Getting Started with IPv6 (Mark Hollinger)
- Host queries will return both v4 and v6 records:
  overkill(shand)$ host ipv6.hp.com
  ipv6.hp.com has address 156.152.32.70
  ipv6.hp.com has IPv6 address 2620::a00:f101:156:152:32:70
- Term "subnet" has been replaced with the term "link" or "prefix"
- v6 addresses have a scope and a lifetime
- v6 doesn't have broadcast addresses, use multicast instead
- Made up of two parts, the prefix plus an interface id, so the routing information is separated from who you are
- Link local addresses start with fe80; they are automatically configured for each interface and only usable on the local network
- A partial address ending in "::" means fill remaining address space with 0's
- Top level network prefixes and conventions which it's useful to know:
  ::/128 unspecified address, all zeros
  ::1/128 loopback address
  2001:db8::/32 is for documentation only
  2002::/16 6to4 addresses
  fc00::/8 globally unique local addresses
  fd00::/8 ula RFC4193 (equiv to RFC1918)
  ff00::/8 multicast
- Neighbour discovery is roughly equivalent to arp
- Stateless address auto-configuration means the host gets its own IP based on an advertised router prefix
- Stateful address configuration means you use DHCPv6
- Right hand part of the address used to be based on the MAC address; this was great except it had significant security concerns, fixed by using a random number instead of the MAC (RFC3041). Vista uses this even for link local addresses (can be disabled)
- DHCPv6 can generate the RFC3041 randomised IP addresses for clients
- v6 allows you to have multiple IPs per interface and you can regenerate RFC3041 addresses as often as you like, so you can regenerate IPs every 30 minutes and even have different browser windows (or applications) bound to different IPs. You could even have one IP for your work personality and another for your personal activity.
- Dynamic DNS exists for v6 and is increasingly important to deal with the length of v6 addresses
- You can put v6 addresses into URLs by using square brackets eg, http://[2620::...]/
- Google works on http://ipv6.google.com/
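As an added example (not part of the original notes), this Python script uses the standard library to expand the "::" shorthand, split an address into its prefix and interface id, classify addresses against the prefix table above, and pull a bracketed v6 literal out of a URL. It adds fe80::/10 for link local addresses; the /10 length is assumed from RFC 4291 and is not given in the notes.

```python
import ipaddress
from urllib.parse import urlsplit

# Prefix table copied from the notes; fe80::/10 (link local) is added from RFC 4291.
PREFIX_TABLE = [
    ("::/128", "unspecified"),
    ("::1/128", "loopback"),
    ("2001:db8::/32", "documentation only"),
    ("2002::/16", "6to4"),
    ("fc00::/8", "unique local (fc00 half)"),
    ("fd00::/8", "unique local, RFC 4193 (equiv. to RFC 1918)"),
    ("ff00::/8", "multicast"),
    ("fe80::/10", "link local"),
]
NETWORKS = [(ipaddress.IPv6Network(p), name) for p, name in PREFIX_TABLE]


def expand(addr):
    """Fill the '::' shorthand out to all eight 16-bit groups, zero padded."""
    return ipaddress.IPv6Address(addr).exploded


def classify(addr):
    """Longest-prefix match against the table; anything else is global unicast."""
    ip = ipaddress.IPv6Address(addr)
    best = None
    for net, name in NETWORKS:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else "global unicast"


def split_prefix_iid(addr, prefixlen=64):
    """Split an address into its routing prefix and interface id (hex string)."""
    net = ipaddress.IPv6Network((addr, prefixlen), strict=False)
    host_bits = 128 - prefixlen
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << host_bits) - 1)
    return str(net), format(iid, "0%dx" % (host_bits // 4))


def host_from_url(url):
    """Pull a bracketed v6 literal out of a URL such as http://[2620::1]/"""
    return urlsplit(url).hostname


if __name__ == "__main__":
    sample = "2620::a00:f101:156:152:32:70"  # address from the host lookup above
    print(expand(sample), classify(sample), split_prefix_iid(sample))
    for a in ("::1", "fe80::1", "2001:db8::1", "ff02::1", "fd12:3456::1"):
        print(a, "->", classify(a))
```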
Implementing and Managing Linux and Solaris on Proliant (Marc Semadeni)
- HP is working hard to build a strong set of Linux management tools.
- Most people running Solaris (as opposed to Linux) are using it to host bespoke applications
- SSST (SmartStart Scripting Toolkit) mass deployment tools including firmware updates and configuration (RAID, HBA, iLO). Looks like it integrates with Kickstart on Linux.
- SIM (Systems Insight Manager) ... looks like OA interface for all HP stuff?
- ICE (Insight Control Environment) for Linux - role based access, bare metal discovery and deployment, power control, monitoring for alerts, history and reporting/graphing
- ServiceGuard - HA system for Oracle and SAP on both Solaris and Linux. Also supports Apache, MySQL, NFS, PostgreSQL, Samba, Sendmail and Tomcat. Multi server and multi data centre failover.
Networking Technology Roadmap
- SFP+ is a new lower power/cost version of an XFP (backed by Cisco but standards based?)
- New POE standard 802.3at can deliver up to 24W over cat5e
- WiMax has personal (802.16) and mobile versions (802.20)
- 802.11p is a new protocol to allow cars to talk to each other (eg. so one car can tell a car behind it that it's slammed on the brakes) cute.
- Evolution of GSM is LTE ... combined voice/data up to 100Mbps (down) and 50Mbps (up) at up to 15kph and up to 120kps at bullet train speeds.
- Power requirements are the main hold back on 10G-BASE-T
- 802.3az is a new low power spec for ethernet, it will use 2-3W less per ethernet port (yikes!)
- There's a new PCI spec for allowing virtualised hosts to talk directly to the hardware (scary ...)
- New term, wireless RAN for "Rolling Area Network"
- Information at http://www.hp.com/go/HPCpodcasts
Introduction to SELinux
- Utilities mostly use "-Z" switch for displaying SELinux info. (eg. "ls -Z", "ps -Z" or "id -Z")
- Manage security contexts with "chcon" and "restorecon"
- Commands "getenforce" and "setenforce" enable/disable SELinux
- RHEL SELinux supports three modes: enforcing (requires SELinux to be configured correctly for the app), permissive (only warns instead of enforcing) and disabled.
- "audit2allow" will let you create a security policy from the log file
- Dan Walsh is Red Hat SELinux project manager - http://danwalsh.livejournal.com/
- "SELinux by Example" by Frank Mayer is a great resource
- "SELinux: A New Approach to Secure Systems" white paper by Chris Runge
- Policy data is stored in the file inode and so it requires filesystem support.
- It can support files over NFS but only with a SELinux aware NFS server.