Prep for Tomorrow with an IPv6 Testbed
http://www.enterprisenetworkingplanet.com/netsp/article.php/3411351/Prep-for-Tomorrow-with-an-IPv6-Testbed.htm
Yes, friends, I am afraid you do have to start paying attention to IPv6 (Internet Protocol version 6). It's on its way, it's inevitable, and us ace network admins must learn to use it.
At this point, at least in the United States, it's a novelty along the lines of the talking dog. It's not that it talks well, but that it talks at all; in other words, implementation here is very limited. IPv6 is not an extension to IPv4, but a whole new protocol. So the transition to IPv6 means building devices, like network cards, phones, and routers, that support both, and running them side-by-side as the entire freakin' Internet makes the changeover. And it means updating all manner of software. Some say it will take 10-20 years.
IPv6 offers more than just a larger addressing space. It also features a number of significant improvements, such as standardized QoS (Quality of Service), built-in security, speed, and simplified routing tables. For more background information, please visit the links in Resources. In this article we will look at getting connected to an IPv6 backbone via an IPv6-over-IPv4 tunnel, and setting up a local subnet to play with.
Are You Already IPv6-ed?
It may be that your service provider has already rolled out IPv6. You can check by visiting any of these sites:
If you are connecting over IPv6, you'll see animated logos at the top of the first two sites. SixXS merely displays a dignified text report. Most likely you're not, but it doesn't hurt to look.
Does Your Kernel Support IPv6?
The thorny part is making sure your Linux kernel supports IPv6. Linux kernels since 2.2 have supported IPv6 via loadable kernel modules, but not all distributions ship IPv6-enabled kernels. Fedora comes ready to rock; most of the others don't. The easy way to check is to look at your /boot/config-* file. If you see this:
    # CONFIG_IPV6 is not set
Too bad so sad, you need to add the modules to your kernel (see Resources). This is what it looks like in Fedora:
    $ cat config-2.6.5-1.386 | grep -i ipv6
    CONFIG_IPV6=m
    CONFIG_IPV6_PRIVACY=y
    CONFIG_IPV6_TUNNEL=m
    # IPV6: Netfilter Configuration
    CONFIG_IPV6_NF_MATCH_IPV6HEADER=m
Also check for the existence of /proc/sys/net/ipv6.
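The two checks above can disagree: a kernel built with CONFIG_IPV6=m has no /proc/sys/net/ipv6 until the module is loaded. The script below is an added example, not part of the original article, that combines both checks into one verdict; the function names are made up for this example and the paths are arguments so it can be pointed at any config file.

```shell
#!/bin/sh
# Added example: classify IPv6 support from a kernel build config and
# compare it with the running kernel. Function names are hypothetical.

# Prints: builtin | module | disabled | unknown
ipv6_config_state() {
    cfg=$1
    [ -r "$cfg" ] || { echo unknown; return 0; }
    if grep -q '^CONFIG_IPV6=y$' "$cfg"; then
        echo builtin
    elif grep -q '^CONFIG_IPV6=m$' "$cfg"; then
        echo module
    elif grep -q '^# CONFIG_IPV6 is not set$' "$cfg"; then
        echo disabled
    else
        echo unknown
    fi
}

# Prints: active | inactive, depending on whether the sysctl tree exists.
ipv6_runtime_state() {
    procdir=${1:-/proc/sys/net/ipv6}
    if [ -d "$procdir" ]; then echo active; else echo inactive; fi
}

# Usage: ipv6_verdict CONFIG_FILE [PROC_DIR]
ipv6_verdict() {
    state=$(ipv6_config_state "$1")
    runtime=$(ipv6_runtime_state "$2")
    case "$state/$runtime" in
        builtin/active|module/active) echo "ok: IPv6 $state and active" ;;
        module/inactive) echo "load: built as a module but not loaded (modprobe ipv6)" ;;
        disabled/*) echo "rebuild: CONFIG_IPV6 is not set" ;;
        builtin/inactive) echo "check: built in but the sysctl tree is missing" ;;
        *) echo "unknown: no readable config; runtime is $runtime" ;;
    esac
}

# Check the config that belongs to the running kernel.
ipv6_verdict "/boot/config-$(uname -r)"
```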
IPv6 Network Utilities
Your old reliable friends ping and traceroute may not be IPv6-clueful, if they are too old. The latest iputils RPM supports both IPv4 and IPv6. On Debian, get the packages iputils-ping and iputils-tracepath.
Getting IPv6-ed
The fine folks at Hexago host a free service to allow us to play with real live IPv6. (This used to be on freenet6.net, for you oldtimers.) You need a static, routable IP address on your Internet gateway. First sign up for an account. Then download and install the client software, tspc-2.1-src.tgz. Stick it in any directory you like:
    $ mkdir -m 755 ~/tspc
    $ cd ~/tspc
    $ tar zxvf tspc-2.1-src.tgz
    $ cd tspc2
    $ make all target=linux
Then go to /tspc2/bin. Open tspc.conf.sample, and add the login and password for your Hexago/Freenet6 account. Then comment out "server=anon.freenet6.net", and uncomment "server=broker.freenet6.net". Change the filename to tspc.conf.
Next, while you're still in /tspc2/bin, su to root, and start up your IPv6-over-IPv4 tunnel:
    # ./tspc
    tspc - Tunnel Setup Protocol Client v2.1
    Initializing (use -h for help)
    Connecting to server with reliable UDP
    Got tunnel parameters from server, setting up local tunnel
    Going daemon, check tspc.log for tunnel creation status
Well, OK! The connection is successful. Forget reading boring old logs — fire up a Web browser and connect to any of the sites listed above in "Are You Already IPv6-ed?" The KAME site will display an arthritic dancing turtle. Aerasec's main logo will do gentle gyrations. Have some patience, because tunneling IPv6-over-IPv4 is slow.
Take a look at the output from /sbin/ifconfig; you'll have a new section:
    tun   Link encap:Point-to Point Protocol
          inet6 addr: 2001:5c0:8fff:fffe::373/128 Scope:Global
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1280 Metric:1
          RX packets:271 errors:0 dropped:0 overruns:0 frame:0
          TX packets:304 errors:0 dropped:0 overruns:0 carrier:2
          collisions:0 txqueuelen:10
          RX bytes:192396 (187.8 KB) TX bytes:42300 (41.2 KB)
Problems
The number one problem is them bad firewalls blocking your nice IPv6-over-IPv4 packets. Make sure port 41 is open, both incoming and outgoing. Problem number two is not having support in the kernel.
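IPv6-in-IPv4 encapsulation is carried as IPv4 protocol number 41, which iptables matches with -p 41 rather than with a port option. The script below is an added example, not part of the original article, that prints rules passing protocol 41 only to and from one tunnel endpoint and dropping it from everyone else; the function names are made up and 192.0.2.1 is a documentation address standing in for your broker's tunnel endpoint.

```shell
#!/bin/sh
# Added example: emit iptables rules that pass 6in4 (IPv4 protocol 41)
# only between this host and one tunnel endpoint. Nothing is applied;
# the rules are printed for review. Function names are hypothetical.

# Succeeds if $1 is a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1          # safe to split: only digits and dots remain
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Usage: tunnel_rules BROKER_IPV4
tunnel_rules() {
    broker=$1
    valid_ipv4 "$broker" || { echo "bad broker address: $broker" >&2; return 1; }
    cat <<EOF
iptables -A INPUT  -p 41 -s $broker -j ACCEPT
iptables -A OUTPUT -p 41 -d $broker -j ACCEPT
iptables -A INPUT  -p 41 -j DROP
iptables -A OUTPUT -p 41 -j DROP
EOF
}

# Constructed sample: 192.0.2.1 stands in for the real tunnel endpoint.
tunnel_rules 192.0.2.1
```

The rules cover only the encapsulated tunnel traffic; review the printed lines against your existing chains before applying them as root.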
Building Your IPv6 Subnet
Now you can make your IPv6-enabled box into a nice IPv6 gateway for other hosts on your LAN. Go back into tspc.conf and add or uncomment these lines:
    host_type=router
    prefixlen=48
    if_prefix=eth0
Then killall tspc, and re-run ./tspc, so that it will read the new configuration.
Now you'll need radvd, the Router ADVertisement Daemon, to tell your other hosts where their shiny new IPv6 gateway is. Here is what /etc/radvd.conf should look like:
    interface eth0
    {
        AdvSendAdvert on;
        prefix fe80::20a:e4ff:fe40:/64
        {
            AdvOnLink on;
            AdvAutonomous on;
        };
    };
The prefix address is the IPv6 address assigned to eth0, minus the host part of the address:
    $ /sbin/ifconfig eth0
    ...
    inet6 addr: 2001:5c0:80fd::fffe::1/64 Scope:Global
    inet6 addr: fe80::20a:e4ff:fe40:8bfd/64 Scope:Link
Notice how eth0 has been assigned two addresses. IPv6 lets you directly assign multiple addresses to a NIC, without futzing with aliases. You want the Scope:Link address, because this defines your local pool of addresses.
Now when you run /sbin/ifconfig on your other hosts, they should display their brand-new IPv6 addresses, and you should be able to view the dancing turtle.
The Linux IPv6 Howto, by Peter Bieringer, is the ultimate HOWTO; start with it. Security implications are largely unknown at this point, so it's best to test this on a little test network, and not with your real-life production machines.
Resources
- Linux IPv6 Howto
- IPv6 Information Page
- Tips for Compiling and Installing a Linux 2.6 Kernel
- The Linux 2.6 Kernel Trilogy Ends: Go Configure
- ICANN Adds IPv6 to Root DNS
- Is Your Network Ready for IPv6?
- IPv6: Migration Issues Loom for Network Administrators
- Outlining advantages, an IPv6 leader urges U.S. adoption of the protocol
- FreeDNS
- Setting up IPv6 on Debian
- IPv6 on Fedora Core mini-HOWTO