 
Preamble

It has been a couple of years since I last played with IPv6, and since then my ISP Internode (http://www.internode.on.net) has introduced IPv6 as a production service - dual stack, native IPv6. Hence, it is now time to get more serious and have a go implementing IPv6 on the home network.
 
  
 

Latest revision as of 05:58, 12 July 2015

What is IPv6

IPv6 is the new Internet Protocol version 6 defined by RFC 2460 and set to replace the current Internet Protocol version 4 (IPv4). The address space for IPv4 is only 32 bits long, and with the proliferation of IP devices from desktop computers, tablets and smart phones to set-top boxes, VoIP telephones and air conditioners, the world is quickly running out of Internet Addresses.

While the main objective of IPv6 is a much larger address space, IPv6 can also offer these other advantages:

  • Stateless Address Auto-configuration (SLAAC)
  • No NAT (Network Address Translation)
  • Easy Address Renumbering
  • Multiple Addresses per Interface
  • Improved Network Security

IPv6 Address Formats

Version 6 Internet Protocol (IP) addresses are 128 bits long and written in hexadecimal with pairs of bytes separated by colons. An IPv6 address looks like:

2003:42b8:2219:6400:0000:0000:0000:0001

but can be shortened to

2003:42b8:2219:6400::1

by removing leading zeros and substituting zero blocks with two colons.

Scopes

With IPv4, RFC 1918 "Address Allocation for Private Internets" outlined private or non-routable address spaces, e.g. 192.168.0.0/16.

IPv6 defines a range of scopes, some of the more common are listed below:

  • Link-local Scope : Addresses that are not routable and are limited to the local subnet or link. These addresses start with a prefix of fe80::/64
  • Global Scope : Addresses that can be globally routed over the entire IPv6 inter-network. Currently prefixes with 2000::/3 have been allocated.

In addition to the above scopes, ff00::0/12 is reserved for multicast addresses.

Stateless address autoconfiguration

IPv6 introduces stateless address autoconfiguration allowing a host to automatically configure an IPv6 address.

As the interface ID component of the IPv6 address is 64 bits long, auto-configuration can use the interface's MAC address to generate the Interface ID (or lower 64 bits of the IPv6 address). This is referred to as an IEEE EUI-64 Identifier and is specified under RFC 4291.

The host then creates a link-local (fe80::/64) address using the interface ID and performs duplicate address detection (DAD).

The next stage is to try to configure a global address. The host will query all the routers on the subnet with a router solicitation (RS) message and ask for a list of prefixes. It then adds the prefix to Interface ID to create additional IPv6 addresses.

The host will keep listening for router advertisements (RA) and make address changes as the network dynamically changes.

IPv6 Router Advertisement Daemon (radvd)

The IPv6 Router Advertisement Daemon periodically sends router advertisement (RA) messages to the local Ethernet LAN, advertising, among other things, the prefix and router address. RA messages can also be requested on demand using a router solicitation (RS) message.

The source for radvd can be downloaded from http://www.litech.org/radvd/

A default radvd.conf file is shown below advertising an address prefix provided by Internode.

interface eth0 {
	AdvSendAdvert on;
	MinRtrAdvInterval 3;
	MaxRtrAdvInterval 10;
	prefix 2003:44b9:4219:6400::/64 {
		AdvOnLink on;
		AdvAutonomous on;
	};
};

Options

  • AdvSendAdvert: Enable router to send periodic router advertisements and respond to router solicitations.
  • MinRtrAdvInterval: Minimum time between sending unsolicited multicast router advertisements (seconds)
  • MaxRtrAdvInterval: Maximum time between sending unsolicited multicast router advertisements (seconds). Must be no greater than 1800 seconds (30 Minutes)
  • Prefix: Prefix Definition
    • AdvOnLink: Indicates if prefix can be used for on-link determination.
    • AdvAutonomous: When set, indicates that this prefix can be used for autonomous address configuration as specified in RFC 4862.
    • AdvRouterAddr: When set, indicates that the address of the interface is sent instead of the network prefix.

Wide DHCPv6

Before the ISP will route your allocated IPv6 subnet, a lease needs to be acquired. This can be done using DHCPv6 over the PPP interface.

The source for WIDE-DHCPv6 can be downloaded from http://sourceforge.net/projects/wide-dhcpv6/

Use the following dhcp6c.conf file :

interface ppp0 {
    send ia-pd 0;
    script "/etc/wide-dhcpv6/dhcp6c-script";
};

id-assoc pd {
    prefix-interface eth0 {
            sla-id 0;
            sla-len 8;
    };
};

dhcp6c can be started using:

dhcp6c -c /etc/wide-dhcpv6/dhcp6c.conf ppp0

Please note that once IPv6 forwarding is enabled, Linux will ignore subsequent DHCPv6 messages. This prevents your prefix lease from being renewed, and routing will stop. To prevent this, you need to allow unsolicited UDP traffic coming in on port 546.
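How the sla-id and sla-len values in dhcp6c.conf turn a delegated prefix into the prefix configured on eth0, as an added example that is not part of the original page or of WIDE-DHCPv6. It assumes the ISP delegates a /56, which the page does not state but which is consistent with sla-len 8 yielding the /64 that radvd advertises; the function name is illustrative.

```python
import ipaddress

def pd_interface_prefix(delegated: str, sla_id: int, sla_len: int) -> ipaddress.IPv6Network:
    """Prefix for a prefix-interface: the delegated prefix followed by sla-id in sla-len bits."""
    pd = ipaddress.IPv6Network(delegated)
    new_len = pd.prefixlen + sla_len
    # Choice made for this example: reject results longer than /64, because the
    # LAN prefix is handed to radvd for autonomous (SLAAC) configuration.
    if new_len > 64:
        raise ValueError(f"/{pd.prefixlen} plus sla-len {sla_len} is longer than /64")
    if not 0 <= sla_id < 2 ** sla_len:
        raise ValueError(f"sla-id {sla_id} does not fit in {sla_len} bits")
    # Place the sla-id in the bits immediately after the delegated prefix.
    base = int(pd.network_address) | (sla_id << (128 - new_len))
    return ipaddress.IPv6Network((base, new_len))

def available_subnets(delegated: str, sla_len: int) -> int:
    """Number of distinct interface prefixes a delegation offers for a given sla-len."""
    pd_interface_prefix(delegated, 0, sla_len)  # validates the combination
    return 2 ** sla_len

if __name__ == "__main__":
    DELEGATED = "2003:44b9:4219:6400::/56"  # assumed delegation covering the page's /64
    # sla-id 0, sla-len 8 as in the dhcp6c.conf above: eth0 gets the radvd prefix.
    print("eth0        :", pd_interface_prefix(DELEGATED, 0, 8))
    # A hypothetical second LAN segment would use another sla-id, e.g. 1.
    print("second LAN  :", pd_interface_prefix(DELEGATED, 1, 8))
    print("subnets     :", available_subnets(DELEGATED, 8))
```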

Routing

The routing table can be displayed using:

/sbin/ip -6 route show

To add the ppp0 interface as the default route use:

ip -6 route add default dev ppp0 

IPv6 Forwarding

IPv6 forwarding can be enabled by

echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

Firewall

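ip6tables can be used to filter IPv6 traffic, just as iptables is used for IPv4. The rule below accepts incoming UDP traffic to port 546 from port 547 between link-local addresses, which is the DHCPv6 traffic that must be allowed for the prefix lease to be renewed.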

ip6tables -A INPUT -m state --state NEW -m udp -p udp --dport 546 --sport 547 -s fe80::/10 -d fe80::/10 -j ACCEPT

Windows 7

ipconfig in Windows will return something like:

Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:44b8:219:6400:e8c2:8568:xxxx:xxxx(Preferred)
Temporary IPv6 Address. . . . . . : 2001:44b8:219:6400:edb6:e829:9a37:e5f0(Preferred)
Link-local IPv6 Address . . . . . : fe80::e8c2:8568:259f:3e46%10(Preferred)

Windows 7 doesn't use the IEEE EUI-64 Identifier as default for the Interface ID as per RFC 4291. If you want to use EUI-64 for the interface identifier, use

netsh interface ipv6 set global randomizeidentifiers=disabled

Additionally, Windows 7 (and Vista) creates a temporary global IPv6 address (RFC 3041). Hosts using auto-configuration will otherwise always obtain the same address, which raises privacy concerns. The temporary address is used for outgoing client traffic such as web browsers, and has a lifetime after which the address will expire.

The temporary IPv6 address can be disabled using

netsh interface ipv6 set privacy state=disabled