1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
|
==============================================================
How to Configure Linux-2.4.X USAGI kernel
$USAGI: CONFIG.linux24,v 1.7 2001/12/26 15:57:52 yoshfuji Exp $
==============================================================
**CAUTION**
On most linux distributions, the maintainers apply many unofficial
patches against the original linux kernel for their products.
USAGI patches don't include such the patches. It includes only our
improvements, so you may get some troubles if you build a kernel
applying only the usagi patch.
To eliminate this (possible) issue, we provide binary packges basen on
our stable releases. If you want to build your kernel from original
kernel source, you have better to apply distribution-oriented patches
before applying the USAGI patch.
The binary packages are found at
<ftp://ftp.linux-ipv6.org/pub/usagi/stable/package/>.
---------------------------------------------------
Customizing the linux-2.4 kernerl with USAGI patch
---------------------------------------------------
We reccomend to configure kernel options as follows.
Code maturity level options --->
[*] Prompt for development and/or incomplete code/drivers
+ Enabling the option, you can use experimental features
including IPv6. Say Y.
Networking options --->
[*] Moderate SO_REUSEADDR behavior
*CONFIG_NET_MODERATE_REUSE
+ With this option, kernel restrict effect of SO_REUSEADDR to prevent
other users from performing 'binding closer' type attacks like NFS
theft. Say Y.
[ ] The IPsec protocol (EXPERIMENTAL)
*CONFIG_IPSEC
+ You can say Y here if you want to enable IPsec.
This options enable PF_KEY(V2), Security Association Database and
Security Policy Database.
And also you must enable each IP version IPsec.
[ ] IPsec: IPsec Debug messages
*CONFIG_IPSEC_DEBUG
+ You can say Y here if you want to get additional messages useful in
debugging the IPsec(IPsec6,PFKEY,SADB,SPD) code.
You can enable/disable these parameters via sysctl(/proc/net/ipsec/).
[ ] IPsec: IPsec Debug disable Default
*CONFIG_IPSEC_DEBUG_DISABLE_DEFAULT
+ Normally IPsec debugging messages are activated by default,
if you set CONFIG_IPSEC_DEBUG.
If you say Y here, it'll change this to off by default(boot time).
NOTICE: If you don't say Y here, you will receive tons of log messages.
<*> The IPv6 protocol (EXPERIMENTAL)
*CONFIG_IPV6
+ Say Y. In order to avoid some troubles, we recommend to build
IPv6 protocol stack as a build-in function. Of course you can
build it as a module. It's up to you.
[ ] IPv6: Verbose debugging messages
*CONFIG_IPV6_DEBUG
+ Debugging option. It makes a lot of debug messages. It's only
for debugging purpose. If you want to track some behaviours of
IPv6 protocol stack, you can enable the option, otherwise
say N.
[*] IPv6: drop packets with fake ipv4-mapped address(es)
*CONFIG_IPV6_DROP_FAKE_V4MAPPED
+ We reccomend to enable the option from security point of
view. Enabling the option, the linux kernel drops the
IPv6 packets which destination or source addresses are
IPv4-mapped IPv6 addresses. Say Y.
[*] IPv6: Moderate double binding behavior
*CONFIG_IPV6_MODERATE_DOUBLE_BIND
+ With this option, kernel will not allow other users to do double
binding. Say Y.
[ ] IPv6: 6to4-address in nexthop support
*CONFIG_IPV6_6TO4_NEXTHOP
+ Say N.
[ ] IPv6: Privacy Extensions (RFC 3041) Support
*CONFIG_IPV6_PRIVACY
+ Privacy Extensions for Stateless Address Autoconfiguration in IPv6
support. With this option, additional periodically-alter
pseudo-random global-scope unicast address(es) will assigned to
your interface(s). At this moment, automatic source address
selection won't choose temporary address, so this option is
only for testing purposes.
[ ] IPv6: anycast support
*CONFIG_IPV6_ANYCAST
[ ] IPv6: ISATAP interface support (EXPERIMENTAL)
*CONFIG_IPV6_ISATAP
[ ] IPv6: Neighbor Discovery debugging
*CONFIG_IPV6_NDISC_DEBUG
+ Debugging option, the kernel outputs verbose debugging
messages regarding Neighbour Discovery Protocol. Say N.
[ ] IPv6: Address Autoconfigration debugging
*CONFIG_IPV6_ACONF_DEBUG
+ Debugging option. the kernel outputs verbose debugging
messages regarding Stateless Auto Address Configuration.
Say N.
[ ] IPv6: Debug on source address selection
*
[ ] IPv6: Routing Informtation debugging
*CONFIG_IPV6_RT6_DEBUG
+ Debugging option. the kernel outputs verbose debugging
messages regarding IPv6 Routing Informations. Say N.
[*] IPv6: allow default route when forwarding is enabled
*CONFIG_IPV6_EN_DFLT
+ The original linux kernel doesn't recognize IPv6 default
routes when IPv6 forwarding is enabled. Enabling the option,
a kernel recognize IPv6 default routes as default routes
and forwards packets toward default router.
If you want to use a Linux box as an IPv6 router, Say Y.
[ ] IPv6: Multicast Listener Discovery debugging
*CONFIG_IPV6_MLD6_DEBUG
+ Debugging option. the kernel outputs verbose debugging
messages regarding Multicast Listener Discovery messages.
Say N.
[ ] IPv6: Do not suppress MLD6 Done message
*CONFIG_IPV6_MLD6_NO_SUPPRESS_DONE
+ Enabling the option, the kernel sends MLD6(Multicast Listener
Discovery Protocol, defined in RFC2710) done message when
your linux box leaves a multicast group. Say N.
[ ] IPv6: enable Node Information Queries
*CONFIG_IPV6_NODEINFO
+ Enabling the ICMP name lookup feature which described in
<draft-ietf-ipngwg-icmp-name-lookups-07>. Enabling the option,
your linux box answers its host name or its ipv6/4 address(es)
in reply to a Node Information Query. The information is
useful for administration, but it may also cause information
flaws. if unsure, say N.
[ ] IPv6: Node Information Queries debugging
*CONFIG_IPV6_NODEINFO_DEBUG
+ Debugging option. The kernel outputs verbose debugging messages
regarding ICMPv6 node-info queries. Say N.
[ ] IPv6: regard NIS domain as DNS domain
*CONFIG_IPV6_NODEINFO_USE_UTS_DOMAIN
+ The kernel replies a NIS domain name as a domain name of
ICMP name reply. If unsure, say N.
[ ] IPv6: IP Security Support (EXPERIMENTAL)
*CONFIG_IPV6_IPSEC
+ In the specification of IPv6, IPsec support is mandatory.
For further information, please read README.USAGI-IPSEC under doc
directory.
At this moment, IPsec for IPv6 support is not so stable and
only for testing puposes. If unsure, say 'N'.
NOTICE!:
USAGI IPsec(IPv6) stack and FreeS/WAN IPsec(IPv4) stack are
currently NOT compatible.
If you want to try to compile it,
please read the usagi/doc/HOWTO/IPSEC
[ ] IPv6 Apply IPsec to ICMPv6 packets
*CONFIG_APPLY_ICMPV6_IPSEC
+ You can say Y here if you want to apply IPsec to ICMPv6 packets.
NOTICE:
currently we can't apply to NDISC packets(NA or RA receiving).
[ ] IPv6: Mobility Support
*CONFIG_IPV6_MOBILITY
+ Support for the upcoming specification of Mobile IPv6.
Currently Mobile IPv6 support is available only as a module.
For more information and configuration details, see
http://www.mipl.mediapoli.com/.
If unsure, say N.
< > Kernel httpd acceleration (EXPERIMENTAL)
[ ] Use IPv6 socket for khttpd
*CONFIG_KHTTPD_IPV6
+ Enabling kernel httpd acceleration which is capable for IPv6.
For more details of khttpd, please see a help message of IPv4
Kernel httpd acceleration.
[ ] IPv6 Enhance for ATM
*CONFIG_ATM_IPV6
+ IPv6 support on a PVC link. To install and for usage, please refer
usagi/doc/HOWTO/ATM. If unsure, say N.
|
