Alex Broque

Author Archives: Alex Broque

Exporting NetFlow from Linux to a collector over IPv6

There is another project out there in the ether that I have a hand in providing input for. One of the features that I felt was necessary for it is exporting NetFlow information from traffic the Linux machine handled, to a collector. This is dual-stack traffic, but I have the collector listening on IPv6.

Firstly, I needed something that would gather and export the data, so I found softflowd. My ubuntu server had it in the repo, so a quick apt install got it onto the machine easily enough. You need to edit /etc/default/softflowd and set what interface(s) you want it capturing & generating flow data from, and what options to feed to the daemon, like what server:port to export that data to:

INTERFACE="eth#"
OPTIONS="-v 9 -n [x:x:x:x::x]:9995"

Fill in the correct interface name you want to gather data from. The -v 9 option tells it to use Netflow v9, which has IPv6 support The -n option is used for specifying the collector machine’s IP and port, and fill in for the correct IPv6 address of that collector. Above is the format for specifying an IPv6 host running a collector, like nfcapd. Then you can fire up the softflowd daemon, Continue reading

IPv6 in my streaming media? More likely than you think!

Not that I go out of my way to endorse one project/product over another, there is one that I have recently fallen in love with for streaming my media. Especially when it can use IPv6! So I needed a cross-platform solution for my streaming media needs. I was originally using XBMC, but only had it tied into the TV. I use several other computers and devices, in other locations outside of the house. So I read up on Plex. Got it installed with little to no effort, and could readily access my content where ever I was. I even tested this on my last trip to London, UK and was able to get a decent 1.2mbit/s stream from my house. Only issue was that it wasn’t using IPv6 in the app or accessing via plex.tv (server on that site only comes up with an IPv4 address).

So poking around I discovered 2 things: 1) I could access the Plex server directly at the IP/hostname of the server, and 2) there was a checkbox to enable IPv6!!

plex-ipv6

Simply browse to your Plex server, click on the settings icon (screwdriver + wrench), select Server, click on Networking and then “Show Continue reading

“Fun” with RFC4620 Section 6.4 and discovering IPv4 information over IPv6

As part of a request at work to figure out IPv4 addresses of devices on a network where broadcast pings don’t work, and no administrative access to the switches/routers, I took a look at solving this with IPv6. We know that you can ping6 the all-nodes multicast address, and get DUP! replies from IPv6 enabled hosts on that LAN segment. These will typically be link-local addresses, from which you can determine a MAC address. How to resolve that MAC address on a client host and not the router/switch, I was thinking reverse ARP or something, but support for that wasn’t present in my Ubuntu 13.10 kernel on the main machine I was working with. I started looking around for other options using IPv6 and found RFC4620, Section 6.4.

The gist of it is that you send an ICMPv6 Type 139 packet to an IPv6 address, asking if it has any IPv4 addresses configured either on that interface the target address is on, or any interfaces on the machine itself. And this is why this is disabled by default on hosts, and *IF* you insist on filtering ICMP6 Types, definitely make certain this is one of them. It works Continue reading

A brief departure from talking IPv6

There is a lot of news surrounding Net Neutrality, and potential repercussions of decisions made by courts, and some players out there that want to grab as much cash as they can, and claim it is in the best interest of their customers.

Netflix is just an example people love citing because it is bandwidth intensive, yet is not the entire story itself. Take a moment and understand how the Internet is pieced together. The Internet is a mass of interconnections between networks. These interconnections happen basically 1 of 3 ways:

transit: network A pays network B to reach every other network that isn’t A or B. Good networks usually get multiple transits for failover, and/or alternate paths to those other networks. You can buy multiple ports for bonding to increase capacity, etc. Average transit price without a Service Level Agreement (SLA, guaranteed connectivity or you can yell at us a lot and we credit you) is around $1-2/mbit, and with a SLA can hit upwards of $10/mbit. These are current avg. prices when buying 10G at a time of connectivity/capacity right now.

peering (settlement free, or “free”): Network A spends a bunch of money to get into popular Continue reading

T-Mobile IPv6 in the US

Swapped from AT&T to T-Mobile in order to take advantage of their 4G/LTE IPv6 network. Since I dogfood IPv6 every chance I get, and the cost to swap saved me a whopping $0.50, I moved forward with it. I find that if I set their EPC.TMOBILE.COM APN to IPv4/IPv6, I don’t really see much in the way of dual-stack actually working on the phone. So I set it from the default IPv4 to just IPv6, and that got it working with native IPv6 and using CLAT+NAT64/DNS64 for IPv4 sites. Screenshot from my Galaxy Nexus running 4.3:

Screenshot_2013-10-11-15-51-06

IPv6 with A10 Load Balancers

So I got to do some honest IPv6 related work at the job the last 2 weeks. One task was to verify we had IPv6 working on the load balancers to hosts behind it. I was a bit wary of the state of IPv6 security on these A10 LBs, so I opted to keep the globally routed IPv6 space on the LB’s uplink interface, and the VIPs. And behind the scenes, use ULA.

Step 1: I generated a /48 of ULA for the location, and assigned a /64 for use on the VLAN that the inside interface of the LB sits on with the servers themselves.

Step 2: Configure ::1/64 on the LB inside vlan interface, and ::2/64 on a server, and verified that they could reach each other.

Step 3: I installed lighttpd on the server and configured it to listen on the ULA address.

Step 4: From my ARIN allocation, I have a /64 reserved for configuring /126s on device links to the router, so I configured it on the LB’s dedicated interface on the router. Using ::1/126 on the router; ::2/126 on the LB’s interface; ::3/126 as the VIP.

Step 5: Create on the LB an “IPv6 Continue reading

My first received spam delivered over IPv6!

Not certain how much this actually counts as “Spam over IPV6″ though. It was only the last bit of delivery to my account where IPv6 was involved. It still originated from IPv4.

 
Received from relay-6.dlfw.twtelecom.net ([2001:4870:6082:1::72]) by he.net for ; Tue, 13 Nov 2012 11:57:38 -0800

Received from localhost (unknown [127.0.0.1]) by relay-6.dlfw.twtelecom.net (Postfix) with ESMTP id 223346021E; Tue, 13 Nov 2012 12:47:42 -0700 (MST)

Received from relay-6.dlfw.twtelecom.net ([127.0.0.1]) by localhost (relay-6.dlfw.twtelecom.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TMxIEAmBj2TU; Tue, 13 Nov 2012 12:47:42 -0700 (MST)

Received from aol.com (unknown [209.234.184.51]) by relay-6.dlfw.twtelecom.net (Postfix) with SMTP id D73BD60094; Tue, 13 Nov 2012 12:47:32 -0700 (MST)

IPv6 and flows (using nfsen)

This will be about already having nfsen/nfdump configured, and are looking to just make a flow profile to graph IPv6 traffic from your routers. If you are looking to get nfsen iniitially configured, definitely follow their instructions on their site.

Say you have an sFlow capable router like…picking one totally not at random…..a Brocade XMR or MLX(e), and you want some basic flow data, especially IPv6. Depending on how many routers you are going to collect flow data from, will determine how beefy of a machine you will need. I know that at $lastjob, it was a hefty CPU (and definitely more than 1), tons of RAM, and hardware RAID. Right now, I’m using dual quad-core Xeon, tons of RAM and a small hardware RAID, but this machine serves many purposes. Right now I’m also only polling 4 MLX routers.

Go ahead and access your nfsen website, and on the Profiles pulldown, select “New Profile …”. In the creation dialog, give the profile whatever title you like; I went with the generic title of “IPv6″. If you want to add it to a group or make one for it, do as you please. I left that alone so I’d Continue reading

Today is World IPv6 Launch Day!

After the success of last year’s World IPv6 Day, where success was measured with little to no problems reported, World IPv6 Launch Day has arrived! For a while major players like Google and Facebook had been white-listing their AAAA records to specific ISP recursive nameservers. This meant you had to query one of those in order to see IPv6 entries for their websites. Now that white-listing has been removed and all properly operating recursive nameservers will now serve up these records. They aren’t the only companies participating of course! Take a look at this list to see whom else signed up to promote their enabling of IPv6. Want some stats, take a look at the following:

But what does this mean to the non-techies out there? It is meant to be a passive change. You shouldn’t notice much in the way of interruptions. Perhaps your ISP will have a shorter route to a destination over IPv6, and you might get what you are trying to access a tiny bit quicker. If you like video/chat applications, this will soon mean that you’ll be Continue reading