If you want the Linux version, it’s Oracle Solaris Studio Express, for Linux. Nope, that’s not confusing at all.

So if we want to authenticate neighbour routers in OSPFv3, IPSec AH needs to be set up. Cisco makes this fairly easy, however it’s a little harder under Linux because the routing service doesn’t handle the encryption internally.

Let’s start with a working OSPFv3 configuration without any authentication. Here are two Linux machines with a few network interfaces set up. Eth1 is the interface connecting the two routers over which we’ll be talking OSPF, and eth2 is an interface with a global unicast IPv6 /64 behind it – this is the subnet for which we’ll be exchanging routes across OSPF:

root@router1:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:9a:df:25 brd ff:ff:ff:ff:ff:ff
    inet 172.31.250.41/24 brd 172.31.250.255 scope global eth0
    inet6 fe80::a00:27ff:fe9a:df25/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:7e:8d:0f brd ff:ff:ff:ff:ff:ff
    inet 172.31.251.11/24 brd 172.31.251.255 scope global eth1
    inet6 fe80::a00:27ff:fe7e:8d0f/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:96:4d:f6 brd ff:ff:ff:ff:ff:ff
    inet6 2002:f0f0:f0f0:1001::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe96:4df6/64 scope link
       valid_lft forever preferred_lft forever
root@router1:~# 

root@router2:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:6b:2f:c3 brd ff:ff:ff:ff:ff:ff
    inet 172.31.250.61/24 brd 172.31.250.255 scope global eth0
    inet6 fe80::a00:27ff:fe6b:2fc3/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:b4:ce:0d brd ff:ff:ff:ff:ff:ff
    inet 172.31.251.12/24 brd 172.31.251.255 scope global eth1
    inet6 fe80::a00:27ff:feb4:ce0d/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:0e:99:57 brd ff:ff:ff:ff:ff:ff
    inet6 2002:f0f0:f0f0:1002::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe0e:9957/64 scope link
       valid_lft forever preferred_lft forever
root@router2:~# 

root@router1:~# ip -6 route
2002:f0f0:f0f0:1001::/64 dev eth2  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth1  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth2  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
root@router1:~# 

root@router2:~# ip -6 route
2002:f0f0:f0f0:1002::/64 dev eth2  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth1  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth2  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
root@router2:~# 

I’m using quagga as the OSPF implementation in these examples, however BIRD or XORP would also work. Here’s the OSPF configuration for each of the routers:

root@router1:~# VTYSH_PAGER=cat vtysh
Hello, this is Quagga (version 0.99.13).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
router1# show run
Building configuration...
Current configuration:
!
end
!
debug ospf6 lsa unknown
!
interface eth0
 ipv6 nd suppress-ra
!
interface eth1
 ipv6 nd suppress-ra
 ipv6 ospf6 cost 1
 ipv6 ospf6 dead-interval 40
 ipv6 ospf6 hello-interval 10
 ipv6 ospf6 instance-id 0
 ipv6 ospf6 priority 1
 ipv6 ospf6 retransmit-interval 5
 ipv6 ospf6 transmit-delay 1
!
interface eth2
 ipv6 nd suppress-ra
!
interface lo
!
router ospf6
 router-id 172.31.250.41
 redistribute kernel
 redistribute connected
 redistribute static
 interface eth1 area 172.31.250.0
!
line vty
!
router1# 

root@router2:~# VTYSH_PAGER=cat vtysh
Hello, this is Quagga (version 0.99.13).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
router2# show run
Building configuration...
Current configuration:
!
end
!
debug ospf6 lsa unknown
!
interface eth0
 ipv6 nd suppress-ra
!
interface eth1
 ipv6 nd suppress-ra
 ipv6 ospf6 cost 1
 ipv6 ospf6 dead-interval 40
 ipv6 ospf6 hello-interval 10
 ipv6 ospf6 instance-id 0
 ipv6 ospf6 priority 1
 ipv6 ospf6 retransmit-interval 5
 ipv6 ospf6 transmit-delay 1
!
interface eth2
 ipv6 nd suppress-ra
!
interface lo
!
router ospf6
 router-id 172.31.250.61
 redistribute kernel
 redistribute connected
 redistribute static
 interface eth1 area 172.31.250.0
!
line vty
!
router2# 

After starting quagga on both sides, the vtysh command ’show ipv6 ospf neighbor’ will list the other routers the OSPF process has discovered. After a minute or so, the ’state’ column in the command’s output will change to ‘Full’, and the routers will begin exchanging routes:

root@router1:~# /etc/init.d/quagga start
Loading capability module if not yet done.
Starting Quagga daemons (prio:10): zebra ospf6d.
root@router1:~#

root@router2:~# /etc/init.d/quagga start
Loading capability module if not yet done.
Starting Quagga daemons (prio:10): zebra ospf6d.
root@router2:~#

root@router1:~# VTYSH_PAGER=cat vtysh
Hello, this is Quagga (version 0.99.13).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
router1# show ipv6 ospf6 neighbor
Neighbor ID     Pri    DeadTime  State/IfState         Duration I/F[State]
172.31.250.61     1    00:00:32   Init/DROther         00:00:08 eth1[Waiting]
router1# show ipv6 ospf6 neighbor
Neighbor ID     Pri    DeadTime  State/IfState         Duration I/F[State]
172.31.250.61     1    00:00:37   Full/DR              00:00:03 eth1[BDR]
router1# show ipv6 ospf6 route
*N E1 2002:f0f0:f0f0:1002::/64       fe80::a00:27ff:feb4:ce0d    eth1 00:00:06
router1# exit
root@router1:~#

root@router2:~# VTYSH_PAGER=cat vtysh
Hello, this is Quagga (version 0.99.13).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
router2# show ipv6 ospf6 neighbor
Neighbor ID     Pri    DeadTime  State/IfState         Duration I/F[State]
172.31.250.41     1    00:00:32   Full/BDR             00:00:26 eth1[DR]
router2# show ipv6 ospf6 route
*N E1 2002:f0f0:f0f0:1001::/64       fe80::a00:27ff:fe7e:8d0f    eth1 00:00:29
router2# exit
root@router2:~#

These routes can also be viewed in the kernel’s route table:

root@router1:~# ip -6 route
2002:f0f0:f0f0:1001::/64 dev eth2  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
2002:f0f0:f0f0:1002::/64 via fe80::a00:27ff:feb4:ce0d dev eth1  proto zebra  metric 1  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth1  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth2  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
root@router1:~#

root@router2:~# ip -6 route
2002:f0f0:f0f0:1001::/64 via fe80::a00:27ff:fe7e:8d0f dev eth1  proto zebra  metric 1  mtu 1500 advmss 1440 hoplimit 0
2002:f0f0:f0f0:1002::/64 dev eth2  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth1  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth2  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
root@router2:~#

The output of tcpdump while this process is happening looks like this:

root@router1:~# tcpdump -ni eth1 ip6 protochain ospf
Warning: Kernel filter failed: Invalid argument
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
11:11:19.802890 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: OSPFv3, Hello, length 36
11:11:20.971742 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: OSPFv3, Hello, length 36
11:11:29.803137 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: OSPFv3, Hello, length 40
11:11:30.969685 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: OSPFv3, Hello, length 40
11:11:39.812934 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: OSPFv3, Hello, length 40
11:11:40.969455 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: OSPFv3, Hello, length 40
11:11:49.824862 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: OSPFv3, Hello, length 40
11:11:50.974595 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: OSPFv3, Hello, length 40
11:11:59.813984 IP6 fe80::a00:27ff:fe7e:8d0f > fe80::a00:27ff:feb4:ce0d: OSPFv3, Database Description, length 28
11:11:59.829019 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: OSPFv3, Hello, length 40
11:12:00.972114 IP6 fe80::a00:27ff:feb4:ce0d > fe80::a00:27ff:fe7e:8d0f: OSPFv3, Database Description, length 28
11:12:00.972334 IP6 fe80::a00:27ff:fe7e:8d0f > fe80::a00:27ff:feb4:ce0d: OSPFv3, Database Description, length 68
11:12:00.972925 IP6 fe80::a00:27ff:feb4:ce0d > fe80::a00:27ff:fe7e:8d0f: OSPFv3, LS-Request, length 40
11:12:00.972937 IP6 fe80::a00:27ff:feb4:ce0d > fe80::a00:27ff:fe7e:8d0f: OSPFv3, Database Description, length 68
11:12:00.973037 IP6 fe80::a00:27ff:fe7e:8d0f > fe80::a00:27ff:feb4:ce0d: OSPFv3, LS-Update, length 100
11:12:00.973157 IP6 fe80::a00:27ff:fe7e:8d0f > fe80::a00:27ff:feb4:ce0d: OSPFv3, LS-Request, length 40
11:12:00.973263 IP6 fe80::a00:27ff:fe7e:8d0f > fe80::a00:27ff:feb4:ce0d: OSPFv3, Database Description, length 28
11:12:00.974227 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: OSPFv3, Hello, length 40
11:12:00.974241 IP6 fe80::a00:27ff:feb4:ce0d > fe80::a00:27ff:fe7e:8d0f: OSPFv3, LS-Update, length 100
11:12:00.974245 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: OSPFv3, LS-Update, length 92
11:12:00.975881 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: OSPFv3, LS-Update, length 60
11:12:03.978931 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: OSPFv3, LS-Ack, length 96
11:12:03.980485 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: OSPFv3, LS-Ack, length 76
11:12:09.833885 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: OSPFv3, Hello, length 40
^C
24 packets captured
36 packets received by filter
0 packets dropped by kernel
root@router1:~#

So that’s OSPF running – now we need to wrap some authentication around it. In order to make the configuration simpler, I’m setting up manually keyed AH using setkey, which is part of IPsec-Tools. Manual keying means the ISAKMP step can be skipped entirely, and using AH rather than ESP the OSPF packets will be visible on the wire with the AH header attached.

The setkey script being run at each side is identical:

root@router1:~# cat linux-linux.setkey
#!/usr/sbin/setkey -f

# Router1 is fe80::a00:27ff:fe7e:8d0f
# Router2 is fe80::a00:27ff:feb4:ce0d

flush;
spdflush;

add -6 fe80::a00:27ff:fe7e:8d0f ff02::5 ah 0x10001 -A hmac-sha1 "ospfv3 shared secret";
add -6 fe80::a00:27ff:feb4:ce0d ff02::5 ah 0x10002 -A hmac-sha1 "ospfv3 shared secret";

add -6 fe80::a00:27ff:feb4:ce0d fe80::a00:27ff:fe7e:8d0f ah 0x20001 -A hmac-sha1 "ospfv3 shared secret";
add -6 fe80::a00:27ff:fe7e:8d0f fe80::a00:27ff:feb4:ce0d ah 0x20001 -A hmac-sha1 "ospfv3 shared secret";

spdadd ::/0 ::/0 ospf -P out ipsec ah/transport//require;
spdadd ::/0 ::/0 ospf -P in ipsec ah/transport//require;
root@router1:~# 

root@router2:~# cat linux-linux.setkey
#!/usr/sbin/setkey -f

# Router1 is fe80::a00:27ff:fe7e:8d0f
# Router2 is fe80::a00:27ff:feb4:ce0d

flush;
spdflush;

add -6 fe80::a00:27ff:fe7e:8d0f ff02::5 ah 0x10001 -A hmac-sha1 "ospfv3 shared secret";
add -6 fe80::a00:27ff:feb4:ce0d ff02::5 ah 0x10002 -A hmac-sha1 "ospfv3 shared secret";

add -6 fe80::a00:27ff:feb4:ce0d fe80::a00:27ff:fe7e:8d0f ah 0x20001 -A hmac-sha1 "ospfv3 shared secret";
add -6 fe80::a00:27ff:fe7e:8d0f fe80::a00:27ff:feb4:ce0d ah 0x20001 -A hmac-sha1 "ospfv3 shared secret";

spdadd ::/0 ::/0 ospf -P out ipsec ah/transport//require;
spdadd ::/0 ::/0 ospf -P in ipsec ah/transport//require;
root@router2:~# 

The four ‘add’ lines create the four security associations. The first two allow for packets sent from eth1’s link-locak address on each router to ff02::5, which is the “All OSPFv3 Routers” link-local reserved multicast address. The second pair allow for AH-protected direct communication between the two routers. The ’spdadd’ lines configure the network stack to require AH authentication for all inbound and outbound OSPF traffic.

After loading the setkey script, the security association database can be viewed by running ’setkey -D’:

root@router1:~# ./linux-linux.setkey
root@router1:~# setkey -D
fe80::a00:27ff:fe7e:8d0f fe80::a00:27ff:feb4:ce0d
        ah mode=transport spi=131073(0x00020001) reqid=0(0x00000000)
        A: hmac-sha1  6f737066 76332073 68617265 64207365 63726574
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Apr 16 11:04:56 2010   current: Apr 16 11:04:58 2010
        diff: 2(s)      hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=2511 refcnt=0
fe80::a00:27ff:feb4:ce0d fe80::a00:27ff:fe7e:8d0f
        ah mode=transport spi=131073(0x00020001) reqid=0(0x00000000)
        A: hmac-sha1  6f737066 76332073 68617265 64207365 63726574
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Apr 16 11:04:56 2010   current: Apr 16 11:04:58 2010
        diff: 2(s)      hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=2 pid=2511 refcnt=0
fe80::a00:27ff:feb4:ce0d ff02::5
        ah mode=transport spi=65538(0x00010002) reqid=0(0x00000000)
        A: hmac-sha1  6f737066 76332073 68617265 64207365 63726574
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Apr 16 11:04:56 2010   current: Apr 16 11:04:58 2010
        diff: 2(s)      hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=3 pid=2511 refcnt=0
fe80::a00:27ff:fe7e:8d0f ff02::5
        ah mode=transport spi=65537(0x00010001) reqid=0(0x00000000)
        A: hmac-sha1  6f737066 76332073 68617265 64207365 63726574
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Apr 16 11:04:56 2010   current: Apr 16 11:04:58 2010
        diff: 2(s)      hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=2511 refcnt=0
root@router1:~# 

Restart Quagga (assuming it’s not already running), and the adjacency will appear in the list as before:

root@router1:~# /etc/init.d/quagga start
Loading capability module if not yet done.
Starting Quagga daemons (prio:10): zebra ospf6d.
root@router1:~#

root@router2:~# /etc/init.d/quagga start
Loading capability module if not yet done.
Starting Quagga daemons (prio:10): zebra ospf6d.
root@router2:~#

root@router1:~# VTYSH_PAGER=cat vtysh
Hello, this is Quagga (version 0.99.13).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
router1# show ipv6 ospf6 neighbor
Neighbor ID     Pri    DeadTime  State/IfState         Duration I/F[State]
172.31.250.61     1    00:00:30   Init/DROther         00:00:09 eth1[Waiting]
router1# show ipv6 ospf6 neighbor
Neighbor ID     Pri    DeadTime  State/IfState         Duration I/F[State]
172.31.250.61     1    00:00:36   Full/DR              00:00:04 eth1[BDR]
router1# exit
root@router1:~#

root@router1:~# ip -6 route
2002:f0f0:f0f0:1001::/64 dev eth2  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
2002:f0f0:f0f0:1002::/64 via fe80::a00:27ff:feb4:ce0d dev eth1  proto zebra  metric 1  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth1  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth2  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0
root@router1:~#

This time, however, tcpdump shows that the traffic between the routers has the AH header attached, with a cryptographic signature verifying the identity of the neighbour router:

root@router1:~# tcpdump -ni eth1 ip6 protochain ospf
Warning: Kernel filter failed: Invalid argument
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
11:15:02.997348 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: AH(spi=0x00010001,seq=0x1): OSPFv3, Hello, length 36
11:15:04.701022 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: AH(spi=0x00010002,seq=0x1): OSPFv3, Hello, length 36
11:15:13.001028 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: AH(spi=0x00010001,seq=0x2): OSPFv3, Hello, length 40
11:15:14.706083 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: AH(spi=0x00010002,seq=0x2): OSPFv3, Hello, length 40
11:15:23.011476 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: AH(spi=0x00010001,seq=0x3): OSPFv3, Hello, length 40
11:15:24.711929 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: AH(spi=0x00010002,seq=0x3): OSPFv3, Hello, length 40
11:15:33.021316 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: AH(spi=0x00010001,seq=0x4): OSPFv3, Hello, length 40
11:15:34.716145 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: AH(spi=0x00010002,seq=0x4): OSPFv3, Hello, length 40
11:15:43.012602 IP6 fe80::a00:27ff:fe7e:8d0f > fe80::a00:27ff:feb4:ce0d: AH(spi=0x00020001,seq=0x1): OSPFv3, Database Description, length 28
11:15:43.025608 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: AH(spi=0x00010001,seq=0x5): OSPFv3, Hello, length 40
11:15:44.704244 IP6 fe80::a00:27ff:feb4:ce0d > fe80::a00:27ff:fe7e:8d0f: AH(spi=0x00020001,seq=0x1): OSPFv3, Database Description, length 28
11:15:44.704499 IP6 fe80::a00:27ff:fe7e:8d0f > fe80::a00:27ff:feb4:ce0d: AH(spi=0x00020001,seq=0x2): OSPFv3, Database Description, length 68
11:15:44.705260 IP6 fe80::a00:27ff:feb4:ce0d > fe80::a00:27ff:fe7e:8d0f: AH(spi=0x00020001,seq=0x2): OSPFv3, LS-Request, length 40
11:15:44.705281 IP6 fe80::a00:27ff:feb4:ce0d > fe80::a00:27ff:fe7e:8d0f: AH(spi=0x00020001,seq=0x3): OSPFv3, Database Description, length 68
11:15:44.705406 IP6 fe80::a00:27ff:fe7e:8d0f > fe80::a00:27ff:feb4:ce0d: AH(spi=0x00020001,seq=0x3): OSPFv3, LS-Update, length 100
11:15:44.705472 IP6 fe80::a00:27ff:fe7e:8d0f > fe80::a00:27ff:feb4:ce0d: AH(spi=0x00020001,seq=0x4): OSPFv3, LS-Request, length 40
11:15:44.705510 IP6 fe80::a00:27ff:fe7e:8d0f > fe80::a00:27ff:feb4:ce0d: AH(spi=0x00020001,seq=0x5): OSPFv3, Database Description, length 28
11:15:44.706691 IP6 fe80::a00:27ff:feb4:ce0d > fe80::a00:27ff:fe7e:8d0f: AH(spi=0x00020001,seq=0x4): OSPFv3, LS-Update, length 100
11:15:44.706716 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: AH(spi=0x00010002,seq=0x5): OSPFv3, LS-Update, length 92
11:15:44.716271 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: AH(spi=0x00010002,seq=0x6): OSPFv3, Hello, length 40
11:15:47.712150 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: AH(spi=0x00010001,seq=0x6): OSPFv3, LS-Ack, length 96
11:15:47.712389 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: AH(spi=0x00010002,seq=0x7): OSPFv3, LS-Ack, length 56
11:15:49.711795 IP6 fe80::a00:27ff:fe7e:8d0f > fe80::a00:27ff:feb4:ce0d: AH(spi=0x00020001,seq=0x6): OSPFv3, LS-Update, length 60
11:15:52.716154 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: AH(spi=0x00010002,seq=0x8): OSPFv3, LS-Ack, length 36
11:15:53.025925 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: AH(spi=0x00010001,seq=0x7): OSPFv3, Hello, length 40
11:15:54.722931 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: AH(spi=0x00010002,seq=0x9): OSPFv3, Hello, length 40
11:16:03.032684 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: AH(spi=0x00010001,seq=0x8): OSPFv3, Hello, length 40
11:16:04.726516 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: AH(spi=0x00010002,seq=0xa): OSPFv3, Hello, length 40
11:16:13.041695 IP6 fe80::a00:27ff:fe7e:8d0f > ff02::5: AH(spi=0x00010001,seq=0x9): OSPFv3, Hello, length 40
11:16:14.732027 IP6 fe80::a00:27ff:feb4:ce0d > ff02::5: AH(spi=0x00010002,seq=0xb): OSPFv3, Hello, length 40
^C
30 packets captured
42 packets received by filter
0 packets dropped by kernel
root@router1:~# 

The box with the gear in it arrived a couple of days later.  Despite several layers of bubble wrap and bunched up newspaper, PBT had done their best to cause as much damage as possible.  The photos tell it better than I can:

The 2600 came out best - minor damage to the front panel and a dent in the right rear corner of the chassis.

The 3640's front panel was completely destroyed...

...with enough force to drive plastic between the lid and case.

The handles for those removable modules are supposed to be horizontal

One corner of the rear panel of the power supply was bashed in a bit. That metal is close to 1mm thick.

Assorted pieces of the front panels. The mainly whole one was from the RPS power supply, but the clips that hold it onto the chassis are long gone.

Given that there’s significant damage to both the front and back of the gear, I suspect it’s been dropped (or had stuff dropped onto it) more than once.  Needless to say I’ll be doing my best to avoid PBT from now on.

The good news is that the damage seems to be all cosmetic – all the equipment powers on and seems to function as it should.

Plugging it into the laptop running OpenSolaris, the MicroSD reader and CDRom device were detected by the kernel and appeared in Gnome’s file manager without any issues, however there was no sign of the serial device:

Jan 28 14:09:13 pkunk usba: [ID 912658 kern.info] USB 1.10 device (usb1199,fff) operating at full speed (USB 1.x) on USB 1.10 root hub: storage@2, scsa2usb2 at bus address 3
Jan 28 14:09:13 pkunk usba: [ID 349649 kern.info] Sierra Wireless USB MMC Storage SWOC22905731
Jan 28 14:09:13 pkunk genunix: [ID 936769 kern.info] scsa2usb2 is /pci@0,0/pci1028,188@1d,3/storage@2
Jan 28 14:09:13 pkunk genunix: [ID 408114 kern.info] /pci@0,0/pci1028,188@1d,3/storage@2 (scsa2usb2) online
Jan 28 14:09:14 pkunk scsi: [ID 193665 kern.info] sd4 at scsa2usb2: target 0 lun 0
Jan 28 14:09:14 pkunk genunix: [ID 936769 kern.info] sd4 is /pci@0,0/pci1028,188@1d,3/storage@2/disk@0,0
Jan 28 14:09:14 pkunk genunix: [ID 408114 kern.info] /pci@0,0/pci1028,188@1d,3/storage@2/disk@0,0 (sd4) online
Jan 28 14:09:14 pkunk scsi: [ID 193665 kern.info] sd5 at scsa2usb2: target 0 lun 1
Jan 28 14:09:14 pkunk genunix: [ID 936769 kern.info] sd5 is /pci@0,0/pci1028,188@1d,3/storage@2/disk@0,1
Jan 28 14:09:14 pkunk genunix: [ID 408114 kern.info] /pci@0,0/pci1028,188@1d,3/storage@2/disk@0,1 (sd5) online
Jan 28 14:09:14 pkunk genunix: [ID 314293 kern.info] device pciclass,030000@0(display#0) keeps up device sd@0,0(disk#4), but the latter is not power managed
Jan 28 14:09:14 pkunk genunix: [ID 314293 kern.info] device pciclass,030000@0(display#0) keeps up device sd@0,1(disk#5), but the latter is not power managed

The device can operate in two different modes – by default it’ll put itself in ‘Tru Install’ mode, which hides the modem device and exposes the virtual CDRom drive containing the drivers.  The other mode hides the CDRom device and allows the modem to be used to dial out, and it’s up to the driver to perform the switch.

Obviously the Windows driver that comes with the device won’t work under OpenSolaris, but a gent called Patrick Arnoux has written a utility to enable the modem.  I found it attached to this mailing list post, but I’ve put up a copy here in case the mailing list archives ever go away.

As the comments at the top of the source file describe, some other configuration needs to be in place before it’ll work.  Specifically, you need to tell OpenSolaris which driver to use for the USB devices:

pkunk:~ # update_drv -a -i 'usb1199,fff' ugen
devfsadm: driver failed to attach: ugen
Warning: Driver (ugen) successfully added to system but failed to attach
pkunk:~ # update_drv -a -i 'usb1199,23' usbsacm
devfsadm: driver failed to attach: usbsacm
Warning: Driver (usbsacm) successfully added to system but failed to attach
pkunk:~ #

The first command tells the OS to use the generic USB character device driver for the initial device that gets detected (vendor id 1199, device id 0fff).  I’m not entirely sure whether or not this is necessary, but haven’t experimented.  It does have the effect of preventing the Micro SD and CDRom devices appearing.  The second command ties the USB ACM driver to the modem device (vendor id 1199, device id 0023).  This device ID is different from the one in the source code comments, but it will vary from modem to modem.  0023 is the correct value for the Sierra Wireless 597.

After running those two commands, the following lines will appear in /etc/driver_aliases:

pkunk:~ $ grep usb1199 /etc/driver_aliases
ugen "usb1199,fff"
usbsacm "usb1199,23"
pkunk:~ $

At this point I needed to reboot; I imagine because the other driver had already attached itself to the USB device. After rebooting, when the modem is attached dmesg isn’t quite as noisy, and the storage devices will no longer appear in gnome file manager:

Jan 28 14:36:12 pkunk usba: [ID 912658 kern.info] USB 1.10 device (usb1199,fff) operating at full speed (USB 1.x) on USB 1.10 root hub: storage@2, ugen1 at bus address 3
Jan 28 14:36:12 pkunk usba: [ID 349649 kern.info] Sierra Wireless USB MMC Storage SWOC22905731
Jan 28 14:36:12 pkunk genunix: [ID 936769 kern.info] ugen1 is /pci@0,0/pci1028,188@1d,3/storage@2
Jan 28 14:36:12 pkunk genunix: [ID 408114 kern.info] /pci@0,0/pci1028,188@1d,3/storage@2 (ugen1) online

The next step is to build the source.  It needs the SUNWusbu (libUSB headers) package installed, and obviously a C compiler.  I also found I was missing /usr/sfw/include/usb.h (as described here).  The file can be found on src.opensolaris.org; once I’d downloaded it and put it into /usr/sfw/include/ I could run make fine, and build myself a switch2modem binary.  Running it looks something like this:

pkunk:~ $ ./switch2modem/switch2modem
Switching Sierra device to Modem mode - Successful !
There should be nothing to release
This is an expected error
pkunk:~ $

And lo, some serial devices appear:

pkunk:~ $ ls -l /dev/cua/
total 2
lrwxrwxrwx 1 root root 52 2009-01-28 14:37 0 -> ../../devices/pci@0,0/pci1028,188@1d,3/device@2:0,cu
lrwxrwxrwx 1 root root 52 2009-01-28 14:37 1 -> ../../devices/pci@0,0/pci1028,188@1d,3/device@2:1,cu
lrwxrwxrwx 1 root root 52 2009-01-28 14:37 2 -> ../../devices/pci@0,0/pci1028,188@1d,3/device@2:2,cu
lrwxrwxrwx 1 root root 52 2009-01-28 14:37 3 -> ../../devices/pci@0,0/pci1028,188@1d,3/device@2:3,cu
pkunk:~ $

It turns out /dev/cua/0 is the modem device in my case; after installing SUNWbnu and adding entries for the four devices to /etc/uucp/Devices, I was able to use cu to talk to it:

sam@pkunk:~$ cu -lcua/0
Connected
AT
OK
ATI
Manufacturer: Sierra Wireless, Inc.
Model: C597 Rev 1.0 (2)
Revision: p2314500,4012 [Mar 06 2008 17:19:08]
[...]

All that remains is to set up PPP!  I symlinked /dev/term/0 to /dev/evdo, then copied bits of Andrew McMillan’s configuration and created /etc/ppp/peers/Telecom3G:

nodetach
evdo
230400
noauth
passive
defaultroute
usepeerdns
noccp
novj
user "mobile@jamamobile"
show-password
crtscts
connect '/usr/bin/chat -V -t15 -f /etc/ppp/Telecom3G-chat'

And /etc/ppp/Telecom3G-chat:

'' 'ATZ'
'OK' 'ATE0V1&F&D2&C1&C2S0=0'
'OK' 'ATE0V1'
'OK' 'ATS7=60'
'OK' 'ATDT#777'
CONNECT ''

And added a line to /etc/ppp/pap-secrets:

mobile@jamamobile * telecom

Once that’s done, pppd dials out happily:

pkunk:~ $ sudo pppd call Telecom3G
ATZ
OK
ATE0V1&F&D2&C1&C2S0=0
OK
ATE0V1
OK

OK

CONNECTSerial connection established.
Using interface sppp0
Connect: sppp0 <--> /dev/evdo
local  IP address 166.179.151.107
remote IP address 166.179.144.1
primary   DNS address 202.27.158.40
secondary DNS address 202.27.156.72

And I have a new network interface:

pkunk:~ $ /sbin/ifconfig sppp0
sppp0: flags=10010008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4,FIXEDMTU> mtu 1500 index 3
inet 166.179.151.107 --> 166.179.144.1 netmask ffff0000
pkunk:~ $

Unfortunately pppd seems to be writing its nameservers to /etc/ppp/resolv.conf rather than /etc/resolv.conf; I haven’t looked into how to change this behaviour yet.

So far it’s been pretty good – the live CD and installer are really slick.  The wireless in my laptop Just Worked (though amusingly enough the wired network didn’t – there doesn’t seem to be a Broadcom 4401 driver in the default install).  When I installed to the hard disk it even carried across the wireless SSID and WPA key I’d configured while booted into the livecd.  Getting the wired network going shouldn’t be a huge hassle – it looks like there’s a third party driver available for it, so I’ll try that out tonight.

X worked without much trouble, and came up antialiased by default.  Unfortunately it doesn’t feel like I’ve got hardware graphics acceleration (I’m using a Radeon Mobility X300), so Xorg uses 50%+ CPU whenever there’s a lot of graphical updates.  Fixing that may just be a matter of changing the driver X is selecting though; I haven’t spent much time looking into it.

There’s now a graphical package manager (closely modeled on Synaptic) with retrieval from Internet package repositories – a lot easier than downloading stuff by hand and installing it with pkgadd.  The package manager is also used to notify users about available updates, much the same as Ubuntu.

I even managed to get my USB EVDO modem working, but I’ll go into that in detail later.

In fact, there’s been remarkably little that hasn’t worked.  The only issue I’ve got currently (aside from what I’ve mentioned above) is that edge scrolling on the Synaptics trackpad doesn’t work at the moment.  And again, this may just be a matter of messing around with xorg.conf.

Would it really be that hard to make the setting stick between major revision updates?  I had it turned off in Firefox 2, why is it back on again in Firefox 3?  Most of my other settings managed to transfer over ok.

I want to know when I’m installing software on my computer.  I don’t want it to be done without my permission.

Also, fuck you.