USAGE (78012) | USAGE (78064) |
---|---|
1 USAGE | 1 USAGE 2 KAME Project 3 $KAME: USAGE,v 1.33 2000/11/22 10:22:57 itojun Exp $ 4 $FreeBSD: head/share/examples/IPv6/USAGE 78064 2001-06-11 12:39:29Z ume $ |
2 | 5 |
3 KAME Project 4 http://www.kame.net/newsletter/ 5 $FreeBSD: head/share/examples/IPv6/USAGE 78012 2001-06-10 20:25:24Z ume $ 6 | |
7This is a introduction of how to use the commands provided in the KAME 8kit. For more information, please refer to each man page. 9 | 6This is a introduction of how to use the commands provided in the KAME 7kit. For more information, please refer to each man page. 8 |
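Review bot: the introductory sentence still reads "This is a introduction" in both the old and the new text; it should be "This is an introduction", and since this revision resyncs the file with the KAME original (the $KAME$ tag is new in the header), the fix is worth sending upstream as well.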
9 |
|
10<<<ifconfig>>> 11 12A link-local address is automatically assigned to each interface, when 13the interface becomes up for the first time. Even if you find an interface 14without a link-local address, do not panic. The link-local address will be 15assigned when it becomes up (with "ifconfig IF up"). 16 | 10<<<ifconfig>>> 11 12A link-local address is automatically assigned to each interface, when 13the interface becomes up for the first time. Even if you find an interface 14without a link-local address, do not panic. The link-local address will be 15assigned when it becomes up (with "ifconfig IF up"). 16 |
17If you do not see a link-local address assigned to an interface on "ifconfig 18up", the interface does not support IPv6 for some reasons - for example, 19if the interface does not support link-layer multicast (IFF_MULTICAST is not 20set), the interface cannot be used for IPv6. 21 |
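Review bot: the paragraph explaining that an interface which still has no link-local address after "ifconfig up" does not support IPv6 (for example because IFF_MULTICAST is not set) is dropped in the new text with nothing replacing it, leaving the PCMCIA case below as the only explanation offered for a missing link-local address. Suggest keeping it: the IFF_MULTICAST check is the quickest way to tell "not IPv6 capable" apart from "needs a down/up cycle".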
|
17Some network drivers allow an interface to become up even without a 18hardware address (for example, PCMCIA network cards). In such cases, it is 19possible that an interface has no link-local address even if the 20interface is up. If you see such situation, please disable the 21interface once and then re-enable it (i.e. do `ifconfig IF down; 22ifconfig IF up'). 23 | 22Some network drivers allow an interface to become up even without a 23hardware address (for example, PCMCIA network cards). In such cases, it is 24possible that an interface has no link-local address even if the 25interface is up. If you see such situation, please disable the 26interface once and then re-enable it (i.e. do `ifconfig IF down; 27ifconfig IF up'). 28 |
24Pseudo interfaces (like "gif" tunnel device) will borrow IPv6 interface 25identifier (lowermost 64bit of the address) from EUI64/IEEE802 sources, 26like ethernet cards. Pseudo interfaces will be able to get IPv6 link-local 27address, if you have other "real" interface configured beforehand. 28If you have no EUI64/IEEE802 sources on the node, you may need to configure 29link-local address manually. Though we have last-resort code in the kernel, 30which generates interface identifier from MD5(hostname), it may not suitable 31for your usage (for example, if you configure same hostname on both sides 32of gif tunnel, you will be doomed). | 29Pseudo interfaces (like "gif" tunnel device) will borrow IPv6 30interface identifier (lowermost 64bit of the address) from 31EUI64/IEEE802 sources, like ethernet cards. Pseudo interfaces will be 32able to get an IPv6 link-local address, if you have other "real" 33interface configured beforehand. If you have no EUI64/IEEE802 sources 34on the node, we have last-resort code in the kernel, which generates 35interface identifier from MD5(hostname). MD5(hostname) may not be suitable 36for your usage (for example, if you configure same hostname on both sides of 37gif tunnel, you will be doomed), and if so, you may need to configure 38link-local address manually. 39See RFC2472 for more discussion on how to generate an interface ID for 40pseudo interfaces. |
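Review bot: the rewritten pseudo-interface paragraph keeps "you will be doomed" without saying what actually goes wrong when both ends of a gif tunnel share a hostname; because the last-resort code derives the interface identifier from MD5(hostname), both tunnel endpoints end up with the same link-local address, and stating that gives the reader the symptom to check for before falling back to the manual link-local configuration the paragraph recommends.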
33 34If you have a router announcing Router Advertisement, | 41 42If you have a router announcing Router Advertisement, |
35global addresses will be assigned automatically. So, "ifconfig" is not 36necessary for your *host*. (Please refer to "sysctl" section for configuring 37a host to accept Router Advertisement.) | 43global addresses will be assigned automatically. So, neither 44"ifconfig" nor "prefix" is necessary for your *host* (non-router node). 45(Please refer to "sysctl" section for configuring a host to accept 46Router Advertisement.) |
38 39If you want to set up a router, you need to assign global addresses | 47 48If you want to set up a router, you need to assign global addresses |
40for two or more interfaces by "ifconfig" or "prefix". (prefix command 41is described at next section) | 49for two or more interfaces by "ifconfig" or "prefix" (prefix command 50is described at next section). |
42If you want to assign a global address by "ifconfig", don't forget to 43specify the "alias" argument to keep the link-local address. 44 | 51If you want to assign a global address by "ifconfig", don't forget to 52specify the "alias" argument to keep the link-local address. 53 |
45# ifconfig de0 inet6 fec0:0:0:1000:200:f8ff:fe01:6317 alias | 54# ifconfig de0 inet6 3ffe:501:808:1:200:f8ff:fe01:6317 prefixlen 64 alias |
46# ifconfig de0 47de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 | 55# ifconfig de0 56de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 |
48 inet 172.16.202.12 netmask 0xffffff00 broadcast 172.16.202.255 49 inet6 fe80::200:f8ff:fe01:6317%de0 prefixlen 64 50 inet6 fec0:0:0:1000:200:f8ff:fe01:6317 prefixlen 64 51 inet6 fec0:0:0:1000:: prefixlen 64 anycast 52 ether 00:00:f8:01:63:17 53 media: autoselect (10baseT/UTP) status: active 54 supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP | 57 inet6 fe80::200:f8ff:fe01:6317%de0 prefixlen 64 scopeid 0x1 58 inet 163.221.202.12 netmask 0xffffff00 broadcast 163.221.202.255 59 inet6 3ffe:501:808:1:200:f8ff:fe01:6317 prefixlen 64 60 ether 00:00:f8:01:63:17 61 media: 100baseTX status: active |
55 56See also "/etc/rc.network6" for actual examples. 57 58<<prefix>> 59 | 62 63See also "/etc/rc.network6" for actual examples. 64 65<<prefix>> 66 |
60In IPv6 architecture, an IPv6 address of an interface can be generated 61from a prefix assigned to it, and a link-dependent identifier for the 62interface. Assigning a full IPv6 address by ifconfig is not 63necessary anymore, because, user can only take care of prefix, by letting 64system take care of interface identifier. | 67In the IPv6 architecture, an IPv6 address of an interface can be 68generated from a prefix assigned to the interface, and a 69link-dependent identifier for the interface. So assigning a full IPv6 70address by ifconfig is not necessary anymore, because user can only 71take care of prefix, by letting system take care of interface 72identifier. |
65 66The newly added "prefix" command enables user to just assign prefixes 67for interfaces, and let your system automatically generate IPv6 68addresses. Prefixes added by the "prefix" command is maintained in 69the kernel consistently with prefixes assigned by Router | 73 74The newly added "prefix" command enables user to just assign prefixes 75for interfaces, and let your system automatically generate IPv6 76addresses. Prefixes added by the "prefix" command is maintained in 77the kernel consistently with prefixes assigned by Router |
70Renumbering(in case of routers). | 78Advertisement (in case of hosts) and with prefixes assigned by Router 79Renumbering (in case of routers). Manual assignment of prefixes or 80change of prefix properties take precedence over ones assigned by 81Router Advertisement or Router Renumbering. |
71 | 82 |
72But "prefix" command can only be used on router, because host should be 73able to configure its addr automatically. Prefixes added by the "prefix" 74command are maintained independently from prefixes assigned by 75Router Advertisement. Those two type of prefixes should not coexist on 76a machine at the same time, and when it happens, it is considered to be 77miss configuration. | 83prefix command works only on routers. |
78 | 84 |
79Manual assignment of prefixes or change of prefix properties take 80precedence over ones assigned by Router Renumbering. 81 82If you want to assign a prefix(and consequently an address) manually, do | 85If you want to assign a prefix (and consequently address) manually, do |
83as follows: 84 | 86as follows: 87 |
85# prefix de0 fec0:0:0:1000:: | |
86# ifconfig de0 87de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 | 88# ifconfig de0 89de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 |
88 inet 172.16.202.12 netmask 0xffffff00 broadcast 172.16.202.255 89 inet6 fe80:1::200:f8ff:fe01:6317 prefixlen 64 90 inet6 fec0:0:0:1000:200:f8ff:fe01:6317 prefixlen 64 91 inet6 fec0:0:0:1000:: prefixlen 64 anycast 92 ether 00:00:f8:01:63:17 93 media: autoselect (10baseT/UTP) status: active 94 supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP | 90 inet6 fe80::200:f8ff:fe01:6317%de0 prefixlen 64 scopeid 0x1 91 inet 163.221.202.12 netmask 0xffffff00 broadcast 163.221.202.255 92 ether 00:00:f8:01:63:17 93 media: 100baseTX status: active 94# prefix de0 3ffe:501:808:1:: 95# ifconfig de0 96de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 97 inet6 fe80::200:f8ff:fe01:6317%de0 prefixlen 64 scopeid 0x1 98 inet 163.221.202.12 netmask 0xffffff00 broadcast 163.221.202.255 99 inet6 3ffe:501:808:1:200:f8ff:fe01:6317 prefixlen 64 100 ether 00:00:f8:01:63:17 101 media: 100baseTX status: active |
95 | 102 |
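Review bot: the reworked paragraph on prefix maintenance now says prefixes added with the "prefix" command are kept consistent with Router Advertisement prefixes "(in case of hosts)", but the very next paragraph says "prefix command works only on routers", so the host case can never arise as written. Either drop the "(in case of hosts)" clause or restore the old text's explanation of why the command is router-only (hosts autoconfigure their addresses) and what is considered a misconfiguration when both kinds of prefix coexist, which the new text no longer says.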
96To check assigned prefix, use the "ndp" command. (See description of 97ndp command about its usage) | 103To check assigned prefix, use the "ndp" command (See description of 104ndp command about its usage). |
98 99# ndp -p | 105 106# ndp -p |
100fec0:0:0:1000::/64 if=de0 101 flags=LA, vltime=2592000, pltime=604800, expire=Never | 1073ffe:501:808:1::/64 if=de0 108 flags=LA, vltime=2592000, pltime=604800, expire=Never, origin=RR |
102 No advertising router 103 104The "prefix" command also has node internal prefix renumbering 105ability. 106 | 109 No advertising router 110 111The "prefix" command also has node internal prefix renumbering 112ability. 113 |
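Review bot: the "ndp -p" output for the prefix that was just added by hand shows "origin=RR", while the prose above distinguishes manual assignment from Router Renumbering; one sentence on how to read the origin= field for manually added prefixes would stop readers from concluding that a renumbering message was received from somewhere.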
107If you have multiple prefixes which have fec0:0:0:1000:/56 at the top, 108and would like to renumber them to fec0:0:0:2000:/56, then use the | 114If you have multiple prefixes which have 3ffe:501:808:/48 at the top, 115and would like to renumber them to 3ffe:501:4819:/48, then use the |
109"prefix" command with the "matchpr" argument and the "usepr" argument. 110 111Suppose that current state of before renumbering as follows: 112 113# ifconfig de0 114de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 | 116"prefix" command with the "matchpr" argument and the "usepr" argument. 117 118Suppose that current state of before renumbering as follows: 119 120# ifconfig de0 121de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 |
115 inet 172.16.202.12 netmask 0xffffff00 broadcast 172.16.202.255 116 inet6 fe80:1::200:f8ff:fe01:6317 prefixlen 64 117 inet6 fec0:0:0:1000:200:f8ff:fe01:6317 prefixlen 64 118 inet6 fec0:0:0:1000:: prefixlen 64 anycast 119 ether 00:00:f8:01:63:17 120 media: autoselect (10baseT/UTP) status: active 121 supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP 122 | 122 inet6 fe80::200:f8ff:fe01:6317%de0 prefixlen 64 scopeid 0x1 123 inet 163.221.202.12 netmask 0xffffff00 broadcast 163.221.202.255 124 inet6 3ffe:501:808:1:200:f8ff:fe01:6317 prefixlen 64 125 ether 00:00:f8:01:63:17 126 media: 100baseTX status: active |
123# ifconfig de1 124de1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 | 127# ifconfig de1 128de1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 |
125 inet 172.16.203.12 netmask 0xffffff00 broadcast 172.16.203.255 126 inet6 fe80:1::200:f8ff:fe55:7011 prefixlen 64 127 inet6 fec0:0:0:1001:200:f8ff:fe55:7011 prefixlen 64 128 inet6 fec0:0:0:1001:: prefixlen 64 anycast | 129 inet6 fe80::200:f8ff:fe55:7011%de1 prefixlen 64 scopeid 0x2 130 inet 163.221.203.12 netmask 0xffffff00 broadcast 163.221.203.255 131 inet6 3ffe:501:808:2:200:f8ff:fe55:7011 prefixlen 64 |
129 ether 00:00:f8:55:70:11 | 132 ether 00:00:f8:55:70:11 |
130 media: autoselect (10baseT/UTP) status: active 131 supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP 132 | 133 media: 100baseTX status: active |
133# ndp -p | 134# ndp -p |
134fec0:0:0:1000::/64 if=de0 135 flags=LA, vltime=2592000, pltime=604800, expire=Never | 1353ffe:501:808:1::/64 if=de0 136 flags=LA, vltime=2592000, pltime=604800, expire=Never, origin=RR |
136 No advertising router | 137 No advertising router |
137fec0:0:0:1001::/64 if=de1 138 flags=LA, vltime=2592000, pltime=604800, expire=Never | 1383ffe:501:808:2::/64 if=de1 139 flags=LA, vltime=2592000, pltime=604800, expire=Never, origin=RR |
139 No advertising router 140 141Then do as follows: 142 | 140 No advertising router 141 142Then do as follows: 143 |
143# prefix -a matchpr fec0:0:0:1000:: mp_len 56 usepr fec0:0:0:2000:: up_uselen 56 change | 144# prefix -a matchpr 3ffe:501:808:: mp_len 48 usepr 3ffe:501:4819:: up_uselen 48 change |
144 145If command is successful, prefixes and addresses will be renumbered as 146follows. 147 148# ifconfig de0 149de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 | 145 146If command is successful, prefixes and addresses will be renumbered as 147follows. 148 149# ifconfig de0 150de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 |
150 inet 172.16.202.12 netmask 0xffffff00 broadcast 172.16.202.255 151 inet6 fe80:1::200:f8ff:fe01:6317 prefixlen 64 152 inet6 fec0:0:0:2000:200:f8ff:fe01:6317 prefixlen 64 153 inet6 fec0:0:0:2000:: prefixlen 64 anycast 154 ether 00:00:f8:01:63:17 155 media: autoselect (10baseT/UTP) status: active 156 supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP | 151 inet6 fe80::200:f8ff:fe01:6317%de0 prefixlen 64 scopeid 0x1 152 inet 163.221.202.12 netmask 0xffffff00 broadcast 163.221.202.255 153 inet6 3ffe:501:4819:1:200:f8ff:fe01:6317 prefixlen 64 154 ether 00:00:f8:01:63:17 155 media: 100baseTX status: active |
157# ifconfig de1 158de1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 | 156# ifconfig de1 157de1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 |
159 inet 172.16.203.12 netmask 0xffffff00 broadcast 172.16.203.255 160 inet6 fe80:1::200:f8ff:fe55:7011 prefixlen 64 161 inet6 fec0:0:0:2001:200:f8ff:fe55:7011 prefixlen 64 162 inet6 fec0:0:0:2001:: prefixlen 64 anycast | 158 inet6 fe80::200:f8ff:fe55:7011%de0 prefixlen 64 scopeid 0x2 159 inet 163.221.203.12 netmask 0xffffff00 broadcast 163.221.203.255 160 inet6 3ffe:501:4819:2:200:f8ff:fe55:7011 prefixlen 64 |
163 ether 00:00:f8:55:70:11 | 161 ether 00:00:f8:55:70:11 |
164 media: autoselect (10baseT/UTP) status: active 165 supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP | 162 media: 100baseTX status: active |
166# ndp -p | 163# ndp -p |
167fec0:0:0:2000::/64 if=de0 168 flags=LA, vltime=2592000, pltime=604800, expire=Never | 1643ffe:501:4819:1::/64 if=de0 165 flags=LA, vltime=2592000, pltime=604800, expire=Never, origin=RR |
169 No advertising router | 166 No advertising router |
170fec0:0:0:2001::/64 if=de1 171 flags=LA, vltime=2592000, pltime=604800, expire=Never | 1673ffe:501:4819:2::/64 if=de1 168 flags=LA, vltime=2592000, pltime=604800, expire=Never, origin=RR |
172 No advertising router 173 174See also "/etc/rc.network6" for actual examples. 175 | 169 No advertising router 170 171See also "/etc/rc.network6" for actual examples. 172 |
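Review bot: two problems in the renumbering example. The prose writes the prefixes as "3ffe:501:808:/48" and "3ffe:501:4819:/48", which is not valid IPv6 prefix notation (the command line itself uses "3ffe:501:808::"), so they should read "3ffe:501:808::/48" and "3ffe:501:4819::/48". And in the post-renumbering "ifconfig de1" output the link-local address is printed as "fe80::200:f8ff:fe55:7011%de0 ... scopeid 0x2", whereas before renumbering the same interface showed "%de1" with the same scopeid; the link-local address itself is unchanged in both listings, so the "%de0" zone suffix looks like a copy-and-paste slip and should be "%de1".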
173 |
|
176<<<route>>> 177 | 174<<<route>>> 175 |
178If there is a router announcing Router Advertisement on the subnet, 179you don't need to add a default route for your host by yourself. 180(Please refer to "sysctl" section to accept Router Advertisement.) | 176If there is a router announcing Router Advertisement on a subnet, 177you need not to add a default route for your host by hand 178(Please refer to "sysctl" section to accept Router Advertisement). |
181 | 179 |
182If you want to add a default route manually, do as follows: | 180If you want to add a default route manually, do like: |
183 | 181 |
184# route add -inet6 default fe80::200:a2ff:fe0e:7543%de0 | 182# route add -inet6 default fe80::200:a2ff:fe0e:7543%ed0 |
185 | 183 |
186"default" means ::/0. | 184"default" means ::/0. In other cases, if "prefixlen" is omitted, 64 185is assumed for "prefixlen" to get along with the aggregatable address. |
187 | 186 |
188Note that, in IPv6, link-local address should be used as gateway 189("fe80::200:a2ff:fe0e:7543%de1" in the above). If you use global addresses, 190icmp6 redirect may not work properly. For ease of configuration we recommend 191you to avoid static routes and run a routing daemon (route6d for example) 192instead. | 187Note that, in IPv6, a link-local address should be used as gateway 188("fe80::200:a2ff:fe0e:7543%ed0" in the above). If you use global addresses, 189ICMPv6 redirect will not work properly. Also note that we use a special form 190of link-local address as gateway. See Section 1.3 of IMPLEMENTATION for 191more details. 192For ease of configuration we recommend you to avoid static routes and run 193a routing daemon (route6d for example) instead. |
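Review bot: the added sentence that a missing "prefixlen" is taken as 64 states a default that silently installs a wrong route whenever the intended prefix is not a /64, but gives the reader no advice; suggest following it with "give the prefix length explicitly (route's -prefixlen argument) for anything other than default", so a route meant for a /48 or /56 is not installed as a /64. Separately, "you need not to add a default route" in the first paragraph should be "you need not add" or "you do not need to add".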
193 | 194 |
194<<<ping6>>> (This might be integrated into "ping" as "ping -6" in the future.) | |
195 | 195 |
196<<<ping6>>> 197 |
|
196Reachability can be checked by "ping6". This "ping6" allows multicast 197for its argument. 198 | 198Reachability can be checked by "ping6". This "ping6" allows multicast 199for its argument. 200 |
199% ping6 -I xl0 ff02::1 200or 201% ping6 ff02::1%xl0 | 201% ping6 -n -I ed0 ff02::1 |
202 | 202 |
203PING6(56=40+8+8 bytes) fe80::5254:ff:feda:cb7d --> ff02::1 20456 bytes from fe80::5254:ff:feda:cb7d, icmp_seq=0 hlim=64 time=0.25 ms 20556 bytes from fe80::2a0:c9ff:fe84:ed6c, icmp_seq=0 hlim=64 time=1.333 ms(DUP!) 20656 bytes from fe80::5254:ff:feda:d161, icmp_seq=0 hlim=64 time=1.459 ms(DUP!) 20756 bytes from fe80::260:97ff:fec2:80bf, icmp_seq=0 hlim=64 time=1.538 ms(DUP!) | 203PING6(56=40+8+8 bytes) fe80::5254:ff:feda:cb7d --> ff02::1%ed0 20456 bytes from fe80::5254:ff:feda:cb7d%lo0, icmp_seq=0 hlim=64 time=0.25 ms 20556 bytes from fe80::2a0:c9ff:fe84:ed6c%ed0, icmp_seq=0 hlim=64 time=1.333 ms(DUP!) 20656 bytes from fe80::5254:ff:feda:d161%ed0, icmp_seq=0 hlim=64 time=1.459 ms(DUP!) 20756 bytes from fe80::260:97ff:fec2:80bf%ed0, icmp_seq=0 hlim=64 time=1.538 ms(DUP!) 20856 bytes from 3ffe:501:4819:2000:5054:ff:fedb:aa46, icmp_seq=0 hlim=255 time=1.615 ms(DUP!) |
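Review bot: the new example drops the alternative "ping6 ff02::1%xl0" invocation from the old text, so the page no longer shows that a scoped address with the %interface suffix can be given directly on the command line, even though every reply in the new output is printed in exactly that form ("fe80::...%ed0"). Suggest keeping both forms, with the "-n -I ed0" one first.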
208 | 209 |
210 |
|
209<<<ping6 -w>>> 210 211Name resolution is possible by ICMPv6 node information query message. 212This is very convenient for link-local addresses whose host name cannot be 213resolved by DNS. Specify the "-w" option to "ping6". 214 | 211<<<ping6 -w>>> 212 213Name resolution is possible by ICMPv6 node information query message. 214This is very convenient for link-local addresses whose host name cannot be 215resolved by DNS. Specify the "-w" option to "ping6". 216 |
215% ping6 -I xl0 -w ff02::1 | 217% ping6 -n -I ed0 -w ff02::1 |
216 | 218 |
21764 bytes from fe80::5254:ff:feda:cb7d: fto.kame.net 21867 bytes from fe80::5254:ff:feda:d161: banana.kame.net 21969 bytes from fe80::2a0:c9ff:fe84:ebd9: paradise.kame.net 22066 bytes from fe80::260:8ff:fe8b:447f: taroh.kame.net 22166 bytes from fe80::2a0:c9ff:fe84:ed6c: ayame.kame.net | 21964 bytes from fe80::5254:ff:feda:cb7d%lo0: fto.kame.net 22067 bytes from fe80::5254:ff:feda:d161%ed0: banana.kame.net 22169 bytes from fe80::2a0:c9ff:fe84:ebd9%ed0: paradise.kame.net 22266 bytes from fe80::260:8ff:fe8b:447f%ed0: taroh.kame.net 22366 bytes from fe80::2a0:c9ff:fe84:ed6c%ed0: ayame.kame.net 224 |
222 223<<<traceroute6>>> 224 225The route for a target host can be checked by "traceroute6". 226 227% traceroute6 tokyo.v6.wide.ad.jp 228 229traceroute to tokyo.v6.wide.ad.jp (3ffe:501:0:401:200:e8ff:fed5:8923), 30 hops max, 12 byte packets --- 4 unchanged lines hidden (view full) --- 234If the -l option is specified, both address and name are shown in each line. 235% traceroute6 -l tokyo.v6.wide.ad.jp 236 237traceroute to tokyo.v6.wide.ad.jp (3ffe:501:0:401:200:e8ff:fed5:8923), 30 hops max, 12 byte packets 238 1 nr60.v6.kame.net (3ffe:501:4819:2000:260:97ff:fec2:80bf) 1.23 ms 0.952 ms 0.92 ms 239 2 otemachi.v6.wide.ad.jp (3ffe:501:0:1802:260:97ff:feb6:7ff0) 27.345 ms 26.706 ms 26.563 ms 240 3 tokyo.v6.wide.ad.jp (3ffe:501:0:401:200:e8ff:fed5:8923) 26.329 ms 26.36 ms 28.63 ms 241 | 225 226<<<traceroute6>>> 227 228The route for a target host can be checked by "traceroute6". 229 230% traceroute6 tokyo.v6.wide.ad.jp 231 232traceroute to tokyo.v6.wide.ad.jp (3ffe:501:0:401:200:e8ff:fed5:8923), 30 hops max, 12 byte packets --- 4 unchanged lines hidden (view full) --- 237If the -l option is specified, both address and name are shown in each line. 238% traceroute6 -l tokyo.v6.wide.ad.jp 239 240traceroute to tokyo.v6.wide.ad.jp (3ffe:501:0:401:200:e8ff:fed5:8923), 30 hops max, 12 byte packets 241 1 nr60.v6.kame.net (3ffe:501:4819:2000:260:97ff:fec2:80bf) 1.23 ms 0.952 ms 0.92 ms 242 2 otemachi.v6.wide.ad.jp (3ffe:501:0:1802:260:97ff:feb6:7ff0) 27.345 ms 26.706 ms 26.563 ms 243 3 tokyo.v6.wide.ad.jp (3ffe:501:0:401:200:e8ff:fed5:8923) 26.329 ms 26.36 ms 28.63 ms 244 |
245 |
|
242<<<ndp>>> 243 244To display the current Neighbor cache, use "ndp": 245 246% ndp -a 247Neighbor Linklayer Address Netif Expire St Flgs Prbs | 246<<<ndp>>> 247 248To display the current Neighbor cache, use "ndp": 249 250% ndp -a 251Neighbor Linklayer Address Netif Expire St Flgs Prbs |
248nr60.v6.kame.net 0:60:97:c2:80:bf xl0 expired S R 249fec0:0:0:1000:2c0:cff:fe10 0:c0:c:10:3a:53 xl0 permanent R 250paradise.v6.kame.net 52:54:0:dc:52:17 xl0 expired S R 251fe80:1::200:eff:fe49:f929 0:0:e:49:f9:29 xl0 expired S R 252fe80:1::200:86ff:fe05:80da 0:0:86:5:80:da xl0 expired S 253fe80:1::200:86ff:fe05:c2d8 0:0:86:5:c2:d8 xl0 9s R | 252nr60.v6.kame.net 0:60:97:c2:80:bf ed0 expired S R 2533ffe:501:4819:2000:2c0:cff:fe 0:c0:c:10:3a:53 ed0 permanent R 254paradise.v6.kame.net 52:54:0:dc:52:17 ed0 expired S R 255fe80::200:eff:fe49:f929%ed0 0:0:e:49:f9:29 ed0 expired S R 256fe80::200:86ff:fe05:80da%ed0 0:0:86:5:80:da ed0 expired S 257fe80::200:86ff:fe05:c2d8%ed0 0:0:86:5:c2:d8 ed0 9s R |
254 | 258 |
255To flush the all NDP cache, execute the following by root. | 259To flush all of the NDP cache entries, execute the following as root. |
256 257# ndp -c 258 | 260 261# ndp -c 262 |
259To display the prefix list. | 263To display the prefix list: |
260 261% ndp -p | 264 265% ndp -p |
262fec0:0:0::1000::/64 if=xl0 263 flags=LA, vltime=2592000, pltime=604800, expire=29d23h59m58s | 2663ffe:501:4819:2000::/64 if=ed0 267 flags=LA, vltime=2592000, pltime=604800, expire=29d23h59m58s, origin=RA |
264 advertised by | 268 advertised by |
265 fe80::5254:ff:fedc:5217 266 fe80::260:97ff:fec2:80bf 267 fe80::200:eff:fe49:f929 | 269 fe80::5254:ff:fedc:5217%ed0 (reachable) 270 fe80::260:97ff:fec2:80bf%ed0 (reachable) 271 fe80::200:eff:fe49:f929%ed0 (no neighbor state) |
268 | 272 |
269To display the default router list. | 273To display the default router list: |
270 271% ndp -r | 274 275% ndp -r |
272fe80::260:97ff:fec2:80bf if=xl0, flags=, expire=29m55s 273fe80::5254:ff:fedc:5217 if=xl0, flags=, expire=29m7s 274fe80::200:eff:fe49:f929 if=xl0, flags=, expire=28m47s | 276fe80::260:97ff:fec2:80bf if=ed0, flags=, expire=29m55s 277fe80::5254:ff:fedc:5217 if=ed0, flags=, expire=29m7s 278fe80::200:eff:fe49:f929 if=ed0, flags=, expire=28m47s |
275 | 279 |
280 |
|
276<<<rtsol>>> 277 278To generate a Router Solicitation message right now to get global 279addresses, use "rtsol". 280 | 281<<<rtsol>>> 282 283To generate a Router Solicitation message right now to get global 284addresses, use "rtsol". 285 |
281# ifconfig xl0 282xl0: flags=8a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500 283 inet6 fe80:2::2a0:24ff:feab:839b%xl0 prefixlen 64 284 ether 0:a0:24:ab:83:9b 285 media: autoselect (10baseT/UTP) status: active 286 supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP 100baseTX <hw-loopback> | 286# ifconfig ef0 287ef0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> 288 link type ether 0:a0:24:ab:83:9b mtu 1500 speed 10Mbps 289 media 10baseT status active 290 inet6 fe80::2a0:24ff:feab:839b%ef0 prefixlen 64 scopeid 0x2 291# rtsol ef0 292# ifconfig ef0 293ef0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> 294 link type ether 0:a0:24:ab:83:9b mtu 1500 speed 10Mbps 295 media 10baseT status active 296 inet6 fe80::2a0:24ff:feab:839b%ef0 prefixlen 64 scopeid 0x2 297 inet6 3ffe:501:4819:2000:2a0:24ff:feab:839b prefixlen 64 |
287 | 298 |
288# rtsol xl0 289# ifconfig xl0 290xl0: flags=8a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500 291 inet6 fe80:2::2a0:24ff:feab:839b%xl0 prefixlen 64 292 inet6 fec0:0:0:1000:2a0:24ff:feab:839b prefixlen 64 293 ether 0:a0:24:ab:83:9b 294 media: autoselect (10baseT/UTP) status: active 295 supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP 100baseTX <hw-loopback> | |
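Review bot: the "ifconfig ef0" output in the rewritten rtsol example is in a different format from every other ifconfig listing on the page ("flags=8863<...NOTRAILERS...>", "link type ether ... speed 10Mbps", "media 10baseT status active" instead of "flags=8843<...> mtu 1500", "ether ...", "media: ... status: active"), which suggests it was captured on a different system; for the FreeBSD copy the example should be regenerated on FreeBSD so readers can match it against their own output.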
296 | 299 |
297 | |
298<<<rtsold>>> 299 300rtsold is a daemon version of rtsol. If you run KAME IPv6 on a laptop 301computer and frequently move with it, the daemon is useful since it watches 302the interface and sends router solicitations when the status of the interface 303changes. Note, however, that the feature is disabled by default. Please | 300<<<rtsold>>> 301 302rtsold is a daemon version of rtsol. If you run KAME IPv6 on a laptop 303computer and frequently move with it, the daemon is useful since it watches 304the interface and sends router solicitations when the status of the interface 305changes. Note, however, that the feature is disabled by default. Please |
304add -m option at invocation of rtsold. | 306add -m option when invocation of rtsold. |
305 306rtsold also supports multiple interfaces. For example, you can 307invoke the daemon as follows: | 307 308rtsold also supports multiple interfaces. For example, you can 309invoke the daemon as follows: |
310 |
|
308# rtsold -m ep0 cnw0 309 | 311# rtsold -m ep0 cnw0 312 |
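Review bot: the change from "add -m option at invocation of rtsold" to "add -m option when invocation of rtsold" is a grammar regression; "add the -m option when invoking rtsold" reads correctly and matches the "rtsold -m ep0 cnw0" example that follows.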
313 |
|
310<<<netstat>>> 311 312To see routing table: | 314<<<netstat>>> 315 316To see routing table: |
313 | 317 |
314# netstat -nr | 318# netstat -nr |
315# netstat -nrl (long format with Ref and Use) | 319# netstat -nrl 320 long format with Ref and Use. Note that bsdi4 does not support the 321 -l option. You should use the -O option instead. |
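Review bot: the added note that "bsdi4 does not support the -l option" and that "-O" should be used instead is BSD/OS-specific and does not apply to the $FreeBSD$ copy of this file, where "netstat -nrl" works as the line above shows; suggest leaving it out here, or marking it as applying to the KAME kit on BSD/OS only, rather than pointing FreeBSD readers at an option the page does not otherwise describe.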
316 | 322 |
323 |
|
317<<<sysctl>>> 318 319If "net.inet6.ip6.accept_rtadv" is 1, Router Advertisement is 320accepted. This means that global addresses and default route are 321automatically set up. Otherwise, the announcement is rejected. The 322default value is 0. To set "net.inet6.ip6.accept_rtadv" to 1, execute 323as follows: 324 325# sysctl -w net.inet6.ip6.accept_rtadv=1 326 | 324<<<sysctl>>> 325 326If "net.inet6.ip6.accept_rtadv" is 1, Router Advertisement is 327accepted. This means that global addresses and default route are 328automatically set up. Otherwise, the announcement is rejected. The 329default value is 0. To set "net.inet6.ip6.accept_rtadv" to 1, execute 330as follows: 331 332# sysctl -w net.inet6.ip6.accept_rtadv=1 333 |
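Review bot: the sysctl section says what "net.inet6.ip6.accept_rtadv=1" does but not when to leave it at the default of 0; since turning it on makes the node take its global addresses and default route from whatever Router Advertisement it hears on the link, and the ifconfig section says routers assign their global addresses by hand, it is worth adding that the default is the right setting for a router, and for any node whose default route should not be chosen by a neighbour on the link.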
334 |
|
327<<<gifconfig>>> 328 329"gif" interface enables you to perform IPv{4,6} over IPv{4,6} 330protocol tunneling. To use this interface, you must specify the 331outer IPv{4,6} address by using gifconfig, like: 332 | 335<<<gifconfig>>> 336 337"gif" interface enables you to perform IPv{4,6} over IPv{4,6} 338protocol tunneling. To use this interface, you must specify the 339outer IPv{4,6} address by using gifconfig, like: 340 |
333# gifconfig gif0 172.16.198.61 172.16.11.21 | 341# gifconfig gif0 163.221.198.61 163.221.11.21 |
334 335"ifconfig gif0" will configure the address pair used for inner 336IPv{4,6} header. 337 338It is not required to configure inner IPv{4,6} address pair. If 339you do not configure inner IPv{4,6} address pair, tunnel link is 340considered as un-numbered link and the source address of inner 341IPv{4,6} address pair will be borrowed from other interfaces. 342 343The following example configures un-numbered IPv6-over-IPv4 tunnel: 344# gifconfig gif0 10.0.0.1 10.0.0.1 netmask 255.255.255.0 345 346The following example configures numbered IPv6-over-IPv4 tunnel: 347# gifconfig gif0 10.0.0.1 10.0.0.1 netmask 255.255.255.0 | 342 343"ifconfig gif0" will configure the address pair used for inner 344IPv{4,6} header. 345 346It is not required to configure inner IPv{4,6} address pair. If 347you do not configure inner IPv{4,6} address pair, tunnel link is 348considered as un-numbered link and the source address of inner 349IPv{4,6} address pair will be borrowed from other interfaces. 350 351The following example configures un-numbered IPv6-over-IPv4 tunnel: 352# gifconfig gif0 10.0.0.1 10.0.0.1 netmask 255.255.255.0 353 354The following example configures numbered IPv6-over-IPv4 tunnel: 355# gifconfig gif0 10.0.0.1 10.0.0.1 netmask 255.255.255.0 |
348# ifconfig gif0 inet6 fec0:0:0:3000::1 fec0:0:0:3000::2 prefixlen 64 alias | 356# ifconfig gif0 inet6 3ffe:501:808:5::1 3ffe:501:808:5::2 prefixlen 64 alias |
349 350IPv6 spec allows you to use point-to-point link without global IPv6 351address assigned to the interface. Routing protocol (such as RIPng) 352uses link-local addresses only. If you are to configure IPv6-over-IPv4 353tunnel, you need not to configure an address pair for inner IPv6 354header. We suggest you to use the former example (un-numbered | 357 358IPv6 spec allows you to use point-to-point link without global IPv6 359address assigned to the interface. Routing protocol (such as RIPng) 360uses link-local addresses only. If you are to configure IPv6-over-IPv4 361tunnel, you need not to configure an address pair for inner IPv6 362header. We suggest you to use the former example (un-numbered |
355IPv6-over-IPv4 tunnel) to connect to 6bone for simplicity, 356for router to router connection. | 363IPv6-over-IPv4 tunnel) to connect to 6bone for simplicity. |
357 358Note that it is so easy to make an infinite routing loop using gif 359interface, if you configure a tunnel using the same protocol family 360for inner and outer header (i.e. IPv4-over-IPv4). 361 362Refer to gifconfig(8) for more details. 363 | 364 365Note that it is so easy to make an infinite routing loop using gif 366interface, if you configure a tunnel using the same protocol family 367for inner and outer header (i.e. IPv4-over-IPv4). 368 369Refer to gifconfig(8) for more details. 370 |
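Review bot: the "un-numbered" and "numbered" tunnel examples both read "gifconfig gif0 10.0.0.1 10.0.0.1 netmask 255.255.255.0", so the two cases differ only in the ifconfig line that follows, and the command itself uses the same address for both outer endpoints plus a "netmask" argument that does not appear in the gifconfig form shown earlier ("gifconfig gif0 163.221.198.61 163.221.11.21"). Suggest giving two distinct outer addresses in that earlier form and dropping "netmask", so the examples are something a reader can copy.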
371 372<<<6to4>>> 373 374WARNING: malicious party can abuse 6to4 relay routers/sites, read through 375internet draft draft-itojun-ipv6-transition-abuse-xx.txt before configuring it. 376 377"stf" interface enables you to perform 6to4 IPv6-over-IPv4 encapsulation, 378as documented in draft-ietf-ngtrans-6to4-06.txt. See stf(4) for details. 379 380 |
|
364<<<inetd>>> 365 366Inetd supports AF_INET and AF_INET6 sockets, with IPsec policy 367configuration support. 368 369Refer to inetd(8) for more details. 370 | 381<<<inetd>>> 382 383Inetd supports AF_INET and AF_INET6 sockets, with IPsec policy 384configuration support. 385 386Refer to inetd(8) for more details. 387 |
388 |
|
371<<<IPsec>>> 372 | 389<<<IPsec>>> 390 |
373The current KAME supports both transport mode and tunnel mode. 374However, tunnel mode comes with some restrictions. 375http://www.kame.net/newsletter/ has more comprehensive examples. | 391IPsec requires fairly complex configuration, so here we show transport 392mode only. http://www.kame.net/newsletter/ has more comprehensive 393examples. |
376 | 394 |
377Let's setup security association to deploy a secure channel between | 395Let us setup security association to deploy a secure channel between |
378HOST A (10.2.3.4) and HOST B (10.6.7.8). Here we show a little 379complicated example. From HOST A to HOST B, only old AH is used. 380From HOST B to HOST A, new AH and new ESP are combined. | 396HOST A (10.2.3.4) and HOST B (10.6.7.8). Here we show a little 397complicated example. From HOST A to HOST B, only old AH is used. 398From HOST B to HOST A, new AH and new ESP are combined. |
381 | 399 |
382Now we should choose algorithm to be used corresponding to "AH"/"new 383AH"/"ESP"/"new ESP". Please refer to the "setkey" man page to know 384algorithm names. Our choice is MD5 for AH, new-HMAC-SHA1 for new AH, 385and new-DES-expIV with 8 byte IV for new ESP. 386 387Key length highly depends on each algorithm. For example, key 388length must be equal to 16 bytes for MD5, 20 for new-HMAC-SHA1, 389and 8 for new-DES-expIV. Now we choose "MYSECRETMYSECRET", 390"KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively. 391 | 400Now we should choose algorithm to be used corresponding to "AH"/"new 401AH"/"ESP"/"new ESP". Please refer to the "setkey" man page to know 402algorithm names. Our choice is MD5 for AH, new-HMAC-SHA1 for new AH, 403and new-DES-expIV with 8 byte IV for new ESP. 404 405Key length highly depends on each algorithm. For example, key 406length must be equal to 16 bytes for MD5, 20 for new-HMAC-SHA1, 407and 8 for new-DES-expIV. Now we choose "MYSECRETMYSECRET", 408"KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively. 409 |
392OK, let's assign SPI (Security Parameter Index) for each protocol. | 410OK, let us assign SPI (Security Parameter Index) for each protocol. |
393Please note that we need 3 SPIs for this secure channel since three 394security headers are produced (one for from HOST A to HOST B, two for 395from HOST B to HOST A). Please also note that SPI MUST be greater 396than or equal to 256. We choose, 1000, 2000, and 3000, respectively. 397 398 399 (1) 400 HOST A ------> HOST B 401 402 (1)PROTO=AH 403 ALG=MD5(RFC1826) 404 KEY=MYSECRETMYSECRET 405 SPI=1000 406 407 (2.1) 408 HOST A <------ HOST B 409 <------ | 411Please note that we need 3 SPIs for this secure channel since three 412security headers are produced (one for from HOST A to HOST B, two for 413from HOST B to HOST A). Please also note that SPI MUST be greater 414than or equal to 256. We choose, 1000, 2000, and 3000, respectively. 415 416 417 (1) 418 HOST A ------> HOST B 419 420 (1)PROTO=AH 421 ALG=MD5(RFC1826) 422 KEY=MYSECRETMYSECRET 423 SPI=1000 424 425 (2.1) 426 HOST A <------ HOST B 427 <------ |
410 (2.2) | 428 (2.2) |
411 412 (2.1) 413 PROTO=AH 414 ALG=new-HMAC-SHA1(new AH) 415 KEY=KAMEKAMEKAMEKAMEKAME 416 SPI=2000 417 418 (2.2) 419 PROTO=ESP 420 ALG=new-DES-expIV(new ESP) 421 IV length = 8 422 KEY=PASSWORD 423 SPI=3000 424 | 429 430 (2.1) 431 PROTO=AH 432 ALG=new-HMAC-SHA1(new AH) 433 KEY=KAMEKAMEKAMEKAMEKAME 434 SPI=2000 435 436 (2.2) 437 PROTO=ESP 438 ALG=new-DES-expIV(new ESP) 439 IV length = 8 440 KEY=PASSWORD 441 SPI=3000 442 |
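Review bot: The description of (1) does not match the command that installs it: the prose says "only old AH is used" and the diagram labels it "ALG=MD5(RFC1826)", but the add line below is "add 10.2.3.4 10.6.7.8 ah 1000 -m transport -A keyed-md5 "MYSECRETMYSECRET" ;", and in setkey syntax "ah" is the current AH while the RFC1826 variant is "ah-old" (the gateway example removed further down used "ah-old" for exactly that case). Either change the protocol keyword to ah-old or drop the "old AH" / RFC1826 wording and describe (1) simply as AH with keyed-md5.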
425Now, let's setup security association. Execute "setkey" on both HOST | 443Now, let us setup security association. Execute "setkey" on both HOST |
426A and B: 427 428# setkey -c 429add 10.2.3.4 10.6.7.8 ah 1000 -m transport -A keyed-md5 "MYSECRETMYSECRET" ; 430add 10.6.7.8 10.2.3.4 ah 2000 -m transport -A hmac-sha1 "KAMEKAMEKAMEKAMEKAME" ; 431add 10.6.7.8 10.2.3.4 esp 3000 -m transport -E des-cbc "PASSWORD" ; 432^D 433 434Actually, IPsec communication doesn't process until security policy 435entries will be defined. In this case, you must setup each host. 436 437At A: 438# setkey -c 439spdadd 10.2.3.4 10.6.7.8 any -P out ipsec 440 ah/transport/10.2.3.4-10.6.7.8/require ; 441^D 442 443At B: 444spdadd 10.6.7.8 10.2.3.4 any -P out ipsec | 444A and B: 445 446# setkey -c 447add 10.2.3.4 10.6.7.8 ah 1000 -m transport -A keyed-md5 "MYSECRETMYSECRET" ; 448add 10.6.7.8 10.2.3.4 ah 2000 -m transport -A hmac-sha1 "KAMEKAMEKAMEKAMEKAME" ; 449add 10.6.7.8 10.2.3.4 esp 3000 -m transport -E des-cbc "PASSWORD" ; 450^D 451 452Actually, IPsec communication doesn't process until security policy 453entries will be defined. In this case, you must setup each host. 454 455At A: 456# setkey -c 457spdadd 10.2.3.4 10.6.7.8 any -P out ipsec 458 ah/transport/10.2.3.4-10.6.7.8/require ; 459^D 460 461At B: 462spdadd 10.6.7.8 10.2.3.4 any -P out ipsec |
445 esp/transport/10.6.7.8-10.2.3.4/require ; 446spdadd 10.6.7.8 10.2.3.4 any -P out ipsec 447 ah/transport/10.6.7.8-10.2.3.4/require ; | 463 esp/transport//require 464 ah/transport//require ; |
448^D 449 450To utilize the security associations installed into the kernel, you 451must set the socket security level by using setsockopt(). 452This is per-application (or per-socket) security. For example, 453the "ping" command has the -P option with parameter to enable AH and/or ESP. 454 455For example: 456% ping -P "out ipsec \ | 465^D 466 467To utilize the security associations installed into the kernel, you 468must set the socket security level by using setsockopt(). 469This is per-application (or per-socket) security. For example, 470the "ping" command has the -P option with parameter to enable AH and/or ESP. 471 472For example: 473% ping -P "out ipsec \ |
457 ah/transport/10.0.1.1-10.0.2.2/use \ | 474 ah/transport//use \ |
458 esp/tunnel/10.0.1.1-10.0.1.2/require" 10.0.2.2 459 460If there are proper SAs, this policy specification causes ICMP packet 461to be AH transport mode inner ESP tunnel mode like below. 462 463 HOST C -----------> GATEWAY D ----------> HOST E 464 10.0.1.1 10.0.1.2 10.0.2.1 10.0.2.2 465 | | | | 466 | ======= ESP ======= | 467 ==================== AH ================== 468 469 | 475 esp/tunnel/10.0.1.1-10.0.1.2/require" 10.0.2.2 476 477If there are proper SAs, this policy specification causes ICMP packet 478to be AH transport mode inner ESP tunnel mode like below. 479 480 HOST C -----------> GATEWAY D ----------> HOST E 481 10.0.1.1 10.0.1.2 10.0.2.1 10.0.2.2 482 | | | | 483 | ======= ESP ======= | 484 ==================== AH ================== 485 486 |
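Review bot: Merging B's two spdadd entries into one policy, "spdadd 10.6.7.8 10.2.3.4 any -P out ipsec esp/transport//require ah/transport//require ;", is the right fix: the previous text added two separate policies for the identical selector, and a second spdadd for a selector that already has a policy is not merged with the first, so the "new AH and new ESP are combined" behaviour described above was never expressed; a single policy listing both requests does express it, and listing ESP before AH matches the ordering rule the removed SA bundle example stated (the first request is applied first), so AH ends up outermost. Two leftovers in this region: the block under "At B:" starts directly with spdadd and lacks the "# setkey -c" invocation line that the "At A:" block has, so the "^D" after it has nothing to terminate; and the ping example's "ah/transport//use" now omits the endpoint addresses while "esp/tunnel/10.0.1.1-10.0.1.2/require" keeps them, which is consistent with the transport-mode form used for the SPD entries above but deserves a half-sentence explaining why the addresses may be left out in transport mode and not in tunnel mode.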
470 471Another example using IPv6. 472 473ESP transport mode is recommended for TCP port number 110 between Host-A and 474Host-B. 475 476 ============ ESP ============ 477 | | 478 Host-A Host-B 479 fec0::10 -------------------- fec0::11 480 481Encryption algorithm is blowfish-cbc whose key is "kamekame", and 482authentication algorithm is hmac-sha1 whose key is "this is the test key". 483Configuration at Host-A: 484 485 # setkey -c <<EOF 486 spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec 487 esp/transport/fec0::10-fec0::11/use ; 488 spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec 489 esp/transport/fec0::11-fec0::10/use ; 490 add fec0::10 fec0::11 esp 0x10001 491 -m transport 492 -E blowfish-cbc "kamekame" 493 -A hmac-sha1 "this is the test key" ; 494 add fec0::11 fec0::10 esp 0x10002 495 -m transport 496 -E blowfish-cbc "kamekame" 497 -A hmac-sha1 "this is the test key" ; 498 EOF 499 500and at Host-B: 501 502 # setkey -c <<EOF 503 spdadd fec0::11[110] fec0::10[any] tcp -P out ipsec 504 esp/transport/fec0::11-fec0::10/use ; 505 spdadd fec0::10[any] fec0::11[110] tcp -P in ipsec 506 esp/transport/fec0::10-fec0::11/use ; 507 add fec0::10 fec0::11 esp 0x10001 -m transport 508 -E blowfish-cbc "kamekame" 509 -A hmac-sha1 "this is the test key" ; 510 add fec0::11 fec0::10 esp 0x10002 -m transport 511 -E blowfish-cbc "kamekame" 512 -A hmac-sha1 "this is the test key" ; 513 EOF 514 515Note the direction of SP. 516 517 518Tunnel mode between two security gateways 519 520Security protocol is old AH tunnel mode, i.e. specified by RFC1826, with 521keyed-md5 whose key is "this is the test" as authentication algorithm. 
522 523 ======= AH ======= 524 | | 525 Network-A Gateway-A Gateway-B Network-B 526 10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24 527 528Configuration at Gateway-A: 529 530 # setkey -c <<EOF 531 spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec 532 ah/tunnel/172.16.0.1-172.16.0.2/require ; 533 spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec 534 ah/tunnel/172.16.0.2-172.16.0.1/require ; 535 add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any 536 -A keyed-md5 "this is the test" ; 537 add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any 538 -A keyed-md5 "this is the test" ; 539 540If port number field is omitted such above then "[any]" is employed. `-m' 541specifies the mode of SA to be used. "-m any" means wild-card of mode of 542security protocol. You can use this SA for both tunnel and transport mode. 543 544and at Gateway-B: 545 546 # setkey -c <<EOF 547 spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec 548 ah/tunnel/172.16.0.2-172.16.0.1/require ; 549 spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec 550 ah/tunnel/172.16.0.1-172.16.0.2/require ; 551 add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any 552 -A keyed-md5 "this is the test" ; 553 add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any 554 -A keyed-md5 "this is the test" ; 555 556 557Making SA bundle between two security gateways 558 559AH transport mode and ESP tunnel mode is required between Gateway-A and 560Gateway-B. In this case, ESP tunnel mode is applied first, and AH transport 561mode is next. 562 563 ========== AH ========= 564 | ======= ESP ===== | 565 | | | | 566 Network-A Gateway-A Gateway-B Network-B 567 fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64 568 569Encryption algorithm is 3des-cbc, and authentication algorithm for ESP is 570hmac-sha1. Authentication algorithm for AH is hmac-md5. 
571Configuration at Gateway-A: 572 573 # setkey -c <<EOF 574 spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec 575 esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require 576 ah/transport/fec0:0:0:1::1-fec0:0:0:2::1/require ; 577 spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec 578 esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require 579 ah/transport/fec0:0:0:2::1-fec0:0:0:1::1/require ; 580 add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001 -m tunnel 581 -E 3des-cbc "kamekame12341234kame1234" 582 -A hmac-sha1 "this is the test key" ; 583 add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001 -m transport 584 -A hmac-md5 "this is the test" ; 585 add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001 -m tunnel 586 -E 3des-cbc "kamekame12341234kame1234" 587 -A hmac-sha1 "this is the test key" ; 588 add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001 -m transport 589 -A hmac-md5 "this is the test" ; 590 591 592Making SAs with the different end 593 594ESP tunnel mode is required between Host-A and Gateway-A. Encryption 595algorithm is cast128-cbc, and authentication algorithm for ESP is hmac-sha1. 596ESP transport mode is recommended between Host-A and Host-B. Encryption 597algorithm is rc5-cbc, and authentication algorithm for ESP is hmac-md5. 
598 599 ================== ESP ================= 600 | ======= ESP ======= | 601 | | | | 602 Host-A Gateway-A Host-B 603 fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2 604 605Configuration at Host-A: 606 607 # setkey -c <<EOF 608 spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec 609 esp/transport/fec0:0:0:1::1-fec0:0:0:2::2/use 610 esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ; 611 spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec 612 esp/transport/fec0:0:0:2::2-fec0:0:0:l::1/use 613 esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ; 614 add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001 615 -m transport 616 -E cast128-cbc "12341234" 617 -A hmac-sha1 "this is the test key" ; 618 add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002 619 -E rc5-cbc "kamekame" 620 -A hmac-md5 "this is the test" ; 621 add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003 622 -m transport 623 -E cast128-cbc "12341234" 624 -A hmac-sha1 "this is the test key" ; 625 add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004 626 -E rc5-cbc "kamekame" 627 -A hmac-md5 "this is the test" ; 628 | |
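Review bot: Removing the four worked examples ("Another example using IPv6", "Tunnel mode between two security gateways", "Making SA bundle between two security gateways", "Making SAs with the different end") is defensible given the shape they were in, because as deleted they carried bugs a reader copying them would hit: the typo "fec0:0:0:l::1" (letter l) in "esp/transport/fec0:0:0:2::2-fec0:0:0:l::1/use", the inbound policy "spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any]" naming Gateway-A rather than Host-B, the Host-A SAs using cast128-cbc for the transport SA and rc5-cbc for the tunnel SA (with no "-m tunnel") while the prose above them says the reverse, and every heredoc after the first example opening with "# setkey -c <<EOF" but never being closed with EOF. The cost is that the section now has no complete tunnel mode or SA bundle example at all; the gateway-to-gateway tunnel example was the only one illustrating "-m any" and policies on network prefixes, so consider keeping that one, with its EOF terminators added, rather than dropping everything.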
629<<<EDNS0>>> 630 631EDNS0 is defined in RFC2671. With EDNS0, the resolver library can tell DNS 632server of its receiving buffer size, and permit DNS server to transmit large 633reply packet. EDNS0 is necessary to take advantage of larger minimum MTU 634in IPv6. KAME libinet6 includes resolver side support for EDNS0. 635Server side support for EDNS0 is included in ISC BIND9. 636 --- 18 unchanged lines hidden (view full) --- 655 "options edns0" against BIND 4/8 DNS server, you will never be able 656 to resolve names. 657- If you use IPv6 UDP as DNS transport, path MTU discovery may 658 affect the traffic. KAME box tries to fragment packet to 1280 659 bytes, however, BIND9 may not. 660- Some of our platforms do not use our extended resolver code in libinet6. 661 See COVERAGE for detail. 662 | 487<<<EDNS0>>> 488 489EDNS0 is defined in RFC2671. With EDNS0, the resolver library can tell DNS 490server of its receiving buffer size, and permit DNS server to transmit large 491reply packet. EDNS0 is necessary to take advantage of larger minimum MTU 492in IPv6. KAME libinet6 includes resolver side support for EDNS0. 493Server side support for EDNS0 is included in ISC BIND9. 494 --- 18 unchanged lines hidden (view full) --- 513 "options edns0" against BIND 4/8 DNS server, you will never be able 514 to resolve names. 515- If you use IPv6 UDP as DNS transport, path MTU discovery may 516 affect the traffic. KAME box tries to fragment packet to 1280 517 bytes, however, BIND9 may not. 518- Some of our platforms do not use our extended resolver code in libinet6. 519 See COVERAGE for detail. 520 |
521 522<<Further readings>> 523 524http://www.netbsd.org/Documentation/network/ipv6/ 525 Even if you are on non-netbsd operating system, the URL should be 526 useful. 527http://www.kame.net/ 528 |
|
663 <end of USAGE> | 529 <end of USAGE> |
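Review bot: The new "<<Further readings>>" heading uses two angle brackets where every other section in this file uses three ("<<<6to4>>>", "<<<inetd>>>", "<<<IPsec>>>", "<<<EDNS0>>>"); make it "<<<Further readings>>>" so the section is found by anyone searching on the heading pattern. In the first entry, "Even if you are on non-netbsd operating system" should read "Even if you are on a non-NetBSD operating system".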