Re: ssh & ipv6
From: Mike Manomohan (MIke.Manomohan_at_noaa.gov)
Date: Wed, 07 Jan 2004 08:12:44 -0500
To: "Michael H. Warfield" <firstname.lastname@example.org>

Where (URL, white paper) can I get a good technical/managerial review of
comparison between SSL, SSH, and VPN technologies/protocols in relation to their
strengths and weaknesses?

"Michael H. Warfield" wrote:
> On Tue, Jan 06, 2004 at 11:17:47AM +0900, David Diep wrote:
> > Hi,
> > I have a problem with ssh and ipv6.
> > My host has the following address fe80::200:e2ff:fe28:3a85
> > I can execute properly
> > # ssh -6 ::1
> > However when I use the host ipv6 address
> > # ssh -6 fe80::200:e2ff:fe28:3a85
> > I get an "Invalid argument" error. Do you know what my problem is?
>
> You are using a "Scope:Link" address (i.e. Link Local address).
> That's all of the fe80::/16 space. It's NOT guaranteed to be unique
> between subnets. Consequently, you are very restricted in what you can
> do with them. You can't even ping them unless you specify the interface
> to the ping6 command (which you can not do for ssh).
>
> Solution... Configure a "Scope:Global" address or "Scope:Site"
> address and use that. Scope:Site is sort of like (almost) the private IPv4
> space, it can't be routed to the global IPv6 space but it is unique within
> your space. For site local, just change the "fe80" to "fec0" in your
> address and add it to your interface configuration file on the server and on
> the client (use the correct address from each interface from ifconfig). Then
> you can connect to it from your client (assuming they are both on the same
> SLA - SLA 0 and assuming you do the same thing for the client address).
> Better yet, if you haven't already, get a global prefix, either a 6Bone
> [3ffe::/16] (yes, I know it's due to be retired - in 2006, maybe) or
> on the IPv6 production internet [2001::/16]. My network is 2001:470:104::/48.
> Check out Freenet6 <http://www.freenet6.net> for 6Bone or
> Hurricane Electric <http://www.tunnelbroker.net> (v6 Internet) for getting
> hooked up with a real prefix if you are in North America. IAC, check out
> "IPv6 Style" <http://www.ipv6style.jp> for a lot more information on getting
> started with IPv6.
>
> You got a bit more to cover to get up and flying with IPv6. Like you
> should NOT be using Link Local addresses for anything in user space (they're
> primarily used in the kernel and lower level protocol stuff for things like
> neighbor discovery and router solicitation). You can use them with certain
> apps, like ping6, IF you know what you are doing. But not with apps which
> don't understand what you are doing.
>
> IPv6 is incredibly easy to set up and get working (I do damn near
> everything over IPv6 lately) but it is not (I REPEAT - IT IS NOT) merely
> IPv4 with bigger addresses. Some things, like address scopes, are just
> not the same thing at all.
>
> > I am using: Linux Kernel 2.4.20 Openssl-0.9.6k Openssh-3.7.1p1
> > Best Regards,
> > David
> Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
> /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
> NIC whois: MHW9 | An optimist believes we live in the best of all
> PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!

--
Regards,
Mike Manomohan
Security Analyst
301-713-1360 ext 122 (W)
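
The address scopes discussed in the quoted reply, as an added example that is not part of the original thread: it classifies a connect target by scope, flags a link-local address that carries no interface, and derives the site-local address by the "fe80" to "fec0" substitution described above. The function names and the `addr%zone` suffix notation are assumptions of this example; scope boundaries are the ones Python's `ipaddress` module applies.

```python
import ipaddress

UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")
IID_MASK = (1 << 64) - 1  # low 64 bits: the interface identifier


def split_zone(target):
    """Split 'addr%zone' into (IPv6Address, zone or None)."""
    addr, _, zone = target.partition("%")
    return ipaddress.IPv6Address(addr), (zone or None)


def scope_of(ip):
    """Name the scope of an IPv6 address."""
    if ip.is_loopback:
        return "loopback"
    if ip.is_multicast:
        return "multicast"
    if ip.is_link_local:      # fe80::/10 in the ipaddress module
        return "link-local"
    if ip.is_site_local:      # fec0::/10, later deprecated by RFC 3879
        return "site-local"
    if ip in UNIQUE_LOCAL:
        return "unique-local"
    return "global"


def check_target(target):
    """Report scope and whether the target is ambiguous without an interface."""
    ip, zone = split_zone(target)
    scope = scope_of(ip)
    return {"address": str(ip), "scope": scope, "zone": zone,
            "needs_zone": scope == "link-local" and zone is None}


def site_local_from_link_local(target, sla=0):
    """Keep the interface identifier, move it under fec0::/10 with the given SLA."""
    ip, _ = split_zone(target)
    if not ip.is_link_local:
        raise ValueError(f"{ip} is not a link-local address")
    prefix = (0xFEC0 << 112) | ((sla & 0xFFFF) << 64)
    return ipaddress.IPv6Address(prefix | (int(ip) & IID_MASK))


if __name__ == "__main__":
    # Addresses taken from the thread; the %eth0 zone and the ::1 host part are constructed.
    for t in ("::1", "fe80::200:e2ff:fe28:3a85",
              "fe80::200:e2ff:fe28:3a85%eth0", "2001:470:104::1"):
        print(check_target(t))
    print(site_local_from_link_local("fe80::200:e2ff:fe28:3a85"))
```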