Introduction to IPv6
by Gr@ve_Rose
I'm sure you are all aware that we are running out of IPv4 addresses and that IPv6 is on its way in. This article is designed to be a basic introduction into IPv6 and the technology behind it. Let's get started.
A Brief History
IPv4 is a 32-bit addressing length of four octets of numbers known as an IP address.
These addresses are numbers starting at zero and moving up to 255 allowing for many different combinations of unique IP addresses. With the advent of mobile technology as well as Internet access, we are quickly running out of unique numbers to use.
As a temporary stopgap solution, RFC1918 was introduced to allow non-routable private IP ranges (NAT). However this poses an issue when VPNs are used - for security purposes as well as complicating network design.
IPv6 is the successor to IPv4 using a 128-bit addressing length.
As with IPv4, you still use an IP address but instead of being basic numbers, you now use hexadecimal ranges to represent your addresses. Subnets can go from /3 all the way to /128 and the old "dotted-decimal" notation for subnets has gone out the window. Why? Try dotting out a 128-bit length subnet and when your hand cramps up, you'll know.
Why IPv6?
IPv6 offers quite a lot more than IPv4.
IPv4 (TCP) was designed with error-checking in mind, hence TCP sequence numbers. It was also designed so that everyone could have a "live" IP address which, as we know, is not a reality anymore.
IPv6 is fully compatible with IPv4 which we will examine a little later. IPv6 also allows us to use encryption without the need of a VPN tunnel. There are some other really neat features which will be discussed throughout this article.
How
First, you will need to ensure you are running an IPv6-capable operating system.
Linux has support since the 2.2 kernel (if I'm not mistaken), Windows 2000 needs the Microsoft IPv6 add-on, Windows XP has it built in (but hidden away).
You should check the release notes of your OS for detailed information. After installing the IPv6 module into your operating system, do an ifconfig/ipconfig/whatever-config and you should have an address assigned to your new IPv6 stack, probably starting with the prefix of FE80: and resembling your MAC address of the NIC.
This address is known as a link-local address. Now would be a good time to segue into the prefix schema of IPv6:
FE80 - FEBF - These are link-local addresses only. They will not make it past a router and are really only good for quick "ad hoc" networks.
FEC0 - FEFF - These are private range site-local addresses. Think of these prefixes as RFC1918 addresses.
3FFE - This is the 6bone prefix. If you join the 6bone (6bone.net) you will be assigned this prefix.
2002:A:B:C:D:mask::1 - IPv4 addresses within IPv6 tunnels where A:B:C:D is the IPv4 address.
2001 - Prefixes assigned to ISPs to doll out addresses to customers.
FFXY - Multicast prefix where XY is:
Wow, that was confusing, huh? Let's break this down some more.
Every IPv6 IP address has a prefix associated with it to let the system know what kind of IP address it is.
For instance, a site local multicast would be: FF05::1
And a site local address could be: FEC0:C0FF:EE01::1
Notice the double colons in the addresses? You can substitute any zeroes with the :: indicator. The only trick to that is you can only use it once per address.
FEC0:C0FF:EE01::1 is valid, whereas 2001:A42::FFBB::10A is not.
O.K., we're at the point where we have a link local address and that's about it. Pretty boring, right? Yeah. Let's start looking at what's new with our stack.
Run a netstat -nr or a route -A inet6 and look at your routing table.
You should have your familiar look of the routing table but now with IPv6 enriched goodness. Most of it should be self explanatory, but to take note of your default gateway should prove interesting.
As you probably know, an IPv4 default gateway has an IP of 0.0.0.0 and, as mentioned earlier, with IPv6 you can shorten the zeroes so we end up with :: instead.
You're now probably asking yourself "Where's all the cool stuff you promised us?" and I'm about to deliver. For the next section, I will be using real-world examples from my lab setup at work.
The only thing I can't do (as a limitation at work) is 6-to-4 tunneling. I will, however, discuss the principles behind it.
As you can see, I have three IPv6 subnets in play with two hosts and two routers, one Madhatter with firewall software.
The first thing I did was assign site-local addresses to each unit.
I used ifconfig on Whiterabbit and ipv6 adu on Cheshire.
How?
In Linux, after you have loaded the IPv6 module, run ifconfig eth0 inet6 fec0:c0ff:ee01::1 which will add the IP address to eth0 and the subnet (/16) is automagically calculated.
With Windows, you first need to know the adapter interface number you are using for IPv6. You can obtain this with the ivp6 if command.
To add the IP address, run ipv6 if 4/fec2:c0ff:ee01::1 which tells Windows to use interface ID 4.
Both Madhatter and Redqueen use Nokia Voyager to configure this. You can add the addresses in the IPv6 Interface configuration from the main "Home" page.
How about default routes? How do the hosts know where to route packets?
A nice feature of IPv6 is that your routers can send out router advertisements via muticast so hosts will be able to update their routing tables accordingly. To ensure that packets can travel from one network to another, I set up Routing Internet Protocol (RIP) for IPv6 to automatically propagate my routes.
By adding a metric of 1 to each dynamically assigned route, my computers will automatically know which path to take to get from one network to another. Now that we have routing set up, we can use some programs which are IPv6 enabled.
SSH with the -6 flag will allow you to SSH to a machine. You have to ensure that your SSH daemon is set up for IPv6. Verify this with a netstat -na and look for ::22 [LISTENING] once set up.
Nmap also uses the -6 flag. At the time of this writing, only full TCP connect scans function.
HTTP(d) is very interesting. Although not bound by an RFC, the practice of surfing via IPv6 can be accomplished by using the following syntax: http(s)://[IPv6:add:ress::1]
For instance, to access Nokia Voyager on Redqueen, I use http://[fec1:c0ff:ee01::2] to configure the unit.
Ethereal is able to capture and properly decipher IPv6 packets. If you haven't used it before, you should use it now with your IPVv6 testing so you can see how the packets are formed, transmitted, and received.
More Info
Before this article becomes a book, I'll touch upon some of the other features of IPv6 as well as presenting suggested reading material to further your IPv6 research.
When your IPv6 enabled device comes online, it will send out DAD packets. These are Duplicate Address Detection (DAD) packets to make sure that nobody else has the same IP that the unit is requesting. If no packets are received back, stateless auto-configuration of your link local address occurs. If a DAD packet is received, you must manually configure the interface. You can set up a DHCP server to offer IPv6 addresses but with stateless auto-configuration, it becomes a moot point.
With IPv4, if your packet hit a router that couldn't handle the MTU, it would fragment the packet accordingly. With IPv6, only the sender can fragment packets. ICMP tracepath commands/packets will allow your computer to determine the MTU to a given host and fragment packets based on that information. ICMP is used quite often with IPv6 and the information which is gathered is almost staggering.
As I've mentioned before, you can set up 6- to-4 tunneling relays.
For this, you will use a virtual adapter (stof0) which you can use for 6-to-4 tunnels.
First, you need a tunnel endpoint to connect to. Public relays are found all around; Google is your friend. This setup will generate TCP/41 traffic from your host to the tunnel endpoint at which point the IPv6 is extracted and is sent along its way.
Joining the 6bone should also be a good test bed to advance your knowledge of IPv6.
Visit www.6bone.net and sign up for an IP address. You should make sure that your ISP can route IPv6 traffic or, at the least, ensure that they can pass TCP/41 so you can setup an endpoint tunnel with someone. Within the same aspect, DiG and nslookup also support IPv6 lookups for DNS records.
Take a peek at kame.net and you should see AAAA records for them... and yes, if you bring down an IPv6 DNS host, I'm sure it's quad damage. (Sorry. Couldn't resist. ^_^)
Suggested Reading
Linux IPv6 HOWTO (www.bieringer.de/linux/IPv6). This document is phenomenal for configuring IPv6 for Linux. It deals with the different types of addresses from unicast to anycast as well as a plethora of other configs to use.
IPv6 Essentials by Sylvia Hagen. By far the most concise and informative document I've read on IPv6. It covers pretty much everything you can think of and offers numerous examples of packet hacking and the breakdown thereof.
Windows 2000 Server: Introduction to IPv6 by Joseph Davies. Not overly technical as the other documents but still informative for the Windows operating system.
Voyager and CLI Reference Guides for Nokia IPSO (support.nokia.com). For official Nokia subscribers only. Although most of the audience will not have access to these documents, I'm sure there are Nokia subscribers who read 2600 where these will come in handy.
Shouts: TAC_Kanata, Bob Hinden, David Kessens, Ch1x0r, phoneboy, anyone who I've missed and, of course, eXoDuS. (YNBABWARL!)