-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnins.html
410 lines (395 loc) · 12.5 KB
/
nins.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
<!DOCTYPE html> <!-- HTML 5 -->
<html lang="en">
<head>
<title>IPv6 Utility for the Name Service</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<meta name="keywords" content="IPv6, DDNS">
<style type="text/css">
body {
font-family: helvetica, sans-serif;
font-size: 0.9em;
}
#wrapper {
width: 47em;
margin: auto;
}
.decimal {
list-style-type:decimal;
}
pre {
background-color: #ffffcc;
overflow: auto;
}
</style>
</head>
<body>
<div id="wrapper">
<h1>Ninsd an utility for DDNS with IPv6</h1>
<h2>Client IP Adress assignement and routing</h2>
<h3>IPv6 radvd/dhcpd v6</h3>
<p>
In order to provide routing information to the system within
the LAN, the daemon <strong>radvd</strong> must be launched.
With <strong>radvd</strong> the connected system can auto configure themselves
(stateless mode) and a valid IPv6 Address based on the
Mac Address of the interface or a temporary address which
help to provide anonymity is generated.
</p>
<p>
The IPv6 Address can also be assigned by the <strong>dhcpd</strong> server.
The routing informations are always to be provided by the
router advertisement, the dhcp-v6 implememtation has some deficiencies.
</p>
<h2>Name resolution</h2>
<p>
If we have two system within the LAN (alice and bob)
which offer different services we must use a name server
which know the systems and therefore we need fixed addresses
and an entry within the name service configuration.
</p>
<h3>The DHCPv6 server</h3>
<p>
The DHCPv6 server don't presently allow to update the
name server with the information about the attached systems.
We will not be able, for example, to display a web page
offered by alice by typing the URL http://alice.example.com
on the bob system. We must enter a complicated IPv6 address
in order to do this.<br>
Further more passing routing informations don't work well
at this time. This implies that for now the router advertisement
daemon must be launched.
</p>
<h3>The avahi discovery system</h3>
<p>
On linux based system the avahi components allows to publish
informations about the different services offered by the
system. Avahi provide also a multicast DNS service which
should allows to address the different systems on the LAN
with there name e.g. alice.local or bob.local.
</p>
<p>
Some aspect of the specification for these services are
not very good and the adresses returned by the resolver
library mdns are not OK or not available. Due to this
avahi don't solve the DNS problem.
</p>
<h2>An icmp-v6 based approach</h2>
<p>
The system on the LAN communicate always via the Internet
Control Message Protocol v6 in order to exchange information
as, for example, the routing information send by radvd.
</p>
<p>
The icmp-v6 protocol know a node information extention
(ninfo) which can be used in order to get the name or
the IPv6 addresses od the systems within the lan.
Unfortunately this is not implemented within the Linux
kernel.
</p>
<h3>The ninfod daemon</h3>
<p>
The requirements stated within rfc 4620 are fullfilled
by the daemon ninfod. The only binary which allows
to send Node Informations request is ping6 (I have
not discovered programs which handle these information).
</p>
<p>
If we install the ninfod server on all systems we will
be able to get all wanted information with the ping6 utility,
but this is not a very way.
</p>
<p>
The solution is therefore to use a dedicated server which
listen for icmp-v6 message and if some messages are
detected to query the wanted information.
</p>
<h3>ninsd</h3>
<p>
Ninsd (None Information Name Server Daemon) is such a daemon which
listen on the router advertisement messages and if a new
system is recognised, look for the IPv6 adress and name of
the systems.
</p>
<p>
Two approach are primary possible:
<ol class="decimal">
<li>
<p>ninsd is installed on all systems and act as helper
for the DNS resolver.
</p>
</li>
<li><p>ninsd is installed on the server and provide a normal
name server as bind with the name and address of the
newly detected systems.
</p>
</li>
</ol>
</p>
<p>
The second approach what choosed, this implies that the
name server and ninsd are running on the same machine. The
server address is "::1" so that we will not have troubles
if an update come from global addresses. In order to
work ninsd require that the router advertisement daemon
radvd work also if the adress assignement is done by dhcp.
If you have a subrouter you will also be able to update
the name server.
</p>
<h3>NetworkManager and /etc/resolv.conf</h3>
<p>
The NetworkManager (at least on the Ubuntu 11.04 used for
tests) don't update the file resolv.conf if the network
what plugged out and the in. Due to this the file resolv.conf
don't contain valid informations.
</p>
<h3>Rdnssd</h3>
<p>
The actual version of rdnssd don't taken into account the
domain search list which can be provided by <strong>radvd</strong>.
</p>
<h3>Radvc</h3>
<p>
The <strong>radvc</strong> daemon what created in order to remedy to this.
In case the connection is lost, the kernel will send some
messages to the radvd daemon which will send an router
advertissement message. This message contain enough informations
in order to build the file /etc/resolv.conf.
</p>
<p>
Please note that <strong>rdnssd</strong> will be able to update
the domain search list for in the future (at this time we have
the version 1.0.2) and therefore will obsolete <strong>radvc</strong>.
</p>
<h2>Features</h2>
<p>
Ninsd make some assumptions which will not be a problem within
a normal home environment but may cause problems in corporate
deployement.
<ul>
<li>
The domain for DDNS must be the first domain stated into
the radvd search list
</li>
<li>
Multiple global IPv6 adresses are not supported.
</li>
<li>
The name of the clients shall be unique within the network
but if there a are not unique the DNS name will be
append by -[a-z].
</li>
</ul>
</p>
<p>
For the use within your small office or at home you will benefit
from:
<ul>
<li>Support for name server which support some kind of update.</li>
<li>Support for DNS64/NAT64 with tayga.</li>
<li>Access from IPv6/IPv4 to IPv4/IPv6 devices, if tayga
is installed.</li>
</ul>
<ul>
<li>Clients don't need special configuration, only 2 little
utilities are to be installed.
</li>
</ul>
</p>
<h2>Network example</h2>
<div style="width:28em;margin:auto;">
<img src="nins.png" alt="Network example" title="Network example" style="width:100%;">
</div>
<p>
The CPE provide Router adverstisement, the DHCP (IPv4) server is disabled.
The DHCPv6 Server may work, the priority is to be set to a level less as
the priority for the DHCPv6 Server on our own DNS system. I recommand to
use dnsmasq.
</p>
<p>
The PC with subnet act as router and use a dhcp forwarder (from the
same author as dnsmasq. The client for the PC with subnet will get
there IPv6 Adress via SLAAC or DHCPv6 according to the configuration
of dnsmasq, the local radvd process and the ability of the client.
</p>
<p>
IPv4 Systeme within the subnet get the IPv4 Adresse via DHCP from the
main DNS/DHCP server and possibly also there IPv6 Address.
</p>
<p>
The ninsd daemon on the subnet server send the update data via
a script which use nc, ncat or netcat. The ninsd saemon on the
dns sever get these informations and update the name server.
</p>
<h2>Configuration for our example network: Name server</h2>
<p>
The name server is a rasperrypi which has a low power
consumption and enough has enough performance for our
tasks.
</p>
<h3>/etc/hosts</h3>
<pre>
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# our adds
192.168.178.2 ns.my-home-is-my.castel ns
2001:DB8:CAFE:1::2 ns.my-home-is-my.castel ns
192.168.178.3 sub.my-home-is-my.castel sub
2001:DB8:CAFE:1::3 sub.my-home-is-my.castel sub
</pre>
<p>
The lines below "# our adds" are for the ip addresses for
the nameserver (ns) itself and for the PC which act as
router for our subnet.
</p>
<h3>/etc/dnsmasq.conf</h3>
<pre>
listen-address=192.168.178.2
listen-address=2001:DB8:CAFE:1::2
server=192.168.178.1
expand-hosts
no-resolv
dhcp-authoritative
domain=my-home-is-my.castel
dhcp-range=192.168.178.20,192.168.178.200,1h
dhcp-range=set:teen,10.1.1.10,10.1.1.254,proxy,255.255.255.0,10.1.1.255,1h
dhcp-range=2001:DB8:CAFE:1::A,2001:DB8:CAFE:1::ff,1h
dhcp-leasefile=/var/run/dnsmasq/dnsmasq.lease
pid-file=/var/run/dnsmasq/dnsmasq.pid
addn-hosts=/var/run/dnsmasq/hosts
dhcp-option=option:router,192.168.178.1
dhcp-option=tag:teen,option:router,10.1.1.1
</pre>
<h3>/etc/default/ninsd</h3>
<pre>
NINSD_OPTIONS='-i eth0 -s /usr/sbin/update_dnsmasq.sh -P 530'
</pre>
<h3>/usr/sbin/update_dnsmasq.sh</h3>
<pre>
#!/bin/sh
update_hosts -f /var/run/dnsmasq/hosts
pkill -SIGHUP dnsmasq
</pre>
<h3>Configuration for the "subnet" PC</h3>
<p>
The System for our subnet has static addresses but the
subnet is created by calculating all addresse within
a script which provide configurations file and start
the required processes.
</p>
<pre>
#!/bin/sh
ExtIf=wlan0
IF=eth0
Domain=my-home-is-my.castel
IPv4=10.1.1.1
IPv4Ro=10.1.1
if [ $# -eq 2 ]
then
IF=$1
shift;
fi
# Get IPv4 address on the external if
ExtIp=`ip a s dev $ExtIf | sed -n 's/.*inet \(.*\)\/.*/\1/p'`
start()
{
# Get IPv6 subnet
dibbler-client start
sleep 1
IPv6Ro=`sed -n 's/.*<prefix.*>\(.*\)<\/prefix>/\1/p' /var/lib/dibbler/client-CfgMgr.xml`
IPv6=${IPv6Ro}1
IPv6NS=`echo $IPv6Ro | awk -F':' '{ printf "%s:%s:%s:1::2", $1, $2, $3 }'`
# Get IPv4 address on the external if
ExtIp=`ip a s dev $ExtIf | sed -n 's/.*inet \(.*\)\/.*/\1/p'`
sysctl net.ipv4.conf.all.forwarding=1
sysctl net.ipv6.conf.all.forwarding=1
sysctl net.ipv6.conf.all.proxy_ndp=1
sysctl net.ipv6.conf.default.forwarding=1
sysctl net.ipv6.conf.default.proxy_ndp=1
sysctl net.ipv6.conf.wlan0.forwarding=1
sysctl net.ipv6.conf.wlan0.proxy_ndp=1
ip a a $IPv4/24 dev $IF
ip a a $IPv6/64 dev p4p1
ip r a $IPv6Ro/64 via $IPv6 dev p4p1
iptables -t nat -A POSTROUTING -s $IPv4Ro/24 -o $ExtIf -j SNAT --to $ExtIp
cat > /tmp/radvd-$IF.conf <<!
interface $IF {
IgnoreIfMissing on;
AdvSendAdvert on;
AdvManagedFlag on;
AdvOtherConfigFlag on;
#MinRtrAdvInterval 30;
#MaxRtrAdvInterval 60;
prefix $IPv6Ro/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
# Recursive DNS server
RDNSS $IPv6NS { };
# DNS Search List
DNSSL $Domain { };
};
!
chmod 640 /tmp/radvd-$IF.conf
chown root:radvd /tmp/radvd-$IF.conf
nsIP=`echo ExtIp | awk -F'.' '{ printf "%s.%s.%s.2",$1,$2,$3 }'`
radvd -C /tmp/radvd-$IF.conf -u radvd -p /tmp/radvd-$IF.pid
dhcp-helper -s $nsIP -i p4p1 -b wlan0 -e wlan0 -r /tmp/dhcp-helper-p4p1.pid
ninsd -i $IF -p /tmp/ninsd-$IF.pid \
-s /usr/local/bin/dnsmasqupdc.sh -T 255 -D net.fritz.box -P 530
npd6
}
stop_process() {
for p in radvd dhcp-helper ninsd
do
kill `cat /tmp/$p-$IF.pid`
rm -f /tmp/$p-$IF.pid
done
pkill npd6
pkill dibbler-client
}
stop()
{
stop_process $IF
IPv6Ro=`sed -n 's/.*<prefix.*>\(.*\)<\/prefix>/\1/p' /var/lib/dibbler/client-CfgMgr.xml`
IPv6=${IPv6Ro}1
ip r d $IPv6Ro/64 via $IPv6 dev $IF
ip a d $IPv6/64 dev $IF
iptables -t nat -D POSTROUTING -s $IPv4Ro/24 -o $ExtIf -j SNAT --to $ExtIp
ip a d $IPv4/24 dev $IF
}
case $1 in
start) start;;
stop) stop;;
esac
</pre>
<p>
My CPE allow subnet only if there are delegated via the build-in
DHCPv6 server. In order to get the subnet we use dibbler-client which
work better as the standard dhcp client but don't allow to declare
a configurations file.
</p>
<p>
All IP Adresses are calculated from the script.
</p>
<h2>/etc/dibbler/client.conf</h2>
<pre>
log-mode short
log-level 8
downlink-prefix-ifaces eth0
strict-rfc-no-routing
iface wlan0 {
pd
}
</pre>
<p>
Dibbler don't allow to define alternate configurations file
so the data are eventually to be adapted to your needs,
</p>
</div>
</body>