
Revision as of 11:42, 8 January 2012

Preamble

It has been a couple of years since I last played with IPv6, and since then my ISP Internode has introduced IPv6 as a production service - dual stack, native IPv6. Hence, it is now time to get more serious and have a go implementing IPv6 on the home network.

What is IPv6

IPv6 is the new Internet Protocol Version 6 defined by RFC 2460 and set to replace the current Internet Protocol Version 4 (IPv4). The address space for IPv4 is only 32 bits long, and with the proliferation of IP devices from desktop computers, tablets, smart phones, set-top boxes, VoIP telephones etc, the world is quickly running out of Internet Addresses.

While the main objective of IPv6 is a much larger address space, IPv6 can also offer these other advantages:

  • Stateless Address Auto-configuration
  • No NAT (Network Address Translation)
  • Easy Address Renumbering
  • Multiple Addresses per Interface
  • Improved Network Security

IPv6 Address Formats

Version 6 Internet Protocol (IP) addresses are 128 bits long and written in hexadecimal with pairs of bytes separated by colons. An IPv6 address looks like:

2001:44b8:0219:6400:0000:0000:0000:0001

but can be shortened to

2001:44b8:219:6400::1

by removing leading zeros and substituting zero blocks with two colons.

Scopes

With IPv4, RFC 1918 "Address Allocation for Private Internets" outlined private or non-routable address spaces, e.g. 192.168.0.0/16.

IPv6 defines a range of scopes, some of the more common are listed below:

  • Link-local Scope : Addresses that are not routable and are limited to the local subnet or link. These addresses start with a prefix of fe80::/64
  • Global Scope : Addresses that can be globally routed over the entire IPv6 inter-network. Currently prefixes with 2000::/3 have been allocated.

In addition to the above scopes, ff00::0/12 is reserved for multicast addresses.

Stateless address autoconfiguration

IPv6 introduces stateless address autoconfiguration allowing a host to automatically configure an IPv6 address.

As the interface ID component of the IPv6 address is 64 bits long, auto-configuration can use the interface's MAC address to generate the Interface ID (or lower 64 bits of the IPv6 address). This is referred to as an IEEE EUI-64 Identifier and is specified under RFC 4291.

The host then creates a link-local (fe80::/64) address using the interface ID and performs duplicate address detection (DAD).

The next stage is to try to configure a global address. The host will query all the routers on the subnet with a router solicitation (RS) message and ask for a list of prefixes. It then combines each prefix with the interface ID to create additional IPv6 addresses.

The host will keep listening for router advertisements (RA) and make address changes as the network changes.

IPv6 Router Advertisement Daemon (radvd)

The IPv6 Router Advertisement Daemon periodically sends router advertisement (RA) messages to a local Ethernet LAN, advertising, among other things, the prefix and router address. RA messages can also be requested on demand using a router solicitation (RS) message.

The source for radvd can be downloaded from http://www.litech.org/radvd/

A default radvd.conf file is shown below advertising an address prefix provided by Internode.

interface eth0 {
	AdvSendAdvert on;
	MinRtrAdvInterval 3;
	MaxRtrAdvInterval 10;
	prefix 2001:44b8:219:6400::/64 {
		AdvOnLink on;
		AdvAutonomous on;
	};
};

Options

  • AdvSendAdvert: Enable router to send periodic router advertisements and respond to router solicitations.
  • MinRtrAdvInterval: Minimum time between sending unsolicited multicast router advertisements (seconds)
  • MaxRtrAdvInterval: Maximum time between sending unsolicited multicast router advertisements (seconds). Must be no greater than 1800 seconds (30 Minutes)
  • Prefix: Prefix Definition
    • AdvOnLink: Indicates if prefix can be used for on-link determination.
    • AdvAutonomous: When set, indicates that this prefix can be used for autonomous address configuration as specified in RFC 4862.
    • AdvRouterAddr: When set, indicates that the address of interface is sent instead of network prefix

Wide DHCPv6

Before the ISP will route your allocated IPv6 subnet, a lease needs to be acquired. This can be done using DHCPv6 over the PPP interface.

The source for WIDE-DHCPv6 can be downloaded from http://sourceforge.net/projects/wide-dhcpv6/

Use the following dhcp6c.conf file :

interface ppp0 {
    send ia-pd 0;
    script "/etc/wide-dhcpv6/dhcp6c-script";
};

id-assoc pd {
    prefix-interface eth0 {
            sla-id 0;
            sla-len 8;
    };
};

dhcp6c can be started using:

dhcp6c -c /etc/wide-dhcpv6/dhcp6c.conf ppp0

Please note that once IPv6 forwarding is enabled, Linux will ignore subsequent DHCPv6 messages. This prevents your prefix lease from being renewed, and routing will stop. To prevent this, you need to allow unsolicited UDP traffic coming in on port 546.

Routing

The routing table can be displayed using:

/sbin/ip -6 route show

To add the ppp0 interface as the default route use:

ip -6 route add default dev ppp0 

IPv6 Forwarding

IPv6 forwarding can be enabled with:

echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

Firewall

ip6tables can be used to filter IPv6 traffic, just as iptables is used for IPv4.

ip6tables -A INPUT -m state --state NEW -m udp -p udp --dport 546 --sport 547 -s fe80::/10 -d fe80::/10 -j ACCEPT

Windows 7

Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:44b8:219:6400:e8c2:8568:xxxx:xxxx(Preferred)
Temporary IPv6 Address. . . . . . : 2001:44b8:219:6400:edb6:e829:9a37:e5f0(Preferred)
Link-local IPv6 Address . . . . . : fe80::e8c2:8568:259f:3e46%10(Preferred)

Additionally, Windows 7 (and Vista) creates a temporary global IPv6 address (RFC 3041). The concern is that a host using auto-configuration always obtains the same address, which can lead to privacy problems. The temporary address is used for outgoing client traffic such as web browsers.
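The following is an added example, not part of the original page. It carries out the EUI-64 derivation described under "Stateless address autoconfiguration" and then reverses it, which is the privacy concern behind temporary addresses: the same MAC can be read back out of the address on every network the host visits. The MAC and the second prefix are constructed sample values.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID (RFC 4291) built from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit, then insert ff:fe between the two halves.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Prefix (link-local or advertised by the router) + interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("autoconfiguration expects a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def mac_from_address(addr: str):
    """Recover the MAC embedded in an EUI-64 address, or None if absent."""
    iid = int(ipaddress.IPv6Address(addr.split("%")[0])) & (2**64 - 1)
    raw = iid.to_bytes(8, "big")
    # ff:fe in the middle marks an EUI-64 ID (heuristic: a random ID could
    # contain it by chance, roughly 1 in 65536).
    if raw[3:5] != b"\xff\xfe":
        return None
    mac = bytes([raw[0] ^ 0x02]) + raw[1:3] + raw[5:]
    return ":".join(f"{b:02x}" for b in mac)

MAC = "00:1b:21:3a:4c:5d"            # constructed sample MAC
HOME = "2001:44b8:219:6400::/64"     # prefix from the radvd.conf above
OTHER = "2001:db8:1:2::/64"          # constructed second network (documentation prefix)

if __name__ == "__main__":
    print(slaac_address("fe80::/64", MAC))
    for prefix in (HOME, OTHER):
        addr = slaac_address(prefix, MAC)
        print(addr, "-> MAC", mac_from_address(str(addr)))
    # Addresses from the ipconfig output on this page: no MAC recoverable.
    for addr in ("2001:44b8:219:6400:edb6:e829:9a37:e5f0", "fe80::e8c2:8568:259f:3e46%10"):
        print(addr, "-> MAC", mac_from_address(addr))
```

The two Windows addresses return no MAC because their interface IDs are not in EUI-64 form, so nothing in them identifies the network card.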