From f061711eea265321ec140f3a0deab4063e065ceb Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 15 Jul 2017 17:44:54 +0200 Subject: [PATCH] remove broken URL --- LDP/howto/docbook/Linux+IPv6-HOWTO.xml | 281 +++++++++++++------------ 1 file changed, 148 insertions(+), 133 deletions(-) diff --git a/LDP/howto/docbook/Linux+IPv6-HOWTO.xml b/LDP/howto/docbook/Linux+IPv6-HOWTO.xml index e8275b24..2e768c85 100644 --- a/LDP/howto/docbook/Linux+IPv6-HOWTO.xml +++ b/LDP/howto/docbook/Linux+IPv6-HOWTO.xml @@ -3,14 +3,14 @@ [ ]> - Linux IPv6 HOWTO (en) PeterBieringer
pb at bieringer dot de
- 0.67wip 2016-12-15 PB + 0.67wip 2017-07-14 PB 0.66 2014-05-15 PB 0.65 2009-12-13 PB 0.64 2009-06-11 PB @@ -24,13 +24,13 @@ <!-- anchor id="general-copright" -->Copyright, license and others Copyright -Written and Copyright (C) 2001-2014 by Peter Bieringer +Written and Copyright (C) 2001-2017 by Peter Bieringer License This Linux IPv6 HOWTO is published under GNU GPL version 2: The Linux IPv6 HOWTO, a guide how to configure and use IPv6 on Linux systems. -Copyright © 2001-2014 Peter Bieringer +Copyright © 2001-2017 Peter Bieringer This documentation is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
@@ -39,12 +39,12 @@ Internet/IPv6 history of the author -1993: I got in contact with the Internet using console based e-mail and news client (e.g. look for “e91abier” on groups.google.com, that's me).1996: I got a request for designing a course on IPv6, including a workshop with the Linux operating system.1997: Started writing a guide on how to install, configure and use IPv6 on Linux systems, called IPv6 & Linux - HowTo (see IPv6 & Linux - HowTo/History for more information).2001: Started writing this new Linux IPv6 HOWTO. +1993: I got in contact with the Internet using console based e-mail and news client (e.g. look for ”e91abier” on groups.google.com, that's me).1996: I got a request for designing a course on IPv6, including a workshop with the Linux operating system.1997: Started writing a guide on how to install, configure and use IPv6 on Linux systems, called IPv6 & Linux - HowTo (see IPv6 & Linux - HowTo/History for more information).2001: Started writing this new Linux IPv6 HOWTO. Contact The author can be contacted via e-mail at <pb at bieringer dot de> and also via his homepage. He's currently living in Munich / Bavaria / Germany / Europe / Earth. <!-- anchor id="general-category" -->Category -This HOWTO should be listed in category “Networking/Protocols”. +This HOWTO should be listed in category ”Networking/Protocols”. Version, History and To-Do Version @@ -67,7 +67,7 @@ 2004-06-18: Greek translation is in progress 2005-07-25: Turkish translation is availble 2007-03-28: Portuguese-Brazil translation is in progress -2008-07-30: Spanish translation is available (but still in progress) +2008-07-30: Spanish translation is available (lost, URL no longer valid) 2011-05-09: Portuguese-Brazil translation is again in progress Full history See revision history at the end of this document. 
@@ -90,7 +90,7 @@ Spanish A member of the MontevideoLibre, a project in Uruguay (South America) started the translation into Spanish in wiki format some time ago, but the URL is no longer available. Italian -With 2003-10-16 a Italian translation was started by Michele Ferritto <m dot ferritto at virgilio dot it> for the ILDP (Italian Linux Documentation Project) and the first public version was published 2004-03-12. It's originally available on the ILDP at http://it.tldp.org/HOWTO/Linux+IPv6-HOWTO/. +With 2003-10-16 a Italian translation was started by Michele Ferritto <m dot ferritto at virgilio dot it> for the ILDP (Italian Linux Documentation Project) and the first public version was published 2004-03-12. It's originally available on the ILDP at http://www.pluto.it/ildp/howto/ipv6.html. Japanese On 2003-05-14 Shino Taketani <shino_1305 at hotmail dot com> send me a note that he planned to translate the HowTo into Japanese. Greek @@ -102,9 +102,9 @@ Technical <!-- anchor id="general-original-source" -->Original source of this HOWTO -This HOWTO is currently written with LyX version 1.6.1 on a Fedora 10 Linux system with template SGML/XML (DocBook book). It's available on github / tLDP / LDP / users / Peter-Bieringer for contribution. +This HOWTO is currently written with LyX version 2.2.2 on a Fedora 25 Linux system with template SGML/XML (DocBook book). It's available on github / tLDP / Linux-IPv6 for contribution. Code line wrapping -Code line wrapping is done using selfmade utility “lyxcodelinewrapper.pl”, you can get it from CVS for your own usage: TLDP-CVS / users / Peter-Bieringer +Code line wrapping is done using selfmade utility ”lyxcodelinewrapper.pl”, you can get it from GitHub for your own usage: github / tLDP / Linux-IPv6 SGML generation SGML/XML is generated using export function in LyX. On-line references to the HTML version of this HOWTO (linking/anchors) 
@@ -120,7 +120,7 @@ Including this, there are three (3) HOWTO documents available. Apologies, if that is too many ;-) Linux IPv6 FAQ/HOWTO (outdated) The first IPv6 related document was written by Eric Osborne and called Linux IPv6 FAQ/HOWTO (please use it only for historical issues). Latest version was 3.2.1 released July, 14 1997. -Please help: if someone knows the date of birth of this HOWTO, please send me an e-mail (information will be needed in “history”). +Please help: if someone knows the date of birth of this HOWTO, please send me an e-mail (information will be needed in ”history”). IPv6 & Linux - HowTo (maintained) There exists a second version called IPv6 & Linux - HowTo written by me (Peter Bieringer) in pure HTML. It was born April 1997 and the first English version was published in June 1997. I will continue to maintain it, but it will slowly fade (but not full) in favour of the Linux IPv6 HOWTO you are currently reading. Linux IPv6 HOWTO (this document) 
@@ -129,14 +129,14 @@ Network related -Base 10Well known decimal number system, represent any value with digit 0-9.Base 16Usually used in lower and higher programming languages, known also as hexadecimal number system, represent any value with digit 0-9 and char A-F (case insensitive).Base 85Representation of a value with 85 different digits/chars, this can lead to shorter strings but never seen in the wild.BitSmallest storage unit, on/true (1) or off/false (0)ByteMostly a collection of 8 (but not really a must - see older computer systems) bitsDeviceHere, hardware of network connection, see also NICDual homed hostA dual homed host is a node with two network (physical or virtual) interfaces on two different links, but does not forward any packets between the interfaces.HostGenerally a single homed host on a link. Normally it has only one active network interface, e.g. Ethernet or (not and) PPP.InterfaceMostly same as “device”, see also NICIP HeaderHeader of an IP packet (each network packet has a header, kind of is depending on network layer)LinkA link is a layer 2 network packet transport medium, examples are Ethernet, Token Ring, PPP, SLIP, ATM, ISDN, Frame Relay,...NodeA node is a host or a router.OctetA collection of 8 real bits, today also similar to “byte”.PortInformation for the TCP/UDP dispatcher (layer 4) to transport information to upper layersProtocolEach network layer contains mostly a protocol field to make life easier on dispatching transported information to upper layer, seen in layer 2 (MAC) and 3 (IP)RouterA router is a node with two or more network (physical or virtual) interfaces, capable of forwarding packets between the interfaces.SocketAn IP socket is defined by source and destination IP addresses and Ports and (binding) StackNetwork related a collection of layersSubnetmaskIP networks uses bit masks to separate local networks from remote onesTunnelA tunnel is typically a point-to-point connection over which packets are exchanged which carry 
the data of another protocol, e.g. an IPv6-in-IPv4 tunnel. +Base 10Well known decimal number system, represent any value with digit 0-9.Base 16Usually used in lower and higher programming languages, known also as hexadecimal number system, represent any value with digit 0-9 and char A-F (case insensitive).Base 85Representation of a value with 85 different digits/chars, this can lead to shorter strings but never seen in the wild.BitSmallest storage unit, on/true (1) or off/false (0)ByteMostly a collection of 8 (but not really a must - see older computer systems) bitsDeviceHere, hardware of network connection, see also NICDual homed hostA dual homed host is a node with two network (physical or virtual) interfaces on two different links, but does not forward any packets between the interfaces.HostGenerally a single homed host on a link. Normally it has only one active network interface, e.g. Ethernet or (not and) PPP.InterfaceMostly same as ”device”, see also NICIP HeaderHeader of an IP packet (each network packet has a header, kind of is depending on network layer)LinkA link is a layer 2 network packet transport medium, examples are Ethernet, Token Ring, PPP, SLIP, ATM, ISDN, Frame Relay,...NodeA node is a host or a router.OctetA collection of 8 real bits, today also similar to ”byte”.PortInformation for the TCP/UDP dispatcher (layer 4) to transport information to upper layersProtocolEach network layer contains mostly a protocol field to make life easier on dispatching transported information to upper layer, seen in layer 2 (MAC) and 3 (IP)RouterA router is a node with two or more network (physical or virtual) interfaces, capable of forwarding packets between the interfaces.SocketAn IP socket is defined by source and destination IP addresses and Ports and (binding) StackNetwork related a collection of layersSubnetmaskIP networks uses bit masks to separate local networks from remote onesTunnelA tunnel is typically a point-to-point connection over which packets are 
exchanged which carry the data of another protocol, e.g. an IPv6-in-IPv4 tunnel. <!-- anchor id="Glossar" -->Shortcuts ACLAccess Control ListAPIApplication Programming InterfaceASICApplication Specified Integrated CircuitBSDBerkeley Software DistributionCAN-BusController Area Network Bus (physical bus system)ISPInternet Service ProviderKAMEProject - a joint effort of six companies in Japan to provide a free IPv6 and IPsec (for both IPv4 and IPv6) stack for BSD variants to the world www.kame.netLIRLocal Internet RegistryNICNetwork Interface CardRFCRequest For Comments - set of technical and organizational notes about the InternetUSAGIUniverSAl playGround for Ipv6 Project - works to deliver the production quality IPv6 protocol stack for the Linux system. Document related Long code line wrapping signal char -The special character “¬” is used for signaling that this code line is wrapped for better viewing in PDF and PS files. +The special character ”¬” is used for signaling that this code line is wrapped for better viewing in PDF and PS files. Placeholders In generic examples you will sometimes find the following: 
@@ -201,7 +201,7 @@ What do IPv6 addresses look like? As previously mentioned, IPv6 addresses are 128 bits long. This number of bits generates very high decimal numbers with up to 39 digits: Such numbers are not really addresses that can be memorized. Also the IPv6 address schema is bitwise oriented (just like IPv4, but that's not often recognized). Therefore a better notation of such big numbers is hexadecimal. In hexadecimal, 4 bits (also known as “nibble”) are represented by a digit or character from 0-9 and a-f (10-15). This format reduces the length of the IPv6 address to 32 characters. +]]>Such numbers are not really addresses that can be memorized. Also the IPv6 address schema is bitwise oriented (just like IPv4, but that's not often recognized). Therefore a better notation of such big numbers is hexadecimal. In hexadecimal, 4 bits (also known as ”nibble”) are represented by a digit or character from 0-9 and a-f (10-15). This format reduces the length of the IPv6 address to 32 characters. This representation is still not very convenient (possible mix-up or loss of single hexadecimal digits), so the designers of IPv6 chose a hexadecimal format with a colon as separator after each block of 16 bits. In addition, the leading "0x" (a signifier for hexadecimal values used in programming languages) is removed: IPv6 addresses: why such a high number of bits? During the design of IPv4, people thought that 32 bits were enough for the world. Looking back into the past, 32 bits were enough until now and will perhaps be enough for another few years. However, 32 bits are not enough to provide each network device with a global address in the future. Think about mobile phones, cars (including electronic devices on its CAN-bus), toasters, refrigerators, light switches, and so on... So designers have chosen 128 bits, 4 times more in length than in IPv4 today. -The usable size is smaller than it may appear however. 
This is because in the currently defined address schema, 64 bits are used for interface identifiers. The other 64 bits are used for routing. Assuming the current strict levels of aggregation (/48, /32, ...), it is still possible to “run out” of space, but hopefully not in the near future. +The usable size is smaller than it may appear however. This is because in the currently defined address schema, 64 bits are used for interface identifiers. The other 64 bits are used for routing. Assuming the current strict levels of aggregation (/48, /32, ...), it is still possible to ”run out” of space, but hopefully not in the near future. See also for more information RFC 1715 / The H Ratio for Address Assignment Efficiency and RFC 3194 / The Host-Density Ratio for Address Assignment Efficiency. IPv6 addresses: why so small a number of bits on a new design? While, there are (possibly) some people (only know about Jim Fleming...) on the Internet who are thinking about IPv8 and IPv16, their design is far away from acceptance and implementation. In the meantime 128 bits was the best choice regarding header overhead and data transport. Consider the minimum Maximum Transfer Unit (MTU) in IPv4 (576 octets) and in IPv6 (1280 octets), the header length in IPv4 is 20 octets (minimum, can increase to 60 octets with IPv4 options) and in IPv6 is 40 octets (fixed). This is 3.4 % of minimum MTU in IPv4 and 3.1 % of minimum MTU in IPv6. This means the header overhead is almost equal. More bits for addresses would require bigger headers and therefore more overhead. Also, consider the maximum MTU on normal links (like Ethernet today): it's 1500 octets (in special cases: 9k octets using Jumbo frames). Ultimately, it wouldn't be a proper design if 10 % or 20 % of transported data in a Layer-3 packet were used for addresses and not for payload. 
@@ -241,13 +241,13 @@ Addresses without a special prefix Localhost address -This is a special address for the loopback interface, similiar to IPv4 with its “127.0.0.1”. With IPv6, the localhost address is: +This is a special address for the loopback interface, similiar to IPv4 with its ”127.0.0.1”. With IPv6, the localhost address is: or compressed: Packets with this address as source or destination should never leave the sending host. Unspecified address -This is a special address like “any” or “0.0.0.0” in IPv4 . For IPv6 it's: +This is a special address like ”any” or ”0.0.0.0” in IPv4 . For IPv6 it's: or: Now lets take a look at the different types of prefixes (and therefore address types): Link local address type These are special addresses which will only be valid on a link of an interface. Using this address as destination the packet would never pass through a router. It's used for link communications such as: -anyone else here on this link?anyone here with a special address (e.g. looking for a router)?They begin with ( where “x” is any hex character, normally “0”) +anyone else here on this link?anyone here with a special address (e.g. looking for a router)?They begin with ( where ”x” is any hex character, normally ”0”) (where “x” is any hex character, normally “0”) +]]>(where ”x” is any hex character, normally ”0”) This address type is now deprecated RFC 3879 / Deprecating Site Local Addresses, but for a test in a lab, such addresses are still a good choice in my humble opinion. Unique Local IPv6 Unicast Addresses Because the original defined site local addresses are not unique, this can lead to major problems, if two former independend networks would be connected later (overlapping of subnets). This and other issues lead to a new address type named RFC 4193 / Unique Local IPv6 Unicast Addresses. 
@@ -308,7 +308,7 @@ fdxx: <- currently the only one in use It begins with (x are hex characters) Note: the prefix “aggregatable” is thrown away in current drafts. +]]>Note: the prefix ”aggregatable” is thrown away in current drafts. There are some further subtypes defined, see below: 6bone test addresses These were the first global addresses which were defined and in use. They all start with 
@@ -382,9 +382,9 @@ Because IPv6 is now in production, this prefix is no longer be delegated and is Manually set For servers, it's probably easier to remember simpler addresses, this can also be accommodated. It is possible to assign an additional IPv6 address to an interface, e.g. For manual suffixes like “::1” shown in the above example, it's required that the 7th most significant bit is set to 0 (the universal/local bit of the automatically generated identifier). Also some other (otherwise unchosen ) bit combinations are reserved for anycast addresses, too. +]]>For manual suffixes like ”::1” shown in the above example, it's required that the 7th most significant bit is set to 0 (the universal/local bit of the automatically generated identifier). Also some other (otherwise unchosen ) bit combinations are reserved for anycast addresses, too. Prefix lengths for routing -In the early design phase it was planned to use a fully hierarchical routing approach to reduce the size of the routing tables maximally. The reasons behind this approach were the number of current IPv4 routing entries in core routers (> 400 thousand in 2013), reducing the need of memory in hardware routers (ASIC “Application Specified Integrated Circuit” driven) to hold the routing table and increase speed (fewer entries hopefully result in faster lookups). +In the early design phase it was planned to use a fully hierarchical routing approach to reduce the size of the routing tables maximally. The reasons behind this approach were the number of current IPv4 routing entries in core routers (> 400 thousand in 2013), reducing the need of memory in hardware routers (ASIC ”Application Specified Integrated Circuit” driven) to hold the routing table and increase speed (fewer entries hopefully result in faster lookups). Todays view is that routing will be mostly hierarchically designed for networks with only one service provider. 
With more than one ISP connections, this is not possible, and subject to an issue named multi-homing (infos on multi-homing: drafts-ietf-multi6-*,IPv6 Multihoming Solutions). Prefix lengths (also known as "netmasks") @@ -443,10 +443,10 @@ Because IPv6 is now in production, this prefix is no longer be delegated and is IPv6-ready network devices Not all existing network devices have already (or ever) the capability to transport IPv6 packets. A current status can be found at IPv6+Linux-status-kernel.html#transport. A major issue is that because of the network layer structure of kernel implementation an IPv6 packet isn't really recognized by it's IP header number (6 instead of 4). It's recognized by the protocol number of the Layer 2 transport protocol. Therefore any transport protocol which doesn't use such protocol number cannot dispatch IPv6 packets. Note: the packet is still transported over the link, but on receivers side, the dispatching won't work (you can see this e.g. using tcpdump). -Currently known never “IPv6 capable links” +Currently known never ”IPv6 capable links” Serial Line IP (SLIP, RFC 1055 / SLIP), should be better called now to SLIPv4, device named: slXParallel Line IP (PLIP), same like SLIP, device names: plipXISDN with encapsulation rawip, device names: isdnX -Currently known “not supported IPv6 capable links” +Currently known ”not supported IPv6 capable links” ISDN with encapsulation syncppp, device names: ipppX (design issue of the ipppd, will be merged into more general PPP layer in kernel series 2.5.x) IPv6-ready network configuration tools 
@@ -510,7 +510,9 @@ PING ff02::1(ff02::1) from fe80:::2ab:cdff:feef:0123 eth0: 56 data bytes Unlike in IPv4, where replies to a ping on the broadcast address can be disabled, in IPv6 currently this behavior cannot be disable except by local IPv6 firewalling. <!-- anchor id="program-traceroute6." -->IPv6 traceroute6 -This program is normally included in package iputils. It's a program similar to IPv4 traceroute. Below you will see an example: + +IPv6 traceroute6 (old) +This older program is normally included in package iputils. It's a program similar to IPv4 traceroute. Below you will see an example: Note: unlike some modern versions of IPv4 traceroute, which can use ICMPv4 echo-request packets as well as UDP packets (default), current IPv6-traceroute is only able to send UDP packets. As you perhaps already know, ICMP echo-request packets are more accepted by firewalls or ACLs on routers inbetween than UDP packets. -If a dedicated interface must be specified, this can be done by -i <device> or using <address>%<device>. +If a dedicated interface must be specified, this can be done by -i <device> or using <address>%<device>. +traceroute since version 2 +traceroute got native IPv6 support with version 2 and support all features as for IPv4. Below you will see an example for an ICMP (ping) traceroute (root permissions required) +If a dedicated interface must be specified, this can be done by -i <device>. <!-- anchor id="program-tracepath6." -->IPv6 tracepath6 This program is normally included in package iputils. It's a program like traceroute6 and traces the path to a given destination discovering the MTU along this path. Below you will see an example: Current distributions already contain the most needed IPv6 enabled client and servers. See first on IPv6+Linux-Status-Distribution. If still not included, you can check Current Status of IPv6 Support for Networking Applications whether the program is already ported to IPv6 and usable with Linux. 
For common used programs there are some hints available here later in this document. IPv6-ready client programs (selection) To run the following shown tests, it's required that your system is IPv6 enabled, and some examples show addresses which only can be reached if a connection to the global IPv6 network is available. -Note: if using names instead of dedicated IPv4/IPv6 addresses which resolves to IPv4 and IPv6 addresses, some command line clients support explicitly use of specified protocol. Usually such clients have option “-4” for IPv4 and “-6” for IPv6. +Note: if using names instead of dedicated IPv4/IPv6 addresses which resolves to IPv4 and IPv6 addresses, some command line clients support explicitly use of specified protocol. Usually such clients have option ”-4” for IPv4 and ”-6” for IPv6. Checking DNS for resolving IPv6 addresses Because of security updates in the last years every Domain Name System (DNS) server should run newer software which already understands the (intermediate) IPv6 address-type AAAA (the newer one named A6 isn't still common at the moment because only supported using BIND9 and newer and also the non-existent support of root domain IP6.ARPA). A simple test whether the used system can resolve IPv6 addresses is If the telnet client don't understand the IPv6 address and says something like “cannot resolve hostname”, then it's not IPv6-enabled. +]]>If the telnet client don't understand the IPv6 address and says something like ”cannot resolve hostname”, then it's not IPv6-enabled. IPv6-ready ssh clients openssh 
@@ -603,7 +617,7 @@ Connection closed by foreign host. If your ssh client doesn't understand the option “-6” then it's not IPv6-enabled, like most ssh version 1 packages. +]]>If your ssh client doesn't understand the option ”-6” then it's not IPv6-enabled, like most ssh version 1 packages. ssh.com SSH.com's SSH client and server is also IPv6 aware now and is free for all Linux and FreeBSD machine regardless if used for personal or commercial use. IPv6-ready web browsers 
@@ -624,11 +638,11 @@ user@::1's password: ****** Q: Cannot ping6 to link-local addresses Error message: "connect: Invalid argument" Kernel doesn't know, which physical or virtual link you want to use to send such ICMPv6 packets. Therefore it displays this error message. -Solution: Specify interface like: “ping6 -I eth0 fe80::2e0:18ff:fe90:9205”, see also program ping6 usage. +Solution: Specify interface like: ”ping6 -I eth0 fe80::2e0:18ff:fe90:9205”, see also program ping6 usage. Q: Cannot ping6 or traceroute6 as normal user -Error message: “icmp socket: Operation not permitted -These utilities create special ICMPv6 packets and send them out. This is done by using raw sockets in the kernel. But raw sockets can only be used by the “root” user. Therefore normal users get such error message. -Solution: If it's really needed that all users should be able to use these utilities, you can add the “suid” bit using ”chmod u+s /path/to/program”, see also program ping6 usage. If not all users should be able to, you can change the group of the program to e.g. “wheel”, add these power users to this group and remove the execution bit for other users using “chmod o-rwx /path/to/program”. Or configure “sudo” to enable your security policy. +Error message: ”icmp socket: Operation not permitted +These utilities create special ICMPv6 packets and send them out. This is done by using raw sockets in the kernel. But raw sockets can only be used by the ”root” user. Therefore normal users get such error message. +Solution: If it's really needed that all users should be able to use these utilities, you can add the ”suid” bit using ”chmod u+s /path/to/program”, see also program ping6 usage. If not all users should be able to, you can change the group of the program to e.g. ”wheel”, add these power users to this group and remove the execution bit for other users using ”chmod o-rwx /path/to/program”. Or configure ”sudo” to enable your security policy. 
<!-- anchor id="chapter-configuration-interface" -->Configuring interfaces Different network devices @@ -650,7 +664,7 @@ user@::1's password: ****** SLIP + PLIP Like mentioned earlier, this interfaces don't support IPv6 transport (sending is OK, but dispatching on receiving don't work). Ether-tap device -Ether-tap devices are IPv6-enabled and also stateless configured. For use, the module “ethertap” has to be loaded before. +Ether-tap devices are IPv6-enabled and also stateless configured. For use, the module ”ethertap” has to be loaded before. tun devices Currently not tested by me. ATM @@ -680,7 +694,7 @@ user@::1's password: ****** There are different ways to configure an IPv6 address on an interface. You can use use "ifconfig" or "ip". Displaying existing IPv6 addresses First you should check, whether and which IPv6 addresses are already configured (perhaps auto-magically during stateless auto-configuration). -Just note that addresses beginning with “fec0” are deprecated, but shown here for completness! +Just note that addresses beginning with ”fec0” are deprecated, but shown here for completness! Using "ip" Usage: 
@@ -744,7 +758,7 @@ inet6 addr: fec0:0:0:f101::1/64 Scope:Site Privacy Extension as described in RFC 4941 / Privacy Extensions for Stateless Address Autoconfiguration in IPv6 (obsoleted RFC 3041) is replacing the static interface ID (mostly based on word-wide unique MAC address) used during autoconfiguration by a pseudo-random one and generating from time to time a new one deprecating the old one. Enable Privacy Extension using sysctl Temporary activation -Enable privacy extension for e.g. interface “eth0” and prefer the generated address: +Enable privacy extension for e.g. interface ”eth0” and prefer the generated address: Afterwards, restart of the interface is necessary Test real use of Privacy Extension IPv6 Addresses -Whether the IPv6 address with an Interface ID generated by Privacy Extension is really used for outgoing connections, one can browse to http://ip.bieringer.de/, in case EUI64_SCOPE shows “iid-privacy”, then everything is working fine. +Whether the IPv6 address with an Interface ID generated by Privacy Extension is really used for outgoing connections, one can browse to http://ip.bieringer.de/, in case EUI64_SCOPE shows ”iid-privacy”, then everything is working fine. <!-- anchor id="chapter-configuration-route" -->Configuring normal IPv6 routes If you want to leave your link and want to send packets in the world wide IPv6-Internet, you need routing. If there is already an IPv6 enabled router on your link, it's possible enough to add IPv6 routes. -Just note that addresses beginning with “fec0” are deprecated, but shown here for completness! +Just note that addresses beginning with ”fec0” are deprecated, but shown here for completness! Displaying existing IPv6 routes First you should check, whether and which IPv6 addresses are already configured (perhaps auto-magically during auto-configuration). Using "ip" 
@@ -860,7 +874,7 @@ ff00::/8 :: UA 256 0 0 eth0 <- Interface route for all multicast ¬ metric 1 ]]>Example: Metric “1” is used here to be compatible with the metric used by route, because the default metric on using “ip” is “1024”. +]]>Metric ”1” is used here to be compatible with the metric used by route, because the default metric on using ”ip” is ”1024”. Using "route" Usage: / dev 
@@ -887,24 +901,24 @@ ff00::/8 :: UA 256 0 0 eth0 <- Interface route for all multicast One idea of IPv6 was a hierachical routing, therefore only less routing entries are needed in routers. There are some issues in current Linux kernels: Clients (not routing any packet!) -Client can setup a default route like prefix “::/0”, they also learn such route on autoconfiguration e.g. using radvd on the link like following example shows: +Client can setup a default route like prefix ”::/0”, they also learn such route on autoconfiguration e.g. using radvd on the link like following example shows: Routers in case of packet forwarding -Older Linux kernel (at least <= 2.4.17) don't support default routes. You can set them up, but the route lookup fails when a packet should be forwarded (normal intention of a router). If you're still using such older kernel, “default routing” can be setup using the currently used global address prefix “2000::/3”. +Older Linux kernel (at least <= 2.4.17) don't support default routes. You can set them up, but the route lookup fails when a packet should be forwarded (normal intention of a router). If you're still using such older kernel, ”default routing” can be setup using the currently used global address prefix ”2000::/3”. Note: take care about default routing without address filtering on edge routers. Otherwise unwanted multicast or site-local traffic can leave the edge. <!-- anchor id="chapter-Neighbor-Discovery" -->Neighbor Discovery -Neighbor discovery was the IPv6 successor for the ARP (Address Resolution Protocol) in IPv4. You can retrieve information about the current neighbors, in addition you can set and delete entries. The kernel keeps tracking of successful neighbor detection (like ARP in IPv4). You can dig into the learnt table using “ip”. -Displaying neighbors using “ip” +Neighbor discovery was the IPv6 successor for the ARP (Address Resolution Protocol) in IPv4. 
You can retrieve information about the current neighbors, in addition you can set and delete entries. The kernel keeps tracking of successful neighbor detection (like ARP in IPv4). You can dig into the learnt table using ”ip”. +Displaying neighbors using ”ip” With following command you can display the learnt or configured IPv6 neighbors ] ]]>The following example shows one neighbor, which is a reachable router -Manipulating neighbors table using “ip” +Manipulating neighbors table using ”ip” Manually add an entry With following command you are able to manually add an entry 
@@ -919,7 +933,7 @@ fe80::201:23ff:fe45:6789 dev eth0 lladdr 00:01:23:45:67:89 router nud reachable More advanced settings -The tool “ip” is less documentated, but very strong. See online “help” for more: +The tool ”ip” is less documentated, but very strong. See online ”help” for more: FP and TLA together (16 bits) have the value 0x2002. V4ADDR is the node's global unique IPv4 address (in hexadecimal notation). SLA is the subnet identifier (65536 local subnets possible) and are usable to represent your local network structure. -For gateways, such prefix is generated by normally using SLA “0000” and suffix “::1” (not a must, can be an arbitrary one with local-scope) and assigned to the 6to4 tunnel interface. Note that Microsoft Windows uses V4ADDR also for suffix. +For gateways, such prefix is generated by normally using SLA ”0000” and suffix ”::1” (not a must, can be an arbitrary one with local-scope) and assigned to the 6to4 tunnel interface. Note that Microsoft Windows uses V4ADDR also for suffix. 6to4 upstream tunneling -The node has to know to which foreign tunnel endpoint its in IPv4 packed IPv6 packets should be send to. In “early” days of 6to4 tunneling, dedicated upstream accepting routers were defined. See NSayer's 6to4 information for a list of routers. +The node has to know to which foreign tunnel endpoint its in IPv4 packed IPv6 packets should be send to. In ”early” days of 6to4 tunneling, dedicated upstream accepting routers were defined. See NSayer's 6to4 information for a list of routers. Nowadays, 6to4 upstream routers can be found auto-magically using the anycast address 192.88.99.1. In the background routing protocols handle this, see RFC 3068 / An Anycast Prefix for 6to4 Relay Routers for details. 6to4 downstream tunneling The downstream (IPv6 backbone -> your 6to4 enabled node) is not really fix and can vary from foreign host which originated packets were send to. There exist two possibilities: 
@@ -992,7 +1006,8 @@ ff00::/8 :: UA 256 0 0 sit0 ]]> <!-- anchor id="conf-ipv6-in-ipv4-point-to-point-tunnels" -->Setup of point-to-point tunnel There are 3 possibilities to add or remove point-to-point tunnels. -A good additional information about tunnel setup using “ip” is Configuring tunnels with iproute2 (article) (Mirror). +A good additional information about tunnel setup using ”ip” is Configuring tunnels with iproute2 (article) (Mirror). +Note: support of such kind of tunnels is provided by kernel module ”sit” (potentially not possible on Virtuozzo platforms) Add point-to-point tunnels Using "ip" 
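Review bot: The added note about the sit module is too vague to act on: "potentially not possible on Virtuozzo platforms" does not say what fails or how a reader can tell. Please state whether the module cannot be loaded there or the tunnel device cannot be created, and end the sentence with a full stop. The new line also puts ” on both sides of sit, which is the same quoting problem as in the rest of the patch.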
@@ -1101,7 +1116,7 @@ ff00::/8 :: UA 256 0 0 sit0 the generated 6to4 prefix will be Local 6to4 gateways should (but it's not a must, you can choose an arbitrary suffix with local-scope, if you feel better) always assigned the suffix “::1”, therefore your local 6to4 address will be +]]>Local 6to4 gateways should (but it's not a must, you can choose an arbitrary suffix with local-scope, if you feel better) always assigned the suffix ”::1”, therefore your local 6to4 address will be Use e.g. following for automatic generation: /16 dev tun6to4 ]]>Add (default) route to the global IPv6 network using the all-6to4-routers IPv4 anycast address It was reported that some versions of “ip” (e.g. SuSE Linux 9.0) don't support IPv4-compatible IPv6 addresses for gateways, in this case the related IPv6 address has to be used: +]]>It was reported that some versions of ”ip” (e.g. SuSE Linux 9.0) don't support IPv4-compatible IPv6 addresses for gateways, in this case the related IPv6 address has to be used: -Using "ifconfig" and "route" and generic tunnel device “sit0” (deprecated) +Using "ifconfig" and "route" and generic tunnel device ”sit0” (deprecated) This is now deprecated because using the generic tunnel device sit0 doesn't let specify filtering per device. Bring generic tunnel interface sit0 up Remove created tunnel device -Using “ifconfig” and “route” and generic tunnel device “sit0” (deprecated) +Using ”ifconfig” and ”route” and generic tunnel device ”sit0” (deprecated) Remove (default) route through the 6to4 tunnel interface Remove local 6to4 address to interface 
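Review bot: Quoting is inconsistent inside this hunk: the first deprecated heading keeps straight quotes for "ifconfig" and "route" next to ”sit0”, while the removal heading further down quotes all three names with ”. Pick one convention for command and device names and apply it to both headings. The re-added sentence "Local 6to4 gateways should ... always assigned the suffix" is also missing "be" and could be fixed while the line is being replaced.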
@@ -1197,11 +1212,11 @@ ip6tnl1: ip/ipv6 remote fd00:0:0:2::a local fd00:0:0:2::1 dev eth1 encaplimit 4 # /sbin/ip -6 tunnel del ip6tnl3 ]]> <!-- anchor id="chapter-kernel-settings" -->Kernel settings in /proc-filesystem -Note: the source of this section is mostly the file “ip-sysctl.txt” which is included in current kernel sources in directory “Documentation/networking”. Credits to Pekka Savola for maintaining the IPv6-related part in this file. Also some text is more or less copied & pasted into this document. +Note: the source of this section is mostly the file ”ip-sysctl.txt” which is included in current kernel sources in directory ”Documentation/networking”. Credits to Pekka Savola for maintaining the IPv6-related part in this file. Also some text is more or less copied & pasted into this document. How to access the /proc-filesystem -Using “cat” and “echo” -Using “cat” and “echo” is the simplest way to access the /proc filesystem, but some requirements are needed for that +Using ”cat” and ”echo” +Using ”cat” and ”echo” is the simplest way to access the /proc filesystem, but some requirements are needed for that The /proc-filesystem had to be enabled in kernel, means on compiling following switch has to be set 
@@ -1211,17 +1226,17 @@ none on /proc type proc (rw) ]]> You need read and sometimes also write access (normally root only) to the /proc-filesystemNormally, only entries in /proc/sys/* are writable, the others are readonly and for information retrieving only. Retrieving a value -The value of an entry can be retrieved using “cat”: +The value of an entry can be retrieved using ”cat”: Setting a value -A new value can be set (if entry is writable) using “echo”: +A new value can be set (if entry is writable) using ”echo”: /proc/sys/net/ipv6/conf/all/forwarding ]]> -Using “sysctl” -Using the “sysctl” program to access the kernel switches is a modern method today. You can use it also, if the /proc-filesystem isn't mounted. But you have only access to /proc/sys/*! -The program “sysctl” is included in package “procps” (on Red Hat Linux systems). +Using ”sysctl” +Using the ”sysctl” program to access the kernel switches is a modern method today. You can use it also, if the /proc-filesystem isn't mounted. But you have only access to /proc/sys/*! +The program ”sysctl” is included in package ”procps” (on Red Hat Linux systems). The sysctl-interface had to be enabled in kernel, means on compiling following switch has to be set 
@@ -1234,24 +1249,24 @@ net.ipv6.conf.all.forwarding = 0 A new value can be set (if entry is writable): Note: Don't use spaces around the “=” on setting values. Also on multiple values per line, quote them like e.g. +]]>Note: Don't use spaces around the ”=” on setting values. Also on multiple values per line, quote them like e.g. Additionals -Note: There are sysctl versions in the wild which displaying “/” instead of the “.” +Note: There are sysctl versions in the wild which displaying ”/” instead of the ”.” For more details take a look into sysctl's manpage. -Hint: for digging fast into the settings, use the option “-a” (display all entries) in conjunction with “grep”. +Hint: for digging fast into the settings, use the option ”-a” (display all entries) in conjunction with ”grep”. Values found in /proc-filesystems There are several formats seen in /proc-filesystem: -BOOLEAN: simple a “0” (false) or a “1” (true)INTEGER: an integer value, can be unsigned, toomore sophisticated lines with several values: sometimes a header line is displayed also, if not, have a look into the kernel source to retrieve information about the meaning of each value... +BOOLEAN: simple a ”0” (false) or a ”1” (true)INTEGER: an integer value, can be unsigned, toomore sophisticated lines with several values: sometimes a header line is displayed also, if not, have a look into the kernel source to retrieve information about the meaning of each value... <!-- anchor id="proc-sys-net-ipv6." -->Entries in /proc/sys/net/ipv6/ conf/default/* Change the interface-specific default settings. conf/all/* Change all the interface-specific settings. -Exception: “conf/all/forwarding” has a different meaning here +Exception: ”conf/all/forwarding” has a different meaning here conf/all/forwarding Type: BOOLEANThis enables global IPv6 forwarding between all interfaces. 
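Review bot: The quoted items in this hunk are literal characters and options the reader has to type (=, /, ., -a, 0, 1, conf/all/forwarding), and after the change each sits between two closing marks, as in ”=”, which is easy to misread as part of the value. Literal input is better set in literal or command markup, or at least in straight quotes, than in typographic quotes of either direction. The BOOLEAN/INTEGER line also still runs its list items together ("too" followed directly by "more sophisticated"), which the + line carries over unchanged.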
@@ -1393,20 +1408,20 @@ net.ipv4.ip_local_port_range = 32768 61000 others Unknown, but probably not used by IPv6. <!-- anchor id="proc-net" -->IPv6-related entries in /proc/net/ -In /proc/net there are several read-only entries available. You cannot retrieve information using “sysctl” here, so use e.g. “cat”. +In /proc/net there are several read-only entries available. You cannot retrieve information using ”sysctl” here, so use e.g. ”cat”. if_inet6 -Type: One line per addresss containing multiple valuesHere all configured IPv6 addresses are shown in a special format. The example displays for loopback interface only. The meaning is shown below (see “net/ipv6/addrconf.c” for more). +Type: One line per addresss containing multiple valuesHere all configured IPv6 addresses are shown in a special format. The example displays for loopback interface only. The meaning is shown below (see ”net/ipv6/addrconf.c” for more). -IPv6 address displayed in 32 hexadecimal chars without colons as separatorNetlink device number (interface index) in hexadecimal (see “ip addr” , too)Prefix length in hexadecimalScope value (see kernel source “ include/net/ipv6.h” and “net/ipv6/addrconf.c” for more)Interface flags (see “include/linux/rtnetlink.h” and “net/ipv6/addrconf.c” for more)Device name +IPv6 address displayed in 32 hexadecimal chars without colons as separatorNetlink device number (interface index) in hexadecimal (see ”ip addr” , too)Prefix length in hexadecimalScope value (see kernel source ” include/net/ipv6.h” and ”net/ipv6/addrconf.c” for more)Interface flags (see ”include/linux/rtnetlink.h” and ”net/ipv6/addrconf.c” for more)Device name ipv6_route -Type: One line per route containing multiple valuesHere all configured IPv6 routes are shown in a special format. The example displays for loopback interface only. The meaning is shown below (see “net/ipv6/route.c” for more). 
+Type: One line per route containing multiple valuesHere all configured IPv6 routes are shown in a special format. The example displays for loopback interface only. The meaning is shown below (see ”net/ipv6/route.c” for more). Additional info can be found at Linux & IPv6: getaddrinfo and search domains - ResearchRFC 3484 on Linux Karl Auer's Blog: Controlling IPv6 source address selection , IPv6 Source Address Selection - what, why, howInto6: /etc/gai.conf - it ain't what you think it isAddress Resolver & Destination Address Selection Name to IPv4 or IPv6 address resolving is usually done using a libc resolver library. Usually the function getaddrinfo is used for that. In case of more than one IPv6 address is returned, according to RFC 3484 / Default Address Selection for Internet Protocol version 6 a sorting should be applied, which can be optionally configured. -The “magic” is controlled by a file named /etc/gai.conf (it can be that it is empty or missing by default). Default is usually somewhere stored in documentation, see “man gai.conf” or e.g. /usr/share/doc/glibc-common/gai.conf. +The ”magic” is controlled by a file named /etc/gai.conf (it can be that it is empty or missing by default). Default is usually somewhere stored in documentation, see ”man gai.conf” or e.g. /usr/share/doc/glibc-common/gai.conf. For controlling sort order by configuration following are needed for testing: A host in DNS returning more than one IPv6 address, e.g. Source Address Selection Source address selection in Linux is done automatically by kernel and usually only using information from routing tables and try to match the same scope of address. -Source Address Selection with “ip addrlabel” -With extension of internal “ip addrlabel” a source address can be bound to a destination address (e.g. selected via mechanisms above). Binding means here: “same label” (label is a number). 
-Default of “ip addrlabel” (here on CentOS 6): +Source Address Selection with ”ip addrlabel” +With extension of internal ”ip addrlabel” a source address can be bound to a destination address (e.g. selected via mechanisms above). Binding means here: ”same label” (label is a number). +Default of ”ip addrlabel” (here on CentOS 6): -Related tcpdump with filter “tcp and dst port 23” shows only the use of the upper local source IPv6 address +Related tcpdump with filter ”tcp and dst port 23” shows only the use of the upper local source IPv6 address 2001:4dd0:ff00:834::2.telnet: (src-A -> dst-A) IP6 2001:6f8:12d8:2:5054:ff:fefb:6582.45754 > 2a01:238:423d:8800:85b3:9e6b:3019:8909.telnet: (src-A -> dst-B) ]]> -Binding now source and destination with “ip addrlabel” +Binding now source and destination with ”ip addrlabel” -Resulting “ip addrlabel” +Resulting ”ip addrlabel” -Related tcpdump with filter “tcp and dst port 23” shows now the use of both local source IPv6 addresses according to the configured pairs A and B +Related tcpdump with filter ”tcp and dst port 23” shows now the use of both local source IPv6 addresses according to the configured pairs A and B 2001:4dd0:ff00:834::2.telnet: (src-A -> dst-A) IP6 2001:6f8:900:8cbc:5054:ff:fefb:6582.39632 > 2a01:238:423d:8800:85b3:9e6b:3019:8909.telnet: (src-B -> dst-B) -]]>Setup of persistent “ip addrtable” is probably currently not supported by Linux distributions, so extension of network init scripts or rc.local must be used for that. A script which uses information from /etc/gai.conf and configure “ip addrtable” accordingly can be found here: /etc/gai.conf - it ain't what you think it is +]]>Setup of persistent ”ip addrtable” is probably currently not supported by Linux distributions, so extension of network init scripts or rc.local must be used for that. 
A script which uses information from /etc/gai.conf and configure ”ip addrtable” accordingly can be found here: /etc/gai.conf - it ain't what you think it is <!-- anchor id="network-debugging" -->Network debugging Server socket binding -Using “netstat” for server socket binding check -It's always interesting which server sockets are currently active on a node. Using “netstat” is a short way to get such information: +Using ”netstat” for server socket binding check +It's always interesting which server sockets are currently active on a node. Using ”netstat” is a short way to get such information: Used options: -nlptu Example: Router with link-local address “fe80::212:34ff:fe12:3450” send an advertisement to the all-node-on-link multicast address “ff02::1” containing two prefixes “2002:0102:0304:1::/64” (lifetime 30 s) and “2001:0db8:0:1::/64” (lifetime 2592000 s) including its own layer 2 MAC address “0:12:34:12:34:50”. +]]>Router with link-local address ”fe80::212:34ff:fe12:3450” send an advertisement to the all-node-on-link multicast address ”ff02::1” containing two prefixes ”2002:0102:0304:1::/64” (lifetime 30 s) and ”2001:0db8:0:1::/64” (lifetime 2592000 s) including its own layer 2 MAC address ”0:12:34:12:34:50”. Router solicitation ff02::2: icmp6: router solicitation ¬ (src lladdr: 0:12:34:12:34:56) (len 16, hlim 255) -]]>Node with link-local address “fe80::212:34ff:fe12:3456” and layer 2 MAC address “0:12:34:12:34:56” is looking for a router on-link, therefore sending this solicitation to the all-router-on-link multicast address “ff02::2”. +]]>Node with link-local address ”fe80::212:34ff:fe12:3456” and layer 2 MAC address ”0:12:34:12:34:56” is looking for a router on-link, therefore sending this solicitation to the all-router-on-link multicast address ”ff02::2”. 
Neighbor discovery Neighbor discovery solicitation for duplicate address detection -Following packets are sent by a node with layer 2 MAC address “0:12:34:12:34:56” during autoconfiguration to check whether a potential address is already used by another node on the link sending this to the solicited-node link-local multicast address. -Node wants to configure its link-local address “fe80::212:34ff:fe12:3456”, checks for duplicate now +Following packets are sent by a node with layer 2 MAC address ”0:12:34:12:34:56” during autoconfiguration to check whether a potential address is already used by another node on the link sending this to the solicited-node link-local multicast address. +Node wants to configure its link-local address ”fe80::212:34ff:fe12:3456”, checks for duplicate now ff02::1:ff12:3456: icmp6: neighbor sol: who has ¬ fe80::212:34ff:fe12:3456(src lladdr: 0:12:34:12:34:56) (len 32, hlim 255) ]]> -Node wants to configure its global address “2002:0102:0304:1:212:34ff:fe12:3456” (after receiving advertisement shown above), checks for duplicate now +Node wants to configure its global address ”2002:0102:0304:1:212:34ff:fe12:3456” (after receiving advertisement shown above), checks for duplicate now ff02::1:ff12:3456: icmp6: neighbor sol: who has ¬ 2002:0102:0304:1:212:34ff:fe12:3456(src lladdr: 0:12:34:12:34:56) (len 32, ¬ hlim 255) ]]> -Node wants to configure its global address “2001:0db8:0:1:212:34ff:fe12:3456” (after receiving advertisement shown above), checks for duplicate now +Node wants to configure its global address ”2001:0db8:0:1:212:34ff:fe12:3456” (after receiving advertisement shown above), checks for duplicate now ff02::1:ff12:3456: icmp6: neighbor sol: who has ¬ 2001:0db8:0:1:212:34ff:fe12:3456(src lladdr: 0:12:34:12:34:56) (len 32, hlim ¬ 255) ]]> Neighbor discovery solicitation for looking for host or gateway -Node wants to send packages to “2001:0db8:0:1::10” but has no layer 2 MAC address to send packet, so send solicitation now +Node wants 
to send packages to ”2001:0db8:0:1::10” but has no layer 2 MAC address to send packet, so send solicitation now ff02::1:ff00:10: icmp6: ¬ neighbor sol: who has 2001:0db8:0:1::10(src lladdr: 0:e0:18:90:92:5) (len 32, ¬ hlim 255) ]]> -Node looks for “fe80::10” now +Node looks for ”fe80::10” now ff02::1:ff00:10: icmp6: neighbor ¬ sol: who has fe80::10(src lladdr: 0:e0:18:90:92:5) (len 32, hlim 255) ]]> <!-- anchor id="chapter-support-persistent-configuration" -->Support for persistent IPv6 configuration in Linux distributions Some Linux distribution contain already support of a persistent IPv6 configuration using existing or new configuration and script files and some hook in the IPv4 script files. -Red Hat Linux and “clones” +Red Hat Linux and ”clones” Since starting writing the IPv6 & Linux - HowTo it was my intention to enable a persistent IPv6 configuration which catch most of the wished cases like host-only, router-only, dual-homed-host, router with second stub network, normal tunnels, 6to4 tunnels, and so on. Nowadays there exists a set of configuration and script files which do the job very well (never heard about real problems, but I don't know how many use the set). Because this configuration and script files are extended from time to time, they got their own homepage: initscripts-ipv6 homepage (Mirror). Because I began my IPv6 experience using a Red Hat Linux 5.0 clone, my IPv6 development systems are mostly Red Hat Linux based now, it's kind a logic that the scripts are developed for this kind of distribution (so called historic issue). Also it was very easy to extend some configuration files, create new ones and create some simple hook for calling IPv6 setup during IPv4 setup. Fortunately, in Red Hat Linux since 7.1 a snapshot of my IPv6 scripts is included, this was and is still further on assisted by Pekka Savola. 
-Mandrake since version 8.0 also includes an IPv6-enabled initscript package, but a minor bug still prevents usage (“ifconfig” misses “inet6” before “add”). +Mandrake since version 8.0 also includes an IPv6-enabled initscript package, but a minor bug still prevents usage (”ifconfig” misses ”inet6” before ”add”). Test for IPv6 support of network configuration scripts You can test, whether your Linux distribution contain support for persistent IPv6 configuration using my set. Following script library should exist: -If result is “off”, then enable IPv6 networking by editing /etc/sysconfig/network, add following new line +If result is ”off”, then enable IPv6 networking by editing /etc/sysconfig/network, add following new line Reboot or restart networking using 
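Review bot: The rewritten sentence at the end of the source address selection part still says ”ip addrtable” twice ("Setup of persistent ”ip addrtable” ..." and "configure ”ip addrtable” accordingly"), while every heading and command in that part is ”ip addrlabel”. Since the line is being replaced anyway, correct both occurrences to ip addrlabel. The same applies to "addresss" in the if_inet6 type line and to the stray space in ” include/net/ipv6.h”, both of which the + lines carry over unchanged.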
@@ -2134,11 +2149,11 @@ Chain intOUT (1 references) Firewalling using nftables -nftables adds in addition to protocol specific tables “ip” (IPv4) and “ip6” (IPv6) support for a IPv4/IPv6 aware table named “inet”. Using this table it's possible to add only one rule and match both protocols (in case of UDP and TCP). +nftables adds in addition to protocol specific tables ”ip” (IPv4) and ”ip6” (IPv6) support for a IPv4/IPv6 aware table named ”inet”. Using this table it's possible to add only one rule and match both protocols (in case of UDP and TCP). Take care if rules are contained in more than one table, because the tables are checked in sequence: table "ip" --> table "inet" --> further checks IPv6-Packet --> table "ip6" --> table "inet" --> further checks -]]>If table “ip6” accepts the packet, also table “inet” must accept the packet, otherwise it can be dropped by a later drop rule. +]]>If table ”ip6” accepts the packet, also table ”inet” must accept the packet, otherwise it can be dropped by a later drop rule. Preparation for nftables usage Install a Linux distribution which has nftables support already included. At time of writing (May 2014) at least Fedora Rawhide (upcoming version 21) has support in conjunction with nftables version 0.2.0. Basic nftables configuration @@ -2155,7 +2170,7 @@ IPv6-Packet --> table "ip6" --> table "inet" --> further checks ]]>Create input chain: -Simple filter policy with nftables using only table “inet” +Simple filter policy with nftables using only table ”inet” Configuration Allow packets which are related to existing connection tracking entries 
@@ -2196,13 +2211,13 @@ IPv6-Packet --> table "ip6" --> table "inet" --> further checks To enable logging, an additonal kernel module must be loaded BUT TAKE CARE, IT LOOKS LIKE THAT NO LOG LEVEL CAN BE SPEFICIED CURRENTLY IN nftables, resulting that events are logged with kern.emerg - POSSIBILITY OF FLODDING THE CONSOLE WITH LOG ENTRIES! -Fir initial test with logging it can be useful to disable kernel console logging in e.g. /etc/rsyslog.conf by putting a “#” in front of the related entry and restart logging daemon +Fir initial test with logging it can be useful to disable kernel console logging in e.g. /etc/rsyslog.conf by putting a ”#” in front of the related entry and restart logging daemon Rule from above accepting SSH on port 22, but now with logging: -Filter policy with nftables using tables “ip”, “ip6” and “inet” -As written above, if rules should be stored in related tables, it must be assured that earlier accepts are not discarded in the further table. This can be done using “meta mark set xxxx” on every accept rule and generic rules which accepts packets with “mark xxxx”. A resulting filter set would look like the following: +Filter policy with nftables using tables ”ip”, ”ip6” and ”inet” +As written above, if rules should be stored in related tables, it must be assured that earlier accepts are not discarded in the further table. This can be done using ”meta mark set xxxx” on every accept rule and generic rules which accepts packets with ”mark xxxx”. A resulting filter set would look like the following: Current versions (as time of writing 2.6.9 and upper) support native IPsec for IPv4 and IPv6. Implementation was helped by the USAGI project. Automatic key exchange (IKE) -IPsec requires a key exchange of a secret. This is mostly done automatically by so called IKE daemons. They also handle the authentication of the peers, either by a common known secret (so called “pre-shared secret”) or by RSA keys (which can also be used from X.509 certificates). 
+IPsec requires a key exchange of a secret. This is mostly done automatically by so called IKE daemons. They also handle the authentication of the peers, either by a common known secret (so called ”pre-shared secret”) or by RSA keys (which can also be used from X.509 certificates). Currently, two different IKE daemons are available for Linux, which totally differ in configuration and usage. -I prefer “pluto” from the *S/WAN implementation because of the easier and one-config-only setup. -IKE daemon “racoon” -The IKE daemon “racoon” is taken from the KAME project and ported to Linux. Modern Linux distributions contain this daemon in the package “ipsec-tools”. Two executables are required for a proper IPsec setup. Take a look on Linux Advanced Routing & Traffic Control HOWTO / IPSEC, too. -Manipulation of the IPsec SA/SP database with the tool “setkey” -“setkey” is important to define the security policy (SP) for the kernel. +I prefer ”pluto” from the *S/WAN implementation because of the easier and one-config-only setup. +IKE daemon ”racoon” +The IKE daemon ”racoon” is taken from the KAME project and ported to Linux. Modern Linux distributions contain this daemon in the package ”ipsec-tools”. Two executables are required for a proper IPsec setup. Take a look on Linux Advanced Routing & Traffic Control HOWTO / IPSEC, too. +Manipulation of the IPsec SA/SP database with the tool ”setkey” +”setkey” is important to define the security policy (SP) for the kernel. File: /etc/racoon/setkey.sh Example for an end-to-end encrypted connection in transport mode For the other peer, you have to replace “in” with “out”. -Configuration of the IKE daemon “racoon” -“racoon” requires a configuration file for proper execution. It includes the related settings to the security policy, which should be set up previously using “setkey”. +]]>For the other peer, you have to replace ”in” with ”out”. 
+Configuration of the IKE daemon ”racoon” +”racoon” requires a configuration file for proper execution. It includes the related settings to the security policy, which should be set up previously using ”setkey”. File: /etc/racoon/racoon.conf -Running IPsec with IKE daemon “racoon” +Running IPsec with IKE daemon ”racoon” At least the daemon needs to be started. For the first time, use debug and foreground mode. The following example shows a successful IKE phase 1 (ISAKMP-SA) and 2 (IPsec-SA) negotiation: 2001:db8:1:1::1 spi=253935531(0xf22bfab) 2005-01-01 20:31:10: INFO: IPsec-SA established: ¬ ESP/Tunnel 2001:db8:1:1::1->2001:db8:2:2::2 spi=175002564(0xa6e53c4) -]]>Each direction got its own IPsec-SA (like defined in the IPsec standard). With “tcpdump” on the related interface, you will see as result of an IPv6 ping: +]]>Each direction got its own IPsec-SA (like defined in the IPsec standard). With ”tcpdump” on the related interface, you will see as result of an IPv6 ping: 2001:db8:2:2::2: ESP(spi=0x0a6e53c4,seq=0x3) 20:35:55.537522 2001:db8:2:2::2 > 2001:db8:1:1::1: ESP(spi=0x0f22bfab,seq=0x3) ]]>As expected, the negotiated SPIs are being used here. -And using “setkey”, current active parameters are shown: +And using ”setkey”, current active parameters are shown: -IKE daemon “pluto” -The IKE daemon “pluto” is included in distributions of the *S/WAN projects. *S/WAN project starts at the beginning as FreeS/WAN. Unfortunately, the FreeS/WAN project stopped further development in 2004. Because of the slow pace of development in the past, two spin-offs started: strongSwan and Openswan. Today, readily installable packages are available for at least Openswan (included in Fedora Core 3). -A major difference to “racoon”, only one configuration file is required. Also, an initscript exists for automatic setup after booting. -Configuration of the IKE daemon “pluto” +IKE daemon ”pluto” +The IKE daemon ”pluto” is included in distributions of the *S/WAN projects. 
*S/WAN project starts at the beginning as FreeS/WAN. Unfortunately, the FreeS/WAN project stopped further development in 2004. Because of the slow pace of development in the past, two spin-offs started: strongSwan and Openswan. Today, readily installable packages are available for at least Openswan (included in Fedora Core 3). +A major difference to ”racoon”, only one configuration file is required. Also, an initscript exists for automatic setup after booting. +Configuration of the IKE daemon ”pluto” The configuration is very similar to the IPv4 one, only one important option is necessary. File: /etc/ipsec.conf File: /etc/ipsec.secrets -Running IPsec with IKE daemon “pluto” +Running IPsec with IKE daemon ”pluto” If installation of Openswan was successfully, an initscript should exist for starting IPsec, simply run (on each peer): Afterwards, start this connection on one peer. If you saw the line “IPsec SA established”, all worked fine. +]]>Afterwards, start this connection on one peer. If you saw the line ”IPsec SA established”, all worked fine. 0xa98b7710 <0xa51e1f22} -]]>Because *S/WAN and setkey/racoon do use the same IPsec implementation in Linux 2.6.x kernel, “setkey” can be used here too to show current active parameters: +]]>Because *S/WAN and setkey/racoon do use the same IPsec implementation in Linux 2.6.x kernel, ”setkey” can be used here too to show current active parameters: Additional informations: -On Linux Kernel 2.6.x you can get the policy and status of IPsec also using “ip”: +On Linux Kernel 2.6.x you can get the policy and status of IPsec also using ”ip”: ------- ]]> -Linux QoS using “tc” -Linux is using “tc” from the “iproute2” package to configure traffic shaping, generally described in the Linux Advanced Routing & Traffic Control HOWTO. +Linux QoS using ”tc” +Linux is using ”tc” from the ”iproute2” package to configure traffic shaping, generally described in the Linux Advanced Routing & Traffic Control HOWTO. 
Example for a constant bitrate queuing -With the “cbq” scheduler, pipes with constant bit rates can be defined. +With the ”cbq” scheduler, pipes with constant bit rates can be defined. Root qdisc definition Define root qdisc with a bandwidth of 1000 MBit/s on eth1 The rate result should be as defined in the classes (see above), the results on port 5002 should be very similar independend from used IP version. <!-- anchor id="chapter-hints-daemons" -->Hints for IPv6-enabled daemons Here some hints are shown for IPv6-enabled daemons. -<!-- anchor id="hints-daemons-bind" -->Berkeley Internet Name Domain (BIND) daemon “named” +<!-- anchor id="hints-daemons-bind" -->Berkeley Internet Name Domain (BIND) daemon ”named” IPv6 is supported since version 9. Always use newest available version. At least version 9.1.3 must be used, older versions can contain remote exploitable security holes. Listening on IPv6 addresses Note: unlike in IPv4 current versions doesn't allow to bind a server socket to dedicated IPv6 addresses, so only any or none are valid. Because this can be a security issue, check the Access Control List (ACL) section below, too! 
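Review bot: The re-added nftables logging line still begins "Fir initial test with logging"; it should read "For initial tests with logging". The unchanged warning directly above it has "additonal", "SPEFICIED" and "FLODDING", and because it is the one place that tells the reader that events are logged with kern.emerg and can flood the console, it is worth correcting in the same pass. In the IPsec part of this hunk, two sentences now open with a closing mark (”setkey” is important ..., ”racoon” requires ...), which reads as a stray character at the start of the paragraph.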
@@ -2720,7 +2735,7 @@ tcp 0 0 2001:0db8:100::2:80 :::* LISTEN 12345/httpd2 ]]>For simple tests use the telnet example already shown. Additional notes -Apache2 supports a method called “sendfile” to speedup serving data. Some NIC drivers also support offline checksumming. In some cases, this can lead to connection problems and invalid TCP checksums. In this cases, disable “sendfile” either by recompiling using configure option “--without-sendfile” or by using the "EnableSendfile off" directive in configuration file. +Apache2 supports a method called ”sendfile” to speedup serving data. Some NIC drivers also support offline checksumming. In some cases, this can lead to connection problems and invalid TCP checksums. In this cases, disable ”sendfile” either by recompiling using configure option ”--without-sendfile” or by using the "EnableSendfile off" directive in configuration file. <!-- anchor id="hints-daemons-radvd" -->Router Advertisement Daemon (radvd) The router advertisement daemon is very useful on a LAN, if clients should be auto-configured. The daemon itself should run on the Linux default IPv6 gateway router (it's not required that this is also the default IPv4 gateway, so pay attention who on your LAN is sending router advertisements). You can specify some information and flags which should be contained in the advertisement. Common used are 
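Review bot: The rewritten sendfile paragraph keeps the phrase "offline checksumming"; for NIC drivers the intended term is presumably checksum offloading, so please confirm and reword. The same sentence mixes ”--without-sendfile” with the straight-quoted "EnableSendfile off", and a configure option that readers will copy should not sit inside typographic quotes.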
@@ -2772,7 +2787,7 @@ tcp 0 0 2001:0db8:100::2:80 :::* LISTEN 12345/httpd2 This route needs to be replaced every time the prefix changes, which is the case after a new IPv4 address was assigned to the dial-up interface. Debugging -A program called “radvdump” can help you looking into sent or received advertisements. Simple to use: +A program called ”radvdump” can help you looking into sent or received advertisements. Simple to use: ISC Dynamic Host Configuration Server (dhcpd) ISC DHCP supports IPv6 since version 4.x. Configuration of the ISC DHCP server for IPv6 (dhcpd) -Note that currently, the ISC DHCP server can only serve IPv4 or IPv6, means you have to start the daemon twice (for IPv6 with option “-6”) to support both protocols. +Note that currently, the ISC DHCP server can only serve IPv4 or IPv6, means you have to start the daemon twice (for IPv6 with option ”-6”) to support both protocols. Simple configuration Create a dedicated configuration file /etc/dhcp/dhcpd6.conf for the IPv6 part of the dhcpd. Note, that the router requires to have a interface configured with an IPv6 address out of the defined subnet. Note that the “dhcp.client-id” no longer belongs to a MAC address, an unique ID is used instead! “dhcp6c” (see above) uses the file /var/lib/dhcpv6/dhcp6c_duid (would be created during first start, if not existing) as unique identity. It's a 14 byte long identifier, starting with a 2 byte length information (usually “0x000e”): +]]>Note that the ”dhcp.client-id” no longer belongs to a MAC address, an unique ID is used instead! ”dhcp6c” (see above) uses the file /var/lib/dhcpv6/dhcp6c_duid (would be created during first start, if not existing) as unique identity. It's a 14 byte long identifier, starting with a 2 byte length information (usually ”0x000e”): Usage 
@@ -3023,7 +3038,7 @@ Jan 2 20:42:19 gate sshd[12345]: Accepted password for user ]]>That's all. <!-- anchor id="hints-daemons-others" -->Other daemons -Nowadays it's mostly simple, look for either a command line option or a configuration value to enable IPv6 listening. See manual page of the daemon or check related FAQs. It can happen that you can bind a daemon only to the IPv6-“any”-address (::) and not to bind to a dedicated IPv6 address, because the lack of support (depends on that what the programmer has implemented so far...). +Nowadays it's mostly simple, look for either a command line option or a configuration value to enable IPv6 listening. See manual page of the daemon or check related FAQs. It can happen that you can bind a daemon only to the IPv6-”any”-address (::) and not to bind to a dedicated IPv6 address, because the lack of support (depends on that what the programmer has implemented so far...). <!-- anchor id="chapter-programming" -->Programming <!-- anchor id="chapter-section-using-API" --><!-- anchor id="chapter-programming-using-API" -->Programming using C-API 
@@ -3032,7 +3047,7 @@ Jan 2 20:42:19 gate sshd[12345]: Accepted password for user This section describes how to write IPv6 client-server applications under the Linux operating system. First thing's first, and credit must be given where it is due. The information contained in this section is derived from Chapters 2 through 4 of IPv6 Network Programming by Jun-ichiro itojun Hagino (ISBN 1-55558-318-0). The reader is encouraged to consult that book for more detailed information. It describes how to convert IPv4 applications to be IPv6 compatible in a protocol-independent way, and describes some of the common problems encountered during the conversion along with suggested solutions. At the time of this writing, this is the only book of which the author is aware that specifically addresses how to program IPv6 applications [since writing this section, the author has also become aware of the Porting applications to IPv6 HowTo by Eva M. Castro at http://jungla.dit.upm.es/~ecastro/IPv6-web/ipv6.html]. Unfortunately, of the almost 360 pages in the book, maybe 60 are actually useful (the chapters mentioned). Nevertheless, without the guidance of that book, the author would have been unable to perform his job duties or compose this HowTo. While most (but certainly not all) of the information in the Hagino book is available via the Linux 'man' pages, application programmers will save a significant amount of time and frustration by reading the indicated chapters of the book rather than searching through the 'man' pages and online documentation. -Other than the Hagino book, any other information presented in this HowTo was obtained through trial and error. Some items or explanations may not be entirely “correct” in the grand IPv6 scheme, but seem to work in practical application. +Other than the Hagino book, any other information presented in this HowTo was obtained through trial and error. 
Some items or explanations may not be entirely ”correct” in the grand IPv6 scheme, but seem to work in practical application. The discussion that follows assumes the reader is already experienced with the traditional TCP/IP socket API. For more information on traditional socket programming, the Internetworking with TCP/IP series of textbooks by Comer & Stevens is hard to beat, specifically Volume III: Client-Server Programming and Applications, Linux/POSIX Sockets Version (ISBN 0-13-032071-4). This HowTo also assumes that the reader has had at least a bare basic introduction to IPv6 and in particular the addressing scheme for network addresses (see Section 2.3). Address Structures This section provides a brief overview of the structures provided in the socket API to represent network addresses (or more specifically transport endpoints) when using the Internet protocols in a client-server application. 
@@ -3058,7 +3073,7 @@ Jan 2 20:42:19 gate sshd[12345]: Accepted password for user }; ]]>The sin6_family, sin6_port, and sin6_addr components of the structure have the same meaning as the corresponding fields in the sockaddr_in structure. However, the sin6_family member is set to AF_INET6 for IPv6 addresses, and the sin6_addr field holds a 128-bit address instead of only 32 bits. The sin6_flowinfo field is used for flow control, but is not yet standardized and can be ignored. -The sin6_scope_id field has an odd use, and it seems (at least to this naïve author) that the IPv6 designers took a huge step backwards when devising this. Apparently, 128-bit IPv6 network addresses are not unique. For example, it is possible to have two hosts, on separate networks, with the same link-local address (see Figure 1). In order to pass information to a specific host, more than just the network address is required; the scope identifier must also be specified. In Linux, the network interface name is used for the scope identifier (e.g. “eth0”) [be warned that the scope identifier is implementation dependent!]. Use the ifconfig(1M) command to display a list of active network interfaces. +The sin6_scope_id field has an odd use, and it seems (at least to this naïve author) that the IPv6 designers took a huge step backwards when devising this. Apparently, 128-bit IPv6 network addresses are not unique. For example, it is possible to have two hosts, on separate networks, with the same link-local address (see Figure 1). In order to pass information to a specific host, more than just the network address is required; the scope identifier must also be specified. In Linux, the network interface name is used for the scope identifier (e.g. ”eth0”) [be warned that the scope identifier is implementation dependent!]. Use the ifconfig(1M) command to display a list of active network interfaces. A colon-hex network address can be augmented with the scope identifier to produce a "scoped address”. 
The percent sign ('%') is used to delimit the network address from the scope identifier. For example, fe80::1%eth0 is a scoped IPv6 address where fe80::1 represents the 128-bit network address and eth0 is the network interface (i.e. the scope identifier). Thus, if a host resides on two networks, such as Host B in example below, the user now has to know which path to take in order to get to a particular host. In Figure 1, Host B addresses Host A using the scoped address fe80::1%eth0, while Host C is addressed with fe80::1%eth1. Getting back to the sockaddr_in6 structure, its sin6_scope_id field contains the index of the network interface on which a host may be found. Server applications will have this field set automatically by the socket API when they accept a connection or receive a datagram. For client applications, if a scoped address is passed as the node parameter to getaddrinfo(3) (described later in this HowTo), then the sin6_scope_id field will be filled in correctly by the system upon return from the function; if a scoped address is not supplied, then the sin6_scope_id field must be explicitly set by the client software prior to attempting to communicate with the remote server. The if_nametoindex(3) function is used to translate a network interface name into its corresponding index. It is declared in <net/if.h>. 
@@ -4883,7 +4898,7 @@ static void tod( int sckt ) Sun Java versions since 1.4 are IPv6 enabled, see e.g. Inet6Address (1.5/5.0) class. Hints are available in the Networking IPv6 User Guide for JDK/JRE 1.4 and 1.5 (5.0). Perl As of May 2007 it's not known that the Perl core itself already supports IPv6. It can be added by using following modules: -Socket6Anyway, some other modules exist for/with IPv6 support (e.g. Net::IP), search for “IPv6” on http://search.cpan.org/. +Socket6Anyway, some other modules exist for/with IPv6 support (e.g. Net::IP), search for ”IPv6” on http://search.cpan.org/. <!-- anchor id="chapter-interoperability" -->Interoperability The TAHI Project checks the interoperability of different operating systems regarding the implementation of IPv6 features. Linux kernel already got the IPv6 Ready Logo Phase 1. <!-- anchor id="chapter-information" -->Further information and URLs 
@@ -4956,7 +4971,7 @@ SourceForge: Project Info - DeepSpace6 / (Not only) Linux IPv6 Portal - Italy (Mirror)IPv6-HowTo for Linux by Peter Bieringer - Germany, and his Bieringer / IPv6 - software archiveLinux+IPv6 status by Peter Bieringer - Germany (going obsolete)DeepSpace6 / IPv6 Status Page - Italy (Mirror) (will superseed upper one)USAGI project - Japan, and their USAGI project - software archiveLinux Optimized Link State Routing Protocol (OLSR) IPv6 HOWTOLinShim6 Linux related per distribution -PLDPLD Linux Distribution (“market leader” in containing IPv6 enabled packages)Red HatRed Hat Enterprise Linux, Pekka Savola's IPv6 packages (Historic)FedoraFedora (Project) LinuxDebianDebian Linux, IPv6 with Debian LinuxSuSESuSE LinuxMandrivaMandriva (Historic)For more see the IPv6+Linux Status Distributions page. +PLDPLD Linux Distribution (”market leader” in containing IPv6 enabled packages)Red HatRed Hat Enterprise Linux, Pekka Savola's IPv6 packages (Historic)FedoraFedora (Project) LinuxDebianDebian Linux, IPv6 with Debian LinuxSuSESuSE LinuxMandrivaMandriva (Historic)For more see the IPv6+Linux Status Distributions page. General IPv6.org6boneWIDE project - JapanSWITCH IPv6 Pilot - SwitzerlandIPv6 Corner of Hubert Feyrer - GermanyIPv6 Forum - a world-wide consortium of leading Internet vendors, Research & Education Networks...Playground.sun.com / IPv6 Info Page - maintained by Robert Hinden, Nokia. Get any information about IPv6, from overviews, through RFCs & drafts, to implementations (including availability of stacks on various platforms & source code for IPv6 stacks).6INIT - IPv6 Internet Initiative - an EU Fifth Framework Project under the IST Programme.IPv6 Task Force (European Union)6init - IPv6 INternet IniTiative IPv6: The New Version of the Internet Protocol, by Steve Deering.IPv6: The Next Generation Internet Protocol, by Gary C. Kessler. 
IPv6: Next Generation Internet Protocol - 3Cominternet || site and internet2 Working GroupNetworkWorldFusion: Search / Doc Finder: searched for IPv6 (102 documents found 22.12.2002)The Register (Search for IPv6 will result in 30 documents, 22.12.2002)ZDNet Search for IPv6TechTarget Search for IPv6IPv6 & TCP Resources ListSomething missing? Suggestions are welcome! @@ -5047,7 +5062,7 @@ SourceForge: Project Info - IpInfusion's ZebOS Server Routing Software <!-- anchor id="information-ipv6andsecurity" -->IPv6 Security -Internet Security Systems: Security Center, X-Force Database Search (21.12.2002 - 6 topics found relating to IPv6)NIST IPsec Project ( National Institute of Standards and Technology, NIST)Information SecurityNewOrder.box.sk (search for IPv6) (Articles, exploits, files database etc.) +NIST IPsec Project ( National Institute of Standards and Technology, NIST)Information SecurityNewOrder.box.sk (search for IPv6) (Articles, exploits, files database etc.) Application lists DeepSpace6 / IPv6 Status Page (Mirror)IPv6.org / IPv6 enabled applicationsFreshmeat / IPv6 search, currently (14 Dec 2002) 62 projectsIPv6 Forum / Web Links 
@@ -5284,7 +5299,7 @@ Publisher: MarketResearch.com; ISBN B00006334Y; (November 1, 2001) Versions x.y.z are work-in-progress and published as LyX and SGML file on CVS. Because Deep Space 6 mirrors these SGML files and generate independend from TLDP public versions, this versions will show up there and also on its mirrors. Releases 0.x -0.67wip2015-08-18/PB: fix some broken URLs, 20151016/bie: remove broken URL to Spanish transation, 20161215/bie: update some URLs0.662010-04-20/PB: extend QoS section with examples, 20130513/PB: add IPv6 NAT hints, 20130521/PB: review dhcpd, 20131019/bie: general review, 20140502/bie: add hints for nftables, 20140513/bie: extend section regarding address resolution and add source/destination address selection information, 20140515/bie: add hints for activation of privacy extension0.652009-12-13/PB: minor fixes0.642009-06-11/PB: extend DHCP server examples (ISC DHCP, Dibbler)0.632009-02-14/PB: Fix FSF address, major update on 4in6 tunnels, add new section for address resolving, add some URLs, remove broken URLs0.622008-11-09/PB: Adjust URL to Turkish howto, add some HIP related URLs, remove broken URLs0.61.12007-11-11/PB: fix broken description of shortcut BIND0.612007-10-06/PB: fix broken URLs to TLDP-CVS, minor URL update.0.60.22007-10-03/PB: fix description of sysctl/autoconf (credits to Francois-Xavier Le Bail)0.60.12007-06-16/PB: speling fixes (credits to Larry W. 
Burton)0.602007-05-29/PB: import major contribution to Programming using C-API written by John Wenker, minor fixes0.522007-05-23/PB: update firewalling chapter, improve document for proper SGML validation, minor bugfixes0.512006-11-08/PB: remove broken URLs, add a new book (credits to Bryan Vukich)0.50.22006-10-25/PB: fix typo in dhcp6 section (credits to Michele Ferritto)0.50.12006-09-23/PB: add some URLs0.502006-08-24/PB: check RFC URLs, fix URL to Chinese translation, finalize for publishing0.49.52006-08-23/PB: fix/remove broken URLs0.49.42006-08-21/PB: some review, update and enhancement of the content, replace old 6bone example addresses with the current defined ones.0.49.32006-08-20/PB: fix bug in maillist entries, 'mobility' is now a separate chapter0.49.22006-08-20/PB: update and cleanup of maillist entries0.49.12006-06-13/PB: major update of mobility section (contributed by Benjamin Thery)0.492005-10-03/PB: add configuration hints for DHCPv6, major broken URL cleanup (credits to Necdet Yucel)0.48.12005-01-15/PB: minor fixes0.482005-01-11/PB: grammar check and minor review of IPv6 IPsec section0.47.12005-01-01/PB: add information and examples about IPv6 IPsec, add some URLs0.472004-08-30/PB: add some notes about proftpd, vsftpd and other daemons, add some URLs, minor fixes, update status of Spanish translation0.46.42004-07-19/PB: minor fixes0.46.32004-06-23/PB: add note about started Greek translation, replace Taiwanese with Chinese for related translation0.46.22004-05-22/PB: minor fixes0.46.12004-04-18/PB: minor fixes0.462004-03-04/PB: announce Italian translation, add information about DHCPv6, minor updates0.45.12004-01-12/PB: add note about the official example address space0.452004-01-11/PB: minor fixes, add/fix some URLs, some extensions0.44.22003-10-30/PB: fix some copy&paste text bugs0.44.12003-10-19/PB: add note about start of Italian translation0.442003-08-15/PB: fix URLs, add hint on tcp_wrappers (about broken notation in some versions) and 
Apache20.43.42003-07-26/PB: fix URL, add archive URL for maillist users at ipv6.org, add some ds6 URLs0.43.32003-06-19/PB: fix typos0.43.22003-06-11/PB: fix URL0.43.12003-06-07/PB: fix some URLs, fix credits, add some notes at IPsec0.432003-06-05/PB: add some notes about configuration in SuSE Linux, add URL of French translation0.422003-05-09/PB: minor fixes, announce French translation0.41.42003-05-02/PB: Remove a broken URL, update some others.0.41.32003-04-23/PB: Minor fixes, remove a broken URL, fix URL to Taiwanese translation0.41.22003-04-13/PB: Fix some typos, add a note about a French translation is in progress0.41.12003-03-31/PB: Remove a broken URL, fix another0.412003-03-22/PB: Add URL of German translation0.40.22003-02-27/PB: Fix a misaddressed URL0.40.12003-02-12/PB: Add Debian-Linux-Configuration, add a minor note on translations0.402003-02-10/PB: Announcing available German version0.39.22003-02-10/GK: Minor syntax and spelling fixes0.39.12003-01-09/PB: fix an URL (draft adopted to an RFC)0.392003-01-13/PB: fix a bug (forgotten 'link” on “ip link set” (credits to Yaniv Kaul)0.38.12003-01-09/PB: a minor fix0.382003-01-06/PB: minor fixes0.37.12003-01-05/PB: minor updates0.372002-12-31/GK: 270 new links added (searched in 1232 SearchEngines) in existing and 53 new (sub)sections0.36.12002-12-20/PB: Minor fixes0.362002-12-16/PB: Check of and fix broken links (credits to Georg Käfer), some spelling fixes0.352002-12-11/PB: Some fixes and extensions0.34.12002-11-25/PB: Some fixes (e.g. 
broken linuxdoc URLs)0.342002-11-19/PB: Add information about German translation (work in progress), some fixes, create a small shortcut explanation list, extend “used terms” and add two German books0.332002-11-18/PB: Fix broken RFC-URLs, add parameter ttl on 6to4 tunnel setup example0.322002-11-03/PB: Add information about Taiwanese translation0.31.12002-10-06/PB: Add another maillist0.312002-09-29/PB: Extend information in proc-filesystem entries0.302002-09-27/PB: Add some maillists0.292002-09-18/PB: Update statement about nmap (triggered by Fyodor)0.28.12002-09-16/PB: Add note about ping6 to multicast addresses, add some labels0.282002-08-17/PB: Fix broken LDP/CVS links, add info about Polish translation, add URL of the IPv6 Address Oracle0.272002-08-10/PB: Some minor updates0.26.22002-07-15/PB: Add information neighbor discovery, split of firewalling (got some updates) and security into extra chapters0.26.12002-07-13/PB: Update nmap/IPv6 information0.262002-07-13/PB: Fill /proc-filesystem chapter, update DNS information about depricated A6/DNAME, change P-t-P tunnel setup to use of “ip” only0.25.22002-07-11/PB: Minor spelling fixes0.25.12002-06-23/PB: Minor spelling and other fixes0.252002-05-16/PB: Cosmetic fix for 2^128, thanks to José Abílio Oliveira Matos for help with LyX0.242002-05-02/PB: Add entries in URL list, minor spelling fixes0.232002-03-27/PB: Add entries in URL list and at maillists, add a label and minor information about IPv6 on RHL0.222002-03-04/PB: Add info about 6to4 support in kernel series 2.2.x and add an entry in URL list and at maillists0.212002-02-26/PB: Migrate next grammar checks submitted by John Ronan 0.20.42002-02-21/PB: Migrate more grammar checks submitted by John Ronan, add some additional hints at DNS section 0.20.32002-02-12/PB: Migrate a minor grammar check patch submitted by John Ronan0.20.22002-02-05/PB: Add mipl to maillist table0.20.12002-01-31/PB: Add a hint how to generate 6to4 addresses0.202002-01-30/PB: Add a hint 
about default route problem, some minor updates0.19.22002-01-29/PB: Add many new URLs0.19.12002-01-27/PB: Add some forgotten URLs0.192002-01-25/PB: Add two German books, fix quote entinities in exported SGML code0.18.22002-01-23/PB: Add a FAQ on the program chapter0.18.12002-01-23/PB: Move “the end” to the end, add USAGI to maillists0.182002-01-22/PB: Fix bugs in explanation of multicast address types0.17.22002-01-22/PB: Cosmetic fix double existing text in history (at 0.16), move all credits to the end of the document0.17.12002-01-20/PB: Add a reference, fix URL text in online-test-tools0.172002-01-19/PB: Add some forgotten information and URLs about global IPv6 addresses0.162002-01-19/PB: Minor fixes, remove “bold” and “emphasize” formats on code lines, fix “too long unwrapped code lines” using selfmade utility, extend list of URLs.0.152002-01-15/PB: Fix bug in addresstype/anycast, move content related credits to end of document0.142002-01-14/PB: Minor review at all, new chapter “debugging”, review “addresses”, spell checking, grammar checking (from beginning to 3.4.1) by Martin Krafft, add tcpdump examples, copy firewalling/netfilter6 from IPv6+Linux-HowTo, minor enhancements0.132002-01-05/PB: Add example BIND9/host, move revision history to end of document, minor extensions0.122002-01-03/PB: Merge review of David Ranch0.112002-01-02/PB: Spell checking and merge review of Pekka Savola0.102002-01-02/PB: First public release of chapter 1 +0.67wip2015-08-18/PB: fix some broken URLs, 20151016/bie: remove broken URL to Spanish transation, 20161215/bie: update some URLs, 20170114/: update some URLs0.662010-04-20/PB: extend QoS section with examples, 20130513/PB: add IPv6 NAT hints, 20130521/PB: review dhcpd, 20131019/bie: general review, 20140502/bie: add hints for nftables, 20140513/bie: extend section regarding address resolution and add source/destination address selection information, 20140515/bie: add hints for activation of privacy extension0.652009-12-13/PB: 
minor fixes0.642009-06-11/PB: extend DHCP server examples (ISC DHCP, Dibbler)0.632009-02-14/PB: Fix FSF address, major update on 4in6 tunnels, add new section for address resolving, add some URLs, remove broken URLs0.622008-11-09/PB: Adjust URL to Turkish howto, add some HIP related URLs, remove broken URLs0.61.12007-11-11/PB: fix broken description of shortcut BIND0.612007-10-06/PB: fix broken URLs to TLDP-CVS, minor URL update.0.60.22007-10-03/PB: fix description of sysctl/autoconf (credits to Francois-Xavier Le Bail)0.60.12007-06-16/PB: speling fixes (credits to Larry W. Burton)0.602007-05-29/PB: import major contribution to Programming using C-API written by John Wenker, minor fixes0.522007-05-23/PB: update firewalling chapter, improve document for proper SGML validation, minor bugfixes0.512006-11-08/PB: remove broken URLs, add a new book (credits to Bryan Vukich)0.50.22006-10-25/PB: fix typo in dhcp6 section (credits to Michele Ferritto)0.50.12006-09-23/PB: add some URLs0.502006-08-24/PB: check RFC URLs, fix URL to Chinese translation, finalize for publishing0.49.52006-08-23/PB: fix/remove broken URLs0.49.42006-08-21/PB: some review, update and enhancement of the content, replace old 6bone example addresses with the current defined ones.0.49.32006-08-20/PB: fix bug in maillist entries, 'mobility' is now a separate chapter0.49.22006-08-20/PB: update and cleanup of maillist entries0.49.12006-06-13/PB: major update of mobility section (contributed by Benjamin Thery)0.492005-10-03/PB: add configuration hints for DHCPv6, major broken URL cleanup (credits to Necdet Yucel)0.48.12005-01-15/PB: minor fixes0.482005-01-11/PB: grammar check and minor review of IPv6 IPsec section0.47.12005-01-01/PB: add information and examples about IPv6 IPsec, add some URLs0.472004-08-30/PB: add some notes about proftpd, vsftpd and other daemons, add some URLs, minor fixes, update status of Spanish translation0.46.42004-07-19/PB: minor fixes0.46.32004-06-23/PB: add note about started 
Greek translation, replace Taiwanese with Chinese for related translation0.46.22004-05-22/PB: minor fixes0.46.12004-04-18/PB: minor fixes0.462004-03-04/PB: announce Italian translation, add information about DHCPv6, minor updates0.45.12004-01-12/PB: add note about the official example address space0.452004-01-11/PB: minor fixes, add/fix some URLs, some extensions0.44.22003-10-30/PB: fix some copy&paste text bugs0.44.12003-10-19/PB: add note about start of Italian translation0.442003-08-15/PB: fix URLs, add hint on tcp_wrappers (about broken notation in some versions) and Apache20.43.42003-07-26/PB: fix URL, add archive URL for maillist users at ipv6.org, add some ds6 URLs0.43.32003-06-19/PB: fix typos0.43.22003-06-11/PB: fix URL0.43.12003-06-07/PB: fix some URLs, fix credits, add some notes at IPsec0.432003-06-05/PB: add some notes about configuration in SuSE Linux, add URL of French translation0.422003-05-09/PB: minor fixes, announce French translation0.41.42003-05-02/PB: Remove a broken URL, update some others.0.41.32003-04-23/PB: Minor fixes, remove a broken URL, fix URL to Taiwanese translation0.41.22003-04-13/PB: Fix some typos, add a note about a French translation is in progress0.41.12003-03-31/PB: Remove a broken URL, fix another0.412003-03-22/PB: Add URL of German translation0.40.22003-02-27/PB: Fix a misaddressed URL0.40.12003-02-12/PB: Add Debian-Linux-Configuration, add a minor note on translations0.402003-02-10/PB: Announcing available German version0.39.22003-02-10/GK: Minor syntax and spelling fixes0.39.12003-01-09/PB: fix an URL (draft adopted to an RFC)0.392003-01-13/PB: fix a bug (forgotten 'link” on ”ip link set” (credits to Yaniv Kaul)0.38.12003-01-09/PB: a minor fix0.382003-01-06/PB: minor fixes0.37.12003-01-05/PB: minor updates0.372002-12-31/GK: 270 new links added (searched in 1232 SearchEngines) in existing and 53 new (sub)sections0.36.12002-12-20/PB: Minor fixes0.362002-12-16/PB: Check of and fix broken links (credits to Georg Käfer), some 
spelling fixes0.352002-12-11/PB: Some fixes and extensions0.34.12002-11-25/PB: Some fixes (e.g. broken linuxdoc URLs)0.342002-11-19/PB: Add information about German translation (work in progress), some fixes, create a small shortcut explanation list, extend ”used terms” and add two German books0.332002-11-18/PB: Fix broken RFC-URLs, add parameter ttl on 6to4 tunnel setup example0.322002-11-03/PB: Add information about Taiwanese translation0.31.12002-10-06/PB: Add another maillist0.312002-09-29/PB: Extend information in proc-filesystem entries0.302002-09-27/PB: Add some maillists0.292002-09-18/PB: Update statement about nmap (triggered by Fyodor)0.28.12002-09-16/PB: Add note about ping6 to multicast addresses, add some labels0.282002-08-17/PB: Fix broken LDP/CVS links, add info about Polish translation, add URL of the IPv6 Address Oracle0.272002-08-10/PB: Some minor updates0.26.22002-07-15/PB: Add information neighbor discovery, split of firewalling (got some updates) and security into extra chapters0.26.12002-07-13/PB: Update nmap/IPv6 information0.262002-07-13/PB: Fill /proc-filesystem chapter, update DNS information about depricated A6/DNAME, change P-t-P tunnel setup to use of ”ip” only0.25.22002-07-11/PB: Minor spelling fixes0.25.12002-06-23/PB: Minor spelling and other fixes0.252002-05-16/PB: Cosmetic fix for 2^128, thanks to José Abílio Oliveira Matos for help with LyX0.242002-05-02/PB: Add entries in URL list, minor spelling fixes0.232002-03-27/PB: Add entries in URL list and at maillists, add a label and minor information about IPv6 on RHL0.222002-03-04/PB: Add info about 6to4 support in kernel series 2.2.x and add an entry in URL list and at maillists0.212002-02-26/PB: Migrate next grammar checks submitted by John Ronan 0.20.42002-02-21/PB: Migrate more grammar checks submitted by John Ronan, add some additional hints at DNS section 0.20.32002-02-12/PB: Migrate a minor grammar check patch submitted by John Ronan0.20.22002-02-05/PB: Add mipl to maillist 
table0.20.12002-01-31/PB: Add a hint how to generate 6to4 addresses0.202002-01-30/PB: Add a hint about default route problem, some minor updates0.19.22002-01-29/PB: Add many new URLs0.19.12002-01-27/PB: Add some forgotten URLs0.192002-01-25/PB: Add two German books, fix quote entinities in exported SGML code0.18.22002-01-23/PB: Add a FAQ on the program chapter0.18.12002-01-23/PB: Move ”the end” to the end, add USAGI to maillists0.182002-01-22/PB: Fix bugs in explanation of multicast address types0.17.22002-01-22/PB: Cosmetic fix double existing text in history (at 0.16), move all credits to the end of the document0.17.12002-01-20/PB: Add a reference, fix URL text in online-test-tools0.172002-01-19/PB: Add some forgotten information and URLs about global IPv6 addresses0.162002-01-19/PB: Minor fixes, remove ”bold” and ”emphasize” formats on code lines, fix ”too long unwrapped code lines” using selfmade utility, extend list of URLs.0.152002-01-15/PB: Fix bug in addresstype/anycast, move content related credits to end of document0.142002-01-14/PB: Minor review at all, new chapter ”debugging”, review ”addresses”, spell checking, grammar checking (from beginning to 3.4.1) by Martin Krafft, add tcpdump examples, copy firewalling/netfilter6 from IPv6+Linux-HowTo, minor enhancements0.132002-01-05/PB: Add example BIND9/host, move revision history to end of document, minor extensions0.122002-01-03/PB: Merge review of David Ranch0.112002-01-02/PB: Spell checking and merge review of Pekka Savola0.102002-01-02/PB: First public release of chapter 1 <!-- anchor id="credits" -->Credits The quickest way to be added to this nice list is to send bug fixes, corrections, and/or updates to me ;-). If you want to do a major review, you can use the native LyX file (see original source) and send diffs against it, because diffs against SGML don't help too much. 
@@ -5298,7 +5313,7 @@ Publisher: MarketResearch.com; ISBN B00006334Y; (November 1, 2001) Authors of the LDP Author GuideB. Guillon: For his DocBook with LyX HOWTO <!-- anchor id="content-related-credits" -->Content related credits Credits for fixes and hints are listed here, will grow sure in the future -S .P. Meenakshi <meena at cs dot iitm dot ernet dot in>: For a hint using a “send mail” shell program on tcp_wrapper/hosts.denyFrank Dinies <FrankDinies at web dot de>: For a bugfix on IPv6 address explanationJohn Freed <jfreed at linux-mag dot com>: For finding a bug in IPv6 multicast address explanationCraig Rodrigues <crodrigu at bbn dot com>: For suggestion about RHL IPv6 setupFyodor <fyodor at insecure dot org>: Note me about outdated nmap informationMauro Tortonesi <mauro at deepspace6 dot net>: For some suggestionsTom Goodale <goodale at aei-potsdam dot mpg dot de>: For some suggestionsMartin Luemkemann <mluemkem at techfak dot uni-bielefeld dot de>: For a suggestionJean-Marc V. Liotier <jim at jipo dot com>: Finding a bugYaniv Kaul <ykaul at checkpoint dot com>: Finding a bugArnout Engelen <arnouten at bzzt dot net>: For sending note about a draft was adopted to RFC nowStephane Bortzmeyer <bortzmeyer at nic dot fr>: Contributing persistent configuration on Debianlithis von saturnsys <lithis at saturnsys dot com>: Reporting a misaddressed URLGuy Hulbert <gwhulbert at rogers dot com>: Send a note that RFC1924 is probably an April fool's jokeTero Pelander <tpeland at tkukoulu dot fi>: Reporting a broken URLWalter Jontofsohn <wjontof at gmx dot de>: Hints for SuSE Linux 8.0/8.1Benjamin Hofstetter <benjamin dot hofstetter at netlabs dot org>: Reporting a mispointing URLJ.P. 
Larocque <piranha at ely dot ath dot cx>: Reporting archive URL for maillist users at ipv6 dot orgJorrit Kronjee <jorrit at wafel dot org>: Reporting broken URLsColm MacCarthaigh <colm dot maccarthaigh at heanet dot ie>: Hint for sendfile issue on Apache2Tiago Camilo <tandre at ipg dot pt>: Contribute some URLs about Mobile IPv6Harald Geiger: Reporting a bug in how described the bit counting of the universal/global bitBjoern Jacke <bjoern at j3e dot de>: Triggered me to fix some outdated information on xinetdChristoph Egger <cegger at chrrr dot com>: Sending note about “ip” has problems with IPv4-compatible addresses on SuSE Linux 9.0 and trigger to add a hint on 6to4-radvd exampleDavid Lee Haw Ling <hawling at singnet dot com dot sg>: Sending information about a tunnel brokerMichael H. Warfield <mhw at iss dot net>: Sending note about suffix for 6to4 routersTomasz Mrugalski <thomson at klub dot com dot pl>: Sending updates for DHCPv6 sectionJan Minar <jjminar at fastmail dot fm>: Reporting minor bugsKalin KOZHUHAROV <kalin at tar dot bz>: Fixing a not so well explanationRoel van Dijk <rdvdijk at planet dot nl>: Reporting broken URLsCatalin Muresan <catalin dot muresan at astral dot ro>: Reporting minor bugsDennis van Dok <dvandok at quicknet dot nl>: Reporting minor bugsNecdet Yucel <nyucel at comu dot edu dot tr>: Reporting broken URLsBryan Vukich: Reporting a broken URLDaniele Masini: reporting a broken iptables exampleYao Zhao: reporting a bug in IPv6 route remove descriptionAaron Kunde: reporting a broken URL and a content related bugLarry W. Burton: speling fixesJustin Pryzby: reporting broken shortcut description of BIND +S .P. 
Meenakshi <meena at cs dot iitm dot ernet dot in>: For a hint using a ”send mail” shell program on tcp_wrapper/hosts.denyFrank Dinies <FrankDinies at web dot de>: For a bugfix on IPv6 address explanationJohn Freed <jfreed at linux-mag dot com>: For finding a bug in IPv6 multicast address explanationCraig Rodrigues <crodrigu at bbn dot com>: For suggestion about RHL IPv6 setupFyodor <fyodor at insecure dot org>: Note me about outdated nmap informationMauro Tortonesi <mauro at deepspace6 dot net>: For some suggestionsTom Goodale <goodale at aei-potsdam dot mpg dot de>: For some suggestionsMartin Luemkemann <mluemkem at techfak dot uni-bielefeld dot de>: For a suggestionJean-Marc V. Liotier <jim at jipo dot com>: Finding a bugYaniv Kaul <ykaul at checkpoint dot com>: Finding a bugArnout Engelen <arnouten at bzzt dot net>: For sending note about a draft was adopted to RFC nowStephane Bortzmeyer <bortzmeyer at nic dot fr>: Contributing persistent configuration on Debianlithis von saturnsys <lithis at saturnsys dot com>: Reporting a misaddressed URLGuy Hulbert <gwhulbert at rogers dot com>: Send a note that RFC1924 is probably an April fool's jokeTero Pelander <tpeland at tkukoulu dot fi>: Reporting a broken URLWalter Jontofsohn <wjontof at gmx dot de>: Hints for SuSE Linux 8.0/8.1Benjamin Hofstetter <benjamin dot hofstetter at netlabs dot org>: Reporting a mispointing URLJ.P. 
Larocque <piranha at ely dot ath dot cx>: Reporting archive URL for maillist users at ipv6 dot orgJorrit Kronjee <jorrit at wafel dot org>: Reporting broken URLsColm MacCarthaigh <colm dot maccarthaigh at heanet dot ie>: Hint for sendfile issue on Apache2Tiago Camilo <tandre at ipg dot pt>: Contribute some URLs about Mobile IPv6Harald Geiger: Reporting a bug in how described the bit counting of the universal/global bitBjoern Jacke <bjoern at j3e dot de>: Triggered me to fix some outdated information on xinetdChristoph Egger <cegger at chrrr dot com>: Sending note about ”ip” has problems with IPv4-compatible addresses on SuSE Linux 9.0 and trigger to add a hint on 6to4-radvd exampleDavid Lee Haw Ling <hawling at singnet dot com dot sg>: Sending information about a tunnel brokerMichael H. Warfield <mhw at iss dot net>: Sending note about suffix for 6to4 routersTomasz Mrugalski <thomson at klub dot com dot pl>: Sending updates for DHCPv6 sectionJan Minar <jjminar at fastmail dot fm>: Reporting minor bugsKalin KOZHUHAROV <kalin at tar dot bz>: Fixing a not so well explanationRoel van Dijk <rdvdijk at planet dot nl>: Reporting broken URLsCatalin Muresan <catalin dot muresan at astral dot ro>: Reporting minor bugsDennis van Dok <dvandok at quicknet dot nl>: Reporting minor bugsNecdet Yucel <nyucel at comu dot edu dot tr>: Reporting broken URLsBryan Vukich: Reporting a broken URLDaniele Masini: reporting a broken iptables exampleYao Zhao: reporting a bug in IPv6 route remove descriptionAaron Kunde: reporting a broken URL and a content related bugLarry W. Burton: speling fixesJustin Pryzby: reporting broken shortcut description of BIND The End Thanks for reading. Hope it helps! If you have any questions, subscribe to proper maillist and describe your problem providing as much as information as possible.
\ No newline at end of file
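Review bot: the only difference between the removed and added credits paragraph is the opening quotation mark, which changes from “ to ” in ”send mail” and ”ip”, so both quoted terms now open and close with the same closing quote. This is unrelated to removing a broken URL and looks like an editor re-export side effect. I suggest dropping this hunk, or restoring the opening “ in both places so the quotes pair correctly. The "\ No newline at end of file" marker also shows the file ends without a trailing newline, which would be worth adding while this area is touched.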