Benedikt Stockebrand
IPv6 in Practice
A Unixer's Guide to the Next Generation Internet
With 53 Figures
Benedikt Stockebrand
contact@benedikt-stockebrand.net
www.benedikt-stockebrand.net
Library of Congress Control Number: 2006934616
ISBN-10 3-540-24524-3 Springer Berlin Heidelberg New York
ISBN-13 978-3-540-24524-7 Springer Berlin Heidelberg New York
© Springer-Verlag Berlin Heidelberg 2007
Typesetting: By the Author
Production: LE-TEX Jelonek, Schmidt & Vöckler GbR, Leipzig
Cover design: KünkelLopka Werbeagentur, Heidelberg
To my parents
Preface
In the Beginning there was—Frustration
Back in early 2000 I first tried to get seriously started with IPv6. But I
couldn’t find any documentation that helped me to understand how to make
it work in my usual environment. Being swamped with work at my then job
I eventually gave up, frustrated for the first time.
In 2002 Silvia Hagen published the first edition of “IPv6 Essentials” [52].
Expecting a hands-on guide to IPv6 I bought it, only to be frustrated again:
The book told me a lot more about the IPv6 protocol than I expected but
virtually nothing about how to make it work.
This time I didn't give up. I read the book and learned a lot about the underlying concepts. With this knowledge I managed to understand the IPv6-related documentation available for individual Unixen, like Peter Bieringer's Linux IPv6 Howto [10] or the FreeBSD and Solaris online documentation.
It was much like studying mechanical engineering just to learn how to ride a bicycle. So I started teaching others how to get IPv6 up and running at conferences and various training courses. During that time I wrote a first training manuscript and an article series [104, 105, 106] on IPv6 administration.
Since then IPv6 has noticeably matured. Not only have the core protocol specifications become reasonably stable, but the actual implementations have reached a usable state. This made it possible to turn the training course manuscript into something less volatile: The book you are now reading.
What This Book is Not About
But Why You Might Want to Read It Anyway
This book is not about
• basic Unix and TCP/IP network administration,
• what the fifth bit in the fifty-sixth byte of a neighbor discovery request packet means,
• how to make IPv6 work on dedicated router hardware, or Microsoft Windows, or
• any of the fancy new features people talk or write their PhD thesis about but never bother to implement at a production-grade level.
Instead it addresses the Unix-based implementations available today. It tries to tell you how to sit on a bicycle, put your feet on the pedals and get rolling without hurting yourself and innocent bystanders more than necessary—and never mind how that fancy gearbox¹ works.
So if you want to learn about IPv6 by making it work, this book is written for you.
The Unixen Considered
This book itself explains how to configure and run IPv6 on three different
Unixen: Debian GNU/Linux, FreeBSD and Solaris. These three differ in
many respects:
Debian Sarge
Since the Sarge release most applications support IPv6, but Linux in general is still missing some important IPv6 features, like an IPv6-capable port mapper, so some features available with the other Unixen are still missing. Additionally, configuring IPv6 in the network configuration files is still awkward.
There is work underway to replace the current IPv6 implementation with a port of the KAME stack from the BSDs; the project is called USAGI. At this time the USAGI stack is still considered experimental and doesn't generally ship with Linux distributions, so we don't consider it yet.
FreeBSD 6.1
FreeBSD was the primary development environment of the KAME project, which implemented IPv6 for the BSDs.
The IPv6 implementation has been integrated into the system quite smoothly. Some deprecated features, like automatic tunnels, have been silently removed, which may cause occasional problems with older installations that still want to use these features.
Solaris 10
IPv6 support has been available with Solaris for some time and is quite mature. The major drawbacks are that in some cases it doesn't implement all the more recent changes in the specifications and that its handling is sometimes noticeably different than with the other Unixen. 1
Together these three give a fair overview of IPv6 with Unix. Beyond them, a number of other Unixen, as well as updates to the three shown in this book, will be covered in online supplements available from my home page at http://www.benedikt-stockebrand.net/ together with an errata list and an online copy of the book's index. So if your Personal Pet Unix is missing, take a look there and you may find what you need.
¹ See http://www.rohloff.de/en/technical/speedhub/index.html if you really want to know about the gearbox.
How to Read This Book
Since you won’t learn how to ride a bicycle without having a bicycle at hand,
you will need a test environment. It is easiest to use virtual machines, like
Xen or (as in my case) VMware.
Throughout this book you will see a variety of Unixen in a number of test setups, plus a few more Unixen at my home page. I recommend you first stick with your Personal Pet Unix. Dealing with IPv6 will be difficult enough in a few cases; using an unfamiliar Unix at the same time will only cause unnecessary pain.
The chapters are arranged in a way to put things to work as soon as
possible.
The first part deals with fundamental topics that are virtually impossible to skip. There are however sections called either "Inside IPv6" or "Packet Filter Considerations" which you probably want to ignore on first reading. The "Inside IPv6" sections provide some details of the inner workings of IPv6 that are sometimes useful for debugging or just interesting by themselves. The "Packet Filter Considerations" provide additional information necessary to set up a packet filter, from protocol details like port numbers to architectural suggestions.
The following parts address topics that may be irrelevant to you, so feel free to skip whatever you don't need. If you care about security however, a basic understanding of these topics and their security implications is essential, so you want at least to skim these parts.
Finally, there are two appendices, one giving a crash course on DNS administration with BIND and the other providing a list of various well-known addresses and port numbers, plus a bibliography and an index.
Security Considerations
When you do your very first steps with IPv6 you don’t want to bother about
packet filter configuration and other security measures just yet. Neither do
you want to disrupt network operation within your company network.
So please first use IPv6 in a test-only environment disconnected from production environments or the Internet. There are some interactions between IPv4 and IPv6 and we can't deal with them right from the start.
If you really have to start with IPv6 in a production environment, read the first three parts in full, so you know about the most relevant security issues with IPv6 itself and the interactions between IPv4 and IPv6. Only afterwards start to use IPv6 in your environment.
Trying things in a test environment, making them work, and only afterwards dealing with packet filters and other security issues is obviously preferable; use packet filters from the start only if you absolutely have to.
Typographic Conventions
Throughout the book you will find sections that deal with implementation-specific details. They look like this:
Debian Sarge is a Linux distribution particularly popular with Linux administrators and developers.
FreeBSD 6.1 comes with the KAME stack, probably the most complete IPv6 implementation available.
Solaris 10 has implemented IPv6 quite early. IPv6 support is well integrated, but sometimes the handling is slightly unusual. 2
The number at the bottom refers to the related section in the online supplements covering additional implementations.
Shell transcripts (“screen shots”) look like this unfortunate specimen:
# nice --20 rm -rf / &
# fg
^C^C^C^C^C^C^[^[^[^[^[^\^\^\^\^\^\^\^\
Following Bourne shell standards a hash mark ("#") as a prompt indicates that the commands shown must be run as root while a dollar sign ("$") implies that the commands don't require root privileges.
File listings look like this:
/etc/resolv.conf
domain example.com
nameserver 2001:db8::1
Occasionally you will find variables within both shell transcripts and file listings, appearing as "⟨Interface Name⟩". More often however you will find examples like "eth0" instead. The highlighted background marks those items that you will likely need to adapt to your needs or that will look different on your system.
When we’ve set up something, there is usually a checklist following. It
shows how to ensure in a systematic way that everything works as expected.
Let’s say that you have just logged in:
□ Read the "Last logged in" message to make sure nobody else used your account since you last logged in.
□ Check your disk quotas to make sure you still have enough space left.
□ Read your e-mail for messages from your administrator (if you are a user) or your users (if you are an administrator).
These lists usually don’t tell you in detail how to fix a problem, but following
them usually helps either to ensure that something works as expected or to
find out more precisely what the actual problem is.
Network plans look like figure 0.1. Routers are drawn as circles while
hosts (or “non-routers”) are square shaped—we defer the exact definition of
hosts and routers to section 4.3.2. Individual subnets are always drawn as
oblong boxes, even though the coax cabling this presentation is derived from
is rarely used anymore. Contiguous sets of subnets and routers like the Big
Bad Internet above are called clouds and drawn as such.
Fig. 0.1. A sample network plan (figure not reproduced; nodes: Big Bad Internet (BBI), Packet Filtering Router, HTTP Proxy, DNS Proxy, Internal File Server, Standard Clients; subnets: DMZ (192.0.2.0/24), Inner Network (192.168.0.0/24))
Whenever we look at how IPv6 works, we'll see protocol flow diagrams that look like figure 0.2. This example shows the TCP "three way handshake", which applies to IPv6 as well as IPv4.
Fig. 0.2. The TCP three way handshake as a protocol flow diagram (Client → Server: SYN; Server → Client: SYN/ACK; Client → Server: ACK)
Occasionally we do things that are potentially insecure or address security problems in existing implementations. Whenever you see a warning like
For your first attempt to ride a bicycle choose a location easily and quickly accessible to an ambulance but away from major traffic. Make sure to wear a helmet, gloves, properly padded protective clothes and safety goggles.
please make sure you understand what it means before you proceed. Similarly, open problems that are yet unresolved look like this:
?
So far, no reliable strategy is known how to learn bicycling without
getting more or less seriously hurt. Research is still continuing and
there is hope that virtual reality will eventually solve this problem.
Acknowledgments
This book wouldn’t have happened without a number of people who helped
me through a number of difficult stages.
Before I even started to think about writing this book, the unnamed par-
ticipants of various workshops showed me what aspects of IPv6 they were
interested in and let me refine the organization and presentation of IPv6 ad-
ministration in the way that this book is written.
René Schönfeldt and Bert Ungerer convinced me to write an article series for iX magazine and made me believe that it might just be feasible to turn the training manuscripts into a book. Silvia Hagen, who didn't even know me at that time, told me quite honestly that she didn't think it was; she was right in 2004 and almost right in 2006.
Dr Frank Schmidt convinced me to start writing. When he left Springer,
Jutta-Maria Fleschutz took over his job of guiding a certain debutant writer
through the book-writing process and helped me to deliver a printable
manuscript.
All that time the JOIN IPv6 mailing list was a low-volume high-signal
forum that repeatedly helped me out when I was stuck or unsure if I was
heading in the right direction. Especially the discussions with Gert Doering,
Jeroen Massar, Pim van Pelt and the now disbanded JOIN IPv6 team were
immensely helpful to me.
Dr Peter Bieringer, Reiner Krapohl and Wolfgang Zenker spent hours and days of proofreading the raw manuscript, providing a treasure of comments and suggestions. They pointed out various mistakes and a number of ambiguous or just awkward wordings without dispiriting me. Of course, all remaining mistakes are mine alone.
Thank you all for your support.
Darmstadt, July 2006 Benedikt Stockebrand