Brian A. Seklecki | 1 Jul 2009 01:30

Re: Cannot get IPv6 router working

On Tue, 2009-06-30 at 21:10 +0100, Roy Marples wrote:
> I get an inet6 fe80: address on pppoe0 which indicates IP6CP worked.

Shouldn't your WAN interface get IP space in 2000::/3 (via NDP or
PPPoE)?

FE80::/10 is reserved by IANA for link-local (autoconfig).

I don't see it being able to actually route.

Also, what /64 are you handing out to your ath0/LAN interface?  Are you
handing it out via rtadvd(8)?  What does rtadvd.conf(5) look like?

~BAS

Steven M. Bellovin | 1 Jul 2009 03:29

Re: Cannot get IPv6 router working

On Tue, 30 Jun 2009 19:30:57 -0400
"Brian A. Seklecki" <seklecki <at> noc.cfi.pgh.pa.us> wrote:

> On Tue, 2009-06-30 at 21:10 +0100, Roy Marples wrote:
> > I get an inet6 fe80: address on pppoe0 which indicates IP6CP worked.
> 
> Shouldn't your WAN interface get IP space in 2000::/3 (via NDP or
> PPPoE)?
> 
> FE80::/10 is reserved by IANA for link-local (autoconfig).
> 
> I don't see it being able to actually route.
> 
> Also, what /64 are you handing out to your ath0/LAN interface?  Are
> you handing it out via rtadvd(8)?  What does rtadvd.conf(5) look like?
> 
I'm having rtadvd troubles, too, with or without rtadvd.conf.

tcpdump shows the messages being received, on both another NetBSD box
and a Mac.  Neither is creating non-link-local addresses with the
advertised prefix.  Both machines have correctly used v6 elsewhere.
Yes, I have the NetBSD box (both the advertiser and receiver are
running very recent -current) configured to accept router
advertisements:

	net.inet6.ip6.accept_rtadv = 1

Here's a tcpdump of the received message, with the addresses edited for
privacy:


Roy Marples | 1 Jul 2009 09:48

Re: Cannot get IPv6 router working

On Wednesday 01 July 2009 00:30:57 Brian A. Seklecki wrote:
> On Tue, 2009-06-30 at 21:10 +0100, Roy Marples wrote:
> > I get an inet6 fe80: address on pppoe0 which indicates IP6CP worked.
>
> Shouldn't your WAN interface get IP space in 2000::/3 (via NDP or
> PPPoE)?
>
> FE80::/10 is reserved by IANA for link-local (autoconfig).
>
> I don't see it being able to actually route.

There is a 2a01 address assigned to the wireless card, it should be able to 
route from there.

> Also, what /64 are you handing out to your ath0/LAN interface?  Are you
> handing it out via rtadvd(8)?  What does rtadvd.conf(5) look like?

rtadvd is handing it out.
I don't use a config - I didn't need to for the previous IPv6 tunnel I ran on 
the same box and I don't see why I should need to now.

And yes, I do have ip6 forwarding enabled in the kernel, ip6mode is set to 
router.

Thanks

Roy

Roy Marples | 1 Jul 2009 11:11

Re: Cannot get IPv6 router working

Roy Marples wrote:
> My NetBSD-5 IPv6 PPPoE router doesn't want to route :/

Turns out it was a problem with the PF firewall configuration

Faulty line:
nat on $ext_if from !($ext_if) -> ($ext_if:0)

Fixed line:
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)

So basically we only NAT IPv4 traffic.

Anyone mind if I update /usr/share/examples/pf/faq-example1 to reflect 
this, or is this a bug with PF?

Thanks

Roy
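
A check for the pitfall in the message above, as an added example that is not part of the original post or of PF: it scans pf.conf text for nat/rdr/binat rules that name neither `inet` nor `inet6`. The sample config is constructed except for the two nat lines Roy posted, and the function names are hypothetical.

```python
import re

# Constructed sample pf.conf; only the two nat lines come from the message above.
SAMPLE_PF_CONF = r"""
ext_if = "pppoe0"
int_if = "ath0"
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
rdr on $ext_if \
    inet proto tcp from any to any port 80 -> 192.0.2.10 port 8080  # constructed
pass in on $int_if inet6 all
"""

# Translation rules in the "nat on ..." syntax used in the message.
TRANSLATION = re.compile(r"^(?:no\s+)?(nat|rdr|binat)\s")
AF_KEYWORDS = {"inet", "inet6"}


def logical_lines(text):
    """Yield (first_line_number, rule) with comments stripped and
    backslash continuations joined into one rule."""
    buf, start = "", None
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # heuristic: '#' starts a comment
        if start is None:
            start = num
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, " ".join(buf.split())
        buf, start = "", None


def translation_rules_without_af(text):
    """Return [(line_number, rule)] for nat/rdr/binat rules with no
    address family keyword."""
    findings = []
    for num, rule in logical_lines(text):
        if TRANSLATION.match(rule) and not AF_KEYWORDS & set(rule.split()):
            findings.append((num, rule))
    return findings


if __name__ == "__main__":
    for num, rule in translation_rules_without_af(SAMPLE_PF_CONF):
        print(f"line {num}: no address family keyword: {rule}")
```
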

Ignatios Souvatzis | 1 Jul 2009 11:20

Re: Cannot get IPv6 router working

On Tue, Jun 30, 2009 at 07:30:57PM -0400, Brian A. Seklecki wrote:
> On Tue, 2009-06-30 at 21:10 +0100, Roy Marples wrote:
> > I get an inet6 fe80: address on pppoe0 which indicates IP6CP worked.
> 
> Shouldn't your WAN interface get IP space in 2000::/3 (via NDP or
> PPPoE)?
> 
> FE80::/10 is reserved by IANA for link-local (autoconfig).
> 
> I don't see it being able to actually route.

That's wrong. *If* there is a router listening on a link-local address
at the other end,

( ping6 ff02::1%pppoe0 to find the list of hosts on the link. )

it will work fine using that as the destination, or actually doing
what Roy wrote below should be ok, too, for PPP.

> I get an inet6 fe80: address on pppoe0 which indicates IP6CP
> worked.
> I add the route
>    -inet6 default fe80::2 -iface -ifp pppoe0
> add a /64 address from my /48 block to ath0 in the same box.

HTH
	-is

Greg Troxel | 1 Jul 2009 13:51

Re: Cannot get IPv6 router working


"Steven M. Bellovin" <smb <at> cs.columbia.edu> writes:

> 21:26:30.393860 IP6 (hlim 255, next-header: ICMPv6 (58), length: 56) fe80::211:xxxx:xxxx:xxxx > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 56
>         hop limit 64, Flags [none], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
>           source link-address option (1), length 8 (1): 00:yy:yy:yy:yy:yy
>             0x0000:  00yy yyyy yyyy
>           prefix info option (3), length 32 (4): 2001:zzz:z:zzz::/56, Flags [onlink, auto], valid time 2592000s, pref. time 604800s
>             0x0000:  38c0 0027 8d00 0009 3a80 0000 0000 2001
>             0x0010:  zzzz zzzz zzzz 0000 0000 0000 0000
>
> Both speak v6 successfully with manually configured v6 addresses on that
> net.

/56??  It's fine for you to get a /56 from your provider (static or
BGP), but the convention is that prefixes for a link are /64.  So that's
probably running afoul of a sanity check later, at least for stateless
autoconfiguration.

If you have a /56, then that leaves you 8 bits for subnets.  Assuming
your tunnel uses some other addresses from your provider, I would assign
subnet 1 to your lan, and then use more as needed.

Hence 2001:pppp:pppp:ppp1::/64 as your prefix.
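
The prefix information option from the quoted tcpdump, decoded and run through the address-formation checks of RFC 4862 section 5.5.3, as an added example that is not part of the original message. The redacted `zzzz` prefix bytes are replaced with a constructed documentation prefix (2001:db8:0:100::), the function names are hypothetical, and a 64-bit interface identifier is assumed.

```python
import ipaddress
import struct

# Option body as tcpdump printed it in the message (the type and length bytes
# are not part of that dump). The redacted "zzzz" bytes are replaced with a
# constructed documentation prefix, 2001:db8:0:100::.
PIO_BODY = bytes.fromhex(
    "38c0 0027 8d00 0009 3a80 0000 0000 2001 "
    "0db8 0000 0100 0000 0000 0000 0000"
)


def parse_prefix_info(body):
    """Decode the 30-byte body of an ICMPv6 Prefix Information option."""
    if len(body) != 30:
        raise ValueError(f"expected 30 bytes, got {len(body)}")
    plen, flags, valid, preferred, raw = struct.unpack("!BBII4x16s", body)
    if plen > 128:
        raise ValueError(f"invalid prefix length {plen}")
    addr = ipaddress.IPv6Address(raw)
    return {
        "prefix": ipaddress.IPv6Network((addr, plen), strict=False),
        "on_link": bool(flags & 0x80),      # L flag
        "autonomous": bool(flags & 0x40),   # A flag
        "valid": valid,
        "preferred": preferred,
    }


def slaac_problems(info, iid_bits=64):
    """Reasons a host following RFC 4862 section 5.5.3 would not form an
    address from this option; an empty list means it is usable."""
    problems = []
    if not info["autonomous"]:
        problems.append("A flag not set")
    if info["prefix"].is_link_local:
        problems.append("link-local prefix")
    if info["preferred"] > info["valid"]:
        problems.append("preferred lifetime exceeds valid lifetime")
    plen = info["prefix"].prefixlen
    if plen + iid_bits != 128:
        problems.append(f"prefix length {plen} + {iid_bits}-bit interface ID != 128")
    return problems


if __name__ == "__main__":
    info = parse_prefix_info(PIO_BODY)
    print(info["prefix"], slaac_problems(info) or "usable for SLAAC")
```
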

Steven Bellovin | 1 Jul 2009 15:25

Re: Cannot get IPv6 router working


On Jul 1, 2009, at 7:51 AM, Greg Troxel wrote:

>
> "Steven M. Bellovin" <smb <at> cs.columbia.edu> writes:
>
>> 21:26:30.393860 IP6 (hlim 255, next-header: ICMPv6 (58), length:  
>> 56) fe80::211:xxxx:xxxx:xxxx > ff02::1: [icmp6 sum ok] ICMP6,  
>> router advertisement, length 56
>>        hop limit 64, Flags [none], pref medium, router lifetime  
>> 1800s, reachable time 0s, retrans time 0s
>>          source link-address option (1), length 8 (1):  
>> 00:yy:yy:yy:yy:yy
>>            0x0000:  00yy yyyy yyyy
>>          prefix info option (3), length 32 (4): 2001:zzz:z:zzz::/ 
>> 56, Flags [onlink, auto], valid time 2592000s, pref. time 604800s
>>            0x0000:  38c0 0027 8d00 0009 3a80 0000 0000 2001
>>            0x0010:  zzzz zzzz zzzz 0000 0000 0000 0000
>>
>> Both speak v6 successfully with manually configured v6 addresses on  
>> that
>> net.
>
> /56??  It's fine for you to get a /56 from your provider (static or
> BGP), but the convention is that prefixes for a link are /64.  So  
> that's
> probably running afoul of a sanity check later, at least for stateless
> autoconfiguration.
>
> If you have a /56, then that leaves you 8 bits for subnets.  Assuming

David Brownlee | 1 Jul 2009 17:18

Re: aireplay-ng / Intel 4965 AGN

> From: Victor Dorneanu <victor <at> dornea.nu>
>
> Hello tech-net!
>
> I'm new to this mailing list and I hope this is the right place to put my 
> question.
>
> Due to my work as pentester, I've been using the aircrack-ng suite for 
> many years. A few weeks ago I've installed NetBSD 5.0 on my laptop and now 
> I'd like to fully "substitute" Linux by NetBSD. But there is one problem: 
> In order to generate arbitrary packets and such stuff (using aireplay), 
> I'll have to patch my driver as the man page indicates:
>
>       aireplay-ng supports single-NIC injection/monitor.
>       This feature needs driver patching.
>
> Is there any driver patch available (see below for hardware 
> specifications)? Or are there any other tools for these purposes?
>
> My hardware specifications:
> WiFi: 003:00:0: Intel PRO/Wireless LAN 4965AGN Mini-PCI Adapter 
> (miscellaneous network, revision 0x61)

I'm not aware of any such patches... Is there a specific API that aireplay 
is using to inject the packets?

Roy Marples | 1 Jul 2009 18:26

IPV6 router works, but clients fail

OK, I'm almost there with IPv6 now. The router is working fine by itself 
with IPv6. My test site is http://www.goscomb.net as it's my ISP and the 
transport is pure IPv6

wget -6 http://www.goscomb.net
works fine.

Clients at first appear fine as well, and can connect to 
ipv6.google.com, however this fails
wget -6 http://www.goscomb.net

What is really odd is the traceroute6 from ftp.netbsd.org to the client

$ traceroute6 2a01:348:31:2:20e:2eff:fe66:36ec
traceroute6 to 2a01:348:31:2:20e:2eff:fe66:36ec 
(2a01:348:31:2:20e:2eff:fe66:36ec) from 2001:4f8:3:7:230:48ff:fe31:43f2, 
64 hops max, 12 byte packets
  1  2001:4f8:3:7::1  1.363 ms  1.27 ms  0.734 ms
  2  int-0-1-0-0-606.r1.sfo2.isc.org  4.614 ms  4.901 ms  5.393 ms
  3  int-3-0-0.r1.pao1.isc.org  2.274 ms  1.964 ms  1.913 ms
  4  ge-1-11.r03.plalca01.us.bb.gin.ntt.net  2.35 ms  2.049 ms  2.315 ms
  5  ae-3.r21.plalca01.us.bb.gin.ntt.net  2.257 ms  2.236 ms  2.157 ms
  6  ae-1.r20.snjsca04.us.bb.gin.ntt.net  3.763 ms  3.527 ms  3.804 ms
  7  as-1.r21.chcgil09.us.bb.gin.ntt.net  59.208 ms  64.015 ms  64.135 ms
  8  ae-0.r20.chcgil09.us.bb.gin.ntt.net  59.49 ms  59.861 ms  64.139 ms
  9  as-1.r21.nycmny01.us.bb.gin.ntt.net  79.759 ms  78.668 ms  78.344 ms
10  ae-0.r20.nycmny01.us.bb.gin.ntt.net  83.645 ms  83.981 ms  83.694 ms
11  as-1.r22.londen03.uk.bb.gin.ntt.net  151.626 ms  155.074 ms  155.082 ms
12  po-4.r01.londen03.uk.bb.gin.ntt.net  316.029 ms  244.966 ms  350.231 ms
13  2001:728:0:5000::6e  156.617 ms  280.137 ms  153.643 ms

Brian A. Seklecki | 1 Jul 2009 23:40

Re: Cannot get IPv6 router working

On Wed, 2009-07-01 at 10:11 +0100, Roy Marples wrote:
> 
> So basically we only NAT IPv4 traffic.

Just out of curiosity:  Does this mean your provider is handing you
FE80::/10 space on the WAN?  

This reminds me of ISPs that used to hand out RFC1918 IPv4 space for
WANs on DSL/Cable.

It works, IIRC, but foreign traceroutes always time out at your
next-hop-router (or next-two depending on how extensive the ISP's
private network is).

I just assumed that we were past all of that using V6

> 
> Anyone mind if I update /usr/share/examples/pf/faq-example1 to
> reflect this, or is this a bug with PF?

Definitely!

