How to get familiar with IPv6

As there is no real progress in my piano sessions due to the lack of time and blah :) I just have another nice topic which cost me a couple of hours that I want you to spend more efficiently.

This is meant to be a double post, as it handles the IPv6 tunneling topic in two variations: as a setup on a Linux host and as one on a Cisco router.

– the Linux part:

I was using a DSL modem in bridged mode with PPP dial-up on a Linux host behind it, because the modem was not able to handle IPv6, not even in an unstable mode.

As I now have a Cisco 877VA as my new CPE, I would be able to use IPv6 natively if my provider also supported IPv6 on the dial-up accounts. I was too curious to see what IPv6 could do for me and my annoying NAT issues on the Cisco router, so I decided to go for a 6to4 tunnel as a first step.
This is where the services of SixXS (http://www.sixxs.net) came into play, because they give you your first tunnel for free.
To make sure that you are really using IPv6, they monitor your first connection, and you earn ISK for keeping the tunnel up, which you can spend on more services such as a /64 net, another tunnel and more.

So first of all (before the Cisco setup) I built the tunnel with the recommended Linux client aiccu, which is well documented and easy to set up:

#aiccu.conf

username your-SIXXS-user
password your-SIXXS-pass
protocol tic
server tic.sixxs.net

ipv6_interface sixxs
tunnel_id your-SIXXS-tunnel-id

verbose true
daemonize true
automatic true
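# false: try STARTTLS, but continue without TLS if the TIC server lacks it
# true:  abort the TIC login instead of sending credentials unencrypted
requiretls false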
pidfile /run/aiccu.pid
defaultroute true

If you’re happy to only have a tunnel running to repack your IPv4 traffic to the IPv6 network on your default gateway, you’re fine by now. If not, you’re a bit like me: I was also interested in running my own v6 network to shut down IPv4 step by step, as most of my devices at home are able to run on v6.

This is where your earned ISK come in handy: check out a /64 net and set up radvd as a route advertiser to spread IPv6 addresses to all devices which respond properly to a v6 broadcast. radvd is also easy to set up and can autoconfigure your devices in a single second.

#radvd.conf

interface eth1
{
	AdvSendAdvert on;
	MinRtrAdvInterval 3;
	MaxRtrAdvInterval 10;
	prefix 2001:your-SIXXS-IPv6-prefix::/64
	{
		AdvOnLink on;
		AdvAutonomous on;
		AdvRouterAddr on;
	};
};

– the Cisco part:

There is pretty good documentation in the SixXS wiki (https://www.sixxs.net/wiki/Cisco/) itself, so I will just give you a quick look at the tunnel interface and the _really needed_ access lists in the ZBF (zone based firewall) on the router, which cover the security issues you’ll have because there is no NAT in a default IPv6 network.

!
interface Tunnel6
 description +++ 4to6 Tunnel to SIXXS +++
 no ip address
 ip tcp adjust-mss 1420
 ipv6 address 2001:your-SIXXS-Linknet::2/64
 ipv6 enable
 ipv6 inspect cbac-ipv6 out
 ipv6 traffic-filter ipv6-internet-in in
 tunnel source Dialer0
 tunnel mode ipv6ip
 tunnel destination your-SIXXS-ipv4-tunneldest
end
!
ipv6 route ::/0 Tunnel6

To keep the garbage outside, you should apply at least this:

ipv6 access-list ipv6-internet-in
 remark allow ping by SixXS PoP to determine tunnel status
 permit icmp host 2001:your-SIXXS-Linknet::1 host 2001:your-SIXXS-Linknet::2 echo-request
 remark Prevent spoofing
 deny ipv6 2001:your-SIXXS-Prefix::/64 any log
 remark prevent ingress of all addresses except global unicast and multicast
 deny ipv6 ::/3 any log
 deny ipv6 4000::/2 any log
 deny ipv6 8000::/2 any log
 deny ipv6 C000::/3 any log
 deny ipv6 E000::/4 any log
 deny ipv6 F000::/5 any log
 deny ipv6 F800::/6 any log
 deny ipv6 FC00::/7 any log
 deny ipv6 FE00::/8 any log
 permit icmp any any time-exceeded
 permit icmp any any packet-too-big
 permit icmp any any echo-request
 permit icmp any any echo-reply
 deny ipv6 any any log
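
A quick way to audit a bogon list like the one above, as an added Python example that is not part of the original post: it parses `deny ipv6 <prefix> any` lines and reports any source space that is neither denied nor inside global unicast (2000::/3) or multicast (ff00::/8). The sample ACL text, the function names and the 2001:db8:1234::/64 stand-in prefix are constructed for illustration.

```python
import ipaddress
import re

# Space the ACL remark wants to stay reachable: global unicast and multicast.
ALLOWED = ("2000::/3", "ff00::/8")

# Constructed sample ACL; 2001:db8:1234::/64 stands in for the delegated prefix.
SAMPLE_ACL = """
ipv6 access-list ipv6-internet-in
 deny ipv6 2001:db8:1234::/64 any log
 deny ipv6 ::/3 any log
 deny ipv6 4000::/2 any log
 deny ipv6 8000::/2 any log
 deny ipv6 C000::/3 any log
 deny ipv6 E000::/4 any log
 deny ipv6 F000::/5 any log
 deny ipv6 F800::/6 any log
 deny ipv6 FC00::/7 any log
 deny ipv6 FE00::/8 any log
"""

def deny_sources(acl_text):
    """Extract source prefixes from 'deny ipv6 <prefix> any' lines."""
    return re.findall(r"^\s*deny ipv6 (\S+/\d+) any", acl_text, re.M)

def uncovered(deny_prefixes, allowed=ALLOWED):
    """Return source space that is neither denied nor in the allowed set."""
    remaining = [ipaddress.ip_network("::/0")]
    for net in map(ipaddress.ip_network, list(deny_prefixes) + list(allowed)):
        survivors = []
        for block in remaining:
            if block.subnet_of(net):
                continue                      # fully accounted for
            if net.subnet_of(block):
                survivors.extend(block.address_exclude(net))
            else:
                survivors.append(block)       # disjoint, keep as is
        remaining = survivors
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]

if __name__ == "__main__":
    full = deny_sources(SAMPLE_ACL)
    print("complete list:", uncovered(full))
    partial = [p for p in full if p != "4000::/2"]
    print("without 4000::/2:", uncovered(partial))
```

Any block this reports matters because the ICMP permits further down match `any any`, so sources in a range missing from the deny list reach those entries instead of being logged and dropped as bogons.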

So when all is said and done, you can check on http://kame.net whether your turtle is dancing; if so, you did everything right, congratulations! Have fun using the next-generation IP network.