Friday, December 05, 2008

Making IPv6 work on Ubuntu, the quick and dirty way

One hears lots of general things about IPv6 all the time, but not how to actually use it. So here is a quick & dirty way to get it working on a normal Ubuntu system. This works even when your provider does not support IPv6, since it sets up a tunnel via 6to4.

First some general explanations:

IPv6 addresses look like any of these:

2001:4860:0:1001::68
fe80::219:dbff:fe5b:fa17
fe80::219:dbff:fe5b:fa17/64

The first four characters are important: 2001 indicates a global address reachable from everywhere on the internet, while fe80 indicates a link-local address reachable only from the local network. You can think of fe80 as an analog to 192.168.0.0-style addresses (Edit: Actually the fe80 addresses are more like an IPv6-reachable MAC address than the 192.168.0.0 addresses; unique local addresses seem to resemble them much more closely). The /64 at the end indicates the netmask and isn't part of the address, so you need to leave it off when running ping6, the IPv6 version of the classic ping command. The last few bytes of an autoconfigured IPv6 address are the same bytes as the MAC address of your network card, with some slight changes.
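The address structure described above can be checked in code. The following Python is an added example, not part of the original post: it builds and reverses the MAC-derived suffix of an autoconfigured address and, going slightly beyond the paragraph, reads the IPv4 address embedded in a 6to4 (2002::/16) address like the ones the tunnel set up below hands out. The function names are this example's own, and 192.0.2.1 is a constructed documentation address standing in for YourIPv4Addr.

```python
import ipaddress

def mac_to_interface_id(mac: str) -> bytes:
    """Modified EUI-64: split the MAC, insert ff:fe, flip the universal/local bit."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host autoconfigures for itself inside a /64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("autoconfiguration expects a /64 prefix")
    return net.network_address + int.from_bytes(mac_to_interface_id(mac), "big")

def sixtofour_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """6to4 gives every public IPv4 address the prefix 2002:<ipv4 in hex>::/48."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))

def describe(text: str) -> dict:
    """Report scope plus any MAC or IPv4 address recoverable from an IPv6 address."""
    # The /64 netmask and a %zone suffix are not part of the address itself.
    addr = ipaddress.IPv6Address(text.split("/")[0].split("%")[0])
    if addr.is_link_local:
        scope = "link-local"
    elif addr in ipaddress.IPv6Network("2000::/3"):
        scope = "global"
    else:
        scope = "other"
    info = {"address": str(addr), "scope": scope, "mac": None, "ipv4": None}
    iid = addr.packed[8:]
    # ff:fe in the middle of the low 64 bits marks a MAC-derived suffix (heuristic:
    # a random suffix could contain the same two bytes by chance).
    if iid[3:5] == b"\xff\xfe":
        mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
        info["mac"] = ":".join(f"{x:02x}" for x in mac)
    if addr.sixtofour is not None:
        info["ipv4"] = str(addr.sixtofour)
    return info

if __name__ == "__main__":
    # First three addresses are the ones shown above; the last is constructed
    # from the documentation address 192.0.2.1 and subnet 0 of its 6to4 prefix.
    prefix = sixtofour_prefix("192.0.2.1")
    client = slaac_address(f"{prefix.network_address}/64", "00:19:db:5b:fa:17")
    for a in ("2001:4860:0:1001::68", "fe80::219:dbff:fe5b:fa17/64",
              "fe80::4e00:10ff:fe53:e8d7", str(client)):
        print(describe(a))
```

An autoconfigured 6to4 address therefore reveals both the tunnel endpoint's public IPv4 address and the client's network card, which is worth knowing when such addresses show up in logs.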

When you try to ping an IPv6 address on your local network you will realize that it doesn't work:

$ ping6 fe80::4e00:10ff:fe53:e8d7
connect: Invalid argument

The reason for this is that fe80 is a link-local address and only valid for a single network, which means you have to tell ping6 which interface (e.g. eth0) it should use to contact the address. This can be done with:

$ ping6 -I eth0 fe80::4e00:10ff:fe53:e8d7
PING fe80::4e00:10ff:fe53:e8d7(fe80::4e00:10ff:fe53:e8d7) from fe80::219:dbff:fe5b:fa17 eth0: 56 data bytes
64 bytes from fe80::4e00:10ff:fe53:e8d7: icmp_seq=1 ttl=64 time=1.19 ms

Now, with those basics cleared up, it's time to set up the 6to4 tunnel. First download the 6to4 script, then simply run it:

$ ./6to4 up YourIPv4Addr eth0

If all goes right, that is already all of it: you should now be able to connect to IPv6 hosts such as ipv6.google.com.

If you happen to run maradns you have to contact ipv6.l.google.com instead, since maradns has a bug that doesn't allow it to resolve DNS aliases properly.

You can find out the raw IPv6 address by querying the AAAA record (which is the IPv6 version of the A record):

$ host -t AAAA ipv6.google.com
ipv6.google.com is an alias for ipv6.l.google.com.
$ host -t AAAA ipv6.l.google.com
ipv6.l.google.com has IPv6 address 2001:4860:0:1001::68

If you are running this on your router and want your clients behind the router to have access to IPv6 you have to:

$ apt-get install radvd

on the router and configure it as described in the comment in the 6to4 script. Your clients behind the router should then be able to automatically discover the router and be able to access IPv6 addresses.

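Note that this opens up the clients behind the router to the internet, so you likely want to set up some firewall rules with ip6tables. Something like this might work, dropping incoming TCP connection attempts on the tunnel interface tun64 and incoming UDP to ports outside the 32768:60999 range: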

$ ip6tables -I INPUT -i tun64 -p tcp --syn -j DROP
$ ip6tables -I FORWARD -i tun64 -p tcp --syn -j DROP
$ ip6tables -I INPUT -i tun64 -p udp ! --dport 32768:60999 -j DROP
$ ip6tables -I FORWARD -i tun64 -p udp ! --dport 32768:60999 -j DROP

For more in-depth information you might want to have a look at the Linux IPv6 HOWTO.

PS: This little description likely contains errors and is inaccurate; it's just meant as a quick & dirty way to show that getting IPv6 up and running isn't that hard.

1 comment:

haskell said...

You could just install miredo.