Linux IPv6 HOWTO
Linux IPv6 HOWTO
Author:Peter Bieringer pb@bieringer.de
译者: 陈敏剑 expns@yahoo.com
Revision Release 0.31 2002-09-29 Revised by: PB 翻译日期: 2002-10-14 ,
2002-11-19 第二次修正
_________________________________________________________________
Linux IPv6 HOWTO 的目地是回答在 Linux 作业系统上设定IPv6的基本/进阶问
题.这份HOWTO为用户在Linux作业系统上安装,设定和使用IPv6提供足够的资讯.
_________________________________________________________________
1. 概述
* 1.1 版本
* 1.2 版权,许可与其它
* 1.3 关于作者
* 1.4 联系
* 1.5 类别
* 1.6 版本, 历史和打算
* 1.7 历史
* 1.8 全部历史
* 1.9 打算
* 1.10 翻译
* 1.11 德语
* 1.12 其它的语系
* 1.13 波兰版
* 1.14 中译版
* 1.15 技术方面
* 1.16 代码封装
* 1.17 产生SGML
* 1.18 2HTML版式的在线目录(linking/anchors)
* 1.19 专用的页面
* 1.20 有多少个关于 Linux和IPv6 HOWTO的变动版本?
* 1.21 Linux IPv6 FAQ/HOWTO (过时的)
* 1.22 IPv6 & Linux - HowTo (正在维护当中)
* 1.23 Linux IPv6 HOWTO (现在这份HOWTO)
* 1.24 Long code line wrapping signal char
* 1.25 Placeholders (占位符)
* 1.26 Commands in the shell(shell 里的命令)
* 1.27 使用这个HOWTO的必需条件
2. 什么是IPv6?
* 2.1 IPv6在Linux作业系统上的历史
* 2.2 开始
* 2.3 其间
* 2.4 现在
* 2.5 将来
* 2.6 IPv6 的地址会是什么样 ?
* 2.7 FAQ(基础)
3. 地址的类型
* 3.1 没有前缀的地址
* 3.2 网路部分,也叫做前缀
* 3.3 地址类型(主机)
* 3.4 路由的前缀长度
4. 准备IPv6的运行系统
* 4.1 IPv6-ready kernel
* 4.2 IPv6-ready 网路设定工具
* 4.3 IPv6-ready 测试/调式 程式
* 4.4 IPv6-ready programs(能和IPv6协同工作的程式)
* 4.5 IPv6-ready 客户端程式 (selection)
* 4.6 IPv6-ready server 程式
5. 设定interfaces(界面)
* 5.1 不同的网路设备
* 5.2 Bringing interfaces up/down(设定界面的开/关)
6. 设定IPv6地址
* 6.1 列印当前的IPv6地址
* 6.2 增加一个IPv6地址
* 6.3 移除IPv6地址
7. 设定IPv6路由
* 7.1 列印现有的路由
* 7.2 设定IPv6路由通过闸道
* 7.3 移除 IPv6路由通过闸道
* 7.4 增加IPv6路由至interface(界面)
* 7.5 从interface(界面)移除IPv6路由
* 7.6 FAQ for IPv6 routes(IPv6 路由的经常问答)
8. Neighbor Discovery(发现芳邻)
* 8.1 Displaying neighbors using "ip" (用"ip"命令列印芳邻)
* 8.2 用 "ip" 对芳邻的列印表进行处理
9. Configuring IPv6-in-IPv4 tunnels(设定遂道)
* 9.1 遂道的类型
* 9.2 列印现存的tunnels(遂道)
* 9.3 Setup of point-to-point tunnel(设定点对点的遂道)
* 9.4 Setup of 6to4 tunnels (设定 IPv6至IPv4的遂道)
10. 设定 IPv4-in-IPv6 遂道
11. 核心设定 in /proc-filesystem
* 11.1 怎样进入 /proc-filesystem
* 11.2 /proc-filesystems 里的数值类型.
* 11.3 Entries in /proc/sys/net/ipv6/
* 11.4 IPv6-related entries in /proc/sys/net/ipv4/
* 11.5 IPv6-related entries in /proc/net/
12. Netlink-Interface to kernel
13. 网路 debugging
* 13.1 Server socket binding(绑定)
* 13.2 Using "netstat" for server socket binding check
* 13.3 Examples for tcpdump packet dumps
14. Support for persistent IPv6 configuration in Linux distributions(在不同的发
行版中设定IPv6)
* 14.1 Red Hat Linux and "clones"(小红帽和它的弟兄娣妹)
* 14.2 Mandrake(曼德莱克)Linux
* 14.3 SuSE(苏泽斯)Linux
* 14.4 Debian(迪比安)Linux
15. 防火墙
* 15.1 使用 netfilter6防火墙
* 15.2 更多的资讯:
* 15.3 准备
* 15.4 使用方法
* 15.5 使用ip6tables
16. 安全
* 16.1 Access limitations
* 16.2 IPv6安全审核
* 16.3 Security auditing using IPv6-enabled netcat(使用适应IPv6
的netcat)
* 16.4 Security auditing using IPv6-enabled nmap
* 16.5 Security auditing using IPv6-enabled strobe
* 16.6 审核结果
17. Encryption and Authentication(加密和认证)
* 17.1 用法
18. 线上测试工具
19. 其它资讯
* 19.1 线上资讯
* 19.2 更多的资讯
* 19.3 通信论坛
20. 历史
_________________________________________________________________
1. 概述
1.1 版本
Revision Release 0.31 2002-09-29 Revised by: PB
See revision history for more
Revision Release 0.30 2002-09-27 Revised by: PB
See revision history for more
Revision Release 0.29 2002-09-18 Revised by: PB
1.2 版权,许可与其它
版权所有: Peter Bieringer
Copyright
Written and Copyright (C) 2001-2002 by Peter Bieringer
1.1.2. License
This Linux IPv6 HOWTO is published under GNU GPL version 2:
The Linux IPv6 HOWTO, a guide how to configure and use IPv6 on Linux systems.
Copyright (C) 2001-2002 Peter Bieringer
This documentation is free software; you can redistribute it and/or modify
it
under the terms of the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your option)
any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
1.3 关于作者
作者接触 Internet/IPv6 的历史
1993: 由于使用e-mail和新闻组开始接触Internet.
1996: 受邀于一个IPv6的课程. 包括了Linux有关的IPv6.
1997: 开始写在Linux里安装,设定和使用IPv6的指南.
2001: 开始写这个新的HOWTO.
1.4 联系
可以通过e-mail pb@bieringer.de及首页 [1]http://www.bieringer.de/pb/ 他
现在住在Munich [northern part of Schwabing] / Bavaria / Germany
(south) / Europe (middle) / Earth (surface/mainland).
1.5 类别
在"Networking/Protocols"里.
1.6 版本, 历史和打算
在最上头提过了.
1.7 历史
主要的历史
2001-11-30: 开始设定新的HOWTO
2002-01-02: 完成了一点,发表了第一章节 (version 0.10).
2002-01-14: 完成了更多,加了评论,发表了所有的内容(version 0.14).
2002-08-16: 波兰版的翻译正在进行.
2002-10-14: 中译版翻译刚开始.
1.8 全部历史
See revision history at the end of this document.
1.9 打算
补缺漏.完成内容的检视.
1.10 翻译
它们包含URL,版本号,原作的版权.
1.11 德语
它的版本由我自己完成(德语是我的母语)在版本每月都有变化的时候是不会完成
的. 并且我还要有空闲的时间,如果您有时间,不妨试一试,大大方方地来接管吧.
1.12 其它的语系
一般情况下,请等到一个月以上无变动的时候进行翻译, version0.27 是最近的.
1.13 波兰版
自从 2002-08-16 Lukasz Jokiel Lukasz.Jokiel@klonex.com.pl开始,到现在.
他的起始版是 0.27
1.14 中译版
从 2002-10-14 起, 中译版的翻译完成了部份内容, 起始版是 0.31
1.15 技术方面
HOWTO的原始形式是 在Linux Red Hat7.3里用 LyX version 1.2.0 写的,格式
是SGML. http://cvsview.tldp.org/index.cgi/LDP/users/Peter-Bieringer/
里可以取得.
1.16 代码封装
代码封装是由自己写的工具"lyxcodelinewrapper.pl" 来完成. 您可以
在http://cvsview.tldp.org/index.cgi/LDP/users/ 里取得
1.17 产生SGML
是用LyX的输出功能实现. 也有一些是用固定的代码.(参
照http://cvsview.tldp.org/index.cgi/LDP/users/Peter-Bieringer/) Export
of LyX table does not create proper "colspan" tags - tool for fixing:
"sgmllyxtabletagfix.pl" (fixed since LyX 1.2.0)
LyX sometimes uses special left/right entities for quotes instead the
normal one, which will still exist in generated HTML. Some browsers
don't parse this very well (known: Opera 6 TP 2 or Konqueror) - tool
for fixing: "sgmllyxquotefix.pl"
1.18 2HTML版式的在线目录(linking/anchors)
主索引 一般来说,是被推荐的
1.19 专用的页面
因为HTML版式是由SGML生成, HTML的文件名是随机的, 一些名称被定死.这是有
用的,并在以后不会改变. 如果您认为我漏了tag, 请让我知道,我会加进去的.
1.20 有多少个关于 Linux和IPv6 HOWTO的变动版本?
加上这个, 有三个呢. 抱歉,是有点太多.
1.21 Linux IPv6 FAQ/HOWTO (过时的)
第一个由 Eric Osborne 所写. 叫做 Linux IPv6
FAQ/HOWTO(http://www.linuxhq.com/IPv6/). 有谁知道它的初始日期,请
来e-mail告诉我, 用来写历史的.
1.22 IPv6 & Linux - HowTo (正在维护当中)
那里有一个我(Peter Bieringer)写的第二版, 叫做 IPv6 & Linux -
HowTo(http://www.bieringer.de/linux/IPv6/), 格式是纯HTML, 1997年4月开
始, 并在同年7月发行了第一个英文版, 我会继续维护它. 但它会被慢慢地容合
进现在您读的这份HOWTO当中.
1.23 Linux IPv6 HOWTO (现在这份HOWTO)
由于IPv6 & Linux - HowTo(http://www.bieringer.de/linux/IPv6/) 是用
纯HTML写的, 与 Linux 文档计划(www.linuxdoc.org)不兼容. 我(Peter
Bieringer)接到了一个将 IPv6 & Linux - HowTo 写成SGML格式的请求. 因为将
要停止写HOWTO(将来的IPv6 & Linux - HowTo), 并随著IPv6越来越标准化, 我
决定写一个新的在未来几年占主要地位的比较更持久的版本, 包括了基本的和高
级的版本. 动态的资讯依然会在将来的日子里添加到第二个HOWTO里去(IPv6 &
Linux - HowTo).http://www.bieringer.de/linux/IPv6/
1.24 Long code line wrapping signal char
"?"这个特殊的字符是让编码在PDF 和 PS 文件中显得更好看.
1.25 Placeholders (占位符)
您可以常常在例子中看到如下的内容:
< myipaddress >
在您的系统命令行或scripts里会被相应的内容所取代(当然是将 "< >" 去掉
啦), 结果变成这样:
1.2.3.4
1.26 Commands in the shell(shell 里的命令)
可执行的命令(非root用户),由 "$" 开头, 如:
$ whoami
可执行的命令(root用户),由 "#" 开头, 如:
# whoami
1.27 使用这个HOWTO的必需条件
个人所要必备的条件.
您必需熟悉主要的UNIX工具,如grep, awk, find, ... , 和它们的一般用法.
知道一些网路理论
您要知道layers, protocls, addresses , cables ,plugs, 等. 如果您刚进入
这个领域, 这个连结有助于您: [2]
http://www.linuxports.com/howto/intro_to_networking/
设定IPv4的经验
您必需有明确的IPv4的设定经验.不然,您将不知道如何进行下去.
Domain Name System (DNS 动态名称侍服系统)的经验
您最少要知道如何使用tcpdump, 它告诉您的是什么. 不然,对您来说然度相当
大.
Linux 作业系统的兼容硬体
您必需有实际的操作经验, 并且不要在看HOWTO的时候到处打磕睡. :)
2. 什么是IPv6?
IPv6是新的第三层传输协议(参
考http://www.linuxports.com/howto/intro_to_networking/c4412.htm#PAGE10
3HTML),它将用来取代IPv4(也叫做IP).
IPv4是很早以前设计的,现在对IPv4提供更多的地址和性能方面有著更高的要求.
在IPv6中主要的变革是重新设计了报头. 包括将地址位的大小从32 bits 增加到
128 bits. 因为第三层传输主要负责end-to-end(端对端)基于地址的数据包路
由. 它必需包含新的IPv6地址(来源和目标),这点就像IPv4一样.
下面这个连结提供了更多有关IPv6的资讯, 和RFC 的例表等等:
http://www.switch.ch/lan/ipv6/references.html
2.1 IPv6在Linux作业系统上的历史
将要做的: 更好的时间排列, 更多的内容...
2.2 开始
第一次将与IPv6有关的代码加入 Linux kernel 2.1.8 的工作是由Pedro Roque
在1996年11月完成的. 它基于BSD API:
______________________________________________________________
diff -u --recursive --new-file v2.1.7/linux/include/linux/in6.h
linux/include/linux/in6.h
--- v2.1.7/linux/include/linux/in6.h Thu Jan 1 02:00:00 1970
+++ linux/include/linux/in6.h Sun Nov 3 11:04:42 1996
@@ -0,0 +1,99 @@
+/*
+ * Types and definitions for AF_INET6
+ * Linux INET6 implementation
+ * + * Authors:
+ * Pedro Roque <******>
+ *
+ * Source:
+ * IPv6 Program Interfaces for BSD Systems
+ * <draft-ietf-ipngwg-bsd-api-05.txt>
______________________________________________________________
以上的代码来自patch-2.1.8 (e-mail 地址在复制&贴上时漏掉了)
2.3 其间
因为缺少人手, 在核心加入IPv6的计划不能按照讨论的或新的RFCs执行.
在2000年的10月, 一个叫做USAGI(http://www.linux-ipv6.org/)的计划在日本
正式启动. 目标是执行所有不见了的, 搁浅的(IPv6 support in Linux)计划.
计划紧随 KAME project (http://www.kame.net/) 的脚步. 依据 vanilla
Linux 核心源代码进行遂步的改动.
2.4 现在
不幸的是 USAGI 的 patch(补丁)很大, Linux networking 维护人员无法将它包
含进现在Linux 2.4.x 系列的源代码当中去. 因此2.4.x 失去了一些(多数)括展
性, 并且不支持所有当前的设计和RFCs. 这导致了它和其它作业系统会产生一些
协同问题.
2.5 将来
USAGI 现在正在将当前的括展加入到 Linux 2.5.x 核心当中.
希望2.6.x 系列核心能有一个真正和最新的IPv6功能.
2.6 IPv6 的地址会是什么样 ?
刚才提过, IPv6 的地址有128 bits 长. 这样的 bits 可以产生39个十进字数
字:
______________________________________________________________
2^128-1: 340282366920938463463374607431768211455
______________________________________________________________
这样的地址很难记得住. IPv6的地址是逐位定位的(就像IPv4, 但这个观点不是
公认的). 所以十六进制能更好地代表这些数字, 4 bits(也叫做"nibble")表现
为数字(0-9)或字符 a-f(10-15). 这种格式将IPv6的地址长度缩减到个32字符.
______________________________________________________________
2^128-1: 0xffffffffffffffffffffffffffffffff
______________________________________________________________
这种表现形式仍然很不方便. (可能混淆或遗漏单个十六进制数字), 所以IPv6的
设计者将地址形式定为每16bit就用":"区分开来. 开头的"0x"(在程式设计当中
用来表示十六进制数值)被移除了:
______________________________________________________________
2^128-1: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
______________________________________________________________
一个有效的地址(稍后请看地址类型)如下:
______________________________________________________________
3ffe:ffff:0100:f101:0210:a4ff:fee3:9566
______________________________________________________________
为了简化, 每个16bit开头的0可以被省略:
______________________________________________________________
3ffe:ffff:0100:f101:0210:a4ff:fee3:9566 ->
3ffe:ffff:100:f101:210:a4ff:fee3:9566
______________________________________________________________
连续的并且数值为0的16bit地址段可以用"::"表示. 但是一个IPv6地址当中只能
出现一次, 不然这种方法保持不了多久.
______________________________________________________________
3ffe:ffff:100:f101:0:0:0:1 -> 3ffe:ffff:100:f101::1
______________________________________________________________
简化得最短的IPv6 localhost地址:
______________________________________________________________
0000:0000:0000:0000:0000:0000:0000:0001 -> ::1
______________________________________________________________
这种方法也叫做 compact (base85 coded) representation defined RFC 1924
/ A IPv6紧凑地址表示法(定于1996), 但没有提起过, 例如:
______________________________________________________________
# ipv6calc --addr_to_base85 3ffe:ffff:0100:f101:0210:a4ff:fee3:9566
Itu&-ZQ82s>J%s99FJXT
______________________________________________________________
资讯: ipv6calc 是一个IPv6地址格式的计算和转换的计划, 您可以在这里找到:
http://www.bieringer.de/linux/IPv6/ipv6calc/
2.7 FAQ(基础)
为什么叫IPv6,而不能成为IPv4之后的IPv5 ?
在任何IP头, 前4bits 是为协议版本号所保留的. 所以理论上一个协议的版本号
在0和15之间是有效的:
* 4 己经为IPv4所使用.
* 5 为 Stream 协议所保留(STP, RFC 1819 http://rfc.net/rfc1819.html
没有公开过)
IPv4之后可用的版本号是6, 因此 IPv6 就这样旦生了!
IPv6 地址: 为什么会有这么长的bits
在设计IPv4的时候,人们认为32bit的长度足够全世界使用. 看一看这些年,
32bit 就现在和未来几年来说是足够的. 然而, 32bits 不能在将来满足全球各
种网路设备对IP地址的需求. 想一想将来要连结网路的移动电话, 汽车(包括电
子总控系统), 烤面包机,冰箱, 照明开关...
所以设计者采用了128bits, 是今天IPv4 大小(2^96)与长度的4倍.
实际使用的大小可能比它看起来的还要小. 因为现在的定义地址设计, 64bits
用于interface identifiers(界面标识). 另外64bits用于路由. 寄于现在严格
的层数集合(/48, /35, ...), IPv6 所能提供的地址空间还是可能不够, 希望这
种情况不要在往后的几年里发生.
IPv6 地址: 为什么在新的设计里bits这么小?
虽然, (可能)有些人(在Internet里)考虑IPv8和IPv6, 设计无论从接受和执行都
是那么的遥远. 在此其间128bit对于报头和数据传输来说是最佳的选择.
考虑到在IPv4里和IPv6里的最大/最小传输单位(MTU,它们分别是576byte 和
1280 byte), IPv4 的报头是20 byte(最小值,可以通过调节IPv4的选项增大
到60byte), IPv6 的报头是48 byte(固定不变的), 报头分别占它们MTU的3.4%
和3.8%, 这意昧著报头占了很大一部分开销. 更大bits的地址需要更大的报头,
因而占据更大的开销.
同样,顾及到MTU正常连结的最大值(像现在的以太网): 1500byte(除了特别的列
子:9k byte 应用在 Jumbo frames 当中). 最终,如果要传输在第三层数据包中
占10%或20%报头, 这样的IP地址在设计上也就没有意义了.
3. 地址的类型
3.1 没有前缀的地址
Localhost 地址
这是一个特别为loopback interface(回送界面或环绕)定义的地址, 就像IPv4的
"127.0.0.1" 对于IPv6 localhost address 是:
______________________________________________________________
0000:0000:0000:0000:0000:0000:0000:0001
______________________________________________________________
或缩减成
______________________________________________________________
::1
______________________________________________________________
这个地址的数据包将它当作host(主机)发送的来源和目标.
未指明的地址
这是一个在IPv4当中表示 "所有" 或"0.0.0.0". 对于IPv6为:
______________________________________________________________
0000:0000:0000:0000:0000:0000:0000:0000
______________________________________________________________
或者是:
______________________________________________________________
::
______________________________________________________________
这些地址大多 用在/显示 socket 捆绑(到所有IPv6地址)或路由表当中.
注意:未说明的地址不能当成目标地址来使用.
植入了IPv4地址的IPv6地址
它包含了两个地址其中一个为IPv4地址.
IPv4映射IPv6地址
IPv4-only IPv6-compatible 是由IPv6后台产生的有时 用于或显示 sockets .
它只捆绑IPv4地址.
这些地址被定义为拥有长度为96的前缀特殊地址(a.b.c.d 是IPv4地址):
______________________________________________________________
0:0:0:0:0:ffff:a.b.c.d/96
______________________________________________________________
或者使用缩写形式
______________________________________________________________
::ffff:a.b.c.d/96
______________________________________________________________
这些地址也用于自动遂道, 已经被6to4tunneling取代.
3.2 网路部分,也叫做前缀
设计者定义并预留了一部份空间以便于将来遇到像现在这样的需求. RFC 2373
[July 1998] / IP Version 6 Addressing Architecture
(http://rfc.net/rfc2373.html) 定义了现在的地址设计, 但已经有了新的草案
(ftp://ftp.ietf.org/internet-drafts/)draft-ietf-ipngwg-addr-arch-*.txt
让我们来看一下不同的前缀定义(和地址类型):
连结本地地址的类型
这些地址不对外界(Internet)连接有效. 以这些地址为目标的数据包不会通过路
由器. 这种连结用于以下情形:
* 同其它任意一个也使用这个连结的人进行通讯.
* 同其它任意一个拥有特殊地址的连结进行通讯.(例如寻找路由)
它们的地址由以下这些开头("x"是任意的十六进制字符,一般是"0")
______________________________________________________________
fe8x: <- 目前只有这个在用.
fe9x:
feax:
febx:
______________________________________________________________
一个开头为以上这些前缀的地址, 由IPv6没有在界面指定IP地址的时候创立.
目前只有fe80在使用.
本地站点的地址定义
这些地址和IPv4相似(http://rfc.net/rfc1918.html RFC 1918 / Address
Allocation for Private Internets) 它的优势: 只用16bits 就可以定义65536
个子网.同IPv4的10.0.0.0/8相似.
另一个优势:在IPv6的界面上可以定义多个IP地址, 在已有本地站点地址的基础
上还可以加上一个global(全局)地址.
它们的地址由以下这些开头("x"是任意的十六进制字符,一般是"0")
______________________________________________________________
fecx: <- 大多数使用这个
fedx:
feex:
fefx:
______________________________________________________________
Global(全局)地址类型 "(Aggregatable) global unicast"可聚合的全局唯一地址.
今天,只有一个全局地址类型的定义(第一个设计,也是多年以来一直使用的叫做
"provider based," [3]RFC 1884 / IP Version 6 Addressing Architecture
[obsolete]) 您能在早期的核心源代码中找到一些.
它们的地址由以下这些开头("x"是任意的十六进制字符,一般是"0")
______________________________________________________________
2xxx:
3xxx:
______________________________________________________________
注意: 前缀"aggregatable" 被当前的草案抛弃了. 下面有一些更有意义的子类
型定义:
6bone test addresses
这些是最初定义和使用的全局地址. 它们的开头是
______________________________________________________________
3ffe:
______________________________________________________________
例子
______________________________________________________________
3ffe:ffff:100:f102::1
______________________________________________________________
一个无唯一全局化的特别6bone例子
______________________________________________________________
3ffe:ffff:100:f102::1
______________________________________________________________
这些主要都是例子, 因为如果使用真实的地址,可能会有些人将它拷贝&贴上 到
他们自己的配置中去. 从而不注意地复制了全局唯一地址, 这样会导致原来拥有
这个地址的主机产生一些问题(比如,请求的回应包不会被发送.) 您可以从这些
前缀当中申请一个, 看这里: "如何加入6bone" 也有一些在 tunnel brokers 他
们发布用于测试6bone 的地址前缀.
6to4 地址
这些地址是为特别tunneling机制设计的. [4][RFC 3056 / Connection of IPv6
Domains via IPv4 Clouds 和 [5]RFC 2893 / Transition Mechanisms for
IPv6 Hosts and Routers], 给IPv4地址和可能的子网编码并以类似下面的形式
开头:
______________________________________________________________
2002:
______________________________________________________________
例子,重新对192.168.1.1/5编码:
______________________________________________________________
2002:c0a8:0101:5::1
______________________________________________________________
这个shell命令将帮助您用一个IPv4地址产生这样的地址:
______________________________________________________________
ipv4="1.2.3.4"; sla="5"; printf "2002:%02x%02x:%02x%02x:%04x::1" `echo $ipv4 |
tr "." " "` $sla
______________________________________________________________
参照tunneling using 6to4 and information about 6to4 relay routers.
从分级路由分配到的地址
这些地址分配给Internet服务供商(ISP)并且有类似如下的开头:
______________________________________________________________
2001:
______________________________________________________________
主ISP(拥有骨干网路)的前缀是由local registries分配的, 并且现在他们分配
的前缀长度为35.
主ISPs通常分配给下级ISPs的前缀长度为48.
Multicast addresses(多点传送的地址)
Multicast addresses 应用于服务当中.
它们总是有同下面相类似的开头(xx是范围值)
______________________________________________________________
ffxy:
______________________________________________________________
它们有著不同的范围和类型:
Multicast scopes(多点传达送范围)
Multicast scope 是用来定义发送实体的multicast 数据包有效最远传输值的参
数.
通常,下面的范围已经被定义:
* ffx1: 本地节点, 数据包不会离开节点.
* ffx2: 本地连结, 数据包不会被路由,所以它们不会离开这个特别的连结.
* ffx5: 本地站点, 数据包不会离开站点.
* ffx8: 本地组织, 数据包不会离开组织(执行起来不那么容易,必须依靠路由
协议)
* ffxe: 全局范围.
* 其它的都被保留
Multicast(多点传送)类型
许多类型都已经定义/保留(细节请参照 [6]RFC 2373 / IP Version 6
Addressing Architecture). 这里有一些例子:
* 所有节点地址: ID=1h, 所有本地节点主机的地址(ff01:0:0:0:0:0:0:1) 或
已连接好的地址(ff02:0:0:0:0:0:0:1).
* 所有路由地址:ID=2h,所有本地节点的路由地址(ff01:0:0:0:0:0:0:2), 已
连接的(ff02:0:0:0:0:0:0:2), 或本地站点(ff05:0:0:0:0:0:0:2).
Solicited node link-local multicast address(本地多播请求的节点地址)
在neighborhood discovery(多播发现)中当成目标地址使用的特别多播地址.
与IPv4不同,ARP(地址解析协议)将不在IPv6中使用.
例子:
______________________________________________________________
ff02::1:ff00:1234
______________________________________________________________
使用前缀表示它是一个本地多播地址, 后缀由目标地址产生. 这个例子当中将有
一个数据包发往"fe80::1234", 但是网路堆栈并不知道第二层的MAC(多媒体通
路). 它将上部份的104 bits 更改为 "ff02:0:0:0:0:1:ff00::/104" 下部分24
bits 不变. 现在这个地址以on-link(在线)的形式寻找相应的节点(这个节点应
当发送了包含有第二层 MAC 地址的回应包)
Anycast addresses(随播地址)
Anycast addresses是一个特别的地址, 它用于邻近的DNS或DHCP服务, 或用于相
似的dynamic groups(动态组群). 地址从 unicast address (单播地
址aggregatable global or site-local at the moment)空间中取得. 随播地址
的机制(从客户端的观点来看)由动态路由协议控制.
注意:随播地址不能成为作为来源地址, 它必需以目标地址的身份出现.
Subnet-router Anycast addresses(子网路随播路由器)
一个Subnet-router Anycast addresses的例子. 假设一个分配了如下IPv6地址
的节点:
______________________________________________________________
3ffe:ffff:100:f101:210:a4ff:fee3:9566/64 <- 节点的地址
______________________________________________________________
Subnet-router将使用没有后缀的地址 (least significant 64 bits):
______________________________________________________________
3ffe:ffff:100:f101::/64 <- subnet-router anycast address
______________________________________________________________
3.3 地址类型(主机)
因为自动的配制/随机分配,在当前的地址类型中主机使用更低的 64 bits地址.
因此每个subnet(子网)可以拥有大量的地址.
主机的地址分配可以有如下几种形式:
自动分配(also known as stateless)
在自动分配当中,主机的地址由界面的MAC地址决定. 使用EUI-64方法,指定一
个IPv6 地址. 如果没有可用的MAC(如:虚拟设备), 就用其它的代替(如IPv4地址
或物理界面的MAC地址)
再看一下前面的例子:
______________________________________________________________
3ffe:ffff:100:f101:210:a4ff:fee3:9566
______________________________________________________________
这里:
______________________________________________________________
210:a4ff:fee3:9566
______________________________________________________________
主机地址由NIC的MAC地址决定:
______________________________________________________________
00:10:A4:E3:95:66
______________________________________________________________
用 [7]IEEE-Tutorial EUI-64 作为EUI-48 的标识符.
自动分配带来的隐私问题
因为自动分配的是唯一地址,客户端在不通过任何代理的情况下容易被跟踪. 这
是个公认的问题,它的解决方法是:privacy extension,定义于 [8]RFC 3041 /
Privacy Extensions for Stateless Address Autoconfiguration in IPv6 这
里也有一个草案: [9]draft-ietf-ipngwg-temp-addresses-*.txt 使用不同的静
态数值, 每次产生一个新的后缀. 注意: 只对client 的连接有效, 对于servers
没有什么用处.
手动设定
对于servers来说, 大概很容易记起简单的地址. 同时也可以向它的界面添加一
个IPv6地址:
______________________________________________________________
3ffe:ffff:100:f101::1
______________________________________________________________
手动设定的后缀为"::1",例子当中最重要的第6 bits设定为"0", 它为anycast
addresses(任意传送地址)保留 (the universal/local bit of the
automatically generated identifier).
3.4 路由的前缀长度
在早期设计阶级,使用完全分离的路由分级来最大层度地缩小路由表. 论证的方
法是使用当前IPv4的核心路由数目(> 104 thousand in May 2001) 减少硬体记
忆体的需求来控制路由表和速度(较少的个数使查找速度加快).
前缀长度(也叫做子网路遮罩)
同IPv4相似, 网路产生可路由的路径. 因为128 bits标准的netmasks 看起来不
怎么样. 设计者借鉴了IPv4的风格: Classless Inter Domain Routing (CIDR
[10]RFC 1519 / Classless Inter-Domain Routing) 它们是用于IP地址路由
的bits号码. 也叫做"/"
例子:
______________________________________________________________
3ffe:ffff:100:1:2:3:4:5/48
______________________________________________________________
它们可以被扩展成:
______________________________________________________________
网路:
3ffe:ffff:0100:0000:0000:0000:0000:0000
______________________________________________________________
______________________________________________________________
子网路遮罩:
ffff:ffff:ffff:0000:0000:0000:0000:0000
______________________________________________________________
Matching a route(路由匹配)
在一般情况下(no QoS), 在路由表里查找一个重要的地址数值意味著路由前缀的
长度必需先匹配.
例子, 如果路由表像下面那样(清单未完全例出):
______________________________________________________________
3ffe:ffff:100::/48 :: U 1 0 0 sit1
2000::/3 ::192.88.99.1 UG 1 0 0 tun6to4
______________________________________________________________
IPv6的目标地址将被下面的设备路由:
______________________________________________________________
3ffe:ffff:100:1:2:3:4:5/48 -> routed through device sit1
3ffe:ffff:200:1:2:3:4:5/48 -> routed through device tun6to4
______________________________________________________________
4. 准备IPv6的运行系统
4.1 IPv6-ready kernel
现在的Linux发行版的核心都具备了运行IPv6的条件. IPv6功能被编译成一个可
载入模组. 在一般情况下模组不会在开机的时候自动载入.
参照更新的资讯: [11]IPv6+Linux-Status-Distribution
检察现在的系统是否支持IPv6
注意您的/proc-file-system.必需有如下的结构:
______________________________________________________________
/proc/net/if_inet6
______________________________________________________________
一个简单的测试:
______________________________________________________________
# test -f /proc/net/if_inet6 && echo "Running kernel is IPv6 ready"
______________________________________________________________
如果失败, 表明模组没有载入.
试著载入模组
执行载入模组的命令:
______________________________________________________________
# modprobe ipv6
______________________________________________________________
如果成功, 模组会在列表中显示,执行如下命令:
______________________________________________________________
# lsmod |grep -w 'ipv6' && echo "IPv6 module successfully loaded"
______________________________________________________________
让模组自动载入
模组是可以自动载入的,只要在核心模组设定文件( /etc/modules.conf 或
/etc/conf.modules)中加入:
______________________________________________________________
alias net-pf-10 ipv6 # automatically load IPv6 module on demand
______________________________________________________________
也可以关掉IPv6模组的自动载入:
______________________________________________________________
alias net-pf-10 off # disable automatically load of IPv6 module on demand
______________________________________________________________
编译有 IPv6 功能的核心
如果以上两个结果都证实了核心不具有IPv6功能, 您可以有如下选择:
* 升级成外包装有IPv6支持说明的Linux发行版(推荐新手使用)再看一下这里:
[12]IPv6+Linux-Status-Distribution
* 编译一个新的vanilla核心(如果您知道该怎么选择,会比较简单).
* 重新编译您现在拥有的发行版核心(不太容易).
* 将核心同 USAGI 的扩展一起编译.
如果您决定编译一个核心,您必需读过 [13]Linux Kernel HOWTO. 以及这方面的
经验.
注意:您必需使用核心2.4.x系列或更高. 因为IPv6对2.2.x系列缺少相应的支持.
并且需要ICMPv6 和 6to4 支持的补丁.(补丁可以在 [14]kernel series 2.2.x
IPv6 patches找到).
将核心同 USAGI 的扩展一起编译.
只推荐熟悉核心编译和IPv6的用户使用. 参照: [15]USAGI project / FAQ.
IPv6-ready network devices
不是所有的设备都有能力传输IPv6数据包, 这里有一个现状表: [16]
IPv6+Linux-status-kernel.html#transport.
现阶段不会支持IPv6的连结
* Serial Line IP (SLIP, [17]RFC 1055), should be better called now
to SLIPv4, device named: slX
* Parallel Line IP (PLIP), same like SLIP, device names: plipX
* ISDN with encapsulation rawip, device names: isdnX
在将来都不会支持IPv6的设备
* ISDN with encapsulation syncppp, device names: ipppX (design issue
of the ipppd, will be merged into more general PPP layer in kernel
series 2.5.x)
4.2 IPv6-ready 网路设定工具
别扯太远了, 如果您有一个正在运行IPv6的核心,怎么会没有设定的工具呢? 安
装包里早就有几个这样的工具了.
net-tools package
net-tools package 包含一些工具如: ifconfig ,route. 这些可以令您在界面
上设定IPv6. 在命令行(shell) 用ifocnig -? 或 route -? 查看诸如IPv6 或
inet6.如果有,则说明具备IPv6设定能力.
输入以下命令进行检查:
______________________________________________________________
# /sbin/ifconfig -? 2>& 1|grep -qw 'inet6' && echo "utility 'ifconfig' is
?IPv6-ready"
______________________________________________________________
也可以使用route:
______________________________________________________________
# /sbin/route -? 2>& 1|grep -qw 'inet6' && echo "utility 'route' is IPv6-ready"
______________________________________________________________
iproute package
Alexey N. Kuznetsov (Linux 网路代码现阶段的维护者) 写了一个tool-set可
以通过netlink 设备来设定网路.它可以比net-tool提供更多的功能, 但没有多
少文档并且它不是为胆小的人设计的.
______________________________________________________________
# /sbin/ip 2>&1 |grep -qw 'inet6' && echo "utility 'ip' is IPv6-ready"
______________________________________________________________
如果没有找到 /sbin/ip 那么我极力推荐您安装iproute package.
* 可以在您的发行版中找到(如果有的话)
* 在 [18]Original FTP source下载并编译它.
* 直接可以安装的RPM包: [19]RPMfind/iproute (推荐编译 SRPMS )
4.3 IPv6-ready 测试/调式 程式
在为IPv6准备好了系统后,您可以用IPv6进行网路通讯. 首先您必需学习如何用
嗅探程式来检查IPv6数据包. 强烈推荐这样做,因为
在debugging/troubleshooting 中有利于快速诊断.
IPv6 ping
这个程式一般在iputils包里, 用来测试简单传输发送 ICMPv6 回应请求并等
待ICMPv6 回应包.
用法:
______________________________________________________________
# ping6 < hostwithipv6address >
# ping6 < ipv6address >
# ping6 [-I < device >] < link-local-ipv6address >
______________________________________________________________
例子:
______________________________________________________________
# ping6 -c 1 ::1
PING ::1(::1) from ::1 : 56 data bytes
64 bytes from ::1: icmp_seq=0 hops=64 time=292 usec
--- ::1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/mdev = 0.292/0.292/0.292/0.000 ms
______________________________________________________________
提示 ping6必需有适当的root权限才能使用, 如果不是root组用户,使用时可能
产生问题:
1.ping6 不在用户的路径当中 (probably, because ping6 is generally
stored in /usr/sbin -> add path (not really recommended)
2.ping6 不能被正确执行, 通常没有适当的权限 chmod u+s /usr/sbin/ping6
为ping6指定界面
用local-addresses 作为ping6 目标必需指定一个界面. 否则核心将不知道数据
包发往哪个设备. 在没有指定的情况下会有这样的输出:
______________________________________________________________
# ping6 fe80::212:34ff:fe12:3456
connect: Invalid argument
______________________________________________________________
为ping6指定界面的结果:
______________________________________________________________
# ping6 -I eth0 -c 1 fe80::2e0:18ff:fe90:9205
PING fe80::212:23ff:fe12:3456(fe80::212:23ff:fe12:3456) from
?fe80::212:34ff:fe12:3478 eth0: 56 data bytes
64 bytes from fe80::212:23ff:fe12:3456: icmp_seq=0 hops=64 time=445 usec
--- fe80::2e0:18ff:fe90:9205 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss round-trip
?min/avg/max/mdev = 0.445/0.445/0.445/0.000 ms
______________________________________________________________
Ping6 to multicast addresses(多播地址)
一个发现IPv6-active hosts 的比较有趣的机制:
______________________________________________________________
# ping6 -I eth0 ff02::1 PING ff02::1(ff02::1) from fe80:::2ab:cdff:feef:0123 et
h0: 56 data bytes
64 bytes from ::1: icmp_seq=1 ttl=64 time=0.104 ms
64 bytes from fe80::212:34ff:fe12:3450: icmp_seq=1 ttl=64 time=0.549 ms (DUP!)
______________________________________________________________
与IPv4不同的是, ping 的回应在广播地址中是可以屏蔽的,目前只有IPv6防火墙
可以做到.
IPv6 traceroute6
这个程式一般在iputils包里, 和IPv4的traceroute程式相似, 但与当前版本不
同的是IPv6不能正确地使用ICMP echo-request. 看下面这个例子:
______________________________________________________________
# traceroute6 www.6bone.net
traceroute to 6bone.net (3ffe:b00:c18:1::10) from 3ffe:ffff:0000:f101::2, 30
?hops max, 16 byte packets
1 localipv6gateway (3ffe:ffff:0000:f101::1) 1.354 ms 1.566 ms 0.407 ms
2 swi6T1-T0.ipv6.switch.ch (3ffe:2000:0:400::1) 90.431 ms 91.956 ms 92.377 ms
3 3ffe:2000:0:1::132 (3ffe:2000:0:1::132) 118.945 ms 107.982 ms 114.557 ms
4 3ffe:c00:8023:2b::2 (3ffe:c00:8023:2b::2) 968.468 ms 993.392 ms 973.441 ms
5 3ffe:2e00:e:c::3 (3ffe:2e00:e:c::3) 507.784 ms 505.549 ms 508.928 ms
6 www.6bone.net (3ffe:b00:c18:1::10) 1265.85 ms * 1304.74 ms
______________________________________________________________
IPv6 tracepath6
这个程式一般在iputils包里, 它用来追踪MTU的路径.看下面的例子:
______________________________________________________________
# tracepath6 www.6bone.net
1?: [LOCALHOST] pmtu 1480
1: 3ffe:401::2c0:33ff:fe02:14 150.705ms
2: 3ffe:b00:c18::5 267.864ms
3: 3ffe:b00:c18::5 asymm 2 266.145ms pmtu 1280
3: 3ffe:3900:5::2 asymm 4 346.632ms
4: 3ffe:28ff:ffff:4::3 asymm 5 365.965ms
5: 3ffe:1cff:0:ee::2 asymm 4 534.704ms
6: 3ffe:3800::1:1 asymm 4 578.126ms !N
Resume: pmtu 1280
______________________________________________________________
IPv6 tcpdump
在Linux作业系统中 tcpdump 是主要的数据包捕获工具.IPv6支持 3.6 的版本.
tcpdump用于降低数据包杂讯的参数:
* icmp6: 过滤本地ICMPv6通讯.
* ip6: 过滤本地IPv6通讯.(包括 ICMPv6)
* proto ipv6: filters tunneled IPv6-in-IPv4 traffic
* not port ssh: 在远程SSH会话中禁止SSH数据包的显示. to suppress
displaying SSH packets for running tcpdump in a remote SSH session
使用命令行参数也可以从一个数据包中捕获/列印资讯.
* "-s 512": 增加捕获限定为512 bytes.
* "-vv": 详细列印.
* "-n": 不将地址转换成名称,在名称服务有问题时可以用到.
IPv6 ping to 3ffe:ffff:100:f101::1 native over a local link
______________________________________________________________
# tcpdump -t -n -i eth0 -s 512 -vv ip6 or proto ipv6
tcpdump: listening on eth0
3ffe:ffff:100:f101:2e0:18ff:fe90:9205 > 3ffe:ffff:100:f101::1: icmp6: echo
?request (len 64, hlim 64)
3ffe:ffff:100:f101::1 > 3ffe:ffff:100:f101:2e0:18ff:fe90:9205: icmp6: echo
?reply (len 64, hlim 64)
______________________________________________________________
IPv6 ping to 3ffe:ffff:100::1 routed through an IPv6-in-IPv4-tunnel
1.2.3.4和5.6.7.8是遂道的终点(这些都是例子).
______________________________________________________________
# tcpdump -t -n -i ppp0 -s 512 -vv ip6 or proto ipv6
tcpdump: listening on ppp0
1.2.3.4 > 5.6.7.8: 2002:ffff:f5f8::1 > 3ffe:ffff:100::1: icmp6: echo request
?(len 64, hlim 64) (DF) (ttl 64, id 0, len 124)
5.6.7.8 > 1.2.3.4: 3ffe:ffff:100::1 > 2002:ffff:f5f8::1: icmp6: echo reply (len
?64, hlim 61) (ttl 23, id 29887, len 124)
1.2.3.4 > 5.6.7.8: 2002:ffff:f5f8::1 > 3ffe:ffff:100::1: icmp6: echo request
?(len 64, hlim 64) (DF) (ttl 64, id 0, len 124)
5.6.7.8 > 1.2.3.4: 3ffe:ffff:100::1 > 2002:ffff:f5f8::1: icmp6: echo reply (len
?64, hlim 61) (ttl 23, id 29919, len 124)
______________________________________________________________
4.4 IPv6-ready programs(能和IPv6协同工作的程式)
在当前的发行版中已经包含了能和IPv6协同工作的程式(服务端/客户端)
参照: [20]IPv6+Linux-Status-Distribution.
或者检查 [21]
http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-apps.html
一些可用程式的线索: [22]IPv6 & Linux - HowTo - Part 3或 [23]IPv6 &
Linux - HowTo - Part 4.
4.5 IPv6-ready 客户端程式 (selection)
想要进行下面的测试, 您的作业系统必需拥有IPv6能力. 有些例子是真实地连结
了6bone的情况下做的.
检查DNS对IPv6地址的解析能力
因为这几年Domain Name System (DNS)安全的不断升级, 它们中的大部份都具备
了对IPv6 地址类型AAAA的解析能力. (新的类型A6 只有BIND9和更高的版本支
持)检查DNS对IPv6地址的解析能力:
______________________________________________________________
# host -t AAAA www.join.uni-muenster.de
______________________________________________________________
将得到下面的结果:
______________________________________________________________
www.join.uni-muenster.de. is an alias for ns.join.uni-muenster.de.
ns.join.uni-muenster.de. has AAAA address 3ffe:400:10:100:201:2ff:feb5:3806
______________________________________________________________
IPv6-ready telnet clients
IPv6-ready telnet 客户端. 对它进行一个简单的测试:
______________________________________________________________
$ telnet 3ffe:400:100::1 80
Trying 3ffe:400:100::1...
Connected to 3ffe:400:100::1.
Escape character is '^]'.
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Sun, 16 Dec 2001 16:07:21
GMT Server: Apache/2.0.28 (Unix)
Last-Modified: Wed, 01 Aug 2001 21:34:42 GMT
ETag: "3f02-a4d-b1b3e080"
Accept-Ranges: bytes
Content-Length: 2637
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Connection closed by foreign host.
______________________________________________________________
如果telnet只出现"cannot resolve hostname", 说明作业系统的IPv6还未激活.
openssh
openssh已经支持IPv6, 但必需对它用以下的参数进行编译后才能使用:
* --without-ipv4-default: the client tries an IPv6 connect first
automatically and fall back to IPv4 if not working
* --with-ipv4-default: default connection is IPv4, IPv6 connection
must be force like following example shows:
______________________________________________________________
$ ssh -6 ::1
user@::1's password: ******
[user@ipv6host user]$
______________________________________________________________
如果您的ssh不能对 -6 进行反应, 可能作业系统的IPv6还未激活,或ssh的版本
太低.
ssh.com
他们的客户/服务端程式是免费的.
IPv6-ready web 流览器
目前支持IPv6的web 流览器列表: [24]IPv6+Linux-status-apps.html#HTTP.
这些流览器大部份都存在问题:
* 如果 proxy(代理)只支持IPv4, IPv6的请求将会失败. 方法: 升级proxy
* Automatic proxy settings (*.pac) 不能对IPv6的不同请求进行适当的处
理 (written in Java-script and well hard coded in source like to
be seen in Maxilla source code).
一些早期的版本不能对IPv6地址进行正确的操作, 如: [25]
http://[3ffe:400:100::1]/
一个小测试,显示在没有代理的情况下的 URL 和 流览器.
URLs for testing
测试IPv6最方便的方法是访问: [26]http://www.kame.net/. 如果海龟是活动
的, 说明连接是通过IPv6进行的, 它不动的话, 说明连接是通过IPv4进行的.
4.6 IPv6-ready server 程式
包括:sshd, httpd, telnetd,
5. 设定interfaces(界面)
5.1 不同的网路设备
一个节点存在不同的网路设备, 可以对它们进行如下分类:
* Physically bounded, like eth0, tr0
* Virtually existing, like ppp0, tun0, tap0, sit0, isdn0, ippp0
Physically bounded(物理绑定)
包括 Ethernet 或者 Token-Ring 它们不需要特别的处理.
Virtually bounded(虚拟绑定)
需要特别的支持.
IPv6-in-IPv4 tunnel interfaces
这个interfaces(界面)也称作sitx, sit 是"Simple Internet Transition" 的
缩写. 它可以将IPv6的数据包塞进IPv4, 通过IPv4到达另一个地点.
sit0 不能使用在专用的tunnels 上.
5.1.2.2. PPP interfaces
PPP interfaces 从IPv6 enabled PPP daemon 那里获得 IPv6 的能力.
5.1.2.3. ISDN HDLC interfaces
具有IP封装的HDLC IPv6 能力以经包含在核心当中.
5.1.2.4. ISDN PPP interfaces
目前不支持 ISDN PPP interfaces (ippp) aren't IPv6 enabled by kernel.
Also there are also no plans to do that because in kernel 2.5.+ they
will be replaced by a more generic ppp interface layer.
5.1.2.5. SLIP + PLIP
目前不支持Like mentioned earlier, this interfaces don't support IPv6
transport (sending is OK, but dispatching on receiving don't work).
5.1.2.6. Ether-tap device
Ether-tap devices使用自动的设定.在使用之前先将 "ethertap" 模组挂进来.
5.1.2.7. tun devices
就连我都还没试过呢! Currently not tested by me.
5.1.2.8. ATM
01/2002: vanilla的核心目前不支持, USAGI 的扩展支持ATM-IPv6
5.1.2.9. 其它的
我漏掉了什么?
5.2 Bringing interfaces up/down(设定界面的开/关)
使用 "ip"
使用方法:
______________________________________________________________
# ip link set dev <interface> up
# ip link set dev <interface> down
______________________________________________________________
例子:
______________________________________________________________
# ip link set dev eth0 up
# ip link set dev eth0 down
______________________________________________________________
使用 "ifconfig"
使用方法:
______________________________________________________________
# /sbin/ifconfig <interface> up
# /sbin/ifconfig <interface> down
______________________________________________________________
例子:
______________________________________________________________
# /sbin/ifconfig eth0 up
# /sbin/ifconfig eth0 down
______________________________________________________________
6. 设定IPv6地址
6.1 列印当前的IPv6地址
使用 "ip"
使用方法:
______________________________________________________________
# /sbin/ip -6 addr show dev <interface>
______________________________________________________________
例子:一个静态的主机地址
______________________________________________________________
# /sbin/ip -6 addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_ fast qlen 100
inet6 fe80::210:a4ff:fee3:9566/10 scope link
inet6 3ffe:ffff:0:f101::1/64 scope global
inet6 fec0:0:0:f101::1/64 scope site
______________________________________________________________
自动设定的地址和它的存活时间:
______________________________________________________________
# /sbin/ip -6 addr show dev eth0
3: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen
? 100
inet6 2002:d950:f5f8:f101:2e0:18ff:fe90:9205/64 scope global dynamic
valid_lft 16sec preferred_lft 6sec
inet6 3ffe:400:100:f101:2e0:18ff:fe90:9205/64 scope global dynamic
valid_lft 2591997sec preferred_lft 604797sec inet6 fe80::2e0:18ff:fe90:9205/10
? scope link
______________________________________________________________
使用 "ifconfig"
使用方法:
______________________________________________________________
# /sbin/ifconfig <interface>
______________________________________________________________
例子, 它只列印IPv6地址:
______________________________________________________________
# /sbin/ifconfig eth0 |grep "inet6 addr:"
inet6 addr: fe80::210:a4ff:fee3:9566/10 Scope:Link
inet6 addr: 3ffe:ffff:0:f101::1/64 Scope:Global
inet6 addr: fec0:0:0:f101::1/64 Scope:Site
______________________________________________________________
6.2 增加一个IPv6地址
其原理同IPv4的"IP ALIAS"(IP别名)相同
使用 "ip"
使用方法:
______________________________________________________________
# /sbin/ip -6 addr add <ipv6address>/<prefixlength> dev <interface>
______________________________________________________________
例子:
______________________________________________________________
# /sbin/ip -6 addr add 3ffe:ffff:0:f101::1/64 dev eth0
______________________________________________________________
使用 "ifconfig"
使用方法:
______________________________________________________________
# /sbin/ifconfig <interface> inet6 add <ipv6address>/<prefixlength>
______________________________________________________________
例子:
______________________________________________________________
# /sbin/ifconfig eth0 inet6 add 3ffe:ffff:0:f101::1/64
______________________________________________________________
6.3 移除IPv6地址
这个不常用, 不要用它移除不存在的地址, 一些早期的核心会因为受不了而挂
掉.
使用 "ip"
使用方法:
______________________________________________________________
# /sbin/ip -6 addr del <ipv6address>/<prefixlength> dev <interface>
______________________________________________________________
例子:
______________________________________________________________
# /sbin/ip -6 addr del 3ffe:ffff:0:f101::1/64 dev eth0
______________________________________________________________
使用 "ifconfig"
使用方法:
______________________________________________________________
# /sbin/ifconfig <interface> inet6 del <ipv6address>/<prefixlength>
______________________________________________________________
例子:
______________________________________________________________
# /sbin/ifconfig eth0 inet6 del 3ffe:ffff:0:f101::1/64
______________________________________________________________
7. 设定IPv6路由
7.1 列印现有的路由
使用"ip"
使用方法:
______________________________________________________________
# /sbin/ip -6 route show [dev <device>]
______________________________________________________________
例子:
______________________________________________________________
# /sbin/ip -6 route show dev eth0
3ffe:ffff:0:f101::/64 proto kernel metric 256 mtu 1500 advmss 1440
fe80::/10 proto kernel metric 256 mtu 1500 advmss 1440
ff00::/8 proto kernel metric 256 mtu 1500 advmss 1440
default proto kernel metric 256 mtu 1500 advmss 1440
______________________________________________________________
使用 "route"
使用方法:
______________________________________________________________
# /sbin/route -A inet6
______________________________________________________________
例子:在同一个界面上不同的IPv6路由.
______________________________________________________________
# /sbin/ip -6 route show dev eth0
# /sbin/route -A inet6 |grep -w "eth0"
3ffe:ffff:0:f101 ::/64 :: UA 256 0 0 eth0 <- Interface route for global
? address
fe80::/10 :: UA 256 0 0 eth0 <- Interface route for link-local
? address
ff00::/8 :: UA 256 0 0 eth0 <- Interface route for all multicast
? addresses
::/0 :: UDA 256 0 0 eth0 <- Automatic default route
______________________________________________________________
7.2 设定IPv6路由通过闸道
使用"ip"
使用方法:
______________________________________________________________
# /sbin/ip -6 route add <ipv6network>/<prefixlength> via <ipv6address>
? [dev <device>]
______________________________________________________________
例子:
______________________________________________________________
# /sbin/ip -6 route add 2000::/3 via 3ffe:ffff:0:f101::1
______________________________________________________________
使用 "route"
使用方法:
______________________________________________________________
# /sbin/route -A inet6 add <ipv6network>/<prefixlength> gw
? <ipv6address> [dev <device>]
______________________________________________________________
例子:为当前所有的(全局地址global addresses 2000::/3)址通过闸
道3ffe:ffff:0:f101::1
______________________________________________________________
# /sbin/route -A inet6 add 2000::/3 gw 3ffe:ffff:0:f101::1
______________________________________________________________
7.3 移除 IPv6路由通过闸道
使用"ip"
使用方法:
______________________________________________________________
# /sbin/ip -6 route del <ipv6network>/<prefixlength> via <ipv6address>
? [dev <device>]
______________________________________________________________
例子:
______________________________________________________________
# /sbin/ip -6 route del 2000::/3 via 3ffe:ffff:0:f101::1
______________________________________________________________
使用 "route"
使用方法:
______________________________________________________________
# /sbin/route -A inet6 del <network>/<prefixlength> [dev <device>]
______________________________________________________________
例子:移除前所有的(全局地址global addresses 2000::/3)址通过闸
道3ffe:ffff:0:f101::1
______________________________________________________________
# /sbin/route -A inet6 del 2000::/3 gw 3ffe:ffff:0:f101::1
______________________________________________________________
7.4 增加IPv6路由至interface(界面)
使用 "ip"
使用方法:
______________________________________________________________
# /sbin/ip -6 route add <ipv6network>/<prefixlength> dev <device>
? metric 1
______________________________________________________________
例子:
______________________________________________________________
# /sbin/ip -6 route add 2000::/3 dev eth0 metric 1
______________________________________________________________
使用 "route"
使用方法:
______________________________________________________________
# /sbin/route -A inet6 add <network>/<prefixlength> dev <device>
______________________________________________________________
例子:
______________________________________________________________
# /sbin/route -A inet6 add 2000::/3 dev eth0
______________________________________________________________
7.5 从interface(界面)移除IPv6路由
使用 "ip"
使用方法:
______________________________________________________________
# /sbin/ip -6 route del <ipv6network>/<prefixlength> dev <device>
? metric 1
______________________________________________________________
例子:
______________________________________________________________
# /sbin/ip -6 route del 2000::/3 dev eth0
______________________________________________________________
使用 "route"
使用方法:
______________________________________________________________
# /sbin/route -A inet6 del <network>/<prefixlength> dev <device>
______________________________________________________________
例子:
______________________________________________________________
# /sbin/route -A inet6 del 2000::/3 dev eth0
______________________________________________________________
7.6 FAQ for IPv6 routes(IPv6 路由的经常问答)
Support of an IPv6 default route
IPv6的一个方法是hierachical routing(分级路由).因此,分级当中最少需要一
个路由.
在目前的核心中有一些问题:
Clients (not routing any packet!)没有任何数据包被路由.
Clinets 可以设定一个缺省的prefix "::/0"(前缀为 ::/0 的路由).
______________________________________________________________
# ip -6 route show | grep ^default
default via fe80::212:34ff:fe12:3450 dev eth0 proto kernel metric 1024 expires
? 29sec mtu 1500 advmss 1440
______________________________________________________________
Routers on packet forwarding (路由包转寄)
目前主流的Linux核心(最少是 <=2.4.17) 不支持缺省路由. 您可以设定它们,但
在发送数据包时环绕会失败. 所以,目前的缺省路由可以被设定成 前缀
为"2000::/3"的 global (全局地址). USAGI 对这个有著良好的支持.
注意: 注意没有地址筛选的边缘路由器的缺省路由, 不然会有多余的multicast
或 site-local 传输从边缘溢出.
8. Neighbor Discovery(发现芳邻)
IPv6 的 Neighbor Discovery继承了IPv4 的 ARP (Address Resolution
Protocol地址解析协议). 您可以重新得到芳邻的资讯. 并且可以编辑/删除它.
Neighbor detection(对芳邻进行探测)
核心负责对探测成功的芳邻进行追踪. 您可以用 "ip" 来挖掘其中的信息.
8.1 Displaying neighbors using "ip" (用"ip"命令列印芳邻)
使用以下的命令,您可以知道芳邻的设定.
______________________________________________________________
# ip -6 neigh show [dev <device>]
______________________________________________________________
下面的例子当中列印了一个芳邻,它是一个可到达的路由器.
______________________________________________________________
# ip -6 neigh show
fe80::201:23ff:fe45:6789 dev eth0 lladdr 00:01:23:45:67:89 router nud reachable
______________________________________________________________
8.2 用 "ip" 对芳邻的列印表进行处理
用以下的命令可以加入一个entry(列印项)
______________________________________________________________
# ip -6 neigh add <IPv6 address> lladdr <link-layer address> dev <device>
______________________________________________________________
例子:
______________________________________________________________
# ip -6 neigh add fec0::1 lladdr 02:01:02:03:04:05 dev eth0
______________________________________________________________
用以下的命令可以移除一个entry(列印项)
______________________________________________________________
# ip -6 neigh del <IPv6 address> lladdr <link-layer address> dev <device>
______________________________________________________________
例子:
______________________________________________________________
# ip -6 neigh del fec0::1 lladdr 02:01:02:03:04:05 dev eth0
______________________________________________________________
更高阶的设定
"ip"工具非常强大, 但没有足够的帮助资讯.
______________________________________________________________
# ip -6 neigh help
Usage: ip neigh { add | del | change | replace } { ADDR [ lladdr LLADDR ]
[ nud { permanent | noarp | stale | reachable } ]
| proxy ADDR } [ dev DEV ]
ip neigh {show|flush} [ to PREFIX ] [ dev DEV ] [ nud STATE ]
______________________________________________________________
有点像IPv4的列印, 如果您知道它的详细用法,请帮我 send 一份过来.
9. Configuring IPv6-in-IPv4 tunnels(设定遂道)
9.1 遂道的类型
将IPv6数据包传输到IPv4连结不只有一种可能.
Static point-to-point tunneling: 6bone (以点对点方式构建的遂道)
IPv6和IPv4的遂道定义在 [27]RFC 2893 / Transition Mechanisms for IPv6
Hosts and Routers
必备条件:
* 遂道另一端的IPv4地址必需是static(静态的).global unique and
reachable from the foreign tunnel endpoint
* 您以经拥有的一个global IPv6 prefix(前缀),参照 6bone registry.
* 有一个可以将您的IPv6 prefix 路由到本地端的外界tunnel端(通常需要进
行远端操作)
Automatically tunneling(遂道操作自动化)
当一个节点直接同另一个节点进行连结,在得到节点IPv4地址之前,节点就会执行
遂道操作自动化.
6to4-Tunneling(遂道操作)
它使用一个简单的机制实行Tunneling(遂道操作) [28]RFC 3056 / Connection
of IPv6 Domains via IPv4 Clouds. 每个节点的global unique IPv4 (唯一全
局地址)可以成为 6to4 tunnel 的终点(如果没有IPv4防火墙限制通讯).
6to4-Tunneling(遂道操作)不是专用于一对一的遂道, 这个案例可以分开针
对upstream and downstream (上级和下级)的遂道操作. 同样,一个特别的IPv6
地址会指出这个节点使用6to4-Tunnel同全世界的 IPv6 网路进行连结.
Generation of 6to4 prefix(产生6to4的前缀).
6to4 的地址像下面这样定义:(源自 [29]RFC 3056 / Connection of IPv6
Domains via IPv4 Clouds)
______________________________________________________________
__________________________________________________________________
| 3+13 | 32 | 16 | 64 bits |
+---+------+-----------+--------+--------------------------------+
| FP+TLA | V4ADDR | SLA ID | Interface ID |
| 0x2002 | | | |
+---+------+-----------+--------+--------------------------------+
______________________________________________________________
FP是global addresses(全局地址)的前缀. TLA是top level aggregator(最高层
集) V4ADDR是IPv4全局唯一地址((in hexadecimal notation). SLA是子网路标
致(65536 local subnets possible). 这些前缀产生时的SLA 为"0000" 后缀是
"::1" 并分配到6to4 tunnel interface(界面).
6to4 upstream tunneling(上级遂道操作)
节点知道向哪里发送含有IPv6数据包的IPv4数据包. 早期的6to4遂道,必需设定
一个专用的上级路由器接受这种操作. 参照 [30]NSayer's 6to4 information
里的路由列印. 现在 6to4上级路由器可以使用anycast address 192.88.99.1
它由后台的路由协议控制. 参照 [31]RFC 3068 / An Anycast Prefix for 6to4
Relay Routers
6to4 downstream tunneling(下级遂道操作)
The downstream (6bone -> your 6to4 enabled node) is not really fix and
can vary from foreign host which originated packets were send to.
There exist two possibilities: 它还没有正式修正对数据包来源的确定, 存
在以下两种可能:
* 外部主机直接使用6to4把IPv6数据包发回给您.
* 外部主机通过全球IPv6网路, 依靠动态路建立一个automatic tunnel 由
将IPv6数据包发回给您.
Possible 6to4 traffic(6to4的几种通讯方法)
* 从 6to4 到 6to4: 通常在两个 6to4 enabled 主机之间直接进行遂道操作
tunneled between the
* 从 6to4 到 non-6to4: 通过上级遂道操作发送数据包.
* 从 non-6to4 到 6to4: 通过下级遂道操作发送数据包.
9.2 列印现存的tunnels(遂道)
使用 "ip"
用法:
______________________________________________________________
# /sbin/ip -6 tunnel show [<device>]
______________________________________________________________
例子:
______________________________________________________________
# /sbin/ip -6 tunnel show
sit0: ipv6/ip remote any local any ttl 64 nopmtudisc
sit1: ipv6/ip remote 195.226.187.50 local any ttl 64
______________________________________________________________
使用 "route"
用法:
______________________________________________________________
# /sbin/route -A inet6
______________________________________________________________
例子:只列印从sit0界面通过的遂道.
______________________________________________________________
# /sbin/route -A inet6 | grep "\Wsit0\W*$"
::/96 :: U 256 2 0 sit0
2002::/16 :: UA 256 0 0 sit0
2000::/3 ::193.113.58.75 UG 1 0 0 sit0
fe80::/10 :: UA 256 0 0 sit0
ff00::/8 :: UA 256 0 0 sit0
______________________________________________________________
9.3 Setup of point-to-point tunnel(设定点对点的遂道)
有3种方法可以加入/移除point-to-point tunnel
Add point-to-point tunnels (加入)
使用 "ip"
目前针对少量tunnels的方法
设定tunnel device (它不会立既启用.TTL必需指定, 因为初始值是0)
______________________________________________________________
# /sbin/ip tunnel add < device > mode sit ttl < ttldefault > remote
? < ipv4addressofforeigntunnel > local < ipv4addresslocal >
______________________________________________________________
用法(这个例子中有三个遂道)
______________________________________________________________
# /sbin/ip tunnel add sit1 mode sit ttl <ttldefault> remote
? <ipv4addressofforeigntunnel1> local <ipv4addresslocal>
# /sbin/ip set dev sit1 up
# /sbin/ip -6 route add <prefixtoroute1> dev sit1 metric 1
# /sbin/ip tunnel add sit2 mode sit ttl <ttldefault>
? <ipv4addressofforeigntunnel2> local <ipv4addresslocal>
# /sbin/ip set dev sit2 up
# /sbin/ip -6 route add <prefixtoroute2> dev sit2 metric 1
# /sbin/ip tunnel add sit3 mode sit ttl <ttldefault>
? <ipv4addressofforeigntunnel3> local <ipv4addresslocal>
# /sbin/ip set dev sit3 up
# /sbin/ip -6 route add <prefixtoroute3> dev sit3 metric 1
______________________________________________________________
使用 "ifconfig" and "route" (deprecated)
不推荐一次就 Non Broadcast Multiple Access (NBMA)这么多,因为您如果只想
关闭第一个但又要让其它的继续运行,有点难啊.只加一个是没有问题的.
______________________________________________________________
# /sbin/ifconfig sit0 up
# /sbin/ifconfig sit0 tunnel <ipv4addressofforeigntunnel1>
# /sbin/ifconfig sit1 up
# /sbin/route -A inet6 add <prefixtoroute1> dev sit1
# /sbin/ifconfig sit0 tunnel <ipv4addressofforeigntunnel2>
# /sbin/ifconfig sit2 up
# /sbin/route -A inet6 add <prefixtoroute2> dev sit2
# /sbin/ifconfig sit0 tunnel <ipv4addressofforeigntunnel3>
# /sbin/ifconfig sit3 up
# /sbin/route -A inet6 add <prefixtoroute3> dev sit3
______________________________________________________________
警告:这样做有很大的风险, 因为任何人可以从Internet的任何地点使
用"automatic tunneling"同您进行连结.我不推荐您这样做.
使用 "route" only
当然可以设定tunnel使用 Non Broadcast Multiple Access (NBMA)非多地址广
播的方式 这种方法可以一次就加入很多tunnel. 使用方法 (三个tunnel的基本
例子):
______________________________________________________________
# /sbin/ifconfig sit0 up
# /sbin/route -A inet6 add <prefixtoroute1> gw
? ::<ipv4addressofforeigntunnel1> dev sit0
# /sbin/route -A inet6 add <prefixtoroute2> gw
? ::<ipv4addressofforeigntunnel2> dev sit0
# /sbin/route -A inet6 add <prefixtoroute3> gw
? ::<ipv4addressofforeigntunnel3> dev sit0
______________________________________________________________
警告:这样做有很大的风险, 因为任何人可以从Internet的任何地点使
用"automatic tunneling"同您进行连结.我不推荐您这样做.
Removing point-to-point tunnels(移除遂道)
手工方式不经常使用,可以用scripts移除/重新设定IPv6tunnels
使用 "ip"
移除遂道设备的用法:
______________________________________________________________
# /sbin/ip tunnel del <device>
______________________________________________________________
Usage (三个tunnel的基本例子):
______________________________________________________________
# /sbin/ip -6 route del <prefixtoroute1> dev sit1
# /sbin/ip set sit1 down
# /sbin/ip tunnel del sit1
# /sbin/ip -6 route del <prefixtoroute2> dev sit2
# /sbin/ip set sit2 down
# /sbin/ip tunnel del sit2
# /sbin/ip -6 route del <prefixtoroute3> dev sit3
# /sbin/ip set sit3 down
# /sbin/ip tunnel del sit3
______________________________________________________________
使用 "ifconfig" and "route" (因为不怎么有趣所以不赞成这么做)
Usage (三个tunnel的基本例子):您必需反向移除它们, 也就是先建立的必需先
移除.
______________________________________________________________
# /sbin/route -A inet6 del <prefixtoroute3> dev sit3
# /sbin/ifconfig sit3 down
# /sbin/route -A inet6 del <prefixtoroute2> dev sit2
# /sbin/ifconfig sit2 down
# /sbin/route -A inet6 add <prefixtoroute1> dev sit1
# /sbin/ifconfig sit1 down
# /sbin/ifconfig sit0 down
______________________________________________________________
使用 "route"
移除IPv6路由. 使用方法 (三个tunnel的基本例子):
______________________________________________________________
# /sbin/route -A inet6 del <prefixtoroute1> gw
? ::<ipv4addressofforeigntunnel1> dev sit0
# /sbin/route -A inet6 del <prefixtoroute2> gw
? ::<ipv4addressofforeigntunnel2> dev sit0
# /sbin/route -A inet6 del <prefixtoroute3> gw
? ::<ipv4addressofforeigntunnel3> dev sit0
# /sbin/ifconfig sit0 down
______________________________________________________________
Numbered point-to-point tunnels(有限的点对点遂道)
有时需要设定一个point-to-point 遂道 和IPv6地址, 但方法中只有第一
个(ifconfig+route - deprecated)和第三个(ip+route)可行. 在这些案例中您
可以加入一个IPv6地址到 tunnel interface(用于遂道操作的那个界面)
9.4 Setup of 6to4 tunnels (设定 IPv6至IPv4的遂道)
注意:6to4 tunnels 目前缺乏vanilla 2.2.x系列核心的支持. 同样要注意的
是6to4地址的前缀长度是16 所有的 6to4 主机都在相同的第二层.
Add a 6to4 tunnel(增加一个 6to4 遂道)
首先, 您必需用可路由的本地IPv4 global 地址来计算 6to4 的前缀. (如果您
的主机没有可路由的本地IPv4 global 地址, 在闸道边缘的NAT地址也行 in
special cases NAT on border gateways is possible):
假定您的IPv4地址为:
______________________________________________________________
1.2.3.4
______________________________________________________________
产生的6to4 prefix(前缀)为 :
______________________________________________________________
2002:0102:0304::
______________________________________________________________
本地的 6to4 闸道需要手工设定后缀为"::1", 因此您的6to4地址就成为:
______________________________________________________________
2002:0102:0304::1
______________________________________________________________
以下依据指定的IPv4地址产生6to4地址:
______________________________________________________________
ipv4="1.2.3.4"; printf "2002:%02x%02x:%02x%02x::1" `echo $ipv4 | tr "." " "`
______________________________________________________________
目前有两种方法可以设定6to4遂道
使用 "ip" 和专用的遂道设备.
这是被推荐的做法. 创建一个遂道设备.
______________________________________________________________
# /sbin/ip tunnel add tun6to4 mode sit remote any local <localipv4address>
______________________________________________________________
Bring interface up(激活它)
______________________________________________________________
# /sbin/ip link set dev tun6to4 up
______________________________________________________________
将本地6to4地址加入到界面.(注意:它的前缀长度必需是16)
______________________________________________________________
# /sbin/ip -6 addr add <local6to4address>/16 dev tun6to4
______________________________________________________________
加入一个用all-6to4-routers IPv4 anycast 地址作为到达global IPv6 网路的
路由(缺省的路由)
______________________________________________________________
# /sbin/ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4 metric 1
______________________________________________________________
使用 "ifconfig" and "route" and generic tunnel device "sit0" (不被推荐的做法)
不被推荐是因为tunnel device sit0 不支持特别的过虑器应用在每个设备上.
Bring generic tunnel interface sit0 up(将界面sit0激活)
______________________________________________________________
# /sbin/ifconfig sit0 up
______________________________________________________________
Add local 6to4 address to interface(向界面添加本地 6to4 地址)
______________________________________________________________
# /sbin/ifconfig sit0 add <local6to4address>/16
______________________________________________________________
加入一个用all-6to4-relays IPv4 anycast地址作为到达global IPv6 网路的路
由(缺省的路由)
______________________________________________________________
# /sbin/route -A inet6 add 2000::/3 gw ::192.88.99.1 dev sit0
______________________________________________________________
Remove a 6to4 tunnel(移除 6to4 遂道)
使用 "ip" and a 专用遂道设备
从dedicated tunnel device 移除所有路由
______________________________________________________________
# /sbin/ip -6 route flush dev tun6to4
______________________________________________________________
Shut down interface(关闭界面)
______________________________________________________________
# /sbin/ip link set dev tun6to4 down
______________________________________________________________
Remove created tunnel device(移除遂道设备)
______________________________________________________________
# /sbin/ip tunnel del tun6to4
______________________________________________________________
使用 "ifconfig" and "route" and generic tunnel device "sit0" (不被推荐的做法)
移除 6to4 界面上遂道的路由
______________________________________________________________
# /sbin/route -A inet6 del 2000::/3 gw ::192.88.99.1 dev sit0
______________________________________________________________
Remove local 6to4 address to interface(从界面移除本地 6to4 地址)
______________________________________________________________
# /sbin/ifconfig sit0 del <local6to4address>/16
______________________________________________________________
并闭 generic tunnel device (当心, 可能它还在使用当中)
______________________________________________________________
# /sbin/ifconfig sit0 down
______________________________________________________________
10. 设定 IPv4-in-IPv6 遂道
这里的内容会在将来添加,目前这种遂道处在试验阶段.参照: [32]RFC 2473 /
Generic Packet Tunneling in IPv6 Specification
11. 核心设定 in /proc-filesystem
11.1 怎样进入 /proc-filesystem
使用 "cat"和 "echo"
使用 "cat"和 "echo" 是进入 /proc-filesystem的最简单方法. 但必需具备下
面几个条件:
* 在核心中打开 /proc-filesystem 支持, 在编译的时候可以通过
CONFIG_PROC_FS=y 做到.
* /proc-filesystem 已经挂进系统,可以用以下的方法测试:
______________________________________________________________
# mount | grep "type proc"
none on /proc type proc (rw)
______________________________________________________________
* 您必需知道对/proc-filesystem 的各种操作.
通常/proc/sys/* 都是可写的, 其它的都是只读或只提供相关资讯.
得到一个值
可以使用 "cat" 得到一个值.
______________________________________________________________
# cat /proc/sys/net/ipv6/conf/all/forwarding
0
______________________________________________________________
设定一个值
可以使用 "echo" 设定一个值.
______________________________________________________________
# echo "1" >/proc/sys/net/ipv6/conf/all/forwarding
______________________________________________________________
使用 "sysctl"
使用 "sysctl" 设定核心是当前流行的方法, 您也能用. 如果/proc-filesystem
没有挂进来, 那么您只可以访问/proc/sys/*
"sysctl"程式在"procps"安装包中.(Red Hat Linux systems)
sysctl-interface 需要在核心中进行激活, 在编译的时候可以通过以下选项完
成:
______________________________________________________________
CONFIG_SYSCTL=y
______________________________________________________________
设定一个值
A new value can be set (if entry is writable):
______________________________________________________________
# sysctl -w net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.forwarding = 1
______________________________________________________________
在 "=" 两边不能出现spaces符号,也不能像下面那样一次设定多个值:
______________________________________________________________
# sysctl -w net.ipv4.ip_local_port_range="32768 61000"
net.ipv4.ip_local_port_range = 32768 61000
______________________________________________________________
另外
sysctl使用 "/" 代替 "." 详细资讯请看sysctl的manpage
提示:快速查找设定的资讯,可以联合使用带"-a"的grep.
11.2 /proc-filesystems 里的数值类型.
* BOOLEAN: simple a "0" (false) or a "1" (true)
* INTEGER: an integer value, can be unsigned, too
* more sophisticated lines with several values: sometimes a header
line is displayed also, if not, have a look into the kernel source
to retrieve information about the meaning of each value...
11.3 Entries in /proc/sys/net/ipv6/
conf/default/*
Change the interface-specific default settings
conf/all/*
改变所有 interface-specific 设定.
除了: "conf/all/forwarding" 它有不同的含义.
conf/all/forwarding
* Type: BOOLEAN
在两个界面之间进行global IPv6 forwarding (数据包转寄.)
IPv6 当中您不能单独控制一个设备的 forwarding (数据包转寄). forwarding
的控制由IPv6-netfilter 完成. 当值为"0"时 数据包转寄的能力被关闭,数据包
不会离开各自的界面(包括物理/虚拟)比如 tunnel. 当值为"1"时 数据包转寄的
能力被开启.
conf/interface/*
改变单个界面的设定. 依据local forwarding 是 enabled 或 not.
accept_ra
* Type: BOOLEAN
* 默认值: enabled if local forwarding is disabled. disabled if local
forwarding is enabled.
接受IPv6路由广告.并且根据得到的信息自动设定.
accept_redirectsc
* Type: BOOLEAN
* Functional default: enabled if local forwarding is disabled.
disabled if local forwarding is enabled.
接受IPv6路由器的重定向.
autoconf
* Type: BOOLEAN
* Default: TRUE
设定本地连结地址使用L2硬体地址. 它依据界面的L2-MAC address自动产生一个
地址如:"fe80::201:23ff:fe45:6789"
dad_transmits
* Type: INTEGER
* Default: 1
发送重复地址嗅探的总数.
forwarding
* Type: BOOLEAN
* Default: FALSE if global forwarding is disabled (default),
otherwise TRUE
设定主机/路由的interface-specific动作.
注意:推荐所有interface(界面)使用相同的设定.混合路由器/主机的想法真是难
得.
* Value FALSE: By default, Host behaviour is assumed. This means:
+ IsRouter 标致没有在Neighbour Advertisements当中.
+ 当需要的时候就发送路由请求.
+ 如果accept_ra是TRUE (default), 接受路由广告.
+ 如果accept_redirects 是 TRUE (default), 接受重定向.
* Value TRUE: 如果具备本地forwarding(转寄),路由器动作为假定.这和上面
的情况相反:
+ IsRouter 标致存在于Neighbour Advertisements当中.
+ 不发送路由请求.
+ 忽略路由广告.
+ 忽略重定向.
hop_limit
* Type: INTEGER
* Default: 64
缺省hop限制.
mtu
* Type: INTEGER
* Default: 1280 (IPv6 要求的最小值)
缺省最大传输单元.
router_solicitation_delay
* Type: INTEGER
* Default: 1
在发送路由请求之前界面的等待时间(秒).
router_solicitation_interval
* Type: INTEGER
* Default: 4
在每个路由请求之间的等待时间(秒).
router_solicitations
* Type: INTEGER
* Default: 3
假定没有路由的情况下发送的请求个数.
neigh/default/*
Change default settings for neighbor detection and some special global
interval and threshold values:
gc_thresh1
* Type: INTEGER
* Default: 128
More to be filled.
gc_thresh2
* Type: INTEGER
* Default: 512
More to be filled.
gc_thresh3
* Type: INTEGER
* Default: 1024
芳邻列印表大小的调节项.
如果您有许多界面,或路由表现反常 试著增大数值. Or if a running Zebra
(routing daemon) reports:
______________________________________________________________
ZEBRA: netlink-listen error: No buffer space available, type=RTM_NEWROUTE(24),
seq=426, pid=0
______________________________________________________________
gc_interval
* Type: INTEGER
* Default: 30
More to be filled.
neigh/interface/*
Change special settings per interface for neighbor detection.
anycast_delay
* Type: INTEGER
* Default: 100
More to be filled.
gc_stale_time
* Type: INTEGER
* Default: 60
More to be filled.
proxy_qlen
* Type: INTEGER
* Default: 64
More to be filled.
unres_qlen
* Type: INTEGER
* Default: 3
More to be filled.
app_solicit
* Type: INTEGER
* Default: 0
More to be filled.
locktime
* Type: INTEGER
* Default: 0
More to be filled.
retrans_time
* Type: INTEGER
* Default: 100
More to be filled.
base_reachable_time
* Type: INTEGER
* Default: 30
More to be filled.
mcast_solicit
* Type: INTEGER
* Default: 3
More to be filled.
ucast_solicit
* Type: INTEGER
* Default: 3
More to be filled.
delay_first_probe_time
* Type: INTEGER
* Default: 5
More to be filled.
proxy_delay
* Type: INTEGER
* Default: 80
More to be filled.
route/*
设定global(全局)路由
flush
Removed in newer kernel releases - more to be filled.
gc_interval
* Type: INTEGER
* Default: 30
More to be filled.
gc_thresh
* Type: INTEGER
* Default: 1024
More to be filled.
mtu_expires
* Type: INTEGER
* Default: 600
More to be filled.
gc_elasticity
* Type: INTEGER
* Default: 0
More to be filled.
gc_min_interval
* Type: INTEGER
* Default: 5
More to be filled.
gc_timeout
* Type: INTEGER
* Default: 60
More to be filled.
min_adv_mss
* Type: INTEGER
* Default: 12
More to be filled.
max_size
* Type: INTEGER
* Default: 4096
More to be filled.
11.4 IPv6-related entries in /proc/sys/net/ipv4/
目前(直到IPv4全部成为核心模组),一些开关也可以为IPv6所使用.
ip_*
ip_local_port_range
也可以为IPv6使用.
tcp_*
也可以为IPv6使用.
ICMP_*
不能为IPv6使用. 激活 ICMPv6 比率限制 rate limting (极力推荐,因为它有抵
御 ICMPv6 网路风暴的能力) netfilter-v6 rules must be used.
其它
不知道, 不能为IPv6使用吧.
11.5 IPv6-related entries in /proc/net/
这个地方是只读的, 您不能通过 "sysctl" 得到资讯,可以使用 "cat"
if_inet6
每一行地址包含多个值.
这里IPv6地址是用特殊的格式列印的,例子只列印环绕interface(界面)含义在下
面
______________________________________________________________
# cat /proc/net/if_inet6
00000000000000000000000000000001 01 80 10 80 lo
+------------------------------+ ++ ++ ++ ++ ++
| | | | | |
1 2 3 4 5 6
______________________________________________________________
1. 地址用32个不包含":"的十六进制列印.
2. 连结的设备数值(interface index)使用十六进制列印.
3. 前缀的长度使用十六进制列印.
4. Scope value (see kernel source " include/net/ipv6.h" and
"net/ipv6/addrconf.c" for more)
5. Interface flags (see "include/linux/rtnetlink.h" and
"net/ipv6/addrconf.c" for more)
6. 设备名.
ipv6_route
每一行地址包含多个值.
这里IPv6地址是用特殊的格式列印的,例子只列印环绕interface(界面)含义在下
面
______________________________________________________________
# cat /proc/net/ipv6_route
00000000000000000000000000000000 00 00000000000000000000000000000000 00
+------------------------------+ ++ +------------------------------+ ++
| | | |
1 2 3 4
? 00000000000000000000000000000000 ffffffff 00000001 00000001 00200200 lo
? +------------------------------+ +------+ +------+ +------+ +------+ ++
? | | | | | |
? 5 6 7 8 9 10
______________________________________________________________
1. IPv6目标网路用32个不包含":"的十六进制列印.
2. IPv6prefix(前缀)的长度使用十六进制列印.
3. IPv6来源网路用32个不包含":"的十六进制列印.
4. IPv6来源prefix(前缀)的长度使用十六进制列印.
5. IPv6下一个hop(跃点)用32个不包含":"的十六进制列印.
6. Metric in hexadecimal
7. Reference counter
8. Use counter
9. Flags(标致)
10.Device name
sockstat6
每一行地址包含多个值.
IPv6 sockets统计:
______________________________________________________________
# cat /proc/net/sockstat6
TCP6: inuse 7
UDP6: inuse 2
RAW6: inuse 1
FRAG6: inuse 0 memory 0
______________________________________________________________
tcp6
To be filled.
udp6
To be filled.
igmp6
To be filled.
raw6
To be filled.
ip6_flowlabel
To be filled.
rt6_stats
To be filled.
snmp6
Type: One line per SNMP description and value
SNMP statistics, can be retrieved via SNMP server and related MIB table by netw
ork management software.
ip6_tables_names
Available netfilter6 tables
12. Netlink-Interface to kernel
内容有待增加... 这方面我没什么经验...
13. 网路 debugging
13.1 Server socket binding(绑定)
13.2 Using "netstat" for server socket binding check
使用 "netstat" 是得到这些信息的捷径.
使用选项: -nlptu
例子:
______________________________________________________________
# netstat -nlptu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
? PID/Program name
tcp 0 0 0.0.0.0:32768 0.0.0.0:* LISTEN
? 1258/rpc.statd
tcp 0 0 0.0.0.0:32769 0.0.0.0:* LISTEN
? 1502/rpc.mountd
tcp 0 0 0.0.0.0:515 0.0.0.0:* LISTEN
? 22433/lpd Waiting
tcp 0 0 1.2.3.1:139 0.0.0.0:* LISTEN
? 1746/smbd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
? 1230/portmap
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN
? 3551/X
tcp 0 0 1.2.3.1:8081 0.0.0.0:* LISTEN
? 18735/junkbuster
tcp 0 0 1.2.3.1:3128 0.0.0.0:* LISTEN
? 18822/(squid)
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
? 30734/named
tcp 0 0 ::ffff:1.2.3.1:993 :::* LISTEN
? 6742/xinetd-ipv6
tcp 0 0 :::13 :::* LISTEN
? 6742/xinetd-ipv6
tcp 0 0 ::ffff:1.2.3.1:143 :::* LISTEN
? 6742/xinetd-ipv6
tcp 0 0 :::53 :::* LISTEN
? 30734/named
tcp 0 0 :::22 :::* LISTEN
? 1410/sshd
tcp 0 0 :::6010 :::* LISTEN
? 13237/sshd
udp 0 0 0.0.0.0:32768 0.0.0.0:*
? 1258/rpc.statd
udp 0 0 0.0.0.0:2049 0.0.0.0:*
? -
udp 0 0 0.0.0.0:32770 0.0.0.0:*
? 1502/rpc.mountd
udp 0 0 0.0.0.0:32771 0.0.0.0:*
? -
udp 0 0 1.2.3.1:137 0.0.0.0:*
? 1751/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:*
? 1751/nmbd
udp 0 0 1.2.3.1:138 0.0.0.0:*
? 1751/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:*
? 1751/nmbd
udp 0 0 0.0.0.0:33044 0.0.0.0:*
? 30734/named
udp 0 0 1.2.3.1:53 0.0.0.0:*
? 30734/named
udp 0 0 127.0.0.1:53 0.0.0.0:*
? 30734/named
udp 0 0 0.0.0.0:67 0.0.0.0:*
? 1530/dhcpd
udp 0 0 0.0.0.0:67 0.0.0.0:*
? 1530/dhcpd
udp 0 0 0.0.0.0:32858 0.0.0.0:*
? 18822/(squid)
udp 0 0 0.0.0.0:4827 0.0.0.0:*
? 18822/(squid)
udp 0 0 0.0.0.0:111 0.0.0.0:*
? 1230/portmap
udp 0 0 :::53 :::*
? 30734/named
______________________________________________________________
13.3 Examples for tcpdump packet dumps
下面是一些被捕获的数据包 ...下一次我会多弄一点来...:
Router discovery(路由发现)
Router advertisement
______________________________________________________________
15:43:49.484751 fe80::212:34ff:fe12:3450 > ff02::1: icmp6: router
? advertisement(chlim=64, router_ltime=30, reachable_time=0,
? retrans_time=0)(prefix info: AR valid_ltime=30, preffered_ltime=20,
? prefix=2002:0102:0304:1::/64)(prefix info: LAR valid_ltime=2592000,
? preffered_ltime=604800, prefix=3ffe:ffff:0:1::/64)(src lladdr:
? 0:12:34:12:34:50) (len 88, hlim 255)
______________________________________________________________
路由器使用link-local 地址 "fe80::212:34ff:fe12:3450" 发送广告至
all-node-on-link multicast address "ff02::1"
在它自己的 layer 2 MAC 地址 "0:12:34:12:34:50"中,
包含两个前缀2002:0102:0304:1::/64" (lifetime 30 s) 和
"3ffe:ffff:0:1::/64" (lifetime 2592000 s)
Router solicitation(路由请求)
______________________________________________________________
15:44:21.152646 fe80::212:34ff:fe12:3456 > ff02::2: icmp6: router solicitation
? (src lladdr: 0:12:34:12:34:56) (len 16, hlim 255)
______________________________________________________________
拥有link-local地址 "fe80::212:34ff:fe12:3456" 和 layer 2 MAC 地址
"0:12:34:12:34:56"的节点寻找在线的 路由器. 所以发送一个路由请求到所有
在线的路由器地址multicast address "ff02::2"
Neighbor discovery(发现芳邻)
Neighbor discovery solicitation for duplicate address detection(对网路芳邻当
中 "重复的地址" 进行检查)
随著数据包从layer 2 MAC 地址 "0:12:34:12:34:56" 发送出去的同时检查是否
有节点用相同的地址发送数据包. Following packets are sent by a node
with layer 2 MAC address "0:12:34:12:34:56" during autoconfiguration
to check whether a potential address is already used by another node
on the link sending this to the solicited-node link-local multicast
address
* 当节点将使用地址"fe80::212:34ff:fe12:3456"作为本地连结时检查重复的
地址.
______________________________________________________________
15:44:17.712338 :: > ff02::1:ff12:3456: icmp6: neighbor
sol: who has
? fe80::212:34ff:fe12:3456(src lladdr: 0:12:34:12:34:56)
(len 32, hlim 255)
______________________________________________________________
* 当节点将使用地址"2002:0102:0304:1:212:34ff:fe12:3456"作为global(全
局)连结时检查重复的地址(得到上面的广告之后).
______________________________________________________________
15:44:21.905596 :: > ff02::1:ff12:3456: icmp6: neighbor s
ol: who has
? 2002:0102:0304:1:212:34ff:fe12:3456(src lladdr: 0:12:34
:12:34:56) (len 32,
? hlim 255)
______________________________________________________________
* 当节点将使用地址"3ffe:ffff:0:1:212:34ff:fe12:3456" 作为global(全
局)连结时检查重复的地址(得到上面的广告之后).
______________________________________________________________
15:44:22.304028 :: > ff02::1:ff12:3456: icmp6: neighbor s
ol: who has
? 3ffe:ffff:0:1:212:34ff:fe12:3456(src lladdr: 0:12:34:12
:34:56) (len 32, hlim
? 255)
______________________________________________________________
Neighbor discovery solicitation for looking for host or gateway(查找一台主机
或闸道)
* 节点想要发送数据包至"3ffe:ffff:0:1::10",但是没有layer 2 MAC 的发送
地址,于是发送请求.
______________________________________________________________
13:07:47.664538 2002:0102:0304:1:2e0:18ff:fe90:9205 > ff0
2::1:ff00:10: icmp6:
? neighbor sol: who has 3ffe:ffff:0:1::10(src lladdr: 0:e
0:18:90:92:5) (len 32,
? hlim 255)
______________________________________________________________
* 节点现在查找"fe80::10"
______________________________________________________________
13:11:20.870070 fe80::2e0:18ff:fe90:9205 > ff02::1:ff00:
10: icmp6: neighbor
? sol: who has fe80::10(src lladdr: 0:e0:18:90:92:5) (le
n 32, hlim 255)
______________________________________________________________
14. Support for persistent IPv6 configuration in Linux distributions(在不同的发
行版中设定IPv6)
14.1 Red Hat Linux and "clones"(小红帽和它的弟兄娣妹)
自从我开始写 [33]IPv6 & Linux - HowTo.我打算设定一个持久的IPv6配置,包
含: host-only, router-only, dual-homed-host, router with second stub
network, normal tunnels, 6to4 tunnels 和其它.现在我写了一
个configuration and script files 这个script有自己的HOWTO:
[34]IPv6-HOWTO/scripts/current. 够运的是, Red Hat Linux 从 7.1 开始就
包含了这个script.多亏了Pekka Savola的帮助.
14.2 Mandrake(曼德莱克)Linux
从8.0后也包含了 IPv6-enabled initscript package但是有点小问
题("ifconfig" misses "inet6" before "add").
支持IPv6的网路设定 scripts 测试
script library应该存在:
______________________________________________________________
/etc/sysconfig/network-scripts/network-functions-ipv6
______________________________________________________________
自动测试:
______________________________________________________________
# test -f /etc/sysconfig/network-scripts/network-functions
-ipv6 && echo "Main
? IPv6 script library exists"
______________________________________________________________
library的版本很重要, 更高的版本包含了更多的功能.您可以通过这个检视它:
______________________________________________________________
# source /etc/sysconfig/network-scripts/network-functions-
ipv6 &&
? getversion_ipv6_functions
20011124
______________________________________________________________
Short hint for enabling IPv6 on current RHL 7.1, 7.2, 7.3, ...(一些小提示)
* 检视IPv6模组是否已经挂进系统.
______________________________________________________________
# modprobe -c | grep net-pf-10
alias net-pf-10 off
______________________________________________________________
* 如果是"off" 在 /etc/sysconfig/network 中加入IPv6的支持.
______________________________________________________________
NETWORKING_IPV6=yes
______________________________________________________________
* 重新初始网路:
______________________________________________________________
# service network restart
______________________________________________________________
* IPv6模组应该挂进来了:
______________________________________________________________
# modprobe -c | grep ipv6
alias net-pf-10 ipv6
______________________________________________________________
如果您提供路由广告autoconfiguration 会自动为您设定, 更多的资讯请看
/usr/share/doc/initscripts-$version/sysconfig.txt.
14.3 SuSE(苏泽斯)Linux
7.x 以上, 支持IPv6. 在/etc/rc.config 里有更多的资讯. 因为不同的设定方
法和scripts结构, 所以不能将Red Hat Linux 当中的方法照搬过来.
更详尽的资讯请看:
[35]How to setup 6to4 IPv6 with SuSE 7.3
14.4 Debian(迪比安)Linux
参照: [36]IPv6 on Debian Linux
15. 防火墙
15.1 使用 netfilter6防火墙
netfilter6防火墙只支持2.4以上的核心.早期的2.2核心您只能用41号协议过
滤IPv6-in-IPv4.
警告: 按照例子那样设定并不能真正地保护您的作业系统.
15.2 更多的资讯:
* [37]Netfilter project
* [38]maillist archive of netfilter users
* [39]maillist archive of netfilter developers
* [40]Unofficial status informations
15.3 准备
下载最新的核心:
[41]http://www.kernel.org/
下载最新的iptables:
tar:
[42]http://www.netfilter.org/
Source RPM for rebuild of binary (for RedHat systems):
[43]ftp://ftp.redhat.com/redhat/linux/rawhide/SRPMS/SRPMS/
解开源代码
解开源代码与更名
______________________________________________________________
# tar z|jxf kernel-version.tar.gz|bz2
# mv linux linux-version-iptables-version+IPv6
______________________________________________________________
解开 iptables 源代码
______________________________________________________________
# tar z|jxf iptables-version.tar.gz|bz2
______________________________________________________________
Apply pending patches
______________________________________________________________
# make pending-patches KERNEL_DIR=/path/to/src/linux-version-iptables-
version/
______________________________________________________________
Apply additional IPv6 related patches (still not in the vanilla kernel
included)
______________________________________________________________
# make patch-o-matic KERNEL_DIR=/path/to/src/linux-version-iptables-ve
rsion/
______________________________________________________________
在下面的选单中回答yes:
* ah-esp.patch
* masq-dynaddr.patch (only needed for systems with dynamic IP
assigned WAN connections like PPP or PPPoE)
* ipv6-agr.patch.ipv6
* ipv6-ports.patch.ipv6
* LOG.patch.ipv6
* REJECT.patch.ipv6
检视IPv6括展:
______________________________________________________________
# make print-extensions
Extensions found: IPv6:owner IPv6:limit IPv6:mac IPv6:multiport
______________________________________________________________
Configure, build and install new kernel(设定,编译,安装新的核心)
进入代码目录:
______________________________________________________________
# cd /path/to/src/linux-version-iptables-version/
______________________________________________________________
改变Makefile
______________________________________________________________
- EXTRAVERSION =
+ EXTRAVERSION = -iptables-version+IPv6-try
______________________________________________________________
运行相关的设定:Run configure, enable IPv6 related
______________________________________________________________
Code maturity level options
Prompt for development and/or incomplete code/drivers : yes
Networking options
Network packet filtering: yes
The IPv6 protocol: module
IPv6: Netfilter Configuration
IP6 tables support: module
All new options like following:
limit match support: module
MAC address match support: module
Multiple port match support: module
Owner match support: module
netfilter MARK match support: module
Aggregated address check: module
Packet filtering: module
REJECT target support: module
LOG target support: module
Packet mangling: module
MARK target support: module
______________________________________________________________
在系统的其它方面进行相应的修改.
Rebuild and install binaries of iptables (打造一个新的iptables)
确定您的核心源代码存在于: /usr/src/linux/
Rename older directory
______________________________________________________________
# mv /usr/src/linux /usr/src/linux.old
______________________________________________________________
Create a new softlink
______________________________________________________________
# ln /path/to/src/linux-version-iptables-version /usr/src/linux
______________________________________________________________
Rebuild SRPMS
______________________________________________________________
# rpm --rebuild /path/to/SRPMS/iptables-version-release.src.rpm
______________________________________________________________
Install new iptables packages (iptables + iptables-ipv6) 安装新
的iptables
* On RH 7.1 systems, 通常已经有一个更早的版本, therefore use
"freshen"
______________________________________________________________
# rpm -Fhv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
______________________________________________________________
* 如果没有安装,您就亲自来吧:
______________________________________________________________
# rpm -ihv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
______________________________________________________________
* 如果在RH6.2上安装,要加上"--nodep":
______________________________________________________________
# rpm -ihv --nodep /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
______________________________________________________________
* 可能要为iptables加上一个softlink:
______________________________________________________________
# ln -s /lib/iptables/ /usr/lib/iptables
______________________________________________________________
15.4 使用方法
检视
将模组挂进来:
______________________________________________________________
# modprobe ip6_tables
______________________________________________________________
检视
______________________________________________________________
# [ ! -f /proc/net/ip6_tables_names ] && echo "Current kernel doesn't
support
? 'ip6tables' firewalling (IPv6)!"
______________________________________________________________
15.5 使用ip6tables
16.3.2.1. List all IPv6 netfilter entries
Short
# ip6tables -L
Extended
# ip6tables -n -v --line-numbers -L
List specified filter
# ip6tables -n -v --line-numbers -L INPUT
加入一个日志:
# ip6tables --table filter --append INPUT -j LOG --log-prefix "INPUT:"
? --log-level 7
加入一个入站丢弃的条件:
# ip6tables --table filter --append INPUT -j DROP
移除一个条件:
# ip6tables --table filter --delete INPUT 1
允许 ICMPv6:
Using older kernels (unpatched kernel 2.4.5 and iptables-1.2.2) no type can be
specified
允许入站 ICMPv6 经过 tunnels
# ip6tables -A INPUT -i sit+ -p icmpv6 -j ACCEPT
允许出站 ICMPv6 经过 tunnels
# ip6tables -A OUTPUT -o sit+ -p icmpv6 -j ACCEPT
Newer kernels allow specifying of ICMPv6 types:
# ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
限制Rate-limiting
Because it can happen (author already saw it to times) that an ICMPv6 storm wil
l raise up, you should use available rate limiting for at least ICMPv6 ruleset.
In addition logging rules should also get rate limiting to prevent DoS attacks
against syslog and storage of log file partition. An example for a rate limite
d ICMPv6 looks like:
# ip6tables -A INPUT --protocol icmpv6 --icmpv6-type echo-request -j ACCEPT --m
atch limit --limit 30/minute
允许入站的 SSH
Here an example is shown for a ruleset which allows incoming SSH connection fro
m a specified IPv6 address
允许来自 3ffe:ffff:100::1/128 的 SSH 入站
# ip6tables -A INPUT -i sit+ -p tcp -s 3ffe:ffff:100::1/128 --sport 512:65535
? --dport 22 -j ACCEPT
允许回应包Allow response packets (此刻 IPv6 连结追踪不在 mainstream netfilter6
implemented 当中)
# ip6tables -A OUTPUT -o sit+ -p tcp -d 3ffe:ffff:100::1/128 --dport 512:65535
? --sport 22 ! --syn j ACCEPT
充许 tunneled IPv6-in-IPv4
Tto accept tunneled IPv6-in-IPv4 packets, 在IPv4 防火墙做相应的设定 firewall se
tup relating to such packets, for example
充许 interface ppp0 的 IPv6-in-IPv4 入站
# iptables -A INPUT -i ppp0 -p ipv6 -j ACCEPT
充许 interface ppp0 的 IPv6-in-IPv4 出站
# iptables -A OUTPUT -o ppp0 -p ipv6 -j ACCEPT
If you have only a static tunnel, you can specify the IPv4 addresses, too, like
充许来自 endpoint 1.2.3.4 的 IPv6-in-IPv4 通过 interface ppp0 入站
# iptables -A INPUT -i ppp0 -p ipv6 -s 1.2.3.4 -j ACCEPT
充许来自 endpoint 1.2.3.4 的 IPv6-in-IPv4 通过 interface ppp0 入站
# iptables -A OUTPUT -o ppp0 -p ipv6 -d 1.2.3.4 -j ACCEPT
16.3.2.10. Protection against incoming TCP connection requests
极力推荐! 出于安全考虑 您应当加入一个阻止TCP 连结请求入站的条件 . Adapt "-i" op
tion, if other interface names are in use!
阻止入站的 TCP 连结请求
# ip6tables -I INPUT -i sit+ -p tcp --syn -j DROP
在路由器后面 阻止入站的 TCP 连结请求
# ip6tables -I FORWARD -i sit+ -p tcp --syn -j DROP
可能这些条件以经存在其它地方,但这是您想当然的想法.最好建一个包含很多条件的 scri
pt 然后执行.
16.3.2.11.阻止入站的 UDP 连结请求
极力推荐! 提起过我的防火墙资讯可以控制出站 UDP/TCP 会话的端口. 所以如果您的本地
IPv6系统使用本地端口 比如:从 32768 至 60999 您也可以像这样过滤UDP连结 (直到连结
跟踪正常工作) like:
阻止入站的 UDP 数据包 , 斩断请求出站的回应数据包
# ip6tables -I INPUT -i sit+ -p udp ! --dport 32768:60999 -j DROP
在路由器上面阻止入站的 UDP 数据包转寄到路由器后面的主机
ip6tables -I FORWARD -i sit+ -p udp ! --dport 32768:60999 -j DROP
实例:
下面这个实例是一个经典, 由 Happy netfilter6 ruleset 生成:
______________________________________________________________
# ip6tables -n -v -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 extIN all sit+ * ::/0 ::/0
4 384 intIN all eth0 * ::/0 ::/0
0 0 ACCEPT all * * ::1/128 ::1/128
0 0 ACCEPT all lo * ::/0 ::/0
0 0 LOG all * * ::/0 ::/0
? LOG flags 0 level 7 prefix `INPUT-default:'
0 0 DROP all * * ::/0 ::/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
?
0 0 int2ext all eth0 sit+ ::/0 ::/0
0 0 ext2int all sit+ eth0 ::/0 ::/0
0 0 LOG all * * ::/0 ::/0
? LOG flags 0 level 7 prefix `FORWARD-default:'
0 0 DROP all * * ::/0 ::/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
?
0 0 extOUT all * sit+ ::/0 ::/0
4 384 intOUT all * eth0 ::/0 ::/0
0 0 ACCEPT all * * ::1/128 ::1/128
0 0 ACCEPT all * lo ::/0 ::/0
0 0 LOG all * * ::/0 ::/0
? LOG flags 0 level 7 prefix `OUTPUT-default:'
0 0 DROP all * * ::/0 ::/0
Chain ext2int (1 references)
pkts bytes target prot opt in out source destination
?
0 0 ACCEPT icmpv6 * * ::/0 ::/0
0 0 ACCEPT tcp * * ::/0 ::/0
? tcp spts:1:65535 dpts:1024:65535 flags:!0x16/0x02
0 0 LOG all * * ::/0 ::/0
? LOG flags 0 level 7 prefix `ext2int-default:'
0 0 DROP tcp * * ::/0 ::/0
0 0 DROP udp * * ::/0 ::/0
0 0 DROP all * * ::/0 ::/0
Chain extIN (1 references)
pkts bytes target prot opt in out source destination
?
0 0 ACCEPT tcp * * 3ffe:400:100::1/128 ::/0
? tcp spts:512:65535 dpt:22
0 0 ACCEPT tcp * * 3ffe:400:100::2/128 ::/0
? tcp spts:512:65535 dpt:22
0 0 ACCEPT icmpv6 * * ::/0 ::/0
0 0 ACCEPT tcp * * ::/0 ::/0
? tcp spts:1:65535 dpts:1024:65535 flags:!0x16/0x02
0 0 ACCEPT udp * * ::/0 ::/0
? udp spts:1:65535 dpts:1024:65535
0 0 LOG all * * ::/0 ::/0
? limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `extIN-default:'
0 0 DROP all * * ::/0 ::/0
Chain extOUT (1 references)
pkts bytes target prot opt in out source destination
?
0 0 ACCEPT tcp * * ::/0
? 3ffe:ffff:100::1/128tcp spt:22 dpts:512:65535 flags:!0x16/0x02
0 0 ACCEPT tcp * * ::/0
? 3ffe:ffff:100::2/128tcp spt:22 dpts:512:65535 flags:!0x16/0x02
0 0 ACCEPT icmpv6 * * ::/0 ::/0
0 0 ACCEPT tcp * * ::/0 ::/0
? tcp spts:1024:65535 dpts:1:65535
0 0 ACCEPT udp * * ::/0 ::/0
? udp spts:1024:65535 dpts:1:65535
0 0 LOG all * * ::/0 ::/0
? LOG flags 0 level 7 prefix `extOUT-default:'
0 0 DROP all * * ::/0 ::/0
Chain int2ext (1 references)
pkts bytes target prot opt in out source destination
?
0 0 ACCEPT icmpv6 * * ::/0 ::/0
0 0 ACCEPT tcp * * ::/0 ::/0
? tcp spts:1024:65535 dpts:1:65535
0 0 LOG all * * ::/0 ::/0
? LOG flags 0 level 7 prefix `int2ext:'
0 0 DROP all * * ::/0 ::/0
0 0 LOG all * * ::/0 ::/0
? LOG flags 0 level 7 prefix `int2ext-default:'
0 0 DROP tcp * * ::/0 ::/0
0 0 DROP udp * * ::/0 ::/0
0 0 DROP all * * ::/0 ::/0
Chain intIN (1 references)
pkts bytes target prot opt in out source destination
?
0 0 ACCEPT all * * ::/0
? fe80::/ffc0::
4 384 ACCEPT all * * ::/0 ff02::/16
Chain intOUT (1 references)
pkts bytes target prot opt in out source destination
?
0 0 ACCEPT all * * ::/0
? fe80::/ffc0::
4 384 ACCEPT all * * ::/0 ff02::/16
0 0 LOG all * * ::/0 ::/0
? LOG flags 0 level 7 prefix `intOUT-default:'
0 0 DROP all * * ::/0 ::/0
______________________________________________________________
16. 安全
16.1 Access limitations
有许多服务使用 tcp_wrapper library 控制访问.Below is described the use
of tcp_wrapper
内容有待增加...
16.2 IPv6安全审核
目前没有什么较好的商业工具来进行
Legal issues
警告:您只能扫瞄自己的系统,不然,可能会触及法律.开始之前,请检察您要扫瞄
的IPv6目标地址两次!.
16.3 Security auditing using IPv6-enabled netcat(使用适应IPv6的netcat)
关于IPv6-enabled netcat的详细资讯请参照: [44]
IPv6?status-apps/security-auditing
例子:
______________________________________________________________
# nc6 ::1 daytime
13 JUL 2002 11:22:22 CEST
______________________________________________________________
16.4 Security auditing using IPv6-enabled nmap
全世界最为优秀的扫瞄程式之一.它的首页: [45]
http://www.insecure.org/nmap/ 从 3.10ALPHA1 的版本开始支持IPv6. 例子:
______________________________________________________________
# nmap -6 -sT ::1
Starting nmap V. 3.10ALPHA3 ( www.insecure.org/nmap/ )
Interesting ports on localhost6 (::1):
(The 1600 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
53/tcp open domain
515/tcp open printer
2401/tcp open cvspserver
Nmap run completed -- 1 IP address (1 host up) scanned in 0.525 second
s
______________________________________________________________
16.5 Security auditing using IPv6-enabled strobe
Strobe 同 NMap相比更不具灵活性,但已经有 IPv6-enabling patch (see
IPv6?status-apps/security-auditing for more). Usage example:
______________________________________________________________
# ./strobe ::1 strobe 1.05 (c) 1995-1999 Julian Assange <proff@iq.org>
.
::1 2401 unassigned unknown
::1 22 ssh Secure Shell - RSA encrypted rsh
::1 515 printer spooler (lpd)
::1 6010 unassigned unknown
::1 53 domain Domain Name Server
______________________________________________________________
16.6 审核结果
如果审核结果同您的IPv6安全策略有出入, 请堵上检测出的漏洞.
17. Encryption and Authentication(加密和认证)
Support in kernel
Currently missing in 2.4, perhaps in 2.5 (see below). There is an
issue about keeping the Linux kernel source free of
export/import-control-laws regarding encryption code. This is also one
case why [46]FreeS/WAN project (IPv4 only IPsec) isn't still contained
in vanilla source.
Support in USAGI kernel
The USAGI project has taken over in July 2001 the IPv6 enabled
FreeS/WAN code from the [47]IABG / IPv6 Project and included in their
kernel extensions, but still work in progress, means that not all IABG
features are already working in USAGI extension.
17.1 用法
参照: [48]FreeS/WAN / Online documentation
18. 线上测试工具
内容有待增加... 欢迎提建议!
* finger, nslookup, ping, traceroute, whois: [49]UK IPv6 Resource
Centre / The test page
* ping, traceroute, tracepath, 6bone registry, DNS: [50]JOIN /
Testtools (German language only, but should be no problem for non
German speakers)
* traceroute6, whois: [51]IPng.nl
19. 其它资讯
19.1 线上资讯
加入IPv6 backbone骨干网路
IPv6 test backbone: [52]6bone, [53]How to join 6bone
主要的注册区域
* America: [54]ARIN [55]Ripe
* Asia/Pacific: [56]APNIC
* Latin America and Caribbea: [57]LACNIC
Also a list of major (prefix length 35) allocations per local registry
is available here:
[58]Ripe NCC / IPv6 allocations
Tunnel brokers
* [59]Freenet6 Canada
* [60]Hurricane Electric US backbone
* [61]Centro Studi e Laboratory Telecomunicazioni Italy
* [62]Wanadoo Belgium
* [63]CERTNET-Nokia China
* [64]Tunnelbroker Leipzig Germany - DialupUsers with dynamic IP's
can get a fix IPv6 IP...
* [65]Internet Initiative Japan Japan - with IPv6 native line
service and IPv6 tunneling Service
* [66]XS26 - Access to SixNetherland - with POPs in Slovak Republic,
Czech Republic, Netherlands, Germany and Hungary.
* [67]IPng Netherland Netherland - Intouch, SurfNet, AMS-IX, UUNet,
Cistron, RIPE NCC and AT& T are connected at the AMS-IX. It is
possible (there are requirements...) to get an static tunnel.
* [68]UNINETT Norway - Pilot IPv6 Service (for Customers):
tunnelbroker & address allocation
* [69]NTT Europe [70]NTT Euroope United Kingdom - IPv6 Trial. IPv4
Tunnel and native IPv6 leased Line connections. POPs are located
in London, UK Dusseldorf, Germany New Jersey, USA (East Coast)
Cupertino, USA (West Coast) Tokyo, Japan
* [71]ESnet USA - Energy Sciences Network: Tunnel Registry & Address
Delegation for directly connected ESnet sites and ESnet
collaborators.
* [72]6REN USA - The 6ren initiative is being coordinated by the
Energy Sciences Network (ESnet), the network for the Energy
Research program of the US Dept. of Energy, located at the
University of California's Lawrence Berkeley National Laboratory
更多的IPv6资讯: [73]ipv6-net.org
6to4
* [74]NSayer's 6to4 information
* [75]RFC 3068 / An Anycast Prefix for 6to4 Relay Routers
Latest news
* [76]http://hs247.com/ name="hs247 / IPv6 news and information">
also homepage for #ipv6 channel on EFnet
* [77]bofh.st / latest IPv6 news but currently Jan 2002 outdated...,
also homepage for IPv6 channel on IRCnet
* [78]ipv6-net.org German forum
有关协议的参考
* [79]HS247 / IPv6 RFC list Publishing the list of IPv6-related RFCs
is beyond the scope of this document, but given URLs will lead you
to such lists:
* [80]IPng Standardization Status a little bit out-of-sync at the
moment
* [81]IPv6 Related Specifications on IPv6.org
目前与IPv6有关的草案:
* [82]IP Version 6 ipv6
* [83]Next Generation Transitition
* [84]Dynamic Host Configuration
* [85]Domain Name System Extension
* [86]Mobile IP mobileip
其它
* [87]Network Sorcery / IPv6, Internet Protocol version 6 IPv6
protocol header
* [88]SWITCH IPv6 Pilot / References big list of IPv6 references
maintained by Simon Leinen
* [89]Advanced Network Management Laboratory / IPv6 Address Oracle
shows you IPv6 addresses in detail
统计
* [90]IPv6 routing table history created by Gert Ding
19.2 更多的资讯
期待加入更多的内容,欢迎提建议!
Linux related
* [91]IPv6-HowTo for Linux by Peter Bieringer - Germany, and his
* [92]Bieringer / IPv6 - software archive
* [93]Linux+IPv6 status by Peter Bieringer Germany
* [94]USAGI project Japan, and their
* [95]USAGI project - software archive
* [96]Gav's Linux IPv6 Page
* [97]Project6 - IPv6 Networking For Linux Italy, and their
* [98]Project6 - software archive
19.3 通信论坛
+------------------------------------------------------------------------------
-------------------------------------------------------------------------------
-------------------------------------------------------------+
|
|
| Focus Request e-mail address What to subscribe
Maillist e-mail address Language Access through
WWW |
+------------------------------------------------------------------------------
-------------------------------------------------------------------------------
-------------------------------------------------------------+
| Linux kernel majordomo (at) oss.sgi.com netdev
netdev (at) oss.sgi.com English http://oss.sgi.com/proj
ects/netdev/archive/ |
| networking
|
| including
|
| IPv6
|
+------------------------------------------------------------------------------
-------------------------------------------------------------------------------
-------------------------------------------------------------+
| Linux and majordomo (at) linux-ipv6
linux-ipv6 (at) list.f00f.org English
|
| list.f00f.org
|
| IPv6 in
(moderated)
|
| general (1)
|
+------------------------------------------------------------------------------
-------------------------------------------------------------------------------
-------------------------------------------------------------+
| Mobile IP majordomo (at)
mipl (at) list.mipl. English http://www.mipl.mediapo
li.com/mailinglist.html |
| (v6) for list.mipl.mediapoli.com mipl
mediapoli.com http://www.mipl.mediapo
li.com/mail-archive/ |
| Linux
|
|
|
+------------------------------------------------------------------------------
-------------------------------------------------------------------------------
-------------------------------------------------------------+
|Linux IPv6 usagi-users-ctl
usagi-users English http://www.mipl.mediapo
li.com/mailinglist.html |
|users using (at) linux-ipv6.org
(at) linux-ipv6.org http://www.mipl.mediapo
li.com/mail-archive/ |
|USAGI
|
|extension
|
+------------------------------------------------------------------------------
-------------------------------------------------------------------------------
-------------------------------------------------------------+
|
|
|IPv6 on Debian
debian-ipv6 (at) English http://lists.debian.org
/debian-ipv6/ |
|Linux Web-based, see URL
lists.debian.org
|
|Web-based
|
|
|
+------------------------------------------------------------------------------
-------------------------------------------------------------------------------
-------------------------------------------------------------+
|
|
|IPv6/6bone in majordomo (at)
ipv6 (at) German/English http://www.join.uni-mue
nster.de/JOIN/ipv6/texte-englisch/mailingliste.html |
| Germany atlan.uni-muenster.de ipv6
uni-muenster.de http://www.join.uni-mue
nster.de/local/majordomo/ipv6/ |
|
|
+------------------------------------------------------------------------------
-------------------------------------------------------------------------------
-------------------------------------------------------------+
|
|
| 6bone majordomo (at) 6bone
6bone (at) English http://www.6bone.net/6b
one_email.html |
| isi.edu
isi.edu http://ryouko.dgim.crc.
ca/ipv6/ |
|
http://www.wcug.wwu.edu
/lists/6bone/ |
|
|
+------------------------------------------------------------------------------
-------------------------------------------------------------------------------
-------------------------------------------------------------+
|
|
|IPv6 majordomo (at) ipng
ipng (at) English http://playground.sun.c
om/pub/ipng/html/instructions.html |
|discussions sunroof.eng.sun.com
sunroof.eng.sun.com ftp://playground.sun.co
m/pub/ipng/mail-archive/ |
|
http://www.wcug.wwu.edu
/lists/ipng/ |
+------------------------------------------------------------------------------
-------------------------------------------------------------------------------
-------------------------------------------------------------+
|
|
| IPv6 users majordomo (at) users
users (at) ipv6.org English http://www.ipv6.org/mai
ling-lists.html |
| in general ipv6.org
|
|
|
+------------------------------------------------------------------------------
-------------------------------------------------------------------------------
-------------------------------------------------------------+
|
|
| Bugtracking of bugtraq-subscribe (at)
bugtraq (at) English http://online.securityf
ocus.com/popups/forums/bugtraq/intro.shtml |
| Internet securityfocus.com
securityfocus.com (moderated) http://online.securityf
ocus.com/archive/1 |
| applications (2)
|
|
|
+------------------------------------------------------------------------------
-------------------------------------------------------------------------------
-------------------------------------------------------------+
|
|
| IPv6 in general Web-based, see URL
ipv6 (at) ipng.nl English http://mailman.ipng.nl/m
ailman/listinfo/ipv6/ |
|
http://mailman.ipng.nl/p
ipermail/ipv6/ |
|
|
+------------------------------------------------------------------------------
-------------------------------------------------------------------------------
-------------------------------------------------------------+
|
|
|
|
|
|
|
|
| majordomo (at) majordomo (at) ipv6
ipv6 (at) mfa.eti.br Portuguese http://www.mfa.eti.br/li
stas.html |
| mfa.eti.br mfa.eti.br
|
|
|
+------------------------------------------------------------------------------
-------------------------------------------------------------------------------
-------------------------------------------------------------+
(1) recommended for common Linux & IPv6 issues.
(2) very recommended if you provide server applications.
是不是有什么遗漏? 欢迎你的建议!
这里还有另一份清单: http://www.join.uni-muenster.de/JOIN/ipv6/texte-eng
lisch/ipv6.infoquellen.html
有关的发行版
* [99]Polish(ed) Linux Distribution ("market leader" in containing
IPv6 enabled packages)
* [100]Red Hat Linux
* [101]Pekka Savola's IPv6 packages Germany
* [102]Debian Linux
* [103]Craig Small's IPv6 information and status
* [104]SuSE Linux
* [105]Linux Mandrake
20. 历史
x.y版本 发布在Internet上.
x.y.z 表示正在进行的版本and only published as LyX file on CVS.
Releases 0.x
0.31
2002-09-29/PB: Extend information in proc-filesystem entries
0.30
2002-09-27/PB: Add some maillists
0.29
2002-09-18/PB: Update statement about nmap (triggered by Fyodor)
0.28.1
2002-09-16/PB: Add note about ping6 to multicast addresses, add some labels
0.28
2002-08-17/PB: Fix broken LDP/CVS links, add info about Polish translation, add
URL of the IPv6 Address Oracle
0.27
2002-08-10/PB: Some minor updates
0.26.2
2002-07-15/PB: Add information neighbor discovery, split of firewalling (got so
me updates) and security into extra chapters
0.26.1
2002-07-13/PB: Update nmap/IPv6 information
0.26
2002-07-13/PB: Fill /proc-filesystem chapter, update DNS information about depr
icated A6/DNAME, change P-t-P tunnel setup to use of "ip" only
0.25.2
2002-07-11/PB: Minor spelling fixes
0.25.1
2002-06-23/PB: Minor spelling and other fixes
0.25
2002-05-16/PB: Cosmetic fix for 2\^{ }128, thanks to Jos□ Ab□lio Oliveira Mat
os for help with LyX
0.24
2002-05-02/PB: Add entries in URL list, minor spelling fixes
0.23
2002-03-27/PB: Add entries in URL list and at maillists, add a label and minor
information about IPv6 on RHL
0.22
2002-03-04/PB: Add info about 6to4 support in kernel series 2.2.x and add an en
try in URL list and at maillists
0.21
2002-02-26/PB: Migrate next grammar checks submitted by John Ronan
0.20.4
2002-02-21/PB: Migrate more grammar checks submitted by John Ronan, add some ad
ditional hints at DNS section
0.20.3
2002-02-12/PB: Migrate a minor grammar check patch submitted by John Ronan
0.20.2
2002-02-05/PB: Add mipl to maillist table
0.20.1
2002-01-31/PB: Add a hint how to generate 6to4 addresses
0.20
2002-01-30/PB: Add a hint about default route problem, some minor updates
0.19.2
2002-01-29/PB: Add many new URLs
0.19.1
2002-01-27/PB: Add some forgotten URLs
0.19
2002-01-25/PB: Add two German books, fix quote entinities in exported SGML code
0.18.2
2002-01-23/PB: Add a FAQ on the program chapter
0.18.1
2002-01-23/PB: Move "the end" to the end, add USAGI to maillists
0.18
2002-01-22/PB: Fix bugs in explanation of multicast address types
0.17.2
2002-01-22/PB: Cosmetic fix double existing text in history (at 0.16), move all
credits to the end of the document
0.17.1
2002-01-20/PB: Add a reference, fix URL text in online-test-tools
0.17
2002-01-19/PB: Add some forgotten information and URLs about global IPv6 addres
ses
0.16
2002-01-19/PB: Minor fixes, remove "bold" and "emphasize" formats on code lines
, fix "too long unwrapped code lines" using selfmade utility, extend list of UR
Ls.
0.15
2002-01-15/PB: Fix bug in addresstype/anycast, move content related credits to
end of document
0.14
2002-01-14/PB: Minor review at all, new chapter "debugging", review "addresses"
, spell checking, grammar checking (from beginning to 3.4.1) by Martin Krafft,
add tcpdump examples, copy firewalling/netfilter6 from IPv6+Linux-HowTo, minor
enhancements
0.13
2002-01-05/PB: Add example BIND9/host, move revision history to end of document
, minor extensions
0.12
2002-01-03/PB: Merge review of David Ranch
0.11
2002-01-02/PB: Spell checking and merge review of Pekka Savola
0.10
2002-01-02/PB: First public release of chapter 1
References
1. http://www.bieringer.de/pb/
2. http://www.linuxports.com/howto/intro_to_networking/
3. http://rfc.net/rfc1884.html
4. http://rfc.net/rfc3056.html/
5. http://rfc.net/rfc2893.html
6. http://rfc.net/rfc2373.html
7. http://standards.ieee.org/regauth/oui/tutorials/EUI64.html
8. http://rfc.net/rfc3041.html
9. ftp://ftp.ietf.org/internet-drafts/
10. http://rfc.net/rfc1519.html
11. http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-distributions.html
12. http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-distributions.html
13. http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html
14. ftp://ftp.bieringer.de/pub/linux/IPv6/kernel
15. http://www.linux-ipv6.org/faq.html
16. http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-kernel.html#transport
17. http://rfc.net/rfc1055.html
18. ftp://ftp.inr.ac.ru/ip-routing/
19. http://rpmfind.net/linux/rpm2html/search.php?query=iproute
20. http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-distributions.html
21. file://localhost/tmp/zh-sgmltools.21666/IPv6&Linux-CurrentStatus-Applications
22. http://www.bieringer.de/linux/IPv6/IPv6-HOWTO/IPv6-HOWTO-3.html
23. http://www.bieringer.de/linux/IPv6/IPv6-HOWTO/IPv6-HOWTO-4.html
24. http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-apps.html#HTTP
25. http://[3ffe:400:100::1]/
26. http://www.kame.net/
27. http://rfc.net/rfc2893.html
28. http://rfc.net/rfc3056.html
29. http://rfc.net/rfc3056.html
30. http://www.kfu.com/~nsayer/6to4/
31. http://www.faqs.org/rfcs/rfc3068.html
32. http://rfc.net/rfc2473.html
33. http://www.bieringer.de/linux/IPv6/
34. http://www.bieringer.de/linux/IPv6/IPv6-HOWTO/scripts/current/
35. http://www.feyrer.de/IPv6/SuSE73-IPv6+6to4-setup.html
36. http://people.debian.org/~csmall/ipv6/
37. http://www.netfilter.org/
38. http://lists.samba.org/pipermail/netfilter/
39. http://lists.samba.org/pipermail/netfilter-devel/
40. http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-kernel.html#netfilter6
41. http://www.kernel.org/
42. http://www.netfilter.org/
43. ftp://ftp.redhat.com/redhat/linux/rawhide/SRPMS/SRPMS/
44. http://www.bieringer.de/linux/IPv6/status/IPv6?status-apps.html#security-auditing
45. http://www.insecure.org/nmap/
46. http://www.freeswan.org/
47. http://www.ipv6.iabg.de/downloadframe/
48. http://www.freeswan.org/doc.html
49. file://localhost/tmp/zh-sgmltools.21666/Linux-IPv6-HOWTO.txt.html
50. http://www.join.uni-muenster.de/lab/testtools.html
51. http://www.ipng.nl/
52. http://www.6bone.net/6bone_hookup.html
53. http://www.6bone.net/6bone_hookup.html
54. http://www.arin.net/
55. http://www.ripe.net/
56. http://www.apnic.net/
57. http://lacnic.org/
58. http://www.ripe.net/ripencc/mem-services/registration/ipv6/ipv6allocs.html
59. http://www.freenet6.net/
60. http://ipv6tb.he.net/
61. https://carmen.cselt.it/ipv6tb/
62. http://tunnel.be.wanadoo.com/
63. http://tb.6test.edu.cn/
64. http://joshua.informatik.uni-leipzig.de/
65. http://www.iij.ad.jp/IPv6/index-e.html
66. http://www.xs26.net/
67. http://www.ipng.nl/
68. http://www.uninett.no/testnett/index.en.html
69. http://www.uk.v6.ntt.net/
70. http://www.nttv6.net/
71. http://www.es.net/hypertext/welcome/pr/ipv6.html
72. http://www.6ren.net/
73. http://www.ipv6-net.de/
74. http://www.kfu.com/~nsayer/6to4/
75. http://www.faqs.org/rfcs/rfc3068.html
76. http://hs247.com/
77. http://bofh.st/ipv6/
78. http://www.ipv6-net.de/
79. http://www.hs247.com/ipv6rfc.html
80. http://playground.sun.com/pub/ipng/html/specs/standards.html
81. http://www.ipv6.org/specs.html
82. http://www.ietf.org/ids.by.wg/ipv6.html
83. http://www.ietf.org/ids.by.wg/ngtrans.html
84. http://www.ietf.org/ids.by.wg/dhc.html
85. http://www.ietf.org/ids.by.wg/dnsext.html
86. http://www.ietf.org/ids.by.wg/mobileip.html
87. http://www.networksorcery.com/enp/protocol/ipv6.htm
88. http://www.switch.ch/lan/ipv6/references.html
89. http://steinbeck.ucs.indiana.edu:47401/
90. http://www.space.net/~gert/RIPE/
91. http://www.bieringer.de/linux/IPv6/
92. ftp://ftp.bieringer.de/pub/linux/IPv6/
93. http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status.html
94. http://www.linux-ipv6.org/
95. ftp://ftp.linux-ipv6.org/pub/
96. http://www.bugfactory.org/~gav/ipv6/
97. http://project6.ferrara.linux.it/
98. ftp://ftp.ferrara.linux.it/pub/project6/
99. http://www.pld.org.pl/
100. http://www.redhat.com/
101. http://www.netcore.fi/pekkas/linux/ipv6/
102. http://www.debian.org/
103. http://people.debian.org/~csmall/ipv6/
104. http://www.suse.com/
105. http://www.linux-mandrake.com/
Linux IPv6 HOWTO相关推荐
- linux ipv6模块,有关Linux ipv6模块加载失败的问题
有关Linux ipv6模块加载失败的问题 同事一个SUSE11sp3环境配置ipv6地址失败,提示不支持IPv6,请求帮助,第一反应是应该ipv6相关内核模块没有加载. 主要检查内容: ipv6地址 ...
- Linux LVM HOWTO
一份非常内行的Linux LVM HOWTO 蓝森林 http://www.lslnet.com 2000年12月29日 17:43 作 者: 谢启发 1. 绪论 欢迎你,亲爱的读者. 写这个文档的目 ...
- linux ipv6内核编译,linux ipv6内核设置
linux ipv6内核设置,进入/proc/sys/net/ipv6: conf/all/forwarding Type: BOOLEAN 在两个接口之间进行global IPv6 forwardi ...
- linux ipv6临时地址
在Ubuntu系统上想要通过ipv6来上网,结果发现通过DHCP获取到了ipv6地址却无法连接外网. ping6 ipv6.google.com 数据包有去无回,100% loss . 奇怪的是通过D ...
- 本地win7ping VM linux ipv6地址问题
前述 在windows和linux同时安装ipv6之后,系统将会自动分配一个link-local(链接本地)地址 也就是ifconfig -a看到的一行[inet6 addr: fe80::20c:2 ...
- [zz]一份非常内行的Linux LVM HOWTO
作 者: 谢启发 1. 绪论 欢迎你,亲爱的读者. 写这个文档的目的是为了告诉你什么是LVM,它怎样工作,你怎样运用它使你的生活变得更容易.虽然有一份LVM FAQ,但仍是德文的,它是从不同的角度来描 ...
- Linux IPv6 UDP套接字编程示例
udp ipv6套接字编程和ipv4接口类似,参数略有不同,流程都包括创建套接字.绑定地址.发送等. 下面是一个udp ipv6 demo, 包括创建ipv6套接字.绑定地址和发送数据等. 首先先在l ...
- 如何配置 Linux ipv6 6RD隧道
如何使用 Linux 6RD ©2010-2011 Nathan Lutchansky,保留所有权利 最后修改日期:2011-01-23 介绍 本文描述如何在Linux上安装基本的6RD支持,主要是针 ...
- linux ipv6添加路由器,使用Linux搭建IPV6路由器(CentOS版)
Building a IPV6 Router with Linux(CentOS) Version 1.0.0 Date 2010-11-20 Author ipcpu Website http:// ...
最新文章
- linux 有线网卡,linux下有线网卡出现ADDRCONF(NETDEV_UP): eth0: link is not ready的解决方法...
- centos6.5编译安装php7
- 令人作呕的OpenSSL
- postgresql日常操作命令
- SSD固态存储大观(二)
- Resource stopwords not found. Please use the NLTK Downloader to obtain the r
- uml 时序图_程序猿都应学习的语言:看 25 张图学 UML
- ehcache 手动刷新缓存_清空DNS缓存的两个小方法
- springboot集成mybati 后又使用mybatisPlus 出现的问题 BindingException:Invalid bound statement
- 如何在虚拟机安装并使用NTFS for Mac 15
- 恕我直言,你完全没有把IDEA的Diagram功能发挥出来...
- 激励机制中的经济学和博弈论模型(2)
- HTML5系列代码:信纸效果
- 关于“善念科技”的思考
- 进程管理——PV操作
- 使用TTP224触摸芯片时出现的一些问题
- python 删除pdf页面_删除PDF其中几页的方法
- Oracle 中的序列
- 使用vue echarts 制作地图map
- 蒂特ft232_芯片资料-FT232.pdf