User:NeddySeagoon/IPv6

From Gentoo Wiki

Overview

This page helps you decide if you really want to add IPv6 and if you do, how to go about it.

You can have IPv6 ... but should you?

Your ISP

Your ISP has just arrived in the 21st century and offered you a native IPv6 connection. A native IPv6 connection is not required, since it's perfectly possible to tunnel IPv6 over IPv4: 'tunnel brokers' have been around for years. Tunnelling is not described here.

Key Differentiators between IPv4 and IPv6

Range of Addresses

IPv4 allows at most 2^32 (about 4.3 billion) different IP addresses. IPv6 allows 2^128 different IP addresses.

Some tricks have been used to stretch IPv4, such as Network Address Translation (NAT), which lets several internet connected devices share a single public IP. The private ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 (RFC 1918) are set aside for use behind NAT. This works as far as it goes but has some limitations.

If you don't understand the /8 and /16 notation, read up about CIDR now. IPv6 uses it exclusively; there is no dotted netmask.

In IPv6 speak, the entire IPv4 address space fits in a /96 (the IPv4-mapped addresses, ::ffff:0:0/96).

Public IP Addresses and Firewalls

With IPv4, Network Address Translation (NAT) provided a degree of protection against unsolicited connections from the internet, because an inbound packet with no matching translation has nowhere to go. NAT does not stop bad things phoning home once they are in. Running a firewall was still a good thing, even if you are not paranoid. As there are not enough public IP addresses to go around, NAT is a workaround. Behind your router, your network uses one of the private address ranges; 192.168.x.y is popular.

With IPv6, global unicast addresses (2000::/3, that is everything beginning with a 2 or a 3) are public. ifconfig shows them as scopeid 0x0<global> and ip -6 addr as scope global. There is no NAT in IPv6, so every device with a global address is reachable from the internet unless something blocks it. This means that if you are going to deploy IPv6 you either need a boundary IPv6 firewall or each IPv6 enabled device needs its own firewall. Think about IPv6 firewalling before you bring up a public IPv6 connection.

To put that into context, the IPv4 address space was fully allocated by 25 November 2019. This means that any random IPv4 address is likely to be in use, so automated port scanners, dictionary attackers, etc. don't need to try many addresses before something responds. In comparison, the IPv6 address space is almost empty, which makes port scanning of random IPv6 addresses far less productive. Don't mistake that for protection: your addresses leak through DNS, logs and every outgoing connection, and guessable patterns such as ::1 on each subnet or an EUI-64 built from a known MAC are found quickly (RFC 7707 describes the techniques).

Switching Over to IPv6

Switching to IPv6 only is not yet an option. At the time of writing the rest of the internet isn't there. If you want to use IPv6 it will be in addition to, not in place of your existing IPv4 setup. The two use completely different tools and are almost completely unaware of one another.

A Few Useful Conventions

IPv6 Addresses

IPv6 addresses are written as eight colon separated groups of hex digits, rather than dot separated decimal. Just like IPv4, IPv6 has the concept of self assigned link local addresses. They are only guaranteed to be unique on the link they are on and routers never forward them, so they never appear on the internet; they are, however, used to talk to the router at the other end of a link (the default route later on this page points at one).

fe80::2e0:4cff:fe69:1509/64

is a self assigned link local address.


Link local addresses are the fe80::/64 prefix plus a 64 bit interface identifier. The identifier comes from one of a few sources: derived from the MAC address (modified EUI-64, which is what puts the ff:fe in the middle of the example above), a stable random value that current kernels prefer (RFC 7217; the link local addresses in the ip output later on this page are of this kind), or, for some tunnelling schemes, an embedded IPv4 address:

fe80::IPv4_address
fe80::MAC_Address


fe80::/64

is the link local address space.


::1

is localhost


The :: is shorthand for a run of one or more all-zero groups. IPv6 addresses often contain long runs of zeros and it saves writing out and remembering all 32 hex digits. :: may appear only once in an address; a second one would make the address ambiguous. Leading zeros within a group may also be dropped, so 2001:0db8::0001 and 2001:db8::1 are the same address.
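The rules above (the EUI-64 interface identifier, the single ::) are easy to get wrong by hand. The following is an added example, not part of the original page, that derives a link local address from a MAC, expands the :: shorthand and recovers the MAC from an EUI-64 address. The MAC 00:e0:4c:69:15:09 is a constructed sample chosen to reproduce the page's own example address. The last function is also the privacy point in a nutshell: from an EUI-64 address anyone you talk to can read off your hardware address, which the stable-privacy addresses in the ip output later on this page (such as fe80::cf13:3f55:d4d1:caae) do not allow.

```shell
#!/bin/sh
# Added example (not from the wiki page): the address forms described above,
# in plain POSIX sh with no network access.
#  - mac_to_link_local  builds the modified EUI-64 link local address the
#                       kernel derives from a MAC address
#  - expand_ipv6        undoes the '::' shorthand, giving all 8 groups
#  - eui64_to_mac       recovers the MAC from an EUI-64 address, or fails for
#                       a stable-privacy / temporary / hand-assigned address

# Print the number of non-empty colon separated groups in $1.
# (Subshell body, so changing IFS does not leak out.)
count_groups() (
    IFS=:
    n=0
    for g in $1; do
        if [ -n "$g" ]; then n=$((n + 1)); fi
    done
    echo "$n"
)

# mac_to_link_local MAC -> fe80::X:X:X:X
# Modified EUI-64: flip bit 1 of the first octet (the universal/local bit)
# and insert ff:fe between the OUI and the device part of the MAC.
mac_to_link_local() (
    IFS=:
    set -- $1
    [ $# -eq 6 ] || return 1
    g1=$(( ((0x$1 ^ 0x02) << 8) | 0x$2 ))
    g2=$(( (0x$3 << 8) | 0xff ))
    g3=$(( 0xfe00 | 0x$4 ))
    g4=$(( (0x$5 << 8) | 0x$6 ))
    printf 'fe80::%x:%x:%x:%x\n' "$g1" "$g2" "$g3" "$g4"
)

# expand_ipv6 ADDR -> the same address with all 8 groups written out.
# Rejects a second '::' and any address that does not come to 8 groups.
# Hex digits inside a group are not validated; leading zeros are kept as given.
expand_ipv6() {
    addr=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case $addr in
        *::*::*) return 1 ;;            # '::' may appear only once
        *::*)
            left=${addr%%::*}
            right=${addr#*::}
            n=$(( $(count_groups "$left") + $(count_groups "$right") ))
            [ "$n" -le 7 ] || return 1  # '::' stands for at least one group
            zeros=''
            while [ "$n" -lt 8 ]; do zeros="${zeros}:0"; n=$((n + 1)); done
            full="${left}${zeros}${right:+:$right}"
            full=${full#:}
            ;;
        *)  full=$addr ;;
    esac
    [ "$(count_groups "$full")" -eq 8 ] || return 1
    printf '%s\n' "$full"
}

# eui64_to_mac ADDR -> MAC, the inverse of mac_to_link_local.
# Prints nothing and returns 1 unless groups 6 and 7 carry the ff:fe marker.
eui64_to_mac() (
    full=$(expand_ipv6 "$1") || return 1
    IFS=:
    set -- $full
    case "$6:$7" in
        *ff:fe??) ;;
        *) return 1 ;;
    esac
    g5=$(( 0x$5 )); g6=$(( 0x$6 )); g7=$(( 0x$7 )); g8=$(( 0x$8 ))
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' \
        $(( (g5 >> 8) ^ 0x02 )) $(( g5 & 0xff )) $(( g6 >> 8 )) \
        $(( g7 & 0xff )) $(( g8 >> 8 )) $(( g8 & 0xff ))
)

# Walk through three addresses from this page (constructed sample input).
for a in fe80::2e0:4cff:fe69:1509 fe80::cf13:3f55:d4d1:caae ::1; do
    if mac=$(eui64_to_mac "$a"); then
        printf '%-34s EUI-64, built from MAC %s\n' "$(expand_ipv6 "$a")" "$mac"
    else
        printf '%-34s not EUI-64 (privacy or hand assigned)\n' "$(expand_ipv6 "$a")"
    fi
done
```

mac_to_link_local 00:e0:4c:69:15:09 gives exactly the fe80::2e0:4cff:fe69:1509 shown above, and eui64_to_mac turns it back into the MAC; the stable-privacy address from the router's eth0 fails that check, which is the whole point of stable-privacy addressing.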

IPv6 Enabled Software

Some commands, like route and ip, take a switch -4 or -6 to determine whether they should work with IPv4 or IPv6.

Others come in two versions, like ping and ping6.

Either way, IPv6 is not yet the default.

Software Support

Your kernel needs IPv6 support (CONFIG_IPV6). IPv6 firewall support (CONFIG_IP6_NF_IPTABLES plus the matches and targets you use) will be useful too. We will use iproute2 to manage IPv6 and ip6tables for IPv6 firewalling.

We will also use dhcpcd and radvd, which will be introduced as they are required.

Set

USE=ipv6

in

root #nano /etc/portage/make.conf

if it's not already enabled in your profile, then

root #emerge -av sys-apps/iproute2 net-firewall/iptables

Check that the ipv6 USE flag shows as enabled in the emerge -av output before letting the emerge go ahead.

If you had to set

USE=ipv6

for yourself, you will need to

root #emerge -N @world

too to get IPv6 support everywhere.

Connecting to The Internet

This is probably the last step you want to perform, as you don't have an IPv6 firewall yet, but it's useful for testing in the next steps.

Your ISP assigned /64 Prefix

Your ISP will have assigned you a /64 prefix beginning with 2 for the uplink. However, some ISPs assign the prefix dynamically, much like they do with IPv4 addresses. The method described here works with either statically or dynamically assigned prefixes.

Just as you may have used 192.168.0.0/24 on your LAN (the prefix length here is 24) to allow up to 254 host addresses on the same LAN segment, 253 once the router has taken one, your ISP has allocated you a /64. That's 2^64 IPv6 addresses, or far more than there are in the entire IPv4 address space. A /64 is the standard allocation for a single network segment and you are not supposed to subnet it further. This one is just for your uplink.

The more enlightened ISPs will also have allocated you a /48 prefix or a /56 prefix for use on your LAN. Again, this can be static or dynamic.

Your ISP assigned /48 Prefix

ISPs vary, you might have got a /56 instead. Either way, this is yours to subnet into /64 segments as you see fit for your LAN. A really parsimonious ISP may only give you a single /64 prefix. For a router that has to carve out subnets, that is the IPv6 equivalent of a single IPv4 address, and this guide is not for you.

Your Router

Your router needs to be IPv6 capable. If it's not, there may be a firmware upgrade; if not, you need a new router. That can be an old PC, a low power system or even a kernel virtual machine (KVM). You could also buy an IPv6 capable router and follow its instructions.

As with any firmware upgrade, it runs the risk of 'bricking' the device if something goes wrong.

The router used in this guide is a KVM running hardened Gentoo.

PPPoE

In the UK at least, much of the broadband is delivered using the Point-to-Point Protocol over Ethernet (PPPoE). That is similar to the way the internet was delivered over dial-up modems, where PPP ran over the serial line. If you provide your own PPPoE end point, adding IPv6 to your IPv4, so that ppp0 gets a public IPv6 address as well as the more familiar IPv4 address, is a matter of editing

root #nano /etc/ppp/options

and adding at the end

+ipv6

That's enough to tell ppp that it should enable IPv6 as well as IPv4.

Optionally you may also add

ipv6 ::last_16_hex_digits_of_IPv6_address

which assigns a fixed interface identifier, and therefore a fixed IPv6 address, to your end of the ppp link. A short identifier such as ::f is fine instead of the 16 hex digit EUI-64 identifier you will get otherwise.

Then restart ppp0.

root #/etc/init.d/net.ppp0 restart
root #ip -6 addr show dev ppp0

should show that ppp0 now has an IPv6 address of the form

ISP_assigned_prefix::last_16_hex_digits_of_IPv6_address


root #ping6 google.com

should work now too.

You now have IPv6 connectivity from your router to the big bad internet. The big bad internet also has connectivity to your router, which is not quite so good: until the firewall section below is done, every service listening on the router's global IPv6 address is reachable from anywhere.

dhcpcd

dhcpcd is going to do two things for us

  1. acquire our delegated prefix
  2. delegate smaller prefixes to the router interfaces

Installing dhcpcd

You may already be using dhcpcd for IPv4, so you may be able to skip this step.

root #emerge -av dhcpcd

Check that its built with USE=ipv6

Take care with the configuration. The following options get an address for ppp0 and a delegated prefix

root #nano /etc/dhcpcd.conf
noipv6rs
interface ppp0
        ipv6rs
        ia_na
        ia_pd

dhcpcd will then allocate a /64 prefix from the delegated prefix to every interface in the router except the WAN interface. If you want to choose which interface gets which subnet, so that your LAN prefixes stay predictable for firewall rules, ia_pd also accepts an explicit list of interfaces and subnet IDs; see dhcpcd.conf(5).

Start (restart) dhcpcd and add it to the default runlevel if its not there already, then test.


Testing dhcpcd

Check for IPv6 addresses and IPv6 routes being allocated.


IPv6 Global Scope Addresses
root #ip -6 addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:db8:beef:2::1/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::cf13:3f55:d4d1:caae/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:db8:beef:3::1/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::2b21:51fb:ebd1:f66f/64 scope link 
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:db8:beef:4::1/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::a090:7c68:c6d2:bb83/64 scope link 
       valid_lft forever preferred_lft forever
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:db8:beef:5::1/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::606b:bcc:8200:541c/64 scope link 
       valid_lft forever preferred_lft forever
7: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qlen 3
    inet6 2001:db8:cafe:2::f/64 scope global mngtmpaddr dynamic 
       valid_lft 17854sec preferred_lft 1654sec
    inet6 fe80::f/10 scope link 
       valid_lft forever preferred_lft forever


IPv6 Global Scope Routes
root #ip -6 route show
2001:db8:beef:2::/64 dev eth0  proto kernel  metric 202  pref medium
2001:db8:beef:3::/64 dev eth1  proto kernel  metric 203  pref medium
2001:db8:beef:4::/64 dev eth2  proto kernel  metric 204  pref medium
2001:db8:beef:5::/64 dev eth3  proto kernel  metric 205  pref medium
unreachable 2001:db8:beef::/48 dev lo  metric 1024  error -101 pref medium
2001:db8:cafe:2::/64 dev ppp0  proto kernel  metric 256  expires 17929sec pref medium
fe80::/64 dev eth0  proto kernel  metric 256  pref medium
fe80::/64 dev eth1  proto kernel  metric 256  pref medium
fe80::/64 dev eth2  proto kernel  metric 256  pref medium
fe80::/64 dev eth3  proto kernel  metric 256  pref medium
fe80::/10 dev ppp0  metric 1  pref medium
fe80::/10 dev ppp0  proto kernel  metric 256  pref medium
ff00::/8 dev eth0  metric 256  pref medium
ff00::/8 dev eth1  metric 256  pref medium
ff00::/8 dev eth2  metric 256  pref medium
ff00::/8 dev eth3  metric 256  pref medium
ff00::/8 dev ppp0  metric 256  pref medium
default via fe80::230:88ff:fe16:ec4f dev ppp0  proto ra  metric 1024  expires 1129sec hoplimit 64 pref medium


Notice that each interface has its own global scope /64 prefix assigned from the 2001:db8:beef::/48 prefix, which is a different range to the 2001:db8:cafe:2::/64 prefix assigned to ppp0 for the uplink. The unreachable route for 2001:db8:beef::/48 on lo is deliberate: packets for parts of your delegated prefix that are not on any of your LANs are dropped locally instead of being bounced to the ISP and back.

It all works with dynamic prefix assignments too. If your ISP only provides a single /64, the above won't work for you. Until this step works, there is no point in continuing with this guide.

root #ping6 google.com

should still work too.

radvd

Now that each interface has both a global address and a route, the prefix can be advertised to the hosts on each interface.

The Router Advertisement Daemon (radvd) runs on your router. It advertises the IPv6 prefix it finds on each interface that has an interface stanza in its configuration; interfaces you don't list are left alone. This provides the information that hosts connected to those interfaces need to configure their own global scope IPv6 address and default route.

Installing radvd

root #emerge -av radvd


Edit your /etc/radvd.conf

root #nano /etc/radvd.conf
interface eth1
{
        ## (Send advertisement messages to other hosts)
        AdvSendAdvert on;
        ## (Fragmentation is bad(tm))
        AdvLinkMTU 1280;
        MaxRtrAdvInterval 300;
        ## (IPv6 subnet prefix we've been assigned by our ISP)
        prefix ::/64
        {
                AdvOnLink on;
                AdvAutonomous on;
        };
};

The

prefix ::/64

statement tells radvd to advertise whatever global prefix it finds on the interface. In this case,

interface eth1

This is a good thing if your ISP provides dynamically allocated IPv6 prefixes. A static prefix can be written in instead.

Read that over before you save it. It's a really bad thing to send Router Advertisement messages out of the uplink to the rest of the internet, so it's important that each interface statement names one of your LAN interfaces and never ppp0.

Save the changes, start radvd in the usual way and add it to the default runlevel.

Testing radvd has to be done on a host, downstream of the router.
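As an added check, not part of the original page: the function below reads a radvd.conf on stdin and refuses it if the named uplink interface has a stanza with AdvSendAdvert on. The two configurations are constructed samples (the LAN stanza from this page, and the same with a copy-paste mistake), and ppp0 as the uplink name is an assumption taken from this page. radvd -c only checks the syntax, so it accepts a stanza for ppp0 without complaint.

```shell
#!/bin/sh
# Added example (not from the wiki page): refuse a radvd.conf that would send
# Router Advertisements out of the uplink.  Interface names are assumptions.

# check_radvd_conf WAN_IFACE < radvd.conf
# Exits 0 when no 'interface' stanza for WAN_IFACE turns AdvSendAdvert on,
# 1 otherwise.  radvd's grammar is 'interface NAME { statement; ... };' with
# one statement per line, which is all this awk needs to track: remember the
# interface name of the stanza we are in, flag an 'AdvSendAdvert on' inside
# the uplink's stanza.
check_radvd_conf() {
    awk -v wan="$1" '
        BEGIN { bad = 0 }
        $1 == "interface" { iface = $2; sub(/[{;]+$/, "", iface) }
        $1 == "AdvSendAdvert" && $2 ~ /^on/ && iface == wan { bad = 1 }
        END { exit bad }
    '
}

# Constructed sample: the LAN stanza from this page.
GOOD_CONF='interface eth1
{
        AdvSendAdvert on;
        AdvLinkMTU 1280;
        MaxRtrAdvInterval 300;
        prefix ::/64
        {
                AdvOnLink on;
                AdvAutonomous on;
        };
};'

# The same plus a second stanza that would advertise on the uplink.
BAD_CONF="$GOOD_CONF
interface ppp0
{
        AdvSendAdvert on;
        prefix ::/64 { AdvOnLink on; AdvAutonomous on; };
};"

if printf '%s\n' "$GOOD_CONF" | check_radvd_conf ppp0; then
    echo "LAN-only config: OK"
fi
if printf '%s\n' "$BAD_CONF" | check_radvd_conf ppp0; then
    echo "config with ppp0 stanza: not detected (bug)"
else
    echo "config with ppp0 stanza: refused, ppp0 would advertise"
fi
```

Run it as check_radvd_conf ppp0 < /etc/radvd.conf before starting radvd; a non-zero exit means an interface stanza for the uplink has AdvSendAdvert on.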

Summary So Far

At this point, the router is configured for IPv6, it has global scope routes and addresses on all its interfaces and is configured to send router advertisement messages at least every 5 minutes.

No firewall has been set up yet, and no host has been configured or tested.


Host Configuration

Restart eth0 on the selected test host.

Check IP6 Address and Route

root #ip -6 addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:db8:beef:3:2ce7:23e:e628:2578/64 scope global noprefixroute dynamic 
       valid_lft 86234sec preferred_lft 14234sec
    inet6 fe80::2585:48ba:8c89:3ca5/64 scope link 
       valid_lft forever preferred_lft forever


root #ip -6 route show
2001:db8:beef:3::/64 dev eth0  proto kernel  metric 202  mtu 1280 pref medium
fe80::/64 dev eth0  proto kernel  metric 256  pref medium
ff00::/8 dev eth0  metric 256  pref medium
default via fe80::2b21:51fb:ebd1:f66f dev eth0  metric 202  mtu 1280 pref medium


Notice the route to 2001:db8:beef:3::/64 and the address 2001:db8:beef:3:2ce7:23e:e628:2578/64. This ties in nicely with the router's eth1.

The default route is the link local IPv6 address of eth1 in the router too.


root #ping6 google.com

should work to demonstrate IPv6 from the test host, through the router to the rest of the IPv6 connected world and from the entire IPv6 connected world back to your host.

IPv6 Firewall

If you don't have an IPv4 firewall but you have NAT and are fully aware of the risks in the internet exposed services you run, that's OK. Its your IPv4 risk management.

IPv4 firewalls are based on iptables. The IPv6 equivalent is ip6tables. The two are completely independent: iptables rules do nothing for IPv6 traffic, so an unfirewalled IPv6 stack sits wide open next to a carefully firewalled IPv4 one.

There are several tools for helping with setting up firewalls. I have used Shorewall for IPv4, so I will describe Shorewall6 (for IPv6) below.

My LAN is divided into three segments.

  1. Wired hosts - fully protected from the internet, wireless hosts and servers
  2. Wireless hosts - fully protected from the internet and servers
  3. Servers - internet exposed devices with limited external access


If this looks like a Smoothwall setup, once upon a time it was. I have even propagated the zone names from Smoothwall.

The firewall set up is to deny everything going anywhere then to add rules to permit traffic as required.

The normal domestic router, by contrast, runs a 'half open' setup, where anything is allowed out and packets are allowed in only in response to an outgoing request. This is simpler and faster to set up but has the disadvantage of allowing anything that does get in to phone home.

You will be surprised at the amount of things that appear to work but want to phone home for their own reasons too.

Shorewall6

Shorewall6 keeps its configuration files in /etc/shorewall6. For getting an IPv6 firewall working many of them can be left empty. Only the files listed below need to be edited:

  • interfaces - describe your interfaces to Shorewall6
  • params - constants you define for use in other files to make them easier to read
  • zones describe the network topology to shorewall6
  • policy - the defaults for each zone
  • rules - your firewall rules
  • shorewall6.conf - control logging and so on

They all have their own man page which you are encouraged to read.

Shorewall6 can do timed access and Quality of Service too, in case you need to throttle your teenagers. Those topics are out of scope of this document.

/etc/shorewall6/interfaces

#ZONE           INTERFACE               OPTIONS
net               ppp0
dmz               eth0            nosmurfs
blue              eth3            dhcp,nosmurfs
green             eth1            dhcp,nosmurfs,routeback

# green         protected interface
# blue          protected interface - can't get to wired
# dmz           servers
# net           big bad internet
# net can be eth2 or ppp0

/etc/shorewall6/params

###############################################################################
LOG=info

### IP addresses where we run particular services
### This avoids using name resolution in rules
### and at the same time, lets us use names for IP addresses
# Convention is initial capital letters for parameters

Notice the definition of

LOG=info

This allows us to write $LOG in other files.

Conversely, changing the LOG= here and restarting shorewall6 will change the log level everywhere that $LOG is used.

This file will grow as you write your rules. My /etc/shorewall/params (for IPv4) contains the following definitions. These will be migrated to /etc/shorewall6/params in due course. However, all the IPv6 addresses will be public, so I don't want to share them here. Of course, if my firewall works, any incoming connection attempts may be dropped

# Public IP address
Public=<Public IPv4 Address Withheld>

# All IPs in dmz are static

# Raspberry Pi Timeserver
Ntp=192.168.10.3

# Local IP of Webserver
Web=192.168.10.123

# Local IP of Shell Server (ssh)
Shell=192.168.10.123

# Local IP of Mail server
Mail=192.168.10.119

# Local IP of Gentoo Source Code Proxy
Source=192.168.10.119

# Local IP of Portage Mirror
Portage=192.168.10.119

# Local IP of LAPC1200 Wireless Access Point
WAP2=192.168.54.150

#############################################################################
# Local IP of Media Server
# Its in green
Media=192.168.100.55

# Local IP of BluRay Player
# Its in green
Bluray=192.168.100.180

# Local IP of OBi110
# Its in green just now but needs to move to blue
OBI110=192.168.100.80

These definitions allow the use of $Public $Ntp ... $Bluray and $OBI110 wherever the IP Address is needed in a rule.

You can also define constants to be used as port numbers or port number ranges here, in case

/etc/services

does not have the port numbers you need.

/etc/shorewall6/policy

This file says that anything coming from the internet (net) to anywhere is dropped: the originator gets no error message at all. Everything else is rejected, which does send an ICMPv6 error back. That means that you will get an error message if you try to connect to one of your own servers (in the dmz) from a wired host (green) until you write a rule.

###############################################################################
#SOURCE DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
#                               LEVEL   BURST           MASK
net     dmz     DROP            $LOG
net     blue    DROP            $LOG
net     green   DROP            $LOG
net     $FW     DROP            $LOG
all     all     REJECT          $LOG

The policy is applied when ip6tables gets to the end of the rules for a zone pair and nothing has matched the packet. One IPv6-specific caveat: IPv6 depends on ICMPv6 for neighbour discovery, router advertisements and path MTU discovery, so a blanket DROP of ICMPv6 breaks IPv6 rather than hardening it. Shorewall6 adds the ICMPv6 permits RFC 4890 requires itself; if you write raw ip6tables rules you must do so yourself.
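For a router that does not run Shorewall6, here is the same policy written directly for ip6tables, as an added example that is not part of this page and is not what Shorewall6 generates. It produces an ip6tables-restore file: net is silently dropped, everything else is rejected, and the ICMPv6 types IPv6 cannot live without are permitted before either. The interface names, the dmz service list and the 2001:db8: addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page, not Shorewall6 output): the
# "DROP from net, REJECT everything else, permit explicitly" policy as an
# ip6tables-restore file.  Interface names and 2001:db8: addresses are
# assumptions.
#
# Usage: gen_ip6tables_rules WAN_IF "LAN_IF ..." "ADDR/PROTO/PORT ..." | ip6tables-restore
#   Each ADDR/PROTO/PORT is a dmz service the internet may reach.

emit() { printf '%s\n' "$*"; }

gen_ip6tables_rules() {
    wan=$1; lans=$2; services=$3
    emit '*filter'
    emit ':INPUT DROP [0:0]'
    emit ':FORWARD DROP [0:0]'
    # OUTPUT is left open for the router's own traffic (dhcpcd, radvd, the
    # ping6 tests); the page's all/all REJECT is stricter than this.
    emit ':OUTPUT ACCEPT [0:0]'
    emit -A INPUT -i lo -j ACCEPT
    for chain in INPUT FORWARD; do
        emit -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        emit -A "$chain" -m conntrack --ctstate INVALID -j DROP
        # ICMPv6 error messages (RFC 4890 4.3.1).  Dropping type 2 (packet
        # too big) silently breaks path MTU discovery for everything behind
        # the router, which is why IPv4 firewall habits do not transfer.
        for t in 1 2 3 4; do
            emit -A "$chain" -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
        done
    done
    # Neighbour discovery: solicitations from the LANs, router advertisements
    # only from the ISP, NS/NA everywhere.  Legitimate ND always carries hop
    # limit 255, so anything routed to us cannot spoof it.
    for lan in $lans; do
        emit -A INPUT -i "$lan" -p ipv6-icmp --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
    done
    emit -A INPUT -i "$wan" -p ipv6-icmp --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
    for t in 135 136; do
        emit -A INPUT -p ipv6-icmp --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
    done
    # DHCPv6 replies (prefix delegation) come from the ISP's link local
    # unicast address, not the multicast address we solicited, so conntrack
    # does not pair them with our request.
    emit -A INPUT -i "$wan" -s fe80::/10 -p udp --dport 546 -j ACCEPT
    # Rate limited pings keep the router diagnosable without being a reflector.
    emit -A INPUT -p ipv6-icmp --icmpv6-type 128 -m limit --limit 10/second -j ACCEPT
    # LAN to internet.  The page's deny-all approach leaves LAN-to-LAN and
    # LAN-to-dmz traffic rejected until you write a rule for it; so does this.
    for lan in $lans; do
        emit -A FORWARD -i "$lan" -o "$wan" -j ACCEPT
    done
    # Internet to dmz services: explicit permits only.
    for svc in $services; do
        addr=${svc%%/*}; rest=${svc#*/}
        proto=${rest%%/*}; port=${rest#*/}
        emit -A FORWARD -i "$wan" -d "$addr" -p "$proto" --dport "$port" -j ACCEPT
    done
    # net -> anything: silent DROP.  Everything else: REJECT with an error.
    for chain in INPUT FORWARD; do
        emit -A "$chain" -i "$wan" -j DROP
        emit -A "$chain" -j REJECT --reject-with icmp6-adm-prohibited
    done
    emit COMMIT
}

# Render the ruleset for a router like the one on this page: ppp0 uplink,
# three LAN interfaces, one dmz host serving HTTPS and DNS (assumed values).
rules_for_example() {
    gen_ip6tables_rules ppp0 "eth0 eth1 eth3" \
        "2001:db8:beef:2::53/tcp/443 2001:db8:beef:2::53/udp/53"
}
rules_for_example
```

Read the output before loading it; then gen_ip6tables_rules ... | ip6tables-restore installs it, and /etc/init.d/ip6tables save keeps it across reboots in the usual Gentoo way. Dropping the four ICMPv6 error types or the hop-limit-255 neighbour discovery lines is the mistake that turns a working IPv6 router into one that "sometimes" loses large downloads.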

/etc/shorewall6/rules

/etc/shorewall6/shorewall6.conf

/etc/shorewall6/zones

You don't need the comments, and the names only need to be unique.

###############################################################################
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
#       The firewall is its own zone 
fw      firewall
#
#       Green is the wired network
green   ipv6
#
#       The internet is allowed to the dmz - servers go here  
dmz     ipv6
#
#       Connect your WAP here - Wireless devices
blue    ipv6
#
#       The big bad internet
net     ipv6

IPv6 Routing

When IPv6 was designed, address autoconfiguration was built in: set up the software and off you go. Hosts build their own addresses from the advertised prefix, and those with privacy extensions enabled (RFC 4941, now RFC 8981) also generate temporary addresses that change over time. This means you get random looking IPv6 addresses all over your LAN, which can make firewalling by address difficult.

You can set static IPs, and you will need to if you run servers, since your AAAA records in the DNS must point at them.

Stateless IPv6 Setup

Use this method (SLAAC, addresses configured from router advertisements alone) if your LAN is all in one zone. That is, if every device on your LAN is free to connect to every other device on your LAN. My view is that this is insecure if you have any wireless devices, since they should not be permitted to connect to wired devices.

Privacy

Stateful IPv6 Setup

Use this method (DHCPv6, where the router hands out addresses it chooses) if your LAN is divided into groups of related hosts and you want to control connectivity between them.

IPv6 Nameservers

It's all very well having IPv6 connectivity everywhere, but it looks a bit tarnished if you still reach your nameservers over IPv4 to get the IPv6 addresses IPv6 needs. It works that way, but until you have nameservers reachable over IPv6 your IPv6 will not be independent of IPv4.

/etc/hosts

Static IPs

Static Routes