Ipv6

From Stu2

Notes about IPv6

Manual Configurations

Using iproute2 commands to add an address to an interface.

ip -6 addr add <IPv6>/<MASK> dev eth0
ip -6 route add default via <IPv6 GW>

To see the routing table:

ip -6 route show

<IP>::/64 dev eth0  proto kernel  metric 256 
fe80::/64 dev eth0  proto kernel  metric 256 
default via <IP> dev eth0  metric 1024 

Setting up the tunnel

In /etc/network/interfaces:

iface eth0 inet6 static
  pre-up modprobe ipv6
  # address of the physical interface (my internal network)
  address 2001:470:x:x::1
  # my side of the tunnel
  gateway 2001:470:y:y::2
  # /64
  netmask 64

# Set up the tunnel
auto tun6
iface tun6 inet6 v4tunnel
     # this side of the tunnel
     address  2001:470:y:y::2
     netmask  64
     # IPv4 endpoint
     endpoint 216.66.22.2
     # route my network out eth0
     up ip -6 route add 2001:470:x:x::/64 dev eth0
     # everything else goes over the tunnel
     up ip -6 route add 2000::/3 dev tun6
     down ip -6 route flush dev tun6
     down ip -6 route flush dev eth0

Set up the firewall to account for IPv6 (deny all unless expressly permitted). IPv6 addresses are fully routable, so there is no NAT between your hosts and the Internet any more.

Adding the default gateway from the command line:

 ip -6 route add default dev tun6

Sometimes, the tunnel doesn't come up on reboot. So you can do this:

ip link set tun6 down
ip link set tun6 up
ip -6 route add default dev tun6

Raspberry Pi and IPv6

Expletive. I spent hours figuring this out. The above doesn't work on a Raspberry Pi. 1) Some fine person made the decision to scrap /etc/network/interfaces in favor of dhcpcd5. 2) /etc/network/interfaces doesn't work the way you think.

Here's what I did to get IPv6 working with Hurricane Electric.

apt-get remove dhcpcd5

Create a file as per the HE instructions (verbatim with the #!/bin/bash added) and put it into /etc/network/if-up.d/ipv6:

#!/bin/bash
modprobe ipv6
ip tunnel add tun6 mode sit remote 216.66.22.2 local <IP address of outside Interface> ttl 255
ip link set tun6 up
ip addr add <ipv6 address of endpoint>/64 dev tun6
ip route add ::/0 dev tun6
ip -f inet6 addr

Next, fix /etc/network/interfaces like this:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
   # IPv4 address of eth0
   address 192.168.x.x
   netmask 255.255.255.0
   # IPv6 address of eth0
   up ip -6 addr add y:y/64 dev eth0

auto eth1
iface eth1 inet static
   # IPv4 address of eth1
   address 192.168.z.z
   netmask 255.255.255.0
   # gateway address
   gateway 192.168.G.G
   # IPv6 address of eth1
   up ip -6 addr add z:z/64 dev eth1

The key point is to use the iproute2 commands in the file. The old way, where you use 'iface eth1 inet6 static', doesn't work!!! Why did they screw this up?

The file /etc/network/if-up.d/ipv6 will execute after the network interfaces are set up. This will set up the HE tunnel. Don't forget to turn on the IPv6 firewall, because the tunnel opens your network to the outside.
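
A check for the two firewall reminders on this page (the "deny all unless expressly permitted" note in the tunnel section and the warning just above), as an added example that is not part of the original notes: it reads an ip6tables-save dump and reports anything short of default deny. Both rulesets are constructed samples; eth0 and tun6 follow the page, and audit() is a hypothetical helper name.

```python
import re

# Constructed `ip6tables-save` output for the router on this page:
# LAN on eth0, Hurricane Electric tunnel on tun6.
HARDENED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A FORWARD -i eth0 -o tun6 -j ACCEPT
COMMIT
"""
# Constructed: a box with no IPv6 rules loaded at all.
WIDE_OPEN = "*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\nCOMMIT\n"


def audit(ruleset, wan_if="tun6"):
    """Return findings for an ip6tables-save dump; [] means default deny holds."""
    findings = []
    policy = dict(re.findall(r"^:(\w+) (\w+)", ruleset, re.M))
    for chain in ("INPUT", "FORWARD"):
        if policy.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policy.get(chain, 'unset')}, want DROP")
    accepts = [l.split() for l in ruleset.splitlines()
               if l.startswith("-A ") and l.rstrip().endswith("-j ACCEPT")]
    for tok in accepts:
        opts = {t for t in tok[2:] if t.startswith("-")} - {"-j"}
        in_if = tok[tok.index("-i") + 1] if "-i" in tok else None
        # Only interface matches, and the packet may arrive from the tunnel:
        # with no NAT, every LAN host is then reachable from the Internet.
        if tok[1] in ("INPUT", "FORWARD") and opts <= {"-i", "-o"} and in_if in (None, wan_if):
            findings.append(f"unrestricted ACCEPT from {wan_if}: {' '.join(tok)}")
    # IPv6 routers never fragment, so Packet Too Big (ICMPv6 type 2) must be
    # forwarded or path MTU discovery across the tunnel breaks.
    icmp_ok = any(t[1] == "FORWARD" and "ipv6-icmp" in t for t in accepts)
    if policy.get("FORWARD") == "DROP" and not icmp_ok:
        findings.append("FORWARD drops all ICMPv6 (Packet Too Big needed)")
    return findings


if __name__ == "__main__":
    for name, dump in (("hardened", HARDENED), ("wide open", WIDE_OPEN)):
        print(name, audit(dump) or "OK")
```

Negated matches (`! -i`) and jumps to user-defined chains are not interpreted, so review those rules by hand.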

Scapy

Manual traceroute. Increment hlim, send SYN packets to port 80.

>>> ans,unans=sr(IPv6(dst="www.google.com",hlim=(1,8))/TCP(dport=[80],flags="S"))
>>> for snd,rcv in ans:
...  print(snd.hlim, rcv.src)
... 

There is a built-in traceroute6 function, too:

>>> traceroute6("mail.server.gov",maxttl=6)

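To send a packet directly to a service, do this:

>>> synack = sr1(IPv6(dst="www.server.com")/TCP(dport=[80],flags="S"))

You should get a SYN/ACK packet back.

Since the kernel isn't listening on the source port, it may send a RST back to the web server. If it doesn't, you can close the connection manually. The RST has to come from the same source port and carry the sequence number the server expects (the ack value from the SYN/ACK), otherwise the server ignores it:

>>> send(IPv6(dst="www.server.com")/TCP(sport=synack[TCP].dport,dport=80,flags="R",seq=synack[TCP].ack))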

Sometimes, the kernel may

DHCP6

M is the Managed flag: if set, get addresses from DHCPv6. O is the Other flag: if set, get other info from DHCPv6. A is the Autonomous flag, which essentially enables SLAAC: A=1 for SLAAC and A=0 for no SLAAC. I find the best way is to set up both DHCPv6 and SLAAC. That way, everybody on the LAN is happy. Get used to multiple IPv6 addresses on an interface.

M=1 O=1   DHCPv6 is used for addresses and other information
M=0 O=0   No DHCP Infrastructure, use RA to get network addresses
M=0 O=1   DHCPv6 Stateless, get info from DHCP, but use RA for addresses
M=1 O=1   DHCPv6 is used for addresses, Get other info.

Radvd.conf
interface enp1s0
{
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    # M Flag - on = dhcp
    AdvManagedFlag on;
    # O Flag - get info from dhcp
    AdvOtherConfigFlag on;

    # Prefix for LAN
    prefix 2002:490:ffff:dead::/64
    {
      AdvOnLink on;
      # SLAAC = on
      AdvAutonomous on;
      # Send Interface address, must be on.
      AdvRouterAddr on;
    };
};
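
What a client reads out of the Router Advertisement that the radvd.conf above produces, as an added example that is not part of the original notes: it parses the M and O flags and each prefix's A flag from the raw ICMPv6 bytes and lists where the host will get its configuration. SAMPLE_RA is constructed (checksum left at zero), and parse_ra() and address_sources() are hypothetical names.

```python
import ipaddress
import struct


def parse_ra(icmp6):
    """Parse an ICMPv6 Router Advertisement (RFC 4861), starting at the type byte."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a Router Advertisement")
    ra = {"M": bool(icmp6[5] & 0x80), "O": bool(icmp6[5] & 0x40), "prefixes": []}
    off = 16  # options follow the fixed 16-byte header
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option")  # a zero length would never advance
        if opt_type == 3 and opt_len == 32:  # Prefix Information option
            plen, pflags = icmp6[off + 2], icmp6[off + 3]
            raw = bytes(icmp6[off + 16:off + 32])
            net = ipaddress.IPv6Network((raw, plen), strict=False)
            ra["prefixes"].append(
                {"prefix": str(net), "L": bool(pflags & 0x80), "A": bool(pflags & 0x40)})
        off += opt_len
    return ra


def address_sources(ra):
    """Map the flags to client behaviour, following the M/O/A notes above."""
    sources = []
    if ra["M"]:
        sources.append("DHCPv6 address")
    if any(p["A"] for p in ra["prefixes"]):
        sources.append("SLAAC address")
    if ra["M"] or ra["O"]:  # M set already implies other info comes from DHCPv6
        sources.append("DHCPv6 other info")
    return sources


# Constructed RA mirroring the radvd.conf above: M=1, O=1, one /64 with L=1, A=1.
SAMPLE_RA = (
    bytes([134, 0, 0, 0, 64, 0xC0]) + struct.pack("!HII", 1800, 0, 0)
    + bytes([3, 4, 64, 0xC0]) + struct.pack("!III", 86400, 14400, 0)
    + ipaddress.IPv6Address("2002:490:ffff:dead::").packed
)

if __name__ == "__main__":
    ra = parse_ra(SAMPLE_RA)
    print(ra, address_sources(ra))
```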


Tayga for NAT64

It seems simple, but the examples don't tell the whole story. It's simple in Ubuntu. Just install tayga, then edit /etc/tayga.conf and /etc/default/tayga. This works fine with HE.net tunnels.

/etc/tayga.conf

tun-device nat64              # the interface device
ipv4-addr 192.168.255.100     # IPv4 address for Tayga, using one from pool below
ipv6-addr 2001:db8:1::2       # IPv6 address for Tayga, use anything not in LAN environment
prefix 64:ff9b::/96           # Prefix used by DNS64, use Google's DNS64 servers
dynamic-pool 192.168.255.0/24 # Pool to use. Gives 252 addresses to use in NAT
data-dir /var/spool/tayga     # Data directory, make sure it exists

/etc/default/tayga
RUN="yes"                            # Yes, run
CONFIGURE_IFACE="yes"                # Yes, configure the interface
CONFIGURE_NAT44="yes"                # Yes, set up the NAT44 stuff, no need for iptables rules you see on the Internet
DAEMON_OPTS=""                       # No options
IPV4_TUN_ADDR="192.168.1.254"       # IPv4 address of inside interface
IPV6_TUN_ADDR="2001:470:e:ffff::1"  # IPv6 address of inside interface

systemctl start tayga

Use Google's DNS64 servers as forwarders in your local instance of DNS. https://developers.google.com/speed/public-dns/docs/dns64

XP

XP can only use stateless autoconfig or manual addressing.

Ubuntu

There's some sort of problem with dhcp client. It times out while DAD is going on. I don't know if this is the right answer (not), but I had to add a delay to the IPv6 start up in my Ubuntu test server VM.

iface eth0 inet6 dhcp
 pre-up sleep 10

I also had to turn on the FQDN stuff in dhclient.conf

send host-name "cloud";
send fqdn.fqdn "cloud.stu2labs.net";
send fqdn.encoded on;
send fqdn.server-update on;

Stateless or Stateful Config

XP must use RA. For DNS, use IPv4, which means XP must go away for a full IPv6 network.