Published: 03-05-2014 | Author: Remy van Elst | Text only version of this article

For a long time most of my VPS are IPv6 enabled. Raymii.org is reachable over IPv6. I've not had IPv6 at home yet, over my residential DSL line. And as you know, providers are not that fast with rolling out IPv6 at home. A friend pointed me to SixXS, which provide IPv6 tunnels. I had looked at them in the past, only then you needed to have a static IP for the tunnel. These days you don't need that anymore. Read on to find out how my IPv6 setup works, including privacy extensions and a few annoyances with Arch Linux and Ubuntu.

If you like this article, consider sponsoring me by trying out a Digital Ocean VPS. With this link you'll get $100 credit for 60 days). (referral link)

The Tunnel

The tunnel is provided by SixXS. It is an AYIYA tunnel, AYIYA is a protocol for managing IP tunneling protocols in use between separated IP networks. It is most often used to provide IPv6 transit over an IPv4 network link when network address translation masquerades a private network with a single IP address that may change frequently because of DHCP provisioning by Internet service providers.

Which basically means that you can use it to easily set up an IPv6 tunnel which works over a NATted LAN and thus you don't need a static IP anymore. As example, even at Starbucks I can set up my IPv6 tunnel without any hassle.

At SixXS you need to register and request a tunnel. You will need to provide some information, which will be validated, so make sure it is correct. Then you also need to provide a reason for your tunnel. Mine was just a simple one, I want to experiment at home with IPv6. They find that a valid reason, so in two days I had my tunnel data.

Tunnel setup

My DSL provider modem does not support IPv6 sadly, so I've spun up a Virtual Machine which will do the routing for IPv6. It is an Ubuntu 12.04 server machine on KVM. OpenVZ wo'nt work because of the advanced networking involved. It also will work on a Raspberry Pi with Raspbian, for those who do not want or have a (VM) server running all the time.

You will need all your SixXS data, as in, your account, tunnel and subnet.

First install AICCU. It stands for: Automatic IPv6 Connectivity Client Utility. It is a tool to automatically configure IPv6 connectivity on a variety of platforms and it provides AYIYA and heartbeat protocol support.

apt-get install aiccu

During the installation you will be asked for your SixXS username and password. These are the ones you use to login to the SixXS website.

If you only have one tunnel and subnet, it will all be set up automagically. I don't have multiple tunnels yet, but I expect it will require more configuration.

I had to change one line in the aiccu config file to make it work.

vim /etc/aiccu.conf

Change the following from false to true and make sure it is not commented out:

behindnat true

Now we can start the aiccu daemon:

/etc/init.d/aiccu start

If you type the ip a command you should now see a new SixXS interface:

8: sixxs: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc pfifo_fast state UNKNOWN qlen 500 link/none inet6 2001:[...]998::2/64 scope global valid_lft forever preferred_lft forever

We can test it some more by accessing Google over IPv6:

curl -g [2a00:1450:4013:c00::64]

The -g option is needed otherwise you will get either an curl: (3) [globbing] error: bad range specification after pos 2 or an curl: (3) IPv6 numerical address used in URL without brackets error. See bug #30 on the Curl known bugs page

Response:

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"> <TITLE>302 Moved</TITLE></HEAD><BODY> <H1>302 Moved</H1> The document has moved <A HREF="http://www.google.com/">here</A>. </BODY></HTML>

The routing

The router needs to be able to forward IPv6 packets, so let's enable that. Edit /etc/sysctl.conf :

vim /etc/sysctl.conf

Add or uncomment the following:

net.ipv6.conf.all.forwarding=1

Apply the rule:

sysctl -p

To give other machines an IPv6 address we need to install radvd and dhcpv6 . Radvd will be used to provide addresses via SLAAC and dhcpv6 will provide compatibility and DNS addresses.

apt-get install wide-dhcpv6-server radvd

Configure Radvd via /etc/radvd.conf :

vim /etc/radvd.conf

This is the config I use:

interface eth0 { AdvSendAdvert on ; # Advertise at least every 30 seconds MaxRtrAdvInterval 30; # in order to force non RFC 6106 compliant clients to get a dns address AdvOtherConfigFlag on ; prefix $YOURSUBNET$/64 { AdvOnLink on; AdvAutonomous on; }; RDNSS 2001:14b8:0:3401::6 2001:1418:10:2::2 { }; };

Replace $YOURSUBNET$ with one of the subnets you gave from SixXS. The RDNSS option uses the europian DNS from SixXS. You can find other DNS cache servers here.

Now configure DHCPv6:

vim /etc/wide-dhcpv6/dhcp6s.conf

It has only the following line, to provide DNS:

option domain-name-servers 2001:14b8:0:3401::6 2001:1418:10:2::2;

Here again you should use the SixXS DNS cache servers in your region.

Restart them both:

/etc/init.d/radvd restart /etc/init.d/wide-dhcpv6-server restart

Privacy extensions

The global address is used in IPv6 to communicate with the outside world. This is thus the one that is used as source for any communication and thus in a way identify you on Internet. The global address is built by using the prefix and adding an identifier build with the hardware address.

For example, the hardware address is 00:22:15:64:42:bd and the global IPv6 address is ending with 22:15ff:fe64:42bd. It is thus easy to go from the IPv6 global address to the hardware address. To fix this issue and increase the privacy of network user, privacy extensions have been developed.

You can read the RFC here, it describes how to build and use temporary addresses that will be used as source address for connection to the outside world. The wikipedia page describes it a bit more.

The option is documented in the ip-sysctl.txt file:

use_tempaddr - INTEGER Preference for Privacy Extensions (RFC3041). <= 0 : disable Privacy Extensions == 1 : enable Privacy Extensions, but prefer public addresses over temporary addresses. > 1 : enable Privacy Extensions and prefer temporary addresses over public addresses. Default: 0 (for most devices) -1 (for point-to-point devices and loopback devices)

We can enable the privacy extensions on the Ubuntu/Debian router VM by defining it in /etc/sysctl.conf.

Edit /etc/sysctl.conf :

vim /etc/sysctl.conf

Add the following line

net.ipv6.conf.all.use_tempaddr=2

Apply it:

sysctl -p

We also need to restart the network:

/etc/init.d/networking restart

Using ip a you should now see a new address. It will expire after a while and a new one will be added. The default expiry time is one day. It can be changed with the following sysctl variable:

net.ipv6.conf.eth0.temp_prefered_lft=7200

Where 7200 is the value in minutes. Change eth0 to your network interface.

Don't set it to low, for me at 3600 I got errors like these:

ipv6_create_tempaddr(): retry temporary address regeneration. ipv6_create_tempaddr(): regeneration time exceeded. disabled temporary address support.

There are however some bugs in the ipv6 stack, so it might now all work as expected. For example, most of my laptops use Arch Linux with NetworkManager. Arch linux does not use /etc/sysctl.conf but uses /etc/sysctl.d/00-files . Therefore there is no /etc/sysctl.conf file. Networkmanager has hardcoded that it looks in /etc/sysctl.conf for the privacy extention setting. So that didn't work. You can set in in the config file for your network, for example, /etc/NetworkManager/system-connections/name :

[ipv6] method=auto ip6-privacy=2

However, for me that didn't work until I created the /etc/sysctl.conf file with the privacy setting. I needed some more settings to make it all work on Arch:

#cat /etc/sysctl.d/40-ipv6.conf net.ipv6.conf.all.use_tempaddr = 2 net.ipv6.conf.all.router_solicitation_delay=3 net.ipv6.conf.all.force_tllao=1 net.ipv6.conf.all.accept_dad=0 net.ipv6.conf.default.use_tempaddr = 2

Testing it

You should get an IPv6 address now. You can use sites like http://ipv6-test.com/ or by connecting to http://ipv6.google.com.

Tags: arch