aarnet Australia's Academic and Research Network

IPv6 network day

1. Agenda

The previous two days' training investigated the IPv6 protocol and its configuration on Cisco Systems' IOS. Today this knowledge is put to use to construct a test network.

2. Test network

2.1 Topology

The test network is a sample university network.

Figure 1. Sample university network (ISP, Border, Firewall, Core, Switch).

To save time we will not configure a firewall, but will configure the network as if an OSPFv3-speaking firewall is in place.

2.2 Addressing

Each sample university is allocated an address range. From that you must develop an addressing plan which includes:

2.2.1 Host subnet addresses

These will be EUI-64 subnets. In a real network these addresses would be allocated in blocks which can be aggregated at each site edge. Our sample network is too small for this.

2.2.2 Link addresses for router-router links

These will be /64 subnets. ::1 is used for the upstream, ::2 for the downstream. Router addresses are often replicated throughout router configurations, so using a /64 is more maintainable than the dynamic interface addresses of EUI-64.

2.2.3 Control and administrative addresses for routers

Most networking equipment assigns the router an interface in the control plane. Cisco IOS typically uses “Loopback0”. This is a /128 address. Some routers treat higher addresses as administrative domain addresses by default, so reserve the highest /64 for loopback addresses.

The DNS entry for control plane addresses usually contains the name of the router. A typical naming scheme is function-count-location.net.example.edu.au, although variations are plentiful. Unfortunately some monitoring systems only record the left-hand side of the device name, so all the necessary information needs to be packed into that part of the name.

Some routers distinguish control plane addresses from administrative plane addresses. For example, JunOS has “lo0” in the control plane and “fxp0” in the administrative plane. Most administrative plane networks are unrouted. Depending upon your security stance this network may use private addresses or use a /64 with a gateway controlling access from the routed network.

2.3 Addresses available

Address prefix        Preliminary allocation
2001:388:3004::/48    University of
2001:388:3008::/48    CSIRO, Qld
2001:388:300C::/48    Queensland University of Technology
2001:388:3010::/48    University of Southern Queensland
2001:388:3014::/48    QMI
2001:388:3018::/48    Griffith University
2001:388:301C::/48    Central Queensland University
2001:388:3020::/48    Southern Cross University
2001:388:3024::/48    James Cook University
2001:388:3028::/48    Australian Catholic University, Qld

For the exercise we will need some temporary AS number allocations which do not duplicate any used in production networks. These AS numbers should not be used outside of this day.

Address allocation    AS number for exercise
2001:388:3004::/48    64750
2001:388:3008::/48    64751
2001:388:300C::/48    64752
2001:388:3010::/48    64753
2001:388:3014::/48    64754
2001:388:3018::/48    64755
2001:388:301C::/48    64756
2001:388:3020::/48    64757
2001:388:3024::/48    64758
2001:388:3028::/48    64759

Exercise 1

Each group will pretend to be one of the above institutions and develop an IPv6 addressing plan.
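As an added example (not part of the training notes), a short Python script that carves one of the /48 allocations above into the plan of section 2.2: EUI-64 host /64s, router-router link /64s with ::1 on the upstream and ::2 on the downstream router, and the highest /64 reserved for /128 loopbacks. The subnet and router names, and the choice to take host subnets from the bottom and link subnets from just below the loopback /64, are assumptions of this example.

```python
import ipaddress


def nth_64(allocation, index):
    """The index-th /64 inside a /48 (0 is the lowest, 65535 the highest)."""
    if not 0 <= index < 1 << 16:
        raise ValueError("a /48 holds only 65536 /64s")
    return ipaddress.IPv6Network((int(allocation.network_address) + (index << 64), 64))


def make_plan(allocation, host_subnets, router_links, routers):
    """Carve one institution's /48 into the plan described in section 2.2.

    allocation   -- the /48, e.g. "2001:388:3004::/48" from the table above
    host_subnets -- names of host (EUI-64) subnets, one /64 each
    router_links -- names of router-router links, one /64 each
    routers      -- names of routers needing a /128 loopback address

    Layout (an assumption of this example, not from the notes): host /64s
    come from the bottom of the /48, the loopback /64 is the highest /64
    (section 2.2.3) and link /64s are taken from just below it.
    """
    net = ipaddress.IPv6Network(allocation)
    if net.prefixlen != 48:
        raise ValueError("expected a /48 allocation")
    if len(host_subnets) + len(router_links) + 1 > 1 << 16:
        raise ValueError("allocation too small for this plan")

    plan = {"hosts": [], "links": [], "loopbacks": []}
    for i, name in enumerate(host_subnets):
        # Hosts derive their own interface identifier from the MAC (EUI-64),
        # so only the /64 is planned here.
        plan["hosts"].append((name, f"{nth_64(net, i)} eui-64"))

    top = (1 << 16) - 1
    for i, name in enumerate(router_links):
        link = nth_64(net, top - 1 - i)
        base = int(link.network_address)
        up = ipaddress.IPv6Address(base + 1)    # ::1 on the upstream router
        down = ipaddress.IPv6Address(base + 2)  # ::2 on the downstream router
        plan["links"].append((name, f"{up}/64", f"{down}/64"))

    loopback_net = nth_64(net, top)             # highest /64 of the allocation
    base = int(loopback_net.network_address)
    for i, name in enumerate(routers, start=1):
        plan["loopbacks"].append((name, f"{ipaddress.IPv6Address(base + i)}/128"))
    return plan


if __name__ == "__main__":
    # Constructed sample: two host subnets, one link and two routers.
    sample = make_plan("2001:388:3004::/48", ["staff", "students"],
                       ["core-border"], ["core-1", "border-1"])
    for section, entries in sample.items():
        print(section)
        for entry in entries:
            print("  ", *entry)
```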

3. Configure a host network

3.1 Activate IPv6

On routers, unlike hosts, IPv6 support is not usually activated by default.

ipv6 unicast-routing
ipv6 cef
ipv6 multicast-routing

3.2 Configure control plane address

interface Null0
 no ip unreachables

interface Loopback0
 description core-1-riverside.net.example.edu.au
 ip address 1.2.3.1 255.255.255.255
 ipv6 enable
 ipv6 address 2001:388:302b:ffff::1/128
 no ip redirects
 no ipv6 redirects
 no ip proxy-arp
 ip rsvp bandwidth
 no cdp enable
 service-policy input LOOPBACK0-IN-POLICY
 service-policy output LOOPBACK0-OUT-POLICY
 ip access-group LOOPBACK0-IN-LIST4 in
 ip access-group LOOPBACK0-OUT-LIST4 out
 ipv6 access-group LOOPBACK0-IN-LIST6 in
 ipv6 access-group LOOPBACK0-OUT-LIST6 out
 ip sap listen
 ip pim sparse-mode
 ipv6 ospf 64000 area 0

ip ftp source-interface Loopback0
ip telnet source-interface Loopback0
ip tftp source-interface Loopback0
ip flow-export source Loopback0
logging source-interface Loopback0
snmp-server trap-source Loopback0
ntp source Loopback0

3.3 EUI-64

EUI-64 interfaces are used on host-facing subnets.

interface GigabitEthernet0
 description gig0.core-1-riverside.net.example.edu.au
 ipv6 enable
 ipv6 address 2001:388:1:201E::/64 eui-64
 ipv6 verify unicast source reachable-via rx
 ipv6 access-group GIG0-IN-LIST6 in
 ipv6 access-group GIG0-OUT-LIST6 out
 ip access-group GIG0-IN-LIST4 in
 ip access-group GIG0-OUT-LIST4 out
 service-policy input GIG0-IN-POLICY
 service-policy output GIG0-OUT-POLICY
 ip flow ingress
 no ip proxy-arp
 ip pim sparse-mode
 ip igmp version 3
 ip igmp query-interval 125
 ip verify unicast source reachable-via rx
 no cdp enable
 ip rsvp bandwidth
 mpls traffic-eng tunnels
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 asdfjhaxs
 ipv6 ospf 64000 area 1.2.3.0
 ipv6 ospf priority 1

3.4 Explicit /64

Subnets with explicit addressing are used for links between routers. This allows interfaces to be replaced without altering the router configuration.

interface GigabitEthernet1
 ipv6 enable
 ipv6 address 2001:388:302b:fffc:1::1/64
 no ip proxy-arp
 no ip redirects
 no ipv6 redirects
 service-policy input GIG1-IN-POLICY
 service-policy output GIG1-OUT-POLICY
 ip pim sparse-mode
 ip igmp version 3
 ip igmp query-interval 125
 ip rsvp bandwidth
 mpls traffic-eng tunnels
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 asdfjhaxs
 ipv6 ospf 64000 area 0

3.5 Access lists

IOS implicitly adds this to the end of IPv6 access control lists:

permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any

Otherwise access lists work as you may expect. They use the most recent ACL syntax.

ipv6 access-list VTY-LIST6
 remark Administrative subnet
 permit ipv6 2001:388:1:2000::/64 any

service tcp-keepalives-in
service tcp-keepalives-out
service nagle
no service pad
service linenumber

line vty 0 4
 location Network
 transport preferred none
 transport input ssh
 transport output ssh telnet
 access-class VTY-LIST4 in
 ipv6 access-class VTY-LIST6 in
 password sadkfjks

Use access lists to limit packets passing through the forwarding and management planes. Use prefix lists to limit routes passing through the routing plane.

Exercise 2: Interfaces

Configure Loopback, Gig0 and Gig1 interfaces. Gig0 is an upstream interface to another router. Gig1 is a host interface to a switch.

Configure an access list.

4. Configure interior routing

IPv4 and IPv6 can use differing routing protocols: operating as “ships in the night” they do not exchange routing information. OSPFv3 is the recommended protocol: it is simpler than IS-IS to configure, but unlike RIP or EIGRP is capable enough for university-scale networks.

4.1 OSPF design pattern for IPv4 and IPv6

There are two types of subnets: those between routers, and those between routers and hosts. No subnet serves both purposes, as such mixed-purpose subnets cause difficulty with QoS admission, source address checking, and so on.

Subnets between routers which interconnect sites go into the backbone area, area 0. Subnets between routers within a site go into that site's stub area.

Each site is configured as a stub area. Subnets with hosts go into the site's stub area. At the edge between the stub area and the backbone the area's IP addresses are aggregated. This limits visibility of flapping interfaces to the one site. The site's stub area is named after the major aggregated IPv4 network at that site.

Interfaces which face hosts are configured with OSPF as “passive”; that is, not sending or receiving OSPF packets. This prevents hosts from injecting false routing information. Note that marking an interface passive still allows the interface's network to be advertised out non-passive interfaces.

The network core routers closest to the Internet links inject static routes which cover the address space allocation. Firewalls and other middleboxes on the path to the Internet link run OSPF. The border router to the Internet link uses the received OSPF route for the address space allocation to generate the BGP route to the ISP for the address space allocation. This design withdraws the BGP route if there is a failure in the border router, middleboxes or core router, thus allowing traffic to flow down any backup link.

The border router injects an OSPF default route, using the OSPF “external network” route type. These “external” routes cannot be compared to “internal” routes, so all internal traffic will flow to the external default route, no matter what the internal metrics. This OSPF default route is withdrawn if there is a failure in the border router, middleboxes or core router, thus allowing traffic to flow towards any backup link.

For planned maintenance, the BGP MED and the OSPF external route metric can be altered between the primary and backup router, which will swap the sense of primary and backup. On Cisco IOS some clever coding can make this a two-line change of the BGP import and export route-maps, making the router configuration change at the start of planned maintenance a low-risk one.

4.2 OSPF and IPv6

OSPFv2 uses fixed-length fields in an attempt to be more efficient than the competing protocol IS-IS, which uses TLV fields. Unfortunately this design choice means that a new version of the OSPF format was needed for IPv6; this is OSPFv3.

The area ID for OSPFv3 is still 32 bits, so area identifiers are still printed as if they were IPv4 addresses. Router IDs also remain at 32 bits.

It is possible to treat OSPFv2 and OSPFv3 as differing formats of the same OSPF protocol, although I know of no router which does so. However, it is wise to retain the same identifiers and topology between OSPFv2 and OSPFv3.

Since OSPFv3 need not carry IPv4 routes you should use OSPFv3 to carry IPv6 routes regardless of what IPv4 routing protocol you currently use.

OSPFv3 is configured on IOS differently from OSPFv2. It uses the Procket Networks' syntax of configuring the interface parts of the routing protocol in the “interface” stanza rather than in the “router ospf” stanza. This saves significant configuration hassle and removes messing about with reverse netmasks.

ipv6 router ospf 64600
 router-id 1.2.3.4
 log-adjacency-changes
 ! reference bandwidth is given in Mbit/s: 40000 makes a 40 Gbit/s link cost 1
 auto-cost reference-bandwidth 40000
 passive-interface default
 no passive-interface Loopback0
 no passive-interface GigabitEthernet0
 area 1.2.3.0 stub

interface Loopback0
 ipv6 ospf 64600 area 0

interface GigabitEthernet0
 ipv6 ospf 64600 area 0

interface GigabitEthernet1
 ipv6 ospf 64600 area 1.2.3.0

Note the use of the reference bandwidth to allow 40Gbps links to have a metric of 1 (best). By default 100Mbps links have a metric of 1. The reference bandwidth works well for campus networks: if you have an ISP network, use the one-way delay in tenths of a second as the interface metric, as latency is the cost you are trying to minimise.

Note the use of passive-interface default. Most interfaces are host subnetwork interfaces and these do not need to send or receive OSPF information.

Cisco's OSPFv3 implementation is less capable than their OSPFv2 implementation. It lacks recent features such as incremental shortest-path first algorithms, non-stop forwarding, graceful restart, VRFs and MPLS-TE.

Exercise 3: Interior routing

Configure OSPFv3 using area 0 for router-router links and a stub area for host links.

Optionally, aggregate the host links into a broader advertisement.

4.3 Static routes

A static route is useful for injecting a summary route at core routers. In the absence of BGP it is useful for inserting a default route at the last hop to the ISP. Use beyond these two cases should be done with caution.

To inject a summary route into the forwarding table use:

ipv6 route 2001:388:3038::/48 Loopback0 254 254

Note that this does not insert the route from the forwarding table into the routing protocol's table.

As Cisco's OSPFv3 lacks a “network” command the route is injected with a redistribution. This is very easy to stuff up: redistribute as few routes as possible and preferably none. In most circumstances the “summary-prefix” command will be a better choice.

ipv6 router ospf 64600
 redistribute static route-map STATIC-TO-OSPF64600-ROUTE6

route-map STATIC-TO-OSPF64600-ROUTE6 permit 10
 match ipv6 address prefix-list AGGREGATE-PREFIX6
 set tag 1
 set metric 1
 set metric-type type-1

ipv6 prefix-list AGGREGATE-PREFIX6 permit 2001:388:3038::/48

Note the use of OSPF external metric type 1. Type 1 routes can be compared with other type 1 routes and with OSPF interior routes; type 2 routes can only be compared with other type 2 routes. As a result type 1 routes have a varying metric, depending on the cost to the point of injection, whereas type 2 routes have the same metric throughout the network. Type 2 routes should be used for default routes. Type 1 routes should be used where we want to place an interior route into OSPF.
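An added Python model (not from the training notes) of the comparison rule just described, following RFC 2328 section 16.4: a router chooses between the same external prefix injected by several ASBRs, and the constructed scenario uses the type 1 aggregate of this section and the type 2 default of section 5.5. The router names and OSPF costs are assumptions of this example.

```python
def external_key(route):
    """Sort key implementing the OSPF AS-external route comparison (RFC 2328 16.4).

    route: dict with "asbr", "type" (1 or 2), "external" (the injected metric)
    and "cost" (this router's OSPF cost to reach the injecting router).
    Type 1 always beats type 2.  Type 1 compares external + cost to the ASBR;
    type 2 compares the external metric alone and only then the ASBR cost.
    """
    if route["type"] == 1:
        return (1, route["external"] + route["cost"], 0)
    return (2, route["external"], route["cost"])


def best_external(candidates):
    """The candidate this router installs for one external prefix."""
    return min(candidates, key=external_key)


def seen_metric(route):
    """Metric shown in this router's table: it grows with distance only for type 1."""
    return route["external"] + route["cost"] if route["type"] == 1 else route["external"]


# Constructed scenario.  Two core routers redistribute 2001:388:3038::/48 as
# type 1 metric 1 (section 4.3); the main and backup border routers originate
# ::/0 as type 2 with metrics 1 and 2 (section 5.5).  The costs are what a
# router two hops from core-1 and adjacent to the backup border would see.
AGGREGATE = [
    {"asbr": "core-1", "type": 1, "external": 1, "cost": 2},
    {"asbr": "core-2", "type": 1, "external": 1, "cost": 5},
]
DEFAULT = [
    {"asbr": "border-main", "type": 2, "external": 1, "cost": 7},
    {"asbr": "border-backup", "type": 2, "external": 2, "cost": 1},
]


def scenario():
    """Which ASBR wins for each prefix, and the metric this router sees."""
    agg = best_external(AGGREGATE)
    dflt = best_external(DEFAULT)
    return {"aggregate_via": agg["asbr"], "aggregate_metric": seen_metric(agg),
            "default_via": dflt["asbr"], "default_metric": seen_metric(dflt)}


if __name__ == "__main__":
    print(scenario())
    # Had the default been injected as type 1, the nearer backup border would win.
    print(best_external([dict(r, type=1) for r in DEFAULT])["asbr"])
```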

Exercise 4: Inject a route for the address allocation into OSPFv3

Use a default route and a redistribution to insert an OSPF route for your IPv6 address allocation into the core router(s).

4.4 OSPFv3 and IPSec

OSPFv2 uses an optional MD5 hash with a shared secret to prevent bogus route packets. OSPFv3 uses IPSec to authenticate routes.

interface GigabitEthernet0
 ipv6 ospf authentication ipsec spi 1 sha1 0 1234567890123456789012345678901234567890

Support for IPSec authentication varies across IOS releases. Inter-vendor OSPFv3 authentication is a nightmare of IPSec configuration.

4.5 No need to configure router advertisement

Hosts can use router advertisement to find IPv6 routers. This is most useful when multiple IPv6 routers service one host subnet.

IOS automatically configures router advertisement for IPv6. This is not so for JunOS.

5. Configure exterior routing

5.1 BGP design pattern

BGP can run between IPv4 interfaces and IPv6 interfaces. BGP can carry IPv4 routing information and IPv6 routing information. AARNet uses BGP between IPv4 interfaces to carry IPv4 routes and BGP between IPv6 interfaces to carry IPv6 routes.

To export a route, arrange for the route to appear in the forwarding table of the router. The best way to do this is to get the interior routing protocol to put it into the forwarding table. Putting the route into the forwarding table using a static route does not allow for backup links to be dynamically selected. Use route filtering to ensure that only the route to be advertised is exported. Set MED on the exported route; I suggest 100 for the main link and 101 for the backup link. Using MED for parallel links reserves the use of the :90 and :80 community for links to other ISPs. Strip communities with your AS number from advertised routes.

To import a route, discard bogon routes, discard routes with long prefixes, and accept the remainder. Set a maximum to the number of received routes which allows the router not to run out of memory even if all neighbours go crazy. On imported routes set the Local Preference to 100, unless a community of :90 or :80 suggests otherwise. Set a BGP community value indicating the router which learned the route.

To set the OSPF default route, try and get a BGP default route. If not, insert an OSPF route anyway using default-information originate always with a route map to remove the default route should the loss of a selected incoming route suggest a loss of connectivity (eg, if an anycast root DNS server becomes unreachable). Set an OSPF tag on the OSPF default route indicating how it was generated.

5.2 Configure BGP neighbour

BGP for IPv6 is basically the same as BGP for IPv4.

Firstly, establish a BGP routing process.

service tcp-keepalives-in
service tcp-keepalives-out
ip tcp timestamp
ip tcp path-mtu-discovery
ip bgp-community new-format

router bgp 64600
 bgp router-id 1.2.3.4
 bgp log-neighbor-changes
 bgp deterministic-med

Now establish the neighbouring with the ISP.

router bgp 64600
 neighbor 2001:388:3028:1::1 remote-as 64699
 neighbor 2001:388:3028:1::1 description ISP
 address-family ipv4 unicast
  no neighbor 2001:388:3028:1::1 activate
  no auto-summary
  no synchronization
 exit-address-family
 address-family ipv4 multicast
  no neighbor 2001:388:3028:1::1 activate
  no auto-summary
 exit-address-family
 address-family ipv6 unicast
  neighbor 2001:388:3028:1::1 activate
  neighbor 2001:388:3028:1::1 send-community
  neighbor 2001:388:3028:1::1 soft-reconfiguration inbound
  neighbor 2001:388:3028:1::1 route-map AS64699-1-MAIN-IN-ROUTE6 in
  neighbor 2001:388:3028:1::1 route-map AS64699-1-MAIN-OUT-ROUTE6 out
  no synchronization
 exit-address-family
 address-family ipv6 multicast
  neighbor 2001:388:3028:1::1 activate
  neighbor 2001:388:3028:1::1 send-community
  neighbor 2001:388:3028:1::1 soft-reconfiguration inbound
  neighbor 2001:388:3028:1::1 route-map AS64699-1-MAIN-IN-ROUTE6 in
  neighbor 2001:388:3028:1::1 route-map AS64699-1-MAIN-OUT-ROUTE6 out
 exit-address-family

Exercise 5: Configure BGP neighbour

Configure a BGP neighbour to the ISP. Don't worry about the route-map definitions.

5.3 Output route generation and filtering

We went to some trouble previously to put the summary route for our allocated network into OSPFv3 on the core router. Thanks to the marvels of routing protocols, that route is now in the border router's forwarding table.

All we need to do is import this forwarding table entry into the BGP routing table.

router bgp 64600
 address-family ipv6 unicast
  network 2001:388:3038::/48
 exit-address-family
 address-family ipv6 multicast
  network 2001:388:3038::/48
 exit-address-family

Note carefully that our routing has been designed so that this network will disappear from the BGP routing table if the link to the core router is lost. This stops traffic black-holing on a faulty main border-firewall-core link. Instead, the fault causes the BGP route to be withdrawn and traffic flows down the backup path.

BGP attributes are applied via a route map.

route-map AS64699-1-MAIN-OUT-ROUTE6 permit 10
 match ipv6 address prefix-list AS64600-PREFIX6
 set metric 100
 set comm-list AS64600-ANY-COMMUNITY delete

ipv6 prefix-list AS64600-PREFIX6 description AS64600 address allocation
ipv6 prefix-list AS64600-PREFIX6 permit 2001:388:3038::/48

! regular-expression matching needs an expanded list; 64600 is our own AS
ip community-list expanded AS64600-ANY-COMMUNITY permit 64600:.*

The route-map for the backup link is similar.

route-map AS64699-1-BACKUP-OUT-ROUTE6 permit 10
 match ipv6 address prefix-list AS64600-PREFIX6
 set metric 101
 set comm-list AS64600-ANY-COMMUNITY delete

Your router's configuration should try to allow just the names of the route-maps to be altered to change from Main to Backup function. This is very useful for planned maintenance.

Note that we explicitly set MED for both links. Not all routers make Cisco's assumption that the default MED is 100, some follow the BGP RFC and prefer routes with MED over routes without MED. Setting MED all the time removes any ambiguity.

We also deleted all of our AS's communities. There is no need to leak that information.

5.4 Input route filtering

The input filtering does three tasks: discard silly routes, implement BGP communities (:80, :90), and document the origin of the route.

We use …:10nnn as a POP counter and use …:2000n to indicate if the link is running as main or backup. The numbers are not special: they are chosen to be easily deleted by a regular expression and are greater than 1000 so they are out of the range usually used to communicate between ISPs.

route-map AS64699-1-MAIN-IN-ROUTE6 deny 10
 match ipv6 address prefix-list AS64600-PREFIX6
route-map AS64699-1-MAIN-IN-ROUTE6 deny 20
 match ipv6 address prefix-list DEFAULT-PREFIX6
route-map AS64699-1-MAIN-IN-ROUTE6 deny 30
 match ipv6 address prefix-list BOGON-PREFIX6
route-map AS64699-1-MAIN-IN-ROUTE6 permit 40
 match community AS64600-90-COMMUNITY
 set local-preference 90
 set community 64600:10001 64600:20001 additive
route-map AS64699-1-MAIN-IN-ROUTE6 permit 50
 match community AS64600-80-COMMUNITY
 set local-preference 80
 set community 64600:10001 64600:20001 additive
route-map AS64699-1-MAIN-IN-ROUTE6 permit 60
 set local-preference 100
 set community 64600:10001 64600:20001 additive

! Unspecified, loopback, IPv4-compatible, IPv6-mapped IPv4
ipv6 prefix-list BOGON-PREFIX6 permit ::/96 le 128
! Link local
ipv6 prefix-list BOGON-PREFIX6 permit fe80::/10 le 128
! Reserved (was site local)
ipv6 prefix-list BOGON-PREFIX6 permit fec0::/10 le 128
! Unique-local
ipv6 prefix-list BOGON-PREFIX6 permit fc00::/8 le 128
! Multicast
ipv6 prefix-list BOGON-PREFIX6 permit ff00::/8 le 128
! Documentation
ipv6 prefix-list BOGON-PREFIX6 permit 2001:db8::/32 le 128

ipv6 prefix-list DEFAULT-PREFIX6 permit ::/0

ip community-list standard AS64600-90-COMMUNITY permit 64600:90

ip community-list standard AS64600-80-COMMUNITY permit 64600:80

The configuration for a backup link is similar.

route-map AS64699-1-BACKUP-IN-ROUTE6 deny 10
 match ipv6 address prefix-list AS64600-PREFIX6
route-map AS64699-1-BACKUP-IN-ROUTE6 deny 20
 match ipv6 address prefix-list DEFAULT-PREFIX6
route-map AS64699-1-BACKUP-IN-ROUTE6 deny 30
 match ipv6 address prefix-list BOGON-PREFIX6
route-map AS64699-1-BACKUP-IN-ROUTE6 permit 40
 match community AS64600-90-COMMUNITY
 set local-preference 89
 set community 64600:10001 64600:20002 additive
route-map AS64699-1-BACKUP-IN-ROUTE6 permit 50
 match community AS64600-80-COMMUNITY
 set local-preference 79
 set community 64600:10001 64600:20002 additive
route-map AS64699-1-BACKUP-IN-ROUTE6 permit 60
 set local-preference 99
 set community 64600:10001 64600:20002 additive

The main link uses the common local-preference value of 100 and the common MED of 100. The backup link uses a worse local-preference value of 99 and a worse MED of 101.
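As an added example (not the router's configuration, and not code from the notes), a Python emulation of the inbound route-maps of this section run over a constructed set of routes from the ISP: the bogon, default and own-allocation denies, the :90/:80 community handling, the main/backup local preference and the origin communities. The "long prefix" limit of /48 is this example's assumption, since section 5.1 asks for it but gives no length.

```python
import ipaddress

OUR_AS = 64600
OWN_ALLOCATION = ipaddress.IPv6Network("2001:388:3038::/48")  # AS64600-PREFIX6
DEFAULT_ROUTE = ipaddress.IPv6Network("::/0")                 # DEFAULT-PREFIX6
# BOGON-PREFIX6: each entry is "permit P le 128", i.e. P itself or anything inside it.
BOGONS = [ipaddress.IPv6Network(p) for p in
          ("::/96", "fe80::/10", "fec0::/10", "fc00::/8", "ff00::/8", "2001:db8::/32")]
# Section 5.1 says to discard long prefixes; /48 is this example's assumed limit.
LONGEST_ACCEPTED = 48


def in_bogon_list(prefix):
    """Emulate BOGON-PREFIX6: prefix equal to, or more specific than, an entry."""
    return any(prefix.subnet_of(bogon) for bogon in BOGONS)


def inbound_policy(route, link):
    """Apply AS64699-1-MAIN-IN-ROUTE6 or AS64699-1-BACKUP-IN-ROUTE6 to one route.

    route -- dict with "prefix" (text) and "communities" (set of "asn:value")
    link  -- "main" or "backup"
    Returns None when the route-map denies the route, otherwise a new dict
    carrying the local preference and communities the route-map would set.
    """
    prefix = ipaddress.IPv6Network(route["prefix"])
    if prefix == OWN_ALLOCATION:              # deny 10: never learn our own route
        return None
    if prefix == DEFAULT_ROUTE:               # deny 20: the default is handled in 5.5
        return None
    if in_bogon_list(prefix):                 # deny 30
        return None
    if prefix.prefixlen > LONGEST_ACCEPTED:   # "discard routes with long prefixes"
        return None
    comms = set(route["communities"])
    if f"{OUR_AS}:90" in comms:               # permit 40
        local_pref = 90
    elif f"{OUR_AS}:80" in comms:             # permit 50
        local_pref = 80
    else:                                     # permit 60
        local_pref = 100
    marker = f"{OUR_AS}:20001"                # learned on the main link
    if link == "backup":
        local_pref -= 1                       # 89 / 79 / 99: always worse than main
        marker = f"{OUR_AS}:20002"
    comms |= {f"{OUR_AS}:10001", marker}      # POP counter and main/backup, additive
    return {"prefix": str(prefix), "local_preference": local_pref, "communities": comms}


def best_path(paths):
    """The BGP decision step that decides here: highest local preference wins."""
    return max(paths, key=lambda p: p["local_preference"])


# Constructed sample of what the ISP might announce on both links.
RECEIVED = [
    {"prefix": "2001:388:1::/48", "communities": set()},
    {"prefix": "2001:388:2::/48", "communities": {"64600:90"}},
    {"prefix": "2001:388:3038::/48", "communities": set()},    # our own allocation
    {"prefix": "::/0", "communities": set()},                  # default route
    {"prefix": "2001:db8:1::/48", "communities": set()},       # documentation bogon
    {"prefix": "2001:388:1:2000::/64", "communities": set()},  # longer than /48
]


def accepted(link):
    """Prefixes that survive the inbound route-map on the given link."""
    return [r["prefix"] for r in (inbound_policy(x, link) for x in RECEIVED) if r]


if __name__ == "__main__":
    for link in ("main", "backup"):
        print(link, accepted(link))
    both = [inbound_policy(RECEIVED[0], "main"), inbound_policy(RECEIVED[0], "backup")]
    print("chosen:", best_path(both))
```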

Exercise 6: Configure BGP policy

Augment the BGP neighbouring with a policy. Verify that the BGP advertisement of our address allocation is withdrawn when the link between the border router and the core router is down.

5.5 Default route injection

The final task is to inject a default route. In a multiple-link scenario it is best to ask the ISP to generate a default route. Tweak the route-map to permit the default route.

ipv6 router ospf 64600
 default-information originate route-map OSPF64600-DEFAULT-ROUTE6

route-map OSPF64600-DEFAULT-ROUTE6 permit 10
 match ipv6 address prefix-list DEFAULT-PREFIX6
 match community MAIN-COMMUNITY
 set metric 1
 set metric-type type-2
route-map OSPF64600-DEFAULT-ROUTE6 permit 20
 match ipv6 address prefix-list DEFAULT-PREFIX6
 match community BACKUP-COMMUNITY
 set metric 2
 set metric-type type-2
route-map OSPF64600-DEFAULT-ROUTE6 permit 30
 match ipv6 address prefix-list DEFAULT-PREFIX6
 set metric 9999
 set metric-type type-2

ip community-list standard MAIN-COMMUNITY permit 64600:20001

ip community-list standard BACKUP-COMMUNITY permit 64600:20002

We use the main/backup community on the learned default route to set the metric on the OSPFv3 default route.

Alternatively, use the address of a popular prefix (such as the root DNS servers) to trigger the default injection. Mark the prefix with a community string and use the presence of that community to inject default. On a commit-less configuration language like IOS this allows the golden network to be altered without dropping the injection of the OSPF default.

Exercise 7: Inject a default into OSPF

Inject a default route into OSPF. Verify that the default route injection is withdrawn if the BGP neighbouring fails.

6. Netflow

Cisco's many NetFlow formats all encode the length of the IPv4 address in their formats. Cisco moved to a template-based format for NetFlow v9; this also solved the problems Cisco were facing with the explosion in the number of NetFlow aggregation types.

The popular flow-tools package does not support NetFlow v9, reflecting a slowing of flow-tools development in recent years. Good alternatives seem to be flowc and pmacct, but an evaluation is called for. You can verify the operation of NetFlow using Wireshark to capture and decode the NetFlow packets.

ipv6 flow-export version 9 origin-as
ipv6 flow-export destination 1.2.3.4 9991
ipv6 flow-export template
ipv6 flow-export source Loopback0
ipv6 flow-cache timeout active 5

interface GigabitEthernet1
 description Internet link
 ipv6 flow cache
 ipv6 flow ingress

The cost of implementing NetFlow v9 and extending accounting systems to IPv6 addresses is a major administrative cost in implementing IPv6. Do not buy a traffic accounting system that cannot handle IPv6: otherwise you will be buying another one within four years.

Exercise 8: Configure NetFlow

Configure NetFlow accounting for traffic out the Internet interface. Verify that NetFlow packets are produced. (You might want to drop the cache time-out to one minute to avoid waiting.)

7. Activating IPv6 on hosts

7.1 Interface configuration

Ubuntu Linux runs IPv6 by default. Just restart the computer so that the interface obtains an IPv6 address and servers bind to the IPv6 address.

Red Hat Enterprise Linux and Fedora need /etc/sysconfig/network modified.

NETWORKING=yes
NETWORKING_IPV6=yes
HOSTNAME=example

Each interface is defined in /etc/sysconfig/network-scripts/ifcfg-*. Alter the configuration to start IPv6.

DEVICE=eth0
BOOTPROTO=dhcp
HWADDR=00:12:34:56:78:9A
ONBOOT=yes
DHCP_HOSTNAME=example
TYPE=
IPV6INIT=yes
# Set these for servers
PERSISTENT_DHCLIENT=no
ZEROCONF=no

Use ifconfig to display the allocated IP address:

$ ifconfig eth0

7.2 Host firewalls

TCP Wrapper is configured using two files, /etc/hosts.allow and /etc/hosts.deny. The usual security stance has hosts.deny preventing unexpected connections:

ALL: ALL

Obviously we need to let traffic internal to the machine connect, so the local IPv6 address as well as the local IPv4 address should be present in hosts.allow:

ALL: 127.
ALL: [::1]/128

The remainder of hosts.allow contains entries for each allowed service.

sshd: ALL

The Linux firewall iptables has an IPv6 variant named ip6tables. This uses the same underlying technology as iptables.

In Red Hat Linux or Fedora there is an IPv4 and IPv6 firewall configured during installation. The firewall configuration can be modified using system-config-securitylevel, which modifies the default firewall.

If you need to configure a more complex firewall than the eye candy allows then start the firewall for both IPv4 and IPv6,

# service iptables start
# service ip6tables start

use iptables and ip6tables to configure the firewall, then save the results.

# service iptables save
# service ip6tables save

You can display any running IPv6 firewall using ip6tables -n --list. The configuration files in /etc/sysconfig/iptables and /etc/sysconfig/ip6tables contain the saved configuration of the firewall.

Ubuntu has no default firewall. An IPv4 firewall can be configured using Firestarter, but there is no convenient tool for IPv6. See Ubuntu's IptablesHowTo [1] for the procedure for the manual configuration of iptables; similar steps can be used to configure ip6tables.

8.

8.1 DHCPv6

ipv6 dhcp pool DHCP6
 ! Supplied using autoconf
 ! prefix-delegation 2001:388:xxxx:xxxx::/64 00xx
 dns-server 2001:388:3000:40::40

interface …
 ipv6 dhcp server DHCP6
 ipv6 nd other-config-flag

8.2 Records

The DNS for IPv6 works much the same as DNS for IPv4.

There is a new AAAA record type for IPv6 which does the same task as the A record for IPv4.

$ORIGIN example.edu.au.
fred    IN A    1.2.3.4
fred    IN AAAA 2001:8b0:c5:1::1

[1] https://help.ubuntu.com/community/IptablesHowTo

The PTR record is extended for IPv6 addresses. Each nybble (4 bits) of the reversed IPv6 address is separated by a dot. Thus DNS resolution can be delegated at any digit in the IPv6 hexadecimal address. For example, 2001:8b0:c5:1::1 becomes:

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.5.c.0.0.0.b.8.0.1.0.0.2.ip6.arpa. IN PTR fred.example.edu.au.

There is an alternative bitlabel format, which isn't much better but at least isn't backward.

\[x200108B000C500010000000000000001/128].ip6.arpa. IN PTR fred.example.edu.au.

Obviously you want to use a tool to generate the reverse file.
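An added Python generator for that reverse file (not a tool from the notes): it produces the nybble form and the bit-label form shown above, the ip6.arpa zone delegated for a prefix, and the PTR lines for the AAAA data of a forward zone. The fred record is the page's; the other two forward records and the /48 delegation are constructed.

```python
import ipaddress


def nibble_name(address):
    """Owner name of the PTR record for a /128 address, nybble per label (section 8.2)."""
    hexdigits = ipaddress.IPv6Address(address).exploded.replace(":", "")
    return ".".join(reversed(hexdigits)) + ".ip6.arpa."


def bitlabel_name(address):
    """The alternative bit-string label form of the same owner name."""
    return "\\[x%032X/128].ip6.arpa." % int(ipaddress.IPv6Address(address))


def reverse_zone(prefix):
    """The ip6.arpa zone delegated for a prefix; delegation is per nybble, so
    the prefix length must be a multiple of 4."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa delegation happens on 4-bit boundaries")
    hexdigits = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(hexdigits)) + ".ip6.arpa."


def ptr_records(forward_records, zone):
    """PTR lines for one reverse zone, built from (owner, address) AAAA data.

    Addresses outside the delegated zone are skipped; owners are written
    relative to the zone so the output can sit under a matching $ORIGIN.
    """
    lines = []
    for owner, address in forward_records:
        full = nibble_name(address)
        if not full.endswith("." + zone):
            continue
        relative = full[: -(len(zone) + 1)]
        lines.append(f"{relative} IN PTR {owner}")
    return lines


# Forward data: fred is the page's example, the other two are constructed.
FORWARD = [
    ("fred.example.edu.au.", "2001:8b0:c5:1::1"),
    ("wilma.example.edu.au.", "2001:8b0:c5:2::10"),
    ("other.example.edu.au.", "2001:8b0:c6::1"),   # outside the delegated /48
]


def reverse_file(prefix="2001:8b0:c5::/48", forward=FORWARD):
    """Text of the reverse zone file for the delegated prefix."""
    zone = reverse_zone(prefix)
    return "\n".join([f"$ORIGIN {zone}"] + ptr_records(forward, zone)) + "\n"


if __name__ == "__main__":
    print(bitlabel_name("2001:8b0:c5:1::1"))
    print(reverse_file())
```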

Rather than maintain the file by hand, using dynamic DNS is a good option. This implies moving host names into their own part of the DNS hierarchy.

This is a good idea in any case, as DNSSEC deployment works best if publicly-known DNS names have distinct parts of the site's DNS hierarchy.

8.3 Resolution

DNS resolution under Windows Vista attempts to resolve DNS names to IPv6 addresses if any external interface has been assigned a non-local IPv6 address. Linux's glibc will shortly use the same conditions.

When attempting to resolve a DNS name an AAAA query is sent. On success the returned IPv6 address is used. On failure or timeout an A query is sent. On success the returned IPv4 address is used.

Note that some broken firewalls discard DNS queries for an AAAA record type. This is a misconfiguration: an ICMP Administratively Denied message should always be sent by a firewall when discarding outgoing traffic. This behaviour leads to the AAAA query timing out before an A query is tried, so all DNS lookups happen slowly when the host activates IPv6.

8.4 Load

The larger IPv6 address increases the size of DNS responses. Support for the larger packet size of EDNS0 avoids queries having to fall back to TCP. Even so, misconfigured firewalls which prevent DNS over TCP will be more apparent when using IPv6.

9. Web

HTTP and HTTPS both work over IPv6. Apache and other popular web servers have mature support for IPv6. These servers usually just require a restart to bind to the IPv6 address. Sometimes you will need to code the IPv6 address in /etc/httpd/conf/httpd.conf, something like this:

Listen 0.0.0.0:80
Listen [::]:80

IPv6 has a lot of address space, so you can configure address-based virtual servers in preference to name-based virtual servers. You might want to do this as HTTPS certificates don't work well with name-based servers.

10. SMTP

Sendmail and other popular mail transfer agents have mature support for IPv6. Networking other than localhost is usually not activated in the default configuration, to prevent open SMTP relays.

DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Port=smtp')dnl
DAEMON_OPTIONS(`Name=MTA-v6, Family=inet6, Port=smtp')dnl
DAEMON_OPTIONS(`Name=MSP-v4, Family=inet, Port=submission')dnl
DAEMON_OPTIONS(`Name=MSP-v6, Family=inet6, Port=submission')dnl
LOCAL_DOMAIN(`ipv6-localhost')dnl

To assist hosts with IPv6 configured but no actual IPv6 connectivity, configure the secondary mail server with an IPv4 address only. If the primary server is not reachable over IPv6 then the secondary server will be used.

11. IMAP

Courier-IMAP and Dovecot IMAP work without configuration change. Restart the daemons so they bind to the IPv6 address.

12. System utilities

Most system daemons will work without change if the system is rebooted after IPv6 becomes available. When the daemon binds its listening port to interface addresses it will also bind to the IPv6 interface addresses.

Most utilities will try to use IPv6 and then try IPv4 if IPv6 is not present. Some system utilities have -4 and -6 switches to restrict operation to IPv4 or IPv6; this can be useful when there is a loss of IPv6 connectivity.

$ ssh example
$ ssh -4 example
$ ssh -6 example

Some diagnostic utilities use just IPv4, particularly traceroute and ping. IPv6 can be tested using traceroute6 and ping6.

$ ping example
$ ping6 example
$ traceroute example
$ traceroute6 example

Most performance measurement tools, such as ttcp and iperf, use IPv6.

Red Hat Linux includes the ipv6calc tool for manipulating IPv6 addresses in system scripts.

$ ipv6calc --action geneui64 --in mac --out eui64 00:17:f2:ca:79:2e
217:f2ff:feca:792e
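An added Python example (not ipv6calc's code, and not from the notes) that performs the same modified EUI-64 derivation as the ipv6calc command above and the eui-64 interfaces of section 3.3, and extends it to a check that an address seen on a port carries the EUI-64 of a known MAC. The MAC and the 2001:388:1:201E::/64 subnet are the page's; the check function is this example's own.

```python
import ipaddress


def mac_to_eui64(mac):
    """Modified EUI-64 interface identifier of a 48-bit MAC, as a 64-bit int.

    RFC 4291 appendix A: split the MAC in half, insert ff:fe between the
    halves and invert the universal/local bit (0x02) of the first octet.
    """
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC such as 00:17:f2:ca:79:2e")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def iid_text(mac):
    """The identifier in the four-group form ipv6calc prints (leading zeros dropped)."""
    iid = mac_to_eui64(mac)
    return ":".join(f"{(iid >> shift) & 0xffff:x}" for shift in (48, 32, 16, 0))


def eui64_address(prefix, mac):
    """Address a host with this MAC forms on an 'ipv6 address P/64 eui-64' subnet."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64")
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_eui64(mac))


def address_matches_mac(address, mac):
    """Do the low 64 bits of an observed address equal the EUI-64 of this MAC?

    Hosts using RFC 4941 privacy addresses legitimately fail this check, so a
    mismatch is something to look at, not proof that the address is forged.
    """
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    return iid == mac_to_eui64(mac)


if __name__ == "__main__":
    mac = "00:17:f2:ca:79:2e"
    print(iid_text(mac))
    print(eui64_address("2001:388:1:201E::/64", mac))
    print(address_matches_mac("2001:388:1:201e:217:f2ff:feca:792e", mac))
```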

13. Voice and multimedia

The good news is that the H.323 and SIP protocols can handle IPv6. Cisco's Skinny cannot, at least for now.

The bad news is that products which actually use IPv6 are scarce.

14. IPv6 deployment

14.1 IPv4 address exhaustion and equipment lifetimes

Both Geoff Huston [2] and Tony Hain [3] track the likely exhaustion date of the unallocated IPv4 address pool. The current estimate is 3 May 2011.

Equipment and software being purchased and deployed now will need to support mechanisms for overcoming IPv4 address exhaustion. IPv6 is one of those mechanisms.

A low point of the IT industry was its response to Y2K. This could have been handled in the five years before the event with little additional effort. Instead the approaching problem was simply ignored until too late. By then the risk was so large that a huge auditing and risk amelioration effort was required to address what was in actuality a rare risk.

IPv4 address exhaustion is in a similar position today. Early deployment of IPv6 is one step to avoiding a Y2K-style last-minute panic.

[2] http://www.potaroo.net/tools/ipv4/
[3] http://www.tndh.net/~tony/ietf/ipv4-pool-combined-view.pdf

14.2 Firewalls

The deployment of IPv6 in a campus needs to ensure that existing firewalls for IPv4 have parallel rules for IPv6. In some cases the firewall software supports both IPv4 and IPv6 but no IPv6 firewall is configured, allowing unfettered access.

Nmap [4] supports IPv6. This can be used against all known hosts to ensure that hosts offer no more services over IPv6 than they offer over IPv4.

14.3 Equipment

IPv4 and IPv6 are differing address families. Running IPv4 and IPv6 requires two sets of resources. Routers should have much more memory for routing tables than is required for just IPv4.

The allocation of resources needs to be dynamic. Allocating 25% of the CAM table to IPv6 addresses is not useful as the use of IPv6 grows.

In my experience, no product which claims to support IPv6 has the same feature set for IPv6 as it does for IPv4. For example, many NICs offer TCP checksum generation and TCP segment offload for IPv4 but not for IPv6.

IPv6 often requires newer software than may be advisable for production use. This used to be a major problem, but has become a lot better in the past two years.

Some products will support IPv6 in one plane but not the other. There are ethernet switches which support IPv6 management plane addresses but not IGMP6 snooping or the verification that IPv6 EUI-64 addresses match the MAC address seen on the port.

Conversely many routing products support IPv6 in the forwarding and control plane, but not in the management plane.

Please don't accept manufacturer assurances of IPv6 support. Probe deeper.

14.4 Management systems

Traffic accounting, provisioning, network management: very few of these systems support IPv6.

[4] http://insecure.org/nmap
