SixXS::Sunset 2017-06-06

Tunnel Information and Control protocol (TIC)

The Tunnel Information and Control protocol allows programs to retrieve configuration settings in the SixXS system. This allows automatic tunnel client configuration and setup without much user intervention or knowledge of either IPv6 or tunneling.

IANA has allocated port 3874 for this service.

Servers

The SixXS server, which is the default in AICCU, is: tic.sixxs.net.
Our server is STARTTLS enabled. One can thus configure AICCU to require TLS with the 'requiretls yes' option in the configuration file.

Client Implementations

The following clients have TIC support:

  • SixXS AICCU and all the distributions that use it, including various router/NAT devices from vendors such as Motorola, Draytek and many others
  • AVM Fritz!Box

Protocol

This configuration service uses a client/server protocol somewhat like SMTP, using "200" to indicate successful commands and "400" to indicate unsuccessful commands. We advise that clients connect to tic.sixxs.net, which has only an IPv4 address even though the protocol is of course address-family independent; this avoids problems with timeouts when IPv6 seems to be available but really isn't. The protocol is primarily used for configuring hosts to get IPv6 connectivity, so this should not be an issue of any kind.

Commands

The protocol has the following commands, grouped by the stage in which they are available.

Global
  • get unixtime: Get UnixTime in seconds since 1970 for verifying that the client time is correct

Initial
  • starttls: Start TLS negotiation
  • client TIC/<version> <name>/<version> <osname>/<version>: Client version information
  • username <nic-hdl>: Select the username to use

Challenge
  • challenge clear|md5|cookie: Select the challenge to use for authentication

Authenticate
  • authenticate clear|md5|cookie <response>: Authenticate using the response based upon the challenge and the method

Logged
  • tunnel list: List tunnels owned by this user
  • tunnel show <tunnel-id>: Show information about this tunnel
  • pop list: List the available PoPs
  • pop show <pop-name>: Show information about a PoP
  • route: (not implemented yet)

Authentication

The SixXS system doesn't know any cleartext passwords and only has the md5sums of the users' cleartext passwords; thus, to authenticate, the following comparison is used:

md5sum(md5sum(clearpass).challenge) == md5sum(storedpass.challenge)

The client sends the left-hand side, while TIC computes the right-hand side. Knowing the md5sum of the cleartext password is thus sufficient to authenticate in this case, but that would mean one has access to more of the system and can do other things as well, so that is not seen as a threat.
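
The comparison above, worked through for both sides as an added example (not SixXS or AICCU code). It assumes "." means string concatenation in the order written and that md5sum is the lowercase hex digest; the function names and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def md5hex(data: str) -> str:
    """md5sum as a lowercase hex digest (assumed encoding, see lead-in)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def new_challenge() -> str:
    """Server side: a fresh 32-hex-digit challenge for every login attempt."""
    return secrets.token_hex(16)


def client_response(clearpass: str, challenge: str) -> str:
    """Client side: md5sum(md5sum(clearpass).challenge)."""
    return md5hex(md5hex(clearpass) + challenge)


def response_from_stored(storedpass: str, challenge: str) -> str:
    """Server side: md5sum(storedpass.challenge), storedpass = md5sum(clearpass)."""
    return md5hex(storedpass + challenge)


def server_verify(storedpass: str, challenge: str, response: str) -> bool:
    """Compare in constant time so timing does not reveal a partial match."""
    expected = response_from_stored(storedpass, challenge)
    return hmac.compare_digest(expected.encode(), response.encode())


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    stored = md5hex("correct horse")  # what the server keeps on file
    challenge = new_challenge()
    good = client_response("correct horse", challenge)
    print("challenge:", challenge)
    print("authenticate md5", good)
    print("right password accepted:", server_verify(stored, challenge, good))
    bad = client_response("guess", challenge)
    print("wrong password rejected:", not server_verify(stored, challenge, bad))
    # The response is bound to its challenge: replaying it later fails.
    replay_ok = server_verify(stored, new_challenge(), good)
    print("replay on a new challenge rejected:", not replay_ok)
    # The stored md5sum alone produces a valid response, as the text notes.
    from_hash = response_from_stored(stored, challenge)
    print("stored hash suffices:", server_verify(stored, challenge, from_hash))
```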

Typical Session

The following is a typical session captured from the line; lines marked S are sent by the server and lines marked C by the client. We can post the challenge response here as there is no way of reversing that part. The only information that should still be hidden is the Password field.

S: 200 TIC on tic.sixxs.net ready (https://www.sixxs.net)
C: client TIC/draft-00 AICCU/2004.08.24 WinNT/5.1.2600-SP2
S: 200 Client Identity accepted
C: username EXAMPLE-SIXXS
S: 200 Choose your authentication challenge please
C: challenge md5
S: 200 60d11a81a26df3738026b1839644a1ae
C: authenticate md5 4dc85220692080e76f773f0fbd8c8e31
S: 200 Successfully logged in using md5 as EXAMPLE-SIXXS (Example User) from 192.0.2.1
C: tunnel list
S: 201 Listing tunnels
S: T123456789 2001:db8:1900:aa::2 heartbeat euexa01
S: 202
C: tunnel show T123456789
S: 201 Showing tunnel information for T123456789
S: TunnelId: 123456789
S: Type: 6in4
S: IPv6 Endpoint: 2001:db8:1900:aa::2
S: IPv6 PoP: 2001:db8:1900:aa::1
S: IPv6 PrefixLength: 64
S: PoP Name: euexa01
S: IPv4 Endpoint: heartbeat
S: IPv4 PoP: 192.0.2.2
S: UserState: enabled
S: AdminState: enabled
S: Password: 4dc85220692080e76f773f0fbd8c8e31
S: Heartbeat_Interval: 60
S: Tunnel MTU: 1280
S: 202 Done
C: quit What a nice day it was again
S: 200 Thank you for using this SixXS Service