The Gig of Ham

One geek's contributions to the series of tubes

Feb 11, 2015 - 8 minute read - Comments - Internet ipv6 sysadmin

I thought I knew pain, and then I tried to switch to native IPv6 at home

For years, I have been happily using a Hurricane Electric IPv6 tunnel for my IPv6 at home. I have had it on five different ISPs and it has “just worked” (with the notable exception of U-Verse[1]) for 5+ years. However, my tunnel terminated in LA, and latency has been an issue recently. I don’t blame HE, I picked where the tunnel terminated and I live in Austin TX now. So, I decided to finally drop the tunnel and switch to native IPv6 from my ISP (Time Warner Cable) instead. I’ve deployed IPv6 in data centers, written blog posts, and built two in-production products that use IPv6 almost exclusively. I figured this would be a cakewalk!

Boy, was I wrong.

Getting an IP address using IPv6

For 90% of the world, most people deploy SLAAC. This is a stateless system where the router for your network sends out a multicast message every 30s or so (called a Router Advertisement) that says something to the effect of “Hello [2001:DB8:472:101::/64], I am [2001:DB8:472:101::1] and I’ll be your router”, at which point your system generates an EUI-64 host address (which is based on your MAC address and, if privacy extensions are on, is hashed for your protection), appends it to the [2001:DB8:472:101::/64] subnet, yielding an address like [2001:DB8:472:101:1910:4202:cf43:9b2e]. That address is assigned to the interface, the default route is set to the router address, and we all move on with life.

Important side note: your IPv6 interface will have at least 2 IPs assigned to it. One starts with fe80:: and has your MAC address with a few extra characters in it. This is your link-local address; it can only talk to other link-local addresses on the same Layer 2 (LAN or VLAN) segment. It is NOT publicly addressable outside your local Layer 2 segment. This becomes important in a moment.
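The address formation above, worked through as an added example (my code, not part of the original post): a POSIX sh script that builds the modified EUI-64 identifier from a MAC address and glues it onto the /64 from the Router Advertisement. Fed the MAC 52:54:00:e4:5a:3c it produces the link-local address fe80::5054:ff:fee4:5a3c that the DHCPv6 exchange further down the post shows, and under the advertised [2001:DB8:472:101::/64] it produces the matching global address. The prefix and MAC are the post's own numbers; the script assumes the prefix is written as its leading groups followed by "::/64", and it covers only the MAC-derived identifier, not the privacy-extensions case (which exists precisely because this identifier is stable and reveals the hardware address on every network the host visits).

```sh
#!/bin/sh
# Added example (not from the original post): how SLAAC turns a MAC address
# and the /64 from a Router Advertisement into an IPv6 address. Assumes a
# colon-separated MAC and a prefix written as its leading groups plus "::/64".

# Modified EUI-64 interface identifier (RFC 4291 appendix A): flip the
# universal/local bit (0x02) in the first octet and insert ff:fe between the
# OUI half and the device half. Prints the four 16-bit groups, leading zeros dropped.
eui64_iid() {
    mac=$1
    set -- $(printf '%s\n' "$mac" | tr ':' ' ')     # $1..$6 are the six octets
    [ $# -eq 6 ] || { echo "not a 48-bit MAC: $mac" >&2; return 1; }
    b1=$(printf '%02x' $(( 0x$1 ^ 0x02 )))
    printf '%x:%x:%x:%x\n' "0x$b1$2" "0x${3}ff" "0xfe$4" "0x$5$6"
}

# Prefix from the RA + interface identifier, printed in RFC 5952 form
# (lowercase, leading zeros dropped, longest zero run collapsed to "::").
# SLAAC only works with a 64-bit prefix, so anything else is refused.
slaac_addr() {
    [ "${1#*/}" = 64 ] || { echo "SLAAC needs a /64 prefix, got $1" >&2; return 1; }
    prefix=${1%/*}
    iid=$(eui64_iid "$2") || return 1
    printf '%s\n%s\n' "$prefix" "$iid" | awk '
        NR == 1 {                               # four prefix groups, "0" for any left implicit by "::"
            split(tolower($0), p, ":")
            for (i = 1; i <= 4; i++) { sub(/^0+/, "", p[i]); g[i] = (p[i] == "" ? "0" : p[i]) }
        }
        NR == 2 { split($0, q, ":"); for (i = 1; i <= 4; i++) g[4 + i] = q[i] }
        END {
            best = 0; bestlen = 1               # only a run of two or more zero groups is compressed
            for (i = 1; i <= 8; i++) {
                run = 0
                for (j = i; j <= 8 && g[j] == "0"; j++) run++
                if (run > bestlen) { best = i; bestlen = run }
            }
            out = ""
            for (i = 1; i <= 8; i++) {
                if (i == best) { out = out "::"; i += bestlen - 1; continue }
                if (i > 1 && substr(out, length(out)) != ":") out = out ":"
                out = out g[i]
            }
            print out
        }'
}

# The post's own numbers: MAC 52:54:00:e4:5a:3c, RA prefix [2001:DB8:472:101::/64].
# Link-local first (fe80::/64 is always there), then the global address.
demo() {
    slaac_addr fe80::/64 52:54:00:e4:5a:3c             # fe80::5054:ff:fee4:5a3c
    slaac_addr 2001:DB8:472:101::/64 52:54:00:e4:5a:3c  # 2001:db8:472:101:5054:ff:fee4:5a3c
}

demo
```

Run it as `sh slaac.sh` and compare the second line with what `ifconfig` shows on a SLAAC host whose privacy extensions are off: the last four groups are the MAC with the 0x02 bit flipped and ff:fe in the middle, which is why an EUI-64 address is trivially mapped back to the hardware.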

However, ISPs don’t like this. It’s stateless by design, but that means any number of devices could be attached to your modem and ask for an address! “That’s madness! We charge by machine!” they say. Right. Whatever. So, they need a more stateful system. Also, SLAAC doesn’t provide any DNS information which can be a problem.

Enter DHCPv6

DHCPv6, as the name implies, is the IPv6 version of DHCP. It’s similar in concept, and wildly different in execution. DHCP in the IPv4 world sends a broadcast message asking for a DHCP lease. The response comes back from any server saying something to the effect of “Hello MAC 52:54:00:e4:5a:3c, take address 203.0.113.8424, use router 203.0.113.1, use DNS servers 8.8.8.8 and 8.8.4.4, and set your domain name to example.com”. At which point you would be configured and move on with life.

In the IPv6 world, DHCP has a lot more options and request types than IPv4 did. So, the default out-of-the-box DHCPv6 client simply asks for an address. It does this by sending a message to the DHCP multicast address [ff02::1:2] using the link-local address on the interface. Then some random node will send you back a response like “Hello [fe80::5054:ff:fee4:5a3c] take address [2001:DB8:472:101:da3:9b97:960a:edf4/128]”. Well, at least that’s what the TWC DHCPv6 servers do. No router, no DNS, nothing else.

However, this is a SINGLE IPv6 address. Not really useful for a router. Unlike IPv4 THERE IS NO SNAT/PAT. Anyone who says otherwise is LYING! Everything, and I mean EVERYTHING gets a real routable IPv6 address. There is no equivalent to the IPv4 standbys of 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, so don’t ask. So, how does this work? You need what is called a “prefix delegation”, which lets you ask for one or more /64 netblocks for use behind your router.

So, we enable the “prefix delegation” flag and retry DHCPv6. The response back was not what I expected: “Hello [fe80::5054:ff:fee4:5a3c] take prefix delegation [2001:DB8:fec:4acd::/64]”. So now my public interface has no routable address, and I have a prefix delegation. Great. Turns out you have to ask for a prefix delegation (IA_PD), a non-temporary address assignment (IA_NA), and while you are at it you might as well ask for your DNS servers and domain name. Added bonus for Comcast customers: the Prefix Delegation comes from a different DHCPv6 server so it may take a while to show up. At that point you get back almost everything you need. Almost.

Where is the router?

DHCPv6 typically does not provide a router for you. You are supposed to ask for one yourself using the “Router Solicitation” mechanism of IPv6. In FreeBSD (what my router at home runs) there is a lovely process that does this for you: “rtsold”. (Linux seems to do this automagically for you and doesn’t need a process.) Great. Now I have all the pieces I need. Or so I thought.

All the IPv6 client tools suck

My router at home is a box I built myself running FreeBSD. Why FreeBSD? Because I like “pf” and the conntrack code in Linux is... suboptimal. I hear it’s much better than it was when I moved my routers to FreeBSD or OpenBSD 10 years ago, but I’ve not done extensive testing recently. Lots of things deploy NAT with conntrack in production using Linux so it can’t be as bad as it was when my poor home router was falling over every time we fired up Counter-Strike which made 60k connections right off the bat. I also like to use my stuff at home as a test bed for bigger stuff in place at “work”.

So, the ISC DHCP client on FreeBSD will assign your IA_NA to the interface, write the IA_PD to syslog, and fire off a script with the DNS information. Not super useful. The KAME DHCP client on FreeBSD will assign your IA_NA to the interface, assign your IA_PD to a different interface, and fire off a script for DNS information. Better.

However, the version of rtsold which ships with FreeBSD 10 only ever logs the router address. Sure, it will call a script when one is seen, but how to find what the new router address should be is an exercise left to the reader.

On top of this, my prefix delegation changes from TWC whenever they feel like it. I have a reasonable number of IPv6 rules in pf, and I need to re-run that with the new prefix information every time that happens, and that is also an exercise left up to the reader.
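The prefix-change housekeeping left to the reader above, as an added example (my code, not from the post and not from pfSense or the KAME client). It assumes, hypothetically, a FreeBSD router whose LAN interface em1 has been given an address out of the delegated /64 by the KAME dhcp6c (configured to send ia-na and ia-pd, request domain-name-servers, and point its script directive at this file), and a pf.conf that defines $wan_if and then does include "/etc/pf.lan6.conf" among its filter rules. The script derives the current /64 from ifconfig output, validates it before it is allowed anywhere near pf.conf (the value originates from the ISP's DHCPv6 server, so treat it as untrusted input), rewrites the included file and reloads pf only when the prefix actually changed. The generated rules are the ones that matter once there is no NAT: every LAN host is globally reachable, so new inbound traffic from the WAN to the prefix is denied and only packets sourced from the prefix (plus link-local, which neighbour discovery needs) may enter from the LAN side. The ifconfig output at the bottom is constructed, so the parsing can be exercised without a live router.

```sh
#!/bin/sh
# Added example (not from the original post). Hook that rewrites the
# prefix-dependent part of the pf ruleset when the ISP hands out a new
# delegated /64. Hypothetical setup: FreeBSD, the KAME dhcp6c has put an
# address from the delegated prefix on the LAN interface, pf.conf defines
# $wan_if and then does  include "/etc/pf.lan6.conf"  among its filter rules.
# Install as the dhcp6c "script" and/or run it from cron as a safety net.

LAN_IF=${LAN_IF:-em1}                        # interface carrying the delegated prefix
MACRO_FILE=${MACRO_FILE:-/etc/pf.lan6.conf}  # generated file that pf.conf includes
STATE=${STATE:-/var/db/lan6-prefix}          # last prefix we configured
PF_CONF=${PF_CONF:-/etc/pf.conf}
PFCTL=${PFCTL:-pfctl}                        # overridable so the logic can be dry-run

log() { logger -t lan6-prefix "$*" 2>/dev/null || echo "lan6-prefix: $*" >&2; }

# Read `ifconfig $LAN_IF inet6` output on stdin and print the global /64 the
# first non-link-local, non-ULA address belongs to, as "g1:g2:g3:g4::/64".
# "::" is expanded first so the four leading groups are always explicit.
prefix_from_ifconfig() {
    awk '
    $1 == "inet6" && $3 == "prefixlen" && $4 == "64" {
        addr = tolower($2); sub(/%.*/, "", addr)         # drop a %scope suffix
        if (addr ~ /^fe80:/ || addr ~ /^f[cd]/) next     # link-local or ULA: not delegated
        n = split(addr, a, ":"); nonempty = 0
        for (i = 1; i <= n; i++) if (a[i] != "") nonempty++
        k = 0; filled = 0
        for (i = 1; i <= n && k < 4; i++) {
            if (a[i] == "") {                              # the "::" gap
                if (filled) continue                       # leading/trailing "::" yields two empties
                filled = 1
                for (j = 0; j < 8 - nonempty && k < 4; j++) g[++k] = "0"
            } else {
                sub(/^0+/, "", a[i]); g[++k] = (a[i] == "" ? "0" : a[i])
            }
        }
        printf "%s:%s:%s:%s::/64\n", g[1], g[2], g[3], g[4]
        exit
    }'
}

# Filter rules that depend on the prefix. With no NAT every LAN host is
# globally reachable, so: nothing new from the WAN into the prefix, and on
# the LAN side only our own prefix (plus link-local and the unspecified
# address, which neighbour discovery and DAD use) may source packets.
render_rules() {
    cat <<EOF
# generated by lan6-prefix from the delegated prefix; do not edit by hand
lan6_net = "$1"
pass in quick on $LAN_IF inet6 from { fe80::/10, ::/128 } to any
block in quick on $LAN_IF inet6 from ! \$lan6_net to any
pass in quick on $LAN_IF inet6 from \$lan6_net to any keep state
block in quick on \$wan_if inet6 from any to \$lan6_net
EOF
}

# Compare the current prefix with the last one configured; rewrite the
# included file and reload pf only when it really changed. Rejects anything
# that is not plain hex, colons and a slash before it gets into pf.conf.
update_prefix() {
    new=$1
    case $new in
        ""|*[!0-9a-f:/]*) log "no usable delegated prefix on $LAN_IF (got '$new')"; return 1 ;;
    esac
    old=$(cat "$STATE" 2>/dev/null || true)
    [ "$new" = "$old" ] && return 0              # unchanged: no needless reload
    render_rules "$new" > "$MACRO_FILE.tmp" && mv "$MACRO_FILE.tmp" "$MACRO_FILE" ||
        { log "cannot write $MACRO_FILE"; return 1; }
    printf '%s\n' "$new" > "$STATE"
    log "delegated prefix changed: ${old:-none} -> $new; reloading pf"
    "$PFCTL" -f "$PF_CONF"
}

main() { update_prefix "$(ifconfig "$LAN_IF" inet6 | prefix_from_ifconfig)"; }

# dhcp6c runs the installed copy by name; only then touch the live system.
case ${0##*/} in dhcp6c-script*) main ;; esac

# Constructed sample of `ifconfig em1 inet6` output (not a real capture), so
# the parser can be exercised without a router; uses the post's delegated prefix.
SAMPLE_IFCONFIG='em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 fe80::5054:ff:fee4:5a3c%em1 prefixlen 64 scopeid 0x2
        inet6 2001:db8:fec:4acd:5054:ff:fee4:5a3c prefixlen 64 autoconf'
demo_prefix() { printf '%s\n' "$SAMPLE_IFCONFIG" | prefix_from_ifconfig; }
```

Install it as /usr/local/etc/dhcp6c-script (hypothetical path) and it only acts when invoked under that name; sourced under any other name it just defines the functions, and `demo_prefix` prints 2001:db8:fec:4acd::/64 from the constructed sample. The prefix is emitted as four explicit groups plus "::" rather than fully RFC 5952-compressed, which pfctl accepts and which keeps the change comparison a plain string match.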

I give up

At this point, I considered moving the router to Linux. So, I did some research. The DHCP client situation seems to be better, but you still have a lot of “magic” that needs to be done with scripts when your prefix changes, and all that magic is still an exercise left up to the reader. So, I decided to switch to a pfSense install instead. It took a little extra work, but everything I want is (mostly) working. The native IPv6 stuff “just works”. The rest of the monitoring and remote access stuff was a bit more clicky than I wanted but seems to be working. I couldn’t run Asterisk on my router any longer, so that’s behind the firewall and port-forwarded. Took a little while to work through all the magic that requires, but it’s all working now as well.

TL;DR Manual sucked, used pfSense

It’s super simple to get working, and the interface is reasonable. Has OpenVPN built in, works on just about any hardware, has all the pf goodness baked in, and has many dynamic DNS clients so you can set up an OpenVPN server easily. Other good choices are MikroTik and m0n0wall, but I don’t know if m0n0wall does IPv6 yet.

Moving Forward

I’m still using FreeBSD for my data center routers, but those all have static IPv6 addressing or SLAAC so that works fine. I may yet switch my home router over to Linux, and get the lay of the land there. I will probably go full crazy and implement nftables instead of iptables & ip6tables and find many, many bugs. I may just start by doing that on a lab router and cutting my teeth there. The TWC support staff don’t speak IPv6, and won’t help you if you call. At least that was my experience, so if your router doesn’t do it for you, good luck.

I’m also investigating better ways for people to be able to reach IPv6 enabled services that don’t have native IPv6 on their desktop. It’s not really a problem for me (I have VPNs and whatnot I can use), but for users of the things I have built / am building it can help. Suggestions/feedback welcome.

[1] Notes on U-Verse

When I moved back to Austin, I decided to get Internet access from U-Verse instead of TWC right off the bat. The reasoning was that I wanted a static IP if I could get it, and I knew from past experience of myself and friends that the only difference between TWC “consumer” and “business class” was the price you pay. Turns out, basically the same thing for U-Verse. Ports 80 and 25 were still blocked, I could not get native IPv6, and I couldn’t use my HE tunnel because passing IP-GRE traffic through the U-Verse modems causes a buffer overflow (known issue for 3+ years) so they just drop all GRE traffic because their vendors haven’t (yet) been able to provide a fix. Also, U-Verse in my area is terrible and TWC is tolerable so I switched. YMMV.
