Overview
I’ve been running IPv6 at home for a good month now, mainly to learn about the technology in preparation of it being adopted in the field. Factors that made me finally take this step in January 2008, as opposed to pondering it since January 2001, were:
- The government mandate to deploy IPv6 in federal networks, while weak, will undoubtedly bring IPv6 adoption into some enterprises. When this happens, I want to be ready, and I want my team to be ready, so we can capitalize on our knowledge and can claim to have been running IPv6 since early 2008.
- We’re deploying Juniper SSG-5 firewalls at our techies’ homes, and these little boxes now support IPv6 with the release of software version 6.0.0. I could have been running IPv6 using a software client, but that would have done little to prepare me for seeing it deployed in an environment I will actually encounter – namely, hardware firewalls and routers.
- Four of the Internet DNS root servers are now reachable through IPv6. For the first time ever, this would allow a connection between IPv6 hosts that relies purely on IPv6. This is less a technical concern than a measure of where we are with IPv6: The root servers were the last “you can’t DO IPv6 without IPv4 first” holdout, and that’s gone now. When the root servers, who are very conservative, move, it’s time for mere mortals to test the waters, too.
- The IPv6 experiment is going to make IPv6-only content available which is expected to draw a non-technical crowd, and gather data on the ways people connect, the kind of throughput they got, and the issues they encounter. Should the experiment actually go forward, it will be the first real data gathering on whether IPv6 is “ready” for production, and should give us very valuable data on how to improve it in those areas where it is not ready.
Since most folk won’t have IPv6-capable hardware firewalls at home, I will start out by talking about host-based – specifically, PC-based – solutions for connecting to IPv6 sites.
All right, starting with: What is IPv6, and why do I care? At its core, IPv6 is simply “more address space”. The “old way” of addressing, called IPv4, with its 32-bit address space, is running out of space to use, even with the use of NAT. Predictions claim we may run out of space as early as 2012, though I would not be surprised to see us “hang on” a little longer. IPv6 in contrast has a 128-bit address space, which is ridiculously huge.
This has some implications:
- IPv6 will rely on DNS to an even greater degree than IPv4. Let me take the example of go6.net. Its IPv6 address is 2001:5c0:0:1::6. The ‘::’ is a way of saying “multiple zeros here” in IPv6, to shorten writing it. That’s actually a fairly neat and short address, but still hard to memorize. A less ‘neat’ address may look like 2001:470:1f06:223:bd6f:6f5c:a458:2802. Good luck memorizing that one. We’ll need names, and good reverse DNS, and good DDNS.
- Because we have so much address space now, IPv6 does away with IPv4-style subnetting. In IPv6, every subnet is a /64. That is 16 quintillion addresses, up from 4 billion in the entire IPv4 range. And that’s just for one subnet. The goal is to avoid the pain of different-sized subnets – needing to wrestle with /26, /28 and /29 – and the even greater pain of having to change subnets, say going from a /29 to a /28 because you ran out of space and have now a few machines more than you envisioned. The IPv6 /64 subnet range is envisioned to cover all devices that could possibly be hooked up to the physical medium that carries that subnet.
- “Leaf nodes” – that is, sites that aren’t large carrier-grade – will receive a /48, which can then be carved up into individual /64s. This will allow for 65,000+ subnets per site, which will be plenty even for large corporations. A /48 is also what you might receive at home, depending on how you connect to IPv6.
- Lots of address space also means we don’t need private addresses any more. This does away with NAT, which makes life hugely simpler for applications. VPNs become easier, and protocols that embed IP information – notoriously, all the VOIP stuff like H.323 and SIP, as well as Microsoft’s SMB file-sharing protocol – also benefit. As do P2P and game applications, BTW – no more need to configure “port forwards” for these. This also means that firewalling is a must. While NAT was never meant to be a security feature, PAT or Hide-NAT in particular, as implemented in home routers, was often touted as a “firewall” feature by vendors, because by its nature it disallows incoming connections. There are huge application-level challenges in interop, too, and I’ll get to those.
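Working through the points above in code, as an added example that is not part of the original post: Python’s standard ipaddress module applies the ‘::’ compression rule in both directions, counts the addresses in a /64, and carves a site /48 into /64s. The /48 used is taken from the documentation range 2001:db8::/32 and is a constructed sample, not any real allocation; the function names are mine.

```python
# Added example (not part of the original post): exercising the IPv6
# addressing facts above with Python's standard-library ipaddress module.
import ipaddress


def compress(addr):
    """Shortest textual form: the longest run of zero groups collapses to '::'."""
    return ipaddress.IPv6Address(addr).compressed


def expand(addr):
    """Full eight-group, zero-padded form of the same address."""
    return ipaddress.IPv6Address(addr).exploded


def addresses_per_subnet(prefixlen=64):
    """Number of addresses in one subnet of the given length (a /64 by default)."""
    return ipaddress.IPv6Network("::/%d" % prefixlen).num_addresses


def subnet_count(site_prefix, new_prefixlen=64):
    """How many subnets of `new_prefixlen` a site allocation such as a /48 yields."""
    net = ipaddress.IPv6Network(site_prefix)
    if new_prefixlen < net.prefixlen:
        raise ValueError("new prefix must not be shorter than the site prefix")
    return 2 ** (new_prefixlen - net.prefixlen)


def carve(site_prefix, how_many, new_prefixlen=64):
    """The first `how_many` subnets carved out of a site prefix, in address order."""
    net = ipaddress.IPv6Network(site_prefix)
    out = []
    for sub in net.subnets(new_prefix=new_prefixlen):  # lazy generator; stop early
        if len(out) == how_many:
            break
        out.append(str(sub))
    return out


if __name__ == "__main__":
    # The go6.net address from the text, written long-hand, and a constructed
    # /48 from the documentation range 2001:db8::/32.
    print(compress("2001:05c0:0000:0001:0000:0000:0000:0006"))
    print(expand("2001:5c0:0:1::6"))
    print(addresses_per_subnet())
    print(subnet_count("2001:db8:1234::/48"))
    for s in carve("2001:db8:1234::/48", 3):
        print(s)
```

Note that a /64 holds 2^64 addresses, which is why the subnets() call is consumed lazily rather than turned into a list.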
So, how does an IPv6 host talk to an IPv4 host, or vice versa? The answer is “with difficulty”, if at all. Proposals for rewriting addressing on-the-fly are technically brittle. Particularly when it comes to those applications mentioned that embed IP addresses, like H.323 and SIP and SMB, rewriting that data stream is not very feasible, and not at all scalable. The best idea proposed so far has been to “dual-stack” IPv6-capable equipment: Any given host would have both an IPv6 address and an IPv4 address. It will talk to IPv4 hosts using IPv4, and to IPv6 hosts using IPv6. That is a workable way around those application-level interop challenges. At some point, of course, one would have to either phase out IPv4 or bite the bullet and do application-layer translation for those clients that are still IPv4-only.
For DNS, what you need to know is:
- IPv4 records are A records, IPv6 records are AAAA records. Any given host can have one, the other, or both. go6.net has both, google.com has only IPv4, and IPv6-only hosts such as ipv6.google.com are extremely rare right now. Who in their right mind, after all, would limit content to a tiny portion of the Internet users?
- Windows XP will always use IPv4 to query DNS servers. Even to get an AAAA record, the actual query will run over IPv4. Windows Vista can run IPv6-native and query DNS over IPv6.
- Both Windows XP and Windows Vista will advertise their IPv6 address as a DDNS update. If you run your own DNS server at home and it is IPv6-capable, it should pick up the addresses of your IPv6 hosts.
Connecting to IPv6
Alright, so how do you connect to, say, a web server, using IPv6? Your home router does not know IPv6, and even if it does, your ISP’s router is most likely not configured for IPv6, and would not forward your IPv6 packets. Therefore, you have three ways to get to IPv6 hosts, two of which are actually going to be available for most people at this point.
- Native IPv6. Your ISP supplies you with IPv6 address space and does all the hard work for you. Rejoice, you are done! Just that, as of this writing, unless you live in France or near one of these ISPs, you are pretty much out of luck. Comcast and other cable providers are starting to make noises about DOCSIS 3.0, which is IPv6-capable, but that is years out. If you have Verizon FiOS in your area, you’ll get DOCSIS 3.0 earlier – though not necessarily with IPv6 right away. If there’s no FiOS, don’t expect DOCSIS 3.0 very soon. We need other ways of connecting – of tunneling IPv6 traffic through an IPv4 network in some way shape or form.
- Use a tunnel broker. This is actually going to be your best bet for connecting to IPv6, which is why, perversely, I’ll discuss it in more detail in a later post. Tunnel brokers available are SixXS, which supports both hardware (static) and software/client (heartbeat, AYIYA) tunnels and gives you a full /48; Hurricane Electric, which is more geared towards static (hardware) tunnels and gives you one /64 subnet (and now also offers a /48); Hexago/Freenet6, who have their own proprietary way of traversing NAT; and Earthlink R&D, which is very specialized: you connect using a custom firmware for a Linksys WRT54G router, and get a /64. Earthlink would be a good choice if you wanted to run IPv6 on your home router rather than your home PC, and you don’t have a Cisco / Juniper / what-have-you at home. I’d expect most people to go with SixXS and use their software client. I’m set up with Hurricane right now, but for a client setup or a setup where I want more than one subnet, I’d choose SixXS. There’s also the Apple Airport Extreme, which handles IPv6 tunnels without exposing any of the nuts-and-bolts to the user.
- Use Teredo, a Microsoft-supported tunnel that is established directly from your client machine. Teredo by its nature is going to be a lot slower than IPv4 connectivity. For this reason, a host that has Teredo enabled will only ever use Teredo to connect to IPv6-only machines; if IPv4 is an option, it will always prefer that. While Teredo would be a way to get at IPv6-only content, it would be slow, and it’s not a good choice for experimenting with IPv6. So, why talk about it first? Because it ships with both Windows XP SP2 and Windows Vista – enabled by default in the latter, though not useful by default – and we can expect it to be used to get to IPv6-only content, as tunnel brokers, from the outside, may seem like more work to set up.
Setting up Teredo
And here’s the breakdown of how to set up Teredo. Again, keep in mind that IPv4 will always be preferred: go6.net will show you an IPv4 address if all you have is Teredo.
Windows XP SP2
- Realize that Teredo in Windows XP does not support Hide NAT, aka PAT, aka many-to-1 NAT, aka what your home router does. In Teredo language, that kind of NAT is called “Symmetric NAT”, and it’s just not supported by the Teredo implementation in XP. You can still experiment some, either by sticking a host onto the Internet directly, without a home router in between, or, if you have an additional public IP address, by setting up a Static NAT (aka 1-to-1 NAT), which Teredo calls a “Cone NAT” (if you allow all incoming) or “Restricted Cone NAT” (if you disallow incoming connections), and which is supported. My experiments with my router’s “DMZ” setting, to see whether that would get around the issue, have been less than successful: while Teredo claimed I was behind “cone” NAT, I still had no connectivity.
- Add the IPv6 protocol to your interface. Control Panel | Network Connections -> right-click “Properties” on your LAN or WiFi connection, “Install…”, “Protocol”, “Add…”, choose “Microsoft TCP/IP version 6”, hit “OK” until you’re out again.
- Open a command line – “cmd” from Start | Run – and run “ipconfig /all”. You should now see a “link local” IPv6 address, which looks something like “fe80::214:85ff:fe2f:8f06%4”. This won’t be useful for connecting to anything “out there”, but it’ll let you know IPv6 is up and running.
- Configure Teredo. Assuming you are in the US, the command would be “netsh interface ipv6 set teredo client teredo.ipv6.microsoft.com”. If you are elsewhere in the world, you may be able to find a closer Teredo server.
- If you are on a Windows domain – as opposed to a home workgroup – Teredo will disable itself even if you configure it. You can get around that with the command “netsh interface ipv6 set teredo enterpriseclient”.
- The command to see the configured Teredo parameters is “netsh int ipv6 show teredo”, and the message indicating that a user is behind PAT, and thus that Teredo won’t work here, is “Error : client behind symmetric NAT”.
- Use an IPv6-only host to test connectivity. If you can connect to http://hermes.amessage.eu/ and see a purple background (and not much else), it’s working. Or you could “ping hermes.amessage.eu” from command line, which should show you an IPv6 address, and succeed. [Update 2008-04-18] A less esoteric IPv6-only destination is http://ipv6.google.com/.
- A useful command to use while trying different configurations is “netsh int ipv6 renew”, which will re-negotiate the Teredo tunnel. “netsh int ipv6 show route” will show you ipv6 routes.
- Keep in mind that Windows XP will always prefer IPv4 over IPv6 when Teredo is used for IPv6 connectivity. Unless a host has no IPv4 address, its IPv6 address will not be used.
- Lastly, there are reports that Firefox 2 on Windows XP does not handle IPv6 well. Try Firefox 3, or Internet Explorer.
Windows Vista
- IPv6 and Teredo are both enabled by default in Windows Vista. Teredo also supports Hide-NAT aka PAT aka what your home router does. Woo, we’re done? Not so fast, young Anakin: in order to avoid “spamming” the Internet with inefficient and slow Teredo IPv6 traffic, Microsoft have configured DNS resolution so that the system will never resolve any name to an IPv6 address as long as it only has link-local and Teredo IPv6 addresses. Teredo is meant to be used by applications that specifically request it, and that does not include any browsers.
- Thus, we need to hoodwink Vista. If the criterion is “has only link-local or Teredo addresses”, why, then we need to supply another address. Luckily, IPv6 maps the entire IPv4 address space (the 6to4 scheme, where every IPv4 address has its own prefix under 2002::/16), so we can use that. In reality, it doesn’t matter which address we configure, since it won’t ever be used anyway. Open up the Properties of your LAN or WiFi interface and change it to have a static IPv6 address. Use either the converted IPv4 address you figured out using the link I gave, or use the 192.168.1.2 equivalent of 2002:81a8:102:: with a netmask (prefix length) of 48. Do not configure a default gateway for this address.
- Vista would now resolve names to IPv6 addresses, but we need to force it to route traffic through our Teredo interface first. For this, you’ll need to run a Command prompt as “Administrator”. Create a shortcut to a Command prompt on your desktop, then right-click “run as administrator”.
- Figure out the name of your Teredo interface using “ipconfig /all”. In my case, it is “Local Area Connection* 10”. Then, using this name, add a default route that forces all IPv6 traffic through Teredo: netsh interface ipv6 add route ::/0 “Local Area Connection* 10”
- Use an IPv6-only host to test connectivity. If you can connect to http://hermes.amessage.eu/ and see a purple background (and not much else), it’s working. Or you could “ping hermes.amessage.eu” from command line, which should show you an ipv6 address, and succeed. [Update 2008-04-18] A less esoteric IPv6-only destination is http://ipv6.google.com/.
- Keep in mind that Windows Vista will always prefer IPv4 over IPv6 when Teredo is used for IPv6 connectivity. Unless a host has no IPv4 address, its IPv6 address will not be used.
My next installment, when I get around to it, will talk about using a tunnel broker for IPv6 connectivity, which is by far the best way of setting up a connection to IPv6 hosts. Short of having a native IPv6 connection, that is.
March 22, 2008 at 2:55 pm
Very useful article. When’s part 2 coming?
April 5, 2008 at 3:12 pm
[...] ipv6 at home, Part 2: Tunnel brokers, Windows “AYIYA” tunnel Has it been 2 months? High time to get on with the planned ipv6 series, then. If you are entirely new to ipv6, it may pay to read part 1: overview. [...]
April 5, 2008 at 3:14 pm
Thank you for inquiring about part 2. It’s just been posted. I’m still not 100% done with it – the “Windows PC to route for the rest of the network” bit is missing – but it’s functional enough for one PC.
May 19, 2008 at 1:44 pm
Thanks for the walkthrough, very helpful.
A better link for determining appropriate 6to4 ip addressing is:
http://www.twibble.org/Articles/IPv6/6to4
It explains that anything with a 2002: prefix is a 6to4 address, and that you can convert an IPv4 address into hex using the following format:
2002:aabb:ccdd:: where aa is the hex equivalent of the first byte of your IPv4 address (e.g. 192 in the address 192.168.0.1 would make an aa of “c0”), and so on, where bb is the second byte, cc is the third byte, and dd is the fourth byte.
If you have access to a linux or *bsd shell, use this:
printf "2002:%x%02x:%x%02x::\n" 192 168 0 1
(where 192 168 0 1 is the ip address that you want to convert)
The dnsstuff site requires a login, and payment to function for the ipv6 utils, so is not completely useful to many.
May 29, 2008 at 10:39 am
Good article to begin with IPv6,
I now understand why go6 told me that I use IPv4 to reach their website while using Teredo… On the other hand, when I connect to http://www.whatismyipv6.net/, which supports both, it tells me that I use IPv6…
You don’t say that Teredo exists for Linux/Mac; it’s called Miredo (http://www.remlab.net/miredo).
I do want to read the next part …
May 29, 2008 at 1:38 pm
Thank you for the Linux/Mac insight. I am purposefully not mentioning anything about Linux/Mac. I use Linux only as a headless server, and Mac not at all. I’m not writing these articles as quickly as I thought I would, and that’s with just XP64 and Vista64 to worry about. I’ll leave the Linux/Mac stuff to insightful folk like yourself, who are kind enough to add value in comments.
August 28, 2008 at 2:34 pm
Hello, thanks for writing this how to on IPv6 and Teredo.
I was wondering if you could help me get Teredo up and running on my system. I followed your instructions and I’m unable to ping any v6 websites. My host system is connected to the internet directly so my home router shouldn’t be an issue. FWs have been disabled to rule that out as well.
Since I know that Teredo requires a Teredo Server and Relay, your instructions for Xp only mentioned the use of teredo.ipv6.microsoft.com as the Teredo server. What relay were you using?
I’m also in Massachusetts, beautiful weather we’re having huh?
Sincerely,
Erik
August 28, 2008 at 5:58 pm
Teredo relays serve the endpoint you are trying to access, not your client, thus they are not configured on the client. A more in-depth explanation can be found at the wikis, here: http://en.wikipedia.org/wiki/Teredo_tunneling
If the issue you are experiencing has its roots in your client machine configuration, you are likely running into an issue with the “forcing traffic through Teredo by means of a fake v6 address and a route” trick. Is “netsh int ipv6 show teredo” providing any useful information?
August 28, 2008 at 10:15 pm
Here is the output of show teredo:
Teredo Parameters
---------------------------------------------
Type : client
Server Name : teredo.ipv6.microsoft.com
Client Refresh Interval : default
Client Port : default
State : qualified
Type : teredo host-specific relay
Network : unmanaged
NAT : restricted
I guess my issue is that I’m not being assigned a valid v6 address.
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : fe80::ffff:ffff:fffd%4
Default Gateway . . . . . . . . . :
Here’s the output of show routes:
Querying active state...
Publish  Type      Met   Prefix      Idx  Gateway/Interface Name
-------  --------  ----  ----------  ---  ---------------------------------
no       Autoconf  10    2001::/32   4    Teredo Tunneling Pseudo-Interface
yes      Manual    1101  ::/0        3    2002:c058:6301::c058:6301
yes      Manual    1001  2002::/16   3    6to4 Tunneling Pseudo-Interface
August 29, 2008 at 8:00 am
I would hazard a guess and say you have a NAT issue. show teredo claims you are behind “restricted” NAT, but that seems unlikely in a home environment. More likely, you are behind some sort of PAT, which Teredo calls “Symmetric NAT”. Teredo on Windows XP does not handle PAT at all.
You don’t necessarily want to have to redesign your entire home network. My recommendation at this point would be to skip to part 2 of the series and configure an AYIYA tunnel – or go even further and look at some of the tunnel brokers mentioned there and set up a static tunnel on a router.
The easiest way to get v6 connectivity at home that I know of, BTW, is to get an Apple Airport Extreme, which has one-click ipv6 tunnel setup built right in. I have not personally used the unit, but online reports of the ipv6 setup are favorable.
September 2, 2008 at 1:21 pm
So I figured out my Teredo issue and it does make sense.
I had 6to4 enabled on my system which was giving me a valid Global unicast address for my Hamachi interface. When I disabled the 6to4 service, Teredo finally kicked in with a valid 2001::/32 unicast address for my system and now all is well.
I also came across this and might be of help for *some* users who are still experiencing issues.
“NOTE for Windows XP users
Once Teredo became an RFC, the old IPv6 prefix from the 6BONE (3ffe:8319::/32) was replaced by the IANA-allocated one, 2001::/32. This change, together with the 6Bone phase-out on 6/6/2006, requires a modification of the old Windows XP Teredo clients to support it. The Teredo client in Windows Vista does not require such a modification.
The modification of Windows XP Teredo clients can be done in either of the following two ways:
A) Installing the Windows Update KB922819. Note that if you have installed the Peer Name Resolution Protocol (PNRP), which is available in the Windows Update KB920342, then you do not need to install the KB922819 update.
B) Adding or altering the REG_DWORD value of the \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\GlobalParams\TeredoPrefix entry in the Windows Registry. The REG_DWORD value is interpreted as a 32-bit prefix, in network byte order. To do that, just follow these steps:
1. Run the regedit.exe program: Start -> Run -> type regedit.exe and then click on the OK button.
2. Browse through the registry tree to check if the \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\GlobalParams\TeredoPrefix entry exists. If it does not, add it.
3. Add/modify the REG_DWORD value to 0x00000120 (288).
4. Reboot your system.
5. Follow the configuration guides for Windows XP / Windows 2003 below for configuring your Windows Teredo Client.
For that modification to work it is essential that the Teredo Server advertises the new IPv6 prefix (2001:0000::/32).
The Teredo client implementation in Windows Vista supports the new IPv6 prefix without modifications.”
Source: http://www.ipv6tf.org/index.php?page=using/connectivity/teredo
I hope this information helps someone out there.
Sincerely,
Erik
October 21, 2008 at 12:51 pm
You can check this application, which uses Teredo to safely access a system over the Internet and disables it after usage…
http://www.lanoninternet.com
January 4, 2009 at 6:01 pm
Hi,
thanks for a good article. This explained a few issues we were seeing with Vista clients and teredo.