User:NeddySeagoon/IPv6

Overview
This page helps you decide if you really want to add IPv6 and if you do, how to go about it.

Your ISP
Your ISP has just arrived in the 21st century and offered you a native IPv6 connection. A native IPv6 connection is not required, since it is perfectly possible to tunnel IPv6 over IPv4. 'Tunnel brokers' have been around for years. Tunnelling is not described here.

Range of Addresses
IPv4 allows at most 2^32 different IP addresses. IPv6 allows 2^128 different IP addresses.

Some tricks have been used to expand IPv4 such as Network Address Translation (NAT). This allows several internet connected devices to share a single public IP. For example, IP addresses in the 10.0.0.0/8 range are reserved for use behind NAT, as are 192.168.0.0/16 and others. This works as far as it goes but has some limitations.

If you don't understand the /8 and /16 concepts, read up about them now. IPv6 uses them exclusively. There is no more netmask.

Public IP Addresses
With IPv4, NAT provided a degree of protection against bad things coming in from the internet. Running a firewall was still a good thing, even if you are not paranoid.

With IPv6 all IP addresses are public. The concept of NAT does not exist. This means that if you are going to deploy IPv6 you either need a boundary IPv6 firewall or each IPv6 enabled device needs its own firewall.

Switching Over to IPv6
Switching to IPv6 only is not yet an option. At the time of writing the rest of the internet isn't there. If you want to use IPv6 it will be in addition to, not in place of your existing IPv4 setup. The two use completely different tools and are almost completely unaware of one another.

A Few Useful Conventions
IPv6 addresses are written in colon separated hex, rather than dot separated decimal. Just like IPv4, IPv6 has the concept of self assigned link local addresses. They are only guaranteed to be unique on your LAN so should not normally be allowed out on the internet. There are a few exceptions.

fe80::2e0:4cff:fe69:1509/64 is a self assigned link local address.

Link local addresses are made in one of two ways:

fe80::IPv4_address
fe80::MAC_Address

fe80::/64 is the link local address space.



The :: is shorthand for any number of zero hex digits. IPv6 addresses may have a lot of consecutive zeros and it saves writing out and remembering all 32 hex digits. :: may appear only once in an address.
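The MAC-based form can be reproduced by hand. The following is an added example, not part of the original page: it builds a link local address from a MAC address (modified EUI-64) and recovers the MAC from such an address. The MAC 00:e0:4c:69:15:09 is inferred from the sample address above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. The MAC used in the demo is inferred from the page's
# sample address fe80::2e0:4cff:fe69:1509; function names are hypothetical.

# MAC -> link local (modified EUI-64): flip the universal/local bit (0x02)
# of the first byte and insert ff:fe between the third and fourth bytes.
# Expects six two-digit hex bytes separated by colons.
mac_to_link_local() {
    old_ifs=$IFS; IFS=:
    set -- $1                       # split aa:bb:cc:dd:ee:ff into $1..$6
    IFS=$old_ifs
    [ $# -eq 6 ] || return 1
    printf 'fe80::%x:%x:%x:%x\n' \
        $(( ((0x$1 ^ 0x02) << 8) | 0x$2 )) $(( 0x${3}ff )) \
        $(( 0xfe$4 )) $(( 0x$5$6 ))
}

# Link local -> MAC. Only handles the form fe80:: followed by four groups,
# and fails unless the ff:fe marker of a MAC-derived address is present.
link_local_to_mac() {
    case $1 in fe80::*) ;; *) return 1 ;; esac
    iid=${1#fe80::}; iid=${iid%%/*}  # drop the prefix and any /64 suffix
    old_ifs=$IFS; IFS=:
    set -- $iid
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    g1=$(( 0x$1 )) g2=$(( 0x$2 )) g3=$(( 0x$3 )) g4=$(( 0x$4 ))
    [ $(( g2 & 0xff )) -eq 255 ] && [ $(( g3 >> 8 )) -eq 254 ] || return 1
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' \
        $(( (g1 >> 8) ^ 2 )) $(( g1 & 0xff )) $(( g2 >> 8 )) \
        $(( g3 & 0xff )) $(( g4 >> 8 )) $(( g4 & 0xff ))
}

mac_to_link_local 00:e0:4c:69:15:09
link_local_to_mac fe80::2e0:4cff:fe69:1509/64
```

The second function shows that a MAC-derived address discloses the hardware address of the interface to anything that sees it.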

Software Support
Your kernel needs IPv6 support. IPv6 firewall support will be useful too. We will use iproute to manage IPv6 and ip6tables for IPv6 firewalling. Set USE=ipv6 in

if it is not already on in your profile, then

Do check that ipv6 is on before the emerge goes ahead.

If you had to set USE=ipv6 for yourself, you will need to

too to get IPv6 support everywhere.

Connecting to The Internet
This is probably the last step you want to perform.

Your ISP assigned Prefix
Your ISP will have assigned you a /64 prefix beginning with 2. You need to know this later.

Just as you may have used 192.168.0/24 on your LAN, (the prefix here is 24) to allow up to 253 hosts to be on the same LAN segment, your ISP has allocated you a /64. That's 2^64 IPv6 addresses, or a lot more than there are in the entire IPv4 address space. This is the standard allocation.

Using Your Router
Your router needs to be IPv6 capable. If it is not, there may be a firmware upgrade; failing that, you need a new router. That can be an old PC, a low power system or even a kernel virtual machine (KVM). You could also buy an IPv6 capable router and follow the instructions.

As with any firmware upgrade, it runs the risk of 'bricking' the device if something goes wrong.

Using PPPoE
In the UK at least, much of the broadband is delivered using Personal Point of Presence over Ethernet (PPPoE). That is similar to the way internet was delivered using real baseband modems. If you provide your own PPPoE end point, adding IPv6 to your IPv4, so ppp0 gets a public IPv6 address as well as the more familiar IPv4 address, is a matter of editing

nano /etc/ppp/options

and adding

+ipv6 ipv6 last_16_hex_digits_of_IPv6_address

then restarting ppp0.

ip -6 addr show dev ppp0 should show that ppp0 now has an IPv6 address of the form ISP_assigned_prefix::last_16_hex_digits_of_IPv6_address

Hint: last_16_hex_digits_of_IPv6_address can be abbreviated as ::hex_digit where hex_digit>0

ping6 google.com should work now too.

You now have IPv6 connectivity from your system to the big bad internet. The big bad internet also has connectivity to your system, which is not quite so good.

You probably want to share your /64 with other systems on your LAN and will want to protect them with a firewall. In other words, you will want to use the system providing your PPPoE end point as an IPv6 router and firewall.

IPv6 Firewall
You probably already have an iptables based IPv4 firewall. The IPv6 equivalent is ip6tables. The two are completely complementary.
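A default-deny baseline for the router and boundary firewall role described above, as an added example (it is not the author's Shorewall6 configuration). ppp0 is the page's PPPoE link; the LAN interface eth0, the server address 2001:db8::80 and port 443 are assumptions.

```shell
#!/bin/sh
# Added example: prints an ip6tables-restore ruleset for a PPPoE end point
# acting as IPv6 router and firewall. eth0, the server address and the
# port are assumptions, not values from the page.
WAN_IF=${WAN_IF:-ppp0}            # PPPoE link named on the page
LAN_IF=${LAN_IF:-eth0}            # hypothetical LAN interface
SERVER6=${SERVER6:-2001:db8::80}  # constructed address (documentation prefix)

emit_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic addressed to the firewall host itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # Neighbour discovery (types 133-136: RS, RA, NS, NA) must get through
    # or IPv6 stops working. Hop limit 255 means the packet was sent on the
    # local link and has not crossed a router.
    for t in 133 134 135 136; do
        echo "-A INPUT -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done
    cat <<EOF
# Echo request, so ping6 to the router still works
-A INPUT -p ipv6-icmp --icmpv6-type 128 -j ACCEPT
# Routed traffic: there is no NAT, so this chain is the only barrier
# between the internet and every host on the LAN
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT
# The single inbound exception: one service on one statically addressed server
-A FORWARD -i $WAN_IF -d $SERVER6 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Print the ruleset when the script is called with --print
if [ "${1:-}" = "--print" ]; then emit_ruleset; fi
```

Check the generated rules with `emit_ruleset | ip6tables-restore --test` before loading them for real.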

There are several tools for helping with setting up firewalls. I have used Shorewall for IPv4, so I will describe Shorewall6 (for IPv6) below.

My LAN is divided into three segments:

Wired hosts, fully protected from the internet and my wireless hosts
Wireless hosts, fully protected from the internet
Servers, the internet is allowed limited access here

If this looks like a Smoothwall setup, once upon a time it was. I have even propagated the zone names from Smoothwall.

IPv6 Routing
When IPv6 was designed, routing was built in. You set up the software and off you go. This means you get seemingly random IPv6 addresses all over your LAN, which can make firewalling difficult.

You can set static IPs and you will need to if you run servers, since you will need to set your AAAA records in the DNS to point to them.

Stateless IPv6 Setup
Use this method if your LAN is all in one zone. That is, if every device on your LAN is free to connect to every other device on your LAN. My view is that this is insecure if you have any wireless devices, since they should not be permitted to connect to wired devices.

Stateful IPv6 Setup
Use this method if your LAN is divided into groups of related hosts and you want to control connectivity between them.

IPv6 Nameservers
It's all very well having IPv6 connectivity everywhere, but it looks a bit tarnished if you are still using IPv4 for nameservers to get the IPv6 addresses you need for IPv6 to work. It works that way, but until you have nameservers on IPv6 your IPv6 will not be independent of IPv4.