The Post-Office analogy

(This article is part of a series network-basics)

A nice way to illustrate how an IP network works is to compare its addressing and routing to a traditional postal service.

In a computer network the material that needs to be transported is chopped into “packets”. Each packet carries address information, the actual payload (the data the user wants to transport) and some more. A packet could be compared to a single postcard or a letter sent by post.


Computer networks

(This article is part of a series network-basics)

So you want to make a computer “talk” to another computer? Here “talking” means using some communications protocol (we are interested in the Internet Protocol) to make these computers send data packets to each other. These packets amount to chat messages, electronic mail, transferring a file from one machine to another and many more things.


Two sites, one LAN

Scenario

This lab extends a LAN over a VPN link to two different sites. These sites are connected to the Internet and routed with BGP.

eBGP to “ISP router” and iBGP between the sites.

The two “sites” are my laptops, and the hosts and routers running in these “sites” are VirtualBox guests. Router guests run Vyatta 6.5, server guests run Bodhi Linux.

All the routers have an IPv4 connection to the “ISP router”, which is a Cisco.

IPv6 from r1a and r2b is tunneled over the IPv4 link.
The L2VPN between the sites also runs over the IPv4 link.

The end result should be that you can connect a host to either site using the LAN prefix 2001:98:0013:004f::/64, and that host gets an IPv6 Internet connection. The connection should fail over automatically to the other link to the “ISP router”.

Network Diagram

[Network diagram: two-sites-one-lan]

I apologise for the crappy network diagram. I drew it as a Google Docs presentation and that felt a bit clumsy.

Set up the Lab

Install guests (the routers) on the two hosts.
Give the routers IPv4 addresses.
Configure IPv4 routing so that the guest routers can see each other; 0/0 points to the “ISP router”.
Check that all routers can ping each other with their IPv4 addresses.

L2VPN

Create L2VPN between r3a and r4b, using the IPv4 network as transport.

generate openvpn key r3a-r4b

r3a
set interfaces bridge br2
set interfaces ethernet eth4 bridge-group bridge br2
commit
set interfaces openvpn vtun2 mode site-to-site
set interfaces openvpn vtun2 remote-host 10.1.4.2
set interfaces openvpn vtun2 shared-secret-key-file /home/user/r3a-r4b
set interfaces openvpn vtun2 bridge-group bridge br2
commit

r4b
set interfaces bridge br2
set interfaces ethernet eth5 bridge-group bridge br2
commit
set interfaces openvpn vtun2 mode site-to-site
set interfaces openvpn vtun2 remote-host 10.1.3.2
set interfaces openvpn vtun2 shared-secret-key-file /home/user/r3a-r4b
set interfaces openvpn vtun2 bridge-group bridge br2
commit

Give the lab-routers their IPv6 addresses

set interfaces ethernet eth4 ipv6 address eui64 2001:98:13:4f::/64
set interfaces ethernet eth4 ipv6 router-advert prefix 2001:98:13:4f::/64
set interfaces ethernet eth4 ipv6 router-advert other-config-flag true

IPv6 tunnels

If your virtualization software and network environment allow it, you may skip this phase and give r1a and r2b their IPv6 link addresses directly. In my system I have VirtualBox and the link is over wifi, which does not allow me to use IPv6 directly on this interface.

That is why I use tunnels.

Create IPv6-over-IPv4 tunnels between

“ISP-router” – r1a
“ISP-router” – r2b

IPv6 addresses for the tunnels

“ISP-router” Cisco
2001:98:0013:004e::1/126
r1a
2001:98:0013:004e::2/126

“ISP-router” Cisco
2001:98:0013:004e::5/126
r2b
2001:98:0013:004e::6/126

Cisco config
interface Tunnel3
description IPv6 tunnel to r1a
no ip address
ipv6 address 2001:98:0013:004e::1/126
ipv6 enable
tunnel source 10.1.1.1
tunnel destination 10.1.1.2
tunnel mode ipv6ip

Vyatta config for r1a
edit interfaces tunnel tun3
set address 2001:98:0013:004e::2/126
set encapsulation sit
set local-ip 10.1.1.2
set remote-ip 10.1.1.1
set description "IPv6 tunnel to cisco"
exit
commit

Adjust accordingly for r2b.

Routing

Configure IPv6 eBGP from r1a and r2b to the Internet router.

r1a
set protocols bgp 65502 neighbor 2001:98:13:4e::1 address-family ipv6-unicast soft-reconfiguration inbound
set protocols bgp 65502 neighbor 2001:98:13:4e::1 remote-as 65501
set protocols bgp 65502 parameters router-id 10.1.1.2

cisco
router bgp 65501
no synchronization
bgp log-neighbor-changes
neighbor 2001:98:13:4E::2 remote-as 65502
no auto-summary
!
address-family ipv6
neighbor 2001:98:13:4E::2 activate
neighbor 2001:98:13:4E::2 next-hop-self
neighbor 2001:98:13:4E::2 soft-reconfiguration inbound
redistribute static
default-information originate
no synchronization
exit-address-family
!

Adjust accordingly for r2b.

Configure IPv6 iBGP r1a – r2b

r2b
set protocols bgp 65502 neighbor 2001:98:13:4f:a00:27ff:fef7:eb81 address-family ipv6-unicast soft-reconfiguration inbound
set protocols bgp 65502 neighbor 2001:98:13:4f:a00:27ff:fef7:eb81 remote-as 65502
set protocols bgp 65502 neighbor 2001:98:13:4f:a00:27ff:fef7:eb81 address-family ipv6-unicast nexthop-self
set protocols bgp 65502 neighbor 2001:98:13:4f:a00:27ff:fef7:eb81 update-source 2001:98:13:4f:a00:27ff:fe97:1e3c

Adjust accordingly for r1a.

Inject the LAN prefix into BGP

r1a & r2b
set protocols bgp 65502 address-family ipv6-unicast network 2001:98:0013:004f::/64

Testing

Set up a host on both “sites”.
Bring down routers, links, or the connection between sites. What happens?

My observations:

1. When I turn off routers, the routing changes to the other link immediately.

2. When I put down the main WAN link, it takes time to reroute. About a minute or two.

3. Of my two “servers”, one changes its first hop immediately and automatically. The other one does not. Don’t know why. Both hosts use automatic configuration.

BGP AS-path prepending

BGP has its own rules for choosing which path to use. Which route did your routers choose as the active one? Now we want to tell them that we prefer to pass traffic via r1a, so put this configuration in r2b to make its path appear longer.

r2b
set policy route-map prepend-secondary rule 10 action permit
set policy route-map prepend-secondary rule 10 set as-path-prepend "65502 65502"
set protocols bgp 65502 neighbor 2001:98:13:4E::5 address-family ipv6-unicast route-map export prepend-secondary

IPv6 security; reflexive ACL on Cisco

[Originally posted Oct 21, 2012 10:53 AM by Antti Uitto]

So you got an IPv6 network up and running? Good!

If you have not done so, it is about the time to make sure only desired traffic from the Internet can get to your machines.

This example shows you how to set up a rather basic ACL (Access Control List) that is automated:

1) Allows all traffic from your network to Internet.
2) Keeps track of the connections opened from your network
3) Creates permit-rules to allow returning traffic
4) Removes those rules as they expire
5) Rejects all other traffic originating from the Internet

The technology used here is called Reflexive access-list, or IP Session Filtering.

We are going to monitor and evaluate the IPv6 traffic on the LAN interface, which in this case is Vlan1.

First create a list that checks inbound traffic on your interface and allows your own IPv6 net:

 ipv6 access-list interior-in6
 sequence 10 permit ipv6 2001:19:13:42::/64 any reflect my-net

When traffic originating from your IPv6 network goes by, a matching entry is created in a reflexive list called “my-net”.

I also have this on interior-in6 list because I sometimes want to connect to my router by using the link-local address:

sequence 20 permit ipv6 FE80::/10 any

Then create another list that checks the outbound traffic on your LAN interface:

 ipv6 access-list interior-out6
 evaluate my-net sequence 1
 deny ipv6 any any sequence 1000

This list applies to returning packets and to new connections opened from the Internet. In this example it just checks whether the connection is found in the reflexive list “my-net”. If it is, the packet passes; if not, it is dropped. If you want to allow connections originating from the Internet to your own IPv6 net, you can add those rules to this list.

Last but not least, assign these ACLs to the LAN interface:

 interface Vlan1
 ipv6 traffic-filter interior-in6 in
 ipv6 traffic-filter interior-out6 out

Open some IPv6 sites and then look at what show ipv6 access-list displays.
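The mechanism above, as an added illustration (my own Python model of the two lists, not Cisco code): interior-in6 records the mirrored 5-tuple of every session leaving the LAN in my-net with an idle timeout, and interior-out6 only passes packets that match such an entry. The 300 s idle timeout, the 2001:db8:: hosts and the packet sequence are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Values from the post: the LAN prefix permitted by interior-in6 and the
# link-local range allowed for management access.
LAN_PREFIX = ipaddress.ip_network("2001:19:13:42::/64")
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
# Assumed idle timeout for reflexive entries (IOS uses a global timeout,
# 300 s by default).
REFLEX_TIMEOUT = 300


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int


class ReflexiveFilter:
    """Models interior-in6 (in) and interior-out6 (out) on Vlan1.

    Entries in my_net are keyed by the 5-tuple a *returning* packet will
    carry, i.e. the outbound packet with addresses and ports swapped.
    """

    def __init__(self, timeout=REFLEX_TIMEOUT):
        self.timeout = timeout
        self.my_net = {}  # mirrored 5-tuple -> expiry time (seconds)

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)

    @staticmethod
    def _mirror(pkt):
        return (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)

    def _expire(self, now):
        for key, expiry in list(self.my_net.items()):
            if expiry <= now:
                del self.my_net[key]

    def from_lan(self, pkt, now):
        """interior-in6: packets entering the router from the LAN side."""
        src = ipaddress.ip_address(pkt.src)
        if src in LAN_PREFIX:
            # sequence 10: permit and record the mirrored session in my-net
            self.my_net[self._mirror(pkt)] = now + self.timeout
            return True
        if src in LINK_LOCAL:
            # sequence 20: permit management traffic, but do not reflect it
            return True
        return False  # implicit deny: a source that is not our LAN is spoofed

    def to_lan(self, pkt, now):
        """interior-out6: packets leaving the router towards the LAN."""
        self._expire(now)
        key = self._key(pkt)
        if key in self.my_net:
            # evaluate my-net: known session; seeing traffic refreshes the timer
            self.my_net[key] = now + self.timeout
            return True
        return False  # sequence 1000: deny ipv6 any any


def run_demo():
    """Replay a constructed packet sequence and return each verdict."""
    f = ReflexiveFilter()
    host, web, scanner = "2001:19:13:42::10", "2001:db8::1", "2001:db8::bad"
    return {
        # LAN host opens a TCP connection to a web server: permitted, tracked
        "outbound": f.from_lan(Packet("tcp", host, web, 50000, 80), now=0),
        # the server's reply matches the mirrored entry: permitted
        "reply": f.to_lan(Packet("tcp", web, host, 80, 50000), now=1),
        # unsolicited connection from the Internet to the host's SSH port: denied
        "unsolicited": f.to_lan(Packet("tcp", scanner, host, 4444, 22), now=1),
        # link-local management traffic from the LAN: permitted, not tracked
        "link_local": f.from_lan(Packet("tcp", "fe80::1", "fe80::2", 5555, 22), now=1),
        # a packet on the LAN side with a non-LAN source: dropped (anti-spoofing)
        "spoofed": f.from_lan(Packet("udp", "2001:db8::9", web, 53, 53), now=1),
        "tracked_sessions": len(f.my_net),
        # after the idle timeout the server's packets are denied again
        "reply_after_timeout": f.to_lan(Packet("tcp", web, host, 80, 50000), now=400),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:20} {verdict}")
```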

Resources
http://packetlife.net/blog/2008/nov/25/reflexive-access-lists/
http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfreflx.html
http://www.cisco.com/en/US/docs/ios/11_3/security/configuration/guide/screflex.html

IPv6 to go: PPTP VPN Cisco – Mac Book and an IPv6 tunnel

[Originally posted Sep 2, 2012 10:53 AM by Antti Uitto   [ updated Sep 2, 2012 11:40 AM ]]

This article assumes that you have a (Cisco) router that you can administer and that the router is connected to both IPv4 and IPv6 networks.

It’s ok if you don’t have IPv5 yet.

We are going to make a PPTP VPN from a Mac to the router and then, using the IPv4 address pair from the VPN client pool, tunnel some IPv6 through it. This way you can have your IPv6 address with you wherever you go.

First configure PPTP VPN service in your router.

configure terminal
vpdn enable
vpdn-group 1
accept-dialin
protocol pptp
virtual-template 1
exit
exit
interface Virtual-Template1
ip address 192.168.34.1 255.255.255.0
peer default ip address pool PPTP-Pool
no keepalive
ppp encrypt mppe 128
ppp authentication ms-chap ms-chap-v2
exit
ip local pool PPTP-Pool 192.168.34.200 192.168.34.210

Create a PPTP VPN user.

username usr1 password PASSWORD

Insert these lines to ensure that usr1 always gets address 192.168.34.200

aaa new-model
aaa authentication ppp default local
aaa authorization network default local

username usr1 aaa attribute list usr1
aaa attribute list usr1
attribute type addr 192.168.34.200 service ppp protocol ip mandatory

Create a tunnel interface for this user

interface Tunnel200
description IPv6 tunnel to MAC
no ip address
ipv6 address 2001:98:1:49:FFFF:FFFF:FFFF:FFFD/126
ipv6 enable
tunnel source 192.168.34.1
tunnel destination 192.168.34.200
tunnel mode ipv6ip
end

Those lines make a tunnel between the PPTP VPN addresses (IPv4). This tunnel is given an IPv6 address from your own allocation.

Next configure your Mac.

Create a normal PPTP VPN connection using OS X’s network configuration.

Then create a file called ipv6-tunnel-up on Mac, with this in it:

sudo route delete -inet6 default
sudo ifconfig gif200 create
sudo ifconfig gif200 tunnel 192.168.34.200 192.168.34.1
sudo ifconfig gif200 inet6 alias 2001:98:1:49:FFFF:FFFF:FFFF:FFFE prefixlen 126
sudo route add -inet6 default -interface gif200

Make this file executable by saying
chmod +x ipv6-tunnel-up

You can make things even nicer by creating a similar file ipv6-tunnel-down that destroys gif200 and removes the IPv6 default route.

IPv6 Vyatta Lab – Part V; New site via eBGP

[Originally posted Jun 3, 2012 4:31 AM by Antti Uitto   [ updated Jun 3, 2012 10:05 AM ]]

In this part we are going to connect a new “customer” to our network. The previous episode featured a user connected directly to one of the core routers. This time there will be CE routers: two of them, attached to two different core nodes and configured with enough services to handle failover in case the main connection breaks down.

[Network diagram: vyatta-lab-with-loopacks3]

IPv6 address allocation

Allocate a new prefix 2001:99:13:4c::/64 and route it from the Internet router to the FW and from the FW to the first lab router. This will be the IPv6 prefix used in the customer’s LAN.

Then allocate two more nets to be used as link addresses between our core routers and the CE routers: 2001:99:13:4d::/64 and 2001:99:13:4e::/64. Route them as well.

Connections and topology

Connect the new customer routers to your network. I connect these two via R6 and R8.
Configure the interfaces and define IPv6 BGP neighbors.
Our core network has ASN 65501 and this new site is going to be in ASN 65502.

cust2-gw1 (connected to R6)
set interfaces ethernet eth4 address 2001:99:0013:004d::2/64
set protocols bgp 65502 neighbor 2001:99:0013:004d::1 address-family ipv6-unicast soft-reconfiguration inbound
set protocols bgp 65502 neighbor 2001:99:0013:004d::1 remote-as 65501
set protocols bgp 65502 parameters router-id 172.2.2.1

Just make something up for router-id.

R6 (connected to cust2-gw1)
set interfaces ethernet eth5 address 2001:99:0013:004d::1/64
set protocols bgp 65501 neighbor 2001:99:0013:004d::2 address-family ipv6-unicast soft-reconfiguration inbound
set protocols bgp 65501 neighbor 2001:99:0013:004d::2 remote-as 65502

Create the links and BGP relationships between cust2-gw2 and R8 in the same way, using the link network 2001:99:13:4e::/64.

Make sure you add these new link interfaces to your IGP (OSPF) in the core network so that your next-hop addresses will be available.

Create the LAN interface and turn on router advert

cust2-gw1
set interfaces ethernet eth5 ipv6 address eui64 2001:99:13:4c::/64
set interfaces ethernet eth5 ipv6 router-advert send-advert true
set interfaces ethernet eth5 ipv6 router-advert prefix 2001:99:13:4c::/64

Advertise the customer prefix into BGP.

cust2-gw1 & gw2
set protocols bgp 65502 address-family ipv6-unicast network 2001:99:13:4c::/64

Manipulate your routing

In my network gw1 was chosen as the primary route to the new customer site. This may be just fine but for the fun of doing so, I wanted to change this.

This configuration goes into cust2-gw1 and prepends the AS path announced by this router. As a result the path via cust2-gw2 becomes preferred over gw1.

set policy route-map as-prepend rule 1 set as-path-prepend "65502 65502"
set policy route-map as-prepend rule 1 action permit
set policy route-map as-prepend rule 1 match ipv6 address prefix-list as-prepend
set policy prefix-list6 as-prepend rule 1 action permit
set policy prefix-list6 as-prepend rule 1 prefix 2001:99:13:4c::/64
set protocols bgp 65502 neighbor 2001:99:13:4d::1 address-family ipv6-unicast route-map export as-prepend

The routing turned to gw2, but my computer in the cust2 LAN still wanted to use gw1 as its primary gateway to the world. On Cisco you can influence this by setting the gw2 router preference to “high”.

I don’t know how to do that in Vyatta at the moment. There is so much to learn.

Add a computer to the LAN

Now it is time to add a “customer’s” computer into this LAN and see if we reach our core network router’s loopbacks and perhaps even the Internet from it.

Check ip -6 route on the computer (if Linux). Which gateway does it want to talk to first?

Test your redundancy. Verify which route your computer uses to reach the Internet and then turn off that gw. Put it back on and turn off the other one. What happens? Do you lose many pings?

Check out this Packetlife article for more information on IPv6 ND providing first-hop redundancy.
http://packetlife.net/blog/2011/apr/18/ipv6-neighbor-discovery-high-availability/

More to do

It might be wise to configure a prefix-list on the core routers R6 and R8 so that nothing other than 2001:99:13:4c::/64 can be advertised into our network from the customer.

I could easily add one here but I will not since there has to be stuff left for future articles!
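The two mechanics used in this post and in the “BGP AS-path prepending” section of the Two sites post, as an added illustration (my own Python model, not configuration from the posts): what a CE router announces after as-path-prepend, the inbound prefix filter a core router should apply, and a simplified best-path decision that shows why the prepended path loses. The decision process is reduced to local-pref, AS-path length and a next-hop tie-break, and 2001:db8::/32 is a constructed bogus prefix.

```python
import ipaddress
from dataclasses import dataclass

# From the posts: the customer site is AS 65502, the core is AS 65501, and
# 2001:99:13:4c::/64 is the only prefix the customer was allocated.
CUSTOMER_AS = 65502
ALLOWED_FROM_CUSTOMER = {ipaddress.ip_network("2001:99:13:4c::/64")}


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple        # leftmost AS is the one that announced it to us
    next_hop: str = ""
    local_pref: int = 100


def export_with_prepend(route, own_as, prepend, next_hop):
    """What a CE router announces to its eBGP neighbor.

    The router always puts its own AS in front; a route-map with
    'set as-path-prepend "65502 65502"' adds two more copies before that.
    """
    return Route(route.prefix, tuple(prepend) + (own_as,) + route.as_path,
                 next_hop, route.local_pref)


def import_filter(route, allowed):
    """Inbound check a core router (R6/R8) would do with a prefix-list6 and
    a route-map import: accept only an exact match of an allowed prefix."""
    return ipaddress.ip_network(route.prefix) in allowed


def best_path(candidates):
    """Simplified BGP decision process: highest local-pref, then shortest
    AS path, then lowest next-hop address as a stand-in for the remaining
    tie-breakers (real BGP also looks at origin, MED, IGP metric, router-id)."""
    return min(candidates, key=lambda r: (-r.local_pref, len(r.as_path),
                                          ipaddress.ip_address(r.next_hop)))


def run_demo():
    """Constructed announcements as seen from the AS 65501 side."""
    lan = Route("2001:99:13:4c::/64", ())   # originated by the CE routers
    # cust2-gw1 on link 2001:99:13:4d::/64 uses the as-prepend route-map
    via_gw1 = export_with_prepend(lan, CUSTOMER_AS, (65502, 65502), "2001:99:13:4d::2")
    # cust2-gw2 on link 2001:99:13:4e::/64 announces the path untouched
    via_gw2 = export_with_prepend(lan, CUSTOMER_AS, (), "2001:99:13:4e::2")
    # constructed: a prefix the customer was never allocated
    bogus = export_with_prepend(Route("2001:db8::/32", ()), CUSTOMER_AS, (), "2001:99:13:4e::2")

    accepted = [r for r in (via_gw1, via_gw2, bogus)
                if import_filter(r, ALLOWED_FROM_CUSTOMER)]
    # what the core would pick if gw1 did not prepend: only the tie-break decides
    plain_gw1 = export_with_prepend(lan, CUSTOMER_AS, (), "2001:99:13:4d::2")
    return {
        "gw1_path": via_gw1.as_path,
        "accepted": [(r.prefix, r.next_hop) for r in accepted],
        "best_next_hop": best_path(accepted).next_hop,
        "best_without_prepend": best_path([plain_gw1, via_gw2]).next_hop,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```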

IPv6 Vyatta LAB – Part IV ; BGP routes and a customer site

[Originally posted May 9, 2012 12:41 PM by Antti Uitto   [ updated May 9, 2012 1:17 PM ]]

In the previous chapter we created BGP connections for our network. In order to avoid configuring full mesh, connecting each router to each router (as iBGP would demand), we used Route Reflectors.

Now we should have all the BGP neighbors up and running but nothing is yet advertised using BGP.

In this exercise we shall inject some routes into this new BGP.

I have earlier configured a static default route in R1. (See the first episode)
Let’s make this ::/0 available to all the other routers as well.

R1
set protocols bgp 65501 neighbor 2001:99:13:4a::2 address-family ipv6-unicast default-originate
set protocols bgp 65501 neighbor 2001:99:13:4a::3 address-family ipv6-unicast default-originate
… etc …

Now you should see IPv6 default route on all the routers and be able to ping6 hosts outside your own lab. (Use loopbacks as source)

“Customer” site and a new prefix

Case study: Fake Ltd

The next job is to add an interface for a bogus client. My customer Fake Ltd has an IPv6 prefix 2001:99:13:4b::/64 and their non-existent main office is located in an made-up Business Center where the connections are provided by the Fairy-Tale ISP’s imaginary core router called R8.

A make-believe port eth6 has been provisioned for this customer.

This is the best thing you get when you want to buy services without using real money.

Route it from the Real World

Route the client’s prefix 2001:99:13:4b::/64 with a static route from the Internet gw to the FW and from the FW to R1, just like you did with the lab prefix in the beginning.

Create an interface

R8
set interfaces ethernet eth6 address 2001:099:0013:004b::1/64
set interfaces ethernet eth6 ipv6 router-advert prefix 2001:099:0013:004b::/64
set interfaces ethernet eth6 ipv6 router-advert send-advert true

Now check the IPv6 routing table in R8. You will see it as a connected network. Then check your other routers. No 4b there?

It is not visible in the other lab routers yet because this configuration does not redistribute connected networks. You can either redistribute connected networks into BGP or add a network statement in R8.

We do the latter.

Inject the new prefix into BGP

R8
set protocols bgp 65501 address-family ipv6-unicast network 2001:99:13:4b::/64

After you commit this command in R8, the new network should appear in the routing tables across your lab network.

You can now connect a client computer to this interface. It should get an IPv6 address and default route information from R8. Note that this configuration does not yet give IPv6 DNS addresses. For those you will need DHCPv6 set up and “other-config-flag true” under the router interface.

https://sites.google.com/site/6filesb/home/blog/ipv6basicsaddressingahostandstaticrouting

It was worth every penny!

IPv6 Vyatta LAB – Part III BGP route reflectors and their clients

[Originally posted May 3, 2012 2:28 PM by Antti Uitto   [ updated May 9, 2012 12:43 PM ]]

Now that our lab routers have each other’s loopbacks in the routing tables, we can start defining internal BGP neighbors. We will use these loopback addresses to create the adjacencies.

The lab looks like this:

[Network diagram: vyatta-lab-with-loopacks2]

I have chosen R1 and R2 to be Route Reflectors in this network. (RR in the diagram)

iBGP assumes a full mesh between participating routers, so a route learned from one iBGP neighbor is not passed on to other iBGP neighbors.

The exception is a Route Reflector, which is allowed to do so.

In order to avoid building a full mesh topology (creating a bgp neighbor relationship from each router to each router) we use Route Reflectors. Now every router will have BGP connections to these two reflectors only.

Let’s start configuring!

Say configure to your Vyatta and insert these:

Route Reflector R1
set protocols bgp 65501 address-family ipv6-unicast
set protocols bgp 65501 neighbor 2001:99:13:4a::2 address-family ipv6-unicast
set protocols bgp 65501 neighbor 2001:99:13:4a::2 remote-as 65501
set protocols bgp 65501 neighbor 2001:99:13:4a::2 address-family ipv6-unicast soft-reconfiguration inbound
set protocols bgp 65501 neighbor 2001:99:13:4a::2 address-family ipv6-unicast route-reflector-client
set protocols bgp 65501 neighbor 2001:99:13:4a::2 update-source 2001:99:13:4a::1

Do put the “route-reflector-client” under address-family ipv6-unicast, otherwise it will not reflect IPv6 routes!
Create the relationship from R1 to every other router in your lab network using these commands.
Then do the same from R2, adjusting the lines appropriately.

Other routers
set protocols bgp 65501 address-family ipv6-unicast
set protocols bgp 65501 neighbor 2001:99:13:4a::1 address-family ipv6-unicast
set protocols bgp 65501 neighbor 2001:99:13:4a::1 remote-as 65501
set protocols bgp 65501 neighbor 2001:99:13:4a::1 address-family ipv6-unicast soft-reconfiguration inbound
set protocols bgp 65501 neighbor 2001:99:13:4a::1 update-source 2001:99:13:4a::4
set protocols bgp 65501 neighbor 2001:99:13:4a::2 address-family ipv6-unicast
set protocols bgp 65501 neighbor 2001:99:13:4a::2 remote-as 65501
set protocols bgp 65501 neighbor 2001:99:13:4a::2 address-family ipv6-unicast soft-reconfiguration inbound
set protocols bgp 65501 neighbor 2001:99:13:4a::2 update-source 2001:99:13:4a::4

This links the router in question to both Route Reflectors.
Just change the update-source and paste to each router.

show ipv6 bgp summary

You should now see BGP adjacencies.

Then check

show ipv6 route bgp

and you will find that although BGP neighbors are defined and adjacencies are up, you have no BGP-learned IPv6 routes. We will change that in the next episode.

Sources
http://en.wikipedia.org/wiki/Route_reflector
http://en.wikipedia.org/wiki/Internal_border_gateway_protocol#Operation

IPv6 Vyatta LAB – Part II OSPF as IGP

[Originally posted May 1, 2012 10:48 AM by Antti Uitto   [ updated May 3, 2012 2:29 PM ]]

In the previous part we gave our lab routers loopback addresses and verified that the routers do communicate via Internet Protocol version 6. The lab should now look like this:

[Network diagram: vyatta-lab-with-loopacks]



Let’s take a look at the IPv6 routing table.

show ipv6 route

You will see only addresses that are connected directly to that router. So if you are at R1, you will see 2001:99:13:4a::1/128 plus the link-local addresses of each interface on R1.

If you try to ping R2 at 2001:99:13:4a::2, it will not respond. Since there are no routes, R1 does not know where to send traffic destined to 2001:99:13:4a::2, and even if it did, R2 would not know how to return the packets.

In the next episode we will add BGP to this network, and the BGP adjacencies will be created using the lab routers’ loopback addresses. Since the loopbacks are now unreachable, that would not work.

Now you could write a static route and tell R1 where to find 2001:99:13:4a::2, but that would spoil the whole thing. We are trying to build a network with dynamic routing.

So we want to add an IGP.

The job of the Interior Gateway Protocol is to make sure that the core nodes of this network will find each other at all times. They need to find each other’s loopback addresses.

My choice for the IGP in this lab is OSPF.

Here are the spells to get it going.

R1
set protocols ospfv3 area 0.0.0.0 interface eth0.12
set protocols ospfv3 area 0.0.0.0 interface eth0.13
set protocols ospfv3 area 0.0.0.0 interface eth0.14
set protocols ospfv3 area 0.0.0.0 interface eth1
set protocols ospfv3 area 0.0.0.0 interface eth2
set protocols ospfv3 area 0.0.0.0 interface lo
set protocols ospfv3 parameters router-id 10.5.5.1

Please adjust the interfaces to suit your configuration.

You will want to add every interface that points to other routers in your core. Do not forget to add the loopback as well. Give each router an id; this is typically the same as the IPv4 loopback address of your router.

Now check IPv6 routing table again.

show ipv6 route

You should see the loopbacks of all lab routers.

Ping them.

sudo ping6 2001:99:13:4a::8 -I 2001:99:13:4a::1

Other show-commands

show ipv6 route ospf6
show ipv6 ospfv3
show ipv6 ospfv3 neighbor
show ipv6 ospfv3 neighbor detail
show ipv6 ospfv3 route
show ipv6 ospfv3 route detail
show ipv6 ospfv3 interface eth0.12
show ipv6 ospfv3 database
show ipv6 ospfv3 area

Sources
http://en.wikipedia.org/wiki/Open_Shortest_Path_First
http://searchsecurity.techtarget.com/definition/IGP
http://en.wikipedia.org/wiki/Interior_gateway_protocol

IPv6 Vyatta LAB – Part I; the LAB connections and addresses

The Lab

In this exercise we will add IPv6 to my IPv4-speaking lab network. This lab consists of four switches, eight routers and one firewall. The firewall is connected to the NIC of my host system and provides access to the real world. All the lab hosts are VirtualBox guests on my computer.

The switches in the middle are not relevant to this article and for that reason we will not go into their configurations.

Episodes in this story will be

Part I    The LAB; connections and addresses
Part II    OSPF as IGP
Part III   BGP route reflectors and their clients
Part IV   BGP routes
Part V   New site via eBGP

Here is the network diagram for this lab.

[Network diagram: vyatta-lab]


Each link between the routers and switches is a VirtualBox intnet, each of them unique. (Exception: the link between FW and Cisco goes through my wlan.)

Because Virtualbox does not speak IPv6 over wlan interface, I have made a tunnel from the firewall to my real world router. There is also a tunnel between R1 and FW just because it is fun to make tunnels.

The prefix for my lab routers is 2001:099:0013:004a::/64. Each router will get a globally valid loopback address from this prefix.

I will use also other prefixes when it is time to add “customer” sites to the mix.

The firewall is an Ubuntu server; all other routers and switches are Vyatta 6.3.

There will be also ip6tables rules on the Firewall. I might write some more on firewalling later but you can find an example of a very basic firewall setup from my previous posting about IPv6 for residential user with tunnel service.

Here are the configurations for the tunnels used to connect the Real World to the Firewall and the Firewall to R1.
Feel free to skip them if you are not intending to use tunnels. The main beef in this lab will be the dynamic routing between routers from R1 to R8.

Tunnel from FW to r1

Firewall  (Ubuntu)
sudo ip tunnel add sit203 mode sit local 4.4.4.1 remote 4.4.4.2 ttl 64
sudo ip address add dev sit203 2001:099:0013:004a:ffff:ffff:ffff:fffd/126
sudo ip link set dev sit203 up
sudo ip -6 route add 2001:099:0013:004a::/64 via 2001:099:0013:004a:ffff:ffff:ffff:fffe

R1  (Vyatta)
set interfaces tunnel tun203 encapsulation sit
set interfaces tunnel tun203 local-ip 4.4.4.2
set interfaces tunnel tun203 remote-ip 4.4.4.1
set interfaces tunnel tun203 address 2001:099:0013:004a:ffff:ffff:ffff:fffe/126
set protocols static route6 ::/0 next-hop 2001:099:0013:004a:ffff:ffff:ffff:fffd

Tunnel from FW to REAL WORLD (Cisco)

FW  (Ubuntu)
ip tunnel add sit200 mode sit local 194.x.x.5 remote 194.x.x.1 ttl 64
ip address add dev sit200 2001:099:0013:0049:ffff:ffff:ffff:fffe/126
ip link set dev sit200 up
ip -6 route add ::/0 via 2001:099:0013:0049:ffff:ffff:ffff:fffd

Cisco
interface Tunnel200
no ip address
ipv6 address 2001:99:13:49:FFFF:FFFF:FFFF:FFFD/126
ipv6 enable
tunnel source 194.x.x.1
tunnel destination 194.x.x.5
tunnel mode ipv6ip
ipv6 route 2001:99:13:4A::/64 2001:99:13:49:FFFF:FFFF:FFFF:FFFE

Procedure

This is what we are going to be doing:

  1. Check IPv6 forwarding
  2. Verify IPv6 connectivity between the lab routers
  3. Route the lab prefix from the Internet router to LAB FW
  4. Route the lab prefix from LAB FW to R1
  5. Set IPv6 loopback addresses with mask /128 to each router
  6. Set up OSPFv3 and verify connectivity between routers
  7. Set up BGP
  8. Redistribute default route to BGP
  9. Set up a client interface with router advertisement and advertise with BGP
  10. Set up a client computer and test connectivity

Let’s get it started!

Check IPv6 forwarding

Vyatta routers

Vyatta 6.3 has IPv6 forwarding on by default. You can verify it with
show ipv6 forwarding

Firewall (Ubuntu server)

sudo nano /etc/sysctl.conf

Uncomment
net.ipv6.conf.all.forwarding=1

Reboot.

Verify IPv6 connectivity between the lab routers

Go to one of them, check which interfaces are connected to other routers and give it a try:

sudo ping6 -I eth0.12 ff02::1

If and when you get replies, you can try to connect to one of those neighbors directly:
ssh fe80::a00:27ff:fe96:c448%eth0.12

Routing the LAB Prefix

I have routed the lab prefix from the Real World (Cisco router) to my virtual lab. The routing goes through two different tunnels. You can see the commands used for static routing (Cisco, Ubuntu, Vyatta) in the tunnel examples above.

Router loopbacks

The last job in this episode is to assign each Vyatta router an address from our lab prefix. Let’s put them on the loopback interface.

Do this by commanding

user@r1 configure
user@r1 set interfaces loopback lo address 2001:99:13:4a::1/128
user@r1 commit
user@r1 save

user@r2 configure
user@r2 set interfaces loopback lo address 2001:99:13:4a::2/128
user@r2 commit
user@r2 save

user@r3 configure
user@r3 set interfaces loopback lo address 2001:99:13:4a::3/128
user@r3 commit
user@r3 save

... etc ...

In the next episode we will set up OSPF as an IGP for the lab network.

Network tools

[Originally posted Apr 15, 2012 2:22 AM by Antti Uitto   [ updated Apr 24, 2012 12:56 PM]]

In this post I do my best to list the most useful network-related applications and commands, with heavy emphasis on Linux and IPv6. Commands often work for IPv4 with tiny and hopefully obvious modification.

The list will change and expand as I find out more.

Linux

Routing table

netstat -6rn
Displays routing table

ip -6 route show
Displays routing table

ip -6 route show root 2001:1517:1517:fe00::/56
2001:1517:1517:fe00::/64 dev eth0  proto kernel  metric 256
Displays routing table entries that have a longer mask than given in the command.

ip -6 ro sh match 2001:1517:1517:fe00:ba8d:12ff:fe03:474c
2001:1517:1517:fe00::/64 dev eth0  proto kernel  metric 256
default dev tun  metric 1
Displays routes that apply for given address.

ip -6 rule show
Displays routing rules.

ip -6 ro show table <table_name>
Displays entries in a specific routing table.

Interface configuration and status

ifconfig
Displays interface information; interface name, IPv4 and IPv6 addresses, hardware address, MTU.

ip -6 addr
Displays IP addresses configured on the system.

ip -6 link
Displays links on your system. MTU and MAC address.

ip -6 tunnel show
Displays tunnels.

ethtool eth0
Displays basic information about ethernet nic.

netstat -i
Displays interface counters and errors.

Traffic monitoring & analysis

ping6 ipv6.google.com
ping6 2a00:1450:4016:800::1010
Ping hosts with hostname or global address.

mtr www.yahoo.com
Probes routers on the route path, shows packet loss and latency.

traceroute6 ipv6.google.com
Traces ipv6 routes.

traceroute6 ipv6.google.com -s 2001:998:13:42:223:14ff:fecf:4f9c
Traces ipv6 route using specific source address.

netstat
Prints network connections, routing tables, interface statistics, masquerade connections and multicast memberships.

sudo netstat -apn | more
Print network connections together with programs that initiate them.

sudo netstat -lp | more
Print listening ports on your system.

sudo netstat-nat
Displays current translations.

ntop
Displays network statistics in a web interface.

nmap -6 2001:997:5:5223:14ff:fecf:409c
Scans an IPv6 host and displays its open services.

nmap -6 -p1-10000 -n 2001:997:5:5223:14ff:fecf:409c
Scans IPv6 host in defined port range, without discovering hostnames.

nmap -6A 2001:997:5:5223:14ff:fecf:409c
Scans an IPv6 host and detects its operating system.
Nmap has limited features with IPv6 and you can scan only one host at a time.

nmap 192.168.0.0/24
Displays which hosts are up and what services they have available.

nmap -sP 192.168.1.*
Pings hosts and shows the ones that are up.

ip6tables -nv -L
Traffic accounting with ip6tables. See how much traffic host 2001:5:5:5:5:5:fed6:32d2 sends or receives.
First put this into your routers firewall rules:
-A FORWARD -s 2001:5:5:5:5:5:fed6:32d2
-A FORWARD -d 2001:5:5:5:5:5:fed6:32d2

tcpdump -vvv -i eth0
Display packets going in and out from interface eth0 and be very verbose.

tcpdump host 2a00:1450:4010:c00::69 -i eth0
Display packets going to or coming from host 2a00:1450:4010:c00::69 on interface eth0.

tcpflow

ngrep -l -q -d eth0 "User-Agent: " tcp and port 80
Capture network traffic incoming to eth0 interface and show the HTTP User-Agent string

ngrep -d eth0 -x sex
Listens to interface eth0 and displays packets that have the word “sex” in them.

iptraf (IPv4 only!)
Shows information about active connections.

iftop (IPv4 only!)
Shows information about active connections visually.

arping -I eth0 -c 2 -D 192.168.1.1
Check if you have a duplicate address. (IPv4 only!)

fping6 2:2:2::1 3:3:3::1 4:4:4::1
Ping multiple IPv6 hosts.

fping -ag 192.168.0.0/24
Ping multiple IPv4 hosts.

iperf
Test bandwidth between two hosts. Usage:
Server
iperf -V -s -B 2001:998:13:49::1
Client
iperf -V -c 2001:998:13:49::1

lsof -i6
List open files. The i is for IP sockets, 6 for IP version 6.

Other

host ipv6.google.com
Resolve the IP address of a host.

httping -GSb www.google.com
Tests latency of a web server using GET (gets the whole page), splitting the result in time to connect and time to exchange a request with the HTTP server. Shows the speed of the transfer.

Vyatta

Cisco

show ipv6 route
Displays the IPv6 routing table.

show ipv6 interfaces brief
Displays a brief list of IPv6 interfaces.

show ipv6 neighbors
Displays your IPv6 neighbors and their current states.

show ipv6 neighbors statistics
IPv6 ND statistics.

show bgp ipv6 unicast summary
Summary of IPv6 BGP neighbors, ASes and prefixes.

ping ipv6 ff02::1
Find your IPv6 neighbors. IOS will ask you to specify the output interface.

debug ipv6 icmp
terminal monitor
Enables IPv6 ICMP debugging and shows results on terminal.

debug ipv6 packet detail
terminal monitor
Enables IPv6 packet debugging and shows results on terminal.

terminal no monitor
no debug ipv6 packet detail
Stops the flood of information on your terminal and then disables the IPv6 packet debugging.

Alcatel

Juniper

Windows

Mac OSX

Try out the commands listed under Linux.

netstat -rn
Displays the routing table (IPv4 and IPv6)

Sources
http://linux-ip.net/html/tools-ip-route.html
Carla Schroder: Linux Networking Cookbook
http://linux-hacks.blogspot.com/2008/02/howto-ipv6-ipv6-tunnel-and-ip4-ipv6.html
http://www.g-loaded.eu/2006/11/06/netcat-a-couple-of-useful-examples/
http://en.wikipedia.org/wiki/MTR_%28software%29
http://www.ntop.org/
http://www.enterprisenetworkingplanet.com/netos/article.php/3650131/Tips-and-Tricks-for–Linux-Admins-Discover-Map-and-Store.htm
http://nmap.org/book/man-misc-options.html
http://zeldor.biz/2010/07/nmap-ipv6-addresses/
http://wiki.openvz.org/Traffic_accounting_with_iptables
http://en.wikipedia.org/wiki/Ngrep
http://linux.die.net/man/1/httping
http://en.wikipedia.org/wiki/Lsof
http://www.cisco.com/en/US/docs/ios/ipv6/command/reference/ipv6_15.html

IPv6 snack; access for residential LAN via tunnel service

[Originally posted Mar 22, 2012 12:46 PM by Antti Uitto   [ updated Mar 23, 2012 6:17 AM ]]

My previous experiences with Sixxs service have been very positive but this time I used Freenet6 for no other reason but just to try out another one. And like Sixxs, this one seems to be well done. Setup was easy with two minor hiccups. (I will elaborate later in the text)

This site has a little LAN with IPv4 Internet access through many-to-one NAT, via a wireless router. My plan was to use the old desktop machine and install Virtualbox on it. Then I would create a new virtual host with Ubuntu Server as OS and use this as my IPv6 router.

Steps taken

  1. Installed Ubuntu server (new virtual host)
  2. Enabled routing for IPv6
  3. Installed Gogo-client gogoc.
  4. Modified gogoc’s configuration
  5. Connected and pinged around
  6. Wrote ip6tables firewall rules
  7. Made things persist over reboots

Ubuntu Server

I installed Ubuntu Server to be my router. Nothing special here; bridged networking to host systems eth0, SSH server, static IPv4 address from our private network.

Routing IPv6

Because this machine is going to act as IPv6 router for other machines in the LAN I enabled IPv6 routing by editing file

/etc/sysctl.conf, uncommenting
net.ipv6.conf.all.forwarding=1

I then applied this change by rebooting the host.

You can also apply by running command
sudo /sbin/sysctl -q -p

Gogo-client

On Ubuntu router
sudo apt-get install gogoc

Gogo-client’s configuration

The config file for gogoc is at
/etc/gogoc/gogoc.conf

userid=MyUserName
passwd=MyPasswd
auth_method=any
host_type=router
prefixlen=56
if_prefix=eth0
tunnel_mode=v6udpv4

if_prefix means the interface on which I want my prefix to be advertised. This would be the interface facing the LAN with the client computers.

tunnel_mode: the mode I chose is the one meant for hosts that are unfortunate enough to connect from behind NAT.

Connecting to IPv6 Internet

After modifying the gogoc config file, I attempted to connect. Here was a minor issue. I could make the connection work if I changed the config to use an anonymous connection. Connecting authenticated would not work. After wondering for a while I found out (by running the client in the foreground) that while attempting an authenticated connection the client's script was asking a Yes/No question about whether or not I want to accept a server's key. I accepted it once and after that running the client in the background produced a working connection.

Run Gogo-client by commanding
sudo gogoc

Then check that you have a new tunnel interface with an IPv6 address and a globally valid-looking IPv6 address in your LAN interface.
ifconfig

Sometimes the connecting seems to take a while. Be patient and if you lose faith, check the log to see what is going on.

tail -F /var/log/gogoc/gogoc.log

You can increase logging verbosity by adjusting values in gogoc.conf.

Since I got connected after a few tries, I was then able to ping and trace around

ping6 ipv6.google.com
traceroute6 ipv6.google.com

ip6tables firewall


Here is my ip6tables firewall config.

Save it for example to /home/admin/firewall6 and apply it by saying
sudo ip6tables-restore < /home/admin/firewall6

user@host:~$ cat /home/admin/firewall6

# Generated by ip6tables-save v1.4.10 on Thu Mar 22 17:55:32 2012
*filter
:INPUT DROP [7697:530851]
:FORWARD DROP [53871:37157829]
:OUTPUT ACCEPT [8129:2157811]
#
# == INPUT =====
#
# Allow anything on the loopback interface
-A INPUT -i lo -j ACCEPT
#
# Allow Link-Local addresses
-A INPUT -s fe80::/10 -j ACCEPT
#
# Allow multicast
-A INPUT -d ff00::/8 -j ACCEPT
#
# Allow ICMPv6 everywhere (Neighbor Discovery and Path MTU discovery need it)
-I INPUT -p icmpv6 -j ACCEPT
#
# Allow established
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Allow SSH
-I INPUT -p tcp --dport 22 -j ACCEPT
#
# Log
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables input denied: " --log-level 7
#
# == FORWARD =====
#
# New connections only from my own prefix, LAN side (eth0) towards the tunnel (tun)
-A FORWARD -m state --state NEW -i eth0 -o tun -s <my_ipv6_prefix>/56 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp --dport 22 -j ACCEPT
-I FORWARD -p icmpv6 -j ACCEPT
#
# Log
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "ip6tables forwarding denied: " --log-level 7
COMMIT

Things in the rc.local


In order to make my connections come up and firewall rules to be applied after reloading the system, I put these in /etc/rc.local

mkdir /var/run/gogoc &&
gogoc &&
ip6tables-restore < /home/admin/firewall6

That mkdir -command is there because of the second issue I experienced.

Every time I rebooted my host, gogoc would not connect because of missing

/var/run/gogoc

This is my quick and very dirty fix to that. You may want to try if you get it rolling without such ridiculous trick.

Conclusion


Everything works now the way I was hoping. Client computers can access Internet hosts with both IPv4 and IPv6. The configurations on my Linux router persist over reloads. Client computers use for now only IPv4-based name server.

Sources
http://gogonet.gogo6.com/page/freenet6-ipv6-services
http://www.chronos-tachyon.net/reference/debian-ipv6-and-hurricane-electric
http://www.sixxs.net/wiki/IPv6_Firewalling

IPv6 basic settings; addressing a host and static routing

[Originally posted Mar 20, 2012 12:01 PM by Antti Uitto   [ updated May 8, 2012 3:15 AM ]]

Once you have acquired yourself a globally valid IPv6 prefix, you may need to configure addresses on your hosts. By default computers will attempt to find themselves an IPv6 address automatically by using the processes of NDP or DHCPv6.

NDP (Neighbor Discovery Protocol)
http://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol

DHCPv6 ( Dynamic Host Configuration Protocol version 6)
http://en.wikipedia.org/wiki/DHCPv6

Manual configuration is needed for example if your host acts as an IPv6 router. In that case the host does not try to autoconfigure itself.

Here are the very basics you will need to get IPv6 going. Dynamic routing, access control etc. are not covered here.

Ubuntu / Debian Linux

Give IPv6 address for an interface

sudo nano /etc/network/interfaces

example snippet for interface eth0

auto eth0
iface eth0 inet6 static
    address 2001:05c0:1400:000a:0000:0000:0000:0055
    netmask 64
    gateway 2001:05c0:1400:000a:0000:0000:0000:0001

Save and exit editor, then restart network.

/etc/init.d/networking restart

Static routes

ip -6 route add 2000::/3 via 2001:0db8:0:f101::1

Write routes also to /etc/rc.local to make them persist over reboots.

Check

ip -6 add
ip -6 route
ip -6 neigh
ping6 ipv6.google.com

Turn on IPv6 forwarding (routing) if needed.

sudo nano /etc/sysctl.conf

Uncomment
net.ipv6.conf.all.forwarding=1

Install and set up radvd

If you want this host to advertise itself as a router to your LAN, install and set up radvd

sudo apt-get install radvd

sudo nano /etc/radvd.conf

interface eth0
{
    AdvSendAdvert on;
    prefix 2001:db8::/64
    {
    };
};

Cisco router

conf t
 ipv6 unicast-routing
 ipv6 cef
 interface Gi0/1
  ipv6 enable
  ipv6 address 2001:05c0:1400:000a:0000:0000:0000:0002/64
  or
  ipv6 address 2001:05c0:1400:000a::/64 eui-64
  (ipv6 nd suppress-ra [*] )
  (ipv6 nd other-config-flag [**] )
 exit
 ipv6 route ::/0 2001:05c0:1400:000a:0000:0000:0000:0001
 ipv6 route 2001:998::/32 2001:05c0:1400:000a:0000:0000:0000:0007 [*]

[*] If the router interface in question is not facing your LAN (where the client computers are), you may want to put ipv6 nd suppress-ra under the interface configuration. This will disable router advertisements on that interface.

[**] Use this if you want the router to provide other IPv6 configurations to your computers, for example IPv6 DNS addresses. If you do this, you must also set up a service such as ipv6 dhcp pool that will give out these settings.

Vyatta router

By default Vyatta has IPv6 forwarding on so you can just address your interfaces and write your routes.

Give IPv6 address to an interface

set interfaces ethernet eth0 address 2001:db8:2::1/64
( set interfaces ethernet eth0 ipv6 router-advert prefix 2001:099:0013:004b::/64 [*] )
( set interfaces ethernet eth0 ipv6 router-advert other-config-flag true [**] )
commit
save

[*] Turn router-advert on if this interface is serving as the IPv6 gateway for computers in your LAN. If this interface is facing only other routers you might want to leave it out.

[**] Use this if you want the router to provide other IPv6 configuration to your computers, for example IPv6 DNS addresses. If you do this, you must also set up a service such as DHCPv6 that will give out these settings.

Static route

set protocols static route6 ::/0 next-hop 2001:db8:2::1
commit
save

Check

show interfaces
show ipv6 route
show ipv6 neighbors
ping6 2001:db8:2::2
traceroute6 2a00:1450:4016:800::1010

Windows 7

To configure IPv6 for static addressing

  1. Click Use the following IPv6 address, and then do one of the following:
    • For a local area connection, in IPv6 address, Subnet prefix length, and Default gateway, type the IP address, subnet prefix length, and default gateway address.
    • For all other connections, in IPv6 address, type the IP address.
  2. Click Use the following DNS server addresses.
  3. In Preferred DNS server and Alternate DNS server, type the primary and secondary DNS server addresses.

Check

Open the command line: Start - Run - cmd
  ipconfig

Sources

http://technet.microsoft.com/en-us/library/cc732106.aspx
http://www.cyberciti.biz/faq/ubuntu-ipv6-networking-configuration/
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-addrg_bsc_con.html
Carla Schroder: Linux Networking Cookbook
Vyatta documentation www.vyatta.org

IPv6 basics; connecting via link-local

[Originally posted Mar 18, 2012 4:40 AM by Antti Uitto   [ updated Mar 18, 2012 5:34 AM ]]

In today’s story we are attached to a local area network (LAN) with a bunch of IPv6-enabled hosts. We do not necessarily need to have a valid IPv6 router present, since we are just fooling around in this local segment, pinging each other and testing connections.

IPv6 is a protocol meant to serve a worldwide network and its numerous hosts. There are, however, addresses called link-local on each IPv6-enabled host. This link-local address is generated automatically by your computer's operating system and it is valid for connectivity between hosts that can see each other at L2, even in the absence of IPv6 routers. These addresses are also used by IPv6's Neighbor Discovery Protocol.

Does my host have IPv6?

If your operating system is from this millennium, it should have IPv6 available. But let's check.

Linux

user@host:~$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:13:d4:3e:dd:b3  
          inet addr:192.168.1.140  Bcast:192.168.1.255      
          Mask:255.255.255.0          
          inet6 addr: fe80::213:d4ff:fe3e:ddb3/64 Scope:Link
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host

Mine seems to have it. Note that both of my IPv6 addresses are such that they would not help me if I wanted connectivity in the global Internet. They are valid inside my own LAN segment.

Windows

ipconfig

MAC OSX

ifconfig

Pinging IPv6

Ping commands:

Linux ping6  (http://linux.die.net/man/8/ping6)
Windows ping -6 
Mac OSX ping6
Cisco router ping ipv6

Is there anybody out there?

I pinged with my Linux box to my own localhost address

user@host:~$ ping6 ::1
 PING ::1(::1) 56 data bytes
 64 bytes from ::1: icmp_seq=1 ttl=64 time=0.036 ms
 64 bytes from ::1: icmp_seq=2 ttl=64 time=0.044 ms

It works!

Next I will check if I can see any IPv6 neighbors

user@host:~$ ip -6 neighbor
user@host:~$

There was no-one there.

I will attempt to summon other hosts to become visible by pinging the address ff02::1, which is ip6-allnodes. All other IPv6 hosts should respond to this call.

user@host:~$ ping6 -I eth0 ff02::1
 PING ff02::1(ff02::1) from fe80::213:d4ff:fe3e:ddb3 eth0: 56 data bytes
 64 bytes from fe80::213:d4ff:fe3e:ddb3: icmp_seq=1 ttl=64 time=0.051 ms
 64 bytes from fe80::ba8d:12ff:fe03:474c: icmp_seq=1 ttl=64 time=70.8 ms (DUP!)
 64 bytes from fe80::1636:5ff:fe19:2392: icmp_seq=1 ttl=64 time=204 ms (DUP!)

Note! You will need to insert the name of the interface in the ping command. ( -I eth0 in this case)

After pinging allnodes-address I check again my neighbors:

user@host:~$ ip -6 neigh
 fe80::ba8d:12ff:fe03:474c dev eth0 lladdr b8:8d:12:03:47:4c REACHABLE
 fe80::1636:5ff:fe19:2392 dev eth0 lladdr 14:36:05:19:23:92 STALE
 fe80::a667:6ff:fe87:6b71 dev eth0 lladdr a4:67:06:87:6b:71 STALE
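The neighbor entries above pair a link-local address with the MAC address (lladdr) the neighbor reported. Here is an added example, not part of the original post, that parses those lines and checks whether each address is the modified EUI-64 form of its MAC (flip the 0x02 bit of the first octet, insert ff:fe in the middle); the sample input is the three lines shown above plus one constructed entry (fe80::1 with a made-up MAC) whose address is not derived from its lladdr.

```python
"""Added example (not from the original post): parse 'ip -6 neigh' output and
check whether each neighbor's link-local address is the modified EUI-64 form
of the MAC it reports.  Entries whose address does not derive from the lladdr
(privacy addresses, manual configuration, or a MAC/address pair that changed
under you) stand out in the result."""
import ipaddress
import re

# Sample input: the three neighbor lines shown above, plus one constructed
# entry (fe80::1 with a made-up MAC) whose address is not EUI-64 derived.
NEIGH_OUTPUT = """\
fe80::ba8d:12ff:fe03:474c dev eth0 lladdr b8:8d:12:03:47:4c REACHABLE
fe80::1636:5ff:fe19:2392 dev eth0 lladdr 14:36:05:19:23:92 STALE
fe80::a667:6ff:fe87:6b71 dev eth0 lladdr a4:67:06:87:6b:71 STALE
fe80::1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
"""

NEIGH_RE = re.compile(
    r"^(?P<addr>\S+) dev (?P<dev>\S+) lladdr "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<state>\S+)$"
)


def mac_to_linklocal(mac):
    """Build the fe80::/64 address a host derives from a 48-bit MAC (modified EUI-64)."""
    octets = [int(x, 16) for x in mac.split(":")]
    if len(octets) != 6:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    octets[0] ^= 0x02                      # flip the universal/local bit
    iid = bytes(octets[:3] + [0xFF, 0xFE] + octets[3:])
    packed = bytes.fromhex("fe80" + "00" * 6) + iid
    return str(ipaddress.IPv6Address(packed))


def linklocal_to_mac(addr):
    """Inverse: recover the MAC from an EUI-64 interface id, or None if it is not one."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = list(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join("%02x" % o for o in octets)


def check_neighbors(output):
    """Return one dict per neighbor line, comparing the derived MAC with lladdr."""
    rows = []
    for line in output.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue                       # e.g. FAILED entries without lladdr
        derived = linklocal_to_mac(m["addr"])
        rows.append({
            "addr": m["addr"], "dev": m["dev"], "mac": m["mac"], "state": m["state"],
            "eui64": derived is not None,
            "mac_matches": derived == m["mac"],
        })
    return rows


if __name__ == "__main__":
    for r in check_neighbors(NEIGH_OUTPUT):
        flag = "ok" if r["mac_matches"] else "address not derived from lladdr"
        print("%-28s %s %-9s %s" % (r["addr"], r["mac"], r["state"], flag))
```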

I ping one of them directly using the same syntax:

user@host:~$ ping6 -I eth0 fe80::ba8d:12ff:fe03:474c
 PING fe80::ba8d:12ff:fe03:474c(fe80::ba8d:12ff:fe03:474c) from fe80::213:d4ff:fe3e:ddb3 eth0: 56 data bytes
 64 bytes from fe80::ba8d:12ff:fe03:474c: icmp_seq=1 ttl=64 time=22.9 ms
 64 bytes from fe80::ba8d:12ff:fe03:474c: icmp_seq=2 ttl=64 time=40.9 ms

And then ssh into the neighbor:

user@host:~$ ssh fe80::ba8d:12ff:fe03:474c%eth0
 Password:
 Last login: Sun Mar 18 13:14:22 2012 from host.local
 Another-host:~ ap$
 Another-host:~ ap$

Note! When connecting with link-local addresses you will need to specify the interface for the connection. In this case it is given as %eth0 at the end of the neighbor's link-local address.

Sources
Carla Schroder: Linux Networking Cookbook
http://en.wikipedia.org/wiki/Link-local_address#IPv6

IPv6 basics: The protocol and addresses

[Originally posted Mar 16, 2012 10:25 AM by Antti Uitto   [ updated Mar 16, 2012 11:11 AM ]]

You will find 1001 of these articles in the Internet. Here are my notes on the topic.

Internet Protocol version 6

Internet Protocol version 6 (IPv6) is a successor for the current Internet Protocol version 4 (IPv4). IPv6 was designed to bring a solution to IPv4 address exhaustion and to simplify the routing in the Internet. The protocol has many advantages over its predecessor, the most notable being the vast address space of 128 bits.

IPv6 is a new protocol, not a mere extension to IPv4. For that reason, IPv6 does not play nicely with the previous protocol version.
Wikipedia: IPv6 does not implement interoperability features with IPv4, and creates essentially a parallel, independent network.
If your host has an IPv4 address, it can connect to other hosts that use IPv4. If your host has an IPv6 address, it can connect to other hosts using IPv6.

It is possible to run a dual stack on your host. In this case the host has addresses from both protocols and can connect directly to both IPv4 and IPv6 hosts in the Internet.

There are also several transition mechanisms available to enable communication between hosts that use different protocol versions. http://en.wikipedia.org/wiki/IPv6_transition_mechanisms

At the time of writing (March 2012) all modern operating systems support IPv6 and network gear is ready to handle the new protocol. Major deployment of the next generation protocol still proceeds slowly because there are hardly any serious end-user benefits to it. Efforts have been made to further advance the usage of IPv6 in the Internet: World IPv6 Day was an event on 8.6.2011 where major Internet players enabled IPv6 in their services for one day in order to test access and find out possible problems that large scale IPv6 deployment could bring about.

2011 World IPv6 day http://www.worldipv6day.org
Velocity 2011: Ian Flint, “World IPv6 Day: What We Learned”
http://youtu.be/T04o6bQN8Ls

6.6.2012 will be a World IPv6 launch in which these same players will enable IPv6 permanently and others are encouraged to join in.

http://www.worldipv6launch.org

Key benefits of IPv6

  • Huge address space of 128 bits
  • Inbuilt support for IPSEC
  • Stateless autoconfiguration, ease of management
  • Simplified routing
  • New applications and innovation due to the flexibility and capabilities of IPv6

IPv6 addresses

Example of an address

Here's what an IPv4 address looks like:
173.194.35.146

And this one’s IPv6:
2a00:1450:4016:0800:0000:0000:0000:1011

It can be compressed to 2a00:1450:4016:800::1011 by omitting the leading zeros in each group and replacing one run of consecutive all-zero groups with two consecutive colons (only one such run may be replaced, otherwise the address would be ambiguous).

Address classes

IPv6 traffic can be unicast, multicast or anycast.

  • Unicast – one-to-one
  • Multicast – one-to-many (to all interfaces that have joined the corresponding multicast group)
  • Anycast – one-to-closest (to topologically nearest node in a group of potential receivers all identified by the same destination address)

Address types

Global Unicast address (2000::/3)
The addresses routed in the Internet.

Unique local address (fc00::/7)
Addresses that can be routed only inside an organization's own network, just like RFC 1918 private addresses in IPv4. They cannot be routed in the Internet.

Link-local address (FE80::/10)

Non-routable addresses used for communication over a local link (L2).
Used by autoconfiguration mechanisms (Neighbor Discovery, Stateless Address Autoconfiguration)
IPv6 requires a link-local address.

Special addresses

::/0 – Default route
::/128 – Unspecified address. Used only by software before learning appropriate source address for the connection.
::1/128 – Localhost, local loopback
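The compression rule from "Example of an address" and the prefixes listed under "Address types" and "Special addresses" are small enough to implement by hand, which makes the rules concrete. The block below is an added example, not code from the original notes; its tie-break rules (the longest zero run wins, the first one on a tie, a lone zero group is never compressed) are those of RFC 5952, which is also what Python's ipaddress module prints, so the result is cross-checked against it.

```python
"""Added example (not from the original notes): compress IPv6 addresses as
described above and classify them by the prefixes listed in the text:
2000::/3, fc00::/7, fe80::/10, ff00::/8, :: and ::1."""
import ipaddress

HEX = set("0123456789abcdefABCDEF")


def expand(addr):
    """Return the eight 16-bit groups of an IPv6 address as a list of ints."""
    if addr.count("::") > 1:
        raise ValueError("more than one '::' in %r" % addr)
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = [g for g in head.split(":") if g]
        tail_groups = [g for g in tail.split(":") if g]
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must replace at least one group in %r" % addr)
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(1 <= len(g) <= 4 and set(g) <= HEX for g in groups):
        raise ValueError("malformed IPv6 address %r" % addr)
    return [int(g, 16) for g in groups]


def compress(addr):
    """Canonical text form of an IPv6 address (RFC 5952 rules)."""
    groups = expand(addr)
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for i, g in enumerate(groups + [None]):       # sentinel closes the last run
        if g == 0:
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:                # '>' keeps the first longest run
                best_start, best_len = run_start, run_len
            run_len = 0
    hexed = ["%x" % g for g in groups]            # "%x" drops leading zeros
    if best_len < 2:                              # never '::' for a lone zero group
        return ":".join(hexed)
    return ":".join(hexed[:best_start]) + "::" + ":".join(hexed[best_start + best_len:])


def classify(addr):
    """Name the address type by the prefixes from the text above."""
    groups = expand(addr)
    if groups == [0] * 8:
        return "unspecified (::/128)"
    if groups == [0] * 7 + [1]:
        return "loopback (::1/128)"
    first = groups[0]                             # the first 16 bits decide
    if first >> 8 == 0xFF:                        # ff00::/8
        return "multicast (ff00::/8)"
    if first >> 6 == 0xFE80 >> 6:                 # fe80::/10
        return "link-local (fe80::/10)"
    if first >> 9 == 0xFC00 >> 9:                 # fc00::/7
        return "unique local (fc00::/7)"
    if first >> 13 == 0x2000 >> 13:               # 2000::/3
        return "global unicast (2000::/3)"
    return "reserved/other"


def matches_ipaddress(addr):
    """Cross-check: our compression agrees with the standard library."""
    return compress(addr) == str(ipaddress.IPv6Address(addr))


if __name__ == "__main__":
    for a in ["2a00:1450:4016:0800:0000:0000:0000:1011", "fe80::213:d4ff:fe3e:ddb3",
              "fd00:0:0:1::1", "ff02::1", "0:0:0:0:0:0:0:1", "2001:db8:0:1:1:1:1:1"]:
        print("%-40s %-26s %s" % (a, compress(a), classify(a)))
```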

Address allocation

Globally routable IPv6 addresses are typically allocated as follows:

  • /32 Internet Service Provider
  • /48 Organization
  • /64 Site

* See sources at the bottom of the page for more information on IPv6 address formats, classes and types.

Calculators to help you with IPv6 addresses

Linux

sipcalc (Ubuntu installation: apt-get install sipcalc)
ipv6calc (Ubuntu installation: apt-get install ipv6calc)

Web

http://www.ipv6calculator.net
http://www.subnetonline.com/pages/subnet-calculators/ipv6-subnet-calculator.php

Sources

http://en.wikipedia.org/wiki/IPv6
http://en.wikipedia.org/wiki/IPv6_address
http://en.wikipedia.org/wiki/Anycast
http://en.wikipedia.org/wiki/Multicast
http://www.helium.com/items/2086218-understanding-ipv6
http://blogs.citrix.com/2012/01/26/0606-ipv6-%E2%80%93-beginning-of-the-end-for-ipv4/
http://www.ipv6now.com.au/primers/benefits.php
http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml
http://chrisgrundemann.com/index.php/2012/introducing-ipv6-neighbor-discovery-slaac/
Carla Schroder: Linux Networking Cookbook

Networking with Linux; source routing

[Originally posted Mar 13, 2012 5:33 AM by Antti Uitto   [ updated Mar 13, 2012 5:34 AM ]]

This was my first attempt to do anything with source routing in it, on any platform, so I may not have it all correct, let alone according to any best practices. Anyway I was able to produce the outcome I was hoping to get. Please feel free to comment! Inspiration for this lab exercise came from the LARTC tutorial and some other articles I found on the web. (See the resources section at the bottom of this post)
And of course there is always the desire to learn more what networking things you can do with just Linux boxes!

Scope

The scope of this exercise was to create a small lab net that routes IPv4. There are two user organizations in the network that are both supposed to reach a shared resource (Internet connection via firewall) and be able to communicate with other IP addresses in their own address range.

This outcome is to be produced by using Ubuntu Linux hosts as routers and the iproute2 package that comes with them.

The “customer” organizations and their routing tables are called “pizza” and “kebab”.

Network diagram

What counts as a success?

“Customer” addresses in the routing table “pizza” should be able to access other addresses that are in the routing table “pizza”. They should not be able to connect to hosts that are within the table “kebab”.

All hosts should be able to reach the Internet through my firewall, via NAT.

Result

The result of this configuration was what I hoped it to be. However, on a router I can ping between the host addresses of the local router, even when they belong in different sites. I assume this is because these single host addresses are visible in the routing table named “local”.

And maybe the rule for the "local" table is read first?

linuxlab2:~$ ip rule show
0: from all lookup local
32760: from 192.168.13.0/24 lookup kebab
32761: from 192.168.12.0/24 lookup kebab
32762: from 192.168.11.0/24 lookup kebab
32763: from 192.168.3.0/24 lookup pizza
32764: from 192.168.2.0/24 lookup pizza
32765: from 192.168.1.0/24 lookup pizza
32766: from all lookup main
32767: from all lookup default
linuxlab2:~$ ip route show table local match 192.168.2.1
local 192.168.2.1 dev eth1 proto kernel scope host src 192.168.2.1
linuxlab2:~$
linuxlab2:~$ ip ro sh ta local match 192.168.2.2
linuxlab2:~$

Procedure

1. Install router hosts with ssh, vlan and bridge-utils
2. Give password for root user
3. Turn on ip forwarding
4. Give link IP’s and test connectivity
5. Create both routing tables to all routers
6. Make “customer” interfaces
7. Add them to the appropriate routing tables
8. Make static routes
9. Create ip rules to all routers ("from"-rules)
10. Give default routes to both routing tables

(you can find routing and ip rule commands later in the post)

Create new routing tables
echo 1 pizza >> /etc/iproute2/rt_tables
echo 2 kebab >> /etc/iproute2/rt_tables

“Customer” addresses

pizza
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24

kebab
192.168.11.0/24
192.168.12.0/24
192.168.13.0/24

Notes

“Customer” site addresses are present in their own routing tables. Routing table called “main” has all the routes so that it can bring you the returning packets.

IP rules dictate that packets sourcing from “pizza” addresses are routed according to the “pizza” routing table. There are only “from” rules in my set.

The main table has no 0/0-route but the “pizza” and “kebab” tables do have it.
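The question raised under "Result" (why the router can ping between its own "pizza" and "kebab" host addresses) can be answered by replaying the rule walk. The block below is an added example, not part of the original post: a small model of Linux policy routing (ip rule list in priority order, longest-prefix lookup per table, fall through to the next rule when a table has no route) loaded with the rules and tables of linuxlab2 as given above. The contents of the kernel's local table are assumed from the "ip route show table local match" output above and from the addresses configured on eth1 and eth2; the main table is the connected routes plus the rc.local routes, with no default, as the notes state.

```python
"""Added example (not from the original post): replay the ip rule / ip route
lookup of linuxlab2.  Rule 0 consults the kernel's local table first, and that
table holds a /32 host route for every address configured on the router, so
traffic between the router's own addresses never reaches the per-customer
tables.  Traffic from a customer host is steered by its "from" rule instead."""
import ipaddress

# ip rule list in priority order: (priority, "from" selector, table name).
RULES = [
    (0, "0.0.0.0/0", "local"),
    (32760, "192.168.13.0/24", "kebab"),
    (32761, "192.168.12.0/24", "kebab"),
    (32762, "192.168.11.0/24", "kebab"),
    (32763, "192.168.3.0/24", "pizza"),
    (32764, "192.168.2.0/24", "pizza"),
    (32765, "192.168.1.0/24", "pizza"),
    (32766, "0.0.0.0/0", "main"),
]

# Routing tables of linuxlab2: destination prefix -> next hop or output device.
TABLES = {
    # Kernel-maintained: one host route per address configured on the router
    # (192.168.2.1 is shown above; 192.168.12.1 follows from the eth2 config).
    "local": {
        "127.0.0.0/8": "local dev lo",
        "192.168.2.1/32": "local dev eth1",
        "192.168.12.1/32": "local dev eth2",
    },
    "pizza": {
        "127.0.0.0/8": "dev lo",
        "192.168.2.0/24": "dev eth1",
        "192.168.3.0/24": "via 10.1.2.1",
        "192.168.1.0/24": "via 10.1.2.1",
        "0.0.0.0/0": "via 10.1.2.1",
    },
    "kebab": {
        "127.0.0.0/8": "dev lo",
        "192.168.12.0/24": "dev eth2",
        "192.168.13.0/24": "via 10.1.2.1",
        "192.168.11.0/24": "via 10.1.2.1",
        "0.0.0.0/0": "via 10.1.2.1",
    },
    # main: connected routes plus the static ones from rc.local, no default.
    "main": {
        "192.168.2.0/24": "dev eth1",
        "192.168.12.0/24": "dev eth2",
        "192.168.1.0/24": "via 10.1.2.1",
        "192.168.11.0/24": "via 10.1.2.1",
        "192.168.3.0/24": "via 10.1.2.1",
        "192.168.13.0/24": "via 10.1.2.1",
    },
}


def longest_match(table, dst):
    """Longest-prefix lookup of dst in one table; None if the table has no route."""
    best = None
    for prefix, route_desc in TABLES[table].items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route_desc)
    return best


def route(src, dst):
    """Walk the rules as the kernel does and return (table, prefix, route).

    A rule whose table has no matching route is skipped and the walk continues
    with the next priority; None means no table could route the packet.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, selector, table in sorted(RULES):
        if src not in ipaddress.ip_network(selector):
            continue
        hit = longest_match(table, dst)
        if hit is not None:
            return table, str(hit[0]), hit[1]
    return None


if __name__ == "__main__":
    for src, dst in [("192.168.2.1", "192.168.12.1"),   # router's own addresses
                     ("192.168.2.5", "192.168.12.5"),   # pizza host -> kebab host
                     ("192.168.12.5", "192.168.13.7"),  # kebab host -> kebab host
                     ("192.168.2.5", "8.8.8.8")]:       # pizza host -> Internet
        print(src, "->", dst, ":", route(src, dst))
```

The second case shows that a "pizza" packet for a "kebab" address is not delivered on eth2 but handed to the pizza default route, so the separation relies on what the upstream router and firewall do with it.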

Configs per router

linuxlab1

“Customer” interfaces

# description pizza
auto eth3.10
iface eth3.10 inet static
address 192.168.1.1
netmask 255.255.255.0

# description kebab
auto eth3.20
iface eth3.20 inet static
address 192.168.11.1
netmask 255.255.255.0

Configs in /etc/rc.local
#
# ROUTES
#
ip route add 127.0.0.0/8 dev lo table pizza
ip route add 192.168.2.0/24 via 10.1.2.2 table pizza
ip route add 192.168.3.0/24 via 10.1.3.3 table pizza
ip route add 192.168.1.0/24 dev eth3.10 table pizza
ip route add default via 10.2.2.1 table pizza
ip route add 127.0.0.0/8 dev lo table kebab
ip route add 192.168.12.0/24 via 10.1.2.2 table kebab
ip route add 192.168.13.0/24 via 10.1.3.3 table kebab
ip route add 192.168.11.0/24 dev eth3.20 table kebab
ip route add default via 10.2.2.1 table kebab
ip route add 192.168.2.0/24 via 10.1.2.2
ip route add 192.168.12.0/24 via 10.1.2.2
ip route add 192.168.3.0/24 via 10.1.3.3
ip route add 192.168.13.0/24 via 10.1.3.3
#
# IP RULES
#
ip rule add from 192.168.1.0/24 table pizza
ip rule add from 192.168.2.0/24 table pizza
ip rule add from 192.168.3.0/24 table pizza
ip rule add from 192.168.11.0/24 table kebab
ip rule add from 192.168.12.0/24 table kebab
ip rule add from 192.168.13.0/24 table kebab

linuxlab2

“Customer” interfaces:

# description pizza
auto eth1
iface eth1 inet static
address 192.168.2.1
netmask 255.255.255.0

# description kebab
auto eth2
iface eth2 inet static
address 192.168.12.1
netmask 255.255.255.0

Configs in /etc/rc.local
#
# ROUTES
#
ip route add 127.0.0.0/8 dev lo table pizza
ip route add 192.168.2.0/24 dev eth1 table pizza
ip route add 192.168.3.0/24 via 10.1.2.1 table pizza
ip route add 192.168.1.0/24 via 10.1.2.1 table pizza
ip route add default via 10.1.2.1 table pizza
ip route add 127.0.0.0/8 dev lo table kebab
ip route add 192.168.12.0/24 dev eth2 table kebab
ip route add 192.168.13.0/24 via 10.1.2.1 table kebab
ip route add 192.168.11.0/24 via 10.1.2.1 table kebab
ip route add default via 10.1.2.1 table kebab
ip route add 192.168.1.0/24 via 10.1.2.1
ip route add 192.168.11.0/24 via 10.1.2.1
ip route add 192.168.3.0/24 via 10.1.2.1
ip route add 192.168.13.0/24 via 10.1.2.1
#
# IP RULES
#
ip rule add from 192.168.1.0/24 table pizza
ip rule add from 192.168.2.0/24 table pizza
ip rule add from 192.168.3.0/24 table pizza
ip rule add from 192.168.11.0/24 table kebab
ip rule add from 192.168.12.0/24 table kebab
ip rule add from 192.168.13.0/24 table kebab

linuxlab3

“Customer” interfaces

# description pizza
auto eth2
iface eth2 inet static
address 192.168.3.1
netmask 255.255.255.0

# description kebab
auto eth3
iface eth3 inet static
address 192.168.13.1
netmask 255.255.255.0

Configs in /etc/rc.local
#
# ROUTES
#
ip route add 127.0.0.0/8 dev lo table pizza
ip route add 192.168.2.0/24 via 10.1.3.1 table pizza
ip route add 192.168.3.0/24 dev eth2 table pizza
ip route add 192.168.1.0/24 via 10.1.3.1 table pizza
ip route add default via 10.1.3.1 table pizza
ip route add 127.0.0.0/8 dev lo table kebab
ip route add 192.168.12.0/24 via 10.1.3.1 table kebab
ip route add 192.168.13.0/24 dev eth3 table kebab
ip route add 192.168.11.0/24 via 10.1.3.1 table kebab
ip route add default via 10.1.3.1 table kebab
ip route add 192.168.1.0/24 via 10.1.3.1
ip route add 192.168.11.0/24 via 10.1.3.1
ip route add 192.168.2.0/24 via 10.1.3.1
ip route add 192.168.12.0/24 via 10.1.3.1
#
# IP RULES
#
ip rule add from 192.168.1.0/24 table pizza
ip rule add from 192.168.2.0/24 table pizza
ip rule add from 192.168.3.0/24 table pizza
ip rule add from 192.168.11.0/24 table kebab
ip rule add from 192.168.12.0/24 table kebab
ip rule add from 192.168.13.0/24 table kebab

Commands to verify and check stuff

ip rule show
ip route show
ip route show table pizza
ip route show (table pizza/kebab) match 192.168.2.5
ifconfig
ip address
ping 8.8.8.8 -I 192.168.2.1
traceroute 8.8.8.8 -s 192.168.12.1

And then what?

I don't know. Perhaps add IPv6 to this? Is it possible? Why would it not be?
Or maybe get Quagga and make these things do dynamic routing?

Resources

http://www.linuxhorizon.ro/iproute2.html
http://kindlund.wordpress.com/2007/11/19/configuring-multiple-default-routes-in-linux/
http://lartc.org

TCP/IP by Douglas E. Comer

[Originally posted Mar 13, 2012 5:26 AM by Antti Uitto]

Just finished reading a book called “TCP/IP”.

(Original English title: Internetworking with TCP/IP Principles, Protocols and Architectures, Fourth Edition)

Catchy title pretty much tells what the book is about: it aims to give you the basics of how TCP/IP works and what is included.

This certainly is a book to read if you want to learn about TCP/IP. I would say it is a bit of a dry read, however. At times I found myself thinking that this info is more useful to someone coding software that uses TCP/IP rather than to someone administering networks. However, there was still plenty of useful info for a networker.

This book offers no tips and tricks, it’s all theory.

If you are impatient like me and prefer to learn from examples and configs, then some other material such as those published by Cisco Press may serve you better.

Topics covered

History of the Internet
Internet organizations
LAN and WAN technologies
IP addresses
ARP & RARP
Internet Protocol and routing
ICMP
TCP & UDP
Dynamic routing protocols
Multicast
Mobile IP
NAT & VPN
BOOTP & DHCP
DNS
Telnet, Rlogin, FTP, TFTP, SMTP….
VoIP
SNMP
Security aspects, Firewalls and IPsec
IPv6

… and a lot more …

One thing I re-learned from reading this book:
I should not buy tech books translated in my native language (Finnish). The attempts to create Finnish equivalent for some technical terms are at best irritating, but sometimes also confusing. English is the language of technology, computing and Internet and when I read geeky stuff, I will get my books in English from now on.

I am currently reading Carla Schroder’s “Linux Networking Cookbook”. Maybe a word or two about it a bit later.

And “IPv6 theory, protocol and practice” is waiting on the digital bookshelf!