I remembered this morning that World IPv6 Day is coming up soon, on June 8, so I thought I might get ready in advance, and let any of you retro old-tech IPv4 people know how you need to get up to speed.
I actually had native IPv6 ADSL many years ago, with the now defunct Black Cat Networks, although at some point IPv6 routing just stopped working, and apart from being able to ping6 a friend who had the same setup it was not terribly useful, although I did test all my code and make sure it was all IPv6 ready. But now there are compelling reasons for IPv6, like the fact that it is getting harder to get IPv4 addresses. In particular I have been spending some time on Linux containers (lxc), and if you want to run network isolated containers they need addresses; on many cloud services you cannot get extra IPv4 addresses, so either you use internal NAT, yuk, or you use IPv6. Also the first steps towards Amazon Web Services supporting IPv6 came out the other day, with ELB supporting IPv6 termination, although there is not yet support for IPv6 addresses on EC2 instances directly, though you can add tunnels; see my answer on Quora for the current status.
So how do you go about getting yourself IPv6 enabled? First, this blog, which is currently hosted on Slicehost; Slicehost does not yet have native IPv6 support, although it will later in the year as part of the full merger into Rackspace. I keep wondering about moving to Linode as it is cheaper, although the way they have set up IPv6 seems odd to me.
Stage one is signing up with someone who will give you an IPv6 tunnel terminating at your IPv4 address. I would recommend Hurricane Electric, as they have global tunnel endpoints and a good service. Sign up here, and you can have 5 free tunnels. It is very simple: provide the IPv4 endpoint and your details, choose a tunnel server near your server, and you will be given an IPv6 /64 for the tunnel and some helpful instructions on how to configure it for your OS. They have an endpoint in Dallas where my Slicehost is, which has a ping time of 1ms, which is nice. I used the modern iproute2 (ip command) style setup, which I just added to /etc/rc.local so it is recreated on reboot:
modprobe ipv6                                   # only needed if IPv6 is built as a module
ip tunnel add he-ipv6 mode sit remote 216.218.224.42 local 67.23.6.148 ttl 255   # sit = 6in4 (protocol 41); remote is the HE tunnel server, local is your public IPv4
ip link set he-ipv6 up
ip addr add 2001:470:1f0e:6e6::2/64 dev he-ipv6  # your end of the tunnel; HE's end is ::1 of the same /64
ip route add ::/0 dev he-ipv6                    # send all IPv6 traffic into the tunnel
Very easy, and there is no authentication or anything: the tunnel is identified purely by the two IPv4 endpoint addresses, which also means nothing cryptographic protects it, so treat it as an untrusted link rather than a VPN. My IP is 2001:470:1f0e:6e6::2. What's the /64 you ask? That's a block of 18,446,744,073,709,551,616 (2^64) addresses. IPv6 has no broadcast address; the first address of the block (the one with an all-zero interface identifier, here 2001:470:1f0e:6e6::) is reserved as the subnet-router anycast address, and the rest are usable. A /64 is the standard size for a single subnet, and should be fine for an organization to allocate to its users and devices, including virtual devices and so on; it also makes it easy to autoconfigure devices, as they form an address within the /64 from their MAC address (the EUI-64 form) or from random bits, so DHCP is not generally needed. Note that an EUI-64 address embeds the MAC address, which identifies the hardware to every site visited; most operating systems now also generate random privacy addresses (RFC 4941) for outbound connections.
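The two ways a host picks its address inside the /64, worked through in code. This is an added example, not code from the original post: the prefix is the /64 quoted above, the MAC address is constructed for the example, and the function names are mine. It shows that an EUI-64 address can be reversed straight back to the MAC, while an RFC 4941 privacy address cannot.

```python
"""SLAAC address derivation inside a /64 (added example, not from the original post).

The modified EUI-64 form embeds the interface's MAC address in the low 64 bits;
the RFC 4941 privacy form fills them with random bits instead.
"""
import ipaddress
import secrets

IID_MASK = (1 << 64) - 1  # low 64 bits of an address = interface identifier


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, Appendix A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Split the MAC in half, insert 0xFFFE, and flip the universal/local bit
    # (bit 1 of the first octet) so a globally unique MAC gives a "universal" IID.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix: str, mac: str) -> str:
    """The address a host autoconfigures from an advertised /64 and its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    iid = int.from_bytes(eui64_iid(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def privacy_address(prefix: str) -> str:
    """RFC 4941 style temporary address: random 64-bit IID, no hardware identity in it."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    iid = int.from_bytes(secrets.token_bytes(8), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_address(address: str):
    """Recover the MAC from an EUI-64 derived address; None if the IID is not EUI-64 shaped."""
    iid = (int(ipaddress.IPv6Address(address)) & IID_MASK).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def in_prefix(address: str, prefix: str) -> bool:
    """True if the address falls inside the given network."""
    return ipaddress.IPv6Address(address) in ipaddress.IPv6Network(prefix, strict=True)


if __name__ == "__main__":
    prefix = "2001:470:1f0e:6e6::/64"   # the /64 from the post
    mac = "00:1b:21:aa:bb:cc"           # constructed MAC for the example
    eui = slaac_address(prefix, mac)
    print(eui, "-> MAC", mac_from_address(eui))
    tmp = privacy_address(prefix)
    print(tmp, "-> MAC", mac_from_address(tmp), "(in prefix:", in_prefix(tmp, prefix), ")")
```

Running it shows the EUI-64 address 2001:470:1f0e:6e6:21b:21ff:feaa:bbcc, from which the MAC is recovered exactly, next to a random address that stays inside the same /64 but gives nothing away.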
Next we need to configure DNS records for IPv6, that is AAAA records in addition to the A records that give IPv4 addresses. If your DNS provider does not support AAAA records it is probably time to get a new one! I use Zerigo for my Blog domain, and it was very easy to add records pointing at 2001:470:1f0e:6e6::2.
After that you need to make sure your services are listening on IPv6. In netstat -l output an IPv4-only listening socket shows a local address of *:80, while an IPv6 socket shows [::]:80; on Linux a socket bound to [::] accepts IPv4 connections too (they appear as IPv4-mapped addresses of the form ::ffff:a.b.c.d) unless the socket is set to IPv6 only. In my case, I had to change Nginx to listen on IPv6 too, with the config being listen [::]:80; instead of listen 80;. (Newer Nginx releases default to ipv6only=on for [::] listeners, so there you keep both lines, listen 80; and listen [::]:80;, to serve both address families.) Restart the web server, and then you can use the IPv6 test site validator to check that everything is up and ready, and get your badge.
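To see the dual-stack behaviour directly rather than infer it from netstat, here is an added example (not from the original post) that binds one [::] socket with IPV6_V6ONLY off, connects to it over plain IPv4 on the loopback interface, and reports how the server saw the client. The function names are mine; the ::ffff: form it produces is the same IPv4-mapped notation that shows up in a dual-stack web server's access log.

```python
"""Dual-stack listener check (added example, not from the original post).

A socket bound to [::] with IPV6_V6ONLY=0 serves IPv4 clients too; they show up
as IPv4-mapped addresses (::ffff:a.b.c.d). Only the loopback interface is used.
"""
import ipaddress
import socket
import threading


def client_ip(peer: str) -> str:
    """Normalise a peer address: an IPv4-mapped ::ffff:a.b.c.d goes back to a.b.c.d."""
    addr = ipaddress.ip_address(peer)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def dual_stack_listener(port: int = 0) -> socket.socket:
    """Equivalent of nginx 'listen [::]:80;' with ipv6only=off (port 0 = pick a free port)."""
    s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # 0 accepts IPv4 as well; 1 is the ipv6only=on / net.ipv6.bindv6only=1 behaviour
    s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
    s.bind(("::", port))
    s.listen(1)
    s.settimeout(5)
    return s


def ipv6_sockets_available() -> bool:
    """False on a kernel or Python build without IPv6 sockets."""
    try:
        dual_stack_listener().close()
        return True
    except OSError:
        return False


def connect_and_observe(connect_host: str) -> dict:
    """Connect to our own listener via connect_host and report how the server saw the peer."""
    listener = dual_stack_listener()
    port = listener.getsockname()[1]
    seen = {}

    def serve():
        conn, peer = listener.accept()   # peer is (host, port, flowinfo, scope_id)
        seen["raw"] = peer[0]
        conn.close()

    t = threading.Thread(target=serve)
    t.start()
    try:
        socket.create_connection((connect_host, port), timeout=5).close()
    finally:
        t.join()
        listener.close()
    seen["ip"] = client_ip(seen["raw"])
    return seen


if __name__ == "__main__":
    print(connect_and_observe("127.0.0.1"))   # {'raw': '::ffff:127.0.0.1', 'ip': '127.0.0.1'}
```

If the raw peer address comes back as ::ffff:127.0.0.1 the listener is dual-stack; if the IPv4 connection is refused, the socket (or the system-wide bindv6only setting) is IPv6 only and a separate IPv4 listener is needed.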
All very well, but you really want to test it yourself, don't you? And of course you have other software you need to test on IPv6, so you want to set up your desktop machine with IPv6 too. Time to make another tunnel. Now this is one of those cases where maybe you do want to try this at home. Or at least tell your sysadmin before setting it up in the office. With IPv6, machines are directly addressable on the internet, and the tunnel bypasses whatever firewalling sits in front of your IPv4 address: the IPv6 packets arrive wrapped in IP protocol 41 and are only unwrapped on the tunnel endpoint, so an IPv4 firewall or NAT box sees a single protocol-41 flow rather than the inbound connections inside it. With 2^64 addresses per subnet, port scanning a whole /64 is impractical, unlike IPv4, but addresses leak through DNS, logs and EUI-64 identifiers, so you should treat machines as connected and keep them secure, which of course you do at home, but judging from the amount of IE6 around does not happen at work so much.
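An ip6tables policy for the tunnel endpoint, added here as an example rather than taken from the original post. It assumes the tunnel interface is he-ipv6 and the LAN side br0, as in the configs on this page, and that SSH is the only service you want reachable from outside; load it with ip6tables-restore. ICMPv6 is deliberately allowed, since neighbour discovery, router advertisements and path MTU discovery all ride on it and IPv6 breaks without them.

```text
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections we opened ourselves
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 is not optional on IPv6: neighbour discovery, RAs and PMTU discovery use it
-A INPUT -p ipv6-icmp -j ACCEPT
# the LAN side is trusted (assumption)
-A INPUT -i br0 -j ACCEPT
# services exposed to the internet via the tunnel: SSH only (assumption)
-A INPUT -i he-ipv6 -p tcp --dport 22 -j ACCEPT
# LAN hosts may initiate outbound connections; inbound to them only as replies
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -i br0 -o he-ipv6 -j ACCEPT
COMMIT
```

On the IPv4 side it is also worth accepting encapsulated traffic only from the tunnel server, for example iptables -A INPUT -p 41 ! -s 216.66.80.26 -j DROP with your own tunnel server's address, so that protocol-41 packets from anywhere else are never decapsulated; the tunnel carries no authentication, so the IPv4 source address is the only thing that ties it to Hurricane Electric.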
Now my home connection is ADSL with a not very good modem, which I have been meaning to replace with a proper one. The main issue is that I don't really know how stable my IPv4 address is, so I am just going to have to experiment. If I had a UK server I could make my own tunnel I suppose, but I will see how I manage with a Hurricane Electric tunnel, which I will have to recreate if the IPv4 address changes, possibly with a new IPv6 address too. My guess is that the IPv4 address will be pretty stable; it was the same over a box reset just now. Also Hurricane Electric have an API call to change your tunnel's IPv4 endpoint! They also have a tunnel server in London, 20ms away from me.
First issue was that Hurricane Electric complained it could not ping my IP address. I looked through the config options on the O2 ADSL box (really a Speedtouch WL780) and there was nothing, so the internet found the answer. telnet to the box, login as SuperUser with password O2Br0ad64nd and type service system ifadd name=PING_RESPONDER group=wan, then saveall to write the config to flash and all will be well. There is a manual for the router online.
The next realization was that I need the ADSL router's NAT to forward the encapsulated IPv6 traffic (IP protocol 41, 6in4, which the router's templates call 6to4) to my Linux box, as the router cannot do IPv6 itself. At some point I will move the termination to my nice ultra low power dual core 1GHz ARM Trimslice box. So back to telnet and some helpful guides, all written in Dutch; thanks Chrome for the translations. Make sure you don't translate the router commands! Replace YOURNATIP with the private (NAT) address of your IPv6 endpoint.
expr add name=IPv6to4_prot_41 type=serv proto=41
firewall rule add chain=forward_host_service index=10 name=map_41 serv=IPv6to4_prot_41 log=enabled state=enabled action=accept
nat tmpladd group=wan type=nat outside_addr=0.0.0.1 inside_addr=YOURNATIP protocol=6to4 weight=50
saveall
Then set up the Hurricane Electric tunnel on the endpoint, using the private NAT address as the local end (the router rewrites it to the public IPv4 address on the way out):
modprobe ipv6                                   # only needed if IPv6 is built as a module
ip tunnel add he-ipv6 mode sit remote 216.66.80.26 local 192.168.1.77 ttl 255   # remote is the HE London tunnel server, local is the LAN address the router forwards protocol 41 to
ip link set he-ipv6 up
ip addr add 2001:470:1f08:1962::2/64 dev he-ipv6  # the tunnel link /64; HE's end is ::1
ip route add ::/0 dev he-ipv6                    # send all IPv6 traffic into the tunnel
Now you should be able to ping6 your tunnel address from outside and ping6 out from it, and reach ipv6.google.com for example. Going to an IPv6 test site such as http://test-ipv6.com/ shows the IPv4 and IPv6 addresses it sees you from. It does point out that the name server I am using has no IPv6 support, which could cause issues with IPv6-only sites that have IPv6-only name servers. Not going to fix that for the moment though. So we can browse the web on IPv6, at least, although it is quite hard to tell whether you actually are. You can check your web server logs: because the server listens on a dual-stack [::] socket, IPv4 clients are logged in IPv4-mapped notation such as ::ffff:188.220.243.64, while real IPv6 clients appear as full IPv6 addresses, so we can see that Firefox, for example, will use IPv6 by default when it is available.
One more thing: the rest of the machines on the network at home (or in the office!). We have our routed /64 allocation, so let's use it. All you need to do is run a daemon that sends the router advertisements used for stateless autoconfiguration, which is radvd on Linux:
apt-get install radvd
sysctl -w net.ipv6.conf.all.forwarding=1
Set the sysctl setting in /etc/sysctl.conf too so it is persistent. Enabling forwarding makes the kernel stop accepting router advertisements itself (a router must not autoconfigure from its own advertisements) and lets it forward IPv6. Then create an /etc/radvd.conf for the interface you want to advertise on; yes, mine is br0 as I have a bridge set up for my VMs.
interface br0
{
    AdvSendAdvert on;
    MaxRtrAdvInterval 4;
    prefix 2001:470:1f09:1962::/64
    {
        AdvRouterAddr on;
    };
};
Now you can start radvd and set up the service to be restarted automatically. Then, by magic, any computers in the vicinity that do not have IPv6 disabled will automagically get an IPv6 address, based on their MAC address and your prefix. Magic! My Linux netbook got one, but I could not ping anything. The first issue was that my bridge (or in your case your network interface) did not have an IPv6 address, so I added one with ip addr add 2001:470:1f09:1962::2/64 dev br0. Now I could ping6 that, but no external routes worked. It turns out that IPv6 forwarding is all very well, but you need explicit routes too. So add ip -6 route add 2000::/3 via 2001:470:1f08:1962::1, where 2000::/3 covers all global unicast addresses and 2001:470:1f08:1962::1 is the other end of your IPv6 tunnel. Sorted! Well, kind of: both the machines, Linux and Mac, that I was testing with kept losing routing and the ability to ping6 the gateway. Odd, as the gateway machine was fine. OK, fixed, see this forum page: the link address is not the allocated routing address. 2001:470:1f08:1962::/64 is the network of the point-to-point tunnel link, but my routed network is the one after it, 2001:470:1f09:1962::/64, which Hurricane Electric lists as the Routed /64 when you log in again. I have changed the configs above accordingly. Everything is now working as expected on all the computers.
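The link /64 versus routed /64 mix-up described above is easy to catch before radvd ever runs. Here is an added example (not from the original post) that takes the three numbers from the Hurricane Electric tunnel page, refuses to advertise the point-to-point link network, and prints the commands and radvd.conf that use the routed one. The interface names and the choice of ::1 for the router's LAN address are assumptions; the function names are mine.

```python
"""Tunnel link /64 versus routed /64 sanity check (added example, not from the original post).

Hurricane Electric hands out two /64s: the point-to-point link between your tunnel
endpoint (::2) and theirs (::1), and a separate routed /64 for your LAN. Only the
routed one belongs in radvd.conf.
"""
import ipaddress


def tunnel_plan(server_ipv6: str, client_ipv6: str, routed_prefix: str,
                tunnel_if: str = "he-ipv6", lan_if: str = "br0") -> dict:
    """Derive the router's addresses and routes, refusing a routed prefix that is really the link."""
    server = ipaddress.IPv6Address(server_ipv6)
    client = ipaddress.IPv6Address(client_ipv6)
    link = ipaddress.IPv6Network(f"{client}/64", strict=False)
    routed = ipaddress.IPv6Network(routed_prefix, strict=True)
    if server not in link:
        raise ValueError("tunnel endpoints are not in the same /64")
    if routed.overlaps(link):
        raise ValueError(f"{routed} is the tunnel link network, not the routed /64; "
                         "use the 'Routed /64' from the tunnel details page")
    lan_addr = routed[1]  # ::1 of the routed /64 (assumption); ::0 is the subnet-router anycast address
    return {
        "link_net": str(link),
        "routed_net": str(routed),
        "lan_address": str(lan_addr),
        "commands": [
            f"ip addr add {client}/64 dev {tunnel_if}",
            f"ip addr add {lan_addr}/64 dev {lan_if}",
            f"ip -6 route add 2000::/3 via {server}",  # all global unicast via the far end of the tunnel
        ],
    }


def advertises_link_prefix(advertised_prefix: str, client_ipv6: str) -> bool:
    """True if a radvd prefix is the point-to-point link network, i.e. the mistake described above."""
    link = ipaddress.IPv6Network(f"{client_ipv6}/64", strict=False)
    return ipaddress.IPv6Network(advertised_prefix, strict=True).overlaps(link)


def radvd_conf(plan: dict, lan_if: str = "br0") -> str:
    """Minimal radvd.conf advertising the routed /64 on the LAN interface."""
    return (
        f"interface {lan_if}\n"
        "{\n"
        "    AdvSendAdvert on;\n"
        f"    prefix {plan['routed_net']}\n"
        "    {\n"
        "        AdvRouterAddr on;\n"
        "    };\n"
        "};\n"
    )


if __name__ == "__main__":
    # numbers from the post: HE's end, our end, and the routed /64
    plan = tunnel_plan("2001:470:1f08:1962::1", "2001:470:1f08:1962::2", "2001:470:1f09:1962::/64")
    print("\n".join(plan["commands"]))
    print(radvd_conf(plan))
    print("advertising the link /64 would be wrong:",
          advertises_link_prefix("2001:470:1f08:1962::/64", "2001:470:1f08:1962::2"))
```

Feeding it the link network as the routed prefix raises a ValueError instead of producing a config, which is the check that would have saved the debugging session above.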
Note that you should be able to do all this with a Mac OS X or Windows machine as the router or server; the setup will be a little different, but Hurricane Electric should give you the help, along with your OS vendor. As for your routers, you may have to read some Dutch too!
So there you are, a quick guide to getting started with IPv6. Happy protocol upgrades!
Note: I have now moved my blog to Hetzner, which has native IPv6 availability, which makes life much simpler. If you are selecting a new provider, always choose one that supports IPv6! Rackspace/Slicehost, my former provider, seems rather behind the times.
Tagged: ipv6
