IPv6 Guide
From Buici
News of the readiness of existing computer systems for IPv6 is somewhat exaggerated. While most systems include code to support the new Internet protocols, there are still some gaps to be filled and some workarounds needed when implementing IPv6 on a leaf network.
This guide presents some experiences in implementing IPv6 over an existing IPv4 network. It should help others who wish to begin using the contemporary features that IPv6 offers.
IPv6 Addressing
The very first thing to establish, before configuring a single piece of equipment, is what sort of IPv6 numbering a network will use. There are many web pages devoted to the same overview of potential solutions, so I won't repeat them here. Instead, I'll focus on three.
- Native IPv6 allocation
- 6to4
- Brokered tunnels
Native IPv6. According to my ISP, there is a significant hurdle to deploying native IPv6 on their end. APNIC is asking a large annual fee for an address allocation. While the whole story is unclear, fees appear to be based on the value of existing IP address holdings. Thus, large ISP will owe big fees to get into IPv6 even though they may have very few customers who need it.
6to4. The 6to4 addressing scheme turns any existing IPv4 address into a routable IPv6 address. An IPv4 address of the form A.B.C.D maps to the network 2002:aabb:ccdd::/48, where aa is the hexadecimal equivalent of A, and similarly for B, C, and D. For example, 10.1.2.64 maps to 2002:0a01:0240::/48.
6to4 is very simple to configure. Only a handful of commands are necessary to set it up on a Linux or BSD host. Its biggest weakness is that it depends on the presence of 6to4 gateway routers to inject traffic into the IPv6 Internet. A frequent complaint from people who use 6to4 is that the "Internet is slow". It isn't the Internet, per se, that is the problem, but the fact that there are few 6to4 gateway routers and the ones that exist are predominantly in Europe.
There are two saving features of 6to4. First, it routes over the existing IPv4 network: for a pair of hosts connected to the Internet via IPv4 addresses and using 6to4 IPv6 addresses, the latency should be the same whether using IPv4 or IPv6, an important consideration in our deployment strategy. Secondly, 6to4 provides a return path for IPv6 traffic from a host that has access to an IPv6 tunnel that can act as an ingress router, which is the Hybrid solution below.
The only requirement for using 6to4 is availability of a routable IPv4 address. This may be a problem for some users who depend on a Cable/DSL router to NAT their LAN to the Internet. Unfortunately, I don't have any specific advice for you.
Brokered Tunnels. In the absence of native IPv6, brokered tunnels are the best way to inject traffic into the IPv6 Internet. There are several reliable tunnel brokers, more in Europe than in the US. Some will grant a site allocation of /48, but don't count on it.
The advantage of a brokered tunnel is that, given sufficiently low latency, it may be used as a semi-permanent conduit to the IPv6 Internet. Some brokers will exchange BGP routing for a fee. The disadvantage of a tunnel is that the latency of traffic to the broker is guaranteed to be higher than would be available from your ISP.
The Hybrid. So, given these options, there is a workable solution. Configure the LAN for 6to4 addresses. Given a single, routable IPv4 address you've got a /48 site allocation. Broker a tunnel for all outbound traffic. The absence of public 6to4 gateways is circumvented by routing all IPv6 traffic through the tunnel. The combination should give IPv4-comparable downstream performance and reasonable upstream performance.
Configuring 6to4 on Debian GNU/Linux Router
First, we configure the Debian GNU/Linux IPv6 gateway router. This network is connected to the Internet via DSL. The DSL modem passes traffic directly to an Ethernet interface.
Given that the GNU/Linux host's Internet-connected Ethernet interface is eth0 and that the routed IP address given to us by the ISP is 10.1.2.3, we add the following clauses to /etc/network/interfaces.
iface eth0 inet6 static
    address 2002:0a01:0203::1   # 6to4 of 10.1.2.3
    netmask 64

auto sit6to4
iface sit6to4 inet6 v4tunnel
    endpoint any
    ttl 64
    up ip -6 route add 2002::/16 via ::192.88.99.1 dev sit6to4
    up /etc/network/ipv6.sh
The IP address ::192.88.99.1 is a special anycast address for the nearest 6to4 router. In our case, it ought never be used because the only packets we route over this tunnel are other 6to4 addresses and those packets will be automatically re-packaged as IPv4 packets and sent to the Internet endpoint responsible for routing that network.
We have to assign an address to the Ethernet interface for two reasons. First, this host must have a global IPv6 address for use as a source address. Outbound IPv6 traffic will use this address and, because it is a 6to4 address, packets will return through the 6to4 tunnel. Second, we want to be able to assign addresses to other LAN hosts and make sure that packets for those hosts have a route to this machine.
Also, because of the open nature of the 6to4 tunnel, we want to make sure to limit traffic into our network. For the time being, let's limit connections to ssh.
#!/bin/sh
# /etc/network/ipv6.sh
I=/sbin/ip6tables
i=" -i sit+"
$I -F
# Permit new ssh connections to this host and to the LAN hosts behind it
$I -A INPUT $i -p tcp --dport ssh -j ACCEPT
$I -A FORWARD $i -p tcp --dport ssh -j ACCEPT
# Drop every other inbound TCP connection attempt
$I -A INPUT $i -p tcp --syn -j DROP
$I -A FORWARD $i -p tcp --syn -j DROP
# Drop UDP except replies into the local ephemeral port range
$I -A INPUT $i -p udp \! --dport 32768:60999 -j DROP
$I -A FORWARD $i -p udp \! --dport 32768:60999 -j DROP
# This is a router, so act like one
echo 0 > /proc/sys/net/ipv6/conf/all/autoconf
echo 0 > /proc/sys/net/ipv6/conf/all/accept_ra
echo 0 > /proc/sys/net/ipv6/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv6/conf/all/router_solicitations
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
The use of -i sit+, combined with the fact that all of our IPv6 tunnels begin with the prefix sit, means that these rules apply to all traffic entering on external interfaces. Note that the rules only touch TCP and UDP; ICMPv6 arriving over the tunnels is left alone, which IPv6 needs for path MTU discovery among other things.
And, here are some references. Note that our solution is slightly different, on purpose, from those listed below.
Configuring the Brokered Tunnel
| Description | Macro |
|---|---|
| IPv4 address of broker's endpoint | $IP4_REMOTE |
| IPv6 address of local endpoint | $IP6_LOCAL |
| IPv4 address of local endpoint | $IP4_LOCAL |
| Prefix length for local endpoint | $IP6_LOCAL_NETMASK |
We won't go into too much detail on getting a brokered tunnel. Searches on the Internet should yield sufficient resources. If you are really lost, look to www.freenet6.org. There is even an installable daemon for Debian to maintain the tunnel automatically. We won't cover this. Instead, we'll see how to configure a tunnel given the necessary data from the broker.
Once you've been allocated a tunnel, you should have the data summarized in the table.
Add the following clause to /etc/network/interfaces replacing the macros with the appropriate values.
auto sit6bone
iface sit6bone inet6 v4tunnel
    endpoint $IP4_REMOTE
    ttl 64
    address $IP6_LOCAL
    netmask $IP6_LOCAL_NETMASK
    local $IP4_LOCAL
    up ip route add 2000::/3 dev sit6bone
In this case, we're routing all of the presently allocated IPv6 unicast address space through this interface. The network stack will send traffic matching a longer prefix through a different interface. This tunnel, sit6bone, handles traffic as a last resort.
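To make the interplay of the two routes concrete, here is an added Python example (not from the original page) that models the longest-prefix decision just described together with the re-packaging behaviour of the 6to4 tunnel discussed above, and derives the IPv4 address the encapsulating packet is sent to. The broker endpoint $IP4_REMOTE is stood in for by a placeholder address.

```python
import ipaddress

# Constructed model of the routes this page installs: 2002::/16 via the 6to4
# tunnel and 2000::/3 via the brokered tunnel.  IP4_REMOTE is a placeholder
# for the broker's endpoint, not a value from the page.
ROUTES = [
    (ipaddress.IPv6Network("2002::/16"), "sit6to4"),
    (ipaddress.IPv6Network("2000::/3"), "sit6bone"),
]
IP4_REMOTE = "192.0.2.1"  # placeholder (TEST-NET-1) standing in for $IP4_REMOTE
SIXTO4 = ipaddress.IPv6Network("2002::/16")


def select_route(dst):
    """Longest-prefix match: a 2002:: destination matches both routes,
    but the /16 beats the /3, so it leaves via sit6to4."""
    dst = ipaddress.IPv6Address(dst)
    matches = [(net.prefixlen, dev) for net, dev in ROUTES if dst in net]
    return max(matches)[1] if matches else None


def embedded_ipv4(dst):
    """Recover A.B.C.D from 2002:aabb:ccdd::/48 (bits 16..47 of the address)."""
    dst = ipaddress.IPv6Address(dst)
    if dst not in SIXTO4:
        raise ValueError("not a 6to4 address")
    return str(ipaddress.IPv4Address((int(dst) >> 80) & 0xFFFFFFFF))


def outer_ipv4_destination(dst):
    """Return (interface, IPv4 destination of the encapsulating packet).
    On sit6to4 the sit driver uses the IPv4 address embedded in the IPv6
    destination, so the ::192.88.99.1 relay named in the route is never
    consulted for 6to4 traffic; on sit6bone every packet goes to the broker."""
    dev = select_route(dst)
    if dev == "sit6to4":
        return dev, embedded_ipv4(dst)
    if dev == "sit6bone":
        return dev, IP4_REMOTE
    return None, None  # link-local, multicast, etc.: no tunnel route
```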
The address and netmask are not strictly necessary. Most tunnel brokers will allocate these addresses from the routable address space. You may choose to leave off the address and netmask.
Most tunnel brokers will allocate either a /64 or a /48 network for your use. Because we're using 6to4 addressing for our LAN hosts, and because the tunnel is only used for out-bound traffic, there isn't a compelling reason to do anything with their site allocation.
Testing the IPv6 Router
First thing, bring up the interfaces. This will happen automatically when the machine boots.
ifup sit6to4
ifup sit6bone
You'll need the IPv6 enabled applications. On Debian, this may mean fetching a few packages.
apt-get install iputils-ping iputils-tracepath iproute dnsutils
The first thing to do is verify that you have connectivity. For this, you'll need the IPv6 address of a host on the Internet.
dig www.ipv6.org aaaa
It should return at least one AAAA record. If it doesn't, try the same for www.kame.net.
Then, take that address and see if you can ping6 it.
ping6 2001:6b0:1:ea:202:a5ff:fecd:13a6
The round-trip-time may be quite long, as much as 1000ms. That is to be expected when using a tunnel.
If it doesn't work, there are a couple of things to check.
- Can you ping the remote endpoint of the 6to4 tunnel?
- Is your IPv4 firewall permitting protocol 41 to pass?
- Does your kernel include IPv6 and sit tunnel support?
You'll also want to check that you can tracepath6 to that address.
tracepath6 2001:6b0:1:ea:202:a5ff:fecd:13a6
If this works, too, try loading http://www.ipv6.org with an IPv6 enabled browser such as Firefox. The web page should tell you that you are connecting with an IPv6 address.
Auto-configuring LAN Connected Hosts
Once the router is working, it should be easy to bring other computers on the LAN online. We'll use stateless autoconfiguration since it's easy and should be sufficient.
Get the radvd package.
apt-get install radvd
It won't run until we give it a configuration file. By default, the package doesn't install a configuration file. If you already have one, you should know how to add to your existing configuration. Keep in mind, though, that as of Linux kernel version 2.6.11, the IPv6 stack doesn't perform source address selection. This means that you should only allocate one IPv6 network address on your LAN. In fact, this is part of the reason we're using 6to4 and not the tunnel broker's allocation.
Replace $IP6_6TO4_LOCAL with the prefix you calculated before, e.g. 2002:0a01:0203 for 10.1.2.3.
# /etc/radvd.conf
interface eth0
{
AdvSendAdvert on;
MaxRtrAdvInterval 90;
prefix $IP6_6TO4_LOCAL::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvValidLifetime 300;
AdvPreferredLifetime 120;
AdvRouterAddr off;
};
};
We use rapidly expiring addresses because it means that any problem with the IPv6 router will rapidly propagate to the LAN hosts.
Restart the radvd daemon.
/etc/init.d/radvd restart
At this point, you can rerun, on other LAN hosts, the tests previously performed on the router. On a Linux workstation, use the command ip addr to verify that an IPv6 address has been autoconfigured.
Newly Available Features
This setup provides few opportunities for showing-off the capabilities of IPv6. However, if you have access to another IPv6 network, there are some things you can do.
SSH. The IPv6 addressing scheme means that all machines in the network are accessible from the Internet. The firewall is configured to permit only ssh traffic, but it would be straightforward to allow other protocols such as HTTP or FTP.
Assuming that your network is numbered 10.1.2.3, and you've got a workstation with MAC address 00:01:02:03:04:05, it will have address 2002:0a01:0203:0:0201:02ff:fe03:0405 based on EUI-64 encoding. From another IPv6 network, you will be able to connect to that workstation by address.
ssh 2002:0a01:0203:0:0201:02ff:fe03:0405
Though it's a mouthful of an address, it demonstrates how IPv6 grants you access to machines in your network where IPv4 requires NAT, blocking ingress.
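The two address derivations this guide relies on, the 6to4 /48 from the IPv4 address (described in the addressing section) and the EUI-64 interface identifier from the MAC (used for the workstation address above), as an added Python example that is not part of the original page; it composes them into the autoconfigured workstation address quoted above.

```python
import ipaddress


def sixto4_prefix(ipv4):
    """A.B.C.D -> 2002:aabb:ccdd::/48, zero-padded the way this guide writes it."""
    n = int(ipaddress.IPv4Address(ipv4))
    return f"2002:{n >> 16:04x}:{n & 0xFFFF:04x}::/48"


def eui64_interface_id(mac):
    """Modified EUI-64 from a 48-bit MAC: flip the universal/local bit (0x02)
    of the first octet and insert ff:fe between the OUI and the device part."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ":".join(f"{eui[i]:02x}{eui[i + 1]:02x}" for i in range(0, 8, 2))


def slaac_address(ipv4, mac, subnet=0):
    """Address a LAN host autoconfigures from the radvd prefix
    $IP6_6TO4_LOCAL:<subnet>::/64 and its MAC.  The radvd.conf above
    advertises subnet 0, hence the default."""
    site = sixto4_prefix(ipv4).split("::")[0]  # e.g. 2002:0a01:0203
    addr = f"{site}:{subnet:x}:{eui64_interface_id(mac)}"
    ipaddress.IPv6Address(addr)  # raises if anything above went wrong
    return addr
```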
IPSEC VLANs. IPSEC is a required feature of all IPv6 capable hosts. You can encrypt all traffic between two LANs by requiring encryption when the two networks communicate. There is no longer a need for complex VPN configurations, as it's implicit in the host-to-host communication.
--Elf 16:47, 6 April 2006 (PDT)