From jeff at digitalenvoy.net Tue Sep 1 20:58:23 2009
From: jeff at digitalenvoy.net (Jeff Burdette)
Date: Tue, 01 Sep 2009 14:58:23 -0400
Subject: Linux IPv6 router
In-Reply-To: <4A9403E3.1070307@rollernet.us>
References: <4A9403E3.1070307@rollernet.us>
Message-ID: <4A9D6ECF.8030300@digitalenvoy.net>

Could someone contact me off-list concerning setting up an IPv6 router using Fedora (Core 11)? I have done all the things that I can find documented but seem to have some issue when it comes to getting the Fedora box to route the packet to the next hop (ISP's IPv6-enabled router). Fedora box acting as router can ping6 ISP's router and other hosts on the net (eg. ipv6.google.com) but other hosts in my local network can't ping anything except other local IPv6 boxes.

Any help will be greatly appreciated. Sorry if this is inappropriate for this list but I thought you guys could either help or point me in the right direction for help.

Thanks.

-Jeff

--
-----------------------------------------------------------------
Jeff Burdette \ Director, Research & Development / Digital Envoy, Inc \
-----------------------------------------------------------------

From mludvig at logix.net.nz Wed Sep 2 01:12:05 2009
From: mludvig at logix.net.nz (Michal Ludvig)
Date: Wed, 02 Sep 2009 11:12:05 +1200
Subject: Linux IPv6 router
In-Reply-To: <4A9D6ECF.8030300@digitalenvoy.net>
References: <4A9403E3.1070307@rollernet.us> <4A9D6ECF.8030300@digitalenvoy.net>
Message-ID: <4A9DAA45.60004@logix.net.nz>

Hi Jeff,

> Could someone contact me off-list concerning setting up an IPv6 router
> using Fedora (Core 11)? I have done all the things that I can find
> documented but seem to have some issue when it comes to getting the
> Fedora box to route the packet to the next hop (ISP's IPv6-enabled
> router). Fedora box acting as router can ping6 ISP's router and other
> hosts on the net (eg. ipv6.google.com) but other hosts in my local
> network can't ping anything except other local IPv6 boxes.
1) is packet forwarding enabled?

root at st-6-kth ~ # sysctl net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.forwarding = 1

2) are there any firewall rules blocking the traffic?

root at st-6-kth ~ # ip6tables -L FORWARD
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

if there is something in the firewall flush it for testing: ip6tables -F

Michal

--
* smtp-cli.logix.cz -- the ultimate IPv6 command line smtp client

From sethm at rollernet.us Fri Sep 4 00:36:21 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Thu, 03 Sep 2009 15:36:21 -0700
Subject: VZB IPv6
In-Reply-To: <4A9403E3.1070307@rollernet.us>
References: <4A9403E3.1070307@rollernet.us>
Message-ID: <4AA044E5.8090507@rollernet.us>

Seth Mattinen wrote:
> Martin List-Petersen wrote:
>> Last time I had the opportunity to check AS701 did. And they also
>> refused to let customers route their own PIv6.
>>
>

Just to update: I very clearly said "BGP" and "/48" to at least four different people and in writing multiple times, and they all said it was fine. Their form had me fill out "does customer have PI from ARIN?" and I said yes and listed my /48. So far nobody has shot it down. I'll find out what happens tomorrow morning during the turn up conference call.

~Seth

From alan.batie at peakinternet.com Fri Sep 4 02:53:31 2009
From: alan.batie at peakinternet.com (Alan Batie)
Date: Thu, 03 Sep 2009 17:53:31 -0700
Subject: CPE firewalls
In-Reply-To: <87fxb8z1nj.fsf@nemi.mork.no>
References: <4A9AC81B.40500@rollernet.us> <84ECA8C8-717B-423A-91C1-4B96A20DF5EC@spawar.navy.mil> <87k50kz5f7.fsf@nemi.mork.no> <20090831095338.GA4472@capsaicin.mamane.lu> <87fxb8z1nj.fsf@nemi.mork.no>
Message-ID: <4AA0650B.3020004@peakinternet.com>

Bjørn Mork wrote:
> Right. Thanks for the idea. I do have a few places where I can push
> things like that.
> This is maybe something for
> http://www.ietf.org/id/draft-ietf-v6ops-ipv6-cpe-router-01.txt

After reading this draft, I sent a request to the authors to include a firewall addition to the effect of "a CPE Router SHOULD default to blocking incoming TCP connection requests and incoming UDP packets". In essence, the router should provide the same basic default firewall capability that NAT gives now. While not full security, it at least provides network protection at the same level users have now, and without this default state or NAT6x, users are going to be highly vulnerable. There is a big difference between "I forgot to configure the router" or "I configured it wrong accidentally" and "I decided to make changes from the default and accidentally opened a hole".

From alan.batie at peakinternet.com Fri Sep 4 02:59:16 2009
From: alan.batie at peakinternet.com (Alan Batie)
Date: Thu, 03 Sep 2009 17:59:16 -0700
Subject: CPE firewalls
In-Reply-To: <4AA0650B.3020004@peakinternet.com>
References: <4A9AC81B.40500@rollernet.us> <84ECA8C8-717B-423A-91C1-4B96A20DF5EC@spawar.navy.mil> <87k50kz5f7.fsf@nemi.mork.no> <20090831095338.GA4472@capsaicin.mamane.lu> <87fxb8z1nj.fsf@nemi.mork.no> <4AA0650B.3020004@peakinternet.com>
Message-ID: <4AA06664.1000303@peakinternet.com>

Argh! I missed the link to a whole separate document on the issue, never mind...

From d at teklibre.org Sun Sep 6 02:04:51 2009
From: d at teklibre.org (Dave Täht)
Date: Sat, 05 Sep 2009 18:04:51 -0600
Subject: PTR records for v6 hosts
References: <4A9C0DA7.1040103@venaas.com>
Message-ID: <87ocppszto.fsf@mahal.sjds.teklibre.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stig Venaas writes:
> Mark Milhollan wrote:
>> On Mon, 31 Aug 2009, Lionel Elie Mamane wrote:
> [...]
>> I expect an ISP provided, predefined generic name for every address
>> in the entire allocation will predominate for many years, making
>> things like Martin List-Petersen's pdns pipe very attractive (since
>> it would kill BIND, and others, to actually populate such a zone).
>> Perhaps using base 32 (or 64) encoding instead of merely 16, easy as
>> it is to "see" the ip address when using hex.
>
> Do you know if anyone has written something like the pdns for BIND? I've
> thought about writing something like that using BIND's sdb back-end. It
> should be easy but I never got around to it. I might try to implement
> one unless it's been done already...

I'm not sure why you'd want to populate the entire reverse ip address space; merely populating the used ipv6 ips with the machines that need reverse ips should be enough. I just leave the reverses static as the machines involved are on a dedicated tunnel or a roaming tunnel.

On bind9:

For forward lookups, to dynamically update bind9, what I have done, on a small scale, is use the nsupdate utility, wrapped in a small script with tsig.

To create a machine for the first time I:

#!/bin/sh
# mkroam.sh: generate a TSIG key pair for one roaming host name
if [ $# = 1 ]
then
    dnssec-keygen -a HMAC-MD5 -b 512 -r /dev/urandom -n USER "$1"
else
    echo "must be a user domain name in the format name.example.org" >&2
    exit 1
fi

The resulting public key gets transmorphed (currently by hand) into a file on the name server called keys.conf.

key dave.roam.example.com. {
    algorithm HMAC-MD5;
    secret "jvtC/ZRUI24A2BC$218jkH2X2hIi562a1o2/1vzm ljV9fiZjC/JHZds4p 4c5kHTJql32s5BJQuPGIM/1HrnvmsA==";
};

The latest alpha of bind9 (due out next week, I'm told) comes with a tool that generates keys in the correct format, so you don't have to use dnssec-keygen for it.
And then the update script on the client pc (fired off a minute after the device initializes to give it time to acquire addresses)

#!/bin/sh
export SERVER=nsipv6.example.com
export SUBDOMAIN=roam.example.com
if [ $# = 2 ]
then
    export USER=$1
    export AAAA=$2
    nsupdate -d -R /dev/urandom -k /etc/dnskey/K$USER.$SUBDOMAIN.*.private -v <

> Stig

- --
Dave Taht
http://the-edge.blogspot.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8+

iEYEARECAAYFAkqi/J8ACgkQpdejJcOV4uTkOwCfV6K1A8uobM0KJb2Xm/RqPquz
jBoAn1wuSjpiwhDpdKhRq2F1cPClIiDY
=dHR5
-----END PGP SIGNATURE-----

From jeroen at unfix.org Sun Sep 6 12:11:37 2009
From: jeroen at unfix.org (Jeroen Massar)
Date: Sun, 06 Sep 2009 12:11:37 +0200
Subject: PTR records for v6 hosts
In-Reply-To: <87ocppszto.fsf@mahal.sjds.teklibre.org>
References: <4A9C0DA7.1040103@venaas.com> <87ocppszto.fsf@mahal.sjds.teklibre.org>
Message-ID: <4AA38AD9.2010100@spaghetti.zurich.ibm.com>

Dave Täht wrote:
[..]
> For forward lookups, to dynamically update bind9, what I have done, on a
> small scale, is use the nsupdate utility, wrapped in a small script with
> tsig.

What about simply looking at:
http://www.ops.ietf.org/dns/dynupd/secure-ddns-howto.html

Note:
$Id: secure-ddns-howto.html,v 1.65 2002/03/17 22:52:50 jakob Exp $

Exists some while already :)

Windows Edition of the thing:
http://unfix.org/~jeroen/archive/Windows_DynamicDNS_Update.zip

Greets,
 Jeroen
From d at teklibre.org Sun Sep 6 14:52:49 2009
From: d at teklibre.org (Dave Täht)
Date: Sun, 06 Sep 2009 06:52:49 -0600
Subject: PTR records for v6 hosts
References: <4A9C0DA7.1040103@venaas.com> <87ocppszto.fsf@mahal.sjds.teklibre.org> <4AA38AD9.2010100@spaghetti.zurich.ibm.com>
Message-ID: <87pra4s09q.fsf@mahal.sjds.teklibre.org>

Jeroen Massar writes:
> Dave Täht wrote:
> [..]
>> For forward lookups, to dynamically update bind9, what I have done, on a
>> small scale, is use the nsupdate utility, wrapped in a small script with
>> tsig.
>
> What about simply looking at:
> http://www.ops.ietf.org/dns/dynupd/secure-ddns-howto.html
>
> Note:
> $Id: secure-ddns-howto.html,v 1.65 2002/03/17 22:52:50 jakob Exp $
>
> Exists some while already :)

When I looked at google for methods to do this, that url was nowhere near the top of google, and the existing examples at the top of google tended to use "example.com" rather than a subdomain like "roam.example.com". You suggest "laptop.example.com", but the world of mobile devices is much larger than that, thus "roam" and "home" were the two dns subzones I settled on for dynamic updates, and I mostly only use roam.

Incidentally, I just built bind-9.7.0a2 and the name of the new utility that generates correctly formatted zones and keys is:

ddns-confgen

It uses hmac-sha256 by default. (I believe MD5 has issues nowadays)

The howto is otherwise excellent.

Anyway the surrounding context of this discussion is on how to do this well on cpe equipment, or in an automated fashion at the ISP. I would like very much to see local (and split, for ipv4) dns name services to be on the customer premise some day in the future, in more networks.
I'm told one of the design goals of bind10 would be to have it run well on embedded gear, but looking over it now I don't see how bind can get there from here.

> Windows Edition of the thing:
> http://unfix.org/~jeroen/archive/Windows_DynamicDNS_Update.zip
>
> Greets,
> Jeroen

--
Dave Taht
http://the-edge.blogspot.com
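The two nsupdate/TSIG messages above (Dave's keys.conf plus client script, and his note that ddns-confgen now defaults to hmac-sha256) leave out the part that matters most for security: the update-policy that scopes each key to its own name, and the batch of commands nsupdate reads on standard input. The block below is an added example, not Dave's script and not ddns-confgen itself; it emits those three pieces in the text formats BIND's named.conf and nsupdate accept. The names nsipv6.example.com, roam.example.com and dave.roam.example.com are assumed for illustration, and the rejection of link-local, loopback, multicast and out-of-zone input is this example's own check, not something the thread describes.

```python
"""Added example (not from the thread): TSIG key stanza, least-privilege
update-policy grant, and nsupdate batch for one roaming IPv6 host.
Formats follow what BIND's ddns-confgen -s and nsupdate consume; the
host/zone/server names are assumptions for illustration only."""
import base64
import ipaddress
import secrets


def make_tsig_secret(nbytes: int = 32) -> str:
    """Random shared secret, base64 as dnssec-keygen/ddns-confgen print it.
    32 bytes matches the SHA-256 output size (ddns-confgen's default)."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def key_stanza(keyname: str, secret: str, algorithm: str = "hmac-sha256") -> str:
    """named.conf 'key' block. HMAC-MD5 (the 2009 default on this list) is
    still accepted by BIND, but hmac-sha256 is what ddns-confgen now picks."""
    return (
        f'key "{keyname}" {{\n'
        f"\talgorithm {algorithm};\n"
        f'\tsecret "{secret}";\n'
        "};\n"
    )


def update_policy(keyname: str, hostname: str) -> str:
    """Least-privilege grant in the zone statement: this key may only change
    its own name, not the whole zone. (BIND's 'self' nametype with AAAA
    instead of ANY is tighter still.)"""
    fqdn = hostname.rstrip(".") + "."
    return (
        "update-policy {\n"
        f"\tgrant {keyname} name {fqdn} ANY;\n"
        "};\n"
    )


def is_publishable(aaaa: str) -> bool:
    """Refuse addresses that never belong in a public forward zone:
    unparsable, link-local, loopback, unspecified, multicast, site-local."""
    try:
        addr = ipaddress.IPv6Address(aaaa)
    except ValueError:
        return False
    return not (addr.is_link_local or addr.is_loopback or addr.is_unspecified
                or addr.is_multicast or addr.is_site_local)


def in_zone(hostname: str, zone: str) -> bool:
    """True when hostname is strictly below zone (so the grant above
    can actually authorise the update)."""
    fqdn = hostname.rstrip(".").lower() + "."
    z = zone.rstrip(".").lower() + "."
    return fqdn != z and fqdn.endswith("." + z)


def nsupdate_batch(server: str, zone: str, hostname: str, aaaa: str,
                   ttl: int = 300) -> str:
    """Text to feed on stdin to 'nsupdate -k K<name>.+<alg>+<id>.private'.
    Delete-then-add replaces whatever AAAA the host registered last time."""
    if not is_publishable(aaaa):
        raise ValueError(f"refusing to publish {aaaa!r}")
    if not in_zone(hostname, zone):
        raise ValueError(f"{hostname} is not inside zone {zone}")
    fqdn = hostname.rstrip(".") + "."
    z = zone.rstrip(".") + "."
    addr = ipaddress.IPv6Address(aaaa).compressed
    return "\n".join([
        f"server {server}",
        f"zone {z}",
        f"update delete {fqdn} AAAA",
        f"update add {fqdn} {ttl} AAAA {addr}",
        "send",
        "",
    ])


if __name__ == "__main__":
    key = "dave.roam.example.com."
    secret = make_tsig_secret()
    print(key_stanza(key, secret))
    print(update_policy(key, "dave.roam.example.com"))
    print(nsupdate_batch("nsipv6.example.com", "roam.example.com",
                         "dave.roam.example.com", "2001:db8::1"))
```

The grant is the piece Dave's keys.conf does not show: a key that is merely defined, but then listed in a zone-wide allow-update, can rewrite every name in roam.example.com, so a stolen laptop key becomes a zone takeover. Binding each key to its own name keeps the blast radius to that one host.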
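Michal's two checks in the "Linux IPv6 router" thread earlier on this page (is net.ipv6.conf.all.forwarding set, and does the ip6tables FORWARD chain drop anything) are exactly the kind of thing worth encoding once so they can be run against a live box or against output someone pastes into a mail. The block below is an added example, not code from that thread: it parses the output of `sysctl -n net.ipv6.conf.all.forwarding` and `ip6tables -S FORWARD` (the rule-spec form, which is easier to parse than the `-L` listing Michal showed) and reports the reasons forwarded packets could be lost. The sample outputs in the test are constructed. One caveat the thread's "ip6tables -F" advice glosses over is built in: flushing removes rules but leaves the chain policy alone, so a FORWARD policy of DROP survives the flush and is reported separately.

```python
"""Added example (not from the thread): turn Michal's two router checks
into a parser over command output. Runs live as root, or on pasted text."""
import subprocess

DROP_TARGETS = {"DROP", "REJECT"}


def forwarding_enabled(sysctl_output: str) -> bool:
    """Accepts 'net.ipv6.conf.all.forwarding = 1' (sysctl) or a bare '1'
    (sysctl -n, or cat /proc/sys/net/ipv6/conf/all/forwarding)."""
    return sysctl_output.strip().rsplit("=", 1)[-1].strip() == "1"


def forward_chain_findings(ip6tables_s_output: str) -> list:
    """Parse 'ip6tables -S FORWARD' and list everything that can stop
    forwarded packets: a non-ACCEPT policy or any DROP/REJECT rule."""
    findings = []
    for line in ip6tables_s_output.splitlines():
        tokens = line.split()
        if len(tokens) < 3:
            continue
        if tokens[:2] == ["-P", "FORWARD"] and tokens[2] != "ACCEPT":
            # -F flushes rules only; the policy stays until -P changes it.
            findings.append(
                f"FORWARD policy is {tokens[2]} (ip6tables -F will not change it)")
        elif tokens[:2] == ["-A", "FORWARD"] and "-j" in tokens:
            target = tokens[tokens.index("-j") + 1]
            if target in DROP_TARGETS:
                findings.append(f"rule drops traffic: {line}")
    return findings


def diagnose(sysctl_output: str, ip6tables_s_output: str) -> list:
    """Combined report; an empty list means both of Michal's checks pass."""
    problems = []
    if not forwarding_enabled(sysctl_output):
        problems.append("net.ipv6.conf.all.forwarding is 0: host will not route")
    problems.extend(forward_chain_findings(ip6tables_s_output))
    return problems


def _run(cmd: list) -> str:
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Live run; ip6tables -S needs root. Mirrors Michal's two commands.
    issues = diagnose(_run(["sysctl", "-n", "net.ipv6.conf.all.forwarding"]),
                      _run(["ip6tables", "-S", "FORWARD"]))
    print("\n".join(issues) or "forwarding on and FORWARD chain accepts everything")
```

A related Linux detail worth checking once forwarding is on: with the default accept_ra=1 the kernel stops accepting router advertisements on a forwarding interface, so a box that learned its upstream default route from the ISP's RA needs net.ipv6.conf.<wan>.accept_ra=2 or a static route, or the router side of the picture keeps working while the LAN clients' packets have nowhere to go.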