IPv6 Redux

by Gr@ve_Rose

Hello everyone.

Since my last article touched upon an introduction to the IPv6 protocol, I thought a nice follow-up article on how to configure your network would be beneficial and some fun practice.  Without further ado, let's get down to business.

My Network

As a point of reference, here is a (very) basic overview of my network at home.

Frankenserver is my Linux gateway, server, and basic all-in-one box running Red Hat EL3 and Check Point FW-1 NGFP4 R55 connected to a 3 MB PPPoE connection.  My main desktop PC is Alice and she runs Mandrake Linux 10.0 (2.6.3-7mdk vanilla).  I have about five or six more computers but will only be focusing on Frank and Alice.

Tunnel Broker

I'm assuming that your current ISP does not offer native IPv6 connections.

If it does, you can probably stop reading here!

For the rest of us, we need to establish an IPv6 tunnel with a tunnel broker.  Tunnel brokers are organizations that allocate you a network from their subnet for your own use.

Some of the ones out there include Hurricane Electric (ipv6tb.he.net) and Hexago (www.hexago.com) as well as many others.  I have used both of the aforementioned but will focus on Hexago as I have had good service with them.

Swing over to the Hexago site and, at the top right of the page, select the "Get IPv6 in 3 steps" link.

Go through the short registration process and get the Linux Tunnel Setup Protocol (TSP) client at the end.

Save the TSP client on your border router (Frank for me) and uncompress it.

Install it with the command:

$ tar xvzf tspc-2.1.1.tar.gz
$ cd tspc2/
$ make target=linux installdir=/usr/local/tspc install

which will compile & install the program in: /usr/local/tspc

Once you have installed the TSP client, switch to /usr/local/tspc/bin and edit the tspc.conf file.

Here are the main things you will need to have:

tsp_dir=/usr/local/tspc     # Location of the program
auth_method=any             # Choose the best for us
client_v4=auto              # Interface to peer with (external)
userid=                     # Username
passwd=                     # Password
template=linux              # Using Linux, right?
server=broker.freenet6.net  # Used for logging in
retry_delay=30              # 30 second retries
tunnel_mode=v6anyv4         # Leave this as it is
if_tunnel_v6v4=sit1         # Leave this as it is
if_tunnel_v6udpv4=tun       # Leave this as it is
proxy_client=no             # We are not a proxy server
keepalive=yes               # Always a good idea
keepalive_interval=30       # 30 second keepalive
host_type=router            # We are a router
prefixlen=48                # Obtain a /48 subnet
if_prefix=eth0              # Internal network card

Once you have configured this, save the file and run the command:

$ ./tspc -f ./tspc.conf -vwv

and you should see the transaction take place.

Any error messages you see if it fails are most likely in the Hexago FAQ pages.  Check there for more help.

Run an ifconfig -a and you should now see your sit1 interface with a /128 subnet (our tunneling mechanism) and eth0 should now have a global unicast IP address starting with 2001: with a /48 subnet.
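As an added check (not part of the original article), the shell function below parses ifconfig -a output and confirms both of the addresses just described: a global /128 on sit1 and a 2001: global unicast address on eth0.  The two ifconfig samples are constructed, using documentation prefixes rather than a real allocation:

```shell
#!/bin/sh
# Check `ifconfig -a` output (read on stdin) for what the TSP client should have
# set up: a global /128 on the tunnel interface (sit1) and a 2001: global
# unicast address on the LAN interface (eth0), the names from tspc.conf above.
tunnel_check() {
  awk -v tun="${1:-sit1}" -v lan="${2:-eth0}" '
    /^[A-Za-z]/ { iface = $1 }   # a line starting in column 0 opens a new interface block
    iface == tun && /inet6 addr:/ && /Scope:Global/ && $3 ~ /\/128$/ { ep = $3 }
    iface == lan && /inet6 addr:/ && $3 ~ /^2001:/ { gua = $3 }
    END {
      rc = 0
      if (ep == "") { print tun ": no global /128 tunnel endpoint"; rc = 1 } else print tun " endpoint: " ep
      if (gua == "") { print lan ": no 2001: global unicast address"; rc = 1 } else print lan " global address: " gua
      exit rc
    }'
}

# Constructed sample of a working setup (documentation prefixes, not real ones).
IFCONFIG_OK=$(cat <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:172.17.2.1  Bcast:172.17.2.255  Mask:255.255.255.0
          inet6 addr: 2001:db8:1::1/48 Scope:Global
          inet6 addr: fe80::211:22ff:fe33:4455/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
sit1      Link encap:IPv6-in-IPv4
          inet6 addr: 2001:db8:ffff::2/128 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1280  Metric:1
EOF
)
# Constructed sample of the same box before tspc ran: link-local only, no sit1.
IFCONFIG_NOTUNNEL=$(cat <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:172.17.2.1  Bcast:172.17.2.255  Mask:255.255.255.0
          inet6 addr: fe80::211:22ff:fe33:4455/64 Scope:Link
EOF
)

printf '%s\n' "$IFCONFIG_NOTUNNEL" | tunnel_check || echo "-> tunnel not up, check the tspc output"
printf '%s\n' "$IFCONFIG_OK" | tunnel_check && echo "-> tunnel endpoint and prefix look good"
# On the real router: ifconfig -a | tunnel_check
```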

Client Configuration

Head on over to your desktop PC (Alice, in my case) and, if you're running a (Linux) kernel pre-2.6, run insmod ipv6 to install the IPv6 module.

Wait for a few moments and then run an ifconfig -a and your Ethernet adapter should now have its own global unicast (2001:) IP address.

How did this happen?  Well, the TSP client also works as radv(d) which will advertise IP addresses for configuration.  Cool, eh?

Now, let's add DNS resolution.

Technically, any DNS server can give you an A6 record (dig -t AAAA servername.com) but we want to make sure of this.

Open /etc/resolv.conf and add the following at the top:

options inet6
nameserver 2001:238::1

Yes, that is a valid IPv6 nameserver (at the time of this writing).

Once this is done, we should move on to the security portion...

Security Considerations

This is where things get tricky.

I'm running Check Point FW-1 and, although it does support IPv6, not all features are available yet.  As such, I have had to make some modifications to both Alice and Frank.

First off, I had to allow the Hexago IPv4 server unrestricted access to Frank's IPv4 address, to allow for the different ports which may be used in the 6over4 tunnel.

Because of this, I performed a security audit on Frank to ensure that the only services listening are the ones I want to have running.  (This is good practice anyway.)

Right now, only HTTP(S) and SSH are listening on IPv6.

Second, although Check Point does support IPv6, it currently struggles with stateful inspection of tunneled traffic for IPv4 and IPv6.  This means that anyone can access any of the global-unicast IP addresses I've been assigned.

In layman's terms, Alice's IPv6 is unprotected.  A quick:

$ netstat -na | grep \:\:

revealed only SSH listening on :::22.

Hacking /etc/ssh/sshd_config and changing the ListenAddress entries to ::1 and 172.17.2.2, followed by a service sshd restart, worked properly.

Now the only service on Alice listening on IPv6 is SSH listening on the loopback interface only.
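The netstat check above, turned into a small audit script (an addition to this article, not the author's own code): it reads netstat -na output, classifies every IPv6 listener as loopback-only, link-local, or exposed through the global address, and exits non-zero when anything is exposed.  The two netstat samples are constructed to match the description of Alice before and after the sshd_config change:

```shell
#!/bin/sh
# Audit IPv6 listeners in `netstat -na` output (read on stdin): with no
# stateful filtering of the tunneled IPv6, anything bound to :: (wildcard) or
# to the global unicast address is reachable from the whole IPv6 Internet.
v6_listeners() {
  awk '
    $1 !~ /^(tcp|udp)6?$/ { next }          # skip the header and non-socket lines
    $1 ~ /^tcp/ && $6 != "LISTEN" { next }  # for TCP only listening sockets matter
    {
      n = split($4, p, ":")                 # port is the text after the last colon
      port = p[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr !~ /:/) next                 # IPv4 socket: the firewall covers that
      if (addr == "::1")          scope = "loopback-only"
      else if (addr == "::")      scope = "EXPOSED (wildcard, all v6 addresses)"
      else if (addr ~ /^fe80:/)   scope = "link-local"
      else                        scope = "EXPOSED (bound to " addr ")"
      printf "%-5s %-6s %s\n", $1, port, scope
      if (scope ~ /^EXPOSED/) bad++
    }
    END { exit (bad > 0) ? 1 : 0 }'
}

# Constructed sample: before the change, sshd listening on :::22 (all IPv6 addresses).
NETSTAT_BEFORE=$(cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF
)
# Constructed sample: after ListenAddress ::1 / 172.17.2.2 and a restart of sshd.
NETSTAT_AFTER=$(cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 172.17.2.2:22           0.0.0.0:*               LISTEN
tcp        0      0 ::1:22                  :::*                    LISTEN
EOF
)

printf '%s\n' "$NETSTAT_BEFORE" | v6_listeners || echo "-> exposed IPv6 listeners, fix before going on"
printf '%s\n' "$NETSTAT_AFTER"  | v6_listeners && echo "-> only loopback IPv6 listeners left"
# On the real host: netstat -na | v6_listeners
```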

Lastly, I created my IPv6 objects within the SmartDashboard of Check Point:

[6]-Alice_v6_host_node
[6]-Frank_eth0_host_node
[6]-Frank_sit1_host_node 
[=|-]-Internal_v6_network

and allowed my Internal_v6_network out without limitation.

Testing

If everything has gone correctly, you should be able to ping6 sites.

Try:

$ ping6 www.kame.net

which should return from orange.kame.net.

If DNS doesn't work, their IP address is: 2001:200:0:8002:203:47ff:fea5:3085

How about websites?

The best one to test with is www.ipv6.bieringer.de because you can only access it from an IPv6-enabled machine.  IPv4 browsing will return a "Bad Gateway" error message.

What's really interesting to see are the actual packets going back and forth.  I suggest using Ethereal but even tcpdump will show you the IPv4 addresses followed by the (un)encapsulated IPv6 addresses.  Fun stuff!

Conclusion

I hope that this article has helped you on your way to learning more about IPv6 as well as how it functions.

I have some documents floating around on the web about IPv6 so if you can track them down, they should help you out as well.

Take a look at different websites out there and, bundled with the inquisitive nature I'm sure you possess, you'll be flying v6-style in no time!

Shouts: Ch1x0r, phoneboy, Bob Hinden, David Kessens, TAC_Kanata, elligirl, anyone I may have missed, and of course, eXoDuS (YNBABWARL!)
