Migrating Small Business Networks To IPv6

submitted by: Sylvia Schuh

Diploma Thesis

for the attainment of the academic degree

Magister rerum socialium oeconomicarumque

Master of Social and Economic Sciences

(Mag. rer. soc. oec.)

Faculty of Business, Economics and Informatics, University of Vienna
Faculty of Technical Sciences and Informatics, Vienna University of Technology
Field of study: Business Informatics
Reviewer: O. Univ. Prof. Dr. A Min Tjoa
Vienna, 21.2.2006

Contents

1 The setting-up of my IPv4 network ...... 8
1.1 Maggie and her asterisk server [1][2] ...... 9
1.1.1 FXO, FXS, IAX, SIP ...... 11
1.1.2 Maggie's dialplan ...... 12
1.1.3 Digium card details ...... 13
1.1.4 Configuring Sipura SPA-2000 [40] [5] ...... 14
1.2 Marge and the CUPS problem ...... 15
1.2.1 Installing CUPS [6, 8, 7] ...... 15
1.3 Bart and Snowball are getting their iptables [9] ...... 18
1.4 Maggie: MySQL server [33] ...... 24
1.5 Installing OpenVPN on snowball and bart ...... 25
1.5.1 Setting up your Certification Authority (CA) [13] ...... 26
1.5.2 Generating certificates and keys ...... 27
1.5.3 Diffie-Hellman parameters [14] ...... 27
1.5.4 Distributing the files ...... 28
1.5.5 Advantages when using this security model ...... 28
1.5.6 Configuring OpenVPN ...... 29
1.6 Other services provided by marge.sylvia.test ...... 33
1.6.1 web server apache ...... 33
1.6.2 dynamic host addressing dhcpd [17] ...... 34
1.6.3 DNS server BIND [7][19][20] ...... 35
1.6.4 Mail transfer agent exim4 [21] [22] [23] ...... 37
1.6.5 POP3 server [9] ...... 39
1.6.6 web traffic monitoring with webalizer [11][26] [27] ...... 40
1.6.7 web caching and proxying with squid [28] [29] ...... 41
1.6.8 arpwatch [30] ...... 42
1.7 Other services provided by bart ...... 42
1.7.1 network time protocol daemon ntpd [3] ...... 42
1.7.2 ntop ...... 43
1.8 Services provided by homer ...... 44
1.8.1 File sharing ...... 44
1.8.2 Active directory [32] [33] ...... 45

2 The initial lab-topology ...... 52
2.1 The main office ...... 52
2.1.1 hostname: bart - 192.168.200.1 ...... 52
2.1.2 hostname: marge, alias: ns1, www, proxy - 192.168.200.5 ...... 54
2.1.3 hostname: maggie - 192.168.200.8 ...... 55
2.1.4 hostname: homer - 192.168.200.12 ...... 56
2.1.5 hostname: apu - 192.168.200.33 ...... 57
2.1.6 hostname: nelson - 192.168.200.34 ...... 58
2.1.7 hostname: lisa - 192.168.200.35 ...... 59
2.1.8 allnet1 - 192.168.200.130 ...... 60
2.1.9 grandstream1 - 192.168.200.129 ...... 60
2.2 Branch office ...... 60
2.2.1 hostname: snowball - 192.168.201.1 ...... 60
2.2.2 hostname: snowball2 - 192.168.201.17 ...... 61
2.2.3 hostname: sipura - 192.168.201.129 ...... 62

3 Testing and Benchmarking the Network ...... 68
3.1 Tools and their usage ...... 68
3.1.1 MRTG [1] ...... 68
3.1.2 Smokeping [9] ...... 75
3.1.3 bing [10] ...... 75
3.1.4 iperf [11] [12] ...... 77
3.1.5 netperf [13] ...... 78
3.1.6 netio [14] ...... 78
3.1.7 netbench [15] ...... 79
3.1.8 sipp [16] [17] ...... 80
3.1.9 copying files ...... 81
3.1.10 digging DNS ...... 81
3.1.11 open a file from a share ...... 82
3.1.12 downloading files ...... 82
3.1.13 ethereal [18] ...... 82
3.1.14 tcpdump [19] ...... 83
3.1.15 nmap [20] ...... 83

4 Theory of IPv6 ...... 86
4.1 IPv6 Addresses [1] [2] ...... 87
4.1.1 Unicast IPv6 addresses ...... 89
4.1.2 Multicast IPv6 addresses ...... 95
4.1.3 Anycast IPv6 addresses ...... 97
4.1.4 Addresses set on an IPv6 enabled host ...... 97
4.1.5 Address Autoconfiguration Process ...... 98
4.1.6 DHCPv6 [9] ...... 100
4.2 IPv6 Header ...... 101
4.3 ICMPv6 ...... 104
4.3.1 ICMPv6 Error messages ...... 105
4.3.2 ICMPv6 Informational messages ...... 107
4.3.3 Multicast Listener Discovery [12] ...... 107
4.4 Neighbor Discovery [23] ...... 109
4.4.1 Neighbor Discovery messages ...... 109
4.4.2 Neighbor Discovery Process ...... 114
4.5 IPv6 Routing ...... 118
4.5.1 Route determination process ...... 119
4.5.2 IPv6 Delivery Process ...... 119
4.5.3 IPv6 Routing protocols ...... 122
4.6 IPv6 and Name Resolution ...... 124
4.7 Migration to IPv6 [15] ...... 125
4.7.1 6over4 ...... 125
4.7.2 6to4 ...... 127
4.7.3 ISATAP ...... 128
4.7.4 Teredo ...... 129
4.7.5 PortProxy ...... 131

5 Migration to IPv6 ...... 135
5.1 Making your system IPv6-ready [1] ...... 135
5.1.1 Debian Linux ...... 136
5.1.2 Windows ...... 137
5.2 Testing primary connectivity [8] ...... 140
5.2.1 Debian Linux ...... 140
5.2.2 Windows [9] ...... 143
5.3 Getting reachable globally via IPv6 ...... 146
5.3.1 Installing AICCU ...... 147
5.3.2 Allocating the addresses ...... 148
5.3.3 Configuring the global addresses ...... 149
5.3.4 Setting routes manually ...... 151
5.3.5 Testing connectivity with traceroute ...... 153
5.4 More routing issues ...... 154
5.5 Networking basics ...... 160
5.5.1 advertising routes with radvd [20] [21] [22] [23] ...... 160
5.5.2 DHCPv6 using dibbler [27] ...... 163
5.5.3 DNS [30] [29] ...... 171
5.6 Migrating the services [31] ...... 176
5.6.1 Browsers: Firefox and Internet Explorer ...... 176
5.6.2 Web-Proxy: Privoxy [32] ...... 176
5.6.3 http-server: apache ...... 178
5.6.4 database: MySQL ...... 179
5.6.5 filesharing using Windows ...... 180
5.6.6 filesharing: WebDAV [38] [39] ...... 184
5.6.7 filesharing: ftp ...... 187
5.6.8 : ...... 188
5.6.9 email: courier [41] ...... 189
5.6.10 mail-client: thunderbird ...... 191
5.6.11 mail-client: outlook and outlook express ...... 192
5.6.12 VoIP: asterisk [42] [43] ...... 193
5.6.13 time: ntpd, ntpdate ...... 193
5.6.14 domain controller: Active Directory ...... 194
5.6.15 printing: cups ...... 195
5.6.16 radio: Virgin radio ...... 196
5.6.17 instant messaging: irc, msn ...... 197
5.6.18 authentication: ipsec6 ...... 198
5.6.19 encryption: OpenSWAN ...... 203
5.6.20 Remote control: ssh ...... 206
5.6.21 VNC: TightVNC ...... 206
5.6.22 Remote control: telnet ...... 207
5.6.23 Monitoring traffic: ntop ...... 207
5.6.24 monitoring privoxy: webalizer ...... 208
5.6.25 monitoring ports: nmap ...... 209
5.6.26 firewall: iptables ...... 210
5.7 Testing ...... 210
5.7.1 iperf ...... 210
5.7.2 Netserver/ Netperf ...... 211
5.7.3 Smokeping ...... 211
5.7.4 mrtg/ SNMP [47] ...... 213

6 Conclusion and Summary ...... 222

7 Configuration Files ...... 227
7.1 IPv4 related configuration ...... 227
7.1.1 APT ...... 227
7.1.2 Asterisk ...... 228
7.1.3 CUPS ...... 242
7.1.4 Apache2 ...... 244
7.1.5 dhcpd ...... 250
7.1.6 BIND ...... 251
7.1.7 exim4 ...... 255
7.1.8 The Webalizer ...... 256
7.1.9 squid ...... 258
7.1.10 arpwatch ...... 261
7.1.11 ntpd ...... 261
7.1.12 Active Directory ...... 262
7.1.13 mrtg ...... 263
7.1.14 SmokePing ...... 267
7.2 IPv6-related Configuration files ...... 271
7.2.1 Apache ...... 271
7.2.2 Smokeping ...... 272
7.2.3 mrtg ...... 276
7.2.4 firewall: iptables ...... 279

Statutory Declaration

I declare under oath that I have written the present thesis independently and without outside help, that I have used no sources other than those stated, and that I have marked as such all passages taken verbatim or in substance from the sources used. Vienna, 21.2.2006

Acknowledgement

I want to start my acknowledgements by thanking my parents and my grandma for making it possible to study by providing me the financial prerequisites. Besides that I have to give my mother my special thanks for coping with my moods while writing on this (from happy to desperate) and my father for answering my questions and helping me with basic problems of networking. In addition to this I want to thank my friends for keeping me up-to-date, although I seemed to have vanished in a small chamber for the duration of my master thesis.

Another huge thank you goes to the director of the Berufsförderungsinstitut Burgenland, Mr. Peter Maier, for providing me the hardware, the information and the place to make my idea of my master thesis come true! Thank you very much!

I would also like to express my gratitude to those nameless people answering my newsgroup and forum postings, to the maintainers of software helping me (like Tomasz Mrugalski from dibbler, etc.) and to Mr. Schabus, supplying me with information on the Microsoft way of implementing IPv6. Another big thank you is for two employees of the IT at the Berufsförderungsinstitut Burgenland, Andreas Grabner and Thomas Jölly, for being interested in my subject and providing me with tips and tricks. Furthermore I want to thank Mustafa Sahin, a student at a university in Istanbul writing his thesis about IPv6 as well, for listening to my IPv6- and non-IPv6-related problems and for having good ideas on how we can take over the world using IPv6. In addition to these I want to thank my supervisor O. Univ. Prof A Min Tjoa for supervising my thesis and Mag. Markus Klemen for answering a lot of my questions.


The last two people I want to thank here are my grandmother Ida Ulreich and my grandfather Ing. Karl Schuh, who both passed away while I was writing this thesis.

“Love is stronger than death even though it can’t stop death from happening, but no matter how hard death tries it can’t separate people from love. It can’t take away our memories either. In the end, life is stronger than death.” (author unknown)

Preface

When it came to the point of my study where I had to choose which subject I want to write about for my master thesis I really didn’t have to think long: I wanted to write something in the field of networks to improve my network administration skills and to learn a lot of things in the field of administering Linux servers. With the previous knowledge I acquired working in this field and when I took my CCNA I wanted to get further and write a thesis that could be of great use for other users as well and which is an upcoming subject, and so one beautiful day I had the idea of writing about IPv6. Then I looked on the internet for IPv6-related articles and found a lot of things concerning the standards of IPv6, how the header is made up and how huge the new address space is. I found very often such things like: already IPv6 enabled and became more and more curious how IPv6 would conduct in a productive environment, and that’s where the idea for my master thesis was born. I wanted to set up an IPv4 network with all services you need to supply mail, data, www-connectivity and many others and when this is done, I wanted to try to migrate this structure to IPv6.

The first important problem I had was to get the structure of a well-functioning network and the hardware I would need. For I had to move out of my apartment at that time I thought I could put all the devices needed for the thesis in my new apartment. I talked to some companies and tried to find people interested in my work so much that they would want to support me and finally found the Berufsförderungsinstitut Burgenland (http://www.bfi-burgenland.at). The Berufsförderungsinstitut Burgenland is a non-profit organisation working in the field of vocational training in many different skills. From becoming a registered masseur to driving diggers or starting your system administrator’s career you can learn anything you want in one of the several offices throughout the Burgenland. (By the way, if you don’t know, Burgenland is the easternmost federal state of Austria and is world-wide one of the most important wine suppliers for excellent red and white wine. http://www.burgenland.at). The Berufsförderungsinstitut Burgenland supplied me with their network structure and the knowledge they gained through the productive use of this structure. In addition to this they cleared out a room for me and supplied me the hardware I needed (which are several PCs, screens, switches, SIP phones, and so on). After putting all this stuff together the former storage room became more and more homely. While setting up all services needed I learned the most about the use of Linux based systems. Of course, as you might have guessed, you learn something about it at university, but if you are in private not very into it, the things you learn at university will be forgotten soon. So I set up one service after the other and learned a lot within. And then, the big day came, IPv6 needed to be implemented. But let’s start step by step.

My thesis is composed of several chapters: the first chapter is about the setting up of the IPv4 part of the network, then there is a chapter about the theory of IPv6 and the most important chapter is the one about the actual migration to IPv6. You will find everything you need to know in order to set up an IPv6 enabled network within this thesis. The idea when writing this thesis was to create a hands-on guide for everyone interested in this subject, for I found it very difficult to get the information I needed. I want to supply facts about each service I used and tested, whether it worked or not, if there is a workaround and how a minimum configuration is achieved. So the point is that you can migrate your home or business network to IPv6 without reading hundreds of pages about the theory; simply take a look at the chapter about migration and try it.

I wanted to sum up all I found out about the use of IPv6 in order to make it easier for others to deploy its use and start to write more and more applications taking use of the advantages provided by IPv6. I want to show everyone afraid how easy it can be migrating to IPv6 and everyone interested that there are already lots of things that can be done using IPv6. But let’s talk about advantages and disadvantages at the end of the thesis.

Introduction

Motivation

Probably every paper or thesis about IPv6 will start with the words “because of address shortage ...“, and this of course is one major reason to think about IPv6. NAT became a much used workaround for this problem but also imposes different drawbacks like restrictions in the field of peer to peer computing and so on. We all may know that several countries already switched their IT infrastructure to IPv6-based communication and many task forces all over the world try to propagate its use more and more. My main goal for writing this thesis was not to write yet another theory-prone description of how an IPv6 header is set up and how big the address space is but rather a hands-on guide for people interested in it who don’t want to read all the theory first. My work usually is more of the trial-and-error kind (I am not really into reading long descriptions first) and so I wanted to supply a paper you can work with without spending hours on reading but rather just try it, work with it and learn it by doing. This thesis could be an interesting source of information for people administering and setting up services in a network for the first time and for those who still do not know if they need IPv6 but are interested. I was very interested in what benefits IPv6 has and which of them can really be brought into production use.

The whole thesis is divided into three logical parts: first the network is set up using IPv4, then there is an IPv6 theory part (every thesis needs its theory ;-) ) and the last one is about the migration of the services to IPv6. I wanted to create a complete guide for which you don’t really need any previous knowledge. While I was working on the setting up of the IPv4 network I found it pretty difficult to get a quick and dirty configuration of several services, and that’s the reason why I decided to append all configuration files I used during my work in order to supply a basic and working configuration.

Problem Statement

The main reason for switching to an IPv6 environment is of course address space and the limitations imposed by workarounds like NAT, but there are more benefits than that when using IPv6. The biggest advantage for “normal” users will be traffic that is always encrypted and therefore more secure against sniffing (I am not talking about the advantages gained through hierarchical routing and so on, for this is only interesting for ISPs). In addition to this more concern is put on flow control and Quality of Service, which will emerge as a very interesting topic for everyone pretty soon (just think of prioritizing VoIP and videoconferencing over usual web traffic). There are as well IPv4 approaches to all of these aspects but I don’t see much sense in patching a very old protocol so it can handle something the new one was designed for. Although, and I guess you might have noticed by now, I am a fan of IPv6 I have to confess that most benefits do not work as they should, yet. Of course, I could migrate all services and get a working IPv6 infrastructure, but I could not uninstall IPv4 for various reasons and some basic features still lack implementation. Nevertheless I am advocating IPv6 and am totally convinced that after people find out the possibilities we didn’t yet think about because it was not feasible using IPv4, IPv6 will become state-of-the-art very soon.

Chapter 1

The setting-up of my IPv4 network

For the sake of completeness I want to write about the setting-up of the IPv4 network and the troubles related to that approach as well. When I got the news that the Berufsförderungsinstitut Burgenland was going to support my work not only by wishing me luck but by giving me the hardware I needed and by lending me a room to put in all the stuff I needed I was all excited. After putting together the pieces of hardware (and in fact, they came in pieces; please see the pictures) to some functional thing one would have called a PC a few years ago I got more and more of a notion of the upcoming work. This was sometime in June 2005. Later in June I went to the Linux Tag 2005 in Karlsruhe which gave me even more inspiration for starting my work with the full capacity of motivation I had. Returned from Germany in July I started documenting my work in more detail. My first entries are from the week between the 20th and the 26th July. After setting up the operating systems on all hosts in the network the configuration of the services started. One of the first things done was the installation of the asterisk server together with the Digium card.


1.1 Maggie and her asterisk server[1][2]

After putting in the Digium card I got from the company (they think about switching to asterisk-only internal telephony in a few months) several things were missing. Maggie is set up with Debian Sarge 3.1 with kernel 2.4.27-2-686 but was missing the kernel headers and the kernel source, which had to be installed separately. The following additional packages have been installed with “apt-get install”:

    openssl, libncurses-dev, libssl-dev, zlib1g-dev, cvs

With the help of cvs I got the newest versions of zaptel, libpri and of course asterisk:

    cd /usr/src
    export CVSROOT=:pserver:[email protected]:/usr/cvsroot
    cvs login

The password is anoncvs. Don’t get confused by an error popping up when you use cvs the first time. It just informs you that a file (for the password) that did not exist is being created.

    cvs checkout zaptel libpri asterisk

Now you are getting the sources for the three packages you need. After the data has been sent you can start installing the new software by changing the working directory to the package you want to install and then making the sources. Zaptel is the telephony card driver and is only needed with this kind of hardware.

    cd zaptel
    make clean
    make install
    cd ../libpri
    make clean
    make install
    cd ../asterisk
    make clean
    make install
    make samples

In order to make the samples you need the package progdocs. The Zaptel driver mentioned above needs to be loaded with the following command (don’t forget to permanently add the module to the /etc/modules file):

    modprobe zaptel

For configuring regional parameters and how each port on your telephony card is used you have a configuration file:

    /etc/zaptel.conf

Here you can define local signalling options and make the distinction between FXO and FXS ports. When you are working with FX interfaces, the hardware is described based on what it connects to; the signalling, however, needs to define the device we are emulating. Since the O in FXO stands for Office and is connecting to an Office, our software needs to emulate a station here. The opposite is true for FXS, with the S standing for station. After the zaptel.conf file is edited you must load the driver:

    modprobe wcfxs

Note: the Zaptel driver is always loaded first into memory. Then the drivers for the devices (FXO, FXS, ztdummy, ...) follow. After you have configured your hardware you need to take a look at asterisk itself. After you made the source there are, of course, some configuration files left to configure. To start with a simple configuration and experience some success soon you can load the sample configuration files. Asterisk will by default look for configuration files in /etc/asterisk, which has to be created manually:

    mkdir /etc/asterisk

The promised sample configuration can be found in /usr/src/asterisk/configs and obtained by copying the files to the /etc/asterisk folder (if you don’t have them there by default, as I did):

    cd /usr/src/asterisk/configs
    cp ./modem.conf.sample /etc/asterisk/modem.conf
    cp ./modules.conf.sample /etc/asterisk/modules.conf
    cp ./phone.conf.sample /etc/asterisk/phone.conf
    cp ./voicemail.conf.sample /etc/asterisk/voicemail.conf
    cp ./zapata.conf.sample /etc/asterisk/zapata.conf

Now you can start your asterisk server for the first time:

    /usr/sbin/asterisk -cvvv

The three “v” stand for verbose mode and can even be extended to five for detailed verbosity. Now you have a working installation of asterisk with a CLI*> prompt waiting for calls to make. But before you can enjoy calling others via VoIP there are some configuration issues ahead. A catchword in the world of asterisk is “channel”. A channel is the logical connection to the various transmission and signalling paths which asterisk uses to handle calls. You could also describe it as a driver between the various kinds of VoIP protocols and the hardware that connects to the PSTN. The rules that are followed by asterisk for this purpose can be found in the so-called dial plan, where we define what kind of channels we need and how they are usable for the system. Before you can set up the dial plan you have to define the channels to use. In my lab we only had FXO, FXS, IAX and SIP channels in use, which I am going to describe now. (Check the appendix for config files.)

1.1.1 FXO, FXS, IAX, SIP

First I want to describe the terms FXO and FXS in more detail. They have their origin in an old telephone service called Foreign eXchange (FX). The confusing part about FXO and FXS is that FX cards are not named by what they are but by what they connect to. Therefore, an FXS card is connected to a station and has to behave like a central office (FXO, of course, behaves vice versa). An FXS interface is the same as a standard analogue line a phone company provides to most houses and supplies you e.g. with a dial tone, ringing voltage and DTMF detection. The FXO is the side connecting to a central office and is generating DTMF, detecting dial tone and detecting ringing. Both kinds of interfaces are described and configured in /etc/asterisk/zaptel.conf.

IAX on the other hand, the Inter-Asterisk eXchange protocol, is an IP-based media transport protocol and is configured in the iax.conf file. In my topology we will later tunnel the IAX traffic through OpenVPN to our branch office.

The Session Initiation Protocol (SIP) is becoming the most supported kind of VoIP protocol because, like IAX, it is pretty easy to set up. SIP telephony is set up in the sip.conf file, where you define IP address, port and other options so that the phone on the other side can authenticate to the asterisk server.

1.1.2 Maggie’s dialplan

The dialplan is said to be the heart of any asterisk system, for it defines how asterisk should handle each call. This list of instructions is found in the file /etc/asterisk/extensions.conf and is divided into different parts called contexts. In them extensions, priorities and applications are defined. Contexts play an organizational role within the dialplan and define scopes. Within the context, extensions, character strings triggering events, are defined. Here you define things like which phone should ring when a certain phone number is called or what the system should do if no one picks up the phone and so on. Priorities are numbered steps in the execution of each extension and each priority calls a specific application, which in turn performs a certain action like playing sounds or hanging up the call. So the syntax of this file generally looks like this:

    [context]
    exten => extension, priority, application

e.g.:

    exten => 555, 1, Dial(Zap/1,20)

At the end of July I managed to have a working telephony system with analogue telephones, a Sipura adapter with two analogue phones and two SIP phones (Grandstream BudgeTone 100 and an Allnet ALL7950). Both SIP phones and the Sipura adapter can be configured through a web interface included in the devices.

    Grandstream BudgeTone 100: http://192.168.200.129, password: foo
    Allnet ALL7950: http://192.168.200.130:9999, user: elsylo, password: foo
    Sipura SPA-2000: http://192.168.201.129/admin
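As an added illustration of the extensions.conf syntax just described (my own example, not code or configuration from the thesis), the following Python script parses a small constructed dialplan into contexts, extensions and priorities, and then checks two things that asterisk itself does not complain about at load time: priority numbering gaps, at which asterisk silently stops executing an extension, and Goto targets that do not exist. Only the classic numeric-priority form shown above is handled.

```python
"""Parse and sanity-check an asterisk extensions.conf dialplan.

Added example, not part of the thesis or its configuration files.
Only the classic numeric-priority form described in the text is handled.
"""
import re
from collections import defaultdict

# Constructed sample dialplan (not the thesis's own extensions.conf).
SAMPLE_DIALPLAN = """\
; constructed sample dialplan
[internal]
exten => 555, 1, Dial(Zap/1,20)
exten => 555, 2, Voicemail(555)
exten => 555, 3, Hangup()
exten => 301, 1, Dial(SIP/301,20)   ; priority 2 is missing on purpose
exten => 301, 3, Hangup()

[incoming]
exten => s, 1, Answer()
exten => s, 2, Goto(internal,555,1)
"""

CONTEXT_RE = re.compile(r"^\[([^\]]+)\]$")
EXTEN_RE = re.compile(r"^exten\s*=>\s*([^,]+?)\s*,\s*(\d+)\s*,\s*(.+)$")


def parse_dialplan(text):
    """Return {context: {extension: {priority: application}}}.

    Raises ValueError on lines that are neither a [context] header nor an
    exten line, on exten lines outside any context, and on duplicate
    priorities (the second definition would silently shadow the first).
    """
    plan = defaultdict(lambda: defaultdict(dict))
    context = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()        # drop comments and whitespace
        if not line:
            continue
        m = CONTEXT_RE.match(line)
        if m:
            context = m.group(1)
            continue
        m = EXTEN_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised dialplan line {raw!r}")
        if context is None:
            raise ValueError(f"line {lineno}: exten line before any [context]")
        exten, priority, application = m.group(1), int(m.group(2)), m.group(3).strip()
        if priority in plan[context][exten]:
            raise ValueError(f"line {lineno}: duplicate priority {priority} for "
                             f"extension {exten} in [{context}]")
        plan[context][exten][priority] = application
    return {ctx: {ext: dict(prios) for ext, prios in exts.items()}
            for ctx, exts in plan.items()}


def find_priority_gaps(plan):
    """List (context, extension, missing_priorities) for extensions whose
    priorities do not run 1, 2, 3, ...; asterisk stops executing an extension
    at the first missing priority, so such a gap is a silent logic error."""
    gaps = []
    for context, extensions in plan.items():
        for exten, prios in extensions.items():
            missing = [p for p in range(1, max(prios) + 1) if p not in prios]
            if missing:
                gaps.append((context, exten, missing))
    return gaps


def unresolved_goto_targets(plan):
    """List (context, extension, priority, application) for every
    Goto(context,extension,priority) whose target is not defined."""
    bad = []
    for context, extensions in plan.items():
        for exten, prios in extensions.items():
            for prio, app in prios.items():
                m = re.match(r"Goto\(([^,]+),([^,]+),(\d+)\)", app)
                if m:
                    ctx, ext, target = m.group(1), m.group(2), int(m.group(3))
                    if target not in plan.get(ctx, {}).get(ext, {}):
                        bad.append((context, exten, prio, app))
    return bad
```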

1.1.3 Digium card details

The Digium card used in this lab is a TDM400P, or to be more precise TDM31B. TDM31B describes the composition of FXO and FXS channels.

Figure 1.1: The naming convention for the TDM bundles is as follows: TDM X Y B, where "TDM" denotes that the card is TDM, "X" denotes the number of FXS modules, "Y" denotes the number of FXO modules, and "B" indicates that this product is a bundle. [41]

1.1.4 Configuring Sipura SPA-2000 [40] [5]

After plugging in the Sipura SPA-2000 device its web interface is reachable through the network. If you don’t know which IP address the device has at the moment, simply type “****” on a phone plugged into the Sipura adapter. A male voice welcomes you to the “Sipura Configuration Menu” and asks you to enter an option followed by the pound key. You can now type e.g. “110#” and he reads the IP address of the phone adapter back to you. The next step is to browse http://192.168.201.129/admin and change to the advanced mode of the configuration interface.

Figure 1.2: some Sipura options you can query on a touch tone telephone[4]

By default two users called “admin” and “user” exist with a blank password which you can set if you like. Remember that, whatever you change on the web interface, the changes only take effect when pressing “Submit All Changes”. In the “System” tab you can either set the IP address statically or dynamically via DHCP (default: DHCP: On). In the “Line 1” tab the following changes to the default configuration have been made: the Proxy is set to the IP address of the local asterisk server (192.168.201.1), the “Register Expires” value is lowered to “20” (default: 3600). In the section “Subscriber Information” the “Display Name”, as well as “User ID” and “Password”, are set to “301”. In the last subsection “Audio Configuration” the “DTMF Tx Method” is set to “AVT”, sending the dialled numbers as AVT events conforming to RFC 2833. The same settings, except for the “Display Name”, “User ID” and “Password”, are used for tab “Line 2”. These options were set to the value “302” this time. In tabs “User 1” and “User 2” I changed in the section “Ring settings” the “Default Ring” to “2”, “Hold Reminder Ring” to “8” and “Call Back Ring” to “7”.
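To make concrete what the “AVT” DTMF setting means, here is an added example (my own code, not from the thesis) that encodes and decodes the 4-byte RFC 2833 telephone-event payload the adapter then sends in RTP instead of in-band tones, and reconstructs the dialled digits from a constructed packet sequence, taking into account that the final packet of each key press is repeated three times.

```python
"""RFC 2833 (RTP telephone-event) payload encoder/decoder.

Added example, not part of the thesis.  Payload layout (4 bytes):
    event (8 bits) | E (1) | R (1) | volume (6) | duration (16, network order)
"""
import struct

# Event codes for the 16 DTMF events defined in RFC 2833.
DTMF_EVENTS = {**{str(d): d for d in range(10)}, "*": 10, "#": 11,
               "A": 12, "B": 13, "C": 14, "D": 15}
EVENT_DIGITS = {code: digit for digit, code in DTMF_EVENTS.items()}


def encode_telephone_event(digit, duration, end=False, volume=10):
    """Build one telephone-event payload.

    duration is in RTP timestamp units (8 kHz clock for telephone-event),
    volume is the attenuation in dBm0 (0..63), end sets the E bit.
    """
    if digit not in DTMF_EVENTS:
        raise ValueError(f"not a DTMF event: {digit!r}")
    if not 0 <= volume <= 63:
        raise ValueError("volume must fit in 6 bits")
    if not 0 <= duration <= 0xFFFF:
        raise ValueError("duration must fit in 16 bits")
    flags = (0x80 if end else 0x00) | volume      # R bit stays 0
    return struct.pack("!BBH", DTMF_EVENTS[digit], flags, duration)


def decode_telephone_event(payload):
    """Parse a payload; truncated, over-long or unknown-event packets are rejected."""
    if len(payload) != 4:
        raise ValueError(f"telephone-event payload must be 4 bytes, got {len(payload)}")
    event, flags, duration = struct.unpack("!BBH", payload)
    if event not in EVENT_DIGITS:
        raise ValueError(f"unknown event code {event}")
    return {"digit": EVENT_DIGITS[event], "end": bool(flags & 0x80),
            "volume": flags & 0x3F, "duration": duration}


def dialled_digits(payloads):
    """Reconstruct the dialled string from a packet sequence.

    A sender transmits several packets per key press (E=0, growing duration)
    and then the final E=1 packet three times for redundancy, so a digit is
    counted once: at the first E=1 packet that follows a non-final packet.
    """
    digits = []
    last_final_digit = None
    for payload in payloads:
        ev = decode_telephone_event(payload)
        if ev["end"]:
            if ev["digit"] != last_final_digit:
                digits.append(ev["digit"])
            last_final_digit = ev["digit"]
        else:
            last_final_digit = None
    return "".join(digits)


def key_press_packets(digit, packets=3, step=160):
    """Constructed packet sequence for one key press (not a real capture):
    `packets` interim packets 20 ms apart, then the final packet three times."""
    seq = [encode_telephone_event(digit, step * (i + 1)) for i in range(packets)]
    seq += [encode_telephone_event(digit, step * (packets + 1), end=True)] * 3
    return seq


# Constructed stream for dialling the extension "301" used in the thesis.
SAMPLE_STREAM = key_press_packets("3") + key_press_packets("0") + key_press_packets("1")
```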

1.2 Marge and the CUPS problem

At the time I tried to set up asterisk in my environment, I also got my printer for the lab, an HP LaserJet 1300 connected via USB to marge. I decided to use CUPS as printer manager here.

1.2.1 Installing CUPS [6, 8, 7]

In order to have CUPS on your system you need to install some packages with “apt-get install”. The packages in brackets are those I had to install additionally in order to get the ones I needed.

    python-dev, libsnmp5-dev (libssl-dev, libssl0.9.7e-3), libcupsys2-dev (libgnutls11-dev, libtasn1-2-dev), python-qt3, lsb

When you are done with this you need to download and install the driver for the printer. To be more precise, you need to download the HPLIP tar file from http://hpinkjet.sourceforge.net. The file you get is a *.tar.gz and needs to be extracted with the command “tar xvfz *.tar.gz”. After that a folder is made and after switching into that folder you can:

    ./configure --prefix=/usr
    make
    make install        (you need to be su for that)
    /etc/init.d/hplip restart
    /etc/init.d/cups restart

Now the only thing left to do is to add the printer to CUPS. This is usually done via the web interface, but because I did not install any window environment on my Linux computers I decided to use lynx, a text-based web browser, instead.

    lynx http://localhost:631

In the “Printers” section you can “Add Printer” and have to type in a printer name, which should be meaningful and must not contain spaces. In the next step you are prompted to define exactly the device you use. For a USB device choose e.g.:

    usb://HP/LaserJet%201300

In the next step you have to choose which make your printer is, which in my case is HP. The last step is to choose the model of the printer (LaserJet 1300) and this was the step that ruined my otherwise perfect installation of the printer. There are several LaserJet 1300 printer drivers in this list and I chose the one with the note “Recommended”. What I did not know and/or see at this time was that this was a driver for a PostScript printer and did not really suit my needs. The diabolical thing about this mistake was that the printer worked with Linux clients printing on it without any troubles (I had some layout difficulties; the borders needed to be defined manually) and even worked with some Windows applications. But when it came to the point when I wanted to install the printer on my Windows 2000 I found the spoolsv service to occupy about 90% of my system load and the programs tended to crash when printing something or even when installing the printer. My first thought, of course, was that Windows, especially Windows 2000, is not suited for the use with CUPS, but I was proven wrong when a colleague installed the not-recommended CUPS driver and everything worked fine. (In fact, finding out what the problem was has not been such a quick thing, but I leave out the boring details.)

Note: Having a spoolsv with a huge CPU load in most cases indicates the existence of a virus on the system. These can be some Trojans or, more precisely, e.g. the agobot worm/backdoor infecting *.exe files on your PC. Having had troubles with agobot on other systems before I checked the usual registry keys agobot uses:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\

After I could rule out this possibility I also found information about printer jobs stuck in the printer queue producing similar behavior (check the Microsoft Image Writer queue). Look for the Windows printer queue in

    %SYSTEMROOT%\system32\spool

CUPS printers can be accessed via

    http://marge.sylvia.test:631/printers/HP_LaserJet_1300

There you have a very user-friendly printer management interface where you can access the printer queue and of course all printers added to CUPS. After this problem was solved, I no longer had problems with the CUPS system, could print even from my Windows 2000 PC and had the correct alignment on the sheets. With each Windows PC you only have to add a new network printer, choose the location http://marge.sylvia.test:631/printers/HP_LaserJet_1300 and add the correct printer driver (hplj1300m6.inf), which I downloaded from the HP homepage. If you feel you need more information on the topic of installing a CUPS printer on a Windows system I’d recommend the page http://www.owlfish.com/thoughts/winipp-cups-2003-07-20.html. For Linux systems even this was easier. The only thing you have to edit after “apt-get install cupsys-client” is the /etc/cups/client.conf file, to the following:

    --- [snip] ---
    ServerName marge.sylvia.test

Now you have an accessible printer from your Linux system and can try it from the command line, e.g. by printing the config file itself:

    lp /etc/cups/client.conf

Figure 1.3: the management interface of CUPS; the first printer is the working one, the second the one with the wrong driver type

1.3 Bart and Snowball are getting their iptables[9]

Iptables, the tool for creating packet-filtering and NAT rules, is on both hosts one of the most important services, since it prevents disallowed traffic from leaving or entering the network. The rules on both nodes are the same and therefore I will only show one of them. The firewalling rules here should be taken as minimum security but were sufficient for my needs.

#!/bin/bash
FWVER=1.0
# for Sylvia's project master thesis

echo -e "\nLade Firewall - Version $FWVER..\n"
IPTABLES=/sbin/iptables
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/usr/bin/awk
SED=/bin/sed
IFCONFIG=/sbin/ifconfig

# define the interfaces to use
EXTIF="eth0"
INTIF="eth1"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
echo " ---"
EXTIP="192.168.150.7"
echo " External IP: $EXTIP"
echo " ---"

# define the networks to use
INTNET="192.168.201.0/24"
# we have a server network; servers have low ip-addresses and have
# different rights (from clients)
SERVNET="192.168.201.0/27"
HAUPTNET="192.168.150.0/24"
INTIP="192.168.201.1/24"
echo " Internal Network: $INTNET"
echo " Server Netzerkteil: $SERVNET"
echo " Internal IP: $INTIP"
echo " ---"
UNIVERSE="0.0.0.0/0"

echo " -Verifying that all kernel modules are ok"
$DEPMOD -a

# load each netfilter module only if lsmod does not list it already
echo -en "Loading kernel modules: "
echo -en "ip_tables, "
if [ -z "`$LSMOD | $GREP ip_tables | $AWK '{print $1}'`" ]; then
    $MODPROBE ip_tables
fi
echo -en "ip_conntrack, "
if [ -z "`$LSMOD | $GREP ip_conntrack | $AWK '{print $1}'`" ]; then
    $MODPROBE ip_conntrack
fi
echo -en "ip_conntrack_ftp, "
if [ -z "`$LSMOD | $GREP ip_conntrack_ftp | $AWK '{print $1}'`" ]; then
    $MODPROBE ip_conntrack_ftp
fi
echo -en "ip_conntrack_irc, "
if [ -z "`$LSMOD | $GREP ip_conntrack_irc | $AWK '{print $1}'`" ]; then
    $MODPROBE ip_conntrack_irc
fi
echo -en "iptable_nat, "
if [ -z "`$LSMOD | $GREP iptable_nat | $AWK '{print $1}'`" ]; then
    $MODPROBE iptable_nat
fi
echo -en "ip_nat_ftp, "
if [ -z "`$LSMOD | $GREP ip_nat_ftp | $AWK '{print $1}'`" ]; then
    $MODPROBE ip_nat_ftp
fi
echo -e "ip_nat_irc"
if [ -z "`$LSMOD | $GREP ip_nat_irc | $AWK '{print $1}'`" ]; then
    $MODPROBE ip_nat_irc
fi

# !!! forwarding !!!
echo "---"
echo " ENABLING FORWARDING! "
echo "1" > /proc/sys/net/ipv4/ip_forward

echo " Clearing any existing rules and setting default policy to DROP -"
# flushing the chains and setting default policies before editing them
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
    $IPTABLES -F drop-and-log-it
fi
$IPTABLES -X
$IPTABLES -Z

echo " CREATING a DROP chain"
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info
$IPTABLES -A drop-and-log-it -j DROP

echo -e "\n - loading INPUT rulesets"
# Input rules; 1st one is for the OpenVPN tunnel interface
$IPTABLES -A INPUT -i tun+ -j ACCEPT
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $HAUPTNET -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
# packets arriving on the external interface with an internal source address are spoofed
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
echo -e " allowing external interfaces to access the www"
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

echo -e " Loading OUTPUT RULESETS !!!!!! "
# Output rules; 1st one is for the OpenVPN tunnel interface
$IPTABLES -A OUTPUT -o tun+ -j ACCEPT
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $INTIP -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

echo -e " - loading forwarding ruleset"
# Forwarding rules; 1st two rules for the OpenVPN tunnel interface
$IPTABLES -A FORWARD -i tun+ -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o tun+ -s $INTIP -j ACCEPT
echo " - FWD : Allow all connections out and only existing or related in"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -s $HAUPTNET -d $UNIVERSE -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# you could choose to allow all traffic for the servers here
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $SERVNET -j ACCEPT
# web traffic allowed for the proxy only
## $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s 192.168.200.5 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -p tcp --destination-port 80:443 -j drop-and-log-it
# end web traffic
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j drop-and-log-it

echo "NAT : enabling SNAT functionality on $EXTIF"
# enabling postrouting NAT
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

echo -e "\nStronger rc.firewall-2.4 $FWVER done. HAVE A NICE DAY.\n"
# setting the default route
route add default gw 192.168.150.5
echo -e "\nDefault-Route set for Jormannsdorf.\n"

This is the ruleset loaded from /etc/rc2.d/S12firewall on host snowball.

Note: Dropped packets are by default displayed on the console as they occur. Because that is not comfortable to work with, I decided to log the packets to /var/log/messages instead. To do that you have to modify the file /etc/init.d/klogd and change the variable KLOGD to

KLOGD="-c 4"

1.4 Maggie: MySQL server[33]

Maggie is not only our asterisk server in this environment; because she has pretty good hardware we decided to make her the database server as well. The database chosen is MySQL because of its widespread popularity and its many uses. Since there was no binary for Debian available I downloaded the sources from http://dev.mysql.com/downloads/mysql/4.1.html (at this time MySQL 5.0 was not yet available). For installing you need gunzip, tar, gcc and make, and the following commands:

# creating a group and a user mysql
shell> groupadd mysql
shell> useradd -g mysql mysql
shell> gunzip < mysql-VERSION.tar.gz | tar -xvf -
shell> cd mysql-VERSION
# ./configure --help shows you the configure options; here I chose to install mysql to /usr/local/mysql
shell> ./configure --prefix=/usr/local/mysql
shell> make
shell> make install
# setting up a sample configuration file
shell> cp support-files/my-medium.cnf /etc/my.cnf
shell> cd /usr/local/mysql
# if you haven't installed MySQL before, you have to install the grant tables
shell> bin/mysql_install_db --user=mysql
# change the owner of the binaries to root, the owner of the data to mysql
shell> chown -R root .
shell> chown -R mysql var
shell> chgrp -R mysql .
# initializing and testing afterwards:
shell> bin/mysqld_safe --user=mysql &
# if you like to have the MySQL server started at boot, use the script located in support-files/mysql.server
# if you want to create a new user "user" with all rights from every host with password "password";
# this creates an entry in the database "mysql" in table "user" ('%' is MySQL's any-host wildcard)
mysql> grant all on *.* to 'user'@'%' identified by 'password';
# for logging
shell> mkdir /var/log/mysql
shell> chown mysql.mysql /var/log/mysql
# in /etc/my.cnf specify the log directory (the slash at the end is important!)
log-bin=/var/log/mysql/

1.5 Installing OpenVPN on snowball and bart

OpenVPN [5] is a program written by James Yonan that provides the ability to set up SSL-encrypted Virtual Private Networks. The SSL encryption is provided by OpenSSL, and there are three possibilities for authenticating peers. One is the use of certificates, which is the most secure; another takes username/password pairs so that clients no longer have to hold their own certificates. The easiest way of having an SSL-encrypted tunnel is with the help of pre-shared keys. There are several drawbacks to this static-key approach, like limited scalability or the fact that the key has to exist on each host in plain text. You can download the OpenVPN package either from the homepage http://openvpn.net or get it with a simple "apt-get install openvpn" on Debian-based systems.

The first thing after you have installed OpenVPN is to decide whether to use a routed or a bridged VPN. The choice to make is whether the connected network or host should be treated as a member of the other network, or whether traffic between them is treated as if there were a router in between. In a bridged VPN you have broadcasts traversing the tunnel and no routing entries to make. This is an easy-to-use choice for road warriors, but it does not scale very well and is less efficient than routing. Overall, in most cases you will use routing instead of bridging; it is easy to set up and provides better access control. Bridging on the other hand should be used if you are using non-IP protocols such as IPX, running applications relying on broadcasts, or want browsing of Windows file shares made possible without setting up WINS. As you might have guessed, I decided to use a routed VPN.

1.5.1 Setting up your Certification Authority (CA) [13]

If you don't already have a PKI (public key infrastructure) you should start by building one. Authentication is bidirectional, meaning the server authenticates the client and the client in turn authenticates the server before a secure connection can be established. Both authenticate by verifying that the certificate was signed by the certification authority and afterwards by checking the certificate header for things like the certificate common name or certificate type. This requires the existence of key pairs (public and private) for each host wanting to connect to the VPN and a certification authority signing them. If you don't want or need an official authority to sign the keys you can also build your own authority, which is described below.

In your /usr/share/doc/openvpn/examples directory is a directory called easy-rsa. Best practice is to copy that folder into your /etc folder so that future package upgrades don't affect your configuration. Then you have to modify your ./vars file with the information about KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL (don't leave any of them blank). To initialize the PKI you only have to:

. ./vars
./clean-all
./build-ca

Note: The first command sets the global parameters for building the PKI; the vars file has to be sourced into the current shell (". ./vars") rather than executed, because it only exports variables. In my case ./vars did not work, so I chose the hands-on method of adding the exported parameters from the ./vars file to the /root/.profile file myself.

The last command ./build-ca creates the CA and invokes an interactive openssl command where you have to give the needed information. As set before, the information provided through the ./vars file is used as the default here. Only the Common Name has to be added, and in my case this is "snowball".

1.5.2 Generating certificates and keys

With a Certification Authority up and running, the next step is to generate a certificate and private key for the server:

./build-key-server snowball
Common Name: snowball
sign certificate: yes
1 out of 1 certificate certified: yes

All other queried parameters can be defaulted except for the three mentioned above; the last two options require positive responses. Building the keys for the clients in the VPN network is as easy as building the server key. Building keys for two clients is done by

./build-key client1
./build-key client2

where client1 and client2 are the unique Common Names for the two clients. If you would like to have password-protected keys use ./build-key-pass instead. Last but surely not least important is the generation of Diffie-Hellman parameters.

1.5.3 Diffie-Hellman parameters [14]

Diffie-Hellman refers to the Diffie-Hellman key agreement protocol, a technique for negotiating a secret key over an insecure medium like the internet. The protocol is also called "exponential key agreement" and was devised by Diffie and Hellman. Diffie-Hellman is very secure because it uses very large integers to compute the keys. Its only vulnerability is to man-in-the-middle attacks: because the exchanged data is not authenticated initially, an attacker could negotiate a separate key with each of the two nodes without anyone noticing. The parameters are generated on the server (this will take some time):

./build-dh
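As an added illustration of the key agreement and the man-in-the-middle weakness described above (example code, not part of the thesis), the following Python simulates the exchange with a constructed toy modulus (the Mersenne prime 2**127-1, not a real dh1024.pem group) and shows why authenticating the public values matters: an HMAC under a key both sides already trust stands in for the certificate signature OpenVPN verifies, and a substituted value fails that check.

```python
"""Toy Diffie-Hellman exchange, the unauthenticated man-in-the-middle split,
and the same exchange with authenticated public values.  Added example, not
from the thesis; P and G are constructed toy parameters."""
import hashlib
import hmac
import secrets

P = 2**127 - 1  # prime modulus; constructed toy value, far too small for real use
G = 3           # generator; constructed toy value


def keypair(p=P, g=G):
    """Return (private exponent a, public value g**a mod p)."""
    a = secrets.randbelow(p - 3) + 2
    return a, pow(g, a, p)


def shared_key(priv, peer_pub, p=P):
    """Derive a symmetric key from the DH secret peer_pub**priv mod p."""
    secret = pow(peer_pub, priv, p)
    raw = secret.to_bytes((p.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw).hexdigest()


def honest_exchange():
    """Alice and Bob see each other's real public values: keys agree."""
    a, pub_a = keypair()
    b, pub_b = keypair()
    return shared_key(a, pub_b) == shared_key(b, pub_a)


def mitm_exchange():
    """Mallory swaps each public value in transit for one of her own.  Plain
    DH carries nothing that proves who generated a value, so Alice and Bob
    each end up sharing a key with Mallory, not with each other.  Returns
    (alice_key, bob_key, mallory_key_with_alice, mallory_key_with_bob)."""
    a, pub_a = keypair()
    b, pub_b = keypair()
    m_to_bob, pub_m_to_bob = keypair()      # shown to Bob instead of pub_a
    m_to_alice, pub_m_to_alice = keypair()  # shown to Alice instead of pub_b
    alice_key = shared_key(a, pub_m_to_alice)
    bob_key = shared_key(b, pub_m_to_bob)
    mallory_with_alice = shared_key(m_to_alice, pub_a)
    mallory_with_bob = shared_key(m_to_bob, pub_b)
    return alice_key, bob_key, mallory_with_alice, mallory_with_bob


def tag(pub, auth_key):
    """Authentication tag over a public value.  An HMAC under a key both sides
    already trust stands in for the CA-backed certificate signature OpenVPN
    verifies; this is a simplification, not OpenVPN's actual mechanism."""
    return hmac.new(auth_key, pub.to_bytes(16, "big"), "sha256").digest()


def authenticated_exchange(tamper):
    """Bob derives a key only if Alice's value carries a valid tag.  With
    tamper=True Mallory substitutes her value; she cannot produce a tag for
    it, so Bob aborts (returns None) instead of keying with the attacker."""
    auth_key = secrets.token_bytes(32)  # constructed stand-in for the shared trust anchor
    a, pub_a = keypair()
    b, pub_b = keypair()
    tag_a = tag(pub_a, auth_key)
    received = pub_a
    if tamper:
        _, received = keypair()         # substituted value; tag_a still covers pub_a
    if not hmac.compare_digest(tag_a, tag(received, auth_key)):
        return None
    return shared_key(b, received) == shared_key(a, pub_b)
```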

1.5.4 Distributing the files

The last step is to distribute the key files generated on the server over a secure channel to the clients, where they have to reside for future encrypted and authenticated connections. Of course, you could also generate the client keys on the clients themselves and, by submitting Certificate Signing Requests (CSR), have them signed at the key-signing machine. Then the .key files don't have to leave your hard disk. In my lab I chose the secure way of putting the files on a floppy and carrying it to the clients (old school but secure). Below you have a list of files created in the process of setting up the PKI.

1.5.5 Advantages when using this security model

• The server only has to store its own certificate/key.
• The server only accepts signed certificates, and this check is fulfilled with the CA certificate (the CA's public key), which means that the CA's private key could even reside on a machine not connected to the network.
• Keys that have been compromised can easily be added to the CRL (certificate revocation list).
• Servers can enforce access rights through embedded information like Common Names.

1.5.6 Configuring OpenVPN

The easiest way to configure OpenVPN is to start with the sample configuration files provided in the package. So begin with

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/

for the server configuration and

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/

for the client.

1.5.6.1 server.conf (snowball.sylvia.test)

(Comments are shortened)

port 1194
proto udp
## routed VPN
dev tun
## paths to the root CA certificate, server certificate and server key
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
## path to the Diffie-Hellman parameters
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
## supply a VPN subnet address
server 10.8.0.0 255.255.255.0
## maintain a record of clients
ifconfig-pool-persist ipp.txt
## push a route to the client so it can reach the subnet behind the server
push "route 192.168.201.0 255.255.255.0"
## assign a given IP address to a specific host
client-config-dir ccd
## route for the server
route 192.168.200.0 255.255.255.0
## allow the subnet behind the client to access the VPN
client-config-dir ccd
route 10.8.0.0 255.255.255.252
## send ping-like packets every 10 seconds, assume
## that the host is down after 120 seconds
keepalive 10 120
## enable compression on the VPN link
comp-lzo
## reduce the OpenVPN daemon's privileges after
## initialization
user nobody
group nobody
## avoid accessing certain resources on restart
## that may no longer be accessible
persist-key
persist-tun
## output a short status file
status openvpn-status.log
## set verbosity
verb 3

1.5.6.2 client.conf (bart.sylvia.test)

(Comments are shortened)

Note: When modifying client.conf, watch out for what the server settings are.

## specify that we are a client
client
dev tun
## 10.8.0.2 is the client, 10.8.0.1 the server
ifconfig 10.8.0.2 10.8.0.1
proto udp
## the hostname/IP and port of the server
## don't use the tunnel endpoint address here!
## otherwise you get: udpv4 link local: [undef]
remote 192.168.150.7 1194
## keep trying indefinitely to resolve the host name
resolv-retry infinite
## don't bind to a specific local port
nobind
## downgrade privileges after initialization (non-Windows only)
user nobody
group nobody
## try to preserve some state across restarts
persist-key
persist-tun
## paths for the root CA certificate, client1 certificate and client1 key
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/client1.crt
key /etc/openvpn/easy-rsa/keys/client1.key
## enable compression on the VPN link
comp-lzo
## set log file verbosity
verb 3

1.5.6.3 Additional settings and notes to the installation

In my case the group "nobody" didn't exist, so I had to create a new one with

addgroup nobody

The next step is to allow the new traffic flows in your firewall with the following rules:

$IPTABLES -A INPUT -i tun+ -j ACCEPT
$IPTABLES -A OUTPUT -o tun+ -j ACCEPT
$IPTABLES -A FORWARD -i tun+ -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o tun+ -s $INTIP -j ACCEPT

The first rule accepts traffic coming in from the tunnel interface and the second one accepts traffic going out of the tunnel interface. Rules three and four concern the forwarding of traffic coming from the tunnel or, in rule four, coming from the internal interface and going out of the tunnel interface with an IP from the local IP range. As I forgot rule four in the first place, it seemed to me the most important rule. The error that occurred was that traffic from a host located in the LAN behind the tunnel was dropped.

Looking at "ifconfig" on both hosts showed me that the server got a new device called tun0 with IP 10.8.0.1, whereas the client had 10.8.0.6. At that time my ping only worked in one direction, so the fact that the client didn't use 10.8.0.2 was not of great importance to me. Checking the netstat routing entries helped me get further. The client needs an entry (if not generated automatically) for destination 10.8.0.1 via device tun0. On the server side of the connection the routes have to be checked as well. Make sure there is an opposite route heading to 10.8.0.2 (or whatever your client address is at that time) via device tun0. Then pinging each side has to be possible.

As you might have noticed in the last paragraph, the client address changed from 10.8.0.6 to 10.8.0.2. This has to be configured separately in a file named after the Common Name of the client. So you need a new directory in /etc/openvpn on the server side of the connection with the file /etc/openvpn/ccd/client1 (both file and folder have user and group set to root) with the following lines in it:

iroute 192.168.200.0 255.255.255.0
ifconfig-push 10.8.0.2 10.8.0.1

The second line pushes the reserved client address. Then, after restarting, ping in both directions, and even from the LANs behind the tunnel endpoints, works.

For opening the OpenVPN connection at startup I wrote a small startup script called startup residing in /etc/openvpn/ containing

openvpn /etc/openvpn/server.conf --daemon

Don't forget to

chmod 755 /etc/openvpn/startup
ln -s /etc/openvpn/startup /etc/rc2.d/S23openvpn

The command "openvpn /etc/openvpn/server.conf --daemon" starts the openvpn daemon with the configuration file /etc/openvpn/server.conf. The option "--daemon" makes openvpn log to /var/log/messages instead of the console.

1.6 Other services provided by marge.sylvia.test

Above I described one of marge’s services, cups, but marge has more to offer than only a printer server. Marge is what I would call “the heart” of my network providing dynamic host addressing, domain name service, mail server, web server, web-proxy and some other services. Below I will describe each one briefly.

1.6.1 web server apache

Apache, nowadays the most popular HTTP server, available for almost all platforms, was developed around 1995 and derived from the NCSA HTTPd server that was pretty popular back then. Because the first approach to building Apache was patching the NCSA HTTPd, it is said the name "apache" is derived from "a patchy" server. With apache2 v2.0.54 installed (apt-get install apache2) one can start configuring the whole thing. In former times you had to modify /etc/apache2/httpd.conf, which by now is nothing more than a container kept for backward compatibility reasons. Apache2 now uses /etc/apache2/apache2.conf. For a simple configuration of Apache you usually don't even have to change anything. Just browse to http://marge.sylvia.test and you should see the welcome screen at http://marge.sylvia.test/apache2-default, proving your installation has been successful. To publish files on your server you simply have to add them to your document root. If you are not perfectly sure which directory this is, simply look into /etc/apache2/sites-enabled/000-default. In the appendix you will find the apache2.conf file. If you need additional support go and see the website of the Apache Software Foundation [10] or another nice tutorial (for Apache 1.x) at KPLUG [16].

1.6.2 dynamic host addressing dhcpd [17]

For distributing dynamic addresses in the network dhcpd is used. Dhcpd is based on the Dynamic Host Configuration Protocol and provides and distributes the information a host needs to join a network. After defining an address range for the server to use, hosts that are configured to request an IP address after startup are supplied one. You can also set up the server so that only predefined MAC addresses are allowed to get an IP address. This is useful if you are monitoring the traffic log files permanently and don't want to figure out which computer had which address at a given time, or if you want to prevent people from plugging in PCs not allowed in your network.

When a host is added to a network, a client broadcast is made to find possible available servers for configuration with DHCP, the so-called DHCPDISCOVER. When a server notices a host asking for a DHCP address and the host is allowed into this network, the server sends back a broadcast DHCPOFFER with an IP address it should use. The client then accepts the offer with a broadcast DHCPREQUEST, telling the server that it wants to take the given address (this double-check is needed in case two clients needing IP addresses simultaneously are offered the same address). The last step in handing out the IP address is a broadcast DHCPACK by the server. Only now can the client configure its interface with the given parameters. The address given is valid until either the client sends a DHCPRELEASE or the lease time, the server-side predefined time the address is valid, expires. See the appendix for the configuration file. As you will see, the IP addresses for the hosts are not defined in the dhcpd.conf but require DNS in between in order to resolve the hostnames. A sample entry:

host nelson.sylvia.test {
    hardware ethernet 00:60:97:11:D5:F0;
    fixed-address nelson.sylvia.test;
}

1.6.3 DNS server BIND [7][19][20]

The de facto standard in Domain Name Service is BIND, the Berkeley Internet Name Domain. It stores centralized domain name/IP address pairs so that they are accessible for all clients on the network. BIND is, e.g., responsible for providing you with the IP address if you enter a hostname in your web browser. The entry BIND looks up is called an A record, while there are several others, like e.g. CNAME, indicating an alias for a given A record.

Several files are needed in order for BIND to work. Best practice is to start with the /etc/bind/named.conf.* files, where you define the zones in your network. The named.conf itself has entries for the zone "localhost". If you're adding zones rather than modifying them you should better do this in the named.conf.local file. A sample zone entry looks like this and defines which file to search for gathering host information about the zone specified:

zone "sylvia.test" IN {
    type master;
    file "/etc/bind/db.sylvia.test";
};

In order to support reverse lookup (that is, translation from IP address to name) you need separate zone entries. The name of the reverse zone for the network 192.168.200.0 is by default "200.168.192.in-addr.arpa", where in-addr.arpa is a pseudo-domain that holds the entries in least-to-most significant order. Here's a sample reverse zone entry from the /etc/named.conf.local:

zone "200.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.200.168.192";
};

Now you are done with the named.conf.* files and have to move on to the files specified above. As you can see, I put them in /etc/bind/. The most important file of course is /etc/bind/db.sylvia.test, holding all host/IP pairs for my domain. Sample entries for marge.sylvia.test defining the IP address and giving her two aliases called "proxy" and "www" are:

marge    A      192.168.200.5
proxy    CNAME  marge
www      CNAME  marge

The corresponding reverse lookup entry located in /etc/bind/db.200.168.192 looks like this (don't forget the "." at the end of the entry):

5 IN PTR marge.sylvia.test.
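As an added example (not from the thesis), the following Python derives the reverse zone name and the PTR lines from forward entries in the db.sylvia.test layout shown above, generalised to any octet-aligned network (/8, /16, /24), and flags CNAMEs whose target has no A record; the zone text it parses is a constructed sample.

```python
"""Reverse zone name and PTR records derived from forward zone entries, plus a
check for dangling aliases.  Added example, not from the thesis; the zone text
below is a constructed sample in the layout of /etc/bind/db.sylvia.test."""
import ipaddress

ORIGIN = "sylvia.test"
FORWARD_ZONE = """\
; constructed sample in the layout of /etc/bind/db.sylvia.test
marge   A      192.168.200.5
proxy   CNAME  marge
www     CNAME  marge
bart    A      192.168.200.1
ns2     CNAME  ghost
"""


def fqdn(name, origin):
    """Absolute name with trailing dot, as BIND expects in PTR data."""
    return name if name.endswith(".") else f"{name}.{origin}."


def parse_forward(text, origin):
    """Return (a_records, cnames): {owner: ip} and {alias: target}, all FQDNs."""
    a_records, cnames = {}, {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # strip BIND comments
        if not fields:
            continue
        if len(fields) > 1 and fields[1].upper() == "IN":  # optional class field
            del fields[1]
        owner, rtype, rdata = fields[:3]
        if rtype.upper() == "A":
            a_records[fqdn(owner, origin)] = rdata
        elif rtype.upper() == "CNAME":
            cnames[fqdn(owner, origin)] = fqdn(rdata, origin)
    return a_records, cnames


def reverse_zone_name(network):
    """E.g. 192.168.200.0/24 -> 200.168.192.in-addr.arpa (octet-aligned only)."""
    net = ipaddress.ip_network(network)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("classless reverse zones need RFC 2317 delegation")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_records(a_records, network):
    """PTR lines for every A record inside network, owner relative to the zone."""
    net = ipaddress.ip_network(network)
    keep = net.prefixlen // 8
    lines = []
    for name, ip in sorted(a_records.items(),
                           key=lambda kv: ipaddress.ip_address(kv[1])):
        if ipaddress.ip_address(ip) in net:
            host_octets = ip.split(".")[keep:]   # remaining octets, reversed
            lines.append(f"{'.'.join(reversed(host_octets))} IN PTR {name}")
    return lines


def dangling_aliases(a_records, cnames):
    """CNAMEs whose target has neither an A record nor another CNAME."""
    return sorted(alias for alias, target in cnames.items()
                  if target not in a_records and target not in cnames)
```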

Before you start testing your configuration, don't forget to point to your own DNS server in /etc/resolv.conf. Testing name resolution is possible with the command "nslookup hostname" (or respectively "dig hostname"):

root@0[knoppix]# nslookup www
Server:         192.168.200.5
Address:        192.168.200.5#53

www.sylvia.test canonical name = marge.sylvia.test.
Name:   marge.sylvia.test
Address: 192.168.200.5

For testing reverse lookups you can use "dig -x address":

root@0[knoppix]# dig -x 192.168.200.5

; <<>> DiG 9.2.4 <<>> -x 192.168.200.5
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53688
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;5.200.168.192.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
5.200.168.192.in-addr.arpa. 604800 IN   PTR     marge.sylvia.test.

;; AUTHORITY SECTION:
200.168.192.in-addr.arpa. 604800 IN     NS      ns1.sylvia.test.

;; ADDITIONAL SECTION:
ns1.sylvia.test.        604800  IN      A       192.168.200.5
ns1.sylvia.test.        604800  IN      AAAA    2001:16d8:ff47:1203:2::5

;; Query time: 7 msec
;; SERVER: 192.168.200.5#53(192.168.200.5)
;; WHEN: Sun Dec  4 09:13:10 2005
;; MSG SIZE  rcvd: 137

1.6.4 Mail transfer agent exim4 [21] [22] [23]

A mail transfer agent or MTA is a service that receives mail and stores it in the recipient's mailbox. It receives its mail from another mail transfer agent, from a mail submission agent (MSA) that receives mail from a mail user agent, or directly from a mail user agent (MUA). A mail submission agent is nothing else than an intermediate station between a mail user agent, or simply a mail client, and a mail transfer agent. Often an MUA acts as an MSA as well.

Installing exim4 with "apt-get install exim4" will have "debconf" appear with several configuration questions, discussed below. First it asks you whether you want to have the configuration put into one file or into several files. I chose to use one file. Since I want outgoing mail to be delivered to the Berufsförderungsinstitut Burgenland's own mail server, I chose "mail sent by smarthost; received via SMTP or fetchmail" in the next step. Then you are prompted for the system mail name, which should be the fully qualified domain name "marge.sylvia.test". If you don't have DNS in your network, add the domain name to the /etc/hosts file. If you want to connect to exim4 from hosts other than localhost, you should alter the IP address the server listens on (which is by default 127.0.0.1) to "192.168.200.5" here. After that, you need to decide for which other destinations your host is the final destination. If you have a DNS domain across your network, enter the domain name and its associated top-level domain here ("sylvia.test:marge"). Now you define the networks exim4 accepts incoming mail from. In my topology "192.168.0.0/16" fits my needs best. Because we defined using a smarthost before, we are prompted to give its domain name here ("mail.bfi-burgenland.at"). The last two questions are whether you would like to have the header rewritten for mail leaving your network, which I answered with "no", and whether you would like to minimize DNS queries, where I put in a "yes".

Now you have new settings in /etc/exim4/update-exim4.conf. If you want to change the settings we made during debconf afterwards, you can either change the file /etc/exim4/update-exim4.conf and /etc/mailname (which only holds the mail server's fully qualified domain name) or run

dpkg-reconfigure exim4-config

In the directory /usr/share/doc/exim-base/examples you will find commented example files for what is needed when installing exim4. Next you modify the alias file, usually located in /etc/aliases and holding a table of all mail users in the system. It is vital to give the address of the postmaster here, so he can receive the system's mail problems. Setting the mailer-daemon alias to the postmaster is done so that the messages from those people replying to bounce messages (a bounce message is an automated e-mail from the receiver's mail system telling the sender that the message could not be delivered for some reason; it is also called a Delivery Status Notification (DSN) message) are sent to the postmaster. The last thing you should not forget, besides adding the users, is to map messages destined to "root" to the postmaster.

1.6.5 POP3 server qpopper [9]

Qpopper is a widely used server for the POP3 (Post Office Protocol) protocol, which allows users to fetch their mail from the mailboxes stored by your mail transfer agent, exim4 in our network. After downloading the *.tar.gz file containing qpopper from the homepage referenced in the caption, you can quick start after uncompressing: “./configure” creates a makefile, followed by “make” and “make install”. This compiles qpopper and installs the server as well as the man pages that came with the package. “make clean” deletes all executables and the compiled code.

For configuring qpopper you have to decide how to run it: either as a standalone server or started by inetd. In the first case you need to add a startup script in the /etc/rcx.d directory matching your runlevel (where x stands for your runlevel; to find out which runlevel you are using, simply type “runlevel” at your Unix prompt). In the second case the file /etc/inetd.conf needs to be configured. Inetd is a daemon on many Unix-flavoured systems managing Internet services such as FTP, telnet and of course POP3. It is more efficient than running standalone services because inetd launches the appropriate service only when a matching packet is received; the port number is the criterion for launching the service. This way of starting services is preferable for services not used all the time (where dedicated servers surely have more advantages). To configure a service with inetd you have to check the /etc/services file, to see if the port is mapped to the service, and the /etc/inetd.conf file. Below is the example entry for qpopper, assuming your executable is held in /usr/local/lib:

pop3 stream tcp nowait root /usr/local/lib/popper qpopper -s

It is recommended to qualify nowait, e.g. nowait.400, for large networks with lots of hosts querying the server, in order to prevent inetd from killing qpopper on the assumption that it is looping.

The file /etc/services only needs the line

pop3 110/tcp #Post office

I chose to run qpopper as a dedicated server. The configuration that has to take place in order to have a functioning POP3 system is small. It is important that you have a symbolic link from directory /var/spool/mail to /var/mail where the actual mails reside. There you have a file for each user in the mailing system. Other configuration issues can be found in /etc/qpopper.conf. The options set within this file can also be set by appending the needed option to the “./configure” command. For a non-complex mailing system you won’t have to set any options here (qpopper.conf in fact is a blank file in my configuration). For a detailed description of the options available, read the comments in /etc/qpopper.conf or look for /usr/share/doc/qpopper/GUIDE.pdf.gz.

1.6.6 web traffic monitoring with webalizer [11][26] [27]

Webalizer is a commonly used tool to generate web pages analyzing different criteria like hits, visits and referrers from the access and usage logs of your web server. It is also possible to use it with the proxy “squid”, which I used to have control over the web traffic. You can install webalizer from source or from a binary distribution, or, as I did, with “apt-get install webalizer”. Webalizer usually searches for the configuration file in the current directory and in /etc/, and will then process any other files or options defined when starting. When you use the default configuration file /etc/webalizer.conf you can invoke the program with “webalizer”, otherwise you have to specify the file used: “webalizer -c myconfigurationfile.conf”. To get a list of all command line options simply type “webalizer -h”. After you have typed the “webalizer” command, forcing webalizer to analyse the log file specified in the given configuration file, a new file “index.html” is created in the directory set for the HTML output. In my configuration I used /etc/webalizer.conf for configuring the HTML output directory /var/www/webalizer and the log file /var/log/squid/access.log. The webalizer graphs are therefore reachable at www.sylvia.test/webalizer. Don’t forget to repeatedly force webalizer to analyse the logs via the crontab. Look for the configuration files in the appendix.

1.6.7 web caching and proxying with squid [28] [29]

Squid is a widely used web caching and proxying server that can provide access restriction by various criteria. Its advantages lie in speeding up the response time of a network service by caching requests for repeated use. Every time you request a site, squid first of all checks if it is already loaded in the cache. If it is not, the site is fetched from the internet and stored in the cache. Otherwise the cached site’s age is checked to see whether it has expired in between (every site is stored for a predefined amount of time), and the content from the cache is sent to the requesting client in case the site is still valid. Caching works for several protocols but is primarily used for HTTP and FTP. ISPs (Internet Service Providers) or LANs sharing a network connection tend to use caching. Users browsing the internet in such an infrastructure use the squid cache as an HTTP proxy, decreasing bandwidth consumption, and have some additional security and anonymity features because the proxy requests the sites on behalf of the “real” client. A huge advantage for each web administrator is the possibility to content-filter the web sites requested.

You can download squid from the website cited or install it directly with “apt-get install squid”. You will find the configuration file in /etc/squid/squid.conf. For a simple startup you only have to define a few options. One is “cache_dir” to define the directory devoted to caching data. “http_port” is the port squid listens on (default 3128). “http_access” defines who is allowed to use squid and defaults to denying all hosts until they are explicitly allowed in ACLs (access control lists), which you have to set in order to fit your requirements. The two last options needed are “cache_effective_user” and “cache_effective_group”, which define the user having permission to read and write in the cache directory and in the log files. By default squid is configured in proxy mode and is now ready for use.

After setting the properties of the clients’ web browsers to use the proxy at server “proxy.sylvia.test” and port “3128”, all web traffic is led through squid. You find these properties for Firefox in the “Tools” menu. In the options window, click “General” and, on the lower right side of the window, “Connection settings”. There you can define the server and the port of the proxy and which protocols it serves (in some Linux versions of Firefox you will find the “Options” dialog in the “Edit” menu). For Microsoft’s Internet Explorer you have the same changes to make under the “Tools” menu entry “Internet Options”. Click on the tab labelled “Connections” and then on the button at the bottom named “LAN settings”. Check out my configuration file in the appendix and at your installation, for it contains lots of information.

Note: In my network I chose to allow direct network access only to the servers of my network (take a look at iptables). No client can therefore fetch anything from the internet that squid would have intercepted, which can be sites not allowed by the content check, by the ACL or by download restrictions (size, file type, ...).
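The ordering and default-deny behaviour of “http_access” described above, shown as an added illustration that is not part of this thesis or of Squid’s own code: a small Python evaluator for the “src” ACL type that walks the “http_access” lines the way Squid does (all ACLs on a line must match, the first matching line decides, and a client matching no line gets the opposite of the last line’s action). The two configuration fragments are constructed here; WEAK_CONF lets anyone who can reach port 3128 use the proxy, HARDENED_CONF allows only the two office networks of this lab and then denies all.

```python
import ipaddress

# Constructed example fragments (not the squid.conf from the thesis appendix).
# Squid 2.5 needs "acl all" defined explicitly; newer versions build it in.
WEAK_CONF = """
http_port 3128
acl all src 0.0.0.0/0
http_access allow all        # open proxy: anyone reaching port 3128 may use it
"""

HARDENED_CONF = """
http_port 3128
acl all src 0.0.0.0/0
acl localnet src 192.168.200.0/24 192.168.201.0/24
http_access allow localnet   # main office and branch office only
http_access deny all         # everything else is refused
"""


def parse_squid_conf(text):
    """Return (acls, rules) for the subset handled here:
    'acl <name> src <net> ...' definitions and
    'http_access <allow|deny> <acl> ...' rules, in file order."""
    acls = {}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            nets = [ipaddress.ip_network(p, strict=False) for p in parts[3:]]
            acls.setdefault(parts[1], []).extend(nets)
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def decide(acls, rules, client_ip):
    """Evaluate the http_access rules for one client address like Squid:
    every ACL on a line must match (a leading '!' negates one), the first
    matching line decides, and no match yields the opposite of the last line."""
    ip = ipaddress.ip_address(client_ip)
    last_action = None
    for action, names in rules:
        matched = True
        for name in names:
            negate = name.startswith("!")
            key = name.lstrip("!")
            if key not in acls:
                raise ValueError(f"http_access references undefined acl {key!r}")
            hit = any(ip in net for net in acls[key])
            if hit == negate:          # missed a plain acl, or hit a negated one
                matched = False
                break
        if matched:
            return action
        last_action = action
    if last_action is None:
        return "deny"                 # no rules at all: Squid denies
    return "deny" if last_action == "allow" else "allow"


def evaluate(conf_text, client_ip):
    """Parse a fragment and decide for one client address."""
    acls, rules = parse_squid_conf(conf_text)
    return decide(acls, rules, client_ip)


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for client in ("192.168.200.33", "203.0.113.7"):
            print(f"{name:8} {client:15} -> {evaluate(conf, client)}")
```

The evaluator only knows “src” ACLs; Squid’s other ACL types (dstdomain, time, url_regex and so on) are outside the scope of this illustration. The value of running it is seeing that a trailing “http_access deny all” is what turns the list into a whitelist: without it, a client that matches no line is allowed whenever the last line was a deny.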

1.6.8 arpwatch [30]

Arpwatch is a tool developed by Lawrence Berkeley National Laboratory that monitors IP/MAC address pairings. “arpwatch -d” forks the service into the background and sends reports via email. “arpwatch -f <filename>” defines the database filename, which is by default “/var/lib/arpwatch/arp.dat”. Before you start arpwatch for the first time an empty arp.dat file has to be created. This program is intended to bring some extra security into your network by noticing new PCs in your network or spoofed MAC addresses. Look for documentation in the related man pages. If you are setting global arpwatch options use /etc/default/arpwatch; interface-specific ones are stored in /etc/arpwatch.conf. Look for the configuration files in the appendix.
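What arpwatch’s reports amount to, shown as an added example that is neither from this thesis nor from arpwatch itself: a Python script that loads a constructed arp.dat (the tab-separated layout “ethernet address, IP address, timestamp, hostname” is assumed here from arpwatch’s database format) and classifies newly observed IP/MAC pairings the way the paragraph above describes them, as a new station, a changed ethernet address or a flip-flop back to an address seen earlier. The flip-flop rule is simplified to “any MAC seen before for that IP”. The IP addresses come from this lab’s 192.168.200.0/24 range; the MAC addresses and timestamps are constructed.

```python
from collections import defaultdict

# Constructed arp.dat contents in arpwatch's tab-separated layout
# (assumed: ethernet address, IP address, Unix timestamp, optional hostname).
# arpwatch stores MAC addresses without leading zeros, e.g. "0:c:29:...".
ARP_DAT = """\
0:c:29:1a:2b:3c\t192.168.200.33\t1133400000\tapu
0:c:29:4d:5e:6f\t192.168.200.34\t1133400010\tnelson
0:50:56:aa:bb:cc\t192.168.200.35\t1133400020\tlisa
"""


def normalize_mac(mac):
    """Canonical lower-case form with two hex digits per octet, so that
    arpwatch's '0:c:29:..' and a sniffer's '00:0C:29:..' compare equal."""
    octets = mac.strip().split(":")
    if len(octets) != 6:
        raise ValueError(f"bad MAC address {mac!r}")
    return ":".join(f"{int(o, 16):02x}" for o in octets)


def load_arp_dat(text):
    """Return {ip: [mac, ...]} with the most recently seen MAC first."""
    history = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        mac, ip = normalize_mac(fields[0]), fields[1]
        if mac in history[ip]:
            history[ip].remove(mac)
        history[ip].insert(0, mac)
    return history


def classify(history, ip, mac):
    """Classify one observed pairing against the history and record it.
    Returns None when the pairing is already current (nothing to report),
    otherwise the kind of report arpwatch would mail."""
    mac = normalize_mac(mac)
    seen = history[ip]
    if not seen:
        report = "new station"                 # IP never seen on this segment
    elif seen[0] == mac:
        report = None                          # unchanged, stay quiet
    elif mac in seen:
        report = "flip flop"                   # back to an address used before
        seen.remove(mac)
    else:
        report = "changed ethernet address"    # possible spoofing or re-addressing
    if report is not None:
        seen.insert(0, mac)
    return report


def run(observations, arp_dat=ARP_DAT):
    """Feed (ip, mac) observations in order; return (ip, mac, report) for
    every pairing that would produce a report."""
    history = load_arp_dat(arp_dat)
    reports = []
    for ip, mac in observations:
        report = classify(history, ip, mac)
        if report is not None:
            reports.append((ip, normalize_mac(mac), report))
    return reports


if __name__ == "__main__":
    # Constructed observations, as a capture on the office segment would yield them.
    sample = [
        ("192.168.200.33", "00:0C:29:1A:2B:3C"),   # apu, unchanged: no report
        ("192.168.200.33", "00:11:22:33:44:55"),   # apu's IP answers from another card
        ("192.168.200.99", "aa:bb:cc:dd:ee:ff"),   # address never seen before
        ("192.168.200.33", "00:0c:29:1a:2b:3c"),   # apu's original card is back
    ]
    for entry in run(sample):
        print("%-16s %-18s %s" % entry)
```

A “changed ethernet address” for a server address like 192.168.200.5 (marge) or the gateway 192.168.200.1 (bart) is the report worth acting on promptly, since a client that believes the gateway’s MAC has changed will send its traffic to the new card; the “new station” report is the one that catches PCs plugged in without the administrator knowing.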

1.7 Other services provided by bart

Bart is not only the gateway router and tunnel endpoint for OpenVPN but also the host of ntpd and ntop.

1.7.1 network time protocol daemon ntpd [3]

Ntpd is a daemon synchronizing the system time with time servers from the internet. It acts as a time server for your local network and is able to broadcast time as well. You define which internet servers to use in the file /etc/ntp.conf, and you have a separate log file at /var/log/ntpd where you can see the time being synchronized. Within /etc/ntp.conf “logfile”, “driftsfile” (frequency file) and “statsdir” (directory for statistics) are defined. An option that might be interesting to set is “panic

1.7.2 ntop

Ntop is a network traffic probe for a detailed view of what your machines are doing. You have several subdivided parts where you can see graphs and details about categories like summed-up IP traffic, whether traffic was destined unicast/multicast/broadcast, throughputs, and so on. During the installation of the *.deb package with “dpkg -i” debconf asks you for details of the installation. In the first step you define which interfaces to monitor and in the second step which user runs the service (in my case: “ntop”). You can re-launch the configuration with the command “dpkg-reconfigure ntop”. Before starting ntop for the first time you have to set the administrator’s password with the command “ntop -A”, which prompts you for the password to use (this will also cause the service to start automatically upon each reboot). You can start ntop manually, if needed, with “/etc/init.d/ntop start”, which points to an init file “/etc/default/ntop” where in turn “/var/lib/ntop/init.cfg” is included. Inside “/var/lib/ntop/init.cfg” two variables are set: “user” and “interfaces”. These values are set by the “dpkg-reconfigure ntop” I mentioned above. If you want to add additional parameters like “-M” to separate the counters for multiple interfaces, you have to modify “/etc/init.d/ntop” yourself. To access ntop’s HTML output simply browse to port 3000 of the server with the ntop installation (http://bart.sylvia.test:3000).

1.8 Services provided by homer

Homer is a Windows 2000 server providing file sharing and Active Directory.

1.8.1 File sharing

To make a directory accessible for others on the network you need to share the folder. You can do this with a right-click on the folder in question in the “Windows Explorer”. The context menu opened contains an entry “Sharing...” which opens a dialog where you can define the name of the network share. Besides defining the name you have to define who is allowed to browse your files and what rights he/she has on your files. For this you have the button “Permissions” where you can choose the users to access your shared directory. Although I don’t have a good explanation for it, I won’t recommend using the user “everyone” here if you want to grant permissions to everyone. I didn’t experience great success with that, but with adding the users separately. The network shares I made were “\\192.168.200.12\daten” and “\\192.168.200.12\download”, holding the data produced while building my lab and the programs downloaded. For accessing the shares on Windows based systems I used the command “Map Network Drives” in the Tools menu in Windows Explorer or “net use * \\192.168.200.12\daten” on the command line. For Linux based systems I first had to install the package “smbfs” with “apt-get install” and could then mount the network drives. After creating mount points with “mkdir /mnt/daten” and “mkdir /mnt/download” I could mount the shares with the commands

mount -t smbfs -o username=elsylo //192.168.200.12/daten /mnt/daten
mount -t cifs -o username=elsylo //192.168.200.12/daten /mnt/daten

(respectively), which prompt you for the password in the next line. CIFS (Common Internet File System) is nothing else than a renamed new version of SMB (Server Message Block) enriched with some additional features.

1.8.2 Active directory [32] [33]

Active Directory is an implementation of LDAP (Lightweight Directory Access Protocol) directory services for use in Windows environments. It allows you to set enterprise- or group-wide policies or deploy programs or updates to several computers more easily. It is a centralized database storing information about the people, services and resources used in the network. Each object stored in Active Directory is therefore either a person, a computer or a service. Active Directory is responsible for objects and their attributes, their organization and their access rights and security options. An object represents a single entity and can be a container for other objects as well. Sample objects are e.g. a single person or a PC, and they are uniquely identified by their names. Each object belongs to at least one class, which contains a set of attributes for each object. The attributes of a class are described in a schema file. The schema itself is made up of two types of objects: schema class objects and schema attribute objects. At the top of the structure holding all the objects as a framework is the Forest, containing one or more Trees.

You start configuring your Windows 2000 Active Directory server at the “Windows 2000 Configure Your Server” screen, which asks you what kind of service you would like to configure (if you have chosen to close this window earlier you can open it again from the Start menu - Programs - Administrative Tools - Configure Your Server). First, the server is configured with the option “One or more servers are already running in my network” (the option “This is the only server in the network” installs not only Active Directory but DHCP and DNS as well). Now you have to choose which service to install from the menu at the left side of the Installation Wizard. For installing Active Directory you need at least one partition formatted with NTFS; otherwise you have to cancel setup and proceed after creating such a partition.

The next step is starting the Active Directory wizard, which opens a new dialog. Since this was the only domain controller in my local network I chose “Domain controller for a new domain” here and “Create a new domain tree” in the next step (you could otherwise create a new child domain in an existing domain tree here). Like in nature, trees usually grow in a forest, and as in nature we have to define the forest to add our new tree to (I chose a new forest). In the next step you have to define the domain name used for the domain, which is “sylvia.test” (a domain name consists of two parts separated by a “.” for Windows; if you choose not to have two parts, Windows will add “.DOM” to your domain name). You could also choose to have a domain name called “sylvia.com” because it is not used on the internet. If you have PCs with an operating system older than Windows 2000 in your network you have to use “NetBIOS” and provide an extra “NetBIOS Domain name” (I recommend accepting the default). The next step is to define the Active Directory database and log location, which requires 200 MB of free disk space. Next, the directory for the “SYSVOL” folder is defined; it has to reside on a partition formatted with NTFS. The SYSVOL folder will later be visible as part of the “Network Neighborhood” or “My Network Places” and will contain user-specific public files (and has to be on NTFS because of the enabled access rights enforcement). Accept the pre-Windows 2000 compatible permissions and enter a Restore Mode administrator’s password. In the last step review the settings made and click “Next” if you want Active Directory to configure what is needed. After restarting you can start adding the objects needed.

Note: Never click “Cancel” while Active Directory goes through the various steps of installing; it will wreck your computer! If it crosses your mind that you might have configured something wrong, let Active Directory finish its work and start “dcpromo” (i.e. the command starting the Active Directory wizard from “cmd”) again afterwards. When your installation was successful, all Active Directory management tools have been added to the menu “Administrative Tools”.

Run “Active Directory Users and Computers” to see your domain in the tree on the left side of the window, containing different container objects called “Builtin”, “Computers”, “Domain Controllers”, “ForeignSecurityPrincipals” and “Users”. Similar to the way you add new folders or empty files to a directory you can add objects to the containers mentioned. Clicking on the “Users” directory opens the list of users in your system (even if you have not added one manually by now, you will see some default users like “Administrator”). Right-clicking on the right side of the window opens up a context menu containing “New” with the items “Computer”, “Contact”, “Group”, “Printer”, “Person” and some more. When you add any of these objects you are asked to give details for it in a wizard-like window. In my domain I have only added one user account, “elsylo”, and the computers apu and nelson. This is something like a minimum configuration in order to allow the clients apu and nelson to log on to Active Directory. Both users created are server-side stored users. The advantage is that you don’t have to create users locally on a PC in the network. Wherever “elsylo” wants to log on with her profile, she has a computer with the settings she made, e.g. the desktop, and gains instant access to all services or network shares she is used to having. Besides this you have more centralized administrative power, like deactivating an account, setting passwords and of course, as mentioned above, setting qualities and rights of an account (e.g. certain persons may not be allowed to access FTP sites). The second tool served together with Active Directory is “Active Directory Sites and Services”. Within it you have a container called “Sites”, which in turn contains the container “Default-First-Site-Name” holding the “Server” object with the name of the Active Directory server just installed.

Remember that we allowed the DNS server BIND to dynamically update records from the Active Directory server (SRV records). This becomes very important by now, because otherwise the correct DNS entries would be missing for clients trying to log on to Active Directory during startup. For troubleshooting see the Microsoft Knowledge Base [35] or another nice article I found, written by Daniel Petri [34]. The physical storage of all Active Directory objects for a single forest is provided by the Active Directory database file NTDS.dit stored in the folder given at installation (default: C:\WINNT\NTDS\). Since there are no configuration files I can add to my appendix, I put in a screenshot of how to add a new user to Active Directory.

Bibliography

[1] Asterisk Wiki: Asterisk introduction (2005). http://www.voip-info.org/wiki-Asterisk/view/Asterisk+introduction (2005-12-01)
[2] The Asterisk Documentation Project: Volume One: An Introduction to Asterisk (2004). http://www.asteriskdocs.org/modules/tinycontent/content/docbook/current_v1/docs-html/book1.html (2005-12-01)
[3] Sipura Technology: Welcome to Sipura Technology Technical Support (2005). http://www.sipura.com/support.index.html (2005-12-06)
[4] Sipura Technology: SPA-2000 Quickstart Guide (200). http://www.sipura.com/Documents/SPA2000QuickStart.doc (2005-12-06)
[5] Sipura Technology: ATA User Guide (2005). http://www.sipura.com/Documents/SipuraSPAUserGuidev2.0.9.pdf (2005-12-06)
[6] Hewlett Packard: Download Drivers and Software for LaserJet 1300 (2004). http://hpinkjet.sourceforge.net/install.php (2005-12-01)
[7] Colin Steward: How to make Windows use CUPS IPP (2005). http://www.owlfish.com/thoughts/winipp-cups-2003-07-20.html (2005-12-01)
[8] Kurt Pfeifle: CUPS Troubleshooting and Asking for help HOWTO (2002). http://www.cups.org/cups-help.html (2005-12-01)
[9] Linux Documentation Project, David A. Ranch: Linux IP Masquerade HOWTO (2005). http://www.linux.org/docs/ldp/howto/IP-Masquerade-HOWTO/stronger-firewall-examples.html#RC.FIREWALL-IPTABLES-STRONGER (2005-12-01)
[10] MySQL: MySQL 3.23, 4.0, 4.1 Reference Manual (2005). http://dev.mysql.com/doc/refman/4.1/en/index.html (2005-12-01)
[11] digium, Inc.: Wildcard TDM400P, TDM31B (2005). http://www.digium.com/index.php?menu=product_detail&category=hardware&product=TDM400P (2005-12-02)
[12] OpenVPN Solutions LLC: OpenVPN (2005). http://openvpn.net/ (2005-12-02)
[13] OpenVPN Solutions LLC: OpenVPN 2.0 HOWTO (2005). http://openvpn.net/hoto.html#quick/ (2005-12-02)
[14] RSA Security: What is Diffie-Hellman? (2004). http://www.rsasecurity.com/rsalabs/node.asp?id=2248 (2005-12-02)
[15] Apache Software Foundation: Apache HTTP Server Version 2.0 Documentation (2005). http://httpd.apache.org/docs/2.0/en (2005-12-03)
[16] KPLUG: KPLUG Apache Tutorial (2005). http://www.kplug.org/apache_tutorial (2005-12-03)
[17] Internet Systems Consortium: DHCP Distribution Version 3.0.3 README File (2005). http://www.isc.org/index.pl?/sw/dhcp (2005-12-03)
[18] BIND9.NET: DNS, BIND, DHCP, LDAP and Directory Services (2005). http://www.bind9.net (2005-12-03)
[19] BIND9: BIND 9 Administrator Reference Manual (9.3.1) (2005). http://www.bind9.net/manuals (2005-12-03)
[20] www.traum-projekt.com: TP: Bind 9 - DNS - Tutorial :) (2005). http://traum-projekt.com/forum/sitemap/t-33562.html (2005-12-03)
[21] exim: Exim 4.50 specification (2005). http://www.exim.org/exim.html-4.50/doc/html/spec.html (2005-12-04)
[22] Jason Boxman: Installing and Configuring Exim4 (2005). http://www.trekweb.com/~jasonb/articles/exim4_courier/exim4.html (2005-12-04)
[23] Koivisto Justin: Installing and Configuring Exim 4 on Debian (2005). http://koivi.com/exim4-config/ (2005-12-04)
[24] Qpopper (2005). http://www.eudora.com/products/unsupported/qpopper (2005-12-05)
[25] Mrunix: The Webalizer - What is your web server doing today? (2005). http://www.mrunix.net/webalizer (2005-12-05)
[26] Mrunix: Installation Instructions for The Webalizer (2005). ftp://ftp.mrunix.net/pub/webalizer/INSTALL (2005-12-05)
[27] Mrunix: Simpletons Guide to Web Server Analysis (2005). http://www.mrunix.net/webalizer/simpleton.html (2005-12-05)
[28] www.squid-cache.org: Squid Web Proxy Cache (2005). http://www.squid-cache.org (2005-12-05)
[29] ViSolve Open Source Solutions: Welcome to ViSolve Squid Support (2005). http://squid.visolve.com/squid/index.html (2005-12-05)
[30] Lawrence Berkeley National Laboratory: LBNL’s Network Research Group (2005). http://www-nrg.ee.lbl.gov/ (2005-12-05)
[31] Mills: ntpd - Network time protocol (NTP) daemon (2005). http://www.eecis.udel.edu/~mills/ntp/html/ntpd.html (2005-12-05)
[32] Helmig Johannes: Windows 2000 Server: Configure Active Directory (2001). http://www.windowsnetworking.com/articles_tutorials/w2ksvrin.html (2005-12-05)
[33] Daniel Petri: How do I install Active Directory on my Windows 2000 server? (2005). http://www.petri.co.il/how_to_install_active_directory_on_w2k.htm (2005-12-06)
[34] Daniel Petri: What are the most common DNS related Dcpromo errors? How do I fix them? (2005). http://www.petri.co.il/troubleshooting_dcpromo_errors.htm (2005-12-06)
[35] Microsoft: Help and Support (2005). http://support.microsoft.com (2005-12-06)

Chapter 2

The initial lab-topology

With all the needs specified in the chapters above, the topology of the network evolved to what it is today. For the sake of simplicity the lab does not consist of all the computers and services really used at the “Berufsförderungsinstitut Burgenland”. The lab consists of two big parts, the main office and the branch office. The main focus lies of course on the main office, running the majority of the services and having to cope with the biggest load. My model of the main office consists of three servers, three clients and a gateway router. At the branch office only a router, offering several services as well, and a client are located.

2.1 The main office

The main office has an IP-address range of 192.168.200.0/24.

2.1.1 hostname: bart - 192.168.200.1

Hardware details

CPU: Pentium 2, 350 MHz
RAM: 128 MB
OS: Debian Sarge 2.6.8-1-686 [1]
HD-capacity: 4 GB

Services:

Bart acts as a gateway between a simulated "Internet" - an outside world for the network - and the main office. Its main task is to have NAT and routing enabled so that the hosts on the network are able to have secure internet traffic. Both are handled by a self-written script inspired by "The Linux Documentation Project" (http://www.linux.org/docs/ldp/index.html). In addition to this a default route is also set at this point. While these things don’t create lots of load, we also decided to put other small services on this host. An ntpd time server supplies the Linux hosts via ntpdate and the Windows hosts via Clox (http://www.mirage1.u-net.com/clox.htm) with the correct time. As resource for accurate time we chose pool.ntp.org. In addition to this ntop was installed, which can be accessed at http://bart.sylvia.test:3000/. Last but not least, especially regarding the importance of the service, OpenVPN (http://openvpn.net/) has been added to connect the main and the branch office through a secure link.

Service details:

• iptables v1.3.1 [2] - packet filtering and NAT
• ntpd v4.2.0 [3] - synchronizing the clock through a network
• ntop v3.0 [4] - a tool that shows the network usage similar to the “top” command
• openVPN v2.0 [5] - an SSL based VPN solution

2.1.2 hostname: marge, alias: ns1, www, proxy - 192.168.200.5

Hardware details:

CPU: Pentium 3, 450 MHz
RAM: 128 MB
OS: Debian Sarge 2.6.8-1-686 [1]
HD-capacity: 8 GB

Services:

Marge can be seen as the "heart" of our network, combining the most important services. First of all, she provides DHCP-distributed IPv4 addresses for the clients in the network. The DHCP server we chose is dhcpd3 by the Internet Systems Consortium (http://www.isc.org/index.pl?/sw/dhcp/). The second big service located at marge comes from the Internet Systems Consortium (http://www.isc.org/index.pl?/sw/bind/) as well and provides domain name resolution. Besides these vital parts of a network, mail traffic is also guided by exim4 and qpopper on this host. In addition to these services we provide the Apache HTTP server on this host, which can be found online at http://www.apache.org. To get a notion of what happens on the web, Webalizer (www.mrunix.net/webalizer/) analyzes the log file of the web server. Arpwatch (http://www-nrg.ee.lbl.gov) is another tool configured on this machine that keeps a database of all MAC addresses used in this network. In addition to all these services marge also acts as a CUPS printer server (www.cups.org) and has an HP LaserJet 1300 plugged in directly via USB. Squid adds the proxy capability here.

Service details:

• dhcpd v3.0.1 [6] - dynamic addressing of hosts
• bind9 [7] - an implementation providing tables mapping IP addresses to domain names
• exim4 [8] -
• qpopper v4.0 [9] - POP3 server
• apache2 [10] - highly flexible HTTP server from the Apache Software Foundation
• webalizer v2.01-10 [11] - web server log file analysis tool producing charts and reports
• arpwatch v2.1a13 [12] - an ethernet monitoring program for keeping track of ethernet/IP address pairings
• cups v1.2.0b1 [13] - standard printing system on Unix providing communication via IPP (Internet Printing Protocol) and network browsing of jobs and printers
• squid v2.5 [14] - proxying and caching features for a variety of protocols

2.1.3 hostname: maggie - 192.168.200.8

Hardware details:

CPU: AMD Athlon 900 MHz
RAM: 512 MB
OS: Debian Sarge 2.4.27-2-k7 [1]
HD-capacity: 120 GB

Services:

Maggie is responsible for information-critical services in our network. On the one hand she is running the database of our company. We are again using open source; this time the software we use is MySQL from http://www.mysql.com. The other very critical service, and that’s why we chose the most powerful computer here, is Voice over IP with the help of Asterisk, which you can get for free at http://www.asterisk.org. This was one of the requests the BFI Burgenland made for giving me the equipment I needed. In return they wanted me to use this replica of their network to test the setting up and the use of asterisk without interfering with their everyday business. Differing from the other PCs I added a digium TDM400 card [41] in order to plug in two analog GESKO Ikarus 1000 phones.

Service details:

• mySQL v4.1 [33] - the world’s most popular open source database
• asterisk [16] - a complete PBX software providing everything you would expect from a PBX. It does Voice over IP in many protocols, and can interoperate with almost all telephony equipment (softphone, hardphone, analog phones, ...)

2.1.4 hostname: homer - 192.168.200.12

Hardware details:

CPU: AMD Duron
RAM: 128 MB
OS: Windows 2000 Server Service Pack 4 [17]
HD-capacity: 40 GB

Services:

Homer is the only server in our lab topology running Windows 2000 Server. His work is mainly to act as a file server that can be accessed from all PCs in the topology, and to be the domain controller for the main network (192.168.200.0). We used the Active Directory software included in the Server distribution.

Service details:

• Active Directory [18] - providing a repository for computers, people and any other resource in a company
• file sharing [19] - providing network shares to all users of the network; accessible for all operating systems

2.1.5 hostname: apu - 192.168.200.33

Hardware details:

CPU: AMD Duron
RAM: 64 MB
OS: Windows 2000 Service Pack 4 [20]
HD-capacity: 8,4 GB

Usage:

Apu is one of the client-only machines in this network. Although usually you only have Windows XP in companies, there are always still some Windows 2000 or even older computers in a company, which e.g. run programs that are no longer supported by newer operating systems. That’s why I wanted to keep one PC of the old generation in the lab to see how it can handle the new stack. This host symbolizes a usual workstation with everyday programs. I installed Microsoft Office 2000 and in addition to this the openOffice 2.0 beta to have some open source spirit on this PC as well. For browsing the internet I decided to add Firefox 1.0.6 to the existing Internet Explorer 6.0. Every workstation needs a mail client as well, and this time I chose to install, next to the pre-installed Outlook Express and the Outlook that came with Microsoft Office, the mail client from the Mozilla Project, Thunderbird 1.0.2. Acrobat Reader, WinZip, Paintshop Pro 5.03 and XnView round off the perfect illusion of a workstation in use. The security measures taken on that computer are Sygate Personal Firewall 5.5 and Antivir of the German company H+B EDV. For my convenience and for testing purposes I added WinSCP3 and puTTY as well.

Software details:

• Microsoft Office 2000 [21] - Office software suite
• openOffice 2.0 beta [22] - open source office software suite
• Firefox 1.0.6 [23] - open source internet browser of the Mozilla project
• Thunderbird 1.0.2 [24] - open source mail client of the Mozilla project
• Acrobat Reader [25] - Adobe’s free *.pdf reader
• WinZip [26] - zip file utility for Windows
• Paintshop Pro 5.03 [27] - picture editing software
• XnView [28] - free graphic viewer
• Sygate Personal Firewall 5.5 [29] - free home firewall
• Antivir [30] - virus protection from H+BEDV
• WinSCP3 [31] - open source SFTP client for Windows
• puTTY [32] - free Telnet/SSH client

2.1.6 hostname: nelson - 192.168.200.34

Hardware details:

CPU: Pentium II 350 MHz
RAM: 192 MB
OS: Windows XP Service Pack 2 [20]
HD-capacity: 8,4 GB

Usage:

Nelson is the client-computer with the most up-to-date operating system from Microsoft in my initial lab topology. Like with apu, nelson is just a client workstation providing its users programs like Microsoft Office 2003 [21], openOffice 2.0 beta [22], Internet Explorer 6.0, Firefox 1.0.6 [23], Out- look express, Outlook, Thunderbird [24], puTTY [32] and WinSCP3 [31]. In addition to these programs, which I have described in more detail be- fore, I added the softphone SJphone 1.60.

Program details:

• SJphone 1.60 [33] - Voice over IP softphone

2.1.7 hostname: lisa - 192.168.200.35

Hardware details:

CPU: AMD Duron 1200
RAM: 128 MB
OS: SuSE 2.6.8-24-default [34]
HD-capacity: 40 GB

Usage:

In order to have one non-Windows client in the network (again here the company wished me to test the use of a SuSE system as a normal workstation in heterogeneous systems) I chose a SuSE 9.2 distribution. This host is running only client programs like openOffice 2.0 beta [22], Konqueror, Mozilla and Firefox [23]. As mail clients I used Kmail and Evolution.

Program details:

• Konqueror
• Kmail [36] - free KDE mail client
• Evolution [37] - groupware client for Linux

Besides the computers used in the main office and the two phones I mentioned above I also used two VoIP hardphones.

2.1.8 allnet1 - 192.168.200.130

The hardphone allnet1 is an ALL7950 SIP [39] phone and is located between the switch and the host apu.

2.1.9 grandstream1 - 192.168.200.129

The second hardphone with the hostname grandstream1 is a Grandstream Budgetone 100 [38] and is put between the switch and lisa.

2.2 Branch office

The branch office in my topology with its two computers emulates one of the many locations the BFI Burgenland has to supply with information and connection all over the Burgenland.

IP-address range: 192.168.201.0/24

2.2.1 hostname: snowball - 192.168.201.1

Hardware details:

CPU: Pentium2 350 MHz
RAM: 128 MB
OS: Debian Sarge 2.4.27-2-686 [1]
HD-capacity: 8 GB

Services:

Snowball is the gateway computer for the branch office and therefore has to handle all the things bart has to cope with. This includes vital things such as routing and iptables, and snowball is of course the other endpoint of our OpenVPN [5] tunnel. In addition to this there is also another asterisk [16] and apache [10] server installed on this node. The asterisk servers from the main and the branch office are connected via IAX.

2.2.2 hostname: snowball2 - 192.168.201.17

Hardware details:

CPU: Pentium2 350 MHz
RAM: 128 MB
OS: Windows XP Service Pack 2 [20]
HD-capacity: 4,3 GB

Usage:

Snowball2 is the sole client, standing in for the other computers possible in this network. Its tasks are not very challenging as they are the same you saw with nelson, apu or lisa. Internet Explorer 6, Firefox 1.0.6 [23], Outlook, Outlook Express and Thunderbird [24] are installed to cover the Internet-dependent applications. Microsoft Office XP [21] and OpenOffice [22] for everyday usage and puTTY [32] together with WinSCP [31] for testing purposes complete the choice of software. The only more special thing in this environment is the softphone SJphone 1.6 [33].

2.2.3 hostname: sipura - 192.168.201.129

This SPA-2000 Sipura Adapter [40] allows you to plug two standard telephones or fax machines into it and connect them to IP-based data networks. It features two POTS ports for connecting analog phones and one Ethernet interface for connecting with the LAN. Each port can be handled completely independently via the software on the small web server built into this device.

Bibliography

[1] Debian: debian (2005). http://www.debian.org (2005-12-02)
[2] netfilter project: firewalling, NAT and packet mangling for Linux (2005). http://www.netfilter.org (2005-12-01)
[3] ntpd: network time protocol daemon (2005). http://www.eecis.udel.edu/~mills/ntp/html/ntpd.html (2005-12-01)
[4] ntop: network usage grapher (2005). http://www.ntop.org (2005-12-01)
[5] openVPN: a full-featured SSL VPN solution (2005). http://openvpn.net (2005-12-01)
[6] ISC: dhcpd - Dynamic Host Configuration Protocol Distribution (2005). http://www.isc.org/index.pl?/sw/dhcp/ (2005-12-01)
[7] ISC: bind9 - Berkeley Internet Name Domain (2005). http://www.isc.org/index.pl?/sw/bind/ (2005-12-01)
[8] exim4: The exim home page (2005). http://www.exim.org (2005-12-01)
[9] Eudora: qpopper - the most widely used POP3 server (2005). http://www.eudora.com/products/unsupported/qpopper/index.html (2005-12-01)
[10] The Apache Software Foundation: HTTP Server Project (2005). http://httpd.apache.org/ (2005-12-01)


[11] MrUnix: The Webalizer - What is your webserver doing today? (2005). http://www.mrunix.net/webalizer (2005-12-01)
[12] LBNL’s Network Research Group - arpwatch (2005). http://www-nrg.ee.lbl.gov (2005-12-01)
[13] Easy Software Products: CUPS Common Unix Printing System (2005). http://cups.org/ (2005-12-01)
[14] Duane Wessels: Squid Web Proxy Cache (2005). http://www.squid-cache.org/ (2005-12-01)
[15] MySQL AB: mySQL - The world’s most popular open source database (2005). http://www.mysql.com (2005-12-01)
[16] Digium: asterisk - The Open Source PBX (2005). http://www.asterisk.org (2005-12-01)
[17] Microsoft: Windows Server 2000 (2004). http://www.microsoft.com/windows2000/default.mspx (2005-12-02)
[18] Microsoft: Windows 2000 Directory Services (2005). http://www.microsoft.com/windows2000/technologies/directory/default.mspx (2005-12-01)
[19] Microsoft: 7 Ways to Share Information with Co-workers (2004). http://www.microsoft.com/atwork/worktogether/sharing.mspx#EPDAC (2005-12-02)
[20] Microsoft: Windows Family Homepage (2005). http://www.microsoft.com/windows/default.mspx (2005-12-02)
[21] Microsoft: Office Online (2005). http://office.microsoft.com/en-us/default.aspx (2005-12-02)
[22] OpenOffice.org: the free office suite (2005). http://de.openoffice.org/ (2005-12-02)
[23] mozilla: Firefox (2005). http://www.mozilla.com/firefox/ (2005-12-02)
[24] mozilla: Thunderbird (2005). http://www.mozilla.com/thunderbird/ (2005-12-02)

[25] Adobe: Adobe Reader (2005). http://www.adobe.de/products/acrobat/readstep2.html (2005-12-02)
[26] WinZip International LLC: WinZip (2005). http://www.winzip.com (2005-12-02)
[27] Corel: Paint Shop Pro (2005). http://www.corel.de/servlet/Satellite?pagename=Corel3De/Products/Display&pfid=1047024666092&pid=1047025530410 (2005-12-02)
[28] Pierre Gougelet: XnView (2005). http://www.xnview.com/ (2005-12-02)
[29] Sygate: Sygate Personal Firewall (2005). http://soho.sygate.com/products/spf_standard.htm (2005-12-02)
[30] H+BEDV: Antivir (2005). http://www.antivir.de/en/index.html (2005-12-02)
[31] WinSCP: WinSCP (2005). http://winscp.net/eng/index.php (2005-12-02)
[32] Simon Tatham: PuTTY (2005). http://www.chiark.greenend.org.uk/~sgtatham/putty/ (2005-12-02)
[33] SJ Labs: Voice over IP Software (2005). http://www.sjlabs.com (2005-12-02)
[34] Novell: Novell SUSE Linux (2005). http://www.novell.com/linux/suse/ (2005-12-02)
[35] konqueror.org: Konqueror (2005). http://www.konqueror.org/ (2005-12-02)
[36] Kmail: the KDE mail client (2005). http://kmail.kde.org/ (2005-12-02)
[37] Novell: E-mail, Calendaring and Collaboration Evolution 2 (2005). http://www.novell.com/products/desktop/features/evolution.html (2005-12-02)
[38] Grandstream: BudgeTone 100 (2003). http://www.grandstream.com/y-bt100.htm (2005-12-02)

[39] Allnet Deutschland GmbH: ALL 7950 SIP Komfort Telefon (2005). http://www.allnet.de/product_info_allnet.php?cPath=_&products_id=99927 (2005-12-02)
[40] Sipura technology, inc.: SPA-2000 Analog Telephone Adapter (2003). http://www.sipura.com/products/spa2000.htm
[41] digium, Inc.: Wildcard TDM400P, TDM31B (2005). http://www.digium.com/index.php?menu=product_detail&category=hardware&product=TDM400P (2005-12-02)

Chapter 3

Testing and Benchmarking the Network

Having services is one crucial step in setting up a working network, but nothing is more important than the performance of these. Questions like “What is my throughput?”, “How long is the bandwidth sufficient?” and “What do the services do when no one watches?” are those keeping system administrators awake at night. One possibility to diminish the risk of something unexpected happening is to monitor the network closely. But monitoring is only half the battle. Collecting data is only as useful as the adaptations and the consequences that are drawn from it. The main reason for monitoring my network is to compare IPv4 baselines with those of the IPv6 protocol. First of all I want to describe the tools I used.

3.1 Tools and their usage

3.1.1 MRTG [1]

MRTG, Multi Router Traffic Grapher, is a tool to monitor various things like traffic load using SNMP (Simple Network Management Protocol). It generates HTML pages and graphs the values measured periodically. It was originally developed to monitor routers but can now supply data from every device running an SNMP agent. When configured, it can also send you a warning when thresholds are exceeded. But let’s start with SNMP.

3.1.1.1 SNMP [2] [3] [4] [5]

The Simple Network Management Protocol is part of the IP protocol suite and monitors network-attached devices. SNMP was designed with one goal in mind: simplicity. Usable on nearly every network device known today, it is viewed as a security threat by some, while others think it’s the best way of centralized data manipulation for their key systems. SNMP uses UDP (User Datagram Protocol), a stateless, fast but unreliable protocol sending traffic without checking for the reception of the data at the other node. The SNMP design is pretty simple, for it consists of a managing system and several agents running on servers, workstations, and so on. The agents are the devices being monitored while the manager is the one asking for the information the agents gathered and storing it centrally for further processing. The manager is often also referred to as Network Management Station or NMS for short. SNMP has a small set of primitives comprising “GET”, “GET-NEXT” and “SET”. “GET” is used to retrieve a single piece of information while “GET-NEXT” is used to sequentially retrieve more than one item. Use “SET” when you want to set a particular variable to a certain value. There are on the other hand two control primitives the responder (i.e. the agent) uses to reply, and these are “GET-RESPONSE” and “TRAP”. “GET-RESPONSE” is used in response to the requester’s direct query and “TRAP” is an asynchronous response to obtain the requester’s attention. In later versions of SNMP traps are called “notifications”. As you can see, both manager and agent can initiate communication. In my lab I used SNMPv1, which provides very few security measures (authentication is performed by a “community string”, a password transmitted in plain text). SNMPv2c introduces new primitives but uses the same security scheme as SNMPv1. SNMPv3 is considered to be state-of-the-art, providing stronger security measures.
Talking about primitives used in an SNMP-managed network, the next question to be answered is: what is retrieved through GET? The types of data exchanged between the manager and the agents are stored on the agent in a database called “management information base” or short “MIB”. Each value tracked in a MIB is an object. The MIB is used to translate text queries to OIDs. Each object in the MIB represents a specific entity on the managed device; this can be everything from “hostname” to “number of established IP connections” or “version of operating system”. These MIBs use a hierarchical namespace containing object identifiers, or OIDs for short. If you want to know which OIDs your system is monitoring look into the folder /usr/share/snmp/mibs/ on Linux based systems. You’ll find different MIB files containing entries such as

    hrMemorySize OBJECT-TYPE
        SYNTAX     KBytes
        UNITS      "KBytes"
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
            "The amount of physical read-write main memory, typically RAM,
            contained by the host."
        ::= { hrStorage 2 }

Querying an OID with snmpwalk looks like this:

    marge:~# snmpwalk -v1 -c public localhost hrMemorySize
    HOST-RESOURCES-MIB::hrMemorySize.0 = INTEGER: 126924 KBytes

Snmpwalk searches for every OID starting with the string you provided in the MIB. So if you don’t know what to search for you can also start with “snmpwalk -v1 -c public localhost hr” or even “snmpwalk -v1 -c public localhost”, displaying a full list of MIBs. On the other hand, snmpget is configured to return only the value that exactly matches the OID string. Look what happens when I snmpget the same thing I did before:

    marge:~# snmpget -v1 -c public localhost hrMemorySize
    Error in Packet
    Reason: (noSuchName) There is no such variable name in this MIB.
    Failed object: HOST-RESOURCES-MIB::hrMemorySize

So what happened here? We saw SNMPWALK querying the parameter and SNMPGET saying that the requested object does not exist. The solution lies in the structure of OIDs. Many times the text aliases in a MIB only reference the OID branch and not the OID of the data located in a leaf, which ends in an additional number like “.0” or “.1”. Watching closely the output of SNMPWALK you can see “hrMemorySize.0” being displayed. When SNMPGETting this value we get the expected output:

    marge:~# snmpget -v1 -c public localhost hrMemorySize.0
    HOST-RESOURCES-MIB::hrMemorySize.0 = INTEGER: 126924 KBytes

Now, preparing the clients for use with mrtg, snmp agents have to be installed and configured on the hosts. On Linux hosts I used “apt-get install snmpd” and configured them in the file /etc/snmp/snmpd.conf with the following lines for a very basic usage:

    rocommunity public
    disk /home
    disk /var

These lines set the community password needed for the query to “public” and define two disk paths that will be monitored by my MRTG. For Windows systems you have to install the SNMP agent in the Control Panel. Select “Add or Remove Programs” and then click “Add/Remove Windows Components”. In the components, select “Management and Monitoring Tools” where you will find an entry you can check labelled “Simple Network Management Protocol”. Windows will prompt you to insert the CD during installation. To configure the freshly installed service go to the Control Panel again and there choose “Administrative tools”. Within these click “Services”, showing you a list of all services configured on this host. One of them is called “SNMP Service” and by double-clicking it you can open its properties. Open the “Security” tab, for it contains the possibilities of setting authentication traps, adding community names and setting their rights. You can also specify whether to accept SNMP packets from all hosts or not.
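To make the snmpwalk/snmpget difference concrete, here is a toy SNMPv1 agent with GET and GET-NEXT over a tiny MIB tree. It is an added example, not code from the thesis; the numeric OID of hrMemorySize (HOST-RESOURCES-MIB, "::= { hrStorage 2 }") and of the UCD-SNMP-MIB memory objects are the real ones, while the stored values, the name table and the community check are constructed for the demonstration.

```python
"""Toy SNMPv1 agent: why GET on "hrMemorySize" answers noSuchName while
GET-NEXT (what snmpwalk uses) finds "hrMemorySize.0".

Added example, not part of the thesis. Numeric OIDs are the real ones;
the stored values are constructed sample data.
"""
from typing import Dict, List, NamedTuple, Optional, Tuple

OID = Tuple[int, ...]

# Textual names -> numeric OID branch, the translation a MIB file provides.
MIB_NAMES: Dict[str, OID] = {
    "hrMemorySize": (1, 3, 6, 1, 2, 1, 25, 2, 2),
    "hrStorageDescr": (1, 3, 6, 1, 2, 1, 25, 2, 3, 1, 3),
    "memTotalReal": (1, 3, 6, 1, 4, 1, 2021, 4, 5),
    "memAvailReal": (1, 3, 6, 1, 4, 1, 2021, 4, 6),
}

# Instances (leaves) the agent holds. Constructed values; 126924 KBytes is
# the figure snmpwalk returned on marge in the text.
AGENT_VALUES: Dict[OID, Tuple[str, object]] = {
    MIB_NAMES["hrMemorySize"] + (0,): ("INTEGER", 126924),
    MIB_NAMES["hrStorageDescr"] + (1,): ("STRING", "Physical memory"),
    MIB_NAMES["hrStorageDescr"] + (2,): ("STRING", "/home"),
    MIB_NAMES["memTotalReal"] + (0,): ("INTEGER", 126924),
    MIB_NAMES["memAvailReal"] + (0,): ("INTEGER", 18400),
}

RO_COMMUNITY = "public"  # the "rocommunity public" line from snmpd.conf


class VarBind(NamedTuple):
    status: str          # "ok" or "noSuchName"
    oid: OID
    syntax: str
    value: object


def resolve(name: str) -> OID:
    """Translate 'hrMemorySize.0' into its numeric OID via the name table."""
    head, _, rest = name.partition(".")
    suffix = tuple(int(p) for p in rest.split(".")) if rest else ()
    return MIB_NAMES[head] + suffix


def dotted(oid: OID) -> str:
    return ".".join(str(n) for n in oid)


def _authorised(community: str) -> bool:
    # SNMPv1 "authentication" is this plaintext string comparison and nothing
    # more; a request with the wrong community is silently dropped, so the
    # client only sees a timeout.
    return community == RO_COMMUNITY


def snmp_get(community: str, oid: OID) -> Optional[VarBind]:
    """GET: exact match only. A branch OID without instance is noSuchName."""
    if not _authorised(community):
        return None
    if oid in AGENT_VALUES:
        syntax, value = AGENT_VALUES[oid]
        return VarBind("ok", oid, syntax, value)
    return VarBind("noSuchName", oid, "", None)


def snmp_getnext(community: str, oid: OID) -> Optional[VarBind]:
    """GET-NEXT: the first instance lexicographically after `oid`.

    Python tuple ordering matches SNMP OID ordering (a prefix sorts before
    any longer OID), so hrMemorySize -> hrMemorySize.0.
    """
    if not _authorised(community):
        return None
    later = sorted(k for k in AGENT_VALUES if k > oid)
    if not later:
        return VarBind("noSuchName", oid, "", None)  # end of MIB view in v1
    syntax, value = AGENT_VALUES[later[0]]
    return VarBind("ok", later[0], syntax, value)


def snmp_walk(community: str, name: str) -> List[VarBind]:
    """What snmpwalk does: GET-NEXT repeatedly while still under the branch."""
    root = resolve(name)
    found: List[VarBind] = []
    cur = root
    while True:
        vb = snmp_getnext(community, cur)
        if vb is None or vb.status != "ok" or vb.oid[: len(root)] != root:
            break
        found.append(vb)
        cur = vb.oid
    return found


if __name__ == "__main__":
    print(snmp_get("public", resolve("hrMemorySize")))      # noSuchName
    print(snmp_get("public", resolve("hrMemorySize.0")))    # 126924
    for vb in snmp_walk("public", "hrStorageDescr"):
        print(dotted(vb.oid), "=", vb.syntax + ":", vb.value)
    print(snmp_get("private", resolve("hrMemorySize.0")))   # None (timeout)
```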

3.1.1.2 installing and configuring MRTG [6] [7] [8]

In order to install MRTG successfully, you need several libraries installed before mrtg. Notice that you may have some of them already on your system. You need the packages “zlib” (compresses the graphics you created), “libpng” (required by gd, creates *.png files) and “gd” (a basic graph drawing library). Last but not least you need mrtg, available at http://people.ee.ethz.ch/~oetiker/webtools/mrtg/pub. If you have all libraries installed you can

    ./configure --prefix=/usr/bin/mrtg

Otherwise you might need to specify where to find the libraries mentioned above. See “./configure --help” for more details. After “make” and “make install” you have mrtg installed at /usr/local/mrtg-2. Naturally you need to have a web server running to present the results of MRTG’s work. The document root for MRTG is “/var/www/mrtg” on my server. For defining what to monitor in your network you have to create a “mrtg.cfg” file. You can either do this on your own or let the “home/mrtg/cfg” script do the dirty work. Read the cfgmaker manpage for further details and options to the script. If you prefer to write the configuration file on your own read the mrtg-reference manpage. You can start mrtg with

    /usr/bin/mrtg /etc/mrtg.cfg

There will be several complaints about missing log files the first time you start mrtg. Don’t worry about that, for it vanishes after the third startup. When you have configured mrtg to your needs it will be more handy to periodically start mrtg from the crontab rather than manually:

    */5 * * * * root /usr/bin/mrtg /etc/mrtg.cfg

This will force mrtg to launch every five minutes for gathering current data and graphing it. But now I want to take a closer look at the contents of “mrtg.cfg”. One sample section graphing the percentage of free memory on the system from the mrtg.cfg:

    Title[server.mempercent]: Percentage Free Memory
    PageTop[server.mempercent]: Percentage Free Memory
    Target[server.mempercent]: ( memAvailReal.0&memAvailReal.0:[email protected] ) * 100 / ( memTotalReal.0&memTotalReal.0:[email protected] )
    Options[server.mempercent]: growright,gauge,transparent,nopercent
    Unscaled[server.mempercent]: ymwd
    MaxBytes[server.mempercent]: 30
    YLegend[server.mempercent]: Memory %
    ShortLegend[server.mempercent]: Percent
    LegendI[server.mempercent]: Free
    LegendO[server.mempercent]: Free
    Legend1[server.mempercent]: Percentage Free Memory
    Legend2[server.mempercent]: Percentage Free Memory

Above you have a small part of an mrtg.cfg file where the configuration for one monitored item is set. The structure of each entry is as follows:

    Parameter[name of graph]: value

“LegendI” is the parameter for the Input graph, “LegendO” for Output; as there is little space at the graphs you have an expansion for the labels of both Legends called “Legend1” (corresponding to LegendI) and “Legend2” (corresponding to LegendO). “YLegend” is the legend of the Y axis, the value you are trying to compare. “Options” parameters provide graph formatting information. “Title” defines the title written on the summary page, “PageTop” the title for the detailed view page. “MaxBytes” defines the maximum amount of data MRTG will plot on a graph and “Unscaled[]: ymwd” sets yearly, monthly, weekly and daily graphs unscaled, meaning that the highest value measured is not graphed close to the top (usually mrtg tries to adjust its graphs so that the largest value plotted on the graph is always close to the top). The “Target” parameter contains the MIB OIDs. Because MRTG always compares two values you have to provide two MIB OID objects and the password and the IP-address of the monitored host.

After you finished your configuration you have to generate the HTML-file that can be opened in the browser with

    indexmaker --output=/var/www/mrtg/index.html /etc/mrtg.cfg

Now you can access your graphs at http://bart.sylvia.test/mrtg/index.html. I chose to monitor several hosts so I wrote a mrtg.cfg file for each host (don’t forget to add those to the crontab as well). See the appendix for a full mrtg.cfg file for Linux. Monitoring Windows machines works the same way, except for some different MIBs you have to use. I wanted to monitor the same objects I did with the Linux machines but left out the disk monitoring (for it isn’t as interesting here). Nearly all OIDs could be re-used except for the CPU monitoring. If you are curious how I found out which OID to use, check out www.somix.com, for they provide a full repository of OIDs for all kinds of devices and snippets you can copy-paste into your mrtg file.
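To show what MRTG does with the Target line above (two `OID&OID:community@host` terms, arithmetic applied to the in/out pair, MaxBytes as an upper bound), here is a small mrtg.cfg parser and Target evaluator. It is an added example, not MRTG's own code; the embedded section mirrors the server.mempercent entry, "community@host" stands in for the real community string and address, and the SNMP answers are constructed.

```python
"""Parse an mrtg.cfg section and evaluate its Target[] expression the way
MRTG combines SNMP results: every `OIDin&OIDout:community@host` term yields
an (in, out) pair and the arithmetic is applied to both components.

Added example, not MRTG's code. Values below are constructed.
"""
import re
from typing import Dict, Optional, Tuple

Pair = Tuple[float, float]

MRTG_CFG = """\
Title[server.mempercent]: Percentage Free Memory
PageTop[server.mempercent]: Percentage Free Memory
Target[server.mempercent]: ( memAvailReal.0&memAvailReal.0:community@host ) * 100 / ( memTotalReal.0&memTotalReal.0:community@host )
Options[server.mempercent]: growright,gauge,transparent,
  nopercent
Unscaled[server.mempercent]: ymwd
MaxBytes[server.mempercent]: 30
YLegend[server.mempercent]: Memory %
"""

# Constructed agent answers for the two UCD-SNMP-MIB objects in the Target.
SNMP_SAMPLE: Dict[str, float] = {"memAvailReal.0": 18400, "memTotalReal.0": 126924}

_LINE = re.compile(r"^(\w+)\[([^\]]+)\]:\s*(.*)$")
_TERM = re.compile(r"([\w.]+)&([\w.]+):([^@\s()]+)@([\w.:\-]+)")


def parse_mrtg_cfg(text: str) -> Dict[str, Dict[str, str]]:
    """Group `Parameter[name]: value` lines by graph name.

    A line starting with whitespace continues the previous value (MRTG's
    continuation rule); joining with one space is this example's
    simplification.
    """
    sections: Dict[str, Dict[str, str]] = {}
    last: Optional[Tuple[str, str]] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            name, param = last
            sections[name][param] += " " + raw.strip()
            continue
        m = _LINE.match(raw)
        if not m:
            raise ValueError(f"unparsable mrtg.cfg line: {raw!r}")
        param, name, value = m.groups()
        sections.setdefault(name, {})[param] = value
        last = (name, param)
    return sections


def eval_target(expr: str, snmp: Dict[str, float]) -> Pair:
    """Evaluate a Target expression against a table of SNMP answers."""
    def component(idx: int) -> float:
        # Replace each OID&OID:community@host term with the chosen component
        # (0 = in, 1 = out); what is left must be plain arithmetic.
        def sub(m: "re.Match[str]") -> str:
            return repr(float(snmp[m.group(1 + idx)]))
        arith = _TERM.sub(sub, expr)
        if not re.fullmatch(r"[\d\s.+\-*/()e]+", arith):
            raise ValueError(f"unsupported Target syntax: {arith!r}")
        return float(eval(arith))  # only whitelisted characters reach eval
    return component(0), component(1)


def sample(section: Dict[str, str], snmp: Dict[str, float]) -> Optional[Pair]:
    """One polling round for a section.

    Readings above MaxBytes are discarded as implausible, as MRTG's
    reference documents; with MaxBytes 30 the section above therefore
    never plots a host that has more than 30 % of its memory free.
    """
    pair = eval_target(section["Target"], snmp)
    limit = float(section["MaxBytes"])
    if pair[0] > limit or pair[1] > limit:
        return None
    return pair


if __name__ == "__main__":
    cfg = parse_mrtg_cfg(MRTG_CFG)
    print(sample(cfg["server.mempercent"], SNMP_SAMPLE))            # ~14.5 %
    print(sample(cfg["server.mempercent"],
                 {"memAvailReal.0": 50000, "memTotalReal.0": 126924}))  # None
```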

Figure 3.1: Screenshot of http://www.sylvia.test/mrtg/index.html showing monitored details of bart.sylvia.test

3.1.2 Smokeping [9]

SmokePing is a latency measurement tool that can measure, store and display latency, latency distribution and packet loss. You can configure SmokePing to trigger alarms for thresholds for certain loss patterns. It can even handle dynamic addressing by comparing SNMP fingerprints. For a working installation of SmokePing you need several other packages beforehand: RRDtool (for graphing), FPing (reports round trip times), a working web server installation like apache (it has to run CGI scripts), Perl, SpeedyCGI (for SmokePing is optimized for the use of it and it speeds up perl scripts dramatically) and CGI::Carp. If this seems too much work you can also use the lazy way as I did with “apt-get install smokeping”. I installed SmokePing on marge.sylvia.test and snowball.sylvia.test in order to have round trip times from each network. After configuring /etc/smokeping/config you can watch it updating every five minutes. The files and graphs produced are stored in /var/www/smokeping. Search the appendix for a sample /etc/smokeping/config file.

3.1.3 bing [10]

Bing is a tool that measures the bandwidth of connections. It computes throughput between two nodes by producing two sizes of ICMP ECHO_REQUESTs. It is available as *.deb and therefore can be installed via “dpkg -i *.deb”. After bing is installed you can use it with the command

    bing client1 client2

with client1 being the source node and client2 the destination (example: bart:~# bing bart snowball), producing output like this:

Figure 3.3: output when using bing

Read the bing man page for detailed information about the options provided by bing such as -D for displaying the measured throughput for each packet received, -u for increasing the size of each ECHO_REQUEST packet, or -f <filename> for saving the results to the file <filename>.

Figure 3.2: Screenshot of Last 3 and Last 30 hours roundtrip measurements taken from marge to bart

3.1.4 iperf [11] [12]

Iperf was developed in order to be a modern and easy-to-use alternative to other TCP and UDP bandwidth measuring tools. It measures bandwidth, packet loss and jitter. The server can handle multiple connections, you can create UDP streams of specified bandwidth, it is multicast and IPv6 capable, can run for a specified time rather than for an amount of data to transfer, and many more. Iperf can be obtained at the homepage linked above for both Linux and Windows environments. “apt-get install iperf” can shorten the installation, for the homepage only provides sources. A simple test is sparked off with

    snowball:~# iperf -s
    bart:~# iperf -c snowball

The first command starts the server on snowball with default port 5001 (for opening the server on port 3000 type “iperf -s -p 3000”). The second command starts the client on bart pointing to server “snowball” (“iperf -c snowball -p 3000” for port 3000). The output produced looks like this:

    ------------------------------------------------------------
    Client connecting to snowball, TCP port 5001
    TCP window size: 16.0 KByte (default)
    ------------------------------------------------------------
    [  3] local 10.8.0.2 port 3906 connected with 192.168.201.1 port 5001
    [  3]  0.0-10.0 sec  12.8 MBytes  10.7 Mbits/sec

For doing UDP testing simply add “-u”:

    snowball:~# iperf -s -u
    bart:~# iperf -c snowball -u

3.1.5 netperf [13]

Netperf is a benchmark that is used to measure the performance of different types of networking. It provides tests for unidirectional throughput as well as end-to-end latency. You can either download the sources and make the installation yourself or “apt-get install netperf”. Making the installation yourself requires a folder /opt/netperf before installing. You can either run the service by inetd or as a standalone service. For netperf being run by inetd you need the line “netperf 12865/tcp” in your /etc/services file and the line “netperf stream tcp nowait root /opt/netperf/netserver netserver” in your /etc/inetd.conf file. After restarting inetd with “kill -HUP” the service should be registered with inetd. I chose to run the service as standalone, starting netserver manually by typing

    snowball:~# netserver -p
    bart:~# netperf -H snowball -p

The second line starts the client and connects to host snowball (running the netperf server) at the given port, producing the following results:

    TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to snowball.sylvia.test (192.168.201.1) port 0 AF_INET
    Recv   Send    Send
    Socket Socket  Message  Elapsed
    Size   Size    Size     Time     Throughput
    bytes  bytes   bytes    secs.    10^6bits/sec

     87380  16384  16384    10.02      14.47

3.1.6 netio [14]

Netio measures the net throughput of a network via TCP/IP (and NetBIOS on Windows and OS/2) using various different packet sizes. This is done with 6 different sizes of packets, each with 10 seconds testing duration. A huge advantage is its compatibility with each operating system. You can download it at http://ftp.leo.org/historic/comp/os/os2/leo/systools/netio123.zip containing binaries for Linux, Windows and OS/2.

    snowball:~# /home/elsylo/download/netio/bin/linux-i386 -s
    bart:~# /home/elsylo/download/netio/bin/linux-i386 -t snowball

The first command starts the server for TCP and UDP connections, the second command starts the client for a TCP test to server “snowball” (if needed you can also specify the port to test with the option “-p”, appended to the first command and written before the server address in the client command). The output produced looks like this:

    NETIO - Network Throughput Benchmark, Version 1.23
    (C) 1997-2003 Kai Uwe Rommel

    TCP connection established.
    Packet size  1k bytes:  962 KByte/s Tx,  1507 KByte/s Rx.
    Packet size  2k bytes:  1358 KByte/s Tx,  1387 KByte/s Rx.
    Packet size  4k bytes:  1398 KByte/s Tx,  1402 KByte/s Rx.
    Packet size  8k bytes:  1409 KByte/s Tx,  1391 KByte/s Rx.
    Packet size 16k bytes:  1410 KByte/s Tx,  1411 KByte/s Rx.
    Packet size 32k bytes:  1482 KByte/s Tx,  1408 KByte/s Rx.
    Done.
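Since the point of running iperf (3.1.4), netperf (3.1.5) and netio (3.1.6) is to compare IPv4 baselines with later IPv6 runs, the three tools' outputs have to be brought to one unit first. The following parser does that for the output formats shown above; it is an added example, not from the thesis. The IPv4 sample lines are the ones printed above; the IPv6 figures in the main block are constructed placeholders, not measurements, and netio's "KByte" is assumed to mean 1024 bytes.

```python
"""Normalise iperf, netperf and netio results to Mbit/s so that runs over
IPv4 and IPv6 can be compared metric by metric.

Added example, not from the thesis. IPv4 samples are transcribed from the
text; the IPv6 run in __main__ is constructed for illustration only.
"""
import re
from typing import Dict

# --- constructed samples (IPv4 ones transcribed from the text) -------------
IPERF_V4 = "[  3]  0.0-10.0 sec  12.8 MBytes  10.7 Mbits/sec"
NETPERF_V4 = """\
Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    10^6bits/sec

 87380  16384  16384    10.02      14.47
"""
NETIO_V4 = """\
TCP connection established.
Packet size  1k bytes:  962 KByte/s Tx,  1507 KByte/s Rx.
Packet size  2k bytes:  1358 KByte/s Tx,  1387 KByte/s Rx.
Packet size 32k bytes:  1482 KByte/s Tx,  1408 KByte/s Rx.
Done.
"""

_IPERF = re.compile(
    r"\[\s*\d+\]\s+[\d.]+-\s*[\d.]+\s+sec\s+[\d.]+\s+[KMG]?Bytes\s+([\d.]+)\s+([KMG]?)bits/sec")
_NETPERF_ROW = re.compile(r"^\s*\d+\s+\d+\s+\d+\s+[\d.]+\s+([\d.]+)\s*$", re.M)
_NETIO = re.compile(r"Packet size\s+(\d+)k bytes:\s+(\d+)\s+KByte/s Tx,\s+(\d+)\s+KByte/s Rx")

_SCALE = {"": 1e-6, "K": 1e-3, "M": 1.0, "G": 1e3}  # unit prefix -> Mbit/s


def parse_iperf(text: str) -> float:
    """Mbit/s from iperf's summary line (the last bandwidth figure wins)."""
    hits = _IPERF.findall(text)
    if not hits:
        raise ValueError("no iperf bandwidth line found")
    value, unit = hits[-1]
    return float(value) * _SCALE[unit]


def parse_netperf(text: str) -> float:
    """Throughput column of a TCP_STREAM result, already in 10^6 bits/sec."""
    m = _NETPERF_ROW.search(text)
    if not m:
        raise ValueError("no netperf result row found")
    return float(m.group(1))


def parse_netio(text: str) -> Dict[str, Dict[str, float]]:
    """Tx/Rx Mbit/s per packet size. Assumes netio's KByte is 1024 bytes."""
    out: Dict[str, Dict[str, float]] = {}
    for size, tx, rx in _NETIO.findall(text):
        out[f"{size}k"] = {
            "tx": int(tx) * 1024 * 8 / 1e6,
            "rx": int(rx) * 1024 * 8 / 1e6,
        }
    return out


def collect(iperf: str, netperf: str, netio: str) -> Dict[str, float]:
    """Flatten the three tools' results into one metric table (Mbit/s)."""
    table = {"iperf_tcp": parse_iperf(iperf),
             "netperf_tcp_stream": parse_netperf(netperf)}
    for size, rates in parse_netio(netio).items():
        table[f"netio_{size}_tx"] = rates["tx"]
        table[f"netio_{size}_rx"] = rates["rx"]
    return table


def compare(baseline: Dict[str, float], candidate: Dict[str, float]) -> Dict[str, float]:
    """Percent change of each metric relative to the baseline (IPv4)."""
    return {
        key: round((candidate[key] - baseline[key]) / baseline[key] * 100, 1)
        for key in baseline if key in candidate
    }


if __name__ == "__main__":
    ipv4 = collect(IPERF_V4, NETPERF_V4, NETIO_V4)
    # Constructed IPv6 run: same metrics, scaled only to illustrate the report.
    ipv6 = {k: v * 0.93 for k, v in ipv4.items()}
    for key, change in compare(ipv4, ipv6).items():
        print(f"{key:22s} {ipv4[key]:8.2f} -> {ipv6[key]:8.2f} Mbit/s ({change:+.1f} %)")
```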

3.1.7 netbench [15]

Netbench is a portable benchmark program that measures how well a file server handles file I/O requests from Windows clients by requesting network file operations from the server. It reports throughput as well as client response time. When downloading the software you will have “SETUP.EXE” files for both the controller and the client. Installing netbench is done in four simple steps: First you have to execute the setup for the controller, then modify the client ID files. The client ID file can be found on the controller in the directory \CLIENTIDS\CLIENT.CDB. For each client in your testing environment you have to add an entry containing its IP address and a unique identifier. Then go to each client executing the client’s SETUP.EXE. On the clients you have to modify the hosts file residing at \system32\drivers\etc with an entry for the controller looking like this: “192.168.200.12 controller”. To start the test choose “Start Log In” from the “Clients” menu on your controller. The controller now awaits incoming connections from clients. Before you can start testing you need each client to map the server volume to drive F: (you could of course choose another drive letter, which requires additional modifications). On each client now start the netbench client software. When you return to the controller you will see an entry started by a yellow circle for each client connected. After clicking “Yes” you can proceed to adding a test suite with several tests to choose from (I decided to use DM.TST). Then enter the result file and watch it benchmarking.

3.1.8 sipp [16] [17]

SIPp is an Open Source test tool and traffic generator for the SIP protocol. It works with integrated scenarios establishing and releasing multiple calls with INVITE and BYE methods. It dynamically displays statistics about round trip delay or call rate. It can be used for various SIP equipment and is very useful for emulating thousands of user agents calling your SIP system. Run the embedded server scenario

    /usr/src/sipp/sipp -sn uas

and on the same host the embedded client scenario

    /usr/src/sipp/sipp -sn uac 127.0.0.1

There are different scenarios available for SIPp and you can also create your own XML scenarios for testing. The software can be obtained with a simple “apt-get install sipp”.

Figure 3.4: Screenshot of a SIPp Output

3.1.9 copying files

“Copying files” is no brand new piece of software testing your network to the bones but rather the old fashioned and easily comparable idea of measuring the time it takes to copy files. I chose to copy several different sizes of files from the file server homer.sylvia.test to all clients. For Linux-based computers I mounted the share with file system smbfs, and by adding “time” before the copy command the duration of the activity is simply written back to you.

    test1: 200 times 512 Bytes
    test2: 100 times 1 KB
    test3: 40 times 25 KB
    test4: 30 times 1 MB
    test5: once 1 GB

3.1.10 digging DNS

Another simple but important thing to check in your network is how long it takes to dig a hostname:

    time dig snowball.sylvia.test

3.1.11 open a file from a share

An everyday task and very likely an everyday annoyance is to open a file you work on from a network share. I assumed having one big and one small file each for a word processor and for a spreadsheet lying on the server and being accessed from my clients in the network. These are apu, lisa and nelson, with apu and nelson having both Microsoft Office and OpenOffice installed. Lisa, the SUSE client, only provides OpenOffice. Then I measured the time it takes, with the specified program already opened, until the file was fully loaded.

3.1.12 downloading files

Measuring the time it takes to download files of various sizes from a web server is the next test I performed. Since I didn’t want traffic from the internet interfering with my analysis, I decided to load the files from an internal web server used by the Berufsförderungsinstitut Burgenland. The files downloaded are pictures with file sizes 80 KB, 250 KB and 2,74 MB.

3.1.13 ethereal [18]

Ethereal is not really a benchmarking tool but has a lot to do with testing your network, and that’s why I chose to add this tool to this chapter. Ethereal is a network packet analyzer trying to capture network packets and dissect them in maximum detail. It takes every packet sent in a network (and that’s why I switched from using a switch to using a hub in my lab) and displays everything starting from the header and ending at the real data embodied. Ethereal is the first open source tool providing this amount of features and assists you in troubleshooting your network, examining security problems, debugging protocols and learning the internals of a protocol. There are many other advantages connected to the use of ethereal like the support for all major platforms, detailed protocol information, several filter possibilities, various statistics, and so on. As I don’t have a GUI installed on any of my Linux computers, I installed Ethereal on some Windows hosts. Installing ethereal on Debian works with “apt-get install ethereal”. For Windows you need to download the binary at the web site cited above and start the setup. Since Ethereal version 0.10.12 the WinPcap installer has become part of the Ethereal installer so you don’t need to worry about forgetting it anymore. When Ethereal is installed you need to choose which interface to monitor in the “Capture” menu. The entry “Interfaces ...” will open a dialog containing all interfaces Ethereal found on your host. Once you have chosen an interface you can start a new capture by clicking “Start” in the same menu. You will see a small window with the number of packets captured with the corresponding protocol. When stopping the live capture the captured data is loaded and you have one line for each packet. In newer versions you even have a color scheme flagging certain kinds of protocols.
When clicking one of the packets the entry is highlighted and the details are displayed below. You will find several Ethereal sniffs throughout my thesis because, and I really want to emphasize this, it helped me solving nearly every problem I experienced.

3.1.14 tcpdump [19]

When mentioning Ethereal I also have to mention its command-line based equivalent tcpdump, helping me to sniff packets on those PCs without a graphical interface. Installed with “apt-get install tcpdump”, it provides output that is not as easy to read but just as interesting as that known from Ethereal.

3.1.15 nmap [20]

Known not only to network administrators but also from the movie “The Matrix Reloaded”, nmap is the tool I used to scan my hosts for open ports. It detects open ports, the services running and the operating system used. In a network it is used for penetration testing and for general computer security. Unlike other tools aiming at assessing host vulnerabilities, nmap is built not to interfere with the normal operation of the networks or computers scanned.

Bibliography

[1] Oetiker, Rand: MRTG Multi Router Traffic Grapher (2005). http://people.ee.ethz.ch/~oetiker/webtools/mrtg (2005-12-06)
[2] Linux Home Networking: Advanced MRTG for Linux (2005). http://www.linuxhomenetworking.com/linux-hn/mrtg-advanced.htm (2005-12-06)
[3] Windowsnetworking: Introduction to the Simple Network Management Protocol (SNMP) Part 1. http://www.windowsnetworking.com/articles_tutorials/Introduction-SNMP-Part1.html (2005-12-06)
[4] OpManager - Network Monitoring Software: Installing SNMP agent on Windows Systems (2005). http://manageengine.adventnet.com/products/opmanager/help/user_guide/snmp_installation/install_snmp_win.html (2005-12-06)
[5] OpManager - Network Monitoring Software: Configuring SNMP Agents (2005). http://manageengine.adventnet.com/products/opmanager/help/user_guide/snmp_installation/conf_snmp_agents.html (2005-12-06)
[6] Linux et autres sottises 2003: mrtg.cfg (2003). http://www.linux-sottises.net/mrtg/linux-sottises.cfg (2005-12-07)
[7] Somix: The MIB archive (2005). http://www.somix.com/support/mib_resources.php (2005-12-07)
[8] Somix: MRTG Repository (2005). http://www.somix.com/support/mrtg_repository.php (2005-12-07)

84 BIBLIOGRAPHY 85

[9] Tobias Oetiker: About SmokePing (2005). http://people.ee.ethz.ch/~oetiker/webtools/smokeping/ (2005-12-07)
[10] SecRobot: Bing - Measures bandwidth between two point-to-point connections (2003). http://linux.maruhn.com/sec/bing.html (2005-12-07)
[11] Distributed Applications Support Team: Iperf Version 2.0.2 (2005). http://dast.nlanr.net/Projects/Iperf (2005-12-07)
[12] Distributed Applications Support Team: Iperf Version 1.1.1 (2005). http://dast.nlanr.net/Projects/Iperf1.1.1 (2005-12-07)
[13] Rick Jones: Welcome to Netperf Homepage (2005). http://www.netperf.org/netpwerf/NetperfPage.html (2005-12-07)
[14] network lab: Netzwerkperformance mit NetIO messen (2005). http://www.nwlab.net/art/netio/netio.html (2005-12-07)
[15] VeriTest: NetBench (2002). http://www.veritest.com/benchmarks/netbench/default.asp (2005-12-07)
[16] hp: SIPp Welcome to SIPp (2005). http://sipp.sourceforge.net/ (2005-12-07)
[17] hp: SIPp Reference documentation v1.1 (2005). http://sipp.sourceforge.net/doc1.1/reference.html#Main+features (2005-12-07)
[18] Ethereal: Powerful Multi-Platform Analysis (2005). http://www.ethereal.com (2005-12-07)
[19] www.tcpdump.org: tcpdump/libcap (2005). http://www.tcpdump.org/ (2005-12-07)
[20] insecure.org: What is your operating system letting others do? (2005). http://www.insecure.org/nmap/ (2005-12-07)

Chapter 4

Theory of IPv6

The Internet Protocol IP is a best-effort datagram service and the version widely used by now is 4. This version was also the first version of IP in production use and formed the basis of the current Internet. It has been described by IETF RFC 791, first published in 1981. The addressing scheme of 32 bit limits the number of addresses to 4.294.967.295, which seemed to be enough back then. Through bad address distribution and a shortsighted idea of how much the internet would grow, addresses are near to exhaustion. A USA-centric view of the internet also made it possible that a single college got a bigger address range than the whole of China. There have been some approaches to this issue like a tighter control by Regional Internet Registries, network renumbering, DHCP, NAT and of course the introduction of IPv6. Predictions from the year 2004 claim an address pool exhaustion for 2016 and a complete exhaustion for 2023. Although predictions in the field of computer science are always a bit vague, the need for IP addresses will additionally grow with the new market of mobile and domestic devices, which will sooner or later make it inevitable to introduce IPv6. One huge limitation of IPv4 is the address shortage discussed above. None of the measures taken against this problem could solve it as a whole without imposing other troubles. Take NAT, for example: network administrators around the world got used to having public and private addresses in their networks, translating private into public addresses and vice versa in order to reach the internet, with the disadvantage of creating a performance and application bottleneck.

86 CHAPTER 4. THEORY OF IPV6 87

Another need for the change in the protocol is to scale down the number of routing table entries in backbone routers, which is currently near 85.000 entries. With a growing network infrastructure the need for easier configuration of hosts in the network was also an issue lacking a solution when using IPv4. Because the majority of all attacks on a network come from within a company, people also demand security comprising authentication and encryption at IP level. In addition to this, supporting QoS for production use is demanded. All these concerns are handled by IPv6. In this chapter I will talk about the key features of IPv6 and why I think, together with countries like Japan and China or institutions like the Pentagon (switching to IPv6 in 2006), that IPv6 is the future and that we cannot overcome the difficulties we have with IPv4 by inventing more and more makeshifts.

4.1 IPv6 Addresses [1] [2]

The most obvious reason for switching to IPv6 is of course the address space. Instead of 32 bit with IPv4 we now can use 128 bit with IPv6, providing the unbelievable number of 340.282.366.920.938.463.463.374.607.431.768.211.456 possible addresses. The decision to make the address 128 bits long was made in order to provide hierarchical routing domains. An address assigned to an interface is composed of a 64-bit subnet identifier and a 64-bit interface identifier. Similar to the way the address space was allocated with IPv4, the high-order bits in IPv6 addresses define several address types as well. These high-order bits are also called Format Prefix (FP).

Global unicast addresses: 001
Link-local unicast addresses: 1111 1110 10
Site-local unicast addresses: 1111 1110 11
Multicast addresses: 1111 1111

Above you see the high-order bits for the most important kinds of addresses. But let’s talk about the syntax of an IPv6 address first.

We already know that an IPv6 address is represented by 128 bits. IPv4 addresses consist of 32 bit with each 8 bits represented as a decimal number from 0 to 255. Doing the same with IPv6 addresses would result in 16 decimal numbers which, as we know from practical use, no one would remember. Rather than decimal numbers the hexadecimal numbering system is used. Here you have 8 hex-numbers each representing 16 bits. For those needing to remember addresses this has the advantage of a shorter address, and everyone else not able to read hex doesn’t need to remember them anyway, since end users will usually prefer names over addresses. The hex-numbers within an address are separated by colons and long sequences of zeros can be represented by a double colon (but only once).

FF02:30:0:0:0:0:0:5 can be represented as FF02:30::5
2001:16d8:0:0:4:0:0:1 can be represented as 2001:16d8::4:0:0:1

In the first example I simply left out the 5 zeroes and substituted them with ::. The second example is a bit more complicated, for we have two sequences of zeros that could be substituted. In these cases, the first sequence of zeros is substituted and the second has to be written as usual. Otherwise you would have no chance of finding out how many zeros are left out at each double colon. To find out how many hex-zeros are represented by a double colon simply count the number of hex-blocks in the address and subtract it from 8. There are three types of addresses used with IPv6:

• Unicast
• Multicast
• Anycast
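The two rules above (at most one “::”, and 8 minus the number of written blocks giving the number of hidden zero blocks) as a small expander and compressor; this is an added example, not code from the thesis. The mixed notation with a trailing dotted quad, used by the compatibility addresses later in this chapter, is handled as well.

```python
"""Added example (not from the thesis): text form of IPv6 addresses."""
import re
from typing import List

_DOTTED = re.compile(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def expand(text: str) -> List[int]:
    """Return the eight 16-bit blocks of an address written in any legal form."""
    text = text.strip().lower()
    m = _DOTTED.search(text)
    if m:  # mixed notation (::ffff:192.0.2.128): the dotted quad is the last two blocks
        o = [int(x) for x in m.groups()]
        if max(o) > 255:
            raise ValueError("bad embedded IPv4 address in %r" % text)
        text = text[:m.start()] + "%x:%x" % ((o[0] << 8) | o[1], (o[2] << 8) | o[3])
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once in %r" % text)
    if "::" in text:
        head, tail = text.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)  # the counting rule from the text
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero block in %r" % text)
        blocks = left + ["0"] * missing + right
    else:
        blocks = text.split(":")
    if len(blocks) != 8:
        raise ValueError("expected 8 blocks in %r" % text)
    for b in blocks:
        if not re.fullmatch(r"[0-9a-f]{1,4}", b):
            raise ValueError("bad block %r in %r" % (b, text))
    return [int(b, 16) for b in blocks]


def hidden_blocks(text: str) -> int:
    """How many zero blocks the '::' in `text` stands for (0 if there is none)."""
    if "::" not in text:
        return 0
    written = [b for b in text.replace("::", ":").split(":") if b]
    return 8 - sum(2 if "." in b else 1 for b in written)  # a dotted quad is two blocks


def compress(blocks: List[int]) -> str:
    """Shortest text form: lowercase hex without leading zeros and the longest run
    of zero blocks (the first one on a tie, as in both examples above) replaced by
    '::'. A single zero block is left alone, as RFC 5952 requires."""
    hexes = ["%x" % b for b in blocks]
    best_start, best_len = -1, 1
    i = 0
    while i < 8:
        if blocks[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and blocks[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_start < 0:
        return ":".join(hexes)
    return ":".join(hexes[:best_start]) + "::" + ":".join(hexes[best_start + best_len:])


def canonical(text: str) -> str:
    """Normalize any spelling of an address; an access list keyed on the text
    form has to do this before comparing, or two spellings of one address differ."""
    return compress(expand(text))


def is_valid(text: str) -> bool:
    try:
        expand(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(canonical("2001:16d8:0:0:4:0:0:1"))  # 2001:16d8::4:0:0:1
```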

4.1.1 Unicast IPv6 addresses

4.1.1.1 Global addresses [3]

This kind of address is identified by an FP of 001 and according to its scope can be compared to public IPv4 addresses. A global address therefore either starts with 2xxx: or 3xxx:, with x representing a hex-digit. These addresses are globally reachable and routable, and because of the better structure of the address hierarchical routing is possible. A global address is made up of a routing prefix, a subnet identifier and an interface identifier. In theory, each part can have any size but in practice the routing prefix is made up of 48 bits, the subnet ID (a number identifying the subnet within a site) of 16 bits and the remaining 64 bits are used for the interface ID.

Figure 4.1: The structure of a global address [3]

4.1.1.2 Link-local address

A link-local address is derived by stateless autoconfiguration and is identified by an FP of 1111 1110 10 or in hex: fe8x, fe9x, feax, febx with x representing a hex-digit. At the moment only fe8x is used for link-local addressing, with x usually being “0”. This address is configured in order to provide communication with neighbours, like: “Anyone else here?” and “Anyone with a special address here (e.g. a router)?” Packets with a link-local destination address are never routed. Link-local addresses are therefore only used on a particular local link, i.e. a physical network, and are used for “Neighbor Discovery”, which I will describe later on. A link-local address therefore is composed of a 64-bit link-local prefix and a 64-bit Interface identifier.

4.1.1.3 Site-local address

Site-local addresses are defined by an FP of 1111 1110 11 or in hex by fecx, fedx, feex or fefx with x representing a hex-digit. These addresses can be compared to the private addresses used with IPv4 such as 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. These addresses have the scope of a site or an entire organization and therefore border routers must not route traffic outside a site. Site-local addresses are not assigned automatically but either through stateful or stateless address autoconfiguration (see radvd for this issue). The structure of these addresses is very similar to a global address, for it is composed of a 48-bit fixed identifier like fec0::/48, a 16-bit site ID and a 64 bit interface ID. This implies that you can also build network routes using only site-local interfaces within the site. Remember that you can assign these addresses regardless of using global addresses as well - an IPv6 enabled interface can have several different IP addresses. If you want to know more about this kind of addressing read RFC 1918. Note: There have been considerations on deprecating site-local addresses although they are very useful for testing purposes. See RFC 3879.

4.1.1.4 Special addresses

4.1.1.4.1 Unspecified address The unspecified address 0:0:0:0:0:0:0:0, represented by ::, is only used in the absence of an address and cannot be used as a destination address.

4.1.1.4.2 Loopback address 0:0:0:0:0:0:0:1, or ::1 for short, is the loopback address for an interface. Compare the IPv4 loopback address 127.0.0.1.

4.1.1.4.3 Privacy extensions When using a non-changing interface identifier in order to form an address the risk is very high that a strategically placed sniffer can find out a lot about you. Eavesdroppers and other persons or organizations interested in what you are doing may find out what you do and when you do it, which poses huge security and privacy problems. In order to prevent that, privacy extensions (described in RFC 3041) can be generated by appending to your prefix an identifier computed from your MAC address and a randomly chosen number. This address is valid for a predefined period of time (some hours to a few days) and makes it more difficult to keep track of your online activities. Sysadmins in companies won’t like this, since it will impose problems with accounting, access lists and other address based rules.

4.1.1.5 Compatibility addresses

In order to facilitate the transition from IPv4 to IPv6 there are several types of addresses to provide coexistence of the two protocols.

4.1.1.5.1 IPv4-compatible addresses An IPv4-compatible address is written 0:0:0:0:0:0:w.x.y.z or ::w.x.y.z with the last 32 bit representing the IPv4 address. Note that this transition mechanism is no longer used. It was used by IPv6/IPv4 nodes communicating with IPv6 over an IPv4 network.

4.1.1.5.2 IPv4-mapped addresses The structure of this address is defined as 0:0:0:0:0:ffff:w.x.y.z with the last 32 bit representing the IPv4 address, and it is used for the internal representation of an IPv4-only node to an IPv6 node. It is normally used to represent IPv4 addresses to IPv6 applications. The big advantage here is that servers providing a service for both IPv4 and IPv6 only need one listening socket.

IPv4 address: 192.0.2.128
IPv4-mapped address: ::ffff:192.0.2.128 or ::ffff:c000:280

4.1.1.5.3 6over4 addresses 6over4 is a transition mechanism meant to transmit IPv6 packets between dual-stack nodes using IPv4 as a virtual data link layer on which IPv6 can be run. A host wanting to join this 6over4 network can set up a virtual IPv6 interface with a link-local address derived as follows: the unicast 64-bit prefix (fec0::/64 in this example) and the appended hexadecimal representation of the IPv4 address.

IPv4 address: 192.0.2.128
6over4 address: fec0::c000:280

Suggested further reading is RFC 2529. Note: ISATAP is a more complex alternative to 6over4 and does not rely on IPv4 multicast.

4.1.1.5.4 6to4 addresses 6to4 addresses are used together with a special tunneling mechanism that is used to provide unicast IPv6 connectivity between IPv6 sites across the IPv4 network. The address is made up of the following parts: 2002:wwxx:yyzz:SubnetID:InterfaceID

IPv4 address: 192.0.2.128 on site number 5
6to4 address: 2002:c000:280:5:[InterfaceID]

For sending a packet through this configuration the IPv6 packet is embedded in an IPv4 header and the protocol type of the IPv4 header is set to “41”. The destination address is retrieved from the 32 bits in the 6to4 address representing the IPv4 address. See RFCs 3056, 2893, 3068 and 3964 for further information.

4.1.1.5.5 ISATAP addresses ISATAP is a transition mechanism transmitting IPv6 packets between dual-stack nodes on top of an IPv4 network without requiring IPv4 to support multicast. An ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) address is derived from a 64-bit unicast prefix, an appended :0:5efe: part and the IPv4 address.

ISATAP prefix for link-local: fe80:0:0:0:0:0:5efe:
IPv4 address: 192.0.2.128
ISATAP address: fe80::5efe:c000:280

ISATAP techniques can also be used together with global address prefixes. Like 6over4 and 6to4, ISATAP addresses contain the IPv4 address, which can be used to derive the IPv4 destination address when tunneling the traffic through the IPv4 network. See RFC 4214 for more details on ISATAP.
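The four address constructions above (IPv4-mapped, 6over4, 6to4 and ISATAP), worked through from the text’s IPv4 address 192.0.2.128 with the standard ipaddress module, plus the reverse step of recovering the embedded IPv4 tunnel endpoint; this is an added example, not code from the thesis. The 6over4 prefix fec0::/64, the ISATAP prefix fe80::/64 and the 6to4 interface ID 1 are assumed values for illustration.

```python
"""Added example (not from the thesis): transition addresses from an IPv4 address.
Prefixes fec0::/64 and fe80::/64 and the interface ID are assumed sample values."""
from ipaddress import IPv4Address, IPv6Address, IPv6Network
from typing import Optional

MASK32 = 0xFFFFFFFF


def _prefix64(prefix: str) -> int:
    net = IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("a 64-bit unicast prefix is required, got %s" % prefix)
    return int(net.network_address)


def ipv4_mapped(v4: str) -> IPv6Address:
    """0:0:0:0:0:ffff:w.x.y.z - the IPv4 address in the low 32 bits behind ffff."""
    return IPv6Address((0xFFFF << 32) | int(IPv4Address(v4)))


def six_over_4(v4: str, prefix: str = "fec0::/64") -> IPv6Address:
    """6over4: a 64-bit unicast prefix followed by the IPv4 address in hex."""
    return IPv6Address(_prefix64(prefix) | int(IPv4Address(v4)))


def six_to_4(v4: str, subnet_id: int, interface_id: int) -> IPv6Address:
    """2002:wwxx:yyzz:SubnetID:InterfaceID."""
    if not 0 <= subnet_id < 2 ** 16 or not 0 <= interface_id < 2 ** 64:
        raise ValueError("subnet ID is 16 bits, interface ID 64 bits")
    return IPv6Address((0x2002 << 112) | (int(IPv4Address(v4)) << 80)
                       | (subnet_id << 64) | interface_id)


def isatap(v4: str, prefix: str = "fe80::/64") -> IPv6Address:
    """<64-bit prefix>:0:5efe:<IPv4 address>."""
    return IPv6Address(_prefix64(prefix) | (0x5EFE << 32) | int(IPv4Address(v4)))


def tunnel_endpoint(v6: str, six_over_4_prefix: str = "fec0::/64") -> Optional[IPv4Address]:
    """Recover the embedded IPv4 address a tunnel would send to, or None.

    The embedded address is data chosen by whoever built the IPv6 packet; a
    receiver should not treat it as proof of where the IPv4 packet came from.
    """
    n = int(IPv6Address(v6))
    if (n >> 112) == 0x2002:                                # 6to4: bits 16..47
        return IPv4Address((n >> 80) & MASK32)
    if (n >> 32) == 0xFFFF:                                 # IPv4-mapped
        return IPv4Address(n & MASK32)
    iid_high = (n >> 32) & MASK32
    if iid_high & 0xFDFFFFFF == 0x5EFE:                     # ISATAP, u/l bit may be set
        return IPv4Address(n & MASK32)
    if IPv6Address(v6) in IPv6Network(six_over_4_prefix):   # 6over4 on our own link
        return IPv4Address(n & MASK32)
    return None


if __name__ == "__main__":
    for a in (ipv4_mapped("192.0.2.128"), six_over_4("192.0.2.128"),
              six_to_4("192.0.2.128", 5, 1), isatap("192.0.2.128")):
        print(a, "->", tunnel_endpoint(str(a)))
```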

4.1.1.5.6 Teredo addresses Teredo, also known as IPv4 NAT traversal for IPv6, provides a tunneling mechanism via UDP encapsulation through NAT for IPv6 traffic. Protocol 41, as set in the IPv4 header used to embed IPv6 traffic, is not a common feature of NAT, and therefore this kind of traffic might not traverse NAT. UDP packets on the other hand can be translated by most NATs and can even flow through multiple layers of NAT. The Teredo technology is only used by Windows XP and Windows 2003 and is said to be a last resort transition technique. With more and more NATs supporting 6to4, Teredo will be used less and less until discarded. The Teredo prefix is 3ffe:831f::/32. Further reading is RFC 3904.

4.1.1.6 Interface Identifier [4] [5]

Several addresses discussed above like the global, the link-local and the site-local address are composed of a prefix and a 64-bit Interface Identifier. Let’s take a look at how this Interface Identifier is derived. There are several ways to set your interface identifier. You could let DHCPv6 do the work for you, you could set the addresses manually or you could as well choose the way discussed above in the chapter about privacy extensions, where the Interface ID is computed using the MAC address and a randomly chosen number. If you wish to remember some computers’ IP addresses easily you might go for the manual setting of the Interface Identifier. In my network the global addresses have been planned manually and set via DHCPv6. For site-local and link-local addresses on the other hand I chose the autoconfigured Interface Identifier to be appended to the prefix. In those cases the Interface Identifier is set automatically to the Extended Unique Identifier (EUI)-64 address defined by IEEE. The EUI-64 is a new type of MAC address outdating the old IEEE 802 format, which was made up of the company ID (24 bit) and an extension or device ID (24 bit) making each network adapter unique. In the new IEEE EUI-64 addresses the company ID part stays 24 bits long but the extension ID is extended to 40 bit. But let’s take a closer look at how an EUI-64 address is derived. Let’s start in the first line with the IEEE 802 address, or simply the MAC address as we know it.

Figure 4.2: How to derive the IPv6 interface identifier from the IEEE 802 address [6]

The shaded part is the 24 bit company ID and the white part is the 24 bit extension ID that is distributed within the company. The two bits within the company ID written “00” instead of the c’s are the Universal/Local (U/L) and the Individual/Group (I/G) bits. When Individual/Group is set to 0 the address is unicast, otherwise multicast is denoted. More important for our needs is the Universal/Local bit, for it defines whether the address is universally administered (“0”) or locally (“1”). In order to get to the next step, the creation of an EUI-64 address, 16 bits have to be added between company and extension ID. Here we find a little inconsistency with the specification made by IEEE. Usually you create an EUI-64 address out of an IEEE 802 (also called MAC-48) address by appending FF-FF to the company ID, but in order to derive the Interface ID used by IPv6 you have to append FF-FE or 11111111 11111110 instead. The last step in the creation of the Interface Identifier used by IPv6 is to complement the Universal/Local bit in the company ID (seventh bit in the first byte), i.e. changing it from zero to one or vice versa.
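The three steps of Figure 4.2 (insert FF-FE between company and extension ID, complement the U/L bit, append the result to a /64 prefix) together with their reversal, as an added example that is not part of the thesis; the MAC address in the block is a constructed sample value.

```python
"""Added example (not from the thesis): MAC address -> modified EUI-64 interface ID.
SAMPLE_MAC is a constructed value."""
from ipaddress import IPv6Address, IPv6Network
from typing import Optional

SAMPLE_MAC = "00:aa:00:3f:2a:1c"  # constructed sample value


def parse_mac(text: str) -> bytes:
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address, got %r" % text)
    return raw


def is_universal(mac: str) -> bool:
    """U/L bit clear: assigned by the manufacturer, not locally administered."""
    return (parse_mac(mac)[0] & 0x02) == 0


def is_group(mac: str) -> bool:
    """I/G bit set: a multicast (group) address, never used for an interface ID."""
    return (parse_mac(mac)[0] & 0x01) != 0


def modified_eui64(mac: str) -> bytes:
    """The 64-bit interface identifier IPv6 derives from a MAC address."""
    m = parse_mac(mac)
    if is_group(mac):
        raise ValueError("a group address cannot identify an interface")
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])  # ff-fe, not IEEE's ff-ff
    iid[0] ^= 0x02                                 # complement the U/L bit
    return bytes(iid)


def address_from_prefix(prefix: str, mac: str) -> IPv6Address:
    """Append the interface identifier to a 64-bit prefix (fe80::/64 for link-local)."""
    net = IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 interface identifier needs a /64 prefix")
    return IPv6Address(int(net.network_address) | int.from_bytes(modified_eui64(mac), "big"))


def mac_from_address(v6: str) -> Optional[str]:
    """Undo the derivation. That this works for any EUI-64 based address, whatever
    its prefix, is the tracking problem the privacy extensions above address."""
    iid = IPv6Address(v6).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    m = bytearray(iid[:3] + iid[5:])
    m[0] ^= 0x02
    return ":".join("%02x" % b for b in m)


if __name__ == "__main__":
    print(address_from_prefix("fe80::/64", SAMPLE_MAC))  # fe80::2aa:ff:fe3f:2a1c
```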

4.1.2 Multicast IPv6 addresses

With IPv6 the “bulk” addressing methods have changed and the good old broadcast has been outdated. Instead the use of multicast has been extended. Each multicast address starts with the first 8 bits set to 1, thus an address starting with FF is always a multicast address. The structure of the multicast address is as follows:

Figure 4.3: structure of an IPv6 multicast address [7]

The only flag defined in the “Flags” section is the Transient flag (T). When set to 0 it indicates that the address is permanently assigned, when set to 1 it is a transient (non-permanent) address. The Scope ID indicates the scope of the IPv6 network for which the multicast traffic is intended.

Figure 4.4: Scope ID values [7]

The Group ID identifies the multicast group and is unique within the scope. The following addresses are defined:

FF01::1 node-local scope all-nodes multicast address
FF02::1 link-local scope all-nodes multicast address
FF01::2 node-local scope all-routers multicast address
FF02::2 link-local scope all-routers multicast address
FF05::2 site-local scope all-routers multicast address

Solicited-node multicast address

In addition to the multicast addresses each unicast address also has a special multicast address called its solicited-node address, created through a special mapping of the unicast address. These addresses are used by the Neighbor Discovery protocol to provide efficient address resolution. Instead of using a link-local all-nodes multicast message to resolve the link-layer address of a host, the corresponding solicited-node multicast address of the host of interest is used. Since a host not only listens on its unicast address, but also on its solicited-node multicast address, it replies with a unicast neighbor advertisement message. Therefore no other nodes on the network are disturbed.

Figure 4.5: How a solicited-node multicast address is derived [7]

FF02 is the prefix for link-local multicast traffic. The last 24 bits of the unicast address from which the solicited-node address is calculated are simply appended to the address part “FF02:0:0:0:0:1:FF”.
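Decoding the fields of Figure 4.3 and deriving the solicited-node address of Figure 4.5, as an added example that is not part of the thesis; the scope names beyond the three used above are taken from RFC 4291, and the unicast addresses in the block are constructed samples.

```python
"""Added example (not from the thesis): multicast address fields and solicited-node mapping.
Scope names follow RFC 4291; the addresses in __main__ are constructed samples."""
from ipaddress import IPv6Address
from typing import List, NamedTuple, Set

SCOPE_NAMES = {0x1: "node-local", 0x2: "link-local", 0x4: "admin-local",
               0x5: "site-local", 0x8: "organization-local", 0xE: "global"}
SOLICITED_NODE_PREFIX = int(IPv6Address("ff02::1:ff00:0"))  # ff02:0:0:0:0:1:ff00::/104
GROUP_ID_MASK = (1 << 112) - 1


class Multicast(NamedTuple):
    transient: bool   # T flag: 0 = permanently assigned, 1 = transient
    scope: int
    scope_name: str
    group_id: int


def decode_multicast(text: str) -> Multicast:
    """Split ff | flags (4 bits, 000T) | scope (4 bits) | group ID (112 bits)."""
    n = int(IPv6Address(text))
    if (n >> 120) != 0xFF:
        raise ValueError("%s is not a multicast address" % text)
    flags = (n >> 116) & 0xF
    scope = (n >> 112) & 0xF
    return Multicast(bool(flags & 0x1), scope,
                     SCOPE_NAMES.get(scope, "reserved/unassigned"), n & GROUP_ID_MASK)


def solicited_node(unicast: str) -> IPv6Address:
    """ff02::1:ff followed by the low 24 bits of the unicast address."""
    return IPv6Address(SOLICITED_NODE_PREFIX | (int(IPv6Address(unicast)) & 0xFFFFFF))


def is_solicited_node(text: str) -> bool:
    return (int(IPv6Address(text)) >> 24) == (SOLICITED_NODE_PREFIX >> 24)


def listened_multicast_groups(unicast_addresses: List[str], is_router: bool = False) -> Set[IPv6Address]:
    """Groups a node must listen on: all-nodes in node- and link-local scope, one
    solicited-node address per unicast address, and the all-routers groups for routers.
    Two addresses with the same low 24 bits (e.g. the same EUI-64 interface ID under
    different prefixes) share one solicited-node address."""
    groups = {IPv6Address("ff01::1"), IPv6Address("ff02::1")}
    if is_router:
        groups |= {IPv6Address("ff01::2"), IPv6Address("ff02::2"), IPv6Address("ff05::2")}
    groups |= {solicited_node(a) for a in unicast_addresses}
    return groups


if __name__ == "__main__":
    print(decode_multicast("ff02::1"))
    print(solicited_node("fe80::2aa:ff:fe3f:2a1c"))  # ff02::1:ff3f:2a1c
```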

4.1.3 Anycast IPv6 addresses

Anycast addresses are new to the IP protocol and are based on RFC 1546. Anycasting is a conceptual cross between unicast and multicast addressing and is intended to send messages to any host of a group instead of sending to one host (unicast) or every host (multicast). Which member of the group receives the message is decided in routing terms. This technique enables possibilities not implemented with IPv4 and is intended for use with several servers or routers running a service when you don’t really care which of those provides it. It can also be used for load sharing and is helpful if one of your routers goes out of service. Instead of having an addressing scheme of their own, anycast addresses are simply displayed as unicast addresses and are identified automatically the moment a unicast address is assigned to more than one interface. Anycast addresses that are set across a huge network are hard to implement because of the routing entries that have to be made. Nowadays, due to the inexperience of the Internet community, anycast is only used by routers but not by hosts.

4.1.4 Addresses set on an IPv6 enabled host

On a host with IPv6 enabled there are, in contrast to IPv4 where you only had one address assigned to an interface, several addresses configured:

• a link-local address derived automatically
• the loopback address ::1 derived automatically
• an optional site-local address defined manually or by using radvd
• one or more optional global addresses defined either manually or by using radvd or DHCP

In addition to these addresses an IPv6 node listens to the following addresses:

• FF01::1 - node-local scope all-nodes multicast address
• FF02::1 - link-local scope all-nodes multicast address
• solicited-node addresses for each unicast address set
• multicast addresses of joined groups

In the list above I left out the special transition techniques set automatically when using Windows (e.g. ISATAP, Teredo, ...). In contrast to a host, routers may have joined anycast groups on which they have to listen as well, and they are configured with more multicast addresses (FF01::2, FF02::2 and FF05::2) for all-routers multicasts.

4.1.5 Address Autoconfiguration Process

As mentioned before, one of the biggest advantages of IPv6 is the ability to configure itself. By default a host can configure a link-local address automatically, and when using router discovery additional parameters, default routes and multiple addresses can also be derived. There are two types of autoconfiguration: stateful and stateless. Stateful address autoconfiguration relies on a stateful autoconfiguration protocol such as DHCPv6. In contrast to stateful configuration, the stateless configuration receives the address via Router Advertisements with the Managed Address Configuration and Other Stateful Configuration flags set to zero. Below you can see the detailed autoconfiguration process, starting with the derivation of the link-local address and the verification of its uniqueness. This is done by sending a Neighbor Solicitation with the target address of the tentative link-local address (FE80::/64 and the EUI-64). Tentative means that the address is in the process of being verified as unique. In this state the host cannot receive unicast messages targeted to this address but is still able to listen to multicast Neighbor Advertisement messages sent in response to the Neighbor Solicitation. If no Neighbor Advertisement is received the link-local address is initialized and set valid. The next step is to send a Router Solicitation, and if a Router Advertisement is received the options provided are taken over. If no prefix information is supplied and Managed Address Configuration and Other Stateful Configuration are set to 1, stateful address configuration is used and the autoconfiguration process is stopped. If prefix information is supplied, stateless addresses are derived and, if no Neighbor Advertisement response is received, the new address is initialized.

Figure 4.6: Address autoconfiguration [1] (Picture 8-2)

Figure 4.7: Address autoconfiguration [1] (Picture 8-3)

Figure 4.8: Lifetime of an autoconfigured address [8]

A node can only receive traffic when its state is preferred or deprecated; a tentative or an invalid address cannot be used as the destination of traffic. You can find out more about autoconfiguration of interfaces in RFC 2462. Note: I left out special technologies used by default by Microsoft in the configuration process (e.g. ISATAP, Teredo, ...).
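The decision points of Figures 4.6 and 4.7 and the address states of Figure 4.8 as a simulation; this is an added example, not the thesis’s own code. The interface identifier, prefix and lifetimes are constructed values, and the set on_link stands in for what the Neighbor Solicitation/Advertisement exchange of Duplicate Address Detection would reveal.

```python
"""Added example (not from the thesis): the autoconfiguration decisions and
address lifetime states. `on_link` models the answers DAD would get; nothing
in this process authenticates the router, which is why RA Guard (RFC 6105) exists."""
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, List, Optional, Set

LINK_LOCAL = IPv6Network("fe80::/64")
INFINITE = float("inf")


@dataclass
class PrefixInfo:            # Prefix Information option of a Router Advertisement
    prefix: str              # e.g. "2001:db8:1::/64" (constructed)
    valid: float             # valid lifetime in seconds
    preferred: float         # preferred lifetime in seconds (<= valid)
    autonomous: bool = True  # A flag: prefix may be used for stateless autoconfiguration


@dataclass
class RouterAdvertisement:
    managed: bool = False    # M flag: get addresses from DHCPv6
    other: bool = False      # O flag: get other parameters (DNS, ...) from DHCPv6
    prefixes: List[PrefixInfo] = field(default_factory=list)


@dataclass
class ConfiguredAddress:
    address: IPv6Address
    configured_at: float
    preferred: float
    valid: float

    def state(self, now: float) -> str:
        age = now - self.configured_at
        if age < self.preferred:
            return "preferred"
        if age < self.valid:
            return "deprecated"  # existing connections go on, new ones should avoid it
        return "invalid"

    def usable(self, now: float) -> bool:
        return self.state(now) in ("preferred", "deprecated")


def dad_passes(candidate: IPv6Address, on_link: Set[IPv6Address]) -> bool:
    """Duplicate Address Detection: the Neighbor Solicitation for a tentative
    address is answered only by a node that already owns that address."""
    return candidate not in on_link


def autoconfigure(interface_id: int, ra: Optional[RouterAdvertisement],
                  on_link: Set[IPv6Address], now: float = 0.0) -> Dict:
    result = {"addresses": [], "failed": [], "use_dhcpv6_for_addresses": False,
              "use_dhcpv6_for_other": False}
    # 1. tentative link-local address = fe80::/64 + interface identifier, then DAD
    link_local = IPv6Address(int(LINK_LOCAL.network_address) | interface_id)
    if not dad_passes(link_local, on_link):
        result["failed"].append(link_local)   # RFC 2462: autoconfiguration stops here
        return result
    result["addresses"].append(ConfiguredAddress(link_local, now, INFINITE, INFINITE))
    # 2. Router Solicitation; without a Router Advertisement only link-local remains
    if ra is None:
        return result
    result["use_dhcpv6_for_other"] = ra.other
    prefixes = [p for p in ra.prefixes if p.autonomous]
    if not prefixes and ra.managed and ra.other:
        result["use_dhcpv6_for_addresses"] = True   # stateful configuration, process ends
        return result
    # 3. stateless addresses from each prefix, each verified with DAD in turn
    for p in prefixes:
        net = IPv6Network(p.prefix)
        if net.prefixlen != 64:
            continue                                 # a 64-bit interface ID needs a /64
        candidate = IPv6Address(int(net.network_address) | interface_id)
        if dad_passes(candidate, on_link):
            result["addresses"].append(ConfiguredAddress(candidate, now, p.preferred, p.valid))
        else:
            result["failed"].append(candidate)
    result["use_dhcpv6_for_addresses"] = ra.managed  # M set: DHCPv6 addresses in addition
    return result


if __name__ == "__main__":
    ra = RouterAdvertisement(prefixes=[PrefixInfo("2001:db8:1::/64", 7200, 3600)])
    for a in autoconfigure(0x02AA00FFFE3F2A1C, ra, set())["addresses"]:
        print(a.address, a.state(0), a.state(5000), a.state(9000))
```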

4.1.6 DHCPv6 [9]

Instead of using stateless autoconfiguration, as discussed above, you can also use stateful autoconfiguration in order to obtain parameters and/or IP addresses. One prominent way of stateful autoconfiguration is DHCP, which has also been updated for use with IPv6. Although the operations used by DHCPv6 are pretty much the same as with DHCPv4, the underlying protocol has been rewritten (DHCPv6 is not based on the old DHCP or on BOOTP). It still uses UDP but has new port numbers, a new message format and restructured options. Link-local based communication is enabled for DHCPv6, making stateful autoconfiguration possible before an IP address has been derived. The destination address set by the client hereby is a reserved, link-scoped multicast address. There are two different sets of messages exchanged when retrieving information. If only parameter information (e.g. DNS server address) has to be exchanged and the host doesn’t need an IP address to be assigned by DHCPv6, the client-server exchange involves two messages. The client sends an Information-Request message to the All_DHCP_Relay_Agents_and_Servers multicast address and immediately receives a Reply from the server. In order to request the assignment of an IP address and parameter information, first a DHCPv6 server is located: the client sends a Solicit message to the All_DHCP_Relay_Agents_and_Servers multicast address, and a server meeting the requirements responds with an Advertise message. Then the client can choose which server to use and sends a Request message asking for confirmation of the address and other configuration information. The last step is the server answering with a Reply message containing the confirmed address and configuration. After an address has been used for a specific time it has to be renewed, which is done by the client sending a Renew message to the server, which in turn answers with a Reply containing the new lifetime value.

4.2 IPv6 Header

Now that we have learned which addresses are configured on a host running IPv6 it is also important to find out what has changed in the IPv6 header. As I don’t want to write another essay about header formats I will try to keep this chapter as short as possible. Because of the longer IP address used by IPv6 the structure of the header needed to be redesigned in order to allow efficient data transfer and to clean up the header of unnecessary and unused fields as we had them with IPv4. An IPv4 header has a length between 20 and 60 bytes, which is pretty long regarding the very short address. The structure of an IPv6 packet is made up of a 40 byte IPv6 header, one or more extension headers if needed and the data.

Figure 4.9: IPv6 Header [10]

The Version field indicates the version of the IP protocol used, and the Traffic Class replaces the Type Of Service field from IPv4 and uses the new Differentiated Services method (DS) defined in RFC 2474. The next field, called the Flow Label, provides additional support for Quality Of Service features and indicates whether a packet belongs to a specific sequence of packets requiring special handling (e.g. video streaming, ...). The Payload Length replaces the “Total Length” field from IPv4 and comprises the extension headers if present and the upper-layer PDU. The Next Header field is a replacement for the Protocol field and either indicates the presence of the first extension header or, if there is no extension header, is set to the protocol of the upper-layer PDU (e.g. TCP, UDP, ICMP, ...). The Hop Limit is similar to the TTL field and indicates the maximum number of links a packet is allowed to traverse. Last but not least the source and destination addresses are appended. The Next Header field is said to be the most important innovation to the IP header, for it allows a modular use of headers when needed. The Next Header field in the IPv6 header indicates whether there is an extension header or not, and in turn each extension header has a Next Header field as well, pointing to the next extension header if present. If no extension header is appended here, the Next Header field simply points to the protocol of the upper-layer PDU again. The following extension headers are available (in the same order as they are used; you will find the Next Header values indicating the extension header appended within brackets):

• Hop-by-Hop Options Header (0) - defines some options that are intended to be examined by all devices during transmission (RFC 2460)
• Destination Options Header (60) (for intermediate destinations when the Routing header is present) - defines some options that are intended to be examined by all devices during transmission (RFC 2460)
• Routing Header (43) - the source device is allowed to set a route for the datagram within (RFC 2460)
• Fragment Header (44) - if the datagram contains only a fragment of the original message this header is set (RFC 2460)
• Authentication Header (51) - information to verify the authentication of a packet (RFC 2402)
• Encapsulating Security Payload Header, ESP (50) - holds information on the encryption of the packet (RFC 2406)
• Destination Options Header - for the final destination

Figure 4.10: IPv6 datagram without and with extension headers [11]

The first datagram only consists of the IPv6 header with a Next Header field set to 6, indicating TCP traffic. The second datagram has the Next Header field of the IPv6 header set to 0, which is the Hop-by-Hop Options Header. Within the Hop-by-Hop Options header the succeeding extension header, in this case the Fragment Header, is defined by setting its Next Header field to 44. In the last extension header the Next Header field is set to 6, referring to TCP traffic again. The minimum MTU required by IPv6 is set to 1.280 bytes, forcing links that do not supply that much to fragment the packet transparently to IPv6. If a link has a configurable MTU size it is recommended to set it to at least 1.500 bytes. IPv6 also provides a Path MTU Discovery process in order to find out the PMTU (Path Maximum Transmission Unit), which is the smallest link MTU supported on a specific path. The PMTU is derived by the sending node by assuming that the destination PMTU is the link MTU of the interface the packet is sent on and simply testing this by sending a packet of this size. If a router on the way to its destination is not able to forward the packet it responds with an ICMPv6 Packet Too Big message containing the link MTU of the router. The sending node then can set the PMTU to the link MTU received from the router and retry transmitting the packet. Current TCP, UDP and ICMP implementations for IPv4 include a pseudo-header in their checksum. This pseudo-header contains source and destination addresses as well and therefore needs to be modified for IPv6 (simply exchange the addresses). The new pseudo-header must be used by TCP, UDP and ICMPv6 and includes, besides the addresses mentioned, a field containing the upper-layer packet length and a Next Header field indicating the upper-layer protocol for which the checksum has been calculated. Note: Any transport or other upper-layer protocol including the source and destination addresses from the IP header in its computation must be modified for use with IPv6 in order to include the 128-bit addresses. Therefore the so-called pseudo-header has to be modified. (RFC 2460)
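Walking the Next Header chain of Figure 4.10 and computing the pseudo-header checksum described above, on a packet constructed inside the block (IPv6 header, Hop-by-Hop Options, Fragment header and a UDP datagram, i.e. the second datagram with UDP in place of TCP); this is an added example and not code from the thesis. Addresses, ports and payload are sample values.

```python
"""Added example (not from the thesis): Next Header chain walk and pseudo-header checksum.
Addresses, payload, fragment ID and ports below are constructed sample values."""
import struct
from ipaddress import IPv6Address
from typing import List, Optional, Tuple

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
TCP, UDP, ICMPV6 = 6, 17, 58
MAX_CHAIN = 8  # refuse absurd chains rather than let them exhaust a filter


def walk_extension_headers(pkt: bytes) -> Tuple[Optional[int], int, List[int]]:
    """Return (upper-layer protocol, offset of its header, extension headers seen).

    The protocol is None for a non-first fragment: its upper-layer header sits in
    the first fragment, which a filter matching on ports has to remember.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    if len(pkt) < 40 + payload_len:
        raise ValueError("truncated packet")
    end = 40 + payload_len
    nh, off, chain = pkt[6], 40, []
    while nh in (HOP_BY_HOP, ROUTING, DEST_OPTS, FRAGMENT, AH):
        if len(chain) >= MAX_CHAIN:
            raise ValueError("too many extension headers")
        if off + 8 > end:
            raise ValueError("truncated extension header")
        if nh == FRAGMENT:
            length = 8                                   # fixed size, no length field
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3 != 0:
                return None, off + 8, chain + [nh]       # non-first fragment
        elif nh == AH:
            length = (pkt[off + 1] + 2) * 4              # AH length: 32-bit words minus 2
        else:
            length = (pkt[off + 1] + 1) * 8              # 8-octet units, first 8 not counted
        if off + length > end:
            raise ValueError("extension header runs past the payload")
        chain.append(nh)
        nh, off = pkt[off], off + length
    return nh, off, chain  # ESP (opaque from here on) or an upper-layer protocol


def is_well_formed(pkt: bytes) -> bool:
    try:
        walk_extension_headers(pkt)
        return True
    except ValueError:
        return False


def ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, upper_len: int, next_header: int) -> bytes:
    """RFC 2460 section 8.1: source, destination, 32-bit upper-layer length,
    three zero bytes and the Next Header value of the upper-layer protocol."""
    return (IPv6Address(src).packed + IPv6Address(dst).packed
            + struct.pack("!I", upper_len) + b"\x00\x00\x00" + bytes([next_header]))


def udp_checksum(src: str, dst: str, udp: bytes) -> int:
    """Checksum as transmitted; UDP over IPv6 sends 0xffff where IPv4 sent 0."""
    csum = ~ones_complement_sum(pseudo_header(src, dst, len(udp), UDP) + udp) & 0xFFFF
    return csum or 0xFFFF


def verify_udp_checksum(src: str, dst: str, udp: bytes) -> bool:
    """A datagram whose addresses were changed in transit fails here, because the
    pseudo-header binds the checksum to both IPv6 addresses."""
    return ones_complement_sum(pseudo_header(src, dst, len(udp), UDP) + udp) == 0xFFFF


def build_udp(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    header = struct.pack("!HHHH", sport, dport, 8 + len(data), 0)
    csum = udp_checksum(src, dst, header + data)
    return header[:6] + struct.pack("!H", csum) + data


def build_packet(src: str, dst: str, with_extensions: bool = True) -> bytes:
    """Constructed sample: IPv6 [+ Hop-by-Hop + Fragment] + UDP."""
    udp = build_udp(src, dst, 5353, 53, b"constructed sample payload")
    if with_extensions:
        fragment = bytes([UDP, 0]) + struct.pack("!HI", 0, 0x1234ABCD)   # offset 0, M=0
        hop_by_hop = bytes([FRAGMENT, 0]) + b"\x01\x04\x00\x00\x00\x00"  # one PadN option
        payload, first = hop_by_hop + fragment + udp, HOP_BY_HOP
    else:
        payload, first = udp, UDP
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), first, 64)  # version 6, hop limit 64
    return fixed + IPv6Address(src).packed + IPv6Address(dst).packed + payload


if __name__ == "__main__":
    print(walk_extension_headers(build_packet("2001:db8::1", "2001:db8::2")))  # (17, 56, [0, 44])
```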

4.3 ICMPv6

As IP itself is designed to provide the basic functionality of transmitting packets, there is not even a mechanism to report back errors. This task is handled instead by the Internet Control Message Protocol version 6 (ICMPv6), which is pretty similar to the ICMPv4 used with IPv4. Besides reporting delivery and forwarding errors and providing an echo service, ICMPv6 is enhanced by Neighbor Discovery (used for node-to-node communication; see next section) and Multicast Listener Discovery (a protocol similar to IGMP, the Internet Group Management Protocol). Multicast Listener Discovery (MLD) is a set of three messages exchanged by routers and hosts by which routers can discover a list of multicast addresses for which there is at least one listener (RFC 2710). MLD will be described in this chapter in more detail. An ICMP header is composed of a Type field, the Code field specifying the type of message, the checksum and the message body. ICMPv6 messages can be divided into two big groups of messages: ICMPv6 Error messages and ICMPv6 Informational messages.

4.3.1 ICMPv6 Error messages

Note: ICMPv6 Error messages are not sent for every error encountered but are subject to a rate limit, which may be implemented by a timer or as a percentage of the link bandwidth (RFC 4443, which has since replaced RFC 2463, recommends a token bucket). The limit also keeps a node from being turned into a traffic amplifier by someone who deliberately provokes error messages.

4.3.1.1 Destination Unreachable (ICMPv6 Type 1)

A Destination Unreachable message is sent when a packet cannot be forwarded to a destination node or delivered to an upper-layer protocol. The Type field of the ICMPv6 header is set to 1 and the Code field gives the reason:

Code Field Value - Description
0 - No Route to Destination: no route matching the destination was found in the routing table
1 - Communication with Destination Administratively Prohibited: communication is prohibited by administrative policy; typically the packet was discarded by a firewall
3 - Address Unreachable: usually sent when the link-layer address of the destination could not be resolved
4 - Port Unreachable: typically sent when an IPv6 packet containing UDP arrived at a host with no listener on the given port

Note: Code Field Value 2 is unassigned according to RFC 2463. The book “Understanding IPv6” [1] nevertheless defines Code 2 as “Beyond scope of source address” - sent when a packet would have to be forwarded on an interface that is not in the scoped zone of the source address - although it also references RFC 2463. (RFC 4443, which obsoletes RFC 2463, assigns Code 2 exactly that meaning.)

4.3.1.2 Packet Too Big (ICMPv6 Type 2)

In the header of a Packet Too Big message the Type is set to 2 and the Code to 0. Following the checksum there is an additional 32-bit field called MTU that carries the MTU of the next-hop link of the router sending the message. The use of this message for Path MTU Discovery is discussed in the “IPv6 header” part of this chapter.

4.3.1.3 Time Exceeded (ICMPv6 Type 3)

The Time Exceeded message is usually sent when the Hop Limit field reaches zero after being decremented during forwarding. The Type is set to 3 and the Code is either 0 - Hop Limit Exceeded in Transit or 1 - Fragment Reassembly Time Exceeded, the latter indicating that the reassembly timer expired at the destination host. (Traceroute relies on the first kind: it sends packets with increasing Hop Limits and collects the routers that report Code 0.)

4.3.1.4 Parameter Problem (ICMPv6 Type 4)

A Parameter Problem message is sent when there is an error in the IPv6 header or in one of the extension headers that prevents the node from processing the packet further. The message header is extended by a 32-bit “Pointer” field after the checksum; it holds the byte offset within the offending packet at which the error was detected. The Type field is set to 4 and the Code can take the following values:
Code Field Value - Description
0 - Erroneous Header Field Encountered: an error in a field within one of the headers was encountered
1 - Unrecognized Next Header Type Encountered: an unrecognized Next Header value was encountered
2 - Unrecognized IPv6 Option Encountered: an unrecognized IPv6 option was encountered

4.3.2 ICMPv6 Informational messages

Informational ICMPv6 messages comprise the two troubleshooting all-stars: Echo Request and Echo Reply. An Echo Request is sent in order to solicit an Echo Reply; this simple technique verifies basic connectivity between two nodes. The Type field is set to 128 in an Echo Request and to 129 in an Echo Reply; in both cases the Code field is zero. In addition to the usual ICMPv6 structure, Echo Request and Echo Reply carry two fields, Identifier and Sequence Number, after the checksum so that a host can match incoming Replies to its outstanding Requests. Both fields are chosen by the sender and copied unchanged into the Reply.

4.3.3 Multicast Listener Discovery [12]

One special kind of ICMPv6 messages are those subsumed as “Multicast Listener Discovery” or MLD. They are used by routers to discover listeners for multicast groups and to keep track of which multicast groups currently have listeners on each of their interfaces.

MLD is a sub-protocol of ICMPv6 and is therefore carried with a Next Header value of 58. All MLD messages are sent with a link-local source address, a Hop Limit of 1 and an IPv6 Router Alert option in the Hop-by-Hop Options header (the option makes routers examine MLD messages sent to multicast addresses in which the routers themselves have no interest). A receiver should check the first two properties and ignore messages that fail them, since such messages cannot have originated on the link. The header of an MLD message consists of the Type, Code and Checksum fields known from ordinary ICMPv6 and the additional fields Maximum Response Delay, Reserved and Multicast Address. The three message types are:

4.3.3.1 Multicast Listener Query (ICMPv6 Type 130)

This message is used to find out about multicast group membership on a link. There are two kinds of Multicast Listener Query, distinguished by the Destination Address in the IPv6 header and the Multicast Address field in the MLD message. The first is the “General Query”, sent unsolicited and periodically with the Destination Address set to the link-local all-nodes multicast address (FF02::1) and the Multicast Address field set to the unspecified address (::). The second is the Multicast-Address-Specific Query, which asks all hosts on the link belonging to one specific multicast group to report; here both the Destination Address and the Multicast Address field are set to the multicast address being queried. The “Maximum Response Delay” is the maximum time (in milliseconds) within which a member of the queried group must send its Report.

4.3.3.2 Multicast Listener Report (ICMPv6 Type 131)

This message is sent by a node on a link either in response to a Multicast Listener Query or unsolicited, to report its interest in receiving traffic for a specific multicast address. The Destination Address and the Multicast Address field are both set to the multicast address being reported.

4.3.3.3 Multicast Listener Done (ICMPv6 Type 132)

The Multicast Listener Done message informs the routers that there may be no listener left for a specific multicast address on the link, because the sending node announces with it that it is leaving the group. It is sent when the group member that responded to the last Multicast Listener Query leaves the multicast group. Since this host need not really be the last member on the link (and routers, as mentioned above, do not count how many listeners a group has), a router receiving a Done immediately sends a Multicast-Address-Specific Query for that group to find out whether listeners remain. The Destination Address of a Multicast Listener Done message is the link-local all-routers multicast address (FF02::2) and the Multicast Address field holds the address of the group for which there might be no more listeners. Please see RFC 2710 for more details on Multicast Listener Discovery.

4.4 Neighbor Discovery [23]

The Neighbor Discovery protocol, or ND for short, is one of the biggest new inventions in IPv6: it replaces ARP, ICMP Router Discovery and the ICMP Redirect message and, in addition, provides techniques IPv4 was not capable of. Nodes use it to determine the link-layer addresses of their neighbors and to learn of changes to them, to find routers willing to forward their traffic, and to keep track of which neighbors are reachable.

4.4.1 Neighbor Discovery messages

Neighbor Discovery messages use the structure of an ICMPv6 message and append a Neighbor Discovery message header and zero or more Neighbor Discovery options to it. The options are formatted in type-length-value (TLV) form, i.e. each consists of a Type field, a Length field (in units of 8 bytes) and the value; a Length of zero is invalid and a receiver must discard the whole packet. The following option types exist:

• Source Link-Layer Address (Type 1) - indicates the link-layer address of the sender of the ND message; it is not included when the source IPv6 address is the unspecified address; value = link-layer address
• Target Link-Layer Address (Type 2) - indicates the link-layer address of the neighboring node to which packets should be directed; value = link-layer address
• Prefix Information (Type 3) - carries an address prefix and the information a host needs for address autoconfiguration. A message may contain several Prefix Information options announcing multiple prefixes. The structure of this option is more complicated and comprises several fields: Prefix Length, On-link Flag (the prefix may be used to decide that destinations are on-link), Autonomous Flag (the prefix may be used for stateless address autoconfiguration), Router Address Flag (for mobile nodes to discover global addresses), Site Prefix Flag (indicates that the site prefix received can be used to update the host-based site prefix table), Reserved1, Valid Lifetime (in seconds), Preferred Lifetime (in seconds), Reserved2, Site Prefix Length and Prefix.
• Redirected Header (Type 4) - carries the IPv6 packet that caused the router to send a Redirect message; it can contain the whole packet or only as much of it as fits.
• MTU (Type 5) - used in Router Advertisements in order to announce the MTU of the link.
• Advertisement Interval (Type 6) - specifies the maximum time in milliseconds between consecutive unsolicited Router Advertisements.
• Home Agent Information (Type 7) - sent by a home agent to announce its configuration.
• Route Information (Type 8) - announces routes to hosts. It again consists of several interesting fields such as Prefix Length, Preference (of the route), Route Lifetime (in seconds) and the Prefix.
To ensure that ND messages originated from a node on the link, their Hop Limit is set to 255 and a receiver must discard any ND message whose Hop Limit is not 255: a router forwarding the packet would have decremented it. Note that this check only proves that the packet came from the link, not from whom; any node on the link can send ND messages, so rogue Router Advertisements and spoofed Neighbor Advertisements have to be addressed by other means. The following ND message types exist:

4.4.1.1 Router Solicitation (ICMPv6 Type 133)

The Router Solicitation message is sent by a host, e.g. when its interface comes up, in order to receive a solicited Router Advertisement immediately instead of waiting for the next unsolicited one. The Source Address is either the host's link-local address or the unspecified address (::), the Destination Address is the link-local all-routers multicast address (FF02::2) and the Hop Limit is 255.

4.4.1.2 Router Advertisement (ICMPv6 Type 134)

Router Advertisements are sent either pseudo-periodically or in response to a Router Solicitation. The Destination Address is either the link-local all-nodes multicast address (FF02::1) or the unicast address of the host that sent the Router Solicitation. The fields of a Router Advertisement are:

• Type - 134
• Code - 0
• Checksum
• Current Hop Limit - the default Hop Limit that nodes receiving this Router Advertisement should use for the packets they send
• Managed Address Configuration Flag - if set, the receiving host should use a stateful address configuration protocol (e.g. DHCPv6) to obtain additional addresses
• Other Stateful Configuration Flag - if set, the receiving host should use a stateful configuration protocol (e.g. DHCPv6) to obtain non-address configuration such as DNS servers
• Home Agent Flag - if set, the advertising router is also a home agent
• Default Router Preference - indicates how much this router wants to be preferred as default router. Since there can be multiple routers on a link, different preference levels can be set; valid values are 01 (High), 00 (Medium) and 11 (Low). This is useful for fault tolerance.
• Reserved
• Router Lifetime - how long (in seconds) the router may be used as a default router; 0 indicates that it is not a default router (its prefixes and other parameters are still valid)
• Reachable Time - how long a node may consider a neighbor reachable after receiving a reachability confirmation
• Retransmission Timer - the time between retransmissions of Neighbor Solicitation messages during neighbor unreachability detection
• Source Link-Layer Address option - if present, contains the link-layer address of the interface on which the Router Advertisement was sent
• MTU option - if present, contains the MTU of the link
• Prefix Information options - when present, contain the on-link and autoconfiguration prefixes
• Advertisement Interval option - when present, contains the interval of unsolicited Router Advertisements
• Home Agent Information option - when present, contains information on the home agent
• Route Information options - when present, contain routes to be added to the routing table of the host
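Decoding a Router Advertisement is what every host does on receipt and what any detector of rogue Router Advertisements has to do as well. The following Python is an added example (not from the thesis): it parses the fixed RA fields listed above and walks the TLV options, rejecting the two things a receiver must reject, a Hop Limit other than 255 and an option with Length 0. The RA bytes are constructed here with the documentation prefix 2001:db8::/32 and an invented MAC address; the function names are my own.

```python
import ipaddress
import struct

ND_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LLA, OPT_PREFIX_INFO, OPT_MTU = 1, 3, 5
PREFERENCE = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "reserved"}


def decode_option(opt_type, body):
    """Decode the value part of one ND option (body excludes the 2-byte type/length)."""
    if opt_type == OPT_SOURCE_LLA:
        return {"type": "source_lla", "mac": ":".join(f"{b:02x}" for b in body[:6])}
    if opt_type == OPT_PREFIX_INFO:
        # prefix length, flags (L=0x80, A=0x40), valid, preferred, reserved2, prefix
        plen, flags, valid, preferred = struct.unpack("!BBII", body[:10])
        prefix = ipaddress.IPv6Address(body[14:30])
        return {"type": "prefix_info", "prefix": f"{prefix}/{plen}",
                "on_link": bool(flags & 0x80), "autonomous": bool(flags & 0x40),
                "valid_lifetime": valid, "preferred_lifetime": preferred}
    if opt_type == OPT_MTU:
        return {"type": "mtu", "mtu": struct.unpack("!I", body[2:6])[0]}
    return {"type": f"unknown_{opt_type}", "raw": body}   # unknown options are skipped, not fatal


def parse_nd_options(data):
    """Walk the TLV options. Length is in units of 8 octets; Length 0 is invalid and the
    whole packet must be discarded (otherwise the loop would never advance)."""
    options, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = data[offset], data[offset + 1]
        if opt_len == 0:
            raise ValueError("option length 0")
        size = opt_len * 8
        body = data[offset + 2:offset + size]
        if len(body) != size - 2:
            raise ValueError("option runs past end of packet")
        options.append(decode_option(opt_type, body))
        offset += size
    return options


def parse_router_advertisement(icmp, hop_limit=255):
    """Parse the fixed RA part. hop_limit is the Hop Limit of the IPv6 packet that carried
    the RA; anything but 255 means it crossed a router and the RA must be dropped."""
    if hop_limit != 255:
        raise ValueError("RA did not originate on-link (hop limit != 255)")
    if len(icmp) < 16:
        raise ValueError("RA shorter than 16 octets")
    msg_type, code, _csum, cur_hlim, flags, lifetime, reachable, retrans = \
        struct.unpack("!BBHBBHII", icmp[:16])
    if msg_type != ND_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    return {
        "cur_hop_limit": cur_hlim,
        "managed": bool(flags & 0x80),          # M flag
        "other": bool(flags & 0x40),            # O flag
        "home_agent": bool(flags & 0x20),       # H flag
        "preference": PREFERENCE[(flags >> 3) & 0b11],
        "router_lifetime": lifetime,
        "reachable_time": reachable,
        "retrans_timer": retrans,
        "options": parse_nd_options(icmp[16:]),
    }


def is_malformed(icmp, hop_limit=255):
    """True if a receiver has to discard the RA."""
    try:
        parse_router_advertisement(icmp, hop_limit)
    except ValueError:
        return True
    return False


# Constructed RA: hop limit 64, O flag set, preference High, lifetime 1800 s,
# followed by Source LLA, MTU and one Prefix Information option (L and A set).
SAMPLE_RA = (
    struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x40 | 0x08, 1800, 30000, 1000)
    + bytes([OPT_SOURCE_LLA, 1]) + bytes.fromhex("0200aabbccdd")
    + bytes([OPT_MTU, 1]) + b"\x00\x00" + struct.pack("!I", 1500)
    + bytes([OPT_PREFIX_INFO, 4, 64, 0xC0]) + struct.pack("!II", 2592000, 604800)
    + b"\x00" * 4 + ipaddress.IPv6Address("2001:db8:1::").packed
)
```

A host comparing the parsed Source Link-Layer Address and prefixes against what it expects from its real router has the basis of a rogue-RA alarm; the checksum is deliberately not verified here, that belongs to the generic ICMPv6 layer.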

4.4.1.3 Neighbor Solicitation (ICMPv6 Type 135)

Neighbor Solicitation is used to determine the link-layer address of an on-link node. These messages are multicast for address resolution and unicast for reachability testing of a known neighbor. The Source Address is a unicast address of the sender, or the unspecified address during duplicate address detection. The Destination Address is the solicited-node multicast address of the target for a multicast solicitation, or the target's unicast address for a unicast one; the address being resolved is carried in the Target Address field of the message.

4.4.1.4 Neighbor Advertisement (ICMPv6 Type 136)

A Neighbor Advertisement is sent either in response to a Neighbor Solicitation or unsolicited. Unsolicited Neighbor Advertisements serve to propagate changes quickly, e.g. a new link-layer address or a node changing its role between host and router; neighbors treat them as a hint and fall back to Neighbor Unreachability Detection if the information proves wrong. The Destination Address is, similar to the Router Advertisement, either the link-local all-nodes multicast address (for unsolicited advertisements and for answers to a solicitation sent from the unspecified address) or a unicast address (in response to a solicitation). Several fields are new in the structure of a Neighbor Advertisement message:

• Router flag - when set, the sender is a router
• Solicited flag - when set, the Neighbor Advertisement was sent in response to a Neighbor Solicitation
• Override flag - when set, the link-layer address carried in the Target Link-Layer Address option should override an existing neighbor cache entry; when clear, the link-layer address of an existing entry is not replaced
• Target address - the address being advertised
• Target link-layer address option - when present, contains the link-layer address of the target, i.e. of the sender of the Neighbor Advertisement

4.4.1.5 Redirect (ICMPv6 Type 137)

Redirect messages are sent in order to inform a host of a better first-hop address for a specific destination. They are only sent by routers, only for unicast traffic and only via unicast. The Target Address within the message is the better next-hop address and the Destination Address holds the address of the destination that caused the router to send the Redirect. Optionally a Target Link-Layer Address option and a Redirected Header option are appended.

Adding up all these things, ND provides:

• Router discovery
• Prefix discovery
• Parameter discovery
• Address autoconfiguration
• Address resolution
• Next-hop determination
• Neighbor unreachability detection
• Duplicate address detection
• Redirect function

Let's take a closer look at some of these.

4.4.2 Neighbor Discovery Process

In order to provide the Neighbor Discovery processes described below, the following data structures need to be present on each participating host:

• Neighbor cache - stores on-link IP addresses of neighbors and the corresponding link-layer addresses together with an indication of the neighbor's reachability
• Destination cache - stores the next-hop IP address (and optionally other information such as the path MTU) for destinations traffic has recently been sent to
• Prefix list - stores on-link prefixes
• Default router list - stores on-link routers that have sent Router Advertisements with a non-zero Router Lifetime

4.4.2.1 Address Resolution

If the destination of a datagram to be sent is on-link, the sender needs the physical layer (layer two) address of the device. Obtaining the layer two address for a layer three address is known as the address resolution problem.

The sending node sends a Neighbor Solicitation to the solicited-node multicast address derived from the destination IP address; the message carries the destination in its Target Address field and the link-layer address of the sender in a Source Link-Layer Address option. When the target host receives this message it first updates its neighbor cache with the data from the sender and then replies with a unicast Neighbor Advertisement containing its own link-layer address in a Target Link-Layer Address option. The original sender updates its neighbor cache as well, and the packet can be sent. Note that nothing in this exchange is authenticated: any node on the link can answer a solicitation for an address that is not its own, which is the IPv6 equivalent of ARP spoofing.
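The solicited-node multicast address is what makes IPv6 address resolution cheaper than an ARP broadcast: only hosts whose addresses share the low 24 bits with the target have to wake up. As an added example (not part of the thesis), the following Python derives that group and the Ethernet multicast MAC it maps to, and answers the question a host has to ask for every incoming solicitation, namely whether it belongs to the group at all. Addresses are from the documentation prefix 2001:db8::/32 plus invented link-local ones; the function names are my own.

```python
import ipaddress

SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")   # RFC 4291 section 2.7.1


def solicited_node_address(unicast):
    """Solicited-node multicast group of a unicast (or anycast) address: the /104 prefix
    ff02::1:ff00:0 followed by the low-order 24 bits of the address."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE.network_address) | low24)


def ethernet_multicast_mac(group):
    """RFC 2464 section 7: an IPv6 multicast address maps to the MAC address 33:33
    followed by the low-order 32 bits of the group address."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))


def neighbor_solicitation_destination(target):
    """Where an address-resolution NS for `target` goes: IPv6 destination and frame MAC."""
    group = solicited_node_address(target)
    return str(group), ethernet_multicast_mac(group)


def must_process(host_addresses, ns_destination):
    """Does a host with these configured unicast addresses belong to the solicited-node
    group the NS was sent to? Only the low 24 bits decide, so unrelated addresses can
    share a group; every such host then has to compare the Target Address field."""
    dest = ipaddress.IPv6Address(ns_destination)
    return any(solicited_node_address(a) == dest for a in host_addresses)
```

On a switch with MLD snooping the 33:33:ff:xx:xx:xx frame is delivered only to ports that reported the group; without it the frame is flooded like an ARP broadcast, but hosts still filter it in the NIC.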

4.4.2.2 Router Discovery

Router Discovery is the process of discovering the routers on a local link and is pretty similar to what we already know from IPv4. An enhancement over the old Router Discovery is the use of Neighbor Unreachability Detection. IPv6 has, like IPv4, a Router Lifetime field indicating how long a router can be considered a default router. If the router goes offline within this time, hosts using IPv4 usually waited for the Router Lifetime to expire. Now a router that is down is detected through Neighbor Unreachability Detection and another router is chosen from the default router list. If there is no other router on this list, a Router Solicitation message is sent in order to find other routers on the link. In addition to finding a default router, Router Discovery also configures the Hop Limit, whether stateful address configuration is used, timers, network prefixes, the MTU and routes to be set.

4.4.2.3 Neighbor Unreachability Detection

A node is considered reachable if a reachability confirmation has been received recently (please note that neighbor reachability simply means the reachability of the first-hop node, not end-to-end reachability). One way of confirming the reachability of a node is to send it a unicast Neighbor Solicitation. If a Neighbor Advertisement with the Solicited flag set is received in response, the host sending the Neighbor Advertisement is considered reachable. The host that sent the Neighbor Solicitation is not automatically considered reachable as well: if host A sends a Neighbor Solicitation to host B and host B replies with a Neighbor Advertisement, only host B is considered reachable. For host A to be considered reachable by B, it has to answer a Neighbor Solicitation from host B. Only a solicited Neighbor Advertisement counts as confirmation; an unsolicited one proves that its sender exists, not that the path to it works. Another way of confirming reachability is when an upper-layer protocol like TCP confirms progress for sent data: if end-to-end connectivity is proven by TCP, the reachability of the first-hop node can be deduced. An entry in the neighbor cache can be in one of several states:

• Incomplete - address resolution is in progress and the link-layer address is not yet determined
• Reachable - the neighbor has been confirmed reachable recently (within Reachable Time)
• Stale - no longer known to be reachable, but no attempt to determine reachability is made until traffic is sent to the neighbor
• Delay - the neighbor is no longer known to be reachable and traffic has recently been sent, but probing is delayed for a short while in order to give upper-layer protocols a chance to provide reachability information
• Probe - the neighbor is no longer known to be reachable and unicast Neighbor Solicitation probes are being sent; if none is answered, the entry is deleted
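The state list above is a small state machine driven by two timers and two events. As an added example (not from the thesis), the following Python walks one neighbor cache entry through it using the protocol constants of RFC 4861 (Reachable Time 30 s, DELAY_FIRST_PROBE_TIME 5 s, Retrans Timer 1 s, MAX_UNICAST_SOLICIT 3); timestamps are plain seconds passed in by the caller, the link-layer address is invented, and the class and method names are mine.

```python
from dataclasses import dataclass

# Protocol constants (RFC 4861 section 10). ReachableTime and RetransTimer are the
# defaults a router may override in its Router Advertisement.
REACHABLE_TIME = 30.0
DELAY_FIRST_PROBE_TIME = 5.0
RETRANS_TIMER = 1.0
MAX_UNICAST_SOLICIT = 3


@dataclass
class NeighborEntry:
    """One neighbor cache entry; `since` is when the current state was entered."""
    lladdr: str
    state: str = "REACHABLE"
    since: float = 0.0
    probes: int = 0

    def confirm(self, now):
        """Reachability confirmation: a solicited Neighbor Advertisement answered our own
        Neighbor Solicitation, or an upper layer (e.g. TCP) saw forward progress. Only the
        node that sent the solicitation may treat the answer as confirmation."""
        self.state, self.since, self.probes = "REACHABLE", now, 0
        return "reachable"

    def send_packet(self, now):
        """A packet is about to be sent to this neighbor using the cached link-layer address."""
        if self.state == "STALE":            # start probing, but give TCP a chance first
            self.state, self.since = "DELAY", now
            return "delay"
        return "send"

    def tick(self, now):
        """Timer expiry; returns the action the caller has to carry out, if any."""
        if self.state == "REACHABLE" and now - self.since >= REACHABLE_TIME:
            self.state, self.since = "STALE", now
            return "stale"
        if self.state == "DELAY" and now - self.since >= DELAY_FIRST_PROBE_TIME:
            self.state, self.since, self.probes = "PROBE", now, 1
            return "send unicast NS"          # first probe goes unicast to the cached lladdr
        if self.state == "PROBE" and now - self.since >= RETRANS_TIMER:
            if self.probes >= MAX_UNICAST_SOLICIT:
                self.state = "UNREACHABLE"    # entry is deleted; the next send resolves anew
                return "delete"
            self.probes += 1
            self.since = now
            return "send unicast NS"
        return None
```

The asymmetry from the text is visible in `confirm`: it is only called on the node whose probe was answered, so a host that merely receives solicitations never marks the solicitor reachable.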

4.4.2.4 Redirect

Redirect messages are sent either when there is a better first hop in routing terms for a packet (e.g. if there is more than one router on a link) or when a packet's destination is on-link without the sending host knowing it (because the host lacks the prefix in its prefix list). The Redirect process starts with host 1 sending a packet destined for host 2 on network 2 to its default router R1. The router processes the packet and finds out that the originating host's address and the next-hop address (R2) are on the same link. Router R1 sends the originating host H1 a Redirect message whose Target Address field is set to the next-hop address to which the originating host should send subsequent packets for this destination. R1 still forwards the packet already sent by host 1 to R2 so that it reaches network 2 and its destination.

Figure 4.11: Redirect process [14]

Upon receipt of the Redirect message host 1 updates its destination cache with the address from the Target Address field. Redirect messages are only sent by the first router in the path. Hosts never send Redirect messages, and routing tables are never altered upon receipt of a Redirect, only the destination cache. A host should accept a Redirect only if it was sent from the link-local address of the router it currently uses as first hop for that destination and arrived with a Hop Limit of 255; otherwise any on-link node could redirect traffic through itself.

4.4.2.5 Duplicate Address Detection

If a host comes up and wants to use an address derived by autoconfiguration, its uniqueness has to be verified first. The host sends a Neighbor Solicitation whose Target Address field holds the tentative address and whose Destination Address is the solicited-node multicast address of that tentative address. The Source Address is set to the unspecified address (::), because the address may not be used until a duplicate has been ruled out. If a Neighbor Advertisement is received in reply (it must be sent to the link-local all-nodes multicast address, since the solicitation had no usable source), there already is a node with the same address and it must not be configured on the interface; if nothing arrives within the retransmission timer, the address is assigned. Note that a malicious node on the link can answer every such solicitation and thereby prevent any new host from configuring an address.

4.4.2.6 Next-Hop determination

This is the first thing a host does when sending a datagram. The host looks at the destination address and decides whether direct or indirect delivery is needed, using the prefix information supplied by routers or configured manually on the interface. If the destination is not on-link, the next hop is chosen from the host's default router list (which is either learned by ND or entered manually). For efficiency this decision is not made for every packet; the result is stored in the destination cache for future use.

4.5 IPv6 Routing

IPv6 routing entries can either be entered manually or added upon receipt of a Router Advertisement message. A routing table has to be present on each IPv6 node in order to determine how specific networks can be reached when sending a packet. Before the IPv6 routing table is consulted, the destination cache is checked for an entry matching the destination address. If there is none, the routing table determines the interface to be used for forwarding and the next-hop address, and this information in turn is stored in the destination cache for future use. The routing table can contain the following types of routes: directly attached network routes, remote network routes, host routes and default routes.

4.5.1 Route determination process

In order to make the right forwarding decision the routing table entries have to be searched. For each entry in the routing table the bits of the network prefix are compared to the corresponding bits of the destination address. If all bits within the prefix length of the route match the bits of the destination IPv6 address, the route is a match for the destination. Among all matching routes the one with the longest prefix length is chosen, for it is the most specific route to the destination. If multiple routes share the longest match, the decision is made on the metric. Since a host route has a prefix length of 128 and the default route one of 0, this rule means that for any given destination host routes win over network routes, and the default route is used only if nothing else matches. If the route determination process on a sending host fails to find a route, IPv6 assumes the destination is on-link. If it fails on a router, an ICMPv6 Destination Unreachable - No Route to Destination message is sent to the source and the packet is discarded.

4.5.2 IPv6 Delivery Process

4.5.2.1 Sending an IPv6 packet

This is the process when a packet is sent on an IPv6-enabled host.

1. The Hop Limit is set to the default or an application-specified value.
2. The destination cache is searched for an entry matching the destination.
3. If an entry is found in the destination cache, retrieve the next-hop address and the interface to use. Go to step 6.
4. If no entry is found in the destination cache, search the routing table for the longest matching, lowest metric route.
5. If an entry is found in the routing table, retrieve the next-hop address and the interface to use. If no route matches, the destination address is assumed to be directly reachable.
6. The destination cache is updated.
7. The neighbor cache is checked for an entry matching the next-hop address.
8. If an entry is found, retrieve the link-layer address.
9. If no entry is found, use address resolution to obtain the link-layer address; if address resolution fails, an error is indicated to the upper layer.
10. The packet is sent using the link-layer address of the neighbor cache entry.

4.5.2.2 Routing an IPv6 packet

This describes how a packet is processed in a router.

1. Header error checks are performed (Version = 6, the source address is not a multicast or loopback address).
2. If the destination address is the router itself, the packet is processed as described below under “Receiving an IPv6 packet”.
3. The Hop Limit value is decremented by 1. If it reaches zero, an ICMPv6 Time Exceeded - Hop Limit Exceeded in Transit message is sent and the packet is discarded.
4. Otherwise the decremented Hop Limit is written into the header.
5. The destination cache is checked for an entry matching the destination.
6. If an entry is found in the destination cache, retrieve the next-hop address and the interface to use. Go to step 9.
7. The routing table is checked for the longest mat­ching, lowest metric route.
8. If an entry is found in the routing table, retrieve the next-hop address and the interface to use. If no route is found, an ICMPv6 Destination Unreachable - No Route to Destination message is sent and the packet is discarded.
9. The destination cache is updated.
10. If the packet is being forwarded out of the interface it was received on, that interface is a point-to-point link and the Destination Address matches a prefix assigned to the interface, an ICMPv6 Destination Unreachable - Address Unreachable message is sent and the packet is discarded, in order to prevent “ping-pong” forwarding of packets.
11. If the packet is being forwarded out of the interface it was received on and the Source Address matches a prefix assigned to the interface, a Redirect message is sent to the source.
12. The link MTU of the next-hop interface is compared to the size of the packet. If the link MTU is smaller than the packet, an ICMPv6 Packet Too Big message is sent and the packet is discarded (routers never fragment in IPv6).
13. The neighbor cache is checked for an entry matching the next-hop address.
14. If an entry is found in the neighbor cache, retrieve the link-layer address.
15. If no entry is found in the neighbor cache, use address resolution. If address resolution fails, an ICMPv6 Destination Unreachable - Address Unreachable message is sent.
16. The packet is forwarded.
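The route determination rule of section 4.5.1 and the router steps above fit in a few dozen lines. As an added example (not from the thesis), the following Python implements longest-prefix-match with metric tie-break over a constructed routing table and then runs the forwarding decisions that produce ICMPv6 errors: Hop Limit exhaustion, no route, Redirect when the packet leaves on the interface it came in on from an on-link source, and Packet Too Big. Prefixes are from 2001:db8::/32, interface names and MTUs are invented, and the class and function names are mine.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv6Network
    next_hop: Optional[ipaddress.IPv6Address]   # None: directly attached (on-link) network
    interface: str
    metric: int = 0


def route(prefix, interface, next_hop=None, metric=0):
    nh = ipaddress.IPv6Address(next_hop) if next_hop else None
    return Route(ipaddress.IPv6Network(prefix), nh, interface, metric)


# Constructed routing table, not the thesis lab
ROUTES = [
    route("2001:db8:1::/64", "eth0"),                         # directly attached
    route("2001:db8:2::/64", "eth1"),                         # directly attached
    route("2001:db8:3::/48", "eth1", "2001:db8:2::2", 10),    # remote network
    route("2001:db8:3:5::/64", "eth1", "2001:db8:2::3", 10),  # more specific: wins over /48
    route("2001:db8:3:5::/64", "eth1", "2001:db8:2::4", 20),  # same length, worse metric
    route("2001:db8:3:5::9/128", "eth1", "2001:db8:2::5"),    # host route: wins over /64
    route("::/0", "eth0", "2001:db8:1::1"),                   # default route: matches last
]
LINK_MTU = {"eth0": 1500, "eth1": 1280}


class Router:
    def __init__(self, routes, link_mtu):
        self.routes = list(routes)
        self.link_mtu = dict(link_mtu)
        self.destination_cache = {}

    def lookup(self, dst):
        """Longest matching prefix wins; equal lengths are decided by the lowest metric."""
        dst = ipaddress.IPv6Address(dst)
        matches = [r for r in self.routes if dst in r.prefix]
        if not matches:
            return None
        return min(matches, key=lambda r: (-r.prefix.prefixlen, r.metric))

    def on_link(self, interface, addr):
        """Is addr covered by a directly attached prefix of this interface?"""
        return any(r.next_hop is None and r.interface == interface and addr in r.prefix
                   for r in self.routes)

    def forward(self, src, dst, hop_limit, size, in_interface):
        """Forwarding steps 3 to 12 of the text; returns (decision, ICMPv6 messages sent)."""
        src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
        hop_limit -= 1
        if hop_limit == 0:
            return "drop", ["Time Exceeded - Hop Limit Exceeded in Transit"]
        r = self.destination_cache.get(dst) or self.lookup(dst)
        if r is None:   # a sending host would assume on-link here; a router reports the failure
            return "drop", ["Destination Unreachable - No Route to Destination"]
        self.destination_cache[dst] = r
        next_hop = r.next_hop or dst          # attached network: deliver to the destination itself
        icmp = []
        if r.interface == in_interface and self.on_link(in_interface, src):
            icmp.append(f"Redirect to {next_hop}")   # the sender could reach the next hop directly
        mtu = self.link_mtu[r.interface]
        if size > mtu:                         # routers never fragment; the source has to
            return "drop", icmp + [f"Packet Too Big (MTU {mtu})"]
        return f"forward to {next_hop} via {r.interface}", icmp
```

The two entries for 2001:db8:3:5::/64 show the tie-break, and the /128 entry shows why the text can say host routes are searched "first": they are simply the longest possible match.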

4.5.2.3 Receiving an IPv6 packet

This is what has to be done when receiving an IPv6 packet.

1. Header error checks are performed (Version = 6, the source address is not a multicast or loopback address).
2. The destination address is checked against the addresses configured on the host. If it is not assigned to a local interface, the packet is silently discarded.
3. The extension headers are processed in order, following the Next Header fields. The Next Header values are verified and an ICMPv6 Parameter Problem - Unrecognized Next Header Type Encountered message is returned if a value is unknown.
4. If the upper-layer PDU is neither a TCP segment nor a UDP message, it is passed to the appropriate protocol.
5. If the upper-layer PDU is a TCP segment or a UDP message, the destination port is checked. If no application is listening on the UDP destination port, an ICMPv6 Destination Unreachable - Port Unreachable message is returned. If no application is listening on the TCP destination port, a TCP Connection Reset segment is returned.
6. If an application exists for the TCP or UDP destination port, the contents of the packet are processed.

4.5.3 IPv6 Routing protocols

Instead of static routing, i.e. routes that are set manually, you can also use dynamically configured routes, which of course have big advantages when there are changes in the topology (which a dynamic router notices automatically).

4.5.3.1 Routing Protocol Technologies

There are several methods of propagating routes on a network.

4.5.3.1.1 Distance Vector With Distance Vector, routing information (network ID and “distance”, i.e. hop count) is propagated via periodic advertisements which are unsynchronized and unacknowledged. Distance Vector is easy to set up but does not scale very well and produces a lot of traffic.

4.5.3.1.2 Link State With Link State, network prefixes and their assigned costs are distributed in Link State Advertisements upon startup and upon changes in the topology; every router then computes the paths itself. Link State scales well with low traffic but can be complex to set up.

4.5.3.1.3 Path Vector Path Vector distributes, for each route, the sequence of autonomous systems the route passes through, which also lets a router detect routing loops. Like Link State it scales well with low network overhead but can be complex to set up.

4.5.3.2 Routing Protocols for IPv6

4.5.3.2.1 RIPng for IPv6 RIPng for IPv6 is a Distance Vector protocol. When a router is configured for RIPng it sends a General Request on all interfaces in order to receive the routes known to neighboring routers. Routes are then announced periodically, either with Split Horizon (routes are not announced on the interface they were learnt from) or with Split Horizon with Poison Reverse (routes are announced as unreachable on the interface they were learnt from), depending on the configuration. See RFC 2080.

4.5.3.2.2 OSPF for IPv6 OSPF for IPv6 (OSPFv3) is a Link State protocol; link costs can reflect delay, bandwidth or monetary cost. See RFC 2740 for more information.

4.5.3.2.3 Integrated Intermediate System-to-Intermediate System (IS-IS) for IPv6 Integrated IS-IS, also known as dual IS-IS, uses Link State as well and is pretty similar to OSPF. See ISO 10589 for more details.

4.5.3.2.4 BGP-4 The Border Gateway Protocol uses Path Vector and is designed to exchange routing information between autonomous systems. It builds a logical tree of paths which describes how the autonomous systems are connected. For more information read RFC 1771, 2545 and 2858.

4.5.3.2.5 Inter-Domain Routing Protocol version 2 The IDRP is also a path vector protocol and is defined in the ISO 10747.

4.6 IPv6 and Name Resolution

With IPv6, name resolution becomes even more important than with IPv4, for it is unreasonable to expect any end user to remember an IPv6 address. The structure of the DNS entries did not really change except for the type of DNS record used (type 28). AAAA records, also called “quad-A” records, are the counterpart of the A records used for IPv4 name resolution. (They are called AAAA because the address is four times as long as that in an A record.) For reverse queries the usual pointer (PTR) record is used; the only thing that changed is the representation of the owner name (one hexadecimal nibble per label, in reverse order, instead of decimal numbers). For reverse lookup the domain “ip6.arpa.” is used (“ip6.int.” is outdated).
IPv6 address: 4321:0:1:2:3:4:567:89ab
reverse lookup domain name: b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.ip6.arpa.
In order to resolve a name, usually the local hosts file is consulted first. This file can contain hostnames to be resolved locally rather than by DNS. If there is no entry in the hosts file for a name, DNS is queried. Please note that IPv6 no longer supports the Network Basic Input Output System (NetBIOS). A DNS query may return several addresses for a hostname. These can be IPv4 and IPv6 addresses, and because a host may have several IPv6 addresses (site-local, global, coexistence, ...) address selection is not an easy task here. See RFC 3484 for details on this subject.
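Writing the 32 reversed nibbles by hand is where reverse zones usually go wrong. As an added example (not from the thesis), the following Python derives the ip6.arpa name of an address, reverses the transformation, and computes the zone apex a site has to serve or delegate for a prefix; it reproduces the 4321:0:1:2:3:4:567:89ab example above and cross-checks against the standard library. The function names and the 2001:db8::/32 prefixes are my own.

```python
import ipaddress


def ip6_arpa_name(address):
    """Reverse-lookup name: every hex digit of the full 32-digit form in reverse order,
    one nibble per label, under ip6.arpa."""
    nibbles = ipaddress.IPv6Address(address).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def address_from_ip6_arpa(name):
    """Inverse: rebuild the address from a 32-label ip6.arpa name (raises on malformed input)."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 34 or labels[-2:] != ["ip6", "arpa"]:
        raise ValueError("not a full ip6.arpa name")
    hexdigits = "".join(reversed(labels[:-2]))
    return ipaddress.IPv6Address(":".join(hexdigits[i:i + 4] for i in range(0, 32, 4)))


def reverse_zone(prefix):
    """Zone apex for a prefix whose length is a multiple of 4, e.g. the ip6.arpa zone a
    site runs for its own /48 (a delegation from the provider's /32 zone)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("reverse zones split on nibble boundaries only")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def matches_stdlib(address):
    """Cross-check against ipaddress.IPv6Address.reverse_pointer (which omits the final dot)."""
    return ip6_arpa_name(address) == ipaddress.IPv6Address(address).reverse_pointer + "."
```

A PTR record for a host is then `ip6_arpa_name(addr)` relative to `reverse_zone(site_prefix)`; a mismatch between forward AAAA and reverse PTR is a common finding when auditing a freshly migrated network.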

4.7 Migration to IPv6 [15]

Changing the protocol of a network is always a big task, but several techniques are supplied in order to make it less troublesome. The easiest, and in fact the only method that can really be used today, is the coexistence of both protocols on a node so that it responds to both. A dual IP layer includes an IPv4 and an IPv6 layer implementation that share one implementation of the host-to-host layer protocols such as TCP and UDP. A dual stack infrastructure likewise has IPv4 and IPv6 network layers, but each with its own host-to-host protocol layer. Both techniques provide IPv4 and IPv6 connectivity to a host. With IPv6-over-IPv4 tunneling, IPv6 packets are encapsulated in an IPv4 header and sent over the IPv4 infrastructure (tunnels can be set up between two routers, between two hosts, or between a router and a host). Another thing needed in a working IPv4/IPv6 infrastructure is a DNS infrastructure resolving hostnames to both IPv4 and IPv6 addresses. Below, I will discuss several transition techniques in more detail.

4.7.1 6over4

Please note that the structure of the 6over4 address is discussed in the “IPv6 Unicast addresses” part of this chapter. 6over4, also known as IPv4 multicast tunneling, is a host-to-host, router-to-router and host-to-router automatic tunneling technique for unicast and multicast connectivity which, because it relies on IPv4 multicasting, is not very widely used. It provides IPv6 connectivity across an IPv4 internet and treats the IPv4 infrastructure as a single link with multicasting capabilities. See RFC 2529 for further reading.

Figure 4.12: 6over4 configuration and logical equivalent [15]

4.7.2 6to4

Please note that the structure of the 6to4 address is discussed in the “IPv6 Unicast addresses” part of this chapter. This technique is an address assignment and router-to-router automatic tunneling technique providing unicast IPv6 connectivity across an IPv4 network. Its details are described in RFC 3056, where the following terms are defined:
• 6to4 host - a host configured with an autoconfigured 6to4 address
• 6to4 router - an IPv4/IPv6 router supporting the use of a 6to4 tunnel interface, used to forward traffic (may need additional configuration)
• 6to4 relay router - forwards 6to4 traffic between 6to4 routers

Figure 4.13: 6to4 infrastructure [15]

Within a site, local routers advertise the 6to4 prefix so that hosts can create autoconfigured addresses and routes. All IPv6 traffic that does not match a 64-bit prefix used by the subnets within the site is forwarded to the 6to4 router on the site border. In the example picture host A can communicate with host B via router 1 using a default route. In order for host A to communicate with host C, router 1 has to encapsulate the traffic in an IPv4 header and send it over the IPv4 internet to router 2. The following kinds of communication are possible:
• 6to4 host with another 6to4 host on the same site - like communication between host A and host B; connectivity is provided by the routing table.
• 6to4 host with another 6to4 host across the internet - like communication between host A and host C; the data is encapsulated by the site border router 1 in an IPv4 packet and sent to the site border router 2, which in turn removes the IPv4 header and delivers the packet to host C.
• 6to4 host with an IPv6 host on the internet - like communication between host A and host D; the local-site router 1 tunnels the data to the 6to4 relay router, which removes the IPv4 portion of the packet and forwards it to the appropriate host.
Note: This technique only requires one IPv4 address to obtain global IPv6 reachability and therefore might be widely used.

4.7.3 ISATAP

Please note that the structure of the ISATAP address is discussed in the “IPv6 Unicast addresses” part of this chapter. The Intra-Site Automatic Tunnel Addressing Protocol is an address assignment and host-to-host, router-to-router and router-to-host automatic tunneling technology used to provide unicast IPv6 connectivity across an IPv4 internet. ISATAP addresses are derived by autoconfiguration mechanisms. When using ISATAP, communication between ISATAP nodes on the same link is possible, but not with other IPv6 addresses on other subnets. To communicate outside the logical subnet, packets must be tunneled by an ISATAP router. An ISATAP router is an IPv6 router performing the following:
• Forwarding packets between ISATAP hosts and hosts on other subnets (IPv4 or IPv6)
• Is a default router for ISATAP hosts
• Advertises address prefixes
An ISATAP host that receives a Router Advertisement from an ISATAP router sets its default route to this router, and every packet destined to locations outside the subnet is tunneled via the ISATAP router. Further reading is found in RFC 4214.

Figure 4.14: ISATAP configuration [15]

4.7.4 Teredo

Please note that the structure of the Teredo address is discussed in the “IPv6 Unicast addresses” part of this chapter.

This technique, also known as IPv4 network address translator traversal for IPv6, provides address assignment and host-to-host automatic tunneling for unicast IPv6 communication across the IPv4 network when hosts are located behind one or multiple NATs. Because translation of protocol 41 (indicating IPv4-encapsulated IPv6 data) is not supported by most routers, Teredo, which encapsulates the IPv6 data in UDP messages, is used.

Figure 4.15: Components of a Teredo infrastructure

• Teredo client - an IPv4/IPv6 node supporting a Teredo tunneling interface which can communicate with other Teredo clients or nodes on the IPv6 internet (through a Teredo relay)
• Teredo server - a Teredo node that is connected to the IPv4 and IPv6 internet. It assists in the initial configuration of a Teredo client to facilitate initial communication
• Teredo relay - can forward packets between Teredo clients on the IPv4 internet and IPv6-only nodes
• Teredo host-specific relay - a Teredo node that is connected to the IPv4 and IPv6 internet and can communicate directly with Teredo clients on the IPv4 internet without the need of an intermediate Teredo relay (either obtained through direct connection to the IPv6 internet or a transition technique like 6to4).
Note: Teredo is designed to be a last-resort transition technique and is not used if there is native IPv6, 6to4 or ISATAP present. More and more NATs are also updated to support protocol 41 nowadays. See RFC 3904 for more information.

4.7.5 PortProxy

To allow for communication between nodes or applications not using the same Internet Layer protocol (IPv4 or IPv6) you can use PortProxy in order to proxy:
• IPv4 to IPv4 - TCP traffic to an IPv4 address is proxied to TCP traffic to another IPv4 address
• IPv4 to IPv6 - in order to make an IPv4 node access a service of an IPv6 node; the PortProxy in between does the same we already know from usual proxying: the IPv4 node establishes a connection to the PortProxy, which in turn establishes a connection to the IPv6-only application
• IPv6 to IPv6 - TCP traffic to an IPv6 address is proxied to TCP traffic to another IPv6 address
• IPv6 to IPv4 - an IPv6 node hereby can access an IPv4-only application
The last type of PortProxy for example allows an IPv6 node to access a service not yet IPv6-enabled, e.g. Telnet on Windows 2003. Although there is an IPv6-enabled Telnet client there is no IPv6-enabled Telnet server available. You could establish an IPv6 to IPv4 PortProxy to port 23 used by Telnet on the computer running the Telnet server. Therefore an IPv6 Telnet request is proxied to the IPv4 Telnet server application.

Note: This only works for applications that do not embed address or port information inside the upper-layer PDU. PortProxy has no capabilities of changing embedded information.

Bibliography

[1] Davies, Joseph: Understanding IPv6. Redmond, Washington: Microsoft Press, 2002
[2] Charles M. Kozierok: The TCP/IP Guide (2005). http://www.tcpipguide.com (2006-01-10)
[3] The TCP/IP Guide: IPv6 Global Unicast Address Format (2005). http://www.tcpipguide.com/free/t_IPv6GlobalUnicastAddressFormat-2.htm (2006-01-10)
[4] IEEE: Guidelines for 64-bit Global Identifier (EUI-64) Registration Authority (2005). http://standards.ieee.org/regauth/oui/tutorials/EUI64.html (2006-01-10)
[5] Microsoft: IPv6 Interface Identifier (2006). http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ip_v6_imp_addr7.mspx (2006-01-11)
[6] The TCP/IP Guide: IPv6 Interface Identifiers and Physical Address Mapping (2005). http://www.tcpipguide.com/free/t_IPv6InterfaceIdentifiersandPhysicalAddressMapping-2.htm (2006-01-11)
[7] The TCP/IP Guide: IPv6 Multicast and Anycast Addressing (2005). http://www.tcpipguide.com/free/t_IPv6MulticastandAnycastAddressing.htm (2006-01-11)
[8] Microsoft: IPv6 Address Autoconfiguration (2004). http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wcetcpip/html/cmconipv6addressautoconfiguration.asp (2006-01-11)
[9] Droms, Bound, Volz, Lemon, Perkins, Carney: RFC 3315 - Dynamic Host Configuration Protocol for IPv6 (DHCPv6) (2003). http://www.faqs.org/rfcs/rfc3315.html (2006-01-14)
[10] Wikipedia: IPv6 (2006). http://en.wikipedia.org/wiki/Ipv6 (2006-01-12)
[11] The TCP/IP Guide: IPv6 Datagram Extension Headers (2005). http://www.tcpipguide.com/free/t_IPv6DatagramExtensionHeaders-2.htm (2006-01-12)
[12] Deering, Fenner, Haberman: RFC 2710 - Multicast Listener Discovery (MLD) for IPv6 (1999). http://www.faqs.org/rfcs/rfc2710.html (2006-01-12)
[13] Narten, Nordmark, Simpson: RFC 2461 - Neighbor Discovery for IP Version 6 (IPv6) (1998). http://www.faqs.org/rfcs/rfc2461.html (2006-01-12)
[14] The TCP/IP Guide: IPv6 ND Redirect Function (2005). http://www.tcpipguide.com/free/t_IPv6NDRedirectFunction.htm (2006-01-13)
[15] Windows Server 2003: IPv6 Transition Technologies (2003). http://www.microsoft.com/windowsserver2003/techinfo/overview/ipv6coexist.mspx (2006-01-13)

Chapter 5

Migration to IPv6

Now it’s time to start doing what the title of this thesis promises: migrating the network to IPv6. This section will cover everything from initial considerations, the deployment of IPv6 and the migration of the services used. I want to give a detailed plan for those interested in what is to be done and describe the problems I experienced and the measures to be taken.

5.1 Making your system IPv6-ready [1]

Before doing anything else I had to install the IPv6 stack on each computer in my network. Because not all services used in a network have an IPv6-enabled version, as you will see in this chapter, it is nowadays usual to configure your PC dual-stack in order to have IPv4 and IPv6 connectivity. While I was configuring the network for the next generation of network protocols I requested an IPv6 address for reaching IPv6-only services in the internet as well. I decided to request a tunnel from SixXS, reachable at www.sixxs.net. SixXS is an IPv6 deployment and tunnel broker distributing IPv6 tunnels first; after your tunnel has been up for a certain time you have earned enough credits to request your own subnet. The uptime acquired is usually about one week. When you request your first tunnel at SixXS you have to fill out a form describing why you think you need an address and what you want to do with it. They want to receive very verbose descriptions of what is done with their addresses, so I wrote down my ideas for the whole project accurately, and within a few days I held my own IPv6 address in my hands. The structure of the network at the Berufsförderungsinstitut Burgenland required the tunnel endpoint not to be placed directly in my lab but on the gateway router for both of my networks. Because this computer belongs to the production network of the company I was not allowed to install any software and had to call the system administrators to set up the tunnel. Later in this chapter I will describe what had to be done. Now back to the initial configuration needed at each PC.

5.1.1 Debian Linux

First I want to talk about the migration of Debian Linux PCs to IPv6. Kernel 2.4.x upwards is what is recommended for use with IPv6. In the portion of the test network I administer I only used 2.4.x and 2.6.x kernels, which reduces the problems loading the module needed. The only computer with a kernel 2.2.x was the one which was configured as the tunnel endpoint. Because 2.2.x kernels are not IPv6-up-to-date the system administrators decided to compile a new 2.6.x kernel [2]. For the installation of the tunnel software aiccu please read the section about the services of IPv6. You can check if the module you need is already loaded by reading /proc/net/if_inet6. You should see something like this for the interfaces of the PC:

00000000000000000000000000000001 01 80 10 80 lo
fe800000000000000250fcfffe60d6d6 02 40 20 80 eth0

Here you have a loopback entry for lo and a link local address for eth0. This is the proof that your ipv6 module is loaded, but you can also check with

lsmod | grep ipv6

which lists the ipv6 module if loaded. Systems where both checks fail have very likely not loaded the module needed. You can do this by

modprobe ipv6

or, for repeated use after startup, just add it to the /etc/modules file (which should not be necessary for 2.4.x and 2.6.x). With these simple steps you can be sure your Linux PC is IPv6 ready. Now, let’s look at the Windows side of computing:
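The /proc/net/if_inet6 check from the Debian part above, scripted as an added example (the editor's own code, not from the thesis): it parses the six columns of that file, turns the raw hex into colon notation, decodes scope and flags, and applies the text's "loopback plus link-local" criterion. The sample lines are the two quoted in the text; scope and flag names follow the kernel's constants and are the editor's assumption.

```python
# Added example (editor's own code, not from the thesis): parse the
# /proc/net/if_inet6 lines quoted above and turn the raw 32-hex-digit
# addresses into the usual colon notation so the check can be scripted.
import os

# Constructed sample, taken from the two lines shown in the text.
SAMPLE_IF_INET6 = """\
00000000000000000000000000000001 01 80 10 80       lo
fe800000000000000250fcfffe60d6d6 02 40 20 80     eth0
"""

# Address scopes as the kernel prints them in the fourth column (assumed
# from the kernel's IPV6_ADDR_* scope values).
SCOPES = {0x00: "global", 0x10: "host", 0x20: "link", 0x40: "site"}
# Address flags (fifth column); names taken from the kernel's IFA_F_* constants.
FLAGS = {0x80: "permanent", 0x40: "tentative", 0x20: "deprecated",
         0x01: "temporary"}


def compress_ipv6(hexdigits: str) -> str:
    """32 hex digits -> compressed text form (longest zero run becomes '::')."""
    if len(hexdigits) != 32:
        raise ValueError("expected 32 hex digits")
    groups = [hexdigits[i:i + 4].lstrip("0") or "0" for i in range(0, 32, 4)]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:          # '::' is only used for two or more zero groups
        return ":".join(groups)
    return ":".join(groups[:best_start]) + "::" + ":".join(groups[best_start + best_len:])


def parse_if_inet6(text: str) -> list:
    """One dict per line: address, ifindex, prefixlen, scope, flags, device."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue                      # skip blank or malformed lines
        addr, ifindex, plen, scope, flags, dev = fields
        flagval = int(flags, 16)
        entries.append({
            "address": compress_ipv6(addr.lower()),
            "ifindex": int(ifindex, 16),
            "prefixlen": int(plen, 16),
            "scope": SCOPES.get(int(scope, 16), "unknown(0x%s)" % scope),
            "flags": [name for bit, name in FLAGS.items() if flagval & bit],
            "device": dev,
        })
    return entries


def ipv6_ready(entries: list) -> bool:
    """The text's criterion: a loopback entry plus at least one link-local
    address on a real interface means the ipv6 module is loaded."""
    has_lo = any(e["address"] == "::1" for e in entries)
    has_link = any(e["scope"] == "link" and e["device"] != "lo" for e in entries)
    return has_lo and has_link


def read_live() -> list:
    """Read the real file on a Linux box; empty list elsewhere."""
    if not os.path.exists("/proc/net/if_inet6"):
        return []
    with open("/proc/net/if_inet6") as f:
        return parse_if_inet6(f.read())


if __name__ == "__main__":
    for e in parse_if_inet6(SAMPLE_IF_INET6):
        print(e)
    print("IPv6 ready:", ipv6_ready(parse_if_inet6(SAMPLE_IF_INET6)))
```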

5.1.2 Windows

When searching the internet for Windows and IPv6 you will find notes that IPv6 is fully supported by all operating systems starting with Windows 2000. As I had one Windows 2000 client, one Windows 2000 server and two Windows XP clients I was glad I could start migrating without any upgrades to make, or so I thought.

5.1.2.1 Windows 2000 Client and Server [3] [4]

For both Windows 2000 Client and Server the installation of the IPv6 stack is the same. Because it is not included in the usual installation you have to load additional files from the internet [5]. After saving the downloaded file “tpipv6-001205.exe” on the file server I unzipped it to my local hard disk, automatically creating a folder called “IPv6Kit”. Now you have to open a console window and start the setup by typing “setup.exe -x”, in turn extracting another bunch of files to a subfolder it prompts you to name. I chose to call it “files” as recommended in the Microsoft description. From the folder “files” now open the text file “Hotfix.inf” and modify it for your system. Depending on what Service Pack you installed you have to change the following line in the subsection called [Version]:

entry for Service Pack 1: NTServicePackVersion=256
entry for Service Pack 2: NTServicePackVersion=512
entry for Service Pack 3: NTServicePackVersion=768
entry for Service Pack 4: NTServicePackVersion=1024

After saving the modifications made, run the “Hotfix.exe” from the “files” folder. Now, I think you have guessed already, you have to restart your computer in order to make the changes take effect. Then the protocol stack is installed on your computer but not yet used. If you also want to use the protocol you have to open the dialog for configuring your network settings (Control Panel - Network and Dial-up Connections). Open the properties of your ethernet-based connection listed within, usually called “Local Area Connection”. Another dialog is opened with a button labelled “Install ...”, opening in turn another window where you can choose what kind of network component you want to install additionally. In this list you will find the entry “Network Protocol” and by clicking that you can finally choose to install the “Microsoft IPv6 Protocol”. Now the IPv6 driver “tcpip6.sys” is installed to %SYSTEMROOT%\system32\drivers, and other files like the Winsock helper “wship.dll” and all additional applications like “ipv6.exe”, “ping6.exe” and so on are installed to %SYSTEMROOT%\system32. You should now have an entry “Microsoft IPv6 Protocol” in the properties of your “Local Area Connection”. By default, each interface has an automatically distributed link-local address. For a quick verification simply use the console-based command

ipv6 if

listing your ipv6 interfaces and their automatically assigned addresses. In the output produced by this command you should see several interfaces labelled “Loopback Pseudo-Interface”, “Tunnel Pseudo-Interface”, “6-over-4 Virtual Interface” and “Local Area Connection”. The first interface is for loopbacks only, the second interface is used for configured tunneling, automatic tunneling and 6to4 tunneling. “6-over-4” [6] is an automatic tunneling technology used to provide IPv6 connectivity between IPv6 sites and hosts across the IPv4 Internet.
6-to-4 traffic is encapsulated by 6-to-4 routers in an IPv4 header and sent to the destination. The last interface in the list is the one that is most interesting because the “Local Area Connection” is the one we are going to configure later on. Please note that the order of the interfaces and the numbering can vary.

5.1.2.2 Windows XP and 2003 Server [7]

Installing IPv6 on Windows XP with Service Pack 1 or Service Pack 2 and on 2003 Server is a bit easier because you can leave out the part where you have to download the hotfix for your operating system. The software needed for IPv6 support is already installed but has to be activated in the properties of your “Local Area Connection” exactly as you did with Windows 2000. Just select “Install” and choose to add a “Network Protocol” (please see the section above). If you are more into command-line configuring you could type the following command instead:

netsh interface ipv6 install

The installation of the IPv6 protocol on a PC using Windows XP without any service pack can only be done by typing the following command at the command line:

ipv6 install

You might remember the command “ipv6” from the section about Windows 2000 above, where I used it to list my interfaces. “ipv6” is used only by Windows 2000 and Windows XP SP1, whereas newer versions include the interactive “netsh” command replacing “ipv6”. Note that after the installation of IPv6 via “ipv6 install” on a Windows XP PC without Service Pack no entry for the IPv6 protocol will be generated in the properties of the “Local Area Connection”. You can only verify the success of the installation by typing “ipv6 if” and checking if it has configured your interfaces. Windows XP’s version of the IPv6 implementation is seen as a developer preview, while XP Service Pack 1 and 2’s version of IPv6 is a production-capable and supported protocol. All versions of XP support file and print sharing and the following programs: ipv6.exe, ping6.exe and tracert6.exe. Note: These programs are not supplied by Windows 2003. Their functionality is supplied by the following substitute programs (which are recommended to be used with Windows XP SP 1 and SP 2 as well):

ipv6 substituted by netsh
ping6 substituted by ping
tracert6 substituted by tracert

An additional feature of Windows XP SP 2 and Windows 2003 Server compared to Windows XP and Windows XP SP 1 is the support for Teredo and a new Windows Firewall.

5.2 Testing primary connectivity [8]

5.2.1 Debian Linux

Testing primary connectivity starts with checking which IP addresses are assigned to which interface. In order to display the IPv6 addresses you could either read the output of ifconfig or, if you want to narrow it down to the IPv6-only parts, simply use the “ip” command:

ip -6 address show

This is the command to display the interfaces available and their addresses that have been assigned automatically. (If you don’t have the ip command installed yet go for “apt-get install iproute”.)

1: lo: mtu 16436
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qlen 1000
    inet6 fec0::1:250:fcff:fe60:d6d6/64 scope site dynamic
       valid_lft 2591986sec preferred_lft 604786sec
    inet6 fe80::250:fcff:fe60:d6d6/64 scope link
       valid_lft forever preferred_lft forever

You can see that your lo interface is configured to IP address ::1, being the IPv6 equivalent to 127.0.0.1. Then the “real” interfaces are listed. In this case it’s only one, eth0, having two IPv6 addresses. The first one, fec0::1:250:fcff:fe60:d6d6, has scope site and the second one, fe80::250:fcff:fe60:d6d6, has scope link. This refers to the different kinds of addresses as described in the last chapter. Each IPv6-enabled interface can have several kinds of addresses; a link local address is assigned automatically and is derived from the MAC address. Therefore it is unique and assures simple connectivity. The link local address shall ease configuration issues of PCs freshly added to the network and serves only communication issues like “anyone else here on this link?” and “is there some special device? (like router, etc.)”. A packet with a link local address as destination will not pass a router. If you don’t have the second kind of address, the site local address, in your initial configuration: Don’t panic! It is comparable to the private address space we know from good old IPv4 times and can be assigned if needed (see my IPv6 radvd configuration below). There is a discussion about deprecating this kind of address. The fact that it will sometimes be useful for testing purposes and that you can assign an additional global address anyway is enough reason to set one. In this example no global address has been assigned. For testing simple connectivity you need nothing more than two PCs with an enabled IPv6 module. The first thing to try is to display configured IPv6 neighbours.

marge: # ip -6 neigh show
fe80::250:4ff:fe68:ce8 dev eth0 lladdr 00:50:04:68:0c:e8 router nud stale

One PC is found using device eth0 with address fe80::250:4ff:fe68:ce8 (bart.sylvia.test), having link layer address 00:50:04:68:0c:e8 and being the router to this subnet.
The ip neighbour command displays the bindings between protocol addresses and link layer addresses stored in a table; the IPv4 neighbour table is also known as the ARP table. “nud” is an abbreviation for Neighbour Unreachability Detection and tells you the state of the neighbour entry. “stale” stands for “valid but suspicious” (read the ip man page for details). Other commands that might be useful in this context are

ip neighbour [delete | add | flush]

to delete or add an entry or to flush all entries. If you had output from the command discussed above, you can be sure you have some connectivity to at least one other host on this network. If this didn’t work, either the corresponding PC on the network has not been configured correctly or you are in some trouble on your local machine. A good thing to try is to ping home with

ping6 ::1

to see if the protocol works on the interface. Please note that there is an extra command “ping6” for pinging IPv6-enabled interfaces on Linux. Now we can move on to pinging another host’s link local address.

marge: # ping6 fe80::250:4ff:fe68:ce8 -I eth0
PING fe80::250:4ff:fe68:ce8(fe80::250:4ff:fe68:ce8) from fe80::200:21ff:fe00:5b8e eth0: 56 data bytes
64 bytes from fe80::250:4ff:fe68:ce8: icmp_seq=1 ttl=64 time=0.250 ms
...
64 bytes from fe80::250:4ff:fe68:ce8: icmp_seq=8 ttl=64 time=0.173 ms
-- fe80::250:4ff:fe68:ce8 ping statistics --
8 packets transmitted, 8 received, 0% packet loss
rtt min/avg/max/mdev = 0.166/0.180/0.250/0.028 ms

This pings the specified link local address. The option “-I” is needed for pinging IPv6 link local addresses and specifies the source interface to use. Note: Forgetting this additional option will prompt the error “connect: Invalid argument”. If you are using the “ping” command rather than “ping6” you will get the error message “ping: unknown host fe80::250:4ff:fe68:ce8”.
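The neighbour table just discussed, read by a script as an added example (the editor's own code, not from the thesis): it parses “ip -6 neigh show” lines and, since the text says link-local addresses are derived from the MAC, checks whether each link-local neighbour really is the modified EUI-64 form of the link-layer address shown beside it. The first two sample pairs are the ones quoted on this page (bart, and the Windows client's 00-00-21-00-5b-bc); the remaining lines are constructed, and all function names are the editor's.

```python
# Added example (editor's own code, not from the thesis): parse "ip -6 neigh
# show" lines and check whether a link-local neighbour address really is the
# EUI-64 form of the link-layer address shown beside it.
import ipaddress
import re

# Constructed sample: the first two pairs are the ones quoted in the text
# (bart and the Windows client); the fourth line is a made-up entry whose
# link-local address was set by hand and is not derived from its MAC; the
# last line shows an entry without any link-layer address yet.
SAMPLE_NEIGH = """\
fe80::250:4ff:fe68:ce8 dev eth0 lladdr 00:50:04:68:0c:e8 router nud stale
fe80::200:21ff:fe00:5bbc dev eth0 lladdr 00:00:21:00:5b:bc nud reachable
2001:16d8:ff47:1203:2::1 dev eth0 lladdr 00:50:04:68:0c:e8 router nud stale
fe80::dead:beef:1 dev eth0 lladdr 00:00:21:00:5b:bc nud stale
fe80::1 dev eth0 nud failed
"""


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 address with the modified EUI-64 interface identifier:
    flip the universal/local bit of the first octet and insert ff:fe."""
    octets = bytes(int(x, 16) for x in re.split(r"[:-]", mac.strip()))
    if len(octets) != 6:
        raise ValueError("MAC must have six octets: %r" % mac)
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)


def parse_neighbours(text: str) -> list:
    """One dict per line with address, dev, lladdr, router flag, nud state
    and, for link-local entries with a MAC, whether the address matches
    (None when the check does not apply)."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        e = {"address": tok[0], "dev": None, "lladdr": None,
             "router": False, "nud": None, "eui64_match": None}
        i = 1
        while i < len(tok):
            if tok[i] in ("dev", "lladdr", "nud") and i + 1 < len(tok):
                e[tok[i]] = tok[i + 1]          # keyword followed by its value
                i += 2
            else:
                e["router"] = e["router"] or tok[i] == "router"
                i += 1
        addr = ipaddress.IPv6Address(e["address"])
        if addr.is_link_local and e["lladdr"]:
            e["eui64_match"] = addr == link_local_from_mac(e["lladdr"])
        entries.append(e)
    return entries


def routers(entries: list) -> list:
    """Addresses that carry the router flag (the default-router candidates)."""
    return [e["address"] for e in entries if e["router"]]


if __name__ == "__main__":
    for e in parse_neighbours(SAMPLE_NEIGH):
        print(e)
```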
Note: If you ever wondered which options are responsible for the autoconfiguration issues with IPv6:

cat /proc/sys/net/ipv6/conf/eth0/accept_ra

Set to “1” this option allows the PC to accept Router Advertisements.

cat /proc/sys/net/ipv6/conf/eth0/autoconf

Set to “1” this option tells the PC to compute the link local address.

5.2.2 Windows [9]

As mentioned above you have, depending on the Windows version you use, several possibilities for displaying your IPv6 addresses. Similar to the Linux part, here you can also display them with the old-fashioned command for it:

ipconfig /all

The specialized command for this on Windows XP SP2 or higher [10] is shown in Figure 5.1:

Figure 5.1: netsh interface ipv6 show address

on Windows XP SP1 or lower:

C:\> ipv6 if
Interface 4 (site 1): LAN-Verbindung
  uses Neighbor Discovery
  link-level address: 00-00-21-00-5b-bc
    preferred address fec0::1:200:21ff:fe00:5bbc, 2591997s/604797s (addrconf)
    preferred address fe80::200:21ff:fe00:5bbc, infinite/infinite
    multicast address ff02::1, 1 refs, not reportable
    multicast address ff02::1:ff00:5bbc, 2 refs, last reporter
  link MTU 1500 (true link MTU 1500)
  current hop limit 64
  reachable time 29000ms (base 30000ms)
  retransmission interval 1000ms
  DAD transmits 1
Interface 3 (site 1): 6-over-4 Virtual Interface
...

You can see above that each interface on your PC, also the virtual ones, has an interface number or “Scope ID”. These numbers (for our example the scope ID for the LAN-Verbindung would be “4” in both cases) are important for pinging link local IP addresses. As we have seen with Linux, you need to define which source interface to use for pinging, and on Windows computers you do this by using the scope. To be consistent with the Linux part above, let’s first check for neighbour entries. This can either be done with ipv6 or, for newer versions, with netsh:

netsh interface ipv6 show neighbours
ipv6 nc

The netsh output looks like this (please see the picture below):

Figure 5.2: netsh interface ipv6 show neighbors

Pinging another PC on Windows can always be done with the command “ping6”, although it is sufficient to use “ping” with Windows XP SP 2 and higher. In both cases the command looks like this:

ping6 fe80::250:4ff:fe68:ce8%4

The appended “%4” defines the scope and therefore the interface to use. If you accidentally forget to add the scope you will get the error “Destination not reachable”. The message indicating the wrong command for pinging (if you use ping instead of ping6 on Windows XP SP1 and older) is “Unknown host fe80::250:4ff:fe68:ce8%4.”

Firewall: Due to an IPv6 firewall you can experience connectivity troubles in the beginning. For the sake of simplicity I disabled it in my lab. I found two commands on the internet to do so for Windows XP SP2 and higher/2003 (I only used the first command):

netsh interface ipv6 set interface interface=LAN-Verbindung firewall=disabled
netsh firewall set adapter LAN-Verbindung filter=disabled

Privacy: When IPv6 was introduced people complained about the oversimplification of monitoring hosts. Because IPv6 global addresses don’t change, you could place a sniffer strategically and easily find out things like how long an employee was active that day, or simply collect data for marketing reasons. To prevent that, RFC 3041 defines privacy extensions: temporary global addresses generated randomly using the MAC address. These addresses are valid a few hours to a few days and shall protect your privacy and enhance security. Although this sounds pretty interesting I recommend disabling privacy addresses on Windows PCs to ease the first steps with IPv6. [11] [12]

netsh interface ipv6 set privacy disabled persistent

Windows2k: I have experienced an interesting behaviour when pinging a link local address on a Windows 2000 computer. The ping command didn’t work until I used it this way:

ping6 -s %

Now that we are done with the connectivity tests, we can move on to assigning globally reachable addresses.

5.3 Getting reachable globally via IPv6

For being reachable globally we need some global IPv6 addresses, as you might have guessed. There are several ISPs selling IPv6 addresses and address ranges, but they are not affordable for a poor student. So I decided to look for IPv6 addresses for free and found the IPv6 tunnel broker www.sixxs.net. SixXS (Six Access) is not a company but rather a privately conducted development of software by only three people running SixXS. Their main issue is to maintain the POPs provided by several ISPs. As an end user you can request a tunnel at SixXS, allowing you to test IPv6 in a professional manner now. With an existing RIPE, APNIC, ARIN, LACNIC or AFRINIC handle you can sign up to SixXS and request a tunnel to one of the POPs. Usually the POP is chosen for you for connectivity reasons. If you don’t have a handle yet you can get one at e.g. RIPE [13]. For requesting a tunnel you need to provide the IPv4 address of your tunnel endpoint and a reason why you think you should join the IPv6 community. If you don’t have a static IPv4 address you can also try out IPv6 with the help of the SixXS heartbeat client. It sends packets to the POP to activate the tunnel with the given dynamic IPv4 address. If there is no heartbeat for 300 seconds the tunnel is disabled and auto-enabled when brought up again. Any configuration concerning the address that has changed is hereby done automatically [14].

5.3.1 Installing AICCU

In the network of the Berufsförderungsinstitut Burgenland AICCU was installed on the gateway router in order to avoid NAT-related troubles. This gateway router is running Debian Linux and is not maintained by me, so the network administrators had to download and install the software needed. On the homepage of SixXS you can download a tool called AICCU, short for Automatic IPv6 Connectivity Client Utility, and install it. There is a deb package as well as an apt-get source available [15]. After installing the software you simply need to modify the configuration file /etc/aiccu.conf and you are done. Notice that you need to enable the requested tunnel after approval on the web interface (this can even take a few hours). On this web interface you also have graphs showing you the latency and packet loss for your tunnel endpoint. First take a look at the configuration details:

# username is your NIC handle
username KS36-6BONE
password foo
ipv4_interface eth1
ipv6_interface sixxs
tunnel_id T1234
verbose true
daemonize true
automatic true

The entry ipv4_interface refers to the interface used on your PC; the ipv6_interface is an interface automatically generated when starting AICCU. The tunnel_id is set according to your approval email and can be derived from the SixXS homepage. Now you can start the tunnel by typing

/etc/init.d/aiccu start

which prompts you with connection details on success. You can also watch the new output of “ifconfig” showing you the new interface sixxs with its details. When using AICCU you don’t have to worry about setting IPv6 addresses or routes; everything needed is done by this piece of software. And now, for the moment we all have been waiting for, pinging IPv6 into the internet by pinging the POP’s endpoint of the tunnel:

ping6 2001:16d8:ff00:7b::1

and if this worked you can ping any IPv6-enabled address on the whole internet. An all-time classic is kame’s homepage at www.kame.net.
You can also run AICCU on other operating systems like Windows, Mac OS, etc. There is even a GUI for configuring Windows-based AICCU installations. Find out more about the different ways of using and configuring AICCU on their homepage [15] [16]. In a paragraph above I mentioned that we tried to avoid NAT-related troubles. There is an approach to overcome this in the Italian network with a software called AYIYA [17]. I want to make a few comments on the rules for tunnels at SixXS. SixXS has established a credit system starting with only enough credits (25) to request a tunnel. When this tunnel is up for one week you have earned enough credits to request another tunnel or a whole /48 subnet. For each tunnel being up one week you earn 5 credit points. But be careful with your tunnels! If your tunnel is down for one day it costs you 5 credits, and if it’s even down for a whole week it will cost you 50 credits and the tunnel will be automatically disabled (you can enable it on the web interface again). SixXS will send you an automated email when one of your tunnels is down.

5.3.2 Allocating the addresses

After my tunnel was running I requested a subnet for having global addresses in my lab as well. A day or two later the approval came and 2001:16d8:ff47::/48 was mine. First some decisions concerning the address allocation had to be made. Although I really had enough addresses I didn’t want to make the same mistake made with IPv4 and be too generous in distributing addresses. (The reason why it really makes sense thinking of this is that the Berufsförderungsinstitut Burgenland wants to use these addresses even when I am no longer working on my thesis. So we decided to adopt an expandable code for the building I was in first.) The number chosen for the building I am working in was 1203, subnetting my address space to 2001:16d8:ff47:1203::/64 and still leaving 64 bits for the addressing of the computers in one building. As you will remember, my network consists of three networks: the main office, the branch office and the network in between. The main office is addressed 2001:16d8:ff47:1203:2::/80 (formerly 192.168.200.0/24), the branch office 2001:16d8:ff47:1203:3::/80 (formerly 192.168.201.0/24) and the network in between 2001:16d8:ff47:1203:1::/80 (formerly 192.168.150.0/24). The host part of the addresses has been recomputed to hex numbers. For example bart’s 192.168.200.1 became 2001:16d8:ff47:1203:2::1, apu’s 192.168.200.33 became 2001:16d8:ff47:1203:2::21, and so on. (Please see the new network plan for details.)
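The renumbering rule above (keep the IPv4 host number, write it in hex as the host part of the matching /80), carried out mechanically as an added example that is the editor's own code, not part of the thesis. The prefixes are the ones named in the text; the inverse mapping and the consistency check of the plan against the /64 and the assigned /48 are the editor's additions.

```python
# Added example (editor's own code, not from the thesis): the renumbering
# rule described above, carried out mechanically. The prefixes are the
# ones named in the text; the helper names are the editor's.
import ipaddress

BUILDING = ipaddress.IPv6Network("2001:16d8:ff47:1203::/64")   # building 1203
ASSIGNED = ipaddress.IPv6Network("2001:16d8:ff47::/48")       # the SixXS subnet

# old IPv4 network -> new IPv6 /80, as laid out in the text
PLAN = {
    ipaddress.IPv4Network("192.168.150.0/24"): ipaddress.IPv6Network("2001:16d8:ff47:1203:1::/80"),
    ipaddress.IPv4Network("192.168.200.0/24"): ipaddress.IPv6Network("2001:16d8:ff47:1203:2::/80"),
    ipaddress.IPv4Network("192.168.201.0/24"): ipaddress.IPv6Network("2001:16d8:ff47:1203:3::/80"),
}


def migrate_address(ipv4: str) -> str:
    """Keep the IPv4 host number and write it as the (hex) host part of the
    matching /80: 192.168.200.33 -> 2001:16d8:ff47:1203:2::21."""
    v4 = ipaddress.IPv4Address(ipv4)
    for net4, net6 in PLAN.items():
        if v4 in net4:
            host = int(v4) - int(net4.network_address)   # e.g. 33
            return str(net6.network_address + host)      # ...:2::21
    raise ValueError("%s is not in any migrated network" % ipv4)


def reverse_migrate(ipv6: str) -> str:
    """Inverse mapping, useful when reading logs that still show IPv4."""
    v6 = ipaddress.IPv6Address(ipv6)
    for net4, net6 in PLAN.items():
        if v6 in net6:
            host = int(v6) - int(net6.network_address)
            if host > 255:
                raise ValueError("%s has no IPv4 counterpart" % ipv6)
            return str(net4.network_address + host)
    raise ValueError("%s is not in any migrated network" % ipv6)


def plan_is_consistent() -> bool:
    """Every /80 lies inside the building /64, which lies inside the
    assigned /48, and no two /80s overlap."""
    nets = list(PLAN.values())
    if not BUILDING.subnet_of(ASSIGNED):
        return False
    if not all(n.subnet_of(BUILDING) for n in nets):
        return False
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    for old in ("192.168.200.1", "192.168.200.33", "192.168.201.17"):
        print(old, "->", migrate_address(old))
    print("plan consistent:", plan_is_consistent())
```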

5.3.3 Configuring the global addresses

5.3.3.1 Debian Linux

There are two ways to configure an IPv6 address manually. You could either do it with the “ip” command, which I chose to use, or with “ifconfig”.

    ip -6 address add <address>/<prefixlen> dev <interface>
    ip -6 address add 2001:16d8:ff47:1203:2::5 dev eth0

If no prefix length is given, /128 is assumed. For deleting the address simply exchange the word “add” with “del”:

    ip -6 address del <address>/<prefixlen> dev <interface>
    ip -6 address del 2001:16d8:ff47:1203:2::5 dev eth0

You get the same result with ifconfig:

    ifconfig eth0 add 2001:16d8:ff47:1203:2::5
    ifconfig eth0 del 2001:16d8:ff47:1203:2::5

If you do not specify a prefix length after the IP address, /0 is defaulted. The configured addresses can be seen in both cases with “ip -6 address show” or “ifconfig”. These addresses are stored persistently. If you are more into configuring /etc/network/interfaces you can also add an entry for each IPv6-enabled interface looking like this:

    auto eth0
    iface eth0 inet6 static
        # for being perfectly safe you can add the following line once
        ## pre-up modprobe ipv6
        address 2001:16d8:ff47:1203:2::5
        netmask 128

5.3.3.2 Microsoft Windows

Windows 2000: All configuration done with ipv6 is non-persistent, which means that it is not stored and all configuration is lost after reboot. (There is a documented solution using option “-p” to store configuration added by “ipv6” in the registry, but it didn’t work for me. [4]) This is one huge reason for me to say that Windows 2000 is not suitable for convenient use with IPv6. I handled this problem by writing a small script adding the needed configuration after startup. If, after startup, IPv6 is turned off, enable it by typing “net start tcpip6”. With the ipv6.exe in the older versions of Windows you can set an IP address simply with the line

    ipv6 adu <ifindex>/<address>
    ipv6 adu 5/2001:16d8:ff47:1203:2::21

For deleting the address again simply set its lifetime to 0 with:

    ipv6 adu <ifindex>/<address> life <seconds>
    ipv6 adu 5/2001:16d8:ff47:1203:2::21 life 0

Doing the same using netsh looks like the following:

    netsh interface ipv6 add address interface=<InterfaceString> address=<address>
    netsh interface ipv6 add address <InterfaceString> <address>
    netsh interface ipv6 add address LAN-Verbindung 2001:16d8:ff47:1203:2::22

The InterfaceString is the label you see when typing “netsh interface ipv6 show address”. For deleting:

    netsh interface ipv6 delete address interface=<InterfaceString> address=<address>
    netsh interface ipv6 delete address <InterfaceString> <address>
    netsh interface ipv6 delete address LAN-Verbindung 2001:16d8:ff47:1203:2::22

5.3.4 Setting routes manually

Although we will be using radvd for distributing routes automatically it is always important to know how to set them manually as well. Let’s start with Linux again.

5.3.4.1 Debian Linux

Some routes will be set automatically on your system, some you will have to configure. Anything that is done with routes can be done with two different commands, similar to the configuration of the address we discussed before. This time we have “ip”, my all-time favorite, and “route”, or “netstat” for displaying them.

    ip -6 route show
    netstat -nr -A inet6

To set and to delete a route you have these possibilities:

    ip -6 route add <prefix> via <gateway> dev <interface>
    ip -6 route add default via 2001:16d8:ff47:1203:2::1 dev eth0
    ip -6 route add 2000::/3 via 2001:16d8:ff47:1203:2::1 dev eth0

    ip -6 route del <prefix> via <gateway> dev <interface>
    ip -6 route del default via 2001:16d8:ff47:1203:2::1 dev eth0
    ip -6 route del 2000::/3 via 2001:16d8:ff47:1203:2::1 dev eth0

    route -A inet6 add <prefix>/<len> gw <gateway> dev <interface>
    route -A inet6 add 2000::/3 gw 2001:16d8:ff47:1203:2::1 dev eth0
    route -A inet6 add ::/0 gw 2001:16d8:ff47:1203:2::1 dev eth0

    route -A inet6 del <prefix>/<len> gw <gateway> dev <interface>
    route -A inet6 del 2000::/3 gw 2001:16d8:ff47:1203:2::1 dev eth0
    route -A inet6 del ::/0 gw 2001:16d8:ff47:1203:2::1 dev eth0

Above you see examples for both the ip and the route command for adding and deleting entries. In the ip section I used 2000::/3, which is a special prefix representing default and which is said to circumvent troubles often related to older Linux systems when using the term “default”. In the “route” part another representation of “default” is used: “::/0”. Note: Linux kernels 2.4.17 and older don’t support default routes. Instead you need to use “2000::/3”. (The IPv6 unicast space encompasses the entire address range except for ff00::/8 - we will come across these addresses again - but the unicast address assignment space is currently limited to 2000::/3, so this is much like “default” on IPv4.) [18]

5.3.4.2 Microsoft Windows

As you surely will remember we have the distinction between older and newer than Windows XP SP1. For the older generation: To display the routing table use:

    ipv6 rt
    netsh interface ipv6 show routes

To add a new default route use:

    ipv6 rtu <prefix> <ifindex>/<nexthop>
    ipv6 rtu ::/0 4/2001:16d8:ff47:1203:1::5

For deleting it again set the lifetime to “0”:

    ipv6 rtu <prefix> <ifindex>/<nexthop> life <seconds>
    ipv6 rtu ::/0 4/2001:16d8:ff47:1203:1::5 life 0

The netsh way of handling this is with the commands

    netsh interface ipv6 add route <prefix> <InterfaceString> <nexthop>
    netsh interface ipv6 add route ::/0 Lan-Verbindung 2001:16d8:ff47:1203:2::1
    netsh interface ipv6 delete route <prefix> <InterfaceString> <nexthop>
    netsh interface ipv6 del route ::/0 Lan-Verbindung 2001:16d8:ff47:1203:2::1

Note: I will not go into detail on how to configure each host because we will take advantage of the autoconfiguration of routes provided by radvd.

5.3.5 Testing connectivity with traceroute

Traceroute is a very useful utility for checking which way a packet takes over the internet in order to reach its destination. The output is a list of all hops passed until reaching the target. This is done by setting the TTL (time to live) of the packets sent. The first packet has a time to live of one (the second packet of two, and so on) and is sent to a host, which decrements the TTL by one and usually forwards it to the next hop. When the TTL has reached zero the packet is discarded and an “ICMP Time exceeded” error is sent back to the sender. From the source addresses of these returned ICMP errors you can make the list needed: a table with all hosts passed by a packet. For the use of traceroute with Linux you need the package iputils installed. You can either download the sources via anonymous ftp [19] or “apt-get install iputils-tracepath”.

    traceroute6 www.kame.net

For tracerouting an address with Windows you can use either

    tracert www.kame.net
    tracert6 www.kame.net

When using tracert and the host you are tracing is reachable via both IP versions, IPv6 is chosen over IPv4. Hosts you can try to ping/traceroute:

    www.kame.net (IPv4/IPv6)
    www.ipv6.uni-muenster.de (IPv6)
    www.join.uni-muenster.de (IPv4/IPv6)

5.4 More routing issues

In the last chapter I wrote about the basic configuration of addresses and routes on IPv6-enabled hosts; now I want to talk in more detail about what had to be done in my network. So let’s get our hands on the configuration. In order to have IPv6-reachable hosts on all subnets we need to configure the three routers. The router in the network called “GesAK” is the one with the configured SixXS tunnel endpoint and therefore supplies IPv6 connectivity. All IPv6 traffic must be routed through this host to reach the tunnel. Keep that in mind when configuring the default routes on the gateway routers of our network, i.e. bart and snowball. But let’s do it step by step.

Figure 5.3: Network Overview with IPv4 and IPv6 addressing

Assuring IPv6 connectivity to 2001:16d8:ff47:1203:1::5 (192.168.150.5)

On this host AICCU has been installed (please see the chapter above) and therefore you might not need to change any routing entries. Be sure that there is a default route set for the IPv6 traffic via the tunnel endpoint (2001:16d8:ff00:7b::1) using the “sixxs” device. If you experience troubles connecting to the IPv6 net and your kernel version is not absolutely up to date (<= 2.4.17) you can add another entry targeting “2000::/3” and hope it helps. (You will see that I often preferred 2000::/3 over the term default. In most cases it is only a relic from a time when there was an older kernel on the PCs. Anyway, as long as both ways work it doesn’t matter which to use.) The routes you should have by now are:

    2001:16d8:ff00:7b::/64 via :: dev sixxs metric 256 mtu 1200 advmss 1220
    2001:16d8:ff47:1203:1::/80 dev eth1 metric 256 mtu 1500 advmss 1440
    fe80::/64 dev eth0 metric 256 mtu 1500 advmss 1220
    fe80::/64 dev eth1 metric 256 mtu 1500 advmss 1220
    fe80::/64 via :: dev sixxs metric 256 mtu 1280 advmss 1220
    default via 2001:16d8:ff00:7b::1 dev sixxs metric 1024 mtu 1280 advmss 1220
    2000::/3 via 2001:16d8:ff00:7b::1 dev sixxs metric 1024 mtu 1280 advmss 1220
    ff00::/8 dev eth0 metric 256 mtu 1500 advmss 1220
    ff00::/8 dev eth1 metric 256 mtu 1500 advmss 1220
    ff00::/8 dev sixxs metric 256 mtu 1280 advmss 1220

All these routes have been generated automatically except for the entry targeting 2000::/3. It can be added with the following command and is, as already discussed, another way of writing a default route:

    ip -6 route add 2000::/3 via 2001:16d8:ff00:7b::1 dev sixxs

The first route in the routing table is generated by AICCU and makes the tunnel network reachable via the virtual interface “sixxs”. The second route does the same for the network 2001:16d8:ff47:1203:1::/80 via eth1. Routes three to five destined at fe80::/64 are for link-level communication. In order to allow e.g. link-local based ICMP pings or neighbour discovery there need to be routes set on each interface. As you might have guessed this will impose problems when sending a packet to a link-local address: the routing table cannot distinguish which route to use. Therefore you always have to specify which interface to use when operating on link-local level (please see chapter “Testing primary connectivity”). I talked about routing entries number six and seven before, for they are both default routes to the IPv6 network. The one using the term “default” is added automatically by AICCU. The last three routes are multicast routes. Don’t forget to ping6 some IPv6 nodes.

Getting bart IPv6-reachable

The first step for bart is to set his default route to our IPv6 gateway. This is done with

    ip -6 route add 2000::/3 via 2001:16d8:ff47:1203:1::5 dev eth1

Then your routing table should look something like this:

    2001:16d8:ff47:1203:1::/80 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 64
    2001:16d8:ff47:1203:2::/80 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 64
    2000::/3 via 2001:16d8:ff47:1203:1::5 dev eth1 metric 1024 mtu 1500 advmss 1440 hoplimit 64
    fe80::/64 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 64
    fe80::/64 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 64
    ff00::/8 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 1
    ff00::/8 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 1
    unreachable default dev lo proto none metric -1 error -101 hoplimit 255

Again, the first two routes refer to the networks directly connected, the third one was just added by me, the fe80::/64 routes are for link-local and the ff00::/8 routes for multicast connectivity. This configuration of the routing table is sufficient to reach the IPv6 gateway but will not, believe me or just try it, result in successful pinging. Of course we have to enable IP forwarding on the IPv6 gateway first. Check whether it is enabled with “cat” and set it with “echo”.

    (on host: 2001:16d8:ff47:1203:1::5 - GesAK)
    cat /proc/sys/net/ipv6/conf/all/forwarding
    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

Now you can ping6 a host residing on the internet from router bart.

Doing the same for snowball

The only thing you have to manually add, as seen above, is the default route targeted at 2001:16d8:ff47:1203:1::5.

    2001:16d8:ff47:1203:1::/80 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 64
    2001:16d8:ff47:1203:3::/80 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 64
    2000::/3 via 2001:16d8:ff47:1203:1::5 dev eth1 metric 1024 mtu 1500 advmss 1440 hoplimit 64
    fe80::/64 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 64
    fe80::/64 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 64
    ff00::/8 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 1
    ff00::/8 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 1
    unreachable default dev lo proto none metric -1 error -101 hoplimit 255

Configurations to make the main office obtain IPv6 reachability

Bart’s configuration is nearly done except for the IP forwarding. Bart is a gateway router to the main office network and therefore has to forward packets destined at IPv6 global addresses.

    (host: 2001:16d8:ff47:1203:1::6 - bart)
    cat /proc/sys/net/ipv6/conf/all/forwarding
    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

Echoing “1” enables IP forwarding, “0” disables it. But still any ping from a host behind bart won’t be successful. The problem still left: although the packets are sent to the correct destination, the packets that come in reply are not forwarded by the router 2001:16d8:ff47:1203:1::5, for it lacks the matching route. After adding the return route for the network 2001:16d8:ff47:1203:2::/80 on server 2001:16d8:ff47:1203:1::5 the ping works for all clients on the main office subnet.

    (host: 2001:16d8:ff47:1203:1::5 - GesAK)
    ip -6 route add 2001:16d8:ff47:1203:2::/80 via 2001:16d8:ff47:1203:1::6 dev eth0

Note: Don’t forget to set the client’s default route to the router of the subnet (i.e. bart) before testing connectivity.

And now for the branch office

Similar to the part above we simply have to enable IP forwarding and set an appropriate route back to the network 2001:16d8:ff47:1203:3::/80 on host 2001:16d8:ff47:1203:1::5, the gateway router for the network GesAK.

    (host: 2001:16d8:ff47:1203:1::7 - snowball)
    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

    (host: 2001:16d8:ff47:1203:1::5 - GesAK)
    ip -6 route add 2001:16d8:ff47:1203:3::/80 via 2001:16d8:ff47:1203:1::7 dev eth0

Now that I have configured the routers there is still one thing left: the routes of the clients. Every client needs a default route to the gateway router of its subnet in order to reach the IPv6 network. This could be done manually, which can really take some time in big networks, or by using automated solutions like radvd.
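The two failure modes of this section, a router with forwarding disabled and the tunnel router lacking the return route, can be reproduced offline with the route tables listed above. The following Python model is an added example and not part of the thesis: it represents GesAK, bart, snowball and two clients (apu, snowball2) with the routes given in sections 5.3.4 and 5.4, does longest-prefix matching the way the kernel does, and follows a packet hop by hop. Assumptions of mine: the internet destination 2001:db8::1 is a constructed stand-in, snowball’s 2000::/3 route is put on eth0 (the interface facing 2001:16d8:ff47:1203:1::/80), and GesAK’s own tunnel-side address is not needed by the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv6 = ipaddress.IPv6Address
Net = ipaddress.IPv6Network


@dataclass
class Route:
    prefix: Net
    dev: str
    via: Optional[IPv6] = None        # None: prefix is directly connected


class Node:
    def __init__(self, name, addrs, forwarding=True):
        self.name, self.addrs, self.forwarding, self.routes = name, addrs, forwarding, []

    def route(self, prefix, dev, via=None):
        self.routes.append(Route(Net(prefix), dev, IPv6(via) if via else None))


def lookup(node, dst):
    """Longest prefix match over the node's table; None when nothing matches."""
    hits = [r for r in node.routes if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


def trace(lab, entry, dst, originated=True):
    """Follow a packet for dst from node 'entry'; returns (hops, status).

    originated=False means the packet arrived from outside (the tunnel), so
    even the entry node must be willing to forward it.
    """
    by_addr = {a: n for n in lab.values() for a in n.addrs.values()}
    dst, cur, hops, seen = IPv6(dst), lab[entry], [entry], set()
    while True:
        if dst in cur.addrs.values():
            return hops, "delivered"
        if (cur.name != entry or not originated) and not cur.forwarding:
            return hops, f"dropped: forwarding disabled on {cur.name}"
        r = lookup(cur, dst)
        if r is None:
            return hops, f"dropped: no route on {cur.name}"
        if r.dev == "sixxs":
            return hops, "left the lab through the tunnel"
        nxt = by_addr.get(r.via or dst)
        if nxt is None:
            return hops, f"dropped: next hop {r.via or dst} not on {r.dev}"
        seen.add(cur.name)
        if nxt.name in seen:
            return hops + [nxt.name], "routing loop"
        hops.append(nxt.name)
        cur = nxt


def build_lab(return_routes=True, bart_forwarding=True):
    """Figure 5.3 as route tables; the two flags reproduce the mistakes described in the text."""
    gesak = Node("GesAK", {"eth1": IPv6("2001:16d8:ff47:1203:1::5")})
    gesak.route("2001:16d8:ff00:7b::/64", "sixxs")
    gesak.route("2001:16d8:ff47:1203:1::/80", "eth1")
    gesak.route("::/0", "sixxs", "2001:16d8:ff00:7b::1")
    gesak.route("2000::/3", "sixxs", "2001:16d8:ff00:7b::1")
    if return_routes:                     # the two routes added in section 5.4
        gesak.route("2001:16d8:ff47:1203:2::/80", "eth1", "2001:16d8:ff47:1203:1::6")
        gesak.route("2001:16d8:ff47:1203:3::/80", "eth1", "2001:16d8:ff47:1203:1::7")
    bart = Node("bart", {"eth1": IPv6("2001:16d8:ff47:1203:1::6"),
                         "eth0": IPv6("2001:16d8:ff47:1203:2::1")}, bart_forwarding)
    bart.route("2001:16d8:ff47:1203:1::/80", "eth1")
    bart.route("2001:16d8:ff47:1203:2::/80", "eth0")
    bart.route("2000::/3", "eth1", "2001:16d8:ff47:1203:1::5")
    snowball = Node("snowball", {"eth0": IPv6("2001:16d8:ff47:1203:1::7"),
                                 "eth1": IPv6("2001:16d8:ff47:1203:3::1")})
    snowball.route("2001:16d8:ff47:1203:1::/80", "eth0")
    snowball.route("2001:16d8:ff47:1203:3::/80", "eth1")
    snowball.route("2000::/3", "eth0", "2001:16d8:ff47:1203:1::5")
    apu = Node("apu", {"eth0": IPv6("2001:16d8:ff47:1203:2::21")}, forwarding=False)
    apu.route("2001:16d8:ff47:1203:2::/80", "eth0")
    apu.route("::/0", "eth0", "2001:16d8:ff47:1203:2::1")       # client default: bart
    snowball2 = Node("snowball2", {"eth0": IPv6("2001:16d8:ff47:1203:3::11")}, forwarding=False)
    snowball2.route("2001:16d8:ff47:1203:3::/80", "eth0")
    snowball2.route("::/0", "eth0", "2001:16d8:ff47:1203:3::1")  # client default: snowball
    return {n.name: n for n in (gesak, bart, snowball, apu, snowball2)}


if __name__ == "__main__":
    for flags in ({}, {"return_routes": False}, {"bart_forwarding": False}):
        print(flags, trace(build_lab(**flags), "GesAK", "2001:16d8:ff47:1203:2::21", originated=False))
```

With return_routes=False the reply for 2001:16d8:ff47:1203:2::21 leaves GesAK through the tunnel again, because only the 2000::/3 entry matches; with bart_forwarding=False it dies on bart. Both are the symptoms described above, and walking the tables this way is a cheap check before touching /proc/sys/net/ipv6/conf/all/forwarding on the real hosts.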

5.5 Networking basics

5.5.1 advertising routes with radvd [20] [21] [22] [23]

Automatically configuring hosts that have just come up is one big reason to use IPv6 over IPv4. Instead of manually configuring IP address and routes on each host new to your network you now have the possibility to let them configure themselves. The only host the administrator still has to configure is the router, with a program running on the router answering autoconfiguration requests. Radvd, the Router ADvertisement Daemon, is such a program, running on BSD and Linux, listening to Router Solicitations (RS) and sending Router Advertisements (RA). When a new host comes up it sends a multicast Router Solicitation and, when there is a correctly configured router running radvd on the subnet, it receives a Router Advertisement. Besides the requested Router Advertisements, unsolicited ones are also sent in between. The information sent includes address prefixes, the MTU of the link and details about the default routers. I installed radvd with “apt-get install radvd”. There is a verbose and a very simple radvd.conf example file that come with the installation. I chose the simple one and copied it to my /etc.

    cp /usr/share/doc/radvd/examples/simple-radvd.conf /etc/radvd.conf

If you want to force e.g. a Windows XP PC to renew its settings obtained by router advertisements you can do this with:

    netsh interface ipv6 renew interface="Lan-Verbindung"

It is supposed to also work with “ipv6 renew”, but it didn’t work for me. On Linux-based systems simply restart the interface with “ifup --force eth0”. But now let’s take a closer look at how to configure radvd. A very simple radvd.conf could look like this:

    interface eth0 {
        AdvSendAdvert on;
        prefix 2001:16d8:ff47:1203:2::/80 {
            AdvOnLink on;
            AdvAutonomous on;
        };
    };

The first option in the eth0 part, “AdvSendAdvert on;”, in fact turns on the radvd; it specifies whether it should periodically send router advertisements and listen to router solicitations. It no longer needs to be the first option written in the radvd.conf, but it needs to be set to on (default: off). The line “prefix 2001:16d8:ff47:1203:2::/80” defines the prefix to distribute. Options to this prefix are AdvOnLink and AdvAutonomous, both set to “on”. AdvOnLink on tells the receiving host that packets with the same prefix as distributed can be sent using the interface the router advertisement was received on (default: on). AdvAutonomous set to on means that the prefix distributed can be used in order to automatically configure an IPv6 address composed of the prefix and the MAC address (default: on). In this context let’s take a closer look at the prefix that is subnetted with 80 bits. This has something to do with the network media used and its hardware address length. For we are using Ethernet we have a 48-bit long hardware address part, leaving a maximum of 80 bits to the network pref. Note: It is vital that the prefix length plus interface token length sums to 128. Otherwise the prefix is ignored and no address is set. [24] Example for an automatically configured address [21]:

    Announced prefix     5f15:9100:c2dd:1400:8000:0000:0000:0000
    Link-layer token                         0800:0040:1726
    Configured address   5f15:9100:c2dd:1400:8000:0800:0040:1726

Additionally, the source address of the router advertisement (by definition the link-local address) can be used to configure the default route.
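To make the 128-bit rule concrete, here is an added Python example (mine, not the thesis’s): it composes an address from an advertised prefix and an interface token exactly as in the table above, and refuses to do so when prefix length and token length do not sum to 128. It also derives the 64-bit modified EUI-64 token of RFC 4291 from a MAC address, the token length hosts use with a /64 prefix, which is why the /80 prefixes of this network only work with a 48-bit token. The MAC addresses in the block are constructed.

```python
import ipaddress


def eui64_token(mac):
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, appendix A):
    insert ff:fe in the middle and flip the universal/local bit of the first byte."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return octets.hex()                     # 16 hex digits = 64-bit token


def slaac_address(prefix, token_hex):
    """Address a host configures from an advertised prefix and its interface token.

    Returns None when prefix length + token length != 128: that is the case
    in which the host ignores the prefix and configures no address.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    token = token_hex.replace(":", "")
    if net.prefixlen + len(token) * 4 != 128:
        return None
    value = int(net.network_address) | int(token, 16)
    return ipaddress.IPv6Address(value).exploded   # full form, as in the table above


if __name__ == "__main__":
    print(slaac_address("5f15:9100:c2dd:1400:8000::/80", "0800:0040:1726"))
    print(slaac_address("2001:16d8:ff47:1203:2::/80", eui64_token("00:0c:29:aa:bb:cc")))  # None
```

An address built this way carries the hardware address in its lower bits, so it identifies the machine wherever it connects; RFC 4941 temporary addresses exist for that reason. Comparing the prefix length radvdump reports with the token length a host actually uses is the quickest way to find out why a client stays without a global address.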

Note: Radvd will not start unless IP forwarding is enabled (or if debugging is enabled) [25]. My own /etc/radvd.conf looks a little bit different, for I didn’t want to distribute random global addresses, since I wanted to use DHCP:

    interface eth0 {
        AdvSendAdvert on;
        MaxRtrAdvInterval 100;
        MinRtrAdvInterval 35;
        AdvManagedFlag on;
        prefix 2001:16d8:ff47:1203:2::/80 {
            AdvPreferredLifetime 500;
            AdvValidLifetime 700;
            AdvAutonomous off;
        };
        # for site local addresses, added by me!
        prefix fec0:0:0:1::/80 {
        };
    };

In this configuration I set eth0 as the interface listening to router solicitations and sending router advertisements. In my config file I first enabled router advertisements and then set MaxRtrAdvInterval and MinRtrAdvInterval, which bound the span of time after which a new unsolicited router advertisement is sent. A random number between these two values is calculated after an advertisement is sent out, defining when the next one is to be sent. The AdvManagedFlag set to “on” indicates the use of the administered (stateful) protocol for autoconfiguration. In this case there is a server keeping track of the addresses used and therefore guaranteeing their uniqueness. You can find further information on this topic in RFC 2462 [26] and in the documentation of DHCPv6. Next the prefix is set with a preferred and a valid lifetime. The time is set in seconds, and the default values are 604800 (7 days) for the preferred lifetime and infinite (0xffffffff seconds) for the valid lifetime. In my config I chose to disable AdvAutonomous. I did this for I wanted to distribute more “readable” addresses and for administrative reasons (later I will install a DHCPv6 server to distribute the addresses). Besides supplying the prefix for global addresses I also send a prefix for site-local addresses. With AdvAutonomous defaulting to on I don’t have to add anything else to the config of the site-local addresses. Troubleshooting: When using radvd I would recommend you to install radvdump, a program pretty similar to a sniffer, printing out the contents of router advertisements. One big advantage is that the values that are set by default are also displayed. Note: Radvd is configured and used on bart.sylvia.test for serving the network 2001:16d8:ff47:1203:2::/80 and on snowball.sylvia.test for the network 2001:16d8:ff47:1203:3::/80. Note: Although mentioned before: radvd does not propagate information to itself. Every configuration you want to have on your host running radvd has to be done manually (global and site-local IP addresses, routes, etc.).

5.5.2 DHCPv6 using dibbler [27]

As mentioned in the section about radvd, I did not distribute my global IPv6 addresses with radvd. The reason: I have no chance to have any addresses other than those made up of the network prefix and the appended MAC address. In good old IPv4 manner I want to stick to my address scheme (low numbers for servers, high numbers for clients), which will e.g. ease the configuration of a firewall. When searching for a DHCPv6 server I did not come across a lot of alternatives. I found dhcpv6 on sourceforge, which was not very appealing to me because it lacked documentation, dhcpv6d, which was only for HP-UX, and dibbler, with clients running on Windows and Linux. It didn’t take me long to go for the dibbler solution, especially because it came with a nice manual. After downloading and installing the .deb package you have an /etc/dibbler directory containing client.conf, server.conf and relay.conf, the config files for all three types of service. To run each of the services type the appropriate

    dibbler-client start
    dibbler-server start
    dibbler-relay start

“start” starts a daemon of the selected service running in the background, detached from the console. If you are using dibbler for the first time you might want to see the messages printed directly in the console. If so, simply exchange “start” with “run” (e.g. “dibbler-server run”). For stopping, you might have guessed, use “stop”, and if you want to see the status of dibbler append “status” to the selected service.

Configuring the server

As mentioned above the configuration is found in /etc/dibbler/server.conf. My dibbler server is installed on marge.sylvia.test, a host residing in the 2001:16d8:ff47:1203:2::/80 network. The simplest form of server.conf would be the following:

    iface eth0 {
        class {
            pool 2001:16d8:ff47:1203:2::/80
        }
    }

We define which interface to use for distributing the dynamically assigned addresses and the address pool to take the addresses from. The pool can also be written as “pool minaddress-maxaddress”, and if you need to assign addresses on one interface from several address pools that cannot be described in these ways, simply add another class entry holding the next pool of addresses you want to use. In addition to the many other options, dibbler is capable of defining white and black lists, i.e. users you explicitly want to allow (“accept-only”) or users you want to ban (“reject-clients”) [28].

But now take a look at my server configuration, for it is prepared for the use with relays. For distributing the addresses to 2001:16d8:ff47:1203:3::/80 as well while running only one dibbler server you need to relay the DHCP packets. Therefore dibbler relays need to be installed on both gateways, bart and snowball, but let’s discuss that later on. (See the figure at the end of the chapter for clarity.)

    log-level 7
    log-mode short

    iface relay1 {
        relay eth0
        interface-id 1007
    }

    iface relay2 {
        relay relay1
        interface-id 3001
        T1 500
        T2 700
        prefered-lifetime 600
        valid-lifetime 800
        class {
            pool 2001:16d8:ff47:1203:3::/80
        }
    }

    iface eth0 {
        T1 500
        T2 700
        prefered-lifetime 600
        valid-lifetime 800
        class {
            pool 2001:16d8:ff47:1203:2::/80
        }
        option dns-server 2001:16d8:ff47:1203:2::5
        option domain sylvia.test
        option ntp-server 2001:16d8:ff47:1203:2::1
    }

Let’s begin with the part of the configuration we already discussed, “iface eth0”. There are several new options used in here. “T1” is the time after which the client is instructed to renew its address, “T2” the time after which the client should send a REBIND. As preferred and valid lifetime are self-explanatory, I move on to the options section below the class part. With the options you can specify which other information shall be distributed besides the IP address. In this case I supply the DNS server address, the domain name and the NTP server address. Now for the part of the configuration concerning the relays. The important thing is to start thinking at the portion of the network the client resides in, which is 2001:16d8:ff47:1203:3::/80. The client needs to send the DHCP request to snowball, the gateway and DHCP relay at its site. The message from the client is encapsulated as a RELAY_FORW message and sent to the next “hop”. It is vital for the server to know where the relayed message was originally received; therefore the “interface-id” is sent together with the encapsulated message. At the next “hop”, that would be bart in my case, the message is encapsulated again and the “interface-id” of bart is added. Then the message is sent to the server. Replies from the server are sent as RELAY_REPL.

    iface relay1 {
        relay eth0
        interface-id 1007
    }

The snip of the config file above tells the server that it can reach the service “relay1” on the physical interface eth0 (“relay eth0”) and that its interface-id is set to 1007. The part for relay2 starts again with the information on reaching relay2 using relay1 (“relay relay1”), which in fact makes the core of the relay configuration. The only additional thing you must not forget is the class part for configuring the IP address pool that should be used at the remote network. Note: Setting log-level to 5 or less can result in strange behavior. Note: The log file is located at /var/lib/dibbler/server.log

Configuring the relays

After we made it this far the configuration of the relays is pretty easy. Let’s start with bart’s /etc/dibbler/client.conf file.

    log-level 8
    log-mode short

    #connected network: 2001:16d8:ff47:1203:2::/80
    iface eth0 {
        server multicast yes
    }

    #connected network: 2001:16d8:ff47:1203:1::/80
    iface eth1 {
        client unicast 2001:16d8:ff47:1203:1::6
        interface-id 1007
    }

“server multicast yes” makes eth0 send the DHCP messages that have been forwarded to the server with a multicast destination (remember that all DHCP messages sent during the negotiation of the address are sent via multicast). On eth1, on the other hand, bart only listens to packets from clients destined at 2001:16d8:ff47:1203:1::6. “interface-id”, as discussed, is an identifier for a particular interface and has to be unique (you might think of it as a kind of “ethernet segment identifier”). And at last the configuration of snowball is still left:

    log-level 8
    log-mode short

    #connected network: 2001:16d8:ff47:1203:1::/80
    iface eth0 {
        server unicast 2001:16d8:ff47:1203:1::6
    }

    #connected network: 2001:16d8:ff47:1203:3::/80
    iface eth1 {
        client multicast yes
        interface-id 3001
    }

“server unicast 2001:16d8:ff47:1203:1::6” tells the relay to send forwarded messages to the specified address (which is bart in my case; the next hop for snowball). On eth1, the side where the clients are connected, snowball listens to client messages with multicast destination (a client that is UPed sends a multicasted DHCPDISCOVER first). The “interface-id” is set to 3001.

Figure 5.4: Message flow of a client-initiated DHCP message via 2 relays

Configuring a client

Now that we have configured server and relays we need to think about the clients as well. The easiest way to configure a client is not configuring it, which means: if you don’t want to have special configuration except for a randomly chosen IPv6 address from the address pool specified on the server on each interface on a dibbler-running client you can leave the configuration file empty. On the other hand, if you want to receive DNS and NTP server details from the dibbler server, it has to be set in the client.conf. You can also define an IP address if you want a client to always get the same. A (Windows) client configuration file would look like this (there’s no difference between Windows and Linux config files except for the term used for the interface: “Local Area Connection” (“LAN-Verbindung”) on Windows, eth0 (you don’t need quotes here) on Linux):

    log-mode short
    log-level 7

    iface "LAN-Verbindung" {
        option dns-server
        option domain
        option ntp-server
        ia {
            address {
                2001:16d8:ff47:1203:3::11
            }
        }
    }

If you want to set some options in your client.conf but don’t care which address your host gets, clear the “ia {...}” part and replace it with “ia”. “ia” stands for Identity Association and is a logical unit representing address(es) used to perform some functions. The correct use of the term ia is “ia <number>”, where number defaults to 1 and stands for the number of IAs that should be requested (i.e. setting “ia 2” makes you receive 2 addresses; see the manual for details). One thing that came to my mind when configuring my dibbler clients was how unhandy it is to go to each client in a network and configure it locally, for you can’t always access each client in a big network. I wrote Tomasz Mrugalski, one of the two developers of dibbler, and he had an idea how to define a specific client’s address server-side. Snip from a server.conf he sent me:

    class {
        accept-only fe80::2e0:7dff:fe01:15a2
        pool 2000::1
    }
    class {
        accept-only 0x000100064306ed0900609711d5f0
        pool 2000::2
    }
    class {
        pool 2000::3-2000::ff
    }

This configuration would allow only the host with link-local address fe80::2e0:7dff:fe01:15a2 to get an address from the address “pool” 2000::1/128 and a host with DUID 0x000100064306ed0900609711d5f0 to get the address 2000::2. All other hosts would receive addresses from the pool specified in the last class section. This way changes in address assignment can be made on the server only. I’d recommend running dibbler-client, after testing its configuration (“Client run in console”), as a service in order to start it automatically. Don’t forget to start the client for the first time manually after having installed it as a service. Troubleshooting: For troubleshooting dibbler I would recommend, of course, reading the log file (on Windows systems located directly in the directory dibbler is installed in), and my all-time favorite tool: ethereal. To see which port it is running on I used “netstat -lnptu”, showing you the services behind each port, for nmap only provides TCP scans by now. (There is a patch for nmap doing IPv6 UDP scans on http://nmap6.sourceforge.net - see the nmap section below.) SUSE: When installing dibbler-client on SUSE the client could not be started until I manually created a directory /var/lib/dibbler and “chmod 777 /var/lib/dibbler” (I know, this is not beautiful, but it works). Note: I chose not to configure my dibbler relays by a dibbler client but rather have static IP addressing. The main reason was that I experienced troubles bringing all of the services up in the right order after weather-related power failures.
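The relay chain described under “Configuring the relays” and the per-client classes from the snippet above, as one added Python model (mine, not dibbler’s code): a client message is wrapped in one RELAY_FORW per relay, each carrying that relay’s interface-id; the server walks its “relay” links from the physical interface along those ids to find the link the client is on, picks the first class the client may use, and wraps the REPLY in the same number of RELAY_REPL layers so that each relay can strip its own. Interface-ids, pools and accept-only values are those of the text; the client DUIDs and link-local addresses are constructed, and handing out the lowest free address of a pool is my simplification, not something the text states about dibbler.

```python
import ipaddress

IPv6 = ipaddress.IPv6Address

# Server view of the thesis's server.conf: for every "iface", how the server
# reaches it (None = physical), the interface-id a relay stamps on it, and
# its classes.  Values are the ones from the text.
LAB_SERVER = {
    "eth0":   {"via": None,     "interface_id": None,
               "classes": [{"pool": "2001:16d8:ff47:1203:2::/80"}]},
    "relay1": {"via": "eth0",   "interface_id": 1007, "classes": []},
    "relay2": {"via": "relay1", "interface_id": 3001,
               "classes": [{"pool": "2001:16d8:ff47:1203:3::/80"}]},
}
# The per-client snippet Tomasz Mrugalski sent, as quoted in the text.
PINNED_SERVER = {
    "eth0": {"via": None, "interface_id": None, "classes": [
        {"accept_only": "fe80::2e0:7dff:fe01:15a2", "pool": "2000::1"},
        {"accept_only": "0x000100064306ed0900609711d5f0", "pool": "2000::2"},
        {"pool": "2000::3-2000::ff"},
    ]},
}


def solicit(duid, link_local):
    """Constructed client message; DUID and link-local are what accept-only matches on."""
    return {"type": "SOLICIT", "duid": duid, "link_local": link_local}


def relay_forward(msg, interface_id):
    """Client side of a relay: wrap what arrived in a RELAY_FORW carrying the interface-id."""
    return {"type": "RELAY_FORW", "interface_id": interface_id, "inner": msg}


def relay_return(msg):
    """Server side of a relay: strip its own RELAY_REPL layer and pass the rest on."""
    if msg["type"] != "RELAY_REPL":
        raise ValueError("relay expected a RELAY_REPL")
    return msg["inner"]


def unwrap(msg):
    """Peel the RELAY_FORW layers: (interface-ids outermost first, client message)."""
    ids = []
    while msg["type"] == "RELAY_FORW":
        ids.append(msg["interface_id"])
        msg = msg["inner"]
    return ids, msg


def resolve_link(cfg, physical, relay_ids):
    """Follow the 'relay X' links from the physical interface along the interface-ids."""
    cur = physical
    for rid in relay_ids:
        hop = [n for n, c in cfg.items() if c["via"] == cur and c["interface_id"] == rid]
        if not hop:
            return None                     # no iface declared for this relay chain
        cur = hop[0]
    return cur


def pool_bounds(pool):
    """'min-max' or prefix notation -> (first, last) address that may be handed out."""
    if "-" in pool:
        lo, hi = pool.split("-")
        return IPv6(lo), IPv6(hi)
    net = ipaddress.IPv6Network(pool, strict=False)
    first = net.network_address + (1 if net.prefixlen < 128 else 0)  # skip all-zero host part
    return first, net.broadcast_address


def pick_address(cfg, link, client, leased):
    """First class the client may use; lowest address of its pool not leased yet."""
    for cls in cfg[link]["classes"]:
        key = cls.get("accept_only")
        if key and key not in (client["duid"], client["link_local"]):
            continue
        cand, last = pool_bounds(cls["pool"])
        while cand <= last and cand in leased:
            cand += 1
        if cand <= last:
            leased.add(cand)
            return str(cand)
    return None


def server_handle(cfg, physical, msg, leased):
    """Unwrap, locate the client's link, lease, and re-wrap the reply for the relays."""
    ids, client = unwrap(msg)
    link = resolve_link(cfg, physical, ids)
    reply = {"type": "REPLY", "link": link,
             "address": pick_address(cfg, link, client, leased) if link else None}
    for rid in reversed(ids):               # innermost relay's layer first, outermost last
        reply = {"type": "RELAY_REPL", "interface_id": rid, "inner": reply}
    return reply


def branch_client_exchange(leased=None):
    """snowball2 -> snowball (id 3001) -> bart (id 1007) -> marge, and the reply back."""
    leased = set() if leased is None else leased
    msg = solicit("0x00010001deadbeef000c29aabbcc", "fe80::20c:29ff:feaa:bbcc")  # constructed
    at_bart = relay_forward(relay_forward(msg, 3001), 1007)
    reply = server_handle(LAB_SERVER, "eth0", at_bart, leased)
    at_snowball = relay_return(reply)       # bart strips the layer tagged 1007
    return relay_return(at_snowball)        # snowball strips 3001; the client sees REPLY
```

A message whose interface-id chain matches no “relay” declaration gets a REPLY without an address, which is the symptom to look for in /var/lib/dibbler/server.log when a relay’s interface-id and the server.conf disagree.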

5.5.3 DNS [30] [29]

For I am using BIND9 I do not have to install any other software or patch, for it supports IPv6 natively (BIND9 is the first version fully supporting IPv6; use version >9.1.3 for there are some security problems patched). If you are familiar with the use of IPv4 DNS records you won’t experience any troubles here, for the only thing changed is the type of records used. For IPv4 you use the resource record “A” and for IPv6 it’s “AAAA”, spoken “Quad-A”. Reverse lookup is stored in a “PTR” resource record (i.e. “pointer”) as well, but it is represented differently. For reverse lookup a special domain rooted at “IP6.ARPA.” is defined, assuring the mapping of IPv6 addresses to hostnames. It is represented by a sequence of dot-separated nibbles encoded in reverse order. Example reverse lookup domain name for a given IP:

    2001:16d8:ff47:1203:3::1
    1.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.2.1.7.4.f.f.8.d.6.1.1.0.0.2.IP6.ARPA.

In order to have IPv6 lookup you have to add IPv6 entries to your database and enable it to handle IPv6 requests. You can either choose to set both an A and an AAAA record on one host name, or create IPv6-only hostnames. A DNS lookup for a hostname configured with both addresses returns both. The IPv6 address is then preferred over IPv4 for any further communication.

    homer      A     192.168.200.12
               AAAA  2001:16d8:ff47:1203:2::12
    flanders6  AAAA  2001:16d8:ff47:1203:2::24

After adding the AAAA records we can start coping with reverse lookup. First of all you need to include the zone files in /etc/bind/named.conf. Since I have two different subnets, 2001:16d8:ff47:1203:2::/80 and 2001:16d8:ff47:1203:3::/80, I wrote two zone files called “db.2” and “db.3”, included by these lines:

# /etc/bind/named.conf
zone "2.0.0.0.3.0.2.1.7.4.f.f.8.d.6.1.1.0.0.2.ip6.arpa" {
    type master;
    file "/etc/bind/db.2";
};

zone "3.0.0.0.3.0.2.1.7.4.f.f.8.d.6.1.1.0.0.2.ip6.arpa" {
    type master;
    file "/etc/bind/db.3";
};

The corresponding PTR records are defined in the zone files. See /etc/bind/db.3 for an example IPv6 reverse lookup zone file:

;
; BIND reverse data file for zone branch office
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                        2005081901      ; Serial
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL
;
@       IN      NS      ns1.sylvia.test.
1.0.0.0.0.0.0.0.0.0.0.0 IN      PTR     snowball.sylvia.test.
1.1.0.0.0.0.0.0.0.0.0.0 IN      PTR     snowball2.sylvia.test.
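To make the nibble arithmetic above reproducible, here is an added Python example (not part of the thesis) that derives the ip6.arpa zone origin for a nibble-aligned prefix such as 2001:16d8:ff47:1203:3::/80, the PTR owner labels for hosts inside it, and renders a zone file in the layout of db.3; the hostnames and serial are the values used on this page.

```python
import ipaddress

IP6_ARPA = "ip6.arpa."


def nibbles(addr):
    """Return the 32 hex nibbles of an IPv6 address, most significant first."""
    return ipaddress.IPv6Address(addr).exploded.replace(":", "")


def reverse_name(addr):
    """Full reverse-lookup name: all 32 nibbles reversed, under ip6.arpa."""
    return ".".join(reversed(nibbles(addr))) + "." + IP6_ARPA


def reverse_zone(prefix):
    """Zone origin for the reverse zone covering `prefix`.

    ip6.arpa delegations work on nibble boundaries, so the prefix length
    must be a multiple of 4 (the thesis uses /80, i.e. 20 nibbles).
    """
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("reverse zone prefix must be nibble-aligned: %s" % prefix)
    n = net.prefixlen // 4
    return ".".join(reversed(nibbles(net.network_address)[:n])) + "." + IP6_ARPA


def ptr_label(addr, prefix):
    """Owner name of the PTR record, relative to the zone origin of `prefix`."""
    net = ipaddress.IPv6Network(prefix)
    ip = ipaddress.IPv6Address(addr)
    if ip not in net:
        raise ValueError("%s is not inside %s" % (addr, prefix))
    n = net.prefixlen // 4
    return ".".join(reversed(nibbles(ip)[n:]))


def reverse_zone_file(prefix, hosts, ns, serial):
    """Render a BIND reverse zone in the layout of the thesis' db.3 file.

    `hosts` maps IPv6 address -> hostname; a trailing dot is added so the
    PTR target is absolute and not expanded with the zone origin.
    """
    lines = [
        "$TTL\t604800",
        "@\tIN\tSOA\tlocalhost. root.localhost. (",
        "\t\t%d\t; Serial" % serial,
        "\t\t604800\t; Refresh",
        "\t\t86400\t; Retry",
        "\t\t2419200\t; Expire",
        "\t\t604800 )\t; Negative Cache TTL",
        ";",
        "@\tIN\tNS\t%s" % ns,
    ]
    for addr in sorted(hosts, key=ipaddress.IPv6Address):
        fqdn = hosts[addr].rstrip(".") + "."
        lines.append("%s\tIN\tPTR\t%s" % (ptr_label(addr, prefix), fqdn))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    zone = "2001:16d8:ff47:1203:3::/80"
    # branch office hosts from the thesis (db.3)
    branch = {
        "2001:16d8:ff47:1203:3::1": "snowball.sylvia.test",
        "2001:16d8:ff47:1203:3::11": "snowball2.sylvia.test",
    }
    print('zone "%s" { type master; file "/etc/bind/db.3"; };'
          % reverse_zone(zone).rstrip("."))
    print(reverse_zone_file(zone, branch, ns="ns1.sylvia.test.", serial=2005081901))
```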

Now you are done with setting your address details but there are some configurations to BIND left. One thing is to tell it to listen to IPv6 requests. This is done in /etc/bind/named.conf.options (this file is included by /etc/bind/named.conf).

options {
    directory "/var/cache/bind";
    forwarders {
        192.168.100.2;
    };
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    allow-query { internal-net; };
};

acl internal-net {
    127.0.0.1;
    192.168.0.0/16;
    ::1/128;
    2001:16d8:ff47:1203::/64;
};

In here we have the rules for IPv4 and IPv6 communication. 192.168.100.2 is the Berufsförderungsinstitut Burgenland name server that is queried, and “allow-query { internal-net; };” defines that all subnets defined in the acl named “internal-net” are allowed to query the server. Added to the existing configuration is the very important listen-on-v6 { any; }; directive allowing any host to contact the server via IPv6. You cannot bind particular addresses here; the only options allowed are “any” and “none” (please note that this can be a security risk). In the acl (short for Access Control List) “internal-net” I added ::1/128; 2001:16d8:ff47:1203::/64; in order to allow localhost and the whole test network I set up to query the nameserver. After restarting bind you can see it listening on IPv6 interfaces using “netstat -lnptu | grep named”. The address for the IPv6-reachable nameserver is already distributed by dibbler so I don’t have to change any DNS settings on the clients. The first thing you now should try is to connect to bind via an IPv6 address with a simple

dig localhost @::1

If this returns an answer you can move on to querying a hostname with an A and a quad-A entry (you need -t set to any so that all entries found for a hostname are returned; otherwise only an A record is sent back):

marge:~# dig -t any homer.sylvia.test @::1

Figure 5.5: Output for dig -t any homer.sylvia.test @::1

Note: If you only get the old configuration displayed without the added IPv6 entries, flush your DNS cache and try again. For Windows use “ipconfig /flushdns” and on the Linux PC running BIND you can do the same with “rndc flush”. Be also sure to try this on other hosts to see that the acl does not exclude hosts that should have access to the nameserver. Another way of testing your DNS server is using the command “host”:

knoppix@1[knoppix]$ host -t aaaa homer.sylvia.test 2001:16d8:ff47:1203:2::5
Using domain server:
Name: 2001:16d8:ff47:1203:2::5
Address: 2001:16d8:ff47:1203:2::5#53
Aliases:

homer.sylvia.test has AAAA address 2001:16d8:ff47:1203:2::12

To test reverse lookup functionality use

dig -x 2001:16d8:ff47:1203:2::5

With routes advertised, addresses distributed and DNS entries set we can say we have a running IPv6 network by now. We have pinged and tracerouted even IPv6 hosts residing somewhere on the internet, so what else could there be? ;o)

Note: When doing name resolution with Linux, IPv6 is also used as the protocol for the query. Microsoft has not yet enabled this functionality.

The next step is to ensure IPv6 connectivity to the services already used in the network running IPv4, to be ready when someday there are IPv6-only networks.

5.6 Migrating the services [31]

Now that each PC on the network is IPv6 enabled we need services that make use of it. First let’s go online and see the dancing turtle!

5.6.1 Browsers: Firefox and Internet Explorer

When you try to access an IPv6-hosted homepage don’t forget to disable proxying, because the squid running on the system does not support IPv6 and therefore will not connect. After changing my firefox’s preferences to directly accessing the internet I tried to surf to http://www.kame.net, and if the IPv6 configuration works you can see why I was talking about a dancing turtle. This site is reachable via IPv4 and IPv6, but if you can see the turtle dancing you connected to this website via IPv6! In addition to this you can read your IPv6 address at the very bottom of this page. This has been worth all the trouble, am I right? There’s nothing else left to explain when using Internet Explorer 6. Simply uncheck the use-proxy option and go for www.kame.net.

5.6.2 Web-Proxy: Privoxy [32]

There are several web proxies supporting IPv6 connections: wwwoffle v2.7, there’s a patch for squid v2.5, privoxy v3.1.1, www6to4 v1.5, Prometeo v1.4, ffproxy v1.6-RC1 and polipo v0.9.x. Among all these possibilities I chose to use the Junkbuster-based privoxy, for it offers huge possibilities in the field of filtering, access control, cookie management and the removing of ads, banners and pop-ups, and because I wanted to try some new software besides always using squid. You will find executables for several operating systems on the home page and there is also a CVS repository you can use. I chose to wget the sources and make them. When trying to run “make” my PC was prompting me to install “autoconf” (apt-get install autoconf).

After re-running “make” and switching to “su” you can see where your files will be installed with “make -n install”. If you are pleased with what’s going on, “make install”. Then I had to “adduser privoxy” and “addgroup privoxy”. Your privoxy installation resides at /usr/local/etc/privoxy and the logfile is located in /var/log/privoxy. The first step now is to modify the config file /usr/local/etc/privoxy/config.

confdir /usr/local/etc/privoxy
logdir /var/log/privoxy
# The actions file(s) to use
actionsfile standard  # Internal purpose, recommended
actionsfile default   # Main actions file
actionsfile user      # User customizations
filterfile default.filter
logfile logfile
jarfile jarfile
# error page at untrusted sites
trust-info-url http://www.example.com/why_we_block.html
trust-info-url http://www.example.com/what_we_allow.html
debug 512  # common log format
# address and port the server is listening on
listen-address 127.0.0.1:8118
listen-address [2001:16d8:ff47:1203:2::5]:8118

# toggle off disables any filtering, blocking, etc.
toggle 0
enable-remote-toggle 0
enable-edit-actions 0
# network allowed to use the proxy (the test network prefix used throughout)
permit-access [2001:16d8:ff47:1203:2::]/80

buffer-limit 4096

The changes I made were the settings for the confdir, the debug level, listen-address, all toggling options and the permit-access option. After setting the values appropriate to your system you can start privoxy with /etc/init.d/privoxy start. After setting the proxy settings of a firefox used in the network to [2001:16d8:ff47:1203:2::5] (you could also use “marge6” instead) at port 8118 you can surf the net using privoxy. For configuring privoxy in more detail there is a web interface you can access locally. Since I am not using a GUI on my Debian system I configured my lynx to use privoxy as a proxy in /etc/lynx.conf (set the line “http_proxy:http://127.0.0.1:8118/”) and then ran “lynx http://config.privoxy.org”. If you want to set the new IPv6 proxy on Internet Explorer you can only use the name “marge6” (or the fully qualified domain name) but not the address itself. If you try to use the address, Internet Explorer will not warn you or tell you it could not find the proxy but rather just doesn’t use it and accesses the internet directly. Taking a look at the settings of the proxy again you will see something like this:

Figure 5.6: Proxy settings with Internet Explorer 6

Note: I used the IP address display at www.kame.net to see whether the proxy was used or not.

Windows2k: Although I could ping6 marge6.sylvia.test and ping6 www.kame.net I could not manage to display a site reached using the IPv6 proxy on both Firefox and Internet Explorer. Firefox told me that the proxy could not be found and Internet Explorer that the site could not be displayed.

5.6.3 http-server: apache

Now that we can access IPv6 sites on the internet, let’s make our own http server IPv6 reachable. There are patches for apache 1.3 to support IPv6 but I’d recommend using >= 2.0.14 (I use 2.0.54), for it supports IPv6 natively. Native support is always a good thing because it reduces the things you have to do to a minimum. With apache you now only have to add a “Listen” directive telling it to also listen to IPv6 requests, then restart, and you are done. This entry has to be made in /etc/apache2/ports.conf and looks like this (this is the only entry in here):

Listen [2001:16d8:ff47:1203:2::5]:80

After restarting apache you can access your apache installation with Firefox at (both are possible here)

http://marge6.sylvia.test
http://[2001:16d8:ff47:1203:2::5]

Internet Explorer only supports the FQDN for an address here. In order to define a virtual IPv6 host you can change /etc/apache2/sites-available/www6 and be sure that there is a symbolic link from /etc/apache2/sites-enabled/ to this file. To have a virtual host responding to the request “www6.schuh-tv.at” add

ServerName www6.schuh-tv.at
ServerAdmin [email protected]

in the VirtualHost section. See my www6 file in the code appendix.

Figure 5.7: HTTP_GET command from snowball2 (2001:16d8:ff47:1203:3::11) to the webserver marge (also called ns1.sylvia.test)

5.6.4 database: MySQL

The currently available MySQL versions (4.x, 5.0) do not support IPv6. MySQL 5.1 could be the first version supporting it (at the time I am writing this, 5.1 alpha is released and there is no information on the implementation of IPv6 available in the documentation of 5.1). [33] PostgreSQL v8.0 on the other hand does support IPv6. As far as I could find out it is included by default and hosts contacting the database need to be specified in “pg_hba.conf”. [34]

5.6.5 filesharing using Windows

When I started migrating the network, or better, before I started, I was very afraid of migrating such vital things as DNS, routing, etc. and had the opinion that as soon as you change the protocol used to IPv6 all services will work instantly. I was proven wrong when I tried to do file sharing with Windows. Since I was using Windows 2000 Advanced Server for file sharing via IPv4 there was no need for me to change the system for use with IPv6, or so I thought. After reading nearly every entry found by google matching the word “IPv6” I decided to ask those who should know about it: the people from Microsoft (I also bought the Microsoft-suggested book “Understanding IPv6”, for it holds a chapter concerning IPv6 file sharing. If you think of buying it: take my advice and don’t do it!). Some technician then told me that sharing files is only supported for Windows Server 2003 and gave me a link as a starting point for my research [35]. I got myself a new PC and installed Windows 2003 Advanced Server on it. The hostname is wiggum.sylvia.test with IP addresses 192.168.200.19 and 2001:16d8:ff47:1203:2::13 (installing IPv6 on W2k3 is the same as on WXP). After installing some basic services I was very eager to try IPv6 file sharing. I defined some folders to share and tried to connect to the server from a Windows XP PC by typing \\wiggum in Windows Explorer. Since I was getting meaningless errors I decided to switch to the command line and try every connect with

net use * \\host\share

to get better information about the error. My error code was 59 with the message that an unexpected network error has occurred, or error 53 “network path not found”. Then, I thought to myself, before trying and hoping that Windows XP is able to cope with IPv6 data sharing, I had better set up another Windows 2003 Advanced Server. This time I used the former homer.sylvia.test, because Windows 2000 only supports IPv6 to the extent of pinging and tracerouting. (Before I cleared the hard disk I copied the data stored for Active Directory. Read the Active Directory chapter below.) The new Windows 2003 server had hostname flanders.sylvia.test and IP addresses 192.168.200.36 and 2001:16d8:ff47:1203:2::24.

Trying to “net use * \\wiggum6.sylvia.test\daten” (wiggum6 is an AAAA record pointing at a global address) between these two nodes first resulted in error 67. Looking for workarounds or solutions to this error I found out that restarting the distributed file system on the file server could help. After the restart I got error 1231 “network location cannot be reached”. I read some article about reinstalling your NIC to get rid of these troubles. In addition to these errors I had events 1030 and 1058 in my event log, which usually are indicators for a DFS (distributed file system) that is not running. So you might be curious if I now have a working file sharing system via IPv6, and the proud answer is yes. So what had to be done in order to make it work: First I got myself a new hard disk and put it in my wiggum.sylvia.test and set up a fresh Windows 2003 server again (this was just because I got more and more daring when trying to solve the errors and reconfigured nearly everything). So with two totally clean and newly set-up Windows 2003 PCs I tried it again and it didn’t work until I got the idea of using site-local addresses instead of global addresses. As you saw in the chapter concerning radvd I distribute site-local addresses with prefix fec0:0:0:1::/80 dynamically. For easier use I decided to save a DNS record for the site-local file server address in bind.

wiggum      AAAA  fec0::1:20a:5eff:fe22:afd6

Before trying to connect to the network share be sure to have the IPv6 firewall disabled and IPv6 file sharing enabled. To disable the firewall simply type:

netsh interface ipv6 set interface interface="LAN-Verbindung" firewall=disabled

To enable IPv6 file (and print) sharing go to the “control panel” and open the “network connections”. In the menu “Advanced” (“Erweitert”) you will find an entry called “advanced settings” (or maybe it is called “advanced properties” - I am lacking an English Windows version here; in German it is called “erweiterte Einstellungen...”). In the advanced settings, be sure that you check everything you find concerning IPv6 ;-) for the activated LAN connection. Now, if you dare, type

Figure 5.8: The menu “Advanced” in German

net use * \\wiggum.sylvia.test\daten

and your network share will be connected via IPv6. If you don’t trust your computer, simply sniff it using ethereal. Please see mine below and note that these packets are neither the beginning of the communication nor the end, just one nice part you can show off with because it reveals the folder opened. fec0::1:250:baff:fe17:2d3d is the site-local address for flanders. The connection also works when typing \\wiggum.sylvia.test\daten in your Windows Explorer. For the sake of completeness I also have to write about the last error I had before I got that far: it was error 52, indicating a duplicate host or cname entry for one IP address. The advice Microsoft’s knowledge base gave me was to check DNS or WINS settings or change the host name on one of the clients. The thing that went wrong here was the DNS configuration, for it was holding an A and an AAAA record for the same hostname. Although it should have also worked that way I decided wiggum should be an IPv6-only record.

Note: By the way, if you are curious which port Microsoft uses: look for 445 named “microsoft-ds” with “nmap -6 wiggum”.

Note: Differing from older Microsoft operating systems, Windows 2003 sets network shares read-only per default. I then set the permission for user “everyone” to read/write, which didn’t help a lot. Only after

Figure 5.9: The dialog popping up when choosing the “advanced settings”

Figure 5.10: Some packets during IPv6 filesharing; packet number 33 holds the path opened

setting every user in my system (ok, I only have two) the permission to read/write did I have write access to the remote folder.

Linux: Much to my surprise I had to find out that there was currently no IPv6 capable smb client. There is a patch available for Samba versions 2.2.3 - 2.2.5 from the year 2002, but when posting to some newsgroups asking whether this worked for someone I got no positive responses. [36] I guess one cannot measure the time I spent on this little problem, and like so many times it is always a combination of several problems. While I was trying to set up file sharing in vain I also decided to look for alternatives and found WebDAV.

Note: According to a paper [37] updating the book “Understanding IPv6” and a mail I received from Microsoft Austria, file sharing should be possible with IPv6 global addresses as well. In the mail I got a registry key to enter in order to enable it: set a DWORD with value “1e” and name “IPv6Protection” under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Smb\Parameters. This did not work for me.

5.6.6 filesharing: WebDAV [38] [39]

The way Tim Berners-Lee initially thought of the internet was as a read- and writeable medium. With the internet growing it turned itself into a read-only medium, and this is exactly the point where WebDAV starts. WebDAV is short for Web-based Distributed Authoring and Versioning and refers to the IETF working group as well as the HTTP extension they defined. It has abilities to create, change and move documents on a remote server and can be used for authoring or simple storage of data. The data can be accessed via http port 80, so you won’t have firewall-related problems. It is platform independent and most operating systems have built-in features to support WebDAV. In order to have a working WebDAV implementation you need an HTTP server. On the Windows side of life you could use IIS for Windows Server 2003, which should support IPv6 (I did not find the proof on the internet nor tried it myself), or simply use Apache. As you might have guessed I used Apache. In the mods-available folder of your /etc/apache2 directory you will find three modules concerning WebDAV called “dav.load”, “dav_fs.conf” and “dav_fs.load”. The first step to enable these modules is simply to make a symbolic link from the folder /etc/apache2/mods-enabled to these three modules.

ln -s /etc/apache2/mods-available/dav* /etc/apache2/mods-enabled

Next step is to append the following paragraph to the /etc/apache2/apache2.conf file:

## my changes for webDAV

DAVLockDB /tmp/DAVLock
DAVMinTimeout 600

DAV On
AuthType Basic
AuthName "WebDAV Restricted"
AuthUserFile /var/www/webdavpasswd
Require valid-user

This sets a WebDAV directory for the folder “dav” in your document root with authentication type “Basic” and authentication information that can be found in /var/www/webdavpasswd. Now you have to create a new directory called “dav” in your document root /var/www. If you are not sure where your document root is, look at the file /etc/apache2/sites-enabled/default. This directory has to have user and group changed to www-data and correct permissions have to be set.

chown www-data:www-data /var/www/dav
chmod 775 /var/www/dav

Next step is to create username and password in order to have users allowed to access the WebDAV contents, which is done by

htpasswd -c /var/www/webdavpasswd username
htpasswd /var/www/webdavpasswd otherUsername

The first line “htpasswd -c /var/www/webdavpasswd username” creates a new file (-c indicates the creation of a new file, so be careful not to append this when adding additional users) called /var/www/webdavpasswd (as defined in apache2.conf) storing information on the user called “username”. The second line shows how to add an additional user called “otherUsername”. After restarting Apache your WebDAV is ready to use. In order to test my WebDAV I installed a Linux command-line based WebDAV client called cadaver.

cadaver http://marge.sylvia.test/dav

prompts me for the password and opens the WebDAV folder. Use commands like put, get, ls, less, cat, delete, copy, move and many more to perform actions on files.

To have WebDAV functionality on Windows you have to do a little bit more. If you want to have the WebDAV resource as an entry in your “My Network Places” choose “Add Network Place” within your “My Network Places”. The “Add Network Place Wizard” pops up and in the next two steps you simply supply the address for the resource and the username-password pair and everything works fine, or so I thought. In my case I got the error “the folder you entered does not appear to be valid”, indicating that you are lacking

• the software update for web folders (knowledge base kb892211)
• a DWORD called “UseBasicAuth” with value set to 1 at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters\

Another tip I found on the internet that was working for one of the PCs (running WinXP SP2) was appending :80 to the address of the resource (http://marge.sylvia.test:80/dav), which loads the old Windows 2000 driver (that might be more likely to work in this context). Then, after doing all this troubleshooting, some of my Windows computers could do WebDAV file sharing and some didn’t. Like so often during the work on my thesis I decided to use Ethereal in order to find out what really happened, and this brought the solution for me: be sure not to use a proxy when connecting to WebDAV (you can guess that system administrators won’t like that, for they are losing control). After these simple steps my WebDAV directory was reachable via Windows as well.

Figure 5.11: packets sent during the login to the WebDAV server

In the picture above you see three packets during the login to a WebDAV server from bart to marge (i.e. webdavserver) indicating that authentication is required. The third packet shows which folder is opened, and I only added the part below the grey line to show that IPv6 is used here ;-).

Note: I experienced an interesting behaviour when trying to access a WebDAV share via web browser. There was no user authentication and data could be transferred without any restrictions.

5.6.7 filesharing: ftp

Another method to supply files using IPv6 is ftp. I installed an ftp server for Linux on marge.sylvia.test. I chose to use pure-ftpd version 1.0.19-7. Setting it up was pretty easy using apt-get, for you simply need the packages pure-ftpd-common and pure-ftpd. This installs the ftp server to /usr/sbin/ and sets configuration details in /etc/pure-ftpd. I chose to run pure-ftpd as a daemon (“dpkg-reconfigure pure-ftpd-common” to change that). Before starting the server with “/usr/sbin/pure-ftpd -S 777 &” be sure that you have a user “ftp” on your system, creating a home directory that is accessed when using anonymous ftp. Anonymous ftp is enabled by default and so you can try logging in either by not supplying user information or by using a user account on the system. In the latter case the corresponding home directory is opened.

In order to access the ftp server I chose a Windows-enabled FTP client called Nc-FTP [40]. In the downloaded /bin directory you will find ncftp.exe, starting a command-line ftp tool. When typing “open” the address book is opened and you can add a target with all address information needed. Don’t forget to fill in the port chosen if you decided to use other than 21 (I chose 777).

Note: There is a huge list of alternative ftp software. Servers: proFTPD 1.2.9, moftpd, tnftpd/lukemftpd, wu-ftpd, ftpd 0.17 patched, fftpd, ftpd-bsd 0.3.3, ProFTPD 1.2.9, troll-ftpd 1.2.8 patched, ginseng-ftpd 1.6, and many more for Linux. For Windows there are two FTP servers, but both intended for developer-only Windows: the FTP server in Windows CE .NET and the MSRIPv6 FTP server. There are also several FTP clients like: lftp 2.6.5, tnftp 2.0, cftp 0.12, wget and the ftp version supplied by Windows XP/2003.

5.6.8 email: exim

Next step is to implement a working mailing structure for our company network. The mail server running at the moment is exim4 v4.50, which supports IPv6 when set at compile time. You have to set “HAVE_IPV6=YES” and might also need “IPV6_INCLUDE=YES” and “IPV6_LIBS=YES” in your Local/Makefile. I set all three options in the first try and then tried to recompile the source. Experiencing several errors, like the one that it could not find db.h at compile time, I then chose to remove all IPv6 options again to see whether it would work. Because this worked without any troubles I then simply set “HAVE_IPV6=YES” and successfully recompiled. (I experienced some troubles concerning the LOOKUP_LIBS when compiling (e.g. “cannot find -llber”). There are references to several things like LDAP defaulted, which I simply commented out, for I don’t use them.)

After exim is reinstalled supporting IPv6, you have to configure two files: /etc/exim4/update-exim4.conf.conf and /etc/exim4/mailname. The file /etc/exim4/mailname has to be changed to the following content:

marge6.sylvia.test

and the file /etc/exim4/update-exim4.conf.conf now looks like this:

dc_eximconfig_configtype='smarthost'
dc_primary_hostname='marge6.sylvia.test'
dc_other_hostnames='sylvia.test:marge:marge6.sylvia.test'
dc_local_interfaces='192.168.200.5 : 2001::16d8::ff47::1203::2::::5'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets='192.168.0.0/16:2001::16d8::ff47::1203::::/64'
dc_smarthost='mail.bfi-burgenland.at'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='false'
dc_mailname_in_oh='true'

As you might remember from the chapter where I set up the IPv4 network, you could, instead of altering these files, also use “dpkg-reconfigure exim4-config”. One important thing to keep in mind when editing update-exim4.conf.conf is that the colon acts as the list separator in this file. Therefore you have to double each colon that is used in an IPv6 address, as in the two lines above. After editing these files manually you have to run update-exim4.conf in order to make the changes take effect. Now you are the proud user of a system that can send emails, but not get any. Therefore we have to see whether qpopper is IPv6 enabled.

Note: Other mail transfer agents supporting IPv6 are: Zmailer 2.99.55, 8.12.9, 1.03 patched, postfix 2.0.18 patched and courier 0.42.2.
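An added Python helper (not from the thesis or from the Debian exim4 packaging) that builds and parses the colon-separated lists used in update-exim4.conf.conf, doubling every colon inside an IPv6 address the way the dc_local_interfaces and dc_relay_nets lines above do; the addresses are the ones from this page.

```python
def exim_list_item(value):
    """Escape one item for an Exim colon-separated list: ':' becomes '::'.

    Exim reads a bare ':' as the list separator and '::' as a literal colon,
    so an IPv6 address written unescaped would be split into fragments.
    """
    return value.replace(":", "::")


def exim_list(items, sep=" : "):
    """Join already-plain items into an Exim list with the given separator."""
    return sep.join(exim_list_item(item) for item in items)


def parse_exim_list(text):
    """Inverse of exim_list: split on single colons, fold '::' back to ':'."""
    items, current, i = [], "", 0
    while i < len(text):
        if text[i] == ":":
            if i + 1 < len(text) and text[i + 1] == ":":
                current += ":"        # escaped literal colon
                i += 2
                continue
            items.append(current.strip())   # bare colon: item boundary
            current = ""
        else:
            current += text[i]
        i += 1
    items.append(current.strip())
    return [item for item in items if item]


def dc_line(key, items, sep=" : "):
    """Render one update-exim4.conf.conf assignment, e.g. dc_local_interfaces."""
    return "%s='%s'" % (key, exim_list(items, sep))


if __name__ == "__main__":
    # interfaces and relay networks of marge as given in the thesis
    print(dc_line("dc_local_interfaces",
                  ["192.168.200.5", "2001:16d8:ff47:1203:2::5"]))
    print(dc_line("dc_relay_nets",
                  ["192.168.0.0/16", "2001:16d8:ff47:1203::/64"], sep=":"))
```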

5.6.9 email: courier [41]

Since qpopper does not support IPv6 there are several alternative mailbox daemons: solidpop3d 0.15, courier-pop3d 0.42.2, courier-imapd 0.42.2, cyrus-imapd 2.2.1-BETA, 0.99.10.6 and bincimapd 1.2.10. Because the homepage of solidpop3d was down the day I wanted to install the software and cyrus-imapd had some strange errors after installation about a missing connection to my mailserver, I decided to use courier-imapd. You could either install courier-imapd using the sources or from the apt repository, as I chose to. First you have to install courier-authdaemon with its configuration file at /etc/courier/authdaemonrc using authpam and then install courier-imapd (I use version 3.0.8-4). Other interesting files in this context are /etc/courier/imapd and /etc/pam.d/imap. If you want you can additionally install courier-doc providing information on courier. When trying to login I got the error: FATAL ERROR: Maildir: no such file or directory. In the file /etc/courier/imapd the last entry is about the mail directory, setting it to

MAILDIRPATH=${home}/Maildir

Now we have to face the fact that by default exim stores the mails in a single file while courier needs a directory to be set. As a consequence we have to modify /etc/exim4/configure first.

First update the transports section by exchanging the transport “local_delivery” with what is written below. Please be sure that the old transport “local_delivery”, setting mail delivery to a single file, is commented out.

### from transports section
local_delivery:
  driver = appendfile
  group = mail
  mode = 0660
  mode_fail_narrower = false
  envelope_to_add = true
  return_path_add = true
  directory = ${home}/Maildir
  maildir_format = true
  prefix = ""

${home} is expanded to the user directory of each mail user and is the default value here. I chose to be more conservative here and instead of editing the part discussed above I set the address_directory transport to the following in order to allow a per-user Maildir only:

### from transports section
address_directory:
  driver = appendfile
  no_from_hack
  prefix = ""
  suffix = ""
  maildir_format

Next step is to edit the userforward director to contain the following.

### from routers configuration section
userforward:
  driver = forwardfile
  check_local_user
  file = $home/.forward
  no_verify
  check_ancestor
  file_transport = address_file
  pipe_transport = address_pipe
  reply_transport = address_reply
  directory_transport = address_directory
  modemask = 002
  filter

Now the directory_transport points to the address_directory specified before. When uncommenting the “filter” option, you can use .forward files in order to have Exim filtering. Using this configuration every user that wants mail to be stored in a maildir needs a “.forward” file pointing to that maildir:

echo /home/elsylo/Maildir/ > /home/elsylo/.forward
echo /home/sylvia/Maildir/ > /home/sylvia/.forward

Be sure that each “.forward” file is owned by the appropriate user and that you did not forget the trailing slash at “/home/elsylo/Maildir/”. Now everything that has to be configured is done and you can test your configuration.

Note: Because the directories for the mails are not created yet, I experienced that courier only worked after sending the second mail (it automatically creates the folder needed when the first mail is sent - you might want to create them first).

5.6.10 mail-client: thunderbird

Thunderbird 1.0.2 is IPv6 enabled and therefore can simply be configured using marge6.sylvia.test, port 143 for IMAP and port 25 for SMTP use. Thunderbird was not capable of using the IPv6 addresses in the configuration of the email account options (not even when put in square brackets). FQDNs had to be used.

Figure 5.12: The sending of an email from a Windows host

5.6.11 mail-client: outlook and outlook express

As far as I could find out on the internet, Outlook and Outlook Express both don’t support IPv6. I also tried making a new account with the mail servers set to marge6.sylvia.test or [2001:16d8:ff47:1203:2::5] respectively, but both just resulted in an error message that the server could not be found.

Figure 5.13: Error when sending a message with Outlook telling that the servers could not be found

Note: Other email clients supporting IPv6 are: mozilla-mail 1.4, ximian-evolution 1.4.5, pine 4.58 patched, mutt 1.41, sylpheed 0.9.6, sylpheed-claws 0.9.5 and Kmail 3.1.2.

5.6.12 VoIP: asterisk [42] [43]

Much to my regret I had to find out that asterisk is not yet IPv6 capable. There is a patch providing some IPv6 connectivity features, but it is not very widely used. There has also been a bounty for writing an IPv6 patch, but although the time has expired no patch is available by now. There are two Linux-based softphones available called linphone and kphone supporting IPv6, and two SIP phones, one from Moimstone (IP250) and one from FreeBit (Business Phone).

5.6.13 time: ntpd, ntpdate

Both ntpd and ntpdate are IPv6 capable and work without trouble. The ntpd version installed is 4.2.0 and the only thing I had to do was to set an IPv6 time server in /etc/ntp.conf. Here is a list of some IPv6 capable stratum 1 servers:

ntp.rhrk.uni-kl.de (IPv4 and IPv6)
ntp6.remco.org (IPv6)
chime3.ipv6.surfnet.nl (IPv6)
ntp.ipv6.viagenie.qc.ca (IPv6)

I chose the one from surfnet. ntp itself should be IPv6 capable when installed on an IPv6 enabled host. Now, if you want to query your ntpd, simply type

ntpdate 2001:16d8:ff47:1203:2::1

on marge.sylvia.test and the time will be adjusted to the time set on bart.sylvia.test, using IPv6.

Figure 5.14: ntpdate from marge (i.e. webdavserver) to bart

The big world of Windows applications has no free IPv6 NTP client (and one commercial client that might work) to set the time on Windows hosts.

5.6.14 domain controller: Active Directory

When I started migrating I thought that Active Directory, together with file sharing, would not produce a lot of trouble, because most websites claimed full support for IPv6 on Windows (in fact that is mostly all the information I could get on Microsoft's websites). On most sites I could read a lot about transition techniques like the various tunnels and so on, but there was not much written about the services that really support IPv6 on Windows PCs, and that is what made my search for help pretty hard.

When I found out that a host does not log on to Active Directory via netlogon using IPv6 per default, I tried tricks like setting the IPv4 address to a non-existing value so that it might have to use IPv6. As you might have guessed, it didn't work. The interesting thing was, on the other hand, that during netlogon DNS was queried for the domain controller and, because I am using dynamic updates from the host running Active Directory, there even was an AAAA entry returned to the querying host.

But let's start from the beginning. The first thing I changed in my network topology was the server running Active Directory. When reading this thesis cover to cover you might remember that Active Directory formerly ran on a Windows 2000 Advanced Server and that this server was updated to Windows 2003 Server in order to enable file sharing between Windows hosts. So Active Directory had to be set up again (which was not much work, for I only entered two users). Then I had to enable dynamic updating for the new domain controller in my bind configuration. This is done by updating /etc/bind/named.conf.local:

zone "sylvia.test" IN {
    type master;
    file "/etc/bind/db.sylvia.test";
    allow-update { 192.168.200.19; 2001:16d8:ff47:1203:2::13; };
};

The line "allow-update" enables dynamic updating, i.e. services can register themselves in DNS. Note that an allow-update list of addresses only means that any packet carrying one of these source addresses, and any process on those hosts, may rewrite the zone; outside a lab, BIND should instead require a TSIG-signed update (allow-update { key ...; } or an update-policy statement).

This may take some minutes until DNS is updated for the first time; it will create a journal file *.jnl, with * being the name of the corresponding zone file. The latter is updated with the information retrieved from the .jnl file, which results in the following zone entries:

Figure 5.15: some of the dynamic DNS entries produced by Windows 2003

When sniffing the whole logon process I found out that, although DNS is queried and returns wiggum.sylvia.test for the services needed (wiggum is an AAAA site-local entry), everything is done using IPv4. I then tried to query newsgroups, mailing lists and lots of homepages for this issue and found someone telling me he had a working Active Directory system using IPv6. Since I could not get more details from him, I decided to ask Microsoft again. They told me that Windows 2003 Server does not support IPv6, or in more detail, Kerberos as well as LDAP will fail but SMB negotiation will work. You can only guess how long it took me to get such a detailed answer. ;o)

Tip: OpenLDAP v2.0 natively supports IPv6.

5.6.15 printing: cups

CUPS versions older than 1.2 do not support IPv6 and therefore I installed a newer version on marge.sylvia.test. I downloaded the sources of cups-1.2.x-r4608 and installed them. You can type "lpstat -t" in order to see all printers configured with all details available or, as before, you can use the GUI at http://localhost:631. After many attempts to configure this cups version I downloaded an even newer snapshot of CUPS (1.2svn-r4929). In the file /etc/cups/cupsd.conf add two entries in order to listen on IPv6 addresses:

Listen [::1]:631
Listen [2001:16d8:ff47:1203:2::5]:631

The second line makes the scheduler reachable on a global address, so make sure the Location blocks in cupsd.conf (Order/Allow/Deny) and your packet filter restrict who may reach port 631.

For configuring a client you simply have to set the IPv6 address of the CUPS server in the file /etc/cups/client.conf:

ServerName [2001:16d8:ff47:1203:2::5]

You can test your IPv6-capable printer by printing a file with lpr.

Figure 5.16: CUPS using IPv6

Note: Only from reading the comments on the snapshots was I able to find out that earlier 1.2 snapshots have trouble with IPv6 addresses.

Windows: I could not manage to connect to the CUPS server from Windows.

5.6.16 radio: Virgin radio

A very nice, but also very important, use of IPv6 is listening to IPv6-only radio. The University of Southampton has a live stream of Virgin Radio that supports IPv6 only and can be listened to using e.g. Windows Media Player 10, iTunes 4.5, zinf, etc. Check it out at http://www.ipv6.ecs.soton.ac.uk/virginradio/. Below you see some packets from the initialization phase of Virgin Radio.

Figure 5.17: initialization of virgin radio

5.6.17 instant messaging: irc, msn

Another fun way of using IPv6 is an instant messaging service like MSN or IRC. There are several IRC clients that are already IPv6 enabled. I chose TurboIRC, a small IRC client for Windows-based systems, and checked out some IPv6 servers.

Figure 5.18: IRC chatting via IPv6

Another cool thing is to enable IPv6 with MSN, and to make MSN even cooler you can add the software called threedegrees from www.threedegrees.com (which has gone offline by now). But don't be sad, you can still get it from Microsoft at http://download.microsoft.com/download/b/3/2/b3251b5b-76fb-46f7-bd6c-f5644713dff6/squiggles.exe. Using this piece of software you can watch pictures and listen to music with up to ten people around the world at once (this could be considered Microsoft's answer to file sharing). I tried this software together with my friend Mustafa from Turkey, who works on IPv6 as well, and pretty much enjoyed adding items to a shared playlist and listening to the songs together. This is an approach showing what peer-to-peer and IPv6 can do to people who do not yet recognize the advantages. [44]

Figure 5.19: Peer2Peer communication with my friend Mustafa (2001:4bd0:2031::4) using 3degree

5.6.18 authentication: ipsec6

ipsec6 is a Windows command-line application that provides data authentication and data integrity. It is not for production use yet, for it does not supply any encryption and relies on static keying, with keys being stored in plain text on the host. ipsec6 can be used to configure policies and security associations between two hosts. In a security association (SA), authentication is provided by an Authentication Header (AH) using either HMAC-MD5 (Message Digest 5) or HMAC-SHA1 (Secure Hash Algorithm 1).

To set up an ipsec6 environment I started by creating a folder on my hard disk, changed to this folder on the command line and then typed

ipsec6 s thesis

This command creates a blank security association file (thesis.sad) and a security policy file (thesis.spd, usually already containing one entry), both called "thesis". ipsec6 is available for computers running Windows XP Service Pack 1 and higher and Windows 2003 Server. I chose to enable ipsec6 between my two Windows 2003 Server computers:

client1: wiggum.sylvia.test, site-local address fec0::1:20a:5eff:fe22:afd6
client2: flanders.sylvia.test, site-local address fec0::1:250:baff:fe17:2d3d

I started configuring client1 by setting up the "thesis.spd" file. Add the new entry before the one already existing in the file. Please note that policies must be placed in decreasing order.

Field Name       Value
Policy           2
RemoteIPAddr     fec0::1:250:baff:fe17:2d3d
LocalIPAddr      *
Protocol         *
RemotePort       *
LocalPort        *
IPSecProtocol    AH
IPSecMode        TRANSPORT
RemoteGWIPAddr   *
SABundleIndex    NONE
Direction        BIDIRECT
Action           APPLY
InterfaceIndex   0

Important: It is very important to add a trailing semicolon to each line and not to use tab stops instead of spaces.

After setting the values in the *.spd file you can continue with altering the *.sad file. Here we need two new lines, which I indicate by listing them in two columns:

Field Name       Value for Line 1             Value for Line 2
SAEntry          2                            1
SPI              3001                         3000
SADestIPAddr     fec0::1:250:baff:fe17:2d3d   fec0::1:250:baff:fe17:2d3d
DestIPAddr       POLICY                       POLICY
SrcIPAddr        POLICY                       POLICY
Protocol         POLICY                       POLICY
DestPort         POLICY                       POLICY
SrcPort          POLICY                       POLICY
AuthAlg          HMAC-MD5                     HMAC-MD5
KeyFile          myfile.key                   myfile.key
Direction        OUTBOUND                     INBOUND
SecPolicyIndex   2                            2

Don't forget the semicolon at the end of each line again! Two SA entries have been made, one for outbound and one for inbound traffic. Both require a key file called "myfile.key". You could also use different key files for inbound and outbound communication but, since this way of using ipsec6 isn't secure anyway, I decided to keep the same one. SA entries are added in decreasing order as well.

The key file is a simple plain-text file residing in the same folder as the two files processed above. Name the file you created "myfile.key" and be very careful what you type in this file: each space or line feed makes a difference, and this file must be identical to the one residing on client2 of the ipsec6 communication.

On client2 (flanders) you need the same configuration as well. Start by creating the files with "ipsec6 s thesis" and then edit the "thesis.spd" file first (don't forget to create this entry before the existing entry):

Field Name       Value
Policy           2
RemoteIPAddr     fec0::1:20a:5eff:fe22:afd6
LocalIPAddr      *
Protocol         *
RemotePort       *
LocalPort        *
IPSecProtocol    AH
IPSecMode        TRANSPORT
RemoteGWIPAddr   *
SABundleIndex    NONE
Direction        BIDIRECT
Action           APPLY
InterfaceIndex   0

After you have put a semicolon at the end of the line, edit "thesis.sad":

Field Name       Value for Line 1             Value for Line 2
SAEntry          2                            1
SPI              3001                         3000
SADestIPAddr     fec0::1:20a:5eff:fe22:afd6   fec0::1:20a:5eff:fe22:afd6
DestIPAddr       POLICY                       POLICY
SrcIPAddr        POLICY                       POLICY
Protocol         POLICY                       POLICY
DestPort         POLICY                       POLICY
SrcPort          POLICY                       POLICY
AuthAlg          HMAC-MD5                     HMAC-MD5
KeyFile          myfile.key                   myfile.key
Direction        OUTBOUND                     INBOUND
SecPolicyIndex   2                            2

Don't forget the semicolons at the end of each line, and then create a "myfile.key" on client2 as well, containing the same word(s) as on client1. In order to load the Security Associations and the Security Policy on a PC you have to type the following command on each client:

ipsec6 l thesis

In case you made an error in one of the files you will get a message that the security association or the security policy could not be added. One of my problems was that in the first try I used tab stops instead of spaces (the error message was about an invalid address range), and another problem was that I had too many spaces in each line (the error message is something like: line too long). Simply remove some of the spaces and it will work. Don't wonder if it tells you only one Security Policy has been added: the one that already was in the file is loaded by default upon startup. (The command we used in the beginning, "ipsec6 s thesis", simply looks on your computer for the security associations and policies available and prints them to a file. If you ran the same command now, it would print the new data we added to the files.) Please keep in mind that the policies and associations added by this technique are not persistent and have to be loaded manually after startup. To see which Security Associations are set at the moment, type:

ipsec6 sa

To do the same for security policies use:

ipsec6 sp

If you want to delete Security Association number 2, type:

ipsec6 d sa 2

You can use a similar command for deleting Security Policy number 2:

ipsec6 d sp 2

Now we are able to try our ipsec6 implementation by pinging the host with the address used in the files (I tried this with link-local addresses with ZoneID and with site-local addresses consecutively). When pinging the other client you can see the Authentication Header being appended to each packet:

Figure 5.20: ping from client1 (wiggum) to client2 (flanders) with Authen- tication Header

Above you see one of the ICMPv6 packets sent by client1 and below you have the details containing the Authentication Header. You can see the SPI set above as well (0xbb9 = 3001). This all looks pretty good, and everything worked except for the echo reply when using ipsec6. I guess I tried this ten times and always had the same result: the ping goes out but no reply is sent back (time-out). I did not find any errors reported in the event log, nor when I looked at the ICMPv6 errors (netstat -s -p icmpv6). Because I was already in contact with Microsoft, I asked them whether ipsec6 worked for them and got the answer, from someone my mails concerning IPv6 were forwarded to, that this only worked sometimes when he configured it and, because it is not for production use anyway, it wouldn't be that interesting. He also assured me that Windows Vista would have better IPsec support for IPv6. And so my ping never came back ... But, of course, I was eager to try something providing this functionality and therefore I tried OpenSWAN on Linux.
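The Authentication Header in the sniff above only authenticates; it hides nothing. The following added example (my own code, not part of the thesis or of ipsec6) builds an IPv6 transport-mode AH packet for the two site-local addresses and SPI 3001 from the files above and computes and verifies the HMAC-MD5-96 Integrity Check Value the way RFC 2402 and RFC 2403 specify it. The key bytes are a constructed stand-in for "myfile.key" (the page does not document how ipsec6 turns the file into an HMAC key, so the bytes are used directly), and the ICMPv6 echo request is constructed here. It shows what ipsec6 gives you (a changed payload or a wrong key fails the check, while a changed hop limit does not, because AH treats it as mutable) and what it does not give you (the payload is still readable).

```python
"""IPv6 AH (RFC 2402) transport mode with HMAC-MD5-96 (RFC 2403): build and verify.

Added example, not code from the thesis or from ipsec6. KEY is a constructed
stand-in for the plain-text "myfile.key"; the addresses and SPI are from the thesis.
"""
import hashlib
import hmac
import struct
from ipaddress import IPv6Address

AH_PROTO = 51          # IPv6 Next Header value of the Authentication Header
ICMPV6_PROTO = 58
AH_FIXED_LEN = 12      # next header, payload len, reserved, SPI, sequence number
ICV_LEN = 12           # HMAC-MD5-96: the 16-byte MAC is truncated to 96 bits

CLIENT1 = "fec0::1:20a:5eff:fe22:afd6"   # wiggum.sylvia.test (from the thesis)
CLIENT2 = "fec0::1:250:baff:fe17:2d3d"   # flanders.sylvia.test (from the thesis)
KEY = b"thesis-shared-secret"            # assumption: stands in for myfile.key


def ipv6_header(src, dst, payload_len, next_header, hop_limit=64, tclass=0, flow=0):
    """Build a 40-byte IPv6 base header."""
    first_word = (6 << 28) | (tclass << 20) | flow
    return (struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
            + IPv6Address(src).packed + IPv6Address(dst).packed)


def zero_mutable(ip6):
    """Zero the fields AH treats as mutable in transit: traffic class, flow label, hop limit."""
    return struct.pack("!I", 6 << 28) + ip6[4:7] + b"\x00" + ip6[8:]


def ones_complement_checksum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmpv6_echo_request(src, dst, ident, seq, data):
    """ICMPv6 echo request with a correct checksum over the IPv6 pseudo-header."""
    body = struct.pack("!BBHHH", 128, 0, 0, ident, seq) + data
    pseudo = (IPv6Address(src).packed + IPv6Address(dst).packed
              + struct.pack("!IxxxB", len(body), ICMPV6_PROTO))
    csum = ones_complement_checksum(pseudo + body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


def ah_fixed(next_header, spi, seq):
    """AH header without its ICV; the length field counts 32-bit words minus 2."""
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)


def ah_icv(key, ip6, ah, upper):
    """HMAC-MD5-96 over immutable header fields, AH with zeroed ICV, and the payload."""
    authenticated = zero_mutable(ip6) + ah + b"\x00" * ICV_LEN + upper
    return hmac.new(key, authenticated, hashlib.md5).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, upper, spi, seq, hop_limit=64):
    """Transport mode: IPv6 header | AH | original upper-layer data, still in clear text."""
    ip6 = ipv6_header(src, dst, AH_FIXED_LEN + ICV_LEN + len(upper), AH_PROTO, hop_limit)
    ah = ah_fixed(ICMPV6_PROTO, spi, seq)
    return ip6 + ah + ah_icv(key, ip6, ah, upper) + upper


def verify_ah_packet(key, packet):
    """Recompute the ICV on receipt; constant-time compare so a forger learns nothing."""
    ip6, rest = packet[:40], packet[40:]
    if ip6[6] != AH_PROTO:
        return False
    ah = rest[:AH_FIXED_LEN]
    ah_total = (ah[1] + 2) * 4            # length field -> total AH length in bytes
    icv, upper = rest[AH_FIXED_LEN:ah_total], rest[ah_total:]
    return hmac.compare_digest(icv, ah_icv(key, ip6, ah, upper))


def ah_spi(packet):
    """SPI of the AH in a transport-mode IPv6 packet (bytes 44..48)."""
    return struct.unpack("!I", packet[44:48])[0]


# Constructed sample traffic: the echo request client1 sends to client2 in the thesis
ECHO = icmpv6_echo_request(CLIENT1, CLIENT2, ident=1, seq=1, data=b"thesis")
PACKET = build_ah_packet(KEY, CLIENT1, CLIENT2, ECHO, spi=3001, seq=1)

if __name__ == "__main__":
    print("SPI 0x%x, ICV valid: %s" % (ah_spi(PACKET), verify_ah_packet(KEY, PACKET)))
    print("echo data readable in the packet:", b"thesis" in PACKET)
```

Running the block reports the SPI as 0xbb9, the value visible in the sniff, and confirms that the echo data is still readable in the packet bytes; that is the whole difference between AH and the ESP setup of the next section.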

5.6.19 encryption: OpenSWAN

To be precise, there are two ways of sending your packets when encrypting: tunnel mode and transport mode. In transport mode (which I chose) only the payload is encrypted and the original IP header is kept in clear text, while in tunnel mode the whole packet is encrypted and a new IP header is prepended. IPsec, as seen before, needs an exchange of keys in order to provide authenticated and encrypted communication. There are two ways of providing authentication: through pre-shared keys (simple) or by using RSA keys. I chose a pre-shared key environment for my lab.

The next thing to choose is which IKE daemon you want to use: on one side there is "racoon" and on the other "pluto", which is said to be a bit less difficult to configure. "racoon" is derived from the KAME project and "pluto" is included in the distributions of the *S/WAN projects. The first project was FreeS/WAN, which ended in 2004 and produced two successors: strongSWAN and OpenSWAN. I decided to use OpenSWAN.

Configuring OpenSWAN is not a big deal. You start with the config file /etc/ipsec.conf (at marge.sylvia.test):

version 2.0

config setup

include /etc/ipsec.d/examples/no_oe.conf

conn ipv6-p1-p2
    connaddrfamily=ipv6
    left=2001:16d8:ff47:1203:2::5
    right=2001:16d8:ff47:1203:2::1
    authby=secret
    esp=aes128-sha1
    ike=aes128-sha-modp1024
    type=transport
    compress=no
    auto=add

The line "conn ipv6-p1-p2" defines the connection to use, for you can define multiple connections to multiple hosts. This connection is established between marge.sylvia.test, 2001:16d8:ff47:1203:2::5, here defined as "left", and bart.sylvia.test, 2001:16d8:ff47:1203:2::1, here denoted as "right". Please note that this config file is taken from marge.sylvia.test. The only line that matters specifically for IPv6 is "connaddrfamily=ipv6". The pre-shared key environment, the encryption type and the type of usage (transport) are also defined here. The next, and last, step is to provide a key. This is done by setting the key used between these hosts in the file /etc/ipsec.secrets:

2001:16d8:ff47:1203:2::5 2001:16d8:ff47:1203:2::1 : PSK "foo"

The PSK "foo" is of course only a placeholder; use a long random secret and keep /etc/ipsec.secrets readable by root only, since the whole security of a pre-shared key setup rests on it. Setting the same options on the second host participating in this encrypted communication (bart.sylvia.test) is the last step here. Now we have to test our configuration. Start ipsec with

/etc/init.d/ipsec start

Then the specific connection you want to use (mine is called "ipv6-p1-p2") has to be brought up on one of the peers by typing:

ipsec auto --up ipv6-p1-p2

You should see the following output, with the line "IPsec SA established" proving that the payload is encrypted between these two hosts from now on:

104 "ipv6-p1-p2" #1: STATE_MAIN_I1: initiate
003 "ipv6-p1-p2" #1: received Vendor ID payload [Openswan (this version) 2.4.0 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "ipv6-p1-p2" #1: received Vendor ID payload [Dead Peer Detection]
106 "ipv6-p1-p2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "ipv6-p1-p2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "ipv6-p1-p2" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
117 "ipv6-p1-p2" #2: STATE_QUICK_I1: initiate
004 "ipv6-p1-p2" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x4701be00 <0xd52c991d xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}

The "setkey" command, e.g. "setkey -D", will also give you detailed information on a running IPsec environment.
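Seeing "IPsec SA established" is the first check; the second is that what pluto negotiated is what ipsec.conf asked for, because the peers only agree on what both sides offer and a misconfigured side may accept something weaker. The following added example (my own code, not from the thesis or from OpenSWAN) parses the output above, embedded here as constructed sample input, and compares the negotiated phase 1 and phase 2 parameters with the conn definition. The translation of ipsec.conf names into the names pluto logs is my own and covers only the algorithm names used on this page.

```python
"""Check that the SAs pluto reports match the configured ipsec.conf policy.

Added example, not code from the thesis or from OpenSWAN. SAMPLE_LOG is the
"ipsec auto --up ipv6-p1-p2" output from the thesis, embedded as sample input.
"""
import re

SAMPLE_LOG = """\
104 "ipv6-p1-p2" #1: STATE_MAIN_I1: initiate
003 "ipv6-p1-p2" #1: received Vendor ID payload [Openswan (this version) 2.4.0 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "ipv6-p1-p2" #1: received Vendor ID payload [Dead Peer Detection]
106 "ipv6-p1-p2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "ipv6-p1-p2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "ipv6-p1-p2" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
117 "ipv6-p1-p2" #2: STATE_QUICK_I1: initiate
004 "ipv6-p1-p2" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x4701be00 <0xd52c991d xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
"""

# The relevant keys of the thesis's "conn ipv6-p1-p2" definition
POLICY = {"authby": "secret", "esp": "aes128-sha1", "ike": "aes128-sha-modp1024"}

ISAKMP_RE = re.compile(r"ISAKMP SA established \{([^}]*)\}")
IPSEC_RE = re.compile(r"IPsec SA established \{ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+) ([^}]*)\}")


def _kv(text):
    """'a=b c=d' -> {'a': 'b', 'c': 'd'}"""
    return dict(item.split("=", 1) for item in text.split())


def expected_from_policy(policy):
    """Translate ipsec.conf names (aes128-sha-modp1024) into the names pluto logs.
    Assumption: only the aes/sha/modp names used on this page are handled."""
    cipher, hash_, group = policy["ike"].split("-")
    esp_cipher, esp_hash = policy["esp"].split("-")
    return {
        "auth": "OAKLEY_PRESHARED_KEY" if policy["authby"] == "secret" else "OAKLEY_RSA_SIG",
        "cipher": cipher.replace("aes", "aes_"),        # aes128 -> aes_128
        "prf": "oakley_" + hash_.rstrip("1"),           # sha or sha1 -> oakley_sha
        "group": group,
        "xfrm": "%s-HMAC_%s" % (esp_cipher.replace("aes", "aes_").upper(), esp_hash.upper()),
    }


def check_negotiation(log, policy):
    """Parse pluto's output and return the SA parameters plus a list of findings.
    An empty findings list means both phases completed with the configured algorithms."""
    expected = expected_from_policy(policy)
    findings = []
    result = {"isakmp": None, "ipsec": None, "findings": findings}

    m = ISAKMP_RE.search(log)
    if not m:
        findings.append("ISAKMP (phase 1) SA was not established")
    else:
        result["isakmp"] = _kv(m.group(1))
        for field in ("auth", "cipher", "prf", "group"):
            got = result["isakmp"].get(field)
            if got != expected[field]:
                findings.append("phase 1 %s is %s, policy expects %s" % (field, got, expected[field]))

    m = IPSEC_RE.search(log)
    if not m:
        findings.append("IPsec (phase 2) SA was not established: traffic is NOT protected")
    else:
        params = _kv(m.group(3))
        result["ipsec"] = {"spi_out": m.group(1), "spi_in": m.group(2), **params}
        if params.get("xfrm") != expected["xfrm"]:
            findings.append("ESP transform is %s, policy expects %s" % (params.get("xfrm"), expected["xfrm"]))
        if "HMAC" not in params.get("xfrm", ""):
            findings.append("ESP negotiated without integrity protection")
    return result


if __name__ == "__main__":
    report = check_negotiation(SAMPLE_LOG, POLICY)
    print(report["ipsec"])
    print(report["findings"] or "negotiated SAs match the configured policy")
```

For the output above the check passes and reports the two ESP SPIs (0x4701be00 outbound, 0xd52c991d inbound), which are the values you can match against "setkey -D" and against the ESP packets in a sniff.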

Figure 5.21: pinging and digging between marge (ns1) and bart, encrypted

Above you can see some packets from the communication between marge and bart. These were some ICMP echo requests and replies and a dig command. I know this because I did the sniff; the data is of course encrypted and you cannot figure out what really happened ;o). The protocol used is ESP, Encapsulating Security Payload. The IP header, on the other hand, is plain text.

Note: There are several other daemons for configuring a Virtual Private Network: Linux has IPsec features built into kernel 2.6.x, yavipin 0.9.6, openVPN 1.6.0, freeSWAN 2.06, openSWAN 2.2.0 and strongSWAN 2.1.3.

Hint: You can also configure e.g. OpenSWAN to work with your Windows 2000 or Windows XP hosts when using IPv4. [45]

5.6.20 Remote control: ssh

Another important application is remote login using SSH. SSH and sshd for Linux both support IPv6 since version 3.6.1. You can use the "ssh" command either with the hostname or with the IP address; both ways work. Windows does not supply an IPv6-capable SSH client, but I'd recommend using PuTTY (v0.58) on Windows-based clients. Simply put in the hostname, the FQDN or the IPv6 address and everything will just work without trouble.

Figure 5.22: SSH using PuTTY from nelson (2001:16d8:ff47:1203:2::22) to marge (ns1.sylvia.test)

5.6.21 VNC: TightVNC

Virtual Network Computing is a platform-independent desktop-sharing system which can be used via IPv6 using a patched version [46]. TightVNC is available for Windows and Linux and works pretty quickly. I experienced some trouble when running the WinVNC server on Windows XP, but it may have something to do with the huge CPU load on this PC. So I decided to run the TightVNC server on Windows 2003 (wiggum6.sylvia.test) and the client on this Windows XP (nelson6.sylvia.test). The connection only worked after I checked the option "Allow loopback connections" in the advanced settings of the WinVNC server (before I checked it I got the following error: "Local-loop back connections are disabled").

TightVNC protects the password with a challenge-response during authentication but does not encrypt the session traffic itself. It is recommended to use VNC only on trusted networks, or through an encrypted tunnel (e.g. SSH port forwarding or the IPsec setup above) on untrusted networks.

5.6.22 Remote control: telnet

Although Microsoft's telnet server is not IPv6-enabled per default, you can still use it. First simply check whether typing "telnet wiggum6" to connect to a Windows 2003 Server running an IPv4 telnet server works. If not, you can make it IPv6-enabled yourself. Because telnet is a protocol that does not add any address information to the upper-layer PDUs, you can simply proxy the data. Therefore you need a PortProxy forwarding traffic destined to IPv6 port 23 to IPv4 port 23. This is done with:

netsh interface portproxy add v6tov4 23

When you "nmap -6" the host running the telnet server you can see the port being open on IPv6 as well. Keep in mind that the proxy listens on the host's IPv6 addresses independently of whatever restrictions applied to the IPv4 listener, and that telnet carries passwords in clear text; SSH is the better choice for anything but a lab. Then I simply used PuTTY to establish a telnet connection, and here you can see that it worked:

Figure 5.23: Telnet connection between nelson6 and wiggum6 (server)

5.6.23 Monitoring traffic: ntop

When monitoring traffic, established connections and things like protocol use you will very likely use ntop. It is an easy-to-use graphical tool logging the traffic in your network and even drawing colourful graphs. But the best thing is: you don't have to do anything in order to support IPv6. Here is my overall protocol use graph:

Figure 5.24: Protocols used in my network

5.6.24 monitoring privoxy: webalizer

In order to use webalizer for privoxy you need to make some changes. First create a new configuration file (note that I do not alter the old one: since the IPv6 migration cannot take place fully by now, I still want to keep an eye on what squid is doing as well). This new configuration file is called /etc/webalizerPrivoxy.conf and should update the following lines:

LogFile /var/log/privoxy/logfile
LogType CLF
OutputDir /var/www/webalizerPrivoxy

You need to define a log file other than the default one, because the default is used for squid. Privoxy uses a different LogType, called Common Log Format or CLF for short. If you forget to set this, webalizer will not be able to read the log files produced by privoxy. The last thing that had to be changed is the OutputDir, so that the two webalizer instances don't overwrite each other.

Note: If not done yet, you might need to set your Privoxy to log in Common Log Format. This is done in the config file by setting "debug 512".

Last but not least you need to add an entry to /etc/crontab for the new instance of webalizer ("-c /etc/webalizerPrivoxy.conf" sets the configuration file used to /etc/webalizerPrivoxy.conf).

0 * * * * root webalizer -c /etc/webalizerPrivoxy.conf

Figure 5.25: Webalizer graph for privoxy

5.6.25 monitoring ports: nmap

Newer versions of nmap are IPv6-enabled per default but lack the other scanning mechanisms for IPv6, like UDP scans. In order to use methods other than -sT, -sP and -sL I found a nice patch on the internet. First you need an older version of nmap, "nmap-2.54BETA36", which you can get in the code repository at http://www.insecure.org/nmap/dist-old/. After unzipping and untarring I changed the install directory in the configure file in order not to interfere with the existing nmap installation. The next thing is to patch the sources using the patch found at http://nmap6.sourceforge.net:

patch -d <

After patching the sources:

./configure
make
su
make install

and try it with e.g. a localhost UDP scan:

./nmap -6 -sU -P0 ::1

5.6.26 firewall: iptables

Although iptables can filter IPv6 traffic as well, stateful filtering is only available with Linux kernel 2.6.12 and higher. Since I do not have a computer with this kernel version, I only implemented an IPv6 firewall with stateless packet filtering. Note that a stateless IPv6 filter must still let the ICMPv6 Neighbor Discovery messages through, otherwise address resolution on the link breaks. See the appendix for my firewall implementation.
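The firewall itself is in the appendix. As an added illustration (my own code, not the thesis's ruleset), the following generator shows what a stateless IPv6 filter has to contain to keep a host working and reasonably closed: the four Neighbor Discovery types with hop limit 255, the ICMPv6 error types, a "not SYN" rule as the stateless stand-in for "established", and a drop for type 0 routing headers. The interface name, the site prefix and the service list are assumptions; the rules are built as argument lists so they can be reviewed before apply_rules() hands them to ip6tables.

```python
"""Generate a stateless ip6tables INPUT ruleset for a host without IPv6 conntrack.

Added example, not the firewall from the thesis appendix. Interface, prefix and
service list are assumptions; render() returns the script for review.
"""
import subprocess

# ICMPv6 types a stateless IPv6 filter must never block (RFC 4861 / RFC 4890)
ND_TYPES = {133: "router solicitation", 134: "router advertisement",
            135: "neighbor solicitation", 136: "neighbor advertisement"}
ERROR_TYPES = {1: "destination unreachable", 2: "packet too big",
               3: "time exceeded", 4: "parameter problem"}


def stateless_rules(wan_if, site_prefix, tcp_services=(22,), ping_limit="5/s"):
    """Return ip6tables argument lists (without the binary) for a stateless host filter."""
    rules = [
        ["-P", "INPUT", "DROP"], ["-P", "FORWARD", "DROP"], ["-P", "OUTPUT", "ACCEPT"],
        ["-F", "INPUT"],
        ["-A", "INPUT", "-i", "lo", "-j", "ACCEPT"],
        # RFC 5095: type 0 routing headers enable traffic amplification; drop them first
        ["-A", "INPUT", "-m", "rt", "--rt-type", "0", "-j", "DROP"],
        # Our own site prefix must never arrive as a source address from the outside
        ["-A", "INPUT", "-i", wan_if, "-s", site_prefix, "-j", "DROP"],
    ]
    # Neighbor Discovery is link-local and always sent with hop limit 255; requiring
    # hl 255 rejects ND messages that were forwarded from another link.
    for t in ND_TYPES:
        rules.append(["-A", "INPUT", "-p", "icmpv6", "--icmpv6-type", str(t),
                      "-m", "hl", "--hl-eq", "255", "-j", "ACCEPT"])
    for t in ERROR_TYPES:
        rules.append(["-A", "INPUT", "-p", "icmpv6", "--icmpv6-type", str(t), "-j", "ACCEPT"])
    rules.append(["-A", "INPUT", "-p", "icmpv6", "--icmpv6-type", "128",
                  "-m", "limit", "--limit", ping_limit, "-j", "ACCEPT"])
    rules.append(["-A", "INPUT", "-p", "icmpv6", "--icmpv6-type", "129", "-j", "ACCEPT"])
    # Without conntrack, "established" can only be approximated: accept TCP segments
    # that are not connection openers so replies to our own connections get in ...
    rules.append(["-A", "INPUT", "-p", "tcp", "!", "--syn", "-j", "ACCEPT"])
    # ... and open only the services we really offer to new connections.
    for port in tcp_services:
        rules.append(["-A", "INPUT", "-p", "tcp", "--syn", "--dport", str(port), "-j", "ACCEPT"])
    # DNS answers: a stateless filter has to trust the source port. This is the main
    # weakness of the approach and the reason to move to a conntrack-capable kernel.
    rules.append(["-A", "INPUT", "-p", "udp", "--sport", "53", "--dport", "1024:65535",
                  "-j", "ACCEPT"])
    rules.append(["-A", "INPUT", "-m", "limit", "--limit", "3/min", "-j", "LOG",
                  "--log-prefix", "ip6tables drop: "])
    return rules


def render(rules, binary="ip6tables"):
    """Shell script text, one ip6tables command per line, for review before applying."""
    return "\n".join(binary + " " + " ".join(r) for r in rules) + "\n"


def apply_rules(rules, binary="ip6tables"):
    """Apply in order and stop at the first rule ip6tables rejects (needs root)."""
    for r in rules:
        subprocess.run([binary] + r, check=True)


if __name__ == "__main__":
    # Assumed interface and documentation prefix; replace with your own before applying
    print(render(stateless_rules("eth0", "2001:db8:1::/64", tcp_services=(22, 25))))
```

The two weak spots of stateless filtering are visible in the rules themselves: any TCP segment without the SYN flag and any UDP packet from source port 53 gets in. That is acceptable for a lab, and exactly what connection tracking removes once a kernel that supports it for IPv6 is available.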

5.7 Testing

Now that we could migrate most of the services used, or find a substitute for those that were not possible, let's take a quick look at testing the network for performance issues. When working with IPv4 I could find loads of applications testing more or less important network features, but with IPv6 the software to choose from is very limited. When I asked the participants of the [email protected] newsgroup, most of them told me that they were writing their tests them­selves, like measuring the time it takes to put or get a file using FTP.

5.7.1 iperf

I use iperf version 2.0.2 with native IPv6 support. The handling for IPv6 is pretty much the same as for IPv4. The server is started using

iperf -V -s

and the client is started with:

iperf -V -c ServerAddress

I tested the connection between bart (server) and marge (client). The ServerAddress can be supplied either as FQDN or as IPv6 address.

Figure 5.26: iperf using IPv6

iperf also works on Windows and is therefore the only IPv6 testing tool here that allows comparable measurements on both platforms.

5.7.2 Netserver/ Netperf

netserver and its client netperf were also used in my IPv4 testing run; IPv6 testing is supported in versions 2.3 and later, for Linux only. Start the server using:

netserver -6 -p 123456

on port 123456, and the client by typing:

netperf -H ServerAddress -6 -p 123456

ServerAddress again can be the FQDN or the IPv6 address.

5.7.3 Smokeping

Smokeping can easily be configured for use with IPv6. You simply need to use fping6 instead of fping in the configuration file. But let's go step by step. First I downloaded the fping6 utility at http://unfix.org/projects/ipv6/fping-2.4b2_to-ipv6.tar.gz. Then I edited the following lines in /etc/smokeping/config in order to support IPv6:

Figure 5.27: netserver/ netperf using IPv6

*** Probes ***
+ FPing6
binary = /usr/sbin/fping6

*** Targets ***
probe = FPing6

Since smokeping does not support IPv4 and IPv6 within one config file and I wanted to graph both IPv4 and IPv6 round-trip times, I simply had to run two instances of smokeping. First I copied the config file I used for IPv4 and made the changes written above. Then, in the "General" section, I had to change the *.pid file used, because the default pid file is used by the IPv4 instance of smokeping. The next step is to change the output file to

cgiurl = http://snowball/cgi-bin/smokepingv6.cgi

Besides setting the new targets to IPv6 addresses this is all that had to be done concerning the configuration file. The next problem was that smokeping per default uses /etc/smokeping/config and I could not find a way to set a path to another config file. Rather than searching for a command-line option, I simply copied the smokeping executable /usr/sbin/smokeping, renamed it to /usr/sbin/smokepingv6 and edited the line defining which configuration file to use:

Smokeping::main("/etc/smokeping/configv6");

Now you can run smokeping and smokepingv6 on one PC. See the Code Appendix for the whole configuration file. Below you can see the ICMPv6 round-trip graph for snowball generated on marge.

Figure 5.28: Smokeping running on marge: snowball.sylvia.test

5.7.4 mrtg/ SNMP [47]

The first step is to make snmpd listen on IPv6. This is done in /etc/default/snmpd by editing the value of the parameter SNMPDOPTS:

SNMPDOPTS='-Lsd -Lf /dev/null -p /var/run/snmpd.pid udp6:161 udp:161'

For Linux kernels 2.6.x you have to explicitly allow both IPv4 and IPv6. Then the /etc/snmp/snmpd.conf file has to be changed. I chose a very simple way and just added:

rwcommunity6 public

Be aware that this grants read-write access with the default community string to any IPv6 source. Outside a lab use rocommunity6 with a non-default community and a source restriction, or SNMPv3 with authentication. Now SNMP is ready for testing:

snmpwalk -v 1 -c public udp6:[::1] sysname
snmpwalk -v 1 -c public udp6:[2001:16d8:ff47:1203:2::1] sysname

The latter asks 2001:16d8:ff47:1203:2::1 for its sysname (see the sniff below). Now the only thing left is the configuration of mrtg. As you might remember, mrtg uses a *.cfg file for each host monitored.

Figure 5.29: SNMP using IPv6 between marge (ns1.sylvia.test) and bart (bart6.sylvia.test)

What you have to do now, in order to have SNMP traffic via IPv6 when using mrtg, is to copy the IPv4 configuration file for each host you also want to monitor using IPv6. First of all enable IPv6 by setting:

EnableIPv6: yes

Then make sure that you choose new names for the graphs (otherwise it would overwrite the IPv4 ones) and we are done (see the whole config file in the Code Appendix). Create the HTML file with:

indexmaker -output=/var/www/mrtg/bart6.html /etc/mrtgbart6.cfg

Before mrtg can graph something you need to poll some data manually by typing the following command a few times:

mrtg /etc/mrtgbart6.cfg

If this worked without errors you can add the command above to your crontab and look at the output at http://marge.sylvia.test/mrtg/bart6.html.

Figure 5.30: mrtg for bart6.sylvia.test

Note: Please keep in mind that the only thing changed is the protocol used for querying snmpd. The data queried is the same as in the IPv4-based configuration files. In order to get IPv6-specific data you have to include the IPv6 MIBs!

Windows: Windows does not support SNMP via IPv6.

Bibliography

[1] Peter Bieringer: Linux IPv6 HOWTO (2005). http://linuxreviews.org/howtos/networking/IPv6-LinuxHowto/en/index.html (2005-12-09)
[2] Digital Hermit, Kwan Lowe: Kernel Rebuild Guide (2003). http://www.digitalhermit.com/linux/Kernel-Build-HOWTO.html (2005-12-09)
[3] Microsoft, MSDN: Microsoft IPv6 Technology Preview for Windows 2000 (2002). http://msdn.microsoft.com/downloads/sdks/platform/tpipv6.asp (2005-12-09)
[4] Microsoft: MSDN (2004). http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wcetcpip/html/cmrefIpv6Adu.asp (2005-12-29)
[5] Microsoft, Download Center: IPv6 Technology Preview for Windows 2000 (2003). http://www.microsoft.com/downloads/details.aspx?FamilyId=27B1E6A6-BBDD-43C9-AF57-DAE19795A088&displaylang=en (2005-12-09)
[6] Microsoft, TechNet: The Cable Guy: Using IPv6 Today (2001). http://www.microsoft.com/technet/community/columns/cableguy/cg0701.mspx (2005-12-09)
[7] Microsoft, Microsoft Windows Server 2003: IPv6 Protocol for the Windows Server 2003 Family: Frequently Asked Questions (2005). http://www.microsoft.com/windowsserver2003/techinfo/overview/ipv6faq.mspx (2005-12-09)


[8] Telscom: Configuration of IPv6 features (2004). http://www.telscom.ch/configuration_of_ipv6_features.htm (2005-12-27)
[9] Microsoft Windows Server System: Updating IPv6.exe Commands to Netsh Commands (2002). http://www.microsoft.com/windowsserver2003/technologies/ipv6/ipv62netshtable.mspx (2005-12-27)
[10] Microsoft TechNet: Netsh commands for Interface IPv6 (2005). http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/f953fa20-f037-4609-89eb-0178240f103b.mspx (2005-12-30)
[11] Narten, Draves: Privacy Extensions for Stateless Address Autoconfiguration in IPv6, RFC 3041 (2001). ftp://ftp.isi.edu/in-notes/rfc3041.txt (2005-12-27)
[12] T. Chown: IPv6 Implications for TCP/UDP Port Scanning, draft-chown-v6ops-port-scanning-implications-00 (2003). http://www.6net.org/publications/standards/draft-chown-v6ops-port-scanning-implications-00.txt
[13] RIPE: Updating the RIPE Whois Database (2005). http://www.ripe.net/fcgi-bin/webupdates.pl (2005-12-27)
[14] SixXS: Heartbeat Information (2005). http://www.sixxs.net/tools/heartbeat/ (2005-12-27)
[15] SixXS: Automatic IPv6 Connectivity Client Utility (2005). http://www.sixxs.net/tools/aiccu/ (2005-12-27)
[16] SixXS: FAQ: Account: 10 easy steps to IPv6 (2005). http://www.sixxs.net/faq/account/?faq=10steps (2005-12-27)
[17] SixXS: Anything in Anything (AYIYA) (2005). http://www.sixxs.net/tools/ayiya/ (2005-12-27)
[18] IANA: Internet Protocol Version 6 Address Space (2005). http://www.iana.org/assignments/ipv6-address-space (2005-12-28)

[19] Index of ftp://ftp.inr.ac.ru/ip-routing (2005). ftp://ftp.inr.ac.ru/ip-routing/iputils-current.tar.gz (2005-12-28)
[20] psavola: Linux IPv6 Router Advertisement Daemon (2005). http://v6web.litech.org/radvd/ (2005-12-28)
[21] Lars Fennberg: RADVD Introduction (1997). http://www.cs-ipv6.lancs.ac.uk/ipv6/systems/linux/faq/radvd.html (2005-12-28)
[22] Linux Reviews: man radvd.conf (2001). http://linuxreviews.org/man/radvd.conf/ (2005-12-28)
[23] Narten, Nordmark, Simpson: RFC 2461 - Neighbor Discovery for IP Version 6 (IPv6) (1998). http://www.faqs.org/rfcs/rfc2461.html
[24] Thomson, Bellcore, Narten: RFC 1971 - IPv6 Stateless Address Autoconfiguration (1996). http://www.dnsstuff.com/pages/rfc1971.htm (2005-12-28)
[25] man: radvd (2001). http://linuxcommand.org/man_pages/radvd8.html (2005-12-28)
[26] Thomson, Bellcore, Narten: RFC 2462 - IPv6 Stateless Address Autoconfiguration (1998). http://www.faqs.org/rfcs/rfc2462.html
[27] Tomasz Mrugalski: Dibbler - a portable DHCPv6 (2005). http://klub.com.pl/dhcpv6/ (2005-12-28)
[28] Tomasz Mrugalski: Dibbler - a portable DHCPv6, Documentation (2005). http://klub.com.pl/dhcpv6/dibbler/dibbler-0.4.1-doc.tar.gz (2005-12-28)
[29] JOIN: Nameservice und IPv6 (2003). http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_IPv6-Nameservice.php (2005-12-29)
[30] Thomson, Huitema, Ksinant, Souissi: RFC 3596 - DNS Extensions to support IP version 6 (2003). http://rfc.net/rfc3596.html (2005-12-29)
[31] Bieringer, Baraldi, Piunno, Tortonesi, Toselli, Tumiati: Current Status of IPv6 support for networking applications (2004). http://www.deepspace6.net/docs/ipv6_status_page_apps.html (2005-12-29)

[32] Privoxy Developers: Privoxy - Home Page (2005). http://www.privoxy.org/ (2005-12-29) [33] Glowiak: Mysql vs postgres (2005). http://monstera.man.poznan.pl/wiki/index.php/Mysql_vs_postgres (2005-12-30) [34] PostgreSQL: Chapter 20. Client Authentication (2005) http://www.postgresql.org/docs/8.1/interactive/client- authentication.html#AUTH-PG-HBA-CONF (2005-12-30) [35] Microsoft Windows Server System: Internet Protocol Version 6 (2005). http://www.microsoft.com/ipv6 (2005-12-30) [36] lutchann: Samba IPv6 Support (2002). http://v6web.litech.org/samba/ (2005-12-30) [37] Microsoft Windows Server 2003: Up- dates to Understanding IPv6 (2005). http://www.microsoft.com/downloads/details.aspx?FamilyID=42bf4711- 27af-4c4c-8300-7bcf900de5c3&DisplayLang=en (2006-01-16) [38] jason: Webdav in Apache2 to share Mozilla Thunderbird Calender or Sunbird (2005). http://nmglug.org/phorum/read.php?5,30,30 (2006-01-14) [39] Kenichi Takahashi: Instant File Sharing with IPv6 and WebDAV (2003). http://www.ipv6style.jp/en/tryout/20030320/index.shtml (2006-01-14) [40] Jun-ya KATO: ncFTP 3.1.8 (2005). http://win6.jp/NcFTP/index.html (2006-01-18) [41] Jason Boxman: Configuring Exim and Courier IMAP under Debian GNU/Linux (2004). http://talk.trekweb.com/~jasonb/articles/exim_maildir_imap.shtml (2006) [42] Bernhard Schmidt: Asterisk bounty IPv6 (2005). http://www.voip- info.org/wiki-Asterisk+bounty+IPv6 (2006-01-14) [43] Rapaz: initial IPv6 VoIP patch (2005). http://www.voip- info.org/wiki/view/IPv6+VoIP (2006-01-14) BIBLIOGRAPHY 221

[44] Nate Mook: Microsoft P2p Not All Fun and Games Yet (2003). http://www.betanews.com/article/1046403618 (2006-01-16) [45] Nate Carlson (2005) http://www.natecarlson.com/linux/ipsec- x509.php#installing (2006-01-17) [46] Diego Andres Acosta: TightVNC over IPv6 (2004). http://jungla.dit.upm.es/~acosta/paginas/vncIPv6.html (2006- 01-17) [47] debian: Having v6 with Debian for the first time (2004).http://debian.fabbione.net/how.html (2006-01-18) Chapter 6

Conclusion and Summary

In the preceding chapter you could see step by step that nearly anything that has to be done in a network can be done using IPv6. It is important for me to mention that not every service could be migrated, especially with the Microsoft-based software used, and that there has not been much effort yet to write software exploiting the advantages of IPv6. As you could see, things that could not be migrated easily were e.g. Active Directory, which could be replaced by an elaborate configuration of OpenLDAP, or NTP clients using IPv6 for Windows systems. In fact, I do not consider the last problem very big, for it is not possible to run IPv6-only networks at the moment. Besides such “unimportant” things like time synchronisation, Microsoft does not yet support DNS or SNMP querying using IPv6, which is more important in a productive environment. As a little summary one could say that a network running Linux-flavoured operating systems is 99% migratable, while Windows systems simply impose more problems in migrating.

One huge aspect of my thesis was to examine closely whether the transition phase could also have taken place in a real productive environment, with people working on the services I migrate. In most of the cases I have to say: yes. I think everybody will know from her or his own experience that there are services that just crash while reconfiguring them, and you have to spend a few hours on them until they work again. I guess such things just have to happen, and in fact did happen in my environment as well. Most of the services I migrated “simply” needed to be configured for listening to IPv6 requests as well and therefore just had to be reconfigured. Therefore you could say that the time the service was offline was confined to the time the restart of the service took. On the other hand, to be perfectly sure that your migration does not collide with important services like database or file access, I'd recommend you to try them after hours in case trouble occurs.

This thesis and the contained actual migration of a network was made under the condition that the services provided via IPv4 can also be accessed using IPv6. I started with Windows 2000 Server, to find out during migration that running IPv6 services on Windows-based machines is a bad idea. This is the point where I have to mock the information provided by Microsoft regarding IPv6. I think I found 20 homepages telling me that Windows systems support IPv6 and how you can ping each other, but as soon as you get to the point where you really need detailed facts like “Does Active Directory support IPv6?”, you are lost. I guess it took me a few months (on web search, newsgroups, forums, writing to Microsoft) to get the answer “no”, and that is what I want to criticise. Microsoft makes the most popular operating system in the world and is afraid to tell its customers what the software is capable of, or so it seems. To be honest, I don't really see the point in providing half of the information except if you want to conceal something. My tip: write what your software can do and what it can't; it saves huge amounts of time when using your software. Concerning my experiences with Microsoft I also want to thank Microsoft Austria's Academic Relations Manager Mr. Schabus for providing contact with someone at Microsoft really working with IPv6 and providing me with honest answers.

The fact that I needed to switch to different operating systems and services within the transition is the reason why there are no significant testing or benchmarking results. Every throughput or bandwidth test made in the IPv4-only network is no longer comparable with tests you would make now in an IPv4/IPv6 environment. Things like neighbor discovery or duplicate SNMP queries (IPv4 and IPv6) would also affect IPv4 traffic, for which I have no IPv4 values I can really compare. In addition to this, the use of different services than before imposes a problem as well, for their performance will highly influence the results.

This brings me to the advantages and disadvantages of IPv6. To be completely honest, I really loved working with IPv6. There is only a small community in the European region working on problems concerning IPv6, and you quickly get to know everyone from newsgroups etc. It really is fun working together and helping each other with problems most IT professionals have not dealt with before (of course, this can also be pretty hindering when you have a problem, google it and get something like two results, both in strange languages). In my opinion, the advantages of IPv6 are obvious: we have the huge address space bringing mobile computing and peer-to-peer computing to the next level, we have encrypted and authenticated traffic for securing your company from its employees, and we have huge improvements concerning prioritised traffic like video streams and autoconfiguration of hosts. These advantages and a relatively easy transition will make IPv6 more and more important in the next years. At the moment, I have to confess, switching to IPv6 only is something for those wanting to be on the pulse of technology. Today its benefits may not be enough to deploy IPv6 all over the company, but it is good to be aware of this technology very early, for it will become predominant very soon.

Today it might only be “cool” to tell your customers that you have already updated your company to IPv6; in a few years it will be standard, and that's why I want to propagate IPv6 with this thesis. Because IPv6 builds on the basic structure IPv4 has used, there are not really “disadvantages” you are not used to from using IPv4. One thing that might be something like a “disadvantage” is the training of the IT staff, which will cost money and time, as you always have with new versions of anything, but this money is not lost. Always keep in mind that using IPv6 today and trying its features only facilitates the things you have to do the day IPv6 has to be used. It's an investment in the future of network technology and will bring money in return. Even today big companies have already saved big spendings by using the autoconfiguration techniques provided instead of configuring manually. Think also of the benefits you have when doing secure communication without tunneling over the internet or when having road warriors in your company.

Another point I want to mention at the end is the financial aspect of migrating. I did not really have to buy additional hardware for my needs, but if I had wanted to use my Cisco routers and switches I would have needed additional software and memory, for which I did not find a sponsor (so I stuck to using hubs and Linux routers). In the field of VoIP you would need different hardware as well, but as long as Asterisk does not fully support IPv6 there was no need to look for it. I did not experience many problems from software compatibility, for most of my services run on Linux and therefore Open Source solutions are available. On the other hand, I did not manage to find a free NTP client running IPv6 for Windows; I guess that's pretty much all I needed from the hardware and software side.

When it comes to the point of information gathering I have to confess: yes, I bought “Understanding IPv6” and another IPv6 theory book (which in fact I did not read), a few Euros each. The most expensive thing in the whole migration of my test network was, of course, the time I spent on it. It is very hard to define how much time it took me to migrate my services (for I had to do different things besides), but it might be something about 23 to 30 days (Monday to Friday: 9-11 hours a day, Saturdays and Sundays 4-5 hours a day). You might guess that this is just an estimated value, including also the time I spent reading about the new protocol.

As the very last paragraph in this master thesis I again want to assure everyone who does not yet believe me: IPv4 will be outdated soon and IPv6 is, if some additional work is done, the perfect successor. Again I want to thank everyone making this project possible and everyone reading this thesis to the end :-) .

Appendix

Chapter 7

Configuration Files

The first part of the Appendix is intended to provide all configuration files mentioned in the thesis. As I had always been glad when people provided me with their full configuration files for services I was just trying to install, I put in here everything I configured throughout my research. Because I only had to see whether the basic concepts work, you won't find any security issues covered: authentication is mostly by source address, secrets are trivial and access rules are wide open. So if you are searching for quick-and-dirty solutions you are invited to take a look, but do not copy these files into a production network unchanged. (Lines that were commented out in the initial config file are left out or shortened.)

7.1 IPv4 related configuration

7.1.1 APT

/etc/apt/sources.list

deb http://ftp.tu-graz.ac.at/mirror/debian unstable main non-free contrib


7.1.2 Asterisk

/etc/zaptel.conf

loadzone=at
defaultzone=at
# for our TDM31: 1x FXO + 3x FXS
# slot 1, next to the connectors
# zaptel names the signalling after the far end: the three FXS ports
# (analogue phones, channels 1-3) get fxoks, the FXO port on the
# exchange line (channel 4) gets fxsks
fxoks=1-3
fxsks=4

/etc/asterisk/asterisk.conf

[directories]
astetcdir => /etc/asterisk
astmoddir => /usr/lib/asterisk/modules
astvarlibdir => /var/lib/asterisk
astagidir => /var/lib/asterisk/agi-bin
astspooldir => /var/spool/asterisk
astrundir => /var/run
astlogdir => /var/log/asterisk
; Changing the following lines may compromise your security.
;[files]
;astctlpermissions = 0660
;astctlowner = root
;astctlgroup = apache
;astctl = asterisk.ctl

/etc/asterisk/extensions.conf

; extensions.conf on maggie, the server at the BFI head office
;
[general]
;
static=yes
;
writeprotect=no
;
autofallthrough=yes
;
clearglobalvars=no
; The "Globals" category contains global variables that can
; be referenced in the dialplan with ${VARIABLE} or
; ${ENV(VARIABLE)} for Environmental variable
[globals]
CONSOLE=Console/dsp   ; Console interface for demo
2210=misdn/1/10       ; switchboard
2211=misdn/1/11       ; Natalie FREILER
2212=misdn/1/12       ; Peter
2213=misdn/1/13       ; Jürgen GRANDITS
2214=misdn/1/14       ; Thomas MÜLLNER
2215=misdn/1/15       ; Susanne STIPSITS
2216=misdn/1/16       ; Eveline WEINHOFER
2217=misdn/1/17       ; Sabine SWATEK-VENUS
2218=misdn/1/18       ; Anita DIENER
2219=misdn/1/19       ; staff room
2220=misdn/1/20       ; Johanna EBERL
2221=misdn/1/21       ; Anita IMREK
2222=misdn/1/22       ; Dorli CSECSINOVITS
2223=misdn/1/23       ; Hotline
2224=misdn/1/24       ; Baldur FLECK
2225=misdn/1/25       ; Karl SCHUH
2232=misdn/1/32       ; Rudolf ERKINGER
2235=misdn/1/35       ; Tamara TAUS
2236=misdn/1/36       ; Andreas GRABNER
;
2921=SIP/2921         ; grandstream bt100
2925=SIP/2925         ; grandstream 2000
2936=SIP/2936         ; allnet 7950
;2314=Zap/4
;211=Zap/1
;212=Zap/2
;213=Zap/3
;
[macro-voicemail]
; for SIP phones
exten => s,1,Dial(${ARG1},20,tr)
exten => s,2,Goto(s-${DIALSTATUS},1)
exten => s-NOANSWER,1,Voicemail(u${MACRO_EXTEN})
exten => s-NOANSWER,2,Hangup()
exten => s-BUSY,1,Voicemail(b${MACRO_EXTEN})
exten => s-BUSY,2,Hangup()
exten => _s-.,1,Goto(s-NOANSWER,1)
;
[macro-standard]
exten => s,1,Dial(${ARG1},20,tr)
exten => s,2,Hangup()
;
[macro-isdn-voicemail]
exten => s,1,Dial(${ARG1})
exten => s,2,Goto(s-${DIALSTATUS},1)
exten => s-NOANSWER,1,Voicemail(u${MACRO_EXTEN})
exten => s-NOANSWER,2,Hangup()
exten => s-BUSY,1,Voicemail(b${MACRO_EXTEN})
exten => s-BUSY,2,Hangup()
exten => _s-.,1,Goto(s-NOANSWER,1)
;
; ======
; for incoming calls
;
[default]
exten => s,1,Answer()
exten => s,2,Playback(demo-nogo)
exten => s,3,Hangup()
;
[unauth]
; dead end for unauthenticated SIP and IAX callers
exten => s,1,Answer()
exten => s,2,Playback(demo-nogo)
exten => s,3,Hangup()
;
[voll]
; full access; the includes are searched in this order
include => demo
include => intern
include => filiale
include => national
include => international
include => always-out-amt
;
[in-isdn]
; calls coming from isdn
; can be routed depending on the MSN (unfortunately only 3)
exten => 50,1,Macro(voicemail,${2221})
exten => 511,1,Macro(voicemail,${2225})
exten => 512,1,Macro(voicemail,${2236})
;
[iax-intern-in]
exten => _22XX,1,GoTo(intern,${EXTEN},1)
;
;======
; outgoing calls
;
[demo]
; Create an extension, 2998, for dialing the
; Asterisk demo.
;
exten => 2998,1,Playback(demo-abouttotry)                 ; Let them know what's going on
exten => 2998,n,Dial(IAX2/guest@misery.digium.com/s@default) ; Call the Asterisk demo
exten => 2998,n,Playback(demo-nogo)                       ; Couldn't connect to the demo site
exten => 2998,n,Hangup()
;
; Create an extension, 2999, for evaluating echo latency.
;
exten => 2999,1,Playback(demo-echotest)                   ; Let them know what's going on
exten => 2999,n,Echo                                      ; Do the echo test
exten => 2999,n,Playback(demo-echodone)                   ; Let them know it's over
exten => 2999,n,Hangup()
;
[intern]
; all phones at the server's site are rung here;
; the IAX calls from the branch offices also come
; straight in here
; users with voicemail
exten => 2210,1,Macro(isdn-voicemail,${2210})
exten => 2211,1,Macro(isdn-voicemail,${2211})
exten => 2212,1,Macro(isdn-voicemail,${2212})
exten => 2213,1,Macro(isdn-voicemail,${2213})
exten => 2214,1,Macro(isdn-voicemail,${2214})
exten => 2215,1,Macro(isdn-voicemail,${2215})
exten => 2216,1,Macro(isdn-voicemail,${2216})
exten => 2217,1,Macro(isdn-voicemail,${2217})
exten => 2218,1,Macro(isdn-voicemail,${2218})
exten => 2219,1,Macro(isdn-voicemail,${2219})
exten => 2220,1,Macro(isdn-voicemail,${2220})
exten => 2221,1,Macro(isdn-voicemail,${2221})
exten => 2222,1,Macro(isdn-voicemail,${2222})
exten => 2223,1,Macro(isdn-voicemail,${2223})
exten => 2224,1,Macro(isdn-voicemail,${2224})
exten => 2225,1,Macro(isdn-voicemail,${2225})
exten => 2232,1,Macro(isdn-voicemail,${2232})
exten => 2235,1,Macro(isdn-voicemail,${2235})
exten => 2236,1,Macro(isdn-voicemail,${2236})
;
exten => 2921,1,Macro(voicemail,${2921})
exten => 2925,1,Macro(voicemail,${2925})
exten => 2936,1,Macro(voicemail,${2936})
; users without voicemail
;exten => 2314,1,Macro(standard,${2314})
;
; for our voicemail system to call it
exten => 2290,1,Ringing
exten => 2290,2,Wait(2)
exten => 2290,3,VoicemailMain
;
; Or a conference room (you'll need to edit
; meetme.conf to enable this room)
;exten => 8600,1,Meetme(1234)
;
; for invalid numbers and timeouts
exten => i,1,Playback(pbx-invalid)
exten => i,2,Hangup()
exten => t,1,Playback(vm-goodbye)
exten => t,2,Hangup()
;
; end of [intern]
;
[filiale]
; branch offices, reached over the IAX trunks from iax.conf
exten => _23XX,1,Dial(IAX2/zur-inform/${EXTEN})
exten => _23XX,2,Hangup
exten => _23XX,102,Hangup
;
exten => _24XX,1,Dial(IAX2/nach-jo/${EXTEN})
exten => _24XX,2,Hangup
exten => _24XX,102,Hangup
;
;exten => _33XX ??
;
;exten => _44XX ??
;
[always-out-amt]
; emergency calls using ISDN
exten => _1XX,1,Dial(misdn/1/${EXTEN})
exten => _1XX,2,Congestion
exten => _1XX,3,Hangup
exten => _1XX,102,Congestion
exten => _1XX,103,Hangup
;
[local]
; users can only call within the city
; the outside line is seized with 0, which is stripped again
; in the Dial command because mISDN is connected to an exchange line
exten => _0N.,1,Dial(misdn/1/${EXTEN:1})
;
[national]
; users can not call foreign countries
; (domestic long-distance only); the outside line is seized
; with 0, which is stripped again in the Dial command as above.
; Z (1-9) rather than X (0-9) in the third position: _00X. would
; also match 000... and let international calls through here
exten => _00Z.,1,Dial(misdn/1/${EXTEN:1})
;
[international]
; international calls allowed as well; the outside line is
; seized with 0, which is stripped again in the Dial command
exten => _000X.,1,Dial(misdn/1/${EXTEN:1})
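The contexts above implement the call restrictions: [intern] and [filiale] reach internal and branch extensions, [always-out-amt] passes emergency numbers, and [local], [national] and [international] seize the outside line with a leading 0 that `${EXTEN:1}` strips again. Which context answers a dialled number depends on Asterisk's pattern syntax (X = 0-9, Z = 1-9, N = 2-9, `.` = one or more further digits) and on the lookup order: a context's own extensions first, then its includes in the order listed. The following Python script is an added example, not part of the thesis and not Asterisk code; it models those rules on a constructed subset of the dialplan above (the `${22xx}` globals are written out as their misdn channels). It shows that a [national] pattern written `_00X.` also matches international numbers such as 0004412345, because X accepts the second 0 of the 00 prefix, so a user limited to that context can still dial abroad, whereas `_00Z.` rejects such numbers; and that in [voll], where [national] is listed before [international], the call is handled by the [national] entry anyway. The specificity ranking used to pick between several matching patterns in one context is a simplified model of Asterisk's ordering.

```python
"""Asterisk dial-pattern resolver for checking call-restriction contexts.

Added example; it is neither part of the thesis nor Asterisk code. It models
the classic Asterisk pattern rules (X = 0-9, Z = 1-9, N = 2-9, [..] classes,
'.' = one or more further characters, '!' = zero or more) and the lookup
order: a context's own extensions first (best match wins), then its includes
in the listed order. DIALPLAN is a constructed subset of the thesis dialplan.
"""
import re

# symbol -> (regex class, specificity rank); lower rank = more specific
_SYMBOL = {"X": ("[0-9]", 4), "Z": ("[1-9]", 3), "N": ("[2-9]", 2)}


def _walk(pattern):
    """Yield (regex fragment, rank) per position of a '_' pattern or literal."""
    if not pattern.startswith("_"):
        for ch in pattern:
            yield re.escape(ch), 0
        return
    body, i = pattern[1:], 0
    while i < len(body):
        ch = body[i].upper()
        if ch in _SYMBOL:
            yield _SYMBOL[ch]
        elif ch == "[":                       # explicit class, e.g. [15-7]
            j = body.index("]", i)
            yield "[" + body[i + 1:j] + "]", 1
            i = j
        elif ch == ".":                       # one or more of anything
            yield ".+", 9
        elif ch == "!":                       # zero or more of anything
            yield ".*", 9
        else:                                 # literal digit, '*' or '#'
            yield re.escape(body[i]), 0
        i += 1


def matches(pattern, number):
    regex = "^" + "".join(frag for frag, _ in _walk(pattern)) + "$"
    return re.match(regex, number) is not None


def specificity(pattern):
    """Rank list compared position by position; the smaller list wins."""
    return [rank for _, rank in _walk(pattern)]


def resolve(dialplan, context, number, _seen=None):
    """Return (context, pattern, action) Asterisk would run, or None."""
    _seen = set() if _seen is None else _seen
    if context in _seen or context not in dialplan:
        return None
    _seen.add(context)
    ctx = dialplan[context]
    hits = [p for p in ctx.get("exten", {}) if matches(p, number)]
    if hits:
        best = min(hits, key=specificity)
        return context, best, ctx["exten"][best]
    for inc in ctx.get("include", []):        # includes in listed order
        found = resolve(dialplan, inc, number, _seen)
        if found:
            return found
    return None


def expand(action, exten):
    """Substitute ${EXTEN} and ${EXTEN:n} (drop n leading digits) in an action."""
    return re.sub(r"\$\{EXTEN(?::(\d+))?\}",
                  lambda m: exten[int(m.group(1) or 0):], action)


OUT = "Dial(misdn/1/${EXTEN:1})"   # outside line seized with 0, stripped here
DIALPLAN = {
    "voll": {"include": ["intern", "filiale", "national",
                         "international", "always-out-amt"]},
    "intern": {"exten": {"2225": "Macro(isdn-voicemail,misdn/1/25)",
                         "2290": "VoicemailMain"}},
    "filiale": {"exten": {"_23XX": "Dial(IAX2/zur-inform/${EXTEN})",
                          "_24XX": "Dial(IAX2/nach-jo/${EXTEN})"}},
    "always-out-amt": {"exten": {"_1XX": "Dial(misdn/1/${EXTEN})"}},
    "local": {"exten": {"_0N.": OUT}},
    "national": {"exten": {"_00X.": OUT}},        # X also accepts the 0 of "00"
    "national-fixed": {"exten": {"_00Z.": OUT}},  # Z = 1-9 rejects the 00 prefix
    "international": {"exten": {"_000X.": OUT}},
}

if __name__ == "__main__":
    for ctx, num in [("voll", "2225"), ("voll", "2301"), ("voll", "144"),
                     ("voll", "0004412345"), ("national", "0004412345"),
                     ("national-fixed", "0004412345"), ("local", "0512345")]:
        hit = resolve(DIALPLAN, ctx, num)
        print(f"{ctx:15} {num:12} ->",
              f"{hit[0]} {hit[1]} {expand(hit[2], num)}" if hit else "no match")
```

Run as a script it prints, for each constructed call, the context and pattern that catch it and the Dial string after `${EXTEN:1}` expansion; the two [national] variants side by side show why the third pattern position has to be Z.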

/etc/asterisk/iax.conf

; Inter-Asterisk eXchange driver definition
;
[general]
bindport=4569          ; bindport and bindaddr may be specified
language=de
bandwidth=low
;allow=all             ; same as bandwidth=high
;disallow=g723.1       ; Hm... Proprietary, don't use it...
disallow=lpc10         ; Icky sound quality... Mr. Roboto.
;allow=gsm             ; Always allow GSM, it's cool :)
;
jitterbuffer=no
forcejitterbuffer=no
;dropcount=2
;maxjitterbuffer=1000
;maxjitterinterps=10
;resyncthreshold=1000
;maxexcessbuffer=80
;minexcessbuffer=10
;jittershrinkrate=1
;trunkfreq=20          ; How frequently to send trunk msgs (in ms)
;
; You can disable authentication debugging to
; reduce the amount of debugging traffic.
;
authdebug=yes
;
tos=lowdelay
;
autokill=yes
;
; Guest sections for unauthenticated connection
; attempts. Just specify an empty secret, or
; provide no secret section.
;
[guest]
type=user
context=unauth
callerid="Guest IAX User"
;
[von-inform]
; incoming trunk from the branch office; no secret, so the peer is
; trusted by its source address alone
type=user
host=192.168.250.178
;host=192.168.123.5
context=iax-intern-in
trunk=yes
;
[zur-inform]
type=peer
host=192.168.123.5
;
[von-jo]
; incoming trunk; again authenticated by source address only and
; dropped straight into [intern]
type=user
host=192.168.150.7
;username=elsylo
;secret=fanta4
context=intern
trunk=yes
;auth=md5,plaintext,rsa
;setvar=foo=bar
;notransfer=yes        ; Disable IAX native transfer
;jitterbuffer=yes      ; Override global setting and enable jitter buffer for this user
;callerid="Mark Spencer" <(256) 428-6275>
;deny=0.0.0.0/0.0.0.0
;accountcode=markster0101
;permit=209.16.236.73/255.255.255.0
;language=en           ; Use english as default language
;
; Peers may also be specified, with a secret and
; a remote hostname.
;
[nach-jo]
type=peer
;username=elsylo
;secret=fanta4
host=192.168.150.7
;sendani=no
;host=asterisk.linux-support.net
;port=5036
;mask=255.255.255.255
;qualify=yes           ; Make sure this peer is alive
;jitterbuffer=no       ; Turn off jitter buffer for this peer

/etc/asterisk/indications.conf

[general]
country=at

[at]
description = Austria
ringcadance = 1000,5000
; Reference: http://www.itu.int/ITU-T/inr/forms/files/tones-0203.pdf
dial = 420
busy = 420/400,0/400
ring = 420/1000,0/5000
congestion = 420/200,0/200
callwaiting = 420/40,0/1960
dialrecall = 420
; RECORDTONE - not specified
record = 1400/80,0/14920
info = 950/330,1450/330,1850/330,0/1000
stutter = 380+420

[de]
description = Germany
; Reference: http://www.itu.int/ITU-T/inr/forms/files/tones-0203.pdf
ringcadance = 1000,4000
dial = 425
busy = 425/480,0/480
ring = 425/1000,0/4000
congestion = 425/240,0/240
callwaiting = !425/200,!0/200,!425/200,!0/5000,!425/200,!0/200,!425/200,!0/5000,!425/200,!0/200,!425/200,!0/5000,!425/200,!0/200,!425/200,!0/5000,!425/200,!0/200,!425/200,0
; DIALRECALL - not specified
dialrecall = !425/100,!0/100,!425/100,!0/100,!425/100,!0/100,425
; RECORDTONE - not specified
record = 1400/80,0/15000
info = 950/330,1400/330,1800/330,0/1000
stutter = 425+400

[hu]
description = Hungary
; Reference: http://www.itu.int/ITU-T/inr/forms/files/tones-0203.pdf
ringcadance = 1250,3750
dial = 425
busy = 425/300,0/300
ring = 425/1250,0/3750
congestion = 425/300,0/300
callwaiting = 425/40,0/1960
dialrecall = 425+450
; RECORDTONE - not specified
record = 1400/400,0/15000
info = !950/330,!1400/330,!1800/330,!0/1000,!950/330,!1400/330,!1800/330,!0/1000,!950/330,!1400/330,!1800/330,!0/1000,0
stutter = 350+375+400

/etc/asterisk/sip.conf

;
; SIP Configuration example for Asterisk
[general]
context=unauth          ; callers that do not authenticate land in the dead-end context
realm=ow.bfi-bgld.at
bindport=5060
bindaddr=0.0.0.0
srvlookup=yes
;tos=184
;tos=lowdelay
disallow=all
allow=alaw
;allow=ilbc
language=de
nat=no
;
;
[2925]
; Grandstream 2000
type=friend
host=dynamic
;host=192.168.160.xxx
defaultip=192.168.112.72
context=voll
username=2225
secret=2225             ; secret equals the user name in all phone sections: lab setting only
callerid="Karl Schuh" <2925>
mailbox=2225
reinvite=no
canreinvite=no
;dtmf-mode: for sipura rfc2833, for grandstream info
dtmfmode=info
qualify=1000
disallow=all
allow=gsm
allow=alaw
callgroup=1
pickupgroup=1
;
[2921]
; grandstream BT100
type=friend
username=2221
secret=2221
context=voll
callerid=Karl SCHUH <2921>
host=192.168.112.70
canreinvite=no
dtmfmode=info
disallow=all
allow=ulaw
allow=alaw              ; Asterisk only supports g723.1 pass-thru!
mailbox=2221
pickupgroup=1
reinvite = no
qualify = 1000

[2936]
; Allnet 7950
type=friend
username=2236
secret=2236
context=voll
host=dynamic
defaultip=192.168.112.71
pickupgroup=1
callgroup=1
reinvite=no
canreinvite=no
qualify=1000
dtmfmode=info
mailbox=2236
disallow=all
allow=ulaw
allow=alaw
callerid="Andreas GRABNER" <2936>

[229]
; Turn off silence suppression in X-Lite
; ("Transmit Silence"=YES)!
; Note that Xlite sends NAT keep-alive packets,
; so qualify=yes is not needed
type=friend
user=229
secret=229
callerid="Sylvia SCHUH mobil" <229>
host=dynamic            ; This device needs to register
defaultip=192.168.201.17
;reinvite=no
;canreinvite=no         ; Typically set to NO if behind NAT
;disallow=all
allow=all
dtmfmode=rfc2833
context=verwalt

/etc/asterisk/zapata.conf

;
; Zapata telephony interface
;
; Configuration file
[channels]
;
language=de
usecallerid=yes
callwaiting=yes
echocancel=yes
echocancelwhenbridged=yes
;
rxgain=0.0
txgain=0.0
;
; channels 1-3: the FXS ports with the analogue phones; as in
; zaptel.conf the signalling carries the opposite name (fxo_ks)
context=verwalt
;
group=2
;
signalling=fxo_ks
mailbox=211
callerid="Green Phone"<211>
channel => 1
;
signalling=fxo_ks
mailbox=212
callerid="Black Phone"<212>
channel => 2
;
signalling=fxo_ks
mailbox=213
callerid="Yellow Phone"<213>
channel => 3
;
; channel 4: the FXO port on the exchange line (fxs_ks)
context=in-amt
group=1
signalling=fxs_ks
callerid=asreceived
channel => 4

7.1.3 CUPS

/etc/cups/cupsd.conf

(The Location containers that enclose the access rules under “Security Options” did not survive the extraction of this page; only the directive lines inside them remain. As they stand, every location is open to all hosts and the server listens on every interface.)

######## Server Identity
######## Server Options
AccessLog /var/log/cups/access_log
DefaultCharset notused
ErrorLog /var/log/cups/error_log
LogLevel debug2
Printcap /var/run/cups/printcap
RemoteRoot karls
######## Fax Support
######## Encryption Support
######## Filter Options
User lp
Group lp
RunAsUser Yes           ## added by me! mario!
######## Network Options
#Port 80
#Port 443
#Port 631
Listen *:631
######## Browsing Options
Browsing On
## windows troubleshooting
#BrowseAddress 192.168.200.255
###BrowseAddress 192.168.201.255
BrowseAddress 255.255.255.255
## windows troubleshooting end
######## Security Options
Order Deny,Allow
Deny From None
Allow From All

Order Deny,Allow
Deny From None
Allow From All

Order Deny,Allow
Deny From None
Allow From All

Order Deny,Allow
Deny From None
Allow From All

Order Deny,Allow
Deny From None
Allow From All

AuthType Basic
AuthClass User
Order Deny,Allow
Deny From None
Allow From All

AuthType BasicDigest
AuthClass Group
AuthGroupName sys
Order Deny,Allow
Deny From None
Allow From All

/etc/cups/printers.conf

(automatically generated when you add a printer via the web interface)

# Printer configuration file for CUPS v1.2.0b1
# Written by cupsd on Sun 02 Oct 2005 06:31:01 PM CEST
Info HP LaserJet 1300
DeviceURI usb://HP/LaserJet%201300
State Idle
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
ErrorPolicy stop-printer

7.1.4 Apache2

/etc/apache2/apache2.conf

(The IfModule, Directory, DirectoryMatch and Files containers of the Debian default file did not survive the extraction of this page; the directive lines are given as they appear. The three groups of server-pool settings belong to the prefork, worker and perchild MPM sections respectively.)

ServerRoot "/etc/apache2"
LockFile /var/lock/apache2/accept.lock
PidFile /var/run/apache2.pid
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
## prefork MPM
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 20
MaxRequestsPerChild 0
## worker MPM
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
## perchild MPM
NumServers 5
StartThreads 5
MinSpareThreads 5
MaxSpareThreads 10
MaxThreadsPerChild 20
MaxRequestsPerChild 0
AcceptMutex fcntl
User www-data
Group www-data
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
ErrorLog /var/log/apache2/error.log
## include modules
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf
## include user configuration
Include /etc/apache2/httpd.conf
Include /etc/apache2/ports.conf
Include /etc/apache2/conf.d/[^.#]*
Alias /icons/ "/usr/share/apache2/icons/"
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
Alias /error/ "/usr/share/apache2/error/"
AllowOverride None
Options IncludesNoExec
AddOutputFilter Includes html
AddHandler type-map var
Order allow,deny
Allow from all
LanguagePriority en es de fr
ForceLanguagePriority Prefer Fallback
ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
ErrorDocument 410 /error/HTTP_GONE.html.var
ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
ErrorDocument 415 /error/HTTP_SERVICE_UNAVAILABLE.html.var
ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
DirectoryIndex index.html index.cgi index.pl index.php index.xhtml
AccessFileName .htaccess
Order allow,deny
Deny from all
UseCanonicalName Off
TypesConfig /etc/mime.types
DefaultType text/plain
HostnameLookups Off
IndexOptions FancyIndexing VersionSort
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core
AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^
DefaultIcon /icons/unknown.gif
ReadmeName README.html
HeaderName HEADER.html
IndexIgnore .??* *~ *# HEADER* RCS CVS *,t
AddEncoding x-compress Z
AddEncoding x-gzip gz tgz
AddLanguage da .dk
AddLanguage nl .nl
AddLanguage en .en
AddLanguage et .et
AddLanguage fr .fr
AddLanguage de .de
AddLanguage el .el
AddLanguage it .it
AddLanguage ja .ja
AddLanguage pl .po
AddLanguage ko .ko
AddLanguage pt .pt
AddLanguage no .no
AddLanguage pt-br .pt-br
AddLanguage ltz .ltz
AddLanguage ca .ca
AddLanguage es .es
AddLanguage sv .se
AddLanguage cz .cz
AddLanguage ru .ru
AddLanguage tw .tw
AddLanguage zh-tw .tw
LanguagePriority en da nl et fr de el it ja ko no pl pt pt-br ltz ca es sv tw
AddCharset ISO-8859-1 .iso8859-1 .latin1
AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen
AddCharset ISO-8859-3 .iso8859-3 .latin3
AddCharset ISO-8859-4 .iso8859-4 .latin4
AddCharset ISO-8859-5 .iso8859-5 .latin5 .cyr .iso-ru
AddCharset ISO-8859-6 .iso8859-6 .latin6 .arb
AddCharset ISO-8859-7 .iso8859-7 .latin7 .grk
AddCharset ISO-8859-8 .iso8859-8 .latin8 .heb
AddCharset ISO-8859-9 .iso8859-9 .latin9 .trk
AddCharset ISO-2022-JP .iso2022-jp .jis
AddCharset ISO-2022-KR .iso2022-kr .kis
AddCharset ISO-2022-CN .iso2022-cn .cis
AddCharset Big5 .Big5 .big5
AddCharset WINDOWS-1251 .cp-1251 .win-1251
AddCharset CP866 .cp866
AddCharset KOI8-r .koi8-r .koi8-ru
AddCharset KOI8-ru .koi8-uk .ua
AddCharset ISO-10646-UCS-2 .ucs2
AddCharset ISO-10646-UCS-4 .ucs4
AddCharset UTF-8 .utf8
AddCharset GB2312 .gb2312 .gb
AddCharset utf-7 .utf7
AddCharset utf-8 .utf8
AddCharset big5 .big5 .b5
AddCharset EUC-TW .euc-tw
AddCharset EUC-JP .euc-jp
AddCharset EUC-KR .euc-kr
AddCharset shift_jis .sjis
AddType application/x-tar .tgz
SetOutputFilter INCLUDES
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
Include /etc/apache2/sites-enabled/[^.#]*

7.1.5 dhcpd

/etc/dhcp3/dhcpd.conf

# no dns update is done when lease is confirmed
ddns-update-style none;
option domain-name "sylvia.test";
option domain-name-servers ns1.sylvia.test;
default-lease-time 6000;
max-lease-time 7200;
log-facility local7;
subnet 192.168.200.0 netmask 255.255.255.0 {
  range 192.168.200.65 192.168.200.96;
  option routers bart.sylvia.test;
  option domain-name "sylvia.test";
  option domain-name-servers 192.168.200.5;
}
# reservations by MAC address; the hostnames in fixed-address are
# resolved via ns1 when dhcpd reads this file
host maggie.sylvia.test {
  hardware ethernet 00:0a:5e:22:af:a7;
  fixed-address maggie.sylvia.test;
}
host homer.sylvia.test {
  hardware ethernet 00:50:ba:17:2d:3d;
  fixed-address homer.sylvia.test;
}
host apu.sylvia.test {
  hardware ethernet 00:00:21:00:5b:bc;
  fixed-address apu.sylvia.test;
}
host lisa {
  hardware ethernet 00:10:dc:2c:6a:0d;
  fixed-address lisa.sylvia.test;
}
host bart.sylvia.test {
  hardware ethernet 00:50:04:68:0C:E8;
  fixed-address 192.168.200.1;
}
host nelson.sylvia.test {
  hardware ethernet 00:60:97:11:D5:F0;
  fixed-address nelson.sylvia.test;
}
host grandstream1.sylvia.test {
  hardware ethernet 00:0b:82:03:87:dc;
  fixed-address grandstream1.sylvia.test;
}
host allnet1.sylvia.test {
  hardware ethernet 00:0f:c9:01:4f:94;
  fixed-address allnet1.sylvia.test;
}
host sipura.sylvia.test {
  hardware ethernet 00:0e:08:ad:ca:a5;
  fixed-address sipura.sylvia.test;
}
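The reservations above tie each host's MAC address to a fixed address, mostly given as a hostname that dhcpd resolves when it reads the file. As an added example, not code from the thesis or from ISC, the following Python script parses a dhcpd.conf of this flat (non-nested) shape and flags the mistakes that cause trouble in practice: a fixed address inside a dynamic `range` (the pool can hand the same address to another client), a reservation whose address lies in no declared `subnet` (it is never offered), a hostname that cannot be resolved at start-up (dhcpd treats that as a configuration error), and a MAC or address reserved twice. The sample file and the name-to-address table that stands in for DNS are constructed for the example; only the subnet and range are taken from the file above, the host addresses are made up.

```python
"""Sanity checks for ISC dhcpd host reservations.

Added example, not code from the thesis or from ISC. It handles the flat
subnet/host declarations used in the thesis dhcpd.conf (no nested blocks).
"""
import ipaddress
import re

# Constructed table standing in for DNS: dhcpd resolves hostnames given in
# fixed-address statements when it parses the file. Addresses are made up.
RESOLVE = {
    "homer.sylvia.test": "192.168.200.12",
    "lisa.sylvia.test": "192.168.200.70",      # constructed: lands in the pool
    "sipura.sylvia.test": "192.168.201.129",   # constructed: other subnet
}

# Constructed sample modelled on the thesis file (nelson.sylvia.test is
# deliberately absent from RESOLVE; allnet1-old repeats allnet1's MAC).
SAMPLE = """\
subnet 192.168.200.0 netmask 255.255.255.0 {
  range 192.168.200.65 192.168.200.96;
  option routers 192.168.200.1;
}
host bart { hardware ethernet 00:50:04:68:0C:E8; fixed-address 192.168.200.1; }
host homer { hardware ethernet 00:50:ba:17:2d:3d; fixed-address homer.sylvia.test; }
host lisa { hardware ethernet 00:10:dc:2c:6a:0d; fixed-address lisa.sylvia.test; }
host sipura { hardware ethernet 00:0e:08:ad:ca:a5; fixed-address sipura.sylvia.test; }
host nelson { hardware ethernet 00:60:97:11:D5:F0; fixed-address nelson.sylvia.test; }
host allnet1 { hardware ethernet 00:0f:c9:01:4f:94; fixed-address 192.168.200.130; }
host allnet1-old { hardware ethernet 00:0F:C9:01:4F:94; fixed-address 192.168.200.131; }
"""

_BLOCK = re.compile(r"(subnet\s+(\S+)\s+netmask\s+(\S+)|host\s+(\S+))\s*\{(.*?)\}", re.S)


def parse(text):
    """Return ([(network, [(range_lo, range_hi), ...])], [(host, mac, fixed)])."""
    subnets, hosts = [], []
    for m in _BLOCK.finditer(text):
        body = m.group(5)
        if m.group(2):
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            ranges = [(ipaddress.ip_address(a), ipaddress.ip_address(b))
                      for a, b in re.findall(r"range\s+(\S+)\s+(\S+);", body)]
            subnets.append((net, ranges))
        else:
            mac = re.search(r"hardware\s+ethernet\s+([0-9A-Fa-f:]+);", body)
            fixed = re.search(r"fixed-address\s+(\S+);", body)
            hosts.append((m.group(4), mac.group(1).lower() if mac else None,
                          fixed.group(1) if fixed else None))
    return subnets, hosts


def check(text, resolve=RESOLVE):
    """Return a list of human-readable findings; empty means nothing to fix."""
    subnets, hosts = parse(text)
    findings, seen_mac, seen_addr = [], {}, {}
    for name, mac, fixed in hosts:
        if mac in seen_mac:
            findings.append(f"{name}: MAC {mac} already reserved for {seen_mac[mac]}")
        elif mac:
            seen_mac[mac] = name
        if fixed is None:
            continue
        target = fixed if re.fullmatch(r"[\d.]+", fixed) else resolve.get(fixed)
        if target is None:
            findings.append(f"{name}: cannot resolve {fixed}; dhcpd rejects the file at start-up")
            continue
        addr = ipaddress.ip_address(target)
        if addr in seen_addr:
            findings.append(f"{name}: address {addr} already reserved for {seen_addr[addr]}")
        seen_addr.setdefault(addr, name)
        if not any(addr in net for net, _ in subnets):
            findings.append(f"{name}: {addr} lies in no declared subnet, so it is never offered")
        for _, ranges in subnets:
            for lo, hi in ranges:
                if lo <= addr <= hi:
                    findings.append(f"{name}: {addr} is inside dynamic range {lo}-{hi}")
    return findings


if __name__ == "__main__":
    for line in check(SAMPLE):
        print(line)
```

Pointing `check()` at a real file means replacing `RESOLVE` with lookups against the same resolver dhcpd uses (the `ns1` given in `option domain-name-servers`), because a stale zone entry is exactly what the hostname-based reservations above depend on.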

7.1.6 BIND

/etc/bind/named.conf.local

(there have been no changes made to the named.conf)

The "allow-update" directive specifies which hosts are allowed to submit Dynamic DNS updates for master zones. Allowing updates based on the source IP address alone is insecure, but it was necessary here so that the Active Directory servers can register their services in DNS. (Maybe you wonder why there are suddenly two AD servers: later on, in the migration phase, it will become necessary to replace the Windows 2000 server with a Windows 2003 server called wiggum.sylvia.test with IP 192.168.200.19.)

zone "sylvia.test" IN {
    type master;
    file "/etc/bind/db.sylvia.test";
    allow-update { 192.168.200.12; 192.168.200.19; };
};

zone "200.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.200.168.192";
};

zone "201.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.201.168.192";
};

/etc/bind/db.sylvia.test

The dynamic entries you find in here were made for a Windows 2003 server called wiggum.sylvia.test. Please read the notes for named.conf.local above.

$ORIGIN .
$TTL 600        ; 10 minutes
sylvia.test     IN SOA  marge.sylvia.test. root.marge.sylvia.test. (
                                2005081961 ; serial
                                604800     ; refresh (1 week)
                                86400      ; retry (1 day)
                                2419200    ; expire (4 weeks)
                                604800     ; minimum (1 week)
                                )
                        NS      ns1.sylvia.test.
$TTL 600        ; 10 minutes
                        A       192.168.200.12
                        A       192.168.200.19
$TTL 604800     ; 1 week
                        MX      10 mail.sylvia.test.
$ORIGIN _msdcs.sylvia.test.
$TTL 600        ; 10 minutes
96ee99d9-b18c-4124-b1d1-871cf84a8bac CNAME wiggum.sylvia.test.
$ORIGIN _tcp.Standardname-des-ersten-Standorts._sites.dc._msdcs.sylvia.test.
_kerberos       SRV     0 100 88 wiggum.sylvia.test.
_ldap           SRV     0 100 389 wiggum.sylvia.test.
$ORIGIN _tcp.dc._msdcs.sylvia.test.
_kerberos       SRV     0 100 88 wiggum.sylvia.test.
_ldap           SRV     0 100 389 wiggum.sylvia.test.
$ORIGIN domains._msdcs.sylvia.test.
_ldap._tcp.8b1150a1-3690-45c9-999c-194456648354 SRV 0 100 389 wiggum.sylvia.test.
_ldap._tcp.f6731b90-9fe0-492a-8685-eaf32b5da1ce SRV 0 100 389 wiggum.sylvia.test.
$ORIGIN _msdcs.sylvia.test.
eecd0355-53fd-442f-8eb5-0ed2237c4d3e CNAME wiggum.sylvia.test.
$ORIGIN gc._msdcs.sylvia.test.
_ldap._tcp.Standardname-des-ersten-Standorts._sites SRV 0 100 3268 wiggum.sylvia.test.
_ldap._tcp      SRV     0 100 3268 wiggum.sylvia.test.
$ORIGIN _msdcs.sylvia.test.
_ldap._tcp.pdc  SRV     0 100 389 wiggum.sylvia.test.
$ORIGIN _tcp.Standardname-des-ersten-Standorts._sites.sylvia.test.
_gc             SRV     0 100 3268 wiggum.sylvia.test.
_kerberos       SRV     0 100 88 wiggum.sylvia.test.
_ldap           SRV     0 100 389 wiggum.sylvia.test.
$ORIGIN _tcp.sylvia.test.
_gc             SRV     0 100 3268 wiggum.sylvia.test.
_kerberos       SRV     0 100 88 wiggum.sylvia.test.
_kpasswd        SRV     0 100 464 wiggum.sylvia.test.
_ldap           SRV     0 100 389 wiggum.sylvia.test.
$ORIGIN _udp.sylvia.test.
_kerberos       SRV     0 100 88 wiggum.sylvia.test.
_kpasswd        SRV     0 100 464 wiggum.sylvia.test.
$ORIGIN sylvia.test.
$TTL 604800     ; 1 week
allnet1         A       192.168.200.130
apu             A       192.168.200.33
bart            A       192.168.200.1
edv-nb1         A       192.168.200.16
flanders        A       192.168.200.36
grandstream1    A       192.168.200.129
homer           A       192.168.200.12
lisa            A       192.168.200.35
maggie          A       192.168.200.8
marge           A       192.168.200.5
nelson          A       192.168.200.34
ns1             A       192.168.200.5
proxy           CNAME   marge
sipura          A       192.168.200.131
snowball        A       192.168.201.1
snowball2       A       192.168.201.17
wiggumold       A       192.168.200.19
www             CNAME   marge

/etc/bind/db.200.168.192.in-addr.arpa

As mentioned in chapter 3: Don’t forget the “.” at the end of each entry.

;
; BIND reverse data file for zone 192.168.200.0/24
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                        2005050801      ; Serial
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL
;
@       IN      NS      ns1.sylvia.test.
1       IN      PTR     bart.sylvia.test.
5       IN      PTR     marge.sylvia.test.
8       IN      PTR     maggie.sylvia.test.
12      IN      PTR     homer.sylvia.test.
16      IN      PTR     edv-nb1.sylvia.test.
19      IN      PTR     wiggum.sylvia.test.
33      IN      PTR     apu.sylvia.test.
34      IN      PTR     nelson.sylvia.test.
35      IN      PTR     lisa.sylvia.test.
36      IN      PTR     flanders.sylvia.test.
129     IN      PTR     grandstream1.sylvia.test.
130     IN      PTR     allnet1.sylvia.test.
131     IN      PTR     sipura.sylvia.test.
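As an added example (not code from the thesis), the following script cross-checks an abridged copy of the forward zone db.sylvia.test against the reverse zone db.200.168.192 shown above: the forward zone lists 192.168.200.19 as wiggumold while the reverse zone still answers wiggum, which is exactly the kind of drift a renamed domain controller leaves behind when only one file is edited. The zone parser is a small, hypothetical one, not BIND's own.

```python
"""Added example, not from the thesis: cross-check the forward zone
db.sylvia.test against the reverse zone db.200.168.192 shown above.
The parser is a small, hypothetical one, not BIND's own."""
import ipaddress

# Abridged copy of /etc/bind/db.sylvia.test from this chapter.
FORWARD = """\
$ORIGIN sylvia.test.
@               NS      ns1.sylvia.test.
bart            A       192.168.200.1
marge           A       192.168.200.5
ns1             A       192.168.200.5
proxy           CNAME   marge
snowball        A       192.168.201.1
wiggumold       A       192.168.200.19
"""

# Abridged copy of /etc/bind/db.200.168.192 from this chapter.
REVERSE = """\
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                        2005050801      ; Serial
                        604800 )        ; Negative Cache TTL
@       IN      NS      ns1.sylvia.test.
1       IN      PTR     bart.sylvia.test.
5       IN      PTR     marge.sylvia.test.
19      IN      PTR     wiggum.sylvia.test.
"""

RECORD_TYPES = {"A", "AAAA", "PTR", "CNAME", "NS", "MX", "SRV", "SOA"}
NAME_RDATA = {"PTR", "CNAME", "NS"}    # rdata is a single domain name


def _fqdn(name, origin):
    """Make a relative zone-file name absolute; '@' means the origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def parse_zone(text, default_origin):
    """Return (owner, type, rdata) triples. Handles $ORIGIN, $TTL, ';'
    comments and blank-owner continuation lines; the continuation lines
    of a parenthesised SOA carry no record type and are skipped."""
    origin = _fqdn(default_origin, ".")
    records, last_owner = [], origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = _fqdn(tokens[1], ".")
            continue
        if tokens[0].startswith("$"):               # $TTL and friends
            continue
        owner = last_owner if line[0].isspace() else _fqdn(tokens.pop(0), origin)
        last_owner = owner
        while tokens and (tokens[0].isdigit() or tokens[0] in ("IN", "CH", "HS")):
            tokens.pop(0)                           # optional TTL and class
        if not tokens or tokens[0] not in RECORD_TYPES:
            continue
        rtype, rdata = tokens[0], tokens[1:]
        if rtype in NAME_RDATA:
            rdata = [_fqdn(rdata[0], origin)]
        records.append((owner, rtype, rdata))
    return records


def _ptr_to_ip(owner):
    """'19.200.168.192.in-addr.arpa.' -> '192.168.200.19'; None if not PTR-shaped."""
    suffix = ".in-addr.arpa."
    if not owner.endswith(suffix):
        return None
    return ".".join(reversed(owner[:-len(suffix)].split(".")))


def check_consistency(forward_text, forward_origin, reverse_text, reverse_origin):
    """Report A records without a PTR and PTRs whose target is not an A
    owner of that address. Addresses outside the reverse zone's prefix
    (here 192.168.201.x) belong to another zone and are ignored."""
    a_by_ip = {}
    for owner, rtype, rdata in parse_zone(forward_text, forward_origin):
        if rtype == "A":
            a_by_ip.setdefault(rdata[0], set()).add(owner)
    ptr_by_ip = {_ptr_to_ip(o): r[0] for o, t, r in
                 parse_zone(reverse_text, reverse_origin) if t == "PTR"}
    prefix = _ptr_to_ip(_fqdn(reverse_origin, ".")) + "."
    by_addr = lambda item: ipaddress.ip_address(item[0])
    findings = {"missing_ptr": [], "mismatched_ptr": []}
    for ip, names in sorted(a_by_ip.items(), key=by_addr):
        if not ip.startswith(prefix):
            continue                                # other reverse zone
        target = ptr_by_ip.get(ip)
        if target is None:
            findings["missing_ptr"].append((ip, sorted(names)))
        elif target not in names:
            findings["mismatched_ptr"].append((ip, target, sorted(names)))
    return findings
```

Running check_consistency(FORWARD, "sylvia.test", REVERSE, "200.168.192.in-addr.arpa") flags 192.168.200.19 as mismatched (PTR wiggum, A record wiggumold) and nothing else.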

/etc/resolv.conf

search sylvia.test
nameserver 192.168.200.5

7.1.7 exim4

/etc/exim4/update-exim4.conf

(generated from dpkg-reconfigure exim4-config)

dc_eximconfig_configtype='smarthost'
dc_primary_hostname='marge.sylvia.test'
dc_other_hostnames='sylvia.test:marge'
dc_local_interfaces='192.168.200.5'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets='192.168.0.0/16'
dc_smarthost='mail.bfi-burgenland.at'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='false'
dc_mailname_in_oh='true'

/etc/mailname

marge6.sylvia.test

/etc/aliases

mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
root: elsylo
k.schuh: karls
s.schuh: elsylo

7.1.8 The Webalizer

/etc/webalizer.conf

## defining log file and type
LogFile /var/log/squid/access.log
LogType squid
## define where HTML output is stored
OutputDir /var/www/webalizer
## Incremental processing allows multiple partial log files
## to be used instead of one huge one.
Incremental yes
# ReportTitle is the text to display as the title
ReportTitle Wos gsoerft worn is bei
## HostName defines the hostname for the report and is
## used in title
HostName marge
## The Quiet option suppresses output messages...
Quiet yes
## Debug prints additional information for error messages.
Debug yes
## The "Top" options below define the number of entries
## for each table. Defaults are Sites=30, URL's=30,
## Referrers=30 and Agents=15, and Countries=50. Tables
## may be disabled by using zero (0) for the value.
TopKSites 30
TopKURLs 30
TopUsers 20
# Your own site/referrer/direct-requests should be hidden
HideSite *marge
HideReferrer marge/
HideReferrer Direct Request
# Usually you want to hide these
HideURL *.gif
HideURL *.GIF
HideURL *.jpg
HideURL *.JPG
HideURL *.ra
# Grouping options
GroupURL /cgi-bin/*
## The Ignore* keywords allow you to completely ignore
## log records based on hostname, URL, user agent or
## referrer.
IgnoreSite localhost
IgnoreReferrer localhost
## How much the MangleAgents should mangle user agent names.
## Level 4 adds minor version number
MangleAgents 4

/etc/crontab

Add this line to your crontab in order to analyse the logfile every hour.

0 * * * * root webalizer

7.1.9 squid

/etc/squid/squid.conf

# NETWORK OPTIONS
# -----------------------------------------------------------------------------

# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -----------------------------------------------------------------------------
# TAG: hierarchy_stoplist
#   A list of words which, if found in a URL, cause the object to
#   be handled directly by this cache.
#
hierarchy_stoplist cgi-bin ?

# TAG: no_cache
#   A list of ACL elements which, if matched, cause the request to
#   not be satisfied from the cache and the reply to not be cached.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

# OPTIONS WHICH AFFECT THE CACHE SIZE
# -----------------------------------------------------------------------------

# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# -----------------------------------------------------------------------------

# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
# -----------------------------------------------------------------------------
hosts_file /etc/hosts
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320

# ACCESS CONTROLS
# -----------------------------------------------------------------------------
acl all src 0.0.0.0/0.0.0.0
# our acl
acl allowed_hosts src 192.168.200.0/255.255.255.0
acl allowed_hosts src 192.168.201.0/255.255.255.0
acl allowed_hosts src 192.168.150.0/255.255.255.0
# end our acl
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563      # https, snews
acl SSL_ports port 873          # rsync
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 631         # cups
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

#Recommended minimum configuration:
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

# our allow rule
http_access allow allowed_hosts
# end of our allow rule
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# and finally allow by default
http_reply_access allow all

# TAG: icp_access
#   Allowing or Denying access to the ICP port
icp_access allow allowed_hosts
icp_access deny all

# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------
# TAG: visible_hostname
#   If you want to present a special hostname in error messages,
visible_hostname proxy.sylvia.test

# OPTIONS FOR THE CACHE REGISTRATION SERVICE
# -----------------------------------------------------------------------------

# HTTPD-ACCELERATOR OPTIONS
# -----------------------------------------------------------------------------

# MISCELLANEOUS
# -----------------------------------------------------------------------------

# DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
# -----------------------------------------------------------------------------

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

7.1.10 arpwatch

/etc/default/arpwatch

# Global options for arpwatch(8).
# Debian: don't report bogons, don't use PROMISC.
ARGS="-N -p"
# Debian: run as 'arpwatch' user. Empty this to run as root.
RUNAS="arpwatch"

/etc/arpwatch.conf

eth0 -m root+eth0

7.1.11 ntpd

/etc/ntp.conf

# /etc/ntp.conf, configuration for ntpd
# ntpd will use syslog() if logfile is not defined
logfile /var/log/ntpd
driftfile /var/lib/ntp/ntp.drift
statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
## server pool to synchronize with
server chime3.ipv6.surfnet.nl
server europe.pool.ntp.org
server 127.127.1.0
fudge 127.127.1.0 stratum 13
# By default, exchange time with everybody, but don't
# allow configuration. See
# /usr/share/doc/ntp-doc/html/accopt.html for details.
restrict default kod notrap nomodify nopeer noquery
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1 nomodify
# If you want to provide time to your local subnet,
# change the next line.
broadcast 192.168.200.255

7.1.12 Active Directory

Adding a new user to the Active Directory "Users" container (forgive me the German installation; crash course in German: Neu = new, Kontakt = contact, Gruppe = group, Drucker = printer, Benutzer = user, Freigegebener Ordner = shared folder)

Figure 7.1: adding a user to Active Directory

7.1.13 mrtg

/etc/mrtg.conf

Describes a Debian Linux host.

### Global Config Options
WorkDir: /var/www/mrtg
## Load the files where the MIBs you query are located
LoadMIBs: /usr/share/snmp/mibs/UCD-SNMP-MIB.txt,/usr/share/snmp/mibs/TCP-MIB.txt
EnableIPv6: no
WorkDir: /var/www/mrtg
Options[_]: growright,bits

#############################################
# System: bart
# Description: Linux bart 2.6.8-1-686 #1
#              Tue Sep 14 00:22:58 EDT 2004 i686
# Contact: "Sylvia Schuh"
# Location: "Schloss Jormannsdorf Lager"
##############################################

## querying eth0
Target[192.168.200.1_eth0]: \eth0:public@192.168.200.1:
SetEnv[192.168.200.1_eth0]: MRTG_INT_IP="192.168.200.1" MRTG_INT_DESCR="eth0"
MaxBytes[192.168.200.1_eth0]: 12500000
Title[192.168.200.1_eth0]: 192.168.200.1 -- bart
PageTop[192.168.200.1_eth0]: <H1>192.168.200.1 -- bart</H1>
 <TABLE>
   <TR><TD>System:</TD>      <TD>bart in "Schloss Jormannsdorf Lager"</TD></TR>
   <TR><TD>Maintainer:</TD>  <TD>"Sylvia Schuh"</TD></TR>
   <TR><TD>Description:</TD> <TD>eth0</TD></TR>
   <TR><TD>ifType:</TD>      <TD>ethernetCsmacd (6)</TD></TR>
   <TR><TD>ifName:</TD>      <TD>Zentrale</TD></TR>
   <TR><TD>Max Speed:</TD>   <TD>100.0 Mbits/s</TD></TR>
   <TR><TD>Ip:</TD>          <TD>192.168.200.1 (bart.sylvia.test)</TD></TR>
 </TABLE>

## querying eth1
Target[192.168.200.1_eth1]: \eth1:public@192.168.200.1:
SetEnv[192.168.200.1_eth1]: MRTG_INT_IP="192.168.150.6" MRTG_INT_DESCR="eth1"
MaxBytes[192.168.200.1_eth1]: 12500000
Title[192.168.200.1_eth1]: 192.168.150.6 -- bart
PageTop[192.168.200.1_eth1]: <H1>192.168.150.6 -- bart</H1>
 <TABLE>
   <TR><TD>System:</TD>      <TD>bart in "Schloss Jormannsdorf Lager"</TD></TR>
   <TR><TD>Maintainer:</TD>  <TD>"Sylvia Schuh"</TD></TR>
   <TR><TD>Description:</TD> <TD>eth1</TD></TR>
   <TR><TD>ifType:</TD>      <TD>ethernetCsmacd (6)</TD></TR>
   <TR><TD>ifName:</TD>      <TD>Internet</TD></TR>
   <TR><TD>Max Speed:</TD>   <TD>100.0 Mbits/s</TD></TR>
   <TR><TD>Ip:</TD>          <TD>192.168.150.6 ()</TD></TR>
 </TABLE>

## cpu monitoring (www.linuxhomenetworking.com)
Target[server.cpu]: ssCpuRawUser.0&ssCpuRawUser.0:public@192.168.200.1 + ssCpuRawSystem.0&ssCpuRawSystem.0:public@192.168.200.1 + ssCpuRawNice.0&ssCpuRawNice.0:public@192.168.200.1
Title[server.cpu]: Server CPU Load
PageTop[server.cpu]: <H1>CPU-Load - System, User and Nice Processes</H1>
MaxBytes[server.cpu]: 20
ShortLegend[server.cpu]: %
YLegend[server.cpu]: CPU Utilization
Legend1[server.cpu]: current CPU percentage load
LegendI[server.cpu]: Used
LegendO[server.cpu]:
Options[server.cpu]: growright, nopercent
Unscaled[server.cpu]: ymwd

## memory monitoring total versus available
Target[server.memory]: memAvailReal.0&memTotalReal.0:public@192.168.200.1
Title[server.memory]: Free Memory
PageTop[server.memory]: <H1>Free Memory</H1>
MaxBytes[server.memory]: 100000000000
ShortLegend[server.memory]: B
YLegend[server.memory]: Bytes
LegendI[server.memory]: Free
LegendO[server.memory]: Total
Legend1[server.memory]: Free memory, not including swap, in bytes
Legend2[server.memory]: Total memory
Options[server.memory]: gauge,growright,nopercent
kMG[server.memory]: k,M,G,T,P,X

## memory monitoring percentage
Title[server.mempercent]: Percentage Free Memory
PageTop[server.mempercent]: <H1>Percentage Free Memory</H1>
Target[server.mempercent]: ( memAvailReal.0&memAvailReal.0:public@192.168.200.1 ) * 100 / ( memTotalReal.0&memTotalReal.0:public@192.168.200.1 )
Options[server.mempercent]: growright,gauge,transparent,nopercent
Unscaled[server.mempercent]: ymwd
MaxBytes[server.mempercent]: 30
YLegend[server.mempercent]: Memory %
ShortLegend[server.mempercent]: Percent
LegendI[server.mempercent]: Free
LegendO[server.mempercent]: Free
Legend1[server.mempercent]: Percentage Free Memory
Legend2[server.mempercent]: Percentage Free Memory

## new TCP connection monitoring
Target[server.newconns]: tcpPassiveOpens.0&tcpPassiveOpens.0:public@192.168.200.1 + tcpActiveOpens.0&tcpActiveOpens.0:public@192.168.200.1
Title[server.newconns]: Newly Created TCP Connections
PageTop[server.newconns]: <H1>New Tcp connections</H1>
MaxBytes[server.newconns]: 1000000000
ShortLegend[server.newconns]: c/s
YLegend[server.newconns]: Conns / Min
LegendI[server.newconns]: In
LegendO[server.newconns]: Out
Legend1[server.newconns]: New inbound connections
Legend2[server.newconns]: New outbound connections
Options[server.newconns]: growright,nopercent,perminute

## Established TCP Connections
Target[server.estabcons]: tcpCurrEstab.0&tcpCurrEstab.0:public@192.168.200.1
Title[server.estabcons]: Currently Established TCP Connections
PageTop[server.estabcons]: <H1>Established TCP Connections</H1>
MaxBytes[server.estabcons]: 10000000000
ShortLegend[server.estabcons]:
YLegend[server.estabcons]: Connections
LegendI[server.estabcons]: In
LegendO[server.estabcons]:
Legend1[server.estabcons]: Established connections
Legend2[server.estabcons]:
Options[server.estabcons]: growright,nopercent,gauge

## Disk usage monitoring
## Note: in order for dskPercent.1 and dskPercent.2 to work you need
## the "disk" entries (e.g. "disk /var/") in /etc/snmpd.conf; the order
## in that file defines which disk is accessed by *.1 and *.2
Target[server.disk]: dskPercent.1&dskPercent.2:public@192.168.200.1
Title[server.disk]: Disk Partition Usage
PageTop[server.disk]: <H1>Disk Partition Usage /home and /var</H1>
MaxBytes[server.disk]: 100
ShortLegend[server.disk]: %
YLegend[server.disk]: Utilization
LegendI[server.disk]: /home
LegendO[server.disk]: /var
Options[server.disk]: gauge,growright,nopercent
Unscaled[server.disk]: ymwd

7.1.14 SmokePing

/etc/smokeping/config

################################################
# DON'T TOUCH UNLESS YOU KNOW WHAT YOU'RE DOING
# BETWEEN THESE MARKS!
################################################
sendmail = /usr/lib/sendmail
imgcache = /var/www/smokeping
imgurl = ../smokeping
datadir = /var/lib/smokeping
piddir = /var/run/smokeping
smokemail = /etc/smokeping/smokemail
################################################
# END OF DON'T TOUCH SECTION
################################################
owner = sylle
contact = [email protected]
cgiurl = http://marge/cgi-bin/smokeping.cgi
mailhost = marge.sylvia.test
syslogfacility = local0
## not all probes at the same time
offset=random

*** Alerts ***
to = [email protected]
from = [email protected]

+bigloss
type = loss
# in percent
pattern = ==0%,==0%,==0%,==0%,>0%,>0%,>0%
comment = suddenly there is packet loss

+someloss
type = loss
# in percent
pattern = >0%,*12*,>0%,*12*,>0%
comment = loss 3 times in a row

+startloss
type = loss
# in percent
pattern = ==S,>0%,>0%,>0%
comment = loss at startup

+rttdetect
type = rtt
# in milli seconds
pattern = <10,<10,<10,<10,<10,<100,>100,>100,>100
comment = routing messed up again ?

*** Database ***
step = 300
pings = 20
# consfn mrhb steps total
AVERAGE 0.5 1 1008
AVERAGE 0.5 12 4320
MIN 0.5 12 4320
MAX 0.5 12 4320
AVERAGE 0.5 144 720
MAX 0.5 144 720
MIN 0.5 144 720

*** Presentation ***
template = /etc/smokeping/basepage.html

+ overview
width = 600
height = 50
range = 10h

+ detail
width = 600
height = 200
unison_tolerance = 2
"Last 3 Hours" 3h
"Last 30 Hours" 30h
"Last 10 Days" 10d
"Last 400 Days" 400d

*** Probes ***
+ FPing
binary = /usr/bin/fping

*** Targets ***
probe = FPing
menu = Top
title = Network Latency Grapher
remark = Welcome to the SmokePing website of 'A poorly maintained site running Debian.'

+ World
menu = World
title = Worldwide Connectivity

# my part
++ Europe
menu = Europe
title = European Connectivity

+++ Switzerland
menu = Switzerland
title = Swiss Connectivity
alerts = bigloss,someloss,startloss

+++ Austria
menu = Austria
title = Austria
alerts = bigloss,someloss,startloss

++++ TU-Wien
menu = TuWien
title = TuWien
host = www.tuwien.ac.at

++++ Hauptuni
menu = Hauptuni
title = Hauptuni
host = www.univie.ac.at

+++ UK
menu = United Kingdom
title = United Kingdom

++ USA
menu = North America
title = North American Connectivity

## entries for each host that is tested
+ Lokal
menu = Lokal
title = Lokal

++ snowball
menu = snowball
title = snowball lokale Erreichbarkeit
host = snowball.sylvia.test

++ maggie
menu = maggie
title = maggie lokale Erreichbarkeit
host = maggie.sylvia.test

++ bart
menu = bart
title = bart lokale Erreichbarkeit
host = bart.sylvia.test

++ apu
menu = apu
title = apu W2k
host = apu.sylvia.test

++ nelson
menu = nelson
title = nelson WXP
host = nelson.sylvia.test

++ lisa
menu = lisa
title = lisa suse
host = lisa.sylvia.test

++ snowball2
menu = snowball2
title = snowball2 WXP
host = snowball2.sylvia.test

7.2 IPv6-related Configuration files

In this section you will find the configuration files related to the use of IPv6. Please also see the chapter "Migration to IPv6", as it contains a lot of in-text configuration file issues.

7.2.1 Apache

/etc/apache2/sites-available/www6

NameVirtualHost *
<VirtualHost *>
    ServerName www6.schuh-tv.at
    ServerAdmin k.schuh@schuh-tv.at
    DocumentRoot /var/www6/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www6/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
        # This directive allows us to have apache2's
        # default start page in /apache2-default/,
        # but still have / go to the right place
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log
    # Possible values include: debug, info, notice, warn,
    # error, crit, alert, emerg.
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
    ServerSignature On

    Alias /mrtg/ "/var/www/mrtg/"
    <Directory "/var/www/mrtg/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>

7.2.2 Smokeping

/etc/smokeping/configv6

*** General ***
################################################
# DON'T TOUCH UNLESS YOU KNOW WHAT YOU'RE DOING
# BETWEEN THESE MARKS!
################################################
sendmail = /usr/lib/sendmail
imgcache = /var/www/smokeping
imgurl = ../smokeping
datadir = /var/lib/smokeping
### pid dir changed because of the 2nd instance of smokeping
piddir = /var/run/smokepingv6
smokemail = /etc/smokeping/smokemail
################################################
# END OF DON'T TOUCH SECTION
################################################
owner = sylle
contact = [email protected]
## another cgi for smokepingv6
cgiurl = http://snowball/cgi-bin/smokepingv6.cgi
mailhost = marge.sylvia.test
syslogfacility = local0
offset=random

*** Alerts ***
to = [email protected]
from = [email protected]

+bigloss
type = loss
# in percent
pattern = ==0%,==0%,==0%,==0%,>0%,>0%,>0%
comment = suddenly there is packet loss

+someloss
type = loss
# in percent
pattern = >0%,*12*,>0%,*12*,>0%
comment = loss 3 times in a row

+startloss
type = loss
# in percent
pattern = ==S,>0%,>0%,>0%
comment = loss at startup

+rttdetect
type = rtt
# in milli seconds
pattern = <10,<10,<10,<10,<10,<100,>100,>100,>100
comment = routing messed up again ?

*** Database ***
step = 300
pings = 20
# consfn mrhb steps total
AVERAGE 0.5 1 1008
AVERAGE 0.5 12 4320
MIN 0.5 12 4320
MAX 0.5 12 4320
AVERAGE 0.5 144 720
MAX 0.5 144 720
MIN 0.5 144 720

*** Presentation ***
template = /etc/smokeping/basepage.html

+ overview
width = 600
height = 50
range = 10h

+ detail
width = 600
height = 200
unison_tolerance = 2
"Last 3 Hours" 3h
"Last 30 Hours" 30h
"Last 10 Days" 10d
"Last 400 Days" 400d

*** Probes ***
+ FPing6
binary = /usr/sbin/fping6

*** Targets ***
probe = FPing6
menu = Top
title = Network Latency Grapher
remark = Welcome to the SmokePing website of 'A poorly maintained site running Debian.'

+ World
menu = World
title = Worldwide Connectivity

# my part
++ Europe
menu = Europe
title = European Connectivity

+++ Switzerland
menu = Switzerland
title = Swiss Connectivity
alerts = bigloss,someloss,startloss

+++ Austria
menu = Austria
title = Austria
alerts = bigloss,someloss,startloss

++++ Kame
menu = Kame
title = Kame
host = www.kame.net

++++ Sixxs
menu = Sixxs
title = Sixxs
host = www.sixxs.net

+++ UK
menu = United Kingdom
title = United Kingdom

++ USA
menu = North America
title = North American Connectivity

+ Lokal
menu = Lokal
title = Lokal

++ snowball6
menu = snowball6
title = snowball6 lokale Erreichbarkeit
host = snowball6.sylvia.test

++ maggie6
menu = maggie6
title = maggie6 lokale Erreichbarkeit
host = maggie6.sylvia.test

++ bart6
menu = bart6
title = bart6 lokale Erreichbarkeit
host = bart6.sylvia.test

++ apu6
menu = apu6
title = apu6 W2k
host = apu6.sylvia.test

++ nelson6
menu = nelson6
title = nelson6 WXP
host = nelson6.sylvia.test

++ lisa6
menu = lisa6
title = lisa6 suse
host = lisa6.sylvia.test

++ snowball26
menu = snowball26
title = snowball26 WXP
host = snowball26.sylvia.test

++ wiggum6
menu = wiggum6
title = wiggum6 W2k3
host = wiggumold.sylvia.test

++ flanders6
menu = flanders6
title = flanders6 W2k3
host = flanders6.sylvia.test

Note: I did not modify the "World" part very carefully. Surely you could leave out some things here or modify them.

7.2.3 mrtg

/etc/mrtgbart6.cfg

WorkDir: /var/www/mrtg
LoadMIBs: /usr/share/snmp/mibs/UCD-SNMP-MIB.txt,/usr/share/snmp/mibs/TCP-MIB.txt
# or for NT
# WorkDir: c:\mrtgdata

### Global Defaults
# to get bits instead of bytes and graphs growing
# to the right
Options[_]: growright, bits
EnableIPv6: yes
WorkDir: /var/www/mrtg
Options[_]: growright,bits

###############################################
# System: bart
# Description: Linux bart 2.6.8-1-686 #1
#              Tue Sep 14 00:22:58 EDT 2004 i686
# Contact: "Sylvia Schuh"
# Location: "Schloss Jormannsdorf Lager"
################################################

Target[bart6_eth0]: \eth0:public@bart6:
SetEnv[bart6_eth0]: MRTG_INT_IP="2001:16d8:ff47:1203:2::1" MRTG_INT_DESCR="eth0"
MaxBytes[bart6_eth0]: 12500000
Title[bart6_eth0]: 2001:16d8:ff47:1203:2::1 -- bart
PageTop[bart6_eth0]: <H1>2001:16d8:ff47:1203:2::1 -- bart</H1>
 <TABLE>
   <TR><TD>System:</TD>      <TD>bart in "Schloss Jormannsdorf Lager"</TD></TR>
   <TR><TD>Maintainer:</TD>  <TD>"Sylvia Schuh"</TD></TR>
   <TR><TD>Description:</TD> <TD>eth0</TD></TR>
   <TR><TD>ifType:</TD>      <TD>ethernetCsmacd (6)</TD></TR>
   <TR><TD>ifName:</TD>      <TD>Zentrale</TD></TR>
   <TR><TD>Max Speed:</TD>   <TD>100.0 Mbits/s</TD></TR>
   <TR><TD>Ip:</TD>          <TD>2001:16d8:ff47:1203:2::1 (bart.sylvia.test)</TD></TR>
 </TABLE>

Target[bart6_eth1]: \eth1:public@bart6:
SetEnv[bart6_eth1]: MRTG_INT_IP="2001:16d8:ff47:1203:1::6" MRTG_INT_DESCR="eth1"
MaxBytes[bart6_eth1]: 12500000
Title[bart6_eth1]: 2001:16d8:ff47:1203:1::6 -- bart
PageTop[bart6_eth1]: <H1>2001:16d8:ff47:1203:1::6 -- bart</H1>
 <TABLE>
   <TR><TD>System:</TD>      <TD>bart in "Schloss Jormannsdorf Lager"</TD></TR>
   <TR><TD>Maintainer:</TD>  <TD>"Sylvia Schuh"</TD></TR>
   <TR><TD>Description:</TD> <TD>eth1</TD></TR>
   <TR><TD>ifType:</TD>      <TD>ethernetCsmacd (6)</TD></TR>
   <TR><TD>ifName:</TD>      <TD>Internet</TD></TR>
   <TR><TD>Max Speed:</TD>   <TD>100.0 Mbits/s</TD></TR>
   <TR><TD>Ip:</TD>          <TD>2001:16d8:ff47:1203:1::6 ()</TD></TR>
 </TABLE>

## cpu monitoring according to www.linuxhomenetworking.com
Target[server6.cpu]: ssCpuRawUser.0&ssCpuRawUser.0:public@bart6 + ssCpuRawSystem.0&ssCpuRawSystem.0:public@bart6 + ssCpuRawNice.0&ssCpuRawNice.0:public@bart6
Title[server6.cpu]: Server CPU Load
PageTop[server6.cpu]: <H1>CPU-Load - System, User and Nice Processes</H1>
MaxBytes[server6.cpu]: 20
ShortLegend[server6.cpu]: %
YLegend[server6.cpu]: CPU Utilization
Legend1[server6.cpu]: current CPU percentage load
LegendI[server6.cpu]: Used
LegendO[server6.cpu]:
Options[server6.cpu]: growright, nopercent
Unscaled[server6.cpu]: ymwd

## new TCP connection monitoring
Target[server6.newconns]: tcpPassiveOpens.0&tcpPassiveOpens.0:public@bart6 + tcpActiveOpens.0&tcpActiveOpens.0:public@bart6
Title[server6.newconns]: Newly Created TCP Connections
PageTop[server6.newconns]: <H1>New Tcp connections</H1>
MaxBytes[server6.newconns]: 1000000000
ShortLegend[server6.newconns]: c/s
YLegend[server6.newconns]: Conns / Min
LegendI[server6.newconns]: In
LegendO[server6.newconns]: Out
Legend1[server6.newconns]: New inbound connections
Legend2[server6.newconns]: New outbound connections
Options[server6.newconns]: growright,nopercent,perminute

## Established TCP Connections
Target[server6.estabcons]: tcpCurrEstab.0&tcpCurrEstab.0:public@bart6
Title[server6.estabcons]: Currently Established TCP Connections
PageTop[server6.estabcons]: <H1>Established TCP Connections</H1>
MaxBytes[server6.estabcons]: 10000000000
ShortLegend[server6.estabcons]:
YLegend[server6.estabcons]: Connections
LegendI[server6.estabcons]: In
LegendO[server6.estabcons]:
Legend1[server6.estabcons]: Established connections
Legend2[server6.estabcons]:
Options[server6.estabcons]: growright,nopercent,gauge

7.2.4 firewall: iptables

#!/bin/bash
# IPv6 Firewall script
IPTABLES6=/sbin/ip6tables
EXTIF1="eth1"
SIXXS="2001:6f8:900:587::2/64"
ANY6="::/0"
LOCALHOST6="::1/128"
TRUSTED6="2001:16d8:ff47:1203::/64"   ## Jormannsdorf network
# For future use
BLACKLIST6=""
SURFER6=""
POSTLER6=""
##
BACKUPDIR="/var/log/backups/firewall"

case "$1" in
  flush)
    echo -e "Flushing Firewall: "
    $IPTABLES6 -F > /dev/null 2>&1
    $IPTABLES6 -X > /dev/null 2>&1
    echo -e "setting Defaults to ACCEPT!"
    echo -e "FireWall OFFEN !!!!!"
    # ip -6 route del 2000::/3 via 2001:6f8:900:587::1
    $IPTABLES6 -P INPUT ACCEPT
    $IPTABLES6 -P OUTPUT ACCEPT
    $IPTABLES6 -P FORWARD ACCEPT
    ;;
  start|reload)
    echo -n "Starting Firewall: "
    # keep a copy of the firewall scripts before touching the rules
    TIME=$(date +%s)
    tar -czf $BACKUPDIR/firewall.$TIME.tar.gz /etc/init.d/firewall*
    # mail to:
    mail [email protected] -s "Firewall restarted" < $0
    sleep 1
    echo "Forwarding ipv6 einschalten..."
    echo "1" > /proc/sys/net/ipv6/conf/all/forwarding
    $IPTABLES6 -F > /dev/null 2>&1
    $IPTABLES6 -X > /dev/null 2>&1
    $IPTABLES6 -P INPUT DROP
    $IPTABLES6 -P OUTPUT DROP
    $IPTABLES6 -P FORWARD DROP
    # DROP AND LOG !!
    $IPTABLES6 -N drop-and-log
    $IPTABLES6 -A drop-and-log -j LOG --log-level info --log-prefix "IPV6 DROP: "
    $IPTABLES6 -A drop-and-log -j DROP
    ##
    $IPTABLES6 -A INPUT -s $LOCALHOST6 -d $LOCALHOST6 -j ACCEPT
    $IPTABLES6 -A OUTPUT -s $LOCALHOST6 -d $LOCALHOST6 -j ACCEPT
    # ssh to the tunnel endpoint only from the trusted network(s)
    for i in $TRUSTED6
    do
      $IPTABLES6 -A INPUT -s $i -d $SIXXS -p tcp --dport 22 -j ACCEPT
      $IPTABLES6 -A OUTPUT -d $i -s $SIXXS -p tcp --sport 22 -j ACCEPT
    done
    $IPTABLES6 -A INPUT -p icmpv6 -j ACCEPT
    $IPTABLES6 -A OUTPUT -p icmpv6 -j ACCEPT
    $IPTABLES6 -A FORWARD -p icmpv6 -j ACCEPT
    $IPTABLES6 -A FORWARD -p tcp --dport 80 -j ACCEPT
    $IPTABLES6 -A FORWARD -p tcp --sport 80 -j ACCEPT
    # everything not accepted above is logged and dropped
    $IPTABLES6 -A INPUT -j drop-and-log
    $IPTABLES6 -A OUTPUT -j drop-and-log
    $IPTABLES6 -A FORWARD -j drop-and-log
    ip -6 route add 2000::/3 via 2001:6f8:900:587::1
    ;;
  show)
    echo "Firewall IPv6 EF: "
    $IPT6ABLES_PLACEHOLDER_NEVER_USED=""
    $IPTABLES6 -L -nv
    ;;
  *)
    echo "Usage: $0 {flush|start|reload|show}"
    exit 1
    ;;
esac
echo "... Fertig"
exit 0