JFFNMS and IPv6


One of the many Free Software projects I work on is JFFNMS, a network management system written in PHP. Now that the last IPv4 address blocks have been allocated to APNIC, it’s probably timely to look at how to manage network devices in a new IPv6 world.
First you need to get the basics sorted out, and for that it is best to use the net-snmp command line utilities to check all is well. Then it’s on to what to do in JFFNMS itself.
Now fixed with proper markup, I hope.


## Special Agent 6
All devices that are capable of being managed with SNMP have an agent. It’s basically the “SNMP server” on the router, switch or server. The first step is to make sure it can accept and send traffic using IPv6. Depending on what the device is, it can be real simple.
For example, on my little Juniper router it’s a matter of setting the community and access control, just like the IPv4 settings:

> [email protected]# set snmp community public clients 2001:db8:62:d0::/64

And then run snmpget on the command line to check:

> [email protected]$ snmpget -v 1 -c public udp6:2001:44b8:62:d0::4 system.sysObjectID.0
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2636.1.1.1.2.41

We have success!
For Linux systems that use net-snmp you will need to make the snmp daemon listen on UDPv6 ports as well as adjusting the access control.
Access control is a matter of adding com2sec6 lines to /etc/snmp/snmpd.conf. They are the same format as com2sec lines and are reasonably straightforward.
Next, get the daemon to listen to requests on the IPv6 ports as well. The snmpd(8) man page says:

> By default, snmpd listens for incoming SNMP requests on UDP port 161 on
all IPv4 interfaces. However, it is possible to modify this behaviour
by specifying one or more listening addresses as arguments to snmpd.

It wouldn’t have killed them to put “comma separated list” somewhere, now would it?
My /etc/default/snmpd file now looks like:

> SNMPDOPTS='-Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid udp:127.0.0.1,udp6:[::1]:161'

The bits in bold are the changes. Then it’s a quick check:

> [email protected]$ snmpget -v 1 -c public udp6:[::1] system.sysObjectID.0

SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10

And we have working agents!

## JFFNMS Changes
OK, we have a working IPv6 network and snmp works across our network so we can query devices. JFFNMS uses PHP so all should be well, shouldn’t it?

### Database Tables
This is an almost classic problem with converting IPv4 to IPv6. You have 15 bytes for an IP address string “111.222.333.444”. An IPv6 address can be much longer than that. JFFNMS has things like

```sql
CREATE TABLE `hosts` (
[...]
`ip` char(20) NOT NULL default '',
```

A simple fix, using a char(39) or varchar(39), will do the trick.

### Fixing the JFFNMS code
One of the most troubling problems with the host entries is that the values entered by a user can be a hostname, IP address or IP address and port separated by a colon. There are lots of bits of code that separate out the port or address by just finding the colon or use non-IPv6 aware functions like [gethostbyname()](http://php.net/gethostbyname) that will need to be fixed.
I’ve got a function to check for an IPv6 address, using the inet_pton() function.

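```php
function is_ipv6($addr)
{
    // inet_pton() returns FALSE for anything that is not a valid address
    $net_addr = @inet_pton($addr);
    // An IPv4 address packs to 4 bytes, an IPv6 address to 16
    if ($net_addr === FALSE || strlen($net_addr) < 16)
        return FALSE;
    return TRUE;
}
```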

## PHP functions
PHP still has the old IPv4 only functions, but unlike libc does not have the Address Family independent functions. The most significant absence is the replacement functions for gethostbyname(). There is [dns_get_record()](http://php.net/dns_get_record) but it is quite low-level (it won’t recurse lookups if you get alias or CNAME results).
It’s a little hit and miss in PHP-land with what functions work with IPv6 addresses and what ones do not. [fsockopen()](http://php.net/fsockopen) and [file()](http://php.net/file) do work with IPv6.

## PHP and SNMP
To query remote devices using SNMP, JFFNMS uses the PHP SNMP functions. Unfortunately, while there is some IPv6 support in PHP, it doesn’t extend to the SNMP functions. The underlying library supports it, as the net-snmp command line tools use the same library; it is just that the small shim between the script and net-snmp, which is PHP, gets in the way.
Looking at the PHP code itself you find things like

```c
strlcpy(hostname, a1, sizeof(hostname));
if ((pptr = strchr (hostname, ':'))) {
    remote_port = strtol (pptr + 1, NULL, 0);
}
```

which definitely needs to be fixed for IPv6. There is also some simple address lookup going on somewhere which will also need to be fixed. In short, JFFNMS won’t be doing SNMP based queries over IPv6 until php5-snmp can do it.

## Reachability
JFFNMS also has a different sort of query called a reachability type. It’s essentially a ping from the server running JFFNMS out to the device being managed. It uses [fping](http://fping.sourceforge.net) to do this work, but there is also a program called fping6.
It’s a simple matter of checking the address type and then selecting fping or fping6 to do the reachability work. The JFFNMS code soon to be pushed into git has this change in it now.

## Anything Else?
The next stage is to find anything else that will work with IPv6. A likely candidate is the TCP and UDP port types as they use nmap to discover the ports and the fsockopen() function call to poll it. fsockopen() does handle IPv6 addresses if you escape them in square brackets.
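
The host-entry handling discussed under “Fixing the JFFNMS code”, “Reachability” and in this section, as an added PHP example that is not JFFNMS code: it splits a user-entered host entry without cutting an IPv6 address at its first colon, then picks fping or fping6 and builds the fsockopen() target. The function names and the bracketed `[address]:port` entry form are assumptions.

```php
<?php
// Added example, not JFFNMS code; all function names are hypothetical.

function is_v6_literal(string $s): bool
{
    return filter_var($s, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false;
}

// Split a host entry into [host, port]; port is null when none was given.
function split_host_port(string $entry): array
{
    $entry = trim($entry);
    if (is_v6_literal($entry)) {
        return [$entry, null];   // bare IPv6: every colon is part of the address
    }
    // "[v6]" or "[v6]:port", else "name" or "name:port" (hostname or IPv4).
    // A name may not start with '-', so it can never be read as an option.
    if (!preg_match('/^\[([0-9A-Fa-f:.]+)\](?::(\d{1,5}))?$/D', $entry, $m)
        && !preg_match('/^([A-Za-z0-9][A-Za-z0-9._-]*)(?::(\d{1,5}))?$/D', $entry, $m)) {
        throw new InvalidArgumentException("unparseable host entry: $entry");
    }
    if ($entry[0] === '[' && !is_v6_literal($m[1])) {
        throw new InvalidArgumentException("bad IPv6 literal: $entry");
    }
    $port = ($m[2] ?? '') === '' ? null : (int) $m[2];
    if ($port !== null && ($port < 1 || $port > 65535)) {
        throw new InvalidArgumentException("port out of range: $entry");
    }
    return [$m[1], $port];
}

// Reachability: fping6 for IPv6 literals, fping otherwise (assumption:
// hostnames are left to fping). The host is quoted before it reaches a shell.
function reachability_command(string $host): string
{
    return (is_v6_literal($host) ? 'fping6' : 'fping') . ' ' . escapeshellarg($host);
}

// fsockopen() takes IPv6 literals wrapped in square brackets.
function fsockopen_target(string $host): string
{
    return is_v6_literal($host) ? "[$host]" : $host;
}

// Constructed sample entries, using documentation address ranges.
foreach (['router1:161', '192.0.2.10', '2001:db8:62:d0::4', '[2001:db8:62:d0::4]:161'] as $e) {
    [$host, $port] = split_host_port($e);
    printf("%-24s host=%s port=%s cmd=%s sock=%s\n", $e, $host, $port ?? '-',
        reachability_command($host), fsockopen_target($host));
}
```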


2 thoughts on “JFFNMS and IPv6”

  1. I am surprised to hear JFFNMS is still alive.
    I recently did some research into various network monitoring systems, and JFFNMS went in the “dead project” pile almost immediately. The last release listed on the website has a changelog ending in 2006 (and the “Development” download is broken). If the project is still active, may I suggest a release soon?
    We wound up using Torrus, FWIW.

  2. I had a look at the website and yes I hadn’t even noticed the changelog entry. There was a pause in development as Javier was busy and I hadn’t taken over the project but there certainly have been releases since 2006. Only 2 of them but I’m getting close to another.
    I have had in the background some redevelopment of the website, I’ll bring that forward as the more I look at the existing site, the more I see that needs to be fixed. Thanks for your comments!
