IPv6 rebooted – IPv6 SAGE Certification Project (part1)

13 03 2012

IPv6 Certification Badge for blackundertone

Well – its official – I am an IPv6 consumer. I have a public facing IPv6 web & smtp server – and I have passed the requirements of the Hurricane Electric (he.net) IPv6 certification program to the SAGE level – http://ipv6.he.net/certification/

I already had IPv6 through Freenet6 – as I detailed in my previous IPv6 post here so I began the IPv6 certification program, and ran through the first few basic levels.

  • I can reach the site with IPv6- Check
  • he.net can reach my IPv6 website – Check
  • he.net can send me email (had to stand up postfix for this one) – Check

This got me to the Administrator level – anyone with IPv6 connectivity can easily get here – simply have a reachable IPv6 website & mail server.

This is where the fun came in. To get to the next level (Professional) – I needed a working reverse DNS entry for my mailserver. Now while this sounds simple – freenet6 doesnt appear to provide an easy way to configure reverse DNS entries for the IPv6 range they provide you – bummer.

My Astaro box provides built in support for several tunnel brokers gogo6 Freenet6, Hurricane Electric & SixXS

I had exhausted my energy trying to setup reverse DNS with Freenet6, so off to Hurricane Electric I went – seemed a logical choice considering I was doing their certification anyway. Signup was simple & within minutes I had a new IPv6 allocation. They initially allocate a single /64 – but once you have enabled your connection – you can request a /48 – which of course I did.

So – now that I have a new allocation, here is how I configured it on my network.

In Astro: Interfaces & Routing -> IPv6 (Click Enable) then from the Tunnel Broker tab, simply enter your tunnelbroker.net username & password.

Minutes later, the /64 range on your tunnelbroker.net account page should appear in the global tab.

A couple of tests later & I confirmed I could ping IPv6 addresses from my Astaro box (example here using the ns2.he.net nameserver address)

I decided to use the inital /64 I was allocated as the range for my Internal hosts, and then break up the /48 into subnets for other zones.

By far the easiest way to use IPv6 is let the “Stateless Auto Configuration” work its magic. It doesnt require DHCP, allows hosts to automatically find the router & get an address – pretty much works as it says on the box.

Simply add an IPv6 address to the FW interface you want to run IPv6 on, then advertise the subnet out.

Suddenly your internal hosts will be getting IPv6 addresses & will be EXTERNALLY REACHABLE <— This is important. Make sure you setup your firewall rules, host protection etc etc. I will not cover this step, but you need to ensure you understand that as soon as your box has an IPv6 address – it is publically routable from the outside world.

Repeat the addition of an IPv6 address (from another /64 subnet – broken up out of your /48 you requested from tunnelbroker.net) to the DMZ interface(s). I am not enabling the “Stateless Auto Configuration” on my DMZ segments, I am just manually assigning addresses to the couple of boxes in there.

Right – that covers the move to Hurricane Electric & how to re-address the internal & DMZ segments.

Next steps are re-addressing my public web & smtp server, updating the DNS forward & reverse zone entries – and what is needed to complete the rest of the certification.

Advertisements




IPv6 Adventures – Part 1

31 01 2012

So – I decided it was finally time to finish implementing & document my IPv6 config – mainly so I remember how I did it, but also to help others on their IPv6 journey to the interwebs

High Level:

– Get a IPv6 subnet (duh) – This will depend on your scenario, several ISP’s offer native IPv6 (Internode) – mine does not (Telstra Bigpond).
– Configure a router / firewall / host with IPv6 address from your subnet
– Configure an IPv6 DNS address on that device to resolve AAAA records
– Bask in the IPv6ness of the interwebs – it looks eerily like the IPv4ness of the interwebs.

My Journey:

– I was already running the awesome Astaro for my border FW & home – which has great IPv6 support built in.
– I signed up for a subnet with Freenet6 / gogonet – http://gogonet.gogo6.com/page/freenet6-ipv6-services

*STOP HERE*

Ok, before we move on with turning the IPv6 up – you need to plan out a couple of things.

– Your IPv6 address is PUBLIC – it is reachable from the outside world, consider the consequences & firewall appropriately, also turn off NAT for IPv6 if your FW supports it – it will be a PITA when testing with your web browser & getting a different IPv6 address than you expect.

– IPv6 Subnetting – depending on the provider, you will be allocated something like a /56 subnet (4722366482869645213696 host IP’s — SERIOUSLY)

I broke my /56 up into /64 subnets for each zone (INSIDE / DMZ1 / DMZ2 / DARKNET) – still giving me 256 subnets containing 18446744073709551616 host addresses each …. I dont think im going to run out of addresses any time soon.

I could have broken em up into /96 subnets, giving me 1099511627776 subnets with 4294967296 (4 billion) hosts in each …. but really, when we are talking numbers like this, its just academic – use whatever fits your network design. I figured that im not going to ever need 256 subnets or more, so I just broke it up there, and /64 is a nice subnet mask boundry.

So what does this actually look like ?

2406:A000:F006:A400::/56 – My allocated IPv6 subnet from my tunnel broker

You can get some good info about your subnet using tools like http://www.gestioip.net/cgi-bin/subnet_calculator.cgi

IP address: 2406:a000:f006:a400:0000:0000:0000:0000
type: GLOBAL-UNICASTnetwork2406:a000:f006:a400::
Prefix length: 56
Prefix address: ffff:ffff:ffff:ff00:0000:0000:0000:0000
address range start: 2406:a000:f006:a400:0000:0000:0000:0000
address range end: 2406:a000:f006:a4ff:ffff:ffff:ffff:ffff
total IP addresses: 4722366482869645213696

As I mentioned above, I carved out 4x /64 subnets from this.

You can do in offline, but I cheated & used this IPv6 subnet calc – http://www.subnetonline.com/pages/subnet-calculators/ipv6-subnet-calculator.php

Here we go – nice & neat /64 subnets – im using 4 from the possible 256.

2406:a000:f006:a400::/64
2406:a000:f006:a401::/64
2406:a000:f006:a402::/64
2406:a000:f006:a403::/64

ffff:ffff:ffff:ffff:0000:0000:0000:0000 – /64 Mask

Now that we have our subnets planned out, we can continue on to implementation

Next Time ….





When SIEM goes bad …

5 09 2011

Thats not an entirely true heading – it really was my fault …

A reminder to ensure you correctly scope your nmap / vuln scanning before you kick it off. I kicked off a network / vulnerability scan from OSSIM on my internal network – with a “slightly larger than I should have” scope and DOS’d myself ….. DOH !