Using Broxy for Native IPv6 Support (Phase 1)

Broxy is a software solution for phase 1 of native IPv6 support. It comes preconfigured with a "4to6" squid proxy, a forwarding "4to6" named (DNS) server and a bridged IPv6 interface. It allows the dual-stack IPv4 scanner components to communicate with the IPv6 data center through the proxy, and to scan bridged IPv6-only targets. In phase 1 the preferred scan mode of Qualys scanners is still IPv4, so scanning by a DNS hostname that resolves to an IPv6 address (AAAA record) will fail. Only scanning by literal IPv6 addresses, not by hostnames, is supported. Support for scanning by hostname is expected in phase 2. The following sections show how to configure the KVM host, Broxy and a scanner VM to achieve this.

Copyright 2019 by Qualys, Inc. All Rights Reserved.

Installing LIBVIRT/KVM packages on the KVM host

Without going into the details of configuring a KVM host from scratch, the following gives a basic idea of which packages are required and how to start the libvirt service on the host before continuing.

~]# yum upgrade -y
~]# yum install libvirt virt-install qemu-img qemu-kvm libguestfs-tools-c ntp ntpdate
~]# systemctl start libvirtd
~]# virsh version

Creating the bridge on the KVM host

We need to enslave the KVM host's physical adapter to the bridge br0 and then use the bridge to forward all IPv6 traffic transparently to and from our virtual scanners. Below is an example for a KVM host whose network settings are not managed by NetworkManager; manually, it is done as follows.

Step 1: Enable bridging on the physical interface by editing its ifcfg-<interface name> file, as in this example:

~]# cat >/etc/sysconfig/network-scripts/ifcfg-enp3s0 <<EOF
TYPE=Ethernet
BOOTPROTO=static
DEVICE=enp3s0
ONBOOT=yes
BRIDGE=br0
EOF
Step 2: Configure the bridge interface with the desired IPv6 address, IPv6 default gateway and IPv6 DNS server address:

~]# cat >/etc/sysconfig/network-scripts/ifcfg-br0 <<EOF
TYPE=Bridge
BOOTPROTO=static
NOZEROCONF=yes
IPV6INIT=yes
IPV6_AUTOCONF=no
IPV6ADDR=2001:470:8418:2800::10.40.0.12
IPV6_DEFAULTGW=2001:470:8418:2800::1
DEVICE=br0
ONBOOT=yes
DNS1=2001:470:8418:2800::a
EOF

Step 3: Reboot the KVM host.

Setting up Broxy on the LIBVIRT/KVM host

Setting up Broxy requires a bridge on the KVM host and a private (isolated) libvirt network.

KVM host network configurations

By default the KVM host has only the "default" NAT libvirt network:

~]# virsh net-dumpxml default
<network>
  <name>default</name>
  <uuid>4d41a5a8-6fac-4816-961a-19580971646d</uuid>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:94:da:d6'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>

You need to create a bridged network (if you don't have one already) and a private one, as shown in the next two sections.

Create a private isolated libvirt network

~]# virsh net-define /dev/stdin <<EOF
<network>
  <name>private144</name>
  <bridge name="virbrp144" stp="off"/>
</network>
EOF

Create a host-bridged libvirt network, if you don't have one already

~]# virsh net-define /dev/stdin <<EOF
<network>
  <name>host-bridge</name>
  <forward mode="bridge"/>
  <bridge name="br0"/>
</network>
EOF

Start the newly created networks

~]# virsh net-autostart host-bridge
~]# virsh net-autostart private144
~]# virsh net-start host-bridge
~]# virsh net-start private144

Create the bridged 4to6 proxy VM (Broxy)

The Broxy image comes as a tar.gz archive and can easily be spun up as a VM on a KVM host. It comes preconfigured for environments that assign IPv6 addresses via SLAAC or DHCPv6.
Here are the steps to create the Broxy server VM.

Step 1: Download the Broxy image and unpack it with tar:

~]# tar xvfz broxy.tar.gz

This gives you two files: broxy.xml and broxy-disk1.qcow2.

Step 2: Create the Broxy VM with virt-clone:

~]# virt-clone --original-xml broxy.xml --name broxy --file /var/lib/libvirt/qemu/broxy-disk1.qcow2

Step 3: Review and edit the network settings. The Broxy image comes preconfigured with 'private144' as the first source network and 'host-bridge' as the second. Change these if you configured your KVM host networks with different names:

~]# virsh edit broxy

This opens the instance configuration file. Review and edit the network settings as needed: the first <interface type='network'> element should have <source network='private144'/> (or the private network name you set on the KVM host above), and the second <interface type='network'> element should have <source network='host-bridge'/> (or the host-bridge network name you set on the KVM host above).

Step 4: Modify /etc/named/forwarders. It should list the IPv6 address(es) of the host's DNS resolvers from /etc/resolv.conf, as in this example:

~]# virt-edit -d broxy /etc/named/forwarders
forwarders {
  2001:470:8418:2800::cafe;
  2001:470:8418:2800::face;
};
forward only;

Step 5: Configure the IPv6 settings of Broxy's br0 interface. If your IPv6 network has Router Advertisement prefixes enabled or DHCPv6 available, nothing needs to change. For a static IPv6 configuration, edit Broxy's ifcfg-br0 file as follows:

~]# virt-edit -d broxy /etc/sysconfig/network-scripts/ifcfg-br0
IPV6_AUTOCONF=no
DHCPV6C=no
IPV6ADDR=...
IPV6_DEFAULTGW=...

Starting the Broxy VM with console

Now we can start Broxy and check that it is fully functional.
~]# virsh start --console broxy

Sample logs displayed on the Broxy console:

[root@qa-kvm-ipv6 ~]# virsh start --console broxy
Domain broxy started
Connected to domain broxy
Escape character is ^]
…
Linux version 2.6.32-754.12.1.el6.x86_64 ([email protected]) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-23) (GCC) ) #1 SMP Tue Apr 9 14:52:26 UTC 2019
Command line: ro root=UUID=6a2321b9-f1e6-40db-b156-44056de2ffe3 rd_NO_LUKS rd_NO_LVM LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM console=tty0 console=ttyS0,115200n8
…
CentOS release 6.10 (Final)
Kernel 2.6.32-754.12.1.el6.x86_64 on an x86_64

broxy.local login:

Test the connection from Broxy

After starting the Broxy console, log in on the serial TTY as root; the password is initially empty, so change it if required. The serial console is the only access method, as sshd is disabled by default. You can test the connection to the Qualys servers as shown in the following example:

~]# host qualysguard.qualys.com
~]# curl -kv https://qualysguard.qualys.com

Broxy is now ready! Next we'll create a scanner VM and configure it to work with Broxy, so that all its traffic is routed through the bridged interface created above.

Create the QVSA scanner on the private144 network

Step 1: Download and unpack the scanner qVSA image:

~]# tar xvfz qVSA-2.5.xx-1.tar.gz

This gives you two files: qVSA.i386-2.5.xx-1-libvirt.xml and qVSA.i386-2.5.xx-1.qcow2.

Step 2: Create the scanner VM with virt-clone (as you did for the Broxy instance):

~]# virt-clone --original-xml qVSA-2.5.xx-1-libvirt.xml --name qVSA-2.5.xx-1 --file /var/lib/libvirt/qemu/qVSA-2.5.xx-1.qcow2
Allocating 'qVSA-2.5.xx-x.qcow2' | 56 GB 00:00:01
Clone 'qVSA-2.5.xx-x' created successfully.

Scanner activation

Step 1: Get your PERSCODE from Qualys. Log in to the Qualys UI and go to Scans > Appliances > New > Virtual Scanner Appliance. Choose "I have my image" and click Continue.
Follow the on-screen instructions to configure your virtual scanner and get your personalization code. You'll need it in the next few steps.

Step 2: Add the Broxy DNS name in the scanner proxy settings. The proxy must be addressed by the special DNS name proxy.qualys.local given to the Broxy VM configured above; the name server on Broxy resolves it to 192.168.144.1. The proxy value must be added to the scanner before it is started. The proxy itself runs on the Broxy VM created in the previous section.

Step 3: Prepare the encoded CONFIG: string as follows:

~]# <<<$'PERSCODE=NNNNNNNNNNNNNN\nPROXY_URL=proxy.qualys.local:3128' gzip -c | openssl base64 -A

Replace NNNNNN... with the PERSCODE generated in the Qualys UI.

Step 4: Modify the SMBIOS serial field to inject the base64-encoded string after the CONFIG: tag:

~]# virsh edit qVSA-2.5.xx-1
<domain type='kvm'>
  <name>qVSA-2.5.xx-1</name>
  ...
  <sysinfo type='smbios'>
    <system>
      <entry name='serial'>CONFIG:H4sI...</entry>
    </system>
  </sysinfo>
  ...

Step 5: Change the default scanner network name to 'private144':

~]# virsh edit qVSA-2.5.xx-1
...
<interface type='network'>
  <mac address='52:54:xx:xx:xx:xx'/>
  <source network='private144'/>
...

How to see the scanner logs

~]# virsh start --console qVSA-2.5.xx-1

How to see the scanner console/UI

~]# virsh vncdisplay qVSA-2.5.xx-1
:0

Connect to the scanner console over VNC using the KVM server's IPv6 address and port 5900 when the output is :0 as above (:1 means port 5901, and so on).

TIP: If direct access to the KVM server's IPv6 address doesn't work from your VNC viewer, open the VNC connection through an SSH tunnel. For the example above, ssh root@2001:470:8418:2800::a28:c -L 5900:127.0.0.1:5900 opens an SSH tunnel to the VNC port; then enter 127.0.0.1:5900 in the VNC viewer to connect to the scanner console.
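As an added example for steps 3 to 5 of the scanner activation (not code from the Qualys document), the following shell functions rebuild the CONFIG: string, decode it back, and check an edited domain XML for a PROXY_URL pointing at Broxy and for interfaces on the expected libvirt networks in order; the same check covers Broxy's own XML with "private144 host-bridge". It assumes gzip and coreutils base64 are available and uses a placeholder PERSCODE in a constructed sample XML.

```shell
# Added example, not from the Qualys document: after 'virsh edit', check that a
# scanner domain XML carries a CONFIG: serial whose PROXY_URL points at Broxy
# and that its interfaces sit on the expected libvirt networks, in order.
# Assumes gzip and coreutils base64 ('openssl base64 -A' encodes identically).

# Build "CONFIG:<base64(gzip("PERSCODE=...\nPROXY_URL=..."))>" for one scanner.
make_config_entry() {
    encoded=$(printf 'PERSCODE=%s\nPROXY_URL=%s' "$1" "$2" | gzip -c | base64 | tr -d '\n')
    printf 'CONFIG:%s\n' "$encoded"
}

# Reverse make_config_entry; the string is compressed and encoded, not
# encrypted, so the PERSCODE is recoverable from the domain XML by anyone who
# can read it. Fails if the payload is not valid base64 + gzip.
decode_config_entry() {
    printf '%s' "${1#CONFIG:}" | base64 -d | gzip -dc
}

# Print the <source network='...'/> names of a domain XML in document order.
interface_networks() {
    sed -n "s/.*<source network='\([^']*\)'.*/\1/p" "$1" | tr '\n' ' ' | sed 's/ *$//'
}

# verify_domain XMLFILE EXPECTED_PROXY "NET1 NET2 ...": prints the PERSCODE on
# success; reports the first mismatch on stderr and returns 1 otherwise.
verify_domain() {
    serial=$(sed -n "s|.*<entry name='serial'>\(CONFIG:[A-Za-z0-9+/=]*\)</entry>.*|\1|p" "$1")
    [ -n "$serial" ] || { echo "$1: no CONFIG: serial entry" >&2; return 1; }
    decoded=$(decode_config_entry "$serial") || { echo "$1: serial is not base64+gzip" >&2; return 1; }
    proxy=$(printf '%s\n' "$decoded" | sed -n 's/^PROXY_URL=//p')
    perscode=$(printf '%s\n' "$decoded" | sed -n 's/^PERSCODE=//p')
    [ "$proxy" = "$2" ] || { echo "$1: PROXY_URL '$proxy', expected '$2'" >&2; return 1; }
    [ -n "$perscode" ] || { echo "$1: PERSCODE missing" >&2; return 1; }
    nets=$(interface_networks "$1")
    [ "$nets" = "$3" ] || { echo "$1: interfaces on '$nets', expected '$3'" >&2; return 1; }
    printf '%s\n' "$perscode"
}

# Constructed stand-in for the edited qVSA domain XML: placeholder PERSCODE,
# the document's masked MAC, and the interface network given as $2.
write_sample_domain() {
    cat >"$1" <<EOF
<domain type='kvm'><name>qVSA-2.5.xx-1</name>
  <sysinfo type='smbios'><system>
    <entry name='serial'>$(make_config_entry 00000000000000 proxy.qualys.local:3128)</entry>
  </system></sysinfo>
  <devices><interface type='network'>
    <mac address='52:54:xx:xx:xx:xx'/><source network='$2'/>
  </interface></devices></domain>
EOF
}
```

On the KVM host, run verify_domain against the output of `virsh dumpxml qVSA-2.5.xx-1` saved to a file, with proxy.qualys.local:3128 and private144 as the expected values.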
