2011年9月19日 星期一
2011年9月13日 星期二
IPv6 IP addresses
IPv6 IP addresses
IPv6 IP addresses are 128 bits long, compared to IPv4's 32-bit addresses. This gives room for many, many, many, many more addresses.
The number of IPv4 IPs available is 232, or 4,294,967,296. For IPv6, however, the number is 2128, or 340,282,366,920,938,463,463,374,607,431,768,211,456. That's a lot of IPs!
Now that we know the number of IPv6 addresses there are, we can get to the anatomy of the IPv6 address
The anatomy of IPv6 addresses
IPv4 addresses are generally in quad-dot notation, e.g. 192.168.73.200. IPv6 addresses use colons instead of dots and are larger that IPv4 addresses.
A fully qualified IPv6 address takes the format of XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX. An example fully-qualified address is FE80:0000:0000:0000:903A:1C1A:E802:11E4.
Do you see the long string of zeros? With IPv6 addresses, you can compress zeros to shorten the IP address.
You can compress zeros like this: FE80:0:0:0:903A:1C1A:E802:11E4, or like this: FE80::903A:1C1A:E802:11E4. Take note that you can only compress one set of zeros to ::.
Like in this IP: FE80:0000:0000:0000:903A:0000:0000:11E4, there are 2 sets of zeros. You could write it like this: FE80::903A:0:0:11E4, or like this: FE80:0:0:0:903A::11E4, but not like this: FE80::903A::11E4.
IPv6 subnetting
Just knowing how an IP address looks won't help you much when working with IPv6, you also need to know subnetting. You probably know how subnetting works in IPv4, and to make IPv6 subnetting easier, you should understand CIDR.
IPv6 does away with netmasks like 255.255.255.0 and goes to complete classless subnetting.
The smallest subnet available is a /64, which contains 18.4 quintillion IP addresses.
The way a /64 IP address is broken up is the first 64 bits of the IP is the subnet prefix, and the last 64 bits is the interface ID.
The following tables show how the subnet divides the IP address.
Breakout for fully qualified IP | /64 | ||||||
Subnet prefix | Interface ID | ||||||
0000 | 1111 | 2222 | 3333 | 4444 | 5555 | 6666 | 7777 |
Breakout for fully qualified IP | /48 | ||||||
Subnet prefix | Interface ID | ||||||
0000 | 1111 | 2222 | 3333 | 4444 | 5555 | 6666 | 7777 |
Breakout for fully qualified IP | /32 | ||||||
Subnet | Interface ID | ||||||
0000 | 1111 | 2222 | 3333 | 4444 | 5555 | 6666 | 7777 |
Private IPv6 addresses
With the number of IPv6 addresses available, you might think that private IPs are no longer needed. But IPv6 has a few private IP ranges that are not globally routable.
Link-local addresses
Link-local addresses are designed to only be used on a local physical link. They are like IPv4's 169.254.0.0/16 subnet.
In IPv6, the link-local address block is FE80::/10, this means that the subnet prefixes from FE80 to FEB0 are valid for link-local addressing
Link-local addresses are generated by either by converting the network interface's MAC address into a EUI-64 ID, or by generating a random ID.
An example link-local address with a random ID is FE80::903A:1C1A:E802:11E4. This one was generated by Windows 7 with default IPv6 settings.
Site-local addresses - DEPRECATED
Site-local addresses were designed to be used at a site, but they were deprecated in 2004 by RFC3879.
The site-local address block is/was FEC0::/10, spanning from FEC0 to FEF0
Private IP addresses
These addresses are for use in a private network, like IPv4's 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 IP ranges.
The private IP subnet is FD00::/7 with the eighth bit set to 1, so it's effectively FD00::/8. The subnet ranges from FD00 to FDFF.
These addresses have a specific format that you should generally be followed. The format is listed below.
Using the example IP FDC8:BF8B:E62C:ABCD:1111:2222:3333:4444, the breakout is as follows.
Prefix | Global ID | Subnet ID | Interface ID |
FD | C8BF8BE62C | ABCD | 1111:2222:3333:4444 |
An example of simple IPv6 private addresses is our network.
We use the IPv4 subnet 192.168.4.0/23, so and example IP is 192.168.4.120.
For IPv6, we just use FD00::4:120. It's easy to remember because it's derived from the IPv4 address.
This is the breakout of the Private IP:
Prefix | Global ID | Subnet ID | Interface ID |
FD | 0000000000 | 0000 | 0000:0000:0004:0120 |
So obviously the address isn't unique, and the IPv6 task force probably doesn't endorse the use of IPs like this, but for easier IPv4-IPv6 private network conversion, I say it's OK.
It's not like the IP is going to used on the Internet anyway. :)
2011年9月9日 星期五
ssh permitroot login
- Open up /etc/ssh/sshd_config and set "PermitRootLogin" to "yes". (Your ISP probably set it to "without-password")
- You also need to restart the sshd process. This is done by killing the existing one (use ps -aux|grep sshd to get the process ID, then use kill to zap it), then restarting /usr/sbin/sshd
2011年9月6日 星期二
Wireshark "The NPF driver isn’t running…
首先,你得確認自己安裝了winpcap(最好下載一個最新版本:官方下載,然後
(1) 如果你使用的是Linux、Ubuntu系統,請用>$ su Administrator命令切換到擁有最高權限的帳號,
然後再輸入命令:"net start npf"(如果不行自己查找類似命令)。
(2) 如果使用的是windows xp\me,請使用管理員帳號登錄,然後打開cmd,輸入命令:
"net start npf",會提示打開驅動服務成功。
(3) 如果使用的是Windows vista或者Windows 7,請找到"C:\Windows\System32"下的cmd.exe 文件,
右鍵點擊選擇"Run as administrator",然後在命令行模式下輸入命令"net start npf",
即可成功打開NPF的驅動,應該就是我前面找到過的npf.sys 文件被打開了。
最後,再重新打開Wireshark,就能正常運行了。
2011年9月5日 星期一
Configure static IPv6 networking under RHEL 5.x / Fedora / CentOS Linux
Append following line:
Append following config directives for IPv6:
Verify your configuration by pinging ipv6 enabled site such as ipv6.google.com:$ ping6 ipv6.google.com
Sample output:
IPv6
4.1 IPv6-ready kernel
現在的Linux發行版的核心都具備了運行IPv6的條件. IPv6功能被編譯成一個可載入模組. 在一般情況下模組不會在開機的時候自動載入.參照更新的資訊: IPv6+Linux-Status-Distribution
檢察現在的系統是否支持IPv6
注意您的/proc-file-system.必需有如下的結構:/proc/net/if_inet6
# test -f /proc/net/if_inet6 && echo "Running kernel is IPv6 ready"
試著載入模組
執行載入模組的命令:# modprobe ipv6
# lsmod |grep -w 'ipv6' && echo "IPv6 module successfully loaded"
讓模組自動載入
模組是可以自動載入的,只要在核心模組設定文件( /etc/modules.conf 或 /etc/conf.modules)中加入:alias net-pf-10 ipv6 # automatically load IPv6 module on demand
alias net-pf-10 off # disable automatically load of IPv6 module on demand
編譯有 IPv6 功能的核心
如果以上兩個結果都證實了核心不具有IPv6功能, 您可以有如下選擇:- 升級成外包裝有IPv6支持說明的Linux發行版(推薦新手使用)再看一下這裡: IPv6+Linux-Status-Distribution
- 編譯一個新的vanilla核心(如果您知道該怎麼選擇,會比較簡單).
- 重新編譯您現在擁有的發行版核心(不太容易).
- 將核心同 USAGI 的擴展一起編譯.
注意:您必需使用核心2.4.x系列或更高. 因為IPv6對2.2.x系列缺少相應的支持. 並且需要ICMPv6 和 6to4 支持的補丁.(補丁可以在 kernel series 2.2.x IPv6 patches找到).
將核心同 USAGI 的擴展一起編譯.
只推薦熟悉核心編譯和IPv6的用戶使用. 參照: USAGI project / FAQ.
IPv6-ready network devices
不是所有的設備都有能力傳輸IPv6數據包, 這裡有一個現狀表: IPv6+Linux-status-kernel.html#transport.
現階段不會支持IPv6的連結
- Serial Line IP (SLIP, RFC 1055), should be better called now to SLIPv4, device named: slX
- Parallel Line IP (PLIP), same like SLIP, device names: plipX
- ISDN with encapsulation rawip, device names: isdnX
在將來都不會支持IPv6的設備
- ISDN with encapsulation syncppp, device names: ipppX (design issue of the ipppd, will be merged into more general PPP layer in kernel series 2.5.x)
4.2 IPv6-ready 網路設定工具
別扯太遠了, 如果您有一個正在運行IPv6的核心,怎麼會沒有設定的工具呢? 安裝包裡早就有幾個這樣的工具了.
net-tools package
net-tools package 包含一些工具如: ifconfig ,route. 這些可以令您在界面上設定IPv6. 在命令行(shell) 用ifocnig -? 或 route -? 查看諸如IPv6 或 inet6.如果有,則說明具備IPv6設定能力.輸入以下命令進行檢查:
# /sbin/ifconfig -? 2>& 1|grep -qw 'inet6' && echo "utility 'ifconfig' is
?IPv6-ready"
# /sbin/route -? 2>& 1|grep -qw 'inet6' && echo "utility 'route' is IPv6-ready"
iproute package
Alexey N. Kuznetsov (Linux 網路代碼現階段的維護者) 寫了一個tool-set可以通過netlink 設備來設定網路.它可以比net-tool提供更多的功能, 但沒有多少文檔並且它不是為膽小的人設計的.# /sbin/ip 2>&1 |grep -qw 'inet6' && echo "utility 'ip' is IPv6-ready"
- 可以在您的發行版中找到(如果有的話)
- 在 Original FTP source下載並編譯它.
- 直接可以安裝的RPM包: RPMfind/iproute (推薦編譯 SRPMS )
4.3 IPv6-ready 測試/調式 程式
在為IPv6準備好了系統後,您可以用IPv6進行網路通訊. 首先您必需學習如何用嗅探程式來檢查IPv6數據包. 強烈推薦這樣做,因為在debugging/troubleshooting 中有利於快速診斷.
IPv6 ping
這個程式一般在iputils包裡, 用來測試簡單傳輸發送 ICMPv6 回應請求並等待ICMPv6 回應包.用法:
# ping6 < hostwithipv6address >
# ping6 < ipv6address >
# ping6 [-I < device >] < link-local-ipv6address >
# ping6 -c 1 ::1
PING ::1(::1) from ::1 : 56 data bytes
64 bytes from ::1: icmp_seq=0 hops=64 time=292 usec
--- ::1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/mdev = 0.292/0.292/0.292/0.000 ms
1.ping6 不在用戶的路徑當中 (probably, because ping6 is generally stored in /usr/sbin -> add path (not really recommended)
2.ping6 不能被正確執行, 通常沒有適當的權限 chmod u+s /usr/sbin/ping6
為ping6指定界面
用local-addresses 作為ping6 目標必需指定一個界面. 否則核心將不知道數據包發往哪個設備. 在沒有指定的情況下會有這樣的輸出:# ping6 fe80::212:34ff:fe12:3456
connect: Invalid argument
# ping6 -I eth0 -c 1 fe80::2e0:18ff:fe90:9205
PING fe80::212:23ff:fe12:3456(fe80::212:23ff:fe12:3456) from
?fe80::212:34ff:fe12:3478 eth0: 56 data bytes
64 bytes from fe80::212:23ff:fe12:3456: icmp_seq=0 hops=64 time=445 usec
--- fe80::2e0:18ff:fe90:9205 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss round-trip
?min/avg/max/mdev = 0.445/0.445/0.445/0.000 ms
Ping6 to multicast addresses(多播地址)
一個發現IPv6-active hosts 的比較有趣的機制:# ping6 -I eth0 ff02::1 PING ff02::1(ff02::1) from fe80:::2ab:cdff:feef:0123 eth0: 56 data bytes
64 bytes from ::1: icmp_seq=1 ttl=64 time=0.104 ms
64 bytes from fe80::212:34ff:fe12:3450: icmp_seq=1 ttl=64 time=0.549 ms (DUP!)
IPv6 traceroute6
這個程式一般在iputils包裡, 和IPv4的traceroute程式相似, 但與當前版本不同的是IPv6不能正確地使用ICMP echo-request. 看下面這個例子:# traceroute6 www.6bone.net
traceroute to 6bone.net (3ffe:b00:c18:1::10) from 3ffe:ffff:0000:f101::2, 30
?hops max, 16 byte packets
1 localipv6gateway (3ffe:ffff:0000:f101::1) 1.354 ms 1.566 ms 0.407 ms
2 swi6T1-T0.ipv6.switch.ch (3ffe:2000:0:400::1) 90.431 ms 91.956 ms 92.377 ms
3 3ffe:2000:0:1::132 (3ffe:2000:0:1::132) 118.945 ms 107.982 ms 114.557 ms
4 3ffe:c00:8023:2b::2 (3ffe:c00:8023:2b::2) 968.468 ms 993.392 ms 973.441 ms
5 3ffe:2e00:e:c::3 (3ffe:2e00:e:c::3) 507.784 ms 505.549 ms 508.928 ms
6 www.6bone.net (3ffe:b00:c18:1::10) 1265.85 ms * 1304.74 ms
IPv6 tracepath6
這個程式一般在iputils包裡, 它用來追蹤MTU的路徑.看下面的例子:# tracepath6 www.6bone.net
1?: [LOCALHOST] pmtu 1480
1: 3ffe:401::2c0:33ff:fe02:14 150.705ms
2: 3ffe:b00:c18::5 267.864ms
3: 3ffe:b00:c18::5 asymm 2 266.145ms pmtu 1280
3: 3ffe:3900:5::2 asymm 4 346.632ms
4: 3ffe:28ff:ffff:4::3 asymm 5 365.965ms
5: 3ffe:1cff:0:ee::2 asymm 4 534.704ms
6: 3ffe:3800::1:1 asymm 4 578.126ms !N
Resume: pmtu 1280
IPv6 tcpdump
在Linux作業系統中 tcpdump 是主要的數據包捕獲工具.IPv6支持 3.6 的版本.tcpdump用於降低數據包雜訊的參數:
- icmp6: 過濾本地ICMPv6通訊.
- ip6: 過濾本地IPv6通訊.(包括 ICMPv6)
- proto ipv6: filters tunneled IPv6-in-IPv4 traffic
- not port ssh: 在遠程SSH會話中禁止SSH數據包的顯示. to suppress displaying SSH packets for running tcpdump in a remote SSH session
- "-s 512": 增加捕獲限定為512 bytes.
- "-vv": 詳細列印.
- "-n": 不將地址轉換成名稱,在名稱服務有問題時可以用到.
IPv6 ping to 3ffe:ffff:100:f101::1 native over a local link
# tcpdump -t -n -i eth0 -s 512 -vv ip6 or proto ipv6
tcpdump: listening on eth0
3ffe:ffff:100:f101:2e0:18ff:fe90:9205 > 3ffe:ffff:100:f101::1: icmp6: echo
?request (len 64, hlim 64)
3ffe:ffff:100:f101::1 > 3ffe:ffff:100:f101:2e0:18ff:fe90:9205: icmp6: echo
?reply (len 64, hlim 64)
IPv6 ping to 3ffe:ffff:100::1 routed through an IPv6-in-IPv4-tunnel
1.2.3.4和5.6.7.8是遂道的終點(這些都是例子).# tcpdump -t -n -i ppp0 -s 512 -vv ip6 or proto ipv6
tcpdump: listening on ppp0
1.2.3.4 > 5.6.7.8: 2002:ffff:f5f8::1 > 3ffe:ffff:100::1: icmp6: echo request
?(len 64, hlim 64) (DF) (ttl 64, id 0, len 124)
5.6.7.8 > 1.2.3.4: 3ffe:ffff:100::1 > 2002:ffff:f5f8::1: icmp6: echo reply (len
?64, hlim 61) (ttl 23, id 29887, len 124)
1.2.3.4 > 5.6.7.8: 2002:ffff:f5f8::1 > 3ffe:ffff:100::1: icmp6: echo request
?(len 64, hlim 64) (DF) (ttl 64, id 0, len 124)
5.6.7.8 > 1.2.3.4: 3ffe:ffff:100::1 > 2002:ffff:f5f8::1: icmp6: echo reply (len
?64, hlim 61) (ttl 23, id 29919, len 124)
4.4 IPv6-ready programs(能和IPv6協同工作的程式)
在當前的發行版中已經包含了能和IPv6協同工作的程式(服務端/客戶端)參照: IPv6+Linux-Status-Distribution.或者檢查 http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-apps.html一些可用程式的線索: IPv6 & Linux - HowTo - Part 3或 IPv6 & Linux - HowTo - Part 4.
4.5 IPv6-ready 客戶端程式 (selection)
想要進行下面的測試, 您的作業系統必需擁有IPv6能力. 有些例子是真實地連結了6bone的情況下做的.
檢查DNS對IPv6地址的解析能力
因為這幾年Domain Name System (DNS)安全的不斷升級, 它們中的大部份都具備了對IPv6 地址類型AAAA的解析能力. (新的類型A6 只有BIND9和更高的版本支持)檢查DNS對IPv6地址的解析能力:# host -t AAAA www.join.uni-muenster.de
www.join.uni-muenster.de. is an alias for ns.join.uni-muenster.de.
ns.join.uni-muenster.de. has AAAA address 3ffe:400:10:100:201:2ff:feb5:3806
IPv6-ready telnet clients
IPv6-ready telnet 客戶端. 對它進行一個簡單的測試:$ telnet 3ffe:400:100::1 80
Trying 3ffe:400:100::1...
Connected to 3ffe:400:100::1.
Escape character is '^]'.
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Sun, 16 Dec 2001 16:07:21
GMT Server: Apache/2.0.28 (Unix)
Last-Modified: Wed, 01 Aug 2001 21:34:42 GMT
ETag: "3f02-a4d-b1b3e080"
Accept-Ranges: bytes
Content-Length: 2637
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Connection closed by foreign host.
openssh
openssh已經支持IPv6, 但必需對它用以下的參數進行編譯後才能使用:- --without-ipv4-default: the client tries an IPv6 connect first automatically and fall back to IPv4 if not working
- --with-ipv4-default: default connection is IPv4, IPv6 connection must be force like following example shows:
$ ssh -6 ::1
user@::1's password: ******
[user@ipv6host user]$
ssh.com
他們的客戶/服務端程式是免費的.
IPv6-ready web 流覽器
目前支持IPv6的web 流覽器列表: IPv6+Linux-status-apps.html#HTTP.這些流覽器大部份都存在問題:
- 如果 proxy(代理)只支持IPv4, IPv6的請求將會失敗. 方法: 升級proxy
- Automatic proxy settings (*.pac) 不能對IPv6的不同請求進行適當的處理 (written in Java-script and well hard coded in source like to be seen in Maxilla source code).
一個小測試,顯示在沒有代理的情況下的 URL 和 流覽器.