Archive for the ‘Uncategorized’ Category

Super Mac IPv6 Sleeper: Airport Extreme does IPv6 tunneling AND firewalling!

June 6th, 2010 admin No comments

It’s been known for some time that Apple’s Airport Extreme base station can double as an IPv6 tunnel gateway. But the Extreme’s IPv6 support was kind of half-baked: its rudimentary “firewall” was all-or-nothing, and its NAT pass-through support was buggy. But Apple’s latest Extreme — the “Late 2009” edition with 7.5x firmware — fixes those bugs AND adds a spiffy new IPv6 firewall. (Alas, older Extremes only support up through 7.4 firmware, which still has problems with IPv6.)

It took me about five minutes to create a Hurricane Electric (http://tunnelbroker.net) account and configure the Extreme as an IPv6-over-IPv4 tunnel gateway, with the Extreme configured in transparent mode, using a private DHCP address acquired from the local LAN. I just plugged in the remote tunnel IPv4 address, local tunnel IPv6 endpoint address, the IPv6 default route, and the LAN’s IPv6 subnet address. (Note: Apple swapped the order of remote and local ipv6 in the upgrade from 7.4 to 7.5 firmware.) The tunnel popped into existence instantly. I had set up Google’s open IPv6-enabled DNS server (IPv4 address 8.8.8.8) for the LAN DNS server address.

The Extreme seems to have IPv6 Router Advertisements enabled by default, so IPv6 stateless autoconfig cheerfully gave everyone on the LAN a global IPv6 address from the HE.net /64 assignment, and all the LAN systems were suddenly IPv6 enabled! This is too easy!
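Because stateless autoconfig hands every host on the LAN a global address as soon as the Extreme starts advertising the /64, it is worth knowing in advance which addresses will show up (and therefore which inside addresses the IPv6 firewall rules should name). The following is an added example, not code from the post or from Apple: it derives the modified EUI-64 address a client without privacy extensions forms from its MAC and the advertised prefix, and reverses the derivation so a defender can map an address seen in logs back to a LAN MAC. The prefix 2001:db8:1:2::/64 and the MACs are constructed sample values, and the assumption that clients use EUI-64 (rather than temporary/privacy addresses) is the author's here, not the page's.

```python
import ipaddress
from typing import Dict, Iterable, Optional


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291 App. A) for a 48-bit MAC.

    Insert ff:fe between the OUI and the device part and flip the
    universal/local bit (0x02) of the first octet.
    """
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address: %r" % mac)
    first = octets[0] ^ 0x02
    iid = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Global address a SLAAC client forms from the advertised /64 and its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix, got /%d" % net.prefixlen)
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_slaac(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 address, or None if the low 64 bits
    do not carry the ff:fe marker (e.g. a privacy/temporary address)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    octets = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join("%02x" % o for o in octets)


def expected_lan_addresses(prefix: str, macs: Iterable[str]) -> Dict[str, str]:
    """Map each LAN MAC to the global address it will autoconfigure."""
    return {mac: str(slaac_address(prefix, mac)) for mac in macs}


if __name__ == "__main__":
    # Constructed sample: documentation prefix and two made-up MACs.
    lan_prefix = "2001:db8:1:2::/64"
    lan_macs = ["00:11:22:33:44:55", "a4:5e:60:01:02:03"]
    for mac, addr in expected_lan_addresses(lan_prefix, lan_macs).items():
        print("%s -> %s (reverse: %s)" % (mac, addr, mac_from_slaac(addr)))
```

Run it with the /64 HE.net routed to your tunnel and your inventory of LAN MACs, and the output is the list of inside addresses that the Extreme's "IPv6 Firewall" tab can be told about. An address in your logs for which mac_from_slaac returns None was not formed by EUI-64 and is most likely a privacy address, which this mapping cannot attribute.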

The Extreme’s IPv6 firewall option appears when you click “Block incoming IPv6 connections” (without which the Extreme allows all inbound connections), at which point a new “IPv6 Firewall” tab appears. (Apparently this has always been there, but I never clicked the “Block incoming” box and so never saw it before.) You can permit Teredo tunnels if you like, as well as inbound IPsec connections, with a couple of clicks. The “firewall” interface is primitive but gets the job done, letting you allow specific TCP and UDP ports to specific inside IPv6 addresses. The Extreme IPv6 firewall is v6-only, however, so you still need a good IPv4 firewall.

So far I’ve only tried running an Extreme as an IPv6 gateway using its LAN-transparent mode, in which the device gets a LAN IP from your local DHCP server. I did this to avoid double-NAT. However, you should be able to set up IPv6 tunneling in routed mode — where the Extreme’s WAN port faces the Internet with a provider-assigned public IPv4 address. In this arrangement, the LAN ports create an IPv6 “sandbox” — as long as your border firewall supports passing GRE protocol (IP protocol 47) outbound. But at least you don’t have to open any pinholes to the Extreme or otherwise weaken your enterprise security stance.

The one missing bit: the Extreme has no built-in DHCPv6 server, so it can’t distribute name server settings to clients after stateless autoconfig. However, as long as your LAN IPv6 clients use an IPv6-enabled DNS server at an IPv4 address (Google’s 8.8.8.8 qualifies), then you can get to the IPv6 Internet via names without problem.

At $179, this is the cheapest easy-to-configure IPv6 gateway appliance on the market!

[UPDATE on 2010/06/06: A reader tells me that the IPv6 firewall has been in the Extreme for more than a year, but few people find it because it's hidden behind that "Block all incoming IPv6 connections" checkbox. I've edited this post to reflect that. -mel]

Categories: Uncategorized Tags:

Performance testing: where to get big files on a fat pipe

April 3rd, 2010 admin No comments

One of the best IPv6 performance tests is to simply run basic HTTP or FTP file transfers. This kind of testing can often reveal a lot more about your performance than those popular Java- and Flash-based speed-test widgets. For one thing, you can monitor the transfer in Wireshark and look for odd fragmentation, MTU problems, missing ACKs, and the like. But where to get big files on a fat IPv6 pipe? From http://speedtest.tele2.net, that’s where. Operated by Swedish ISP Tele2 Sverige AB, this site has test files ranging from 100MB to 1TB, accessible via both FTP and HTTP. Yes, it’s download testing only, but that’s where most problems get discovered anyway. I realize this isn’t a Mac-specific site, but Macs have to do performance testing too!


MacOSX Leopard has a CLI IPv6 firewall

March 22nd, 2010 admin No comments

It’s called, cleverly enough, ip6fw. Just type

man ip6fw

for the easy-to-follow ;) instruction guide.


Apple Airport & Time Capsule have built-in IPv6 support

March 22nd, 2010 admin No comments

They can operate as a direct IPv6 gateway if your ISP supports IPv6, or as a tunneling device. To configure the tunneling option, follow these steps (courtesy of James Woodyatt):

1. Launch AirPort Utility.
2. Select your device from the sidebar and choose Manual Setup.
3. Select the [Internet] pane of the configuration window.
4. Select the TCP/IP tab.
5. At the “Configure IPv4” pop-up, choose the “Manually” option.
6. Enter the statically assigned IPv4 WAN configuration parameters for your device:
+ IP Address
+ Subnet Mask
+ Router Address
+ DNS Servers
+ Domain Name [optional]
7. Select the [Advanced] pane of the configuration window.
8. Select the IPv6 tab.
9. At the “IPv6 Mode” pop-up, choose the “Tunnel” option.
10. At the “Configure IPv6” pop-up, choose the “Manually” option.
11. Enter the statically assigned IPv6-in-IPv4 configuration parameters for your tunnel:
+ Remote IPv4 Address
+ Local IPv6 Address
+ Remote IPv6 Address
…also…
+ Enter the IPv6 address for a /64 LAN with a prefix that was assigned with your tunnel.
12. Click [Update] and wait for the AirPort/Time-Capsule to restart.


How to determine the KAME version number of a MacOSX release

March 22nd, 2010 admin No comments

MacOSX uses the KAME project (http://www.kame.net) IPv6 protocol stack and tools. The KAME project was a joint effort of six companies in Japan to provide a free stack of IPv6, IPsec, and Mobile IPv6 for BSD variants. The project officially concluded in March 2006 and most of the components moved to FreeBSD, NetBSD, and MacOSX. Sometimes it’s helpful to see what the KAME version is in the MacOSX release you’re running. Here’s how:

sysctl -a | grep kame_version
net.inet6.ip6.kame_version: 20010528/apple-darwin


How do you use scp with IPv6 on a Mac?

March 22nd, 2010 admin No comments

You can do this:

ssh root@2001:1234::1 (example address)

but you can’t do this:

scp root@2001:1234::1:/tmp/file .

because scp parses this as hostname 2001 and file path 1234::1:/tmp/file, yielding an error such as this one:

ssh: connect to host 2001 port 22: Connection refused

The scp manpage addresses this problem for -L and -R arguments (you can use the -6 option on scp to force all addresses to be interpreted as IPv6), but it is silent about using IPv6 when copying files.

The trick is to use square brackets to delimit the IPv6 address, which on the Mac also requires escaping the brackets from the shell, like this:

scp root@\[2001:1234::1\]:/tmp/file .
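To show exactly why the bare address is split at the first colon and why the brackets fix it, here is an added example (not part of the post, and not OpenSSH's own code) that re-implements the host/path separator scan scp applies to its arguments: a leading `[` (or `@[`) switches on bracket mode, in which only a `]:` pair counts as the separator; otherwise the first `:` wins, and a `/` seen first means the argument is a local path. The backslashes in the post's command are consumed by the shell, so this function sees the brackets unescaped. The addresses and paths are the constructed ones from the post.

```python
from typing import Optional, Tuple

ScpTarget = Tuple[Optional[str], str, str]  # (user, host, path)


def find_separator(arg: str) -> Optional[int]:
    """Index of the ':' that separates host from path, or None for a local path.

    Mirrors the scan scp uses: a leading ':' is part of a file name,
    brackets delimit an IPv6 literal, and a '/' before any ':' makes the
    whole argument a local path.
    """
    if arg.startswith(":"):
        return None
    bracketed = arg.startswith("[")
    for i, ch in enumerate(arg):
        if ch == "@" and arg[i + 1:i + 2] == "[":
            bracketed = True
        if ch == "]" and bracketed and arg[i + 1:i + 2] == ":":
            return i + 1
        if ch == ":" and not bracketed:
            return i
        if ch == "/":
            return None
    return None


def split_scp_target(arg: str) -> Optional[ScpTarget]:
    """Split 'user@host:path' the way scp does; None means a local path."""
    sep = find_separator(arg)
    if sep is None:
        return None
    spec, path = arg[:sep], arg[sep + 1:]
    user: Optional[str] = None
    if "@" in spec:
        user, spec = spec.rsplit("@", 1)
    # Strip the brackets around an IPv6 literal before handing it to ssh.
    host = spec[1:-1] if spec.startswith("[") and spec.endswith("]") else spec
    return user, host, path


if __name__ == "__main__":
    # Constructed sample arguments, as they reach scp after the shell
    # has removed the backslashes.
    for arg in ("root@2001:1234::1:/tmp/file", "root@[2001:1234::1]:/tmp/file", "./file"):
        print("%-32s -> %s" % (arg, split_scp_target(arg)))
```

The first argument comes back as host `2001` with path `1234::1:/tmp/file`, which is the "connect to host 2001" failure above; the bracketed form yields host `2001:1234::1` and path `/tmp/file`. The same bracket rule applies to the destination argument, so `scp file root@\[2001:1234::1\]:/tmp/` works too.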