IPv6 LAN

I just enabled IPv6 on my LAN, since next Wednesday is World IPv6 Test Day.

It was actually surprisingly simple. Here’s how:

  1. Since I don’t have a public IPv6 allocation, I picked a Unique Local Address (sort of the IPv6 equivalent of RFC 1918 private addresses). The Unique Local Address prefix I picked is fd00:1:2:3::/64 (originally written as fc00:1:2:3::/64). You could do the same, just change the 1:2:3 part (see IPv6 addresses). [Edit: see Alexander's comment]
  2. On a Linux server on my network, I edited /etc/radvd.conf. I uncommented the main block, and changed the prefix to the one I’d chosen above:
    interface eth0
    {
            AdvSendAdvert on;
            MinRtrAdvInterval 30;
            MaxRtrAdvInterval 100;
            prefix fd00:1:2:3::/64
            {
                    AdvOnLink on;
                    AdvAutonomous on;
                    AdvRouterAddr off;
            };
    };
    
  3. I enabled IPv6 forwarding on the same Linux server by adding the following line to /etc/sysconfig/network:
    IPV6FORWARDING=yes
    

    (Note this is likely to be different for Debian derivatives). I had to restart the network stack to make that change.

  4. I started up the radvd service:
    service radvd start
    chkconfig radvd on
    

That was it: the Linux machines on my network quickly acquired IPv6 addresses and I could ssh between them by number:

$ ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:E0:81:74:02:28  
          inet addr:192.168.0.128  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fd00:1:2:3:2e0:81ff:fe74:228/64 Scope:Global
          inet6 addr: fe80::2e0:81ff:fe74:228/64 Scope:Link
[...]
$ ssh fd00:1:2:3:224:d7ff:fe4c:7b78
The authenticity of host 'fd00:1:2:3:224:d7ff:fe4c:7b78 (fd00:1:2:3:224:d7ff:fe4c:7b78)' can't be established.
RSA key fingerprint is 92:2c:a1:e2:35:84:62:eb:d5:c9:a4:8d:f0:f2:c5:96.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'fd00:1:2:3:224:d7ff:fe4c:7b78' (RSA) to the list of known hosts.
Last login: Fri May  6 15:19:01 2011
$ last | head -1
rjones   pts/18       fd00:1:2:3:2e0:8 Thu Jun  2 17:48   still logged in

Now I just need to give them IPv6 DNS entries.

You need to be careful now since machines will be accessible over IPv6, which has implications for firewalls.
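
The addressing used above, as an added example that is not part of the original post: it builds a ULA /64 with a random 40-bit Global ID in the layout RFC 4193 defines (drawn here from the OS random source rather than the RFC's suggested hash construction), tells fc00::/8 from fd00::/8, and reproduces the MAC-derived SLAAC address from the ifconfig output. All function names are illustrative, and the reverse mapping shows that the interface MAC can be read back out of such an address.

```python
import ipaddress
import secrets
from typing import Optional

ULA_BLOCK = ipaddress.ip_network("fc00::/7")


def random_ula_prefix(subnet_id: int = 0, rand: Optional[bytes] = None) -> ipaddress.IPv6Network:
    """fd + 40-bit Global ID + 16-bit Subnet ID -> /64 (rand is only for repeatable tests)."""
    global_id = secrets.token_bytes(5) if rand is None else rand
    if len(global_id) != 5 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a 5-byte Global ID and a 16-bit Subnet ID")
    packed = b"\xfd" + global_id + subnet_id.to_bytes(2, "big") + bytes(8)
    return ipaddress.IPv6Network((int.from_bytes(packed, "big"), 64))


def ula_kind(prefix: str) -> str:
    """'local' for fd00::/8 (L bit 1), 'reserved' for fc00::/8 (L bit 0), else 'not-ula'."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 6 or not net.subnet_of(ULA_BLOCK):
        return "not-ula"
    return "local" if net.network_address.packed[0] & 0x01 else "reserved"


def slaac_eui64(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Modified EUI-64 interface ID: flip the universal/local bit, insert ff:fe in the middle."""
    net = ipaddress.IPv6Network(prefix)
    m = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if net.prefixlen != 64 or len(m) != 6:
        raise ValueError("need a /64 prefix and a 48-bit MAC")
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]
    return net[int.from_bytes(iid, "big")]


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC embedded in a SLAAC address, or None if the ID is not EUI-64 style."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    m = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in m)


if __name__ == "__main__":
    print("fresh prefix for radvd.conf:", random_ula_prefix(subnet_id=1))
    # MAC and prefix taken from the ifconfig output in the post
    print(slaac_eui64("fd00:1:2:3::/64", "00:E0:81:74:02:28"))
    # the ssh target from the post gives away its NIC's MAC
    print(mac_from_eui64("fd00:1:2:3:224:d7ff:fe4c:7b78"))
```
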


8 responses to “IPv6 LAN”

  1. Using a non-random prefix like xxx:1:2:3 defeats the intent of the RFC4193 (even in fc00 where “authority” ought to assign those). If you insist on doing that, you would be better off by using fec0:1:2:3/64.

    • rich

      I don’t get it.

      Although using fc00 above is a mistake, can’t I just use the fd00::/8 space for whatever I want?

      • The main difference between 192.168/16 and fec0/16 is that it is routine for IPv6 environments to have tons of addresses on each interface, while it’s impossible or uncommon to have several IPv4 addresses. Note that sorting only fixes the problem if one of the endpoints is on a routable address. If applications at both endpoints have both fec0 and 2000 addresses available to them, how are they to select? If they select 2000, they run a risk of public-routing internal traffic. If they select fec0, they may end up failing if they belong to different organizations. So, the fix is to make sure that everyone has a pseudo-unique address. The decision algorithm is simple, then: use prefix-matching to select an address. Or at least this is what I gather about the reasoning.

      • rich

        This would only be a problem for routing between LANs though? For my purposes I’m happy if it just works on my LAN. There’s no route for IPv6 traffic out (or in) from my LAN anyway.

      • FeRD (Frank Dana)

        In practice it probably won’t matter what addresses you use when all of the traffic is “internal”, because when you do have IPv6 transiting in and out of your network (presumably through a tunnelbroker, presumably routing through that same Linux server that you’ve already set up for IPV6FORWARDING and have radvd running on), you’ll be assigned a block of routable IPv6 addresses and you’ll modify /etc/radvd.conf to serve IPs out of that block instead of whatever private space you choose. So, at that point the private addresses will go away.
        (Therefore, it’s a good idea not to marry yourself to the numbering — use hostnames and avoid hardcoding any IPv6 addresses anywhere. Which is good advice in general, since by default your IPv6 hosts will build their IPs based partly on the interface MAC address… so even just swapping out a network card will change a given machine’s IP.)
        I *do* have IPv6 routing outside of my network, thanks to my tunnelbroker.net tunnel and the routed /64 they automatically assign, and my configs look almost exactly the same as yours. The only difference is the prefix configured in /etc/radvd.conf, and the extra configs in the server’s /etc/sysconfig/networking/profiles/default/ files to set up the tunnel.

      • Alexander Boström

        By using globally unique addresses even for local networks it becomes possible to route between these local networks (say, two companies merge and decide to link their internal networks) and avoid any need to ever renumber the internal networks. That’s why they designed the fd::/8 space to always contain a random number.

        “It’s not a problem for me, I won’t merge my network.” True, but it’s important that people understand why it’s designed this way so that they can make a conscious choice about following or violating it. That’s why you get these reactions when you write a “change the 1:2:3 part”. Too many will just pick 3:2:1 instead.

      • rich

        Thanks Alexander. This answer is very helpful. I’ve found it hard to get straight answers about IPv6.

  2. Also! If I decided to use the static assignment method, I’d use either fc01:0203:0405:1/64 or fc00:1:2:1/64 as the prefix. The '3' above goes into the local network number and why start from 3? I use 1 just to make it nonempty, zero should be fine too. The fc01:203:405:ffff/64 looks nice too.
