Ipv6

From Stu2

Notes about IPv6

Manual Configurations

Using iproute2 commands to add an address to an interface.

ip -6 addr add <IPv6>/<MASK> dev eth0
ip -6 route add default via <IPv6 GW>

To see the routing table:

ip -6 route show

<IP>::/64 dev eth0  proto kernel  metric 256 
fe80::/64 dev eth0  proto kernel  metric 256 
default via <IP> dev eth0  metric 1024 

Setting up the tunnel

In /etc/network/interfaces:

iface eth0 inet6 static
  pre-up modprobe ipv6
  address 2001:470:x:x::1 -> address of the physical interface (my internal network)
  gateway 2001:470:y:y::2 -> My side of the tunnel
  netmask 64              -> /64 

# Set up the tunnel
auto tun6
iface tun6 inet6 v4tunnel 
     address  2001:470:y:y::2       -> this side of the tunnel
     netmask  64
     endpoint 216.66.22.2           -> IPv4 endpoint
     up ip -6 route add 2001:470:x:x::/64 dev eth0  -> route my network out eth0 
     up ip -6 route add 2000::/3 dev tun6             -> everything else goes over the tunnel
     down ip -6 route flush dev tun6
     down ip -6 route flush dev eth0 

Set up the firewall to account for IPv6 (deny all unless expressly permitted). IPv6 addresses are fully routable; there is no more NAT hiding the hosts.

Adding the default gateway from the command line:

 ip -6 route add default dev tun6

Sometimes, the tunnel doesn't come up on reboot. So you can do this:

ip link set tun6 down
ip link set tun6 up
ip -6 route add default dev tun6

Raspberry Pi and IPv6

Expletive. I spent hours figuring this out. The above doesn't work on a Raspberry Pi. 1) Some fine person made the decision to scrap /etc/network/interfaces in favor of dhcpcd5. 2) /etc/network/interfaces doesn't work the way you think.

Here's what I did to get IPv6 working with Hurricane Electric.

apt-get remove dhcpcd5

Create a file as per the HE instructions (verbatim with the #!/bin/bash added) and put it into /etc/network/if-up.d/ipv6:

#!/bin/bash
modprobe ipv6
ip tunnel add tun6 mode sit remote 216.66.22.2 local <IP address of outside Interface> ttl 255
ip link set tun6 up
ip addr add <ipv6 address of endpoint>/64 dev tun6
ip route add ::/0 dev tun6
ip -f inet6 addr

Next, fix /etc/network/interfaces like this:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
   address 192.168.x.x                # IPv4 address of eth0
   netmask 255.255.255.0          
   up ip -6 addr add y:y/64 dev eth0  # IPv6 address of eth0

auto eth1
iface eth1 inet static
   address 192.168.z.z                # IPv4 address of eth1
   netmask 255.255.255.0
   gateway 192.168.G.G                # gateway address
   up ip -6 addr add z:z/64 dev eth1  # IPv6 address of eth1

The key point is to use the iproute2 commands in the file. The old way, where you use 'iface eth1 inet6 static', doesn't work!!! Why did they screw this up?

The file, /etc/network/if-up.d/ipv6 will execute after the network interfaces are set up. This will set up the HE tunnel. Don't forget to turn on the IPv6 firewall because the tunnel opens your network to the outside.

Scapy

Manual traceroute. Increment hlim, send SYN packets to port 80.

>>> ans,unans=sr(IPv6(dst="www.google.com",hlim=(1,8))/TCP(dport=[80],flags="S"))
>>> for snd,rcv in ans:
...     print(snd.hlim, rcv.src)
... 

There is a built in traceroute6 function, too:

>>> traceroute6("mail.server.gov",maxttl=6)

To send a packet directly to a service, do this:

>>> sr1(IPv6(dst="www.server.com")/TCP(dport=[80],flags="S"))

You should get a SYN/ACK packet back.

Since the kernel isn't listening on the src port, it may send a RST back to the web server. Or, it may not, in which case you can close the connection manually like this:

>>> send(IPv6(dst="www.server.com")/TCP(dport=[80],flags="R"))

Sometimes, the kernel may

Generating IPv6 Addresses

Router advertisements are necessary for 1) gathering the default route and 2) potentially developing host addresses. Host addresses are created based on the M, O and A flags.

M is the managed flag: if set, get addresses from DHCPv6 and ignore the O flag. (Ignoring the O flag is key to unraveling the mystery.) O is the Other flag: if set, get other info from DHCPv6. The A flag is the autonomous flag, which tells the host to generate an address. If stateful DHCPv6 is on (M=1) and the A flag is 1, the host will generate multiple IPv6 addresses: one from DHCPv6 and perhaps two from autoconfiguration (a stable and a temporary address). The L flag is the on-link flag. Note: most modern operating systems generate 'stable' addresses instead of EUI-64 (RFC 7217).

M=1       Stateful DHCPv6. DHCPv6 is used for addresses and other information, ignore O flag.
M=0 O=0   SLAAC, use network prefix in RA to generate address. (stable or temporary based on host's settings)
M=0 O=1   Stateless DHCPv6, use network prefix in RA to generate address, but get info from DHCPv6.

A = 1     Host will generate an address.
A = 0     Host will not generate an address. (e.g. static addresses everywhere)

L = 1     Host can communicate with other hosts on the subnet
L = 0     Host will send all traffic to the router (Might be a way to micro-segment at the cost of a bottle neck.)

Radvd.conf
interface enp1s0
{
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    # M Flag 
    AdvManagedFlag on;
    # O Flag
    AdvOtherConfigFlag on;

    # Prefix for LAN
    prefix 2002:490:ffff:dead::/64
    {
      # On-link flag
      AdvOnLink on;
      # Host will create address
      AdvAutonomous on;
      # Send Interface address, must be on.
      AdvRouterAddr on;
    };
};

OPNsense has these modes:

              M  O  A  L
Router Only               Static addressing
Unmanaged           X  X  SLAAC
Stateless        X  X  X  Stateless DHCPv6 + SLAAC
Managed       X  X     X  Stateful DHCPv6 only
Assisted      X  X  X  X  Stateful DHCPv6 + SLAAC

Note that IPv6 addresses provided via DHCPv6 will show as /128 because the DHCPv6 exchange doesn't include the network prefix length.
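As an added example (not part of the original page), a decoder for the ICMPv6 Router Advertisement bytes that carry the M, O, A and L flags described above, plus the M/O/A decision table applied to the result. The sample packet is constructed here to mirror the radvd.conf above; its MAC address is made up and its checksum is left at zero.

```python
import ipaddress
import struct

RA_TYPE = 134          # ICMPv6 Router Advertisement (RFC 4861)
PREFIX_INFO_OPT = 3    # Prefix Information option carrying the L and A flags

def parse_ra(payload):
    """Decode an ICMPv6 RA: M and O from the header, L and A per prefix option.
    The checksum is not verified (that needs the IPv6 pseudo-header)."""
    if len(payload) < 16 or payload[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    hlim, flags, lifetime, _reach, _retrans = struct.unpack("!BBHII", payload[4:16])
    ra = {"hop_limit": hlim, "M": bool(flags & 0x80), "O": bool(flags & 0x40),
          "router_lifetime": lifetime, "prefixes": []}
    off = 16
    while off + 2 <= len(payload):                 # walk the TLV options
        opt_type, opt_len = payload[off], payload[off + 1]
        end = off + opt_len * 8                    # length is in units of 8 octets
        if opt_len == 0 or end > len(payload):     # RFC 4861: discard malformed packets
            raise ValueError("malformed ND option")
        if opt_type == PREFIX_INFO_OPT and opt_len == 4:
            plen, pflags, valid, pref = struct.unpack("!BBII", payload[off + 2:off + 12])
            prefix = ipaddress.IPv6Address(payload[off + 16:off + 32])
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}", "L": bool(pflags & 0x80),
                                   "A": bool(pflags & 0x40), "valid": valid, "preferred": pref})
        off = end
    return ra

def address_sources(ra):
    """The M/O/A rules from the table above: M=1 -> DHCPv6 hands out addresses and O is
    ignored; O=1 alone -> DHCPv6 only for other info; any prefix with A=1 -> SLAAC."""
    sources = set()
    if ra["M"]:
        sources.add("DHCPv6 address")
    if ra["M"] or ra["O"]:
        sources.add("DHCPv6 other info")
    if any(p["A"] for p in ra["prefixes"]):
        sources.add("SLAAC address")
    return sources

def sample_ra(m=True, o=True):
    """Constructed RA mirroring the radvd.conf above (hop limit 64, lifetime 1800 s, one /64
    with L and A set) plus a source link-layer option with a made-up MAC, which is skipped."""
    flags = (0x80 if m else 0) | (0x40 if o else 0)
    hdr = bytes([RA_TYPE, 0, 0, 0]) + struct.pack("!BBHII", 64, flags, 1800, 0, 0)
    sll = bytes([1, 1]) + bytes.fromhex("001122334455")
    pfx = ipaddress.IPv6Address("2002:490:ffff:dead::").packed
    pio = (bytes([PREFIX_INFO_OPT, 4, 64, 0x80 | 0x40]) + struct.pack("!II", 86400, 14400)
           + b"\x00" * 4 + pfx)
    return hdr + sll + pio
```

Feeding the decoder the RA bytes captured from your own router (e.g. from a pcap) is a quick way to confirm the flags the router actually sends match the intended OPNsense or radvd mode.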

Good reference: https://learningnetwork.cisco.com/s/blogs/a0D3i0000033K6zEAE/analyzing-dhcpv6-stateful-and-stateless

Tayga for NAT64

It seems simple, but the examples don't tell the whole story. It's simple in Ubuntu. Just install tayga, then edit /etc/tayga.conf and /etc/default/tayga. This works fine with HE.net tunnels.

/etc/tayga.conf

tun-device nat64              # the interface device
ipv4-addr 192.168.255.100     # IPv4 address for Tayga, using one from pool below
ipv6-addr 2001:db8:1::2       # IPv6 address for Tayga, use anything not in LAN environment
prefix 64:ff9b::/96           # Prefix used by DNS64, use Google's DNS64 servers
dynamic-pool 192.168.255.0/24 # Pool to use. Gives 252 addresses to use in NAT
data-dir /var/spool/tayga     # Data directory, make sure it exists

/etc/default/tayga
RUN="yes"                            # Yes, run
CONFIGURE_IFACE="yes"                # Yes, configure the interface
CONFIGURE_NAT44="yes"                # Yes, set up the NAT44 stuff, no need for iptables rules you see on the Internet
DAEMON_OPTS=""                       # No options
IPV4_TUN_ADDR="192.168.1.254"       # IPv4 address of inside interface
IPV6_TUN_ADDR="2001:470:e:ffff::1"  # IPv6 address of inside interface

systemctl start tayga

Use Google's DNS64 servers as forwarders in your local instance of DNS. https://developers.google.com/speed/public-dns/docs/dns64

XP

XP can only use stateless autoconfig or manual addressing.

Ubuntu

There's some sort of problem with the DHCP client. It times out while DAD is going on. I don't know if this is the right answer (not), but I had to add a delay to the IPv6 start-up in my Ubuntu test server VM.

iface eth0 inet6 dhcp
 pre-up sleep 10

I also had to turn on the FQDN stuff in dhclient.conf:

send host-name "cloud";
send fqdn.fqdn "cloud.stu2labs.net";
send fqdn.encoded on;
send fqdn.server-update on;

Stateless or Stateful Config

XP must use RA. For DNS, use IPv4 -> this means XP must go away for a full IPv6 network.

IP Address Selection

I'm wrestling with a well known problem regarding multi-homed sites. Ideally, I would like to avoid Network Prefix Translation (NPT). I think I can avoid NPT only if the final destination is directly connected to the dual homed network. It's possible to allow hosts to pick up an address for the default route to the ISP and another for the directly connected net. Then, the default source selection algorithm will choose the right address based on the destination address. It may be possible to fiddle with the network prefix policy table so the host chooses the right source address for an arbitrary network, but this isn't a good solution for an enterprise.

Remember - IPv6 must use Router Advertisements. You can either go with SLAAC, DHCP or (SLAAC and DHCP). DHCPv6 will only hand out 1 address, so you can't issue multiple addresses for a dual homed scenario. You can have one DHCP and one SLAAC on an interface.

The Linux policy table for destination addresses can be changed in /etc/gai.conf.

Powershell

get-netprefixpolicy
get-netipv6protocol

Good link describing stable-address generation on different OSes: https://www.nullzero.co.uk/ipv6-slaac-host-os-address-allocation/

RFC about choosing stable-addresses: https://datatracker.ietf.org/doc/html/rfc7217

RFC about source address selection: https://www.ietf.org/rfc/rfc6724.txt

How the policy table (aka netprefix policy) is used: http://resources.intenseschool.com/ipv6-source-address-selection/

Good explanation of the sorting rules, especially rule 6: http://biplane.com.au/blog/?p=22

netsh interface ipv6 show prefixpolicies
netsh interface ipv6 set prefix ::/96 60 3

Command to show the IPv6 mode:

nmcli connection show <connection-name> | grep 'ip6\|gen-'

Linux default address selection table.

~$ ip addrlabel show
prefix ::1/128 label 0            Loopback
prefix ::/96 label 3              IPv4 compatible IPv6
prefix ::ffff:0.0.0.0/96 label 4  IPv4 mapped IPv6 address (any IPv4)
prefix 2001::/32 label 6          Teredo tunnel
prefix 2001:10::/28 label 7       
prefix 3ffe::/16 label 12         6Bone (deprecated)
prefix 2002::/16 label 2          6to4 Tunnel
prefix fec0::/10 label 11         Site Local (deprecated)
prefix fc00::/7 label 5           ULA
prefix ::/0 label 1               Any IPv6
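As an added example (not from the original page), the label lookup and the rule 6 / rule 8 part of RFC 6724 source address selection worked against the Linux table above. It illustrates the dual-homed case from IP Address Selection: a host holding an ISP prefix address, a directly connected prefix address and a ULA picks the right source by label match and then by longest matching prefix. The candidate and destination addresses are documentation (2001:db8::/32) and ULA values chosen for the illustration; scope, deprecation and outgoing-interface rules are left out.

```python
import ipaddress

# Linux default policy table as printed by `ip addrlabel show` above: (prefix, label).
POLICY = [(ipaddress.IPv6Network(p), label) for p, label in [
    ("::1/128", 0), ("::/96", 3), ("::ffff:0.0.0.0/96", 4), ("2001::/32", 6),
    ("2001:10::/28", 7), ("3ffe::/16", 12), ("2002::/16", 2), ("fec0::/10", 11),
    ("fc00::/7", 5), ("::/0", 1)]]

def label_of(addr):
    """Label of the longest policy-table prefix that contains addr."""
    addr = ipaddress.IPv6Address(addr)
    _net, label = max(((n, l) for n, l in POLICY if addr in n), key=lambda t: t[0].prefixlen)
    return label

def common_prefix_len(a, b):
    """RFC 6724 CommonPrefixLen: number of leading bits shared by two addresses."""
    x = int(ipaddress.IPv6Address(a)) ^ int(ipaddress.IPv6Address(b))
    return 128 - x.bit_length()

def select_source(candidates, dst):
    """Pick the source address for dst from the host's candidates using RFC 6724
    rule 6 (prefer matching label) and then rule 8 (longest matching prefix).
    Scope, deprecation and outgoing-interface rules are deliberately omitted."""
    dst_label = label_of(dst)
    return max(candidates, key=lambda src: (label_of(src) == dst_label,
                                            common_prefix_len(src, dst)))
```

With a single ISP prefix and a directly connected prefix on the host, rule 8 alone steers traffic for the directly connected network to the matching address, which is the case the section above argues can avoid NPT.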

Windows default address selection table.

Prefix       Precedence      Label
------       ----------      -----
3ffe::/16         1         12   6Bone address (deprecated)
fec0::/10         1         11   Site Local (deprecated)
::/96             1          3   IPv4 Compatible IPv6
fc00::/7          3         13   ULA
2001::/32         5          5   Teredo tunnel address
2002::/16        30          2   6to4 tunnel address
::ffff:0:0/96    35          4   IPv4 Mapped IPv6 address (any IPv4)
::/0             40          1   Any IPv6
::1/128          50          0   Loopback