Tunnel Information and Control protocol (TIC)
The Tunnel Information and Control protocol allows programs to retrieve
and modify configuration settings in the SixXS system.
This allows automatic tunnel client configuration and
setup without much user intervention or knowledge of either IPv6 or tunneling.
AICCU supports and uses this service.
IANA has allocated port 3874 for this service.
Protocol
This configuration service uses a client/server protocol somewhat like SMTP, using "200"
to indicate successful commands and "400" to indicate unsuccessful commands.
We advise that clients connect to tic.sixxs.net, which has only an IPv4 address
even though the protocol itself is address family independent. This
avoids timeouts when IPv6 seems to be available but really isn't.
Because the protocol is primarily used to configure hosts so that they can get IPv6
connectivity, this should not be an issue of any kind.
Commands
The protocol has a number of commands that can be issued.
| Global |
set prompt enabled|disabled | Enable or disable (default) the prompt |
get unixtime | Get UnixTime in seconds since 1970 |
help | Request help about this context |
exit | Exit the current context |
| Initial |
starttls | Start TLS negotiation |
client <name/version> | Client version information |
username <nic-hdl>|anonymous | Select the username to use |
| Challenge |
challenge clear|md5|cookie | Select the challenge to use for authentication |
| Authenticate |
authenticate clear|md5|cookie <response> | Authenticate using the response based upon the challenge and the method |
| Logged |
tunnel list | List tunnels owned by this user |
tunnel show <tunnel-id> | Show information about this tunnel |
tunnel set <tunnel-id> endpoint {<new-ipv4>|current} | Set the endpoint of this tunnel |
tunnel set <tunnel-id> state {enabled|disabled} | Set the userstate of this tunnel |
tunnel put <tunnel-id> publickey <key> | Put and set an RSA public key for this tunnel |
tunnel get <tunnel-id> publickey | Get the RSA public key of this tunnel |
pop list | List the available PoPs |
pop show <pop-name> | Show information about a PoP |
pop get <pop-name> publickey | Get the RSA public key of this PoP |
route | (not implemented yet) |
Authentication
The SixXS system doesn't know any cleartext passwords; it only has the md5sums of the users' cleartext passwords. To authenticate, the following comparison is therefore used:
md5sum(md5sum(clearpass).challenge) == md5sum(storedpass.challenge)
The client sends the first part (the left-hand side), while TIC has the second part (the right-hand side).
Knowing the md5sum of the cleartext password is thus sufficient to authenticate in
this case. Obtaining it, however, would mean one has access to more of the system and can
do other things as well, so that is not seen as a threat.
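The comparison above, worked through as an added example (this is not SixXS or AICCU code). It assumes lowercase hex digests and plain string concatenation in the order the formula is written; the function names and the sample password are illustrative.

```python
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    """md5sum of a string as lowercase hex (assumed wire encoding)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def new_challenge() -> str:
    """Server: fresh random challenge per login, so an old response is useless."""
    return secrets.token_hex(16)


def client_response(clearpass: str, challenge: str) -> str:
    """Client: md5sum(md5sum(clearpass).challenge)."""
    return md5_hex(md5_hex(clearpass) + challenge)


def expected_response(storedpass: str, challenge: str) -> str:
    """Server: md5sum(storedpass.challenge), computed from the stored hash only."""
    return md5_hex(storedpass + challenge)


def verify(storedpass: str, challenge: str, response: str) -> bool:
    """Constant-time comparison of the two sides of the equation."""
    expected = expected_response(storedpass, challenge).encode("ascii")
    return hmac.compare_digest(expected, response.strip().lower().encode("utf-8"))


if __name__ == "__main__":
    clearpass = "example-password"       # constructed sample value
    storedpass = md5_hex(clearpass)      # what the server keeps on file
    challenge = new_challenge()
    response = client_response(clearpass, challenge)
    print("accepted:", verify(storedpass, challenge, response))
    # The same response verified against a new challenge is rejected.
    print("replayed:", verify(storedpass, new_challenge(), response))
    # storedpass alone yields the same response as the cleartext password,
    # so the stored value needs the same protection as a password.
    print("hash-equivalent:", expected_response(storedpass, challenge) == response)
```

Because the stored md5sum is the only secret the server needs, it is password-equivalent for this exchange and should be stored and logged with the same care as a cleartext password.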
Typical Session
The following is a typical session captured on the wire.
We can post the challenge response here as there is no way of reversing that part.
The only information that should still be hidden is the Password field.
| S | 200 TIC on noc.sixxs.net ready (http://www.sixxs.net) |
| C | client AICCU/2004.08.24 WinNT/5.1.2600-SP2 |
| S | 200 Client Identity accepted |
| C | handle JRM1-RIPE |
| S | 200 Choose your authentication challenge please |
| C | challenge md5 |
| S | 200 60d11a81a26df3738026b1839644a1ae |
| C | authenticate md5 4dc85220692080e76f773f0fbd8c8e31 |
| S | 200 Succesfully logged in using md5 as JRM1-RIPE (Jeroen Massar) from 195.64.92.136 |
| C | tunnel list |
| S | 201 Listing tunnels |
| S | T1396 2001:768:1900:aa::2 heartbeat demun01 |
| S | 202 |
| C | tunnel show T1396 |
| S | 201 Showing tunnel information for T1396 |
| S | TunnelId: 1396 |
| S | Type: 6in4 |
| S | IPv6_Endpoint: 2001:768:1900:aa::2 |
| S | IPv6_PoP: 2001:768:1900:aa::1 |
| S | IPv6_PrefixLength: 64 |
| S | PoP_Name: demun01 |
| S | IPv4_Endpoint: heartbeat |
| S | IPv4_PoP: 195.143.155.2 |
| S | UserState: enabled |
| S | AdminState: enabled |
| S | Password: hskt |
| S | Heartbeat_Interval: 60 |
| S | 202 Done |
| C | put T1567 publickey |
| C | -----BEGIN RSA PUBLIC KEY----- |
| C | MIGJAoGBANspGTby4SufvCq/JdQVvdF9qJO5zhVfsbqxw8Ojdnmf1MtXOvmB4769 |
| C | ikou5JEyn+5h/Frv87uRZdAVJGLtWdo1482foIVAmGl4LDLP+GFS3sqDQEBIzTCQ |
| C | 9k343kTrewxEH2KgwbqmoYwD19gV4q6z+oVNCaFoNb5CgzY3C1VhAgMBAAE= |
| C | -----END RSA PUBLIC KEY----- |
| C | put end |
| S | 200 Set and synced the public key |
| C | get T1567 publickey |
| S | 201 Start of Public Key |
| C | -----BEGIN RSA PUBLIC KEY----- |
| C | MIGJAoGBANspGTby4SufvCq/JdQVvdF9qJO5zhVfsbqxw8Ojdnmf1MtXOvmB4769 |
| C | ikou5JEyn+5h/Frv87uRZdAVJGLtWdo1482foIVAmGl4LDLP+GFS3sqDQEBIzTCQ |
| C | 9k343kTrewxEH2KgwbqmoYwD19gV4q6z+oVNCaFoNb5CgzY3C1VhAgMBAAE= |
| C | -----END RSA PUBLIC KEY----- |
| S | 202 End of Public Key |
| C | exit |
| S | 200 Context set to main |
| C | pop |
| S | 200 Context set to pop |
| C | get nlams01 publickey |
| S | 201 Start of Public Key |
| C | -----BEGIN RSA PUBLIC KEY----- |
| C | MIGJAoGBAO0b8sbfgLlWIi3hH5ztdndOriY0FXszE2xXm9iGfEa+MsnMxyd6KEMB |
| C | wO50c8vzjUwWsjBE2Z60dascejr6Y9vxDKtkieqFgmhpLmhtO36gCAtj+9w2kZUj |
| C | OxHqqxEGpp1+hIxggvsXIt2MSs6GHAyPWwLVVOYI1XqNqFKyzK29AgMA//8= |
| C | -----END RSA PUBLIC KEY----- |
| S | 202 End of Public Key |
| C | quit |
| S | 200 Thank you for using this SixXS Service |
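A reply parser for the framing visible in the session above, as an added example (not AICCU code). It assumes what the transcript shows: "200" is a single-line success, "201" opens a multi-line block that a "202" line closes, and anything else is a failure. `SENSITIVE_KEYS`, `TICError` and the function names are illustrative, and the sample input is constructed with a placeholder password.

```python
import re

SENSITIVE_KEYS = {"Password"}  # field the page says must stay hidden

# Constructed sample: server lines from the "tunnel show" part of the session
# above, with the Password value swapped for a placeholder.
SAMPLE = [
    "201 Showing tunnel information for T1396",
    "TunnelId: 1396",
    "IPv6_Endpoint: 2001:768:1900:aa::2",
    "IPv4_Endpoint: heartbeat",
    "Password: example-secret",
    "202 Done",
]

STATUS = re.compile(r"^(\d{3})(?: (.*))?$")


class TICError(Exception):
    """Raised on a failed command or a malformed/truncated reply."""


def parse_reply(lines):
    """Return (code, message, body) for one reply read from `lines`."""
    it = iter(lines)
    m = STATUS.match(next(it, "").rstrip("\r\n"))
    if not m:
        raise TICError("missing or malformed status line")
    code, message = int(m.group(1)), m.group(2) or ""
    if code == 200:                      # single-line success
        return code, message, []
    if code != 201:                      # "400" and anything unexpected
        raise TICError(f"command failed: {code} {message}")
    body = []
    for raw in it:                       # 201 opens a block, 202 closes it
        line = raw.rstrip("\r\n")
        if line == "202" or line.startswith("202 "):
            return code, message, body
        body.append(line)
    raise TICError("reply ended before the closing 202 line")


def fields(body):
    """Split 'Key: value' body lines (values may themselves contain ':')."""
    return dict(line.split(": ", 1) for line in body if ": " in line)


def redact(info):
    """Copy of `info` that is safe to log: sensitive values are masked."""
    return {k: "<redacted>" if k in SENSITIVE_KEYS else v for k, v in info.items()}
```

Logging `redact(fields(body))` instead of the raw reply keeps the tunnel password out of client debug logs and bug reports.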