Tag Archive for 'Ipv6'


Hurricane-Electric IPv6 certification

I think you have already heard of IPv4 address depletion. A new version of the Internet addressing system (a new Internet Protocol, IPv6) was prepared many years ago, but since everyone was using IPv4 addresses, the migration has not been carried out on a large scale. If we keep consuming IPv4 addresses at today's rate, the entire range will be used up in less than a year (Hurricane Electric has a very nice counter). Public IPv4 addresses are mainly used by Internet servers; other PCs and servers can use private IPv4 addresses, which are not reachable from the Internet. Although methods like NAT (Network Address Translation) and CIDR (Classless Inter-Domain Routing) were introduced to stretch IPv4 address usage, it seems that saturation is now being reached.

It is certain that everyone must migrate to IPv6 within a couple of months or years. Some Internet registries are no longer so liberal in assigning free IPv4 addresses. If you want to learn about IPv6 and make sure that you have the skills to administer IPv6 addresses and servers, the free Hurricane Electric IPv6 certification is a really great way to begin. You can register for this certification at he.net. I will give you a brief overview of the tests in the following section.

Through this test set you will be able to:

-> Prove that you have IPv6 connectivity
-> Prove that you have a working IPv6 web server
-> Prove that you have a working IPv6 email address
-> Prove that you have working forward IPv6 DNS
-> Prove that you have working reverse IPv6 DNS for your mail server
-> Prove that your name servers can respond to queries via IPv6
-> Prove your knowledge of IPv6 technologies through quick and easy testing

There are seven levels of certification available. The breakdown of each is given below:

Newb: Read the primer stuff, be able to answer some quick and easy questions.

Explorer: Verify that you can access ipv6.he.net over IPv6

Enthusiast: Verify that you have an IPv6 capable web server that we can connect to and fetch information from. This should be entered as a FQDN and not an IPv6 address, or you will have issues once you start working on the Guru level.

Administrator: Verify that you have a working IPv6 capable MTA by sending you an email only over IPv6.

Professional: Verify that your MTA has working reverse DNS (ex: dig mx $domain +short ; dig AAAA $mx +short ; dig -x $mx AAAA +short)

Guru: Verify that the authoritative NS for your domain have AAAA records, and respond to queries for the domain (ex: step 1 is dig ns $domain ; dig AAAA $ns | step 2 is dig AAAA $domain @$nsAAAA)

Sage: Check to see if your domain’s authoritative NS have IPv6 glue with their listed TLD servers. Meaning the TLD server can directly answer for the host record (ex: dig +trace ns $domain to get the TLD server list then dig aaaa $ns @TLD +short for the glue).

After each test you will get a new certificate:

IPv6 Commands

Some IPv6 commands for daily use.

Print the route that packets take to an IPv6 network host:

traceroute6 ipv6.idrobot.net

Look up an AAAA record:

dig AAAA ipv6.idrobot.net

Look up an IPv6 PTR record (reverse DNS) with dig:

dig -x 2001:470:1f0b:1604::254

Check the redirector.name glue records with dig.
As it is a .name domain, first we should ask for the authoritative servers of the .name TLD with the following command:

dig NS name

You will get 10 TLD name servers:

;; ANSWER SECTION:
name.                   10800   IN      NS      m6.nstld.com.
name.                   10800   IN      NS      d6.nstld.com.
name.                   10800   IN      NS      k6.nstld.com.
name.                   10800   IN      NS      f6.nstld.com.
name.                   10800   IN      NS      h6.nstld.com.
name.                   10800   IN      NS      g6.nstld.com.
name.                   10800   IN      NS      a6.nstld.com.
name.                   10800   IN      NS      j6.nstld.com.
name.                   10800   IN      NS      l6.nstld.com.
name.                   10800   IN      NS      c6.nstld.com.

You can choose any of these servers for the next query; I will take g6.nstld.com:

dig ns1.redirector.name @g6.nstld.com

As output I get:

;; ADDITIONAL SECTION:
ns1.redirector.name.    10800   IN      A       188.40.116.206
ns1.redirector.name.    10800   IN      AAAA    2001:470:1f0b:1604::3
ns2.redirector.name.    10800   IN      A       188.40.116.216
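To make the glue check above (and the Sage-level test of the HE certification, which looks for AAAA glue at the TLD servers) repeatable, here is an added shell/awk helper that is not part of the original post: it reads dig output and reports, for every NS listed in the ANSWER or AUTHORITY section, whether A and AAAA glue is present in the ADDITIONAL section. The dig output embedded below is a constructed sample modelled on the records shown above.

```shell
#!/bin/sh
# Added example: find name servers without IPv6 (AAAA) glue in dig output.
# Real usage:  dig NS redirector.name @g6.nstld.com | glue_report

# Constructed sample modelled on the referral shown above: a TLD server
# lists the NS in the AUTHORITY section and the glue in the ADDITIONAL section.
SAMPLE_DIG='
;; AUTHORITY SECTION:
redirector.name.        10800   IN      NS      ns1.redirector.name.
redirector.name.        10800   IN      NS      ns2.redirector.name.

;; ADDITIONAL SECTION:
ns1.redirector.name.    10800   IN      A       188.40.116.206
ns1.redirector.name.    10800   IN      AAAA    2001:470:1f0b:1604::3
ns2.redirector.name.    10800   IN      A       188.40.116.216
'

# One line per name server: "<host> A=yes|no AAAA=yes|no"
glue_report() {
    awk '
        /^;; (ANSWER|AUTHORITY) SECTION:/ { sect = "ns";   next }
        /^;; ADDITIONAL SECTION:/         { sect = "glue"; next }
        /^;;/ || NF < 5                   { next }
        sect == "ns"   && $4 == "NS" && !($5 in seen) { seen[$5] = 1; order[++n] = $5 }
        sect == "glue" && $4 == "A"    { a[$1] = 1 }
        sect == "glue" && $4 == "AAAA" { aaaa[$1] = 1 }
        END {
            for (i = 1; i <= n; i++) {
                h = order[i]
                printf("%s A=%s AAAA=%s\n", h, (h in a) ? "yes" : "no", (h in aaaa) ? "yes" : "no")
            }
        }'
}

# Only the name servers that have no AAAA glue (what the Sage level looks for)
missing_aaaa_glue() {
    glue_report | awk '$3 == "AAAA=no" { print $1 }'
}

# Stand-alone run over the constructed sample
printf '%s\n' "$SAMPLE_DIG" | glue_report
```

Run with a domain under its TLD server (dig NS $domain @$tld_server | missing_aaaa_glue) to see which of your name servers still lack IPv6 glue.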

IPv6 and ip6tables

Here I describe briefly how to secure your IPv6 server with Netfilter's ip6tables.

Refer to the IANA list of ICMPv6 message types for the type numbers used below.

My example IPv6 firewall script:

Variables defined earlier in the script:

IPT6="/sbin/ip6tables"
OUTER="eth0"

# Clean old IPv6 firewall rules
$IPT6 -F
$IPT6 -X

# Clean old ip6tables tables
for chain in mangle filter
do
    $IPT6 -t $chain -F
    $IPT6 -t $chain -X
done

# Set IPv6 default policies: drop everything inbound that is not explicitly
# allowed below, drop forwarding, allow all outbound
$IPT6 -P INPUT DROP
$IPT6 -P FORWARD DROP
$IPT6 -P OUTPUT ACCEPT

# Replies to connections we opened ourselves
$IPT6 -A INPUT -i $OUTER -m state --state RELATED,ESTABLISHED -j ACCEPT

# Loopback
$IPT6 -A INPUT -i lo -j ACCEPT

# Allow SSH from Hetzner IPv6-NET
$IPT6 -A INPUT -s 2001:470:1f0b:1604::/64 -i $OUTER -p tcp -m tcp --dport 22 -j ACCEPT

# Allow SSH from Home IPv6-NET
$IPT6 -A INPUT -s 2001:470:1f0b:1514::/64 -i $OUTER -p tcp -m tcp --dport 22 -j ACCEPT

# Allow ICMP from Hetzner IPv6-NET (echo request 128 / echo reply 129, rate limited)
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 15/sec -s 2001:470:1f0b:1604::/64 -j ACCEPT
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 15/sec -s 2001:470:1f0b:1604::/64 -j ACCEPT

# Allow ICMP from Home IPv6-NET (same types, same limit)
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 15/sec -s 2001:470:1f0b:1514::/64 -j ACCEPT
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 15/sec -s 2001:470:1f0b:1514::/64 -j ACCEPT

# Public services
$IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 25 -j ACCEPT     # SMTP
$IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 53 -j ACCEPT     # DNS via TCP
$IPT6 -A INPUT -i $OUTER -p udp -m udp --dport 53 -j ACCEPT     # DNS via UDP
$IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 80 -j ACCEPT     # HTTP
$IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 110 -j ACCEPT    # POP3
$IPT6 -A INPUT -i $OUTER -p tcp -m tcp --dport 143 -j ACCEPT    # IMAP

# Port 4949 (munin-node's default port) from the Hetzner IPv6-NET; note that
# the /64 suffix makes this rule match the whole prefix, not only ::3
$IPT6 -A INPUT -i $OUTER -p tcp -m tcp -s 2001:470:1f0b:1604::3/64 --dport 4949 -j ACCEPT

# Neighbor Discovery (RS 133, RA 134, NS 135, NA 136, Redirect 137): these are
# only valid with hop limit 255, i.e. when they come from the local link
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
$IPT6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT

# Stateful catch-all for the remaining interfaces
$IPT6 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Example of logging: ICMPv6 that reaches this point is logged before the
# default DROP policy discards it
$IPT6 -A INPUT -p ipv6-icmp -j LOG --log-prefix "Dropped ICMPv6 Packets "
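One caveat with the script above: it only accepts ICMPv6 echo (from two networks) and Neighbor Discovery, so the error messages that IPv6 path-MTU discovery and normal error reporting depend on (Packet Too Big in particular) are dropped from everywhere else. The following added shell snippet, which is not part of the original script, emits the rules for the message types RFC 4890 (section 4.3.1) lists as ones a firewall must not drop, plus rate-limited echo from anywhere; IPT6 and OUTER are the variables from the script above, and the DRY_RUN switch (my addition) previews the rules instead of applying them.

```shell
#!/bin/sh
# Added example: ICMPv6 message types that RFC 4890 says must not be
# dropped; the script above has no rules for the error messages.
IPT6="${IPT6:-/sbin/ip6tables}"
OUTER="${OUTER:-eth0}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = really apply them

# Print one rule per line (arguments only, without the ip6tables binary).
essential_icmpv6_rules() {
    # type[/code] as accepted by the icmp6 match:
    # 1 dest unreachable, 2 packet too big, 3/0 hop limit exceeded,
    # 4/1 and 4/2 parameter problem (unrecognised header / option)
    for t in 1 2 3/0 4/1 4/2; do
        printf '%s\n' "-A INPUT -i $OUTER -p ipv6-icmp -m icmp6 --icmpv6-type $t -j ACCEPT"
    done
    # Echo request/reply from anywhere, rate limited, so reachability checks
    # from the Internet keep working
    for t in 128 129; do
        printf '%s\n' "-A INPUT -i $OUTER -p ipv6-icmp -m icmp6 --icmpv6-type $t -m limit --limit 15/sec -j ACCEPT"
    done
}

# Apply (or, with DRY_RUN=1, print) every rule; non-zero status if one fails.
apply_essential_icmpv6() {
    essential_icmpv6_rules | while IFS= read -r rule; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "$IPT6 $rule"
        else
            # word splitting of $rule into separate arguments is intended
            $IPT6 $rule || exit 1
        fi
    done
}

# Stand-alone run: preview the rules
apply_essential_icmpv6
```

Insert these rules before the logging rule, so that the error messages are accepted instead of being logged and dropped.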

Persistent IPv6 Address

I show you how to add a persistent IPv6 address next to your existing (IPv4) one.
You only need to edit the /etc/network/interfaces file (e.g. with vim) and add the IPv6 networking configuration.

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
 address 10.1.100.4
 gateway 10.1.100.1
 netmask 255.255.255.0
 pre-up modprobe ipv6
 post-up ip addr add 2001:470:1f0b:1514::4/64 dev eth0
 post-up ip route add default via 2001:470:1f0b:1514::1 dev eth0

Another way to do the same, with a separate inet6 stanza (the pre-up line has to be inside the stanza it belongs to):

iface eth0 inet6 static
 pre-up modprobe ipv6
 address 2001:470:1f0b:1514::4
 netmask 64
 gateway 2001:470:1f0b:1514::1

Also you can put the ipv6 module into /etc/modules instead of using "pre-up modprobe ipv6".

Test it:

ping6 ipv6.google.com

A more complex example:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
        address 188.40.116.234
        netmask 255.255.255.0
        network 188.40.116.0
        broadcast 188.40.116.255
        gateway 188.40.116.206

auto eth0:1
iface eth0:1 inet static
        address 192.168.2.70
        netmask 255.255.255.0

# IPv6 over tunnel-broker (6in4 tunnel to the broker's IPv4 endpoint);
# the routed /64 is put on eth0 and the default route goes into the tunnel
auto he-ipv6
iface he-ipv6 inet6 v4tunnel
 endpoint   216.66.80.30
 ttl        255
 address    2001:470:1f0a:1604::2
 netmask    64
 mtu        1480
 post-up ip addr add 2001:470:1f0b:1604::1/64 dev eth0
 post-up ip route add ::/0 dev he-ipv6

Windows 7 and IPv6

IPv6 has been "the ultimate next generation of TCP/IP protocols" for so long that you can be forgiven for thinking that it will never be useful. However, with Windows 7, Microsoft has finally given network administrators and normal users a reason to consider using IPv6.

This screenshot shows you how easy it is to configure an IPv6 address: