AYIYA even if native IPv6 exists
Shadow Hawkins on Wednesday, 19 December 2012 09:46:17
Hey there.
I didn't find anything about this topic. If there is some info that I didn't find, please excuse and just point me to that.
To make long things short: What if a computer already has a working IPv6 connection and runs a Sixxs tunnel with AYIYA?
I plan to change a companies network to IPv6, since this would make routing and the overall network configuration (which is a couple of nested IPv4 NATs currently) a bit easier.
The "company" consist of four regular working people in an office as well as three to four external users. The external users don't come with their own devices but get one pre-configured mobile computer (I configure them and lock them to avoid them from being reconfigured). So the only thing the external users do is fetching a device at my office and connect it to whatever internet connection they have.
This brings kind of inconsistent IP connectivity. One external worker currently has a running native IPv6 connection. Another external worker currently has nut but most likely will receive in the next couple of month (German Telecom doesn't really tell their customers much about how fast the migration will be, but I'm sure they will migrate within the next year). And another worker doesn't have native IPv6 at all and most likely will not get.
Another point of inconsistent connectivity situation is: The external computers are mobile computers, and the workers are free to e.g. plug them to starbucks or other public hotspots where I don't know anything about IPv6 connectivity.
So, my question is: What happens if a computer already has an up and running IPv6 connection and additionally starts AYIYA?
Will this make AYIYA stop working or will AYIYA create a new IPv6 interface which might or might not overwrite the default ipv6 gateway?
Both sithation don't bother me much. But could also be a third one: "Don't do this, ever, since they will conflict and most likely make your IPv6 stop working completely".
There's another question about account sharing. I could open a new thread, but this would require me to copy most of the explanation about my network situation above. So I just drop it here. If you like me to switch to a separate thread, just tell me.
As I mentioned, my external workers might or might not have IPv6. So I plan to create separate tunnels for them and install the AYIYA client on each of the the external computers. Since it's a company network and all managed by me and the external workers are not allowed to do any configuration on their own, nor are they allowed to use the company computer for anything els then connectiong to the company network and work:
Is it allowed to create additional tunnels for each external worker within one single company account/role?
Your note at the FAQ part for additional account ("how many accounts (...)") only talks about "two accounts for on person in case of separation of business use".
Kind regards,
Stephan.
AYIYA even if native IPv6 exists
Jeroen Massar on Wednesday, 19 December 2012 11:05:56
Before answering your question, if you are going IPv6-only you might want to consider a mechanism ala Microsoft's DirectAcccess: giving hosts the IPSEC keying material and adding IPSEC Authentication to every packet being send to your servers, that way, based on IPSEC Authentication you can verify that the source is really who they say you are, and more importantly, anything that is not properly IPSEC authenticated can be silently dropped as it should not be there.
So, my question is: What happens if a computer already has an up and running IPv6 connection and additionally starts AYIYA?
First of all, AYIYA is a tunneling protocol, you are thus likely more meaning of AICCU, the tool.
Will this make AYIYA stop working or will AYIYA create a new IPv6 interface which might or might not overwrite the default ipv6 gateway?
It depends on the operating system more than anything, but likely you will end up with two default routes, and traffic will go over either the native or the tunnel.
But could also be a third one: "Don't do this, ever, since they will conflict and most likely make your IPv6 stop working completely".
It will be unpredictable, which is a bad thing.
Is it allowed to create additional tunnels for each external worker within one single company account/role?
Tricky question, but, in your specific case (you preconfig the machines), you are the network operator/administrator. As such, one account with multiple tunnels might be the right thing.
You can use the "TIC password" feature to have a per-tunnel password which is present in the aiccu.conf so that it does not disclose your main password.
The work/home account situation is for people who want to have connectivity at work they want to share with others that work there (thus that the network is used by people at work), while they can use the home one independently. This is especially important when one changes jobs so that they can request the account to be changed to the name of the new person in charge of that network.
AYIYA even if native IPv6 exists
Shadow Hawkins on Wednesday, 19 December 2012 12:08:13
Hi Jeroen.
Thank you for your response.
Ok, AYIYA is only the protocol, AICCU the tool. Noted.
If it's very likely to have two different IPv6 routes and the OS selects one, that's "not nice, but should work".
But since no single ISP will completely skip IPv4, I think about completely disabling native IPv6 on the machines network interface and totally go AICCU. Or create a little script that enables and disables AICCU on demand when detecting multiple public IPv6 routes.
But good to know that AICCU itselfe doesn't handle this case and have to take care myselfe.
The "tricky question" was exactly the reason for me to ask :). Since it's not the computer users responsibility sondern my responsibility of IT hardware and network maintainer to create proper networking, I thought a company account with multiple tunnels will be the right thing. Adding a per-tunnel password in TIC configuration was exactly what I had in mind. There's clearly no doubt about being able to create such a tunnel.
The only unclear thing was the legal case: If ths counts as unallowed account sharing or as allowed comany role usage.
So I'm sattisfied to hear you understanding it the way I understand it.
I just (not really "just", but yesterday evening) wrote an email to info@ and requested a company account, since I don't know if I will be the maintainer forever.
Thank you very much,
Stephan.
AYIYA even if native IPv6 exists
Jeroen Massar on Wednesday, 19 December 2012 12:14:04 Or create a little script that enables and disables AICCU on demand when detecting multiple public IPv6 routes.
Never ever automatically start/stop AICCU. It will just end up in some corner case where you end up hammering our TIC servers and then you being blocked.
But good to know that AICCU itselfe doesn't handle this case and have to take care myselfe.
AICCU cannot know this. You start it, thus it sets up a tunnel for you, as such it can only assume you are starting it because you want that tunnel, it cannot make any assumptions on how you configure/setup things.
The only unclear thing was the legal case:
Note that it has nothing to do with 'legal', it is a mere rule.
AYIYA even if native IPv6 exists
Shadow Hawkins on Wednesday, 19 December 2012 12:53:45
:) I wouldn't create start/stop scripts that flicker every now and then. As you said, this sounds like the most common way to annoy people.
I thought about creating an operation system startup script that skips completely starting AICCU if IPv6 connection is detected. That avoids connecting to TIC servers at all if native IPv6 is present and does no more connections to TIC then default starting AICCU would do itself. All goes as a one-shot on operationg system startup time.
I clearly will not creat something that tries to determine network configuration periodically and interact with AICCU by starting and stopping it.
But if you care your TIC servers that much (don't get me wrong, you're totally right to care), it might be better to disable native IPv6 completely on those computers that don't have IPv6 currently and go AICCU fromt the beginning. Then I can update to native IPv6 as soon as the ISP provides it by manually reconfiguring the machines.
Additionally, thank you for your response.
Kind regards,
Stephan.
AYIYA even if native IPv6 exists
Jeroen Massar on Thursday, 20 December 2012 10:36:52 But if you care your TIC servers that much (don't get me wrong, you're totally right to care),
The little forgotten part is that when they get, effectively, DoS'd that they are also unavailable for other users and then those users will in turn complain again as it does not work, that is why we care.
Also it is a useless waste of bandwidth and resources,, we rather avoid that completely.
it might be better to disable native IPv6 completely on those computers that don't have IPv6 currently and go AICCU fromt the beginning.
The big advantage of that being consistency but also the fact that you know the source addresses of hosts who are going to connect to your other hosts.
AYIYA even if native IPv6 exists
Shadow Hawkins on Thursday, 20 December 2012 10:46:35 The little forgotten part is that when they get, effectively, DoS'd
Nop, not forgotten but only not mentioned. That's the "don't get me wrong" part. Should be: "If I was you and if it was my responsibility, I would care as much as you do". I'm totally fine with you firing the harshest words you have to avoid someone attacking your infrastructure, even if it's just by accident.
Now I remain in silence and wait until somebody answers my email request for an additional company-bound account.
Regards,
Stephan.
Posting is only allowed when you are logged in. |