Slashdot Mirror

It's because it is much simpler than you assume.

I have just toggled "IPv6" checkbox on my ISP account. Then I went to http://www.kame.net/ and the turtle was dancing. Done.

Try to get yourself a /24 and you'll see that there IS an effect. It used to be that if you asked for a /24 you got it with no further questions. The way it is now, I'm expecting them to start requiring the results of your last colonoscopy and your astrological chart.

The first effects of people being on dual stack will be to cap how expensive v4 addresses might get. If enough people are dual stack, there's not much chance to price gouge as they run out.

Besides that, you can't see the dancing kame on v4 :-)

From the ipsec(4) manpage for Mac OS X 10.6, history section:

The implementation described herein appeared in WIDE/KAME IPv6/IPsec stack.

The KAME stack is the same stack used in NetBSD and FreeBSD.

Even though NeXTSTEP was forked earlier from the BSD codebase than the other BSD flavors there has still been considerable sharing between it, Mac OS X, and the other BSD flavors. OpenBSD is one exception to this since it tends to be a more closed ecosystem than the other BSD variants.

well, we DO have the dancing turtle on http://www.kame.net/ !

A dancing turtle is not enough?!?

I dunno, but I think free beer, porn, games and music downloads would make IPV6 a bit more, well, sexy.

A dancing turtle is not enough?!?

And if the issue is with neither the cable company nor the phone company offering IPv6 service, what next step do you recommend?

Turn to transitional solutions. You can already get an IPv6 tunnel via a tunnel broker, using 6to4 or Teredo (available standard on Windows 7 and available via Miredo on Linux, BSD and MacOS X) . Neither are ideal, but it is better than no solution at all. For a long time I have been using Sixxs as my tunnel broker, though there are others, such as Hurricane Electric.

If your router supports native IPv6 and IPv6 tunnels then it is a big plus. If you wish try experiment without the expenditure, then you can install a tunnel client on your computer. In all cases ensure you have a properly configured IPv6 firewall.

Once you have your IPv6 network up and running try connecting to http://ipv6.google.com/ or http://www.kame.net/ (you should see an animated turtle). Then you can start finding out which applications are IPv6 ready.

No compelling reason to switch to IPv6?? You're crazy. A dancing turtle isn't enough for you? What's it going to take to please you?

I suspect the animated logo is a tribute to http://www.kame.net./ The KAME project website displays an animated turtle if you visit it over IPv6. Historically it is one of the oldest IPv6 websites. It's useful for testing.

There is a lot of feet dragging going on, partly because too many business plans rely on short term spending. The irony is that some of the companies which you expect to be leading the way in IPv6 migration don't even have web sites that are IPv6 enabled. This includes IBM, Apple, Microsoft, RedHat and Cisco. I make the point because they should be picking up the torch now that research sites have already done their part, and showing that it is an achievable goal, and not some sort of pipe-dream. /. readers at the same time, should probably get to know and understand the technology, since it is not a question of whether it will happen, but when. When it happens if the IT crowd doesn't understand IPv6, then we really have issues.

If you want to get an IPv6 web site running there are number of solutions, including using Apache 2 with IPv6 support activated and making sure you have an OS that supports an IPv6 stack - most modern OSs do.

Migration technologies for people stuck behind IPv4 NATs include Aiccu and Teredo (Vista includes this, and for other OSs there is Miredo). If you are at home, then one of the 'consumer' routers to support IPv6 out of the box is the Airport Extreme. If others support it out of the box I am not aware of this.

When you are ready see the dancing turtle - if you don't see it you are accessing it via IPv4.

Other stuff you can do in the meantime is checking to see if some your favourite network based applications handle IPv6 and if they don't make some noise. Its best to make the noise now, when it doesn't matter so much, than waiting until it does. On the bonus side they can advertise the fact they are IPv6 ready.

I made a fairly determined effer to see if we could bring up a manageable lab with IPv6.
1) Our local provide (XO) doesn't even offer public IPv6 address space.
2) ARIN wants thousands of dollars PER YEAR for portable address space.
3) Identifying what/how-to use a substitute for the deprecated "site-local" addressing. Tracking this down took days of searching and piecing things together. All the docs agreed that site-local was deprected but rarely mentioned what was going to take its place. Here is some links to what was found, MS has surprising helpful documentation:
http://www.microsoft.com/technet/network/evaluate/ technol/tcpipfund/tcpipfund_ch03.mspx#EDAAE
http://book.itzero.com/read/cisco/0602/Cisco.Press .Deploying.IPv6.Networks.Feb.2006_html/1587052105/ ch02lev1sec1.html
Generate a global ID with either of the tools below:
http://www.kame.net/~suz/gen-ula.html
http://www.hznet.de/tools/generate-rfc4193-addr
Additionally it is nearly impossible to control the allocation of hosts to specific suffixes. We often organize customers address space so that global catalog for each site are at, say, .5, exchange at .7, proxy server at .13, etc using DHCP static leases, it make life easier on our field techs, they know exactly where key pieces of infrastructure are for troubleshooting. We can send them to different customers and they have an ingrained familiarity of how things are configured. Currently MS IPV6 does not have a usable IPv6 DHCP server, and the IPv6 clients do not allow such an address assignment even if the server could do reservations.
In a nutshell, IPv6 tools and implementation on hosts fall far short of the enterprise tools used define and organize a LAN for IPv4 and until ease of use is at least on par with MS IPv4 DHCP point/click environment it is going to continue to languish. It absolutely must have integrated DHCP server redundancy with automatic failover/failback/sync so sorely lacking, LO these many years in MS offerings.

ahh yes, security through obscurity, the model of the lazy admin. lol

  http://www.kame.net/newsletter/19980807/

For those in Japan, I suggest checking out IPv6 Promotion Council, WIDE, Internet Initiative Japan and the BSD folks over at KAME.

In general, you probably also want to check the IPv6 Information Page, which lists many IPv6 websites, FTP sites and even IRC sites not already listed. (Almost all the above sites are also IPv6-reachable.) This totally trashes the idea that there is NOBODY on IPv6, which is good because it is a delusion which prevents people from using IPv6.

I've used numerous IPv6 tunnels and will shortly be getting native IPv6 from my provider at home, so I cry "bullshit" to those who say it can't be done. Setting up an IPv6 tunnel through a broker requires knowing your public IP address and your MAC address, then running a simple script to set up the IPv6-over-IPv4 connection. It's all of a couple of minutes work, maximum. I dare those who say IPv6 isn't being used to actually set up such a tunnel, use IPv6, THEN come back and tell the rest of us why what they just did was so impossible.

Lack of IPv6 support on home ADSL routers really is a problem. If I bypass by Belkin router then I get to see the dancing turtle, otherwise I am just seeing a static image. The other problem is that there aren't any real work solutions for routing IPv6 over a NAT router, unless you modify the router itself.

I have tried FreeNet6, but this does not work on my Mac, so I am out of luck.

I am curious to see what the working solution is to allow people to have their own internal addresses, such as NAT provides, in the case of IPv6.

Also, are there still DNS servers that ignore the AAAA entry (IPv6 address entry)?

..is that I'm going to have to re-purchase all the networking equipment that companies are going to refuse to update. That being said, I'm already using IPv6 tunneled through Hurricane Electric and Freenet6. What's nice is the automatic DNS identification and the swimming turtle. Oh, and the price.

There has been a working and tested IPSec implementation from Kame Project in the vanilla Linux kernel for some time now. Why go with a competing and conflicting IPSec implementation that was once formed because the official Linus tree lacked the support. Diversity is a richness etc. on but in this case I feel like these efforts seem fruitless. But big companies such as Novell don't do things because they just can so maybe there's something I don't quite get. I'd love to be englightened, though.

Maybe you don't consider these as proper, so I would really like to know which IP implementations support secure multicast via IPSec, including group key management etc.

To my knowledge, the secure multicast concepts and potential implementations haven't left the research labs (except Secure Spread which I mentioned in another post and isn't based on IPSec).

I would be glad to be wrong and it would be nice if you could provide us with some implementation links... .)

While I like Linux and use it in some situations, I can tell you for sure that most distributions are far from competing with OpenBSD in terms of safety. You are right in saying that OpenBSD has a lot less resources than Linux, but they use their resources in a far more focused way.

• Yes, there are 3rd party patches which hack many anti-buffer overflow protections into the Linux kernel, similar to what OpenBSD has.

• Yes, there is a stateful firewall for Linux.

• Yes, there is ipv6 support for Linux.

But OpenBSD takes all of these things, which under Linux can be half baked and kludged, and packages them together as a polished, stable end product. Their PF work is quite frankly amazing. The features and documentation are unbeatable. Checkpoint and Cisco, watch out!

The key difference between GNU/Linux and the various BSDs is integration. The BSDs assure you that the various things will play together properly. Features are added more conservatively, but they are going to work. The system as a whole is stable.

You know that for example the buffer overflow protections are not going to break half your userland applications, because it has been thouroughly tested on the system as a whole. Some example results of this:

• You know that the packet filter will play nice with the IPv6 subsystem.
• You know that Systrace will work on an SMP kernel.

You also don't get silly things like stable kernels which corrupt your filesystem or ripping out the virtual memory subsystem in a stable kernel and completely changing it.

All these things are very nice when you are running serious production servers.

Linux can perform a large number of roles adequately.

OpenBSD can perform a smaller number of roles excellently

*BSD had (useful) IPv6 long before Linux thanks to kame. OpenBSD is also the last of them to get SMP support, even if it's pretty fresh in NetBSD too (a year or so).

• Loop-back encryption is kinda clunky. dm-crypt looks to be a cleaner way to do encrypted devices. And pam_mount can mount encrypted home directories on login.
• As for doing encryption in the filsystem, several people are at working at it.
• Your notion that OpenSSH only creates a tunnel while the "console" is open, is little more than FUD. Oh no! The console!. That's the whole point. SSH is largely interactive by its very nature.
• It's quite easy to setup OpenSSL in inetd mode for SSL'd services.
• Encrypted executables? Are you joking? WTF would that achieve? If someone has physical access to your machine, you're screwed anyway. And if someone has broken into your machine remotely then your executables are probably the last thing to worry about. On Unix/Linux systems you need root access to write to system executables. If an intruder has root access, they can do anything and don't need to modify your executable to screw around. This is a straw-man argument.
• Linux is very good as a VPN router. Not only do we have IPsec/IPV6 from the KAME project, there's also the (abandoned) FreeS/WAN project and the spin-off Openswan. But don't forget OpenVPN (available for quite a few platforms, not just Unix/Linux). If you're really desperate, you can always combine SSH and PPP to make a VPN.
• Tokens? You have heard of Kerberos haven't you?
  BTW, here's a good LDAPv3+SASL+KerberosV HowTo

My god you are a troll. Oh, and as others have pointed out, encryption does not instantly make something secure.

8:33pm up 2 days, 22:20, 1 user, load average: 0.00, 0.00, 0.00
37 processes: 35 sleeping, 2 running, 0 zombie, 0 stopped
CPU states: 0.0% user, 7.0% system, 0.0% nice, 93.0% idle
Mem: 2582324K av, 353544K used, 2228780K free, 0K shrd, 82364K buff
Swap: 1073016K av, 0K used, 1073016K free 90972K cached

[root@somewhere]# ipsec eroute | wc -l
393

Dedicated Hpaq Proliant DL380 G3 server, Xeon 2.8Ghz CPU, 2+GB RAM. Multiple site-to-site tunnels up to about 130 sites across WAN links of varying speed, but mostly between 3-8Mbit/s. Handles about 1.2GB of 3DES/MD5 encrypted/authenticated traffic per day. Runs like a champ, the box barely notices the encryption overhead, it just takes a while (2-3 minutes) to rebuild all the tunnels when you restart FreeS/WAN.

Only headache is deciding which open-source VPN/ipv6 software to use now that FreeS/WAN is at end-of-life.

Don't forget about KAME. It isn't just for IPv6, and also supports IPSec for both ipv4 and ipv6.

I don't think you're alone there. I myself have tried FreeS/wan several times over the years and have always found it a frustrating experience. I think the documentation should take a lot of the blame for the problem. It was never too clear and gave only a few wildly different (and sometimes conflicting) examples. Left side? Right side? They would often switch the left/right-side convention for no apparent reason. And it I found it wasn't always clear what configuration settings were required and how they interacted. Because of this it was hard to condense a working configuration out of the few examples they did give.

Many years ago I was trying to connect my network with my familys' network (linux to linux) I eventually went with vtun. It worked fairly well. More recently I went with OpenVPN when I needed to connect my dads' Win2K laptop back to the family network over a dial-up line. In both these examples I originally tried using FreeS/wan on the linux side(s). I thought it would be easier (especially with W2K in the second case) because IPsec is a standard. Nope. Now I'll go look at this new Kame port in the 2.6 kernel and IPsec-tools. Hopefully it's fairly easy to setup.

KAME project comes to mind, and its IKE key manager racoon in particular. It may not be the most up-to-date IKE implementation, but it's certainly one of the cleanest and well-designed ones compared to other major OpenSource IPsec projects.

KAME project comes to mind, and its IKE key manager racoon in particular. It may not be the most up-to-date IKE implementation, but it's certainly one of the cleanest and well-designed ones compared to other major OpenSource IPsec projects.

IPv6 is configured by default on macos X. Type ifconfig from a command prompt and you should get something like this:

lo0: flags=8049 mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
gif0: flags=8010 mtu 1280
stf0: flags=0 mtu 1280
en0: flags=8863 mtu 1500
inet6 fe80::250:94af:feb1:aaad%en0 prefixlen 64 scopeid 0x5
inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
ether 00:5a:cd:bc:44:ac
media: autoselect (100baseTX ) status: active
supported media: none autoselect 10baseT/UTP 10baseT/UTP 100baseTX 100baseTX

(yes, IPs/MACs were modified, so if one/all don't add up, it's 'cause I changed them for privacy).

The inet6 line for en0 is the IPv6 IP.

You may need to make some changes to the default kernel and IP table settings using sysctl to do tunneling, I don't know (haven't done much with IPv6 myself - I mainly know about chunks of it from messing around with raccoon and IPSec)

OS X uses the KAME IPv6 distribution, so follow the faqs on that site for tunneling - it should be there somewhere.

You've obviously never used FreeBSD... The most unstable and buggy version of FreeBSD is a dramatic step-up from any Linux distro.

This is no troll, it's a fact, and extremely hard to dispute ("Linux never crashed for me" does not count).

My experiences with FreeBSD have been universally bad.

From the fact that it didn't support the built-in network card on my laptop (worked fine in Linux and Windows) to the fact that no less than 3 versions of the FreeBSD boot CD *and* floppy hard-locked on my desktop on install (worked fine in Linux and Windows). Then there's the fact that the POSIX threading support was bad enough to make our core application unusable on all versions of FreeBSD (up to 4.9, and it works fine on Linux and Solaris).

I also find the whole CURRENT/STABLE/RELEASE naming a little confusing, but I could live with that if FreeBSD actually provided any real-world benefit. The only areas where I've seen a real, measurable benefit to FreeBSD is in high-volume UDP servers (which is to say: DNS, or possibly NFS) or the IPv6 stack (thanks to the KAME project).

The fact is the FreeBSD technology is playing catch-up to Linux, and even if the technology were great, the childish "my OS is better than your OS" attitude of most FreeBSD users that I've met is what really makes FreeBSD stand out.

We already use IPv6, simply because it's more convenient. If you have multiple networks with 10.* or 192.168.* addresses, two things happen. Firstly it's very confusing, so you make mistakes and the routing stops working. Secondly you have to set up VPNs explicitly which is extra work.

With IPv6, none of this happens. All the organisations have an Internet connection, and that gives them the network part of the address. The host part of the address comes from the MAC address of the ethernet card. No room for confusion.

You might object that we had to go to the trouble of getting IPv6 Internet connections, but we didn't. IPv6 can be routed over IPv4. This means that we only need our regular Internet connections, and we don't have to run routing daemons or anything like that. The existing IPv4 infrastructure gets our packets from one site to another.

IPv6 is also much easier to configure because everything happens on the server. If a client has IPv6 enabled, all you have to do is plug it into the network and it will configure itself. Yes, in a way it's like DHCP, but the addresses don't change. This means that you can have long-lived DNS entries pointing to your boxes, that sort of thing, which you can't do easily with DHCP.

The one time I wouldn't use IPv6 is in a place with lots of old boxes that don't support it very well. But if you have modern Linux or BSD installations or Windows XP, enable it today. You won't regret it.

I'd quite like to set up a website which is only IPv6, to encourage people to upgrade (that is if I can't persuade Slashdot to drop support for legacy protocols). You only get to see the Dancing Kame if you are IPv6 enabled, but that probably isn't enough to tempt people to switch!

Maybe, but Kame isn't, and Apple has helped fix bugs with that project. Kame is how Apple does IPv6.

Having used 6to4 anycast tunnels for years and SixXS tunnels for months, I have to agree that they are an excellent form of IPv6 connectivity.

As far as IPv6 programming goes, there's really nothing to it, most of the trick is getaddrinfo. The excellent KAME summary should get you started.

As for the software side, lots of software works with IPv6 today. Just to pick web browsers as an example... IE (on XP) and mozilla (depends on the platform) both support it. Alas, Safari, Camino and OmniWeb do not. The only way I've found to see The Dancing Kame on a mac has been to set up my own little primitive Java proxy (that's right, the latest JRE for OS X is IPv6-aware! Yay!).

A ton of useful IPv6 information is available from Kame.Net -- once your setup is working, the turtle on the top of that page starts to dance :). I also found the Linux IPv6 HOWTO to be incredibly helpful.

-Fyodor
Concerned about your network security? Try the Free Nmap Security Scanner

NetBSD has KAME IPsec in the kernel source tree, but the GENERIC kernels have the option commented out (I don't know why):

% grep IPSEC /usr/src/sys/arch/i386/conf/GENERIC
#options IPSEC # IP security
#options IPSEC_ESP # IP security (encryption part; define w/IPSEC)
#options IPSEC_DEBUG # debug for IP security

I've got a NetBSD machine at home running a VPN to the office LAN and it works great.

Exactly what isn't compliant with IPv6 in the current (2.4) kernel? I'm currently using stock unpatched 2.4 to run a web server over IPv6 quite happily. It's the applications that are lacking support. Hell, with radvd it's functioning as a full 6-to-4 router for my home network.

Here's a little info . Doesn't go into specifics. Follow the links and you end up here .

They key is the "my home network" part. The router for an autonomous system would probably require full support. I'm running RH7.3 (kernel v2.4.18) and i don't see kame dancing.

Programming IPv6 apps is actually quite easy, and actually involves programming protocol family independent code if you want to do it right. On the client end, this basically involves using a function (getaddrinfo(3)) to get a linked list of all addresses associated with a given hostname in any protocol family (IPv4, v6, or even something fun like AppleTalk) and walking along the list until you get a good connection. This has the added advantage that if you are trying to connect to a host that has multiple IP addresses, and some of them are non-responsive (i.e. a round-robin DNS situation), your client will try connecting to each IP address until it succeeds.

If you're trying to learn how to configure and use IPv6 on your hosts, try some of these:

• Microsoft
• The Kame project (*BSD)
• The 6bone for general IPv6 stuff, as well as information on connecting to the experimental IPv6 backbone.
• Peter Bieringer's Linux IPv6 page.

The following list will keep you occupied about IPv6 for some time... oh just for the record ams-ix is doing NATIVE IPv6 since 1998 now... alongside NSPIXP6 and PAIX and some others to be found at v6nap.net.

First two nice repositories where you can find almost anything IPv6 related:
IPv6 News and Links (hs247)
Open Directory Project Computers/Internet/Protocols/IP/IPng/

And some others important ones which can also be found there:
6bone
Belnet
Bieringer's Linux IPv6 FAQ
Euronet Belgium
IPng
KAME
Kitame's Debian IPv6 Packages
Microsoft IPv6
PuTTY IPv6
SiXXS
Sun Solaris IPv6
Surfnet IPv6
Trumpet IPv6

IPv6 for the future (or something advocating like that :)

How about the enormous chunk of Linux webservers? Last I read, Linux has supported IPv6 for some time now.

Yes, but does your cable or DSL provider route IPv6 ? Do they help you get your own /48 routed to your home if you want it ? I wish my cable provider supported IPv6 and/or multicast.

And your Linux webserver might have a bit of a problem serving IPv6 clients out of the tarball. Apache 1.3.x still needs a set of patches (available from the kame ftp server). Apache 2.0, still in beta supports it now.

IPv6 does not have any more support for QoS than IPv4

Maybe it has something to do with the Kame project having QoS built-in. Someday I will have time to experiment with AltQ

Unfortunately, that day seems far away.

Hopefully they'll get it fully integrated in, like IPv4 for the final release. I'm running a beta of XP (NT5.1, not 6.0 :) right now, and to install IPv6, you run "ipv6 install" from the commandline. If you want to configure static addresses and routes, you do it from the commandline too. But it does work... I got to see the Dancing KAME from IE6.0 :)

I still wanna know where i can get public static IPv6 ips.

http://ipv6tb.he.net runs a tunnel broker and gives out /64 blocks. I've got 3ffe:1200:3028:81e7::/64, which gives me 2^64, or 18446744073709551616 addresses :)

Here's one guy's experience setting up a tunnel to the 6bone with OpenBSD. By doing it this way you get a connection the IPv6 backbone and you can run IPv6 in your local network without needing IPv6 services from your ISP.

Note that KAME is for BSD. If you really want Linux, try USAGI.

I've heard very bad things about pptp, which PoPTop implments. For a sample see this FAQ. Please consider an IPSec solution like FreeSwan for linux or Kame the BSD equivalent.

FreeBSD's 4.0-RELEASE branch supports IPv6. If you're interested in getting your own IPv6 Internet address and being connected to Internet6, the Kame project is what you're looking for.

And you don't even have to wait for your ISP to support it. Just turn on 6to4, and with one IPv4 address you can get quite a few IPv6 subnets (each of which contains 2^64 addresses).

Windows already supports 6to4, BSD probably does, and I don't know about Linux.

One is the KAME IPv6 project wich is a stack for FreeBSD/NetBSD/BSD/OS.

Another IPv6 stack for FreeBSd/NetBSD is made by INRIA IPv6.

Another interesting site is the Alternate Queueing (ALTQ) for queue and bandwidth management use under *BSDs.

And once you got this all working, why not play with OpenBSD and PGPnet VPN support.

Erik

www.kame.net

I don't know much about IPv6 and haven't done anything to set it up on my system--i use the same /etc stuff i used when we had only IPv4. On NetBSD-current, I can verify that 'telnet ::1' will get you a login prompt on the local machine. I didn't know ::1 was the loopback addr until I read it here, so obviously I don't know enough to answer your DISPLAY question. NetBSD-current has merged into both the kernel and the userland the IPv6 stack developed in Japan by KAME. KAME supports IPsec, and KAME's IPsec implementation in NetBSD contains strong cryptography which can be legally downloaded both inside and outside the US. One of the KAME developers is active on the NetBSD mailing list, and continues to directly support the NetBSD port of KAME. IPv6-aware versions of popular tools like apache are available in NetBSD's pkgsrc, as well as directly from KAME.

If you write domain name in URL, you do not need to say "ipv6". For example, www.kame.net has both A and AAAA records and you can just specify http://www.kame.net/, and you'll connect to either of them (just like when a web server have multiple IPv4 addresses).

Numeric IPv6 address is little trickier because they have colon inside. for this there are several draft submitted in IETF.