
HOWTO: IPv6 via tunneling (6in4)

  • 12-06-2011 11:17pm
    #1
    Registered Users Posts: 62 ✭✭


    What is IPv6?:
    Read This.

    What is IP tunneling - 6in4?:
    Read This.

    What do I need?:
    1. An OS with IPv6 enabled by default, i.e. Windows Vista + 7 and Linux 2.6.
    2. A router with IPv6 support; bonus if Linux based. Some routers may require a firmware upgrade.
    3. A tunnel broker account, i.e. an account with Hurricane Electric and SixXS.net - it's a free service.

    How do I set up tunneling then?:
    Well u create a tunnel of course. See Tunnel Broker in FAQ.

    I'm confused. Any videos to show how?:


    What is the IPv4 endpoint address?:
    See in FAQ. It's the router's WAN address.

    How do I test if I can access an IPv6 address?:
    test-ipv6.com
    Windows: ping -6 ipv6.google.com
    Linux: ping6 ipv6.google.com

    How do I get my router IPv6 supported?:
    There are many ways.
    1. Go to the router's hardware site and look for new firmware for that model.
    2. Find a custom-built firmware with IPv6 support.
    3. Ask your ISP if they have new Firmware for their Router with IPv6 Support.

    What Routers are IPv6 Supported?:
    Eircom Routers - P-660HW-T1 v3
    Linksys WRT54G with Custom Firmware see blog.

    Why would I do this now? Is there any need?:
    Two Answers Short and Long:
    Short: No but it can help u.
    Long: At least enable Dual-Stacking. A lot of sites are offering it.
    RIPE - World IPv6 Day Connectivity Chart
    test-ipv6.com statistics

    Can I watch BBC iPlayer?:
    Yes but U will need a UK Tunnel Server IP.

    What now?
    Catch up on the news on Twitter:
    SixXS
    Hurricane Electric
    IPv6

    IPv6 CheatSheet
    Any questions? Just ask; I will update this post.



Comments

  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    Can you 'obtain' an IP6 address via a tunnel as you can an IP from a VPN ... e.g. a UK one to watch BBC iPlayer, for example?


  • Registered Users Posts: 62 ✭✭Tungsten Tide


    Yes. It's free. u need to sign up via a tunnel broker. It gives u an account and u create a tunnel. The tunnel gets u an IPv6 via a UK Tunnel Server.


  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    This is Ireland, the e-hub of Europe mar dhea.

    We will wait another 10 years for IP6 while Comreg has a consultation or 10 about some arcane bullsh1t they find important. Meanwhile the World will pass us by.

    So a tunneling we must :(


  • Registered Users Posts: 62 ✭✭Tungsten Tide


    If only internet providers can provide routers with IPv6 Support and DNSv6 Support, there wouldn't be a need to tunnel.
    With IPv4 running out of space they're going to do dual-stacking in 5 of those 10 yrs.


  • Registered Users Posts: 5,246 ✭✭✭conor.hogan.2


    Why would I do this now? Is there any need?


  • Registered Users Posts: 194 ✭✭daffy_duc


    Sponge Bob wrote: »
    We will wait another 10 years for IP6 while Comreg has a consultation or 10 about some arcane bullsh1t they find important. Meanwhile the World will pass us by.

    So a tunneling we must :(

    Comreg has nothing to do with it. It's down to the ISPs to implement this.
    ISPs aren't going to start supporting IPv6 until there's a good enough reason to do so.
    If it's really that important to you, maybe you should express your desire for native IPv6 support by moving to an ISP that supports it, and explaining your reason for leaving to your old ISP.

    I already have native IPv6 from my ISP. And there are a few other ISPs already offering it.


  • Registered Users Posts: 62 ✭✭Tungsten Tide


    Why would I do this now? Is there any need?
    See above.


  • Registered Users Posts: 2,320 ✭✭✭roast


    daffy_duc wrote: »
    Comreg has nothing to do with it. It's down to the ISPs to implement this.
    ISPs aren't going to start supporting IPv6 until there's a good enough reason to do so.
    If it's really that important to you, maybe you should express your desire for native IPv6 support by moving to an ISP that supports it, and explaining your reason for leaving to your old ISP.

    I already have native IPv6 from my ISP. And there are a few other ISPs already offering it.

    Yeah, it's down to the ISPs to implement it, but it's down to Comreg to get them to take the fingers out...

    By any chance, does anyone have a list of Irish ISPs that do and don't support IPv6?


  • Registered Users Posts: 62 ✭✭Tungsten Tide


    I sent a post to eircom's thread to wake up and admit IPv4 is dead like Elvis. I don't know why they haven't done this. I'm on IPv6 with OpenDNS.


  • Registered Users Posts: 194 ✭✭daffy_duc


    roast wrote: »
    Yeah, it's down to the ISPs to implement it, but it's down to Comreg to get them to take the fingers out...

    I fail to see how this is an issue for Comreg.
    The ISPs are providing you Internet access. Does it matter what underlying protocol they're using to do this?
    At this point in time, there's no reason for any regulatory involvement, for the simple reason that people without IPv6 aren't being denied access to anything.
    Perhaps Comreg can get involved at a later date, when there is a significant amount of content and services that are _only_ accessible on IPv6.
    But for now, this is a non-issue.


  • Moderators, Education Moderators, Home & Garden Moderators Posts: 8,107 Mod ✭✭✭✭Jonathan


    You can also get a tunnel and /48 subnet from SixXS.

    In Ireland, this is provided by HEAnet, so generally a SixXS tunnel provides lower pings than a HE tunnel.


  • Registered Users Posts: 62 ✭✭Tungsten Tide


    Thanks, Jonathan. ;)


  • Registered Users Posts: 5,246 ✭✭✭conor.hogan.2


    Eircom still use copper, ipv6 yes they will be first to implement it………


  • Registered Users Posts: 62 ✭✭Tungsten Tide


    bump Added IPv6 CheatSheet.


  • Moderators, Education Moderators, Home & Garden Moderators Posts: 8,107 Mod ✭✭✭✭Jonathan


    You also need to mention IPv6 firewalling. Most users don't realise that enabling IPv6 creates a large security hole, and have gotten lazy when it comes to firewalling because of NAT.

    Below is a minimal ip6tables config which should protect your network.

    # Flush existing entries
    ip6tables -F

    # Filter all packets that have RH0 headers. These rules go first:
    # the first matching rule wins, so a DROP placed after the ACCEPT
    # rules below would never see ICMPv6, loopback or LAN packets.
    ip6tables -A INPUT   -m rt --rt-type 0 -j DROP
    ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
    ip6tables -A OUTPUT  -m rt --rt-type 0 -j DROP

    # Allow ICMPv6 everywhere (-A rather than -I, so these stay below the RH0 drops)
    ip6tables -A INPUT   -p icmpv6 -j ACCEPT
    ip6tables -A OUTPUT  -p icmpv6 -j ACCEPT
    ip6tables -A FORWARD -p icmpv6 -j ACCEPT

    # Allow anything on the local loopback link
    ip6tables -A INPUT  -i lo -j ACCEPT
    ip6tables -A OUTPUT -o lo -j ACCEPT

    # Allow anything out on the internet
    ip6tables -A OUTPUT -o eth0.1 -j ACCEPT

    # Allow the localnet to access us:
    ip6tables -A INPUT  -i br-lan -j ACCEPT
    ip6tables -A OUTPUT -o br-lan -j ACCEPT

    # Allow Link-Local addresses
    ip6tables -A INPUT -s fe80::/10 -j ACCEPT
    ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT

    # Allow multicast (a multicast address is only ever a destination, so match with -d)
    ip6tables -A INPUT -d ff00::/8 -j ACCEPT
    ip6tables -A OUTPUT -d ff00::/8 -j ACCEPT

    # Allow forwarding: LAN hosts may open connections, everything else may only reply
    ip6tables -A FORWARD -i br-lan -j ACCEPT
    ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Set the default policy
    ip6tables -P INPUT   DROP
    ip6tables -P FORWARD DROP
    ip6tables -P OUTPUT  DROP
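
A check for the properties the ruleset above depends on (default-drop policies, the RH0 drop reached before any ACCEPT, multicast matched by destination), run over `ip6tables -S` style text. This is an added example, not part of the original post; both sample rulesets are constructed and the function names are hypothetical.

```python
import ipaddress
import shlex
# Constructed samples in `ip6tables -S` style (not captured from a real router).
MISORDERED = """\
-P INPUT DROP
-P FORWARD ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -s ff00::/8 -j ACCEPT
-A FORWARD -i br-lan -j ACCEPT
"""
HARDENED = """\
-P INPUT DROP
-P FORWARD DROP
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -i br-lan -j ACCEPT
"""

def parse_rules(text):
    """Return ({chain: policy}, {chain: [rule tokens, in evaluation order]})."""
    policies, rules = {}, {}
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) >= 3 and tok[0] == "-P":
            policies[tok[1]] = tok[2]
        elif len(tok) >= 2 and tok[0] == "-A":
            rules.setdefault(tok[1], []).append(tok[2:])
    return policies, rules

def opt(rule, flag):
    """Value following `flag` in a rule, or None when the flag is absent."""
    return rule[rule.index(flag) + 1] if flag in rule[:-1] else None

def lint(text):
    """List departures from default-drop, RH0-first and multicast-by-destination."""
    policies, rules = parse_rules(text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain}: default policy is not DROP")
        chain_rules = rules.get(chain, [])
        rh0 = next((i for i, r in enumerate(chain_rules)
                    if opt(r, "--rt-type") == "0" and opt(r, "-j") == "DROP"), None)
        if rh0 is None:
            findings.append(f"{chain}: no RH0 drop rule")
        elif any(opt(r, "-j") == "ACCEPT" for r in chain_rules[:rh0]):
            findings.append(f"{chain}: ACCEPT rule precedes the RH0 drop")
    for chain, chain_rules in rules.items():
        for r in chain_rules:
            src = opt(r, "-s")
            if src and ipaddress.ip_network(src, strict=False).is_multicast:
                findings.append(f"{chain}: multicast matched as source (-s); use -d")
    return findings

if __name__ == "__main__":
    print(lint(MISORDERED), lint(HARDENED))
```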
    


  • Registered Users Posts: 62 ✭✭Tungsten Tide


    Can't edit the post now but good info.
    A Mod can add a link to the first post.;)

    bump
    IPv6 Firewalling


  • Registered Users Posts: 193 ✭✭MrO


    daffy_duc wrote: »
    I fail to see how this is an issue for Comreg.
    The ISPs are providing you Internet access. Does it matter what underlying protocol they're using to do this?
    At this point in time, there's no reason for any regulatory involvement, for the simple reason that people without IPv6 aren't being denied access to anything.
    Perhaps Comreg can get involved at a later date, when there is a significant amount of content and services that are _only_ accessible on IPv6.
    But for now, this is a non-issue.

    Agreed - right now there is really no reason for the end user to send and receive data using IPv6...in reality only service providers, content providers and hardware manufacturers need to worry about it...so they can sell more cr@p to people who don't need it :D


  • Registered Users Posts: 62 ✭✭Tungsten Tide


    MrO wrote: »
    Agreed - right now there is really no reason for the end user to send and receive data using IPv6...in reality only service providers, content providers and hardware manufacturers need to worry about it...so they can sell more cr@p to people who don't need it :D

    I got 1 line to say to people like you:
    nmap -sT -6 -v ::1

    How many open ports do u see?:cool:


  • Moderators, Education Moderators, Home & Garden Moderators Posts: 8,107 Mod ✭✭✭✭Jonathan


    MrO wrote: »
    Agreed - right now there is really no reason for the end user to send and receive data using IPv6...in reality only service providers, content providers and hardware manufacturers need to worry about it...so they can sell more cr@p to people who don't need it :D

    I disagree.

    My home network is IPv6 enabled, and it is very handy for accessing my servers from outside the network. No more SSH bouncing through my router. :)


  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    And ye won't be able to emigrate to Asia without 6 experience lads, spot of Natting and Stun don't cut the mustard over there :cool:


  • Registered Users Posts: 62 ✭✭Tungsten Tide


    MrO wrote: »
    Agreed - right now there is really no reason for the end user to send and receive data using IPv6...in reality only service providers, content providers and hardware manufacturers need to worry about it...so they can sell more cr@p to people who don't need it :D

    10 Reasons why to switch to IPv6:
    1. More Space to expand to Networks you have.
    2. no more NAT.
    3. no more ARP.
    4. mobile IPv6.
    5. easy IP renumbering.
    6. jumbograms up to 4 GiB.
    7. mandatory IPSec Support.
    8. stateless address configuration without DHCP.
    9. no more broadcasts.
    10. improved multicasting.

    Cool stuff :cool:


  • Registered Users Posts: 631 ✭✭✭Wcool


    What about privacy and IPV6?

    Correct me if I am wrong: the MAC address is stamped on the IPV6 address. This is ideal for any advertising company as with IPV4 you can only be traced to the next (sub)network. With IPV6 the device name from where I sent it will be on every packet? This means that no matter which network I use, other people know the device which is almost always a 1-to-1 relationship.

    Is there any way I can configure my router to put in a dummy value in the mac address part of the IPv6 address and have only my IPV6 home router translate this into the physical mac address when the package comes back from the internet?


  • Registered Users Posts: 62 ✭✭Tungsten Tide


    Wcool wrote: »
    What about privacy and IPV6?

    Correct me if I am wrong: the MAC address is stamped on the IPV6 address. This is ideal for any advertising company as with IPV4 you can only be traced to the next (sub)network. With IPV6 the device name from where I sent it will be on every packet? This means that no matter which network I use, other people know the device which is almost always a 1-to-1 relationship.

    Is there any way I can configure my router to put in a dummy value in the mac address part of the IPv6 address and have only my IPV6 home router translate this into the physical mac address when the package comes back from the internet?

    What an interesting question might I say but I'm not clear I finally understand it by the way u wrote it.

    1. MAC's are now known as EUI-64 (in IPv6) on the WAN.
    2. RFC 4291 explains in detail pg 20 on a Modified EUI-64 Format.

    I hope this explains it or u could go into more detail.


  • Registered Users Posts: 631 ✭✭✭Wcool


    What an interesting question might I say but I'm not clear I finally understand it by the way u wrote it.

    1. MAC's are now known as EUI-64 (in IPv6) on the WAN.
    2. RFC 4291 explains in detail pg 20 on a Modified EUI-64 Format.

    I hope this explains it or u could go into more detail.

    Well I could be wrong but this is my understanding:

    Situation 1
    IP4, Company LAN with 10000 devices. Device 101 contacts facebook.com.
    Facebook will 'see' the IP address of device 101 but *ALL* 10000 devices on this particular LAN will have the same IP address to Facebook. Any specific device on the LAN can not be identified by Facebook.

    Situation 2
    IP6, Each IP address also includes the MAC address of the device that sends it. So if device 101 contacts Facebook, Facebook knows which device sent it.
    Now, let's say device 101 is a laptop and brings it home. Let's say it contacts Facebook from there. Now Facebook has a pretty good idea of the life and times of the owner of device 101 all because the MAC address is sent.

    If this is all hogwash, I stand corrected, but that is my understanding...
    So my question is: is it possible to send a dummy MAC?


  • Registered Users Posts: 2,370 ✭✭✭Knasher


    Wcool wrote: »
    So my question is: is it possible to send a dummy MAC?

    Yes it's possible. You can either set a static address, a fake MAC or have an incrementing address.

    To be honest though, I find the information your browser sends as part of its UserAgent string much more revealing than knowing a computers manufacturer.


  • Registered Users Posts: 62 ✭✭Tungsten Tide


    Wcool wrote: »
    Well I could be wrong but this is my understanding:

    Situation 1
    IP4, Company LAN with 10000 devices. Device 101 contacts facebook.com.
    Facebook will 'see' the IP address of device 101 but *ALL* 10000 devices on this particular LAN will have the same IP address to Facebook. Any specific device on the LAN can not be identified by Facebook.

    Situation 2
    IP6, Each IP address also includes the MAC address of the device that sends it. So if device 101 contacts Facebook, Facebook knows which device sent it.
    Now, let's say device 101 is a laptop and brings it home. Let's say it contacts Facebook from there. Now Facebook has a pretty good idea of the life and times of the owner of device 101 all because the MAC address is sent.

    If this is all hogwash, I stand corrected, but that is my understanding...
    So my question is: is it possible to send a dummy MAC?

    MAC spoofing was always a local thing, link layer, i.e. it is never sent outside the network ur on. So Facebook never sees that Interface ID.


  • Moderators, Education Moderators, Home & Garden Moderators Posts: 8,107 Mod ✭✭✭✭Jonathan


    Wcool wrote: »
    Well I could be wrong but this is my understanding:

    Your understanding is correct.

    MAC spoofing was always a local thing, link layer, i.e. it is never sent outside the network ur on. So Facebook never sees that Interface ID.

    You have it all wrong. The lower 64 bits of the IPv6 address are autogenerated from the MAC address, so yes, Facebook can see your MAC address. They can therefore track your machine as it moves from network to network.

    To answer Wcool's question, the IETF realised this was an issue and issued RFC 4941.
    http://www.rfc-editor.org/rfc/rfc4941.txt

    This assigns a second IPv6 address to your interfaces. A pseudorandom address, in addition to the proper MAC based address. Outgoing IPv6 traffic then goes out over the pseudorandom address. As far as I know this is enabled by default in Windows 7, but not in Linux.


  • Registered Users Posts: 62 ✭✭Tungsten Tide


    Jonathan wrote: »
    Your understanding is correct.


    You have it all wrong. The lower 64 bits of the IPv6 address are autogenerated from the MAC address, so yes, Facebook can see your MAC address. They can therefore track your machine as it moves from network to network.

    To answer Wcool's question, the IETF realised this was an issue and issued RFC 4941.
    http://www.rfc-editor.org/rfc/rfc4941.txt

    This assigns a second IPv6 address to your interfaces. A pseudorandom address, in addition to the proper MAC based address. Outgoing IPv6 traffic then goes out over the pseudorandom address. As far as I know this is enabled by default in Windows 7, but not in Linux.

    That last message referred to IPv4 and that makes it true.
    Ur right also. So to summarise:

    1. The last 64 bits of an IPv6 address is an Interface ID and is autoconfigured by DHCPv6 that includes Linux. ;)
    2. The Interface ID is sent across the Network 1-1 relationship.
    3. You can either set a static address, a fake EUI-64 or have an incrementing address.

    On a final note, System Administrators will be able to filter spoofed addresses on their network by identifying local network cards and access controls like passwords to log in etc etc.


  • Moderators, Education Moderators, Home & Garden Moderators Posts: 8,107 Mod ✭✭✭✭Jonathan


    1. The last 64 bits of an IPv6 address is an Interface ID and is autoconfigured by DHCPv6 that includes Linux. ;)

    DHCPv6 doesn't auto-configure anything. It is stateful, and requires human intervention to set up a pool of valid Interface IDs etc. The alternative is Stateless IPv6 Auto-Configuration which is what we are talking about here. This uses the interface's MAC address as the lower 64 bits of the IP address.

    Wcool's point was that a MAC address is globally unique, so it doesn't matter what the upper 64 bits of the address are, the server can still identify the user by the unique MAC address residing in the lower half of the address. Stateless addressing is a core part of IPv6, and is supported by Linux, MAC and Windows.

    What I said was that this problem of being able to be tracked across networks was addressed by RFC 4941. This creates a second, temporary address which makes it harder for your computer to be tracked. As I said, this is enabled by default in Windows. Check ipconfig for yourself, you should see IPv6 Address and Temporary IPv6 Address.

    This is not enabled on Linux. See recent mailing list discussion debating whether to enable it in the upcoming version of Debian. I did not say that DHCPv6 was not enabled in Linux.



    EDIT, this might be helpful: http://superuser.com/questions/243669/how-to-avoid-exposing-my-mac-address-when-using-ipv6
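
The Modified EUI-64 mapping argued over in this exchange, worked through as an added example that is not part of the original thread: it derives the stateless address for a MAC and recovers the MAC from an address, so the same interface ID can be seen under two different prefixes. The MAC, the 2001:db8::/32 documentation prefixes, the random-looking temporary address and the function names are constructed for illustration.

```python
import ipaddress

def eui64_interface_id(mac):
    """Modified EUI-64 interface ID (RFC 4291, Appendix A) for a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # Flip the universal/local bit and insert ff:fe between the two halves.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def slaac_address(prefix, mac):
    """Address a host autoconfigures from a /64 prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration expects a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def embedded_mac(addr):
    """MAC recoverable from an address, or None if the interface ID is not EUI-64 shaped.

    A random interface ID matches the ff:fe marker by chance about once in 65536.
    """
    iid = (int(ipaddress.IPv6Address(addr)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

def same_device(addr_a, addr_b):
    """True when both addresses expose the same MAC, whatever their prefixes."""
    mac = embedded_mac(addr_a)
    return mac is not None and mac == embedded_mac(addr_b)

if __name__ == "__main__":
    MAC = "00:1b:21:3a:4f:9c"                       # constructed MAC
    office = str(slaac_address("2001:db8:1:1::/64", MAC))
    home = str(slaac_address("2001:db8:2:2::/64", MAC))
    temporary = "2001:db8:2:2:7c5e:91a4:b3d:66f1"   # constructed random interface ID
    for addr in (office, home, temporary):
        print(addr, "->", embedded_mac(addr))
    print("office and home linkable:", same_device(office, home))
    print("office and temporary linkable:", same_device(office, temporary))
```

On Linux, RFC 4941 temporary addresses are controlled per interface by the net.ipv6.conf.<interface>.use_tempaddr sysctl.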


  • Registered Users Posts: 62 ✭✭Tungsten Tide


    Jonathan wrote: »
    DHCPv6 doesn't auto-configure anything. It is stateful, and requires human intervention to set up a pool of valid Interface IDs etc. The alternative is Stateless IPv6 Auto-Configuration which is what we are talking about here. This uses the interface's MAC address as the lower 64 bits of the IP address.

    Wrong. DHCPv6 is described in two RFC papers RFC 3315 for StateFul Autoconfigurations and RFC 4862 for Stateless Autoconfigurations which u mentioned in part.

    Jonathan wrote: »
    This is not enabled on Linux. See recent mailing list discussion debating whether to enable it in the upcoming version of Debian. I did not say that DHCPv6 was not enabled in Linux.

    Privacy Addressing is still experimental see here. In short RFC 4941 isn't perfect yet, as some people will misconfigure the settings and screw up the network and create timing problems if enabled. They will enable it in future Linux's when it's ready not before.

