Linux IPv6 Configuration

Linux, Network
Published: November 30, 2023
Modified: November 30, 2023

IPv6 supersedes IPv4 (also known as IP), RFC 2460 …modern Linux distributions already contain IPv6-ready kernels. Most network devices support dual-stacking …interoperate equally with IPv4 and IPv6 devices …transition is driven by DNS, depending on which address type it responds with.

# ...test if the kernel supports IPv6 
test -f /proc/net/if_inet6 && echo "Running kernel is IPv6 ready"

# ...check if the kernel module is loaded
lsmod | grep -w 'ipv6' && echo "IPv6 module successfully loaded"

Kernel settings to completely disable IPv6…

# ...requires a reboot to take effect
cat > /etc/sysctl.d/40-ipv6-disable.conf <<EOF
net.ipv6.conf.all.disable_ipv6 = 1
EOF

# ...disable IPv6 at runtime
sysctl -w net.ipv6.conf.all.disable_ipv6=1
echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

128 bit addresses

Header redesign …128 bit addresses…

  • …provide each network device with a global address in the future
  • …best choice regarding header overhead and data transport (compared to IPv8 or IPv16)
  • …64 bits are used for routing …network part (upper 64 bits)
  • …64 bits are used for interface identifiers …host part (lower 64 bits)

# ...decimal number up to 39 digits
2^128-1: 340282366920938463463374607431768211455

# ...32 characters in hexadecimal
2^128-1: 0xffffffffffffffffffffffffffffffff

# ...colon as separator after each block of 16 bits
2^128-1: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

# ...example of a usable address
2001:0db8:0100:f101:0210:a4ff:fee3:9566

# ...leading zeros of each 16 bit block can be omitted
2001:db8:100:f101:210:a4ff:fee3:9566

# ...sequence of 16 bit blocks containing only zeroes can be replaced with "::"
2001:0db8:100:f101:0:0:0:1 -> 2001:db8:100:f101::1

# ...any ...or "0.0.0.0" in IPv4
0000:0000:0000:0000:0000:0000:0000:0000 -> ::

# ...localhost
0000:0000:0000:0000:0000:0000:0000:0001 -> ::1

Split into network and host parts using subnet masks …network part, also known as prefix

| Address | Description |
|---|---|
| fe8x: | Link local …valid on a link of an interface …never pass through a router |
| fecx: | Site local …like private Internets in IPv4 …comparable to 10.0.0.0/8 |
| fdxx: | Unicast addresses |
| ffxy: | Multicast addresses (y indicates the scope) |
| 2xxx: or 3xxx: | Global address (x are hex characters) |
| 2001: | Hierarchical routing …delegated to Internet service providers (ISP) |
| 2002: | 6to4 addresses …special tunneling mechanism …encode IPv4 address/subnet |
| 3fff:ffff::/32 | Example and documentation addresses |

Support for embedded IPv4 addresses …special prefix of length 96

# ...a.b.c.d is the IPv4 address
0:0:0:0:0:ffff:a.b.c.d/96 -> ::ffff:a.b.c.d/96

# IPv4-compatible IPv6 addresses ...used for automatic tunneling
0:0:0:0:0:0:a.b.c.d/96 -> ::a.b.c.d/96

Address Assignment

Assign a globally unique address to communicate outside its local segment…

| Option | Description |
|---|---|
| Manual | Configure an IPv6 address manually …not scalable |
| DHCPv6 | DHCP server dynamically assigning addresses to hosts |
| SLAAC | IPv6 auto-addressing …defined in RFC 4862 |

DHCPv6

Stateful address assignment where the DHCPv6 server (UDP port 546) keeps records of which client receives a lease for an IPv6 address.

SLAAC

Stateless address auto-configuration (SLAAC) …in an IPv6 enabled network. Each host on the network auto-configures a unique IPv6 address …no central server that keeps track of assignment (stateful) …does not provide DNS server addresses to hosts.

Prerequisites for SLAAC…

  1. Auto-configure link-local address …enables Layer-3 communication in the local segment …combining link-local prefix fe80::/64 …with EUI-64 interface identifier generated from the interface MAC-address
  2. Ensure that the link-local address is unique (using DAD)

# ...interface MAC-address
70:07:12:34:56:78

# ...insert 0xfffe in the middle
7007 12ff fe34 5678

# ...flip the 7th bit of the address to create an EUI-64 identifier
7207 12ff fe34 5678

# ...combine with link-local prefix
fe80::7207:12ff:fe34:5678/64

Auto-Configuration

Use link-local address to…

  1. Send an ICMPv6 message called Router Solicitation (RS) …ask routers of this network segment about the global unicast prefix. The response, called Router Advertisement (RA), …includes the global IPv6 prefix on the link and the prefix length.
  2. Configure the host global unicast address …combine the advertised prefix with the EUI-64 interface identifier. Set the responding router as IPv6 default gateway.
  3. Host joins the auto-generated solicited-node multicast group …ensure the unicast address is unique by sending an ICMPv6 message called Neighbor Solicitation. Wait to see if a node replies …otherwise start to communicate outside the local segment.

Router advertisement flags …where to get DNS information?

| Flag | Description |
|---|---|
| M | Set to 1 …use DHCPv6 server for addresses and DNS information |
| O | Set to 1 …auto-configure address via SLAAC …ask the DHCP server for DNS information |
| Prf | Default router preference …determine which router to prefer as a default gateway |
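
The auto-configuration steps and the M, O and Prf flags above, worked through on a constructed Router Advertisement: decode the flags, then form the global address and the solicited-node group used for the uniqueness check. This is an added example, not code from the original page. The function names, the sample bytes and the check of the prefix option's A (autonomous) flag are assumptions of the example, and the ICMPv6 checksum is left at zero and not verified.

```python
import ipaddress
import struct

# Added example; function names are illustrative, sample bytes are constructed.
PRF = {0b00: "medium", 0b01: "high", 0b11: "low", 0b10: "reserved"}

def parse_ra(icmp: bytes) -> dict:
    """Decode the flags and the first Prefix Information option of an RA."""
    msg_type, _, _, _, flags, _, _, _ = struct.unpack_from("!BBHBBHII", icmp)
    if msg_type != 134:
        raise ValueError("not a Router Advertisement (ICMPv6 type 134)")
    ra = {"M": bool(flags & 0x80), "O": bool(flags & 0x40),
          "Prf": PRF[(flags >> 3) & 0x3], "prefix": None, "autonomous": False}
    offset = 16                                  # options follow the fixed header
    while offset + 2 <= len(icmp):
        opt_type, opt_len = icmp[offset], icmp[offset + 1] * 8
        if opt_len == 0 or offset + opt_len > len(icmp):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:      # Prefix Information option
            plen, pflags = icmp[offset + 2], icmp[offset + 3]
            ra["prefix"] = ipaddress.IPv6Network((icmp[offset + 16:offset + 32], plen))
            ra["autonomous"] = bool(pflags & 0x40)   # A flag: usable for SLAAC
            break
        offset += opt_len
    return ra

def config_plan(ra: dict) -> dict:
    """Sources for addresses and DNS, following the M and O flags."""
    address = (["SLAAC"] if ra["autonomous"] else []) + (["DHCPv6"] if ra["M"] else [])
    return {"address": address, "dns": "DHCPv6" if ra["M"] or ra["O"] else None}

def autoconfigure(ra: dict, iid: int):
    """Global address (prefix + identifier) and its solicited-node group."""
    addr = ipaddress.IPv6Address(int(ra["prefix"].network_address) | iid)
    group = int(ipaddress.IPv6Address("ff02::1:ff00:0")) | (int(addr) & 0xFFFFFF)
    return addr, ipaddress.IPv6Address(group)

# Constructed sample: O=1, Prf=high, one source link-layer option, one /64 prefix.
SAMPLE_RA = (
    struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x48, 1800, 0, 0)
    + struct.pack("!BB6s", 1, 1, bytes.fromhex("00005e005301"))
    + struct.pack("!BBBBIII16s", 3, 4, 64, 0xC0, 2592000, 604800, 0,
                  ipaddress.IPv6Address("2001:db8:100:f101::").packed)
)

if __name__ == "__main__":
    ra = parse_ra(SAMPLE_RA)
    print(ra, config_plan(ra))
    print(*autoconfigure(ra, 0x720712FFFE345678))
```

The interface identifier passed to `autoconfigure` is the EUI-64 value derived earlier on the page (7207:12ff:fe34:5678).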

Privacy Extensions

RFC 4941 …prevents deriving the MAC address of a device from its IPv6 address. The Linux kernel generates a temporary address mangled from the original auto-configured address (requires reboot to take effect).

# Enable IPv6 Privacy Extensions
cat > /etc/sysctl.d/40-ipv6.conf <<EOF
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
EOF

/etc/dhcpcd.conf …supports a slaac private option implementing RFC 7217, to change the address each time the host is connected to a network. Use the slaac hwaddr option for a stable address.

# ...same for NetworkManager
cat > /etc/NetworkManager/conf.d/ip6-privacy.conf <<EOF
[connection]
ipv6.ip6-privacy=2
EOF

# ...or systemd-networkd
cat > /etc/systemd/networkd.conf.d/ipv6-privacy-extensions.conf <<EOF
[Network]
IPv6PrivacyExtensions=yes
EOF
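
Why the privacy settings above matter, using the EUI-64 derivation from the SLAAC section: the same steps run backwards recover the MAC address from any address built that way. This is an added example, not code from the original page; the function names and the sample address list are assumptions, and the temporary-style identifier in the sample is constructed.

```python
import ipaddress

# Added example; function names are illustrative, not from the page.
def mac_to_eui64(mac: str) -> int:
    """64-bit modified EUI-64 interface identifier for a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])  # insert 0xfffe
    eui[0] ^= 0x02                                           # flip the 7th bit
    return int.from_bytes(eui, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 identifier derived from mac."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 identifier fills the lower 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_eui64(mac))

def embedded_mac(address: str):
    """MAC recoverable from an address, or None if the identifier hides it."""
    host = address.split("/")[0].split("%")[0]      # drop prefix length, zone
    iid = (int(ipaddress.IPv6Address(host)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":                     # no EUI-64 marker
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02                                  # undo the bit flip
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses):
    """Addresses whose lower 64 bits still reveal the hardware address."""
    pairs = ((a, embedded_mac(a)) for a in addresses)
    return {a: mac for a, mac in pairs if mac}

# Constructed sample, shaped like the inet6 column of `ip -6 addr`.
SAMPLE = [
    "fe80::7207:12ff:fe34:5678/64",              # link-local from the page
    "2001:db8:100:f101:210:a4ff:fee3:9566/64",   # the page's example address
    "2001:db8:100:f101:5c3a:91e7:2b0d:44f6/64",  # temporary-style identifier
    "2001:db8:100:f101::1/64",                   # manually assigned
]

if __name__ == "__main__":
    print(slaac_address("fe80::/64", "70:07:12:34:56:78"))
    for addr, mac in audit(SAMPLE).items():
        print(f"{addr} embeds MAC {mac}")
```

The `ff:fe` marker is a heuristic: a randomly generated identifier matches it by chance about once in 65536 addresses.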

IPv6 Linux Tools

Normally included in the iputils package

ping6

Included in the iputils package …simple transport tests

  • …sends ICMPv6 echo-request packets …waits for ICMPv6 echo-reply packets
  • …needs raw access to socket and therefore root permissions

# ...localhost
ping6 -c 1 ::1

# ...required to specify an interface
ping6 -I eth0 -c 1 fe80::2e0:18ff:fe90:9205
ping6 -c 1 fe80::2e0:18ff:fe90:9205%eth0

tracepath6

Traces the path to a given destination …discover MTU along this path

  • …does not require superuser privileges
  • …first column shows TTL of the probe
  • …second column shows the network hop (address of router)
  • …rest of line miscellaneous information …can show Path MTU

tracepath ipv6.google.com
tracepath 2a00:1450:4001:827::200e

# ...note that new versions of traceroute have support for IPv6
traceroute -I -n ipv6.google.com

ip

The iproute package supports IPv6 network device configuration

# ...locally configured ipv6 address ...includes link-local address
ip -6 addr
ip -6 addr show dev $interface

# ...show global reachable addresses
ip -6 addr show scope global 

# ...add & remove IPv6 interface addresses 
ip -6 addr add $address/$prefix dev $interface
ip -6 addr add 2001:0db8:0:f101::1/64 dev eth0
ip -6 addr del 2001:0db8:0:f101::1/64 dev eth0

# ...display IPv6 routes
ip -6 route show
ip -6 route show dev $interface

# ...route through an IPv6 gateway
ip -6 route add $network/$prefix via $address
ip -6 route add default via 2001:0db8:0:f101::1
ip -6 route show | grep ^default

# ...display neighbors
ip -6 neigh show

DNS Resolution

# forward lookup
dig AAAA +short $hostname

# reverse lookup
dig +short -x $ipv6_address

Hostname mapped to IPv6 addresses by AAAA resource records

  • …dual-stack hosts send two DNS requests A and AAAA.
  • …preferences configure address selection rules (RFC 6724)

The ip6.arpa reverse zone is needed for DNS reverse records.

Dual-Stack

Operate both protocols - IPv4 and IPv6 - side by side, which is useful as a transition path to IPv6-only networks. Dual stack provides reachability for both address families:

  • IPv6-capable hosts are configured with IPv4 and IPv6
  • IPv4-only applications are only reachable via IPv4
  • IPv6-only applications are only reachable via IPv6

New connections determine the source protocol by the following rules:

  1. Use a native IPv6 connection
  2. Use a native IPv4 connection
  3. If there are no native connections, fall back to NATted IPv4
  4. If everything fails, use a tunneled IPv6 connection