Okay. So, this thing on? Yeah? You hear me? All right. Wow. Nice turnout. Thanks, everybody. My name is Stuart Sheldon. I'm president and founder of ActUSA. I also serve as the director of technology for the Southern California Linux Expo. So, the network you're on today is either my victory or my failure. Thank you very much. Today, I'm talking about Linux as an IPv6 dual-stack router and firewall. How many people here run an IPv4 firewall? Show of hands? All right. Awesome. Good. Because I'm not going to talk about IPv4 firewalls much at all, or how to get a Linux router configured to start with. What we're really going to talk about is how to get moved forward into IPv6 on your device. Okay?

So, I'm going to go over some very boring stuff as quickly as I can. I'm sure most of you already know this, but for the people that haven't had any exposure to IPv6, I want to cover it a little bit. The address format for IPv6 is long and frightening. We've got eight 16-bit hexadecimal groups separated by colons. Makes for a really, really difficult address to read. They're all set. The total number of bits in the address space is 128. That's two to the 128th. There's 340 billion, billion, billion, billion addresses. Or enough addresses to replace the grains of sand on all the planets in our solar system. Minimum network size is 64 bits, so we split it in half. This drives people crazy because, God, I got all this address space. Why do I want 18 billion, billion devices on my LAN? We do that because of auto-configuration. We're going to talk about that a little bit too. IPv6 supports unicast addresses, multicast addresses, and anycast addresses. Now, a little bit more. It also supports auto-configuration as well as network discovery. This is cool because a client can actually get and create its own IP address for IPv6. You don't have to run a DHCP server, but you do have to properly advertise the address out on your LAN from your router. It also supports router discovery.
What that basically means is, if you're running VRRP or some other protocol to have multiple routers on your network, you automatically get that with IPv6. As a matter of fact, with DHCPv6, you do not normally get a gateway from your system automatically set. Now, it also covers duplicate address detection, which is even cooler. How many people here have had somebody come up on the same address on their LAN? Isn't that fun to find? The way it works is it comes up and it randomly chooses an address based on certain rules, and it looks to see if that address is being used by any other device on the network. If it is, it immediately drops the address, creates a new address randomly, and tests that address until it finds one that's not in use.

IPv6 does not support network broadcasts. There's no network broadcasts in IPv6. Does not support network address translation. How many people are upset about that? How many people have had issues with trying to get services to work that don't do network address translation? It's kind of unfortunate. There's a lot of people that have come up in the industry. I've been in this a little while. But a lot of the newer network administrators and operations people really aren't used to the concept of an actual firewall. Network address translation, by default, can be a firewall, but it is not a firewall by itself. And we should not be relying on our security just on network address translation. Again, I'll mention it does not officially support longer netmasks than the slash 64, and that's because of the auto-generation of the addresses. Yes, of course, you can do a slash 126 or something along that line. So if you have a point-to-point interface, how many people here actually deal with point-to-points? Okay, I got a couple out there. Actually, there's two schools of thought about that.
One school of thought is that if for whatever reason you end up with some sort of obscure multicast communication between the two routing devices, you're going to end up in trouble because it's not going to see it as the same contiguous network. But also they say that you could have basically an ARP storm as a denial of service on the interface. Personally, I set all mine to slash 64 and I leave it at that. You guys can study later on what you guys really want to do. It also doesn't support in-transit packet fragmentation. So anywhere along the entire layer three protocol, we have to be able to move 1280 bytes. Okay, I'll be done in a minute. I get no respect.

All right, talk a little bit about the addresses. We have some address shortcuts. This is a fully populated IPv6 address. We can remove groups of zeros and replace them with colon colon. So we can shrink this whole address down to this. And we also can remove leading zeros. Get rid of that one in front of the D. And this is the actual IPv6 address that you can program into your system. So the address isn't that big. Oh, see, it changed. I went past it. Gosh darn it. Okay. Sorry about that.

All right. So about addresses, we have a new address type called link-local addresses in IPv6. They're designed to only communicate on the network. So in other words, the link-local address will not go across routers. And a link-local address will only talk to, or can only be addressed by, another device on your LAN. And every IPv6 interface must have one programmed. Now, most of the systems take care of that for us. It automatically comes up. As a matter of fact, if you do an ifconfig on a Linux system and look at the address, you always have that FE80 address in there, which is your link-local. Okay. That's even if you don't have a global address. Only used on the local LAN, never routed. Multiple interfaces can have the same link-local address.
So you could have eth0, eth1, eth2, or multiple VLAN interfaces all utilizing the same link-local address. Okay. That is why whenever we use it, we must also specify the interface that we're going to have that packet go out on to find that link-local address. We do that by adding a percent and the interface name at the end of the link-local during our connection process. And now, also, we talked about automatic addresses. Anybody here familiar with EUI-64? You guys know what that is? I got one person here. And I know him. He works for one of my uplinks. Anyway, basically, that's the act of being able to take a standard MAC address and convert it into an IPv6 address. This is done by taking the network address, which would be the first 64 bits of the address, taking the first 12 bits of the MAC address, adding an FFFE in the middle, and the last 12 bits of the MAC address. And then just to make it more difficult, we have to invert the seventh bit of the host portion of the MAC address. What that basically means is, if your MAC address, let's see, I thought I had it here. Okay, no. And then invert it. So, to specify, I'm missing a section of the slide, but that's all right. I'll try to wing it. What basically happens with this is it allows the system to automatically define its link-local address and get a starting point for what it may be able to use as its global address.

Now, how many people have tried to set up IPv6? Okay. How many people? The first thing they do is, I want to know if I can do IPv6. You jump right to the browser. You type in the MAC address, or type in the IPv6 address, and hit enter and it blows up. Doesn't do anything. That's because the address has colons in it. And what does a colon mean in an HTTP address? Port address. So the way we get around that is we put the address in square brackets. And that's, I think, one of the questions on the cards. So there's a freebie for you.
Now, here's some of the address groups. You've got link-local unicast. It's always going to be on the FE80 slash 10 network. Global unicast. This is the stuff that gets routed on the open internet. That's on the 2000 slash 3 network. Local IPv6 addresses. This is something I don't get. So we don't have network address translation. But we have a classification for local IPv6 addresses. You must be involved with ARIN, too. Anyway, the point is that you'd never be able to run them on the internet. So if we're not going to have NAT, why have local addresses? Unless you're government. Anyway, also a very common address is the loopback address, which is ::1 slash 128. And an IPv4-mapped address to IPv6: colon colon with four Fs and the standard IPv4 address. How many people have seen this in their Apache logs? Yeah, all right. You know, me, crazy. The first, all my scripts broke. Right. Trying to find, when I was searching logs, God, what's this terrible thing, IPv6? You also have your router anycast address. So what the router anycast address is, is the first 64-bit network portion of the address followed by two colons. When you bring up a Linux firewall or a Linux router, it will automatically specify that address on every router on your network. Okay. Anycast addresses basically respond to an ARP request, but they never initiate an ARP request from that device. Okay, using that address. So basically what you have is you have an address that you can set as your default route on your network without having to worry about figuring out what the address is. That makes sense to everybody? All right. Then of course, everything: colon colon slash zero.

Now IPv6 has privacy. RFC 4941, that is an RFC that basically defines the ability to randomize client IP addresses so that you can have multiple public IP addresses on an interface and then rotate through those as you're connecting on the internet so they can't trace back what machine it is.
Okay, part of the privacy specification. It's on by default in Windows. Where's my boo? It's off by default in Linux. Yay. And ironically, Windows also uses random addresses for auto-configuration as well. It doesn't use the EUI-64. So I used to think, all right, all the systems use that, but apparently Windows decided they weren't going to. And you know, I hate to admit it. That's a pretty good idea. Don't you think? All right.

And IPv6 tunneling. IPv6 tunneling is designed as a transition, where we can take IPv6 traffic and push it down a tunnel on an IPv4 network. How many people have heard of Teredo? How many people hate Teredo? Really quick, what it is: it's on by default on older Windows systems. It allows for global routing behind that, which I think is very bad. It completely disables your security in most cases. Yes, sir. XP or older. My understanding is that it was turned off in Vista. At least that's what Google says. And if it's on the internet, it must be true, right? All right, so 6in4 tunneling. 6in4 tunneling is right now the most popular tunneling protocol used for people that are doing exactly what we're going to try to do here. And that is create our own IPv6 firewall. And we would basically connect to a tunnel broker, such as tunnelbroker.net. And thank you, Hurricane Electric, wherever you are. Oh, and it allows for point-to-point tunneling of IPv6 data between network endpoints via IPv4. God, I can't sum it up any better than that. 6to4 tunneling. And it's a network tunneling protocol that was really designed for ISPs and enterprises to create a router that would allow IPv6-only clients to attach and create tunnels with other IPv6 6to4 tunnel systems in order to transfer their data without permanent tunnels. Got really limited adoption because you basically are relying on a bunch of ISPs to do something at the same time. I've never seen that happen. So we won't talk much about that at all. Anyway, all right. So how do we configure the clients?
We have DHCPv6 and we have auto-configuration. We can talk about the pros on DHCPv6: address tracking. You can track a MAC address to the address that it's given by the DHCP server. Fixed address assignment, just like we have with IPv4. We can assign our address to the device based on its MAC address. DNS server assignment is a lot easier with DHCPv6. And it's a lot easier to push down dynamic PTR and AAAA records when you're running a DHCPv6 server. The cons are that it's complicated to implement. Also, the client compatibility is mixed at best. What I mean by that is, how many people are on Macs in here? Okay. DHCPv6 works awesome on a Macintosh if you turn it on for your interface. Goes out, it'll get an IPv6 DNS server, it'll get a fully advertised address from the DHCP server, and works great. I run Debian. I have to do modifications and all sorts of other stuff to get it to work in Debian. It's not terrible, but I don't really need to do it. The reason I don't need to do it is I've got auto-configuration. The pros to auto-configuration: the setup is much less complicated. Almost all clients support it out of the box. Less system overhead. The cons are that you can't track the address. It's based on the MAC address. So unless you're, say, an enterprise and are really concerned about that, I wouldn't worry about it too much. Also we have limited ability to do DHCP, excuse me, DNS server push-down. There are protocols available to do it, however, and it's also included in the auto-configuration specification under another RFC. But you have to run daemon software on the client to be able to accept that. Okay.

Now how many people here think you need an IPv6-addressed DNS server to do IPv6 connections? Anybody here think that? Well, sorry. You're wrong. If it can, it will return both the AAAA, which is the IPv6 record, and the A record, which is IPv4.
So in essence, if you're running dual stack, and I don't know anybody in this room that would implement without that, all you really need is your IPv4 name servers. So if I was to do DHCP version 6, I would need to have, I have a couple different choices. I have the ISC DHCP server and client, or the WIDE DHCP server and client. In all the implementations that I've used, as a matter of fact, we're running an IPv6 DHCP server on the network here today, I use the ISC DHCP server. Now it's important to note this. If you're running a DNS server or a DHCP server, it doesn't matter. Sorry, I hate acronyms. Because you have to run a completely separate daemon for an IPv6 DHCP server. It's a completely separate program. So you're increasing overhead. Just another reason to do auto-configuration.

For auto-configuration, you have to run some sort of daemon on your router. Anybody here use Quagga? All right. Got one person out there. I happen to like Quagga because we were kind of a corporate-level ISP and I do BGP and stuff with Linux routers. So it works awesome. And it also emulates Cisco commands. So it's fairly easy to transition into. We also have the router advertisement daemon. This does the same thing. Although it doesn't have the routing protocols. It strictly is for auto-configuration. And we have the rdnssd client. And that's a client you have to run on the tunnel broker routing a slash 64 that tunnel broker is routing into our router with. We're going to use auto-configuration and we're going to use Quagga to advertise the addresses. And we're going to do our firewall supplied by IPv tables and ip6tables. It was iptables, not IPv tables. It's been a long day. That's even better. Okay.

Hardware. I use regular PC hardware. I happen to like Supermicro because I think it's priced right and I get good support for Linux from it. You guys are welcome to build this on anything. Even build it on a tower if you want. All you really need are two interfaces.
We have a little box that we use a lot that is just strictly designed to do purposeful things like routers and firewalls. But any of these will work. How many people have created a tunnel at Tunnel Broker? All right. So the screen should look familiar to you. You're going to go in, create your tunnel. It hopefully will come up automatically with your endpoint. Allow you to select the endpoint that you want to connect on their side. You're going to create the tunnel. Bada bing, bada boom. You now have your tunnel. You have your endpoint IP address as well as their endpoint IP address. You have their endpoint IPv6 address and your endpoint IPv6 address. They offer you anycast DNS servers if you want to go ahead and point towards their servers. Most of the time I think you're probably running your own DNS server, caching server. Should a Linux firewall? Maybe not. If for whatever reason you're running your ISP's DNS servers and they do not support IPv6 lookups, you can use these. It also gives me a slash 64. I don't even have to ask them for it anymore. It automatically gives me that, that I can run on my network. And if I click under example configs, it's going to tell me what I just need to cut and paste into the command line to bring up that tunnel. We have any questions so far? Okay. I'm sorry. Nobody. Okay. All right.

So we can do this to test everything. But eventually we're going to want to make it so we can auto-boot the system, have it come up with a tunnel and everything else automatically. So this is what we're going to modify on our firewall. We're going to add the IPv6 tunnel to our /etc/network/interfaces file. We're going to add the IPv6 routed network to our interfaces file on our inside interface. We're going to change our IPv6 routing setting in our sysctl or sysctl.conf file. We're going to install, if we don't already have it on, and configure the Quagga daemon for auto-configuration.
And I'm going to show you how to change the vtysh pager so you don't have to hit the space bar every time you go in to make configurations. So hopefully everybody here is familiar with this file. And what we're going to be doing, we've got our outside interface, or eth0. Here's our inside interface with our reserved IP address that we're running network address translation on right now. We're going to add IPv6 as an inet6 static address, and that's the one that we got from Tunnel Broker for our endpoint, or excuse me, for our network. I can try. Is that better? All right. Okay. We're having some fun now. Okay, so we're going to go ahead and add the IP address, or the IPv6 address, stack to our internal interface. This is going to be our router address for our internal IPv6 network. And we're going to just set the netmask to 64. And we're going to create a 6in4 tunnel adapter. And this is all. And by the way, I promise these slides will be up. Okay, so you'll be able to steal this. Excuse me. Use this. Patent pending. No. Anyway. Microsoft. There we go. Anyway. Getting back to where I was. This particular setup, I've also added the up command down here to set the default route to go out this tunnel. Okay. We have any questions so far? Yes, sir. Yes. That's correct. And that's a really good question. What size shirt do you wear? What size shirt do you wear? You wear a large? Give me a shirt. Here. All the way in the back. Keep going. There we go. All right. And the hand. Okay.

So now we're going to go into our /etc/sysctl.conf file. And we're going to go ahead and uncomment net.ipv6.conf.all.forwarding=1. Yeah. I know. Cool. All right. Once we've done that, if we haven't already installed Quagga, we can do an apt-get install quagga. That's all it takes. Okay. Once we've done that, we're going to touch the /etc/quagga/zebra.conf file. And we're going to change the ownership to the quagga user for that file.
And we're going to echo this export command for VTYSH_PAGER equals more, because everybody here probably runs less, right? Yeah, because I misspelled it. Thank you. Give the man a shirt. Then once we get this export in, and I'll fix it before I put them up, zebra, as in a zebra. Nice try, though, now. But keep thinking. A little bit of history. As a matter of fact, I'll give you a little bit of history real quick. Quagga used to be called Zebra. Okay. And I'm not really sure why the name got changed. Maybe Africa had patented the word zebra. I don't know. But anyway. All right. What we're going to do is we're just going to echo this into our /etc/bash.bashrc. And this changes the pager for the vtysh interface, which is kind of like a shell interface for Quagga, to more. So you don't have to, it doesn't have to end every time you type anything in. Okay, it'll actually act like a pager.

Then we're going to go in and we're going to edit, how many people here use vi? Oh, no, no, no. How many people use nano? Oh, use EDLIN. How many people remember EDLIN? I had a guy tell me one time that he wrote his senior thesis with EDLIN. I hired him on the spot. Anyway, fired him two days later. He was a liar. Anyway. All right. So we're going to edit this file. It's called /etc/quagga/daemons. And this is specific to Debian. Okay. We're going to change zebra=no, we're going to change it to yes. Okay. And also, you know, if you guys want to play with BGP, you guys want to play with OSPF, both IPv4, IPv6, and learn a little bit about routing protocols, this is a tool to do it with. Once we do that, we're going to reboot the machine. When we reboot the machine, we're going to log back in. And after we log in, we're going to type in the command vtysh. And it's going to give us a new command prompt. We're going to type config terminal. Does that look familiar to anybody here? Absolutely. It's just Control-P. Yeah, you could.
The reason that I have everybody reboot is so you log back in. So you get the export that we did for the, yeah, I mean, yes, you can do it without rebooting. I always get people that ask me that. Dude, it's a router. Get over it. What shirt size do you wear? Yeah, my shirt. But you like pink? Here, give it, give it. Okay, where was I?

Anyway, we're going to type in interface eth1. And we're going to turn off the suppression of the router advertisement on that interface. Okay, so by doing that, it's going to start saying, I'm a router. I'm a router. Come send me your packets, IPv6. And we're going to add our network discovery prefix. And this is the internal slash 64 that we got from Tunnel Broker. And we're going to exit and write and exit. I seem to remember a company using this interface, but I can't put my finger on it. Anyway, warning: you now have a fully functional IPv6 gateway and there is no firewall. All the devices on the network, when they go and get their address now, are wide open on the internet. So what do you think we should do now? Think we should do a firewall? You think? All right.

This is my simple, simple, simple IPv4 firewall. What's that? Can't see where you're looking. All right. What shirt size are you? Okay, so all I'm doing up here, guys, is I'm flushing the current rules, right? Because I'm going to reload the whole thing. I'm deleting any tables that I may have created along the lines. I just want to start with a clean slate. What I'm going to do here is I'm going to go ahead and accept anything that comes into the local loop adapter, because it's only going to get something from the local loop adapter. I am going to accept every ICMP packet that comes in on my network. Oh my God, it's a router, get over it. We use ICMP to communicate with other routers, whether we like it or not. We can do adjustments on what packets we accept. But at the end of the day, it needs to be available for people to run tests as well.
Okay. And you know what? If you really want to block it, be my guest. But I truly recommend you keep ICMP for your router open. Now, this is on my input chain. So this is only for my router. Now, but you are right. You can see I got this forward rule here. But we're also, we're a network management company. I do a lot of diagnostics. So the bottom line is this. If I tell somebody, hey, I need you to ping my desktop, and we do use real addresses on our desktops because we do a lot of kind of strange stuff, but I want them to be able to ping it. And in today's bandwidth, with today's gateways, and especially to run a Linux gateway, it's gonna be pretty hard for them to ping a desktop to death. Now, if you run a Windows server, I guess you should protect that. But you know, we don't run Windows on our network. So anyway, yeah, so my recommendation is run ICMP. We can argue about it all day, but I don't want to do that either.

Right here, I've got an interesting rule. I'm allowing protocol 41, which is the 6in4 tunnel from Tunnel Broker. So I want to set that inbound on my outside interface, which is eth0. And then of course, everything, I trust everything on the inside of my network. How many people trust everything on the inside going out of their network? Yeah, like I said, it's a really simple firewall. Okay, where I, you know, we could go through all sorts of stuff, but I want to make sure that you have something to go with it. Now, simple enough, I'm going to allow input of only established and related packets on my external interface, and I'm going to drop everything else. Here. Here's my POSTROUTING. I have a static IP. So I don't need to use MASQUERADE. I'm going to do an SNAT to my source on the outside for everything that goes out my eth0 interface. And now at the bottom, I'm going to forward everything that eth1, or my internal interface, wants to forward out to the Internet. Like I said, simple firewall. You guys can go chase your protocols later.
And I'm going to allow anything that's established and related back in. And I'm going to drop everything else. Any questions about this? Remembering I already explained the ICMP. All right, great.

So what are we going to add? Well, for IPv6, we're going to have to clear the same rules. Only difference: look at the table that's missing. We have no NAT table. Okay? Yeah. All right. You know what it is? It's got my finger over a little button there. What's that? Another typo? Right. Okay. All right. It is probably a typo. Oh my God. Yeah, manage, manage. All right. Who did it? Who said it? At what? What size shirt? Medium. Or we have large and extra large. You want large? All right. Okay. So yes, it's mingle. All right. Okay. Oh, for God's sake. Okay.

Now let's go ahead now and take a look at our loopback. We're going to do the same thing with IPv6. But we're going to specify each and every interface that runs IPv6. What interface is conspicuously missing here? No, don't look. You may find another typo. I'll just tell you. The interface that's conspicuously missing is eth0, because we aren't going to get any IPv6 traffic on eth0. We're only going to get it in our tunnel that exists on eth0. Okay. Now the reason that we do this for every single interface is, remember I told you about the link-local address and how you have to tell it what interface to go out on or it won't make a connection. Same thing holds standard for this. Okay. All right.

Now we have the IPv6 input rules. Here's the v4. On the v6, pretty much the same thing except I've added these two rules right here for two multicast packets. Okay. Two multicast ranges. The reason I'm doing that is those are router discovery multicast ranges. We need to accept those packets. Remember, we have no broadcasts. We only have multicast with IPv6. So it changes the model. I once told somebody that the worst thing about IPv6 is you think it's IPv4 with more address space.
Where it really is, it's another protocol that's a lot like IPv4, but if you make that assumption you'll end up hitting your toe with a hammer. All right. So, and we're going to also down here allow input that is related from our external, and everything else we're going to drop. And this is only for the input chain. Okay. Then we need to set up our forwarding rules, and this is what we actually had for forwarding on IPv4. And it's pretty much the exact same thing. Of course, the only difference is the interface. Oh, and gosh. Let's say I want to run some services. I had a web server or something. If I was running IPv4, I'd be doing PREROUTING commands to push it back on port 80 back to my local reserved address. And then I want to allow it back in from this standpoint. On IPv6, what do I got to do? I got to permit the ports in. That's it. Nothing more. No worries about network address translation. We're good. You it you are. Oh, on IPv4. I can do that. This is coming from an ISP that fights about giving static addresses to people. I'm sorry.

Anybody got questions? Yes, sir. From the router, yes. But let's say that we get a phone call from some pornographic magazine store saying that somebody on your network ordered four thousand dollars' worth of pornographic magazines. And you're a business and that's against the rules. You're probably going to want to know, at the time that order took place, who had that IP address. Does that answer your question? That's a good question. What shirt size are you? Yes. Can you say it a little bit louder so everybody could hear? Access control lists. Yes. Quagga supports pretty much all the commands that you're used to in Cisco for ACLs, routing, the whole nine yards. I could have put the default route in Quagga. Okay. If I wanted to. Did you have a question? I'm sorry. Any other questions? Yes, sir. IPv6 what? Well, it kind of did now, but, well, so with IPv6, and look, I come from an ISP background. So you can get your own address space.
All you got to do is pay ARIN, if it's that important to you. And I don't argue the point. Actually, I believe in the 3.6 current, I only read it at one place, I didn't read it anywhere else, but it's on the Internet, so it's got to be true. There is code that is being incorporated in the kernel to do one-to-one NAT. Which is along the same lines of transitioning the prefix. Okay. So there's no chance out there. Let's be honest, I hate NAT. Okay, but in the world we have NAT. And there's a lot of people that want NAT, and there's a lot of people that have concerns in what you do. And the industry drives, the consumer drives what the industry does. Right. So just yell real loud at your vendor. All right. All right.

So another question back there. Oh my god. Oh, and how are you? Yes, sir. No, and it doesn't. What shirt size do you wear? You're an extra large over there. Yeah. And all in, the shirt's going to cost you. You telling everybody what range they need to permit. But wait. I permitted the whole network. No slash. Yeah. I want the shirt. No. More questions. Yes, sir. Excellent question. Okay. Yes. It's all the same, with the exception that routers are allowed to advertise that they are a router. So you, like, well, no, because network time can be a broadcast as well. So no, it's a multicast conversation between the client and the router. And I get calls all the time when somebody has multiple routers the first time they set this up. They go, I've got five default routes. Well, yeah, you do. You know, and if one fails, guess what, it's going to fail over, boom, you're going to be on the other outbound. So from my standpoint, you know, I hate VRRP. I know this guy probably loves it. Does everybody here know what VRRP is? Virtual. Okay, basically it allows you to have multiple routers and a default route IP address that moves on the inside between the different routers based on whether it's talking on the outside or the system's up. So it's for redundancy. Virtual Redundant Routing Protocol.
I got that one right. Oh, okay. Virtual Router. Thank you. What's that? Oh, you already have a shirt. Oh, would you like a shirt, David? Hey, you see the guys in the back of the room that got the jerseys on? See them? These guys are SCALE volunteers. Okay. How many people know that? Exactly, exactly. This is a 100% volunteer-supported show. Everybody that you see walking around with a staff badge or a jersey, or that answers your question, is doing it for free. They're doing it for fun and they're doing it for open source. Any more questions? Yes, sir. Not a damn thing. Actually, it has, I believe, authenticated router advertisement. That's not incorporated into Quagga, although, what keeps them from popping any device up on your network? What keeps them from popping an ARP bomb up on your network? Hopefully you trust the people on your network. Yes, sir. I love Cisco. Yes, of course. Yes. Missing shirts. Oh my God. What's your shirt? Can I, what?
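The firewall the talk walks through (the protocol 41 rule on the IPv4 side, then the IPv6 input and forwarding rules with services simply permitted in, no NAT table) written out as a script. This is an added example, not the talk's slides or the speaker's configuration; the interface names eth0, he-ipv6 and eth1, the broker endpoint 192.0.2.1 and the 2001:db8: addresses are assumed placeholders, and restricting protocol 41 to the broker's endpoint is tighter than the bare accept the talk describes.

```shell
#!/bin/sh
# Added example (not from the talk): a dual-stack Linux router firewall in the
# shape the talk describes. Assumed names: eth0 = outside (IPv4 only),
# he-ipv6 = 6in4 tunnel from the broker, eth1 = inside LAN with the routed /64.
# 192.0.2.1 and 2001:db8:... are documentation ranges standing in for real values.
EXT4="${EXT4:-eth0}"            # outside interface: sees IPv4 and protocol 41 only
TUN6="${TUN6:-he-ipv6}"         # 6in4 tunnel: the interface IPv6 actually arrives on
INT="${INT:-eth1}"              # inside interface that advertises the /64
BROKER4="${BROKER4:-192.0.2.1}" # tunnel broker's IPv4 endpoint (placeholder)
# Services reachable from outside as host/port pairs (constructed sample values).
# With IPv6 there is no DNAT: the rule just permits the port to the real address.
SERVICES="${SERVICES:-2001:db8:1234:5678::80/80 2001:db8:1234:5678::25/25}"
DRY_RUN="${DRY_RUN:-1}"         # 1 = print the rules for review, 0 = apply (root)

# run: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# IPv4 side: the one extra rule the tunnel needs on the outside interface.
ipv4_tunnel_rules() {
  run iptables -A INPUT -i "$EXT4" -p 41 -s "$BROKER4" -j ACCEPT
}

# IPv6 side. No nat table, so there is no POSTROUTING/PREROUTING to mirror.
ipv6_rules() {
  # clean slate: flush rules, delete user chains, zero counters
  run ip6tables -F
  run ip6tables -X
  run ip6tables -Z
  # loopback first; eth0 is deliberately absent because no IPv6 ever arrives there
  run ip6tables -A INPUT -i lo -j ACCEPT
  # ICMPv6 stays open: neighbour/router discovery and path MTU (1280 minimum) need it
  run ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
  # router discovery is multicast (all-nodes, all-routers); IPv6 has no broadcast
  run ip6tables -A INPUT -i "$INT" -d ff02::1 -j ACCEPT
  run ip6tables -A INPUT -i "$INT" -d ff02::2 -j ACCEPT
  # the inside is trusted; the tunnel only gets replies to what we started
  run ip6tables -A INPUT -i "$INT" -j ACCEPT
  run ip6tables -A INPUT -i "$TUN6" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run ip6tables -A INPUT -j DROP
  # forwarding: inside out freely, back in only when related or explicitly permitted
  run ip6tables -A FORWARD -i "$INT" -o "$TUN6" -j ACCEPT
  run ip6tables -A FORWARD -i "$TUN6" -o "$INT" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
  for svc in $SERVICES; do
    host="${svc%/*}"
    port="${svc##*/}"
    run ip6tables -A FORWARD -i "$TUN6" -o "$INT" -p tcp -d "$host" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
  done
  run ip6tables -A FORWARD -j DROP
}

# count_rules CHAIN: how many rules the chain gets; useful when reviewing a dry run.
count_rules() {
  (DRY_RUN=1; ipv6_rules) | grep -c -- "-A $1 "
}

ipv4_tunnel_rules
ipv6_rules
```

Run as-is to print the ruleset for review; `DRY_RUN=0` as root applies it.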