AAISP.net Broadband - Broadband you can work with

Knowledge base IPv6

What is IPv6?

The Internet Protocol (IP) that we use at present is version 4 (known as IPv4). It has been around for many years, but does not scale well enough to last in the long term. The main problem is the address space - the number of IP addresses that exist. Whilst these are not running out quite yet, and careful management has meant they will last some time, they will eventually run out.

Existing IPv4 addresses use 32 bits which gives about 4 billion combinations. You may have seen IP addresses written like this, 192.168.1.2.

IPv6 is version 6 of IP (version 5 was allocated to an experimental resource control protocol called ST2+ which never got much use). It has a number of key changes, and some thought has gone into how the protocol works given the way that the world currently uses the internet. One of the key differences with IPv6 is the address space. It uses 128-bit addresses, which is a lot of addresses (340282366920938463463374607431768211456 to be exact) - more than enough to give an address to every atom in the planet.

Why would I want to use it?

This is a good question, and for now there is not a good compelling reason. As time goes by more and more people will use IPv6 and more applications will support it, and some will start to require it. It does provide a lot of addresses. IPv6 also has various security aspects covered in the IP specifications, and the vast size of address space makes port scans by hackers virtually impossible.

Normally people would use a mixture of IPv4 and IPv6 addresses on their network, but eventually IPv6 only networks will start to be used.

How many IP addresses?

Normally a company would receive 1208925819614629174706176 addresses to cover up to 65536 sites.

What is AAISP doing about IPv6?

We operate an IPv4 and IPv6 network. All of our servers have IPv6 addresses as well as IPv4 addresses. Most services we run use IPv6 happily, including email, web pages, and DNS. We provide IPv6 address allocations to customers (just ask support).

We can route your address allocations to your broadband line or lines as you wish. This can either be via an IPv4 tunnel (see below for typical setup instructions), or we can route IPv6 natively as IPv6 over PPPoA over ADSL. IPv6 functionality is just a part of our service and so includes multiple line bonding uplink and downlink for IPv6 addresses in the same way as we do IPv4 addresses.

When tunneling IPv6, we send from IPv4 address 81.187.81.6. You can use this as the endpoint to which you send tunnel traffic. You can also send 6to4 traffic relating to any of your IPv4 addresses using the 192.88.99.X gateway address.

Note: Native IPv6 requires router support at your end and such routers are often expensive. Also, we are aware that BT have some issues handling native IPv6 on some parts of their network which we are trying to resolve (Sep 2008) - we have a work around so please contact support if you have issues.

What systems support IPv6?

IPv6 is available for Linux, Windows and Mac systems and many others. It is generally an optional item, and in some cases still under development.

Where can I find more?

If you search for IPv6 you will find lots of information. If you have any specific questions please ask us by email or in our newsgroup.

Firewalls

If you have a firewall and want to allow IPv6 tunnelled traffic, you will need to allow protocol 41 from 81.187.81.6. Note that your firewall will probably not have any facility to control IPv6 access. If you have a FireBrick you will need to change the UI settings to allow full protocol selection, and then in a filter you can select 41.

Setting up our control pages

Just like IPv4 addresses, you can set the line or lines to which your IPv6 block is sent. The only extra field is the tunnel endpoint. If set, then all traffic to you is wrapped in an IPv4 wrapper and sent to that IPv4 address down your line(s). If not set, then the IPv6 traffic is sent natively over PPPoA to your router. Only some types of router handle this. Just like IPv4 routing settings, changes only take effect on the next connection of your line(s).

Note that the old way to do this involved ticking the "S" box for a static route. This sent traffic via our old, and now redundant, IPv6 router endless. You should untick this now and tick your line number(s) instead - if not, you will still receive incoming traffic, but outbound traffic will fail our source filtering, and so not work.

Source checking

Just as with IPv4 addresses, we check the source address of traffic coming from your lines to ensure the source address is one of your addresses. This is done the same for native IPv6 packets. Also, any IPv6 packets wrapped in IPv4 wrappers sent to our IPv6 endpoint, or the generic 192.88.99.X endpoints will be unwrapped and the IPv6 source address checked.

You can use 6to4 addresses (2002::/16 prefix with an IPv4 address) either native or wrapped in an IPv4 wrapper. The IPv4 part of the IPv6 address is checked against your IPv4 allocations.

This helps ensure you will get the replies to your traffic, and that a misconfiguration cannot result in untraceable nuisance traffic on the internet.
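The source check described above can be sketched as follows. This is an added example, not AAISP's own code; the allocation lists are constructed from the sample addresses used elsewhere on this page, and the function name is hypothetical.

```python
import ipaddress

# Constructed sample allocations (assumptions, not real customer data).
IPV4_ALLOCATIONS = [ipaddress.ip_network("217.169.0.0/29")]
IPV6_ALLOCATIONS = [ipaddress.ip_network("2001:8b0:1234::/48")]


def source_allowed(src, v4_allocs=IPV4_ALLOCATIONS, v6_allocs=IPV6_ALLOCATIONS):
    """Return True if an IPv6 source address may leave this customer's line."""
    addr = ipaddress.IPv6Address(src)
    # 6to4 (2002::/16): the 32 bits after the prefix are an IPv4 address,
    # and that IPv4 address must belong to the customer's IPv4 allocations.
    embedded = addr.sixtofour
    if embedded is not None:
        return any(embedded in net for net in v4_allocs)
    # Any other source must fall inside one of the allocated IPv6 blocks.
    return any(addr in net for net in v6_allocs)


if __name__ == "__main__":
    for candidate in (
        "2001:8b0:1234:5678::1",  # native address inside the allocation
        "2002:d9a9:1::1",         # 6to4 address built from 217.169.0.1
        "2002:c000:201::1",       # 6to4 address built from 192.0.2.1
        "2001:db8::1",            # outside every allocation
    ):
        print(candidate, "pass" if source_allowed(candidate) else "drop")
```

The same function applies whether the packet arrived natively or was unwrapped from an IPv4 wrapper, since only the IPv6 source address is examined.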

Setting up IPv6 on linux redhat/FC

Create /etc/sysconfig/network-scripts/ifcfg-tun0 containing:

TYPE=sit
DEVICETYPE=sit
ONBOOT=yes
DEVICE=tun0
BOOTPROTO=none
IPV6INIT=yes
# your IPv6 address
IPV6ADDR=2001:8B0:1234:5678::1/64
USERCTL=no
PEERDNS=no
IPV6TUNNELIPV4=81.187.81.6
# your IPv4 address
IPV6TUNNELIPV4LOCAL=217.169.0.1
MTU=1400

In /etc/sysconfig/network, add:

NETWORKING_IPV6=yes
IPV6_DEFAULTDEV=tun0

We then suggest editing /etc/radvd.conf and running radvd service to announce your IPv6 block to machines on your LAN.

Setting up IPv6 on Windows

Windows 2000 IPv6 info: http://msdn.microsoft.com/downloads/sdks/platform/tpipv6.asp

IPv6 is not supported by MS on 98/ME/95, but you can purchase 3rd party stacks from: http://www.trumpet.com.au/ipv6.htm

Windows XP IPV6 info: http://www.microsoft.com/windowsxp/pro/techinfo/administration/ipv6/default.asp

Setting up with RADV

If you have a linux box or similar on your LAN acting as an IPv6 gateway, perhaps tunneling IPv6 as described above, and you have RADV set up (to announce the IPv6 network to the LAN), then setting up additional boxes couldn't be simpler!

Modern linux clients just pick up the IPv6 announcements and start using it by default - no work needed.

Even the Nokia 9500 mobile phone picks up an IPv6 address from the LAN with no configuration changes using the RADV announcements!

On Windows XP it is pretty simple - just go to the protocols section on the interface settings and add protocol IPv6. Then your Windows machine simply picks up an IPv6 address from the LAN by RADV and just works!

On a non IPv6 network but with real IP addresses allowing IPv6 tunnel wrappers over IPv4 to pass (such as a Windows machine with ADSL modem connected directly), Windows XP will happily work with 2002::/16 prefix 6to4 addresses, although the default outgoing tunnel endpoint appears to be a Microsoft server in the US.

Bypassing security?!

Whilst IPv6 does not have much in the way of advantage over IPv4 just yet, it does fool some security systems. This may be good or bad, depending on your point of view. If setting up a firewall you may want to consider IPv6 and IPv6 wrapped in IPv4 traffic. At an IPv4 level all you see is IPv4 protocol 41 traffic to a single IPv4 endpoint - no separate sessions or ports or protocols.

For example, IPv6 bypasses all of the security on at least one common parental control package - Netintelligence. Anyone installing Netintelligence needs to consider whether IPv6 is available, bearing in mind that IPv6 installation on Windows XP is a doddle, and it will work without any ISP support using IPv4 tunnels and 2002::/16 prefix address space!

If you think this is only a problem for accessing web sites that have IPv6 addresses, think again. There are IPv6 proxies, like sixxs.org, where simply suffixing any normal IPv4 web site with .sixxs.org allows access via an IPv6 proxy, so any site can easily be accessed, and not forgetting www.ipv6porn.com.
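To see why an IPv4-only filter is blind here, the following added example (not from the original page) compares what the outer IPv4 header shows with the flow carried inside a protocol 41 wrapper. The sample packet is constructed inline from this page's example addresses plus a documentation-range destination; function names are hypothetical.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41
NEXT_HEADER_NAMES = {6: "tcp", 17: "udp", 58: "icmpv6"}


def inspect_6in4(packet: bytes):
    """Return (outer IPv4 view, inner IPv6 flow or None) for one raw packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4  # IPv4 header length in bytes
    outer = {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "proto": packet[9],
    }
    if outer["proto"] != PROTO_IPV6_IN_IPV4:
        return outer, None
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("protocol 41 payload is not an IPv6 packet")
    next_header = inner[6]
    flow = {
        "src": str(ipaddress.IPv6Address(inner[8:24])),
        "dst": str(ipaddress.IPv6Address(inner[24:40])),
        "proto": NEXT_HEADER_NAMES.get(next_header, next_header),
    }
    # TCP and UDP both begin with source and destination port. IPv6 extension
    # headers are not walked here; a real filter has to skip over them.
    if next_header in (6, 17) and len(inner) >= 44:
        flow["sport"], flow["dport"] = struct.unpack("!HH", inner[40:44])
    return outer, flow


def build_sample() -> bytes:
    """Constructed sample: TCP to port 80 inside a protocol 41 wrapper."""
    tcp = struct.pack("!HH", 49152, 80) + bytes(16)
    ipv6 = (struct.pack("!IHBB", 6 << 28, len(tcp), 6, 64)
            + ipaddress.IPv6Address("2001:8b0:1234:5678::1").packed
            + ipaddress.IPv6Address("2001:db8::80").packed)
    total = 20 + len(ipv6) + len(tcp)
    ipv4 = (struct.pack("!BBHHHBBH", 0x45, 0, total, 0, 0, 64, 41, 0)
            + ipaddress.IPv4Address("217.169.0.1").packed
            + ipaddress.IPv4Address("81.187.81.6").packed)
    return ipv4 + ipv6 + tcp

if __name__ == "__main__":
    print(inspect_6in4(build_sample()))
```

The outer view contains only two IPv4 addresses and protocol 41; the web session on port 80 is visible only to a device that unwraps the packet and filters on the inner IPv6 header.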

IPv6 Debian (Etch, and presumably Ubuntu) notes

Provided by a customer (thank you!)

The following notes assume you have been allocated a /64 address range by A&A in the form 2001:08B0:XXXX:0001::/64. Change the XXXX part to whatever matches your range.

Connecting one host

Getting a single host connected is very simple, but you do first need to ensure that your ADSL router will pass through packets with a protocol id of 41 to your selected host. Note that this is a *protocol* number and not a port number. This means the relevant traffic is not TCP (protocol 6) or UDP (protocol 17) but another one entirely.

On my Netgear DG834G the trick is to use the Any(ALL) service in the Firewall rules and allow any traffic from 81.187.81.6 (A&A's IPv6 tunnel gateway) to my selected host. You may be able to do something similar if your router doesn't allow you to configure protocols other than TCP and UDP explicitly.

You may need to install a couple of packages to give you all the tools you need. As root, type:

apt-get install iputils-ping iproute

Configuring your etch host then requires you just to edit /etc/network/interfaces and add the following stanza at the end:

auto 6in4
iface 6in4 inet6 v4tunnel
        address 2001:08B0:XXXX:0001::1
        netmask 124
        endpoint 81.187.81.6
        ttl 64
        up ip link set mtu 1280 dev 6in4
        up ip route add default via 2001:08B0:XXXX:0001::2 dev 6in4

remembering to change the XXXX to whatever value you've been allocated.

After that just type "ifup 6in4" (as root) and your link should be up.

Connecting an entire LAN

If you want to connect an entire LAN to the IPv6 Internet then first select one machine to act as the gateway and configure basic connectivity for that machine using the instructions in the previous section.

Once that is working you need to work out an IPv6 address for your selected machine's Ethernet interface. To do this you need to know its MAC address. As root, type "ifconfig" and the output you get should be something like this:

eth0      Link encap:Ethernet  HWaddr 00:01:6C:A8:9C:C3
...

The HWaddr bit there is your Ethernet interface's MAC address. In this case that would be:

    00:01:6C:A8:9C:C3

Take this and add 2 to the first number, giving:

    02:01:6C:A8:9C:C3

Then shove FF:FE in the middle giving:

    02:01:6C:FF:FE:A8:9C:C3

Then combine consecutive pairs to give:

    0201:6CFF:FEA8:9CC3

and finally pre-pend this with your IPv6 range allocation from A&A, giving:

    2001:08B0:XXXX:0001:0201:6CFF:FEA8:9CC3

This is the global IPv6 address for your Ethernet interface. Edit /etc/network/interfaces again and add the following clause:

iface eth0 inet6 static
	address 2001:08B0:XXXX:0001:0201:6CFF:FEA8:9CC3
	netmask 64

Then do "ifdown eth0" and "ifup eth0" to get the new address configured.
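The address calculation above, written out as an added example (not part of the customer's notes). It uses a constructed prefix, 2001:8b0:1234:1::/64, in place of the XXXX placeholder, and it flips the 0x02 bit of the first octet rather than adding 2: the two agree for the MAC shown above, but a MAC whose first octet already has that bit set needs the bit cleared.

```python
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (8 bytes) for a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC such as 00:01:6C:A8:9C:C3")
    # Flip the universal/local bit (0x02) of the first octet. For a MAC whose
    # bit is clear this equals "add 2"; for one whose bit is set it clears it.
    first = octets[0] ^ 0x02
    # Insert FF:FE between the two halves of the MAC.
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the interface identifier derived from mac."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("the interface identifier needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


if __name__ == "__main__":
    # Constructed prefix standing in for 2001:08B0:XXXX:0001::/64.
    print(slaac_address("2001:8b0:1234:1::/64", "00:01:6C:A8:9C:C3"))
    # Locally administered MAC (bit already set): "add 2" would give 04 here.
    print(eui64_interface_id("02:00:00:00:00:01").hex())
```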

Fortunately that's the only address you need to calculate for yourself. The rest are done automatically for you if you install radvd, so:

    apt-get install radvd
    cp /usr/share/doc/radvd/examples/simple-radvd.conf /etc/radvd.conf

and then edit /etc/radvd.conf. By default it reads:

interface eth0
{
   AdvSendAdvert on;
   prefix 2001:db8::/32
   {
   };
};

and you just need to change the "prefix" line so that it reads:

interface eth0
{
   AdvSendAdvert on;
   # /64, matching your allocation: hosts only autoconfigure from a /64 prefix
   prefix 2001:08b0:XXXX:0001::/64
   {
   };
};

again replacing XXXX with the relevant part of your IPv6 allocation.

Then start radvd with:

/etc/init.d/radvd start

and it should be up and running. Note that the script which starts radvd automatically turns IPv6 forwarding on so you don't need to bother with that step separately.

Within a very few minutes, all the other IPv6 capable machines on your LAN should have configured themselves with correct IPv6 addresses and they will all be able to talk IPv6 through your gateway machine to the outside world.

********* DANGER, WILL ROBINSON! ********

The above steps will bypass any existing firewall protection which you have for your LAN. All your machines will now be connected to the real IPv6 Internet with nothing filtering the traffic to and from them.

You almost certainly want to configure firewall rules on your gateway machine of a similar calibre to whatever you currently have.