Time Warner’s reluctance to issue me a second IP address meant that I’d have to find another solution. SixXS is another tunnel broker which makes use of a protocol called AYIYA. AYIYA is capable of traversing NAT, so it would work well in my situation. Unfortunately it’s not supported by Cisco, so the 2611 was of no use to me anymore.

After some failed experiments and lost money with open source firmware and Linksys routers, I decided that a full Linux install would be the best route to go. I built a machine out of spare parts that I had laying around and installed Ubuntu 9.10 on it. Once I got everything up and running, I installed the SixXS client (AICCU) and started working on getting the tunnel up and running.

I hit another snag when I found out that the point of presence (the tunnel broker’s endpoint) was down. I jumped to freenet6 in the interest of keeping things moving. They provide a tunnel via TSP, which also traverses NAT. Their nearest POP is all the way over in Montreal, which means big latencies for someone in LA, but I was able to establish a tunnel, which I was satisfied with for the moment. Here’s my config for their client (gw6c):

userid=
passwd=
#server=broker.freenet6.net
# Always use Montreal POP
server=montreal.freenet6.net
auth_method=any
prefixlen=64
template=linux
if_tunnel_v6v4=freenet6
if_tunnel_v6udpv4=freenet6
# Assign the v6 address to eth0
if_prefix=eth0
keepalive=yes
keepalive_interval=10
host_type=router

Once I’d established my connection and saw what my v6 IP was going to be, I used a v6 subnet calculator to find out what my /64 networks would be and noted them down. I then entered the v6 address into /etc/network/interfaces so that I could add static routes as the interface came up:

# v6 Interface
auto eth0
iface eth0 inet6 static
    #address 169.254.1.2
    #netmask 255.255.0.0
    address 2001::1
    netmask 64
    up ip -6 route add 2001:0:0:1::/64 via 2001::2 dev eth0

You may notice the link local v4 address that’s been commented out on the v6 address. The reason for this being there is that gw6c can’t do its magic unless the interface specified is up. Until I had my v6 address, I used this link local address. 2001::2, as specified in the route above, is my ASA, which has had it’s address manually configured. 2001:0:0:1::/64 is the network that I’m using for my LAN. I’ve got 254 more networks that I can make use of if I ever find a reason (2001:0:0:2::/64…2001:0:0:ff::/64).

Configuring the ASA was fairly simple. There’s an outside and an inside interface that need to be configured, then the default route needs to be set:

interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ipv6 address 2001:0:0:1::1/64
!
interface Vlan30
 no forward interface Vlan20
 nameif v6tunnel
 security-level 0
 no ip address
 ipv6 address 2001::2/64
!
ipv6 route v6tunnel ::/0 2001::1

As far as I can tell, there’s really no reason I need to use a second VLAN for the v6 tunnel, so I’m going to eventually try moving it to the outside VLAN, but for now it’s working well, and I don’t need a DMZ at the moment.

Once I configured the ASA properly, it started advertising itself and all of the hosts on my LAN are picking up v6 addresses from it. The problem I’m left with is how to do DNS discovery. Unfortunately there doesn’t seem to be a good answer here. Microsoft seems to be fond of the idea of using DHCPv6, Apple wants to use well-known anycast addresses and I honestly have no idea what’s going on in the Linux world.

Selecting a transition mechanism

With regards to deployment, IPv6 is really in its toddler years right now. We’ve moved past the old 6bone test network, but most ISPs still aren’t offering native connectivity yet. That means that the majority of people are going to have to choose a transition mechanism to connect to the rest of the world. There are two main types of transition mechanisms:

• Dual network stacks running IPv4 and IPv6 simultaneously
• Encapsulation of IPv6 packets inside of IPv4 packets (tunneling)

Running dual network stacks is a no-brainer. Even though I’m setting up v6, I still need to talk to all of the v4 hosts that comprise the majority of the current Internet. The real question was what type of tunnel I wanted to use.. There are quite a few different options out there; the most well known being 6to4, Teredo and manual point to point tunneling.

6to4 and Teredo are both automatic tunneling protocols. They don’t require a specific tunnel to be configured and your IPv6 addresses are automatically allocated based on your IPv4 address. Teredo is meant to be used on a single host behind NAT, while 6to4 is generally used on gateway devices. I’d recommend reading the RFCs for more specific information, but a Google search will go a long way as well.

I had a very hard time trying to decide which way to go because I have a dynamic IP address and have no easy way to get a static address. In the end, I chose a manual point to point tunnel. My IP address doesn’t change that often and I decided that the extra control was worth the extra effort of making a change on the tunnel provider’s site once every few months. My tunnel is through Hurricane Electric. They’ve got a very easy setup wizard and even have example configurations for many deployment scenarios.

Requesting and configuring the tunnel

This was the easiest step in the entire setup. I went to http://tunnelbroker.net and signed up for an account. Then I just clicked on “Create Regular Tunnel”. The form asks for your public IP address and gives you a list of servers in different locations to connect to. HE assigns a routed /64 by default, but everyone has the option of allocating a /48 with the click of a link.

Router configuration

After getting the tunnel set up, I went on to configure my router. As I mentioned before, HE has configurations available for the tunnel, so that didn’t take much work at all. The rest I was able to piece together from a Cisco article: Tunneling IPv6 through an IPv4 Network. What I came up with in the end was something like this:

ipv6 unicast-routing
ipv6 cef
!
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 enable
 ipv6 address 2001:x:x:x::2
 tunnel source x.x.x.x
 tunnel destination x.x.x.x
 tunnel mode ipv6ip
!
interface FastEthernet0/1
 description Inside Network
 ipv6 address 2001:x:x::1/64
 ipv6 enable
!
ipv6 route ::/0 Tunnel0

Line 1 enables unicast IPv6 routing. Line 2 enables Cisco express forwarding for IPv6. The tunnel is configured on lines 4-11. IPv6 is configured and enabled for our inside LAN interface on lines 15 and 16 and I set the default route for IPv6 to the tunnel interface on line 18.

By default, this will issue router advertisements and allow machines to do stateless autoconfiguration for IPv6 addressing. I originally ran into trouble with this while I was trying to subnet my /48. I had my inside LAN interface configured with a /52 and none of the machines on my network would autoconfigure themselves. Eventually I realized that all hosts should be sitting on a /64 subnet. This is in an RFC somewhere. I’ll link to it if I’m able to find it. Once I made the change everything just magically started working.

Final outcome

At this point, I’ve got IPv6 connectivity up and running. I can get to IPv6 enabled sites on the internet by IP address, but I’m not able resolve AAAA records yet because I haven’t got DHCP and DNS configured yet. I’ll get to that in the next post.