Setting up IPv6


To use IPv6 on my network, as the ISP doesn’t yet provide it, I designate one machine to act as a 6to4 router. Users could also use configured 6in4 tunnelling, but that involves a third party and won’t be quite as fast, though it may allow more advanced features such as reverse DNS and multicast. 6to4 is probably the fastest option for sites without native IPv6 access.

Setting up 6to4

6to4 gives each IPv4 machine a rather large range of IPv6 addresses to play with. The upper 48 bits contain the 6to4 identifier (2002) and the IPv4 address of that machine, so other computers on the Internet know where to send the replies. The remaining bits are yours to do with as you please. Usually the lower 64 bits contain a variation of a machine’s ethernet address when used on an ethernet subnet, leaving 16 bits to identify which subnet, or which use, you are putting the addresses to. If you have multiple machines to choose from, best use the one that is closest to the Internet.

You first have to enable IPv6, usually by loading its kernel module. Then you can add some lines to /etc/network/interfaces.

On older systems the following can be used. It also works for the DMZ host behind a NAT when routerip (the screenscraper script given in the Sky ADSL annex below) is altered to return the NAT’s public IP address. How to do this varies from NAT box to NAT box, but often you can script a screenscrape of the box’s web page or telnet session.

You need the Debian packages iproute, grep and sed for this to work.

iface sit0 inet6 static
        address `printf "2002:%02x%02x:%02x%02x::" \`ip route get 192.88.99.1 | sed $'s/.*src//\nq' | tr "." " "\``
        netmask 16
        gateway ::192.88.99.1
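As an added example, not code from the original page, the address construction used in the stanzas above done in plain POSIX sh functions: the 6to4 prefix from the IPv4 address (the printf in the address line), a modified EUI-64 interface identifier from a MAC, and a source-address extraction from ip route get that tolerates the extra fields newer iproute2 prints. The sample IPv4 address and MAC are constructed values.

```shell
#!/bin/sh
# Added example, not from the original page: the address arithmetic behind the
# interface stanzas, written as plain POSIX sh functions instead of the nested
# printf/sed/bash-substring one-liners.

# src_from_route: read "ip route get" output on stdin and print only the
# source address. Newer iproute2 appends "uid N" after the address, which
# would hand printf extra arguments in the original "sed s/.*src//" form.
src_from_route() {
    sed -n 's/.*src \([0-9.]*\).*/\1/p;q'
}

# sixto4_prefix 10.0.0.5 -> 2002:0a00:0005::   (the /48 6to4 prefix;
# 0a00:0005 is the IPv4 address 10.0.0.5 written as four hex octets)
sixto4_prefix() {
    printf '2002:%02x%02x:%02x%02x::\n' $(printf '%s' "$1" | tr . ' ')
}

# eui64 ac:de:48:23:45:67 -> aede:48ff:fe23:4567   (modified EUI-64: flip the
# universal/local bit of the first octet and insert ff:fe in the middle)
eui64() {
    set -- $(printf '%s' "$1" | tr : ' ')
    printf '%02x%02x:%02xff:fe%02x:%02x%02x\n' \
        $((0x$1 ^ 2)) $((0x$2)) $((0x$3)) $((0x$4)) $((0x$5)) $((0x$6))
}

# full_address <ipv4> <subnet> <mac>: 6to4 prefix + 16-bit subnet + EUI-64,
# i.e. the address the "ifconfig $IFACE add ... :1: ..." lines construct.
full_address() {
    printf '%s:%s:%s\n' "$(sixto4_prefix "$1" | sed 's/::$//')" "$2" "$(eui64 "$3")"
}

# Constructed sample values (not a real host): public IPv4 10.0.0.5, subnet 1,
# MAC ac:de:48:23:45:67 -> 2002:0a00:0005:1:aede:48ff:fe23:4567
full_address 10.0.0.5 1 ac:de:48:23:45:67
```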

Newer systems that are not behind any NAT can also use the following:

The line containing int0 is an example of providing IPv6 to an ethernet interface, which may be a bridge so that ebtables can be used even with only the one interface.

iface tun6to4 inet manual
        up /sbin/ip tunnel add tun6to4 mode sit ttl 64 remote any local $(ip --family inet route get 192.88.99.1 | sed $'s/.*src//\nq')
        up /sbin/ip link set dev tun6to4 up
        up /sbin/ip -6 addr add $(ipv6calc --in ipv4addr --out ipv6addr --action conv6to4 \
                $(ip --family inet route get 192.88.99.1 | sed $'s/.*src//\nq'))/16 dev tun6to4
        # give int0 an address in subnet 1 of our 6to4 /48, with an EUI-64 from its MAC
        up ifconfig int0 add $(ipv6calc --in prefix+mac --out ipv6addr --action prefixmac2ipv6 \
                $(grep ^2002.*tun6to4$ /proc/net/if_inet6 | cut --output-delimiter=":" --characters=1-4,5-8,9-12):1::/64 \
                $(cat /sys/class/net/int0/address) \
                )
        up /sbin/ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4 metric 1
        # publish the current addresses to the runit-managed djbdns services (specific to this setup)
        up ip route get 192.88.99.1 | sed $'s/.*src//\nq' > /etc/sv/tinydns4/env/IP
        up ipv6calc --in ifinet6 --out ipv6addr $(grep ^2002.*int0$ /proc/net/if_inet6 | cut -f1 -d" ") > /etc/sv/dnscache6/env/IP
        up ipv6calc --in ifinet6 --out ipv6addr --printuncompressed \
                $(grep ^2002.*tun6to4$ /proc/net/if_inet6 | cut -f1 -d" ") > /etc/sv/tinydns6/env/IP
        down /sbin/ip -6 route flush dev tun6to4
        down /sbin/ip link set dev tun6to4 down
        down /sbin/ip tunnel del tun6to4

Firewall

Only ip6tables can protect the 6to4 system from being used as an anonymous IPv6 relay, even if every application running on it is considered secure. Here I have two local interfaces using IPv6 addresses, and block traffic arriving from tun6to4 from turning round and going back out through it; in reality one may be stricter than this.

It is still prudent to additionally configure all applications to reject use from unauthorised sources wherever possible. This provides an additional layer of protection in case the system comes up without its firewall rules loading 😿

This means ALL: ALL in /etc/hosts.deny, then adding permitted applications one by one in /etc/hosts.allow.

For Samba, hosts deny = 0.0.0.0/0 ::/0 with explicit allows for the required hosts is useful.

Unless there are exotic requirements, usually allow the system to communicate with itself (loopback).

Let the system communicate with the outside world where the system initiates the communication. Exceptions can be added to permit incoming connections, such as to ports providing Internet services.

Let an internal interface communicate freely with the system, and with the outside world where the internal side initiates the communication.

Once the rules are verified, set the firewall policy to DROP so that we fail secure.

Run netfilter-persistent save to write out the current rules so that they are loaded at boot.
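As an added example (not the page's own rules, which are not reproduced here), the policy described above expressed as an ip6tables-restore file, generated by a shell function so it can be reviewed before loading. The tunnel name tun6to4 follows the stanza above; the two internal interface names int0 and int1 are assumptions, and the ICMPv6 allowance is an addition the page does not list.

```shell
#!/bin/sh
# Added example, not the page's own rules: an ip6tables-restore ruleset that
# implements the policy described above. Interface names are assumptions:
# tun6to4 is the 6to4 tunnel, int0 and int1 the two internal interfaces.
# The rules are printed rather than loaded so they can be reviewed first, then
# fed to "ip6tables-restore" or saved as /etc/iptables/rules.v6 for
# netfilter-persistent.

gen_ip6tables_rules() {
    tun=${1:-tun6to4}; lan1=${2:-int0}; lan2=${3:-int1}
    cat <<EOF
*filter
# Default policy DROP on INPUT and FORWARD: fail secure if a rule is missing.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The system may always talk to itself.
-A INPUT -i lo -j ACCEPT
# ICMPv6 carries neighbour discovery and path MTU discovery; dropping it
# breaks IPv6 (this allowance is an addition to what the page lists).
-A INPUT -p icmpv6 -j ACCEPT
-A FORWARD -p icmpv6 -j ACCEPT
# Replies to connections this host initiated.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Internal interfaces may reach the host freely.
-A INPUT -i $lan1 -j ACCEPT
-A INPUT -i $lan2 -j ACCEPT
# Packets from the tunnel must not turn round and leave through the tunnel
# again; otherwise this host would be an open 6to4 relay for anyone.
-A FORWARD -i $tun -o $tun -j DROP
# The internal side may initiate outward and between interfaces;
# only replies to those connections come back in from the tunnel.
-A FORWARD -i $lan1 -o $tun -j ACCEPT
-A FORWARD -i $lan2 -o $tun -j ACCEPT
-A FORWARD -i $lan1 -o $lan2 -j ACCEPT
-A FORWARD -i $lan2 -o $lan1 -j ACCEPT
-A FORWARD -i $tun -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Add exceptions for services offered to the Internet here, one per port:
# -A INPUT -i $tun -p tcp --dport 22 -j ACCEPT   (constructed example, SSH)
COMMIT
EOF
}

# Number of -A rules generated; handy for a sanity check after loading,
# e.g. comparing with "ip6tables -S | grep -c '^-A'".
rule_count() { gen_ip6tables_rules "$@" | grep -c '^-A'; }

gen_ip6tables_rules
```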

Then, provided you start 6to4 after your Internet connection, you have IPv6. If the system shares a machine with Windows XP, you may replace 2002:%02x%02x:%02x%02x:: with 2002:%02x%02x:%02x%02x::%02x%02x:%02x%02x and echo $ip with echo $ip.$ip, to generate the same address as that OS gives itself (it repeats the IPv4 address in the interface identifier). There are also other ways.

6to4 and native together?

We can set up multiple routing tables so end stations can reach both 6to4 and native remote nodes, using the 6to4 address to communicate with remote 6to4 nodes and the native address otherwise.

Usually we will use tc, iptables and iproute2 together. First give the extra routing table a name; the rt_tables format is the table number followed by its name, and the file must be appended to rather than overwritten, or the local and main table names are lost:

echo "4 6to4" >> /etc/iproute2/rt_tables

For network interfaces:

up /sbin/ip -6 rule add from 2002:xxxx:xxxx::/48 lookup 6to4
up /sbin/ip -6 route add 2002::/16 table 6to4 dev tun6to4
up /sbin/ip -6 route add 2000::/3 table 6to4 via ::192.88.99.1 dev tun6to4

This means that if the gateway receives a packet from 2002:xxxx:xxxx::/48, it consults the 6to4 routing table instead of the main one.

Sharing IPv6 on your Ethernet network

Although you could set up 6to4 on all of your LAN if you are graced with a public v4 subnet, it’s easier in the long run to use the same arrangement that NAT users would have to, and leave 6to4 on your Internet gateway. All other machines then configure themselves via parameters provided by that machine. This makes migrating to proper IPv6 easier and lets you experiment with native IPv6 locally too.

First, your internal ethernet interface, or the bridge for internal interfaces, gets configured with a portion of your 6to4 space and its own interface identifier. Add these lines under gateway ::192.88.99.1, assuming you want to use 1 as your subnet number.

	# the 0x prefix makes the universal/local bit flip work when the MAC's second hex digit is a letter
	up ifconfig $IFACE add `ifconfig sit0 | grep "inet6 addr: 2002" | cut -d : -f 2-4`:1:`c(){ echo ${5:0:1}$(printf %x $((0x${5:1:1}^2)))${5:3:2}:${5:6:2}ff:fe${5:9:2}:${5:12:2}${5:15:2};};c $(ifconfig $IFACE)`/64
	down ifconfig $IFACE del `ifconfig sit0 | grep "inet6 addr: 2002" | cut -d : -f 2-4`:1:`c(){ echo ${5:0:1}$(printf %x $((0x${5:1:1}^2)))${5:3:2}:${5:6:2}ff:fe${5:9:2}:${5:12:2}${5:15:2};};c $(ifconfig $IFACE)`/64

Your machine has to tell the others to use it as gateway. To do this, you install radvd which acts a bit like DHCP but for IPv6 in that it tells other machines their addresses, and who to use as gateway to the Internet.

radvd requires a configuration file to say which addresses to give out. You can generate this automatically from your sit0 address if you don’t have a fixed public IP address. You could generate the config file as follows, assuming your internal interface is int0 and that it’s already configured with its own public v6 address as above, then start radvd with /etc/init.d/radvd start. Multiple ethernet interfaces could also be handled separately by giving each its own interface block in radvd.conf, if you prefer that to bridging them together as here.

If not using native IPv6, you may need to limit the MTU to 1480 if your IPv4 tunnel or 6to4 is limited to an MTU of 1500. If using native IPv6, an AdvLinkMTU of 1500 or more is likely to be possible. If it is not set, TCP or UDP find their too-large packets are thrown away rather than learning not to send them, and do not work as well as they could.

#!/bin/sh
# Generate /etc/radvd.conf from the 6to4 address already configured on the internal interface.
IFACE=int0
# The first four groups of the interface's 2002: address form the /64 to advertise
# (the 6to4 /48 plus our 16-bit subnet number).
NET=`ifconfig $IFACE | grep "inet6 addr: 2002" | cut -d : -f 2-5`
echo 'interface '$IFACE'
{
	AdvLinkMTU 1480;
	AdvSendAdvert on;
	prefix '$NET'::/64
	{
		AdvOnLink on;
		AdvAutonomous on;
	};
};' > /etc/radvd.conf

DHCPv6

radvd only gives your computers their global IPv6 addresses, such as a native and a 6to4 address, plus the addresses of nameservers and a DNS search list, which may well be sufficient. ISC DHCP has an IPv6 mode that may do the rest, though it has not been fully explored so far.

Reverse DNS

It’s useful to create a reverse DNS zone on your nameservers so that machines can have DNS names, even for 6to4 users. They can set up reverse dns delegation as well.

Annex for users of Sky ADSL

Users of this service have to use the supplied Netgear ADSL router, and it changes IP address periodically. Users may set a DMZ machine in its configuration, and its inbuilt DHCP server can be set to fix the IP allocation for this machine and others by MAC address. This machine can provide 6to4 service to the other computers.

for the /etc/network/interfaces

iface sit0 inet6 static
        up /usr/local/sbin/6to4guard
        up /sbin/ifconfig int0 add $(/usr/local/sbin/lanip)
        up /etc/init.d/radvd reload
        down /sbin/ifconfig int0 del $(ifconfig int0 | grep "inet6 addr: 2002" | tr -s " " | cut -d" " -f4)
        address `printf "2002:%02x%02x:%02x%02x::" \`routerip | tr "." " "\``
        netmask 16
        gateway ::192.88.99.1

source code of routerip

#!/bin/bash
# sky router screenscraper: fetch the router status page until the WAN IP
# address can be read out of it (uses bash here-strings, so not /bin/sh)

while test -z "${IP2}"
do
        IP=$(wget -O - --user=admin --password=sky -q http://192.168.0.1/s_status.htm | grep -A 2 "IP Address" | head -2 | tail -1)
        IP2=$(cut -d$'>' -f2 <<<"${IP}" | cut -d$'<' -f1)
        sleep 1
done
echo $IP2

source of lanip

#!/bin/bash
# lanip: print the address for int0 (6to4 /48 taken from sit0, subnet 1, EUI-64 from
# the MAC of int0) and rewrite /etc/radvd.conf to advertise it (bash substrings, so not /bin/sh)
LAN=$(/sbin/ifconfig sit0 | grep 2002 | tr -s " " | cut -d" " -f4 | cut -d":" -f1-3)
# the 0x prefix makes the universal/local bit flip work when the MAC's second hex digit is a letter
IP=:`c(){ echo ${5:0:1}$(printf %x $((0x${5:1:1}^2)))${5:3:2}:${5:6:2}ff:fe${5:9:2}:${5:12:2}${5:15:2};};c $(ifconfig int0)`/64
echo ${LAN}$':1'${IP}

echo -ne $'interface int0\n{\nAdvSendAdvert on;\nprefix '${LAN}$':1'${IP}$'\n{\nAdvOnLink on;\nAdvAutonomous on;\nAdvRouterAddr on;\n};\n};' > /etc/radvd.conf

Users may use the same 6to4guard script as above.

Experiment of MAC OS X 6to4 via a Belkin router

This is partially complete: Mac OS X would not originate 2002:: packets unless the embedded IPv4 address is configured on an interface, though that address will then be inserted into outgoing packets too, which may need to be changed for the router to accept it.

ROUTERIP=$(2>/dev/null curl -q http://192.168.2.1/ | grep 'var wan_ip' | cut -d\" -f2)
ifconfig stf0 inet6 $(printf "2002:%02x%02x:%02x%02x::" $(<<<"${ROUTERIP}" tr . " ") prefixlen 16 -alias
ifconfig stf0 inet6 $(printf "2002:%02x%02x:%02x%02x::" $(<<<"${ROUTERIP}" tr . " ") prefixlen 16
ifconfig en1 ${ROUTERIP} alias

Altering of Gateway MTU on Mac OS X

To drop the MTU, use a startup file. It is preferable to use route rather than ifconfig to set the MTU, as you might be using standard size frames or even jumbograms on your local network but be restricted to 1500-byte Ethernet or even less to reach the Internet.

This example applies if your ISP provides an MTU of 1492 (8 less than the ethernet maximum of 1500) and you want to use 6to4 tunnelling, which subtracts another 20, giving 1472. Mac OS X seems very picky about the ordering of options, hence these notes.

route -vn change default -mtu 1492
route -vn change -inet6 default -mtu 1472
netstat -nrl

Network Manager

We can create VLAN entries in /etc/NetworkManager/system-connections/, where `uuid` is replaced with a generated UUID.

We suppose for example purposes that the device has a MAC of AC:DE:48:23:45:67

We change autoconnect to true to bring the VLAN up when device enp0s0 comes up.

[connection]
id=experiment
uuid=`uuid`
type=vlan
autoconnect=false

[ipv6]
method=manual
addresses1=2001:db8:0:40:aede:48ff:fe23:4567/64;::
never-default=true

[vlan]
parent=enp0s0
id=40

[ipv4]
method=manual
addresses1=192.168.40.20;24;0.0.0.0;

If the VLAN device is not intended for direct IP usage, then it can be set up without addresses:

>/etc/NetworkManager/system-connections/printer echo "
[connection]
id=printer
uuid="`uuidgen -t`"
type=vlan
autoconnect=true

[ipv6]
method=ignore

[vlan]
parent=enp0s0
id=30

[ipv4]
method=disabled
"

Once the file is in place, use nmcli con up id experiment, but notice that nmcli will complain Error: Unknown connection:/ if the file is present and either incorrect or readable to users other than root.

Some distributions of GNOME3 hide applets from the system tray or notification area.

The End

Some extra info for trying IPv6 on Windows XP and tg582n