Level Up to IPv6 with Ubuntu 10.10 on Comcast

452

Comcast has started IPv6 trials. If Comcast is your ISP, you can get started using IPv6 on Linux right away, with just a few simple steps. Ready to join the next-generation network? We’ll show you how to get Ubuntu 10.10 on Comcast IPv6 in no time.

Anyone on Comcast’s network can participate whether they are officially in the trial or not. In phase one of their trials they are relying on the tunneling mechanisms 6to4 and more recently 6RD (Rapid Deployment). Comcast has “open sourced” its solution based on OpenWRT if you happen to have a router supported by OpenWRT. I do not, so like any self-respecting Linux geek, I set out to do it with a Linux box. I found the documentation for doing so difficult to find. The 6rd documentation, including the man pages for iproute2 commands, seems to be missing.

First some background.

Why should I care about IPv6?

The current generation of IP, IPv4, has around 4.3 billion addresses and only about 3.7 billion are usable. The estimated consumption rate is several /8 blocks per year of which there are only 5 percent remaining. Each block contains more than 16 million addresses. The current estimates put all IPv4 addresses being assigned June 2, 2011, about 230 days from the writing of this article. Long before IPv4 address space is exhausted, it may become cost prohibitive for businesses to acquire new IPv4 address space due to supply and demand.

IPv6 has been around since the 1990’s. IPv6 has an address space of 2^128, an astronomical number to match the astronomical growth of internet connected devices. The problem is IPv6 is not backwards compatible with IPv4. They are two completely different protocols. So a native IPv4 stack cannot communicate with a native IPv6 stack without some intervention in between. This has been the chicken and egg problem preventing large networks from migrating to IPv6. Once you migrate who do you have connectivity with? Until we all migrate, the first adopters are isolated.

The time for implementing IPv6 has been here for a couple decades. As Ars Technica put it, there is no plan B.

Tunneling Mechanisms

Due to the lack of backward compatibility with IPv4, IPv6 adoption has been slow. This is where the tunneling mechanisms come in to get the ball rolling and allow IPv6 implementation to gain some momentum. Comcast’s plan is a sound one: Phase one, tunnel IPv6 over native IPv4; Phase two, dual stack both IPv6 and IPv4; Phase three, tunnel IPv4 over native IPv6.

Tunneling IPv4 over IPv6

All tunneling depends on IP within IP. This is where, in our case, the IPv6 packet is the data payload of an IPv4 packet. If you have ever set up a VPN using GRE, this is the same concept. In the 6to4 case, the tunnel is terminated on an IPv4/IPv6 border router that can be on any ISP’s network not necessarily your ISP’s network.

Tunneled IPv6 traffic is sent encapsulated in IPv4 packets to 192.88.99.1. All ISPs with boarder relays advertise the 192.88.99.0/24 network. So your tunneled traffic will go to the nearest (fewest hops or least cost) border relay regardless of which ISP runs it.

The upside of this is you can begin using IPv6 even if your ISP does not route IPv6. The downside is the ISPs with 6to4 boarder relays have no control over who uses their relays. Also you have no control over which border relay your traffic uses. This in theory* lowers the quality of service delivered by these relays. 6to4 uses the prefix 2002::/3 and appears to native IPv6 stacks as tunneled.

Rapid Deployment

6RD, or rapid deployment, is a special case of 6to4 developed by Rémi Desprès and first deployed by freebox.fr the French ISP. 6RD allows an ISP to use the production IPv6 address space 2001::/3 and specify their own IPv4/IPv6 boarder relay. This allows them to restrict traffic to their own customers and in theory* provide a higher quality of service. 6RD uses the production IPv6 address space 2001::/3 and appears to native IPv6 stacks as native IPv6.

Linux and IPv6

IPv6 has been implemented to some degree or another as far back as the 2.2.x kernels and 6to4 tunneling for almost as long. 6RD is a more recent arrival as of kernel 2.6.33. Any Linux distribution with a 2.6.33 or above kernel compiled with CONFIG_IPV6_SIT_6RD enabled and iproute2-2.6.33 or above installed can run 6RD tunnels.

As timing would have it, Ubuntu 10.10 Maverick has recently been released and has these features enabled thanks to this bug report by Nathan Lutchansky who is also a Comcast trial beta tester. So this is the distribution I chose for the 6RD setup. Nathan has a page on how to get 6RD working in Lucid.

Setting Up the 6rd Tunnel

This will walk you through setting up a Linux machine as a router and firewall tunneling IPv6 traffic via IPv4 using an ISP’s 6rd boarder router.

Example Configuration:

Comcast’s 6RD configuration:
6rd Prefix = 2001:55c
6rd prefix length = 32
6rd BR FQDN = 6rd.comcast.net
IPv4 mask length = 0
Example home network configuration:
Public Interface: eth0
Public IPv4 DHCP Addr: 10.10.10.10
Private Interface: eth1

Steps to Build the Tunnel:

Determine your public IPv4 address

In our example we are going to use an RFC 1918 private address. However, you will use the publically routable IPv4 address that your ISP hands out via DHCP. Here is an automated way to do so that will handle receiving a different DHCP IPv4 address when the pubilc interface comes up:

sudo echo $(ip -4 addr show dev eth0 | awk '/inet / {print $2}' | cut -d/ -f1)
10.10.10.10
Based on your public IPv4 address and your ISP’s IPv6 prefix determine your local IPv6 prefix
sudo echo $(printf "2001:55c:%02x%02x:%02x%02x" $(echo 10.10.10.10 | tr . ' '))
2001:55c:0a0a:0a0a
Bring up the 6rd tunnel:

The “ip tunnel 6rd” command with the 6rd-prefix argument is the magic virtually undocumented 6rd sauce. This makes it a 6rd tunnel by specifiying the ISPs PREFIX rather than 2002::/16 the “generic” 6to4 prefix.

sudo ip tunnel add 6rdtun mode sit local 10.10.10.10 ttl 64 
sudo ip tunnel 6rd dev 6rdtun 6rd-prefix 2001:55c::/32 
sudo ip link set 6rdtun up
Next, assign IPv6 addresses to the router’s interfaces:
 
Assign the tunnel interface with your local prefix and a “subnet” of 0 using the ISP’s prefix length.

sudo ip -6 addr add 2001:55c:0a0a:0a0a:0::1/32 dev 6rdtun

Assign the internal interface with your local prefix and a “subnet” of 1 using the full /64 prefix length.

sudo ip -6 addr add 2001:55c:0a0a:0a0a:1::1/64 dev eth1
Add route to IPv6 address space via the tunnel interface:
sudo ip -6 route add 2000::/3 via ::69.252.80.66 dev 6rdtun
Don’t want to do this every time you reboot? Here is a script to automate the above process to bring up the IPv6 6RD tunnel.
#!/bin/bash

WANIF=eth0
LANIF=eth1
SIXRDTUNIF=6rdtun
SIXRDTUNMTU=1280
SIXRDTUNTTL=64
WAN4IP=$(ip -4 addr show dev $WANIF | awk '/inet / {print $2}' | cut -d/ -f1)
ISP6RDPREFIX='2001:55c'
ISP6RDPREFIXLEN='32'
ISP6RDBR=`dig +short 6rd.comcast.net`
WAN4MASKLEN='0'
LOCAL6PREFIX=$(printf "$ISP6RDPREFIX:%02x%02x:%02x%02x" $(echo $WAN4IP | tr . ' '))
LOCAL6PREFIXLEN=64

# Setup the tunnel interface
ip tunnel add $SIXRDTUNIF mode sit local $WAN4IP ttl $SIXRDTUNTTL
# This is the magic virtually undocumented 6rd sauce
# This makes it a 6rd tunnel by specifiying the ISPs PREFIX 
# rather than 2002::/16 the "generic" 6to4 prefix
ip tunnel 6rd dev $SIXRDTUNIF 6rd-prefix $ISP6RDPREFIX::/$ISP6RDPREFIXLEN 
# Set the MTU 
ip link set $SIXRDTUNIF mtu $SIXRDTUNMTU
# Bring up the tunnel interface
ip link set $SIXRDTUNIF up
# Set the tunnel interface IPv6 address
ip -6 addr add $LOCAL6PREFIX:0::1/$ISP6RDPREFIXLEN dev $SIXRDTUNIF
# Set the LAN interface IPv6 address
ip -6 addr add $LOCAL6PREFIX:1::1/$LOCAL6PREFIXLEN dev $LANIF
# Set the default IPv6 route to the ISP's IPv4/IPv6 boarder router
ip -6 route add 2000::/3 via ::$ISP6RDBR dev $SIXRDTUNIF
 

Steps After You Have IPv6 Routing Configured

Autoconfigure your internal network with Linux IPv6 Router Advertisement Daemon (radvd). Your router is now routing IPv6 traffic. But you want all your devices on your internal network to be IPv6 enabled. radvd is a simple daemon to assign all of your IPv6 aware devices on your internal network with an IPv6 address on your new local subnet.

Install radvd and set up /etc/radvd.conf

sudo apt-get install radvd

Put the following into /etc/radvd.conf. Be sure to change the prefix to match yours as determined above.

interface eth1 {
   AdvSendAdvert on;
   MinRtrAdvInterval 3;
   MaxRtrAdvInterval 10;
   AdvLinkMTU 1280;
 prefix 2001:55c:0a0a:0a0a::/64 {
   AdvOnLink on;
   AdvAutonomous on;
   AdvRouterAddr on;
   AdvValidLifetime 86400;
   AdvPreferredLifetime 86400;
   };
};

# /etc/init.d/radvd restart

Check your other IPv6 aware devices, and you will find they have received an IPv6 address based on your local prefix and the device’s MAC address. Trying pinging your router from one of these devices

# ping6 2001:55c:0a0a:0a0a:1::1

Firewall Your IPv6 Traffic

You may be used to your internal network being on private RFC 1918 address space. Firewalling is still necessary when using NAT but some people neglect to do so assuming the NAT is protection enough. Now you are using publicly routable IPv6 addresses and firewalling is no longer an option. Any computer on IPv6 can come right into your network without it. If you are familiar with iptables, ip6tables will be a snap to impliment.

Here is an example script of a bare mininum ip6tables firewall.

#!/bin/bash
PUBIF=eth0
PRIVIF=eth1

#Clean Start
ip6tables -F

#Define Policy
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT

# Input to the router
# Allow all loopback traffic
ip6tables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT

#Allow unrestircted access on internal network
ip6tables -A INPUT -i $PRIVIF -j ACCEPT

#Allow unrestricted outgoing connections
ip6tables -A INPUT -i $PUBIF -m state --state RELATED,ESTABLISHED -j ACCEPT

# Drop everything else
ip6tables -A INPUT -i $PUBIF -j DROP

# Forwarding through to the internal network
# For now allow unrestircted access out from the internal network
ip6tables -A FORWARD -i $PRIVIF -j ACCEPT

#Allow unrestricted outgoing connections
ip6tables -A FORWARD -i $PUBIF -m state --state RELATED,ESTABLISHED -j ACCEPT

# Drop everything else
ip6tables -A FORWARD -i $PUBIF -j DROP

Now, test your setup and enjoy using IPv6! Check out some of the following sites to test your IPv6 setup:

http://whatismyv6.com/
http://ismyipv6working.com/
http://ipv6-speedtest.net/
http://ipv6.wcclan.net/bandwidthmeter/initialmeter.php

Use some of your favorites sites via IPv6

http://ipv6.google.com
http://ipv6.netflix.com
http://www.v6.facebook.com

IPv6 is coming slowly, but surely. Why wait? Get started now and you can enjoy IPv6 network services, and help test your applications for IPv6 compatibility, today.