Convert Windows boot from BIOS to UEFI without decrypting Bitlocker

I wanted to convert an MBR/BIOS boot drive to GPT/UEFI, but without needing to decrypt and then re-encrypt Bitlocker. Mainly because I am lazy. This worked, but I’ll warn that the advice to decrypt completely first is without any doubt the safest way to go.

Follow the instructions for converting from BIOS to UEFI boot.

With the following changes:

  • Print out your Bitlocker Recovery Key from Control Panel, Bitlocker. You will need this key.
  • Take a backup. No seriously. Use Veeam Endpoint if you don’t have anything else installed to take backups. Stuff goes wrong with computers, and you don’t want to lose your system installation and data.
  • Suspend Bitlocker protection on your system drive.
  • Reboot from your Windows installation / recovery DVD/USB, verify that you can get to your c:\windows directory. This might be d:\windows if you have a recovery partition at the end of the disk.
  • Now boot into Windows and convert to GPT using gptgen.
  • When you then boot into the Windows installation / recovery media, you’ll be asked for the Bitlocker Recovery Key. After that, the rest of the steps are as in the generic instructions.
  • When booting into Windows (assuming you changed your BIOS to boot (U)EFI instead of MBR now), you’ll be asked for the recovery key again.
  • In my case, the drive didn’t show suspended. I suspended it again.
  • After that, resuming Bitlocker encryption will fail with “The System cannot find the file specified”.
  • Open Explorer, navigate to C:\Windows\System32\Recovery and rename the file “ReAgent.xml” to “ReAgent.xml.old”
  • Resume Bitlocker encryption on drive C:\. This should now succeed.
  • Reboot for good measure to verify that everything works and you don’t get prompted for the recovery key any more.

ipv6 at home, part 3: gogonet tunnels, freenet6

This blog post is part of a series on ipv6. In part 1, I provided an overview of ipv6 and looked at Teredo, the technology built into Windows Vista; in part 2, I looked at AYIYA tunnels through aiccu, using sixxs net as a tunnel broker. Part 2.5 is a collection of useful ipv6 tidbits, and this part 3 gets back to the original plan: Exploring ipv6 connectivity options – in this case, the tunnel offered by gogo6 (formerly Hexago) at go6.net (gogonet).

Tunnel overview

freenet6, the tunnel service offered by gogo6, uses TSP (Tunnel Setup Protocol) to determine the best tunnel type. It offers IPv6-in-IPv4 tunnels in Native mode (direct connection to a public ipv4 address, no NAT), IPv6-in-IPv4 tunnels in NAT traversal mode (also called IPv6-in-UDP-in-IPv4; this is what you’ll most likely use), and even IPv4-in-IPv6 tunnels (using DSTM, used to reach ipv4 resources if you have an ipv6 address but no ipv4 address – not a very likely scenario at this point in time).

The tunnel service is delivered through gateway6, an incredibly intuitive and easy-to-use client. Both anonymous and authenticated tunnels are available. An anonymous tunnel will provide ipv6 access for the machine the gateway6 client is installed on; an authenticated tunnel gives you a routable /56 network to hand out to the rest of your network.

Setting up an anonymous tunnel

Install the gateway6 client; launch it; leave everything at default; hit “Connect”.

Test your connection by browsing to ipv6.google.com.

In this mode, your assigned ipv6 address will change as your ipv4 address changes.

I should spruce this paragraph up by adding a screen shot of the gateway6 client with all default settings, but it feels gratuitous. This method of connection is hands-down the easiest way to get ipv6 connectivity that you are likely to find.

Setting up an authenticated tunnel

Sign up with go6.net (freenet6). This is separate from the gogonet account you need to even download the client.

Install the gateway6 client.

Change the “Gateway6 address” to be “authenticated.freenet6.net”.

Set the client to “Connect using the following credentials”, and enter your user name and password with go6.net.

On the off-chance that a tunnel endpoint would default to clear-text authentication, you can go to the “Advanced” tab and change your Tunnel Authentication Method to either PASSDSS-3DES-1 or DIGEST-MD5.

Hit “Connect” and test your connection by browsing to ipv6.google.com.

In this mode, your assigned ipv6 address will remain static, even if your ipv4 address changes.

Setting up routing to the rest of your network

go6.net will assign a /56 prefix to you on an authenticated tunnel, if you request it.

The simplest way to set this up is:

On the “Advanced” tab, check “Enable Routing Advertisements”. Choose the LAN interface that will serve the ipv6 prefix to the rest of your network. Leave the prefix length at /64.

Hit Connect, and check the “Status” tab – you’ll see your assigned /56 prefix, of which you are currently using the first /64. If you have further subnets, you can start assigning more /64s and routing them to the machine that runs the gateway6 client.

Advanced options – running on a router, reverse DNS delegation

Through changing the gw6c.conf file, you can use the gateway6 client to request configuration for a router; and you can request delegation of your ipv6 prefix to your own name server for RDNS (PTR) resolution.

RDNS delegation is set up by simply changing the “dns_server=” entry.

You can run the gateway6 client as a “proxy”, in which mode it will request configuration information for a router. This is described in the gogonet forums. You’d want to set the requested prefix length to /56, not /48 – otherwise, no changes should be necessary.

The provided template outputs configuration for a Cisco router. You can take the relevant information out of the Cisco config file and use it with a Juniper device, or DLink, Apple, any router that supports 6-in-4 (protocol 41) tunnels. You could also write your own template script to output the information in the format your router requires – it’s a simple batch file.

Final thoughts

If you want ipv6 connectivity, and you do not intend to gain it through your router, gogonet should be your first stop. The gateway6 client shows that gaining ipv6 connectivity, and setting up routing to everything else in your network, does not have to be complicated, or involve lengthy command-line sessions.

If you want to terminate your tunnel on a router, give Hurricane Electric a look. Their tunnel setup does not require a client running on a PC – on the other hand, that means it won’t present the router configuration commands to you on a silver platter, either. Consider also that freenet6 has a somewhat patchy record when it comes to reliably handing out your delegated prefix: In the past, prefix numbers would change, and that messes with your router setup and your RDNS.

I had, when I first started writing this series, deliberately placed go6.net behind Teredo and SixXS: I knew it was going to be far easier to set up than those other two, and wanted to progress from “complicated” to “easy” as the series went on. I had not counted on getting stuck quite so hard on routing with the SixXS aiccu setup. In hindsight, covering the easiest method first might have been cleverer.

ipv6 at home, Part 2: Tunnel brokers, Windows “AYIYA” tunnel

Has it been 2 months? High time to get on with the planned ipv6 series, then. If you are entirely new to ipv6, it may pay to read part 1: overview.

In this installment, I will cover the use of the SixXS tunnel broker to create an ipv6-over-ipv4 tunnel from your Windows PC, on XP or Vista. This may sound like so much gobbledygook – some background is in order. Feel free to skip down to the nuts-and-bolts section if tunneling is old hat to you.

To recap, there are three major ways that a Windows PC will gain access to the ipv6 Internet: Teredo, which is covered in part 1 – bordering-on-easy to set up on Vista, but the most inefficient way to gain access, and limited in its usefulness under XP. Tunnel brokers, which I will cover in this part and parts 3/4. And native ipv6 access provided by your ISP, which I’d love to cover, but will need help doing so as none of the ISPs in my area offer it.

Tunnel Types

The “tunnel” that is being brokered here is ipv6 traffic encapsulated in ipv4. A machine on your network acts as your local tunnel endpoint, and your tunnel broker has a device “out there” that acts as the other end. You only have direct ipv4 connectivity. Your tunnel broker is connected both to ipv4 and ipv6. When a machine on your network desires to reach an ipv6 address, it will send the packet to your local tunnel endpoint. That machine wraps the ipv6 packet in an ipv4 header, and sends it over your ipv4 connection to the tunnel broker’s endpoint. There, the ipv6 packet is removed from its wrapper, and sent on its way to the ipv6 destination. Return traffic flows similarly, with the tunnel broker wrapping, and your machine unwrapping.

While this sounds relatively straightforward, the details of how this “wrapping” and “unwrapping” work (encapsulation and decapsulation for those who want to sound technical about it) impose certain restrictions on how you can deploy this in your own network. Consequently, there are a number of tunnel brokers available, but only a few of these offer tunnels that will work behind “NAT”, a.k.a. what your home router does to your traffic before it hits your ISP’s network.

The three major ways of configuring ipv6-over-ipv4 tunnels, then, are:

  • Static 6-to-4 tunnels, using IP protocol 41. These are well suited to being deployed on an ipv6-capable router. Which most folk do not have at home. I will cover this setup in part 4, using a Juniper SSG-5 firewall as an example endpoint.
  • AICCU/AYIYA tunnels, which are offered by SixXS. These can traverse NAT, and I will cover them in this article. They use PC client software. They’ll run on pretty much any OS out there – I will cover Windows only in this post.
  • Hexago TSP tunnels, which can also traverse NAT. I intend to cover this in part 3, and see how it stacks up against SixXS. These also use PC client software.
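To make the “wrapping” concrete, here is an added example (my own, not aiccu, gateway6 or any broker’s code) that encapsulates an IPv6 packet the way a static protocol-41 tunnel and a UDP-based NAT-traversal tunnel do, unwraps it again with the checks a tunnel endpoint performs, and shows why only the UDP variant can be translated by a home NAT router. Addresses, ports and payload are constructed; the AYIYA/TSP headers that sit inside the UDP payload in the real protocols are left out.

```python
import socket
import struct

IPPROTO_IPV6 = 41        # IANA protocol number used by static 6in4 tunnels
IPV6_MIN_MTU = 1280      # every IPv6 link must carry this (RFC 2460); the post pins aiccu to it


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 791); 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6_packet(src: str, dst: str, payload: bytes, next_header: int = 58) -> bytes:
    """Fixed 40-byte IPv6 header (version 6, hop limit 64) in front of a payload."""
    header = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    header += socket.inet_pton(socket.AF_INET6, src)
    header += socket.inet_pton(socket.AF_INET6, dst)
    return header + payload


def _ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header with the header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def encapsulate_6in4(outer_src: str, outer_dst: str, ipv6_packet: bytes) -> bytes:
    """Static tunnel: the IPv6 packet sits directly behind an IPv4 header, protocol 41."""
    return _ipv4_header(outer_src, outer_dst, IPPROTO_IPV6, len(ipv6_packet)) + ipv6_packet


def encapsulate_in_udp(outer_src: str, outer_dst: str, sport: int, dport: int,
                       ipv6_packet: bytes) -> bytes:
    """NAT-traversal style: IPv4 + UDP around the IPv6 packet (UDP checksum 0 = absent)."""
    udp_len = 8 + len(ipv6_packet)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + ipv6_packet
    return _ipv4_header(outer_src, outer_dst, socket.IPPROTO_UDP, udp_len) + udp


def decapsulate(outer: bytes) -> bytes:
    """Strip the IPv4 (and UDP) wrapper, checking what a tunnel endpoint checks."""
    if outer[0] >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    ihl = (outer[0] & 0x0F) * 4
    if ipv4_checksum(outer[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", outer[2:4])[0]
    proto = outer[9]
    inner = outer[ihl:total_len]
    if proto == socket.IPPROTO_UDP:
        udp_len = struct.unpack("!H", inner[4:6])[0]
        inner = inner[8:udp_len]
    elif proto != IPPROTO_IPV6:
        raise ValueError("protocol %d is not a tunnel we know" % proto)
    if not inner or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    return inner


def nat_can_translate(outer: bytes) -> bool:
    """PAT/hide-NAT rewrites TCP/UDP ports; protocol 41 has none, so a home router
    cannot map it back to an inside host. That is why AYIYA/TSP ride on UDP."""
    return outer[9] in (socket.IPPROTO_TCP, socket.IPPROTO_UDP)


def tunnel_mtu(link_mtu: int, udp: bool = False) -> int:
    """Largest IPv6 packet the outer link can carry after the wrapper is added."""
    return link_mtu - 20 - (8 if udp else 0)


if __name__ == "__main__":
    inner = build_ipv6_packet("2001:db8::1", "2001:db8::2", b"ping")
    static = encapsulate_6in4("192.0.2.10", "198.51.100.1", inner)
    nat = encapsulate_in_udp("192.0.2.10", "198.51.100.1", 5072, 5072, inner)  # 5072/udp: ayiya
    for name, pkt in (("6in4", static), ("udp", nat)):
        print(name, len(pkt), decapsulate(pkt) == inner, nat_can_translate(pkt))
    print(tunnel_mtu(1500), tunnel_mtu(1500, udp=True), IPV6_MIN_MTU)
```

The MTU figures explain the 1280 setting used later for the aiccu interface: the wrapper eats 20 or 28 bytes of a 1500-byte link, and 1280 is the IPv6 minimum that every path must carry regardless.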

Configuring an AYIYA tunnel

Let’s get into the “nuts-and-bolts” of setting up a SixXS tunnel, then. SixXS offers POPs (Points of Presence) all over the globe, and just recently added free 10GBit connectivity. This bodes well for good speed when using the service. They offer three types of tunnels: AICCU/AYIYA (Anything-in-Anything), which traverses NAT and which I will cover here; AICCU/Heartbeat, which is meant for use without NAT, but with a dynamic IP; and a “plain” static 6-to-4 tunnel, which is meant for static IPs and will usually be terminated on a router, not a PC.

SixXS offer a good overview of how to get a tunnel running in their “10 Steps to ipv6” document. I’ll run through those steps with you.

But before I do, one more word about how the SixXS AYIYA tunnel works: You’ll receive a /64 tunnel subnet, for which SixXS will only route the endpoints – the PC running the AICCU utility, and the SixXS end. If you want to get any of your other machines at home onto ipv6, you’ll need to request a /48 subnet from SixXS. These actions – requesting a tunnel, requesting a subnet, changing tunnel properties – cost “ISK”, a virtual currency SixXS uses. You gain ISK by signing up, and thereafter by having a functioning tunnel up and running.

1) Sign up with SixXS. In fact, first sign up with LinkedIn, or Xing, both “professional” social networking sites.  The reason is that the amount of SixXS “ISK” you receive upon signup with a LinkedIn or Xing profile is sufficient to request a /48 subnet right away, while without those profiles, it’ll just be enough to request a tunnel, after which you’d have to have the tunnel up and running for a week to accumulate enough ISK to request a subnet. SixXS will warn you that signup is handled by people, and it may be weeks before you get your account. In my case, I received it within a day, and was assigned 75 ISK – plenty to start experimenting.

[Update] As has been pointed out in the comments, signing up with SixXS means handing over some of your personal data, such as your name, and having that published in the whois directory. If that makes you nervous, SixXS is not for you.

2) Log in, and request a tunnel. You’ll want an AYIYA tunnel, which happens to be the default setting. Remember to specify your city and country! This will impact your speed, as SixXS will allocate you a POP (tunnel endpoint) close to you. In the next step, select a POP, and give a reason for selecting this POP as well as describe what you’ll use the tunnel for. Again, tunnel requests are processed by people – so be polite, do give a reason, and you’ll get your tunnel set up quickly. SixXS will send you an email notification when the tunnel request has been granted, and if you’re smarter than Yours-Truly, you’ll check the right email account.

3) Once you have your tunnel, and if you have enough ISK, and intend to get other machines in your home onto IPv6, request a subnet. This is again, assigned manually to you – in “less than a week” according to the SixXS confirmation page. Usually it takes just a few hours.

4) Set up AICCU. This gets just a tad involved at present, so I’ll abandon the numbering and step you through this.

Update 4/10/2008 – I have had big network slowdown issues after installing Tun/Tap 901 on Vista64. It’s uninstalled again, and I will update again when I know more – such as whether I can reproduce that issue, and how.

Update 7/28/2009 – Upon using OpenVPN 2.1-rc19 in Vista64, I couldn’t even ping the default gateway through aiccu any more, though this worked in XP64. Time to move on from this post. (2009-08-06: that was possibly coincidence)

Update 8/6/2009 – Some notes on behavior when a PoP goes down added.

There’re two parts to an AICCU/AYIYA tunnel: A “Tun/Tap” driver, and the “AICCU” application. Tun/Tap is part of the OpenVPN project. This could be fairly straightforward, but currently is not, due to versioning.

Tun/Tap exists in a version “801”, which has been tested on Windows 2000 and XP, but exists for Vista only in an experimental version, for XP64 in an experimental version, and for Vista64 not at all.

Tun/Tap version “901” works on Windows 2000 / XP / Vista. The version available at SixXS at present will not install on 64-bit Windows, but there is a way around that, see below.

AICCU comes in two flavors for Windows: A GUI version, which is nice and user-friendly, but which, as of this writing, does not support the “901” Tun/Tap driver. And a console version, which does support that driver version, but which is, by its nature, considerably less user-friendly. I expect this to change. The GUI AICCU is at version “2006.07.23” as of April 5th 2008, while the Console AICCU is at “2008.03.15”. At present, then, we’ll use the GUI version to create a configuration file, and use the Console version to set up the actual tunnel. Once the GUI version has been updated, this additional step of needing to use a Console application to establish the tunnel will be unnecessary.

To start, download the tap32 driver version “901”, the AICCU GUI application, and if the GUI application is still at version “2006.07.23” when you do your downloading, also the Console application. If you are running XP64 or Vista64 and the tap32 driver on the SixXS page refuses to install – which it did for me – you will also need to download the latest build of OpenVPN 2.1.

[Update: I would generally recommend installing a current version of the TAP driver from an OpenVPN package at this point]

Install the tap32 driver, using “addtap.bat”. This failed for me on XP64 and Vista64, so I used the 2.1-rc19 install of OpenVPN instead, choosing to only install the “TAP-Win32 Virtual Ethernet Adapter”, nothing else. On Vista, you’ll get a prompt asking you whether you really mean it and you trust the driver, which you may also see in XP, depending on the OpenVPN version.

Start the GUI version of AICCU and log in. NB: If you are running Vista, you must start it as Administrator by right-clicking, “Run as Administrator”.

Choose your tunnel.

Lastly, choose Save Configuration from the menu under the SixXS logo. This will save your configuration in c:\windows\aiccu.conf (hence, the need to run as Administrator in Vista), where the Console version can find it.

Close the GUI version – you may have to right-click it in your task bar and choose “Quit”.

Now open a command line – which, in Vista, you will also have to do as Administrator – navigate to where you downloaded the Console version of AICCU, and execute it using the “start” argument. You expect to see something along these lines:

aiccu-2008-03-15-windows-console.exe start
Succesfully retrieved tunnel information for T15039
[warning] Couldn't open registry key: SYSTEM\CurrentControlSet\Control\Class\{4D
36E972-E325-11CE-BFC1-08002BE10318}000\ComponentId (t2/2 vs 0/0 vs 1)
Renaming adapter 'Local Area Connection 2' to 'aiccu' and using it
[AYIYA-start] : Anything in Anything (draft-02)
[AYIYA-tun->tundev] : (Socket to TUN) started

Open a browser, and go to go6.net. If everything’s working, you expect to see “You are using IPv6 from” at the top of the page. NB: Firefox 2 may have issues with IPv6. Use Firefox 3 or IE instead.

[Update: go6.net can be temperamental. On a few occasions, it showed me as coming in from IPv4 although the IPv6 tunnel was fully functional. You can cross-check by going to ipv6.google.com, which is, well, Google,  on an IPv6-only address]

Note that the tunnel uses an MTU of 1280. This may cause issues with large packets, if machines in the path block IPv6 Path MTU Discovery. You can work around this issue by manually setting the MTU of the tunnel interface.

netsh interface ipv6 set interface aiccu mtu=1280

Vista-specific twist: As with Teredo, Vista refuses to resolve ipv6 addresses, because your physical interface only has a link-local address. There’s a discussion of this in part 1 – I’ll just give you the quick-and-dirty instructions here: Open up the Properties of your LAN or WiFi interface, and change it to have a static IPv6 address. Use the 192.168.1.2 equivalent of 2002:81a8:102:: with a netmask of 48. Do not configure a default gateway for this address.

Running the tunnel as a service

At this point, you can manually start your tunnel. To get the tunnel to come up every time Windows starts, some more work is needed: We are going to install the Console version of AICCU as a service.

Before I show you how to do that, one quick note: I am using the tap901 driver included in OpenVPN because I run XP64 and Vista64. If the steps here sound like way too much work, and you run a 32-bit version of Windows, you can just install the older tap801 driver, and use the GUI version of AICCU, which includes its own service installer. Once a newer AICCU GUI version that works with the tap901 driver becomes available, many of the steps here will become unneccessary, as well.

Download the “srvany” application. Extract its contents into a directory of your choice, c:\aiccu in my case. Copy / rename the Console version of AICCU into this same directory, as aiccu.exe. This is for simplicity’s sake, really.

Now open a command line – as Administrator if running Vista! – navigate to c:\aiccu, and run this command:

instsrv.exe aiccuService c:\aiccu\srvany.exe

Next, you’ll need to edit the registry. So open up regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aiccuService, and add a key named “Parameters”, and under it, a String value called “Application”, set to “c:\aiccu\aiccu.exe start”.

It’s time to test this service. If AICCU is still running, stop it. Open up Start | Control Panel | Administrative Tools | Services, find aiccuService, and choose Action | Start. You expect the service to start without errors.

You’ll also want to verify that the service is set to “Automatic” (by default, it will be), and you may have to open its Properties, and check “Allow service to interact with desktop” on the “Log On” tab.

Navigate to go6.net once more to verify that you are indeed using ipv6. NB: It may take a minute for the system to start using IPv6 once the service has been started.

[Update] I have not had consistent results with getting a hybrid ipv4/ipv6 site such as go6.net to display my ipv6 address, even when ipv6 is working through an AYIYA tunnel. You can always test with an ipv6-only site such as ipv6.google.com.

aiccu behavior when a PoP goes down

While re-testing aiccu, the PoP my tunnel terminates on went down, and was, after a day or so, flagged “down” by SixXS. I requested a new tunnel to a different PoP, re-configured aiccu to use that tunnel, deleted the old tunnel in the SixXS web interface (which has it still “sticking around”, though) and am not having a whole lot of joy:

C:\aiccu>aiccu tunnels
T22555 2001:4978:f:3a1::2 ayiya uschi02

C:\aiccu>aiccu start
[error] Couldn't show tunnel T15039: 500 This PoP is unfortunately currently down, see http://www.sixxs.net/pops/status/ for more information.
[error] Couldn't retrieve first tunnel for the above reason, aborting

I’ve reached out to SixXS to see whether they can’t remove the old, down tunnel completely from my handle. This would be considered a bug in aiccu, I’d say.

[Update] This was my own fault: The new tap driver no longer requires admin rights per release notes, so I ran aiccu from an unprivileged prompt. While aiccu.conf can indeed be read, aiccu still somehow “remembered” the old tunnel. Run aiccu from an elevated cmd prompt, and the problem disappears.

IPv6 to the rest of your network

[This section is work-in-progress. The instructions in this section do not make for a functioning router setup at present]

[Update 2009-07-28: I could not get this to work. Addresses are given out, Wireshark shows traffic routing from the LAN to the aiccu interface and traffic coming back in to the aiccu interface, but not being routed back out the LAN interface. At this point, I’ll give up – if you know how to get Windows to route ipv6 traffic, clue me in, and I’ll retest]

Are we done yet? Well, if your own machine is all you’re connecting, yeah, you’re done. Otherwise, you’ll need that subnet you requested earlier, and you’ll have to set your Windows machine up to route for the rest of your network. This will be done through the command line – I’ll assume you’re familiar with how to operate it by now.

The SixXS POP will usually allocate you a /48 subnet, which is sufficient for over 65,000 physical networks. More than you’ll ever need at home, or for your fledgling business, for that matter. The easiest way to get going is to take the address you’ve been assigned, and replace the /48 with a /64, like so: “2001:4830:126a::/48” becomes “2001:4830:126a::/64”. If you want to get deeper into subnetting, you can use a handy IPv6 subnet calculator.

Start by listing your network interfaces using the command “netsh interface ipv6 show interface”

C:\>netsh interface ipv6 show interface
Querying active state…

Idx  Met   MTU    State         Name
---  ----  -----  ------------  -----
7     2   1280  Disconnected  Teredo Tunneling Pseudo-Interface
6     0   1400  Disconnected  Network Connect Adapter
5     0   1500  Connected     aiccu
4     0   1500  Connected     Local Area Connection
3     1   1280  Connected     6to4 Pseudo-Interface
2     1   1280  Connected     Automatic Tunneling Pseudo-Interface
1     0   1500  Connected     Loopback Pseudo-Interface

Of the subnet you chose above, use the “::1” address for your Ethernet or WiFi LAN connection. In this example case, the address will be  “2001:4830:126a::1”. Add this address to your LAN interface:

C:\>netsh interface ipv6 add address interface="Local Area Connection" address=2001:4830:126a::1
Ok.

Next, add your subnet to the routing table, using the interface number you got with the show interface command, and instruct Windows to publish this route in router advertisements:

C:\>netsh interface ipv6 add route 2001:4830:126a::/64 interface=4 publish=yes
Ok.

In Vista, the route most likely already was added when you configured the address. In that case, modify the route to have it published, and verify:

C:\>netsh interface ipv6 set route 2001:4830:126a::/64 interface=4 publish=yes
Ok.

C:\>netsh interface ipv6 show route
Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ---  ------------------------  ---  ------------------------
Yes      Manual    256  2001:4830:126a::/64         4  Local Area Connection

Enable routing (forwarding) and router advertisements on your LAN interface:

C:\>netsh interface ipv6 set interface interface=4 forwarding=enabled advertise=enabled
Ok.

Enable routing on your aiccu tunnel interface, too:

C:\>netsh interface ipv6 set interface interface=5 forwarding=enabled
Ok.

And lastly, allow ICMP messages necessary for Path MTU Discovery through your Windows host firewall:

netsh firewall set icmpsetting type=11 mode=enable
netsh firewall set icmpsetting type=2 mode=enable

At this point, all other IPv6-enabled machines in your LAN network should receive addresses in your /64 subnet range, and be able to route to IPv6 addresses through the machine your AYIYA tunnel runs on.
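As an added example (my own code, not SixXS, aiccu or Microsoft’s), the routing steps above as a script: it carves the delegated /48 into /64 LAN subnets, picks the “::1” address, reads the interface indexes out of the “netsh interface ipv6 show interface” table, checks that the prefix you are about to publish really lies inside your delegation, and emits the netsh commands from this section with the indexes filled in. The prefix is the one used above; the netsh output embedded below is a constructed copy of the listing shown earlier.

```python
import ipaddress

# Constructed copy of the "show interface" listing from this post.
SHOW_INTERFACE_OUTPUT = """\
Querying active state...

Idx  Met   MTU    State         Name
---  ----  -----  ------------  -----
7     2   1280  Disconnected  Teredo Tunneling Pseudo-Interface
5     0   1500  Connected     aiccu
4     0   1500  Connected     Local Area Connection
1     0   1500  Connected     Loopback Pseudo-Interface
"""


def parse_show_interface(text: str) -> dict:
    """Map interface name -> (Idx, MTU) from the netsh table; names may contain spaces."""
    result = {}
    for line in text.splitlines():
        parts = line.split(None, 4)          # Idx Met MTU State Name(rest of line)
        if len(parts) == 5 and parts[0].isdigit():
            idx, _met, mtu, _state, name = parts
            result[name] = (int(idx), int(mtu))
    return result


def subnet_count(delegated: str) -> int:
    """How many /64 LANs a delegation holds: 65536 for a /48, 256 for a /56."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > 64:
        raise ValueError("%s cannot be split into /64 subnets" % net)
    return 2 ** (64 - net.prefixlen)


def lan_subnets(delegated: str, count: int) -> list:
    """The first `count` /64 subnets of the delegation, as strings."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    out = []
    for sub in net.subnets(new_prefix=64):
        if len(out) == count:
            break
        out.append(str(sub))
    return out


def router_address(subnet: str) -> str:
    """The ::1 address of a /64, the convention this post uses for the LAN side.
    ::0 is skipped on purpose: it is the subnet-router anycast address (RFC 4291)."""
    return str(ipaddress.IPv6Network(subnet, strict=True)[1])


def within_delegation(subnet: str, delegated: str) -> bool:
    """Publish and forward only prefixes the broker actually delegated to you; the
    /64 tunnel subnet itself is only routed between the two endpoints."""
    return ipaddress.IPv6Network(subnet).subnet_of(ipaddress.IPv6Network(delegated))


def netsh_commands(subnet: str, delegated: str, lan_name: str, interfaces: dict,
                   tunnel_name: str = "aiccu") -> list:
    """The netsh sequence from this section with real indexes substituted."""
    if not within_delegation(subnet, delegated):
        raise ValueError("%s is not inside your delegated %s" % (subnet, delegated))
    lan_idx = interfaces[lan_name][0]
    tunnel_idx = interfaces[tunnel_name][0]
    addr = router_address(subnet)
    return [
        'netsh interface ipv6 add address interface="%s" address=%s' % (lan_name, addr),
        "netsh interface ipv6 add route %s interface=%d publish=yes" % (subnet, lan_idx),
        "netsh interface ipv6 set interface interface=%d forwarding=enabled advertise=enabled"
        % lan_idx,
        "netsh interface ipv6 set interface interface=%d forwarding=enabled" % tunnel_idx,
    ]


if __name__ == "__main__":
    delegated = "2001:4830:126a::/48"
    first_lan = lan_subnets(delegated, 1)[0]
    ifaces = parse_show_interface(SHOW_INTERFACE_OUTPUT)
    print("%d /64 subnets available, using %s" % (subnet_count(delegated), first_lan))
    for cmd in netsh_commands(first_lan, delegated, "Local Area Connection", ifaces):
        print(cmd)
```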

Conclusion

On my Comcast connection here in Western MA, going through a NJ SixXS POP, I get about 300k/sec download from an ipv6 server, whereas my Hurricane static tunnel gives me about 700k/sec. Your mileage will vary – do some speedtests when you can.

SixXS works, and works well. I wish the OpenVPN / GUI / Console gyrations were not necessary – setup of an AYIYA tunnel on 64-bit Windows is less than straightforward. On the other hand, SixXS has POPs worldwide, is free, and offers tunnels that don’t need a hardware router – that’s worth a lot.

IPv6 at home, Part 1: Overview, Teredo

[Edit 2010-02-25 – adding some forward links to the other parts of this series. Rewrote parts – no more mention of how slow Teredo is (it’s not), and some updated comments to reflect the state of ipv6 in 2010]

This blog post is part of a series on ipv6. In this part, I provide an overview of ipv6 and look at Teredo, the technology built into Windows Vista/7; in part 2, I look at AYIYA tunnels through aiccu, using sixxs net as a tunnel broker. Part 2.5 is a collection of useful ipv6 tidbits, and part 3 gets back to the original plan: Exploring ipv6 connectivity options – in this case, the tunnel offered by gogonet.

NB: The tunnel described in part 3 is a lot easier to set up than Teredo. It was never my intent to advocate the use of Teredo as the prevalent way to connect a machine to IPv6. I started with it in this series precisely because I thought it would be the least comfortable option. In hindsight, I should probably have started with the easy button.

Part 4 describes Hurricane Electric 6in4 tunnels, and part 4.1 shows how to set one up on a Juniper ScreenOS device. [JunOS tunnels, as opposed to ScreenOS tunnels, are shaky at this point, they work in 10.3r1, but not in 10.2r3 or 10.4r1. I may describe them when this situation has settled down a bit]

For a corporate environment, I take a look at ipv6 renumbering. If you are planning to deploy ipv6 in your network, you need to think about this.

Overview

I’ve been running IPv6 at home since January 2008. When I took the plunge, I did so mainly to learn about the technology in preparation of it being adopted in the field. Factors that made me finally take this step in January 2008, as opposed to pondering it since January 2001, were:

  • The government mandate to deploy IPv6 in federal networks, while weak, will undoubtedly bring IPv6 adoption into some enterprises. When this happens, I want to be ready, and I want my team to be ready, so we can capitalize on our knowledge and can claim to have been running IPv6 since early 2008.
  • We’re deploying Juniper SSG-5 firewalls at our techies’ homes, and these little boxes do now support IPv6 with the release of software version 6.0.0. I could have been running IPv6 using a software client, but that would have done little to prepare me for seeing it deployed in an environment I will actually encounter – namely, hardware firewalls and routers.
  • Four of the Internet DNS root servers are now reachable through IPv6. For the first time ever, this would allow a connection between IPv6 hosts that relies purely on IPv6. This is less a technical concern than a measure of where we are with IPv6: The root servers were the last “you can’t DO IPv6 without IPv4 first” holdout, and that’s gone now. When the root servers, who are very conservative, move, it’s time for mere mortals to test the waters, too.

Since most folk won’t have IPv6-capable hardware firewalls at home, I will talk about host – specifically, PC – based solutions to connect to IPv6 sites to start out with.

All right, starting with: What is IPv6, and why do I care? At its core, IPv6 is simply “more address space”. The “old way” of addressing, called IPv4, with its 32-bit address space, is running out of space to use, even with the use of NAT. Predictions claim we may run out of space as early as 2012, though I would not be surprised to see us “hang on” a little longer. IPv6 in contrast has a 128-bit address space, which is ridiculously huge.

This has some implications:

  • IPv6 will rely on DNS to an even greater degree than IPv4. Let me take the example of go6.net. Its IPv6 address is 2001:5c0:0:1::6. The ‘::’ is a way of saying “multiple zeros here” in IPv6, to shorten writing it. That’s actually a fairly neat and short address, but still hard to memorize. A less ‘neat’ address may look like 2001:470:1f06:223:bd6f:6f5c:a458:2802. Good luck memorizing that one. We’ll need names, and good reverse DNS, and good DDNS.
  • Because we have so much address space now, IPv6 does away with IPv4-style subnetting. In IPv6, every subnet is a /64. That is 16 quintillion addresses, up from 4 billion in the entire IPv4 range. And that’s just for one subnet. The goal is to avoid the pain of different-sized subnets – needing to wrestle with /26, /28 and /29 – and the even greater pain of having to change subnets, say going from a /29 to a /28 because you ran out of space and have now a few machines more than you envisioned. The IPv6 /64 subnet range is envisioned to cover all devices that could possibly be hooked up to the physical medium that carries that subnet.
  • “Leaf nodes” – that is, sites that aren’t large carrier-grade – will receive a /48, which can then be carved up into individual /64s. This will allow for 65,000+ subnets per site, which will be plenty even for large corporations. A /48 is also what you might receive at home, depending on how you connect to IPv6.
  • Lots of address space also means we don’t need private addresses any more. This does away with NAT, which makes life hugely simpler for applications. VPNs become easier, and protocols that embed IP information – notoriously, all the VOIP stuff like H.323 and SIP, as well as Microsoft’s SMB file-sharing protocol – also benefit. As do P2P and game applications, BTW – no more need to configure “port forwards” for these. This also means that firewalling is a must. While NAT was never meant to be a security feature, PAT or Hide-NAT in particular, as implemented in home routers, was often touted as a “firewall” feature by vendors, because by its nature, it disallows incoming connections. There are huge application-level challenges in interop, too, and I’ll get to those.

So, how does an IPv6 host talk to an IPv4 host, or vice versa? The answer is “with difficulty”, if at all. Proposals for rewriting addressing on-the-fly are technically brittle. Particularly when it comes to those applications mentioned that embed IP addresses, like H.323 and SIP and SMB, rewriting that data stream is not very feasible, and not at all scalable. The best idea proposed so far has been to “dual-stack” IPv6-capable equipment: Any given host would have both an IPv6 address and an IPv4 address. It will talk to IPv4 hosts using IPv4, and to IPv6 hosts using IPv6. That is a workable way around those application-level interop challenges. At some point, of course, one would have to either phase out IPv4 or bite the bullet and do application-layer translation for those clients that are still IPv4-only.

For DNS, what you need to know is:

  • IPv4 records are A records, IPv6 records are AAAA records. Any given host can have one, the other, or both. go6.net has both, google.com has only IPv4, and IPv6-only hosts such as ipv6.google.com are extremely rare right now. Who in their right mind, after all, would limit content to a tiny portion of the Internet users?
  • Windows XP will always use IPv4 to query DNS servers. Even to get an AAAA record, the actual query will run over IPv4. Windows Vista can run IPv6-native and query DNS over IPv6.
  • Both Windows XP and Windows Vista will advertise their IPv6 address as a DDNS update. If you run your own DNS server at home and it is IPv6-capable, it should pick up the addresses of your IPv6 hosts.

Connecting to IPv6

Alright, so how do you connect to, say, a web server, using IPv6? Your home router does not know IPv6, and even if it does, your ISP’s router is most likely not configured for IPv6, and would not forward your IPv6 packets. Therefore, you have three ways to get to IPv6 hosts, two of which are actually going to be available for most people at this point.

  1. Native IPv6. Your ISP supplies you with IPv6 address space and does all the hard work for you. Rejoice, you are done! Just that, as of this writing, unless you live in France or near one of these ISPs, you are pretty much out of luck. Comcast and other cable providers are starting to make noises about DOCSIS 3.0, which is IPv6-capable, but that is years out. [Edit] Or rather, was years out in 2008 – Comcast is now trialing ipv6 for consumers, with rollout planned in a 2011/2012 timeframe. If you have Verizon FiOS in your area, you’ll get DOCSIS 3.0 earlier – though not necessarily with IPv6 right away. If there’s no FiOS, don’t expect DOCSIS 3.0 very soon. We need other ways of connecting – of tunneling IPv6 traffic through an IPv4 network in some way shape or form.
  2. Use a tunnel broker. This is actually going to be your best bet for connecting to IPv6, which is why, perversely, I’ll discuss it in more detail in a later post. Tunnel brokers available are SixXS, which supports both hardware (static) and software/client (heartbeat, AYIYA) tunnels and gives you a full /48; Hurricane Electric, which is more geared towards static (hardware) tunnels and gives you one /64 subnet (it now also offers a /48); Gogonet/Freenet6, who have their own proprietary way of traversing NAT and are really easy to set up; and Earthlink R&D, which is very specialized: You connect using a custom firmware for a Linksys WRT54G router, and get a /64. Earthlink would be a good choice if you wanted to run IPv6 on your home router, not your home PC, and you don’t have a Cisco / Juniper / what-have-you at home. I’d expect most people to go with Freenet6 or SixXS and use their software client. I’m set up with Hurricane right now, but for a client setup, I’d choose Freenet6.
    There’s also the Apple Airport Extreme, which handles IPv6 tunnels without exposing any of the nuts-and-bolts to the user. [Edit] D-Link have released a number of ipv6 capable routers, too, as have Linksys/Cisco.
  3. Use Teredo, a Microsoft-supported tunnel that is established directly from your client machine. Teredo was meant to be used only by applications that specifically request it. For this reason, a host that has Teredo enabled would only ever use Teredo to connect to IPv6-only machines. If IPv4 is an option, it will always prefer that. So, why talk about it first? Because it ships with both Windows XP SP2 and Windows Vista/7 – enabled by default in the latter two, though not enabled for “general application use” by default – and we can expect it to be used to get to IPv6-only content, as tunnel brokers, on the outside, may seem like more work to set up. [Edit] And indeed, with the release of an ipv6 capable uTorrent and HE’s provisioning of Teredo relay servers, Teredo traffic has spiked sharply.

Setting up Teredo

And here’s the breakdown of how to set up Teredo. Again, keep in mind, IPv4 will always be preferred. go6.net will show you with an IPv4 address if all you have is Teredo.

Windows XP SP2

  • Realize that Teredo in Windows XP does not support Hide NAT, aka PAT, aka many-to-1 NAT, aka what your home router does. In Teredo language, that kind of NAT is called “Symmetric NAT”, and it’s just not supported by the Teredo implementation in XP. You can still experiment some by either sticking a host onto the Internet directly, without a home router in between. If you have an additional public IP address, you could also set up a Static NAT (aka 1-to-1 NAT), which Teredo calls a “Cone NAT” (if you allow all incoming) or “Restricted Cone NAT” (if you disallow incoming connections), and which is supported. My experiments with my router’s “DMZ” setting, to see whether that will get around the issue, have been less than successful. While Teredo claimed I was behind “cone” NAT, I still had no connectivity.
  • Add the IPv6 protocol to your interface. Control Panel | Network Connections -> Right-Click “Properties” on your LAN or WiFi connection, “Install…”, “Protocol”, “Add…”, choose “Microsoft TCP/IP version 6”, hit “OK” until you’re out again.
  • Open a command line – “cmd” from Start | Run – and run “ipconfig /all”. You should now see a “link local” IPv6 address, which looks something like “fe80::214:85ff:fe2f:8f06%4”. This won’t be useful for connecting to anything “out there”, but it’ll let you know IPv6 is up and running.
  • Configure Teredo. Assuming you are in the US, the command would be “netsh interface ipv6 set teredo client teredo.ipv6.microsoft.com”. If you are elsewhere in the world, you may be able to find a closer Teredo server.
  • If you are on a Windows domain – as opposed to a home workgroup – Teredo will disable even if you configure it. You can get around that with the command “netsh interface ipv6 set teredo enterpriseclient”.
  • The command to see the configured Teredo parameters is “netsh int ipv6 show teredo”, and the message indicating that a user is behind PAT and thus Teredo won’t work here is “Error : client behind symmetric NAT”.
  • Use an IPv6-only host to test connectivity. If you can connect to http://ipv6.google.com/, it’s working. Or you could “ping ipv6.google.com” from the command line, which should show you an IPv6 address, and succeed.
  • A useful command to use while trying different configurations is “netsh int ipv6 renew”, which will re-negotiate the Teredo tunnel. “netsh int ipv6 show route” will show you ipv6 routes.
  • Keep in mind that Windows XP will always prefer IPv4 over IPv6 when Teredo is used for IPv6 connectivity. Unless a host has no IPv4 address, its IPv6 address will not be used.
  • Lastly, there are reports that Firefox 2 on Windows XP does not handle IPv6 well. Try Firefox 3, or Internet Explorer.

Windows Vista

  • IPv6 and Teredo both are enabled by default in Windows Vista. Teredo also supports Hide-NAT aka PAT aka what your home router does. Woo, we’re done? Not so fast, young Anakin: In order to avoid IPv6 connectivity issues caused by default Teredo tunnels, Microsoft have configured DNS so that the system will never resolve any name to an IPv6 address, as long as the system only has link-local and Teredo IPv6 addresses. Teredo is meant to be used by applications that specifically request its use, and that does not include any browsers.
  • Thus, we need to hoodwink Vista. If the criterion is “has only link-local or Teredo addresses”, why, then we need to supply another address. Luckily, IPv6 maps the entire IPv4 address space, so we can use that. In reality, it doesn’t matter which address we configure, since it won’t ever be used anyway. Open up the Properties of your LAN or WiFi interface, and change it to have a static IPv6 address. Use either the converted IPv4 address you figured out using the link I gave, or use the 192.168.1.2 equivalent of 2002:c0a8:102:: with a subnet prefix length of 48. Do not configure a default gateway for this address.
  • Vista would now resolve names to IPv6 addresses, but we need to force it to route traffic through our Teredo interface first. For this, you’ll need to run a Command prompt as “Administrator”. Create a shortcut to a Command prompt on your desktop, then right-click “run as administrator”.
  • Figure out the ID of your “Teredo Tunneling Pseudo-Interface” using “route print” and looking at the “Interface List” at the top of its output. In my case, it is “14”. Then, using this ID, add a default route that forces all IPv6 traffic through Teredo: netsh interface ipv6 add route ::/0 interface=14
  • Use an IPv6-only host to test connectivity. If you can connect to http://ipv6.google.com/, it’s working. Or you could “ping ipv6.google.com” from the command line, which should show you an IPv6 address, and succeed.
  • Keep in mind that Windows Vista will always prefer IPv4 over IPv6 when Teredo is used for IPv6 connectivity. Unless a host has no IPv4 address, its IPv6 address will not be used.

[Edit 2010-02-24 – added Windows 7 and Troubleshooting sections]

Windows 7 [this is the same procedure as for Vista, tested on Win7 x64]

[Edit 2010-04-09 – replaced kludgy workaround for disappearing default route with elegant workaround received through comment]

  • IPv6 and Teredo both are enabled by default in Windows 7, just as in Vista. Also as in Vista, Microsoft have configured DNS so that the system will never resolve any name to an IPv6 address, as long as the system only has link-local and Teredo IPv6 addresses.
  • Thus, we need to hoodwink Win7. As with Vista, we will provide a 6to4 address. Luckily, IPv6 maps the entire IPv4 address space, so we can use that. In reality, it doesn’t matter which address we configure, since it won’t ever be used anyway. Open up the Properties of your LAN or WiFi interface, and change it to have a static IPv6 address. Use either the converted IPv4 address you figured out using the link I gave, or use the 192.168.1.2 equivalent of 2002:c0a8:102:: with a subnet prefix length of 48. Do not configure a default gateway for this address.
  • In order for Win7 to resolve names to IPv6 addresses, we need to force it to route traffic through our Teredo interface first. For this, you’ll need to run a Command prompt as “Administrator”. Create a shortcut to a Command prompt on your desktop, then right-click “run as administrator”.
  • Figure out the ID of your “Teredo Tunneling Pseudo-Interface” using “route print” and looking at the “Interface List” at the top of its output. In my case, it is “14”. Then, using this ID, add a default route that forces all IPv6 traffic through Teredo: netsh interface ipv6 add route ::/0 interface=14
  • Use an IPv6-only host to test connectivity. Try to ping ipv6.google.com or connect to http://ipv6.google.com/.
  • Keep in mind that Win7 will always prefer IPv4 over IPv6 when Teredo is used for IPv6 connectivity. Unless a host has no IPv4 address, its IPv6 address will not be used.
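
The Vista and Win7 steps above both need the 6to4 form of an IPv4 address (the 192.168.1.2 / 2002:c0a8:102:: pair). This added example, not from the original post, computes that mapping in both directions and produces the address/prefix-length pair for the interface dialog; 203.0.113.5 is a constructed second input.

```python
import ipaddress

# 6to4 (RFC 3056): the 32-bit IPv4 address occupies bits 16..47 of an
# address under 2002::/16, so every IPv4 address owns a 6to4 /48.
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def ipv4_to_6to4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Return the 2002:xxxx:xxxx::/48 site prefix for an IPv4 address."""
    v4_bits = int(ipaddress.IPv4Address(ipv4))
    # 128 - 16 (the 2002 prefix) - 32 (IPv4) = 80 zero bits below the IPv4 field.
    prefix_int = int(SIX_TO_FOUR.network_address) | (v4_bits << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def sixto4_to_ipv4(addr: str) -> ipaddress.IPv4Address:
    """Recover the embedded IPv4 address from any 6to4 address or prefix."""
    v6 = ipaddress.IPv6Address(addr.split("/")[0])
    if v6 not in SIX_TO_FOUR:
        raise ValueError(f"{addr} is not under 2002::/16")
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def decoy_static_address(ipv4: str) -> tuple:
    """Address and prefix length to type into the interface's IPv6 properties.

    Only the first 48 bits matter for the DNS trick described above: the
    address is never routed (no default gateway is configured for it); it
    just stops Windows from treating the host as Teredo/link-local only.
    A private IPv4 address such as 192.168.1.2 is therefore fine here.
    """
    prefix = ipv4_to_6to4_prefix(ipv4)
    return str(prefix.network_address), prefix.prefixlen


if __name__ == "__main__":
    for ip in ("192.168.1.2", "203.0.113.5"):  # 203.0.113.5 is a constructed input
        addr, plen = decoy_static_address(ip)
        print(f"{ip:>15} -> {addr}/{plen}  (round trip: {sixto4_to_ipv4(addr)})")
```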

In my testing, Win7 would deactivate the default ipv6 route when there was no ipv6 traffic. Thanks to Sam Karim, I can present a fix for this issue: Configure Teredo to be “Default Qualified” so it will not enter into “Dormant” state.

On Windows 7 Business and better:

  • Run “gpedit.msc” from the Start Menu by typing it into the search bar or “Run” bar.
  • Navigate to Computer Configuration -> Administrative Templates -> Network -> TCPIP Settings -> IPv6 Transition Technologies
  • Double click the “Teredo Default Qualified” setting, change it from “Not Configured” to “Enabled”, and click OK, then close gpedit.msc.
  • The setting should take effect rather quickly, but you can do “gpupdate /force” to force a refresh.

On Windows 7 Home Premium and Starter editions, you will need to manually create a registry key.

  • Open regedit from the Start Menu by typing it into the search bar or “Run” bar
  • Navigate to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
  • Right-click the “Windows” Key and choose New -> Key, create a “TCPIP” Key (observe case)
  • Right-click the “TCPIP” Key and choose New -> Key, create a “v6Transition” Key (observe case)
  • Right-click the “v6Transition” Key and choose New -> String Value, create an entry called “Teredo_DefaultQualified” with a value of “Enabled” (observe case, note the underscore)

Old workaround for reference until I have fully tested the above new-and-improved methods:

Create a text file, name it “fix-ipv6.cmd” (make sure you can see file extensions!) and paste these lines into it:

  1. REM Because Win7 gets rid of ipv6 routes
    netsh interface ipv6 delete route ::/0 interface=14
    netsh interface ipv6 add route ::/0 interface=14
    REM Optionally, run a continuous ping here instead of through a task
    REM ping -t ipv6.google.com
  2. Change the ID of the interface in this text file to the ID of the Teredo interface on your system
  3. Create a task to run a continuous ping. Optionally, just un-comment the ping command in the file you just created.
    Control Panel | System and Security | Schedule tasks
    Create task (on the right)
    General pane: Give it a name, “Run whether user is logged on or not”, “Configure for: Windows 7”
    Triggers: “New”, “At Startup”, hit “OK”
    Actions: “New”, “Start a program”, enter “ping” into “Program/script” and “ipv6.google.com -t” into “Add arguments (optional)”
    Conditions: Uncheck “Start the task only if the computer is on AC power”
    Settings: Check “Run task as soon as possible after a scheduled start is missed”, “If the task fails, restart every” and uncheck “Stop the task if it runs longer than”
  4. After reboot, you’ll need to right-click your “fix-ipv6” and “Run as administrator”

In my testing, this workaround kept the ::/0 route active. You can check using “route print -6” – you want to see the ::/0 route in both active and persistent routes. When it is inactive, it shows up only in persistent.

If this all sounds like more trouble than it’s worth, then using a tunnel broker as described in part 3 may be the ticket for you.

Google and v6

You can add a Google-v6-savvy DNS server, such as HE’s 2001:470:20::2, to your LAN or WiFi connection, and this will give you both ipv4 and ipv6 addresses for Google. However, as Windows will always prefer ipv4 if all you have is Teredo, ipv6 won’t be used in that case. If you’d like to use ipv6 for Google/Youtube, take a look at part 3 of this series instead, and go with a tunnel broker.

Troubleshooting

  • Test ipv6 DNS lookup from the command line. Note that ping fails to resolve the name, but nslookup can resolve it. This means our DNS server has the entry, but we haven’t configured Win7 yet to use v6 addresses.
    >ping ipv6.google.com
    Ping request could not find host ipv6.google.com. Please check the name and try again.
    >nslookup ipv6.google.com
    Non-authoritative answer:
    Name:    ipv6.l.google.com
    Addresses:  2001:4860:b009::93
    2001:4860:b009::63
    2001:4860:b009::67
    2001:4860:b009::69
    2001:4860:b009::68
    2001:4860:b009::6a
    Aliases:  ipv6.google.com
  • Check that the ::/0 route has been added correctly. Open netsh, navigate to interface ipv6, and enter show route. This is what you want to see:
    netsh interface ipv6>show route
    Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
    -------  --------  ---  ------------------------  ---  ------------------------
    No       Manual    256  ::/0                       14  Local Area Connection* 9
  • On my system, after changing the IPv6 address of the LAN interface, that route goes into “limbo”, meaning show route does not show it, but route print does. In that case, you can delete and re-create it, again from netsh’s interface ipv6 context:
    delete route ::/0 “Local Area Connection* 9”
    add route ::/0 “Local Area Connection* 9”
  • show teredo is useful to see whether Teredo connectivity is there. You want to see your state as “qualified”.
    netsh interface ipv6>show teredo
    Teredo Parameters
    ---------------------------------------------
    Type                    : client
    Server Name             : teredo.ipv6.microsoft.com.
    Client Refresh Interval : 30 seconds
    Client Port             : unspecified
    State                   : qualified
    Client Type             : teredo client
    Network                 : unmanaged
    NAT                     : symmetric (port)
    NAT Special Behaviour   : UPNP: No, PortPreserving: No
    Local Mapping           :  —
    External NAT Mapping    : —
  • In order for DNS to resolve IPv6 addresses, the LAN/WiFi interface must have a 6to4 address without a default route, Teredo must be working, and a default route through Teredo must be configured. Miss one of those three, and you won’t be able to resolve ipv6 DNS.
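
To make the three conditions in the last bullet checkable rather than eyeballed, here is an added example (not from the original post) that parses the show teredo and show route output shown above and reports which condition fails. The sample text is constructed from those transcripts; the LAN address list stands in for what ipconfig would show, and the XP symmetric-NAT rule comes from the XP section earlier.

```python
import ipaddress
import re

# Constructed sample output, copied from the netsh transcripts above.
SHOW_TEREDO = """\
Teredo Parameters
---------------------------------------------
Type                    : client
Server Name             : teredo.ipv6.microsoft.com.
State                   : qualified
Client Type             : teredo client
NAT                     : symmetric (port)
"""
SHOW_ROUTE = """\
Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ---  ------------------------  ---  ------------------------
No       Manual    256  ::/0                       14  Local Area Connection* 9
"""
# Publish, Type, Met, then the three fields we care about: Prefix, Idx, name.
ROUTE_LINE = re.compile(r"^\S+\s+\S+\s+\d+\s+(\S+)\s+(\d+)\s+(.+)$")


def parse_teredo(text: str) -> dict:
    """Turn 'show teredo' output into a {parameter: value} dict."""
    params = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and not line.startswith("-"):
            params[key.strip()] = value.strip()
    return params


def default_routes(text: str) -> list:
    """Return (interface index, interface name) for every ::/0 row of 'show route'."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if m and m.group(1) == "::/0":
            routes.append((int(m.group(2)), m.group(3).strip()))
    return routes


def teredo_problems(teredo_out, route_out, teredo_ifindex, lan_addresses, windows_xp=False):
    """Check the three conditions from the bullet above; returns those that fail (empty = OK)."""
    problems = []
    params = parse_teredo(teredo_out)
    if params.get("State") != "qualified":
        problems.append(f"Teredo state is {params.get('State', 'unknown')!r}, not 'qualified'")
    if windows_xp and params.get("NAT", "").startswith("symmetric"):
        problems.append("XP's Teredo client does not work behind symmetric NAT (PAT)")
    if teredo_ifindex not in {idx for idx, _ in default_routes(route_out)}:
        problems.append(f"no ::/0 route via Teredo interface {teredo_ifindex}")
    if not any(ipaddress.IPv6Address(a) in ipaddress.IPv6Network("2002::/16") for a in lan_addresses):
        problems.append("LAN/WiFi interface has no 6to4 (2002::/16) address")
    return problems
```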