npd6 – Software now available

As per previous posts and discussions, my project to develop npd6 (Neighbor Proxy Daemon 6) is now advancing very rapidly.

If you have a Linux gateway router terminating an IPv6-capable ISP feed, this may be just what you need. To summarise the problem it solves: your ISP has given you a /64 (or some other size) IPv6 prefix, with the remaining 64 bits (or whatever) entirely for your own use on the private side of the network. The IPv6 addresses in use by your own devices may well not even be known to you: it is possible that you use DHCPv6 to statically pre-allocate them (yuck!), but more likely you are running radvd on the gateway to advertise the ISP-supplied prefix and letting the devices themselves choose what to append to it (SLAAC). The suffix may be vaguely predictable (derived from the device’s Ethernet MAC address) or totally unpredictable (as with the Windows 7 box I looked at the other day, which picks randomised addresses!)

For these devices to be able to reach the outside IPv6 world, there is a good chance that your ISP will rely on the ICMPv6 Neighbor Solicitation mechanism, and your gateway needs to play along. Other articles on this site go into painful detail about this mechanism, so let’s sum it up as: in a way loosely analogous to IPv4 ARP, a device may receive an IPv6 Neighbor Solicitation for a specific global address and, if it knows how to reach it, respond with a Neighbor Advertisement. So for example, your ISP has given you the global prefix:

AAAA:AAAA:AAAA:AAAA:

and your home devices thus all end up with addresses using this prefix plus a variable suffix, of the form:

AAAA:AAAA:AAAA:AAAA:BBBB:BBBB:BBBB:BBBB

So the Windows workstation which has chosen the 128-bit global address AAAA:AAAA:AAAA:AAAA:BBBB:BBBB:BBBB:BBBB tries to connect to ipv6.google.com. Out goes the connection, and when the response comes back, the ISP’s router asks your gateway (by multicasting a Neighbor Solicitation on the link, which is why the gateway has to be listening for it): “Neighbor Solicitation: Do you know how to reach AAAA:AAAA:AAAA:AAAA:BBBB:BBBB:BBBB:BBBB?”

And you want to say back “Neighbor Advertisement: Sure, AAAA:AAAA:AAAA:AAAA:BBBB:BBBB:BBBB:BBBB is known to me – send me his traffic.”

And to do this today you need to statically pre-configure each such full address into the Linux kernel’s proxy-NDP table (with proxy_ndp enabled on the ISP-facing interface, and one “ip -6 neigh add proxy” entry per address). If it changes, you need to change it. If a new one appears, you need to add it. And so on. Oh, and to add insult to injury, you cannot even display a list of which ones you have already configured in the system!

And thus I offer npd6 as a solution: it runs on the gateway and requires little configuration. You tell it your prefix and which interface faces the ISP. There are a few optional knobs and levers. Then it runs and automatically responds to any Neighbor Solicitation received from the ISP for an address within your prefix.
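The exchange described above, as an added example that is not npd6’s own code: it parses a Neighbor Solicitation as received on the ISP-facing link, decides whether the target falls inside the delegated prefix, and builds the Neighbor Advertisement (with a correct ICMPv6 checksum and a Target Link-Layer Address option) that claims the address for the gateway’s MAC. All addresses and MACs are constructed sample values; the documentation prefix 2001:db8:1:1::/64 stands in for the AAAA:AAAA:AAAA:AAAA prefix, and the gateway’s link-local address, MAC and the ISP router’s address are assumptions.

```python
"""Added example (not npd6's code): the proxy-NDP exchange that npd6 automates.
All addresses and MACs are constructed samples; 2001:db8:1:1::/64 stands in for
the post's AAAA:AAAA:AAAA:AAAA::/64 prefix."""
import ipaddress
import struct

IPPROTO_ICMPV6 = 58
ICMPV6_NS, ICMPV6_NA = 135, 136
OPT_SLLA, OPT_TLLA = 1, 2                 # source / target link-layer address options
NA_SOLICITED, NA_OVERRIDE = 0x40, 0x20    # S and O bits of the NA flags byte (R is 0x80)


def _a6(x):
    return x if isinstance(x, ipaddress.IPv6Address) else ipaddress.IPv6Address(x)

def icmpv6_checksum(src, dst, msg):
    """RFC 4443 s2.3: one's-complement sum over the IPv6 pseudo-header plus the message.
    Over a message whose checksum field is already filled in, the result is 0 iff it verifies."""
    data = _a6(src).packed + _a6(dst).packed + struct.pack("!I3xB", len(msg), IPPROTO_ICMPV6) + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _seal(src, dst, body):
    """Fill in the checksum field (bytes 2-3) of an ICMPv6 message built with it zeroed."""
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]

def solicited_node(target):
    """ff02::1:ffXX:XXXX for the target's low 24 bits: the group the ISP router sends its NS to."""
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + _a6(target).packed[13:])

def build_ns(src, dst, target, src_mac=None):
    """What the ISP side sends: NS for target, with a Source Link-Layer Address option unless DAD."""
    body = struct.pack("!BBHI16s", ICMPV6_NS, 0, 0, 0, _a6(target).packed)
    if src_mac is not None:
        body += struct.pack("!BB6s", OPT_SLLA, 1, src_mac)
    return _seal(src, dst, body)

def build_na(src, dst, target, gw_mac, flags):
    """What the proxy sends back: NA claiming target, pointing at the gateway's own MAC."""
    body = struct.pack("!BBHB3x16s", ICMPV6_NA, 0, 0, flags, _a6(target).packed)
    body += struct.pack("!BB6s", OPT_TLLA, 1, gw_mac)
    return _seal(src, dst, body)

def parse_ns(msg):
    """Return (target, source_lladdr or None) from a raw NS, or None if it is not a valid NS."""
    if len(msg) < 24 or msg[0] != ICMPV6_NS or msg[1] != 0:
        return None
    target = ipaddress.IPv6Address(msg[8:24])
    if target.is_multicast:
        return None                           # RFC 4861 s7.1.1: target must be unicast
    slla, off = None, 24
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1]
        if olen == 0 or off + olen * 8 > len(msg):
            return None                       # RFC 4861 s4.6: zero-length option => discard packet
        if otype == OPT_SLLA and olen == 1:
            slla = msg[off + 2:off + 8]
        off += olen * 8
    return target, slla

def proxy_reply(ns, ns_src, ns_dst, prefix, gw_lladdr, gw_mac, override=False):
    """The decision a proxy makes for every NS seen on the ISP interface.
    Returns (na_src, na_dst, na_bytes) to send, or None to stay silent."""
    if icmpv6_checksum(ns_src, ns_dst, ns) != 0:
        return None                           # corrupt or tampered: ignore
    parsed = parse_ns(ns)
    if parsed is None:
        return None
    target, _slla = parsed
    prefix = prefix if isinstance(prefix, ipaddress.IPv6Network) else ipaddress.IPv6Network(prefix)
    if target not in prefix:
        return None                           # not our delegated prefix: never answer for it
    if _a6(ns_src) == ipaddress.IPv6Address("::"):
        return None                           # DAD probe: this example does not answer DAD
    # RFC 4861 s7.2.8: a proxy sets Solicited and normally leaves Override clear, so a real
    # node holding the address would win. R is left clear here (an assumption of this example).
    flags = NA_SOLICITED | (NA_OVERRIDE if override else 0)
    return _a6(gw_lladdr), _a6(ns_src), build_na(gw_lladdr, ns_src, target, gw_mac, flags)

if __name__ == "__main__":
    # Constructed sample exchange on the ISP-facing link (all values are made up).
    prefix, isp_router = "2001:db8:1:1::/64", "fe80::1"
    gw_lladdr, gw_mac = "fe80::a00:27ff:fe12:3456", bytes.fromhex("080027123456")
    pc = "2001:db8:1:1:1234:5678:9abc:def0"  # SLAAC/privacy address chosen by a LAN host
    ns = build_ns(isp_router, solicited_node(pc), pc, bytes.fromhex("001122334455"))
    reply = proxy_reply(ns, isp_router, solicited_node(pc), prefix, gw_lladdr, gw_mac)
    print("NA to %s: %s" % (reply[1], reply[2].hex()) if reply else "silent")
```

In a real daemon these bytes are read from and written to a raw ICMPv6 socket on the ISP-facing interface (which needs root), and the daemon has to see the solicited-node multicast traffic for the whole prefix, which means joining those groups or listening promiscuously. The prefix check is the security-relevant line: a proxy that answers for anything outside its own delegated prefix is an NDP spoofer on the ISP’s link.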

Status

The code today is working well. It is easy to build on any typical Linux system. Soon I will package it and offer .debs, RPMs etc. It is highly efficient and low-impact in terms of CPU and so on. Also, extensive debug options are built in, to assist if any problems occur.

To get it, please visit the GoogleCode hosting site at: http://code.google.com/p/npd6/ and specifically the code at: http://code.google.com/p/npd6/source/checkout (Subversion) or a tarball at https://code.google.com/p/npd6/downloads/list

If you want to try it out, please do download and build it. If you need help, please ask! Feel free to raise issues via: http://code.google.com/p/npd6/issues/list

Good luck!

npd6 – IPv6 neighbor proxy daemon – It lives!

As threatened in article IPv6 neighbor proxy daemon – npd6 and the associated design ramblings here, the npd6 project now lives and breathes.

EDIT: 22 July – The project has really taken shape. Version 0.3 is now useful enough to be considered a working beta version. Building is very simple – do please try it out and let me know of any issues, good or bad.

It’s absolutely early days, but, with plenty of limits and as-of-yet-unknown bugs, it does work…

I’m hosting it on Googlecode. It’s here. For a while yet I’ll not be making any binary or packaged versions available, or even autoconf/configure shenanigans – strictly source + Makefile.

If you want to give it a spin, do feel free. It’s going to change a LOT – we’re probably a month or so away from something I’d call “a usable, early beta”. Today it’s a “works for me pre-alpha”!

IPv6 neighbor proxy daemon – npd6

I admit defeat… You know how it is: you’re searching for a solution to a technical problem, and you KNOW that someone else has had the same problem. In fact thousands of people have had the same problem. And it was fixed years ago. If I can just find that solution…

EDIT: 22 July – The project has really taken shape. Version 0.3 is now useful enough to be considered a working beta version. Building is very simple – do please try it out and let me know of any issues, good or bad.

And find it, eventually (Google, Bing et al – Thank You!)  you do.

Except when you don’t. Back in this post I wrote about a specific, but key, problem in implementing an IPv6 firewall/router on a Linux box, when attached to a “normal” ISP.

What was the problem?

In a nutshell, it was as follows. My ISP gives me a full IPv6 service, with a statically allocated (i.e. fixed) global IPv6 address. They give me a /64, so I in turn have a full /64 to play with in my private net. Enough to network every dust particle in the house. (And this is one dusty house.)

As I found, and not surprisingly, the ISP does not let me advertise back to them which devices in my private-but-globally-addressed network actually exist. Given that, I rather naively hoped that they would blindly forward anything addressed to my (global prefix + private part) network to me regardless, treating my gateway as, in effect, the next hop for the whole prefix (i.e. routing the /64 to me rather than treating it as on-link).

Continue reading IPv6 neighbor proxy daemon – npd6

Linux file-sharing in a home wifi network

The scenario: the home network is centered around a Linux server. This acts as (amongst a number of other things) a large data repository. All our media files, photos, music and so on are stored on it. Apart from the convenience of having it all centrally located, it also provides data security: all critical data is archived hourly using rsnapshot, such that there is always a backup from at least one month ago in the event of data being e.g. accidentally deleted. It uses a single 1TB disk as the main data store, with a second 1TB disk for the snapshots. Then in addition to that, really really critical data (the irreplaceable stuff) is archived every night to an off-site location. Anyway, in recent times my children have discovered the pleasures of photography… Vast quantities of pictures to be put on a PC and secured. To date it’s gone like this:

  • Kids use a single laptop, running Linux.
  • Each has an account on the laptop.
  • Plug camera in to laptop and pull the pictures on to the laptop.
  • In background, cron archives them off to the server using rsync over ssh.

As far as the kids themselves are concerned, there’s (a) a single laptop and (b) it has all their photos on it and (c) papa has assured them that if something terrible happened to the laptop, the pictures can be restored from the server.

Thus far, fine.

The network expands

Time to change… Precipitated by an additional laptop, things get kinda complicated. I want the laptops to be “floating”, used by either child: no “the HP is mine, the IBM is his”. However that makes things tricky: with only the single laptop, it is the primary (since only) data store for their photos and, backups aside, it’s straightforward. So I need to shift the primary data stores off the laptops themselves and have them full-time on the server, accessed over the network. Which is fine, except that performance is going to be an issue: these are laptops, connected to the home network over wifi, so network file systems are potentially a problem (ever tried regularly scanning several thousand photos over a wifi connection…? It’s not something you want to do regularly!)

So we’re going to need network file systems with some sort of magical optimisation…

Continue reading Linux file-sharing in a home wifi network

Content filtering in a home network

With two young children starting to make increasing use of the Internet, my attention has turned in recent times to the thorny subject of Content Filtering. This posting is actually going to look at a technical approach I settled upon, however one cannot help mentioning, at least in passing, some of the wider issues involved.

As a parent I do not believe in raising children in some sort of bubble, totally devoid of anything that could possibly “harm” them. That applies to the Internet too – my hope is to raise children who are able to understand and deal with things, rather than require protection from them. To that end, Internet access for my children involves their parents first and foremost! They use a laptop, after asking permission, in the kitchen, in view of everyone else. I’m interested in what they are doing on it (genuinely so, not as some excuse to snoop!) and they want me to help and guide them. Email? Sure, make full use of it. But all emails sent to your address also get forwarded to me too guys… Why? So I can see what you’re receiving! Very open. Very honest. Nothing underhand. Those are the rules in this house.

And that approach actually covers probably 90% of what is required. However there’s still a small part that needs attention. As most adults know, there’s some weird stuff in some corners of the Internet. Really weird. Disturbingly weird. Stuff which I do not want my young children to see, even if accidentally. Being a very liberal sort, and totally anti-censorship with regard to what consenting adults view, I do not support any move to remove such stuff from the Internet. Weird, sick, depraved, whatever… Some of it may not be at all nice, but it’s there and it can be found. I just don’t want young children to accidentally find it. So what is a network engineer father to do…?

Content filtering – 4 approaches

Broadly speaking there are four ways of approaching content filtering in the home environment:

  • Workstation filtering
  • Network filtering
  • ISP filtering
  • DNS blocking

Continue reading Content filtering in a home network

Kindle-gouging

Love technology toys? Check. Read a lot? Check. Often would read if had remembered or had space to bring book? Checkitycheck.

I am absolutely in the prime target audience for a Kindle. Amazon having just launched their latest and greatest (by all accounts) Kindle 3, I was on the very brink of buying it. The concept has me completely won over. Having many books available in an easy-to-read, easy-to-use and easy-to-carry form is just what I want. Here in France Amazon have not yet opened up a localised Kindle store, but the international version would suffice for now.

Before plonking down the cash, I looked to see how much it would cost to buy the last few books I bought, plus a few others I already have but would like to have on the Kindle. Now I know that there is also quite a lot of free Kindle content available – mainly out-of-copyright “classics” – and that appeals greatly. But looking at the paid-for content, I was actually quite shocked at the prices. It’s going to be an imperfect comparison: the paper version of a book has different attributes and drawbacks compared with the Kindle version. But ultimately the content is the key thing.

Shocked. I was shocked. Shocked was I. Was I shocked? Yes.

Continue reading Kindle-gouging

In praise of VirtualBox

VirtualBox. What a splendid piece of software.

Just a quick post to flag up this software, which deserves recognition. It’s a VMware lookalike, but entirely Free (as in beer and as in GNU GPL)

Digiblue boo

As owner of a Digital Blue QX5 microscope (one of the cheapest, greatest “serious educational toys” you can lay your hands on – and it’s not even clear if they still make it) my daughter wanted to use it the other day. It’s been unused for a while and during that period my only Windows machine has moved to Windows 7 64-bit. And the QX5 driver software supplied is, of course, Windows XP 32-bit. Off to the Digiblue web-site and relieved to see that they assure me that they have Windows 7 64-bit drivers available. Turns out to be a big fat lie. They have them available for a slightly revised model of the QX5. Not the original (different USB IDs, etc.)

WINE?

Thoughts turn to Linux WINE. Hmmmm. Nope. USB drivers and WINE are one area that still doesn’t really do what it needs to do.

I need XP

OK – I realise that to get the thing working I need a Windows XP machine. Simple. Yet I can’t be arsed to set up a dual-boot or anything like that. So remember how neat VMware was all those years ago when I used to use it. I even bought a license for some early version! But I don’t fancy buying a new license which would cost about €130.

I have the dimmest recollection of some sort of freebie workstation VM called virtual-something. Google around a bit and quickly find VirtualBox. And it’s just like the VMware I remember, but without the credit card requirement.

Now I’ve only used it in the simplest of manners: running an XP 32-bit VM on a Windows 7 64-bit host. Not tried any other permutation of host/VM, of which there are all sorts claimed (Linux hosts, Mac, different Windows versions – and even more guest OSes, extending to the BSDs and so on). But for what I wanted it’s absolutely spot on. Really neat.

Oracle, not a company I’ve ever been a fanatical supporter of, earns a few brownie points from me.

OpenVPN over IPv6

Previous articles have detailed various aspects of getting IPv6 running on a home-gateway router. The aim is to migrate as much as possible towards an IPv6-only situation.

Here I cover the steps required to implement a simple point-to-point OpenVPN (SSL) tunnel, using a pre-shared static key, over IPv6 infrastructure.

One key element for me is to migrate my VPN connection to a remote host I own off IPv4 and entirely onto IPv6. This was not entirely straightforward! In fact it took hours and hours of research and experimentation to get this working. The eventual config required is not so mind-boggling. But getting there was tricky. As I’ve found out so many times before with regard to IPv6, the building bricks are lying around, but there are very few sources of information to help you stack them up. Once the steps are laid out, as you’ll see below, it’s actually pretty easy.

Migrating from what to OpenVPN IPv6?

We’re going to migrate an IPv4 OpenVPN point-to-point PSK VPN tunnel on Linux to an equivalent on native IPv6 infrastructure. We’re not trying to have an IPv4 tunnel over IPv6, nor an IPv6 tunnel over IPv4 (both of which are possible and useful in different situations). Here I aim to have an IPv6 OpenVPN SSL tunnel over pure IPv6 infrastructure.

My current VPN set up is:

  • Home gateway running Ubuntu 10.04 (Lucid)
  • Remote host running the same
  • Fixed public IPv4 and IPv6 (global) addresses on each.
  • OpenVPN point-to-point tunnel between them.
  • Simple PSK authentication.
  • Shorewall config as appropriate to OpenVPN.

To put some detail on it, there is a standard build of OpenVPN installed, with a config file such as /etc/openvpn/otherhost.conf:

Continue reading OpenVPN over IPv6

Netgear EVA9150

My much-loved Pinnacle Showcenter (written about previously here, for example) finally packed up. Not sure what killed it – did the obligatory open-it-up-and-buzz-it-a-bit routine. PSU seemed OK, but when the main board was connected up, something was dragging the PSU down big-time. No obviously failed components, so you are left with the likelihood that some chip somewhere has gone bad in a big way. So after shedding a tear, one quickly cheers up and realises that it’s a perfect excuse to replace it with something new!

Not self-build?

I wanted a device with similar functionality, to play my large collection of videos stored on a server and also allow occasional photo browsing. I didn’t have many hard and fast requirements, but as far as they went they were:

  • support a wide range of media formats, particularly DivX variants and MKV hi-def.
  • support a wide range of outputs (today we still have a large but rather old standard-definition TV; I am sure that within the lifetime of a new device it will be replaced with something HDMI-ish)
  • smart networking: my house is a mixture of Ethernet-over-power and wi-fi, with little cabled Ethernet
  • Open. Very important. No proprietary crap, either in terms of what it can play or what I am allowed to do with it.

Given this and my propensity for building my own kit, a self-build seemed like an obvious idea. I toyed with the obvious mini-ITX options, with appropriately funky video cards and one of the Linux TV-based distros. But when I did a rough calculation of both the cost and the work required I couldn’t help but check if there was anything ready-built which would also do the job. I didn’t expect to find anything, to be honest. It was almost a “Due Diligence” exercise which I had to perform so that when I then spent day after day getting my self-build working OK I could mentally justify the effort. However the formality of proving there was nothing which met my needs turned out to have a surprise ending.

Continue reading Netgear EVA9150

Evil secularists

Interesting appeal court decision in the UK yesterday. A certain Gary McFarlane, a “Christian relationship counsellor”, lost his appeal over a refusal to offer sex therapy to a gay couple.

The story seems fairly well covered here, here and here (lefties, right-wing and The BBC!) with similar reporting.

First off one cannot but wonder what a “Christian relationship counsellor” actually is. Is it like a “Christian car mechanic”, who we wonder is a car mechanic who goes to church, or a car mechanic who only works on Christian cars? And given, as we soon discover, that Mr McFarlane objects, in at least some form or another, to homosexuality, you have to wonder just who would choose to become a sex therapist when you have a hang up about a common sexual orientation.

But that is not the main issue here – the real issue is whether Mr McFarlane can claim supernatural beliefs permit him to discriminate against people in his working life. And the English courts have emphatically said “No”. In essence the court says that your beliefs are your own business, not anyone else’s. And if you choose to apply them to others you may find that they contradict the laws of the country. And at that point you have a problem.

Continue reading Evil secularists