npd6 moved to GitHub

Hello GitHub…

My npd6 (neighbor proxy daemon IPv6) project has now fully relocated to GitHub: https://github.com/npd6/npd6

All code has been moved, with full branching history, tagging, commits, etc. Fully replicated under git.

Bugs are harder to move, but it’s been done. Unfortunately we lose some info on the way, mainly email information for commenters. Obfuscated emails are retained, but not the originals. Not a huge problem I feel.

Bye Google…

It was with great reluctance that I left GoogleCode – however it had to happen. Google seem unwilling to formally pull the plug on Google Code – yet give every impression that they have no intention of going anywhere with it. Bug fixes are non-existent. News or blog posts dried up long ago.

The final straw, however, was their decision to disallow binary file downloads as of January this year. (And yes, I’m aware that GitHub did this too for a while – until they came to their senses!)

LaunchPad…? Not really

Toyed with LaunchPad – like Google Code, it *was* great. Yet while the run down of it is far less obvious than that of Google Code, it too seems to have been cast somewhat by the wayside by its owners. I will still use LaunchPad as a binary Ubuntu repository for npd6 – but not for code or bug tracking.

So, if you’re after NPD6, do please visit at https://github.com/npd6/npd6

NPD6 – Starts 2013 with version 1.0.0

The ongoing project of npd6 (Neighbor Proxy Daemon IPv6) kicks off 2013 with a bright, shiny new release!!!!

Some history is here, and the project page itself is over here.

Or go straight to the download section.

The new version has a host of fixes, tweaks and tuning. Also some asked-for new features (address masks, unlimited interface support, wildcards, etc.) The changelog and bug tracker are the places to go for details.

Happy IPv6-ing.

IPv6 temporary addresses and privacy extensions

On a fairly vanilla install of Ubuntu 12.04 (i.e. current) in an environment with full IPv4 and IPv6 connectivity one may see some (at first sight) strange things concerning the IPv6 addresses in use.

The network has a single gateway router/server, and provides full IPv6 to the devices in the house using radvd and npd6. Any device on the house network which is IPv6 capable will be able to make full use of IPv6 and IPv4 for Internet access.

On one of those PCs, which has a single ethernet interface, I do a

ifconfig eth0

and see this (bold added by me):

eth0 Link encap:Ethernet HWaddr 00:18:8b:86:f3:52 
inet addr:192.168.0.3 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: 2a01:e35:8b25:aaaa:2c3f:dfa6:f982:157a/64 Scope:Global
inet6 addr: 2a01:e35:8b25:aaaa:d0c3:1874:60e7:98ae/64 Scope:Global
inet6 addr: 2a01:e35:8b25:aaaa:e5bd:10da:e98d:e06a/64 Scope:Global
inet6 addr: 2a01:e35:8b25:aaaa:218:8bff:fe86:f352/64 Scope:Global
inet6 addr: fe80::218:8bff:fe86:f352/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:364957 errors:0 dropped:0 overruns:0 frame:0
TX packets:12414 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000 
RX bytes:124450596 (124.4 MB) TX bytes:1833074 (1.8 MB)
Interrupt:19

And I ask myself “What on earth are all those IPv6 addresses doing there….?”

Let’s find out…
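As an added example (not code from the original post), the check below derives the modified EUI-64 interface identifier from the HWaddr shown above and tests each global address against it. Only the address built from the MAC exposes the hardware identity of the machine; the others do not, which is the pattern temporary addresses from privacy extensions produce. The function names are chosen here for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hardware address and global addresses copied from the ifconfig output above. */
static const uint8_t HWADDR[6] = {0x00, 0x18, 0x8b, 0x86, 0xf3, 0x52};
static const char *const GLOBALS[4] = {
    "2a01:e35:8b25:aaaa:2c3f:dfa6:f982:157a",
    "2a01:e35:8b25:aaaa:d0c3:1874:60e7:98ae",
    "2a01:e35:8b25:aaaa:e5bd:10da:e98d:e06a",
    "2a01:e35:8b25:aaaa:218:8bff:fe86:f352",
};

/* Modified EUI-64 interface identifier (RFC 4291, Appendix A): flip the
 * universal/local bit of the MAC and insert ff:fe between its two halves. */
void eui64_from_mac(const uint8_t mac[6], uint8_t iid[8])
{
    iid[0] = mac[0] ^ 0x02; iid[1] = mac[1]; iid[2] = mac[2];
    iid[3] = 0xff;          iid[4] = 0xfe;
    iid[5] = mac[3];        iid[6] = mac[4]; iid[7] = mac[5];
}

/* 1 if the low 64 bits of addr are derived from mac, 0 if not, -1 if addr
 * does not parse as an IPv6 address. */
int is_mac_derived(const char *addr, const uint8_t mac[6])
{
    struct in6_addr a;
    uint8_t iid[8];
    if (inet_pton(AF_INET6, addr, &a) != 1) return -1;
    eui64_from_mac(mac, iid);
    return memcmp(a.s6_addr + 8, iid, 8) == 0;
}

/* Number of listed global addresses that expose the hardware address. */
int count_mac_derived(void)
{
    int n = 0;
    for (size_t i = 0; i < sizeof GLOBALS / sizeof GLOBALS[0]; i++)
        n += is_mac_derived(GLOBALS[i], HWADDR) == 1;
    return n;
}

int main(void)
{
    for (size_t i = 0; i < sizeof GLOBALS / sizeof GLOBALS[0]; i++)
        printf("%-40s %s\n", GLOBALS[i],
               is_mac_derived(GLOBALS[i], HWADDR) == 1 ? "MAC-derived" : "not MAC-derived");
    return 0;
}
```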


Tinkering

Tinkering. One of those lovely, evocative words which seems to have a whiff of quaintness about it.

In a Google+ post today, in the comment stream for this article, someone used it and made an interesting remark. Regarding the whole “messing around with computers” meme, he made the point that “our parents” tinkered around with electronics, since everything was discrete components and ICs had not really got going. Then computers themselves came to the hobbyist, and they all started tinkering around with software. And he was really asking what do us types tinker around with today…?

Which is both a good question and, for me, a very evocative point, since I am one of those “our parents” mentioned. I’m on the downhill side of 45, so when I got into electronics ICs were just beginning to come in to the mainstream. ICs were something which had 8 or 14 legs on them, contained a bunch of NPN or PNPs, and could take a bloody good scalding while you nuked them into place with your appalling soldering technique. Fancier stuff was out there, but you treated it with caution since it cost a lot… an analogue filter or (wowser!) an ADC. Esoteric. If it didn’t have a model number beginning with 74… I probably couldn’t afford it. Early CPUs of course were appearing too (Z80, 6502, and so on) but they were kinda “special” and separate – not electronics. They were to do with computers. Which of course one duly got into. Tinkering around with assembler. Tinkering around with device drivers. Tinker tinker tinker.

But today it seems harder for kids to tinker around with electronics and IT. It’s become so sophisticated and advanced that only a very few seem to get into it. They write a spreadsheet macro and call it “programming”. Which sounds elitist and snobby (“Humph! That’s not REAL programming…”) but really is born of a memory of the sheer fun and excitement of “ye good old days” tinkering with bit shifting and binary complements.

I end up wondering if this is simply a function of getting older, and happens to every generation (“Pah! Call that music… kids today!”) or true… I watch my kids grow and do ask myself how they can tinker with electronics and IT… And haven’t yet seen how. A tribute to how far and how fast the industry has come, but maybe a shame for the young ones.

Scouts and discrimination

Another UK newspaper article about the Scouts today, with yet more nonsense hiding the nature of this discriminatory organisation.

Various of the great and good in scouting say, as quoted by The Guardian:

“…scouting is continuing to move with the times and adapt to the growing number of people from different communities who are choosing to be a part of the movement. Scouting has something to offer everyone, no matter your religion, ethnicity or belief, and I’m so proud that we offer an environment for people of all backgrounds to come together and enjoy themselves.”

That is a lie. They do not welcome people of all backgrounds. If you are an atheist, you are not welcome and are prohibited from joining.

It’s essential to continue to make scouting accessible to all. We welcome all communities and this initiative helps to ensure that no one misses out on the numerous benefits and adventure of scouting…

That is a lie. It is not accessible to all. It does not welcome all communities.  If you are an atheist, you are not welcome and are prohibited from joining.

It doesn’t matter who you are, what you are or what colour your skin is or what faith you are.

That is a lie. It does matter who you are. You are required to “have a faith”.  If you are an atheist, you are not welcome and are prohibited from joining.

What saddens me even more than the fact such discrimination still exists is the fact that in 2012, in an apparently developed, western country, this sort of discrimination is entirely legal and, apparently, tolerated by the citizens.

That, and the hypocrisy of the people who run the Scouts… If you profess membership of a religion, any religion, they will bend over backwards to “accommodate” you. As per today’s news story, they might even be prepared to wind back several decades of female emancipation and ensure that you do not sexually excite men by showing an elbow. That’s fine. You’re “a believer” of….. something. Anything. And that’s ALL that matters.

But if you happen to not believe in a God or Gods, you are flat out not allowed to join. You are unsuitable. You are not welcome. Go away. We don’t want you.

What a very sad, somewhat unpleasant, group of people.

 

npd6 – Software now available

As per previous posts and discussions, my project to develop npd6 (Neighbor Proxy Daemon 6) is now advancing very rapidly.

If you have a Linux gateway router terminating your ISP feed supporting IPv6, this may be just what you need. To summarise the problem it solves: your ISP has given you a /64 (or some other size) IPv6 prefix, with the last 64 bits (or whatever) entirely for your own use on a private-side of the network. The IPv6 addresses in use by your own devices may well not even be known to you – it’s possible that you use DHCP6 to statically pre-allocate them (yuck!) or more likely you are using radvd on the gateway to advertise the ISP-supplied IPv6 prefix and let the devices themselves choose what they wish to tag on to that. It may be vaguely predictable (based upon the device’s Ethernet MAC address) or totally unpredictable (as per the Windows 7 box I looked at the other day!)

For these devices to be able to reach the outside IPv6 world, there is a good chance that your ISP will use the ICMP6 Neighbor Solicitation mechanism – and your gateway needs to play along. Other articles on this site go into painful details about this mechanism, so let’s sum it up as: in a very vaguely similar way to IPv4 ARPs, a device may receive an IPv6 Neighbor Solicitation for a specific global address and, if it knows how to reach it, respond with a Neighbor Advertisement. So for example, your ISP has given you the global prefix:

AAAA:AAAA:AAAA:AAAA:

and your home devices thus all end up with addresses using this prefix plus a variable suffix, of the form:

AAAA:AAAA:AAAA:AAAA:BBBB:BBBB:BBBB:BBBB

So the Windows workstation which has chosen the 128-bit global address AAAA:AAAA:AAAA:AAAA:BBBB:BBBB:BBBB:BBBB tries to connect to ipv6.google.com. Out goes the connection, and when the response comes back, the ISP’s router says to your gateway: “Neighbor Solicitation: Do you know how to reach AAAA:AAAA:AAAA:AAAA:BBBB:BBBB:BBBB:BBBB?”

And you want to say back “Neighbor Advertisement: Sure, AAAA:AAAA:AAAA:AAAA:BBBB:BBBB:BBBB:BBBB is known to me – send me his traffic.”

And to do this today you need to statically pre-configure that full address into the Linux system. And if it changes, you need to change it. And if a new one appears, you need to add it. And so on. Oh, and to add insult to injury, you cannot even display a list of which ones you have already configured in the system!!

And thus I offer npd6 as a solution: it runs on the gateway, and requires little configuration. You tell it your prefix and which is the ISP’s interface. There are a few optional knobs and levers. Then it runs and automatically responds to any Neighbor Solicitation received from the ISP for a device with your prefix.
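The decision described above, written out as an added example (this is not npd6's own code): validate a received Neighbor Solicitation, answer only when the target lies inside the configured prefix, and build the Neighbor Advertisement. The prefix, MAC address and sample packets are constructed values, and the function name is hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ND_NS 135 /* ICMPv6 type: Neighbor Solicitation */
#define ND_NA 136 /* ICMPv6 type: Neighbor Advertisement */

/* Constructed values: documentation prefix 2001:db8:0:1::/64 stands in for the
 * ISP-assigned prefix, GW_MAC for the gateway's ISP-side interface. */
static const uint8_t PREFIX64[8] = {0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 1};
static const uint8_t GW_MAC[6] = {0x02, 0, 0, 0, 0, 0x01};

/* Constructed NS bodies: one for a target inside the prefix, one outside. */
static const uint8_t NS_OURS[24] = {ND_NS, 0, 0, 0, 0, 0, 0, 0,
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 1, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb};
static const uint8_t NS_OTHER[24] = {ND_NS, 0, 0, 0, 0, 0, 0, 0,
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 2, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb};

/* Validate a received NS; if its target is in our /64, write a 32-byte NA to
 * out and return 32, otherwise return 0 (stay silent). hop_limit is the value
 * from the IPv6 header, which a raw socket delivers as ancillary data. */
size_t proxy_reply(const uint8_t *ns, size_t len, int hop_limit, uint8_t out[32])
{
    if (len < 24) return 0;                     /* 8-byte header + 16-byte target */
    if (ns[0] != ND_NS || ns[1] != 0) return 0; /* type 135, code 0 only */
    if (hop_limit != 255) return 0;             /* RFC 4861: must not have crossed a router */
    const uint8_t *target = ns + 8;
    if (target[0] == 0xff) return 0;            /* multicast target is invalid */
    if (memcmp(target, PREFIX64, 8) != 0) return 0; /* not our prefix */

    memset(out, 0, 32);
    out[0] = ND_NA;              /* checksum stays 0: Linux fills it on ICMPv6 raw sockets */
    out[4] = 0x40;               /* Solicited set, Override clear (RFC 4861 proxy advice) */
    memcpy(out + 8, target, 16); /* echo the solicited target */
    out[24] = 2;                 /* option type: Target Link-Layer Address */
    out[25] = 1;                 /* option length, in units of 8 bytes */
    memcpy(out + 26, GW_MAC, 6);
    return 32;
}

int main(void)
{
    uint8_t na[32];
    printf("in prefix:    %zu bytes\n", proxy_reply(NS_OURS, sizeof NS_OURS, 255, na));
    printf("off prefix:   %zu bytes\n", proxy_reply(NS_OTHER, sizeof NS_OTHER, 255, na));
    printf("hop limit 64: %zu bytes\n", proxy_reply(NS_OURS, sizeof NS_OURS, 64, na));
    return 0;
}
```

The hop-limit and prefix checks are what keep such a proxy from answering solicitations that were forged off-link or that concern addresses it has no business claiming.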

Status

The code today is working well. It is easy to build on any typical Linux system. Soon I will package it and offer .debs, RPMs etc. It is highly efficient and low-impact in terms of CPU and so on. Also, extensive debug options are built in, to assist if any problems occur.

To get it, please visit the GoogleCode hosting site at: http://code.google.com/p/npd6/ and specifically the code at: http://code.google.com/p/npd6/source/checkout (Subversion) or a tarball at https://code.google.com/p/npd6/downloads/list

If you want to try it out, please do download and build it. If you need help, please ask! Feel free to raise issues via: http://code.google.com/p/npd6/issues/list

Good luck!

npd6 – IPv6 neighbor proxy daemon – It lives!

As threatened in article IPv6 neighbor proxy daemon – npd6 and the associated design ramblings here, the npd6 project now lives and breathes.

EDIT: 22 July – The project has really taken shape. Version 0.3 is now useful enough to be considered a working beta version. Building is very simple – do please try it out and let me know of any issues, good or bad.

It’s absolutely early days, but, with plenty of limits and as-of-yet-unknown bugs, it does work…

I’m hosting it on Googlecode. It’s here. For a while yet I’ll not be making any binary or packaged versions available, or even autoconf/configure shenanigans – strictly source + Makefile.

If you want to give it a spin, do feel free. It’s going to change a LOT – we’re probably a month or so away from something I’d call “a usable, early beta“. Today it’s a “works for me pre-alpha“!

IPv6 neighbor proxy daemon – npd6

I admit defeat… You know how it is: you’re searching for a solution to a technical problem, and you KNOW that someone else has had the same problem. In fact thousands of people have had the same problem. And it was fixed years ago. If I can just find that solution…

EDIT: 22 July – The project has really taken shape. Version 0.3 is now useful enough to be considered a working beta version. Building is very simple – do please try it out and let me know of any issues, good or bad.

And find it, eventually (Google, Bing et al – Thank You!)  you do.

Except when you don’t. Back in this post I wrote about a specific, but key, problem in implementing an IPv6 firewall/router on a Linux box, when attached to a “normal” ISP.

What was the problem?

In a nutshell, it was as follows. My ISP gives me a full IPv6 service, with a statically allocated (i.e. fixed) global IPv6 address. They give me a /64, so I in turn have a full /64 to play with in my private net. Enough to network every dust particle in the house. (And this is one dusty house).

As I found, not surprisingly the ISP does not let me advertise address space back to them regarding which devices in my private-but-globally-addressed network actually exist. Given that, I rather naively hoped that they would thus blindly forward anything that was addressed to my (global prefix + private part) network to me regardless, and treat my gateway device as, in effect, a sort of default route for my IPv6 prefix.


Linux file-sharing in a home wifi network

The scenario: the home network is centered around a Linux server. This acts as (amongst a number of other things) a large data repository. All our media files, photos, music and so on are stored on it. Apart from the convenience of having it all centrally located, it also provides data security: all critical data is archived hourly using rsnapshot, such that there is always a backup from at least one month ago in the event of data being e.g. accidentally deleted. It uses a single 1TB disk as the main data store, with a second 1TB disk for the snapshots. Then in addition to that, really really critical data (the irreplaceable stuff) is archived every night to an off-site location. Anyway, in recent times my children have discovered the pleasures of photography… Vast quantities of pictures to be put on a PC and secured. To date it’s gone like this:

  • Kids use a single laptop, running Linux.
  • Each has an account on the laptop.
  • Plug camera in to laptop and pull the pictures on to the laptop.
  • In background, cron archives them off to the server using rsync over ssh.

As far as the kids themselves are concerned, there’s (a) a single laptop and (b) it has all their photos on it and (c) papa has assured them that if something terrible happened to the laptop, the pictures can be restored from the server.

Thus far, fine.

The network expands

Time to change… Precipitated by an additional laptop, things get kinda complicated. I want the laptops to be “floating”, and used by either child. No “the HP is mine, the IBM is his”. However that then makes it tricky: with only the single laptop it is the primary (since only) data store for their photos. Backups aside, it’s straightforward. So I need to shift the primary data stores off the laptops themselves and have them full-time on the server, and accessed over the network. Which is fine, except that performance is going to be an issue: these are laptops, and they are connected to the home network using wifi, so network file systems are potentially a problem (you ever tried regularly scanning several thousand photos over a wifi connection…? …it’s not what you want to do regularly!)

So we’re going to need network file systems with some sort of magical optimisation…


Content filtering in a home network

With two young children starting to make increasing use of the Internet, my attention has turned in recent times to the thorny subject of Content Filtering. This posting is actually going to look at a technical approach I settled upon, however one cannot help mentioning, at least in passing, some of the wider issues involved.

As a parent I do not believe in raising children in some sort of bubble, totally devoid of anything that could possibly “harm” them. That applies to the Internet too – my hope is to raise children who are able to understand and deal with things, rather than require protection from them. To that end, Internet access for my children involves their parents first and foremost! They use a laptop, after asking permission, in the kitchen, in view of everyone else. I’m interested in what they are doing on it (genuinely so, not as some excuse to snoop!) and they want me to help and guide them. Email? Sure, make full use of it. But all emails sent to your address also get forwarded to me too guys… Why? So I can see what you’re receiving! Very open. Very honest. Nothing underhand. Those are the rules in this house.

And that approach actually covers probably 90% of what is required. However there’s still a small part that needs attention. As most adults know, there’s some weird stuff in some corners of the Internet. Really weird. Disturbingly weird. Stuff which I do not want my young children to see, even if accidentally. Being a very liberal sort, and totally anti-censorship with regard to what consenting adults view, I do not support any move to remove such stuff from the Internet. Weird, sick, depraved, whatever… Some of it may not be at all nice, but it’s there and it can be found. I just don’t want young children to accidentally find it. So what is a network engineer father to do…?

Content filtering – 4 approaches

Broadly speaking there are four ways of approaching content filtering in the home environment:

  • Workstation filtering
  • Network filtering
  • ISP filtering
  • DNS blocking
