11 June 2013, 16:44

 

In this part of the series on Static IPv6 Networking, we will see how to obtain and use Internet connectivity, ie Global Unicast addresses.

 

As ISPs have different ways of setting up IPv6 connectivity to the CPE, we'll use a Hurricane Electric tunnel. It's free, easy, and everybody will be able to reproduce the examples I'll describe.

 

Here is the topology used :

 

[image: Static5f.gif]

 

I had no problem creating the tunnel behind 3 home routers + CPE inline ( CPE+Router 1+Router 2+ Router 3 )

 

So first, let's set up a HE ( Hurricane Electric ) tunnel on a Windows PC.

 

 

Hurricane Electric Tunnel setup on a Windows PC

 

 

To set up a HE tunnel, your CPE or router-modem must first be able to respond to WAN ping from the outside.

Configure your CPE or xDSL router-modem correctly so that it answers WAN pings from outside.

 

Then, go to the Hurricane Electric web page.

 

Do a quick registration and login with the account you created.

 

Then click the ' Create Regular Tunnel ' Button on the left of the page :

 

[image: Static5a.gif]

The next page gives a hint about our public IPv4 address ( ie the CPE WAN IP ).

Enter it in the box above, and choose a tunnel server close to your geographical location.

In case of doubt, use a ' what's my IP ' web page to check your public IP.

 

[image: Static5b.gif]

 

 

Then click ' Create Tunnel ' at the bottom of the page.

 

[image: Static5c.gif]

 

Our tunnel is now created. Copy the tunnel information displayed to you :

 

[image: Static5d]

 

We need the server IPv4 and IPv6 addresses ( [D] [E] ) as well as the client IPv4 and IPv6 addresses ( [A] [B] ).

One important note here : if your client PC is behind a NAT-ed CPE ( ie xDSL router-modem ), like the vast majority, then we won't use our public IPv4 address ( [A] ) but our PC's private IP. Do a quick ipconfig to check your IP.

 

Once the tunnel is created, we can logout of the Hurricane Electric page. The tunnel will remain, even if you reboot your PC.

 

 

Client PC Setup

 

 

We need to enter a few lines on the client PC. They are :

 

[image: Static5g.gif]

 

Replace [ Client IPv4 ], [ Server IPv4 ], [ Client IPv6 ] and [ Server IPv6 ] with the correct values and don't use brackets.

 

Remember to use your PC's IP for [ Client IPv4 ], which in most cases is not your public IP.

 

These settings are persistent, and will remain after reboot. See below for how to delete them.

 

 

 

Let's add IPv6 DNS servers. Here are some DNS servers :

 

OpenDNS IPv6 :        2620:0:ccc::2
                      2620:0:ccd::2

 

Google IPv6 DNS :     2001:4860:4860::8888
                      2001:4860:4860::8844

 

On the Tunnel Details page of our Hurricane Electric tunnel, some IPv4 and IPv6 DNS servers are provided too.

 

Go to network and sharing center ) Configure Network Connections )

Right click over your Network Adapter ) Properties ) IPv6 ) Properties

 

You can manually enter the IPv6 DNS IPs here.

 

 

Internet Connectivity tests

 

 

We can now try our IPv6 network connectivity.

 

We can type :

tracert -d ipv6.google.com

 

 

These web sites are good tests too :

 

http://ipv6-test.com/

 

http://ipv6-test.com/speedtest/

 

http://test-ipv6.com/          ( very complete )

 

 

Beside all these, there is a neat Firefox plugin to try :

 

www.hunen.net/4or6/

 

That's it. Just remember that, IPv6-wise, you are not behind a CPE firewall :

you're essentially trusting your OS firewall. We'll see the firewall / security issues later on this blog.

 

 

 

Deleting the tunnel and the PC tunnel setup

 

 

To delete the Hurricane Electric tunnel, login to your account. There is a list of your tunnels down the page :

 

[image: Static5e.gif]

 

Click on the tunnel you want to delete, to access the Tunnel Details page, and click delete :

 

[image: Static5i.gif]

 

 

 

To delete the tunnel setup on our client PC, we will reverse the setup :

 

[image: Static5h.gif]

 

 

 

A little more network topology

 

[image: Static5f]

 

For those interested, you can try a tracert to the server IPv4 address :

 

tracert -d [ Server IPv4 ]

 

and compare it with the server IPv6 address :

tracert -d [ Server IPv6 ]

 

As we're tracing the route between the same two hosts, you can really get a feel for the tunnelling effect : there are many physical hops, but the IPv6 tunnel makes it look like a direct link.

 

Published by computer outlines - in IPv6

10 June 2013, 17:22

 

There are at least several reasons to comply with RFC 4193.

 

The first one is for future site mergers ( see previous post ), as well as security :

a pseudo-random network ID will make it harder for local worms to crawl your ULA network. That's typical ' security by obscurity '.

 

The second one is that by dedicating the last 16 bits of your network prefix to subnet IDs, you'll be able to create a well-designed network topology, as well as seamless and neat route aggregation.

 

IPv6 Route Aggregation

 

 

The IPv6 address space is so vast that we should use nibble-level prefixes.

As a reminder, ULA address = Network ID ( 48 bits ) + Subnet ID ( 16 bits ) = 64-bit subnets

 

a nibble = 4 bits = 1 hex digit

 

So by using nibble-level prefixes, we have 16 x 16 x 16 x 16 subnets for one ULA network.

 

Let's use Network ID fd07:432d:ce02::/48 as an example.

 

We could define a first set of subnet groups :

 

Group 1 = fd07:432d:ce02:0000 to fd07:432d:ce02:000F

 

Group 2 = fd07:432d:ce02:0010 to fd07:432d:ce02:001F

 

 

Then, we can use an aggregated route :

 

for Group 1 : fd07:432d:ce02:0000::/60

 

for Group 2 : fd07:432d:ce02:0010::/60

 

Furthermore, we can aggregate /60 subnets into /54 routes

 

and aggregate /54 subnets into /50 routes

 

 

So, we can organize our ULA network into 16 groups of 16 groups of 16 groups of 16 subnets

 

 

That is basically IPv6 route aggregation.
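As an added example ( my own code, not from the original post ), here is a small Python script that builds the subnet groups above from the fd07:432d:ce02::/48 Network ID and collapses them with the standard ipaddress module. It also shows the caveat a practitioner hits in practice : a block of 16 subnets only aggregates into one /60 when it starts on a nibble boundary ( a multiple of 16 ), and the nibble-aligned levels between a /48 and its /64s are /60, /56 and /52, which is where the 16 x 16 x 16 x 16 structure described above lands. Function and variable names are my own.

```python
from ipaddress import IPv6Network, collapse_addresses

NETWORK_ID = IPv6Network("fd07:432d:ce02::/48")   # the /48 Network ID used on this page


def subnet(network_id: IPv6Network, subnet_id: int) -> IPv6Network:
    """The /64 whose 16-bit Subnet ID is subnet_id inside a /48 Network ID."""
    if network_id.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 Network ID and a 16-bit Subnet ID")
    return IPv6Network((network_id.network_address + (subnet_id << 64), 64))


def group(network_id: IPv6Network, first: int, count: int) -> list:
    """The /64 subnets with Subnet IDs first .. first+count-1 (e.g. 0x0000 .. 0x000F)."""
    return [subnet(network_id, sid) for sid in range(first, first + count)]


def aggregate(subnets) -> list:
    """Collapse a set of /64 subnets into the fewest covering prefixes.

    collapse_addresses only merges two prefixes when they are aligned siblings,
    so 16 consecutive /64s become one /60 only if the block starts on a multiple
    of 16 (a nibble boundary); otherwise the result is several smaller routes."""
    return list(collapse_addresses(subnets))


def nibble_levels(network_id: IPv6Network) -> list:
    """Prefix lengths of the nibble-aligned aggregation levels between a /48 and
    its /64s: /60 = 16 subnets, /56 = 16 groups of 16, /52 = 16 groups of 16 groups of 16."""
    return list(range(64 - 4, network_id.prefixlen, -4))


if __name__ == "__main__":
    print("Group 1 :", aggregate(group(NETWORK_ID, 0x0000, 16)))   # one /60
    print("Group 2 :", aggregate(group(NETWORK_ID, 0x0010, 16)))   # one /60
    print("16 groups :", aggregate(group(NETWORK_ID, 0x0000, 256)))  # one /56
    print("misaligned 0x0008..0x0017 :", aggregate(group(NETWORK_ID, 0x0008, 16)))  # two /61s
    print("nibble levels below the /48 :", nibble_levels(NETWORK_ID))
```

The misaligned case is the one to remember when numbering subnets by hand : a group that straddles a nibble boundary cannot be summarised into a single route, however many subnets it holds.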

 

 

IPv6 Route Aggregation : a basic example

 

 

As an example, we can take the last topology of the previous post and redesign our subnet topology so as to facilitate route aggregation.

 

 

Here is what the previous topology looked like. The green arrows show the default gateways' downstream flow :

 

[image: Static4b.gif]

 

 

Let's change our fd07:432d:ce02:1::/64 subnet into fd07:432d:ce02:10::/64

 

The network topology then looks like this :

 

[image: Static4f]

 

 

PC 2 routing can now be simplified, from 3 routing entries :

 

[image: Static4m.gif]

 

into a single one :

 

[image: Static4n.gif]

 

 

 

If we further organize our network topology and move the Server behind Router 1, the situation becomes even clearer.

 

Here is the logical network topology we end up with :

 

[image: Static4h.gif]

 

and here is the Router 2 IPv6 Routing setup tab needed, as well as the IPv6 Routing Status tab :

 

[image: Static4k.gif]

 

[image: Static4l.gif]

 

 

The router performs the routing choice based on prefix length, choosing the longest matching prefix.

Here, fd07:432d:ce02:10::/64 has priority over fd07:432d:ce02::/64

If the prefix lengths are the same, the lowest metric value wins.
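The selection rule just described, as an added Python example ( my own code, not from the original post ) : a small routing table modelled on the Router 2 tables of this post, with a constructed duplicate fd07:432d:ce02:10::/64 entry at a higher metric to show the tie-break. The interface indexes and the second gateway address are made up for the example.

```python
from ipaddress import IPv6Address, IPv6Network
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: IPv6Network
    metric: int
    idx: int                          # interface index, as shown by "netsh int ipv6 show interface"
    gateway: Optional[IPv6Address]    # None = on-link (directly connected subnet)


def route(prefix, metric, idx, gateway=None) -> Route:
    return Route(IPv6Network(prefix), metric, idx, IPv6Address(gateway) if gateway else None)


def select_route(table, destination) -> Optional[Route]:
    """The entry a router or host uses for a destination:
    1. only routes whose prefix contains the destination are candidates,
    2. the longest prefix wins,
    3. among equal prefix lengths, the lowest metric wins."""
    dst = IPv6Address(destination)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


# Constructed table: index 11 is the LAN side; the /56 summarises subnets 00-ff
ROUTER2_TABLE = [
    route("fd07:432d:ce02:2::/64", 256, 11),                               # LAN, on-link
    route("fd07:432d:ce02::/56", 256, 11, "fd07:432d:ce02:2::230"),       # aggregated route via Router 1
    route("fd07:432d:ce02:10::/64", 256, 11, "fd07:432d:ce02:2::200"),    # more specific: wins for subnet 10
    route("fd07:432d:ce02:10::/64", 300, 11, "fd07:432d:ce02:2::231"),    # same length, higher metric: loses
    route("::/0", 256, 11, "fd07:432d:ce02:2::1"),                         # default gateway, least specific
]


if __name__ == "__main__":
    for dst in ("fd07:432d:ce02:10::5", "fd07:432d:ce02:3::140",
                "fd07:432d:ce02:2::200", "2001:db8::1"):
        chosen = select_route(ROUTER2_TABLE, dst)
        print(f"{dst:28} -> {chosen.prefix} via {chosen.gateway or 'on-link'} (metric {chosen.metric})")
```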

 

 

A few more words about Route Aggregation

 

 

As the number of hosts and nodes on a network grows, the number of routing rules grows quadratically, with the square of that number.

If n = the total number of hosts+nodes, and r the number of routing rules needed :

 

r = n^2

 

Thus a clean route aggregation policy, as well as clever use of default gateways, is very important to lighten the routing needs.

 

That is, as long as we're using static routing. Beyond a certain point or size, dynamic routing is needed : RIP, OSPF, ...

5 June 2013, 10:21

For this next part in the Static IPv6 Networking series, we're going to complicate our network topology a little bit more.

We will chain 2 IPv6 routers, so as to route 3 ULA subnets. We'll see how to make an IPv6 router out of a Windows computer, in case you don't have a second IPv6 router. Finally, we will try to add a third IPv6 router, to route 4 ULA subnets.

 

Here is the basic topology we'll use :

 

[image: Static3R2.gif]

 

But first, let's see how to make an IPv6 router from a Windows PC.

 

How to make a Windows PC into an IPv6 Router

 

[image: Static3d.gif]

 

 

It's very easy to turn a modern Windows OS ( starting with Vista ) into a router. You just need the PC to have 2 network interface cards.

 

First, identify your interfaces' Idx ( index ) using :

netsh int ipv6 show interface

Then, activate forwarding on both interfaces using :

netsh int ipv6 set interface [Idx] forwarding=enable

Here it is :

 

[image: Static3e.gif]

 

 

You don't have to create routes, they're automatically set up between the two network interfaces :

 

[image: Static3f.gif]

 

 

2 IPv6 Routers Setup : 1 Network Router + 1 Windows OS Router

 

 

Here is the network topology we will put in place :

 

[image: Static3R1]

 

 

 

There are three subnets :

fd07:432d:ce02:3::/64
fd07:432d:ce02:2::/64
fd07:432d:ce02:1::/64

 

The D-Link DIR 626-L requires you to set a default gateway, so we'll assign it DG : fd07:432d:ce02:2::1

The other hosts or nodes are set without a default gateway. We will set up routes manually.

 

First, we will loosen our IPv6 ping firewall rules a little, as we want all the hosts and nodes on the network to be able to ping each other :

 

[image: Static3h.gif]

 

 

Here we're using an IPv6 range fd07:432d:ce02:1::100 - fd07:432d:ce02:10::254, thus allowing 10 subnets.

 

On the other side, we disable WAN ping from outside, to tighten up our network security a little :

 

[image: Static3g.gif]

 

 

So are PC1 and PC2 able to ping each other ? Well, no. The core of the matter is routing.

 

To check the registered routes on a Windows OS, just type :

netsh int ipv6 show route

 

[image: Static3j.gif]

 

To check the registered routes on our D-Link DIR 626-L router, check :

 

Status ) IPv6 Routing

 

 

[image: Static3i.gif]

 

 

 

When checking all routes, we see that :

 

PC 1 has no route to subnets fd07:432d:ce02:2::/64 and fd07:432d:ce02:1::/64

Router 1 has a route to all three subnets, thanks to its fd07:432d:ce02:2::1 default gateway

Router 2 has no route to subnet fd07:432d:ce02:3::/64

PC 2 has no route to subnets fd07:432d:ce02:2::/64 and fd07:432d:ce02:3::/64

 

 

 

Here is how we add the fd07:432d:ce02:2::/64 route to PC 1 :

 

identify the outgoing network interface :    netsh int ipv6 show interface

add the route :                              netsh int ipv6 add route [ destination network / prefix ] [ Idx ] [ gateway ]

check the new routing table :                netsh int ipv6 show route

 

[image: Static3k.gif]

 

 

Likewise, we add on PC 1 the route to the fd07:432d:ce02:2::/64 network :

 

netsh int ipv6 add route fd07:432d:ce02:3::/64 10 fd07:432d:ce02:3::1

 

 

We add on Router 2 ( Windows OS ) the route to the fd07:432d:ce02:3::/64 subnet :

 

netsh int ipv6 add route fd07:432d:ce02:3::/64 10 fd07:432d:ce02:2::230

 

 

We add on PC 2 the routes to the fd07:432d:ce02:2::/64 and fd07:432d:ce02:3::/64 subnets :

 

netsh int ipv6 add route fd07:432d:ce02:2::/64 10 fd07:432d:ce02:1::254

netsh int ipv6 add route fd07:432d:ce02:3::/64 10 fd07:432d:ce02:1::254

 

 

 

All hosts and nodes on the network are now able to ping each other. A tracert example :

 

[image: Static3l.gif]

 

 

 

2 IPv6 Routers Setup : 2 Network Routers

 

 

For this second setup, we will chain two D-Link DIR 626-L routers.

This time, we will use a default gateway for all hosts and nodes on the network map, except for PC 2.

It is a kind of downstream network topology.

 

 

[image: Static3R2]

 

The downstream topology :

 

[image: Static3R2b.gif]

 

The goal, this time again, is to have all hosts and nodes able to ping each other, plus PC 1 able to remote-connect to the two routers.

 

First, remember to check the firewalling rules ( see above on this page ).

We also have to add a firewall rule on Router 1 to allow web admin of Router 2 :

Advanced ) IPv6 Firewall

 

 

[image: Static3m.gif]

 

Then, check all routes using netsh on Windows or the status tab on the network routers.

 

We have to set a route for PC 2 to subnets fd07:432d:ce02:2::/64 and fd07:432d:ce02:3::/64 :

 

netsh int ipv6 add route fd07:432d:ce02:2::/64 10 fd07:432d:ce02:1::254

netsh int ipv6 add route fd07:432d:ce02:3::/64 10 fd07:432d:ce02:1::254

 

 

We also have to set a route on Router 2 to subnet fd07:432d:ce02:3::/64 :

 

[image: Static3n.gif]

 

Here is the new Router 2 routing table :

 

[image: Static3o.gif]

 

Router 1 and PC 1 don't need any additional routes. All hosts and nodes on the network can now ping each other.

As an example, let's ping PC 1 from Router 2, using the Tools tab :

 

[image: Static3p.gif]

 

 

 

3 IPv6 Routers setup : 2 network routers + 1 Windows OS Router

 

 

 

Let's quickly check the network topology, and routing needs, if we add a Windows OS Router as a third IPv6 Router in our network. It looks like this :

 

[image: Static3R3.gif]

 

 

Here is the streaming topology that results from the DGs ( Default Gateways ) setup :

 

[image: Static3R3b.gif]

 

 

What are the routes that need to be added, for every host to be able to reach any other host on the network ?

 

PC 1 needs no added route ( it has a unique fd07:432d:ce02:3::1 gateway )

 

PC 4 needs no added route ( it has a unique fd07:432d:ce02:4::200 gateway )

 

Router 1 needs a route to the fd07:432d:ce02:4::/64 subnet

 

Router 2 needs routes to the fd07:432d:ce02:3::/64 and the fd07:432d:ce02:4::/64 subnets

 

Router 3 ( ie Server ) needs a route to the fd07:432d:ce02:3::/64 subnet

 

PC 2 needs routes to the fd07:432d:ce02:2::/64, fd07:432d:ce02:3::/64 and fd07:432d:ce02:4::/64 subnets

 

Here is how we add these routes:

 

Router 1 :

 

[image: Static3q.gif]

 

Router 2 :

 

[image: Static3r.gif]

 

Router 3 :

 

[image: Static3s.gif]

 

 

PC 2 :

 

[image: Static3t.gif]

 

All network hosts can now reach each other.
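To check a route plan like the one above before typing it into each box, here is an added Python example ( my own code, not from the post ) that models the 3-router topology and computes, for every host and router, which static routes are needed : a subnet gets a route when it is neither directly connected nor already best reached through the device's default gateway. Addresses come from this post and the previous ones ( Router 1 at 2::230 / 3::1, Router 2 at 1::254 / 2::1, Router 3 the Server at 2::200 / 4::200, PC 1 at 3::140 ); the PC 2 and PC 4 host addresses, Router 2 having no default gateway, and Router 3 keeping its fd07:432d:ce02:2::1 gateway from the previous post are assumptions made for the example.

```python
from collections import deque
from ipaddress import IPv6Address, IPv6Network


class Device:
    """A host or router: interfaces (subnet -> own address on it), whether it
    forwards packets, and an optional default gateway address."""

    def __init__(self, name, interfaces, forwards, gateway=None):
        self.name = name
        self.interfaces = {IPv6Network(net): IPv6Address(addr) for net, addr in interfaces.items()}
        self.forwards = forwards
        self.gateway = IPv6Address(gateway) if gateway else None


def on_subnet(devices, subnet):
    return [d for d in devices if subnet in d.interfaces]


def hop_counts(devices, target):
    """Hops from every device to the target subnet (multi-source BFS outward from
    the devices sitting on it). Only forwarding devices relay traffic, so the
    search never expands through a plain host."""
    dist = {d.name: 0 for d in on_subnet(devices, target)}
    queue = deque(on_subnet(devices, target))
    while queue:
        cur = queue.popleft()
        if not cur.forwards:
            continue
        for subnet in cur.interfaces:
            for nb in on_subnet(devices, subnet):
                if nb.name not in dist:
                    dist[nb.name] = dist[cur.name] + 1
                    queue.append(nb)
    return dist


def next_hop(devices, dev, target, dist):
    """(name, address) of the neighbouring router one hop closer to target;
    ties are broken by router name so the plan is deterministic."""
    best = None
    for subnet in dev.interfaces:
        for nb in on_subnet(devices, subnet):
            if nb is dev or not nb.forwards or nb.name not in dist:
                continue
            if dist[nb.name] == dist[dev.name] - 1:
                cand = (nb.name, nb.interfaces[subnet])
                if best is None or cand[0] < best[0]:
                    best = cand
    return best


def plan_routes(devices):
    """For each device, the (prefix, gateway) static routes it needs: one per subnet
    that is neither directly connected nor best reached via its default gateway."""
    subnets = sorted({s for d in devices for s in d.interfaces}, key=str)
    plan = {}
    for dev in devices:
        routes = []
        for target in subnets:
            if target in dev.interfaces:
                continue
            dist = hop_counts(devices, target)
            if dev.name not in dist:
                raise ValueError(f"{dev.name} cannot reach {target}: no router path")
            hop = next_hop(devices, dev, target, dist)
            if hop is None:
                raise ValueError(f"{dev.name}: no next hop towards {target}")
            if dev.gateway is not None and hop[1] == dev.gateway:
                continue   # the default gateway already sends it the right way
            routes.append((str(target), str(hop[1])))
        plan[dev.name] = routes
    return plan


def netsh_commands(plan, name, idx="[Idx]"):
    """The Windows form of a device's routes; [Idx] is the interface index from
    'netsh int ipv6 show interface'. Network routers take the same entries in their web UI."""
    return [f"netsh int ipv6 add route {prefix} {idx} {gateway}" for prefix, gateway in plan[name]]


# The 3-router lab; PC 2 / PC 4 addresses and the gateway choices for Router 2 and 3 are assumed
LAB = [
    Device("PC 1", {"fd07:432d:ce02:3::/64": "fd07:432d:ce02:3::140"}, False, "fd07:432d:ce02:3::1"),
    Device("Router 1", {"fd07:432d:ce02:2::/64": "fd07:432d:ce02:2::230",
                        "fd07:432d:ce02:3::/64": "fd07:432d:ce02:3::1"}, True, "fd07:432d:ce02:2::1"),
    Device("Router 2", {"fd07:432d:ce02:1::/64": "fd07:432d:ce02:1::254",
                        "fd07:432d:ce02:2::/64": "fd07:432d:ce02:2::1"}, True),
    Device("Router 3", {"fd07:432d:ce02:2::/64": "fd07:432d:ce02:2::200",
                        "fd07:432d:ce02:4::/64": "fd07:432d:ce02:4::200"}, True, "fd07:432d:ce02:2::1"),
    Device("PC 2", {"fd07:432d:ce02:1::/64": "fd07:432d:ce02:1::140"}, False),
    Device("PC 4", {"fd07:432d:ce02:4::/64": "fd07:432d:ce02:4::140"}, False, "fd07:432d:ce02:4::200"),
]


if __name__ == "__main__":
    plan = plan_routes(LAB)
    for name, routes in plan.items():
        print(name, ":", "no added route" if not routes else "")
        for line in netsh_commands(plan, name):
            print("   ", line)
```

The plan it prints matches the list above : nothing for PC 1 and PC 4, one route each for Router 1 and Router 3, two for Router 2 and three for PC 2. Changing one gateway in LAB and re-running is the quickest way to see which boxes need new entries.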

 

 

Why not set a default gateway on PC 2 ? Well, we obviously could. But don't forget the true meaning of a default gateway : it's the EVERYTHING way, so for security reasons you might prefer to assign specific routes.

 

 

Conclusions

 

To sum it all up : a network host or node only has knowledge of the directly connected subnets ( ie the subnets it belongs to ).

 

Make extensive use of ping, tracert, and netsh int ipv6 show route or the routers' route status to debug your network.

 

Do this debugging FROM different places in your network.

 

Don't forget to check your firewalls.

1 June 2013, 18:09

For this second step in IPv6 static networking, we will put in place an IPv6 router, to be able to route two ULA ( Unique Local Address ) subnets.

 

The network map is this :

 

[image: Static2a.gif]

 

We use the same ULA Network ID as the last post, RFC 4193 Compliant.

 

The client PC is running Windows 7, the Server is running Windows Server 2008 R2. You can use any Vista, Seven, 8, Windows Server 2008, 2008 R2 or 2013 for this lab of course, you don't need a server OS.

The router used is a neat, IPv6-capable little router : the D-Link DIR 626-L. For 40 $/€, it is fully IPv6 capable, and even has a USB port for a NAS function. You don't need expensive appliances to experiment with IPv6.

 

As we won't be networking beyond Router 2 yet, you can replace Router 2 with a switch, or even use the switching side of a non-IPv6-capable router. Just keep the IPv4 address of this Router 2 in the same subnet as the Router 1 WAN subnet, and disable DHCPv4 if IPv4 is also in use on this subnet. You can even do completely without Router 2.

The network would then look like this :

 

[image: Static2b.gif]

 


The goal here is to have PC 1 and Server able to ping each other, and PC 1 able to have remote desktop access to the Server, using IPv6.

 

 

IPv6 Router Setup

[image: IPv6.gif]

 

1. Setup ) IPv6 ) Manual IPv6 Local Connectivity Setup )

    Uncheck ' Enable ULA '

See the ' More Details ' part down the page for explanations about this choice


[image: Local.gif]

 

 

2. Setup ) IPv6 ) Manual IPv6 Internet Connection Setup )


We'll use these settings :

Static IPv6
Wan :                   fd07:432d:ce02:2::230
Default Gateway :       fd07:432d:ce02:2::1
DNS :                   nc
Lan :                   fd07:432d:ce02:3::1
Lan DHCPv6/SLAAC :      No

 

[image: Static2c.gif]

 

 

 

 

3. IPv6 Routes

 

Have a look at the Status Tab ) IPv6 Routing :

The routes between the two networks fd07:432d:ce02:2::/64 and fd07:432d:ce02:3::/64 have been automatically set up, as well as the default gateway route ( ::/0 )

 

[image: Static2d.gif]

 

 

( Just for info, here is a copy of the default, empty, IPv6 route page : [image: Route2.gif] )

 

 

4. IPv6 Firewall

 

 

The last thing we'll need to set up is the IPv6 firewall.
Setup ) IPv6 ) Advanced ) IPv6 Firewall

Enable IPv6 Ingress Filtering :        Unchecked

Enable IPv6 Simple Security :          No

Mode :                                 IPv6 Firewall ON and ALLOW rules listed

We'll create 2 rules allowing ICMPv6 ( Ping6 ) traffic between the two hosts,

plus a rule to allow RDP ( Remote Desktop ) traffic from PC 1 to the Server.

[image: Static2e.gif]

 

This is a basic, hand-wired, closed-by-default firewall rule set. See the ' More Details ' part down the page for explanations about the DIR-626 L IPv6 firewall.

Don't forget to set up PC 1's address properly :        fd07:432d:ce02:3::140/64, default gateway fd07:432d:ce02:3::1
and the Server's address :        fd07:432d:ce02:2::200/64, default gateway fd07:432d:ce02:2::1

 

 

5. Server Settings

 

You can now try to ping the Server from PC 1 and ... it doesn't work ... I'll leave you a minute to guess why, if you haven't yet ...

Yes, the Server has no route to PC 1's fd07:432d:ce02:3::/64 network.

On the Server, to check its routes :
>netsh int ipv6 show route

To add a route on the Server to the fd07:432d:ce02:3::/64 network :

First check its interface index ( Idx ) by typing :

>netsh int ipv6 show interface

Then add the route :

>netsh int ipv6 add route fd07:432d:ce02:3::/64 [Idx] fd07:432d:ce02:2::230

( replace [Idx] with the right number for your case )


We can now ping between the two hosts over IPv6, and use Remote Desktop to our Server, using its fd07:432d:ce02:2::200 IPv6 address.

 

[image: Static2f]

 

 

[image: Static2g.gif]

 

We can too admin our Router using its IPv6 address, just type [fd07:432d:ce02:3::1] in the address bar.
Don't forget the brackets, they are mandatory.

[image: Status2.gif]

 

 

 

More Details :


Why uncheck ' Enable ULA ' in ' Manual IPv6 Local Connectivity Setup '

Forget about your usual LAN side / WAN side setup, each with its own dedicated page in the router's web admin.
At least for this D-Link DIR 626-L.

Here, we have the pages :

 . Manual IPv6 Internet Connection Setup

 . Manual IPv6 Local Connectivity Setup

 

[image: IPv6]

 

The routing function, the WAN setup, the router's LAN address, and even DHCPv6 and SLAAC for the LAN side are all in one single place : Manual IPv6 Internet Connection Setup

So what is the point of the ' Manual IPv6 Local Connectivity Setup ' page ?

Well, if you're only routing a private fd00::/8 network, you don't use nor need it.

But IF, and only if, you want the router to route 2000::/3 global networks between the WAN and LAN sides AND you want at the same time to use an fd00::/8 ULA network on the LAN side, then this ' Manual IPv6 Local Connectivity Setup ' might prove useful.


An interesting detail : it is possible to set this up :

    Wan =   fd07:432d:ce02:2::/64
    Lan =   fd07:432d:ce02:3::/64
    ULA =   fd07:432d:ce02:4::/64

The router will automatically set up the routes between its WAN and LAN sides.


The ' Manual IPv6 Local Connectivity Setup ' default ULA prefix is a fixed prefix, which I suppose to be MAC-derived. It is static, supposed to be ' pseudo-random enough ' to avoid ULA prefix collisions, but doesn't fully comply with RFC 4193, which recommends a precise prefix setup, hashing the MAC address and time together, for a good pseudo-unique ULA prefix that can be changed at will.


The D-Link DIR 626-L IPv6 Firewall

The IPv6 firewall implemented here seems to have a BSD IP Filter origin. The DIR 626-L manual doesn't document its functions much. I'll try to discover how it works. All I can say is that IPv6 Simple Security seems to relate to an RFC which describes an easy default mode for consumer IPv6 firewalls that copies the IPv4 NAT firewall behaviour :
allowing everything to go out, denying everything to come in except answers to previous outgoing requests.

 

 

 

[image: Static2e]

 

 

I'll try to fully test this firewall, and document how it works in a coming post.

28 May 2013, 11:41

In this article, we'll study a basic, static IPv6 networking. We'll use two computers and a switch.

 

You can use any Vista, Seven, 8, Windows Server 2008, 2008 R2 or 2012 for this lab of course, you don't need a server OS.

 

Here is the network map we will put in place, step by step, from this subnet, through the following articles :

 

[image: Static1a.gif]

 

For a reminder, the relationship between link-local and unique-local scopes :

 

[image: Static1b.gif]

 

 

The first step is putting in place a first static subnet.

 

We use an online generator ( RFC 4193 algorithm )

 

or another one ( almost RFC 4193 algorithm )

 

to generate a pseudo-random, pseudo-unique-enough ULA ( Unique Local Address ).

 

In our case, we use this Network ID :      fd07:432d:ce02::/48

 

The first subnet will be :                  fd07:432d:ce02:3::

 

 

Hosts, Switch, and a static ULA subnet

 

 

1. Enable IPv6 ping response

 

 

As we'll be doing quite a lot of ping and tracert, the first thing we'll do is enable IPv6 ping response. For this, in Vista, Seven, Windows Server 2008 or 2008 R2 :


Control Panel ) Windows Firewall ) Advanced Firewall )

 

Incoming Rules ) New Rule )

 

. Personalized
. All programs
. Protocol : ICMPv6
. All IPs ( default )
. Authorize ( default )
. All network types ( default )
. Name : ICMPv6in

[image: Ping6.gif]

 

 

 

 

Clients Static IPv6 addresses

 

The next step will be to set up this first subnet, in the fd07:432d:ce02:3::/64 range, using static IPs.

 

[image: Static1c.gif]

 

Note the representation I use on the drawing for the router : it's a switch inline with a router, as a usual customer router is combined with a switch on the LAN side. For theoretical clarity, I prefer to keep drawing the switching side, as a reminder.

 

As we won't be networking beyond Router#1 yet, you can replace Router#1 with a switch, or even use the switching side of a non-IPv6-capable router. Just assign a 192.168.3.1 IPv4 address to this Router #1 LAN side, and disable DHCPv4.




First, we will assign static IP addresses to our two PCs.

        . PC#1 will be fd07:432d:ce02:3::210/64
        . PC#2 will be fd07:432d:ce02:3::140/64

 

[image: NICStatic.gif]

 

We set these static IPs using the network card properties, selecting IPv6 and clicking Properties again.
Please note that, as we're just using the switching side of our router, this router doesn't need to support IPv6. Just set up its IPv4 address in the same subnet as PC#1 and PC#2, ie 192.168.3.x, and turn off the router's DHCPv4.

We'll leave the default gateway and DNS fields blank, as we don't use them at this step.

As for the IPv4 addresses, we'll use :

    . PC#1 will be 192.168.3.210
    . PC#2 will be 192.168.3.140

Again, leave the Default Gateway and DNS fields blank.

You can now check the IP addresses by typing >ipconfig or >ipconfig /all.

 

An fd00::/8 ULA address has now appeared beside the fe80::/64 link-local address.
The 2 PCs can ping each other, using either the ULA ( Unique Local Address ) or the link-local address. As an example, from PC#2 to PC#1 :
>ping fd07:432d:ce02:3::140

 

[image: Ping6b.gif]

You could use >ping -6 fd07:432d:ce02:3::140 to make the use of IPv6 explicit, but the fd00::/8 address already makes this clear.

 

 

 

More Details

 

 

We can check the Routing table using the Command Prompt :

 

>netsh int ipv6 show route

 

Notice these lines :

No      Manual    256  fd07:432d:ce02:3::/64           10  Local Network Connection
No      Manual    256  fd07:432d:ce02:3::140/128       10  Local Network Connection

 

These two routes won't be published ( advertised on the link ), and they were set up manually.
fd07:432d:ce02:3::/64 is the subnet route and fd07:432d:ce02:3::140/128 is the interface route.
10 is the index of the interface used.

Let's see the other lines :

No      Manual    256  ::1/128                          1  Loopback Pseudo-Interface 1

is the loopback interface route.

No      Manual    256  fe80::/64                       10  Local Network Connection
No      Manual    256  fe80::1728:cd23:8d82:42b/128    10  Local Network Connection

These are the link-local route and the interface link-local route.

No      Manual    256  ff00::/8                         1  Loopback Pseudo-Interface 1
No      Manual    256  ff00::/8                        10  Local Network Connection

These are the multicast routes, one for each interface.


27 May 2013, 10:46

 


When first encountering IPv6, one of the first questions that pops to mind is : what are the address spaces, and what has become of my private address ranges ( 10./8, 172.16./12 and 192.168./16 ) ? We will quickly review the addressing ranges of IPv6.

One important thing to note is that whereas in IPv4 a network interface has only one IP address, in IPv6 a network interface can have several addresses simultaneously.



The practical over-simplified view :

 

 

IPv6 address =    Network ID : Host ID
                  64 bits      64 bits

Host ID can be all 0 or all f ( ie 0:0:0:0 or ffff:ffff:ffff:ffff ). There is no broadcast address or all-zeros network address like in IPv4.



fe80::/64 are link-local addresses. The host ID is autoconfigured. They are mandatory for IPv6 to function. You may use them, but you don't change / assign them.


2000::/64 to 3fff:ffff:ffff:fff/64 are Global Addresses. They are allocated by the ISP. They are the equivalent of the IPv4 public IPs. You may assign the host ID. You may assign subnet IDs if the ISP allocated you more than a single /64.


fd00::/64 to fdff:ffff:ffff:ffff/64 are Unique Local Addresses. They are not routable over the Internet. You can set them and assign them at will for your private use. They are the equivalent of IPv4 private IPs ( 10./8, 172.16./12, 192.168./16 )



The detailed view


IPv6 Address =    Network ID + Subnet ID    +    Host ID
                  ---------- 64 bits ----------    ---- 64 bits ----


FE80: Link-local Unicast address

[image: Linklocal]
Each network interface has a link-local address. It is mandatory for IPv6 to function.
A link-local address is limited to the local link, ie. it'll reach a directly linked host, or pass through a switch, but won't pass through a router. It basically maps to the old IPv4 broadcast domain, ie subnet.

The official definition of link-local addresses is fe80::/10 followed by 54 zero bits, thus :

fe80::/64 + [Host ID]

So just look for fe80::/64 for all practical purposes.

They are a little reminiscent of our IPv4 169./8 autoconfiguration addresses, though they have a broader role and are mandatory for IPv6 to function properly.

You don't set them, they are auto-assigned. But you can toggle the RFC 4941 state on/off, which changes the way the Host ID is created.

They are used for routing.




2001: Global Unicast Address


These are the globally routable addresses. They pass through both routers ( ie. they are routable ) and the Internet ( ie. they are globally routable ).

They are the equivalent of our IPv4 public addresses.

Their official definition is 2000::/3, thus leading to an effective 2000::/64 to 3fff:ffff:ffff:fff/64

The Network ID is assigned by the ISP. The Host ID may be assigned by you at will ( static, DHCP, SLAAC ). If the ISP assigned you more than a single /64 ( ie a /63 for example ), you can assign and use the subnet ID at will.




FD: Unique Local Address

[image: Uniquelocal]

 

These are routable addresses. They pass through routers ( ie. they are routable ), but won't pass through the Internet routers ( ie. they are not globally routable ).

 

Here is how they relate to Global Addresses :

 

[image: Global]

 

They are the equivalent of our IPv4 private addresses ( 10./8, 172.16/12, 192.168/16 ).

They are defined as fc00::/7 ( ie fc00::/8 and fd00::/8 ), but fc00::/8 is unassigned for now.

Their official definition is fd/8 + Network ID/40 + Subnet ID/16.

( Actually it's fc00::/7 + L bit/1 + Network ID/40 + Subnet ID/16 )

The Network ID should be randomly generated ( RFC 4193 ). Act

ually, the standard requires the 40-bit Network ID to be randomly generated using the algorithm specified in the standard. Basically the algorithm computes a hash over ( MAC address + time ).

Here you can use the RFC 4193 algorithm :

http://www.kame.net/~suz/gen-ula.html

Here is an implementation that doesn't use the MAC address :
http://unique-local-ipv6.com/

RFC 4193 :
http://tools.ietf.org/html/rfc4193#section-3.2.1


The reason for this comes from the goal of Unique Local Addresses : they are for private local use, but may extend beyond the scope of a single site through private links ( optical site-to-site connection, VPN, ... ). So, to avoid the task of massive site network renumbering when two sites merge, RFC 4193 requires pseudo-random numbering, making mergers seamless and easy.

The Subnet ID part ( last 16 bits ) is used for subnet numbering, easing route aggregation.


Note that for private, non-professional use ( ie home LAN, network lab, server lab, ... ), clearly knowing that there won't be any merging or linking of sites, and because this fd address range is non-routable over the Internet, some people may choose to go without the RFC 4193 randomness recommendation, and use a simpler scheme. Professionals shouldn't.
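As an added example ( my own code, not from the post nor from the generators linked above ), here is the RFC 4193 section 3.2.2 algorithm in Python with the standard library only : NTP-format timestamp, EUI-64 derived from a MAC address, SHA-1 over their concatenation, and the least significant 40 bits of the digest used as the Global ID behind the fd00::/8 prefix. The MAC address and timestamp in the demo are constructed; using the interface-identifier form of the EUI-64 ( U/L bit inverted, ff:fe inserted, as RFC 4291 describes ) is an assumption of this implementation. It also serves the ' generate a pseudo-random ULA ' step of the 28 May post.

```python
import hashlib
import struct
import time
from ipaddress import IPv6Address, IPv6Network

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01)
NTP_EPOCH_OFFSET = 2208988800


def ntp_timestamp(unix_time=None) -> bytes:
    """Step 1: the time of day as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    t = time.time() if unix_time is None else float(unix_time)
    seconds = (int(t) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    fraction = int((t - int(t)) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack(">II", seconds, fraction)


def modified_eui64(mac: str) -> bytes:
    """Step 2: an EUI-64 identifier built from a 48-bit MAC address.
    Assumption of this example: the RFC 4291 interface-identifier form
    (universal/local bit inverted, ff:fe inserted in the middle)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def rfc4193_global_id(mac: str, unix_time=None) -> bytes:
    """Steps 3-5: key = time || EUI-64, SHA-1 of the key, least significant 40 bits."""
    key = ntp_timestamp(unix_time) + modified_eui64(mac)
    return hashlib.sha1(key).digest()[-5:]


def rfc4193_ula_prefix(mac: str, unix_time=None) -> IPv6Network:
    """Step 6: fc00::/7 with the L bit set (= fd00::/8), then the 40-bit Global ID: a /48."""
    prefix_bytes = b"\xfd" + rfc4193_global_id(mac, unix_time) + bytes(10)
    return IPv6Network((IPv6Address(prefix_bytes), 48))


def ula_subnet(prefix: IPv6Network, subnet_id: int) -> IPv6Network:
    """The /64 with the given 16-bit Subnet ID inside a /48 ULA prefix."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 prefix and a 16-bit Subnet ID")
    return IPv6Network((prefix.network_address + (subnet_id << 64), 64))


if __name__ == "__main__":
    # Constructed MAC address and timestamp (27 May 2013) so the run is repeatable
    ula = rfc4193_ula_prefix("00:11:22:33:44:55", 1369648800)
    print("ULA /48  :", ula)
    print("subnet 3 :", ula_subnet(ula, 3))
    print("fresh    :", rfc4193_ula_prefix("00:11:22:33:44:55"))   # current time: a new prefix each run
```

Called without a timestamp it uses the current time, which is why two runs give two different prefixes : the randomness comes from the clock, the MAC only keeps two machines generating at the same second apart.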


Let's generate a ULA using RFC 4193. We get : fd07:382d:ce43::/48

We can now use the last 16 bits for the Subnet ID, thus giving us these 65536 subnets :

fd07:382d:ce43:0000::/64 to fd07:382d:ce43:ffff::/64


For easy memorization, we can map the IPv4 and the IPv6 addresses on our network. Some ULA examples :

. simple flat ULA network : fd07:382d:ce43:0000::/64

. simple multi-subnet ULA network numbering :

Host1=fd07:382d:ce43:0::1        host2=fd07:382d:ce43:0::2        host3=fd07:382d:ce43:0::3        <--- subnet1     fd07:382d:ce43:0::/64

host1b=fd07:382d:ce43:1::1    host2b=fd07:382d:ce43:1::2    host3b=fd07:382d:ce43:1::3    <---subnet2    fd07:382d:ce43:1::/64

etc...


. mapping a 192.168.0.0/24 IPv4 subnet numbering to an IPv6 numbering for easy memorization :

Host1        192.168.0.14        fd07:382d:ce43:0:192:168:0:14
Host2        192.168.0.254      fd07:382d:ce43:0:192:168:0:254
etc ...


. mapping two 192.168.x./24 IPv4 subnet numberings to two IPv6 subnet numberings for easy memorization :

Host1        192.168.0.14        fd07:382d:ce43:0:192:168:0:14        <-- network 1       fd07:382d:ce43:0::/64
Host2        192.168.0.254       fd07:382d:ce43:0:192:168:0:254

Host3        192.168.1.4         fd07:382d:ce43:1:192:168:1:4         <-- network 2       fd07:382d:ce43:1::/64
Host4        192.168.1.1         fd07:382d:ce43:1:192:168:1:1


. another mapping of two 192.168.x.0/24 IPv4 subnets to two IPv6 subnets for easy memorization :

Host1        192.168.0.14        fd07:382d:ce43:0::14
Host2        192.168.0.254      fd07:382d:ce43:0::254

Host3        192.168.1.4        fd07:382d:ce43:1::4
Host4        192.168.1.1        fd07:382d:ce43:1::1



. mapping a 10.0.0.0/8 network to an IPv6 subnet :

Host1        10.0.0.1        fd07:382d:ce43:0::1
Host2        10.0.1.4        fd07:382d:ce43:0::1:4
Host3        10.0.3.100    fd07:382d:ce43:0::3:100
Host4        10.1.0.1        fd07:382d:ce43:0::1:0:1


. another mapping of a 10.0.0.0/8 network to an IPv6 subnet ( all four octets kept as hex quads, so the address already has its 8 quads and no :: is needed ) :

Host1        10.0.0.1        fd07:382d:ce43:0:10:0:0:1
Host2        10.0.1.4        fd07:382d:ce43:0:10:0:1:4
Host3        10.0.3.100    fd07:382d:ce43:0:10:0:3:100
Host4        10.1.0.1        fd07:382d:ce43:0:10:1:0:1
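As an added example ( illustration code written for this post, not from the original article ), here is the RFC 4193 generation algorithm in Python, together with the first and last /64 carved from the resulting /48 and the mnemonic 192:168:x:y mapping shown above, in both directions. The 8-byte system_id and the pinned timestamp used in the demo are constructed placeholders; RFC 4193 itself feeds the host's EUI-64 and the current NTP time into SHA-1.

```python
"""Added example: RFC 4193 ULA generation and the mnemonic IPv4 -> IPv6 mapping.

Illustration code written for this post, not from the original article.
"""
import hashlib
import ipaddress
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def ntp_timestamp(unix_time):
    """Encode a Unix time as the 64-bit NTP timestamp RFC 4193 feeds into SHA-1."""
    seconds = int(unix_time) + NTP_EPOCH_OFFSET
    fraction = int((unix_time - int(unix_time)) * (1 << 32))
    return struct.pack("!II", seconds & 0xFFFFFFFF, fraction & 0xFFFFFFFF)


def generate_ula_prefix(system_id, unix_time=None):
    """RFC 4193 section 3.2.2: fd00::/8 + 40-bit Global ID = low 40 bits of SHA-1(time || system_id).

    system_id: 8 bytes stable and specific to the generating host (the RFC uses an EUI-64);
    unix_time: defaults to now, can be pinned for a reproducible demonstration.
    """
    if len(system_id) != 8:
        raise ValueError("system_id must be exactly 8 bytes")
    if unix_time is None:
        unix_time = time.time()
    digest = hashlib.sha1(ntp_timestamp(unix_time) + system_id).digest()
    global_id = int.from_bytes(digest[-5:], "big")     # least significant 40 bits of the digest
    prefix = (0xFD << 120) | (global_id << 80)          # fc00::/7 with the L bit set -> fd..
    return ipaddress.IPv6Network((prefix, 48))


def subnet_range(ula48):
    """First and last /64 carved from the 16-bit Subnet ID field of a ULA /48."""
    net = ipaddress.IPv6Network(ula48)
    if net.prefixlen != 48:
        raise ValueError("expected a /48 ULA prefix")
    base = int(net.network_address)
    first = ipaddress.IPv6Network((base, 64))
    last = ipaddress.IPv6Network((base | (0xFFFF << 64), 64))
    return first, last, 1 << 16


def mnemonic_v6(ula48, subnet_id, ipv4):
    """192.168.0.14 in subnet 0 of fd07:382d:ce43::/48 -> fd07:382d:ce43:0:192:168:0:14.

    The decimal octets are reused verbatim as hex quads, purely as a memory aid.
    """
    net = ipaddress.IPv6Network(ula48)
    if net.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 and a 16-bit Subnet ID")
    head = net.network_address.exploded.split(":")[:3]
    octets = str(ipaddress.IPv4Address(ipv4)).split(".")
    return str(ipaddress.IPv6Address(":".join(head + [format(subnet_id, "x")] + octets)))


def ipv4_from_mnemonic(addr):
    """Inverse mapping; None when the host part is not four decimal-looking quads <= 255."""
    quads = ipaddress.IPv6Address(addr).exploded.split(":")[4:]
    octets = []
    for quad in quads:
        if not quad.isdigit() or int(quad, 10) > 255:
            return None
        octets.append(str(int(quad, 10)))
    return ".".join(octets)


if __name__ == "__main__":
    # Constructed demo inputs: a placeholder system id and a pinned timestamp.
    demo_id = bytes.fromhex("0211223344556677")
    print("generated ULA :", generate_ula_prefix(demo_id, 1370000000.0))
    first, last, count = subnet_range("fd07:382d:ce43::/48")
    print(count, "subnets from", first, "to", last)
    print(mnemonic_v6("fd07:382d:ce43::/48", 1, "192.168.1.4"))
    print(ipv4_from_mnemonic("fd07:382d:ce43:0:192:168:0:254"))
```

The reverse mapping deliberately returns None for a quad such as 1a, since a host numbered that way was not built with the mnemonic scheme; keep that in mind before relying on the trick when reading logs.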



Published by computer outlines - in IPv6

27 May 2013 10:02


This article is a short, clear summary of the IPv6 address format, as a reminder and a memo guide.



Address format and Notation



an IPv6 Address = Network ID ( 64 bits ) + Host ID ( 64 bits )

written in hexadecimal format.

 

Example :

2001:0db8:007a:0000:0000:000e:3254:4785


please note that 1 hex digit = 4 bits

1 hex quad ( 4 hex digits ) = 16 bits


Please note that these are HEXADECIMAL numbers. Thus 2001 ( hex ) = 8193 ( decimal )

With IPv4 addresses we're used to decimal numbers, and to relating them to binary ( subnet masks, etc ... ). IPv6 uses hex numbers, related to binary numbers. Always keep this in mind.


The IPv6 notation allows omitting 1 to 3 consecutive leading zeros in each hex quad.

 

Ex :

2001:0db8:007a:0000:0000:000e:3254:4785

can be written 2001:db8:7a:0:0:e:3254:4785

 

Furthermore, a single run of consecutive all-zero hex quads can be summed up with ::
which lets the former example be written :

2001:db8:7a::e:3254:4785


Note that you can do this only once per address, to avoid ambiguity. Thus :

2001:db8:0:0:4:0:0:7

can be written either 2001:db8::4:0:0:7 or 2001:db8:0:0:4::7

but CAN'T be written 2001:db8::4::7 because it would allow several interpretations ( i.e. 2001:db8:0:4:0:0:0:7, 2001:db8:0:0:4:0:0:7 or 2001:db8:0:0:0:4:0:7 )
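Added example, not part of the original article : a small Python script that expands and compresses addresses with the standard ipaddress module, and enumerates every reading of a string containing more than one :: ( the three listed above for 2001:db8::4::7 ), which is exactly why a parser must reject such a string. The addresses used are the ones from this post.

```python
"""Added example: IPv6 text notation helpers. Illustration code, not from the original article."""
import ipaddress
from itertools import combinations


def expand(addr):
    """Full form, 8 quads of 4 hex digits: 2001:db8:7a::e:3254:4785 -> 2001:0db8:007a:0000:0000:000e:3254:4785"""
    return ipaddress.IPv6Address(addr).exploded


def compress(addr):
    """Canonical short form (RFC 5952): no leading zeros, the longest zero run (first one on a tie) becomes ::"""
    return ipaddress.IPv6Address(addr).compressed


def is_valid(text):
    """True when the standard library accepts the text as an IPv6 address."""
    try:
        ipaddress.IPv6Address(text)
        return True
    except ValueError:
        return False


def interpretations(text):
    """All full addresses a string with one or more '::' could stand for.

    Each '::' hides one or more zero quads and the total must come to 8 quads.
    A single '::' gives exactly one reading; two or more give several, which is why
    the notation forbids it.
    """
    pieces = text.split("::")
    groups = [[q for q in piece.split(":") if q] for piece in pieces]
    fixed = sum(len(g) for g in groups)
    gaps = len(pieces) - 1
    missing = 8 - fixed
    if gaps == 0:
        return [expand(text)] if fixed == 8 else []
    if missing < gaps:
        return []                                   # every '::' must cover at least one quad
    readings = []
    # Split `missing` zero quads over `gaps` slots with at least one quad per slot.
    for cut in combinations(range(1, missing), gaps - 1):
        bounds = (0,) + cut + (missing,)
        sizes = [bounds[i + 1] - bounds[i] for i in range(gaps)]
        quads = list(groups[0])
        for size, group in zip(sizes, groups[1:]):
            quads += ["0"] * size + group
        readings.append(expand(":".join(quads)))
    return readings


if __name__ == "__main__":
    print(expand("2001:db8:7a::e:3254:4785"))
    print(compress("2001:0db8:007a:0000:0000:000e:3254:4785"))
    print(is_valid("2001:db8::4::7"))            # False: rejected by the parser
    for reading in interpretations("2001:db8::4::7"):
        print(" could mean", reading)
```

When comparing addresses in firewall rules or logs, always normalise both sides with one of these two forms first; the same host can appear as 2001:db8::4:0:0:7 in one place and 2001:db8:0:0:4::7 in another.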


Subnet Mask and CIDR notation


Like in IPv4, an IPv6 address is coupled with a subnet mask. The subnet mask separates the Network ID part from the Host ID part of an IPv6 address. It is written in CIDR notation, after a ' slash ' symbol, and states the number of leading bits of the address that form the Network ID.


Ex : 2001:db8:0:0:4:0:0:7 /64


Here, the subnet mask is /64, thus the Network ID is 2001:db8:0:0::/64 ( i.e. 2001:db8::/64 )

When handling an IP address, a host compares the Network ID of that address with its own. If they are the same, the address is considered on-link and is reached directly. If they are different, the address is considered off-link, and all communications with it go through an on-link router ( the default gateway most of the time ). Just like in IPv4.


Special addresses


2001:db8::/32 is reserved for documentation purpose by RFC 3849

::/128            0:0:0:0:0:0:0:0/128           unspecified address, used for software self-configuration, reserved

::1/128         0:0:0:0:0:0:0:1/128            Loopback ( cf 127.0.0.1 )

ff02::2           ff02:0:0:0:0:0:0:2               Multicast to ' All link Routers '

ff02::1           ff02:0:0:0:0:0:0:1               Multicast to ' All link Nodes '       



Until now we've only seen unicast addresses. Notice the last two addresses : they are multicast addresses. Multicast is defined as ff00::/8 and plays a very important role in IPv6 ( NDP, DHCPv6, ... ).


One last note : if ff00::/8 defines multicast addresses, how do ff02::1 and ff02::2 fit in this definition ? Well .... because ff00::/8 only fixes the first 8 bits, i.e. the leading ff ( remember .. 4 bits per hex digit ). ff02::1 doesn't fit in ff00::/16, that's right, but it does fit in ff00::/8.

These are the kind of little details you will have to pay attention to while using IPv6.
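To make the two points above concrete ( the Network ID comparison a host performs before deciding between direct delivery and the default gateway, and why ff02::1 is inside ff00::/8 but not inside ff00::/16 ), here is an added Python example that does the prefix comparison with an explicit bit mask instead of relying on a library. It is illustration code, not from the original article; the addresses in the usage are constructed from the documentation range.

```python
"""Added example: Network ID comparison with an explicit bit mask. Illustration code, not from the article."""
import ipaddress


def network_id(addr, plen):
    """Keep the first `plen` bits (the Network ID) of an address and zero the host bits."""
    if not 0 <= plen <= 128:
        raise ValueError("prefix length must be between 0 and 128")
    mask = ((1 << plen) - 1) << (128 - plen)
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address(addr)) & mask)


def same_link(my_addr, other_addr, plen):
    """True when both addresses share the first `plen` bits, i.e. the same Network ID."""
    return network_id(my_addr, plen) == network_id(other_addr, plen)


def next_hop(my_addr, plen, dest, default_gateway):
    """Host forwarding decision: deliver on-link directly, otherwise send to the gateway."""
    return "direct" if same_link(my_addr, dest, plen) else default_gateway


def in_prefix(addr, prefix):
    """Membership test for a textual prefix such as 'ff00::/8'."""
    net, plen = prefix.split("/")
    return network_id(addr, int(plen)) == network_id(net, int(plen))


if __name__ == "__main__":
    # Constructed sample values in the 2001:db8::/32 documentation range.
    print(network_id("2001:db8:0:0:4:0:0:7", 64))      # 2001:db8::
    print(next_hop("2001:db8::40", 64, "2001:db8::7", "2001:db8::1"))
    print(next_hop("2001:db8::40", 64, "2001:db8:1::1", "2001:db8::1"))
    for a in ("ff02::1", "ff02::2"):
        print(a, "in ff00::/8:", in_prefix(a, "ff00::/8"), "| in ff00::/16:", in_prefix(a, "ff00::/16"))
```

The same masking is what an ACL does with a prefix length, so a rule written as ff00::/16 would silently miss all the link-local multicast groups; /8 is the one that matches the whole multicast space.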



   

Published by computer friendly - in IPv6

24 May 2013 10:38

 

IPv6 and Privacy Concerns

 

 

IPv6, with all its valuable features such as a large public address space, the end of network broadcasts, and the end of NAT-related problems ( IPsec, SIP, ... being blocked ), brought a new concern : privacy.

 

As each computer is no longer hidden behind the NATed public IP, it appears naked on the network, using its own public IP.

 

The IPv6 address may be automatically generated from the network prefix combined with the EUI-64 IEEE interface identifier ( derived from the MAC address ) of the physical network interface. So the outside world sees exactly WHICH COMPUTER on the ' no more private ' network made the connection.

 

Moreover, as the EUI-64 identifier is derived from the MAC address, which is unique worldwide, a mobile user can be tracked while going from network to network, from home to workplace, from one public Wi-Fi hotspot to the next.

 

 

Privacy Extensions

 

 

To address these concerns, Microsoft implemented two mechanisms, which are often confused by the public.

 

 

Temporary IPv6 Address

 

 

First, besides the regular 2001: Global Unicast Address, another one is created, shown as Temporary IPv6 Address in the ipconfig output. This address is random, and is used for outgoing connections.

 

The point is to have a fixed, static IPv6 address reachable from the outside for server or personal use, while the Temporary IPv6 address is random, ever-changing, and used for outgoing connections.

 

This temporary address is randomly re-generated at each reboot, each IPv6 stack off/on cycle, or whenever its configured lifetime expires.

 

To see the state of the IPv6 Temporary Addressing : netsh int ipv6 show privacy

 

To toggle the state of IPv6 Temporary Addressing : netsh int ipv6 set privacy state=enable          ( or disable )

 

 

RFC 4941

 

 

The two other addresses ( the regular 2001: Global Unicast Address and the FE80: Link-local address ) use EUI-64 generation from the MAC address : take the MAC address, split it in the middle, insert ff:fe in the middle, flip the 7th bit of the first byte ( the universal/local bit ), and prepend the network prefix.

 

Example for the MAC address : 11-22-33-44-55-66

 

Slice :                     11-22-33      44-55-66

 

Insert :                    11-22-33-ff-fe-44-55-66

 

Flip :                        13-22-33-ff-fe-44-55-66

 

Add prefix :             [ Network Prefix ]:1322:33ff:fe44:5566

 

 

You can see how easy it is to track a Computer, and to guess its MAC Address.
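The derivation above in code, as an added example ( illustration code, not from the original article ) : the forward EUI-64 construction for 11-22-33-44-55-66, the reverse step that recovers the MAC from an address, and a check a defender can run over a neighbour table or a log to find which hosts are still exposing their MAC in their IPv6 address. The list of sample addresses is constructed for the demo.

```python
"""Added example: modified EUI-64 interface identifiers, forward, reverse, and as a check over address lists.

Illustration code, not from the original article. Sample addresses below are constructed.
"""
import ipaddress
import re


def mac_to_bytes(mac):
    """Accept 11-22-33-44-55-66, 11:22:33:44:55:66 or 112233445566."""
    hexstr = re.sub(r"[-:.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexstr):
        raise ValueError("MAC address must be 6 bytes of hex")
    return bytes.fromhex(hexstr)


def eui64_iid(mac):
    """Split the MAC in the middle, insert ff:fe, flip the universal/local bit (0x02) of the first byte."""
    b = mac_to_bytes(mac)
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]


def eui64_iid_text(mac):
    """The IID written as four hex quads, e.g. 1322:33ff:fe44:5566."""
    iid = eui64_iid(mac)
    return ":".join(f"{iid[i]:02x}{iid[i + 1]:02x}" for i in range(0, 8, 2))


def eui64_address(prefix64, mac):
    """Network prefix + EUI-64 IID, the way SLAAC builds the global and link-local addresses."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addresses need a /64 prefix")
    iid = int.from_bytes(eui64_iid(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_address(addr):
    """Recover the MAC from an EUI-64 shaped address; None when the ff:fe marker is absent."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return "-".join(f"{x:02x}" for x in mac)


def eui64_hosts(addresses):
    """Defender's check: which entries of a log or neighbour table embed a MAC address."""
    found = {}
    for addr in addresses:
        try:
            mac = mac_from_address(addr)
        except ValueError:            # skip lines that are not IPv6 addresses
            continue
        if mac is not None:
            found[addr] = mac
    return found


# Constructed sample: one EUI-64 global address, its link-local twin, a random-looking
# temporary address, and a line that is not an address at all.
SAMPLE_ADDRESSES = [
    "2001:db8::1322:33ff:fe44:5566",
    "fe80::1322:33ff:fe44:5566",
    "2001:db8::a1b2:c3d4:e5f6:0f1e",
    "not-an-address",
]

if __name__ == "__main__":
    print(eui64_iid_text("11-22-33-44-55-66"))                    # 1322:33ff:fe44:5566
    print(eui64_address("2001:db8::/64", "11-22-33-44-55-66"))
    for addr, mac in eui64_hosts(SAMPLE_ADDRESSES).items():
        print(addr, "leaks MAC", mac)
```

The ff:fe marker in the middle of the host part is the tell; an address without it ( the third sample ) is what a randomized or temporary identifier looks like, and nothing about the hardware can be read back from it.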

 

To address this concern there is RFC 4941, which replaces this EUI-64 MAC-derived host address with a randomly derived host address. RFC 4941 recommends not turning this on by default, but Microsoft does so on Windows client OS.

 

To see the RFC 4941 state : netsh int ipv6 show global

 

and check for the ' randomizeidentifiers ' state

 

To set the RFC 4941 state : netsh int ipv6 set global randomizeidentifiers=enable          ( disable )

 

 

How often the randomized value changes is not clear, nor how to trigger a new randomization.

Notice that if this value does change, it may disrupt server functions and reachability from the outside, thus forcing you to disable RFC 4941.

 

 

 

You can now experiment and play around with these settings.

Published by computer friendly - in IPv6

20 May 2013 12:34

 

I will start a series of articles dealing with IPv6, Windows Server 2008 R2, and the security issues around IPv6.

 

First, we'll lay down a few simple, easy and clear basics to understand IPv6.

 

Next, we'll set up and use Windows Server 2008 R2 step by step, through its main networking-related roles :

basic setup, DHCP Server, DNS Server, Active Directory Server

always using and explaining both IPv4 and IPv6.

 

Finally, we'll have a look at the issues IPv6 raises for security, and at ways to deal with them neatly.

 

IPv6 is a promising technology that is already happening, silently installing itself piece by piece. Windows has had IPv6 enabled and preferred over IPv4 by default since Vista. Some ISPs are starting to enable IPv6 on their customers' networks silently and by default. So some people are using IPv6 even though they may not be aware of it.

 

An IT admin now has to be prepared and skilled in IPv6, and in the security issues it brings.

 

We'll discover all that in an easy, step-by-step way, as well as the basic networking roles of Windows Server 2008 R2.

 

 

I hope you'll enjoy this series.

Published by computer outlines - in IPv6

10 May 2013 12:19

Here is a quick guide to the Raspberry PI / RASPBIAN setup, with a special focus on IPv6, as well as a quick network admin guide to RASPBIAN.

 

 

O5a.gif

 

 

 

Getting to know the RASPBERRY PI / RASPBIAN

 

The Raspberry PI houses an ARMv6 SoC. Raspbian is Debian-based, adapted for and compiled for the RPI ( Raspberry PI ) SoC ( ARMv6 ).

The Raspbian image comes as a .img file that has to be ' sector-written ' to the SD card using a disk imager.

Once the image file is written, the SD card contains 2 partitions :

 

O5b

 

The firmware partition holds a software firmware ( i.e. the BIOS equivalent ), as there is no BIOS chip on the RPI board.

At the time of this writing, the partition is 56 MiB in size ( 18 MiB filled )

 

The second partition holds the OS / Softwares and Documents.

At the time of this writing, the partition is 2.7 GiB in size ( 1.77 GiB filled )

 

Please note that the image needs to be expanded to use the whole SD card capacity ( see installation ).

At the time of this writing, on a 4GB SD card, 940 MiB remain unallocated.

 

 

Installation

We download the latest Raspbian image file (.img) + Win32DiskImager on http://www.raspberrypi.org/downloads

We flash the SD card ( 4GB minimum ) using Win32DiskImager ( no drag and drop ).

We start the RPI

( Default login = pi / raspberry )

 

 

 

First Setup
 

At first startup, the initial setup menu is launched automatically :

O5c

 

 

1. We set Internationalisation Options:

    . TimeZone

    . Keyboard    ( 105 keys intl / your country / all defaults )

2. We Change User Password

3. We Expand Filesystem

 

4. Finish

 

5. We reboot the RPI :


sudo reboot

 

 

Here are the important commands to know :


startx                                      ( to launch the Desktop Environment )

sudo reboot                         ( to reboot the RPI )

sudo shutdown -h now      ( to shutdown the RPI. Wait, and unplug finally )

sudo raspi-config                ( to relaunch the initial setup menu )
 

 

 

Editing configuration files of the RPI

 

With the Raspberry PI ( as with other Linux distros ), most configuration tasks can be performed from the command line, without entering the graphical desktop environment ( LXDE ).
Furthermore, we need root rights to edit system files, so in desktop mode we have to open a terminal and launch the text editor with root rights.

As an example, to edit the file /etc/network/interfaces, there are two ways :

without Desktop Environment :

sudo nano /etc/network/interfaces                                               ( use CTRL+X to save changes )

 

with Desktop Environment :

launch command line and type :

    sudo leafpad /etc/network/interfaces

Do note that, as the command line is so powerful, we can perform most setup tasks remotely over SSH.

 

 

 

Static Network Setup of the Raspberry PI Raspbian


We edit /etc/network/interfaces :

( sudo leafpad /etc/network/interfaces )

 

and replace the ' iface eth0 inet dhcp ' line with :

iface eth0 inet static
address 192.168.1.81
netmask 255.255.255.0
gateway 192.168.1.254


to display the file using command line :
cat /etc/network/interfaces

reboot to apply changes ( sudo reboot )

 

 

Network verification


ifconfig        ( Linux equivalent to ipconfig )

ping 8.8.8.8
traceroute 8.8.8.8


DNS setup

 

We edit /etc/resolv.conf :

( sudo nano /etc/resolv.conf )

and add nameserver entries. ex :

nameserver 8.8.8.8
nameserver 8.8.4.4

to verify :

cat /etc/resolv.conf


We reboot to apply changes ( sudo reboot )


DNS test

we need the package dnsutils for nslookup and dig commands :

sudo apt-get update

sudo apt-get install dnsutils

and we then test DNS resolution :

ping www.wikipedia.org

nslookup www.wikipedia.org


time sync verification

The Raspberry PI has no hardware RTC ( Real Time Clock ).
Time is set from an Internet NTP server. To check that the sync is working, we can use the ' date ' command.

date


Static IPv6 setup

 

O5a

 

The IPv6 module is not loaded by default. To load it temporarily :

sudo modprobe ipv6    ( temporary effect, lost at reboot )

To set it up to be automatically loaded at each boot, we need to edit the /etc/modules file :

sudo leafpad /etc/modules

we just add ipv6 on a line by itself at the end of /etc/modules, then reboot :

sudo reboot


How to disable SLAAC on the RPI

As we're doing static networking, we will disable SLAAC. We need to edit /etc/sysctl.conf :

sudo nano /etc/sysctl.conf

and add this line :
net.ipv6.conf.all.autoconf=0
( net.ipv6.conf.eth0.autoconf=0 may be needed too, to override any previous per-interface setting )

 

 

IPv6 and DNSv6 Addresses setup

 

we set up static IPv6 addresses by adding these lines to /etc/network/interfaces :

sudo leafpad /etc/network/interfaces

                iface eth0 inet6 static
                address 2001:db8:0:0::40
                netmask 64
                gateway 2001:db8:0:0::1

we add the DNSv6 addresses by editing /etc/resolv.conf :

sudo nano /etc/resolv.conf

we add nameserver entries. ex :

nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844

to verify :

cat /etc/resolv.conf


we reboot to apply changes ( sudo reboot )


IPv6 tests

 

ping6 www.wikipedia.org
traceroute6 www.wikipedia.org
 

to force the use of a particular DNS server with nslookup ( e.g. to force DNSv6 resolution ) :

 

nslookup www.wikipedia.org [IPv4 DNS]
nslookup www.wikipedia.org [IPv6 DNS]

( it's the same as Windows nslookup )


( Complete /etc/network/interfaces and /etc/resolv.conf files will be provided at the bottom of this post as an example ).


Raspbian Network Notes

a more Windows-style tracert ( ICMP echo probes instead of UDP ) :

sudo traceroute -I www.wikipedia.org


to check routes :

ip route show

ip -6 route show


Please note that no additional routes need to be created here for complete IPv4/IPv6 Internet connectivity.

 

 

 

SSH remote access using Windows

 

SSH is enabled by default, on port 22.

We just need to install PuTTY

 

and fill these settings :

 

[RPI IP] / Port ( 22 Default ) / SSH

 

 

 

Raspbian remote access using the Native Windows RDP Client

Raspbian Setup :

sudo apt-get install xrdp

sudo reboot


Windows OS :

we just use Windows Remote Desktop Connection and log in using the RPI IP ( no user );

    we're then asked for our RPI credentials
 

 

 

To log out, we need to use the bottom-right red button on the Raspbian LXDE desktop.

 

 

 

Raspbian Wireshark Install ( with non-root user limited privileges )
 

The right way to install Wireshark is with limited, non-root user privileges ( the other way being to launch it fully as root, which is not a good idea, or ending up unable to capture on the interfaces ).

It's very simple actually :

 

sudo apt-get install wireshark

sudo dpkg-reconfigure wireshark-common

    ( answer YES )

sudo usermod -a -G wireshark pi

logout / login ( to apply permissions changes )

 

 

 

Keeping Raspbian Updated
 

To Update the Raspbian OS and the installed packages :

 

sudo apt-get update

sudo apt-get upgrade
 

 

 

To update the Firmware ( ie BIOS )

 

sudo apt-get update

( ' sudo apt-get install rpi-update ' if needed)

sudo rpi-update
 

 

 

Raspbian Command Line

 

Here are some basic bash commands :

 

 

cd                                     change directory

ls                                     list directory content

cp                                     copy file

mv                                     move / rename file

rm                                     delete file


grep nameserver /etc/resolv.conf       looks for the string ' nameserver ' in the file resolv.conf

grep -i nameserver /etc/resolv.conf    the same as above, case insensitive


cat /var/log/messages                  lists the system log file

dmesg                                  displays the kernel log ( boot and hardware messages )

uname -a                               displays the kernel version

 

 

Published by computer outlines - in IPv6
