لطفا منتظر باشید ...
13.2. IPv6 as a Solution
In order to combat the shrinking IP space problem, the concept of
IPv6 was born. Future-minded designers chose to have 128 bits of
address space, providing for a total of
340,282,366,920,938,463,463,374,607,431,768,211,456 (3.4 1,038)
addresses or, in more visual terms, 655,570,793,348,866,943,898,599
(6.5 1,023) addresses for every square meter of the
earth's surface. This provides a sizable extension
over the current 32-bits of address space under IPv4.
13.2.1. IPv6 Addressing
The
first noticeable difference between IPv4 and IPv6 is how the
addresses are written. A typical IPv6 address looks like:
fe80:0010:0000:0000:0000:0000:0000:0001
There are eight sets of four hex values in
every IP address. These addresses can be long and cumbersome, which
is why a shortening method was developed. A single string of zeroes
can be replaced with the double colon. For example, the previous
example could be written in shortened form as.
fe80:0010::1However, this can be done only one time in an address in order to
avoid ambiguity about what has been removed. Let us consider the
following example IP which has separate strings of zeroes:
2001:0000:0000:a080:0000:0000:0000:0001Since only one string of zeroes can be replaced, the IP can not be
shortened to:
2001::a080::1Generally, the longest string is shortened. In this example, with the
longest set replaced, the shortened IP is:
2001:0000:0000:a080::1Within IPv6, there are several different types of addresses that
define the various functions available within the specification:Link-local address
This
address is automatically configured when the IPv6 stack is
initialized using the MAC address from your network card. This kind
of address is generally considered a client-only type of address, and
would not be capable of running a server or listening for inbound
connections. Link-local addresses always begin with FE8x,
FE9x, FEAx, or FEBx, where the x can
be replaced with any hex digit.
Site-local addresses
While a
part of the original specification, and still described in various
texts, site-local addresses have been deprecated and are no longer
considered to be part of IPv6.
Global unicast address
This address type is Internet routable and
is expected to be the outward facing IP on all machines. This kind of
address is currently identified by its starting digits of either
2xxx or 3xxx, though this
may be expanded in the future as necessary.
13.2.2. IPv6 Advantages
While the most obvious benefit of IPv6 is
the dramatically increased address space, there are several other key
advantages that come with it. For example, there are numerous
performance gains with IPv6. Packets can be processed more
efficiently because option fields in the packet headers are processed
only when actual options are present; additional performance gains
come from having removed packet fragmentation. A second advantage is
a boost in security through the inclusion of embedded IPSec. As it
will be part of the protocol, implementation of encryption and
non-repudiation will be more natural. Quality of Service (QoS) is
another advantage that is developing with IPv6. Enabling this
functionality would allow network administrators to prioritize groups
of network traffic. This can be critical on networks that handle
services like Voice over IP because even small network disruptions
can make the service less reliable. Finally, advances in address
auto-configuration make on-the-fly networking much easier. Additional
benefits will emerge as adoption and research continue. Hopefully,
some of these will come with advances in Mobile IP technologies that
promise to make it possible for any device to keep the same IP
address regardless of its current network connection.
13.2.3. IPv6 Configuration
IPv6
support has come a long way recently and is now supported in nearly
all Linux distributions. It has been a part of the 2.4 kernel for the
last few releases and is included in kernel 2.6.
13.2.3.1 Kernel and system configuration
Enabling IPv6 support in Linux has
become much easier now that it is distributed with the kernel
sources. Patching is no longer necessary, but you will need to
install a set of tools, which will be described later in this
section.If IPv6 support isn't already built into your
kernel, it may already be compiled as a module. A quick test to see
whether or not the module is present can be accomplished with the
following command:
vlager# modprobe ipv6If there is no response the module was most likely successfully
vlager#
loaded. There are several ways to verify that support is enabled. The
fastest is by checking the /proc directory:
vlager# ls -l /proc/net/if_inet6If you have a compatible version of
-r--r--r-- 1 root root 0 Jul 1 12:12 /proc/net/if_inet6
ifconfig, it can also be used
to verify:
vlager# ifconfig eth0 |grep inet6If these tests are unsuccessful, you will likely need to recompile
inet6 addr: fe80::200:ef99:f3df:32ae/10 Scope:Link
your kernel to enable support. The kernel configuration option for
IPv6 in the .config file is:
CONFIG_IPV6=mBy using a "make
menuconfig," the option to enable IPv6 under the 2.4
kernel is found under "Network
Options" section. Under the 2.6 kernel
configuration, it is found under "Network
Support/Network Options". It can either be compiled
into the kernel or built as a module. If you do build as a module,
remember that you must modprobe before
attempting to configure the interface.
13.2.3.2 Interface configuration
In order to configure the interface for
IPv6 usage, you will need to have IPv6 versions of the common network
utilities. With most Linux distributions now supporting IPv6 out of
the box, it's likely that you'll
already have these tools installed. If you're
upgrading from an older distribution or using Linux From Scratch, you
will probably need to install a package called
net-tools, which can be found at various places
on the Internet. You can find the most recent version by searching
for "net-tools" on Google or
FreshMeat.
To verify that you have compatible versions, a
quick check can be done with either ifconfig or
netstat. The quick check would look like this:
vlager# /sbin/netstat grep inet6
Before proceeding,
you'll also want to make sure you have the various
network connectivity checking tools for IPv6, such as
ping6, traceroute6, and
tracepath6. They are found in the
iputils package and, again, are generally
installed by default on most current distributions. You can search
your path to see whether or not these tools are available and install
them if necessary. Should you need to find them, the author has
placed them at If
everything has gone smoothly, your interface will have been
auto-configured using your MAC address. You can check this by using
ifconfig:
vlager# ifconfig eth0The third line in the output displays the
eth0 Link encap:Ethernet HWaddr 00:07:E9:DF:32:AE
inet addr:10.10.10.19 Bcast:10.10.10.255 Mask:255.255.255.0
inet6 addr: fe80::207:e9ff:fedf:32ae/10 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2272821 errors:0 dropped:0 overruns:0 frame:73
TX packets:478473 errors:0 dropped:0 overruns:0 carrier:0
collisions:4033 txqueuelen:100
RX bytes:516238958 (492.3 Mb) TX bytes:54220361 (51.7 Mb)
Interrupt:20 Base address:0x2000
vlager#
link-local address of vlager. It is easy to identify it as such
because any address starting with fe80 will always
be a link-local type IP address. If you are concerned about privacy
issues in using your MAC as your main IP address, or if you are
configuring a server and wish to have an easier IP address, you can
configure your own IP address according to the following example:
vlager# ifconfig eth0 inet6 add 2001:02A0::1/64At this
vlager#
point, however, you may not have a global address type to assign, as
we've done above. So, your IP may be a link- or
site-local address. These will work perfectly for any non-Internet
routable traffic that you want to pass, but if you wish to connect to
the rest of the world, you will need to have either a connection
directly to the IPv6 backbone or an IPv6 tunnel through a
tunnel broker, which we'll
discuss in the next section.
13.2.4. Establishing an IPv6 Connection via a Tunnel Broker
To join the wonderful world of IPv6
you will need a path through which to connect. A tunnel is currently
the only way to access the IPv6 backbone for most users, as few sites
have direct IPv6 connectivity. Attempting to route IPv6 traffic
directly over IPv4 networks won't get you very far,
as the next-hop router will most likely not know what to do with your
seemingly odd traffic. For most users, the easiest path to establish
a tunnel is through a tunnel broker. There are a number of different
brokers on the Internet who will provide you with your very own IPv6
address space. One of the fastest and most popular tunnel brokers is
Hurricane Electric (Figure 13-1), which has an
automated IPv6 tunnel request form. They require only that you have a
"pingable" IPv4 address that is
constantly connected to the Internet. This is the IPv4 address that
they will expect to be the source of your tunnel.
Figure 13-1. Obtaining a tunnel from he.net
13.2.4.1 Building your tunnel
Once you have received your IPv6 address space,
you're ready to build your tunnel. In order to
accomplish this, you will need to use the additional Link
encapsulation interfaces that exist after installing the IPv6 module.To build your tunnel, you will need to configure both the sit0 and
sit1 interfaces. The sit interfaces are considered virtual adapters,
because they do not directly represent hardware in your system.
However, from a software perspective, these will be treated in almost
the same way any other interface is treated. We will direct and route
traffic through them. The sit virtual interfaces allow you to map
your IPv4 address to an IPv6 address, and then create an IPv6
interface on your machine. This process is started by enabling the
sit0 interface and assigning it your IPv4 address. For this example,
10.10.0.8 is the tunnel
broker's IPv4 endpoint, and
2001:FEFE:0F00::4B is vlager's IPv6 tunnel endpoint
IP address.
vlager# ifconfig sit0 upThis step enables the sit0 interface and binds it to the tunnel
vlager# ifconfig sit0 inet6 tunnel ::10.10.0.8
broker's IPv4 address. The next step is to assign
your IPv6 address to the sit1 interface. That is accomplished with
the following commands:
vlager# ifconfig sit1 upThe tunnel should now be operational. However, in order to test, you
vlager# ifconfig sit1 inet6 add 2001:FEFE:0F00::4B/127
will need to route IPv6 traffic to the sit1 interface. This is most
easily handled by using route.
vlager$ route -A inet6 add ::/0 dev sit1This command tells the OS to send all IPv6 traffic to the sit1
device. With the route in place, you should now be able to verify
your IPv6. The connectivity can now be tested by using
ping6. In this example, we will ping the IPv6
address of the remote side of our newly created tunnel.
vlager# ping6 2001:470:1f00:ffff::3a
PING 2001:470:1f00:ffff::3a(2001:470:1f00:ffff::3a) 56 data bytes
64 bytes from 2001:470:1f00:ffff::3a: icmp_seq=1 ttl=64 time=26.2 ms
64 bytes from 2001:470:1f00:ffff::3a: icmp_seq=2 ttl=64 time=102 ms
64 bytes from 2001:470:1f00:ffff::3a: icmp_seq=3 ttl=64 time=143 ms
64 bytes from 2001:470:1f00:ffff::3a: icmp_seq=4 ttl=64 time=130 ms
Ctrl-c
--- 2001:470:1f00:ffff::3a ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3013ms
rtt min/avg/max/mdev = 26.295/100.590/143.019/45.339 ms
vlager#
13.2.5. IPv6-Aware Applications
There are
currently quite a few IPv6-aware applications that are also commonly
in use on the IPv4 networks. Among the more popular are the Apache
web server and OpenSSH. In this section, we'll
detail common configuration for enabling IPv6 within these
applications.
13.2.5.1 Apache web server
Although Apache v1.3 is commonly used due
to its stability, it does not support IPv6 without source code
modification. Should you absolutely need v1.3 and IPv6 support, IPv6
patches do exist, but they are unsupported and likely untested. There
has been a great deal of discussion about whether to include official
IPv6 support in the stable v1.3, and the general consensus has been
to leave v1.3 alone and use v2.0 for the continued support and
development of Apache's IPv6 support. The Apache web
server Versions 2.0 and higher support IPv6 without modification.
Therefore, we will focus on this version in this section.
13.2.5.2 Configuring Apache v2.0.x for IPv6 support
The
configuration of Apache with IPv6 is fairly straightforward. The
build process requires no special options and can be installed from
either source or RPM. One option that can be set at compile time that
may be of interest to IPv6 users is
-enable-v4-mapped tag. This is most often the
default in pre built packages. It enables you to have a line with a
general Listen directive such as:
Listen 80This will bind the web server process to
all available IP addresses. Administrators of IPv6 systems may find
this behavior insecure and inefficient, as unnecessary sockets will
be opened for the large number of default IPv6 addresses. It is for
this reason that you can use -disable-v4-mapped
when compiling and force explicit configuration of listening
interfaces. With this option disabled, you can still have interfaces
listen on all ports, but you must specify to do so.When the
server is compiled and installed as you wish, a single change to the
configuration file is required to enable a listener. This step is
very similar to the IPv4 configuration of Apache. To enable a web
listener on vlager's IPv6 IP, the
following change to the apache.conf file is
required:
Listen [fec0:ffff::2]:80Once Apache is started, it opens up
a listener on port 80 on the specified IP. This can be verified
through the use of netstat:
vlager# netstat -auntThe second entry in the table is the IPv6 apache listener, and it is
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.10.0.4:22 0.0.0.0:* LISTEN
tcp 0 0 fec0:ffff::2:80 :::* LISTEN
vlager#
noted in exactly the same format as the IPv4 addresses.If you would like to have your Apache server listen on all available
IPv6 addresses, a slightly different configuration option can be
used:
Listen [::]:80This is very similar to the 0.0.0.0 address used to accomplish the
same thing in IPv4. To enable listeners on ports other than 80,
either replace the existing port number or add additional
Listen lines. For a more detailed discussion of
Apache, please refer to Chapter 14.
13.2.5.3 OpenSSH
The OpenSSH
project has been compatible with IPv6 since its early days, and
support within the program is now considered mature. It is also quite
easy to configure. No additional options need to be passed during
compile time, so installing from binary package will cause no
problems.This section assumes that you have OpenSSH
operational under IPv4 and know where your configuration files are
installed. In our case, the configuration files are installed in
/etc/ssh. To add an IPv6 listener, we need to
add a line to the sshd_config file:
ListenAddress fec0:ffff::2When OpenSSH is restarted with the
Port 1022
-6 command-line option, it will now be listening
on our IPv6 address at port 1022.Accessing IPv6 hosts with the OpenSSH client is also quite easy. It
is only necessary to specify the -6 command-line
option as follows:
othermachine$ ssh -6 fec0:ffff::2 -p 1022That's really all there
bob@fec0:ffff::2's password:
bob@vlager $
is to configuring OpenSSH for IPv6 usage. At this point you should
have a server with an OpenSSH IPv6 listener and be able to use
ssh to connect to other machines on the IPv6
network. If not, please see the Section 13.2.6, next.
13.2.6. Troubleshooting
As IPv6 networking is often uncharted
territory, it is not uncommon for things to go wrong. One of the most
common mistakes made when dealing with IPv6 initially involves the
address notation. The change from the period to the colon for subset
separation can cause errors, as most administrators'
hands are used to reaching for the period. A second notation problem
when writing out addresses comes with shortening them. As discussed
earlier in the section, when omitting series of zeroes, a double
colon is used. Should you forget the double colon, the machine will
generate an error informing you that you have entered an incomplete
IP address. Here are some examples of incorrect IPv6 notation:
fe80.ffff.0207.3bfe.0ddd.bbfe.02If the problem is more severe, and
3ffe:0001:fefe:5
2001:fdff::0901::1
you're not seeing the IPv6 stack at all, you should
review your kernel configuration. If you've compiled
support for IPv6 directly into the kernel, check your system log and
see if you're receiving any errors when it attempts
to load. A successful IPv6 installation will yield the following
message at boot time:
NET4: Linux TCP/IP 1.0 for NET4.0This section shows the network stack initialization, and the last two
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 4096 buckets, 32Kbytes
TCP: Hash tables configured (established 32768 bind 65536)
NET4 Unix domain sockets 1.0/SMP for Linux NET4.0.
IPv6 v0.8 for NET4.0
IPv6 over IPv4 tunneling driver
lines are specific to IPv6. If you don't see these
two lines, or see an error, you need to check your kernel
configuration file and perhaps consider building IPv6 as a module.If you've built IPv6 support as a module, make sure
you have it configured to load automatically. There are as many ways
to do this as there are Linux distributions, so consult your
distribution's documentation for specific details.When properly
loaded, the module should appear when you enter the
lsmod command.
vlager# lsmod |grep ipv6When loading the module, you should also see the following lines in
Module Size Used by Not tainted
ipv6 162132 -1
your system log:
Jul 7 16:13:43 deathstar kernel: IPv6 v0.8 for NET4.0If you are confident that your IPv6 stack has installed properly, and
Jul 7 16:13:43 deathstar kernel: IPv6 over IPv4 tunneling driver
you are able to send traffic on your local LAN but cannot send
traffic through your IPv6 tunnel, check your IPv4 connectivity. The
first step in this process would be double-checking the IPv4 tunnel
addresses specified in the sit0 configuration. If the configuration
is accurate, test the remote IPv4 endpoint. The inability to send
IPv4 traffic to the tunnel endpoint IP will also prevent you from
sending any IPv6 traffic.Other
connectivity issues could be the result of a misconfigured firewall.
If you have decided to use Netfilter for IPv6, make certain that your
firewall rules are accurate by attempting to send traffic both with
and without your rules enabled. It is possible that there may be
problems within Netfilter for IPv6 that prevent certain
configurations from working properly.
