... This topic is a quick help to enable IP routing as fast as possible on various systems & platforms without needing to another program to be run or so on.
Beginners Note:
IP routing also known as IP Forwarding, needs when the system has more than one NIC or network interface or network connection (such as LAN connection, PPP,...) & you want to route between them to provide for example a gateway, NAT, firewall,... .
1. Cisco Routers/Access Servers :
IP routing is automatically enabled in the Cisco IOS software for routers. To reenable IP routing if it has been disabled on "Global Configuration" type: IP Routing
2. All Microsoft Windows Platforms :
Run "regedit" program and go to the following path :
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
then change the REG_DWORD value (or add new if no exists) from "0" to "1" and reboot the system.
3. Linux :
Add the following command to "/etc/rc.local" then reboot :
echo 1 > /proc/sys/net/ipv4/ip_forward
Or ff you're running Debian linux, you can just put :
ip_forward=yes
spoofprotect=yes
in /etc/network/options
4. BSD Unix Family :
On "/etc/rc.conf" change the following variable to "YES" then reboot :
gateway_enable=YES
For on demand routing enable/disable using sysctl for "net.inet.ip.forwarding" either to "1" or "0".
5. Sun Solaris :
Run this command at prompt:
ndd -set /dev/tcp ip_forwarding 1
But this only lasts until reboot.
To make this happen every boot, put it in a shellscript in /etc/rc2.d -- it must run after S69inet, so call it something like S70ipforwarding
Under certain circumstances (such as more than one interface and no default router), ip_forwarding is automatically turned on, but the precise circumstances vary with Solaris releases, and never suit everyone.
6. Novell Netware :
Edit autoexec.ncf, look for the "load tcpip" line.
Change it to read "load tcpip forward=yes".
Reboot.
Sunday, December 25, 2005
Saturday, December 24, 2005
Before You Connect a New Computer to the Internet
... I called two sections for this topic: 1. General guidelines. 2. OS specific.
By now, I'm going to write about (1). I decide to write as simple as & short so you
can read as fast as.You can do (2) with refer to your OS website,... .If desired ask here.
1. General Guidelines:
a) For CD/DVD/Local HDD installation, unplug the network connection GOTO (c) !
b) If you cannot unplug the network connection because of the network installation, then do at least one of the following:
- Put system behind the firewall.
- Using private IP addresses.
- Create private segmentation using VLANs or so on.
OR any way that you cann't see the Internet!
c) Intall the Antivirus.
d) If exist enable the OS specific firewall, such as WindowsXP firewall GOTO (f).
e) Install personal firewall (Optional - if enterprise firewall exist & the system is behind it).
f) Apply any service pack & update, so on, which can be found local or on private network.
g) Plug the network connection & connect to the Internet then update the system online.
By now, I'm going to write about (1). I decide to write as simple as & short so you
can read as fast as.You can do (2) with refer to your OS website,... .If desired ask here.
1. General Guidelines:
a) For CD/DVD/Local HDD installation, unplug the network connection GOTO (c) !
b) If you cannot unplug the network connection because of the network installation, then do at least one of the following:
- Put system behind the firewall.
- Using private IP addresses.
- Create private segmentation using VLANs or so on.
OR any way that you cann't see the Internet!
c) Intall the Antivirus.
d) If exist enable the OS specific firewall, such as WindowsXP firewall GOTO (f).
e) Install personal firewall (Optional - if enterprise firewall exist & the system is behind it).
f) Apply any service pack & update, so on, which can be found local or on private network.
g) Plug the network connection & connect to the Internet then update the system online.
Thursday, December 15, 2005
IP Routing Protocols AD
... I'm writing some tips after that for network administrators to be a quick reference instead of searching the Cisco or so on.By the way, you may know or remember IP routing protocols AD (Administrative Distance) but don't remember some of them or are unknown for you.Ask me the ones.Meanwhile I'll tell the quick command related to changing ADs.
Connected interface = 0
Static route = 1
Enhanced Interior Gateway Routing Protocol (EIGRP) summary route = 5
External Border Gateway Protocol (BGP) = 20
Internal EIGRP = 90
IGRP = 100
OSPF = 110
Intermediate System-to-Intermediate System (IS-IS) = 115
Routing Information Protocol (RIP) = 120
Exterior Gateway Protocol (EGP) = 140
On Demand Routing (ODR) = 160
External EIGRP = 170
Internal BGP = 200
Unknown = 255
Tip-1:
To change the AD :
-For EIGRP:
Router(config)#distance eigrp [internal-distance] [external-distance]
-For other protocols:
Router(config-router)#distance [weight] ...
Connected interface = 0
Static route = 1
Enhanced Interior Gateway Routing Protocol (EIGRP) summary route = 5
External Border Gateway Protocol (BGP) = 20
Internal EIGRP = 90
IGRP = 100
OSPF = 110
Intermediate System-to-Intermediate System (IS-IS) = 115
Routing Information Protocol (RIP) = 120
Exterior Gateway Protocol (EGP) = 140
On Demand Routing (ODR) = 160
External EIGRP = 170
Internal BGP = 200
Unknown = 255
Tip-1:
To change the AD :
-For EIGRP:
Router(config)#distance eigrp [internal-distance] [external-distance]
-For other protocols:
Router(config-router)#distance [weight] ...
Monday, November 07, 2005
Pass CCNA 640-801
Yesterday I passed CCNA 640-801 with score 974 (for the first time & 2 months study).
I'm going to take CCNP about two months later I think (means if I ready)...
I'm going to take CCNP about two months later I think (means if I ready)...
Monday, September 12, 2005
Nokia secret codes
*#06# Show serial no.
*#0000# Show version.
*#7760# Show production serial no.
*#92702689# = *#war0anty# Show and edit warranty information.
*#2820# Show Bluetooth info.
*#73# Reset phone timers and game scores.
*#335738# Deletes automatically added MMS and GPRS profiles received from your mobile operator through SMS.
*#7370925538# Delete all the content of the wallet and the wallet code.
*#7780# Restore phone to factory settings.
*#7370# Soft format—erases all telefone memory.
*#0000# Show version.
*#7760# Show production serial no.
*#92702689# = *#war0anty# Show and edit warranty information.
*#2820# Show Bluetooth info.
*#73# Reset phone timers and game scores.
*#335738# Deletes automatically added MMS and GPRS profiles received from your mobile operator through SMS.
*#7370925538# Delete all the content of the wallet and the wallet code.
*#7780# Restore phone to factory settings.
*#7370# Soft format—erases all telefone memory.
Windows2000 manual update!
You may never have been seen this problem or noticed to it.Then read and beware.
... Last week I saw unusual behavior from one of my servers related to automatic update, then did it manually but it fails and microsoft tell that I should change one of my MSIE security setting to update could be done. I did any thing that it said and search any where with no result!I decided to try to solve the problem by my self.The solution was:
In Windows 2000 automatic update I changed the setting to Automatic (recommended).
Meanwhile in your MSIE check the
"Security" tab ->" Internet Zone" -> "Custom Level" -> "Miscellaneous" section "Userdata Persistence" should be "enable".
... Last week I saw unusual behavior from one of my servers related to automatic update, then did it manually but it fails and microsoft tell that I should change one of my MSIE security setting to update could be done. I did any thing that it said and search any where with no result!I decided to try to solve the problem by my self.The solution was:
In Windows 2000 automatic update I changed the setting to Automatic (recommended).
Meanwhile in your MSIE check the
"Security" tab ->" Internet Zone" -> "Custom Level" -> "Miscellaneous" section "Userdata Persistence" should be "enable".
Tuesday, April 12, 2005
Getting PGP Desktop 8.1 for Win/Mac
I'm using about 6 years from PGP. Those days PGP only has command line version but now a days with Windows Desktop version you can use more options such as Global Directory or so on.
The latest version is 9 beta but its license will expire on 7 may.
Get PGP Desktop 8.1 for Windows now.
The latest version is 9 beta but its license will expire on 7 may.
Get PGP Desktop 8.1 for Windows now.
Monday, April 11, 2005
Mozila Firefox or Microsoft IE?
...I was working on Firefox about 6 months and IE too at the same time.
The advantage of firefox is only: more safe than IE; because IE is most popular than Firefox so it'll be the attackers target more than Firefox.
It seems Firefox downloading files faster than IE (use more bandwidth by open more sessions) and with the resume support.But Firefox opens web pages slower than IE, specially if you open many pages at the same time or to the same destination (website).Maybe it depends on TCP sessions that Firefox opens or so on.
Finally, some websites could not be appear correctly in Firefox but in IE or netscape can be open .It seems the web pages style & structure viewer is different in Firefox.
Any comment?
...
The advantage of firefox is only: more safe than IE; because IE is most popular than Firefox so it'll be the attackers target more than Firefox.
It seems Firefox downloading files faster than IE (use more bandwidth by open more sessions) and with the resume support.But Firefox opens web pages slower than IE, specially if you open many pages at the same time or to the same destination (website).Maybe it depends on TCP sessions that Firefox opens or so on.
Finally, some websites could not be appear correctly in Firefox but in IE or netscape can be open .It seems the web pages style & structure viewer is different in Firefox.
Any comment?
...
Security Alert: Microsoft issues DNS poisoning advisory
After the Internet Storm Center raised its warning level over the pharming-related vulnerability the software behemoth updated its advice for people running Windows servers...
DNS cache poisoning involves the practice of hacking into domain name servers and replacing the numeric addresses of legitimate Web sites with the addresses of malicious sites. The scheme typically redirects Internet users to bogus Web pages where they may be asked for sensitive information or have spyware installed on their PCs, an online assault that has also become known as pharming.
On Windows 2000 SP3 and above, the DNS server DOES protect against DNS cache pollution by default. The registry key to protect against the poisoning is not necessary: the value is TRUE if the registry key does not exist. Microsoft has now corrected the KB article that we published earlier with this information.
On Windows 2000, you should manage the DNS cache protection security setting through the DNS Management Console. On Windows 2000 below SP3, the "Secure cache against pollution" is not the default so you should enable it using the DNS Management Console. On Windows 2000 SP3 and above (and Windows 2003), the secure setting is the default (even if the registry key does not exist).
Our recommendation is to only set the registry key (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters) on Windows NT4. Otherwise, use the DNS Management Console. If you are on Windows 2000 and you created the key already, you are safe to leave it in place as long as the value is "1".
More info about How to prevent DNS cache pollution .
DNS cache poisoning involves the practice of hacking into domain name servers and replacing the numeric addresses of legitimate Web sites with the addresses of malicious sites. The scheme typically redirects Internet users to bogus Web pages where they may be asked for sensitive information or have spyware installed on their PCs, an online assault that has also become known as pharming.
On Windows 2000 SP3 and above, the DNS server DOES protect against DNS cache pollution by default. The registry key to protect against the poisoning is not necessary: the value is TRUE if the registry key does not exist. Microsoft has now corrected the KB article that we published earlier with this information.
On Windows 2000, you should manage the DNS cache protection security setting through the DNS Management Console. On Windows 2000 below SP3, the "Secure cache against pollution" is not the default so you should enable it using the DNS Management Console. On Windows 2000 SP3 and above (and Windows 2003), the secure setting is the default (even if the registry key does not exist).
Our recommendation is to only set the registry key (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters) on Windows NT4. Otherwise, use the DNS Management Console. If you are on Windows 2000 and you created the key already, you are safe to leave it in place as long as the value is "1".
More info about How to prevent DNS cache pollution .
Enabling "automatic logon" on Windows NT/2000/XP
Sometimes maybe you need some of your servers logon after reboot automatically ...
The following registry hack details the registry keys which control automatic logon:
..
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: AutoAdminLogon
Type: REG_SZ
Value: 1 enable auto logon
Value: 0 disable auto logon
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: DefaultUserName
Type: REG_SZ
Value: account to logon automatically
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: DefaultPassword
Type: REG_SZ
Value: pw for DefaultUserName above
Caution: Password is stored in clear text. Set security permissions on Winlogon subkey to protect the account used.
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: DefaultDomainName
Type: REG_SZ
Value: if domain account, domain name; if local account, server name
Windows 2000 / XP has an additional registry setting to force autologon and ignore bypass attempts. This can be valuable with a kiosk environment:
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: ForceAutoLogon
Type: REG_SZ
Value: 1
The following registry values must not exist: LegalNoticeCaption, LegalNoticeText. These values force a person logging into a PC to acknowledge having read the notice. If these values exist, the legal notice dialog hangs until someone hits enter. Don't just null out the values. Delete them.
The value DontDisplayLastUserName determines whether the logon dialog box displays the username of the last user that logged onto the PC. The value does not exist by default. If it exists, you must set it to 0 or the value of DefaultUser will be wiped and autologon will fail.
Finally, the value RunLogonScriptSync determines whether a logon script will run synchronously or asynchronously. It should not effect this process but there have been reports that setting the value=1, that is, sychronous, is more stable.
Whether you use the Autologon utility or the registry approach, there are times when you must logon as another user or need the logon dialog to appear. Hold down the shift key until during boot until the logon dialog appears. For the control freaks, even the shift override can be blocked (also see ForceAutoLogon above) :
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: IgnoreShiftOverride
Type: REG_SZ
Value: 1
If you want to enable autologon for a certain number of times, follow the above instructins and use the following Windows NT / W2K / XP registry hack:
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: AutoLogonCount
Type: REG_SZ
Value: # autologons you want to allow
The following registry hack details the registry keys which control automatic logon:
..
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: AutoAdminLogon
Type: REG_SZ
Value: 1 enable auto logon
Value: 0 disable auto logon
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: DefaultUserName
Type: REG_SZ
Value: account to logon automatically
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: DefaultPassword
Type: REG_SZ
Value: pw for DefaultUserName above
Caution: Password is stored in clear text. Set security permissions on Winlogon subkey to protect the account used.
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: DefaultDomainName
Type: REG_SZ
Value: if domain account, domain name; if local account, server name
Windows 2000 / XP has an additional registry setting to force autologon and ignore bypass attempts. This can be valuable with a kiosk environment:
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: ForceAutoLogon
Type: REG_SZ
Value: 1
The following registry values must not exist: LegalNoticeCaption, LegalNoticeText. These values force a person logging into a PC to acknowledge having read the notice. If these values exist, the legal notice dialog hangs until someone hits enter. Don't just null out the values. Delete them.
The value DontDisplayLastUserName determines whether the logon dialog box displays the username of the last user that logged onto the PC. The value does not exist by default. If it exists, you must set it to 0 or the value of DefaultUser will be wiped and autologon will fail.
Finally, the value RunLogonScriptSync determines whether a logon script will run synchronously or asynchronously. It should not effect this process but there have been reports that setting the value=1, that is, sychronous, is more stable.
Whether you use the Autologon utility or the registry approach, there are times when you must logon as another user or need the logon dialog to appear. Hold down the shift key until during boot until the logon dialog appears. For the control freaks, even the shift override can be blocked (also see ForceAutoLogon above) :
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: IgnoreShiftOverride
Type: REG_SZ
Value: 1
If you want to enable autologon for a certain number of times, follow the above instructins and use the following Windows NT / W2K / XP registry hack:
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: AutoLogonCount
Type: REG_SZ
Value: # autologons you want to allow
Wednesday, February 16, 2005
IPv6 Part - B-3 : Address types (host part)
For auto-configuration and mobility issues, it was decided to use the lower 64 bits as host part of the address in most of the current address types. Therefore each single subnet can hold a large amount of addresses.
This host part can be inspected differently:
- Automatically computed (also known as stateless)
With auto-configuration, the host part of the address is computed by converting the MAC address of an interface (if available), with the EUI-64 method, to a unique IPv6 address. If no MAC address is available for this device (happens e.g. on virtual devices), something else (like the IPv4 address or the MAC address of a physical interface) is used instead.
Consider again the first example
3ffe:ffff:100:f101:210:a4ff:fee3:9566
here,
210:a4ff:fee3:9566
is the host part and computed from the NIC's MAC address
00:10:A4:E3:95:66
using the IEEE-Tutorial EUI-64 design for EUI-48 identifiers.
- Privacy problem with automatically computed addresses and a solution
Because the "automatically computed" host part is globally unique (except when a vendor of a NIC uses the same MAC address on more than one NIC), client tracking is possible on the host when not using a proxy of any kind.
This is a known problem, and a solution was defined: privacy extension, defined in RFC 3041 / Privacy Extensions for Stateless Address Autoconfiguration in IPv6 (there is also already a newer draft available: draft-ietf-ipngwg-temp-addresses-*.txt). Using a random and a static value a new suffix is generated from time to time. Note: this is only reasonable for outgoing client connections and isn't really useful for well-known servers.
- Manually set
For servers it's probably easier to remember simpler addresses, this can also be accommodated. It is possible to assign an additional IPv6 address to an interface, e.g.
3ffe:ffff:100:f101::1
For manual suffixes like "::1" shown in the above example it's required that the 7th most significant bit is set to 0 (the universal/local bit of the automatically generated identifier). Also some other (otherwise unchosen ) bit combinations are reserved for anycast addresses, too.
This host part can be inspected differently:
- Automatically computed (also known as stateless)
With auto-configuration, the host part of the address is computed by converting the MAC address of an interface (if available), with the EUI-64 method, to a unique IPv6 address. If no MAC address is available for this device (happens e.g. on virtual devices), something else (like the IPv4 address or the MAC address of a physical interface) is used instead.
Consider again the first example
3ffe:ffff:100:f101:210:a4ff:fee3:9566
here,
210:a4ff:fee3:9566
is the host part and computed from the NIC's MAC address
00:10:A4:E3:95:66
using the IEEE-Tutorial EUI-64 design for EUI-48 identifiers.
- Privacy problem with automatically computed addresses and a solution
Because the "automatically computed" host part is globally unique (except when a vendor of a NIC uses the same MAC address on more than one NIC), client tracking is possible on the host when not using a proxy of any kind.
This is a known problem, and a solution was defined: privacy extension, defined in RFC 3041 / Privacy Extensions for Stateless Address Autoconfiguration in IPv6 (there is also already a newer draft available: draft-ietf-ipngwg-temp-addresses-*.txt). Using a random and a static value a new suffix is generated from time to time. Note: this is only reasonable for outgoing client connections and isn't really useful for well-known servers.
- Manually set
For servers it's probably easier to remember simpler addresses, this can also be accommodated. It is possible to assign an additional IPv6 address to an interface, e.g.
3ffe:ffff:100:f101::1
For manual suffixes like "::1" shown in the above example it's required that the 7th most significant bit is set to 0 (the universal/local bit of the automatically generated identifier). Also some other (otherwise unchosen ) bit combinations are reserved for anycast addresses, too.
Thursday, January 27, 2005
IPv6 Part - B-2 : Network part, also known as prefix
Now lets take a look at the different types of prefixes (and therefore address types):
- Link local address type
These are special addresses which will only be valid on a link of an interface. Using this address as destination the packet would never pass through a router. It's used for link communications such as:
- anyone else here on this link?
- anyone here with a special address (e.g. looking for a router)?
They begin with ( where "x" is any hex character, normally "0")
fe8x: <- currently the only one in use.
fe9x:
feax:
febx:
An address with this prefix is found on each IPv6-enabled interface
after stateless auto-configuration (which is normally always the case).
- Site local address type
These are addresses similar to the RFC 1918 / Address Allocation for Private Internets in IPv4 today, with the added advantage that everyone who use this address type has the capability to use the given 16 bits for a maximum number of 65536 subnets. Comparable with the 10.0.0.0/8 in IPv4 today.
Another advantage: because it's possible to assign more than one address to an interface with IPv6, you can also assign such a site local address in addition to a global one.
It begins with:
fecx: <- most commonly used.
fedx:
feex:
fefx:(where "x" is any hex character, normally "0")
- Global address type "(Aggregatable) global unicast"
Today, there is one global address type defined (the first design, called "provider based," was thrown away some years ago RFC 1884 / IP Version 6 Addressing Architecture [obsolete], you will find some remains in older Linux kernel sources).
It begins with (x are hex characters)
2xxx:
3xxx:
Note: the prefix "aggregatable" is thrown away in current drafts.There are some further subtypes defined…
- Multicast addresses
Multicast addresses are used for related services.
They alway start with (xx is the scope value)
ffxy:
They are split into scopes and types:
1. Multicast scopes:
Multicast scope is a parameter to specify the maximum distance a multicast packet can travel from the sending entity.
Currently, the following regions (scopes) are defined:
- ffx1: node-local, packets never leave the node.
- ffx2: link-local, packets are never forwarded by routers, so they never leave the specified link.
- ffx5: site-local, packets never leave the site.
- ffx8: organization-local, packets never leave the organization (not so easy to implement, must be covered by routing protocol).
- ffxe: global scope.
- others are reserved.
2. Multicast types:
There are many types already defined/reserved (see RFC 2373 / IP Version 6 Addressing Architecture for details). Some examples are:
- All Nodes Address: ID = 1h, addresses all hosts on the local node (ff01:0:0:0:0:0:0:1) or the connected link (ff02:0:0:0:0:0:0:1).
- All Routers Address: ID = 2h, addresses all routers on the local node (ff01:0:0:0:0:0:0:2), on the connected link (ff02:0:0:0:0:0:0:2), or on the local site (ff05:0:0:0:0:0:0:2).
3. Solicited node link-local multicast address:
Special multicast address used as destination address in neighborhood discovery, because unlike in IPv4, ARP no longer exists in IPv6.
An example of this address looks like ff02::1:ff00:1234
Used prefix shows that this is a link-local multicast address. The suffix is generated from the destination address. In this example, a packet should be sent to address "fe80::1234", but the network stack doesn't know the current layer 2 MAC address. It replaces the upper 104 bits with "ff02:0:0:0:0:1:ff00::/104" and leaves the lower 24 bits untouched. This address is now used `on-link' to find the corresponding node which has to send a reply containing its layer 2 MAC address.
- Anycast addresses
Anycast addresses are special addresses and are used to cover things like nearest DNS server, nearest DHCP server, or similar dynamic groups. Addresses are taken out of the unicast address space (aggregatable global or site-local at the moment). The anycast mechanism (client view) will be handled by dynamic routing protocols.
Note: Anycast addresses cannot be used as source addresses, they are only used as destination addresses:
- Subnet-router anycast address:
A simple example for an anycast address is the subnet-router anycast address. Assuming that a node has the following global assigned IPv6 address:
3ffe:ffff:100:f101:210:a4ff:fee3:9566/64 <- Node's address The subnet-router anycast address will be created blanking the suffix (least significant 64 bits) completely:
3ffe:ffff:100:f101::/64 <- subnet-router anycast address.
Monday, January 24, 2005
IPv6 Part - B-1 : Address Space Forms
I'll start with two useful questions :
Q: Why is the name IPv6 and not IPv5 as successor for IPv4?
A: On any IP header, the first 4 bits are reserved for protocol version. So theoretically a protocol number between 0 and 15 is possible:
A:During the design of IPv4, people thought that 32 bits were enough for the world. Looking back into the past, 32 bits were enough until now and will perhaps be enough for another few years. However, 32 bits are not enough to provide each network device with a global address in the future. Think about mobile phones, cars (including electronic devices on its CAN-bus), toasters, refrigerators, light switches, and so on...So designers have chosen 128 bits, 4 times more in length and 2^96 greater in size than in IPv4 today.The usable size is smaller than it may appear however. This is because in the currently defined address schema, 64 bits are used for interface identifiers. The other 64 bits are used for routing. Assuming the current strict levels of aggregation (/48, /32, ...), it is still possible to "run out" of space, but hopefully not in the near future.
- Addresses without a special prefix
This is a special address for the loopback interface, similiar to IPv4 with its "127.0.0.1". With IPv6, the localhost address is:
0000:0000:0000:0000:0000:0000:0000:0001 or compressed ::1
- Unspecified address
This is a special address like "any" or "0.0.0.0" in IPv4 . For IPv6 it's:
0000:0000:0000:0000:0000:0000:0000:0000 or ::
These addresses are mostly used/seen in socket binding (to any IPv6 address) or routing tables.
Note: the unspecified address cannot be used as destination address.
- IPv6 address with embedded IPv4 address
1. IPv4-mapped IPv6 address:
0:0:0:0:0:0:a.b.c.d/96 or ::a.b.c.d/96
Q: Why is the name IPv6 and not IPv5 as successor for IPv4?
A: On any IP header, the first 4 bits are reserved for protocol version. So theoretically a protocol number between 0 and 15 is possible:
-
4: is already used for IPv4
-
5: is reserved for the Stream Protocol (STP, RFC 1819 / Internet Stream Protocol Version 2) (which never really made it to the public)
The next free number was 6. Hence IPv6 was born!
A:During the design of IPv4, people thought that 32 bits were enough for the world. Looking back into the past, 32 bits were enough until now and will perhaps be enough for another few years. However, 32 bits are not enough to provide each network device with a global address in the future. Think about mobile phones, cars (including electronic devices on its CAN-bus), toasters, refrigerators, light switches, and so on...So designers have chosen 128 bits, 4 times more in length and 2^96 greater in size than in IPv4 today.The usable size is smaller than it may appear however. This is because in the currently defined address schema, 64 bits are used for interface identifiers. The other 64 bits are used for routing. Assuming the current strict levels of aggregation (/48, /32, ...), it is still possible to "run out" of space, but hopefully not in the near future.
- Addresses without a special prefix
This is a special address for the loopback interface, similiar to IPv4 with its "127.0.0.1". With IPv6, the localhost address is:
0000:0000:0000:0000:0000:0000:0000:0001 or compressed ::1
- Unspecified address
This is a special address like "any" or "0.0.0.0" in IPv4 . For IPv6 it's:
0000:0000:0000:0000:0000:0000:0000:0000 or ::
These addresses are mostly used/seen in socket binding (to any IPv6 address) or routing tables.
Note: the unspecified address cannot be used as destination address.
- IPv6 address with embedded IPv4 address
1. IPv4-mapped IPv6 address:
IPv4-only IPv6-compatible addresses are sometimes used/shown for sockets created by an IPv6-enabled daemon, but only binding to an IPv4 address.
These addresses are defined with a special prefix of length 96 (a.b.c.d is the IPv4 address):
0:0:0:0:0:ffff:a.b.c.d/96 or ::ffff:a.b.c.d/96
For example, the IPv4 address 1.2.3.4 looks like this: ::ffff:1.2.3.4
- IPv4-compatible IPv6 address
Used for automatic tunneling (RFC 2893 / Transition Mechanisms for IPv6 Hosts and Routers), which is being replaced by 6to4 tunneling.0:0:0:0:0:0:a.b.c.d/96 or ::a.b.c.d/96
Protect your browser from attack ads
A newly discovered security flaw in Internet Explorer 6 is being exploited by virus writers to spread a worm via online advertisements...
The bug is caused by the way iFrames – the HTML commands for displaying frames on a Web page – are processed in IE6. When you click the attack program's link, it triggers a buffer overflow error, causing the browser to fail. A clever attacker can then load his or her own program onto your PC and take over your machine. If you don't click the malicious ad, your computer will not be attacked.
Poeple using Windows XP Service Pack 2 are not affected by the bug. Prior versions of Windows, however, from 98 through XP Service Pack 1, are vulnerable. Users should install Microsoft's patch to block potential attacks. The patch is also a cumulative update for IE, so you will get all the previous patches in this single download.
Saturday, January 15, 2005
Linux vendors release security patches
Red Hat, SuSE and Mandrakesoft have all released patches for their Linux products to fix security flaws - some of which are rated 'critical'.
Linux vendors Red Hat, Novell and Mandrakesoft on Wednesday released patches for several vulnerabilities, ranging from flaws that could allow denial-of-service (DoS) attacks to buffer overflows.
Linux vendors Red Hat, Novell and Mandrakesoft on Wednesday released patches for several vulnerabilities, ranging from flaws that could allow denial-of-service (DoS) attacks to buffer overflows.
Five of the updates released were rated "highly critical" on Thursday by security information company Secunia. Red Hat released three updates, while Novell's SuSE and Mandrakesoft each released one.
SuSE issued updates to resolve flaws including a vulnerability that could allow malicious code to cause a local DoS attack using a specially created Acrobat document. The vulnerabilities would affect most SuSE Linux-based products.
Another vulnerability in the Linux system components used to route network traffic could allow a malicious person to execute a local DoS attack by inserting erroneous information into the netfilter data stream, according to SuSE.
Red Hat, meanwhile, issued a package of updates for its desktop, enterprise and advanced-workstation software.
An updated libtiff package was released to address vulnerabilities involving various integer overflows. The vulnerabilities would enable an attacker who has tricked a user into opening a malicious image file in the TIFF format to make a libtiff-related application crash or have the potential to compromise the computer with arbitrary code.
Red Hat also released updates for Xpdf packages to address a vulnerability to a potential buffer overflow. Xpdf is a stand-alone application for reading Portable Document Format documents and is also used by many Linux programs to process PDF files. This vulnerability could enable an attacker to create a PDF file that would crash Xpdf and possibility execute arbitrary code when opened, according to Red Hat's update.
Red Hat also released multiple patches to resolve flaws in its Xpm library. The XPixMap (XPM) format enables colour images to be stored in an easily portable file.
Several stack overflow flaws and an integer overflow vulnerability were found in the libXpm library, which, in turn, is used to decode XPM images. If an attacker creates an XPM file that causes an application to crash, a computer system could be compromised.
Mandrakesoft also released an update for Imlib, a standard set of code used by older versions of the GNOME desktop to process graphics.
Image-related vulnerabilities have cropped up recently in other Linux software.
Last month, a couple of Linux groups issued patches for several flaws in common Linux code used in older GNOME desktop versions for processing graphics. Those vulnerabilities could enable attackers to compromise computers that display a malicious image file.
Microsoft: DRM Trojan hole is not a vulnerability
Microsoft has responded to security warnings about its Media Player by saying that Windows XP SP2 will protect its customers from malware...
Microsoft has denied that an anti-piracy "feature" in its Windows Media Player that allows a Trojan horse to run on a user's PC is a vulnerability.
Microsoft has denied that an anti-piracy "feature" in its Windows Media Player that allows a Trojan horse to run on a user's PC is a vulnerability.
Panda Software warned earlier this week that hackers are using the player's DRM tool to fool people into downloading spyware and viruses.
The Spanish security company said that virus writers had released licence-protected multimedia files containing Trojan horses (WmvDownloader.A and WmvDownloader.B) that can exploit the anti-piracy features in version 10 of the Media Player and Windows XP SP2.
Despite Panda's warning that the Trojan can download a cocktail of malware, Microsoft denies there is a flaw in its software.
"This Trojan appears to utilise a function of the Windows Media DRM designed to enable licence delivery scenarios as part of a social engineering attack," said Microsoft in an emailed statement.
"There is no way to automatically force the user to run the malicious software. This function is not a security vulnerability in Windows Media Player or DRM."
But Microsoft didn't say whether Windows XP SP2 fully protected users from unwanted downloads.
"Internet Explorer for Windows XP SP2 helps prevent downloads from automatically launching. Users who have installed Windows XP SP2 and turned on the pop-up blocker have an added layer of defence from this Trojan's attempt to deliver malicious software," said Microsoft.The Redmond giant also said that people should go to the police if they think they have been attacked by such Trojans
Monday, January 10, 2005
Bypass filtering method 2
Some ISP's don't allow to you that connecting to the known proxy servers and ports.
For who they have this problem download JAP then:
Install it, and let it to configure your browser.Then run it from "Start->programs" and browse any where.
For who they have this problem download JAP then:
Install it, and let it to configure your browser.Then run it from "Start->programs" and browse any where.
IRAN web filtering goes stupid!
...The problem is these days they're filtering so many other sites such as "Orkut". They changed their ways in web filtering.
Here're the list of proxy servers which you can use it to bypass the censorship.
Enter one of these addresses into your explorer "Proxy Settings".I've checked all of them.
--------------------------------------------
planlab1.cs.caltech.edu:3128
planetlab2.cs.purdue.edu:3128
planetlab1.ucsd.edu:3128
planetlab-1.Stanford.EDU:3128
planetlab1.lcs.mit.edu:3128
planetlab1.eecs.umich.edu:3128
planetlab1.csres.utexas.edu:3128
planetlab1.cs.Virginia.EDU:3128
planetlab1.cs.umass.edu:3128
planetlab1.cs.uiuc.edu:3128
Planetlab1.CS.UCLA.EDU:3128
planetlab1.cs.ubc.ca:3128
planetlab-1.CS.Princeton.EDU:3128
planetlab1.cs.duke.edu:3128
planetlab1.cs.cornell.edu:3128
planetlab1.comet.columbia.edu:3128
PLANETLAB-1.CMCL.CS.CMU.EDU:3128
planetlab1.cis.upenn.edu:3128
planetlab-02.bu.edu:3128
planetlab01.cs.washington.edu:3128
planet2.cs.rochester.edu:3128
planet1.scs.cs.nyu.edu:3128
planet1.cs.ucsb.edu:3128
planet1.cc.gt.atl.ga.us:3128
---------------------------------------------
Another useful source to such this servers & bypass censorship are here:
http://www.web.freerk.com/proxylist.htm
Here're the list of proxy servers which you can use it to bypass the censorship.
Enter one of these addresses into your explorer "Proxy Settings".I've checked all of them.
--------------------------------------------
planlab1.cs.caltech.edu:3128
planetlab2.cs.purdue.edu:3128
planetlab1.ucsd.edu:3128
planetlab-1.Stanford.EDU:3128
planetlab1.lcs.mit.edu:3128
planetlab1.eecs.umich.edu:3128
planetlab1.csres.utexas.edu:3128
planetlab1.cs.Virginia.EDU:3128
planetlab1.cs.umass.edu:3128
planetlab1.cs.uiuc.edu:3128
Planetlab1.CS.UCLA.EDU:3128
planetlab1.cs.ubc.ca:3128
planetlab-1.CS.Princeton.EDU:3128
planetlab1.cs.duke.edu:3128
planetlab1.cs.cornell.edu:3128
planetlab1.comet.columbia.edu:3128
PLANETLAB-1.CMCL.CS.CMU.EDU:3128
planetlab1.cis.upenn.edu:3128
planetlab-02.bu.edu:3128
planetlab01.cs.washington.edu:3128
planet2.cs.rochester.edu:3128
planet1.scs.cs.nyu.edu:3128
planet1.cs.ucsb.edu:3128
planet1.cc.gt.atl.ga.us:3128
---------------------------------------------
Another useful source to such this servers & bypass censorship are here:
http://www.web.freerk.com/proxylist.htm
IPv6 Part - A : Introduction
... I decide to write about IPv6 after this time, because we'll need it sooner or later.
The first part is "Introduction".
The first part is "Introduction".
This set of Web pages provides information of Internet Protocol Version 6 (IPv6). IPv6 is sometimes also called the Next Generation Internet Protocol or IPng. IPv6 was recommended by the IPng Area Directors of the Internet Engineering Task Force at the Toronto IETF meeting on July 25, 1994 in RFC 1752, The Recommendation for the IP Next Generation Protocol . The recommendation was approved by the Internet Engineering Steering Group and made a Proposed Standard on November 17, 1994.
The core set of IPv6 protocols were made an IETF Draft Standard on August 10, 1998.
Internet Protocol Version 6 is abbreviated to IPv6 (where the "6" refers to it being assigned version number 6). The previous version of the Internet Protocol is version 4 (referred to as IPv4).
IPv6 is a new version of IP which is designed to be an evolutionary step from IPv4. It is a natural increment to IPv4. It can be installed as a normal software upgrade in internet devices and is interoperable with the current IPv4. Its deployment strategy is designed to not have any flag days or other dependencies. IPv6 is designed to run well on high performance networks (e.g. Gigabit Ethernet, OC-12, ATM, etc.) and at the same time still be efficient for low bandwidth networks (e.g. wireless). In addition, it provides a platform for new internet functionality that will be required in the near future.
IPv6 includes a transition mechanism which is designed to allow users to adopt and deploy IPv6 in a highly diffuse fashion and to provide direct interoperability between IPv4 and IPv6 hosts. The transition to a new version of the Internet Protocol must be incremental, with few or no critical interdependencies, if it is to succeed. The IPv6 transition allows the users to upgrade their hosts to IPv6, and the network operators to deploy IPv6 in routers, with very little coordination between the two.
Saturday, January 08, 2005
Monday, January 03, 2005
Largest IPv6 network launched in China
...China China China! Who are the chinese realy? We have to believe them I think.They're aiming to become the leading player in the creation of the next generation of the Internet.
An IPv6-based network linking 25 universities in 20 cities across China began operating on Saturday.
An IPv6-based network linking 25 universities in 20 cities across China began operating on Saturday.
The China Education and Research Network Information Center (CERNIC) announced the launch of the network, called CERNET2, which is thought to be the largest single IPv6 network yet created. CERNIC claimed it makes China a world leader in the race to build the next generation of the Internet.
China's National Development Reform Commission (NDRC) has set aside 1.4bn yuan (US$169m) to support six next-generation Internet networks, according to People's Daily , China's main daily newspaper. Half of it will be used on projects linked to the university network, with the remaining money given to five telecom operators.
China is not the only Asian country with a strong interest in IPv6. Japan has already implemented an IPv6 production network, which is used by every service provider in the country. South Korea is working with the EU to develop applications and services using IPv6.
IPv6 exponentially increases the number of possible Internet protocol (IP) addresses. It has been created and deployed in response to the fear that the existing Internet address pool could run dry within a few years as more people go online, especially as Web use in Asia rises sharply.
IPv4, the incumbent Internet protocol standard, gives its data packets just 32 bits of address space. By increasing this to 128 bits, IPv6 provides billions more IP addresses and allows many more devices to be simultaneously linked to the Internet.
Many network operators and equipment vendors are pushing IPv6. However, most companies have been reluctant to spend the money needed to make their networks IPv6-compatable by upgrading IP stacks on network gear, applications, PCs and servers.
Some have said that techniques such as network address translation (NAT) -- which lets up to 257 nodes in a corporation sit behind a single IP address -- mean it is possible to work around IPv4's limitations.
Some experts have predicted that once China have embraced IPv6, Western countries who wish to do business with Asia will have to upgrade their own networks.
Windows XP flaw opens door to Trojan attack
The 'Phel' program works through Internet Explorer's 'Help' controls to allow an infection passed from a Web site to open up an infected computer to external control.
Online miscreants have released a Trojan horse that can infect computers running Microsoft's Windows XP, installing programs to remotely control a victim's system.
Online miscreants have released a Trojan horse that can infect computers running Microsoft's Windows XP, installing programs to remotely control a victim's system.
Symantec warned in an advisory this week that the program -- dubbed "Phel", an anagram of "Help" -- infects visitors to a maliciously created Web site through Internet Explorer's Help controls. A bug in the malicious program may prevent it from infecting some computers, the security company said.
The Symantec advisory can be found on the company's Web site.
The Trojan horse exploits a vulnerability, found in October, in how Internet Explorer and Windows XP Service Pack 2 handle help files called from Web pages.
The flaw is unrelated to the recent help-file flaws outed by a Chinese security company last week. In that instance, Microsoft took the Chinese security group to task for disclosing the vulnerability without giving the company a chance to develop a way to fix the problem.
A company spokesperson said: "Microsoft is working to forensically analyse the malicious code in Phel and will work with law enforcement to identify and bring to justice those responsible for this malicious activity."
A patch is not yet available from Microsoft for the October flaw, nor the most recent flaws, but the software giant said its programmers are working on the issue.
"Microsoft is taking this vulnerability very seriously, and an update to correct the vulnerability is currently in development," the spokesperson said. "We will release the security update when the development and testing process is complete, and the update is found to effectively correct the vulnerability."
Linux distro tackles spam
Astaro claims to have added sophisticated spam-blocking features in the latest version of its distribution, but security experts say it's nothing new.
The latest version of Astaro Security Linux includes various features that can be optionally enabled to improve spam protection.
Astaro Security Linux is a distribution of Linux that includes integrated security features such as a firewall, VPN gateway and antivirus capabilities. The Astaro distribution was started in 2000 and is now used to protect over 20,000 networks, according to the company.
Astaro Security Linux 5.1, released last week, includes functionality that can verify the source of the email by using the Sender Policy Framework (SPF). Other features include quarantining emails and greylisting, which can block some spam by requesting the mail agent to send the email a second time.
Other features include easy integration with network management systems, and a tool to allow customers to monitor bandwidth usage.
Astaro chief executive Jan Hichert said that the improvements in the new version will make the systems more resilient and easier to manage.
"Astaro Security Linux 5.1 builds on all the award-winning features available with 5.0 by adding sophisticated spam-blocking features and management tools that eliminate threats and empower IT staff to act quickly, thereby ensuring overall security of corporate IT assets," said Hichert in a statement.
But Graham Cluley, senior technology consultant for security firm Sophos, said the features added by Astaro are standard anti-spam technology.
"From that shortlist it doesn't sound like anything earth-shattering," said Cluley. "Features such as quarantining and greylisting have been available for months, if not years, in anti-spam products."
The latest version of Astaro Security Linux includes various features that can be optionally enabled to improve spam protection.
Astaro Security Linux is a distribution of Linux that includes integrated security features such as a firewall, VPN gateway and antivirus capabilities. The Astaro distribution was started in 2000 and is now used to protect over 20,000 networks, according to the company.
Astaro Security Linux 5.1, released last week, includes functionality that can verify the source of the email by using the Sender Policy Framework (SPF). Other features include quarantining emails and greylisting, which can block some spam by requesting the mail agent to send the email a second time.
Other features include easy integration with network management systems, and a tool to allow customers to monitor bandwidth usage.
Astaro chief executive Jan Hichert said that the improvements in the new version will make the systems more resilient and easier to manage.
"Astaro Security Linux 5.1 builds on all the award-winning features available with 5.0 by adding sophisticated spam-blocking features and management tools that eliminate threats and empower IT staff to act quickly, thereby ensuring overall security of corporate IT assets," said Hichert in a statement.
But Graham Cluley, senior technology consultant for security firm Sophos, said the features added by Astaro are standard anti-spam technology.
"From that shortlist it doesn't sound like anything earth-shattering," said Cluley. "Features such as quarantining and greylisting have been available for months, if not years, in anti-spam products."
Subscribe to:
Posts (Atom)
