Linux TCP/IP networking: net-tools vs. iproute2 – Linux FAQ

Linux TCP/IP networking: net-tools vs. iproute2 – Linux FAQ.

via Linux TCP/IP networking: net-tools vs. iproute2 – Linux FAQ.

OpenWRT adds IPv6, preps for IoT future · LinuxGizmos.com

[object Window]

via OpenWRT adds IPv6, preps for IoT future ·  LinuxGizmos.com.

ipv6 part2: soho ipv6

In this series for small office and home office (soho) I will discuss connecting via ipv6 to the outside world, and back.
In this 2nd post, I will look at ipv6 in my linux machines.

There are 3 desktops and as many laptops in my network, all running one or the other Debian like distro. Regardless, what I will talk about in this post should be similar to most linux distros. I realize that this is a highly technical post. The most important thing is that you try some or many of the things in this post for yourself. A practical approach is the best to learn: you ask yourself questions, next, you’re bound to look for answers.

ipv6 on my desktop

3 years ago, we had a world wide ipv6 day: On 8 June, 2011, top websites and Internet service providers around the world, including Google, Facebook, Yahoo!, Akamai and Limelight Networks joined together with more than 1000 other participating websites in World IPv6 Day for a successful global scale trial of the new Internet Protocol, IPv6.

I’m sure that this was not the first, neither the last ipv6 day, but it was the first that caught my attention. With 3 people, we did some experiments that day, involving windows and linux machines. Unfortunately, our first steps were on a Link local ipv6 network only, and such a network is not representative for the ipv6 internet. I will talk about link-local networks at the end of the series, but now only mention them when they appear without going deeper.
In January 2014, mysteriously ipv6 global links appeared out of nothing: my provider was rolling out ipv6.

hands on

No network-manager enabled, No avahi-daemon.
The most simple configuration in /etc/network/interfaces

bert@lx24:~$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth1
iface eth1 inet dhcp

Starting with no cable attached and a two minutes waiting time for the network (not to come up), we get the following situation:

bert@lx24:~$ ifconfig
eth1 Link encap:Ethernet HWaddr 08:00:27:07:b6:19
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
‌
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0

Notice that this machine is ipv6 enabled, the local loopback address ::1 is configured for ipv6. Any linux kernel from 2.6 onwards (and some even before), are ipv6 ready. Unless you still have a SuSE-Linux-9.0 from 2004 running you should be ok;
The /128 means that ::1 sits in its own address space. In ipv4 it would look like a /32.

As soon as we connect a network cable, the situation changes.

I first connect to a network without ipv6 access (ipv4 only):

bert@lx24:~$ ifconfig
eth1 Link encap:Ethernet HWaddr 08:00:27:07:b6:19
inet addr:10.0.0.74 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe07:b619/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:462 errors:0 dropped:0 overruns:0 frame:0
TX packets:182 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:69963 (69.9 KB) TX bytes:24713 (24.7 KB)
‍
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:72 errors:0 dropped:0 overruns:0 frame:0
TX packets:72 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:5632 (5.6 KB) TX bytes:5632 (5.6 KB)

We get ipv4 addresses but in ipv6 we only get a Link-local address. We already had a loopback address.
If we look at the link local address we notice a /64. The first 64 bits or 16 hexes are network identifier, the next 16 hexes should be unique host-addresses in the entire network. I underlined the part of the mac address that is repeated in the ipv6 address. If MAC-addresses are unique (and they are), your Link-local addresses are also unique.

Now I connect the same network adapter to an ipv6/ipv4 network:

bert@lx24:~$ ifconfig
eth1 Link encap:Ethernet HWaddr 08:00:27:07:b6:19
inet addr:10.0.1.150 Bcast:10.0.1.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe07:b619/64 Scope:Link
inet6 addr: 2a02:1811:e100:e100:a9cc:a9c8:c2bb:f335/64 Scope:Global
inet6 addr: 2a02:1811:e100:e100:a00:27ff:fe07:b619/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:530 errors:0 dropped:0 overruns:0 frame:0
TX packets:233 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:82428 (82.4 KB) TX bytes:33056 (33.0 KB)
‍
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:188 errors:0 dropped:0 overruns:0 frame:0
TX packets:188 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:14880 (14.8 KB) TX bytes:14880 (14.8 KB)

Almost immediately I get two global ipv6 addresses. Only minutes later the ipv4 addresses appear.

This raises some questions:

  • Why are there two ipv6 GLOBAL addresses and not one?
  • How does my system find the right subnet,
    and from where does it get an answer?
  • Did I get a default ipv6 gateway?
  • How and Whom can I ping?

Why are there two ipv6 GLOBAL addresses and not one?

Instead of using ‘ifconfig‘, I will use the ‘ip addr‘ command. Slowly but surely the older familiar commands are replaced by newer ones. The ‘ip’ command set is different, but more powerfull. Let’s use this hidden powers to analyze the ipv6 configuration:

bert@lx24:~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 08:00:27:07:b6:19 brd ff:ff:ff:ff:ff:ff
inet 10.0.1.150/24 brd 10.0.1.255 scope global eth1
inet6 2a02:1811:e100:e100:a9cc:a9c8:c2bb:f335/64 scope global temporary dynamic
valid_lft 566728sec preferred_lft 47728sec
inet6 2a02:1811:e100:e100:a00:27ff:fe07:b619/64 scope global dynamic
valid_lft 603626sec preferred_lft 85226sec
inet6 fe80::a00:27ff:fe07:b619/64 scope link
valid_lft forever preferred_lft forever

Both GLOBAL ipv6 addresses are type dynamic; they don’t come from a dhcp6 server, but are self generated by a process called Stateless Address Autoconfiguration (SLAAC). Now if we look at the second global dynamic ipv6 address, we notice that it is constructed around the MAC, in the same way as the Link-Local address. If my computer will connect to a website, that ipv6 address can be harvested. However, in today’s ipv4 world, only the public ipv4 address of my router would be seen, and my private addresses would become obscured by NAT.

Does that matter? Well, yes, it could mean less privacy, and for that reason there is a process in my linux machine creating temporary global dynamic ipv6 addresses.

Now there is a problem: if my system creates a new ipv6 address every day, the old sockets would not survive. So we keep old addresses alive for a longer period, lets say a week, but we start new connections with the most recently created ipv6 global temporary dynamic address. We will keep the old sockets alive for a week. In the long run, we will have several auto-created global temporary dynamic addresses.

In my world, this way of working is not good, not good at all. I keep a lot of SSH sessions running permanently. So I can configure a static ipv6 address (in another part of this series), and use that all the time.

How does my system find the right subnet,
and from where does it get an answer?
Did I get a default ipv6 gateway?

To find this out, I started a wireshark sniffing session on my network. I used a capture filterIP6‘. This is what I saw:

No.     Time           Source                     Destination     Protocol Length Info
6 1.540652000 fe80::a00:27ff:fe07:b619   ff02::2                  ICMPv6   70     Router Solicitation from 08:00:27:07:b6:19
7 1.543190000 fe80::5e35:3bff:fe5c:8b35  fe80::a00:27ff:fe07:b619 ICMPv6   206    Router Advertisement from 5c:35:3b:5c:8b:35

Remember that my system autocreated Link-Local addresses regardless whether it was on an ipv6 network. It now uses this address to ask whether an ipv6-router exist on the network. That is the first packet (6).

It sends the solicitation to a multicast address, ff02::2

In ipv6 the designers got rid of annoying broadcasts. They replaced them by task-specific multicast addresses.
An ipv6 multicast address starts with a binary 11111111/8 or ff in hexes.

Link Local Multicasts start with FF02 (www.iana.org)

And an FF02::2 means All Routers Address

So the link local address is used to multicast to all routers and asks for their presence and information.
A unicast answer, packet (7), is sent by all routers (in this case and in most SOHO cases only one) to advertise themselves.

In the body of this packet we find the following intersting parts:

Ethernet II, 
Src: CompalBr_5c:8b:35 (5c:35:3b:5c:8b:35), 
Dst: CadmusCo_07:b6:19 (08:00:27:07:b6:19)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6, 
Src: fe80::5e35:3bff:fe5c:8b35
Dst: fe80::a00:27ff:fe07:b619
    Next header: ICMPv6 (58)
Internet Control Message Protocol v6
    Type: Router Advertisement (134)
    Cur hop limit: 64
        ...0 1... = Prf (Default Router Preference): High (1)
    Router lifetime (s): 1800
    ICMPv6 Option (Prefix information : 2a02:1811:e100:e100::/64)
    ICMPv6 Option (Recursive DNS Server 2a02:1800:100::41:2 2a02:1800:100::41:1)
        Recursive DNS Servers: 2a02:1800:100::41:2 (2a02:1800:100::41:2)
        Recursive DNS Servers: 2a02:1800:100::41:1 (2a02:1800:100::41:1)
    ICMPv6 Option (DNS Search List Option telenet.be)
        Domain Names: telenet.be
    ICMPv6 Option (Source link-layer address : 5c:35:3b:5c:8b:35)

I snipped away most of the jargon. We see a subnet, DNS-servers (2) and a domain name from my ISP (telenet.be), and the MAC address of the router. The ipv6 address of the router sits inside the ipv6 header.

How and Whom can I ping?

Does it all work? Let me do a ping:

bert@lx24:~$ ping6 google.com
PING google.com(ea-in-x64.1e100.net) 56 data bytes
64 bytes from ea-in-x64.1e100.net: icmp_seq=1 ttl=52 time=16.7 ms
64 bytes from ea-in-x64.1e100.net: icmp_seq=2 ttl=52 time=17.9 ms
64 bytes from ea-in-x64.1e100.net: icmp_seq=3 ttl=52 time=17.8 ms
...
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
...
bert@lx24:~$ ping6 -n google.com
PING google.com(2a00:1450:4013:c01::64) 56 data bytes
64 bytes from 2a00:1450:4013:c01::64: icmp_seq=1 ttl=52 time=15.7 ms
64 bytes from 2a00:1450:4013:c01::64: icmp_seq=2 ttl=52 time=16.9 ms
64 bytes from 2a00:1450:4013:c01::64: icmp_seq=3 ttl=52 time=17.9 ms

it’s obvious that it works …
and that I can ping the world; I’ll come back to this in a next post

Finally, let’s have a look at the routing table:

bert@lx24:~$ route -n6
Kernel IPv6 routing table
Destination                    Next Hop                   Flag  Met Ref Use If
2a02:1811:e100:e100::/64       ::                         UAe    256 0   0 eth1
fe80::/64                      ::                         U      256 0   0 eth1
::/0                  fe80::5e35:3bff:fe5c:8b35  UGDAe 1024 0   0 eth1
::/0                           ::                         !n   -1  1   111 lo
::1/128                        ::                         Un   0   1    13 lo
2a02:1811:e100:e100:a00:27ff:fe07:b619/128 ::             Un   0   1     0 lo
2a02:1811:e100:e100:18bf:ef2:ce5e:ae2a/128 ::             Un   0   1    22 lo
fe80::a00:27ff:fe07:b619/128   ::                         Un   0   1     9 lo
ff00::/8                       ::                         U    256 0     0 eth1
::/0                           ::                         !n   -1  1   111 lo

A final remark on the default gateway

Well, the pinging works, once we have a global unicast address. We use a local-link address of the gateway to go outside. This is not necessary, we can also use a static global unicast address for it. The latter looks more familiar, but it doesn’t have to be; after all, your default gateway in ipv4 is usually a private address too.

What’s next:

In part 3 we will be looking at DNS / traceroute / … how do I do “this” in ipv6

References:

IPv6 temporary addresses and privacy extensions

IPv6 Multicast Address Space Registry

Observing Router Advertisements

IPv6: Goodbye to broadcast, say hello to Multicast

Multicast Listener Discovery Version 2 (MLDv2) for IPv6

ICMP Version 6 (ICMPv6) Informational Message Types and Formats

Marking Packets

IPv6-ready kernel

Post Scriptum:

It is difficult to create posts like this in WordPress. All themes generally messed up the lay-out I wanted. Double spacing where single spacing was required, joining two paragraphs where only one was available, separating one paragraph into several parts, etc ….

I started editing in WP, then switched to LibreOffice, next to Google Docs. Google Docs used a lot less lay-out, but still too much for WP. I’m slightly disappointend 🙂

ipv6 for home / small business — part 1

about:

In this series I will discuss connecting via ipv6 to the outside world, and back.

In this first post, I will peek at ipv6 in my cable-modem router. We are talking about a decent cable modem from compal: Gateway-CH6643E

docsis_7594

The router itself is about 3 years old, routes coax-cable-internet to LAN and WiFi using NAT, and it is capable of doing this via ipv4 as well as ipv6. The latter has been slowly rolled out by my provider, telenet.be, owned by Liberty Global.

some ipv6 basics

In January 2014 I noticed that my PC showed a “global” IPV6 address:
inet6 addr: 2a02:1811:e100:e100::27ff:fe2d:ba0c/64 Scope:Global

Global ipv6 addresses in 2014 must start with a binary 001 mask /3
This means that in practice, the hex global addresses currently assigned, must start with a 2 (0010) or a 3 (0011).

So any ipv6 address starting with 2 or 3 in the highest position is a global unicast address. IPV6 Global Unicast addresses are routable on the ipv6 internet.

Before I only ‘owned’ an ipv6 link local unicast address:
inet6 addr: fe80::76d4:35ff:fe80:b46c/64 Scope:Link

Link-local unicast addresses start with a binary 11111110 10 mask /10 In practice, the hex form of the address always starts with fe8 (1111 1110 1000),
fe9 (1111 1110 1001), fea (1111 1110 1010) or feb (1111 1110 1011).

The link-local address is most often self generated containing a unique MAC-address or by using a pseudo randomizing algorithm. Link local addresses are not routable on the internet.

Another very important address is ::1 the local loopback address; you’re familiar with it in the ipv4 world as 127.0.0.1

If you’re interested in reading a routing table in ipv6 it is important to know that the default gateway points to ::

in the ipv4 world known as 0.0.0.0

the router

What does my cable router tell me:

LAN-configuration:

LAN-subnet-ipv4: 10.0.1.0/24
LAN-subnet-ipv6: 2a02:1811:e100:e100::/64
LAN-IPv4: 10.0.1.1
LAN-IPv6: 2a02:1811:e100:e100:5e35:3bff:fe5c:8b35

WAN-configuration:

IPv4-adres: 94.225.67.23/19
IPv6-adres: 2a02:181f:1:4142:29fc:39b:2213:df3e

the network ipv4

In ipv4 we see two networks connected to the docsis router:

A private 10.0.1.0/24 with 254 host-ip-adresses and a public address routable on the internet. The 32bit private address is divided into a 24bit net-id and 8 bits for hosts. The docsis will do Network-Address-Translation.

The public address resides into a large ISP metro-net 94.225.64.0-94.225.95.255 with 19 bits reserved for the network and 13 bits for hosts (leaving up to 8000+ addresses in this network).

the network ipv6

There are two networks connecting to the docsis router. Both are global unicast networks.

Basically this means that “our” ipv6 network, on the right side of the docsis router, — 2a02:1811:e100:e100::/64 — is reachable from outside and routable on the internet. This is not a private ip-range, and there is no NAT, only pure routing.

In my case there was no danger for visitors from outside, since the docsis router in default ipv6 settings, functions as a firewall blocking all traffic that has not been originating/initiated from inside. However this might not be the case with your isp and/or with your access-router. It might be a good thing to check this as soon as you discover global unicast ipv6 addresses on your systems.

From a hacker’s point of view the ipv6 world today is a paradise of unprotected machines as well as a desert where these machines are extremely difficult to find.

The network assigned to me has 64bit assigned as network portion: 2a02:1811:e100:e100// . This is a HUGE network, and I can do with it what I want !!! Every hex-number contains four bits. These 16 hex-numbers (2a02:1811:e100:e100) are fixed for my network.

There is another 64 bits space left for me to fill in. While in the unaware state, unaware that my machines had given themselves an ipv6 address, these addresses were created on a temporary base and semi-random.

If a hacker could guess my net-ID, (s)he could then randomly test addresses in that 64 bit space. This is however rather unlikely today:

2 to the power of 64 is 1.800 000 000 000 000 000. I can devide my own network space into 4 billion networks, the size of today’s ipv4 internet.
In most lottery systems around the globe, today, you have a chance of one out of 10 billion to win. The hacker has a chance of 4 out of 2 quintillion to correctly guess an address. It’s still very lonely in the ipv6 internet 🙂

If you randomly test 100 ipv4 addresses in today’s internet, I’m sure you get more than 10 responses. If you randomly test 1 000 000 global unicast ipv6 addresses, your response is probably going to be zero.

 

Next Some Hands ON

… –>> Where do I start … that will be the subject of next post.