Gentoo Forums
ipv6 query multicast address to get unicast address
1clue
Advocate

Joined: 05 Feb 2006
Posts: 2516

Posted: Sat Apr 06, 2019 5:15 am    Post subject: ipv6 query multicast address to get unicast address

Hi,

I would like to use a bash shell to query a multicast ipv6 address and get back a list of unicast addresses.

For example, I would like to ping ff05::101 and get back a list of ntp servers on my site. Or ping ff05::2 to get all the routers.

Ping doesn't work. It doesn't have to be ping, I just want something that will give me all listeners for some multicast address for the scope specified.

I know that the multicast address is only supposed to be a destination address, so you won't ever get a response from that multicast address. The remote service is supposed to respond with its unicast address, either link-local or site-local or whatever.

I thought I had this figured out once. I lost it.

Thanks.
Ant P.
Watchman

Joined: 18 Apr 2009
Posts: 5595

Posted: Sat Apr 06, 2019 4:43 pm

I think you want ff02, not ff05...
1clue
Advocate

Joined: 05 Feb 2006
Posts: 2516

Posted: Sat Apr 06, 2019 4:58 pm

For routers yes, for ntp servers ff05 is correct.
Ant P.
Watchman

Joined: 18 Apr 2009
Posts: 5595

Posted: Sat Apr 06, 2019 5:24 pm

I can't seem to get it to work either...
Code:
~ # ping ff02::2%eth0
PING ff02::2%eth0(ff02::2%eth0) 56 data bytes
64 bytes from fe80::x:6753%eth0: icmp_seq=1 ttl=64 time=0.044 ms
64 bytes from fe80::y:b95e%eth0: icmp_seq=1 ttl=64 time=0.445 ms (DUP!)
64 bytes from fe80::z:681e%eth0: icmp_seq=1 ttl=64 time=0.691 ms (DUP!)
^C
~ # ping ff05::101%eth0
ping: ff05::101%eth0: Name or service not known

ff02::101 doesn't get a reply but doesn't fail either. I'm running chrony, and its manpage mentions that address, so I thought it'd work.
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 42596
Location: 56N 3W

Posted: Sat Apr 06, 2019 5:55 pm

Team,

Code:
 $ ping ff05::2
PING ff05::2(ff05::2) 56 data bytes
64 bytes from 2a02:8010:c002:3:329:7b89:85e8:62a1: icmp_seq=1 ttl=64 time=0.883 ms
That's my router's global address on the output side of shorewall6.

Code:
$ ping ff05::101
PING ff05::101(ff05::101) 56 data bytes
^C
--- ff05::101 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 42ms
is the right result.
I don't have any IPv6 ntp servers.

I was surprised that I did not need to specify an interface.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
1clue
Advocate

Joined: 05 Feb 2006
Posts: 2516

Posted: Sun Apr 07, 2019 3:20 am

So there's more complication than this.

There are three systems I'm using:

Raspberry pi, raspbian:

This is a stratum 1 time server using GPS.


  1. Can ping6 ff05::2 (Gets global ipv6 address)
  2. Can ping6 ff02::2%eth0 (gets fe80 address)
  3. Can't ping6 ff05::101
  4. Can't ping6 ff02::101%eth0 (shouldn't be able to, the docs say ntp is site scope but I'm trying it for the sake of being thorough)


Code:

# ntpq -c rv
associd=0 status=0118 leap_none, sync_pps, 1 event, no_sys_peer,
version="ntpd 4.2.8p6@1.3265-o Wed Sep 14 17:22:48 UTC 2016 (3)",
processor="armv6l", system="Linux/4.9.35+", leap=00, stratum=1,
precision=-18, rootdelay=0.000, rootdisp=1.135, refid=GPS,
reftime=e053e4ba.ddd6ecff  Sat, Apr  6 2019 21:53:46.866,
clock=e053e4c4.96e39c0f  Sat, Apr  6 2019 21:53:56.589, peer=41578, tc=4,
mintc=3, offset=0.001304, frequency=-6.926, sys_jitter=0.003815,
clk_jitter=0.004, clk_wander=0.000
# ntpq -nc peers
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
o127.127.22.0    .GPS.            0 l   10   16  377    0.000    0.001   0.004
 50.205.244.27   .XFAC.          16 u    - 1024    0    0.000    0.000   0.000
+128.138.141.172 .NIST.           1 u   15   64  355   45.495   -3.595   0.642
 131.107.13.100  .XFAC.          16 u    - 1024    0    0.000    0.000   0.000
*74.117.214.3    .PPS.            1 u   58   64  377  109.205    3.735   1.654
-216.229.0.49    128.252.19.1     2 u   31   64  377   45.490    7.445   1.229
-45.79.111.114   216.218.192.202  2 u   57   64  377   69.129    9.205   3.330
-2001:4998:58:18 98.139.133.62    2 u   57   64  377   76.631    6.499   1.409
+50.205.244.20   50.205.244.28    2 u   18   64  377   48.250    0.496   1.657


So the ntp server is using ipv6 because one of the peers is an ipv6 address.
The pi has both fe80 addresses and also has a global IPV6.
The pi can reach ipv6 sites on the Internet and make IPV6 connections locally using both fe80 and global addresses. I won't bug you with that stuff.

Code:
# netstat -tunlgp | grep ntp
udp        0      0 192.168.99.91:123       0.0.0.0:*                           457/ntpd       
udp        0      0 192.168.99.2:123        0.0.0.0:*                           457/ntpd       
udp        0      0 127.0.0.1:123           0.0.0.0:*                           457/ntpd       
udp        0      0 0.0.0.0:123             0.0.0.0:*                           457/ntpd       
udp6       0      0 fe80::ba27:ebff:fec:123 :::*                                457/ntpd       
udp6       0      0 dad:ea75:dead:beef::123 :::*                                457/ntpd       
udp6       0      0 ::1:123                 :::*                                457/ntpd       
udp6       0      0 :::123                  :::*                                457/ntpd


So the server is listening on ipv4, ipv6-global and ipv6-link-local.

But it does not seem to be binding to a multicast?

Ubuntu 18.04:

  1. Can't ping6 ff05::2 (hangs)
  2. Can ping6 ff02::%enp3s0
  3. Can't ping6 ff05::101 (hangs)
  4. Can't ping6 ff02::101%enp3s0 (hangs)


Ubuntu has a fully functional dual ipv4+ipv6 stack. I won't bother you with the evidence.
Its ntp statistics show that it is also getting ipv4 and ipv6 addresses as peers.

Gentoo:
    2001:48f8:1044:717
  1. Can ping ff05::2 (gets global router address)
  2. Can ping ff02::2%eth1 (gets fe80 address)
  3. Can't ping ff05::101 (hangs)
  4. Can't ping ff02::101%eth1 (hangs)


Gentoo also shows ipv6 and ipv4 addresses in the peers list for ntpq.

Observations

  1. I never knew that you could ping ff05::2 and get your global router. I've spent hours looking for how to do that from the command line. Never occurred to try the thing that makes most sense.
  2. I don't recall reading anywhere that router multicast worked on any more than link-local scope. So I never tried ff05::2
  3. My Ubuntu box does not know about ff05::2. Must be one of Lennart's improvements?
  4. My stratum 1 time server seems to know about IPV6 but does not seem to bind to the multicast address.
  5. This must be a configuration problem. I'm gonna try Google with different search terms.


As I have determined that this is not strictly a Gentoo problem I don't mind if you don't continue to help. But I'll post a solution if I can figure it out.
Ant P.
Watchman

Joined: 18 Apr 2009
Posts: 5595

Posted: Sun Apr 07, 2019 11:10 am

Now that I've tried ff05::* (without interface scope), I get identical results as above: 2 works, 101 does not. I'm still a bit confused that it errors out instantly with an interface specified.

I know I do have working multicast support in the kernel despite all this (using avahi for distcc etc).
UberLord
Retired Dev

Joined: 18 Sep 2003
Posts: 6737
Location: Blighty

Posted: Sun Apr 07, 2019 11:36 am

Have you configured the NTP server for multicast?
https://groups.google.com/forum/#!topic/comp.protocols.time.ntp/SpUkoQcu-q0

About the scope - I think FF05 needs to be configured whereas FF02 works on any decent IPv6 host.
So try ff02::101%interface.

Works for me.
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 42596
Location: 56N 3W

Posted: Sun Apr 07, 2019 11:38 am

1clue,

Code:
[ ]   IP: multicasting 
is an optional extra in the kernel, as is
Code:
 [ ]   IPv6: multicast routing

Do you need them?
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
1clue
Advocate

Joined: 05 Feb 2006
Posts: 2516

Posted: Wed Apr 10, 2019 11:55 pm

NeddySeagoon wrote:
1clue,

Code:
[ ]   IP: multicasting 
is an optional extra in the kernel, as is
Code:
 [ ]   IPv6: multicast routing

Do you need them?


Neddy, the last question doesn't really compute.

In the literal sense I don't, because I've been running with this setup for a while now.

That said, now that I noticed my ntp server is not working the way ntp servers are supposed to work, and that it's not.....Let's just say that it's going to burn my butt until I get it right. As the system in question is Raspbian I don't know if the multicast routing is turned on. I'll investigate. But it does know what multicast is, so I'm going to say the first option is turned on.

It also happens that the devices I'm using are all on the same physical subnet. So ff05::101 should work.


@Ant P: It seems to be different per distro. I started playing with it and found that on some distros, if you do ff02::something without specifying interface it chooses the default route's interface. Others no. The ntp server's only defined multicast is site-local so ff02::101 is not really defined. IMO it would make sense for some things (DNS, ntp servers, etc) to allow scopes like city, state/province, nation or continent. Assuming of course that there were some way of validating a server once the volunteer comes back from the multicast.

Reading this again, I wonder if you mean scope on the site-local (ff05) addresses? Should not be necessary the way I understand the spec, and none of my Linux boxes requires it.

@Uberlord: I tried the configuration options without authentication on the server. Based on that thread you posted, authentication may be required even for local network only. I've done ff02::101%interface, no joy. And no sign that it's actually configured as multicast on the server.
1clue
Advocate

Joined: 05 Feb 2006
Posts: 2516

Posted: Thu Apr 11, 2019 12:01 am

Again, server is a Raspberry Pi running Raspbian for full disclosure.

From the server:

Code:

# /usr/sbin/ntpd --version
ntpd 4.2.8p6@1.3265-o Wed Sep 14 17:22:48 UTC 2016 (3)



Code:
# netstat -ng
IPv6/IPv4 Group Memberships
Interface       RefCnt Group
--------------- ------ ---------------------
lo              1      224.0.0.1
eth0            1      224.0.0.251
eth0            1      224.0.0.1
lo              1      ff02::1
lo              1      ff01::1
eth0            1      ff02::fb
eth0            1      ff02::1:ff82:108d
eth0            1      ff02::1:ffc4:8a7
eth0            1      ff02::1
eth0            1      ff01::1


Server's config file, but note that I've been throwing crap in here to see if it works so it's not exactly trim:
Code:
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift


# Enable this if you want statistics to be logged.
statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable


# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example

# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
# pick a different set every time it starts up.  Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
server 127.127.22.0 minpoll 4 maxpoll 4
fudge 127.127.22.0 refid GPS
server 0.debian.pool.ntp.org iburst prefer
server 50.205.244.27 iburst
server 128.138.141.172 iburst
server 131.107.13.100 iburst
server 0.us.pool.ntp.org iburst
server 1.us.pool.ntp.org iburst
server 2.us.pool.ntp.org iburst
server 3.us.pool.ntp.org iburst


# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust


# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255
broadcast ff05::101 ttl 2
broadcast 224.0.1.1 ttl 2
broadcast ff02::101%eth0 ttl 2

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines.  Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient
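
Added example, not part of any post in this thread: a host answers a ping to a multicast group only if it has joined that group, so the two checks discussed above (who replies to a group ping, and whether a server is a member of a group) can be scripted as below. `responders`, `is_member` and `discover` are hypothetical names; the ping sample is constructed and the membership sample is abridged from the `netstat -ng` output posted above.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Unique unicast responders from `ping` output on stdin.
# Field 4 of a reply line is the source address (with %zone for link-local),
# followed by a colon; duplicate replies (DUP!) collapse via sort -u.
responders() {
    awk '$2 == "bytes" && $3 == "from" { a = $4; sub(/:$/, "", a); print a }' | sort -u
}

# Exit 0 if GROUP ($1), optionally on interface $2, is listed in
# `netstat -ng` output on stdin; exit 1 otherwise.
is_member() {
    awk -v g="$1" -v i="${2:-}" '
        NF == 3 && tolower($3) == tolower(g) && (i == "" || $1 == i) { found = 1 }
        END { exit !found }'
}

# Live wrapper (assumes iputils ping): discover 'ff02::2%eth0'
discover() {
    ping -c 2 -w 3 "$1" 2>/dev/null | responders
}

# Constructed ping output (link-local and documentation-prefix addresses).
PING_SAMPLE='PING ff02::2%eth0(ff02::2%eth0) 56 data bytes
64 bytes from fe80::1%eth0: icmp_seq=1 ttl=64 time=0.044 ms
64 bytes from fe80::2%eth0: icmp_seq=1 ttl=64 time=0.445 ms (DUP!)
64 bytes from fe80::1%eth0: icmp_seq=2 ttl=64 time=0.051 ms
64 bytes from 2001:db8::1: icmp_seq=1 ttl=64 time=0.883 ms'

# Group memberships, abridged from the `netstat -ng` output quoted above.
NETSTAT_SAMPLE='IPv6/IPv4 Group Memberships
Interface       RefCnt Group
--------------- ------ ---------------------
lo              1      224.0.0.1
eth0            1      224.0.0.251
eth0            1      224.0.0.1
lo              1      ff02::1
eth0            1      ff02::fb
eth0            1      ff02::1:ff82:108d
eth0            1      ff02::1
eth0            1      ff01::1'

printf '%s\n' "$PING_SAMPLE" | responders
for grp in ff02::1 ff02::101 ff05::101; do
    if printf '%s\n' "$NETSTAT_SAMPLE" | is_member "$grp" eth0; then
        echo "$grp: joined on eth0"
    else
        echo "$grp: not joined on eth0"
    fi
done
```

On a live host, feed `is_member` from `netstat -ng` directly, for example `netstat -ng | is_member ff05::101`.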

1clue
Advocate

Joined: 05 Feb 2006
Posts: 2516

Posted: Thu Apr 11, 2019 12:36 am

I'm going to put my ntp.conf aside and re-read the man page and whatever other documentation I can get. It seems I need authentication or validation, and a manycastserver and manycastclient statement. Or something.

The man page mentions ff05::101 and originally it seemed that the manycast* directives accessed the pre-existing listener on ff05::101 but now it seems that it may actually be telling it to listen, and they have all this authentication and cryptographic stuff.

In the abstract I can see the value of a secure clock. In reality it seems a bit excessive.

Says the guy who built a stratum 1 time server.