Sep 29 2012

Just like previously, please read the disclaimer before proceeding; I ain’t no CCIE! Several points before diving off into the configuration :-

  1. Somewhat surprisingly, the most difficult part of getting IPv6 up and running was not the configuration nor the process of switching ISP to one that supported native IPv6. The most difficult part was acquiring a version of IOS that was not riddled with bugs related to (I think) running IPv6 over PPP. If you are undertaking this task, I would suggest making sure you have a very recent version of IOS – the one I am now running was released in July 2012.
  2. If you need a UK ISP that supports IPv6 for customers, I would suggest AAISP.
  3. Throughout this document, I am using the IPv6 documentation network 2001:db8::/32, or more specifically 2001:db8:face::/48. That doesn’t guarantee that I know what I’m talking about, but at least it doesn’t guarantee that I know nothing … as would be the case if I were using some random real IPv6 address.
  4. None of the following should interfere with anything you might be doing with IPv4. With the exception of times when I reloaded the router out of frustration, and occasionally to load a new firmware, my IPv4 connectivity was up and running continuously.

Before starting you need an IPv6 address to configure; unless you have a large internal network it doesn’t make sense to start playing with a ULA address. So get an allocation from your ISP. If you have a half-reasonable ISP, they will allocate you something like 2001:db8:face::/48, which will give you 65536 different /64 subnets to play with – perhaps slightly over the top for a home network! To start with, you need to configure the router itself to enable IPv6 :-

ipv6 source-route
ipv6 general-prefix MYISP 2001:db8:face::/48
ipv6 unicast-routing
ipv6 cef

This basically enables IPv6 routing (with no routing protocols – only static and learnt routes) and configures a “general prefix” with the network details of what your ISP has provided you with. One caveat: the ipv6 source-route line enables forwarding of packets that carry a routing header (source routing), which is not needed for ordinary connectivity and is something most networks leave switched off. The general prefix can be used later to configure addresses in a way that means that changing ISP isn’t quite so painful, and in a way that is less error prone – typing in IPv6 addresses is a lot more prone to typos than IPv4 addresses. Once that is done, it is time to look at IPv6 security … normally people suggest getting everything working first, but as I am more of a security geek than a networking geek, I would suggest security comes first. This is not a great deal different to IPv4 security except that forgetting about NAT makes things simpler :-

ipv6 inspect routing-header
ipv6 inspect name ipv6-allowed-out icmp
ipv6 inspect name ipv6-allowed-out tcp
ipv6 inspect name ipv6-allowed-out udp
ipv6 inspect name ipv6-allowed-out ftp

This basically defines what traffic is allowed out (assuming it’s applied appropriately to an interface). Nothing really odd here … basically everything is allowed out, and with ipv6 inspect routing-header I ask the router to inspect packets that carry a routing header. The next bit is the incoming ACL :-

ipv6 access-list access-to-servers
 permit icmp any any
 permit tcp any host 2001:db8:face:f00d::c0:ffee eq 22
 deny ipv6 any any log

Several key points about this ACL :-

  1. All IPv6 ACLs are “extended”.
  2. All IPv6 ACLs are named rather than numbered.
  3. The ICMP bit looks a little permissive, but ICMP is very much more required for a functioning IPv6 network than an IPv4 network. It can be tuned down somewhat, but you need ICMP for your network to work.
  4. The rule that allows access to my server on port 22 does not allow the use of the previously defined general-prefix. Come on Cisco, do the right thing here!

And another ACL for access to the router’s SSH port :-

ipv6 access-list authorised-v6
 permit ipv6 2001:db8:face::/48 any
 deny ipv6 any any

And we might as well apply that last ACL right away :-

line vty 0 4
  ipv6 access-class authorised-v6 in

Now we have the basics ready, we can start to configure interfaces. Before you start, it is worth figuring out what network addresses to use. IPv6 does of course allow the possibility of using wildly inappropriate hex-spelled words as network addresses, or you could be very sensible and come up with an appropriate allocation scheme. For larger networks, it is well worth reserving a large swathe of networks (such as 0000-7fff) for someone to come along later and create a “better” scheme … as somebody who has dealt with a large IPv4 network where the original allocation scheme was somewhat suboptimal, I firmly believe that later network administrators should have the freedom to change the scheme in the light of more experience.

You will often encounter the assumption that the host part of a network is always 64 bits (or that the network mask is always /64). Whilst this is not a requirement at all, there are popular features of IPv6 that only work on a network of that size, such as address auto-configuration (SLAAC). In practice this means that you should always create networks with a /64 netmask, even if you have no intention of allowing address auto-configuration, unless you have a very good reason not to (for instance when configuring statically configured links between routers).

As a minimum, you will need two networks – one for the external interface, and one for the internal interface(s). As you may have guessed, we have already specified what the internal network is: 2001:db8:face:f00d::/64, and I will use 2001:db8:face:1ced::/64 as the external interface. The first interface to configure is the internal network :-

interface Vlan101
 ipv6 address MYISP 0:0:0:F00D::1/64
 ipv6 enable 
 ipv6 nd prefix 2001:db8:face:f00d::1/61
 ipv6 nd router-preference High

The command to give the network and the interface an address requires a little explanation. First of all, we’re lucky enough to be able to use the “general-prefix” that we defined earlier. This “general-prefix” is merged with the unusual looking address that follows it :-

MYISP general-prefix   2001:db8:face
Address to merge       0:0:0:F00D::1/64
Result                 2001:db8:face:F00D::1/64

This provides the interface with an address. The next command simply enables IPv6 on the interface. The ipv6 nd prefix command tells the router what “prefix” to advertise to clients wishing to autoconfigure (using SLAAC).
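As an added example (not code from the original post), the following Python script reproduces the merge described above with the standard ipaddress module and also applies it to the Dialer0 address used later on. The bit-wise merge and the rejection of a sub-bits address that overlaps the general prefix are my assumptions about how the merge behaves; the /64 check reflects the SLAAC requirement noted earlier.

```python
import ipaddress

# Constructed values taken from the post: the ISP's /48 general prefix and
# the sub-bits addresses used on the Vlan101 and Dialer0 interfaces.
GENERAL_PREFIX = "2001:db8:face::/48"
SUB_BITS = {
    "Vlan101": "0:0:0:F00D::1/64",
    "Dialer0": "::1ced:0:0:0:1/64",
}


def merge_general_prefix(general_prefix, sub_bits):
    """Merge an IOS-style general prefix with a sub-bits address.

    Assumed behaviour: the first prefix-length bits come from the general
    prefix and every remaining bit from the sub-bits address.  A sub-bits
    address that sets any bit inside the general prefix's portion is
    rejected rather than silently overwritten.
    """
    net = ipaddress.IPv6Network(general_prefix, strict=True)
    sub = ipaddress.IPv6Interface(sub_bits)
    high_mask = int(net.netmask)          # bits owned by the general prefix
    sub_int = int(sub.ip)
    if sub_int & high_mask:
        raise ValueError(
            f"{sub_bits} sets bits inside the /{net.prefixlen} general prefix")
    merged = int(net.network_address) | sub_int
    return ipaddress.IPv6Interface((merged, sub.network.prefixlen))


def slaac_capable(iface):
    """SLAAC only works on /64 networks, as the post notes."""
    return iface.network.prefixlen == 64


def render_addresses(general_prefix, sub_bits):
    """Resolve every interface's address and flag those SLAAC cannot use."""
    out = {}
    for name, bits in sub_bits.items():
        iface = merge_general_prefix(general_prefix, bits)
        out[name] = (str(iface), slaac_capable(iface))
    return out


if __name__ == "__main__":
    for name, (addr, ok) in render_addresses(GENERAL_PREFIX, SUB_BITS).items():
        print(f"{name:8} {addr:28} SLAAC {'ok' if ok else 'needs /64'}")
```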

As an aside, the whole topic of managing IPv6 addresses on clients is worth an article on its own – auto-configuration sounds like a good option (and indeed may be a good choice), but there are situations where you would prefer to not allow auto-configuration. And not all clients work equally well with all options.

The next command (ipv6 nd router-preference High) is a weak attempt to guard against false Router Advertisement messages – advertising this router as a High preference one may prioritise its use over any other mysterious routers that appear on this network. In practice, it is necessary to block RA messages from non-router ports using a switch feature such as RA Guard (ipv6 nd raguard). Once this interface is configured, you may well start to see IPv6 hosts with the command show ipv6 neighbors. And onto the configuration of the outside interface :-

interface Dialer0
 ipv6 address MYISP ::1ced:0:0:0:1/64
 ipv6 enable
 no ipv6 nd ra suppress
 ipv6 inspect ipv6-allowed-out out
 ipv6 traffic-filter access-to-servers in
 ipv6 virtual-reassembly in

This starts off in much the same way as the previous interface configuration, but in this case I also :-

  1. Explicitly enable RA messages on the interface with no ipv6 nd ra suppress. This is to ensure that the RA messages get out to the ISP’s router on the “other end”.
  2. Use ipv6 inspect ipv6-allowed-out out so that IPv6 traffic is allowed out (and any associated return packets are allowed back in again!).
  3. Use ipv6 traffic-filter access-to-servers in to allow in only the unsolicited IPv6 traffic that is necessary.
  4. Use ipv6 virtual-reassembly in to enable Cisco’s VFR feature, which protects against fragmentation attacks.

Note that I have statically configured the address on this interface. Some ISPs require this, and some require that the interface is set to auto-configuration (ipv6 address autoconfig or ipv6 address dhcp). The last step is to configure a default route :-

ipv6 route ::/0 Dialer0

Some misconceptions I’ve come across through googling for tips and assistance :-

  1. There are plenty of examples which show internal interfaces configured with ipv6 nd prefix XXX in addition to the interface address. As far as I can see (and as demonstrated by my home network actually networking), there is no need to specify this prefix unless you are advertising multiple prefixes on an interface, or doing something even stranger.
  2. Examples often include ipv6 nd ra interval ${some-value}, which as far as I can see is somewhat unnecessary except that the default value of 200s means that connected hosts may take a while to spot the router.
  3. There are plenty of examples for setting up IPv6 with a tunnel within IPv4 where the IPv6 MTU is set to some value lower than the default such as ipv6 mtu 1280. Tuning the MTU for native IPv6 should not be necessary, and even if it is, the right value would be somewhat higher.

And of course, if anyone believes I’ve done something wrong, please let me know!

Aug 31 2012

There comes a moment in some violent anti-capitalist protests where genuine if illegal protest becomes mindless thuggery; for example turning from daubing slogans on the windows of the nearest bank, to throwing objects through the windows of the small independent shop next door. And you do have to wonder if those “hacktivists” who are supporting Julian Assange’s wish to be given safe passage to Ecuador have reached beyond that point.

First of all, I should point out that whilst I’m a supporter of WikiLeaks – or at least the idea of a website where whistleblowers can responsibly publish leaked material in raw form – I’m no supporter of Julian Assange in his attempt at escaping justice. As mentioned previously, I believe he should go back to Sweden to face the charges that will be made once he arrives.

But neither do I think that Julian Assange’s supporters should be silenced, however mistaken they are about the situation. They have a right to protest, and I’m not even opposed to a bit of responsible “hacktivism” – in my private life I’m quite willing to go along with the ideal that sometimes it is ethical to break the law. But I also believe that the current flood of “hacktivism” is going just a little bit too far.

Those who have been reading just the mainstream media (and here) may be under the impression that the hacktivists have been attacking just a few places; more relevant media makes it plain that there is something more widespread. The first story mentions Cambridge University; none of the stories mentions that the hacktivists have claimed to have broken into up to 5 universities. The list of victims of this week’s surge seems to include :-

  • Up to 5 UK Universities.
  • One or possibly two UK police forces.
  • A UK recruitment agency (which just so happens to mention a couple of UK government bodies).
  • A Pakistani agency specialising in assisting students to come to the UK, or other English-speaking countries.
  • Plus a few UK government agencies.

And this list looks a little random to me.

It’s not that difficult to break into a website – even I could do it, but the question to ask is just how many websites did they rattle the doorknobs of before they found this low-hanging fruit? And it’s always worth remembering the old classic cartoon by xkcd.com :-

Of course they didn’t just widdle a picture of Julian Assange over the front page of a web site; they also broke into some databases and stole some personal information! That’s a bit more serious. And in the case of the information grabbed from the police, it’s a lot more serious.

But if you look closely at the data stolen from the UK universities involved, it becomes a little less dramatic. It would appear that the hackers have managed to break into a few databases used by various departmental web applications. Web applications often use databases as a convenient place to “stash” stuff including account details, which is what appears to have been leaked here. These account details are normally separate from any other account details (unless of course the owner of the account uses the same password), and give access only to the web application itself.

It does not appear that any core business function data has been exposed by this – i.e. the personal details of all the students for example. If it were not for Julian Assange’s name being attached to the incident, it is very likely that the media would not be interested in the story itself which would make it far less serious for the institutions concerned.

When you come down to it, Julian Assange’s real supporters should probably be a bit dismayed by this mindless thuggery – it doesn’t reflect well on their protests if it appears the best hacktivists that they can get to support them are rather on the low end of the scale. Of course a conspiracy theorist might take this as evidence that the hacktivists here are actually deliberately making the supporters of Julian Assange look bad.

Aug 29 2012

Quite an amusing Internet rumour came about today: that Samsung had paid their fine to Apple by sending around 30 trucks filled to the brim with nickels (which is apparently a 5¢ coin). Of course it eventually transpired that this was all an amusing hoax, which makes more sense – after all, Samsung is hardly going to pay Apple until after they have tried appealing.

But the popularity of this story may be some small indication that Apple’s victory in the US courts over this patent dispute is not really seen as fair by most.

Aug 25 2012

So apparently a US court with a US jury found against a Korean company and in favour of a US company. Well that is a surprise! Who would imagine?

There are several aspects of this trial that should require closer inspection before making any judgments :-

  1. The jury only spent 48 hours deliberating when the available evidence amounted to “hundreds of questions, 109 pages of jury instruction and the most complex muddle of law on the planet”. Given the mind boggling complexity of this case, I would not be at all surprised if the jury colluded in coming up with a snap judgment that at least gets them out of jury service rather than a properly considered verdict.
  2. The judge kept advising the two companies to come to a negotiated settlement but obviously Apple and Samsung ignored this.
  3. This is just one legal battle; Apple and Samsung are fighting tooth and nail in many cases: as of December 2011, Apple and Samsung were fighting more than 20 cases in 10 countries. It would seem that it would be better by far if someone were to bang the respective CEOs’ heads together and force both companies to make a negotiated settlement.

It is easy for an observer who does not pay close attention to technical matters to consider Apple to be a radical innovator in the smartphone arena; certainly at the very least the iPhone was a game changer. But not because it was itself a dramatic innovation in technological terms; rather because it brought previous technical innovations together into a well designed and easy to use product. And frankly a comparatively limited one – much smartphone functionality present in the original iPhone’s competitors was missing from the original iPhone.

If you look at the list of patents that Samsung supposedly infringed, you will come across numerous examples that someone in the technical field will wonder if it should really be a patent. Or maybe at most should be a ‘half-patent’ (if there were such a thing). Some of the features that Samsung supposedly infringed :-

  1. The “rubber band” effect that occurs when you scroll a list by touch and hit the end of the list. This to a limited extent falls foul of the “obviousness” test – if you had used a scroll-by-touch interface without the equivalent of this, you would think “Hey! Someone ought to come up with something that tells me when the end of the list is”.
  2. The gestures “pinch to zoom” and “twist to rotate”. I’m sorry but these really are too obvious to patent. Certainly “twist to rotate” is merely aping what we do in the real world to rotate – ever “twisted” a plate to rotate it so that the food you are going to dive into next is closer? And similarly “pinch to zoom” is effectively a touch-screen equivalent of dragging out a box onscreen using a mouse to zoom in on that particular area.
  3. Touch to drag a document? Ever used drag and drop with a mouse?
  4. The other elements in the list are in relation to the physical design of the handset, but is a rectangle with rounded corners really so radical? I’m pretty sure almost all of my phones have been rectangular with rounded corners since well before the original iPhone.

The trouble with this judgement is that whilst it may protect innovation to a tiny degree, it will also have the effect of limiting choice to the consumer in the US. Because Apple is going to look to ban imports of Samsung devices as soon as it can wheel a lawyer into court. Wouldn’t it be better by far for the court to decide that yes Samsung has infringed the pinch to zoom function, so they should pay for a license for that patent at a rate of 10¢ per device? Rather than insist on Apple being paid a ridiculous amount of damages and allowing Apple to set a ridiculous license cost for use of the patent.

The whole issue of intellectual property rights is a complete mess, and I’m not sure that even the judge in this case would disagree. Patents were originally developed to protect inventors from companies simply stealing their ideas and going ahead and making money whilst the inventor gets nothing. They were not designed to stop competitors from using the ideas of an inventor – they would simply have to pay a fair price for the idea. And patents were not supposed to be blindingly obvious either.

It is also worth pointing out that Apple have already lost pretty much the same legal battle in the UK, Germany, and South Korea. So we have the ridiculous situation where Samsung “stole” ideas as decided by a US jury, but also didn’t as decided by court victories elsewhere in the world. Who is right? Who knows?

Intellectual property rights are long overdue for a radical overhaul :-

  1. Make the UN the deciding body for patent infringements. This will eliminate all the conflicting decisions that go on around the world, and reduce to a minimum conscious or unconscious bias that a US jury (or a US judge) might weigh against a South Korean company.
  2. Review each patent rigorously to examine whether they are too obvious to patent.
  3. Use an independent party to decide licensing fees, and make licensing fees a percentage of the final purchase price of the product. Want to make a Rolex replica exact in every way? Well, the panel might decide you can do so … as long as you pay Rolex 100% of the purchase price. Want to use “pinch to zoom” on your device? Expect to pay Apple a tiny amount like 0.5% of the purchase price.

Of course none of this is likely to happen. Intellectual property rights are too much of a cash cow for IP trolls and IP lawyers for any big changes.

Jun 30 2012

Warning: This page details a shell script that I’ve produced for my own amusement; it isn’t a product. It hasn’t been tested in lots of environments, and it will take some hacking to get it to work for you. If you’re looking for something to use, move along; if you’re looking for ideas to improve a real wallpaper setting program, you might want to read on.

So elsewhere I’ve admitted to driving a stake through the heart of GNOME’s wallpaper plugin to allow my own wallpaper script to work. Well, I could hardly do that and not announce it could I? So here goes :-

  1. It doesn’t actually set the wallpaper; it lets hsetroot do that.
  2. It requires a parameter to determine which directory to choose – i.e. ~/lib/backgrounds/one, ~/lib/backgrounds/two, etc.
  3. It uses xrandr to pick out the “regions” of the default screen.
  4. It puts portrait images on my portrait monitor, and landscape images on my landscape monitor by overlaying them onto an overall image the size of both monitors added together.
  5. It waits a set duration, and then repeats.

If you’re still interested in getting a copy it’s available at http://zonky.org/src/set-random-background.
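As an added illustration (not the script from the post), here is a Python sketch of the xrandr step described in points 3 and 4: it picks the regions of connected outputs out of constructed xrandr output, works out the size of the combined canvas that hsetroot would be handed, and matches a portrait or landscape image to the monitor with the same orientation. The xrandr line layout assumed is the usual “NAME connected WxH+X+Y”.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed xrandr output modelled on a landscape monitor next to one that
# has been rotated into portrait; not captured from a real machine.
SAMPLE_XRANDR = """\
Screen 0: minimum 320 x 200, current 3000 x 1920, maximum 8192 x 8192
DVI-0 connected primary 1920x1080+0+0 (normal left inverted right x axis y axis) 510mm x 287mm
DVI-1 connected 1080x1920+1920+0 left (normal left inverted right x axis y axis) 287mm x 510mm
HDMI-0 disconnected (normal left inverted right x axis y axis)
"""

# Matches "OUTPUT connected [primary] WxH+X+Y"; disconnected outputs and
# connected outputs without an active mode do not match.
_REGION = re.compile(r"^(\S+) connected (?:primary )?(\d+)x(\d+)\+(\d+)\+(\d+)")


class Region(NamedTuple):
    output: str
    width: int
    height: int
    x: int
    y: int

    @property
    def orientation(self) -> str:
        return "portrait" if self.height > self.width else "landscape"


def parse_regions(xrandr_text: str) -> List[Region]:
    """Return one Region per connected output that has an active mode."""
    regions = []
    for line in xrandr_text.splitlines():
        m = _REGION.match(line)
        if m:
            w, h, x, y = (int(v) for v in m.groups()[1:])
            regions.append(Region(m.group(1), w, h, x, y))
    return regions


def canvas_size(regions: List[Region]):
    """Size of the single image covering every region (what hsetroot gets)."""
    return (max(r.x + r.width for r in regions),
            max(r.y + r.height for r in regions))


def pick_region(regions: List[Region], image_w: int, image_h: int) -> Optional[Region]:
    """Choose the monitor whose orientation matches a candidate image."""
    want = "portrait" if image_h > image_w else "landscape"
    return next((r for r in regions if r.orientation == want), None)


if __name__ == "__main__":
    regs = parse_regions(SAMPLE_XRANDR)
    print("canvas", canvas_size(regs))
    for r in regs:
        print(r.output, r.orientation, f"{r.width}x{r.height}+{r.x}+{r.y}")
```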