ONLamp.com    
 Published on ONLamp.com (http://www.onlamp.com/)


IPv6, Meet FreeBSD

by Mike DeGraw-Bertsch
02/22/2002

So what's this IPv6 stuff that's being bandied about the Net? It's Internet Protocol version 6, or the next generation Internet Protocol (IPng). It replaces the current IP, which is version 4. Why? Well, the most obvious reason is that IPv6 addresses are 128 bits, as opposed to IPv4's 32 bits. IPv6 also mandates autoconfiguration--much like DHCP does for IPv4. Other advantages include built-in security via IPsec, enhanced multicast capabilities, and traffic labeling.

IPv6 addresses look somewhat different from those in IPv4. They're written as eight 16-bit hexadecimal groups, separated by colons. For example, 3ffe:0b80:0447:0002:0000:0000:0000:0001. Kind of bulky. There are, fortunately, conventions to reduce that bulk. Leading zeros in a group need not appear, and one run of consecutive all-zero groups can be replaced with a double colon. The address now becomes 3ffe:b80:447:2::1. The double colon can only appear once, since with two or more there is no way to tell how many zero groups each one stands for.

IPv4's netmasks are called prefixes in IPv6. They're also represented with the familiar /SIZE style.

Because an interface can have multiple IPv6 addresses of differing types, addressing can get somewhat complex. This article only examines simple, single unicast addresses. For more information, look to the IETF's IPng working group and its associated RFCs (2373 in particular) and drafts.

Why Use IPv6?

IPv6 is great from many standpoints, but odds are you're not using it. The transition from IPv4 has been, and still is, a slow and somewhat painful process. IPv4 works pretty well right now, and many are reluctant to go through the effort of migration until absolutely forced to. (To many, running out of IPv4 addresses is the only thing that will force them to migrate.) There are still some open issues with IPv6. So why bother with it? First of all, if no one bothers, then migration slows to an obvious halt. Many want early experience before they are forced into using it because they have run out of IPs. Some of us just want to play with cool new technology. And some might just want to see the dancing kame at www.kame.net! (A dancing turtle that only dances when viewed via IPv6.)

On the plus side, many applications now support IPv6, from the standard ping and traceroute utilities (called ping6 and traceroute6) to OpenSSH, Apache, and Mozilla. So if you try it out, you'll have all the tools you need.

The 6bone

The migration of all Internet-connected hosts to IPv6 won't happen in a vacuum. To that end, the 6bone project is a testbed IPv6 network. Originally, all IPv6 connections were tunneled or encapsulated in IPv4. Slowly, however, native connections to the 6bone are appearing. Chances are, though, that you'll still need an IPv4 tunnel to get your connectivity going.

In the rest of this article, we'll discuss how to connect to the 6bone network.

Sounds Good. What Do I Do?

You'll need to configure FreeBSD to support IPv6, get an address and a prefix. Then set up routing, DNS entries, and any other hosts on your LAN (if desired), and you're golden.

FreeBSD 4.0 and beyond contains native support for IPv6. Prior to 4.0, you can visit kame.net and install a SNAP kit--though this article only discusses the native implementation.

System Setup

To enable IPv6, you'll need to make sure you have a couple of kernel options enabled (they are by default). The most important is options INET6. Assuming your ISP doesn't natively support IPv6 connections, you'll also need an IP tunneling device. There are a few available, but we'll only be working with gif(4) tunnels--enabled via pseudo-device gif 4.

FreeBSD 4.1 and later versions introduce minor changes to the gif(4) IP tunneling devices. Specifically, you don't tell the kernel the number of devices to initialize--instead, they're created on the fly with the command ifconfig gifX create, where X is the device number (typically starting with 0). The devices can also be destroyed with the command ifconfig gifX destroy.

After confirming your kernel configuration, you'll need to make a couple changes to /etc/rc.conf. If you're going to run a stand-alone IPv6 host, you'll just need to add ipv6_enable="YES". If you want your FreeBSD box to forward IPv6 traffic, you'll also need the following lines:

ipv6_gateway_enable="YES"
rtadvd_enable="YES"

The first line enables the host to forward IPv6 packets. The second starts the router advertisement daemon--which tells your uplink about the hosts on your network, and allows autoconfiguration of hosts connected to your network. Be sure /etc/rtadvd.conf is properly configured before you enable rtadvd--more on that to come.

Get an Address and Tunnel

Now that your machine is configured to use IPv6, you'll need your address space and tunnel endpoint. There are a few ways to do this, but only one--using Freenet6--is discussed here. For more information on your other options, which are best suited for use with static IP addresses, read How to join the 6bone on the 6bone.net site.

Use Freenet6

Freenet6 is a quick and easy way to get an IPv6 address and establish a tunnel. What makes it so easy is its Tunnel Setup Protocol (TSP) client. The program, available here, automatically gets your IPv6 address and establishes a tunnel with the Freenet6 servers. The program can be run without registering, but registration lets you get a /48 prefix (anonymous connections are given /64 addresses), and it lets you keep the same address, regardless of IPv4 address changes.

To get your /48 prefix, first register with Freenet6. Then download and extract the client. Run

make install target=freebsd installdir=/usr/local/freenet6

Predictably, this installs the client and all necessary files to /usr/local/freenet6. Edit /usr/local/freenet6/bin/tspc.conf. Change your username and password to their appropriate values. Ensure template=freebsd4, and change if_prefix to your external network interface. If you want a /48 prefix to run an IPv6 network, add the following lines:

host_type=router
prefixlen=48

To get the /48, you'll also need to have your server configured to act as an IPv6 gateway, as discussed above.

With the client configured, make sure you have your GIF device created, if necessary. Now run ./tspc -v -c tspc.conf. After the client runs, you're now connected to the 6bone! Try ping6 www.6bone.net or traceroute6 post.radioactivedata.org to confirm your tunnel is working. Now configure tspc to run at startup--generally through an executable .sh script in /usr/local/etc/rc.d/, such as /usr/local/etc/rc.d/ipv6.sh:

#!/bin/sh
# Automatically run tspc on boot
/usr/local/freenet6/bin/tspc -c /usr/local/freenet6/bin/tspc.conf

One downside--tspc doesn't run as a daemon. So if your IPv4 address changes, you'll need to rerun the client to reconfigure your tunnel and establish a new connection to the tunnel server. Not a huge problem, though--an enterprising soul could hack their DHCP client to run tspc whenever the address changes.

Configuring Your Gateway Machine

Feel free to skip this section if you're only running IPv6 on one host.

Otherwise, make sure you got a /48 address (shown as TSP_PREFIXLEN 48 in the output of tspc), and confirm that your machine is configured as a gateway, as discussed above.

First assign IPv6 addresses to your gateway interface(s). On my home network, I run both wireless and wired networks. The wireless interface's address is 3ffe:b80:447:77::1, while the wired NIC is 3ffe:b80:447:2::1.

You'll now need to configure rtadvd, the router advertisement daemon--the program that allows autoconfiguration of your clients (a bit trickier at first, but much easier than manual in the long run). The file is in printcap format--you've been warned. Let's look at an example /etc/rtadvd.conf:

#ep0:\
#   :addrs#1:\
#   :addr="3ffe:0b80:0447:0001::":prefixlen#64:tc=ether:
wi0:\
   :addrs#1:\
   :addr="3ffe:0b80:0447:0077::":prefixlen#64:tc=ether:

Simple enough, really. ep0 is the external interface. Unless you want to run BGP4+ (way beyond this article's scope), you won't want to advertise your routes on the external interface. So we turn to wi0, the wireless gateway device. The first line, addrs#1, tells rtadvd that the interface has only one IPv6 prefix. (Note that if you have more than one prefix for the device, read rtadvd.conf's man page, as that's also a bit beyond this article.) The next line's addr="3ffe..." obviously specifies what the interface's prefix is. Your prefixlen# will almost always be 64, and tc will be ether. More options and details are discussed in the rtadvd.conf man page.
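The check described above (no router advertisements on the external interface, prefixlen normally 64) can be automated. The following is an added example, not part of the original article or of rtadvd itself: a small parser for the printcap-style entries shown here, with the sample file embedded. The function names and the external_ifaces parameter are hypothetical, and the parser assumes comment lines are dropped before backslash continuations are joined, as in the article's sample.

```python
import re

# Constructed sample: the rtadvd.conf shown in the article.
SAMPLE = r'''
#ep0:\
#   :addrs#1:\
#   :addr="3ffe:0b80:0447:0001::":prefixlen#64:tc=ether:
wi0:\
   :addrs#1:\
   :addr="3ffe:0b80:0447:0077::":prefixlen#64:tc=ether:
'''

# name#number, name="quoted string" (may contain colons), or name=bare
CAP = re.compile(r'(\w+)(?:#(\d+)|="([^"]*)"|=([^:]*))')

def parse_rtadvd(text):
    """Return {interface: {capability: value}} for the active entries."""
    # Drop blank and comment lines first, then join backslash continuations.
    live = [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith('#')]
    entries, buf = {}, ''
    for line in live:
        buf += line[:-1] if line.endswith('\\') else line
        if line.endswith('\\'):
            continue
        name, _, rest = buf.partition(':')
        caps = {}
        for key, num, quoted, bare in CAP.findall(rest):
            caps[key] = int(num) if num else (quoted or bare)
        entries[name] = caps
        buf = ''
    return entries

def audit(text, external_ifaces):
    """external_ifaces (hypothetical parameter): names of uplink interfaces."""
    findings = []
    for iface, caps in parse_rtadvd(text).items():
        if iface in external_ifaces:
            findings.append(f'{iface}: router advertisements on external interface')
        if caps.get('prefixlen', 64) != 64:
            findings.append(f'{iface}: prefixlen {caps["prefixlen"]} is not 64')
    return findings

if __name__ == '__main__':
    print(parse_rtadvd(SAMPLE))
    print(audit(SAMPLE, {'ep0'}))
```

Run it against your own /etc/rtadvd.conf before starting rtadvd; an empty list means only internal interfaces are advertising.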

Add a line for each interface on which you want to advertise routes. Check and double-check your configuration, and start the daemon. On the command line, specify the interfaces that should advertise routes--for the above example:

rtadvd -d wi0

At this point, you should make some changes to your rc.conf file, to keep your changes around after a reboot. A quick look at the new settings:

ifconfig_wi0_alias0="inet6 3ffe:b80:447:77::1 prefixlen 64"
ifconfig_ep0_alias0="inet6 3ffe:b80:447:1::1 prefixlen 64"

Client Settings

Thanks to the route advertisement daemon running on your gateway, client configuration is a cinch. Simply add the following lines to your rc.conf file:

ipv6_enable="YES"
ipv6_network_interfaces="auto"

Bada-bing, your client is ready to use IPv6. Reboot, and you're on your way. If you already have IPv6 enabled on the client, but the interface isn't configured, don't reboot--just run rtsol [interface_id].

DNS

The last topic, and a biggie. If you run a DNS server, you'll likely want to add forward and reverse lookups for your IPv6 address space.

Forward lookups are, of course, the simplest. Just add AAAA records for your IPv6 addresses in the appropriate zone files. For example, in my radioactivedata.org zone file, I can simply add an AAAA record for my new IPv6 gateway:

post            IN      AAAA    3ffe:b80:447:1::1

Setting up reverse DNS is a bit more complicated. You need to create and load a new zone file. Shown below is the zone file, named reverse-3ffe-b80-447.ip6.int, for the 3ffe:b80:447/48 prefix:

;
; IPv6 reverse zone
; Prefix 3ffe:b80:447/48
$TTL 1D

@       IN      SOA     ipv6.radioactivedata.org. root.radioactivedata.org. (
                               2001122601      ; serial
                               3H              ; refresh
                               15M             ; retry
                               1W              ; expiry
                               1D )            ; minimum
       IN      NS      ns1.radioactivedata.org.

; Our host address
; 3ffe:0b80:0447:0001:0000:0000:0000:0001

; Origin prefix, 48 bits
$ORIGIN 7.4.4.0.0.8.b.0.e.f.f.3.ip6.int.

; Hosts section
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0         in ptr  post.ipv6.radioactivedata.org.

BIND must then be configured to serve the new zone, by adding the following lines to named.conf:

 zone "7.4.4.0.0.8.b.0.e.f.f.3.ip6.int" {
        type master;
        file "reverse-3ffe-b80-447.ip6.int";
};

Now it's just the small matter of adding the following line to your tspc.conf file, to get Freenet6 to delegate the reverse lookups to your DNS server:

dns_server=ns1.radioactivedata.org:ns2.radioactivedata.org

The client is then rerun, and after a few minutes, reverse lookups for the 3ffe:b80:447/48 prefix are delegated to ns1.radioactivedata.org.

To check for proper delegation, do a reverse lookup:

dig 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.7.4.4.0.0.8.b.0.e.f.f.3.ip6.int ptr

Yep, it's a bit lengthy (it should all be on one line), but you hopefully won't have to do that manually too frequently.

To apply this example to your prefix, simply change the IP addresses, hostnames, and the zone filename, and follow the outlined steps.
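Typing 32 reversed nibbles by hand is where reverse zones usually go wrong, so here is an added example (not part of the original article) that derives the $ORIGIN, the relative owner label, and the full query name for any host and nibble-aligned prefix. The function names are hypothetical; the suffix defaults to ip6.int as used on this page and is a parameter because ip6.arpa is the suffix in current use. Python's ipaddress module needs the prefix written out as 3ffe:b80:447::/48.

```python
import ipaddress

def nibbles(addr):
    """All 32 hex digits of an IPv6 address, least significant first."""
    return ipaddress.IPv6Address(addr).exploded.replace(':', '')[::-1]

def reverse_names(host, prefix, suffix='ip6.int'):
    """Split the nibble-format reverse name of `host` at the prefix boundary.

    Returns (zone origin, owner label relative to the origin, full query name).
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen % 4:
        raise ValueError('prefix length must fall on a 4-bit nibble boundary')
    if ipaddress.IPv6Address(host) not in net:
        raise ValueError(f'{host} is outside {net}')
    digits = nibbles(host)
    host_part = 32 - net.prefixlen // 4   # nibbles to the left of the zone cut
    label = '.'.join(digits[:host_part])
    origin = '.'.join(digits[host_part:]) + f'.{suffix}.'
    return origin, label, f'{label}.{origin}'

def ptr_record(host, prefix, target, suffix='ip6.int'):
    """One PTR line as it would appear under the zone's $ORIGIN."""
    if not target.endswith('.'):
        target += '.'   # a relative target would get $ORIGIN appended by BIND
    _, label, _ = reverse_names(host, prefix, suffix)
    return f'{label}\tIN\tPTR\t{target}'

if __name__ == '__main__':
    # Values from the article's example zone.
    origin, label, query = reverse_names('3ffe:b80:447:1::1', '3ffe:b80:447::/48')
    print('$ORIGIN', origin)
    print(ptr_record('3ffe:b80:447:1::1', '3ffe:b80:447::/48',
                     'post.ipv6.radioactivedata.org'))
    print('dig', query, 'ptr')
```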

Rerun the client, wait a few minutes, and perform a reverse lookup. You'll be happy to see that you're now serving IPv6 forward and reverse lookups!

Conclusion

Congratulations! Having worked through the steps outlined above, you're now connected to the ultra-cool IPv6 testbed network! You're an early adopter, a pioneer in the new Internet. Enjoy it.

Shortly, I'll follow up this article with an article on how to set up an IPv6-only network--yep, no IPv4 needed! I'm writing this article on a laptop with no IPv4 address, and it's pretty cool.

Mike DeGraw-Bertsch is a security and Unix system administration consultant in the Boston, Mass. area. When he's not at a job, writing, hacking with Perl, or playing with his wireless network, he can usually be found playing goal in ice hockey.



Copyright © 2009 O'Reilly Media, Inc.