IPv6 at home, Part 1: Overview, Teredo

[Edit 2010-02-25 – adding some forward links to the other parts of this series. Rewrote parts – no more mention of how slow Teredo is (it’s not), and some updated comments to reflect the state of ipv6 in 2010]

This blog post is part of a series on ipv6. In this part, I provide an overview of ipv6 and look at Teredo, the technology built into Windows Vista/7; in part 2, I look at AYIYA tunnels through aiccu, using sixxs net as a tunnel broker. Part 2.5 is a collection of useful ipv6 tidbits, and part 3 gets back to the original plan: Exploring ipv6 connectivity options – in this case, the tunnel offered by gogonet.

NB: The tunnel described in part 3 is a lot easier to set up than Teredo. It was never my intent to advocate the use of Teredo as the prevalent way to connect a machine to IPv6. I started with it in this series precisely because I thought it would be the least comfortable option. In hindsight, I should probably have started with the easy button.

Part 4 describes Hurricane Electric 6in4 tunnels, and part 4.1 shows how to set one up on a Juniper ScreenOS device. [JunOS tunnels, as opposed to ScreenOS tunnels, are shaky at this point, they work in 10.3r1, but not in 10.2r3 or 10.4r1. I may describe them when this situation has settled down a bit]

For a corporate environment, I take a look at ipv6 renumbering. If you are planning to deploy ipv6 in your network, you need to think about this.

Overview

I’ve been running IPv6 at home since January 2008. When I took the plunge, I did so mainly to learn about the technology in preparation of it being adopted in the field. Factors that made me finally take this step in January 2008, as opposed to pondering it since January 2001, were:

• The government mandate to deploy IPv6 in federal networks, while weak, will undoubtedly bring IPv6 adoption into some enterprises. When this happens, I want to be ready, and I want my team to be ready, so we can capitalize on our knowledge and can claim to have been running IPv6 since early 2008.
• We’re deploying Juniper SSG-5 firewalls at our techies’ homes, and these little boxes do now support IPv6 with the release of software version 6.0.0. I could have been running IPv6 using a software client, but that would have done little to prepare me for seeing it deployed in an environment I will actually encounter – namely, hardware firewalls and routers.
• Four of the Internet DNS root servers are now reachable through IPv6. For the first time ever, this would allow a connection between IPv6 hosts that relies purely on IPv6. This is less a technical concern than a measure of where we are with IPv6: The root servers were the last “you can’t DO IPv6 without IPv4 first” holdout, and that’s gone now. When the root servers, who are very conservative, move, it’s time for mere mortals to test the waters, too.

Since most folk won’t have IPv6-capable hardware firewalls at home, I will talk about host – specifically, PC – based solutions to connect to IPv6 sites to start out with.

All right, starting with: What is IPv6, and why do I care? At its core, IPv6 is simply “more address space”. The “old way” of addressing, called IPv4, with its 32-bit address space, is running out of space to use, even with the use of NAT. Predictions claim we may run out of space as early as 2012, though I would not be surprised to see us “hang on” a little longer. IPv6 in contrast has a 128-bit address space, which is ridiculously huge.

This has some implications:

• IPv6 will rely on DNS to an even greater degree than IPv4. Let me take the example of go6.net. Its IPv6 address is 2001:5c0:0:1::6. The ‘::’ is a way of saying “multiple zeros here” in IPv6, to shorten writing it. That’s actually a fairly neat and short address, but still hard to memorize. A less ‘neat’ address may look like 2001:470:1f06:223:bd6f:6f5c:a458:2802. Good luck memorizing that one. We’ll need names, and good reverse DNS, and good DDNS.
• Because we have so much address space now, IPv6 does away with IPv4-style subnetting. In IPv6, every subnet is a /64. That is 16 quintillion addresses, up from 4 billion in the entire IPv4 range. And that’s just for one subnet. The goal is to avoid the pain of different-sized subnets – needing to wrestle with /26, /28 and /29 – and the even greater pain of having to change subnets, say going from a /29 to a /28 because you ran out of space and have now a few machines more than you envisioned. The IPv6 /64 subnet range is envisioned to cover all devices that could possibly be hooked up to the physical medium that carries that subnet.
• “Leaf nodes” – that is, sites that aren’t large carrier-grade – will receive a /48, which can then be carved up into individual /64s. This will allow for 65,000+ subnets per site, which will be plenty even for large corporations. A /48 is also what you might receive at home, depending on how you connect to IPv6.
• Lots of address space also means we don’t need private addresses any more. This does away with NAT, which makes life hugely simpler for applications. VPNs become easier, and protocols that embed IP information – notoriously, all the VOIP stuff like H.323 and SIP, as well as Microsoft’s SMB file-sharing protocol – also benefit. As do P2P and game applications, BTW – no more need to configure “port forwards” for these. This also means that firewalling is a must. While NAT was never meant to be a security feature, PAT or Hide-NAT in particular, as implemented in home routers, was often touted as a “firewall” feature by vendors, because by its nature, it disallows incoming connections. There are huge application-level challenges in interop, too, and I’ll get to those.

So, how does an IPv6 host talk to an IPv4 host, or vice versa? The answer is “with difficulty”, if at all. Proposals for rewriting addressing on-the-fly are technically brittle. Particularly when it comes to those applications mentioned that embed IP addresses, like H.323 and SIP and SMB, rewriting that data stream is not very feasible, and not at all scalable. The best idea proposed so far has been to “dual-stack” IPv6-capable equipment: Any given host would have both an IPv6 address and an IPv4 address. It will talk to IPv4 hosts using IPv4, and to IPv6 hosts using IPv6. That is a workable way around those application-level interop challenges. At some point, of course, one would have to either phase out IPv4 or bite the bullet and do application-layer translation for those clients that are still IPv4-only.

For DNS, what you need to know is:

• IPv4 records are A records, IPv6 records are AAAA records. Any given host can have one, the other, or both. go6.net has both, google.com has only IPv4, and IPv6-only hosts such as ipv6.google.com are extremely rare right now. Who in their right mind, after all, would limit content to a tiny portion of the Internet users.
• Windows XP will always use IPv4 to query DNS servers. Even to get an AAAA record, the actual query will run over IPv4. Windows Vista can run IPv6-native and query DNS over IPv6.
• Both Windows XP and Windows Vista will advertise their IPv6 address as a DDNS update. If you run your own DNS server at home and it is IPv6-capable, it should pick up the addresses of your IPv6 hosts.

Connecting to IPv6

Alright, so how do you connect to, say, a web server, using IPv6? Your home router does not know IPv6, and even if it does, your ISP’s router is most likely not configured for IPv6, and would not forward your IPv6 packets. Therefore, you have three ways to get to IPv6 hosts, two of which are actually going to be available for most people at this point.

1. Native IPv6. Your ISP supplies you with IPv6 address space and does all the hard work for you. Rejoice, you are done! Just that, as of this writing, unless you live in France or near one of these ISPs, you are pretty much out of luck. Comcast and other cable providers are starting to make noises about DOCSIS 3.0, which is IPv6-capable, but that is years out. [Edit] Or rather, was years out in 2008 – Comcast is now trialing ipv6 for consumers, with rollout planned in a 2011/2012 timeframe. If you have Verizon FiOS in your area, you’ll get DOCSIS 3.0 earlier – though not necessarily with IPv6 right away. If there’s no FiOS, don’t expect DOCSIS 3.0 very soon. We need other ways of connecting – of tunneling IPv6 traffic through an IPv4 network in some way shape or form.
2. Use a tunnel broker. This is actually going to be your best bet for connecting to IPv6, which is why, perversely, I’ll discuss it in more detail in a later post. Tunnel brokers available are SixXS , which supports both hardware (static) and software/client (heartbeat, AYIYA) tunnels and gives you a full /48; Hurricane Electric, which is more geared towards static (hardware) tunnels and gives you one /64 subnet now also offers a /48; Gogonet/Freenet6, who have their own proprietary way of traversing NAT and are really easy to set up; and Earthlink R&D, which is very specialized: You connect using a custom firmware for a Linksys WRT54G router, and get a /64. Earthlink would be a good choice if you wanted to run IPv6 on your home router, not your home PC, and you don’t have a Cisco / Juniper / what-have-you at home. I’d expect most people to go with Freenet6 or SixXS and use their software client. I’m set up with Hurricane right now, but for a client setup, I’d choose Freenet6.
   There’s also the Apple Airport Extreme, which handles IPv6 tunnels without exposing any of the nuts-and-bolts to the user. [Edit] D-Link have released a number of ipv6 capable routers, too, as have Linksys/Cisco.
3. Use Teredo, a Microsoft-supported tunnel that is established directly from your client machine. Teredo was meant to be used only by applications that specifically request it. For this reason, a host that has Teredo enabled would only ever use Teredo to connect to IPv6-only machines. If IPv4 is an option, it will always prefer that. So, why talk about it first? Because it ships with both Windows XP SP2 and Windows Vista/7 – enabled by default in the latter two, though not enabled for “general application use” by default – and we can expect it to be used to get to IPv6-only content, as tunnel brokers, on the outside, may seem like more work to set up. [Edit] And indeed, with the release of an ipv6 capable uTorrent and HE’s provisioning of Teredo relay servers, Teredo traffic has spiked sharply.

Setting up Teredo

And here’s the breakdown of how to set up Teredo. Again, keep in mind, IPv4 will always be preferred. go6.net will show you with an IPv4 address if all you have is Teredo.

Windows XP SP2

• Realize that Teredo in Windows XP does not support Hide NAT, aka PAT, aka many-to-1 NAT, aka what your home router does. In Teredo language, that kind of NAT is called “Symmetric NAT”, and it’s just not supported by the Teredo implementation in XP. You can still experiment some by either sticking a host onto the Internet directly, without a home router in between. If you have an additional public IP address, you could also set up a Static NAT (aka 1-to-1 NAT), which Teredo calls a “Cone NAT” (if you allow all incoming) or “Restricted Cone NAT” (if you disallow incoming connections), and which is supported. My experiments with my router’s “DMZ” setting, to see whether that will get around the issue, have been less than successful. While Teredo claimed I was behind “cone” NAT, I still had no connectivity.
• Add the IPv6 protocol to your interface. Control Panel | Network Connections -> Right-Click “Properties” on your LAN or WiFi connection, “Install…”, “Protocol”, “Add…”, choose “Microsoft TCP/IP version 6”, hit “OK” until you’re out again.
• Open a command line – “cmd” from Start | Run – and run “ipconfig /all”. You should now see a “link local” IPv6 address, which looks something like “fe80::214:85ff:fe2f:8f06%4”. This won’t be useful for connecting to anything “out there”, but it’ll let you know IPv6 is up and running.
• Configure Teredo. Assuming you are in the US, the command would be “netsh interface ipv6 set teredo client teredo.ipv6.microsoft.com”. If you are elsewhere in the world, you may be able to find a closer Teredo server.
• If you are on a Windows domain – as opposed to a home workgroup – Teredo will disable even if you configure it. You can get around that with the command “netsh interface ipv6 set teredo enterpriseclient”
• The command to see the configured Teredo parameters is “netsh int ipv6 show teredo”, and the message indicating that a user is behind PAT and thus Teredo won’t work here is “Error : client behind symmetric NAT”
• Use an IPv6-only host to test connectivity. If you can connect to http://ipv6.google.com/, it’s working.  Or you could “ping ipv6.google.com” from command line, which should show you an IPv6 address, and succeed.
• A useful command to use while trying different configurations is “netsh int ipv6 renew”, which will re-negotiate the Teredo tunnel. “netsh int ipv6 show route” will show you ipv6 routes.
• Keep in mind that Windows XP will always prefer IPv4 over IPv6 when Teredo is used for IPv6 connectivity. Unless a host has no IPv4 address, its IPv6 address will not be used.
• Lastly, there are reports that Firefox 2 on Windows XP does not handle IPv6 well. Try Firefox 3, or Internet Explorer.

Windows Vista

• IPv6 and Teredo both are enabled by default in Windows Vista. Teredo also supports Hide-NAT aka PAT aka what your home router does. Woo, we’re done? Not so fast, young Arakin: In order to avoid IPv6 connectivity issues caused by default Teredo tunnels, Microsoft have configured DNS so that the system will never resolve any name to an IPv6 address, as long as the system only has link-local and Teredo IPv6 addresses. Teredo is meant to be used by applications that specifically request its use, and that does not include any browsers.
• Thus, we need to hoodwink Vista. If the criteria is “has only link-local or Teredo addresses”, why, then we need to supply another address. Luckly, IPv6 maps the entire ipv4 address space, so we can use that. In reality, it doesn’t matter which address we configure, since it won’t ever be used anyway. Open up the Properties of your LAN or WiFi interface, and change it to have a static IPv6 address. Use either the converted IPv4 address you figured out using the link I gave, or use the 192.168.1.2 equivalent of 2002:c0a8:102:: with a netmask of 48. Do not configure a default gateway for this address.
• Vista would now resolve names to IPv6 addresses, but we need to force it to route traffic through our Teredo interface first. For this, you’ll need to run a Command prompt as “Administrator”. Create a shortcut to a Command prompt on your desktop, then right-click “run as administrator”.
• Figure out the ID of your “Teredo Tunneling Pseudo-Interface” using “route print” and looking at the “Interface List” at the top of its output. In my case, it is “14”. Then, using this ID, add a default route that forces all IPv6 traffic through Teredo: netsh interface ipv6 add route ::/0 interface=14
• Use an IPv6-only host to test connectivity. If you can connect to http://ipv6.google.com/, it’s working.  Or you could “ping ipv6.google.com” from command line, which should show you an IPv6 address, and succeed.
• Keep in mind that Windows Vista will always prefer IPv4 over IPv6 when Teredo is used for IPv6 connectivity. Unless a host has no IPv4 address, its IPv6 address will not be used.

[Edit 2010-02-24 – added Windows 7 and Troubleshooting sections]

Windows 7 [this is the same procedure as for Vista, tested on Win7 x64]

[Edit 2010-04-09 – replaced kludgy workaround for disappearing default route with elegant workaround received through comment]

• IPv6 and Teredo both are enabled by default in Windows 7, just as in Vista. Also as in Vista, Microsoft have configured DNS so that the system will never resolve any name to an IPv6 address, as long as the system only has link-local and Teredo IPv6 addresses.
• Thus, we need to hoodwink Win7. As with Vista, we will provide a 6to4 address. Luckly, IPv6 maps the entire ipv4 address space, so we can use that. In reality, it doesn’t matter which address we configure, since it won’t ever be used anyway. Open up the Properties of your LAN or WiFi interface, and change it to have a static IPv6 address. Use either the converted IPv4 address you figured out using the link I gave, or use the 192.168.1.2 equivalent of 2002:c0a8:102:: with a netmask of 48. Do not configure a default gateway for this address.
• In order for Win7 to resolve names to IPv6 addresses, we need to force it to route traffic through our Teredo interface first. For this, you’ll need to run a Command prompt as “Administrator”. Create a shortcut to a Command prompt on your desktop, then right-click “run as administrator”.
• Figure out the ID of your “Teredo Tunneling Pseudo-Interface” using “route print” and looking at the “Interface List” at the top of its output. In my case, it is “14”. Then, using this ID, add a default route that forces all IPv6 traffic through Teredo: netsh interface ipv6 add route ::/0 interface=14
• Use an IPv6-only host to test connectivity. Try to ping ipv6.google.com or connect to http://ipv6.google.com/.
• Keep in mind that Win7 will always prefer IPv4 over IPv6 when Teredo is used for IPv6 connectivity. Unless a host has no IPv4 address, its IPv6 address will not be used.

In my testing, Win7 would deactivate the default ipv6 route when there was no ipv6 traffic. Thanks to Sam Karim, I can present a fix for this issue: Configure Teredo to be “Default Qualified” so it will not enter into “Dormant” state.

On Windows 7 Business and better:

• Run “gpedit.msc” from the Start Menu by typing it into the search bar or “Run” bar.
• Navigate to Computer Configuration -> Administrative Templates -> Network -> TCPIP Settings -> IPv6 Transition Technologies
• Double click the “Teredo Default Qualified” setting, change it from “Not Configured” to “Enabled”, and click OK, then close gpedit.msc.
• The setting should take effect rather quickly, but you can do “gpupdate /force” to force a refresh.

On Windows 7 Home Premium and Starter editions, you will need to manually create a registry key.

• Open regedit from the Start Menu by typing it into the search bar or “Run” bar
• Navigate to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
• Right-click the “Windows” Key and choose New -> Key, create a “TCPIP” Key (observe case)
• Right-click the “TCPIP” Key and choose New -> Key, create a “v6Transition” Key (observe case)
• Right-click the “v6Transition” Key and choose New -> String Value, create an entry called “Teredo_DefaultQualified” with a value of “Enabled” (observe case, note the underscore)

Old workaround for reference until I have fully tested the above new-and-improved methods:

Create a text file, name it “fix-ipv6.cmd” (make sure you can see file extensions!) and paste these lines into it:

1. REM Because Win7 gets rid of ipv6 routes
   netsh interface ipv6 delete route ::/0 interface=14
   netsh interface ipv6 add route ::/0 interface=14
   REM Optionally, run a continuous ping here instead of through a task
   REM ping -t ipv6.google.com
2. Change the ID of the interface in this text file to the ID of the Teredo interface on your system
3. Create a task to run a continuous ping. Optionally, just un-comment the ping command in the file you just created.
   Control Panel | System and Security | Schedule tasks
   Create task (on the right)
   General pane: Give it a name, “Run whether user is logged on or not”, “Configure for: Windows 7”
   Triggers: “New”, “At Startup”, hit “OK”
   Actions: “New”, “Start a program”, enter “ping” into “Program/script” and “ipv6.google.com -t” into “Add arguments (optional)”
   Conditions: Uncheck “Start the task only if the computer is on AC power”
   Settings: Check “Run task as soon as possible after a scheduled start is missed”, “If the task fails, restart every” and uncheck “Stop the task if it runs longer than”
4. After reboot, you’ll need to right-click your “fix-ipv6” and “Run as administrator”

In my testing, this workaround kept the ::/0 route active. You can check using “route print -6” – you want to see the ::/0 route in both active and persistent routes. When it is inactive, it shows up only in persistent.

If this all sounds like more trouble than it’s worth, then using a tunnel broker as described in part 3 may be the ticket for you.

Google and v6

You can add a Google-v6-savvy DNS server, such as HE’s 2001:470:20::2, to your LAN or WiFi connection, and this will give you both ipv4 and ipv6 addresses for Google. However, as Windows will always prefer ipv4 if all you have is Teredo, ipv6 won’t be used in that case. If you’d like to use ipv6 for Google/Youtube, take a look at part 3 of this series instead, and go with a tunnel broker.

Troubleshooting

• Test ipv6 DNS lookup from command line. Note the ping fails to resolve the name, but nslookup can resolve it. This means our DNS server has the entry, but we haven’t configured Win7 yet to use v6 addresses.
  >ping ipv6.google.com
  Ping request could not find host ipv6.google.com. Please check the name and try again.
  >nslookup ipv6.google.com
  Non-authoritative answer:
  Name:    ipv6.l.google.com
  Addresses:  2001:4860:b009::93
  2001:4860:b009::63
  2001:4860:b009::67
  2001:4860:b009::69
  2001:4860:b009::68
  2001:4860:b009::6a
  Aliases:  ipv6.google.com
• Check that the ::/0 route has been added correctly. Open netsh, navigate to interface ipv6, and enter show route. This is what you want to see:
  netsh interface ipv6>show route
  Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
  ——-  ——–  —  ————————  —  ————————
  No       Manual    256  ::/0                       14  Local Area Connection* 9
• On my system, after changing the IPv6 address of the LAN interface, that route goes into “limbo”. Meaning show route does not show it, but route print does. In that case, you can delete and re-create it, again from netsh’s interface ipv6 context:
  delete route ::/0 “Local Area Connection* 9”
  add route ::/0 “Local Area Connection* 9”
• show teredo is useful to see whether Teredo connectivity is there. You want to see your state as “qualified”
  netsh interface ipv6>show teredo
  Teredo Parameters
  ———————————————
  Type                    : client
  Server Name             : teredo.ipv6.microsoft.com.
  Client Refresh Interval : 30 seconds
  Client Port             : unspecified
  State                   : qualified
  Client Type             : teredo client
  Network                 : unmanaged
  NAT                     : symmetric (port)
  NAT Special Behaviour   : UPNP: No, PortPreserving: No
  Local Mapping           :  —
  External NAT Mapping    : —
• In order for DNS to resolve IPv6 addresses, the LAN/WiFi interface must have a 6to4 address without a default route, Teredo must be working, and a default route through Teredo must be configured. Miss one of those three, and you won’t be able to resolve ipv6 DNS.