In order to combat the shrinking IP space problem, the concept of IPv6 was born. Future-minded designers chose to have 128 bits of address space, providing for a total of 340,282,366,920,938,463,463,374,607,431,768,211,456 (3.4 1,038) addresses or, in more visual terms, 655,570,793,348,866,943,898,599 (6.5 1,023) addresses for every square meter of the earth's surface. This provides a sizable extension over the current 32-bits of address space under IPv4.
The first noticeable difference between IPv4 and IPv6 is how the addresses are written. A typical IPv6 address looks like:
fe80:0010:0000:0000:0000:0000:0000:0001
There are eight sets of four hex values in every IP address. These addresses can be long and cumbersome, which is why a shortening method was developed. A single string of zeroes can be replaced with the double colon. For example, the previous example could be written in shortened form as.
fe80:0010::1
However, this can be done only one time in an address in order to avoid ambiguity about what has been removed. Let us consider the following example IP which has separate strings of zeroes:
2001:0000:0000:a080:0000:0000:0000:0001
Since only one string of zeroes can be replaced, the IP can not be shortened to:
2001::a080::1
Generally, the longest string is shortened. In this example, with the longest set replaced, the shortened IP is:
2001:0000:0000:a080::1
Within IPv6, there are several different types of addresses that define the various functions available within the specification:
Link-local address
This address is automatically configured when the IPv6 stack is initialized using the MAC address from your network card. This kind of address is generally considered a client-only type of address, and would not be capable of running a server or listening for inbound connections. Link-local addresses always begin with FE8x, FE9x, FEAx, or FEBx, where the x can be replaced with any hex digit.
Site-local addresses
While a part of the original specification, and still described in various texts, site-local addresses have been deprecated and are no longer considered to be part of IPv6.
Global unicast address
This address type is Internet routable and is expected to be the outward facing IP on all machines. This kind of address is currently identified by its starting digits of either 2xxx or 3xxx, though this may be expanded in the future as necessary.
While the most obvious benefit of IPv6 is the dramatically increased address space, there are several other key advantages that come with it. For example, there are numerous performance gains with IPv6. Packets can be processed more efficiently because option fields in the packet headers are processed only when actual options are present; additional performance gains come from having removed packet fragmentation. A second advantage is a boost in security through the inclusion of embedded IPSec. As it will be part of the protocol, implementation of encryption and non-repudiation will be more natural. Quality of Service (QoS) is another advantage that is developing with IPv6. Enabling this functionality would allow network administrators to prioritize groups of network traffic. This can be critical on networks that handle services like Voice over IP because even small network disruptions can make the service less reliable. Finally, advances in address auto-configuration make on-the-fly networking much easier. Additional benefits will emerge as adoption and research continue. Hopefully, some of these will come with advances in Mobile IP technologies that promise to make it possible for any device to keep the same IP address regardless of its current network connection.
IPv6 support has come a long way recently and is now supported in nearly all Linux distributions. It has been a part of the 2.4 kernel for the last few releases and is included in kernel 2.6.
Enabling IPv6 support in Linux has become much easier now that it is distributed with the kernel sources. Patching is no longer necessary, but you will need to install a set of tools, which will be described later in this section.
If IPv6 support isn't already built into your kernel, it may already be compiled as a module. A quick test to see whether or not the module is present can be accomplished with the following command:
vlager# modprobe ipv6
vlager#If there is no response the module was most likely successfully loaded. There are several ways to verify that support is enabled. The fastest is by checking the /proc directory:
vlager# ls -l /proc/net/if_inet6
-r--r--r-- 1 root root 0 Jul 1 12:12 /proc/net/if_inet6If you have a compatible version of ifconfig, it can also be used to verify:
vlager# ifconfig eth0 |grep inet6
inet6 addr: fe80::200:ef99:f3df:32ae/10 Scope:LinkIf these tests are unsuccessful, you will likely need to recompile your kernel to enable support. The kernel configuration option for IPv6 in the .config file is:
CONFIG_IPV6=m
By using a "make menuconfig," the option to enable IPv6 under the 2.4 kernel is found under "Network Options" section. Under the 2.6 kernel configuration, it is found under "Network Support/Network Options". It can either be compiled into the kernel or built as a module. If you do build as a module, remember that you must modprobe before attempting to configure the interface.
In order to configure the interface for IPv6 usage, you will need to have IPv6 versions of the common network utilities. With most Linux distributions now supporting IPv6 out of the box, it's likely that you'll already have these tools installed. If you're upgrading from an older distribution or using Linux From Scratch, you will probably need to install a package called net-tools, which can be found at various places on the Internet. You can find the most recent version by searching for "net-tools" on Google or FreshMeat.
To verify that you have compatible versions, a quick check can be done with either ifconfig or netstat. The quick check would look like this:
vlager# /sbin/netstat grep inet6Before proceeding, you'll also want to make sure you have the various network connectivity checking tools for IPv6, such as ping6, traceroute6, and tracepath6. They are found in the iputils package and, again, are generally installed by default on most current distributions. You can search your path to see whether or not these tools are available and install them if necessary. Should you need to find them, the author has placed them at If everything has gone smoothly, your interface will have been auto-configured using your MAC address. You can check this by using ifconfig:
vlager# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:07:E9:DF:32:AE
inet addr:10.10.10.19 Bcast:10.10.10.255 Mask:255.255.255.0
inet6 addr: fe80::207:e9ff:fedf:32ae/10 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2272821 errors:0 dropped:0 overruns:0 frame:73
TX packets:478473 errors:0 dropped:0 overruns:0 carrier:0
collisions:4033 txqueuelen:100
RX bytes:516238958 (492.3 Mb) TX bytes:54220361 (51.7 Mb)
Interrupt:20 Base address:0x2000
vlager#The third line in the output displays the link-local address of vlager. It is easy to identify it as such because any address starting with fe80 will always be a link-local type IP address. If you are concerned about privacy issues in using your MAC as your main IP address, or if you are configuring a server and wish to have an easier IP address, you can configure your own IP address according to the following example:
vlager# ifconfig eth0 inet6 add 2001:02A0::1/64
vlager#At this point, however, you may not have a global address type to assign, as we've done above. So, your IP may be a link- or site-local address. These will work perfectly for any non-Internet routable traffic that you want to pass, but if you wish to connect to the rest of the world, you will need to have either a connection directly to the IPv6 backbone or an IPv6 tunnel through a tunnel broker, which we'll discuss in the next section.
To join the wonderful world of IPv6 you will need a path through which to connect. A tunnel is currently the only way to access the IPv6 backbone for most users, as few sites have direct IPv6 connectivity. Attempting to route IPv6 traffic directly over IPv4 networks won't get you very far, as the next-hop router will most likely not know what to do with your seemingly odd traffic. For most users, the easiest path to establish a tunnel is through a tunnel broker. There are a number of different brokers on the Internet who will provide you with your very own IPv6 address space. One of the fastest and most popular tunnel brokers is Hurricane Electric (Figure 13-1), which has an automated IPv6 tunnel request form. They require only that you have a "pingable" IPv4 address that is constantly connected to the Internet. This is the IPv4 address that they will expect to be the source of your tunnel.
Once you have received your IPv6 address space, you're ready to build your tunnel. In order to accomplish this, you will need to use the additional Link encapsulation interfaces that exist after installing the IPv6 module.
To build your tunnel, you will need to configure both the sit0 and sit1 interfaces. The sit interfaces are considered virtual adapters, because they do not directly represent hardware in your system. However, from a software perspective, these will be treated in almost the same way any other interface is treated. We will direct and route traffic through them. The sit virtual interfaces allow you to map your IPv4 address to an IPv6 address, and then create an IPv6 interface on your machine. This process is started by enabling the sit0 interface and assigning it your IPv4 address. For this example, 10.10.0.8 is the tunnel broker's IPv4 endpoint, and 2001:FEFE:0F00::4B is vlager's IPv6 tunnel endpoint IP address.
vlager# ifconfig sit0 up vlager# ifconfig sit0 inet6 tunnel ::10.10.0.8
This step enables the sit0 interface and binds it to the tunnel broker's IPv4 address. The next step is to assign your IPv6 address to the sit1 interface. That is accomplished with the following commands:
vlager# ifconfig sit1 up vlager# ifconfig sit1 inet6 add 2001:FEFE:0F00::4B/127
The tunnel should now be operational. However, in order to test, you will need to route IPv6 traffic to the sit1 interface. This is most easily handled by using route.
vlager$ route -A inet6 add ::/0 dev sit1This command tells the OS to send all IPv6 traffic to the sit1 device. With the route in place, you should now be able to verify your IPv6. The connectivity can now be tested by using ping6. In this example, we will ping the IPv6 address of the remote side of our newly created tunnel.
vlager# ping6 2001:470:1f00:ffff::3a PING 2001:470:1f00:ffff::3a(2001:470:1f00:ffff::3a) 56 data bytes 64 bytes from 2001:470:1f00:ffff::3a: icmp_seq=1 ttl=64 time=26.2 ms 64 bytes from 2001:470:1f00:ffff::3a: icmp_seq=2 ttl=64 time=102 ms 64 bytes from 2001:470:1f00:ffff::3a: icmp_seq=3 ttl=64 time=143 ms 64 bytes from 2001:470:1f00:ffff::3a: icmp_seq=4 ttl=64 time=130 ms Ctrl-c --- 2001:470:1f00:ffff::3a ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3013ms rtt min/avg/max/mdev = 26.295/100.590/143.019/45.339 ms vlager#
There are currently quite a few IPv6-aware applications that are also commonly in use on the IPv4 networks. Among the more popular are the Apache web server and OpenSSH. In this section, we'll detail common configuration for enabling IPv6 within these applications.
Although Apache v1.3 is commonly used due to its stability, it does not support IPv6 without source code modification. Should you absolutely need v1.3 and IPv6 support, IPv6 patches do exist, but they are unsupported and likely untested. There has been a great deal of discussion about whether to include official IPv6 support in the stable v1.3, and the general consensus has been to leave v1.3 alone and use v2.0 for the continued support and development of Apache's IPv6 support. The Apache web server Versions 2.0 and higher support IPv6 without modification. Therefore, we will focus on this version in this section.
The configuration of Apache with IPv6 is fairly straightforward. The build process requires no special options and can be installed from either source or RPM. One option that can be set at compile time that may be of interest to IPv6 users is -enable-v4-mapped tag. This is most often the default in pre built packages. It enables you to have a line with a general Listen directive such as:
Listen 80
This will bind the web server process to all available IP addresses. Administrators of IPv6 systems may find this behavior insecure and inefficient, as unnecessary sockets will be opened for the large number of default IPv6 addresses. It is for this reason that you can use -disable-v4-mapped when compiling and force explicit configuration of listening interfaces. With this option disabled, you can still have interfaces listen on all ports, but you must specify to do so.
When the server is compiled and installed as you wish, a single change to the configuration file is required to enable a listener. This step is very similar to the IPv4 configuration of Apache. To enable a web listener on vlager's IPv6 IP, the following change to the apache.conf file is required:
Listen [fec0:ffff::2]:80
Once Apache is started, it opens up a listener on port 80 on the specified IP. This can be verified through the use of netstat:
vlager# netstat -aunt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.10.0.4:22 0.0.0.0:* LISTEN
tcp 0 0 fec0:ffff::2:80 :::* LISTEN
vlager#The second entry in the table is the IPv6 apache listener, and it is noted in exactly the same format as the IPv4 addresses.
If you would like to have your Apache server listen on all available IPv6 addresses, a slightly different configuration option can be used:
Listen [::]:80
This is very similar to the 0.0.0.0 address used to accomplish the same thing in IPv4. To enable listeners on ports other than 80, either replace the existing port number or add additional Listen lines. For a more detailed discussion of Apache, please refer to Chapter 14.
The OpenSSH project has been compatible with IPv6 since its early days, and support within the program is now considered mature. It is also quite easy to configure. No additional options need to be passed during compile time, so installing from binary package will cause no problems.
This section assumes that you have OpenSSH operational under IPv4 and know where your configuration files are installed. In our case, the configuration files are installed in /etc/ssh. To add an IPv6 listener, we need to add a line to the sshd_config file:
ListenAddress fec0:ffff::2 Port 1022
When OpenSSH is restarted with the -6 command-line option, it will now be listening on our IPv6 address at port 1022.
Accessing IPv6 hosts with the OpenSSH client is also quite easy. It is only necessary to specify the -6 command-line option as follows:
othermachine$ ssh -6 fec0:ffff::2 -p 1022
bob@fec0:ffff::2's password:
bob@vlager $That's really all there is to configuring OpenSSH for IPv6 usage. At this point you should have a server with an OpenSSH IPv6 listener and be able to use ssh to connect to other machines on the IPv6 network. If not, please see the Section 13.2.6, next.
As IPv6 networking is often uncharted territory, it is not uncommon for things to go wrong. One of the most common mistakes made when dealing with IPv6 initially involves the address notation. The change from the period to the colon for subset separation can cause errors, as most administrators' hands are used to reaching for the period. A second notation problem when writing out addresses comes with shortening them. As discussed earlier in the section, when omitting series of zeroes, a double colon is used. Should you forget the double colon, the machine will generate an error informing you that you have entered an incomplete IP address. Here are some examples of incorrect IPv6 notation:
fe80.ffff.0207.3bfe.0ddd.bbfe.02 3ffe:0001:fefe:5 2001:fdff::0901::1
If the problem is more severe, and you're not seeing the IPv6 stack at all, you should review your kernel configuration. If you've compiled support for IPv6 directly into the kernel, check your system log and see if you're receiving any errors when it attempts to load. A successful IPv6 installation will yield the following message at boot time:
NET4: Linux TCP/IP 1.0 for NET4.0 IP Protocols: ICMP, UDP, TCP IP: routing cache hash table of 4096 buckets, 32Kbytes TCP: Hash tables configured (established 32768 bind 65536) NET4 Unix domain sockets 1.0/SMP for Linux NET4.0. IPv6 v0.8 for NET4.0 IPv6 over IPv4 tunneling driver
This section shows the network stack initialization, and the last two lines are specific to IPv6. If you don't see these two lines, or see an error, you need to check your kernel configuration file and perhaps consider building IPv6 as a module.
If you've built IPv6 support as a module, make sure you have it configured to load automatically. There are as many ways to do this as there are Linux distributions, so consult your distribution's documentation for specific details.
When properly loaded, the module should appear when you enter the lsmod command.
vlager# lsmod |grep ipv6
Module Size Used by Not tainted
ipv6 162132 -1When loading the module, you should also see the following lines in your system log:
Jul 7 16:13:43 deathstar kernel: IPv6 v0.8 for NET4.0 Jul 7 16:13:43 deathstar kernel: IPv6 over IPv4 tunneling driver
If you are confident that your IPv6 stack has installed properly, and you are able to send traffic on your local LAN but cannot send traffic through your IPv6 tunnel, check your IPv4 connectivity. The first step in this process would be double-checking the IPv4 tunnel addresses specified in the sit0 configuration. If the configuration is accurate, test the remote IPv4 endpoint. The inability to send IPv4 traffic to the tunnel endpoint IP will also prevent you from sending any IPv6 traffic.
Other connectivity issues could be the result of a misconfigured firewall. If you have decided to use Netfilter for IPv6, make certain that your firewall rules are accurate by attempting to send traffic both with and without your rules enabled. It is possible that there may be problems within Netfilter for IPv6 that prevent certain configurations from working properly.