npd6 Design Document

So what must npd6 do in functional terms?

See Neighbor Solicitations. EITHER respond to them directly OR respond via the existing mechanisms. Log activity. Report status. Receive Neighbor Solicitations

The daemon needs to receive incoming neighbor solcitations from a designated port(s). I currently have no idea if this is an easy hook to make [...]

Linux file-sharing in a home wifi network

The scenario: the home network is centered around a Linux server. This acts as (amongst a number of other things) a large data repository. All our media files, photos, music and so on are stored on it. Apart from the convenience of having it all centrally located, it also provides data security: all critical data is archived hourly using rsnapshot, such that there is always a backup from at least one month ago in the event of data being e.g. accidentally deleted. It uses a single 1TB disk as the main data store, with a second 1TB disk for the snapshots. Then in addition to that, really really critical data (the irreplaceable stuff) is archived every night to an off-site location. Anyway, in recent times my children have discovered the pleasures of photography… Vast quantities of pictures to be put on a PC and secured. To date it’s gone like this:

Kids use a single laptop, running Linux.
Each has an account on the laptop.
Plug camera in to laptop and pull the pictures on to the laptop.
In background, cron archives them off to the server using rsync over ssh.

As far as the kids themselves are concerned, there’s (a) a single laptop and (b) it has all their photos on it and (c) papa has assured them that if something terrible happened to the laptop, the pictures can be restored from the server.

Thus far, fine.

The network expands

Time to change… Precipitated by an additional laptop, things get kinda complicated. I want the laptops to be “floating”, and used by either child. No “the HP is mine, the IBM is his”. However that then makes it tricky: with only the single laptop it is the primary (since only) data store for their photos. Backups aside, it’s straightforward. So I need to shift the primary data stores off the laptops themselves and having them full-time on the server, and accessed over the network. Which is fine, except that performance it going to be an issue: these are laptops, and they are connected to the home network using wifi, so network file systems are potentially a problem (you ever tried regularly scanning several thousand photos over a wifi connection…? …it’s not what you want to do regularly!)

So we’re going to need network file systems with some sort of magical optimisation…

Continue reading Linux file-sharing in a home wifi network

Content filtering in a home network

With two young children starting to make increasing use of the Internet, my attention has turned in recent times to the thorny subject of Content Filtering. This posting is actually going to look at a technical approach I settled upon, however one cannot help mentioning, at least in passing, some of the wider issues involved.

As a parent I do not believe in raising children in some sort of bubble, totally devoid of anything that could possibly “harm” them. That applies to the Internet too – my hope is to raise children who are able to understand and deal with things, rather than require protection from them. To that end, Internet access for my children involves their parents first and foremost! They use a laptop, after asking permission, in the kitchen, in view of everyone else. I’m interested in what they are doing on it (genuinely so, not as some excuse to snoop!) and they want me to help and guide them. Email? Sure, make full use of it. But all emails sent to your address also get forwarded to me too guys… Why? So I can see what you’re receiving! Very open. Very honest. Nothing underhand. Those are the rules in this house.

And that approach actually covers probably 90% of what is required. However there’s still a small part that needs attention. As most adults know, there’s some weird stuff in some corners of the Internet. Really weird. Disturbingly weird. Stuff which I do not want my young children to see, even if accidentally. Being a very liberal sort, and totally anti-censorship with regard to what consenting adults view, I do not support any move to remove such stuff from the Internet. Weird, sick, depraved, whatever… Some of it may not be at all nice, but it’s there and it can be found. I just don’t want young children to accidentally find it. So what is a network engineer father to do…?

Content filtering – 4 approaches

Broadly speaking there are four way of approaching content filtering in the home environment:

Workstation filtering
Network filtering
ISP filtering
DNS blocking

Continue reading Content filtering in a home network

OpenVPN over IPv6

Previous articles have detailed various aspects of getting IPv6 running on a home-gateway router. The aim is to migrate as much as possible towards an IPv6-only situation.

Here I cover the steps required to implement a simple point-to-point OpenVPN (SSL) VPN tunnel using PSK over IPv6 infrastructure.

One key element for me is to migrate my VPN connection to a remote host I own off IPv4 and entirely onto IPv6. This was not entirely straightforward! In fact it took hours and hours of research and experimentation to get this working. The eventual config required is not so mind-boggling. But getting there was tricky. As I’ve found out so many times before with regard to IPv6, the building bricks are lying around, but there are very few sources of information to help you stack them up. Once the steps are laid out, as you’ll see below, it’s actually pretty easy.

Migrating from what to OpenVPN IPv6?

We’re going to migrate an IPv4 OpenVPN point-to-point PSK VPN tunnel on Linux to an equivalent on native IPv6 infrastructure. We’re not trying to have an IPv4 tunnel over IPv6, nor an IPv6 tunnel over IPv4 (both of which are possible and useful in different situations). Here I aim to have an IPv6 OpenVPN SSL tunnel over pure IPv6 infrastructure.

My current VPN set up is:

Home gateway running Ubuntu 10.04 (Lucid)
Remote host running the same
Fixed public IPv4 and IPv6 (global) addresses on each.
OpenVPN point-to-point tunnel between them.
Simple PSK authentication.
Shorewall config as appropriate to OpenVPN.

To put some detail on it, there is a standard build of OpenVPN installed, with a config file such as /etc/openvpn/otherhost.conf:

Continue reading OpenVPN over IPv6

IPv6 and DNS

IPv6 DNS – It works for me….. but it shouldn’t.

When in my IPv6 environment I perform a test ping to, say, Google, it seems to work great:

ping6 ipv6.google.com

PING ipv6.google.com(2a00:1450:8006::6a) 56 data bytes

64 bytes from 2a00:1450:8006::6a: icmp_seq=1 ttl=55 time=49.3 ms

64 bytes from 2a00:1450:8006::6a: icmp_seq=2 ttl=55 time=44.6 ms

Which is lovely. But I then ask myself how the ping6 command actually gets to know that name ipv6.google.com lives at IPv6 global address 2a00:1450:8006::6a. How is the domain name being resolved? And I find that I actually don’t know. I’m perfectly familiar with IPv4 DNS. So what’s going on here?

I’m cheating

I discover, upon investigation, that in fact I’m “cheating”. By that I mean that my attempt to set up a “pure” IPv6 environment (albeit in parallel with IPv4) that does not rely upon or touch IPv4 in any way has not been achieved – It turns out that my DNS is currently entirely dependent upon the existing IPv4 infrastructure! And before going ahead and trying to rectify that, it’s actually rather educational to understand how it is actually working at all.

Continue reading IPv6 and DNS

IPv6 – Proxy the neighbors (or come back ARP – we loved you really)

After three articles, where am I with my venture in to IPv6? What have we really achieved so far? Well, in functional terms, not so very much yet!!

To recap:

Here I covered a lot of ground, getting basic IPv6 running on a Linux gateway box connected to an ISP providing native IPv6, while remembering stuff like the need to set up a firewall.
Here I looked at the issue of IPv6 firewall logging
And here I looked at the need to set up a default route out of the gateway device pointing back towards the internet.

And what can I now actually do? Well……. from the gateway box I can ping out successfully to any IPv6 device on the Internet. In other words, logged in to the device in green on this diagram, I can ping out of eth0 over the Internet. And from an IPv6 device on the Internet I can successfully ping towards my green box, using the address of eth0. So I can ping from the Internet to (these are of course made-up addresses!) 123::456.

Continue reading IPv6 – Proxy the neighbors (or come back ARP – we loved you really)

IPv6 and default routes

Following on from my first tutorial, we have a box set up which has basic IPv6 connectivity. There’s a firewall in place with a simple but sufficient configuration. And we can ping6 from this box to remote IPv6 destinations.

All of this has, so far, made use only of one network interface (in my case eth0) to set things up. However looking ahead to the next step I am aware that I will want devices inside my network (i.e. my workstations, etc.) to have IPv6 connectivity through this device I am setting up. In other words, this device must, as it does today for IPv4, act as a router.

With IPv4 this is, at a basic level (so forgetting about firewalling and so on) very easy: enable IPv4 forwarding and away you go.

For IPv6? A little more complicated…

Continue reading IPv6 and default routes

IPv6 – logging and shorewall6

Following on from my early success at get IPv6 running, I soon hit a significant issue: firewall logging.

Now this need not be a “blocker” for everyone, but I take my firewall logging duties quite seriously…!

shorewall IPv4 logging

Currently I have IPv4 shorewall configured to log not using the standard syslog mechanism, but instead to use ulogd. This allows me to easily log firewall activity to an entirely separate set of log files very easily. It is absolutely not mandatory, but it’s neat and tidy. I then have fwlogwatch to nightly analyse the logs and automatically email the interesting bits to me for occasional checking.

To enable this I have appropriate pointers to use of ULOG in shorewall’s policy and rules files as follows:

Continue reading IPv6 – logging and shorewall6

IPv6 at home – a guide to getting started

With IPv6 slowly becoming more visible, it was time to get to grips with it. While absolutely not essential (yet!) it seemed like a fun idea: my ADSL provider offers native IPv6 in parallel with IPv4, and my hosting provider is running an IPv6 beta. So I can do native IPv6 end to end between my home and a remote host. “Home” in this case consists of a Linux firewall running iptables, fronted by shorewall. Two ethernet ports: one to the ADSL modem (my “external” interface) and one to the house infrastructure (“internal”)

The Ubuntu server distribution in use is, like most Linux distros, fully IPv6 ready. For example, do an ifconfig and we see

Link encap:Ethernet HWaddr 00:40:63:f5:f9:3c

inet addr:88.XXX.XX.XXX Bcast:88.XXX.XXX.255 Mask:255.255.255.0

inet6 addr: fe80::240:63ff:fef5:XXX/64 Scope:Link

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:14086899 errors:0 dropped:0 overruns:0 frame:0

TX packets:15607323 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:1837525573 (1.8 GB) TX bytes:666354591 (666.3 MB)

Interrupt:16 Base address:0×8000

Now I may not know much about IPv6 on Linux yet, but I can see that I’ve got a line beginning “inet addr” which looks kinda IPv6-ish. Good start. Let’s go…

Continue reading IPv6 at home – a guide to getting started

ipsidixit.net

Recent Posts