From: Dave Taht
To: cerowrt-devel@lists.bufferbloat.net
Date: Sat, 10 Mar 2012 22:24:58 +0000
Subject: [Cerowrt-devel] testing 3.3rc6-3 out on jim (good, but tons of ipv6 issues)

Yesterday we got jim up and running on the latest build.

https://plus.google.com/u/0/110299325941327120246/posts/DD5taJG6ixV

I did some testing of the aqm scripts still under development; after some iterations, the results were rather good, but some more comprehensive work is needed. In particular, I had not been working on uplink speeds greater than about 4Mbit, nor thinking very hard about the effects of everything on very long RTT paths (of late! In part, why I went to Paris was to be able to analyze those in the real world, rather than in emulation). More news on this as it happens.

I'd like very much to have a few more dedicated routers and test boxes spread around the world (NZ/Australia and Europe, etc) sometime soon. Volunteers?

We did run into some problems along the way.

0) We ran into a WEIRD bug with one of jim's printers. Although this printer is visible, has an ipv4 address and a distinct mac, attempts to access it via http would get re-routed to the *router's* web server for some reason. As this does not happen on ANY of the other devices on the lan, I'm inclined to think it's a problem with the printer's firmware, rather than some problem with icmp redirection, or a routing bug. That said, it's very weird.

1) Ipv6 issues

A) Notably, 6to4 for some reason isn't spreading its acquired ipv6 addresses across all the devices anymore. I have no idea why this is. It used to work.

B) And relevant to that, the default firewall rules I have for ipv6 in this case do not appear to be restrictive enough. While it was cool to actually be able to do a

    smbclient -L //jims_ipv6_addresses/

and get responses all the way from California, I don't regard the cifs (windows filesharing) protocol as secure enough to actually run on the open internet. So I added stanzas to /etc/firewall.user to block the relevant ports incoming from the 6to4-ge01 device. I note that I have not kept up with enhancements to the samba protocol suite, and for all I know samba 3.6.3 can actually be configured to be 'secure enough'. ?

I WOULD like to keep open the possibility of running reasonably secure protocols over ipv6. In part, that's the whole point of restoring E2E connectivity to the internet with ipv6! ssh, https, imaps, kerberos, etc, all seem desirable to allow by default. Also protocols that work best in an E2E fashion (sip/rtp, snmp, dns, etc), and also newfangled protocols such as hip, shim6, etc. Also simple, useful file distribution protocols like torrent and rsync.

Finding the right compromise between openness, research and security is going to be a PITA, and I welcome suggestions. I frankly would like to avoid a solution so like our existing ipv4 natted universe as to offer none of the benefits of ipv6.

C) Propagating dynamically assigned ipv6 addresses requires fiddling with configurations of various other daemons.

C1) /etc/xinetd.conf needs the local ipv6 address range permitted.

C2) In /etc/chroot/bin/etc/named/conf, the local ipv6 address range needs to be added to the acl. Also, it's helpful to actually run dns over ipv6 via the local ipv6 forwarder (comcast has those).

C2A) Reverse dns for ipv6 is a REAL PITA.

C3) /etc/config/polipo needs the local ipv6 address range permitted.

C4) The mesh needs to pick up one delegation and distribute it via a /128 ip on all relevant interfaces.

C5) The mrd daemon appears to not work at all, and eats tons of cpu. I merely disabled it in this case: /etc/init.d/mrd6 disable.

Despite the size of the list, fixing most of these by hand takes only a few minutes.

2) Mesh issues

I'd mildly misconfigured the mesh interfaces by default - they need ip addresses assigned statically in the server case to 'just work'. Clients just work, however, once a server is set up. It's kind of cool to just bring up a new cero box and see it automatically connect and route...

3) DNSSEC and ntp can take minutes to sort out on boot. Bug 113 MUST DIE.

4) Renumbering is a pita. The sed script method is not really what we want. Renumbering needs to be fast, easy, and just work, if we are ever going to escape rfc1918 hell.

5) Renaming is a pita. See 4. Notably it's helpful to edit /etc/avahi/*.conf and change the name of the router to something unique; mdns proxying 'just worked', even with two devices proxying, but it worries me.

6) I need to document how to set up an interior router better (especially as this is how I test and encourage others to test).

-- 
Dave Täht
SKYPE: davetaht
US Tel: 1-239-829-5608
http://www.bufferbloat.net
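The post mentions adding stanzas to /etc/firewall.user to block the CIFS ports arriving on the 6to4-ge01 device, but does not show them. The script below is an added example written for this page, not Dave's actual stanzas and not part of cerowrt. It assumes an OpenWrt-style /etc/firewall.user that is sourced by the firewall init script and that the user chains input_rule and forwarding_rule exist (both assumptions); the interface name 6to4-ge01 is the one from the post. It drops the NetBIOS/SMB ports (137/udp, 138/udp, 139/tcp, 445/tcp) both for the router itself (input_rule) and for the LAN hosts behind it (forwarding_rule), which is where the 6to4-exposed shares that answered from California would have lived; the ssh/https/imaps traffic the post wants kept open is untouched because nothing here adds a default-deny.

```shell
#!/bin/sh
# Added example for an OpenWrt-style /etc/firewall.user (assumption: the firewall
# init sources this file and provides the chains input_rule and forwarding_rule).
# Blocks CIFS/NetBIOS on the 6to4 interface so SMB shares on the LAN are not
# reachable from the open IPv6 internet, while leaving every other port alone.

# proto:port pairs used by CIFS / NetBIOS over TCP/IP.
CIFS_PORTS="udp:137 udp:138 tcp:139 tcp:445"

# Emit one ip6tables command per (chain, proto, port) for the given interface.
# Output is plain text so it can be reviewed or diffed before being applied.
cifs_block_rules() {
    iface="$1"
    for entry in $CIFS_PORTS; do
        proto=${entry%%:*}
        port=${entry##*:}
        for chain in input_rule forwarding_rule; do
            echo "ip6tables -A $chain -i $iface -p $proto --dport $port -j DROP"
        done
    done
}

# Number of rules the generator produces for an interface (4 ports x 2 chains).
cifs_block_rule_count() {
    cifs_block_rules "$1" | wc -l | tr -d ' '
}

# Apply the generated rules. Returns 1 (and applies nothing) if ip6tables is
# missing, so sourcing this file on a test box without it is harmless.
apply_cifs_block() {
    iface="$1"
    if ! command -v ip6tables >/dev/null 2>&1; then
        echo "ip6tables not found; CIFS block for $iface not applied" >&2
        return 1
    fi
    cifs_block_rules "$iface" | while read -r cmd; do
        $cmd
    done
}

# Only touch the live firewall when explicitly asked (needs root on the router).
if [ "${FIREWALL_USER_APPLY:-0}" = "1" ]; then
    apply_cifs_block 6to4-ge01
fi
```

Run it with FIREWALL_USER_APPLY=1 on the router to install the rules, or without it to just inspect what `cifs_block_rules 6to4-ge01` would add. Using -A on the user chains rather than -I keeps any earlier rules in those chains ahead of these drops.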