
Networking


IPv6 forwarding in OpenVZ not working

Normally, to configure IPv6 (and IPv4) forwarding on a Linux system you edit /etc/sysctl.conf so that the following lines are present and uncommented:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
# (there is no net.ipv6.ip_forward key; the per-interface "all" knob is the one to set)
net.ipv6.conf.all.forwarding=1

This way the kernel will load the forwarding parameters on the next reboot.
To activate the feature without rebooting, write to the /proc knobs directly:

# echo 1 > /proc/sys/net/ipv4/conf/all/forwarding 
# echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

But instead you get the following error for IPv6:

# echo 1 > /proc/sys/net/ipv6/conf/all/forwarding 
-bash: /proc/sys/net/ipv6/conf/all/forwarding: Permission denied

In my setup Linux runs as a guest in OpenVZ (through Proxmox), and it seemed my OpenVZ wasn't fully configured to allow IPv6. To enable full IPv6 support I edited /etc/vz/vz.conf and set IPV6="yes".

This still didn't solve the problem, even after a complete reboot of the server.
So far I haven't found a way to get it working, so I created a fully virtualized machine with bridged networking instead.
I hope to find a way to get IPv6 forwarding working in OpenVZ soon; a post with the solution will follow then.
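As an added example (not part of the original post), a small POSIX shell helper that reports the forwarding state of both address families and, when asked to enable one, tells a knob that is merely off apart from one the guest is not allowed to write at all, which is the "Permission denied" case above. The SYSCTL_ROOT variable is an assumption introduced here so the functions can also be pointed at a scratch directory.

```shell
#!/bin/sh
# Inspect and enable IPv4/IPv6 forwarding via /proc/sys, distinguishing
# "off" from "locked" (write refused even as root, as seen inside an
# OpenVZ container that was not given IPv6 support on the host).
# SYSCTL_ROOT is an assumption of this example: it defaults to the real
# /proc/sys but can be overridden for testing.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# forwarding_state <ipv4|ipv6>  ->  prints: enabled | disabled | missing
forwarding_state() {
    knob="$SYSCTL_ROOT/net/$1/conf/all/forwarding"
    [ -r "$knob" ] || { echo missing; return 0; }
    case "$(cat "$knob")" in
        1) echo enabled ;;
        *) echo disabled ;;
    esac
}

# enable_forwarding <ipv4|ipv6>  ->  prints: enabled | locked | missing
# "locked" means the kernel refused the write; the fix then belongs on
# the host (e.g. IPV6="yes" in /etc/vz/vz.conf), not in the guest.
enable_forwarding() {
    knob="$SYSCTL_ROOT/net/$1/conf/all/forwarding"
    [ -e "$knob" ] || { echo missing; return 1; }
    if echo 1 > "$knob" 2>/dev/null; then
        echo enabled
    else
        echo locked
        return 1
    fi
}

# Usage: report the current state of both families on this box.
for fam in ipv4 ipv6; do
    printf '%s forwarding: %s\n' "$fam" "$(forwarding_state "$fam")"
done
```

Run enable_forwarding ipv6 as root to attempt the change; a result of "locked" is the container case described in the post.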

VMWare network bridge over wireless IPv6 problems

Don't start debugging your radvd if your virtual guest doesn't work correctly with IPv6. All the VMware products have a problem with IPv6 router advertisements over a bridged network connection that goes over a wireless link.
Your virtual machine will get an IPv6 address, but will not get the IPv6 gateway.

To disable IPv6 in Ubuntu, add the line blacklist ipv6 to the /etc/modprobe.d/blacklist file. If you don't want to reboot you can try to unload the IPv6 kernel module with sudo rmmod, but that failed for me because the module was in use.

VMWare filed this as bug #26078, communities forum link

Disabling IPv6 in Firefox

To force Firefox to use IPv4 DNS resolution instead of IPv6, open about:config and set network.dns.disableIPv6 to true.


The little story: last weekend I started the migration of my private network from IPv4 to IPv6. As I'm temporarily back at my parents' place I have to maintain a certain level of internet availability.
An IPv4 to IPv6 migration is not that easy, especially when your ISP still speaks only IPv4. This means I have to tunnel all my IPv6 traffic to a tunneling service.

All this means quite some complex configuration, as I want all the intelligence on the Linksys WRT54GL v1.1. This device is a little limited in memory and is giving me some issues with the DD-WRT firmware and the extra software I need for this. Well, it just takes more time than expected. So having a mixed (working) IPv4 and (not working) IPv6 internet gave me an unexpected problem: Firefox will use IPv6 name resolution if available. If your IPv6 packets don't get further than your router, you just can't reach all the sites anymore... that's why forcing IPv4 in Firefox can be useful.

Exploiting Tomorrow's Internet Today: Penetration testing with IPv6

If you work in networking or security, the following paper is certainly a good read. Understanding the protocols can lead to finding possible attacks, and reading about possible attacks can sometimes motivate people to learn more about the protocols...

Exploiting Tomorrow's Internet Today: Penetration testing with IPv6

This paper illustrates how IPv6-enabled systems with link-local and auto-configured addresses can be compromised using existing security tools. While most of the techniques described can apply to "real" IPv6 networks, the focus of this paper is to target IPv6-enabled systems on the local network.

This paper was written by H D Moore, the main author behind Metasploit, who was invited to FOSDEM in 2007.

Cisco config syntax highlighting in Gvim

My colleague Niels created a syntax highlighting script for VIM.
Like he says:

The goal was to aid in reading a config file, not to provide error-checking when writing one. The script checks for often used tokens and colors them. The recognized tokens are:
  • Comments (start with an ! mark)
  • IP addresses (only IPv4 currently)
  • Interface names. All variants that I came across are included, but the list will certainly be incomplete.

Read the full article here.

Vyatta router

Kris recently pointed me to Vyatta and XORP. I did a small evaluation and test of the Vyatta open source software router.

I do like their 'eval kit'.
It contains a guide to start using Vyatta in 30 minutes. It follows the same principle as the O'Reilly Developer's Notebook series. In this fast-growing IT world we don't really have the time to read 396-page manuals before starting to work on something. Discovering something without a manual is something we often do, but it has the disadvantage of losing a lot of time figuring the stuff out. So having such a 14-page quick-start manual is great!

Things I like:

  • The CLI (code completion, ? for help, ...)
  • The webGUI (fast to do some things)
  • Changes you make are not applied live; you must first issue the commit statement.
  • When someone else commits changes you see it in your terminal
  • Package manager for updates, and apt-get as root for full package management
  • Last but not least: It's Open Source

Things I don't like:

  • I couldn't find support for cflow/sflow/...(and it isn't in the roadmap)
  • My company won't see the advantage of this.

There are 3 editions:

  1. Community Edition (Free): Patches and bug fixes every 6 months only, no access to Vyatta support
  2. Professional Edition (starting at $647 US): All patches, bug fixes and enhancements and web-based support
  3. Enterprise Edition (starting at $897 US): All professional services plus phone support and priority case management

I think these software-based network devices will become more and more important with the constant evolution towards virtualization. It's certainly something we should keep an eye on.
But why don't big companies see such benefits in open source? And probably no benefit in such software-based routers/firewalls either?

I'd also like to find a table with performance comparisons and scaling info. What kind of hardware will give what kind of routing throughput and delay? (Something more than this review.)

To telnet or not to telnet? To SSH!

This evening I was thinking about what I could write that could potentially interest fellow network and security people.
In my previous post I told a little story about tracerouting and connecting to a port using netcat rather than Telnet. My plan is to write something about the difference between the two applications and when we should use one or the other. But not this evening.

Thinking about telnet... Last week I had a short discussion with a colleague about all these network people who still use telnet to manage their network devices. In the 21st century, and as a security person, I can't imagine creating such a security hole in my customers' networks.

Why should(n't) we use the telnet protocol?

  • + Telnet is widely used
  • + Telnet is a fairly simple protocol
  • + The Telnet client is installed by default on Microsoft Windows
  • - Telnet uses clear-text authentication: credentials are readable by anyone on the path
  • - Telnet uses clear-text data transfer: the whole session, including the device configuration you display, is readable too
  • - Many Telnet daemons have had several vulnerabilities
  • - Secure alternatives like SSH exist

So why don't we all use SSH then?

It's very clear to all of us that Telnet is simply insecure-by-design®. But why are we still using it? Why do many sysadmins still leave that thing enabled by default, or why do they even enable it when it's turned off?

I think I finally discovered it during a discussion with that colleague. The reason can be summed up in one very simple word.

laziness

It's just because we/they don't know by heart how to enable SSH. Enabling it is indeed a little more complex than Telnet. And why don't they look it up on the internet or in the documentation? Simply laziness...

Ok guys, now you don't have an excuse anymore! Doh, this message is also published on the net, so they won't find it...

Enabling SSH on Cisco and HP devices

Even though I just realized it's completely useless to publish these commands on the net once again, I'll paste them here for my own future reference.

Cisco Switch with CatOS

set crypto key rsa 1024
set ip permit 10.0.0.0 255.255.255.0
set ip permit enable ssh
show ip permit
write memory

Cisco Router or Switch with IOS

hostname myrouter
ip domain-name vandeplas.lab
!--- generate the RSA key pair (hostname and domain-name must be set first)
crypto key generate rsa
!--- local user used for authentication
!--- (on IOS versions that support it, "username ... secret" stores a hash instead of the password)
username chri password myVerySecurePassword
!--- Use SSH v2 as v1 is insecure
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
!--- transport input and login are line commands: restrict the vty lines to SSH
!--- and make them check the local user database, otherwise the username above is never used
line vty 0 4
 login local
 transport input ssh
!--- save the running-config
write memory
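Added example, not part of the original post: a shell/awk check over a saved IOS configuration that reports vty lines still reachable by anything other than SSH, vty lines that never consult a user database (no login local or login authentication), and a missing ip ssh version 2. The function name, the finding wording and the embedded sample configuration are constructed for this example.

```shell
#!/bin/sh
# audit_vty_ssh <config-file>
# Prints one finding per line; returns 0 when the config is clean, 1 otherwise.
# Blocks in an IOS config are introduced by an unindented line (e.g. "line vty 0 4")
# and their members are indented by one space, which is what the awk rules rely on.
audit_vty_ssh() {
    awk '
    function flush() {
        if (!in_vty) return
        if (ti == "")         { print vty ": no transport input line, telnet is not excluded"; bad = 1 }
        else if (ti != "ssh") { print vty ": transport input " ti " still permits non-SSH sessions"; bad = 1 }
        if (!login)           { print vty ": no login local / login authentication, the username is never checked"; bad = 1 }
        in_vty = 0
    }
    /^ip ssh version 2/ { v2 = 1 }
    /^[^ ]/             { flush() }            # any unindented line closes the current block
    /^line vty/         { in_vty = 1; vty = $0; ti = ""; login = 0; next }
    in_vty && $1 == "transport" && $2 == "input" {
        ti = $3; for (i = 4; i <= NF; i++) ti = ti " " $i
    }
    in_vty && $1 == "login" && ($2 == "local" || $2 == "authentication") { login = 1 }
    END {
        flush()
        if (!v2) { print "global: ip ssh version 2 missing, SSHv1 may be negotiated"; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed sample: what a copy-paste of the SSH commands without the
# "line vty" block produces (transport input at global level, bare "login").
sample=$(mktemp)
printf '%s\n' 'hostname myrouter' 'ip ssh version 2' 'transport input ssh' '!' \
              'line vty 0 4' ' login' '!' > "$sample"
audit_vty_ssh "$sample" || echo "review needed"
rm -f "$sample"
```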

Cisco PIX/ASA

hostname mypix
domain-name vandeplas.lab

!--- generate the RSA key (PIX 6.x syntax)
ca generate rsa key 1024
!--- or on newer versions
crypto key generate rsa modulus 1024
!--- don't forget to save the crypto key to flash (PIX 6.x)
ca save all
!--- allow ssh from the network 10.0.0.0/24 on the inside interface
ssh 10.0.0.0 255.255.255.0 inside
!--- allow authentication using local aaa
username chri password myVerySecurePassword
aaa authentication ssh console LOCAL
!--- save the running-config 
write memory

HP Procurve Switch

crypto key generate
ip ssh version 2
ip ssh
write memory

Useful links

http://www.cisco.com/en/US/customer/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml
http://cisco.com/en/US/partner/products/ps6350/products_configuration_guide_chapter09186a00804831de.html
http://cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml
http://cisco.com/en/US/partner/docs/security/pix/pix63/command/reference/s.html
http://h10025.www1.hp.com/ewfrf/wc/genericDocument?docname=c01139356&cc=ca&dlc=en&lc=en&jumpid=reg_R1002_CAEN
http://www.dice.inf.ed.ac.uk/groups/infrastructure/network/docs/5308.html