I was - surprised by the features of a web server coming from AOL. In - addition to the standard features it supports database - connectivity. Pages can query a database by Structured Query - Language (SQL) commands. The database is access through Open - Database Connectivity (ODBC). It also has built-in search - engine and TCL scripting. If that is not enough you can add - your own modules through the c Application Programming Interface - (API). I almost forgot to mention support for 40 bit SSL. And - you get all this for free! For more information visit the - AOLserver site at - - - Zeus Server - Zeus Server was developed by Zeus Technology. They claim that - they are the fastest web server (using WebSpec96 benchmark). - The server can be configured and controlled from a web browser! - It can limit processor and memory resources for CGI's, and it - executes them in a secure environment (whatever that means). It - also supports unlimited virtual servers. It sells for $999 for - the standard version. If you want the secure server (SSL) the - price jumps to $1699. They are based outside the US so 128 bit - SSL is available everywhere. For more information visit the - Zeus Technology website at . The US - website is at . I'll warn you they are - cocky about the fastest web server thing. But they don't even - show up under top web servers in the Netcraft Surveys. - - - CL-HTTP - CL-HTTP stands for Common Lisp Hypermedia Server. If you are a - Lisp programmer this server is for you. You can write your CGI - scripts in Lisp. It has a web based setup function. It also - supports all the standard server features. 
CL-HTTP is free and - the source code is available. For more information visit the - CL-HTTP website at (could they make that url any longer?). - - If you have a commercial purpose (company web site, or ISP), I would - strongly recommend that you use Apache. If you are looking for easy - setup at the expense of advanced features then the Zeus Server wins - hands down. I've also heard that the Netscape Server is easy to - setup. If you have an internal use you can be a bit more flexible. - But unless one of them has a feature that you just have to use, I - would still recommend using one of the three above. - - This is only a partial listing of all the servers available. For a - more complete list visit Netcraft at - or Web Compare at - . - - - - 7. Apache - - The current version of Apache is 1.2.4. Version 1.3 is in beta - testing. The main Apache site is at . - Another good source of information is Apacheweek at - . The Apache documentation is ok, so I'm - not going to go into detail in setting up apache. The documentation - is on the website and is included with the source (in HTML format). - There are also text files included with the source, but the HTML - version is better. The documentation should get a whole lot better - once the Apache Documentation Project gets under way. Right now most - of the documents are written by the developers. Not to discredit the - developers, but they are a little hard to understand if you don't know - the terminology. - - - 7.1. Where to get - - Apache is included in the Red Hat, Slackware, and OpenLinux - distributions. Although they may not be the latest version, they are - very reliable binaries. The bad news is you will have to live with - their directory choices (which are totally different from each other - and the Apache defaults). - - The source is available from the Apache web site at - Binaries are are also available at - apache at the same place. You can also get binaries from sunsite at - . 
And for those of - us running Red Hat the latest binary RPM file can usually be found in - the contrib directory at - - - If your server is going to be used for commercial purposes, it is - highly recommended that you get the source from the Apache website and - compile it yourself. The other option is to use a binary that comes - with a major distribution. For example Slackware, Red Hat, or - OpenLinux distributions. The main reason for this is security. An - unknown binary could have a back door for hackers, or an unstable - patch that could crash your system. This also gives you more control - over what modules are compiled in, and allows you to set the default - directories. It's not that difficult to compile Apache, and besides - you not a real Linux user until you compile your own programs ;) - - - - 7.2. Compiling and Installing - - First untar the archive to a temporary directory. Next change to the - src directory. Then edit the Configuration file if you want to - include any special modules. The most commonly used modules are - already included. There is no need to change the rules or makefile - stuff for Linux. Next run the Configure shell script (./Configure). - Make sure it says Linux platform and gcc as the compiler. Next you - may want to edit the httpd.h file to change the default directories. - The server home (where the config files are kept) default is - /usr/local/etc/httpd/, but you may want to change it to just - /etc/httpd/. And the server root (where the HTML pages are served - from) default is /usr/local/etc/httpd/htdocs/, but I like the - directory /home/httpd/html (the Red Hat default for Apache). If you - are going to be using su-exec (see special features below) you may - want to change that directory too. The server root can also be - changed from the config files too. But it is also good to compile it - in, just encase Apache can't find or read the config file. Everything - else should be changed from the config files. 
Finally run make to - compile Apache. - - If you run in to problems with include files missing, check the - following things. Make sure you have the kernel headers (include - files) installed for your kernel version. Also make sure you have - these symbolic links in place: - - - /usr/include/linux should be a link to /usr/src/linux/include/linux - /usr/include/asm should be a link to /usr/src/linux/include/asm - /usr/src/linux should be a link to the Linux source directory (ex.linux-2.0.30) - - - - Links can be made with ln -s, it works just like the cp command except - it makes a link (ln -s source-dir destination-link) - - When make is finished there should be an executable named httpd in the - directory. This needs to be moved in to a bin directory. /usr/sbin - or /usr/local/sbin would be good choices. - - Copy the conf, logs, and icons sub-directories from the source to the - server home directory. Next rename 3 of the files files in the conf - sub-directory to get rid of the -dist extension (ex. httpd.conf-dist - becomes httpd.conf) - - There are also several support programs that are included with Apache. - They are in the support directory and must be compiled and installed - separately. Most of them can be make by using the makefile in that - directory (which is made when you run the main Configure script). You - don't need any of them to run Apache, but some of them make the - administrators job easier. - - 7.3. Configuring - - Now you should have four files in your conf sub-directory (under your - server home directory). The httpd.conf sets up the server daemon - (port number, user, etc). The srm.conf sets the root document tree, - special handlers, etc. The access.conf sets the base case for access. - Finally mime.types tells the server what mime type to send to the - browser for each extension. - - The configuration files are pretty much self-documented (plenty of - comments), as long as you understand the lingo. 
You should read - through them thoroughly before putting your server to work. Each - configuration item is covered in the Apache documentation. - - The mime.types file is not really a configuration file. It is used by - the server to translate file extensions into mime-types to send to the - browser. Most of the common mime-types are already in the file. Most - people should not need to edit this file. As time goes on, more mime - types will be added to support new programs. The best thing to do is - get a new mime-types file (and maybe a new version of the server) at - that time. - - Always remember when you change the configuration files you need to - restart Apache or send it the SIGHUP signal with kill for the changes - to take effect. Make sure you send the signal to the parent process - and not any of the child processes. The parent usually has the lowest - process id number. The process id of the parent is also in the - httpd.pid file in the log directory. If you accidently send it to one - of the child processes the child will die and the parent will restart - it. - - I will not be walking you through the steps of configuring Apache. - Instead I will deal with specific issues, choices to be made, and - special features. - - I highly recommend that all users read through the security tips in - the Apache documentation. It is also available from the Apache - website at . - - - 7.4. Hosting virtual websites - - Virtual Hosting is when one computer has more than one domain name. - The old way was to have each virtual host have its own IP address. - The new way uses only one IP address, but it doesn't work correctly - with browsers that don't support HTTP 1.1. - - My recommendation for businesses is to go with the IP based virtual - hosting until most people have browsers that support HTTP 1.1 (give it - a year or two). This also gives you a more complete illusion of - virtual hosting. 
While both methods can give you virtual mail - capabilities (can someone confirm this?), only IP based virtual - hosting can also give you virtual FTP as well. - - If it is for a club or personal page, you may want to consider shared - IP virtual hosting. It should be cheaper than IP based hosting and - you will be saving precious IP addresses. - - You can also mix and match IP and shared IP virtual hosts on the same - server. For more information on virtual hosting visit Apacheweek at - . - - - - 7.4.1. IP based virtual hosting - - In this method each virtual host has its own IP address. By - determining the IP address that the request was sent to, Apache and - other programs can tell what domain to serve. This is an incredible - waste of IP space. Take for example the servers where my virtual - domain is kept. They have over 35,000 virtual accounts, that means - 35,000 IP addresses. Yet I believe at last count they had less than - 50 servers running. - - Setting this up is a two part process. The first is getting Linux - setup to accept more than one IP address. The second is setting up - apache to serve the virtual hosts. - - The first step in setting up Linux to accept multiple IP addresses is - to make a new kernel. This works best with a 2.0 series kernel (or - higher). You need to include IP networking and IP aliasing support. - If you need help with compiling the kernel see the kernel howto - . - - Next you need to setup each interface at boot. If you are using the - Red Hat Distribution then this can be done from the control panel. - Start X-windows as root, you should see a control panel. Then double - click on network configuration. Next goto the interfaces panel and - select your network card. Then click alias at the bottom of the - screen. Fill in the information and click done. This will need to be - done for each virtual host/IP address. - - If you are using other distributions you may have to do it manually. 
- You can just put the commands in the rc.local file in /etc/rc.d - (really they should go in with the networking stuff). You need to - have a ifconfig and route command for each device. The aliased - addresses are given a sub device of the main one. For example eth0 - would have aliases eth0:0, eth0:1, eth0:2, etc. Here is an example of - configuring a aliased device: - - - ifconfig eth0:0 192.168.1.57 - route add -host 192.168.1.57 dev eth0:0 - - - - You can also add a broadcast address and a netmask to the ifconfig - command. If you have alot of aliases you may want to make a for loop - to make it easier. For more information see the IP alias mini howto - . - - Then you need to setup your domain name server (DNS) to serve these - new domains. And if you don't already own the domain names, you need - to contact the Internic to register the - domain names. See the DNS-howto for information on setting up your - DNS. - - Finally you need to setup Apache to server the virtual domain - correctly. This is in the httpd.conf configuration file near the end. - They give you an example to go by. All commands specific to that - virtual host are put in between the virtualhost directive tags. You - can put almost any command in there. Usually you set up a different - document root, script directory, and log files. You can have almost - unlimited number of virtual hosts by adding more virtualhost directive - tags. - - In rare cases you may need to run separate servers if a directive is - needed for a virtual host, but is not allowed in the virtual host - tags. This is done using the bindaddress directive. Each server - will have a different name and setup files. Each server only responds - to one IP address, specified by the bindaddress directive. This is an - incredible waste of system resources. - - - 7.4.2. Shared IP virtual hosting - - This is a new way to do virtual hosting. It uses a single IP address, - thus conserving IP addresses for real machines (not virtual ones). 
In - the same example used above those 30,000 virtual hosts would only take - 50 IP addresses (one for each machine). This is done by using the new - HTTP 1.1 protocol. The browser tells the server which site it wants - when it sends the request. The problem is browsers that don't support - HTTP 1.1 will get the servers main page, which could be setup to - provide a menu of virtual hosts available. That ruins the whole - illusion of virtual hosting. The illusion that you have your own - server. - - The setup is much simpler than the IP based virtual hosting. You - still need to get your domain from the Internic and setup your DNS. - This time the DNS points to the same IP address as the original - domain. Then Apache is setup the same as before. Since you are using - the same IP address in the virtualhost tags, it knows you want Shared - IP virtual hosting. - - There are several work arounds for older browsers. I'll explain the - best one. First you need to make your main pages a virtual host - (either IP based or shared IP). This frees up the main page for a - link list to all your virtual hosts. Next you need to make a back - door for the old browsers to get in. This is done using the - ServerPath directive for each virtual host inside the virtualhost - directive. For example by adding ServerPath /mysite/ to - www.mysite.com old browsers would be able to access the site by - www.mysite.com/mysite/. Then you put the default page on the main - server that politely tells them to get a new browser, and lists links - to all the back doors of all the sites you host on that machine. When - an old browser accesses the site they will be sent to the main page, - and get a link to the correct page. New browsers will never see the - main page and will go directly to the virtual hosts. You must - remember to keep all of your links relative within the web sites, - because the pages will be accessed from two different URL's - (www.mysite.com and www.mysite.com/mysite/). 
- - I hope I didn't lose you there, but its not an easy workaround. Maybe - you should consider IP based hosting after all. A very similar - workaround is also explained on the apache website at - . - - If anyone has a great resource for Shared IP hosting, I would like to - know about it. It would be nice to know what percent of browsers out - there support HTTP 1.1, and to have a list of which browsers and - versions support HTTP 1.1. - - - 7.5. CGI scripts - - There are two different ways to give your users CGI script capability. - The first is make everything ending in .cgi a CGI script. The second - is to make script directories (usually named cgi-bin). You could also - use both methods. For either method to work the scripts must be world - executable (chmod 711). By giving your users script access you are - creating a big security risk. Be sure to do your homework to minimize - the security risk. - - I prefer the first method, especially for complex scripting. It - allows you to put scripts in any directory. I like to put my scripts - with the web pages they work with. For sites with allot of scripts it - looks much better than having a directory full of scripts. This is - simple to setup. First uncomment the .cgi handler at the end of the - srm.conf file. Then make sure all your directories have the option - ExecCGI or All in the access.conf file. - - Making script directories is considered more secure. To make a script - directory you use the ScriptAlias directive in the srm.conf file. The - first argument is the Alias the second is the actual directory. For - example ScriptAlias /cgi-bin/ /usr/httpd/cgi-bin/ would make - /usr/httpd/cgi-bin able to execute scripts. That directory would be - used whenever someone asked for the directory /cgi-bin/. For security - reasons you should also change the properties of the directory to - Options none, AllowOveride none in the access.conf (just uncomment the - example that is there). 
Also do not make your script directories - subdirectories of your web page directories. For example if you are - serving pages from /home/httpd/html/, don't make the script directory - /home/httpd/html/cgi-bin; Instead make it /home/httpd/cgi-bin. - - If you want your users to have there own script directories you can - use multiple ScriptAlias commands. Virtual hosts should have there - ScriptAlias command inside the virtualhost directive tags. Does - anyone know a simple way to allow all users to have a cgi-bin - directory without individual ScriptAlias commands? - - - - 7.6. Users Web Directories - - There are two different ways to handle user web directories. The - first is to have a subdirectory under the users home directory - (usually public_html). The second is to have an entirely different - directory tree for web directories. With both methods make sure set - the access options for these directories in the access.conf file. - - The first method is already setup in apache by default. Whenever a - request for /~bob/ comes in it looks for the public_html directory in - bob's home directory. You can change the directory with the UserDir - directive in the srm.conf file. This directory must be world readable - and executable. This method creates a security risk because for - Apache to access the directory the users home directory must be world - executable. - - The second method is easy to setup. You just need to change the - UserDir directive in the srm.conf file. It has many different - formats; you may want to consult the Apache documentation for - clarification. If you want each user to have their own directory - under /home/httpd/, you would use UserDir /home/httpd. Then when the - request /~bob/ comes in it would translate to /home/httpd/bob/. Or if - you want to have a subdirectory under bob's directory you would use - UserDir /home/httpd/*/html. 
This would translate to - /home/httpd/bob/html/ and would allow you to have a script directory - too (for example /home/httpd/bob/cgi-bin/). - - - 7.7. Daemon mode vs. Inetd mode - - There are two ways that apache can be run. One is as a daemon that is - always running (Apache calls this standalone). The second is from the - inetd super-server. - - Daemon mode is far superior to inetd mode. Apache is setup for daemon - mode by default. The only reason to use the inetd mode is for very - low use applications. Such as internal testing of scripts, small - company Intranet, etc. Inetd mode will save memory because apache - will be loaded as needed. Only the inetd daemon will remain in - memory. - - If you don't use apache that often you may just want to keep it in - daemon mode and just start it when you need it. Then you can kill it - when you are done (be sure to kill the parent and not one of the child - processes). - - To setup inetd mode you need to edit a few files. First in - /etc/services see if http is already in there. If its not then add - it: - - - http 80/tcp - - - - Right after 79 (finger) would be a good place. Then you need to edit - the /etc/inetd.conf file and add the line for Apache: - - - http stream tcp nowait root /usr/sbin/httpd httpd - - - - Be sure to change the path if you have Apache in a different location. - And the second httpd is not a typo; the inet daemon requires that. If - you are not currently using the inet daemon, you may want to comment - out the rest of the lines in the file so you don't activate other ser­ - vices as well (FTP, finger, telnet, and many other things are usually - run from this daemon). - - If you are already running the inet deamon (inetd), then you only need - to send it the SIGHUP signal (via kill; see kill's man page for more - info) or reboot the computer for changes to take effect. If you are - not running inetd then you can start it manually. 
You should also add - it to your init files so it is loaded at boot (the rc.local file may - be a good choice). - - - 7.8. Allowing put and delete commands - - The newer web publishing tools support this new method of uploading - web pages by http (instead of FTP). Some of these products don't even - support FTP anymore! Apache does support this, but it is lacking a - script to handle the requests. This script could be a big security - hole, be sure you know what you are doing before attempting to write - or install one. - - If anyone knows of a script that works let me know and I'll include - the address to it here. - - For more information goto Apacheweek's article at - . - - - 7.9. User Authentication/Access Control - - - This is one of my favorite features. It allows you to password - protect a directory or a file without using CGI scripts. It also - allows you to deny or grant access based on the IP address or domain - name of the client. That is a great feature for keeping jerks out of - your message boards and guest books (you get the IP or domain name - from the log files). - To allow user authentication the directory must have AllowOverrides - AuthConfig set in the access.conf file. To allow access control (by - domain or IP address) AllowOverrides Limit must be set for that - directory. - - Setting up the directory involves putting an .htaccess file in the - directory. For user authentication it is usually used with an - .htpasswd and optionally a .htgroup file. Those files can be shared - among multiple .htaccess files if you wish. - - For security reasons I recommend that everyone use these directives in - there access.conf file: - - - - - order deny,allow - deny from all - - - - - If you are not the administrator of the system you can also put it in - your .htaccess file if AllowOverride Limit is set for your directory. - This directive will prevent people from looking into your access - control files (.htaccess, .htpasswd, etc). 
- - There are many different options and file types that can be used with - access control. Therefore it is beyond the scope of this document to - describe the files. For information on how to setup User - Authentication see the Apacheweek feature at - or the NCSA pages at - . - - - 7.10. su-exec - - The su-exec feature runs CGI scripts as the user of the owner. - Normally it is run as the user of the web server (usually nobody). - This allows users to access there own files in CGI scripts without - making them world writable (a security hole). But if you are not - careful you can create a bigger security hole by using the su-exec - code. The su-exec code does security checks before executing the - scripts, but if you set it up wrong you will have a security hole. - - The su-exec code is not for amateurs. Don't use it if you don't know - what you are doing. You could end up with a gaping security hole - where your users can gain root access to your system. Do not modify - the code for any reason. Be sure to read all the documentation - carefully. The su-exec code is hard to setup on purpose, to keep the - amateurs out (everything must be done manually, no make file no - install scripts). - - The su-exec code resides in the support directory of the source. - First you need to edit the suexec.h file for your system. Then you - need to compile the su-exec code with this command: - - - gcc suexec.c -o suexec - - - - Then copy the suexec executable to the proper directory. The Apache - default is /usr/local/etc/httpd/sbin/. This can be changed by editing - httpd.h in the Apache source and recompiling Apache. Apache will only - look in this directory, it will not search the path. Next the file - needs to be changed to user root (chown root suexec) and the suid bit - needs to be set (chmod 4711 suexec). Finally restart Apache, it - should display a message on the console that su-exec is being used. - - CGI scripts should be set world executable like normal. 
They will - automaticaly be run as the owner of the CGI script. If you set the - SUID (set user id) bit on the CGI scripts they will not run. If the - directory or file is world or group writable the script will not run. - Scripts owned by system users will not be run (root, bin, etc.). For - other security conditions that must be met see the su-exec - documentation. If you are having problems see the su-exec log file - named cgi.log. - - Su-exec does not work if you are running Apache from inetd, it only - works in daemon mode. It will be fixed in the next version because - there will be no inetd mode. If you like playing around in source - code, you can edit the http_main.c. You want to get rid of the line - where Apache announces that it is using the su-exec wrapper (It - wrongly prints this in front of the output of everything). - - Be sure and read the Apache documentation on su-exec. It is included - with the source and is available on the Apache web site at - - - - 7.11. Imagemaps - - Apache has the ability to handle server side imagemaps. Imagemaps are - images on webpages that take users to different locations depending on - where they click. To enable imagemaps first make sure the imagemap - module is installed (its one of the default modules). Next you need - to uncomment the .map handler at the end of the srm.conf file. Now - all files ending in .map will be imagemap files. Imagemap files map - different areas on the image to separate links. Apache uses map files - in the standard NCSA format. Here is an example of using a map file - in a web page: - - - - - - - - - In this example mapfile.map is the mapfile, and picture.gif is the - image to click on. - - There are many programs that can generate NCSA compatible map files or - you can create them yourself. For a more detailed discussion of - imagemaps and map files see the Apacheweek feature at - . - - - 7.12. SSI/XSSI - - Server Side Includes (SSI) adds dynamic content to otherwise static - web pages. 
The includes are embedded in the web page as comments. - The web server then parses these includes and passes the results to - the web server. SSI can add headers and footers to documents, add - date the document was last updated, execute a system command or a CGI - script. With the new eXtended Server Side Includes (XSSI) you can do - a whole lot more. XSSI adds variables and flow control statements - (if, else, etc). Its almost like having an programming language to - work with. - - Parsing all HTML files for SSI commands would waste allot of system - resources. Therefore you need to distinguish normal HTML files from - those that contain SSI commands. This is usually done by changing the - extension of the SSI enhanced HTML files. Usually the .shtml - extension is used. - - To enable SSI/XSSI first make sure that the includes module is - installed. Then edit srm.conf and uncomment the AddType and - AddHandler directives for .shtml files. Finally you must set Options - Includes for all directories where you want to run SSI/XSSI files. - This is done in the access.conf file. Now all files with the - extension .shtml will be parsed for SSI/XSSI commands. - - Another way of enabling includes is to use the XBitHack directive. If - you turn this on it looks to see if the file is executable by user. - If it is and Options Includes is on for that directory, then it is - treated as an SSI file. This only works for files with the mime type - text/html (.html .htm files). This is not the preferred method. - - There is a security risk in allowing SSI to execute system commands - and CGI scripts. Therefore it is possible to lock that feature out - with the Option IncludesNOEXEC instead of Option Includes in the - access.conf file. All the other SSI commands will still work. - - For more information see the Apache mod_includes documentation that - comes with the source. It is also available on the website at - . 
- - For a more detailed discussion of SSI/XSSI implementation see the - Apacheweek feature at . - - For more information on SSI commands see the NCSA documentation at - . - - For more information on XSSI commands goto - . - - - 7.13. Module system - - Apache can be extended to support almost anything with modules. There - are allot of modules already in existence. Only the general interest - modules are included with Apache. For links to existing modules goto - the - - Apache Module Registry at . - - For module programming information goto - - - - - 8. Web Server Add-ons - - Sorry this section has not been written yet. - - Coming soon: mSQL, PHP/FI, cgiwrap, Fast-cgi, MS frontpage extentions, - and more. - - - - 9. FAQ - - - There aren't any frequent asked questions - yet... - - - - 10. For further reading - - - - 10.1. O'Reilly & Associates Books - - In my humble opinion O'Reilly & Associates make the best technical - books on the planet. They focus mainly on Internet, Unix and - programming related topics. They start off slow with plenty of - examples and when you finish the book your an expert. I think you - could get by if you only read half of the book. They also add some - humor to otherwise boring subjects. - - They have great books on HTML, PERL, CGI Programming, Java, - JavaScript, C/C++, Sendmail, Linux and much much more. And the fast - moving topics (like HTML) are updated and revised about every 6 months - or so. So visit the O'Reilly & Associates web - site or stop by your local book store for more info. - - And remember if it doesn't say O'Reilly & Associates on the cover, - someone else probably wrote it. - - - 10.2. Internet Request For Comments (RFC) - - - · RFC1866 written by T. Berners-Lee and D. Connolly, "Hypertext - Markup Language - 2.0", 11/03/1995 - - · RFC1867 writtenm by E. Nebel and L. Masinter, "Form-based File - Upload in HTML", 11/07/1995 - - · RFC1942 written by D. Raggett, "HTML Tables", 05/15/1996 - - · RFC1945 by T. 
Berners-Lee, R. Fielding, H. Nielsen, "Hypertext - Transfer Protocol -- HTTP/1.0", 05/17/1996. - - · RFC1630 by T. Berners-Lee, "Universal Resource Identifiers in WWW: - A Unifying Syntax for the Expression of Names and Addresses of - Objects on the Network as used in the World-Wide Web", 06/09/1994 - - · RFC1959 by T. Howes, M. Smith, "An LDAP URL Format", 06/19/1996 - - - A mSQL and perl Web Server Mini HOWTO - Oliver Corff, corff@zedat.fu-berlin.de - v0.1, 17 September 1997 - - This Mini HOWTO, highly inspired by Michael Schilli's article - Gebunkert: Datenbankbedienung mit Perl und CGI, published in the ger- - man computer magazine iX 8/1997, describes how to build a SQL - client/server database using WWW and HTML for the user interface. - - 1. About this Document - - 1.1. Intended Audience - - Everybody who wants to install a web server database but does not know - which software is necessary and how it is installed should benefit - from reading this text. This text provides all information necessary - to get a SQL database for a web server going; it does not go into any - detail of CGI programming, nor does it explain the SQL database - language. Excellent books are available on both topics, and it is the - intention of this text to provide a working platform based on which a - user can then study CGI programming and SQL. - - For getting a small scale SQL system running (not the notorious - example of a major airline booking system, or space mission management - database) it will be sufficient to have the software described in this - text and the documentation accompanying it. The user manual of msql (a - database introduced in this text) provides sufficient information on - SQL for building your own database. - - The reader of this text should have a working knowledge of how to - obtain files via ftp if he has no access to CD-ROMs, and a basic - understanding of how to build binaries from sources. 
Anyway, all steps - explained in this text were tested on a real life system and should - also work on the reader's system. - - - 1.2. Conventions used in this text - - A user command: - - # make install - - - - Screen output from a program: - - - Program installed. Read README for details on how to start. - - - - Sample code of a file: - - ______________________________________________________________________ - # My comment - char letter; - ______________________________________________________________________ - - - - 2. Introduction - - It can be safely assumed that databases with a high volume of data or - a complicated relational setup (like, perhaps, a lexical database for - a living language) must be accessible to many users and operators at - the same time. Ideally, it should be possible to use existing - different hardware and software platforms that can be combined into - the actual system. In order to reduce the implementation cost, only - one system, the database server, needs to be powerful; the user - stations typically just display data and accept user commands, but the - processing is done on one machine only which led to the name client- - server database. In addition, the user interface should be easy to - maintain and should require as little as possible on the client side. - - A system which meets these criteria can be built around the following - items of protocols, concepts and software: - - 3. Installation Procedure - - 3.1. Hardware Requirements - - No general statement can be made about the hardware requirements of a - database server. Too much depends on the expected number of users, the - kind of application, the network load etc. In a small environment with - only a few users and little network traffic a i486-equivalent machine - with 16 MB of RAM can be completely sufficient. 
Linux, the operating - system, is very efficient in terms of resources, and can supply enough - horse-power for running a broad variety of applications at the same - time. Of course, faster processors and more RAM mean more speed, but - much more important than the processor is the amount of RAM. The more - RAM the system has the less it is forced to swap memory intensive - processes to disk in case a bottleneck occurs. - - Given anything like 32 MB RAM and a PCI bus, searches and sorting - operations can be done without much resorting to swap files etc., - resulting in lightening fast speed. - - The model installation described in this article was made on a IBM 686 - (133Mhz) with 32 MB RAM and a 1.2 GB IDE hard disk. Assuming that the - installation process starts from scratch, here is a list of the - necessary steps. - - - 3.2. Software Requirements - - - The software described in this article is available from the Internet - or from CD-ROM. The following products were used: - - o Red Hat Linux PowerTools: 6 CD's Complete Easy-to-Use Red Hat 4.2, - Summer '97; alternatively from http://www.redhat.com; - - o msql SQL database server: it is now available in two versions. The - versions have differences in the number of transactions they can - handle, the administration interface, etc. The elder version, - 1.0.16, is available from Sunsite mirrors. The ELF executable can - be found at sunsite:apps/database/sql/msql-1.0.16 or on CD-ROM - (here: disc 4 of InfoMagic Linux Developer's Resource, 6-CD set, - December 1996) or alternatively from the following URL: - http://www.infomagic.com. - - The newer version, 2.0.1, can be directly obtained from Hughes' - homepage in Australia (http://www.hughes.com.au) or from numerous - mirror sites around the world; - - o perl from CPAN: The Comprehensive Perl Archive Network. 
Walnut - Creek CDROM, ISBN 1-57176-077-6, May 1997; - - o Michael Schilli's CGI example program from computer journal iX - 8/1997, pages 150--152, available via ftp from ftp.uni- - paderborn.de:/doc/magazin/iX; - - - 3.3. Installing the Operating System - - Linux is installed in form of the Red Hat Linux Distribution 4.2. In - order to install successfully, the machine must either have a DOS- - accessible CD-ROM drive, a bootable CD-ROM drive, or else a boot disk - must be made following the instructions on the Linux CD. - - During installation the user has the choice to select and configure - numerous software packages. It is convenient to select the following - items now: - - - o TCP/IP network support, - - o the http server Apache, and - - o the scripting language perl, and - - o the X Window System, as well as - - o the browsers Arena (graphical) and Lynx (text-based). - - All these packages are provided with the Linux distribution. If you - do not install these packages now you still have the chance to do this - later with the assistance of glint, the graphical and intuitive - software package installation manager. Be sure to be root when - installing these packages. - - It is beyond the scope of this article to describe the network - installation and initialization procedure. Please consult the online - (manpages, HTML, texinfo) and printed (Linux Bible, etc. etc.) - documentation. - - The installation procedure of Red Hat is very mature and requires only - little user attention besides the usual choices (like providing host - names, etc.). Once the installation ends successfully, the system is - basically ready to go. - - Installing the X Window System is not mandatory for a pure server but - it makes local access and testing much easier. The X installation - procedure is done by any of several programs; XF86Setup offers the - most extensive self-testing facilities and needs the least handling of - hairy details (like video clock programming, etc.). 
The only - requirement is that the software can detect the video adapter. A cheap - accelerated graphics adapter (like Trio S64 based cards prior to - S64UV+) usually works ``out of the box''. - - At this point we assume that our system is up and running and that - Apache, Perl and the X Window System have been successfully installed. - We further assume that all standard structures like the file and - directory structure are kept as they are defined in the installation. - Last but not least we leave the host name as it is, and do at this - moment accept the name localhost. We'll use this name for testing the - installation; once the whole system works the true name can be added. - Please note that the network setup also requires editing the files - /etc/hosts, among others. Ideally this should be done with the - administration tools provided to user root. - - - 3.4. The http Server - - - The http server supplied with Linux is known as Apache to humans and - as httpd to the system. The manpage (man httpd) explains how to - install and start the http daemon (hence httpd) but, as mentioned, if - the installation went without problems then the server should be - running. You can verify the directory tree: there must be a directory - /home/httpd/ with three subdirectories: ../cgi-bin/, ../html/ and - ../icons/. In ../html/ there must be a file index.html. Later we will - manipulate or replace this file by our own index.html. All - configuration information is stored in/etc/httpd/conf/. The system is - well preconfigured and does not need further setup provided the - installation went without error. - - - 3.5. The Browsers - - - There are essentially three types of browsers available for Linux: - pure text-based systems like Lynx, experimental and simple ones like - Arena (free!) and commercial ones like Netscape (shareware!) with Java - support. While Lynx and Arena come with Linux, Netscape must be - procured from other sources. 
Netscape is available as a precombiled - binary for Linux on ix86 architectures and will run ``out of the box'' - as soon as the archive is unpacked. - 3.5.1. Configuring Lynx - - - Once Lynx is started it will look for a `default URL' which is usually - not very meaningful if the system does not have permanent Internet - access. In order to change the default URL (and lots of other - configuration details) the system administrator should edit - /usr/lib/lynx.cfg. The file is big, around 57000 bytes and contains - occasionally contradicting information. It states its own home as - /usr/local/lib/. Not far from top is a line beginning with STARTFILE. - We replace this line by the following entry: - STARTFILE:http://localhost and make sure that no spacing etc. is - inserted: - - ______________________________________________________________________ - # STARTFILE:http://www.nyu.edu/pages/wsn/subir/lynx.html - STARTFILE:http://localhost - ______________________________________________________________________ - - - After saving the file, Lynx should now reveal our index.html document - if started without arguments. - - - 3.5.2. Configuring Arena - - - Arena first looks for its own default URL when started without - arguments. This URL is hard-wired into the executable but can be - overrun by the environment variable WWW_HOME. The system administrator - can place a line saying WWW_HOME="http://localhost" in /etc/profile. - The variable must then be exported, either by a separate statement - (export WWW_HOME) or by appending WWW_HOME to the existing export - statement: - - ______________________________________________________________________ - WWW_HOME="http://localhost" - export WWW_HOME - ______________________________________________________________________ - - - After relaunching a login shell, the new default URL is now system- - wide known to Arena. - - - - 3.5.3. 
Installing and Configuring Netscape - - - Netscape is a commercial product and thus not included with the Linux - distributions. It is either downloadable from the Internet or - available from software collections on CDROM. Netscape comes in form - of precompiled binaries for every important hardware platform. For - installation purposes, it is useful to create a directory - /usr/local/Netscape/ where the archive is unpacked. The files can be - kept in place (except for the Java library: follow the instructions in - the README file that comes with the Netscape binary), and it is - sufficient to create a soft link in /usr/local/bin/ by issuing the - command - - # ln -s /usr/local/Netscape/netscape . - - - from within /usr/local/bin/. - - - Netscape is now ready for use and can be configured via the - ``Options'' menu. In ``General Preferences'' there is a card - ``Appearance'' with the entry ``Home Page Location''. Enter - http://localhost here and do not forget to save the options (via - ``Options'' --- ``Save Options'') before exiting Netscape. At the next - startup, Netscape will now show the Apache `homepage'. - - - 3.6. Cooperation of Apache and Browsers - - - You can now conduct the first real test of both the browser and the - http server: simply start any of the available browsers and the - Apache: Red Hat Linux Web Server page will pop up. This page shows - the file locations and other basics of http server installation. If - this page is not displayed please check whether the files mentioned - above are in place and whether the browser configuration is correct. - Close edited configuration files before you start the browser again. - If all files are in place and the browsers seem to be configured - correctly then examine the network setup of your machine. Either the - host name is different from what was entered in the configuration, or - the network setup as such is not correct. 
It is utterly important that - /etc/hosts contains at least a line like - - ______________________________________________________________________ - 127.0.0.1 localhost localhost.localdomain - ______________________________________________________________________ - - - which implies that you can connect locally to your machine. One can - verify this by issuing any network-sensitive command requiring a host - name as argument, like telnet localhost (provided telnet is - installed). If that does not work then the network setup must be veri- - fied before continuing with the main task. - - - - 3.7. The Database Engine and its Installation - - - Installing the database requires only little more preparation than the - previous installation steps. There are a few SQL database engines - available with different runtime and administrative requirements, and - possibly one of the most straightforward systems is msql, or ``Mini- - SQL'' by David Hughes. msql is shareware. Depending on the version - used, commercial sites are charged USD 250.00 and more, private users - are charged USD 65.00 and more, and only educational institutions and - registered non-profit organizations can use this software free of - charge. Please note that the exact figures are provided in the - licence notes of the database documentation. The figures given here - serve as a rough indicator only. - - A few words are in place here why the author chose msql. First of all, - there is personal experience. While searching for a database engine - the author found msql to be about the easiest to install and maintain, - and it provides enough coverage of the SQL language to meet general - needs. 
Only when writing these lines, the author discovered the - following words of praise in Alligator Descartes' DBI FAQ (perl - database interface FAQ): - - - From the current author's point of view, if the dataset is - relatively small, being tables of less than 1 million rows, - and less than 1000 tables in a given database, then mSQL is - a perfectly acceptable solution to your problem. This - database is extremely cheap, is wonderfully robust and has - excellent support. [...] - - - Msql is available in two versions now, msql-1.0.16 and msql-2.0.1, - which differ in performance (not noticeable in small scale projects) - and accompanying software (the newer version comes with more tools, - its own scripting language, etc.). We will describe both versions of - msql since their installion differs in a few points. - - - 3.7.1. Installing msql-1.0.16 - - - msql is available as source and as compiled executable with ELF - support. Using the ELF binaries makes installation easy since the - archive file msql-1.0.16.ELF.tgz contains a complete absolute - directory tree so that all directories are generated properly when - unpacked from /. - - If you decide to compile msql-1.0.16 yourself and are going to use the - MsqlPerl package rather than the DBI interface (see a detailed - discussion on the difference between these two further down) then be - prepared that MsqlPerl might complain during the test suites that some - instruction inside msql failed. In this case a patch may be necessary - which is described in the MsqlPerl documentation (file - patch.lost.tables). 
Notably, this demands including three lines in - msqldb.c after line 1400 which says entry->def = NULL;: - - *(entry->DB) = 0; - *(entry->table) = 0; - entry->age = 0; - - - The code fragment should now look like - - ______________________________________________________________________ - freeTableDef(entry->def); - safeFree(entry->rowBuf); - safeFree(entry->keyBuf); - entry->def = NULL; - *(entry->DB) = 0; - *(entry->table) = 0; - entry->age = 0; - ______________________________________________________________________ - - - - Compiling msql involves several steps. After unpacking the source - archive, it is necessary to build a target directory. This is done by - saying - - # make target - - - If successful, the system will then answer with - - - Build of target directory for Linux-2.0.30-i486 complete - - - - You must now change into this newly created directory and run a - - # ./setup - - command first. The ./ sequence is necessary to make sure that really - the command setup in this directory and not another command which hap- - pens to have the same name is executed. You will then be asked ques- - tions on the location of the source directory and whether a root - installation is desired. These questions answered, the system should - then run a number of tests checking for available software (compilers, - utilities etc.) and finally say - - - Ready to build mSQL. - - You may wish to check "common/site.h" although the defaults should be - fine. When you're ready, type "make all" to build the software - - - - We say - - # make all - - - If everything went as intended, we'll read: - - - make[2]: Leaving directory `/usr/local/Minerva/src/msql' - <-- [msql] done - - Make of mSQL complete. - You should now mSQL using make install - - NOTE : mSQL cannot be used free of charge at commercial sites. - Please read the doc/License file to see what you have to do. 
- - make[1]: Leaving directory `/usr/local/Minerva/src' - - - - All binaries must then be made visible to the search paths by creating - soft links in /usr/local/bin/. Change to that directory and issue the - command - - # ln -s /usr/local/Minerva/bin/* . - - - after which the links will be properly set. - - - 3.7.2. Testing msql-1 - - - After the installation it is now possible to test whether the database - works. Before anything else is done, the server daemon must be - started. The system administrator holding root privileges issues the - command - - # msqld & - - - (do not forget to add the &, otherwise msql won't run in the back- - ground.) after which the following screen message appears: - - - - mSQL Server 1.0.16 starting ... - - Warning : Couldn't open ACL file: No such file or directory - Without an ACL file global access is Read/Write - - - - This message tells us that everything so far worked since we did not - set up any access restrictions. For the moment it is sufficient to - start the msql daemon from within a shell but later we may want to - have the system startup automatically execute this command for us. - The command must then be mentioned in a suitable rc.d script. Only - now the administrator can issue the first genuine database command: - - # msqladmin create inventur - - - msql replies by saying Database "inventur" created.. As a further - proof, we find that the directory /usr/local/Minerva/msqldb/ contains - now the empty subdirectory ../inventur/. We could manipulate the newly - created database with the administration tools; these procedures are - all covered in detail in the msql documentation. - - - 3.7.3. Installing msql-2.0.1 - - - There is now a newer, more powerful version of Hughes' mSQL server - available the installation of which is different in a few points. - Installing msql-2 from scratch involves the following steps. Copy the - archive to your extraction point, e. g. 
/usr/local/msql-2/, then - untar the archive: - - # tar xfvz msql-2.0.1.tar.gz - - - - Change to the root direction of the install tree and issue a - - # make target - - - - Change to targets and look for your machine type. There should be a - new subdirectory Linux-(your version)-(your cpu)/. Change to that - directory and start the setup facility located here: - - # ./setup - - - - There is also a file site.mm which can be edited. Maybe you have got - used to the directory name /usr/local/Minerva/ and want to preserve - it? In this case change the INST_DIR=... line to your desired target - directory. Otherwise, leave everything as it is. - - Now you can start building the database: - - # make - # make install - - - - If everything went successfully, we'll see a message like: - - - [...] - - Installation of mSQL-2 complete. - - ********* - ** This is the commercial, production release of mSQL-2.0 - ** Please see the README file in the top directory of the - ** distribution for license information. - ********* - - - - After all is installed properly we have to take care of the - administration details. Here, the real differences from msql-1 begin. - First, a user msql is created which is responsible for database - administration. - - - # adduser msql - - - - Then we have to change all ownerships in the mSQL directory to msql by - saying: - - # cd /usr/local/Minerva - # chown -R msql:msql * - - - - Then we create soft links for all database binaries in /usr/local/bin/ - by saying: - - # ln -s /usr/local/Minerva/bin/* . - - - - 3.7.4. Testing msql-2 - - We can now start the database server by issuing the command msql2d & - and should get a response similar to this one: - - - Mini SQL Version 2.0.1 - Copyright (c) 1993-4 David J. Hughes - Copyright (c) 1995-7 Hughes Technologies Pty. Ltd. - All rights reserved. - - Loading configuration from '/usr/local/Minerva/msql.conf'. - Server process reconfigured to accept 214 connections. - Server running as user 'msql'. 
- Server mode is Read/Write. - - Warning : No ACL file. Using global read/write access. - - - - That looks perfect. The database is compiled and in place, and we can - now continue with the perl modules since these rely partially on the - presence of a working database server for testing. - - Accidentally, this is also a good moment to print the complete manual - that comes with msql-2.0.1: - - # gzip -d manual.ps.gz - # lpr manual.ps - - - - We can proceed to building the interfaces now, but it is a good idea - to keep the newly created SQL server up and running since that makes - testing the interface libraries somewhat simpler. - - - - 3.8. Choice of Interfaces: DBI/mSQL, MsqlPerl, and Lite - - A frequently quoted saying in the Camel Book (the authorative perl - documentation) states that there is more than one way to achieve a - result when using perl. This, alas, holds true for our model - application, too. Basically there are three ways to access an msql - database via CGI. First of all the question is whether or not perl - shall be used. If we use perl (on which this article focuses) then we - still have the choice between two completely different interface - models. Besides using perl, we can also employ msql's own scripting - language, called Lite, which is reasonably simple and a close clone of - C. - - - 3.8.1. DBI and DBD-mSQL - - By the time of this writing, using perl's generic database interface - called DBI is the method of choice. DBI has a few advantages: It - provides unified access control to a number of commercial databases - with a single command set. The actual database in use on a given - system is then contacted through a driver which effectively hides the - pecularities of that database from the programmer. Being such, using - DBI provides for a smooth transition between different databases by - different makers. In one single script it is even possible to contact - several different databases. Please refer to the DBI-FAQ for details. 
- There is, however, one drawback: The DBI interface is still under - development and shows rapidly galloping version numbers (sometimes - with updates taking place within less than a month). Similarly, the - individual database drivers are also frequently updated and may rely - on specific versions of the database interface. Users making first- - time installations should stick to the version numbers given in this - article since other versions may cause compilation and testing - problems the trouble shooting of which is nothing for the faint- - hearted. - - - - 3.8.2. MsqlPerl - - MsqlPerl is a library for directly accessing msql from perl scripts. - It bypasses the DBI interface and is fairly compact. Though it works - fine with both versions of msql, its usage is not promoted anymore in - favour of the generalized DBI interface. Nonetheless, in a given - installation it may prove to be the interface of choice since it is - small and easy to install. Notably, it has less version dependencies - than revealed by the interaction of DBI and particular database - drivers. - 3.8.3. msql's own scripting language: Lite - - Last but not least msql-2 comes with its own scripting language: Lite. - The language is a close relative of C stripped of its oddities with - additional shell-like features (in a way, something like a very - specialized version of perl). Lite is a simple language and is well - documented in the msql-2 manual. The msql-2 package also comes with a - sample application sporting Lite. - - We will not describe Lite here because it is well documented but - fairly specific to msql-2, and because it is assumed that the readers - of this article have a basic interest in and a basic understanding of - perl. 
Nonetheless it is highly recommended to have a closer look at - Lite: it may well be the case that Lite offers the solution of choice - in an exclusive msql-2 environment (implying no other databases are - involved) due to its simplicity and straightforward concept. - - - - 3.9. Going the generic way: DBI and DBD-msql - - We assume that perl was installed during the system setup or via the - package manager mentioned above. No further details will be given - here. Nonetheless we first test whether our version of perl is up to - date: - - - # perl -v - - - - perl should respond with the following message: - - - - This is perl, version 5.003 with EMBED - Locally applied patches: - SUIDBUF - Buffer overflow fixes for suidperl security - - built under linux at Apr 22 1997 10:04:46 - + two suidperl security patches - - Copyright 1987-1996, Larry Wall - [...] - - - - So far, everything is fine. The next step includes installing the perl - libraries for databases in general (DBI), the msql driver (DBD-mSQL) - and CGI. The CGI driver is necessary in any case. The following - archives are necessary: - - 1. DBI-0.81.tar.gz - - 2. DBD-mSQL-0.65.tar.gz - - 3. CGI.pm-2.31.tar.gz (or higher) - - A caveat is necessary here for beginners: the test installation - described here works fine using software with exactly these version - numbers, and combinations of other versions failed in one or the other - way. Debugging flawed version combinations is nothing for those who - are not very familiar with the intimate details of the calling - conventions etc. of the interfaces. Sometimes only a method is renamed - while performing the same task, but sometimes the internal structure - changes significantly. So, again, stick with these version numbers if - you want to be on the safe side even if you discover that version - numbers have increased in the meantime. 
Frequent updates of these - interfaces are the rule rather than the exception, so you should - really anticipate problems when installing other versions than those - indicated here. - - It is very important that the database driver for mSQL (DBD-mSQL) is - installed after the generic interface DBI. - - We start by creating the directory /usr/local/PerlModules/ as it is - very important to keep the original perl directory tree untouched. We - could also choose a different directory name since the name is - completely uncritical, and unfortunately that is not really mentioned - in the README files of the verious perl modules. Having copied the - above-mentioned archives to /usr/local/PerlModules/ we unpack them - saying - - # tar xzvf [archive-file] - - - - for every single of the three archives. Do not forget to supply the - real archive name to tar. The installation process for the three - modules is essentially stardardized; only the screen messages showing - important steps of individual packages are reproduced here. - - - 3.9.1. Installing perl's Database Interface DBI - - - The database interface must always be installed before installing the - specific database driver. Unpacking the DBI archive creates the - directory /usr/local/PerlModules/DBI-0.81/. Change to that directory. - There are a README file (you should read it) and a perl-specific - makefile. Now issue the command - - # perl Makefile.PL - - - - The system should answer with a lengthy message of which the most - important part is shown here:: - - - - [...] - MakeMaker (v5.34) - Checking if your kit is complete... - Looks good - NAME => q[DBI] - PREREQ_PM => { } - VERSION_FROM => q[DBI.pm] - clean => { FILES=>q[$(DISTVNAME)/] } - dist => { DIST_DEFAULT=>q[clean distcheck disttest [...] - Using PERL=/usr/bin/perl - - WARNING! By default new modules are installed into your 'site_lib' - directories. 
Since site_lib directories come after the normal library - directories you MUST delete old DBI files and directories from your - - Writing Makefile for DBI - - - - This looks good, as the program says, and we can proceed with the next - step: - - # make - - - If no error message occurs (the detailed protocol dumped on screen is - not an error message) we test the newly installed library with the - command - - # make test - - - Watch the output for the following lines (you can always scroll back - with [Shift]-[PgUp]): - - - [...] - t/basics............ok - t/dbidrv............ok - t/examp.............ok - All tests successful. - [...] - DBI test application $Revision$ - Switch: DBI-0.81 Switch by Tim Bunce, 0.81 - Available Drivers: ExampleP, NullP, Sponge - ExampleP: testing 2 sets of 5 connections: - Connecting... 1 2 3 4 5 - Disconnecting... - Connecting... 1 2 3 4 5 - Disconnecting... - Made 10 connections in 0 secs ( 0.00 usr 0.00 sys = 0.00 cpu) - - test.pl done - - - - The final step is to install all files in their proper directories. - The following command will take care of it: - - # make install - - - No more duties are left. If for some reason the installation failed - and you want to redo it do not forget to issue - - # make realclean - - - first. This will remove stale leftovers of the previous installation. - You can also remove the files which were installed by copying the - screen contents (shown abbreviated) - - - Installing /usr/lib/perl5/site_perl/i386-linux/./auto/DBI/DBIXS.h - Installing /usr/lib/perl5/site_perl/i386-linux/./auto/DBI/DBI.so - Installing /usr/lib/perl5/site_perl/i386-linux/./auto/DBI/DBI.bs - [...] - Writing /usr/lib/perl5/site_perl/i386-linux/auto/DBI/.packlist - Appending installation info to /usr/lib/perl5/i386-linux/5.003/perllocal.pod - - - - into a file, replacing every Installing with rm. Provided you named - the file uninstall you can then say - - # . uninstall - - - which will remove the recently installed files. 
- - - 3.9.2. perl's msql Driver DBD-mSQL - - - The msql driver can only be installed after a successful installation - of perl's generic database interface. - - The basic steps are the same as above; so first go through - - # perl Makefile.PL - - - - Here, the system should answer with an urgent warning to read the - accompanying documentation. It will then detect where msql resides, - and asks which version you use: - - - - $MSQL_HOME not defined. Searching for mSQL... - Using mSQL in /usr/local/Hughes - - -> Which version of mSQL are you using [1/2]? - - - - State your correct version number. Quite a few lines of text will fol- - low. Watch for the following ones: - - - Splendid! Your mSQL daemon is running. We can auto-detect your configuration! - - I've auto-detected your configuration to be running on port: 1114 - - - - You can now test the driver by saying - - # make test - - - Again, a lengthy output follows. If it ends with - - - Testing: $cursor->func( '_ListSelectedFields' ). This will fail. - ok: not a SELECT in msqlListSelectedFields! - Re-testing: $dbh->do( 'DROP TABLE testaa' ) - ok - *** Testing of DBD::mSQL complete! You appear to be normal! *** - - - - you are on the safe side of life and can install your driver by saying - - # make install - - You are now ready to go and can skip the next paragraph. - - - - 3.10. The MsqlPerl Interface - - If you decide to use the exclusive MsqlPerl interface then no generic - database driver is needed, only MsqlPerl-1.15.tar.gz, since, as - mentioned earlier, MsqlPerl provides a direct interface between perl - and the database server without using the DBI interface. Installing - and testing is straightforward. - - After saying perl Makefile.PL the make utility can be started. First - you have to answer the question where mSQL resides. If it resides in - /usr/local/Minerva/ the default answer can be confirmed. - - Then do a make test. 
Before doing so you must ensure that you have a - database named test and that you have read and write permissions for - it. This can be done by - - # msqladmin create test - - - - 3.11. perl's CGI library - - - Installing perl's CGI part is the simpliest of the three steps. - Execute the following commands in the given order and everything is - done: - - - # perl Makefile.PL - # make - # make install - - - - Unlike the previous drivers this interface does not have a test option - (# make test) whereas the other modules should be tested in any case. - - A subdirectory with CGI example scripts is also created. You can copy - the contents of this directory into /home/http/cgi-bin/ and use the - browser to experiment with the scripts. - - - - 3.12. Installation Checklist - - We went through the following steps, in this order: - - 1. Install Linux with networking support - - 2. Install a http server, e. g. Apache - - 3. Install a browser, e. g. Arena, lynx or Netscape - - 4. Install an SQL server, e. g. msql - - 5. Install a suitable perl SQL interface - - - 6. Install the CGI files - - Finally, you can do some clean-up. All source trees for msql and the - perl modules can be safely deleted (however, you should not delete - your archive files!) since the binaries and documentation are now - based in different directories. - - - 4. Running an Example Database - - - After completing the system installation we can now finally run a - model application. Depending on the version of msql installed and the - perl database interface used, we have to modify the sample programs in - a few points. - - First however, the file index.html residing in /home/httpd/html/ must - be modified to allow calling a sample database application. We can - place our database (which we call database.cgi or inventur.cgi here - despite its archive name perl.lst.ck) in /home/httpd/html/test/. 
- - We add one line (of course, depending on your installation choices) - similar to the following to index.html: - - ______________________________________________________________________ -
  • Test the Database, DBI:DBD-mSQL style! -
  • Test the Database, MsqlPerl style! - ______________________________________________________________________ - - - Usually you should only pick one of these two choices but if you have - both types of database interface installed you can leave both lines - here as they are. You can then compare performance, etc. - - - 4.1. Adapting the sample script for MsqlPerl - - Our sample script has to be told to use the MsqlPerl interface. The - modification takes place in several locations. First, near the - beginning of the file, we change the use clause: - - ______________________________________________________________________ - # - # use DBI; # Generisches Datenbank-Interface - use Msql; - ______________________________________________________________________ - - - - Then, near line 27, the MsqlPerl syntax does not require the - mentioning of a specific driver: - - ______________________________________________________________________ - # $dbh = DBI->connect($host, $database, '', $driver) || - $dbh = Msql->connect($host, $database) || - ______________________________________________________________________ - - - - Then, from line 33 onward throughout the whole script, we have to - change all instances of do against query: - - - - ______________________________________________________________________ - # $dbh->do("SELECT * FROM hw") || db_init($dbh); - $dbh->query("SELECT * FROM hw") || db_init($dbh); - ______________________________________________________________________ - - - - Finally, in MsqlPerl speak, line 207 can be commented out: - - ______________________________________________________________________ - # $sth->execute || msg("SQL Error:", $sth->errstr); - ______________________________________________________________________ - - - - In addition, it may become necessary to swap all errstr calls like the - one in the preceding code fragment against errmsg. This is also - version dependent. - - After these modifications, the script should run smoothly. 
- - - 4.2. Adapting the sample script for msql-2 - - The SQL syntax was redefined during the development of mslq-2. The - original script will fail to execute the table initialization - statements in lines 45 -- 58. The primary key modifier is no longer - supported by msql-2, and should simply be skipped: - - ______________________________________________________________________ - $dbh->do(<errstr; # Neue Personen-Tabelle - create table person ( - # We do not need the 'primary key' modifier anymore in msql-2! - # pn int primary key, # Personalnummer - pn int, # Personalnummer - name char(80), # Nachname, Vorname - raum int # Raumnummer - ) - EOT - $dbh->do(<errstr; # Neue Hardware-Tabelle - create table hw ( - # We do not need the 'primary key' modifier anymore in msql-2! - # asset int primary key, # Inventurnummer - asset int, # Inventurnummer - name char(80), # Bezeichnung - person int # Besitzer - ) - EOT - ______________________________________________________________________ - - - - Unfortunately, this specific script will then accept new entries with - identical personnel numbers; the msql-1 modifier primary key intends - to prevent exactly this behaviour. The msql-2 documentation shows how - to use the CREATE INDEX clause to create unique entries. - - - 5. Conclusion and Outlook - - If you have installed msql-2 on your system then you can have a look - at the sample programs written in Lite, msql-2's own scripting - language. - - Either version of msql comes with a basic set of administration tools - which allow the user to create and drop tables (msqladmin) and examine - database structures (relshow). - - The second generation msql (i.e. msql-2) has a few more genuinely - useful utilities: msqlimport and msqlexport. These allow the dumping - of flat line data files into and out of the SQL database. 
They can be - used for loading quantities of existing data d'un coup into existing - tables, or extract flat data from tables, and the user does not have - to deal with writing a single line of perl or SQL or whatever code for - this task. - - If you want to write your own perl scripts dealing with databases - you'll find sufficient support in the example files and the extensive - on-line documentation that comes with the DBI module. - - Anyway, you are now ready to go and present your data to the users of - your own network, or even the WWW. - + · http://metalab.unc.edu/mdw/HOWTO/WWW-HOWTO.html + · http://metalab.unc.edu/mdw/HOWTO/Virtual-Services-HOWTO.html + · http://metalab.unc.edu/mdw/HOWTO/Intranet-Server-HOWTO.html + · Web servers for Linux + +
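Review bot: the link list added at the end of this hunk is inconsistent, and it is the only replacement for everything removed above it. Three entries are raw metalab.unc.edu URLs with no title, while the fourth, "Web servers for Linux", has a title but no visible target. Give every entry both a title and a URL, and add a line saying which part of the removed walkthrough (browser setup, the msql-1.0.16 and msql-2.0.1 installs, DBI/DBD-mSQL, MsqlPerl, CGI) each HOWTO is meant to cover. The removed text was also the only place that showed msqld and msql2d starting with "No ACL file. Using global read/write access", and it treated that as a success ("That looks perfect"). If the chapter keeps any database coverage, carry that point forward as a caveat that an ACL file should be set up, rather than dropping it silently. The same applies to the removed advice to pin DBI-0.81 with DBD-mSQL-0.65 and to install DBI before the driver, which nothing in the added lines replaces.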