#!/bin/blog

September 1, 2010

IPv6

Filed under: Internet — Tags: — martin @ 7:54 am

On a whim, I decided to deploy IPv6. And all I can say is: It’s a lot easier than you think. I’m writing down a few notes here from the non-network-engineer’s point of view. This is supposed to be the first from a series of postings about my IPv6 deployment.

The Tunnel

Unless you’re hosted at an ISP that already supports IPv6, you’ll need a tunnel provider for tunnelled IPv6 access. Getting and configuring the tunnel is the hardest part of joining the IPv6 internet, but fear not, the tunnel providers have very good configuration tools to assist you.

I started out by registering with SixXS. They have a somewhat restrictive registration procedure, so it took me about 24 hours until I could finally request my tunnel for the home DSL connection. Setting up the tunnel using the AICCU application that was prepackaged on my OpenBSD firewall was a matter of minutes. Also, it was one of the rare occurences where things worked perfectly right at the first attempt. The tunnel was up immediately after the first start of the AICCU daemon.

Unfortunately, I didn’t have enough funny SixXS credits left after that and could not request a subnet, so all I had to work with was my IPv6 tunnel endpoint. This was not too satisfactory, so I, naively, started to configure NAT in OpenBSD’s pf.conf, which, much to my surprise and in contradiction to everything that’s being said on the net, worked immediately.

Choosing a Private Subnet

Choosing the IPv6 subnet for my internal network was unneccessarily hard. I went through several iterations of fec0::/10 “site local unicast” addresses, experimenting with /96, /112 and /120 subnets that seemed to be appropriate for what I run in my little office. In the end, I went with a “unique local unicast” /64 /48 subnet from the fd00::/8 range that I generated randomly at the SixXS unique local address registry.

Updated to add: Forget it. Use the subnet that the tunnel provider assigns to you. Don’t waste time applying IPv4 paradigms to your network by using “private” IP addresses. Remember to use a /64 subnet in order for autoconfiguration to work.

Autoconfiguration

Autoconfiguration of IPv6 clients works ad-hoc if the network uses a /64 prefix and the router responds to router solicitation requests. In the case of my OpenBSD firewall, I only had to run rtadvd and all clients autoconfigured their IPv6 immediately. DHCPv6 is only required if extended network attributes such as the DNS server need to be propagated to the clients. This is currently handled in IPv4 by DNSmasq at my site, so there is no need for DHCPv6 at the moment.

More Tunnels

After I had my DSL on IPv6, I wanted to move on to my hosting sites in USA and Europe, where there is no IPv6 available yet. For this purpose, I registered at Hurricane Electric’s Tunnelbroker service. The people at he.net are less discriminating than SixXS and will instantly give you a tunnel and a /64 subnet. They don’t provide a nice configuration utility such as AICCU, but generate the required tunnel configuration commands for every known relevant OS so they can readily be pasted into some local startup file.

An important difference between he.net and SixXS is that the tunnels from he.net can be initiated from both ends of the connection, so it’s important to open the firewall on the local tunnel endpoint for proto 41 (not port 41) from the remote endpoint.

Summary for now

If you have a dynamic IP address, sit tight and wait for the unconventional SixXS registration procedure to complete, as they explicitly support dynamic tunnels.

If you are on a static IP address, get instant IPv6 from he.net.

Once the tunnels are configured, everything in IPv6 works straighforward. Lots of experience with IPv4 may be helpful, but on the other hand, this experience might turn out to be a problem if you try to apply IPv4 paradigms such as tight subnets or NAT to the IPv6 world.

IPv6 is supported in every common client and server application and addressing works just as in IPv4, only with different notation.

IPv6 address records in DNS are of the AAAA type; everything else, such as MX records, works just like in IPv4. If you have experience with these in IPv4, you will easily find your way in IPv6.

As I said: It’s a lot easier than you think.

Advertisements

1 Comment »

  1. […] Martin's explanation of how it all fits in was sound, so I quickly applied for and got a tunnel. […]

    Pingback by Jan-Piet Mens » From 1 (IPv4) to extremely very muchos (IPv6) in 25 hours — October 31, 2010 @ 10:58 am


RSS feed for comments on this post. TrackBack URI

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Create a free website or blog at WordPress.com.

%d bloggers like this: