There is no denying that IPv6 (or v6 for short) is sticking around. I’ve been slowly learning about how this version of the IP protocol works.

Introduction

I spent 2 hours today setting up a v6 network at home and a 6to4 tunnel so that I can talk to other v6 hosts from my desktop.

An interesting tidbit: There are so many possible v6 addresses, that the entire v4 address space can fit into a single 64 bit network prefix. As part of the transition from 4 to 6, the 2002::/16 prefix has been reserved for 6to4 addresses. So, to get your 6to4 address, all you need to do is convert your current v4 address into hex. Let’s take mine (99.226.247.247) for example:

99 in hex is 63
226 in hex is e2
247 in hex is f7

So my 6to4 address would  be 2002:63e2:f7f7::1/16

Using a 6to4 address allows you to use v6 services without actually being allocated a v6 address from your ISP. The downside is that you are essentially encapsulating v6 packets inside a v4 packet and routing it through a gateway.

This is the only way to get set up with v6 on Rogers at the moment.

The Set-Up

The Cable Modem: SMC 8014W-G (Provided by Rogers)
The Router: Linksys E3000 with DD-WRT v24-sp2 (12/24/10) big firmware
The Machine: Windows 7 Desktop (connected via ethernet).

There is no way you can get a simple cable modem when using the high speed extreme option with Rogers. You must use their gateway/cable modem combo (according to the rep I spoke to).

Step 1: Enabling IPv6 In The Router

First things first: Enable IPv6 in the DD-WRT interface.

There is no DHCP with v6 (well there is, but it’s used in situations where you need more control or stateful configuration for your network). Instead they use something called Stateless Address Autoconfiguration. This uses ICMP “router discovery” packets. When your host wants to get a v6 address it sends out a “where’s the router?” request on the v6 multicast address (ff02::1).

In turn the router replies with “i’m here! and here is your IP address”.

This is handled by the radvd deamon on the router. I decided to not use it, as I will just be statically assigning my v6 addresses.

Step 2: Set Up The Routing

The set-up is a little unorthodox. Things are little more complicated because the cable modem is also a router. It has been configured so that the IP of the E3000 is in its DMZ. This is important, otherwise the SMC will filter the packets (because of NAT).

Logging into the E3000, issue these commands:

ip tunnel add tun6to4 mode sit ttl 255 remote any local 192.168.0.2
ip link set tun6to4 mtu 1480
ip link set tun6to4 up
ip addr add 2002:63e2:f7f7:0::1/16 dev tun6to4
ip addr add 2002:63e2:f7f7:1::1/64 dev br0
ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4

In order:

• This sets up the 6to4 tunnel. The 192.168.0.2 ip address is the Cable Modem (the routers gateway)
• Set the MTU for this tunnel to 1480 bytes.
• Bring the tunnel interface up
• Assign your 6to4 v6 address to the tunnel
• Assign a v6 address to the LAN interface
• Add a route, so that all globally routable v6 addresses will go via the tunnel

There are some caveats to this set up:

1. If my v4 ip address ever changes, then I will need to reassign the 6to4 addresses (both for the router and my LAN PCs)
2. If the router is ever rebooted, I will need to set this up manually again.
3. Remember: this is a v6 tunnel over v4. So you need to have a working v4 stack before this will work.

Step 3: Test

I happen to have a v6 enabled host on the internet to test with. However, if you don’t, you could use a IPv6 looking glass instead.

Try pinging your 6to4 tunnel address:

> ping6 2002:63e2:f7f7:0::1
PING6(56=40+8+8 bytes) 2607:f698:1:102::3 --> 2002:63e2:f7f7::1
16 bytes from 2002:63e2:f7f7::1, icmp_seq=0 hlim=58 time=45.613 ms
16 bytes from 2002:63e2:f7f7::1, icmp_seq=1 hlim=58 time=41.322 ms
16 bytes from 2002:63e2:f7f7::1, icmp_seq=2 hlim=58 time=43.454 ms
16 bytes from 2002:63e2:f7f7::1, icmp_seq=3 hlim=58 time=40.359 ms
16 bytes from 2002:63e2:f7f7::1, icmp_seq=4 hlim=58 time=42.404 ms
^C
--- 2002:63e2:f7f7:0::1 ping6 statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 40.359/42.630/45.613/1.816 ms

Great it works!

Step 4: Getting Out From The Inside

Since I choose to statically assign my v6 addresses on my LAN, I will have to assign them to my PCs.

I used the following settings for my windows 7 machine:

With this setup, you can actually ping the internal host from the internet:

> ping6 2002:63e2:f7f7:1::2
PING6(56=40+8+8 bytes) 2607:f698:1:102::3 --> 2002:63e2:f7f7:1::2
16 bytes from 2002:63e2:f7f7:1::2, icmp_seq=0 hlim=121 time=41.471 ms
16 bytes from 2002:63e2:f7f7:1::2, icmp_seq=1 hlim=121 time=42.922 ms
^C
--- 2002:63e2:f7f7:1::2 ping6 statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 41.471/42.197/42.922/0.725 ms

Pretty cool!

Putting It All Together

This really is a v6/v4 hybrid solution. For two reasons:

1. You’re still looking up DNS requests over IPv4. (Anyone know of a public v6 DNS server? Google Public DNS doesn’t offer v6 yet)
2. All this is happening over a IPv4 tunnel to a 6to4 gateway (see below)

If you notice earlier on we added a route with a special IPv4 address:

ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4

The 192.88.99.1 anycast address was specially set up to route you to the closest 6to4 gateway. So for, example, on Rogers:

traceroute to 192.88.99.1 (192.88.99.1), 30 hops max, 38 byte packets
 1  10.235.140.1 (10.235.140.1)  13.316 ms  11.994 ms  9.499 ms
 2  69.63.243.233 (69.63.243.233)  15.053 ms  11.410 ms  23.912 ms
 3  69.63.250.157 (69.63.250.157)  11.310 ms  13.009 ms  11.035 ms
 4  69.63.251.146 (69.63.251.146)  13.045 ms  8.604 ms  13.188 ms
 5  gw-he.torontointernetxchange.net (198.32.245.112)  10.891 ms  11.337 ms  13.139 ms
 6  10gigabitethernet1-2.core1.nyc5.he.net (72.52.92.165)  27.507 ms  39.681 ms  27.587 ms
 7  v110.core1.nyc4.he.net (184.105.213.69)  28.141 ms  34.631 ms  25.771 ms
 8  192.88.99.1 (192.88.99.1)  28.025 ms  28.291 ms  30.515 ms

The closest 6to4 gateway is on Hurricane Electrics network. Thankfully they peer at TorIX, so it’s only a few hops away (here in Toronto).

If I was to do the same traceroute from a machine in Houston, Texas it goes to the Hurricane Electric 6to4 gateway in Chicago instead.

Another thing to keep in mind is the preference to which your OS will give to routing packets over v6 versus v4. For example, my website at www.infiniteloop.ca resolves with both a v6 and v4 address:

>nslookup www.infiniteloop.ca
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    www.infiniteloop.ca
Addresses:  2607:f698:1:102::2
 204.15.199.58

By default, Windows 7 will use the v4 routing to www.infiniteloop.ca, for example:

This is actually set up on purpose (as per paragraph 2.1 in RFC 3484) so that Windows will only router packets by default over v6 to other 6to4 addresses only.

Since the hosts that I want to contact are true v6 hosts, and not 6to4 IPs, I need to make the following adjustment on the windows command line:

netsh interface ipv6 set prefix 2002::/16 30 1

This changes the priority of routing to all v6 hosts over your 6to4 tunnel. Visiting the same website now yields this:

Notice the IP address being returned is the IP of the local machine? No more hiding behind NAT!

Conclusion

I set this up so that I can test various IPv6 websites and applications without having to wait for Rogers to get off their arse and provide native v6 connectivity.

Using v6 doesn’t result any anything special. In fact, the set up I have will actually be slower compared to v4 because of the translation between v6 and v4. Additionally my v6 packets will be going to the 6to4 gateway (which could go offline, or be half way around the world) before reaching its destination.

Please feel free to leave any comments, questions or suggestions!