IPv6 is, big surprise, the new version of IP. The current internet runs on IPv4, which has some drawbacks. Practically, both versions are the same: they allow connections from one host to another host. Technically, however, there are some major differences, most notably the enlarged address space. For the moment, most hosts will run a dual-stack configuration.

I decided that it was time to implement IPv6 on my home network and get an IPv6 connection to the IPv6-Internet.

Getting IPv6 to work wasn’t difficult at all. All it took was to configure an address on my Linux-based router/firewall:

# ip -6 addr add dev eth0 2001:db8:1:2:1122:33ff:fe44:5566/64

I used EUI-64 type addresses to be consistent with the rest of the network, but you can choose freely. Note that the examples use IPv6 addresses reserved for documentation; don’t use these addresses!

Next, I configured radvd, the router advertisement daemon:

# /etc/radvd.conf

interface eth0 {
	AdvSendAdvert on;
	MaxRtrAdvInterval 600;
	AdvManagedFlag off;
	AdvOtherConfigFlag off;
	prefix 2001:db8:1:2::/64 {
		AdvAutonomous on;
		AdvValidLifetime 604800;
		AdvPreferredLifetime 86400;
	};
	RDNSS 2001:db8:1:2:1122:33ff:fe44:5566 {
	};
};

By the time I opened my System Preferences, my Mac had already assigned itself an IPv6 address and I was able to ping the router.

The IPv6 Internet

With the above configuration, I was running an IPv6 island. There was no way to communicate with the outside world (over IPv6). Since my ISP doesn’t know what IPv6 is, I needed another way to get a connection to the IPv6 internet. Sixxs.net provides exactly this. Note that all requests are manually processed, so it can take a while to get them all approved. Mine took around 24 hours from account-request to subnet approval.

Since my router has a public IP address, I chose the heartbeat tunnel, which uses plain IPv6-in-IPv4 (sit) tunneling. My AICCU configuration looks like this:

# /etc/aiccu.conf

username -SIXXS
password 

protocol tsp
server tic.sixxs.net
ipv6_interface sit_sixxs
verbose false
daemonize true
automatic true
requiretls false

Simply starting AICCU got my tunnel up and connected me to the IPv6 Internet:

# ip addr sh
<stripped>
160: sit_sixxs@NONE: <POINTOPOINT,NOARP,UP,10000> mtu 1280 qdisc noqueue
    link/sit <stripped> peer <stripped>
    inet6 2001:<stripped>:2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::5740:191d/64 scope link
       valid_lft forever preferred_lft forever
    inet6 fe80::a11:ff01/64 scope link
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:0/64 scope link
       valid_lft forever preferred_lft forever
    inet6 fe80::a11:1/64 scope link
       valid_lft forever preferred_lft forever
    inet6 fe80::c0a8:ff01/64 scope link
       valid_lft forever preferred_lft forever
    inet6 fe80::a11:201/64 scope link
       valid_lft forever preferred_lft forever
<stripped>
# ping6 -n sixxs.net
PING sixxs.net(2001:838:1:1:210:dcff:fe20:7c7c) 56 data bytes
64 bytes from 2001:838:1:1:210:dcff:fe20:7c7c: icmp_seq=1 ttl=54 time=18.9 ms
64 bytes from 2001:838:1:1:210:dcff:fe20:7c7c: icmp_seq=2 ttl=54 time=18.2 ms
64 bytes from 2001:838:1:1:210:dcff:fe20:7c7c: icmp_seq=3 ttl=54 time=18.3 ms
^C
--- sixxs.net ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2011ms
rtt min/avg/max/mdev = 18.271/18.518/18.945/0.341 ms
#

Routed subnet

We now have IPv6 connectivity to the IPv6 internet from the router/firewall. The IPv4-way of getting that access to our internal hosts is to many-to-one-NAT all boxes behind this single public address. Since IPv6 has many more addresses, the normal way is to give each internal host its own public address. Sixxs.net also provides subnets on request, usually /48.

Once the subnet-request was approved, simply changing the IP of the firewall, changing the radvd.conf and restarting radvd was enough to get the IPv6 internet to the inside hosts. Since all hosts now have public addresses, it may be a wise choice to firewall them.

Privacy Extension

IPv6 provides a Privacy Extension feature which, surprise, enhances privacy. On Mac OS X 10.5 Leopard this is disabled by default. Enabling it requires a sysctl:

# sysctl net.inet6.ip6.use_tempaddr
net.inet6.ip6.use_tempaddr: 0
# sysctl -w net.inet6.ip6.use_tempaddr=1
net.inet6.ip6.use_tempaddr: 0 -> 1
# sysctl net.inet6.ip6.use_tempaddr
net.inet6.ip6.use_tempaddr: 1

To make these changes permanent, Mac apparently uses the standard sysctl.conf:

# /etc/sysctl.conf
# Generate and use IPv6 Privacy Extension addresses
net.inet6.ip6.use_tempaddr=1
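
What the Privacy Extension protects against, as an added example that is not part of the original post: an EUI-64 address like the one configured on the router above carries the interface's MAC address in its low 64 bits, so the same identifier follows a machine from prefix to prefix. The Python below recovers that MAC from an address; the function names, the sample MAC, the second prefix and the temporary address are constructed for illustration.

```python
import ipaddress

def mac_from_eui64(addr):
    """Return the MAC address embedded in a modified EUI-64 interface ID, or None."""
    host = addr.split("/")[0].split("%")[0]          # drop prefix length / zone
    iid = ipaddress.IPv6Address(host).packed[8:]     # low 64 bits
    # Modified EUI-64 (RFC 4291) puts ff:fe between the two MAC halves.
    # Heuristic: a random interface ID matches by chance about 1 time in 65536.
    if iid[3:5] != b"\xff\xfe":
        return None
    # The universal/local bit (0x02) of the first octet was inverted; flip it back.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def slaac_eui64(prefix, mac):
    """Address a host derives from a /64 prefix and its MAC in EUI-64 form."""
    net = ipaddress.IPv6Network(prefix)
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if net.prefixlen != 64 or len(raw) != 6:
        raise ValueError("need a /64 prefix and a 48-bit MAC")
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)

def audit(addresses):
    """Map each address to the MAC it exposes (None if no EUI-64 pattern)."""
    return {a: mac_from_eui64(a) for a in addresses}

if __name__ == "__main__":
    # Constructed sample: one MAC seen behind two documentation prefixes,
    # the router address from this page, and a random-looking temporary address.
    mac = "00:1b:63:aa:bb:cc"
    samples = [
        str(slaac_eui64("2001:db8:1:2::/64", mac)),
        str(slaac_eui64("2001:db8:beef:1::/64", mac)),
        "2001:db8:1:2:1122:33ff:fe44:5566/64",
        "2001:db8:1:2:5c3a:91e7:2b04:d8f1",
    ]
    for addr, found in audit(samples).items():
        print(f"{addr:40} -> {found or 'no embedded MAC'}")
```

Run against the output of ip -6 addr on each host, this shows which global addresses still expose a hardware address and which are temporary ones.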

2 Comments

  1. bv says:

    So with IPv6 there is no need for a DHCP server?

  2. Niobos says:

    Correct, you can use DHCPv6 if you want, but it’s not required.
