User:NeddySeagoon/IPv6
Overview
This page helps you decide if you really want to add IPv6 and if you do, how to go about it.
You can have IPv6 ... but should you?
Your ISP
Your ISP has just arrived in the 21st century and offered you a native IPv6 connection. A native IPv6 connection is not required, since it is perfectly possible to tunnel IPv6 over IPv4; 'tunnel brokers' have been around for years. Tunnelling is not described here.
Key Differentiators between IPv4 and IPv6
Range of Addresses
IPv4 allows at most 2^32 (about 4.3 billion) different IP addresses. IPv6 allows 2^128.
Some tricks have been used to stretch IPv4, notably Network Address Translation (NAT), which lets several internet connected devices share a single public IP. The private ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 are reserved for use behind NAT. This works as far as it goes but has some limitations.
If you don't understand the /8 and /16 notation, read up about CIDR now. IPv6 uses prefix lengths exclusively. There is no dotted netmask.
In IPv6 terms, the entire IPv4 address space is a /96.
Public IP Addresses and Firewalls
With IPv4, Network Address Translation (NAT) provided a degree of protection against bad things coming in from the internet. Strictly, that protection comes from the stateful connection tracking NAT depends on: an unsolicited inbound packet has no translation entry, so it is dropped. NAT does nothing to stop bad things phoning home once they are in. Running a firewall was still a good thing, even if you are not paranoid. As there are not enough public IPv4 addresses to go around, NAT is a workaround. Behind your router, your network uses one of the private address ranges; 192.168.x.y is popular.
With IPv6, global unicast addresses come from 2000::/3, so any address beginning with 2 or 3 is public. ifconfig shows these as scopeid 0x0<global>; ip -6 addr shows scope global.
NAT is not part of the IPv6 design, and every host gets a public address. This means that if you are going to deploy IPv6 you either need a boundary IPv6 firewall or each IPv6 enabled device needs its own firewall. Think about IPv6 firewalling before you bring up a public IPv6 connection.
To put that into context, the IPv4 address space was fully allocated by 25 November 2019. This means that any random IPv4 address is likely to be in use, so automated port scanners, dictionary attackers and so on don't need to try many addresses before something responds. In comparison, the IPv6 address space is almost empty, which makes port scanning of random IPv6 addresses far less productive. It does not make your hosts invisible: addresses leak through DNS, server logs and predictable interface identifiers, so a firewall is still required.
Switching Over to IPv6
Switching to IPv6 only is not yet an option. At the time of writing the rest of the internet isn't there. If you want to use IPv6 it will be in addition to, not in place of, your existing IPv4 setup. The two use largely separate tools and configuration and are almost completely unaware of one another.
A Few Useful Conventions
IPv6 Addresses
IPv6 addresses are written as colon separated hex rather than dot separated decimal. Like IPv4 (169.254.0.0/16), IPv6 has self-assigned link-local addresses. They are only unique on one link and are never routed: a router must not forward a packet with a link-local source or destination. They do appear as next hops in routing tables, as the default route later on this page shows.
fe80::2e0:4cff:fe69:1509/64
is a self-assigned link-local address.
Link-local addresses are fe80:: followed by a 64-bit interface identifier, which is made in one of a few ways:
- derived from the MAC address (modified EUI-64, as in the example above, which embeds the MAC 00:e0:4c:69:15:09 and so reveals it to every neighbour)
- a random or stable-private identifier (RFC 7217), which is what dhcpcd generates by default
- on point-to-point and tunnel links, whatever the link configuration chooses (the ppp0 link later on this page uses fe80::f)
fe80::/64
is the link-local address space (formally fe80::/10, of which only fe80::/64 is used).
::1
is localhost.
The :: is shorthand for one or more consecutive groups of zeros. IPv6 addresses often contain long runs of zeros and this saves writing out and remembering all 32 hex digits. :: may appear only once in an address; with two, it would be ambiguous how many zero groups each one stands for.
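An added example, not from the original page, showing the two points above in code: how :: compression works and why a second :: is rejected, and how a modified-EUI-64 link-local address such as the page's fe80::2e0:4cff:fe69:1509 encodes the interface's MAC address (and can be turned back into it by anyone who sees the address). It uses only Python's standard ipaddress module; the ff:fe test for EUI-64 identifiers is a heuristic, since a random identifier could contain those bytes by chance.

```python
"""IPv6 notation helpers: :: compression and modified EUI-64 <-> MAC conversion.

Added example for illustration, not code from the original page.
"""
import ipaddress


def expand(addr):
    """Full 8-group form, e.g. 'fe80::1' -> 'fe80:0000:0000:0000:0000:0000:0000:0001'."""
    return ipaddress.IPv6Address(addr).exploded


def compress(addr):
    """Canonical shortest form: the longest run of zero groups (leftmost on a tie) becomes ::."""
    return ipaddress.IPv6Address(addr).compressed


def is_valid(addr):
    """False for text that is not an IPv6 address, including one with two '::'."""
    try:
        ipaddress.IPv6Address(addr)
        return True
    except ipaddress.AddressValueError:
        return False


def mac_to_eui64_link_local(mac):
    """fe80:: + modified EUI-64: insert ff:fe in the middle of the MAC, flip the U/L bit (0x02)."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("MAC must be six colon separated octets")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    # 16 bytes: fe80 prefix, six zero bytes, then the 8-byte interface identifier
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid))


def eui64_to_mac(addr):
    """Recover the MAC from an EUI-64 derived address, or None if the address is not one.

    Heuristic: the identifier is treated as EUI-64 when its middle two bytes are ff:fe.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{o:02x}" for o in octets)


if __name__ == "__main__":
    print(expand("fe80::1"))
    print(compress("2001:0db8:0000:0000:0000:0000:0000:0001"))
    print(is_valid("2001::db8::1"))
    print(mac_to_eui64_link_local("00:e0:4c:69:15:09"))
    print(eui64_to_mac("fe80::2e0:4cff:fe69:1509"))
```

The page's host address further down, 2001:db8:beef:3:2ce7:23e:e628:2578, has no ff:fe in its identifier, so eui64_to_mac returns None for it: that host is using a random identifier rather than one derived from its MAC.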
IPv6 Enabled Software
Some commands, like ip and route, take a switch -4 or -6 to select IPv4 or IPv6.
Others have two versions, like ping and ping6.
Either way, IPv6 is not yet the default.
Software Support
Your kernel needs IPv6 support (CONFIG_IPV6). IPv6 firewall support will be useful too. We will use iproute2 to manage IPv6 and ip6tables for IPv6 firewalling.
We will also use dhcpcd and radvd, which are introduced as they are required.
Set
USE=ipv6
in
root #
nano /etc/portage/make.conf
if it's not already on in your profile, then
root #
emerge -av sys-apps/iproute2 net-firewall/iptables
Do check that ipv6 is on before the emerge goes ahead.
If you had to set
USE=ipv6
for yourself, you will need to
root #
emerge -N @world
too, to get IPv6 support everywhere.
Connecting to The Internet
This is probably the last step you want to perform, as you don't have an IPv6 firewall yet, but it's useful for testing in the next steps.
Your ISP assigned /64 Prefix
Your ISP will have assigned your uplink a /64 prefix from 2000::/3 (beginning with 2 or 3). Some ISPs assign the prefix dynamically, much as they do with IPv4 addresses. The method described here works with either statically or dynamically assigned prefixes.
Just as you may have used 192.168.0.0/24 on your LAN (the prefix length here is 24, giving 254 usable addresses on one segment), your ISP has allocated you a /64. That's 2^64 IPv6 addresses, far more than the entire IPv4 address space. A /64 is the standard allocation for a single network segment and address autoconfiguration depends on it, so you are not supposed to subnet it further. It is just for your uplink.
The more enlightened ISPs will also have allocated you a /48 or /56 prefix for use on your LAN. Again, this can be static or dynamic.
Your ISP assigned /48 Prefix
ISPs vary; you might have got a /56 instead. Whatever its size, this is yours to subnet into /64s as you see fit for your LAN segments. A really parsimonious ISP may only give you a single /64 prefix. This is the IPv6 equivalent of a single IPv4 address: it serves one LAN segment but not the routed, zoned setup described below. This guide is not for you.
Your Router
Your router needs to be IPv6 capable. If it's not, there may be a firmware upgrade; if not, you need a new router. That can be an old PC, a low power system or even a kernel virtual machine (KVM) guest. You could also buy an IPv6 capable router and follow its instructions.
As with any firmware upgrade, it runs the risk of 'bricking' the device if something goes wrong.
The router used in this guide is a KVM running hardened Gentoo.
PPPoE
In the UK at least, much of the broadband is delivered using Point-to-Point Protocol over Ethernet (PPPoE). That is similar to the way internet was delivered over dial-up modems. If you provide your own PPPoE end point, adding IPv6 to your IPv4, so that ppp0 gets a public IPv6 address as well as the more familiar IPv4 address, is a matter of editing
root #
nano /etc/ppp/options
and adding at the end
+ipv6
That's enough to tell ppp that it should enable IPv6 as well as IPv4.
Optionally you may also add
ipv6 ::last_16_hex_digits_of_IPv6_address
which assigns a fixed interface identifier (the low 64 bits) to your end of the ppp link. A one digit identifier such as ::f will do, instead of the 16 hex digit EUI-64 identifier you get otherwise. A fixed identifier is convenient for firewall rules and DNS records.
Then restart ppp0.
root #
/etc/init.d/net.ppp0 restart
root #
ip -6 addr show dev ppp0
should show that ppp0 now has an IPv6 address of the form
ISP_assigned_prefix::last_16_hex_digits_of_IPv6_address
root #
ping6 google.com
should work now too.
You now have IPv6 connectivity from your router to the big bad internet. The big bad internet also has connectivity to your router, which is not quite so good.
dhcpcd
dhcpcd is going to do two things for us
- acquire our delegated prefix
- delegate /64 prefixes out of it to the router's LAN interfaces
Installing dhcpcd
You may already be using dhcpcd for IPv4, so you may be able to skip this step
root #
emerge -av dhcpcd
Check that its built with USE=ipv6
Take care with the configuration. The following options request an address (ia_na) for ppp0 and a delegated prefix (ia_pd). noipv6rs turns router solicitation off globally and ipv6rs turns it back on for ppp0 only, so the router does not start accepting router advertisements on its own LAN interfaces.
root #
nano /etc/dhcpcd.conf
noipv6rs
interface ppp0
ipv6rs
ia_na
ia_pd
With no interface list after ia_pd, dhcpcd assigns a /64 from the delegated prefix to every other interface in the router, that is, every interface except the WAN interface it was requested on.
Start (or restart) dhcpcd, add it to the default runlevel if it's not there already, then test.
Testing dhcpcd
Check for IPv6 addresses and IPv6 routes being allocated.
IPv6 Global Scope Addresses
root #
ip -6 addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:db8:beef:2::1/64 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::cf13:3f55:d4d1:caae/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:db8:beef:3::1/64 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::2b21:51fb:ebd1:f66f/64 scope link
valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:db8:beef:4::1/64 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::a090:7c68:c6d2:bb83/64 scope link
valid_lft forever preferred_lft forever
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:db8:beef:5::1/64 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::606b:bcc:8200:541c/64 scope link
valid_lft forever preferred_lft forever
7: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qlen 3
inet6 2001:db8:cafe:2::f/64 scope global mngtmpaddr dynamic
valid_lft 17854sec preferred_lft 1654sec
inet6 fe80::f/10 scope link
valid_lft forever preferred_lft forever
IPv6 Global Scope Routes
root #
ip -6 route show
2001:db8:beef:2::/64 dev eth0 proto kernel metric 202 pref medium
2001:db8:beef:3::/64 dev eth1 proto kernel metric 203 pref medium
2001:db8:beef:4::/64 dev eth2 proto kernel metric 204 pref medium
2001:db8:beef:5::/64 dev eth3 proto kernel metric 205 pref medium
unreachable 2001:db8:beef::/48 dev lo metric 1024 error -101 pref medium
2001:db8:cafe:2::/64 dev ppp0 proto kernel metric 256 expires 17929sec pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev eth2 proto kernel metric 256 pref medium
fe80::/64 dev eth3 proto kernel metric 256 pref medium
fe80::/10 dev ppp0 metric 1 pref medium
fe80::/10 dev ppp0 proto kernel metric 256 pref medium
ff00::/8 dev eth0 metric 256 pref medium
ff00::/8 dev eth1 metric 256 pref medium
ff00::/8 dev eth2 metric 256 pref medium
ff00::/8 dev eth3 metric 256 pref medium
ff00::/8 dev ppp0 metric 256 pref medium
default via fe80::230:88ff:fe16:ec4f dev ppp0 proto ra metric 1024 expires 1129sec hoplimit 64 pref medium
Notice that each LAN interface has its own global scope /64 assigned from the 2001:db8:beef::/48 prefix, which is a different range from the 2001:db8:cafe:2::/64 prefix assigned to ppp0 for the uplink. The unreachable route for 2001:db8:beef::/48 on lo is dhcpcd's doing and is correct: packets for parts of the delegated prefix that are not assigned to any interface are rejected locally instead of being bounced back and forth with the ISP.
It all works with dynamic prefix assignments too. If your ISP only provides a single /64, the above won't work for you. Until this step works, there is no point in continuing with this guide.
root #
ping6 google.com
should still work too.
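A check for this step, as an added example that is not part of the original page or of dhcpcd: it parses the text that ip -6 addr show prints (the page's own output above is embedded as constructed input, trimmed to three interfaces) and verifies what the text says should be true. Every LAN interface should carry exactly one global address, every LAN prefix should lie inside the delegated /48, the uplink address should lie outside it, and no global address should embed a MAC (an EUI-64 identifier, recognisable by ff:fe in its middle bytes, which is a heuristic). The prefix and WAN interface name are parameters the caller supplies.

```python
"""Sanity checks on a router's IPv6 addressing after dhcpcd prefix delegation.

Added example, not code from the original page or from dhcpcd.
"""
import ipaddress
import re

# Constructed input: the `ip -6 addr show` output quoted on the page, trimmed.
SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:db8:beef:2::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::cf13:3f55:d4d1:caae/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:db8:beef:3::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::2b21:51fb:ebd1:f66f/64 scope link
       valid_lft forever preferred_lft forever
7: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qlen 3
    inet6 2001:db8:cafe:2::f/64 scope global mngtmpaddr dynamic
       valid_lft 17854sec preferred_lft 1654sec
    inet6 fe80::f/10 scope link
       valid_lft forever preferred_lft forever
"""

IFACE_RE = re.compile(r"^\d+: (\S+?):")            # "2: eth0: <...>"
ADDR_RE = re.compile(r"^\s+inet6 (\S+) scope (\S+)")  # "    inet6 addr/len scope global ..."


def parse_ip6_addr(text):
    """Return {iface: [(IPv6Interface, scope), ...]} from `ip -6 addr show` output."""
    result, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:
            result[current].append((ipaddress.IPv6Interface(m.group(1)), m.group(2)))
    return result


def is_eui64(addr):
    """Heuristic: interface identifier embeds a MAC when its middle bytes are ff:fe."""
    return ipaddress.IPv6Address(addr).packed[11:13] == b"\xff\xfe"


def check_router(text, delegated, wan):
    """Return (lan_prefixes, problems) for the router described by `text`.

    delegated: the prefix the ISP delegated, e.g. '2001:db8:beef::/48'
    wan:       the uplink interface name, e.g. 'ppp0'
    """
    delegated = ipaddress.IPv6Network(delegated)
    lan_prefixes, problems = {}, []
    for name, addrs in parse_ip6_addr(text).items():
        if name == "lo":
            continue
        globals_ = [a for a, scope in addrs if scope == "global"]
        for a in globals_:
            if is_eui64(a.ip):
                problems.append(f"{name}: {a.ip} embeds a MAC address")
        if name == wan:
            if any(a.ip in delegated for a in globals_):
                problems.append(f"{wan}: uplink address lies inside delegated {delegated}")
            continue
        if len(globals_) != 1:
            problems.append(f"{name}: expected 1 global address, found {len(globals_)}")
            continue
        net = globals_[0].network  # the /64 the address sits in
        if not net.subnet_of(delegated):
            problems.append(f"{name}: {net} is outside delegated {delegated}")
        lan_prefixes[name] = str(net)
    return lan_prefixes, problems


if __name__ == "__main__":
    prefixes, problems = check_router(SAMPLE, "2001:db8:beef::/48", "ppp0")
    print(prefixes)
    print(problems or "no problems found")
```

On a live router, feed it the real output with subprocess.run(["ip", "-6", "addr", "show"], capture_output=True, text=True).stdout in place of SAMPLE. Any reported problem at this stage means the delegation is not what the rest of the page assumes.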
radvd
Now that each interface has its global address and route, the prefix can be advertised to the hosts on each interface.
The Router Advertisement Daemon (radvd) runs on your router. On each interface it is configured for, it advertises the prefix that interface holds. This is the information that hosts connected to those interfaces need to configure their own global scope IPv6 address (SLAAC) and default route.
Installing radvd
root #
emerge -av radvd
Edit your /etc/radvd.conf
root #
nano /etc/radvd.conf
interface eth1
{
    ## (Send advertisement messages to other hosts)
    AdvSendAdvert on;
    ## (Fragmentation is bad(tm))
    AdvLinkMTU 1280;
    MaxRtrAdvInterval 300;
    ## (IPv6 subnet prefix we've been assigned by our ISP)
    prefix ::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
The prefix ::/64 statement tells radvd to advertise whatever /64 prefix it finds on the interface, in this case interface eth1. This is a good thing if your ISP provides dynamically allocated IPv6 prefixes. With a static prefix you can write the prefix in instead.
Read that over before you save it. Sending Router Advertisements out of the wrong interface is a really bad thing: any host that hears one adopts the advertised prefix and default route, which is exactly why rogue router advertisements are a well known IPv6 attack, and an RA on your uplink pushes your prefix and default route onto whatever shares that link. So it is important that the interface statement is correct.
Save the changes, start radvd in the usual way and add it to the default runlevel.
Testing radvd has to be done on a host, downstream of the router.
Summary So Far
At this point, the router is configured for IPv6, has global scope routes and addresses on all its interfaces and is configured to send router advertisements at least every 5 minutes (MaxRtrAdvInterval 300).
No firewall has been set up yet, and no host has been set up or tested.
Host Configuration
Restart eth0 on the selected test host.
Check IP6 Address and Route
root #
ip -6 addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:db8:beef:3:2ce7:23e:e628:2578/64 scope global noprefixroute dynamic
valid_lft 86234sec preferred_lft 14234sec
inet6 fe80::2585:48ba:8c89:3ca5/64 scope link
valid_lft forever preferred_lft forever
root #
ip -6 route show
2001:db8:beef:3::/64 dev eth0 proto kernel metric 202 mtu 1280 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
ff00::/8 dev eth0 metric 256 pref medium
default via fe80::2b21:51fb:ebd1:f66f dev eth0 metric 202 mtu 1280 pref medium
Notice the route to 2001:db8:beef:3::/64 and the address 2001:db8:beef:3:2ce7:23e:e628:2578/64. This ties in nicely with the router's eth1. The interface identifier 2ce7:23e:e628:2578 is not derived from the MAC address, so the host is using a random identifier.
The default route points at the link-local address of eth1 in the router, too.
root #
ping6 google.com
should work, demonstrating IPv6 from the test host, through the router, to the rest of the IPv6 connected world, and from the entire IPv6 connected world back to your host. That last part is why the firewall comes next.
IPv6 Firewall
If you don't have an IPv4 firewall but you have NAT and are fully aware of the risks in the internet exposed services you run, that's OK. It's your IPv4 risk management.
IPv4 firewalls are based on iptables. The IPv6 equivalent is ip6tables. The two are completely independent: an iptables rule has no effect on IPv6 traffic, so an IPv4-only firewall leaves every IPv6 address on your LAN exposed.
There are several tools for helping with setting up firewalls. I have used Shorewall for IPv4, so I will describe Shorewall6 (for IPv6) below.
My LAN is divided into three segments.
- Wired hosts - fully protected from the internet, wireless hosts and servers
- Wireless hosts - fully protected from the internet and servers
- Servers - internet exposed devices with limited external access
If this looks like a Smoothwall setup, once upon a time it was. I have even propagated the zone names from Smoothwall.
The firewall set up is to deny everything going anywhere then to add rules to permit traffic as required.
The normal domestic router by contrast, runs a 'half open' setup, where anything is allowed out but packets are allowed in response to an outgoing request. This is simpler and faster to set up but has the disadvantage of allowing anything that does get in to phone home.
You will be surprised at the amount of things that appear to work but want to phone home for their own reasons too.
Shorewall6
Shorewall6 keeps its configuration files in /etc/shorewall6. For getting an IPv6 firewall working many of them can be left empty. Only the files listed below need to be edited:
- interfaces - describe your interfaces to Shorewall6
- params - constants you define for use in other files to make them easier to read
- zones - describe the network topology to Shorewall6
- policy - the defaults for each zone pair
- rules - your firewall rules
- shorewall6.conf - control logging and so on
They all have their own man page which you are encouraged to read.
Shorewall6 can do timed access and Quality of Service too, in case you need to throttle your teenagers. Those topics are out of scope of this document.
/etc/shorewall6/interfaces
#ZONE   INTERFACE   OPTIONS
# green protected interface
# blue  protected interface - can't get to wired
# dmz   servers
# net   big bad internet
# net can be eth2 or ppp0
net     ppp0
dmz     eth0        nosmurfs
blue    eth3        dhcp,nosmurfs
green   eth1        dhcp,nosmurfs,routeback
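The radvd section warned that the interface statement must be right, and this file is where the router records which interface faces the internet. The following is an added example, not code from the original page, radvd or Shorewall: it cross-checks the two files, reporting any interface radvd advertises on that Shorewall6 places in the net zone, and any LAN zone interface with no radvd block (hosts there would get no prefix or default route). The page's radvd.conf and interfaces file are embedded as constructed input; the parser assumes the simple three-column form of the interfaces file used on this page.

```python
"""Cross-check radvd's interfaces against the Shorewall6 zone map.

Added example, not code from the original page, radvd or Shorewall.
"""
import re

# Constructed input: the page's /etc/radvd.conf (comments dropped).
RADVD_CONF = """\
interface eth1
{
    AdvSendAdvert on;
    AdvLinkMTU 1280;
    MaxRtrAdvInterval 300;
    prefix ::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
"""

# Constructed input: the page's /etc/shorewall6/interfaces.
SHOREWALL6_INTERFACES = """\
#ZONE   INTERFACE   OPTIONS
net     ppp0
dmz     eth0        nosmurfs
blue    eth3        dhcp,nosmurfs
green   eth1        dhcp,nosmurfs,routeback
"""


def radvd_interfaces(conf):
    """Interface names from every 'interface NAME' block in radvd.conf syntax."""
    return set(re.findall(r"^\s*interface\s+(\S+)", conf, re.MULTILINE))


def shorewall6_zones(text):
    """{interface: zone} from a three-column Shorewall6 interfaces file."""
    zones = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        fields = line.split()
        if len(fields) < 2:
            continue
        zone, iface = fields[0], fields[1]
        zones[iface] = zone
    return zones


def ra_on_untrusted(radvd_conf, interfaces_file, untrusted=("net",)):
    """Interfaces radvd advertises on that sit in an untrusted zone. Should be empty."""
    zones = shorewall6_zones(interfaces_file)
    return sorted(i for i in radvd_interfaces(radvd_conf) if zones.get(i) in untrusted)


def ra_missing(radvd_conf, interfaces_file, lan_zones=("green", "blue", "dmz")):
    """LAN zone interfaces with no radvd block: hosts there get no prefix or default route."""
    zones = shorewall6_zones(interfaces_file)
    served = radvd_interfaces(radvd_conf)
    return sorted(i for i, z in zones.items() if z in lan_zones and i not in served)


if __name__ == "__main__":
    print("RAs on untrusted interfaces:", ra_on_untrusted(RADVD_CONF, SHOREWALL6_INTERFACES))
    print("LAN interfaces without RAs:", ra_missing(RADVD_CONF, SHOREWALL6_INTERFACES))
```

On the router, read the two real files with open("/etc/radvd.conf").read() and open("/etc/shorewall6/interfaces").read() in place of the constants. With the page's files the first check comes back empty and the second lists eth0 and eth3, which only have radvd blocks once you add them.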
/etc/shorewall6/params
###############################################################################
LOG=info
### IP addresses where we run particular services
### This avoids using name resolution in rules
### and at the same time, lets us use names for IP addresses
# Convention is initial capital letters for parameters
Notice the definition of
LOG=info
This allows us to write $LOG in other files.
Conversely, changing the LOG= here and restarting shorewall6 will change the log level everywhere that $LOG is used.
This file will grow as you write your rules. My /etc/shorewall/params (for IPv4) contains the following definitions. These will be migrated to /etc/shorewall6/params in due course. However, all the IPv6 addresses will be public, so I don't want to share them here. Of course, if my firewall works, any incoming connection attempts may be dropped.
# Public IP address
Public=<Public IPv4 Address Withheld>
# All IPs in dmz are static
# Raspberry Pi Timeserver
Ntp=192.168.10.3
# Local IP of Webserver
Web=192.168.10.123
# Local IP of Shell Server (ssh)
Shell=192.168.10.123
# Local IP of Mail server
Mail=192.168.10.119
# Local IP of Gentoo Source Code Proxy
Source=192.168.10.119
# Local IP of Portage Mirror
Portage=192.168.10.119
# Local IP of LAPC1200 Wireless Access Point
WAP2=192.168.54.150
#############################################################################
# Local IP of Media Server
# Its in green
Media=192.168.100.55
# Local IP of BluRay Player
# Its in green
Bluray=192.168.100.180
# Local IP of OBi110
# Its in green just now but needs to move to blue
OBI110=192.168.100.80
These definitions allow the use of $Public $Ntp ... $Bluray and $OBI110 wherever the IP Address is needed in a rule.
You can also define constants to be used as port numbers or port number ranges here, in case
/etc/services
does not have the port numbers you need.
/etc/shorewall6/policy
This file says that anything coming from the internet (net) to anywhere gets dropped silently, so the originator does not even get an error message, and everything else is rejected with an ICMPv6 error. That means you will get an error if you try to connect to one of your own servers (in the dmz) from a wired host (green) until you write a rule permitting it.
###############################################################################
#SOURCE  DEST   POLICY   LOG     LIMIT:   CONNLIMIT:
#                        LEVEL   BURST    MASK
net      dmz    DROP     $LOG
net      blue   DROP     $LOG
net      green  DROP     $LOG
net      $FW    DROP     $LOG
all      all    REJECT   $LOG
The policy is applied when ip6tables reaches the end of the rules for a zone pair without having matched the packet. One caveat specific to IPv6: do not block ICMPv6 wholesale. Neighbour discovery, router advertisements and path MTU discovery all run over ICMPv6, and a LAN without them stops working.
/etc/shorewall6/rules
/etc/shorewall6/shorewall6.conf
/etc/shorewall6/zones
You don't need the comments, and the zone names only need to be unique.
###############################################################################
#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
# The firewall is its own zone
fw      firewall
#
# Green is the wired network
green   ipv6
#
# The internet is allowed to the dmz - servers go here
dmz     ipv6
#
# Connect your WAP here - Wireless devices
blue    ipv6
#
# The big bad internet
net     ipv6
IPv6 Routing
When IPv6 was designed, address autoconfiguration was built in: set up the software and off you go. Each host picks the interface identifier half of its own address from the advertised prefix, by default a random one rather than one derived from its MAC, so you get seemingly random IPv6 addresses all over your LAN, which makes per-host firewall rules difficult.
You can set static IPs and you will need to if you run servers, since you will need to set your AAAA records in the DNS to point to them.
Stateless IPv6 Setup
Use this method if your LAN is all in one zone, that is, if every device on your LAN is free to connect to every other device on your LAN. My view is that this is insecure if you have any wireless devices, since they should not be permitted to connect to wired devices.
Privacy
Stateful IPv6 Setup
Use this method if your LAN is divided into groups of related hosts and you want to control connectivity between them.
IPv6 Nameservers
It's all very well having IPv6 connectivity everywhere, but it looks a bit tarnished if you are still using IPv4 to reach the nameservers that return the IPv6 addresses IPv6 needs to work. It works that way, but until you have nameservers reachable over IPv6 your IPv6 will not be independent of IPv4.