Loopback Filter with Truman Boyes

Truman Boyes on Data Centers, Routing, Switching, Consulting, and Traveling.

Browsing Posts in ipv6

I thought that I should write this post after I began discussing a method to convert between the base 10, base 2, and base 16 ways of conveying numbers; and since Phil and I were talking about this today, I figured the information would possibly be of use for some people out there that deal with IPs, subnetting, and even making sense of IPv6 addresses. I am going to take only a slightly mathematical approach, and gear this for the completely practical or more visual mind.

Let’s say that you have the IP address 192.168.20.1 and you need to represent it in binary for some reason. How would you do this? First you should understand that each number in the dotted decimal notation is a byte, or rather 8 bits. Secondly, it is important to consider that each bit has a given value and can be either on or off.

The left-most bit is the most significant bit (it has the highest value), so we can think of the bits as having the following values: 128, 64, 32, 16, 8, 4, 2, 1. In this list we have 8 different bits, and combinations of these bits can be on to form a maximum value of 255. If we want to represent the IP address 192.168.20.1, we can simplify our task by working through each octet one bit at a time.

192 = 11000000

168 = 10101000

20 = 00010100

1 = 00000001

You could write the entire IP in binary form as: 11000000.10101000.00010100.00000001

Then you may want to convert to hexadecimal. This is very easy to do and is similar to the approach we just took in converting to binary form. The notable difference with hexadecimal is that it is a base 16 system, so the digits look like this: 0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F. You can think of the mapping as A=10, B=11, … , and F=15.

If we want to convert the first octet (8 bits), with the value 192, to hexadecimal, do the following: take the binary value ‘11000000’ and split it into two equal parts of 4 bits, 1100 and 0000. Now assign a value to each bit just as we did for the full octet, but with only four positions the values are 8, 4, 2, 1. For the set ‘0000’ we can safely say that the value is ‘0’. For the set ‘1100’ the most significant bit is worth ‘8’ and the second bit is worth ‘4’, so we sum these and get ‘12’. In hex the decimal value ‘12’ is ‘C’.

We have ‘C’ and ‘0’, so we can write this as ‘0xC0’. This value is the same as the decimal value 192.

Now onto some slightly harder stuff. Let’s take the IPv6 address 2001:470:8859:beef:21f:f3ff:fed2:d571, which just happens to exist on my network. Let’s say that some application programming I am working on requires that I convert the network value ‘2001:470:8859:beef’ to binary notation. Each 16-bit group (hextet) is written with leading zeros and split into two bytes, and each byte is converted exactly as the IPv4 octets were above. Here is what I would do:

2001 = 20 01

20 = 00100000

01 = 00000001

0470 = 04 70

04 = 00000100

70 = 01110000

8859 = 88 59

88 = 10001000

59 = 01011001

beef = BE EF

BE = 10111110

EF = 11101111

Put that all together (two bytes per hextet, hextets separated by colons) and you have:
0010000000000001:0000010001110000:1000100001011001:1011111011101111

Easy as pie.
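The same three conversions done in code, as an added example that is not part of the original post: dotted decimal to binary, an octet to hex by weighing each nibble with 8, 4, 2, 1 exactly as above, and an IPv6 prefix to binary using the standard library’s zero-padded (exploded) form. It is checked against the two addresses the post works through by hand.

```python
import ipaddress


def ipv4_to_binary(addr: str) -> str:
    """Render a dotted-decimal IPv4 address as four 8-bit groups."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {addr!r}")
    # format(..., "08b") zero-pads to the full 8 bits, e.g. 1 -> 00000001
    return ".".join(format(o, "08b") for o in octets)


def octet_to_hex(octet: int) -> str:
    """Convert one octet to hex the way the post does by hand:
    split the 8 bits into two nibbles and weigh each with 8, 4, 2, 1."""
    if not 0 <= octet <= 255:
        raise ValueError("an octet must be between 0 and 255")
    bits = format(octet, "08b")
    digits = "0123456789ABCDEF"          # 10..15 map to A..F
    out = ""
    for nibble in (bits[:4], bits[4:]):
        value = sum(w for w, b in zip((8, 4, 2, 1), nibble) if b == "1")
        out += digits[value]
    return "0x" + out


def ipv6_prefix_to_binary(addr: str, hextets: int = 4) -> str:
    """Render the first `hextets` 16-bit groups of an IPv6 address in binary.

    `exploded` restores the leading zeros that the compressed form drops
    (470 -> 0470), which is the step that is easy to get wrong by hand.
    """
    full = ipaddress.IPv6Address(addr).exploded   # always 8 zero-padded groups
    groups = full.split(":")[:hextets]
    return ":".join(format(int(g, 16), "016b") for g in groups)


if __name__ == "__main__":
    print(ipv4_to_binary("192.168.20.1"))
    print(octet_to_hex(192))
    print(ipv6_prefix_to_binary("2001:470:8859:beef:21f:f3ff:fed2:d571"))
```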

Secure Computing Magazine states that IPv6 presents a clear and present danger to the security of many operating systems. As true as this blanket statement is, it also lacks the necessary qualification of the real problems, which lie in having a loose definition of perimeters and trust models. I tried to correct or leave a comment for them on their site, but it appears they have some server-side issues with their comments plug-in.

My comments were to state that for one thing, they didn’t get the maths around IPv6 address sizing correct, likely because their HTML skills didn’t allow for using exponents. The number of addresses in IPv6 is 2^128 or 3.4 * 10^38.

Additionally, the discussion around IPv6-enabled OSes causing issues does not describe the fact that most IPv6-enabled computers do not automatically tunnel with Teredo, 6in4 or 6to4; instead they get link-local addresses on their Ethernet links. Yes, the Apple Airport Extreme will also allow for 6to4 mode and then assign global-scoped addresses to IPv6 clients, but this is not truly default behavior. As IPv6 is a direction that we need to go, the more hurdles and security propaganda that are positioned to scare us away from using the technology, the harder and longer it will be to take the path to co-existence with IPv4.

The following grep and egrep commands will match on the IPv6 address blocks that have been assigned so far (I updated this to match on the AFRINIC block):

grep smtp /var/log/maillog | egrep '(\[2[02468]0[1-3]:|\[2A00:|\[2C00:)'

Which shows logs like the following:

May 28 05:00:50 inanna postfix/smtpd[25029]: connect from mout4.freenet.de[2001:748:100:40::2:6]
May 28 05:00:50 inanna postfix/smtpd[25029]: setting up TLS connection from mout4.freenet.de[2001:748:100:40::2:6]
May 28 05:00:50 inanna postfix/smtpd[25029]: TLS connection established from mout4.freenet.de[2001:748:100:40::2:6]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
May 28 05:00:50 inanna postfix/smtpd[25029]: NOQUEUE: reject: RCPT from mout4.freenet.de[2001:748:100:40::2:6]: 450 <truman@suspicious.org>: Recipient address rejected: Greylisted for 300 seconds (see http://isg.ee.ethz.ch/tools/postgrey/help/suspicious.org.html); from=<anthony_steven200888@live.com> to=<truman@suspicious.org> proto=ESMTP helo=<mout4.freenet.de>
May 28 05:00:51 inanna postfix/smtpd[25029]: disconnect from mout4.freenet.de[2001:748:100:40::2:6]
May 28 06:19:02 inanna postfix/smtpd[25551]: connect from mout4.freenet.de[2001:748:100:40::2:6]
May 28 06:19:03 inanna postfix/smtpd[25551]: setting up TLS connection from mout4.freenet.de[2001:748:100:40::2:6]
May 28 06:19:03 inanna postfix/smtpd[25551]: TLS connection established from mout4.freenet.de[2001:748:100:40::2:6]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
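An alternative to enumerating RIR prefixes in an egrep pattern (which has to be extended every time a new block is assigned and is case-sensitive against 2A00/2C00) is to parse the address out of each smtpd "connect from" line and test it against 2000::/3, the whole global unicast range. This is an added example, not the post's own regex; the log lines it runs on are constructed in the style of the ones above.

```python
import ipaddress
import re

# Constructed sample in the format Postfix uses: "connect from hostname[address]".
# 2001:db8::/32 and 203.0.113.0/24 are documentation ranges, not real peers.
SAMPLE_LOG = """\
May 28 05:00:50 inanna postfix/smtpd[25029]: connect from mout4.freenet.de[2001:748:100:40::2:6]
May 28 05:00:51 inanna postfix/smtpd[25029]: disconnect from mout4.freenet.de[2001:748:100:40::2:6]
May 28 05:02:11 inanna postfix/smtpd[25030]: connect from unknown[fe80::1]
May 28 05:03:45 inanna postfix/smtpd[25031]: connect from mail.example.net[203.0.113.7]
May 28 05:04:02 inanna postfix/smtpd[25032]: connect from mx.example.org[2001:db8:1::25]
"""

# The ": " before "connect" keeps "disconnect from" lines from matching.
CONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: connect from (?P<host>\S+)\[(?P<addr>[^\]]+)\]"
)

# Every prefix the post's egrep enumerates (2001, 2401, 2A00, 2C00, ...) lies in 2000::/3.
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def ipv6_connections(log_text):
    """Return (hostname, IPv6Address) for each inbound IPv6 SMTP connection."""
    found = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group("addr"))
        except ValueError:
            continue  # malformed address field: skip it rather than crash
        if addr.version == 6:
            found.append((m.group("host"), addr))
    return found


def global_unicast_only(conns):
    """Drop link-local (fe80::/10) and other non-routable peers, keeping 2000::/3."""
    return [(host, addr) for host, addr in conns if addr in GLOBAL_UNICAST]


if __name__ == "__main__":
    for host, addr in global_unicast_only(ipv6_connections(SAMPLE_LOG)):
        print(f"{host} {addr}")
```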

Since I enabled IPv6 on Postfix and ensured the DNS records are correct, we have been sending and receiving email with various IPv6-enabled sites. So far it is looking good; even the TLS-encrypted sessions are working over IPv6. The next step is to make sure that some of the other mail-related programs, such as postgrey and some of the RBL sites that are enabled, will correctly handle IPv6.

I will post some regex that I put together for grepping IPv6 connections out of the mail logs. Currently I am in the Qantas Club using a shared computer and my flight is boarding for Wellington. More later.


Finally got around to enabling IPv6 on Postfix for suspicious.org. For the longest time the IPv6 tunnel was up to Hurricane Electric, and yet aside from ping6, traceroute6, and the webserver, we weren’t really using production IPv6 services. I think the real killer app on the Internet is still email, even if it is pale in comparison to the bandwidth of p2p traffic flows; without email being seamlessly carried over IPv6 networks, we don’t have a chance in hell of converting the masses to the new protocol. My main goal is to provide all the same services on IPv6 as we do on IPv4, and then when I have some time I will set up some v6-only services that create an incentive for the switch.

Postfix is now fully IPv6 enabled. Our main box, inanna, is running Linux, and we have SIT interfaces for the IP-IP tunnels back to the tunnel brokers. If Speakeasy starts providing native IPv6 services I would easily switch over to a dual-stack setup with them; in the meantime the tunnel broker service is in NYC and the round-trip time is less than 15 ms from our box. Not too bad.

Setting up Postfix for IPv6 service is as simple as this statement in main.cf:

inet_protocols = ipv4,ipv6

The hard part after setting this up and restarting Postfix is finding an IPv6 SMTP server on the Internet. I would love to see some stats about reachable IPv6 SMTP servers, because most of the sites I checked that even talked about IPv6 did not turn up IPv6 SMTP. That being said, after some digging I found that the Pittsburgh Supercomputer Center (psc.edu) has IPv6-enabled MTAs, so I tested some random addresses at their server and hoped for a bounce message with some information indicating the message was sent via IPv6:

<test@psc.edu>: host mailer1.psc.edu[2001:5e8:1:3a::64] said: 550 5.1.1
<test@psc.edu>… User unknown (in reply to RCPT TO command)
Reporting-MTA: dns; dns.suspicious.org
X-Postfix-Queue-ID: 68F217CE4
X-Postfix-Sender: rfc822; truman@suspicious[nospam].org
Arrival-Date: Sat, 24 May 2008 04:16:10 -0400 (EDT)

Final-Recipient: rfc822; test@psc.edu
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host mailer1.psc.edu[2001:5e8:1:3a::64] said: 550
5.1.1 <test@psc.edu>… User unknown (in reply to RCPT TO command)

Then I wanted to verify that the outbound message from our MTA to their MTA was sent via IPv6; to do this I just checked the logs:

[root @ inanna : /etc/postfix]>grep smtp /var/log/maillog | grep "\[2001"
May 25 00:24:57 inanna postfix/smtp[8108]: 6781615C6B: to=<test@psc.edu>, relay=mailer1.psc.edu[2001:5e8:1:3a::64], delay=2, status=bounced (host mailer1.psc.edu[2001:5e8:1:3a::64] said: 550 5.1.1 <test@psc.edu>… User unknown (in reply to RCPT TO command))

I haven’t yet tested inbound IPv6 to our MTA, but I presume it is working because I have set up A and AAAA records for the MX hosts of our domains. Subscribing to a mailing list that uses IPv6 MTAs should be a good test.