IPv6
IPv6 Introduction
Internet Protocol version 6 (IPv6) is the successor to the well known IPv4 protocol, commonly known as IP. Your Ubuntu system comes with all you will need to use IPv6. This section focuses on getting IPv6 properly configured and running.
In the early 1990s, growth of the Internet led to various problems with IPv4, including:
Running out of subnets. This was deferred by conversion to Classless Inter-Domain Routing (CIDR), currently described by RFC4632
Running out of addresses. This was deferred by using RFC1918 private address space (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) hiding behind Network Address Translation (NAT) devices, in which a single public IPv4 address can be shared by multiple computers, e.g. all the users connected through a DSL/Cable modem. But NAT has its own problems. Besides NAT, in some cases during the transition to IPv6, multiple internet connections will share IPv4 addresses via dual-stack-lite. And as of 2011, a growing number of nodes on the Internet only speak ipv6 since unassigned IPv4 addresses started to run out.
- Routing table were getting too large. This is still a concern today.
IPv6 deals with these and many other issues:
128 bit address space, with a design goal of supporting 240 subnets organizing 250 hosts. While theoretically there are 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses possible, this is unattainable in practice. IPv6 does offer multitudes of addresses per person, so we are unlikely to run out again.
- Each computer can have its own globally routable address. There is no need for NAT in IPv6, returning us an architecture more similar to the peer-to-peer internet of the 1980's.
- Smaller routing tables. Due to both better geographic and more hierarchical allocation strategies, IPv6 subnets currently generate only 1/7th as many routes as IPv4 subnets. As IPv4 continues to grow into old age, the IPv4 routing table will likely become less stable and less complete as it grows beyond the capacity of certain routers on the Internet. These routers will be forced to begin filtering out certain IPv4 routes believed to be redundant but there is the increasing potential for lost traffic as time goes on.
There are also lots of other useful features of IPv6 such as:
- Address autoconfiguration (RFC2462)
- Anycast addresses (“one-out-of many”)
- Mandatory multicast addresses
- IPsec (IP security)
- Simplified header structure
- Mobile IP
- IPv6-to-IPv4 transition mechanisms
For more information see:
Background on IPv6 Addresses
There are different types of IPv6 addresses: Unicast, Anycast and Multicast.
Unicast addresses are the well known addresses. A packet sent to a unicast address arrives exactly at the interface belonging to the address.
Anycast addresses are syntactically indistinguishable from unicast addresses but they address a group of interfaces. The packet destined for an anycast address will arrive at the nearest (in router metric) interface. Anycast addresses may only be used by routers.
Multicast addresses identify a group of interfaces. A packet destined for a multicast address will arrive at all interfaces belonging to the multicast group.
Note: The IPv4 broadcast address (usually xxx.xxx.xxx.255) is expressed by multicast addresses in IPv6.
Reading IPv6 Addresses
The full form is represented as 8 hexquad parcels of 16 bits each written in lower case hexadecimal, separated by colons (:). For example 2001:0db8:382b:23c1:aa49:4592:4efe:9982.
Often an address will have long substrings of all zeros; the longest and first run of all zero hexquads is abbreviated as a double colon (“::”). Since :: is variable length, it can only be used once per address. Leading “0”s are also omitted, up to three per hexquad. For example, fe80::1 is the canonical form of fe80:0000:0000:0000:0000:0000:0000:0001 and 2001:db8:b:23c1:49:4592:efe:9982 is the canonical form of 2001:0db8:000b:23c1:0049:4592:0efe:9982.
A third form is to write the last 32 bits in the well known dotted decimal IPv4 style. For example 2002::10.0.0.1 corresponds to the (hexadecimal) long representation 2002:0000:0000:0000:0000:0000:0a00:0001 with canonical form 2002::a00:1.
By now the reader should be able to understand the following:
# ip addr 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:25:ad:2c:af:17 brd ff:ff:ff:ff:ff:ff inet 192.168.1.2/24 scope global eth0 inet6 fe80::225:adff:fe2c:af17/64 scope link valid_lft forever preferred_lft forever
fe80::225:adff:fe2c:af17 of interface eth0 is an autoconfigured link-local address. It is generated as an IEEE EUI-64 style identifier from the device's hardware IEEE EUI-48(MAC) address as part of the autoconfiguration.
For further information on the structure of IPv6 addresses see RFC3513.
Special IPv6 address ranges
Address ranges are specified using a prefix. This is similar to the IPv4 concept of a network prefix and netmask, but in IPv6 we always use CIDR notation to specify the number of bits at the start of the mask that are 1. For example, the address range fe80::/10 includes all addresses that are the same as the address fe80:: in the first 10 bits, i.e. all beginning with the bit pattern 1111 1110 10. One hex digit corresponds to four bits: 1111 is f, 1110 is e. 10 is the most significant two bits of 1000 which is 8 in hex, but since this length is not a multiple of 4, the range also includes addresses with this digit set to 9 (1001), a (1010) and b (1011). Obviously a network prefix of length 128 specifies an individual address.
IPv6 address |
Prefix length (bits) |
Description |
Notes |
|||
:: |
128 |
unspecified |
Used for default route and router solicitations. cf. 0.0.0.0 in IPv4 |
|||
::1 |
128 |
loopback address |
cf. 127.0.0.1 in IPv4 |
|||
::ffff:a.b.c.d |
96 |
IPv4 mapped IPv6 address |
The lower 32 bits are the IPv4 address. Used in socket API's to represent IPv4 hosts. |
|||
fe80:: |
10 |
link-local |
Unroutable autoconfigured addresses used on a LAN, e.g. for DHCPv6 |
|||
fc00:: |
7 |
unique local |
Addresses used only within an autonomous system, unroutable globally. Cf. RFC 1918 addresses such as used in NAT. |
|||
ff00:: |
8 |
multicast |
||||
2000:: |
3 |
global unicast |
All global unicast addresses currently begin with 2. |
Some IPv6 address prefixes have been deprecated, and should no longer be used.
deprecated IPv6 address |
Prefix length (bits) |
Description |
Notes |
|||
3ffe:: |
16 |
6bone prefix |
Used 1998-2006. |
|||
::a.b.c.d |
96 |
embedded IPv4 |
96 zero bits followed by 32 IPv4 bits. Also called “IPv4 compatible IPv6 address”. Replaced by mapped addresses. |
|||
fec0:: |
10 |
site-local |
Replaced by Unique Local Addresses |
Some address prefixes are special use:
special IPv6 address |
Prefix length (bits) |
Description |
Notes |
|||
2001:db8:: |
32 |
documentation examples |
Not to be routed. |
|||
2001:0:: |
32 |
Teredo tunnels |
the remaining bits come from a Teredo server and the client NAT device. |
|||
2002:: |
16 |
6to4 tunnels |
the next 32 bits are the client IPv4 address |
Getting Connected
Here you have more than one option:
Native IPv6 connections
Contact your Internet Service Provider to see if they offer IPv6 yet. Only a few Internet Service Providers (ISP) currently offer native IPv6 service, though by 2015 probably all of them will.
If your uplink involves a wifi router or broadband modem, those devices will need to support IPv6. Cable-Modems need to support DOCSIS 3.0 or 2.0+IPv6. As of 2010, very few DSL-Modems support IPv6; this will change by 2012.
If your hardware or ISP does not support native IPv6, which is the best kind, you might still be able to use IPv6 tunneled over IPv4 instead.
Tunneled IPv6
If your uplink only passes IPv4 traffic, you will need to tunnel your IPv6 traffic to a compatible relay somewhere. Most tunnels use IPv4 protocol 41 encapsulation (6in4), where the data payload is just the IPv6 packet itself. Not all firewalls and NATs can properly pass protocol 41. Alternatively providers might provide AYIYA or TSP tunnels which send their tunneled packets over UDP, which is generally accepted by most firewalls and supported by most NATs Note: ICMP is protocol 1, IGMP is protocol 2, TCP is protocol 6, UDP is protocol 17.
point to point tunnels
Various companies and organizations provide free IPv6 in IPv4 tunneling.
freenet6 (TSP)
Hurricane Electric (6in4)
'''SixXS''' (6in4, 6in4-heartbeat or AYIYA)
6to4 tunnels
Tunnel via 6to4 (RFC3068). Your firewall has to pass protocol 41 (IPv6 in IP) and you need a global, public IPv4 address. The relay address is the special anycast destination 192.88.99.1 or a relay that is local; your IPv6 address uses the special 2002::/16 prefix. A good script to bring a 6to4 tunnel up or down can be found at anyweb
UDP over NAT tunnels
- AYIYA or TSP from the above providers
The Teredo protocol client is the Miredo package. It can be used by dual-stack clients on private IPv4 addresses behind NAT routers or firewalls which don't pass protocol 41. Your IPv6 address uses the special 2001:0::/32 prefix.
Get connected with Hurricane Electric
First you need to register on the TunnelBroker.net Website. You will be emailed your username and password. Login and in the User Functions Box on the left side click the Create Regular Tunnel link. Put in your IPv4 address and Select a server close to you. Go to the tunnel details page. Run gksudo gedit /etc/network/interfaces and add the following, editing as directed by the comments:
auto he-ipv6 iface he-ipv6 inet6 v4tunnel address 2001:470:a:d29f::2 netmask 64 mtu 1280 local 200.200.2.183 endpoint 216.218.226.238 ttl 255 gateway 2001:470:a:d29f::1
Replace the endpoint setting (216.218.226.238) with the Server IPv4 address field from the tunnel details page and the address setting (2001:470:a:d29f::2) with Client IPv6 address field from the tunnel details page. Save the file.
Right click on the network manager icon in the tray and click Edit Connections. Select the connection to your local network and click Edit. Go to the IPv6 Settings tab and set the Method to Manual. Click Add. For the address put the first address in your Routed 64. (In this example it would be 2001:470:b:d29f::1 -- please note that this address is in a different /64 subnet ("b") than the tunnel endpoint.) For the prefix put in 64. For the gateway, put in the address from the "Client IPv6 address" of the tunnel details page (in this example it would be 2001:470:a:d29f::2). Click apply.
Run sudo ifup he-ipv6 and you should have IPv6 connectivity.
To configure your box to give out addresses to the LAN from your /64, see Configure your Ubuntu box as an IPv6 router.
Get connected with SixXS
First you need an account on the SixXS Website. Please consider that they manually approve your information and that you should provide them with correct data about you. The system is very easy to use. For the creation of your account you are going to receive some credit points. You can then use these credits for requesting new tunnels and subnets. A tunnel costs you 15 credits. If you are able to use the requested tunnels you are going to receive 10 Credits after a week.
You need to perform the following steps:
- Create an account
- Request a tunnel
- 2.1. Wait for tunnel approval
- Request a subnet
- 3.1. Wait for subnet approval
The approval of your requests are done manually, so be patient. Normally you will receive the approval within the hour.
Note: If you only want to connect one computer, you can skip Step 3 and perform subsections "Synchronize with a timeserver" and "Install aiccu".
After your tunnel and the subnet are approved, you should have received an email like the following:
Dear Generic User, The SixXS Staff have honored your request for a subnet on the following tunnel: ------- PoP Name : chzrh01 (ch.thermelec [AS20932]) Subnet IPv6 : 2001:xxxx:xxxx::/48 Routed to : 2001:xxxx:xxxx:xx::2/64 Your IPv4 : ayiya ------- Please visit your home on the website for more information and options regarding this subnet. Regards, The SixXS tunnelrobot.
Note: The addresses suplied in this howto are fakes. Please use your addresses supplied in your e-mail. Otherwise you will not have a working network. This means replace 2001:xxxx:xxxx::/48 with your address!
Subnet IPv6: This is the address of your /48 subnet routed to you. We need this address later to configure the prefix of the Router Advertising daemon and for your Routers local IPv6 network address. For a local subnet only /64 subnet should be used. Because of that we configure radvd with a /64 bit prefix and also the network interface.
Routed to: This is the address of your sixxs tunnel interface.
Your IPv4: If you have no static IPv4 address, ayiya should stand here. Otherwise your public IPv4 address.
Replace also eth0 with the name of the network interface connected to your local network. The command line tool ip is your friend if you do not know.
Synchronize with a timeserver
If you have no ntp daemon installed to keep your time synchronised. Then install openntpd or any other ntp daemon you want. This is because we are going to install aiccu, the IPv6 auto tunneling daemon, from SixXS. The tunnel will not work if the time difference of your clock is bigger than 120 seconds.
Install aiccu
aiccu is the SixXS client application. If aiccu runs in the daemon mode, it will make sure your tunnel endpoint is always up to date due to the heartbeat protocol, this thus allows one to have a dynamic IPv4 endpoint. Note that AICCU is only needed for heartbeat and AYIYA tunnels. Static tunnels can be configured using interfaces(5).
Install aiccu:
sudo aptitude install aiccu
The installer will automatically prompt for username, password, and the tunnel_id you want to configure.
Note: If you don't know the tunnel_id then go to http://www.sixxs.net/home/ and check your tunnel information.
Note: The Tunnel id should also be in your "Tunnel Approval" email.
Configure local network interface
We also have to configure the local network interface with an IPv6 address. I prefer an easy to memorize address for my router so I choose 2001:xxxx:xxxx::1. According the information I got from sixxs, this is the First address I can use. Open the config file /etc/network/interfaces with an editor and add:
iface eth0 inet6 static address 2001:xxxx:xxxx::1 netmask 64
Note: replace eth0 with the interface name you used in the /etc/radvd.conf config file.
To configure your box to give out addresses to the LAN from your /64, see Configure your Ubuntu box as an IPv6 router.
Reboot or restart services
You can simply reboot now if you want that all changes taking effect or if this is not an option because you run other services that are needed run:
- Restart network
sudo ip link set eth0 down && sudo ip link set eth0 up
- Let aiccu configure your tunnel
sudo /etc/init.d/aiccu restart
So that's really all. You should now be able to connect to the IPv6 internet with every IPv6 capable client automatically. See section "Conclusion" for testing.
Get connected with freenet6 / TSP
Tunnel Setup Protocol (TSP) is a signalling protocol used to negotiate tunnel setup parameters between two tunnel end-points. This protocol is most commonly used to create IPv6-In-IPv4 tunnels, allowing a person to use IPv6 on his native IPv4 network.
TSPC (client) starts an end-to-end tunnel with the TSP server(tunnel broker). After negotiation of tunnel setup parameters has been done the software goes into daemon mode and maintains the tunnel alive.
Gogo6
Like it was mentioned above, TSPC requires a TSP Server (tunnel broker) to work. The default configuration file is ready for you to use your tunnel, however, it's configured for anonymous access only, which has a few limitations.
I recommend registering on GOGO6. The following sections of this page will be dedicated to those who created an account there.
TSP in Ubuntu
The client software is called tspc in Intrepid and earlier, gw6c in Karmic and Lucid, and gogoc from Maverick onwards and is available on official repositories.
Configuring TSPC
Configuration file: /etc/gogoc/gogoc.conf Configuration file: /etc/gw6c/gw6c.conf Configuration file: /etc/tsp/tspc.conf
On this configuration file there are three things that we need to change (username, password and server).
Locate the username field and change it to the information you entered on the Go6.net website. Do the same for the password field.
As for the server, the one used by default (anon.freenet6.net) is used only for anonymous accounts. Since we registered an account we will have to use broker.freenet6.net for our tunnel to work.
Testing the tunnel
Check /var/log/tspc.log to see if any errors were reported. This will only work for tspc. For gogoc or gw6c, you will need to edit the configuration file and set log_file to a value between 1 and 3, with 3 being the most verbose. The log file will then be /var/log/gogoc.log or /var/log/gw6c.log respectively.
For a network test using ping6 see the "Conclusion" section
Configure your Ubuntu box as a IPv6 router
Edit /etc/sysctl.conf
Uncomment the line which contains net.ipv6.conf.default.forwarding=1. This is a common step to enable IPv6 routing.
You can learn how to install and enable DHCPv6 on your network here.
Alternatively, if you want to use radvd which will advertise your prefix and let the network's systems select their own IP address:
- Install radvd
sudo aptitude install radvd
Edit /etc/radvd.conf (see following sample)
Note: If the computer is only routing IPv6, then only uncomment net.ipv6.conf.default.forwarding=1 and leave the IPv4 stuff unchanged.
Note: /etc/radvd.conf: This file does not exist after a fresh install. You can look at the sample configuration files in usr/share/doc/radvd/examples/ for further studies.
Sample /etc/radvd.conf:
interface eth0 { AdvSendAdvert on; prefix 2001:xxxx:xxxx::/64 { AdvOnLink on; AdvAutonomous on; }; };
eth0 is the interface which is used for the Router Advertising messages (RAs). If you are not sure about the interface, check with <tt>ip addr</tt> on the command line.
The prefix you have to take from the information given by SixXS or Hurricane Electric.
Restart the router advertising daemon to propagate your IPv6 address space
sudo /etc/init.d/radvd restart
Now router should automatically send "Router Advertising Messages" to your network and your IPv6 clients should auto configure them self.
Get connected with Miredo
Ubuntu includes a package named miredo that can tunnel IPv6 through IPv4 connections. Miredo is an implementation of Teredo, which is a way to tunnel IPv6-traffic over IPv4-UDP-traffic. As IPv4-UDP will pass NAT-devices, miredo will work behind most NAT-devices. A further advantage of miredo/teredo is that you don't need to define tunnel-endpoints or tunnel-accounts: just activate miredo, and you'll have IPv6 connectivity.
Install miredo:
sudo aptitude install miredo
After this command, you should see an IPv6 address beginning with "2001:0:" in your network settings (use 'ip addr'). If so, you're connected to the IPv6 world.
For more information, see the miredo package information.
IPv6 enabled software and services
The basic unix tools normally have ipv6 support. Network tools like "ping" or "traceroute" have a IPv6 companion like "ping6" or "traceroute6". Tools like ssh are working out of the box.
Web
Almost every web browser I know can communicate over IPv6. There are a lot of IPv6 enabled Websites out there, but they are sometimes hard to find. For a start you can search with ipv6.google.com or see the dancing "Kame" on kame.net. More links are available at Gogo6, SixXS or sixy.ch.
IRC
IRSSI supports IPv6 as well as our favorite IRC network (Freenode).
IRSSI needs to be configured to prefer IPv6 to IPv4. In order to do this, please use the command /SET resolve_prefer_ipv6 ON when on IRSSI. As for Freenode, connect to ipv6.chat.freenode.net to test your new IPv6 tunnel or choose another server from their IRC Servers list
Troubleshooting
If you get a "Not starting gogoc - no server key" error, see http://gogonet.gogo6.com/forum/topics/ubuntu-not-starting-gogoc-no or http://www.tumblr.com/tagged/gogoc
Conclusion
You should now be able to ping and surf IPv6 enabled sites like ipv6.google.com or www.kame.net. For a ping perform ping6 ipv6.google.com. It's a good idea to think about firewalling within your clients, because all clients have now a public reachable IPv6 IP. In Ubuntu this is also an very easy task with the new UbuntuFirewall (ufw or uncomplicated firewall), just edit /etc/default/ufw to have IPV6=yes and reload the firewall to get started.
Have fun!!!
ufw and Routing
To allow routing you need to uncoment the following lines in /etc/ufw/sysctl.conf
net/ipv6/conf/default/forwarding=1 net/ipv6/conf/all/forwarding=1
If you only want outgoing connections you also need to change
DEFAULT_FORWARD_POLICY="DROP"
in /etc/default/ufw and add the following lines to /etc/ufw/before6.rules
-A ufw6-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A ufw6-before-forward -i eth0 -o sixxs -m conntrack --ctstate NEW -j ACCEPT
where eth0 is your internal interface.
IPv6 on APT Repositories
IPv6 is available on Canonical-maintained APT repositories including security.ubuntu.com and archive.ubuntu.com as of 2013 March 12. See Launchpad bug report and RT ticket (SSO login required).
Disabling IPv6
The Ubuntu Community wiki has instructions on disabling IPv6.
Some people chose to do this because of primarily two issues:
- DNS server dropping queries for AAAA records
- Broken IPv6 connectivity. This is less of a problem with Happy Eyeballs, but nonetheless can cause problems when certain network configuration is beyond the control of the end user. Whenever possible, you should attempt to correct the source of the broken IPv6 connectivity instead of disabling IPv6.
See the article for more details.
Copyright Notice
The IPv6 introduction was largely copied and modified from the FreeBSD Handbook. Copyright © 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 The FreeBSD Documentation Project.
IPv6 (last edited 2016-01-26 07:16:40 by 184-105-177-106)