Cisco Router: startup auto secure

AutoSecure

auto secure

A feature that applies a set of recommended security settings.
Apparently network engineers don't normally use it.

R1#auto secure
                --- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***

AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]:

Securing Management plane services...

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol

Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.

Authorized Access only
  This system is the property of So-&-So-Enterprise.
  UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
  You must have explicit permission to access this
  device. All activities performed on this device
  are logged. Any violations of access policy will result
  in disciplinary action.

Enter the security banner {Put the banner between
k and k, where k is any character}:

k
k
Enable secret is either not configured or
 is the same as enable password
Enter the new enable secret:
Confirm the enable secret :
Enter the new enable password:
Choose a password that's different from secret
Enter the new enable password:
Choose a password that's different from secret
Enter the new enable password:
Confirm the enable password:

Configuration of local user database
Enter the username: wataru
Enter the password:
Confirm the password:
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters

Blocking Period when Login Attack detected: 1

Maximum Login failures with the device:
Device not secured against 'login attacks'.


Configure SSH server? [yes]:
Enter the domain-name:
% No defaulting allowed
Enter the domain-name:
Getting tedious, so I aborted with ^C.
R1#

auto secure no-interact

Apparently the settings are applied to running-config fully automatically.
Using it in a production environment is said to be forbidden.

R1#terminal length 0
R1#sh run
Building configuration...

Current configuration : 1398 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end
R1#auto secure no-interact
                --- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***

AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.

Securing Management plane services...

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol

Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:

 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
Disabling mop on Ethernet interfaces

Securing Forwarding plane services...

Enabling CEF (This might impact the memory requirements for your platform)

This is the configuration generated:

no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
security passwords min-length 6
security authentication failure rate 10 log
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface Serial0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
interface FastEthernet0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface Serial0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
interface FastEthernet1/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface Serial2/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
interface Serial2/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
interface Serial2/2
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
interface Serial2/3
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
ip cef
!
end


Applying the config generated to running-config

R1#sh run
Building configuration...

Current configuration : 2328 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096
logging console critical
!
no aaa new-model
memory-size iomem 5
no ip source-route
no ip gratuitous-arps
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  logging enable
  hidekeys
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 clock rate 2000000
!
interface FastEthernet1/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface Serial2/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 serial restart-delay 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
logging trap debugging
logging facility local2
no cdp log mismatch duplex
no cdp run
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end
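To turn the hardening list above into a repeatable check, here is an added audit script (not from the original post) that parses a `show run` capture and reports which AutoSecure items are missing. It encodes the IOS 12.4 behaviour visible in the two captures: some `no ...` lines never appear because they are already the default, so the table records the default for each item; the sample configs are constructed, trimmed versions of the before/after output above.

```python
import re

# Check table from the "configuration generated" list above (IOS 12.4 behaviour):
#   default_on=True : on unless the explicit "no ..." line is in show run
#   default_on=False: off by default and "no ..." hidden; flag only if someone enabled it
#   default_on=None : positive setting that must be present (prefix match)
GLOBAL_CHECKS = [
    ("no service finger", False), ("no service pad", True),
    ("no service tcp-small-servers", False), ("service password-encryption", None),
    ("service tcp-keepalives-in", None), ("no cdp run", True),
    ("no ip bootp server", True), ("no ip http server", True),
    ("no ip source-route", True), ("no ip gratuitous-arps", True),
    ("security passwords min-length", None), ("logging console critical", None),
]
INTERFACE_CHECKS = [
    ("no ip redirects", True), ("no ip proxy-arp", True),
    ("no ip unreachables", True), ("no ip directed-broadcast", False),
    ("no ip mask-reply", False),
]
ETHERNET = re.compile(r"^(Fast|Gigabit)?Ethernet", re.I)   # MOP exists on Ethernet only

def parse_config(text):
    """Split `show run` into global lines and {interface name: [indented lines]}."""
    globals_, interfaces, current = [], {}, None
    for line in (l.rstrip() for l in text.splitlines()):
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            globals_.append(line)
    return globals_, interfaces

def has(lines, prefix):
    return any(l == prefix or l.startswith(prefix + " ") for l in lines)

def missing(lines, wanted, default_on):
    """True when `wanted` is not satisfied, taking the IOS default into account."""
    if default_on is False:
        return has(lines, wanted[3:])   # drop "no ": fail only if the feature was enabled
    return not has(lines, wanted)       # the positive line or the explicit "no" must exist

def audit(text):
    """Findings as 'scope: expected line'; an empty list means fully hardened."""
    globals_, interfaces = parse_config(text)
    findings = [f"global: {w}" for w, d in GLOBAL_CHECKS if missing(globals_, w, d)]
    for name, lines in interfaces.items():
        checks = INTERFACE_CHECKS + ([("no mop enabled", True)] if ETHERNET.match(name) else [])
        findings += [f"{name}: {w}" for w, d in checks if missing(lines, w, d)]
    return findings

# Constructed samples, trimmed from the before/after `sh run` captures above.
BEFORE = """no service password-encryption
no ip http server
interface FastEthernet0/0
 shutdown
end"""
AFTER = """no service pad
service password-encryption
service tcp-keepalives-in
security passwords min-length 6
logging console critical
no ip source-route
no ip gratuitous-arps
no ip bootp server
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 no mop enabled
no ip http server
no cdp run
end"""
```

`audit(BEFORE)` lists 13 gaps and `audit(AFTER)` returns an empty list; `no service finger` is not reported for either, because it is off by default and hidden from `show run`.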

Comparing the two captures, the diff is as follows.

--- D:/junk/startup-config-a.txt    Sat Jan 06 09:58:24 2018
+++ D:/junk/startup-config-b.txt    Sat Jan 06 09:58:32 2018
@@ -1,27 +1,38 @@
 R1#sh run
 Building configuration...

-Current configuration : 1398 bytes
+Current configuration : 2328 bytes
 !
 version 12.4
-service timestamps debug datetime msec
-service timestamps log datetime msec
-no service password-encryption
+no service pad
+service tcp-keepalives-in
+service tcp-keepalives-out
+service timestamps debug datetime msec localtime show-timezone
+service timestamps log datetime msec localtime show-timezone
+service password-encryption
+service sequence-numbers
 !
 hostname R1
 !
 boot-start-marker
 boot-end-marker
 !
+security authentication failure rate 10 log
+security passwords min-length 6
+logging buffered 4096
+logging console critical
 !
 no aaa new-model
 memory-size iomem 5
+no ip source-route
+no ip gratuitous-arps
 no ip icmp rate-limit unreachable
 ip cef
 !
 !
 !
 !
+no ip bootp server
 no ip domain lookup
 !
 multilink bundle-name authenticated
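Review bot: `no aaa new-model` is unchanged context in this hunk, so the no-interact run left authentication exactly as it was; the interactive run earlier on this page prompts for an enable secret, a local user and AAA local login on the con, aux and vty lines, and none of that is among the added lines here, so login protection still has to be configured by hand after `auto secure no-interact`. Note also that `logging buffered 4096` is the size IOS fills in for the bare `logging buffered` in the generated config, so the on-box log history is the 4 KB default.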
@@ -48,6 +59,7 @@
 !
 archive
  log config
+  logging enable
   hidekeys
 !
 !
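Review bot: `logging enable` under `archive log config` switches on configuration change logging, and the pre-existing `hidekeys` keeps passwords out of those records; keep both, but the archive log only has value if `show archive log config all` is actually reviewed or the device exports it to syslog.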
@@ -60,49 +72,79 @@
 !
 interface FastEthernet0/0
  no ip address
+ no ip redirects
+ no ip unreachables
+ no ip proxy-arp
  shutdown
  duplex auto
  speed auto
+ no mop enabled
 !
 interface Serial0/0
  no ip address
+ no ip redirects
+ no ip unreachables
+ no ip proxy-arp
  shutdown
  clock rate 2000000
 !
 interface FastEthernet0/1
  no ip address
+ no ip redirects
+ no ip unreachables
+ no ip proxy-arp
  shutdown
  duplex auto
  speed auto
+ no mop enabled
 !
 interface Serial0/1
  no ip address
+ no ip redirects
+ no ip unreachables
+ no ip proxy-arp
  shutdown
  clock rate 2000000
 !
 interface FastEthernet1/0
  no ip address
+ no ip redirects
+ no ip unreachables
+ no ip proxy-arp
  shutdown
  duplex auto
  speed auto
+ no mop enabled
 !
 interface Serial2/0
  no ip address
+ no ip redirects
+ no ip unreachables
+ no ip proxy-arp
  shutdown
  serial restart-delay 0
 !
 interface Serial2/1
  no ip address
+ no ip redirects
+ no ip unreachables
+ no ip proxy-arp
  shutdown
  serial restart-delay 0
 !
 interface Serial2/2
  no ip address
+ no ip redirects
+ no ip unreachables
+ no ip proxy-arp
  shutdown
  serial restart-delay 0
 !
 interface Serial2/3
  no ip address
+ no ip redirects
+ no ip unreachables
+ no ip proxy-arp
  shutdown
  serial restart-delay 0
 !
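Review bot: every interface in this hunk is still `shutdown`, so the added `no ip redirects`, `no ip unreachables` and `no ip proxy-arp` only take effect once a port is brought up; still correct to apply now, since the lines persist. Also, the generated config above listed `no ip directed-broadcast` and `no ip mask-reply` per interface, but neither shows in the diff because both are already the IOS default and `show run` does not display default settings.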
@@ -112,7 +154,10 @@
 no ip http server
 no ip http secure-server
 !
+logging trap debugging
+logging facility local2
 no cdp log mismatch duplex
+no cdp run
 !
 !
 !
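Review bot: `logging trap debugging` and `logging facility local2` set the syslog level and facility, but no `logging host` is added in this hunk, so nothing actually leaves the router; a remote syslog destination has to be configured separately for the trap level to matter. `no cdp run` disables CDP globally, which also removes the neighbour information operators get from `show cdp neighbors`, so confirm nothing depends on it before applying this in production.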
@@ -143,3 +188,4 @@
 !
 !
 end
+
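Review bot: whitespace-only hunk; the single added line after `end` is a trailing newline from how the capture was saved, not a configuration change.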


Cisco Router

  • Cisco ISR(Integrated Services Router)
  • Cisco ISR G2

Integrated Services Router

The G2 adds +100 to the model number and looks a lot cooler.

The capability descriptions are amusingly over the top, in a good way.
It makes you think of Gundam.

License

Couldn't check it in GNS3, since that runs the IOS 12 series.
Couldn't enter the command in VIRL 1.2.64 either.

I thought I could check it on a Catalyst 3750, but no luck.
It says it's not supported.

DSW2#sh ver
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 15.0(2)SE4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Wed 26-Jun-13 02:41 by prod_rel_team

ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(53r)SEY4, RELEASE SOFTWARE (fc1)

DSW2 uptime is 21 minutes
System returned to ROM by power-on
System image file is "flash:/c3750-ipservicesk9-mz.150-2.SE4/c3750-ipservicesk9-mz.150-2.SE4.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C3750V2-24TS (PowerPC405) processor (revision T0) with 131072K bytes of memory.
Processor board ID FDO1729Y0FV
Last reset from power-on
1 Virtual Ethernet interface
24 FastEthernet interfaces
2 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : C0:8C:60:45:52:00
Motherboard assembly number     : 73-12635-01
Power supply part number        : 341-0328-02
Motherboard serial number       : FDO172905K2
Power supply serial number      : DCA1727M23E
Model revision number           : T0
Motherboard revision number     : G0
Model number                    : WS-C3750V2-24TS-E
System serial number            : FDO1729Y0FV
Top Assembly Part Number        : 800-33979-03
Top Assembly Revision Number    : C0
Version ID                      : V08
CLEI Code Number                : COMKM10DRB
Hardware Board Revision Number  : 0x01


Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 26    WS-C3750V2-24TS    15.0(2)SE4            C3750-IPSERVICESK9-M


Configuration register is 0xF

DSW2#sh license
% License not supported on this device
DSW2#sh license feature
% Incomplete command.

DSW2#sh license feature ?
  switch  Switch license information

DSW2#sh license feature switch
% Incomplete command.

DSW2#sh license feature switch ?
  <1-9>  Switch number

DSW2#sh license feature switch 1
% License not supported on this device

This old guy is disappointed.


Cisco: terminal log output

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int f0/0
R1(config-if)#shut
R1(config-if)#
*Mar  1 01:03:46.359: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
*Mar  1 01:03:47.359: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
R1(config-if)#
R2#
*Mar  1 01:10:16.051: %LINK-5-CHANGED: Interface FastEthernet1/0, changed state to administratively down
*Mar  1 01:10:17.051: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to down
R2#

terminal monitor

R2#terminal monitor
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#end
R2#
*Mar  1 23:47:01.290: %SYS-5-CONFIG_I: Configured from console by vty1 (192.168.12.1)

service timestamps

month/day

R1(config)#^Z
R1#
*Mar  1 23:49:12.590: %SYS-5-CONFIG_I: Configured from console by console

uptime

R1(config)#service timestamps log uptime
R1(config)#^Z
R1#
23:49:30: %SYS-5-CONFIG_I: Configured from console by console

service timestamps log datetime

R1(config)#service timestamps log datetime
R1(config)#^Z
R1#
*Mar  1 23:51:03: %SYS-5-CONFIG_I: Configured from console by console
R1(config)#service timestamps log datetime msec localtime show-timezone
R1(config)#^Z
R1#
*Mar  1 23:52:46.042 UTC: %SYS-5-CONFIG_I: Configured from console by console

Doing the same for debug:

R1(config)#do debug ip icmp
ICMP packet debugging is on
R1(config)#do ping 192.168.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/12 ms
R1(config)#
*Mar  1 23:55:08.534: ICMP: echo reply rcvd, src 192.168.12.2, dst 192.168.12.1
*Mar  1 23:55:08.542: ICMP: echo reply rcvd, src 192.168.12.2, dst 192.168.12.1
*Mar  1 23:55:08.554: ICMP: echo reply rcvd, src 192.168.12.2, dst 192.168.12.1
*Mar  1 23:55:08.562: ICMP: echo reply rcvd, src 192.168.12.2, dst 192.168.12.1
*Mar  1 23:55:08.574: ICMP: echo reply rcvd, src 192.168.12.2, dst 192.168.12.1
R1(config)#service timestamps debug datetime msec localtime show-timezone
R1(config)#^Z
R1#
*Mar  1 23:55:54.534 UTC: %SYS-5-CONFIG_I: Configured from console by console
R1#ping 192.168.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/24 ms
R1#
*Mar  1 23:56:12.646 UTC: ICMP: echo reply rcvd, src 192.168.12.2, dst 192.168.12.1
*Mar  1 23:56:12.654 UTC: ICMP: echo reply rcvd, src 192.168.12.2, dst 192.168.12.1
*Mar  1 23:56:12.662 UTC: ICMP: echo reply rcvd, src 192.168.12.2, dst 192.168.12.1
*Mar  1 23:56:12.674 UTC: ICMP: echo reply rcvd, src 192.168.12.2, dst 192.168.12.1
*Mar  1 23:56:12.686 UTC: ICMP: echo reply rcvd, src 192.168.12.2, dst 192.168.12.1
R1#undebug all
All possible debugging has been turned off

So the recommended settings are:

service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
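As an added example (not part of the original post), a parser for the log-line variants shown above: it classifies each line's timestamp so a collector can tell which devices still emit uptime stamps or flag-prefixed ones (`*` = clock not authoritative, `.` = NTP sync lost) that cannot be correlated across devices. The optional numeric prefix handles `service sequence-numbers`, which the AutoSecure run enables; uptime forms with days or weeks are outside what this page shows and return None.

```python
import re

# Covers the stamp variants shown above: uptime (hh:mm:ss), datetime, datetime
# with msec and with show-timezone, each optionally prefixed by a sequence number.
LINE = re.compile(r"""
    ^(?:(?P<seq>\d+):\s)?                                 # 000042: (service sequence-numbers)
    (?P<flag>[*.])?                                       # * clock not authoritative, . NTP lost
    (?:(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+)?     # Mar  1   (datetime stamps only)
    (?P<time>\d{1,2}:\d{2}:\d{2})(?:\.(?P<ms>\d{3}))?     # 23:49:12[.590]
    (?:\s(?P<tz>[A-Z]{1,5}))?:\s                          # UTC      (show-timezone)
    (?:%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):\s)?  # %SYS-5-CONFIG_I:
    (?P<msg>.*)$""", re.X)

SEVERITY = ["emergencies", "alerts", "critical", "errors", "warnings",
            "notifications", "informational", "debugging"]

def parse(line):
    """Return a dict for an IOS log or debug line, or None if it is neither."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["kind"] = "uptime" if rec["mon"] is None else "datetime"
    # Only a wall-clock stamp without * or . comes from a synced, trusted clock.
    rec["authoritative"] = rec["kind"] == "datetime" and rec["flag"] is None
    rec["severity"] = SEVERITY[int(rec["sev"])] if rec["sev"] else None
    return rec

def timestamp_quality(rec):
    """How usable the stamp is off-box: uptime < datetime < +msec < +msec+tz."""
    if rec["kind"] == "uptime":
        return "uptime"                 # seconds since boot, meaningless across devices
    return "datetime" + ("+msec" if rec["ms"] else "") + ("+tz" if rec["tz"] else "")

def correlation_ready(line):
    """True only for msec + timezone stamps from an authoritative clock."""
    rec = parse(line)
    return bool(rec) and rec["authoritative"] and timestamp_quality(rec) == "datetime+msec+tz"

def quality_histogram(lines):
    """Count parsed lines per quality; a quick way to spot misconfigured senders."""
    counts = {}
    for rec in filter(None, map(parse, lines)):
        key = timestamp_quality(rec)
        if rec["kind"] == "datetime" and not rec["authoritative"]:
            key += "/unsynced"
        counts[key] = counts.get(key, 0) + 1
    return counts
```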


Cisco telnet

Configuration required on the R2 side

enable secret password
line vty 0 15
password password
login
end

Connecting

R1#telnet 192.168.12.2
Trying 192.168.12.2 ... Open


User Access Verification

Password:
R2>en
Password:
R2#

User list

When accessed via telnet from R1

R2>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:01:33
* 98 vty 0                idle                 00:00:00 192.168.12.1

  Interface    User               Mode         Idle     Peer Address

When using console access in GNS3

R2#show users
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00
  98 vty 0                idle                 00:00:41 192.168.12.1

  Interface    User               Mode         Idle     Peer Address

Exit Session

R2>exit

Resuming a session

[Connection to 192.168.12.2 closed by foreign host]

R1#telnet 192.168.12.2
Trying 192.168.12.2 ... Open


User Access Verification

Password:
R2>en
Password:
R2# ← Ctrl+Shift+6 X(or control+^ X)
R1#

R1#sh sessions
Conn Host                Address             Byte  Idle Conn Name
*  1 192.168.12.2        192.168.12.2           0     0 192.168.12.2

R1#resume 1
[Resuming connection 1 to 192.168.12.2 ... ]

R2#

To disconnect a telnet session

Ctrl+Shift+6 X

R2# ← Ctrl+Shift+6 X(or control+^ X)
R1#disconnect
Closing connection to 192.168.12.2 [confirm]
R1#sh sessions
% No connections open

R2#sh users
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00

  Interface    User               Mode         Idle     Peer Address

Killing abandoned or malicious sessions

R1#telnet 192.168.12.2
Trying 192.168.12.2 ... Open


User Access Verification

Password:
R2>en
Password:
R2#

R2#sh users
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00
  98 vty 0                idle                 00:00:26 192.168.12.1

  Interface    User               Mode         Idle     Peer Address

Exterminate them!

R2#clear line 98
[confirm]
 [OK]
R2#sh users
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00

  Interface    User               Mode         Idle     Peer Address

On the R1 side:

R2#
[Connection to 192.168.12.2 closed by foreign host]
R1#

During deployment work or in lab environments, the session timeout is often disabled:

exec-timeout 0 0
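An added helper (not from the original post) for the sweep described above: it parses `show users` output, skips the console and the operator's own session (the `*` row), and lists vty sessions idle longer than a threshold together with the matching `clear line` commands. With `exec-timeout 0 0` such sessions never expire on their own, so a sweep like this is what removes them. The sample output is constructed from the page's capture with one extra stale session, and the `1d02h` idle form is an assumption for rows idle a day or more.

```python
import re

# One session row of `show users`: optional "*" marks the current line, then line
# number, type and sub-number. The remaining columns are split afterwards because
# the User column may be empty, which breaks a naive whitespace split.
ROW = re.compile(r"^(?P<cur>\*)?\s*(?P<num>\d+)\s+(?P<type>con|aux|vty|tty)\s+\d+\s+(?P<rest>.+)$")
IDLE_HMS = re.compile(r"^(\d{1,2}):(\d{2}):(\d{2})$")
IDLE_DH = re.compile(r"^(\d+)d(\d{2})h$")   # assumed form for idle >= 1 day, e.g. 1d02h

def idle_seconds(token):
    """Convert an Idle column value to seconds, or None if the token is not one."""
    m = IDLE_HMS.match(token)
    if m:
        h, mi, s = map(int, m.groups())
        return h * 3600 + mi * 60 + s
    m = IDLE_DH.match(token)
    return int(m.group(1)) * 86400 + int(m.group(2)) * 3600 if m else None

def parse_show_users(output):
    """One dict per session row; the header and the Interface section are skipped."""
    sessions = []
    for raw in output.splitlines():
        m = ROW.match(raw)
        if not m:
            continue
        tokens = m.group("rest").split()
        idx = next((i for i, t in enumerate(tokens) if idle_seconds(t) is not None), None)
        if idx is None:
            continue
        sessions.append({
            "line": int(m.group("num")), "type": m.group("type"),
            "current": m.group("cur") == "*",
            "user": tokens[idx - 2] if idx >= 2 else None,      # column may be blank
            "hosts": tokens[idx - 1] if idx >= 1 else None,
            "idle": idle_seconds(tokens[idx]),
            "location": tokens[idx + 1] if idx + 1 < len(tokens) else None,
        })
    return sessions

def stale_sessions(output, max_idle):
    """vty sessions idle longer than max_idle seconds; never the console or our own line."""
    return [s for s in parse_show_users(output)
            if s["type"] == "vty" and not s["current"] and s["idle"] > max_idle]

def clear_commands(output, max_idle):
    """The `clear line N` commands an operator would review before running them."""
    return [f"clear line {s['line']}" for s in stale_sessions(output, max_idle)]

# Constructed from the capture above, plus one extra stale session on line 99.
SAMPLE = """\
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00
  98 vty 0                idle                 00:00:26 192.168.12.1
  99 vty 1     wataru     idle                 01:12:09 192.168.12.5

  Interface    User               Mode         Idle     Peer Address
"""
```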


Accessing Nginx on an IPv6 Ready server over IPv6 gave me a 404, plus some thoughts on where IPv6 is heading

About getting a 404 when accessing my blog (:80) over IPv6

It started when I got curious about where my blog was being linked from and followed the referrers.
I noticed it was being referenced from Hatena Blog, and next to the link to my blog, a little above it, there was what looked like an iframe embed showing an Nginx 404 page.

I was smiling at Hatena Blog, but the one to be smiled at was me.
When I clicked the link to my own blog, I got a 404.
It should have redirected, but instead it was an Nginx 404.
So the 404 shown in the iframe was being served by the Nginx on my own server.

The cause here was that Nginx itself was configured to listen only on IPv4.

I don't use port 80 for anything except a virtual host that only does redirects.
I wouldn't have noticed otherwise.

About half a year ago I migrated from Hatena Blog to this self-hosted WordPress blog and set up redirects.
The redirects were needed because Hatena and WordPress use different article URL schemes.
Since accesses to old articles can be expected to keep arriving with the Hatena URL scheme for a while, I put 301 redirects in place.

Recent carriers (ISPs) hand out dual-stack, internet-reachable IPv6 addresses by default, so my parents' house, one step away from being a depopulated village, had an IPv6 address like everyone else.

My server runs on Sakura VPS, where an IPv6 GUA (Global Unicast Address) is assigned by default, so I had registered an AAAA record in Route 53 along with the other DNS records.
I also wanted to play with IPv6.

Excerpt from the Nginx log. The IPv6 prefix has been replaced with the documentation prefix.
Just as IPv4 has TEST-NET and domain names have example.com, IPv6 has an equivalent of TEST-NET.

2001:db8::50:d7f8:c233:1 - - [01/Jan/2018:10:12:59 +0900] "GET /entry/2014/11/09/232916 HTTP/1.1" 404 564 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36" "-"

2001:db8::50:d7f8:c233:1 - - [01/Jan/2018:10:24:34 +0900] "GET /entry/2014/11/09/232916 HTTP/1.1" 404 564 "http://example.com/entry/2015/08/02/022855" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36" "-"

2001:db8::50:d7f8:c233:1 - - [01/Jan/2018:10:29:54 +0900] "GET /entry/2014/11/09/20141109232916/ HTTP/1.1" 404 63388 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36" "-"

2001:db8::50:d7f8:c233:1 - - [01/Jan/2018:10:30:55 +0900] "GET /embed/2014/11/09/232916 HTTP/1.1" 404 63358 "http://example.com/entry/2015/08/02/022855" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36" "-"

The accesses are coming in over IPv6.
If my blog had been completely unreachable I would have noticed when I arrived at my parents' place and sat down to write a post, but the SSL version had the default setting in place, so it wasn't affected.

There were also /embed/ accesses from oEmbed, so I added a redirect rule for those too.
So there are standard embed-protocol accesses like this as well.

Before

server {
    listen 80;

    # from hatenablog access (normal)
    rewrite ^/entry/([a-zA-Z0-9]+)/([a-zA-Z0-9]+)/([a-zA-Z0-9]+)/(.+)$ https://blog.pg1x.com/$1/$2/$3/$1$2$3$4/ permanent;
    rewrite ^(.*)$ https://blog.pg1x.com$1 permanent;

}

server {
    listen 443 default ssl;

After

server {
    listen 80;
    listen [::]:80;

    # from hatenablog access (normal)
    rewrite ^/entry/([a-zA-Z0-9]+)/([a-zA-Z0-9]+)/([a-zA-Z0-9]+)/(.+)$ https://blog.pg1x.com/$1/$2/$3/$1$2$3$4/ permanent;
    # from hatenablog access (oEmbed)
    rewrite ^/embed/([a-zA-Z0-9]+)/([a-zA-Z0-9]+)/([a-zA-Z0-9]+)/(.+)$ https://blog.pg1x.com/$1/$2/$3/$1$2$3$4/embed permanent;
    rewrite ^(.*)$ https://blog.pg1x.com$1 permanent;

}

server {
    listen 443 default ssl;
    listen [::]:443 ssl;

The important part is the listen [::]:80 and [::]:443 lines.

Also, with Nginx 1.3.4 or later, ipv6only=on is not needed.

Option ipv6only=on might not be needed anymore and on the contrary potentially create issues.

http://nginx.org/en/CHANGES

Changes with nginx 1.3.4 31 Jul 2012

*) Change: the “ipv6only” parameter is now turned on by default for
listening IPv6 sockets.

[wnoguchi@mx1 ~]$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
http://blog.pg1x.com/entry/2014/11/09/232916
http://blog.pg1x.com/entry/2014/08/12/175950-mac-mavericks-vagrant-omnibus-nokogiri-install-failure

Once I confirmed that both the redirects and the oEmbed embed display correctly, that was done.
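As an added example (not the post's own tooling), a small checker for exactly this mistake: it walks each `server { }` block, records which address families every port listens on, and flags ports served over only one of them, including the reverse case where `listen [::]:80` alone leaves IPv4 unserved because ipv6only defaults to on since 1.3.4; `ipv6only=on` is also reported as redundant. The sample configs are constructed from the Before/After snippets above, with the blocks closed so they parse.

```python
import re

def server_blocks(conf):
    """Yield the body of each `server { ... }` block; comments are stripped first."""
    conf = re.sub(r"#[^\n]*", "", conf)
    pos = 0
    while True:
        m = re.search(r"\bserver\s*\{", conf[pos:])
        if not m:
            return
        start = pos + m.end()
        depth, i = 1, start
        while depth and i < len(conf):          # brace matching, nested blocks allowed
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[start:i - 1]
        pos = i

def parse_listen(arg):
    """(family, port) for the address part of a listen directive, None for unix:."""
    if arg.startswith("unix:"):
        return None
    if arg.startswith("["):                              # [::]:80, [::1]:443
        _, _, port = arg[1:].partition("]")
        return "v6", int(port.lstrip(":") or 80)
    if ":" in arg:                                       # 0.0.0.0:80, 127.0.0.1:8080
        return "v4", int(arg.rsplit(":", 1)[1])
    return "v4", (int(arg) if arg.isdigit() else 80)     # bare port, or host name -> 80

def check(conf):
    """Per server block: ports that will answer over only one address family."""
    findings = []
    for n, body in enumerate(server_blocks(conf), 1):
        families = {}                                    # port -> {"v4", "v6"}
        for m in re.finditer(r"^\s*listen\s+([^;]+);", body, re.M):
            args = m.group(1).split()
            parsed = parse_listen(args[0])
            if not parsed:
                continue
            family, port = parsed
            families.setdefault(port, set()).add(family)
            if family == "v6" and "ipv6only=on" in args:
                findings.append(f"server {n}: port {port}: ipv6only=on is redundant since nginx 1.3.4")
            if family == "v6" and "ipv6only=off" in args:
                families[port].add("v4")                 # dual-stack socket (Linux bindv6only=0 assumed)
        for port, fams in sorted(families.items()):
            if fams == {"v4"}:
                findings.append(f"server {n}: port {port}: IPv4 only, add `listen [::]:{port};`")
            elif fams == {"v6"}:
                findings.append(f"server {n}: port {port}: IPv6 only, add `listen {port};`")
    return findings

# Constructed from the Before/After snippets above, with the blocks closed.
BEFORE = """
server {
    listen 80;
    # from hatenablog access (normal)
    rewrite ^(.*)$ https://blog.pg1x.com$1 permanent;
}
server {
    listen 443 default ssl;
}
"""
AFTER = BEFORE.replace("listen 80;", "listen 80;\n    listen [::]:80;") \
              .replace("listen 443 default ssl;", "listen 443 default ssl;\n    listen [::]:443 ssl;")
```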

Let's talk about the future of IPv6

More than ten years ago we were told the future was IPv6, yet IPv4 global addresses showed no sign of running out, and back then I wondered whether IPv6 would become mainstream in my lifetime.
Somewhere I saw a Hatena Bookmark comment saying "IPv4 is like oil" and thought, fair enough.

And so we arrive at the present, where lately I feel global IPv6 addresses are spreading slowly but surely.
Google supports IPv6 as a matter of course, and AWS EC2 and VPC have started to support IPv6.
NURO, INTERLINK, au Hikari and mobile routers such as UQ WiMAX all hand out IPv6 by default.
People who use internet access the way they use electricity, water and gas probably won't notice that IPv6 is spreading.
Well, IPv6 spreading without anyone noticing is the ideal, I think.
That is how the internet has become everyday infrastructure.
It made me feel that the day IPv4 becomes a legacy Layer 3 protocol is not far off.

But I was surprised the other day that MIT sold part of its class A IP address block to Amazon.
You rarely get to see a class A global IP address block.
Specifically, was it the 18.145.0.0/16 network that was sold?
A full 65536 (65534 if you exclude the network and broadcast addresses) contiguous addresses.

  1. MIT No Longer Owns 18.0.0.0/8 – Slashdot
  2. Whois-RWS
  3. MIT no longer owns 18.0.0.0/8