shapeshifter.se

Note: This is about “intra-AS” IPv6 routing and networking as I haven’t had the opportunity to play with IPv6 BGP stuff.

I got a (insanely) large IPv6 address space from SixXS statically routed to me over a 6-in-4 tunnel, it’s connected to a static IPv4 address on a machine with plenty of bandwidth.  As I wanted IPv6 connectivity at multiple points I figured that instead of wasting a /48 for every location I could just as well setup my own “overlay” IPv6 network running on top of several IPv4 tunnels.

Oh, and to put things in perspective. An IPv6 address is 128 bits, 48-bits (aka /48) for the net leaves 80 bits for hosts. That’s 1.20892582 × 10²⁴ hosts, or 65536 /64 sub-nets with 1.84467441 × 10¹⁹ hosts in each. But of course you already knew that

Let’s kick start the post by showing a pretty picture of how the network looks.

IPv6 net

IPv6 is statically routed from the SixXS PoP to my IPv6 border router. The routers within my administrative zone are spread geographically and talk IPv6 to each other over 6-in-4 tunnels. They also run OSPFv3 for convenience and because static routing is a pain (I’ll admit that the current setup is doable with static routing, but if I add one or more routers things will get ugly).

6-in-4 tunnels

There are many ways to tunnel traffic. Since we’re dealing with public IP-addresses here (hence already insecure traffic) I didn’t feel the need to secure the traffic between my routers as the packets will be routed to the Internet in an insecure way anyhow. I therefore opted for one of the easier tunneling methods of simply putting the complete IPv6 packet directly into a IPv4 packet and setting protocol field to 41 (IPv6 protocol number). This kind of tunnel is available in most operating systems.  My routers run FreeBSD and the pseudo-interface gif(4) provides this functionality.

Numbering IPv6 point-to-point links

Numbering these links was not as easy as one would have though. These are point-to-point links and in IPv4 you would normally use a /30 (possibly a /31). However sub-netting in IPv6 is not as liberal as IPv4. RFC3513 section 2.5.4 says that the node id should be 64-bit (ie a /64 net). Using a /64 on one point-to-point link is not very attractive as it wastes A LOT of addresses (sure I have plenty, but it’s ugly).

Fortunately, more people feel this way and /127 nets have become popular on p2p-links. After reading RFC3627 “Use of /127 Prefix Length Between Routers Considered Harmful” and compared the pros and cons I decided to use /126 on my point-to-point links (which is equivalent to a /30 in the IPv4 world).

Configuring this is trivial, watch out for firewall issues though. You need to allow protocol 41 (same level as tcp and udp) between the IPv4 hosts.

gif1: flags=8051 metric 0 mtu 1280
	tunnel inet X.X.X.X --> Y.Y.Y.Y
	inet6 fe80::218:71ff:fe68:d071%gif1 prefixlen 64 scopeid 0x5
	inet6 2001:16d8:ffe5::1 prefixlen 126

The observant reader might notice the configured fe80::/10 network, which is an auto configured link-local network (only valid on the p2p-link). I didn’t initially have this configured, but it turned out that this was extremely important for reasons that will become clear in the following sections.

OSPFv3

As stated previously I run OSPFv3 (OSPF with IPv6 extensions) on the routers for flexibility.  I choose Quagga for this and the routers run ospf6d and zebra.

zebra

The zebra daemon handles the interaction with the kernel and installs the selected routes into the kernels forwarding table (FIB) (which quite erroneously is called routing table in most operating systems).

zebra configuration at the border router
Terminal access lists and settings have been left out for readability

hostname border
password somepassword
log file /var/log/quagga/zebra.log
!
# Static default route which is injected as an external route
# into OSPF
ipv6 route 2000::/3 2001:16d8:ff00:2be::1
!
# Enable IPv6 forwarding (if not already enabled by the OS)
ipv6 forwarding
!

Why are we injecting 2000::/3 as a default route?  Because 2001::/3 covers the currently valid global unicast addresses. See ipv6-unicast-address-assignments and RFC4147.

zebra configuration at internal routers
Terminal access lists and settings have been left out for readability

hostname router1
password somepassword
log file /var/log/quagga/zebra.log
!
# Enable RA (router advertisements) on the internal interface so that clients on the LAN
# are able to auto configure an IPv6 address within the correct prefix.
interface internal0
 link-detect
 ipv6 address 2001:16d8:ffe5:2::1/64
 no ipv6 nd suppress-ra
 ipv6 nd ra-interval 10
 ipv6 nd prefix 2001:16d8:ffe5:2::/64
!
# Enable IPv6 forwarding (if not already enabled by the OS)
ipv6 forwarding
!

ospf6d

ospf6d is the daemon in the Quagga suite that implements OSPFv3. My setup is quite simple and does not involve any areas.

ospf6d configuration at border router
Terminal access lists and settings have been left out for readability

password somepassword
log file /var/log/quagga/ospf6d.log
!
# Tunnel interface on which
interface gifX
ipv6 ospf6 instance-id 0
!
# Redistribute connected subnets and static (from zebra) routes to neighbors
router ospf6
router-id 0.0.0.1
redistribute connected
redistribute static
# Add one interface line for each tunnel
interface gifX area 0.0.0.0
!

ospf6d configuration at internal routers

password somepassword
log file /var/log/quagga/ospf6d.log
!
interface gifX
 ipv6 ospf6 instance-id 0
!
# The internal interface is configured as passive to suppress OSPF hello-messages
# on the internal network but still allow the configured subnet to be injected into
# OSPF
interface internal0
 ipv6 ospf6 instance-id 0
 ipv6 ospf6 passive
!
# Redistribute connected subnets
router ospf6
 router-id 0.0.0.2
 redistribute connected
 # Tunnel interface (external)
 interface gifX area 0.0.0.0
 # Internal interface, marked as passive above.
 interface internal0 area 0.0.0.0
!

Note that you need to remove the passive flag if you intend to have more OSPFv3 routers on the network connected to the internal interface. Otherwise they would be unable to find each other.

OSPFv3 on Point-to-point links

As I used numbered point-to-point links I figured this would “just work”. Turned out that it was not that simple.

The routers successfully formed an adjacency

router1# show ipv6 ospf6 neighbor
Neighbor ID     Pri    DeadTime  State/IfState         Duration I/F[State]
0.0.0.1           1    00:00:37   Full/PointToPoint    01:14:38 gif0[PointToPoint]

Routes were distributed correctly, but all received routes had the next hop set to :: which is the unspecified IPv6 address (equal to 0.0.0.0), which of course caused zebra to reject the route and not install it into the FIB.

Most routes have been left out from the output below

router1# show ipv6 ospf6 route
*N E1 2000::/3                       ::    gif0 01:14:45
...

I though this didn’t make any sense as a packet dump showed LSA being exchanged correctly. After actually reading the ospf6d source code and some of the OSPFv3 specifications it finally hit me. OSPFv3/IPv6 Point-to-point links must use the link-local address space fe80::/10. And what do you know, after I turned on auto link local addresses on the tunnel interfaces routes were properly exchanged and ospf6d set the next hop correctly on received routes.

router1# show ipv6 ospf6 route
*N E1 2000::/3                        fe80::218:71ff:fe68:d071   gif0 01:14:45
...

IPv6 clients

As ospf6d on the LAN router is configured to send router advertisements clients connected to the LAN simply needs to enable IPv6 (and accept router advertisements in case it’s disabled) to get an IPv6 address and a default route.  This kind of stateless auto configuration is one of the advantages of IPv6, but it has one big weakness. It’s not possible to distribute name server information without DHCPv6.

Currently all my clients are dual-stacked and get name server information through DHCPv4.  I plan to add a stateless DHCPv6 server that distribute information only (no addresses) so that it’s possible to get name server information without involving IPv4.

Firewall considerations

IPv6 needs to be protected by firewalls just as IPv4.

Protecting the tunnels and tunnel endpoints

The 6-in-4 tunnels requires a bit of special care, simply allowing everything on the tunnel interface could open up some nasty holes and allow traffic to daemons running on the routers.  How rules should be applied depends on which kind of tunnel type you are using, the following assumes an IPv6 packet directly inside a IPv4 packet without other encapsulation.

• Allow protocol 41(IPv6) inside IPv4 packets between the IPv4 endpoints.  This is similar to for example allowing TCP between two IPv4 hosts.
• Allow IPv6 traffic from/to fe80::/10 (link-local), fe00::/8 (multicast) and your configured /126.
• At the end router allow traffic to/from the configured /64 subnet.
• Make sure daemons (that are not supposed to be exposed) are listening on ::1/128 only or block traffic from other subnets than your own so that only valid hosts are able to create connections to IPv6 addresses configured on the router.

Protecting public services

No real difference from IPv4 services, only expose ports that should be exposed. If services and tunnels are running on the same machine make sure that it’s not possible to connect to the daemons through the IPv6 address configured at the tunnel (see previous section).

Protecting clients

Protecting LAN clients are a bit different from IPv4. IPv4 clients are usually behind NAT (unless you’ve got an insanely large IPv4 space and waste it on client hosts).  A fundamental consequence of NAT is that it’s impossible to establish inbound connections to hosts, thus providing protection from incoming connections from malicious hosts.

It’s tempting to simply block all incoming connections to IPv6 clients giving them the same level of protection as IPv4 NAT-hosts. This is however a quite bad idea, one of the advantages of IPv6 and the large address space is that clients are able to establish peer-to-peer (client to client) connections between each other. A large number of applications benefit from this, for example VoIP, Video-chat, file transfers etc.

Still, it’s probably a good idea to block incoming connections to commonly “abused” ports at the LAN border. For example

• 137/TCP, 138/UDP, 139/TCP – NetBIOS
• 135/TCP – RPC
• 445/TCP – SMB
• 389/TCP – LDAP
• 1512 – WINS
• 515 – LPD

Golden rule, don’t block too much, but don’t block too little either , clients should run a local firewall as well if possible.

References

• http://www.quagga.net/docs.php – Quagga Documentation
• http://tools.ietf.org/html/rfc4291 – IP Version 6 Addressing Architecture
• http://tools.ietf.org/html/rfc3627 – Use of /127 Prefix Length Between Routers Considered Harmful
• http://tools.ietf.org/html/rfc4861 – Neighbor Discovery for IP version 6 (IPv6)
• http://support.microsoft.com/kb/832017 – Service overview and network port requirements for the Windows Server system

This entry was posted on Sunday, November 2nd, 2008 at 2:55 pm and is filed under Tech. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.