# IP 6 anyone ?

## ScarletPimpFromHell

The Australian Government has released a tender this morning for a fibre installation network to residential parts of Tasmania as part of their National Broadband Network initiative.

I'm well aware that "fibre to the home" networks are nothing new and that most European countries, Japan and North America have had fibre distribution to residential parts of their cities for quite some time.

What has occurred to me is that by the time it is readily available to Australian households the current IP 4 address space might well have been exhausted. This could be quite embarrassing for our current Government, not to mention absolutely disastrous for the thousands of households wanting to use the fibre broadband network.

So I wanted to put a few questions out there for the general community.

1) Is fiber broadband available in your neck of the woods?

2) If you are using it, does your ISP have anything to say about using IP 6?

3) In general are you aware of or ready for IP 6?

----------

## poly_poly-man

I've never seen ipv6 properly configured - I have -ipv6 in my USE (tried it once for my home network, realized it was far too hard to get working, gave up, and got annoyed when ipv6 support made my system not boot without serious manual intervention).

Supposedly, my brother's old college campus (Dartmouth) had ipv6 - saw the address a few times in ifconfig - never actually worked, though...

I like ipv4 - I think we should expand the use of ports as an extension of the address - like, use 8 bits of the port for another computer identifier, then tack the port number at the end...

----------

## gentoo_ram

My broadband doesn't provide global IPv6 that I know of.  So I took matters into my own hands and configured my local home network to use IPv6.  With Macs and Linux boxes, I knew there shouldn't be any problems.  And I wanted to understand what it would take to get IPv6 running on my local network.

First, I created a network address based on the description in RFC 4193.  Then I configured my Linux gateway, installed 'radvd' to broadcast the network configuration on my network, and started putting addresses in my local name server.  I'm letting the machines configure themselves with stateless auto-configuration.

It's great: my Linux boxes, Macs, and even Vista machines talk to each other over IPv6.

I'm all set to go IPv6 whenever my provider wants to go down that path (whenever that will be).

In these examples, the network address I created was fd05:efaa:4a1b::/64

```
gw:~> ip a s
[...]
3: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:07:e9:1f:bc:2c brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth2
    inet6 fd05:efaa:4a1b:0:250:8dff:fe9f:19f4/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::207:e9ff:fe1f:bc2c/64 scope link
       valid_lft forever preferred_lft forever

gw:~> cat /etc/radvd.conf
interface eth2
{
        AdvSendAdvert on;
        MinRtrAdvInterval 3;
        MaxRtrAdvInterval 10;
        prefix fd05:efaa:4a1b::/64
        {
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr on;
        };
};

gw:~> host gw
gw.local has address 192.168.0.1
gw.local has IPv6 address fd05:efaa:4a1b:0:250:8dff:fe9f:19f4
```

----------

## pa4wdh

Hi,

I've been using IPv6 for a long time now. To answer your questions:

 *Quote:*

> 1) Is fiber broadband available in your neck of the woods?

Not yet where I live, but note that IPv6 is not a fiber-only thing. I'm using DSL.

 *Quote:*

> 2) If you are using it, does your ISP have anything to say about using IP 6?

Depends on what you do. If you want native IPv6 you're going to need your provider to support it; if you use a tunnel then the worst thing your provider can do is filter those tunnels, which -for me- would be a reason to switch to a different provider.

In my case I'm using a tunnel provided by my ISP, giving me 1.208.925.819.614.629.174.706.176 IPv6 addresses  :Smile: , and on my home network I use a dual stack setup (IPv4 and IPv6 native).

If you want a tunnel to experiment with but your provider doesn't provide one, try one of these: http://en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers

 *Quote:*

> 3) In general are you aware of or ready for IP 6?

I'm as ready as I can be: services listening on IPv4 and IPv6, stateful firewalling for both, the ipv6 USE flag is set everywhere, my DNS has IPv4 and IPv6 records ... anything missing?  :Smile: 

 *Quote:*

> I like ipv4 - I think we should expand the use of ports as an extension of the address - like, use 8 bits of the port for another computer identifier, then tack the port number at the end...

This is more or less what NAT does: taking care that every combination of src/dst IP and port is unique so they can be tracked back to the internal PC that made the connection.

I think IPv6 is great; it's better to be prepared for it, because at some point there will be a need to use IPv6, and then it's better to have some experience with it.

Best regards,

pa4wdh

----------

## UberLord

My ISP (http://www.goscomb.net/) does native IPv6 via DSL.

I need to use a PPPoA -> PPPoE bridge and run PPP on my server/router, as it's very hard to get a PPPoA DSL PCI card or a PPPoA IPv6 modem (other than the expensive Cisco 877) for ADSL2+.

The downside of this is that I need to clamp the MSS to 1420 so that IPv6 clients on my LAN work, due to the PPPoE bridge.

Aside from that downside, setup is a snap - I'm fully IPv6 enabled, and so is my site - http://roy.marples.name

----------

## ScarletPimpFromHell

Wow, its good to see some people taking the plunge.

It looks like we have all more or less agreed on the easiest way to start. That is, build services with the IPv6 flag, then register an address in DNS for local use.

I thought that the Link Local address would have been the easiest address to use; it's easy to remember, and every machine will have a unique address based on its MAC address. The Link Local address uses the format "FE80::[most significant 3 octets of MAC]:FF:FE:[least significant 3 octets of MAC]", for example the address of my lappy could be fe80::021d:09ff:fe00a4:4f6c/64 scope link local.

I never thought about RFC 4193 prefixes until I read the post from gentoo_ram. When you think about it, it could be an easy way for organizational-sized LANs to get started now and be ready for translation services when their ISP has them on offer.

I haven't looked into what services my ISP offers yet; I really should see if they are offering globally scoped prefixes. It would be nice to be in front of the pack for a change.

Some great ideas guys.
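The three address forms discussed above (gentoo_ram's RFC 4193 prefix with radvd autoconfiguration, and the MAC-derived link-local address described in the post just before this) put together in one script. This is an added example, not code from gentoo_ram, ScarletPimpFromHell or anyone else in the thread. It needs only the shell, printf and sha1sum. From a MAC it derives the modified EUI-64 interface identifier, the fe80:: link-local address, the address a host autoconfigures from the advertised /64, and a fresh ULA /48 the way RFC 4193 section 3.2.2 prescribes: SHA-1 over a 64-bit NTP timestamp and the EUI-64, low 40 bits become the Global ID. The MAC 00:07:e9:1f:bc:2c and the prefix fd05:efaa:4a1b::/64 are the ones in gentoo_ram's `ip a` output; the function names and the pid-based default for the NTP fraction are this example's own assumptions. Two points the algorithm makes visible: the universal/local bit of the first MAC octet is flipped when forming the identifier (which is why the gateway's link-local address begins 207 rather than 007), and an EUI-64 identifier carries the MAC into every network the host joins, which is the tracking concern that RFC 4941 temporary addresses exist to address.

```shell
#!/bin/sh
# Added example, not code from the thread: derive from a MAC address the
# addresses discussed above, with nothing but the shell, printf and sha1sum.
#   - modified EUI-64 interface identifier (RFC 4291 Appendix A)
#   - link-local address fe80::<iid>
#   - SLAAC address <advertised /64>:<iid>, what a host forms from radvd's
#     AdvAutonomous prefix
#   - a fresh RFC 4193 ULA /48 (section 3.2.2: fd00::/8, then the low 40 bits
#     of SHA-1(64-bit NTP time || EUI-64) as the Global ID)
set -eu

# Print one 16-bit group without leading zeros, as `ip a` and `host` show it.
hextet() { printf '%x' "$(( 0x$1 ))"; }

# $1 = MAC (00:07:e9:1f:bc:2c or 00-07-E9-1F-BC-2C). Prints the modified
# EUI-64 as four groups: ff:fe is inserted between the OUI and the device
# part, and the universal/local bit (0x02) of the first octet is flipped.
# That flip is why the gateway's fe80 address above starts 207, not 007.
eui64_from_mac() {
    local mac
    mac=$(printf '%s' "$1" | tr '-' ':' | tr 'A-F' 'a-f')
    local IFS=:
    set -- $mac
    [ $# -eq 6 ] || { echo "expected 6 octets, got: $mac" >&2; return 1; }
    printf '%s:%s:%s:%s' \
        "$(hextet "$(printf '%02x' "$(( 0x$1 ^ 0x02 ))")$2")" \
        "$(hextet "${3}ff")" \
        "$(hextet "fe$4")" \
        "$(hextet "$5$6")"
}

# Link-local address for an interface with that MAC ("scope link" in ip a).
link_local_from_mac() { printf 'fe80::%s\n' "$(eui64_from_mac "$1")"; }

# $1 = /64 prefix as written in radvd.conf (fd05:efaa:4a1b::/64), $2 = MAC.
# Prints the address stateless autoconfiguration forms, in RFC 5952 text form.
slaac_address() {
    local prefix mac iid out n h
    prefix=${1%/64}; mac=$2; out=''; n=0
    [ "$prefix" != "$1" ] || { echo "prefix must be a /64: $1" >&2; return 1; }
    iid=$(eui64_from_mac "$mac")
    prefix=${prefix%::}
    local IFS=:
    for h in $prefix; do out="$out$(hextet "$h"):"; n=$((n + 1)); done
    [ "$n" -le 4 ] || { echo "more than 64 bits in prefix: $1" >&2; return 1; }
    if [ $((4 - n)) -ge 2 ]; then
        out="$out:"          # two or more zero groups collapse to "::"
    elif [ "$n" -eq 3 ]; then
        out="${out}0:"       # a single zero group is written out: ...:4a1b:0:...
    fi
    printf '%s%s\n' "$out" "$iid"
}

# Decimal byte values -> printf format of octal escapes (253 5 -> \375\005),
# so raw bytes can be fed to sha1sum without xxd.
as_escapes() { local b; for b in "$@"; do printf '\\%03o' "$b"; done; }

# $1 = MAC used as the EUI-64 salt, $2 = Unix time in seconds (default: now),
# $3 = 32-bit NTP fraction (default: derived from the pid, an assumption of
# this example; a real generator should take a random value). The clock is in
# the hash so that two sites with the same MAC at different times differ.
ula_prefix() {
    local mac ntp_secs frac iid eui_bytes o digest gid
    mac=$1
    ntp_secs=$(( ${2:-$(date +%s)} + 2208988800 ))    # NTP epoch is 1900-01-01
    frac=${3:-$(( ($$ * 2654435761) & 0xffffffff ))}
    iid=$(eui64_from_mac "$mac")
    eui_bytes=''
    for o in $(printf '%s' "$iid" | tr ':' ' '); do
        eui_bytes="$eui_bytes $(( 0x$o >> 8 )) $(( 0x$o & 0xff ))"
    done
    digest=$(printf "$(as_escapes \
        $(( ntp_secs >> 24 & 255 )) $(( ntp_secs >> 16 & 255 )) \
        $(( ntp_secs >> 8 & 255 ))  $(( ntp_secs & 255 )) \
        $(( frac >> 24 & 255 ))     $(( frac >> 16 & 255 )) \
        $(( frac >> 8 & 255 ))      $(( frac & 255 )) $eui_bytes)" | sha1sum | cut -c1-40)
    gid=$(printf '%s' "$digest" | cut -c31-40)          # low-order 40 bits
    printf 'fd%s:%s:%s::/48\n' "$(printf '%s' "$gid" | cut -c1-2)" \
        "$(hextet "$(printf '%s' "$gid" | cut -c3-6)")" \
        "$(hextet "$(printf '%s' "$gid" | cut -c7-10)")"
}

mac=00:07:e9:1f:bc:2c     # the gateway's eth2 MAC from the ip a output above
echo "EUI-64:       $(eui64_from_mac "$mac")"
echo "link-local:   $(link_local_from_mac "$mac")"
echo "SLAAC:        $(slaac_address fd05:efaa:4a1b::/64 "$mac")"
echo "new ULA /48:  $(ula_prefix "$mac")"
```

Running it reproduces the fe80::207:e9ff:fe1f:bc2c shown for eth2. Feeding the same prefix the MAC 00:50:8d:9f:19:f4 (obtained by reversing the EUI-64 transform on the global address in the post) yields fd05:efaa:4a1b:0:250:8dff:fe9f:19f4, which is what `host gw` returned there.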

----------

## abhicary

I am waiting for this thing to happen in India. I don't know when that day will come?

----------

## pa4wdh

Don't wait for IPv6 to come to you, go to IPv6  :Smile: 

Don't wait for your provider to support IPv6, support IPv6 yourself  :Smile: 

Check the tunnel brokers listed on the Wikipedia link I posted; those will provide you a tunnel and some addresses for free so you can experiment with IPv6 and be ready when you really need it. It works best if you have a fixed public IPv4 address, but some can also work with a dynamic IPv4 address.

Have fun  :Smile: 

----------

## Marq

You guys are writing so nicely about ipv6, but I would like to know: what about performance? I'd like to have ipv6 on my home network, but from my provider I have an ipv4 address, and I'm wondering if the router can handle packet translation from ipv4 packets to ipv6 packets, and if there will be any performance losses?

----------

## UberLord

 *Marq wrote:*

> You guys are writing so nicely about ipv6, but I would like to know: what about performance? I'd like to have ipv6 on my home network, but from my provider I have an ipv4 address, and I'm wondering if the router can handle packet translation from ipv4 packets to ipv6 packets, and if there will be any performance losses?

There is generally a 10% performance loss running IPv6 via a tunnel.

However, the real issue is that you have to depend on the tunnel broker being up and congestion free as well as your ISP.

My IPv6 experience is now very good and it's now about 1-2% slower than IPv4. This is purely due to the increased overhead of using IPv6 and I've had to clamp MSS on the router to 1420. On the other hand, the slight decrease I don't really notice as my ADSL2+ is fast anyway.

You lose nothing by trying a tunnel, and if it works for you then good - if it doesn't then at least you gain some IPv6 experience  :Smile: 

----------

## Marq

Actually I thought about some kind of NAT from my home ipv6-based network to ipv4 packets on the internet, done on my router. I mean, on my home network PCs are communicating with ipv6 addresses, but when I want to communicate with the internet, the router does 'nat' from an ipv6 address to an ipv4 address. Can I do that on my poor Asus with OpenWrt without a significant bandwidth loss?

----------

## UberLord

http://en.wikipedia.org/wiki/6to4

May help then  :Smile: 

----------

## cach0rr0

I'm absolutely dreading this move, as it means I have something new to learn - something which I find wholly uninteresting and dry, no matter how useful it may be (as well, it'll likely be the end of NAT)

----------

## UberLord

Removing the need for NAT is the main driving reason for me to go IPv6 native.

NAT just sucks - i should and need to be able to talk to machines directly  :Smile: 

----------

## poly_poly-man

 *UberLord wrote:*

> Removing the need for NAT is the main driving reason for me to go IPv6 native.
>
> NAT just sucks - i should and need to be able to talk to machines directly

ummm... you realize that NAT isn't primarily for sharing addresses (well, it is, but nowadays...), it's primarily a great firewalling tool - if you can't access a machine, you can't hack it.

----------

## ScarletPimpFromHell

NAT and PAT are band-aid solutions to the current Internet address space crisis. Port Address Translation has adapted well to its translational firewall role, but that was never the original intention. It has just become the easiest and cheapest solution for throw-away routing platforms.

IMO, I think the IPv6 charge will be led by the mobile phone companies. With more and more media being accessible via the various 3G network carriers, and generation Y and generation Z having to be surgically removed from their handsets, it seems only logical that if the phone manufacturers want to maintain their business and increase market share they will have to migrate to IPv6.

----------

## UberLord

 *poly_poly-man wrote:*

> *UberLord wrote:* Removing the need for NAT is the main driving reason for me to go IPv6 native. NAT just sucks - i should and need to be able to talk to machines directly
>
> ummm... you realize that NAT isn't primarily for sharing addresses (well, it is, but nowadays...), it's primarily a great firewalling tool - if you can't access a machine, you can't hack it.

NAT is not a firewall, it just gives the illusion of a barrier.

On the other hand, I have a real firewall which stops all IPv6 traffic from hitting the LAN, except for those matching state created from outbound connections.

Would you have an IPv4 firewall on your NAT device?

----------

## Cyker

I have dabbled but early experimenting with IPv6 has not been encouraging for me.

The problem is that, like moving to AMD64, it is a lot of effort for 0 gain.

IPv6 doesn't give me anything that I can't do already, but is vastly more complicated to set up, esp. since most of the devices on my network don't and will never support IPv6 due to their age.

The other thing I was trying before was leaving my network as IPv4 and seeing if devices could NAT out to multiple IPv6 addresses (In a similar way to Multiple Private <-> Multiple Public IP address NAT) just in case the IPv6 revolution ever occurred, but I ended up just flailing around with this whole broker thing.

The whole 6-4 interop thing is just a big mess at the moment. I dare say it's actually even more ridiculous than the SPX/IPX <-> TCP/IP interop my old university used 'back in the day'!!

----------

## simoncion

 *Cyker wrote:*   

> I have dabbled but early experimenting with IPv6 has not been encouraging for me.
> 
> The problem is that, like moving to AMD64, it is a lot of effort for 0 gain.

 

Addressing more than 64GB of RAM and adding a boatload of registers is not a gain?

 *Cyker wrote:*

> IPv6 doesn't give me anything that I can't do already, but is vastly more complicated to set up

 

If you have an OpenWRT device, set up a tunnel with Hurricane Electric, then follow these instructions:

http://www.tunnelbroker.net/forums/index.php?topic=106.0

(The OpenWRT wiki link in that forum post should go here: http://oldwiki.openwrt.org/IPv6_howto.html )

It took me an hour or so to do, and I could do it again from scratch in ten minutes or so. Moreover, I only ever have to touch the config when my ISP changes my IP address.

 *Cyker wrote:*   

>  esp. since most of the devices on my network don't and will never support IPv6 due to their age.

 

There's not much that can be done about this.  :Sad: 

 *Cyker wrote:*   

> The other thing I was trying before was leaving my network as IPv4 and seeing if devices could NAT out to multiple IPv6 addresses (In a similar way to Multiple Private <-> Multiple Public IP address NAT)

 

I think that you're looking for this: http://en.wikipedia.org/wiki/Teredo_tunneling  IIRC, Vista supports this out of the box.

 *Cyker wrote:*   

> The whole 6-4 interop thing is just a big mess at the moment.

 

What sort of interop are you looking for? v6 and v4 data can flow across the same media. Dual stack hosts can talk to v6 and v4-only hosts with ease. v6-only and v4-only hosts can't talk to one another without a dual stack proxy somewhere.

----------

## simoncion

 *poly_poly-man wrote:*   

> {NAT is} primarily a great firewalling tool - if you can't access a machine, you can't hack it.

 

```
# ip6tables -L | head -n 4
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
```

This seems to duplicate the "firewall" functionality that NAT "provides". Do you disagree?

----------

## poly_poly-man

 *simoncion wrote:*

> *poly_poly-man wrote:* {NAT is} primarily a great firewalling tool - if you can't access a machine, you can't hack it.
>
> ```
> # ip6tables -L | head -n 4
> ...
> ```

it's true... however, I was arguing that NAT is still great for that purpose - keeping computers you don't want on the web off the web (but letting them access it)

----------

## simoncion

 *poly_poly-man wrote:*   

> it's true... however, I was arguing that NAT is still great for that purpose - keeping computers you don't want on the web off the web (but letting them access it)

 

NAT was not built to isolate machines from the Greater Internet, it is an address space extension mechanism. It extends the IPv4 address space by sixteen bits by erasing the distinction between a host and a service running on said host.  Read RFC 1631  and RFC 3022 for info on the IETF's notion of the purpose of NAT.

Anyway. A NAT-less Internet has addresses that look like

```
32_Bits_Of_Host_Address : One_Of_65K_Services_On_That_Host
```

But you seem to want a NAT-ed Internet with addresses that look like

```
Top_32_Bits_Of_Host_Address : Bottom_16_Bits_Of_Host_Address
```

How do I contact a host in a NAT-ed Internet? I can't, really. I can only hit a single service on a host.

A correctly configured firewall allows a network admin to prevent inbound traffic from reaching a machine, while giving him the option to easily allow direct access if he chooses. Such a configuration is trivial to create. NAT prevents inbound traffic from reaching a machine, while having the side effect of only permitting direct access to a single machine for each redirected port. Do you want to host two port 80 Apache instances behind the same router? You can't do it if your connection is NAT-ed!

If you want a firewall, you should learn to use iptables. It's really easy to do, and well worth your time. (You've already learned a *LOT* about iptables if you're configuring a Linux based NAT device.) Here's a little script that will drop incoming traffic, while permitting outbound and related traffic; giving you what you claim are the major benefits of a NAT device, with none of the detrimental effects of irreversibly isolating hosts from the Internet.

```
#!/bin/bash
# NB: I will blow away all existing iptables rules when you run me!
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP
# keep loopback working once the INPUT policy is DROP
iptables -A INPUT -i lo -j ACCEPT
# --state is an option of the state match, so -m state has to be loaded first
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
```

You can run that script, and then do an 

```
/etc/init.d/iptables save
```

to save the changes, and add iptables to your boot runlevel to restore those settings on each boot.

Edit: You haven't answered UberLord's question:  *UberLord wrote:*   

> Would you have an IPv4 firewall on your NAT device?

 

I would add: "Why or why not?"

----------

## cach0rr0

Whether you like RBLs or not, this'll also likely mean the end of them as a usable tool. 

They *do* work - I'm not debating this with anyone right now, I've done the analysis, this was part of my last job of 5 years, sitting there digging through TB of logs for this gibberish - reputation services of any sort still do have a considerable amount of utility whether people like it or not. 

The sheer number of addresses available is going to make them go byebye. 

Addresses are going to be easily disposed of without a second thought. 

For the *good* reputation lists, that don't simply can you for being on dynamic address space (CBL is brilliant), this'll mean their end. There will no longer be any point in listing single hosts - if you're only listing hosts who have actually committed an offence, you'll be listing singular throw-away addresses. If you start listing huge chunks of address space without their having committed any offence, I stop using you as a before-queue filter. 

Not to say ipv6 is a bad thing, because ultimately it's the same sort of amazing leap 64bit instruction was, it's just....inconvenient for me personally, and for people who lean heavily on reputation services.

----------

## poly_poly-man

 *simoncion wrote:*

> *poly_poly-man wrote:* it's true... however, I was arguing that NAT is still great for that purpose - keeping computers you don't want on the web off the web (but letting them access it)
>
> NAT was not built to isolate machines from the Greater Internet, it is an address space extension mechanism. It extends the IPv4 address space by sixteen bits by erasing the distinction between a host and a service running on said host.  Read RFC 1631 and RFC 3022 for info on the IETF's notion of the purpose of NAT.

yes, I mis-spoke on my first post on the matter - I did not mean to imply that I thought that NAT's primary purpose is firewalling, although many people do use it as such (only a firewall, not adding addresses in any useful way).

it's a firewall in the sense that any port not specifically forwarded from a host behind it cannot be accessed from the internet.

 *Quote:*

> Anyway. A NAT-less Internet has addresses that look like
> ...

annoying if you're hosting services, not if you're blocking them.

 *Quote:*

> A correctly configured firewall allows a network admin to prevent inbound traffic from reaching a machine, while giving him the option to easily allow direct access if he chooses. Such a configuration is trivial to create. NAT prevents inbound traffic from reaching a machine, while having the side effect of only permitting direct access to a single machine for each redirected port. Do you want to host two port 80 Apache instances behind the same router? You can't do it if your connection is NAT-ed!

so you need two addresses - same as without NAT. My point is, NAT is amazing for the case where you're NOT hosting services.

 *Quote:*

> If you want a firewall, you should learn to use iptables. It's really easy to do, and well worth your time. (You've already learned a *LOT* about iptables if you're configuring a Linux based NAT device.) Here's a little script that will drop incoming traffic, while permitting outbound and related traffic; giving you what you claim are the major benefits of a NAT device, with none of the detrimental effects of irreversibly isolating hosts from the Internet.
> ...

I have iptables running on my openwrt router - just using its NAT rules to get everyone past internet, and to forward port 22 to my computer... this is a great setup for me, because I don't have to specifically set up firewalls (it's really a good block-by-default setup that allows for full outgoing capability) for any host I want to quickly put on the internet.

Besides, I *like* the idea of a local network... how does that work in ipv6 (I really don't know...) - as in, no matter how many times my public address changes (dynamic internet... damn verizon), that computer over there is always going to be 192.168.1.169, and this one will always be 192.168.1.122... how does that work with ipv6 and the non-NAT setup?

----------

## simoncion

 *poly_poly-man wrote:*   

> yes, I mis-spoke on my first post on the matter - I did not mean to imply that I thought that NAT's primary purpose is firewalling

 

Understood.

 *poly_poly-man wrote:*   

> although many people do use it as such (only a firewall, not adding addresses in any useful way).

 

Seriously? I find it hard to believe that there are many NAT devices which only have a single computer behind them.

 *poly_poly-man wrote:*   

> ...it's a firewall in the sense that any port not specifically forwarded from a host behind it cannot be accessed from the internet.

 

<froth>But, but, NAT IS NOT A FIREWALL!</froth>  :Wink: 

 *poly_poly-man wrote:*   

> annoying if you're hosting services, not if you're blocking them.

 

We should all be hosting our own services, IMO.

 *poly_poly-man wrote:*   

> NAT is a great setup for me, because I don't have to specifically set up firewalls (it's really a good block-by-default setup that allows for full outgoing capability) for any host I want to quickly put on the internet.

 

Every modern OS *should* have a "block-by-default, but permit outbound" firewall configured out of the box. I'd be willing to bet that Windows and Ubuntu are configured this way.

 *poly_poly-man wrote:*

> Besides, I *like* the idea of a local network... how does that work in ipv6 (I really don't know...)

 

One's link-local addresses never change (Unless you ask your OS to make pseudo-random local addresses). How the global addresses work is entirely up to your ISP, but I know how it works with Hurricane Electric's tunnel broker service:

You configure a /64 or a /48 tunnel to your site. You advertise the route on your LAN. That route never gets renumbered -unless you delete the tunnel and create a new one- so the globally routable addresses that the machines on your LAN create from that advertisement will remain the same forever.

----------

## poly_poly-man

 *simoncion wrote:*

> *poly_poly-man wrote:* although many people do use it as such (only a firewall, not adding addresses in any useful way).
>
> Seriously? I find it hard to believe that there are many NAT devices which only have a single computer behind them.

Here I'm thinking not of the business or even the geek world - my network is entirely one subnet (I turned all my routers into switches, or rather, am just using the switch part of them). However, look at consumer routers - it's easy to get a consumer wired 4-port router (which pretty much guarantees you a NAT) for $5 new... wireless router for $40 - however, a switch will run you $50, and an access point $80... it's just easier for a consumer (and often done by them - consider the "consumer" internet devices - routers, which people will hook one computer up to) to set up a NAT. Another similar setup is the problem of a multi-subnet LAN - for example, 192.168.0.x will have 3 hosts - the router and a computer, and a wireless router, then the wireless router sets up 192.168.1.x, which will have a few more hosts... completely useless use of NAT.

The one-computer internet use is a better example of what I'm trying to say, though - think about how many old/dumb people there are with a router provided to them by the ISP, a local address given by DHCP on that router, and only that computer hooked into the internet (but still under a local subnet for some reason).

 *Quote:*

> *poly_poly-man wrote:* ...it's a firewall in the sense that any port not specifically forwarded from a host behind it cannot be accessed from the internet.
>
> <froth>But, but, NAT IS NOT A FIREWALL!</froth>

define firewall, and make sure your definition doesn't cover NAT.

 *Quote:*

> *poly_poly-man wrote:* annoying if you're hosting services, not if you're blocking them.
>
> We should all be hosting our own services, IMO.

not a single residential ISP actually allows that here in America... except FiOS, which on certain plans allows port 80.

 *Quote:*

> *poly_poly-man wrote:* NAT is a great setup for me, because I don't have to specifically set up firewalls (it's really a good block-by-default setup that allows for full outgoing capability) for any host I want to quickly put on the internet.
>
> Every modern OS *should* have a "block-by-default, but permit outbound" firewall configured out of the box. I'd be willing to bet that Windows and Ubuntu are configured this way.

Windows asks if you want that set up for you (doesn't do it by default as of XP), and I don't know about Ubuntu. I agree that it should be set up like that by default everywhere.

 *Quote:*

> *poly_poly-man wrote:* Besides, I *like* the idea of a local network... how does that work in ipv6 (I really don't know...)
> ...

So basically you talk to your local machines with their global addresses, or is it possible to have multiple addresses depending on where the traffic originates from? Also, is it possible to have separate ipv6 firewall rules for local hosts and global hosts (I want to be able to use every service on every machine on my network, but I don't trust opening them up to the internet)? If so, this is kind of cool... I actually know very little about ipv6, and probably won't switch over any time soon (I'm on really bad dynamic-addressed adsl, and I still have windows ME hosts on my network).
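An added example, not code from simoncion, poly_poly-man, UberLord or anyone else in the thread, that serves two earlier passages at once: it is the ip6tables counterpart of simoncion's IPv4 "block by default, let replies in" script, and it answers the question just above about separate rules for local and global hosts. The script emits a complete ruleset in ip6tables-restore format for a router that does no NAT, so LAN hosts keep their own global addresses and the router only forwards. The assumptions are this example's own: eth2 as the LAN interface (the name in gentoo_ram's output), ppp0 as the DSL/tunnel side, the /48 around gentoo_ram's fd05:efaa:4a1b::/64 as the trusted local prefix, the documentation-prefix address 2001:db8:1::2 as the one LAN host exposed on tcp/22, UberLord's MSS of 1420, and a kernel with the conntrack, hl and TCPMSS modules. The caveat a practitioner needs is in the ICMPv6 rules: neighbour discovery (router and neighbour solicitation/advertisement) never matches RELATED,ESTABLISHED, so an unchanged copy of the IPv4 script under a DROP policy would cut the router off from its own LAN, and Packet Too Big must pass for path MTU discovery to work behind a tunnel or PPPoE link. Local-versus-global trust is expressed by source prefix plus ingress interface, which is the IPv6 answer to "only my LAN may use every service": the address space is not private, the rule is.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits a complete IPv6 ruleset in
# ip6tables-restore format for a Linux router that does *not* NAT: LAN hosts
# carry their own global addresses and the router just forwards. It keeps the
# "block by default, reply traffic in" behaviour of the IPv4 script in the
# thread and adds what IPv6 needs on top of connection tracking. Interface
# names, prefixes, the exposed host and the MSS are assumptions, not anyone's
# real network.
set -eu

# $1 LAN interface, $2 WAN interface (ppp0, or sit0 for a tunnel), $3 prefix
# (ULA or delegated global) trusted to reach every service on the router,
# $4 the single LAN host reachable from outside on tcp/22, $5 MSS to clamp
# to on the WAN link (default 1420, UberLord's value for a bridged PPPoE line).
ipv6_ruleset() {
    local lan wan local_prefix ssh_host mss
    lan=$1; wan=$2; local_prefix=$3; ssh_host=$4; mss=${5:-1420}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback stays open; with policy DROP it would otherwise be cut off
-A INPUT -i lo -j ACCEPT
# same state logic as the IPv4 script (conntrack is the current name of -m state)
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# ICMPv6 the stack cannot do without: the error types (Packet Too Big carries
# path MTU discovery, which matters behind a tunnel or PPPoE link) ...
-A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
# ... and neighbour discovery, which never matches RELATED,ESTABLISHED and
# would otherwise hit the DROP policy. RFC 4861 requires hop limit 255 on
# these, so anything that was routed in (hop limit < 255) is still rejected.
-A INPUT -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 5/s -j ACCEPT
# separate rules for local and global hosts: trust is decided by source prefix
# and ingress interface, not by whether an address happens to be private
-A INPUT -i $lan -s $local_prefix -j ACCEPT
-A INPUT -i $lan -s fe80::/10 -j ACCEPT
# anything else arriving from the WAN that is not a reply falls to policy DROP
# forwarding: the LAN may go anywhere, the Internet may only reply, plus the
# one published service (the IPv6 version of "forward port 22 to my box")
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -d $ssh_host -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# clamp the TCP MSS on the WAN link so LAN hosts behind a smaller-MTU
# tunnel/PPPoE link do not depend on every Packet Too Big getting through
-A FORWARD -o $wan -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss
COMMIT
EOF
}

# Print the ruleset (so it can be saved and fed to ip6tables-restore), or
# load it straight into the kernel with --apply (needs root).
if [ "${1:-}" = "--apply" ]; then
    ipv6_ruleset eth2 ppp0 fd05:efaa:4a1b::/48 2001:db8:1::2 1420 | ip6tables-restore
else
    ipv6_ruleset eth2 ppp0 fd05:efaa:4a1b::/48 2001:db8:1::2 1420
fi
```

Hosts on the LAN normally hold both a ULA and a global address on the same interface, so if the router's services should also be reachable from the LAN by global address, a second `-i $lan -s <global /64>` line is added in the same place. Accepting all fe80::/10 on the LAN side covers the router-advertisement source, DHCPv6 and mDNS; it is a statement of LAN trust, just like the ULA line, and is the part to tighten on a network where the LAN itself is not trusted.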

----------

