On IPv6

What the hell is IPv6, and why should I care?

It’s the next generation of the Internet Protocol. You’ve probably heard that the world has pretty much run out of IPv4 addresses. Sure, four billion sounded like a lot of endpoints when it was first drafted, but nobody predicted this sort of growth. In layman’s terms, the v4 internet is full, and we need to build a bigger one.

A lot of people think the differences in IPv6 end there. Hell, that’s what I thought when I first heard about it. The fact is, they’ve changed how things are done, and it’s not so much what’s been added as what’s been removed.

OK, so what’s different?

A move from 32-bit to 128-bit addressing. This equates to a practically unlimited number of addresses: 2^128, which is a 39-digit number. We’ll never fill it.

Network Address Translation is gone. Well, it’s supposed to be. To cut it short, you don’t hide an entire network behind a single IP. Every machine has its own unique address. The original idea of NAT was to allow multiple machines to share an Internet connection, but IT administrators the world over have used NAT as a security model, because a machine behind a NAT box can’t be reached from outside unless a port is explicitly forwarded. What was actually protecting them was the stateful filter that NAT needs in order to work at all: connections started from the inside get through, unsolicited ones from the outside don’t. The IPv6 approach keeps exactly that part and drops the address rewriting: a packet filter on the gateway, default-deny for inbound connections. That’s all there is to it.

There’s been a lot of debate about the removal of NAT. There’s a bunch of backwards IT nutjobs who want to take the approach of “we’ve been doing it wrong for this long, and we want the right to keep doing it wrong going forward”. These people are pushing for NAT in IPv6. They need to shut up and adapt for the good of the Internet. Once you realise that NAT would bring nothing to the table in IPv6 that a stateful packet filter doesn’t already give you, you’ll be glad it’s gone.

Unique global IP addresses for everyone

You’ve probably guessed by now that there’s no IP sharing. Once you have a global prefix, every machine behind your gateway is addressable from anywhere on the Internet. It sounds scary, but the packet filter on your gateway is where you decide what actually gets in: default-deny inbound, then open exactly the ports you want, the same way you’d forward ports on a NAT box today.

A new way of expressing addresses
A full IPv6 address would look like this:

2001:0db8:0000:0000:0000:0000:0000:0001

However, it can be shortened to “2001:db8::1”: leading zeros in each group are dropped, and one run of all-zero groups (the longest one, if there are several) is collapsed to a double colon. Only one “::” is allowed per address, otherwise you couldn’t tell how many groups it stands for. Some people think this is new and clever, but IPv4 has had a sloppier version for years: “127.1” is accepted as “127.0.0.1” by most tools (ping it if you don’t believe me!), though that one is a quirk of the inet_aton parser rather than part of the standard.

DHCP has (mostly) been replaced with “Router Advertisements”

Basically, instead of running the ISC DHCP server, you run radvd (the Router Advertisement Daemon). It periodically multicasts Router Advertisements (and answers solicitations for them) that tell machines on the LAN which prefix is in use and that this box is the way out to the internet. DHCPv6 still exists for when you want central control over addresses or need to hand out more than a prefix and DNS servers, but for a home or small-office LAN you don’t need it.

Another cool thing is what they call “stateless address autoconfiguration” (SLAAC). Every IPv6 interface gives itself a “link-local” address in fe80::/10 before it has heard from any router. Link-local addresses only work on the local link; they are never routed, not even inside your own network (the IPv4 equivalent is 169.254.x.x, not the 192.168.* or 10.* private ranges). The classic way to build the host part of the address is from the MAC address: split the MAC in half, insert ff:fe in the middle and flip the “universal/local” bit. So a machine with a MAC of 00:24:1d:23:50:67 gets a link-local address of fe80::224:1dff:fe23:5067/64, visible to every machine on the local network, and when a router advertises a /64 prefix the machine tacks the same 64-bit suffix onto that prefix to form its global address. Because the MAC is baked into the address, it follows a laptop from network to network, which is why modern systems support “privacy extensions” that use a random, periodically rotated suffix instead. Either way, the host runs duplicate address detection before using an address, so nobody needs to hand out leases.
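To make the MAC-to-address derivation concrete, here is an added example (not code from the original post) that builds the modified EUI-64 interface identifier from a MAC exactly as described above, combines it with an advertised /64 the way a SLAAC host does, and then does the reverse: pulls the MAC back out of any address that carries the ff:fe marker. The reverse step is the privacy problem in one function, and is why privacy extensions exist. The prefix 2001:db8:1:2::/64 below is a documentation prefix chosen for the example.

```python
import ipaddress


def mac_to_eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (as a 64-bit int) for a 48-bit MAC.

    RFC 4291 Appendix A: split the MAC in half, insert 0xfffe in the middle,
    and invert the universal/local bit (0x02 of the first octet).
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC, got %r" % mac)
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02                       # flip the U/L bit: 00:24:... becomes 02:24:...
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> str:
    """The address a SLAAC host forms from an advertised /64 and its MAC.

    Hosts only autoconfigure from a 64-bit prefix, so anything else is rejected
    here just as a real host would ignore it.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix, got /%d" % net.prefixlen)
    return str(ipaddress.IPv6Address(int(net.network_address) | mac_to_eui64_iid(mac)))


def mac_from_eui64_address(addr: str):
    """Recover the MAC from an EUI-64 style address, or None if it isn't one.

    Anyone who sees such an address learns the NIC vendor (OUI) and serial and can
    correlate the host across every network it visits; a privacy-extension address
    has a random identifier and yields None.
    """
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02                         # undo the U/L flip
    return ":".join("%02x" % x for x in b[:3] + b[5:])


if __name__ == "__main__":
    mac = "00:24:1d:23:50:67"                                   # the MAC from the text
    print("link-local:", slaac_address("fe80::/64", mac))       # fe80::224:1dff:fe23:5067
    print("global:    ", slaac_address("2001:db8:1:2::/64", mac))
    print("leaked MAC:", mac_from_eui64_address("2001:db8:1:2:224:1dff:fe23:5067"))
```

If you want to see which of your hosts leak their MAC, feed `mac_from_eui64_address` the addresses from your gateway’s neighbour table: every non-None result is a machine without privacy extensions.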

Bigger Packets

Our links have gotten much faster and more reliable over the years. A packet is the unit that gets checked and, at the transport layer, retransmitted if it goes missing. A 1500-byte packet made sense over a dial-up modem, but at the gigabit speeds we’re approaching now that means roughly 80,000 packets per second, each carrying its own headers and, at the TCP layer, its own sequence number and checksum. The per-packet overhead is just silly at that rate. IPv6 trims it a little (the IPv6 header has no checksum of its own, and routers no longer fragment packets in flight; the sender discovers the path MTU and sizes packets itself) and it raises the ceiling: every link must now carry at least 1280 bytes, and with the “jumbogram” extension header a single packet can be up to 4GB. We won’t be pushing packets that large any time soon, and in practice your MTU is still whatever your Ethernet (or your tunnel) allows, but it’s thinking of the future.

So, should I switch?

I wouldn’t call it “switching”. The current standard approach is to implement both at once in what’s called a “dual stack”. This opens your network up to the IPv6 world without touching your current IPv4 configuration in any way. I’ve tried browsing the net in IPv6-only mode, and I’ve found that the majority of it is missing or broken. At this point, you’d want to keep IPv4 running as well. This will change in the future, but that’s in a very, very distant future.

If you’re thinking that an IPv6 tunnel may slow down your internet, remember that AARNet is one of the fastest networks in Australia and uses jumbo frames between its nodes; in practice you can get significantly faster speeds over it, particularly across oceans. The one cost is that the tunnel’s MTU is smaller than your Ethernet MTU (the IPv6 packet has to fit inside an IPv4 one), which is why the firewall below lets ICMPv6 through: “Packet Too Big” messages are how hosts find that out.

For example, a comparative speed test to California (image not reproduced here).

Convinced? So, let’s get started, shall we?

Configuring IPv6 on an Ubuntu 12.04 Server

  1. Sign up with a Tunnel Service.
    If you’re in Australia, I recommend the AARNET IPv6 Broker Tunnel. It’s free, and reasonably easy to create an account on. Other common providers are SixXS and gogo6.
  2. Install gogoc

    sudo apt-get install gogoc

    Once installed, edit /etc/gogoc/gogoc.conf and make the following changes. The file holds your broker password in plain text, so keep it owned by root with mode 600.

    • userid=your_user_id
    • passwd=your_password
    • server=broker.aarnet.edu.au
    • auth_method=any
    • host_type=router
    • if_prefix=eth0
    • tunnel_mode=v6anyv4
  3. Start the gogoc service:

    sudo service gogoc start

    Take a peek at the logfile at /var/log/gogoc/gogoc.log. If your login succeeded, you’ll get a line like this one:

    2012/06/28 07:28:58 I gogoc: Your IPv6 prefix is 2001:XXXX:XXXX:XXXX:0000:0000:0000:0000/56.

    Take note of this prefix. A /56 means the first 56 bits (the first three groups plus the top two hex digits of the fourth) are fixed by your broker; the remaining 8 bits of the fourth group are yours, which gives you 256 /64 networks to play with. SLAAC only works with /64 prefixes, so pick one /64 out of your /56 for your LAN (the one where the fourth group ends in 00 is the obvious choice) and use that same /64 for radvd and for the server’s static address in the following steps. If you’re assigned a /48 instead, the same applies, you just have 65,536 /64s to choose from; if you only get a /64, that single prefix is your LAN.

    To test that everything works, try pinging Google:

    # ping6 google.com
    PING google.com(2404:6800:4006:804::1002) 56 data bytes
    64 bytes from 2404:6800:4006:804::1002: icmp_seq=1 ttl=58 time=27.3 ms
    64 bytes from 2404:6800:4006:804::1002: icmp_seq=2 ttl=58 time=21.8 ms
    64 bytes from 2404:6800:4006:804::1002: icmp_seq=3 ttl=58 time=23.0 ms
    
    --- google.com ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2003ms
    rtt min/avg/max/mdev = 21.884/24.093/27.322/2.337 ms
  4. Give your server a static IPv6 address
    Edit /etc/network/interfaces and define a static IPv6 address. It must come from the /64 you picked out of your assigned prefix in the previous step. We’re adding a firewall in the next step; the pre-up command loads it as the IPv6 interface comes online, before any traffic can flow. Do not remove any existing definitions for IPv4 or the loopback interface. This stanza is appended to the existing IPv4 config.

    iface eth0 inet6 static
            pre-up modprobe ipv6
            pre-up ip6tables-restore < /etc/ip6tables.rules
            address 2001:388:e000:a100::1
            netmask 64

    Note that I’ve simply tacked a “::1” onto the prefix to address the server. This is the easiest to remember, but you can have some fun here. I’ve seen “::cafe:beef” and “::face:b00c” out in the wild. Note this IP, because we need to use it in quite a few places later on.

  5. Configure ip6tables
    If you haven’t done so already, install iptables (the same package provides ip6tables).

    sudo apt-get install iptables

    Now create /etc/ip6tables.rules with the following contents:

    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    # Traffic addressed to the gateway itself
    -A INPUT -i tun -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i tun -p icmpv6 -j ACCEPT
    -A INPUT -i tun -p tcp -m tcp -d 2001:XXXX:XXXX:XXXX::1 --dport 80 -j ACCEPT
    -A INPUT -i tun -p tcp -m tcp -d 2001:XXXX:XXXX:XXXX::1 --dport 22 -j ACCEPT
    -A INPUT -i tun -j DROP
    # Traffic routed through the gateway to the other machines on the LAN
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i tun -p icmpv6 -j ACCEPT
    -A FORWARD -i eth0 -o tun -j ACCEPT
    COMMIT

    For the purpose of example, I have punched two holes in the INPUT chain for SSH and HTTP, so the server itself is reachable on those ports over IPv6. Feel free to add or remove rules. The INPUT chain only covers traffic addressed to the gateway; traffic for the other machines on your LAN goes through the FORWARD chain, and that chain is the real replacement for NAT. Its policy is DROP, replies to connections started from inside are let back in, ICMPv6 is allowed (IPv6 needs it for neighbour discovery and path MTU discovery, so never block it wholesale), and anything your LAN sends out over the tunnel is allowed.
    You may also notice that there is no NAT whatsoever. This configuration acts as a filter, not a NAT. If you want to open a port on another machine behind the gateway, add a FORWARD rule (before COMMIT) that names that machine’s IPv6 address (you may want to make it static) and the port, mirroring the INPUT rules above with FORWARD in place of INPUT. Remember that every machine’s IPv6 address is globally unique and globally routable, so without that FORWARD chain every port on every machine is on the public internet.

    Anything arriving over the tunnel that isn’t explicitly allowed here is dropped, whether it’s for the gateway or for a machine behind it.

    Restart the networking service to bring up the new config:

    service networking restart

    Note: if you skip this step, or leave the FORWARD chain at its default ACCEPT policy, every machine on your network will be exposed to the public internet on every port, because there is no NAT to hide behind. Make absolutely sure the rules are loaded (ip6tables -L -n -v should list them, with the FORWARD policy shown as DROP) before enabling router advertisements – which brings us to the next step:

  6. Install and configure radvd:
    Radvd is the Router Advertisement Daemon. It multicasts Router Advertisements over your LAN telling hosts which prefix to use and that this box is their route to the internet. It plays a similar role to DHCP, but there is no negotiation: an IPv6-enabled client hears an advertisement (or asks for one with a Router Solicitation when it comes up) and configures itself without any further assistance. Radvd keeps no leases and no per-client state at all. Each host builds its own address by appending a 64-bit interface identifier, derived from its MAC address or randomly generated if privacy extensions are on, to the advertised /64, and runs duplicate address detection before using it, so addresses end up unique without a central server managing them. Two things to know before you start it: radvd checks that IPv6 forwarding is enabled and refuses to run otherwise (gogoc in router mode turns it on for you), and the prefix you advertise must be a /64, because that is the only size hosts will autoconfigure from.

    sudo apt-get install radvd

    Modify /etc/radvd.conf to read as follows, using the /64 you picked out of your prefix in step 3 (the same one the server’s static address lives in). It’s safe to replace the trailing zeroes with a double colon (::).

    interface eth0
    {
    	AdvSendAdvert on;
    	prefix 2001:XXXX:XXXX:XXXX::/64
    	{
    		AdvOnLink on;
    		AdvAutonomous on;
    	};
    	RDNSS 2001:XXXX:XXXX:XXXX::1 {
    	};
    };

    Note: RDNSS advertises an IPv6 DNS server to clients. If you’re running bind9 on the same machine, use the machine’s static IPv6 address here. Otherwise, Google’s public DNS (2001:4860:4860::8888) should work. Not every client honours RDNSS (on Linux you typically need rdnssd or a NetworkManager that understands it, and Windows 7 ignores it), and you can omit it altogether, in which case DNS lookups simply keep going over IPv4.

    Now start radvd:

    service radvd start

    At this point, other ipv6-enabled machines on your network should be able to get out to the internet. Perhaps visit http://ipv6-test.com/ to put your connection through its paces.
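The easiest mistake in this whole procedure is the one in step 5: writing INPUT rules and assuming they protect the machines behind the gateway. As an added example (not code from the original post), here is a small simulator that parses the subset of ip6tables-save syntax used above and walks a packet through the chain the kernel would pick, INPUT for the gateway’s own address and FORWARD for everything routed through it. Two constructed rulesets are compared: one with only the INPUT chain filtered and FORWARD left at ACCEPT, and one with the default-DROP FORWARD chain plus a single hole punched through to a LAN host’s web server. The 2001:db8:0:100::/64 prefix, the gateway address and the LAN host address are documentation values standing in for the page’s 2001:XXXX prefix.

```python
import ipaddress
import shlex

# Constructed for this example: the gateway's own address and a SLAAC host behind it.
GATEWAY = ipaddress.IPv6Address("2001:db8:0:100::1")
LAN_HOST = "2001:db8:0:100:224:1dff:fe23:5067"

# Constructed ruleset A: INPUT is filtered, FORWARD keeps its default ACCEPT policy.
RULES_INPUT_ONLY = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i tun -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun -p icmpv6 -j ACCEPT
-A INPUT -i tun -p tcp -m tcp -d 2001:db8:0:100::1 --dport 22 -j ACCEPT
-A INPUT -i tun -j DROP
COMMIT
"""

# Constructed ruleset B: same INPUT rules plus a default-DROP FORWARD chain that
# admits replies, ICMPv6, LAN-originated traffic and one hole to the LAN host's web server.
RULES_WITH_FORWARD = RULES_INPUT_ONLY.replace(":FORWARD ACCEPT", ":FORWARD DROP").replace(
    "COMMIT",
    "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
    "-A FORWARD -i tun -p icmpv6 -j ACCEPT\n"
    "-A FORWARD -i tun -p tcp -m tcp -d " + LAN_HOST + " --dport 80 -j ACCEPT\n"
    "-A FORWARD -i eth0 -o tun -j ACCEPT\n"
    "COMMIT",
)


def parse_rules(text):
    """Parse the ip6tables-save subset used above into {chain: (policy, [rule, ...])}.

    A rule is a dict of the matches this toy understands: -i, -o, -p, -d, --dport,
    --state, and the -j target. "-m state" / "-m tcp" only load a match module.
    """
    chains = {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains[name] = (policy, [])
        elif line.startswith("-A"):
            tok = shlex.split(line)
            chain, rule, i = tok[1], {}, 2
            while i < len(tok):
                flag, val = tok[i], tok[i + 1]
                if flag == "-i":
                    rule["in"] = val
                elif flag == "-o":
                    rule["out"] = val
                elif flag == "-p":
                    rule["proto"] = val
                elif flag == "-d":
                    rule["dst"] = ipaddress.IPv6Network(val, strict=False)
                elif flag == "--dport":
                    rule["dport"] = int(val)
                elif flag == "--state":
                    rule["state"] = set(val.split(","))
                elif flag == "-j":
                    rule["target"] = val
                elif flag != "-m":
                    raise ValueError("unsupported option %r" % flag)
                i += 2
            chains[chain][1].append(rule)
    return chains


def packet(dst, dport=None, proto="tcp", state="NEW", in_if="tun", out_if=None):
    """One packet as the filter sees it; out_if is None for local delivery."""
    return {"dst": ipaddress.IPv6Address(dst), "dport": dport, "proto": proto,
            "state": state, "in": in_if, "out": out_if}


def rule_matches(rule, pkt):
    checks = {
        "in": lambda v: pkt["in"] == v,
        "out": lambda v: pkt["out"] == v,
        "proto": lambda v: pkt["proto"] == v,
        "dst": lambda v: pkt["dst"] in v,
        "dport": lambda v: pkt["dport"] == v,
        "state": lambda v: pkt["state"] in v,
    }
    return all(checks[k](v) for k, v in rule.items() if k != "target")


def verdict(rules_text, pkt):
    """Pick INPUT (for the gateway) or FORWARD (for anyone else), walk the chain
    in order, and return (chain, verdict); the policy applies if nothing matched."""
    chains = parse_rules(rules_text)
    chain = "INPUT" if pkt["dst"] == GATEWAY else "FORWARD"
    policy, rules = chains[chain]
    for rule in rules:
        if rule_matches(rule, pkt):
            return chain, rule["target"]
    return chain, policy


if __name__ == "__main__":
    # A fresh SSH connection from the Internet to the LAN host goes straight through
    # ruleset A because FORWARD was never filtered; ruleset B drops it.
    ssh_to_lan = packet(LAN_HOST, 22, out_if="eth0")
    print("INPUT-only rules:", verdict(RULES_INPUT_ONLY, ssh_to_lan))    # ('FORWARD', 'ACCEPT')
    print("with FORWARD:    ", verdict(RULES_WITH_FORWARD, ssh_to_lan))  # ('FORWARD', 'DROP')
```

The simulator deliberately ignores things the real kernel does (connection tracking state is given, not inferred; there is no OUTPUT or raw table), but the structural point survives: a rule in INPUT never sees a packet whose destination is another machine, so the hole-punching rule for a LAN host has to live in FORWARD, and FORWARD has to default to DROP.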

