Best practices for addressing home LAN

Started by thorvoquien, July 02, 2010, 12:31:30 PM

thorvoquien

Issue/Question #1
At work I have a static IPv4 address and a tunnel with only a routed /64

server IPv6: 2001:470:XXX0:17d::1/64
client IPv6: 2001:470:XXX0:17d::2/64
routed /64: 2001:470:XXX1:17d::/64

if I use the example Mac OS X tunnel config I end up with the following

gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
	tunnel inet XXX.XXX.16.248 --> 209.51.181.2
	inet6 fe80::YYY:YYff:feYY:YYYY%gif0 prefixlen 64 scopeid 0x2
	inet6 2001:470:XXX0:17d::2 --> 2001:470:XXX0:17d::1 prefixlen 128
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80::YYY:YYff:feYY:YYYY%en0 prefixlen 64 scopeid 0x4
	inet XXX.XXX.16.248 netmask 0xffffff00 broadcast XXX.XXX.16.255

ip6.me reports my v6 address as 2001:470:XXX0:17d::2 which is the same as my tunnel client v6 address and not in the routed /64 address space. Is this correct or should my address be the routed /64?

Sidenote: Is there any way to get the en0 interface to have a non-link local ipv6 address? Is this even desirable? Does it even make sense to do that? The gif0 address works fine for all v6 traffic but just doesn't show up in the gui network prefs that only shows physical interfaces.

Issue/Question #2
At home I use an Airport router as the endpoint for the tunnel. The prefix it advertises is the routed /64 prefix. Machines on my local network all autoconfigure using that prefix and their EUI-64 MAC. As such multiple machines are sharing the /64 space. Is this the ideal way to set up a home lan or should I be using the routed /48 prefix? If I did that how are those 16 bits assigned? When I give the airport router the /48 LAN address it just puts all machines at 2001:470:ZZZ1:0000::/64. In theory do I want each LAN machine to have its own complete /64 as such:

2001:470:ZZZ1:0001:MAC1
2001:470:ZZZ1:0002:MAC2
2001:470:ZZZ1:0003:MAC3

If so does anyone know what sort of home routing hardware I would need to do something like this? If not what is the ideal home LAN v6 addressing scheme?

jimb

#1

  • The client IPv6 interface goes on the 6in4 interface (tunnel interface).
  • The routed /64 goes on your LAN interface (en0 in your case).
  • Your LAN will ideally use your routed /64 interface.
  • A routed /48 is only required if you have more than one LAN in your network.  If this is the case, you can use both your routed /64, and /64 subnets of your routed /48 as you please on your internal networks.
  • The routed /48 is split into /64s (e.g. 2001:db8:1234:XXXX::/64, where XXXX ranges from 0 - FFFF, or 65,536 subnets).  That is what you put on your devices, not the entire /48.  You subnet a routed /48 just as you would subnet any chunk of IPv4 space you would get (for instance a /16).  The router won't magically subnet it.  If you assign an interface a /48, it will simply be a huge /48 LAN.  It will also be incompatible with IPv6 auto-configuration via router advertisements.
  • Your box is properly using the tunnel IPv6 address to access the internet.  It's using this because a) the application didn't specify a specific IPv6 to use for a source address, and b) it is the IPv6 address on the interface through which the traffic is routed.  If you wish for whatever reason for the application to use an IPv6 in your routed /64, you must configure the application to do so with a cmd line switch, config file, config GUI, or whatever.  There may also be a way to do it via /etc/gai.conf (linux) or ip addrlist (linux) or their equiv under OSX or BSD, but I've never been able to make an app do this through these methods.  Unfortunately some apps don't support specifying a source IP or IPv6 to use.
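
The subnetting and autoconfiguration described in this thread, as an added example that is not part of either poster's messages: it carves /64 LANs out of a routed /48 and derives the address each host would autoconfigure from its MAC. The prefix is the documentation range and the MAC addresses are constructed sample values.

```python
import ipaddress

ROUTED_48 = "2001:db8:1234::/48"                    # documentation prefix
MACS = ["00:16:cb:aa:bb:01", "00:16:cb:aa:bb:02"]   # constructed sample MACs

def lan_subnets(routed_48, count):
    """Return the first `count` /64 LANs carved out of a routed /48."""
    net = ipaddress.IPv6Network(routed_48)
    if net.prefixlen != 48:
        raise ValueError("expected a /48, got /%d" % net.prefixlen)
    gen = net.subnets(new_prefix=64)  # lazily walks all 65,536 /64s
    return [next(gen) for _ in range(count)]

def eui64_interface_id(mac):
    """Modified EUI-64: flip the universal/local bit, insert ff:fe mid-MAC."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("MAC must have six octets")
    first = bytes([octets[0] ^ 0x02])
    return int.from_bytes(first + octets[1:3] + b"\xff\xfe" + octets[3:], "big")

def slaac_address(lan, mac):
    """Address a host autoconfigures from an advertised prefix and its MAC."""
    net = ipaddress.IPv6Network(lan)
    if net.prefixlen != 64:
        # A /48 placed directly on an interface leaves no 64-bit interface ID.
        raise ValueError("autoconfiguration needs a /64, got /%d" % net.prefixlen)
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

if __name__ == "__main__":
    lans = lan_subnets(ROUTED_48, 3)
    for lan in lans:
        print("LAN prefix:", lan)
    # Every host on one LAN shares that LAN's /64; only the low 64 bits differ.
    for mac in MACS:
        print(mac, "->", slaac_address(lans[1], mac))
```
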

thorvoquien

Okay, to try and be very clear here.

All machines on a single subnet home LAN are intended to share a /64.

eg
2001:db8:1234:XXXX::1
2001:db8:1234:XXXX::2
2001:db8:1234:XXXX::3

in the same way they share a single subnet LAN today under IPv4
192.168.XXX.1
192.168.XXX.2
192.168.XXX.3
The main difference being that they can auto-configure addresses for themselves in this space without DHCP or manually assigning numbers without fears of conflict.

Regarding client vs LAN IP
When I have the router be the tunnel endpoint it has an explicit GUI setting for everything you described. The client address is used as the WAN interface v6 address and the LAN range is sent to the LAN as a router advertisement prefix. This all seems to be correct given what you have described.

On the single machine setup (where the computer itself is the tunnel endpoint) does anyone know the steps to configure (either via gui or command line config) the system to present a "localhost" router advertisement that the en0 interface could pick up and autoconfigure from or a way to manually assign an address and "router" to the

I have tried (in the gui) assigning the LAN address as the en0 interface address and setting the router address to either the tunnel's fe80:: address as listed in ifconfig or the client tunnel endpoint. The result is that all v6 traffic breaks down until I remove the en0 address and run the set default v6 route command again. Does anyone know what I might be doing wrong here?

For reference, setting the address manually with the link local address of my router in the home network works fine. Is there something about the tunnel's link local address that makes this not work?

jimb

Quote from: thorvoquien on July 03, 2010, 06:15:28 AM
Okay, to try and be very clear here.

All machines on a single subnet home LAN are intended to share a /64.

eg
2001:db8:1234:XXXX::1
2001:db8:1234:XXXX::2
2001:db8:1234:XXXX::3

in the same way they share a single subnet LAN today under IPv4
192.168.XXX.1
192.168.XXX.2
192.168.XXX.3
The main difference being that they can auto-configure addresses for themselves in this space without DHCP or manually assigning numbers without fears of conflict.

Yes.  For IPv6, think of a /64 as the default LAN size.  IPv6 autoconfiguration doesn't work with longer prefix lengths.  You can run longer prefixes on your LANs, but it'll break certain things.  If you need more than one subnet, request a /48 and break it into /64s.

Subnetting in IPv6 isn't any different than IPv4 really.  Just uses bigger addresses.  Subnetting under IPv6 is simpler, since there are essentially "standardized" prefix lengths to use for different things (ISPs get /32s [or bigger], businesses/home users get /48s or /56s, or maybe /60s, and LANs are /64s), in contrast to IPv4 with a complex VLSM situation.  Under IPv4 you would always have to carefully assign your address space with conservation in mind, and balance subnet size with the number of networks you think you might need, etc.  With IPv6 LANs are all /64s, and you'll never run out of addresses in a LAN since you have 2^64 - 1 to work with.  And you won't have to worry about running out of subnets since it'll be trivial to get a /48, which gives you 64k subnets to work with.  The huge amount of address space makes subnetting far simpler, easier to identify (think quick: what network is 192.0.2.219/27 on!  Now, try: 2001:db8:1234:10::1/64), etc, etc.

Quote
Regarding client vs LAN IP
When I have the router be the tunnel endpoint it has an explicit GUI setting for everything you described. The client address is used as the WAN interface v6 address and the LAN range is sent to the LAN as a router advertisement prefix. This all seems to be correct given what you have described.

On the single machine setup (where the computer itself is the tunnel endpoint) does anyone know the steps to configure (either via gui or command line config) the system to present a "localhost" router advertisement that the en0 interface could pick up and autoconfigure from or a way to manually assign an address and "router" to the

I have tried (in the gui) assigning the LAN address as the en0 interface address and setting the router address to either the tunnel's fe80:: address as listed in ifconfig or the client tunnel endpoint. The result is that all v6 traffic breaks down until I remove the en0 address and run the set default v6 route command again. Does anyone know what I might be doing wrong here?

For reference, setting the address manually with the link local address of my router in the home network works fine. Is there something about the tunnel's link local address that makes this not work?

Not exactly sure what you're trying to do here, but I'm assuming that you want to assign an address out of your routed /64 on a single tunnel connected computer and use that instead of the address on your tunnel interface.  If the computer has the ethernet interface plugged in, you merely add an IPv6 to the ethernet interface from the routed 64.  If it's not, then you can add one to your loopback interface.  As for autoconfiguring, well, I don't think that'll work on the machine which is actually doing the route advertisements.

thorvoquien

Quote from: jimb on July 03, 2010, 07:14:32 PM
Not exactly sure what you're trying to do here, but I'm assuming that you want to assign an address out of your routed /64 on a single tunnel connected computer and use that instead of the address on your tunnel interface.  If the computer has the ethernet interface plugged in, you merely add an IPv6 to the ethernet interface from the routed 64.  If it's not, then you can add one to your loopback interface.  As for autoconfiguring, well, I don't think that'll work on the machine which is actually doing the route advertisements.

Thanks for your help so far!

To answer this question, yes, what I want is to have (ideally) my ethernet interface assigned (manually or otherwise) an address from the routed /64. I would like to do this for two reasons. 1. I would like the GUI system preferences to show an IPv6 address. 2. I would like to be able to use reverse DNS on that machine. HE only delegates reverse dns for the routed /64 and handles reverse dns for the tunnel endpoints on their own, producing much longer (and non-symmetric with the hostnames I want to assign) reverse dns.

I tried manually assigning an IPv6 address both via the GUI and via command line ifconfig. I cannot figure out a proper routing setup between the machine's various interfaces that doesn't result in nothing being routed at all.

Routing Setup with ethernet routing to the tunnel. Default route is ethernet with its gateway being the local tunnel endpoint. (doesn't work)

default                                 2001:470:XXX0:17d::1            UGSc            en0
::1                                     ::1                             UH              lo0
2001:470:XXX0:17d::1                    2001:470:XXX0:17d::2            UH             gif0
2001:470:XXX0:17d::2                    link#2                          UHL             lo0
2001:470:XXX1:17d::/64                  link#4                          UC              en0
2001:470:XXX1:17d::1                    YY:YY:YY:YY:YY:YY               UHL             lo0


Routing Setup with tunnel only. Default route is the local tunnel endpoint itself. (does work)

default                                 2001:470:XXX0:17d::1            UGSc           gif0
::1                                     ::1                             UH              lo0
2001:470:XXX0:17d::1                    2001:470:XXX0:17d::2            UH             gif0
2001:470:XXX0:17d::2                    link#2                          UHL             lo0


How should these look to end up with an ethernet address (or at least a reverse dns lookupable client address in the routed /64 space)?

thorvoquien

Okay I think I have figured out at least one solution that goes most of the way. I have changed my tunnel config script to add an alias address to the gif0 interface before the tunnel v6 address. This changes the default suggested tunnel config for Mac OS X to:


ifconfig gif0 create
ifconfig gif0 tunnel CLIENT_V4 SERVER_V4
ifconfig gif0 inet6 alias CLIENT_ROUTED_V6 prefixlen 64
ifconfig gif0 inet6 CLIENT_TUNNEL_V6 CLIENT_SERVER_V6 prefixlen 128
route -n add -inet6 default CLIENT_SERVER_V6


The result is that the client will answer to both the tunnel v6 address and the routed v6 address and the default v6 address that packets sent from the machine use is the CLIENT_ROUTED_V6 address. The routed v6 address can be set up with forward and reverse dns at dns.he.net (or elsewhere). The routed v6 address still doesn't show up in the GUI but we get everything important.
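
The reverse DNS point from this thread, as an added example that is not part of the original posts: it derives the ip6.arpa zone name for a delegated routed /64 and emits a PTR record only for addresses that fall inside it. The addresses are constructed documentation-range stand-ins for the masked tunnel and routed prefixes, and the hostname is a placeholder.

```python
import ipaddress

ROUTED_64 = "2001:db8:1:17d::/64"      # constructed stand-in for the routed /64
TUNNEL_CLIENT = "2001:db8:0:17d::2"    # constructed stand-in for the tunnel client address
ROUTED_HOST = "2001:db8:1:17d::10"     # constructed alias address inside the routed /64

def reverse_zone(prefix):
    """ip6.arpa zone name covering `prefix` (must end on a nibble boundary)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("prefix must end on a 4-bit boundary")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

def ptr_record(address, delegated_prefix, hostname):
    """Zone-file PTR line, or None if the address is outside the delegation."""
    addr = ipaddress.IPv6Address(address)
    if addr not in ipaddress.IPv6Network(delegated_prefix):
        return None  # e.g. the tunnel endpoint: its reverse zone is not yours
    return "%s. IN PTR %s." % (addr.reverse_pointer, hostname)

if __name__ == "__main__":
    print("delegated zone:", reverse_zone(ROUTED_64))
    for a in (TUNNEL_CLIENT, ROUTED_HOST):
        rec = ptr_record(a, ROUTED_64, "mac.example.net")
        print(a, "->", rec or "outside the delegated /64, no PTR possible here")
```
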

jimb

OK.  Now it seems like what you're really trying to do is prefer your routed /64 from your router for outgoing and incoming connections.  For incoming, it's easy, just advertise your servers using the routed /64.  For outgoing, you must configure whatever software you are using to use the routed /64 IPv6 as the source.

What you're doing now works but is a bit of a hack.