
Migrating Small Business Networks To IPv6

submitted by: Sylvia Schuh

Diploma thesis (Diplomarbeit)

for the attainment of the academic degree

Magister rerum socialium oeconomicarumque

Master of Social and Economic Sciences (Magister der Sozial- und Wirtschaftswissenschaften)

(Mag. rer. soc. oec.)

Faculty of Business, Economics and Computer Science (Fakultät für Wirtschaftswissenschaften und Informatik), Universität Wien
Faculty of Technical Sciences and Computer Science (Fakultät für Technische Naturwissenschaften und Informatik), Technische Universität Wien
Degree programme: Business Informatics (Wirtschaftsinformatik)
Assessor: O. Univ. Prof. Dr. A Min Tjoa
Vienna, 21 February 2006

Contents

1 The setting-up of my IPv4 network 8


1.1 Maggie and her asterisk server[1][2] . . . . . . . . . . . . . . 9
1.1.1 FXO, FXS, IAX, SIP . . . . . . . . . . . . . . . . . . . . 11
1.1.2 Maggie’s dialplan . . . . . . . . . . . . . . . . . . . . . 12
1.1.3 Digium card details . . . . . . . . . . . . . . . . . . . 13
1.1.4 Configuring Sipura SPA-2000 [40] [5] . . . . . . . . . 14
1.2 Marge and the CUPS problem . . . . . . . . . . . . . . . . . . 15
1.2.1 Installing CUPS [6, 8, 7] . . . . . . . . . . . . . . . . . 15
1.3 Bart and Snowball are getting their iptables[9] . . . . . . . . 18
1.4 Maggie: MySQL server[33] . . . . . . . . . . . . . . . . . . . 24
1.5 Installing OpenVPN on snowball and bart . . . . . . . . . . . 25
1.5.1 Setting up your Certification Authority (CA) [13] . . 26
1.5.2 Generating certificates and keys . . . . . . . . . . . . 27
1.5.3 Diffie-Hellman parameters [14] . . . . . . . . . . . . . 27
1.5.4 Distributing the files . . . . . . . . . . . . . . . . . . . 28
1.5.5 Advantages when using this security model . . . . . 28
1.5.6 Configuring OpenVPN . . . . . . . . . . . . . . . . . 29
1.6 Other services provided by marge.sylvia.test . . . . . . . . . 33
1.6.1 web server apache . . . . . . . . . . . . . . . . . . . . 33
1.6.2 dynamic host addressing dhcpd [17] . . . . . . . . . . 34
1.6.3 DNS server BIND [7][19][20] . . . . . . . . . . . . . . 35
1.6.4 Mail transfer agent exim4 [21] [22] [23] . . . . . . . . 37
1.6.5 POP3 server qpopper [9] . . . . . . . . . . . . . . . . . 39
1.6.6 web traffic monitoring with webalizer [11][26] [27] . 40
1.6.7 web caching and proxying with squid [28] [29] . . . . 41
1.6.8 arpwatch [30] . . . . . . . . . . . . . . . . . . . . . . . 42
1.7 Other services provided by bart . . . . . . . . . . . . . . . . . 42


1.7.1 network time protocol daemon ntpd [3] . . . . . . . . 42


1.7.2 ntop . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
1.8 Services provided by homer . . . . . . . . . . . . . . . . . . . 44
1.8.1 File sharing . . . . . . . . . . . . . . . . . . . . . . . . 44
1.8.2 Active directory [32] [33] . . . . . . . . . . . . . . . . . 45

2 The initial lab-topology 52


2.1 The main office . . . . . . . . . . . . . . . . . . . . . . . . . . 52
2.1.1 hostname: bart - 192.168.200.1 . . . . . . . . . . . . . . 52
2.1.2 hostname: marge, alias: ns1, www, proxy - 192.168.200.5 54
2.1.3 hostname: maggie - 192.168.200.8 . . . . . . . . . . . . 55
2.1.4 hostname: homer - 192.168.200.12 . . . . . . . . . . . 56
2.1.5 hostname: apu - 192.168.200.33 . . . . . . . . . . . . . 57
2.1.6 hostname: nelson - 192.168.200.34 . . . . . . . . . . . 58
2.1.7 hostname: lisa - 192.168.200.35 . . . . . . . . . . . . . 59
2.1.8 allnet1 - 192.168.200.130 . . . . . . . . . . . . . . . . . 60
2.1.9 grandstream1 - 192.168.200.129 . . . . . . . . . . . . . 60
2.2 Branch office . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
2.2.1 hostname: snowball - 192.168.201.1 . . . . . . . . . . . 60
2.2.2 hostname: snowball2 - 192.168.201.17 . . . . . . . . . 61
2.2.3 hostname: sipura - 192.168.201.129 . . . . . . . . . . . 62

3 Testing and Benchmarking the Network 68


3.1 Tools and their usage . . . . . . . . . . . . . . . . . . . . . . . 68
3.1.1 MRTG [1] . . . . . . . . . . . . . . . . . . . . . . . . . 68
3.1.2 Smokeping [9] . . . . . . . . . . . . . . . . . . . . . . . 75
3.1.3 bing [10] . . . . . . . . . . . . . . . . . . . . . . . . . . 75
3.1.4 iperf [11] [12] . . . . . . . . . . . . . . . . . . . . . . . 77
3.1.5 netperf [13] . . . . . . . . . . . . . . . . . . . . . . . . 78
3.1.6 netio [14] . . . . . . . . . . . . . . . . . . . . . . . . . . 78
3.1.7 netbench [15] . . . . . . . . . . . . . . . . . . . . . . . 79
3.1.8 sipp [16] [17] . . . . . . . . . . . . . . . . . . . . . . . . 80
3.1.9 copying files . . . . . . . . . . . . . . . . . . . . . . . . 81
3.1.10 digging DNS . . . . . . . . . . . . . . . . . . . . . . . 81
3.1.11 open a file from a share . . . . . . . . . . . . . . . . . 82
3.1.12 downloading files . . . . . . . . . . . . . . . . . . . . . 82
3.1.13 ethereal [18] . . . . . . . . . . . . . . . . . . . . . . . . 82
3.1.14 tcpdump [19] . . . . . . . . . . . . . . . . . . . . . . . 83

3.1.15 nmap [20] . . . . . . . . . . . . . . . . . . . . . . . . . 83

4 Theory of IPv6 86
4.1 IPv6 Addresses [1] [2] . . . . . . . . . . . . . . . . . . . . . . . 87
4.1.1 Unicast IPv6 addresses . . . . . . . . . . . . . . . . . . 89
4.1.2 Multicast IPv6 addresses . . . . . . . . . . . . . . . . . 95
4.1.3 Anycast IPv6 addresses . . . . . . . . . . . . . . . . . 97
4.1.4 Addresses set on an IPv6 enabled host . . . . . . . . . 97
4.1.5 Address Autoconfiguration Process . . . . . . . . . . 98
4.1.6 DHCPv6 [9] . . . . . . . . . . . . . . . . . . . . . . . . 100
4.2 IPv6 Header . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
4.3 ICMPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
4.3.1 ICMPv6 Error messages . . . . . . . . . . . . . . . . . 105
4.3.2 ICMPv6 Informational messages . . . . . . . . . . . . 107
4.3.3 Multicast Listener Discovery [12] . . . . . . . . . . . . 107
4.4 Neighbor Discovery [23] . . . . . . . . . . . . . . . . . . . . . 109
4.4.1 Neighbor Discovery messages . . . . . . . . . . . . . 109
4.4.2 Neighbor Discovery Process . . . . . . . . . . . . . . 114
4.5 IPv6 Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
4.5.1 Route determination process . . . . . . . . . . . . . . 119
4.5.2 IPv6 Delivery Process . . . . . . . . . . . . . . . . . . 119
4.5.3 IPv6 Routing protocols . . . . . . . . . . . . . . . . . . 122
4.6 IPv6 and Name Resolution . . . . . . . . . . . . . . . . . . . . 124
4.7 Migration to IPv6 [15] . . . . . . . . . . . . . . . . . . . . . . 125
4.7.1 6over4 . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
4.7.2 6to4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
4.7.3 ISATAP . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
4.7.4 Teredo . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
4.7.5 PortProxy . . . . . . . . . . . . . . . . . . . . . . . . . 131

5 Migration to IPv6 135


5.1 Making your system IPv6-ready [1] . . . . . . . . . . . . . . . 135
5.1.1 Debian Linux . . . . . . . . . . . . . . . . . . . . . . . 136
5.1.2 Windows . . . . . . . . . . . . . . . . . . . . . . . . . . 137
5.2 Testing primary connectivity [8] . . . . . . . . . . . . . . . . . 140
5.2.1 Debian Linux . . . . . . . . . . . . . . . . . . . . . . . 140
5.2.2 Windows [9] . . . . . . . . . . . . . . . . . . . . . . . . 143
5.3 Getting reachable globally via IPv6 . . . . . . . . . . . . . . . 146

5.3.1 Installing AICCU . . . . . . . . . . . . . . . . . . . . . 147


5.3.2 Allocating the addresses . . . . . . . . . . . . . . . . . 148
5.3.3 Configuring the global addresses . . . . . . . . . . . . 149
5.3.4 Setting routes manually . . . . . . . . . . . . . . . . . 151
5.3.5 Testing connectivity with traceroute . . . . . . . . . . 153
5.4 More routing issues . . . . . . . . . . . . . . . . . . . . . . . . 154
5.5 Networking basics . . . . . . . . . . . . . . . . . . . . . . . . 160
5.5.1 advertising routes with radvd [20] [21] [22] [23] . . . 160
5.5.2 DHCPv6 using dibbler [27] . . . . . . . . . . . . . . . 163
5.5.3 DNS [30] [29] . . . . . . . . . . . . . . . . . . . . . . . 171
5.6 Migrating the services [31] . . . . . . . . . . . . . . . . . . . . 176
5.6.1 Browsers: Firefox and Internet Explorer . . . . . . . . 176
5.6.2 Web-Proxy: Privoxy [32] . . . . . . . . . . . . . . . . . 176
5.6.3 http-server: apache . . . . . . . . . . . . . . . . . . . . 178
5.6.4 database: MySQL . . . . . . . . . . . . . . . . . . . . . 179
5.6.5 filesharing using Windows . . . . . . . . . . . . . . . 180
5.6.6 filesharing: WebDAV [38] [39] . . . . . . . . . . . . . . 184
5.6.7 filesharing: ftp . . . . . . . . . . . . . . . . . . . . . . 187
5.6.8 email: exim . . . . . . . . . . . . . . . . . . . . . . . . 188
5.6.9 email: courier [41] . . . . . . . . . . . . . . . . . . . . 189
5.6.10 mail-client: thunderbird . . . . . . . . . . . . . . . . . 191
5.6.11 mail-client: outlook and outlook express . . . . . . . 192
5.6.12 VoIP: asterisk [42] [43] . . . . . . . . . . . . . . . . . . 193
5.6.13 time: ntpd, ntpdate . . . . . . . . . . . . . . . . . . . . 193
5.6.14 domain controller: Active Directory . . . . . . . . . . 194
5.6.15 printing: cups . . . . . . . . . . . . . . . . . . . . . . 195
5.6.16 radio: Virgin radio . . . . . . . . . . . . . . . . . . . . 196
5.6.17 instant messaging: irc, msn . . . . . . . . . . . . . . . 197
5.6.18 authentication: ipsec6 . . . . . . . . . . . . . . . . . . 198
5.6.19 encryption: OpenSWAN . . . . . . . . . . . . . . . . . 203
5.6.20 Remote control: ssh . . . . . . . . . . . . . . . . . . . . 206
5.6.21 VNC: TightVNC . . . . . . . . . . . . . . . . . . . . . 206
5.6.22 Remote control: telnet . . . . . . . . . . . . . . . . . . 207
5.6.23 Monitoring traffic: ntop . . . . . . . . . . . . . . . . . 207
5.6.24 monitoring privoxy: webalizer . . . . . . . . . . . . . 208
5.6.25 monitoring ports: nmap . . . . . . . . . . . . . . . . . 209
5.6.26 firewall: iptables . . . . . . . . . . . . . . . . . . . . . 210
5.7 Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210

5.7.1 iperf . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210


5.7.2 Netserver/ Netperf . . . . . . . . . . . . . . . . . . . . 211
5.7.3 Smokeping . . . . . . . . . . . . . . . . . . . . . . . . 211
5.7.4 mrtg/ SNMP [47] . . . . . . . . . . . . . . . . . . . . . 213

6 Conclusion and Summary 222

7 Configuration Files 227


7.1 IPv4 related configuration . . . . . . . . . . . . . . . . . . . . 227
7.1.1 APT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
7.1.2 Asterisk . . . . . . . . . . . . . . . . . . . . . . . . . . 228
7.1.3 CUPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
7.1.4 Apache2 . . . . . . . . . . . . . . . . . . . . . . . . . . 244
7.1.5 dhcpd . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
7.1.6 BIND . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
7.1.7 exim4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
7.1.8 The Webalizer . . . . . . . . . . . . . . . . . . . . . . . 256
7.1.9 squid . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
7.1.10 arpwatch . . . . . . . . . . . . . . . . . . . . . . . . . . 261
7.1.11 ntpd . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
7.1.12 Active Directory . . . . . . . . . . . . . . . . . . . . . 262
7.1.13 mrtg . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
7.1.14 SmokePing . . . . . . . . . . . . . . . . . . . . . . . . 267
7.2 IPv6-related Configuration files . . . . . . . . . . . . . . . . . 271
7.2.1 Apache . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
7.2.2 Smokeping . . . . . . . . . . . . . . . . . . . . . . . . 272
7.2.3 mrtg . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
7.2.4 firewall: iptables . . . . . . . . . . . . . . . . . . . . . 279

Statutory declaration (Eidesstattliche Erklärung)

I declare in lieu of oath that I have written the present thesis independently and without outside help, that I have used no sources other than those cited, and that I have marked as such all passages taken verbatim or in substance from the sources used.
Vienna, 21 February 2006

Acknowledgement

I want to start my acknowledgements by thanking my parents and my grandma for making it possible to study by providing me with the financial prerequisites. Besides that I have to give my mother my special thanks for coping with my moods while writing on this (from happy to desperate) and my father for answering my questions and helping me with basic problems of networking. In addition to this I want to thank my friends for keeping me up-to-date, although I seemed to have vanished in a small chamber for the duration of my master's thesis.
Another huge thank you goes to the director of the Berufsförderungsinstitut Burgenland, Mr. Peter Maier, for providing me with the hardware, the information and the place to make my idea of my master's thesis come true! Thank you very much!
I would also like to express my gratitude to those nameless people answering my newsgroup and forum postings, to the maintainers of software helping me (like Tomasz Mrugalski from dibbler, etc.) and to Mr. Schabus, supplying me with information on the Microsoft way of implementing IPv6. Another big thank you is for two employees of the IT department at the Berufsförderungsinstitut Burgenland, Andreas Grabner and Thomas Jölly, for being interested in my subject and providing me with tips and tricks. Furthermore I want to thank Mustafa Sahin, a student at a university in Istanbul writing his thesis about IPv6 as well, for listening to my IPv6- and non-IPv6-related problems and for having good ideas on how we can take over the world using IPv6.
In addition to these I want to thank my supervisor O. Univ. Prof. A Min Tjoa for supervising my thesis and Mag. Markus Klemen for answering a lot of my questions.


The last two people I want to thank here are my grandmother Ida Ulreich
and my grandfather Ing. Karl Schuh, who both passed away while I was
writing this thesis. “Love is stronger than death even though it can’t stop
death from happening, but no matter how hard death tries it can’t separate
people from love. It can’t take away our memories either. In the end, life
is stronger than death.” (author unknown)
Preface

When it came to the point of my studies where I had to choose which subject I want to write about for my master's thesis I really didn't have to think long: I wanted to write something in the field of networks to improve my network administration skills and to learn a lot of things in the field of administering Linux servers. With the previous knowledge I acquired working in this field and when I took my CCNA I wanted to get further and write a thesis that could be of great use for other users as well and which is an upcoming subject, and so one beautiful day I had the idea of writing about IPv6. Then I looked on the internet for IPv6-related articles and found a lot of things concerning the standards of IPv6, how the header is made up and how huge the new address space is. I very often found phrases like "already IPv6 enabled" and became more and more curious how IPv6 would behave in a production environment, and that's where the idea for my master's thesis was born. I wanted to set up an IPv4 network with all the services you need to supply mail, data, www-connectivity and many others, and when this is done, I wanted to try to migrate this structure to IPv6. The first important problem I had was to get the structure of a well-functioning network and the hardware I would need. Because I had to move out of my apartment at that time I thought I could put all the devices needed for the thesis in my new apartment. I talked to some companies and tried to find people interested in my work so much that they would want to support me and finally found the Berufsförderungsinstitut Burgenland (http://www.bfi-burgenland.at). The Berufsförderungsinstitut Burgenland is a non-profit organisation working in the field of vocational training in many different skills. From becoming a registered masseur to driving diggers or starting your system administrator's career you can learn anything you want in one of the several offices throughout the Burgenland. (By the way, if you don't know, Burgenland is the easternmost federal state of Austria and is world-wide one of the most important wine suppliers for excellent red and white wine. http://www.burgenland.at).
The Berufsförderungsinstitut Burgenland supplied me with their network structure and the knowledge they gained through the productive use of this structure. In addition to this they cleared out a room for me and supplied me with the hardware I needed (which is several PCs, screens, switches, SIP phones, and so on). After putting all this stuff together the former storage room became more and more homely. While setting up all the services needed I learned the most about the use of Linux-based systems. Of course, as you might have guessed, you learn something about it at university, but if you are not very into it privately, the things you learn at university will be forgotten soon. So I set up one service after the other and learned a lot along the way. And then the big day came: IPv6 needed to be implemented. But let's start step by step.
My thesis is composed of several chapters: the first chapter is about the setting-up of the IPv4 part of the network, then there is a chapter about the theory of IPv6, and the most important chapter is the one about the actual migration to IPv6. You will find everything you need to know in order to set up an IPv6-enabled network within this thesis. The idea when writing this thesis was to create a hands-on guide for everyone interested in this subject, for I found it very difficult to get the information I needed. I want to supply facts about each service I used and tested, whether it worked or not, if there is a workaround and how a minimum configuration is achieved. So the point is that you can migrate your home or business network to IPv6 without reading hundreds of pages about the theory; simply take a look at the chapter about migration and try it. I wanted to sum up all I found out about the use of IPv6 in order to make it easier for others to deploy it and start to write more and more applications making use of the advantages provided by IPv6. I want to show everyone who is afraid how easy migrating to IPv6 can be, and everyone interested that there are already lots of things that can be done using IPv6. But let's talk about advantages and disadvantages at the end of the thesis.
Introduction

Motivation

Probably every paper or thesis about IPv6 will start with the words "because of address shortage ...", and this of course is one major reason to think about IPv6. NAT became a much-used workaround for this problem but also imposes various drawbacks, like restrictions in the field of peer-to-peer computing and so on. Several countries are already moving their IT infrastructure to IPv6-based communication and many task forces all over the world try to propagate its use more and more. My main goal for writing this thesis was not to write yet another theory-heavy description of how an IPv6 header is set up and how big the address space is, but rather a hands-on guide for people who are interested in it and don't want to read all the theory first. My work usually is more of the trial-and-error kind (I am not really into reading long descriptions first) and so I wanted to supply a paper you can work with without spending hours on reading, but rather just try it, work with it and learn it by doing.
This thesis could be an interesting source of information for people administering and setting up services in a network for the first time and for those who still don't know if they need IPv6 but are interested. I was very interested in what benefits IPv6 has and which of them can really be brought into production use. The whole thesis is divided into three logical parts: first the network is set up using IPv4, then there is an IPv6 theory part (every thesis needs its theory ;-) ) and the last one is about the migration of the services to IPv6. I wanted to create a complete guide for which you don't really need any previous knowledge. While I was working on the setting-up of the IPv4 network I found it pretty difficult to get a quick and dirty configuration of several services, and that's the reason why I decided to append all configuration files I used during my work in order to supply a basic and working configuration.

Problem Statement

The main reason for switching to an IPv6 environment is of course address space and the limitations imposed by workarounds like NAT, but there are more benefits than that when using IPv6. The biggest advantage for "normal" users is that IPsec is a mandatory part of every IPv6 implementation, so authenticated and encrypted traffic that resists sniffing is available on every host without add-on software. It is not switched on by itself, though: IPsec still has to be configured and keyed on both ends (see the sections on ipsec6 and OpenSWAN in the migration chapter), and until then IPv6 packets travel in the clear exactly like IPv4 packets do. (I am not talking about the advantages gained through hierarchical routing and so on, for this is only interesting for ISPs.) In addition to this more attention is paid to flow labelling and Quality of Service, which will soon turn into a very interesting topic for everyone (just think of prioritizing VoIP and videoconferencing over usual web traffic). There are IPv4 approaches to all of these aspects as well, but I don't see much sense in patching a very old protocol so it can handle something the new one was designed for.
Although, and I guess you might have noticed by now, I am a fan of IPv6, I have to confess that most benefits do not work as they should, yet. Of course, I could migrate all services and get a working IPv6 infrastructure, but I could not uninstall IPv4 for various reasons, and some basic features still lack implementation. Nevertheless I am advocating IPv6 and am totally convinced that after people find out the possibilities we didn't yet think about because they were not feasible using IPv4, IPv6 will become state-of-the-art very soon.
Chapter 1

The setting-up of my IPv4 network

For the sake of completeness I want to write about the setting-up of the IPv4 network and the troubles that came with it as well. When I got the news that the Berufsförderungsinstitut Burgenland was going to support my work not only by wishing me luck but by giving me the hardware I needed and by lending me a room to put in all the stuff I needed, I was all excited. After putting together the pieces of hardware (and in fact, they came in pieces; please see the pictures) into some functional thing one would have called a PC a few years ago, I got more and more of a notion of the upcoming work. This was sometime in June 2005. Later in June I went to the LinuxTag 2005 in Karlsruhe, which gave me even more inspiration for starting my work with the full capacity of motivation I had. Back from Germany in July I started documenting my work in more detail. My first entries are from the week between the 20th and the 26th of July.
After setting up the operating systems on all hosts in the network the configuration of the services started. One of the first things done was the installation of the asterisk server together with the Digium card.

CHAPTER 1. THE SETTING-UP OF MY IPV4 NETWORK 9

1.1 Maggie and her asterisk server[1][2]

After putting in the Digium card I got from the company (they are thinking about switching to asterisk-only internal telephony in a few months) several things were missing. Maggie is set up with Debian Sarge 3.1 and kernel 2.4.27-2-686 but was missing the kernel headers and the kernel source, which had to be installed separately.
The following additional packages have been installed with "apt-get install":

openssl, libncurses-dev, libssl-dev, zlib1g-dev, cvs


With the help of cvs I got the newest versions of zaptel, libpri and of course asterisk:

cd /usr/src
export CVSROOT=:pserver:anoncvs@cvs.digium.com:/usr/cvsroot
cvs login          (password: anoncvs)

Don't get confused by an error popping up when you use cvs for the first time. It only tells you that the file holding the password (~/.cvspass) did not exist yet and is being created.

cvs checkout zaptel libpri asterisk

Now you are getting the sources for the three packages you need. Keep in mind that anonymous pserver access is neither authenticated nor integrity-protected, so what you build here is whatever the network delivered; the same holds for every unsigned download in this chapter. After the data has been received you can start installing the new software by changing into the directory of the package you want to install and building the sources. Zaptel is the telephony card driver and is only needed with this kind of hardware. Build zaptel first, because asterisk's Zap channel driver needs its headers:

cd zaptel
make clean
make install
cd ../libpri
make clean
make install
cd ../asterisk
make clean
make install
make samples

In order to make the samples you need the package progdocs.
The zaptel driver mentioned above needs to be loaded with (don't forget to add the module permanently to the /etc/modules file):

modprobe zaptel

For configuring regional parameters and how each port on your telephony card is used you have a configuration file:

/etc/zaptel.conf

Here you define the local signalling options and make the distinction between FXO and FXS ports. When you are working with FX interfaces, the hardware is named after what it connects to, but the signalling has to name the device we are emulating. An FXO port connects to the central office (the O), so on that port the software has to behave like a station and gets FXS signalling (fxsks); an FXS port connects to a station (the S), so it gets FXO signalling (fxoks).
After zaptel.conf is edited you must load the driver for the card and push the configuration into it:

modprobe wcfxs
ztcfg -vv

Note: the zaptel module always has to be loaded first. The drivers for the devices (wcfxs for the TDM400P in this version of zaptel, ztdummy when there is no card, ...) follow.
After you have configured your hardware you need to take a look at asterisk itself. After you have built the sources there are, of course, some configuration files left to configure. To start with a simple configuration and experience some success soon you can load the sample configuration files. Asterisk will by default look for configuration files in /etc/asterisk, which has to be created manually:
mkdir /etc/asterisk
The promised sample configuration can be found in /usr/src/asterisk/configs and is obtained by copying the files to the /etc/asterisk folder (if you don't have them there by default, as I did):

cd /usr/src/asterisk/configs
cp ./modem.conf.sample /etc/asterisk/modem.conf
cp ./modules.conf.sample /etc/asterisk/modules.conf
cp ./phone.conf.sample /etc/asterisk/phone.conf
cp ./voicemail.conf.sample /etc/asterisk/voicemail.conf
cp ./zapata.conf.sample /etc/asterisk/zapata.conf

Now you can start your asterisk server for the first time:

/usr/sbin/asterisk -cvvv

The "-c" starts asterisk in the foreground with a console; the three "v"s raise the verbosity and can be extended to five for very detailed output. Now you have a working installation of asterisk with a CLI*> prompt waiting for calls to make. But before you can enjoy calling others via VoIP there are some configuration issues ahead.
A catchword in the world of asterisk is "channel". A channel is the logical connection to the various transmission and signalling paths which asterisk uses to handle calls. You could also describe it as a driver between the various kinds of VoIP protocols and the hardware that connects to the PSTN. The rules that asterisk follows for this purpose can be found in the so-called dialplan, where we define what kind of channels we need and how they are usable for the system.
Before you can set up the dialplan you have to define the channels to use. In my lab we only had FXO, FXS, IAX and SIP channels in use, which I am going to describe now. (Check the appendix for the config files.)

1.1.1 FXO, FXS, IAX, SIP

First I want to describe the terms FXO and FXS in more detail. They have their origin in an old telephone service called Foreign eXchange (FX). The confusing part about FXO and FXS is that FX cards are not named by what they are but by what they connect to. Therefore, an FXS card is connected to a station and has to behave like a central office (FXO, of course, behaves vice versa).
An FXS interface is the same as the standard analogue line a phone company provides to most houses and supplies you e.g. with a dial tone, ringing voltage and DTMF detection. The FXO is the side connecting to a central office and generates DTMF, detects the dial tone and detects ringing. Both kinds of interfaces are described in /etc/zaptel.conf (port type and signalling); the channels asterisk builds on top of them are configured in /etc/asterisk/zapata.conf.
IAX on the other hand, the Inter-Asterisk eXchange protocol, is an IP-based media transport protocol and is configured in the iax.conf file. In my topology we will later tunnel the IAX traffic through OpenVPN to our branch office.
The Session Initiation Protocol (SIP) is becoming the most supported kind of VoIP protocol because, like IAX, it is pretty easy to set up. SIP telephony is set up in the sip.conf file, where you define IP address, port and other options so that the phone on the other side can authenticate to the asterisk server.
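The inverted naming from above in concrete configuration files. This is an added example, not a configuration file from the thesis (the author's own files are in the appendix). It assumes that the TDM31B carries its three FXS modules on ports 1 to 3 and the FXO module on port 4, an Austrian tone set, the context names internal and from-pstn, the caller IDs 201 to 203, and SIP peers that mirror the two Sipura lines 301/302 configured in section 1.1.4; all of these names are assumptions for the example.

```ini
# /etc/zaptel.conf  (comments in this file start with '#')
# Ports 1-3 carry the FXS modules: analogue phones hang off them, so the card
# has to act as the "office" on these ports -> FXO signalling, kewlstart.
fxoks=1-3
# Port 4 is the FXO module plugged into the PSTN line, so the card acts as a
# station towards the exchange -> FXS signalling, kewlstart.
fxsks=4
# Tone set (assumption: Austria; pick your own country code)
loadzone=at
defaultzone=at

; /etc/asterisk/zapata.conf  (asterisk files use ';' for comments)
; Settings stay in effect for every following "channel =>" line until they
; are overridden, so the FXS ports and the FXO port are grouped.
[channels]
language=en
usecallerid=yes
echocancel=yes

; FXS ports: the company's own phones. Their calls land in the internal
; context, which is the only one allowed to dial out in the dialplan.
signalling=fxo_ks
context=internal
group=1
callerid="Analogue phone 1" <201>
channel => 1
callerid="Analogue phone 2" <202>
channel => 2
callerid="Analogue phone 3" <203>
channel => 3

; FXO port: calls arriving from the PSTN land in a separate, restricted
; context so that an outside caller can never reach the outbound rules.
signalling=fxs_ks
context=from-pstn
group=2
callerid=asreceived
channel => 4

; /etc/asterisk/sip.conf
[general]
bindaddr=0.0.0.0
port=5060
allowguest=no        ; unauthenticated INVITEs are rejected instead of landing in a context
disallow=all
allow=alaw
allow=ulaw
dtmfmode=rfc2833     ; matches "DTMF Tx Method: AVT" on the Sipura (section 1.1.4)

[301]
type=friend
host=dynamic         ; the SPA-2000 registers (every 20 s with the settings from 1.1.4)
secret=301           ; value from the thesis; in production use a secret that differs from the user ID
context=internal

[302]
type=friend
host=dynamic
secret=302
context=internal
```

After loading the modules and running ztcfg, "zap show channels" and "sip show peers" on the asterisk console show whether the four Zap channels and the two SIP peers came up with the contexts intended here; a peer that registers with an unexpected context is the first thing to look for when outside callers can suddenly dial out.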

1.1.2 Maggie’s dialplan

The dialplan is said to be the heart of any asterisk system, for it defines how asterisk should handle each call. This list of instructions is found in the file /etc/asterisk/extensions.conf and is divided into different parts called contexts. In them extensions, priorities and applications are defined.
Contexts play an organizational role within the dialplan and define scopes: a call can only reach the extensions of the context its channel was placed in, so contexts also decide who may dial what. Within the context, extensions (character strings triggering events) are defined. Here you define things like which phone should ring when a certain phone number is called or what the system should do if no one picks up the phone and so on. Priorities are numbered steps in the execution of each extension and each priority calls a specific application, which in turn performs a certain action like playing sounds or hanging up the call. So the syntax of this file generally looks like this:

[<context-name>]
exten => <extension>,<priority>,<application>

e.g.: exten => 555,1,Dial(Zap/1,20)
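A small extensions.conf in this syntax, added here as an example rather than taken from the thesis (the author's dialplan is in the appendix). It assumes the channel names of the Digium card (Zap/1 to Zap/3 for the analogue phones, Zap/4 for the PSTN line), the SIP peers 301 and 302 of the Sipura adapter, mailboxes 201, 202, 301 and 302 in voicemail.conf and a leading 0 as trunk prefix; the VoiceMail(u<box>) form is the Asterisk 1.2 syntax that was current when the thesis was written. The point it shows is that a context is a scope: the pattern for outside calls exists only in the context of the company's own phones, so a call coming in from the PSTN cannot use the PBX to get a second outside line.

```ini
; /etc/asterisk/extensions.conf (Asterisk 1.2 syntax)
[general]
static=yes
writeprotect=yes      ; "save dialplan" from the CLI may not overwrite this file

[globals]
PSTN=Zap/4            ; the FXO module towards the exchange (assumed to be port 4)

; ---------------------------------------------------------------------------
; Context for the company's own phones (zapata.conf and sip.conf point here).
; Each extension is a list of priorities; priority n+1 runs when the
; application in priority n returns, e.g. when nobody answers within 20 s.
; ---------------------------------------------------------------------------
[internal]
exten => 201,1,Dial(Zap/1,20)
exten => 201,2,VoiceMail(u201)      ; "u" plays the "unavailable" greeting
exten => 201,3,Hangup()
exten => 202,1,Dial(Zap/2,20)
exten => 202,2,VoiceMail(u202)
exten => 202,3,Hangup()
exten => 301,1,Dial(SIP/301,20)     ; first line of the Sipura SPA-2000
exten => 301,2,VoiceMail(u301)
exten => 301,3,Hangup()
exten => 302,1,Dial(SIP/302,20)     ; second line of the Sipura SPA-2000
exten => 302,2,VoiceMail(u302)
exten => 302,3,Hangup()
; outside line: the leading 0 (assumed trunk prefix) is stripped and the
; rest is dialled on the FXO port; only this context contains the pattern
exten => _0.,1,Dial(${PSTN}/${EXTEN:1},60)
exten => _0.,2,Congestion()
; listen to voicemail from any internal phone
exten => 500,1,VoiceMailMain()

; ---------------------------------------------------------------------------
; Context for calls coming in on the PSTN line. An FXO port hands the call
; to the extension "s" (start). Because _0. is not defined here, an outside
; caller cannot obtain a second outside line through the PBX (toll fraud).
; ---------------------------------------------------------------------------
[from-pstn]
exten => s,1,Answer()
exten => s,2,Dial(Zap/1&Zap/2&SIP/301,30)   ; ring several phones at once
exten => s,3,VoiceMail(u201)
exten => s,4,Hangup()
```

Load it with "extensions reload" on the asterisk console and check with "show dialplan from-pstn" that the inbound context really contains nothing but the "s" extension; if a pattern such as _0. or an include of the internal context ever shows up there, every caller on the PSTN line can place calls at your expense.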
At the end of July I managed to have a working telephony system with analogue telephones, a Sipura adapter with two analogue phones and two SIP phones (Grandstream BudgeTone 100 and an Allnet ALL7950).
Both SIP phones and the Sipura adapter can be configured through a web interface built into the devices:

Grandstream BudgeTone 100: http://192.168.200.129
password: foo
Allnet ALL7950: http://192.168.200.130:9999
user: elsylo
password: foo
Sipura SPA-2000: http://192.168.201.129/admin

1.1.3 Digium card details

The Digium card used in this lab is a TDM400P, or to be more precise a TDM31B. TDM31B describes the composition of FXO and FXS channels.

Figure 1.1: The naming convention for the TDM bundles is as follows: TDM X Y B, where "TDM" denotes that the card is TDM, "X" denotes the number of FXS modules, "Y" denotes the number of FXO modules, and "B" indicates that this product is a bundle.[41] For the TDM31B this means three FXS modules and one FXO module.

1.1.4 Configuring Sipura SPA-2000 [40] [5]

After plugging in the Sipura SPA-2000 device its web interface is reachable through the network. If you don't know which IP address the device has at the moment, simply dial "****" on a phone plugged into the Sipura adapter. A male voice welcomes you to the "Sipura Configuration Menu" and asks you to enter an option followed by the pound key. You can now type e.g. "110#" and he reads the IP address of the phone adapter back to you. The next step is to browse to http://192.168.201.129/admin and change to the advanced mode of the configuration interface.

Figure 1.2: some Sipura options you can query on a touch tone telephone[4]

By default two users called "admin" and "user" exist with a blank password. Set both before the adapter goes into use: with an empty admin password anyone who can reach the web interface can change the SIP settings, e.g. point the lines at another proxy. Remember that, whatever you change on the web interface, the changes only take effect when pressing "Submit All Changes". In the "System" tab you can either set the IP address statically or dynamically via DHCP (default: DHCP: On). In the "Line 1" tab the following changes to the default configuration have been made: the Proxy is set to the IP address of the local asterisk server (192.168.201.1), the "Register Expires" value is lowered to "20" (default: 3600). In the section "Subscriber Information" the "Display Name", as well as "User ID" and "Password", are set to "301". In the last subsection "Audio Configuration" the "DTMF Tx Method" is set to "AVT", sending the dialled digits as AVT events conforming to RFC 2833. The same settings, except for the "Display Name", "User ID" and "Password", are used for tab "Line 2". These options were set to the value "302" this time. In tabs "User 1" and "User 2" I changed in the section "Ring settings" the "Default Ring" to "2", "Hold Reminder Ring" to "8" and "Call Back Ring" to "7".

1.2 Marge and the CUPS problem

At the time I tried to set up asterisk in my environment, I also got my printer for the lab, an HP LaserJet 1300 connected via USB to marge. I decided to use CUPS as printer manager here.

1.2.1 Installing CUPS [6, 8, 7]

In order to have CUPS on your system you need to install some packages with “apt-get install”. The packages in brackets are those I had to install additionally in order to get the ones I needed:
python-dev, libsnmp5-dev (libssl-dev, libssl0.9.7e-3), libcupsys2-dev (libgnutls11-dev, libtasn1-2-dev), python-qt3, lsb
When you are done with this you need to download and install the driver for the printer. To be more precise, you need to download the HPLIP tar file from http://hpinkjet.sourceforge.net. The file you get is a *.tar.gz and is extracted with the command “tar xvfz *.tar.gz”. This creates a folder; after changing into that folder you can run
./configure --prefix=/usr
make
make install        # you need to be root for this
/etc/init.d/hplip restart
/etc/init.d/cups restart

Now the only thing left to do is to add the printer to CUPS. This is usually done via the web interface, but because I did not install any window environment on my Linux computers I decided to use lynx, a text-based web browser, instead:
lynx http://localhost:631
In the “Printers” section you can “Add Printer” and have to type in a printer name, which should be meaningful and must not contain spaces. In the next step you are prompted to define exactly the device you use. For a USB device choose e.g.:
usb://HP/LaserJet%201300
In the next step you have to choose the make of your printer, which in my case is HP. The last step is to choose the model of the printer (LaserJet 1300), and this was the step that ruined my otherwise perfect installation of the printer. There are several LaserJet 1300 printer drivers in this list and I chose the one with the note “Recommended”. What I did not know and/or see at this time was that this was a driver for a PostScript printer and did not really suit my needs. The diabolical thing about this mistake was that the printer worked with Linux clients printing on it without any trouble (I had some layout difficulties; the borders needed to be defined manually) and even worked with some Windows applications. But when it came to the point where I wanted to install the printer on my Windows 2000 machine, I found the spoolsv service occupying about 90% of the system load, and programs tended to crash when printing something or even when installing the printer. My first thought, of course, was that Windows, especially Windows 2000, is not suited for use with CUPS, but I was proven wrong when a colleague installed the not-recommended CUPS driver and everything worked fine. (In fact, finding out what the problem was did not happen quickly, but I leave out the boring details.)
Note: A spoolsv process with a huge CPU load in most cases indicates the existence of a virus on the system, such as a Trojan or, more precisely, e.g. the agobot worm/backdoor, which infects *.exe files on your PC. Having had trouble with agobot on other systems before, I checked the usual registry keys agobot uses:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
After I could rule out this possibility, I also found information about print jobs stuck in the printer queue producing similar behaviour (check the Microsoft Image Writer queue). Look for the Windows printer queue in
%SYSTEMROOT%\system32\spool
CUPS printers can be accessed via
http://marge.sylvia.test:631/printers/HP_LaserJet_1300
There you have a very user-friendly printer management interface where you can access the printer queue and of course all printers added to CUPS.
After this problem was solved, I no longer had problems with the CUPS system, could print even from my Windows 2000 PC and had the correct alignment on the sheets. On each Windows PC you only have to add a new network printer, choose the location http://marge.sylvia.test:631/printers/HP_LaserJet_1300 and add the correct printer driver (hplj1300m6.inf), which I downloaded from the HP homepage. If you feel you need more information on the topic of installing a CUPS printer on a Windows system, I’d recommend the page http://www.owlfish.com/thoughts/winipp-cups-2003-07-20.html.
For Linux systems this was even easier. The only thing you have to edit after “apt-get install cupsys-client” is the /etc/cups/client.conf file, to the following:
--- [snip] ---
ServerName marge.sylvia.test
Now the printer is accessible from your Linux system, and you can test it from the command line by printing the configuration file itself:
lp /etc/cups/client.conf
Figure 1.3: the management interface of CUPS; the first printer is the working one, the second the one with the wrong driver type

1.3 Bart and Snowball are getting their iptables[9]

Iptables, the tool for creating packet-filtering and NAT rules, is one of the most important services on both hosts, since it prevents disallowed traffic from leaving or entering the network. The rules on both nodes are the same and therefore I will only show one of them. The firewall rules here should be taken as minimum security, but they were sufficient for my needs.
#!/bin/bash
FWVER=1.0
# for Sylvia's master thesis project

echo -e "\nLade Firewall - Version $FWVER..\n"

IPTABLES=/sbin/iptables
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/usr/bin/awk
SED=/bin/sed
IFCONFIG=/sbin/ifconfig

# define the interfaces to use
EXTIF="eth0"
INTIF="eth1"
echo "  External Interface: $EXTIF"
echo "  Internal Interface: $INTIF"
echo "  ---"
EXTIP="192.168.150.7"
echo "  External IP: $EXTIP"
echo "  ---"

# define the networks to use
INTNET="192.168.201.0/24"
# we have a server network; servers have low IP addresses and have
# different rights (from clients)
SERVNET="192.168.201.0/27"
HAUPTNET="192.168.150.0/24"
INTIP="192.168.201.1/24"
echo "  Internal Network: $INTNET"
echo "  Server Netzwerkteil: $SERVNET"
echo "  Internal IP: $INTIP"
echo "  ---"
UNIVERSE="0.0.0.0/0"

echo "  -Verifying that all kernel modules are ok"
$DEPMOD -a
echo -en "Loading kernel modules: "
echo -en "ip_tables, "
if [ -z "`$LSMOD | $GREP ip_tables | $AWK '{print $1}'`" ]; then
    $MODPROBE ip_tables
fi
echo -en "ip_conntrack, "
if [ -z "`$LSMOD | $GREP ip_conntrack | $AWK '{print $1}'`" ]; then
    $MODPROBE ip_conntrack
fi
echo -en "ip_conntrack_ftp, "
if [ -z "`$LSMOD | $GREP ip_conntrack_ftp | $AWK '{print $1}'`" ]; then
    $MODPROBE ip_conntrack_ftp
fi
echo -en "ip_conntrack_irc, "
if [ -z "`$LSMOD | $GREP ip_conntrack_irc | $AWK '{print $1}'`" ]; then
    $MODPROBE ip_conntrack_irc
fi
echo -en "iptable_nat, "
if [ -z "`$LSMOD | $GREP iptable_nat | $AWK '{print $1}'`" ]; then
    $MODPROBE iptable_nat
fi
echo -en "ip_nat_ftp, "
if [ -z "`$LSMOD | $GREP ip_nat_ftp | $AWK '{print $1}'`" ]; then
    $MODPROBE ip_nat_ftp
fi
echo -e "ip_nat_irc"
if [ -z "`$LSMOD | $GREP ip_nat_irc | $AWK '{print $1}'`" ]; then
    $MODPROBE ip_nat_irc
fi

# !!! forwarding !!!
echo "---"
echo "  ENABLING FORWARDING! "
echo "1" > /proc/sys/net/ipv4/ip_forward

echo "  Clearing any existing rules and setting default policy to DROP -"
# flushing the chains and setting the policies before editing them
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
    $IPTABLES -F drop-and-log-it
fi
$IPTABLES -X
$IPTABLES -Z

echo "  CREATING a DROP chain"
# everything sent here is logged (kernel log, level info) and then dropped
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info
$IPTABLES -A drop-and-log-it -j DROP

echo -e "\n  - loading INPUT rulesets"
# Input rules; the 1st one is for the OpenVPN tunnel interface
$IPTABLES -A INPUT -i tun+ -j ACCEPT
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $HAUPTNET -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
# internal source addresses arriving on the external interface are spoofed
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
echo -e "  allowing external interfaces to access the www"
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
    -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

echo -e "  Loading OUTPUT RULESETS !!!!!! "
# Output rules; the 1st one is for the OpenVPN tunnel interface
$IPTABLES -A OUTPUT -o tun+ -j ACCEPT
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $INTIP -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

echo -e "  - loading forwarding ruleset"
# Forwarding rules; the 1st two rules are for the OpenVPN tunnel interface
$IPTABLES -A FORWARD -i tun+ -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o tun+ -s $INTIP -j ACCEPT
echo "  - FWD : Allow all connections out and only existing or related in"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -s $HAUPTNET -d $UNIVERSE -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# you could choose to allow all traffic for the servers here
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $SERVNET -j ACCEPT
# web traffic allowed for the proxy only
## $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s 192.168.200.5 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -p tcp --destination-port 80:443 -j drop-and-log-it
# end web traffic
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j drop-and-log-it

echo "NAT : enabling SNAT functionality on $EXTIF"
# enabling postrouting NAT
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

echo -e "\nStronger rc.firewall-2.4 $FWVER done.\nHAVE A NICE DAY.\n"

# setting the default route
route add default gw 192.168.150.5
echo -e "\nDefault-Route set for Jormannsdorf.\n"
This is the ruleset loaded at /etc/rc2.d/S12firewall on host snowball.
Note: Dropped packets are by default displayed on the console as they occur. Because this is not really convenient to work with, I decided to log the packets to /var/log/messages. In order to do that you have to modify the file /etc/init.d/klogd and change the variable KLOGD to
KLOGD="-c 4"
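Once klogd writes the kernel messages to /var/log/messages, the lines produced by the drop-and-log-it chain (LOG target without --log-prefix in the ruleset above) can be summarised instead of read one by one. The following Python is an added example, not part of the thesis: it parses constructed sample lines in the standard netfilter LOG format and maps each dropped packet back to the rule of the ruleset above that most plausibly dropped it, using the interface names and networks defined there.

```python
"""Parse iptables LOG lines written by the drop-and-log-it chain and
summarise them.  Added example for this thesis section; the log lines below
are constructed, the field layout is the standard netfilter LOG format
(key=value tokens plus bare flag words such as DF or SYN)."""
import ipaddress
import re
from collections import Counter

# Interfaces and networks as defined in the firewall script above.
EXTIF, INTIF = "eth0", "eth1"
INTNET = ipaddress.ip_network("192.168.201.0/24")

# Constructed sample lines in /var/log/messages syntax.  No --log-prefix was
# used in the ruleset, so the kernel message starts directly with IN=.
SAMPLE_LOG = """\
Dec  4 09:13:10 snowball kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.201.77 DST=192.168.150.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  4 09:13:12 snowball kernel: IN=eth1 OUT=eth0 SRC=192.168.201.40 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  4 09:13:12 snowball kernel: IN=eth1 OUT=eth0 SRC=192.168.201.40 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4713 DF PROTO=TCP SPT=40003 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  4 09:13:15 snowball kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.168.150.7 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=9 PROTO=TCP SPT=55555 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Dec  4 09:13:20 snowball kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.168.150.7 LEN=32 TOS=0x00 PREC=0x00 TTL=52 ID=10 PROTO=UDP SPT=1234 DPT=161 LEN=12
Dec  4 09:13:21 snowball kernel: something unrelated from the kernel
"""

# syslog timestamp, host, "kernel:", then the netfilter fields
KERNEL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>IN=.*)$"
)


def parse_line(line):
    """Return a dict of the netfilter fields, or None for non-LOG lines."""
    m = KERNEL_RE.match(line)
    if not m:
        return None
    fields = {"ts": m.group("ts"), "host": m.group("host"), "flags": set()}
    for tok in m.group("msg").split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            # UDP lines carry a second LEN= (the UDP length); keep the IP one
            fields.setdefault(key, value)
        else:
            fields["flags"].add(tok)  # DF, SYN, ACK, ...
    return fields


def classify(entry):
    """Name the rule of the ruleset above that most likely dropped the packet."""
    src = ipaddress.ip_address(entry["SRC"])
    if entry["IN"] == EXTIF and src in INTNET:
        return "spoofed-internal-source"   # INPUT: -i $EXTIF -s $INTNET
    if (entry["IN"] == INTIF and entry["OUT"] == EXTIF
            and entry.get("PROTO") == "TCP"
            and 80 <= int(entry.get("DPT", 0)) <= 443):
        return "web-not-via-proxy"         # FORWARD: --destination-port 80:443
    if entry["IN"] == EXTIF and entry["OUT"] == "":
        return "unsolicited-inbound"       # final INPUT catch-all
    return "other"


def summarise(log_text):
    """Count dropped packets per (rule class, SRC, PROTO, DPT)."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        key = (classify(entry), entry["SRC"],
               entry.get("PROTO", "?"), entry.get("DPT", "-"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (cls, src, proto, dpt), n in summarise(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {cls:<26} {src:<16} {proto}/{dpt}")
```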

1.4 Maggie: MySQL server[33]

Maggie is not only our asterisk server in this environment; because she has pretty good hardware we decided to make her the database server as well. The database chosen is MySQL because of its widespread popularity and its many uses. Since there was no Debian binary available, I downloaded the sources from http://dev.mysql.com/downloads/mysql/4.1.html (at this time MySQL 5.0 was not yet available). For installing you need gunzip, tar, gcc and make, and the following commands:
# creating a group and a user mysql
shell> groupadd mysql
shell> useradd -g mysql mysql
shell> gunzip < mysql-VERSION.tar.gz | tar -xvf -
shell> cd mysql-VERSION
# ./configure --help shows you the configure options; here I chose to install
# mysql to /usr/local/mysql
shell> ./configure --prefix=/usr/local/mysql
shell> make
shell> make install
# setting up a sample configuration file
shell> cp support-files/my-medium.cnf /etc/my.cnf
shell> cd /usr/local/mysql
# if you haven’t installed MySQL before, you have to install the grant tables
shell> bin/mysql_install_db --user=mysql
# change the owner of the binaries to root, the owner of the data to mysql
shell> chown -R root .
shell> chown -R mysql var
shell> chgrp -R mysql .
# initializing and testing afterwards:
shell> bin/mysqld_safe --user=mysql &
# if you would like to have the MySQL server started at boot, use the script
# located in support-files/mysql.server
# to create a new user “user” with all rights from every host (’%’) with
# password “password”; this creates an entry in table “user” of database “mysql”
mysql> GRANT ALL ON *.* TO 'user'@'%' IDENTIFIED BY 'password';
# for logging
shell> mkdir /var/log/mysql
shell> chown mysql:mysql /var/log/mysql
# in /etc/my.cnf, specify the binary log directory (the slash at the end is important!)
log-bin=/var/log/mysql/

1.5 Installing OpenVPN on snowball and bart

OpenVPN [5] is a program written by James Yonan providing the ability to set up SSL-encrypted Virtual Private Networks. The SSL encryption is provided by OpenSSL and there are three ways of authenticating peers. One is the use of certificates, which is the most secure; another takes username/password pairs so that clients no longer have to hold their own certificates. The easiest way of having an SSL-encrypted tunnel is with the help of pre-shared keys. There are several drawbacks to this static-key approach, like limited scalability or the fact that the key has to exist on each host in plain text.
You can download the OpenVPN package either from the homepage http://openvpn.net or get it with a simple “apt-get install openvpn” on Debian-based systems.
The first thing to do after you have installed OpenVPN is to decide whether to use a routed or a bridged VPN. The choice is about whether the connected network or host should be treated as a member of the other network, or whether traffic between them is treated as if there were a router in between. In a bridged VPN you have broadcasts traversing the tunnel and no routing entries to make; this is an easy-to-use choice for road warriors, but it does not scale very well and is less efficient than routing. Overall, in most cases you will use routing instead of bridging: it is easy to set up and provides better access control. Bridging, on the other hand, should be used if you are using non-IP protocols such as IPX, running applications relying on broadcasts, or want browsing of Windows file shares made possible without setting up WINS. As you might have guessed, I decided to use a routed VPN.

1.5.1 Setting up your Certification Authority (CA) [13]

If you don’t already have a PKI (public key infrastructure) you should start by building one. Authentication is bidirectional, meaning the server authenticates the client and the client in turn authenticates the server before a secure connection can be established. Both authenticate by verifying that the certificate was signed by the certification authority and afterwards by checking the certificate fields for things like the certificate common name or certificate type. This requires the existence of key pairs (public and private) for each host wanting to connect to the VPN and a certification authority signing them. If you don’t want or need an official authority to sign the keys, you can also build your own authority, which is described below.
In your /usr/share/doc/openvpn/examples directory is a directory called easy-rsa. Best practice is to copy that folder into your /etc folder so that future package upgrades don’t affect your configuration. Then you have to modify your ./vars file with the information about KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL (don’t leave any of them blank). To initialize the PKI you only have to:
. ./vars
./clean-all
./build-ca
Note: In my case, the first command, which sets the global parameters for building the PKI from the ./vars file, did not work, so I chose the hands-on method of adding the exported parameters from the ./vars file to the /root/.profile file myself.
The last command, ./build-ca, creates the CA and invokes an interactive openssl command where you have to give the needed information. As set before, the information provided through the ./vars file is used as the default here. Only the Common Name has to be added, and in my case this is “snowball”.

1.5.2 Generating certificates and keys

With a Certification Authority up and running, the next step is to generate a certificate and private key for the server.
./build-key-server snowball
Common Name: snowball
sign certificate: yes
1 out of 1 certificate certified: yes
All other queried parameters can be left at their defaults except for the three mentioned above; the last two require positive responses.
Building the keys for the clients in the VPN network is as easy as building the server key. Building keys for two clients is done by
./build-key client1
./build-key client2
where client1 and client2 are the unique Common Names for the two clients. If you would like to have password-protected keys, use ./build-key-pass instead. Last but surely not least important is the generation of Diffie-Hellman parameters.

1.5.3 Diffie-Hellman parameters [14]

Diffie-Hellman refers to the Diffie-Hellman key agreement protocol, a technique for negotiating a secret key over an insecure medium like the Internet. The protocol is also called “exponential key agreement” and was devised by Diffie and Hellman. Diffie-Hellman is very secure because it uses very large integers to compute the keys. Its only vulnerability is to man-in-the-middle attacks: because the exchanged values are not authenticated, an attacker could negotiate a separate key with each of the two nodes without anyone noticing.
The parameters are generated on the server (this will take some time):
./build-dh
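To make the previous paragraph concrete, here is an added Python example (not from the thesis or from OpenVPN) that runs a Diffie-Hellman exchange between two peers, first over the bare public values and then with each value authenticated. The Relay class models the man-in-the-middle the text describes; the defender's point is the second run, where authenticating the public values (here a constructed pre-shared HMAC key standing in for the certificate signatures OpenVPN uses) makes the substitution detectable. The toy prime and generator are constructed and far too small for real use.

```python
"""Diffie-Hellman key agreement with and without authentication of the
exchanged public values.  Added example for this thesis section; it is not
OpenVPN code.  The group below is a constructed toy parameter set chosen so
the example runs instantly; real deployments use the 1024-bit or larger
parameters that ./build-dh generates."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # a Mersenne prime: far too small for real use (constructed)
G = 5                # generator for the toy group


def dh_keypair():
    """Private exponent x and public value g^x mod p."""
    priv = secrets.randbelow(P - 3) + 2        # 2 .. P-2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Shared secret peer_pub^priv mod p, rejecting degenerate public values."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("public value out of range")
    return pow(peer_pub, priv, P)


def session_key(shared):
    """Derive a fixed-length key from the shared integer."""
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()


def tag_for(auth_key, pub):
    """Authentication tag over a public value (stand-in for a certificate signature)."""
    return hmac.new(auth_key, pub.to_bytes(16, "big"), hashlib.sha256).digest()


class Peer:
    """One endpoint.  With auth_key set it tags its own public value and
    refuses untagged or wrongly tagged ones from the other side."""

    def __init__(self, name, auth_key=None):
        self.name, self.auth_key = name, auth_key
        self.priv, self.pub = dh_keypair()

    def hello(self):
        tag = tag_for(self.auth_key, self.pub) if self.auth_key is not None else None
        return {"pub": self.pub, "tag": tag}

    def finish(self, msg):
        if self.auth_key is not None:
            expected = tag_for(self.auth_key, msg["pub"])
            if msg["tag"] is None or not hmac.compare_digest(expected, msg["tag"]):
                raise ValueError(f"{self.name}: peer value is not authenticated")
        return session_key(dh_shared(self.priv, msg["pub"]))


class Relay:
    """An on-path party that swaps in its own public value in both directions
    and so ends up with a separate key towards each peer (the situation the
    text describes).  It holds no auth_key, so it cannot forge valid tags."""

    def __init__(self):
        self.priv, self.pub = dh_keypair()
        self.keys = {}   # peer name -> key the relay shares with that peer

    def rewrite(self, msg, from_name):
        self.keys[from_name] = session_key(dh_shared(self.priv, msg["pub"]))
        return {"pub": self.pub, "tag": None}


def run_exchange(auth_key=None, relay=None):
    """One two-message exchange; returns (alice_key, bob_key, relay)."""
    alice, bob = Peer("alice", auth_key), Peer("bob", auth_key)
    to_bob, to_alice = alice.hello(), bob.hello()
    if relay is not None:
        to_bob = relay.rewrite(to_bob, "alice")     # what bob actually receives
        to_alice = relay.rewrite(to_alice, "bob")   # what alice actually receives
    return alice.finish(to_alice), bob.finish(to_bob), relay


if __name__ == "__main__":
    a, b, _ = run_exchange()
    print("honest exchange, keys equal:", a == b)
    a, b, r = run_exchange(relay=Relay())
    print("unauthenticated exchange with relay, keys equal:", a == b,
          "- relay holds both:", a == r.keys["alice"] and b == r.keys["bob"])
```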

1.5.4 Distributing the files

The last step is to distribute the key files generated on the server over a secure channel to the clients, where they have to reside for future encrypted and authenticated connections. Of course, you could also generate the client keys on the clients themselves and have them signed on the key-signing machine by submitting Certificate Signing Requests (CSR); then the .key files never have to leave your hard disk. In my lab I chose the secure way of putting the files on a floppy and carrying it to the clients (old school but secure). Below you have a list of files created in the process of setting up the PKI.

1.5.5 Advantages when using this security model

• The server only has to store its own certificate/key.
• The server only accepts signed certificates, and this check only needs the CA certificate (its public key), which means that the CA’s private key could even reside on a machine not connected to the network.
• Keys that have been compromised can easily be added to the CRL (certificate revocation list).
• Servers can enforce access rights through embedded information like Common Names.

1.5.6 Configuring OpenVPN

The easiest way to configure OpenVPN is to start with the sample configuration files provided in the package. So begin by
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/
for the server configuration and
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
for the client.

1.5.6.1 server.conf (snowball.sylvia.test)

(Comments are shortened)
port 1194
proto udp
## routed VPN
dev tun
## paths to the root CA certificate, server certificate and server key
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key   # This file should be kept secret
## path to the Diffie-Hellman parameters
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
## supply a VPN subnet address
server 10.8.0.0 255.255.255.0
## maintain a record of clients
ifconfig-pool-persist ipp.txt
## push routes to the client to reach the subnet behind the server
push "route 192.168.201.0 255.255.255.0"
## per-client files (named after the Common Name) to assign a given IP
## address to a specific host
client-config-dir ccd
## route for the server
route 192.168.200.0 255.255.255.0
## allowing the subnet behind the client to access the VPN
route 10.8.0.0 255.255.255.252
## send ping-like packets every 10 seconds, assume
## that the host is down after 120 seconds
keepalive 10 120
## enable compression on the VPN link
comp-lzo
## reduce the OpenVPN daemon’s privileges after initialization
user nobody
group nobody
## avoid accessing certain resources on restart
## that may no longer be accessible
persist-key
persist-tun
## output a short status file
status openvpn-status.log
## set verbosity
verb 3

1.5.6.2 client.conf (bart.sylvia.test)

(Comments are shortened)
Note: When modifying client.conf, look out for what the server settings are.
## specify that we are a client
client
dev tun
## 10.8.0.2 is the client, 10.8.0.1 the server
ifconfig 10.8.0.2 10.8.0.1
proto udp
## the hostname/IP and port of the server
## don’t use the tunnel-endpoint address here!
## otherwise you get: udpv4 link local: [undef]
remote 192.168.150.7 1194
## keep trying indefinitely to resolve the host name
resolv-retry infinite
## don’t bind to a specific local port
nobind
## downgrade privileges after initialization (non-Windows only)
user nobody
group nobody
## try to preserve some state across restarts
persist-key
persist-tun
## paths for the root CA certificate, client1 certificate and client1 key
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/client1.crt
key /etc/openvpn/easy-rsa/keys/client1.key
## enable compression on the VPN link
comp-lzo
## set log file verbosity
verb 3

1.5.6.3 Additional settings and notes to the installation

In my case the group “nobody” didn’t exist, so I had to create a new one with
addgroup nobody
The next step is to allow the new traffic flows in your firewall with the following rules:
$IPTABLES -A INPUT -i tun+ -j ACCEPT
$IPTABLES -A OUTPUT -o tun+ -j ACCEPT
$IPTABLES -A FORWARD -i tun+ -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o tun+ -s $INTIP -j ACCEPT
The first rule accepts traffic coming in from the tunnel interface and the second one accepts traffic going out of the tunnel interface. Rules three and four concern the forwarding of traffic coming from the tunnel or, in rule four, coming from the internal interface and going out of the tunnel interface with an IP address from the local range. As I forgot rule four in the first place, it seemed to me the most important rule: the error that occurred was that traffic from a host located in the LAN behind the tunnel was dropped. Looking at “ifconfig” on both hosts showed me that the server got a new device called tun0 with IP 10.8.0.1, whereas the client had 10.8.0.6. At that time my ping only worked in one direction, so the fact that the client didn’t use 10.8.0.2 wasn’t of great importance to me. Checking the netstat routing entries helped me get further. The client needs an entry (if not generated automatically) for destination 10.8.0.1 via device tun0. On the server side of the connection the rout￾es have to be checked as well. Make sure there is an opposite route heading to 10.8.0.2 (or whatever your client address is at that time) via device tun0. Then pinging each side has to be possible.
As you might have noticed in the last paragraph, the client address changed from 10.8.0.6 to 10.8.0.2. This has to be configured separately in a file named after the Common Name of the client. So you need a new directory in /etc/openvpn on the server side of the connection with the file
/etc/openvpn/ccd/client1
(both file and folder have user and group set to root) with the following lines in it:
iroute 192.168.200.0 255.255.255.0
ifconfig-push 10.8.0.2 10.8.0.1
The second line pushes the reserved client address. Then, after restarting, ping works in both directions, and even from the LANs behind the tunnel endpoints.

For opening the OpenVPN connection at startup I wrote a small startup script called startup residing in /etc/openvpn/ containing
openvpn /etc/openvpn/server.conf --daemon
Don’t forget to
chmod 755 /etc/openvpn/startup
ln -s /etc/openvpn/startup /etc/rc2.d/S23openvpn
The command “openvpn /etc/openvpn/server.conf --daemon” starts the openvpn daemon with the configuration file “/etc/openvpn/server.conf”. The option “--daemon” puts openvpn into the background, so that its messages are logged to syslog (/var/log/messages) instead of being printed on the console.

1.6 Other services provided by marge.sylvia.test

Above I described one of marge’s services, cups, but marge has more to
offer than only a printer server. Marge is what I would call “the heart”
of my network providing dynamic host addressing, domain name service,
mail server, web server, web-proxy and some other services. Below I will
describe each one briefly.

1.6.1 web server apache

Apache, nowadays the most popular HTTP server and available for almost all platforms, was developed around 1995 and derived from the NCSA HTTPd server, which was pretty popular back then. Because the first approach to building Apache was patching NCSA HTTPd, it is said that the name “apache” is derived from “a patchy” server.
With apache2 v2.0.54 installed (via apt-get install apache2) one can start configuring the whole thing. In former times you had to modify /etc/apache2/httpd.conf, which by now is nothing more than a container kept for backward-compatibility reasons; Apache2 now uses /etc/apache2/apache2.conf. For a simple configuration of Apache you usually don’t even have to change anything. Just browse to http://marge.sylvia.test and you should see the welcome screen at http://marge.sylvia.test/apache2-default, proving that your installation has been successful. To publish files on your server you simply have to add them to your document root. If you are not perfectly sure which directory this is, simply look into
/etc/apache2/sites-enabled/000-default
In the appendix you will find the apache2.conf file. If you need additional support, go and see the website of the Apache Software Foundation [10] or another nice tutorial (for Apache 1.x) at KPLUG [16].

1.6.2 dynamic host addressing dhcpd [17]

For distributing dynamic addresses in the network dhcpd is used. Dhcpd implements the Dynamic Host Configuration Protocol and provides and distributes the information a host needs to join a network. After an address range is defined for the server to use, hosts that are configured to request an IP address after startup are supplied one. You can also set up the server so that only predefined MAC addresses are allowed to get an IP address. This can be desirable if you are monitoring the traffic log files permanently and don’t want to figure out which computer had which address at a given time, or if you want to prevent people from plugging PCs not allowed in your network into it.
When a host is added to a network, the client broadcasts to find servers available for configuration via DHCP, the so-called DHCPDISCOVER. When a server notices a host asking for a DHCP address and the host is allowed on this network, the server sends back a broadcast DHCPOFFER with an IP address it should use. The client then accepts the offer with a broadcast DHCPREQUEST, telling the server that it wants to take the given address (this double-check is needed in case two clients requesting IP addresses simultaneously accept the same offer). The last step in handing out the IP address is a broadcast DHCPACK by the server. Only now can the client configure its interface with the given parameters. The address given is valid until either the client sends a DHCPRELEASE or the lease time, the validity period predefined on the server, expires. See the appendix for the configuration file. As you will see, the IP addresses for the hosts are not defined in the dhcpd.conf but require DNS in between in order to resolve the hostnames. A sample entry:
host nelson.sylvia.test {
    hardware ethernet 00:60:97:11:D5:F0;
    fixed-address nelson.sylvia.test;
}
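The exchange described above, as an added Python model (not dhcpd code): a server with a MAC address allow list in the spirit of the “hardware ethernet” entries, an address pool, and the offer and lease bookkeeping that makes the DHCPREQUEST round trip necessary. An OFFER only reserves an address for a limited time; a REQUEST for an address other than the one reserved for that client is answered with DHCPNAK, and expired leases return to the pool. Pool, server address, hardware addresses and the offer timeout are constructed.

```python
"""Model of the DISCOVER/OFFER/REQUEST/ACK exchange described above, with a
MAC address allow list and the lease bookkeeping that makes the REQUEST
confirmation necessary.  Added example for this thesis section, not dhcpd
code; pool, server address and hardware addresses are constructed."""
import ipaddress
from dataclasses import dataclass

OFFER_TIMEOUT = 60  # seconds an unconfirmed OFFER stays reserved (constructed)


@dataclass
class Message:
    kind: str            # DISCOVER, OFFER, REQUEST, ACK, NAK or RELEASE
    mac: str             # client hardware address
    yiaddr: str = ""     # "your" address: offered, requested or assigned
    server_id: str = ""  # which server made the offer the client accepts


class DhcpServer:
    def __init__(self, server_ip, pool, allowed_macs, lease_time):
        self.server_ip = server_ip
        self.free = [str(ip) for ip in ipaddress.ip_network(pool).hosts()]
        self.allowed = {m.lower() for m in allowed_macs}  # "hardware ethernet" entries
        self.lease_time = lease_time
        self.offers = {}  # mac -> (ip, expiry): reserved by an OFFER, not yet confirmed
        self.leases = {}  # ip -> (mac, expiry): confirmed by an ACK

    def _expire(self, now):
        """Return addresses of timed-out offers and expired leases to the pool."""
        for mac, (ip, exp) in list(self.offers.items()):
            if exp <= now:
                del self.offers[mac]
                self.free.append(ip)
        for ip, (mac, exp) in list(self.leases.items()):
            if exp <= now:
                del self.leases[ip]
                self.free.append(ip)

    def handle(self, msg, now):
        """Answer one client message; returns the server's reply or None."""
        self._expire(now)
        mac = msg.mac.lower()
        if mac not in self.allowed:
            return None                   # unknown hardware address: no answer at all
        if msg.kind == "DISCOVER":
            if mac in self.offers:
                ip = self.offers[mac][0]  # repeat the pending offer
            elif self.free:
                ip = self.free.pop(0)
            else:
                return None               # pool exhausted
            self.offers[mac] = (ip, now + OFFER_TIMEOUT)
            return Message("OFFER", msg.mac, ip, self.server_ip)
        if msg.kind == "REQUEST":
            if msg.server_id != self.server_ip:
                return None               # the client took another server's offer
            pending = self.offers.pop(mac, None)
            if pending is None or pending[0] != msg.yiaddr:
                # not the address this client was offered (stale offer, or a
                # second client asking for an address reserved for another one)
                if pending is not None:
                    self.free.append(pending[0])
                return Message("NAK", msg.mac, server_id=self.server_ip)
            self.leases[msg.yiaddr] = (mac, now + self.lease_time)
            return Message("ACK", msg.mac, msg.yiaddr, self.server_ip)
        if msg.kind == "RELEASE" and self.leases.get(msg.yiaddr, ("",))[0] == mac:
            del self.leases[msg.yiaddr]
            self.free.append(msg.yiaddr)
        return None


def client_exchange(server, mac, now):
    """Run the full four-message exchange for one client at time `now`;
    returns the assigned address, or None if the server stayed silent or NAKed."""
    offer = server.handle(Message("DISCOVER", mac), now)
    if offer is None:
        return None
    reply = server.handle(Message("REQUEST", mac, offer.yiaddr, offer.server_id), now)
    return reply.yiaddr if reply is not None and reply.kind == "ACK" else None


if __name__ == "__main__":
    srv = DhcpServer("192.168.200.5", "192.168.200.128/29",
                     ["00:60:97:11:D5:F0", "00:60:97:11:D5:F1"], lease_time=3600)
    print("unknown MAC ->", client_exchange(srv, "de:ad:be:ef:00:01", 0))
    print("nelson      ->", client_exchange(srv, "00:60:97:11:D5:F0", 0))
```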

1.6.3 DNS server BIND [7][19][20]

The de facto standard in Domain Name Service is BIND, the Berkeley Internet Name Domain. It stores domain name/IP address pairs centrally so that they are accessible to all clients on the network. BIND is e.g. responsible for providing you with the IP address when you enter a hostname in your web browser. The entry BIND looks up is called an A record, while there are several others, like e.g. CNAME, indicating an alias for a given A record.
Several files are needed in order for BIND to work. Best practice is to start with the /etc/bind/named.conf.* files, where you define the zones in your network. named.conf itself has entries for the zone “localhost”. If you’re adding zones rather than modifying them, you should do this in the named.conf.local file. A sample zone entry looks like this and defines which file to search for host information about the zone specified:
zone "sylvia.test" IN {
    type master;
    file "/etc/bind/db.sylvia.test";
};
In order to support reverse lookup (that is, translation from IP address to name) you need separate zone entries. The name of the reverse zone for the network 192.168.200.0 is by default “200.168.192.in-addr.arpa”, where in-addr.arpa is a pseudo-domain that holds the octets in least-to-most significant order. Here’s a sample reverse zone entry from /etc/bind/named.conf.local:
zone "200.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.200.168.192";
};
Now you are done with the named.conf.* files and you have to move on to the files specified above. As you can see, I put them in /etc/bind/. The most important file of course is /etc/bind/db.sylvia.test, holding all host/IP pairs for my domain. Sample entries for marge.sylvia.test, defining the IP address and giving her two aliases called “proxy” and “www”, are:
marge   A       192.168.200.5
proxy   CNAME   marge
www     CNAME   marge
The corresponding reverse lookup entry located in /etc/bind/db.200.168.192 looks like this (don’t forget the “.” at the end of the entry):
5 IN PTR marge.sylvia.test.

Before you start testing your configuration, don’t forget to point to your own DNS server in /etc/resolv.conf. Testing name resolution is possible with the command “nslookup <hostname>” (or “dig <fqdn>”, respectively):
root@0[knoppix]# nslookup www
Server: 192.168.200.5
Address: 192.168.200.5#53
www.sylvia.test canonical name = marge.sylvia.test.
Name: marge.sylvia.test
Address: 192.168.200.5
For testing reverse lookups you can use “dig -x <IP-address>”:
root@0[knoppix]# dig -x 192.168.200.5
; <<>> DiG 9.2.4 <<>> -x 192.168.200.5
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53688
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; QUESTION SECTION:
;5.200.168.192.in-addr.arpa.    IN PTR
;; ANSWER SECTION:
5.200.168.192.in-addr.arpa. 604800 IN PTR marge.sylvia.test.
;; AUTHORITY SECTION:
200.168.192.in-addr.arpa. 604800 IN NS ns1.sylvia.test.
;; ADDITIONAL SECTION:
ns1.sylvia.test. 604800 IN A 192.168.200.5
ns1.sylvia.test. 604800 IN AAAA 2001:16d8:ff47:1203:2::5
;; Query time: 7 msec
;; SERVER: 192.168.200.5#53(192.168.200.5)
;; WHEN: Sun Dec 4 09:13:10 2005
;; MSG SIZE rcvd: 137

1.6.4 Mail transfer agent exim4 [21] [22] [23]

A mail transfer agent or MTA is a service that receives mail and stores it
in the recipient’s mailbox. It receives its mail from another mail transfer
agent, from a mail submission agent (MSA) that in turn receives mail from
a mail user agent, or directly from a mail user agent (MUA). A mail
submission agent is nothing else than an intermediary between a mail user
agent, or simply a mail client, and a mail transfer agent. Often an MUA acts
as an MSA as well.
Installing exim4 with “apt-get install exim4” will have “debconf” appear
with several configuration questions, discussed below.
First it asks you whether you want the configuration put into one file or
into several files. I chose to use one file. Because I want outgoing mail
to be delivered to the Berufsförderungsinstitut Burgenland’s own mail
server, I chose “mail sent by smarthost; received via SMTP or fetchmail”
in the next step. Then you are prompted for the system mail name, which
should be the fully qualified domain name “marge.sylvia.test”. If you
don’t have DNS in your network, add the domain name to the /etc/hosts
file. If you want other hosts than localhost to connect to exim4, you
should alter the IP address the server listens on (which is by default
127.0.0.1) to “192.168.200.5” here. After that, you need to decide for
which other destinations your host is the final destination. If you have a
DNS domain across your network, enter the domain name and its associated
top level domain here (“sylvia.test:marge”). Now you define the networks
exim4 accepts incoming mail from. In my topology “192.168.0.0/16” fits
my needs best. Because we chose to use a smarthost before, we are
prompted for its domain name here (“mail.bfi-burgenland.at”). The last
two questions are whether you would like to have the header rewritten for
mail leaving your network, which I answered with “no”, and whether you
would like to minimize DNS queries, where I put in a “yes”.
Now you have new settings in /etc/exim4/update-exim4.conf. If you
want to change the settings made during debconf later, you can either
edit the files /etc/exim4/update-exim4.conf and /etc/mailname (which
only holds the mail server’s fully qualified domain name) or run
    dpkg-reconfigure exim4-config
In the directory /usr/share/doc/exim-base/examples you will find
commented example files for what is needed when installing exim4. Next
you modify the alias file, usually located in /etc/alias and holding a
table of all mail users in the system. It is vital to give the email
address of the postmaster here, so he can receive the system’s mail
problems. Setting the mailer-daemon to the postmaster is done so that the
messages from those people replying to bounce messages (a bounce message
is an automated email from the receiver’s mail system telling the sender
that the message could not be delivered for one of several reasons; it is
also called a Delivery Status Notification (DSN) message) are sent to the
postmaster. The last thing you should not forget, besides adding the
users, is to map messages destined to “root” to the postmaster.

1.6.5 POP3 server qpopper [9]

Qpopper is a widely used server for the POP3 (Post Office Protocol)
protocol, which allows users to fetch their mail from the mailboxes stored
by your mail transfer agent, which is exim4 in our network. After
downloading the *.tar.gz file containing qpopper from the homepage
referenced in the caption and uncompressing it, you can quick start with
“./configure”, which creates a makefile, followed by “make” and “make
install”. This should compile qpopper and install the server as well as
the man pages that came with the package. “make clean” deletes all
executables and the compiled code.
For configuring qpopper you have to decide which way to run qpopper.
You can either have a standalone server or it can be run by inetd. In
the first case you need to add a startup script in your runlevel-matching
/etc/rcx.d directory (where x stands for your runlevel; if you want to
know which runlevel you are using simply type “runlevel” at your Unix
prompt). In the second case the file /etc/inetd.conf needs to be
configured. Inetd is a daemon on many Unix-flavored systems managing
Internet services such as FTP, telnet and of course POP3. It is more
efficient than using standalone services because inetd launches the
appropriate service only when a matching packet is received. The port
number is the criterion for launching the service. This way of starting
services is preferable for services not used all the time (where dedicated
servers surely have more advantages). To configure a service with inetd
you have to check the /etc/services file, to see if the port is mapped to
the service, and the /etc/inetd.conf file. Below are the example entries
for qpopper, assuming your executable is held by /usr/local/lib:
    pop3 stream tcp nowait root /usr/local/lib/popper qpopper -s
It is recommended to set nowait.<timeout>, e.g. nowait.400, for large
networks with lots of hosts querying the server, in order to prevent inetd
from killing qpopper on the assumption that it is looping. The file
/etc/services only needs the line
    pop3 110/tcp #Post office

I chose to run qpopper as a dedicated server. The configuration that has
to take place in order to have a functioning POP3 system is small. It is
important that you have a symbolic link from directory /var/spool/mail to
/var/mail where the actual mails reside. There you have a file for each
user in the mailing system. Other configuration issues can be found in
/etc/qpopper.conf. The options set within this file can also be set by
appending the needed option to the “./configure” command. For a
non-complex mailing system you won’t have to set any options here
(qpopper.conf in fact is a blank file in my configuration). For a detailed
description of the options available read the comments in
/etc/qpopper.conf or look for /usr/share/doc/qpopper/GUIDE.pdf.gz.

1.6.6 web traffic monitoring with webalizer [11][26] [27]

Webalizer is a commonly used tool to generate web pages analyzing
different criteria like hits, visits and referrers from the access and
usage logs of your web server. It is also possible to use it with the
proxy “squid”, which I used to have control over the web traffic. You can
install webalizer from the source or binary distribution, or, as I did,
with “apt-get install webalizer”. Webalizer usually searches for the
configuration file in the current directory and in /etc/, and will then
process any other files or options defined when starting. When you use the
default configuration file /etc/webalizer.conf you can invoke the program
with “webalizer”, otherwise you have to define the file used: “webalizer
-c myconfigurationfile.conf”. To get a list of all command line options
simply type “webalizer -h”. After you typed the “webalizer” command,
forcing webalizer to analyse the log file specified in the given
configuration file, a new file “index.html” is created in the directory
set for the HTML output. In my configuration I used /etc/webalizer.conf
for configuring the HTML output directory /var/www/webalizer and the log
file /var/log/squid/access.log. The webalizer graphs therefore are
reachable at www.sylvia.test/webalizer. Don’t forget to repeatedly force
webalizer to analyse the logs via the crontab. Look for the configuration
files in the appendix.

1.6.7 web caching and proxying with squid [28] [29]

Squid is a widely used web caching and proxying server that can provide
access restriction by various criteria. Its advantages lie in speeding up
the response time of a network service by caching requests for repeated
use. Every time you request a site, squid first of all checks if it is
already loaded in the cache. If it is not, the site is fetched from the
internet and stored in the cache. Otherwise the cached site’s age is
checked to see whether it has expired in the meantime (every site is
stored for a predefined amount of time), and the content from the cache is
sent to the requesting client in case the site is still valid. Caching
works for several protocols but is primarily used for HTTP and FTP. ISPs
(Internet Service Providers) or LANs sharing a network connection tend to
use caching. Users browsing the internet in such an infrastructure use the
squid cache as an HTTP proxy, decreasing bandwidth consumption, and have
some additional security and anonymity features because the proxy requests
the sites on behalf of the “real” client. A huge advantage for each web
administrator is the possibility to content-filter the web sites
requested.
You can download squid from the website cited or install it directly
with “apt-get install squid”. You will find the configuration file in
/etc/squid/squid.conf. For a simple startup you only have to define a few
options. One is “cache_dir”, which defines the directory devoted to
caching data. “http_port” is the port squid listens on (default 3128).
“http_access” defines who is allowed to use squid and defaults to denying
all hosts until explicitly allowed in ACLs (access control lists), which
you have to set in order to fit your requirements. The two last options
needed are “cache_effective_user” and “cache_effective_group”, which
define the user and group having permission to read and write in the cache
directory and in the log files. By default squid is configured in proxy
mode and is now ready for use. After setting the properties of the
clients’ web browsers to use the proxy at server “proxy.sylvia.test” and
port “3128”, all web traffic is led through squid. You find these
properties for Firefox in the “Tools” menu. In the options window, click
“General” and on the right lower side of the window “Connection settings”.
There you can define the server and the port of the proxy and which
protocols it serves (in some Linux versions of Firefox you will find the
“Options” dialog in the “Edit” menu). For Microsoft’s Internet Explorer
you have to make the same changes under the “Tools” menu entry “Internet
Options”. Click on the tab labelled “Connections” and then on the button
at the bottom named “LAN settings”. Check out my configuration file in the
appendix and at your installation, for it contains lots of information.
Note: In my network I chose to allow direct internet access only to the
servers of my network (take a look at iptables). No client can therefore
request something from the internet without squid intercepting it, which
means squid can block sites not allowed by the content check, by the ACLs
or by download restrictions (size, file type, ...).
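The “http_access” evaluation is where proxy setups go wrong, so here is an added Python example (neither the author’s squid.conf from the appendix nor squid’s own code) that replays squid’s first-match rule evaluation over a constructed squid.conf fragment for the lab network and over a second, misordered fragment without a final “deny all”, which leaves the proxy open to outside clients. The acl names and values are constructed for the example.

```python
import ipaddress

# Constructed squid.conf fragment for the lab (not the author's appendix
# file): the main office network may use the proxy, CONNECT is limited to
# the SSL port, and the final "deny all" catches everything else.
SQUID_CONF = """\
http_port 3128
cache_dir ufs /var/spool/squid 100 16 256
acl localnet src 192.168.200.0/24
acl SSL_ports port 443
acl Safe_ports port 80 21 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""

# Constructed misordered variant without a final "deny all": because squid
# falls back to the opposite of the LAST rule when nothing matches, an
# outside client gets through, i.e. the proxy is open.
OPEN_PROXY_CONF = """\
acl localnet src 192.168.200.0/24
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow localnet
http_access deny CONNECT !SSL_ports
"""


def parse_conf(text):
    """Collect acl definitions (name -> (type, values)) and http_access
    rules (action, [acl elements]) in file order; 'all' is built in."""
    acls = {"all": ("src", ["0.0.0.0/0", "::/0"])}
    rules = []
    for line in text.splitlines():
        parts = line.split("#")[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acl, request):
    """Match one acl against a request dict with keys src, port, method.
    Only the three acl types used above are handled in this example."""
    acltype, values = acl
    if acltype == "src":
        addr = ipaddress.ip_address(request["src"])
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if acltype == "port":
        return str(request["port"]) in values
    if acltype == "method":
        return request["method"].upper() in [v.upper() for v in values]
    raise ValueError(f"acl type {acltype} not handled in this example")


def http_access(conf_text, request):
    """Decide 'allow' or 'deny' the way squid does: rules are tried in
    order, a rule matches when every element (a leading '!' negates it)
    matches, and the first matching rule wins. With no match at all, squid
    applies the opposite of the last rule's action, hence 'deny all' last."""
    acls, rules = parse_conf(conf_text)
    for action, elements in rules:
        if all(acl_matches(acls[e.lstrip("!")], request) != e.startswith("!")
               for e in elements):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    lan = {"src": "192.168.200.20", "port": 80, "method": "GET"}
    outside = {"src": "10.0.0.5", "port": 80, "method": "GET"}
    print("lab client, good config:", http_access(SQUID_CONF, lan))
    print("outside client, good config:", http_access(SQUID_CONF, outside))
    print("outside client, open config:", http_access(OPEN_PROXY_CONF, outside))
```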

1.6.8 arpwatch [30]

Arpwatch is a tool developed by Lawrence Berkeley National Laboratory
that monitors IP/MAC address pairings. “arpwatch -d” forks the service
into the background and sends reports via email. “arpwatch -f <filename>”
defines the database filename, which is by default
“/var/lib/arpwatch/arp.dat”. Before you start arpwatch for the first time
an empty arp.dat file has to be created. This program is intended to bring
some extra security into your network by noticing new PCs in your network
or spoofed MAC addresses. Look for documentation in the related man pages.
If you are setting global arpwatch options use /etc/default/arpwatch;
interface-specific ones are stored in /etc/arpwatch.conf. Look for the
configuration files in the appendix.
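As an added example (not arpwatch’s own code), the following Python reproduces the detection logic behind arpwatch’s reports on a constructed arp.dat and a constructed sequence of ARP replies seen on the lab network. The MAC addresses are made up and the arp.dat field layout (MAC, IP, last-seen timestamp, hostname, tab separated) is an assumption of the example.

```python
# Constructed arp.dat-style database: one line per known pairing with
# MAC, IP, last-seen UNIX timestamp and hostname (assumed layout).
# The MACs are made up; hosts and IPs are those of the lab network.
ARP_DAT = """\
00:11:22:33:44:01\t192.168.200.1\t1133700000\tbart
00:11:22:33:44:05\t192.168.200.5\t1133700010\tmarge
00:11:22:33:44:08\t192.168.200.8\t1133700020\tmaggie
"""

# Constructed sequence of ARP replies observed on the wire: (MAC, IP).
OBSERVED = [
    ("00:11:22:33:44:05", "192.168.200.5"),   # marge, unchanged pairing
    ("00:11:22:33:44:12", "192.168.200.12"),  # homer, not yet in arp.dat
    ("DE:AD:BE:EF:00:01", "192.168.200.1"),   # bart's IP from another MAC
    ("00:11:22:33:44:01", "192.168.200.1"),   # the real bart answers again
]


def load_arp_dat(text):
    """Build ip -> {'mac', 'prev', 'host'} from the database text;
    'prev' holds the MAC seen before the current one, if any."""
    table = {}
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 2:
            continue
        host = fields[3] if len(fields) > 3 else ""
        table[fields[1]] = {"mac": fields[0].lower(), "prev": None, "host": host}
    return table


def watch(table, observations):
    """Classify each observed (mac, ip) pairing the way arpwatch reports
    them and update the table in place; returns the report strings.
    - new station: an IP never seen before
    - changed ethernet address: a known IP answering from a new MAC
    - flip flop: the IP switching back to the MAC seen before that"""
    reports = []
    for mac, ip in observations:
        mac = mac.lower()
        entry = table.get(ip)
        if entry is None:
            table[ip] = {"mac": mac, "prev": None, "host": ""}
            reports.append(f"new station {ip} {mac}")
        elif entry["mac"] == mac:
            continue                      # known pairing, nothing to report
        elif entry["prev"] == mac:
            reports.append(f"flip flop {ip} {entry['mac']} -> {mac}")
            entry["prev"], entry["mac"] = entry["mac"], mac
        else:
            reports.append(
                f"changed ethernet address {ip} {entry['mac']} -> {mac}")
            entry["prev"], entry["mac"] = entry["mac"], mac
    return reports


def run():
    """Load the constructed database and replay the observations."""
    return watch(load_arp_dat(ARP_DAT), OBSERVED)


if __name__ == "__main__":
    for report in run():
        print(report)
```

A flip flop report is the pattern to look at first: two stations answering for the same IP in turn is what a spoofed MAC looks like from the wire.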

1.7 Other services provided by bart

Bart is not only the gateway router and tunnel endpoint for OpenVPN but
also hosts ntpd and ntop.

1.7.1 network time protocol daemon ntpd [3]

Ntpd is a daemon synchronizing the system time with time servers from
the internet. It acts as a time server for your local network and is able
to broadcast time as well. You define which internet servers to use in the
file /etc/ntp.conf and you have a separate log file at /var/log/ntpd where
you can see the time being synchronized. Within /etc/ntp.conf “logfile”,
“driftfile” (frequency file) and “statsdir” (directory for statistics) are
defined. An option that might be interesting to set is “panic <time in
seconds>”, which defaults to 1000. This sets the maximum sanity limit for
a time synchronization, i.e. if your time correction is more than 1000
seconds ntpd doesn’t set the time itself but prompts you to set the system
time manually. You can make ntpd do it anyway with either “ntpd -g -q” for
doing it once, or by setting “panic 0” for always correcting the time
regardless of how big the correction is. See the appendix for more
information about the configuration.

1.7.2 ntop

Ntop is a network traffic probe for a detailed view of what your machines
are doing. You have several subdivided parts where you can see graphs
and details about categories like summed-up IP traffic, whether traffic
was destined unicast/multicast/broadcast, throughputs, and so on.
During the installation of the *.deb package with “dpkg -i” you have
debconf asking you for details of the installation. In the first step you
define which interfaces to monitor and in the second step which user runs
the service (in my case: “ntop”). You can re-launch the configuration with
the command “dpkg-reconfigure ntop”.
Before starting ntop for the first time you have to set the
administrator’s password with the command “ntop -A”, which prompts you for
the password to use (this will also cause the service to start
automatically upon each reboot). You can start ntop, if needed, manually
with “/etc/init.d/ntop start”, which points to an init file
“/etc/default/ntop” where in turn “/var/lib/ntop/init.cfg” is included.
Inside “/var/lib/ntop/init.cfg” two variables are set: “user” and
“interfaces”. These values are set by the “dpkg-reconfigure ntop” I
mentioned above. If you want to add additional parameters like “-M” to
separate the counters for multiple interfaces, you have to modify
“/etc/init.d/ntop” yourself. To access ntop’s HTML output simply browse to
port 3000 of your server with the ntop installation
(http://bart.sylvia.test:3000).

1.8 Services provided by homer

Homer is a Windows 2000 server providing file sharing and Active
Directory.

1.8.1 File sharing

To make a directory accessible for others on the network you need to share
the folder. You can do this with a right-click on the folder in question
in the “Windows Explorer”. The context menu opened contains an entry
“Sharing...” which opens a dialog where you can define the name of the
network share. Besides defining the name you have to define who is allowed
to browse your files and what rights he/she has on your files. For this
there is the button “Permissions” where you can choose the users that may
access your shared directory. Although I don’t have a good explanation
for it, I won’t recommend using the user “Everyone” here if you want
to grant permissions to everyone. I didn’t experience great success with
that, but with adding the users separately. The network shares I made
were “\\192.168.200.12\daten” and “\\192.168.200.12\download”, holding
the data produced while building my lab and the programs downloaded. For
accessing the shares on Windows-based systems I used the command “Map
Network Drives” in the Tools menu of Windows Explorer or “net use *
\\192.168.200.12\daten” on the command line. For Linux-based systems I
first had to install the package “smbfs” with “apt-get install” and could
then mount the network drives. After creating mount points with “mkdir
/mnt/daten” and “mkdir /mnt/download” I could mount the shares with the
command
    mount -t smbfs -o username=elsylo //192.168.200.12/daten /mnt/daten
or, respectively,
    mount -t cifs -o username=elsylo //192.168.200.12/daten /mnt/daten
which prompts you for the password in the next line. CIFS (Common Internet
File System) is nothing else than a renamed new version of SMB (Server
Message Block) enriched with some additional features.

1.8.2 Active directory [32] [33]

Active directory is an implementation of LDAP (Lightweight Directory
Access Protocol) directory services for use in Windows environments.
It allows you to set enterprise- or group-wide policies or to deploy
programs or updates to several computers more easily. It is a centralized
database storing information about the people, services and resources used
in the network. Each object stored in active directory is therefore either
a person, a computer or a service. Active directory is responsible for
objects and their attributes, their organization and their access rights
and security options. An object represents a single entity and can be a
container for other objects as well. Sample objects are e.g. a single
person or a PC; objects are uniquely identified by their names. Each
object belongs to at least one class, which defines the set of attributes
of the object. The attributes of a class are described in a schema file.
The schema itself is made up of two types of objects: schema class objects
and schema attribute objects. At the top of the structure holding all the
objects as a framework is the Forest containing one or more Trees.
You start configuring your Windows 2000 active directory server at the
“Windows 2000 Configure Your Server” screen asking you what kind of
service you would like to configure (if you have chosen to close this
window earlier you can open it again from the Start menu - Programs -
Administrative Tools - Configure Your Server). First, the server is
configured with the option “One or more servers are already running in my
network” (the option “This is the only server in the network” installs
not only Active directory but DHCP and DNS as well). Now you have to
choose which service to install from the menu at the left side of the
Installation Wizard. For installing Active Directory you need at least one
partition formatted with NTFS; otherwise you have to cancel setup and
proceed after creating such a partition. The next step is starting the
Active Directory wizard, which opens a new dialog. Since this was the only
domain controller in my local network I chose “Domain controller for a new
domain” here and “Create a new domain tree” in the next step (you could
otherwise create a new child domain in an existing domain tree here). Like
in nature, trees usually grow in a forest, and as in nature we have to
define the forest to add our new tree to (I chose a new forest). In the
next step you have to define the domain name used for the domain, which is
“sylvia.test” (a domain name consists of two parts separated by a “.” for
Windows; if you choose not to have two parts, Windows will add “.DOM” to
your domain name). You could also choose to have a domain name called
“sylvia.com” because it is not used on the internet. If you have PCs with
an operating system older than Windows 2000 installed in your network you
have to use “NetBIOS” and provide an extra “NetBIOS Domain name” (I
recommend accepting the default). The next step is to define the Active
Directory database and log location, which requires 200MB free disk
space. Next, the directory for the “SYSVOL” folder is defined and has to
reside on a partition formatted NTFS. The SYSVOL folder will later be
visible as part of the “Network Neighborhood” or “My Network Places” and
will contain user-specific public files (and has to be NTFS because of
enabled access rights enforcement). Accept the Pre-Windows 2000 compatible
permissions and enter a Restore Mode administrator’s password. In the last
step review the settings made and click “next” if you want Active
Directory to configure what is needed. After restarting you can start
adding the objects needed.
Note: Never click “Cancel” while Active Directory goes through the various
steps of installing; it will wreck your computer! If it crosses your mind
that you might have configured something wrong: let Active Directory
finish its work and start “dcpromo” (i.e. the command starting the Active
Directory wizard from “cmd”) again afterwards.
When your installation was successful you have all Active Directory
management tools added to the menu “Administrative Tools”. Run “Active
Directory Users and Computers” to see your domain in the tree on the left
side of the window, containing different container objects called
“Builtin”, “Computers”, “Domain Controllers”, “ForeignSecurityPrincipals”
and “Users”. Similar to the way you add new folders or empty files to a
directory you can add objects to the containers mentioned. Clicking on the
“Users” directory opens the list of users in your system (even if you have
not added one manually by now, you will see some default users like
“Administrator”). Right-clicking on the right side of the window opens up
a context menu containing “New” with the items “Computer”, “Contact”,
“Group”, “Printer”, “Person” and some more. When you add any of these
objects you are asked to give details for it in a wizard-like window. In
my domain I have only added one user account, “elsylo”, and the computers
apu and nelson. This is something like a minimum configuration in order to
allow the clients apu and nelson to log on to active directory. Both users
created are server-side stored users. The advantage is that you don’t have
to create users locally on a PC in the network. Wherever “elsylo” wants to
log on with her profile, she has a computer with her settings made, e.g.
the desktop, and gains instant access to all services or network shares
she is used to having. Besides this you have more centralized
administrative power like deactivating an account, setting passwords and
of course, as mentioned above, setting qualities and rights of an account
(e.g. certain persons may not be allowed to access FTP sites). The second
tool served together with Active Directory is “Active Directory Sites and
Services”. Within it you have a container called “Sites”, which in turn
contains the container “Default-First-Site-Name”, which holds the “Server”
object with the name of the Active Directory server just installed.
Remember that we allowed the DNS server BIND to dynamically update records
from the Active Directory server (SRV records). This becomes very
important now, because otherwise the correct DNS entries would be missing
for clients trying to log on to Active Directory during startup. For
troubleshooting see the Microsoft Knowledge Base [35] or another nice
article I found, written by Daniel Petri [34]. The physical storage of all
Active Directory objects for a single forest is provided by the Active
Directory database file NTDS.dit stored in the folder given at
installation (default: C:\WINNT\NTDS\). Since there are no configuration
files I can add to my appendix, I put in a screenshot of adding a new user
to Active Directory.
Bibliography

[1] Asterisk Wiki: Asterisk introduction (2005).
http://www.voip-info.org/wiki-Asterisk/view/Asterisk+introduction
(2005-12-01)
[2] The Asterisk Documentation Project: Volume One: An Introduction to
Asterisk (2004).
http://www.asteriskdocs.org/modules/tinycontent/content/docbook/current_v1/docs-html/book1.html
(2005-12-01)
[3] Sipura Technology: Welcome to Sipura Technology Technical Support
(2005). http://www.sipura.com/support.index.html (2005-12-06)
[4] Sipura Technology: SPA-2000 Quickstart Guide (200).
http://www.sipura.com/Documents/SPA2000QuickStart.doc
(2005-12-06)
[5] Sipura Technology: ATA User Guide (2005).
http://www.sipura.com/Documents/SipuraSPAUserGuidev2.0.9.pdf
(2005-12-06)
[6] Hewlett Packard: Download Drivers and Software for LaserJet 1300
(2004). http://hpinkjet.sourceforge.net/install.php (2005-12-01)
[7] Colin Steward: How to make Windows use CUPS IPP (2005).
http://www.owlfish.com/thoughts/winipp-cups-2003-07-20.html
(2005-12-01)
[8] Kurt Pfeifle: CUPS Troubleshooting and Asking for help HOWTO
(2002). http://www.cups.org/cups-help.html (2005-12-01)
[9] Linux Documentation Project, David A. Ranch: Linux IP Masquerade
HOWTO (2005).
http://www.linux.org/docs/ldp/howto/IP-Masquerade-HOWTO/stronger-firewall-examples.html#RC.FIREWALL-IPTABLES-STRONGER
(2005-12-01)
[10] MySQL: MySQL 3.23, 4.0, 4.1 Reference Manual (2005).
http://dev.mysql.com/doc/refman/4.1/en/index.html (2005-
12-01)
[11] digium, Inc.: Wildcard TDM400P, TDM31B (2005).
http://www.digium.com/index.php?menu=product_detail&category=hardware&product=TDM400P
(2005-12-02)
[12] OpenVPN Solutions LLC: OpenVPN (2005). http://openvpn.net/
(2005-12-02)
[13] OpenVPN Solutions LLC: OpenVPN 2.0 HOWTO (2005).
http://openvpn.net/hoto.html#quick/ (2005-12-02)
[14] RSA Security: What is Diffie-Hellman? (2004).
http://www.rsasecurity.com/rsalabs/node.asp?id=2248 (2005-
12-02)
[15] Apache Software Foundation: Apache HTTP Server Version 2.0 Doc-
umentation (2005). http://httpd.apache.org/docs/2.0/en (2005-12-
03)
[16] KPLUG: KPLUG Apache Tutorial (2005).
http://www.kplug.org/apache_tutorial (2005-12-03)
[17] Internet Systems Consortium: DHCP Distribution Version 3.0.3
README File (2005). http://www.isc.org/index.pl?/sw/dhcp
(2005-12-03)
[18] BIND9.NET: DNS, BIND, DHCP, LDAP and Directory Services
(2005). http://www.bind9.net (2005-12-03)
[19] BIND9: BIND 9 Administrator Reference Manual (9.3.1) (2005).
http://www.bind9.net/manuals (2005-12-03)
[20] www.traum-projekt.com: TP: Bind 9 - DNS - Tutorial :) (2005).
http://traum-projekt.com/forum/sitemap/t-33562.html (2005-12-
03)

[21] exim: Exim 4.50 specification (2005).


http://www.exim.org/exim.html-4.50/doc/html/spec.html (2005-
12-04)
[22] Jason Boxman: Installing and Configuring Exim4 (2005).
http://www.trekweb.com/~jasonb/articles/exim4_courier/exim4.html
(2005-12-04)
[23] Koivisto Justin: Installing and Configuring Exim 4 on Debian (2005).
http://koivi.com/exim4-config/ (2005-12-04)
[24] Eudora: Qpopper (2005).
http://www.eudora.com/products/unsupported/qpopper (2005-12-05)
[25] Mrunix: The Webalizer What is your web server doing today? (2005).
http://www.mrunix.net/webalizer (2005-12-05)
[26] Mrunix: Installation Instructions for The Webalizer (2005).
ftp://ftp.mrunix.net/pub/webalizer/INSTALL (2005-12-05)
[27] Mrunix: Simpletons Guide to Web Server Analysis (2005).
http://www.mrunix.net/webalizer/simpleton.html (2005-12-05)
[28] www.squid-cache.org: Squid Web Proxy Cache (2005).
http://www.squid-cache.org (2005-12-05)
[29] ViSolve Open Source Solutions: Welcome to ViSolve Squid Support
(2005). http://squid.visolve.com/squid/index.html (2005-12-05)
[30] Lawrence Berkeley National Laboratory: LBNL’s Network Research
Group (2005). http://www-nrg.ee.lbl.gov/ (2005-12-05)
[31] Mills: ntpd - Network time protocol (NTP) daemon (2005).
http://www.eecis.udel.edu/~mills/ntp/html/ntpd.html (2005-12-
05)
[32] Helmig Johannes: Windows 2000 Server: Configure Active Directory
(2001). http://www.windowsnetworking.com/articles_tutorials/w2ksvrin.html
(2005-12-05)
[33] Daniel Petri: How do I install Active Direc-
tory on my Windows 2000 server? (2005).
http://www.petri.co.il/how_to_install_active_directory_on_w2k.htm
(2005-12-06)
[34] Daniel Petri: What are the most common DNS related Dcpromo errors?
How do I fix them? (2005).
http://www.petri.co.il/troubleshooting_dcpromo_errors.htm
(2005-12-06)
[35] Microsoft: Help and Support (2005). http://support.microsoft.com
(2005-12-06)
Chapter 2

The initial lab-topology

With all the needs specified in the chapters above, the topology of the
network evolved to what it is today. For the sake of simplicity the lab
does not consist of all the computers and services really used at the
“Berufsförderungsinstitut Burgenland”.
The lab consists of two big parts, the main office and the branch office.
The main focus lies of course on the main office, running the majority of
the services and having to cope with the biggest load. My model of the
main office consists of three servers, three clients and a gateway router.
At the branch office only a router, offering several services as well, and
a client are located.

2.1 The main office

The main office has an IP-address range of 192.168.200.0/24.

2.1.1 hostname: bart - 192.168.200.1

Hardware details

CPU: Pentium 2, 350 MHz

CHAPTER 2. THE INITIAL LAB-TOPOLOGY 53

RAM: 128 MB
OS: Debian Sarge 2.6.8-1-686 [1]
HD-capacity: 4 GB

Services:

Bart acts as a gateway between a simulated "Internet" - an outside world
for the network - and the main office. Its main task is to have NAT and
routing enabled so that the hosts on the network are able to have secure
internet traffic. Both are handled by a self-written script inspired by
"The Linux Documentation Project"
(http://www.linux.org/docs/ldp/index.html). In addition to this a default
route is also set at this point. Since these things don’t create lots of
load we also decided to put other small services on this host. An ntpd
time server supplies the Linux hosts via ntpdate and the Windows hosts via
Clox (http://www.mirage1.u-net.com/clox.htm) with the correct time. As the
source of accurate time we chose pool.ntp.org. In addition to this ntop
was installed, which can be accessed at http://bart.sylvia.test:3000/.
Last but not least, especially regarding the importance of the service,
OpenVPN (http://openvpn.net/) has been added to connect the main and the
branch office through a secure link.

Service details:

• iptables v1.3.1 [2] - packet filtering and nat


• ntpd v4.2.0 [3] - synchronizing the clock through a network
• ntop v3.0 [4] - a tool that shows the network usage similar to the
“top”-command
• openVPN v2.0 [5] - an SSL-based VPN solution

2.1.2 hostname: marge, alias: ns1, www, proxy - 192.168.200.5

Hardware details:

CPU: Pentium 3, 450 MHz


RAM: 128 MB
OS: Debian Sarge 2.6.8-1-686 [1]
HD-capacity: 8 GB

Services:

Marge can be seen as the "heart" of our network, combining the most
important services. First of all, she provides DHCP-distributed IPv4
addresses for the clients in the network. The DHCP server we chose is
dhcpd3 by the Internet Systems Consortium
(http://www.isc.org/index.pl?/sw/dhcp/). The second big service located at
marge comes from the Internet Systems Consortium
(http://www.isc.org/index.pl?/sw/bind/) as well and provides domain name
resolution. Besides these vital parts of a network, mail traffic is also
handled by exim4 and qpopper on this host. In addition to these services
we provide the Apache HTTP server on this host, which can be found online
at http://www.apache.org. To get a notion of what happens on the web,
Webalizer (www.mrunix.net/webalizer/) analyzes the log file of the web
server. Arpwatch (http://www-nrg.ee.lbl.gov) is another tool configured on
this machine that keeps a database of all MAC addresses used in this
network. In addition to all these services marge also acts as a CUPS print
server (www.cups.org) and has an HP LaserJet 1300 plugged in directly via
USB. Squid adds the proxy capability here.

Service details:

• dhcpd v3.0.1 [6] - dynamic addressing of hosts


• bind9 [7] - an implementation of Domain Name System providing
tables mapping IP addresses to domain names

• exim4 [8] - message transfer agent


• qpopper v4.0 [9] - POP3 server
• apache2 [10] - highly flexible http-server from the Apache Software
Foundation
• webalizer v2.01-10 [11] - web-server log file analysis tool producing
charts and reports
• arpwatch v2.1a13 [12] - an ethernet monitoring programm for keep-
ing track of ethernet/ip address pairings
• cups v1.2.0b1 [13] - standard printing system on Unix providing
communication via IPP (Internet Printing Protocol) and network
browsing of jobs and printers
• squid v2.5 [14] - proxying and caching features for a variety of pro-
tocols

2.1.3 hostname: maggie - 192.168.200.8

Hardware details:

CPU: AMD Athlon 900 MHz
RAM: 512 MB
OS: Debian Sarge 2.4.27-2-k7 [1]
HD-capacity: 120 GB

Services:

Maggie is responsible for the information-critical services in our network. On the one hand she is running the database of our company. Again we are using open source software, this time MySQL from http://www.mysql.com. The other very critical service, and the reason why we chose the most powerful computer here, is Voice over IP with the help of Asterisk, which you can get for free at http://www.asterisk.org. This was one of the requests the BFI Burgenland made in return for giving me the equipment I needed: they wanted me to use this replica of their network to test the setting up and the use of asterisk without interfering with their everyday business.
Unlike the other PCs, I added a Digium TDM400 card [41] in order to plug in two analog GESKO Ikarus 1000 phones.

Service details:

• mySQL v4.1 [33] - the world’s most popular open source database
• asterisk [16] - a complete PBX software providing everything you would expect from a PBX. It does Voice over IP in many protocols, and can interoperate with almost all telephony equipment (softphone, hardphone, analog phones, ...)

2.1.4 hostname: homer - 192.168.200.12

Hardware details:

CPU: AMD Duron
RAM: 128 MB
OS: Windows 2000 Server Service Pack 4 [17]
HD-capacity: 40 GB

Services:

Homer is the only server in our lab topology running Windows 2000 Server. His work is mainly to act as a file server that can be accessed from all PCs in the topology, and to be the domain controller for the main network (192.168.200.0). We used the Active Directory software included in the server distribution.

Service details:

• Active Directory [18] - providing a repository for computers, people and any other resource in a company
• file sharing [19] - providing network shares to all users of the network; accessible for all operating systems

2.1.5 hostname: apu - 192.168.200.33

Hardware details:

CPU: AMD Duron
RAM: 64 MB
OS: Windows 2000 Service Pack 4 [20]
HD-capacity: 8,4 GB

Usage:

Apu is one of the client-only machines in this network. Although companies usually run Windows XP, there are always still some Windows 2000 or even older computers around, which e.g. run programs that are no longer supported by newer operating systems. That’s why I wanted to keep one PC of the old generation in the lab to see how it can handle the new stack. This host represents a usual workstation with everyday programs. I installed Microsoft Office 2000 and in addition to this the openOffice 2.0 beta, to have some open source spirit on this PC as well. For browsing the internet I decided to add Firefox 1.0.6 to the existing Internet Explorer 6.0. Every workstation needs a mail client as well, and this time, next to the pre-installed Outlook Express and the Outlook that came with Microsoft Office, I chose to install the mail client from the Mozilla project, Thunderbird 1.0.2. Acrobat Reader, WinZip, Paintshop Pro 5.03 and XnView round off the illusion of a workstation in use. The security measures taken on that computer are Sygate Personal Firewall 5.5 and Antivir of the German company H+B EDV. For my convenience and for testing purposes I added WinSCP3 and puTTY as well.

Software details:

• Microsoft Office 2000 [21] - office software suite
• openOffice 2.0 beta [22] - open source office software suite
• Firefox 1.0.6 [23] - open source internet browser of the Mozilla project
• Thunderbird 1.0.2 [24] - open source email client of the Mozilla project
• Acrobat Reader [25] - Adobe’s free *.pdf reader
• WinZip [26] - zip file utility for Windows
• Paintshop Pro 5.03 [27] - picture editing software
• XnView [28] - free graphic viewer
• Sygate Personal Firewall 5.5 [29] - free home firewall
• Antivir [30] - virus protection from H+BEDV
• WinSCP3 [31] - open source SFTP client for Windows
• puTTY [32] - free Telnet/SSH client

2.1.6 hostname: nelson - 192.168.200.34

Hardware details:

CPU: Pentium II 350 MHz
RAM: 192 MB
OS: Windows XP Service Pack 2 [20]
HD-capacity: 8,4 GB

Usage:

Nelson is the client computer with the most up-to-date operating system from Microsoft in my initial lab topology. Like apu, nelson is just a client workstation providing its users programs like Microsoft Office 2003 [21], openOffice 2.0 beta [22], Internet Explorer 6.0, Firefox 1.0.6 [23], Outlook Express, Outlook, Thunderbird [24], puTTY [32] and WinSCP3 [31]. In addition to these programs, which I have described in more detail before, I added the softphone SJphone 1.60.

Program details:

• SJphone 1.60 [33] - Voice over IP softphone

2.1.7 hostname: lisa - 192.168.200.35

Hardware details:

CPU: AMD Duron 1200
RAM: 128 MB
OS: SuSE 2.6.8-24-default [34]
HD-capacity: 40 GB

Usage:

In order to have one non-Windows client in the network (here again I had the wish of the company to test the use of a SuSE system as a normal workstation in heterogeneous environments) I chose a SuSE 9.2 distribution. This host is running only client programs like openOffice 2.0 beta [22], Konqueror, Mozilla and Firefox [23]. As mail clients I used Kmail and Evolution.

Program details:

• Konqueror
• Kmail [36] - free KDE mail client
• Evolution [37] - groupware client for Linux

Besides the computers used in the main office and the two phones I mentioned above I also used two VoIP hardphones.

2.1.8 allnet1 - 192.168.200.130

The hardphone allnet1 is an ALL7950 SIP [39] phone and is located between the switch and the host apu.

2.1.9 grandstream1 - 192.168.200.129

The second hardphone with the hostname grandstream1 is a Grandstream Budgetone 100 [38] and is put between the switch and lisa.

2.2 Branch office

The branch office in my topology with its two computers emulates one of the many locations the BFI Burgenland has to supply with information and connectivity all over the Burgenland.
IP-address range: 192.168.201.0/24

2.2.1 hostname: snowball - 192.168.201.1

Hardware details:

CPU: Pentium 2, 350 MHz
RAM: 128 MB
OS: Debian Sarge 2.4.27-2-686 [1]
HD-capacity: 8 GB

Services:

Snowball is the gateway computer for the branch office and therefore has to handle all the things bart has to cope with. This includes of course such vital things as routing and iptables, and it is of course the other endpoint of our OpenVPN [5] tunnel. In addition to this there are also another asterisk [16] and apache [10] server installed on this node. The asterisk servers of the main and the branch office are connected via IAX.

2.2.2 hostname: snowball2 - 192.168.201.17

Hardware details:

CPU: Pentium 2, 350 MHz
RAM: 128 MB
OS: Windows XP Service Pack 2 [20]
HD-capacity: 4,3 GB

Usage:

Snowball2 is the sole client, standing in for the other computers that could be in this network. Its tasks are not very challenging as they are the same you saw with nelson, apu or lisa. Internet Explorer 6, Firefox 1.0.6 [23], Outlook, Outlook Express and Thunderbird [24] are installed to cover the Internet-dependent applications. Microsoft Office XP [21] and OpenOffice [22] for everyday usage and puTTY [32] together with WinSCP [31] for testing purposes complete the choice of software. The only more special thing in this environment is the softphone SJphone 1.6 [33].
CHAPTER 2. THE INITIAL LAB-TOPOLOGY 62

2.2.3 hostname: sipura - 192.168.201.129

This SPA-2000 Sipura adapter [40] allows you to plug two standard telephones or fax machines into it and connect them to IP-based data networks. It features two POTS ports for connecting analog phones and one Ethernet interface for connecting to the LAN. Each port can be handled totally independently using the software on the small web server built into this device.
Bibliography

[1] Debian: debian (2005). http://www.debian.org (2005-12-02)
[2] netfilter project: firewalling, NAT and packet mangling for Linux (2005). http://www.netfilter.org (2005-12-01)
[3] ntpd: network time protocol daemon (2005). http://www.eecis.udel.edu/~mills/ntp/html/ntpd.html (2005-12-01)
[4] ntop: network usage grapher (2005). http://www.ntop.org (2005-12-01)
[5] openVPN: a full-featured SSL VPN solution (2005). http://openvpn.net (2005-12-01)
[6] ISC: dhcpd - Dynamic Host Configuration Protocol Distribution (2005). http://www.isc.org/index.pl?/sw/dhcp/ (2005-12-01)
[7] ISC: bind9 - Berkeley Internet Name Domain (2005). http://www.isc.org/index.pl?/sw/bind/ (2005-12-01)
[8] exim4: The exim home page (2005). http://www.exim.org (2005-12-01)
[9] Eudora: qpopper - the most widely used POP3 server (2005). http://www.eudora.com/products/unsupported/qpopper/index.html (2005-12-01)
[10] The Apache Software Foundation: HTTP Server Project (2005). http://httpd.apache.org/ (2005-12-01)
[11] MrUnix: The Webalizer - What is your webserver doing today? (2005). http://www.mrunix.net/webalizer (2005-12-01)
[12] LBNL’s Network Research Group - arpwatch (2005). http://www-nrg.ee.lbl.gov (2005-12-01)
[13] Easy Software Products: CUPS Common Unix Printing System (2005). http://cups.org/ (2005-12-01)
[14] Duane Wessels: Squid Web Proxy Cache (2005). http://www.squid-cache.org/ (2005-12-01)
[15] MySQL AB: mySQL - The world’s most popular open source database (2005). http://www.mysql.com (2005-12-01)
[16] Digium: asterisk - The Open Source PBX (2005). http://www.asterisk.org (2005-12-01)
[17] Microsoft: Windows Server 2000 (2004). http://www.microsoft.com/windows2000/default.mspx (2005-12-02)
[18] Microsoft: Windows 2000 Directory Services (2005). http://www.microsoft.com/windows2000/technologies/directory/default.mspx (2005-12-01)
[19] Microsoft: 7 Ways to Share Information with Co-workers (2004). http://www.microsoft.com/atwork/worktogether/sharing.mspx#EPDAC (2005-12-02)
[20] Microsoft: Windows Family Homepage (2005). http://www.microsoft.com/windows/default.mspx (2005-12-02)
[21] Microsoft: Office Online (2005). http://office.microsoft.com/en-us/default.aspx (2005-12-02)
[22] OpenOffice.org: the free office suite (2005). http://de.openoffice.org/ (2005-12-02)
[23] mozilla: Firefox (2005). http://www.mozilla.com/firefox/ (2005-12-02)
[24] mozilla: Thunderbird (2005). http://www.mozilla.com/thunderbird/ (2005-12-02)
[25] Adobe: Adobe Reader (2005). http://www.adobe.de/products/acrobat/readstep2.html (2005-12-02)
[26] WinZip International LLC: WinZip (2005). http://www.winzip.com (2005-12-02)
[27] Corel: Paint Shop Pro (2005). http://www.corel.de/servlet/Satellite?pagename=Corel3De/Products/Display&pfid=1047024666092&pid=1047025530410 (2005-12-02)
[28] Pierre Gougelet: XnView (2005). http://www.xnview.com/ (2005-12-02)
[29] Sygate: Sygate Personal Firewall (2005). http://soho.sygate.com/products/spf_standard.htm (2005-12-02)
[30] H+BEDV: Antivir (2005). http://www.antivir.de/en/index.html (2005-12-02)
[31] WinSCP: WinSCP (2005). http://winscp.net/eng/index.php (2005-12-02)
[32] Simon Tatham: PuTTY (2005). http://www.chiark.greenend.org.uk/~sgtatham/putty/ (2005-12-02)
[33] SJ Labs: Voice over IP Software (2005). http://www.sjlabs.com (2005-12-02)
[34] Novell: Novell SUSE Linux (2005). http://www.novell.com/linux/suse/ (2005-12-02)
[35] konqueror.org: Konqueror (2005). http://www.konqueror.org/ (2005-12-02)
[36] Kmail: the KDE mail client (2005). http://kmail.kde.org/ (2005-12-02)
[37] Novell: E-mail, Calendaring and Collaboration Evolution 2 (2005). http://www.novell.com/products/desktop/features/evolution.html (2005-12-02)
[38] Grandstream: BudgeTone 100 (2003). http://www.grandstream.com/y-bt100.htm (2005-12-02)
[39] Allnet Deutschland GmbH: ALL 7950 SIP Komfort Telefon (2005). http://www.allnet.de/product_info_allnet.php?cPath=_&products_id=99927 (2005-12-02)
[40] Sipura technology, inc.: SPA-2000 Analog Telephone Adapter (2003). http://www.sipura.com/products/spa2000.htm
[41] digium, Inc.: Wildcard TDM400P, TDM31B (2005). http://www.digium.com/index.php?menu=product_detail&category=hardware&product=TDM400P (2005-12-02)

Chapter 3

Testing and Benchmarking the Network

Having services is one crucial step in setting up a working network, but nothing is more important than the performance of these services. Questions like “What is my throughput?”, “How long will the bandwidth be sufficient?” and “What do the services do when no one watches?” are those keeping system administrators awake at night. One way to diminish the risk of something unexpected happening is to monitor the network closely. But monitoring is only half the battle. Collecting data is only as useful as the adaptations and the conclusions that are drawn from it.
The main reason for monitoring my network is to compare IPv4 baselines with those of the IPv6 protocol. First of all I want to describe the tools I used.

3.1 Tools and their usage

3.1.1 MRTG [1]

MRTG, the Multi Router Traffic Grapher, is a tool to monitor various things like traffic load using SNMP (Simple Network Management Protocol). It generates HTML pages and graphs the values measured periodically. It was originally developed to monitor routers but can now take data from every device running an SNMP agent. When configured accordingly, it can also send you warning emails when thresholds are exceeded. But let’s start with SNMP.

3.1.1.1 SNMP [2] [3] [4] [5]

The Simple Network Management Protocol is part of the IP protocol suite and monitors network-attached devices. SNMP was designed with one goal in mind: simplicity. Usable on nearly every network device known today, it is viewed as a security threat by some, while others think it is the best way of centralized data manipulation for their key systems. SNMP uses UDP (User Datagram Protocol), a stateless, fast but unreliable protocol that sends traffic without checking whether the data was received at the other node. The SNMP design is pretty simple, for it consists of a managing system and several agents running on servers, workstations, and so on. The agents are the devices being monitored, while the manager is the one asking for the information the agents gathered and storing it centrally for further processing. The manager is often also referred to as Network Management Station or NMS for short. SNMP has a small set of primitives comprising “GET”, “GET-NEXT” and “SET”. “GET” is used to retrieve a single piece of information while “GET-NEXT” returns more than one item; it is used if you want to sequentially retrieve data. Use “SET” when you want to set a particular variable to a certain value. On the other hand there are two control primitives the responder (i.e. the agent) uses to reply, and these are “GET-RESPONSE” and “TRAP”. “GET-RESPONSE” is used in response to the requester’s direct query and “TRAP” is an asynchronous message sent to obtain the requester’s attention. In later versions of SNMP traps are called “notifications”. As you can see, both manager and agent can initiate communication. In my lab I used SNMPv1, which provides very few security measures (authentication is performed by a “community string”, a password transmitted in plain text). SNMPv2c introduces new primitives but uses the same security scheme as SNMPv1. SNMPv3 is considered state of the art, providing stronger security measures.
Talking about the primitives used in an SNMP-managed network, the next question to be answered is: what does GET actually get? The types of data exchanged between the manager and the agents are stored on the agent in a database called “management information base” or short “MIB”. Each value tracked in a MIB is an object. The MIB is used to translate text queries to OIDs. Each object in the MIB represents a specific entity on the managed device; this can be anything from “hostname” to “number of established IP connections” or “version of operating system”. These MIBs use a hierarchical namespace containing object identifiers or short OIDs. If you want to know which OIDs your system is monitoring, look into the folder /usr/share/snmp/mibs/ on Linux based systems. You’ll find different MIB files containing entries such as

hrMemorySize OBJECT-TYPE
    SYNTAX KBytes
    UNITS "KBytes"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The amount of physical read-write main
        memory, typically RAM, contained by the host."
    ::= { hrStorage 2 }

Querying an OID with snmpwalk looks like this:

marge:~# snmpwalk -v1 -c public localhost hrMemorySize
HOST-RESOURCES-MIB::hrMemorySize.0 = INTEGER: 126924 KBytes

Snmpwalk searches the MIB for every OID starting with the string you provided. So if you don’t know what to search for you can also start with “snmpwalk -v1 -c public localhost hr” or even “snmpwalk -v1 -c public localhost”, which displays a full list of MIBs. Snmpget, on the other hand, returns only the value that exactly matches the OID string. Look what happens when I snmpget the same object I walked before:

marge:~# snmpget -v1 -c public localhost hrMemorySize
Error in Packet
Reason: (noSuchName) There is no such variable name in this MIB.
Failed object: HOST-RESOURCES-MIB::hrMemorySize

So what happened here? We saw snmpwalk querying the parameter and snmpget saying that the requested object does not exist. The solution lies in the structure of OIDs. Many times the text aliases in a MIB only reference the OID branch and not the OID of the data, which is located in a leaf ending in an additional number like “.0” or “.1”. Watching the output of snmpwalk closely you can see “hrMemorySize.0” being displayed. When snmpgetting this value we get the expected output:

marge:~# snmpget -v1 -c public localhost hrMemorySize.0
HOST-RESOURCES-MIB::hrMemorySize.0 = INTEGER: 126924 KBytes
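To see what the snmpget above actually puts on the wire, here is an added example (my code, not from the thesis) that builds the SNMPv1 GetRequest for hrMemorySize.0 by hand with BER and decodes any SNMPv1 datagram back far enough to read the community string, which is why it counts as a plain-text password. It assumes the numeric OID 1.3.6.1.2.1.25.2.2.0 for hrMemorySize.0 (hrMemorySize is hrStorage 2 in HOST-RESOURCES-MIB); the query helper and the error-status table follow RFC 1157.

```python
"""SNMPv1 GetRequest built and decoded by hand (added example, not thesis code)."""
import socket
from typing import Tuple

# error-status values an agent may return in a GetResponse (RFC 1157)
ERROR_STATUS = {0: "noError", 1: "tooBig", 2: "noSuchName",
                3: "badValue", 4: "readOnly", 5: "genErr"}

# hrMemorySize.0: HOST-RESOURCES-MIB hrStorage (1.3.6.1.2.1.25.2), object 2, instance 0
HR_MEMORY_SIZE_0 = "1.3.6.1.2.1.25.2.2.0"


def ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_length(len(content)) + content


def encode_integer(value: int) -> bytes:
    """ASN.1 INTEGER: minimal two's-complement octets."""
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, value.to_bytes(n, "big", signed=True))


def encode_oid(dotted: str) -> bytes:
    """ASN.1 OBJECT IDENTIFIER: the first two arcs share one octet (40*x+y),
    every further arc is base-128 with the high bit set on all but the last octet."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str, request_id: int) -> bytes:
    """SNMPv1 message: SEQUENCE { version 0, community, GetRequest-PDU }."""
    varbind = tlv(0x30, encode_oid(oid) + b"\x05\x00")          # OID + NULL value
    pdu = tlv(0xA0, encode_integer(request_id)                    # GetRequest-PDU
              + encode_integer(0) + encode_integer(0)            # error-status, error-index
              + tlv(0x30, varbind))                               # VarBindList
    return tlv(0x30, encode_integer(0)                            # version-1 = 0
               + tlv(0x04, community.encode()) + pdu)            # community in the clear


def ber_read(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                    # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def parse_message(datagram: bytes) -> Tuple[int, str, int, str]:
    """Decode the outer layers of an SNMPv1/v2c datagram (request or response):
    (version, community, PDU tag, error-status name). Anyone capturing the
    packet can read the community string this way, no key needed."""
    tag, msg, _ = ber_read(datagram)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, p = ber_read(msg)
    _, comm, p = ber_read(msg, p)
    pdu_tag, pdu, _ = ber_read(msg, p)
    _, _req_id, q = ber_read(pdu)
    _, err, _ = ber_read(pdu, q)
    status = int.from_bytes(err, "big", signed=True)
    return (int.from_bytes(ver, "big", signed=True), comm.decode(),
            pdu_tag, ERROR_STATUS.get(status, str(status)))


def query(host: str, community: str, oid: str, timeout: float = 2.0) -> bytes:
    """Send one GetRequest to an agent on UDP/161 and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community, oid, 1), (host, 161))
        return sock.recv(4096)


if __name__ == "__main__":
    # offline demonstration of the datagram behind "snmpget -v1 -c public ... hrMemorySize.0"
    pkt = build_get_request("public", HR_MEMORY_SIZE_0, 1)
    print(pkt.hex())
    print(parse_message(pkt))   # -> (0, 'public', 160, 'noError')
```

Feeding an agent's "noSuchName" GetResponse (PDU tag 0xA2) to parse_message yields the same error name snmpget printed above.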
Now, to prepare the clients for use with MRTG, SNMP agents have to be installed and configured on the hosts. On Linux hosts I used “apt-get install snmpd” and configured them in the file /etc/snmp/snmpd.conf with the following lines for a very basic usage:

rocommunity public
disk /home
disk /var

These lines set the community password needed for the query to “public” and define two disk paths that will be monitored by my MRTG.
For Windows systems you have to install the SNMP agent in the Control Panel. Select “Add or Remove Programs” and then click “Add/Remove Windows Components”. In the components, select “Management and Monitoring Tools” where you will find an entry you can check labelled “Simple Network Management Protocol”. Windows will prompt you to insert the CD during installation. To configure the freshly installed service go to the Control Panel again and there choose “Administrative Tools”. Within these, click “Services”, which shows you a list of all services configured on this host. One of them is called “SNMP Service” and by double-clicking it you can open its properties. Open the “Security” tab, for it contains the settings for authentication traps, adding community names and setting their rights. You can also specify whether to accept SNMP packets from all hosts or not.

3.1.1.2 installing and configuring MRTG [6] [7] [8]

In order to install MRTG successfully, you need several libraries installed before mrtg. Notice that you may have some of them already on your system. You need the packages “zlib” (compresses the graphics you created), “libpng” (required by gd, creates *.png files) and “gd” (a basic graph drawing library). Last but not least you need mrtg, available at http://people.ee.ethz.ch/~oetiker/webtools/mrtg/pub. If you have all libraries installed you can

./configure --prefix=/usr/bin/mrtg

Otherwise you might need to specify where to find the libraries mentioned above. See “./configure --help” for more details. After “make” and “make install” you have mrtg installed at /usr/local/mrtg-2. Naturally you need to have a web server running to present the results of MRTG’s work. The document root for MRTG is “/var/www/mrtg” on my server.
For defining what to monitor in your network you have to create a “mrtg.cfg” file. You can either do this on your own or let the cfgmaker script (“home/mrtg/cfg”) do the dirty work. Read the cfgmaker manpage for further details and options of the script. If you prefer to write the configuration file on your own, read the mrtg-reference manpage. You can start mrtg with

/usr/bin/mrtg /etc/mrtg.cfg

There will be several complaints about missing log files the first time you start mrtg. Don’t worry about that, for they vanish after the third startup. When you have configured mrtg to your needs it will be more handy to start mrtg periodically from the crontab rather than manually:

*/5 * * * * root /usr/bin/mrtg /etc/mrtg.cfg

This will make mrtg launch every five minutes to gather current data and graph it. But now I want to take a closer look at the contents of “mrtg.cfg”. One sample section from the mrtg.cfg, graphing the percentage of free memory on the system:
CHAPTER 3. TESTING AND BENCHMARKING THE NETWORK 73

Title[server.mempercent]: Percentage Free Memory
PageTop[server.mempercent]: <H1> Percentage Free Memory </H1>
Target[server.mempercent]: (memAvailReal.0&memAvailReal.0:public@192.168.200.1) * 100 / (memTotalReal.0&memTotalReal.0:public@192.168.200.1)
Options[server.mempercent]: growright,gauge,transparent,nopercent
Unscaled[server.mempercent]: ymwd
MaxBytes[server.mempercent]: 30
YLegend[server.mempercent]: Memory %
ShortLegend[server.mempercent]: Percent
LegendI[server.mempercent]: Free
LegendO[server.mempercent]: Free
Legend1[server.mempercent]: Percentage Free Memory
Legend2[server.mempercent]: Percentage Free Memory

Above you have a small part of an mrtg.cfg file where the configuration for one monitored item is set. The structure of each entry is as follows:

Parameter[name of graph]: value

“LegendI” is the parameter for the input graph, “LegendO” for output; since there is little space on the graphs you have an expansion for the labels of both legends called “Legend1” (corresponding to LegendI) and “Legend2” (corresponding to LegendO). “YLegend” is the legend of the Y axis, the value you are trying to compare. The “Options” parameter provides graph formatting information. “Title” defines the title written on the summary page, “PageTop” the title for the detailed view page. “MaxBytes” defines the maximum amount of data MRTG will plot on a graph and “Unscaled[]: ymwd” sets the yearly, monthly, weekly and daily graphs unscaled, meaning that the highest value measured is not graphed close to the top (usually mrtg tries to adjust its graphs so that the largest value plotted on the graph is always close to the top). The “Target” parameter contains the MIB OIDs. Because MRTG always compares two values you have to provide two MIB OID objects as well as the community password and the IP address of the monitored host.
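The Target arithmetic is easiest to see with a small evaluator. This is an added example, not code from the thesis or from MRTG itself: it parses the Parameter[name]: value lines of the section above, pulls the OID&OID:community@host pairs out of Target, applies the arithmetic element-wise to the (input, output) pair the way MRTG does, and drops a reading that exceeds MaxBytes, which MRTG ignores (see the mrtg-reference manpage). The SNMP values fed in are constructed samples, not live queries.

```python
"""Evaluate an MRTG Target expression over sample SNMP values (added example)."""
import ast
import re
from typing import Dict, Optional, Tuple

LINE_RE = re.compile(r"^(\w+)\[([^\]]+)\]:\s*(.*)$")
TARGET_RE = re.compile(r"([\w.]+)&([\w.]+):(\w+)@([\w.]+)")

# the memory section from above, joined onto single lines (constructed sample)
SAMPLE_CFG = """\
Title[server.mempercent]: Percentage Free Memory
Target[server.mempercent]: (memAvailReal.0&memAvailReal.0:public@192.168.200.1) * 100 / (memTotalReal.0&memTotalReal.0:public@192.168.200.1)
Options[server.mempercent]: growright,gauge,transparent,nopercent
MaxBytes[server.mempercent]: 30
"""

Pair = Tuple[float, float]          # MRTG always carries an (input, output) pair


def parse_cfg(text: str) -> Dict[str, Dict[str, str]]:
    """Group 'Parameter[name]: value' lines by graph name."""
    graphs: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            key, name, value = m.groups()
            graphs.setdefault(name, {})[key] = value
    return graphs


def split_target(expr: str):
    """Replace every OID pair with a placeholder name; return the bare arithmetic
    expression and the placeholder -> (in_oid, out_oid, community, host) map."""
    refs: Dict[str, Tuple[str, str, str, str]] = {}

    def sub(m: re.Match) -> str:
        name = f"t{len(refs)}"
        refs[name] = m.groups()
        return name

    return TARGET_RE.sub(sub, expr), refs


def evaluate_target(expr: str, samples: Dict[Tuple[str, str], float]) -> Pair:
    """samples maps (host, oid) -> value. The expression is walked as an AST,
    so config text is never handed to eval()."""
    arith, refs = split_target(expr)
    ops = {ast.Add: lambda a, b: a + b, ast.Sub: lambda a, b: a - b,
           ast.Mult: lambda a, b: a * b, ast.Div: lambda a, b: a / b}

    def ev(node: ast.AST) -> Pair:
        if isinstance(node, ast.Constant):           # a literal like 100 applies to both
            return (node.value, node.value)
        if isinstance(node, ast.Name):               # one OID pair fetched from one host
            in_oid, out_oid, _community, host = refs[node.id]
            return (samples[(host, in_oid)], samples[(host, out_oid)])
        if isinstance(node, ast.BinOp) and type(node.op) in ops:
            left, right = ev(node.left), ev(node.right)
            op = ops[type(node.op)]
            return (op(left[0], right[0]), op(left[1], right[1]))
        raise ValueError(f"unsupported Target syntax: {ast.dump(node)}")

    return ev(ast.parse(arith, mode="eval").body)


def apply_maxbytes(pair: Pair, maxbytes: float) -> Optional[Pair]:
    """MRTG discards a reading above MaxBytes; None means 'not logged'."""
    return None if max(pair) > maxbytes else pair


def free_memory_reading(avail_kb: float, total_kb: float,
                        cfg: str = SAMPLE_CFG) -> Optional[Pair]:
    """Run one pair of sample values through the server.mempercent section."""
    graph = parse_cfg(cfg)["server.mempercent"]
    host = "192.168.200.1"
    samples = {(host, "memAvailReal.0"): avail_kb, (host, "memTotalReal.0"): total_kb}
    return apply_maxbytes(evaluate_target(graph["Target"], samples),
                          float(graph["MaxBytes"]))


if __name__ == "__main__":
    print(free_memory_reading(31731, 126924))   # (25.0, 25.0): logged
    print(free_memory_reading(63462, 126924))   # None: above MaxBytes 30, ignored
```

The second call shows the side effect of a MaxBytes below the value range a gauge can reach: the sample is silently dropped rather than plotted.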
CHAPTER 3. TESTING AND BENCHMARKING THE NETWORK 74

After you have finished your configuration you have to generate the HTML file that can be opened in the browser with

indexmaker --output=/var/www/mrtg/index.html /etc/mrtg.cfg

Now you can access your graphs at http://bart.sylvia.test/mrtg/index.html. I chose to monitor several hosts, so I wrote an mrtg.cfg file for each host (don’t forget to add those to the crontab as well). See the appendix for a full mrtg.cfg file for Linux. Monitoring Windows machines works the same way, except for some different MIBs you have to use. I wanted to monitor the same objects I did with the Linux machines but left out the disk monitoring (for it isn’t as interesting here). Nearly all OIDs could be re-used except for the CPU monitoring. If you are curious how I found out which OID to use, check out www.somix.com, for they provide a full repository of OIDs for all kinds of devices and snippets you can copy and paste into your mrtg file.

Figure 3.1: Screenshot of http://www.sylvia.test/mrtg/index.html showing monitored details of bart.sylvia.test
CHAPTER 3. TESTING AND BENCHMARKING THE NETWORK 75

3.1.2 Smokeping [9]

SmokePing is a latency measurement tool that can measure, store and display latency, latency distribution and packet loss. You can configure SmokePing to trigger alarms for thresholds or for certain loss patterns. It can even handle dynamic addressing by comparing SNMP fingerprints. For a working installation of SmokePing you need several other packages beforehand: RRDtool (for graphing), FPing (reports round trip times), a working web server installation like apache (it has to run CGI scripts), Perl, SpeedyCGI (SmokePing is optimized for its use and it speeds up perl scripts dramatically) and CGI::Carp.
If this seems too much work you can also take the lazy way as I did with “apt-get install smokeping”. I installed SmokePing on marge.sylvia.test and snowball.sylvia.test in order to have round trip times from each network. After configuring /etc/smokeping/config you can watch it updating every five minutes. The files and graphs produced are stored in /var/www/smokeping. Search the appendix for a sample /etc/smokeping/config file.

3.1.3 bing [10]

Bing is a tool that measures the bandwidth of connections. It computes the throughput between two nodes by producing two sizes of ICMP ECHO_REQUESTs. It is available as *.deb and therefore can be installed via “dpkg -i *.deb”. After bing is installed you can use it with the command

bing client1 client2

with client1 being the source node and client2 the destination (example: bart:~# bing bart snowball), producing output like the one shown in Figure 3.3.
Read the bing man page for detailed information about the options provided by bing, such as -D for displaying the measured throughput for each packet received, -u <number> for increasing the packet size of each ECHO_REQUEST or -f <filename> for saving the results to the file <filename>.

Figure 3.2: Screenshot of Last 3 and Last 30 hours roundtrip measurements taken from marge to bart

Figure 3.3: output when using bing

3.1.4 iperf [11] [12]

Iperf was developed to be a modern and easy-to-use alternative to other TCP and UDP bandwidth measuring tools. It measures bandwidth, packet loss and jitter. The server can handle multiple connections, you can create UDP streams of a specified bandwidth, it is multicast and IPv6 capable, it can run for a specified time rather than for an amount of data to transfer, and much more. Iperf can be obtained at the homepage linked above for both Linux and Windows environments. “apt-get install iperf” can shorten the installation, for the homepage only provides sources. A simple test is started with

snowball:~# iperf -s
bart:~# iperf -c snowball

The first command starts the server on snowball with the default port 5001 (to open the server on port 3000 type “iperf -s -p 3000”). The second command starts the client on bart pointing to the server “snowball” (“iperf -c snowball -p 3000” for port 3000). The output produced looks like this:

--------------------------------------------------
Client connecting to snowball, TCP port 5001
TCP window size: 16.0 KByte (default)
--------------------------------------------------
[ 3] local 10.8.0.2 port 3906 connected with 192.168.201.1 port 5001
[ 3] 0.0-10.0 sec 12.8 MBytes 10.7 Mbits/sec

For UDP testing simply add “-u”:

snowball:~# iperf -s -u
bart:~# iperf -c snowball -u
CHAPTER 3. TESTING AND BENCHMARKING THE NETWORK 78

3.1.5 netperf [13]

Netperf is a benchmark that is used to measure the performance of different types of networking. It provides tests for unidirectional throughput as well as end-to-end latency. You can either download the sources and do the installation yourself or “apt-get install netperf”. Doing the installation yourself requires a folder /opt/netperf before installing. You can either run the service via inetd or as a standalone service. For netperf being run by inetd you need the line “netperf 12865/tcp” in your /etc/services file and the line “netperf stream tcp nowait root /opt/netperf/netserver netserver” in your /etc/inetd.conf file. After restarting inetd with “kill -HUP <pid of inetd>” the service should be registered with inetd. I chose to run the service standalone, starting netserver manually by typing

snowball:~# netserver -p <port number>
bart:~# netperf -H snowball -p <port number>

The second line starts the client and connects to the host running the netperf server, snowball, at the given port, producing the following results:

TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to snowball.sylvia.test (192.168.201.1) port 0 AF_INET
Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    10^6bits/sec

87380  16384   16384    10.02    14.47

3.1.6 netio [14]

Netio measures the net throughput of a network via TCP/IP (and NetBIOS on Windows and OS/2) using various packet sizes. This is done with 6 different packet sizes, each with 10 seconds of testing duration. A huge advantage is its compatibility with every operating system. You can download it at http://ftp.leo.org/historic/comp/os/os2/leo/systools/netio123.zip, which contains binaries for Linux, Windows and OS/2.

snowball:~# /home/elsylo/download/netio/bin/linux-i386 -s
bart:~# /home/elsylo/download/netio/bin/linux-i386 -t snowball

The first command starts the server for TCP and UDP connections, the second command starts the client for a TCP test to the server “snowball” (if needed you can also specify the port to test with the option “-p<portnumber>”, appended to the first command and written before the server address in the client command). The output produced looks like this:

NETIO - Network Throughput Benchmark, Version 1.23
(C) 1997-2003 Kai Uwe Rommel
TCP connection established.
Packet size 1k bytes: 962 KByte/s Tx, 1507 KByte/s Rx.
Packet size 2k bytes: 1358 KByte/s Tx, 1387 KByte/s Rx.
Packet size 4k bytes: 1398 KByte/s Tx, 1402 KByte/s Rx.
Packet size 8k bytes: 1409 KByte/s Tx, 1391 KByte/s Rx.
Packet size 16k bytes: 1410 KByte/s Tx, 1411 KByte/s Rx.
Packet size 32k bytes: 1482 KByte/s Tx, 1408 KByte/s Rx.
Done.

3.1.7 netbench [15]

Netbench is a portable benchmark program that measures how well a file server handles file I/O requests from Windows clients by sending network file operations to the server. It reports throughput as well as client response time. When downloading the software you will have “SETUP.EXE” files for both the controller and the client. Installing netbench is done in four simple steps: first you have to execute the setup for the controller, then modify the client ID file. The client ID file can be found on the controller in the directory <CONTROLLER_DIR>\CLIENTIDS\CLIENT.CDB. For each client in your testing environment you have to add an entry containing its IP address and a unique identifier. Then go to each client and execute the client’s SETUP.EXE. On the clients you have to modify the hosts file residing at <WINDOWS>\system32\drivers\etc with an entry for the controller looking like this: “192.168.200.12 controller”.
To start the test choose “Start Log In” from the “Clients” menu on your controller. The controller now awaits incoming connections from clients. Before you can start testing you need each client to map the server volume to drive F: (you could of course choose another drive letter, which requires additional modifications). On each client now start the netbench client software. When you return to the controller you will see an entry starting with a yellow circle for each connected client. After clicking “Yes” you can proceed to adding a test suite with several tests to choose from (I decided to use DM.TST). Then enter the result file and watch it benchmarking.

3.1.8 sipp [16] [17]

SIPp is an Open Source test tool and traffic generator for the SIP protocol. It works with integrated scenarios establishing and releasing multiple calls with INVITE and BYE methods. It dynamically displays statistics about round trip delay or call rate. It can be used for various kinds of SIP equipment and is very useful for emulating thousands of user agents calling your SIP system. Run the embedded server scenario
/usr/src/sipp/sipp -sn uas
and on the same host the embedded client scenario
/usr/src/sipp/sipp -sn uac 127.0.0.1
There are different scenarios available for SIPp and you can also create your own XML scenarios for testing. The software can be obtained with a simple “apt-get install sipp”.

Figure 3.4: Screenshot of a SIPp Output

3.1.9 copying files

“Copying files” is no brand new piece of software testing your network to the bones, but rather the old-fashioned and easily comparable idea of measuring the time it takes to copy files. I chose to copy several different sizes of files from the file server homer.sylvia.test to all clients. For Linux-based computers I mounted the share with file system smbfs, and by adding “time” before the copy command the duration of the activity is simply written back to you.
test1: 200 times 512 Bytes
test2: 100 times 1 KB
test3: 40 times 25 KB
test4: 30 times 1 MB
test5: once 1 GB

3.1.10 digging DNS

Another simple but important thing to check in your network is how long
it takes to dig a hostname.
time dig snowball.sylvia.test

3.1.11 open a file from a share

An everyday task and very likely an everyday annoyance is to open a file you work on from a network share. I assumed one big and one small file for a word processor and for a spreadsheet lying on the server and being accessed from my clients in the network. These are apu, lisa and nelson, with apu and nelson having both Microsoft Office and OpenOffice installed. Lisa, the SUSE client, only provides OpenOffice. Then I measured the time it takes, with the specified program already opened, until the file was fully loaded.

3.1.12 downloading files

Measuring the time it takes to download files of various sizes from a web server is the next test I ran. Since I didn’t want traffic from the internet interfering with my analysis, I decided to load the files from an internal web server used by the Berufsförderungsinstitut Burgenland. The files downloaded are pictures with file sizes 80 KB, 250 KB and 2,74 MB.

3.1.13 ethereal [18]

Ethereal is not really a benchmarking tool but has a lot to do with testing your network, and that’s why I chose to add this tool to this chapter. Ethereal is a network packet analyzer trying to capture network packets and dissect them into maximum detail. It takes every packet sent in a network (and that’s why I switched from using a switch to using a hub in my lab) and displays everything starting from the header and ending at the real data embodied. Ethereal is the first open source tool providing this amount of features and assists you in troubleshooting your network, examining security problems, debugging protocols and learning the internals of a protocol. There are many other advantages connected to the use of Ethereal like the support for all major platforms, detailed protocol information, several filter possibilities, various statistics, and so on.
Since I don’t have a GUI installed on any of my Linux computers, I installed Ethereal on some Windows hosts. Installing Ethereal on Debian works with “apt-get install ethereal”. For Windows you need to download the binary at the web site cited above and start the setup. Since Ethereal version 0.10.12 the WinPcap installer has become part of the Ethereal installer, so you don’t need to worry about forgetting it anymore. When Ethereal is installed you need to choose which interface to monitor in the “Capture” menu. The entry “Interfaces ...” will open a dialog containing all interfaces Ethereal found on your host. Once you have chosen an interface you can start a new capture by clicking “Start” in the same menu. You will see a small window with the number of packets captured with the corresponding protocol. When stopping the live capture the captured data is loaded and you have one line for each packet. In newer versions you even have a color scheme flagging certain kinds of protocols. When clicking one of the packets the entry is highlighted and the details are displayed below.
You will find several Ethereal sniffs throughout my thesis because, and I really want to emphasize this, it helped me solve nearly every problem I experienced.

3.1.14 tcpdump [19]

When mentioning Ethereal I also have to mention its command-line based equivalent tcpdump, which helped me sniff packets on those PCs without a graphical interface. Installed with “apt-get install tcpdump”, it provides output that is not as easy to read but just as interesting as that known from Ethereal.

3.1.15 nmap [20]

Not only known to network administrators but also from the movie “The Matrix Reloaded”, nmap is another tool I used to scan my hosts for open ports. It detects open ports, the services running and the operating system used. In a network it is used for penetration testing and for general computer security. Unlike other tools aiming at assessing host vulnerabilities, nmap is built not to interfere with the normal operation of the networks or computers scanned.
Bibliography

[1] Oetiker, Rand: MRTG Multi Router Traffic Grapher (2005). http://people.ee.ethz.ch/~oetiker/webtools/mrtg (2005-12-06)
[2] Linux Home Networking: Advanced MRTG for Linux (2005). http://www.linuxhomenetworking.com/linux-hn/mrtg-advanced.htm (2005-12-06)
[3] Windowsnetworking: Introduction to the Simple Network Management Protocol (SNMP) Part 1. http://www.windowsnetworking.com/articles_tutorials/Introduction-SNMP-Part1.html (2005-12-06)
[4] OpManager - Network Monitoring Software: Installing SNMP agent on Windows Systems (2005). http://manageengine.adventnet.com/products/opmanager/help/user_guide/snmp_installation/install_snmp_win.html (2005-12-06)
[5] OpManager - Network Monitoring Software: Configuring SNMP Agents (2005). http://manageengine.adventnet.com/products/opmanager/help/user_guide/snmp_installation/conf_snmp_agents.html (2005-12-06)
[6] Linux et autres sottises 2003: mrtg.cfg (2003). http://www.linux-sottises.net/mrtg/linux-sottises.cfg (2005-12-07)
[7] Somix: The MIB archive (2005). http://www.somix.com/support/mib_resources.php (2005-12-07)
[8] Somix: MRTG Repository (2005). http://www.somix.com/support/mrtg_repository.php (2005-12-07)
[9] Tobias Oetiker: About SmokePing (2005). http://people.ee.ethz.ch/~oetiker/webtools/smokeping/ (2005-12-07)
[10] SecRobot: Bing - Measures bandwidth between two point-to-point connections (2003). http://linux.maruhn.com/sec/bing.html (2005-12-07)
[11] Distributed Applications Support Team: Iperf Version 2.0.2 (2005). http://dast.nlanr.net/Projects/Iperf (2005-12-07)
[12] Distributed Applications Support Team: Iperf Version 1.1.1 (2005). http://dast.nlanr.net/Projects/Iperf1.1.1 (2005-12-07)
[13] Rick Jones: Welcome to Netperf Homepage (2005). http://www.netperf.org/netpwerf/NetperfPage.html (2005-12-07)
[14] network lab: Netzwerkperformance mit NetIO messen (2005). http://www.nwlab.net/art/netio/netio.html (2005-12-07)
[15] VeriTest: NetBench (2002). http://www.veritest.com/benchmarks/netbench/default.asp (2005-12-07)
[16] hp: SIPp Welcome to SIPp (2005). http://sipp.sourceforge.net/ (2005-12-07)
[17] hp: SIPp Reference documentation v1.1 (2005). http://sipp.sourceforge.net/doc1.1/reference.html#Main+features (2005-12-07)
[18] Ethereal: Powerful Multi-Platform Analysis (2005). http://www.ethereal.com (2005-12-07)
[19] www.tcpdump.org: tcpdump/libpcap (2005). http://www.tcpdump.org/ (2005-12-07)
[20] insecure.org: What is your operating system letting others do? (2005). http://www.insecure.org/nmap/ (2005-12-07)
Chapter 4

Theory of IPv6

The Internet Protocol IP is a best effort datagram service and the version widely used by now is 4. This version was also the first version of IP in production use and formed the basis of the current Internet. It has been described by IETF RFC 791, first published in 1981. The addressing scheme of 32 bit limits the number of addresses to 4.294.967.295, which seemed to be enough back then. Through bad address distribution and a shortsighted idea of how much the internet would grow, addresses are near to exhaustion. A USA-centric view of the internet also made it possible that a single college got a bigger address range than the whole of China. There have been some approaches to this issue like tighter control by Regional Internet Registries, network renumbering, DHCP, NAT and of course the introduction of IPv6. Predictions from the year 2004 claim an address pool exhaustion for 2016 and a complete exhaustion for 2023. Although predictions in the field of computer science are always a bit vague, the need for IP addresses will additionally grow with the new market of mobile and domestic devices, which will sooner or later make it inevitable to introduce IPv6.
One huge limitation of IPv4 is the address shortage discussed above. All measures taken against this problem could not solve it as a whole without imposing other troubles. E.g. take a look at NAT: Network administrators around the world got used to having public and private addresses in their networks, translating private into public addresses and vice-versa in order to reach the internet, with the disadvantage of creating a performance and application bottleneck.

CHAPTER 4. THEORY OF IPV6 87

Another need for the change in the protocol is to scale down the number of routing table entries in backbone routers, which is currently near 85.000 entries. With a growing network infrastructure the need for easier configuration of hosts in the network was also an issue lacking a solution when using IPv4. Because the majority of all attacks on a network come from within a company, people also demand security comprising authentication and encryption at IP level. In addition to this, supporting QoS for production use is demanded. All these concerns are handled by IPv6.
In this chapter I will talk about the key features of IPv6 and why I think, together with countries like Japan and China or institutions like the Pentagon (switching to IPv6 in 2006), that IPv6 is the future and that we can not overcome the difficulties we have with IPv4 by inventing more and more makeshifts.

4.1 IPv6 Addresses [1] [2]

The most obvious reason for switching to IPv6 is of course the address space. Instead of 32 bit with IPv4 we now can use 128 bit with IPv6, providing the unbelievable number of 340.282.366.920.938.463.463.374.607.431.768.211.456 possible addresses. The decision to make the address 128 bits long was made in order to provide hierarchical routing domains. An address assigned to an interface is composed of a 64-bit subnet identifier and a 64-bit interface identifier. Similar to the way the address space was allocated with IPv4, the high-order bits in IPv6 addresses define several address types as well. These high-order bits are also called Format Prefix (FP).
Global unicast addresses 001
Link-local unicast addresses 1111 1110 10
Site-local unicast addresses 1111 1110 11
Multicast addresses 1111 1111

Above you see the high-order bits for the most important kinds of addresses. But let’s talk about the syntax of an IPv6 address first.

We already know that an IPv6 address is represented by 128 bits. IPv4 addresses consist of 32 bit with each 8 bits represented as a decimal number from 0 to 255. Doing the same with IPv6 addresses would result in 16 decimal numbers which, we know from practical use, no one would remember. Rather than using decimal numbers the hexadecimal numbering system is used. Here you have 8 hex-numbers each representing 16 bits. For those needing to remember addresses this has the advantage of a shorter address, and everyone else not able to read hex doesn’t need to remember them anyway, for end users will usually prefer names over addresses. The hex-numbers within an address are separated by colons and long sequences of zeros can be represented by a double colon (but only once).
FF02:30:0:0:0:0:0:5
can be represented as FF02:30::5
2001:16d8:0:0:4:0:0:1
can be represented as 2001:16d8::4:0:0:1
In the first example I simply left out the 5 zeroes and substituted them with ::. The second example is a bit more complicated, for we have two sequences of zeros that could be substituted. In these cases the first sequence of zeros is substituted and the second has to be written as usual. Otherwise you would have no chance of finding out how many zeros are left out at each double colon. To find out how many hex-zeros are represented by a double colon simply count the number of hex-blocks in the address and subtract it from 8.
There are three types of addresses used with IPv6:
• Unicast
• Multicast
• Anycast
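The expansion and compression rules above and the Format Prefix table, as an added example that is not part of the thesis: expand() applies the counting rule (hex groups present, subtracted from 8), compress() chooses the zero run to replace and format_prefix() classifies an address by its high-order bits. The function names and the handling of an embedded IPv4 tail (w.x.y.z) are my own choices; when two zero runs have the same length the first one is compressed, as in the thesis’s second example.

```python
"""Added example (not from the thesis): IPv6 text rules written out by hand.
Output is lower-case, the thesis writes its examples in upper case."""
import re

HEX_GROUP = re.compile(r"^[0-9a-fA-F]{1,4}$")

# Format Prefixes from the table above: (number of high-order bits, value, type).
FORMAT_PREFIXES = [
    (8, 0b11111111, "multicast"),
    (10, 0b1111111010, "link-local"),
    (10, 0b1111111011, "site-local"),
    (3, 0b001, "global unicast"),
]


def _ipv4_tail_to_groups(dotted):
    """An embedded IPv4 tail (w.x.y.z) becomes two 16-bit hex groups."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("bad embedded IPv4 address: %s" % dotted)
    return ["%02x%02x" % (octets[0], octets[1]),
            "%02x%02x" % (octets[2], octets[3])]


def _groups(text):
    """Split one side of a '::' into zero-padded lower-case groups."""
    groups = text.split(":") if text else []
    if groups and "." in groups[-1]:
        groups = groups[:-1] + _ipv4_tail_to_groups(groups[-1])
    for group in groups:
        if not HEX_GROUP.match(group):
            raise ValueError("bad hex group: %r" % group)
    return ["%04x" % int(group, 16) for group in groups]


def expand(address):
    """Return the full eight-group form, e.g. 'ff02:0030:0000:...:0005'."""
    if address.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in address:
        left, right = (_groups(side) for side in address.split("::"))
        missing = 8 - len(left) - len(right)   # the counting rule from the text
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = left + ["0000"] * missing + right
    else:
        groups = _groups(address)
    if len(groups) != 8:
        raise ValueError("expected 8 groups, got %d" % len(groups))
    return ":".join(groups)


def compress(address):
    """Shortest form: leading zeros dropped, the longest run of two or more
    zero groups (the first one on a tie) replaced by '::'."""
    groups = [g.lstrip("0") or "0" for g in expand(address).split(":")]
    best_start, best_len = -1, 1          # a lone zero group is left as '0'
    run_start = None
    for i, group in enumerate(groups + ["end"]):   # sentinel closes a last run
        if group == "0":
            if run_start is None:
                run_start = i
        elif run_start is not None:
            if i - run_start > best_len:   # strictly longer, so the first run wins a tie
                best_start, best_len = run_start, i - run_start
            run_start = None
    if best_start < 0:
        return ":".join(groups)
    head = ":".join(groups[:best_start])
    tail = ":".join(groups[best_start + best_len:])
    return head + "::" + tail


def format_prefix(address):
    """Name the address type from its Format Prefix (high-order bits)."""
    value = int(expand(address).replace(":", ""), 16)
    if value == 0:
        return "unspecified"
    if value == 1:
        return "loopback"
    for bits, prefix, name in FORMAT_PREFIXES:
        if value >> (128 - bits) == prefix:
            return name
    return "other"


if __name__ == "__main__":
    for text in ("FF02:30:0:0:0:0:0:5", "2001:16d8:0:0:4:0:0:1", "::ffff:192.0.2.128"):
        print(text, "->", compress(text), "(%s)" % format_prefix(text))
```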

4.1.1 Unicast IPv6 addresses

4.1.1.1 Global addresses [3]

This kind of address is identified by an FP of 001 and according to its scope can be compared to public IPv4 addresses. A global address therefore either starts with 2xxx: or 3xxx:, with x representing a hex-digit. These addresses are globally reachable and routable, and because of a better structure of the address hierarchical routing is possible. A global address is made up of a routing prefix, a subnet identifier and an interface identifier. In theory each part can have any size, but in practice the routing prefix is made up of 48 bits, the subnet ID (a number identifying the subnet within a site) of 16 bits, and the remaining 64 bits are used for the interface ID.

Figure 4.1: The structure of a global address [3]

4.1.1.2 Link-local address

A link-local address is derived by stateless autoconfiguration and is identified by an FP of 1111 1110 10, or in hex: fe8x, fe9x, feax, febx with x representing a hex-digit. At the moment only fe8x is used for link-local addressing, with x usually being “0”. This address is configured in order to provide communication with neighbours, like: Anyone else here? and Anyone with a special address here (e.g. a router)? Packets with a link-local destination address are never routed. Link-local addresses are therefore only used on a particular local link, i.e. a physical network, and are used for “Neighbor Discovery”, which I will describe later on. A link-local address therefore is composed of a 64-bit link-local prefix and a 64-bit Interface identifier.

4.1.1.3 Site-local address

Site-local addresses are defined by an FP of 1111 1110 11, or in hex by fecx, fedx, feex or fefx with x representing a hex-digit. These addresses can be compared to the private addresses used with IPv4 such as 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. These addresses have the scope of a site or an entire organization and therefore border routers must not route traffic outside a site. Site-local addresses are not assigned automatically but either through stateful or stateless address autoconfiguration (see radvd for this issue). The structure of these addresses is very similar to a global address, for it is composed of a 48-bit fixed identifier like fec0::/48, a 16-bit site ID and a 64 bit interface ID. This implies that you can also build network routes using only site-local interfaces within the site. Remember that you can assign these addresses regardless of using global addresses as well - an IPv6 enabled interface can have several different IP addresses. If you want to know more about this kind of addressing read RFC 1918.
Note: There have been considerations on deprecating site-local addresses although they are very useful for testing purposes. See RFC 3879.

4.1.1.4 Special addresses

4.1.1.4.1 Unspecified address The unspecified address 0:0:0:0:0:0:0:0, represented by ::, is only used in absence of an address and can not be used as a destination address.

4.1.1.4.2 Loopback address 0:0:0:0:0:0:0:1, or short ::1, is the loopback address for an interface. Remember the IPv4 loopback address of 127.0.0.1.

4.1.1.4.3 Privacy extensions When using a non-changing interface identifier in order to form an address the risk is very high that a strategically placed sniffer can find out a lot about you. Eavesdroppers and other persons or organizations interested in what you are doing may find out what you do and when you do it, which imposes huge security and privacy problems. In order to prevent that, privacy extensions (described in RFC 3041) can be generated by appending a computed identifier, made up from your MAC address and a randomly chosen number, to your prefix. This address is valid for a predefined period of time (some hours to a few days) and makes it more difficult to keep track of your online activities. Sysadmins in companies won’t like this, since it will impose problems with accounting, access lists and other address based rules.

4.1.1.5 Compatibility addresses

In order to facilitate the transition from IPv4 to IPv6 there are several types of addresses to provide coexistence of the two protocols.

4.1.1.5.1 IPv4-compatible addresses An IPv4-compatible address is written 0:0:0:0:0:0:w.x.y.z or ::w.x.y.z, with the last 32 bit representing the IPv4 address. Note that this transition mechanism is no longer used. It was used by IPv6/IPv4 nodes communicating with IPv6 over an IPv4 network.

4.1.1.5.2 IPv4-mapped addresses The structure of this address is defined as 0:0:0:0:0:ffff:w.x.y.z, with the last 32 bit representing the IPv4 address, and is used for internal representation of an IPv4-only node to an IPv6 node. It is normally used to represent IPv4 addresses to IPv6 applications. The big advantage here is that servers providing a service for both IPv4 and IPv6 only need one listening socket.
IPv4 address: 192.0.2.128
IPv4-mapped address: ::ffff:192.0.2.128
or ::ffff:c000:280

4.1.1.5.3 6over4 addresses 6over4 is a transition mechanism meant to transmit IPv6 packets between dual-stack nodes using IPv4 as a virtual data link layer on which IPv6 can be run. A host wanting to join this 6over4 network can set up a virtual IPv6 interface with a link-local address derived as follows: the unicast 64-bit prefix (fec0::/64 in this example) and the appended hexadecimal representation of the IPv4 address.
IPv4 address: 192.0.2.128
6over4 address: fec0::c000:280

Suggested further reading is RFC 2529.
Note: ISATAP is a more complex alternative to 6over4 and does not rely on IPv4 multicast.

4.1.1.5.4 6to4 addresses 6to4 addresses are used together with a special tunneling mechanism that is used to provide unicast IPv6 connectivity between IPv6 sites across the IPv4 network. The address is made up of the following parts:
2002:wwxx:yyzz:SubnetID:InterfaceID
IPv4 address: 192.0.2.128 on site number 5
6to4 address: 2002:c000:280:5:[InterfaceID]
For sending a packet through this configuration the IPv6 packet is embedded in an IPv4 header and the protocol type of the IPv4 header is set to “41”. The destination address is retrieved from the 32 bits in the 6to4 address representing the IPv4 address.
See RFCs 3056, 2893, 3068 and 3964 for further information.

4.1.1.5.5 ISATAP addresses ISATAP is a transition mechanism transmitting IPv6 packets between dual-stack nodes on top of an IPv4 network without requiring IPv4 to support multicast. An ISATAP (Intra-site Automatic Tunnel Addressing Protocol) address is derived from a 64-bit unicast prefix, an appended :0:5efe: part and the IPv4 address.
ISATAP Prefix for link-local: fe80:0:0:0:0:0:5efe:
IPv4 address: 192.0.2.128
ISATAP address: fe80::5efe:c000:280
ISATAP techniques can also be used together with global address prefixes. Like 6over4 and 6to4, ISATAP addresses contain the IPv4 addresses that can be used to derive the IPv4 destination address from when tunneling the traffic through the IPv4 network.
See RFC 4214 for more details on ISATAP.
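The four address forms from 4.1.1.5.2 to 4.1.1.5.5, built from an IPv4 address with the standard-library ipaddress module, as an added example that is not the thesis’s own code. The helper names are mine; 192.0.2.128 and site number 5 are the values used in the text, and embedded_ipv4() performs the reverse step the text describes for 6to4, recovering the IPv4 destination a tunnel endpoint would send the encapsulated packet to.

```python
"""Added example (not from the thesis): IPv4-embedding transition addresses."""
import ipaddress

MAPPED_PREFIX = 0xffff << 32          # ::ffff:0:0/96 (IPv4-mapped)
SIXTOFOUR_PREFIX = 0x2002 << 112      # 2002::/16 (6to4)
ISATAP_IID_HIGH = 0x5efe << 32        # interface ID 0000:5efe:w.x.y.z (ISATAP)
LOW32 = 0xffffffff


def _ipv4_int(ipv4):
    return int(ipaddress.IPv4Address(ipv4))


def _prefix64_int(prefix):
    """Integer value of a /64 prefix given as 'fec0::/64' or just 'fec0::'."""
    network = ipaddress.IPv6Network(prefix if "/" in prefix else prefix + "/64",
                                    strict=False)
    if network.prefixlen != 64:
        raise ValueError("a 64-bit prefix is required, got /%d" % network.prefixlen)
    return int(network.network_address)


def ipv4_mapped(ipv4):
    """::ffff:w.x.y.z, how a dual-stack listening socket sees an IPv4 peer."""
    return ipaddress.IPv6Address(MAPPED_PREFIX | _ipv4_int(ipv4))


def six_over_four(ipv4, prefix="fec0::/64"):
    """Unicast /64 prefix with the IPv4 address as the low 32 bits."""
    return ipaddress.IPv6Address(_prefix64_int(prefix) | _ipv4_int(ipv4))


def six_to_four(ipv4, subnet_id, interface_id):
    """2002:wwxx:yyzz:SubnetID:InterfaceID."""
    if not 0 <= subnet_id < 1 << 16:
        raise ValueError("subnet_id must fit in 16 bits")
    if not 0 <= interface_id < 1 << 64:
        raise ValueError("interface_id must fit in 64 bits")
    value = SIXTOFOUR_PREFIX | _ipv4_int(ipv4) << 80 | subnet_id << 64 | interface_id
    return ipaddress.IPv6Address(value)


def isatap(ipv4, prefix="fe80::/64"):
    """prefix:0:5efe:w.x.y.z; the prefix may be link-local or global."""
    return ipaddress.IPv6Address(_prefix64_int(prefix) | ISATAP_IID_HIGH | _ipv4_int(ipv4))


def embedded_ipv4(address, six_over_four_prefix=None):
    """Return (IPv4Address, kind) for an address whose structure carries the
    IPv4 tunnel endpoint, or (None, 'none'). A 6over4 address is only
    recognisable when its prefix is known, so that prefix is passed in."""
    value = int(ipaddress.IPv6Address(address))
    if value >> 32 == 0xffff:                       # ::ffff:0:0/96
        return ipaddress.IPv4Address(value & LOW32), "ipv4-mapped"
    if value >> 112 == 0x2002:                      # 2002::/16, IPv4 in bits 80..111
        return ipaddress.IPv4Address((value >> 80) & LOW32), "6to4"
    if (value >> 32) & LOW32 == 0x5efe:             # interface ID 0000:5efe:...
        return ipaddress.IPv4Address(value & LOW32), "isatap"
    if six_over_four_prefix is not None and \
            value >> 64 == _prefix64_int(six_over_four_prefix) >> 64:
        return ipaddress.IPv4Address(value & LOW32), "6over4"
    return None, "none"


if __name__ == "__main__":
    v4 = "192.0.2.128"                  # the address used in the text
    print("IPv4-mapped:", ipv4_mapped(v4))
    print("6over4:     ", six_over_four(v4))
    print("6to4:       ", six_to_four(v4, subnet_id=5, interface_id=0))
    print("ISATAP:     ", isatap(v4))
```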

4.1.1.5.6 Teredo addresses Teredo, also known as IPv4 NAT traversal for IPv6, provides tunneling mechanisms via UDP encapsulation through NAT for IPv6 traffic. Protocol 41, as set in the IPv4 header used to embed IPv6 traffic, is not a common feature of NAT, and therefore this kind of traffic might not traverse NAT. UDP packets on the other hand can be translated by most NATs and can even flow through multiple layers of NAT. The Teredo technology is only used by Windows XP and Windows 2003 and is said to be a last resort transition technique. With more and more NATs supporting 6to4, Teredo will be used less and less until discarded. The Teredo prefix is 3ffe:831f::/32.
Further reading is RFC 3904.

4.1.1.6 Interface Identifier [4] [5]

Several addresses discussed above like the global, the link-local and the site-local address are composed of a prefix and a 64-bit Interface Identifier. Let’s take a look at how this Interface Identifier is derived. There are several ways you can set your interface identifier. You could let DHCPv6 do the work for you, you could set the addresses manually or you could as well choose the way discussed above in the chapter about privacy extensions, where the Interface ID is computed using the MAC address and a randomly chosen number. If you wish to remember some computers’ IP addresses easily you might go for the manual setting of the Interface Identifier. In my network the global addresses have been planned manually and set via DHCPv6. For site-local and link-local addresses on the other hand I chose the autoconfigured Interface Identifier to be appended to the prefix.
In those cases the Interface Identifier is set automatically to the Extended Unique Identifier (EUI)-64 address defined by IEEE. The EUI-64 is a new type of MAC address outdating the old IEEE 802 format, which was made up of the company ID (24 bit) and an extension or device ID (24 bit) making each network adapter unique. In the new IEEE EUI-64 addresses the company ID part stays 24 bits long but the extension ID is extended to 40 bit. But let’s take a closer look at how an EUI-64 address is derived.

Figure 4.2: How to derive the IPv6 interface identifier from the IEEE 802 address [6]

Let’s start in the first line with the IEEE 802 address, or simply the MAC address as we know it. The shaded part is the 24 bit company ID and the white part is the 24 bit extension ID that is distributed within the company. The two bits within the company ID written “00” instead of the c’s are the Universal/Local (U/L) and the Individual/Group (I/G) bits. When Individual/Group is set to 0 the address is unicast, otherwise multicast is denoted. More important for our needs is the Universal/Local bit, for it defines if the address is universally administered (“0”) or locally (“1”).
In order to get to the next step, the creation of an EUI-64 address, 16 bits have to be added between company and extension ID. Here we find a little inconsistency with the specification made by IEEE. Usually you create an EUI-64 address out of an IEEE 802 (also called MAC-48) address by appending FF-FF to the company ID, but in order to derive the Interface ID used by IPv6 you have to append FF-FE or 11111111 11111110 instead. The last step in the creation of the Interface Identifier used by IPv6 is to complement the Universal/Local bit in the company ID (seventh bit in the first byte), i.e. changing it from zero to one or vice-versa.
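The derivation in Figure 4.2, as an added example (not the thesis’s own code): MAC-48 to the modified EUI-64 interface identifier with the FF-FE insertion and the complemented U/L bit, attached to a /64 prefix, plus the reverse mapping that tells whether an address exposes a MAC address at all. The function names are mine and 00:1c:42:ab:cd:ef is a constructed sample MAC address.

```python
"""Added example (not from the thesis): IEEE 802 address to IPv6 interface ID."""
import ipaddress
import re

UL_BIT = 0x02   # Universal/Local bit in the first byte of a MAC address
IG_BIT = 0x01   # Individual/Group bit in the first byte of a MAC address
LINK_LOCAL = "fe80::/64"


def _mac_bytes(mac):
    octets = re.split(r"[:\-]", mac.strip().lower())
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9a-f]{2}", o) for o in octets):
        raise ValueError("expected a MAC address like 00:1c:42:ab:cd:ef")
    return bytes(int(o, 16) for o in octets)


def interface_id_from_mac(mac):
    """Return the 64-bit modified EUI-64 interface identifier as an int."""
    octets = _mac_bytes(mac)
    if octets[0] & IG_BIT:
        raise ValueError("a group (multicast) MAC address has no interface ID")
    # IEEE would insert ff:ff for a plain EUI-64; IPv6 inserts ff:fe instead,
    # between the 24-bit company ID and the 24-bit extension ID.
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    # Complement the U/L bit: a universally administered MAC (bit = 0)
    # gets a 1 in the interface identifier, and vice versa.
    return int.from_bytes(bytes([eui64[0] ^ UL_BIT]) + eui64[1:], "big")


def address_from_mac(prefix, mac):
    """Append the autoconfigured interface ID to a /64 prefix such as
    'fe80::/64' (link-local), 'fec0::/64' (site-local) or a global one."""
    network = ipaddress.IPv6Network(prefix, strict=False)
    if network.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(int(network.network_address) | interface_id_from_mac(mac))


def mac_from_address(address):
    """Recover the MAC address from an EUI-64 based address, or return None
    when the interface ID was set manually or by the privacy extensions
    (no ff:fe marker), i.e. when nothing about the hardware can be read off it."""
    iid = int(ipaddress.IPv6Address(address)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ UL_BIT]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % b for b in octets)


if __name__ == "__main__":
    sample_mac = "00:1c:42:ab:cd:ef"    # constructed sample value
    print("interface ID: %016x" % interface_id_from_mac(sample_mac))
    print("link-local:   %s" % address_from_mac(LINK_LOCAL, sample_mac))
    print("site-local:   %s" % address_from_mac("fec0::/64", sample_mac))
    print("MAC again:    %s" % mac_from_address(address_from_mac(LINK_LOCAL, sample_mac)))
```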

4.1.2 Multicast IPv6 addresses

With IPv6 the “bulk” addressing methods have changed and the good old broadcast has been outdated. Instead the use of multicast has been extended. Each multicast address starts with the first 8 bits set to 1, thus an address starting with FF is always a multicast address. The structure of the multicast address is as follows:

Figure 4.3: structure of an IPv6 multicast address [7]

The only flag defined in the “Flags” section is the Transient flag (T). When
set to 0 it indicates that the address is permanently assigned, when set to 1
it is a transient (non-permanent) address. The Scope ID indicates the scope
of the IPv6 network for which the multicast traffic is intended.

Figure 4.4: Scope ID values [7]

The Group ID identifies the multicast group and is unique within the
scope. The following addresses are defined:

FF01::1 node-local scope all-nodes multicast address
FF02::1 link-local scope all-nodes multicast address
FF01::2 node-local scope all-routers multicast address
FF02::2 link-local scope all-routers multicast address
FF05::2 site-local scope all-routers multicast address

Solicited-node multicast address

In addition to the multicast addresses each unicast address also has a special multicast address called its solicited-node address, created through a special mapping of the unicast address. These addresses are used by the Neighbor Discovery protocol to provide efficient address resolution. Instead of using a link-local all-nodes multicast message to resolve the link-layer address of a host, the corresponding solicited-node multicast address of the host of interest is used. Since a host not only listens on its unicast address but also on its solicited-node multicast address, it replies with a unicast neighbor advertisement message. Therefore no other nodes on the network are disturbed.

Figure 4.5: How a solicited-node multicast address is derived [7]

FF02 is the prefix for link-local multicast traffic. To the address part “FF02:0:0:0:0:1:FF” simply the last 24 bit of the unicast address the solicited-node address is calculated from are appended.

4.1.3 Anycast IPv6 addresses

Anycast addresses are new to the IP protocol and are based on RFC 1546. Anycasting is a conceptual cross between unicast and multicast addressing and is intended to send messages to any host of a group instead of sending to one host (unicast) or every host (multicast). Distinguishing which member of the group receives the message is done in routing terms. This technique enables possibilities not implemented with IPv4 and is intended for the use with several servers or routers running a service when you don’t really care which of those provides it. This can also be used for load sharing and is helpful if one of your routers goes out of service.
Instead of having an addressing scheme, anycast addresses are simply displayed as unicast and are identified automatically the moment a unicast address is assigned to more than one interface. Anycast addresses that are set across a huge network are hard to implement because of the routing entries that have to be made. Nowadays, due to the inexperience of the Internet Community, anycast is only used by routers but not by hosts.

4.1.4 Addresses set on an IPv6 enabled host

On a host with IPv6 enabled there are, in contrast to IPv4 where you only had one address assigned to an interface, several addresses configured.
• a link-local address derived automatically
• the loopback address ::1 derived automatically
• an optional site-local address defined manually or by using radvd
• one or more optional global addresses defined either manually or by using radvd or DHCP
In addition to these addresses an IPv6 node listens to the following addresses:
• FF01::1 - node-local scope all-nodes multicast address
• FF02::1 - link-local scope all-nodes multicast address
• solicited-node addresses for each unicast address set
• multicast addresses of joined groups
In the list above I left out the special transition techniques set automatically when using Windows (e.g. ISATAP, TEREDO, ...).
In contrast to a host, routers may have joined anycast groups on which they have to listen as well, and they are configured with more multicast addresses (FF01::2, FF02::2 and FF05::2) for all-routers multicasts.
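The solicited-node mapping from 4.1.2 and the address list from 4.1.4, as an added example (not the thesis’s own code) that computes everything a node has to accept packets for, which is also the set a host firewall or a switch’s multicast filter has to allow. The sample addresses are constructed and the function names are mine.

```python
"""Added example (not from the thesis): solicited-node addresses and the
full listening set of an IPv6 node."""
import ipaddress

# ff02::1:ff00:0/104, the last 24 bits are taken from the unicast address
SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
LOW24 = 0xffffff
LOOPBACK = "::1"
ALL_NODES = ("ff01::1", "ff02::1")                # node-local, link-local scope
ALL_ROUTERS = ("ff01::2", "ff02::2", "ff05::2")   # node-, link-, site-local scope


def solicited_node(unicast):
    """FF02:0:0:0:0:1:FF followed by the last 24 bits of the unicast address."""
    value = int(ipaddress.IPv6Address(str(unicast)))
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | (value & LOW24))


def share_solicited_node_group(first, second):
    """True when two unicast addresses map to the same solicited-node group,
    so a Neighbor Solicitation for one is also delivered to the other."""
    return solicited_node(first) == solicited_node(second)


def listening_addresses(unicasts, is_router=False, joined_groups=()):
    """Every address a node must accept packets for, sorted, as strings:
    loopback, its unicast addresses, one solicited-node address per unicast
    address, the all-nodes groups, the all-routers groups for a router,
    and any multicast groups it joined."""
    addresses = {ipaddress.IPv6Address(LOOPBACK)}
    for unicast in unicasts:
        address = ipaddress.IPv6Address(unicast)
        addresses.add(address)
        addresses.add(solicited_node(address))
    addresses.update(ipaddress.IPv6Address(a) for a in ALL_NODES)
    if is_router:
        addresses.update(ipaddress.IPv6Address(a) for a in ALL_ROUTERS)
    addresses.update(ipaddress.IPv6Address(g) for g in joined_groups)
    return [str(a) for a in sorted(addresses)]


if __name__ == "__main__":
    # constructed sample: a link-local and a global address on one host
    sample = ["fe80::21c:42ff:feab:cdef", "2001:db8::1"]
    for line in listening_addresses(sample):
        print(line)
```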

4.1.5 Address Autoconfiguration Process

As mentioned before, one of the biggest advantages of IPv6 is the ability to configure itself. By default a host can configure a link-local address automatically, and when using router discovery additional parameters, default routes and multiple addresses can also be derived. There are two types of autoconfiguration: stateful and stateless. Stateful address autoconfiguration relies on a stateful autoconfiguration protocol such as DHCPv6. In contrast to stateful configuration, the stateless configuration receives the address via Router Advertisements with the Managed Address Configuration and Other Stateful Configuration flags set to zero.
Below you can see the detailed autoconfiguration process, starting with the derivation of the link-local address and the verification of its uniqueness. This is done by sending a Neighbor Solicitation with the target address of the tentative link-local address (FE80::/64 and the EUI-64). Tentative means that the address is in the process of being verified as unique. In this state the host can not receive unicast messages targeted to this address but is still able to listen to multicast Neighbor Advertisement messages sent in response to the Neighbor Solicitation. If no Neighbor Advertisement is received the link-local address is initialized and set valid.
The next step is to send a Router Solicitation, and if a Router Advertisement is received the options provided are received. If no prefix information is supplied and Managed Address Configuration and Other Stateful Configuration are set to 1, stateful address configuration is used and the autoconfiguration process is stopped. If prefix information is supplied, stateless addresses are derived, and if no Neighbor Advertisement response is received the new address is initialized.

Figure 4.6: Address autoconfiguration [1] (Picture 8-2)

Figure 4.7: Address autoconfiguration [1] (Picture 8-3)

Figure 4.8: Lifetime of an autoconfigured address [8]

A node can only receive traffic on an address when its state is preferred or deprecated; a tentative or an invalid address can not be used as the destination of traffic. You can find out more about autoconfiguration of interfaces in RFC 2462.
Note: I left out special technologies used by default by Microsoft in the configuration process (e.g. ISATAP, Teredo, ...)

4.1.6 DHCPv6 [9]

Instead of using stateless autoconfiguration, as discussed above, you can also use stateful autoconfiguration in order to obtain parameters and/or IP addresses. One prominent way of stateful autoconfiguration is DHCP, which has also been updated for the use with IPv6. The operations used by DHCPv6 are pretty much the same as with DHCPv4, but the underlying protocol has been rewritten (DHCPv6 is not based on the old DHCP or on BOOTP). It still uses UDP but has new port numbers, a new message format and restructured options. Link-local based communication is enabled for DHCPv6, making stateful autoconfiguration possible before an IP address has been derived. The destination address set by the client hereby is a reserved, link-scoped multicast address. There are two different sets of messages exchanged when retrieving information.
If only parameter information (e.g. the DNS server address) has to be exchanged and the host doesn’t need an IP address to be assigned by DHCPv6, the client-server exchange involves two messages. The client sends an Information-Request message to the All_DHCP_Relay_Agents_and_Servers multicast address and immediately receives a Reply from the server.
In order to request the assignment of an IP address and parameter information, first a DHCPv6 server is located and then the client sends a Solicit message to the All_DHCP_Relay_Agents_and_Servers multicast address. A server meeting the requirements responds with an Advertise message. Then the client can choose which server to use and sends a Request message asking for confirmation of the address and other configuration information. The last step is the server answering with a Reply message containing the confirmed address and configuration.
After an address has been used for a specific time the address has to be renewed, which is done by the client sending a Renew message to the server, which in turn answers with a Reply containing the new lifetime value.

4.2 IPv6 Header

Now that we have learned which addresses are configured on a host running IPv6, it is also important to find out what has changed in the IP header. Because I do not want to write another essay about header formats, I will try to keep this section as short as possible.

Because of the longer addresses used by IPv6, the structure of the header had to be redesigned in order to allow efficient processing and to clear out the unnecessary and unused fields we had in IPv4. An IPv4 header has a length between 20 and 60 bytes, which is quite long considering the very short address. An IPv6 packet is made up of a fixed 40-byte IPv6 header, one or more extension headers if needed, and the data.
The Version field indicates the version of the IP protocol used. The Traffic Class field replaces the Type Of Service field from IPv4 and uses the Differentiated Services (DS) method defined in RFC 2474. The next field, the Flow Label, provides additional support for Quality of Service features and indicates whether a packet belongs to a specific sequence of packets requiring special handling (e.g. video streaming). The Payload Length replaces the Total Length field from IPv4 and counts everything after the fixed header, i.e. the extension headers if present and the upper-layer PDU. The Next Header field replaces the Protocol field and either identifies the first extension header or, if there is none, the protocol of the upper-layer PDU (e.g. TCP, UDP, ICMPv6). The Hop Limit corresponds to the TTL field and indicates the maximum number of links a packet is allowed to traverse. Last but not least, the 128-bit source and destination addresses follow.

Figure 4.9: IPv6 Header [10]
The Next Header field is said to be the most important innovation in the IP header, for it allows headers to be used in a modular way when needed. The Next Header field in the IPv6 header indicates whether an extension header follows, and in turn each extension header has a Next Header field of its own pointing to the next extension header if present. If no further extension header is appended, the Next Header field simply identifies the protocol of the upper-layer PDU. The following extension headers are available (in the order in which they are supposed to appear; the Next Header value identifying each extension header is given in brackets):

• Hop-by-Hop Options Header (0) - carries options that are intended to be examined by every node along the path, routers included (RFC 2460)
• Destination Options Header (60) (first occurrence, preceding a Routing header) - carries options that are intended to be examined only by the destination(s) listed in the Routing header (RFC 2460)
• Routing Header (43) - allows the source node to list intermediate nodes the datagram has to visit on its way to the destination (RFC 2460)
• Fragment Header (44) - present if the datagram carries only a fragment of the original packet; unlike IPv4, only the source node fragments, never a router (RFC 2460)
• Authentication Header, AH (51) - carries the information needed to verify the integrity and origin of a packet (RFC 2402)
• Encapsulating Security Payload Header, ESP (50) - carries the encrypted payload and the information needed to decrypt and authenticate it (RFC 2406)
• Destination Options Header (60) - for the final destination only

Figure 4.10: IPv6 datagram without and with extension headers [11]

The first datagram consists only of the IPv6 header with its Next Header field set to 6, indicating TCP traffic. The second datagram has the Next Header field of the IPv6 header set to 0, which identifies the Hop-by-Hop Options header. Within the Hop-by-Hop Options header the succeeding extension header, in this case the Fragment header, is announced by setting its Next Header field to 44. In the last extension header the Next Header field is set to 6, referring to TCP again.
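As an added example (not part of the thesis), the following Python code walks the Next Header chain of an IPv6 packet the way a firewall or packet filter has to before it can look at TCP or UDP ports. The sample packet is constructed inline and mirrors the second datagram of Figure 4.10 (Hop-by-Hop Options, Fragment header, TCP); the header length rules follow RFC 2460 and the AH length rule follows RFC 2402, and the addresses and ports are made up. Two cases a practitioner has to handle are covered: an ESP header hides everything after it, and a non-first fragment carries no upper-layer header at all, so in both cases no port can be determined.

```python
import ipaddress
import struct

IPV6_HEADER_LEN = 40
# Next Header values from the list above, plus the upper-layer protocols used here.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
TCP, UDP, ICMPV6, NO_NEXT_HEADER = 6, 17, 58, 59
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS}


def walk_headers(packet):
    """Follow the Next Header chain of an IPv6 packet.

    Returns (chain, offset, upper_proto): chain is every Next Header value seen,
    starting with the one in the fixed header; offset is where the upper-layer
    PDU starts; upper_proto is its protocol number, or None if the chain cannot
    be followed to an upper-layer header (ESP, or a non-first fragment).
    """
    if len(packet) < IPV6_HEADER_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_header = struct.unpack_from("!HB", packet, 4)
    if IPV6_HEADER_LEN + payload_len > len(packet):
        raise ValueError("Payload Length exceeds the captured bytes")
    chain, offset = [next_header], IPV6_HEADER_LEN
    while next_header in EXTENSION_HEADERS:
        if next_header == ESP:
            # ESP keeps its Next Header field in the encrypted trailer: stop here.
            return chain, offset, None
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        nh = packet[offset]
        chain.append(nh)
        if next_header == FRAGMENT:
            hdr_len = 8
            frag_off_flags = struct.unpack_from("!H", packet, offset + 2)[0]
            if frag_off_flags >> 3:
                # Fragment Offset != 0: the upper-layer header was in the first fragment.
                return chain, offset + hdr_len, None
        elif next_header == AH:
            hdr_len = (packet[offset + 1] + 2) * 4   # AH length is in 4-byte units minus 2
        else:
            hdr_len = (packet[offset + 1] + 1) * 8   # Hdr Ext Len in 8-byte units, first 8 excluded
        offset += hdr_len
        next_header = nh
    if offset > len(packet):
        raise ValueError("extension header runs past the end of the packet")
    return chain, offset, next_header


def build_sample_packet(fragment_offset=0):
    """Constructed test packet: IPv6 | Hop-by-Hop | Fragment | TCP SYN to port 80."""
    src = ipaddress.IPv6Address("2001:db8:1::10").packed
    dst = ipaddress.IPv6Address("2001:db8:2::80").packed
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    # Fragment header: next=TCP, reserved, offset(13)|res(2)|M(1), identification
    fragment = struct.pack("!BBHI", TCP, 0, (fragment_offset << 3) | 1, 0x1234)
    # Hop-by-Hop: next=Fragment, Hdr Ext Len=0 (8 bytes in total), one 4-byte PadN option
    hop_by_hop = bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])
    payload = hop_by_hop + fragment + tcp
    header = struct.pack("!IHBB", 6 << 28, len(payload), HOP_BY_HOP, 64) + src + dst
    return header + payload


def destination_port(packet):
    """Port a filter would match on, or None when it cannot be determined."""
    _, offset, proto = walk_headers(packet)
    if proto in (TCP, UDP) and offset + 4 <= len(packet):
        return struct.unpack_from("!H", packet, offset + 2)[0]
    return None


if __name__ == "__main__":
    print(walk_headers(build_sample_packet()), destination_port(build_sample_packet()))
    print(walk_headers(build_sample_packet(fragment_offset=1)))
```

A filter that only looks at the fixed header would see Next Header 0 and learn nothing about the port; a filter that stops at the first Fragment header cannot tell a first fragment from a later one. Both have to walk the chain as above and decide explicitly what to do when upper_proto comes back as None.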
The minimum MTU required by IPv6 is 1280 bytes; links that cannot carry packets of that size have to provide link-specific fragmentation and reassembly below IPv6, transparent to it. If a link has a configurable MTU size it is recommended to set it to at least 1500 bytes. IPv6 also provides a Path MTU Discovery process in order to find out the PMTU (Path Maximum Transmission Unit), which is the smallest link MTU on a specific path. The sending node starts by assuming that the PMTU equals the link MTU of the interface the packet is sent on and simply tests this by sending a packet of that size. If a router on the way to the destination is not able to forward the packet onto the next link, it responds with an ICMPv6 Packet Too Big message containing the MTU of that link. The sending node then lowers its PMTU estimate to the received value and retransmits the packet. Because routers never fragment in IPv6, this only works if Packet Too Big messages are not filtered on the way back to the sender.
TCP and UDP implementations for IPv4 include a pseudo-header in their checksum computation. This pseudo-header contains the source and destination addresses and therefore has to be modified for IPv6 (the 32-bit addresses are replaced by the 128-bit ones). The new pseudo-header must be used by TCP, UDP and ICMPv6 (ICMPv6, unlike ICMPv4, covers the pseudo-header as well, so every ICMPv6 message is bound to its source and destination addresses) and contains, besides the two addresses, a 32-bit field holding the upper-layer packet length and a Next Header field identifying the upper-layer protocol for which the checksum has been calculated.

Note: Any transport or other upper-layer protocol that includes the source and destination addresses from the IP header in its checksum computation must be modified for use with IPv6 in order to include the 128-bit addresses. Therefore the so-called pseudo-header has to be modified. (RFC 2460)

4.3 ICMPv6

Since IP itself is designed to provide only the basic functionality of transmitting packets, it has no mechanism of its own to report errors. This task is handled by the Internet Control Message Protocol version 6 (ICMPv6), which is pretty similar to the ICMPv4 used with IPv4. Besides reporting delivery and forwarding errors and providing an echo service, ICMPv6 has been enhanced by Neighbor Discovery (used for node-to-node communication; see next section) and Multicast Listener Discovery (a protocol similar to IGMP, the Internet Group Management Protocol). Multicast Listener Discovery (MLD) is a set of three messages exchanged by routers and hosts by which routers can discover the list of multicast addresses for which there is at least one listener on a link (RFC 2710). MLD will be described in more detail later in this chapter.

An ICMPv6 header is composed of a Type field, a Code field further specifying the type of message, the checksum and the message body. ICMPv6 messages can be divided into two big groups: ICMPv6 Error messages (types 0 to 127) and ICMPv6 Informational messages (types 128 to 255).

4.3.1 ICMPv6 Error messages

Note: ICMPv6 Error messages are not sent for every error encountered but have to satisfy a rate limit, which can be based on a timer or on a percentage of the link bandwidth.

4.3.1.1 Destination Unreachable (ICMPv6 Type 1)

A Destination Unreachable message is sent when a packet cannot be delivered to the destination node or to an upper-layer protocol; it has 1 in the Type field of its ICMPv6 header. The Code field takes one of the following values:

Code 0 - No Route to Destination: no route matching the destination was found in the routing table
Code 1 - Communication with Destination Administratively Prohibited: communication is prohibited by administrative policy; typically the packet was discarded by a firewall
Code 3 - Address Unreachable: usually sent when the link-layer address of the destination could not be resolved
Code 4 - Port Unreachable: typically sent when an IPv6 packet containing UDP arrived at a host with no listener on the given port

Note: Code 2 is unassigned according to RFC 2463. The book "Understanding IPv6" [1] nevertheless defines code 2 as: Beyond scope of source address - sent when a packet would have to be forwarded out of an interface that is not in the scope zone of the source address (although it also references RFC 2463)!! RFC 4443, which has since obsoleted RFC 2463, assigns exactly this meaning to code 2.

4.3.1.2 Packet Too Big (ICMPv6 Type 2)

In the header of a Packet Too Big message the Type is set to 2 and the Code to 0; following the checksum there is an additional 32-bit field called MTU holding the MTU of the next-hop link of the router that could not forward the packet. The use of this message is discussed in the Path MTU Discovery part of the "IPv6 Header" section of this chapter.

4.3.1.3 Time Exceeded (ICMPv6 Type 3)

The Time Exceeded message is usually sent when the Hop Limit field reaches zero after being decremented during forwarding. The Type is set to 3 and the Code is either 0 - Hop Limit Exceeded in Transit, or 1 - Fragment Reassembly Time Exceeded, indicating that the reassembly timer expired at the destination host before all fragments arrived.

4.3.1.4 Parameter Problem (ICMPv6 Type 4)

A Parameter Problem message is sent when there is an error either in the IPv6 header or in one of the extension headers that prevents IPv6 from processing the packet any further. The message header is extended as well: a 32-bit Pointer field follows the checksum and holds the offset of the byte in the offending packet where the error was detected. The Type field is set to 4 and the Code can take the following values:

Code 0 - Erroneous Header Field Encountered: an error in a field of one of the headers
Code 1 - Unrecognized Next Header Type Encountered: an unknown Next Header value
Code 2 - Unrecognized IPv6 Option Encountered: an IPv6 option that is not understood and whose option type requires the packet to be rejected

4.3.2 ICMPv6 Informational messages

Informational ICMPv6 messages comprise the all-star troubleshooting commands: Echo Request and Echo Reply. An Echo Request is sent in order to solicit an Echo Reply; this simple technique verifies basic connectivity between two nodes. The Type field of an Echo Request is set to 128 and that of an Echo Reply to 129; in both cases the Code field is set to zero. In addition to the usual structure of an ICMPv6 message, both Echo Request and Echo Reply carry two fields, Identifier and Sequence Number, after the checksum, so that a host can match incoming Replies to the Requests it sent. Both fields are chosen by the sender and are copied unchanged into the Reply.
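The following Python code is an added example (not taken from the thesis) that puts the pseudo-header of section 4.2 and the Echo messages described here together: it computes the ICMPv6 checksum over the IPv6 pseudo-header, builds an Echo Request, derives the matching Echo Reply and verifies a received message. The addresses and the Identifier and Sequence Number values are made up. The verification function also shows the consequence of the pseudo-header that matters in practice: the same ICMPv6 bytes fail verification as soon as either address is changed, which is why any device that rewrites IPv6 addresses has to recompute the transport checksums.

```python
import ipaddress
import struct

ICMPV6 = 58                      # Next Header value of ICMPv6
ECHO_REQUEST, ECHO_REPLY = 128, 129


def ones_complement_sum(data):
    """16-bit one's complement sum used by the Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src, dst, next_header, upper_len):
    """IPv6 pseudo-header of RFC 2460 section 8.1:
    source (16) | destination (16) | upper-layer length (4) | zero (3) | next header (1)."""
    return (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + struct.pack("!I3xB", upper_len, next_header))


def upper_layer_checksum(src, dst, next_header, message):
    """Checksum as TCP, UDP and ICMPv6 compute it: over the pseudo-header plus the
    message, with the message's own checksum field zeroed."""
    covered = pseudo_header(src, dst, next_header, len(message)) + message
    return (~ones_complement_sum(covered)) & 0xFFFF


def build_echo(src, dst, identifier, sequence, payload=b"", reply=False):
    """Echo Request (type 128) or Echo Reply (type 129), code 0, checksum filled in."""
    msg_type = ECHO_REPLY if reply else ECHO_REQUEST
    unchecked = struct.pack("!BBHHH", msg_type, 0, 0, identifier, sequence) + payload
    csum = upper_layer_checksum(src, dst, ICMPV6, unchecked)
    return unchecked[:2] + struct.pack("!H", csum) + unchecked[4:]


def verify_icmpv6(src, dst, message):
    """True if the checksum carried in the message is valid for these addresses."""
    total = ones_complement_sum(pseudo_header(src, dst, ICMPV6, len(message)) + message)
    return (~total) & 0xFFFF == 0


def answer_echo(src, dst, request):
    """Build the Echo Reply the destination host sends back: type 129, Identifier,
    Sequence Number and payload copied unchanged, addresses swapped."""
    msg_type, code, _, identifier, sequence = struct.unpack_from("!BBHHH", request)
    if msg_type != ECHO_REQUEST or code != 0:
        return None
    return build_echo(dst, src, identifier, sequence, request[8:], reply=True)


if __name__ == "__main__":
    src, dst = "2001:db8:1::10", "2001:db8:2::80"
    req = build_echo(src, dst, 0x1234, 1, b"ping")
    print(req.hex(), verify_icmpv6(src, dst, req), verify_icmpv6(src, "2001:db8:2::81", req))
```

The same upper_layer_checksum function serves TCP and UDP by passing their Next Header values (6 and 17) instead of 58; only the zeroing of the checksum field sits at a different offset in those headers.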

4.3.3 Multicast Listener Discovery [12]

One special kind of ICMPv6 messages are those subsumed under "Multicast Listener Discovery" or MLD. They are used by routers in order to discover listeners for multicast groups; each router keeps track of the multicast groups that currently have listeners on each of its interfaces.

MLD is a sub-protocol of ICMPv6 and is therefore carried with the Next Header value 58. All MLD messages are sent with a link-local source address, a Hop Limit of 1 and an IPv6 Router Alert option in the Hop-by-Hop Options header (which causes routers to examine MLD messages sent to multicast addresses in which the routers themselves have no interest). The header of an MLD message consists of the Type, Code and Checksum fields, as with any ICMPv6 message, and the additional fields Maximum Response Delay, Reserved and Multicast Address. The three different types of messages are:

4.3.3.1 Multicast Listener Query (ICMPv6 Type 130)

This message is used in order to find out details about multicast group
membership on this link. There are two types of Multicast Listener
Queries which can be distinguished by the Destination Address set in the
IPv6 header and the Multicast Address set in the Multicast Listener Query
message. The first one is the “General query” sent unsolicited and period-
ically with a Destination Address set to the link-local all-nodes multicast
address (FF02::1) and the Multicast Address set to the unspecified address
(::). The other type of Multicast Listener Query is the multicast-address-specific query, which asks all hosts on the link belonging to a specific multicast group to report. This time both the Destination Address and the Multicast Address field are set to the specific multicast address being queried. The Maximum Response Delay is the time within which a multicast group member must report its membership.

4.3.3.2 Multicast Listener Report (ICMPv6 Type 131)

This message is used by a node on a link either to respond to a Multicast Listener Query or to report its interest in receiving multicast traffic at a specific multicast address. The Destination Address and Multicast Address fields are both set to the multicast address being reported.

4.3.3.3 Multicast Listener Done (ICMPv6 Type 132)

The Multicast Listener Done message is used to inform the routers that there might be no more listeners for a specific multicast address on the link, because the sending node announces with this message that it is leaving the multicast group. It is sent when the group member that responded to the last Multicast Listener Query leaves the group. Because this host might not really be the last member on the link (routers, as mentioned above, only track whether a group has listeners, not how many), a local router immediately sends a multicast-address-specific query for the group in order to find out whether any members are still listening on the link. The Destination Address of a Multicast Listener Done message is set to the link-local scope all-routers multicast address (FF02::2) and the Multicast Address field to the multicast address of the group for which there might be no more listeners on the link.

Please see RFC 2710 for more details on Multicast Listener Discovery.

4.4 Neighbor Discovery [23]

The Neighbor Discovery protocol, or ND for short, is one of the biggest innovations of IPv6, for it replaces ARP, ICMP Router Discovery and the ICMP Redirect message and in addition provides techniques IPv4 was not capable of. It is used by nodes to determine the link-layer addresses of neighbors on the same link and to notice changes of them, to find routers willing to forward their traffic and to keep track of which neighbors are reachable.

4.4.1 Neighbor Discovery messages

Neighbor Discovery messages use the structure of an ICMP message and append a Neighbor Discovery message header and zero or more Neighbor Discovery options to it. There are several types of Neighbor Discovery options, all in type-length-value (TLV) format, i.e. each option starts with a Type field and a Length field (in units of 8 bytes, covering the Type and Length fields themselves) followed by the value:
• Source Link-Layer Address (Type 1) - indicates the link-layer address of the ND message sender; it is not included if the source IPv6 address is the unspecified address. Value = link-layer address
• Target Link-Layer Address (Type 2) - indicates the link-layer address of the neighboring node to which packets should be directed. Value = link-layer address
• Prefix Information (Type 3) - indicates address prefixes and information about address autoconfiguration. There can be several Prefix Information options announcing multiple prefixes. The structure of this option is more complicated and comprises several fields: Prefix Length, On-link flag (indicating that addresses under this prefix are reachable directly on the link the message was received on), Autonomous flag (indicating that the prefix can be used for stateless address autoconfiguration), Router Address flag (for mobile nodes, to discover the global address of the router), Site Prefix flag (indicates that the site prefix received can be used to update the host-based site prefix table), Reserved1, Valid Lifetime (in seconds), Preferred Lifetime (in seconds), Reserved2, Site Prefix Length and Prefix.
• Redirected Header (Type 4) - contains the IPv6 packet that caused the router to send a Redirect message. It can contain the whole packet or only as much of it as fits.
• MTU (Type 5) - used in Router Advertisements in order to announce the MTU of a link where it cannot be determined otherwise.
• Advertisement Interval (Type 6) - specifies the maximum time in milliseconds between consecutive unsolicited Router Advertisements
• Home Agent Information (Type 7) - sent by a home agent to announce its configuration
• Route Information (Type 8) - specifies routes for individual hosts. It again consists of several interesting fields like Prefix Length, Preference (of the route), Route Lifetime (in seconds) and the Prefix.

To ensure that ND messages originated from a node on the link, the Hop Limit is set to 255 and messages arriving with a smaller Hop Limit are discarded: a router decrements the Hop Limit when forwarding, so a message that still carries 255 cannot have been forwarded by any router. The following ND message types exist:

4.4.1.1 Router Solicitation (ICMPv6 Type 133)

The Router Solicitation message is sent by a host, e.g. when its interface comes up, in order to get a solicited Router Advertisement immediately instead of waiting for the next unsolicited one. The Source Address field is set either to the link-local address or to the unspecified address (::), the destination address is the link-local all-routers multicast address (FF02::2), and the Hop Limit is 255.

4.4.1.2 Router Advertisement (ICMPv6 Type 134)

Router Advertisements are sent either pseudo-periodically or on receipt of a Router Solicitation. The Destination Address field is set either to the link-local scope all-nodes multicast address (FF02::1) or to the unicast address of the host that sent the Router Solicitation. The fields within a Router Advertisement are:
• Type - 134
• Code - 0
• Checksum
• Current Hop Limit - the default Hop Limit to be used for packets sent by nodes that received this Router Advertisement
• Managed Address Configuration flag (M) - if set, the receiving host must use a stateful address configuration protocol (e.g. DHCPv6) to obtain additional addresses
• Other Stateful Configuration flag (O) - if set, the receiving host must use a stateful configuration protocol (e.g. DHCPv6) to obtain non-address configuration information
• Home Agent flag - if set, the advertising router is also a home agent
• Default Router Preference - indicates how much this router should be preferred as default router. Because there can be multiple routers on a link, each can advertise a different preference level. Valid values are 01 (High), 00 (Medium) and 11 (Low). This technique is useful for fault tolerance.
• Reserved
• Router Lifetime - defines how long (in seconds) the router may be used as a default router. 0 indicates that it is not a default router.
• Reachable Time - defines how long a node may consider a neighbor reachable after receiving a reachability confirmation
• Retransmission Timer - the time between retransmissions of Neighbor Solicitation messages during address resolution and neighbor unreachability detection
• Source Link-Layer Address option - if present, contains the link-layer address of the interface on which the Router Advertisement was sent
• MTU option - if present, contains the MTU of the link
• Prefix Information options - contain the on-link and autoconfiguration prefixes when present
• Advertisement Interval option - when present, contains the interval between unsolicited Router Advertisement messages
• Home Agent Information option - when present, contains information on the home agent
• Route Information options - when present, contain routes to add to the routing table of the host
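The list above is what a host extracts from every Router Advertisement it hears on the link, whether the sender is the legitimate router or not, so it is also what a monitoring tool or a filter has to decode. The following Python code is an added example, not part of the thesis: it parses a Router Advertisement into the fields listed above and decodes the Source Link-Layer Address, Prefix Information and MTU options, rejecting a malformed option (Length 0) instead of looping on it. The sample message is constructed inline with made-up values (prefix 2001:db8:1::/64, MAC 00:11:22:33:44:55); its checksum is left at zero because only field decoding is shown.

```python
import ipaddress
import struct

ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LLADDR, OPT_PREFIX_INFO, OPT_MTU = 1, 3, 5
DEFAULT_ROUTER_PREFERENCE = {1: "High", 0: "Medium", 3: "Low"}   # value 2 is reserved


def parse_nd_options(data):
    """Split ND options (type, length in 8-byte units, value) into (type, value) pairs."""
    options, offset = [], 0
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated ND option")
        opt_type, opt_len = data[offset], data[offset + 1]
        if opt_len == 0:
            raise ValueError("ND option with length 0")   # would never advance
        end = offset + opt_len * 8
        if end > len(data):
            raise ValueError("ND option runs past the end of the message")
        options.append((opt_type, data[offset + 2:end]))
        offset = end
    return options


def decode_option(opt_type, value):
    if opt_type == OPT_SOURCE_LLADDR:
        return {"option": "source_lladdr", "mac": ":".join("%02x" % b for b in value[:6])}
    if opt_type == OPT_PREFIX_INFO:
        # prefix length (1) | L A R flags (1) | valid (4) | preferred (4) | reserved (4) | prefix (16)
        plen, flags, valid, preferred = struct.unpack_from("!BBII", value)
        prefix = ipaddress.IPv6Address(value[14:30])
        return {"option": "prefix_info", "prefix": "%s/%d" % (prefix, plen),
                "on_link": bool(flags & 0x80), "autonomous": bool(flags & 0x40),
                "router_address": bool(flags & 0x20),
                "valid_lifetime": valid, "preferred_lifetime": preferred}
    if opt_type == OPT_MTU:
        return {"option": "mtu", "mtu": struct.unpack_from("!2xI", value)[0]}
    return {"option": "unknown", "type": opt_type, "raw": value}


def parse_router_advertisement(message):
    """Decode the fixed RA fields listed above and the options that follow them."""
    (msg_type, code, checksum, hop_limit, flags,
     router_lifetime, reachable, retrans) = struct.unpack_from("!BBHBBHII", message)
    if msg_type != ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    return {
        "cur_hop_limit": hop_limit,
        "managed": bool(flags & 0x80),            # M flag
        "other": bool(flags & 0x40),              # O flag
        "home_agent": bool(flags & 0x20),         # H flag
        "preference": DEFAULT_ROUTER_PREFERENCE.get((flags >> 3) & 0x3, "Reserved"),
        "router_lifetime": router_lifetime,       # seconds, 0 = not a default router
        "reachable_time": reachable,              # milliseconds
        "retrans_timer": retrans,                 # milliseconds
        "options": [decode_option(t, v) for t, v in parse_nd_options(message[16:])],
    }


def build_sample_ra():
    """Constructed RA: O flag set, high preference, lifetime 1800 s, three options."""
    header = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, 0x40 | 0x08, 1800, 0, 0)
    lladdr = bytes([OPT_SOURCE_LLADDR, 1]) + bytes.fromhex("001122334455")
    prefix = (bytes([OPT_PREFIX_INFO, 4]) + struct.pack("!BBIII", 64, 0xC0, 2592000, 604800, 0)
              + ipaddress.IPv6Address("2001:db8:1::").packed)
    mtu = bytes([OPT_MTU, 1]) + struct.pack("!2xI", 1500)
    return header + lladdr + prefix + mtu


if __name__ == "__main__":
    from pprint import pprint
    pprint(parse_router_advertisement(build_sample_ra()))
```

Run on captured traffic, the decoded M/O flags, Default Router Preference, Router Lifetime and prefixes are exactly the values that decide which router a host uses and which addresses it configures, so comparing them against what the legitimate router is supposed to send is a straightforward check.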

4.4.1.3 Neighbor Solicitation (ICMPv6 Type 135)

A Neighbor Solicitation is used to determine the link-layer address of an on-link node. These messages are sent to a multicast address for address resolution and to a unicast address for reachability testing of a known neighbor. The Source Address field is set to a unicast IPv6 address, or to the unspecified address during duplicate address detection. The Destination Address field is set to the solicited-node multicast address of the target for a multicast Neighbor Solicitation, or to the target's unicast address for a unicast one. The Target Address field of the message carries the IPv6 address whose link-layer address is being sought.

4.4.1.4 Neighbor Advertisement (ICMPv6 Type 136)

An IPv6 Neighbor Advertisement is sent either in response to a Neighbor Solicitation or unsolicited. Unsolicited Neighbor Advertisements propagate a change of a node's link-layer address or of its role (router or host) quickly; they are not sent periodically. The Destination Address is, similar to the Router Advertisement, set either to the link-local scope all-nodes multicast address (for unsolicited advertisements) or to a unicast address (in response to a solicitation). Several fields are new in the structure of a Neighbor Advertisement message:
• Router flag - when set, the sender is a router
• Solicited flag - when set, indicates that the Neighbor Advertisement was sent in response to a Neighbor Solicitation
• Override flag - when set, indicates that the link-layer address received within the Target Link-Layer Address option should override the existing neighbor cache entry
• Target Address - the address being advertised, i.e. the Target Address of the Neighbor Solicitation that is being answered or the address whose link-layer address changed
• Target Link-Layer Address option - when present, contains the link-layer address of the target, which is the sender of the Neighbor Advertisement

4.4.1.5 Redirect (ICMPv6 Type 137)

Redirect messages are sent in order to inform a host of a better first-hop address for a specific destination. They are sent only by routers, only for unicast traffic, and are addressed to the host by unicast. The Target Address within the message indicates the better next-hop address and the Destination Address holds the address of the destination that caused the router to send the Redirect. Optionally a Target Link-Layer Address option and a Redirected Header option are appended.

Adding up all these things, ND provides:
• Router discovery
• Prefix discovery
• Parameter discovery
• Address autoconfiguration
• Address resolution
• Next-hop determination
• Neighbor unreachability detection
• Duplicate address detection
• Redirect function
Let’s take a closer look at some of these.

4.4.2 Neighbor Discovery Process

In order to provide the Neighbor Discovery processes described below, the following data structures need to be present on each participating host:
• Neighbor cache - stores the on-link IP addresses of neighbors and the corresponding link-layer addresses, together with an indication of each neighbor's reachability
• Destination cache - stores the next-hop IP address for each destination to which traffic has recently been sent
• Prefix list - stores the on-link prefixes
• Default router list - stores the on-link routers that have sent Router Advertisements

4.4.2.1 Address Resolution

If the destination of a datagram to be sent is on the local link, the sender needs to know the link-layer (layer two) address of the destination device. Obtaining the layer two address for a layer three address is known as the address resolution problem.

The sending node sends a Neighbor Solicitation to the solicited-node multicast address derived from the destination IP address; the message carries the destination address in its Target Address field and the link-layer address of the sender in a Source Link-Layer Address option. When the target host receives this message it first updates its neighbor cache with the sender's data and then replies with a unicast Neighbor Advertisement containing its own link-layer address in a Target Link-Layer Address option. The original sender updates its neighbor cache as well, and the packet can be sent.

4.4.2.2 Router Discovery

Router Discovery is the process of discovering all routers on the local link and is pretty similar to what we already know from IPv4. An enhancement over the old Router Discovery is provided by the use of Neighbor Unreachability Detection. IPv6 has, like IPv4, a Router Lifetime field indicating how long a router may be considered a default router. If the router goes offline within this time, hosts using IPv4 usually waited for the Router Lifetime to expire. Now a router that is down is detected through Neighbor Unreachability Detection and another router is chosen from the default router list. If there is no other router on this list, a Router Solicitation is sent in order to find other routers on the link. Besides finding a default router, Router Discovery also configures the Hop Limit, whether stateful address configuration is used, the ND timers, the network prefixes, the link MTU and additional routes.

4.4.2.3 Neighbor Unreachability Detection

A neighbor is considered reachable if its reachability has recently been confirmed, either by a reply to a probe or by an indication from an upper-layer protocol (please note that neighbor reachability only means reachability of the first-hop node, not end-to-end reachability). One way of ensuring the reachability of a node is to send it a unicast Neighbor Solicitation. If a Neighbor Advertisement with the Solicited flag set is received in response, the host that sent the Neighbor Advertisement is considered reachable. The host that sent the Neighbor Solicitation is not automatically considered reachable as well: if host A sends a Neighbor Solicitation to host B and host B replies with a Neighbor Advertisement, only host B is considered reachable by A. For host A to be considered reachable by B, it has to answer a Neighbor Solicitation from host B in turn.

Another way of confirming reachability is when an upper-layer protocol like TCP confirms progress for sent data. You could also say that if end-to-end connectivity is proven by TCP, you can deduce the reachability of the first-hop node.
An entry in the neighbor cache can be in one of the following states:
• Incomplete - address resolution is in progress; the link-layer address is not yet known
• Reachable - the neighbor has been confirmed reachable recently
• Stale - the neighbor is no longer known to be reachable, but no attempt to verify reachability is made until traffic is sent to it
• Delay - the neighbor is no longer known to be reachable and traffic has recently been sent, but probing is delayed for a short while in order to give upper-layer protocols a chance to provide reachability confirmation
• Probe - the neighbor is no longer known to be reachable and unicast Neighbor Solicitation probes are being sent
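The five states above form a small state machine (RFC 2461 section 7.3), and the added Python code below, which is not part of the thesis, simulates it for one neighbor cache entry with a caller-supplied clock: address resolution (multicast Neighbor Solicitation), the transition to Reachable on a solicited Neighbor Advertisement, the timeout to Stale, the Delay period that gives TCP a chance to confirm reachability, the unicast probes, and finally the decision that the neighbor is unreachable. The timer values are the RFC 2461 defaults; the IPv6 and link-layer addresses are made up. The handling of the Solicited and Override flags follows RFC 2461 section 7.2.5, which is why an unsolicited advertisement without the Override flag cannot replace a known link-layer address.

```python
INCOMPLETE, REACHABLE, STALE, DELAY, PROBE = "incomplete", "reachable", "stale", "delay", "probe"

# RFC 2461 default protocol constants (seconds / counts)
REACHABLE_TIME = 30.0            # base value; real nodes randomize it between 0.5x and 1.5x
DELAY_FIRST_PROBE_TIME = 5.0
RETRANS_TIMER = 1.0
MAX_MULTICAST_SOLICIT = 3        # address resolution attempts
MAX_UNICAST_SOLICIT = 3          # NUD probes


class NeighborEntry:
    """One neighbor cache entry driven by explicit events and a caller-supplied clock."""

    def __init__(self, ip):
        self.ip = ip
        self.lladdr = None
        self.state = INCOMPLETE
        self.timer = None            # absolute time at which the current state expires
        self.probes = 0              # solicitations sent in the current state
        self.solicitations = []      # (time, "multicast" | "unicast") for every NS sent

    def _solicit(self, now, kind):
        self.solicitations.append((now, kind))
        self.probes += 1
        self.timer = now + RETRANS_TIMER

    def send_packet(self, now):
        """Called when the host wants to send to this neighbor.
        Returns the link-layer address to use, or None while resolution is pending."""
        if self.state == INCOMPLETE:
            if self.probes == 0:                      # start address resolution
                self._solicit(now, "multicast")       # NS to the solicited-node address
        elif self.state == STALE:
            # Don't probe right away: wait DELAY_FIRST_PROBE_TIME for an upper-layer hint.
            self.state, self.timer = DELAY, now + DELAY_FIRST_PROBE_TIME
        return self.lladdr

    def receive_advertisement(self, now, lladdr, solicited, override):
        """Neighbor Advertisement for this entry (RFC 2461 section 7.2.5 rules)."""
        if self.state == INCOMPLETE:
            self.lladdr = lladdr
            self.state = REACHABLE if solicited else STALE
            self.timer = None
        else:
            changed = lladdr is not None and lladdr != self.lladdr
            if changed and not override:
                if self.state == REACHABLE:           # conflicting address: distrust the cache
                    self.state, self.timer = STALE, None
                return
            if changed:
                self.lladdr = lladdr
            if solicited:
                self.state = REACHABLE
            elif changed:
                self.state, self.timer = STALE, None
        if self.state == REACHABLE:
            self.timer, self.probes = now + REACHABLE_TIME, 0

    def upper_layer_confirmation(self, now):
        """E.g. TCP acknowledging new data: counts as a reachability confirmation."""
        if self.state != INCOMPLETE:
            self.state, self.timer, self.probes = REACHABLE, now + REACHABLE_TIME, 0

    def tick(self, now):
        """Run the timers. Returns False once the neighbor is declared unreachable
        (the entry is deleted; for INCOMPLETE the queued packets get an error)."""
        if self.timer is None or now < self.timer:
            return True
        if self.state == REACHABLE:
            self.state, self.timer = STALE, None
        elif self.state == DELAY:
            self.state, self.probes = PROBE, 0
            self._solicit(now, "unicast")
        elif self.state == PROBE:
            if self.probes >= MAX_UNICAST_SOLICIT:
                return False
            self._solicit(now, "unicast")
        elif self.state == INCOMPLETE:
            if self.probes >= MAX_MULTICAST_SOLICIT:
                return False
            self._solicit(now, "multicast")
        return True


if __name__ == "__main__":
    entry = NeighborEntry("fe80::2")
    entry.send_packet(0.0)                                   # Incomplete, multicast NS sent
    entry.receive_advertisement(0.1, "00:11:22:33:44:02", solicited=True, override=True)
    entry.tick(31.0)                                         # Reachable -> Stale
    entry.send_packet(31.0)                                  # Stale -> Delay
    for t in (36.0, 37.0, 38.0, 39.0):
        alive = entry.tick(t)
        print(t, entry.state, alive, len(entry.solicitations))
```

The scenario in the main block ends with the neighbor declared unreachable after three unanswered unicast probes; calling upper_layer_confirmation during the Delay state instead moves the entry straight back to Reachable without a single probe being sent, which is the saving the Delay state exists for.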

4.4.2.4 Redirect

Redirect messages are sent either when there is a better first hop for a destination in routing terms (e.g. if you have more than one router on a link) or when a packet's destination is on-link without the sending host knowing it (because the prefix is missing from the host's prefix list).

The Redirect process starts with host 1 sending a packet destined for host 2 on Network 2 to its default router R1. The router processes the packet and finds out that the originating host's address and the next-hop address (R2) are on the same link. Router R1 sends the originating host H1 a Redirect message with the Target Address field set to the next-hop address to which the originating host should send subsequent packets for this destination. In the meantime R1 forwards the packets already sent by host 1 to R2, through which Network 2 and the destination are reached. Upon receipt of the Redirect message host 1 updates its destination cache with the address from the Target Address field.

Figure 4.11: Redirect process [14]

Redirect messages are only sent by the first router in the path. Hosts never send Redirect messages, and routing tables are never altered upon receipt of a Redirect message; only the destination cache is.

4.4.2.5 Duplicate Address Detection

If a host's interface comes up and the host wants to use an address derived by autoconfiguration, the uniqueness of that address has to be ensured first. This is done by the host sending a Neighbor Solicitation with the Target Address field set to the newly computed (tentative) address and the Destination Address set to the solicited-node multicast address of that tentative address. The Source Address is the unspecified address (::), because the tentative address may not be used until its duplication has been ruled out. If a Neighbor Advertisement for the target arrives in reply, another node already uses the same IP address (this advertisement must be sent to the link-local all-nodes multicast address, since the soliciting node has no usable address yet); if not, the address can be initialized on the interface.
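The following Python code is an added example, not part of the thesis, that ties the autoconfiguration steps of section 4.1.5 to the Neighbor Solicitation used for duplicate address detection: it derives the modified EUI-64 interface identifier from a MAC address, forms the link-local and a global address from it, computes the solicited-node multicast address (FF02::1:FFxx:xxxx, with the low-order 24 bits of the address) and the Ethernet multicast MAC it maps to, and returns the address fields of the DAD Neighbor Solicitation. It also shows what the node that already owns the address has to do when such a solicitation arrives: because the source is the unspecified address, the Neighbor Advertisement must go to the all-nodes address FF02::1. The MAC address and the prefix are made up.

```python
import ipaddress

LINK_LOCAL_PREFIX = "fe80::/64"
ALL_NODES = "ff02::1"


def modified_eui64(mac):
    """Interface identifier from a 48-bit MAC: insert FF:FE in the middle and flip
    the universal/local bit (bit 0x02 of the first octet), as RFC 2373 specifies."""
    octets = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])


def address_from_prefix(prefix, mac):
    """Stateless autoconfiguration: a /64 prefix plus the interface identifier."""
    network = ipaddress.IPv6Network(prefix)
    if network.prefixlen != 64:
        raise ValueError("stateless autoconfiguration requires a /64 prefix")
    return ipaddress.IPv6Address(network.network_address.packed[:8] + modified_eui64(mac))


def link_local_address(mac):
    return address_from_prefix(LINK_LOCAL_PREFIX, mac)


def solicited_node_multicast(address):
    """FF02::1:FFxx:xxxx with the low-order 24 bits of the unicast address."""
    low24 = ipaddress.IPv6Address(address).packed[13:]
    return ipaddress.IPv6Address(bytes.fromhex("ff02" + "00" * 9 + "01ff") + low24)


def ethernet_multicast_mac(address):
    """IPv6 multicast to Ethernet mapping: 33:33 followed by the low-order 32 bits."""
    low32 = ipaddress.IPv6Address(address).packed[12:]
    return "33:33:" + ":".join("%02x" % b for b in low32)


def dad_solicitation(tentative):
    """Address fields of the Neighbor Solicitation sent for duplicate address detection."""
    tentative = ipaddress.IPv6Address(tentative)
    dst = solicited_node_multicast(tentative)
    return {"src": "::", "dst": str(dst), "dst_mac": ethernet_multicast_mac(dst),
            "target": str(tentative), "hop_limit": 255}


def advertisement_destination(own_addresses, solicitation_src, target):
    """Where a node that owns `target` sends its Neighbor Advertisement in reply, or
    None if the solicitation is not for one of its addresses. A solicitation from
    the unspecified address (DAD) cannot be answered by unicast, so the
    advertisement goes to the all-nodes multicast address instead."""
    owned = {ipaddress.IPv6Address(a) for a in own_addresses}
    if ipaddress.IPv6Address(target) not in owned:
        return None
    src = ipaddress.IPv6Address(solicitation_src)
    return ALL_NODES if src == ipaddress.IPv6Address("::") else str(src)


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"
    ll = link_local_address(mac)
    print(ll, address_from_prefix("2001:db8:1::/64", mac))
    print(dad_solicitation(ll))
```

Because the interface identifier is derived from the MAC address, the same identifier reappears behind every prefix the host is attached to; RFC 3041 (privacy extensions) defines randomly generated identifiers for hosts where that is not wanted.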

4.4.2.6 Next-Hop determination

This is the first thing a host does when sending a datagram. It looks at the destination address and decides whether direct (on-link) or indirect (via a router) delivery is needed, using the prefix information supplied by routers or configured manually on the interface. If the destination is not on-link, the next hop is chosen from the host's list of routers (which is either learned through ND or entered manually). For efficiency this check is not done for every packet: the result is stored in the destination cache for future use.

4.5 IPv6 Routing

IPv6 routing entries can either be entered manually or be added upon receipt of a Router Advertisement message. A routing table has to be present on every IPv6 node in order to determine how specific networks can be reached when sending a packet. Before the IPv6 routing table is consulted, the destination cache is checked for an entry matching the destination address. If there is no destination cache entry for the destination address, the IPv6 routing table determines the interface to be used for forwarding and the next-hop address. This information in turn is stored in the destination cache for future use. The routing table can contain the following types of routes: directly attached network routes, remote network routes, host routes and default routes.

4.5.1 Route determination process

In order to make the right forwarding decision the routing table entries have to be searched. For each entry in the routing table the bits of the network prefix are compared with the same bits of the destination address. If all bits within the prefix length of the route match the corresponding bits of the destination IPv6 address, the route is a match for the destination. Of all matching routes the one with the longest prefix length is chosen, for it is the most specific route to the destination. If multiple routes with the longest match are found, the decision is made upon the metric. For any given destination host routes are therefore found first, then network routes; if neither exists, the default route is used.

If the route determination process on the sending host fails to find a route, IPv6 assumes the destination is locally reachable. If the route determination process fails on a router, an ICMPv6 Destination Unreachable - No Route to Destination message is sent to the sending host and the packet is discarded.

4.5.2 IPv6 Delivery Process

4.5.2.1 Sending an IPv6 packet

This is the process when a packet is sent by an IPv6-enabled host.
1. The Hop Limit is set to the default or to an application-specified value
2. The destination cache is searched for an entry matching the destination
3. If an entry is found in the destination cache, the next-hop address and the interface to use are retrieved from it. Go to step 6.
4. If no entry is found in the destination cache, the routing table is searched for the longest matching route with the lowest metric
5. If an entry is found in the routing table, the next-hop address and the interface to use are retrieved from it. If no route matches, the destination address is assumed to be directly reachable
6. The destination cache is updated
7. The neighbor cache is checked for an entry matching the next-hop address
8. If an entry is found, the link-layer address is retrieved from it
9. If no entry is found, address resolution is used to obtain the link-layer address; if address resolution fails, an error is indicated
10. The packet is sent using the link-layer address of the neighbor cache entry

4.5.2.2 Routing an IPv6 packet

This describes how a packet is processed in a router.

1. Header error checks are performed (Version = 6, source address is not
a multicast or loopback address).
2. If the destination address is the router itself, the packet is processed
as described below in “Receiving an IPv6 packet”.
3. The Hop-Limit value is decremented by 1. If the Hop-Limit reaches zero,
an ICMPv6 Time Exceeded - Hop Limit Exceeded in Transit message
is sent.
4. The new Hop-Limit value is set if it is still at least 1.
5. The destination cache is checked for an entry matching the destination.
6. If an entry is found in the destination cache, retrieve the next-hop
address and the interface to use. Go to step 9.
7. The routing table is checked for the longest matching, lowest metric
route available.
8. If an entry is found in the routing table, retrieve the next-hop address
and the interface to use. If no route is found, an ICMPv6 Destination
Unreachable - No Route to Destination message is sent and the packet
is discarded.
9. The destination cache is updated.
10. If the interface on which the packet was received is the same as the
interface on which the packet is being forwarded, the interface is a
point-to-point link and the Destination Address field matches a prefix
assigned to the interface, an ICMPv6 Destination Unreachable - Address
Unreachable message is sent in order to prevent “ping-pong” forwarding
of packets.
11. If the interface on which the packet was received is the same as the
interface on which the packet is being forwarded and the Source Address
field matches a prefix assigned to the interface, a Redirect message is
sent.
12. The link MTU of the next-hop interface is compared to the size of the
packet. If the link MTU is smaller than the packet size, an ICMPv6
Packet Too Big message is sent.
13. The neighbor cache is checked for an entry matching the next-hop
address.
14. If an entry is found in the neighbor cache, retrieve the link-layer address.
15. If no entry is found in the neighbor cache, use address resolution. If
address resolution fails, an ICMPv6 Destination Unreachable - Address
Unreachable message is sent.
16. The packet is forwarded.
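The route determination of section 4.5.1 and the forwarding steps just listed, written out as an added example (this is not code from the thesis): a small Python routing table that performs the longest-prefix match with the metric as tie breaker and fills the destination cache, plus a forward() step that applies the header, hop limit, routing and link MTU checks and names the ICMPv6 message a router would answer with. The routes, interface names, MTU values and the packet dictionary are constructed for the example and use the documentation prefix 2001:db8::/32; the redirect and “ping-pong” checks of steps 10 and 11 are left out.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv6Network      # /128 = host route, ::/0 = default route
    interface: str                     # interface the packet leaves on
    next_hop: Optional[str] = None     # None for a directly attached network
    metric: int = 0                    # tie breaker among equally long matches


@dataclass
class RoutingTable:
    routes: List[Route] = field(default_factory=list)
    destination_cache: Dict[ipaddress.IPv6Address, Tuple[str, str]] = field(default_factory=dict)

    def lookup(self, destination: str) -> Optional[Tuple[str, str]]:
        """Return (interface, next_hop) for a destination, or None if no route matches.
        The destination cache short-circuits the table walk, as in section 4.5."""
        dest = ipaddress.IPv6Address(destination)
        if dest in self.destination_cache:
            return self.destination_cache[dest]
        # every route whose prefix bits all match the destination is a candidate
        candidates = [r for r in self.routes if dest in r.prefix]
        if not candidates:
            return None
        # longest prefix wins: a /128 host route beats network routes, which beat
        # the ::/0 default route; equal prefix lengths are decided by the metric
        best = max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))
        next_hop = best.next_hop if best.next_hop else str(dest)  # on-link: deliver directly
        self.destination_cache[dest] = (best.interface, next_hop)
        return self.destination_cache[dest]


def forward(table: RoutingTable, packet: dict, link_mtu: Dict[str, int],
            local_addresses=()) -> tuple:
    """Router forwarding decision for one packet (steps 1-3, 8 and 12 of 4.5.2.2).
    packet is a dict with 'src', 'dst', 'hop_limit' and 'size' (constructed format).
    Returns ('deliver',), ('forward', iface, next_hop), ('icmpv6', message) or ('drop', why)."""
    src = ipaddress.IPv6Address(packet["src"])
    dst = ipaddress.IPv6Address(packet["dst"])
    if packet.get("version", 6) != 6 or src.is_multicast or src.is_loopback:
        return ("drop", "header error check failed")
    if dst in {ipaddress.IPv6Address(a) for a in local_addresses}:
        return ("deliver",)                     # handled by "Receiving an IPv6 packet"
    packet["hop_limit"] -= 1
    if packet["hop_limit"] < 1:
        return ("icmpv6", "Time Exceeded - Hop Limit Exceeded in Transit")
    route = table.lookup(packet["dst"])
    if route is None:
        return ("icmpv6", "Destination Unreachable - No Route to Destination")
    iface, next_hop = route
    if packet["size"] > link_mtu[iface]:
        return ("icmpv6", "Packet Too Big")
    return ("forward", iface, next_hop)


def example_table() -> RoutingTable:
    """Constructed routing table using the 2001:db8::/32 documentation prefix."""
    return RoutingTable(routes=[
        Route(ipaddress.IPv6Network("2001:db8:1::/64"), "eth0"),                   # directly attached
        Route(ipaddress.IPv6Network("2001:db8::/48"), "eth1", "fe80::1", metric=10),
        Route(ipaddress.IPv6Network("2001:db8::/48"), "eth2", "fe80::2", metric=5),
        Route(ipaddress.IPv6Network("2001:db8:0:5::42/128"), "eth3", "fe80::3"),  # host route
        Route(ipaddress.IPv6Network("::/0"), "eth9", "fe80::9"),                   # default route
    ])
```

The second lookup for the same destination never touches the route list again because the first result was cached; a real stack additionally invalidates cache entries when routes or neighbor reachability change.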

4.5.2.3 Receiving an IPv6 packet

This is what has to be done when receiving an IPv6 packet.

1. Header error checks are performed (Version = 6, source address is not
a multicast or loopback address).
2. The destination address is checked as to whether it corresponds to an
address configured on the host. If the destination address in the packet
is not assigned to a local host interface, the packet is silently
discarded.
3. The extension headers are processed based on the Next Header field.
The Next Header values are verified and an ICMPv6 Parameter Problem -
Unrecognized Next Header Type Encountered message is sent in reply
if the values are wrong.
4. If the upper-layer PDU is not a TCP segment or UDP message, pass
the upper-layer PDU to the appropriate protocol.
5. If the upper-layer PDU is a TCP segment or UDP message, check the
destination port. If no application exists for the UDP destination port,
an ICMPv6 Destination Unreachable - Port Unreachable message is
sent in reply. If no application exists for the TCP destination port, a TCP
Connection Reset segment is sent in reply.
6. If an application exists for the TCP or UDP destination port, process
the contents of the packet.

4.5.3 IPv6 Routing protocols

Instead of a statically configured router, i.e. one where the routes are set
manually, you can also use dynamically configured routes, which of course
have big advantages when there are changes in the topology (which a
dynamic router notices automatically).

4.5.3.1 Routing Protocol Technologies

There are several methods of propagating routes on a network.

4.5.3.1.1 Distance Vector With Distance Vector, routing information
(network ID and “distance”, i.e. hop count) is propagated via periodic
advertisements which are unsynchronized and unacknowledged. Distance
Vector is easy to set up but does not scale very well and produces a
lot of traffic.

4.5.3.1.2 Link State Via Link State Advertisements, sent upon startup and
upon changes in the topology, the network prefixes and their assigned
costs are distributed. Link State is an easy to scale, low traffic method but
can be complex to set up.

4.5.3.1.3 Path Vector Path Vector is also used to distribute sequences of
hop numbers indicating the path for a route. Like the Link State
protocol it is easy to scale with low network overhead but can be complex
to set up.

4.5.3.2 Routing Protocols for IPv6

4.5.3.2.1 RIPng for IPv6 RIPng for IPv6 is a protocol implementing Distance
Vector. When a router is configured for RIPng it sends a General Request
message on all interfaces in order to receive the routes from neighboring
routers. Routes are then periodically announced depending on whether
Split Horizon (routes are not announced on the interface where they were
learnt) or Split Horizon with poison reverse (routes are announced as
unreachable on the interface where they were learnt) is configured. See RFC
2080.

4.5.3.2.2 OSPF for IPv6 OSPF uses Link State; possible costs include
delay, bandwidth and monetary costs. See RFC 2740 for more
information.

4.5.3.2.3 Integrated Intermediate System-to-Intermediate System (IS-IS)
for IPv6 Integrated IS-IS, also known as dual-IS, uses Link State as
well and is pretty similar to OSPF. See ISO 10589 for more details.

4.5.3.2.4 BGP-4 The Border Gateway Protocol uses Path Vector and is
designed to exchange information between autonomous systems. It creates
a logical path tree which describes all connections. For more information
read RFC 1771, 2545 and 2858.

4.5.3.2.5 Inter-Domain Routing Protocol version 2 The IDRP is also a
path vector protocol and is defined in ISO 10747.

4.6 IPv6 and Name Resolution

With IPv6 name resolution becomes even more important than with IPv4,
for it is unreasonable to expect any end user to remember an IPv6 address.
The structure of the DNS entries has not really changed, apart from the type
of DNS record used (type 28). AAAA records, also called “quad-A” records, are
comparable to the A records used for IPv4 name resolution. (They are called
AAAA because the address is four times as long as in an A record.) In order
to provide reverse queries the usual pointer record is used; the only thing
that changed is the representation of the record (nibbles instead of decimal
numbers). For reverse lookup the domain “.ip6.arpa.” is used (“.ip6.int.”
is outdated).
IPv6 address: 4321:0:1:2:3:4:567:89ab
reverse lookup domain name:
b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.ip6.arpa.
In order to resolve a name, usually the local hosts file is queried
first. This file can include hostnames to be resolved locally rather than
by DNS. If there is no entry in the hosts file for a specific name, DNS is
queried. Please note that IPv6 no longer supports Network Basic Input
Output System (NetBIOS).
A DNS query may return several addresses for a hostname. These can
be IPv4 and IPv6 addresses, and because a host may have several IPv6
addresses (site-local, global, coexistence, ..) address selection is not an
easy task here. See RFC 3484 for details on this subject.
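As an added example (not part of the thesis), the nibble reversal shown above written out in Python, together with the AAAA and PTR records an administrator would put into the forward and reverse zones and a check that both agree. The host names are borrowed from the test network of this thesis; the 2001:db8::/32 addresses are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple


def reverse_name(address: str) -> str:
    """ip6.arpa name of an address: all 32 nibbles, leading zeros included, in reverse order."""
    nibbles = ipaddress.IPv6Address(address).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone(prefix: str) -> str:
    """Name of the reverse zone for a delegated prefix; ip6.arpa delegations are
    cut on nibble boundaries, so the prefix length must be a multiple of 4."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 for an ip6.arpa delegation")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def zone_records(hosts: Dict[str, str], domain: str) -> Tuple[List[str], List[str]]:
    """Forward AAAA records and the matching PTR records for a set of hosts."""
    forward, reverse = [], []
    for name, address in hosts.items():
        fqdn = f"{name}.{domain}."
        forward.append(f"{fqdn} IN AAAA {ipaddress.IPv6Address(address).compressed}")
        reverse.append(f"{reverse_name(address)} IN PTR {fqdn}")
    return forward, reverse


def records_consistent(forward: List[str], reverse: List[str]) -> bool:
    """True when every AAAA record has a PTR record pointing back to the same
    name; a missing or stale PTR is the usual cause of failing reverse lookups."""
    ptr_by_name = {line.split(" IN PTR ")[1]: line.split(" IN PTR ")[0] for line in reverse}
    for line in forward:
        fqdn, addr = line.split(" IN AAAA ")
        if ptr_by_name.get(fqdn) != reverse_name(addr):
            return False
    return True
```

Python’s ipaddress module exposes the same reverse name as IPv6Address(...).reverse_pointer (without the trailing dot); the function above spells the derivation out so the nibble order is visible.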

4.7 Migration to IPv6 [15]

To change the protocol of a network is always a big task, but there are
several techniques that make it less troublesome. The easiest,
and in fact the only method that really can be used today, is the coexistence
of both protocols on a node so that it responds to both protocols.
A Dual-IP-Layer includes an IPv4 and an IPv6 layer implementation which
share one implementation of the Host-to-Host layer protocols such as TCP
and UDP. A dual stack infrastructure also has IPv4 and IPv6 network
layers, but each has its own Host-to-Host protocol layer. Both techniques
provide IPv4 and IPv6 connectivity to a host.
With IPv6 over IPv4 tunneling, IPv6 packets are encapsulated in an
IPv4 header and sent over the IPv4 infrastructure (tunnels can be set up
between two routers, between two hosts or between a router and a host).
Another thing needed in a working IPv4/IPv6 infrastructure is a DNS
infrastructure resolving hostnames to both IPv4 and IPv6 addresses.
Below, I will discuss several transition techniques in more detail.

4.7.1 6over4

Please note that the structure of the 6over4 address is discussed in the “IPv6
Unicast addresses” part of this chapter.
6over4, also known as IPv4 multicast tunneling, is a host-to-host, router-to-
router and host-to-router automatic tunneling technique for unicast and
multicast connectivity which is, because it relies on IPv4 multicasting, not
very widely used. It provides IPv6 connectivity across an IPv4 internet
and treats the IPv4 infrastructure as a single link with multicasting
capabilities.
See RFC 2529 for further reading.

Figure 4.12: 6over4 configuration and logical equivalent [15]

4.7.2 6to4

Please note that the structure of the 6to4 address is discussed in the “IPv6
Unicast addresses” part of this chapter.
This technique is an address assignment and router-to-router automatic
tunneling technique providing unicast IPv6 connectivity across an IPv4
network. Its details are described in RFC 3056, where the following terms
are defined:
• 6to4 host - a host configured with an autoconfigured 6to4 address
• 6to4 router - an IPv4/IPv6 router supporting the use of a 6to4 tunnel
interface, used to forward traffic (may need additional configuration)
• 6to4 relay router - forwards 6to4 traffic between 6to4 routers

Figure 4.13: 6to4 infrastructure [15]

Within a site, local routers advertise the 6to4 prefix so that hosts can create
autoconfigured addresses and routes. All IPv6 traffic that does not match
a 64-bit prefix used by the subnets within the site is forwarded to the 6to4
router on the site border. In the example picture host A can communicate
with host B via router 1 using a default route. In order for host A to
communicate with host C, router 1 has to encapsulate the traffic in an IPv4
header and send it over the IPv4 internet to router 2. The following kinds of
communication are possible:
• 6to4 host with another 6to4 host on the same site - like communication
between host A and host B; connectivity is provided by the
routing table.
• 6to4 host with another 6to4 host across the internet - like communication
between host A and host C; the data is encapsulated by the site
border router 1 in an IPv4 packet and sent to the site border router
2, which in turn removes the IPv4 header and delivers the packet to
host C.
• 6to4 host with an IPv6 host on the internet - like communication
between host A and host D; the local-site router 1 tunnels the data to
the 6to4 relay router, which removes the IPv4 portion of the packet
and forwards it to the appropriate host.
Note: This technique only requires one IPv4 address to obtain global IPv6
reachability and therefore might be widely used.

4.7.3 ISATAP

Please note that the structure of the ISATAP address is discussed in the “IPv6
Unicast addresses” part of this chapter.
The Intra-Site Automatic Tunnel Addressing Protocol is an address
assignment and host-to-host, router-to-router and router-to-host automatic
tunneling technology used to provide unicast IPv6 connectivity across an
IPv4 internet. ISATAP addresses are derived by autoconfiguration
mechanisms.
When using ISATAP, communication between ISATAP nodes on the same
link is possible but not with other IPv6 addresses on other subnets. To
communicate outside the logical subnet, packets must be tunneled by an
ISATAP router. An ISATAP router is an IPv6 router performing the
following:
• Forwarding packets between ISATAP hosts and hosts on other subnets
(IPv4 or IPv6)
• Acting as a default router for ISATAP hosts
• Advertising address prefixes
An ISATAP host that receives a Router Advertisement from an ISATAP
router sets its default route to this router, and every packet destined to
locations outside the subnet is tunneled via the ISATAP router.
Further reading is found in RFC 4214.

Figure 4.14: ISATAP configuration [15]

4.7.4 Teredo

Please note that the structure of the Teredo address is discussed in the “IPv6
Unicast addresses” part of this chapter.
This technique, also known as IPv4 network address translator traversal
for IPv6, provides address assignment and host-to-host automatic tunneling
for unicast IPv6 communication across the IPv4 network when hosts
are located behind one or multiple NATs. Because protocol 41 translation
(indicating IPv4-encapsulated IPv6 data) is not supported by most of the
routers, Teredo, which encapsulates the IPv6 data in UDP messages, is
used.

Figure 4.15: Components of a Teredo infrastructure

• Teredo client - an IPv4/IPv6 node supporting a Teredo tunneling
interface which can communicate with other Teredo clients or nodes
on the IPv6 internet (through a Teredo relay)
• Teredo server - a Teredo node that is connected to the IPv4 and IPv6
internet. It assists in the initial configuration of a Teredo client to facilitate
initial communication
• Teredo relay - can forward packets between Teredo clients on the
IPv4 internet and IPv6-only nodes
• Teredo host-specific relay - a Teredo node that is connected to the IPv4 and
IPv6 internet and can communicate directly with Teredo clients on
the IPv4 internet without the need of an intermediate Teredo relay
(either obtained through a direct connection to the IPv6 internet or a
transition technique like 6to4).
Note: Teredo is designed to be a last-resort transition technique and is not
used if native IPv6, 6to4 or ISATAP is present. More and more
NATs are also updated to support protocol 41 nowadays.
See RFC 3904 for more information.

4.7.5 PortProxy

To allow for communication between nodes or applications not using the
same Internet Layer protocol (IPv4 or IPv6) you can use PortProxy in order
to proxy:
• IPv4 to IPv4 - TCP traffic to an IPv4 address is proxied to TCP traffic
to another IPv4 address
• IPv4 to IPv6 - in order to let an IPv4 node access a service of an
IPv6 node; the PortProxy in between does the same we already know
from usual proxying: the IPv4 node establishes a connection to the
PortProxy, which in turn establishes a connection to the IPv6-only
application
• IPv6 to IPv6 - TCP traffic to an IPv6 address is proxied to TCP traffic
to another IPv6 address
• IPv6 to IPv4 - an IPv6 node can hereby access an IPv4-only application
The last type of PortProxy for example allows an IPv6 node to access a
service not yet IPv6-enabled, e.g. Telnet on Windows 2003. Although there is
an IPv6-enabled Telnet client there is no IPv6-enabled Telnet server
available. You could establish an IPv6 to IPv4 PortProxy to port 23, used by
Telnet, on the computer running the Telnet server. Thereby an IPv6 Telnet
request is proxied to the IPv4 Telnet server application.

Note: This only works for applications that do not embed address or port
information inside the upper-layer PDU. PortProxy has no capability of
changing embedded information.
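An added example, not the Windows PortProxy itself, of what an IPv6 to IPv4 PortProxy does: a minimal TCP forwarder in Python that listens on an IPv6 address and opens a second, IPv4 connection for each client, copying bytes in both directions. The IPv4 echo server, the loopback addresses and the demo() helper are constructed for this example. The forwarder relays payload only, so, as the note above says, anything an application embeds in its own messages passes through unchanged.

```python
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until src hits EOF, then pass the EOF on to dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_client(client: socket.socket, target, target_family: int) -> None:
    """Open the second leg to the target and relay both directions. Only raw TCP
    payload is copied; like PortProxy this cannot rewrite addresses or ports an
    application embeds in its own messages."""
    upstream = socket.socket(target_family, socket.SOCK_STREAM)
    try:
        upstream.connect(target)
    except OSError:
        client.close()
        return
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def start_proxy(listen, listen_family: int, target, target_family: int):
    """Listen on one address family and forward each connection to `target` in
    another. Returns the listening socket and the (host, port) it is bound to."""
    srv = socket.socket(listen_family, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen)
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:        # listening socket closed
                return
            threading.Thread(target=handle_client,
                             args=(client, target, target_family), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[:2]


def start_ipv4_echo_server():
    """Stand-in for the IPv4-only service (constructed for this example)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def echo(conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    return
                conn.sendall(data)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=echo, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()


def demo(payload: bytes = b"hello via the proxy\n") -> bytes:
    """Send payload to an IPv6 listener that proxies to the IPv4 echo server and
    return what comes back. Falls back to an IPv4 listener when ::1 is not
    available on the machine."""
    echo_srv, v4_target = start_ipv4_echo_server()
    try:
        proxy_srv, (host, port) = start_proxy(("::1", 0), socket.AF_INET6, v4_target, socket.AF_INET)
    except OSError:
        proxy_srv, (host, port) = start_proxy(("127.0.0.1", 0), socket.AF_INET, v4_target, socket.AF_INET)
    reply = b""
    with socket.create_connection((host, port), timeout=5) as c:   # family chosen from host
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        while True:
            data = c.recv(4096)
            if not data:
                break
            reply += data
    proxy_srv.close()
    echo_srv.close()
    return reply
```

From the IPv4 service’s point of view every connection now comes from the proxy’s own IPv4 address, which is also what a server’s access log or host-based access control will see.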

Bibliography

[1] Davies, Joseph: Understanding IPv6. Redmond, Washington: Microsoft Press, 2002
[2] Kozierok, Charles M.: The TCP/IP Guide (2005). http://www.tcpipguide.com (2006-01-10)
[3] The TCP/IP GUIDE: IPv6 Global Unicast Address Format (2005). http://www.tcpipguide.com/free/t_IPv6GlobalUnicastAddressFormat-2.htm (2006-01-10)
[4] IEEE: Guidelines for 64-bit Global Identifier (EUI-64) Registration Authority (2005). http://standards.ieee.org/regauth/oui/tutorials/EUI64.html (2006-01-10)
[5] Microsoft: IPv6 Interface Identifier (2006). http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ip_v6_imp_addr7.mspx (2006-01-11)
[6] The TCP/IP GUIDE: IPv6 Interface Identifiers and Physical Address Mapping (2005). http://www.tcpipguide.com/free/t_IPv6InterfaceIdentifiersandPhysicalAddressMapping-2.htm (2006-01-11)
[7] The TCP/IP GUIDE: IPv6 Multicast and Anycast Addressing (2005). http://www.tcpipguide.com/free/t_IPv6MulticastandAnycastAddressing.htm (2006-01-11)
[8] Microsoft: IPv6 Address Autoconfiguration (2004). http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wcetcpip/html/cmconipv6addressautoconfiguration.asp (2006-01-11)
[9] Droms, Bound, Volz, Lemon, Perkins, Carney: RFC 3315 - Dynamic Host Configuration Protocol for IPv6 (DHCPv6) (2003). http://www.faqs.org/rfcs/rfc3315.html (2006-01-14)
[10] Wikipedia: IPv6 (2006). http://en.wikipedia.org/wiki/Ipv6 (2006-01-12)
[11] The TCP/IP GUIDE: IPv6 Datagram Extension Headers (2005). http://www.tcpipguide.com/free/t_IPv6DatagramExtensionHeaders-2.htm (2006-01-12)
[12] Deering, Fenner, Haberman: RFC 2710 - Multicast Listener Discovery (MLD) for IPv6 (1999). http://www.faqs.org/rfcs/rfc2710.html (2006-01-12)
[13] Narten, Nordmark, Simpson: RFC 2461 - Neighbor Discovery for IP Version 6 (IPv6) (1998). http://www.faqs.org/rfcs/rfc2461.html (2006-01-12)
[14] The TCP/IP GUIDE: IPv6 ND Redirect Function (2005). http://www.tcpipguide.com/free/t_IPv6NDRedirectFunction.htm (2006-01-13)
[15] Windows Server 2003: IPv6 Transition Technologies (2003). http://www.microsoft.com/windowsserver2003/techinfo/overview/ipv6coexist.mspx (2006-01-13)

Chapter 5

Migration to IPv6

Now it’s time to start doing what the title of this thesis promises: migrating
the network to IPv6. This section will cover everything from initial
considerations to the deployment of IPv6 and the migration of the services
used. I want to give a detailed plan for those interested in what is to be done
and describe the problems I experienced and the measures to be taken.

5.1 Making your system IPv6-ready [1]

Before doing anything else I had to install the IPv6 stack on each computer
in my network. Because not all services used in a network have an IPv6
enabled version, as you will see in this chapter, it is nowadays usual to
configure your PC dual-stack in order to have IPv4 and IPv6 connectivity.
While I was configuring the network for the next generation of network
protocols I requested an IPv6 address for reaching IPv6-only services in
the internet as well. I decided to request a tunnel from SixXS, reachable
at www.sixxs.net. SixXS is an IPv6 Deployment and Tunnel Broker
distributing IPv6 tunnels first; after your tunnel has been up for a certain
time you have earned enough credits to request your own subnet. The uptime
needed is usually about one week. When you request your first tunnel
at SixXS you have to fill out a form describing why you think you need
an address and what you want to do with it. They want to receive very
verbose descriptions of what is done with their addresses, so I wrote down
my ideas for the whole project accurately and within a few days I held my
own IPv6 address in my hands.
The structure of the network at the Berufsförderungsinstitut Burgenland
required the tunnel endpoint not to be placed directly in my lab but on the
gateway router for both of my networks. Because this computer belongs
to the production network of the company I was not allowed to install any
software and had to call the system administrators to set up the tunnel.
Later in this chapter I will describe what had to be done. Now back to the
initial configuration needed on each PC.

5.1.1 Debian Linux

First I want to talk about the migration of Debian Linux PCs to IPv6. Kernel
2.4.x upwards is what is recommended for use with IPv6. In the portion
of the test network I administer I only used 2.4.x and 2.6.x kernels,
which reduces the problems loading the module needed. The only computer
with a kernel 2.2.x was the one which was configured as the tunnel
endpoint. Because 2.2.x kernels are not up to date regarding IPv6, the system
administrators decided to compile a new 2.6.x kernel [2]. For the installation
of the tunnel software aiccu please read the section about the services of IPv6.
You can check if the module you need is already loaded by looking at
/proc/net/if_inet6
You should see something like this for the interfaces of the PC:

00000000000000000000000000000001 01 80 10 80 lo
fe800000000000000250fcfffe60d6d6 02 40 20 80 eth0
Here you have a loopback entry for lo and a link local address for eth0.
This is the proof that your ipv6 module is loaded, but you can also check
with
lsmod | grep ipv6
which lists the ipv6 module if it is loaded. Systems where both checks fail
have very likely not loaded the module needed. You can do this by
modprobe ipv6
or, for repeated use after startup, just add it to the /etc/modules file (which
should not be necessary for 2.4.x and 2.6.x). With these simple steps you
can be sure your Linux PC is IPv6-ready. Now, let’s look at the Windows
side of computing.
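Before turning to Windows, the check described above in script form, as an added example that is not from the thesis: a Python script that reads the /proc/net/if_inet6 format shown above, decodes the hexadecimal prefix length and scope fields and reports whether the machine looks IPv6-ready and which interfaces still lack a global address. The sample lines are constructed from the two quoted above; the scope values are the ones the Linux kernel writes into that file.

```python
import ipaddress

# Scope field values the Linux kernel writes to /proc/net/if_inet6
SCOPES = {0x00: "global", 0x10: "host", 0x20: "link", 0x40: "site"}

# Constructed from the two lines quoted above (loopback plus eth0 link-local)
SAMPLE_IF_INET6 = """\
00000000000000000000000000000001 01 80 10 80 lo
fe800000000000000250fcfffe60d6d6 02 40 20 80 eth0
"""


def parse_if_inet6(text: str):
    """Each line: 32 hex digits of address, interface index, prefix length,
    scope and flags (all hexadecimal), then the interface name."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        raw, ifindex, plen, scope, flags, name = fields
        entries.append({
            "interface": name,
            "ifindex": int(ifindex, 16),
            "address": ipaddress.IPv6Address(int(raw, 16)).compressed,
            "prefixlen": int(plen, 16),
            "scope": SCOPES.get(int(scope, 16), "0x%02x" % int(scope, 16)),
            "flags": int(flags, 16),
        })
    return entries


def ipv6_ready(entries) -> bool:
    """The minimum sign that the ipv6 module is loaded and working: some
    interface other than lo carries a link-local (fe80::/10) address."""
    return any(e["scope"] == "link" and e["interface"] != "lo" for e in entries)


def missing_global(entries):
    """Interfaces that only have link-local or site-local addresses and therefore
    cannot reach the IPv6 internet yet (the situation in this chapter before
    the tunnel was set up)."""
    by_if = {}
    for e in entries:
        by_if.setdefault(e["interface"], set()).add(e["scope"])
    return sorted(name for name, scopes in by_if.items()
                  if name != "lo" and "global" not in scopes)


def read_system():
    """Read the live file; an absent file means the module is not loaded (or
    this is not Linux)."""
    try:
        with open("/proc/net/if_inet6") as f:
            return parse_if_inet6(f.read())
    except FileNotFoundError:
        return []


if __name__ == "__main__":
    found = read_system() or parse_if_inet6(SAMPLE_IF_INET6)
    for e in found:
        print(f"{e['interface']:6} {e['address']}/{e['prefixlen']} scope {e['scope']}")
    print("IPv6 ready:", ipv6_ready(found), "- without global address:", missing_global(found))
```

Run without arguments the script reads the live file and falls back to the constructed sample when the file does not exist.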

5.1.2 Windows

When searching the internet for Windows and IPv6 you will find the notes
that IPv6 is fully supported by all operating systems starting with Windows
2000. As I had one Windows 2000 client, one Windows 2000 server
and two Windows XP clients I was glad I could start migrating without
any upgrades to make, or so I thought.

5.1.2.1 Windows 2000 Client and Server [3] [4]

For both Windows 2000 Client and Server the installation of the IPv6 stack
is the same. As it is not included in the usual installation, you have to
download additional files from the internet [5]. After saving the downloaded
file “tpipv6-001205.exe” on the file server I unzipped it to my local hard
disk, automatically creating a folder called “IPv6Kit”. Now you have to
open a console window and start the setup by typing “setup.exe -x”, which in
turn extracts another bunch of files to a subfolder it prompts you to name.
I chose to call it “files” as recommended in the Microsoft description.
From the folder “files” now open the text file “Hotfix.inf” and
modify it for your system. Depending on which Service Pack you installed
you have to change the following line in the subsection called [Version]:
entry for Service Pack 1: NTServicePackVersion=256
entry for Service Pack 2: NTServicePackVersion=512
entry for Service Pack 3: NTServicePackVersion=768
entry for Service Pack 4: NTServicePackVersion=1024

After saving the modifications made, run “Hotfix.exe” from the “files”
folder. Now, I think you have guessed already, you have to restart your
computer in order to make the changes take effect. Then the protocol stack
is installed on your computer but not yet used.
If you also want to use the protocol you have to open the dialog for
configuring your network settings (Control Panel - network and dial-up
connections). Open the properties of your ethernet-based connection
listed within, usually called “Local Area Connection”. Another dialog is
opened with a button labelled “Install ...”, opening in turn another window
where you can choose what kind of network component you want
to install additionally. In this list you will find the entry “Network Protocol”,
and by clicking that you can finally choose to install the “Microsoft
IPv6 Protocol”. Now the IPv6 driver “tcpip6.sys” is installed to
%SYSTEMROOT%\system32\drivers and other files like the Winsock helper
“wship.dll” and all additional applications like “ipv6.exe”, “ping6.exe”
and so on are installed to %SYSTEMROOT%\system32. You should now
have an entry “Microsoft IPv6 Protocol” in the properties of your “Local
Area Connection”.
By default, each interface has an automatically distributed link-local
address. For a quick verification simply use the console-based command
ipv6 if
listing your IPv6 interfaces and their automatically assigned addresses. In
the output produced by this command you should see several interfaces
labelled with “Loopback Pseudo-Interface”, “Tunnel Pseudo-Interface”,
“6-over-4 Virtual Interface” and “Local Area Connection”. The first
interface is for loopbacks only, the second interface is used for configured
tunneling, automatic tunneling and 6to4 tunneling. “6-over-4” [6] is an
automatic tunneling technology used to provide IPv6 connectivity between
IPv6 sites and hosts across the IPv4 Internet. 6-to-4 traffic is encapsulated
by 6-to-4 routers in an IPv4 header and sent to the destination. The last
interface in the list is the one that is most interesting because the “Local Area
Connection” is the one we are going to configure later on. Please note that
the order of the interfaces and the numbering can vary.

5.1.2.2 Windows XP and 2003 Server [7]

Installing IPv6 on Windows XP with Service Pack 1 or Service Pack 2 and
on 2003 Server is a bit easier because you can leave out the part where you
have to download the hotfix for your operating system. The software
needed for IPv6 support is already installed but has to be activated in the
properties of your “Local Area Connection” exactly as you did with Windows
2000. Just select “Install” and choose to add a “Network Protocol”
(please see the section above).
If you are more into command-line configuring you could type the following
command instead:
netsh interface ipv6 install
The installation of the IPv6 protocol on a PC using Windows XP without
any service pack can only be done by typing the following command on the
command line:
ipv6 install
You might remember the command “ipv6” from the section about Windows
2000 above, where I used it to list my interfaces. “ipv6” is used only
by Windows 2000 and Windows XP SP1 whereas newer versions include
the interactive “netsh” command replacing “ipv6”. Note that after the
installation of IPv6 via “ipv6 install” on a Windows XP PC without Service
Pack no entry in the properties of the “Local Area Connection” for the IPv6
protocol will be generated. You can only verify the success of the installation
by typing “ipv6 if” and checking whether it has configured your interfaces.
Windows XP’s version of the IPv6 implementation is seen as a developer
preview, while XP Service Pack 1 and 2’s version of IPv6 is a
production-capable and supported protocol. All versions of XP support
file and print sharing and the following programs: ipv6.exe, ping6.exe and
tracert6.exe.
Note: These programs are not supplied by Windows 2003. Their functionality
is supplied by the following substitute programs (which are
recommended to be used with Windows XP SP 1 and SP 2 as well):
ipv6 substituted by netsh
ping6 substituted by ping
tracert6 substituted by tracert

An additional feature of Windows XP SP 2 and Windows 2003 Server compared
to Windows XP and Windows XP SP 1 is the support for Teredo and
a new Windows Firewall.

5.2 Testing primary connectivity [8]

5.2.1 Debian Linux

Testing primary connectivity starts with checking which IP addresses are
assigned to which interface. In order to display the IPv6 addresses you
could either read the output of
ifconfig
or, if you want to narrow it down to the IPv6-only parts, simply use the
“ip” command.
ip -6 address show
This is the command to display the interfaces available and the addresses
that have been assigned to them automatically. (If you don’t have the ip
command installed yet, go for “apt-get install iproute”.)
1: lo: <LOOPBACK,UP> mtu 16436
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qlen 1000
inet6 fec0::1:250:fcff:fe60:d6d6/64 scope site dynamic
valid_lft 2591986sec preferred_lft 604786sec
inet6 fe80::250:fcff:fe60:d6d6/64 scope link
valid_lft forever preferred_lft forever

You can see that your lo interface is configured to the IP address ::1,
being the IPv6 equivalent of 127.0.0.1. Then the “real” interfaces are
listed. In this case it’s only one, eth0, having two IPv6 addresses. The
first one, fec0::1:250:fcff:fe60:d6d6, has scope site and the second one,
fe80::250:fcff:fe60:d6d6, has scope link. This refers to the different kinds
of addresses as described in the last chapter. Each IPv6 enabled interface
can have several kinds of addresses; a link local address is assigned
automatically and is derived from the MAC address. Therefore it is unique and
assures simple connectivity. The link local address shall ease configuration
issues of PCs freshly added to the network and serves only communication
issues like “anyone else here on this link?” and “is there some special
device? (like a router, etc.)”. A packet with a link local address as destination
will not pass a router. If you don’t have the second kind of address,
the site local address, in your initial configuration: Don’t panic! It is
comparable to the private address space we know from good old IPv4 times
and can be assigned if needed (see my IPv6 radvd configuration below).
There is a discussion about deprecating this kind of address. The fact
that it will sometimes be useful for testing purposes and that you can
assign an additional global address anyway is enough reason to set one. In
this example no global address has been assigned.
For testing simple connectivity you need nothing more than two PCs with
an enabled IPv6 module. The first thing to try is to display configured
IPv6 neighbours.
marge: # ip -6 neigh show
fe80::250:4ff:fe68:ce8 dev eth0 lladdr 00:50:04:68:0c:e8 router nud stale
One PC is found using device eth0 with address fe80::250:4ff:fe68:ce8
(bart.sylvia.test) having link layer address 00:50:04:68:0c:e8 and being the
router to this subnet. The ip neighbour command displays the bindings
between protocol addresses and link layer addresses stored in a table; the
IPv4 neighbour table is also known as the ARP table. “nud” is an abbreviation
for Neighbour Unreachability Detection and tells you the state of the
neighbour entry. “stale” stands for “valid but suspicious” (read the ip
man page for details). Other commands that might be useful in this context
are ip neighbour [delete | add | flush ] to delete or add an entry or
to flush all entries.
If you had output from the command discussed above, you can be sure
you got some connectivity to at least one other host on this network. If
CHAPTER 5. MIGRATION TO IPV6 142

this didn’t work either the correspondent PC on the network has not been
configured correctly or you are in some trouble on your local machine. A
good thing to try is to ping home with
ping6 ::1
to see if the protocol works on the interface. Please note that there is a
extra command “ping6” for pinging IPv6 enabled interfaces on Linux.
Now we can move on to pinging another host’s link local address.
marge: # ping6 fe80::250:4ff:fe68:ce8 -I eth0
PING fe80::250:4ff:fe68:ce8(fe80::250:4ff:fe68:ce8) from fe80::200:21ff:fe00:5b8e eth0: 56 data bytes
64 bytes from fe80::250:4ff:fe68:ce8: icmp_seq=1 ttl=64 time=0.250 ms
...
64 bytes from fe80::250:4ff:fe68:ce8: icmp_seq=8 ttl=64 time=0.173 ms
-- fe80::250:4ff:fe68:ce8 ping statistics --
8 packets transmitted, 8 received, 0
rtt min/avg/max/mdev = 0.166/0.180/0.250/0.028 ms
pings the specified link local address. The option "-I" is needed for pinging IPv6 link local addresses and specifies the source interface to use: a link local address is only unique on its own link, so the kernel cannot tell from the address alone which interface to send on.
Note: Forgetting this additional option will prompt the error "connect: Invalid argument". If you are using the "ping" command rather than "ping6" you will get the error message "ping: unknown host fe80::250:4ff:fe68:ce8".
Note: If you ever wondered which settings control autoconfiguration with IPv6:
cat /proc/sys/net/ipv6/conf/eth0/accept_ra
Set to "1" this option allows the PC to accept Router Advertisements (on Linux only as long as forwarding is disabled on that host).
cat /proc/sys/net/ipv6/conf/eth0/autoconf
Set to "1" this option tells the PC to form addresses from the prefixes carried in Router Advertisements. The link local address is created independently of these two settings.


5.2.2 Windows [9]

As mentioned above you have, depending on the Windows version you use, several possibilities for displaying your IPv6 addresses. Similar to the Linux part you can also display them with the old-fashioned command for it:
ipconfig /all
The specialized command for this on Windows XP SP2 or higher [10] is shown in Figure 5.1.

Figure 5.1: netsh interface ipv6 show address

On Windows XP SP1 or lower:
C:\> ipv6 if
Interface 4 (site 1): LAN-Verbindung
  uses Neighbor Discovery
  link-level address: 00-00-21-00-5b-bc
  preferred address fec0::1:200:21ff:fe00:5bbc, 2591997s/604797s (addrconf)
  preferred address fe80::200:21ff:fe00:5bbc, infinite/infinite
  multicast address ff02::1, 1 refs, not reportable
  multicast address ff02::1:ff00:5bbc, 2 refs, last reporter
  link MTU 1500 (true link MTU 1500)
  current hop limit 64
  reachable time 29000ms (base 30000ms)
  retransmission interval 1000ms
  DAD transmits 1
Interface 3 (site 1): 6-over-4 Virtual Interface
...
You can see above that each interface on your PC, the virtual ones included, has an interface number or "scope ID". These numbers (in our example the scope ID of LAN-Verbindung would be "4" in both cases) are important for pinging link local IP addresses. As we have seen with Linux you need to define which source interface to use for pinging, and on Windows computers you do this by giving the scope.
To be consistent with the Linux part above, let's first check for neighbour entries. This can either be done with ipv6 or, for newer versions, with netsh:
netsh interface ipv6 show neighbors
ipv6 nc
The netsh output looks like Figure 5.2.

Pinging another PC on Windows can always be done with the command "ping6", although on Windows XP SP2 and higher "ping" is sufficient. In both cases the command looks like this:
ping6 fe80::250:4ff:fe68:ce8%4
The appended "%4" defines the scope and therefore the interface to use. If you accidentally forget to add the scope you will get the error "Destination not reachable". The message indicating the wrong command for pinging (if you use ping instead of ping6 on Windows XP SP1 and older) is "Unknown host fe80::250:4ff:fe68:ce8%4."

Figure 5.2: netsh interface ipv6 show neighbors

Firewall: Due to an IPv6 firewall you can experience connectivity troubles in the beginning. For the sake of simplicity I disabled it in my lab. I found two commands on the internet to do so for Windows XP SP2 and higher/2003 (I only used the first command):
netsh interface ipv6 set interface interface=LAN-Verbindung firewall=disabled
netsh firewall set adapter LAN-Verbindung filter=disabled
Privacy: When IPv6 was introduced people complained that it makes monitoring hosts far too easy. Because the interface identifier of an autoconfigured global address is derived from the MAC address and therefore never changes, you could place a sniffer strategically and easily find out things like how long an employee was active that day, or track a host for marketing reasons. To prevent that, RFC 3041 defines privacy extensions: temporary global addresses whose interface identifier is generated pseudo-randomly instead of being taken from the MAC address. These addresses are valid for a few hours to a few days and shall protect your privacy and enhance security. Although this sounds pretty interesting I recommend disabling privacy addresses on Windows PCs to ease the first steps with IPv6. [11] [12]
netsh interface ipv6 set privacy disabled persistent

Windows2k: I have experienced an interesting behaviour when pinging a link local address on a Windows 2000 computer. The ping command didn't work until I used it this way:
ping6 -s <sourceIP>%<scope> <destinationIP>
Now that we are done with the connectivity tests, we can move on to assigning globally reachable addresses.

5.3 Getting reachable globally via IPv6

For being reachable globally we need some global IPv6 addresses, as you might have guessed. There are several ISPs selling IPv6 addresses and address ranges, but not at prices affordable for a poor student. So I decided to look for IPv6 addresses for free and found the IPv6 tunnel broker www.sixxs.net. SixXS (Six Access) is not a company but rather a privately conducted development of software by only three people running SixXS. Their main task is to maintain the POPs provided by several ISPs. As an end user you can request a tunnel at SixXS, allowing you to test IPv6 in a professional manner right now. With an existing RIPE, APNIC, ARIN, LACNIC or AFRINIC handle you can sign up at SixXS and request a tunnel to one of the POPs. Usually the POP is chosen for you for connectivity reasons. If you don't have a handle yet you can get one at e.g. RIPE [13].
For requesting a tunnel you need to provide the IPv4 address of your tunnel endpoint and a reason why you think you should join the IPv6 community. If you don't have a static IPv4 address you can also try out IPv6 with the help of the SixXS heartbeat client. It sends packets to the POP to activate the tunnel with the given dynamic IPv4 address. If there is no heartbeat for 300 seconds the tunnel is disabled, and it is enabled again automatically when the heartbeat resumes. Any configuration change caused by the changed address is thereby done automatically [14].

5.3.1 Installing AICCU

In the network of the Berufsförderungsinstitut Burgenland AICCU was installed on the gateway router in order to avoid NAT-related troubles. This gateway router is running Debian Linux and is not maintained by me, so the network administrators had to download and install the software needed. On the homepage of SixXS you can download a tool called AICCU, short for Automatic IPv6 Connectivity Client Utility, and install it. There is a deb package as well as an apt-get source available [15]. After installing the software you simply need to modify the configuration file /etc/aiccu.conf and you are done. Notice that you need to enable the requested tunnel after approval on the web interface (the approval can even take a few hours). On this web interface you also have graphs showing you latency and packet loss for your tunnel endpoint. First take a look at the configuration details:
# username is your NIC handle
username KS36-6BONE
password foo
ipv4_interface eth1
ipv6_interface sixxs
tunnel_id T1234
verbose true
daemonize true
automatic true
The entry ipv4_interface refers to the interface used on your PC; the ipv6_interface is an interface automatically generated when starting AICCU. The tunnel_id is set according to your approval email and can also be found on the SixXS web site. Since the file contains your SixXS password in clear text, make sure it is readable by root only. Now you can start the tunnel by typing /etc/init.d/aiccu start, which prints your connection details on success. You can also watch the new output of "ifconfig" showing you the new interface sixxs with its details. When using AICCU you don't have to worry about setting IPv6 addresses or routes, everything needed is done by this piece of software. And now, for the moment we have all been waiting for, pinging IPv6 into the internet by pinging the POP's endpoint of the tunnel:
ping6 2001:16d8:ff00:7b::1

and if this worked you can ping any IPv6 enabled address on the whole internet. An all-time classic is kame's homepage at www.kame.net.
You can also run AICCU on other operating systems like Windows, Mac OS, etc. There is even a GUI for configuring Windows-based AICCU installations. Find out more about the different ways of using and configuring AICCU on their homepage [15] [16].
In a paragraph above I mentioned that we tried to avoid NAT-related troubles. There is an approach to overcome this in the Italian network with a software called AYIYA [17].
I want to make a few comments on the rules for tunnels at SixXS. SixXS has established a credit system that starts you with just enough credits (25) to request a tunnel. When this tunnel has been up for one week you have earned enough credits to request another tunnel or a whole /48 subnet. For each tunnel being up for one week you earn 5 credit points. But be careful with your tunnels! If your tunnel is down for one day it costs you 5 credits, and if it is even down for a whole week it will cost you 50 credits and the tunnel will be disabled automatically (you can enable it on the web interface again). SixXS will send you an automated email when one of your tunnels is down.

5.3.2 Allocating the addresses

After my tunnel was running I requested a subnet for having global addresses in my lab as well. A day or two later the approval came and 2001:16d8:ff47::/48 was mine. First some decisions concerning the address allocation had to be made. Although I really had enough addresses I didn't want to make the same mistake made with IPv4 and be too generous in distributing addresses. (The reason why it really makes sense to think about this is that the Berufsförderungsinstitut Burgenland wants to use these addresses even when I am no longer working on my thesis. So we decided to adopt an expandable code for the building I was in first.) The building number I am working in was chosen as 1203, subnetting my address space to 2001:16d8:ff47:1203::/64 and still leaving 64 bits for the addressing of the computers in one building. As you will remember, my network consists of three networks: the main office, the branch office and the network in between. The main office is addressed 2001:16d8:ff47:1203:2::/80 (formerly 192.168.200.0/24), the branch office 2001:16d8:ff47:1203:3::/80 (formerly 192.168.201.0/24) and the network in between 2001:16d8:ff47:1203:1::/80 (formerly 192.168.150.0/24). The host part of the addresses has been recomputed as hexadecimal numbers. For example bart's 192.168.200.1 became 2001:16d8:ff47:1203:2::1, apu's 192.168.200.33 became 2001:16d8:ff47:1203:2::21 (33 = 0x21), and so on. (Please see the new network plan for details.)

5.3.3 Configuring the global addresses

5.3.3.1 Debian Linux

There are two ways to configure an IPv6 address manually. You could either do it with the "ip" command, which I chose to use, or with "ifconfig".
ip -6 address add <IPaddress>/<prefixlen> dev <deviceUsed>
ip -6 address add 2001:16d8:ff47:1203:2::5 dev eth0
Without a prefix length "ip" defaults to /128. Note that with /128 the kernel installs no connected route for 2001:16d8:ff47:1203:2::/80, so other hosts of the subnet are only reachable through a router; on a host that should talk to its subnet directly, give the prefix length explicitly (here /80). For deleting the address simply exchange the word "add" with "del":
ip -6 address del <IPaddress>/<prefixlen> dev <deviceUsed>
ip -6 address del 2001:16d8:ff47:1203:2::5 dev eth0
You can do the same with
ifconfig eth0 add 2001:16d8:ff47:1203:2::5
ifconfig eth0 del 2001:16d8:ff47:1203:2::5
If you do not specify a prefix length after the IP address, ifconfig defaults to /0. The configured addresses can be seen in both cases with "ip -6 address show" or "ifconfig". Addresses set this way are not persistent: they are gone after a reboot or an ifdown. If you want them to survive, or if you are more into configuring /etc/network/interfaces anyway, add an entry for each IPv6-enabled interface looking like this:
auto eth0
iface eth0 inet6 static
    # for being perfectly safe you can add the following line once
    ## pre-up modprobe ipv6
    address 2001:16d8:ff47:1203:2::5
    netmask 128

5.3.3.2 Microsoft Windows

Windows2k: All configuration done with ipv6 is non-persistent, which means that it is not stored and all configuration is lost after reboot. (There is a documented solution using option "-p" to store configuration added by "ipv6" in the registry but it didn't work for me. [4]) This is one huge reason for me to say that Windows 2000 is not suitable for convenient use with IPv6. I handled this problem by writing a small script that adds the needed configuration after startup. If, after startup, IPv6 is turned off, enable it by typing "net start tcpip6".
With the ipv6.exe in the older versions of Windows you can set an IP address simply with the line
ipv6 adu <ScopeID>/<Address>
ipv6 adu 5/2001:16d8:ff47:1203:2::21
For deleting the address again simply set its lifetime to 0 with:
ipv6 adu <ScopeID>/<Address> life <ValidLifetime>
ipv6 adu 5/2001:16d8:ff47:1203:2::21 life 0
Doing the same using netsh looks like the following:
netsh interface ipv6 add address interface=<InterfaceString> address=<address>
netsh interface ipv6 add address <InterfaceString> <address>
netsh interface ipv6 add address LAN-Verbindung 2001:16d8:ff47:1203:2::22
The InterfaceString is the label you see when typing "netsh interface ipv6 show address". For deleting:
netsh interface ipv6 delete address interface=<InterfaceString> address=<address>
netsh interface ipv6 delete address <InterfaceString> <address>
netsh interface ipv6 delete address LAN-Verbindung 2001:16d8:ff47:1203:2::22

5.3.4 Setting routes manually

Although we will be using radvd for distributing routes automatically, it is always important to know how to set them manually as well. Let's start with Linux again.

5.3.4.1 Debian Linux

Some routes will be set automatically on your system, some you will have to configure. Anything that is done with routes can be done with two different commands, similar to the configuration of the address we discussed before. This time we have "ip", my all-time favorite, and "route", or "netstat" for displaying them.
ip -6 route show
netstat -nr -A inet6
To set and to delete a route you have these possibilities:
ip -6 route add <destinationNetwork> via <nexthopRouter> dev <deviceUsed>
ip -6 route add default via 2001:16d8:ff47:1203:2::1 dev eth0
ip -6 route add 2000::/3 via 2001:16d8:ff47:1203:2::1 dev eth0
ip -6 route del <destinationNetwork> via <nexthopRouter> dev <deviceUsed>
ip -6 route del default via 2001:16d8:ff47:1203:2::1 dev eth0
ip -6 route del 2000::/3 via 2001:16d8:ff47:1203:2::1 dev eth0
route -A inet6 add <destination>/<prefixlen> gw <nexthopRouter> dev <deviceUsed>
route -A inet6 add 2000::/3 gw 2001:16d8:ff47:1203:2::1 dev eth0
route -A inet6 add ::/0 gw 2001:16d8:ff47:1203:2::1 dev eth0
route -A inet6 del <destination>/<prefixlen> gw <nexthopRouter> dev <deviceUsed>
route -A inet6 del 2000::/3 gw 2001:16d8:ff47:1203:2::1 dev eth0
route -A inet6 del ::/0 gw 2001:16d8:ff47:1203:2::1 dev eth0
Above you see examples for both the ip and the route command for adding and deleting entries. In the ip section I used 2000::/3, the prefix that covers the whole global unicast range; it is often used in place of "default" because it circumvents troubles with the term "default" on older Linux systems. In the "route" part another representation of "default" is used: "::/0". Keep in mind that 2000::/3 is not a true default route: destinations outside that range, such as the site local prefix fec0::/10 used later in this chapter, do not match it.
Note: Linux kernels 2.4.17 and older don't support default routes. Instead you need to use "2000::/3". (The IPv6 unicast space encompasses the entire address range except for ff00::/8 - we will come across these addresses again - but the unicast address assignment space is currently limited to 2000::/3, so this is much like "default" on IPv4.) [18]

5.3.4.2 Microsoft Windows

As you surely will remember we have the distinction between older and newer than Windows XP SP1. To display the routing table use, for the older and for the newer generation respectively:
ipv6 rt
netsh interface ipv6 show routes
To add a new default route with the older ipv6 tool use:
ipv6 rtu <destinationNetwork> <scopeID>/<nexthopRouter>
ipv6 rtu ::/0 4/2001:16d8:ff47:1203:1::5
For deleting it again set the lifetime to "0".
ipv6 rtu <destinationNetwork> <scopeID>/<nexthopRouter> life <lifetime>
ipv6 rtu ::/0 4/2001:16d8:ff47:1203:1::5 life 0
The netsh way of handling this is with the commands
netsh interface ipv6 add route <destinationNetwork> <interfaceUsed> <nexthopRouter>
netsh interface ipv6 add route ::/0 Lan-Verbindung 2001:16d8:ff47:1203:2::1
netsh interface ipv6 delete route <destinationNetwork> <interfaceUsed> <nexthopRouter>
netsh interface ipv6 delete route ::/0 Lan-Verbindung 2001:16d8:ff47:1203:2::1
Note: I will not go into detail on how to configure each host because we will take advantage of the autoconfiguration of routes provided by radvd.

5.3.5 Testing connectivity with traceroute

Traceroute is a very useful utility for checking which way a packet takes over the internet in order to reach its destination. The output is a list of all hops passed until the target is reached. This is done by setting the hop limit (the IPv6 counterpart of the IPv4 TTL, time to live) of the packets sent. The first packet has a hop limit of one, the second of two, and so on. Every router on the way decrements the hop limit by one; the router that decrements it to zero discards the packet and sends an "ICMP Time exceeded" error back to the sender. From the source addresses of these returned ICMP errors you can build the list needed: a table of all routers passed by a packet. Bear in mind that a router or firewall that drops the probes or rate-limits its ICMP errors shows up as "* * *", which is not the same as a broken path.
For the use of traceroute with Linux you need the package iputils installed. You can either download the sources via anonymous ftp [19] or use "apt-get install iputils-tracepath".
traceroute6 www.kame.net
For tracerouting an address with Windows you can use either
tracert www.kame.net
tracert6 www.kame.net
When using tracert and the host you are tracing is reachable via both IP versions, IPv6 is chosen over IPv4.
Hosts you can try to ping/traceroute:
www.kame.net (IPv4/IPv6)
www.ipv6.uni-muenster.de (IPv6)
www.join.uni-muenster.de (IPv4/IPv6)

5.4 More routing issues

In the last section I wrote about the basic configuration of addresses and routes on IPv6 enabled hosts; now I want to talk in more detail about what had to be done in my network. Let's get our hands on the configuration. In order to have IPv6 reachable hosts on all subnets we need to configure the three routers.
The router in the network called "GesAK" is the one with the configured SixXS tunnel endpoint and therefore supplies IPv6 connectivity. All IPv6 traffic must be routed through this host to reach the tunnel. Keep that in mind when configuring the default routes on the gateway routers of our network, i.e. bart and snowball. But let's do it step by step.

Figure 5.3: Network Overview with IPv4 and IPv6 addressing

Assuring IPv6 connectivity to 2001:16d8:ff47:1203:1::5 (192.168.150.5)

On this host AICCU has been installed (please see the section above) and therefore you might not need to change any routing entries. Be sure that there is a default route set for the IPv6 traffic via the tunnel endpoint (2001:16d8:ff00:7b::1) using the "sixxs" device. If you experience troubles connecting to the IPv6 net and your kernel version is not absolutely up to date (<= 2.4.17) you can add another entry targeting "2000::/3" and hope it helps. (You will see that I often preferred 2000::/3 over the term default. In most cases it is only a relic from a time when there was an older kernel on the PCs. Anyway, as long as both ways work it doesn't matter which to use.) The routes you should have by now are:
2001:16d8:ff00:7b::/64 via :: dev sixxs metric 256 mtu 1200 advmss 1220
2001:16d8:ff47:1203:1::/80 dev eth1 metric 256 mtu 1500 advmss 1440
fe80::/64 dev eth0 metric 256 mtu 1500 advmss 1220
fe80::/64 dev eth1 metric 256 mtu 1500 advmss 1220
fe80::/64 via :: dev sixxs metric 256 mtu 1280 advmss 1220
default via 2001:16d8:ff00:7b::1 dev sixxs metric 1024 mtu 1280 advmss 1220
2000::/3 via 2001:16d8:ff00:7b::1 dev sixxs metric 1024 mtu 1280 advmss 1220
ff00::/8 dev eth0 metric 256 mtu 1500 advmss 1220
ff00::/8 dev eth1 metric 256 mtu 1500 advmss 1220
ff00::/8 dev sixxs metric 256 mtu 1280 advmss 1220
All these routes have been generated automatically except for the entry targeting 2000::/3. It can be added with the following command and is, as already discussed, another way of writing a default route:
ip -6 route add 2000::/3 via 2001:16d8:ff00:7b::1 dev sixxs
The first route in the routing table is generated by AICCU and makes the tunnel network reachable via the virtual interface "sixxs". The second route does the same for the network 2001:16d8:ff47:1203:1::/80 via eth1. Routes three to five, destined at fe80::/64, are for link level communication. In order to allow e.g. link local based ICMP pings or neighbour discovery there needs to be such a route on each interface. As you might have guessed this imposes a problem when sending a packet to a link local address: the routing table cannot tell which of these routes to use. Therefore you always have to specify which interface to use when operating on link local level (please see the section "Testing primary connectivity"). I talked about routing entries number six and seven before, for they are both default routes to the IPv6 network. The one using the term "default" is added automatically by AICCU. The last three routes are multicast routes.
Don't forget to ping6 some IPv6 nodes.

Getting bart IPv6-reachable

The first step for bart is to set his default route to our IPv6 gateway. This is done with
ip -6 route add 2000::/3 via 2001:16d8:ff47:1203:1::5 dev eth1
Then your routing table should look something like this:
2001:16d8:ff47:1203:1::/80 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 64
2001:16d8:ff47:1203:2::/80 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 64
2000::/3 via 2001:16d8:ff47:1203:1::5 dev eth1 metric 1024 mtu 1500 advmss 1440 hoplimit 64
fe80::/64 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 64
fe80::/64 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 64
ff00::/8 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 1
ff00::/8 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 1
unreachable default dev lo proto none metric -1 error -101 hoplimit 255
Again, the first two routes refer to the networks directly connected, the third one was just added by me, the fe80::/64 routes are for link local and the ff00::/8 routes for multicast connectivity. The last entry is the kernel's catch-all: anything that matches no other route (with this table, everything outside 2000::/3) is rejected as unreachable. This configuration of the routing table is sufficient to reach the IPv6 gateway but will not, believe me or just try it, result in successful pinging. Of course we have to enable IP forwarding on the IPv6 gateway first. Check whether it is enabled with "cat" and set it with "echo".
(on host: 2001:16d8:ff47:1203:1::5 - GesAK)
cat /proc/sys/net/ipv6/conf/all/forwarding
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
Now you can ping6 a host residing on the internet from router bart.

Doing the same for snowball

The only thing you have to manually add, as seen above, is the default route targeted at 2001:16d8:ff47:1203:1::5. On snowball the network 2001:16d8:ff47:1203:1::/80 is on eth0, so the next hop is reached via eth0:
2001:16d8:ff47:1203:1::/80 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 64
2001:16d8:ff47:1203:3::/80 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 64
2000::/3 via 2001:16d8:ff47:1203:1::5 dev eth0 metric 1024 mtu 1500 advmss 1440 hoplimit 64
fe80::/64 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 64
fe80::/64 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 64
ff00::/8 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 1
ff00::/8 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 1
unreachable default dev lo proto none metric -1 error -101 hoplimit 255


Configurations to make the main office obtain IPv6 reachability

Bart's configuration is nearly done except for the IP forwarding. Bart is a gateway router to the main office network and therefore has to forward packets destined at IPv6 global addresses.
(host: 2001:16d8:ff47:1203:1::6 - bart)
cat /proc/sys/net/ipv6/conf/all/forwarding
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
Echoing "1" enables IP forwarding, "0" disables it. But still any ping from a host behind bart won't be successful. The problem still left: although the packets reach their destination, the replies arrive at the router 2001:16d8:ff47:1203:1::5, which has no route for the main office network and therefore sends them along its own default route, back into the tunnel, instead of to bart. After adding the return route for network 2001:16d8:ff47:1203:2::/80 on server 2001:16d8:ff47:1203:1::5 the ping works for all clients on the main office subnet.
(host: 2001:16d8:ff47:1203:1::5 - GesAK)
ip -6 route add 2001:16d8:ff47:1203:2::/80 via 2001:16d8:ff47:1203:1::6
The kernel takes the outgoing interface from its route to the next hop (eth1 on this host, see its routing table above); if you add "dev" explicitly it has to be that interface.
Note: Don't forget to set the client's default route to the router of the subnet (i.e. bart) before testing connectivity.

And now for the branch office

Similar to the part above we simply have to enable IP forwarding and set an appropriate route back to the network 2001:16d8:ff47:1203:3::/80 on host 2001:16d8:ff47:1203:1::5, the gateway router for the network GesAK.
(host: 2001:16d8:ff47:1203:1::7 - snowball)
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
(host: 2001:16d8:ff47:1203:1::5 - GesAK)
ip -6 route add 2001:16d8:ff47:1203:3::/80 via 2001:16d8:ff47:1203:1::7
Now that I have configured the routers there is still one thing left: the routes of the clients. Every client needs a default route to the gateway router of its subnet in order to reach the IPv6 network. This could be done manually, which can really take some time in big networks, or by using automated solutions like radvd.
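The missing-return-route problem of this section can be reproduced offline by replaying the routing tables through a longest-prefix lookup. The following Python is an added example and not part of the thesis: it parses `ip -6 route show` output, picks the route the kernel would pick (longest matching prefix, then lowest metric) and checks the tunnel router for the three things this section needs, forwarding on, a default (::/0 or 2000::/3) route via the tunnel, and a return route for each office via the router in front of it. `GESAK_BEFORE` is GesAK's table from above with one route per line; the two `RETURN_ROUTES` lines are what the `ip -6 route add` commands of this section produce, with `dev eth1` taken from GesAK's connected route for 2001:16d8:ff47:1203:1::/80. The `OFFICES` map and the `forwarding` flag are passed in instead of being read from /proc so that the check runs anywhere.

```python
"""Longest-prefix lookup over `ip -6 route show` output and a check of the
tunnel router. Added example, not part of the thesis; standard library only."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT = ipaddress.IPv6Network("::/0")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")

# One line of `ip -6 route show`; a leading word marks a reject route.
ROUTE_RE = re.compile(
    r"^(?:(?P<type>unreachable|prohibit|blackhole)\s+)?(?P<dst>\S+)"
    r"(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)(?P<rest>.*)$"
)


@dataclass
class Route:
    dst: ipaddress.IPv6Network
    via: Optional[ipaddress.IPv6Address]  # None for connected (on-link) routes
    dev: str
    metric: int
    rtype: str  # "unicast", "unreachable", "prohibit" or "blackhole"


def parse_routes(output: str) -> List[Route]:
    routes = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROUTE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised route line: {line!r}")
        dst = DEFAULT if m["dst"] == "default" else ipaddress.IPv6Network(m["dst"], strict=False)
        # "via ::" on the tunnel interface is not a real next hop
        via = None if m["via"] in (None, "::") else ipaddress.IPv6Address(m["via"])
        mm = re.search(r"\bmetric\s+(-?\d+)", m["rest"])
        metric = int(mm.group(1)) if mm else 0
        if metric < 0:  # the kernel's catch-all "unreachable default" prints -1 for 0xffffffff
            metric = 0xFFFFFFFF
        routes.append(Route(dst, via, m["dev"], metric, m["type"] or "unicast"))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """The route the kernel picks: longest matching prefix, then lowest metric."""
    addr = ipaddress.IPv6Address(destination)
    matching = [r for r in routes if addr in r.dst]
    return min(matching, key=lambda r: (-r.dst.prefixlen, r.metric)) if matching else None


def check_tunnel_router(routes: List[Route], offices: Dict[str, str],
                        tunnel_dev: str, forwarding: bool) -> List[str]:
    """What the tunnel router needs to serve the offices: forwarding on, a default
    route via the tunnel, and per office prefix a return route via its router."""
    problems = []
    if not forwarding:
        problems.append("forwarding is 0: replies for the offices are not forwarded")
    if not any(r.rtype == "unicast" and r.via is not None and r.dev == tunnel_dev
               and r.dst in (DEFAULT, GLOBAL_UNICAST) for r in routes):
        problems.append(f"no default (::/0 or 2000::/3) route via {tunnel_dev}")
    for prefix, router in offices.items():
        net, hop = ipaddress.IPv6Network(prefix), ipaddress.IPv6Address(router)
        chosen = lookup(routes, str(net[1]))  # any host inside the office network
        if chosen is None or chosen.via != hop:
            path = "no route" if chosen is None else f"{chosen.dst} via {chosen.via} dev {chosen.dev}"
            problems.append(f"replies for {net} follow {path} instead of {hop}")
    return problems


# GesAK's table from this section, one route per line, before the return routes.
GESAK_BEFORE = """\
2001:16d8:ff00:7b::/64 via :: dev sixxs metric 256 mtu 1200 advmss 1220
2001:16d8:ff47:1203:1::/80 dev eth1 metric 256 mtu 1500 advmss 1440
fe80::/64 dev eth0 metric 256 mtu 1500 advmss 1220
fe80::/64 dev eth1 metric 256 mtu 1500 advmss 1220
fe80::/64 via :: dev sixxs metric 256 mtu 1280 advmss 1220
default via 2001:16d8:ff00:7b::1 dev sixxs metric 1024 mtu 1280 advmss 1220
2000::/3 via 2001:16d8:ff00:7b::1 dev sixxs metric 1024 mtu 1280 advmss 1220
ff00::/8 dev eth0 metric 256 mtu 1500 advmss 1220
ff00::/8 dev eth1 metric 256 mtu 1500 advmss 1220
ff00::/8 dev sixxs metric 256 mtu 1280 advmss 1220
"""
# What the two `ip -6 route add ... via ...` commands of this section produce.
RETURN_ROUTES = """\
2001:16d8:ff47:1203:2::/80 via 2001:16d8:ff47:1203:1::6 dev eth1 metric 1024
2001:16d8:ff47:1203:3::/80 via 2001:16d8:ff47:1203:1::7 dev eth1 metric 1024
"""
OFFICES = {"2001:16d8:ff47:1203:2::/80": "2001:16d8:ff47:1203:1::6",   # main office, bart
           "2001:16d8:ff47:1203:3::/80": "2001:16d8:ff47:1203:1::7"}   # branch office, snowball

if __name__ == "__main__":
    before = parse_routes(GESAK_BEFORE)
    after = parse_routes(GESAK_BEFORE + RETURN_ROUTES)
    print("before:", check_tunnel_router(before, OFFICES, "sixxs", True))
    print("after: ", check_tunnel_router(after, OFFICES, "sixxs", True))
```

Before the return routes are added, `lookup` resolves any main office address to the 2000::/3 route out of `sixxs`, which is exactly why the replies vanished into the tunnel; afterwards it resolves to bart. Run against a table that only has the 2000::/3 entry, `lookup` returns None for a site local destination such as fec0:0:0:1::1, which is the difference between 2000::/3 and a real default route.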

5.5 Networking basics

5.5.1 advertising routes with radvd [20] [21] [22] [23]

Automatically configuring hosts that have just come up is one big reason to use IPv6 over IPv4. Instead of manually configuring IP address and routes on each host new to your network you now have the possibility to let them configure themselves. The only host the administrator still has to configure is the router, with a program running on it that answers autoconfiguration requests. radvd, the Router ADVertisement Daemon, is such a program, running on BSD and Linux, listening to Router Solicitations (RS) and sending Router Advertisements (RA). When a new host comes up it sends a multicast Router Solicitation and, when there is a correctly configured router running radvd on the subnet, it receives a Router Advertisement. Besides the requested Router Advertisements, unsolicited ones are also sent in between. The information sent includes address prefixes, the MTU of the link and details about the default routers. Keep in mind that nothing in this exchange is authenticated: a host trusts any Router Advertisement it receives on the link, so a misconfigured or malicious host sending its own advertisements can make itself the default router for the whole subnet. Filtering router advertisements on the access ports of the switch and watching the link for unexpected advertisements (radvdump, see the troubleshooting note below) are the usual countermeasures.
I installed radvd with "apt-get install radvd". There is a verbose and a very simple radvd.conf example file that come with the installation. I chose to copy the simple one to my /etc.
cp /usr/share/doc/radvd/examples/simple-radvd.conf /etc/radvd.conf
If you want to force e.g. a Windows XP PC to renew its settings obtained by router advertisements you can do this with:
netsh interface ipv6 renew interface="Lan-Verbindung"
It is supposed to also work with "ipv6 renew <scopeID>" but it didn't work for me. On Linux based systems simply restart the interface with "ifup --force eth0". But now let's take a closer look at how to configure radvd.
A very simple radvd.conf could look like this:
interface eth0 {
    AdvSendAdvert on;
    prefix 2001:16d8:ff47:1203:2::/80
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};

The first option in the eth0 part, "AdvSendAdvert on;", in fact turns radvd on; it specifies whether it should periodically send router advertisements and listen to router solicitations. It no longer needs to be the first option written in radvd.conf, but it needs to be set to on (default: off). The line "prefix 2001:16d8:ff47:1203:2::/80" defines the prefix to distribute. Options to this prefix are AdvOnLink and AdvAutonomous, both set to "on". AdvOnLink on tells the receiving host that packets to addresses with the distributed prefix can be sent directly on the interface the router advertisement was received on (default: on). AdvAutonomous set to on means that the distributed prefix can be used to automatically configure an IPv6 address composed of the prefix and an interface identifier (token) derived from the MAC address (default: on). In this context let's take a closer look at the prefix length, which is tied to the network media used and the length of its interface token. Although an Ethernet hardware address is 48 bits long, IPv6 over Ethernet (RFC 2464) uses a 64-bit token, the modified EUI-64: the MAC address is split in the middle, ff:fe is inserted and the universal/local bit of the first octet is flipped. The Windows output in section 5.2.2 shows exactly that: the MAC 00-00-21-00-5b-bc became the token 200:21ff:fe00:5bbc, and the site local address fec0::1:200:21ff:fe00:5bbc listed there is fec0:0:0:1::/64 followed by this token. Consequently the maximum prefix length for stateless autoconfiguration on Ethernet is 64, not 80; Linux ignores a prefix that does not add up to 128 with its 64-bit token. The 80-bit prefixes of the address plan in section 5.3.2 therefore work with manually or DHCPv6 assigned addresses, which is how the configuration further down uses them, but not with AdvAutonomous.
Note: It is vital that the prefix length plus interface token length sums to 128. Otherwise the prefix is ignored and no address is set. [24]
Example of an automatically configured address, taken from [21], which illustrates the arithmetic with a 48-bit token and an 80-bit prefix:
Announced prefix    5f15:9100:c2dd:1400:8000:0000:0000:0000
Link-layer token    0800:0040:1726
Configured address  5f15:9100:c2dd:1400:8000:0800:0040:1726
Additionally, the source address of the router advertisement (by definition a link local address) can be used to configure the default route.
Note: radvd will not start unless IP forwarding is enabled (or if debugging is enabled) [25].
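To see the token arithmetic concretely, and to put the `ip -6 neigh show` output from the connectivity tests earlier in this chapter to use, here is an added Python example that is not part of the thesis: it derives the modified EUI-64 identifier from a MAC address, forms the address a host autoconfigures from a /64 prefix, rejects prefixes whose length plus the 64-bit token is not 128, and audits neighbour table output by checking that the identifier of each link local entry really belongs to the link layer address it is bound to. The first sample line is the bart entry from the Linux connectivity test; the remaining lines are constructed, including one that claims bart's link local address with a different (made up) MAC 00:11:22:33:44:55 on eth1.

```python
"""Modified EUI-64 identifiers, SLAAC address formation and an audit of
`ip -6 neigh show` output. Added example, not from the thesis; standard library only."""
import ipaddress
import re
from typing import List

TOKEN_BITS = 64  # RFC 2464: IPv6 over Ethernet uses a 64-bit interface identifier


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 identifier of a 48-bit MAC (RFC 4291, appendix A): insert
    ff:fe in the middle and flip the universal/local bit of the first octet.
    Accepts 00:50:04:68:0c:e8 as well as the Windows form 00-50-04-68-0c-e8."""
    octets = [int(x, 16) for x in re.split(r"[:-]", mac.strip())]
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets[0] ^= 0x02
    return int.from_bytes(bytes(octets[:3] + [0xFF, 0xFE] + octets[3:]), "big")


def prefix_autoconfigures(prefix: str) -> bool:
    """RFC 2462 rule: a prefix is only used if its length plus the token length is 128."""
    return ipaddress.IPv6Network(prefix, strict=False).prefixlen + TOKEN_BITS == 128


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms from an advertised prefix and its MAC."""
    if not prefix_autoconfigures(prefix):
        raise ValueError(f"{prefix}: prefix length + {TOKEN_BITS}-bit token != 128, prefix ignored")
    net = ipaddress.IPv6Network(prefix, strict=False)
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


# One line of `ip -6 neigh show`, old ("router nud stale") and new ("router STALE") style.
NEIGH_RE = re.compile(
    r"^(?P<addr>\S+)\s+dev\s+(?P<dev>\S+)(?:\s+lladdr\s+(?P<lladdr>\S+))?"
    r"(?P<router>\s+router)?(?:\s+nud)?\s+(?P<state>\w+)\s*$"
)


def parse_neighbours(output: str) -> List[dict]:
    entries = []
    for line in output.splitlines():
        if not line.strip():
            continue
        m = NEIGH_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised neighbour line: {line!r}")
        entries.append({"addr": ipaddress.IPv6Address(m["addr"]), "dev": m["dev"],
                        "lladdr": m["lladdr"], "router": m["router"] is not None,
                        "state": m["state"].lower()})
    return entries


def audit_neighbours(entries: List[dict]) -> List[str]:
    """Flag entries that never resolved and link local entries whose identifier
    is not the EUI-64 of the MAC they are bound to."""
    findings = []
    for e in entries:
        if e["state"] == "failed":
            findings.append(f"{e['addr']} on {e['dev']}: FAILED, no link-layer address resolved")
        elif e["lladdr"] and e["addr"].is_link_local:
            if int(e["addr"]) & ((1 << 64) - 1) != eui64_interface_id(e["lladdr"]):
                findings.append(f"{e['addr']} on {e['dev']}: identifier does not belong to "
                                f"lladdr {e['lladdr']}" + (" (router!)" if e["router"] else ""))
    return findings


# Constructed sample: line 1 is bart's entry from the connectivity test, line 3
# claims bart's link local address with a made-up MAC on eth1.
SAMPLE_NEIGH = """\
fe80::250:4ff:fe68:ce8 dev eth0 lladdr 00:50:04:68:0c:e8 router nud stale
fe80::200:21ff:fe00:5bbc dev eth0 lladdr 00:00:21:00:5b:bc REACHABLE
fe80::250:4ff:fe68:ce8 dev eth1 lladdr 00:11:22:33:44:55 router REACHABLE
2001:16d8:ff47:1203:2::9 dev eth0 FAILED
"""

if __name__ == "__main__":
    print(slaac_address("fe80::/64", "00-00-21-00-5b-bc"))   # fe80::200:21ff:fe00:5bbc
    for finding in audit_neighbours(parse_neighbours(SAMPLE_NEIGH)):
        print(finding)
```

A mismatch is not proof of an attack: a manually assigned or a privacy address fails the check as well. But on a subnet where link local addresses come from autoconfiguration, an entry that carries another node's identifier, especially one with the router flag, deserves a look, because that is what neighbour cache poisoning looks like from the victim's side.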
My own /etc/radvd.conf looks a little bit different, for I didn't want to distribute global addresses derived from MAC addresses, since I wanted to use DHCPv6:
interface eth0
{
    AdvSendAdvert on;
    MaxRtrAdvInterval 100;
    MinRtrAdvInterval 35;
    AdvManagedFlag on;
    prefix 2001:16d8:ff47:1203:2::/80
    {
        AdvPreferredLifetime 500;
        AdvValidLifetime 700;
        AdvAutonomous off;
    };
    # for site local addresses, added by me!
    prefix fec0:0:0:1::/80
    {
    };
};

In this configuration I set eth0 as the interface listening to router solicitations and sending router advertisements. In my config file I first enabled router advertisements and then set MaxRtrAdvInterval and MinRtrAdvInterval, which bound the time between two unsolicited router advertisements: after an advertisement is sent, a random delay between these two values is drawn to determine when the next one goes out. AdvManagedFlag set to "on" indicates the use of the administered (stateful) protocol for address autoconfiguration. In this case there is a server keeping track of the addresses used and therefore guaranteeing their uniqueness. You can find further information on this topic in RFC 2462 [26] and in the documentation of DHCPv6.
Next the prefix is set with a preferred and a valid lifetime. The times are given in seconds. radvd's defaults are 604800 seconds (7 days) for the preferred lifetime and 2592000 seconds (30 days), not infinite, for the valid lifetime; this is exactly what the Windows output in section 5.2.2 shows for the site local address (2591997s/604797s remaining). In my config I chose to disable AdvAutonomous. I did this because I wanted to distribute more "readable" addresses and for administrative reasons (later I will install a DHCPv6 server to distribute the addresses).
Besides supplying the prefix for global addresses I also send a prefix for site local addresses. With AdvAutonomous defaulting to on I don't have to add anything else to the config of the site local addresses.
Troubleshooting: When using radvd I would recommend you to install radvdump, a program pretty similar to a sniffer, printing out the contents of router advertisements. One big advantage is that the values that are set by default are also displayed. It also shows advertisements from routers you did not configure, which is how you notice a rogue router on the link.
Note: radvd is configured and used on bart.sylvia.test for serving the network 2001:16d8:ff47:1203:2::/80 and on snowball.sylvia.test for the network 2001:16d8:ff47:1203:3::/80.
Note: Although mentioned before: radvd does not propagate information to itself, and a Linux host with forwarding enabled ignores router advertisements anyway. Every configuration you want to have on your host running radvd has to be done manually (global and site local IP addresses, routes, etc.).

5.5.2 DHCPv6 using dibbler [27]

As mentioned in the section about radvd, I did not distribute my global IPv6 addresses with radvd. The reason: I have no chance to get any addresses other than those made up of the network prefix and the appended MAC address. In good old IPv4 manner I want to stick to my address scheme (low numbers for servers, high numbers for clients), which will e.g. ease the configuration of a firewall.
When searching for a DHCPv6 server I did not come across many alternatives. I found dhcpv6 on sourceforge, which was not very appealing to me because it lacked documentation, dhcpv6d, which was only for HP-UX, and dibbler, with clients running on Windows and Linux. It didn't take me long to go for the dibbler solution, especially because it came with a nice manual. After downloading and installing the .deb package you have an /etc/dibbler directory containing client.conf, server.conf and relay.conf, the config files for all three types of service. To run each of the services type the appropriate
dibbler-client start
dibbler-server start
dibbler-relay start
"start" starts a daemon of the selected service running in the background, detached from the console. If you are using dibbler for the first time you might want to see the messages posted directly in the console. If so, simply exchange "start" with "run" (e.g.: "dibbler-server run"). For stopping, you might have guessed, use "stop", and if you want to see the status of dibbler append "status" to the selected service.

Configuring the server

As mentioned above the configuration is found in /etc/dibbler/server.conf.
My dibbler server is installed on marge.sylvia.test, a host residing in
the 2001:16d8:ff47:1203:2::/80 network. The simplest form of server.conf
would be the following:
iface eth0 {
class
{
pool 2001:16d8:ff47:1203:2::/80
}
}

We define which interface to use for distributing the dynamically assigned
addresses and the address pool to take the addresses from. The pool can
also be written as
pool minaddress-maxaddress
and if you need to assign addresses on one interface from pools you cannot
describe in these ways, simply add another class entry holding the next
pool of addresses you want to use. Among its many other options, dibbler
can define white and black lists, i.e. clients you explicitly want to allow
(“accept-only”) or clients you want to ban (“reject-clients”) [28].
But now take a look at my server configuration, for it is prepared for use
with relays. To distribute addresses to 2001:16d8:ff47:1203:3::/80 as
well while running only one dibbler server you need to relay the DHCP
packets. Therefore dibbler relays need to be installed on both gateways,
bart and snowball, but let’s discuss that later on (see the figure at the end
of the chapter for clarity).
log-level 7
log-mode short
iface relay1
{
relay eth0
interface-id 1007
}
iface relay2
{
relay relay1
interface-id 3001
T1 500
T2 700
prefered-lifetime 600
valid-lifetime 800
class
{
pool 2001:16d8:ff47:1203:3::/80
}
}

iface eth0
{
T1 500
T2 700
prefered-lifetime 600
valid-lifetime 800
class
{
pool 2001:16d8:ff47:1203:2::/80
}
option dns-server 2001:16d8:ff47:1203:2::5
option domain sylvia.test
option ntp-server 2001:16d8:ff47:1203:2::1
}

Let’s begin with the part of the configuration we already discussed, “iface
eth0”. There are several new options used in here. “T1” is the time after
which the client is instructed to renew its address with the server that
assigned it (RENEW), “T2” the time after which the client should contact
any server (REBIND). As preferred and valid lifetime are self-explanatory,
I move on to the options section below the class part. With the options you
specify which other information shall be distributed besides the IP address.
In this case I supply DNS server address, domain name and NTP server address.
Now for the part of the configuration concerning the relays. The important
thing is to start thinking at the portion of the network the client resides in,
which is 2001:16d8:ff47:1203:3::/80. The client sends its DHCP
messages to snowball, the gateway and DHCP relay at its site. The message
from the client is encapsulated in a RELAY_FORW message and sent to the
next “hop”. It is vital for the server to know where the relayed message
was originally received; therefore the “interface-id” is sent together with
the encapsulated message. At the next “hop”, that would be bart in my
case, the message is encapsulated again and the “interface-id” of bart is
added. Then the message is sent to the server. Replies from the server are
sent back along the same chain as RELAY_REPL.
iface relay1
{
relay eth0
interface-id 1007
}

The snippet of the config file above tells the server that it can reach
“relay1” via the physical interface eth0 (“relay eth0”) and that its interface-
id is set to 1007. The part for relay2 starts again with the information on
reaching relay2 via relay1 (“relay relay1”), which in fact makes the core
of the relay configuration. The only additional thing you must not forget
is the class part for configuring the address pool that should be used at
the remote network.
Note: Setting log-level to 5 or less can result in strange behavior.
Note: Log-file is located at /var/lib/dibbler/server.log

Configuring the relays

After we made it this far the configuration of the relays is pretty easy. Let’s
start with bart’s /etc/dibbler/relay.conf file.
log-level 8
log-mode short
#connected network: 2001:16d8:ff47:1203:2::/80
iface eth0
{
server multicast yes
}

#connected network: 2001:16d8:ff47:1203:1::/80


iface eth1
{
client unicast 2001:16d8:ff47:1203:1::6
interface-id 1007
}

“server multicast yes” makes eth0 forward DHCP messages to the server with
a multicast destination (remember that all DHCP messages the client sends
during the negotiation of an address go to the link-scoped multicast address
ff02::1:2; a relay forwarding by multicast uses the site-scoped All_DHCP_Servers
address ff05::1:3). On eth1, on the other hand, bart only listens to relayed
packets from snowball destined to 2001:16d8:ff47:1203:1::6. “interface-id”, as
discussed, is an identifier for a particular interface and has to be unique (you
might think of it as a kind of “ethernet segment identifier”).
And at last the configuration of snowball is still left:
log-level 8
log-mode short
#connected network: 2001:16d8:ff47:1203:1::/80
iface eth0
{
server unicast 2001:16d8:ff47:1203:1::6
}

#connected network: 2001:16d8:ff47:1203:3::/80
iface eth1
{
client multicast yes
interface-id 3001
}

“server unicast 2001:16d8:ff47:1203:1::6” tells the relay to send forwarded
messages to the specified address (which is bart in my case, the next hop
for snowball). On eth1, the side where the clients are connected, snowball
listens to client messages with multicast destination (a client that is brought
up first sends a SOLICIT to the multicast address ff02::1:2; DHCPv6 has no
DISCOVER). The “interface-id” is set to 3001.

Figure 5.4: Message flow of a client-initiated DHCP message via 2 relays
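To make the two-relay path of Figure 5.4 concrete, here is an added example (my code, not part of the thesis or of dibbler) that builds the RELAY_FORW chain the way RFC 3315 specifies it, decodes it on the server side and mirrors it back as RELAY_REPL so that each relay only has to strip its own layer. Addresses are those of the chapter; snowball’s address on the 1:: link and the 4-byte big-endian encoding of the interface-id are assumptions, and the client and server messages are reduced to message type and transaction id.

```python
"""DHCPv6 relay encapsulation for the path of Figure 5.4 (client -> snowball -> bart -> server).

Wire format, RFC 3315: Relay-forward (12) / Relay-reply (13) =
    msg-type(1) | hop-count(1) | link-address(16) | peer-address(16) | options
The relayed message rides in OPTION_RELAY_MSG (9); dibbler's interface-id in
OPTION_INTERFACE_ID (18). Client/server messages = msg-type(1) | transaction-id(3).
"""
import ipaddress
import struct

SOLICIT, ADVERTISE, RELAY_FORW, RELAY_REPL = 1, 2, 12, 13
OPTION_RELAY_MSG, OPTION_INTERFACE_ID = 9, 18
HOP_COUNT_LIMIT = 32

# Addresses from the chapter; snowball's address on the 1:: link is assumed.
CLIENT_LL = "fe80::2e0:7dff:fe01:15a2"
SNOWBALL_ON_3 = "2001:16d8:ff47:1203:3::1"
SNOWBALL_ON_1 = "2001:16d8:ff47:1203:1::9"   # assumed
BART_ON_1 = "2001:16d8:ff47:1203:1::6"


def option(code, data):
    return struct.pack("!HH", code, len(data)) + data


def parse_options(buf):
    """Decode a run of options into [(code, data)]; a truncated option is an
    error, not silently short data."""
    opts, pos = [], 0
    while pos < len(buf):
        if pos + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", buf[pos:pos + 4])
        data = buf[pos + 4:pos + 4 + length]
        if len(data) != length:
            raise ValueError("option length runs past the end of the message")
        opts.append((code, data))
        pos += 4 + length
    return opts


def client_message(msg_type, transaction_id):
    return struct.pack("!B", msg_type) + transaction_id.to_bytes(3, "big")


def relay_forward(received, link_address, peer_address, interface_id):
    """What a relay sends on: a message from a client gets hop-count 0 and the
    relay's own address on the receiving link; a Relay-forward from another relay
    gets hop-count + 1 and link-address :: (RFC 3315 section 20.1.2). The 4-byte
    big-endian interface-id encoding is an assumption of this example."""
    if received[0] == RELAY_FORW:
        if received[1] >= HOP_COUNT_LIMIT:
            raise ValueError("hop-count limit reached, message must be discarded")
        hop, link = received[1] + 1, ipaddress.IPv6Address("::")
    else:
        hop, link = 0, ipaddress.IPv6Address(link_address)
    header = struct.pack("!BB", RELAY_FORW, hop) + link.packed
    header += ipaddress.IPv6Address(peer_address).packed
    return (header + option(OPTION_INTERFACE_ID, struct.pack("!I", interface_id))
            + option(OPTION_RELAY_MSG, received))


def unwrap_relay_chain(msg):
    """Server side: peel the Relay-forward layers, outermost first. Returns
    [(hop_count, link_address, peer_address, interface_id)] and the client message."""
    hops = []
    while msg[0] == RELAY_FORW:
        opts = dict(parse_options(msg[34:]))
        if OPTION_RELAY_MSG not in opts:
            raise ValueError("Relay-forward without Relay Message option")
        iface = opts.get(OPTION_INTERFACE_ID)
        hops.append((msg[1], str(ipaddress.IPv6Address(msg[2:18])),
                     str(ipaddress.IPv6Address(msg[18:34])),
                     struct.unpack("!I", iface)[0] if iface else None))
        msg = opts[OPTION_RELAY_MSG]
    return hops, msg


def relay_reply(relay_forw, server_message):
    """Server side: mirror every Relay-forward layer into a Relay-reply, copying
    hop-count, link-address, peer-address and interface-id (RFC 3315 section 18.2.8)."""
    if relay_forw[0] != RELAY_FORW:
        return server_message
    opts = dict(parse_options(relay_forw[34:]))
    body = struct.pack("!B", RELAY_REPL) + relay_forw[1:34]
    if OPTION_INTERFACE_ID in opts:
        body += option(OPTION_INTERFACE_ID, opts[OPTION_INTERFACE_ID])
    return body + option(OPTION_RELAY_MSG, relay_reply(opts[OPTION_RELAY_MSG], server_message))


def relay_unwrap_reply(relay_repl):
    """Relay side: strip one Relay-reply layer and return (next destination,
    interface to send on, payload)."""
    if relay_repl[0] != RELAY_REPL:
        raise ValueError("not a Relay-reply")
    opts = dict(parse_options(relay_repl[34:]))
    iface = struct.unpack("!I", opts[OPTION_INTERFACE_ID])[0]
    return str(ipaddress.IPv6Address(relay_repl[18:34])), iface, opts[OPTION_RELAY_MSG]


def figure_5_4_exchange():
    """Run the exchange of Figure 5.4 and return what each party sees."""
    solicit = client_message(SOLICIT, 0xABCDEF)
    at_bart = relay_forward(solicit, SNOWBALL_ON_3, CLIENT_LL, 3001)     # snowball relays
    at_server = relay_forward(at_bart, BART_ON_1, SNOWBALL_ON_1, 1007)  # bart relays
    hops, client_msg = unwrap_relay_chain(at_server)
    reply = relay_reply(at_server, client_message(ADVERTISE, 0xABCDEF))
    next_hop, iface_bart, inner = relay_unwrap_reply(reply)            # bart unwraps
    client, iface_snowball, advertise = relay_unwrap_reply(inner)      # snowball unwraps
    return hops, client_msg, (next_hop, iface_bart), (client, iface_snowball), advertise


if __name__ == "__main__":
    for item in figure_5_4_exchange():
        print(item)
```

Two things are worth noticing when running it: the outer layer built by bart carries hop-count 1 and an empty link-address, so the server finds the client’s link only in the inner layer (or, as dibbler does, from the interface-id), and every field a relay needs for the way back is copied verbatim from the request, which is why a relay keeps no state. The length check in parse_options is the one place where a malformed packet from the client side would otherwise read past the buffer.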

Configuring a client

Now that we have configured server and relays we need to think about
the clients as well. The easiest way to configure a client is not configuring
it, which means: if you don’t want any special configuration except for
an IPv6 address chosen from the address pool specified on the
server, on each interface of a client running dibbler, you can leave the con-
figuration file empty. If, on the other hand, you want to receive DNS and
NTP server details from the dibbler server, this has to be set in client.conf.
You can also define an IP address if you want a client to always get the
same one. A (Windows) client configuration file would look like this (there’s
no difference between Windows and Linux config files except for the name
used for the interface: “Local Area Connection” (“LAN-Verbindung”) on
Windows, eth0 (no quotes needed) on Linux):
log-mode short
log-level 7
iface "LAN-Verbindung"
{
option dns-server
option domain
option ntp-server
ia
{
address
{
2001:16d8:ff47:1203:3::11
}
}
}

If you want to set some options in your client.conf but don’t care which
address your host gets, clear the “ia {...}” part and replace it with “ia”.
“ia” stands for Identity Association and is a logical unit representing ad-
dress(es) used to perform some functions. The correct use of the term ia is
“ia <number>”, where number defaults to 1 and stands for the number
of IAs that should be requested (i.e. setting “ia 2” makes you receive 2
addresses; see the manual for details).
One thing that came to my mind when configuring my dibbler clients was
how unhandy it is to go to each client in a network and configure it locally,
for you can’t always access each client in a big network. I wrote Tomasz
Mrugalski, one of the two developers of dibbler, and he had an idea how
to define a specific client’s address server-side. Snippet from a server.conf
he sent me:
class {
accept-only fe80::2e0:7dff:fe01:15a2
pool 2000::1
}
class {
accept-only 0x000100064306ed0900609711d5f0
pool 2000::2
}
class {
pool 2000::3-2000::ff
}

This configuration would allow only the host with link-local address
fe80::2e0:7dff:fe01:15a2 to get an address from the address “pool” 2000::1/128
and the host with DUID 0x000100064306ed0900609711d5f0 to get the ad-
dress 2000::2. All other hosts would receive addresses from the pool spec-
ified in the last class section. This way changes in address allocation can
be made on the server only. (Keep in mind that both the link-local address
and the DUID are simply asserted by the client; plain DHCPv6 does not
authenticate them, so such a class is a convenience, not an access control.)
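The DUID in that snippet is worth decoding. The following added example (my code, not from the thesis or from dibbler) parses and builds DUID-LLT identifiers as laid out in RFC 3315 section 9.2 and shows why a DUID is more than an opaque token: it carries the client’s MAC address and the time the DUID was first generated, and it stays the same on every network the client visits, which makes it a long-lived tracking identifier that shows up in every dibbler server log. One observation on the epoch: RFC 3315 counts the time field from 2000-01-01, which would place this DUID in the year 2035; read as a Unix timestamp it gives 2005-08-20, which fits the zone serial 2005081901 used in the DNS section below, so the client that produced it apparently wrote Unix time into the field.

```python
"""Decode and build DUID-LLT client identifiers (RFC 3315 section 9.2).

Layout: DUID type 0x0001 (2 bytes) | hardware type (2 bytes, 6 = Ethernet) |
time (4 bytes, seconds since 2000-01-01 00:00 UTC modulo 2^32) | link-layer address.
"""
import datetime
import struct

DUID_LLT = 1
HW_ETHERNET = 6
RFC3315_EPOCH = datetime.datetime(2000, 1, 1, tzinfo=datetime.timezone.utc)
UNIX_EPOCH = datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)

# The DUID from the server.conf snippet above.
PAGE_DUID = "0x000100064306ed0900609711d5f0"


def parse_duid_llt(duid_hex):
    """Return (hardware_type, raw_time, mac) from a hex DUID as dibbler prints it."""
    raw = bytes.fromhex(duid_hex[2:] if duid_hex.lower().startswith("0x") else duid_hex)
    if len(raw) < 8:
        raise ValueError("DUID too short for DUID-LLT")
    duid_type, hw_type, raw_time = struct.unpack("!HHI", raw[:8])
    if duid_type != DUID_LLT:
        raise ValueError("not a DUID-LLT (type %d)" % duid_type)
    mac = ":".join("%02x" % b for b in raw[8:])
    return hw_type, raw_time, mac


def build_duid_llt(mac, when, hw_type=HW_ETHERNET):
    """Inverse of parse_duid_llt; `when` is a timezone-aware datetime."""
    seconds = int((when - RFC3315_EPOCH).total_seconds()) & 0xFFFFFFFF
    link_layer = bytes.fromhex(mac.replace(":", ""))
    return "0x" + (struct.pack("!HHI", DUID_LLT, hw_type, seconds) + link_layer).hex()


def llt_time(raw_time, epoch=RFC3315_EPOCH):
    """Turn the raw time field into a datetime under the given epoch."""
    return epoch + datetime.timedelta(seconds=raw_time)


def describe(duid_hex):
    """What a DUID-LLT reveals: NIC address plus generation date under both epochs."""
    hw_type, raw_time, mac = parse_duid_llt(duid_hex)
    return {
        "hw_type": hw_type,
        "mac": mac,
        "time_rfc3315_epoch": llt_time(raw_time).date().isoformat(),
        "time_unix_epoch": llt_time(raw_time, UNIX_EPOCH).date().isoformat(),
    }


if __name__ == "__main__":
    print(describe(PAGE_DUID))
```

Because the MAC is recoverable from the DUID, a client that wants to avoid being recognised across networks needs a DUID that does not embed it (DUID-EN or a random DUID-LL derivative), and a server operator should treat the DUID in logs as personal data.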
I’d recommend running dibbler-client, after testing its configuration (“Client
run in console”), as a service so that it starts automatically. Don’t forget
to start the client manually for the first time after having installed it as a
service.
Troubleshooting: For troubleshooting dibbler I would recommend, of
course, reading the log file (on Windows systems located directly
in the directory dibbler is installed in), and my all-time favourite tool:
ethereal. To see which port it is listening on I used “netstat -lnptu”,
which shows the service behind each port, as nmap so far only provides
TCP scans over IPv6. (There is a patch for nmap doing IPv6 UDP scans on
http://nmap6.sourceforge.net - see the nmap section below)
SUSE: When installing dibbler-client on SUSE the client could not be
started until I manually created a directory /var/lib/dibbler and
“chmod 777 /var/lib/dibbler” (I know, this is not beautiful but it
works). A world-writable state directory lets any local user replace
the client’s lease and log files; owning it by the account dibbler runs
as, with mode 0755, gives the same result without that side effect.
Note: I chose not to configure my dibbler-relays by a dibbler-client but
rather have static IP addressing. The main reason was that I experi-
enced troubles bringing all of the services up in the right order after
weather related power failures.

5.5.3 DNS [30] [29]

For I am using BIND9 I do not have to install any other software or patch,
for it supports IPv6 natively (BIND9 is the first version fully supporting
IPv6; use a version newer than 9.1.3, as some security problems were patched
there). If you are familiar with the use of IPv4 DNS records you won’t experience
any trouble here, for the only thing that changes is the type of records used.
For IPv4 you use the resource record “A” and for IPv6 it’s “AAAA”, spoken
“Quad-A”. Reverse lookup is stored in a “PTR” resource record
(“pointer”) as well, but the owner name is represented differently.
For reverse lookup a special domain rooted at “IP6.ARPA.” is defined, providing
the mapping of IPv6 addresses to hostnames. The address is written as
a sequence of dot-separated nibbles in reverse order, each of the 32 nibbles
of the full (uncompressed) address becoming one label. Example
reverse lookup domain name for a given IP:
2001:16d8:ff47:1203:3::1
1.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.2.1.7.4.f.f.8.d.6.1.1.0.0.2.IP6.ARPA.
In order to have IPv6 lookup you have to add IPv6 entries to your zone data
and enable BIND to handle requests over IPv6. You can either set both an A
and an AAAA record on one host name, or create IPv6-only hostnames. A
DNS lookup for a hostname configured with both addresses returns both,
and a dual-stack host will usually prefer the IPv6 address for the
connection that follows.
homer A 192.168.200.12
AAAA 2001:16d8:ff47:1203:2::12
flanders6 AAAA 2001:16d8:ff47:1203:2::24
CHAPTER 5. MIGRATION TO IPV6 172

After adding the AAAA records we can start coping with reverse lookup.
First of all you need to include the zone files in /etc/bind/named.conf.
As I have two different subnets, 2001:16d8:ff47:1203:2::/80 and
2001:16d8:ff47:1203:3::/80, I wrote two zone files called “db.2” and “db.3”,
included by these lines:
# /etc/bind/named.conf
zone "2.0.0.0.3.0.2.1.7.4.f.f.8.d.6.1.1.0.0.2.ip6.arpa" {
type master;
file "/etc/bind/db.2";
};
zone "3.0.0.0.3.0.2.1.7.4.f.f.8.d.6.1.1.0.0.2.ip6.arpa" {
type master;
file "/etc/bind/db.3";
};
The corresponding PTR-records are defined in the zonefiles. See /etc/bind/db.3
for an example IPv6 reverse lookup zonefile:
;
; BIND reverse data file for zone branch office
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
2005081901 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns1.sylvia.test.
1.0.0.0.0.0.0.0.0.0.0.0 IN PTR snowball.sylvia.test.
1.1.0.0.0.0.0.0.0.0.0.0 IN PTR snowball2.sylvia.test.
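Writing those nibble strings by hand is error-prone, so here is an added example (my code, not from the thesis or from BIND) that derives the ip6.arpa names from an address and a prefix length, splits them into the zone apex and the relative owner label the way BIND expects them in named.conf and in the zone file, and renders a zone body like db.3 above. It refuses prefixes that do not end on a nibble boundary, addresses outside the zone’s prefix, and PTR targets without the trailing dot, the three mistakes that produce silently wrong reverse data. The SOA uses ns1.sylvia.test. as primary, a choice of this example.

```python
"""ip6.arpa names and a BIND reverse zone from an IPv6 prefix."""
import ipaddress


def reverse_name(address):
    """Fully qualified reverse name: all 32 nibbles of the uncompressed address,
    reversed, under ip6.arpa."""
    nibbles = ipaddress.IPv6Address(address).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def zone_name(prefix):
    """Zone apex for a prefix. One label holds one nibble, so the prefix length
    has to be a multiple of 4 (a /80 is 20 labels; a /70 cannot be expressed)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("prefix length %d is not on a nibble boundary" % net.prefixlen)
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def owner_label(address, prefix):
    """Relative owner name of `address` inside the zone for `prefix`: the
    remaining nibbles, reversed. Refuses addresses outside the prefix."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    addr = ipaddress.IPv6Address(address)
    if addr not in net:
        raise ValueError("%s is not inside %s" % (addr, net))
    if net.prefixlen % 4:
        raise ValueError("prefix length %d is not on a nibble boundary" % net.prefixlen)
    nibbles = addr.exploded.replace(":", "")[net.prefixlen // 4:]
    return ".".join(reversed(nibbles))


def reverse_zone(prefix, hosts, serial, primary="ns1.sylvia.test.", ttl=604800):
    """Render a zone body like /etc/bind/db.3 from {address: fqdn}. PTR targets
    must be absolute, otherwise BIND appends the ip6.arpa origin to them."""
    lines = [
        "$TTL %d" % ttl,
        "@ IN SOA %s root.%s (" % (primary, primary),
        "    %d ; Serial" % serial,
        "    604800 ; Refresh",
        "    86400 ; Retry",
        "    2419200 ; Expire",
        "    604800 ) ; Negative Cache TTL",
        "@ IN NS %s" % primary,
    ]
    for address in sorted(hosts, key=ipaddress.IPv6Address):
        fqdn = hosts[address]
        if not fqdn.endswith("."):
            raise ValueError("PTR target %s must end with a dot" % fqdn)
        lines.append("%s IN PTR %s" % (owner_label(address, prefix), fqdn))
    return "\n".join(lines) + "\n"


# The branch office network from the chapter.
BRANCH_PREFIX = "2001:16d8:ff47:1203:3::/80"
BRANCH_HOSTS = {
    "2001:16d8:ff47:1203:3::1": "snowball.sylvia.test.",
    "2001:16d8:ff47:1203:3::11": "snowball2.sylvia.test.",
}

if __name__ == "__main__":
    print("zone", zone_name(BRANCH_PREFIX))
    print(reverse_zone(BRANCH_PREFIX, BRANCH_HOSTS, 2005081901))
```

Run it and compare the output with the db.3 above; the zone name it prints is the one to put into the zone statement of named.conf.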

Now you are done with setting your address details but there is some
configuration of BIND left. One thing is to tell it to listen to IPv6 re-
quests. This is done in /etc/bind/named.conf.options (this file is included
by /etc/bind/named.conf).
// an acl has to be defined before it is referenced
acl internal-net {
127.0.0.1;
192.168.0.0/16;
::1/128;
2001:16d8:ff47:1203::/64;
};
options {
directory "/var/cache/bind";
forwarders
{
192.168.100.2;
};
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
allow-query { internal-net; };
};

In here we have the rules for IPv4 and IPv6 communication. 192.168.100.2
is the Berufsförderungsinstitut Burgenland name server that is queried, and
“allow-query { internal-net; };” defines that all subnets listed in the acl
named “internal-net” are allowed to query the server. Added to the exist-
ing configuration is the very important
listen-on-v6 { any; };
directive, making named accept queries on every IPv6 address. In older BIND 9
releases the only values accepted here are “any” and “none”; from BIND 9.3 on
you can also list specific addresses. Listening on every address is only safe
because the acl restricts who may query (if the server recurses for others,
restrict allow-recursion in the same way). Note that an acl has to be defined
before it is referenced, so “internal-net” has to precede the options block.
In the acl (short for Access Control List) “internal-net” I added
::1/128;
2001:16d8:ff47:1203::/64;
in order to allow localhost and the whole test network I set up to query
the nameserver.
After restarting bind you can see it listening on IPv6 interfaces using “net-
stat -lnptu | grep named”. The address of the IPv6-reachable nameserver
is already distributed by dibbler, so I don’t have to change any DNS
settings on the clients. The first thing you should now try is to connect
to bind via an IPv6 address with a simple
dig localhost @::1
If this returns an answer you can move on to querying a hostname with A
and quad-A entries like below (you need “-t any” so that all entries found
for a hostname are returned; otherwise only the A record is sent back):
marge:~# dig -t any homer.sylvia.test @::1

Figure 5.5: Output for dig -t any homer.sylvia.test @::1

Note: If you only get the old configuration displayed without the added
IPv6 entries flush your DNS cache and try again. For Windows use
“ipconfig /flushdns” and on the Linux PC running BIND you can do
the same with “rndc flush”.
Be also sure to try this on other hosts to see if the acl does not exclude hosts
that should have access to the nameserver.
Another way of testing your DNS server is using the command “host”:
knoppix@1[knoppix]$ host -t aaaa homer.sylvia.test 2001:16d8:ff47:1203:2::5
Using domain server:
Name: 2001:16d8:ff47:1203:2::5
Address: 2001:16d8:ff47:1203:2::5#53
Aliases:
homer.sylvia.test has AAAA address 2001:16d8:ff47:1203:2::12
To test reverse lookup functionality use
dig -x 2001:16d8:ff47:1203:2::5
With routes advertised, addresses distributed and DNS entries set we can
say we do have a running IPv6 network by now. We have pinged and
tracerouted even IPv6 hosts residing somewhere on the internet, so what
else could there be? ;o)
Note: When doing name resolution with Linux, IPv6 is also used as trans-
port for the query. Microsoft has not yet enabled this functionality (at
the time of writing).
The next step is to ensure IPv6 connectivity for the services already used in
the network running IPv4, to be ready when someday there are IPv6-only
networks.

5.6 Migrating the services [31]

Now that each PC on the network is IPv6 enabled we need services that
make use of it. First let’s go online and see the dancing turtle!

5.6.1 Browsers: Firefox and Internet Explorer

When you try to access an IPv6-hosted web page don’t forget to disable
proxying, for the squid running on the system does not support IPv6 (squid
gained native IPv6 support only with version 3.1) and
therefore will not connect. After changing my firefox’s preferences to
access the internet directly I tried to surf to
http://www.kame.net
and if the IPv6 configuration works, you can see why I was talking about
a dancing turtle. This site is reachable via IPv4 and IPv6, but if you can see
the turtle dancing you connected to this website via IPv6! In addition to
this you can read your IPv6 address at the very bottom of the page. This
has been worth all the trouble, am I right?
There’s nothing else left to explain when using Internet Explorer 6.
Simply uncheck the use-proxy option and go for www.kame.net.

5.6.2 Web-Proxy: Privoxy [32]

There are several web proxies supporting IPv6 connections: wwwoffle
v2.7, a patch for squid v2.5, privoxy v3.1.1, www6to4 v1.5, Prometeo
v1.4, ffproxy v1.6-RC1 and polipo v0.9.x. Among all these possibilities
I chose to use the Junkbuster-based privoxy, for it offers a wide range of
options in the field of filtering, access control, cookie management and the
removal of ads, banners and pop-ups, and because I wanted to try some
new software besides always using squid. You will find executables for
several operating systems on the home page and there is a CVS
repository you can use as well.
I chose to wget the sources and make them. When trying to run “make”
my PC was prompting me to install “autoconf” (apt-get install autoconf).
After re-running “make” and switching to “su” you can see where your
files will be installed with “make -n install”. If you are pleased with what’s
going on, “make install”.
Then I had to “adduser privoxy” and “addgroup privoxy”. Your privoxy
installation resides at /usr/local/etc/privoxy and the logfile is located at
/var/log/privoxy. The first step now is to modify the config file
/usr/local/etc/privoxy/config.
confdir /usr/local/etc/privoxy
logdir /var/log/privoxy
# The actions file(s) to use
actionsfile standard # Internal purpose, recommended
actionsfile default # Main actions file
actionsfile user # User customizations
filterfile default.filter
logfile logfile
jarfile jarfile
# error page at untrusted sites
trust-info-url http://www.example.com/why_we_block.html
trust-info-url http://www.example.com/what_we_allow.html
debug 512 # common log format
# address and port the server is listening on
listen-address 127.0.0.1:8118
listen-address [2001:16d8:ff47:1203:2::5]:8118
# toggle 0 disables any filtering, blocking, etc.
toggle 0
# keep the web interface read-only: nobody may switch privoxy off
# or edit the actions files remotely
enable-remote-toggle 0
enable-edit-actions 0
# only the local /80 may use the proxy
permit-access [2001:16d8:ff47:1203:2::]/80
buffer-limit 4096
The changes I made were the settings for the confdir, the debug level,
listen-address, all toggling options and the permit-access option. After
setting the values appropriate to your system you can start privoxy with
/etc/init.d/privoxy start.
After setting the proxy settings of a firefox used in the network to
[2001:16d8:ff47:1203:2::5] (you could also use “marge6” instead) at port
8118 you can surf the net using privoxy. For configuring privoxy in more
detail there is a web interface you can access locally. As I am not using a
GUI on my Debian system I configured my lynx to use privoxy as a proxy
in /etc/lynx.conf (set the line “http_proxy:http://127.0.0.1:8118/”) and
then “lynx http://config.privoxy.org”. If you want to set the new IPv6
proxy in Internet Explorer you can only use the name “marge6” (or the
fully qualified domain name) but not the address itself. If you try to use
the address, Internet Explorer will not warn you or tell you it could not
find the proxy but rather just doesn’t use it and accesses the internet directly.
Taking a look at the settings of the proxy again you will see something like
this:

Figure 5.6: Proxy settings with Internet Explorer 6

Note: I used the IP address display at www.kame.net to see whether the
proxy was used or not.
Windows2k: Although I could ping6 marge6.sylvia.test and ping6 www.kame.net
I could not manage to display a site reached via the IPv6
proxy in either Firefox or Internet Explorer. Firefox told me that the
proxy could not be found and Internet Explorer that the site could
not be displayed.

5.6.3 http-server: apache

Now that we can access IPv6 sites on the internet, let's make our own http
server reachable via IPv6. There are patches for apache 1.3 to support IPv6 but
I’d recommend using >= 2.0.14 (I use 2.0.54), for it supports IPv6 natively.
Native support is always a good thing because it reduces the things you
have to do to a minimum. With apache you now only have to add a
“Listen” directive telling it to also listen for IPv6 requests, then restart and
you are done. This entry has to be made in /etc/apache2/ports.conf and
looks like this (this is the only entry in here):
Listen [2001:16d8:ff47:1203:2::5]:80
Be aware that on Linux a plain “Listen 80” already accepts IPv4 and IPv6
connections on all addresses, because the wildcard IPv6 socket also takes
IPv4-mapped connections; an address-specific line like the one above is
only needed when you want to restrict which addresses apache answers on,
and then IPv4 needs a Listen line of its own.
After restarting apache you can access your apache installation with Fire-
fox at (both are possible here)
http://marge6.sylvia.test
http://[2001:16d8:ff47:1203:2::5]
Internet Explorer only supports the FQDN for an address here.
In order to define a virtual IPv6 host you can change /etc/apache2/sites-
available/www6 and be sure that there is a symbolic link from /etc/apache2/
sites-enabled/ to this file. To have a virtual host responding to the request
“www6.schuh-tv.at” add
ServerName www6.schuh-tv.at
ServerAdmin k.schuh@schuh-tv.at
in the <VirtualHost *> </VirtualHost> section. See my www6 file in the
code appendix.

Figure 5.7: HTTP_GET command from snowball2 (2001:16d8:ff47:1203:3::11)
to the webserver marge (also called ns1.sylvia.test)

5.6.4 database: MySQL

The currently available MySQL versions (4.x, 5.0) do not support IPv6.
MySQL 5.1 could be the first version supporting it (at the time I am writ-
ing this 5.1 alpha is released and there is no information on the implemen-
tation of IPv6 available in the documentation of 5.1). [33] (Support for
IPv6 connections eventually arrived with MySQL 5.5.3.)
PostgreSQL v8.0 on the other hand does support IPv6. As far as I could
find out it is included by default, and hosts contacting the database need
to be listed in “pg_hba.conf”. [34]
CHAPTER 5. MIGRATION TO IPV6 180

5.6.5 filesharing using Windows

When I started migrating the network, or better, before I started, I was very
afraid of migrating such vital things as DNS, routing, etc. and had the
opinion that as soon as you change the protocol used to IPv6 all services
would work instantly. I was proven wrong when I tried to do file sharing with
Windows. As I was using Windows 2000 advanced server for file sharing
via IPv4 there was no need for me to change the system for use with
IPv6, or so I thought. After reading nearly every entry found by google
matching the word “IPv6” I decided to ask those who should know about
it: the people from Microsoft (I also bought the Microsoft-suggested book
“Understanding IPv6” for it holds a chapter concerning IPv6 file sharing.
If you think of buying it: take my advice and don’t do it!). Some technician
then told me that sharing files is only supported for Windows Server 2003
and gave me a link as starting point for my research [35].
I got myself a new PC and installed Windows 2003 advanced server on it.
The hostname is wiggum.sylvia.test with IP addresses 192.168.200.19 and
2001:16d8:ff47:1203:2::13 (installing IPv6 on W2k3 is the same as on WXP).
After installing some basic services I was very eager to try IPv6 file shar-
ing. I defined some folders to share and tried to connect to the server from
a Windows XP PC by typing \\wiggum in Windows Explorer. As I was
getting meaningless errors I decided to switch to the command line and try
every connect with
net use * \\host\share
to get better information about the error. My error code was 59 with
the message that an unexpected network error has occurred or error 53
“network path not found”. Then, I thought to myself, before trying and
hoping that Windows XP is able to cope with IPv6 data sharing, I had better
set up another Windows 2003 advanced server. This time I used the former
homer.sylvia.test because Windows 2000 only supports IPv6 to the extent
of pinging and tracerouting. (Before I cleared the harddisk I copied the
data stored for Active Directory. Read the Active Directory chapter be-
low).
The new Windows 2003 server had hostname flanders.sylvia.test and IP
addresses 192.168.200.36 and 2001:16d8:ff47:1203:2::24.
Trying to “net use * \\wiggum6.sylvia.test\daten” (wiggum6 is an AAAA
record pointing at a global address) between these two nodes first resulted
in error 67. Looking for workarounds or solutions to this error I found out
that restarting the distributed file system on the file server could help. Af-
ter the restart I got error 1231 “network location cannot be reached”, and I read
some article about reinstalling your NIC to get rid of these troubles. In ad-
dition to these errors I had events 1030 and 1058 in my event log, which
usually are indicators for a DFS (distributed file system) that is not running.
So you might be curious if I now have a working file sharing system via
IPv6 and the proud answer is yes. So what had to be done in order to work:
First I got myself a new harddisk and put it in my wiggum.sylvia.test and
set up a fresh Windows 2003 server again (this was just because I got more
and more daring when trying to solve the errors and reconfigured nearly
everything). So with two totally clean and newly set-up Windows 2003
PCs I tried it again and it didn’t work until I got the idea of using site local
addresses instead of global addresses. As you saw in the chapter con-
cerning radvd I distribute site local addresses with prefix fec0:0:0:1::/80
dynamically. For easier use I decided to save a DNS record for the site
local file server address in bind.
wiggum AAAA fec0::1:20a:5eff:fe22:afd6

Before trying to connect to the network share be sure to have the IPv6 firewall
disabled and IPv6 file sharing enabled.
To disable the firewall simply type:
netsh interface ipv6 set interface interface="LAN-Verbindung" firewall=disabled
Keep in mind that this exposes port 445 and every other service listening on
IPv6 to any host that can reach the machine; outside of a lab test, leave the
firewall on and open TCP 445 for the local prefix only.
To enable IPv6 file (and print) sharing go to the “control panel” and open
the “network connections”. In the menu “Advanced” (“Erweitert”) you
will find an entry called “advanced settings” (or maybe it is called “ad-
vanced properties” - I am lacking an English Windows version here; in
German it is called “erweiterte Einstellungen...”).
In the advanced settings, be sure to check everything you find con-
cerning IPv6 ;-) for the active LAN connection.
Figure 5.8: The menu “Advanced” in German

Now, if you dare, type
net use * \\wiggum.sylvia.test\daten
and your network share will be connected via IPv6. If you don’t trust
your computer, simply sniff it using ethereal. Please see mine below and
note that these packets are not the beginning of the communication nor
the end, just one nice part you can show off with because it reveals the
folder opened.
fec0::1:250:baff:fe17:2d3d is site local address for flanders. The connection
also works when typing \\wiggum.sylvia.test\daten in your Windows
explorer.
For the sake of completeness I also have to write about the last error I had
before I got that far: it was error 52, indicating a duplicate host or cname
entry for one IP address. The advice Microsoft’s knowledge base gave me
was to check DNS or WINS settings or change the host name on one of the
clients. The thing that went wrong here was the DNS configuration, for it
was holding an A and an AAAA record for the same hostname. Although
it should have worked that way as well, I decided wiggum should be an IPv6-
only record.
Note: By the way, if you are curious which port Microsoft uses: look for
445 named “microsoft-ds” with “nmap -6 wiggum”.
Note: Differing from older Microsoft operating systems, Windows 2003
sets network shares read-only by default. I then set the permission
for user “everyone” to read/write, which didn’t help a lot. Only after
setting every user in my system (ok, I only have two) the permission
to read/write I had write access to the remote folder.

Figure 5.9: The dialog popping up when choosing the “advanced settings”

Figure 5.10: Some packets during IPv6 filesharing; packet number 33 holds
the path opened
Linux: Much to my surprise I had to find out that there was currently no
IPv6-capable smb client. There is a patch available for Samba ver-
sions 2.2.3 - 2.2.5 from the year 2002, but when posting to some news-
groups whether this worked for someone I got no positive responses.
[36] (Samba itself gained IPv6 support later, with version 3.2.)
I guess one cannot measure the time I spent on this little problem, and like
so many times it was a combination of several problems. While I was
trying to set up file sharing in vain I also decided to look for alternatives
and found WebDAV.
Note: Referring to a paper [37] updating the book “Understanding IPv6”
and a mail I received from Microsoft Austria, file sharing should be
possible with IPv6 global addresses as well. In the mail I got a reg-
istry key to enter in order to enable it. Set a DWORD with value “1e”
and name “IPv6Protection” under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Smb\Parameters.
This did not work for me.

5.6.6 filesharing: WebDAV [38] [39]

The way Tim Berners-Lee initially thought of the internet was a read-
and writeable medium. With the internet growing it turned itself into a read-
only medium; and this is exactly the point where WebDAV starts.
WebDAV is short for Web-based Distributed Authoring and Versioning
and refers to the IETF working group as well as the HTTP extension they
defined. It has abilities to create, change and move documents on a remote
server and can be used for authoring or simple storage of data. The data
is accessed via http on port 80, so you won’t have firewall-related prob-
lems. It is platform independent and most operating systems have built-in
features to support WebDAV.
In order to have a working WebDAV implementation you need an HTTP
server. On the Windows side of life you could use IIS on Windows Server
2003, which should support IPv6 (I did not find the proof on the internet
nor tried it myself), or simply use Apache. As you might have guessed I
used Apache. In the mods-available folder of your /etc/apache2 direc-
tory you will find three files concerning WebDAV called “dav.load”,
“dav_fs.conf” and “dav_fs.load”. The first step to enable these modules is
simply to make symbolic links from the folder /etc/apache2/mods-enabled
to these three files (Debian’s “a2enmod dav dav_fs” does the same).
ln -s /etc/apache2/mods-available/dav* /etc/apache2/mods-enabled
The next step is to append the following paragraph to the /etc/apache2/apache2.conf
file:
## my changes for webDAV
DAVLockDB /tmp/DAVLock
DAVMinTimeout 600
<Location /dav>
DAV On
AuthType Basic
AuthName "WebDAV Restricted"
AuthUserFile /var/www/webdavpasswd
<LimitExcept GET HEAD OPTIONS>
Require valid-user
</LimitExcept>
</Location>
This sets a WebDAV directory for the folder “dav” in your document root
with authentication type “Basic” and authentication information that can
be found in /var/www/webdavpasswd. Two things to keep in mind with
this fragment: first, Basic authentication sends username and password
in cleartext with every request, so on anything but an isolated lab network
the location should only be served over https (e.g. with SSLRequireSSL in
the Location block); second, /var/www is the document root, so the password
file itself can be downloaded with a plain GET unless you deny access to it
(a <Files webdavpasswd> block with “Deny from all”) or, better, keep it outside
the document root, e.g. in /etc/apache2. The LimitExcept also leaves GET,
HEAD and OPTIONS open to everyone, so the folder is world-readable; drop
the LimitExcept if reads should be authenticated as well, and put the
DAVLockDB somewhere that is not world-writable like /tmp.
Now you have to create a new directory called “dav” in your document
root /var/www. If you are not sure where your document root is look
at the file /etc/apache2/sites-enabled/default. This directory has to have
user and group changed to www-data and correct permissions have to be
set.
chown www-data:www-data /var/www/dav
chmod 775 /var/www/dav
The next step is to create usernames and passwords for the users allowed to access the WebDAV contents, which is done with
htpasswd -c /var/www/webdavpasswd username
htpasswd /var/www/webdavpasswd otherUsername
The first line, “htpasswd -c /var/www/webdavpasswd username”, creates a new file called /var/www/webdavpasswd (as defined in apache2.conf) storing the information on the user called “username” (-c indicates the creation of a new file, so be careful not to use it when adding additional users, as it overwrites the existing file). The second line shows how to add an additional user called “otherUsername”. After restarting Apache your WebDAV is ready to use.
In order to test my WebDAV I installed a Linux command-line WebDAV client called cadaver.
cadaver http://marge.sylvia.test/dav
prompts me for the password and opens the WebDAV folder. Use commands like put, get, ls, less, cat, delete, copy, move and many more to perform actions on files.
To have WebDAV functionality on Windows you have to do a little bit more. If you want to have the WebDAV resource as an entry in your “My Network Places”, choose “Add Network Place” within “My Network Places”. The “Add Network Place Wizard” pops up, and in the next two steps you simply supply the address of the resource and the username and password, and everything works fine. Or so I thought.
In my case I got the error “the folder you entered does not appear to be valid”, indicating that you are lacking
• the software update for web folders (Knowledge Base article KB892211)
• a DWORD called “UseBasicAuth” with value set to 1 at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters\
Another tip I found on the internet that worked for one of the PCs (running WinXP SP2) was appending :80 to the address of the resource (http://marge.sylvia.test:80/dav), which loads the old Windows 2000 driver (that might be more likely to work in this context). Then, after doing all this troubleshooting, some of my Windows computers could do WebDAV file sharing and some could not. As so often during the work on my thesis I decided to use Ethereal in order to find out what really happened, and this brought the solution: be sure not to use a proxy when connecting to WebDAV (you can guess that system administrators will not like that, for they are losing control). After these simple steps my WebDAV directory was reachable from Windows as well.

Figure 5.11: packets sent during the login to the WebDAV server

In the picture above you see three packets during the login to a WebDAV server from bart to marge (i.e. the WebDAV server) indicating that authentication is required. The third packet shows which folder is opened; I only added the part below the grey line to show that IPv6 is used here ;-).
Note: I experienced an interesting behaviour when trying to access a WebDAV share via web browser. There was no user authentication and data could be transferred without any restrictions. This follows from the configuration above: the <LimitExcept GET HEAD OPTIONS> block asks for a valid user only for the other methods, so a browser's plain GET reads the directory anonymously, while a WebDAV client, which starts with PROPFIND, is challenged. Keep in mind as well that Basic authentication over plain HTTP sends the password in cleartext.
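To make the behaviour in the note concrete, here is an added example (my own code, not part of the thesis) that evaluates an Apache <Location> block the way Apache applies <Limit>/<LimitExcept> sections, and compares the block above with a variant whose Require directive sits outside any LimitExcept; the configuration strings are constructed copies, not read from /etc/apache2.

```python
import re

# Constructed copy of the <Location /dav> block from apache2.conf above.
THESIS_DAV_CONFIG = """
<Location /dav>
    DAV On
    AuthType Basic
    AuthName "WebDAV Restricted"
    AuthUserFile /var/www/webdavpasswd
    <LimitExcept GET HEAD OPTIONS>
        Require valid-user
    </LimitExcept>
</Location>
"""

# Same block with the Require directive outside any Limit section, so it
# covers every method, reads included (assumed hardening, not from the thesis).
HARDENED_DAV_CONFIG = """
<Location /dav>
    DAV On
    AuthType Basic
    AuthName "WebDAV Restricted"
    AuthUserFile /var/www/webdavpasswd
    Require valid-user
</Location>
"""

# Methods a browser and a WebDAV client send (basic HTTP plus RFC 4918 ones).
METHODS = ("GET", "HEAD", "OPTIONS", "PROPFIND", "PUT", "DELETE",
           "MKCOL", "COPY", "MOVE")

_SECTION = re.compile(r"<(Limit|LimitExcept)\s+([^>]*)>(.*?)</\1>", re.S)
_REQUIRE = re.compile(r"^\s*Require\s+valid-user\b", re.M)


def _methods_of(listed):
    """Expand the method list of a <Limit>/<LimitExcept> section.
    Apache treats a listed GET as covering HEAD as well."""
    methods = {m.upper() for m in listed.split()}
    if "GET" in methods:
        methods.add("HEAD")
    return methods


def auth_required(config, method):
    """True if 'Require valid-user' applies to this method inside the block."""
    method = method.upper()
    for kind, listed, body in _SECTION.findall(config):
        if not _REQUIRE.search(body):
            continue
        covered = _methods_of(listed)
        applies = method in covered if kind == "Limit" else method not in covered
        if applies:
            return True
    # A Require outside any Limit section applies to all methods.
    return bool(_REQUIRE.search(_SECTION.sub("", config)))


def anonymous_methods(config, methods=METHODS):
    """Methods that the block lets through without credentials."""
    return [m for m in methods if not auth_required(config, m)]


if __name__ == "__main__":
    print("thesis config, anonymous:", anonymous_methods(THESIS_DAV_CONFIG))
    print("hardened config, anonymous:", anonymous_methods(HARDENED_DAV_CONFIG))
```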

5.6.7 filesharing: ftp

Another method to supply files using IPv6 is FTP. I installed an FTP server for Linux on marge.sylvia.test. I chose to use pure-ftpd version 1.0.19-7. Setting it up was pretty easy using apt-get, for you simply need the packages pure-ftpd-common and pure-ftpd. This installs the FTP server to /usr/sbin/ and sets configuration details in /etc/pure-ftpd. I chose to run pure-ftpd as a daemon (“dpkg-reconfigure pure-ftpd-common” to change that). Before starting the server with “/usr/sbin/pure-ftpd -S 777 &” be sure that you have a user “ftp” on your system, whose home directory is the one accessed when using anonymous FTP. Anonymous FTP is enabled by default, so you can try logging in either by not supplying user information or by using a user account on the system. In the latter case the corresponding home directory is opened.
In order to access the FTP server I chose a Windows FTP client called NcFTP [40]. In the downloaded /bin directory you will find ncftp.exe, which starts a command-line FTP tool. When typing “open” the address book is opened and you can add a target with all the address information needed. Don't forget to fill in the port chosen if you decided to use one other than 21 (I chose 777).
Note: There is a huge list of alternative FTP software. Servers: proFTPD 1.2.9, moftpd, tnftpd/lukemftpd, wu-ftpd, ftpd 0.17 patched, fftpd, ftpd-bsd 0.3.3, ProFTPD 1.2.9, troll-ftpd 1.2.8 patched, ginseng-ftpd 1.6, and many more for Linux. For Windows there are two FTP servers, but both are intended for developer-only versions of Windows: the FTP server in Windows CE .NET and the MSRIPv6 FTP server. There are also several FTP clients like lftp 2.6.5, tnftp 2.0, cftp 0.12, wget and the ftp version supplied with Windows XP/2003.
5.6.8 email: exim

The next step is to implement a working mail structure for our company network. The mail server running at the moment is exim4 v4.50, which supports IPv6 when enabled at compile time. You have to set “HAVE_IPV6=YES” and might also need “IPV6_INCLUDE=YES” and “IPV6_LIBS=YES” in your Local/Makefile. I set all three options in the first try and then tried to recompile the source. Experiencing several errors, like the one that it could not find db.h at compile time, I then removed all IPv6 options again to see whether it would work. Because this worked without any trouble I then simply set “HAVE_IPV6=YES” and successfully recompiled. (I experienced some trouble concerning the LOOKUP_LIBS when compiling, e.g. “cannot find -llber”. There are references to several things like LDAP enabled by default, which I simply commented out, for I don't use them.)
After exim is reinstalled with IPv6 support, you have to configure two files: /etc/exim4/update-exim4.conf.conf and /etc/exim4/mailname.
The file /etc/exim4/mailname has to be changed to the following content:
marge6.sylvia.test
and the file /etc/exim4/update-exim4.conf.conf now looks like this:
dc_eximconfig_configtype='smarthost'
dc_primary_hostname='marge6.sylvia.test'
dc_other_hostnames='sylvia.test:marge:marge6.sylvia.test'
dc_local_interfaces='192.168.200.5 : 2001::16d8::ff47::1203::2::::5'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets='192.168.0.0/16:2001::16d8::ff47::1203::::/64'
dc_smarthost='mail.bfi-burgenland.at'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='false'
dc_mailname_in_oh='true'
As you might remember from the chapter where I set up the IPv4 network, you could, instead of altering these files, as well use “dpkg-reconfigure exim4-config”. One important thing to keep in mind when editing update-exim4.conf.conf is that the colon acts as the list separator in this file. Therefore each colon that is part of an IPv6 address has to be doubled, as in the values above. After editing these files manually you have to run update-exim4.conf in order to make the changes take effect. Now you are the proud user of a system that can send emails, but not receive any. Therefore we have to see whether qpopper is IPv6 enabled.
Note: Other mail transfer agents supporting IPv6 are: Zmailer 2.99.55,
sendmail 8.12.9, qmail 1.03 patched, postfix 2.0.18 patched and
courier 0.42.2.

5.6.9 email: courier [41]

Since qpopper does not support IPv6, there are several alternative mailbox daemons: solidpop3d 0.15, courier-pop3d 0.42.2, courier-imapd 0.42.2, cyrus-imapd 2.2.1-BETA, dovecot 0.99.10.6 and bincimapd 1.2.10. Because the homepage of solidpop3d was down the day I wanted to install the software, and cyrus-imapd had some strange errors after installation about a missing connection to my mail server, I decided to use courier-imapd.
You can install courier-imapd either from the sources or from the apt repository, as I did. First you have to install courier-authdaemon, with its configuration file at /etc/courier/authdaemonrc, using authpam, and then install courier-imapd (I use version 3.0.8-4). Other interesting files in this context are /etc/courier/imapd and /etc/pam.d/imap. If you want, you can additionally install courier-doc, which provides documentation on courier.
When trying to log in I got the error “FATAL ERROR: Maildir: no such file or directory”. In the file /etc/courier/imapd the last entry is about the mail directory, setting it to
MAILDIRPATH=${home}/Maildir
Now we have to face the fact that by default exim stores the mails in a single file while courier needs a directory to be set. As a consequence we have to modify /etc/exim4/configure first.
First update the transports section by replacing the transport “local_delivery” with what is written below. Please be sure that the old transport “local_delivery”, setting mail delivery to a single file, is commented out.
### from transports section
local_delivery:
driver = appendfile
group = mail
mode = 0660
mode_fail_narrower = false
envelope_to_add = true
return_path_add = true
directory = ${home}/Maildir
maildir_format = true
prefix = ""
${home} is expanded to the home directory of each mail user and is the default value here. I chose to be more conservative and, instead of editing the part discussed above, I set the address_directory transport to the following in order to allow Maildir delivery per user only:
### from transports section
address_directory:
driver = appendfile
no_from_hack
prefix = ""
suffix = ""
maildir_format
The next step is to edit the userforward router so that it contains the following.
### from routers configuration section
userforward:
driver = forwardfile
check_local_user
file = $home/.forward
no_verify
check_ancestor
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
directory_transport = address_directory
modemask = 002
filter
Now the directory_transport points to the address_directory specified before. When uncommenting the “filter” option, you can use .forward files for Exim filtering. Using this configuration every user who wants mail to be stored in a Maildir needs a “.forward” file pointing to that Maildir:

echo /home/elsylo/Maildir/ > /home/elsylo/.forward
echo /home/sylvia/Maildir/ > /home/sylvia/.forward
Be sure that each “.forward” file is owned by the appropriate user and that you did not forget the trailing slash in “/home/elsylo/Maildir/”. Now everything that has to be configured is done and you can test your configuration.
Note: Because the Maildir directories are not created yet, I experienced that courier only worked after sending the second mail (the directory is created automatically when the first mail is delivered; you might want to create the directories first).

5.6.10 mail-client: thunderbird

Thunderbird 1.0.2 is IPv6 enabled and therefore can simply be configured using marge6.sylvia.test with port 143 for IMAP and port 25 for SMTP. Thunderbird was not capable of using IPv6 addresses in the configuration of the mail server options (not even when put in square brackets); FQDNs had to be used.
Figure 5.12: The sending of an email from a Windows host

5.6.11 mail-client: outlook and outlook express

As far as I could find out on the internet, Outlook and Outlook Express both don't support IPv6. I also tried making a new account with the mail servers set to marge6.sylvia.test or [2001:16d8:ff47:1203:2::5] respectively, but both just resulted in an error message that the server could not be found.

Figure 5.13: Error when sending a message with Outlook telling that the
servers could not be found

Note: Other email clients supporting IPv6 are: mozilla-mail 1.4, ximian-evolution 1.4.5, pine 4.58 patched, mutt 1.41, sylpheed 0.9.6, sylpheed-claws 0.9.5 and KMail 3.1.2.
5.6.12 VoIP: asterisk [42] [43]

Much to my regret I had to find out that asterisk is not yet IPv6 capable. There is a patch providing some IPv6 connectivity features, but it is not widely used. There has also been a bounty for writing an IPv6 patch, but although the deadline has expired no patch is available by now. There are two Linux-based softphones supporting IPv6, called linphone and kphone, and two SIP phones, one from Moimstone (IP250) and one from FreeBit (Business Phone).

5.6.13 time: ntpd, ntpdate

Both ntpd and ntpdate are IPv6 capable and work without trouble. The ntpd version installed is 4.2.0 and the only thing I had to do was to set an IPv6 time server in /etc/ntp.conf. Here is a list of some IPv6-capable stratum 1 servers:
ntp.rhrk.uni-kl.de (IPv4 and IPv6)
ntp6.remco.org (IPv6)
chime3.ipv6.surfnet.nl (IPv6)
ntp.ipv6.viagenie.qc.ca (IPv6)
I chose the one from SURFnet. Ntp itself should be IPv6 capable when installed on an IPv6-enabled host. Now, if you want to query your ntpd, simply type
ntpdate 2001:16d8:ff47:1203:2::1
on marge.sylvia.test and the time will be adjusted to the time set on bart.sylvia.test, using IPv6.

Figure 5.14: ntpdate from marge (i.e. webdavserver) to bart


The big world of Windows applications has no free IPv6 NTP client (and one client to buy that might work) to set the time on Windows hosts.

5.6.14 domain controller: Active Directory

When I started migrating I thought that Active Directory, together with file sharing, would not produce a lot of trouble, because most websites claimed full support for IPv6 on Windows (in fact that's almost all the information I could get on Microsoft's websites). On most sites I could read a lot about transition techniques like several different tunnels and so on, but there was not much written about the services that really support IPv6 on Windows PCs, and that's what made my search for help pretty hard. When I found out that a host does not log on to Active Directory via netlogon using IPv6 by default, I tried tricks like setting the IPv4 address to a non-existent value so that it might have to use IPv6. As you might have guessed, it didn't work. The interesting thing was, on the other hand, that during netlogon DNS was queried for the domain controller, and since I am using dynamic updates from the host running Active Directory, there even was an AAAA record returned to the querying host. But let's start from the beginning.
The first thing I changed in my network topology was the server running Active Directory. When reading this thesis cover to cover you might remember that Active Directory formerly ran on a Windows 2000 Advanced Server and that this server was upgraded to Windows 2003 Server in order to enable file sharing between Windows hosts. So Active Directory had to be set up again (which was not that much work, for I only entered two users). Then I had to enable dynamic updates for the new domain controller in my BIND configuration. This is done by updating /etc/bind/named.conf.local:
zone "sylvia.test" IN {
type master;
file "/etc/bind/db.sylvia.test";
allow-update { 192.168.200.19; 2001:16d8:ff47:1203:2::13; };
};
The line “allow-update” enables dynamic updating, i.e. services can register themselves in DNS. (Permitting updates by source address alone is a weak check, since the address can be spoofed; BIND can instead require TSIG-signed updates.) It may take some minutes until DNS is updated for the first time; this creates a journal file *.jnl, with * being the name of the corresponding zone file. The latter is updated with the information retrieved from the .jnl file, which results in the following zone entries:

Figure 5.15: some of the dynamic DNS entries produced by Windows 2003

When sniffing the whole logon process I found out that although DNS is queried and returns wiggum.sylvia.test for the services needed (wiggum is an AAAA site-local entry), everything is done using IPv4. I then queried newsgroups, mailing lists and lots of homepages for this issue and found someone telling me he had a working Active Directory system using IPv6.
Since I could not get more details from him, I decided to ask Microsoft again. They told me that Windows 2003 Server does not support IPv6, or in more detail, Kerberos as well as LDAP will fail, but SMB negotiation will work. You can only guess how long it took me to get such a detailed answer. ;o)
Tip: OpenLDAP v2.0 natively supports IPv6.

5.6.15 printing: cups

CUPS versions older than 1.2 do not support IPv6 and therefore I installed a newer version on marge.sylvia.test. I downloaded the sources of cups-1.2.x-r4608 and installed them. You can type “lpstat -t” in order to see all printers configured with all details available, or, as before, you could as well use the GUI at http://localhost:631. After a lot of attempts to configure this CUPS version, I downloaded an even newer version of CUPS (1.2svn-r4929). In the file /etc/cups/cupsd.conf add two entries in order to listen on IPv6 addresses:
Listen [::1]:631
Listen [2001:16d8:ff47:1203:2::5]:631
For configuring a client you simply have to set the CUPS server's IPv6 address in the file “/etc/cups/client.conf”:
ServerName [2001:16d8:ff47:1203:2::5]
You can test your IPv6-capable printer by typing:
lpr <filename>

Figure 5.16: CUPS using IPv6

Note: Only from reading the comments on the snapshots was I able to find out that earlier 1.2 snapshots have trouble using IPv6 addresses.
Windows: I could not manage to connect to the CUPS server from Windows.

5.6.16 radio: Virgin radio

A very nice but also very important use of IPv6 is listening to IPv6-only radio. The University of Southampton has a live stream of Virgin Radio available over IPv6 only, which can be listened to using e.g. Windows Media Player 10, iTunes 4.5, zinf, etc. Check it out at http://www.ipv6.ecs.soton.ac.uk/virginradio/. Below you see some packets from the initialization phase of Virgin Radio.
Figure 5.17: initialization of virgin radio

5.6.17 instant messaging: irc, msn

Another fun way of using IPv6 is an instant messaging service like MSN or IRC. There are several IRC clients that are already IPv6 enabled. I chose TurboIRC, a small IRC client for Windows-based systems, and checked out some IPv6 servers.

Figure 5.18: IRC chatting via IPv6

Another cool thing is to enable IPv6 with MSN, and to make MSN even cooler you can add the software called threedegrees from www.threedegrees.com (which has gone offline by now). But don't be sad, you can still get it from Microsoft at http://download.microsoft.com/download/b/3/2/b3251b5b-76fb-46f7-bd6c-f5644713dff6/squiggles.exe. Using this piece of software you can watch pictures and listen to music with up to ten people around the world at once (this could be considered Microsoft's answer to file sharing). I tried this software together with my friend Mustafa from Turkey, who is working on IPv6 as well, and quite enjoyed adding items to a shared playlist and listening to the songs together. This is an approach that shows what peer-to-peer and IPv6 can do to people not already recognizing the advantages. [44]
Figure 5.19: Peer2Peer communication with my friend Mustafa (2001:4bd0:2031::4) using 3degrees

5.6.18 authentication: ipsec6

Ipsec6 is a Windows command-line application that provides data authentication and data integrity. It is not for production use yet, for it does not supply encryption and relies on static keying, with the keys being stored in plain text on the host. Ipsec6 can be used to configure policies and security associations between two hosts. In a security association (SA) authentication is provided by an Authentication Header (AH) using an HMAC based on either MD5 (Message Digest 5) or SHA1 (Secure Hash Algorithm 1). To set up an ipsec6 environment I started by creating a folder on my hard disk, changing to this folder on the command line and typing
ipsec6 s thesis
This command creates a blank security association file (thesis.sad) and a security policy file (thesis.spd, usually already containing one entry), both named “thesis”. Ipsec6 is available for computers running Windows XP Service Pack 1 and higher and Windows 2003 Server. I chose to enable ipsec6 between my two Windows 2003 Server computers.
client1: wiggum.sylvia.test
site-local address: fec0::1:20a:5eff:fe22:afd6
client2: flanders.sylvia.test
site-local address: fec0::1:250:baff:fe17:2d3d
I started configuring client1 by editing the “thesis.spd” file. Add the new entry before the one already existing in the file. Please note that policies must be placed in decreasing order.
Field Name       Value
Policy           2
RemoteIPAddr     - fec0::1:250:baff:fe17:2d3d
LocalIPAddr      -*
Protocol         -*
RemotePort       -*
LocalPort        -*
IPSecProtocol    AH
IPSecMode        TRANSPORT
RemoteGWIPAddr   *
SABundleIndex    NONE
Direction        BIDIRECT
Action           APPLY
InterfaceIndex   0
Important: It is very important to add a trailing semicolon to each line and not to use tab stops instead of spaces.
After setting the values in the *.spd file you can continue with altering the *.sad file. Here we will need two new lines, which I will indicate by typing them in two columns.
Field Name       Value for Line 1              Value for Line 2
SAEntry          2                             1
SPI              3001                          3000
SADestIPAddr     fec0::1:250:baff:fe17:2d3d    fec0::1:250:baff:fe17:2d3d
DestIPAddr       POLICY                        POLICY
SrcIPAddr        POLICY                        POLICY
Protocol         POLICY                        POLICY
DestPort         POLICY                        POLICY
SrcPort          POLICY                        POLICY
AuthAlg          HMAC-MD5                      HMAC-MD5
KeyFile          myfile.key                    myfile.key
Direction        OUTBOUND                      INBOUND
SecPolicyIndex   2                             2
Don't forget the semicolon at the end of each line again! Two SA entries have been made, one for outbound and one for inbound traffic. Both require a key file called “myfile.key”. You could also use different key files for inbound and outbound communication, but since this way of using ipsec6 isn't secure anyway, I decided to keep the same one. SA entries are added in decreasing order as well.
The key file is a simple plain-text file residing in the same folder as the two files processed above. Name the file you created “myfile.key” and be very careful what you type in this file: each space or line feed makes a difference, and this file must be identical to the one residing on client2 in the ipsec6 communication.
On client2 (flanders) you need the same configuration as well. Start by creating the files with “ipsec6 s thesis” and then edit the “thesis.spd” file first (don't forget to create this entry before the existing entry):
Field Name       Value
Policy           2
RemoteIPAddr     - fec0::1:20a:5eff:fe22:afd6
LocalIPAddr      -*
Protocol         -*
RemotePort       -*
LocalPort        -*
IPSecProtocol    AH
IPSecMode        TRANSPORT
RemoteGWIPAddr   *
SABundleIndex    NONE
Direction        BIDIRECT
Action           APPLY
InterfaceIndex   0
After you put a semicolon at the end of the line, edit “thesis.sad”:
Field Name       Value for Line 1              Value for Line 2
SAEntry          2                             1
SPI              3001                          3000
SADestIPAddr     fec0::1:20a:5eff:fe22:afd6    fec0::1:20a:5eff:fe22:afd6
DestIPAddr       POLICY                        POLICY
SrcIPAddr        POLICY                        POLICY
Protocol         POLICY                        POLICY
DestPort         POLICY                        POLICY
SrcPort          POLICY                        POLICY
AuthAlg          HMAC-MD5                      HMAC-MD5
KeyFile          myfile.key                    myfile.key
Direction        OUTBOUND                      INBOUND
SecPolicyIndex   2                             2
Don't forget the semicolons at the end of each line, and then create a “myfile.key” on client2 as well, containing the same word(s) as on client1.
In order to load the security associations and the security policy on a PC you have to type the following command on each client:
ipsec6 l thesis
In case you made an error in creating one of the files you will get a message that the security association or the security policy could not be added. One of my problems was that in the first try I used tab stops instead of spaces (the error message was about an invalid address range), and another problem was that I had too many spaces in each line (the error message is something like “line too long”). Simply remove some of the spaces and it will work. Don't wonder if it tells you only one security policy was added: the one that already was in the file is loaded by default upon startup. (The command we used in the beginning, “ipsec6 s thesis”, simply looks on your computer for the security associations and policies available and prints them to a file. If you ran the same command now, it would print the new data we added to the files.) Please keep in mind that the policies and associations added by this technique are not persistent and have to be loaded manually after startup. To see which security associations are set at the moment, type:
ipsec6 sa
To do the same for security policies use:
ipsec6 sp
If you want to delete the Security Association number 2 type:
ipsec6 d sa 2
You can use a similar command for deleting Security Policy number 2:
ipsec6 d sp 2
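The load errors described above can be caught before running “ipsec6 l”. The following added example (my own code, not part of ipsec6 or the thesis) checks the entry lines of a *.spd or *.sad text against the rules this section states: every entry ends with a semicolon, fields are separated by single spaces rather than tabs, and entry indices descend. The sample content is constructed from the SAD table for client1; the field order follows that table, and treating lines without a leading numeric index as header lines is an assumption.

```python
# Constructed *.sad content in the field order of the two-column table above
# (SAEntry SPI SADestIPAddr DestIPAddr SrcIPAddr Protocol DestPort SrcPort
# AuthAlg KeyFile Direction SecPolicyIndex); the file syntax is assumed.
SAD_OK = """\
2 3001 fec0::1:250:baff:fe17:2d3d POLICY POLICY POLICY POLICY POLICY HMAC-MD5 myfile.key OUTBOUND 2;
1 3000 fec0::1:250:baff:fe17:2d3d POLICY POLICY POLICY POLICY POLICY HMAC-MD5 myfile.key INBOUND 2;
"""

# The same entries with the three mistakes the text reports: a tab stop,
# a doubled space and a missing trailing semicolon.
SAD_BROKEN = """\
2\t3001 fec0::1:250:baff:fe17:2d3d POLICY POLICY POLICY POLICY POLICY HMAC-MD5 myfile.key OUTBOUND 2;
1 3000  fec0::1:250:baff:fe17:2d3d POLICY POLICY POLICY POLICY POLICY HMAC-MD5 myfile.key INBOUND 2
"""


def lint_ipsec6_file(text):
    """Return a list of (line_number, problem) tuples; an empty list means
    the entries pass every check.  Blank lines, '#' comments and lines that
    do not start with a numeric index (assumed to be headers) are skipped."""
    problems = []
    previous_index = None
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.rstrip(";").split()
        if not fields or not fields[0].isdigit():
            continue
        if "\t" in line:
            problems.append((number, "tab stop used instead of a space"))
        if "  " in stripped:
            problems.append((number, "more than one space between fields"))
        if not stripped.endswith(";"):
            problems.append((number, "missing trailing semicolon"))
        index = int(fields[0])
        if previous_index is not None and index >= previous_index:
            problems.append((number, "entries must be in decreasing index order"))
        previous_index = index
    return problems


if __name__ == "__main__":
    print("clean file:", lint_ipsec6_file(SAD_OK))
    for number, problem in lint_ipsec6_file(SAD_BROKEN):
        print(f"line {number}: {problem}")
```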
Now we are able to try our ipsec6 implementation by pinging the host with the address used in the files (I tried this with link-local addresses with zone ID and site-local addresses consecutively). When pinging the other client you can see the Authentication Header appended to each packet:

Figure 5.20: ping from client1 (wiggum) to client2 (flanders) with Authen-
tication Header

Above you see one of the ICMPv6 packets sent by client1 and below you have the details containing the Authentication Header. You can see the SPI set above as well (0xbb9 = 3001). This all looks pretty good, and everything worked except for the echo reply when using ipsec6. I guess I tried this ten times and always had the same result: the ping goes out but no reply is sent back (time-out). I did not find any errors reported in the event log, nor when I looked at the ICMPv6 errors (netstat -s -p icmpv6). Because I was already in contact with Microsoft, I asked them if ipsec6 worked for them and got the answer, from someone my mails concerning IPv6 were forwarded to, that this only works sometimes when he configures it and, because it is not for production use anyway, it wouldn't be that interesting. He also assured me Windows Vista would have better IPsec support for IPv6.
And so my ping never came back ...
But, of course, I was eager to try something providing this functionality and therefore I tried OpenSWAN on Linux.

5.6.19 encryption: OpenSWAN

To be precise, there are two ways of sending your packets when encrypting: tunnel mode and transport mode. In transport mode (which I chose) only the payload is encrypted and the IP header is left in the clear, while in tunnel mode the whole packet is encrypted and a new header is prepended. IPsec, as seen before, needs the exchange of keys in order to provide authenticated and encrypted communication. There are two ways of providing authentication: through pre-shared keys (simple) or by using RSA keys. I chose to have a pre-shared key environment in my lab. The next thing to choose is which IKE daemon you want to use: on one side there is “racoon” and on the other “pluto”, which is said to be a bit less difficult to configure. “Racoon” is derived from the KAME project and “pluto” is included in distributions from the *S/WAN projects. The first project was FreeS/WAN, which ended in 2004 and produced two successors: strongSWAN and OpenSWAN. I decided to use OpenSWAN. Configuring OpenSWAN is not a big deal. You start with the config file /etc/ipsec.conf (on marge.sylvia.test):
version 2.0
config setup
include /etc/ipsec.d/examples/no_oe.conf
conn ipv6-p1-p2
    connaddrfamily=ipv6
    left=2001:16d8:ff47:1203:2::5
    right=2001:16d8:ff47:1203:2::1
    authby=secret
    esp=aes128-sha1
    ike=aes128-sha-modp1024
    type=transport
    compress=no
    auto=add

The line “conn ipv6-p1-p2” defines the connection to use, for you can define multiple connections to multiple hosts. This connection is established between marge.sylvia.test, 2001:16d8:ff47:1203:2::5, here defined as “left”, and bart.sylvia.test, 2001:16d8:ff47:1203:2::1, here denoted as “right”. Please note that this config file is taken from marge.sylvia.test. The only line specific to IPv6 is “connaddrfamily=ipv6”. The pre-shared key authentication (authby=secret), the ESP and IKE cipher suites and the mode of usage (transport) are also defined here.
The next, and last, step is to provide a key. This is done by setting the key used between these hosts in the file /etc/ipsec.secrets:

2001:16d8:ff47:1203:2::5 2001:16d8:ff47:1203:2::1 : PSK "foo"
Setting the same options on the second host participating in this encrypted communication (bart.sylvia.test) is the last step here. (For anything beyond a lab, use a long random pre-shared key instead of “foo” and keep /etc/ipsec.secrets readable by root only.) Now we have to test our configuration.
Start IPsec with
/etc/init.d/ipsec start
Then the specific connection you want to use (mine is called “ipv6-p1-p2”) has to be brought up on one of the peers by typing:
ipsec auto --up ipv6-p1-p2
You should see the following output, with the line “IPsec SA established” proving that the payload is now encrypted between these two hosts:
104 "ipv6-p1-p2" #1: STATE_MAIN_I1: initiate
003 "ipv6-p1-p2" #1: received Vendor ID payload [Openswan (this version) 2.4.0 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "ipv6-p1-p2" #1: received Vendor ID payload [Dead Peer Detection]
106 "ipv6-p1-p2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "ipv6-p1-p2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "ipv6-p1-p2" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
117 "ipv6-p1-p2" #2: STATE_QUICK_I1: initiate
004 "ipv6-p1-p2" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x4701be00 <0xd52c991d xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
The “setkey” command, e.g. “setkey -D”, will also give you detailed information on a running IPsec environment.

Figure 5.21: pinging and digging between marge (ns1) and bart, encrypted

Above you can see some packets from the communication between marge and bart. These were some ICMP echo requests and replies and a dig command. I know this because I did this sniff; the data is of course encrypted and you cannot figure out what really happened ;o). The protocol used is ESP, Encapsulating Security Payload. The IP header, on the other hand, is plain text.
Note: There are several other daemons for configuring a Virtual Private Network: Linux has implemented IPsec features you can use with kernel 2.6.x, yavipin 0.9.6, OpenVPN 1.6.0, FreeS/WAN 2.06, OpenSWAN 2.2.0 and strongSWAN 2.1.3.
Hint: You can also configure e.g. OpenSWAN to work with your Windows 2000 or Windows XP when using IPv4. [45]

5.6.20 Remote control: ssh

Another important application is remote login using SSH. SSH and sshd for Linux both support IPv6 since version 3.6.1. You can use the command “ssh” either with the hostname or with the IP address; both ways work.
Windows does not supply an IPv6-capable SSH client, but I'd recommend using PuTTY (v0.58) on Windows-based clients. Simply put in the hostname, the FQDN or the IPv6 address and everything will just work without trouble.

Figure 5.22: SSH using PuTTY from nelson (2001:16d8:ff47:1203:2::22) to marge (ns1.sylvia.test)

5.6.21 VNC: TightVNC

Virtual Network Computing is a platform-independent desktop-sharing system which can be used via IPv6 using a patched version [46]. TightVNC is available for Windows and Linux and works pretty quickly. I experienced some trouble when running the WinVNC server on Windows XP, but it may have something to do with the huge CPU load on this PC. So I decided to run the TightVNC server on Windows 2003 (wiggum6.sylvia.test) and the client on this Windows XP (nelson6.sylvia.test). The connection only worked after I checked the option “Allow loopback connections” in the advanced settings of the WinVNC server (before I checked it I experienced the following error: “Local-loopback connections are disabled”).
TightVNC has an encrypted method of sending the password but does not supply encryption for the traffic itself. It is recommended to use VNC only on trusted networks, or via an encrypted tunnel on untrusted networks.

5.6.22 Remote control: telnet

Although Microsoft's telnet server is not IPv6-enabled per default, you can
use it. First simply check whether typing “telnet wiggum6” for connecting
to a Windows 2003 server running an IPv4 telnet server works. If not, you
can make it IPv6-enabled yourself. Because telnet is a protocol that does not
add any information to upper-layer PDUs, you can simply proxy the data.
Therefore you need a PortProxy proxying traffic destined for IPv6 port 23
to IPv4 port 23. This is done with:
netsh interface portproxy add v6tov4 23
When you “nmap -6” the host running the telnet server you can see the
port being open on IPv6 as well. Then I simply used PuTTY to establish a
connection using telnet, and here you can see it worked:

Figure 5.23: Telnet connection between nelson6 and wiggum6 (server)

5.6.23 Monitoring traffic: ntop

When monitoring traffic, established connections and things like protocol
use you will very likely use ntop. It's an easy-to-use graphical tool logging
traffic in your network and even drawing colorful graphs. But the best
thing is: you don't have to do anything in order to support IPv6. Here's
my overall protocol use graph:

Figure 5.24: Protocols used in my network

5.6.24 monitoring privoxy: webalizer

In order to use webalizer for privoxy you need to make some changes.
First create a new configuration file (note that I do not alter the old one:
since the IPv6 migration cannot be completed yet, I still want to keep an
eye on what squid is doing as well). This new configuration file is called
“/etc/webalizerPrivoxy.conf” and the following lines in it have to be changed:
LogFile /var/log/privoxy/logfile
LogType CLF
OutputDir /var/www/webalizerPrivoxy
You need to define a log file other than the default log file, because that
one is used for logging errors encountered when analyzing squid. Privoxy
uses a different LogType called Common Log Format, or CLF for short. If
you forget to put this here, webalizer will not be able to read the log files
produced by privoxy. The last thing that had to be changed is the OutputDir,
so that the two webalizer instances don't overwrite each other.
Note: If not done yet, you might need to set Privoxy to log in Common
Log Format. This is done in the config file by setting “debug 512”.
Last but not least you need to add an entry to the /etc/crontab for the new
instance of webalizer (“-c /etc/webalizerPrivoxy.conf” sets the configura-
tion file used to /etc/webalizerPrivoxy.conf).

0 * * * * root webalizer -c /etc/webalizerPrivoxy.conf

Figure 5.25: Webalizer graph for privoxy

5.6.25 monitoring ports: nmap

Newer versions of nmap are IPv6-enabled per default but lack the different
scanning mechanisms for IPv6 like UDP scans. In order to use other
methods than -sT, -sP and -sL I found a nice patch on the internet.
First you need an older version of nmap, “nmap-2.54BETA36”, which you
can get from the code repository at http://www.insecure.org/nmap/dist-old/.
After unzipping and untarring I changed the install directory in the
configure file in order not to interfere with the existing nmap
installation. The next thing is to patch the sources using the patch found at
http://nmap6.sourceforge.net:
patch -d <nmap-2.54BETA36 location> < <nmap-2.54BETA36_ipv6.diff location>
After patching the sources run
./configure
make
su
make install
and try it with e.g. a localhost UDP scan:
./nmap -6 -sU -P0 ::1

5.6.26 firewall: iptables

Although iptables can filter IPv6 traffic as well, stateful filtering is
only available with Linux kernel 2.6.12 and higher. Since I do not have
a computer with this kernel version, I only implemented an IPv6 firewall
with stateless packet filtering. See the appendix for my firewall
implementation.
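As an added example of what the stateless restriction means in practice (example code, not the firewall from the appendix): without connection tracking there is no ESTABLISHED match, so replies to outbound connections have to be admitted by TCP flags and source ports, and ICMPv6 must stay open because Neighbor Discovery runs over it. The interface name eth0 and the offered service port 22 are assumptions; the function only prints the ip6tables commands so they can be reviewed before being run.

```shell
#!/bin/sh
# Added example: generate a stateless ip6tables INPUT policy for a host
# without IPv6 connection tracking.  Nothing is applied; the commands are
# printed for review.  Assumptions: eth0 is the untrusted interface and
# tcp/22 is the only service offered on it.

ip6_stateless_rules() {
    wan="${1:-eth0}"        # untrusted interface (assumption)
    svc_ports="${2:-22}"    # TCP services offered on $wan (assumption)

    echo "ip6tables -P INPUT DROP"
    echo "ip6tables -P FORWARD DROP"
    echo "ip6tables -F INPUT"
    echo "ip6tables -A INPUT -i lo -j ACCEPT"
    # Everything that does not arrive on the untrusted interface is trusted.
    echo "ip6tables -A INPUT ! -i $wan -j ACCEPT"

    # ICMPv6 is not optional on IPv6: types 133-136 carry Neighbor
    # Discovery (router/neighbor solicitation and advertisement), 1-4 are
    # the error messages including Packet Too Big (path MTU), 128/129 echo.
    for t in 1 2 3 4 128 129 133 134 135 136; do
        echo "ip6tables -A INPUT -p icmpv6 --icmpv6-type $t -j ACCEPT"
    done

    # Offered services: the destination port match covers the whole flow.
    for p in $svc_ports; do
        echo "ip6tables -A INPUT -i $wan -p tcp --dport $p -j ACCEPT"
    done

    # Stateless substitute for ESTABLISHED: accept TCP segments that are not
    # a bare SYN (SYN-ACK, ACK, FIN, RST of flows this host opened).  The
    # price is that ACK/FIN probes to closed ports reach the stack; a
    # 2.6.12+ kernel with conntrack would not need this rule at all.
    echo "ip6tables -A INPUT -i $wan -p tcp ! --syn -j ACCEPT"

    # UDP has no flags: replies to our DNS and NTP queries can only be
    # recognised by their source port, which any sender can choose.
    for p in 53 123; do
        echo "ip6tables -A INPUT -i $wan -p udp --sport $p -j ACCEPT"
    done

    # Log what falls through before the DROP policy takes it.
    echo "ip6tables -A INPUT -i $wan -j LOG --log-prefix 'ip6 drop: '"
}

# Print the rule set for review.
ip6_stateless_rules eth0 22
```

Pipe the output to sh as root to apply it; the comments mark the two heuristics that a kernel with IPv6 connection tracking replaces with a single ESTABLISHED rule.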

5.7 Testing

Now that most of the services in use have been migrated, or replaced by
some other service where migration was not possible, let's take a quick look
at testing the network for performance issues. When working with IPv4 I
could find loads of applications testing more or less important network
features, but with IPv6 the software to choose from is very limited. When I
asked the participants of the users@ipv6.org newsgroup, most of them told
me that they were writing their tests themselves, like measuring the time it
takes to put or get a file using FTP.

5.7.1 iperf

I use iperf version 2.0.2 with native IPv6 support. The handling for IPv6 is
pretty much the same as for IPv4. The server is started using
iperf -V -s
and the client is started with:
iperf -V -c <ServerAddress>
I tested the connection between bart (server) and marge (client). The
ServerAddress can be supplied either as FQDN or as IPv6 address.

Figure 5.26: iperf using IPv6

Iperf also works with Windows and therefore is the only IPv6 testing tool
from which significant conclusions can be drawn.

5.7.2 Netserver/ Netperf

Netserver and its client netperf were also used in my IPv4 testing run;
IPv6 testing is supported from version 2.3 on, for Linux only.
Start the server using:
netserver -6 -p 123456
on port 123456, and the client by typing:
netperf -H <ServerAddress> -6 -p 123456
ServerAddress again can be FQDN or the IPv6-address.

Figure 5.27: netserver/ netperf using IPv6

5.7.3 Smokeping

Smokeping can easily be configured for use with IPv6. You simply need
to use fping6 instead of fping in the configuration file. But let's start
step by step. First I downloaded the fping6 utility at
http://unfix.org/profects/ipv6/fping-2.4b2_to-ipv6.tar.gz. Then I edited the
following lines in the /etc/smokeping/config file in order to support IPv6:
*** Probes ***
+ FPing6
binary = /usr/sbin/fping6
*** Targets ***
probe = FPing6
Since smokeping does not support IPv4 and IPv6 within one config file and
I wanted to graph both IPv4 and IPv6 round-trip times, I simply had to run
two instances of smokeping. First I copied the config file I used for IPv4
and made the changes written above. Then, in the “General” section, I
had to change the *.pid file used, because the default pid file is used by the
IPv4 instance of smokeping. The next step is to change the output file to

cgiurl = http://snowball/cgi-bin/smokepingv6.cgi
Besides setting the new targets to IPv6 addresses this is all that had to
be done concerning the configuration file. The next problem was that
smokeping per default uses “/etc/smokeping/config” and I could not
find a way to set a path to another config file. Instead of searching for a
command-line option I simply copied the smokeping executable
“/usr/sbin/smokeping”, renamed it to “/usr/sbin/smokepingv6” and edited
the line defining which configuration file to use:
Smokeping::main("/etc/smokeping/configv6");
Now you can run smokeping and smokepingv6 on one PC.
See the Code Appendix for the whole configuration file. Below you can
see the ICMPv6 round-trip graph for snowball generated on marge.

Figure 5.28: Smokeping running on marge: snowball.sylvia.test

5.7.4 mrtg/ SNMP [47]

The first step is to make snmpd listen on IPv6. This is done in
“/etc/default/snmpd” by editing the value of the parameter SNMPDOPTS:
SNMPDOPTS='-Lsd -Lf /dev/null -p /var/run/snmpd.pid udp6:161 udp:161'
For Linux kernels 2.6.x you have to explicitly allow both IPv4 and IPv6.
Then the /etc/snmp/snmpd.conf file has to be changed. I chose a very
simple way and just added:
rwcommunity6 public
Now SNMP is ready for testing.
snmpwalk -v 1 -c public udp6:[::1] sysname
snmpwalk -v 1 -c public udp6:[2001:16d8:ff47:1203:2::1] sysname
The latter asks 2001:16d8:ff47:1203:2::1 for its sysname (see the sniff be-
low).

Figure 5.29: SNMP using IPv6 between marge (ns1.sylvia.test) and bart
(bart6.sylvia.test)

Now, the only thing left is the configuration of mrtg. As you might
remember, mrtg uses a *.cfg file for each host monitored. What you have
to do now, in order to have SNMP traffic via IPv6 when using mrtg, is to
copy the IPv4 configuration file for each host you also want to monitor
using IPv6.
First of all enable IPv6 by setting:
EnableIPv6: yes
Then make sure that you choose new names for the graphs (otherwise it
would overwrite the IPv4 ones) and we are done (see the whole config file
in the Code Appendix). Create the html file with:
indexmaker -output=/var/www/mrtg/bart6.html /etc/mrtgbart6.cfg
Before mrtg can graph something you need to poll some data manually by
typing the following command a few times:
mrtg /etc/mrtgbart.cfg
If this worked without errors you can append the command above to your
crontab and look at the output at http://marge.sylvia.test/mrtg/bart6.html.

Figure 5.30: mrtg for bart6.sylvia.test

Note: Please keep in mind that the only thing changed is the protocol used
for querying SNMPd. The data queried is the same as within the
IPv4-based configuration files. In order to have IPv6-specific data
you have to include ipv6-MIBs!

Windows: Windows does not support SNMP via IPv6.
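The snmpd.conf line used above, “rwcommunity6 public”, grants read-write access under a well-known community string to any IPv6 source; that is acceptable on an isolated test network but is the first thing to tighten on a production host (rocommunity6, a non-default string and a source prefix). The following added check, which is not part of the thesis, scans an snmpd.conf for community lines and reports write access, well-known names and missing source restrictions; the sample file it inspects is constructed for this example.

```shell
#!/bin/sh
# Added example: audit the community lines of a net-snmp snmpd.conf.
# Line syntax: (ro|rw)community[6] COMMUNITY [SOURCE [OID | -V VIEW]]
# A missing SOURCE (or the literal "default") means any host may query.
# One finding is printed per community line, severity first.

check_snmp_communities() {
    awk '
    $1 ~ /^(ro|rw)community6?$/ {
        mode = substr($1, 1, 2)                      # "ro" or "rw"
        fam  = ($1 ~ /6$/) ? "IPv6" : "IPv4"
        comm = $2
        # the third field is the SOURCE unless the view option starts there
        src  = ($3 != "" && $3 != "-V") ? $3 : "default"
        sev  = "info"; why = ""
        if (mode == "rw") {
            sev = "HIGH"; why = why "write access; "
        }
        if (comm ~ /^(public|private)$/) {
            sev = "HIGH"; why = why "well-known community; "
        }
        if (src == "default") {
            if (sev == "info") sev = "MEDIUM"
            why = why "no source restriction; "
        }
        printf "%s line %d: %s %s community \"%s\" from %s %s\n",
               sev, NR, fam, mode, comm, src, why
    }' "$1"
}

# Constructed sample: the setting from the thesis next to a restricted
# alternative (prefix and community string are made up for the example).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# snmpd.conf (constructed for this example)
rwcommunity6 public
rocommunity6 monitoring 2001:16d8:ff47:1203::/64 -V systemonly
rocommunity  monitoring 192.168.0.0/24
EOF
check_snmp_communities "$sample"
rm -f "$sample"
```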


Bibliography

[1] Peter Bieringer: Linux IPv6 HOWTO (2005). http://linuxreviews.org/howtos/networking/IPv6-LinuxHowto/en/index.html (2005-12-09)
[2] Digital Hermit, Kwan Lowe: Kernel Rebuild Guide (2003). http://www.digitalhermit.com/linux/Kernel-Build-HOWTO.html (2005-12-09)
[3] Microsoft, msdn: Microsoft IPv6 Technology Preview for Windows 2000 (2002). http://msdn.microsoft.com/downloads/sdks/platform/tpipv6.asp (2005-12-09)
[4] Microsoft: msdn (2004). http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wcetcpip/html/cmrefIpv6Adu.asp (2005-12-29)
[5] Microsoft, Download Center: IPv6 Technology Preview for Windows 2000 (2003). http://www.microsoft.com/downloads/details.aspx?FamilyId=27B1E6A6-BBDD-43C9-AF57-DAE19795A088&displaylang=en (2005-12-09)
[6] Microsoft, TechNet: The Cable Guy Using IPv6 Today (2001). http://www.microsoft.com/technet/community/columns/cableguy/cg0701.mspx (2005-12-09)
[7] Microsoft, Microsoft Windows Server 2003: IPv6 Protocol for the Windows Server 2003 Family: Frequently Asked Questions (2005). http://www.microsoft.com/windowsserver2003/techinfo/overview/ipv6faq.mspx (2005-12-09)
[8] Telscom: Configuration of IPv6 features (2004). http://www.telscom.ch/configuration_of_ipv6_features.htm (2005-12-27)
[9] Microsoft Windows Server System: Updating IPv6.exe Commands to Netsh Commands (2002). http://www.microsoft.com/windowsserver2003/technologies/ipv6/ipv62netshtable.mspx (2005-12-27)
[10] Microsoft TechNet: Netsh commands for Interface IPv6 (2005). http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/f953fa20-f037-4609-89eb-0178240f103b.mspx (2005-12-30)
[11] Narten, Draves: Privacy Extensions for Stateless Address Autoconfiguration in IPv6 - RFC 3041 (2001). ftp://ftp.isi.edu/in-notes/rfc3041.txt (2005-12-27)
[12] T. Chown: IPv6 Implications for TCP/UDP Port Scanning, draft-chown-v6ops-port-scanning-implications-00 (2003). http://www.6net.org/publications/standards/draft-chown-v6ops-port-scanning-implications-00.txt
[13] RIPE: Updating the RIPE Whois Database (2005). http://www.ripe.net/fcgi-bin/webupdates.pl (2005-12-27)
[14] SixXS: Heartbeat Information (2005). http://www.sixxs.net/tools/heartbeat/ (2005-12-27)
[15] SixXS: Automatic IPv6 Connectivity Client Utility (2005). http://www.sixxs.net/tools/aiccu/ (2005-12-27)
[16] SixXS: FAQ: Account: 10 easy steps to IPv6 (2005). http://www.sixxs.net/faq/account/?faq=10steps (2005-12-27)
[17] SixXS: Anything in Anything (AYIYA) (2005). http://www.sixxs.net/tools/ayiya/ (2005-12-27)
[18] IANA: INTERNET PROTOCOL VERSION 6 ADDRESS SPACE (2005). http://www.iana.org/assignments/ipv6-address-space (2005-12-28)
[19] Index of ftp://ftp.inr.ac.ru/ip-routing (2005). ftp://ftp.inr.ac.ru/ip-routing/iputils-current.tar.gz (2005-12-28)
[20] psavola: Linux IPv6 Router Advertisement Daemon (2005). http://v6web.litech.org/radvd/ (2005-12-28)
[21] Lars Fennberg: RADVD Introduction (1997). http://www.cs-ipv6.lancs.ac.uk/ipv6/systems/linux/faq/radvd.html (2005-12-28)
[22] Linux Reviews: man radvd.conf (2001). http://linuxreviews.org/man/radvd.conf/ (2005-12-28)
[23] Narten, Nordmark, Simpson: RFC 2461 - Neighbor Discovery for IP Version 6 (IPv6) (1998). http://www.faqs.org/rfcs/rfc2461.html
[24] Thomson, Bellcore, Narten: RFC 1971 - IPv6 Stateless Address Autoconfiguration (1996). http://www.dnsstuff.com/pages/rfc1971.htm (200-12-28)
[25] man: radvd (2001). http://linuxcommand.org/man_pages/radvd8.html (2005-12-28)
[26] Thomson, Bellcore, Narten: RFC 2462 - IPv6 Stateless Address Autoconfiguration (1998). http://www.faqs.org/rfcs/rfc2462.html
[27] Tomasz Mrugalski: Dibbler - a portable DHCPv6 (2005). http://klub.com.pl/dhcpv6/ (2005-12-28)
[28] Tomasz Mrugalski: Dibbler - a portable DHCPv6 Documentation (2005). http://klub.com.pl/dhcpv6/dibbler/dibbler-0.4.1-doc.tar.gz (2005-12-28)
[29] JOIN: Nameservice und IPv6 (2003). http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_IPv6-Nameservice.php (2005-12-29)
[30] Thomson, Huitema, Ksinant, Souissi: RFC 3596 - DNS Extensions to support IP version 6 (2003). http://rfc.net/rfc3596.html (2005-12-29)
[31] Bieringer, Baraldi, Piunno, Tortonesi, Toselli, Tumiati: Current Status of IPv6 support for networking applications (2004). http://www.deepspace6.net/docs/ipv6_status_page_apps.html (2005-12-29)
[32] Privoxy Developers: Privoxy - Home Page (2005). http://www.privoxy.org/ (2005-12-29)
[33] Glowiak: Mysql vs postgres (2005). http://monstera.man.poznan.pl/wiki/index.php/Mysql_vs_postgres (2005-12-30)
[34] PostgreSQL: Chapter 20. Client Authentication (2005). http://www.postgresql.org/docs/8.1/interactive/client-authentication.html#AUTH-PG-HBA-CONF (2005-12-30)
[35] Microsoft Windows Server System: Internet Protocol Version 6 (2005). http://www.microsoft.com/ipv6 (2005-12-30)
[36] lutchann: Samba IPv6 Support (2002). http://v6web.litech.org/samba/ (2005-12-30)
[37] Microsoft Windows Server 2003: Updates to Understanding IPv6 (2005). http://www.microsoft.com/downloads/details.aspx?FamilyID=42bf4711-27af-4c4c-8300-7bcf900de5c3&DisplayLang=en (2006-01-16)
[38] jason: Webdav in Apache2 to share Mozilla Thunderbird Calender or Sunbird (2005). http://nmglug.org/phorum/read.php?5,30,30 (2006-01-14)
[39] Kenichi Takahashi: Instant File Sharing with IPv6 and WebDAV (2003). http://www.ipv6style.jp/en/tryout/20030320/index.shtml (2006-01-14)
[40] Jun-ya KATO: ncFTP 3.1.8 (2005). http://win6.jp/NcFTP/index.html (2006-01-18)
[41] Jason Boxman: Configuring Exim and Courier IMAP under Debian GNU/Linux (2004). http://talk.trekweb.com/~jasonb/articles/exim_maildir_imap.shtml (2006)
[42] Bernhard Schmidt: Asterisk bounty IPv6 (2005). http://www.voip-info.org/wiki-Asterisk+bounty+IPv6 (2006-01-14)
[43] Rapaz: initial IPv6 VoIP patch (2005). http://www.voip-info.org/wiki/view/IPv6+VoIP (2006-01-14)
[44] Nate Mook: Microsoft P2p Not All Fun and Games Yet (2003). http://www.betanews.com/article/1046403618 (2006-01-16)
[45] Nate Carlson (2005). http://www.natecarlson.com/linux/ipsec-x509.php#installing (2006-01-17)
[46] Diego Andres Acosta: TightVNC over IPv6 (2004). http://jungla.dit.upm.es/~acosta/paginas/vncIPv6.html (2006-01-17)
[47] debian: Having v6 with Debian for the first time (2004). http://debian.fabbione.net/how.html (2006-01-18)

Chapter 6

Conclusion and Summary

In the preceding chapter you could see step by step that nearly anything
that has to be done in a network can be done using IPv6. It is important
for me to mention that not every service could be migrated, especially with
the Microsoft-based software used, and that there has not been much effort
yet to write software exploiting the advantages of IPv6. As you could see,
things that could not be migrated easily were e.g. Active Directory, which
could be replaced by an elaborate configuration of OpenLDAP, or ntp
clients using IPv6 for Windows systems. In fact, I do not consider the last
problem as very big, since it is not possible to run IPv6-only networks at
the moment. Besides such “unimportant” things like time synchronization,
Microsoft does not yet support DNS or SNMP querying using IPv6, which
is more important in a productive environment. As a little summary one
could say that a network running Linux-flavoured operating systems is
99% migratable while Windows systems simply impose more problems
in migrating.
One huge aspect of my thesis was to examine closely whether the
transition phase could also have taken place in a real productive
environment with people working on the services I migrated. In most of
the cases I have to say: yes. I think everybody will know from her or his
own experience that there are services that just crash while reconfiguring
them and you have to spend a few hours on them until they work again. I
guess such things just have to happen and in fact did happen in my
environment as well. Most of the services I migrated “simply” needed to
be configured for listening to IPv6 requests as well and therefore just had
to be reconfigured. Therefore you could say that the time the service was
offline was confined to the time the restart of the service took. On the
other hand, to be perfectly sure that your migration does not collide with
important services like database or file access, I'd recommend you to try
them after hours in case troubles occur.
This thesis and the actual migration of a network it contains were made
under the condition that the services provided via IPv4 can also be
accessed using IPv6. I started with Windows 2000 server, only to find out
during migration that running IPv6 services on Windows-based machines
is a bad idea. This is the point where I have to complain about the
information provided by Microsoft regarding IPv6. I think I found 20
homepages telling me that Windows systems support IPv6 and how you
can ping each other, but as soon as you get to the point where you really
need detailed facts like “Does Active Directory support IPv6?”, you are
lost. I guess it took me a few months (on web searches, newsgroups,
forums, writing to Microsoft) to get the answer “no”, and that is what I
want to criticise. Microsoft is the most popular operating system in the
world and is afraid to tell its customers what the software is capable of,
or so it seems. To be honest, I don't really see the point in providing half
of the information except if you want to conceal something. My tip: write
what your software can do and what it can't; it saves huge amounts of
time when using your software. Concerning my experiences with Microsoft
I also want to thank Microsoft Austria's Academic Relations Manager Mr.
Schabus for providing contact with someone at Microsoft really working
with IPv6 and providing me with honest answers.
The fact that I needed to switch to different operating systems and services
within the transition is the reason why there are no significant testing or
benchmarking results. Every throughput or bandwidth test made in the
IPv4-only network is no longer comparable with tests you would make
now in an IPv4/IPv6 environment. Things like neighbor discovery or
duplicate SNMP queries (IPv4 and IPv6) would also affect IPv4 traffic, for
which I have no IPv4 values I can really compare. In addition to this, the
use of different services than before imposes a problem as well, for their
performance will highly influence the results.
This brings me to the advantages and disadvantages of IPv6. To be
completely honest, I really loved working with IPv6. There is only a small
community in the European region working on problems concerning IPv6
and you quickly get to know everyone from newsgroups, etc. It really
is fun working together and helping each other with problems most
IT professionals have not dealt with before (of course, this can also be
pretty hindering when you have a problem, google it and get something
like two results, both in strange languages). In my opinion, the advantages
of IPv6 are obvious: we have the huge address space bringing mobile
computing and peer-to-peer computing to the next level, we have
encrypted and authenticated traffic for securing your company from its
employees and we have huge improvements concerning prioritized traffic
like video streams and autoconfiguration of hosts. These advantages and a
relatively easy transition will make IPv6 more and more important in the
next years. At the moment, I have to confess, switching to IPv6 only is
something for those wanting to be on the pulse of technology. Today its
benefits may not be enough to deploy IPv6 all over the company, but it is
good to be aware of this technology very early, for it will become
predominant very soon. Today it might only be “cool” to tell your
customers that you have already updated your company to IPv6; in a few
years it will be standard, and that's why I want to propagate IPv6 with
this thesis. Since IPv6 builds on the basic structure IPv4 has used, there
are not really “disadvantages” you are not used to from using IPv4. One
thing that might be something like a “disadvantage” is the training of the
IT staff, which will cost money and time, as you always have with new
versions of anything, but this money is not lost. Always keep in mind that
using IPv6 today and trying its features only facilitates the things you
have to do the day IPv6 has to be used. It's an investment in the future of
network technology and will bring money in return. Even today big
companies have already saved large sums by using the autoconfiguration
techniques provided instead of configuring manually. Think also of the
benefits you have when doing secure communication without tunneling
over the internet or when having road warriors in your company.
Another point I want to mention at the end is the financial aspect of
migrating. I did not really have to buy additional hardware for my needs,
but if I had wanted to use my Cisco routers and switches I would have
needed additional software and memory, for which I did not find a
sponsor (so I stuck to using hubs and Linux routers). In the field of VoIP
you would need different hardware as well, but as long as asterisk does
not fully support IPv6 there was no need to look for it. I did not
experience many problems with software compatibility, since most of my
services run on Linux and therefore Open Source solutions are available.
On the other hand, I did not manage to find a free ntp client running IPv6
for Windows; I guess that's pretty much all I needed from the hardware
and software side.
When it comes to information gathering I have to confess: yes, I bought
“Understanding IPv6” and another IPv6 theory book (which in fact I did
not read), both a few Euros each. The most expensive thing in the whole
migration of my test network was, of course, the time I spent on it. It is
very hard to define how much time it took me to migrate my services
(since I had to do different things besides) but it might be something
about 23 to 30 days (Monday - Friday: 9-11 hours a day, Saturdays and
Sundays 4-5 hours a day). You might guess that this is just an estimated
value, which also includes the time I spent reading about the new protocol.
As the very last paragraph in this master thesis I again want to assure
everyone who does not yet believe me: IPv4 will be outdated soon and
IPv6 is, if some additional work is done, the perfect successor. Again I
want to thank everyone making this project possible and everyone reading
this thesis to the end :-) .
Appendix

Chapter 7

Configuration Files

The first part of the Appendix is intended to provide all configuration
files mentioned in the thesis. As I have always been glad when people
provided me with their full configuration files for services I was just
trying to install, I'll put in here everything I configured throughout my
research. Because I only had to see whether the basic concepts work, you
won't find any security issues covered. So if you are searching for
quick-and-dirty solutions you are invited to take a look. (Lines that were
commented out in the initial config file are left out or shortened.)

7.1 IPv4 related configuration

7.1.1 APT

/etc/apt/sources.list
deb http://ftp.tu-graz.ac.at/mirror/debian unstable main non-free contrib


7.1.2 Asterisk

/etc/zaptel.conf
loadzone=at
defaultzone=at
# for our TDM31: 1* FXO + 3* FXS
# slot 1 at the connectors
fxoks=1-3
fxsks=4

/etc/asterisk/asterisk.conf
[directories]
astetcdir => /etc/asterisk
astmoddir => /usr/lib/asterisk/modules
astvarlibdir => /var/lib/asterisk
astagidir => /var/lib/asterisk/agi-bin
astspooldir => /var/spool/asterisk
astrundir => /var/run
astlogdir => /var/log/asterisk
; Changing the following lines may compromise your security.
;[files]
;astctlpermissions = 0660
;astctlowner = root
;astctlgroup = apache
;astctl = asterisk.ctl

/etc/asterisk/extensions.conf

; extensions.conf on maggie, server at the BFI head office


;
[general]
;
static=yes
;
writeprotect=no
;
autofallthrough=yes
;
clearglobalvars=no
; The "Globals" category contains global variables that can
; be referenced in the dialplan with ${VARIABLE} or
; ${ENV(VARIABLE)} for Environmental variable
[globals]
CONSOLE=Console/dsp ; Console interface for demo
2210=misdn/1/10 ; switchboard
2211=misdn/1/11 ; Natalie FREILER
2212=misdn/1/12 ; Peter
2213=misdn/1/13 ; Jürgen GRANDITS
2214=misdn/1/14 ; Thomas MÜLLNER
2215=misdn/1/15 ; Susanne STIPSITS
2216=misdn/1/16 ; Eveline WEINHOFER
2217=misdn/1/17 ; Sabine SWATEK-VENUS
2218=misdn/1/18 ; Anita DIENER
2219=misdn/1/19 ; staff room
2220=misdn/1/20 ; Johanna EBERL
2221=misdn/1/21 ; Anita IMREK
2222=misdn/1/22 ; Dorli CSECSINOVITS
2223=misdn/1/23 ; Hotline
2224=misdn/1/24 ; Baldur FLECK
2225=misdn/1/25 ; Karl SCHUH
2232=misdn/1/32 ; Rudolf ERKINGER
2235=misdn/1/35 ; Tamara TAUS
2236=misdn/1/36 ; Andreas GRABNER
;
2921=SIP/2921 ; grandstream bt100
2925=SIP/2925 ; grandstream 2000
2936=SIP/2936 ; allnet 7950
;2314=Zap/4
;211=Zap/1
;212=Zap/2
;213=Zap/3
;
[macro-voicemail]
; for SIP phones
exten => s,1,Dial(${ARG1},20,tr)
exten => s,2,Goto(s-${DIALSTATUS},1)
exten => s-NOANSWER,1,Voicemail(u${MACRO_EXTEN})
exten => s-NOANSWER,2,Hangup()
exten => s-BUSY,1,Voicemail(b${MACRO_EXTEN})
exten => s-BUSY,2,Hangup()
exten => _s-.,1,Goto(s-NOANSWER,1)
;
[macro-standard]
exten => s,1,Dial(${ARG1},20,tr)
exten => s,2,Hangup()
;
[macro-isdn-voicemail]
exten => s,1,Dial(${ARG1})
exten => s,2,Goto(s-${DIALSTATUS},1)
exten => s-NOANSWER,1,Voicemail(u${MACRO_EXTEN})
exten => s-NOANSWER,2,Hangup()
exten => s-BUSY,1,Voicemail(b${MACRO_EXTEN})
exten => s-BUSY,2,Hangup()
exten => _s-.,1,Goto(s-NOANSWER,1)
;
; =======================================================
; for incoming calls
;
[default]
exten => s,1,Answer()
exten => s,2,Playback(demo-nogo)
exten => s,3,Hangup()
;
[unauth]
exten => s,1,Answer()
exten => s,2,Playback(demo-nogo)
exten => s,3,Hangup()
;
[voll]
include => demo
include => intern
include => filiale
include => national
include => international
include => always-out-amt
;
[in-isdn]
; calls coming from isdn
; can be called depending on the MSN (unfortunately only 3)
exten => 50,1,Macro(voicemail,${2221})
exten => 511,1,Macro(voicemail,${2225})
exten => 512,1,Macro(voicemail,${2236})
;
[iax-intern-in]
exten => _22XX,1,GoTo(intern,${EXTEN},1)
;
;===========================================================
; outgoing calls
;
[demo]
; Create an extension, 2998, for dialing the
; Asterisk demo.
;
exten => 2998,1,Playback(demo-abouttotry)
; Let them know what’s going on
exten => 2998,n,Dial(IAX2/guest@misery.digium.com/s@default)
; Call the Asterisk demo
exten => 2998,n,Playback(demo-nogo)
; Couldn’t connect to the demo site
exten => 2998,n,Hangup()
;
; Create an extension, 2399, for evalating echo latency.
;
exten => 2999,1,Playback(demo-echotest)
; Let them know what’s going on
exten => 2999,n,Echo
; Do the echo test
exten => 2999,n,Playback(demo-echodone)
; Let them know it's over
exten => 2999,n,Hangup()
;;
[intern]
; all phones at the server's site are called here;
; the IAX calls from the branch offices also come directly in here
; users with voicemail
exten => 2210,1,Macro(isdn-voicemail,${2210})
exten => 2211,1,Macro(isdn-voicemail,${2211})
exten => 2212,1,Macro(isdn-voicemail,${2212})
exten => 2213,1,Macro(isdn-voicemail,${2213})
exten => 2214,1,Macro(isdn-voicemail,${2214})
exten => 2215,1,Macro(isdn-voicemail,${2215})
exten => 2216,1,Macro(isdn-voicemail,${2216})
exten => 2217,1,Macro(isdn-voicemail,${2217})
exten => 2218,1,Macro(isdn-voicemail,${2218})
exten => 2219,1,Macro(isdn-voicemail,${2219})
exten => 2220,1,Macro(isdn-voicemail,${2220})
exten => 2221,1,Macro(isdn-voicemail,${2221})
exten => 2222,1,Macro(isdn-voicemail,${2222})
exten => 2223,1,Macro(isdn-voicemail,${2223})
exten => 2224,1,Macro(isdn-voicemail,${2224})
exten => 2225,1,Macro(isdn-voicemail,${2225})
exten => 2232,1,Macro(isdn-voicemail,${2232})
exten => 2235,1,Macro(isdn-voicemail,${2235})
exten => 2236,1,Macro(isdn-voicemail,${2236})
;
exten => 2921,1,Macro(voicemail,${2921})
exten => 2925,1,Macro(voicemail,${2925})
exten => 2936,1,Macro(voicemail,${2936})
; users without voicemail
;exten => 2314,1,Macro(standard,${2314})
;
; for our voiceMailSystem to call it
exten => 2290,1,Ringing
exten => 2290,2,Wait(2)
exten => 2290,3,VoicemailMain
;
; Or a conference room (you’ll need to edit
; meetme.conf to enable this room)
;exten => 8600,1,Meetme(1234)
;
; for invalid numbers and timeouts
exten => i,1,Playback(pbx-invalid)
exten => i,2,Hangup()
exten => t,1,Playback(vm-goodbye)
exten => t,2,Hangup()
;
; end of [intern]
;
;
[filiale]
exten => _23XX,1,Dial(IAX2/zur-inform/${EXTEN})
exten => _23XX,2,Hangup
exten => _23XX,102,Hangup
;
exten => _24XX,1,Dial(IAX2/nach-jo/${EXTEN})
exten => _24XX,2,Hangup
exten => _24XX,102,Hangup
;
;exten => _33XX ??
;
;exten => _44XX ??
;
[always-out-amt]
; emergency calls using ISDN
exten => _1XX,1,Dial(misdn/1/${EXTEN})
exten => _1XX,2,Congestion
exten => _1XX,3,Hangup
exten => _1XX,102,Congestion
exten => _1XX,103,Hangup
;
[local]
; users can only call within the city
; subscribers can only make local calls;
; the outside line is obtained with 0, which is removed again in the
; Dial command because mISDN is connected to a trunk line
exten => _0N.,1,Dial(misdn/1/${EXTEN:1})
;
[national]
; users can not call foreign countries
; subscribers can only make long-distance calls within the country;
; the outside line is obtained with 0, which is removed again in the
; Dial command because mISDN is connected to a trunk line
exten => _00X.,1,Dial(misdn/1/${EXTEN:1})
;
[international]
; international calls
; subscribers can also make long-distance calls abroad;
; the outside line is obtained with 0, which is removed again in the
; Dial command because mISDN is connected to a trunk line
exten => _000X.,1,Dial(misdn/1/${EXTEN:1})

/etc/asterisk/iax.conf
; Inter-Asterisk eXchange driver definition
;
[general]
bindport=4569 ; bindport and bindaddr may be specified
language=de
bandwidth=low
;allow=all ; same as bandwidth=high
;disallow=g723.1 ; Hm... Proprietary, don’t use it...
disallow=lpc10 ; Icky sound quality... Mr. Roboto.
;allow=gsm ; Always allow GSM, it’s cool :)
;
jitterbuffer=no
forcejitterbuffer=no
;dropcount=2
;maxjitterbuffer=1000
;maxjitterinterps=10
;resyncthreshold=1000
;maxexcessbuffer=80
;minexcessbuffer=10
;jittershrinkrate=1
;trunkfreq=20 ; How frequently to send
; trunk msgs (in ms)
;
; You can disable authentication debugging to
; reduce the amount of debugging traffic.
;
authdebug=yes
;
tos=lowdelay
;
autokill=yes
;
;
; Guest sections for unauthenticated connection
; attempts. Just specify an empty secret, or
; provide no secret section.
;
[guest]
type=user
context=unauth
callerid="Guest IAX User"
;
;
[von-inform]
type=user
host=192.168.250.178
;host=192.168.123.5
context=iax-intern-in
trunk=yes
;
[zur-inform]
type=peer
host=192.168.123.5
;
[von-jo]
type=user
host=192.168.150.7
;username=elsylo
;secret=fanta4
context=intern
trunk=yes
;auth=md5,plaintext,rsa
;setvar=foo=bar
;notransfer=yes ; Disable IAX native transfer
;jitterbuffer=yes ; Override global setting
; an enable jitter buffer
; ; for this user
;callerid="Mark Spencer" <(256) 428-6275>
;deny=0.0.0.0/0.0.0.0
;accountcode=markster0101
;permit=209.16.236.73/255.255.255.0
;language=en ; Use english as default language
;
; Peers may also be specified, with a secret and
; a remote hostname.
;
[nach-jo]
type=peer
;username=elsylo
;secret=fanta4
host=192.168.150.7
;sendani=no
;host=asterisk.linux-support.net
;port=5036
;mask=255.255.255.255
;qualify=yes ; Make sure this peer is alive
;jitterbuffer=no ; Turn off jitter buffer
; for this peer
/etc/asterisk/indications.conf
[general]
country=at
[at]
description = Austria
ringcadance = 1000,5000
; Reference: http://www.itu.int/ITU-T/inr/forms/files/tones-0203.pdf
dial = 420
busy = 420/400,0/400
ring = 420/1000,0/5000
congestion = 420/200,0/200
callwaiting = 420/40,0/1960
dialrecall = 420
; RECORDTONE - not specified
record = 1400/80,0/14920
info = 950/330,1450/330,1850/330,0/1000
stutter = 380+420
[de]
description = Germany
; Reference: http://www.itu.int/ITU-T/inr/forms/files/tones-0203.pdf
ringcadance = 1000,4000
dial = 425
busy = 425/480,0/480
ring = 425/1000,0/4000
congestion = 425/240,0/240
callwaiting = !425/200,!0/200,!425/200,!0/5000,!425/200,!0/200,!425/200,!0/5000,!425/200,!0/200,!425/200,!0/5000,!425/200,!0/200,!425/200,!0/5000,!425/200,!0/200,!425/200,0
; DIALRECALL - not specified
dialrecall = !425/100,!0/100,!425/100,!0/100,!425/100,!0/100,425
; RECORDTONE - not specified
record = 1400/80,0/15000
info = 950/330,1400/330,1800/330,0/1000
stutter = 425+400
[hu]
description = Hungary
; Reference: http://www.itu.int/ITU-T/inr/forms/files/tones-0203.pdf
ringcadance = 1250,3750
dial = 425
busy = 425/300,0/300
ring = 425/1250,0/3750
congestion = 425/300,0/300
callwaiting = 425/40,0/1960
dialrecall = 425+450
; RECORDTONE - not specified
record = 1400/400,0/15000
info = !950/330,!1400/330,!1800/330,!0/1000,!950/330,!1400/330,!1800/330,!0/1000,!950/330,!1400/330,!1800/330,!0/1000,0
stutter = 350+375+400

/etc/asterisk/sip.conf
;
; SIP Configuration example for Asterisk
[general]
context=unauth
realm=ow.bfi-bgld.at
bindport=5060
bindaddr=0.0.0.0
srvlookup=yes
;tos=184
;tos=lowdelay
disallow=all
allow=alaw
;allow=ilbc
language=de
nat=no
;
;
[2925]
; Grandstream 2000
type=friend
host=dynamic
;host=192.168.160.xxx
defaultip=192.168.112.72
context=voll
username=2225
secret=2225
callerid="Karl Schuh" <2925>
mailbox=2225
reinvite=no
canreinvite=no
; dtmfmode: rfc2833 for Sipura, info for Grandstream
dtmfmode=info
qualify=1000
disallow=all
allow=gsm
allow=alaw
callgroup=1
pickupgroup=1
;
[2921]
; grandstream BT100
type=friend
username=2221
secret=2221
context=voll
callerid=Karl SCHUH <2921>
host=192.168.112.70
canreinvite=no
dtmfmode=info
disallow=all
allow=ulaw
allow=alaw ; Asterisk only supports g723.1 pass-thru!
mailbox=2221
pickupgroup=1
reinvite = no
qualify = 1000
[2936]
; Allnet 7950
type=friend
username=2236
secret=2236
context=voll
host=dynamic
defaultip=192.168.112.71
pickupgroup=1
callgroup=1
reinvite=no
canreinvite=no
qualify=1000
dtmfmode=info
mailbox=2236
disallow=all
allow=ulaw
allow=alaw
callerid="Andreas GRABNER" <2936>
[229]
; Turn off silence suppression in X-Lite
; ("Transmit Silence"=YES)!
; Note that Xlite sends NAT keep-alive packets,
; so qualify=yes is not needed
type=friend
user=229
secret=229
callerid="Sylvia SCHUH mobil" <229>
host=dynamic ; This device needs to register
defaultip=192.168.201.17
;reinvite=no
;canreinvite=no ; Typically set to NO if behind NAT
;disallow=all
allow=all
dtmfmode=rfc2833
context=verwalt
/etc/asterisk/zapata.conf
;
; Zapata telephony interface
;
; Configuration file
[channels]
;
language=de
usecallerid=yes
callwaiting=yes
echocancel=yes
echocancelwhenbridged=yes
;
rxgain=0.0
txgain=0.0
;
;
context=verwalt
;
group=2
;
signalling=fxo_ks
mailbox=211
callerid="Green Phone"<211>
channel => 1
;
signalling=fxo_ks
mailbox=212
callerid="Black Phone"<212>
channel => 2
;
signalling=fxo_ks
mailbox=213
callerid="Yellow Phone"<213>
channel => 3
;
context=in-amt
group=1
signalling=fxs_ks
callerid=asreceived
channel => 4

7.1.3 CUPS

/etc/cups/cupsd.conf:
######## Server Identity
######## Server Options
AccessLog /var/log/cups/access_log
DefaultCharset notused
ErrorLog /var/log/cups/error_log
LogLevel debug2
Printcap /var/run/cups/printcap
RemoteRoot karls
######## Fax Support
######## Encryption Support
######## Filter Options
User lp
Group lp
RunAsUser Yes
## added by me! mario!
######## Network Options
#Port 80
#Port 443
#Port 631
Listen *:631
######## Browsing Options
Browsing On
## windows troubleshooting
#BrowseAddress 192.168.200.255
###BrowseAddress 192.168.201.255
BrowseAddress 255.255.255.255
##windows troublesooting ende
######## Security Options
<Location />
Order Deny,Allow
Deny From None
Allow From All
</Location>
<Location /classes>
Order Deny,Allow
Deny From None
Allow From All
</Location>
<Location /classes/name>
Order Deny,Allow
Deny From None
Allow From All
</Location>
<Location /jobs>
Order Deny,Allow
Deny From None
Allow From All
</Location>
<Location /printers>
Order Deny,Allow
Deny From None
Allow From All
</Location>
<Location /printers/name>
AuthType Basic
AuthClass User
Order Deny,Allow
Deny From None
Allow From All
</Location>
<Location /admin>
AuthType BasicDigest
AuthClass Group
AuthGroupName sys
Order Deny,Allow
Deny From None
Allow From All
</Location>

/etc/cups/printers.conf

(automatically generated when you add a printer via the web interface)


# Printer configuration file for CUPS v1.2.0b1
# Written by cupsd on Sun 02 Oct 2005 06:31:01 PM CEST
<DefaultPrinter HP_LaserJet_1300>
Info HP LaserJet 1300
DeviceURI usb://HP/LaserJet%201300
State Idle
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
ErrorPolicy stop-printer
</Printer>

7.1.4 Apache2

/etc/apache2/apache2.conf
ServerRoot "/etc/apache2"
LockFile /var/lock/apache2/accept.lock
PidFile /var/run/apache2.pid
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
<IfModule prefork.c>
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 20
MaxRequestsPerChild 0
</IfModule>
<IfModule worker.c>
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>
<IfModule perchild.c>
NumServers 5
StartThreads 5
MinSpareThreads 5
MaxSpareThreads 10
MaxThreadsPerChild 20
MaxRequestsPerChild 0
AcceptMutex fcntl
</IfModule>
User www-data
Group www-data
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
ErrorLog /var/log/apache2/error.log
## include modules
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf
## include user configuration
Include /etc/apache2/httpd.conf
Include /etc/apache2/ports.conf
Include /etc/apache2/conf.d/[^.#]*
Alias /icons/ "/usr/share/apache2/icons/"
<Directory "/usr/share/apache2/icons">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<IfModule mod_negotiation.c>
<IfModule mod_include.c>
Alias /error/ "/usr/share/apache2/error/"
<Directory "/usr/share/apache2/error">
AllowOverride None
Options IncludesNoExec
AddOutputFilter Includes html
AddHandler type-map var
Order allow,deny
Allow from all
LanguagePriority en es de fr
ForceLanguagePriority Prefer Fallback
</Directory>
ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
ErrorDocument 410 /error/HTTP_GONE.html.var
ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
ErrorDocument 415 /error/HTTP_SERVICE_UNAVAILABLE.html.var
ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
</IfModule>
</IfModule>
DirectoryIndex index.html index.cgi index.pl index.php index.xhtml
AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
UseCanonicalName Off
TypesConfig /etc/mime.types
DefaultType text/plain
HostnameLookups Off
IndexOptions FancyIndexing VersionSort
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core
AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^
DefaultIcon /icons/unknown.gif
ReadmeName README.html
HeaderName HEADER.html
IndexIgnore .??* *~ *# HEADER* RCS CVS *,t
AddEncoding x-compress Z
AddEncoding x-gzip gz tgz
AddLanguage da .dk
AddLanguage nl .nl
AddLanguage en .en
AddLanguage et .et
AddLanguage fr .fr
AddLanguage de .de
AddLanguage el .el
AddLanguage it .it
AddLanguage ja .ja
AddLanguage pl .po
AddLanguage ko .ko
AddLanguage pt .pt
AddLanguage no .no
AddLanguage pt-br .pt-br
AddLanguage ltz .ltz
AddLanguage ca .ca
AddLanguage es .es
AddLanguage sv .se
AddLanguage cz .cz
AddLanguage ru .ru
AddLanguage tw .tw
AddLanguage zh-tw .tw
LanguagePriority en da nl et fr de el it ja ko no pl pt pt-br ltz ca es sv tw
AddCharset ISO-8859-1 .iso8859-1 .latin1
AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen
AddCharset ISO-8859-3 .iso8859-3 .latin3
AddCharset ISO-8859-4 .iso8859-4 .latin4
AddCharset ISO-8859-5 .iso8859-5 .latin5 .cyr .iso-ru
AddCharset ISO-8859-6 .iso8859-6 .latin6 .arb
AddCharset ISO-8859-7 .iso8859-7 .latin7 .grk
AddCharset ISO-8859-8 .iso8859-8 .latin8 .heb
AddCharset ISO-8859-9 .iso8859-9 .latin9 .trk
AddCharset ISO-2022-JP .iso2022-jp .jis
AddCharset ISO-2022-KR .iso2022-kr .kis
AddCharset ISO-2022-CN .iso2022-cn .cis
AddCharset Big5 .Big5 .big5
AddCharset WINDOWS-1251 .cp-1251 .win-1251
AddCharset CP866 .cp866
AddCharset KOI8-r .koi8-r .koi8-ru
AddCharset KOI8-ru .koi8-uk .ua
AddCharset ISO-10646-UCS-2 .ucs2
AddCharset ISO-10646-UCS-4 .ucs4
AddCharset UTF-8 .utf8
AddCharset GB2312 .gb2312 .gb
AddCharset utf-7 .utf7
AddCharset utf-8 .utf8
AddCharset big5 .big5 .b5
AddCharset EUC-TW .euc-tw
AddCharset EUC-JP .euc-jp
AddCharset EUC-KR .euc-kr
AddCharset shift_jis .sjis
AddType application/x-tar .tgz
<FilesMatch "\.shtml(\..+)?$">
SetOutputFilter INCLUDES
</FilesMatch>
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
Include /etc/apache2/sites-enabled/[^.#]*

7.1.5 dhcpd

/etc/dhcp3/dhcpd.conf

# no dns update is done when lease is confirmed
ddns-update-style none;
option domain-name "sylvia.test";
option domain-name-servers ns1.sylvia.test;
default-lease-time 6000;
max-lease-time 7200;
log-facility local7;
subnet 192.168.200.0 netmask 255.255.255.0 {
range 192.168.200.65 192.168.200.96;
option routers bart.sylvia.test;
option domain-name "sylvia.test";
option domain-name-servers 192.168.200.5;
}
host maggie.sylvia.test {
hardware ethernet 00:0a:5e:22:af:a7;
fixed-address maggie.sylvia.test;
}
host homer.sylvia.test {
hardware ethernet 00:50:ba:17:2d:3d;
fixed-address homer.sylvia.test;
}
host apu.sylvia.test {
hardware ethernet 00:00:21:00:5b:bc;
fixed-address apu.sylvia.test;
}
host lisa {
hardware ethernet 00:10:dc:2c:6a:0d;
fixed-address lisa.sylvia.test;
}
host bart.sylvia.test {
hardware ethernet 00:50:04:68:0C:E8;
fixed-address 192.168.200.1;
}
host nelson.sylvia.test {
hardware ethernet 00:60:97:11:D5:F0;
fixed-address nelson.sylvia.test;
}
host grandstream1.sylvia.test {
hardware ethernet 00:0b:82:03:87:dc;
fixed-address grandstream1.sylvia.test;
}
host allnet1.sylvia.test {
hardware ethernet 00:0f:c9:01:4f:94;
fixed-address allnet1.sylvia.test;
}
host sipura.sylvia.test {
hardware ethernet 00:0e:08:ad:ca:a5;
fixed-address sipura.sylvia.test;
}

7.1.6 BIND

/etc/bind/named.conf.local

(No changes have been made to named.conf.) The “allow-update” directive specifies which hosts are allowed to submit Dynamic DNS updates for master zones. Allowing updates based on the IP address alone is insecure, since anyone who can use or spoof that address can rewrite the zone, but it was necessary here to let the Active Directory servers propagate their services to DNS. (Maybe you wonder why there are suddenly two AD servers; later on, in the migration phase, it becomes necessary to replace the Windows 2000 server with a Windows 2003 server called wiggum.sylvia.test with IP 192.168.200.19.)
zone "sylvia.test" IN {
type master;
file "/etc/bind/db.sylvia.test";
allow-update { 192.168.200.12; 192.168.200.19; };
};
zone "200.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.200.168.192";
};
zone "201.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.201.168.192";
};

/etc/bind/db.sylvia.test

Dynamic entries you find in here are made for a Windows 2003 server
called wiggum.sylvia.test. Please read notes for named.conf.local above.
$ORIGIN .
$TTL 600 ; 10 minutes
sylvia.test IN SOA marge.sylvia.test. root.marge.sylvia.test. (
2005081961 ; serial
604800 ; refresh (1 week)
86400 ; retry (1 day)
2419200 ; expire (4 weeks)
604800 ; minimum (1 week)
)
NS ns1.sylvia.test.
$TTL 600 ; 10 minutes
A 192.168.200.12
A 192.168.200.19
$TTL 604800 ; 1 week
MX 10 mail.sylvia.test.
$ORIGIN _msdcs.sylvia.test.
$TTL 600 ; 10 minutes
96ee99d9-b18c-4124-b1d1-871cf84a8bac CNAME wiggum.sylvia.test.
$ORIGIN _tcp.Standardname-des-ersten-Standorts._sites.dc._msdcs.sylvia.test.
_kerberos SRV 0 100 88 wiggum.sylvia.test.
_ldap SRV 0 100 389 wiggum.sylvia.test.
$ORIGIN _tcp.dc._msdcs.sylvia.test.
_kerberos SRV 0 100 88 wiggum.sylvia.test.
_ldap SRV 0 100 389 wiggum.sylvia.test.
$ORIGIN domains._msdcs.sylvia.test.
_ldap._tcp.8b1150a1-3690-45c9-999c-194456648354 SRV 0 100 389 wiggum.sylvia.test.
_ldap._tcp.f6731b90-9fe0-492a-8685-eaf32b5da1ce SRV 0 100 389 wiggum.sylvia.test.
$ORIGIN _msdcs.sylvia.test.
eecd0355-53fd-442f-8eb5-0ed2237c4d3e CNAME wiggum.sylvia.test.
$ORIGIN gc._msdcs.sylvia.test.
_ldap._tcp.Standardname-des-ersten-Standorts._sites SRV 0 100 3268 wiggum.sylvia.test.
_ldap._tcp SRV 0 100 3268 wiggum.sylvia.test.
$ORIGIN _msdcs.sylvia.test.
_ldap._tcp.pdc SRV 0 100 389 wiggum.sylvia.test.
$ORIGIN _tcp.Standardname-des-ersten-Standorts._sites.sylvia.test.
_gc SRV 0 100 3268 wiggum.sylvia.test.
_kerberos SRV 0 100 88 wiggum.sylvia.test.
_ldap SRV 0 100 389 wiggum.sylvia.test.
$ORIGIN _tcp.sylvia.test.
_gc SRV 0 100 3268 wiggum.sylvia.test.
_kerberos SRV 0 100 88 wiggum.sylvia.test.
_kpasswd SRV 0 100 464 wiggum.sylvia.test.
_ldap SRV 0 100 389 wiggum.sylvia.test.
$ORIGIN _udp.sylvia.test.
_kerberos SRV 0 100 88 wiggum.sylvia.test.
_kpasswd SRV 0 100 464 wiggum.sylvia.test.
$ORIGIN sylvia.test.
$TTL 604800 ; 1 week
allnet1 A 192.168.200.130
apu A 192.168.200.33
bart A 192.168.200.1
edv-nb1 A 192.168.200.16
flanders A 192.168.200.36
grandstream1 A 192.168.200.129
homer A 192.168.200.12
lisa A 192.168.200.35
maggie A 192.168.200.8
marge A 192.168.200.5
nelson A 192.168.200.34
ns1 A 192.168.200.5
proxy CNAME marge
sipura A 192.168.200.131
snowball A 192.168.201.1
snowball2 A 192.168.201.17
wiggumold A 192.168.200.19
www CNAME marge

/etc/bind/db.200.168.192.in-addr.arpa

As mentioned in chapter 3: Don’t forget the “.” at the end of each entry.

; BIND reverse data file for zone 192.168.200.0/24
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
2005050801 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL

;
@ IN NS ns1.sylvia.test.
1 IN PTR bart.sylvia.test.
5 IN PTR marge.sylvia.test.
8 IN PTR maggie.sylvia.test.
12 IN PTR homer.sylvia.test.
16 IN PTR edv-nb1.sylvia.test.
19 IN PTR wiggum.sylvia.test.
33 IN PTR apu.sylvia.test.
34 IN PTR nelson.sylvia.test.
35 IN PTR lisa.sylvia.test.
36 IN PTR flanders.sylvia.test.
129 IN PTR grandstream1.sylvia.test.
130 IN PTR allnet1.sylvia.test.
131 IN PTR sipura.sylvia.test.
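The warning about the trailing dot, and the agreement between this reverse zone and the db.sylvia.test forward zone above, can be checked mechanically. The following is an added example, not part of the thesis: it parses only the subset of zone-file syntax these two files use and reports PTR targets without a trailing dot, addresses with no PTR, and PTRs that name a different host. The excerpts are constructed from the listings above, with one dot deliberately dropped (edv-nb1) and one PTR omitted (apu) so that every check fires.

```python
"""Forward/reverse consistency check for the sylvia.test zone files.

Added example, not part of the thesis. Handles $ORIGIN, $TTL, comments,
and A/PTR records with an optional IN class; nothing more.
"""

# Constructed excerpts of db.sylvia.test and db.200.168.192; the
# edv-nb1 PTR lacks its dot and the apu PTR is missing on purpose.
FORWARD_ZONE = """\
$ORIGIN sylvia.test.
$TTL 604800 ; 1 week
apu A 192.168.200.33
bart A 192.168.200.1
edv-nb1 A 192.168.200.16
homer A 192.168.200.12
marge A 192.168.200.5
ns1 A 192.168.200.5
proxy CNAME marge
wiggumold A 192.168.200.19
"""

REVERSE_ZONE = """\
$TTL 604800
@ IN NS ns1.sylvia.test.
1 IN PTR bart.sylvia.test.
5 IN PTR marge.sylvia.test.
12 IN PTR homer.sylvia.test.
16 IN PTR edv-nb1.sylvia.test
19 IN PTR wiggum.sylvia.test.
"""

ARPA = ".in-addr.arpa."


def records(zone_text, origin):
    """Yield (owner_fqdn, rtype, rdata_fields) for each record line."""
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()    # drop comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0].startswith("$"):           # $TTL and friends
            continue
        owner = fields[0]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        rest = fields[1:]
        if rest and rest[0].upper() == "IN":    # optional class token
            rest = rest[1:]
        yield owner, rest[0].upper(), rest[1:]


def arpa_to_ip(name):
    """'1.200.168.192.in-addr.arpa.' -> '192.168.200.1'"""
    return ".".join(reversed(name[: -len(ARPA)].split(".")))


def check_zones(forward_text, forward_origin, reverse_text, reverse_origin):
    """Return the problems found; three empty lists means consistent."""
    forward = {}                                # fqdn -> {addresses}
    for owner, rtype, rdata in records(forward_text, forward_origin):
        if rtype == "A":
            forward.setdefault(owner, set()).add(rdata[0])

    reverse, missing_dot = {}, []               # address -> PTR target
    for owner, rtype, rdata in records(reverse_text, reverse_origin):
        if rtype != "PTR":
            continue
        target = rdata[0]
        if not target.endswith("."):
            # BIND treats a dotless name as relative to $ORIGIN, so the
            # PTR silently becomes host.sylvia.test.200.168.192.in-addr.arpa.
            missing_dot.append(target)
            target = f"{target}.{reverse_origin}"
        reverse[arpa_to_ip(owner)] = target

    prefix = arpa_to_ip(reverse_origin) + "."   # "192.168.200."
    problems = {"missing_dot": missing_dot, "no_ptr": [], "ptr_mismatch": []}
    for name, addrs in forward.items():
        for addr in sorted(addrs):
            if not addr.startswith(prefix):
                continue                        # other subnet, other zone
            if addr not in reverse:
                problems["no_ptr"].append((name, addr))
            elif reverse[addr] != name:
                problems["ptr_mismatch"].append((addr, name, reverse[addr]))
    return problems


if __name__ == "__main__":
    found = check_zones(FORWARD_ZONE, "sylvia.test.",
                        REVERSE_ZONE, "200.168.192" + ARPA)
    for kind, items in found.items():
        for item in items:
            print(kind, item)
```

Two of the mismatches it reports come straight from the listings: 192.168.200.5 is shared by marge and ns1 but can carry only one PTR, and 192.168.200.19 is wiggumold forward but wiggum reverse.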

/etc/resolv.conf
search sylvia.test
nameserver 192.168.200.5

7.1.7 exim4

/etc/exim4/update-exim4.conf

(generated from dpkg-reconfigure exim4-config)


dc_eximconfig_configtype='smarthost'
dc_primary_hostname='marge.sylvia.test'
dc_other_hostnames='sylvia.test:marge'
dc_local_interfaces='192.168.200.5'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets='192.168.0.0/16'
dc_smarthost='mail.bfi-burgenland.at'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='false'
dc_mailname_in_oh='true'

/etc/mailname
marge6.sylvia.test

/etc/aliases
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
root: elsylo
k.schuh: karls
s.schuh: elsylo

7.1.8 The Webalizer

/etc/webalizer.conf
## defining log file and type
LogFile /var/log/squid/access.log
LogType squid
## define where HTML output is stored
OutputDir /var/www/webalizer
## Incremental processing allows multiple partial log files
## to be used instead of one huge one.
Incremental yes
# ReportTitle is the text to display as the title
ReportTitle Wos gsoerft worn is bei
## HostName defines the hostname for the report and is
## used in the title
HostName marge
## The Quiet option suppresses output messages...
Quiet yes
## Debug prints additional information for error messages.
Debug yes
## The "Top" options below define the number of entries
## for each table. Defaults are Sites=30, URL’s=30,
## Referrers=30 and Agents=15, and Countries=50. Tables
## may be disabled by using zero (0) for the value.
TopKSites 30
TopKURLs 30
TopUsers 20
# Your own site/referrer/direct-requests should be hidden
HideSite *marge
HideReferrer marge/
HideReferrer Direct Request
# Usually you want to hide these
HideURL *.gif
HideURL *.GIF
HideURL *.jpg
HideURL *.JPG
HideURL *.ra
# Grouping options
GroupURL /cgi-bin/*
## The Ignore* keywords allow you to completely ignore
## log records based on hostname, URL, user agent or
## referrer.
IgnoreSite localhost
IgnoreReferrer localhost
## How much the MangleAgents should mangle user agent names.
## Level 4 adds the minor version number
MangleAgents 4
/etc/crontab

Add this line to your crontab in order to analyse the logfile every hour.
0 * * * * root webalizer

7.1.9 squid

/etc/squid/squid.conf
# NETWORK OPTIONS
# --------------------------------------------------------
# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# --------------------------------------------------------
# TAG: hierarchy_stoplist
# A list of words which, if found in a URL,
# cause the object to
# be handled directly by this cache.
# hierarchy_stoplist cgi-bin ?
# TAG: no_cache
# A list of ACL elements which, if matched,
# cause the request to
# not be satisfied from the cache and the reply
# to not be cached.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
# OPTIONS WHICH AFFECT THE CACHE SIZE
# ---------------------------------------------------------
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# ---------------------------------------------------------
# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
# ---------------------------------------------------------
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
# ACCESS CONTROLS
# ----------------------------------------------------------
acl all src 0.0.0.0/0.0.0.0
# our acl
acl allowed_hosts src 192.168.200.0/255.255.255.0
acl allowed_hosts src 192.168.201.0/255.255.255.0
acl allowed_hosts src 192.168.150.0/255.255.255.0
# end our acl
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
#Recommended minimum configuration:
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# our allow rule
http_access allow allowed_hosts
# end of our allow rule
# Example rule allowing access from your local
# networks. Adapt to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# and finally allow by default
http_reply_access allow all
# TAG: icp_access
# Allowing or Denying access to the ICP port
icp_access allow allowed_hosts
icp_access deny all
# ADMINISTRATIVE PARAMETERS
# --------------------------------------------------------
# TAG: visible_hostname
# If you want to present a special hostname in
# error messages,
visible_hostname proxy.sylvia.test
# OPTIONS FOR THE CACHE REGISTRATION SERVICE
# ---------------------------------------------------------
# HTTPD-ACCELERATOR OPTIONS
# ---------------------------------------------------------
# MISCELLANEOUS
# ---------------------------------------------------------
# DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
# ---------------------------------------------------------
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
7.1.10 arpwatch

/etc/default/arpwatch
# Global options for arpwatch(8).
# Debian: don’t report bogons, don’t use PROMISC.
ARGS="-N -p"
# Debian: run as 'arpwatch' user. Empty this to run as root.
RUNAS="arpwatch"

/etc/arpwatch.conf
eth0 -m root+eth0

7.1.11 ntpd

/etc/ntp.conf
# /etc/ntp.conf, configuration for ntpd
# ntpd will use syslog() if logfile is not defined
logfile /var/log/ntpd
driftfile /var/lib/ntp/ntp.drift
statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
## server pool to synchronize with
server chime3.ipv6.surfnet.nl
server europe.pool.ntp.org
server 127.127.1.0
fudge 127.127.1.0 stratum 13
# By default, exchange time with everybody, but don’t
# allow configuration. See
# /usr/share/doc/ntp-doc/html/accopt.html for details.
restrict default kod notrap nomodify nopeer noquery
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1 nomodify
# If you want to provide time to your local subnet,
# change the next line.
broadcast 192.168.200.255

7.1.12 Active Directory

Adding a new user to the Active Directory “User” container (forgive me the German installation; crash course in learning German: Neu = new, Kontakt = contact, Gruppe = group, Drucker = printer, Benutzer = user, Freigegebener Ordner = shared folder)

Figure 7.1: adding a user to Active Directory


7.1.13 mrtg

/etc/mrtg.conf

Describes a Debian Linux host.

### Global Config Options
WorkDir: /var/www/mrtg
## Load the files where the MIBs you query are located
LoadMIBs: /usr/share/snmp/mibs/UCD-SNMP-MIB.txt,/usr/share/snmp/mibs/TCP-MIB.txt
EnableIPv6: no
WorkDir: /var/www/mrtg
Options[_]: growright,bits
#############################################
# System: bart
# Description: Linux bart 2.6.8-1-686 #1
# Tue Sep 14 00:22:58 EDT 2004 i686
# Contact: "Sylvia Schuh"
# Location: "Schloss Jormannsdorf Lager"
##############################################
## querying eth0
Target[192.168.200.1_eth0]: \eth0:public@192.168.200.1:
SetEnv[192.168.200.1_eth0]: MRTG_INT_IP="192.168.200.1" MRTG_INT_DESCR="eth0"
MaxBytes[192.168.200.1_eth0]: 12500000
Title[192.168.200.1_eth0]: 192.168.200.1 -- bart
PageTop[192.168.200.1_eth0]: <H1>192.168.200.1 -- bart</H1>
<TABLE>
<TR><TD>System:</TD> <TD>bart in "Schloss Jormannsdorf Lager"</TD></TR>
<TR><TD>Maintainer:</TD> <TD>"Sylvia Schuh"</TD></TR>
<TR><TD>Description:</TD><TD>eth0 </TD></TR>
<TR><TD>ifType:</TD> <TD>ethernetCsmacd (6)</TD></TR>
<TR><TD>ifName:</TD> <TD>Zentrale</TD></TR>
<TR><TD>Max Speed:</TD> <TD>100.0 Mbits/s</TD></TR>
<TR><TD>Ip:</TD> <TD>192.168.200.1 (bart.sylvia.test)</TD></TR>
</TABLE>
##querying eth1
Target[192.168.200.1_eth1]: \eth1:public@192.168.200.1:
SetEnv[192.168.200.1_eth1]: MRTG_INT_IP="192.168.150.6" MRTG_INT_DESCR="eth1"
MaxBytes[192.168.200.1_eth1]: 12500000
Title[192.168.200.1_eth1]: 192.168.150.6 -- bart
PageTop[192.168.200.1_eth1]: <H1>192.168.150.6 -- bart</H1>
<TABLE>
<TR><TD>System:</TD> <TD>bart in "Schloss Jormannsdorf Lager"</TD></TR>
<TR><TD>Maintainer:</TD> <TD>"Sylvia Schuh"</TD></TR>
<TR><TD>Description:</TD><TD>eth1 </TD></TR>
<TR><TD>ifType:</TD> <TD>ethernetCsmacd (6)</TD></TR>
<TR><TD>ifName:</TD> <TD>Internet</TD></TR>
<TR><TD>Max Speed:</TD> <TD>100.0 Mbits/s</TD></TR>
<TR><TD>Ip:</TD> <TD>192.168.150.6 ()</TD></TR>
</TABLE>
##cpu monitoring (www.linuxhomenetworking.com)
Target[server.cpu]: ssCpuRawUser.0&ssCpuRawUser.0:public@192.168.200.1 + ssCpuRawSystem.0&ssCpuRawSystem.0:public@192.168.200.1 + ssCpuRawNice.0&ssCpuRawNice.0:public@192.168.200.1
Title[server.cpu]: Server CPU Load
PageTop[server.cpu]: <H1>CPU-Load - System, User and Nice Processes </H1>
MaxBytes[server.cpu]: 20
ShortLegend[server.cpu]: %
YLegend[server.cpu]: CPU Utilization
Legend1[server.cpu]: current CPU percentage load
LegendI[server.cpu]: Used
LegendO[server.cpu]:
Options[server.cpu]: growright, nopercent
Unscaled[server.cpu]: ymwd
## memory monitoring total versus available
Target[server.memory]: memAvailReal.0&memTotalReal.0:public@192.168.200.1
Title[server.memory]: Free Memory
PageTop[server.memory]: <H1> Free Memory </H1>
MaxBytes[server.memory]: 100000000000
ShortLegend[server.memory]: B
YLegend[server.memory]: Bytes
LegendI[server.memory]: Free
LegendO[server.memory]: Total
Legend1[server.memory]: Free memory, not including swap, in bytes
Legend2[server.memory]: Total memory
Options[server.memory]: gauge,growright,nopercent
kMG[server.memory]: k,M,G,T,P,X
## memory monitoring percentage
Title[server.mempercent]: Percentage Free Memory
PageTop[server.mempercent]: <H1> Percentage Free Memory </H1>
Target[server.mempercent]: (memAvailReal.0&memAvailReal.0:public@192.168.200.1) * 100 / (memTotalReal.0&memTotalReal.0:public@192.168.200.1)
Options[server.mempercent]: growright,gauge,transparent,nopercent
Unscaled[server.mempercent]: ymwd
MaxBytes[server.mempercent]: 30
YLegend[server.mempercent]: Memory %
ShortLegend[server.mempercent]: Percent
LegendI[server.mempercent]: Free
LegendO[server.mempercent]: Free
Legend1[server.mempercent]: Percentage Free Memory
Legend2[server.mempercent]: Percentage Free Memory
## new TCP connection monitoring
Target[server.newconns]: tcpPassiveOpens.0&tcpPassiveOpens.0:public@192.168.200.1 + tcpActiveOpens.0&tcpActiveOpens.0:public@192.168.200.1
Title[server.newconns]: Newly Created TCP Connections
PageTop[server.newconns]: <H1> New Tcp connections</H1>
MaxBytes[server.newconns]: 1000000000
ShortLegend[server.newconns]: c/s
YLegend[server.newconns]: Conns / Min
LegendI[server.newconns]: In
LegendO[server.newconns]: Out
Legend1[server.newconns]: New inbound connections
Legend2[server.newconns]: New outbound connections
Options[server.newconns]: growright,nopercent,perminute
## Established TCP COnnections
Target[server.estabcons]: tcpCurrEstab.0&tcpCurrEstab.0:public@192.168.200.1
Title[server.estabcons]: Currently Established TCP Connections
PageTop[server.estabcons]: <H1> Established TCP Connections </H1>
MaxBytes[server.estabcons]: 10000000000
ShortLegend[server.estabcons]:
YLegend[server.estabcons]: Connections
LegendI[server.estabcons]: In
LegendO[server.estabcons]:
Legend1[server.estabcons]: Established connections
Legend2[server.estabcons]:
Options[server.estabcons]: growright,nopercent,gauge
## Disk usage monitoring
## Note: in order for dskPercent.1 and dskPercent.2
## to work you need the "disk /var/" entries in
## /etc/snmpd.conf; the order in that file
## defines which disk is accessed by *.1 and *.2
Target[server.disk]: dskPercent.1&dskPercent.2:public@192.168.200.1
Title[server.disk]: Disk Partition Usage
PageTop[server.disk]: <H1> Disk Partition Usage /home and /var </H1>
MaxBytes[server.disk]: 100
ShortLegend[server.disk]: %
YLegend[server.disk]: Utilization
LegendI[server.disk]: /home
LegendO[server.disk]: /var
Options[server.disk]: gauge,growright,nopercent
Unscaled[server.disk]: ymwd

7.1.14 SmokePing

/etc/smokeping/config

################################################
# DON'T TOUCH UNLESS YOU KNOW WHAT YOU'RE DOING
# BETWEEN THESE MARKS!
################################################
sendmail = /usr/lib/sendmail
imgcache = /var/www/smokeping
imgurl = ../smokeping
datadir = /var/lib/smokeping
piddir = /var/run/smokeping
smokemail = /etc/smokeping/smokemail
################################################
# END OF DON'T TOUCH SECTION
################################################
owner = sylle
contact = elsylo@sylvia.test
cgiurl = http://marge/cgi-bin/smokeping.cgi
mailhost = marge.sylvia.test
syslogfacility = local0
## not all probes at the same time
offset=random
*** Alerts ***
to = elslyo@sylvia.test
from = smokealert@sylvia.test
+bigloss
type = loss
# in percent
pattern = ==0%,==0%,==0%,==0%,>0%,>0%,>0%
comment = suddenly there is packet loss
+someloss
type = loss
# in percent
pattern = >0%,*12*,>0%,*12*,>0%
comment = loss 3 times in a row
+startloss
type = loss
# in percent
pattern = ==S,>0%,>0%,>0%
comment = loss at startup
+rttdetect
type = rtt
# in milli seconds
pattern = <10,<10,<10,<10,<10,<100,>100,>100,>100
comment = routing mesed up again ?
*** Database ***
step = 300
pings = 20
# consfn mrhb steps total
AVERAGE 0.5 1 1008
AVERAGE 0.5 12 4320
MIN 0.5 12 4320
MAX 0.5 12 4320
AVERAGE 0.5 144 720
MAX 0.5 144 720
MIN 0.5 144 720
*** Presentation ***
template = /etc/smokeping/basepage.html
+ overview
width = 600
height = 50
range = 10h
+ detail
width = 600
height = 200
unison_tolerance = 2
"Last 3 Hours" 3h
"Last 30 Hours" 30h
"Last 10 Days" 10d
"Last 400 Days" 400d


*** Probes ***
+ FPing
binary = /usr/bin/fping
*** Targets ***
probe = FPing
menu = Top
title = Network Latency Grapher
remark = Welcome to the SmokePing website of 'A poorly \
mantained site running Debian.'
+ World
menu = World
title = Worldwide Connectivity
# my part
++ Europe
menu = Europe
title =European Connectivity
+++ Switzerland
menu = Switzerland
title =Swiss Connectivity
alerts = bigloss,someloss,startloss
+++ Austria
menu = Austria
title = Austria
alerts = bigloss,someloss,startloss
++++ TU-Wien
menu = TuWien
title = TuWien
host = www.tuwien.ac.at
++++ Hauptuni
menu = Hauptuni
title = Hauptuni
host = www.univie.ac.at
+++ UK
menu = United Kingdom
title = United Kingdom
++ USA
menu = North America
title = North American Connectivity
## entries for each host that is tested
+ Lokal
menu = Lokal
title = Lokal
++ snowball
menu = snowball
title = snowball lokale Erreichbarkeit
host = snowball.sylvia.test
++ maggie
menu = maggie
title = maggie lokale Erreichbarkeit
host = maggie.sylvia.test
++ bart
menu = bart
title = bart lokale Erreichbarkeit
host = bart.sylvia.test
++ apu
menu = apu
title = apu W2k
host = apu.sylvia.test
++ nelson
menu = nelson
title = nelson WXP
host = nelson.sylvia.test
++ lisa
menu = lisa
title = lisa suse
host = lisa.sylvia.test
++ snowball2
menu = snowball2
title = snowball2 WXP
host = snowball2.sylvia.test
7.2 IPv6-related Configuration files

In this section you will find the configuration files related to the use of IPv6.
Please also see the chapter "Migration to IPv6", as it discusses many
configuration-file issues in the running text.

7.2.1 Apache

/etc/apache2/sites-available/www6
NameVirtualHost *
<VirtualHost *>
ServerName www6.schuh-tv.at
ServerAdmin k.schuh@schuh-tv.at
DocumentRoot /var/www6/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www6/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
# This directive allows us to have apache2's
# default start page in /apache2-default/,
# but still have / go to the right place
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn,
# error, crit, alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On
Alias /mrtg/ "/var/www/mrtg/"
<Directory "/var/www/mrtg/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>

7.2.2 Smokeping

/etc/smokeping/configv6
*** General ***
################################################
# DON'T TOUCH UNLESS YOU KNOW WHAT YOU'RE DOING
# BETWEEN THESE MARKS!
################################################
sendmail = /usr/lib/sendmail
imgcache = /var/www/smokeping
imgurl = ../smokeping
datadir = /var/lib/smokeping
### pid dir changed because of the 2nd instance of smokeping
piddir = /var/run/smokepingv6
smokemail = /etc/smokeping/smokemail
################################################
# END OF DON'T TOUCH SECTION
################################################
owner = sylle
contact = elsylo@sylvia.test
## another cgi for smokepingv6
cgiurl = http://snowball/cgi-bin/smokepingv6.cgi
mailhost = marge.sylvia.test
syslogfacility = local0
offset=random
*** Alerts ***
to = elslyo@sylvia.test
from = smokealert@sylvia.test
+bigloss
type = loss
# in percent
pattern = ==0%,==0%,==0%,==0%,>0%,>0%,>0%
comment = suddenly there is packet loss
+someloss
type = loss
# in percent
pattern = >0%,*12*,>0%,*12*,>0%
comment = loss 3 times in a row
+startloss
type = loss
# in percent
pattern = ==S,>0%,>0%,>0%
comment = loss at startup
+rttdetect
type = rtt
# in milli seconds
pattern = <10,<10,<10,<10,<10,<100,>100,>100,>100
comment = routing mesed up again ?
*** Database ***
step = 300
pings = 20
# consfn mrhb steps total
AVERAGE 0.5 1 1008
AVERAGE 0.5 12 4320
MIN 0.5 12 4320
MAX 0.5 12 4320
AVERAGE 0.5 144 720
MAX 0.5 144 720
MIN 0.5 144 720
*** Presentation ***
template = /etc/smokeping/basepage.html
+ overview
width = 600
height = 50
range = 10h
+ detail
width = 600
height = 200
unison_tolerance = 2
"Last 3 Hours" 3h
"Last 30 Hours" 30h
"Last 10 Days" 10d
"Last 400 Days" 400d
*** Probes ***
+ FPing6
binary = /usr/sbin/fping6
*** Targets ***
probe = FPing6
menu = Top
title = Network Latency Grapher
remark = Welcome to the SmokePing website of 'A poorly \
mantained site running Debian.'
+ World
menu = World
title = Worldwide Connectivity
# my part
++ Europe
menu = Europe
title = European Connectivity
+++ Switzerland
menu = Switzerland
title =Swiss Connectivity
alerts = bigloss,someloss,startloss
+++ Austria
menu = Austria
title = Austria
alerts = bigloss,someloss,startloss
++++ Kame
menu = Kame
title = Kame
host = www.kame.net
++++ Sixxs
menu = Sixxs
title = Sixxs
host = www.sixxs.net
+++ UK
menu = United Kingdom
title = United Kingdom
++ USA
menu = North America
title =North American Connectivity
+ Lokal
menu = Lokal
title = Lokal
++ snowball6
menu = snowball6
title = snowball6 lokale Erreichbarkeit
host = snowball6.sylvia.test
++ maggie6
menu = maggie6
title = maggie6 lokale Erreichbarkeit
host = maggie6.sylvia.test
++ bart6
menu = bart6
title = bart6 lokale Erreichbarkeit
host = bart6.sylvia.test
++ apu6
menu = apu6
title = apu6 W2k
host = apu6.sylvia.test
++ nelson6
menu = nelson6
title = nelson6 WXP
host = nelson6.sylvia.test
++ lisa6
menu = lisa6
title = lisa6 suse
host = lisa6.sylvia.test
++ snowball26
menu = snowball26
title = snowball26 WXP
host = snowball26.sylvia.test
++ wiggum6
menu = wiggum6
title = wiggum6 W2k3
host = wiggumold.sylvia.test
++ flanders6
menu = flanders6
title = flanders6 W2k3
host = flanders6.sylvia.test
Note: I did not modify the "World" part very carefully. Surely you could
leave out some things here or modify them.
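The alert patterns in the two SmokePing configs above (the IPv4 one in 7.1.14 and this IPv6 one) are matched against the most recent samples of a target, so it helps to see which series actually trigger them. The following is an added example, not part of the thesis and not SmokePing's own code: a small Python evaluator for such patterns, assuming that `*N*` matches a run of 0 to N samples and that a leading `None` sample stands for the `S` startup marker.

```python
import re

# Alert definitions copied from the SmokePing configs above (name -> (type, pattern)).
ALERTS = {
    "bigloss":   ("loss", "==0%,==0%,==0%,==0%,>0%,>0%,>0%"),
    "someloss":  ("loss", ">0%,*12*,>0%,*12*,>0%"),
    "startloss": ("loss", "==S,>0%,>0%,>0%"),
    "rttdetect": ("rtt",  "<10,<10,<10,<10,<10,<100,>100,>100,>100"),
}

def parse_pattern(pattern):
    """Split a pattern into (op, ref) tuples; '*N*' becomes ('*', N)."""
    elems = []
    for tok in pattern.split(","):
        tok = tok.strip()
        wild = re.fullmatch(r"\*(\d+)\*", tok)
        cond = re.fullmatch(r"(==|<|>)(S|[\d.]+)%?", tok)
        if wild:
            elems.append(("*", int(wild.group(1))))
        elif cond:
            elems.append((cond.group(1), cond.group(2)))
        else:
            raise ValueError("bad pattern element: " + tok)
    return elems

def elem_matches(op, ref, sample):
    """Compare one sample (None = the startup marker 'S') with one condition."""
    if ref == "S" or sample is None:
        return op == "==" and ref == "S" and sample is None
    value = float(ref)
    return {"==": sample == value, "<": sample < value, ">": sample > value}[op]

def pattern_matches(pattern, samples):
    """True if the pattern matches the most recent samples (newest last).
    Assumption: '*N*' matches any run of 0..N samples, like a bounded glob."""
    elems = parse_pattern(pattern)

    def match(i, j):  # elems[i:] against samples[j:]; both must end together
        if i == len(elems):
            return j == len(samples)
        op, ref = elems[i]
        if op == "*":
            return any(match(i + 1, j + k) for k in range(ref + 1) if j + k <= len(samples))
        return j < len(samples) and elem_matches(op, ref, samples[j]) and match(i + 1, j + 1)

    return any(match(0, start) for start in range(len(samples) + 1))

def fired_alerts(loss_samples, rtt_samples):
    """Names of the alerts above whose pattern matches the given series (constructed data)."""
    series = {"loss": loss_samples, "rtt": rtt_samples}
    return sorted(n for n, (kind, pat) in ALERTS.items() if pattern_matches(pat, series[kind]))
```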

7.2.3 mrtg

/etc/mrtgbart6.cfg
WorkDir: /var/www/mrtg
LoadMIBs: /usr/share/snmp/mibs/UCD-SNMP-MIB.txt,\\
/usr/share/snmp/mibs/TCP-MIB.txt
# or for NT
# WorkDir: c:\mrtgdata
### Global Defaults
# to get bits instead of bytes and graphs growing
# to the right Options[_]: growright, bits
EnableIPv6: yes
WorkDir: /var/www/mrtg
Options[_]: growright,bits
###############################################
# System: bart
# Description: Linux bart 2.6.8-1-686 #1
# Tue Sep 14 00:22:58 EDT 2004 i686
# Contact: "Sylvia Schuh"
# Location: "Schloss Jormannsdorf Lager"
################################################
Target[bart6_eth0]: \eth0:public@bart6:
SetEnv[bart6_eth0]: MRTG_INT_IP="2001:16d8:ff47:1203:2::1"\\
MRTG_INT_DESCR="eth0"
MaxBytes[bart6_eth0]: 12500000
Title[bart6_eth0]: 2001:16d8:ff47:1203:2::1 -- bart
PageTop[bart6_eth0]: <H1>2001:16d8:ff47:1203:2::1 -- bart</H1>
<TABLE>
<TR><TD>System:</TD> <TD>bart in "Schloss Jormannsdorf\\
Lager"</TD></TR>
<TR><TD>Maintainer:</TD> <TD>"Sylvia Schuh"</TD></TR>
<TR><TD>Description:</TD><TD>eth0 </TD></TR>
<TR><TD>ifType:</TD> <TD>ethernetCsmacd (6)</TD></TR>
<TR><TD>ifName:</TD> <TD>Zentrale</TD></TR>
<TR><TD>Max Speed:</TD> <TD>100.0 Mbits/s</TD></TR>
<TR><TD>Ip:</TD> <TD>2001:16d8:ff47:1203:2::1 \\
(bart.sylvia.test)</TD></TR>
</TABLE>
Target[bart6_eth1]: \eth1:public@bart6:
SetEnv[bart6_eth1]: MRTG_INT_IP="2001:16d8:ff47:1203:1::6"\\
MRTG_INT_DESCR="eth1"
MaxBytes[bart6_eth1]: 12500000
Title[bart6_eth1]: 2001:16d8:ff47:1203:1::6 -- bart
PageTop[bart6_eth1]: <H1>2001:16d8:ff47:1203:1::6 \\
-- bart</H1>
<TABLE>
<TR><TD>System:</TD> <TD>bart in "Schloss Jormannsdorf \\
Lager"</TD></TR>
<TR><TD>Maintainer:</TD> <TD>"Sylvia Schuh"</TD></TR>
<TR><TD>Description:</TD><TD>eth1 </TD></TR>
<TR><TD>ifType:</TD> <TD>ethernetCsmacd (6)</TD></TR>
<TR><TD>ifName:</TD> <TD>Internet</TD></TR>
<TR><TD>Max Speed:</TD> <TD>100.0 Mbits/s</TD></TR>
<TR><TD>Ip:</TD> <TD>2001:16d8:ff47:1203:1::6 ()</TD></TR>
</TABLE>
## cpu monitoring as per www.linuxhomenetworking.com
Target[server6.cpu]:ssCpuRawUser.0&ssCpuRawUser.0:public@bart6
+
ssCpuRawSystem.0&ssCpuRawSystem.0:public@bart6
+ ssCpuRawNice.0&ssCpuRawNice.0:public@bart6
Title[server6.cpu]: Server CPU Load
PageTop[server6.cpu]: <H1>CPU-Load - System, User and Nice \\
Processes </H1>
MaxBytes[server6.cpu]: 20
ShortLegend[server6.cpu]: %
YLegend[server6.cpu]: CPU Utilization
Legend1[server6.cpu]: current CPU percentage load
LegendI[server6.cpu]: Used
LegendO[server6.cpu]:
Options[server6.cpu]: growright, nopercent
Unscaled[server6.cpu]: ymwd
## new TCP connection monitoring
Target[server6.newconns]:
tcpPassiveOpens.0&tcpPassiveOpens.0:public@bart6
+
tcpActiveOpens.0&tcpActiveOpens.0:public@bart6
Title[server6.newconns]: Newly Created TCP Connections
PageTop[server6.newconns]: <H1> New Tcp connections</H1>
MaxBytes[server6.newconns]: 1000000000
ShortLegend[server6.newconns]: c/s
YLegend[server6.newconns]: Conns / Min
LegendI[server6.newconns]: In
LegendO[server6.newconns]: Out
Legend1[server6.newconns]: New inbound connections
Legend2[server6.newconns]: New outbound connections
Options[server6.newconns]: growright,nopercent,perminute
## Established TCP Connections
Target[server6.estabcons]: tcpCurrEstab.0&tcpCurrEstab.0:\\
public@bart6
Title[server6.estabcons]: Currently Established TCP \\
Connections
PageTop[server6.estabcons]: <H1> Established TCP \\
Connections </H1>
MaxBytes[server6.estabcons]: 10000000000
ShortLegend[server6.estabcons]:
YLegend[server6.estabcons]: Connections
LegendI[server6.estabcons]: In
LegendO[server6.estabcons]:
Legend1[server6.estabcons]: Established connections
Legend2[server6.estabcons]:
Options[server6.estabcons]: growright,nopercent,gauge

7.2.4 firewall: iptables


#!/bin/bash
# IPv6 Firewall script
IPTABLES6=/sbin/ip6tables
EXTIF1="eth1"
SIXXS="2001:6f8:900:587::2/64"
ANY6="::/0"
LOCALHOST6="::1/128"
TRUSTED6="2001:16d8:ff47:1203::/64" ## Jormannsdorf network
# For future use
BLACKLIST6=""
SURFER6=""
POSTLER6=""
##
BACKUPDIR="/var/log/backups/firewall"
case "$1" in
flush)
echo -e "Flushing Firewall: "
$IPTABLES6 -F > /dev/null 2>&1
$IPTABLES6 -X > /dev/null 2>&1
echo -e "setting Defaults to ACCEPT!"
echo -e "FireWall OFFEN !!!!!"
# ip -6 route del 2000::/3 via 2001:6f8:900:587::1
$IPTABLES6 -P INPUT ACCEPT
$IPTABLES6 -P OUTPUT ACCEPT
$IPTABLES6 -P FORWARD ACCEPT
;;
start|reload)
echo -n "Starting Firewall: "
TIME=`date +%s`
tar -czf $BACKUPDIR/firewall.$TIME.tar.gz /etc/init.d/firewall*
# mail to:
mail sysadmin@bfi-burgenland.at -s "Firewall restarted" < $0
sleep 1
echo "Forwarding ipv6 einschalten..."
echo "1" > /proc/sys/net/ipv6/conf/all/forwarding
$IPTABLES6 -F > /dev/null 2>&1
$IPTABLES6 -X > /dev/null 2>&1
$IPTABLES6 -P INPUT DROP
$IPTABLES6 -P OUTPUT DROP
$IPTABLES6 -P FORWARD DROP
# DROP AND LOG !!
$IPTABLES6 --new drop-and-log
$IPTABLES6 -A drop-and-log -j LOG --log-level info \\
--log-prefix "IPV6 DROP: "
$IPTABLES6 -A drop-and-log -j DROP
##
$IPTABLES6 -A INPUT -s $LOCALHOST6 -d $LOCALHOST6 -j \\
ACCEPT
$IPTABLES6 -A OUTPUT -s $LOCALHOST6 -d $LOCALHOST6 -j \\
ACCEPT
for i in $TRUSTED6
do
$IPTABLES6 -A INPUT -s $i -d $SIXXS -p tcp --dport 22 \\
-j ACCEPT
$IPTABLES6 -A OUTPUT -d $i -s $SIXXS -p tcp --sport 22 \\
-j ACCEPT
done
$IPTABLES6 -A INPUT -p icmpv6 -j ACCEPT
$IPTABLES6 -A OUTPUT -p icmpv6 -j ACCEPT
$IPTABLES6 -A FORWARD -p icmpv6 -j ACCEPT
$IPTABLES6 -A FORWARD -p tcp --dport 80 -j ACCEPT
$IPTABLES6 -A FORWARD -p tcp --sport 80 -j ACCEPT
$IPTABLES6 -A INPUT -j drop-and-log
$IPTABLES6 -A OUTPUT -j drop-and-log
$IPTABLES6 -A FORWARD -j drop-and-log
ip -6 route add 2000::/3 via 2001:6f8:900:587::1
;;
show)
echo "Firewall IPv6 EF: "
$IPTABLES6 -L -nv
;;
*)
echo "Usage: $0 {flush|start|reload|show}"
exit 1
;;
esac
echo "... Fertig"
exit 0
