Today is World IPv6 Day, so you might be wondering just how easy it is to run IPv6 on your own home network. The answer is that it’s surprisingly simple, and even if you can’t yet get IPv6 connectivity from your internet provider, it’s still possible to connect your PC – or indeed your whole network – to the IPv6 internet. …
"so why the heck not"?
I think the admission that your router is switched out of the security consideration is enough to put me off this overt geekery, ta.
Like most of the planet, you'll prise IPv4 from my cold, dead fingers - i.e. I'll upgrade when I have to, not leave myself wide open to attack on one machine via a tunnelled IPv6 link.
While I applaud your efforts to help people configure and try out IPv6, this seems a little irresponsible.
That's one reason why we went as far as showing how to get your tunnel set up, and didn't provide explicit instructions for routing to your whole network, ending with a security warning instead.
I think we'd have been a touch irresponsible to show people exactly how to open up their whole network to the IPv6 world without any mention of security. But we included a security warning at the start of the walk-through on page 2 and ended the article by reiterating that you'll need to consider security.
I really don't think that's an irresponsible way to approach this; we don't have space to cover every security issue, for every platform, and if we just pretended IPv6 wasn't happening, that would be a bit odd too.
We've not hidden the security aspects from people; I hope we've gone some way to ensure that if readers do try this, they'll at least have thought about them.
I stopped reading when you said you weren't covering security, as that's my largest concern about IPv6 as a whole. I don't want all the machines within the LAN and DMZ with their own direct route out and a route back until someone explains all the complexities of making IPv6 devices secure.
Not that much of a risk
I don't think the risk of running an IPv6 connection for a few minutes is particularly high.
This is just a test drive right?
It isn't something I plan on leaving up until I have looked properly at the security implications for the networks involved and by then I expect to have migrated to an ISP that does support IPv6 natively...
Sure if you enable it and forget it is there then you should expect some consequences.
Security is an issue I'd love to cover in detail, but there's a limit to how long each article published tends to be. Given that, we could quite easily do a whole piece on IPv6 security for each platform that readers are likely to be using, including Windows variants.
And I'd rather do it in detail than have to try and cram a brief bit of information about three or four different platforms into one piece.
Making the devices secure isn't really any more difficult than doing so for IPv4. The issue at the moment is simply that if you do set up a tunnel because you don't want to wait for your ISP, then you will very likely be bypassing whatever firewall you have in your router, and NAT too, if that's what you were relying on.
By the time customer DSL equipment is rolled out, the software in that should have firewalls that you can configure for IPv6 just as easily as for IPv4.
And, of course, the simple thing (well, if you're running something like OpenBSD) is not to have anything running that you don't want people to connect to. So, that may mean revisiting config files for different services and checking they don't automatically listen for IPv6 if you don't want them on.
Since I'm mostly just testing outbound connectivity, and can't see any reason why, for instance, I should have SMTP over IPv6 available for emailing me right now, I have a simple filter on my gateway, which is "pass IPv6 out, don't allow any incoming connections via the tunnel"
But everyone's situation and software is going to be different.
Firstly, you can't do IPv6 *through* a NAT router as is implied in the article; you must do it *on* your router.
This means that you need an IPv4 router running *nix on it to terminate the local end of your tunnel.
Furthermore, if you are running a *nix router then it will already have a firewall (iptables) on it (unless you are mad, of course).
So, once you already have a bunch of iptables rules, IPv6 security becomes trivially easy.
You simply take all your existing rules (sans masquerading and DNAT, as these don't exist in IPv6) and apply them as ip6tables rules in the exact same way.
iptables -A INPUT -i $IPV4WAN -j DROP
ip6tables -A INPUT -i $IPV6WAN -j DROP
It's so easy that I wonder why they didn't just mention that in the article.
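As an added example (not code from the commenter above), here is what "apply the same rules with ip6tables" looks like once the IPv6-specific parts are in place. The single rule quoted above drops everything arriving on the tunnel, including replies to your own outbound connections and ICMPv6 Packet Too Big; IPv6 routers do not fragment, so path MTU discovery has to work, and a protocol-41 tunnel already has an MTU below 1500. The script emits a default-deny ip6tables-restore ruleset and lints any ruleset for those points. The interface names sit1 (tunnel) and eth0 (LAN) are placeholders, and the rules are mine, not the article's.

```shell
#!/bin/sh
# Added example, not from the post above. Emits a minimal default-deny
# ip6tables-restore ruleset for a tunnel endpoint box and lints a ruleset
# for the things most often lost when IPv4 rules are copied across.
# Interface names are hypothetical: $1 = tunnel/WAN side (e.g. sit1),
# $2 = LAN side (e.g. eth0).

gen_ip6_rules() {
    wan="$1"
    lan="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 10/s -j ACCEPT
-A INPUT -i $wan -m limit --limit 5/min -j LOG --log-prefix "ip6-in-drop: "
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -m limit --limit 5/min -j LOG --log-prefix "ip6-fwd-drop: "
COMMIT
EOF
}

# Reads an ip6tables-restore ruleset on stdin. Returns 0 only if the INPUT
# policy is default deny, return traffic is tracked, and Packet Too Big is
# allowed in; the one-line "drop everything inbound on the tunnel" rule
# from the post fails all three.
lint_ip6_rules() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' ||
        { echo "INPUT policy is not DROP"; return 1; }
    printf '%s\n' "$rules" | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT' ||
        { echo "no state rule: replies to your own outbound connections are dropped"; return 1; }
    printf '%s\n' "$rules" | grep -q -- '--icmpv6-type packet-too-big -j ACCEPT' ||
        { echo "Packet Too Big not allowed: path MTU discovery breaks over the tunnel"; return 1; }
    echo ok
}

# The bare rule from the post above, in restore syntax, for comparison.
NAIVE_RULES='*filter
-A INPUT -i sit1 -j DROP
COMMIT'

# Usage (as root): ./ip6rules.sh sit1 eth0 | ip6tables-restore
# With no arguments, lint both rulesets and print the verdicts.
if [ $# -eq 2 ]; then
    gen_ip6_rules "$1" "$2"
else
    printf '%s\n' "$NAIVE_RULES" | lint_ip6_rules || echo "naive ruleset rejected"
    gen_ip6_rules sit1 eth0 | lint_ip6_rules
fi
```

Load it with ip6tables-restore rather than a sequence of ip6tables -A commands so the box is never briefly in an "allow everything" state between rules; the LAN interface is trusted wholesale here because neighbour discovery (the ICMPv6 types 133-137) has to get in on that side.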
Security really isn't that hard, but you do need to think about it
I created a virtual machine to act as my IPv6 router/firewall. It's running a recent distro so it has a recent ip6tables (older distros are a bit limited here). I let port 22 in and anything but 25 out (mind you, the one windows machine doesn't do ipv6, yet). I also turned password access off for all the machines running sshd.
That's very nearly enough. I also log unauthorised packets (those that will be rejected) so I can see who is trying to break in.
Of course, the router/firewall is doing nothing else, just like my Netgear router does for IPv4.
I'm looking at the possibility of getting a new router that supports OpenWRT so I can move my tunnel endpoint into that rather than in a virtual machine, but for now, the virtual machine is an ideal environment to do things with IPv6. Things, of course, my employer is not going to let me do because they have no plans for anything to do with IPv6. Which is terribly short-sighted of them.
PC clients with IPv6 addresses are globally addressable and discoverable. If you're not sure of your software firewall and your OS, that's a Very Bad Thing. Your firewall will quite merrily let your PC accept inbound IPv6 connections on forgotten services from North Korea, and those services may have well documented protocol exploits that don't require authentication at all to inject executable code into your PC with the highest authority - even higher than yours. If you're on XP it's best not to risk it. Even W7 is pretty iffy.
PC clients with IPv6 addresses are globally addressable
Well, yes, but unless you install RADVD or its equivalent on your router then your LAN clients will not get a routable address. I would like to assume that if someone actually went to the trouble of installing radvd on their router then they would also consider configuring the appropriate firewall.
I'm considering setting up an IPv6 mailserver to see when SPAM migrates to IPv6. :)
You may already have one
I've done a couple of IPv6 setups here - one on Windows XP to see how fiddly it was for this article, and the other using my OpenBSD box when I was writing the original WTF is IPv6 piece.
On the latter, it was easy - I run Postfix as the mail server and all you need to do is change one line in the main.cf file, typically.
By default, it binds to only IPv4, but add (or uncomment) a line in main.cf that says
inet_protocols = all
then restart, and you're away; I didn't need to do any other tinkering, and was able to connect to the IPv6 address. I have postgrey and amavisd also running, doing front-end filtering, and didn't need to tinker with those at all; the system accepted the connection via IPv6, and passed it to the amavisd filter using IPv4.
You'll spot the IPv6 spam because the address will be in the headers; this is how the Received lines logged my IPv6 incoming mail:
Received: from macbook (unknown [IPv6:2001:470:1f09:1890:21f:f3ff:fe51:43f8]) by gate.nigelwhitfield.com (Postfix) with SMTP for
If you are in a non-Windows environment it is more or less plug and away.
Debian, MacOS, BSDs all work out of the box nowadays (at most you have to turn on a setting or two).
The only tinkering I did was because I still use pure v4 clients on my home network so I wanted to have a v4-v6 bridge. So I set-up a proxy and DNS on my house server which can go v4 or v6. Clients use it and do not need v6 themselves. Similar setup with mail, VPNs, etc.
The only site I have had a problem is maplin.co.uk.
Some genius consulting them on security has told them to set up their name server to not return anything on an AAAA query. So you have to wait for it to timeout the first time before it goes v4. After that it is fine.
Exactly the setup I used until I got native v6 from my ISP.
Of course you probably won't notice any difference when you get this set up (it should "just work") so other than ping(6)ing websites it's hard to notice which ones have v6 and which don't. If you're using Firefox you could try an extension like this one which shows you which IP versions the site you're connecting to appears to support.
..the benefits appear to be limited, i.e. you may be able to access your devices more easily (until your external address changes, by the sounds of it).
The downsides are, your devices are easier to access, you punch bloody great holes in your security and it is a lot of work for little or no reward.
I suppose VoIP should be easier, but meh, easy to get to work these days anyway.
On World IPv6, will the reg be taking their own advice?
Is the register going to be adding IPv6 to their network on that day or have they done it already?
It's a shame, really
that theregister is not reachable over IPv6 on IPv6 day:
$ host -t aaaa www.theregister.co.uk
www.theregister.co.uk has no AAAA record
Re: On World IPv6, will the reg be taking their own advice?
No, they haven't.
# host www.theregister.com
www.theregister.com has address 18.104.22.168
# dig www.theregister.com AAAA
; <<>> DiG 9.6.-ESV-R3 <<>> www.theregister.com AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56258
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.theregister.com. IN AAAA
;; AUTHORITY SECTION:
theregister.com. 494 IN SOA ns1.theregister.co.uk. hostmaster.theregister.co.uk. 2010031800 28800 7200 604800 3600
;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jun 8 12:35:10 2011
;; MSG SIZE rcvd: 105
Zone hasn't changed since March 2010. Bloody disgraceful! :o)
HE tunnelbroker great for servers, not so good for lappies
HE tunnelbroker great for servers, not so good for laptops.
Reason? HE tunnelbroker is classical protocol-41 only, so doesn't work over NAT, so on your laptop you need to use their PPtP to get a public IPv4 address first, which makes for a somewhat Heath-Robinson solution which discourages you from switching it on. (On a co-lo box hosted in a la-la-la-la-we-can't-hear-you-because-our-head-is-buried-in-the-sand IPv4-only facilities house HE tunnelbroker is great because it's maintained by a commercial company.)
Freenet6 is easier to set up, and works over NAT, but so unreliable as to be useless.
SixXS supports AYIYA, which works over NAT, as well as classical protocol-41 tunnels. It is a bit of a bitch to set up, requiring manual configuration of AICCU as a service using a service-to-arbitrary-program "shim". And do read, comprehend, and follow every word which Jeroen Massar writes; don't assume that people you're not paying are there to do your bidding. But once it's set up it just works automatically without needing to be manually connected. Reliability and performance is generally good. Though changing PoP is difficult, so if you're in the jet set then it's not for you. Then again if you're in the jet set you won't be messing around with this stuff anyway...
Depends on the OS
On Debian (and clones) AYIYA works out of the box in an idiot-friendly manner. You just apt-get the package, plug in your handle and password and you are away. No setup whatsoever.
So it depends what are you using.
Isn't Pippa's rear more important than this IPv6 thingy for us Brits?
Looking at the v6 presence of British companies - yes
Looking at the www address records
BT - no v6
O2 - no v6
BBC - no v6
TalkTalk - no v6
EasyNet - no v6
TheRegister - no v6
For comparison - google, facebook, yahoo, etc all show v6 records today.
So you are definitely right. Pippa's bottom is definitely more important.
The BBC already have an ipv6 presence, but it is totally separate from their ipv4 stuff. bbc.co.uk has no ipv6 address, bbcmedia.co.uk/ipv6.bbc.co.uk has no ipv4 address.
They're not totally behind.
On IPv6 day the BBC did put out their ::bbc:1 service. I know, I was checking the weather over it (miserable, in case you wondered).
No it's not!
Nice article, but I'm afraid I just couldn't let this go...
"Surprisingly, I found this a lot more fiddly to do with Windows XP than it was using an Open BSD box to do the same trick"
This isn't surprising at all. OBSD has truly excellent and extremely flexible tools for setting up all aspects of the network; probably better than any other OS out there.
Whereas Windows network handling is , well... shite.
Perhaps surprising was the wrong word to use; but I wanted to convey that, though most people will think something like OpenBSD scary and tricky to configure, it's actually very straightforward.
It's because of that network functionality (and the sane approach to security) that it's been sitting on my main gateway server here for quite a few years now; I really would recommend it to anyone who want to tinker with any aspects of networking.
Not for everyone
The ISP I use from home, formerly Tiscali and now TalkTalk, seems to be blocking ICMP Ping, which means that the Tunnel setup fails at the stage where you select IP address and server.
The page is showing the IP address I'm using, but immediately below that line is "Checking", in red.
On the whole, I think I shall leave my curiosity unassuaged. The last time I checked, TalkTalk weren't admitting to any plan for IPv6 anyway. And the Router/Modem kit in PC World (I know...) doesn't mention IPv6 on the packaging.
How long before the panic?
Your ISP probably isn't blocking ping, the box they gave you is. You can disable this usually. I had that issue with getting my tunnel working on O2.
would have been nice
I can't help but notice the reg is still on ipv4 only today :)
What's in it for HE?
[genuine question:] What do companies like Hurricane Electric get from it? They can't put adverts on your communications, and they have to steer all the traffic at some cost. What's the business model?
Also, it increases latency but presumably also overheads? Negligible/noticeable?
RE: What's in it for HE?
I too have been pondering that for a while.
My best guess is that's a combination of altruism and marketing - they get a lot of publicity, world wide, for what is probably a very limited expenditure. Given that they'll be doing a lot of work internally anyway, adding the tunnelbroker service has probably cost them very little, while also increasing significantly the number of IPv6 connected users. All these users will generate real IPv6 traffic which will allow them to further analyse how things are working in their own network, and fix any problems they might find.
All this means that a) lots more people will have heard of them, and b) anyone looking for native IPv6 connectivity will have heard of them, and c) such users will know that HE do IPv6 in a world where so many carriers/ISPs still have their head stuck in the sand about it (or stuck up their backsides).
As for those "why should I bother, I'm fine right now" types. Well sit tight, but don't complain when IPv6 only services start appearing. It'll be a while yet, but it will happen sooner or later. IPv6 now is not as hard as IPv4 was when I first got online, and once vendors (especially the consumer electronics ones) and ISPs extract their digits from their fundaments then it will become even easier and transparent to users.
As for security, there is ZERO reason why a firewall cannot be equally effective on IPv6 as IPv4 - zero reason that is except that too many people have their heads in the sand and are still pretending it's not going to happen. I have my entire home network IPv6 enabled, and it's no less secure than the IPv4 side because I use a decent firewall that has proper IPv6 support.
If your firewall doesn't do IPv6 properly, then that's not the fault of IPv6, it's the fault of the firewall developer and you should be asking them why - or just switching to a decent firewall.
And finally ... NAT IS NOT A FIREWALL, NAT is a fundamentally f***ed up cludge that breaks lots of stuff. Working around all the stuff NAT f***s up wastes a huge amount of development and support effort that would be better spent making stuff better.
Anyone using IPv6 should enable the privacy extensions which prevent your local ip address from becoming unique. Instructions (in German) just choose the commands for your OS:
I'm stuck with a USB modem that my ISP gave me, which I doubt supports IPv6.
And I doubt they'll send me a router free of charge.
But hey, that's tiscali/Talk Talk for you!
What? You are "stuck" with a modem because TalkTalk won't send you a router free of charge?
I'll give you a clue, it's the same way you manage to eat when Tesco won't send you food free of charge.
You either ask your mum to get it for you, or buy it yourself.
I've a feeling if you called TalkTalk and asked nicely (and mentioned how if you moved to any of the other ISPs they'd give you a new one for free) then they'd probably send you a proper LAN router. After all they give them out to new customers so they have plenty of them around...
Failing that, get on eBay and get something secondhand for £20-30, and then head back to TT's support website where there are instructions on setting up your own router for use with their service.
apply clue with extreme force
for fuck's sake!
1) there are roughly twice as many people on this planet than there are ipv4 addresses. before you ever say anything about ip addressing again, come up with a viable solution that will give everyone just one ipv4 address. of course there will be a billion or two people who might never get connected but there will be at least that number who will each need more than one address.
2) nat is not the answer. it breaks too many things. like sip or video/audio streaming. try getting two or more people playing the same game over the internet at the same time when they all go through the same nat device.
3) even if nat was the answer and was guaranteed to work perfectly for every application and internet protocol forever, including the ones that have still to be invented, see 1).
4) net 10/8 is big enough for 16 million devices. the biggest telcos and cable companies have more than that number of customers already. this is why comcast, a us cable company, is all ipv6 now. they need ~300 million ip addresses: roughly 10-12 per customer (household). they have around 25 million customers today. they just can't hope to meet this with ipv4 address. vodaphone must be getting close to 16 million customers in england. if they're using nat, their network managers must be shitting themselves.
5) things like smart metering simply cannot work with nat. see 4). there are around 25 million gas meters in this country, most of them served by british gas. these won't fit into 10/8. the situation isn't quite as bad with electricity or water meters. oh, and you'll be seriously fucked because the meter will have to be renumbered (ie a site visit) whenever you switch providers => moving to a new utility company's wan. a nat solution (if it worked) would have that delightful property.
6) the intelligent grid will require end-to-end connectivity. nat breaks that. energy-hungry devices will have to be able to contact the power company to get real-time info about the cheapest and dearest times to power up. good luck making that work across the country with nat. or expecting everyone to reconfigure this mythical nat box in their house or office every time they plugged in a new kettle or telly.
7) anyone sitting on excess ipv4 space is unlikely to hand it back. now that those addresses are a scarce and almost exhausted commodity, carbon-based life-forms with a functioning brain will want to sell their spare addresses if they can. besides even once that ipv4 market starts, there still won't be enough addresses to go round. see 1).
8) the best thing vendors could do with nat is eliminate it. and apply clue to any fuckwits who think nat is the answer.
9) how many devices will be connected to the internet next year? more? less? same as now? what about in 5 years or 10 years? nat isn't going to save us. it will make things worse because all that nat shit will have to be ripped out and replaced with ipv6 some day. might as well have one migration to do instead of two.
10) every land-line will need a unique ip address at the exchange when the telcos switch to their next generation nets. incumbents like bt are already doing this. mobile operators won't be far behind. but they'll be connecting tablets and fondleslabs that sometimes get used to make phone calls. once you have 10+ million customers, network 10/8 and nat is just not going to do it. see 4).
11) iana handed out /8s to the regional internet registries. so it isn't worth handing back anything smaller than that to iana. and anyway, smaller chunks of free ipv4 space will be up for sale on ebay soon if they're not there already.
12) proper uptake of ipv6 puts a stop to all this nat fuckwittedness forever. and kills the trade in v4 addresses. it'll provide more than enough headroom for what we already expect we want to do on the internet for the next decade or two. and still leave vast amounts of unused space for whatever happens on the internet after our great-great grandchildren are long dead,
finally time to change the IPv6 enabled option on my router from no to yes.
One of the benefits of having a separate modem/router combo: you can get yourself a half decent router instead of being stuck with what your ISP gives you.
"You’ll probably need tweak the firewall on your router"
That is, on Windows XP, which includes a very tough firewall, you will either have to disable the "Potential Router List" (KB978338), or configure it correctly to recognise potential routers. On Windows 7 this firewall feature cannot be so easily disabled so it will have to be configured correctly.
Those of you only using simplistic BSD firewalls don't have to worry about this --- because you don't have that level of protection to start with.
I think you've got that the wrong way around
The XP firewall is remarkably simplistic. The BSD and Linux firewalls are remarkably good.
There are any number of firewalls/routers running Linux and iptables, there's at least one I believe is running BSD.
I can only think you were looking at some ancient packet filter, which, come to think of it, is much what Windows has ...
Wait for it .....
flurries of malware tempting users with "New Improved IPv6 Capabilities" - simply download this app (you know you like shiny apps) and improve your download speeds (whatever) with new shiny IPv6. No matter what your specs. PC or Mac - you can enter a new world of IPv-ness and brag to your mates about it.
(goes and sits on the Naughty Step for exhibiting devious tendencies)
well, I've had it for years, I'm bored of people mistaking NAT for a firewall, it just isn't. if the router supports IPv6, it also has a firewall, and will stop the traffic. the chances of anything finding you on IPv6 are so incredibly slim anyway, it's not actually a huge issue yet, anyway.
What baffles me, is ElReg putting up an article, 5 pages long about IPv6, and yet. they don't have it..... Why not ElReg, it really isn't that difficult at all! even if it's tunneled!
Oddly enough ...
The web servers aren't managed by the same people who write and edit the articles.
time to apply for a job?
I've tinkered with IPv6 on my home network (and ended up leaving it alone as the default APIPA in Windows 7/2008 works fine enough as it is!). But until my ISP starts offering it to the home, and I can find a reasonably priced v6-capable replacement for my Netgear, then I'm not going to bother messing about with this tunnelling malarky.
The Home Router's already sorted.
D-Link already offers a number of IPv6 ready home routers: the DIR-615, -632, -655, and -825, depending on your needs (one note: check firmwares and/or labeling--not all of them are IPv6 ready). After a little number fiddling, I've managed to get my DIR-615 to share the tunnel in the article with the local net. Now the IPv6 test says I'm fully IPv6 qualified.
PS. If you insist on Netgear devices, try the WNR3500L or WNDR3700/WNDR37AV. A list can be found at this Wikipedia address: http://en.wikipedia.org/wiki/Comparison_of_IPv6_support_in_routers (It may not be considered authoritative, but these kinds of lists are usually kept up to date).
Rule number one: EAT YOUR OWN DOGFOOD
dig www.theregister.co.uk AAAA
; <<>> DiG 9.7.3 <<>> www.theregister.co.uk AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52121
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.theregister.co.uk. IN AAAA
;; AUTHORITY SECTION:
theregister.co.uk. 576 IN SOA ns1.theregister.co.uk. hostmaster.theregister.co.uk. 2010103000 28800 7200 604800 3600
;; Query time: 15 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jun 8 08:27:54 2011
;; MSG SIZE rcvd: 90
Nothing to see here, move along.