Re: ssh & ipv6
From: Michael H. Warfield (mhw_at_wittsend.com)
Date: Tue, 6 Jan 2004 22:14:43 -0500 To: David Diep <email@example.com>
On Tue, Jan 06, 2004 at 11:17:47AM +0900, David Diep wrote:
> I have a problem with ssh and ipv6.
> My host has the following address fe80::200:e2ff:fe28:3a85
> I can execute properly
> # ssh -6 ::1
> However when I use the host ipv6 address
> # ssh -6 fe80::200:e2ff:fe28:3a85
> I get an "Invalid argument" error. Do you know what my problem is?
You are using a "Scope:Link" address (i.e. Link Local address).
That's all of the fe80::/16 space. It's NOT guaranteed to be unique
between subnets. Consequently, you are very restricted in what you can
do with them. You can't even ping them unless you specify the interface
to the ping6 command (which you can not do for ssh).
Solution... Configure a "Scope:Global" address or "Scope:Site"
address and use that. Scope:Site is sort of like (almost) the private IPv4
space, it can't be routed to the global IPv6 space but it is unique within
your space. For site local, just change the "fe80" to "fec0" in your
address and add it to your interface configuration file on the server and on
the client (use the correct address from each interface from ifconfig). Then
you can connect to it from your client (assuming they are both on the same
SLA - SLA 0 and assuming you do the same thing for the client address).
Better yet, if you haven't already, get a global prefix, either a 6Bone
[3ffe::/16] (yes, I know it's due to be retired - in 2006, maybe) or
on the IPv6 production internet [2001::/16]. My network is 2001:470:104::/48.
Check out Freenet6 <http://www.freenet6.net> for 6Bone or
Hurricane Electric <http://www.tunnelbroker.net> (v6 Internet) for getting
hooked up with a real prefix if you are in North America. IAC, check out
"IPv6 Style" <http://www.ipv6style.jp> for a lot more information on getting
started with IPv6.
You got a bit more to cover to get up and flying with IPv6. Like you
should NOT be using Link Local addresses for anything in user space (they're
primarily used in the kernel and lower level protocol stuff for things like
neighbor discovery and router solicitation. You can use them with certain
apps, like ping6, IF you know what you are doing. But not with apps which
don't understand what you are doing.
IPv6 is incredibly easy to set up and get working (I do damn near
everything over IPv6 lately) but it is not (I REPEAT - IT IS NOT) merely
IPv4 with bigger addresses. Some things, like address scopes, are just
not the same thing at all.
> I am using: Linux Kernel 2.4.20 Openssl-0.9.6k Openssh-3.7.1p1
> Best Regards,
-- Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
- application/pgp-signature attachment: stored