Get IPv6 Now with Freenet6

How to set up an IPv6-over-IPv4 tunnel and provide IPv6 networking to hosts behind a gateway.

IPv6 is the successor to our current internet protocol, IPv4. It offers many new features, including a vastly increased address space (128 bits of address vs. IPv4's measly 32 bits), easier autoconfiguration and better support for encryption. The Debian Project has done a good job of making its distribution IPv6-ready. Here, I show you how to set up an IPv6-over-IPv4 tunnel and provide IPv6 networking to hosts behind a gateway using the free Freenet6 tunnel service and radvd. Note that I'm assuming you're using Debian Woody (3.0) or unstable (SID) and that you understand how to install packages through apt. I'm also assuming you know a little bit about IPv6, such as what an address looks like.

You'll need a publicly addressable IPv4 address on the gateway you're using. The kernel on that gateway and any hosts you want to connect also must support IPv6; Debian's standard kernels support IPv6 by default. If you're not sure whether yours does, check for a /proc/sys/net/ipv6 directory. Also, see if the output of ifconfig contains any IPv6 addresses, such as fe80::24f:49ff:fe07:2552. Make sure your firewall isn't blocking IPv6 tunnel packets; IP protocol 41 (ipv6 over ipv4) must not be blocked in either direction.

IPv6 tunneling will fail if you're behind a NAT router, but the good news is that you don't need a static IPv4 address from your service provider to have a static IPv6 address.

First of all, install the Freenet6 client software with apt. The Debian package is called freenet6 and is available in Woody and later releases. RPM and source packages are also available from www.freenet6.net/download.shtml. Once it's installed, Freenet6 automatically gets an IPv6 address based on your existing IPv4 address; no configuration is required.

The /etc/init.d/freenet6 script simply starts the tunneling client, called Tunnel Setup Protocol Client (tspc). At this point, if your IPv4 address changes, so does your IPv6 address. That's right, simply by installing Freenet6, everything will work right out of the box on most systems. However, we want to go a step further; we want to get our own IPv6 subnet. To do this, we need a user account.

Go to www.freenet6.net, and click on the “Create your account” link, which should be under TSP Server on the left-hand menu. After filling in your user name and e-mail address, you will get mail containing the password for the user ID you requested.

Open /etc/freenet6/tspc.conf in your favorite editor. This configuration file controls tspc and defaults to making an anonymous connection. Find the user ID and password lines and change their values to the ones in the e-mail. If you restart Freenet6, run /etc/init.d/freenet6 restart and stop here; you'll have a perfectly functional IPv6 setup with a single static IPv6 address. If this is all you need, you can stop reading right now.

Assuming you do need more, the next step is to request your /48 prefix. Again, this is done by editing tspc.conf. Add the following lines to the end of your tspc.conf file:

host_type=router
prefixlen=48
if_prefix=eth0

The if_prefix option controls which interface will be regarded as your internal network. Freenet6 automatically enables IPv6 forwarding between this interface and your Freenet6 tunnel. On most setups, eth0 will be correct. However, you can change this as required. For the rest of this article your internal network interface will be referred to as eth0. If your setup uses another interface, use that interface instead.

At this point, you can restart Freenet6; run /etc/init.d/freenet6 restart to load the new configuration. We're not going to be making any more changes to it. If you run ifconfig after restarting, you'll notice a new IPv6 address on eth0 in the form XXXX:XXXX:XXXX:1::1/64. Freenet6 automatically has given eth0 this new address from your /48 prefix. The XXXX:XXXX:XXXX part is the network part of your /48 prefix. You may want to make this address permanent by adding it to the eth0 section in /etc/network/interfaces. This will allow other hosts to find your gateway even if the Freenet6 software isn't running. To do this, find the section for eth0, which should look something like this:

iface eth0 inet static
        address 10.1.1.1
        netmask 255.255.255.0
        network 10.1.1.0
        broadcast 10.1.1.255

Add these lines (replacing 3ffe:0b80:083b:1::1 with the address Freenet6 assigned, without the /64 netmask) below:

iface eth0 inet6 static
        address 3ffe:0b80:083b:1::1
        netmask 64
Test this with ifdown eth0 and ifup eth0. One trick: if you're doing this remotely and eth0 is the interface you're connecting through, you can avoid losing your connection and having to walk to the actual computer you're working on by chaining those two commands together with a semicolon, ifdown eth0 ; ifup eth0. Your intrepid author did exactly this over an SSH connection (my test box is downstairs; I'm upstairs).

If everything's working fine up to this point, we can start on the radvd setup. IPv6 has a lot more support for autoconfiguration than IPv4. However, for this autoconfiguraton to work, the routers of a network must answer the autoconfiguration requests of the hosts. On Linux, the program to do this is called radvd (Router ADVertisement Dæmon). The actual autoconfiguration works by giving hosts new IPv6 addresses based on the 64-bit network address and their hardware Ethernet address. Hosts also are told what their default gateway should be. As with Freenet6, there is a Debian package for radvd.

Once radvd is installed, we need to edit the /etc/radvd.conf file. Debian's default configuration basically does nothing, so replace the whole lot with:

interface eth0
{
   AdvSendAdvert on;
   prefix 3ffe:b80:840:1::/64
   {
      AdvOnLink on;
      AdvAutonomous on;
   };
};

The prefix should be set to the network and netmask on eth0. For instance, if the IPv6 address Freenet6 assigned to eth0 is 3ffe:b80:83b:1::1/64, the prefix should be set to 3ffe:b80:83b:1::/64, which is the same as the IPv6 address only minus the host part of the address (the :1). Once you've done that, restart radvd.

After restarting, try running ifconfig on IPv6 hosts attached to your internal network. You should notice a new IPv6 address on the interface connected to your internal network. For example, using the prefix above, one such address might be 3ffe:b80:840:1:24f:49ff:fe07:2552/64. If no new address appears, check /var/log/syslog on the system on which radvd is running for errors; radvd does not log to the console.

To test your IPv6 connection, first try pinging something with the ping6 program on both the gateway and a connected host. You might find you don't have ping6 installed. If not, install the iputils-ping package. Some hosts to try ping6-ing include www.6bone.net and www.kame.net. If this isn't working, double-check that your firewall isn't blocking IPv6 packets. If this works, try connecting to www.kame.net with lynx, Mozilla or Konqueror. These browsers have IPv6 support in Debian testing. If everything is working, there will be a dancing “kame” at the top of the page and a little message at the bottom. If it still says you're using IPv4, and the ping6 test worked fine, double-check that you have the latest version of your web browser.

Installing an IPv6 tunnel may open up security holes. While IPv6 firewalling using iptables in 2.4.x kernels is possible, it is beyond the scope of this article. You are strongly advised to evaluate possible security issues. One quick way to check whether any IPv6 services are being opened up is to run the command netstat -l -A inet6. This will show you open, listening IPv6 sockets. If any are active, make sure it's okay for them to be publicly available.

Congratulations! You're on the next-generation Internet. Now that you have a basic IPv6, you will probably want to look into IPv6-enabling services such as Web and e-mail. The Debian IPv6 Project is a good start to find patched versions of Debian packages. While many client programs are already IPv6-compatible, there are a lot of basic server dæmons, such as inetd, apache, etc., that aren't in the mainstream Debian release. These packages are easy to install; add a few lines to your APT configuration, and run dist-upgrade. If you're interested, go to people.debian.org/~csmall/ipv6.

Resources

Peter Todd has been using Linux since he was 14. When he's not messing around with upcoming network protocols, he can be found at Woburn Collegiate working on pottery and film arts projects. He can be contacted at pete@petertodd.ca and has a self-hosted IPv4 and IPv6 web site, petertodd.ca.

______________________

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix