IPv6

From SOWNWiki

Update Needed

This page is very much out of date and needs to be updated for SOWN's new IPv6 deployment.

SOWN has global IPv6 addressing provided by the University of Southampton. IPv6 is the next-generation Internet Protocol and is needed for globally unique addressing in future, as the address space available via IPv4 is now limited. SOWN has a /55 IPv6 prefix, which represents approximately 6^20 unique addresses, or 512 /64 networks (one per node).

Address Space Details

The University of Southampton has: 2001:630:d0::/48
The Department of Electronics and Computer Science (ECS) has: 2001:630:d0:f000::/52
ECS's 'home agent' uses: 2001:630:d0:f400::/55
SOWN uses: 2001:630:d0:f600::/55

SOWN's 6core is set up as the SOWN IPv6 router and gateway on the SOWN network, and parts of the /55 are routed from it to other servers, such as sown-dev (the sown-vpn development server).

gw setup

Refer to the Topology Diagram for the addresses which are used.

'gw' is the machine which sits between the SOWN network and the rest of the world and forwards IPv4 and IPv6 traffic between them. For the stateful rules below to work we need the state match module for ip6tables, for which kernel support is only available in kernels newer than 2.6.22. (Note that Debian 'etch' comes with user-space support but not kernel-space support; upgrade to Debian unstable to solve this!)

Firewall script (rcS.d/S41ip6tables):

 #!/bin/bash
 
 # Connection tracking for IPv6, needed by the '-m state' rules below
 /sbin/modprobe nf_conntrack
 /sbin/modprobe nf_conntrack_ipv6
 
 # eth0 is the SOWN side, eth1 faces the rest of the world.
 # Traffic to gw itself: everything from SOWN, only ICMPv6/PIM/multicast
 # from outside, plus loopback and replies to gw's own connections.
 ip6tables -F INPUT
 ip6tables -P INPUT DROP
 ip6tables -A INPUT -i lo -j ACCEPT
 ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 ip6tables -A INPUT -i eth0 -j ACCEPT
 ip6tables -A INPUT -i eth1 -p icmpv6 -j ACCEPT
 ip6tables -A INPUT -i eth1 -p pim -j ACCEPT
 ip6tables -A INPUT -i eth1 -d ff00::/8 -j ACCEPT
 
 ip6tables -F FORWARD
 # Drop all forwarded traffic by default
 ip6tables -P FORWARD DROP
 
 # Allow ping6 traffic (and the rest of ICMPv6, which IPv6 needs to work)
 ip6tables -A FORWARD -p icmpv6 -j ACCEPT
 
 # Allow incoming traceroute6 traffic
 ip6tables -A FORWARD -p udp --dport 33434:33523 -m state --state NEW -j ACCEPT
 
 # Block these ports again if a connection tries to establish itself, i.e. isn't traceroute6.
 # This traffic would be caught by the policy, but it helps to make it obvious.
 # This rule must stay above the ESTABLISHED,RELATED accept below to have any effect.
 ip6tables -A FORWARD -p udp --dport 33434:33523 -m state --state ESTABLISHED -j DROP
 
 # Allow all outgoing traffic (new connections from the SOWN side)
 ip6tables -A FORWARD -i eth0 -m state --state NEW -j ACCEPT
 
 # Allow all incoming traffic which is related to or established by an outgoing connection.
 ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
 # Allow all Protocol Independent Multicast
 ip6tables -A FORWARD -i eth1 -p pim -j ACCEPT
 
 # Allow all multicast groups in.
 ip6tables -A FORWARD -i eth1 -d ff00::/8 -j ACCEPT
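A follow-up check for the ruleset above, added here and not part of the original SOWN page: a POSIX shell script that reads an ip6tables-save dump and verifies the properties the firewall script relies on (DROP policies, the ESTABLISHED,RELATED accept, the traceroute exception ordered before it, and no unsolicited accept from eth1). The embedded dump is constructed to resemble the rules above, and the file name check-ip6.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the SOWN page): check an ip6tables-save dump against
# the intent of the S41ip6tables script above.  Usage on gw:
#   ip6tables-save | sh check-ip6.sh -
# Without "-" it checks CONSTRUCTED_DUMP, a hand-written dump of the rules the
# script loads (ip6tables-save spells icmpv6 as ipv6-icmp).
CONSTRUCTED_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -p ipv6-icmp -j ACCEPT
-A INPUT -i eth1 -p pim -j ACCEPT
-A INPUT -i eth1 -d ff00::/8 -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -p udp -m udp --dport 33434:33523 -m state --state NEW -j ACCEPT
-A FORWARD -p udp -m udp --dport 33434:33523 -m state --state ESTABLISHED -j DROP
-A FORWARD -i eth0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -p pim -j ACCEPT
-A FORWARD -i eth1 -d ff00::/8 -j ACCEPT
COMMIT'

# policy_is DUMP CHAIN POLICY: true when CHAIN's default policy is POLICY.
policy_is() { printf '%s\n' "$1" | grep -q "^:$2 $3 "; }

# rule_line DUMP PATTERN: number of the first line containing the fixed
# string PATTERN, empty when absent (rule order matters in iptables).
rule_line() { printf '%s\n' "$1" | grep -nF -- "$2" | head -n1 | cut -d: -f1; }

# check_ruleset DUMP: print "ruleset OK" and return 0 when every property
# holds; otherwise print the first failed property and return 1.
check_ruleset() {
    dump=$1
    policy_is "$dump" INPUT DROP   || { echo "INPUT policy is not DROP"; return 1; }
    policy_is "$dump" FORWARD DROP || { echo "FORWARD policy is not DROP"; return 1; }
    est=$(rule_line "$dump" '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT')
    [ -n "$est" ] || { echo "no ESTABLISHED,RELATED accept on FORWARD"; return 1; }
    # The traceroute DROP is dead unless it precedes the ESTABLISHED accept.
    drop=$(rule_line "$dump" '--dport 33434:33523 -m state --state ESTABLISHED -j DROP')
    { [ -n "$drop" ] && [ "$drop" -lt "$est" ]; } \
        || { echo "traceroute DROP missing or after the ESTABLISHED accept"; return 1; }
    # Only ICMPv6, PIM and multicast may be accepted unsolicited from eth1.
    if printf '%s\n' "$dump" | awk '/^-A FORWARD/ && /-i eth1/ && /-j ACCEPT/ &&
            !/-p (pim|ipv6-icmp)/ && !/-d ff00::\/8/ { bad = 1 } END { exit bad ? 0 : 1 }'
    then echo "FORWARD accepts unsolicited traffic from eth1"; return 1; fi
    echo "ruleset OK"
}

if [ "${1:-}" = - ]; then check_ruleset "$(cat)"; else check_ruleset "$CONSTRUCTED_DUMP"; fi
```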

Scripts

The SOWN servers' network is set up statically. The following are EXAMPLES of the configuration lines which can be used in /etc/network/interfaces:

 iface eth0 inet6 static
   address 2001:630:d0:f700::1
   netmask 64
   up ifconfig eth0 add 2001:630:d0:f700::251
   up route -A inet6 add default gw 2001:630:d0:f700::251
   down route -A inet6 del default gw 2001:630:d0:f700::251
   
   up route -A inet6 add 2001:630:d0:f701::/64 gw 2001:630:d0:f700::250
   down route -A inet6 del 2001:630:d0:f701::/64 gw 2001:630:d0:f700::250


RADVD

The nodes themselves will run a router advertisement daemon (radvd), which advertises the prefix and the default route of the IPv6 network to hosts on the node.

The configuration file is very simple:

 interface eth0
 {
   AdvSendAdvert on;
   prefix 2001:630:d0:f701::/64
   {
   };
 };

OpenVPN Server

The OpenVPN server runs a program when a client connects or disconnects. This consults the database to add IPv4 routes to the subnet behind the tunnel. It then adds the IPv6 addresses to the tap interface and sets the IPv6 routes to the subnet behind the tunnel.

The reverse occurs when a node disconnects.

The following lines are added to the server configuration:

 client-connect /usr/local/bin/vpnRouteAdd
 client-disconnect /usr/local/bin/vpnRouteDel
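The page does not show vpnRouteAdd/vpnRouteDel themselves, so here is an added example (not SOWN's code) of what such a hook can look like as one POSIX shell script serving both client-connect and client-disconnect: OpenVPN passes the client's common_name, the tap device (dev) and script_type in the environment, and the node database is replaced by an embedded, constructed table. The node names, endpoints and the second prefix are assumptions.

```shell
#!/bin/sh
# Added example, not SOWN's vpnRouteAdd/vpnRouteDel (which the page does not
# show): an OpenVPN client-connect/client-disconnect hook that installs the
# IPv6 routes for the subnet behind a node's tunnel.  OpenVPN exports
# common_name, dev and script_type to hooks; the page's database is replaced
# by NODE_TABLE, a constructed "common_name tunnel-endpoint routed-prefix" list.
NODE_TABLE='node86 2001:630:d0:f780::86 2001:630:d0:f701::/64
node90 2001:630:d0:f780::8a 2001:630:d0:f702::/64'

# node_record CN: print "endpoint prefix" for CN, fail when CN is unknown.
node_record() {
    printf '%s\n' "$NODE_TABLE" |
        awk -v cn="$1" '$1 == cn { print $2, $3; found = 1 } END { exit found ? 0 : 1 }'
}

# route_commands ACTION CN DEV: print (do not run) the ip(8) commands that
# add or delete the node's routes, so they can be reviewed or tested.
route_commands() {
    rec=$(node_record "$2") || return 1
    set -- "$1" "$3" $rec           # now $1=action $2=dev $3=endpoint $4=prefix
    # Host route so the "via" below resolves even if the tap prefix does not
    # cover the endpoint, then the node's /64 behind the tunnel.
    host="ip -6 route $1 $3/128 dev $2"
    net="ip -6 route $1 $4 via $3 dev $2"
    if [ "$1" = add ]; then printf '%s\n' "$host" "$net"
    else printf '%s\n' "$net" "$host"; fi   # tear down in reverse order
}

# run_hook ACTION: execute the commands for the connecting/disconnecting client.
run_hook() {
    cmds=$(route_commands "$1" "$common_name" "$dev") || {
        echo "vpn6: $common_name is not in NODE_TABLE, no IPv6 routes" >&2; return 0; }
    printf '%s\n' "$cmds" | sh -e
}

# Entry point: act only when OpenVPN invoked us, and always report success
# (as the page's scripts do) so a routing hiccup does not drop the tunnel.
case "${script_type:-}" in
    client-connect)    run_hook add; exit 0 ;;
    client-disconnect) run_hook del; exit 0 ;;
esac
```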

OpenVPN Client

OpenVPN requires up and down scripts to add IPv6 addresses. Example guide: http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_OpenVPN_Tunnelbroker.php?lang=en


We add two lines to the VPN configuration, to bring v6 up and down when the tunnel connects.

 up /usr/local/bin/vpn6Up
 down /usr/local/bin/vpn6Down

Our up script looks like so:

 #!/bin/sh
 # OpenVPN 'up' script: read the node's IPv6 settings from the OpenWRT
 # configuration and bring IPv6 up over the tunnel.
 . /etc/functions.sh
 # Load /etc/config/network so that config_get can read it
 config_load network
 
 config_get tap0_6 tap0 ip6addr
 config_get ath0_6 ath0 ip6addr
 config_get ip6gateway tap0 ip6gateway
 
 [ -z "$ath0_6" ] || {
         echo "Adding ath0 IPV6 Address"
         /usr/sbin/ip -6 addr add "$ath0_6" dev ath0
 }
 [ -z "$tap0_6" ] || {
         echo "Adding tap0 IPV6 Address"
         /usr/sbin/ip -6 addr add "$tap0_6" dev tap0
 
         echo "Setting default 6-route"
         /usr/sbin/ip -6 route add default via "$ip6gateway"
 
         echo "Enabling IPV6 Forwarding"
         echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
 
         # Only advertise the prefix once the tunnel side is up
         echo "Starting RAdvD"
         /etc/init.d/radvd start
 }
 
 # Always report success to OpenVPN (see below)
 exit 0

Our down script is the reverse:

 #!/bin/sh
 # OpenVPN 'down' script: undo the 'up' script in reverse order.
 . /etc/functions.sh
 # Load /etc/config/network so that config_get can read it
 config_load network
 
 config_get tap0_6 tap0 ip6addr
 config_get ath0_6 ath0 ip6addr
 config_get ip6gateway tap0 ip6gateway
 
 echo "Stopping RAdvD"
 /etc/init.d/radvd stop
 
 echo "Disabling IPv6 Forwarding"
 echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
 
 [ -z "$ip6gateway" ] || {
         echo "Removing default IPv6 route"
         /usr/sbin/ip -6 route del default via "$ip6gateway"
 }
 
 [ -z "$ath0_6" ] || {
         echo "Removing ath0 IPV6 Address"
         /usr/sbin/ip -6 addr del "$ath0_6" dev ath0
 }
 [ -z "$tap0_6" ] || {
         echo "Removing tap0 IPV6 Address"
         /usr/sbin/ip -6 addr del "$tap0_6" dev tap0
 }
 
 # Always report success to OpenVPN (see below)
 exit 0

The 'exit 0' is needed to make sure we report success to OpenVPN; otherwise it may take the tunnel down.

In future the 'up' script may include a 'ping6' line to make sure the link, or even the route out, works before advertising.

The 'config_get' calls at the top retrieve the IPv6 addresses from the OpenWRT configuration files. ip6addr is part of OpenWRT's kamikaze build; however, it doesn't add the specified address at startup. (We need to get a serial cable on one of our nodes to find out why.) ip6gateway is specific to SOWN and isn't used by any other scripts.

To make all this work, our '/etc/config/network' looks like this:

 config interface tap0
       option ifname tap0
       option proto static
       option ipaddr 10.13.128.86
       option ip6addr 2001:630:d0:f780::86/126
       option ip6gateway 2001:630:d0:f780::85
       option netmask 255.255.255.252

Multicast IPv6

6core is being configured to become the IPv6 multicast router for SOWN.

Packages Required

The following packages seem to be needed to make sown.6core talk to ford.6core (ecs.6core).

  • pimd
  • mrd6

No other configuration was required at this stage. Note though that you may have to tell some packages to use eth1 as the default multicast route/interface, although this really shouldn't be required.

Testing 1 - SSM (Source Specific Multicast)

TEST 1 - sown.6core to the world (well Paris)

sown-6core.ecs.soton.ac.uk (2001:630:d0:f000::8:2) -> Univ-Paris13 (2001:660:3303:2bfe:2b::5)

 6core:/home/davetaz/ssmping-0.9# ./ssmping -I eth1 2001:660:3303:2bfe:2b::5
 ssmping joined (S,G) = (2001:660:3303:2bfe:2b::5,ff3e::4321:1234)
 pinging S from 2001:630:d0:f000::8:2
   unicast from 2001:660:3303:2bfe:2b::5, seq=1 dist=15 time=13.101 ms
   unicast from 2001:660:3303:2bfe:2b::5, seq=2 dist=15 time=12.476 ms
   unicast from 2001:660:3303:2bfe:2b::5, seq=3 dist=15 time=12.444 ms
   unicast from 2001:660:3303:2bfe:2b::5, seq=4 dist=15 time=12.473 ms
 multicast from 2001:660:3303:2bfe:2b::5, seq=6 dist=8 time=12.883 ms
   unicast from 2001:660:3303:2bfe:2b::5, seq=6 dist=15 time=13.137 ms
 multicast from 2001:660:3303:2bfe:2b::5, seq=7 dist=8 time=12.408 ms
   unicast from 2001:660:3303:2bfe:2b::5, seq=7 dist=15 time=12.658 ms
   unicast from 2001:660:3303:2bfe:2b::5, seq=8 dist=15 time=12.337 ms
 multicast from 2001:660:3303:2bfe:2b::5, seq=8 dist=8 time=13.402 ms
 multicast from 2001:660:3303:2bfe:2b::5, seq=9 dist=8 time=12.496 ms
   unicast from 2001:660:3303:2bfe:2b::5, seq=9 dist=15 time=12.750 ms
 multicast from 2001:660:3303:2bfe:2b::5, seq=10 dist=8 time=12.338 ms
   unicast from 2001:660:3303:2bfe:2b::5, seq=10 dist=15 time=12.587 ms
 multicast from 2001:660:3303:2bfe:2b::5, seq=11 dist=8 time=12.582 ms
   unicast from 2001:660:3303:2bfe:2b::5, seq=11 dist=15 time=12.842 ms
 multicast from 2001:660:3303:2bfe:2b::5, seq=12 dist=8 time=12.426 ms
   unicast from 2001:660:3303:2bfe:2b::5, seq=12 dist=15 time=12.679 ms

Test 2 nile.ecs (IAM VLAN) -> sown-6core.ecs

 root@nile:/home/dt302/ssmping-0.9# ./ssmping 2001:630:d0:f000::8:2
 ssmping joined (S,G) = (2001:630:d0:f000::8:2,ff3e::4321:1234)
 pinging S from 2001:630:d0:f111:230:48ff:fe72:7d08
   unicast from 2001:630:d0:f000::8:2, seq=1 dist=3 time=1.865 ms
   unicast from 2001:630:d0:f000::8:2, seq=2 dist=3 time=1.350 ms
 multicast from 2001:630:d0:f000::8:2, seq=2 dist=3 time=1.355 ms
   unicast from 2001:630:d0:f000::8:2, seq=3 dist=3 time=0.634 ms
 multicast from 2001:630:d0:f000::8:2, seq=3 dist=3 time=0.760 ms
   unicast from 2001:630:d0:f000::8:2, seq=4 dist=3 time=0.667 ms
 multicast from 2001:630:d0:f000::8:2, seq=4 dist=3 time=1.291 ms
   unicast from 2001:630:d0:f000::8:2, seq=5 dist=3 time=0.826 ms
 multicast from 2001:630:d0:f000::8:2, seq=5 dist=3 time=0.953 ms
  

Test 3 sown-6core.ecs -> ssmping.ecs (ECS DMZ)

 6core:/home/davetaz/ssmping-0.9# ./ssmping ssmping.ecs.soton.ac.uk
 ssmping joined (S,G) = (2001:630:d0:f104::de80,ff3e::4321:1234)
 pinging S from 2001:630:d0:f000::8:2
   unicast from 2001:630:d0:f104::de80, seq=1 dist=2 time=2.504 ms
 multicast from 2001:630:d0:f104::de80, seq=1 dist=2 time=305.933 ms
   unicast from 2001:630:d0:f104::de80, seq=2 dist=2 time=0.547 ms
 multicast from 2001:630:d0:f104::de80, seq=2 dist=2 time=0.586 ms
   unicast from 2001:630:d0:f104::de80, seq=3 dist=2 time=0.578 ms
 multicast from 2001:630:d0:f104::de80, seq=3 dist=2 time=0.602 ms

Testing 2 - ASM (Any Source Multicast)

TEST 1 - sown.6core to the world (well Paris)

  • FAILED
  • Status of FORD as follows:

 Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group,
 C - Connected, L - Local, I - Received Source Specific Host Report,
 P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set,
 J - Join SPT
 Timers: Uptime/Expires
 Interface state: Interface, State
 
 (*, FF1E::1:4321:1234), 00:01:51/never, RP 2001:660:3007:300:1::, flags: SCJ
   Incoming interface: Tunnel3
   RPF nbr: FE80::C252:ADFD
   Immediate Outgoing interface list:
   FastEthernet2/0, Forward, 00:01:51/never

  • The same is seen from the internal VLANs (although the flags vary!); there is just an S flag here, which suggests a successful join (eh?)


Test 2 nile.ecs (IAM VLAN) -> sown-6core.ecs

  • SUCCESS
 root@nile:/home/dt302/ssmping-0.9# ./asmping 2001:630:d0:f000::8:2 ff1e::1:4321:1234
 asmping joined (S,G) = (*,ff1e::1:4321:1234)
 pinging 2001:630:d0:f000::8:2 from 2001:630:d0:f111:230:48ff:fe72:7d08
   unicast from 2001:630:d0:f000::8:2, seq=1 dist=3 time=2.666 ms
   unicast from 2001:630:d0:f000::8:2, seq=2 dist=3 time=0.586 ms
 multicast from 2001:630:d0:f000::8:2, seq=2 dist=3 time=0.845 ms
   unicast from 2001:630:d0:f000::8:2, seq=3 dist=3 time=0.618 ms
 multicast from 2001:630:d0:f000::8:2, seq=3 dist=3 time=0.869 ms
   unicast from 2001:630:d0:f000::8:2, seq=4 dist=3 time=0.653 ms
 multicast from 2001:630:d0:f000::8:2, seq=4 dist=3 time=0.780 ms
  • Status of ford.6core (note the RP!)
 (*, FF1E::1:4321:1234), 00:00:39/00:02:50, RP 2001:660:3007:300:1::, flags: S
 Incoming interface: Tunnel3
 RPF nbr: FE80::C252:ADFD
 Immediate Outgoing interface list:
   FastEthernet1/0, Forward, 00:00:39/00:02:50

Test 2b nile.ecs (IAM VLAN) -> sown-6core.ecs via ff18

  • Organisation local scope
  • This should use a different RP (2001:630:d0:f000::1 - ford.6core)
  • SUCCESS
 root@nile:/home/dt302/ssmping-0.9# ./asmping 2001:630:d0:f000::8:2 ff18::1:4321:1234
 asmping joined (S,G) = (*,ff18::1:4321:1234)
 pinging 2001:630:d0:f000::8:2 from 2001:630:d0:f111:230:48ff:fe72:7d08
   unicast from 2001:630:d0:f000::8:2, seq=1 dist=3 time=2.363 ms
   unicast from 2001:630:d0:f000::8:2, seq=2 dist=3 time=0.631 ms
   unicast from 2001:630:d0:f000::8:2, seq=3 dist=3 time=0.540 ms
   unicast from 2001:630:d0:f000::8:2, seq=4 dist=3 time=0.576 ms
 multicast from 2001:630:d0:f000::8:2, seq=4 dist=3 time=20.560 ms
   unicast from 2001:630:d0:f000::8:2, seq=5 dist=3 time=0.607 ms
 multicast from 2001:630:d0:f000::8:2, seq=5 dist=3 time=0.733 ms
  • ford.6core:
 (*, FF18::1:4321:1234), 00:00:02/00:03:27, RP 2001:630:D0:F000::1, flags: S
 Incoming interface: Tunnel5
 RPF nbr: 2001:630:D0:F000::1
 Immediate Outgoing interface list:
   FastEthernet1/0, Forward, 00:00:02/00:03:27

Test 3 sown-6core.ecs -> ssmping.ecs (ECS DMZ)

  • SUCCESS
 6core:/home/davetaz/ssmping-0.9# ./asmping -6 ssmping.ecs.soton.ac.uk ff1e::2:4321:1234
 asmping joined (S,G) = (*,ff1e::2:4321:1234)
 pinging 2001:630:d0:f104::de80 from 2001:630:d0:f000::8:2
   unicast from 2001:630:d0:f104::de80, seq=1 dist=2 time=2.314 ms
   unicast from 2001:630:d0:f104::de80, seq=2 dist=2 time=0.572 ms
   unicast from 2001:630:d0:f104::de80, seq=3 dist=2 time=0.543 ms
   unicast from 2001:630:d0:f104::de80, seq=4 dist=2 time=0.616 ms
 multicast from 2001:630:d0:f104::de80, seq=4 dist=2 time=13.397 ms
   unicast from 2001:630:d0:f104::de80, seq=5 dist=2 time=0.657 ms
 multicast from 2001:630:d0:f104::de80, seq=5 dist=2 time=0.743 ms
   unicast from 2001:630:d0:f104::de80, seq=6 dist=2 time=0.543 ms
 multicast from 2001:630:d0:f104::de80, seq=6 dist=2 time=0.601 ms
  • status of ford.6core
 (*, FF1E::2:4321:1234), 00:00:10/never, RP 2001:660:3007:300:1::, flags: SCJ
 Incoming interface: Tunnel3
 RPF nbr: FE80::C252:ADFD
 Immediate Outgoing interface list:
   FastEthernet2/0, Forward, 00:00:10/never

Test 3b sown-6core.ecs -> ssmping.ecs via ff18

  • Organisation local scope
  • This should use a different RP (2001:630:d0:f000::1 - ford.6core)
  • SUCCESS
 6core:/home/davetaz/ssmping-0.9# ./asmping -6 ssmping.ecs.soton.ac.uk ff18::2:4321:1234
 asmping joined (S,G) = (*,ff18::2:4321:1234)
 pinging 2001:630:d0:f104::de80 from 2001:630:d0:f000::8:2
   unicast from 2001:630:d0:f104::de80, seq=1 dist=2 time=1.013 ms
 multicast from 2001:630:d0:f104::de80, seq=1 dist=2 time=1.033 ms
   unicast from 2001:630:d0:f104::de80, seq=2 dist=2 time=0.627 ms
 multicast from 2001:630:d0:f104::de80, seq=2 dist=2 time=0.665 ms
  • Status of ford.6core
 (*, FF18::2:4321:1234), 00:00:02/never, RP 2001:630:D0:F000::1, flags: SCJ
 Incoming interface: Tunnel5
 RPF nbr: 2001:630:D0:F000::1
 Immediate Outgoing interface list:
   FastEthernet2/0, Forward, 00:00:02/never