Static IPv6 configuration in Fedora14

December 24, 2010 Cody DNS

So you have a Fedora server that is connected to an IPv6-capable router, or your ISP has assigned you a static IPv6 block. Now what? How does Fedora handle IPv6 stateless auto-configuration? How do you assign a static IPv6 address? How do you configure IPv6 nameservers? How do you test IPv6 connectivity? I will cover all of these scenarios, and hopefully by the end you will be pinging IPv6 addresses over your own IPv6 connection.

By default, Fedora uses IPv6 stateless address auto-configuration (SLAAC). The interface first builds a link-local address (the fe80::/64 prefix plus an interface identifier derived from its MAC address) and runs Duplicate Address Detection on it: it sends a Neighbor Solicitation for the candidate address to all nodes on the link, and only if nobody answers does the address become usable. With a link-local address in place the host sends a Router Solicitation, and the router's Router Advertisement can do one of two things. It can advertise one or more global prefixes, from which the host forms its own global address by appending the same interface identifier, or it can set the "managed" flag, telling the host to obtain a global address from a DHCPv6 server instead. Note that in the first case the router never hands out the address itself; it only supplies the prefix, and the host does the rest.

The following is an excerpt from the site I recommend below, which gives a better understanding of how IPv6 addressing works.

“In IPv4, IP addresses have no relationship to the addresses used for underlying data link layer network technologies. A host that connects to a TCP/IP network using an Ethernet network interface card (NIC) has an Ethernet MAC address and an IP address, but the two numbers are distinct and unrelated in any way. IP addresses are assigned manually by administrators without any regard for the underlying physical address.

The Payoff of IPv6’s Very Large Address Size

With the overhaul of addressing in IPv6, an opportunity presented itself to create a better way of mapping IP unicast addresses and physical network addresses. Implementing this superior mapping technique was one of the reasons why IPv6 addresses were made so large. With 128 total bits, as we saw in the previous topic, even with a full 45 bits reserved for network prefix and 16 bits for site subnet, we are still left with 64 bits to use for the interface identifier, which is analogous to the host ID under IPv4.

Having so many bits at our disposal gives us great flexibility. Instead of using arbitrary “made-up” identifiers for hosts, we can base the interface ID on the underlying data link layer hardware address, as long as that address is no greater than 64 bits in length. Since virtually all devices use layer two addresses of 64 bits or fewer, there is no problem in using those addresses for the interface identifier in IP addresses. This provides an immediate benefit: it makes networks easier to administer, since we don’t have to record two arbitrary numbers for each host. The IP address can be derived from the MAC address and the network identifier. It also means we can in the future tell the IP address from the MAC address and vice-versa.”

Please see the following article if you would like to understand how stateless auto-configuration works, or how a router can direct the server to a DHCPv6 server to obtain an IPv6 address.

IPv6 Auto-configuration and Renumbering

Activating the IPv6 tcp/ip stack in Fedora14

First you will need to check the following file:

nano /etc/sysconfig/network

and look for the line NETWORKING_IPV6=yes. The variable name is case-sensitive (IPV6, not IPv6); the network scripts will silently ignore a misspelled one.

NETWORKING=yes
NETWORKING_IPV6=yes
HOSTNAME=foo.foo-domain.com

With this set, the network scripts configure IPv6 on every interface that has IPV6INIT=yes. The IPv6 stack itself lives in the "ipv6" kernel module, which the kernel loads on demand through the "net-pf-10" alias (protocol family 10 is AF_INET6). You can confirm the alias is present with the following command.

modprobe -c | grep net-pf-10

alias net-pf-10 ipv6
alias net-pf-10-proto-0-type-6 dccp_ipv6
alias net-pf-10-proto-33-type-6 dccp_ipv6
alias net-pf-10-proto-132 sctp

Configuring the Network Device File

Now you will need to edit the network device file, add a few lines to activate IPv6 on the interface, and decide whether you want to use auto-configuration or not. Your static global IPv6 address also goes in this file.

In my example I will be configuring the eth0 network device for ipv6.

nano /etc/sysconfig/network-scripts/ifcfg-eth0

Inside this file you will want to insert lines like the following to activate IPv6 on eth0 and to specify the static IPv6 address we will be using. I have included a few extra statements (commented out) that may be useful when configuring IPv6.

#Activate IPv6 on this interface
IPV6INIT=yes
#Static global IPv6 address, with its prefix length
IPV6ADDR=****:c000:0:2:0:0:0:3/64
#Default gateway for IPv6 traffic (a plain address, no /prefix)
#IPV6_DEFAULTGW=****:c000:0:2:0::1
#Send IPv6 default-route traffic out this interface
#IPV6_DEFROUTE=yes
#Do not accept Router Advertisements or auto-configure addresses
IPV6_AUTOCONF=no

Here is my example with everything.

DEVICE=eth0
NM_CONTROLLED=yes
ONBOOT=yes
HWADDR=00:18:8b:72:**:**
TYPE=Ethernet
BOOTPROTO=none
IPADDR=10.127.61.146
PREFIX=29
GATEWAY=10.***.***.***
DNS1=10.15.129.205
DNS2=10.15.129.206
DOMAIN=foo-domain.com
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=yes
IPV6ADDR=****:c000:0:2:0:0:0:1/64
IPV6_AUTOCONF=no
NAME="System eth0"
UUID=5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03
NETMASK=255.255.255.248
USERCTL=no

To disable IPv6 auto-configuration, put the following line into the network device file. I consider IPV6_AUTOCONF=no important on a server interface for security reasons: I do not want the interface to ever acknowledge or process a Router Advertisement (RA). This protects you from a rogue RA daemon, whether it is malicious or just misconfigured, which could otherwise hand the server an extra global address and a default route of someone else's choosing. On a server I *ONLY* want the static address, and that means disabling all auto-configuration; an unknown global address is a risk to both the security and the stability of the system. With this setting the network scripts set the per-interface sysctl net.ipv6.conf.eth0.accept_ra to 0, and once the interface is up that value is the one to check if you want to be certain RAs are really being ignored.

IPV6_AUTOCONF=no

Now restart the network service to activate IPv6 and bring up the address. With IPV6_AUTOCONF=no the interface gets exactly the static address you configured; with auto-configuration left on it will also form an address from whatever prefix the router advertises.

service network restart
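Here is an added example that is not from the original post: a small shell lint that reads an ifcfg file and checks for the settings described in this section (IPV6INIT=yes, a static IPV6ADDR with its prefix length, IPV6_AUTOCONF=no, and an IPV6_DEFAULTGW written without a prefix). The function names and the sample file are mine; the sample replaces the masked prefix with the documentation range 2001:db8::/32. The live_ra_state function prints the per-interface sysctls that the network scripts set from IPV6_AUTOCONF and only does anything on a real system.

```sh
#!/bin/sh
# Added example: lint an ifcfg-ethX file for static-only IPv6 (not Fedora's own code).
# check_ifcfg_ipv6 reads the file on stdin and exits 0 when the interface will get
# exactly one static global address and ignore Router Advertisements, 1 otherwise.

# Print the (unquoted) value of key $2 from the ifcfg text in $1; empty if unset.
ifcfg_get() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | tail -n 1 | tr -d "\"'"
}

check_ifcfg_ipv6() {
    cfg=$(cat)
    rc=0
    init=$(ifcfg_get "$cfg" IPV6INIT)
    addr=$(ifcfg_get "$cfg" IPV6ADDR)
    autoconf=$(ifcfg_get "$cfg" IPV6_AUTOCONF)
    gw=$(ifcfg_get "$cfg" IPV6_DEFAULTGW)

    # Without IPV6INIT=yes the network scripts skip IPv6 for this device entirely.
    if [ "$init" != yes ]; then
        echo "FAIL: IPV6INIT is '${init:-unset}'; set IPV6INIT=yes"; rc=1
    fi
    # The static address must carry its prefix length (e.g. .../64).
    case $addr in
        "")  echo "FAIL: IPV6ADDR is not set; no static global address"; rc=1 ;;
        */*) ;;
        *)   echo "FAIL: IPV6ADDR '$addr' has no prefix length"; rc=1 ;;
    esac
    # IPV6_AUTOCONF=no makes the scripts set accept_ra=0, so a rogue RA cannot add
    # an address or a default route to this server.
    if [ "$autoconf" != no ]; then
        echo "FAIL: IPV6_AUTOCONF is '${autoconf:-unset}'; set IPV6_AUTOCONF=no"; rc=1
    fi
    # The gateway is a host address; a trailing /prefix is a common copy-paste error.
    case $gw in
        */*) echo "FAIL: IPV6_DEFAULTGW '$gw' must not carry a prefix length"; rc=1 ;;
    esac
    # With RAs ignored, the only source of a default route is IPV6_DEFAULTGW.
    if [ "$autoconf" = no ] && [ -z "$gw" ]; then
        echo "WARN: autoconf is off and IPV6_DEFAULTGW is unset; no IPv6 default route"
    fi
    [ "$rc" -eq 0 ] && echo "OK: static IPv6, Router Advertisements ignored"
    return "$rc"
}

# Show what the kernel is really doing for interface $1 (needs a live system).
live_ra_state() {
    for k in accept_ra autoconf accept_redirects; do
        f=/proc/sys/net/ipv6/conf/$1/$k
        [ -r "$f" ] && printf '%s=%s\n' "$k" "$(cat "$f")"
    done
    return 0
}

# Constructed sample: the post's configuration with the masked prefix replaced.
check_ifcfg_ipv6 <<'EOF'
DEVICE=eth0
IPV6INIT=yes
IPV6ADDR=2001:db8:c000:0:2::3/64
IPV6_DEFAULTGW=2001:db8:c000:0:2::1
IPV6_AUTOCONF=no
EOF
```

Run it as check_ifcfg_ipv6 < /etc/sysconfig/network-scripts/ifcfg-eth0 after editing, and live_ra_state eth0 after the restart; accept_ra=0 is what you want to see on a server.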

Displaying the IPv6 Kernel Routing Table

You can check your IPv6 routing table with either of two commands. In the output, a route that carries an expires value was learned from a Router Advertisement and will age out; once IPV6_AUTOCONF=no is in effect those entries no longer appear, and the default route has to come from IPV6_DEFAULTGW instead.

ip -f inet6 route

or

route -A inet6 -vn

****:c000:0:1::/64 dev eth0 proto kernel metric 256 expires 2147157sec mtu 1500 advmss 1440 hoplimit 0
****:c000:0:2::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
default via fe80::213:7fff:fe14:6d44 dev eth0 proto kernel metric 1024 expires 1730sec mtu 1500 advmss 1440 hoplimit 64

Declaring IPv6 Nameservers in /etc/resolv.conf

Next we will declare our IPv4 and IPv6 nameservers in /etc/resolv.conf. Note the header: with NM_CONTROLLED=yes in the ifcfg file, NetworkManager regenerates this file every time the interface comes up and will overwrite a hand-edited copy, so either set NM_CONTROLLED=no for the interface before editing by hand or put the resolvers into the ifcfg file (DNS1, DNS2) and let it write them.

nano /etc/resolv.conf

# Generated by NetworkManager
# Updated by Human
search foo-domain.com
;
;Hurricane Electric IPv6+IPv4 public Anycast DNS
;
nameserver 2001:470:20::2
nameserver 74.82.42.42
;
;GBLX public ipv6
nameserver 2001:450:2005::
;
;Google Public DNS, reachable over ipv4 and returns AAAA records
nameserver 8.8.8.8
nameserver 8.8.4.4

Remember that the resolver only uses the first THREE nameserver lines in /etc/resolv.conf, whether they are IPv6 or IPv4; anything listed after them is ignored. I suggest listing the Hurricane Electric IPv6 anycast server first, then one of the Google Public DNS servers, since they are reachable over IPv4 and return IPv6 AAAA records. For the third nameserver use your ISP's resolver, or another one that will always be reachable and can in the worst case still resolve the IPv4 address of a domain.
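As an added example (not from the original post), the following shell functions show which nameserver lines in a resolv.conf the resolver will actually consult, and whether an IPv4 resolver is among them so lookups survive a broken IPv6 path. The function names are mine; the embedded sample is the file above, using Google's second public resolver 8.8.4.4.

```sh
#!/bin/sh
# Added example: show which resolvers in a resolv.conf are actually consulted
# (not part of the original post). glibc reads at most three 'nameserver' lines
# (MAXNS=3); anything after them is silently ignored. Text arrives on stdin;
# '#' and ';' lines are comments, as in the file above.

# Strip comment and blank lines.
resolv_strip() {
    grep -Ev '^[[:space:]]*([#;]|$)' || true
}

# Print the effective nameservers (the first three), tagged v4 or v6.
resolv_effective() {
    resolv_strip | awk '
        $1 == "nameserver" && n < 3 { n++; fam = ($2 ~ /:/) ? "v6" : "v4"; print fam, $2 }'
}

# Exit 0 if the effective set suits a dual-stack host, 1 otherwise:
#  - no more than three nameserver lines (the rest are never queried)
#  - at least one IPv4 resolver among the effective three, so that names still
#    resolve when the IPv6 path is down (the "worst case" the post mentions)
resolv_check() {
    conf=$(resolv_strip)
    total=$(printf '%s\n' "$conf" | awk '$1 == "nameserver" { n++ } END { print n + 0 }')
    v4=$(printf '%s\n' "$conf" | awk '$1 == "nameserver" && n < 3 { n++; if ($2 !~ /:/) v4++ } END { print v4 + 0 }')
    rc=0
    if [ "$total" -gt 3 ]; then
        echo "WARN: $total nameserver lines, only the first 3 are used; $((total - 3)) ignored"; rc=1
    fi
    if [ "$v4" -eq 0 ]; then
        echo "FAIL: no IPv4 resolver among the first three; lookups fail with the IPv6 path"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $total resolvers, all effective, $v4 reachable over IPv4"
    return "$rc"
}

# Constructed sample: the resolv.conf shown in the post.
SAMPLE_RESOLV='# Generated by NetworkManager
search foo-domain.com
;Hurricane Electric IPv6+IPv4 public Anycast DNS
nameserver 2001:470:20::2
nameserver 74.82.42.42
;GBLX public ipv6
nameserver 2001:450:2005::
;Google Public DNS
nameserver 8.8.8.8
nameserver 8.8.4.4'

printf '%s\n' "$SAMPLE_RESOLV" | resolv_effective
printf '%s\n' "$SAMPLE_RESOLV" | resolv_check || true
```

Run resolv_check < /etc/resolv.conf after editing; on the sample it warns that the two Google entries will never be queried, which is exactly the point about three nameservers made above.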

If you need ideas for an IPv6 DNS server or AAAA record capable ipv4 DNS server then check out the list @ http://www.chatz6.com/files/resolv.conf

Testing your IPv6 Connectivity

Lastly, let's ping an IPv6 website and make sure we have connectivity. ipv6.google.com and he.net are two options; both have AAAA records that ordinary IPv4-reachable public DNS servers will return, so the lookup works even before your IPv6 path does.

ping6 -n ipv6.google.com

PING ipv6.google.com(2001:4860:800b::68) 56 data bytes
64 bytes from 2001:4860:800b::68: icmp_seq=1 ttl=56 time=64.1 ms
64 bytes from 2001:4860:800b::68: icmp_seq=2 ttl=56 time=63.9 ms
64 bytes from 2001:4860:800b::68: icmp_seq=3 ttl=56 time=63.8 ms
64 bytes from 2001:4860:800b::68: icmp_seq=4 ttl=56 time=63.9 ms
--- ipv6.google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 63.805/63.956/64.128/0.115 ms

Let's resolve some AAAA records over both IPv4 and IPv6 before we call everything 100% working.

We can use dig to query the DNS servers in /etc/resolv.conf for A and AAAA records over IPv4 and IPv6 with the -4 and -6 switches respectively. The -6 switch only talks to the IPv6 nameservers in the file and -4 only to the IPv4 ones, so the two pairs of queries below exercise different resolvers and different transport paths.

dig +short -6 aaaa he.net

2001:470:0:76::2

dig +short -6 a he.net

216.218.186.2

dig +short -4 aaaa he.net

2001:470:0:76::2

dig +short -4 a he.net

216.218.186.2

As you can see we can make DNS queries over IPv4 and IPv6 networks while requesting either A or AAAA records.

Troubleshooting

Do not forget that iptables rules apply only to IPv4. IPv6 traffic is filtered by a separate ruleset managed with ip6tables, so a server locked down with iptables alone is wide open on its new global address until ip6tables is configured too. And if you have a global IPv6 address, do not just add an ANY<>ANY accept rule for IPv6 on eth0: that gives anyone on the internet full access to every port listening for IPv6 connections.

You can modify the commands below to open and close ports with ip6tables. They set a default-deny INPUT policy first, so the ACCEPT rules are the only way in.

#Deny inbound and forwarded IPv6 by default; the ACCEPT rules below open the holes
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
#accept replies to connections this host opened
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#ICMPv6 carries Neighbor Discovery and Path MTU discovery; blocking it breaks IPv6
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
#Allow traffic on the 'lo' device (OUTPUT matches the outgoing interface with -o, not -i)
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
#allow new ssh connections
ip6tables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#allow new website connections on port 80
ip6tables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
#Allow new outbound connections to anywhere (a rule without -j only counts packets)
ip6tables -A OUTPUT -m state --state NEW -j ACCEPT
#Save the rules so they survive a reboot, and start ip6tables at boot
service ip6tables save
chkconfig ip6tables on
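As an added example, not from the original post, here is a shell check that reads an ip6tables-save dump and reports whether the INPUT chain is effectively open over IPv6: a catch-all ACCEPT rule, an ACCEPT policy with no final drop or reject, or no filter table at all. The function name and the constructed dumps are mine.

```sh
#!/bin/sh
# Added example: audit an 'ip6tables-save' dump for the wide-open INPUT chain the
# post warns against (not part of the original post). iptables rules never see
# IPv6 packets, so a host locked down with iptables alone is unfiltered over IPv6.
# ip6_input_open reads the dump on stdin; exit 0 = INPUT is filtered, 1 = open.

ip6_input_open() {
    # Keep only the filter table; the mangle and raw tables also have an INPUT chain.
    filter=$(awk '/^\*/ { t = $1 } t == "*filter"')
    # Default policy of INPUT, from a line such as ":INPUT ACCEPT [0:0]".
    policy=$(printf '%s\n' "$filter" | awk '/^:INPUT / { print $2; exit }')
    # An "ANY<>ANY" rule: -A INPUT, optionally on one interface, straight to ACCEPT.
    # Accepting everything on 'lo' is fine and is not counted.
    catchall=$(printf '%s\n' "$filter" \
        | grep -E '^-A INPUT( -i [^ ]+)? -j ACCEPT$' \
        | grep -vc -- ' -i lo ' || true)
    # Does the last INPUT rule drop or reject whatever the rules above let through?
    final_deny=$(printf '%s\n' "$filter" | grep '^-A INPUT ' | tail -n 1 \
        | grep -cE -- '-j (DROP|REJECT)' || true)

    if [ -z "$policy" ]; then
        echo "OPEN: dump has no filter table; nothing is filtered over IPv6"; return 1
    fi
    if [ "$catchall" -gt 0 ]; then
        echo "OPEN: a catch-all ACCEPT rule in INPUT admits every IPv6 connection"; return 1
    fi
    if [ "$policy" = ACCEPT ] && [ "$final_deny" -eq 0 ]; then
        echo "OPEN: INPUT policy is ACCEPT and no final rule drops unmatched traffic"; return 1
    fi
    echo "OK: IPv6 INPUT is filtered (policy $policy)"
    return 0
}

# Constructed sample: the post's ACCEPT rules loaded on top of the stock ACCEPT policy.
SAMPLE_IP6TABLES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE_IP6TABLES" | ip6_input_open || true
```

On a live host run ip6tables-save | ip6_input_open, and compare with iptables-save to see whether the two stacks are filtered to the same standard.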

Maybe next time I will show how to configure your Fedora server as an IPv6 router and tunnel broker so you can share your IPv6 addresses via a 6-over-4 tunnel.

