
IPv6 at Home

Published: 03-05-2014 | Author: Remy van Elst



For a long time, most of my VPSes have been IPv6 enabled. Raymii.org is reachable over IPv6. I've not had IPv6 at home yet, over my residential DSL line. And as you know, providers are not that fast with rolling out IPv6 at home. A friend pointed me to SixXS, which provides IPv6 tunnels. I had looked at them in the past, only then you needed to have a static IP for the tunnel. These days you don't need that anymore. Read on to find out how my IPv6 setup works, including privacy extensions and a few annoyances with Arch Linux and Ubuntu.


The Tunnel

The tunnel is provided by SixXS. It is an AYIYA tunnel; AYIYA is a protocol for managing IP tunneling protocols in use between separated IP networks. It is most often used to provide IPv6 transit over an IPv4 network link when network address translation masquerades a private network with a single IP address that may change frequently because of DHCP provisioning by Internet service providers.

This basically means that you can use it to easily set up an IPv6 tunnel which works over a NATted LAN, and thus you don't need a static IP anymore. As an example, even at Starbucks I can set up my IPv6 tunnel without any hassle.

At SixXS you need to register and request a tunnel. You will need to provide some information, which will be validated, so make sure it is correct. Then you also need to provide a reason for your tunnel. Mine was just a simple one: I want to experiment at home with IPv6. They find that a valid reason, so in two days I had my tunnel data.

Tunnel setup

My DSL provider modem does not support IPv6 sadly, so I've spun up a Virtual Machine which will do the routing for IPv6. It is an Ubuntu 12.04 server machine on KVM. OpenVZ won't work because of the advanced networking involved. It will also work on a Raspberry Pi with Raspbian, for those who do not want or have a (VM) server running all the time.

You will need all your SixXS data, as in, your account, tunnel and subnet.

First install AICCU. It stands for: Automatic IPv6 Connectivity Client Utility. It is a tool to automatically configure IPv6 connectivity on a variety of platforms and it provides AYIYA and heartbeat protocol support.

apt-get install aiccu

During the installation you will be asked for your SixXS username and password. These are the ones you use to log in to the SixXS website.

If you only have one tunnel and subnet, it will all be set up automagically. I don't have multiple tunnels yet, but I expect it will require more configuration.

I had to change one line in the aiccu config file to make it work.

vim /etc/aiccu.conf

Change the following from false to true and make sure it is not commented out:

behindnat true

Now we can start the aiccu daemon:

/etc/init.d/aiccu start

If you type the ip a command you should now see a new SixXS interface:

8: sixxs: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc pfifo_fast state UNKNOWN qlen 500
    link/none
    inet6 2001:[...]998::2/64 scope global
       valid_lft forever preferred_lft forever

We can test it some more by accessing Google over IPv6:

curl -g [2a00:1450:4013:c00::64]

The -g option is needed; otherwise you will get either a curl: (3) [globbing] error: bad range specification after pos 2 or a curl: (3) IPv6 numerical address used in URL without brackets error. See bug #30 on the Curl known bugs page.

Response:

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>

The routing

The router needs to be able to forward IPv6 packets, so let's enable that. Edit /etc/sysctl.conf:

vim /etc/sysctl.conf

Add or uncomment the following:

net.ipv6.conf.all.forwarding=1

Apply the rule:

sysctl -p

To give other machines an IPv6 address we need to install radvd and dhcpv6. Radvd will be used to provide addresses via SLAAC and dhcpv6 will provide compatibility and DNS addresses.

apt-get install wide-dhcpv6-server radvd

Configure Radvd via /etc/radvd.conf:

vim /etc/radvd.conf

This is the config I use:

interface eth0 {
      AdvSendAdvert on;
      # Advertise at least every 30 seconds
      MaxRtrAdvInterval 30;
      # in order to force non RFC 6106 compliant clients to get a dns address
      AdvOtherConfigFlag on;
      prefix $YOURSUBNET$/64 {
        AdvOnLink on;
        AdvAutonomous on;
      };
      RDNSS 2001:14b8:0:3401::6 2001:1418:10:2::2 {
      };
};

Replace $YOURSUBNET$ with one of the subnets you were given by SixXS. The RDNSS option uses the European DNS from SixXS. You can find other DNS cache servers here.

Now configure DHCPv6:

vim /etc/wide-dhcpv6/dhcp6s.conf

It has only the following line, to provide DNS:

option domain-name-servers 2001:14b8:0:3401::6 2001:1418:10:2::2;

Here again you should use the SixXS DNS cache servers in your region.

Restart them both:

/etc/init.d/radvd restart
/etc/init.d/wide-dhcpv6-server restart

Privacy extensions

The global address is used in IPv6 to communicate with the outside world. It is the one used as the source for any communication and thus, in a way, identifies you on the Internet. The global address is built by taking the prefix and adding an identifier built from the hardware address.

For example, if the hardware address is 00:22:15:64:42:bd, the global IPv6 address ends with 22:15ff:fe64:42bd. It is thus easy to go from the global IPv6 address to the hardware address. To fix this issue and increase the privacy of network users, privacy extensions have been developed.
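The mapping described above works in both directions. The following Python is an added example, not code from the original article: it derives the modified EUI-64 identifier from a MAC, recovers a MAC from an address, and checks ip -6 addr output for global addresses that still embed it. The sample output and the 2001:db8:1:2::/64 prefix are constructed for illustration.

```python
import ipaddress
import re

def mac_to_iid(mac: str) -> str:
    """Modified EUI-64 interface identifier (RFC 4291, appendix A) for a MAC."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02                       # flip the universal/local bit
    eui = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])
    return ":".join(f"{(eui[i] << 8) | eui[i + 1]:x}" for i in range(0, 8, 2))

def iid_to_mac(addr: str):
    """Return the MAC embedded in an IPv6 address, or None if the low
    64 bits are not a modified EUI-64 identifier (no ff:fe marker)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02                     # undo the universal/local bit flip
    return ":".join(f"{x:02x}" for x in mac)

# Constructed sample of `ip -6 addr show dev eth0` output; 2001:db8::/32 is
# the documentation prefix, standing in for the SixXS subnet.
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:5c1e:93ab:7d20:4f6a/64 scope global temporary dynamic
       valid_lft 86098sec preferred_lft 6898sec
    inet6 2001:db8:1:2:222:15ff:fe64:42bd/64 scope global dynamic
       valid_lft 86098sec preferred_lft 14098sec
    inet6 fe80::222:15ff:fe64:42bd/64 scope link
       valid_lft forever preferred_lft forever
"""

def audit(ip_output: str):
    """Return (address, flags, leaked MAC or None) for each global address."""
    rows = []
    for m in re.finditer(r"inet6 (\S+)/\d+ scope global(.*)", ip_output):
        addr, flags = m.group(1), m.group(2).split()
        rows.append((addr, flags, iid_to_mac(addr)))
    return rows

def uses_privacy_address(ip_output: str) -> bool:
    """True if at least one global address carries the 'temporary' flag."""
    return any("temporary" in flags for _, flags, _ in audit(ip_output))

if __name__ == "__main__":
    print(mac_to_iid("00:22:15:64:42:bd"))
    for addr, flags, mac in audit(SAMPLE):
        print(addr, flags, "leaks MAC " + mac if mac else "no MAC embedded")
```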

You can read the RFC here; it describes how to build and use temporary addresses that will be used as the source address for connections to the outside world. The Wikipedia page describes it a bit more.

The option is documented in the ip-sysctl.txt file:

use_tempaddr - INTEGER
    Preference for Privacy Extensions (RFC3041).
      <= 0 : disable Privacy Extensions
      == 1 : enable Privacy Extensions, but prefer public
             addresses over temporary addresses.
      >  1 : enable Privacy Extensions and prefer temporary
             addresses over public addresses.
    Default:  0 (for most devices)
             -1 (for point-to-point devices and loopback devices)

We can enable the privacy extensions on the Ubuntu/Debian router VM by defining it in /etc/sysctl.conf.

Edit /etc/sysctl.conf:

vim /etc/sysctl.conf

Add the following line:

net.ipv6.conf.all.use_tempaddr=2

Apply it:

sysctl -p

We also need to restart the network:

/etc/init.d/networking restart

Using ip a you should now see a new address. It will expire after a while and a new one will be added. The default expiry time is one day. It can be changed with the following sysctl variable:

net.ipv6.conf.eth0.temp_prefered_lft=7200

Where 7200 is the value in minutes. Change eth0 to your network interface.

Don't set it too low; for me at 3600 I got errors like these:

ipv6_create_tempaddr(): retry temporary address regeneration.
ipv6_create_tempaddr(): regeneration time exceeded. disabled temporary address support.

There are, however, some bugs in the IPv6 stack, so it might not all work as expected. For example, most of my laptops use Arch Linux with NetworkManager. Arch Linux does not use /etc/sysctl.conf but uses /etc/sysctl.d/00-files. Therefore there is no /etc/sysctl.conf file. NetworkManager has hardcoded that it looks in /etc/sysctl.conf for the privacy extension setting. So that didn't work. You can set it in the config file for your network, for example, /etc/NetworkManager/system-connections/name:

[ipv6]
method=auto
ip6-privacy=2

However, for me that didn't work until I created the /etc/sysctl.conf file with the privacy setting. I needed some more settings to make it all work on Arch:

# cat /etc/sysctl.d/40-ipv6.conf
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.all.router_solicitation_delay=3
net.ipv6.conf.all.force_tllao=1
net.ipv6.conf.all.accept_dad=0
net.ipv6.conf.default.use_tempaddr = 2

Testing it

You should get an IPv6 address now. You can test it with sites like http://ipv6-test.com/ or by connecting to http://ipv6.google.com.
