[Redbrick-ipv6] RedBrick IPv6 Network

Colm MacCarthaigh colmmacc at redbrick.dcu.ie
Thu Dec 18 11:29:31 GMT 2003


After a gap of almost a year on the project, RedBrick now has working
IPv6 connectivity, making us the first Networking Society in Ireland
to offer IPv6 services (though not the first to have IPv6 - that honour
goes to TCD netsoc).

  colmmacc at carbon (~) $ ping6 www.ipv6.net
  PING www.ipv6.net(cl-111.ams-04.nl.sixxs.net) 56 data bytes
  64 bytes from cl-111.ams-04.nl.sixxs.net: icmp_seq=1 ttl=57 time=186 ms
  64 bytes from cl-111.ams-04.nl.sixxs.net: icmp_seq=2 ttl=57 time=182 ms
  64 bytes from cl-111.ams-04.nl.sixxs.net: icmp_seq=3 ttl=57 time=182 ms
  64 bytes from cl-111.ams-04.nl.sixxs.net: icmp_seq=4 ttl=57 time=189 ms
  64 bytes from cl-111.ams-04.nl.sixxs.net: icmp_seq=5 ttl=57 time=186 ms

  --- www.ipv6.net ping statistics ---
  5 packets transmitted, 5 received, 0% loss, time 4042ms
  rtt min/avg/max/mdev = 182.263/185.266/189.177/2.674 ms

Earlier this week, James Healy (DCU CSD) was able to open up protocol
41 access between RedBrick and a SixXS IPv6 node in HEAnet, after
we gave some assurances and explained it all. James has also given 
us full access to the RedBrick switch, which also helped with the move
:)

I'll try and explain how it all works, for future reference, and
because well - we're a networking society. Feel free to ask for
more if I haven't explained something well.

First of all, our access is through a SixXS (www.sixxs.net) PoP located
in HEAnet, and we are tunneling an IPv6 allocation over IPv4 to this. The
tunnel is a /64; we then route our IPv6 allocation over the tunnel. The
allocation is a /48. For now, deathray is the nominated IPv6 router and
firewall.


   136.206.15.3 < ----- Protocol 41 over IPv4 -----> 193.1.31.74

        2001:770:100:9::2                  2001:770:100:9::1


Our tunnel (2001:770:100:9::/64) is SixXS tunnel number 1900, and is 
registered in my NIC handle (CM2064-RIPE). It's configured on deathray
with;

  auto sixxs
  iface sixxs inet6 v4tunnel
    address 2001:770:100:9::2
    netmask 64
    endpoint 193.1.31.74
    ttl 64
    up ip link set mtu 1280 dev sixxs
    up ip route add 2000::/3 via 2001:770:100:9::1 dev sixxs


in /etc/network/interfaces. If anyone else has a RIPE or 6bone NIC handle
and would like to be appended to the allocation, mail and I'll see what
I can sort out. Our allocation is;

	2001:770:107::/48

And this is routed over our tunnel. So, from an IPv6 topology point
of view;


                     ->  2001:770:107::/48 ->                

	    SixXS				Deathray
	2001:770:100:9::1		   2001:770:100:9::2

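The tunnel above is plain 6in4: an IPv4 packet with protocol number 41 whose payload is a complete IPv6 packet. The following is an added example (not code from the post, SixXS or HEAnet) that builds such a packet and applies the checks a tunnel endpoint, or a border filter like the protocol 41 rule James opened, should make before passing it on: the outer addresses must be our two endpoints and the inner destination must fall inside the link /64 or the /48. The endpoints and prefixes are the ones from the post; the packets are constructed inline for the demonstration.

```python
"""6in4 (IPv4 protocol 41) sanity checks for the RedBrick/SixXS tunnel.

Added example, not code from the post: a 6in4 endpoint that does not pin
the outer IPv4 source lets any IPv4 host on the Internet inject arbitrary
IPv6 packets into the tunnel, so the outer source is checked first.
"""
import ipaddress
import struct

# Tunnel endpoints and prefixes as given in the post.
LOCAL_V4 = ipaddress.ip_address("136.206.15.3")
REMOTE_V4 = ipaddress.ip_address("193.1.31.74")
OUR_PREFIXES = [ipaddress.ip_network("2001:770:100:9::/64"),
                ipaddress.ip_network("2001:770:107::/48")]
PROTO_6IN4 = 41


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_6in4(outer_src, outer_dst, inner_src, inner_dst,
               payload=b"", ttl=64, hop_limit=64) -> bytes:
    """Constructed test packet: IPv4 header (proto 41) wrapping a bare IPv6 header."""
    inner = struct.pack("!IHBB16s16s",
                        0x60000000,            # version 6, traffic class 0, flow label 0
                        len(payload),
                        59,                    # next header 59: no next header
                        hop_limit,
                        ipaddress.IPv6Address(inner_src).packed,
                        ipaddress.IPv6Address(inner_dst).packed) + payload
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(inner), 0, 0x4000,   # IHL 5, DF set
                      ttl, PROTO_6IN4, 0,                    # checksum filled below
                      ipaddress.IPv4Address(outer_src).packed,
                      ipaddress.IPv4Address(outer_dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + inner


def check_6in4(pkt: bytes):
    """Return (accept, reason) for a raw IPv4 packet arriving for the tunnel."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False, "not IPv4"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return False, "bad IHL"
    if ipv4_checksum(pkt[:ihl]) != 0:
        return False, "bad IPv4 header checksum"
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len > len(pkt) or total_len < ihl:
        return False, "truncated"
    if pkt[9] != PROTO_6IN4:
        return False, "not protocol 41"
    outer_src = ipaddress.ip_address(pkt[12:16])
    outer_dst = ipaddress.ip_address(pkt[16:20])
    if outer_dst != LOCAL_V4:
        return False, "outer dst is not our endpoint"
    if outer_src != REMOTE_V4:
        return False, "outer src is not the SixXS PoP"
    inner = pkt[ihl:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return False, "payload is not an IPv6 packet"
    inner_dst = ipaddress.ip_address(inner[24:40])
    if not any(inner_dst in p for p in OUR_PREFIXES):
        return False, "inner dst %s is not in our prefixes" % inner_dst
    return True, "ok"


if __name__ == "__main__":
    good = build_6in4("193.1.31.74", "136.206.15.3",
                      "2001:770:100:9::1", "2001:770:107:15:206:5bff:fefc:fb70")
    spoofed = build_6in4("10.0.0.1", "136.206.15.3",
                         "2001:770:100:9::1", "2001:770:107::1")
    stray = build_6in4("193.1.31.74", "136.206.15.3",
                       "2001:770:100:9::1", "2001:db8::1")
    for name, p in (("good", good), ("spoofed", spoofed), ("stray", stray)):
        print(name, check_6in4(p))
```

The inner destination test is what keeps the tunnel from being used as a transit path for prefixes we do not own; the outer source test is what the DCU protocol 41 filter enforces at the border.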

So, deathray is the IPv6 router on our end. I've added an IPv6 firewall
using ip6tables to deathray, which meets both our (only allow inbound
on services we offer) and James's (Don't allow any outbound)
requirements. The ruleset is;

  # This is the subnet used for the tunnel itself,
  # and is used only for routing.
  LINK="2001:770:100:9::2/64"

  # This is RedBrick's IPv6 Allocation
  ALLOCATION="2001:770:107::/48"

  # Flush the existing rules
  ip6tables -F INPUT
  ip6tables -F OUTPUT

  # Allow IPv6 ICMP 
  ip6tables -A INPUT  -i sixxs -p icmpv6 -d $LINK       -j ACCEPT 
  ip6tables -A OUTPUT -o sixxs -p icmpv6 -s $LINK       -j ACCEPT 
  ip6tables -A INPUT  -i sixxs -p icmpv6 -d $ALLOCATION -j ACCEPT 
  ip6tables -A OUTPUT -o sixxs -p icmpv6 -s $ALLOCATION -j ACCEPT 

  # ip6tables does not yet have connection tracking, so we permit
  # packets which claim to be established (same as Cisco established)
  ip6tables -A INPUT  -i sixxs -p tcp -d $ALLOCATION ! --syn -j ACCEPT
  ip6tables -A OUTPUT -o sixxs -p tcp -s $ALLOCATION ! --syn -j ACCEPT

  # Allow ssh, web, mail, imap, https and irc inbound
  ip6tables -A INPUT  -i sixxs -p tcp -d $ALLOCATION --dport 22   -j ACCEPT
  ip6tables -A INPUT  -i sixxs -p tcp -d $ALLOCATION --dport 25   -j ACCEPT
  ip6tables -A INPUT  -i sixxs -p tcp -d $ALLOCATION --dport 80   -j ACCEPT
  ip6tables -A INPUT  -i sixxs -p tcp -d $ALLOCATION --dport 143  -j ACCEPT
  ip6tables -A INPUT  -i sixxs -p tcp -d $ALLOCATION --dport 443  -j ACCEPT
  ip6tables -A INPUT  -i sixxs -p tcp -d $ALLOCATION --dport 6667 -j ACCEPT

  # Drop everything else, including all unestablished outbound 
  # connectivity
  ip6tables -A INPUT  -i sixxs -j LOG --log-prefix "INPUT:"
  ip6tables -A INPUT  -i sixxs -j DROP
  ip6tables -A OUTPUT -o sixxs -j LOG --log-prefix "OUTPUT:"
  ip6tables -A OUTPUT -o sixxs -j DROP


Not allowing any outbound is slightly harsh, however it mirrors the IPv4
setup, and is one of the concerns James had about the connectivity. So
for the time being it remains, but will be kept under review. From an
offering-services-to-members point of view, it makes no difference :)
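Two things about the ruleset above are worth seeing concretely before relying on it. First, the "! --syn" trick is stateless: any TCP segment that is not a pure SYN matches it, so an ACK or FIN probe to a closed port on deathray is accepted by the firewall and answered by the kernel with a RST. Second, netfilter only sends packets addressed to deathray itself through INPUT and packets deathray generates through OUTPUT; packets deathray routes on to carbon or prodigy traverse FORWARD, which the ruleset never touches, and the default policy of a built-in chain is ACCEPT unless changed with -P. The following is an added example, not part of the post, that re-implements the match logic of the posted rules in Python and models the chain selection so both effects can be checked. It assumes deathray's own addresses are its tunnel end and the eth0 address given later in the post.

```python
"""Model of the posted ip6tables INPUT/OUTPUT ruleset for interface sixxs.

Added example, not the ruleset itself: it reproduces the rules' match order
so the reader can see which packets they pass, and which packets never
reach them because netfilter routes them through FORWARD instead.
"""
import ipaddress
from dataclasses import dataclass

LINK = ipaddress.ip_network("2001:770:100:9::2/64", strict=False)
ALLOCATION = ipaddress.ip_network("2001:770:107::/48")
SERVICE_PORTS = {22, 25, 80, 143, 443, 6667}
# Assumption: deathray owns its tunnel end and its eth0 address.
DEATHRAY = {ipaddress.ip_address("2001:770:100:9::2"),
            ipaddress.ip_address("2001:770:107:15:20d:56ff:fe70:c857")}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmpv6"
    dport: int = 0
    pure_syn: bool = False   # SYN set, ACK/RST/FIN clear: what iptables --syn matches


def input_chain(p: Packet):
    """First matching rule of the posted INPUT chain, else the final DROP."""
    dst = ipaddress.ip_address(p.dst)
    if p.proto == "icmpv6" and (dst in LINK or dst in ALLOCATION):
        return "ACCEPT", "icmpv6"
    if p.proto == "tcp" and dst in ALLOCATION and not p.pure_syn:
        return "ACCEPT", "! --syn (claims to be established)"
    if p.proto == "tcp" and dst in ALLOCATION and p.dport in SERVICE_PORTS:
        return "ACCEPT", "--dport %d" % p.dport
    return "DROP", "final DROP"


def output_chain(p: Packet):
    """Same for the posted OUTPUT chain, keyed on the source address."""
    src = ipaddress.ip_address(p.src)
    if p.proto == "icmpv6" and (src in LINK or src in ALLOCATION):
        return "ACCEPT", "icmpv6"
    if p.proto == "tcp" and src in ALLOCATION and not p.pure_syn:
        return "ACCEPT", "! --syn (claims to be established)"
    return "DROP", "final DROP"


def inbound(p: Packet):
    """(chain, verdict, reason) for a packet arriving on sixxs from the Internet."""
    if ipaddress.ip_address(p.dst) in DEATHRAY:
        return ("INPUT",) + input_chain(p)
    # Routed packets traverse FORWARD, where the ruleset adds nothing.
    return ("FORWARD", "ACCEPT", "no rules in chain; default policy ACCEPT")


def outbound(p: Packet):
    """(chain, verdict, reason) for a packet leaving on sixxs toward the Internet."""
    if ipaddress.ip_address(p.src) in DEATHRAY:
        return ("OUTPUT",) + output_chain(p)
    return ("FORWARD", "ACCEPT", "no rules in chain; default policy ACCEPT")


if __name__ == "__main__":
    deathray = "2001:770:107:15:20d:56ff:fe70:c857"
    carbon = "2001:770:107:15:206:5bff:fefc:fb70"
    probes = [Packet("2001:db8::1", deathray, "tcp", 22, pure_syn=True),
              Packet("2001:db8::1", deathray, "tcp", 31337, pure_syn=True),
              Packet("2001:db8::1", deathray, "tcp", 31337),            # ACK probe
              Packet("2001:db8::1", carbon, "tcp", 31337, pure_syn=True)]
    for p in probes:
        print("in ", p.dst, p.dport, "syn" if p.pure_syn else "ack", inbound(p))
    print("out", outbound(Packet(deathray, "2001:db8::1", "tcp", 80, pure_syn=True)))
    print("out", outbound(Packet(carbon, "2001:db8::1", "tcp", 80, pure_syn=True)))
```

Running it shows the SYN to port 22 accepted by the dport rule, the SYN to 31337 dropped, the ACK to 31337 accepted by the "! --syn" rule, and the SYN to carbon accepted because it never enters INPUT at all; the same FORWARD gap means carbon's own outbound connections are not subject to the OUTPUT drop. Equivalent rules in FORWARD (or -P FORWARD DROP) close that gap; real stateful filtering of the "! --syn" probes needs ip6 connection tracking, which the comment in the ruleset notes was not available at the time.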

Now, having connectivity and an allocation wouldn't be much use without
the ability to route IPv6, so in /etc/sysctl.conf on deathray, we have;

	net/ipv6/conf/all/forwarding=1

This allows deathray to route IPv6 for all of our hosts. The next
step in the process was to assign IPv6 addresses from our allocation
to Carbon, Prodigy and Deathray. To achieve this we are doing two
things.

First of all, we are only using a /64 from our /48 for the RedBrick
subnet, this gives us lots of spare subnets for later in RedBrick
life. Because we're ".15" in IPv4, I went with 2001:770:107:15::/64.
For deathray itself, the IPv6 address is statically configured, again
in /etc/network/interfaces;

	iface eth0 inet6 static
	   address 2001:770:107:15:20d:56ff:fe70:c857
	   netmask 64

In order to get addresses to other machines on the Subnet, we are using
radvd - the IPv6 router advertisement daemon. This is running on
deathray, and advertising out of eth0. The following is the config
in /etc/radvd.conf;

	interface eth0
	{
	   AdvSendAdvert on;
	   prefix 2001:770:107:15::/64
	   {
	   };
	};

radvd works in IPv6 multicast mode, which means all IPv6 machines 
within a local Ethernet segment will see the router advertisement.
To make sure we didn't end up giving IPv6 addresses to the private
RFC1918 interfaces on carbon/deathray/prodigy, we used our enable
access on the switch yesterday to partition the switchports using
VLANs. It's important that we make sure to keep things this way :)

Anyway, after all that, deathray and carbon were fully working
in IPv6. Prodigy needed us to touch /etc/hostname6.eth0 and reboot
(goddamn Solaris!) but now it too has an IPv6 address. 

	deathray	2001:770:107:15:20D:56FF:FE70:C857
	carbon		2001:770:107:15:206:5BFF:FEFC:FB70
	prodigy		2001:770:107:15:A00:20FF:FEAB:E119
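The three addresses above were not picked by hand: with radvd advertising the prefix and no DHCPv6 in the picture, each host forms its interface identifier from its Ethernet MAC (modified EUI-64: the MAC split in two around ff:fe, with the universal/local bit flipped) and appends it to 2001:770:107:15::/64. The following is an added example, not code from the post, that does the derivation both ways; the MACs in it are recovered from the addresses listed above, so the round trip can be checked. One consequence worth knowing: anyone who sees one of these addresses in a log also learns the host's MAC, including the vendor OUI (prodigy's 08:00:20 is Sun's).

```python
"""Modified EUI-64 interface identifiers as SLAAC derives them.

Added example, not part of the post.  PREFIX is the /64 radvd advertises;
the MACs in HOSTS are what mac_from_address() recovers from the addresses
the post lists for each machine.
"""
import ipaddress

PREFIX = ipaddress.ip_network("2001:770:107:15::/64")


def eui64_interface_id(mac: str) -> int:
    """Insert ff:fe between the OUI and the device part, flip the U/L bit (0x02)."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC like 00:0d:56:70:c8:57")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """The address a host autoconfigures from an advertised /64 and its MAC."""
    if prefix.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 identifiers needs a /64 prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | eui64_interface_id(mac))


def mac_from_address(addr: str):
    """Inverse: the MAC embedded in an EUI-64 address, or None if there is none."""
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join("%02x" % b for b in mac)


# Hosts from the post, MACs recovered from their listed addresses.
HOSTS = {"deathray": "00:0d:56:70:c8:57",
         "carbon":   "00:06:5b:fc:fb:70",
         "prodigy":  "08:00:20:ab:e1:19"}

if __name__ == "__main__":
    for name, mac in HOSTS.items():
        addr = slaac_address(PREFIX, mac)
        print("%-9s %s  %s  -> %s" % (name, mac, addr, mac_from_address(str(addr))))
```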

And the following services have been IPv6 enabled;

	deathray - ssh/scp
	carbon   - ssh/scp
	prodigy	 - ssh/scp,imap,http,webmail

In other words, every outward-facing, user-available service :) 

I've added two reverse DNS zones for our allocation;

	7.0.1.0.0.7.7.0.1.0.0.2.ip6.int
	7.0.1.0.0.7.7.0.1.0.0.2.ip6.arpa

And added the necessary fu for carbon/prodigy/deathray. Fergus has kindly
configured the DCU nameservers to slave the zones from us and serve them,
HEAnet is also acting as a secondary. For the forward zone, I've added
.ipv4 and .ipv6 records, ie;

	Machines;
	carbon.ipv4.redbrick.dcu.ie, carbon.ipv6.redbrick.dcu.ie
	deathray.ipv4.redbrick.dcu.ie, deathray.ipv6.redbrick.dcu.ie
	prodigy.ipv4.redbrick.dcu.ie, prodigy.ipv6.redbrick.dcu.ie
	
	Services;
	www.ipv4.redbrick.dcu.ie, www.ipv6.redbrick.dcu.ie
	login.ipv4.redbrick.dcu.ie, login.ipv6.redbrick.dcu.ie
	lists.ipv4.redbrick.dcu.ie, lists.ipv6.redbrick.dcu.ie
	webmail.ipv4.redbrick.dcu.ie, webmail.ipv6.redbrick.dcu.ie
	imap.ipv4.redbrick.dcu.ie, imap.ipv6.redbrick.dcu.ie


These records are all live now :) They allow you to use DNS to force
which protocol to use. Later this evening, after it's been announced
on .announce, the standard records like "carbon.redbrick.dcu.ie"
and "www.redbrick.dcu.ie" will all get IPv6 addresses as well, this means
people's own machines will decide which protocol to use automatically.
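The two reverse zone names above are the /48 written one hex nibble per label in reverse order under ip6.arpa (and the older ip6.int); each host's PTR record lives at the remaining 20 nibbles of its address, again reversed, relative to that zone. The following is an added example, not the post's zone files, that derives the zone name for any nibble-aligned prefix and emits the PTR records for the three hosts. The PTR targets are assumed to be the .ipv6 forward names the post describes.

```python
"""Reverse zone name and PTR owner names for an IPv6 prefix.

Added example, not part of the post.  HOSTS maps the assumed forward names
to the addresses the post lists; the /48 is RedBrick's allocation.
"""
import ipaddress


def reverse_zone(prefix: str, suffix: str = "ip6.arpa") -> str:
    """Zone name for a prefix whose length is a multiple of 4 bits."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen % 4:
        raise ValueError("reverse zones cut on nibble boundaries (prefixlen % 4 == 0)")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + "." + suffix


def ptr_owner(addr: str, prefix: str) -> str:
    """PTR owner name of addr relative to reverse_zone(prefix)."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen % 4:
        raise ValueError("reverse zones cut on nibble boundaries (prefixlen % 4 == 0)")
    ip = ipaddress.IPv6Address(addr)
    if ip not in net:
        raise ValueError("%s is not inside %s" % (ip, net))
    nibbles = ip.exploded.replace(":", "")[net.prefixlen // 4:]
    return ".".join(reversed(nibbles))


def zone_records(prefix: str, hosts: dict, suffix: str = "ip6.arpa") -> list:
    """$ORIGIN line plus one PTR per host, owner names relative to the zone."""
    lines = ["$ORIGIN %s." % reverse_zone(prefix, suffix)]
    for name, addr in hosts.items():
        lines.append("%s IN PTR %s." % (ptr_owner(addr, prefix), name))
    return lines


ALLOCATION = "2001:770:107::/48"
HOSTS = {"deathray.ipv6.redbrick.dcu.ie": "2001:770:107:15:20d:56ff:fe70:c857",
         "carbon.ipv6.redbrick.dcu.ie":   "2001:770:107:15:206:5bff:fefc:fb70",
         "prodigy.ipv6.redbrick.dcu.ie":  "2001:770:107:15:a00:20ff:feab:e119"}

if __name__ == "__main__":
    for suffix in ("ip6.arpa", "ip6.int"):
        print("\n".join(zone_records(ALLOCATION, HOSTS, suffix)))
        print()
```

Joining ptr_owner() and reverse_zone() with a dot gives the same name as Python's ipaddress.IPv6Address(addr).reverse_pointer, which is a quick way to check a hand-edited zone.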

That's it, I think :) People should now come up with cool uses of 
addresses, we have several billion now.

I realise a lot of that will have been gobbledegook to people, but don't
worry, over the next few weeks, we'll be explaining more about IPv6 from
the basics up :)

It's likely there may be some problems with the config of our services,
so if you have IPv6, please try it out with RedBrick, and notify us
of all problems. 

-- 
colmmacc at redbrick.dcu.ie        PubKey: colmmacc+pgp at redbrick.dcu.ie  
Web:                                 http://devnull.redbrick.dcu.ie/ 



