IPv6 addresses

As we prepare to enable IPv6 on the “static self-managed” wires, there are a few aspects to IPv6 addressing which you need to know.

The most obvious difference between IPv4 and IPv6 addresses is that the latter are 128 bits long.  They’re conventionally divided up into eight 16-bit chunks, written in hex and separated by colons.  Leading zeros can be omitted, and the longest consecutive run of all-zero chunks can be elided to “::”.

For global addresses, this 128-bit space is divided up into two 64-bit parts: there’s a 64-bit prefix, which essentially identifies the site and the subnet within it; and there’s a 64-bit “interface identifier” (“IID”) which identifies the host within the subnet.

So, for example 2001:630:3c1:33::1:15 has a prefix of 2001:630:3c1:33::, which itself breaks down to the University’s prefix of 2001:630:3c1:: and the subnet number 33, and an IID of ::1:15.

The prefix is fixed for the subnet, and is generally obtained automatically from the Router Advertisement packets which our switches multicast every few seconds on all of our IPv6-enabled subnets.  The IID is formed in one of three ways:

  1. It can be set explicitly by the host’s manager (in some system-specific way). We can support this, and can enter explicit addresses into the inf.ed.ac.uk domain.  We prefer not to do things this way, though, because it means liaison with machines’ managers, which can take time, and is more prone to errors.  The example above is one of these explicit addresses.
  2. The host can configure itself using StateLess Address AutoConfiguration (“SLAAC”).  This uses the host’s MAC address, transformed in a couple of simple ways, to produce an address which is unique to the machine while requiring no management intervention.  For example, 2001:630:3c1:2:4a0f:cfff:fe5b:e69a is the IPv6 address of one of the student lab machines.  Because we have the MAC addresses registered for all of the machines on the SM164 and SM197 wires we can automatically generate DNS entries in inf.ed.ac.uk, making the entire process completely automatic.  This is the mechanism we prefer.
  3. It can be a “privacy address”, generated periodically by the host in a cryptographically secure way such that it is very unlikely to duplicate any other IID on the subnet.  The reason for this type of address is that it avoids the possibility that a laptop might be tracked across networks as its owner moves from site to site, as would be the case if it were to use a fixed SLAAC-style IID.  For servers it makes little sense to use this type of address, and because it changes frequently we have no way to add it to our DNS.  The distribution you have installed on your servers may have this turned on if its main audience is laptops and non-enterprise users.  If so, we strongly suggest you turn it off, though how you do so will be system-dependent.

There is one other form of address which your machine will have.  This is a “link-local” address, using fe80:: as its prefix and a SLAAC-style IID part.  Traffic for addresses of this form is never routed off-subnet.  Within the subnet it is just as valid an address as one of the above forms, and can be used anywhere a global address can be used.  It can’t go in the DNS, though, which makes it inconvenient for anything other than low-level network management tasks.  Your IPv6 default router address will probably be link-local, for example.
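The SLAAC transformation of the MAC address and the address forms described above can be worked through in code.  The following is an added example, not part of the original post or of the School’s tooling: it builds a SLAAC address from a /64 prefix and a MAC (the modified EUI-64 rule of RFC 4291/4862: insert ff:fe, flip the universal/local bit), and classifies an address as link-local, SLAAC-style (recovering the MAC), or explicit/privacy, which is the distinction that matters when deciding what can go in the DNS.  The MAC 48:0f:cf:5b:e6:9a is inferred from the lab-machine address quoted above, and the prefix must be given in the /64 form.

```python
import ipaddress
import re

IID_MASK = (1 << 64) - 1


def slaac_iid_from_mac(mac: str) -> int:
    """Modified EUI-64 IID from a 48-bit MAC: split the MAC in half,
    insert ff:fe between the halves, and flip the U/L bit (0x02) of the
    first octet."""
    octets = bytes.fromhex(re.sub(r"[:\-]", "", mac))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui64 = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui64, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (e.g. '2001:630:3c1:2::/64') with the SLAAC IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | slaac_iid_from_mac(mac))


def classify(addr: str) -> dict:
    """Split an address into prefix and IID and say whether the IID is
    SLAAC-style (MAC-derived, so stable and suitable for DNS) or not
    (an explicit address or a periodically changing privacy address)."""
    a = ipaddress.IPv6Address(addr)
    n = int(a)
    iid = n & IID_MASK
    info = {
        "link_local": a.is_link_local,   # fe80::/10, never routed off-subnet
        "prefix": str(ipaddress.IPv6Address(n & ~IID_MASK)),
        "iid": f"{iid:016x}",
        "kind": "explicit-or-privacy",
        "mac": None,
    }
    # The ff:fe in the middle of the IID is the EUI-64 signature; undo the
    # transformation to recover the MAC it was derived from.
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        b = iid.to_bytes(8, "big")
        mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]
        info["kind"] = "slaac"
        info["mac"] = ":".join(f"{x:02x}" for x in mac)
    return info


if __name__ == "__main__":
    print(slaac_address("2001:630:3c1:2::/64", "48:0f:cf:5b:e6:9a"))
    for example in ("2001:630:3c1:33::1:15", "fe80::4a0f:cfff:fe5b:e69a"):
        print(example, classify(example))
```

Hosts that use RFC 7217 stable IIDs are also configured by SLAAC but carry no ff:fe marker, so classify() reports them as explicit-or-privacy; the marker test is a heuristic, not proof of origin.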

The address-search box on the netmon front page knows how to handle all of the above forms, though the information available for privacy addresses is necessarily more limited than for the other forms.

The home page for the development project which introduced IPv6 to Informatics has a number of useful links, including to the relevant RFCs.

Posted in Uncategorized | 1 Comment

IPv6 for the Forum static-self-managed subnets

Following the introduction of IPv6 for the Forum self-managed dynamic-address subnet (and the ironing out of a couple of teething problems), we would now like to roll IPv6 out to the two “static-self-managed” subnets (“SM164” and “SM197”).

We propose enabling this on Monday 10th February, at lunch-time.  To do this we will set up the routers for the subnets so that they start sending Router Advertisements, at which point we expect that IPv6-enabled hosts on the subnets will automatically configure “SLAAC” style IPv6 addresses and add the appropriate default routes.

We will then enable the generation of DNS entries to correspond with these addresses, and reconfigure the edge firewalls so that where there are holes opened for ports using IPv4 there will be corresponding holes for those same ports using IPv6.

Your machines will then start to receive IPv6 traffic, so it is important that you ensure that any access controls you have configured are correct.  You should not assume that any defaults will be reasonable!

We do have the ability to add static (non-SLAAC) IPv6 addresses if really necessary, though our experience to date has been that they very rarely are.  We can also turn off the generation of the DNS entries on a per-host basis, with any firewall holes then also disappearing.  Please contact us using the support form in the usual way to discuss this.  We do not have the ability to add “privacy” addresses to the DNS, and in any case it really doesn’t make a lot of sense to do so, so you may also have to adjust your machines’ configurations so as not to try to use these.

Reminder: the documents we produced as part of our original IPv6 investigation project are here.  In particular, there is one discussing IPv6 addressing here.  SLAAC (“StateLess Address AutoConfiguration”) addresses are defined in RFC 4862.

Posted in Uncategorized | Leave a comment

IPv6 for Forum self-managed subnets

It’s now more than three years since we implemented IPv6 for the School’s managed Linux (DICE) desktops and servers, and in that time we have seen very few issues which were specifically related to IPv6.  We were not, unfortunately, able to roll it out to the “self-managed” subnets at that time, for a few reasons, but we now believe it is time to give it a try there too.

So, on Tuesday 19th November we will be enabling IPv6 for the “DHCP” subnet.  (Specifically, we will start sending out Router Advertisements, which will cause any IPv6-aware machine on the subnet to configure itself automatically with at least one IPv6 address.)  If there are significant problems we can easily and quickly back the change out again.  Note that no DNS entries will be added for machines on this subnet.

All being well, we would then propose turning on IPv6 for the self-managed server wires SM164 and SM197 some time in the new year.  There are a couple of reasons for this: it will allow you to gain IPv6 experience with machines on the DHCP subnet in advance; and, more particularly, it will give you time to ensure that any access controls you have in place are correct for IPv6 as well as IPv4.  We’ll post more details nearer the time.

Our IPv6 deployment project’s final report is here, and the project’s home page has links to sundry IPv6 resources.

Posted in Uncategorized | Leave a comment

Change Freeze during strike action from 21st November 2019 to 10th December 2019

In order to minimise the risk to computing facilities during the strike action there will be a ‘change freeze’ for those computing systems managed by the School’s computing staff: the University’s Information Services are implementing a similar ‘change freeze’. This ‘change freeze’ is being extended to cover the online class exams on Thursday 5th, Friday 6th and Tuesday 10th December.

The combined ‘change freeze’ will be effective from noon on Thursday 21st November to noon on Tuesday 10th December (or the end of the industrial action).

Obviously there may be some business critical changes required – these will be referred to CEG (Computing Executive Group) for approval. Should all CEG members be on strike (or otherwise unavailable), the Director of Professional Services (Joy Candlish) will be consulted to determine the business criticality of any proposed change. She may choose to confer with others.

I hope that you understand and support my reasoning behind introducing this freeze.

Alastair Scobie (Head of Computing)

Posted in Uncategorized | Leave a comment

Review of www.inf.ed.ac.uk CGIs

For security reasons we are reviewing our use of user authored CGI scripts that are currently running on our web services.

Those CGIs that run as the author, such as those on homepages.inf.ed.ac.uk and sweb.inf.ed.ac.uk, are not under review at the moment, but other CGIs that run as the web server daemon are.

The main services this affects are CGIs on www.inf.ed.ac.uk and those on groups.inf.ed.ac.uk.

In the first instance we’ve looked at the accesses of all CGIs on www.inf.ed.ac.uk, and if a CGI has not been accessed in the last 6 months, we no longer serve it from the web server. There is also a default deny for any new CGIs added to www.inf, so those that have access to the CGI area of www.inf will need to ask computing staff to enable serving of any new CGI. At this point we’ll want to review its contents, and discuss how accessible it needs to be, e.g. do you expect only current students and staff to access it.

We’ll then start security reviewing the remaining active CGIs, and contacting authors/owners where appropriate.

This is only the beginning of a longer process, and we’ll start looking at CGIs on groups.inf.ed.ac.uk next.

If you have any old CGIs that are no longer used, then removing them will help us with our review, and increase the security of the Informatics services.

Neil

Posted in News, Service Update | Leave a comment

What Do You Want From A Network File System?

We’ve been using OpenAFS as the School’s network file system (i.e. the thing that lets you access your DICE home directory and research group space on pretty much any machine from pretty much anywhere in the world) for the best part of 15 years. That’s an awfully long time in the fast moving world of computing and so one of the development projects I have on my plate at the moment is to look into whether OpenAFS is still the most appropriate fit to the School’s needs.

From my ivory tower, I can draw up a long list of filesystem features and capabilities which I think might be desirable but at the end of the day, what’s useful and what’s unnecessary can only be determined by you, the end user.

So please take a few moments to let me know what you think about the existing School network filesystem. Tell me about what you like about it, what you dislike about it and missing features you would like to see in a replacement. There’s no guarantee that any requests can be met but at least they can be taken into account. You can make your opinions heard by leaving a comment after this article or emailing me at

cms @ inf.ed.ac.uk

Remember, it’s the School’s network file system I’m interested in, your DICE home directory and research group space stored on the School’s file servers and accessed via a pathname beginning /afs/inf.ed.ac.uk/…. I’m not concerned at the moment with any centrally provided file space or data stored on self-managed machines.

I look forward to hearing from you!

Craig.

Posted in Uncategorized | 6 Comments

Virtual DICE has been updated

We’ve updated Virtual DICE! Both “little” and “large” VMs have been updated.
There are two changes compared to last month’s release:

  1. VirtualBox Guest Additions has been updated to a much newer version, so the Virtual DICE VM should now be better integrated with the rest of your computer environment. For example, the focus will be more likely to follow the mouse – the VM should no longer capture your mouse and keyboard by default.
  2. DICE changes since September are included in the latest Virtual DICE releases.

You can find out more at:

If you have any problems with the new version please contact us using the computing support form. Thanks.

Posted in Uncategorized | Leave a comment

macOS Catalina

We advise waiting a while before updating your Mac to the new macOS version, Catalina, for two reasons: firstly it has bugs, which Apple is steadily fixing; secondly it introduces a security system which is causing problems for software which hasn’t been adapted to deal with it. At the time of writing, VirtualBox is an example. For more details, and some helpful links, see our computing.help page on macOS releases.

Posted in Uncategorized | Leave a comment

A new Virtual DICE for 2019-20

A new version of Virtual DICE is out – in fact, two new versions! They have the software for the 2019-20 session. Virtual DICE is the lightweight DICE-like virtual machine which you can install and run on your own computer. Here’s how to get it.

We release a new version of Virtual DICE twice a year. This time we’ve made two versions called little and large. Software on Virtual DICE explains why.

If you have an earlier version of Virtual DICE you should upgrade to the new version. To do that, make backup copies of whatever files you want to keep (for example, copy them to your AFS home directory – and here’s how to access AFS from Virtual DICE) then shut down and delete your Virtual DICE version, then install the new version instead.

To find out more read the Virtual DICE help pages.

Posted in Uncategorized | Leave a comment

OpenVPN configuration files

The new OpenVPN configuration files which we have been beta-testing for the last month or so have now gone live, and our computing.help pages have been updated.

These configuration files are intended to have essentially the same effect as the previous ones.  The only difference is that some configuration statements have been updated in line with the syntax expected by newer OpenVPN versions.  If the configuration files you currently use work then there is no particular reason to install the new ones immediately, other than that IPv6 is now enabled through the tunnel. However, you may want to do so anyway, in case an upgrade to your machine results in the old ones no longer being accepted and you lose OpenVPN access at an inconvenient time.

We have changed the naming of the new files, partly so that the intended behaviour is clearer, and partly so that the new ones can be installed alongside the old ones.  The new structure is explained in the README that goes with the configuration files.

We have also introduced the ability to have a separate “/ovpn” secondary identity, for those users who find it uncomfortable having their mobile devices remembering their DICE password.  This identity provides OpenVPN access only; it does not allow access to any other Informatics services.  If you would like to make use of this feature, please contact us through the support form in the usual way.

Posted in Uncategorized | Leave a comment