IPv6 in Practice
A Unixer's Guide to the Next Generation Internet
Benedikt Stockebrand
With 53 Figures

Benedikt Stockebrand
[email protected]
www.benedikt-stockebrand.net

Library of Congress Control Number: 2006934616
ISBN-10 3-540-24524-3 Springer Berlin Heidelberg New York
ISBN-13 978-3-540-24524-7 Springer Berlin Heidelberg New York

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilm or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable for prosecution under the German Copyright Law.

Springer is a part of Springer Science+Business Media
springer.com

© Springer-Verlag Berlin Heidelberg 2007

The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

Typesetting: By the Author
Production: LE-TEX Jelonek, Schmidt & Vöckler GbR, Leipzig
Cover design: KünkelLopka Werbeagentur, Heidelberg
Printed on acid-free paper

To my parents

Preface

In the Beginning there was—Frustration

Back in early 2000 I first tried to get seriously started with IPv6. But I couldn't find any documentation that helped me to understand how to make it work in my usual environment. Being swamped with work at my then job I eventually gave up, frustrated for the first time.

In 2002 Silvia Hagen published the first edition of "IPv6 Essentials" [52]. Expecting a hands-on guide to IPv6 I bought it, only to be frustrated again: The book told me a lot more about the IPv6 protocol than I expected but virtually nothing about how to make it work. This time I didn't give up.
I read the book and learned a lot about the underlying concepts. With this knowledge I managed to understand the IPv6-related documentation available for individual Unixen, like Peter Bieringer's Linux IPv6 Howto [10] or the FreeBSD and Solaris online documentation.

It was much like studying mechanical engineering just to learn how to ride a bicycle. So I started teaching others how to get IPv6 up and running at conferences and various training courses. During that time I wrote a first training manuscript and an article series [104, 105, 106] on IPv6 administration.

Since then IPv6 has noticeably matured. Not only have the core protocol specifications become reasonably stable, but the actual implementations have reached a usable state. This made it possible to turn the training course manuscript into something less volatile: The book you are now reading.

What This Book is Not About But Why You Might Want to Read It Anyway

This book is not about

• basic Unix and TCP/IP network administration,
• what the fifth bit in the fifty-sixth byte of a neighbor discovery request packet means,
• how to make IPv6 work on dedicated router hardware, or Microsoft Windows, or
• any of the fancy new features people talk or write their PhD thesis about but never bother to implement at a production-grade level.

Instead it addresses the Unix-based implementations available today. It tries to tell you how to sit on a bicycle, put your feet on the pedals and get rolling without hurting yourself and innocent bystanders more than necessary—and never mind how that fancy gearbox [1] works.

So if you want to learn about IPv6 by making it work, this book is written for you.

The Unixen Considered

This book itself explains how to configure and run IPv6 on three different Unixen: Debian GNU/Linux, FreeBSD and Solaris.
These three differ in many respects:

Debian Sarge  Since the Sarge release most applications support IPv6, but Linux in general is still missing some important IPv6 features, like an IPv6-capable port mapper, so some features available with the other Unixen are still missing. Additionally, configuring IPv6 in the network configuration files is still awkward.
There is work underway to replace the current IPv6 implementation with a port of the KAME stack from the BSDs; the project is called USAGI. At this time the USAGI stack is still considered experimental and doesn't generally ship with Linux distributions, so we don't consider it yet.

FreeBSD 6.1  FreeBSD was the primary development environment of the KAME project, which implemented IPv6 for the BSDs. The IPv6 implementation has been integrated into the system quite smoothly. Some deprecated features, like automatic tunnels, have been silently removed, which may cause occasional problems with older installations that still want to use these features.

Solaris 10  IPv6 support has been available with Solaris for some time and is quite mature. The major drawbacks are that in some cases it doesn't implement all the more recent changes in the specifications and that its handling is sometimes noticeably different from that of the other Unixen.
1

Together these three give a fair overview of IPv6 with Unix. Beyond them, a number of other Unixen, as well as updates to the three shown in this book, will be covered in online supplements available from my home page at http://www.benedikt-stockebrand.net/ together with an errata list and an online copy of the book's index. So if your Personal Pet Unix is missing, take a look there and you may find what you need.

[1] See http://www.rohloff.de/en/technical/speedhub/index.html if you really want to know about the gearbox.

How to Read This Book

Since you won't learn how to ride a bicycle without having a bicycle at hand, you will need a test environment.
It is easiest to use virtual machines, like Xen or (as in my case) VMware. Throughout this book you will see a variety of Unixen in a number of test setups, plus a few more Unixen at my home page. I recommend you first stick with your Personal Pet Unix. Dealing with IPv6 will be difficult enough in a few cases; using an unfamiliar Unix at the same time will only cause unnecessary pain.

The chapters are arranged in a way to put things to work as soon as possible. The first part deals with fundamental topics that are virtually impossible to skip. There are however sections called either "Inside IPv6" or "Packet Filter Considerations" which you probably want to ignore on first reading. The "Inside IPv6" sections provide some details of the inner workings of IPv6 that are sometimes useful for debugging or just interesting by themselves. The "Packet Filter Considerations" provide additional information necessary to set up a packet filter, from protocol details like port numbers to architectural suggestions.

The following parts address topics that may be irrelevant to you, so feel free to skip whatever you don't need. If you care about security however, a basic understanding of these topics and their security implications is essential, so you want at least to skim these parts.

Finally, there are two appendices, one giving a crash course on DNS administration with BIND and the other providing a list of various well-known addresses and port numbers, plus a bibliography and an index.

Security Considerations

When you do your very first steps with IPv6 you don't want to bother about packet filter configuration and other security measures just yet. Neither do you want to disrupt network operation within your company network.

So please first use IPv6 in a test-only environment disconnected from production environments or the Internet. There are some interactions between IPv4 and IPv6 and we can't deal with them right from the start.
If you really have to start with IPv6 in a production environment, read the first three parts in full, so you know about the most relevant security issues with IPv6 itself and the interactions between IPv4 and IPv6. Only afterwards start to use IPv6 in your environment.

Trying things in a test environment, making them work, and only afterwards dealing with packet filters and other security issues is obviously preferable; use packet filters from the start only if you absolutely have to.

Typographic Conventions

Throughout the book you will find sections that deal with implementation-specific details. They look like this:

Debian Sarge is a Linux distribution particularly popular with Linux administrators and developers.
FreeBSD 6.1 comes with the KAME stack, probably the most complete IPv6 implementation available.
Solaris 10 has implemented IPv6 quite early. IPv6 support is well integrated, but sometimes the handling is slightly unusual.
2

The number at the bottom refers to the related section in the online supplements covering additional implementations.

Shell transcripts ("screen shots") look like this unfortunate specimen:

    # nice --20 rm -rf / &
    # fg
    ^C^C^C^C^C^C^[^[^[^[^[^\^\^\^\^\^\^\^\

Following Bourne shell standards a hash mark ("#") as a prompt indicates that the commands shown must be run as root while a dollar sign ("$") implies that the commands don't require root privileges.

File listings look like this:

    /etc/resolv.conf
    domain example.com
    nameserver 2001:db8::1

Occasionally you will find variables within both shell transcripts and file listings, appearing as "⟨Interface Name⟩". More often however you will find examples like "eth0" instead. The highlighted background marks those items that you will likely need to adapt to your needs or that will look different on your system.

When we've set up something, there is usually a checklist following. It shows how to ensure in a systematic way that everything works as expected.
Let's say that you have just logged in:

□ Read the "Last logged in" message to make sure nobody else used your account since you last logged in.
□ Check your disk quotas to make sure you still have enough space left.
□ Read your e-mail for messages from your administrator (if you are a user) or your users (if you are an administrator).

These lists usually don't tell you in detail how to fix a problem, but following them usually helps either to ensure that something works as expected or to find out more precisely what the actual problem is.

Network plans look like figure 0.1. Routers are drawn as circles while hosts (or "non-routers") are square shaped—we defer the exact definition of hosts and routers to section 4.3.2. Individual subnets are always drawn as oblong boxes, even though the coax cabling this presentation is derived from is rarely used anymore. Contiguous sets of subnets and routers like the Big Bad Internet above are called clouds and drawn as such.

[Fig. 0.1. A sample network plan. Elements shown: Big Bad Internet (BBI); Packet Filtering Router; DMZ (192.0.2.0/24); Inner Network (192.168.0.0/24); HTTP Proxy; DNS Proxy; Internal File Server; Standard Clients]

Whenever we look at how IPv6 works, we'll see protocol flow diagrams that look like figure 0.2. This example shows the TCP "three way handshake", which applies to IPv6 as well as IPv4.

[Fig. 0.2. The TCP three way handshake as a protocol flow diagram: Client → Server: SYN; Server → Client: SYN/ACK; Client → Server: ACK]

Occasionally we do things that are potentially insecure or address security problems in existing implementations. Whenever you see a warning like

    For your first attempt to ride a bicycle choose a location easily and quickly accessible to an ambulance but away from major traffic. Make sure to wear a helmet, gloves, properly padded protective clothes and safety goggles.

please make sure you understand what it means before you proceed. Similarly, open problems that are yet unresolved look like this:

?
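The resolv.conf listing shown under the file-listing convention points at 2001:db8::1. That address lies in 2001:db8::/32, which RFC 3849 reserves for documentation and which is not routed on the Internet, so it is exactly the kind of highlighted value you have to adapt before the file does anything useful. The following is an added example, not code from the book: it parses a resolv.conf and flags the nameserver entries a Unix administrator typically gets wrong when moving to IPv6, namely documentation addresses, link-local addresses without a %zone suffix, IPv4-mapped addresses (which make the resolver speak IPv4 after all), and entries beyond the third, which the glibc and BSD resolvers ignore (MAXNS is 3). The sample file content is constructed; whether the %zone suffix is accepted in resolv.conf depends on your resolver library and is assumed here.

```python
"""Flag IPv6 pitfalls in resolv.conf nameserver entries.

Added example, not code from the book. SAMPLE_RESOLV_CONF is constructed for
illustration; the "%zone" suffix on link-local nameserver addresses is assumed
to be understood by the resolver library on your system.
"""
import ipaddress

# RFC 3849 reserves 2001:db8::/32 for documentation. It is not routed on the
# Internet, so a nameserver inside it is almost certainly an unadapted example
# copied from a book or howto.
DOC_PREFIX = ipaddress.ip_network("2001:db8::/32")

# The glibc and BSD resolvers use only the first MAXNS (3) nameserver entries.
MAXNS = 3

# Constructed sample input: one entry of each kind the checker knows about.
SAMPLE_RESOLV_CONF = """\
domain example.com
nameserver 2001:db8::1
nameserver fe80::1
nameserver fe80::1%eth0
nameserver 192.0.2.53
nameserver ::ffff:192.0.2.53
nameserver not-an-address
"""


def parse_nameservers(text):
    """Return the nameserver arguments in file order.

    Comments (introduced by # or ;) and other keywords such as domain or
    search are ignored, as the resolver itself does.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def classify_nameserver(value):
    """Classify one nameserver argument as a (family, verdict) pair."""
    addr_text, _, zone = value.partition("%")
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return ("invalid", "not an IP address; resolv.conf takes no hostnames")
    if addr.version == 4:
        return ("ipv4", "ok")
    # Order matters: an IPv4-mapped address is neither documentation nor
    # link-local, but it silently turns the query into IPv4 traffic.
    if addr.ipv4_mapped is not None:
        return ("ipv6", "IPv4-mapped address; queries go out over IPv4")
    if addr in DOC_PREFIX:
        return ("ipv6", "2001:db8::/32 is the documentation prefix; adapt it")
    if addr.is_link_local:
        if not zone:
            return ("ipv6", "link-local without %zone; ambiguous with more than one interface")
        return ("ipv6", "ok (link-local, zone %s)" % zone)
    return ("ipv6", "ok")


def check_resolv_conf(text):
    """Return (entry, family, verdict) per nameserver, marking ignored extras."""
    results = []
    for index, entry in enumerate(parse_nameservers(text)):
        family, verdict = classify_nameserver(entry)
        if index >= MAXNS:
            verdict += "; beyond entry %d, ignored by the resolver" % MAXNS
        results.append((entry, family, verdict))
    return results


if __name__ == "__main__":
    for entry, family, verdict in check_resolv_conf(SAMPLE_RESOLV_CONF):
        print("%-22s %-7s %s" % (entry, family, verdict))
```

Run it against a real file with `check_resolv_conf(open("/etc/resolv.conf").read())`; an "ok" verdict only means the address is syntactically plausible for the family, not that the server answers, which is what the book's checklists are for.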
So far, no reliable strategy is known how to learn bicycling without getting more or less seriously hurt. Research is still continuing and there is hope that virtual reality will eventually solve this problem.

Acknowledgments

This book wouldn't have happened without a number of people who helped me through a number of difficult stages.

Before I even started to think about writing this book, the unnamed participants of various workshops showed me what aspects of IPv6 they were interested in and let me refine the organization and presentation of IPv6 administration in the way that this book is written.

René Schönfeldt and Bert Ungerer convinced me to write an article series for iX magazine and made me believe that it might just be feasible to turn the training manuscripts into a book. Silvia Hagen, who didn't even know me at that time, told me quite honestly that she didn't think it was; she was right in 2004 and almost right in 2006.

Dr Frank Schmidt convinced me to start writing. When he left Springer, Jutta-Maria Fleschutz took over his job of guiding a certain debutant writer through the book-writing process and helped me to deliver a printable manuscript.

All that time the JOIN IPv6 mailing list was a low-volume, high-signal forum that repeatedly helped me out when I was stuck or unsure if I was heading in the right direction. Especially the discussions with Gert Doering, Jeroen Massar, Pim van Pelt and the now disbanded JOIN IPv6 team were immensely helpful to me.

Dr Peter Bieringer, Reiner Krapohl and Wolfgang Zenker spent hours and days proofreading the raw manuscript, providing a treasure of comments and suggestions. They pointed out various mistakes and a number of ambiguous or just awkward wordings without dispiriting me. Of course, all remaining mistakes are mine alone.

Thank you all for your support.

Darmstadt, July 2006
Benedikt Stockebrand