Lucid Lynx with IPv6 – basic connectivity

Open Office has been building Linux networks for office automation since the last century. As we would like to be ready for the next century, we are currently doing IPv6 wherever possible.
In a series of articles, we will explain how to set up an Ubuntu 10.04 “ipv6 only” network of Linux machines: that is, servers and desktops. In this episode: basic connectivity of the gateway.

There is lots of information on the internet about setting up an IPv6 network with Linux. The page I stumbled upon last time was http://www.pps.jussieu.fr/~jch/software/ipv6-connectivity.html; but actually, any IPv6 HOWTO or cook-book can help you out.

So I won’t make this another list of steps to take to get IPv6. Just a few remarks.

Native

If your ISP delivers native IPv6, just go for that. It will save you a whole lot of trouble.

6to4

If you happen to have a solid, fixed IPv4 address, you should first try to set up a 6to4 tunnel. For this to work, your provider, your router, your modem, your firewall and everyone else in between should leave protocol 41 unharmed. Please note: that is not port 41, it is IP protocol 41. A way to test this (as I figured out) is to run “nmap” and “tcpdump”. You will need a “remote” computer somewhere on the internet to be able to test. Proceed as follows:

local# tcpdump -n -p -i ethX proto 41
remote# nmap -PO41 -p80 ip.address.of.other.pc

You should also do this the other way around:

remote# tcpdump -n -p -i ethX proto 41
local# nmap -PO41 -p80 ip.address.of.other.pc

In both cases, the side where tcpdump runs should see something like

13:53:13.142145 IP 293.301.26.275 > 285.243.97.150: [|ip6]

(please note that these IP addresses are totally bogus).

This test will show you if protocol 41 can travel from your IP address to another IP address; this is not a guarantee that it will travel from or to 192.88.99.1 or that the 6to4 tunnel will work; but it is a good indication. If you do not receive the “ip6” packets on one or both sides, then 6to4 is probably not going to work.

And even if you do see the packets enter the interface, you should still check your firewalling rules to see if they accept protocol 41. The correct iptables statement would be something like:

iptables -A INPUT -p 41 -j ACCEPT

(And please note that this is not a firewalling course, so you should not rely on the above statement to build firewalls; it is a statement to build IPv6 connectivity.)

If you can both send and receive protocol 41 packets on your gateway and you have properly adjusted your firewalling rules, then you can add the proper 6to4 information to your /etc/network/interfaces file. Follow, for example, the instructions at http://wiki.debian.org/DebianIPv6#IPv66to4Configuration to see how that works. It seems, by the way, that having comments on the lines (like the #fits address one) does not work. I could be wrong, however.

A 6to4 network will provide you with a /48 network, so you’ll instantly have 1208925819614629174706176 addresses at your disposal. That is about a million billion billion IP addresses.
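
How that /48 follows from the gateway's IPv4 address, as an added example (not part of the original article): the 16-bit 6to4 prefix 2002 is followed by the 32-bit IPv4 address, which leaves 80 bits for the site. The function names are hypothetical, and 192.0.2.1 is a documentation address standing in for your own fixed public address.

```python
import ipaddress

SIXTOFOUR = ipaddress.ip_network("2002::/16")  # 6to4 prefix (RFC 3056)

# Ranges that can never serve as a 6to4 endpoint: RFC 1918, carrier-grade
# NAT, loopback and link-local. Documentation ranges are deliberately not
# listed so that the constructed sample below can be used.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]


def sixtofour_prefix(public_v4):
    """Return the 6to4 /48 that belongs to a public IPv4 address."""
    v4 = ipaddress.IPv4Address(public_v4)
    if any(v4 in net for net in NON_ROUTABLE):
        # A prefix built from such an address is unreachable from outside.
        raise ValueError(f"{v4} is not a public address; 6to4 will not work")
    # Layout: 2002 (16 bits) | IPv4 address (32 bits) | 80 bits for the site
    base = int(SIXTOFOUR.network_address) | (int(v4) << 80)
    return ipaddress.IPv6Network((base, 48))


def lan_subnets(prefix, count=4):
    """First `count` /64 subnets, one per internal network segment."""
    gen = prefix.subnets(new_prefix=64)
    return [next(gen) for _ in range(count)]


def embedded_v4(addr):
    """IPv4 address of the 6to4 gateway behind a 2002::/16 address, else None."""
    return ipaddress.IPv6Address(addr).sixtofour


if __name__ == "__main__":
    net = sixtofour_prefix("192.0.2.1")  # constructed sample address
    print("site prefix:", net, "addresses:", net.num_addresses)
    for lan in lan_subnets(net):
        print("  lan /64  :", lan)
    # Reverse direction: which IPv4 gateway is behind a 6to4 source address
    # seen in tcpdump output or a log line?
    print("gateway of 2002:c000:201:1::10 ->", embedded_v4("2002:c000:201:1::10"))
```

The reverse lookup is handy when reading logs: any 2002::/16 source address tells you the IPv4 address of the 6to4 gateway it came through.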

Teredo

Teredo is useful for a single client PC, but not for a network server or a gateway that will have to provide IPv6 to the inside. So we cannot use it for our purpose.

SixXs

If you don’t have native or 6to4 IPv6, go to Sixxs.net and get your tunnel there. That is what I did. The advantage over 6to4 is that Sixxs.net will work on any sort of network, i.e. there is no need to have a public IP address on your IPv6 gateway, nor is there a need to have protocol 41 connectivity at your ISP. A (sort of) disadvantage is that there is a mandatory registration and a waiting period. No problem if you take IPv6 seriously, but a disadvantage if you only want to check out a few things.

So, all right, your gateway has an IPv6 connection now. Let’s move on to getting your clients connected.