1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Sat Apr 06, 2019 5:15 am Post subject: ipv6 query multicast address to get unicast address
Hi,
I would like to use a bash shell to query a multicast ipv6 address and get back a list of unicast addresses.
For example, I would like to ping ff05::101 and get back a list of ntp servers on my site. Or ping ff05::2 to get all the routers.
Ping doesn't work. It doesn't have to be ping, I just want something that will give me all listeners for some multicast address for the scope specified.
I know that the multicast address is only supposed to be a destination address, so you won't ever get a response from that multicast address. The remote service is supposed to respond with its unicast address, either link-local or site-local or whatever.
I thought I had this figured out once. I lost it.
Thanks. |

Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Sat Apr 06, 2019 4:43 pm
I think you want ff02, not ff05... |

1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Sat Apr 06, 2019 4:58 pm
For routers yes, for ntp servers ff05 is correct. |

Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Sat Apr 06, 2019 5:24 pm
I can't seem to get it to work either...
Code: | ~ # ping ff02::2%eth0
PING ff02::2%eth0(ff02::2%eth0) 56 data bytes
64 bytes from fe80::x:6753%eth0: icmp_seq=1 ttl=64 time=0.044 ms
64 bytes from fe80::y:b95e%eth0: icmp_seq=1 ttl=64 time=0.445 ms (DUP!)
64 bytes from fe80::z:681e%eth0: icmp_seq=1 ttl=64 time=0.691 ms (DUP!)
^C
~ # ping ff05::101%eth0
ping: ff05::101%eth0: Name or service not known |
ff02::101 doesn't get a reply but doesn't fail either. I'm running chrony, and its manpage mentions that address, so I thought it'd work. |

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54831 Location: 56N 3W
Posted: Sat Apr 06, 2019 5:55 pm
Team,
Code: | $ ping ff05::2
PING ff05::2(ff05::2) 56 data bytes
64 bytes from 2a02:8010:c002:3:329:7b89:85e8:62a1: icmp_seq=1 ttl=64 time=0.883 ms |
That's my router's global address on the output side of shorewall6.
Code: | $ ping ff05::101
PING ff05::101(ff05::101) 56 data bytes
^C
--- ff05::101 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 42ms |
is the right result.
I don't have any IPv6 ntp servers.
I was surprised that I did not need to specify an interface.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |

1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Sun Apr 07, 2019 3:20 am
So there's more complication than this.
There are three systems I'm using:
Raspberry pi, raspbian:
This is a stratum 1 time server using GPS.
- Can ping6 ff05::2 (Gets global ipv6 address)
- Can ping6 ff02::2%eth0 (gets fe80 address)
- Can't ping6 ff05::101
- Can't ping6 ff02::101%eth0 (shouldn't be able to, the docs say ntp is site scope but I'm trying it for the sake of being thorough)
Code: |
# ntpq -c rv
associd=0 status=0118 leap_none, sync_pps, 1 event, no_sys_peer,
version="ntpd 4.2.8p6@1.3265-o Wed Sep 14 17:22:48 UTC 2016 (3)",
processor="armv6l", system="Linux/4.9.35+", leap=00, stratum=1,
precision=-18, rootdelay=0.000, rootdisp=1.135, refid=GPS,
reftime=e053e4ba.ddd6ecff Sat, Apr 6 2019 21:53:46.866,
clock=e053e4c4.96e39c0f Sat, Apr 6 2019 21:53:56.589, peer=41578, tc=4,
mintc=3, offset=0.001304, frequency=-6.926, sys_jitter=0.003815,
clk_jitter=0.004, clk_wander=0.000
# ntpq -nc peers
remote refid st t when poll reach delay offset jitter
==============================================================================
o127.127.22.0 .GPS. 0 l 10 16 377 0.000 0.001 0.004
50.205.244.27 .XFAC. 16 u - 1024 0 0.000 0.000 0.000
+128.138.141.172 .NIST. 1 u 15 64 355 45.495 -3.595 0.642
131.107.13.100 .XFAC. 16 u - 1024 0 0.000 0.000 0.000
*74.117.214.3 .PPS. 1 u 58 64 377 109.205 3.735 1.654
-216.229.0.49 128.252.19.1 2 u 31 64 377 45.490 7.445 1.229
-45.79.111.114 216.218.192.202 2 u 57 64 377 69.129 9.205 3.330
-2001:4998:58:18 98.139.133.62 2 u 57 64 377 76.631 6.499 1.409
+50.205.244.20 50.205.244.28 2 u 18 64 377 48.250 0.496 1.657
|
So the ntp server is using ipv6 because one of the peers is an ipv6 address.
The pi has both fe80 addresses and also has a global IPV6.
The pi can reach ipv6 sites on the Internet and make IPV6 connections locally using both fe80 and global addresses. I won't bug you with that stuff.
Code: | # netstat -tunlgp | grep ntp
udp 0 0 192.168.99.91:123 0.0.0.0:* 457/ntpd
udp 0 0 192.168.99.2:123 0.0.0.0:* 457/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 457/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 457/ntpd
udp6 0 0 fe80::ba27:ebff:fec:123 :::* 457/ntpd
udp6 0 0 dad:ea75:dead:beef::123 :::* 457/ntpd
udp6 0 0 ::1:123 :::* 457/ntpd
udp6 0 0 :::123 :::* 457/ntpd
|
So the server is listening on ipv4, ipv6-global and ipv6-link-local.
But it does not seem to be binding to a multicast?
Ubuntu 18.04:
- Can't ping6 ff05::2 (hangs)
- Can ping6 ff02::%enp3s0
- Can't ping6 ff05::101 (hangs)
- Can't ping6 ff02::101%enp3s0 (hangs)
Ubuntu has a fully functional dual ipv4+ipv6 stack. I won't bother you with the evidence.
Its ntp statistics show that it is also getting ipv4 and ipv6 addresses as peers.
Gentoo:
2001:48f8:1044:717
- Can ping ff05::2 (gets global router address)
- Can ping ff02::2%eth1 (gets fe80 address)
- Can't ping ff05::101 (hangs)
- Can't ping ff02::101%eth1 (hangs)
Gentoo also shows ipv6 and ipv4 addresses in the peers list for ntpq.
Observations
- I never knew that you could ping ff05::2 and get your global router. I've spent hours looking for how to do that from the command line. Never occurred to try the thing that makes most sense.
- I don't recall reading anywhere that router multicast worked on any more than link-local scope. So I never tried ff05::2
- My Ubuntu box does not know about ff05::2. Must be one of Lennart's improvements?
- My stratum 1 time server seems to know about IPV6 but does not seem to bind to the multicast address.
- This must be a configuration problem. I'm gonna try Google with different search terms.
As I have determined that this is not strictly a Gentoo problem I don't mind if you don't continue to help. But I'll post a solution if I can figure it out. |

Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Sun Apr 07, 2019 11:10 am
Now that I've tried ff05::* (without interface scope), I get identical results as above: 2 works, 101 does not. I'm still a bit confused that it errors out instantly with an interface specified.
I know I do have working multicast support in the kernel despite all this (using avahi for distcc etc). |

UberLord Retired Dev
Joined: 18 Sep 2003 Posts: 6835 Location: Blighty

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54831 Location: 56N 3W
Posted: Sun Apr 07, 2019 11:38 am
1clue,
Code: | [ ] IP: multicasting | is an optional extra in the kernel, as is Code: | [ ] IPv6: multicast routing |
Do you need them?
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |

1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Wed Apr 10, 2019 11:55 pm
NeddySeagoon wrote: | 1clue,
Code: | [ ] IP: multicasting | is an optional extra in the kernel, as is Code: | [ ] IPv6: multicast routing |
Do you need them? |
Neddy, the last question doesn't really compute.
In the literal sense I don't, because I've been running with this setup for awhile now.
That said, now that I noticed my ntp server is not working the way ntp servers are supposed to work, and that it's not.....Let's just say that it's going to burn my butt until I get it right. As the system in question is Raspbian I don't know if the multicast routing is turned on. I'll investigate. But it does know what multicast is, so I'm going to say the first option is turned on.
It also happens that the devices I'm using are all on the same physical subnet. So ff05::101 should work.
@Ant P: It seems to be different per distro. I started playing with it and found that on some distros, if you do ff02::something without specifying interface it chooses the default route's interface. Others no. The ntp server's only defined multicast is site-local so ff02::101 is not really defined. IMO it would make sense for some things (DNS, ntp servers, etc) to allow scopes like city, state/province, nation or continent. Assuming of course that there were some way of validating a server once the volunteer comes back from the multicast.
Reading this again, I wonder if you mean scope on the site-local (ff05) addresses? Should not be necessary the way I understand the spec, and none of my Linux boxes requires it.
@Uberlord: I tried the configuration options without authentication on the server. Based on that thread you posted, authentication may be required even for local network only. I've done ff02::101%interface, no joy. And no sign that it's actually configured as multicast on the server. |

1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Thu Apr 11, 2019 12:01 am
Again, server is a Raspberry Pi running Raspbian for full disclosure.
From the server:
Code: |
# /usr/sbin/ntpd --version
ntpd 4.2.8p6@1.3265-o Wed Sep 14 17:22:48 UTC 2016 (3)
|
Code: | # netstat -ng
IPv6/IPv4 Group Memberships
Interface RefCnt Group
--------------- ------ ---------------------
lo 1 224.0.0.1
eth0 1 224.0.0.251
eth0 1 224.0.0.1
lo 1 ff02::1
lo 1 ff01::1
eth0 1 ff02::fb
eth0 1 ff02::1:ff82:108d
eth0 1 ff02::1:ffc4:8a7
eth0 1 ff02::1
eth0 1 ff01::1
|
Server's config file, but note that I've been throwing crap in here to see if it works so it's not exactly trim:
Code: | # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntp/ntp.drift
# Enable this if you want statistics to be logged.
statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
server 127.127.22.0 minpoll 4 maxpoll 4
fudge 127.127.22.0 refid GPS
server 0.debian.pool.ntp.org iburst prefer
server 50.205.244.27 iburst
server 128.138.141.172 iburst
server 131.107.13.100 iburst
server 0.us.pool.ntp.org iburst
server 1.us.pool.ntp.org iburst
server 2.us.pool.ntp.org iburst
server 3.us.pool.ntp.org iburst
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255
broadcast ff05::101 ttl 2
broadcast 224.0.1.1 ttl 2
broadcast ff02::101%eth0 ttl 2
# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient
|
|
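Added example, not part of the thread: a host only receives, and so can only answer, traffic for multicast groups it has joined, so the `netstat -ng` listing in the post above can be checked directly for the NTP groups. `SAMPLE_GROUPS` is constructed from that listing, and the function names are made up for this sketch.

```shell
#!/bin/sh
# Constructed sample: the IPv6 rows of the `netstat -ng` output posted above.
SAMPLE_GROUPS='Interface       RefCnt Group
--------------- ------ ---------------------
lo              1      ff02::1
lo              1      ff01::1
eth0            1      ff02::fb
eth0            1      ff02::1:ff82:108d
eth0            1      ff02::1:ffc4:8a7
eth0            1      ff02::1
eth0            1      ff01::1'

# joined_ifaces GROUP: read `netstat -ng`-style text on stdin and print the
# interfaces that are members of GROUP (exact, case-insensitive), one per line.
joined_ifaces() {
    awk -v g="$1" '
        BEGIN { g = tolower(g) }
        NF == 3 && $2 ~ /^[0-9]+$/ && tolower($3) == g { print $1 }
    '
}

# mcast_scope GROUP: name the scope nibble (4th hex digit) of an ffXS:: address.
mcast_scope() {
    case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
        ff?1:*) echo interface-local ;;
        ff?2:*) echo link-local ;;
        ff?5:*) echo site-local ;;
        ff?e:*) echo global ;;
        *)      echo other ;;
    esac
}

# report GROUP...: one line per group with its scope and member interfaces.
# On a live host, replace the printf with `netstat -ng`.
report() {
    for grp in "$@"; do
        members=$(printf '%s\n' "$SAMPLE_GROUPS" | joined_ifaces "$grp" | tr '\n' ' ')
        printf '%-10s %-15s %s\n' "$grp" "$(mcast_scope "$grp")" "${members:-NOT JOINED}"
    done
}

report ff02::1 ff02::101 ff05::101
```

On the sample, all-nodes `ff02::1` shows `lo eth0`, while both `ff02::101` and `ff05::101` show `NOT JOINED`.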

1clue Advocate
Joined: 05 Feb 2006 Posts: 2569
Posted: Thu Apr 11, 2019 12:36 am
I'm going to put my ntp.conf aside and re-read the man page and whatever other documentation I can get. It seems I need authentication or validation, and a manycastserver and manycastclient statement. Or something.
The man page mentions ff05::101 and originally it seemed that the manycast* directives accessed the pre-existing listener on ff05::101 but now it seems that it may actually be telling it to listen, and they have all this authentication and cryptographic stuff.
In the abstract I can see the value of a secure clock. In reality it seems a bit excessive.
Says the guy who built a stratum 1 time server. |
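Added example, not part of the thread: a small audit of the authentication settings this last post is about, run over the active multicast lines of the ntp.conf posted earlier. `SAMPLE_CONF` is constructed from that config; the function name and finding labels are made up here, and it relies only on the `key`/`autokey` options that ntpd accepts on `broadcast` and `manycastclient` lines.

```shell
#!/bin/sh
# Constructed sample: the active multicast/auth lines of the ntp.conf posted above.
SAMPLE_CONF='restrict -6 default kod notrap nomodify nopeer noquery
broadcast ff05::101 ttl 2
broadcast 224.0.1.1 ttl 2
broadcast ff02::101%eth0 ttl 2
#disable auth
#broadcastclient'

# audit_ntp_auth: read ntp.conf text on stdin and print one finding per line.
#   unkeyed <directive> <address>  line sends or solicits without key/autokey
#   auth-disabled                  a "disable auth" line is active
#   open-listener <directive>      listener directive active while auth is disabled
#   no-keys-file                   a key id is used but no "keys" file is configured
audit_ntp_auth() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # ignore comments and blank lines
        $1 == "keys"    { keysfile = 1 }
        $1 == "disable" { for (i = 2; i <= NF; i++) if ($i == "auth") noauth = 1 }
        $1 == "broadcastclient" || $1 == "multicastclient" { listener[++n] = $1 }
        $1 == "broadcast" || $1 == "manycastclient" {
            keyed = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "autokey") keyed = 1
                if ($i == "key" && i < NF) { keyed = 1; usedkey = 1 }
            }
            if (!keyed) print "unkeyed " $1 " " $2
        }
        END {
            if (noauth) {
                print "auth-disabled"
                for (i = 1; i <= n; i++) print "open-listener " listener[i]
            }
            if (usedkey && !keysfile) print "no-keys-file"
        }
    '
}

printf '%s\n' "$SAMPLE_CONF" | audit_ntp_auth
```

On the sample it reports all three `broadcast` lines as `unkeyed`; uncommenting `disable auth` and `broadcastclient` would add `auth-disabled` and `open-listener broadcastclient`.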