http://zechariah.casita.net/ copyright © 2015 richard m. troth, creative commons. other products...

Copyright © 2015 Richard M. Troth, Creative Commons. Other products and company names mentioned herein may be trademarks of their respective owners.

http://zechariah.casita.net/

Practical IPv6how, why, and keeping it simple

Rick Trothrogue programmer<[email protected]>http://www.casita.net/

COLUG, 2015 AugustCover My Meds, Columbus, Ohio

2

Disclaimer

The content of this presentation is informational only. The reader or attendee is responsible for his/her own use of the concepts and examples presented herein.

In other words: Your mileage may vary. “It Depends.” Results not typical. Actual mileage will probably be less. Use only as directed. Do not fold, spindle, or mutilate. Not to be taken on an empty stomach. Refrigerate after opening.

3

about:rick

Unix for 30+ yearsLinux since 0.99 (circa 1993)Obsessed with source-based systemsMoved to Columbus for Linux and V12NChased IPv6 for years w/o success (6bone)Very much into wireless (ham radio, WiFi)

4

Internet Protocol Version 6

6Bone 1996 (peak 2003)

Casita.Net 2011-March-9

World IPv6 Day 2011-June-8

World IPv6 Launch 2012-June-6

5

IPv6 for Linux, Windows, Mac ...

This is a personal odyssey

NOT discussing router config (maybe a little)

NOT detailing app upgrades (but it's easy)

NOT giving you the fire-and-brimstone

If IPv6 is a big yawn,that's kind of the point!

6


What really is IPv6 and why should we do it?

Where and How do I connect with IPv6?

What systems can talk IPv6?

How do we enable IPv6? on Linux, Windows, mainframes (z/VM)

Now what?? IPv6-specific Resources

7


Some history for reference

Some background on NAT

Address syntax (comparing V4 and V6)

DNS example

Security considerations

Comparing tunneled -vs- native

IPv6 is “the internet of things”

Agenda (for varying values of “Agenda”)

IPv6 is not new

9

What happened to IPv5?

Experimental Internet Stream Protocol

Not really called IPv5Protocol header says “5”

10

IPv6 is not ...

... a security risk… the exclusive realm of hackers... some future event… difficult or complicated... the end of the world (perhaps the beginning of the end of IPv4)

11


Port numbers do not change (TCP, UDP)

Funny syntax ... [2604:8800:12b::d]

“beyond mind boggling” addressability

External infrastructure (several years)

Consumer internet (reported at 95% now)

Internal infrastructure (your call)

V4 becomes vestigial

12

IPv4 Exhaustion

IANA doles out IPv4 blocks to the regional providers

13

IPv4 Exhaustion

14

IPv4 Exhaustion

15

IPv4 Exhaustion

16

IPv4 Exhaustion

IPv4 Exhaustion

US Gov/Mil Committed

Core support since 2008 Many, many tests Apps, systems, devices

21

Residential IPv6

Littleton, Colorado Pleasanton, California ... other markets

As of 2014 Summer, TWC serving both IPv4 and IPv6 to residential internet customers.

What's My IP Address?

Will report your IPv4 or IPv6 address: http://icanhazip.com/

http://www.sixxs.net/

http://ipv6.he.net/

http://test-ipv6.com/ ← try it

Reachable only via IPv6: http://zechariah.casita.net/

23

http://test-ipv6.com/

24

2014 view of http://test-ipv6.com/

IPv6 Tunnel Brokers

SixXS Hurricane Electric Gogo6 regionalsVPN

Much less need for tunnels in 2015 than in 2011. “Native IPv6” widely available.

IPv6 Tunnel Brokers

SixXS = Six Access AICCU /etc/aiccu.conf username aaaa-SIXXS

password sayitnot

protocol tic

server tic.sixxs.net

tunnel_id T59237

https://www.sixxs.net/

IPv6 Tunnel Brokers

IPv6 Tunnel Brokers

Hurricane Electric Example configurations – manual setup Worked for Linux/390 Worked for Linux 2.2 '486

https://www.tunnelbroker.net/

IPv6 Tunnel Brokers

IPv6 for Linux, mainframe, and ...

AIXSolaris - from 8 onwardWindows - XP, Vista, 7, 8Mac OS X, iOS NetBSD, OpenBSD, FreeBSD (4.4 onward)HP-UXAndroidMinix? (now using OpenBSD userland)

IPv6 at Home

new feature after upgrade

IPv6 at Home

disabled by default, try 6to4

IPv6 at Home

IPv6 for Linux - Fedora

To the file ... /etc/sysconfig/network-scripts/ifcfg-eth0

Add the lines ... IPV6INIT=yes

IPV6_AUTOCONF=no

IPV6ADDR=2604:8800:12b::25/48

IPV6_DEFROUTE=yes

IPV6_FAILURE_FATAL=no

IPv6 for Linux - OpenSUSE

To the file ... /etc/sysconfig/network/ifcfg-eth-id-macaddr

Add the lines ... LABEL_0='0'

IPADDR_0='2604:8800:12b::23'

PREFIXLEN_0='48'

IPv6 Routing

ifconfig eth0 add \2604:8800:12b::123/48

ip -6 route add default via \2604:8800:12b::d

ping6 ipv6.google.com

traceroute6 ipv6.google.com

IPv6 for Linux ... any Linux

IPv6 for z/VM

Since z/VM 5.1 'ping' and 'telnet' in z/VM 5.4 Remember “ENABLEIPV6” Home address /64 or /128 only No (known) tunneling ability

IPv6 for z/VM

DEVICE ETHDEV OSD 0200 NONROUTER AUTORESTART

LINK ETH0 QDIOETHERNET ETHDEV ENABLEIPV6

HOME

192.168.5.43 255.255.255.0 ETH0

2001:1938:81:209::2b/64 ETH0

GATEWAY

DEFAULTNET 192.168.5.20 ETH0 8992

DEFAULTNET6 2001:1938:81:8209::1 ETH0 8992

43

How to configure IPv6 on FreeBSD

http://support.arpnetworks.com/kb/main/how-to-configure-ipv6-on-freebsd

IPv6 Dangers

Stateless Autoconfig Considered Harmful (use DHCPv6 or static instead) Your “real address” is visible (counter-intuitive; end-to-end restored) IPv6 was first used by hackers (using V6 address as a covert channel)

Use static addrs and use DNS

A Personal Odyssey

What I use: SSH port tunnels VNC my own DNS automation!

Tried to connect with 6bone

The Small World of casita.net

co

gc nl

sb

pk

mv

sd

How Do IPv4 and IPv6 Compare?

bash-4.3# ping -c 3 ltroth1

PING ltroth1 (148.100.88.27) 56(84) bytes of data.

64 bytes from ltroth1.lf-dev.marist.edu (148.100.88.27): icmp_seq=1 ttl=48 time=36.5 ms

--- ltroth1.casita.net ping statistics ---

3 packets transmitted, 1 received, 66% packet loss, time 2000ms

rtt min/avg/max/mdev = 36.516/36.516/36.516/0.000 ms

How Do IPv4 and IPv6 Compare?

bash-4.3# ping6 -c 3 ltroth1

PING ltroth1 (ltroth1.lf-dev.marist.edu) 56 data bytes

64 bytes from ltroth1.lf-dev.marist.edu: icmp_seq=1 ttl=50 time=77.1 ms



--- ltroth1 ping statistics ---

3 packets transmitted, 3 received, 0% packet loss, time 2001ms

rtt min/avg/max/mdev = 73.438/75.135/77.128/1.537 ms

52

DNS at Casita.Net

/var/named/master/casita.net

/var/named/master/192.168.29

/var/named/master/2604:8800:12b

“internal” DNS has complete domain

“external” DNS has partial

IPv4 PTR records valid internally (v4 NAT)

IPv6 PTRs meaningful everywhere

53

DNS at Casita.Net

$TTL 4H

@ IN SOA @ [email protected]. ( 2011071300 7200 3600 3600000 86400 )

IN A 192.168.29.1

IN AAAA 2604:8800:12b::b

IN NS jeremiah.casita.net.

jeremiah IN A 192.168.29.11

jeremiah IN AAAA 2604:8800:12b::b

nehemiah IN A 192.168.29.12

nehemiah IN AAAA 2604:8800:12b::c

culdesac IN A 192.168.29.26

culdesac IN AAAA 2604:8800:12b::1a

54

External DNS at Casita.Net

$TTL 4H


;

IN AAAA 2604:8800:12b::b


;

jeremiah IN AAAA 2604:8800:12b::b

;

nehemiah IN AAAA 2604:8800:12b::c

;

culdesac IN AAAA 2604:8800:12b::1a

55

IPv4 Reverse - DNS at Casita.Net

$TTL 4H

$ORIGIN 29.168.192.IN-ADDR.ARPA.



11 IN PTR jeremiah.casita.net.

12 IN PTR nehemiah.casita.net.

26 IN PTR culdesac.casita.net.

56

IPv6 Reverse - DNS at Casita.Net

$TTL 4H

$ORIGIN b.2.1.0.0.0.8.8.4.0.6.2.ip6.arpa.



b.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR jeremiah.casita.net.

c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR nehemiah.casita.net.

a.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR culdesac.casita.net.

RADVD

Router Advertisement Daemon

If a given host is listening (for radvd traffic) and already has an IPv6 route, which route is actually preferred?

Pick dynamic or static and then stick with it.

RADVD

/etc/radvd.conf

interface eth0

{

AdvSendAdvert on;

Prefix 2001:4830:1600:8552::/64

{

AdvOnLink on;

AdvAutonomous on;

AdvRouterAddr off;

};

};

Rick hates NAT

A way of life since '95

RFC 1918 (formerly RFC 1597)

Not just packets, but stateful

Port swizzling, pain for (eg) SIP, games

Lack of uniqueness

Looked for NAT in V6 ... but ... then ...

http://www.youtube.com/watch?v=v26BAlfWBm8

Rick hates NAT

NIST SP 800-119

“... can actually defeat certain aspects of the design intent of IPv4”

network layer end-to-end security peer-to-peer (host-to-host connectivity) and interoperability

Trouble in Paradise

Initial SixXS tunnel since February of 2011/48 network since March of 2011Replaced aging Linux FW/GW with CeroWRTGot a native IPv6 lease from TWC

Some addrs in the /48 network fail

2014 Q: Why?2015 A: rogue router

Trouble in Paradise

Occasional outages at SixXS POPs Usually (almost always) tracked at SixXS May be resolved by restarting AICCU

(your tunnel) but avoid that (they dislike it)

Some SixXS supporters shut down permanently

Trouble in Paradise

64

Trouble in Paradise

Not all DNS root servers talk IPv6 …

E.ROOT-SERVERS.NETG.ROOT-SERVERS.NET

OpenVPN

Supports either V4 or V6, for endpoints or for payload

proto tcp

server 192.168.29.160 255.255.255.240

proto tcp6

server-ipv6 2604:8800:12b:3::/112

66

Summary

The era of IPv6 is upon us.

The world is not ending.

The era of IPv4 has ended.

There are challenges.

This is manifestly doable.

Welcome to the 21st century.

http://zechariah.casita.net/ copyright © 2015 richard m. troth, creative commons. other products...

Documents