KAME FAQ
$KAME: FAQ,v 1.88 2007/05/13 15:06:43 itojun Exp $


GENERAL
=======
Q: What is the KAME project?
The KAME Project is a joint effort to create a single solid software set,
especially targeted at IPv6/IPsec. Talented researchers from several
major Japanese companies joined the project. This joint effort will
avoid unnecessary duplicated development in the same area, and
effectively provide a high-quality package with advanced features.

The project aims to revamp the BSD sys/net* tree, and:

- to provide a FREE IPv6 protocol stack for research/commercial use
  (under BSD copyright).
- to provide FREE IPsec all over the world. (For free software,
  crypto export from Japan seems to be legal.)
- to provide FREE reference code for advanced internetworking
  (advanced packet queuing, ATM, mobility, and whatever is interesting).

To understand more about the KAME project itself, please proceed to
http://www.kame.net/project-overview.html.

Q: I'm in trouble and would like to get help.
Please route your questions to public mailing lists, like
snap-users@kame.net or users@ipv6.org. Make sure to include
all of your configuration details, version numbers and ways to
repeat your issue, by going through the topmost portion of
http://www.kame.net/dev/send-pr.html.

Q: How can I contribute?
- Implement "ports" or "pkgsrc" for IPv6 apps
  Sometimes nontrivial steps are needed to install IPv6 applications,
  because IPv6 patches are redistributed separately from the original
  application. Please create FreeBSD/OpenBSD "ports", or NetBSD
  "pkgsrc" and contribute those to *BSD projects.

- Submit bug reports
  PLEASE go through the top of http://www.kame.net/dev/send-pr.html
  and supply enough information.

- Review documents
  Since the KAME core team does not have a native English speaker,
  documents in English include many typos, wording mistakes,
  and so forth. We would be very grateful if you review our
  documents and send us updates.

- Design a logo/T-shirt :-)

Q: What is the standard document the KAME code is based upon?
   Which version of IPv6/IPsec does KAME support?
The KAME project tries to support the latest specification possible.

For a list of currently supported standard documents, please refer to
IMPLEMENTATION in the distribution kit, or
http://www.kame.net/dev/cvsweb.cgi/kame/IMPLEMENTATION.

Q: Why does KAME separate ping6 from ping (for IPv4), and traceroute6 from
   traceroute (for IPv4)?
There have been many discussions on why we separate ping6(8)
and ping(8). Some people argued that it would be more
convenient to unify the ping command for both IPv4 and
IPv6. The following is our answer to that request.

From a developer's point of view: since the underlying raw socket API
is totally different between IPv4 and IPv6, we would end
up having two types of code base. There would actually be
little benefit in unifying the two commands into a single
command from the developer's standpoint.

From an operator's point of view: unlike ordinary network
applications like web, mail, and remote login tools, we are
usually aware of the address family when using network management
tools. We do not just want to know the reachability of the
host, but want to know the reachability of the host via a
particular network protocol such as IPv6. Thus, even if we
had a unified ping(8) command for both IPv4 and IPv6, we would
usually type a -6 or -4 option (or something like those) to
specify the particular address family. This essentially means
that we have two different commands.

Q: Are there other documents/FAQ lists I may want to check?
- Depending on which BSD you are using, you will want to check the
  project webpages, like http://www.openbsd.org/,
  http://www.netbsd.org/, or http://www.freebsd.org/.
- If you are using a KAME patch kit (like weekly snap, not the
  integrated *BSD releases), you really need to go through all the
  documents shipped in tar.gz.
- http://www.kame.net/ has links to a set of good documents.
- http://www.ipv6.org/, and http://www.jp.ipv6.org/ (if you can read
  Japanese texts).
- http://www.netbsd.org/Documentation/network/ipv6/

Q: Which operating systems/vendor routers use the KAME stack?
Operating systems:
- OpenBSD, http://www.openbsd.org/
- NetBSD, http://www.netbsd.org/
- FreeBSD, http://www.freebsd.org/
- BSD/OS, http://www.bsdi.com/
- Apple Darwin

Vendor routers:
- Hitachi GR2000, http://www.v6.hitachi.co.jp/GR2000/
- IIJ SEIL-T1, http://www.seil-t1.com/
- (more)

Q: How portable is the KAME stack? Is it possible to port it to embedded
   operating systems like VxWorks?
The KAME stack assumes that the following items are available:
- mbuf for holding packet data
- software interrupts to handle incoming packets
- timer interrupts like timeout(9)
- spl for concurrency control with interrupting threads
i.e. we assume a 4.4BSD kernel programming environment. We don't have
time to port it to VxWorks or any other operating systems, so if you
want to do it you need to port it on your own.

We have heard of a Win95/98 port of the KAME IPsec stack in the past.
Also, it is apparent that some of the vendor routers are using the KAME
stack on top of VxWorks.

Q: How should "gif" be pronounced?
To be answered.


INSTALLATION
============
Q: I heard that the *BSDs have integrated KAME code already.
   Do I still need to install KAME patches?
It depends on your goal. Roughly speaking,
- If you want IPv6 for normal day-to-day use, you will be happy with
  the *BSD integrated code (no need for KAME patches).
- If you want bleeding-edge IPv6 code (including experimental and
  unstable code), you need to install KAME patches.

http://www.kame.net/project-overview.html#release talks about this
topic in more detail.

Q: How/where can I get recent KAME stable (not snap) releases?
Since the KAME stack has been merged into all *BSD releases
officially, the KAME project will not release stable releases
from the project. These official *BSD releases should be
considered as stable releases instead.

Q: I replaced the kernel and rebooted, and lost IPv4 connectivity. Why?
There are several possibilities, but it is almost always
due to kernel configuration differences. If you have
been using a specific kernel configuration for your IPv4
kernel, and you have installed a GENERIC.v6 kernel, you lose
your special configurations.

One good way to deal with this problem is to (1) copy
your original configuration file FOO into FOO.v6, (2)
incorporate the difference between GENERIC and GENERIC.v6 into
FOO.v6, (3) carefully look at FOO.v6 and configure a new
kernel from that one.

Q: Is anything special required for network interface card drivers?
(freebsd and bsdi) For efficient processing of IPv6 chained headers,
KAME assumes the network driver will pass the packet to upper layers
(IPv6 code) in one of the following forms:

    (1) single internal mbuf
    (2) single external (cluster) mbuf
    (3) multiple external (cluster) mbufs

Some traditional drivers pass the packet to upper layers in
two linked internal mbufs. In this case, the driver must be modified.
You can check for this situation by using netstat -sn.

If you see the following line ("two or more mbufs") for your ethernet
card in netstat output (ip6 section), your driver needs to be modified.

    Mbuf statistics:
      58 one mbufs
      two or more mbuf:
        foo0 = 2         <--- foo0 needs modification
      6486 one ext mbufs
      0 two or more ext mbufs

The modification is very simple. Check the use of MINCLSIZE
in the driver and change it to MHLEN. In this way you can avoid two
linked internal mbufs.
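
Why swapping MINCLSIZE for MHLEN removes the "two or more mbuf" case, as an
added example (not code from the KAME kit or from any driver): a user-space
model of a traditional receive copy loop. The size constants are assumed,
typical 4.4BSD values, and rx_layout() and first_two_mbuf_len() are
hypothetical names.

```c
#include <stdio.h>

/* Assumed, typical 4.4BSD sizes; real values come from <sys/mbuf.h>. */
enum {
    MLEN      = 108,          /* data bytes in a plain internal mbuf   */
    MHLEN     = 100,          /* data bytes in a packet-header mbuf    */
    MCLBYTES  = 2048,         /* data bytes in an external cluster     */
    MINCLSIZE = MHLEN + MLEN  /* traditional "use a cluster" threshold */
};

/* The four categories netstat -sn reports in its ip6 mbuf statistics. */
enum layout { ONE_MBUF, TWO_OR_MORE_MBUF, ONE_EXT_MBUF, TWO_OR_MORE_EXT_MBUF };

/*
 * Model of a receive copy loop: the first mbuf is a packet-header mbuf,
 * later ones are plain mbufs, and a cluster is attached whenever the
 * bytes still to copy reach cl_threshold.  The category is decided by
 * the first mbuf (internal or external) and by whether a second exists.
 */
enum layout rx_layout(int totlen, int cl_threshold)
{
    int count = 0, first_is_ext = 0;

    while (totlen > 0) {
        int room = (count == 0) ? MHLEN : MLEN;
        int ext = 0;

        if (totlen >= cl_threshold) {
            room = MCLBYTES;
            ext = 1;
        }
        if (count == 0)
            first_is_ext = ext;
        totlen -= (totlen < room) ? totlen : room;
        count++;
    }
    if (first_is_ext)
        return count > 1 ? TWO_OR_MORE_EXT_MBUF : ONE_EXT_MBUF;
    return count > 1 ? TWO_OR_MORE_MBUF : ONE_MBUF;
}

/* Smallest length stored as linked internal mbufs, or -1 if none up to max_len. */
int first_two_mbuf_len(int cl_threshold, int max_len)
{
    for (int len = 1; len <= max_len; len++)
        if (rx_layout(len, cl_threshold) == TWO_OR_MORE_MBUF)
            return len;
    return -1;
}

int main(void)
{
    static const char *name[] = {
        "one mbuf", "two or more mbuf", "one ext mbuf", "two or more ext mbufs"
    };
    int lens[] = { 60, 150, 207, 1500 };  /* constructed packet lengths */

    for (unsigned i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("%4d bytes: MINCLSIZE -> %-18s MHLEN -> %s\n", lens[i],
               name[rx_layout(lens[i], MINCLSIZE)],
               name[rx_layout(lens[i], MHLEN)]);
    return 0;
}
```

Under these assumed sizes, packets of 101 to 207 bytes are the ones that land
in two linked internal mbufs with the MINCLSIZE threshold.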

(all operating systems) Multicast support is required for IPv6,
since IPv6 uses multicast for hardware address (MAC address) resolution.
Therefore, your network driver has to have multicast support,
and have IFF_MULTICAST properly set. Also be sure to check if
the driver handles multicast ioctls, like SIOCADDMULTI.

Even though it is better to have a hardware multicast packet
filter, it is not mandatory; in most cases it is just fine
to use promiscuous mode as the last resort, if there's no
multicast packet filter support.


OPERATION AND PROGRAMMING
=========================
Q: /etc/rc scripts do not work after replacing vanilla *BSD kernel by KAME
   kernel.
/etc/rc scripts usually use tools in /sbin, like /sbin/ifconfig.
In some cases, they do not work on a KAME kernel. Be very sure to
use tools in /usr/local/v6 instead.

Note, however, that depending on the ordering of /etc/rc initialization,
/usr may not be ready when the network interfaces get initialized
(for NFS-mounted /usr support).
It may be safer to put network interface initialization into
/etc/rc.local, and remove all network configurations from /etc/rc.conf
and/or /etc/netstart (you won't be able to use diskless configuration,
however).

Q: Why do link-local addresses in the kernel structure have
   s6_addr[2] and s6_addr[3] filled?
Due to the "scoped address" design in the IPv6 spec, the
kernel must treat link-local addresses in a special manner.
A link-local address has to be remembered together with its incoming
interface. KAME uses s6_addr[2-3] to keep the interface index
(ifp->if_index) in the kernel structure.

Note that this is only for internal kernel structures.
Any data coming out of a socket file descriptor is not
affected. KAME uses the advanced API (rfc2292) for passing/getting
the interface index from/to userland.

Also note that this hack may go away in the near future,
by introduction of the sin6_ifindex field in the sockaddr_in6
structure.

See the IMPLEMENTATION document for a full description.

Q: Does KAME support site-local addresses?
Yes and no.

KAME can handle site-local addresses, but it is not aware of
the site boundary. Therefore, KAME cannot become a site-border
router.

Site-local addressing (the spec itself, not KAME) has a
bunch of issues/twists to be solved, such as site-border management
and name servers. We are trying very hard to solve them.

On many KAME-ready BSD systems, reject routes are installed in
/etc/rc for fec0::/10 as a precaution. If you plan to use site-local
addresses, you first need to remove the route.

Q: How can I implement address-family independent applications?
Q: How can I modify my application to support IPv6 as well as IPv4?
We have a short newsletter for that, titled "implementing
AF-independent application". Please visit
http://www.kame.net/newsletter/19980604/.

Craig Metz, "Protocol Independence Using the Sockets API",
Proceedings of the freenix track: 2000 USENIX annual
technical conference, June 2000.
http://www.usenix.org/event/usenix2000/freenix/metzprotocol.html

Q: route6d dies with "IPV6_ADD_MEMBERSHIP" failure.
This error occurs when you have configured an interface
that is not capable of handling IPv6 packets. This includes
the slip interface (sl0) and some other interfaces. Please
remove those interfaces from the kernel configuration file.

Q: Which IPv6 routing daemon should I use?
For easy installation, route6d (implemented by Akira Kato) is
simple and easy-to-use, but not very configurable.

For production use, try zebra from http://www.zebra.org/.

Q: How can I connect my host to the worldwide IPv6 network?
Visit http://www.6bone.net/; all the information you need is there.

http://www.kame.net/newsletter/19981224/ has detailed discussions
on how you can be connected to 6bone. It also has a cgi script to
help you send a connection request.

Q: When I invoke ifconfig or netstat, garbled output is generated.
I suspect that you are invoking old (original) ifconfig or netstat.

Currently the KAME kit does not overwrite existing userland
tools. Instead, tools provided by KAME will be installed
into /usr/local/v6/bin and the like. Therefore, to use
IPv6-enabled tools, you must invoke /usr/local/v6/sbin/ifconfig
or such. You can of course add /usr/local/v6/bin to your
command search path. Consult the manpage for your shell.

Q: How can I restrict RIPng route announcement for some particular interfaces?
First of all, you should choose an appropriate routing daemon.

route6d (by Akira Kato) is designed to be simple and easy,
so it has no configuration option for ignoring some of the
interfaces. You cannot use it for this purpose.

hroute6d (contributed by Hitachi) has a very complex
configuration file, which makes it possible to skip some
of the interfaces.

bgpd (contributed by Toshiba) also uses a configuration
file. You can specify not to listen and/or advertise RIPng
messages on the specified interfaces.

Other routing daemons (zebra/mrt/whatever) may have
configuration options, so please refer to the document
specific to the tool you have chosen.

Q: I would like to configure IPsec for IPv4 only, and I do not need IPv6.
   Is it possible to configure KAME for this?
Of course, it should work. Try configuring a kernel without
"options INET6".

If it does not work well, add "options INET6" and ignore
any IPv6-related things that appear in messages/command
options/whatever. It is safe to ignore those things.

Q: IPv6 ping from other OSes does not seem to work.
Are you using a link-local address for that? (fe80::x) If
so, be sure to clear the 2nd 16-bit field to 0. KAME kernels
use those bits internally, and some older versions of ifconfig show
the value, but the value MUST NOT appear on the wire.

If the ifconfig command shows that your KAME host has the
following address:

    fe80:1::x:y:z:u

the address the host actually has is

    fe80::x:y:z:u

Also, on many existing operating systems, it is suggested (or even
mandatory) to specify the outgoing link when you try to ping
(or ping6) link-local addresses. This is to disambiguate link-local
addresses on multiple links.
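
Converting the kernel-internal form into the on-wire form described here and
in the s6_addr[2-3] answer earlier, as an added example (not KAME code):
kame_ll_to_wire(), wire_safe() and kame_ll_text_to_wire() are hypothetical
helpers, and the sample addresses are constructed. It assumes the index is
stored in network byte order, as the fe80:1:: display suggests, and returns it
in sin6_scope_id, the field the standard sockets API (RFC 3493) defines.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* True for link-local unicast, fe80::/10. */
static int is_linklocal(const struct in6_addr *a)
{
    return a->s6_addr[0] == 0xfe && (a->s6_addr[1] & 0xc0) == 0x80;
}

/*
 * Copy a kernel-internal address into *out in on-wire form.  For a
 * link-local address the interface index kept in s6_addr[2-3] is moved
 * to sin6_scope_id and the two bytes are cleared.  Returns 1 if an
 * embedded index was removed, 0 if the address is passed through as is.
 */
int kame_ll_to_wire(const struct in6_addr *internal, struct sockaddr_in6 *out)
{
    uint16_t idx;

    memset(out, 0, sizeof(*out));
    out->sin6_family = AF_INET6;
    out->sin6_addr = *internal;
    if (!is_linklocal(internal))
        return 0;
    /* Assumption: index stored big-endian, so fe80:1:: means index 1. */
    idx = (uint16_t)((internal->s6_addr[2] << 8) | internal->s6_addr[3]);
    if (idx == 0)
        return 0;
    out->sin6_addr.s6_addr[2] = 0;
    out->sin6_addr.s6_addr[3] = 0;
    out->sin6_scope_id = idx;
    return 1;
}

/* Guard for packet-building code: a link-local address whose second
 * 16-bit field is non-zero must not be put on the wire. */
int wire_safe(const struct in6_addr *a)
{
    return !is_linklocal(a) || (a->s6_addr[2] == 0 && a->s6_addr[3] == 0);
}

/* Text-to-text wrapper: returns -1 on a parse or format error, otherwise
 * the result of kame_ll_to_wire(); *ifindex receives the scope id. */
int kame_ll_text_to_wire(const char *text, char *buf, size_t buflen,
                         unsigned *ifindex)
{
    struct in6_addr in;
    struct sockaddr_in6 sa;
    int changed;

    if (inet_pton(AF_INET6, text, &in) != 1)
        return -1;
    changed = kame_ll_to_wire(&in, &sa);
    if (inet_ntop(AF_INET6, &sa.sin6_addr, buf, (socklen_t)buflen) == NULL)
        return -1;
    *ifindex = sa.sin6_scope_id;
    return changed;
}

int main(void)
{
    /* Constructed sample addresses. */
    const char *samples[] = {
        "fe80:1::200:ff:fe00:1", "fe80::200:ff:fe00:1", "2001:db8::1"
    };
    char buf[INET6_ADDRSTRLEN];
    unsigned idx;

    for (unsigned i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int rc = kame_ll_text_to_wire(samples[i], buf, sizeof(buf), &idx);
        printf("%-24s -> %-22s ifindex=%u changed=%d\n",
               samples[i], buf, idx, rc);
    }
    return 0;
}
```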

Q: How do I configure an IPv6-over-IPv4 tunnel?
The simplest way to do this is to configure the outer IPv4 address only, by
the following commands:

    hostA# gifconfig gif0 a.a.a.1 b.b.b.1

    hostB# gifconfig gif0 b.b.b.1 a.a.a.1

As a gif interface has a link-local address, it is not
necessary to configure inner IPv6 addresses. Routing
daemons will work just fine and packets will get forwarded
between the two routers. If you want to configure a global IPv6
address on such a host, configure it on an ethernet interface.

NOTE: on netbsd and openbsd, gifconfig is integrated into ifconfig(8).

Q: Some of my IPv6-ready programs show strange behavior after kernel update.
As the IPv6 socket API is still a moving target, the KAME team
sometimes has to change important structure definitions
used in the socket API. We have experienced changes in struct
sockaddr_in6 several times already.

If you have installed your IPv6-ready programs before the
change, and the kernel is built from the KAME tree after
the change, your programs will not work properly. Be sure
to update, or re-compile, userland tools too.

We try to announce important changes to the snap-users mailing
list. Please subscribe to the snap-users mailing list if you
are willing to use SNAP kits. See http://www.kame.net/snap-users/
for details.

Q: How do I configure IPsec?
http://www.kame.net/newsletter/19980626/ covers the topic.

Q: I would like to connect from an IPv6-only host to an IPv4-only host.
You MUST have a translator box between those two hosts, for
protocol conversion. http://www.kame.net/newsletter/19981001/
covers the topic.

socks64, which is a modified version of socks5, can be used
so that an IPv6-only host can make a proxy connection via a
"socks64 server" on a dual-stack host. For the implementation,
please visit ftp://ftp.kame.net/pub/kame/misc/.

Q: How can I enable FAITH IPv6-to-IPv4 tcp relay?
Please consult KAME faithd/README.* for details.

Q: How do I configure ATM PVC?
KAME includes ATM PVC support, from the ALTQ package. No SVC support is
implemented. A very limited variety of ATM cards are supported.

http://www.kame.net/newsletter/19980701/ covers this topic
(though it is a bit dated).

Q: I think I have a problem with my tunnel; how do I track it down?
Assume that your tunnel interface is "gif0".

    try: ping6 -I gif0 -n ff02::1

If you get replies from two different nodes, your tunnel is
working right. It can be a routing problem. The two nodes
are your node and the peer's node.

If you get replies from a single node only, you have a problem
with your tunnel. It could be a packet filter between your node
and the peer (like a firewall), an IPv4 routing screwup, or anything.
You need to make sure that IPv4 protocol # 41 goes through.
If you have a packet filter blocking you, ask your network
administrator to open up the filters.

Another hint: always use "-n" when you try ping6 or
traceroute6. Reverse lookup timeouts can make the problem harder to
track down.

Q: My operating system does not have gifconfig(8).
On FreeBSD 4.4, NetBSD, and OpenBSD, gifconfig(8) is integrated
into ifconfig(8), using the "tunnel" keyword (older OpenBSD
releases use the "giftunnel" keyword).

Q: I would like to know the merge status of the KAME kit to *BSD.
See http://www.kame.net/dev/cvsweb.cgi/kame/COVERAGE.

Q: How can I differentiate IPv6 http connections from IPv4 ones on my
   web page? (In other words, how can I provide dancing stuff for IPv6
   users only, like www.kame.net?)
If you are using an apache webserver, you can refer to the environment
variable REMOTE_ADDR to know the address of the client (in textual
numeric representation). For example, the following perl script
fragment would print "IPv6 <address>" or "not IPv6 <address>"
depending on the client's address.

    # Only hex digits and colons: treat REMOTE_ADDR as an IPv6 address.
    # Anything containing a dot (IPv4, or an IPv4-mapped form such as
    # ::ffff:192.0.2.1) falls into the else branch.
    if ($ENV{'REMOTE_ADDR'} =~ /^[a-fA-F0-9:]+$/) {
        print "IPv6 " . $ENV{'REMOTE_ADDR'} . "\n";
    } else {
        print "not IPv6 " . $ENV{'REMOTE_ADDR'} . "\n";
    }

Q: Won't you release a new IPv6 patch for apache1.3.x?
We focus on developing/enhancing apache2.x. Our IPv6 patch
will never be merged into the apache1.3.x original distribution
since some include files for mod_xxx highly depend on IPv4
and our IPv6 patch strongly affects modules from 3rd parties.
Apache2.x already supports IPv6 and changes its APIs.

martti.kuparinen@iki.fi takes over the maintenance. The latest
IPv6 patches are available at ftp://ftp.piuha.net/pub/misc/.

Q: Why don't KAME's getaddrinfo/getnameinfo support PF_LOCAL?
We do not really like to support PF_LOCAL, unless there's
clear standard behavior for the AF_LOCAL case. From an AF-independent
programming point of view, the unlink(2) call issue is
really bitching us. NI_NUMERICxx, AI_NAMEREQD and
AI_NUMERICxx have no valid meaning on PF_LOCAL. Also, we
cannot just add incompatible functionality from others. Note
that glibc now drops it for security risks with /tmp race
conditions (they supported PF_LOCAL in the past), so we are
now compatible with glibc at this point.

getaddrinfo/getnameinfo behavior itself is rather vaguely
defined in the standards (POSIX drafts as well as RFC2553/bis),
and we don't want to add more jitter to them.

Additionally, we've never heard of practical examples of
applications that need the support of PF_LOCAL in get*info.
We don't think it is a good idea just to pursue superficial
uniformity without concrete usages, especially when we do not
have a standard specification of it.

If it is really really necessary to play with it, we can probably
do that on the KAME tree - but not on *BSD-current nor *BSD official
releases.

Q: Is there an API or other mechanism for a user level program (e.g.
telnet) to inquire of the kernel whether AH/ESP is in use (i.e.
whether a security association exists between the local host and a
remote host)?
At this moment there's no API that tells userland, from the kernel,
whether the traffic (packet) was encrypted or not. It is a rather
difficult API to design/implement, as the granularity is different
between IP packets and sockets (TCP stream), and it is unclear what to
tell the userland (per-packet, or per-stream?).

What you can do now is to use setsockopt(IP_IPSEC_POLICY) and inject
a policy like "in ipsec esp/transport//require" (use ipsec_set_policy(3)
to convert the textual policy representation into binary). This way, you
can make sure that inbound packets are always encrypted (non-encrypted
packets get dropped). See sbin/ping for a usage example.
This is a KAME-only API. There's no standard API for this, as
far as we know.

Q: I see a lot of messages like the following when I try to throw
packets to a gif tunnel interface:
    nd6_output: failed to add route fora neighbor(ADDR), errno=17
The message gets generated when the kernel fails to create a neighbor
cache entry for NUD. The cause of the problem is considered
operational: you need to change your configuration to solve the
problem (NOTE: with recent KAME kits, the message won't get generated
due to a couple of changes we made).

We are convinced that a tunnel interface must have either of
the following configurations:
    ifconfig gif0 inet6 A B prefixlen 128 alias
    ifconfig gif0 inet6 A prefixlen 64 alias
NOT the following:
    ifconfig gif0 inet6 A B prefixlen 64 alias
since the last example is ambiguous when B is within A/64. The message
gets generated when you use the last (3rd) configuration, which is
not correct in our interpretation.

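The rule above can be checked before a configuration is applied. The
following is an added example (not KAME code) that tests whether a
destination B falls inside A/P and reports which of the three forms a
configuration corresponds to; the function gif_inet6_check and the verdict
names are assumptions made for this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>

/* Verdict names are chosen for this example. */
enum gif_verdict { GIF_BAD_INPUT = -1, GIF_OK, GIF_DISCOURAGED, GIF_AMBIGUOUS };

/* Return 1 if addr lies inside prefix/plen (plen < 128), 0 otherwise. */
static int in6_prefix_match(const struct in6_addr *prefix,
                            const struct in6_addr *addr, unsigned plen)
{
    unsigned full = plen / 8, rest = plen % 8;

    if (memcmp(prefix->s6_addr, addr->s6_addr, full) != 0)
        return 0;
    if (rest != 0) {
        unsigned char mask = (unsigned char)(0xff << (8 - rest));
        if ((prefix->s6_addr[full] ^ addr->s6_addr[full]) & mask)
            return 0;
    }
    return 1;
}

/*
 * Check the arguments of "ifconfig gifN inet6 A [B] prefixlen P".
 * dst is NULL when no destination address B is given.
 */
enum gif_verdict gif_inet6_check(const char *local, const char *dst,
                                 unsigned plen)
{
    struct in6_addr a, b;

    if (plen > 128 || inet_pton(AF_INET6, local, &a) != 1)
        return GIF_BAD_INPUT;
    if (dst == NULL)
        return GIF_OK;              /* no destination: "A prefixlen P" form */
    if (inet_pton(AF_INET6, dst, &b) != 1)
        return GIF_BAD_INPUT;
    if (plen == 128)
        return GIF_OK;              /* "A B prefixlen 128" form */
    /* Third form: B with a shorter prefix; ambiguous if B is in A/P. */
    return in6_prefix_match(&a, &b, plen) ? GIF_AMBIGUOUS : GIF_DISCOURAGED;
}
```
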
Q: I see a lot of messages like the following:
    nd6_ns_input: invalid hlim(NUM) from FROM to TO on IF
The message gets generated when someone configures an IPv6 router
wrongly and neighbor solicitation messages are leaking from the router.
If you have time, send a note to the owner of the machine indicated
in FROM.

The message gets generated only with an older KAME SNAP kit, or with *BSD
releases. A kernel upgrade is suggested if you are using a KAME SNAP kit.

Q: I have problems diagnosing IPsec issues. Are there any good tools?
tcpdump and netstat -sn are your friends. Always try to take packet
dumps during your tests. Also, you can reveal many things with the
following operations:
    % netstat -sn >/tmp/1
    % (some operation)
    % netstat -sn >/tmp/2
    % diff -c1 /tmp/1 /tmp/2

Q: When I configure an IPv6 address by ifconfig(8) on a node doing
stateless autoconfiguration, the interface route corresponding to the
address configured with ifconfig(8) immediately disappears.
This is probably because the prefix corresponding to the
address is regarded as "detached". Check the output of
ndp(8). The entry for the prefix should have a "D" flag like
this:

    3ffe:501:ffff::/64 if=exp0
    flags=LD vltime=infinity, pltime=infinity, expire=Never, ref=0
    No advertising router

The KAME kernel basically does not assume a mixture of
stateless autoconfiguration and manual configuration of
addresses, and, in such a case, prefers the autoconfigured
prefix by marking the manual prefix as "detached." Even in
this situation, however, reachability to neighbors covered by
the prefix should be ensured via a default router that
advertises an "attached" prefix.

For the notion of "detached", see Section 3.4 of the following
paper:
http://www.isoc.org/inet99/4s/4s_2.htm

Q: Why doesn't "ifconfig gif* create/destroy" work?
In the KAME kit, we dropped support for creating/destroying interfaces
on October 8, 2002. See the following changelog item for the reason.

    Tue Oct 8 17:05:56 JST 2002 itojun@iijlab.net
    * sys/net/if_*.c: drop support for cloning interfaces, to free us from
    coping with *BSD differences. it is not our goal to cope with *BSD
    differences, our goal is to provide high-quality networking code.
    it's pity that *BSDs have a lot of differences...


LICENSE AND CRYPTO EXPORT
=========================
Q: What is the crypto export/import situation in Japan?
NOTE: the following description does not reflect intentions
of KAME participating companies, employers of KAME core
team or KAME contributors, or such. The KAME project and other
parties are completely separate entities. Please do not
misinterpret.

As far as I checked, there's no legal restriction on
exporting/importing crypto software, if it is done without
a fee.

Japan seems to be in the Wassenaar agreement, and the Wassenaar
agreement is reflected in Japan's export/import control
law. It says that business parties must acquire approval
for crypto export orders larger than 50000JPY.

We checked with several attorneys and got answers which varied
widely. Each answer reflected how aggressive/defensive the
attorney is :-)

See the "crypto law survey page",
http://rechten.uvt.nl/koops/cryptolaw/cls2.htm#ja, for more
information. (The page is really great.)

Q: Can I download KAME without infringing crypto law?
The question can be separated into two parts: export from
Japan and import to your country.

For export from Japan, it looks like there's no restriction
for free software. See the previous item for more info.

For import to your country, please check the "crypto law survey
page" for your country. Please proceed to
http://rechten.uvt.nl/koops/cryptolaw/index.htm.

Q: Under what kind of license is the KAME kit redistributed?
The KAME kit itself obeys the following BSD-like AS-IS license.
Contributed or derived software may be distributed under other licenses,
so please look at each of the files.

Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
   notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
   notice, this list of conditions and the following disclaimer in the
   documentation and/or other materials provided with the distribution.
3. Neither the name of the project nor the names of its contributors
   may be used to endorse or promote products derived from this software
   without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.


FUN STUFF
=========
Q: What is "KAME"? Why did you choose the name?
KAME is "turtle" in Japanese. Then, you may wonder why it is
"turtle"... :-) See answers below.

Official answer #1: Our office was once located at Karigome
village, Fujisawa, Kanagawa JAPAN. Take the very first
two letters and last two letters from KArigoME. Yeah, you
got KAME.

Official answer #2: In Asian/Indian mythology, the world
is on a tray supported by elephants, and the elephants are
on a giant turtle and a giant snake. The universe consists
of the turtle and the snake. We are trying to shake the
universe by our code, so the name is KAME.

Real answer: We got together at an IPv6 hacking workshop at
JAIST university (http://www.jaist.ac.jp/). One of the core
members, itojun, got very tired of tracking bugs. There
was a big stuffed turtle (http://www.nui.org/Kame/) in the
laboratory. Itojun hugged the turtle and mumbled, "Mr
turtle please help me debug my code...".
(http://www.itojun.org/diary/19970930-1005/kame.html) This
is the real reason for the name.

Q: Official stuffed turtles?
We have distributed official stuffed turtles at IETFs and other
events; however, they are out of stock already. Too bad. Plat'home
(www.plathome.co.jp) may still have some, so order them over the web
(not sure about overseas shipping).

History: Nakajima corporation (specialized in stuffed animals)
had a really cute turtle, but it was discontinued. Some people
at the KAME project and friends ordered 2400 of them for re-issue.
The official turtles had a special label on them, which has the
URL of the KAME project webpage.

Q: T-shirt? Mugs?
Finally, there are! See http://www.kame.net/ for more details!
If you need more variety of goods (like mugs, teddybear or whatever)
just drop snap-users@kame a note.