Difference between pages "Keychain" and "IPv6 Networking"

From Funtoo
(Difference between pages)
Jump to: navigation, search
(Specifying Agents)
 
(ISPs who currently have IPv6 enabled for residential customers)
 
Line 1: Line 1:
== Introduction ==
+
= Introduction =
  
<tt>Keychain</tt> helps you to manage ssh and GPG keys in a convenient and secure manner. It acts as a frontend to <tt>ssh-agent</tt> and <tt>ssh-add</tt>, but allows you to easily have one long running <tt>ssh-agent</tt> process per system, rather than the norm of one <tt>ssh-agent</tt> per login session.
+
[[wikipedia:IPv6|IPv6]] is an redesigned and improved version of the IPv4 protocol, and is intended to start replacing IPv4 in 2011 and beyond as the [[wikipedia:IPv4_address_exhaustion|IPv4 global address space becomes exhausted]]. IPv6 includes a number of improvements over IPv4, including most notably 128-bit addressing, simplified protocol header, integrated IPSec and Multicast implementations, improved discovery, flexibility and router interaction, and improved facilities for auto-configuration. IPv6 also marks the end of [[wikipedia:Network_address_translation|Network Address Translation]] (NAT), which is not recommended or necessary with IPv6. While it's possible to use non-routable addresses with IPv6, this is not a requirement and it is possible for any IPv6 device to have its own globally routable IP address if desired.
  
This dramatically reduces the number of times you need to enter your passphrase. With <tt>keychain</tt>, you only need to enter a passphrase once every time your local machine is rebooted. <tt>Keychain</tt> also makes it easy for remote cron jobs to securely &quot;hook in&quot; to a long running <tt>ssh-agent</tt> process, allowing your scripts to take advantage of key-based logins.
+
== Addressing ==
  
== Download and Resources ==
+
IPv6 addresses consist of 128 bits. The first 64 bits are used for the network and subnet portion of the address, while the remaining 64 bits are used for the host portion of the address. For more information on how to represent IPv6 addresses, please see the Presentation section of the [[wikipedia:IPv6_address|IPv6 address]] page on Wikipedia.
  
The latest release of keychain is version <tt>2.7.1</tt>, and was released on May 7, 2010. The current version of keychain supports <tt>gpg-agent</tt> as well as <tt>ssh-agent</tt>.
+
=== Network Masks ===
  
Keychain is compatible with many operating systems, including <tt>AIX</tt>, <tt>*BSD</tt>, <tt>Cygwin</tt>, <tt>MacOS X</tt>, <tt>Linux</tt>, <tt>HP/UX</tt>, <tt>Tru64 UNIX</tt>, <tt>IRIX</tt>, <tt>Solaris</tt> and <tt>GNU Hurd</tt>.
+
IPv6 addresses also have an associated network mask, which is typically written as a trailing "/64" or "/48" at the end of the address, which specifies what bits of the address are used for network and subnet parts. For example, a "/48" mask specifies that addresses use a 48-bit network part, followed by a 16-bit subnet part (allowing for 2^16 subnets), followed by a 64-bit host part (allowing for up to 2<sup>64</sup> hosts for each of the 2<sup>16</sup> subnets to be specified.) In contrast, a "/64" mask specifies that addresses use a 64-bit network part, no subnet part, and a 64-bit host part (allowing up to 2<sup>64</sup> hosts total to be specified.) This means that if you are issued a "/64" set of addresses, you will not be able to define any subnets, but if you are issued a "/48" set of addresses, you will be able to define up to 2<sup>16</sup> subnets.
  
=== Download ===
+
=== Address Space and Security ===
  
* ''Release Archive''
+
IPv6 also uses a global, flat address space. IPv6 is designed so that any device that needs to communicate on the Internet is able to have a unique globally-routable address. With IPv6, there is no need for using [[wikipedia:Network_address_translation|Network Address Translation]] (NAT). With IPv4, NAT is often used as a means of protecting systems from being accessed by malicious users. With IPv6, firewalls are typically used instead of NAT for restricting access to systems. With IPv6, it is normal for all machines on your home network to have "globally routable" addresses, the equivalent of a "public IP" in the world of IPv4. It is important to understand that this is the way that IPv6 is intended to be used for the majority of users, and that an IPv6-enabled router will no longer be performing NAT for you.
** [http://www.funtoo.org/archive/keychain/keychain-2.7.1.tar.bz2 keychain 2.7.1]
+
  
* ''Apple MacOS X Packages''
+
=== Using IPv6 ===
** [http://www.funtoo.org/archive/keychain/keychain-2.7.1-macosx.tar.gz keychain 2.7.1 MacOS X package]
+
  
 +
There are several ways to use IPv6 with Funtoo Linux. Here are some possibilities:
  
Keychain development sources can be found in the [http://www.github.com/funtoo/keychain keychain git repository]. Please use the [http://groups.google.com/group/funtoo-dev funtoo-dev mailing list] and [irc://irc.freenode.net/funtoo #funtoo irc channel] for keychain support questions as well as bug reports.
+
* Participating in an existing IPv6 network
 +
* Creating a local IPv6 over IPv4 tunnel
 +
* Enabling IPv6 on your router, possibly via a tunnel (several ISP uses '''6rd'''...)
 +
* Unique Local IPv6 Unicast Addresses (site local)
  
== Quick Setup ==
+
==== Participating in IPv6 Network ====
  
=== Linux ===
+
The first approach is an option if your Funtoo Linux system happens to be on an IPv6 network, or you desire to set up an IPv6 network. In this case, the Funtoo Linux system simply needs to be configured to participate in this IPv6 network -- and can also participate in an IPv4 network simultaneously. If you will be configuring an IPv6-compatible router, then you will simply configure your Funtoo Linux system to participate in this network.
  
To install under Gentoo or Funtoo Linux, type
+
==== Local IPv6 over IPv4 Tunnel ====
<console>
+
###i## emerge keychain
+
</console>. For other Linux distributions, use your distribution's package manager, or download and install using the source tarball above. Then generate RSA/DSA keys if necessary. The quick install docs assume you have a DSA key pair named <tt>id_dsa</tt> and <tt>id_dsa.pub</tt> in your <tt>~/.ssh/</tt> directory. Add the following to your <tt>~/.bash_profile</tt>:
+
{{File
+
|~/.bash_profile|<pre>
+
eval `keychain --eval --agents ssh id_rsa`
+
</pre>}}
+
If you want to take advantage of GPG functionality, ensure that GNU Privacy Guard is installed and omit the <tt>--agents ssh</tt> option above.
+
  
=== Apple MacOS X ===
+
Another approach for using IPv6 is to configure an IPv6 over IPv4 tunnel locally on your Funtoo Linux system, in cooperation with a tunnel provider. This will allow you to use an existing IPv4 network to connect a single Funtoo Linux system to IPv6. It is also possible to configure this system to serve as an IPv6 router.
  
To install under MacOS X, install the MacOS X package for keychain. Assuming you have an <tt>id_dsa</tt> and <tt>id_dsa.pub</tt> key pair in your <tt>~/.ssh/</tt> directory, add the following to your <tt>~/.bash_profile</tt>:
+
==== Enabling IPv6 on Your Router ====
  
{{File
+
If you have a router that is capable of supporting IPv6, then it is possible to configure your router so that an IPv6 network is available, at which point you can simply configure your Funtoo Linux system to participate in it. Note that many popular home/office routers can be configured to use an IPv6 over IPv4 tunnel, which provides a convenient option for home networks or smaller organizations to participate in IPv6. Using this approach, your computer systems behind the router are simply configured to participate in an IPv6 network, and your router handles tunneling the IPv6 traffic back and forth between your tunnel provider. This is typically the most flexible option for exploring IPv6 as it allows you to have multiple computer systems in your home or office to participate in an IPv6 network while your router takes care of everything transparently.
|~/.bash_profile|<pre>
+
eval `keychain --eval --agents ssh --inherit any id_dsa`
+
</pre>}}
+
{{Note}}The <tt>--inherit any</tt> option above causes keychain to inherit any ssh key passphrases stored in your Apple MacOS Keychain. If you would prefer for this to not happen, then this option can be omitted.
+
  
== Background ==
+
==== Using Unique Local IPv6 Unicast Addresses ====
  
You're probably familiar with <tt>ssh</tt>, which has become a secure replacement for the venerable <tt>telnet</tt> and <tt>rsh</tt> commands.
+
If you don't have public IPv6 connectivity or you don't wish to open an IPv6 tunnel over an IPv4 network, you can use a mechanism similar to IPv4 private addresses ranges. This mechanism consists of concatenating the prefix FC00::/7 with a globally unique identifier and a subnet identifier to form the upper 64 bits of the IPv6 address. Details of the mechanisms to forge a unique local IPv6 unicast address are documented in [http://tools.ietf.org/html/rfc4193 RFC 4193], however unique local IPv6 unicast addresses are made of the following components:
  
Typically, when one uses <tt>ssh</tt> to connect to a remote system, one supplies a secret passphrase to <tt>ssh</tt>, which is then passed in encrypted form over the network to the remote server. This passphrase is used by the remote <tt>sshd</tt> server to determine if you should be granted access to the system.
+
<pre>
 +
      | 7 bits |1|  40 bits  |  16 bits  |          64 bits          |
 +
      +--------+-+------------+-----------+----------------------------+
 +
      | Prefix |L| Global ID  | Subnet ID |        Interface ID        |
 +
      +--------+-+------------+-----------+----------------------------+
 +
</pre>
  
However, `OpenSSH` and nearly all other SSH clients and servers have the ability to perform another type of authentication, called asymmetric public key authentication, using the RSA or DSA authentication algorithms. They are very useful, but can also be complicated to use. <tt>keychain</tt> has been designed to make it easy to take advantage of the benefits of RSA and DSA authentication.
+
* Prefix (7 bits): always FC00::/7
 +
* L (1 bits): must be set to 1 (1 = prefix is locally assigned, 0 is undefined so far and must not be used)
 +
* Global ID: A random identifier (see [http://tools.ietf.org/html/rfc4193 RFC 4193] for details about the generation algorithm
 +
* Interface ID: Host interface ID as defined in [http://tools.ietf.org/html/rfc3513 RFC 3513]
  
== Generating a Key Pair ==
+
{{fancynote|Just like with private IPv4 addresses, an IPv6 router must not route a unique local IPv6 unicast address outside the organization local network.}}
  
To use RSA and DSA authentication, first you use a program called <tt>ssh-keygen</tt> (included with OpenSSH) to generate a ''key pair'' -- two small files. One of the files is the ''public key''. The other small file contains the ''private key''. <tt>ssh-keygen</tt> will ask you for a passphrase, and this passphrase will be used to encrypt your private key. You will need to supply this passphrase to use your private key. If you wanted to generate a DSA key pair, you would do this:
+
= Requirements =
  
<console># ##i##ssh-keygen -t dsa
+
IPv6 requires CONFIG_IPV6 to be enabled in your kernel (either compiled in or as a module). If compiled as a module (e.g. if your kernel was compiled by genkernel), ensure the module is loaded.
Generating public/private dsa key pair.</console>
+
<console>
You would then be prompted for a location to store your key pair. If you do not have one currently stored in <tt>~/.ssh</tt>, it is fine to accept the default location:
+
###i## lsmod | grep ipv6
 +
</console>
  
<console>Enter file in which to save the key (/root/.ssh/id_dsa): </console>
+
If this returns nothing, load the module with:
Then, you are prompted for a passphrase. This passphrase is used to encrypt the ''private key'' on disk, so even if it is stolen, it will be difficult for someone else to use it to successfully authenticate as you with any accounts that have been configured to recognize your public key.
+
<console>
 +
###i## modprobe ipv6
 +
</console>
  
Note that conversely, if you '''do not''' provide a passphrase for your private key file, then your private key file '''will not''' be encrypted. This means that if someone steals your private key file, ''they will have the full ability to authenticate with any remote accounts that are set up with your public key.''
+
= Commands =
  
Below, I have supplied a passphrase so that my private key file will be encrypted on disk:
+
; ping6
 +
: IPv6 ping command
 +
; route -6
 +
: show IPv6 routes
 +
; ip -6 neigh show
 +
: show all IPv6 neighbors on the local LAN
  
<console>Enter passphrase (empty for no passphrase): ##i#########
+
= Configuration =
Enter same passphrase again: ##i#########
+
Your identification has been saved in /var/tmp/id_dsa.
+
Your public key has been saved in /var/tmp/id_dsa.pub.
+
The key fingerprint is:
+
5c:13:ff:46:7d:b3:bf:0e:37:1e:5e:8c:7b:a3:88:f4 root@devbox-ve
+
The key's randomart image is:
+
+--[ DSA 1024]----+
+
|          .      |
+
|          o  . |
+
|          o . ..o|
+
|      . . . o  +|
+
|        S    o. |
+
|            . o.|
+
|        .  ..++|
+
|        . o . =o*|
+
|        . E .+*.|
+
+-----------------+</console>
+
  
== Setting up Authentication ==
+
== Participating in an Existing IPv6 Network ==
  
Here's how you use these files to authenticate with a remote server. On the remote server, you would append the contents of your ''public key'' to the <tt>~.ssh/authorized_keys</tt> file, if such a file exists. If it doesn't exist, you can simply create a new <tt>authorized_keys</tt> file in the remote account's <tt>~/.ssh</tt> directory that contains the contents of your local <tt>id_dsa.pub</tt> file.
+
If your local network already supports IPv6, then you can simply configure Funtoo Linux to participate in this IPv6 network. Here is a sample configuration that might be used to configure an ethernet interface (netif.eth0) to participate in both an IPv4 and IPv6 network:
 
+
Then, if you weren't going to use <tt>keychain</tt>, you'd perform the following steps. On your local client, you would start a program called <tt>ssh-agent</tt>, which runs in the background. Then you would use a program called <tt>ssh-add</tt> to tell <tt>ssh-agent</tt> about your secret private key. Then, if you've set up your environment properly, the next time you run <tt>ssh</tt>, it will find <tt>ssh-agent</tt> running, grab the private key that you added to <tt>ssh-agent</tt> using <tt>ssh-add</tt>, and use this key to authenticate with the remote server.
+
 
+
Again, the steps in the previous paragraph is what you'd do if <tt>keychain</tt> wasn't around to help. If you are using <tt>keychain</tt>, and I hope you are, you would simply add the following line to your <tt>~/.bash_profile</tt> or if a regular user to<tt>~/.bashrc</tt> :
+
  
 
{{File
 
{{File
|~/.bash_profile|<pre>
+
|/etc/netif.d/netif.eth0|<pre>
eval `keychain --eval id_dsa`
+
template="interface"
 +
ipaddr="10.0.1.200/24 2001:470:d:c2c:218:51ff:feea:ee21/64"
 +
gateway="10.0.1.1"
 +
nameservers="10.0.1.1 2001:470:20::2"
 +
domain="funtoo.org"
 +
multicast="yes"
 +
routes="2000::/3 via fe80::daa2:5eff:fe7a:83de dev eth0"
 
</pre>}}
 
</pre>}}
The next time you log in or source your <tt>~/.bash_profile</tt> or if you use <tt>~/.bashrc</tt>, <tt>keychain</tt> will start, start <tt>ssh-agent</tt> for you if it has not yet been started, use <tt>ssh-add</tt> to add your <tt>id_dsa</tt> private key file to <tt>ssh-agent</tt>, and set up your shell environment so that <tt>ssh</tt> will be able to find <tt>ssh-agent</tt>. If <tt>ssh-agent</tt> is already running, <tt>keychain</tt> will ensure that your <tt>id_dsa</tt> private key has been added to <tt>ssh-agent</tt> and then set up your environment so that <tt>ssh</tt> can find the already-running <tt>ssh-agent</tt>. It will look something like this:
 
  
Note that when <tt>keychain</tt> runs for the first time after your local system has booted, you will be prompted for a passphrase for your private key file if it is encrypted. But here's the nice thing about using <tt>keychain</tt> -- even if you are using an encrypted private key file, you will only need to enter your passphrase when your system first boots (or in the case of a server, when you first log in.) After that, <tt>ssh-agent</tt> is already running and has your decrypted private key cached in memory. So if you open a new shell, you will see something like this:
+
Above, we use the <tt>interface</tt> template, and specify both an IPv4 and IPv6 address (with network mask) for <tt>ipaddr</tt>. In addition, an IPv4 and IPv6 nameserver is specified. For routing, we use the <tt>gateway</tt> command to specify an IPv4 gateway, while we use the <tt>routes</tt> command to specify a route to our router, which in this case has address <tt>fe80::daa2:5eff:fe7a:83de</tt> and is reachable on device eth0.
  
This means that you can now <tt>ssh</tt> to your heart's content, without supplying a passphrase.
+
Note that we specify a route for "2000::/3" rather than "::/0" or "default", and this is a bit unusual. This is to work around a bug in many Linux kernels that prevents the default route from being handled properly. "2000::/3" maps to all routable IP addresses and has the benefit of being compatible with all Linux kernels.
  
You can also execute batch <tt>cron</tt> jobs and scripts that need to use <tt>ssh</tt> or <tt>scp</tt>, and they can take advantage of passwordless RSA/DSA authentication as well. To do this, you would add the following line to the top of a bash script:
+
=== Many Addresses and Stateless Autoconfiguration ===
  
{{File
+
Also note that if we did not specify an IPv6 address in the <tt>ipaddr</tt> variable, then eth0 would still get at least one IPv6 address anyway. First, it would get a link-local address, starting in <tt>fe80::/16</tt>, and it would also automatically use ''stateless autoconfiguration'' to grab an unused IPv6 address from the range used by your IPv6 router. This works similarly to the way a DHCP client works with IPv4, but is built-in to the IPv6 protocol and does not require a DHCP server to function. It works because with IPv6, routers send out ICMP packets to advertise themselves to systems on your network, and your Funtoo Linux system can use this information to automatically grab an unused address. It is important to understand this behavior because it means that by default, your Funtoo Linux system will grab a globally-routable ("public") IPv6 address from your router with no steps necessary on your part and thus may be accessible from the Internet if no firewall is in place. However, in most cases the default IPv6 route must be specified in the <tt>routes</tt> variable for IPv6 to function properly, so this auto-configuration isn't completely automatic at this time.
|~/.bash_profile|<pre>
+
eval `keychain --noask --eval id_dsa` || exit 1
+
</pre>}}
+
The extra <tt>--noask</tt> option tells <tt>keychain</tt> that it should not prompt for a passphrase if one is needed. Since it is not running interactively, it is better for the script to fail if the decrypted private key isn't cached in memory via <tt>ssh-agent</tt>.
+
  
== Keychain Options ==
+
== Local IPv6 over IPv4 Tunnelling ==
  
=== Specifying Agents ===
+
Tunnelling is the process of encapsulating IPv6 packets within an IPv4 packet so that it can be transmitted over an IPv4 network. This process happens at a local ''tunnel entry point'', which can be a Linux machine or a router, such as an Apple AirPort. The packet then traverses the IPv4 network, until reaches the ''tunnel endpoint'', which ''de-encapsulates'' the packet and places it on an IPv6 network. There are several different types of IPv6 tunnels. There are also several IPv6 tunnel providers that offer free tunnelling services, making it convenient to start using IPv6, even on your home network.
  
In the images above, you will note that <tt>keychain</tt> starts <tt>ssh-agent</tt>, but also starts <tt>gpg-agent</tt>. Modern versions of <tt>keychain</tt> also support caching decrypted GPG keys via use of <tt>gpg-agent</tt>, and will start <tt>gpg-agent</tt> by default if it is available on your system. To avoid this behavior and only start <tt>ssh-agent</tt>, modify your <tt>~/.bash_profile</tt> as follows:
+
Note that if you want configure an IPv6 over IPv4 tunnel on your router, such as an Apple AirPort, then you will simply need to sign up with one of the tunnel providers and use their instructions to configure your router. At this point, your router will be IPv6 enabled and you can then configure your Funtoo Linux system to participate in an existing IPv6 network using the instructions in the previous section. If this is not an option for you, then it is also possible to set up the IPv6 over IPv4 tunnel directly on your Funtoo Linux system. This means that only your Funtoo Linux system will be able to participate in IPv6, at least to start (later, you could configure your Funtoo Linux system to route IPv6 for other machines on your network) Follow the instructions in this section to set up local tunneling on your Funtoo Linux system.
  
{{File
+
=== Tunnel providers ===
|~/.bash_profile|<pre>
+
; [http://gogonet.gogo6.com/page/freenet6-tunnelbroker freenet6]
eval `keychain --agents ssh --eval id_dsa` || exit 1
+
: Supports anonymous tunnels and works behind NAT. You can connect to with your login or as anonymous from anywhere. This can be configured under Funtoo Linux by emerging the '''net-misc/gogoc''' ebuild.
</pre>}}
+
; [http://tunnelbroker.net/ Hurricane Electric]
The additional <tt>--agents ssh</tt> option tells <tt>keychain</tt> just to manage <tt>ssh-agent</tt>, and ignore <tt>gpg-agent</tt> even if it is available.
+
: Configured '''6in4''' tunnel, with support for dynamic IPv4 addresses, and Apple AirPorts can be configured to use this tunnel - see [http://www.nedprod.com/Niall_stuff/addingIPv6toyourhome.html this link]. Also see [http://ipv6.he.net/certification/faq.php ipv6.he.net FAQ] You can setup this tunnel with ifconfig and iproute2, or configure your router to be the tunnel entry point  -- the point at which IPv6 traffic is encapsulated/de-encapsulated.
 +
; [http://en.wikipedia.org/wiki/Teredo_tunneling Teredo]/[http://www.remlab.net/miredo/ Miredo]
 +
: [http://tools.ietf.org/html/rfc4380 RFC4380] mandated transition mechanism. Works behind NAT. Assigns one "/128" per host.
  
=== Clearing Keys ===
+
=== Getting Started with gogoc ===
  
Sometimes, it might be necessary to flush all cached keys in memory. To do this, type:
+
Freenet6 is a free IPv6 access service provided by gogo6 via the [http://en.wikipedia.org/wiki/Tunnel_Setup_Protocol TSP tunnelling protocol].
 +
<code>gogoc</code> supports any TSP tunnel; perhaps one is provided by your ISP. We will focus on an anonymous tunnel via freenet6.
  
<console># ##i##keychain --clear</console>
+
You need ipv6 to be enabled in your kernel as well as the TUN module.
Any agent(s) will continue to run.
+
  
=== Improving Security ===
+
You can quickly get started by emerging {{Package|net-misc/gogoc}}, adding <code>gogoc</code> to your startup scripts and starting it.
 +
{{Package|net-misc/gogoc}} is currently keyworded unstable (on some architectures, see [https://bugs.gentoo.org/362549 gentoo bug #362549]). If you are running stable Funtoo, you may want to put an entry into your package.keywords/package.accept_keywords file.
 +
<console>
 +
###i## emerge gogoc
 +
###i## bzcat /usr/share/doc/gogoc-*/gogoc.conf.sample.bz2 >/etc/gogoc/gogoc.conf
 +
###i## rc-update add gogoc default
 +
###i## /etc/init.d/gogoc start
 +
</console>
  
To improve the security of <tt>keychain</tt>, some people add the <tt>--clear</tt> option to their <tt>~/.bash_profile</tt> <tt>keychain</tt> invocation. The rationale behind this is that any user logging in should be assumed to be an intruder until proven otherwise. This means that you will need to re-enter any passphrases when you log in, but cron jobs will still be able to run when you log out.
+
{{Note}}By default, <code>gogoc</code> will use an anonymous tunnel. If you wish to authenticate yourself, read and edit <code>/etc/gogoc/gogoc.conf</code>.
  
=== Stopping Agents ===
+
=== Getting started with Teredo ===
  
If you want to stop all agents, which will also of course cause your keys/identities to be flushed from memory, you can do this as follows:
+
While this mechanism is officially called Teredo, the implementation of the Teredo service we will be using is called Miredo.
 +
{{Note}}{{Package|net-misc/miredo}} is currently keyworded unstable. If you are running stable Funtoo, you may want to put an entry into your package.keywords/package.accept_keywords file.}}
  
<console># ##i##keychain -k all</console>
+
Emerge <tt>net-misc/miredo</tt> and start it up (you can add it to your default runlevel if you wish):
If you have other agents running under your user account, you can also tell <tt>keychain</tt> to just stop only the agents that <tt>keychain</tt> started:
+
<console>
 +
###i## emerge net-misc/miredo
 +
###i## /etc/init.d/miredo start
 +
</console>
 +
 
 +
{{Note}}Miredo requires <code>CONFIG_TUN</code> enabled in your kernel. If it is compiled as a module, ensure the <tt>tun</tt> module is loaded.
 +
 
 +
If all goes well, you can check the assignment of an IPv6 address using <tt>/sbin/ip</tt>, for example:
 +
<console>
 +
###i## /sbin/ip addr show dev teredo
 +
4: teredo: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc pfifo_fast state UNKNOWN qlen 500
 +
    link/none
 +
    inet6 2001:0:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/32 scope global
 +
      valid_lft forever preferred_lft forever
 +
    inet6 fe80::ffff:ffff:ffff/64 scope link
 +
      valid_lft forever preferred_lft forever
 +
</console>
 +
 
 +
=== Tunnelling 6to4 ===
 +
 
 +
6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6, a system that allows IPv6 packets to be transmitted over an IPv4 network (generally the IPv4 Internet) without the need to configure explicit tunnels.
 +
When using 6to4 your IPv6 golablly addressable IP is generated from you IPv4 IP address.
  
<console># ##i##keychain -k mine</console>
+
The anycast address of 192.88.99.1 has been allocated for the purpose of sending packets to a 6to4 relay router. Note that when converted to a 6to4 IPv6 address with the subnet and hosts fields set to zero this IPv4 address (192.88.99.1) becomes the IPv6 address 2002:c058:6301::.
  
== GPG ==
+
To use the funtoo network template method, write the config file for the interface /etc/conf.d/netif.6to4 (which will also handle the converting of your IPv4 address to your IPv6 address). Make sure you change "WAN" to your correct internet facing interface.
 +
<pre>
 +
template=ipv6-tunnel
 +
WAN="eth0"
 +
MTU="1280"
 +
ipv4=`ifconfig $WAN | sed -ne 's/[[:space:]]*inet addr:\([0-9.]*\).*/\1/p'`
 +
ipv6=`printf "2002:%02x%02x:%02x%02x::1" \`echo $ipv4 | tr "." " "\``
 +
remote=192.88.99.1
 +
local="$ipv4/24"
 +
ipaddr="$ipv6/48"
 +
routes="2000::/3 via 2002:c058:6301:: dev $WAN"
 +
</pre>
  
Keychain can ask you for your GPG passphrase if you provide it the GPG key ID. To find it out:
+
Then create the netif.6to4 symlink and add it to the default runlevel
 
<console>
 
<console>
$ gpg -k
+
###i## ln -s /etc/init.d/netif.tmpl /etc/init.d/netif.6to4
pub  2048R/DEADBEEF 2012-08-16
+
###i## rc-update add netif.6to4 default
uid                  Name (Comment) <email@host.tld>
+
###i## /etc/init.d/netif.6to4 start
sub  2048R/86D2FAC6 2012-08-16
+
 
</console>
 
</console>
  
Note the '''DEADBEEF''' above is the ID. Then, in your login script, do your usual
+
You should now be capable of connecting via IPv6:
 +
<console>
 +
###i## ping6 ipv6.google.com
 +
</console>
  
 +
To allow this host to be a router, a modified template is required:
 +
{{File
 +
|/etc/netif.d/ipv6-tunnel|<pre>
 +
#!/bin/sh
 +
 +
netif_pre_up() {
 +
        require local remote
 +
        try ip tunnel add $interface mode sit remote $remote local $local ttl 255
 +
        try ip addr add $ipaddr dev $interface
 +
        try ip addr add $ipaddr4 dev $interface
 +
}
 +
 +
netif_post_up() {
 +
        try ip route add ::/0 dev $interface
 +
}
 +
 +
netif_pre_down() {
 +
        ip route del ::/0 dev $interface
 +
}
 +
 +
netif_post_down() {
 +
        ip tunnel del $interface
 +
}
 +
</pre>}}
 +
 +
Then add the following line to <tt>/etc/conf.d/netif.6to4</tt>:
 +
{{File
 +
|/etc/conf.d/netif.6to4|<pre>
 +
ipaddr4="$ipv4/24"
 +
</pre>}}
 +
 +
After restarting the 6to4 interface radvd can be started:
 
<console>
 
<console>
keychain --dir ~/.ssh/.keychain ~/.ssh/id_rsa DEADBEEF
+
###i## /etc/init.d/netif.6to4 restart
source ~/.ssh/.keychain/$HOST-sh
+
###i## /etc/init.d/radvd start
source ~/.ssh/.keychain/$HOST-sh-gpg
+
 
</console>
 
</console>
  
== Learning More ==
+
== Optimization ==
  
The instructions above will work on any system that uses <tt>bash</tt> as its default shell, such as most Linux systems and Mac OS X.
+
=== Prefer IPv4 over IPv6 ===
  
To learn more about the many things that <tt>keychain</tt> can do, including alternate shell support, consult the keychain man page, or type <tt>keychain --help | less</tt> for a full list of command options.
+
Generally if your IPv6 connection is through a tunnel, it will be slower than an IPv4 connection. For this reason, if you are using an IPv6 tunnel, it can be best to configure your systems to ''prefer'' IPv4 if an IPv4 version of the site is available, and use IPv6 only when necessary. This way, you will avoid unnecessary encapsulation and de-encapsulation of IPv4 traffic. Here's how to do this for a number of operating systems:
 +
 
 +
==== Linux ====
 +
 
 +
Linux will prefer IPv6 if IPv6 support is enabled in the kernel. To prefer IPv4, edit <tt>/etc/gai.conf</tt> and add this line:
 +
{{File
 +
|/etc/gai.conf|<pre>
 +
precedence ::ffff:0:0/96 100
 +
</pre>}}
  
I also recommend you read my original series of articles about [http://www.openssh.com OpenSSH] that I wrote for IBM developerWorks, called <tt>OpenSSH Key Management</tt>. Please note that <tt>keychain</tt> 1.0 was released along with Part 2 of this article, which was written in 2001. <tt>keychain</tt> has changed quite a bit since then. In other words, read these articles for the conceptual and [http://www.openssh.com OpenSSH] information, but consult the <tt>keychain</tt> man page for command-line options and usage instructions :)
+
==== Windows 7, Server 2008, Vista ====
  
* [http://www.ibm.com/developerworks/library/l-keyc.html Common Threads: OpenSSH key management, Part 1] - Understanding RSA/DSA Authentication
+
These operating systems prefer IPv6 by default. See [http://msdn.microsoft.com/en-us/library/bb756941.aspx this link]. To prefer IPv4, use the following steps:
* [http://www.ibm.com/developerworks/library/l-keyc2/ Common Threads: OpenSSH key management, Part 2] - Introducing <tt>ssh-agent</tt> and <tt>keychain</tt>
+
* [http://www.ibm.com/developerworks/library/l-keyc3/ Common Threads: OpenSSH key management, Part 3] - Agent forwarding and <tt>keychain</tt> improvements
+
  
As mentioned at the top of the page, <tt>keychain</tt> development sources can be found in the [http://www.github.com/funtoo/keychain keychain git repository]. Please use the [http://groups.google.com/group/funtoo-dev funtoo-dev mailing list] and [irc://irc.freenode.net/funtoo #funtoo irc channel] for keychain support questions as well as bug reports.
+
# Start <tt>regedit</tt>.
 +
# Navigate to <tt>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP6\Parameters</tt>.
 +
# Create a new DWORD named <tt>DisabledComponents</tt>. Edit this new DWORD and set it to HEX value of <tt>20</tt> or a DECIMAL value of <tt>32</tt>.
 +
# Restart your computer.
  
== Project History ==
+
== ISPs who currently have IPv6 enabled for residential customers ==
  
Daniel Robbins originally wrote <tt>keychain</tt> 1.0 through 2.0.3. 1.0 was written around June 2001, and 2.0.3 was released in late August, 2002.
+
* Canada:
 +
** '''Videotron''': Videotron has a [http://support.videotron.com/residential/internet/ipv6/videotron-ipv6 beta-program] for residential customers who want to test IPv6 (no official technical support, it is possible they don't have enabled it in your area so check first before investing in new hardware). Although  at date of writing, a large part of their networks are IPv6, '''you must go through a 6rd tunnel''' because they still need to upgrade some of their equipments and '''your router must support the 6rd protocol''' (this requirement is documented). Videotron sells you a D-Link DIR-825 with a modified firmware however this model has a weird gotcha: it does not support IPv6 firewalling.''' This is not a Videotron specific issue''' (even the genuine firmwares coming  from the manufacturer has no support for IPv6 firewalling as of June 2011). A good alternative to recommend is the CISCO/LinkSYS E4200, more expensive (MSRP ~$180 US/CDN) but has IPv6 firewalling support.  Once the E4200 firmware has been upgraded go in Setup/IPv6 Setup disable "IPv6 - Automatic" (you should then see an IPv6 address in the DUID field) and leave "automatic" for the 6rd configuration. You should be in business and see all of the hosts on your network with an IPv6 stack enabled being assigned a public IPv6 address starting with 2607:f048.
 +
** '''Teksavvy''' : TekSavvy has a [http://teksavvy.com/ipv6 IPv6 beta-program] for residential customers who use their DSL service (no statement found for cable connections). Just ask them to enable IPv6 to your subscription and it should be available within the next 24 hours. Their IPv6 connectivity is native so you don't need to setup a tunnel.
 +
** '''Shaw''' (?)
 +
** '''Cogeco cable''' (?)
 +
** '''Telus''' (?)
 +
** '''Bell''' : Bell appears to have an official IPv6 support especially for its business subscribers (See http://ipv6.bell.ca) via a toolkit and various web pages on the subject.
  
After 2.0.3, <tt>keychain</tt> was maintained by various Gentoo developers, including Seth Chandler, Mike Frysinger and Robin H. Johnson, through July 3, 2003.
+
* France
 +
** '''Free'''
 +
** '''Nerim'''
 +
** '''the French Data Network (FDN)'''
 +
* United States:
 +
** '''Comcast''' (limited pilot in some areas only)
  
On April 21, 2004, Aron Griffis committed a major rewrite of <tt>keychain</tt> which was released as 2.2.0. Aron continued to actively maintain and improve <tt>keychain</tt> through October 2006 and the <tt>keychain</tt> 2.6.8 release. He also made a few commits after that date, up through mid-July, 2007. At this point, <tt>keychain</tt> had reached a point of maturity.
+
== Home routers compatible with IPv6 ==
  
In mid-July, 2009, Daniel Robbins migrated Aron's mercurial repository to git and set up a new project page on funtoo.org, and made a few bug fix commits to the git repo that had been collecting in [http://bugs.gentoo.org bugs.gentoo.org]. Daniel continues to maintain <tt>keychain</tt> and supporting documentation on funtoo.org, and plans to make regular maintenance releases of <tt>keychain</tt> as needed.
+
A few residential routers have support for IPv6 at date of writing and many more home networking devices will have robust IPv6 support in a more or less near futures. The following does not pretend to be exhaustive:
 +
* '''D-Link DIR-825 rev. 1B''' (June 2011): Has IPv6 support out of the box, however for somewhat reason the router has no support for IPv6 firewalling even with teh 2.05N revision of the firmware. Consequence for you is you have to deploy an IPv6 firewall on each of hosts concerned with a public IPv6 connectivity. The canadian ISP Videotron is selling a DIR-825 with a customized firmware as unfortunately, like with the genuine manufacturer firmware, no IPv6 firewalling possible :( .
 +
* '''CISCO/LinkSys E4200''' (June 2011): Advertised as being IPv6 compatible with a firmware update (available as of June 14th 2011 -> check for the version tagged 1.0.02 build 13 or later on the manufacturer website). The device supports native IPv6 and IPv6 through a 6rd tunnel (no support for any other tunneling protocol).
  
 +
== Resources ==
 +
*[http://ipv6.he.net/certification/cert-main.php free ipv6 certification program]
 +
*[http://ipv6-test.com/ Test ipv6 (ipv6-test.com)]
 +
*[http://test-ipv6.com/ Test ipv6 (test-ipv6.com)]
 +
*[http://www.comcast6.net/ Comcast's IPv6 page]
 +
*[http://tunnelbroker.net/ Hurricane Electric Tunnel Broker ]
 +
*[http://www.gentoo-wiki.info/HOWTO_IPv6 Gentoo Wiki IPv6 ]
 +
*[http://www.gentoo.org/doc/en/ipv6.xml Gentoo IPv6 Guide]
 +
with Apple airport extreme, etc:
 +
*[http://www.tunnelbroker.net/forums/index.php?topic=680.0 tunnelbroker.net forums post - airport config ]
 +
*[http://www.nedprod.com/Niall_stuff/addingIPv6toyourhome.html Adding IPv6 Support To Your Home]
 +
*[http://www.tunnelbroker.net/forums/index.php?topic=273.0 tunnelbroker.net forums post - Gentoo config (won't work in Funtoo)]
 +
Nice Overview over IPv6
 +
* [http://www.linux.com/learn/tutorials/428331-ipv6-crash-course-for-linux IPv6 Crash Course for Linux] and page 2 [http://www.linux.com/learn/tutorials/432537:another-ipv6-crash-course-for-linux-real-ipv6-addresses-routing-name-services IPv6 Crash Course for routing name services]
 +
* [http://livre.g6.asso.fr/index.php/Accueil IPv6 Théorie et Pratique (in french only)] revised online version of the O'Reilly book published in 2005 by a collective researchers and IT actors.
 
[[Category:HOWTO]]
 
[[Category:HOWTO]]
[[Category:Projects]]
+
[[Category:Networking]]
 +
[[Category:Featured]]

Revision as of 17:08, 24 January 2014

Contents

Introduction

IPv6 is an redesigned and improved version of the IPv4 protocol, and is intended to start replacing IPv4 in 2011 and beyond as the IPv4 global address space becomes exhausted. IPv6 includes a number of improvements over IPv4, including most notably 128-bit addressing, simplified protocol header, integrated IPSec and Multicast implementations, improved discovery, flexibility and router interaction, and improved facilities for auto-configuration. IPv6 also marks the end of Network Address Translation (NAT), which is not recommended or necessary with IPv6. While it's possible to use non-routable addresses with IPv6, this is not a requirement and it is possible for any IPv6 device to have its own globally routable IP address if desired.

Addressing

IPv6 addresses consist of 128 bits. The first 64 bits are used for the network and subnet portion of the address, while the remaining 64 bits are used for the host portion of the address. For more information on how to represent IPv6 addresses, please see the Presentation section of the IPv6 address page on Wikipedia.

Network Masks

IPv6 addresses also have an associated network mask, which is typically written as a trailing "/64" or "/48" at the end of the address, which specifies what bits of the address are used for network and subnet parts. For example, a "/48" mask specifies that addresses use a 48-bit network part, followed by a 16-bit subnet part (allowing for 2^16 subnets), followed by a 64-bit host part (allowing for up to 264 hosts for each of the 216 subnets to be specified.) In contrast, a "/64" mask specifies that addresses use a 64-bit network part, no subnet part, and a 64-bit host part (allowing up to 264 hosts total to be specified.) This means that if you are issued a "/64" set of addresses, you will not be able to define any subnets, but if you are issued a "/48" set of addresses, you will be able to define up to 216 subnets.

Address Space and Security

IPv6 also uses a global, flat address space. IPv6 is designed so that any device that needs to communicate on the Internet is able to have a unique globally-routable address. With IPv6, there is no need for using Network Address Translation (NAT). With IPv4, NAT is often used as a means of protecting systems from being accessed by malicious users. With IPv6, firewalls are typically used instead of NAT for restricting access to systems. With IPv6, it is normal for all machines on your home network to have "globally routable" addresses, the equivalent of a "public IP" in the world of IPv4. It is important to understand that this is the way that IPv6 is intended to be used for the majority of users, and that an IPv6-enabled router will no longer be performing NAT for you.

Using IPv6

There are several ways to use IPv6 with Funtoo Linux. Here are some possibilities:

  • Participating in an existing IPv6 network
  • Creating a local IPv6 over IPv4 tunnel
  • Enabling IPv6 on your router, possibly via a tunnel (several ISP uses 6rd...)
  • Unique Local IPv6 Unicast Addresses (site local)

Participating in IPv6 Network

The first approach is an option if your Funtoo Linux system happens to be on an IPv6 network, or you desire to set up an IPv6 network. In this case, the Funtoo Linux system simply needs to be configured to participate in this IPv6 network -- and can also participate in an IPv4 network simultaneously. If you will be configuring an IPv6-compatible router, then you will simply configure your Funtoo Linux system to participate in this network.

Local IPv6 over IPv4 Tunnel

Another approach for using IPv6 is to configure an IPv6 over IPv4 tunnel locally on your Funtoo Linux system, in cooperation with a tunnel provider. This will allow you to use an existing IPv4 network to connect a single Funtoo Linux system to IPv6. It is also possible to configure this system to serve as an IPv6 router.

Enabling IPv6 on Your Router

If you have a router that is capable of supporting IPv6, then it is possible to configure your router so that an IPv6 network is available, at which point you can simply configure your Funtoo Linux system to participate in it. Note that many popular home/office routers can be configured to use an IPv6 over IPv4 tunnel, which provides a convenient option for home networks or smaller organizations to participate in IPv6. Using this approach, your computer systems behind the router are simply configured to participate in an IPv6 network, and your router handles tunneling the IPv6 traffic back and forth between your tunnel provider. This is typically the most flexible option for exploring IPv6 as it allows you to have multiple computer systems in your home or office to participate in an IPv6 network while your router takes care of everything transparently.

Using Unique Local IPv6 Unicast Addresses

If you don't have public IPv6 connectivity or you don't wish to open an IPv6 tunnel over an IPv4 network, you can use a mechanism similar to IPv4 private addresses ranges. This mechanism consists of concatenating the prefix FC00::/7 with a globally unique identifier and a subnet identifier to form the upper 64 bits of the IPv6 address. Details of the mechanisms to forge a unique local IPv6 unicast address are documented in RFC 4193, however unique local IPv6 unicast addresses are made of the following components:

       | 7 bits |1|  40 bits   |  16 bits  |          64 bits           |
       +--------+-+------------+-----------+----------------------------+
       | Prefix |L| Global ID  | Subnet ID |        Interface ID        |
       +--------+-+------------+-----------+----------------------------+
  • Prefix (7 bits): always FC00::/7
  • L (1 bits): must be set to 1 (1 = prefix is locally assigned, 0 is undefined so far and must not be used)
  • Global ID: A random identifier (see RFC 4193 for details about the generation algorithm
  • Interface ID: Host interface ID as defined in RFC 3513
Note: Just like with private IPv4 addresses, an IPv6 router must not route a unique local IPv6 unicast address outside the organization local network.

Requirements

IPv6 requires CONFIG_IPV6 to be enabled in your kernel (either compiled in or as a module). If compiled as a module (e.g. if your kernel was compiled by genkernel), ensure the module is loaded.

# lsmod | grep ipv6

If this returns nothing, load the module with:

# modprobe ipv6

Commands

ping6
IPv6 ping command
route -6
show IPv6 routes
ip -6 neigh show
show all IPv6 neighbors on the local LAN

Configuration

Participating in an Existing IPv6 Network

If your local network already supports IPv6, then you can simply configure Funtoo Linux to participate in this IPv6 network. Here is a sample configuration that might be used to configure an ethernet interface (netif.eth0) to participate in both an IPv4 and IPv6 network:

template="interface"
ipaddr="10.0.1.200/24 2001:470:d:c2c:218:51ff:feea:ee21/64"
gateway="10.0.1.1"
nameservers="10.0.1.1 2001:470:20::2"
domain="funtoo.org"
multicast="yes"
routes="2000::/3 via fe80::daa2:5eff:fe7a:83de dev eth0"

Above, we use the interface template, and specify both an IPv4 and IPv6 address (with network mask) for ipaddr. In addition, an IPv4 and IPv6 nameserver is specified. For routing, we use the gateway command to specify an IPv4 gateway, while we use the routes command to specify a route to our router, which in this case has address fe80::daa2:5eff:fe7a:83de and is reachable on device eth0.

Note that we specify a route for "2000::/3" rather than "::/0" or "default", and this is a bit unusual. This is to work around a bug in many Linux kernels that prevents the default route from being handled properly. "2000::/3" maps to all routable IP addresses and has the benefit of being compatible with all Linux kernels.

Many Addresses and Stateless Autoconfiguration

Also note that if we did not specify an IPv6 address in the ipaddr variable, then eth0 would still get at least one IPv6 address anyway. First, it would get a link-local address, starting in fe80::/16, and it would also automatically use stateless autoconfiguration to grab an unused IPv6 address from the range used by your IPv6 router. This works similarly to the way a DHCP client works with IPv4, but is built-in to the IPv6 protocol and does not require a DHCP server to function. It works because with IPv6, routers send out ICMP packets to advertise themselves to systems on your network, and your Funtoo Linux system can use this information to automatically grab an unused address. It is important to understand this behavior because it means that by default, your Funtoo Linux system will grab a globally-routable ("public") IPv6 address from your router with no steps necessary on your part and thus may be accessible from the Internet if no firewall is in place. However, in most cases the default IPv6 route must be specified in the routes variable for IPv6 to function properly, so this auto-configuration isn't completely automatic at this time.

Local IPv6 over IPv4 Tunnelling

Tunnelling is the process of encapsulating IPv6 packets within an IPv4 packet so that it can be transmitted over an IPv4 network. This process happens at a local tunnel entry point, which can be a Linux machine or a router, such as an Apple AirPort. The packet then traverses the IPv4 network, until reaches the tunnel endpoint, which de-encapsulates the packet and places it on an IPv6 network. There are several different types of IPv6 tunnels. There are also several IPv6 tunnel providers that offer free tunnelling services, making it convenient to start using IPv6, even on your home network.

Note that if you want configure an IPv6 over IPv4 tunnel on your router, such as an Apple AirPort, then you will simply need to sign up with one of the tunnel providers and use their instructions to configure your router. At this point, your router will be IPv6 enabled and you can then configure your Funtoo Linux system to participate in an existing IPv6 network using the instructions in the previous section. If this is not an option for you, then it is also possible to set up the IPv6 over IPv4 tunnel directly on your Funtoo Linux system. This means that only your Funtoo Linux system will be able to participate in IPv6, at least to start (later, you could configure your Funtoo Linux system to route IPv6 for other machines on your network) Follow the instructions in this section to set up local tunneling on your Funtoo Linux system.

Tunnel providers

freenet6
Supports anonymous tunnels and works behind NAT. You can connect to with your login or as anonymous from anywhere. This can be configured under Funtoo Linux by emerging the net-misc/gogoc ebuild.
Hurricane Electric
Configured 6in4 tunnel, with support for dynamic IPv4 addresses, and Apple AirPorts can be configured to use this tunnel - see this link. Also see ipv6.he.net FAQ You can setup this tunnel with ifconfig and iproute2, or configure your router to be the tunnel entry point -- the point at which IPv6 traffic is encapsulated/de-encapsulated.
Teredo/Miredo
RFC4380 mandated transition mechanism. Works behind NAT. Assigns one "/128" per host.

Getting Started with gogoc

Freenet6 is a free IPv6 access service provided by gogo6 via the TSP tunnelling protocol. gogoc supports any TSP tunnel; perhaps one is provided by your ISP. We will focus on an anonymous tunnel via freenet6.

You need ipv6 to be enabled in your kernel as well as the TUN module.

You can quickly get started by emerging net-misc/gogoc, adding gogoc to your startup scripts and starting it. net-misc/gogoc is currently keyworded unstable (on some architectures, see gentoo bug #362549). If you are running stable Funtoo, you may want to put an entry into your package.keywords/package.accept_keywords file.

# emerge gogoc
# bzcat /usr/share/doc/gogoc-*/gogoc.conf.sample.bz2 >/etc/gogoc/gogoc.conf
# rc-update add gogoc default
# /etc/init.d/gogoc start

Note Note: By default, gogoc will use an anonymous tunnel. If you wish to authenticate yourself, read and edit /etc/gogoc/gogoc.conf.

Getting started with Teredo

While this mechanism is officially called Teredo, the implementation of the Teredo service we will be using is called Miredo. Note Note: net-misc/miredo is currently keyworded unstable. If you are running stable Funtoo, you may want to put an entry into your package.keywords/package.accept_keywords file.}}

Emerge net-misc/miredo and start it up (you can add it to your default runlevel if you wish):

# emerge net-misc/miredo
# /etc/init.d/miredo start

Note Note: Miredo requires CONFIG_TUN enabled in your kernel. If it is compiled as a module, ensure the tun module is loaded.

If all goes well, you can check the assignment of an IPv6 address using /sbin/ip, for example:

# /sbin/ip addr show dev teredo
4: teredo: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc pfifo_fast state UNKNOWN qlen 500
    link/none 
    inet6 2001:0:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/32 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::ffff:ffff:ffff/64 scope link 
       valid_lft forever preferred_lft forever

Tunnelling 6to4

6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6, a system that allows IPv6 packets to be transmitted over an IPv4 network (generally the IPv4 Internet) without the need to configure explicit tunnels. When using 6to4 your IPv6 golablly addressable IP is generated from you IPv4 IP address.

The anycast address of 192.88.99.1 has been allocated for the purpose of sending packets to a 6to4 relay router. Note that when converted to a 6to4 IPv6 address with the subnet and hosts fields set to zero this IPv4 address (192.88.99.1) becomes the IPv6 address 2002:c058:6301::.

To use the funtoo network template method, write the config file for the interface /etc/conf.d/netif.6to4 (which will also handle the converting of your IPv4 address to your IPv6 address). Make sure you change "WAN" to your correct internet facing interface.

template=ipv6-tunnel
WAN="eth0"
MTU="1280" 
ipv4=`ifconfig $WAN | sed -ne 's/[[:space:]]*inet addr:\([0-9.]*\).*/\1/p'`
ipv6=`printf "2002:%02x%02x:%02x%02x::1" \`echo $ipv4 | tr "." " "\``
remote=192.88.99.1
local="$ipv4/24"
ipaddr="$ipv6/48"
routes="2000::/3 via 2002:c058:6301:: dev $WAN"

Then create the netif.6to4 symlink and add it to the default runlevel

# ln -s /etc/init.d/netif.tmpl /etc/init.d/netif.6to4
# rc-update add netif.6to4 default
# /etc/init.d/netif.6to4 start

You should now be capable of connecting via IPv6:

# ping6 ipv6.google.com

To allow this host to be a router, a modified template is required:

#!/bin/sh

netif_pre_up() {
        require local remote
        try ip tunnel add $interface mode sit remote $remote local $local ttl 255
        try ip addr add $ipaddr dev $interface
        try ip addr add $ipaddr4 dev $interface
}

netif_post_up() {
        try ip route add ::/0 dev $interface
}

netif_pre_down() {
        ip route del ::/0 dev $interface
}

netif_post_down() {
        ip tunnel del $interface
}

Then add the following line to /etc/conf.d/netif.6to4:

ipaddr4="$ipv4/24"

After restarting the 6to4 interface radvd can be started:

# /etc/init.d/netif.6to4 restart
# /etc/init.d/radvd start

Optimization

Prefer IPv4 over IPv6

Generally if your IPv6 connection is through a tunnel, it will be slower than an IPv4 connection. For this reason, if you are using an IPv6 tunnel, it can be best to configure your systems to prefer IPv4 if an IPv4 version of the site is available, and use IPv6 only when necessary. This way, you will avoid unnecessary encapsulation and de-encapsulation of IPv4 traffic. Here's how to do this for a number of operating systems:

Linux

Linux will prefer IPv6 if IPv6 support is enabled in the kernel. To prefer IPv4, edit /etc/gai.conf and add this line:

precedence ::ffff:0:0/96 100

Windows 7, Server 2008, Vista

These operating systems prefer IPv6 by default. See this link. To prefer IPv4, use the following steps:

  1. Start regedit.
  2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP6\Parameters.
  3. Create a new DWORD named DisabledComponents. Edit this new DWORD and set it to HEX value of 20 or a DECIMAL value of 32.
  4. Restart your computer.

ISPs who currently have IPv6 enabled for residential customers

  • Canada:
    • Videotron: Videotron has a beta-program for residential customers who want to test IPv6 (no official technical support, it is possible they don't have enabled it in your area so check first before investing in new hardware). Although at date of writing, a large part of their networks are IPv6, you must go through a 6rd tunnel because they still need to upgrade some of their equipments and your router must support the 6rd protocol (this requirement is documented). Videotron sells you a D-Link DIR-825 with a modified firmware however this model has a weird gotcha: it does not support IPv6 firewalling. This is not a Videotron specific issue (even the genuine firmwares coming from the manufacturer has no support for IPv6 firewalling as of June 2011). A good alternative to recommend is the CISCO/LinkSYS E4200, more expensive (MSRP ~$180 US/CDN) but has IPv6 firewalling support. Once the E4200 firmware has been upgraded go in Setup/IPv6 Setup disable "IPv6 - Automatic" (you should then see an IPv6 address in the DUID field) and leave "automatic" for the 6rd configuration. You should be in business and see all of the hosts on your network with an IPv6 stack enabled being assigned a public IPv6 address starting with 2607:f048.
    • Teksavvy : TekSavvy has a IPv6 beta-program for residential customers who use their DSL service (no statement found for cable connections). Just ask them to enable IPv6 to your subscription and it should be available within the next 24 hours. Their IPv6 connectivity is native so you don't need to setup a tunnel.
    • Shaw (?)
    • Cogeco cable (?)
    • Telus (?)
    • Bell : Bell appears to have an official IPv6 support especially for its business subscribers (See http://ipv6.bell.ca) via a toolkit and various web pages on the subject.
  • France
    • Free
    • Nerim
    • the French Data Network (FDN)
  • United States:
    • Comcast (limited pilot in some areas only)

Home routers compatible with IPv6

A few residential routers have support for IPv6 at date of writing and many more home networking devices will have robust IPv6 support in a more or less near futures. The following does not pretend to be exhaustive:

  • D-Link DIR-825 rev. 1B (June 2011): Has IPv6 support out of the box, however for somewhat reason the router has no support for IPv6 firewalling even with teh 2.05N revision of the firmware. Consequence for you is you have to deploy an IPv6 firewall on each of hosts concerned with a public IPv6 connectivity. The canadian ISP Videotron is selling a DIR-825 with a customized firmware as unfortunately, like with the genuine manufacturer firmware, no IPv6 firewalling possible :( .
  • CISCO/LinkSys E4200 (June 2011): Advertised as being IPv6 compatible with a firmware update (available as of June 14th 2011 -> check for the version tagged 1.0.02 build 13 or later on the manufacturer website). The device supports native IPv6 and IPv6 through a 6rd tunnel (no support for any other tunneling protocol).

Resources

with Apple airport extreme, etc:

Nice Overview over IPv6