Consensus Hallucination
2008-02-27
Some Vital Statistics
171 beats per minute (allegro).
2.5 centimeters long (bellissimo).
2008-01-23
Playing with IPv6
Jumped onto what used to be the 6bone the other day. I even set up the IPv6 route prefixes on my FreeBSD router, but it looks like route advertisements and router solicitations aren't working properly (probably because of my firewall). My understanding is that IPv6 also relies a lot on multicast, so I'm going to see if I can get the right multicast routes set up such that at least DNS and NTP work on the clients without having to set anything up in DHCP/DHCPv6.
Fortunately, pf already supports IPv6 side-by-side with IPv4, so I won't have to tear up my new firewall policy just for experimentation's sake.
UPDATE: rtadvd wasn't running on the correct set of network interfaces, hence router solicitation wasn't working. After restarting rtadvd and running "netsh interface ipv6 renew" (view the address assignments with "netsh interface ipv6 show address"), I can finally see the dancing KAME!
2008-01-20
My Tor Exit Has Been Noticed
TCP and UDP port scans from multiple subnets. Nice. I need to get the IDS running so that I can start blackholing this kind of crap.
2008-01-16
OpenVPN and Quagga
Required background information:
- Technical description of OSPF (from the Cisco Internetworking Technology Handbook)
- Technical description of RIPv2 (also from Cisco)
- Quagga reference documentation
- A good OSPF configuration example (from the Linux Advanced Routing and Traffic Control how-to)
In OSPF terms, the OpenVPN tunnels form the backbone network (area 0.0.0.0). In order to get OSPF working over the OpenVPN tunnels, one should use the tap(4) interface driver, which supports the multicast and broadcast traffic types employed by OSPF. (Unicast communications are possible but require hard coding border router addresses, defeating the purpose of an automatically configured routing hierarchy.) One must also ensure that each participating router does not filter the OSPF traffic in or out of the appropriate interfaces. The last required configuration change involves removing all route, push "route ...", and iroute commands from the OpenVPN configuration files, as they will not be necessary once OSPF is operational.
The installation and configuration of Quagga is a lot simpler than it might seem at first. On FreeBSD, install Quagga from ports using a command like:
portinstall --batch quagga
Then enable and start the service with commands similar to the following:
echo 'quagga_enable=YES' >> /etc/rc.conf
echo 'quagga_daemons="zebra ospfd"' >> /etc/rc.conf
touch /usr/local/etc/quagga/{zebra,ospfd}.conf
/usr/local/etc/rc.d/quagga start
Rather than creating a new configuration out of nothing, it's easier to create empty configuration files and then use vtysh to set up the zebra and ospfd services. The initial configuration can be very simple. Assuming that each site's internal networks are allocated out of 10.0.0.0/8 and that the OpenVPN backbone network lives somewhere in 172.16.0.0/12, each router can be configured with commands reminiscent of Cisco IOS:
# vtysh
hostname# configure terminal
hostname(config)# log syslog
hostname(config)# router ospf
hostname(config-router)# log-adjacency-changes
hostname(config-router)# network 172.16.0.0/12 area 0.0.0.0
hostname(config-router)# network 10.0.0.0/8 area WWW.XXX.YYY.ZZZ
hostname(config-router)# end
hostname# copy running-config startup-config
hostname# quit
Replace "WWW.XXX.YYY.ZZZ" with a unique area identifier for each site (e.g., "0.0.0.1" for the first site, "0.0.0.2" for the second, and so on).
I also happen to be running OpenVPN and Quagga on WRT54G/GS access points that run the OpenWRT Linux distribution. Installing and configuring Quagga is a little more difficult in this instance, given the space limitations typical of embedded hardware and because the current OpenWRT distribution (Kamikaze 7.09) does not include binary packages for Quagga. One can install older Quagga binaries built for a previous Kamikaze release using the following commands:
ipkg install http://downloads.openwrt.org/kamikaze/7.06/brcm-2.4/packages/quagga_0.98.6-1_mipsel.ipk
ipkg install http://downloads.openwrt.org/kamikaze/7.06/brcm-2.4/packages/quagga-libzebra_0.98.6-1_mipsel.ipk
ipkg install http://downloads.openwrt.org/kamikaze/7.06/brcm-2.4/packages/quagga-libospf_0.98.6-1_mipsel.ipk
ipkg install http://downloads.openwrt.org/kamikaze/7.06/brcm-2.4/packages/quagga-ospfd_0.98.6-1_mipsel.ipk
(Be sure to use binary packages compiled for the proper hardware platform. The example above will only work on Broadcom hardware.)
Then enable and start the service with the following commands:
echo "password accesspassword" > /etc/quagga/zebra.conf
echo "enable password enablepassword" >> /etc/quagga/zebra.conf
cp /etc/quagga/zebra.conf /etc/quagga/ospfd.conf
/etc/init.d/quagga enable
/etc/init.d/quagga start
My WRT54GS doesn't have enough room for the vtysh binary and its dependencies (readline, ncurses), so I had to configure Quagga by using telnet to connect to its service ports: 2601/tcp for zebra and 2604/tcp for ospfd:
# telnet localhost 2601
Password: accesspassword
hostname> enable
Password: enablepassword
hostname# configure terminal
hostname(config)# log syslog
hostname(config)# end
hostname# copy running-config startup-config
hostname# quit
# telnet localhost 2604
Password: accesspassword
hostname> enable
Password: enablepassword
hostname# configure terminal
hostname(config)# log syslog
hostname(config)# router ospf
hostname(config-router)# log-adjacency-changes
hostname(config-router)# network 172.16.0.0/12 area 0.0.0.0
hostname(config-router)# network 10.0.0.0/8 area WWW.XXX.YYY.ZZZ
hostname(config-router)# end
hostname# copy running-config startup-config
hostname# quit
Again, replace "WWW.XXX.YYY.ZZZ" with a unique area identifier for each site (e.g., "0.0.0.1" for the first site, "0.0.0.2" for the second, and so on). Once satisfied that Quagga is configured properly, remove the password and enable password settings in /etc/quagga/zebra.conf and /etc/quagga/ospfd.conf to disable remote administrative access to the routing software.
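As an added example (not part of the original post), here is a small audit script that reads the ospfd.conf each router ends up with after the sessions above and checks the three things the procedure requires: the OpenVPN backbone 172.16.0.0/12 sits in area 0.0.0.0, every site's 10.0.0.0/8 network sits in a unique non-backbone area, and no vty "password"/"enable password" lines are left behind. The sample configurations are constructed; site names and the audit() function are mine.

```python
import ipaddress
import re

# Constructed sample configs: site2 reused site1's area id, and site3 still
# carries the vty passwords from the OpenWRT bootstrap step.
SITE_CONFIGS = {
    "site1": "log syslog\n!\nrouter ospf\n log-adjacency-changes\n"
             " network 172.16.0.0/12 area 0.0.0.0\n network 10.0.0.0/8 area 0.0.0.1\n",
    "site2": "log syslog\n!\nrouter ospf\n log-adjacency-changes\n"
             " network 172.16.0.0/12 area 0.0.0.0\n network 10.0.0.0/8 area 0.0.0.1\n",
    "site3": "password accesspassword\nenable password enablepassword\n"
             "log syslog\n!\nrouter ospf\n"
             " network 172.16.0.0/12 area 0.0.0.0\n network 10.0.0.0/8 area 0.0.0.3\n",
}

BACKBONE = ipaddress.ip_network("172.16.0.0/12")   # OpenVPN tunnel network
INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # per-site internal networks
# Quagga 'network PREFIX area ID' lines; dotted-quad area ids as in the post.
NET_RE = re.compile(r"^\s*network\s+(\S+)\s+area\s+(\S+)\s*$")
PASSWORD_RE = re.compile(r"^\s*(enable\s+)?password\s", re.M)


def parse_networks(conf):
    """Return [(network, area_id), ...] from the 'network ... area ...' lines."""
    return [(ipaddress.ip_network(m.group(1)), m.group(2))
            for m in map(NET_RE.match, conf.splitlines()) if m]


def audit(site_configs):
    """Return a list of problems; an empty list means the routers are consistent."""
    problems = []
    seen_areas = {}  # area id -> site that claimed it
    for site, conf in site_configs.items():
        nets = parse_networks(conf)
        if (BACKBONE, "0.0.0.0") not in nets:
            problems.append(f"{site}: backbone {BACKBONE} is not in area 0.0.0.0")
        for net, area in nets:
            if not net.subnet_of(INTERNAL):
                continue
            if area == "0.0.0.0":
                problems.append(f"{site}: internal {net} must not be in the backbone area")
            elif area in seen_areas:
                problems.append(f"{site}: area {area} already used by {seen_areas[area]}")
            else:
                seen_areas[area] = site
        if PASSWORD_RE.search(conf):
            problems.append(f"{site}: vty password still set; remove it once configured")
    return problems


if __name__ == "__main__":
    for problem in audit(SITE_CONFIGS):
        print(problem)
```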
2007-12-19
Just a friendly reminder that asshats come in all shapes, sizes, and colors.
Please put up your hands for Terry Bisson!