Author Topic: IPv6 - should I be fiddling with it?  (Read 3065 times)

Chunkers

  • Reg Member
  • ***
  • Posts: 525
  • Brick Wall head-banger
IPv6 - should I be fiddling with it?
« on: November 13, 2020, 09:54:01 AM »

If a little knowledge is a dangerous thing, then I am in great peril.

I tried enabling DHCP6 on my Zen gateways on my router today and got absolutely nothing in return except 'Pending' on both gateways. I fired a quick email to Zen to ask them if there is a big red IPv6 button or something they need to push.

Without a valid IPv6 address pfSense understandably will not allow me to enable the DHCP6 server on my router ... I think, lol

It's exciting, as a compulsive fiddler who often gets himself in trouble, IPv6 seems to be more complicated than IPv4 and as I have a load balancing system on my router I am wondering how I am going to balance the traffic between two IPv6 connections. The pfSense documentation on this is, er, unclear to me, do I just set up a load balancing with a gateway group the same as IPv4 ... dunno   ::)

Any advice? Or should I leave well alone .....  :P

Chunks

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: IPv6 - should I be fiddling with it?
« Reply #1 on: November 13, 2020, 10:55:46 AM »

Go for it.

You don’t need your own DHCP6 server - don’t bother with it. Your router should just advertise the prefix assigned to your LAN and hosts can spin addresses for themselves based on that prefix. That and/or use local IPv6 addresses where appropriate. Not having the single point of failure of the DHCP server is a very good thing for reliability.

IPv6 is less familiar than IPv4; it's not more complicated. Aside from rock-solid auto-config, some of the other important differences from IPv4 are that multiple addresses per interface are the norm and NAT is a thing of the past.

I have a /48 from my ISP and 2001:8b0:zzzz:0000::/64 is my LAN range. How you obtain your prefix from your ISP depends on the ISP. I simply configure the prefix in my router statically (literally).

Chunkers

  • Reg Member
  • ***
  • Posts: 525
  • Brick Wall head-banger
Re: IPv6 - should I be fiddling with it?
« Reply #2 on: November 13, 2020, 01:10:25 PM »

> Go for it.
>
> You don't need your own DHCP6 server - don't bother with it. Your router should just advertise the prefix assigned to your LAN and hosts can spin addresses for themselves based on that prefix. That and/or use local IPv6 addresses where appropriate. Not having the single point of failure of the DHCP server is a very good thing for reliability.
>
> IPv6 is less familiar than IPv4; it's not more complicated. Aside from rock-solid auto-config, some of the other important differences from IPv4 are that multiple addresses per interface are the norm and NAT is a thing of the past.
>
> I have a /48 from my ISP and 2001:8b0:zzzz:0000::/64 is my LAN range. How you obtain your prefix from your ISP depends on the ISP. I simply configure the prefix in my router statically (literally).

Thanks, that's super helpful, I have some more research to do clearly

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: IPv6 - should I be fiddling with it?
« Reply #3 on: November 13, 2020, 07:32:31 PM »

The main job is just configuring your router which should be simple once you've found the magic runes: turning on router advertisements (RA) in your router and configuring it by specifying the right prefix, which will be a /64, i.e. xxxx:yyyy:zzzz:aaaa::/64. That's assuming your ISP gives you a known static prefix. Ask them if you don't know what it is. (If they give you a dynamic, changing prefix I would say change ISP. That insane situation has been reported in an older thread; can't remember where though.)

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5260
    • Thinkbroadband Quality Monitors
Re: IPv6 - should I be fiddling with it?
« Reply #4 on: November 13, 2020, 07:59:25 PM »

My settings for WAN:
IPv6 Configuration type: DHCP6
Use IPv4 connectivity as parent interface: ticked
DHCPv6 Prefix Delegation size: 48
Send IPv6 prefix hint: ticked
Do not wait for RA: ticked

My settings for LAN:
IPv6 Configuration type: Static IPv6
IPv6 address: static ip within a /64 range that your /48 covers. (I can't remember how I chose this)
Use IPv4 connectivity as parent interface.

I believe it should be possible to get an IPv6 automatically assigned to the LAN, but I could never get that to work.

Once you've done that, you need to add a rule to the Zen firewall to allow all traffic to IPv6, and this is where I wasn't happy.

You then have to go to DHCPv6 Server & RA to enable Router Advertisements, but I can't remember exactly what setting to use here as I have IPv6 disabled on the LAN for now.

The problem I have with IPv6 is having to allow unsolicited traffic to ALL clients, because you do not know which IP address they will be assigned.  To me that lowers security as you have to 100% trust every client is only exposing what it should be and that their firewalls cannot be compromised.

With DHCP6 you can somewhat still do it, by setting static IP addresses and denying incoming connections for clients that shouldn't need it, but not all clients work properly with DHCP6, the Xbox One for example last time I checked changed its UID every cold boot so would get a different IP.

To me it seems IPv6 was just created based on an ideal situation that we don't have in the real world. How is every client getting a random IP address that may change at any time a workable situation on a private LAN?

Maybe I'm missing something, but I haven't found a single explanation for how to secure an IPv6 network as well as an IPv4.
« Last Edit: November 13, 2020, 08:15:18 PM by Alex Atkin UK »
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: IPv6 - should I be fiddling with it?
« Reply #5 on: November 13, 2020, 08:07:13 PM »

Sorry.  ::)  ;D  You certainly are missing something. You need a proper firewall that does what you want - the sane thing.

I don’t firewall individual machines; it’s just handled by my hardware firewall, the Firebrick FB2900.

Your crazy suggestion doesn't work anyway; what if some box decides not to obey dhcp6? I couldn't live with the uncertainty.

The IPv6 address changing system is under control of the o/s and all such o/s’s decide for themselves when they feel happy to spin up new address and remember that the old addresses have not gone away; both old and new are valid until at some point the old one is safe to be dropped. All of the algorithms in a good o/s that handles IPv6 are much improved and generalised to handle multiple addresses per interface properly. In Windows Vista, Microsoft also applied all the new improved algorithms to IPv4 as well as IPv6 as far as possible treating both the same, thus improving the behaviour of IPv4 handling greatly. I remember reading about all the core algorithm rewrites back then.

Whether or not you have dynamic ‘privacy addresses’ or MAC-derived ones or both and/or local address or addresses handed out by DHCPv6 is up to the whim of your particular o/s. I actually don’t know how many o/s support DHCPv6 (and look at the flags in each RA telling the machines whether or not to look for a DHCPv6 server). I can see why corporates might want to use DHCPv6 in order to link in DNS perhaps so they can IPv6-ping hosts. I don’t care about not being able to IPv6-ping my hosts because I can IPv4-ping every host on my LAN anyway and they all have fixed known IPv4 addresses with DNS names assigned. (IPv4 addresses are handed out by DHCP, but the IPv4 address mappings of all known hosts are all fixed, apart from unknown guest machines.)
« Last Edit: November 13, 2020, 08:25:15 PM by Weaver »
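As an added illustration of the RA flags Weaver mentions (this is not code from anyone in the thread, nor from pfSense or the Firebrick), the following Python parses a Router Advertisement, reports whether hosts are being told to use DHCPv6 and/or SLAAC, and shows the predictable modified-EUI-64 address a host without privacy extensions would form from an A-flagged /64. The RA bytes and MAC are constructed, using the 2001:db8::/32 documentation prefix.

```python
import struct
import ipaddress

OPT_PREFIX_INFO = 3    # Prefix Information option (RFC 4861)

def parse_ra(payload: bytes) -> dict:
    """Parse an RA starting at the ICMPv6 header; return flags and prefixes."""
    if len(payload) < 16 or payload[0] != 134:  # ICMPv6 type 134 = RA
        raise ValueError("not a Router Advertisement")
    flags = payload[5]
    ra = {
        "managed": bool(flags & 0x80),   # M: get addresses from DHCPv6
        "other": bool(flags & 0x40),     # O: get DNS etc. from DHCPv6
        "router_lifetime": struct.unpack("!H", payload[6:8])[0],
        "prefixes": [],
    }
    off = 16
    while off + 2 <= len(payload):   # walk TLV options, length in units of 8
        otype, olen = payload[off], payload[off + 1] * 8
        if olen == 0 or off + olen > len(payload):
            raise ValueError("malformed option")
        if otype == OPT_PREFIX_INFO and olen == 32:
            plen, pflags = payload[off + 2], payload[off + 3]
            valid, pref = struct.unpack("!II", payload[off + 4:off + 12])
            addr = ipaddress.IPv6Address(payload[off + 16:off + 32])
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Network((addr, plen), strict=False),
                "on_link": bool(pflags & 0x80),     # L flag
                "autonomous": bool(pflags & 0x40),  # A flag: SLAAC allowed
                "valid": valid, "preferred": pref,
            })
        off += olen  # unknown options (e.g. source link-layer) are skipped
    return ra

def host_addressing(ra: dict) -> str:
    """What the RA tells hosts to do; compare with what you intended."""
    slaac = any(p["autonomous"] for p in ra["prefixes"])
    if ra["managed"]:
        return "dhcpv6+slaac" if slaac else "dhcpv6"
    if slaac:
        return "slaac+dhcpv6-other" if ra["other"] else "slaac"
    return "none"

def slaac_eui64(prefix: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """Address a host without privacy extensions forms from an A-flagged /64."""
    if prefix.prefixlen != 64:
        raise ValueError("SLAAC needs a /64")
    m = bytes.fromhex(mac.replace(":", ""))
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]  # modified EUI-64
    return ipaddress.IPv6Address(prefix.network_address.packed[:8] + iid)

# Constructed sample RA: hop limit 64, M+O set, lifetime 1800 s, a source
# link-layer option, then 2001:db8:1:2::/64 (documentation range) with L+A.
SAMPLE_RA = (
    bytes([134, 0, 0, 0, 64, 0xC0]) + struct.pack("!HII", 1800, 0, 0)
    + bytes([1, 1]) + bytes.fromhex("001122334455")
    + bytes([OPT_PREFIX_INFO, 4, 64, 0xC0]) + struct.pack("!II", 2592000, 604800)
    + bytes(4) + ipaddress.IPv6Address("2001:db8:1:2::").packed
)
```

Feeding it a captured RA (e.g. from tcpdump's ICMPv6 payload) lets you confirm the flags and prefix your router actually advertises, and spot an RA on the LAN that advertises a prefix you never configured.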

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5260
    • Thinkbroadband Quality Monitors
Re: IPv6 - should I be fiddling with it?
« Reply #6 on: November 13, 2020, 08:21:22 PM »

> Sorry.  ::)  ;D  You certainly are missing something. You need a proper firewall that does what you want - the sane thing.
>
> I don't firewall individual machines; it's just handled by my hardware firewall, the Firebrick FB2900.
>
> Your crazy suggestion doesn't work anyway; what if some box decides not to obey dhcp6? I couldn't live with the uncertainty.

Unless you need to remote into a PC on the LAN then of course you're fine, by default it will not be allowing unsolicited incoming connections and you probably won't care what IPv6 address your client is using.

However, games consoles and my server of course DOES need to accept incoming connections, but games consoles do not let you specify a static IPv6 address so how the heck do you achieve that without allowing ALL clients?

Also as I use NFS, how am I supposed to give specific clients different permissions if I do not know what IP address they are going to be?  How do I make sure NFS is not exposed to the open Internet?
« Last Edit: November 13, 2020, 08:24:10 PM by Alex Atkin UK »

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: IPv6 - should I be fiddling with it?
« Reply #7 on: November 13, 2020, 08:37:46 PM »

The latter point about the NFS server is a valid use for DHCPv6. A vast amount of thought over a decade has gone into the design of IPv6 and IPv6-using operating systems; they won’t have missed much. You can either configure the IPv6 addresses statically or use DHCPv6 in that case of yours. Or don’t use IPv6 for NFS. Don’t go IPv6 unless things are set up correctly as IPv6 isn’t compulsory yet and never will be within LANs.

But the crazy firewalling setup urgently needs to be fixed. You could just throw cash at the problem by buying a good hardware firewall (or router that is a firewall).

Some organisations have already gone IPv6-only [!] one example being a large part of Microsoft’s internal corporate network. Now that is hard, because of the need to throw out all the problem kit and software and then find the kit with bugs in it because it does work with IPv6 but assumes there will always also be IPv4. So IPv6 is very definitely corporate-ready and will do everything you want it to do provided you have the right gear and software.

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: IPv6 - should I be fiddling with it?
« Reply #8 on: November 13, 2020, 08:43:02 PM »

> However, games consoles and my server of course DOES need to accept incoming connections, but games consoles do not let you specify a static IPv6 address so how the heck do you achieve that without allowing ALL clients?

I don’t see why there’s a problem here; this is no different from IPv4. You use a stateful hardware firewall/router to protect your LAN and your games console opens a hole in the firewall by sending an outbound packet. If your games console is a server, then you do need to specify a static IP address, be it IPv4 or IPv6; again no difference, unless I’m missing something. I don’t know full details about the particular setup.

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5260
    • Thinkbroadband Quality Monitors
Re: IPv6 - should I be fiddling with it?
« Reply #9 on: November 14, 2020, 06:01:30 AM »

Games consoles are awkward, because traditionally they work on a peer to peer basis so need a whole bunch of ports forwarding, or in the case of IPv6 (since you don't need NAT) open.

This is changing to some extent now as people are exploiting this to DoS people, but I expect it will still be needed for some games.

The problem as I mentioned is that you do not control what IP address is assigned to what client on IPv6, so there seems to be no mechanism to allow for the games console to be effectively in the DMZ while in the same subnet as the rest of the LAN that isn't.  Theoretically DHCP6 can do that, but as I mentioned the Xbox is flawed in that its UID changes every reboot so THAT can't work either. (unless they've fixed it now)

Another problem with IPv6 is how do you handle VPNs? I currently allow incoming traffic to my NAS from the WAN, but outgoing traffic is routed over a VPN. Part of the security of a VPN is due to everyone being NATted to a single public IP (so from the outside it's harder to profile a person to a given activity), so I'm not sure how that would work.

I would like to use IPv6 but it seems at odds with how my network functions.  Although I may play around with putting IPv6 on a VLAN now I have VLAN support on the switch connected to my consoles, though probably only once I have FTTP so the load balancing isn't another issue.

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: IPv6 - should I be fiddling with it?
« Reply #10 on: November 14, 2020, 08:17:28 AM »

Well you have some kit that doesn’t play nice with the way that corporate IPv6 is set up. You need some IPv6 static addresses set up, clearly. Stick to IPv4 with kit that doesn’t handle the corporate-type requirements. My own network has not had NAT in over 12 years and I just don’t buy kit that doesn’t fit in with my requirements.

Don’t go IPv6 until you are ready for it. It doesn’t give many advantages and is slightly slower than IPv4 because of the longer header overhead. Remember it is not compulsory.

Chunkers

  • Reg Member
  • ***
  • Posts: 525
  • Brick Wall head-banger
Re: IPv6 - should I be fiddling with it?
« Reply #11 on: November 14, 2020, 08:54:09 AM »

Finding this thread super informative, thanks guys, my intention was only ever to have a fiddle (and to be honest I am going off the idea!)

One gets the strong impression that the future will need IPv6, so it is interesting to learn about it. I don't have any game consoles but I clearly need to check out whether my firewall is looking after my network properly.

C

skyeci

  • Kitizen
  • ****
  • Posts: 1383
    • Line stats
Re: IPv6 - should I be fiddling with it?
« Reply #12 on: November 14, 2020, 09:25:19 AM »

Am using ipv6 with Zen on opnsense. Works just fine.
Zen will enable it if you want it. Very easy to configure as well.

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: IPv6 - should I be fiddling with it?
« Reply #13 on: November 14, 2020, 09:40:40 AM »

@Alex I don’t really understand the peer-to-peer thing. That is impossible with most domestic firewall-routers because (a) they are firewalls and (b) domestic unclueful users have NAT generally and (c) most users are clueless about networking and network architecture so couldn’t even configure things appropriately anyway if they had the capability.

Forgive my ignorance about this subject though because I have no experience in the area of this kind of software. My network is used for my wife’s business and security overrides everything, so firewalling is draconian. I have no IPv4 NAT, as I said, so the result is that IPv6 seems very like IPv4 to me.

For anyone considering the transition to IPv6, firstly why? Secondly if you want to do it, get your life clean, chuck out the bad kit and software, like ripping off a bandaid, and it might be a useful step to transition to no-NAT IPv4 first, I don't know. That might help sort your mind out.

I didn’t follow the point about VPNs. VPNs don’t care about IPv6 vs IPv4; lots of AA users have VPNs, I’m sure.

AA has one or two IPv6-only users. Now that's hardcore. It's something that AA supports. In such a case those users access the IPv4 internet still but by going through an IPv6 to IPv4 NAT64 translator at AA. The users' hosts do this because their DNS64 service feeds them fake results to DNS lookups that result in IPv4 answers which point to the NAT64 translator instead, I have forgotten the details. See https://tools.ietf.org/html/rfc6147

I went IPv6 in 2010 because I wanted to learn. That meant throwing out routers and two ISPs: Demon (business) and Zen (at different sites). Zen got the boot because they kept on making pathetic excuses about IPv6, in response to my repeated nagging, otherwise I might still be using them. I chose AA because they were by far the most experienced IPv6 ISP around, having even back then run a fully IPv6 capable service for many years. They had spent years nagging BT about bugs that made IPv6 over PPP problematic (corruption of packets [!]) even though BT should have no idea what is inside a PPP PDU as it’s none of their business. But bugs are just bugs and sometimes happen without ‘design awareness’, just being triggered by what is the case in the data in an unusual situation rather than by evil intentional design, like treading on a rotten floorboard.

All modern web browsers prefer IPv6 over IPv4. Why this is, is incomprehensible to me; it should be the other way around, since IPv4 is always faster pari passu. They all now afaik use the 'happy eyeballs' algorithm which races the two IP networks against one another, and then records which is the fastest. It also by design detects ISPs with broken IPv6 and horrid IPv6 Teredo networks.

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: IPv6 - should I be fiddling with it?
« Reply #14 on: November 14, 2020, 09:52:36 AM »

Following Skyeci’s post, I need to point out that of course Zen has now supported IPv6 for several years, but that was way way too late for me back then in 2010, without even a vague eta.

If I have put Chunkers off then that's possibly a good thing. If you really want to learn though, you can try IPv6 out with no cost by using the Hurricane Electric network. See https://tunnelbroker.net/ and they also have a free self-training 'course' or 'certification' in which you do some setup exercises in order to demonstrate that you are now clueful and then at the end you win a large Toblerone. I myself have so far failed in the course because I haven't done enough of the setup that is beyond what I need for my own ordinary requirements.