Build an IPv6 test environment on the Linux platform and IPv4 Environment

Source: Internet
Author: User
Tags openssl x509

Original link http://www.ibm.com/developerworks/cn/linux/l-cn-ipv6env/

 

Build an IPv6 test environment on the Linux platform and IPv4 Environment

 

Jiang yingyu
, Software engineer, EMC Jiang Ying Yu, IBM software engineer, engaged in uxspi-related software R & D and testing Yin yiming
Yinym@cn.ibm.com
), Software engineer, EMC Yin yiming, IBM software engineer, engaged in uxspi-related software R & D and Testing

Introduction:
With the development of Internet technology, the traditional IPv4 address cannot meet the needs of users.
The next generation of IPv6 protocol is also widely accepted and used. More and more software systems require support for IPv6 network protocols. However, the existing network environment for IPv6
The support is still very limited, which brings some difficulties to software development and testing. This article describes how to use Apache to build a simulated IPv6 in an existing IPv4 network.
Environment.

Label of this article:
Internet _ Technology
, Network

 

Build an IPv6 test environment on the Linux platform and IPv4 Environment

Back to Top

1 IPv6 Introduction

IPv6 (Internet Protocol version 6) is an upgraded version of IPv4. It is installed on devices and
Operation
System. The most direct answer to why IPv6 is needed is that IPv4, which is widely used, cannot provide enough IP addresses to meet the needs of rapidly growing networks. IPv4
32-bit address length, with only about 4.3 billion addresses, will soon be allocated. IPv6
The address length is 128 bits, and the address can be provided almost without restrictions. Of course, expanding the address space is only one of the most important advantages of IPv6. In addition, IPv6
It also improves the overall network throughput and service quality (QOS ).
), Better security, support for plug-and-play and mobility, and better implement multicast functions.

Since the establishment of the IPng Working Group in 1992, it has experienced more than a decade of development. Although IPv6 is still at the same level as IPv4, more and more support is available.
IPv6 devices are in use, and more software systems are beginning to support IPv6. IPv6 now provides DNS, web, email, FTP, and telnet
And other basic services. Windows, sun, apple, and other operating systems have or are about to support IPv6. IBM has been committed to IPv6
As early as 1997, IBM released AIX Supporting IPv6. Now DB2, Lotus, rational, Tivoli and
WebSphere is also gradually supporting IPv6 applications.

Back to Top

2. Simulate an IPv6 network in an IPv4 Environment

As described in the previous section, many software related to network applications have been added to IPv6 support, and a large number of software is currently in
Supported development stages. However, in terms of development, many development environments do not
It provides good support, especially when the developed applications need to go through older routes or even public networks. If you want to upgrade network devices to support the development environment, it will be a great deal of money, sometimes even unrealistic.
For example, you can upgrade the public network to support IPv6 ).

It is particularly important to study how to model the IPv6 environment in the existing IPv4 network environment so that the development and testing work can proceed smoothly. The following describes how to simulate the HTTP/HTTPS network development and testing environment of IPv6 through the Apache server on the Linux platform.

2.1 IPv6 network requirements and existing network environment

Figure 1 shows a typical HTTP network application. If IPv6 support is required for such a network application, developers and testers may encounter the following three situations:

The client and server run in the same LAN, 1-A

The client and server run in the same Intranet, and the network path between them needs to be routed, 1-B

The client and server are in different regions, and they are connected by the Internet, 1-C.

Figure 1. Three Typical HTTP network applications


In these three different situations, the IPv6 network environment requirements are different. In Case 1, only the operating system running on the client and server supports IPv6.
If you need to provide a global address for communication, you can run a software ipv6 route on a machine in the LAN.
Development and testing are relatively simple. In Case 2, because the routes between the client and the server run on the IP layer, all the routers that pass through the network must support IPv6.
This may be a major challenge because many intranet environments do not provide IPv6-supported routes. In case 3, the Internet is required to provide
IPv6 support. In the short term, it is unlikely that the Internet provides comprehensive IPv6 support.

Therefore, in circumstances 2 and 3, network hardware support will become the biggest obstacle for development and testing of network applications supporting IPv6, in section 2.2, we will show how to use the existing IPv4 network to develop and test IPv6 applications. At the same time, we will ensure that IPv6 applications run normally in a real IPv6 environment.

2.2 simulate an IPv6 environment using an existing IPv4 network

2.2.1 basic principles of simulated environment construction

Figure 2
-Figure 3
The diagram of the IPv6 simulation environment is displayed. There are two situations, but the specific configuration is similar.
Pair
The block diagram of the IPv6 application on the Development client is shown in Figure 2. The block diagram of the IPv6 application on the Development Server is shown in figure 3.
. The basic principle is to use the proxy technology
The client or server that is blocked by the network is mapped to the proxy server located in the same LAN, so that the "client" and "server" can implement IPv6-based network communication. In Figure 2
, We need the proxy server and the client to run in the same LAN, in the client's view, this proxy server is an IPv6
The "server" with support capabilities can be developed and tested on the client even if the real server does not support IPv6. In
In Figure 3, we need a machine and the server to run in the same LAN. In the Server View, this proxy server is a "client" with IPv6 support ".

Figure 2. Use a proxy to map the server to the same LAN as the client


Figure 3. Use a proxy to map the client to the same LAN as the server


The following uses the IPv6 environment of the client as an example to describe the entire Build Process of the simulated environment.

2.2.2 environment Establishment

Operating System Platform: Linux. The kernel must support IPv6. The best version is 2.6 or later,

Redhat Enterprise Linux 5 or SuSE Linux Enterprise Server 10 is recommended

Software: radvd (Router Advertisement Daemon ),
This is a software running on Linux platform that provides IPv6 routing configuration information. It can replace IPv6 Routing for automatic Stateless Address Configuration.

Apache, which is currently the most widely used Web server and requires a version later than 2.0

OpenSSL is a encryption and decryption toolkit that runs on the Linux platform to implement the SSL v2/V3 protocol.

2.2.3 start radvd

IPv6 addresses are obtained in different ways than IPv4 addresses. In IPv4, the Host IP address must be automatically configured by DHCP
This is called statefulautoconfiguration. in IPv6
Statelessautoconfiguration is also introduced in V6 ). This new technology does not require DHCP server support, all support
Each IPv6 router listens to the automatic configuration request packets sent by each host. The IPv6 router replies to these request packets, which contains the prefix of some IPv6 addresses.
) Information. After receiving such a package, the host can generate its own IPv6 address based on some existing information (such as the MAC address.

This article simulates the IPv6 environment in the existing IPv4 network environment. There is no physical IPv6 router, but the radvd on the Linux platform does not exist.
The tool can also simulate stateless automatic configuration. It can also listen to and respond to automatic configuration requests sent by IPv6 hosts in the LAN, so that these hosts can obtain their own IPv6
And use these addresses to communicate with each other. The client in figure X communicates with the proxy server in this way.

Here, the radvd-0.9-13.2 on the sles10 platform is used as an example to illustrate the configuration and Startup Process of radvd.

  1. Find the radvd-0.9-13.2.i586.rpm from the sles10 installation disc for Installation
           # rpm -ivh radvd-0.9-13.2.i586.rpm

  1. Configure the IPv6 address of the host running radvd

    # IP a 2002: 9ba: b4e: 6: 1/64 Dev ethx

    # Ip r a 2002: 9ba: b4e: 6:/64 Dev ethx

Ethx indicates the NIC device that the host listens to lan packets.

  1. After radvd is installed, the configuration file is located in/etc/radvd. conf. Add the configuration information to this file.
interface ethX
{
AdvSendAdvert on;
MinRtrAdvInterval 5;
MaxRtrAdvInterval 10;
AdvDefaultPreference low;

prefix 2002:9ba:b4e:6::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
};
};

Same as above, ethx indicates the NIC device that the host listens to lan packets. The prefix field indicates

Configure the IPv6 address prefix for the local network.

  1. Make sure that the system has enabled the IPv6 packet forwarding function.

    # Sysctl-W net. ipv6.conf. All. Forwarding = 1

  1. Start radvd

    #/Etc/init. d/radvd start

After radvd is started successfully, you can see that there is a radvd daemon in the system through the ps command.
The process is running. If you run the ifconfig command on other hosts in the LAN, you can see that these hosts have automatically configured the IPv6 address, its prefix (prefix
) Is consistent with the value in the radvd configuration file.

2.2.4 configure the Apache server

The Apache server is the core part of the entire simulated IPv6 environment. It listens to packets from IPv6 network connections and passes them through IPv4
The network is forwarded to the server. The mod_proxy module of the Apache server is used here. I believe the forward proxy provided by this module
Functions are well known and widely used. This module also provides the reverse proxy function, which is used in this article to implement the forwarding function. Run
The Apache server of reverse proxy is an actual Web server for the client.
The client obtains and uploads all data from the server. The configuration method is described as follows.

Apache servers have been installed on most Linux platforms. For platforms that have already installed Apache servers, you must ensure their support.
And the mod_proxy and mod_ssl modules are loaded. Of course, you can also compile a new Apache server from the Apache source code.

First, you need to determine the IPv6 address for the Apache server to listen to. Generally, the following is shown in httpd. conf:

    Listen 80

This indicates that the Apache server listens to all host addresses, including IPv6 addresses. If the original Apache server is configured with some specific listening addresses, make sure these addresses contain the IPv6 addresses used by the proxy server to communicate with the client.

For the proxy server configuration, use the proxypass In the mod_proxy module of the Apache server to add the following configuration statement to the Apache configuration file.

NameVirtualHost *:80

<VirtualHost *:80>
ServerAdmin webmaster@dummy-host.example.com
ServerName ipv6-server-proxy
ProxyRequests off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /request http://www.server.com/request
ErrorLog "logs/proxypass-error_log"
CustomLog "logs/proxypass-access_log" common
</VirtualHost>

The proxypass directive indicates that all accesses to the/request directory of the Apache server will be forwarded
Http://www.server.com/request. If the IPv6 of the Apache server
If the address is 2002: 9ba: b4e: 6: 3

http://[2002:9ba:b4e:6::3]/request

The actual data obtained will come from

http://www.server.com/request

In this way, in the client's view, the server that communicates with it is a server that supports IPv6, but in fact the Apache proxy maps the remote server to the local IPv6 network. In this environment, the client can develop and test its own IPv6 support, without considering the server support for this Protocol.

The location of the preceding statement is determined by the structure of the configuration file of Apache. Currently, many versions of Apache use multiple configuration files, that is, one master configuration file.
Httpd. conf to include other sub-item configuration files, such as httpd-vhosts.conf, httpd-ssl.conf
File, instead of writing all the configuration information in the httpd. conf file. It is recommended to write the above configuration statement into the httpd-vhosts.conf here
File, and then add the following file to the main configuration file httpd. conf.

Include httpd-vhosts.conf

Here the default httpd-vhosts.conf is in the same directory as httpd. conf, and in most cases the relative path to add the httpd-vhosts.conf.

For applications that require HTTPS connection, the configuration of their Apache server is different. For more information, see section 2.2.5.

After the configuration, you can start/restart the Apache server to make the configuration take effect.

# /etc/init.d/httpd restart

2.2.5 use OpenSSL to generate authentication information required for HTTPS connections

Because the Apache server running reverse proxy is an actual Web server on the client
During connection, the client needs to verify the validity of its SSL signature. In this way, we need to add SSL authentication information to the configured Apache server to ensure that
HTTPS applications can run normally.

Self-Signed SSL authentication file generation

First, generate the root certificate file ca. CRT

# openssl genrsa -des3 -out ca.key 4096
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt

The first step is to generate a key file for the root certificate. The system will require you to enter pass phase,
Write down the entered password, which will be used multiple times later. The second step uses this key.
File to generate the root certificate. During this step, the system will require you to enter a lot of information about the root certificate. It is worth noting that the common name (CN) is entered in this step.
The value should be different from the value entered when the server certificate is generated in the next step.

Then, generate the Server Certificate Signing Request file server. CSR, which is similar to generating the root certificate file.

# openssl genrsa -des3 -out server.key 4096
# openssl req -new -key server.key -out server.csr

Similarly, in step 2, a series of server information is required. The common name (CN) here should be the same as the address used by the client to access the server. For example:

Clients use http://proxyhost.com/
When accessing this server, the CN here should be proxyhost.com

The client uses http: // [2002: 9ba: b4e: 6: 3]/
When accessing this server, the CN here should be [2002: 9ba: b4e: 6: 3]

Why do they need to be the same? The HTTPS connection program of the client verifies the validity of the certificate provided by the server. If the CN in the certificate is different from the host name accessed by the actual client, the client will throw an invalid_cn error.

Finally, use the generated root certificate file ca. CRT to sign the (sign) server certificate signature request server. CSR.

# openssl x509 -req -days 365 -in server.csr -CA ca.crt /
-CAkey ca.key -set_serial 01 -out server.crt

Add the four Certificate-related files (ca. CRT, CA. key, server. CRT, server. key) then, the path and configuration information of these files will be added to the Apache configuration file.

Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLPassPhraseDialog builtin

SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300

SSLMutex "file:logs/ssl_mutex"

NameVirtualHost *:443
<VirtualHost *:443>

DocumentRoot "apache2/htdocs"
ServerName ipv6-server-proxy
ServerAdmin you@example.com
ErrorLog "ssl-error_log"
TransferLog "ssl-access_log"

SSLEngine on

SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

SSLCertificateFile "server.crt"

SSLCertificateKeyFile "server.key"

<Directory "/usr/local/apache2/cgi-bin">
SSLOptions +StdEnvVars
</Directory>

BrowserMatch ".*MSIE.*" /
nokeepalive ssl-unclean-shutdown /
downgrade-1.0 force-response-1.0

CustomLog "logs/ssl_request_log" /
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x /"%r/" %b"
SSLProxyEngine on
ProxyRequests off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /request http://www.server.com/request

</VirtualHost>

Here proxypass is used again to create a proxy service.

As described in section 2.2.4 above, it is recommended that you write the configuration information to the httpd-ssl.conf and add the following line to httpd. conf to include it.

Include httpd-ssl.conf

After the configuration is complete, you can start/restart the Apache server to make the configuration take effect.

# /etc/init.d/httpd restart

Client HTTPS connection considerations

Because self-signed authentication is used to generate authentication files for the server, the client uses https
When you connect to the proxy server, an authentication error occurs. In this case, you need to add the certificate generated here to the trusted site list of the client. The specific addition method varies depending on the system used. Just
For ie on Windows, you can add the ca. CRT and server. CRT files generated above to IE
This will affect all programs that use the wininet library provided by IE for HTTP application development.

2.2.6 DNS considerations

In network applications, a client generally uses a domain name to access the server. In the IPv6 testing environment, IPv6 addresses must be used for access.
For a certain domain name, return its IPv6 address. Currently, you can use BIND 9 on the Linux platform to build such a DNS
Server. However, the configuration is relatively complex and you can use a relatively simple method. That is, the hosts supported by both Linux and Windows Platforms
File to pair the domain name with its corresponding IPv6 address. Add some IPv6 address configuration information to the corresponding hosts file of the client.

On the Linux platform, the hosts file is generally located in/etc/hosts. Add the following line to the file:

           2002:9ba:b4e:6::3    www.someipv6site.com

In this way, www.somew.6site.com is specified.
The IPv6 address of is 2002: 9ba: b4e: 6: 3. On Windows, the hosts file is located at % WINDIR %/system32/Drivers/etc/hosts, which is in the same format as on Linux.

2.3 IPv6 and IPv4 hybrid environment compatibility test

The transition from IPv4 to IPv6 is a long and complex process and cannot be fully converted in a short period of time. Therefore, in the product development and testing process, apart from considering IPv6
Communication in the network also needs to fully consider the hybrid environment of the IPv6 network and IPv4 network that may occur in the real network environment. This requires testing the compatibility of applications in this environment.
This section describes some situations that need to be simulated.

To simulate the following three network conditions, you must first
In the LAN environment, select a machine as the Routing Server and configure it according to section 2.2.3. In this way, the route is connected to the same switch.
An IPv6 address is automatically assigned to all computers on the instance. If the IPv6 address is still not obtained, disable the firewall on the computer and the Routing Server. Then follow 2.2.4
Select a computer as proxypass as the description in the Section.

2.3.1 both the client and server run in the IPv6 Network Environment

In this case, the verification is relatively simple. You only need to set the server address as the IPv6 address of proxypass configured earlier on the client to realize the interaction between the client and the server IPv6 to IPv6. This is what is described in section 2.2.

Figure 4. Both the client and server run in the IPv6 Network Environment

Figure 4. Both the client and server run in the IPv6 Network Environment


2.3.2 The client runs on IPv6
Network. The server runs on an IPv4 network.

When the client and server are in the IPv6 and IPv4 environments, you need to add a proxy in the LAN environment)
As a bridge between the two, the proxy and the above Routing Server are located in the same network, so it also has the IPv6 address and IPv4
. The destination server address set by the client is an IPv4 address, and the proxy address is the IPv6 address of the proxy.
The Protocol communicates with the proxy directly, and the proxy accepts the IPv4 format server address set by the client, then interacts with the server through the IPv4 protocol, thus simulating
IPv6 network while the server is in IPv4 network.

Figure 5 the client runs on the IPv6 network and the server runs on the IPv4 network

Figure 5. The client runs on the IPv6 network and the server runs on the IPv4 network


2.3.3 clients run on IPv4 networks and servers run on IPv6 Networks

To simulate the interaction between a client in an IPv4 network and a server in an IPv6 network, you must use proxy and proxypass.
To build the environment. The client sets the IPv6 address of proxypass to the address of the server, and sets the IPv4 address of the proxy
In this way, the client and the proxy communicate through the IPv4 protocol. The proxy obtains the IPv6 protocol proxypass configured on the client.
The address is then used to interact with proxypass through the IPv6 protocol. Proxypass
The Protocol is sent to the server in the IPv4 network for processing. In this way, the communication between the IPv4 network and the IPv6 network is simulated on the client.

Figure 6 the client runs on an IPv4 network and the server runs on an IPv6 network

Server

Figure 6. Use a proxy to map the client to the same LAN as the server


Back to Top

3. Conclusion

In this article, we use the existing IPv4 network and the Apache server on the Linux platform to simulate IPv6
The purpose of the HTTP/HTTPS network environment is to develop and test network application software for IPv6 under limited hardware resources.
. This technology can also be applied to other network protocols. You only need to use a proxy server similar to the Apache server forwarding technology. Therefore, this technology is universal.


References

  • If you want to learn more about IPv6 as soon as possible, please refer to the article building an IPv6 router with GNU/Linux
    .
  • Chapter 6 IPv6 Internals in FreeBSD development manual
    This section describes the implementation of IPv6 and IPSec.
  • For more information about SSL certificates, see creating Certificate Authorities and self-Signed SSL certificates.
    .
  • In the developerworks Linux Zone
    Find Linux developers (including new Linux beginners)
    For more information, see our most popular articles and tutorials.
    .
  • Learn all Linux tips on developerworks
    And Linux tutorials
    .

Author Profile


Jiang yingyu, a software engineer from IBM, is engaged in the development and testing of uxspi-related software.


Yin yiming, an IBM software engineer, is engaged in the development and testing of uxspi-related software.

 

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.