Linux IPv6 HOWTO

Author: Peter Bieringer pb@bieringer.de
Translator: 陈敏剑 expns@yahoo.com
Revision Release 0.31 2002-09-29 Revised by: PB
Translation date: 2002-10-14, second revision 2002-11-19
_________________________________________________________________

The goal of the Linux IPv6 HOWTO is to answer basic and advanced questions about setting up IPv6 on the Linux operating system. This HOWTO gives users enough information to install, configure and use IPv6 on Linux.
_________________________________________________________________

1. Overview
     * 1.1 Version
     * 1.2 Copyright, license and others
     * 1.3 About the author
     * 1.4 Contact
     * 1.5 Category
     * 1.6 Version, history and to-do
     * 1.7 History
     * 1.8 Full history
     * 1.9 To-do
     * 1.10 Translations
     * 1.11 German
     * 1.12 Other languages
     * 1.13 Polish version
     * 1.14 Chinese version
     * 1.15 Technical
     * 1.16 Code line wrapping
     * 1.17 SGML generation
     * 1.18 Online references to the HTML version (linking/anchors)
     * 1.19 Dedicated pages
     * 1.20 How many versions of a Linux and IPv6 HOWTO are floating around?
     * 1.21 Linux IPv6 FAQ/HOWTO (outdated)
     * 1.22 IPv6 & Linux - HowTo (maintained)
     * 1.23 Linux IPv6 HOWTO (this HOWTO)
     * 1.24 Long code line wrapping signal char
     * 1.25 Placeholders
     * 1.26 Commands in the shell
     * 1.27 Requirements for using this HOWTO

2. What is IPv6?
     * 2.1 History of IPv6 in Linux
     * 2.2 Beginning
     * 2.3 In between
     * 2.4 Current
     * 2.5 Future
     * 2.6 What do IPv6 addresses look like?
     * 2.7 FAQ (Basics)

3. Address types
     * 3.1 Addresses without a special prefix
     * 3.2 Network part, also known as prefix
     * 3.3 Address types (host part)
     * 3.4 Prefix lengths for routing

4. Preparing the system for IPv6
     * 4.1 IPv6-ready kernel
     * 4.2 IPv6-ready network configuration tools
     * 4.3 IPv6-ready test/debug programs
     * 4.4 IPv6-ready programs
     * 4.5 IPv6-ready client programs (selection)
     * 4.6 IPv6-ready server programs

5. Configuring interfaces
     * 5.1 Different network devices
     * 5.2 Bringing interfaces up/down

6. Configuring IPv6 addresses
     * 6.1 Displaying existing IPv6 addresses
     * 6.2 Adding an IPv6 address
     * 6.3 Removing an IPv6 address

7. Configuring IPv6 routes
     * 7.1 Displaying existing routes
     * 7.2 Adding an IPv6 route through a gateway
     * 7.3 Removing an IPv6 route through a gateway
     * 7.4 Adding an IPv6 route through an interface
     * 7.5 Removing an IPv6 route through an interface
     * 7.6 FAQ for IPv6 routes

8. Neighbor Discovery
     * 8.1 Displaying neighbors using "ip"
     * 8.2 Manipulating the neighbors table using "ip"

9. Configuring IPv6-in-IPv4 tunnels
     * 9.1 Types of tunnels
     * 9.2 Displaying existing tunnels
     * 9.3 Setup of point-to-point tunnel
     * 9.4 Setup of 6to4 tunnels

10. Configuring IPv4-in-IPv6 tunnels

11. Kernel settings in /proc-filesystem
     * 11.1 How to access the /proc-filesystem
     * 11.2 Value types in /proc-filesystems
     * 11.3 Entries in /proc/sys/net/ipv6/
     * 11.4 IPv6-related entries in /proc/sys/net/ipv4/
     * 11.5 IPv6-related entries in /proc/net/

12. Netlink-Interface to kernel

13. Network debugging
     * 13.1 Server socket binding
     * 13.2 Using "netstat" for server socket binding check
     * 13.3 Examples for tcpdump packet dumps

14. Support for persistent IPv6 configuration in Linux distributions
     * 14.1 Red Hat Linux and "clones"
     * 14.2 Mandrake Linux
     * 14.3 SuSE Linux
     * 14.4 Debian Linux

15. Firewalling
     * 15.1 Firewalling using netfilter6
     * 15.2 More information
     * 15.3 Preparation
     * 15.4 Usage
     * 15.5 Using ip6tables

16. Security
     * 16.1 Access limitations
     * 16.2 IPv6 security auditing
     * 16.3 Security auditing using IPv6-enabled netcat
     * 16.4 Security auditing using IPv6-enabled nmap
     * 16.5 Security auditing using IPv6-enabled strobe
     * 16.6 Audit results

17. Encryption and Authentication
     * 17.1 Usage

18. Online test tools

19. Further information
     * 19.1 Online information
     * 19.2 More information
     * 19.3 Mailing lists and forums

20. History
_________________________________________________________________

1. Overview

1.1 Version

Revision Release 0.31 2002-09-29 Revised by: PB
See revision history for more
Revision Release 0.30 2002-09-27 Revised by: PB
See revision history for more
Revision Release 0.29 2002-09-18 Revised by: PB

1.2 Copyright, license and others

Copyright

Written and Copyright (C) 2001-2002 by Peter Bieringer

1.1.2. License

This Linux IPv6 HOWTO is published under GNU GPL version 2:

The Linux IPv6 HOWTO, a guide how to configure and use IPv6 on Linux systems.

Copyright (C) 2001-2002 Peter Bieringer

This documentation is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
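See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

1.3 About the author

The author's Internet/IPv6 history

1993: Got in contact with the Internet through e-mail and newsgroups.
1996: Was invited to an IPv6 course, which included IPv6 on Linux.
1997: Started writing a guide on installing, configuring and using IPv6 on Linux.
2001: Started writing this new HOWTO.

1.4 Contact

The author can be contacted by e-mail at pb@bieringer.de and through his homepage [1]http://www.bieringer.de/pb/

He currently lives in Munich [northern part of Schwabing] / Bavaria / Germany (south) / Europe (middle) / Earth (surface/mainland).

1.5 Category

This HOWTO belongs in "Networking/Protocols".

1.6 Version, history and to-do

The version is shown at the top of this document.

1.7 History

Major history

2001-11-30: Started setting up the new HOWTO.
2002-01-02: A bit more completed, first chapter published (version 0.10).
2002-01-14: More completed, comments added, all content published (version 0.14).
2002-08-16: Polish translation in progress.
2002-10-14: Chinese translation just started.

1.8 Full history

See revision history at the end of this document.

1.9 To-do

Fill in missing content. Finish reviewing the content.

1.10 Translations

Translations include the URL, version number and copyright of the original.

1.11 German

The German version will be done by myself (German is my native language). It will not be done while the version still changes every month, and I also need free time for it. If you have the time, feel free to give it a try and take it over.

1.12 Other languages

In general, please wait until the document has been unchanged for more than a month before translating. Version 0.27 is the most recent.

1.13 Polish version

Lukasz Jokiel Lukasz.Jokiel@klonex.com.pl has been working on it since 2002-08-16. His starting version is 0.27.

1.14 Chinese version

Since 2002-10-14, part of the Chinese translation has been completed. The starting version is 0.31.

1.15 Technical

The original of this HOWTO is written with LyX version 1.2.0 on Red Hat Linux 7.3, in SGML format. It is available at http://cvsview.tldp.org/index.cgi/LDP/users/Peter-Bieringer/

1.16 Code line wrapping

Code line wrapping is done with a self-written tool, "lyxcodelinewrapper.pl". You can get it at http://cvsview.tldp.org/index.cgi/LDP/users/

1.17 SGML generation

SGML is generated using the export function of LyX. Some fixes are applied afterwards (see http://cvsview.tldp.org/index.cgi/LDP/users/Peter-Bieringer/):

Export of LyX table does not create proper "colspan" tags - tool for fixing: "sgmllyxtabletagfix.pl" (fixed since LyX 1.2.0)

LyX sometimes uses special left/right entities for quotes instead of the normal one, which will still exist in generated HTML.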
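Some browsers don't parse this very well (known: Opera 6 TP 2 or Konqueror) - tool for fixing: "sgmllyxquotefix.pl"

1.18 Online references to the HTML version (linking/anchors)

Master index page

Generally, linking to the master index page is recommended.

1.19 Dedicated pages

Because the HTML version is generated from SGML, the HTML file names are random. Some names are fixed, however. These are useful and will not change in the future. If you think I have missed a tag, please let me know and I will add it.

1.20 How many versions of a Linux and IPv6 HOWTO are floating around?

Including this one, there are three. Sorry, that is a bit too many.

1.21 Linux IPv6 FAQ/HOWTO (outdated)

The first one was written by Eric Osborne and is called Linux IPv6 FAQ/HOWTO (http://www.linuxhq.com/IPv6/). If anyone knows its initial date, please tell me by e-mail; it is needed for the history.

1.22 IPv6 & Linux - HowTo (maintained)

There is a second version written by me (Peter Bieringer), called IPv6 & Linux - HowTo (http://www.bieringer.de/linux/IPv6/), in pure HTML format. It was started in April 1997, and the first English version was released in July of the same year. I will continue to maintain it, but it will slowly be merged into the HOWTO you are reading now.

1.23 Linux IPv6 HOWTO (this HOWTO)

Because the IPv6 & Linux - HowTo (http://www.bieringer.de/linux/IPv6/) is written in pure HTML, it is not compatible with the Linux Documentation Project (www.linuxdoc.org). I (Peter Bieringer) received a request to rewrite the IPv6 & Linux - HowTo in SGML. Because that HOWTO is going to be discontinued (Future of IPv6 & Linux - HowTo) and IPv6 is becoming more and more standardized, I decided to write a new, more durable document that will be the main one for the next years, covering basic and advanced topics. More dynamic information will still be added to the second HOWTO (IPv6 & Linux - HowTo) in the future. http://www.bieringer.de/linux/IPv6/

1.24 Long code line wrapping signal char

The special character "¬" signals a wrapped long code line, so that code looks better in the PDF and PS files.

1.25 Placeholders

In examples you will often see something like this:

 < myipaddress >

On your command line or in your scripts it is replaced with the relevant content (removing the "< >", of course), resulting in e.g.:

 1.2.3.4

1.26 Commands in the shell

Commands executable as a non-root user begin with "$", e.g.:

 $ whoami

Commands executable as the root user begin with "#", e.g.:

 # whoami

1.27 Requirements for using this HOWTO

Personal prerequisites

You should be familiar with the major UNIX tools, such as grep, awk, find, ... , and their common usage.

Knowledge of some networking theory

You should know about layers, protocols, addresses, cables, plugs, etc. If you are new to this field, this link will help you: [2] http://www.linuxports.com/howto/intro_to_networking/

Experience with IPv4 configuration

You must have definite experience in IPv4 configuration. Otherwise you will not know how to proceed.

Experience with the Domain Name System (DNS)

You should at least know how to use tcpdump and what it tells you. Otherwise, things will be rather difficult for you.

Linux-compatible hardware

You need practical hands-on experience, and please do not doze off while reading the HOWTO. :)

2. What is IPv6?

IPv6 is a new layer 3 transport protocol (see http://www.linuxports.com/howto/intro_to_networking/c4412.htm#PAGE103HTML) which will replace IPv4 (also known as IP). IPv4 was designed a long time ago, and there is now a growing demand for more addresses and better performance than IPv4 can offer. The major change in IPv6 is the redesign of the header, including the increase of the address size from 32 bits to 128 bits.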
Because layer 3 is responsible for end-to-end transport of packets using address-based routing, it must include the new IPv6 addresses (source and destination), just like IPv4.

The following link provides more information about IPv6, a list of RFCs and so on: http://www.switch.ch/lan/ipv6/references.html

2.1 History of IPv6 in Linux

To do: better time-line, more content...

2.2 Beginning

The first IPv6-related code was added to Linux kernel 2.1.8 in November 1996 by Pedro Roque. It was based on the BSD API:
______________________________________________________________
diff -u --recursive --new-file v2.1.7/linux/include/linux/in6.h linux/include/linux/in6.h --- v2.1.7/linux/include/linux/in6.h Thu Jan 1 02:00:00 1970 +++ linux/include/linux/in6.h Sun Nov 3 11:04:42 1996
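@@ -0,0 +1,99 @@ +/* + * Types and definitions for AF_INET6 + * Linux INET6 implementation + * + * Authors: + * Pedro Roque <******> + * + * Source: + * IPv6 Program Interfaces for BSD Systems + *
______________________________________________________________

The code above is from patch-2.1.8 (the e-mail address was left out during copy & paste).

2.3 In between

Because of a lack of manpower, the IPv6 implementation in the kernel could not keep up with the drafts under discussion or with newly released RFCs. In October 2000, a project called USAGI (http://www.linux-ipv6.org/) was started in Japan. Its goal is to implement all missing or outdated IPv6 support in Linux. It follows in the footsteps of the KAME project (http://www.kame.net/) and makes step-by-step changes against the vanilla Linux kernel sources.

2.4 Current

Unfortunately, the USAGI patch is so big that the Linux networking maintainers cannot include it in the sources of the current Linux 2.4.x series. Therefore the 2.4.x series is missing some (many) extensions and does not support all current drafts and RFCs. This causes some interoperability problems with other operating systems.

2.5 Future

USAGI is now integrating its current extensions into the Linux 2.5.x kernel. Hopefully the 2.6.x kernel series will contain a true and up-to-date IPv6 implementation.

2.6 What do IPv6 addresses look like?

As mentioned, IPv6 addresses are 128 bits long. This number of bits yields decimal numbers with up to 39 digits:
______________________________________________________________
 2^128-1: 340282366920938463463374607431768211455
______________________________________________________________

Such addresses are hard to remember. IPv6 addresses are also bit-wise oriented (just like IPv4, although this is not commonly recognized). So hexadecimal represents these numbers better: 4 bits (also called a "nibble") are represented by a digit (0-9) or a letter a-f (10-15). This format reduces the length of an IPv6 address to 32 characters.
______________________________________________________________
 2^128-1: 0xffffffffffffffffffffffffffffffff
______________________________________________________________

This representation is still not very convenient (single hexadecimal digits may be mixed up or missed), so the IPv6 designers chose a format in which every 16 bits are separated by a ":".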
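The leading "0x" (used in programming to denote hexadecimal values) is removed:
______________________________________________________________
 2^128-1: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
______________________________________________________________

A valid address (see address types later) looks like this:
______________________________________________________________
 3ffe:ffff:0100:f101:0210:a4ff:fee3:9566
______________________________________________________________

For simplification, the leading zeros of each 16-bit block can be omitted:
______________________________________________________________
 3ffe:ffff:0100:f101:0210:a4ff:fee3:9566 ->
 3ffe:ffff:100:f101:210:a4ff:fee3:9566
______________________________________________________________

A sequence of consecutive 16-bit blocks containing only zeros can be replaced with "::". It may appear only once in an IPv6 address, otherwise the representation would be ambiguous.
______________________________________________________________
 3ffe:ffff:100:f101:0:0:0:1 -> 3ffe:ffff:100:f101::1
______________________________________________________________

The shortest possible reduction is the IPv6 localhost address:
______________________________________________________________
 0000:0000:0000:0000:0000:0000:0000:0001 -> ::1
______________________________________________________________

There is also a so-called compact (base85 coded) representation, defined in RFC 1924 / A Compact Representation of IPv6 Addresses (from 1996), but it is never seen in use. An example:
______________________________________________________________
 # ipv6calc --addr_to_base85 3ffe:ffff:0100:f101:0210:a4ff:fee3:9566
 Itu&-ZQ82s>J%s99FJXT
______________________________________________________________

Info: ipv6calc is an IPv6 address format calculator and converter program, which can be found here: http://www.bieringer.de/linux/IPv6/ipv6calc/

2.7 FAQ (Basics)

Why is it called IPv6 and not IPv5, as the successor of IPv4?

In any IP header, the first 4 bits are reserved for the protocol version. So theoretically protocol version numbers between 0 and 15 are valid:
     * 4 is already in use for IPv4.
     * 5 is reserved for the Stream Protocol (STP, RFC 1819 http://rfc.net/rfc1819.html), which never made it to the public.

The next free number after IPv4 was 6, and so IPv6 was born!

IPv6 addresses: why such a high number of bits?

When IPv4 was designed, people thought that 32 bits would be enough for the whole world. Looking back over the years, 32 bits have been enough so far and will be for the next few years. However, 32 bits cannot meet the future demand of network devices all over the world for IP addresses. Think of the mobile phones, cars (including electronic bus systems), toasters, refrigerators, light switches ... that will be connected to the network in the future.

So the designers chose 128 bits, 4 times more in length and 2^96 greater in size than today's IPv4.

The usable size may be smaller than it appears, because in the currently defined address scheme 64 bits are used for interface identifiers. The other 64 bits are used for routing.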
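Given the current strict levels of aggregation (/48, /35, ...), the address space that IPv6 provides may still run out, but hopefully not within the next few years.

IPv6 addresses: why so small a number of bits in a new design?

While there are (possibly) some people on the Internet who are thinking about IPv8 and IPv16, those designs are far away from acceptance and implementation. In the meantime, 128 bits is the best choice regarding header overhead and data transport. Consider the minimum Maximum Transfer Unit (MTU) in IPv4 and IPv6 (576 bytes and 1280 bytes respectively): the IPv4 header is 20 bytes long (minimum, it can grow to 60 bytes with IPv4 options), the IPv6 header is 48 bytes long (fixed). The header takes 3.4% and 3.8% of the respective MTU, which means that the header already makes up a noticeable part of the overhead. More address bits would require bigger headers and therefore more overhead. Also consider the maximum MTU on normal links (such as today's Ethernet): 1500 bytes (with special exceptions: 9k bytes when using Jumbo frames). In the end, a design in which 10% or 20% of the data transported in a layer 3 packet is header would make no sense.

3. Address types

3.1 Addresses without a special prefix

Localhost address

This is a special address for the loopback interface, like IPv4's "127.0.0.1". For IPv6 the localhost address is:
______________________________________________________________
 0000:0000:0000:0000:0000:0000:0000:0001
______________________________________________________________

or compressed:
______________________________________________________________
 ::1
______________________________________________________________

Packets with this address as source or destination stay on the sending host.

Unspecified address

This is the equivalent of "any" or "0.0.0.0" in IPv4. For IPv6 it is:
______________________________________________________________
 0000:0000:0000:0000:0000:0000:0000:0000
______________________________________________________________

or:
______________________________________________________________
 ::
______________________________________________________________

These addresses are mostly used/seen in socket binding (to any IPv6 address) or in routing tables.

Note: the unspecified address cannot be used as a destination address.

IPv6 addresses with an embedded IPv4 address

There are two kinds of addresses which contain an IPv4 address.

IPv4-mapped IPv6 address

IPv4-only IPv6-compatible addresses are sometimes used/shown for sockets created by an IPv6-enabled daemon that is bound only to an IPv4 address.

These addresses are defined with a special prefix of length 96 (a.b.c.d is the IPv4 address):
______________________________________________________________
 0:0:0:0:0:ffff:a.b.c.d/96
______________________________________________________________

or in compressed format:
______________________________________________________________
 ::ffff:a.b.c.d/96
______________________________________________________________

These addresses were also used for automatic tunneling, which has been replaced by 6to4 tunneling.

3.2 Network part, also known as prefix

The designers defined some address types and reserved space for future definitions as new requirements arise.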
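RFC 2373 [July 1998] / IP Version 6 Addressing Architecture (http://rfc.net/rfc2373.html) defines the current addressing scheme, but there is already a new draft: (ftp://ftp.ietf.org/internet-drafts/) draft-ietf-ipngwg-addr-arch-*.txt

Let's take a look at the different prefix definitions (and address types):

Link-local address type

These addresses are not valid for connections to the outside (Internet). Packets with these addresses as destination never pass a router. They are used for link communication such as:
     * communicating with anyone else who is also on this link.
     * communicating with anyone on this link who has a special address (e.g. looking for a router).

They begin with (where "x" is any hexadecimal character, normally "0"):
______________________________________________________________
 fe8x:  <- currently the only one in use.
 fe9x:
 feax:
 febx:
______________________________________________________________

An address starting with one of these prefixes is created by IPv6 on an interface even when no IP address has been assigned to it.

Currently only fe80 is in use.

Site-local address type

These addresses are similar to RFC 1918 / Address Allocation for Private Internets (http://rfc.net/rfc1918.html) in IPv4. The advantage: with only 16 bits, 65536 subnets can be defined, comparable to 10.0.0.0/8 in IPv4.

Another advantage: because an IPv6 interface can have more than one address, a global address can be added on top of an existing site-local address.

They begin with (where "x" is any hexadecimal character, normally "0"):
______________________________________________________________
 fecx:  <- most commonly used
 fedx:
 feex:
 fefx:
______________________________________________________________

Global address type "(Aggregatable) global unicast"

Today there is only one global address type defined (the first design, called "provider based", dates back several years: [3]RFC 1884 / IP Version 6 Addressing Architecture [obsolete]). You can find some remains of it in older kernel sources.

They begin with (where "x" is any hexadecimal character, normally "0"):
______________________________________________________________
 2xxx:
 3xxx:
______________________________________________________________

Note: the prefix "aggregatable" is dropped in current drafts. Some further subtypes are defined, see below:

6bone test addresses

These were the first global addresses to be defined and used. They begin with:
______________________________________________________________
 3ffe:
______________________________________________________________

Example:
______________________________________________________________
 3ffe:ffff:100:f102::1
______________________________________________________________

A special 6bone example that is never globally unique:
______________________________________________________________
 3ffe:ffff:100:f102::1
______________________________________________________________

These are mostly used in examples, because if real addresses were shown, someone might copy & paste them into their own configuration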
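and thereby inadvertently duplicate a globally unique address. This would cause problems for the host that originally owns the address (e.g. receiving reply packets for requests it never sent). You can apply for one of these prefixes, see: "How to join 6bone". Some tunnel brokers also hand out 6bone test address prefixes.

6to4 addresses

These addresses are designed for a special tunneling mechanism [ [4]RFC 3056 / Connection of IPv6 Domains via IPv4 Clouds and [5]RFC 2893 / Transition Mechanisms for IPv6 Hosts and Routers]. They encode a given IPv4 address and a possible subnet, and begin with:
______________________________________________________________
 2002:
______________________________________________________________

Example, encoding 192.168.1.1/5:
______________________________________________________________
 2002:c0a8:0101:5::1
______________________________________________________________

This shell command helps you generate such an address from an IPv4 address:
______________________________________________________________
 ipv4="1.2.3.4"; sla="5"; printf "2002:%02x%02x:%02x%02x:%04x::1" `echo $ipv4 | tr "." " "` $sla
______________________________________________________________

See also tunneling using 6to4 and information about 6to4 relay routers.

Assigned by provider for hierarchical routing

These addresses are delegated to Internet service providers (ISPs) and begin with:
______________________________________________________________
 2001:
______________________________________________________________

Prefixes for major ISPs (which own a backbone network) are delegated by local registries, currently with a prefix length of 35.

Major ISPs normally delegate prefixes of length 48 to minor ISPs.

Multicast addresses

Multicast addresses are used for related services.

They always begin with (xx is the scope value):
______________________________________________________________
 ffxy:
______________________________________________________________

They are split into scopes and types:

Multicast scopes

Multicast scope is a parameter that specifies the maximum distance a multicast packet can travel from the sending entity.

Currently, the following scopes are defined:
     * ffx1: node-local, packets never leave the node.
     * ffx2: link-local, packets are never forwarded by routers, so they never leave the specified link.
     * ffx5: site-local, packets never leave the site.
     * ffx8: organization-local, packets never leave the organization (not so easy to implement, must be covered by the routing protocol).
     * ffxe: global scope.
     * others are reserved.

Multicast types

Many types are already defined/reserved (see [6]RFC 2373 / IP Version 6 Addressing Architecture for details). Some examples:
     * All Nodes Address: ID = 1h, addresses all hosts on the local node (ff01:0:0:0:0:0:0:1) or on the connected link (ff02:0:0:0:0:0:0:1).
     * All Routers Address: ID = 2h, addresses all routers on the local node (ff01:0:0:0:0:0:0:2), on the connected link (ff02:0:0:0:0:0:0:2), or on the local site (ff05:0:0:0:0:0:0:2).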
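
The prefixes listed so far in this section can be turned into a small classifier, which helps when reading logs or writing filter rules where the address type and any embedded IPv4 address matter. This is an added example, not part of the original HOWTO; the function names and the label "provider-assigned" are assumptions of this sketch, and the prefix table reflects the 2002-era assignments described above.

```python
import ipaddress

# Prefix table built from section 3.2 of this HOWTO (2002-era assignments).
# Order matters: the first matching entry wins, so specific prefixes come first.
_PREFIXES = [
    ("::1/128", "localhost"),
    ("::/128", "unspecified"),
    ("::ffff:0:0/96", "IPv4-mapped"),
    ("fe80::/10", "link-local"),       # fe8x: .. febx:
    ("fec0::/10", "site-local"),       # fecx: .. fefx:
    ("ff00::/8", "multicast"),         # ffxy:
    ("3ffe::/16", "6bone test"),
    ("2002::/16", "6to4"),
    ("2001::/16", "provider-assigned"),
    ("2000::/3", "global unicast"),    # remaining 2xxx: and 3xxx:
]
PREFIX_TYPES = [(ipaddress.IPv6Network(p), name) for p, name in _PREFIXES]

# Scope nibble "y" of ffxy:, as listed under "Multicast scopes".
MULTICAST_SCOPES = {
    0x1: "node-local",
    0x2: "link-local",
    0x5: "site-local",
    0x8: "organization-local",
    0xE: "global",
}


def classify(address):
    """Return the address type name for an IPv6 address (string or object)."""
    addr = ipaddress.IPv6Address(address)
    for network, name in PREFIX_TYPES:
        if addr in network:
            return name
    return "other"


def describe(address):
    """Classify an address and decode what its type embeds."""
    addr = ipaddress.IPv6Address(address)
    info = {"address": addr.compressed, "type": classify(addr)}
    if info["type"] == "multicast":
        # Low nibble of the second byte is the scope.
        info["scope"] = MULTICAST_SCOPES.get(addr.packed[1] & 0x0F, "reserved")
    elif info["type"] == "6to4":
        # Bytes 2..5 carry the IPv4 address, bytes 6..7 the subnet (SLA).
        info["ipv4"] = str(ipaddress.IPv4Address(addr.packed[2:6]))
        info["sla"] = int.from_bytes(addr.packed[6:8], "big")
    elif info["type"] == "IPv4-mapped":
        info["ipv4"] = str(addr.ipv4_mapped)
    return info


def make_6to4(ipv4, sla):
    """Python equivalent of the printf one-liner above: 2002:<IPv4>:<SLA>::1."""
    if not 0 <= sla <= 0xFFFF:
        raise ValueError("SLA must fit into 16 bits")
    v4 = ipaddress.IPv4Address(ipv4).packed
    packed = b"\x20\x02" + v4 + sla.to_bytes(2, "big") + bytes(7) + b"\x01"
    return ipaddress.IPv6Address(packed)


# Sample addresses taken from the examples in this HOWTO.
SAMPLES = [
    "::1", "::", "::ffff:1.2.3.4", "fe80::210:a4ff:fee3:9566",
    "fec0:0:0:f101::1", "3ffe:ffff:100:f102::1", "2002:c0a8:0101:5::1",
    "ff02::1", "ff05::2",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(describe(sample))
    print(make_6to4("1.2.3.4", 5))
```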
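
Solicited node link-local multicast address

A special multicast address used as the destination address in neighbor discovery. Unlike IPv4, ARP (Address Resolution Protocol) is no longer used in IPv6.

Example:
______________________________________________________________
 ff02::1:ff00:1234
______________________________________________________________

The prefix shows that this is a link-local multicast address; the suffix is generated from the destination address. In this example, a packet should be sent to "fe80::1234", but the network stack does not know the layer 2 MAC address. It replaces the upper 104 bits with "ff02:0:0:0:0:1:ff00::/104" and leaves the lower 24 bits untouched. This address is then used "on-link" to find the corresponding node (which has to send a reply containing its layer 2 MAC address).

Anycast addresses

Anycast addresses are special addresses used for the nearest DNS or DHCP server, or for similar dynamic groups. The addresses are taken from the unicast address space (aggregatable global or site-local at the moment). The anycast mechanism (from the client's point of view) is handled by dynamic routing protocols.

Note: anycast addresses cannot be used as source addresses; they may only appear as destination addresses.

Subnet-router anycast address

An example of a subnet-router anycast address. Assume a node has been assigned the following IPv6 address:
______________________________________________________________
 3ffe:ffff:100:f101:210:a4ff:fee3:9566/64  <- node's address
______________________________________________________________

The subnet-router anycast address is created by blanking the suffix (least significant 64 bits) completely:
______________________________________________________________
 3ffe:ffff:100:f101::/64  <- subnet-router anycast address
______________________________________________________________

3.3 Address types (host part)

To support automatic configuration, the lower 64 bits of the address are used for the host part in the current address types. Therefore each single subnet can hold a large number of addresses.

The host part can be assigned in the following ways:

Automatically computed (also known as stateless)

With auto-configuration, the host part of the address is derived from the MAC address of the interface, using the EUI-64 method, to give an IPv6 address. If no MAC address is available (e.g. on virtual devices), something else is used instead (such as the IPv4 address or the MAC address of a physical interface).

Consider again the earlier example:
______________________________________________________________
 3ffe:ffff:100:f101:210:a4ff:fee3:9566
______________________________________________________________

Here:
______________________________________________________________
 210:a4ff:fee3:9566
______________________________________________________________

is the host part, derived from the MAC address of the NIC:
______________________________________________________________
 00:10:A4:E3:95:66
______________________________________________________________

using the [7]IEEE-Tutorial EUI-64 design for EUI-48 identifiers.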
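
The derivations described above (EUI-64 host part from a MAC address, solicited-node multicast address, subnet-router anycast address) can be reproduced with a few lines of Python. This is an added example, not part of the original HOWTO; the function names are assumptions of this sketch. It also runs the EUI-64 step in reverse, which shows that the same MAC address can be read back from an auto-configured address under any prefix.

```python
import ipaddress


def mac_to_interface_id(mac):
    """EUI-48 -> 64-bit host part: insert ff:fe in the middle and
    flip the universal/local bit (0x02 in the first octet)."""
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])


def autoconf_address(prefix, mac):
    """Combine a /64 prefix with the EUI-64 host part of a MAC address."""
    network = ipaddress.IPv6Network(prefix)
    if network.prefixlen != 64:
        raise ValueError("stateless auto-configuration uses a /64 prefix")
    return ipaddress.IPv6Address(
        network.network_address.packed[:8] + mac_to_interface_id(mac))


def recover_mac(address):
    """Reverse the EUI-64 step. Returns None when the host part does not
    carry the ff:fe marker (e.g. a manually set suffix such as ::1)."""
    host = ipaddress.IPv6Address(address).packed[8:]
    if host[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(host[:3] + host[5:])
    octets[0] ^= 0x02
    return ":".join("%02x" % o for o in octets)


def solicited_node(address):
    """Keep the lower 24 bits and replace the upper 104 bits with
    ff02:0:0:0:0:1:ff00::/104."""
    low24 = ipaddress.IPv6Address(address).packed[13:]
    upper = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13]
    return ipaddress.IPv6Address(upper + low24)


def subnet_router_anycast(address_with_length):
    """Blank the host part of an address given as <address>/<prefixlen>."""
    return ipaddress.IPv6Interface(address_with_length).network


if __name__ == "__main__":
    # Values from the HOWTO's examples.
    print(autoconf_address("3ffe:ffff:100:f101::/64", "00:10:A4:E3:95:66"))
    print(solicited_node("fe80::1234"))
    print(subnet_router_anycast("3ffe:ffff:100:f101:210:a4ff:fee3:9566/64"))
    # The same interface seen under two different prefixes yields one MAC.
    for seen in ("2002:d950:f5f8:f101:2e0:18ff:fe90:9205",
                 "3ffe:400:100:f101:2e0:18ff:fe90:9205",
                 "3ffe:ffff:100:f101::1"):
        print(seen, "->", recover_mac(seen))
```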
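
Privacy problem with automatically computed addresses

Because the automatically computed host part is unique, a client can easily be tracked as long as it does not go through a proxy of some kind. This is a known problem, and a solution has been defined: the privacy extension, defined in [8]RFC 3041 / Privacy Extensions for Stateless Address Autoconfiguration in IPv6 (there is also a draft: [9]draft-ietf-ipngwg-temp-addresses-*.txt). Using a random and a static value, a new suffix is generated from time to time.

Note: this is only reasonable for client connections and is not really useful for servers.

Manually set

For servers, it is probably easier to remember simple addresses. An additional IPv6 address can also be assigned to an interface, e.g.:
______________________________________________________________
 3ffe:ffff:100:f101::1
______________________________________________________________

With a manually set suffix such as "::1", as in the example, the 6th most significant bit is set to "0" (the universal/local bit of the automatically generated identifier). Reserved values also exist for anycast addresses.

3.4 Prefix lengths for routing

In the early design phase it was planned to use a fully hierarchical routing approach to reduce the size of routing tables as much as possible. The reasoning behind this was the number of current IPv4 routing entries in core routers (> 104 thousand in May 2001): reducing the memory that hardware routers need to hold the routing table, and increasing speed (fewer entries make lookups faster).

Prefix lengths (also known as "netmasks")

Similar to IPv4, the routable network path is needed for routing. Because standard netmask notation does not look nice for 128 bits, the designers adopted the scheme used in IPv4, Classless Inter-Domain Routing (CIDR, [10]RFC 1519 / Classless Inter-Domain Routing), which specifies the number of bits of the IP address that are used for routing. It is also called the "/" notation.

Example:
______________________________________________________________
 3ffe:ffff:100:1:2:3:4:5/48
______________________________________________________________

This notation expands to:
______________________________________________________________
 Network: 3ffe:ffff:0100:0000:0000:0000:0000:0000
______________________________________________________________
______________________________________________________________
 Netmask: ffff:ffff:ffff:0000:0000:0000:0000:0000
______________________________________________________________

Matching a route

Under normal circumstances (no QoS), a lookup in the routing table returns the route that matches the most significant address bits; that is, the route with the longest prefix length matches first.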
For example, if a routing table shows the following entries (the list is not complete):
______________________________________________________________
 3ffe:ffff:100::/48   ::             U  1 0 0 sit1
 2000::/3             ::192.88.99.1  UG 1 0 0 tun6to4
______________________________________________________________

the IPv6 destination addresses shown below will be routed through the following devices:
______________________________________________________________
 3ffe:ffff:100:1:2:3:4:5/48 -> routed through device sit1
 3ffe:ffff:200:1:2:3:4:5/48 -> routed through device tun6to4
______________________________________________________________

4. Preparing the system for IPv6

4.1 IPv6-ready kernel

The kernels of current Linux distributions are IPv6-ready. The IPv6 functionality is compiled as a loadable module. Normally, the module is not loaded automatically at boot time.

See for more up-to-date information: [11]IPv6+Linux-Status-Distribution

Checking whether the running system supports IPv6

Look at your /proc file system. The following entry must exist:
______________________________________________________________
 /proc/net/if_inet6
______________________________________________________________

A simple test:
______________________________________________________________
 # test -f /proc/net/if_inet6 && echo "Running kernel is IPv6 ready"
______________________________________________________________

If this fails, the module is not loaded.
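
Try to load the module

Run the command to load the module:
______________________________________________________________
 # modprobe ipv6
______________________________________________________________

If this succeeds, the module shows up in the module list. Run the following command to check:
______________________________________________________________
 # lsmod |grep -w 'ipv6' && echo "IPv6 module successfully loaded"
______________________________________________________________

Loading the module automatically

The module can be loaded automatically on demand. Just add the following line to the kernel module configuration file (/etc/modules.conf or /etc/conf.modules):
______________________________________________________________
 alias net-pf-10 ipv6 # automatically load IPv6 module on demand
______________________________________________________________

Automatic loading of the IPv6 module can also be disabled:
______________________________________________________________
 alias net-pf-10 off # disable automatic loading of IPv6 module on demand
______________________________________________________________

Compiling a kernel with IPv6 capabilities

If both of the results above show that the kernel has no IPv6 support, you have the following options:
     * Upgrade to a Linux distribution that supports IPv6 out of the box (recommended for newbies); see here again: [12]IPv6+Linux-Status-Distribution
     * Compile a new vanilla kernel (easy, if you know which options are needed).
     * Recompile the kernel of your current distribution (not so easy).
     * Compile a kernel with the USAGI extensions.

If you decide to compile a kernel, you should have read the [13]Linux Kernel HOWTO and have experience in this area.

Note: you must use kernel series 2.4.x or above, because IPv6 support in series 2.2.x is lacking, and patches are needed there for ICMPv6 and 6to4 support (the patches can be found at [14]kernel series 2.2.x IPv6 patches).

Compiling a kernel with the USAGI extensions

Recommended only for users who are familiar with kernel compilation and IPv6. See: [15]USAGI project / FAQ.

IPv6-ready network devices

Not all network devices are able to transport IPv6 packets. A current status table is here: [16] IPv6+Linux-status-kernel.html#transport.

Links that currently do not support IPv6
     * Serial Line IP (SLIP, [17]RFC 1055), which should better be called SLIPv4 now, device names: slX
     * Parallel Line IP (PLIP), same as SLIP, device names: plipX
     * ISDN with encapsulation rawip, device names: isdnX

Devices that will never support IPv6
     * ISDN with encapsulation syncppp, device names: ipppX (design issue of the ipppd, will be merged into a more general PPP layer in kernel series 2.5.x)

4.2 IPv6-ready network configuration tools

You would not get very far with a kernel running IPv6 but no tools to configure it. Several packages with such tools already exist.

net-tools package

The net-tools package includes tools such as ifconfig and route, which let you configure IPv6 on an interface. On the command line (shell), use ifconfig -?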
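or route -? and look for something like IPv6 or inet6. If it is there, the tool is IPv6-ready.

Run the following command to check:
______________________________________________________________
 # /sbin/ifconfig -? 2>&1 | grep -qw 'inet6' && echo "utility 'ifconfig' is IPv6-ready"
______________________________________________________________

The same check can be done for route:
______________________________________________________________
 # /sbin/route -? 2>&1 | grep -qw 'inet6' && echo "utility 'route' is IPv6-ready"
______________________________________________________________

iproute package

Alexey N. Kuznetsov (the current maintainer of the Linux networking code) wrote a tool set that configures networks through the netlink device. It provides more functionality than net-tools, but it is not well documented and not for the faint of heart.
______________________________________________________________
 # /sbin/ip 2>&1 | grep -qw 'inet6' && echo "utility 'ip' is IPv6-ready"
______________________________________________________________

If /sbin/ip is not found, I strongly recommend installing the iproute package.
     * It may be available in your distribution.
     * Download it from the [18]Original FTP source and compile it.
     * Directly installable RPM packages: [19]RPMfind/iproute (compiling the SRPMS is recommended)

4.3 IPv6-ready test/debug programs

After preparing your system for IPv6, you can use IPv6 for network communication. First you should learn how to examine IPv6 packets with a sniffer program. This is strongly recommended, because it helps with quick diagnosis when debugging/troubleshooting.

IPv6 ping

This program is normally included in the iputils package. It tests simple transport by sending ICMPv6 echo-request packets and waiting for ICMPv6 echo-reply packets.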

Usage:
______________________________________________________________
 # ping6 < hostwithipv6address >
 # ping6 < ipv6address >
 # ping6 [-I < device >] < link-local-ipv6address >
______________________________________________________________

Example:
______________________________________________________________
 # ping6 -c 1 ::1
 PING ::1(::1) from ::1 : 56 data bytes
 64 bytes from ::1: icmp_seq=0 hops=64 time=292 usec

 --- ::1 ping statistics ---
 1 packets transmitted, 1 packets received, 0% packet loss
 round-trip min/avg/max/mdev = 0.292/0.292/0.292/0.000 ms
______________________________________________________________

Hint: ping6 needs appropriate root permissions to work. If users who are not root have problems using it, there are two possible causes:

 1. ping6 is not in the user's path (probably because ping6 is generally stored in /usr/sbin) -> add the path (not really recommended)
 2. ping6 does not execute properly, generally because of missing permissions -> chmod u+s /usr/sbin/ping6

Specifying the interface for ping6

Using link-local addresses as the ping6 target requires specifying an interface. Otherwise the kernel does not know through which device the packet must be sent. Without an interface, the output looks like this:
______________________________________________________________
 # ping6 fe80::212:34ff:fe12:3456
 connect: Invalid argument
______________________________________________________________

With the interface specified, the result is:
______________________________________________________________
 # ping6 -I eth0 -c 1 fe80::2e0:18ff:fe90:9205
 PING fe80::212:23ff:fe12:3456(fe80::212:23ff:fe12:3456) from fe80::212:34ff:fe12:3478 eth0: 56 data bytes
 64 bytes from fe80::212:23ff:fe12:3456: icmp_seq=0 hops=64 time=445 usec

 --- fe80::2e0:18ff:fe90:9205 ping statistics ---
 1 packets transmitted, 1 packets received, 0% packet loss
 round-trip min/avg/max/mdev = 0.445/0.445/0.445/0.000 ms
______________________________________________________________

Ping6 to multicast addresses

An interesting mechanism to discover IPv6-active hosts:
______________________________________________________________
 # ping6 -I eth0 ff02::1
 PING ff02::1(ff02::1) from fe80:::2ab:cdff:feef:0123 eth0: 56 data bytes
 64 bytes from ::1: icmp_seq=1 ttl=64 time=0.104 ms
 64 bytes from fe80::212:34ff:fe12:3450: icmp_seq=1 ttl=64 time=0.549 ms (DUP!)
______________________________________________________________

Unlike IPv4, where replies to a ping on the broadcast address can be disabled, in IPv6 this can currently only be done with an IPv6 firewall.

IPv6 traceroute6

This program is normally included in the iputils package. It is similar to the IPv4 traceroute program, but unlike current IPv4 versions, the IPv6 one cannot use ICMP echo-request. See the following example:
______________________________________________________________
 # traceroute6 www.6bone.net
 traceroute to 6bone.net (3ffe:b00:c18:1::10) from 3ffe:ffff:0000:f101::2, 30 hops max, 16 byte packets
  1 localipv6gateway (3ffe:ffff:0000:f101::1) 1.354 ms 1.566 ms 0.407 ms
  2 swi6T1-T0.ipv6.switch.ch (3ffe:2000:0:400::1) 90.431 ms 91.956 ms 92.377 ms
  3 3ffe:2000:0:1::132 (3ffe:2000:0:1::132) 118.945 ms 107.982 ms 114.557 ms
  4 3ffe:c00:8023:2b::2 (3ffe:c00:8023:2b::2) 968.468 ms 993.392 ms 973.441 ms
  5 3ffe:2e00:e:c::3 (3ffe:2e00:e:c::3) 507.784 ms 505.549 ms 508.928 ms
  6 www.6bone.net (3ffe:b00:c18:1::10) 1265.85 ms * 1304.74 ms
______________________________________________________________

IPv6 tracepath6

This program is normally included in the iputils package. It traces the path to a destination and discovers the MTU along that path. See the following example:
______________________________________________________________
 # tracepath6 www.6bone.net
  1?: [LOCALHOST] pmtu 1480
  1: 3ffe:401::2c0:33ff:fe02:14 150.705ms
  2: 3ffe:b00:c18::5 267.864ms
  3: 3ffe:b00:c18::5 asymm 2 266.145ms pmtu 1280
  3: 3ffe:3900:5::2 asymm 4 346.632ms
  4: 3ffe:28ff:ffff:4::3 asymm 5 365.965ms
  5: 3ffe:1cff:0:ee::2 asymm 4 534.704ms
  6: 3ffe:3800::1:1 asymm 4 578.126ms !N
  Resume: pmtu 1280
______________________________________________________________

IPv6 tcpdump

On Linux, tcpdump is the major tool for packet capturing. Version 3.6 supports IPv6.

tcpdump uses expressions for filtering packets to reduce noise:
     * icmp6: filters native ICMPv6 traffic.
     * ip6: filters native IPv6 traffic (including ICMPv6).
     * proto ipv6: filters tunneled IPv6-in-IPv4 traffic.
     * not port ssh: suppresses the display of SSH packets when tcpdump is run in a remote SSH session.

Command line options can also be used to capture/print more information from a packet:
     * "-s 512": increase the snap length for capturing to 512 bytes.
     * "-vv": really verbose output.
     * "-n": do not resolve addresses to names, useful when name resolution is not working properly.

IPv6 ping to 3ffe:ffff:100:f101::1 native over a local link
______________________________________________________________
 # tcpdump -t -n -i eth0 -s 512 -vv ip6 or proto ipv6
 tcpdump: listening on eth0
 3ffe:ffff:100:f101:2e0:18ff:fe90:9205 > 3ffe:ffff:100:f101::1: icmp6: echo request (len 64, hlim 64)
 3ffe:ffff:100:f101::1 > 3ffe:ffff:100:f101:2e0:18ff:fe90:9205: icmp6: echo reply (len 64, hlim 64)
______________________________________________________________

IPv6 ping to 3ffe:ffff:100::1 routed through an IPv6-in-IPv4-tunnel

1.2.3.4 and 5.6.7.8 are the tunnel endpoints (these are examples).
______________________________________________________________
 # tcpdump -t -n -i ppp0 -s 512 -vv ip6 or proto ipv6
 tcpdump: listening on ppp0
 1.2.3.4 > 5.6.7.8: 2002:ffff:f5f8::1 > 3ffe:ffff:100::1: icmp6: echo request (len 64, hlim 64) (DF) (ttl 64, id 0, len 124)
 5.6.7.8 > 1.2.3.4: 3ffe:ffff:100::1 > 2002:ffff:f5f8::1: icmp6: echo reply (len 64, hlim 61) (ttl 23, id 29887, len 124)
 1.2.3.4 > 5.6.7.8: 2002:ffff:f5f8::1 > 3ffe:ffff:100::1: icmp6: echo request (len 64, hlim 64) (DF) (ttl 64, id 0, len 124)
 5.6.7.8 > 1.2.3.4: 3ffe:ffff:100::1 > 2002:ffff:f5f8::1: icmp6: echo reply (len 64, hlim 61) (ttl 23, id 29919, len 124)
______________________________________________________________

4.4 IPv6-ready programs

Current distributions already contain IPv6-ready programs (server/client). See: [20]IPv6+Linux-Status-Distribution, or check [21] http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-apps.html

Some hints on available programs: [22]IPv6 & Linux - HowTo - Part 3 or [23]IPv6 & Linux - HowTo - Part 4.

4.5 IPv6-ready client programs (selection)

To run the following tests, your system must be IPv6-enabled. Some of the examples were done with a real connection to the 6bone.

Checking DNS for resolving IPv6 addresses

Because of the continuous security updates of recent years, most Domain Name System (DNS) servers are now able to resolve the IPv6 address type AAAA.
(The newer type A6 is only supported by BIND9 and above.) A check of the DNS's ability to resolve IPv6 addresses:
______________________________________________________________
 # host -t AAAA www.join.uni-muenster.de
______________________________________________________________

This gives the following result:
______________________________________________________________
 www.join.uni-muenster.de. is an alias for ns.join.uni-muenster.de.
 ns.join.uni-muenster.de. has AAAA address 3ffe:400:10:100:201:2ff:feb5:3806
______________________________________________________________

IPv6-ready telnet clients

IPv6-ready telnet clients are available. A simple test:
______________________________________________________________
 $ telnet 3ffe:400:100::1 80
 Trying 3ffe:400:100::1...
 Connected to 3ffe:400:100::1.
 Escape character is '^]'.
 HEAD / HTTP/1.0

 HTTP/1.1 200 OK
 Date: Sun, 16 Dec 2001 16:07:21 GMT
 Server: Apache/2.0.28 (Unix)
 Last-Modified: Wed, 01 Aug 2001 21:34:42 GMT
 ETag: "3f02-a4d-b1b3e080"
 Accept-Ranges: bytes
 Content-Length: 2637
 Connection: close
 Content-Type: text/html; charset=ISO-8859-1

 Connection closed by foreign host.
______________________________________________________________

If telnet only reports "cannot resolve hostname", IPv6 is not yet enabled on the system.

openssh

openssh already supports IPv6, but it must be compiled with one of the following options before use:
     * --without-ipv4-default: the client tries an IPv6 connection first automatically and falls back to IPv4 if that does not work
     * --with-ipv4-default: the default connection is IPv4; an IPv6 connection must be forced, as the following example shows:
______________________________________________________________
 $ ssh -6 ::1
 user@::1's password: ******
 [user@ipv6host user]$
______________________________________________________________

If your ssh does not understand the -6 option, IPv6 may not be enabled on the system, or the ssh version is too old.

ssh.com

Their client/server software is free.

IPv6-ready web browsers

A current list of web browsers that support IPv6: [24]IPv6+Linux-status-apps.html#HTTP.

Most of these browsers have problems:
     * If the proxy supports IPv4 only, IPv6 requests will fail. Solution: upgrade the proxy.
     * Automatic proxy settings (*.pac) cannot handle IPv6 requests differently (written in JavaScript and well hard coded in source, as can be seen in the Maxilla source code).
  * Some earlier versions cannot handle IPv6 addresses in URLs correctly, for example: [25] http://[3ffe:400:100::1]/

A small test is to open the URL shown above in the browser with no proxy configured.

URLs for testing

The most convenient way to test IPv6 is to visit [26]http://www.kame.net/. If the turtle is animated, the connection is using IPv6; if it does not move, the connection is using IPv4.

4.6 IPv6-ready server programs

These include: sshd, httpd, telnetd,

5. Configuring interfaces

5.1 Different network devices

A node has different kinds of network devices. They can be grouped into the following classes:

  * Physically bound, such as eth0, tr0
  * Virtually existing, such as ppp0, tun0, tap0, sit0, isdn0, ippp0

Physically bound

Physically bound interfaces such as Ethernet or Token-Ring need no special treatment.

Virtually bound

Virtually bound interfaces need special support.

IPv6-in-IPv4 tunnel interfaces

These interfaces are named sitx; "sit" is short for "Simple Internet Transition". Such a device can put IPv6 packets into IPv4 packets and send them over IPv4 to another endpoint.

sit0 cannot be used for dedicated tunnels.

5.1.2.2. PPP interfaces

PPP interfaces get their IPv6 capability from an IPv6-enabled PPP daemon.

5.1.2.3. ISDN HDLC interfaces

IPv6 capability for HDLC with IP encapsulation is already included in the kernel.

5.1.2.4. ISDN PPP interfaces

Currently not supported. ISDN PPP interfaces (ippp) are not IPv6-enabled by the kernel. There are also no plans to do that, because in kernel 2.5.+ they will be replaced by a more generic ppp interface layer.

5.1.2.5. SLIP + PLIP

Currently not supported. As mentioned earlier, these interfaces do not support IPv6 transport (sending is OK, but dispatching on receiving does not work).

5.1.2.6. Ether-tap device

Ether-tap devices use automatic configuration. Load the "ethertap" module before using them.

5.1.2.7. tun devices

Currently not tested by me.

5.1.2.8. ATM

01/2002: currently not supported by the vanilla kernel; the USAGI extension supports ATM-IPv6.

5.1.2.9. Others

What did I miss?
5.2 Bringing interfaces up/down

Using "ip"

Usage:
______________________________________________________________
# ip link set dev <interface> up
# ip link set dev <interface> down
______________________________________________________________
Example:
______________________________________________________________
# ip link set dev eth0 up
# ip link set dev eth0 down
______________________________________________________________

Using "ifconfig"

Usage:
______________________________________________________________
# /sbin/ifconfig <interface> up
# /sbin/ifconfig <interface> down
______________________________________________________________
Example:
______________________________________________________________
# /sbin/ifconfig eth0 up
# /sbin/ifconfig eth0 down
______________________________________________________________

6. Configuring IPv6 addresses

6.1 Displaying the current IPv6 addresses

Using "ip"

Usage:
______________________________________________________________
# /sbin/ip -6 addr show dev <interface>
______________________________________________________________
Example for a statically configured host address:
______________________________________________________________
# /sbin/ip -6 addr show dev eth0
2: eth0: mtu 1500 qdisc pfifo_fast qlen 100
    inet6 fe80::210:a4ff:fee3:9566/10 scope link
    inet6 3ffe:ffff:0:f101::1/64 scope global
    inet6 fec0:0:0:f101::1/64 scope site
______________________________________________________________
Example for auto-configured addresses, showing their lifetimes:
______________________________________________________________
# /sbin/ip -6 addr show dev eth0
3: eth0: mtu 1500 qdisc pfifo_fast qlen 100
    inet6 2002:d950:f5f8:f101:2e0:18ff:fe90:9205/64 scope global dynamic
       valid_lft 16sec preferred_lft 6sec
    inet6 3ffe:400:100:f101:2e0:18ff:fe90:9205/64 scope global dynamic
       valid_lft 2591997sec preferred_lft 604797sec
    inet6 fe80::2e0:18ff:fe90:9205/10 scope link
______________________________________________________________

Using "ifconfig"

Usage:
______________________________________________________________
# /sbin/ifconfig <interface>
______________________________________________________________
Example (the output is filtered to show only the IPv6 addresses):
______________________________________________________________
# /sbin/ifconfig eth0 |grep "inet6 addr:"
inet6 addr: fe80::210:a4ff:fee3:9566/10 Scope:Link
inet6 addr: 3ffe:ffff:0:f101::1/64 Scope:Global
inet6 addr: fec0:0:0:f101::1/64 Scope:Site
______________________________________________________________

6.2 Adding an IPv6 address

This works on the same principle as "IP ALIAS" addresses in IPv4.

Using "ip"

Usage:
______________________________________________________________
# /sbin/ip -6 addr add <ipv6address>/<prefixlength> dev <interface>
______________________________________________________________
Example:
______________________________________________________________
# /sbin/ip -6 addr add 3ffe:ffff:0:f101::1/64 dev eth0
______________________________________________________________

Using "ifconfig"

Usage:
______________________________________________________________
# /sbin/ifconfig <interface> inet6 add <ipv6address>/<prefixlength>
______________________________________________________________
Example:
______________________________________________________________
# /sbin/ifconfig eth0 inet6 add 3ffe:ffff:0:f101::1/64
______________________________________________________________

6.3 Removing an IPv6 address

This is not needed often. Do not use it to remove an address that does not exist; some earlier kernels cannot cope with that and crash.
Using "ip"

Usage:
______________________________________________________________
# /sbin/ip -6 addr del <ipv6address>/<prefixlength> dev <interface>
______________________________________________________________
Example:
______________________________________________________________
# /sbin/ip -6 addr del 3ffe:ffff:0:f101::1/64 dev eth0
______________________________________________________________

Using "ifconfig"

Usage:
______________________________________________________________
# /sbin/ifconfig <interface> inet6 del <ipv6address>/<prefixlength>
______________________________________________________________
Example:
______________________________________________________________
# /sbin/ifconfig eth0 inet6 del 3ffe:ffff:0:f101::1/64
______________________________________________________________

7. Configuring IPv6 routes

7.1 Displaying existing routes

Using "ip"

Usage:
______________________________________________________________
# /sbin/ip -6 route show [dev <device>]
______________________________________________________________
Example:
______________________________________________________________
# /sbin/ip -6 route show dev eth0
3ffe:ffff:0:f101::/64 proto kernel metric 256 mtu 1500 advmss 1440
fe80::/10             proto kernel metric 256 mtu 1500 advmss 1440
ff00::/8              proto kernel metric 256 mtu 1500 advmss 1440
default               proto kernel metric 256 mtu 1500 advmss 1440
______________________________________________________________

Using "route"

Usage:
______________________________________________________________
# /sbin/route -A inet6
______________________________________________________________
Example: the different IPv6 routes on a single interface.
______________________________________________________________
# /sbin/ip -6 route show dev eth0
# /sbin/route -A inet6 |grep -w "eth0"
3ffe:ffff:0:f101::/64 :: UA  256 0 0 eth0 <- Interface route for global address
fe80::/10             :: UA  256 0 0 eth0 <- Interface route for link-local address
ff00::/8              :: UA  256 0 0 eth0 <- Interface route for all multicast addresses
::/0                  :: UDA 256 0 0 eth0 <- Automatic default route
______________________________________________________________

7.2 Adding an IPv6 route through a gateway

Using "ip"

Usage:
______________________________________________________________
# /sbin/ip -6 route add <ipv6network>/<prefixlength> via <ipv6address> [dev <device>]
______________________________________________________________
Example:
______________________________________________________________
# /sbin/ip -6 route add 2000::/3 via 3ffe:ffff:0:f101::1
______________________________________________________________

Using "route"

Usage:
______________________________________________________________
# /sbin/route -A inet6 add <ipv6network>/<prefixlength> gw <ipv6address> [dev <device>]
______________________________________________________________
Example: add a route for all currently used global addresses (2000::/3) through gateway 3ffe:ffff:0:f101::1
______________________________________________________________
# /sbin/route -A inet6 add 2000::/3 gw 3ffe:ffff:0:f101::1
______________________________________________________________

7.3 Removing an IPv6 route through a gateway

Using "ip"

Usage:
______________________________________________________________
# /sbin/ip -6 route del <ipv6network>/<prefixlength> via <ipv6address> [dev <device>]
______________________________________________________________
Example:
______________________________________________________________
# /sbin/ip -6 route del 2000::/3 via 3ffe:ffff:0:f101::1
______________________________________________________________

Using "route"

Usage:
______________________________________________________________
# /sbin/route -A inet6 del <ipv6network>/<prefixlength> [dev <device>]
______________________________________________________________
Example: remove the route for all currently used global addresses (2000::/3) through gateway 3ffe:ffff:0:f101::1
______________________________________________________________
# /sbin/route -A inet6 del 2000::/3 gw 3ffe:ffff:0:f101::1
______________________________________________________________

7.4 Adding an IPv6 route through an interface

Using "ip"

Usage:
______________________________________________________________
# /sbin/ip -6 route add <ipv6network>/<prefixlength> dev <device> metric 1
______________________________________________________________
Example:
______________________________________________________________
# /sbin/ip -6 route add 2000::/3 dev eth0 metric 1
______________________________________________________________

Using "route"

Usage:
______________________________________________________________
# /sbin/route -A inet6 add <ipv6network>/<prefixlength> dev <device>
______________________________________________________________
Example:
______________________________________________________________
# /sbin/route -A inet6 add 2000::/3 dev eth0
______________________________________________________________

7.5 Removing an IPv6 route through an interface

Using "ip"

Usage:
______________________________________________________________
# /sbin/ip -6 route del <ipv6network>/<prefixlength> dev <device> metric 1
______________________________________________________________
Example:
______________________________________________________________
# /sbin/ip -6 route del 2000::/3 dev eth0
______________________________________________________________

Using "route"

Usage:
______________________________________________________________
# /sbin/route -A inet6 del <ipv6network>/<prefixlength> dev <device>
______________________________________________________________
Example:
______________________________________________________________
# /sbin/route -A inet6 del 2000::/3 dev eth0
______________________________________________________________

7.6 FAQ for IPv6 routes

Support of an IPv6 default route

IPv6 is built around hierarchical routing, so at least one route is needed within the hierarchy. There are some issues in current kernels:

Clients (not routing any packet!)

Clients can set up a default route with the prefix "::/0".
______________________________________________________________
# ip -6 route show | grep ^default
default via fe80::212:34ff:fe12:3450 dev eth0 proto kernel metric 1024 expires 29sec mtu 1500 advmss 1440
______________________________________________________________

Routers on packet forwarding

Current mainstream Linux kernels (at least <= 2.4.17) do not support default routes. You can set them up, but the route lookup fails when packets are sent. For now, the default route can therefore be set up with the global address prefix "2000::/3". USAGI has good support for this.
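Why a "2000::/3" route on a forwarding router carries less than a "::/0" default route can be checked with a prefix match. The following is an added example, not part of the HOWTO: the function names are this example's own, the destinations are taken from listings on this page, and the fec0::/10 site-local prefix is supplied by the example.

```shell
#!/bin/sh
# Added example (not from the HOWTO): which destinations does a route prefix cover?
# Function names are this example's own. Dotted-quad forms such as
# ::193.113.58.75 are not handled.

# pad_groups "a:b:c" -> every 16-bit group zero-padded to 4 hex digits, concatenated
pad_groups() (
    case $1 in :*|*:) exit 1 ;; esac
    IFS=:
    out=
    for g in $1; do
        case ${#g} in
            1) g=000$g ;; 2) g=00$g ;; 3) g=0$g ;; 4) ;;
            *) exit 1 ;;
        esac
        out=$out$g
    done
    printf '%s' "$out"
)

# expand6 ADDR -> 32 lowercase hex digits without colons; status 1 if ADDR is malformed
expand6() (
    addr=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case $addr in
        ''|*[!0-9a-f:]*|*:::*|*::*::*) exit 1 ;;
    esac
    case $addr in
        *::*) head=${addr%%::*}; tail=${addr#*::}; gap=1 ;;
        *)    head=$addr; tail=; gap=0 ;;
    esac
    h=$(pad_groups "$head") || exit 1
    t=$(pad_groups "$tail") || exit 1
    if [ "$gap" -eq 1 ]; then
        # "::" stands for at least one all-zero group
        [ $(( ${#h} + ${#t} )) -le 28 ] || exit 1
        while [ $(( ${#h} + ${#t} )) -lt 32 ]; do h=${h}0000; done
    fi
    [ $(( ${#h} + ${#t} )) -eq 32 ] || exit 1
    printf '%s\n' "$h$t"
)

# in_prefix ADDR PREFIX/LEN -> status 0 if ADDR is inside the prefix, 1 if not, 2 on bad input
in_prefix() (
    a=$(expand6 "$1") || exit 2
    p=$(expand6 "${2%/*}") || exit 2
    len=${2##*/}
    case $len in ''|*[!0-9]*) exit 2 ;; esac
    [ "$len" -le 128 ] || exit 2
    while [ "$len" -gt 0 ]; do
        ca=${a%"${a#?}"}; cp=${p%"${p#?}"}    # first hex digit of each
        a=${a#?}; p=${p#?}
        if [ "$len" -ge 4 ]; then
            [ "$ca" = "$cp" ] || exit 1
            len=$(( len - 4 ))
        else
            # fewer than 4 prefix bits left: compare only the top bits of this digit
            drop=$(( 4 - len ))
            [ $(( 0x$ca >> drop )) -eq $(( 0x$cp >> drop )) ] || exit 1
            len=0
        fi
    done
    exit 0
)

# classify6 ADDR -> address class by the prefixes that appear in this HOWTO
# (fec0::/10 for site-local is supplied by this example)
classify6() (
    expand6 "$1" >/dev/null || exit 2
    for entry in multicast=ff00::/8 link-local=fe80::/10 site-local=fec0::/10 \
                 6to4=2002::/16 global=2000::/3; do
        if in_prefix "$1" "${entry#*=}"; then
            printf '%s\n' "${entry%%=*}"
            exit 0
        fi
    done
    echo other
)

# route_scope PREFIX/LEN -> classes of the sample destinations (taken from the
# listings on this page) that a route to PREFIX/LEN would carry
route_scope() (
    out=
    for dst in 3ffe:ffff:0:f101::1 2002:0102:0304::1 ff02::1 fec0:0:0:f101::1 \
               fe80::210:a4ff:fee3:9566; do
        if in_prefix "$dst" "$1"; then
            out="${out:+$out }$(classify6 "$dst")"
        fi
    done
    printf '%s\n' "$out"
)

# Compare the two candidate "default" routes discussed above
for r in 2000::/3 ::/0; do
    printf '%-9s carries: %s\n' "$r" "$(route_scope "$r")"
done
```

With "::/0" the multicast, site-local and link-local samples all match, so keeping them inside the site is left entirely to address filtering on the router.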
Note: take care with default routes on edge routers that have no address filtering; otherwise unwanted multicast or site-local traffic will leak out at the edge.

8. Neighbor Discovery

Neighbor Discovery is the IPv6 successor of ARP (Address Resolution Protocol) in IPv4. You can retrieve information about the current neighbors, and you can also edit or delete entries.

Neighbor detection

The kernel keeps track of successfully detected neighbors. You can dig into this information using "ip".

8.1 Displaying neighbors using "ip"

The following command displays the neighbors that are known:
______________________________________________________________
# ip -6 neigh show [dev <device>]
______________________________________________________________
The following example shows one neighbor, which is a reachable router:
______________________________________________________________
# ip -6 neigh show
fe80::201:23ff:fe45:6789 dev eth0 lladdr 00:01:23:45:67:89 router nud reachable
______________________________________________________________

8.2 Manipulating the neighbor table using "ip"

The following command adds an entry:
______________________________________________________________
# ip -6 neigh add <IPv6 address> lladdr <link-layer address> dev <device>
______________________________________________________________
Example:
______________________________________________________________
# ip -6 neigh add fec0::1 lladdr 02:01:02:03:04:05 dev eth0
______________________________________________________________
The following command removes an entry:
______________________________________________________________
# ip -6 neigh del <IPv6 address> lladdr <link-layer address> dev <device>
______________________________________________________________
Example:
______________________________________________________________
# ip -6 neigh del fec0::1 lladdr 02:01:02:03:04:05 dev eth0
______________________________________________________________

More advanced settings

The "ip" tool is very powerful, but it does not come with enough help information.
______________________________________________________________
# ip -6 neigh help
Usage: ip neigh { add | del | change | replace } { ADDR [ lladdr LLADDR ]
          [ nud { permanent | noarp | stale | reachable } ]
          | proxy ADDR } [ dev DEV ]
       ip neigh {show|flush} [ to PREFIX ] [ dev DEV ] [ nud STATE ]
______________________________________________________________
This looks somewhat like the IPv4 output. If you know its usage in detail, please send me a description.

9. Configuring IPv6-in-IPv4 tunnels

9.1 Types of tunnels

There is more than one way to carry IPv6 packets over IPv4 links.
Static point-to-point tunneling: 6bone

IPv6-in-IPv4 tunnels are defined in [27]RFC 2893 / Transition Mechanisms for IPv6 Hosts and Routers.

Requirements:

  * The IPv4 address at the other end of the tunnel must be static, globally unique and reachable from the foreign tunnel endpoint
  * You have already been assigned a global IPv6 prefix (see the 6bone registry)
  * A foreign tunnel endpoint that is able to route your IPv6 prefix to your local tunnel endpoint (this usually requires manual configuration on the remote side)

Automatic tunneling

Automatic tunneling takes place when a node connects directly to another node whose IPv4 address it has obtained beforehand.

6to4 tunneling

6to4 tunneling ([28]RFC 3056 / Connection of IPv6 Domains via IPv4 Clouds) uses a simple mechanism to create tunnels. Every node with a globally unique IPv4 address can be a 6to4 tunnel endpoint (if no IPv4 firewall restricts the traffic). 6to4 tunneling is not a dedicated one-to-one tunnel; it can be divided into upstream and downstream tunneling. In addition, a special IPv6 address indicates that the node uses 6to4 tunneling to connect to the world-wide IPv6 network.

Generation of 6to4 prefix

The 6to4 address is defined as follows (taken from [29]RFC 3056 / Connection of IPv6 Domains via IPv4 Clouds):
______________________________________________________________
|   3+13   |    32     |   16   |            64 bits             |
+---+------+-----------+--------+--------------------------------+
|  FP+TLA  |  V4ADDR   | SLA ID |          Interface ID          |
|  0x2002  |           |        |                                |
+---+------+-----------+--------+--------------------------------+
______________________________________________________________
FP is the prefix for global addresses, TLA is the top level aggregator, V4ADDR is the globally unique IPv4 address (in hexadecimal notation) and SLA is the subnet identifier (65536 local subnets possible). Such a prefix is generated with SLA "0000" and the suffix "::1" and assigned to the 6to4 tunnel interface.

6to4 upstream tunneling

The node has to know where to send the IPv4 packets that contain its IPv6 packets. In the early days of 6to4 tunneling, a dedicated upstream router that accepts such traffic had to be configured. See [30]NSayer's 6to4 information for a list of routers.

Nowadays 6to4 upstream routers can be reached through the anycast address 192.88.99.1, which is handled by routing protocols in the background. See [31]RFC 3068 / An Anycast Prefix for 6to4 Relay Routers.

6to4 downstream tunneling

The downstream path (6bone -> your 6to4-enabled node) is not really fixed and can vary depending on the foreign host to which the originating packets were sent. There are two possibilities:

  * The foreign host uses 6to4 itself and sends the IPv6 packets back to you directly.
  * The foreign host sends the IPv6 packets back to you through the world-wide IPv6 network, where, depending on dynamic routing, an automatic tunnel is created.

Possible 6to4 traffic

  * from 6to4 to 6to4: normally tunneled directly between the two 6to4-enabled hosts
  * from 6to4 to non-6to4: sent through upstream tunneling
  * from non-6to4 to 6to4: sent through downstream tunneling

9.2 Displaying existing tunnels

Using "ip"

Usage:
______________________________________________________________
# /sbin/ip -6 tunnel show [<device>]
______________________________________________________________
Example:
______________________________________________________________
# /sbin/ip -6 tunnel show
sit0: ipv6/ip remote any local any ttl 64 nopmtudisc
sit1: ipv6/ip remote 195.226.187.50 local any ttl 64
______________________________________________________________

Using "route"

Usage:
______________________________________________________________
# /sbin/route -A inet6
______________________________________________________________
Example (the output is filtered to show only tunnels through the interface sit0):
______________________________________________________________
# /sbin/route -A inet6 | grep "\Wsit0\W*$"
::/96      ::              U  256 2 0 sit0
2002::/16  ::              UA 256 0 0 sit0
2000::/3   ::193.113.58.75 UG 1   0 0 sit0
fe80::/10  ::              UA 256 0 0 sit0
ff00::/8   ::              UA 256 0 0 sit0
______________________________________________________________

9.3 Setup of point-to-point tunnel

There are three ways to add or remove point-to-point tunnels.

Add point-to-point tunnels

Using "ip"

This is the current method for a small number of tunnels.

Create the tunnel device (it is not brought up at this point; a TTL must be specified because the default value is 0):
______________________________________________________________
# /sbin/ip tunnel add <device> mode sit ttl <ttldefault> remote <ipv4addressofforeigntunnel> local <ipv4addresslocal>
______________________________________________________________
Usage (this example sets up three tunnels):
______________________________________________________________
# /sbin/ip tunnel add sit1 mode sit ttl <ttldefault> remote <ipv4addressofforeigntunnel1> local <ipv4addresslocal>
# /sbin/ip link set dev sit1 up
# /sbin/ip -6 route add <prefixtoroute1> dev sit1 metric 1

# /sbin/ip tunnel add sit2 mode sit ttl <ttldefault> remote <ipv4addressofforeigntunnel2> local <ipv4addresslocal>
# /sbin/ip link set dev sit2 up
# /sbin/ip -6 route add <prefixtoroute2> dev sit2 metric 1

# /sbin/ip tunnel add sit3 mode sit ttl <ttldefault> remote <ipv4addressofforeigntunnel3> local <ipv4addresslocal>
# /sbin/ip link set dev sit3 up
# /sbin/ip -6 route add <prefixtoroute3> dev sit3 metric 1
______________________________________________________________

Using "ifconfig" and "route" (deprecated)

Adding several tunnels at once this way is not recommended, because it is hard to shut down only the first one while leaving the others running. Adding a single tunnel is no problem.
______________________________________________________________
# /sbin/ifconfig sit0 up

# /sbin/ifconfig sit0 tunnel <ipv4addressofforeigntunnel1>
# /sbin/ifconfig sit1 up
# /sbin/route -A inet6 add <prefixtoroute1> dev sit1

# /sbin/ifconfig sit0 tunnel <ipv4addressofforeigntunnel2>
# /sbin/ifconfig sit2 up
# /sbin/route -A inet6 add <prefixtoroute2> dev sit2

# /sbin/ifconfig sit0 tunnel <ipv4addressofforeigntunnel3>
# /sbin/ifconfig sit3 up
# /sbin/route -A inet6 add <prefixtoroute3> dev sit3
______________________________________________________________
Warning: this is very risky, because anyone can then connect to you from anywhere on the Internet using "automatic tunneling". I do not recommend it.

Using "route" only

It is also possible to set up tunnels in Non Broadcast Multiple Access (NBMA) style. This method can add many tunnels at once.

Usage (generic example for three tunnels):
______________________________________________________________
# /sbin/ifconfig sit0 up

# /sbin/route -A inet6 add <prefixtoroute1> gw ::<ipv4addressofforeigntunnel1> dev sit0
# /sbin/route -A inet6 add <prefixtoroute2> gw ::<ipv4addressofforeigntunnel2> dev sit0
# /sbin/route -A inet6 add <prefixtoroute3> gw ::<ipv4addressofforeigntunnel3> dev sit0
______________________________________________________________
Warning: this is very risky, because anyone can then connect to you from anywhere on the Internet using "automatic tunneling". I do not recommend it.

Removing point-to-point tunnels

This is not often done by hand; scripts can be used to remove or reconfigure IPv6 tunnels.

Using "ip"

Usage for removing a tunnel device:
______________________________________________________________
# /sbin/ip tunnel del <device>
______________________________________________________________
Usage (generic example for three tunnels):
______________________________________________________________
# /sbin/ip -6 route del <prefixtoroute1> dev sit1
# /sbin/ip link set sit1 down
# /sbin/ip tunnel del sit1

# /sbin/ip -6 route del <prefixtoroute2> dev sit2
# /sbin/ip link set sit2 down
# /sbin/ip tunnel del sit2

# /sbin/ip -6 route del <prefixtoroute3> dev sit3
# /sbin/ip link set sit3 down
# /sbin/ip tunnel del sit3
______________________________________________________________

Using "ifconfig" and "route" (deprecated because it is not much fun)

Usage (generic example for three tunnels): you must remove the tunnels in reverse order, that is, the tunnel created last must be removed first.
______________________________________________________________
# /sbin/route -A inet6 del <prefixtoroute3> dev sit3
# /sbin/ifconfig sit3 down

# /sbin/route -A inet6 del <prefixtoroute2> dev sit2
# /sbin/ifconfig sit2 down

# /sbin/route -A inet6 del <prefixtoroute1> dev sit1
# /sbin/ifconfig sit1 down

# /sbin/ifconfig sit0 down
______________________________________________________________

Using "route"

This removes the IPv6 routes.

Usage (generic example for three tunnels):
______________________________________________________________
# /sbin/route -A inet6 del <prefixtoroute1> gw ::<ipv4addressofforeigntunnel1> dev sit0
# /sbin/route -A inet6 del <prefixtoroute2> gw ::<ipv4addressofforeigntunnel2> dev sit0
# /sbin/route -A inet6 del <prefixtoroute3> gw ::<ipv4addressofforeigntunnel3> dev sit0

# /sbin/ifconfig sit0 down
______________________________________________________________

Numbered point-to-point tunnels

Sometimes a point-to-point tunnel has to be configured together with IPv6 addresses. Of the methods above, only the first (ifconfig+route - deprecated) and the third (ip+route) allow this. In these cases you can add an IPv6 address to the tunnel interface.

9.4 Setup of 6to4 tunnels

Note: support for 6to4 tunnels is currently lacking in the vanilla 2.2.x kernel series. Also note that the prefix length of a 6to4 address is 16, because all 6to4 hosts are on the same layer 2.

Add a 6to4 tunnel

First, you have to calculate your 6to4 prefix from your local, globally routable IPv4 address (if your host has no globally routable IPv4 address, in special cases NAT on border gateways is possible):

Assuming your IPv4 address is
______________________________________________________________
1.2.3.4
______________________________________________________________
the generated 6to4 prefix is
______________________________________________________________
2002:0102:0304::
______________________________________________________________
The local 6to4 gateway has to be given the suffix "::1" by hand, so your local 6to4 address becomes
______________________________________________________________
2002:0102:0304::1
______________________________________________________________
The following generates the 6to4 address from a given IPv4 address:
______________________________________________________________
ipv4="1.2.3.4"; printf "2002:%02x%02x:%02x%02x::1" `echo $ipv4 | tr "." " "`
______________________________________________________________
There are currently two ways to set up a 6to4 tunnel.

Using "ip" and a dedicated tunnel device

This is the recommended way.

Create a tunnel device:
______________________________________________________________
# /sbin/ip tunnel add tun6to4 mode sit remote any local <localipv4address>
______________________________________________________________
Bring interface up:
______________________________________________________________
# /sbin/ip link set dev tun6to4 up
______________________________________________________________
Add the local 6to4 address to the interface (note: the prefix length must be 16):
______________________________________________________________
# /sbin/ip -6 addr add <local6to4address>/16 dev tun6to4
______________________________________________________________
Add a (default) route to the global IPv6 network using the all-6to4-routers IPv4 anycast address:
______________________________________________________________
# /sbin/ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4 metric 1
______________________________________________________________

Using "ifconfig" and "route" and generic tunnel device "sit0" (deprecated)

This is deprecated because the generic tunnel device sit0 does not let filters be applied per device.

Bring generic tunnel interface sit0 up:
______________________________________________________________
# /sbin/ifconfig sit0 up
______________________________________________________________
Add local 6to4 address to interface:
______________________________________________________________
# /sbin/ifconfig sit0 add <local6to4address>/16
______________________________________________________________
Add a (default) route to the global IPv6 network using the all-6to4-relays IPv4 anycast address:
______________________________________________________________
# /sbin/route -A inet6 add 2000::/3 gw ::192.88.99.1 dev sit0
______________________________________________________________

Remove a 6to4 tunnel

Using "ip" and a dedicated tunnel device

Remove all routes through the dedicated tunnel device:
______________________________________________________________
# /sbin/ip -6 route flush dev tun6to4
______________________________________________________________
Shut down interface:
______________________________________________________________
# /sbin/ip link set dev tun6to4 down
______________________________________________________________
Remove created tunnel device:
______________________________________________________________
# /sbin/ip tunnel del tun6to4
______________________________________________________________

Using "ifconfig" and "route" and generic tunnel device "sit0" (deprecated)

Remove the route through the 6to4 tunnel interface:
______________________________________________________________
# /sbin/route -A inet6 del 2000::/3 gw ::192.88.99.1 dev sit0
______________________________________________________________
Remove local 6to4 address from interface:
______________________________________________________________
# /sbin/ifconfig sit0 del <local6to4address>/16
______________________________________________________________
Shut down the generic tunnel device (take care, it may still be in use):
______________________________________________________________
# /sbin/ifconfig sit0 down
______________________________________________________________

10. Configuring IPv4-in-IPv6 tunnels

This will be filled in in the future. At the moment such tunnels are experimental. See [32]RFC 2473 / Generic Packet Tunneling in IPv6 Specification.

11. Kernel settings in /proc-filesystem

11.1 How to access the /proc-filesystem

Using "cat" and "echo"

Using "cat" and "echo" is the simplest way to access the /proc-filesystem, but the following requirements must be met:

  * /proc-filesystem support is enabled in the kernel, which means that the following switch was set at compile time: CONFIG_PROC_FS=y
  * The /proc-filesystem is mounted, which can be tested as follows:
______________________________________________________________
# mount | grep "type proc"
none on /proc type proc (rw)
______________________________________________________________
  * You need to know how to work with the /proc-filesystem.

Normally only entries in /proc/sys/* are writable; the others are read-only and for information retrieval only.

Retrieving a value

The value of an entry can be retrieved using "cat":
______________________________________________________________
# cat /proc/sys/net/ipv6/conf/all/forwarding
0
______________________________________________________________

Setting a value

A value can be set using "echo":
______________________________________________________________
# echo "1" >/proc/sys/net/ipv6/conf/all/forwarding
______________________________________________________________

Using "sysctl"

Using "sysctl" to configure the kernel is the currently popular method, and you can use it too.
If the /proc-filesystem is not mounted, you only have access to /proc/sys/*.

The "sysctl" program is part of the "procps" package (on Red Hat Linux systems).

The sysctl interface has to be enabled in the kernel, which means that the following switch was set at compile time:
______________________________________________________________
CONFIG_SYSCTL=y
______________________________________________________________

Setting a value

A new value can be set (if the entry is writable):
______________________________________________________________
# sysctl -w net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.forwarding = 1
______________________________________________________________
Do not put spaces around the "=". When an entry takes several values, quote them as in the following example:
______________________________________________________________
# sysctl -w net.ipv4.ip_local_port_range="32768 61000"
net.ipv4.ip_local_port_range = 32768 61000
______________________________________________________________

In addition

sysctl can use "/" in place of ".". See the sysctl manpage for details.

Hint: to find a setting quickly, combine the "-a" option with grep.

11.2 Value types in the /proc-filesystem

  * BOOLEAN: simply a "0" (false) or a "1" (true)
  * INTEGER: an integer value, can be unsigned, too
  * more sophisticated lines with several values: sometimes a header line is displayed as well; if not, have a look into the kernel source to find out what each value means...

11.3 Entries in /proc/sys/net/ipv6/

conf/default/*

Change the interface-specific default settings.

conf/all/*

Change all the interface-specific settings.

Exception: "conf/all/forwarding" has a different meaning here.

conf/all/forwarding

  * Type: BOOLEAN

This enables global IPv6 forwarding between all interfaces.

In IPv6 you cannot control forwarding per device; forwarding control has to be done with IPv6-netfilter.

When the value is "0", packet forwarding is disabled and packets never leave their interface (physical or virtual, such as a tunnel). When the value is "1", packet forwarding is enabled.

conf/interface/*

Change the settings of a single interface. Some of them depend on whether local forwarding is enabled or not.

accept_ra

  * Type: BOOLEAN
  * Functional default: enabled if local forwarding is disabled. disabled if local forwarding is enabled.

Accept IPv6 Router Advertisements and autoconfigure using the information received.

accept_redirects

  * Type: BOOLEAN
  * Functional default: enabled if local forwarding is disabled. disabled if local forwarding is enabled.

Accept Redirects sent by an IPv6 router.
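The functional defaults above can be checked on a running system. The following is an added example, not part of the HOWTO, that reports interfaces which forward packets but still accept Router Advertisements or Redirects; the function names and the sample values are this example's own, and the directory argument exists so the check can be run against a copy of the tree.

```shell
#!/bin/sh
# Added example (not from the HOWTO): compare per-interface IPv6 settings with the
# host/router behaviour described above. Function names and the sample values
# are this example's own.

# read_num FILE -> prints the non-negative integer stored in FILE, fails otherwise
read_num() {
    [ -r "$1" ] || return 1
    num=$(cat "$1") || return 1
    case $num in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$num"
}

# audit_ipv6_conf [CONF_ROOT]
# Prints one line per finding. Status: 0 = no findings, 1 = findings,
# 2 = CONF_ROOT is not a directory.
audit_ipv6_conf() (
    root=${1:-/proc/sys/net/ipv6/conf}
    [ -d "$root" ] || exit 2
    findings=0 hosts=0 routers=0
    for dir in "$root"/*; do
        [ -d "$dir" ] || continue
        name=${dir##*/}
        fwd=$(read_num "$dir/forwarding") || continue
        # "all" and "default" are templates, not interfaces
        case $name in
            all|default) ;;
            *) if [ "$fwd" -ne 0 ]; then routers=$((routers + 1)); else hosts=$((hosts + 1)); fi ;;
        esac
        [ "$fwd" -ne 0 ] || continue
        # Router behaviour: advertisements and redirects are expected to be off
        for key in accept_ra accept_redirects; do
            val=$(read_num "$dir/$key") || continue
            if [ "$val" -ne 0 ]; then
                echo "$name: forwarding=$fwd but $key=$val"
                findings=$((findings + 1))
            fi
        done
    done
    if [ "$hosts" -gt 0 ] && [ "$routers" -gt 0 ]; then
        echo "mixed host/router setup: $routers forwarding, $hosts non-forwarding interfaces"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
)

# put_if ROOT NAME FORWARDING ACCEPT_RA ACCEPT_REDIRECTS: write one constructed entry
put_if() {
    mkdir -p "$1/$2"
    echo "$3" > "$1/$2/forwarding"
    echo "$4" > "$1/$2/accept_ra"
    echo "$5" > "$1/$2/accept_redirects"
}

# make_sample_conf DIR: constructed values, not taken from a real system
make_sample_conf() {
    put_if "$1" all 1 0 0
    # forwarding interface that still accepts advertisements and redirects
    put_if "$1" eth0 1 1 1
    # host behaviour on the same machine
    put_if "$1" eth1 0 1 1
    put_if "$1" sit1 1 0 0
}

# Demo on the constructed tree; on a live system call audit_ipv6_conf without arguments.
demo_dir=$(mktemp -d)
if [ -n "$demo_dir" ]; then
    make_sample_conf "$demo_dir"
    audit_ipv6_conf "$demo_dir" || echo "findings reported"
    rm -rf "$demo_dir"
fi
```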
autoconf

  * Type: BOOLEAN
  * Default: TRUE

Configure link-local addresses using the L2 hardware address. For example, this generates an address such as "fe80::201:23ff:fe45:6789" automatically from the L2 MAC address of the interface.

dad_transmits

  * Type: INTEGER
  * Default: 1

The number of duplicate address detection probes to send.

forwarding

  * Type: BOOLEAN
  * Default: FALSE if global forwarding is disabled (default), otherwise TRUE

Configure interface-specific host/router behaviour.

Note: it is recommended to use the same setting on all interfaces; mixed router/host setups are rather uncommon.

  * Value FALSE: By default, host behaviour is assumed. This means:
      + The IsRouter flag is not set in Neighbour Advertisements.
      + Router Solicitations are sent when necessary.
      + If accept_ra is TRUE (default), Router Advertisements are accepted.
      + If accept_redirects is TRUE (default), Redirects are accepted.
  * Value TRUE: If local forwarding is enabled, router behaviour is assumed. This is the opposite of the above:
      + The IsRouter flag is set in Neighbour Advertisements.
      + Router Solicitations are not sent.
      + Router Advertisements are ignored.
      + Redirects are ignored.

hop_limit

  * Type: INTEGER
  * Default: 64

Default hop limit.

mtu

  * Type: INTEGER
  * Default: 1280 (the minimum required by IPv6)

Default maximum transfer unit.

router_solicitation_delay

  * Type: INTEGER
  * Default: 1

Time in seconds that the interface waits before sending Router Solicitations.

router_solicitation_interval

  * Type: INTEGER
  * Default: 4

Time in seconds to wait between Router Solicitations.

router_solicitations

  * Type: INTEGER
  * Default: 3

Number of Router Solicitations to send before assuming that no routers are present.

neigh/default/*

Change default settings for neighbor detection and some special global interval and threshold values:

gc_thresh1

  * Type: INTEGER
  * Default: 128

More to be filled.

gc_thresh2

  * Type: INTEGER
  * Default: 512

More to be filled.

gc_thresh3

  * Type: INTEGER
  * Default: 1024

Tuning parameter for the neighbor table size.

Increase this value if you have many interfaces or if routing behaves strangely, or if a running Zebra (routing daemon) reports:
______________________________________________________________
ZEBRA: netlink-listen error: No buffer space available, type=RTM_NEWROUTE(24), seq=426, pid=0
______________________________________________________________

gc_interval

  * Type: INTEGER
  * Default: 30

More to be filled.

neigh/interface/*

Change special settings per interface for neighbor detection.

anycast_delay

  * Type: INTEGER
  * Default: 100

More to be filled.

gc_stale_time

  * Type: INTEGER
  * Default: 60

More to be filled.

proxy_qlen

  * Type: INTEGER
  * Default: 64

More to be filled.

unres_qlen

  * Type: INTEGER
  * Default: 3

More to be filled.
app_solicit

  * Type: INTEGER
  * Default: 0

More to be filled.

locktime

  * Type: INTEGER
  * Default: 0

More to be filled.

retrans_time

  * Type: INTEGER
  * Default: 100

More to be filled.

base_reachable_time

  * Type: INTEGER
  * Default: 30

More to be filled.

mcast_solicit

  * Type: INTEGER
  * Default: 3

More to be filled.

ucast_solicit

  * Type: INTEGER
  * Default: 3

More to be filled.

delay_first_probe_time

  * Type: INTEGER
  * Default: 5

More to be filled.

proxy_delay

  * Type: INTEGER
  * Default: 80

More to be filled.

route/*

Global routing settings.

flush

Removed in newer kernel releases - more to be filled.

gc_interval

  * Type: INTEGER
  * Default: 30

More to be filled.

gc_thresh

  * Type: INTEGER
  * Default: 1024

More to be filled.

mtu_expires

  * Type: INTEGER
  * Default: 600

More to be filled.

gc_elasticity

  * Type: INTEGER
  * Default: 0

More to be filled.

gc_min_interval

  * Type: INTEGER
  * Default: 5

More to be filled.

gc_timeout

  * Type: INTEGER
  * Default: 60

More to be filled.

min_adv_mss

  * Type: INTEGER
  * Default: 12

More to be filled.

max_size

  * Type: INTEGER
  * Default: 4096

More to be filled.

11.4 IPv6-related entries in /proc/sys/net/ipv4/

At the moment (until IPv4 has been turned completely into a kernel module), some switches here are also used for IPv6.

ip_*

ip_local_port_range

This is also used for IPv6.

tcp_*

These are also used for IPv6.

icmp_*

These are not used for IPv6. To enable ICMPv6 rate limiting (strongly recommended, because it protects against ICMPv6 storms), netfilter-v6 rules must be used.

Others

Unknown, but probably not used for IPv6.

11.5 IPv6-related entries in /proc/net/

These entries are read-only. You cannot retrieve the information using "sysctl"; use "cat" instead.

if_inet6

Type: one line per address, containing multiple values.

IPv6 addresses are displayed here in a special format. The example shows only the loopback interface; the meaning of the fields is given below.
______________________________________________________________
# cat /proc/net/if_inet6
00000000000000000000000000000001 01 80 10 80 lo
+------------------------------+ ++ ++ ++ ++ ++
|                                |  |  |  |  |
1                                2  3  4  5  6
______________________________________________________________
 1. IPv6 address displayed as 32 hexadecimal characters without colons
 2. Device number (interface index) in hexadecimal
 3. Prefix length in hexadecimal
 4. Scope value (see kernel source "include/net/ipv6.h" and "net/ipv6/addrconf.c" for more)
 5. Interface flags (see "include/linux/rtnetlink.h" and "net/ipv6/addrconf.c" for more)
 6. Device name

ipv6_route

Type: one line per route, containing multiple values.

IPv6 addresses are displayed here in a special format. The example shows only the loopback interface; the meaning of the fields is given below. Each route is a single line in the file and is shown here in two parts.
______________________________________________________________
# cat /proc/net/ipv6_route
00000000000000000000000000000000 00 00000000000000000000000000000000 00
+------------------------------+ ++ +------------------------------+ ++
|                                |  |                                |
1                                2  3                                4

00000000000000000000000000000000 ffffffff 00000001 00000001 00200200 lo
+------------------------------+ +------+ +------+ +------+ +------+ ++
|                                |        |        |        |        |
5                                6        7        8        9        10
______________________________________________________________
 1. IPv6 destination network displayed as 32 hexadecimal characters without colons
 2. IPv6 destination prefix length in hexadecimal
 3. IPv6 source network displayed as 32 hexadecimal characters without colons
 4. IPv6 source prefix length in hexadecimal
 5. IPv6 next hop displayed as 32 hexadecimal characters without colons
 6. Metric in hexadecimal
 7. Reference counter
 8. Use counter
 9. Flags
10. Device name

sockstat6

Type: one line per statistic, containing multiple values.

Statistics about IPv6 sockets:
______________________________________________________________
# cat /proc/net/sockstat6
TCP6: inuse 7
UDP6: inuse 2
RAW6: inuse 1
FRAG6: inuse 0 memory 0
______________________________________________________________

tcp6

To be filled.

udp6

To be filled.

igmp6

To be filled.

raw6

To be filled.

ip6_flowlabel

To be filled.

rt6_stats

To be filled.

snmp6

Type: One line per SNMP description and value

SNMP statistics, can be retrieved via SNMP server and related MIB table by network management software.

ip6_tables_names

Available netfilter6 tables

12. Netlink-Interface to kernel

To be filled... I have no experience with that...

13. Network debugging

13.1 Server socket binding

13.2 Using "netstat" for server socket binding check

Using "netstat" is a quick way to get this information.

Options used: -nlptu

Example:
______________________________________________________________
# netstat -nlptu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN      1258/rpc.statd
tcp        0      0 0.0.0.0:32769           0.0.0.0:*               LISTEN      1502/rpc.mountd
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN      22433/lpd Waiting
tcp        0      0 1.2.3.1:139             0.0.0.0:*               LISTEN      1746/smbd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1230/portmap
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      3551/X
tcp        0      0 1.2.3.1:8081            0.0.0.0:*               LISTEN      18735/junkbuster
tcp        0      0 1.2.3.1:3128            0.0.0.0:*               LISTEN      18822/(squid)
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      30734/named
tcp        0      0 ::ffff:1.2.3.1:993      :::*                    LISTEN      6742/xinetd-ipv6
tcp        0      0 :::13                   :::*                    LISTEN      6742/xinetd-ipv6
tcp        0      0 ::ffff:1.2.3.1:143      :::*                    LISTEN      6742/xinetd-ipv6
tcp        0      0 :::53                   :::*                    LISTEN      30734/named
tcp        0      0 :::22                   :::*                    LISTEN      1410/sshd
tcp        0      0 :::6010                 :::*                    LISTEN      13237/sshd
udp        0      0 0.0.0.0:32768           0.0.0.0:*                           1258/rpc.statd
udp        0      0 0.0.0.0:2049            0.0.0.0:*                           -
udp        0      0 0.0.0.0:32770           0.0.0.0:*                           1502/rpc.mountd
udp        0      0 0.0.0.0:32771           0.0.0.0:*                           -
udp        0      0 1.2.3.1:137             0.0.0.0:*                           1751/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           1751/nmbd
udp        0      0 1.2.3.1:138             0.0.0.0:*                           1751/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           1751/nmbd
udp        0      0 0.0.0.0:33044           0.0.0.0:*                           30734/named
udp        0      0 1.2.3.1:53              0.0.0.0:*                           30734/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           30734/named
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1530/dhcpd
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1530/dhcpd
udp        0      0 0.0.0.0:32858           0.0.0.0:*                           18822/(squid)
udp        0      0 0.0.0.0:4827            0.0.0.0:*                           18822/(squid)
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1230/portmap
udp        0      0 :::53                   :::*                                30734/named
______________________________________________________________

13.3 Examples for tcpdump packet dumps

Here are some examples of captured packets... next time I will collect some more...

Router discovery

Router advertisement
______________________________________________________________
15:43:49.484751 fe80::212:34ff:fe12:3450 > ff02::1: icmp6: router
  advertisement(chlim=64, router_ltime=30, reachable_time=0,
  retrans_time=0)(prefix info: AR valid_ltime=30, preffered_ltime=20,
  prefix=2002:0102:0304:1::/64)(prefix info: LAR valid_ltime=2592000,
  preffered_ltime=604800, prefix=3ffe:ffff:0:1::/64)(src lladdr:
  0:12:34:12:34:50) (len 88, hlim 255)
______________________________________________________________
The router with link-local address "fe80::212:34ff:fe12:3450" sends an advertisement to the all-node-on-link multicast address "ff02::1". It contains the router's own layer 2 MAC address "0:12:34:12:34:50" and two prefixes, "2002:0102:0304:1::/64" (lifetime 30 s) and "3ffe:ffff:0:1::/64" (lifetime 2592000 s).

Router solicitation
______________________________________________________________
15:44:21.152646 fe80::212:34ff:fe12:3456 > ff02::2: icmp6: router solicitation
  (src lladdr: 0:12:34:12:34:56) (len 16, hlim 255)
______________________________________________________________
The node with link-local address "fe80::212:34ff:fe12:3456" and layer 2 MAC address "0:12:34:12:34:56" is looking for a router on the link, so it sends a solicitation to the all-router-on-link multicast address "ff02::2".

Neighbor discovery

Neighbor discovery solicitation for duplicate address detection

The following packets are sent by a node with layer 2 MAC address "0:12:34:12:34:56" during autoconfiguration, to the solicited-node link-local multicast address, to check whether a potential address is already used by another node on the link.

  * The node wants to use "fe80::212:34ff:fe12:3456" as its link-local address and checks for a duplicate.
______________________________________________________________
15:44:17.712338 :: > ff02::1:ff12:3456: icmp6: neighbor sol: who has
  fe80::212:34ff:fe12:3456(src lladdr: 0:12:34:12:34:56) (len 32, hlim 255)
______________________________________________________________
  * The node wants to use "2002:0102:0304:1:212:34ff:fe12:3456" as a global address (after receiving the advertisement shown above) and checks for a duplicate.
______________________________________________________________
15:44:21.905596 :: > ff02::1:ff12:3456: icmp6: neighbor sol: who has
  2002:0102:0304:1:212:34ff:fe12:3456(src lladdr: 0:12:34:12:34:56) (len 32,
  hlim 255)
______________________________________________________________
  * The node wants to use "3ffe:ffff:0:1:212:34ff:fe12:3456" as a global address (after receiving the advertisement shown above) and checks for a duplicate.
______________________________________________________________
15:44:22.304028 :: > ff02::1:ff12:3456: icmp6: neighbor sol: who has 3ffe:ffff:0:1:212:34ff:fe12:3456(src lladdr: 0:12:34:12:34:56) (len 32, hlim 255)
______________________________________________________________

Neighbor discovery solicitation for looking for host or gateway

* The node wants to send packets to "3ffe:ffff:0:1::10" but does not know the layer 2 MAC address to send them to, so it sends a solicitation:
______________________________________________________________
13:07:47.664538 2002:0102:0304:1:2e0:18ff:fe90:9205 > ff02::1:ff00:10: icmp6: neighbor sol: who has 3ffe:ffff:0:1::10(src lladdr: 0:e0:18:90:92:5) (len 32, hlim 255)
______________________________________________________________

* The node now looks for "fe80::10":
______________________________________________________________
13:11:20.870070 fe80::2e0:18ff:fe90:9205 > ff02::1:ff00:10: icmp6: neighbor sol: who has fe80::10(src lladdr: 0:e0:18:90:92:5) (len 32, hlim 255)
______________________________________________________________

14. Support for persistent IPv6 configuration in Linux distributions

14.1 Red Hat Linux and "clones"

Since I started writing the [33]IPv6 & Linux - HowTo, I have intended to set up a persistent IPv6 configuration covering: host-only, router-only, dual-homed-host, router with second stub network, normal tunnels, 6to4 tunnels and others. I have now written a set of configuration and script files for this. The scripts have their own HOWTO: [34]IPv6-HOWTO/scripts/current. Fortunately, Red Hat Linux has included these scripts since 7.1, thanks to the help of Pekka Savola.

14.2 Mandrake Linux

Since 8.0 it also includes an IPv6-enabled initscript package, but with a small problem ("ifconfig" misses "inet6" before "add").

Test for IPv6 support of the network configuration scripts

The script library should exist:
______________________________________________________________
/etc/sysconfig/network-scripts/network-functions-ipv6
______________________________________________________________

Automatic test:
______________________________________________________________
# test -f /etc/sysconfig/network-scripts/network-functions-ipv6 && echo "Main IPv6 script library exists"
______________________________________________________________

The version of the library is important; higher versions contain more features. You can check it with:
______________________________________________________________
# source /etc/sysconfig/network-scripts/network-functions-ipv6 && getversion_ipv6_functions
20011124
______________________________________________________________

Short hint for enabling IPv6 on current RHL 7.1, 7.2, 7.3, ...

* Check whether the IPv6 module is already loaded on the system:
______________________________________________________________
# modprobe -c | grep net-pf-10
alias net-pf-10 off
______________________________________________________________

* If the result is "off", enable IPv6 support by adding the following line to /etc/sysconfig/network:
______________________________________________________________
NETWORKING_IPV6=yes
______________________________________________________________

* Restart networking:
______________________________________________________________
# service network restart
______________________________________________________________

* The IPv6 module should now be loaded:
______________________________________________________________
# modprobe -c | grep ipv6
alias net-pf-10 ipv6
______________________________________________________________

If router advertisements are provided, autoconfiguration will set things up for you automatically. For more information see /usr/share/doc/initscripts-$version/sysconfig.txt.

14.3 SuSE Linux

Versions 7.x and later support IPv6. More information is in /etc/rc.config. Because the configuration method and the script structure differ, the Red Hat Linux approach cannot be copied over as is. For more detailed information see: [35]How to setup 6to4 IPv6 with SuSE 7.3

14.4 Debian Linux

See: [36]IPv6 on Debian Linux

15. Firewalling

15.1 Firewalling using netfilter6

netfilter6 firewalling is supported only by kernel 2.4 and later. On the older 2.2 kernels you can only filter IPv6-in-IPv4 by protocol 41.

Warning: setting things up exactly as in the examples will not really protect your system.
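Before writing filter rules it helps to know which listeners in a "netstat -nlptu" listing, such as the one in section 13.2, can actually be reached over IPv6. The following Python code is an added example, not part of the original HOWTO; the function names are assumptions chosen here, and the sample rows are copied from that listing.

```python
import ipaddress

# Sample input: rows copied from the "netstat -nlptu" listing in section 13.2,
# with the wrapped PID/Program column joined back onto each row.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN      22433/lpd Waiting
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      30734/named
tcp        0      0 ::ffff:1.2.3.1:993      :::*                    LISTEN      6742/xinetd-ipv6
tcp        0      0 :::13                   :::*                    LISTEN      6742/xinetd-ipv6
tcp        0      0 :::22                   :::*                    LISTEN      1410/sshd
udp        0      0 1.2.3.1:53              0.0.0.0:*                           30734/named
udp        0      0 :::53                   :::*                                30734/named
"""


def parse_listener(line):
    """Parse one netstat row; return None for headers and unparsable lines."""
    fields = line.split()
    if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
        return None
    # The port follows the LAST colon, so ":::22" splits into "::" and "22".
    host, _, port = fields[3].rpartition(":")
    try:
        addr = ipaddress.ip_address(host)
        port = int(port)
    except ValueError:
        return None
    # TCP rows carry a State column (LISTEN); UDP rows do not.
    prog_index = 6 if fields[0].startswith("tcp") else 5
    program = fields[prog_index] if len(fields) > prog_index else "-"
    name = program.split("/", 1)[1] if "/" in program else program
    return {"proto": fields[0], "addr": addr, "port": port, "program": name}


def classify(addr):
    """Name the kind of local address a socket is bound to."""
    if addr.version == 4:
        if addr.is_unspecified:
            return "ipv4-any"
        return "ipv4-loopback" if addr.is_loopback else "ipv4-specific"
    if addr.ipv4_mapped is not None:
        # IPv6 socket bound to ::ffff:a.b.c.d, reachable over IPv4 only.
        return "ipv4-mapped"
    if addr.is_unspecified:
        # "::" accepts connections on every IPv6 address of the host.
        return "ipv6-any"
    return "ipv6-loopback" if addr.is_loopback else "ipv6-specific"


def ipv6_reachable(listing):
    """Return (proto, port, program) for sockets reachable over IPv6 from the network."""
    found = []
    for line in listing.splitlines():
        row = parse_listener(line)
        if row and classify(row["addr"]) in ("ipv6-any", "ipv6-specific"):
            found.append((row["proto"], row["port"], row["program"]))
    return found


if __name__ == "__main__":
    for proto, port, program in ipv6_reachable(SAMPLE):
        print(f"{proto}/{port} ({program}) needs an ip6tables decision")
```

Every entry it returns is a service that the IPv4 ruleset does not cover, so it needs its own ip6tables rule.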
15.2 More information:

* [37]Netfilter project
* [38]maillist archive of netfilter users
* [39]maillist archive of netfilter developers
* [40]Unofficial status informations

15.3 Preparation

Download the latest kernel: [41]http://www.kernel.org/

Download the latest iptables:

tar: [42]http://www.netfilter.org/

Source RPM for rebuild of binary (for RedHat systems): [43]ftp://ftp.redhat.com/redhat/linux/rawhide/SRPMS/SRPMS/

Extract sources

Extract the kernel source and rename the directory:
______________________________________________________________
# tar z|jxf kernel-version.tar.gz|bz2
# mv linux linux-version-iptables-version+IPv6
______________________________________________________________

Extract the iptables source:
______________________________________________________________
# tar z|jxf iptables-version.tar.gz|bz2
______________________________________________________________

Apply pending patches:
______________________________________________________________
# make pending-patches KERNEL_DIR=/path/to/src/linux-version-iptables-version/
______________________________________________________________

Apply additional IPv6 related patches (still not included in the vanilla kernel):
______________________________________________________________
# make patch-o-matic KERNEL_DIR=/path/to/src/linux-version-iptables-version/
______________________________________________________________

Answer yes to the following options:

* ah-esp.patch
* masq-dynaddr.patch (only needed for systems with dynamic IP assigned WAN connections like PPP or PPPoE)
* ipv6-agr.patch.ipv6
* ipv6-ports.patch.ipv6
* LOG.patch.ipv6
* REJECT.patch.ipv6

Check the IPv6 extensions:
______________________________________________________________
# make print-extensions
Extensions found: IPv6:owner IPv6:limit IPv6:mac IPv6:multiport
______________________________________________________________

Configure, build and install new kernel

Change to the source directory:
______________________________________________________________
# cd /path/to/src/linux-version-iptables-version/
______________________________________________________________

Edit the Makefile:
______________________________________________________________
- EXTRAVERSION =
+ EXTRAVERSION = -iptables-version+IPv6-try
______________________________________________________________

Run configure and enable the IPv6-related options:
______________________________________________________________
Code maturity level options
  Prompt for development and/or incomplete code/drivers : yes
Networking options
  Network packet filtering: yes
  The IPv6 protocol: module
  IPv6: Netfilter Configuration
    IP6 tables support: module
    All new options like following:
      limit match support: module
      MAC address match support: module
      Multiple port match support: module
      Owner match support: module
      netfilter MARK match support: module
      Aggregated address check: module
      Packet filtering: module
        REJECT target support: module
        LOG target support: module
      Packet mangling: module
      MARK target support: module
______________________________________________________________

Adjust the other settings for your system accordingly.

Rebuild and install binaries of iptables

Make sure that your kernel source is available at /usr/src/linux/

Rename older directory:
______________________________________________________________
# mv /usr/src/linux /usr/src/linux.old
______________________________________________________________

Create a new softlink:
______________________________________________________________
# ln -s /path/to/src/linux-version-iptables-version /usr/src/linux
______________________________________________________________

Rebuild SRPMS:
______________________________________________________________
# rpm --rebuild /path/to/SRPMS/iptables-version-release.src.rpm
______________________________________________________________

Install new iptables packages (iptables + iptables-ipv6)

* On RH 7.1 systems an older version is normally already installed, therefore use "freshen":
______________________________________________________________
# rpm -Fhv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
______________________________________________________________

* If it is not installed yet, install it yourself:
______________________________________________________________
# rpm -ihv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
______________________________________________________________

* When installing on RH 6.2, add "--nodeps":
______________________________________________________________
# rpm -ihv --nodeps /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
______________________________________________________________

* It may be necessary to add a softlink for iptables:
______________________________________________________________
# ln -s /lib/iptables/ /usr/lib/iptables
______________________________________________________________

15.4 Usage

Check for support

Load the module:
______________________________________________________________
# modprobe ip6_tables
______________________________________________________________

Check:
______________________________________________________________
# [ ! -f /proc/net/ip6_tables_names ] && echo "Current kernel doesn't support 'ip6tables' firewalling (IPv6)!"
______________________________________________________________

15.5 Using ip6tables

List all IPv6 netfilter entries

Short:
# ip6tables -L

Extended:
# ip6tables -n -v --line-numbers -L

List specified filter:
# ip6tables -n -v --line-numbers -L INPUT

Add a logging rule:
# ip6tables --table filter --append INPUT -j LOG --log-prefix "INPUT:" --log-level 7

Add a rule that drops incoming traffic:
# ip6tables --table filter --append INPUT -j DROP

Remove a rule:
# ip6tables --table filter --delete INPUT 1

Allow ICMPv6

Using older kernels (unpatched kernel 2.4.5 and iptables-1.2.2) no type can be specified.

Allow incoming ICMPv6 through tunnels:
# ip6tables -A INPUT -i sit+ -p icmpv6 -j ACCEPT

Allow outgoing ICMPv6 through tunnels:
# ip6tables -A OUTPUT -o sit+ -p icmpv6 -j ACCEPT

Newer kernels allow specifying of ICMPv6 types:
# ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT

Rate-limiting

Because an ICMPv6 storm can arise (the author has already seen it two times), you should use the available rate limiting for at least the ICMPv6 ruleset.
In addition, logging rules should also be rate-limited to prevent DoS attacks against syslog and the partition that stores the log files. An example of a rate-limited ICMPv6 rule looks like:
# ip6tables -A INPUT --protocol icmpv6 --icmpv6-type echo-request -j ACCEPT --match limit --limit 30/minute

Allow incoming SSH

Here an example is shown for a ruleset which allows incoming SSH connections from a specified IPv6 address.

Allow incoming SSH from 3ffe:ffff:100::1/128:
# ip6tables -A INPUT -i sit+ -p tcp -s 3ffe:ffff:100::1/128 --sport 512:65535 --dport 22 -j ACCEPT

Allow response packets (at the moment IPv6 connection tracking is not implemented in mainstream netfilter6):
# ip6tables -A OUTPUT -o sit+ -p tcp -d 3ffe:ffff:100::1/128 --dport 512:65535 --sport 22 ! --syn -j ACCEPT

Allow tunneled IPv6-in-IPv4

To accept tunneled IPv6-in-IPv4 packets, add rules relating to such packets to your IPv4 firewall setup, for example:

Allow incoming IPv6-in-IPv4 on interface ppp0:
# iptables -A INPUT -i ppp0 -p ipv6 -j ACCEPT

Allow outgoing IPv6-in-IPv4 on interface ppp0:
# iptables -A OUTPUT -o ppp0 -p ipv6 -j ACCEPT

If you have only a static tunnel, you can specify the IPv4 addresses, too, like:

Allow incoming IPv6-in-IPv4 on interface ppp0 from tunnel endpoint 1.2.3.4:
# iptables -A INPUT -i ppp0 -p ipv6 -s 1.2.3.4 -j ACCEPT

Allow outgoing IPv6-in-IPv4 on interface ppp0 to tunnel endpoint 1.2.3.4:
# iptables -A OUTPUT -o ppp0 -p ipv6 -d 1.2.3.4 -j ACCEPT

Protection against incoming TCP connection requests

VERY RECOMMENDED! For security reasons you should add a rule that blocks incoming TCP connection requests. Adapt the "-i" option if other interface names are in use!

Block incoming TCP connection requests:
# ip6tables -I INPUT -i sit+ -p tcp --syn -j DROP

Block incoming TCP connection requests to hosts behind the router:
# ip6tables -I FORWARD -i sit+ -p tcp --syn -j DROP

Perhaps these rules already exist somewhere else, but do not take that for granted. It is best to create a script that contains all the rules and then execute it.

Protection against incoming UDP connection requests

VERY RECOMMENDED! As mentioned in my firewall information, it is possible to control the ports of outgoing UDP/TCP sessions. So if your local IPv6 systems use local ports, e.g. from 32768 to 60999, you can also filter UDP connections (until connection tracking works) like this:

Block incoming UDP packets that cannot be responses to outgoing requests of this host:
# ip6tables -I INPUT -i sit+ -p udp ! --dport 32768:60999 -j DROP

On the router, block incoming UDP packets from being forwarded to hosts behind the router:
# ip6tables -I FORWARD -i sit+ -p udp ! --dport 32768:60999 -j DROP

Example

The following is a classic example, generated by "Happy netfilter6 ruleset":
______________________________________________________________
# ip6tables -n -v -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 extIN      all      sit+   *       ::/0                 ::/0
    4   384 intIN      all      eth0   *       ::/0                 ::/0
    0     0 ACCEPT     all      *      *       ::1/128              ::1/128
    0     0 ACCEPT     all      lo     *       ::/0                 ::/0
    0     0 LOG        all      *      *       ::/0                 ::/0               LOG flags 0 level 7 prefix `INPUT-default:'
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 int2ext    all      eth0   sit+    ::/0                 ::/0
    0     0 ext2int    all      sit+   eth0    ::/0                 ::/0
    0     0 LOG        all      *      *       ::/0                 ::/0               LOG flags 0 level 7 prefix `FORWARD-default:'
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 extOUT     all      *      sit+    ::/0                 ::/0
    4   384 intOUT     all      *      eth0    ::/0                 ::/0
    0     0 ACCEPT     all      *      *       ::1/128              ::1/128
    0     0 ACCEPT     all      *      lo      ::/0                 ::/0
    0     0 LOG        all      *      *       ::/0                 ::/0               LOG flags 0 level 7 prefix `OUTPUT-default:'
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain ext2int (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0               tcp spts:1:65535 dpts:1024:65535 flags:!0x16/0x02
    0     0 LOG        all      *      *       ::/0                 ::/0               LOG flags 0 level 7 prefix `ext2int-default:'
    0     0 DROP       tcp      *      *       ::/0                 ::/0
    0     0 DROP       udp      *      *       ::/0                 ::/0
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain extIN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp      *      *       3ffe:400:100::1/128  ::/0               tcp spts:512:65535 dpt:22
    0     0 ACCEPT     tcp      *      *       3ffe:400:100::2/128  ::/0               tcp spts:512:65535 dpt:22
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0               tcp spts:1:65535 dpts:1024:65535 flags:!0x16/0x02
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0               udp spts:1:65535 dpts:1024:65535
    0     0 LOG        all      *      *       ::/0                 ::/0               limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `extIN-default:'
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain extOUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp      *      *       ::/0                 3ffe:ffff:100::1/128tcp spt:22 dpts:512:65535 flags:!0x16/0x02
    0     0 ACCEPT     tcp      *      *       ::/0                 3ffe:ffff:100::2/128tcp spt:22 dpts:512:65535 flags:!0x16/0x02
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0               tcp spts:1024:65535 dpts:1:65535
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0               udp spts:1024:65535 dpts:1:65535
    0     0 LOG        all      *      *       ::/0                 ::/0               LOG flags 0 level 7 prefix `extOUT-default:'
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain int2ext (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0               tcp spts:1024:65535 dpts:1:65535
    0     0 LOG        all      *      *       ::/0                 ::/0               LOG flags 0 level 7 prefix `int2ext:'
    0     0 DROP       all      *      *       ::/0                 ::/0
    0     0 LOG        all      *      *       ::/0                 ::/0               LOG flags 0 level 7 prefix `int2ext-default:'
    0     0 DROP       tcp      *      *       ::/0                 ::/0
    0     0 DROP       udp      *      *       ::/0                 ::/0
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain intIN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      *       ::/0                 fe80::/ffc0::
    4   384 ACCEPT     all      *      *       ::/0                 ff02::/16

Chain intOUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      *       ::/0                 fe80::/ffc0::
    4   384 ACCEPT     all      *      *       ::/0                 ff02::/16
    0     0 LOG        all      *      *       ::/0                 ::/0               LOG flags 0 level 7 prefix `intOUT-default:'
    0     0 DROP       all      *      *       ::/0                 ::/0
______________________________________________________________

16. Security

16.1 Access limitations

Many services use the tcp_wrapper library for access control. Below is described the use of tcp_wrapper.

To be filled...

16.2 IPv6 security auditing

Currently there are no really good commercial tools for this.

Legal issues

WARNING: scan only your own systems, otherwise you may run into legal trouble. Before you start, check the IPv6 destination addresses you are about to scan TWICE!
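An audit can cover the firewall itself as well. The following Python code is an added example, not part of the original HOWTO: it reads an "ip6tables -n -v -L" listing like the one in section 15.5 and reports LOG rules and ICMPv6 ACCEPT rules that carry no "limit:" match, which is what the rate-limiting paragraph there recommends. The function names are assumptions chosen here, and the sample is an excerpt of that listing with the wrapped lines joined.

```python
import re

# Sample input: excerpt of the "ip6tables -n -v -L" listing in section 15.5.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 extIN      all      sit+   *       ::/0                 ::/0
    0     0 LOG        all      *      *       ::/0                 ::/0               LOG flags 0 level 7 prefix `INPUT-default:'
    0     0 DROP       all      *      *       ::/0                 ::/0

Chain extIN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp      *      *       3ffe:400:100::1/128  ::/0               tcp spts:512:65535 dpt:22
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0
    0     0 LOG        all      *      *       ::/0                 ::/0               limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `extIN-default:'
    0     0 DROP       all      *      *       ::/0                 ::/0
"""

# Packet and byte counters are plain numbers, or abbreviated such as "12K".
COUNTER = re.compile(r"^\d+[KMGT]?$")


def rules(listing):
    """Yield (chain, number, target, proto, rest) for each rule row.

    number is the rule's position in its chain, the value that
    --line-numbers would print. The listing itself must be taken
    without --line-numbers.
    """
    chain, number = None, 0
    for line in listing.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Chain" and len(fields) > 1:
            chain, number = fields[1], 0
        elif (chain and len(fields) >= 4
              and COUNTER.match(fields[0]) and COUNTER.match(fields[1])):
            number += 1
            yield chain, number, fields[2], fields[3], " ".join(fields[4:])


def missing_rate_limit(listing):
    """Return (chain, number, target, proto) for rules that should be limited."""
    findings = []
    for chain, number, target, proto, rest in rules(listing):
        # Section 15.5: rate-limit logging rules and at least the ICMPv6 ruleset.
        wants_limit = target == "LOG" or (target == "ACCEPT" and proto == "icmpv6")
        if wants_limit and "limit:" not in rest:
            findings.append((chain, number, target, proto))
    return findings


if __name__ == "__main__":
    for chain, number, target, proto in missing_rate_limit(SAMPLE_LISTING):
        print(f"chain {chain} rule {number}: {target} ({proto}) has no rate limit")
```

In the excerpt only the LOG rule in chain extIN passes; the LOG rule in INPUT and the ICMPv6 ACCEPT rule in extIN are reported.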
16.3 Security auditing using IPv6-enabled netcat

For details about IPv6-enabled netcat see: [44]IPv6?status-apps/security-auditing

Example:
______________________________________________________________
# nc6 ::1 daytime
13 JUL 2002 11:22:22 CEST
______________________________________________________________

16.4 Security auditing using IPv6-enabled nmap

One of the best scanning programs in the world. Its homepage: [45]http://www.insecure.org/nmap/

IPv6 is supported since version 3.10ALPHA1.

Example:
______________________________________________________________
# nmap -6 -sT ::1
Starting nmap V. 3.10ALPHA3 ( www.insecure.org/nmap/ )
Interesting ports on localhost6 (::1):
(The 1600 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
53/tcp     open        domain
515/tcp    open        printer
2401/tcp   open        cvspserver

Nmap run completed -- 1 IP address (1 host up) scanned in 0.525 seconds
______________________________________________________________

16.5 Security auditing using IPv6-enabled strobe

Strobe is less flexible than NMap, but an IPv6-enabling patch already exists (see IPv6?status-apps/security-auditing for more). Usage example:
______________________________________________________________
# ./strobe ::1
strobe 1.05 (c) 1995-1999 Julian Assange.
::1 2401 unassigned unknown
::1 22 ssh Secure Shell - RSA encrypted rsh
::1 515 printer spooler (lpd)
::1 6010 unassigned unknown
::1 53 domain Domain Name Server
______________________________________________________________

16.6 Audit results

If the audit results do not match your IPv6 security policy, close the holes that were found.

17. Encryption and Authentication

Support in kernel

Currently missing in 2.4, perhaps in 2.5 (see below). There is an issue about keeping the Linux kernel source free of export/import-control laws regarding encryption code. This is also one reason why the [46]FreeS/WAN project (IPv4-only IPsec) is still not contained in the vanilla source.
Support in USAGI kernel

In July 2001 the USAGI project took over the IPv6-enabled FreeS/WAN code from the [47]IABG / IPv6 Project and included it in their kernel extensions. This is still work in progress, which means that not all IABG features are working in the USAGI extension yet.

17.1 Usage

See: [48]FreeS/WAN / Online documentation

18. Online test tools

To be filled... suggestions are welcome!

* finger, nslookup, ping, traceroute, whois: [49]UK IPv6 Resource Centre / The test page
* ping, traceroute, tracepath, 6bone registry, DNS: [50]JOIN / Testtools (German language only, but should be no problem for non German speakers)
* traceroute6, whois: [51]IPng.nl

19. Further information

19.1 Online information

Join the IPv6 backbone

IPv6 test backbone: [52]6bone, [53]How to join 6bone

Major regional registries

* America: [54]ARIN [55]Ripe
* Asia/Pacific: [56]APNIC
* Latin America and Caribbean: [57]LACNIC

Also a list of major (prefix length 35) allocations per local registry is available here: [58]Ripe NCC / IPv6 allocations

Tunnel brokers

* [59]Freenet6 Canada
* [60]Hurricane Electric US backbone
* [61]Centro Studi e Laboratory Telecomunicazioni Italy
* [62]Wanadoo Belgium
* [63]CERTNET-Nokia China
* [64]Tunnelbroker Leipzig Germany - Dialup users with dynamic IPs can get a fixed IPv6 IP...
* [65]Internet Initiative Japan Japan - with IPv6 native line service and IPv6 tunneling service
* [66]XS26 - Access to Six Netherland - with POPs in Slovak Republic, Czech Republic, Netherlands, Germany and Hungary.
* [67]IPng Netherland Netherland - Intouch, SurfNet, AMS-IX, UUNet, Cistron, RIPE NCC and AT&T are connected at the AMS-IX. It is possible (there are requirements...) to get a static tunnel.
* [68]UNINETT Norway - Pilot IPv6 Service (for Customers): tunnelbroker & address allocation
* [69]NTT Europe [70]NTT Europe United Kingdom - IPv6 Trial. IPv4 Tunnel and native IPv6 leased line connections.
  POPs are located in London, UK; Dusseldorf, Germany; New Jersey, USA (East Coast); Cupertino, USA (West Coast); Tokyo, Japan
* [71]ESnet USA - Energy Sciences Network: Tunnel Registry & Address Delegation for directly connected ESnet sites and ESnet collaborators.
* [72]6REN USA - The 6ren initiative is being coordinated by the Energy Sciences Network (ESnet), the network for the Energy Research program of the US Dept. of Energy, located at the University of California's Lawrence Berkeley National Laboratory

More IPv6 information: [73]ipv6-net.org

6to4

* [74]NSayer's 6to4 information
* [75]RFC 3068 / An Anycast Prefix for 6to4 Relay Routers

Latest news

* [76]hs247 / IPv6 news and information, also homepage for #ipv6 channel on EFnet
* [77]bofh.st / latest IPv6 news, but currently outdated (Jan 2002), also homepage for IPv6 channel on IRCnet
* [78]ipv6-net.org German forum

Protocol references

* [79]HS247 / IPv6 RFC list

Publishing the list of IPv6-related RFCs is beyond the scope of this document, but the given URLs will lead you to such lists:

* [80]IPng Standardization Status, a little bit out-of-sync at the moment
* [81]IPv6 Related Specifications on IPv6.org

Current drafts related to IPv6:

* [82]IP Version 6 (ipv6)
* [83]Next Generation Transition
* [84]Dynamic Host Configuration
* [85]Domain Name System Extension
* [86]Mobile IP (mobileip)

Others

* [87]Network Sorcery / IPv6, Internet Protocol version 6, IPv6 protocol header
* [88]SWITCH IPv6 Pilot / References, big list of IPv6 references maintained by Simon Leinen
* [89]Advanced Network Management Laboratory / IPv6 Address Oracle, shows you IPv6 addresses in detail

Statistics

* [90]IPv6 routing table history, created by Gert Döring

19.2 More information

More content is expected to be added here; suggestions are welcome!
Linux related

* [91]IPv6-HowTo for Linux by Peter Bieringer - Germany, and his
* [92]Bieringer / IPv6 - software archive
* [93]Linux+IPv6 status by Peter Bieringer Germany
* [94]USAGI project Japan, and their
* [95]USAGI project - software archive
* [96]Gav's Linux IPv6 Page
* [97]Project6 - IPv6 Networking For Linux Italy, and their
* [98]Project6 - software archive

19.3 Mailing lists

Focus: Linux kernel networking including IPv6
  Request e-mail address: majordomo (at) oss.sgi.com
  What to subscribe: netdev
  Maillist e-mail address: netdev (at) oss.sgi.com
  Language: English
  Access through WWW: http://oss.sgi.com/projects/netdev/archive/

Focus: Linux and IPv6 in general (1)
  Request e-mail address: majordomo (at) list.f00f.org
  What to subscribe: linux-ipv6
  Maillist e-mail address: linux-ipv6 (at) list.f00f.org (moderated)
  Language: English

Focus: Mobile IP(v6) for Linux
  Request e-mail address: majordomo (at) list.mipl.mediapoli.com
  What to subscribe: mipl
  Maillist e-mail address: mipl (at) list.mipl.mediapoli.com
  Language: English
  Access through WWW: http://www.mipl.mediapoli.com/mailinglist.html
                      http://www.mipl.mediapoli.com/mail-archive/

Focus: Linux IPv6 users using USAGI extension
  Request e-mail address: usagi-users-ctl (at) linux-ipv6.org
  Maillist e-mail address: usagi-users (at) linux-ipv6.org
  Language: English
  Access through WWW: http://www.mipl.mediapoli.com/mailinglist.html
                      http://www.mipl.mediapoli.com/mail-archive/

Focus: IPv6 on Debian Linux
  Request e-mail address: Web-based, see URL
  Maillist e-mail address: debian-ipv6 (at) lists.debian.org
  Language: English
  Access through WWW: http://lists.debian.org/debian-ipv6/

Focus: IPv6/6bone in Germany
  Request e-mail address: majordomo (at) atlan.uni-muenster.de
  What to subscribe: ipv6
  Maillist e-mail address: ipv6 (at) uni-muenster.de
  Language: German/English
  Access through WWW: http://www.join.uni-muenster.de/JOIN/ipv6/texte-englisch/mailingliste.html
                      http://www.join.uni-muenster.de/local/majordomo/ipv6/

Focus: 6bone
  Request e-mail address: majordomo (at) isi.edu
  What to subscribe: 6bone
  Maillist e-mail address: 6bone (at) isi.edu
  Language: English
  Access through WWW: http://www.6bone.net/6bone_email.html
                      http://ryouko.dgim.crc.ca/ipv6/
                      http://www.wcug.wwu.edu/lists/6bone/

Focus: IPv6 discussions
  Request e-mail address: majordomo (at) sunroof.eng.sun.com
  What to subscribe: ipng
  Maillist e-mail address: ipng (at) sunroof.eng.sun.com
  Language: English
  Access through WWW: http://playground.sun.com/pub/ipng/html/instructions.html
                      ftp://playground.sun.com/pub/ipng/mail-archive/
                      http://www.wcug.wwu.edu/lists/ipng/

Focus: IPv6 users in general
  Request e-mail address: majordomo (at) ipv6.org
  What to subscribe: users
  Maillist e-mail address: users (at) ipv6.org
  Language: English
  Access through WWW: http://www.ipv6.org/mailing-lists.html

Focus: Bugtracking of Internet applications (2)
  Request e-mail address: bugtraq-subscribe (at) securityfocus.com
  Maillist e-mail address: bugtraq (at) securityfocus.com (moderated)
  Language: English
  Access through WWW: http://online.securityfocus.com/popups/forums/bugtraq/intro.shtml
                      http://online.securityfocus.com/archive/1

Focus: IPv6 in general
  Request e-mail address: Web-based, see URL
  Maillist e-mail address: ipv6 (at) ipng.nl
  Language: English
  Access through WWW: http://mailman.ipng.nl/mailman/listinfo/ipv6/
                      http://mailman.ipng.nl/pipermail/ipv6/

Focus: majordomo (at) mfa.eti.br
  Request e-mail address: majordomo (at) mfa.eti.br
  What to subscribe: ipv6
  Maillist e-mail address: ipv6 (at) mfa.eti.br
  Language: Portuguese
  Access through WWW: http://www.mfa.eti.br/listas.html

(1) recommended for common Linux & IPv6 issues.
(2) very recommended if you provide server applications.

Is something missing? Suggestions are welcome!

Another list is available here: http://www.join.uni-muenster.de/JOIN/ipv6/texte-englisch/ipv6.infoquellen.html

Related distributions

* [99]Polish(ed) Linux Distribution ("market leader" in containing IPv6 enabled packages)
* [100]Red Hat Linux
* [101]Pekka Savola's IPv6 packages Germany
* [102]Debian Linux
* [103]Craig Small's IPv6 information and status
* [104]SuSE Linux
* [105]Linux Mandrake

20. History

Versions x.y are published on the Internet. Versions x.y.z are work in progress and only published as LyX file on CVS.

Releases 0.x

0.31 2002-09-29/PB: Extend information in proc-filesystem entries
0.30 2002-09-27/PB: Add some maillists
0.29 2002-09-18/PB: Update statement about nmap (triggered by Fyodor)
0.28.1 2002-09-16/PB: Add note about ping6 to multicast addresses, add some labels
0.28 2002-08-17/PB: Fix broken LDP/CVS links, add info about Polish translation, add URL of the IPv6 Address Oracle
0.27 2002-08-10/PB: Some minor updates
0.26.2 2002-07-15/PB: Add information neighbor discovery, split of firewalling (got some updates) and security into extra chapters
0.26.1 2002-07-13/PB: Update nmap/IPv6 information
0.26 2002-07-13/PB: Fill /proc-filesystem chapter, update DNS information about deprecated A6/DNAME, change P-t-P tunnel setup to use of "ip" only
0.25.2 2002-07-11/PB: Minor spelling fixes
0.25.1 2002-06-23/PB: Minor spelling and other fixes
0.25 2002-05-16/PB: Cosmetic fix for 2^128, thanks to José Abílio Oliveira Matos for help with LyX
0.24 2002-05-02/PB: Add entries in URL list, minor spelling fixes
0.23 2002-03-27/PB: Add entries in URL list and at maillists, add a label and minor information about IPv6 on RHL
0.22 2002-03-04/PB: Add info about 6to4 support in kernel series 2.2.x and add an entry in URL list and at maillists
0.21 2002-02-26/PB: Migrate next grammar checks submitted by John Ronan
0.20.4 2002-02-21/PB: Migrate more grammar checks submitted by John Ronan, add some additional hints at DNS section
0.20.3 2002-02-12/PB: Migrate a minor grammar check patch submitted by John Ronan
0.20.2 2002-02-05/PB: Add mipl to maillist table
0.20.1 2002-01-31/PB: Add a hint how to generate 6to4 addresses
0.20 2002-01-30/PB: Add a hint about default route problem, some minor updates
0.19.2 2002-01-29/PB: Add many new URLs
0.19.1 2002-01-27/PB: Add some forgotten URLs
0.19 2002-01-25/PB: Add two German books, fix quote entities in exported SGML code
0.18.2 2002-01-23/PB: Add a FAQ on the program chapter
0.18.1 2002-01-23/PB: Move "the end" to the end, add USAGI to maillists
0.18 2002-01-22/PB: Fix bugs in explanation of multicast address types
0.17.2 2002-01-22/PB: Cosmetic fix double existing text in history (at 0.16), move all credits to the end of the document
0.17.1 2002-01-20/PB: Add a reference, fix URL text in online-test-tools
0.17 2002-01-19/PB: Add some forgotten information and URLs about global IPv6 addresses
0.16 2002-01-19/PB: Minor fixes, remove "bold" and "emphasize" formats on code lines, fix "too long unwrapped code lines" using selfmade utility, extend list of URLs.
0.15 2002-01-15/PB: Fix bug in addresstype/anycast, move content related credits to end of document
0.14 2002-01-14/PB: Minor review at all, new chapter "debugging", review "addresses", spell checking, grammar checking (from beginning to 3.4.1) by Martin Krafft, add tcpdump examples, copy firewalling/netfilter6 from IPv6+Linux-HowTo, minor enhancements
0.13 2002-01-05/PB: Add example BIND9/host, move revision history to end of document, minor extensions
0.12 2002-01-03/PB: Merge review of David Ranch
0.11 2002-01-02/PB: Spell checking and merge review of Pekka Savola
0.10 2002-01-02/PB: First public release of chapter 1

References

1. http://www.bieringer.de/pb/
2. http://www.linuxports.com/howto/intro_to_networking/
3. http://rfc.net/rfc1884.html
4. http://rfc.net/rfc3056.html/
5. http://rfc.net/rfc2893.html
6. http://rfc.net/rfc2373.html
7. http://standards.ieee.org/regauth/oui/tutorials/EUI64.html
8. http://rfc.net/rfc3041.html
9. ftp://ftp.ietf.org/internet-drafts/
10. http://rfc.net/rfc1519.html
11. http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-distributions.html
12. http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-distributions.html
13. http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html
14. ftp://ftp.bieringer.de/pub/linux/IPv6/kernel
15. http://www.linux-ipv6.org/faq.html
16. http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-kernel.html#transport
17. http://rfc.net/rfc1055.html
18. ftp://ftp.inr.ac.ru/ip-routing/
19. http://rpmfind.net/linux/rpm2html/search.php?query=iproute
20. http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-distributions.html
21. file://localhost/tmp/zh-sgmltools.21666/IPv6&Linux-CurrentStatus-Applications
22. http://www.bieringer.de/linux/IPv6/IPv6-HOWTO/IPv6-HOWTO-3.html
23. http://www.bieringer.de/linux/IPv6/IPv6-HOWTO/IPv6-HOWTO-4.html
24. http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-apps.html#HTTP
25. http://[3ffe:400:100::1]/
26. http://www.kame.net/
27. http://rfc.net/rfc2893.html
28. http://rfc.net/rfc3056.html
29. http://rfc.net/rfc3056.html
30. http://www.kfu.com/~nsayer/6to4/
31. http://www.faqs.org/rfcs/rfc3068.html
32. http://rfc.net/rfc2473.html
33. http://www.bieringer.de/linux/IPv6/
34. http://www.bieringer.de/linux/IPv6/IPv6-HOWTO/scripts/current/
35. http://www.feyrer.de/IPv6/SuSE73-IPv6+6to4-setup.html
36. http://people.debian.org/~csmall/ipv6/
37. http://www.netfilter.org/
38. http://lists.samba.org/pipermail/netfilter/
39. http://lists.samba.org/pipermail/netfilter-devel/
40. http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-kernel.html#netfilter6
41. http://www.kernel.org/
42. http://www.netfilter.org/
43. ftp://ftp.redhat.com/redhat/linux/rawhide/SRPMS/SRPMS/
44. http://www.bieringer.de/linux/IPv6/status/IPv6?status-apps.html#security-auditing
45. http://www.insecure.org/nmap/
46. http://www.freeswan.org/
47. http://www.ipv6.iabg.de/downloadframe/
48. http://www.freeswan.org/doc.html
49. file://localhost/tmp/zh-sgmltools.21666/Linux-IPv6-HOWTO.txt.html
50. http://www.join.uni-muenster.de/lab/testtools.html
51. http://www.ipng.nl/
52. http://www.6bone.net/6bone_hookup.html
53. http://www.6bone.net/6bone_hookup.html
54. http://www.arin.net/
55. http://www.ripe.net/
56. http://www.apnic.net/
57. http://lacnic.org/
58. http://www.ripe.net/ripencc/mem-services/registration/ipv6/ipv6allocs.html
59. http://www.freenet6.net/
60. http://ipv6tb.he.net/
61. https://carmen.cselt.it/ipv6tb/
62. http://tunnel.be.wanadoo.com/
63. http://tb.6test.edu.cn/
64. http://joshua.informatik.uni-leipzig.de/
65. http://www.iij.ad.jp/IPv6/index-e.html
66. http://www.xs26.net/
67. http://www.ipng.nl/
68. http://www.uninett.no/testnett/index.en.html
69. http://www.uk.v6.ntt.net/
70. http://www.nttv6.net/
71. http://www.es.net/hypertext/welcome/pr/ipv6.html
72. http://www.6ren.net/
73. http://www.ipv6-net.de/
74. http://www.kfu.com/~nsayer/6to4/
75. http://www.faqs.org/rfcs/rfc3068.html
76. http://hs247.com/
77. http://bofh.st/ipv6/
78. http://www.ipv6-net.de/
79. http://www.hs247.com/ipv6rfc.html
80. http://playground.sun.com/pub/ipng/html/specs/standards.html
81. http://www.ipv6.org/specs.html
82. http://www.ietf.org/ids.by.wg/ipv6.html
83. http://www.ietf.org/ids.by.wg/ngtrans.html
84. http://www.ietf.org/ids.by.wg/dhc.html
85. http://www.ietf.org/ids.by.wg/dnsext.html
86. http://www.ietf.org/ids.by.wg/mobileip.html
87. http://www.networksorcery.com/enp/protocol/ipv6.htm
88. http://www.switch.ch/lan/ipv6/references.html
89. http://steinbeck.ucs.indiana.edu:47401/
90. http://www.space.net/~gert/RIPE/
91. http://www.bieringer.de/linux/IPv6/
92. ftp://ftp.bieringer.de/pub/linux/IPv6/
93. http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status.html
94. http://www.linux-ipv6.org/
95. ftp://ftp.linux-ipv6.org/pub/
96. http://www.bugfactory.org/~gav/ipv6/
97. http://project6.ferrara.linux.it/
98. ftp://ftp.ferrara.linux.it/pub/project6/
99. http://www.pld.org.pl/
100. http://www.redhat.com/
101. http://www.netcore.fi/pekkas/linux/ipv6/
102. http://www.debian.org/
103. http://people.debian.org/~csmall/ipv6/
104. http://www.suse.com/
105. http://www.linux-mandrake.com/