Monitoring and IPv6 interact with each other in a number of ways far from obvious. After a quick review of IPv6 from the monitoring perspective, these questions are addressed: How do monitoring systems use IPv6 for communications between servers and agents? Why can't Ssh entirely hide IPv6 from monitoring tools like Nagios? What additional services do we have to monitor in an IPv6 environment? How are existing services affected once IPv6 is enabled, and how do we have to update our monitoring configurations? Which plugins may need an update? How can we support IPv6 in an existing environment if we don't want to move the running monitoring setup out of its IPv4-only environment? What are our options with regard to protocol-translating proxies and how do they compare to each other? Finally, IPv6 offers a number of features that may be useful for new monitoring tool developments---it isn't all just extra work. The talk closes with a few thoughts on what IPv6 has to offer with regard to monitoring.

1. c 2009
Benedikt
Stockebrand
Monitoring (and) IPv6
Benedikt Stockebrand
Dipl. Inform.
<me@benedikt-stockebrand.de>
October 28, 2009
Open Source Monitoring Conference
N¨urnberg, Germany
<<< << >> >>> 1/26

2. c 2009
Benedikt
Stockebrand
Introduction
IPv6 and Monitoring
Monitoring and IPv6 Deployment
What is IPv6?
The IPv6 (Non-)Impact
<<< << Introduction >> >>> 2/26

3. c 2009
Benedikt
Stockebrand
IPv6 and Monitoring
Intended Audiences
◮ Monitoring tool users
◮ Check script/plugin developers
◮ Monitoring tool developers
Relationships between Monitoring and IPv6
◮ Monitoring and IPv6 Deployments
◮ Monitoring IPv6
◮ Monitoring with IPv6
<<< << Introduction IPv6 and Monitoring >> >>> 3/26

4. c 2009
Benedikt
Stockebrand
Monitoring and IPv6 Deployment
◮ Most things won’t break when IPv6 is deployed,
◮ . . . but IPv6 can potentially break anything.
◮ During a deployment, make sure everything works.
◮ Don’t deploy IPv6 without comprehensive
monitoring.
◮ Help management understand the importance of
monitoring:-)
<<< << Introduction Monitoring and IPv6 Deployment >> >>> 4/26

5. c 2009
Benedikt
Stockebrand
What is IPv6? I
Application
Layer
Transport
Layer
Network
Layer
Link
Layer
DNS SSH SMTP IMAP HTTP · · ·
TCP UDP · · ·
IP(v4)
IGMP ICMP
IPv6
MLD ICMP6
Ethernet PPP
Token
Ring
· · ·
<<< << Introduction What is IPv6? >> >>> 5/26

6. c 2009
Benedikt
Stockebrand
What is IPv6? II
◮ IPv4 and IPv6 can be run in parallel.
◮ IPv6 can’t solve problems outside the network layer.
◮ IPv6 can’t solve fundamental design deficiencies of
the TCP/IP stack.
◮ Application porting should be easy. . .
◮ . . . but still must be done.
◮ Monitoring should be affected in only few areas.
<<< << Introduction What is IPv6? >> >>> 6/26

7. c 2009
Benedikt
Stockebrand
The IPv6 (Non-)Impact
Unaffected are:
◮ Local checks (disk usage, CPU load, . . . )
◮ Anything IPv4-specific
Possibly affected are:
◮ Network applications (depending on check method)
◮ Network communications within monitoring
software (depending on transport used)
Always affected are:
◮ IPv6-specific checks
◮ New monitoring features requiring IPv6
<<< << Introduction The IPv6 (Non-)Impact >> >>> 7/26

8. c 2009
Benedikt
Stockebrand
Monitoring and the IPv6 Way of Networking
Scopes
IPv6 Addressing
Helpful New Mechanisms
<<< << Monitoring and the IPv6 Way of Networking >> >>> 8/26

9. c 2009
Benedikt
Stockebrand
Scopes
◮ Link-local scope is new.
◮ Site-local scope is still available.
◮ ARP has become ICMPv6 Neighbor Discovery
(ND).
◮ Link-local features may require a satellite
(NRPE or such) per subnet.
◮ Consider a 802.1Q trunk interface
on your monitoring server.
<<< << Monitoring and the IPv6 Way of Networking Scopes >> >>> 9/26

10. c 2009
Benedikt
Stockebrand
Plain Vanilla Unicast Addresses
◮ NAT is dead.
◮ . . . and so is STUN.
◮ There are enough addresses.
◮ Use Unique-local Addresses (ULA) with site-local
scope where applicable.
◮ Multiple addresses per interface:
◮ Check all, not just a “primary” one.
◮ Hosts may use randomized temporary addresses
(aka. “Privacy Extensions”, RFC 3041).
◮ Multiple addresses from DNS:
◮ Check services with all.
◮ Watch for excessive timeouts.
◮ Beware of ping6 limitations.
◮ Check DNS queries via TCP.
<<< << Monitoring and the IPv6 Way of Networking IPv6 Addressing >> >>> 10/26

11. c 2009
Benedikt
Stockebrand
Multicast
IPv6 multicast offers
◮ all the addresses you need,
◮ actually working multicast routing
(within scalability limits) and
◮ enormous potential for new functionalities.
Multicast routing monitoring:
◮ Use multicast ping (with mcjoin) for simple tests.
◮ Possibly check from multiple subnets.
<<< << Monitoring and the IPv6 Way of Networking IPv6 Addressing >> >>> 11/26

12. c 2009
Benedikt
Stockebrand
Anycast
◮ Now a standard, no longer a hack
◮ Difficult to test without actual failover
◮ Use whitebox style local checks
<<< << Monitoring and the IPv6 Way of Networking IPv6 Addressing >> >>> 12/26

13. c 2009
Benedikt
Stockebrand
Helpful New Mechanisms
Autoconfiguration
◮ Much better than DHCP address management.
◮ Check lifetimes locally on host.
◮ Check for (possibly multiple) default routes on hosts.
Duplicate Address Detection
◮ Should appear locally in syslog.
<<< << Monitoring and the IPv6 Way of Networking Helpful New Mechanisms >> >>> 13/26

14. c 2009
Benedikt
Stockebrand
Monitoring Dual Stack Environments
Tunnels
Gateway Mechanisms
Where to Put Your Monitoring Server
<<< << Monitoring Dual Stack Environments >> >>> 14/26

15. c 2009
Benedikt
Stockebrand
Tunnels
◮ Do IPv6 blackbox tests through tunnels.
◮ Do IPv4 whitebox tests of tunnel routes if possible.
◮ Check for unexpected tunnels
in security-critical environments
(especially Teredo, UDP 3544).
<<< << Monitoring Dual Stack Environments Tunnels >> >>> 15/26

16. c 2009
Benedikt
Stockebrand
Gateway Mechanisms
◮ Application level gateways/proxies are basically
unchanged.
◮ Protocol translators (TRT, NAT-PT) can be
troublesome.
◮ Avoid them, they are deprecated anyway.
◮ Don’t rely on ping to work through them.
◮ Check the application instead.
◮ Transparent proxies (socat et al.)
can also be somewhat troublesome.
◮ Pings are answered by the proxy.
<<< << Monitoring Dual Stack Environments Gateway Mechanisms >> >>> 16/26

17. c 2009
Benedikt
Stockebrand
Where to Put Your Monitoring Server
◮ Preferably keep your monitoring server
dual-stacked.
◮ This may require a minor downtime of the
monitoring server.
◮ Consider adding a dedicated IPv6 interface,
rather than dual-stacking an existing one.
◮ If that’s impossible, use satellites.
◮ If that’s impossible, use (transparent) proxies.
◮ Don’t force all clients to be dual-stacked.
<<< << Monitoring Dual Stack Environments Where to Put Your Monitoring Server >> >>> 17/26

18. c 2009
Benedikt
Stockebrand
Monitoring With IPv6
Intermediate Protocols
Monitoring Protocols
Adding IPv6 Support
Summary
<<< << Monitoring With IPv6 >> >>> 18/26

19. c 2009
Benedikt
Stockebrand
Ssh and SSL
◮ Ssh works without problems.
◮ SSL too, unless openssl s client and s server
are used with popen(3) or scripts.
◮ The multiple addresses issue may cause
undesirable effects.
<<< << Monitoring With IPv6 Intermediate Protocols >> >>> 19/26

20. c 2009
Benedikt
Stockebrand
Standard Protocols
SNMP
◮ netsnmp works fine.
◮ But many appliances (routers, switches, . . . ) don’t.
Syslog
◮ The Linux sysklogd doesn’t support IPv6.
◮ Use syslog-ng or rsyslog on Linux.
◮ Many appliances don’t support IPv6.
Workarounds:
◮ make the monitoring servers/satellites dual stacked,
◮ use satellites,
◮ or proxies.
<<< << Monitoring With IPv6 Monitoring Protocols >> >>> 20/26

21. c 2009
Benedikt
Stockebrand
Nagios and IPv6 I
◮ Works fine over Ssh.
◮ Works fine through Apache.
◮ But (sorry about the nagging. . . ):
<<< << Monitoring With IPv6 Monitoring Protocols >> >>> 21/26

22. c 2009
Benedikt
Stockebrand
Nagios and IPv6 II
From: Jens Link [. . . ]
Subject: IPv6 Monitoring
Moin,
was fuer deinen Vortrag. Falls du einen der
Entwickler dabei hast.
root@calo-ila# ./check nrpe -H 2001:6f8:1138::1
Invalid host name ’2001:6f8:1138::1’
(Auch mit nur Hostname, [], ...)
root@calo-ila# ./check nrpe
Incorrect command line arguments supplied
NRPE Plugin for Nagios
Copyright (c) 1999-2008 Ethan Galstad
(nagios@nagios.org)
Version: 2.12
Last Modified: 03-10-2008
Jens
<<< << Monitoring With IPv6 Monitoring Protocols >> >>> 22/26

23. c 2009
Benedikt
Stockebrand
Adding IPv6 Support
◮ Software is usually easy to port,
◮ . . . but still requires doing so.
◮ Code samples at my home page
http://www.benedikt-stockebrand.de/
◮ TCP is simple, UDP can involve a bit of work.
◮ Alternative I: Run over existing protocols, like Ssh.
◮ Alternative II: Use a high level language.
◮ Review all code sections touching raw IP
addresses.
◮ Expect minor fun with configuration syntax issues.
Show that Open Source is a step (or ten) ahead!
<<< << Monitoring With IPv6 Adding IPv6 Support >> >>> 23/26

24. c 2009
Benedikt
Stockebrand
Making Use of IPv6
Developers
◮ Multicast routing is worth some real thought.
◮ Neighbor Discovery may simplify
ARPwatch style functionality.
Users
◮ Consider using dedicated addresses for monitoring
access.
Everybody
◮ Forget about NAT, STUN and similar diseases.
<<< << Monitoring With IPv6 Adding IPv6 Support >> >>> 24/26

25. c 2009
Benedikt
Stockebrand
Summary: Monitoring With IPv6
◮ IPv6 needs proper monitoring.
◮ Monitoring stays largely unchanged.
◮ Some details need work.
◮ IPv6 simplifies monitoring in a number of respects.
◮ IPv6 offers some nice infrastructure features.
<<< << Monitoring With IPv6 Summary >> >>> 25/26

26. c 2009
Benedikt
Stockebrand
Contact Information
Benedikt Stockebrand
Dipl.-Inform.
Fichardstr. 38
D-60322 Frankfurt/Main
contact@benedikt-stockebrand.de
http://www.benedikt-stockebrand.de/
<<< << Contact Information >> >>> 26/26