AARNet: Australia's Academic and Research Network
IPv6 network day
1. Agenda
The previous two days' training investigated the IPv6 protocol and its configuration on Cisco Systems' IOS. Today this knowledge is put to use to construct a test network.
2. Test network
2.1 Topology
The test network is a sample university network.
Figure 1. Sample university network (diagram: ISP, Border, Firewall, Core, Switch).
To save time we will not configure a firewall, but will configure the network as if an OSPFv3-speaking firewall is in place.
2.2 Addressing
Each sample university is allocated an address range. From that you must develop an addressing plan which includes:
2.2.1 Host subnet addresses
These will be EUI-64 subnets. In a real network these addresses would be allocated in blocks which can be aggregated at each site edge. Our sample network is too small for this.
2.2.2 Link addresses for router-router links
These will be /64 subnets. ::1 is used for the upstream, ::2 for the downstream. Router addresses are often replicated throughout router configurations, so using a /64 is more maintainable than the dynamic interface addresses of EUI-64.
2.2.3 Control and administrative addresses for routers
Most networking equipment assigns the router an interface in the control plane. Cisco IOS typically uses “Loopback0”. This is a /128 address. Some routers treat higher addresses as administrative domain addresses by default, so reserve the highest /64 for loopback addresses.
The DNS entry for control plane addresses usually contains the name of the router. A typical naming scheme is function-count-location.net.example.edu.au, although variations are plentiful. Unfortunately some monitoring systems only record the left-hand side of the device name, leading to all the necessary information needing to be packed into that part of the name.
Some routers distinguish control plane addresses from administrative plane addresses. For example, JunOS has “lo0” in the control plane and “fxp0” in the administrative plane. Most administrative plane networks are unrouted. Depending upon your security stance this network may use private addresses or use a /64 with a gateway controlling access from the routed network.
2.3 Addresses available
Address prefix         Preliminary allocation
2001:388:3004::/48     University of Queensland
2001:388:3008::/48     CSIRO, Qld
2001:388:300C::/48     Queensland University of Technology
2001:388:3010::/48     University of Southern Queensland
2001:388:3014::/48     QMI
2001:388:3018::/48     Griffith University
2001:388:301C::/48     Central Queensland University
2001:388:3020::/48     Southern Cross University
2001:388:3024::/48     James Cook University
2001:388:3028::/48     Australian Catholic University, Qld
For the exercise we will need some temporary AS number allocations which do not duplicate any used in production networks. These AS numbers should not be used outside of this day.
Address allocation     AS number for exercise
2001:388:3004::/48     64750
2001:388:3008::/48     64751
2001:388:300C::/48     64752
2001:388:3010::/48     64753
2001:388:3014::/48     64754
2001:388:3018::/48     64755
2001:388:301C::/48     64756
2001:388:3020::/48     64757
2001:388:3024::/48     64758
2001:388:3028::/48     64759
Exercise 1
Each group will pretend to be one of the above institutions and develop an IPv6 addressing plan.
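The rules of section 2.2 carried out in code, as an added example that is not part of the course material: it carves the first allocation from the table above into EUI-64 host /64s, router-router /64s and a reserved top /64 of /128 loopbacks, then checks that nothing in the plan overlaps. The one-/56-per-site layout, the downward link numbering and the labels are assumptions of this example, not the page's.

```python
"""Addressing plan for a sample university /48, following section 2.2.

Added example, not part of the AARNet course material. The page gives the
rules but not the numbering, so this layout is assumed: host /64s sit in
one /56 per site at the bottom of the /48, router-router /64s are taken
downwards from just below the top /64, and the top /64 is reserved for
/128 loopbacks. Labels such as "site0-hosts1" are constructed.
"""
import ipaddress
from itertools import combinations

IPv6Network = ipaddress.IPv6Network
IPv6Interface = ipaddress.IPv6Interface

ALLOCATION = IPv6Network("2001:388:3004::/48")  # first row of the page's table
INFRA_SITE = 0xFF  # the top /56 holds links and loopbacks, never hosts


def loopback_block(allocation):
    """Highest /64 of the allocation, reserved for loopbacks (section 2.2.3)."""
    top = int(allocation.broadcast_address)
    return IPv6Network((top, 64), strict=False)


def loopback_address(allocation, router_index):
    """/128 control-plane address for router n: ::1, ::2, ... in the top /64."""
    if not 1 <= router_index < 2**64:
        raise ValueError("router index out of range")
    base = int(loopback_block(allocation).network_address)
    return IPv6Interface((base + router_index, 128))


def link_subnet(allocation, link_index):
    """/64 for router-router link n, numbered downwards from the loopback /64
    (fffe, fffd, ...) so that links stay inside the infrastructure /56."""
    if not 0 <= link_index < INFRA_SITE:
        raise ValueError("link index out of range")
    top = int(loopback_block(allocation).network_address)
    return IPv6Network((top - (link_index + 1) * 2**64, 64))


def link_addresses(link):
    """Section 2.2.2: ::1 for the upstream router, ::2 for the downstream."""
    base = int(link.network_address)
    return IPv6Interface((base + 1, 64)), IPv6Interface((base + 2, 64))


def host_subnet(allocation, site, subnet):
    """EUI-64 host /64 number `subnet` within site `site`'s /56 (section 2.2.1).
    Keeping each site inside one /56 lets the site edge aggregate it later."""
    if not (0 <= site < INFRA_SITE and 0 <= subnet < 256):
        raise ValueError("site or subnet out of range")
    base = int(allocation.network_address) + site * 2**72 + subnet * 2**64
    return IPv6Network((base, 64))


def build_plan(allocation, sites, subnets_per_site, links, routers):
    """{label: network} for a whole plan; loopbacks are entered as /128s."""
    plan = {}
    for s in range(sites):
        for n in range(subnets_per_site):
            plan[f"site{s}-hosts{n}"] = host_subnet(allocation, s, n)
    for k in range(links):
        plan[f"link{k}"] = link_subnet(allocation, k)
    for r in range(1, routers + 1):
        plan[f"router{r}-lo0"] = loopback_address(allocation, r).network
    return plan


def overlapping(plan):
    """Pairs of labels whose networks overlap; an empty list means the plan is
    consistent and safe to turn into router configuration."""
    return [(a, b) for (a, na), (b, nb) in combinations(plan.items(), 2)
            if na.overlaps(nb)]


if __name__ == "__main__":
    plan = build_plan(ALLOCATION, sites=2, subnets_per_site=3, links=2, routers=3)
    for label, net in plan.items():
        print(f"{label:16} {net}")
    print("overlaps:", overlapping(plan) or "none")
```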
3. Configure a host network
3.1 Activate IPv6
On routers, unlike hosts, IPv6 support is not usually activated by default.
ipv6 unicast-routing
ipv6 cef
ipv6 multicast-routing
3.2 Configure control plane address
interface Null0
 no ip unreachables
interface Loopback0
 description core-1-riverside.net.example.edu.au
 ip address 1.2.3.1 255.255.255.255
 ipv6 enable
 ipv6 address 2001:388:302b:ffff::1/128
 no ip redirects
 no ipv6 redirects
 no ip proxy-arp
 ip rsvp bandwidth
 no cdp enable
 service-policy input LOOPBACK0-IN-POLICY
 service-policy output LOOPBACK0-OUT-POLICY
 ip access-group LOOPBACK0-IN-LIST4 in
 ip access-group LOOPBACK0-OUT-LIST4 out
 ipv6 access-group LOOPBACK0-IN-LIST6 in
 ipv6 access-group LOOPBACK0-OUT-LIST6 out
 ip sap listen
 ip pim sparse-mode
 ipv6 ospf 64600 area 0
ip ftp source-interface Loopback0
ip telnet source-interface Loopback0
ip tftp source-interface Loopback0
ip flow-export source Loopback0
logging source-interface Loopback0
snmp-server trap-source Loopback0
ntp source Loopback0
3.3 EUI-64
EUI-64 interfaces are used on host-facing subnets.
interface GigabitEthernet0
 description gig0.core-1-riverside.net.example.edu.au
 ipv6 enable
 ipv6 address 2001:388:1:201E::/64 eui-64
 ipv6 verify unicast source reachable-via rx
 ipv6 access-group GIG0-IN-LIST6 in
 ipv6 access-group GIG0-OUT-LIST6 out
 ip access-group GIG0-IN-LIST4 in
 ip access-group GIG0-OUT-LIST4 out
 service-policy input GIG0-IN-POLICY
 service-policy output GIG0-OUT-POLICY
 ip flow ingress
 no ip proxy-arp
 ip pim sparse-mode
 ip igmp version 3
 ip igmp query-interval 125
 ip verify unicast source reachable-via rx
 no cdp enable
 ip rsvp bandwidth
 mpls traffic-eng tunnels
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 asdfjhaxs
 ipv6 ospf 64600 area 1.2.3.0
 ipv6 ospf priority 1
3.4 Explicit /64
Subnets with explicit addressing are used for links between routers. This allows interfaces to be replaced without altering the router configuration.
interface GigabitEthernet1
 ipv6 enable
 ipv6 address 2001:388:302b:fffc:1::1/64
 no ip proxy-arp
 no ip redirects
 no ipv6 redirects
 service-policy input GIG1-IN-POLICY
 service-policy output GIG1-OUT-POLICY
 ip pim sparse-mode
 ip igmp version 3
 ip igmp query-interval 125
 ip rsvp bandwidth
 mpls traffic-eng tunnels
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 asdfjhaxs
 ipv6 ospf 64600 area 0
3.5 Access lists
IOS implicitly adds this to the end of IPv6 access control lists:
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any
Otherwise access lists work as you may expect. They use the most recent ACL syntax.
ipv6 access-list VTY-LIST6
 remark Administrative subnet
 permit ipv6 2001:388:1:2000::/64 any
service tcp-keepalives-in
service tcp-keepalives-out
service nagle
no service pad
service linenumber
line vty 0 4
 location Network
 transport preferred none
 transport input ssh
 transport output ssh telnet
 access-class VTY-LIST4 in
 ipv6 access-class VTY-LIST6 in
 password sadkfjks
Use access lists to limit packets passing through the forwarding and management planes. Use prefix lists to limit routes passing through the routing plane.
Exercise 2: Interfaces
Configure Loopback, Gig0 and Gig1 interfaces. Gig0 is an upstream interface to another router. Gig1 is a host interface to a switch.
Configure an access list.
4. Configure interior routing
IPv4 and IPv6 can use differing routing protocols: operating as “ships in the night”, they do not exchange routing information. OSPFv3 is the recommended protocol: it is simpler than IS-IS to configure, but unlike RIP or EIGRP is capable enough for university-scale networks.
4.1 OSPF design pattern for IPv4 and IPv6
There are two types of subnets: those between routers, and those between routers and hosts. No subnet carries both router-router links and hosts, as these mixed-purpose subnets cause difficulty with QoS admission, source address checking, and so on.
Subnets between routers which interconnect sites go into the backbone area, area 0. Subnets between routers within a site go into that site's stub area.
Each site is configured as a stub area. Subnets with hosts go into the site's stub area. At the edge between the stub area and the backbone the area's IP addresses are aggregated. This limits visibility of flapping interfaces to the one site. The site's stub area is named after the major aggregated IPv4 network at that site.
Interfaces which face hosts are configured with OSPF as “passive”; that is, not sending or receiving OSPF packets. This prevents hosts from injecting false routing information. Note that marking an interface passive still allows the interface's network to be advertised out non-passive interfaces.
The network core routers closest to the Internet links inject static routes which cover the address space allocation. Firewalls and other middleboxes on the path to the Internet link run OSPF. The border router to the Internet link uses the received OSPF route for the address space allocation to generate the BGP route to the ISP. This design withdraws the BGP route if there is a failure in the border router, middleboxes or core router, thus allowing traffic to flow down any backup link.
The border router injects an OSPF default route, using the OSPF “external network” route type. These “external” routes cannot be compared to “internal” routes, so all internal traffic will flow to the external default route, no matter what the internal metrics. This OSPF default route is withdrawn if there is a failure in the border router, middleboxes or core router, thus allowing traffic to flow towards any backup link.
For planned maintenance, the BGP MED and the OSPF external route metric can be altered between the primary and backup router, which swaps the sense of primary and backup. On Cisco IOS some clever coding can make this a two-line change of the BGP import and export route-maps, making the router configuration change at the start of planned maintenance low risk.
4.2 OSPF and IPv6
OSPFv2 uses fixed-length fields in an attempt to be more efficient than the competing protocol IS-IS, which uses TLV fields. Unfortunately this design choice means that a new version of the OSPF format was needed for IPv6; this is OSPFv3.
The area ID for OSPFv3 is still 32 bits, so area identifiers are still printed as if they are IPv4 addresses. Router IDs also remain at 32 bits.
It is possible to treat OSPFv2 and OSPFv3 as differing formats of the same OSPF protocol, although I know of no router which does so. However, it is wise to retain the same identifiers and topology between OSPFv2 and OSPFv3.
Since OSPFv3 need not carry IPv4 routes you should use OSPFv3 to carry IPv6 routes regardless of what IPv4 routing protocol you currently use.
OSPFv3 is configured on IOS differently from OSPFv2. It uses Procket Networks' syntax of configuring the interface parts of the routing protocol in the “interface” stanza rather than in the “router ospf” stanza. This saves significant configuration hassle and removes messing about with reverse netmasks.
ipv6 router ospf 64600
 router-id 1.2.3.4
 log-adjacency-changes
 ! reference bandwidth is in Mbps: 40000 gives a 40 Gbps link a cost of 1
 auto-cost reference-bandwidth 40000
 passive-interface default
 no passive-interface Loopback0
 no passive-interface GigabitEthernet0
 area 1.2.3.0 stub
interface Loopback0
 ipv6 ospf 64600 area 0

interface GigabitEthernet0
 ipv6 ospf 64600 area 0

interface GigabitEthernet1
 ipv6 ospf 64600 area 1.2.3.0
Note the use of the reference bandwidth to allow 40 Gbps links to have a metric of 1 (best). By default 100 Mbps links have a metric of 1. The reference bandwidth works well for campus networks; if you have an ISP network use the one-way delay in tenths of a second as the interface metric, as latency is the cost you are trying to minimise.
Note the use of passive-interface default. Most interfaces are host subnetwork interfaces and these do not need to send or receive OSPF information.
Cisco's OSPFv3 implementation is less capable than their OSPFv2 implementation. It lacks recent features such as incremental shortest-path first algorithms, non-stop forwarding, graceful restart, VRFs and MPLS-TE.
Exercise 3: Interior routing
Configure OSPFv3 using area 0 for router-router links and a stub area for host links.
Optionally, aggregate the host links into a broader advertisement.
4.3 Static routes
A static route is useful for injecting a summary route at core routers. In the absence of BGP it is useful for inserting a default route at the last hop to the ISP. Use beyond these two cases should be done with caution.
To inject a summary route into the forwarding table use:
ipv6 route 2001:388:3038::/48 Loopback0 254 254
Note that this does not insert the route from the forwarding table into the routing protocol's table.
As Cisco's OSPFv3 lacks a “network” command, the route is injected with a redistribution. This is very easy to stuff up: redistribute as few routes as possible and preferably none. In most circumstances the “summary-prefix” command will be a better choice.
ipv6 router ospf 64600
 redistribute static route-map STATIC-TO-OSPF64600-ROUTE6

route-map STATIC-TO-OSPF64600-ROUTE6 permit 10
 match ipv6 address prefix-list AGGREGATE-PREFIX6
 set tag 1
 set metric 1
 set metric-type type-1

ipv6 prefix-list AGGREGATE-PREFIX6 permit 2001:388:3038::/48
Note the use of OSPF external metric type 1. Type 1 routes can be compared with other type 1 routes and with OSPF interior routes; type 2 routes can only be compared with other type 2 routes. As a result type 1 routes have a varying metric, depending on the cost to the point of injection, whereas type 2 routes have the same metric throughout the network. Type 2 routes should be used for default routes. Type 1 routes should be used where we want to place an interior route into OSPF.
Exercise 4: Inject a route for the address allocation into OSPFv3
Use a default route and a redistribution to insert an OSPF route for your IPv6 address allocation into the core router(s).
4.4 OSPFv3 and IPsec
OSPFv2 uses an optional MD5 hash with a shared secret to prevent bogus routing packets. OSPFv3 uses IPsec to authenticate routes.
interface GigabitEthernet0
 ! the SPI must be in the range 256 to 4294967295
 ipv6 ospf authentication ipsec spi 256 sha1 0 1234567890123456789012345678901234567890
Support for IPsec authentication varies across IOS releases. Inter-vendor OSPFv3 authentication is a nightmare of IPsec configuration.
4.5 No need to configure router advertisement
Hosts can use router advertisement to find IPv6 routers. This is most useful when multiple IPv6 routers service one host subnet.
IOS automatically configures router advertisement for IPv6. This is not so for JunOS.
5. Configure exterior routing
5.1 BGP design pattern
BGP can run between IPv4 interfaces or between IPv6 interfaces, and can carry IPv4 routing information and IPv6 routing information. AARNet uses BGP between IPv4 interfaces to carry IPv4 routes and BGP between IPv6 interfaces to carry IPv6 routes.
To export a route, arrange for the route to appear in the forwarding table of the router. The best way to do this is to get the interior routing protocol to put it into the forwarding table. Putting the route into the forwarding table using a static route does not allow for backup links to be dynamically selected. Use route filtering to ensure that only the route to be advertised is exported. Set MED on the exported route; I suggest 100 for the main link and 101 for the backup link. Using MED for parallel links reserves the use of the :90 and :80 communities for links to other ISPs. Strip communities with your AS number from advertised routes.
To import a route, discard bogon routes, discard routes with long prefixes, and accept the remainder. Set a maximum to the number of received routes which allows the router not to run out of memory even if all neighbours go crazy. On imported routes set the Local Preference to 100, unless a community of :90 or :80 suggests otherwise. Set a BGP community value indicating the router which learned the route.
To set the OSPF default route, try to get a BGP default route. If not, insert an OSPF route anyway using default-information originate always with a route map to remove the default route should the loss of a selected incoming route suggest a loss of connectivity (e.g. if an anycast root DNS server becomes unreachable). Set an OSPF tag on the OSPF default route indicating how it was generated.
5.2 Configure BGP neighbour
BGP for IPv6 is basically the same as BGP for IPv4.
Firstly, establish a BGP routing process.
service tcp-keepalives-in
service tcp-keepalives-out
ip tcp timestamp
ip tcp path-mtu-discovery
ip bgp-community new-format
router bgp 64600
 bgp router-id 1.2.3.4
 bgp log-neighbor-changes
 bgp deterministic-med
Now establish a neighbour relationship with the ISP.
router bgp 64600
 neighbor 2001:388:3028:1::1 remote-as 64699
 neighbor 2001:388:3028:1::1 description ISP
 address-family ipv4 unicast
  no neighbor 2001:388:3028:1::1 activate
  no auto-summary
  no synchronization
 exit-address-family
 address-family ipv4 multicast
  no neighbor 2001:388:3028:1::1 activate
  no auto-summary
 exit-address-family
 address-family ipv6 unicast
  neighbor 2001:388:3028:1::1 activate
  neighbor 2001:388:3028:1::1 send-community
  neighbor 2001:388:3028:1::1 soft-reconfiguration inbound
  neighbor 2001:388:3028:1::1 route-map AS64699-1-MAIN-IN-ROUTE6 in
  neighbor 2001:388:3028:1::1 route-map AS64699-1-MAIN-OUT-ROUTE6 out
  no synchronization
 exit-address-family
 address-family ipv6 multicast
  neighbor 2001:388:3028:1::1 activate
  neighbor 2001:388:3028:1::1 send-community
  neighbor 2001:388:3028:1::1 soft-reconfiguration inbound
  neighbor 2001:388:3028:1::1 route-map AS64699-1-MAIN-IN-ROUTE6 in
  neighbor 2001:388:3028:1::1 route-map AS64699-1-MAIN-OUT-ROUTE6 out
 exit-address-family
Exercise 5: Configure BGP neighbour
Configure a BGP neighbour to the ISP. Don't worry about the route-map definitions.
5.3 Output route generation and filtering
We went to some trouble previously to put the summary route for our allocated network into OSPFv3 on the core router. Thanks to the marvels of routing protocols, that route is now in the border router's forwarding table.
All we need to do is import this forwarding table entry into the BGP routing table.
router bgp 64600
 address-family ipv6 unicast
  network 2001:388:3038::/48
 exit-address-family
 address-family ipv6 multicast
  network 2001:388:3038::/48
 exit-address-family
Note carefully that our routing has been designed so that this network will disappear from the BGP routing table if the link to the core router is lost. This stops traffic blackholing on a faulty main border-firewall-core link. Instead, the fault causes the BGP route to be withdrawn and traffic flows down the backup path.
BGP attributes are applied via a route map.
route-map AS64699-1-MAIN-OUT-ROUTE6 permit 10
 match ipv6 address prefix-list AS64600-PREFIX6
 set metric 100
 set comm-list AS64600-ANY-COMMUNITY delete
ipv6 prefix-list AS64600-PREFIX6 description AS64600 address allocation
ipv6 prefix-list AS64600-PREFIX6 permit 2001:388:3038::/48
! a regular expression needs an expanded community list; this matches every
! community carrying our own AS number
ip community-list expanded AS64600-ANY-COMMUNITY permit 64600:.*
The route-map for the backup link is similar.
route-map AS64699-1-BACKUP-OUT-ROUTE6 permit 10
 match ipv6 address prefix-list AS64600-PREFIX6
 set metric 101
 set comm-list AS64600-ANY-COMMUNITY delete
Your router's configuration should try to allow just the names of the route maps to be altered to change from Main to Backup function. This is very useful for planned maintenance.
Note that we explicitly set MED for both links. Not all routers make Cisco's assumption that the default MED is 100; some follow the BGP RFC and prefer routes with MED over routes without MED. Setting MED all the time removes any ambiguity.
We also deleted all of our AS's communities. There is no need to leak that information.
5.4 Input route filtering
The input filtering does three tasks: discard silly routes, implement BGP communities (:80, :90), and document the origin of the route.
We use …:10nnn as a POP counter and use …:2000n to indicate if the link is running as main or backup. The numbers are not special: they are chosen to be easily deleted by a regular expression and are greater than 1000 so they are out of the range usually used to communicate between ISPs.
route-map AS64699-1-MAIN-IN-ROUTE6 deny 10
 match ipv6 address prefix-list AS64600-PREFIX6
route-map AS64699-1-MAIN-IN-ROUTE6 deny 20
 match ipv6 address prefix-list DEFAULT-PREFIX6
route-map AS64699-1-MAIN-IN-ROUTE6 deny 30
 match ipv6 address prefix-list BOGON-PREFIX6
route-map AS64699-1-MAIN-IN-ROUTE6 permit 40
 match community AS64600-90-COMMUNITY
 set local-preference 90
 set community 64600:10001 64600:20001 additive
route-map AS64699-1-MAIN-IN-ROUTE6 permit 50
 match community AS64600-80-COMMUNITY
 set local-preference 80
 set community 64600:10001 64600:20001 additive
route-map AS64699-1-MAIN-IN-ROUTE6 permit 60
 set local-preference 100
 set community 64600:10001 64600:20001 additive
! Unspecified, loopback, IPv4-compatible
ipv6 prefix-list BOGON-PREFIX6 permit ::/96 le 128
! IPv4-mapped IPv6 (not covered by ::/96)
ipv6 prefix-list BOGON-PREFIX6 permit ::ffff:0:0/96 le 128
! Link local
ipv6 prefix-list BOGON-PREFIX6 permit fe80::/10 le 128
! Reserved (was site local)
ipv6 prefix-list BOGON-PREFIX6 permit fec0::/10 le 128
! Unique-local
ipv6 prefix-list BOGON-PREFIX6 permit fc00::/8 le 128
! Multicast
ipv6 prefix-list BOGON-PREFIX6 permit ff00::/8 le 128
! Documentation
ipv6 prefix-list BOGON-PREFIX6 permit 2001:db8::/32 le 128
ipv6 prefix-list DEFAULT-PREFIX6 permit ::/0
ip community-list standard AS64600-90-COMMUNITY permit 64600:90
ip community-list standard AS64600-80-COMMUNITY permit 64600:80
The configuration for a backup link is similar.
route-map AS64699-1-BACKUP-IN-ROUTE6 deny 10
 match ipv6 address prefix-list AS64600-PREFIX6
route-map AS64699-1-BACKUP-IN-ROUTE6 deny 20
 match ipv6 address prefix-list DEFAULT-PREFIX6
route-map AS64699-1-BACKUP-IN-ROUTE6 deny 30
 match ipv6 address prefix-list BOGON-PREFIX6
route-map AS64699-1-BACKUP-IN-ROUTE6 permit 40
 match community AS64600-90-COMMUNITY
 set local-preference 89
 set community 64600:10001 64600:20002 additive
route-map AS64699-1-BACKUP-IN-ROUTE6 permit 50
 match community AS64600-80-COMMUNITY
 set local-preference 79
 set community 64600:10001 64600:20002 additive
route-map AS64699-1-BACKUP-IN-ROUTE6 permit 60
 set local-preference 99
 set community 64600:10001 64600:20002 additive
The main link uses the common local-preference value of 100 and the common MED of 100. The backup link uses a worse local-preference value of 99 and a worse MED of 101.
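The input policy above run over constructed BGP routes, as an added example that is not part of the course material and is not how IOS evaluates route-maps: the prefix-lists, the :80/:90 communities and the local-preference values are the page's; the Route class, the MAIN/BACKUP roles and the sample update are this example's own.

```python
"""The section 5.4 input route-map run over constructed BGP routes.

Added example, not part of the AARNet course material and not how IOS
evaluates route-maps. The prefix-lists, the :80/:90 communities and the
local-preference values are the page's; the Route class, the MAIN/BACKUP
roles and the sample update are this example's own.
"""
import ipaddress
from dataclasses import dataclass, field

OWN_AS = 64600
MAIN, BACKUP = 1, 2  # final digit of the 64600:2000n role community

# IOS prefix-list entries as (prefix, le); le=None means an exact match only,
# as the page writes it. Adding "le 128" here would also refuse more-specifics
# of our own allocation, which a peer should never be sending us.
AS64600_PREFIX6 = [(ipaddress.IPv6Network("2001:388:3038::/48"), None)]
DEFAULT_PREFIX6 = [(ipaddress.IPv6Network("::/0"), None)]
BOGON_PREFIX6 = [(ipaddress.IPv6Network(p), 128) for p in (
    "::/96",          # unspecified, loopback, IPv4-compatible
    "fe80::/10",      # link local
    "fec0::/10",      # reserved (was site local)
    "fc00::/8",       # unique-local, as listed on the page
    "ff00::/8",       # multicast
    "2001:db8::/32",  # documentation
)]


@dataclass
class Route:
    prefix: ipaddress.IPv6Network
    communities: set = field(default_factory=set)
    local_pref: int = 100  # IOS default before any route-map runs


def route(prefix, *communities):
    """Build a Route from text, e.g. route("2001:db8::/32", "64600:90")."""
    return Route(ipaddress.IPv6Network(prefix), set(communities))


def prefix_list_matches(plist, prefix):
    """True if `prefix` matches any entry, with IOS exact/le semantics."""
    for entry, le in plist:
        if le is None:
            if prefix == entry:
                return True
        elif prefix.subnet_of(entry) and prefix.prefixlen <= le:
            return True
    return False


def import_policy(rt, role=MAIN):
    """AS64699-1-{MAIN,BACKUP}-IN-ROUTE6: None if denied, else the route with
    local-preference and origin communities set as the page's sequences do."""
    # deny 10, 20, 30: our own allocation, a default route, bogons
    for plist in (AS64600_PREFIX6, DEFAULT_PREFIX6, BOGON_PREFIX6):
        if prefix_list_matches(plist, rt.prefix):
            return None
    # permit 40, 50, 60: honour :90 and :80, otherwise 100; backup is one worse
    worse = 0 if role == MAIN else 1
    if f"{OWN_AS}:90" in rt.communities:
        rt.local_pref = 90 - worse
    elif f"{OWN_AS}:80" in rt.communities:
        rt.local_pref = 80 - worse
    else:
        rt.local_pref = 100 - worse
    # "set community ... additive": POP counter plus main/backup marker
    rt.communities |= {f"{OWN_AS}:10001", f"{OWN_AS}:2000{role}"}
    return rt


def run_policy(routes, role=MAIN):
    """Apply the policy to a whole update; {prefix: Route or None}."""
    return {str(rt.prefix): import_policy(rt, role) for rt in routes}


# A constructed update, not captured from a real BGP session.
SAMPLE_UPDATE = [
    route("2001:db8:1::/48"),                # bogon: documentation space
    route("::/0"),                           # default route, refused here
    route("2001:388:3038::/48"),             # our own allocation coming back
    route("2001:388:3004::/48", "64600:90"), # peer asks for a lower preference
    route("2001:388:3008::/48"),             # ordinary route
]

if __name__ == "__main__":
    for prefix, result in run_policy(SAMPLE_UPDATE).items():
        if result is None:
            print(f"{prefix:24} denied")
        else:
            print(f"{prefix:24} local-pref {result.local_pref} "
                  f"communities {sorted(result.communities)}")
```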
Exercise 6: Configure BGP policy
Augment the BGP neighbouring with a policy. Verify that the BGP advertisement of our address allocation is withdrawn when the link between the border router and the core router is down.
5.5 Default route injection
The final task is to inject a default route. In a multiple-link scenario it is far better to ask the ISP to generate a default route. Tweak the route-map to permit the default route.
ipv6 router ospf 64600
 default-information originate route-map OSPF64600-DEFAULT-ROUTE6
route-map OSPF64600-DEFAULT-ROUTE6 permit 10
 match ipv6 address prefix-list DEFAULT-PREFIX6
 match community MAIN-COMMUNITY
 set metric 1
 set metric-type type-2
route-map OSPF64600-DEFAULT-ROUTE6 permit 20
 match ipv6 address prefix-list DEFAULT-PREFIX6
 match community BACKUP-COMMUNITY
 set metric 2
 set metric-type type-2
route-map OSPF64600-DEFAULT-ROUTE6 permit 30
 match ipv6 address prefix-list DEFAULT-PREFIX6
 set metric 9999
 set metric-type type-2
ip community-list standard MAIN-COMMUNITY permit 64600:20001
ip community-list standard BACKUP-COMMUNITY permit 64600:20002
We use the main/backup community on the learned default route to set the metric on the OSPFv3 default route.
Alternatively, use the address of a popular prefix (such as the root DNS servers) to trigger the default injection. Mark the prefix with a community string and use the presence of that community to inject default. On a commit-less configuration language like IOS this allows the golden network to be altered without dropping the injection of OSPF default.
Exercise 7: Inject a default into OSPF
Inject a default route into OSPF. Verify that the default route injection is withdrawn if the BGP neighbour relationship fails.
6. NetFlow
Cisco's many NetFlow formats all encode the length of the IPv4 address in their formats. Cisco moved to a template-based format for NetFlow v9, which also solved the problems Cisco were facing with the explosion in the number of NetFlow aggregation types.
The popular flow-tools package does not support NetFlow v9, reflecting a slowing of flow-tools development in recent years. Good alternatives seem to be flowc and pmacct, but an evaluation is called for. You can verify the operation of NetFlow using Wireshark to capture and decode the NetFlow packets.
ipv6 flow-export version 9 origin-as
ipv6 flow-export destination 1.2.3.4 9991
ipv6 flow-export template
ipv6 flow-export source Loopback0
ipv6 flow-cache timeout active 5
interface GigabitEthernet1
 description Internet link
 ipv6 flow cache
 ipv6 flow ingress
The cost of implementing NetFlow v9 and extending accounting systems to IPv6 addresses is a major administrative cost in implementing IPv6. Do not buy a traffic accounting system that cannot handle IPv6: otherwise you will be buying another one within four years.
Exercise 8: Configure NetFlow
Configure NetFlow accounting for traffic out the Internet interface. Verify that NetFlow packets are produced. (You might want to drop the cache timeout to one minute to avoid waiting.)
7. Activating IPv6 on hosts
7.1 Interface configuration
Ubuntu Linux runs IPv6 by default. Just restart the computer so that the interface obtains an IPv6 address and servers bind to the IPv6 address.
Red Hat Enterprise Linux and Fedora need /etc/sysconfig/network modified.
NETWORKING=yes
NETWORKING_IPV6=yes
HOSTNAME=example
Each interface is defined in /etc/sysconfig/network-scripts/ifcfg-*. Alter the configuration to start IPv6.
DEVICE=eth0
BOOTPROTO=dhcp
HWADDR=00:12:34:56:78:9A
ONBOOT=yes
DHCP_HOSTNAME=example
TYPE=Ethernet
IPV6INIT=yes
# Set these for servers
PERSISTENT_DHCLIENT=no
ZEROCONF=no
Use ifconfig to display the allocated IP address:
$ ifconfig eth0
7.2 Host firewalls
TCP Wrapper is configured using two files, /etc/hosts.allow and /etc/hosts.deny. The usual security stance has hosts.deny preventing unexpected connections:
ALL: ALL
Obviously we need to let traffic interior to the machine to connect. So the local IPv6 address as well as the local IPv4 address should be present in hosts.allow:
ALL: 127.
ALL: [::1]/128
The remainder of hosts.allow contains entries for each allowed service.
sshd: ALL
The Linux firewall iptables has an IPv6 variant named ip6tables. This uses the same underlying technology as iptables.
In Red Hat Linux or Fedora there is an IPv4 and IPv6 firewall configured during installation. The firewall configuration can be modified using system-config-securitylevel, which modifies the default firewall.
If you need to configure a more complex firewall than the eye candy allows, start the firewall for both IPv4 and IPv6,
# service iptables start
# service ip6tables start
use iptables and ip6tables to configure the firewall, then save the results.
# service iptables save
# service ip6tables save
You can display any running IPv6 firewall using ip6tables -n --list. The configuration files in /etc/sysconfig/iptables and /etc/sysconfig/ip6tables contain the saved configuration of the firewall.
Ubuntu has no default firewall. An IPv4 firewall can be configured using Firestarter, but there is no convenient tool for IPv6. See Ubuntu's IptablesHowTo [1] for the procedure for the manual configuration of iptables; similar steps can be used to configure ip6tables.
8.1 DHCPv6
ipv6 dhcp pool DHCP6
 ! Supplied using autoconf
 ! prefix-delegation 2001:388:xxxx:xxxx::/64 00xx
 dns-server 2001:388:3000:40::40
interface …
 ipv6 dhcp server DHCP6
 ipv6 nd other-config-flag
8.2 Records The DNS for IPv6 works much the same as DNS for IPv4.
There is a new AAAA record type for IPv6 which does the same task as the A record for IPv4.
$ORIGIN example.edu.au.
fred IN A    1.2.3.4
fred IN AAAA 2001:8b0:c5:1::1
[1] https://help.ubuntu.com/community/IptablesHowTo
The PTR record is extended for IPv6 addresses. Each nybble (4 bits) of the reversed IPv6 address is separated by a dot, so DNS resolution can be delegated at any digit of the IPv6 hexadecimal address. For example, 2001:8b0:c5:1::1 becomes:
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.5.c.0.0.0.b.8.0.1.0.0.2.ip6.arpa. IN PTR fred.example.edu.au.
There is an alternative bit-label format, which isn't much better but at least isn't backward.
\[x200108B000C500010000000000000001/128].ip6.arpa. IN PTR fred.example.edu.au.
Obviously you want to use a tool to generate the reverse file.
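A small generator for the nibble-format reverse file, as an added example that is not part of the course material: it produces the PTR name above from 2001:8b0:c5:1::1, writes a zone relative to a delegation at any nibble boundary, refuses addresses outside the delegated prefix, and converts a name back to an address for checking. The zone prefix 2001:8b0:c5::/48 and the host list are constructed.

```python
"""Generate ip6.arpa PTR records in the nibble format of section 8.2.

Added example, not part of the AARNet course material. The worked address
2001:8b0:c5:1::1 and its PTR name are the page's own; the /48 used as the
zone origin and the host list are constructed for the example.
"""
import ipaddress


def nibble_ptr_name(address):
    """Fully qualified ip6.arpa name: all 32 hex digits of the expanded
    address, reversed and dot-separated, so delegation can happen at any
    nibble boundary."""
    addr = ipaddress.IPv6Address(address)
    nibbles = addr.exploded.replace(":", "")  # leading zeros are kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def zone_origin(prefix):
    """$ORIGIN of the reverse zone for a prefix delegated on a nibble boundary."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen == 0 or net.prefixlen % 4:
        raise ValueError("ip6.arpa delegations fall on 4-bit boundaries")
    keep = net.prefixlen // 4
    nibbles = net.network_address.exploded.replace(":", "")[:keep]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone(prefix, hosts):
    """Zone-file lines for {fqdn: address} inside `prefix`. Owner names are
    made relative to the origin so the file is readable, and an address
    outside the delegated prefix is refused rather than silently mis-filed."""
    net = ipaddress.IPv6Network(prefix)
    origin = zone_origin(prefix)
    lines = [f"$ORIGIN {origin}"]
    ordered = sorted(hosts.items(), key=lambda kv: ipaddress.IPv6Address(kv[1]))
    for name, address in ordered:
        addr = ipaddress.IPv6Address(address)
        if addr not in net:
            raise ValueError(f"{address} is not inside {prefix}")
        full = nibble_ptr_name(addr)
        relative = full[: len(full) - len(origin) - 1]  # strip ".<origin>"
        lines.append(f"{relative} IN PTR {name}")
    return lines


def address_from_ptr_name(name):
    """Inverse of nibble_ptr_name, for checking a reverse zone by hand."""
    labels = name.rstrip(".").split(".")
    if len(labels) != 34 or labels[-2:] != ["ip6", "arpa"]:
        raise ValueError("not a full 32-nibble ip6.arpa name")
    hexstr = "".join(reversed(labels[:-2]))
    return ipaddress.IPv6Address(int(hexstr, 16))


if __name__ == "__main__":
    # constructed host list inside the constructed /48 zone
    hosts = {"fred.example.edu.au.": "2001:8b0:c5:1::1",
             "core-1-riverside.net.example.edu.au.": "2001:8b0:c5:ffff::1"}
    print("\n".join(reverse_zone("2001:8b0:c5::/48", hosts)))
```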
Rather than maintain the file by hand, using dynamic DNS is a good option. This implies moving host names into their own part of the DNS hierarchy.
This is a good idea in any case, as DNSSEC deployment works best if publicly-known DNS names have distinct parts of the site's DNS hierarchy.
8.3 Resolution
DNS resolution under Windows Vista attempts to resolve DNS names to IPv6 addresses if any external interface has been assigned a non-local IPv6 address. Linux's glibc will shortly use the same conditions.
When attempting to resolve a DNS name a AAAA query is sent. On success the returned IPv6 address is used. On failure or timeout an A query is sent. On success the returned IPv4 address is used.
Note that some broken firewalls discard DNS queries for the AAAA record type. This is a misconfiguration: an ICMP Administratively Denied should always be sent by a firewall when discarding outgoing traffic. This behaviour leads to the AAAA query timing out before an A query is tried, so all DNS lookups happen slowly when the host activates IPv6.
8.4 Load
The larger IPv6 address increases the size of DNS responses. Support for the larger packet size of EDNS0 prevents queries having to use TCP. Even so, misconfigured firewalls which prevent DNS over TCP will be more apparent when using IPv6.
9. Web
HTTP and HTTPS both work over IPv6. Apache and other popular web servers have mature support for IPv6. These servers usually just require a restart to bind to the IPv6 address. Sometimes you will need to code the IPv6 address in /etc/httpd/conf/httpd.conf, something like this:
Listen 0.0.0.0:80
Listen [::]:80
IPv6 has a lot of address space, so you can configure address-based virtual servers in preference to name-based virtual servers. You might want to do this as HTTPS certificates don't work well with name-based servers.
10. SMTP
Sendmail and other popular mail transfer agents have mature support for IPv6. Networking other than localhost is usually not activated in the default configuration, to prevent open SMTP relays.
DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Port=smtp')dnl
DAEMON_OPTIONS(`Name=MTA-v6, Family=inet6, Port=smtp')dnl
DAEMON_OPTIONS(`Name=MSP-v4, Family=inet, Port=submission')dnl
DAEMON_OPTIONS(`Name=MSP-v6, Family=inet6, Port=submission')dnl
LOCAL_DOMAIN(`ipv6-localhost')dnl
To assist hosts with IPv6 configured but no actual IPv6 connectivity, configure the secondary mail server with an IPv4 address only. If the primary server is not reachable over IPv6 then the secondary server will be used.
11. IMAP CourierIMAP and Dovecot IMAP work without configuration change. Restart the daemons so they bind to the IPv6 address.
12. System utilities
Most system daemons will work without change if the system is rebooted after IPv6 becomes available. When the daemon binds its listening port to interface addresses it will also bind to the IPv6 interface addresses.
Most utilities will try to use IPv6 and then try IPv4 if IPv6 is not present. Some system utilities have -4 and -6 switches to restrict operation to IPv4 or IPv6; this can be useful when there is a loss of IPv6 connectivity.
$ ssh example
$ ssh -4 example
$ ssh -6 example
Some diagnostic utilities use just IPv4, particularly traceroute and ping. IPv6 can be tested using traceroute6 and ping6.
$ ping example
$ ping6 example
$ traceroute example
$ traceroute6 example
Most performance measurement tools, such as ttcp and iperf, use IPv6.
Red Hat Linux includes the ipv6calc tool for manipulating IPv6 addresses in system scripts.
$ ipv6calc --action geneui64 --in mac --out eui64 00:17:f2:ca:79:2e
217:f2ff:feca:792e
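The derivation ipv6calc performs above, written out as an added example that is not part of the course material: it builds the modified EUI-64 from a MAC (universal/local bit flipped, ff:fe inserted), forms the host address on an EUI-64 /64, and does the reverse check section 14.3 later asks of switches, recovering the MAC an address claims and comparing it with the MAC seen on the port. The /64 and the second MAC are constructed; 00:17:f2:ca:79:2e is the page's.

```python
"""EUI-64 interface identifiers, as ipv6calc derives them in section 12.

Added example, not part of the AARNet course material. Besides the
derivation it does the check section 14.3 asks of switches: that an
EUI-64 address seen on a port really came from the MAC address seen on
that port. The /64 and the second MAC are constructed; 00:17:f2:ca:79:2e
is the page's own.
"""
import ipaddress
import re


def parse_mac(mac):
    """Six hex octets separated by ':' or '-', returned as 6 bytes."""
    parts = re.split(r"[:-]", mac.strip().lower())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{2}", p) for p in parts):
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(octets):
    """Canonical lower-case colon form, e.g. 00:17:f2:ca:79:2e."""
    return ":".join(f"{b:02x}" for b in octets)


def eui64_from_mac(mac):
    """Modified EUI-64 (RFC 4291): insert ff:fe between the OUI and the device
    part and flip the universal/local bit, 0x02 in the first octet."""
    b = parse_mac(mac)
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]


def eui64_text(mac):
    """The four-group form ipv6calc prints, e.g. 217:f2ff:feca:792e."""
    eui = eui64_from_mac(mac)
    groups = [int.from_bytes(eui[i:i + 2], "big") for i in range(0, 8, 2)]
    return ":".join(f"{g:x}" for g in groups)


def eui64_address(subnet, mac):
    """Address a host with `mac` forms on an 'ipv6 address ... eui-64' /64."""
    net = ipaddress.IPv6Network(subnet)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64")
    iid = int.from_bytes(eui64_from_mac(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_eui64_address(address):
    """MAC the interface identifier claims, or None when the identifier is not
    EUI-64 shaped (no ff:fe in the middle), e.g. a static or privacy address."""
    iid = int(ipaddress.IPv6Address(address)) & (2**64 - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    return format_mac(bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8])


def address_matches_port(address, port_mac):
    """Section 14.3 check: True/False if the address claims the MAC seen on the
    port; None when the identifier is not EUI-64 and cannot be checked this way."""
    claimed = mac_from_eui64_address(address)
    if claimed is None:
        return None
    return claimed == format_mac(parse_mac(port_mac))


if __name__ == "__main__":
    mac = "00:17:f2:ca:79:2e"
    print(eui64_text(mac))  # 217:f2ff:feca:792e, as ipv6calc prints
    addr = eui64_address("2001:388:1:201e::/64", mac)  # constructed /64
    print(addr, mac_from_eui64_address(addr))
    print(address_matches_port(addr, "00:12:34:56:78:9a"))  # different MAC: False
```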
13. Voice and multimedia
The good news is that the H.323 and SIP protocols can handle IPv6. Cisco's Skinny cannot, at least for now.
The bad news is that products which actually use IPv6 are scarce.
14. IPv6 deployment
14.1 IPv4 address exhaustion and equipment lifetimes
Both Geoff Huston [2] and Tony Hain [3] track the likely exhaustion date of the unallocated IPv4 address pool. The current estimate is 3 May 2011.
Equipment and software being purchased and deployed now will need to support mechanisms for overcoming IPv4 address exhaustion. IPv6 is one of those mechanisms.
A low point of the IT industry was its response to Y2K. This could have been handled in the five years before the event with little additional effort. Instead the approaching problem was simply ignored until too late. By then the risk was so large that a huge auditing and risk amelioration effort was required to address what was in actuality a rare risk.
IPv4 address exhaustion is in a similar position today. Early deployment of IPv6 is one step to avoiding a Y2K-style last-minute panic.
[2] http://www.potaroo.net/tools/ipv4/
[3] http://www.tndh.net/~tony/ietf/ipv4poolcombinedview.pdf
14.2 Firewalls
The deployment of IPv6 in a campus needs to ensure that existing firewalls for IPv4 have parallel rules for IPv6. In some cases the firewall software supports both IPv4 and IPv6 but no IPv6 firewall is configured, allowing unfettered access.
Nmap [4] supports IPv6. This can be used against all known hosts to ensure that hosts offer no more services to IPv6 than offered to IPv4.
14.3 Equipment
IPv4 and IPv6 are differing address families. Running IPv4 and IPv6 requires two sets of resources. Routers should have much more memory for routing tables than is required for just IPv4.
The allocation of resources needs to be dynamic. Allocating 25% of the CAM table to IPv6 addresses is not useful as the use of IPv6 grows.
In my experience, all products which claim to support IPv6 do not have the same feature set for IPv6 as they do for IPv4. For example, many NIC cards offer TCP checksum generation and TCP segment offload for IPv4 but not for IPv6.
IPv6 often requires newer software than may be advisable for production use. This used to be a major problem, but has become a lot better in the past two years.
Some products will support IPv6 in one plane but not the other. There are ethernet switches which support IPv6 management plane addresses but not IGMP6 snooping or the verification that IPv6 EUI-64 addresses match the MAC address seen on the port.
Conversely many routing products support IPv6 in the forwarding and control plane, but not in the management plane.
Please don't accept manufacturer assurances of IPv6 support. Probe deeper.
14.4 Management systems
Traffic accounting, provisioning, network management: very few of these support IPv6.
[4] http://insecure.org/nmap