User:NeddySeagoon/IPv6

Overview
This page helps you decide if you really want to add IPv6 and if you do, how to go about it.

Your ISP
Your ISP has just arrived in the 21st century and offered you a native IPv6 connection. A native IPv6 connection is not required, since its perfectly possible to tunnel IPv6 over IPv4. 'Tunnel brokers' have been around for years. Tunnelling is not described here.

Range of Addresses
IPv4 allows at most 232 different IP addresses. IPv6 allows 2128 different IP addresses.

Some tricks have been used to expand IPv4 such as Network Address Translation (NAT). This allows several internet connected devices to share a single public IP. For example, IP addresses in the 10.0.0.0/8 range are reserved for use behind NAT, as are 192.168.0.0/16 and others. This works as far as it goes but has some limitations.

If you don't understand the /8 and /16 concepts, read up about CDIR now. IPv6 uses them exclusively. There is no more netmask.

In IPv6 speak, the entire IPv4 address space is a /96.

Public IP Addresses and Firewalls
With IPv4, Network Address Translation (NAT) provided a degree of protection against bad things coming in from the internet. NAT does not stop bad things phoning home after they are in. Running a firewall was still a good thing, even if you are not paranoid. As there are not enough public IP addresses to go around, NAT is a workaround. Behind you router, your network uses one of the private address ranges. 192.168.x.y is popular.

With IPv6 all IP addresses beginning with a digit 2 are public. ifconfig will show  The concept of NAT does not exist. This means that if you are going to deploy IPv6 you either need a boundary IPv6 firewall or each IPv6 enabled device needs its own firewall. Think about IPv6 firewalling before you bring up a public IPv6 connection.

To put that into context, the IPv4 address space was fully allocated by 25 November 2019. This means that any random address is likely to be in use. so automated port scanners, dictionary attackers, etc don't heed to try many addresses before something responds. In comparison, the IPv6 address space is almost empty. That makes port scanning of random IPs far less productive.

Switching Over to IPv6
Switching to IPv6 only is not yet an option. At the time of writing the rest of the internet isn't there. If you want to use IPv6 it will be in addition to, not in place of your existing IPv4 setup. The two use completely different tools and are almost completely unaware of one another.

IPv6 Addresses
IPv6 addresses are written in colon separated hex, rather than dot separated decimal. Just like IPv4, IPv6 has the concept of self assigned link local addresses. They are only guaranteed to be unique on your LAN so should not normally be allowed out on the internet. There are a few exceptions.

fe80::2e0:4cff:fe69:1509/64 is a self assigned link local address.

Link local addresses are made in one of two ways fe80::IPv4_address fe80::MAC_Address

fe80::/64 is the link local address space.



The :: is shorthand for any number of zero hex digits. IPv6 addresses may have a lot of consecutive zeros and it saves writing out and remembering all 32 hex digits. :: may appear only once in an address.

IPv6 Enabled Software
Some commands like route, take a switch -4 or -6 to determine if they should work with IPv4 or IPv6.

Others have two versions. like ping and ping6.

Either way, IPv6 is not yet the default.

Software Support
Your kernel needs IPv6 support. IPv6 firewall support will be useful too. We will use iproute to manage IPv6 and ip6tables for IPv6 firewalling.

We will also use dhcpcd and radvd, which will be introduced as they are required.

Set USE=ipv6 in

if its not already on in your profile, then

Do check that ipv6 is on before the emerge goes ahead.

If you had to set USE=ipv6 for yourself, you will need to

too to get IPv6 support everywhere.

Connecting to The Internet
This is probably the last step you want to perform as you don't have an IPv6 firewall yet but its useful for testing in the next steps.

Your ISP assigned /64 Prefix
Your ISP will have assigned you a /64 prefix beginning with 2. However, some ISPs will assign the prefix dynamically, much like they do with IPv4 addresses. The method described here will work with either statically or dynamically assigned prefixes. Just as you may have used 192.168.0/24 on your LAN, (the prefix here is 24) to allow up to 253 hosts to be on the same LAN segment, your ISP has allocated you a /64. That's 264 IPv6 addresses, or a lot more than there is in the entire IPv4 address space. This is the standard allocation for a single network segment. You are not supposed to subnet it further. Its just for your uplink.

The more enlightened ISPs will also have allocated you a /48 prefix or a /56 prefix for use on your LAN. Again, this can be static or dynamic.

Your ISP assigned /48 Prefix
ISPs vary, you might have got a /56 instead. Whatever, this is yours to subnet as you see fit for your LAN segments. A really parsimonious ISP may only give you a single /64 prefix. This is the IPv6 equivalent of a single IPv4 address. This guide is not for you.

Your Router
Your router needs to be IPv6 capable. If its not, there may be a firmware upgrade, if not, you need a new router. That can be an old PC, a low power system or even a kernel virtual machine (KVM). You could also buy a IPv6 capable router and follow the instructions.

As with any firmware upgrade, it runs the risk of 'bricking' the device if something goes wrong.

The router used in this guide is a KVM running hardened Gentoo.

PPPoE
In the UK at least, much of the broadband is delivered using Personal Point of Presence over Ethernet (PPPoE). That is similar to the way internet was delivered using real baseband modems. If you provide your own PPPoE end point, adding IPv6 to your IPv4, so ppp0 gets a public IPv6 address as well as the more familiar IPv4 address is a matter of editing

and adding at the end +ipv6 That's enough to tell ppp that it should enable IPv6 as well as IPv4.

Optionally you may also add ipv6 ::last_16_hex_digits_of_IPv6_address which assigns a static IPv6 address to your end of the ppp link. Its possible to use a one digit address, instead of the 16 digit EUI-64 address you will get otherwise.

Then restart ppp0.

should show that ppp0 now has an IPv6 address of the form ISP_assigned_prefix::last_16_hex_digits_of_IPv6_address

should work now too.

You now have IPv6 connectivity from your router to the big bad internet. The big bad internet also has connectivity to your router, which in not quite so good.

dhcpcd
dhcpcd is going to do two things for us
 * 1) aquire our delegated prefix
 * 2) delegate smaller prefixes to the router interfaces

Installing dhcpcd
You may already be using dhcpcd for IPV4, so you may be able to skip this step

Check that its built with USE=ipv6

Take care with the configuration. The following options get an address for ppp0 and a delegated prefix

noipv6rs interface ppp0 ipv6rs ia_na ia_pd dhcpcd will then allocate a /64 prefix to every interface in the router from the delegated prefix - except the WAN interface.

Start (restart) dhcpcd and add it to the default runlevel if its not there already, then test.

Testing dhcpcd
Check for IPv6 addresses and IPv6 routes being allocated.

IPv6 Global Scope Routes
Notice that each interface has its own global scope/64 prefix assigned from the 2001:db8:beef::/48 prefix which is from a different range to the 2001:db8:cafe:2::/64 prefix assigned to ppp0 for the uplink.

It all works with dynamic prefix assignments too. If your ISP only provides a single /64, the above won't work for you. Until this step works, there is no point in continuing with this guide.

should still work too.

radvd
Now each interface has both its global IP and route the route can be advertised to the hosts on each interface.

Router Advertisment Daemon runs on your router. It advertises the IPv6 prefix it has on the interfaces its configured to. By default, all of them. This provides the information that hosts connected to those interfaces need to configure their own global scope IPv6 address and default route.

Installing radvd
Edit your /etc/radvd.conf

interface eth1 {       ## (Send advertisement messages to other hosts) AdvSendAdvert on; ## (Fragmentation is bad(tm)) AdvLinkMTU 1280; MaxRtrAdvInterval 300; ## (IPv6 subnet prefix we've been assigned by our ISP)

prefix ::/64

{              	AdvOnLink on; AdvAutonomous on; }; };

The prefix ::/64 statement tells radvd to advertise whatever prefix it finds on the interface. In this case, interface eth1 This is a good thing if your ISP provides dynamically allocated IPv6 prefixes. A static prefix can be used.

Read that over before you save it. Its a really bad thing to send Router Advertisment messages to the entire internet, so its important that the interface statement is correct.

Save the changes, start radvd in the usual way and add it to the default runlevel.

Testing radvd has to be done on a host, downstream of the router.

Summary So Far
At this point, the router is configured for IPv6, it has global scope routes and addresses on all its interfaces and is configured to broadcast router advertisment messages at least every 5 minutes.

There has been no firewall set up and no host set up and testing

Host Configuration
Restart eth0 on the selected test host.

Check IP6 Address and Route
Notice the route to 2001:db8:beef:3::/64 and the address 2001:db8:beef:3:2ce7:23e:e628:2578/64. This ties in nicely with the routers eth1.

The default route is the link local IPv6 of eth1 in the router too.

should work to demonstrate IPv6 from the test host, through the router to the rest of the IPv6 connected world and from the entire IPv6 connected world back to your host.

IPv6 Firewall
If you don't have an IPv4 firewall but you have NAT and are fully aware of the risks in the internet exposed services you run, that's OK. Its your IPv4 risk management. IPv4 firewalls are based on iptables. The IPv6 equivelant is ip6tables. The two are completely complementary.

There are several tools for helping with setting up firewalls. I have used Shorewall for IPv4, so I will describe Shorewall6 (for IPv6) below.

My LAN is divided into three segments.
 * 1) Wired hosts - fully protected from the internet, wireless hosts and servers
 * 2) Wireless hosts -fully protected from the internet and servers
 * 3) Servers - internet exposed devices with limited external access

If this looks like a Smoothwall setup, once upon a time it was. I have even propagated the zone names from Smoothwall.

The firewall set up is to deny everything going anywhere then to add rules to permit traffic as required.

The normal domestic router by contrast, runs a 'half open' setup, where anything is allowed out but packets are allowed in response to an outgoing request. This is simpler and faster to set up but has the disadvantage of allowing anything that does get in to phone home.

You will be surprised at the amount of things that appear to work but want to phone home for their own reasons too.

Shorewall6
Shorewall6 keeps its configuration files in /etc/shorewall6. For getting a IPv6 firewall working many of them can be left empty. Only the files listed below need to be edited
 * interfaces - describe your interfaces to Shorewall6
 * params - constants you define for use in other files to make them easier to read
 * zones describe the network topology to shorewall6
 * policy - the defaults for each zone
 * rules - your firewall pules
 * shorewall6.conf - control logging and so on

They all have their own man page which you are encouraged to read.

Shorewall6 can do timed access and Quality of Service too, in case you need to throttle your teenagers. Those topics are out of scope of this document.

/etc/shorewall6/interfaces
net              ppp0 dmz              eth0            nosmurfs blue             eth3            dhcp,nosmurfs green            eth1            dhcp,nosmurfs,routeback
 * 1) ZONE          INTERFACE               OPTIONS


 * 1) green         protected interface
 * 2) blue          protected interface - can't get to wired
 * 3) dmz           servers
 * 4) net           big bad internet
 * 5) net can be eth2 or ppp0

/etc/shorewall6/params
LOG=info


 * 1) IP addresses where we run particular services
 * 2) This avoids using name resolution in rules
 * 3) and at the same time, lets us use names for IP addresses
 * 4) Convention is initial capital letters for parameters

Notice the definition of LOG=info This allows us to write $LOG in other files.

Conversely, changing the LOG= here and restarting shorewall6 will change the log level everywhere that $LOG is used.

This file will grow as you write your rules. My /etc/shorewall/params (for IPv4) contains the following definitions. These will be migrated to /etc/shorewall6/params in due course. However, all the IPv6 addresses will be public, so I don't want to share them here. Of course, if my firewall works, any incoming connection attempts may be dropped

Public=
 * 1) Public IP address


 * 1) All IPs in dmz are static

Ntp=192.168.10.3
 * 1) Raspberry Pi Timeserver

Web=192.168.10.123
 * 1) Local IP of Webserver

Shell=192.168.10.123
 * 1) Local IP of Shell Server (ssh)

Mail=192.168.10.119
 * 1) Local IP of Mail server

Source=192.168.10.119
 * 1) Local IP of Gentoo Source Code Proxy

Portage=192.168.10.119
 * 1) Local IP of Portage Mirror

WAP2=192.168.54.150
 * 1) Local IP of LAPC1200 Wireless Access Point

Media=192.168.100.55
 * 1) Local IP of Media Server
 * 2) Its in green
 * 1) Its in green

Bluray=192.168.100.180
 * 1) Local IP of BluRay Player
 * 2) Its in green

OBI110=192.168.100.80
 * 1) Local IP of OBi110
 * 2) Its in green just now but needs to move to blue

These definitions allow the use of $Public $Ntp ... $Bluray and $OBI110 wherever the IP Address is needed in a rule.

You can also define constants to be used as port numbers or port number ranges here, in case /etc/services does not have the port numbers you need.

/etc/shorewall6/policy
This file says that anything coming from the internet to anywhere gets dropped. The originator will not even get an error message and everything else is rejected. That means, that you will get an error message if you try to connect to one of your own servers (in the dmz) from a wired host (green) until you write a rule.

net    dmz     DROP            $LOG net    blue    DROP            $LOG net    green   DROP            $LOG net    $FW     DROP            $LOG all    all     REJECT          $LOG The policy is applied when ip6tables gets to the end of the rules and still has not routed the packet.
 * 1) SOURCE DEST   POLICY          LOG     LIMIT:          CONNLIMIT:
 * 2)                               LEVEL   BURST           MASK
 * 1)                               LEVEL   BURST           MASK

/etc/shorewall6/zones
You don't need the comments and the names only need be unique. fw     firewall green  ipv6 dmz    ipv6 blue   ipv6 net    ipv6
 * 1) ZONE  TYPE            OPTIONS         IN                      OUT
 * 2)                                       OPTIONS                 OPTIONS
 * 3)       The firewall is its own zone
 * 1)       The firewall is its own zone
 * 1)       Green is the wired network
 * 1)       Green is the wired network
 * 1)       The internet is allowed to the dmz - servers go here
 * 1)       The internet is allowed to the dmz - servers go here
 * 1)       Connect your WAP here - Wireless devices
 * 1)       Connect your WAP here - Wireless devices
 * 1)       The big bad internet
 * 1)       The big bad internet

IPv6 Routing
When IPv6 was designed, routing was built in. Its set up the software and off you go. This means you get randomly seeming IPv6 addresses all over your LAN which can make firewalling difficult.

You can set static IPs and you will need to if you run servers, since you will need to set your AAAA records in the DNS to point to them.

Stateless IPv6 Setup
Use this method if your LAN is all in one zone. That is, if every device on your LAN is free to connect to every other device on your LAN. My view is that this insecure if you have any wireless devices, since they should not be permitted to connect to wired devices.

Stateful IPv6 Setup
Use this method if your LAN is divided into groups of related hosts and you want to control connectivity between them.

IPv6 Nameservers
Its all very well having IPv6 connectivity everywhere but it looks a bit tarnished if you are still using IPv4 for nameservers to get the IPv6 addresses you need for IPv6 to work. It works that way but until you have nameservers on IPv6 then your IPv6 will not be independent of IPv4.