Zanchey's questions

We have a medium sized network with IPv4 and IPv6 across it, and our upstream provider is making IPv6 go away for two weeks while they do... something. (It's "experimental" and we don't pay for it, but it's been stable for years so we turned it on across the board.)

We have 150ish hosts on our network of at least a dozen different operating systems, plus a wireless network for people's phones and laptops, so disabling IPv6 on all our devices is a non-starter.

I would like to avoid too much of the classical broken IPv6 behaviour with long timeouts before failover to IPv4, and I am wondering what the best way of doing that is.

• Should I block outgoing IPv6 packets at the border and return an unreachable message, or will that cause hosts to be marked unreachable without falling back to IPv4?
• Is disabling AAAA resolution through our BIND nameserver feasible (and if so, how), and if so, is it sensible?
• Alternatively, will turning off RADVD do the job? We do use static configuration on some of our servers, but there's few enough of those to do them by hand.

I have a Solaris machine sitting out in the ether somewhere that I would like to make part of my network via IPsec. I have this working between Solaris machines but not between Solaris and Linux.

I think the basic problem is that Solaris only does IPsec tunnel mode in the same ways as Cisco IPsec Virtual Tunnel Interfaces - i.e. an IP-in-IP tunnel secured by IPsec. I don't really know how to replicate this on Linux. I do want the tunnel to have an IP address, because the remote host isn't routing a local network - just itself.

Solaris

The Solaris config looks like this:

# ipsecinit.conf
{tunnel ip.tun0 negotiate tunnel}
  ipsec {encr_algs AES-CBC encr_auth_algs HMAC-SHA1 auth_algs HMAC-SHA1 sa shared}
# hsotname.ip.tun0
130.95.13.254 130.95.13.253 tsrc 192.168.13.20 tdst 130.95.13.20 router up
# ike.config
{ label "manduba192-musundo"
  local_addr 192.168.13.20
  remote_addr 130.95.13.20
  p1_xform
   { auth_method preshared oakley_group 5 auth_alg sha1 encr_alg aes }
  p2_pfs 5
}

This produces SAs that look like this:

SA: flags=0xc0038000 < X_USED X_PAIRED X_OUTBOUND X_UNIQUE X_TUNNEL >
SRC: Source address (proto=4/ipip)
SRC: AF_INET: port 0, 192.168.13.20 (manduba192.ucc.gu.uwa.edu.au).
DST: Destination address (proto=4/ipip)
DST: AF_INET: port 0, 130.95.13.20 (musundo.ucc.gu.uwa.edu.au).
INS: Inner source address (proto=0/<unspecified>)
INS: AF_INET: port 0, 0.0.0.0 <unspecified>.
IND: Inner destination address (proto=0/<unspecified>)
IND: AF_INET: port 0, 0.0.0.0 <unspecified>.
KMC: Protocol 1, cookie="manduba192-musundo" (3)

Linux

I don't really know how to replicate this in Linux. I've tried this:

spdadd 0.0.0.0/0 0.0.0.0/0 any -P out ipsec
    esp/tunnel/130.95.13.126-192.168.13.20/use
    ah/tunnel/130.95.13.126-192.168.13.20/use;

spdadd 0.0.0.0/0 0.0.0.0/0 any -P in ipsec
    esp/tunnel/192.168.13.20-130.95.13.126/use
    ah/tunnel/192.168.13.20-130.95.13.126/use;

which I can then presumably put an IPIP tunnel over the top of? But the IKE negotiation fails due to SPD mismatch.

Any ideas?

My organisation currently has two active IPv6 ranges available to it, and we're cutting over from one to the other. I would like to have them both working at once, but it appears that Linux does not support policy routing for IPv6. Our Linux-based router is running 2.6.26-2-686 on Debian Lenny.

Here's what I would like to do:

# ip -6 rule add from 2001:388:7094:4080::/58 lookup oldv6 (policy route the old v6 range using table oldv6)

# ip -6 route add throw 2001:388:7094:4080::/58 table oldv6 (throw back to the main routing table for local routing)

# ip -6 route add default via 2001:388:7094:1::1 dev eth1 (otherwise use the 'old' default router)

However, the second line doesn't work: RTNETLINK answers: No such device

Having read through the available documentation, it appears that Linux doesn't support real policy routing for IPv6 ([2] - see section 9.2, [3]), and only fakes it when you add tables. Of course, being Linux, these documents haven't been updated for more than five years, and so I'm wondering if anyone has any brilliant insights - is there a parameter or documentation I've missed? There's a 2007 thread suggesting it doesn't work but I would be keen to hear otherwise.

We have a router running Debian Lenny that has been happily routing IPv6 for several months. Our upstream has advised that our address range is changing, and both are currently operational, so I thought I'd add the second address for testing.

ip -6 addr add 2405:3c00:1:13::2/64 dev eth1

# ping6 2405:3c00:1:13:: (our upstream router)
64 bytes from 2405:3c00:1:13::2: icmp_seq=1 ttl=64 time=0.089 ms

What?

# ip -6 route get 2405:3c00:1:13::
local 2405:3c00:1:13:: from :: via :: dev lo  table local  proto none  src 2405:3c00:1:13::2  metric 0  mtu 16436 advmss 16376 hoplimit 4294967295
# route -6 | grep 2405
2405:3c00:1:13::/64        ::                    U    256 0     1 eth1
2405:3c00:1:13::/128       ::                    Un   0   1     0 lo
2405:3c00:1:13::2/128      ::                    Un   0   1     0 lo

I am curious how the ...13::/128 route arrived. It appears about two seconds after I add the address to the interface. radvd(8) is not enabled on the interface, unsetting accept_ra and autoconf makes no difference.

Is there any easy way to keep an eye on which process is modifying the routing table? Does anyone have any brilliant ideas about what the culprit might be?