IPv6 Deployment Example
Howto add IPv6 to a small business network - while your ISP only talks v4
This article describes how we deployed IPv6 on our internal network - a couple of VLAN with around hundred nodes.
To Tunnel or Not To Tunnel
Since IPv6 is such a brand new technology and our ISP was obviously caught by surprise, we dont’t get native IPv6 Internet traffic. We don’t get it now nor in the near future. Internet infrastructure is a pain in Austria, in serveral ways.
With no native IPv6 available a common procedure is to tunnel IPv6 pakets using IPv4 tunnels and there are still free services available you can use. Sixxx (sixxx.net) shutdown its service in 2016, asking all customers to tell their IPv4-only ISP the fact the current version of the Internet Protocol has been released twenty years ago and running business solely on obsolete technology is … (complete the sentence on your own).
Another still active tunnel service provider is Hurricane Electric’s Tunnelbroker.
Using a tunnel on top of your internet connection, will certainly not improve your bandwith and latency. Check the tunnel endpoints location and provider.
With both IP versions configured, which one will be used? Operating Systems and browsers will compare the performance of v6 and v4 traffic and choose the “quicker one”, if both options are available for a destination.
Network Layout
Our network is a typical small office network, with some network services:
- public accessible services: WWW, Mail, DNS, VPN, SSH
- internal services: DNS-Resolver, SSH, NFS
- guest network
With additional services like VPN and the separation of management interfaces we ended up with several VLAN.
+------------+
| +-------------------- internet
| Router A |
| +----+--------------- 100 dmz
+------------+ |
|
+------+-----+
| +--------- 200 prod
| +--------- 300 infra
| +--------- 400 office
| Router B +--------- 500 vpn
| +--------- 600 mgmt
| +--------- 610 ipmi
| +--------- 900 guest
+------------+
Router A
- Tunnel Endpoint
- Gateway in DMZ VLAN
- Stateful firewall
Router B
- Host in DMZ network
- Gateway in all other VLAN
- Stateful firewall
- Load balancer
In our concrete case, one of the reasons for choosing this layout was the connection to our ISP. The IPv4 connectivity is established by DHCP and getting a DHCP IPv4 address also triggers the routing of our assigned IPv4 /28 network. All this IPv4 stuff doesn’t matter here in our exercise - just for your information…
Since public IPv4 addresses are a rare resource, only one subnet is using public addresses - the DMZ, all other use RFC1918 addresses.
In version 6 we don’t have this limitation, we plan in public space - in global unicast address space.
Prefix
Your ISP provides the IPv6 prefix to you - except your ISP is as
incapable as mine. In this case the tunnel provider is the IPv6 ISP and
provides the prefix. On tunnelbroker we requested a /48 prefix and got
something like 2001:db8:db8::/48.
Currently ISP typically provide a /48, /56, or /60 prefix to their customers (RFC 7934).
Info: the prefix in this text belongs to the documentation prefix
area 2001:db8::/32, documented in RFC 3849.
With the prefix 2001:db8:db8::/48 the first 48 bits of each address is
given, the rest we can define. Following a general recommendation we
will create networks with a /64 prefix.
In theory we could create a lot of networks now: 64 minus 48 is 16 bits and 2^16 is 65,536 networks, each with 2^64 possible IPv6 addresses.
We usually get the assigned prefix from the IPv6 ISP and we use this address space for all our machines. But what happens when we change the provider? The prefix will most likely change too - but the address part we have choosen (starting with the 49th bit) can stay the same. Even better - this process can also be automated.
Tunnel Setup
How do we configure our network components?
We already have two routers in place - currently running IPv4 only.
Beside the new prefix the tunnel providers has additional information for you:
Tunnel ID 1234
Server IPv4 198.51.100.20
Client IPv4 192.0.2.10 (your IP)
Server IPv6 2001:db8:db6:1::1/64
Client IPv6 2001:db8:db6:1::2/64
Routed /64 2001:db8:db7:1::/64
Routed /48 2001:db8:db8::/48
The tunnel is using the existing IPv4 connectivity to establish a tunnel between the IPv4 client and server. The two endpoints get the IPv6 addresses assigned and the listed networks are routed from the provider to your endpoint.
To get the tunnel up and running, tunnelbroker.net has a configuration generator. In OpenBSD the tunnel can be created with those three commands:
$ ifconfig gif0 tunnel 192.0.2.10 198.51.100.20
$ ifconfig gif0 inet6 alias 2001:db8:db6:1::2 2001:db8:db6:1::1 prefixlen 128
$ route -n add -inet6 default 2001:db8:db6:1::1
The permanent configuration in OpenBSD is done by creating a new
interface configuration file /etc/hostname.gif0:
tunnel 192.0.2.10 198.51.100.20
!ifconfig gif0 inet6 2001:db8:db6:1::2 2001:db8:db6:1::1 prefixlen 128
!route -n add -inet6 default 2001:db8:db6:1::1
# !route -n add -inet6 2001:db8:db8::/48 2001:db8:db8:100::1
up
We are now up and running! If not check your firewall logs.
The second route command in the interface config is still comment out, we will later set it to route all of our IPv6 pakets to router B.
Providing Addresses
There are several mechanisms to provide addresses to your hosts - beside the manual assignment on the host itself.
Using Stateless Address Autoconfiguration (SLAAC) [RFC4862]
The simplest way is SLAAC - it doesn’t depend on a stateful service and can easily be used. The preferred option for client hosts. To use this assignment method you only need the Neighbor Discovery Protocol (see below), wich is part of every IPv6 implementation.
Using stateful DHCPv6 address assignment [RFC3315]
Stateful DHCPv6 address assignment is similar to its predecessor in IPv4. A central point of configuration requires more administration, but puts you in full control in the address assignment and service configuration. The accounting uses a DUID for refering to the hardware link. DUID can direct relate to a MAC, a MAC plus timestamp or a user defined identifier.
DHCPv6 Prefix Delegation (PD) [RFC3633]
Prefix delegation (PD) is the method of segmenting a prefix (recursively). Assume we start with our delegated /48 prefix, one could create an additional layer of /56 prefixes in side the /48 prefix. Each router with an assigned /56 prefix may again delegate a /64 prefix in an additional layer below. A prefix of /64 can not be divided further.
The PD method may also be valid client assignment method, where each host gets a /64 prefix assigned.
Neighbor Discovery Protocol
IPv4 uses the ARP protocol as connection to layer 3. In version 6 this area has been redesigned and the functionality is bundled as Neighbor Discovery Protocol. Technically this is implemented as ICMPv6 message types - making ICMP even more important now.
-
Router Solicitation (Type 133): Hosts inquire with Router Solicitation messages to locate routers on an attached link. Routers which forward packets not addressed to them generate Router Advertisements immediately upon receipt of this message rather than at their next scheduled time.
-
Router Advertisement (Type 134): Routers advertise their presence together with various link and Internet parameters either periodically, or in response to a Router Solicitation message.
-
Neighbor Solicitation (Type 135): Neighbor solicitations are used by nodes to determine the link layer address of a neighbor, or to verify that a neighbor is still reachable via a cached link layer address.
-
Neighbor Advertisement (Type 136): Neighbor advertisements are used by nodes to respond to a Neighbor Solicitation message.
-
Redirect (Type 137): Routers may inform hosts of a better first hop router for a destination.
Configuration
The first VLAN we create is the DMZ and router A is the gateway of the DMZ. We add a new IPv6 address with the DMZ prefix to the internal interface (here called trunk0) of router A:
ifconfig trunk0 inet6 alias 2001:db8:db8:100:: prefixlen 64
or in the persistent way
# add to /etc/hostname.trunk0
inet6 alias 2001:db8:db8:100:: 64
Since we configure the gateway of this network (DMZ), we wanna provide some basic information, like the prefix, the DNS server and search domains to others on this network. That’s exactly what router advertisements from the Neighbor Discovery Protocol are for.
To set up the Router Advertisement daemon rtadvd(8), put this lines into
the config file /etc/rtadvd.conf:
trunk0:\
:addr="2001:db8:db8:100::":\
:prefixlen#64:\
:rdnss="2001:db8:db8:100::53":\
:dnssl="example.com":
and enable the daemon with
rcctl enable rtadvd
rcctl set rtadvd flags -s trunk0
rcctl start rtadvd
From now on other connected IPv6 links will already get new IPv6 addresses.
We’ll later repeat this step for the other VLAN.