Difference between revisions of "IPv6"

From the Linux and Unix Users Group at Virginia Teck Wiki
Jump to: navigation, search
imported>Echarlie
imported>Pew
Line 1: Line 1:
 +
TODO: Merge this into [[Networking]]
 +
 
VTLUUG has not had IPv6 on machines since the [[CVL eviction]]. This information is mostly academic.
 
VTLUUG has not had IPv6 on machines since the [[CVL eviction]]. This information is mostly academic.
  

Revision as of 03:23, 3 January 2018

TODO: Merge this into Networking

VTLUUG has not had IPv6 on machines since the CVL eviction. This information is mostly academic.


Overview

Most Internet-connected computers communicate using Internet Protocol version 4, usually abbreviated IPv4. IPv4 assigns an address to each computer. These addresses are 32 bits long, and can be written as a period-separated list of four numbers from zero to 255. One example would be 192.168.1.1, an address commonly given to home networking equipment. The 32-bit address space of IPv4 allows for about four billion addresses. Given that there are over six billion people on the planet, it's clear that these addresses will eventually run out. It turns out that due to the way these addresses are allocated in blocks, we actually already have run out.

Enter IP version 6, or IPv6. IPv6 uses 128 bits for each address, but is not yet very widely used. Virginia Tech, being the cutting edge institution it is, already supports IPv6 campus-wide. While this does not directly affect your computing experience, connecting your computer to a native IPv6 networks has a few implications you should be aware of.

Stateless Autoconfiguration and Privacy Extensions

In IPv4, a computer would need to be told its address either manually or by using a network service called DHCP. In DHCP, the computer asks a server to assign it an IP address that is not in use by anyone else.

In IPv6, the address space is so large that a mechanism called "stateless autoconfiguration" can be used. In stateless autoconfiguration, a computer asks a nearby router for the network prefix (the first few digits of the IP address that will be the same for all computers on the network), and then the computer fills in the rest of the bits by using the hardware address of the network adapter. This means that by default, your IP address could be used to uniquely identify your computer anywhere on the Internet, threatening your privacy online.

That's where privacy extensions come in. You can configure your Linux machine to generate an address randomly rather than by using the hardware address. We do that by adding a udev rule that enables temporary addresses when a network interface is enabled.

In Ubuntu and Debian, enable temporary addresses by opening a terminal and typing

   sudo -i
   echo 'ACTION=="add", SUBSYSTEM=="net", RUN="/sbin/sysctl -w net.ipv6.conf.%k.use_tempaddr=2"' > /etc/udev/rules.d/custom-ipv6privacy.rules

And then reboot your machine. You can verify that it worked by running

   ip addr show | grep inet6

from a terminal. If there are any lines which end in "global temporary dynamic" or "global secondary dynamic" you're good to go.

Transition Technologies

Since some of Blacksburg's ISPs (such as Comcast and NTC) still do not support IP, there are several common tools available to enable users to get IPv6 access:

  • Teredo tunneling: This can be done by individual hosts to get an IPv6 address tunneled through a dual-stack server over a TCP port. Public Teredo gateways are available by many providers, including Microsoft, and work through a NAT. While this is handy for public wifi, this does not support reverse DNS, authentication, prefix delegation, or arbitrary address space.[1]
  • 6to4 tunneling: this assigns a /48 block to each global IPv4 address on the internet by encapsulating IPv6 packets within IPv4 packets. This generally must be set-up at the router level, as it cannot traverse NATs automatically. In order to access non-6to4 IPv6 hosts, a relay router must be used at the ISP level. With the advent of tunnel brokers, 6to4 is considered by some to be obsolete. [2] [3]
  • Tunnel brokers: these combine a variety of IPv6 transition methods and allow ISPs to route a portion of their IPv6 address space to users' computers or routers. This is potentially the most robust method, as it supports many different network topologies, reverse DNS, and prefix delegation. Unlike 6to4 and Teredo tunnels, this doesn't necessarily expose the user's IPv4 address. Hurricane Electric is a popular tunnel broker among VTLUUG members; it assigns a /64 and/or /48 to each user and supports rDNS. [4]

Adoption at Virginia Tech

CNS manages Virginia Tech's network, which has one of the greatest percentage of IPv6 traffic compared to other Autonomous Systems. [5] A dual-stack topology is present for all campus ethernet portals and wireless access points.

The following services still lack IPv6:

  • Central web hosting (due to a lack of IPv6 support in the load balancers)
  • Campus email (Exchange, legacy POP/SMTP, but not the new Google services)
  • VT_WLAN authentication (anyone can access the IPv6 internet without entering VT credentials)

VT DNS resolvers have AAAA records:

  • yardbird.cns.vt.edu 2001:468:c80:2101:0:100:0:22
  • jeru.cns.vt.edu 2001:468:c80:4101:0:100:0:42
  • milo.cns.vt.edu 2001:468:c80:6101:0:100:0:62

Departmental Subnet Routing

Since CNS doesn't officially support departments operating their own routers, only single addresses (/128) are routed to each ethernet port. This is problematic for those that wish to distribute global IPv6 addresses to internal networks, and has a limited number of known solutions:

  • Use a NDP proxy on the router to send all router solicitations/advertisements over the WAN, and relay the response. This can optionally be used with DHCPv6 to distribute custom DNS servers and IP addresses. By using IP addresses that are not generated by SLAAC, there is no need to update the DNS records for the machine if the NIC is ever swapped.
  • Bridge IPv6, while NATing IPv4 on the router. This would (in theory) have less overhead, but there doesn't appear to be an easy way to do this.

References