Kitz Forum

Computers & Hardware => Networking => Topic started by: Chunkers on November 13, 2020, 09:54:01 AM

Title: IPv6 - should I be fiddling with it?
Post by: Chunkers on November 13, 2020, 09:54:01 AM
If a little knowledge is a dangerous thing, then I am in great peril.

I tried enabling DHCP6 on my Zen gateways on my router today and got absolutely nothing in return except 'Pending' on both gateways. I fired a quick email to Zen to ask them if there is a big red IPv6 button or something they need to push.

Without a valid IPv6 address pfSense understandably will not allow me to enable the DHCP6 server on my router ... I think, lol

It's exciting; as a compulsive fiddler who often gets himself in trouble, IPv6 seems to be more complicated than IPv4, and as I have a load balancing system on my router I am wondering how I am going to balance the traffic between two IPv6 connections.  The pfSense documentation on this is, er, unclear to me; do I just set up load balancing with a gateway group the same as IPv4 ... dunno   ::)

Any advice ? Or should I leave well alone .....  :P

Chunks
Title: Re: IPv6 - should I be fiddling with it?
Post by: Weaver on November 13, 2020, 10:55:46 AM
Go for it.

You don't need your own DHCP6 server - don't bother with it. Your router should just advertise the prefix assigned to your LAN and hosts can spin addresses for themselves based on that prefix. That and/or use local IPv6 addresses where appropriate. Not having the single point of failure of the DHCP server is a very good thing for reliability.

IPv6 is less familiar than IPv4; it's not more complicated. Aside from rock-solid auto-config, some of the other important differences from IPv4 are that multiple addresses per interface are the norm and NAT is a thing of the past.

I have a /48 from my ISP and 2001:8b0:zzzz:0000::/64 is my LAN range. How you obtain your prefix from your ISP depends on the ISP. I simply configure the prefix in my router statically (literally).
Title: Re: IPv6 - should I be fiddling with it?
Post by: Chunkers on November 13, 2020, 01:10:25 PM
> Go for it.
>
> You don't need your own DHCP6 server - don't bother with it. Your router should just advertise the prefix assigned to your LAN and hosts can spin addresses for themselves based on that prefix. That and/or use local IPv6 addresses where appropriate. Not having the single point of failure of the DHCP server is a very good thing for reliability.
>
> IPv6 is less familiar than IPv4; it's not more complicated. Aside from rock-solid auto-config, some of the other important differences from IPv4 are that multiple addresses per interface are the norm and NAT is a thing of the past.
>
> I have a /48 from my ISP and 2001:8b0:zzzz:0000::/64 is my LAN range. How you obtain your prefix from your ISP depends on the ISP. I simply configure the prefix in my router statically (literally).

Thanks, that's super helpful, I have some more research to do clearly
Title: Re: IPv6 - should I be fiddling with it?
Post by: Weaver on November 13, 2020, 07:32:31 PM
The main job is just configuring your router which should be simple once you've found the magic runes: turning on router advertisements (RA) in your router and configuring it by specifying the right prefix, which will be a /64 ie xxxx:yyyy:zzzz:aaaa::/64. That's assuming your ISP gives you a known static prefix. Ask them if you don't know what it is. (If they give you a dynamic, changing prefix I would say change ISP. That insane situation has been reported in an older thread; can't remember where though.)
Title: Re: IPv6 - should I be fiddling with it?
Post by: Alex Atkin UK on November 13, 2020, 07:59:25 PM
My settings for WAN:
IPv6 Configuration type: DHCP6
Use IPv4 connectivity as parent interface: ticked
DHCPv6 Prefix Delegation size: 48
Send IPv6 prefix hint: ticked
Do not wait for RA: ticked

My settings for LAN:
IPv6 Configuration type: Static IPv6
IPv6 address: static ip within a /64 range that your /48 covers. (I can't remember how I chose this)
Use IPv4 connectivity as parent interface.

I believe it should be possible to get an IPv6 automatically assigned to the LAN, but I could never get that to work.

Once you've done that, you need to add a rule to the Zen firewall to allow all traffic to IPv6, and this is where I wasn't happy.

You then have to go to DHCPv6 Server & RA to enable Router Advertisements, but I can't remember exactly what setting to use here as I have IPv6 disabled on the LAN for now.

The problem I have with IPv6 is having to allow unsolicited traffic to ALL clients, because you do not know which IP address they will be assigned.  To me that lowers security as you have to 100% trust every client is only exposing what it should be and that their firewalls cannot be compromised.

With DHCP6 you can somewhat still do it, by setting static IP addresses and denying incoming connections for clients that shouldn't need it, but not all clients work properly with DHCP6, the Xbox One for example last time I checked changed its UID every cold boot so would get a different IP.

To me it seems IPv6 was just created based on an ideal situation that we don't have in the real world.  How is every client getting a random IP address that may change at any time a workable situation on a private LAN?

Maybe I'm missing something, but I haven't found a single explanation for how to secure an IPv6 network as well as an IPv4.
Title: Re: IPv6 - should I be fiddling with it?
Post by: Weaver on November 13, 2020, 08:07:13 PM
Sorry.  ::)  ;D  You certainly are missing something. You need a proper firewall that does what you want - the sane thing.

I don't firewall individual machines; it's just handled by my hardware firewall, the Firebrick FB2900.

Your crazy suggestion doesn't work anyway; what if some box decides not to obey dhcp6 ? I couldn't live with the uncertainty.

The IPv6 address changing system is under control of the o/s and all such o/s's decide for themselves when they feel happy to spin up a new address and remember that the old addresses have not gone away; both old and new are valid until at some point the old one is safe to be dropped. All of the algorithms in a good o/s that handles IPv6 are much improved and generalised to handle multiple addresses per interface properly. In Windows Vista, Microsoft also applied all the new improved algorithms to IPv4 as well as IPv6 as far as possible treating both the same, thus improving the behaviour of IPv4 handling greatly. I remember reading about all the core algorithm rewrites back then.

Whether or not you have dynamic 'privacy addresses' or MAC-derived ones or both and/or local address or addresses handed out by DHCPv6 is up to the whim of your particular o/s. I actually don't know how many o/s support DHCPv6 (and look at the flags in each RA telling the machines whether or not to look for a DHCPv6 server). I can see why corporates might want to use DHCPv6 in order to link in DNS perhaps so they can IPv6-ping hosts. I don't care about not being able to IPv6-ping my hosts because I can IPv4-ping every host on my LAN anyway and they all have fixed known IPv4 addresses with DNS names assigned. (IPv4 addresses are handed out by DHCP, but the IPv4 address mappings of all known hosts are all fixed, apart from unknown guest machines.)
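The post above separates MAC-derived addresses from 'privacy' and other opaque ones. The following is an added example, not code from this thread or from any of the operating systems discussed, that builds each kind of 64-bit interface identifier for a constructed MAC address and two constructed /64 prefixes, and shows what a MAC-derived address gives away to anyone who sees it. The interface name, network identifier and secret key fed to the RFC 7217-style stable identifier are placeholders, and that function is simplified (it does not retry on reserved identifier values).

```python
"""IPv6 interface identifiers: MAC-derived (EUI-64) versus opaque ones.

Added example, not code from the thread or from any operating system.
MAC address, prefixes, interface name, network identifier and the 'secret'
are all constructed placeholders.
"""
from __future__ import annotations

import hashlib
import ipaddress
import secrets

SAMPLE_MAC = "00:11:22:33:44:55"            # constructed
PREFIX_HOME = "2001:db8::/64"               # constructed, documentation range
PREFIX_CAFE = "2001:db8:ffff::/64"          # constructed, a second network
IID_MASK = 0xFFFF_FFFF_FFFF_FFFF
UL_BIT = 1 << 57                            # the 0x02 bit of the first IID octet


def eui64_iid(mac: str) -> int:
    """RFC 4291 Appendix A: split the 48-bit MAC, insert ff:fe, flip the
    universal/local bit. Deterministic, so the same host gets the same IID
    on every network it visits."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def mac_from_eui64(addr: str) -> str | None:
    """Recover the MAC from an EUI-64 SLAAC address (None if the ff:fe marker
    is absent). This is what a remote observer can read off such an address:
    the vendor OUI and a host identifier that follows the device around."""
    eui = (int(ipaddress.IPv6Address(addr)) & IID_MASK).to_bytes(8, "big")
    if eui[3:5] != b"\xff\xfe":
        return None
    octets = bytes([eui[0] ^ 0x02]) + eui[1:3] + eui[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def stable_iid(prefix: str, iface: str, network_id: str, secret: bytes,
               dad_counter: int = 0) -> int:
    """RFC 7217-style stable, opaque IID: PRF(prefix, interface, network
    identifier, DAD counter, secret) truncated to 64 bits. Stable on one
    network, unlinkable across networks. Simplified: the RFC also requires
    retrying (bumping dad_counter) if the result is a reserved IID."""
    net = ipaddress.IPv6Network(prefix)
    material = b"|".join([net.network_address.packed[:8], iface.encode(),
                          network_id.encode(), str(dad_counter).encode(), secret])
    return int.from_bytes(hashlib.sha256(material).digest()[:8], "big")


def temporary_iid() -> int:
    """RFC 4941/8981 temporary ('privacy') IID: random, u/l bit cleared,
    regenerated periodically while older addresses linger as deprecated."""
    return int.from_bytes(secrets.token_bytes(8), "big") & ~UL_BIT


def address(prefix: str, iid: int) -> str:
    """Combine a /64 prefix with a 64-bit IID into a compressed address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | (iid & IID_MASK)))


if __name__ == "__main__":
    key = secrets.token_bytes(16)
    for where, pfx in (("home", PREFIX_HOME), ("cafe", PREFIX_CAFE)):
        print(where, "eui64 ", address(pfx, eui64_iid(SAMPLE_MAC)))
        print(where, "stable", address(pfx, stable_iid(pfx, "eth0", where, key)))
        print(where, "temp  ", address(pfx, temporary_iid()))
```

Running it shows the EUI-64 address carrying the same identifier on both networks (and the MAC recoverable from it), while the stable identifier changes with the network and the temporary one changes on every call; a host typically holds several of these at once, which is the "multiple addresses per interface" point made earlier in the thread.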
Title: Re: IPv6 - should I be fiddling with it?
Post by: Alex Atkin UK on November 13, 2020, 08:21:22 PM
> Sorry.  ::)  ;D  You certainly are missing something. You need a proper firewall that does what you want - the sane thing.
>
> I don't firewall individual machines; it's just handled by my hardware firewall, the Firebrick FB2900.
>
> Your crazy suggestion doesn't work anyway; what if some box decides not to obey dhcp6 ? I couldn't live with the uncertainty.

Unless you need to remote into a PC on the LAN then of course you're fine, by default it will not be allowing unsolicited incoming connections and you probably won't care what IPv6 address your client is using.

However, games consoles and my server of course DOES need to accept incoming connections, but games consoles do not let you specify a static IPv6 address so how the heck do you achieve that without allowing ALL clients?

Also as I use NFS, how am I supposed to give specific clients different permissions if I do not know what IP address they are going to be?  How do I make sure NFS is not exposed to the open Internet?
Title: Re: IPv6 - should I be fiddling with it?
Post by: Weaver on November 13, 2020, 08:37:46 PM
The latter point about the NFS server is a valid use for DHCPv6. A vast amount of thought over a decade has gone into the design of IPv6 and IPv6-using operating systems; they won't have missed much. You can either configure the IPv6 addresses statically or use DHCPv6 in that case of yours. Or don't use IPv6 for NFS. Don't go IPv6 unless things are set up correctly as IPv6 isn't compulsory yet and never will be within LANs.

But the crazy firewalling setup urgently needs to be fixed. You could just throw cash at the problem by buying a good hardware firewall (or router that is a firewall).

Some organisations have already gone IPv6-only [!] one example being a large part of Microsoft's internal corporate network. Now that is hard, because of the need to throw out all the problem kit and software and then find the kit with bugs in it because it does work with IPv6 but assumes there will always also be IPv4. So IPv6 is very definitely corporate-ready and will do everything you want it to do provided you have the right gear and software.
Title: Re: IPv6 - should I be fiddling with it?
Post by: Weaver on November 13, 2020, 08:43:02 PM
> However, games consoles and my server of course DOES need to accept incoming connections, but games consoles do not let you specify a static IPv6 address so how the heck do you achieve that without allowing ALL clients?

I don't see why there's a problem here; this is no different from IPv4. You use a stateful hardware firewall/router to protect your LAN and your games console opens a hole in the firewall by sending an outbound packet. If your games console is a server, then you do need to specify a static IP address, be it IPv4 or IPv6; again no difference, unless I'm missing something. I don't know full details about the particular setup.
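The stateful behaviour described above, and the earlier worry about exposing NFS, can be shown as a small policy simulation. This is an added example, not code from the thread or from pfSense: inbound WAN traffic is dropped by default, replies are let in only where an outbound packet created state, and the single pinhole is bound to a server's hand-configured static address and one TCP port. The delegated /64, the server address, the SLAAC client address and the sample packets are all constructed.

```python
"""Stateful IPv6 edge firewall, as a small policy simulation.

Added example, not code from the thread or from pfSense. The delegated /64,
the server's static address, the SLAAC client address and the packets are
all constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

LAN = ipaddress.IPv6Network("2001:db8:abcd:1::/64")     # constructed delegated /64
SERVER = ipaddress.IPv6Address("2001:db8:abcd:1::10")   # hand-configured static address
PINHOLES = {(SERVER, 22)}     # the only (address, TCP port) reachable unsolicited from WAN
NFS_PORT = 2049               # served on the LAN but never opened at the edge


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    direction: str = "in"     # "in" = WAN -> LAN, "out" = LAN -> WAN


class Firewall:
    """Default-deny inbound; state is created only by outbound traffic."""

    def __init__(self) -> None:
        self.state: set[tuple] = set()

    @staticmethod
    def _key(p: Packet) -> tuple:
        # direction-independent 5-tuple so a reply matches its request's state
        ends = sorted([(ipaddress.IPv6Address(p.src), p.sport),
                       (ipaddress.IPv6Address(p.dst), p.dport)])
        return (p.proto, *ends)

    def filter(self, p: Packet) -> str:
        src, dst = ipaddress.IPv6Address(p.src), ipaddress.IPv6Address(p.dst)
        if p.direction == "out":
            if src not in LAN:                 # egress anti-spoofing
                return "drop"
            self.state.add(self._key(p))       # the "hole" the outbound packet opens
            return "pass"
        if src in LAN or dst not in LAN:       # spoofed source, or not for our prefix
            return "drop"
        if self._key(p) in self.state:         # reply to something a LAN host sent
            return "pass"
        if p.proto == "tcp" and (dst, p.dport) in PINHOLES:
            return "pass"                      # the one deliberate exception
        return "drop"                          # everything else, to any client


def demo() -> dict[str, str]:
    """Run constructed traffic through the policy and return the verdicts."""
    fw = Firewall()
    client = "2001:db8:abcd:1:a1b2:c3d4:e5f6:7890"   # SLAAC client, IID not known in advance
    remote = "2001:db8:ffff::53"                      # some Internet host
    attacker = "2001:db8:ffff::bad"
    return {
        "client_out": fw.filter(Packet(client, remote, 51000, 443, direction="out")),
        "reply_in": fw.filter(Packet(remote, client, 443, 51000)),
        "unsolicited_to_client": fw.filter(Packet(attacker, client, 40000, 445)),
        "ssh_to_server": fw.filter(Packet(attacker, str(SERVER), 40001, 22)),
        "nfs_to_server": fw.filter(Packet(attacker, str(SERVER), 40002, NFS_PORT)),
        "spoofed_lan_source": fw.filter(Packet(client, str(SERVER), 40003, 22)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The client's address is never written into a rule: the reply is admitted because the client's own outbound packet created the state entry, and an unsolicited packet to that same client is dropped. The only address that must be known in advance is the server's, which is exactly the host given a static address, and the NFS port stays closed at the edge even for that host.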
Title: Re: IPv6 - should I be fiddling with it?
Post by: Alex Atkin UK on November 14, 2020, 06:01:30 AM
Games consoles are awkward, because traditionally they work on a peer to peer basis so need a whole bunch of ports forwarding, or in the case of IPv6 (since you don't need NAT) open.

This is changing to some extent now as people are exploiting this to DoS people, but I expect it will still be needed for some games.

The problem as I mentioned is that you do not control what IP address is assigned to what client on IPv6, so there seems to be no mechanism to allow for the games console to be effectively in the DMZ while in the same subnet as the rest of the LAN that isn't.  Theoretically DHCP6 can do that, but as I mentioned the Xbox is flawed in that its UID changes every reboot so THAT can't work either. (unless they've fixed it now)

Another problem with IPv6 is how do you handle VPNs?  I currently allow incoming traffic to my NAS from the WAN, but outgoing traffic is routed over a VPN.  Part of the security of a VPN is due to everyone being NATted to a single public IP (so from the outside its harder to profile a person to a given activity), so I'm not sure how that would work.

I would like to use IPv6 but it seems at odds with how my network functions.  Although I may play around with putting IPv6 on a VLAN now I have VLAN support on the switch connected to my consoles, though probably only once I have FTTP so the load balancing isn't another issue.
Title: Re: IPv6 - should I be fiddling with it?
Post by: Weaver on November 14, 2020, 08:17:28 AM
Well you have some kit that doesn't play nice with the way that corporate IPv6 is set up. You need some IPv6 static addresses set up, clearly. Stick to IPv4 with kit that doesn't handle the corporate-type requirements. My own network has not had NAT in over 12 years and I just don't buy kit that doesn't fit in with my requirements.

Don't go IPv6 until you are ready for it. It doesn't give many advantages and is slightly slower than IPv4 because of the longer header overhead. Remember it is not compulsory.
Title: Re: IPv6 - should I be fiddling with it?
Post by: Chunkers on November 14, 2020, 08:54:09 AM
Finding this thread super informative, thanks guys, my intention was only ever to have a fiddle (and to be honest I am going off the idea!)

One gets the strong impression that the future will need IPv6, so it's interesting to learn about it.  I don't have any game consoles but I clearly need to check out whether my firewall is looking after my network properly.

C
Title: Re: IPv6 - should I be fiddling with it?
Post by: skyeci on November 14, 2020, 09:25:19 AM
Am using ipv6 with Zen on opnsense. Works just fine.
Zen will enable it if you want it. Very easy to configure as well.
Title: Re: IPv6 - should I be fiddling with it?
Post by: Weaver on November 14, 2020, 09:40:40 AM
@Alex I don't really understand the peer-to-peer thing. That is impossible with most domestic firewall-routers because (a) they are firewalls and (b) domestic unclueful users have NAT generally and (c) most users are clueless about networking and network architecture so couldn't even configure things appropriately anyway if they had the capability.

Forgive my ignorance about this subject though because I have no experience in the area of this kind of software. My network is used for my wife's business and security overrides everything, so firewalling is draconian. I have no IPv4 NAT, as I said, so the result is that IPv6 seems very like IPv4 to me.

For anyone considering the transition to IPv6, firstly why? Secondly if you want to do it, get your life clean, chuck out the bad kit and software, like ripping off a bandaid, and it might be a useful step to transition to no-NAT IPv4 first, I don't know. That might help sort your mind out.

I didn't follow the point about VPNs. VPNs don't care about IPv6 vs IPv4; lots of AA users have VPNs, I'm sure.

AA has one or two IPv6-only users. Now that's hardcore. It's something that AA supports. In such a case those users access the IPv4 internet still but by going through an IPv6 to IPv4 NAT64 translator at AA. The users' hosts do this because their DNS64 service feeds them fake results to DNS lookups that result in IPv4 answers which point to the NAT64 translator instead, I have forgotten the details. See https://tools.ietf.org/html/rfc6147

I went IPv6 in 2010 because I wanted to learn. That meant throwing out routers and two ISPs: Demon (business) and Zen (at different sites). Zen got the boot because they kept on making pathetic excuses about IPv6, in response to my repeated nagging, otherwise I might still be using them. I chose AA because they were by far the most experienced IPv6 ISP around, having even back then run a fully IPv6 capable service for many years. They had spent years nagging BT about bugs that made IPv6 over PPP problematic (corruption of packets [!]) even though BT should have no idea what is inside a PPP PDU as it's none of their business. But bugs are just bugs and sometimes happen without 'design awareness', just being triggered by what is the case in the data in an unusual situation rather than by evil intentional design, like treading on a rotten floorboard.

All modern web browsers prefer IPv6 over IPv4. Why this is, is incomprehensible to me; it should be the other way around, since IPv4 is always faster pari passu. They all now afaik use the 'happy eyeballs' algorithm which races the two IP networks against one another, and then records which is the fastest. It also by design detects ISPs with broken IPv6 and horrid IPv6 Teredo networks.
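The NAT64/DNS64 arrangement mentioned above can be made concrete. This is an added example, not code from the thread or from any ISP's service: it implements the RFC 6052 address embedding (the well-known prefix 64:ff9b::/96 and the network-specific prefix lengths, including the zero 'u' octet that sits at bits 64-71 for prefixes shorter than /96), the inverse mapping a NAT64 translator performs on the destination of each IPv6 packet, and the DNS64 decision to synthesise an AAAA answer only when a name has none of its own. The DNS records are constructed; the 2001:db8::/32-based prefixes are the documentation prefixes RFC 6052 uses in its own worked table.

```python
"""DNS64 synthesis and NAT64 address mapping (RFC 6147 / RFC 6052).

Added example, not code from the thread or from any ISP's resolver. The DNS
records are constructed; the 2001:db8::/32-based prefixes are the
documentation prefixes RFC 6052 uses in its own examples.
"""
from __future__ import annotations

import ipaddress

WELL_KNOWN_PREF64 = "64:ff9b::/96"            # RFC 6052 well-known prefix
VALID_PREF64_LENGTHS = (32, 40, 48, 56, 64, 96)


def embed_ipv4(pref64: str, ipv4: str) -> ipaddress.IPv6Address:
    """RFC 6052 section 2.2: place the 32 IPv4 bits directly after the prefix.
    For prefixes shorter than /96 the IPv4 bits straddle a zero 'u' octet at
    bits 64-71, and whatever remains of the address is a zero suffix."""
    net = ipaddress.IPv6Network(pref64)
    plen = net.prefixlen
    if plen not in VALID_PREF64_LENGTHS:
        raise ValueError(f"Pref64 length must be one of {VALID_PREF64_LENGTHS}")
    prefix_bits = format(int(net.network_address), "0128b")[:plen]
    v4_bits = format(int(ipaddress.IPv4Address(ipv4)), "032b")
    if plen == 96:
        bits = prefix_bits + v4_bits
    else:
        before_u = 64 - plen                   # IPv4 bits that fit before the u octet
        bits = prefix_bits + v4_bits[:before_u] + "0" * 8 + v4_bits[before_u:]
    return ipaddress.IPv6Address(int(bits.ljust(128, "0"), 2))


def extract_ipv4(pref64: str, addr: str | ipaddress.IPv6Address) -> ipaddress.IPv4Address:
    """The inverse, as the NAT64 translator applies it to the destination of
    an IPv6 packet before emitting the IPv4 packet towards the real host."""
    net = ipaddress.IPv6Network(pref64)
    a = ipaddress.IPv6Address(addr)
    if a not in net:
        raise ValueError("address is not inside the Pref64")
    plen = net.prefixlen
    bits = format(int(a), "0128b")
    if plen == 96:
        v4_bits = bits[96:128]
    else:
        before_u = 64 - plen
        v4_bits = bits[plen:64] + bits[72:72 + 32 - before_u]
    return ipaddress.IPv4Address(int(v4_bits, 2))


def dns64_answer(a_records: list[str], aaaa_records: list[str],
                 pref64: str = WELL_KNOWN_PREF64) -> list[str]:
    """What a DNS64 resolver hands back for an AAAA query (RFC 6147 section
    5): the zone's own AAAA records when it has any, otherwise one synthesised
    AAAA per A record. Synthesised records carry no DNSSEC signature from the
    zone, so a validating stub behind DNS64 has to synthesise for itself or
    trust the resolver."""
    if aaaa_records:
        return [str(ipaddress.IPv6Address(r)) for r in aaaa_records]
    return [str(embed_ipv4(pref64, r)) for r in a_records]


if __name__ == "__main__":
    # constructed lookup: the name has only an A record and the client is IPv6-only
    for rr in dns64_answer(["192.0.2.33"], []):
        print("AAAA", rr, "-> NAT64 forwards to", extract_ipv4(WELL_KNOWN_PREF64, rr))
```

Note that nothing about the synthesised address is secret: any host that can reach the Pref64 can address any IPv4 destination through the translator, so the translator's operator, not the DNS64 resolver, is where the access policy has to live.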
Title: Re: IPv6 - should I be fiddling with it?
Post by: Weaver on November 14, 2020, 09:52:36 AM
Following Skyeci's post, I need to point out that of course Zen has now supported IPv6 for several years, but that was way way too late for me back then in 2010, without even a vague eta.

If I have put Chunkers off then that's possibly a good thing. If you really want to learn though, you can try IPv6 out with no cost by using the Hurricane Electric network. See https://tunnelbroker.net/ and they also have a free self-training 'course' or 'certification' (https://ipv6.he.net/certification/) in which you do some setup exercises in order to demonstrate that you are now clueful and then at the end you win a large Toblerone. I myself have so far failed in the course because I haven't done enough of the setup that is beyond what I need for my own ordinary requirements.
Title: Re: IPv6 - should I be fiddling with it?
Post by: burakkucat on November 14, 2020, 04:21:20 PM
In private discussions with Weaver over the past years, I have tried to understand IPv6 but have comprehensively failed (other than the basics).  :-[  So I remain IPv4 only, whilst waiting for IPv8 to be developed and released.
Title: Re: IPv6 - should I be fiddling with it?
Post by: Alex Atkin UK on November 14, 2020, 04:56:09 PM
> @Alex I don't really understand the peer-to-peer thing. That is impossible with most domestic firewall-routers because (a) they are firewalls and (b) domestic unclueful users have NAT generally and (c) most users are clueless about networking and network architecture so couldn't even configure things appropriately anyway if they had the capability.

Basically they depend on enough users having uPNP enabled on their router so that those users can host game sessions.  PC gaming has the same issue I believe, except it's even more cryptic as there is no standard for incoming port usage.

In theory, Xbox uses IPv6 Teredo but god knows how that actually works in practice.
Title: Re: IPv6 - should I be fiddling with it?
Post by: Weaver on November 14, 2020, 09:31:42 PM
For Burakkucat I have not done all the work in explaining it well. I ought to take a look at wikipedia on the subject. I recommend that Hurricane Electric 'practicals' course to you, a good way to learn and you don't need an IPv6 ISP.

@Alex I see; the games use uPnP to manipulate NAT. Have never used it; wouldn't allow it. I don't want anyone DOSing me or trying to break into my machines or eating my CPU time.

Teredo does work (for me); I tried it out on Windows Vista / 7. It's really clever. Hurricane Electric provided the network for Microsoft when I tried it. Whenever you fire up an app that needs IPv6 in Windows and the internet connection is IPv4-only, then it starts Teredo to make the app run.

An example of such an app was Windows Live messenger (RIP?) which was IPv6-only and used peer-to-peer with firewall-busting of some sort iirc. They used IPv6 because that was the sane way to get peer-to-peer to work in any environment. That started Teredo whenever necessary.
Title: Re: IPv6 - should I be fiddling with it?
Post by: Alex Atkin UK on November 15, 2020, 03:09:11 AM
Yeah I don't get if/when Teredo kicks in as it certainly doesn't for web browsing.  I guess it's only for Microsoft's own services or things that might not support IPv4?
Title: Re: IPv6 - should I be fiddling with it?
Post by: Weaver on November 15, 2020, 07:19:10 AM
I'm not sure. I suspect that any app that demands IPv6 connectivity will kickstart Teredo and web browsers don't; they just check to see if IPv6 is available rather than demanding it. Either that or Windows Live Messenger explicitly started Teredo and I was wrong in my assumption. I may have read something in Microsoft's core networking blog.
Title: Re: IPv6 - should I be fiddling with it?
Post by: Chunkers on November 15, 2020, 09:22:10 AM
Hmm, so IPv6 is not the natural successor to IPv4 that I thought it was?  I think I need to get back in my box ....  ;)
Title: Re: IPv6 - should I be fiddling with it?
Post by: Weaver on November 15, 2020, 10:00:53 AM
I think that it should be all about wanting to self-educate right now and no other reason unless you are a business network owner.

It certainly is the natural successor, but people are being very slow in cleaning up their act. We will start to see more and more adoption of IPv6 by corporates as, like Microsoft, they don't want to pay $10-20 per seat for IPv4 addresses even if they can get them at all. Their server farms are needing IPv4 'real' global addresses of course unlike the corporates who use NAT and 10.0.0.0/8 addresses internally. Mobile networks will wake up now and one day start using IPv6 rather than having to deal with the nightmare that is CGNAT and all the potential screw-ups that it entails.

But the point is you have time. You can start using the first IPv6-only websites, some of which have already been around for ten years. Like http://loopsofzen.co.uk which is IPv6-only, at 2001:8b0:0:30::666:102 - In decades' time, more and more will start to appear when all users have IPv6 and the IPv4-only fraction starts to go down and down to a safe-considered level.

If you have problem kit, just get rid of it if needed. With a decent modern router and a sane IPv6 ISP, it's incredibly easy to get going and you can put your toe in the water first by using the Hurricane Electric tunnelbroker.net tunnel I mentioned earlier, which is free. I just filled out the RA element in the XML config in my Firebrick and specified the prefix for my LAN (which is 2001:8b0:xxxx:0::/64) and it all just worked.

I have tried out IPv6-only, which is indeed hardcore, on a hosted Raspberry Pi hosted by Mythic Beasts (https://www.mythic-beasts.com/order/rpi/), which has no IPv4 address. That will make a very interesting experiment for you !

One thing you can do is:- don't buy non-ipv6 kit or software; vote with your feet, or even better moan at manufacturers/authors/ISPs. Like I did with Zen. And even with AA: I have repeatedly moaned at them about the lack of IPv6 on their 4G data SIMs, although it's not something that they can easily fix as they are at the mercy of their stupid service providers AQL and/or Three.
Title: Re: IPv6 - should I be fiddling with it?
Post by: Alex Atkin UK on November 15, 2020, 06:50:58 PM
Indeed, my VPS provider charges extra for IPv4 while providing IPv6 as standard.  I'd imagine IPv4 is going to get more and more expensive as companies use up their allocation.