IPv6 applications for Linux networks


IPv6 (Internet Protocol Version 6) is the next-generation network protocol that replaces IPv4, with many new features and functions. As the next-generation Internet protocol, born of and driven by the IP address crisis, IPv6 has been recognized by all parties; the future development of Internet connectivity is inseparable from support for and deployment of IPv6. The IPv6 and IPv4 protocols differ in both structure and system tools. Linux was the first of all operating systems to support IPv6. This article introduces IPv6 addressing, route settings, firewall settings and security tools in Linux, so that you can move quickly from IPv4 to IPv6 in a Linux network environment.

Setting up the IPv6 protocol

The following describes how to deploy IPv6 in Linux using the example of Mandrake 9.1 Linux.

1. Load the IPv6 module

Compared with Windows systems, Linux provides better IPv6 support; IPv6 can generally be used directly in Linux versions based on the 2.4 kernel. Before using IPv6, check whether the system's IPv6 module is loaded; if it is not, load it manually with the command below, which requires root privileges. Then run ifconfig and confirm from the IPv6 address line (inet6 addr: fe80::200:e8ff:fea0:2586/64) that IPv6 has been loaded.

# modprobe ipv6

# ifconfig

The output includes an inet6 addr line, which shows that the IPv6 address is loaded.

2. Use the ping command to check whether the IPv6 address of the NIC is valid

Unlike IPv4, when using the ping6 command you must specify a NIC interface; otherwise the system does not know which network device to send the packets through. -I indicates the interface, eth0 is the first NIC, -c indicates the count, and 3 means ping6 is run three times. The results are as follows:

# ping6 -I eth0 -c 1 fe80::200:e8ff:fea0:2586

3. Use the ip command

The ip command is a powerful network configuration tool in the iproute2 package; it can replace some traditional network management tools such as ifconfig and route.

(1) Use the ip command to view the IPv6 routing table:

# /sbin/ip -6 route show dev eth0

(2) Add an IPv6 route (here with the traditional route command):

# /sbin/route -A inet6 add 2000::/3 gw 3ffe:ffff:0:f101::1

(3) Use the ip command to inspect IPv6 multicast Neighbor Solicitation

IPv6 Neighbor Discovery takes over the role of IPv4's ARP (Address Resolution Protocol): it lets you obtain information about neighbors on the network and edit or delete entries. Use the ip command to view the neighbor settings (here 00:01:24:45:67:89 is the MAC address at the data link layer of the network device):

# ip -6 neigh show

fe80::201:23ff:fe45:6789 dev eth0 lladdr 00:01:24:45:67:89 router nud reachable
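The neighbor cache output above is what a defender checks when a router entry looks suspicious. The following shell script is an added example, not code from the article: it parses lines in the format shown above (a constructed sample is embedded) and compares the router's link-layer address against a pinned value, which is an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the article): read "ip -6 neigh show" lines on stdin,
# look up one neighbor's link-layer address and NUD state, and compare the
# router's MAC with a pinned, known-good value. The sample below is constructed
# in the article's output format; the pinned MAC is an assumption.

SAMPLE_NEIGH='fe80::201:23ff:fe45:6789 dev eth0 lladdr 00:01:24:45:67:89 router REACHABLE
fe80::2a0:c9ff:fe12:3456 dev eth0 lladdr 00:a0:c9:12:34:56 STALE
fe80::1 dev eth0 FAILED'

# neigh_lladdr ADDR < table -> link-layer address recorded for ADDR, or nothing
neigh_lladdr() {
    awk -v want="$1" '$1 == want {
        for (i = 1; i <= NF; i++) if ($i == "lladdr") { print $(i + 1); exit }
    }'
}

# neigh_state ADDR < table -> NUD state (last field): REACHABLE, STALE, FAILED, ...
neigh_state() {
    awk -v want="$1" '$1 == want { print $NF; exit }'
}

# check_router_mac ADDR EXPECTED_MAC < table
#   ok        the cache agrees with the pinned MAC
#   mismatch  another MAC answers for the router (what ND spoofing looks like)
#   missing   the router is not in the cache or has no lladdr (e.g. FAILED)
check_router_mac() {
    have=$(neigh_lladdr "$1")
    if [ -z "$have" ]; then
        echo missing
    elif [ "$have" = "$2" ]; then
        echo ok
    else
        echo mismatch
    fi
}

# On a real host: ip -6 neigh show dev eth0 | check_router_mac <router> <pinned MAC>
printf '%s\n' "$SAMPLE_NEIGH" | check_router_mac fe80::201:23ff:fe45:6789 00:01:24:45:67:89
```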

Firewall for the Linux IPv6 network environment

Installation:

The key to a firewall based on the Linux 2.4 kernel is iptables. It replaced ipchains of the 2.2 series, which in turn had replaced ipfwadm of the 2.0 series. To use every form of firewall, you need to install iptables.

(1) Download the IPv6 version of iptables. Download link: ftp://ftp.uni-bayreuth.de/pub/linux/arklinux/1.0-0.alpha8.2/i586/iptables-ipv6-1.2.7a-1ark.i586.rpm

(2) Install the firewall:

# rpm -ivh iptables-ipv6-1.2.7a-1ark.i586.rpm

Setting up iptables

Iptables is the IP packet filtering system integrated into mainstream Linux 2.4.x kernels. If a Linux system is connected to the Internet or a LAN, or acts as a server or proxy server between a LAN and the Internet, iptables gives the system fine control over IP packet filtering and firewall settings. The netfilter/iptables packet filtering system is a powerful tool for adding, editing and removing rules; these are the rules the firewall consults when deciding how to filter packets. The rules are stored in a dedicated packet filtering table built into the Linux kernel, where they are grouped into chains. We discuss these rules, how to create them, and how to group them into chains in detail below.

(1) Clear existing rules:

-F: flushes all predefined rules;

-X: deletes all user-defined chains;

-Z: resets the packet and byte counters of all chains to zero.

(2) Establish policies

# ip6tables [-t table] [-P] [INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING] [ACCEPT, DROP] [-p TCP, UDP] [-s IP/network] [--sport ports] [-d IP/network] [--dport ports] -j

Parameter description:

-t: selects a table.

table: the table name.

-P: defines the default policy of a chain.

INPUT: packets addressed to the host;

OUTPUT: packets originating from the host;

FORWARD: packets passing through the host to another destination;

PREROUTING: processing before the routing decision;

POSTROUTING: processing after the routing decision.

TCP: TCP packets;

UDP: UDP packets;

-s: source IP address or network of the packet.

--sport: source port number of the packet.

-d: IP address or network of the destination host.

--dport: port number of the destination host.

ACCEPT: accept the packet.

DROP: drop the packet.

(3) Examples:

1. Allow ICMPv6 packets into the host (so that the host's IPv6 address can be pinged):

# /sbin/ip6tables -A INPUT -i sit+ -p icmpv6 -j ACCEPT

2. Allow ICMPv6 packets out of the host:

# ip6tables -A OUTPUT -o sit+ -p icmpv6 -j ACCEPT

3. Allow SSH traffic from the host 3ffe:ffff:100:1/128:

# ip6tables -A INPUT -i sit+ -p tcp -s 3ffe:ffff:100:1/128 --sport 512:65535 --dport 22 -j ACCEPT

SSH stands for Secure Shell. SSH encrypts all transmitted data, which defeats "man-in-the-middle" attacks and also prevents DNS and IP spoofing. A further advantage is that the transmitted data is compressed, which speeds up transfers. SSH has many uses: it can replace telnet and provide a secure "channel" for ftp, pop and even ppp. SSH listens on port 22; its connections are negotiated using RSA, and once authentication completes all subsequent traffic is encrypted with IDEA. The SSH (Secure Shell) program logs on to a remote host over the network and executes commands. The SSH encrypted tunnel only protects the data in transit, so common sniffing tools cannot read what is sent.
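The three rules above only restrict traffic once the chain policies are DROP, and ICMPv6 must stay open for IPv6 to work at all. The following script is an added example, not the article's own code: it combines the article's rules (tunnel interface sit+, admin host 3ffe:ffff:100:1/128) into a complete host policy; the ip6t wrapper and the DRY_RUN switch are this example's additions.

```shell
#!/bin/sh
# Added example (not from the article): a complete host policy built around the
# three ip6tables rules above. sit+ and 3ffe:ffff:100:1/128 are the article's
# values; the ip6t wrapper and DRY_RUN switch are this example's own additions.
IFACE="${IFACE:-sit+}"
ADMIN_SRC="${ADMIN_SRC:-3ffe:ffff:100:1/128}"
DRY_RUN="${DRY_RUN-1}"   # dry run by default; apply for real (as root) with: DRY_RUN= sh ip6fw.sh

# With DRY_RUN set, print each command instead of running it (no root needed).
ip6t() {
    if [ -n "$DRY_RUN" ]; then
        printf 'ip6tables %s\n' "$*"
    else
        /sbin/ip6tables "$@"
    fi
}

build_ip6tables_rules() {
    ip6t -F            # clear existing rules
    ip6t -X            # delete user-defined chains
    ip6t -Z            # zero the counters
    # Default-deny. The built-in policy is ACCEPT, so the article's ACCEPT
    # rules restrict nothing until the chain policies are switched to DROP.
    ip6t -P INPUT DROP
    ip6t -P FORWARD DROP
    ip6t -P OUTPUT DROP
    ip6t -A INPUT -i lo -j ACCEPT
    ip6t -A OUTPUT -o lo -j ACCEPT
    # ICMPv6 carries Neighbor Discovery and Router Advertisements; dropping it
    # leaves the host unable to resolve neighbors or find its router.
    ip6t -A INPUT -i "$IFACE" -p icmpv6 -j ACCEPT
    ip6t -A OUTPUT -o "$IFACE" -p icmpv6 -j ACCEPT
    # SSH only from the management host, from ephemeral source ports, plus the
    # matching replies (no connection tracking assumed, as on a 2.4 kernel).
    ip6t -A INPUT -i "$IFACE" -p tcp -s "$ADMIN_SRC" --sport 512:65535 --dport 22 -j ACCEPT
    ip6t -A OUTPUT -o "$IFACE" -p tcp -d "$ADMIN_SRC" --sport 22 --dport 512:65535 -j ACCEPT
}

build_ip6tables_rules
```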

Security tools for IPv6 networks

Nmap is developed and maintained by Fyodor and released under the GNU General Public License (GPL); it can be downloaded free of charge from www.insecure.org/nmap. Nmap is an excellent port scanner that runs against a single host or a large network. It is fast, stealthy, and can bypass firewalls, and it supports multiple protocols such as TCP, UDP and ICMP. Nmap also has many performance and reliability features, such as dynamic delay calculation, retransmission of timed-out packets, parallel port scanning, and detecting whether a host is down using parallel pings. It now supports IPv6. Download link: http://gd.tuwien.ac.at/infosys/security/nmap/nmap-3.48.tgz

The nmap installation and compilation process is as follows:

# tar zxvf nmap-3.48.tgz

# cd nmap-3.48

# ./configure

# make install

The syntax is quite simple: different nmap options combined with the -s flag give different scan types. Nmap on IPv6 supports two scan methods:

-sT: TCP connect scan, usually simply called port scanning.

-sS: TCP SYN scan, usually called half-open scanning.

Nmap port scan example:

# nmap -6 -sT ::1

Starting nmap 3.48 (http://www.insecure.org/nmap/) at ... UTC

All 1657 scanned ports on ::1 are: closed

Nmap run completed -- 1 IP address (1 host up) scanned in 20.521 seconds

The scan report shows that Nmap scanned 1657 ports on ::1, all of which were closed, and that the one host scanned was up.

Note: If you plan to use Nmap in an IPv6 network, the following experience may help:

● Avoid misunderstandings. Do not pick scan targets at random to test Nmap. Many organizations regard port scanning as malicious, so Nmap is best tested on your internal network. If necessary, tell your colleagues that you are experimenting with port scanning, because scanning may trigger IDS alarms and other network problems.

● Establish a security baseline. With Nmap's help, once the network has been hardened and you know which systems and services might be attacked, the next step is to establish a security baseline from these known systems and services. If you later want to enable a new service or server, you can evaluate it easily against this baseline.

Linux programs that work on IPv6 networks are listed at http://www.netcore.fi/pekkas/linux/ipv6/, where many IPv6-capable RPM packages can be found.

Table 1 Comparison of IPv4 and IPv6 functions in Linux

Loopback address
  IPv4: 127.0.0.1
  IPv6: 0000:0000:0000:0000:0000:0000:0000:0001

Address length
  IPv4: source and destination addresses are 32 bits (4 bytes) long; IPv4 provides 4294967296 addresses.
  IPv6: source and destination addresses are 128 bits (16 bytes) long. IPv6 expands the original 32-bit address space to 128 bits, i.e. 2 to the power of 128 addresses, enough for 6 × 10^23 addresses per square meter of the Earth's surface.

Group membership management
  IPv4: uses the Internet Group Management Protocol (IGMP) to manage the host's membership in local subnet groups.
  IPv6: uses Multicast Listener Discovery (MLD) messages in place of IGMP.

IPSec support
  IPv4: optional.
  IPv6: required.

QoS handling
  IPv4: the packet header gives routers no way to identify the payload for QoS processing.
  IPv6: routers use the Flow Label field in the header to identify the payload for QoS processing.

Fragmentation
  IPv4: both routers and the sending host may fragment packets.
  IPv6: routers do not fragment; only the sending host does.

Header checksum
  IPv4: the header includes a checksum.
  IPv6: the header has no checksum.

Options
  IPv4: carried in the header.
  IPv6: moved to IPv6 extension headers.

Address resolution
  IPv4: the Address Resolution Protocol (ARP) uses broadcast ARP Request frames to resolve an IPv4 address to a link-layer address.
  IPv6: multicast Neighbor Solicitation messages replace the ARP Request.

Router discovery
  IPv4: ICMP Router Discovery, which is optional, determines the IPv4 address of the best default gateway.
  IPv6: ICMPv6 Router Solicitation and Router Advertisement messages replace ICMPv4 Router Discovery and are required.

Reaching all nodes on a subnet
  IPv4: a broadcast address reaches all nodes on the subnet.
  IPv6: there is no broadcast address; the link-local all-nodes multicast address is used instead.

Address configuration
  IPv4: must be set manually or through DHCP.
  IPv6: requires neither manual configuration nor DHCP.

Forward DNS mapping
  IPv4: host address (A) resource records in the Domain Name System (DNS) map a host name to an IPv4 address.
  IPv6: host address (AAAA) resource records map a host name to an IPv6 address.

Reverse DNS mapping
  IPv4: pointer (PTR) resource records in the IN-ADDR.ARPA DNS domain map an IPv4 address to a host name.
  IPv6: pointer (PTR) resource records in the IP6.INT DNS domain map an IPv6 address to a host name.
