It's actually easier than you might think. :-)
The problem we face is that our ISP's don't generally have IPV6 routing set up. If they won't carry our packets, just how are we going to carry on a conversation with an IPv6 machine somewhere?
The approach we'll take is to tunnel our ipv6 traffic inside ipv4 packets to a site on the Internet that does have the ability to move our ipv6 traffic for us. Our ISP just sees normal ipv4 traffic, nothing more. We see a full IPV6 connections for all our machines.
For this example, I'll show you how to work with www.freenet6.net, a tunnel broker. They have kindly offered to accept connections from people like us, people whose ISP's don't know how to talk ipv6. When we send them an ipv6 packet stuffed inside an ipv4 header, they unwrap that packet and send it on. When the response comes back from the ipv6 server, they wrap that response back up in an ipv4 header and ship the response back to the real ipv4 address of our gateway.
For this to work, your ipv6 gateway box needs at least one real ipv4 address. It also needs sufficient access through any firewalls on the way out to the Internet to allow outbound connections to tcp ports 3653 and 4343, and both outbound and inbound protocol 41 packets. The former handle authentication with the freenet6 site, the latter actually carry the ipv6 traffic inside ipv4 headers. The traffic on these ports and protocol 41 will only be to machines on the 206.123.31.0/24 network if you want to lock down traffic a bit on your firewall.
Once this is set up, the gateway box will provide a huge number of addresses to the machines behind it. Those machines can run any operating system that supports IPV6. In fact, the gateway itself can run a range of operating systems, although the step-by-step instructions I'll provide show the setup on a linux box. The Freenet6 download page lists support for Windows, Freebsd, Linux, Solaris, Openbsd, Netbsd, and Cisco routers.
In addition to providing the tunnel service, www.freenet6.net also provides a free program that authenticates you to freenet6 and sets up the routing. First, install the radvd routing daemon. If your distribution doesn't have it, check rpmfind.net or the software's home site. This program will hand out addresses to your client machines, much like a dhcp server did on ipv4. It only needs to be installed on your gateway. You don't need to do anything about configuring it or running it; this will be handled automatically.
The other piece of software to install (only on the gateway) is the freenet6 client. This can be found at the Freenet6 download area. I installed the i386 rpm by pulling it down to my hard drive, then running:
rpm -Uvh freenet6-0.9.7-1.i386.rpm
Don't worry too much if the versions seem a bit whacky; they advertise version 1.0.0 on the front page of the site, but it doesn't seem to be actually available for download. No problem, 0.9.7 seems to work just fine.
The next step is to apply for an account. Pick a username of at least 8 characters, and enter it and your contact email address. The password to use will be mailed to that account.
Now you need to edit the file /usr/local/tsp/bin/tspc.conf . This file holds your network settings. Here are the lines you need to change, and a quick description.
less
/proc/net/dev and make sure it's not there. If it already
exists, the software setup will come back with odd errors.
Now start up the ipv6 tunnel with:
/etc/rc.d/init.d/freenet start
If it gives you errors, see if you can figure out what the problem is. Otherwise, check that this machine has a live ipv6 connection with the command:
ping6 -n www.ipv6.org
It should provide output similar to:
[root@gateway bin]# ping6 -n www.ipv6.org PING www.ipv6.org(2001:6b0:1:ea:a00:20ff:fe8f:708f) from zzzzzzz : 56 data bytes 64 bytes from 2001:6b0:1:ea:a00:20ff:fe8f:708f: icmp_seq=1 ttl=249 time=616 ms 64 bytes from 2001:6b0:1:ea:a00:20ff:fe8f:708f: icmp_seq=2 ttl=249 time=507 ms 64 bytes from 2001:6b0:1:ea:a00:20ff:fe8f:708f: icmp_seq=3 ttl=249 time=650 ms 64 bytes from 2001:6b0:1:ea:a00:20ff:fe8f:708f: icmp_seq=4 ttl=249 time=561 ms
While that's running, you can watch the tunneled packets with:
tcpdump -i eth1 -qtnp 'net 206.123.31'
which will show the packets heading to and coming from the tunnel servers at 206.123.31.114 and 206.123.31.115 . Substitute the outside network interface of your gateway for eth1.
To see what network block you received, try:
ip -f inet6 route show
Which should return, among others, lines similar to:
[root@gateway bin]# ip -f inet6 route show 3ffe:bc0:zzzz:1::/64 dev tap1 metric 256 mtu 1500 advmss 1440 3ffe:bc0:zzzz::/48 dev tap1 metric 1 mtu 1500 advmss 1440 [snip] default dev sit2 metric 1 mtu 1480 advmss 1420
That /48 is the block you now have for your machines.
ifconfig will show what address is assigned to your local
interfaces; you're interested in the lines with "Scope:Global" as these
are the addresses you can actually use for IPV6 Internet conversations.
"Scope:Link" addresses are only for local use on your network cable,
similar to RFC1918 addresses in IPV4.
As long as the client computer has the ability to autoconfigure an ipv6 address and routing, you're done! The same:
ping6 -n www.ipv6.org
test should show a live ping to the remote end. The same tcpdump above should show the tunneled packets going back and forth.
Thanks to all the people who have worked to make IPV6 a reality and the people that implemented IPV6 in Linux. Also, special thanks to the Freenet6 team at Hexago for providing this public service at no cost. Thanks also to David Coulson for putting up with some rather silly questions.
Bill Stearns wrote this text.
William is an Open-Source developer, enthusiast, and advocate from New Hampshire, USA. His day job at SANS pays him to work on network security and Linux projects.
This document is Copyright 2003, William Stearns <[email protected]>.
Last updated 12/2/2003.