ipv6 at home, part 3: gogonet tunnels, freenet6

This blog post is part of a series on ipv6. In part 1, I provided an overview of ipv6 and looked at Teredo, the technology built into Windows Vista; in part 2, I looked at AYIYA tunnels through aiccu, using sixxs.net as a tunnel broker. Part 2.5 is a collection of useful ipv6 tidbits, and this part 3 gets back to the original plan: exploring ipv6 connectivity options – in this case, the tunnel offered by gogo6 (formerly Hexago) at gogonet (go6.net).

Tunnel overview

freenet6, the tunnel service offered by gogo6, uses TSP (Tunnel Setup Protocol) to determine the best tunnel type. It offers IPv6-in-IPv4 tunnels in Native mode (direct connection to a public ipv4 address, no NAT), IPv6-in-IPv4 tunnels in NAT traversal mode (also called IPv6-in-UDP-in-IPv4; this is what you’ll most likely use), and even IPv4-in-IPv6 tunnels (using DSTM, used to reach ipv4 resources if you have an ipv6 address but no ipv4 address – not a very likely scenario at this point in time).

The tunnel service is delivered through gateway6, an incredibly intuitive and easy-to-use client. Both anonymous and authenticated tunnels are available. An anonymous tunnel will provide ipv6 access for the machine the gateway6 client is installed on; an authenticated tunnel gives you a routable /56 network to hand out to the rest of your network.

Setting up an anonymous tunnel

Install the gateway6 client; launch it; leave everything at default; hit “Connect”.

Test your connection by browsing to ipv6.google.com.

In this mode, your assigned ipv6 address will change as your ipv4 address changes.

I should spruce this paragraph up by adding a screen shot of the gateway6 client with all default settings, but it feels gratuitous. This method of connection is hands-down the easiest way to get ipv6 connectivity that you are likely to find.

Setting up an authenticated tunnel

Sign up with freenet6 (go6.net). This is separate from the gogonet account you need to even download the client.

Install the gateway6 client.

Change the “Gateway6 address” to be “authenticated.freenet6.net”.

Set the client to “Connect using the following credentials”, and enter your user name and password with go6.net.

On the off-chance that a tunnel endpoint would default to clear-text authentication, you can go to the “Advanced” tab and change your Tunnel Authentication Method to either PASSDSS-3DES-1 or Digest MD5.

Hit “Connect” and test your connection by browsing to ipv6.google.com.

In this mode, your assigned ipv6 address will remain static, even if your ipv4 address changes.

Setting up routing to the rest of your network

go6.net will assign a /56 prefix to you on an authenticated tunnel, if you request it.

The simplest way to set this up is:

On the “Advanced” tab, check “Enable Routing Advertisements”. Choose the LAN interface that will serve the ipv6 prefix to the rest of your network. Leave the prefix length at /64.

Hit Connect, and check the “Status” tab – you’ll see your assigned /56 prefix. You are currently using only the first /64 of it – if you have further subnets, you can start assigning more /64s and routing them to the machine that runs the gateway6 client.

Advanced options – running on a router, reverse DNS delegation

Through changing the gw6c.conf file, you can use the gateway6 client to request configuration for a router; and you can request delegation of your ipv6 prefix to your own name server for RDNS (PTR) resolution.

RDNS delegation is set up by simply changing the “dns_server=” entry.

You can run the gateway6 client as a “proxy”, in which mode it will request configuration information for a router. This is described in the gogonet forums. You’d want to set the requested prefix length to /56, not /48 – otherwise, no changes should be necessary.

The provided template outputs configuration for a Cisco router. You can take the relevant information out of the Cisco config file and use it with a Juniper device, or DLink, Apple, any router that supports 6-in-4 (protocol 41) tunnels. You could also write your own template script to output the information in the format your router requires – it’s a simple batch file.
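The /64 assignment and the RDNS delegation described above both come down to arithmetic on the delegated /56. The following is an added example, not part of the original post or of the gateway6 client: it lists the /64 networks inside a /56 and derives the ip6.arpa zone your name server would have to be authoritative for. The prefix 2001:db8:1234:ab00::/56 is a constructed sample from the documentation range, and the function names are hypothetical.

```python
import ipaddress
from itertools import islice

def reverse_zone(prefix: str) -> str:
    """ip6.arpa zone name for a delegated prefix (must end on a nibble boundary)."""
    net = ipaddress.IPv6Network(prefix, strict=True)   # rejects stray host bits
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa zones are cut on 4-bit (nibble) boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

def lan_subnets(prefix: str, count: int) -> list:
    """First `count` /64 networks inside the delegated prefix (a /56 holds 256)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen > 64:
        raise ValueError("prefix is longer than /64")
    return list(islice(net.subnets(new_prefix=64), count))

def covered_by_zone(address: str, prefix: str) -> bool:
    """True if the PTR name of `address` falls inside the delegated reverse zone."""
    ptr = ipaddress.IPv6Address(address).reverse_pointer
    return ptr.endswith("." + reverse_zone(prefix))

if __name__ == "__main__":
    delegated = "2001:db8:1234:ab00::/56"   # constructed sample, documentation range
    print("reverse zone:", reverse_zone(delegated))
    for lan in lan_subnets(delegated, 3):
        print("LAN subnet:  ", lan)
    print("PTR in zone: ", covered_by_zone("2001:db8:1234:ab01::1", delegated))
```

If the delegated prefix number changes, as mentioned under “Final thoughts”, both the /64 list and the zone name change with it, so the router configuration and the reverse zone have to be regenerated together.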

Final thoughts

If you want ipv6 connectivity, and you do not intend to gain it through your router, gogonet should be your first stop. The gateway6 client shows that gaining ipv6 connectivity, and setting up routing to everything else in your network, does not have to be complicated, or involve lengthy command-line sessions.

If you want to terminate your tunnel on a router, give Hurricane Electric a look. Their tunnel setup does not require a client running on a PC – on the other hand, that means it won’t present the router configuration commands to you on a silver platter, either. Consider also that freenet6 has a somewhat patchy record when it comes to reliably handing out your delegated prefix: In the past, prefix numbers would change, and that messes with your router setup and your RDNS.

I had, when I first started writing this series, deliberately placed go6.net behind Teredo and SixXS: I knew it was going to be far easier to set up than those other two, and wanted to progress from “complicated” to “easy” as the series went on. I had not counted on getting stuck quite so hard on routing with the SixXS aiccu setup. In hindsight, covering the easiest method first might have been cleverer.

ipv6 at home, part 2.5: Google, DHCPv6, speed tests, troubleshooting, various

This blog post is part of a series on ipv6. In part 1, I provided an overview of ipv6 and looked at Teredo, the technology built into Windows Vista; in part 2, I looked at AYIYA tunnels through aiccu, using sixxs.net as a tunnel broker. I also got stuck for a very long time on trying to use Windows as a router for an ipv6 subnet on that setup, and ultimately failed to make that work.

Part 2.5 is going to be an in-between – a collection of ipv6-related tidbits that will, hopefully, be useful, but have no particular cohesion.

Google services on ipv6

Back in January, Google announced that they had moved a number of their services to be multi-homed. To avoid causing issues for people with Vista that didn’t have functioning ipv6 connectivity, this is an opt-in service. That is achieved by using a DNS server that peers with Google for ipv6 addresses.

Unless you work for an ISP, you are not going to peer your own servers with Google. However, several tunnel brokers, including Hurricane Electric and sixxs, offer DNS servers that can serve up Google ipv6 addresses.

Here’s an example nslookup:

> www.google.com
Server:  UnKnown
Address:  2001:470:20::2

Non-authoritative answer:
Name:    www.l.google.com
Addresses:  2001:4860:b002::68
 74.125.91.103
 74.125.91.104
 74.125.91.147
 74.125.91.99
Aliases:  www.google.com

As you can see, both A (ipv4) and AAAA (ipv6) records are being returned. In order for Vista to use the ipv6 address, you need to use the ipv6 address of the DNS server. If you query DNS over ipv4 and get both A and AAAA records, Vista will prefer an ipv4 address.

You can test which address is going to be used by running “ping www.google.com”, which will show the numerical address that the OS is trying to reach.

DHCPv6

If you are using a software tunnel such as AYIYA over aiccu, then you can set the DNS server to be used manually, through the Control Panel. If you are using an ipv6-capable router or firewall, however, you can send out that information over DHCPv6.

Cisco has a clear and concise paper on DHCPv6. From an implementation standpoint, it is very simple: Decide whether DHCPv6 is only going to serve DNS addresses, or whether it is going to handle all ipv6 address assignment, too. Then set flags for your RA (Router Advertisement) Configuration: “O” (“Other Parameters”) if RA handles addresses and DHCPv6 handles DNS, or “M” (“Managed”) if DHCPv6 handles addresses and DNS.
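To see which of the two setups a router is actually announcing, you can read the flags out of a captured Router Advertisement. The following is an added example, not from the original post or the Cisco paper: it parses the ICMPv6 RA header as laid out in RFC 4861, reports the M and O flags, and lists the prefixes that carry the autoconfiguration (A) flag. The RA bytes are constructed sample data, and the function name is hypothetical.

```python
import ipaddress
import struct

RA_TYPE, OPT_PREFIX_INFO = 134, 3   # ICMPv6 RA type, Prefix Information option

def parse_ra(icmp6: bytes) -> dict:
    """Summarise who supplies addresses and DNS according to one RA."""
    if len(icmp6) < 16:
        raise ValueError("truncated Router Advertisement")
    msg_type, code, _csum, _hops, flags, _life, _reach, _retrans = struct.unpack(
        "!BBHBBHII", icmp6[:16])
    if msg_type != RA_TYPE or code != 0:
        raise ValueError("not a Router Advertisement")
    managed, other = bool(flags & 0x80), bool(flags & 0x40)
    slaac, pos = [], 16
    while pos + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[pos], icmp6[pos + 1] * 8   # length in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp6):
            raise ValueError("malformed option")
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen, pflags = icmp6[pos + 2], icmp6[pos + 3]
            if pflags & 0x40:   # A flag: hosts may autoconfigure from this prefix
                prefix = ipaddress.IPv6Address(icmp6[pos + 16:pos + 32])
                slaac.append(f"{prefix}/{plen}")
        pos += opt_len
    return {
        "managed": managed,
        "other": other,
        "addresses_from": "DHCPv6" if managed else "RA",
        "dns_from": "DHCPv6" if (managed or other) else "manual",
        "autoconf_prefixes": slaac,
    }

# Constructed sample: O flag set, one /64 prefix with the L and A flags set.
SAMPLE_RA = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x40, 1800, 0, 0) + \
    struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 86400, 14400, 0) + \
    ipaddress.IPv6Address("2001:db8:1234:ab00::").packed

if __name__ == "__main__":
    print(parse_ra(SAMPLE_RA))
```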

An RFC draft dated July 2005 suggests expanding RA to be able to hand out DNS server addresses without the need for DHCPv6. That draft has not yet been adopted, and I have yet to see an implementation in a major vendor’s routing OS.

[Update 2008-08-02] Jeremy points out that the above statement about implementation being “very simple” is rather brash. He’s correct, and explains the differences between Windows and Linux/Unix in this regard in his company blog. With lots of references to “dueling RFCs”, fun. For a broader view of ipv6 and its real-world applications, and a much more in-depth view than “okay how do I get this to work at home anyhow”, definitely do follow his blog.

Speed Test

If you’d like to compare your ipv6 speed to your ipv4 speed, you can do so through an ipv6 speed test offered by the University of Maine. The test can actually run in both ipv6 and ipv4, which makes it useful for comparison.

ftp.isc.org is reachable through ipv6 as well – if you can find a suitably large file there, it could serve as a measure of download speed over ipv6.

Troubleshooting

This may have to be a “paragraph-in-perpetual-progress”. A few of the tools I found useful are:

Wireshark, in case you need to see what is happening to your ipv6 packets – are they leaving on the interface you think they should be leaving on, do you see return packets?

netsh is full of useful commands in its “interface ipv6” context, among them:

show route – does just that: shows you the ipv6 routing table

show siteprefixes – you’ll get a list of all the ipv6 prefixes (networks) configured on your machine

show prefixpolicies – you’ll see a list of which prefixes are preferred in which order. This is explained in more detail at ipv6 Day. Note that my own attempts to “fiddle with” prefix policy left me in a state where Vista would not function for ipv6 traffic at all.

reset – resets all ipv6 settings to default. Really useful if you’ve done a little too much fiddling. Needs a reboot.

show addresses – will show you the ipv6 addresses and their lifetime

show interfaces – configured interfaces and their up/down state

ipconfig /release6 and ipconfig /renew6 can be used to release/renew RA or DHCPv6 addresses

Turning off unused tunnel interfaces

Windows comes with built-in Teredo, ISATAP and 6-to-4 tunnel interfaces. These can become a distraction when configuring an alternative way to access ipv6, such as through your router or a third-party tunnel application.

Courtesy of ipv6 Day comes a description of registry settings to turn these off. There are a lot of possible combinations, including some that will turn off ipv6 entirely, which can come in handy in corporate environments.

The TL;DR for turning off all Windows built-in tunnels is:

  • In regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\
  • Create a DWORD called DisabledComponents
  • Set it to “1”
  • Reboot

ipv4 exhaustion counters

Hurricane Electric, my preferred tunnel broker, offers a number of widgets and applications to keep track of ipv4 address space exhaustion. That includes Vista / Win 7 gadgets, Google Desktop and iGoogle gadgets, iPhone/iPod touch apps, and a web widget.

The “days remaining” are to be taken with a grain of salt. 676 days to complete ipv4 exhaustion! (As of August 2nd 2009) Actually, what is likely to happen is that we’ll see ipv4 space become more and more expensive, to the point where it is no longer economically feasible to own large portions of it just for access purposes – we’ll see hosting companies running it for decades, and your typical office running on v6 with a way to reach v4 over a tunnel. The reverse of today’s situation – eventually.

ipv6 certification

[Update 2009-08-06 – More detail on DNS requirements for this cert program]

Hurricane Electric also offers a fun ipv6 certification. What’s interesting about it is that it’s almost completely results-based. The first few levels (“Newbie” and so on) are just a questionnaire, but to reach the coveted “Sage” level, you’ll be doing real tasks, such as sending/receiving SMTP email over ipv6.

Achieving this entirely from home has more than one challenge – you need a DNS server that will let you set AAAA records, will act as delegation for ipv6 PTR records, has its own AAAA entry and will respond to ipv6 queries, and you will need ipv6 glue for your DNS server at the TLD. There are a number of free ones available. These will let you set AAAA records, and usually also function for RDNS delegation. None of them are reachable over ipv6. A combination of afraid.org, v6ns.org and a BIND server on your machine will get you all the way to “Guru”, but you won’t get “Sage” that way, as you’ll be missing the TLD glue.

The certification tests use the same domain you start out with throughout, or a subdomain thereof. If you want “smooth sailing”, choose a domain you own on a registrar that supports ipv6 glue.

It’s a worthwhile exercise in that you’ll find that ipv6 connectivity itself is really not the issue – finding real-world applications that support ipv6 is the larger challenge. You’ll also learn more about ipv6 DNS than you truly ever wanted to know.

ipv6 address space – think about registering yours

If you are involved in a corporate networking group, you may want to think about how you are going to handle ipv6 space. Traditionally, you get your address assignments from your ISP. This creates an amount of pain when moving ISPs. In ipv4, that’s public-facing addresses, while the internal network can stay untouched. In ipv6, everything uses public addresses – no more NAT (pending discussion, there are address translation efforts underway for ipv4/ipv6 translation – which doesn’t change the situation w/ regards to your ipv6 space). That means an ISP move could potentially require you to renumber everything, down to the last printer and desktop.

You can plan for this, by avoiding static assignments wherever possible, and always thinking about “how would I switch this to an entirely different subnet if I had to?” every step of the way.

Or, if you qualify, you can get a direct assignment of ipv6 space from ARIN. This used to be trivially easy as an “early adopter”, but that policy has been discontinued. Now, you need to be either a) eligible for direct ipv4 assignment (that’s getting tougher and tougher by the month) or b) already have a direct ipv4 assignment, and show that you use it efficiently.

It’ll be interesting to see how this policy evolves as ipv4 space becomes ever scarcer – will ARIN just stop assigning v6 space directly to end users, or will we see policies that are not tied to v4 eligibility?

[Edit 2009-08-02]

As Jeremy points out in a comment, ULA space (Unique Local Address as per RFC4193) is a solution to receiving address space from your ISP, but wanting to avoid the pain of needing to re-do addressing of your entire network when moving ISPs. As long as the devices you give these addresses to do not need connectivity to the Internet, that is: As per the RFC, “They [the ULA addresses] are not expected to be routable on the global Internet”. In practice, that translates into a requirement to filter out ULA space at the BGP border router. SixXS has a page to register ULAs. As they point out, while there is no requirement to register ULAs, collisions (which are not very likely but can happen) can be dealt with by registering ULAs anyway.