IPv6 routing questions

[sei]

Hello all,

I hope this is the right forum for my question.
First I would like to describe my situation. My ISP at home (unitymedia in Germany) changed my internet cable connection to IPv6 with DS-Lite. DS-Lite ist not a good solution for me, because I have a server at home, which I would like to be reachable from the internet. As a quick solution I rent a hosted virtual server with a static IPv4 address to provide my most important services.
My first question now is, if it is common practice by ISPs to assign dynamic IPv6 addresses? What is the sense, actually there is no IPv6 address shortage. Why they do not give me a static IPv6 subnet, which I could use in my LAN at home? How could I have a persistent network configuration with this connection? How could I write firewall rules with every host in my LAN has changing IPs? Also my ISP is such a genius that they give me a router (Cisco EPC3208G) that autoconfigures my hosts with IPv6 addresses, routing and DNS resolvers. The DNS resolvers of the ISP of cource, which do not know my network printer and I wonder why I cannot print anymore. Also I do not have access to the configuration options of the router to use stateless DHCPv6 with my own DHCPv6 server. The short form, my provider gives me a nearly unusable native IPv6 and very limited IPv4.
Now comes the tricky part for me.
I had the idea, to use my IPv4 only VPS as my own gateway to the IPv4 world.
Is it possible to set up a IPv6 tunnel between my VPS and my home server, using Tunnelbroker on the IPv4-only VPS?
Then route my IPv4 traffic from my home LAN through the IPv6 tunnel to my VPS and from there to the IPv4 internet. Perhaps this works better than the DS-Lite of my ISP. And I have a static IPv4 from which I could route requests from the IPv4 internet to the server in my home LAN.
Does anybody know a Linux based solution for a "IPv4 in IPv6"-Tunnel on Linux. Both my home server and the VPS run Ubuntu linux.

I know this was a lot of text and questions, but I hope I could describe my situation and why I have such a unconventional plan.

Best regards and thanks in advance,
Sven

[kasperd]

As a quick solution I rent a hosted virtual server with a static IPv4 address to provide my most important services.

If you have services, which need to be accessible to people other than yourself, you'll probably have to keep that server for years to come.

Out of curiosity, which provider did you choose? I just got myself a virtual server at Hetzner.

My first question now is, if it is common practice by ISPs to assign dynamic IPv6 addresses?

In Denmark it is common practice among ISPs to pretend IPv4 shortage isn't a problem and that NAT is such a great solution that more layers of NAT is a much better solution than IPv6.

What is the sense, actually there is no IPv6 address shortage. Why they do not give me a static IPv6 subnet, which I could use in my LAN at home?

They are supposed to route a static subnet to you. And it certainly would be easier to manage, if they give a static IPv6 prefix to each customer. The easiest way to get you IPv6 probably is to just provide you with a static /64 on the link and no routed prefix. That is what I got on my virtual server, which is the only place I have native IPv6 access.

How could I have a persistent network configuration with this connection? How could I write firewall rules with every host in my LAN has changing IPs? Also my ISP is such a genius that they give me a router (Cisco EPC3208G) that autoconfigures my hosts with IPv6 addresses, routing and DNS resolvers. The DNS resolvers of the ISP of cource, which do not know my network printer and I wonder why I cannot print anymore.

If you have your own domain and setup the proper records to point to IPv6 addresses on your LAN, then you can also resolve those names through the resolvers of your ISP.

Also I do not have access to the configuration options of the router to use stateless DHCPv6 with my own DHCPv6 server. The short form, my provider gives me a nearly unusable native IPv6 and very limited IPv4.

I am not convinced your IPv6 connectivity is unusable. Given the information provided so far, I find it more likely that it is just a matter of configuring devices on your LAN appropriately, than your ISP really giving you addresses from varying subnets.

If you'd be prepared to experiment a little bit, could you try the following:
1. Find out which IPv6 addresses are visible on your network (ping6 -n ff02::1%eth0 if you are using Linux).
2. Go to my test page http://test-ipv6.netiter.dk/
3. Take note of your IPv6 address mentioned on that page
4. Restart the EPC3208G
5. Once you have a received a new IPv6 address repeat step 1 and 2.
6. Find out which parts of the IPv6 address changed, and which parts remained the same.

I had the idea, to use my IPv4 only VPS as my own gateway to the IPv4 world.
Is it possible to set up a IPv6 tunnel between my VPS and my home server, using Tunnelbroker on the IPv4-only VPS?
Then route my IPv4 traffic from my home LAN through the IPv6 tunnel to my VPS and from there to the IPv4 internet.

Yes, that is possible. But I would recommend a VPS with native dual stack. Ideally the tunnel between your home and the VPS can use different redundant sorts of connectivity.

With the right software on a device you have at home and matching software on your VPS, you have many different ways to get packets between your home and the VPS.

• IPv4 through DS-lite from the device at home to the static IPv4 address of your VPS
• IPv6 using native IPv6 address of the VPS
• IPv6 using tunnelbroker.net address of the VPS
• IPv6 using 6to4 address of the VPS
• IPv6 using Teredo address of the VPS

You'll only see all of those fail simultaneously if one of the endpoints is really disconnected from the network.

Perhaps this works better than the DS-Lite of my ISP.

Perhaps. But the way to get reliability is by having redundant connectivity. I think before deciding on any solution, it would be better to understand what sort of IPv6 connectivity you have.

You should also consider, that there may be simpler solutions. http://en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers mentions three different 4in6 providers.

[sei]

Thank you for your quick reply.

My virtual server is at Giga hosting (www.giga-hosting.biz) located in Munich. I did not spend to much time on searching a VPS hoster, it was a fair offer and it runs fine up to now. Missing IPv6 is the only issue, but I asked their support today and they plan IPv6 on their VPS in early summer 2013.

I am very new to the hole IPv6 topic, my ISP forced me to dive into IPv6 a week ago be switching my connection to DS-Lite. I do not think I already understood everything, so I thank you very much for your support.
I will test your suggestions when I am at home at night.
If the IPv6 subnet assigned by my ISP does not change, can I rely on that fact? Does that mean I can assign IPv6 addresses statically to the hosts in my LAN and write AAAA and reverse records in my DNS server? Will they also have IPv6 privacy extensions addresses, if I assign static addresses?

Another issue about which I am not sure:
The IPv6 firewall in the Cisco EPC3208G is crap. I can activate it, then it blocks everything from the internet or I can deactivate it, and all my hosts global scope IPv6 address are reachable from the internet. Both I do not want. I want a solution to be able to open some ports on a specific host and block the rest. In old IPv4 days I did this with shorewall and DNAT port forwarding. This is not necessary with IPv6, I know.
So my question is, how could a network setup look, where I have an IPv6 Linux firewall directly behind the open Cisco EPC3208G and my LAN behind the linux IPv6 firewall. How could the Cisco know, to route incoming traffic over the linux IPv6 firewall?

Thanks and best regards,
Sven

[kasperd]

If the IPv6 subnet assigned by my ISP does not change, can I rely on that fact?

Can you ever really rely on anything from an ISP? If you can shut down the router for a few minutes and still have the same prefix when it comes back online, then chances are you'll be able to keep that prefix for a long time. That doesn't mean it can never change.

If the prefix does change at some point, then you may have to reconfigure your hosts and update DNS. I don't know how much that can be automated with existing tools. You may want to avoid the most obvious fixed addresses, such that until you get your DNS records updated, they will not respond rather than pointing to somebody else's computer.

For example if you assigned 2001:db8:1:2::2 to your server, and 2001:db8:1:2::/64 was given to another customer, he too might use 2001:db8:1:2::2. If instead you had originally used 2001:db8:1:2:0:1810:7dc:c741, then if 2001:db8:1:2::/64 was given to another customer, it is unlikely that 2001:db8:1:2:0:1810:7dc:c741 would be responding. And until you update DNS, there will be no response rather than users getting connected to the wrong server.

I think the problem is unlikely to happen in any case, since most likely the prefix remains static for a long time, and most people will be using IP addresses based on MAC address or privacy addresses.

Does that mean I can assign IPv6 addresses statically to the hosts in my LAN and write AAAA and reverse records in my DNS server?

You can assign static IPv6 addresses and put those in AAAA records. You probably won't have much chance of getting reverse DNS records.

Will they also have IPv6 privacy extensions addresses, if I assign static addresses?

That depends on the OS on the individual hosts. There is nothing in the protocol preventing a host with a static IPv6 address from acquiring a privacy address as well and use that for connections initiated by the host.

So my question is, how could a network setup look, where I have an IPv6 Linux firewall directly behind the open Cisco EPC3208G and my LAN behind the linux IPv6 firewall. How could the Cisco know, to route incoming traffic over the linux IPv6 firewall?

Yes you can do that. Having a prefix routed to your own firewall would be ideal for that. But even if you cannot get that prefix routed, it is still possible to do.

What you are going to need in that case is a bridging firewall. A typical firewall is a router with packet filtering capabilities. A bridging firewall is a switch with packet filtering capabilities. I have at one point in the past configured a very basic bridging firewall using Linux. (I had two DHCP servers on the same segment, and I needed the bridging firewall to control which MAC address used which DHCP server). What you need to use for that is ebtables. I don't know how advanced filtering you can do with ebtables, since what I needed was much simpler, than what you need.

[sei]

Great idea with the bridge firewall and thank you for the tip with the non-trivial IPv6-addresses!
I think, I will use the MAC-address related IPv6-address like SLAAC.
Because my Linux-Box is a Mini-ITX with only one ethernet interface, again I need a complicated setup.
But this setup should work in my opinion:
I will use a 802.1q VLAN tag switch. VLAN 10 for Cisco and Linux-Box (should give me vlan interface eth0.10 on linux) and VLAN 20 for LAN and Linux-Box (should give me vlan interface eth0.20 on linux). Now I define a bridge interface br0 on the Linux-Box between eth0.10 and eth0.20. So the two VLANs 10 and 20 will be connected and I can hook up my iptables and ip6tables (shorewall and shorewall6). The clients in the LAN and the Linux-Box use the Cisco as default gateway, so everything from and to the LAN has to pass the linux firewall and the cisco does not know anything about the firewall.

[kasperd]

I will use a 802.1q VLAN tag switch. VLAN 10 for Cisco and Linux-Box (should give me vlan interface eth0.10 on linux) and VLAN 20 for LAN and Linux-Box (should give me vlan interface eth0.20 on linux). Now I define a bridge interface br0 on the Linux-Box between eth0.10 and eth0.20. So the two VLANs 10 and 20 will be connected and I can hook up my iptables and ip6tables (shorewall and shorewall6). The clients in the LAN and the Linux-Box use the Cisco as default gateway, so everything from and to the LAN has to pass the linux firewall and the cisco does not know anything about the firewall.

That should work assuming your switch and the network interface in the Linux box both support VLAN tagging. Remember that you definitely don't want the switch to permit configuration over the VLAN connected to the router.

[kasperd]

In my log I see that the test page has been accessed from two different Unitymedia IPv6 addresses (and one IPv4 address). The two IPv6 addresses are both in the same /64 block. That is consistent with what I was expecting. I cannot see from my log if you restarted the router in between, but assuming you did, then you got the same /64 again.

One minor concern regarding the test results is the use of a third party Teredo relay. Looks like Unitymedia do not have their own Teredo relay and is instead relying on a third party relay. I have seen the same Teredo relay used by ISPs in Denmark, and I think that Teredo relay is located in Amsterdam.

Normally I would recommend that you set up your own Teredo relay at home using the Miredo software. Unfortunately, that isn't an option in your case, as you don't have the single public IPv4 address, which it requires. (Actually it requires just a single UDP port on a public IPv4 address, but even that you don't have).

What this means is that my previous suggestion about using a Teredo address on the VPS is not going to be as reliable as it could have been. But considering that was only suggested as one of multiple redundant methods of connectivity, it isn't critical.

If you are going to use a laptop to connect back home and that laptop is sometimes on networks where you don't have a public IPv4 address and you don't have any IPv6 address, then a Teredo client on the laptop could give a reliable connection back home assuming your home network had a reliable Teredo relay. I don't know exactly how reliable that third party relay is.

If the Teredo relay turns out to be unreliable and if that causes any problems for you, what you should do is to learn how to spot problems with the Teredo relay and contact your ISP every time you see problems with it. Even though it is a third party relay, as a customer you should still consider it your ISP's responsibility. It is still their job to figure out if they provide the most reliable service using a third party relay or by running their own.

If you are not going to communicate with Teredo clients, you can ignore the Teredo relay completely.