 |
|
Tunnel Information and Control protocol (TIC)
The Tunnel Information and Control protocol allows programs to retrieve configuration settings in the SixXS system. This allows automatic tunnel client configuration and setup without much user intervention or knowlegde of either IPv6 or tunneling.
IANA has allocated port 3874 for this service.
Client Implementations
The following clients have TIC support:
- SixXS AICCU and all the distributions that use it
- AVM Fritz!Box
Protocol
This configuration service uses a client/server protocol somewhat like SMTP using "200" for noting successful commands and "400" for noting unsuccessful commands. We advise that clients make connections to tic.sixxs.net, this has only an IPv4 address, even though the protocol is of course address family independent, this overcomes problems with timeouts when IPv6 seems to be available but really isn't. The protocol is primarily used for configuring hosts to get IPv6 connectivity thus this should not be an issue of any kind.
Commands
The protocol has the following commands during a variety of stages.
| Global | |
get unixtime | Get UnixTime in seconds sincs 1970 for verifying that the client time is correct |
| Initial | |
starttls | Start TLS negotation |
client TIC/<version> <name>/<version> <osname>/<version> | Client version information |
username <nic-hdl> | Select the username to use |
| Challenge | |
challenge clear|md5|cookie | Select the challenge to use for authentication |
| Authenticate | |
authenticate clear|md5|cookie <response> | Authenticate using the response based upon the challenge and the method |
| Logged | |
tunnel list | List tunnels owned by this user |
tunnel show <tunnel-id> | Show information about this tunnel |
pop list | List the available PoPs |
pop show <pop-name> | Show information about a PoP |
route | (not implemented yet) |
Authentication
The SixXS system doesn't know any cleartext passwords and only has md5sum's of the cleartext passwords of the users, thus to authenticate the following comparison is used:
md5sum(md5sum(clearpass).challenge) == md5sum(storedpass.challenge)
A client sends the first part, while TIC has the second part. Knowing the md5sum of the cleartext password is thus sufficient to authenticate in this case, but that would mean one has access to more of the system and can do other things as well so that is not seen as a threat.
Typical Session
Following is a typical session captured from the line. We can post the challenge response here as there is no way of reversing that part. The only information that should still be hidden is the Password field though.
| S | 200 TIC on noc.sixxs.net ready (http://www.sixxs.net) |
| C | client TIC/draft-00 AICCU/2004.08.24 WinNT/5.1.2600-SP2 |
| S | 200 Client Identity accepted |
| C | username JRM1-RIPE |
| S | 200 Choose your authentication challenge please |
| C | challenge md5 |
| S | 200 60d11a81a26df3738026b1839644a1ae |
| C | authenticate md5 4dc85220692080e76f773f0fbd8c8e31 |
| S | 200 Successfully logged in using md5 as JRM1-RIPE (Jeroen Massar) from 195.64.92.136 |
| C | tunnel list |
| S | 201 Listing tunnels |
| S | T1396 2001:768:1900:aa::2 heartbeat demun01 |
| S | 202 |
| C | tunnel show T1396 |
| S | 201 Showing tunnel information for T1396 |
| S | TunnelId: 1396 |
| S | Type: 6in4 |
| S | IPv6 Endpoint: 2001:db8:1900:aa::2 |
| S | IPv6 PoP: 2001:db8:1900:aa::1 |
| S | IPv6 PrefixLength: 64 |
| S | PoP Name: demun01 |
| S | IPv4 Endpoint: heartbeat |
| S | IPv4 PoP: 195.143.155.2 |
| S | UserState: enabled |
| S | AdminState: enabled |
| S | Password: 4dc85220692080e76f773f0fbd8c8e31 |
| S | Heartbeat_Interval: 60 |
| S | Tunnel MTU: 1280 |
| S | 202 Done |
| C | quit What a nice day it was again |
| S | 200 Thank you for using this SixXS Service |
|
©2001-2012 SixXS - IPv6 Deployment & Tunnel Broker |
