Nick Edwards | 18 Jul 13:06 2011

ipv6

Hi there,
Currently running Slack 12 servers.
About to be migrating to ipv6, running dual stack.

Is slack 13.37 inet1.conf script ipv6 ready?

We have SSL hosts on servers so we need to bring up about 200 IPs, and in test it is fine if we use multiple /sbin/ifconfig eth0 inet6 add i:p:v:6:addy/64 in
rc.local, but for a modern OS it's kind of unheard of, bringing up interfaces via rc.local, especially since Slack has a dedicated script file to do it.

Thoughts?


Nik

_______________________________________________
slackware mailing list
slackware <at> mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/slackware
Gil Andre | 18 Jul 23:39 2011

Re: ipv6


Hi Nick,

On Mon, 18 Jul 2011 21:06:11 +1000 Nick Edwards <nick.z.edwards <at> gmail.com> wrote:
> Currently running Slack 12 servers.
> About to be migrating to ipv6, running dual stack.

Hmmmm... Maybe not such a good idea, dual-stack machines have been reported
as somewhat insecure.

> Is slack 13.37 inet1.conf script ipv6 ready?
> 
> We have SSL hosts on servers so we need to up about 200 IP's, and in test it
> is fine if we use multiple /sbin/ifconfig eth0 inet6 add i:p:v:6:addy/64  in
> rc.local. but, for a modern OS, its kind of unheard of, bringing up
> interfaces via rc.local, especially since slack has a dedicated script file
> to do it.
> 
> Thoughts?

I am not really shocked by interface init in /etc/rc.d/rc.local,
but that's because I use OpenBSD and NetBSD all the time...    :-)

Just put your "ifconfig" ipv6 commands in /etc/rc.d/rc.local, and
your interfaces should come up with ipv6 addresses enabled. As it
is written within this file, do the reverse in a new file named: 
''/etc/rc.d/rc.local_shutdown'' and you will also shutdown the
interfaces cleanly. That's not a big deal, and I am not sure other
Linuxes are managing this any better.

This being said, I don't have a 13.37 system here right now, so
I can't comment any further.

(I'll just shut up now & crawl back under a rock or something).

-- 
Gil ANDRE				   gil [at] panix [dot] com
				andre [dot] g [at] wanadoo [dot] fr
-------------------------------------------------------------------
"One must philosophize a great deal, one must think a great deal. He who
thinks little errs a great deal." Leonard de Vinci.
Noel Butler | 20 Jul 09:51 2011

Re: ipv6

On Mon, 2011-07-18 at 23:39 +0200, Gil Andre wrote:
> Hi Nick,
> On Mon, 18 Jul 2011 21:06:11 +1000 Nick Edwards <nick.z.edwards <at> gmail.com> wrote:
> > Currently running Slack 12 servers.
> > About to be migrating to ipv6, running dual stack.
> Hmmmm... Maybe not such a good idea, dual-stack machines have been reported
> as somewhat insecure.

How so? There is a lot of FUD going around. The risk is more so with ipv6, and that's only because there's no more NAT, and lazy people rely on that for security, where now they'll need to configure security on each device. As long as they remember that in dual stacking they need to replicate their iptables rules with ip6tables as well, and that's going to be the case for years to come, because ipv6 is here to stay and ipv4 will not vanish overnight; it may take up to a decade to see it gone.

It sounds like Nick needs those machines accessible anyway with 200 hosts.

> Is slack 13.37 inet1.conf script ipv6 ready?
> 
> We have SSL hosts on servers so we need to up about 200 IP's, and in test it
> is fine if we use multiple /sbin/ifconfig eth0 inet6 add i:p:v:6:addy/64 in
> rc.local. but, for a modern OS, its kind of unheard of, bringing up
> interfaces via rc.local, especially since slack has a dedicated script file
> to do it.

That's all the network scripts do, just with a little bloat.
Be it with ifconfig or ip, you could just write your own network file called from rc.M right after it calls rc.inet1.
We don't have a down script, but we don't want ours being down, only up. We call it just as a normal bash file (like rc.local) but don't use rc.local for safety reasons..

e.g.:
(segments deleted to protect the guilty)


#!/bin/sh
/usr/sbin/ip -6 addr add 2:::::4/64 dev eth0
/usr/sbin/ip -6 addr add 2:::::5/64 dev eth0
/usr/sbin/ip -6 addr add 2:::::6/64 dev eth0
/usr/sbin/ip -6 addr add 2:::::7/64 dev eth0
/usr/sbin/ip -6 addr add 2:::::8/64 dev eth0
/usr/sbin/ip -6 addr add 2:::::9/64 dev eth0

.... etc.....


NOTE:   I hope you are prepared for the SSL certificate nightmares from hell ... unless you have a wildcard certificate for each domain, that is.  Hrmm, these cert issuers are gonna make a killing, aren't they... bastards.... or you could duplicate the apache entry and give me a self-signed cert for ipv6... given the pittance that is ipv6 traffic, you probably could get away with it for a while.

Unless there is another way around it that escapes me, but given the IPs differ, I doubt it, to avoid MITM warnings.

Cheers


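The add script Noel sketches above, with the shutdown counterpart Gil mentions (rc.local_shutdown) folded in, as an added example that is neither poster's script nor Slackware's own rc.inet1. Interface, prefix length and the address list are placeholders (addresses from the 2001:db8::/32 documentation range); DRYRUN=1 prints the commands instead of running them, and "start" skips addresses that are already configured.

```shell
#!/bin/sh
# Constructed example: bring a list of IPv6 addresses up on one interface
# (called from rc.M after rc.inet1, as Noel suggests) and take them down
# again (the rc.local_shutdown counterpart Gil mentions). Not Slackware's
# own rc.inet1. Interface, prefix length and addresses are placeholders;
# the addresses come from the 2001:db8::/32 documentation range.
IFACE="${IFACE:-eth0}"
PREFIXLEN=64
ADDRS="2001:db8:1::4
2001:db8:1::5
2001:db8:1::6"

# Print the ip(8) commands for "start" or "stop" without running them,
# so the list can be reviewed before it touches a production box.
build_cmds() {
  case "$1" in
    start) verb=add ;;
    stop)  verb=del ;;
    *) echo "usage: build_cmds start|stop" >&2; return 1 ;;
  esac
  printf '%s\n' "$ADDRS" | while IFS= read -r a; do
    [ -n "$a" ] || continue
    echo "/sbin/ip -6 addr $verb $a/$PREFIXLEN dev $IFACE"
  done
}

# Run the commands. With DRYRUN=1 they are only printed. On "start",
# addresses already present are skipped, so re-running the script
# (or running it after rc.inet1 already added one) does not error out.
apply() {
  build_cmds "$1" | while IFS= read -r cmd; do
    addr=$(echo "$cmd" | awk '{print $5}')
    if [ "$1" = start ] && ip -6 addr show dev "$IFACE" 2>/dev/null \
         | grep -qF -- " $addr "; then
      echo "skip $addr (already configured)"
      continue
    fi
    if [ "${DRYRUN:-0}" = 1 ]; then echo "$cmd"; else $cmd; fi
  done
}

# Remember the firewall half of dual stack: rules in iptables do not
# apply to these addresses; ip6tables needs an equivalent ruleset.
case "${1:-}" in
  start|stop) apply "$1" ;;
esac
```

Call it as "rc.inet1_v6 start" from rc.M after rc.inet1 and "rc.inet1_v6 stop" from rc.local_shutdown; running it with no argument does nothing.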
Nick Edwards | 21 Jul 01:38 2011

Re: ipv6

On Wed, 2011-07-20 at 09:51, Noel Butler wrote:

> It sounds like Nick needs those machines accessible anyway with 200 hosts.


Yes, we run a small hosting environment, as from another list, I think you know where.

> > Is slack 13.37 inet1.conf script ipv6 ready?
> > 
> > We have SSL hosts on servers so we need to up about 200 IP's, and in test it
> > is fine if we use multiple /sbin/ifconfig eth0 inet6 add i:p:v:6:addy/64 in
> > rc.local. but, for a modern OS, its kind of unheard of, bringing up
> > interfaces via rc.local, especially since slack has a dedicated script file
> > to do it.
> 
> That's all the network scripts do, just with a little bloat.
> Be it with ifconfig or ip, you could just write your own network file called from rc.M right after it calls rc.inet1.
> We don't have a down script, but we don't want ours being down, only up. We call it just as a normal bash file (like rc.local) but don't use rc.local for safety reasons..
> 
> e.g.:
> (segments deleted to protect the guilty)
> 
> #!/bin/sh
> /usr/sbin/ip -6 addr add 2:::::4/64 dev eth0
> /usr/sbin/ip -6 addr add 2:::::5/64 dev eth0
> /usr/sbin/ip -6 addr add 2:::::6/64 dev eth0
> /usr/sbin/ip -6 addr add 2:::::7/64 dev eth0
> /usr/sbin/ip -6 addr add 2:::::8/64 dev eth0
> /usr/sbin/ip -6 addr add 2:::::9/64 dev eth0
> 
> .... etc.....


Thanks. I see, though, in doing this it is not aliased ether interfaces, it's under the main config?
Never seen that before.

> NOTE:   I hope you are prepared for the SSL certificate nightmares from hell ... unless you have a wildcard certificate for each domain, that is.  Hrmm, these cert issuers are gonna make a killing, aren't they...


I agree this sucks big time. Some of the domains are wildcarded, but only 40 or so, leaving 160-odd problems; clients won't like forking out money for another certificate, and in which case we'd have to recreate a slightly different named vhost, would we not? Essentially doubling the number of vhosts in apache?

> bastards.... or you could duplicate the apache entry and give me a self-signed cert for ipv6... given the

Give you? I assume that was a typo LOL :->
> pittance that is ipv6 traffic, you probably could get away with it for a while.


I enabled IPv6 on our mail servers yesterday, a quick browse shows a LOT of connections, but you are possibly correct in so far as they are only servers, not end users, I will enable SSL on a few domains today with the ones who have wildcard certificates and will see how much traffic increases.


> Unless there is another way around it that escapes me, but given the IPs differ, I doubt it, to avoid MITM warnings.


MITM ?

Nik
Noel Butler | 22 Jul 12:42 2011

Re: ipv6

On Thu, 2011-07-21 at 09:38 +1000, Nick Edwards wrote:

> Thanks. I see, though, in doing this it is not aliased ether interfaces, it's under the main config?
> Never seen that before.

Normal, it's not a sub (alias) interface.

> I agree this sucks big time. Some of the domains are wildcarded, but only 40 or so, leaving 160-odd problems; clients won't like forking out money for another certificate, and in which case we'd have to recreate a slightly different named vhost, would we not? Essentially doubling the number of vhosts in apache?


Maybe not because the PTRs are different, not the hostname (I guess I should check it myself)

> > bastards.... or you could duplicate the apache entry and give me a self-signed cert for ipv6... given the

> Give you? I assume that was a typo LOL :->


haha, yes, I meant to say "'em" as in them; if I had not got lazy you'd have seen that, my bad...




> > Unless there is another way around it that escapes me, but given the IPs differ, I doubt it, to avoid MITM warnings.



> MITM ?

"man in the middle" attack


