Kitz Forum

Internet => General Internet => Topic started by: Weaver on January 09, 2016, 11:53:21 PM

Title: IPv6 users
Post by: Weaver on January 09, 2016, 11:53:21 PM
Would any IPv6 users say hello?
Title: Re: IPv6 users
Post by: currytop on January 10, 2016, 07:05:01 PM
Hello!  ;D

Not sure I can help with your quest but do use IPv6. Like you my ISP is A&A and my residential router supports IPv6. However most devices here use IPv4 behind NAT.
Title: Re: IPv6 users
Post by: Weaver on January 10, 2016, 09:44:05 PM
We also have CrazyTeeka, another A & A user, I believe.

Any tunnelled IPv6 users?
Title: Re: IPv6 users
Post by: Weaver on January 10, 2016, 09:47:33 PM
Am I the only one who doesn't understand DHCPv6 and how its usage gets selected during an RA?

I am after all pretty thick. I wonder if there is something out there that explains it at my drug-addled (NHS) brain's kind of level?
Title: Re: IPv6 users
Post by: currytop on January 10, 2016, 11:25:34 PM
Now who's thick? I don't even know what a 'RA' is. Too many acronyms.
Title: Re: IPv6 users
Post by: Weaver on January 10, 2016, 11:42:57 PM
 P ??? ;D
You're making me feel better.

"Router Advertisement".
Title: Re: IPv6 users
Post by: currytop on January 10, 2016, 11:58:02 PM
> P ??? ;D
> You're making me feel better.
>
> "Router Advertisement".

Ah of course - I don't think it works quite like that. If a host is configured to get an IP lease via DHCP it issues a DHCP broadcast, usually restricted to a subnet. A DHCP relay is required to traverse across subnets. If received, a DHCP server traverses its configuration table and assembles a DHCP reply based on whether an existing lease can be honoured, a new unused address obtained from its table, or a fixed mapping entry is available. This is combined with the name of the local domain, the address of an available gateway, and the address of at least one nameserver. There are quite a few other facilities that have been added on to DHCP over the years that may or may not be used but that's the gist of it. There are a few fallback decisions that can be made depending on configuration. There's much more available than typically seen on a residential router with a built-in DHCP server.
Title: Re: IPv6 users
Post by: Weaver on January 11, 2016, 12:17:55 AM
What I meant was that, iirc, in an RA, there are broadcast flags called M and O which tell clients whether or not to use DHCPv6 and be governed by DHCP's IPv6 address assignments, rather than using the standalone procedures for making up an IPv6 address themselves.

I was talking about how the use of DHCPv6 is selected or not, not about how DHCP itself works. Does that make sense? Are we on the same page, or have I misunderstood?
Title: Re: IPv6 users
Post by: currytop on January 11, 2016, 12:29:25 AM
Yes now I understand. Much of what I wrote was probably biased more towards IPv4. In an IPv6 environment hosts can as you say make up their own addresses. I haven't looked at how IPv6 hosts can receive network information before allocation of an 'official' address. Presumably as part of a reserved broadcast domain.

In my own case IPv4 hosts use DHCP, but IPv6 hosts are statically allocated.
Title: Re: IPv6 users
Post by: Weaver on January 11, 2016, 12:38:58 AM
IPv6 boxes can of course just make up their own addresses without any outside assistance. Obviously if they want a global address they need the subnet prefix, so they need to hear an RA for that.

Otherwise they can use FE80::/10 local addresses to get them going communicating inside the LAN. And whatever address type they use, local or global, they can spin the low-order bits for themselves. A host can either choose random bits for its low-order 64 subnet bits, or it can derive a unique address based on its MAC address extended to be 64-bits wide by padding it out.

You probably knew all that already, apol.
Title: Re: IPv6 users
Post by: Weaver on January 11, 2016, 12:47:44 AM
The bit I haven't really understood yet is exactly how hosts are ordered to obey DHCPv6 or are allowed to go their own way. The random addresses I use can be a nightmare for logging and admin purposes. How do you assign rights to them by firewalling?

(My firewall, the Firebrick, can handle MAC addresses in rules, I think, but that isn't a very clean way of doing things as whenever you swap kit out your firewall rules break. Of course in reality this makes no difference to how your boxes go about simply evading your firewall rules by choosing the wrong IPv6 address. If you assign an IP address by a mapping from a MAC address then at least there's only one place to have to mention the MAC address and only one place to have to change things in a swapout, and a firewall rules based on the IP remain valid across a swapout.)
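Added example, not part of the original posts: the M and O flags raised earlier in the thread, and the question above of how hosts are told to use DHCPv6, come down to three bits in the Router Advertisement (RFC 4861): M and O in the RA header and the A (autonomous) flag on each advertised prefix. The sketch below decodes them; the RA packets are constructed samples built by the hypothetical helper `build_ra`, using the 2001:db8::/32 documentation prefix. The flags are hints, and what a host does with them remains its own decision.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type of a Router Advertisement
OPT_PREFIX_INFO = 3      # Prefix Information option

def build_ra(managed, other, prefix, autonomous):
    """Construct a sample RA (checksum left at zero) to feed the parser."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    # type, code, checksum, hop limit, M/O flags, router lifetime, reachable, retrans
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    pflags = 0x80 | (0x40 if autonomous else 0)   # L (on-link) set, A optional
    option = struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                         86400, 14400, 0, net.network_address.packed)
    return header + option

def parse_ra(packet):
    """Decode the M and O flags and the A flag of every advertised prefix."""
    if len(packet) < 16 or packet[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(packet[5] & 0x80), "other": bool(packet[5] & 0x40),
          "slaac_prefixes": [], "no_slaac_prefixes": []}
    offset = 16
    while offset + 2 <= len(packet):
        opt_type, opt_len = packet[offset], packet[offset + 1] * 8
        if opt_len == 0 or offset + opt_len > len(packet):
            raise ValueError("malformed option")
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            addr = ipaddress.IPv6Address(packet[offset + 16:offset + 32])
            net = ipaddress.IPv6Network((addr, packet[offset + 2]), strict=False)
            autonomous = bool(packet[offset + 3] & 0x40)
            ra["slaac_prefixes" if autonomous else "no_slaac_prefixes"].append(str(net))
        offset += opt_len
    return ra

def host_actions(ra):
    """What a host that honours the flags is invited to do."""
    actions = []
    if ra["slaac_prefixes"]:
        actions.append("slaac")             # A=1: make up addresses in the prefix
    if ra["managed"]:
        actions.append("dhcpv6-stateful")   # M=1: addresses are available from DHCPv6
    elif ra["other"]:
        actions.append("dhcpv6-stateless")  # O=1: DHCPv6 for options such as DNS only
    return actions

if __name__ == "__main__":
    samples = {
        "M=1 O=1 A=0": build_ra(True, True, "2001:db8:1:2::/64", False),
        "M=0 O=1 A=1": build_ra(False, True, "2001:db8:1:2::/64", True),
        "M=0 O=0 A=1": build_ra(False, False, "2001:db8:1:2::/64", True),
    }
    for label, packet in samples.items():
        print(label, "->", host_actions(parse_ra(packet)))
```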
Title: Re: IPv6 users
Post by: currytop on January 11, 2016, 11:35:19 AM
I don't think you can 'order' a host to obey DHCPv6 or not. Surely that is something you configure on the host at the same time you determine whether a host is going to use IPv4 or IPv6? I assume you only want to use firewall rules for administration convenience not security. It's very, very easy to spoof both MAC addresses or to change IP address to sidestep such a rule. Doubtless super smart managed switches may support some sort of authentication in order to access services, but I doubt a residential situation warrants the expense, power consumption or noise of such kit.
Title: Re: IPv6 users
Post by: aesmith on April 04, 2016, 01:08:06 PM
> The bit I haven't really understood yet is exactly how hosts are ordered to obey DHCPv6 or are allowed to go their own way. The random addresses I use can be a nightmare for logging and admin purposes. How do you assign rights to them by firewalling?

It appears that Windows and some other OSs may by default disregard the RA settings for address assignment, and instead assign themselves "temporary" addresses. This is explained as a security measure, so you don't expose your devices' MAC addresses (although that doesn't explain why in Windows it also pre-empts manual static configuration, and stateful DHCP assignment). However this might be what you're up against if you're seeing random addresses on your hosts.

http://www.sevenforums.com/tutorials/304071-ipv6-temporary-address-enable-disable.html
https://technet.microsoft.com/en-us/library/cc740203(v=ws.10).aspx

I need to do more because my test rig is over simplistic consisting of just the router and its inbuilt DHCP capability, so doesn't represent a more typical example where the DHCP server would probably not be the default router, and quite likely not a router at all.
Title: Re: IPv6 users
Post by: Weaver on April 04, 2016, 10:14:27 PM
My favourite IPv6 bible is a Microsoft tome, so this may well have strongly influenced my world-view
Title: Re: IPv6 users
Post by: aesmith on April 06, 2016, 09:30:03 AM
Looking a bit more I can see the rationale for those temporary addresses, but clearly it would mess up firewall rules as you say.   As a slight side issue do you use DNS internally?    I was just thinking about how often we access stuff by IP address, and typing full v6 addresses is a pain in the backside, let alone remembering them.   It seems to me that in a full v6 environment DNS would be mandatory for everything (but then the temporary addresses stop you using DNS if I understand correctly).
Title: Re: IPv6 users
Post by: Weaver on April 07, 2016, 12:03:57 AM
I use DNS where I can, for example the router's inward facing IPv6 is statically defined and so can easily be given a matching domain name. But the lack of control over IPv6 address assignments frustrates this completely. Microsoft's approach linking domain names to LLMNR seems so much superior, it's a shame it isn't more widespread.
Title: Re: IPv6 users
Post by: aesmith on April 07, 2016, 08:58:57 AM
But applicable only within one subnet? In that context, although more labour intensive, could you manually create DNS records mapping names to link local addresses, while still using the temporary addresses for Internet traffic?
Title: Re: IPv6 users
Post by: Weaver on April 07, 2016, 09:44:23 AM
It rather depends on what you want to use domain names for. I would like to use domain names in firewall rules in certain cases as friendlier alternatives to literal addresses, but that's doubly impossible at the moment.

The point is, sometimes you care about one or all of the addresses an interface owns.
Title: Re: IPv6 users
Post by: Weaver on April 07, 2016, 09:47:59 AM
You have a far, far friendlier setup when you have a Windows server box taking charge of stringing it all together into a clean sensible well-integrated whole.
Title: Re: IPv6 users
Post by: aesmith on April 07, 2016, 10:53:00 AM
For firewall rules surely you need fixed global addresses?  Which means stateless DHCP, stateful DHCP with reservations,  or manual assignment (and disabling the temporary addresses behaviour on the hosts).   

Considering this further, if the reason for temporary addresses is to avoid disclosing the device's MAC address, then would that be equally answered by stateful DHCP?    If the point is to completely conceal your internal addressing scheme then I can't help thinking that NAT is better - firewall rules could reference fixed inside addresses, then dynamic NAT onto Internet routed outside addresses.  Is there any technical reason why you can't NAT IPv6?
Title: Re: IPv6 users
Post by: aesmith on April 10, 2016, 09:25:37 AM
I seem to have a wee bit of a DHCP issue, which has set my tests back a little.  My router has a fairly simple set of options ... IPv6 DHCP server On or Off,  Stateless or Stateful (with range of i/f addresses), and RA On or Off.   Sounds OK, but it doesn't actually seem to work.   Set to Stateful my Windows PC has only a link local address, but has picked up default gateway and default route.   Change the server type to Stateless and Windows now adds a global address and a temporary address.   No ipv6 DNS servers are issued, in either case, in fact I can't see how these are set on the router in any case.

Testing with a (simulated) Cisco router as DHCP client I can see DHCP requests from the client, but no response.   On the other hand if I set the router to autoconfig, and manually add DNS then it works end to end as a v6 only client.
Title: Re: IPv6 users
Post by: burakkucat on April 10, 2016, 05:44:57 PM
I get confused, very easily, with discussions related to IPv6 and so this is just a simple question asking for clarification . . . When you are experimenting, testing or configuring in an IPv6 environment, do you have everything IPv4 "turned off"?
Title: Re: IPv6 users
Post by: Weaver on April 10, 2016, 07:33:57 PM
I have effectively 'turned everything IPv4 off' by accident, on occasion  when I have set a box's IPv4 address to something rfc 1918
Title: Re: IPv6 users
Post by: aesmith on April 12, 2016, 08:08:46 PM
> I get confused, very easily, with discussions related to IPv6 and so this is just a simple question asking for clarification . . . When you are experimenting, testing or configuring in an IPv6 environment, do you have everything IPv4 "turned off"?

For my tests with GNS3 I only set IPv6 addressing.  My desktop PC is dual stack, but I'm using A&A's gateway IPv6 name servers so it effectively uses ipv6 for anything Internet.   Router is dual stack.   I'm not really on a campaign to eliminate IPv4 from the home, for a start the phone doesn't support IPv6, it's more a learning exercise.

(Should say, DHCPv6 is now working on my (physical) router. Set to Stateful it's dishing out proper global addresses with the correct prefix and my chosen range of Interface IDs. Windows 7 now displays only the Global and Link Local address, no more Temporary addresses.)
Title: Re: IPv6 users
Post by: burakkucat on April 12, 2016, 08:35:15 PM
Thank you (both).

I've still got a lot of learning to do . . .
Title: Re: IPv6 users
Post by: Weaver on April 12, 2016, 08:41:18 PM
It is possible to get rid of all IPv4, and if a user uses A & A's NAT64 servers she can still access the IPv4 Internet. However I still have some kit that doesn't speak IPv6, such as the Siemens N300 VoIP box, an Epson Printer and probably some other kit that I have failed to recall.
Title: Re: IPv6 users
Post by: aesmith on April 19, 2016, 11:15:44 AM
I've done a little reading around on IPv6 addressing design, and I think I'm starting to conclude that the idea of dispensing with NAT is over simplistic.   The issue being the relationship between your addressing and your ISP(s).  Clearly it's quite straightforward for a small organisation with only one Internet connection, and who is prepared to re-number his network if he changes provider.   Add a second Internet connection and it's no longer straightforward, I suspect even if it's the same ISP. 

I'm not completely convinced that PI is the answer, I'm currently digging around to find the full story but it doesn't appear trivial to get an allocation out of RIPE.   Even if it was easy, if everyone uses PI addressing that's going to have a huge impact on the size of routing tables.

Or am I missing something?
Title: Re: IPv6 users
Post by: Weaver on April 20, 2016, 02:56:49 PM
I agree with you, and I'm not sure enough thought has gone into addressing design and renumbering implications in IPv6. Idea: Better software in routers and firewalls might help, where addresses could be treated as relative to some base represented by some symbolic value.
Title: Re: IPv6 users
Post by: aesmith on April 20, 2016, 04:47:06 PM
I think when it comes down to it, NAT in its IPv6 form is going to be the answer.
Title: Re: IPv6 users
Post by: renluop on April 20, 2016, 05:48:12 PM
PI? Please aid the technically challenged among you! :)
Title: Re: IPv6 users
Post by: aesmith on April 20, 2016, 09:38:13 PM
Provider Independent.    Address ranges allocated directly to the end user, not part of their ISP's allocation.   Theoretically this means you can change provider and still keep the same addressing,  or have more than one Internet connection from different ISPs all routing your addresses.   
Title: Re: IPv6 users
Post by: aesmith on April 21, 2016, 05:11:09 PM
Just to amplify that, the point about PI addressing is that you could number potentially all your network using these addresses, then ask any ISP to route them.  So you'd have the ability to route without using NAT, and without being tied to a single ISP, or having to renumber everything if you change ISP.   That's the good bit.

The disadvantage is that if that becomes standard practice, it's going to hugely increase the size of the Internet routing tables. To take an example, if the ISP has a /32 block assigned, this could be used to issue a /48 block to each of 65536 customers, but to the rest of the Internet it's a single route pointing to the ISP. Very different if each of those 65536 customers has their own personal and not necessarily related assignment. Telephone providers must have gone through this pain when number porting came about, and you can no longer look at the first few digits to tell for example a Vodafone number from an O2 one.
Title: Re: IPv6 users
Post by: aesmith on April 22, 2016, 05:39:15 PM
Odd one, I briefly either lost IPv6, or lost the A&A gateway.  Things seemed to lock up, and when I tried a basic ping this is what I got ...

C:\Windows\system32>ping ntp.plus.net

Pinging ntp.plus.net [212.159.13.49] with 32 bytes of data:
Reply from 212.159.13.49: bytes=32 time=27ms TTL=57
Reply from 212.159.13.49: bytes=32 time=23ms TTL=57
Reply from 212.159.13.49: bytes=32 time=24ms TTL=57

Ping statistics for 212.159.13.49:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 23ms, Maximum = 27ms, Average = 24ms


Couple of minutes later it's back.   

C:\Windows\system32>ping ntp.plus.net

Pinging ntp.plus.net [2001:8b0:6464:0:666:616:d49f:d32] with 32 bytes of data:
Reply from 2001:8b0:6464:0:666:616:d49f:d32: time=141ms
Reply from 2001:8b0:6464:0:666:616:d49f:d32: time=120ms
Reply from 2001:8b0:6464:0:666:616:d49f:d32: time=170ms
Reply from 2001:8b0:6464:0:666:616:d49f:d32: time=194ms

Ping statistics for 2001:8b0:6464:0:666:616:d49f:d32:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 120ms, Maximum = 194ms, Average = 156ms

C:\Windows\system32>
Title: Re: IPv6 users
Post by: Weaver on April 23, 2016, 01:18:05 AM
What happens if you try something like ipv6.google.com ? Or any domain name where there is only a AAAA record no A?

The whole business of selecting IPv6 or IPv4 is weird. Lots of websites I have connected to which report the client's IP address report IPv4 first and then if you try again then they report IPv6. It seems to me that the (dynamic) preference selection by either browsers or poss operating system is very odd.
Title: Re: IPv6 users
Post by: aesmith on April 23, 2016, 09:18:22 AM
Good point, I'll check that if it happens again.  This was from a dual stack Windows 7 - my understanding is that it tries IPv6 first, and with A&A special name servers that should always succeed.   In my example there it looks like ntp.plus.net is v4 only, as the v6 address shown there is from A&A.   On the other hand it could have been a glitch at my end, and v4 came back before v6.
Title: Re: IPv6 users
Post by: Chrysalis on April 23, 2016, 10:37:10 AM
unexpected present arrived from hurricane electric today :)

Shall I wear this with pride.

front
(http://www.chrysalisnet.org/20160423_103458.jpg)

back
(http://chrysalisnet.org/20160423_103435.jpg)
Title: Re: IPv6 users
Post by: Weaver on April 23, 2016, 11:29:50 AM
@chrysalis - now I'm impressed. Not much chance of me getting off the bottom of the ladder. My "website" such a paltry thing that it is, is on an IPv4-only *nix server, so an early must-have tickbox can't be ticked.
Title: Re: IPv6 users
Post by: kitz on April 26, 2016, 08:41:38 PM
I don't mess with things like this and usually leave it up to my hosts, but after chrys brought it up once before I asked.
They said they could configure it for me, but something or other which I've forgotten now, which could involve some downtime.

The other reason I didn't bother is SMF (this forum software) only appears to support IPv4.
I don't understand it fully but say weaver he presents an IPv4 address to the software. Yet sometimes I see in the forum logs what I'm assuming must be IPv6, but the software just shows blanks.
Title: Re: IPv6 users
Post by: Weaver on April 28, 2016, 05:41:44 PM
@kitz - I won't be sending you IPv6 packets unless you indicate that you can speak IPv6 by publishing a AAAA record for your webserver in the DNS.
Title: Re: IPv6 users
Post by: aesmith on April 29, 2016, 01:46:51 PM
Sending to an IPv4 only destination, I as the sender see an IPv6 address from within A&A's range with the IPv4 address embedded as the last four bytes.

C:\Windows\system32>nslookup forum.kitz.co.uk
Server:  totd.aa.net.uk
Address:  2001:8b0:6464::1

Non-authoritative answer:
Name:    forum.kitz.co.uk
Addresses:  2001:8b0:6464:0:666:616:b918:6225
          185.24.98.37
C:\Windows\system32>

C:\Windows\system32>ping forum.kitz.co.uk

Pinging forum.kitz.co.uk [2001:8b0:6464:0:666:616:b918:6225] with 32 bytes of data:
Reply from 2001:8b0:6464:0:666:616:b918:6225: time=44ms
Reply from 2001:8b0:6464:0:666:616:b918:6225: time=46ms
Reply from 2001:8b0:6464:0:666:616:b918:6225: time=44ms
Reply from 2001:8b0:6464:0:666:616:b918:6225: time=47ms

Ping statistics for 2001:8b0:6464:0:666:616:b918:6225:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 44ms, Maximum = 47ms, Average = 45ms

C:\Windows\system32>


At the destination, they will see this traffic originating from an IPv4 address, not sure if that's always the same address or whether there's a range. For example if I go to whatsmyip.org it shows my originating address as 90.155.46.46, which is actually A&A's gateway.
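Added example, not part of the original post: the embedding seen in the nslookup output above, worked in both directions, which is handy when client-side logs show only the translated IPv6 destination. The /96 prefix is an assumption inferred from the addresses in the output; the code also goes beyond the thread by handling the other prefix lengths defined in RFC 6052, where the IPv4 bytes skip over byte 8 of the address.

```python
import ipaddress

# Assumption: the translation prefix is the part of the address in the
# nslookup output that precedes the last four bytes.
PAGE_PREFIX = "2001:8b0:6464:0:666:616::/96"
WELL_KNOWN_PREFIX = "64:ff9b::/96"   # RFC 6052 well-known prefix

def v4_byte_positions(prefix_len):
    """Byte offsets in the IPv6 address that carry the four IPv4 bytes."""
    if prefix_len not in (32, 40, 48, 56, 64, 96):
        raise ValueError("RFC 6052 allows /32, /40, /48, /56, /64 and /96 only")
    positions, index = [], prefix_len // 8
    while len(positions) < 4:
        if index != 8:            # bits 64-71 are reserved and skipped
            positions.append(index)
        index += 1
    return positions

def synthesize(prefix, ipv4):
    """What a DNS64 resolver does: embed an IPv4 address in the prefix."""
    net = ipaddress.IPv6Network(prefix)
    raw = bytearray(net.network_address.packed)
    v4 = ipaddress.IPv4Address(ipv4).packed
    for position, value in zip(v4_byte_positions(net.prefixlen), v4):
        raw[position] = value
    return ipaddress.IPv6Address(bytes(raw))

def extract(prefix, ipv6):
    """Recover the IPv4 destination, or None if the address is not translated."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    raw = addr.packed
    return ipaddress.IPv4Address(bytes(raw[p] for p in v4_byte_positions(net.prefixlen)))

def real_destinations(addresses, prefix=PAGE_PREFIX):
    """Annotate logged destinations: translated ones map to IPv4, native ones to None."""
    return {a: extract(prefix, a) for a in addresses}

if __name__ == "__main__":
    print(synthesize(PAGE_PREFIX, "185.24.98.37"))
    print(extract(PAGE_PREFIX, "2001:8b0:6464:0:666:616:b918:6225"))
    print(real_destinations(["2001:8b0:6464:0:666:616:b918:6225",
                             "2001:8b0:6464::1"]))   # second is a native address
```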
Title: Re: IPv6 users
Post by: Chrysalis on April 29, 2016, 01:49:20 PM
root@vps1 unbound # ping6 forum.kitz.co.uk
unknown host
Title: Re: IPv6 users
Post by: Weaver on May 01, 2016, 08:06:13 AM
To explain, aesmith is using Andrews and Arnold's totd server which allows IPv6-only users to see an all-IPv6 view of the Internet, allowing them to access IPv4 servers by converting between IPv4 and IPv6 on the fly.

Kitz won't see any IPv6.
Title: Re: IPv6 users
Post by: Chrysalis on May 01, 2016, 11:50:44 AM
ok so there is some kind of ipv6 <- ipv4 tunnelling service then?
Title: Re: IPv6 users
Post by: Weaver on May 01, 2016, 09:31:11 PM
No. AA offer native IPv6 straight over PPP, with no overhead and no tunnelling, it's just like the way IPv4 is delivered over DSL. There is simply a conversion server that converts the traffic, and also some tricky business with DNS which lies about the non-availability of AAAA records on IPv4-only servers.
Title: Re: IPv6 users
Post by: aesmith on May 01, 2016, 09:40:39 PM
I'd call it NAT rather than a tunnel.
Edit - Weaver said it better
Title: Re: IPv6 users
Post by: Weaver on May 02, 2016, 05:54:37 AM
In contrast, Sixxs and Hurricane Electric offer IPv6 via tunnels of various types. In fact, A & A can do this for you too, in a standards-based way, the same as Hurricane Electric.
Title: Re: IPv6 users
Post by: Chrysalis on May 02, 2016, 08:39:30 AM
> No. AA offer native IPv6 straight over PPP, with no overhead and no tunnelling, it's just like the way IPv4 is delivered over DSL. There is simply a conversion server that converts the traffic, and also some tricky business with DNS which lies about the non-availability of AAAA records on IPv4-only servers.

yes that is a tunnel.
Title: Re: IPv6 users
Post by: aesmith on May 02, 2016, 12:31:53 PM
It's not what I'd call a tunnel because there's no other end of the tunnel.  Native IPv6 hits the gateway, and native IPv4 comes out the other side.   To me a tunnel would be where IPv6 is carried over IPv4 and then comes out of the other end as IPv6 again.

Comparison of coexistence or migration techniques here ...
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/white_paper_c11-676278.html