Re: ssh & ipv6

From: Mike Manomohan (
Date: 01/07/04

  • Next message: Jason Williams: "Proper way to upgrade OpenSSH on FreeBSD 4.9"
    Date: Wed, 07 Jan 2004 08:12:44 -0500
    To: "Michael H. Warfield" <>

    Where (url, white paper) can I get a good technical/managerial review of
    comparison between ssl, ssh, and vpn technologies/protocols in relation to their
    strengths and weaknesses?

    "Michael H. Warfield" wrote:

    > On Tue, Jan 06, 2004 at 11:17:47AM +0900, David Diep wrote:
    > > Hi,
    > > I have a problem with ssh and ipv6.
    > > My host has the following address fe80::200:e2ff:fe28:3a85
    > > I can execute properly
    > > # ssh -6 ::1
    > > However when I use the host ipv6 address
    > > # ssh -6 fe80::200:e2ff:fe28:3a85
    > > I get an "Invalid argument" error. Do you know what my problem is?
    > You are using a "Scope:Link" address (i.e. Link Local address).
    > That's all of the fe80::/16 space. It's NOT guaranteed to be unique
    > between subnets. Consequently, you are very restricted in what you can
    > do with them. You can't even ping them unless you specify the interface
    > to the ping6 command (which you can not do for ssh).
    > Solution... Configure a "Scope:Global" address or "Scope:Site"
    > address and use that. Scope:Site is sort of like (almost) the private IPv4
    > space, it can't be routed to the global IPv6 space but it is unique within
    > your space. For site local, just change the "fe80" to "fec0" in your
    > address and add it to your interface configuration file on the server and on
    > the client (use the correct address from each interface from ifconfig). Then
    > you can connect to it from your client (assuming they are both on the same
    > SLA - SLA 0 and assuming you do the same thing for the client address).
    > Better yet, if you haven't already, get a global prefix, either a 6Bone
    > [3ffe::/16] (yes, I know it's due to be retired - in 2006, maybe) or
    > on the IPv6 production internet [2001::/16]. My network is 2001:470:104::/48.
    > Check out Freenet6 <> for 6Bone or
    > Hurricane Electric <> (v6 Internet) for getting
    > hooked up with a real prefix if you are in North America. IAC, check out
    > "IPv6 Style" <> for a lot more information on getting
    > started with IPv6.
    > You got a bit more to cover to get up and flying with IPv6. Like you
    > should NOT be using Link Local addresses for anything in user space (they're
    > primarily used in the kernel and lower level protocol stuff for things like
    > neighbor discovery and router solicitation). You can use them with certain
    > apps, like ping6, IF you know what you are doing. But not with apps which
    > don't understand what you are doing.
    > IPv6 is incredibly easy to set up and get working (I do damn near
    > everything over IPv6 lately) but it is not (I REPEAT - IT IS NOT) merely
    > IPv4 with bigger addresses. Some things, like address scopes, are just
    > not the same thing at all.
    > > I am using: Linux Kernel 2.4.20 Openssl-0.9.6k Openssh-3.7.1p1
    > > Best Regards,
    > > David
    > Mike
    > --
    > Michael H. Warfield | (770) 985-6132 |
    > /\/\|=mhw=|\/\/ | (678) 463-0932 |
    > NIC whois: MHW9 | An optimist believes we live in the best of all
    > PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!

    Mike Manomohan
    Security Analyst
    301-713-1360 ext 122 (W)
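
Added example, not part of the original messages: a pre-flight check that classifies an IPv6 target by scope, flags a link-local address that names no interface (on Linux, connect() then fails with EINVAL, "Invalid argument"), and performs the fe80-to-fec0 rewrite described in the quoted reply. The function names and the `%eth0` zone are assumptions made for illustration.

```python
import ipaddress

# Prefixes for the scopes named in the thread: fe80::/10 is the
# link-local block, fec0::/10 is the site-local block.
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
SITE_LOCAL = ipaddress.ip_network("fec0::/10")


def classify(target):
    """Return (scope, zone, needs_zone) for an IPv6 literal.

    `target` may carry a zone suffix such as "%eth0". A link-local
    address without a zone gives the kernel no interface to send on,
    which is the failing case from the thread.
    """
    literal, _, zone = target.partition("%")
    addr = ipaddress.IPv6Address(literal)
    if addr.is_loopback:
        scope = "host"
    elif addr in LINK_LOCAL:
        scope = "link"
    elif addr in SITE_LOCAL:
        scope = "site"
    else:
        scope = "global"
    needs_zone = scope == "link" and not zone
    return scope, zone or None, needs_zone


def to_site_local(link_local):
    """Swap the fe80::/10 prefix for fec0::/10, keeping the low 118 bits."""
    addr = ipaddress.IPv6Address(link_local.partition("%")[0])
    if addr not in LINK_LOCAL:
        raise ValueError("not a link-local address: %s" % link_local)
    low_bits = int(addr) & ((1 << 118) - 1)
    return ipaddress.IPv6Address(int(SITE_LOCAL.network_address) | low_bits)


if __name__ == "__main__":
    for t in ("::1",
              "fe80::200:e2ff:fe28:3a85",
              "fe80::200:e2ff:fe28:3a85%eth0",  # eth0 is an assumed name
              "2001:470:104::"):                # prefix quoted in the reply
        print(t, classify(t))
    print(to_site_local("fe80::200:e2ff:fe28:3a85"))
```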
