				USAGE
				KAME Project
	$KAME: USAGE,v 1.33 2000/11/22 10:22:57 itojun Exp $
	$FreeBSD$

This is an introduction to the commands provided in the KAME kit.
For more information, please refer to each man page.


<<<ifconfig>>>

A link-local address is automatically assigned to each interface when
the interface becomes up for the first time. Even if you find an interface
without a link-local address, do not panic. The link-local address will be
assigned when it becomes up (with "ifconfig IF up").

If you do not see a link-local address assigned to an interface after
"ifconfig IF up", the interface does not support IPv6 for some reason. For
example, if the interface does not support link-layer multicast
(IFF_MULTICAST is not set), the interface cannot be used for IPv6.

Some network drivers allow an interface to become up even without a
hardware address (for example, PCMCIA network cards). In such cases, it is
possible that an interface has no link-local address even though the
interface is up. If you see such a situation, please disable the
interface once and then re-enable it (i.e. do `ifconfig IF down;
ifconfig IF up').

Pseudo interfaces (like the "gif" tunnel device) will borrow the IPv6
interface identifier (lowermost 64 bits of the address) from
EUI64/IEEE802 sources, like ethernet cards. Pseudo interfaces will be
able to get an IPv6 link-local address if you have another "real"
interface configured beforehand. If you have no EUI64/IEEE802 sources
on the node, we have last-resort code in the kernel which generates the
interface identifier from MD5(hostname).
MD5(hostname) may not be suitable
for your usage: for example, if you configure the same hostname on both
sides of a gif tunnel, both ends derive the same interface identifier and
hence the same link-local address, and the tunnel will not work. If so, you
may need to configure the link-local address manually.
See RFC2472 for more discussion on how to generate an interface ID for
pseudo interfaces.

If you have a router announcing Router Advertisement,
global addresses will be assigned automatically. So neither
"ifconfig" nor "prefix" is necessary for your *host* (non-router node).
(Please refer to the "sysctl" section for configuring a host to accept
Router Advertisement.)

If you want to set up a router, you need to assign global addresses
for two or more interfaces by "ifconfig" or "prefix" (the prefix command
is described in the next section).
If you want to assign a global address by "ifconfig", don't forget to
specify the "alias" argument to keep the link-local address.

# ifconfig de0 inet6 3ffe:501:808:1:200:f8ff:fe01:6317 prefixlen 64 alias
# ifconfig de0
de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80::200:f8ff:fe01:6317%de0 prefixlen 64 scopeid 0x1
	inet 163.221.202.12 netmask 0xffffff00 broadcast 163.221.202.255
	inet6 3ffe:501:808:1:200:f8ff:fe01:6317 prefixlen 64
	ether 00:00:f8:01:63:17
	media: 100baseTX status: active

See also "/etc/rc.network6" for actual examples.

<<<prefix>>>

In the IPv6 architecture, an IPv6 address of an interface can be
generated from a prefix assigned to the interface, and a
link-dependent identifier for the interface.
So assigning a full IPv6
address by ifconfig is no longer necessary: the user only has to take
care of the prefix, and lets the system take care of the interface
identifier.

The newly added "prefix" command enables the user to just assign prefixes
to interfaces, and lets your system automatically generate IPv6
addresses. Prefixes added by the "prefix" command are maintained in
the kernel consistently with prefixes assigned by Router
Advertisement (in the case of hosts) and with prefixes assigned by Router
Renumbering (in the case of routers). Manual assignment of prefixes or
change of prefix properties takes precedence over ones assigned by
Router Advertisement or Router Renumbering.

The prefix command works only on routers.

If you want to assign a prefix (and consequently an address) manually, do
as follows:

# ifconfig de0
de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80::200:f8ff:fe01:6317%de0 prefixlen 64 scopeid 0x1
	inet 163.221.202.12 netmask 0xffffff00 broadcast 163.221.202.255
	ether 00:00:f8:01:63:17
	media: 100baseTX status: active
# prefix de0 3ffe:501:808:1::
# ifconfig de0
de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80::200:f8ff:fe01:6317%de0 prefixlen 64 scopeid 0x1
	inet 163.221.202.12 netmask 0xffffff00 broadcast 163.221.202.255
	inet6 3ffe:501:808:1:200:f8ff:fe01:6317 prefixlen 64
	ether 00:00:f8:01:63:17
	media: 100baseTX status: active

To check the assigned prefix, use the "ndp" command (see the description
of the ndp command below for its usage).

# ndp -p
3ffe:501:808:1::/64 if=de0
  flags=LA, vltime=2592000, pltime=604800, expire=Never, origin=RR
  No advertising router

The "prefix" command also has node-internal prefix renumbering
ability.

If you have multiple prefixes which have 3ffe:501:808::/48 at the top,
and would like to renumber them to 3ffe:501:4819::/48, then use the
"prefix" command with the "matchpr" argument and the "usepr" argument.

Suppose that the state before renumbering is as follows:

# ifconfig de0
de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80::200:f8ff:fe01:6317%de0 prefixlen 64 scopeid 0x1
	inet 163.221.202.12 netmask 0xffffff00 broadcast 163.221.202.255
	inet6 3ffe:501:808:1:200:f8ff:fe01:6317 prefixlen 64
	ether 00:00:f8:01:63:17
	media: 100baseTX status: active
# ifconfig de1
de1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80::200:f8ff:fe55:7011%de1 prefixlen 64 scopeid 0x2
	inet 163.221.203.12 netmask 0xffffff00 broadcast 163.221.203.255
	inet6 3ffe:501:808:2:200:f8ff:fe55:7011 prefixlen 64
	ether 00:00:f8:55:70:11
	media: 100baseTX status: active
# ndp -p
3ffe:501:808:1::/64 if=de0
  flags=LA, vltime=2592000, pltime=604800, expire=Never, origin=RR
  No advertising router
3ffe:501:808:2::/64 if=de1
  flags=LA, vltime=2592000, pltime=604800, expire=Never, origin=RR
  No advertising router

Then do as follows:

# prefix -a matchpr 3ffe:501:808:: mp_len 48 usepr 3ffe:501:4819:: up_uselen 48 change

If the command
is successful, prefixes and addresses will be renumbered as
follows.

# ifconfig de0
de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80::200:f8ff:fe01:6317%de0 prefixlen 64 scopeid 0x1
	inet 163.221.202.12 netmask 0xffffff00 broadcast 163.221.202.255
	inet6 3ffe:501:4819:1:200:f8ff:fe01:6317 prefixlen 64
	ether 00:00:f8:01:63:17
	media: 100baseTX status: active
# ifconfig de1
de1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80::200:f8ff:fe55:7011%de1 prefixlen 64 scopeid 0x2
	inet 163.221.203.12 netmask 0xffffff00 broadcast 163.221.203.255
	inet6 3ffe:501:4819:2:200:f8ff:fe55:7011 prefixlen 64
	ether 00:00:f8:55:70:11
	media: 100baseTX status: active
# ndp -p
3ffe:501:4819:1::/64 if=de0
  flags=LA, vltime=2592000, pltime=604800, expire=Never, origin=RR
  No advertising router
3ffe:501:4819:2::/64 if=de1
  flags=LA, vltime=2592000, pltime=604800, expire=Never, origin=RR
  No advertising router

See also "/etc/rc.network6" for actual examples.


<<<route>>>

If there is a router announcing Router Advertisement on a subnet,
you need not add a default route for your host by hand
(please refer to the "sysctl" section to accept Router Advertisement).

If you want to add a default route manually, do as follows:

# route add -inet6 default fe80::200:a2ff:fe0e:7543%ed0

"default" means ::/0. In other cases, if "prefixlen" is omitted, 64
is assumed for "prefixlen", to fit the aggregatable address format.

Note that, in IPv6, a link-local address should be used as the gateway
("fe80::200:a2ff:fe0e:7543%ed0" in the above). If you use global addresses,
ICMPv6 redirect will not work properly. Also note that we use a special form
of link-local address (with the "%interface" scope suffix) as the gateway.
See Section 1.3 of IMPLEMENTATION for more details.
For ease of configuration we recommend that you avoid static routes and run
a routing daemon (route6d for example) instead.


<<<ping6>>>

Reachability can be checked by "ping6". This "ping6" accepts a multicast
address as its argument.

% ping6 -n -I ed0 ff02::1

PING6(56=40+8+8 bytes) fe80::5254:ff:feda:cb7d --> ff02::1%ed0
56 bytes from fe80::5254:ff:feda:cb7d%lo0, icmp_seq=0 hlim=64 time=0.25 ms
56 bytes from fe80::2a0:c9ff:fe84:ed6c%ed0, icmp_seq=0 hlim=64 time=1.333 ms(DUP!)
56 bytes from fe80::5254:ff:feda:d161%ed0, icmp_seq=0 hlim=64 time=1.459 ms(DUP!)
56 bytes from fe80::260:97ff:fec2:80bf%ed0, icmp_seq=0 hlim=64 time=1.538 ms(DUP!)
56 bytes from 3ffe:501:4819:2000:5054:ff:fedb:aa46, icmp_seq=0 hlim=255 time=1.615 ms(DUP!)


<<<ping6 -w>>>

Name resolution is possible by the ICMPv6 node information query message.
This is very convenient for link-local addresses whose host name cannot be
resolved by DNS. Specify the "-w" option to "ping6". Note that any node on
the link can send the same query, so the replies to a multicast query
enumerate every responding node on the link together with its name.

% ping6 -n -I ed0 -w ff02::1

64 bytes from fe80::5254:ff:feda:cb7d%lo0: fto.kame.net
67 bytes from fe80::5254:ff:feda:d161%ed0: banana.kame.net
69 bytes from fe80::2a0:c9ff:fe84:ebd9%ed0: paradise.kame.net
66 bytes from fe80::260:8ff:fe8b:447f%ed0: taroh.kame.net
66 bytes from fe80::2a0:c9ff:fe84:ed6c%ed0: ayame.kame.net


<<<traceroute6>>>

The route to a target host can be checked by "traceroute6".

% traceroute6 tokyo.v6.wide.ad.jp

traceroute to tokyo.v6.wide.ad.jp (3ffe:501:0:401:200:e8ff:fed5:8923), 30 hops max, 12 byte packets
 1  nr60.v6.kame.net  1.239 ms  0.924 ms  0.908 ms
 2  otemachi.v6.wide.ad.jp  28.953 ms  31.451 ms  26.567 ms
 3  tokyo.v6.wide.ad.jp  26.549 ms  26.58 ms  26.186 ms

If the -l option is specified, both address and name are shown in each line.
% traceroute6 -l tokyo.v6.wide.ad.jp

traceroute to tokyo.v6.wide.ad.jp (3ffe:501:0:401:200:e8ff:fed5:8923), 30 hops max, 12 byte packets
 1  nr60.v6.kame.net (3ffe:501:4819:2000:260:97ff:fec2:80bf)  1.23 ms  0.952 ms  0.92 ms
 2  otemachi.v6.wide.ad.jp (3ffe:501:0:1802:260:97ff:feb6:7ff0)  27.345 ms  26.706 ms  26.563 ms
 3  tokyo.v6.wide.ad.jp (3ffe:501:0:401:200:e8ff:fed5:8923)  26.329 ms  26.36 ms  28.63 ms


<<<ndp>>>

To display the current Neighbor cache, use "ndp":

% ndp -a
Neighbor                      Linklayer Address  Netif Expire    St Flgs Prbs
nr60.v6.kame.net              0:60:97:c2:80:bf   ed0   expired   S  R
3ffe:501:4819:2000:2c0:cff:fe 0:c0:c:10:3a:53    ed0   permanent R
paradise.v6.kame.net          52:54:0:dc:52:17   ed0   expired   S  R
fe80::200:eff:fe49:f929%ed0   0:0:e:49:f9:29     ed0   expired   S  R
fe80::200:86ff:fe05:80da%ed0  0:0:86:5:80:da     ed0   expired   S
fe80::200:86ff:fe05:c2d8%ed0  0:0:86:5:c2:d8     ed0   9s        R

To flush all of the NDP cache entries, execute the following as root.

# ndp -c

To display the prefix list:

% ndp -p
3ffe:501:4819:2000::/64 if=ed0
  flags=LA, vltime=2592000, pltime=604800, expire=29d23h59m58s, origin=RA
  advertised by
    fe80::5254:ff:fedc:5217%ed0 (reachable)
    fe80::260:97ff:fec2:80bf%ed0 (reachable)
    fe80::200:eff:fe49:f929%ed0 (no neighbor state)

To display the default router list:

% ndp -r
fe80::260:97ff:fec2:80bf if=ed0, flags=, expire=29m55s
fe80::5254:ff:fedc:5217 if=ed0, flags=, expire=29m7s
fe80::200:eff:fe49:f929 if=ed0, flags=, expire=28m47s


<<<rtsol>>>

To generate a Router Solicitation message right now to get global
addresses, use "rtsol".

# ifconfig ef0
ef0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST>
	link type ether 0:a0:24:ab:83:9b mtu 1500 speed 10Mbps
	media 10baseT status active
	inet6 fe80::2a0:24ff:feab:839b%ef0 prefixlen 64 scopeid 0x2
# rtsol ef0
# ifconfig ef0
ef0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST>
	link type ether 0:a0:24:ab:83:9b mtu 1500 speed 10Mbps
	media 10baseT status active
	inet6 fe80::2a0:24ff:feab:839b%ef0 prefixlen 64 scopeid 0x2
	inet6 3ffe:501:4819:2000:2a0:24ff:feab:839b prefixlen 64


<<<rtsold>>>

rtsold is a daemon version of rtsol. If you run KAME IPv6 on a laptop
computer and frequently move with it, the daemon is useful since it watches
the interface and sends router solicitations when the status of the interface
changes.
Note, however, that this feature is disabled by default. Please
add the -m option when invoking rtsold.

rtsold also supports multiple interfaces. For example, you can
invoke the daemon as follows:

# rtsold -m ep0 cnw0


<<<netstat>>>

To see the routing table:

# netstat -nr
# netstat -nrl
	long format with Ref and Use. Note that bsdi4 does not support the
	-l option. You should use the -O option instead.


<<<sysctl>>>

If "net.inet6.ip6.accept_rtadv" is 1, Router Advertisement is
accepted. This means that global addresses and the default route are
automatically set up. Otherwise, the announcement is rejected. The
default value is 0. To set "net.inet6.ip6.accept_rtadv" to 1, execute
as follows:

# sysctl net.inet6.ip6.accept_rtadv=1

Because accepting Router Advertisement lets any node on the link install
a default route and address prefixes on your host, enable it only on links
where you trust every node that can send Router Advertisement.


<<<gifconfig>>>

The "gif" interface enables you to perform IPv{4,6} over IPv{4,6}
protocol tunneling. To use this interface, you must specify the
outer IPv{4,6} addresses by using gifconfig, like:

# gifconfig gif0 163.221.198.61 163.221.11.21

"ifconfig gif0" will configure the address pair used for the inner
IPv{4,6} header.

It is not required to configure the inner IPv{4,6} address pair. If
you do not configure the inner IPv{4,6} address pair, the tunnel link is
considered an un-numbered link and the source address of the inner
IPv{4,6} address pair will be borrowed from other interfaces.
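The un-numbered tunnel borrows its inner source address from another interface, and the ifconfig section above explained where a pseudo interface's 64-bit interface identifier comes from: an EUI64/IEEE802 source such as an ethernet card, or, as a last resort, MD5(hostname). The following is an added example, not KAME code: it derives both kinds of identifier, reproduces the de0 addresses shown earlier from the ether address 00:00:f8:01:63:17, and demonstrates the failure the ifconfig section warns about, two tunnel ends with the same hostname ending up with the same link-local address. The exact bit handling in hostname_iid is an assumption for this example; the kernel's code may differ, but the collision does not depend on it.

```python
# Added example, not KAME code: how a 64-bit interface identifier is
# derived, and why MD5(hostname) fails on a tunnel whose ends share a name.
import hashlib
import ipaddress

MAC = "00:00:f8:01:63:17"   # the de0 "ether" address from the ifconfig section


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit IEEE 802 address: split the MAC in the
    middle, insert ff:fe, and invert the universal/local bit (0x02 of the
    first octet) as RFC 2373 requires."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit IEEE 802 address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def hostname_iid(hostname: str) -> bytes:
    """Last-resort identifier for a node with no EUI64/IEEE802 source.
    Assumption for this example: the first 8 bytes of MD5(hostname), with
    the group bit (0x01) cleared and the u/l bit (0x02) set; the kernel's
    exact bit handling may differ."""
    digest = hashlib.md5(hostname.encode()).digest()
    first = (digest[0] & 0xFE) | 0x02
    return bytes([first]) + digest[1:8]


def link_local(iid: bytes, ifname: str) -> str:
    """fe80::/64 plus the identifier, with the %ifname scope suffix ifconfig
    prints for link-local addresses."""
    packed = b"\xfe\x80" + bytes(6) + iid
    return str(ipaddress.IPv6Address(packed)) + "%" + ifname


def address_from_prefix(prefix: str, iid: bytes) -> str:
    """What "prefix IF PREFIX" produces: a /64 prefix plus the interface id."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("interface identifiers are 64 bits; the prefix must be /64")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def tunnel_ends_collide(hostname_a: str, hostname_b: str) -> bool:
    """True when two nodes without EUI64 sources derive the same identifier,
    i.e. the "same hostname on both sides of a gif tunnel" case."""
    return hostname_iid(hostname_a) == hostname_iid(hostname_b)


if __name__ == "__main__":
    iid = eui64_iid(MAC)
    print(link_local(iid, "de0"))                           # fe80::200:f8ff:fe01:6317%de0
    print(address_from_prefix("3ffe:501:808:1::/64", iid))  # 3ffe:501:808:1:200:f8ff:fe01:6317
    # Hostnames are constructed for the example. Both ends named "gw" get
    # identical link-local addresses; distinct names avoid the collision.
    for a, b in (("gw", "gw"), ("gw-tokyo", "gw-osaka")):
        print(a, b, "collide" if tunnel_ends_collide(a, b) else "distinct")
```

The EUI-64 path is what makes "fe80::200:f8ff:fe01:6317" predictable from "00:00:f8:01:63:17"; the MD5 path is only as unique as the hostnames are, which is why two tunnel endpoints must not share one.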

The following example configures an un-numbered IPv6-over-IPv4 tunnel:
# gifconfig gif0 10.0.0.1 10.0.0.1 netmask 255.255.255.0

The following example configures a numbered IPv6-over-IPv4 tunnel:
# gifconfig gif0 10.0.0.1 10.0.0.1 netmask 255.255.255.0
# ifconfig gif0 inet6 3ffe:501:808:5::1 3ffe:501:808:5::2 prefixlen 64 alias

The IPv6 spec allows you to use a point-to-point link without a global IPv6
address assigned to the interface. Routing protocols (such as RIPng)
use link-local addresses only. If you are configuring an IPv6-over-IPv4
tunnel, you need not configure an address pair for the inner IPv6
header. We suggest using the former example (un-numbered
IPv6-over-IPv4 tunnel) to connect to the 6bone, for simplicity.

Note that it is very easy to create an infinite routing loop with a gif
interface if you configure a tunnel using the same protocol family
for inner and outer header (e.g. IPv4-over-IPv4): if the route to the
outer destination points back into the tunnel, packets are encapsulated
again and again.

Refer to gifconfig(8) for more details.


<<<6to4>>>

WARNING: a malicious party can abuse 6to4 relay routers/sites. Read through
the internet draft draft-itojun-ipv6-transition-abuse-xx.txt before
configuring it.

The "stf" interface enables you to perform 6to4 IPv6-over-IPv4 encapsulation,
as documented in draft-ietf-ngtrans-6to4-06.txt. See stf(4) for details.


<<<inetd>>>

Inetd supports AF_INET and AF_INET6 sockets, with IPsec policy
configuration support.

Refer to inetd(8) for more details.


<<<IPsec>>>

IPsec requires fairly complex configuration, so here we show transport
mode only. http://www.kame.net/newsletter/ has more comprehensive
examples.

Let us set up security associations to deploy a secure channel between
HOST A (10.2.3.4) and HOST B (10.6.7.8). Here we show a slightly more
complicated example. From HOST A to HOST B, only old AH is used.
From HOST B to HOST A, new AH and new ESP are combined.

Now we should choose the algorithm to be used for each of "AH"/"new
AH"/"ESP"/"new ESP". Please refer to the "setkey" man page for the
algorithm names. Our choice is MD5 for AH, new-HMAC-SHA1 for new AH,
and new-DES-expIV with 8 byte IV for new ESP.

Key length depends on the algorithm. For example, the key
length must be exactly 16 bytes for MD5, 20 for new-HMAC-SHA1,
and 8 for new-DES-expIV. Now we choose "MYSECRETMYSECRET",
"KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively. Printable strings like
these are fine for a walk-through but carry far less entropy than their
length suggests; for real use, generate keys from a random source and give
them to setkey in hexadecimal (0x...) form rather than as quoted text.

OK, let us assign an SPI (Security Parameter Index) for each protocol.
Please note that we need 3 SPIs for this secure channel since three
security headers are produced (one from HOST A to HOST B, two from
HOST B to HOST A). Please also note that an SPI MUST be greater
than or equal to 256 (lower values are reserved). We choose 1000, 2000,
and 3000, respectively.
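Before typing the commands by hand, it is worth checking the plan mechanically. The following is an added example, not part of KAME: it encodes the rules stated above (key length per algorithm, SPI at or above 256, one SPI per security header) and emits the setkey(8) "add" and "spdadd" lines for each host, the same lines the rest of this section shows. The algorithm names keyed-md5, hmac-sha1 and des-cbc are setkey's names for the choices above; hosts, keys and SPIs are the ones in the text. Keyed MD5 and single DES are long obsolete and appear here only to match the walk-through.

```python
# Added example, not KAME code: check an IPsec SA plan against the rules
# stated above and emit the setkey(8) lines that install it.
from dataclasses import dataclass

# Key sizes in bytes for the setkey algorithm names used in this section
# (MD5 for old AH, new-HMAC-SHA1, new-DES-expIV).
KEY_BYTES = {"keyed-md5": 16, "hmac-sha1": 20, "des-cbc": 8}
AUTH_ALGS = {"keyed-md5", "hmac-sha1"}
ENC_ALGS = {"des-cbc"}
SPI_MIN = 256            # values below 256 are reserved
# The SPD lists protocols in processing order: ESP first, then AH, as
# HOST B's policy in this section does, so AH covers the ESP-protected packet.
SPD_ORDER = {"esp": 0, "ah": 1}


@dataclass(frozen=True)
class SA:
    src: str
    dst: str
    proto: str   # "ah" or "esp"
    spi: int
    alg: str
    key: str


# The plan from the text: one AH from A to B, AH plus ESP from B to A.
HOST_A, HOST_B = "10.2.3.4", "10.6.7.8"
PLAN = [
    SA(HOST_A, HOST_B, "ah", 1000, "keyed-md5", "MYSECRETMYSECRET"),
    SA(HOST_B, HOST_A, "ah", 2000, "hmac-sha1", "KAMEKAMEKAMEKAMEKAME"),
    SA(HOST_B, HOST_A, "esp", 3000, "des-cbc", "PASSWORD"),
]


def validate(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    errors, seen = [], set()
    for sa in plan:
        tag = f"{sa.proto} spi={sa.spi} {sa.src}->{sa.dst}"
        if not SPI_MIN <= sa.spi <= 0xFFFFFFFF:
            errors.append(f"{tag}: SPI must be in {SPI_MIN}..4294967295")
        if (sa.dst, sa.proto, sa.spi) in seen:
            errors.append(f"{tag}: SPI reused for the same destination and protocol")
        seen.add((sa.dst, sa.proto, sa.spi))
        allowed = AUTH_ALGS if sa.proto == "ah" else ENC_ALGS if sa.proto == "esp" else set()
        if sa.alg not in allowed:
            errors.append(f"{tag}: {sa.alg} is not a {sa.proto} algorithm")
            continue
        want, got = KEY_BYTES[sa.alg], len(sa.key.encode())
        if got != want:
            errors.append(f"{tag}: {sa.alg} needs a {want}-byte key, got {got}")
    return errors


def setkey_add(sa):
    """One SAD entry in setkey 'add' syntax (transport mode, as in the text)."""
    flag = "-A" if sa.proto == "ah" else "-E"
    return f'add {sa.src} {sa.dst} {sa.proto} {sa.spi} -m transport {flag} {sa.alg} "{sa.key}" ;'


def spd_lines(host, plan):
    """Outbound SPD entries for one host: for every peer it sends to, require
    each protocol it has an outbound SA for. In transport mode the src-dst
    field of a policy may be left empty, as HOST B's policy does."""
    peers = {}
    for sa in plan:
        if sa.src == host:
            peers.setdefault(sa.dst, set()).add(sa.proto)
    lines = []
    for dst, protos in peers.items():
        rules = " ".join(f"{p}/transport//require" for p in sorted(protos, key=SPD_ORDER.get))
        lines.append(f"spdadd {host} {dst} any -P out ipsec {rules} ;")
    return lines


def setkey_script(host, plan):
    """Complete 'setkey -c' input for one host. The SAs are installed on both
    ends; only the outbound policy differs per host."""
    problems = validate(plan)
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join([setkey_add(sa) for sa in plan] + spd_lines(host, plan))


if __name__ == "__main__":
    for host in (HOST_A, HOST_B):
        print(f"# setkey -c   (at {host})")
        print(setkey_script(host, PLAN))
    # A plan that breaks both rules: reserved SPI and a short key.
    print(validate([SA(HOST_A, HOST_B, "ah", 100, "keyed-md5", "short")]))
```

Feeding the output of setkey_script to "setkey -c" installs the same SAD and SPD entries the section builds by hand below; a plan that fails validate() never reaches the kernel.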


             (1)
    HOST A ------> HOST B

    (1)PROTO=AH
       ALG=MD5(RFC1826)
       KEY=MYSECRETMYSECRET
       SPI=1000

             (2.1)
    HOST A <------ HOST B
           <------
             (2.2)

    (2.1)
       PROTO=AH
       ALG=new-HMAC-SHA1(new AH)
       KEY=KAMEKAMEKAMEKAMEKAME
       SPI=2000

    (2.2)
       PROTO=ESP
       ALG=new-DES-expIV(new ESP)
       IV length = 8
       KEY=PASSWORD
       SPI=3000

Now, let us set up the security associations. Execute "setkey" on both HOST
A and B:

# setkey -c
add 10.2.3.4 10.6.7.8 ah 1000 -m transport -A keyed-md5 "MYSECRETMYSECRET" ;
add 10.6.7.8 10.2.3.4 ah 2000 -m transport -A hmac-sha1 "KAMEKAMEKAMEKAMEKAME" ;
add 10.6.7.8 10.2.3.4 esp 3000 -m transport -E des-cbc "PASSWORD" ;
^D

Note that no IPsec processing takes place until security policy
entries are defined as well; the SAs alone do nothing. The policy is
different on each host, so you must set up each host separately.

At A:
# setkey -c
spdadd 10.2.3.4 10.6.7.8 any -P out ipsec
	ah/transport/10.2.3.4-10.6.7.8/require ;
^D

At B:
# setkey -c
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
	esp/transport//require
	ah/transport//require ;
^D

Afterwards, "setkey -D" dumps the SAD and "setkey -DP" dumps the SPD;
check that both hosts show the same three SAs and that each host's
outbound policy only names protocols it has an outbound SA for.

To utilize the security associations installed into the kernel, you
must set the socket security level by using setsockopt().
This is per-application (or per-socket) security. For example,
the "ping" command has the -P option, whose parameter enables AH and/or ESP.

For example:
% ping -P "out ipsec \
	ah/transport//use \
	esp/tunnel/10.0.1.1-10.0.1.2/require" 10.0.2.2

If there are proper SAs, this policy specification causes the ICMP packets
to be protected by AH in transport mode inside ESP in tunnel mode, like below.

    HOST C -----------> GATEWAY D ----------> HOST E
    10.0.1.1            10.0.1.2  10.0.2.1    10.0.2.2
       |                   |      |              |
       | ======= ESP =======      |              |
       ==================== AH ===================


<<<EDNS0>>>

EDNS0 is defined in RFC2671. With EDNS0, the resolver library can tell the
DNS server its receive buffer size, permitting the DNS server to transmit a
large reply packet. EDNS0 is necessary to take advantage of the larger
minimum MTU in IPv6. KAME libinet6 includes resolver side support for EDNS0.
Server side support for EDNS0 is included in ISC BIND9.

                  query packet with EDNS0
                  tells receive buffer size
KAME box -----------------------------> BIND9 DNS server
KAME box <----------------------------- BIND9 DNS server
                  can transmit jumbo reply, since DNS server
                  knows receive buffer size of KAME box

How to play with it:
- prepare a KAME box and a BIND9 DNS server (they can be the same node)
- add the following to /etc/resolv.conf on the KAME box:
	options edns0		<--- enables EDNS0
	nameserver <IPv4 or v6 address of BIND9 box>
- run applications compiled with libinet6 (like /usr/local/v6/bin/telnet),
  and see the EDNS0 packet fly on the wire with tcpdump or some other method.
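What actually flies on the wire in that exchange is an OPT pseudo-RR in the additional section of the query. The following is an added example, not KAME code: it builds such a query by hand, with the receive buffer size in the OPT record's CLASS field as RFC 2671 specifies, and parses the size back out the way a server does. It also builds the plain, pre-EDNS0 query for comparison. The query name, transaction id and the 4096-byte size are placeholders; the page does not state the value KAME's resolver advertises.

```python
# Added example, not KAME code: the EDNS0 OPT pseudo-RR (RFC 2671) that
# carries the resolver's receive buffer size, built and parsed by hand.
import struct

TYPE_OPT = 41
TYPE_AAAA = 28
CLASS_IN = 1


def encode_name(name):
    """Wire-format domain name: length-prefixed labels ending in a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_AAAA, txid=0x1234, udp_payload_size=4096):
    """A recursive query with one OPT RR in the additional section.
    udp_payload_size is what the text calls the receive buffer size (4096
    is a placeholder, not a value taken from KAME). Pass None to get the
    pre-EDNS0 query that a BIND 4/8-era client would send."""
    arcount = 0 if udp_payload_size is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if udp_payload_size is None:
        return header + question
    # OPT RR: NAME is the root (a single 0 byte), TYPE 41, CLASS carries the
    # UDP payload size, TTL carries extended RCODE/version/flags (all 0
    # here), RDLENGTH 0 because no options are attached.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, 0, 0)
    return header + question + opt


def _skip_name(buf, off):
    """Advance past a name, including a compression pointer (RFC 1035)."""
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n


def advertised_payload_size(packet):
    """What the server learns from the query: the OPT CLASS field, or None
    when the client sent no EDNS0 (so the reply must fit in 512 bytes)."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", packet[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(packet, off) + 4          # skip QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(packet, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass
        off += 10 + rdlen
    return None


if __name__ == "__main__":
    q = build_query("www.kame.net")
    print(len(q), "bytes, advertises", advertised_payload_size(q))            # 41 bytes, advertises 4096
    legacy = build_query("www.kame.net", udp_payload_size=None)
    print(len(legacy), "bytes, advertises", advertised_payload_size(legacy))  # 30 bytes, advertises None
```

The only difference between the two queries is the 11-byte OPT record; a server that does not understand it is what the first caveat below is about.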

Caveats:
- A BIND 4/8 DNS server will choke on the EDNS0 packet, so you must not
  turn the option on if you have a BIND 4/8 DNS server. If you enable
  "options edns0" against a BIND 4/8 DNS server, you will never be able
  to resolve names.
- If you use IPv6 UDP as the DNS transport, path MTU discovery may
  affect the traffic. The KAME box tries to fragment packets to 1280
  bytes; however, BIND9 may not.
- Some of our platforms do not use our extended resolver code in libinet6.
  See COVERAGE for details.


<<<Further readings>>>

http://www.netbsd.org/Documentation/network/ipv6/
	Even if you are on a non-NetBSD operating system, the URL should be
	useful.
http://www.kame.net/

				<end of USAGE>