Tunnel Information and Control protocol (TIC)
The Tunnel Information and Control protocol allows programs to retrieve configuration settings in the SixXS system.
This allows automatic tunnel client configuration and setup without much user intervention or knowlegde of either IPv6 or tunneling.
IANA has allocated port 3874 for this service.
The SixXS server, which is the default in AICCU, is: tic.sixxs.net.
Our server is STARTTLS enabled.
One can thus configure AICCU to require TLS
with the 'requiretls yes' option in the configuration file.
The following clients have TIC support:
- SixXS AICCU and all the distributions that use it, amongst which also various router/NAT-devices from vendors like Motorola, Draytek and many others
- AVM Fritz!Box
This configuration service uses a client/server protocol somewhat like SMTP using "200"
for noting successful commands and "400" for noting unsuccessful commands.
We advise that clients make connections to tic.sixxs.net, this has only an IPv4 address,
even though the protocol is of course address family independent, this
overcomes problems with timeouts when IPv6 seems to be available but really isn't.
The protocol is primarily used for configuring hosts to get IPv6 connectivity thus
this should not be an issue of any kind.
The protocol has the following commands during a variety of stages.
|Get UnixTime in seconds sincs 1970 for verifying that the client time is correct|
|Start TLS negotation|
client TIC/<version> <name>/<version> <osname>/<version>
|Client version information|
|Select the username to use|
|Select the challenge to use for authentication|
authenticate clear|md5|cookie <response>
|Authenticate using the response based upon the challenge and the method|
|List tunnels owned by this user|
tunnel show <tunnel-id>
|Show information about this tunnel|
|List the available PoPs|
pop show <pop-name>
|Show information about a PoP|
|(not implemented yet)|
The SixXS system doesn't know any cleartext passwords and only has md5sum's of the cleartext passwords of the users,
thus to authenticate the following comparison is used:
md5sum(md5sum(clearpass).challenge) == md5sum(storedpass.challenge)
A client sends the first part, while TIC has the second part.
Knowing the md5sum of the cleartext password is thus sufficient to authenticate in
this case, but that would mean one has access to more of the system and can do other
things as well so that is not seen as a threat.
Following is a typical session captured from the line.
We can post the challenge response here as there is no way of reversing that part.
The only information that should still be hidden is the Password field though.
|S||200 TIC on tic.sixxs.net ready (http://www.sixxs.net)|
|C||client TIC/draft-00 AICCU/2004.08.24 WinNT/5.1.2600-SP2|
|S||200 Client Identity accepted|
|S||200 Choose your authentication challenge please|
|C||authenticate md5 4dc85220692080e76f773f0fbd8c8e31|
|S||200 Successfully logged in using md5 as EXAMPLE-SIXXS (Example User) from 192.0.2.1|
|S||201 Listing tunnels|
|S||T123456789 2001:db8:1900:aa::2 heartbeat euexa01|
|C||tunnel show T123456789|
|S||201 Showing tunnel information for T123456789|
|S||IPv6 Endpoint: 2001:db8:1900:aa::2|
|S||IPv6 PoP: 2001:db8:1900:aa::1|
|S||IPv6 PrefixLength: 64|
|S||PoP Name: euexa01|
|S||IPv4 Endpoint: heartbeat|
|S||IPv4 PoP: 192.0.2.2|
|S||Tunnel MTU: 1280|
|C||quit What a nice day it was again|
|S||200 Thank you for using this SixXS Service|