IPv6

From BitFolk

Some notes about configuring IPv6 at BitFolk.

Your IPv6 assignment

By default customers are assigned a /64 of IPv6 space that starts with 2001:ba8:1f1:. The next four hexadecimal digits will identify your /64. For example:

$ ip -6 addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:ba8:1f1:f004:a800:ff:fe6a:380c/64 scope global 
       valid_lft forever preferred_lft forever

This would indicate that 2001:ba8:1f1:f004::/64 is this customer's assignment.

In this case the address 2001:ba8:1f1:f004:a800:ff:fe6a:380c has been dynamically assigned, but all addresses between 2001:ba8:1f1:f004::2 and 2001:ba8:1f1:f004:ffff:ffff:ffff:ffff are available to the customer for assignment (2^64-2 addresses). 2001:ba8:1f1:f004::1 is used for the IPv6 default gateway.

As with IPv4, your IPv6 assignment is listed in the Panel.

Static IPv6 configuration

You might wish to disable autoconfiguration and statically assign your IPv6 addresses. The typical way to do this is with the files in /proc/sys/ (or equivalent settings using sysctl). The following files in /proc/sys/ are relevant:

/proc/sys/net/ipv6/conf/default/accept_ra
/proc/sys/net/ipv6/conf/all/accept_ra
/proc/sys/net/ipv6/conf/eth0/accept_ra
/proc/sys/net/ipv6/conf/default/autoconf
/proc/sys/net/ipv6/conf/all/autoconf
/proc/sys/net/ipv6/conf/eth0/autoconf

If you echo "0" to all of the above files then IPv6 autoconfiguration will be disabled.

The best way to do this will vary by distribution.

CentOS

Enable IPv6 in /etc/sysconfig/network:

NETWORKING_IPV6=yes

Configure IPv6 in the interface config file, e.g. /etc/sysconfig/network-scripts/ifcfg-eth0:

IPV6INIT=yes
IPV6_AUTOCONF=no
IPV6ADDR=2001:ba8:1f1:f004::2/64
IPV6_DEFAULTGW=2001:ba8:1f1:f004::1

Both of the above are in addition to what's already in those files. They're also case-sensitive, i.e. "yes" works but "YES" doesn't.

After doing this you would then need to reboot or issue service network restart. I'd recommend doing that from the xen shell console though!

Debian/Ubuntu

You could put something like this in /etc/network/interfaces:

iface eth0 inet6 static
    address 2001:ba8:1f1:f004::2
    netmask 64
    gateway 2001:ba8:1f1:f004::1
    post-up echo 0 > /proc/sys/net/ipv6/conf/default/accept_ra
    post-up echo 0 > /proc/sys/net/ipv6/conf/all/accept_ra
    post-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
    post-up echo 0 > /proc/sys/net/ipv6/conf/default/autoconf
    post-up echo 0 > /proc/sys/net/ipv6/conf/all/autoconf
    post-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf

$IFACE is replaced by the name of the interface by the network configuration scripts.

Ubuntu from 18.04 onwards (netplan)

From 18.04 (Bionic Beaver) onwards Ubuntu has switched to using netplan instead of ifupdown. A new install will be configured to use netplan by the installer.

If upgrading, it is recommended that you switch to netplan from ifupdown. While netplan is supposed to ignore any interface that is defined in /etc/network/interfaces, this has been found to be unreliable.

netplan is configured in the /etc/netplan/01-netcfg.yaml file. Here's an example which covers both multiple IPv4 addresses and a basic IPv6 setup.

network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses:
        - "85.119.82.225/21"
        - "85.119.83.73/32"
        - "2001:ba8:1f1:f004::2/64"
      gateway4: "85.119.80.1"
      gateway6: "2001:ba8:1f1:f004::1"
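
A check for the /proc/sys files listed at the start of this section, useful after a reboot to confirm that whichever distribution method you used really left router advertisements and autoconfiguration switched off. This is an added example, not part of the original page; the function names and the choice to skip the loopback interface are assumptions.

```python
from pathlib import Path

KEYS = ("accept_ra", "autoconf")  # the two settings this page sets to 0

def audit_autoconf(conf_root="/proc/sys/net/ipv6/conf", ignore=("lo",)):
    """Return (interface, key, value) for every setting that is not "0".

    Walks all/, default/ and every interface directory, so an interface
    that came up later with kernel defaults is reported as well.
    Skipping "lo" is an assumption of this example, not a rule from the page.
    """
    root = Path(conf_root)
    if not root.is_dir():  # IPv6 not loaded or disabled: nothing to audit
        return []
    findings = []
    for iface_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        if iface_dir.name in ignore:
            continue
        for key in KEYS:
            try:
                value = (iface_dir / key).read_text().strip()
            except OSError:
                value = "unreadable"
            if value != "0":
                findings.append((iface_dir.name, key, value))
    return findings

def sysctl_lines(findings):
    """Turn findings into sysctl.d-style lines that set each value to 0."""
    lines = []
    for iface, key, _ in findings:
        # sysctl writes a dot inside an interface name (eth0.10) as "/"
        lines.append(f"net.ipv6.conf.{iface.replace('.', '/')}.{key} = 0")
    return lines

if __name__ == "__main__":
    found = audit_autoconf()
    for iface, key, value in found:
        print(f"{iface}: {key} = {value} (expected 0)")
    print("\n".join(sysctl_lines(found)) or "autoconfiguration is disabled")
```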

Configuring additional IPv6 addresses

CentOS

In the interface config file, e.g. /etc/sysconfig/network-scripts/ifcfg-eth0, add the following line:

IPV6ADDR_SECONDARIES="2001:ba8:1f1:f004::1337"

Additional secondaries are added as a space separated list:

IPV6ADDR_SECONDARIES="2001:ba8:1f1:f004::1337 2001:ba8:1f1:f004::dead:beef"

Debian/Ubuntu

There isn't a nice way to do this yet like there is for IPv4 addresses, so you're forced to call the ip command from the post-up option. Example:

iface eth0 inet6 static
    address 2001:ba8:1f1:f004::2
    netmask 64
    gateway 2001:ba8:1f1:f004::1
# Disable autoconf
    post-up echo 0 > /proc/sys/net/ipv6/conf/default/accept_ra
    post-up echo 0 > /proc/sys/net/ipv6/conf/all/accept_ra
    post-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
    post-up echo 0 > /proc/sys/net/ipv6/conf/default/autoconf
    post-up echo 0 > /proc/sys/net/ipv6/conf/all/autoconf
    post-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
# Add another IPv6 address
    post-up ip -6 address add 2001:ba8:1f1:f004::1337 dev $IFACE

netplan (Ubuntu 18.04 onwards)

Just add more IPv6 addresses to the addresses: list in the config file (e.g. /etc/netplan/01-netcfg.yaml):

network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses:
        - "85.119.82.225/21"
        - "85.119.83.73/32"
        - "2001:ba8:1f1:f004::2/64"
        - "2001:ba8:1f1:f004::22/128"
      gateway4: "85.119.80.1"
      gateway6: "2001:ba8:1f1:f004::1"

To update the config and then make it live:

$ sudo netplan generate
$ sudo netplan apply

The default IPv6 source address

The source address chosen for IPv6 packets is typically the last one added to the system. This may be undesirable if you are adding addresses that you wish to dedicate to certain services. You can force a particular IPv6 address to be used as source by marking all the other addresses as deprecated. Deprecated addresses will still receive traffic and can still source traffic if they are specifically requested, but by default will not be used as a source address. You mark an IPv6 address as deprecated by setting its preferred_lft to 0.

Deprecating existing addresses

Given the following IPv6 setup:

$ ip -6 addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:db8:1f1:f1eb::2/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1f1:f1eb::53/64 scope global 
       valid_lft forever preferred_lft forever

Here 2001:db8:1f1:f1eb::53 will most likely be used as a source address because it was added last. In order to force 2001:db8:1f1:f1eb::2 to be used, you can use ip address change to deprecate the other one:

# ip -6 addr change 2001:db8:1f1:f1eb::53/64 dev eth0 preferred_lft 0
# ip -6 addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:db8:1f1:f1eb::53/64 scope global deprecated 
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1f1:f1eb::2/64 scope global 
       valid_lft forever preferred_lft forever

To make the change permanent you'll need to set it in your network configuration.

Debian/Ubuntu

iface eth0 inet6 static
# This one is to be the one that is used for outbound traffic by default
    address 2001:ba8:1f1:f004::2
    netmask 64
    gateway 2001:ba8:1f1:f004::1
# Disable autoconf
    post-up echo 0 > /proc/sys/net/ipv6/conf/default/accept_ra
    post-up echo 0 > /proc/sys/net/ipv6/conf/all/accept_ra
    post-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
    post-up echo 0 > /proc/sys/net/ipv6/conf/default/autoconf
    post-up echo 0 > /proc/sys/net/ipv6/conf/all/autoconf
    post-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
# Perhaps you will only use this one for web serving
    post-up ip -6 address add 2001:ba8:1f1:f004::80 dev $IFACE preferred_lft 0
# Add another IPv6 address. If it wasn't for the use of preferred_lft 0 this
# one would probably be the default source address
    post-up ip -6 address add 2001:ba8:1f1:f004::1337 dev $IFACE preferred_lft 0

netplan (Ubuntu 18.04 onwards)

Unfortunately netplan doesn't currently have a way to directly set preferred_lft. A bug has been filed, and in the meantime it is possible to use a systemd-networkd hook script to set the lifetime after the address is added.
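
Whichever mechanism sets the lifetime, it is worth verifying after a reboot that only the intended address is left as a default source. The parser below is an added example, not part of the original page; it reads the text format of ip -6 addr show seen above, and the function names and sample output are constructed for illustration.

```python
import ipaddress
import re

# Matches the "inet6 ADDRESS/LEN scope SCOPE [flags]" lines of `ip -6 addr show`
INET6_RE = re.compile(r"^\s*inet6\s+([0-9a-fA-F:]+)/\d+\s+scope\s+(\S+)(.*)$")

def _norm(address):
    """Canonical text form, so ::0053 and ::53 compare equal."""
    return str(ipaddress.IPv6Address(address))

def source_candidates(ip_output):
    """Return (preferred, deprecated) global addresses found in the output."""
    preferred, deprecated = [], []
    for line in ip_output.splitlines():
        m = INET6_RE.match(line)
        if not m or m.group(2) != "global":
            continue  # link-local and other scopes are not of interest here
        flags = m.group(3).split()
        target = deprecated if "deprecated" in flags else preferred
        target.append(_norm(m.group(1)))
    return preferred, deprecated

def check_default_source(ip_output, wanted):
    """Return a list of problems; empty means only `wanted` is preferred."""
    wanted = _norm(wanted)
    preferred, deprecated = source_candidates(ip_output)
    problems = []
    if wanted in deprecated:
        problems.append(f"{wanted} is deprecated")
    elif wanted not in preferred:
        problems.append(f"{wanted} is not configured")
    problems += [f"{a} is not deprecated" for a in preferred if a != wanted]
    return problems

# Constructed sample: ::80 was added without preferred_lft 0
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:db8:1f1:f1eb::53/64 scope global deprecated
       valid_lft forever preferred_lft 0sec
    inet6 2001:db8:1f1:f1eb::80/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1f1:f1eb::2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::a800:ff:fe6a:380c/64 scope link
       valid_lft forever preferred_lft forever
"""

if __name__ == "__main__":
    print(check_default_source(SAMPLE, "2001:db8:1f1:f1eb::2") or "ok")
```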

Firewalling

Don't forget that you'll need to firewall your IPv6 just like you firewall your IPv4. The tool to do so is ip6tables.

Neighbor Discovery

IPv6 uses neighbor discovery to map IPv6 addresses to Ethernet (MAC) addresses. This replaces the functionality of ARP in IPv4, and as a result means you do need to allow some types of ICMPv6 traffic through if you want anything at all to work:

ip6tables --append INPUT -p ipv6-icmp --icmpv6-type neighbor-advertisement -j ACCEPT
ip6tables --append INPUT -p ipv6-icmp --icmpv6-type neighbor-solicitation  -j ACCEPT

Alternatively you may just want to allow everything on link-local addresses:

ip6tables --append INPUT -s fe80::/10 -j ACCEPT

Router Advertisements

If you wish to allow stateless address autoconfiguration from BitFolk to work then you need to allow the following in your IPv6 firewall:

ip6tables --append INPUT  -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
ip6tables --append OUTPUT -p icmpv6 --icmpv6-type router-solicitation  -j ACCEPT

Preferring IPv4 over IPv6

Sometimes a host has both IPv4 and IPv6 addresses. By default, Linux tends to prefer IPv6. If for some reason you wish to prefer IPv4 addresses then you can do so by adding:

precedence ::ffff:0:0/96 100

at the end of /etc/gai.conf.

Disabling IPv6

If you don't use IPv6 yet then it might be best to explicitly disable it.

Debian

lenny

IPv6 is a module on lenny and earlier but you can't just unload it once it's been loaded. You need to blacklist it from being loaded:

# echo 'blacklist ipv6' >> /etc/modprobe.d/blacklist

Note the append (>>) — this file has useful things in it already.

You will need to reboot for this to take effect.

squeeze or beyond

IPv6 support is built into the kernel on squeeze and beyond. You can disable it with a sysctl, for example:

# echo 'net.ipv6.conf.all.disable_ipv6=1' > /etc/sysctl.d/disableipv6.conf

will disable IPv6 from the next reboot.

Ubuntu

Lucid (10.04 LTS) and onwards are the same as Debian squeeze.

Reverse DNS

Automated IPv6 reverse DNS (default)

By default you have generic automatic reverse DNS for IPv6 that looks a bit like this:

$ dig +noall +answer -x 2001:ba8:1f1:f004::2
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa. 3560 IN PTR 2001-ba8-1f1-f004-0-0-0-2.autov6rev.bitfolk.space.
$ dig +noall +answer -t aaaa 2001-ba8-1f1-f004-0-0-0-2.autov6rev.bitfolk.space
2001-ba8-1f1-f004-0-0-0-2.autov6rev.bitfolk.space. 3600 IN AAAA 2001:ba8:1f1:f004::2

As you can see, it resolves correctly both ways.

Controlling your own IPv6 reverse DNS

If instead you would like to take control of your IPv6 reverse DNS then BitFolk can delegate the reverse DNS for your zone to nameservers you specify. These can all be nameservers you control, or BitFolk can provide up to three of them (you just provide the primary: see the page on secondary DNS for more information.)

The reverse zone for 2001:ba8:1f1:f004::/64 would be called 4.0.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa. You can work this out using dig. For example:

$ dig +noall +question -x 2001:ba8:1f1:f004::1
;1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa. 86371 IN PTR

or sipcalc:

$ sipcalc -ar 2001:ba8:1f1:f004::1/64
-[ipv6 : 2001:ba8:1f1:f004::1/64] - 0

[IPV6 INFO]
Expanded Address        - 2001:0ba8:01f1:f004:0000:0000:0000:0001
Compressed address      - 2001:ba8:1f1:f004::1
Subnet prefix (masked)  - 2001:ba8:1f1:f004:0:0:0:0/64
Address ID (masked)     - 0:0:0:0:0:0:0:1/64
Prefix address          - ffff:ffff:ffff:ffff:0:0:0:0
Prefix length           - 64
Address type            - Aggregatable Global Unicast Addresses
Network range           - 2001:0ba8:01f1:f004:0000:0000:0000:0000 -
                          2001:0ba8:01f1:f004:ffff:ffff:ffff:ffff

[V4INV6]
Expanded v4inv6 address - 2001:0ba8:01f1:f004:0000:0000:0.0.0.1
Compr. v4inv6 address   - 2001:ba8:1f1:f004::0.0.0.1

[IPV6 DNS]
Reverse DNS (ip6.arpa)  -
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa.

-


The 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 part is the record you put in your zone and the 4.0.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa is the name of the zone itself. Here is what a typical BIND-format zone file might look like:

$ORIGIN 4.0.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa.
$TTL 10800      ; 3 hours
@                       IN SOA a.ns.example.com. hostmaster.example.com. (
                             2010122701   ; serial
                                   1800   ; refresh (30 mins)
                                    900   ; retry (15 mins)
                                1209600   ; expire (2 weeks)
                                   3600 ) ; minimum (1 hour)

                                NS a.ns.example.com.
                                NS b.ns.example.com.
                                NS c.ns.example.com.

; Example reverse DNS for 2001:ba8:1f1:f004::1
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR ruminant.ipv6.bitfolk.com.
; Example reverse DNS for 2001:ba8:1f1:f004::1337
7.3.3.1.0.0.0.0.0.0.0.0.0.0.0.0 PTR leetv6.example.com.
; Example reverse DNS for 2001:ba8:1f1:f004::dead:beef:cafe
e.f.a.c.f.e.e.b.d.a.e.d.0.0.0.0 PTR nomnom.example.com.

Put this in a file called, for example, /etc/bind/4.0.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa, and then reference this file from your named.conf:

zone "4.0.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa" {
	type master;
	file "/etc/bind/4.0.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa";
};

You would then need to delegate reverse DNS for this domain to your nameservers. This can be configured from the IPv6 section of the Panel.

You would be advised to use at least two different nameservers in a reverse DNS delegation. If you don't have enough then BitFolk can provide up to three of them; just ask. BitFolk can also provide the only three visible nameservers while taking the zone from your hidden primary if you wish. In that case you would list the three BitFolk servers in the Panel, and if you wish you can firewall your primary server off to BitFolk's internal network only, so that the internet at large can't query it (allow 85.119.80.222, 85.119.80.238, 85.119.80.244, 2001:ba8:1f1:f040::/64 and 2001:ba8:1f1:f25d::/64 on both UDP and TCP).
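
Hand-reversing 16 nibbles per record is where reverse zones usually go wrong, so the split between zone name and record name described above can be computed instead. This is an added example, not part of the original page; it also works for any other nibble-aligned prefix such as a /56, and the function names and classification labels are assumptions of the example.

```python
import ipaddress

def split_reverse(prefix, address):
    """Return (zone, owner) for address inside a nibble-aligned prefix."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(address)
    if net.prefixlen % 4:
        raise ValueError("reverse zones are cut on 4-bit (nibble) boundaries")
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    # 32 hex digits, least significant first, the order ip6.arpa uses
    nibbles = addr.exploded.replace(":", "")[::-1]
    host_len = 32 - net.prefixlen // 4
    zone = ".".join(nibbles[host_len:]) + ".ip6.arpa."
    owner = ".".join(nibbles[:host_len])
    return zone, owner

def usable(prefix, address):
    """Classify an address using the rules this page gives for a /64."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(address)
    if addr not in net:
        return "outside assignment"
    offset = int(addr) - int(net.network_address)
    if offset == 0:
        return "not assignable"      # the usable range starts at ::2
    if offset == 1:
        return "gateway"             # ::1 is the default gateway
    if offset >= net.num_addresses - 128:
        return "reserved anycast"    # last 128 addresses, see the FAQ
    return "ok"

def ptr_lines(prefix, hosts):
    """Build zone-file lines from (address, hostname) pairs."""
    lines = []
    for address, hostname in hosts:
        zone, owner = split_reverse(prefix, address)
        if not lines:
            lines.append(f"$ORIGIN {zone}")
        lines.append(f"; {address} ({usable(prefix, address)})")
        lines.append(f"{owner} PTR {hostname.rstrip('.')}.")
    return lines

if __name__ == "__main__":
    # Constructed input: addresses and names reused from the zone file above
    hosts = [("2001:ba8:1f1:f004::1337", "leetv6.example.com"),
             ("2001:ba8:1f1:f004::dead:beef:cafe", "nomnom.example.com")]
    print("\n".join(ptr_lines("2001:ba8:1f1:f004::/64", hosts)))
```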

Routing IPv6

The standard BitFolk customer assignment of IPv6 is a /64. This will give you plenty of addresses for your VPS, but isn't enough to route IPv6 further. For example, those using their VPS as a VPN server may wish to route an IPv6 network to each of their clients.

It is recommended to use a /64 for each IPv6 network—autoconfiguration won't work if you don't—so if you intend to further route IPv6 then you should contact support to ask for a /56. That will allow up to 256 /64 networks to be routed.

FAQs

I configured an IPv6 address that's all f's and now I can't reach some sites

If you configure an address between ...:ffff:ffff:ffff:ff80 and ...:ffff:ffff:ffff:ffff then you might experience strange routing problems for packets sourced from those addresses.

As per RFC 2526, the last 128 addresses in each subnet are reserved for anycast use. While they might be usable as normal unicast IPv6 addresses, some sites may filter them or they might be used locally.