***: ziyourenxiang has joined #arpnetworks
jdoe: vsftpd, but I'd recommend not using ftp at all if you can avoid it.
RandalSchwartz: sftp ftw
jdoe: ^^^
RandalSchwartz: ftp wtf. :)
jdoe: haha.
^^^ again.
RandalSchwartz: and ftp requires complex firewall rules
jdoe: hrm... I wonder if a rewrite with POE is a better alternative to Net::Server::Multiplex
RandalSchwartz: what protocol?
jdoe: tcp
RandalSchwartz: yes... above that?
you doing http?
jdoe: naw, proprietary protocol
plaintext though, delimited by \n
***: ziyourenxiang has quit IRC (Quit: ziyourenxiang)
cedwards has joined #arpnetworks
viq has joined #arpnetworks
cedwards: anyone care to handle an ipv6 question?
jdoe: might as well ask, you never know.
cedwards: I've only played with ipv6 in a lab environment, and I've not yet done anything with my allotment here.
jdoe: so what's the problem?
cedwards: sorry, got sidetracked by my kids.
my current ipv6 config for my arp box is: 2607:f2f8:46c0::3 prefixlen 48
what does that translate to? how many addresses is that?
or, I guess that is just a single IP/48
(again, really new to ipv6)
toddf_: typical IPV6 allocation goes like this
cedwards: so if I wanted to add AAAA records to BIND, I would add '2607:f2f8:46c0::3'
toddf_: /32 = 65535 /48's (allocated to isp's like arpnetworks)
/48 = 65535 /64's (allocated to individual customers, arp is gracious enough to consider a vm customer a `customer')
/64 = 2^64 IPv6 IP's on an ethernet subnet (typical allocation for an ethernet subnet)
forward/reverse uses the full nibbles in hex
cedwards: 18446744073709551616. WAY more than you'll ever use :)
toddf_: 3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.6.4.8.f.2.f.7.0.6.2.ip6.arpa IN PTR yourhostname.example.com
there are 128 bits total, so take the cidr bitmask and subtract that from 128 to get the power to raise to 2 for the # of addresses in the allocation
so 2^(128-32) = 79228162514264337593543950336 IP's for arp to dish out
cedwards: and 2^(128-48) for each of us?
dxtr: yep
-: cedwards 's mind is blown
dxtr: Think of the possibilites!
possibilities!
With that many IP addresses I'll never have to use the same IP twice!
cedwards: dxtr: it's like the number of excuses you had against actually reading your books for your reports!
dxtr: cedwards: I've only done one so far
Just started on the second one :P
I intended to do them yesterday. But lots of beer got in my way
cedwards: while that is a mind-blowingly large number, what is the practical application to a VPS customer?
dxtr: Of all these IPs?
Or ipv6 in general?
cedwards: ie; I've got two boxes with ARP, and each has a few jails. In that case I'd use, what, a half-dozen of my gazillion IPs?
dxtr: Kind of :D
There's no real practical use for all these IPs
A /96 would be like... 4294967296 addresses
As in today's entire address space :P
toddf_: just keep in mind things like auto configuration (rtadvd/rtsol) work only with /64 on the wire
personally I use one /64 at arpnetworks and plan to tunnel the other 65534 /64's to remote systems
dxtr: How does one do that?
toddf_: depends on the os in general
dxtr: fbsd..?
toddf_: step 1 involves requesting that arpnetworks presents a /64 to the network and routes the rest of the /48 to your vm
I'm an OpenBSD junkie/dev/etc
dxtr: Right
Presents a /64 to the network?
toddf_: aka he needs to do 'ifconfig vlanX inet6 alias delete <yournetwork>' 'ifconfig vlanX inet6 alias <yournetwork> prefixlen 64'
then save that in /etc/hostname.vlanX for your net on his openbsd v6 router *grin*
cedwards: so, easing into things here, if I want to assign ipv6 addresses to each of my jails (currently configured on lo1) I'd do:
ifconfig_lo1_alias0="inet6 foo prefixlen bar" ?
toddf_: I'm no freebsd expert but whatever prefixlen arp has for their router you need to match that on your 'prefixlen' option otherwise the default gateway won't be reachable
cedwards: my current config is:
ipv6_enable="YES"
ipv6_defaultrouter="2607:f2f8:46c0::1"
ipv6_ifconfig_em0="2607:f2f8:46c0::3 prefixlen 48"
my other box is 2607:f2f8:4603::2 prefixlen 48. I'm assuming at this point I can start assigning ::4, ::5, ::6?
toddf_: you can address 2607:f2f8:f6c0:: , 2607:f2f8:f6c0::2 - 2607:f2f8:f6c0:ffff:ffff:ffff:ffff:ffff on your vm's / jails / etc
cedwards: (note: I've not been able to actually test this as I can't get tunneling to work at home)
toddf_: I don't note that either ::2 or ::3 responds to a ping
do you have a 'block all' on your firewall by chance?
note that v6 uses multicast which can be blocked by pf for its mac address resolution (called `ndp')
cedwards: I have 'block in all log'
dxtr: Yay! I got an A in my programming course :)
toddf_: # block in log
# XXX the next 5 lines are required as opposed to the above one
# because v6 fragments are not handled by pf
block in log inet
block in log inet6 proto udp
block in log inet6 proto tcp
block in log inet6 proto icmp6
block in log inet6 proto esp
block in log inet6 proto ipv6
pass in inet6 proto icmp6 from { fe80::/16 (egress:network) } icmp6-type { echorep fqdnrep }
pass in inet6 proto icmp6 icmp6-type { neighbradv routeradv neighbrsol }
pass in inet6 proto icmp6 icmp6-type { echoreq fqdnreq }
that should let v6 work
dxtr: toddf_: My home firewall is running openbsd btw +o
o
toddf_: o/
|
/
cedwards: toddf_: I added those lines. It should be pingable now?
bah
dxtr: Gaga
Hahah
toddf_: what do you see on pflog0 and on your external interface, I still can't ping6 it
'tcpdump ... -i em0 ip6' saves you the v4 deluge
dxtr: I'm thinking about upgrading it to 4.7
toddf_: this works on many releases not just 4.7 but there are other reasons to upgrade if you can
dxtr: "this" as in..?
toddf_: I've got a mailserver with a postgresql database i must upgrade that took 16h to dump and restore last time, will have to halt mail during that time, trying to find a way around that .. ;-)
`this' as in the above v6 stuff, sorry confused you with cedwards momentarily
dxtr: I've got v6 up and running on it
toddf_: so I can't just upgrade .. must plan
cedwards: toddf_: I see this in tcpdump when I ping from my second box:
13:07:02.154906 IP6 2607:f2f8:46c0::2 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has 2607:f2f8:46c0::3, length 32
***: toddf_ is now known as toddf
cedwards: the ping doesn't show success on the source
-: viq waves to toddf ;)
***: ChanServ sets mode: +o toddf
-: toddf waves to viq
cedwards: .. the only ipv6 addresses I can ping are my locally assigned ones. I can't even ping the defaultrouter address.
toddf: that would be a problem
doublecheck your ips are right
cedwards: unless i'm doing it wrong(tm)
toddf: ping6 -n -w ff02::2%em0
that should show your router ip
the %em0 == linklocal
cedwards: my second box tcpdump shows this when I run that: 13:13:48.580637 IP6 fe80::5054:ff:fe27:2374 > ff02::2: ICMP6, who-are-you request node information query (DNS name, subject=ff02::2), length 32
toddf: note routers should be linklocal not global, the global happens to work but is a .. way advocated by vendors who do not know better imho
the ff02::2 should respond with any routers with v6
the ff02::1 should respond with any nodes with v6
take out the -w for all non kame based nodes, aka linux and cisco on the same link
(kame is the group that engineered the bsd v6 stack, basically)
cedwards: with that I see this on my tcpdump: 13:16:36.984632 IP6 fe80::5054:ff:fe27:2374 > ff02::2: ICMP6, echo request, seq 3, length 16
toddf: no response from my vm:
$ ping6 -n -w ff02::1%em0
PING6(72=40+8+24 bytes) fe80::5054:ff:fe27:2122%em0 --> ff02::1%em0
40 bytes from fe80::5054:ff:fe27:2122%em0: 0.v.freedaemon.com.
44 bytes from fe80::5054:ff:fe27:9007%em0: s3.lax.arpnetworks.com.
40 bytes from fe80::5054:ff:fe27:2122%em0: 0.v.freedaemon.com.
44 bytes from fe80::5054:ff:fe27:9007%em0: s3.lax.arpnetworks.com.
^C
--- ff02::1%em0 ping6 statistics ---
2 packets transmitted, 2 packets received, +2 duplicates, 0.0% packet loss
$ ping6 -n -w ff02::2%em0
PING6(72=40+8+24 bytes) fe80::5054:ff:fe27:2122%em0 --> ff02::2%em0
^C
--- ff02::2%em0 ping6 statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss
on the ff02::2, interesting trick arp is doing
$ netstat -nr -f inet6 | grep default
default fe80::5054:ff:fe27:9007%em0 UGS 12 2247695 - 8 em0
do you get anything in pflog0 or on the ff02::1%em0 ping besides your hosts?
cedwards: [root@stringer ~]# ping6 -n ff02::2%em0
PING6(56=40+8+8 bytes) fe80::5054:ff:fe27:2374%em0 --> ff02::2%em0
^C
nothing ever comes back from that.
::1 responds
-: cedwards is thinking he doesn't have things configured properly, but it might have to wait.
toddf: what do you get from ::1 ?
I noted above even on my own vm ::2 doesn't respond either
it should, I suspect over zealous firewalling at the router
since routers respond if forwarding is enabled, which it is, i know, my packets get through ;-)
cedwards: ping responds at ::1 from either host.
using ping6 -n ff02::1%em0
if I add the -w it responds, and with my own hostname.
is ff02::1 equivalent to 127.0.0.1?
and the % specifies the interface to use?
toddf: ff02::/8 is multicast
::1 all by itself is equiv of 127.0.0.1
cedwards: i find i can't ping ipv6.google.com anymore either. i swore i did that before.
toddf: % specifies the interface for link local
dxtr: beer + study o
***: nerdd has joined #arpnetworks
nerdd_ has quit IRC (Ping timeout: 264 seconds)
cedwards: I'm trying to configure my FreeBSD jail to use MSP instead of a full MTA, but it seems to be ignoring my /etc/aliases. Is that to be expected?
***: cedwards has quit IRC (Changing host)
cedwards has joined #arpnetworks
AndrewBC has quit IRC (Ping timeout: 240 seconds)
AndrewBC has joined #arpnetworks
ziyourenxiang has joined #arpnetworks
cmeiklejohn has joined #arpnetworks
cmeiklejohn has quit IRC (Changing host)
cmeiklejohn has joined #arpnetworks
heavysixer has quit IRC (Quit: heavysixer)
ziyourenxiang has quit IRC (Quit: ziyourenxiang)
boogeyman has joined #arpnetworks
hsbt has quit IRC (Ping timeout: 248 seconds)
hsbt has joined #arpnetworks
boogeyman has quit IRC (Ping timeout: 265 seconds)