Setting up IPv6

In this document, this is example data and this is data to be entered at the keyboard

To use IPv6 on my network, as the ISP may change, I use private addressing as the primary range, with native and/or 6to4 when compatible ISP is connected.

Users could also used configured 6in4 tunnelling but that involves interaction with a third party and won’t be quite as fast, but may allow the use of more advanced features like reverse DNS and multicast. 6to4 is probably the fastest for sites without pure ipv6 access.

Summary of private site ipv6

if an interface on vlan f00d has MAC of AC:DE:48:23:45:67

builtin link address, similar to 169.254.RAN.DOM/16
fe80::aede:48ff:fe23:4567/64
simple site local lan address, similar to 192.168.VLAN.NODE/24 style addressing, it may be deprecated but still useful until geoip can be a standard.
fec0:0:0:f00d:aede:48ff:fe23:4567/64
alternate site local lan address with randomised prefix in place of 00:0000:0000, suggest from a key
fd00:0000:0000:f00d:aede:48ff:fe23:4567/64
Got a site ipv4 address of 192.0.2.1?; systems may have an 6to4 address like this:
2002:c000:0201:f00d:aede:48ff:fe23:4567/64
Got native ipv6 from ISP d0be; might have an address like this:
2001:db8:d0be:f00d:aede:48ff:fe23:4567/64

Site local addresses might now be stored locally in home.arpa. rather than local. as used by multicast dns, and protects site addressing from being misrouted by the drop catch of expiry revokation of ip address space.

forward zone
SOA example.home.arpa.
forward record
example.lan.home.arpa. IN AAAA fec0:0:0:f00d:aede:48ff:fe23:4567
forward alias
www.home.arpa. IN AAAA fec0:0:0:f00d:aede:48ff:fe23:4567
reverse
7.6.5.4.3.2.e.f.f.f.8.4.e.d.e.a.d.0.0.f.0.0.0.0.0.0.0.0.0.c.e.f.ip6.arpa. IN PTR example.lan.home.arpa.

Recommend configure 6to4?

This enables IPv4 capable sites to reach other IPv4 capable sites and tunnel IPv6 in it.

There remains use in configuring this on an IPv4 site even together with native ipv6, as sites may not be able to rely on 192.88.99.1 to reach native sites except as a last resort, so in most cases is a recommendation whilst public IPv4 is in use.

The exception is if the endpoints machines are internal and are never allowed to communicate directly to the internet, it is imagined that only link-local and site-local and/or unique local addressing will be configured, along with private ipv4 addressing if applicable.

This is usual for things like appliances, management interfaces where the security cannot be trusted, and maybe for stations whom are only to use a proxy or mirror to access Internet services.

How to configure 6to4

6to4 gives each IPv4 machine rather large range of IPv6 addresses to use. The upper 48 bits contain the 6to4 identifier, and the IPv4 address of that machine, so other computers on the Internet know where to send the replies. The remaining 48 bits are used flexibly. Usually the lower 64 bits contain a variation of a machine’s ethernet address when used on an ethernet network, leaving 16 bits to identify the network or vlan, or other use of the addresses. The 48 bits can be aligned with any native IPv6 prefixes that are also in use, for ease of management.

You first will have to enable ipv6, usually by loading its module. Then could add some lines to a file in /etc/network/interfaces.d/

Originally the following can be used, it also works for the DMZ host behind a NAT, when routerip is altered to return the NAT public IP address. How to do this varies from NATbox to NATbox, but often you can script a screenscrape of a NATbox web page or telnet session.

You need the debian packages iproute, grep and sed for this to be useful.

iface sit0 inet6 static
        address `printf "2002:%02x%02x:%02x%02x::" \`ip route get 192.88.99.1 | sed $'s/.*src//\nq' | tr "." " "\``
        netmask 16
        gateway ::192.88.99.1

Newer systems that are not behind any NAT can also use the following:

The line containing int0 is an example to provide ipv6 to an ethernet interface, which may be a bridge to allow the use of ebtables even with only the one interface.

iface tun6to4 inet manual
        up /sbin/ip tunnel add tun6to4 mode sit ttl 64 remote any local $(ip --family inet route get 192.88.99.1 | sed $'s/.*src//\nq')
        up /sbin/ip link set dev tun6to4 up
        up /sbin/ip -6 addr add $(ipv6calc --in ipv4addr --out ipv6addr --action conv6to4 \
				$(ip --family inet route get 192.88.99.1 | sed $'s/.*src//\nq'))/16 dev tun6to4
	up ifconfig add int0 $(ipv6calc --in prefix+mac --out ipv6addr --action prefixmac2ipv6 \
                                 $(grep ^2002.*tun6to4$ /proc/net/if_inet6 | cut --output-delimiter=":" --characters=1-4,5-8,9-12):1::/64 \
                                 $(cat /sys/class/net/int0/address) \
                                 )
        up /sbin/ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4 metric 1
	up ip route get 192.88.99.1 | sed $'s/.*src//\nq' > /etc/sv/tinydns4/env/IP
	up ipv6calc --in ifinet6 --out ipv6addr $(grep ^2002.*int0$ /proc/net/if_inet6| cut -f1 -d" ") > /etc/sv/dnscache6/env/IP
	up ipv6calc --in ifinet6 --out ipv6addr --printuncompressed \
                $(grep ^2002.*tun6to4$ /proc/net/if_inet6| cut -f1 -d" ") > /etc/sv/tinydns6/env/IP
        down /sbin/ip -6 route flush dev tun6to4
        down /sbin/ip link set dev tun6to4 down
        down /sbin/ip tunnel del tun6to4

Firewall

Only ip6tables could protect the 6to4 system from being used as an anonymous IP forwarder, even if all the applications running were considered secure. Here I have 2 local interfaces using IPv6 addresses, and block data from tun6to4 from turning round and falling back in, in reality one may be more strict than this.

As ip4tables does not have a routine to match the inner ipv6 address at the ipv4 level, so use bpf to ensure that it is for us, so we do not particpate in a reflection attack, in particular require the 6to4 source address to contain the actual origin ipv4 before linux tun6in4 interface strips it away. This assumes dsl0 is a ppp interface. Replace the example addresses to use.

  1. iptables -A INPUT -d 192.0.2.0/32 -i dsl0 -p 41 -m bpf --bytecode \
  2. "`tcpdump -ddd -i dsl0 \
  3. link[0x2c:2] = 0x2002 and \
  4. link[0x2e:4] = link[0x10:4] and \
  5. link[0x32:2] = 0 and \
  6. link[0x34:4] = 0 and \
  7. link[0x38:4] = 0 and \
  8. link[0x1c:2] = 0x2002 and \
  9. link[0x1e:4] = link[0xc:4] \
  10. | tr "\n" ","`" -j ACCEPT

It is still prudent to additionally configure all applications to reject usage from unauthorised sources wherever possible. This provides an additional layer of protection in case system comes up without firewall rules loading 😿

This means ALL: ALL in /etc/hosts.deny, then add permitted applications one by one in /etc/hosts.allow

For samba hosts deny = 0.0.0.0/0 ::/0 with explicit allows for required hosts is useful.

Unless there are exotic requirements, usually allow system to communicate with itself

Let the system communicate with the outside world where the system initiates communication. Exceptions can be added to permit incoming communications such as to ports providing internet services.

Let an internal interface communicate freely with system, and to the outside world where the internal side initiates the communication.

It is good to set the firewall policy to drop so that we fail secure, when the rules are verified.

Run netfilter-persistent save to write out current rules so they start

Then, provided you start 6to4 after your internet connection, you have IPv6. If the system shares a machine with Windows XP, you may substitute 2002:%02x%02x:%02x%02x:: for 2002:%02x%02x:%02x%02x::%02x%02x:%02x%02x and echo $ip for echo $ip.$ip to generate the same address as that OS will give itself. There are also other ways

6to4 and native together?

We can set up multiple routing tables so endstations can reach both 6to4 and native remote nodes, using the 6to4 address to communicate with remote 6to4 nodes and native otherwise. The system will generally not send encapsulated traffic to 192.88.99.1, as 2002:: addresses usually communicate with other 2002:: addresses, with the local station selecting its site or global address to talk with remote stations in thore addressing classes.

Usually we will use tc, iptables and iproute2 together

echo 6to4 4 > /etc/iproute2/rt_tables

For network interfaces:

up /sbin/ip -6 rule add from 2002:xxxx:xxxx::/48 lookup 6to4
up /sbin/ip -6 route add 2002::/16 table 6to4 dev tun6to4
up /sbin/ip -6 route add 2000::/3 table 6to4 via ::192.88.99.1 dev tun6to4

This means if the gateway receives a packet from 2002:xxxx:xxxx::/48 then consider the 6to4 routing table.

Sharing IPv6 on local ethernet

In 2018 I am using link-local (fe80::/64) , site-local(fec0::/64), 6to4 (2002::/16), and global addressing. The link-local and site-local can be redarded as fixed, with 6to4 and native subject to ISP changes, thus all except linklocal are advertised via radvd/slaac

Stations then can select site-local to communicate locally, this would not be affected by use of dynamic IP or provider switching. Multiple providers can be active and then there will be even more prefix advertised.

The ultimate configuration could advertise 6to4 and native only when the ISP is online, giving all stations immediate visibility on whether they can use the "Internet". local communications would use local addresses by default.

For 6to4 space, downstream interfaces have added a 2002 address formed from each serving public ipv4 address. Add these lines under gateway ::192.88.99.1:, changing d0be for desired network or vlan number.

	up ifconfig $IFACE add `ifconfig sit0 | grep "inet6 addr: 2002" | cut -d : -f 
2-4`:1:`c(){ echo ${5:0:1}$(printf %x $((${5:1:1}^2)))${5:3:2}:${5:6:2}ff:fe${5:9:2}:${5:12:2}${5:15:2};};c $(ifconfig $IFACE)`/64
	down ifconfig $IFACE del `ifconfig sit0 | grep "inet6 addr: 2002" | cut -d : -f 2-4`:d0be:
`c(){ echo ${5:0:1}$(printf %x $((${5:1:1}^2)))${5:3:2}:${5:6:2}ff:fe${5:9:2}:${5:12:2}${5:15:2};};c $(ifconfig $IFACE)`/64

Your machine has to tell the others to use it as gateway. To do this, you install radvd which acts a bit like DHCP but for IPv6 in that it tells other machines their addresses, and who to use as gateway to the Internet.

radvd requires a configuration file to say which addresses to give out. You can generate this automatically from your sit0 address, especially reccommended if you don’t have a fixed public IP address. You could generate a config file as follows, assuming your internal interface is int0 and that it’s already configured with it’s own public v6 address as above, then start radvd up with /etc/init.d/radvd start. Multiple ethernet interfaces could also be handled separately by giving each their own interface block in radvd.conf if you prefer that, instead of bridging them together as here.

The MTU of 6to4 routes may need to restrict to 1480 if the corresponding IPv4 tunnel or 6to4 is limited to an MTU of 1500. If using native IPv6, then an AdvLinkMTU of 1500 or more is likely to be possible. If it is not set then TCP or UDP find their too-large packets are thrown away rather than knowing not to send them, and do not work as well as they could.

#!/bin/sh
IFACE=int0
NET=`ifconfig $IFACE | grep "inet6 addr: 2002" | cut -d : -f 2-5`
echo 'interface '$IFACE'
{
	AdvLinkMTU 1480;
	AdvSendAdvert on;
	prefix '$NET'::/64
	{
		AdvOnLink on;
		AdvAutonomous on;
	};
};' > /etc/radvd.conf

DHCPv6

radvd gives computers their site and ISP IPv6 addresses, such as a native and a 6to4 address. Also, internet address of nameservers, and a dns search list. isc dhcp has an ipv6 mode used to issue DNS tu UEFI IPV6 pxe bios and microsoft windows.

Reverse DNS

It’s useful to create a reverse DNS zone on nameservers so that machines can have DNS names, even for 6to4 users. They can set up reverse dns delegation as well.

Annex for users of Sky ADSL

Users of this service have to use the supplied Netgear ADSL router, and it changes IP address periodically. Users may set a DMZ machine in its configuration, and its inbuilt DHCP server can be set to fix the IP allocation for this machine and others by MAC Address. This machine can provide 6to4 service to the other computers.

for the /etc/network/interfaces

iface sit0 inet6 static
        up /usr/local/sbin/6to4guard
        up /sbin/ifconfig int0 add $(/usr/local/sbin/lanip)
        up /etc/init.d/radvd reload
        down /sbin/ifconfig int0 del $(ifconfig int0 | grep "inet6 addr: 2002" | tr -s " " | cut -d" " -f4)
        address `printf "2002:%02x%02x:%02x%02x::" \`routerip | tr "." " "\``
        netmask 16
        gateway ::192.88.99.1

source code of routerip

#!/bin/sh
# sky router screenscraper

while test -z "${IP2}"
do
        IP=$(wget -O - --user=admin --password=sky -q http://192.168.0.1/s_status.htm | grep -A 2 "IP Address" | head -2 | tail -1)
        IP2=$(cut -d$'>' -f2 <<<"${IP}" | cut -d$'<' -f1)
        sleep 1
done
echo $IP2

source of lanip

LAN=$(/sbin/ifconfig sit0 | grep 2002 | tr -s " " | cut -d" " -f4 | cut -d":" -f1-3)
IP=:`c(){ echo ${5:0:1}$(printf %x $((${5:1:1}^2)))${5:3:2}:${5:6:2}ff:fe${5:9:2}:${5:12:2}${5:15:2};};c $(ifconfig int0)`/64
echo ${LAN}$':1'${IP}

echo -ne $'interface int0\n{
AdvSendAdvert on;\n
prefix '${LAN}$':1'${IP}$'\n{AdvOnLink on;\nAdvAutonomous on;\nAdvRouterAddr on;\n};\n};' > /etc/radvd.conf

Users may use the same 6to4guard script as above.

Experiment of MAC OS X 6to4 via a Belkin router

This is partially complete, the Mac OS X would not originate 2002:: packets unless the embedded IPv4 address is configured to an interface, though that will then be inserted into outgoing packets too, which may need to be changed for the router to accept it.

ROUTERIP=$(2>/dev/null curl -q http://192.168.2.1/ | grep 'var wan_ip' | cut -d\" -f2)
ifconfig stf0 inet6 $(printf "2002:%02x%02x:%02x%02x::" $(<<<"${ROUTERIP}" tr . " ") prefixlen 16 -alias
ifconfig stf0 inet6 $(printf "2002:%02x%02x:%02x%02x::" $(<<<"${ROUTERIP}" tr . " ") prefixlen 16
ifconfig en1 ${ROUTERIP} alias

Altering of Gateway MTU on Mac OS X

To drop MTU use a startup file although it is preferred to use route instead of ifconfig to set MTU, as you might be using standard size frames or even jumbograms on your local network but be restricted to 1500 sized Ethernet or even less to reach the Internet.

This example appleis if your ISP provides an MTU of 1492 (8 less than the ethernet max 1500) and want to use 6to4 tunnelling, which will subtract another 20 giving 1472. Mac OS X seems very picky about ordering of options hence these notes.

route -vn change default -mtu 1492
route -vn change -inet6 default -mtu 1472
netstat -nrl

Network Manager

We can create vlan entries in /etc/NetworkManager/system-connections/ where `uuid` is replaced with a generated UUID.

We suppose for example purposes that the device has a MAC of AC:DE:48:23:45:67

We change autoconnect to true, to bring up when device enp0s0 comes up

id=experiment
uuid=`uuid`
type=vlan
autoconnect=false

[ipv6]
method=manual
addresses1=2001:db8:0:40:aede:48ff:fe23:4567/64;::
never-default=true

[vlan]
parent=enp0s0
id=40

[ipv4]
method=manual
addresses1=192.168.40.20;24;0.0.0.0;

If the vlan device is not intended for direct IP usage, then it can be setup without.

>/etc/NetworkManager/system-connections/printer echo "
[connection]
id=printer
uuid="`uuidgen -t`"
type=vlan
autoconnect=true

[ipv6]
method=ignore

[vlan]
parent=enp0s0
id=30

[ipv4]
method=disabled
"

Once the file is set, use nmcli con up id experiment but notice that nmcli will complain Error: Unknown connection:/ if the file is present and either incorrect or readable to users other than root.

Some distributions of GNOME3 hide applets from the system tray or notification area.

The End

Some extra info for trying IPv6 on Windows XP and tg582n