IPv6

From BitFolk
Revision as of 15:40, 7 February 2011 by Strugglers (talk | contribs) (→‎CentOS: Restart networking)
Jump to navigation Jump to search

Some notes about configuring IPv6 at BitFolk.

Your IPv6 assignment

By default customers are assigned a /64 of IPv6 space that starts with 2001:ba8:1f1:. The next four hexadecimal digits will identify your /64. For example: 

$ ip -6 addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:ba8:1f1:f004:a800:ff:fe6a:380c/64 scope global 
       valid_lft forever preferred_lft forever

This would indicate that 2001:ba8:1f1:f004::/64 is this customer's assignment.

In this case the address 2001:ba8:1f1:f004:a800:ff:fe6a:380c has been dynamically assigned, but all addresses between 2001:ba8:1f1:f004::2 and 2001:ba8:1f1:f004:ffff:ffff:ffff:ffff are available to the customer for assignment (264-2 addresses). 2001:ba8:1f1:f004::1 is used for the IPv6 default gateway.

Disabling autoconfiguration

You might wish to disable autoconfiguration and statically assign your IPv6 addresses. The typical way to do this is with the files in /proc/sys/ (or equivalent settings using sysctl). The following files in /proc/sys/ are relevant: 

/proc/sys/net/ipv6/conf/default/accept_ra
/proc/sys/net/ipv6/conf/all/accept_ra
/proc/sys/net/ipv6/conf/eth0/accept_ra
/proc/sys/net/ipv6/conf/default/autoconf
/proc/sys/net/ipv6/conf/all/autoconf
/proc/sys/net/ipv6/conf/eth0/autoconf

If you echo "0" to all of the above files then IPv6 autoconfiguration will be disabled.

The best way to do this will vary by distribution.

CentOS

Enable IPv6 in /etc/sysconfig/network: 

NETWORKING_IPV6=yes

Configure IPv6 on the interface config file, e.g. /etc/sysconfig/network-scripts/ifcfg-eth0: 

IPV6INIT=yes
IPV6ADDR=2001:ba8:1f1:f004::2/64
IPV6_DEFAULTGW=2001:ba8:1f1:f004::1

Both of the above are in addition to what's already in those files. They're also case-sensitive, i.e. "yes" works but "YES" doesn't.

After doing this you would then need to reboot or issue service network restart. I'd recommend doing that from the xen shell console though!

Debian/Ubuntu

You could put something like this in /etc/network/interfaces: 

iface eth0 inet6 static
    address 2001:ba8:1f1:f004::2
    netmask 64
    gateway 2001:ba8:1f1:f004::1
    post-up echo 0 > /proc/sys/net/ipv6/conf/default/accept_ra
    post-up echo 0 > /proc/sys/net/ipv6/conf/all/accept_ra
    post-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
    post-up echo 0 > /proc/sys/net/ipv6/conf/default/autoconf
    post-up echo 0 > /proc/sys/net/ipv6/conf/all/autoconf
    post-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf

$IFACE is replaced by the name of the interface by the network configuration scripts.

Configuring additional IPv6 addresses

Debian/Ubuntu

There isn't a nice way to do this yet like there is for IPv4 addresses, so you're forced to call the ip command from the post-up option. Example: 

iface eth0 inet6 static
    address 2001:ba8:1f1:f004::2
    netmask 64
    gateway 2001:ba8:1f1:f004::1
# Disable autoconf
    post-up echo 0 > /proc/sys/net/ipv6/conf/default/accept_ra
    post-up echo 0 > /proc/sys/net/ipv6/conf/all/accept_ra
    post-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
    post-up echo 0 > /proc/sys/net/ipv6/conf/default/autoconf
    post-up echo 0 > /proc/sys/net/ipv6/conf/all/autoconf
    post-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
# Add another IPv6 address
    post-up ip -6 address add 2001:ba8:1f1:f004::1337/64 dev $IFACE

The default IPv6 source address

The source address chosen for IPv6 packets is typically the last one added to the system. This may be undesirable if you are adding addresses that you wish to dedicate to certain services. You can force selection of a given IPv6 source address by giving it a longer prefix than anything else on the system; /128 for example.

Debian/Ubuntu

iface eth0 inet6 static
# Perhaps you will only use this one for web serving
    address 2001:ba8:1f1:f004::80
    netmask 64
    gateway 2001:ba8:1f1:f004::1
# Disable autoconf
    post-up echo 0 > /proc/sys/net/ipv6/conf/default/accept_ra
    post-up echo 0 > /proc/sys/net/ipv6/conf/all/accept_ra
    post-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
    post-up echo 0 > /proc/sys/net/ipv6/conf/default/autoconf
    post-up echo 0 > /proc/sys/net/ipv6/conf/all/autoconf
    post-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
# This one is to be the one that is used for outbound traffic by default
    post-up ip -6 address add 2001:ba8:1f1:f004::dead:beef:cafe/128 dev $IFACE
# Add another IPv6 address. If it wasn't for the above one using /128 then this would be the default source IPv6 instead
    post-up ip -6 address add 2001:ba8:1f1:f004::1337/64 dev $IFACE

Firewalling

Don't forget that you'll need to firewall your IPv6 just like you firewall your IPv4. The tool to do so is ip6tables.

Disabling IPv6

If you don't use IPv6 yet then it might be best to explicitly disable it.

Debian

lenny

IPv6 is a module on lenny and earlier but you can't just unload it once it's been loaded. You need to blacklist it from being loaded: 

# echo 'blacklist ipv6' >> /etc/modprobe.d/blacklist

Note the append (>>) — this file has useful things in it already.

You will need to reboot for this to take effect.

squeeze or beyond

IPv6 support is built into the kernel on squeeze and beyond. You can disable it with a sysctl, for example: 

# echo 'net.ipv6.conf.all.disable_ipv6=1' > /etc/sysctl.d/disableipv6.conf

will disable IPv6 from the next reboot.

Ubuntu

Lucid (10.04 LTS) and onwards are the same as Debian squeeze.

Reverse DNS

By default you have no reverse DNS for IPv6. BitFolk will delegate the reverse DNS for your zone to nameservers you specify. These can all be nameservers you control, or BitFolk can provide up to three of them (you just provide the master).

The reverse zone for 2001:ba8:1f1:f004::/64 would be called 4.0.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa. You can work this out using dig. For example: 

$ dig +noall +question -x 2001:ba8:1f1:f004::1
;1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa. 86371 IN PTR

The 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 part is the record you put in your zone and the 4.0.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa is the name of the zone itself. Here is what a typical BIND-format zone file might look like: 

$ORIGIN 4.0.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa.
$TTL 10800      ; 3 hours
@                       IN SOA a.ns.example.com. hostmaster@example.com. (
                             2010122701   ; serial
                                   1800   ; refresh (30 mins)
                                    900   ; retry (15 mins)
                                1209600   ; expire (1 week)
                                   3600 ) ; minimum (20 mins)

                                NS a.ns.example.com.
                                NS b.ns.example.com.
                                NS c.ns.example.com.

; Example reverse DNS for 2001:ba8:1f1:f004::1
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR ruminant.ipv6.bitfolk.com.
; Example reverse DNS for 2001:ba8:1f1:f004::1337
7.3.3.1.0.0.0.0.0.0.0.0.0.0.0.0 PTR leetv6.example.com
; Example reverse DNS for 2001:ba8:1f1:f004::dead:beef:cafe
e.f.a.c.f.e.e.b.d.a.e.d.0.0.0.0 PTR nomnom.example.com.

You would then need to contact BitFolk support and ask for 4.0.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa to be delegated to your three nameservers {a,b,c}.ns.example.com.

You would be advised to use at least two different nameservers in a reverse DNS delegation. If you don't have enough then BitFolk can provide up to three of them, just ask. BitFolk can also provide the only three visible nameservers while taking the zone from your hidden master if you wish.

Retrieved from "https://tools.bitfolk.com/w/index.php?title=IPv6&oldid=119"