Linux IPv6 Configuration
IPv6 [1] supersedes IPv4 (also known as IP), RFC 2460 [2] …modern Linux distributions already contain IPv6-ready kernels. Most network devices support dual-stacking …interoperate equally with IPv4 and IPv6 devices …transition is driven by DNS, depending on the address returned in the response.
# ...test if the kernel supports IPv6
test -f /proc/net/if_inet6 && echo "Running kernel is IPv6 ready"
# ...check if the kernel module is loaded
lsmod | grep -w 'ipv6' && echo "IPv6 module successfully loaded"
Kernel settings [3] to completely disable IPv6…
# ...requires a reboot to take effect
cat > /etc/sysctl.d/40-ipv6-disable.conf <<EOF
net.ipv6.conf.all.disable_ipv6 = 1
EOF
# ...disable IPv6 at runtime
sysctl -w net.ipv6.conf.all.disable_ipv6=1
echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
128 bit addresses
Header redesign …128 bit addresses…
- …provide each network device with a global address in the future
- …best choice regarding header overhead and data transport (compared to IPv8 or IPv16)
- …64 bits are used for routing …network part (upper 64 bits)
- …64 bits are used for interface identifiers …host part (lower 64 bits)
# ...decimal number up to 39 digits
2^128-1: 340282366920938463463374607431768211455
# ...32 characters in hexadecimal
2^128-1: 0xffffffffffffffffffffffffffffffff
# ...colon as separator after each block of 16 bits
2^128-1: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
# ...example of a usable address
2001:0db8:0100:f101:0210:a4ff:fee3:9566
# ...leading zeros of each 16 bit block can be omitted
2001:db8:100:f101:210:a4ff:fee3:9566
# ...sequence of 16 bit blocks containing only zeroes can be replaced with "::"
2001:0db8:100:f101:0:0:0:1 -> 2001:db8:100:f101::1
# ...any ...or "0.0.0.0" in IPv4
0000:0000:0000:0000:0000:0000:0000:0000 -> ::
# ...localhost
0000:0000:0000:0000:0000:0000:0000:0001 -> ::1
Split into network and host parts using subnet masks …network part, also known as prefix
Address | Description |
---|---|
fe8x: | Link local …valid on a link of an interface …never pass through a router |
fecx: | Site local …like private Internets in IPv4 …comparable to 10.0.0.0/8 |
fdxx: | Unicast addresses |
ffxy: | Multicast addresses (y indicates the scope) |
2xxx: or 3xxx: | Global address (x are hex characters) |
2001: | Hierarchical routing …delegated to Internet service providers (ISP) |
2002: | 6to4 addresses …special tunneling mechanism …encode IPv4 address/subnet |
3fff:ffff::/32 | Example and documentation addresses |
Support for embedded IPv4 addresses …special prefix of length 96
# ...a.b.c.d is the IPv4 address
0:0:0:0:0:ffff:a.b.c.d/96 -> ::ffff:a.b.c.d/96
# IPv4-compatible IPv6 addresses ...used for automatic tunneling
0:0:0:0:0:0:a.b.c.d/96 -> ::a.b.c.d/96
Address Assignment
Assign a globally unique address to communicate outside its local segment…
Option | Description |
---|---|
Manual | Configure an IPv6 address manually …not scalable |
DHCPv6 | DHCP server dynamically assigning addresses to hosts |
SLAAC | IPv6 auto-addressing …defined in RFC 4862 |
DHCPv6
Stateful address assignment where the DHCPv6 server (UDP port 546) keeps a record of which client receives a lease for an IPv6 address.
SLAAC
Stateless address auto-configuration (SLAAC) …in an IPv6 enabled network. Each host on the network auto-configures a unique IPv6 address …no central server that keeps track of assignment (stateful) …does not provide DNS server addresses to hosts.
Prerequisites for SLAAC…
- Auto-configure link-local address …enables Layer-3 communication in the local segment …combining link-local prefix fe80::/64 …with EUI-64 interface identifier generated from the interface MAC-address
- Ensure that the link-local address is unique (using DAD)
# ...interface MAC-address
70:07:12:34:56:78
# ...insert 0xfffe in the middle
7007 12ff fe34 5678
# ...flip the 7th bit of the address to create an EUI-64 identifier
7207 12ff fe34 5678
# ...combine with link-local prefix
fe80::7207:12ff:fe34:5678/64
Auto-Configuration
Use link-local address to…
- Send an ICMPv6 message called Router Solicitation (RS) …ask routers of this network segment about the global unicast prefix. The response is called Router Advertisement (RA) …includes the global IPv6 prefix on the link and the prefix length.
- Configure the host global unicast address …combine the advertised prefix with the EUI-64 interface identifier. Set the responding router as IPv6 default gateway.
- Host joins the auto-generated solicited-node multicast group …ensure the unicast address is unique by sending an ICMPv6 message called Neighbor Solicitation. Wait to see if a node replies back …otherwise start to communicate outside the local segment.
Router advertisement flags …where to get DNS information?
Flag | Description |
---|---|
M | Set to 1 …use DHCPv6 server for addresses and DNS information |
O | Set to 1 …auto-configure address via SLAAC …ask the DHCP server for DNS information |
Prf | Default router preference …determine which router to prefer as a default gateway |
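The flags from the table above, read out of raw Router Advertisement bytes together with the advertised prefix. This is an added example, not part of the original page: the sample RA is constructed, the checksum is not verified, and the names parse_ra, dns_source and sample_ra are hypothetical. Field offsets follow RFC 4861 and the Prf encoding follows RFC 4191.

```python
import ipaddress
import struct

# Prf is a 2-bit field in the RA flags byte (RFC 4191 encoding)
PRF = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "reserved"}

def parse_ra(msg: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (type 134) message body."""
    if len(msg) < 16 or msg[0] != 134:
        raise ValueError("not a Router Advertisement")
    _hop_limit, flags, lifetime = struct.unpack_from("!BBH", msg, 4)
    ra = {"M": bool(flags & 0x80), "O": bool(flags & 0x40),
          "Prf": PRF[(flags >> 3) & 0b11],
          "router_lifetime": lifetime, "prefixes": []}
    off = 16                                  # options follow the fixed header
    while off + 2 <= len(msg):
        opt_type, opt_len = msg[off], msg[off + 1] * 8   # length in 8-byte units
        if opt_len == 0 or off + opt_len > len(msg):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:   # Prefix Information option
            plen, pflags = msg[off + 2], msg[off + 3]
            net = ipaddress.IPv6Network((msg[off + 16:off + 32], plen), strict=False)
            ra["prefixes"].append({"prefix": str(net),
                                   "autonomous": bool(pflags & 0x40)})
        off += opt_len
    return ra

def dns_source(ra: dict) -> str:
    """Where the host gets addresses and DNS, per the M/O flag table."""
    if ra["M"]:
        return "DHCPv6 for addresses and DNS"
    if ra["O"]:
        return "SLAAC address, DHCPv6 for DNS"
    return "SLAAC address, no DNS from DHCPv6"

def sample_ra() -> bytes:
    """Constructed sample: O=1, Prf=high, lifetime 1800 s, one /64 prefix."""
    header = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x48, 1800, 0, 0)
    prefix = ipaddress.IPv6Address("2001:db8:100:f101::").packed
    option = struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 86400, 14400, 0) + prefix
    return header + option

if __name__ == "__main__":
    ra = parse_ra(sample_ra())
    print(ra, "->", dns_source(ra))
```

An RA whose prefix, flags or preference differ from what the segment's routers are configured to send is worth investigating, since hosts act on whatever RA they receive.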
Privacy Extensions
(RFC 4941) …prevent the possibility of deriving the MAC address of a device from its IPv6 address. The Linux kernel generates a temporary address mangled from the original auto-configured address (requires reboot to take effect).
# Enable IPv6 Privacy Extensions
cat > /etc/sysctl.d/40-ipv6.conf <<EOF
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
EOF
/etc/dhcpcd.conf …supports a slaac private option implementing RFC7217, to change the address each time the host is connected to a network. Use the slaac hwaddr option for a stable address.
# ...same for NetworkManager
cat > /etc/NetworkManager/conf.d/ip6-privacy.conf <<EOF
[connection]
ipv6.ip6-privacy=2
EOF
# ...or systemd-networkd
cat > /etc/systemd/networkd.conf.d/ipv6-privacy-extensions.conf <<EOF
[Network]
IPv6PrivacyExtensions=yes
EOF
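The EUI-64 derivation from the SLAAC section and the reverse step that Privacy Extensions are meant to prevent, as one added example (not part of the original page). The function names are hypothetical and SAMPLE is constructed output in the style of `ip -6 -o addr`, not captured from a real host.

```python
import ipaddress
import re

def eui64_interface_id(mac: str) -> bytes:
    """Build the 64-bit interface identifier from a 48-bit MAC address."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # insert ff:fe in the middle, then flip the 7th bit (0x02) of the first byte
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]

def slaac_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 identifier of the MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC expects a /64 prefix")
    return str(net.network_address + int.from_bytes(eui64_interface_id(mac), "big"))

def mac_from_address(addr: str):
    """Return the MAC an address reveals, or None if it is not EUI-64 based.

    Heuristic: a random identifier can contain ff:fe at this position by chance.
    """
    iid = ipaddress.IPv6Address(addr.split("%")[0]).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)

def audit(ip_output: str) -> dict:
    """Map each inet6 address in `ip -6 -o addr` style output to its leaked MAC."""
    found = re.findall(r"inet6 ([0-9a-fA-F:]+)/\d+", ip_output)
    return {a: mac_from_address(a) for a in found}

# Constructed sample output (not captured from a real host)
SAMPLE = """\
2: eth0    inet6 2001:db8:100:f101:5c3a:91d2:7be4:1f06/64 scope global temporary dynamic
2: eth0    inet6 2001:db8:100:f101:7207:12ff:fe34:5678/64 scope global dynamic mngtmpaddr
2: eth0    inet6 fe80::7207:12ff:fe34:5678/64 scope link
"""

if __name__ == "__main__":
    print(slaac_address("fe80::/64", "70:07:12:34:56:78"))
    for addr, mac in audit(SAMPLE).items():
        print(addr, "->", mac or "no MAC derivable")
```

With use_tempaddr = 2 the temporary address is preferred for outgoing connections, while the EUI-64 based addresses stay configured on the interface, which is why the audit still reports them.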
IPv6 Linux Tools
Normally included in the iputils package [4]…
ping6
Included in the iputils package …simple transport tests
- …sends ICMPv6 echo-request packets …waits for ICMPv6 echo-reply packets
- …needs raw access to socket and therefore root permissions
# ...localhost
ping6 -c 1 ::1
# ...required to specify an interface
ping6 -I eth0 -c 1 fe80::2e0:18ff:fe90:9205
ping6 -c 1 fe80::2e0:18ff:fe90:9205%eth0
tracepath6
Traces the path to a given destination …discover MTU along this path
- …does not require superuser privileges
- …first column shows TTL of the probe
- …second column shows the network hop (address of router)
- …rest of line miscellaneous information …can show Path MTU
tracepath ipv6.google.com
tracepath 2a00:1450:4001:827::200e
# ...note that new versions of traceroute have support for IPv6
traceroute -I -n ipv6.google.com
ip
The iproute package supports IPv6 network device configuration
# ...locally configured ipv6 address ...includes link-local address
ip -6 addr
ip -6 addr show dev $interface
# ...show global reachable addresses
ip -6 addr show scope global
# ...add & remove IPv6 interface addresses
ip -6 addr add $address/$prefix dev $interface
ip -6 addr add 2001:0db8:0:f101::1/64 dev eth0
ip -6 addr del 2001:0db8:0:f101::1/64 dev eth0
# ...display IPv6 routes
ip -6 route show
ip -6 route show dev $interface
# ...route through an IPv6 gateway
ip -6 route add $network/$prefix via $address
ip -6 route add default via 2001:0db8:0:f101::1
ip -6 route show | grep ^default
# ...display neighbors
ip -6 neigh show
DNS Resolution
# forward lookup
dig AAAA +short $hostname
# reverse lookup
dig +short -x $ipv6_address
Hostname mapped to IPv6 addresses by AAAA resource records…
- …dual-stack hosts send two DNS requests, A and AAAA.
- …preferences configure address selection rules (RFC 6724)
The ip6.arpa reverse zone is needed for DNS reverse records.
Dual-Stack
Operate both protocols - IPv4 and IPv6 - side by side, which is useful as a transition path to IPv6-only networks. Dual stack provides reachability for both address families:
- IPv6-capable hosts are configured with IPv4 and IPv6
- IPv4-only applications are only reachable via IPv4
- IPv6-only applications are only reachable via IPv6
New connections determine the source protocol by the following rules:
- Use a native IPv6 connection
- Use a native IPv4 connection
- If there are no native connections, fall back to NATted IPv4
- If everything fails, use a tunneled IPv6 connection
Footnotes
[1] Linux IPv6 HOWTO, https://tldp.org/HOWTO/Linux+IPv6-HOWTO
[2] RFC 2460 - Internet Protocol, Version 6 (IPv6) Specification, http://www.faqs.org/rfcs/rfc2460.html
[3] IPv6 Kernel Settings, https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch11s02.html
[4] Fedora iputils Package, https://packages.fedoraproject.org/pkgs/iputils/iputils