SYSADMIN: IPv6
ISSUE 88, MARCH 2008
Photo: krockenmitte, photocase.com

Examining IPv6 on today's Internet

NEXT GENERATION

Is the world ready for the next generation Internet Protocol? We take a look at Linux with IPv6. BY JÖRG FRITSCH AND PATRICK NEST

The TCP/IP protocol, which began as an obscure experiment for a handful of academics and U.S. Department of Defense officials, suddenly became popular in the late 1980s and 1990s with the meteoric rise of the Internet. By the early 1990s, the IP address space – which had seemed quite vast in the early days – was beginning to look all too finite, and the experts began to wonder what would happen if the Internet ever ran out of addresses. Work began on a new version of the Internet Protocol (IP) that would put an end to worries of overcrowding. A plan for the new protocol, which came to be known as "IP Next Generation" (IPng), was adopted by the Internet Engineering Task Force (IETF) in 1994, and the details of the IPv6 protocol were released through a flotilla of documents surrounding the RFC 2460 IPv6 specification.

The huge space within the 128-bit IPv6 address promised a nearly limitless supply of unique addresses, and IPv6 also provided other potential benefits with an assortment of new routing, security, and quality of service features (see the box titled "IPv6 Benefits"). The industry was poised for a transition to the new IP, but for various reasons, this great migration never really happened. New techniques, such as Network Address Translation (NAT) and Classless Inter-Domain Routing (CIDR), staved off the end of the old IPv4 address space, and although hardware and software vendors implemented various forms of IPv6 support, Internet service providers were slower to adopt. Because the specifications ensure the compatibility of IPv6 with IPv4 environments, the next generation protocol has functioned more as a rarely used extension of IPv4 than as a separate environment with a full range of new features.

Recently, however, the situation has been changing [1]. The proliferation of Internet-ready mobile phones and other embedded devices raises new concerns about the viability of IPv4 address space. At the same time, the promise of sophisticated IPv6 quality of service capabilities offers potential benefits for future voice and video applications, if developers will shift their focus to writing for the IPv6 environment.

In August 2007, the IETF published a draft version of a transition plan for migrating the Internet from "… a predominantly IPv4-based connectivity model to a predominantly IPv6-based connectivity model" [2]. According to the plan – which theoretically expires in February 2008 and may be updated
by the time you read this article – the transition will occur between 2010 and 2011 (Figure 1). At the end of this period, Internet providers will have to offer their customers IPv6, which will reduce the incentive for software vendors to focus development around the more limited functionality of IPv4.

Figure 1: The IPv6 migration plan envisages final IPv6 migration between 2010 and 2011. (Timeline shown in the figure: 2007-2009 preparation period; 2010-2011 transition period; 2012-2013 IPv6 mandatory.)

Governments and political organizations are already starting to pay more attention to IPv6, and the first IPv6-only production networks are projected to come online by July 2008. Given the recent resurgence of interest, we decided the time was right for a look at the current state of IPv6 in Linux environments.

IPv6 Benefits

The creators of IPv6 weren't just worried about the address space. IPv6 offers a number of additional benefits. Some of the new features are intended to address problems with IPv4, and others are simply an attempt to capitalize on new developments in the evolution of networking. Other changes include:

• Autoconfiguration – IPv6 can be configured automatically through a system of ICMPv6-based router discovery messages. According to some reports, this feature could eventually replace DHCP.
• Multicasting – Multicasting, which was added as an afterthought to IPv4, is part of the IPv6 base specification. Multicasting lets you address a packet to a group of recipient addresses.
• Security – IPv6 includes native support for network-layer encryption and authentication, a feature that was eventually added to IPv4 through technologies such as IPsec. "Native" means that the IPsec headers (AH and ESP) are defined as IPv6 extension headers and that the IPv6 node requirements made IPsec mandatory to implement; nothing is authenticated or encrypted until you configure it.
• Payload – The payload of an IPv6 packet can be as large as 4GB – an astronomical increase over the 64KB payload capacity of an IPv4 packet. These "jumbograms" could result in increased efficiency and throughput over networks designed to accommodate them.
• Quality of Service – IPv6 provides a means for specifying the priority of a packet, which could lead to reduced latency for streaming video and other time-sensitive transmissions.

Of course, the IPv6 protocol primarily provides a networking environment; it is up to the applications on either end of the connection to use these new features effectively. Many of the best IPv6 features will not benefit the user until programmers start writing applications that leverage IPv6 enhancements.

Practical IPv6

Most Linux distributions include IPv6 support. For some applications, you have to enable IPv6 in a configuration file. For example, the Bind name server typically needs an additional option, listen-on-v6 { any; }, in its named.conf. For Sendmail, you need to modify the sendmail.cf file to tell both the client and the daemon to listen on a defined IPv6 address (enter the inet6 address family in ClientPortOptions and DaemonPortOptions).

Linux hosts, as well as Mac OS X hosts, Windows Vista systems, and most open source applications, support IPv6 after the first boot. In production environments, many admins just ignore IPv6 and leave it running without any management or control. The result is an unmanaged TCP/IP protocol stack, which is a disaster from a security point of view: a service bound to the IPv6 wildcard address becomes reachable over IPv6 as soon as the host picks up a routable address (a router advertisement on the segment is enough), and none of your IPv4 firewall rules apply to that traffic. Even if you don't plan to roll out an IPv6-ready network implementation, it makes sense to come to terms with IPv6 so you can manage the services that might already be running on your network.

IPv6 means a lot of typing. The sheer length of IPv6 addresses makes them difficult to type and remember, despite the possible shortcuts (see the box titled "IPv6 Shortcuts"). To make IPv6 easier to work with, you should use name and directory services whenever you can. For your first steps in a trial environment, an /etc/hosts file is probably the right choice, but you will quickly discover the virtues of an IPv6 name server that at least supports normal forward name resolution (name to IPv6 address).

IPv6 for Small Businesses

Just because the administrator can ping one host from another after setting up IPv6 does not mean that the network is ready for production use. Many Internet HOWTOs recommend the use of ping after completing the IPv6 install to prove that all is well – but run it with reverse lookup of the responding IPv6 address disabled (ping6 -n), because a broken reverse zone otherwise makes every reply wait for a DNS timeout.

In a production environment, it is obviously not enough to set up a working IPv6 topology. Businesses need at least a working name server or directory server, along with a web server, a mail server, and possibly a proxy cache and a Samba server to support heterogeneous environments.

To access the Internet with IPv6, you need the following:
• IPv6 connectivity via your ISP or, for developers and testers, via an IPv6 tunnel broker
• IPv6 routing
• IPv6 DNS/directory services – forward and reverse lookup

Tunnel Brokers

The IPv6 specifications provide a means for encapsulating an IPv6 packet within an IPv4 packet. Several tunnel brokers support delivery of IPv6 packets over the IPv4 Internet through tunneling. Typically, a tunnel broker (RFC 3053) is the only practical solution for operating IPv6 networks on the Internet. Examples of tunnel brokers include Hurricane Electric [3] and SixXS [4].

A tunnel broker sets up an IPv6-in-IPv4 tunnel: the IPv6 packet is carried directly inside an IPv4 packet with protocol number 41, the configured "6in4" tunnel of RFC 4213, which Linux calls a "sit" tunnel and the BSDs a "gif" interface. This is plain IP-in-IP encapsulation, not Generic Routing Encapsulation (GRE, IPv4 protocol 47), although GRE can carry IPv6 as well. The tunnel connects the two endpoints via a normal IPv4 network. This configuration creates virtual tunnel interfaces at both
endpoints; the interfaces are then configured as if they were two physical interfaces connected directly by wire. The administrator can configure these interfaces with IPv6 addresses and use them as the default IPv6 route. The endpoint, which can be a single host or a router, appears as if it were wired directly to the rest of the native IPv6 world. This sounds complex, but depending on your choice of operating system, the configuration requires just six commands (see Listings 1 and 2).

Some tunnel brokers simplify IPv6 name resolution and reverse resolution in their Internet portals or offer the option of configuring Border Gateway Protocol (BGP) as the routing protocol.

Although a tunnel broker is easy to configure, the solution comes with the same costs all IP tunnels have, such as overhead because of the smaller MTU and related data transfer issues if path MTU discovery does not work on all the nodes. The configuration also relies on the tunnel working correctly and being available. Bear in mind, too, that a 6in4 tunnel is neither authenticated nor encrypted: the tunnel server accepts protocol-41 packets whose IPv4 source is your endpoint address, so anyone able to spoof that address can inject IPv6 traffic into your network through the tunnel interface. For operational networks, the tunnel broker option is probably not a good idea.

Figure 2: A dual-stack environment supports both IPv4 and IPv6. (The figure shows the layers: Application; TCP and UDP; IPv4 and IPv6 side by side; Data Link/Ethernet.)

The First IPv6 Request

After you set up the connection, it's time for an initial test. You can start by accessing an IPv6-capable website in your browser. The results of an ordinary browser session are typically quite sobering: When DNS name resolution returns both an IPv4 A record and an IPv6 AAAA record, the browsers we tried used the IPv4 variant and requested the IPv4 version of the HTML page, and the same holds for other applications that run in mixed IPv4/IPv6 environments. Which address family wins is decided by the operating system's address selection policy rather than by the application (on Linux, glibc implements the RFC 3484 rules and reads /etc/gai.conf), so check what your own host prefers before drawing conclusions from such a test.

Another problem you could face when browsing with IPv6 is that many of the IPv6-enabled sites have long disappeared. IPv6 link lists are often fairly ancient, and at least half of the links might not even exist.

The most reliable website we could find with respect to IPv6 support is the KAME project [5] (Figure 3). Some other sites offer IPv6 support, but the IPv6 content is typically the same as the accompanying IPv4 content, so the benefits of browsing with IPv6 on today's Internet are limited.

Big websites such as CNN or Google are not reachable via IPv6, although some sites are preparing for the transition. Google has reserved an IPv6 /20 subnet, and there is some speculation as to whether Google might be planning to offer ISP services in the future. Ebay was assigned a /41 subnet a couple of months ago.

Automatic

Theoretically, an administrator can simply configure the router on a network with IPv6 interface identifiers (i.e., with EUI-64 addresses). Any clients that establish a connection to the network are automatically configured with an IPv6 address and router address (via Neighbor Discovery, ND, and Router Advertisements, RA). You don't need a DHCP server. This method is referred to as stateless autoconfiguration. Keep in mind that every host trusts any router advertisement it hears on the link, so any machine on the segment can make itself the default router of all autoconfigured hosts; filtering RAs on the switch ports that lead to clients is the usual countermeasure. Of course, an autoconfigured network without name service isn't much use because it doesn't support any kind of name resolution. The IPv6 address for the name server does not autoconfigure.

Various draft proposals have attempted to improve this, for example, by Router Advertisements or Anycast addresses to configure the DNS server (RFC 4339 surveys the approaches). Thus far, none of these proposals has reached the stacks in general use. Two standardized routes do exist, however: the RDNSS Router Advertisement option was published as RFC 5006 in September 2007, and DHCPv6 (RFC 3315) can hand out name server addresses with the options of RFC 3646, either statefully or alongside stateless autoconfiguration (RFC 3736). How far clients support either depends on the operating system, so check before you rely on autoconfiguration alone.

Even though the name server cannot be located if you rely on stateless autoconfiguration, it does not actually cause any problems in today's dual-stack environments (Figure 2) because each host has an IPv4 name server that can respond with IPv6 address records, if necessary. However, if this problem is not solved, it will eventually detract from the elegance of the IPv6 network. Generally, you can expect all servers to have static IP addresses and all clients to self-configure using stateless autoconfiguration.

IPv6 Shortcuts

IPv6 admins use two approaches for shortening the extremely long IPv6 addresses.

The first approach is to drop leading zeros and collapse runs of zero groups. Each IPv6 address comprises eight 16-bit groups written in hexadecimal and separated by colons. Leading zeros within a group can be omitted, so :0090: becomes :90: and :0000: becomes :0:. In addition, one run of consecutive all-zero groups can be replaced by a double colon. This means that 2001:0000:0000:0090:00AD:0000:1234:abcd becomes 2001::90:ad:0:1234:abcd (the case of the hexadecimal digits is not significant). The double colon may appear only once in an address (RFC 4291), and it is conventionally used for the longest zero run; the remaining single zero group is written as 0 but cannot be collapsed a second time, because otherwise it would be unclear how many groups belong to each ::.

The second method is to define a constant prefix for your own network. In the previous example, the prefix could be 2001:0:0:90::/60. If your ISP gives you a /60, the prefix on your own network will never change, so you can define it once in your applications and leave it out afterwards. The IPv6 name server administrator would define it once, and you can then work with the remaining groups (with a /60, the last four groups plus the low nibble of the fourth). The prefix need not be mentioned in internal network plans, in documentation, or in correspondence.

Right now, most native IPv6 addresses you will encounter start with 2001:, although the global unicast range that the registries allocate from is all of 2000::/3. Addresses that start with 2002: are 6to4 addresses (RFC 3056): the specification defines a way of deriving a unique IPv6 /48 from a public IPv4 address, which is what "IPv4 addresses converted to IPv6" means here.

DNS Obstacles

If you want to offer or access network services, name resolution is imperative. For your first experiments, you can start by using an /etc/hosts file and relying on nsswitch.conf with the files option, which tells the system to search the hosts file first for name resolution. This
configuration works for IPv6, too. As with IPv4, you can add IPv6 addresses and host names to /etc/hosts, and the nameserver lines in /etc/resolv.conf accept IPv6 addresses as well. This solution will not scale, but it does save some typing and trouble.

At a minimum, you'll need to make three major changes to the name server configuration:
• named.conf (must bind to the IPv6 address of the network interface; this is the listen-on-v6 option mentioned earlier)
• zone file AAAA records (must exist in the zone files for IPv6 hosts)
• reverse lookup file (a zone under ip6.arpa, in which each address appears as its 32 hexadecimal nibbles in reverse order)

AAAA records are the IPv6 counterpart to the A records used by IPv4. All other attributes, such as MX RRs, CNAMEs, and so on, remain unchanged. Expect some complications with configuring name resolution because, again, applications will look for IPv4 first.

The "IPv6 Commands" box shows an overview of the tool options. Vendors are inconsistent with regard to the syntax of the IPv6 DNS information in the nsswitch.conf file. Red Hat lets the administrator keep the dns keyword for IPv6, whereas SUSE insists on dns6, and Solaris requires ipnodes.

Figure 3: The KAME project offers reliable IPv6 support.

IPAM

Currently, IPv6-capable ISPs in Europe typically assign /52 subnets to their customers. We would advise larger companies to apply for more addresses. In the United States, IPv6-capable ISPs are not as mean and have been known to assign /48 subnets to bigger customers. Converting these subnet numbers to absolute decimal numbers does not help much; the number of IPv6 addresses in a /64 subnet – for an ADSL router or home user – is greater than you can imagine.

Managing this many IPv6 addresses with a spreadsheet would be difficult. Instead, you should opt for an IP address management tool. Currently, we are only aware of commercial tools – for example, BT INS IPControl [6], BlueCat Networks [7], and Infoblox [8].

Network Equipment Vendors

The equipment supplied by most major network equipment vendors (e.g., Juniper and Cisco) has had IPv6 support for a couple of years, and you do not need to worry about switches or routers. However, there are some differences between major network equipment suppliers with respect to firewalls.

Cisco's ASA firewall only supports IPv6 at the command line, but the Juniper ISG firewall can handle IPv6 addresses at the command line and in its browser-based GUI. Cisco supports the dual IPv4/IPv6 protocol stack in wireless networks. Other more specialized products, like load balancers (such as F5 and Nortel Alteon), also support IPv6, and often they have useful features for migrating from IPv4 to IPv6. We did not investigate the extent of IPv6 support for low-priced, consumer-grade hubs.

Native IPv6

Right now, the typical approach to using IPv6 natively is a dual-stack implementation. You rent an IPv4 DSL connection or a leased line, and the ISP gives you a static /48 IPv6 subnet (equivalent to 65,536 /64 subnets) via the same connection with dual stacking. Typically, the assigned IPv6 addresses are static, even if your IPv4 addresses are assigned by means of DHCP. IPv6 was advertised as a "service feature" with DSL four or five years ago, but some ISPs have stopped actively promoting IPv6. In the past three years, it has become increasingly difficult to get IPv6 for your own network.

Native IPv6 without IPv4 connectivity does exist; however, it is very rarely offered, typically only in the U.S. and Asia. After connecting your operational network to the IPv6-only Internet, you can't even exchange email with the rest of the world. Again, if you try to establish a monoculture (either IPv4 or IPv6), you will need to invest a fair amount of time permanently disabling the other protocol stack throughout your network.

Listing 1: IP Tunnel with iproute2 (Linux)

  # load the IPv6 stack (older kernels build it as a module)
  modprobe ipv6
  # 6in4 tunnel (IPv4 protocol 41): remote is the broker's endpoint, local your public IPv4 address
  ip tunnel add he-ipv6 mode sit remote 209.51.161.14 local 83.84.117.191 ttl 255
  ip link set he-ipv6 up
  # your side of the tunnel /64 assigned by the broker
  ip addr add 2001:470:1f06:12f::2/64 dev he-ipv6
  # send all IPv6 traffic into the tunnel
  ip route add ::/0 dev he-ipv6
  # verify: lists the IPv6 addresses of every interface
  ip -f inet6 addr

Listing 2: IP Tunnel with *BSD and OS X

  # gif0 carries IPv6 over IPv4 (protocol 41): local address first, then the broker's endpoint
  ifconfig gif0 tunnel 83.84.117.191 209.51.161.14
  # point-to-point addresses: your side, then the broker's side
  ifconfig gif0 inet6 alias 2001:470:1f06:12f::2 2001:470:1f06:12f::1 prefixlen 128
  # default IPv6 route via the broker's end of the tunnel
  route -n add -inet6 default 2001:470:1f06:12f::1
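The address handling behind three of the points above, as an added example that is not part of the original article: the expansion and compression rules from the "IPv6 Shortcuts" box (including the rule that "::" may appear only once), the EUI-64 interface identifier that stateless autoconfiguration derives from a MAC address (the "Automatic" section), and the AAAA and ip6.arpa PTR records that the name server changes in "DNS Obstacles" require. The MAC address, the zone name example.test, and the host names are made up; the tunnel prefix is the one from Listing 1. The standard library's ipaddress module is used only as an independent cross-check of the hand-written parser.

```python
"""IPv6 address helpers: expand/compress (RFC 4291 notation), EUI-64
interface identifiers, and forward/reverse DNS records.
Added example; zone name, host names and MAC address are made up."""
from __future__ import annotations

import ipaddress  # standard library; only used as an independent cross-check

HEX = set("0123456789abcdefABCDEF")


def expand(addr: str) -> list[int]:
    """Return the eight 16-bit groups of a textual IPv6 address.

    Accepts leading-zero suppression and a single '::'. A second '::'
    is rejected: that is the uniqueness rule from the shortcuts box."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once in " + addr)
    if "::" in addr:
        head, tail = addr.split("::")
        if head.endswith(":") or tail.startswith(":"):
            raise ValueError("malformed '::' in " + addr)
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group in " + addr)
        groups = left + ["0"] * missing + right
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(0 < len(g) <= 4 and set(g) <= HEX for g in groups):
        raise ValueError("not an IPv6 address: " + addr)
    return [int(g, 16) for g in groups]


def compress(groups: list[int]) -> str:
    """Short text form: lowercase hex, no leading zeros, and the longest
    run of two or more zero groups (the first one on a tie) written as '::'.
    A lone zero group stays as '0', exactly as the shortcuts box explains."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexs = [format(g, "x") for g in groups]
    if best_len < 2:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


def eui64_address(prefix: str, mac: str) -> str:
    """Stateless autoconfiguration address: the /64 prefix plus a modified
    EUI-64 identifier (RFC 4291, appendix A): flip the universal/local bit
    of the first MAC octet and insert ff:fe between the two halves.
    Note that the MAC address stays readable in the resulting address."""
    octets = [int(x, 16) for x in mac.split(":")]
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address: " + mac)
    octets[0] ^= 0x02
    iid = octets[:3] + [0xFF, 0xFE] + octets[3:]
    groups = expand(prefix.split("/")[0])[:4]
    groups += [(iid[k] << 8) | iid[k + 1] for k in (0, 2, 4, 6)]
    return compress(groups)


def reverse_name(addr: str) -> str:
    """Owner name of the PTR record: all 32 nibbles, reversed, under ip6.arpa."""
    nibbles = "".join(format(g, "04x") for g in expand(addr))
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def zone_records(zone: str, hosts: dict[str, str]) -> tuple[list[str], list[str]]:
    """AAAA lines for the forward zone and PTR lines for the ip6.arpa zone,
    generated from one host list so the two zones cannot drift apart."""
    forward, reverse = [], []
    for name, addr in hosts.items():
        fqdn = f"{name}.{zone}."
        forward.append(f"{fqdn} IN AAAA {compress(expand(addr))}")
        reverse.append(f"{reverse_name(addr)} IN PTR {fqdn}")
    return forward, reverse


if __name__ == "__main__":
    # Made-up zone and hosts inside the tunnel prefix from Listing 1.
    hosts = {
        "gw": "2001:470:1f06:12f::2",
        "www": eui64_address("2001:470:1f06:12f::/64", "00:0c:29:0c:12:34"),
    }
    forward, reverse = zone_records("example.test", hosts)
    print("\n".join(forward + reverse))
    for addr in hosts.values():  # cross-check against the standard library parser
        assert compress(expand(addr)) == ipaddress.IPv6Address(addr).compressed
        assert reverse_name(addr) == ipaddress.IPv6Address(addr).reverse_pointer + "."
```

The reverse owner name is the part that is easy to get wrong by hand: every one of the 32 nibbles of the fully expanded address must appear, in reverse order, even the ones that "::" hides in the forward notation. The EUI-64 function also makes visible why autoconfigured addresses are a privacy concern: the MAC address of the client is recoverable from its global IPv6 address.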
Figure 4: Tunnel brokers provide tunneled access to an IPv6 network via IPv4. (The figure shows an IPv6 site and the IPv6 Internet joined by an IPv4 tunnel, IPv4 protocol 41, across the legacy Internet; the tunnel appears as a direct link between router A and router B.)

Professional administrators should check to see whether new hardware they intend to purchase (e.g., proxy caches, mail servers, and so on) supports IPv6. Although IPv6 should not be a required criterion for new acquisitions, it makes sense to know what difficulties you'll face when migrating your own infrastructure to IPv6.

Security: Fear of the Unknown

Native IPv6 environments are hard to implement. Because of the affinity of all operating systems and applications to IPv4, it is difficult to imagine permanently disabling IPv4. Living with a dual stack for the next couple of years makes far more sense. IPv4 is unlikely to disappear soon.

Basically, you can say that all IPv4 security settings are meaningless in IPv6 and vice versa. On Linux, for example, iptables rules filter IPv4 only; IPv6 needs its own rule set, loaded with ip6tables. Administrators have to manage firewall rules for both worlds separately – as if the neighboring world does not even exist. This parallel configuration is easier to handle than you might think. Because IPv6 is not very widespread, a firewall with just a couple of rules and an IPv6 clean-up rule as a catch-all will do the trick, and the same thing applies to access lists on routers. Two caveats apply. First, the catch-all must not swallow ICMPv6 wholesale: Neighbor Discovery (ICMPv6 types 133 to 136) replaces ARP, and Packet Too Big (type 2) is what path MTU discovery relies on, which matters all the more behind a tunnel with its reduced MTU; RFC 4890 lists the ICMPv6 types a firewall has to let through. Second, the IPv4 firewall in front of a tunnel endpoint has to permit IPv4 protocol 41, and it should do so only from the broker's address, because the tunnel itself does not authenticate its peer. But you have to be bold enough to trust the IPv6 implementation on your firewall device just as much as you trust the IPv4 implementation.
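The exposure this section warns about, and the unmanaged IPv6 stack mentioned under "Practical IPv6", can be measured with the tools from the "IPv6 Commands" box. The following script is an added example, not code from the article: it parses the output of ip -6 addr (equivalent to the article's ip -f inet6 addr) and of netstat -A inet6 -ln (the -l option restricts netstat to listening sockets) and reports every listener that is reachable over IPv6 from outside the host. Both command outputs embedded in the script are constructed for the example, not captured from a real machine; on a live host you would feed it the real output, and the exact column layout can vary between netstat versions.

```python
"""Find the services an unmanaged IPv6 stack exposes.

Added example: parses 'ip -6 addr' and 'netstat -A inet6 -ln' output and
reports IPv6 listeners reachable from outside the host. The two command
outputs below are constructed for the example, not captured from a system."""
from __future__ import annotations

import re

# Constructed sample of: ip -6 addr
IP6_ADDR_SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:470:1f06:12f:20c:29ff:fe0c:1234/64 scope global dynamic
       valid_lft 86395sec preferred_lft 14395sec
    inet6 fe80::20c:29ff:fe0c:1234/64 scope link
       valid_lft forever preferred_lft forever
"""

# Constructed sample of: netstat -A inet6 -ln
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
tcp6       0      0 :::445                  :::*                    LISTEN
udp6       0      0 :::123                  :::*
udp6       0      0 fe80::20c:29ff:fe0c:1234:546 :::*
"""

LINK_RE = re.compile(r"^\d+: (\S+):")
ADDR_RE = re.compile(r"^\s+inet6 (\S+)/\d+ scope (\w+)")


def global_addresses(ip6_addr_output: str) -> dict[str, list[str]]:
    """Interface -> global-scope addresses, i.e. the ones the Internet can
    route to. Link-local (scope link) and ::1 (scope host) are skipped."""
    result: dict[str, list[str]]  = {}
    iface = None
    for line in ip6_addr_output.splitlines():
        link = LINK_RE.match(line)
        if link:
            iface = link.group(1)
            continue
        addr = ADDR_RE.match(line)
        if addr and addr.group(2) == "global" and iface:
            result.setdefault(iface, []).append(addr.group(1))
    return result


def ipv6_listeners(netstat_output: str) -> list[tuple[str, str, int]]:
    """(proto, address, port) for every tcp6/udp6 listening socket.
    The local address column is 'addr:port'; an IPv6 address itself
    contains colons, so only the last colon separates the port."""
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("tcp6", "udp6"):
            continue
        addr, port = fields[3].rsplit(":", 1)
        found.append((fields[0], addr, int(port)))
    return found


def exposed_services(ip6_addr_output: str, netstat_output: str) -> list[tuple[str, int, str]]:
    """Listeners reachable from off the host: bound to the wildcard '::' or
    to one of the host's global addresses. A wildcard socket is reported
    even when the host has no global address yet, because stateless
    autoconfiguration gives it one as soon as a router advertisement arrives."""
    globals_ = {a for addrs in global_addresses(ip6_addr_output).values() for a in addrs}
    exposed = []
    for proto, addr, port in ipv6_listeners(netstat_output):
        if addr == "::":
            exposed.append((proto, port, "wildcard (all addresses)"))
        elif addr in globals_:
            exposed.append((proto, port, addr))
    return sorted(exposed)


if __name__ == "__main__":
    for iface, addrs in global_addresses(IP6_ADDR_SAMPLE).items():
        print(f"{iface}: global addresses {', '.join(addrs)}")
    for proto, port, where in exposed_services(IP6_ADDR_SAMPLE, NETSTAT_SAMPLE):
        print(f"exposed over IPv6: {proto} port {port} bound to {where}")
```

On the constructed sample, ports 22, 80, and 445 (TCP) and 123 (UDP) are flagged because they are bound to the wildcard address, while the CUPS listener on ::1 and the DHCPv6 client on the link-local address are not; every flagged port is one that the host's iptables rules say nothing about, which is the point of the section above.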
IPv6 Commands

For troubleshooting purposes, you'll need a tool that reveals routes, open connections, and ports. netstat does not understand IPv6 unless you insist on it with the -A inet6 option. For example, netstat -A inet6 -rn displays your routes. The -n switch suppresses reverse lookup so that you will not wait forever for a response if IPv6 reverse lookup is broken anywhere on the path.

The IPv6 equivalent to ping is called ping6; again, it is a good idea to disable reverse lookup by specifying -n.

The arp command does not exist for IPv6. The Neighbor Discovery Protocol replaces ARP. Some distributions and *nixes use the ndp command instead, whereas others give you ip command options to display the same information, such as ip -6 neigh.

Gaps in the Puzzle

Currently, the future of IPv6 is full of gaps. The biggest problem is the lack of commitment on the part of Internet service providers, which makes the use of IP tunnels (tunnel brokers) inevitable (Figure 4).

Draft proposals for DNS support in autoconfiguration have been around for years, but they have not made it into the stacks in general use. And IPv6 support from major network device suppliers is still uneven. In our lab, devices from two major vendors had trouble with the ICMPv6 Neighbor Discovery Protocol (the counterpart to ARP). Although these issues have been fixed, customers looking for support often hear things like, "You're the first one to ever ask me that."

All told, these trivial issues won't keep IPv6 down for long. You can find a detailed list of IPv6-capable applications on the Internet [9].

Conclusions

Although most network equipment and open source applications implement IPv6, the "next-generation Internet" is nothing more than a neat experiment right now because of unresolved issues and ISP inertia. As of this writing, it is still impossible to build mission-critical services on IPv6.

Still, IPv6 is a neat toy if you want to demonstrate your skills and carve a swath at the cutting edge of the network universe.

INFO

[1] Government Computer News: http://www.gcn.com/IPv6
[2] IPv6 migration plan: http://www.ietf.org/internet-drafts/draft-jcurran-v6transitionplan-01.txt
[3] Hurricane Electric Tunnel Broker: http://tunnelbroker.net
[4] SixXS Tunnel Broker: http://www.sixxs.net
[5] KAME.net: http://www.kame.net
[6] BT Diamond IP: http://bt.ins.com/software
[7] BlueCat Networks: http://www.bluecatnetworks.com
[8] Infoblox: http://www.infoblox.com
[9] IPv6-capable open source applications: http://www.deepspace6.net/docs/ipv6_status_page_apps.html