We are looking at deploying our core network as IPv6; there are going to be some interesting problems to solve doing this. In the meantime we are learning as much as we can about it, and here we will try to document some good information. FreeNet6 is one good, free way to get IPv6 addresses to your house via a tunnel.

Message from JerrittCollord posted to the MailingList in response to a question: (Below, JerrittCollord has added more material as his experience permits...)

Your computer will get a new network interface (probably called sit1) that is an IPv6-in-IPv4 tunnel to freenet6. The client they provide is a silly little thing that negotiates the tunnel setup with their server... all the real work is in the Linux kernel itself and either the iproute2 or netkit packages. With the freenet6 client comes a "template" (a script that is run when the TSP succeeds) where you can see the actual tunnel interface commands executed, a default IPv6 gateway added, etc.

There is no magic... when the tunnel is "up" all that happens is that regular IP packets of protocol 41 (IPv6 encapsulation) are sent off to them, and hopefully appropriate responses come back. (Be sure to let them through your regular firewall!)

Be warned that a good portion of network software out-of-the-box won't know what the heck to do with an IPv6 connection. You'll need "ping6" instead of "ping" to ping out to the 6bone. DNS stuff actually works pretty well-- that's not where the hangup is. Newer versions of Mozilla, Exim, Apache, Bind work I know, and there's a list somewhere.

And, please take note that when you bring up your tunnel interface, you've essentially just joined a new public network with many of the same problems of the regular Internet. Namely, you'll have to run a separate firewall for the IPv6 interface. The Netfilter project has a set of kernel mods and userspace utils that are much like iptables, called predictably ip6tables. The only notable lame aspect of ip6tables is that it won't do connection tracking yet so will require a slightly different firewall style than "normal" now.

Getting a /48 is only a little different, use this if you want to run an IPv6 network behind your tunnel. You have to ask for it in TSP, you have to get the route right in the kernel table, then you have to run Routing Advertisement Daemon for IPv6 software in Linux called radvd. Then, any IPv6 interface brought up to accept router advertisements on the network segment on which radvd is running will autoconfigure its IPv6 address and know how to talk to the rest of the world. I haven't actually played this far.
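The stateless ip6tables style described above (no connection tracking), together with the protocol 41 allowance on the IPv4 firewall, as an added example that is not part of the original message. The function prints the rules for review instead of applying them; the LAN interface `eth0` and the tunnel server address `192.0.2.1` are placeholders, and the choice of which traffic to admit is an assumption.

```shell
#!/bin/sh
# Added example: print a stateless firewall rule set for an IPv6-in-IPv4
# tunnel gateway. Review the output, then apply it as root.

# Reject anything that is not a plain interface name, so printed rules
# cannot carry extra shell syntax.
valid_if() { case $1 in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac; }

# Loose dotted-quad check for the tunnel server's IPv4 address.
valid_v4() { echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# gen_rules TUNNEL_IF LAN_IF TUNNEL_SERVER_IPV4
gen_rules() {
    tun=$1; lan=$2; peer=$3
    valid_if "$tun" && valid_if "$lan" && valid_v4 "$peer" || return 1

    # IPv4 side: accept protocol 41 (IPv6 encapsulation) only from the
    # tunnel server, not from arbitrary hosts.
    echo "iptables -A INPUT -p 41 -s $peer -j ACCEPT"
    echo "iptables -A INPUT -p 41 -j DROP"

    # IPv6 side: the same policy for the gateway itself (INPUT) and for
    # the autoconfigured hosts behind it (FORWARD).
    for scope in "INPUT -i $tun" "FORWARD -i $tun -o $lan"; do
        # ICMPv6 carries path-MTU and unreachable errors; IPv6 breaks without it.
        echo "ip6tables -A $scope -p ipv6-icmp -j ACCEPT"
        # Without connection tracking, "reply traffic" is approximated as any
        # TCP segment that is not a bare SYN. Unsolicited ACK probes still
        # pass; only new inbound connections are refused.
        echo "ip6tables -A $scope -p tcp ! --syn -j ACCEPT"
        # DNS replies only. Source ports are forgeable, so this is the
        # weakest rule of the stateless style.
        echo "ip6tables -A $scope -p udp --sport 53 --dport 1024:65535 -j ACCEPT"
        echo "ip6tables -A $scope -j DROP"
    done
}

# Constructed sample values: sit1 as in the text, eth0 and 192.0.2.1 as placeholders.
gen_rules sit1 eth0 192.0.2.1
```

Services that should be reachable from outside need an explicit ACCEPT rule placed before the final DROP of the relevant chain.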

JerrittCollord adds on 11/04/01:

Well, now I have played this far, and it's remarkably easy as long as your OS supports what you're trying to do. The radvd package included in Debian unstable routes out the /48 to whichever interfaces you tell it to in /etc/radvd.conf. Beware that the freenet6 package has a modified configuration script (linux.sh template) such that you'll have to configure the radvd.conf and start/stop it yourself, a functionality that the freenet6 client usually wants to do itself. Such is the Debian package maintainer's wisdom.

RedHat 7.1 is happy as a clam with IPv6... I did nothing more than modprobe ipv6 and ask Mozilla for a URL only accessible on the 6bone and away it went. Just for kicks, I'll go through what this process roughly is as I understand it, say to ftp://ftp.ipv6.opentransit.net:

1) Mozilla asks libresolv where the hell is ftp.ipv6.opentransit.net

2) libresolv asks its name server for an A record like normal, and getting none, asks for an AAAA record.

3) The name server (bind9 or better) hands back an AAAA record which has an IPv6 address.

4) Mozilla gets this IPv6 and asks the system to connect to it with a PF_INET6 TCP socket to port 21.

5) The IPv6 stack in the kernel is presumably unconfigured now, and upon this request sends out a Router Solicitation

6) Radvd on the gateway/tunnel machine sends back a Router Advertisement that gives the prefix of the IPv6 segment, and of course the link-level address of the router.

7) The IPv6 stack crafts an ethernet frame addressed to the router (gateway/tunnel) machine, puts it on the wire.

8) The router picks it up, encapsulates it in IPv4 and sends it off to the tunnel's other point (somewhere in Canada for me).

9) That tunnel endpoint routes the IPv6 out on the 6bone, a response is generated, etc.

10) Etc. notably of course the Router Solicitation/reply only happens once, until the router fails to respond.

My Debian sid based laptop will do this over 802.11b, but Debian woody PPC is apparently not ready for IPv6.

So it is in this way all the security of a NAT-based home network is removed and all these junker machines are now addressable and accountable to the world. ;-)

Some links:

RFC 2461 Neighbor Discovery for IPv6. This covers the Router Discovery stuff too and is basically a replacement for ARP and DHCP in IPv4. This is what radvd implements. http://www.ietf.org/rfc/rfc2461.txt


IpVersion6 (last edited 2007-11-23 18:00:49 by localhost)