<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Andy Fletcher</title>
	<atom:link href="http://ams1.x31.com/~andy/feed/" rel="self" type="application/rss+xml" />
	<link>http://ams1.x31.com/~andy</link>
	<description>Telecommunications Consultant</description>
	<lastBuildDate>Mon, 24 Oct 2011 19:45:01 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Adventures in IPv6</title>
		<link>http://ams1.x31.com/~andy/2011/10/adventures-in-ipv6/</link>
		<comments>http://ams1.x31.com/~andy/2011/10/adventures-in-ipv6/#comments</comments>
		<pubDate>Mon, 24 Oct 2011 19:45:01 +0000</pubDate>
		<dc:creator>Andy</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[ipv6]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[DNS]]></category>
		<category><![CDATA[DNS64]]></category>
		<category><![CDATA[Dual stack]]></category>
		<category><![CDATA[NAT64]]></category>
		<category><![CDATA[Stateless]]></category>
		<category><![CDATA[U32 classifier]]></category>

		<guid isPermaLink="false">http://ams1.x31.com/~andy/?p=3171</guid>
		<description><![CDATA[I posted this on the Linux Beer Hike list this evening, it&#8217;s probably of interest to a wider audience.. I&#8217;ve been working with IPv6 a bit recently and have been discovering lots of interesting implementation issues with both Windows and &#8230; <a href="http://ams1.x31.com/~andy/2011/10/adventures-in-ipv6/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>I posted this on the Linux Beer Hike list this evening, it&#8217;s probably of interest to a wider audience.</p>
<p>I&#8217;ve been working with IPv6 a bit recently and have been discovering lots of interesting implementation issues with both Windows and Linux.  Generally dual stack, where interfaces have both IPv4 and IPv6 enabled, works fine on most systems. However running on a pure IPv6 network with NAT64 and DNS64 shows a few issues with several operating systems. I&#8217;ve focused on stateless autoconfiguration for the moment; DHCPv6 is on my todo list.</p>
<p>Windows XP is the worst offender on pure IPv6 networks because it appears to be impossible to get the DNS resolver to query non-IPv4 DNS servers. I&#8217;ve seen several &#8216;fixes&#8217; which involve manually configuring the DNS but they have failed to work on the XP systems I&#8217;ve had the misfortune to encounter; maybe a different set of updates and service packs is required. XP comes with a set of site-local IPv6 addresses preconfigured for the DNS resolver but it doesn&#8217;t appear to be able to query them either.  I&#8217;m of the opinion that the only way to get XP to work properly on pure IPv6 networks is to install an IPv6 capable DNS server on each machine and point the XP DNS resolver at the IPv4 localhost (127.0.0.1).  It&#8217;s certainly the approach I&#8217;m going to be exploring in the future.</p>
<p>Windows Vista and Windows 7 both appear to behave reasonably well on pure IPv6 networks, all machines appear to stateless autoconfigure reasonably well and pick up the router advertisements. Some systems don&#8217;t pick up the DNS and I&#8217;m still trying to work out the conditions under which this happens. However it can always be fixed by a quick manual setting in the interface IPv6 configuration.</p>
<p>In the Debian Linux world things are generally much better apart from the Debian squeeze installer, which is unable to pick up any networking from IPv6. The only way I&#8217;ve managed to install successfully on a pure IPv6 network is to do a non-networking install, bring up the system, then configure networking, set the aptitude repositories and follow with a quick &#8220;apt-get update&#8221;, &#8220;apt-get upgrade&#8221;. After this everything works just fine. I&#8217;ve not tested the Ubuntu installer on a pure IPv6 network but I expect it to be the same story.</p>
<p>Getting access to the IPv4 world from an IPv6 only network is best achieved using NAT64 and DNS64. Once it is properly set up things work smoothly and completely transparently to the user. The only time they will notice the difference is when they want to go to a system which is not in DNS and they try to type the IPv4 address in the form 192.168.0.1.  The problem is their machine will try to open an IPv4 connection and discover that there are no network interfaces configured with IPv4. This is easily rectified by either putting the target host into DNS or prefixing the IPv4 address with the 96 bit IPv6 prefix for the NAT64. It&#8217;s a little annoying at first but becomes second nature after a while.</p>
<p>Both NAT64 and DNS64 are very new and implementations are still trying to catch up with the recommendations. For NAT64 I&#8217;ve settled on Tayga which is easy to compile and doesn&#8217;t require any kernel hacking. DNS64 is best done using Bind 9.8 or later. In both cases with Debian stable you have to manually build them from sources. To get your gateway system to transmit IPv6 router advertisements you need to install and configure radvd.  Again the Debian stable version is a little out of date and if you want the client machines to pick up the DNS server information you will have to upgrade radvd to a later version (Debian testing). Make sure you install rdnssd on your client Linux systems if you want them to pick up DNS from the radvd advertisements.</p>
<p>Getting an IPv6 connection from your ISP is a little harder; in my case in Qatar it is impossible, so I am using the Hurricane Electric tunnelbroker service.  They offer a free 6in4 connection where IPv6 is delivered over the normal IPv4 connection but uses IP protocol 41 instead of TCP/UDP etc.  I&#8217;ve configured my home gateway machine to DNAT any packets with protocol 41 to a VirtualBox VM on my home network which does all the IPv4 tunnel, NAT64 and DNS64 stuff. I now have a home LAN which runs dual stack on 192.168.1.0/24 and IPv6 only on a VLAN. Hurricane Electric will delegate a /48 address block to you so you can set up the rest of your IPv6 network and make it properly routable, which is what I did. 64K subnets of /64 should be enough for (almost) anyone!</p>
<p>During testing with Oracle VirtualBox I noticed a strange thing when I tried to bridge the raw Ethernet device into the VM and setup VLANs within the VM. This was that the radvd IPv6 advertisements did not get the VLAN packet headers attached and they were all coming out as untagged (native) packets. Other IPv6 traffic behaved as expected. I solved this by creating the VLAN interfaces in the host machine and bridging them to the VM which then saw them as eth0, eth1 etc. I&#8217;ll have to investigate this later when I get time, something very strange was going on.</p>
<p>Once you have your IPv6 connectivity up and going your entire network is fully accessible to the rest of the IPv6 world; this includes your printers and your NAS box with those compromising photographs. Fortunately ip6tables is fully developed and it is an easy matter to control incoming connections on your IPv6 gateway. It&#8217;s prudent to check incoming traffic from the Internet to ensure that it doesn&#8217;t have a source address within your delegated address block (spoofing) and to add a blackhole route for your delegated address block to prevent you sending your internal traffic up the link back to your provider.</p>
<p>If you are wanting to use QOS on your IPv6 interfaces don&#8217;t be fooled into thinking that the U32 classifier only supports IPv4.  I went digging into the IPROUTE2 code for tc and found complete, but undocumented support. If you want to know how to use it with IPv6 see my last posting on this blog on IPROUTE2. Please let me know if you find any errors.</p>
<p>I&#8217;ll write this up properly when I get some time along with details about ip6tables, NAT64 and DNS64.</p>
]]></content:encoded>
			<wfw:commentRss>http://ams1.x31.com/~andy/2011/10/adventures-in-ipv6/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IPv6 support in IPROUTE2 U32 classifier</title>
		<link>http://ams1.x31.com/~andy/2011/10/ipv6-support-in-iproute2-u32-classifier/</link>
		<comments>http://ams1.x31.com/~andy/2011/10/ipv6-support-in-iproute2-u32-classifier/#comments</comments>
		<pubDate>Mon, 24 Oct 2011 15:36:48 +0000</pubDate>
		<dc:creator>Andy</dc:creator>
				<category><![CDATA[ipv6]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[U32 classifier]]></category>

		<guid isPermaLink="false">http://ams1.x31.com/~andy/?p=3011</guid>
		<description><![CDATA[I&#8217;ve been playing with traffic shaping (iproute2) for a while now, unfortunately it is the worst documented part of Linux and &#8220;tc filter&#8221; and &#8220;U32 classifier&#8221; are no exception. Adding queues (HTB) to the tunnel interface is easy enough but &#8230; <a href="http://ams1.x31.com/~andy/2011/10/ipv6-support-in-iproute2-u32-classifier/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve been playing with traffic shaping (iproute2) for a while now, unfortunately it is the worst documented part of Linux and &#8220;tc filter&#8221; and &#8220;U32 classifier&#8221; are no exception. Adding queues (HTB) to the tunnel interface is easy enough but the U32 traffic classifier is a real pain as it doesn&#8217;t support IPv6 in the address specifiers, or rather the documentation says nothing about IPv6. The net is full of pages where people say you have to chop IPv6 addresses into 32 bit chunks by hand and match separately on the chunks. </p>
<p>I thought that this was a stupid situation and started to dig into the iproute tc sources with a view to adding IPv6 support and feeding the changes back to the maintainer. During my digging I was astonished to find that U32 already has full support for IPv6 in the code, and it is fully functional (see f_u32.c). Simply use &#8220;match ip6&#8221; instead of &#8220;match ip&#8221; and away you go. The code is clever enough to chop up the IPv6 address into 32-bit chunks and only match as many as required to satisfy the netmask. You have the following ip6 directives available to you (addresses are examples):</p>
<ul>
<li>src 2001:0DB8:100:1::0/64</li>
<li>dst 2001::0/16</li>
<li>priority  123 0xff</li>
<li>protocol 2 0xff &#8211; This is the IPv6 next-header field</li>
<li>flowlabel 123456 0x000fffff</li>
<li>dport 53 0xffff &#8211; Looks in the TCP/UDP header, make sure you check protocol first!</li>
<li>sport 53 0xffff &#8211; Looks in the TCP/UDP header, make sure you check protocol first!</li>
<li>icmp_type 1 0xff &#8211; Looks in the ICMP header, make sure you check protocol first!</li>
<li>icmp_code 1 0xff &#8211; Looks in the ICMP header, make sure you check protocol first!</li>
</ul>
<p>Some values for the protocol field:</p>
<ul>
<li>6 &#8211; TCP</li>
<li>17 &#8211; UDP</li>
<li>58 &#8211; ICMPv6</li>
</ul>
<p>An example tc filter:<br />
<code><br />
# clean out existing filters<br />
tc qdisc del dev wlan0 root<br />
#<br />
# Create root to attach filters<br />
tc qdisc add dev wlan0 root handle 1: htb default 20<br />
#<br />
# example filter: checks for a DNS packet between two specified subnets and assigns it to a queue<br />
tc filter add dev wlan0 parent 1:0 prio 10 u32 \<br />
	match ip6 dst 2001:0DB8:101:0::0/48    \<br />
	match ip6 src 2001:0DB8:10::0/64          \<br />
	match ip6 protocol 17 0xff             \<br />
	match ip6 dport 53 0xffff              \<br />
	flowid 1:1<br />
#<br />
# have a look at the generated u32 filters<br />
tc -s -d filter show dev wlan0<br />
#<br />
filter parent 1: protocol [768] pref 10 u32<br />
filter parent 1: protocol [768] pref 10 u32 fh 800: ht divisor 1<br />
filter parent 1: protocol [768] pref 10 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1<br />
  match 20010db8/ffffffff at 24<br />
  match 01010000/ffff0000 at 28<br />
  match 20010db8/ffffffff at 8<br />
  match 00100000/ffffffff at 12<br />
  match 00001100/0000ff00 at 4<br />
  match 00000035/0000ffff at 40<br />
</code></p>
<p>The Linux kernel TC classifier code only performs 32 bit matches. 8 bit (U8) and 16 bit (U16) tests are converted to the appropriate U32 match aligned on a 4-byte boundary by the tc command. As we move towards an IPv6 world there would be a lot of sense in creating a U64 lump of code which could take advantage of the 64 bit architecture now becoming common; this would allow a complete 128 bit IPv6 address to be tested in 2 matches in place of the current 4 matches, and most of the time a single match on a /64 would suffice. It would involve hacking the kernel and TC, then trying to get the different maintainers to accept the changes, which appears to be a very lengthy process. The increased throughput on a heavily loaded router running QOS could be substantial though.</p>
<p>I can&#8217;t find a manpage for the U32 classifier on my system, and at present there is no official place to put this description. I&#8217;m open to suggestions if someone can point me at a place to formally document the IPv6 support in the U32 classifier.</p>
]]></content:encoded>
			<wfw:commentRss>http://ams1.x31.com/~andy/2011/10/ipv6-support-in-iproute2-u32-classifier/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Linux Quality of Service (QOS)</title>
		<link>http://ams1.x31.com/~andy/2011/08/linux-quality-of-service-qos/</link>
		<comments>http://ams1.x31.com/~andy/2011/08/linux-quality-of-service-qos/#comments</comments>
		<pubDate>Fri, 05 Aug 2011 09:42:45 +0000</pubDate>
		<dc:creator>Andy</dc:creator>
				<category><![CDATA[Linux]]></category>

		<guid isPermaLink="false">http://ams1.x31.com/~andy/?p=2951</guid>
		<description><![CDATA[I delivered a short presentation on how to do Quality of Service (QOS) under Linux at the 2011 Linux Beer Hike. I covered the following: Types of queues Use of HTB to manage bandwidth Inbound traffic policing Use of Intermediate &#8230; <a href="http://ams1.x31.com/~andy/2011/08/linux-quality-of-service-qos/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>I delivered a short presentation on how to do Quality of Service (QOS) under Linux at the 2011 Linux Beer Hike.  I covered the following:</p>
<ul>
<li>Types of queues</li>
<li>Use of HTB to manage bandwidth</li>
<li>Inbound traffic policing</li>
<li>Use of Intermediate Queues (IMQ)</li>
<li>Traffic classification using &#8220;tc filter&#8221; and IP tables</li>
</ul>
<p>I&#8217;ve not covered TOS/DSCP marking or how to set the required QOS in the application. Maybe I&#8217;ll cover it in the future if there is sufficient demand.</p>
<p>You are welcome to<br />
<a href="http://ams1.x31.com/~andy/wp-content/uploads/2011/08/TLNX002-LinuxQOS.pdf">download and share the PDF</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://ams1.x31.com/~andy/2011/08/linux-quality-of-service-qos/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Linux VLANs</title>
		<link>http://ams1.x31.com/~andy/2011/08/linux-vlans/</link>
		<comments>http://ams1.x31.com/~andy/2011/08/linux-vlans/#comments</comments>
		<pubDate>Thu, 04 Aug 2011 15:00:48 +0000</pubDate>
		<dc:creator>Andy</dc:creator>
				<category><![CDATA[Linux]]></category>

		<guid isPermaLink="false">http://ams1.x31.com/~andy/?p=2891</guid>
		<description><![CDATA[I delivered a short presentation on how to manage VLANs under Linux at the 2011 Linux Beer Hike. I covered how VLANs work and the methods of configuring them. It&#8217;s all very simple and you are welcome to download and &#8230; <a href="http://ams1.x31.com/~andy/2011/08/linux-vlans/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>I delivered a short presentation on how to manage VLANs under Linux at the 2011 Linux Beer Hike.  I covered how VLANs work and the methods of configuring them. It&#8217;s all very simple and you are welcome to <a href="http://ams1.x31.com/~andy/wp-content/uploads/2011/08/TLNX001-VLANs.pdf">download and share the PDF</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://ams1.x31.com/~andy/2011/08/linux-vlans/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Battery Charging</title>
		<link>http://ams1.x31.com/~andy/2011/04/battery-charging/</link>
		<comments>http://ams1.x31.com/~andy/2011/04/battery-charging/#comments</comments>
		<pubDate>Fri, 29 Apr 2011 07:23:52 +0000</pubDate>
		<dc:creator>Andy</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Athens Airport]]></category>

		<guid isPermaLink="false">http://ams1.x31.com/~andy/?p=2781</guid>
		<description><![CDATA[A couple of days ago I was going through Athens airport when I saw something which at first glance failed to make any sense. The airport has charging stations for cellphones &#8211; free for anyone to use. The person setting &#8230; <a href="http://ams1.x31.com/~andy/2011/04/battery-charging/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>A couple of days ago I was going through Athens airport when I saw something which at first glance failed to make any sense.  The airport has charging stations for cellphones &#8211; free for anyone to use.</p>
<p>The person setting up the stations didn&#8217;t see the obvious joke in the sign.</p>
<p><img src="http://ams1.x31.com/~andy/wp-content/uploads/2011/04/battery-charging.jpg" alt="Battery charging station at Athens Airport" /></p>
]]></content:encoded>
			<wfw:commentRss>http://ams1.x31.com/~andy/2011/04/battery-charging/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to defend a NTP server against abusive clients</title>
		<link>http://ams1.x31.com/~andy/2011/03/how-to-defend-a-ntp-server-against-abusive-clients/</link>
		<comments>http://ams1.x31.com/~andy/2011/03/how-to-defend-a-ntp-server-against-abusive-clients/#comments</comments>
		<pubDate>Thu, 24 Mar 2011 18:19:46 +0000</pubDate>
		<dc:creator>Andy</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[NTP]]></category>

		<guid isPermaLink="false">http://ams1.x31.com/~andy/?p=2661</guid>
		<description><![CDATA[I&#8217;ve been running an NTP server in the ntp.org pool project for several years now. However I&#8217;ve always been plagued by a few clients who put a continual stream of NTP requests into my server. Eventually I decided to do &#8230; <a href="http://ams1.x31.com/~andy/2011/03/how-to-defend-a-ntp-server-against-abusive-clients/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve been running an NTP server in the ntp.org pool project for several years now. However I&#8217;ve always been plagued by a few clients who put a continual stream of NTP requests into my server. Eventually I decided to do something about it using the iptables recent module.</p>
<p>The idea is that I drop incoming NTP packets from offenders who exceed a given number of packets per second averaged over a period. After a while they will give up and try a different server.</p>
<p>This has the advantage that it resets itself once they drop below the threshold. The two lines below will do this on my Debian server (adjust -i to match your interface):</p>
<p><code># iptables -A INPUT -i eth0 -p udp -m udp --dport 123  -m recent --set --name NTPTRAFFIC --rsource<br />
# iptables -A INPUT -i eth0 -p udp -m udp --dport 123  -m recent --update --seconds 60 --hitcount 7 --name NTPTRAFFIC --rsource -j DROP</code></p>
<p>You can view the connecting hosts by looking at the conntrack table:</p>
<p><code># cat /proc/net/ip_conntrack | grep dport=123</code></p>
<p>And you can see what sort of performance you are getting by looking at<br />
the iptables stats:</p>
<p><code># iptables -n -L -v  | grep 123</code></p>
<p>I&#8217;ve been running this for a while and the abusive clients disappeared almost instantly. If I check now it shows very few attempts:</p>
<p><code># iptables -n -L -v  | grep 123</code></p>
<p><code>1038K   79M DROP       udp  --  eth0   *       0.0.0.0/0 0.0.0.0/0           udp dpt:123 state NEW recent: UPDATE seconds: 60 hit_count: 7 name: NTPTRAFFIC side: source<br />
  74M 5613M            udp  --  eth0   *       0.0.0.0/0 0.0.0.0/0           udp dpt:123 state NEW recent: SET name: NTPTRAFFIC side: source</code></p>
<p>But I&#8217;m serving a lot of ntp clients (between 5k and 8k different IPs per minute):</p>
<p><code># cat /proc/net/ip_conntrack | grep dport=123 | wc -l<br />
8104</code></p>
<p>There is a balance between conntrack table size and count period.  A limit of 7 packets in one minute for a client appears to work well and allows clients to use iburst without being dropped.</p>
]]></content:encoded>
			<wfw:commentRss>http://ams1.x31.com/~andy/2011/03/how-to-defend-a-ntp-server-against-abusive-clients/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Getting around Athens Airport WiFi time limits</title>
		<link>http://ams1.x31.com/~andy/2010/08/getting-around-athens-airport-wifi-time-limits/</link>
		<comments>http://ams1.x31.com/~andy/2010/08/getting-around-athens-airport-wifi-time-limits/#comments</comments>
		<pubDate>Sun, 01 Aug 2010 02:25:39 +0000</pubDate>
		<dc:creator>Andy</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Wireless]]></category>

		<guid isPermaLink="false">http://ams1.x31.com/~andy/?p=2621</guid>
		<description><![CDATA[Athens airport (code ATH) offers free wireless which can be very useful. The only problem is it is time limited to 45 minutes at a time. After that time it stops you accessing the Internet. The solution to this is &#8230; <a href="http://ams1.x31.com/~andy/2010/08/getting-around-athens-airport-wifi-time-limits/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Athens airport (code ATH) offers free wireless which can be very useful.  The only problem is it is time limited to 45 minutes at a time.  After that time it stops you accessing the Internet.</p>
<p>The solution to this is to change your wireless MAC address every time it locks you out then reconnect.  I&#8217;m running Ubuntu so the easiest way is to use macchanger-gtk. The procedure is simple:</p>
<p>1. Disable wireless<br />
2. Run macchanger as root and set a fake MAC address<br />
3. Enable Wireless<br />
4. Reconnect to the Internet and accept the new 45 minutes.</p>
<p>I also flushed the browser cache and cookies just to be safe.</p>
<p>Hope it works well for you too. There are a lot of programs out there to change your MAC address.</p>
]]></content:encoded>
			<wfw:commentRss>http://ams1.x31.com/~andy/2010/08/getting-around-athens-airport-wifi-time-limits/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Ships and Gaza</title>
		<link>http://ams1.x31.com/~andy/2010/05/ships-and-gaza/</link>
		<comments>http://ams1.x31.com/~andy/2010/05/ships-and-gaza/#comments</comments>
		<pubDate>Mon, 31 May 2010 14:21:33 +0000</pubDate>
		<dc:creator>Andy</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Gaza]]></category>
		<category><![CDATA[Legal]]></category>

		<guid isPermaLink="false">http://ams1.x31.com/~andy/?p=2431</guid>
		<description><![CDATA[The recent boarding of a Turkish ship by heavily armed Israeli gunmen and the resulting deaths have upset me enough to write publicly about this rogue state which thinks nothing of arranging an assassination in Dubai, kidnapping nuclear engineers in &#8230; <a href="http://ams1.x31.com/~andy/2010/05/ships-and-gaza/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>The recent boarding of a Turkish ship by heavily armed Israeli gunmen and the resulting deaths have upset me enough to write publicly about this <a href="http://en.wikipedia.org/wiki/Rogue_state">rogue state</a> which thinks nothing of arranging an <a href="http://www.wired.com/threatlevel/2010/02/dubai-assassination-has-hallmarks-of-mossad/">assassination in Dubai</a>, kidnapping <a href="http://www.vanunu.com/">nuclear engineers</a> in Europe because they spoke about illegal state projects and regularly invading the surrounding countries whenever the poor places have started to get their economic act together.</p>
<p>Over the years I have been equally distressed by the unquestioning support governments of the UK[1] and USA for what amounts to regular breaches of human rights and international law by Israel. I know there is a long history in the Middle East and the UK doesn&#8217;t exactly stand out as a shining example of how to do things correctly.</p>
<p>One thing which continually surprises me is the deliberate cruelty of the Israeli state to Gaza and the West Bank, which constitutes an international crime, and this doesn&#8217;t include the murders of unarmed people including children which were committed in Gaza in the last armed invasion. It&#8217;s not surprising if they build little rockets and fire them over the border when you keep them in what amounts to a large prison (Gaza) for years. Even the UN say that the &#8216;permitted&#8217; imports are a quarter of what is required for a civilised life in the area. Theft of land and degrading treatment of the resident Arabs are only part of it. Jews have suffered persecution for hundreds of years in various countries and they know what it is like to be on the receiving end of such treatment. More shame on them for making others endure such things.</p>
<p>Then we have the Nuclear issue, Israel is a nuclear state with an estimated 200 warheads in the hands of an aggressive administration who appear to have tried to sell the technology to the Apartheid South African Government in the past. Yet there are no sanctions imposed on them, indeed the UK and USA finance the country and appear to give them whatever technology they want on generous terms. I get angry when I consider the treatment meted out to Iran on the nuclear issue who are trying to build up an industry. As far as I am concerned Iran is perfectly entitled to build such weapons up to and including the number that Israel has. Anyone wanting them to reduce their planned stockpile should enforce the same reductions on Israel! Anything else is both grossly unfair and unreasonable.</p>
<p>What should be done?  Well, in the first case Israel should be treated in the same way as Apartheid South Africa: trade should be limited to essential food and medicines, all other commerce prohibited and all loans called in by the lenders. The leaders of Israel should be summoned to the international court (they probably won&#8217;t go) in the same way as other war criminals have been prosecuted in the past. Whilst this won&#8217;t immediately fix things it delivers an unmistakable message.  Finally Lebanon, Gaza, the West Bank and other states should have their international borders guaranteed and enforced by force by the international community.</p>
<p>This is the first time I&#8217;ve written about this situation. The killings on the Turkish ship in an attack which I regard as state sponsored piracy in international waters finally pushed me over the tipping point. Maybe the international reaction to these events might finally bring real pressure on Israel; it certainly made me speak out for the first time.  I suppose I&#8217;ll have my website attacked as a result of writing this.</p>
<p>Andy</p>
<p>[1] Yes I am British and frequently feel a mixture of shame and anger about our politicians from both main parties. Trade and commerce is important but you shouldn&#8217;t sacrifice your essential principles of right and wrong.</p>
]]></content:encoded>
			<wfw:commentRss>http://ams1.x31.com/~andy/2010/05/ships-and-gaza/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>QNB (Qatar National Bank) sucks</title>
		<link>http://ams1.x31.com/~andy/2010/03/qnb-qatar-national-bank-sucks/</link>
		<comments>http://ams1.x31.com/~andy/2010/03/qnb-qatar-national-bank-sucks/#comments</comments>
		<pubDate>Sat, 06 Mar 2010 16:17:48 +0000</pubDate>
		<dc:creator>Andy</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Banks]]></category>
		<category><![CDATA[Qatar]]></category>
		<category><![CDATA[QNB]]></category>

		<guid isPermaLink="false">http://ams1.x31.com/~andy/?p=2361</guid>
		<description><![CDATA[Today I closed my account with QNB. I opened the account when I came over to Qatar a year ago. Since then I&#8217;ve had nothing but trouble with them. On the face of it they offer an attractive package including &#8230; <a href="http://ams1.x31.com/~andy/2010/03/qnb-qatar-national-bank-sucks/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Today I closed my account with QNB. I opened the account when I came over to Qatar a year ago.  Since then I&#8217;ve had nothing but trouble with them.</p>
<p>On the face of it they offer an attractive package including online banking, good interest rates on deposits and a Credit card after 3 months.</p>
<p>Unfortunately they did not live up to expectations. The ATM card they issued did not work outside Qatar despite repeated assurances that it was working &#8211; every time I went to their branch I ended up waiting for an hour before being able to see anyone and then didn&#8217;t get any practical assistance. I never got a Credit card from them either.</p>
<p>Eventually I requested an ATM card with my name on it rather than a default name – it&#8217;s hard getting retailers to accept a debit card with the name “Speed” – and apparently this new card was guaranteed to work abroad.  Well I never got the chance to find out.  The replacement card which I paid QAR50 for never arrived in my post box and they cancelled my old card within a week of me asking for a new card, leaving me with no way of accessing my money. After checking my post for two weeks I went to the branch again to sort it out; they said that they could issue me an unnamed “Speed” card for QAR50 straight away, only I would have to come back the next day because they didn&#8217;t have one.</p>
<p>I pointed out that I was going to be travelling in three days time and I didn&#8217;t have time to spend another hour waiting the next day for a card which might be there (she couldn&#8217;t guarantee that they would have them the next day) and therefore would they please arrange to transfer the balance of my account to another person I was travelling with.  Her response was that they couldn&#8217;t do transfers that day (it was Saturday) or even schedule a transfer for the next day – I would have to come in again.</p>
<p>At that point I had had enough of the non-existent service and requested that they pay me the balance of my account and immediately close the account.  She was unable to do that either.  I had to go to the reception counter and get them to write me a cheque for cash and then wait 90 minutes for my turn at the cashier to convert it to cash.  However during this 90 minutes they decided to close the branch for an hour and threw everyone who was waiting for service out until they reopened it.</p>
<p>There were also problems with their Internet security and reliability.   About half the time I tried to use the online banking service to make a transfer it came up with service unavailable. The method for adding payees for transfers was laughable.  You added a new payee to the system and entered a telephone number for them to confirm it with you.  They then phoned you within a day or so and asked you to confirm your identity number to authenticate yourself and permit transfers to the payee.  Just in case you forgot your identity number they helpfully displayed it at the top of the page where you entered the telephone number.  Anyone see the basic flaw?</p>
<p>At least I got my money back.  It&#8217;s now been paid into a non-QNB bank account of a friend ready for my next trip.</p>
<p>I&#8217;ve now got to find another bank.  Maybe I&#8217;ll try IBQ this time.</p>
]]></content:encoded>
			<wfw:commentRss>http://ams1.x31.com/~andy/2010/03/qnb-qatar-national-bank-sucks/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>When your ISP blocks incoming SMTP Connections</title>
		<link>http://ams1.x31.com/~andy/2010/01/when-your-isp-blocks-incoming-smtp-connections/</link>
		<comments>http://ams1.x31.com/~andy/2010/01/when-your-isp-blocks-incoming-smtp-connections/#comments</comments>
		<pubDate>Sat, 02 Jan 2010 10:34:09 +0000</pubDate>
		<dc:creator>Andy</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Design]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[postfix]]></category>
		<category><![CDATA[Qatar]]></category>

		<guid isPermaLink="false">http://ams1.x31.com/~andy/?p=2291</guid>
		<description><![CDATA[Things keep changing in Qatar. Just before Christmas the local ISP (QTEL) decided to start blocking inbound port 25 connections to the DSL line I use for work. This posed a problem for me as I run a mail server &#8230; <a href="http://ams1.x31.com/~andy/2010/01/when-your-isp-blocks-incoming-smtp-connections/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Things keep changing in Qatar. Just before Christmas the local ISP (QTEL) decided to start blocking inbound port 25 connections to the DSL line I use for work.  This posed a problem for me as I run a mail server on it using Dynamic DNS for about 80 users. What was particularly irksome was they blocked incoming connections only for locations outside Qatar, not other DSL connections in country.</p>
<p>I don&#8217;t have a problem with ISPs blocking outbound port 25 to anything other than their own mail servers &#8211; that is a sensible anti-spam precaution. However, blocking inbound connections can only be used to prevent the running of mail servers, and the only reason I can think of for them preventing this is to force people to use their MPLS based Internet leased line, which cost over USD 1500/month for 512K last time I looked at the price.</p>
<p>Using <a href="http://nmap.org/">nmap</a> on a server in Amsterdam I quickly discovered it was only port 25 which was blocked. Other ports remained unaffected.</p>
<p>So my problem was to find a way of getting mail into my server using a port other than 25 (SMTP). Internet mail requires access to port 25, so I had to find another machine to forward mail into my ADSL line in Qatar. Fortunately I have access to such machines running <a href="http://www.debian.org/">Debian</a> and <a href="http://www.postfix.org/">postfix</a> in Amsterdam.</p>
<p>The solution turned out to be surprisingly easy:</p>
<p>1. Arrange for the ADSL link gateway to port forward traffic from a free port (I chose 200) to port 25 on the internal mail server. I used <a href="http://www.netfilter.org/">iptables</a> to do this, but the same can be done with almost any ADSL gateway &#8211; look for &#8220;Application Sharing&#8221;. This can be tested by using <a href="http://netcat.sourceforge.net/">netcat</a> (nc) to the gateway from a machine in the outside world (some names obscured):</p>
<p><code> ams1:~# nc www.mydomain.com 200<br />
220 www.mydomain.com ESMTP Postfix (Debian/GNU)<br />
helo www.x31.com<br />
250 www.mydomain.com<br />
quit<br />
221 2.0.0 Bye</code></p>
<p>2. Configure the relay machine (mine is in Amsterdam) to accept mail for the ADSL connected system (my system in Qatar). To do this edit /etc/postfix/main.cf and add the domain to the end of the line (note the use of the comma &#8216;,&#8217;):</p>
<p><code>relay_domains = $mydestination, mydomain.com</code></p>
<p>3. Set up a special delivery transport for mydomain.com. To do this edit /etc/postfix/transport and add the following lines (myddnshost.dyndns.org is the dynamic DNS hostname for my system in Qatar and the 200 is the port number I am using):</p>
<p><code>mydomain.com       smtp:[myddnshost.dyndns.org]:200<br />
.mydomain.com      smtp:[myddnshost.dyndns.org]:200<br />
</code></p>
<p>Now rebuild the map file:<br />
<code>$ postmap /etc/postfix/transport<br />
</code></p>
<p>and edit /etc/postfix/main.cf again. Ensure the following line is present:<br />
<code>transport_maps = hash:/etc/postfix/transport</code></p>
<p>Finally restart postfix:<br />
<code>$ /etc/init.d/postfix restart</code></p>
<p>4. Now update your DNS and point the MX record at the relay machine. Wait for things to settle down (can take a few hours) and your mail will start to be delivered into your ADSL connected server.</p>
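<p>The netcat test from step 1, rewritten as a small Python check (an added example, not code from the original post): it connects to the forwarded port, expects a 220 banner, sends HELO and QUIT, and reports a port that is refused, filtered, or answered by something other than an SMTP server. The local stand-in listener, the HELO name ams1.example.invalid and the banner text are constructed here for an offline run; point smtp_reachable() at your own gateway name and port to test the forward.</p>

```python
import socket
import threading

def _read_reply(f):
    """Read one SMTP reply, joining multi-line '250-...' continuations."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise OSError("connection closed before reply finished")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return "\n".join(lines)

def smtp_reachable(host, port, helo_name="ams1.example.invalid", timeout=5.0):
    """Connect, expect 220, HELO, QUIT. Returns (ok, detail); ok is False when
    the port is refused/filtered or whatever answers is not an SMTP server."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            f = sock.makefile("rb")
            banner = _read_reply(f)
            if not banner.startswith("220"):
                return False, "unexpected banner: " + banner
            sock.sendall(("HELO %s\r\n" % helo_name).encode("ascii"))
            helo = _read_reply(f)
            if not helo.startswith("250"):
                return False, "HELO rejected: " + helo
            sock.sendall(b"QUIT\r\n")
            _read_reply(f)
            return True, banner
    except OSError as exc:  # refused, timed out (filtered by the ISP), reset
        return False, "connect failed: %s" % exc

def start_fake_smtp(banner="220 www.mydomain.com ESMTP Postfix (Debian/GNU)"):
    """Constructed local stand-in for the forwarded Postfix listener (offline
    demo only, not part of the setup). Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            f = conn.makefile("rb")
            conn.sendall((banner + "\r\n").encode("ascii"))
            for line in iter(f.readline, b""):
                if line.upper().startswith(b"QUIT"):
                    conn.sendall(b"221 2.0.0 Bye\r\n")
                    break
                conn.sendall(b"250 www.mydomain.com\r\n")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```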
<p>I run Debian Etch and Lenny systems with a mostly standard postfix configuration which uses hash tables. If your system is different then you may need to specify a different format. The /etc/postfix/transport file is extremely powerful and I recommend you look at &#8220;man transport&#8221; before making changes.</p>
]]></content:encoded>
			<wfw:commentRss>http://ams1.x31.com/~andy/2010/01/when-your-isp-blocks-incoming-smtp-connections/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
	</channel>
</rss>

