A couple of year ago, I moved into a new flat that comes with RJ45 sockets wired for 10 Gigabit (but currently offering 1 Gigabit) Ethernet.
This also meant changing the settings on my router box for my new ISP.
I took this opportunity to review my router's other settings too. I'll be blogging about these over the next few posts.
Adding IPv6 support to my home LAN
I have been following the evolution of IPv6 ever since the KAME project produced the first IPv6 implementation. I have also been keeping track of the IPv4 address depletion.
Around the time the IPv6 Day was organized in 2011, I started investigating the situation of IPv6 support at local ISPs.
Well, never mind all those rumors about Finland being some high-tech mecca. Back then, no ISP went beyond testing their routers for IPv6 compatibility and producing white papers on what their limited test deployments accomplished.
Not that it matters much, in practice. Most IPv6 documentation out there, including Debian's own, still focuses on configuring transitional mechanisms, especially how to connect to a public IPv6 tunnel broker.
Relocating to a new flat and rethinking my home network to match gave me an opportunity to revisit the topic. Much to my delight, my current ISP offers native IPv6.
This prompted me to go back and read up on IPv6 one more time. One important detail:
IPv6 hosts are globally reachable.
The implications of this don't immediately spring to mind for someone used to IPv4 network address translation (NAT):
Any network service running on an IPv6 host can be reached by anyone anywhere.
Contrary to IPv4, there is no division between private and public IP addresses. Whereas a device behind an IPv4 NAT essentially is shielded from the outside world, IPv6 breaks this assumption in more than one way. Not only is the host reachable from anywhere, its default IPv6 address is a mathematical conversion (EUI-64) of the network interface's MAC address, which makes every connection forensically traceable to a unique device.
Basically, if you hadn't given much thought to firewalls until now, IPv6 should give you enough goose bumps to get around it. Tightening the configuration of every network service is also an absolute must. For instance, I configured sshd to only listen to private IPv4 addresses.
What /etc/network/interfaces might look like on an dual-stack (IPv4 + IPv6) host:
allow-hotplug enp9s0 iface enp9s0 inet dhcp iface enp9s0 inet6 auto privext 2 dhcp 1
The auto method means that IPv6 will be auto-configured using SLAAC; privext 2 enables IPv6 privacy options and specifies that we prefer connecting via the randomly-generated IPv6 address, rather than the EUI-64 calculated MAC specific address; dhcp 1 enables passive DHCPv6 to fetch additional routing information.
The above works for most desktop and laptop configurations.
Where things got more complicated is on the router. I decided early on to keep NAT to provide an IPv4 route to the outside world. Now how exactly is IPv6 routing done? Every node along the line must have its own IPv6 address... including the router's LAN interface. This is accomplished using the sample script found in Debian's IPv6 prefix delegation wiki page. I modified mine as follows (the rest of the script is omitted for clarity):
#Both LAN interfaces on my private network are bridged via br0 IA_PD_IFACE="br0" IA_PD_SERVICES="dnsmasq" IA_PD_IPV6CALC="/usr/bin/ipv6calc"
Just put the script at the suggested location. We'll need to request a prefix on the router's outside interface to utilize it. This gives us the following interfaces file:
allow-hotplug enp2s4 enp2s8 enp2s9 auto br0 iface enp2s4 inet dhcp iface enp2s4 inet6 auto request_prefix 1 privext 2 dhcp 1 iface enp2s8 inet manual iface enp2s8 inet6 manual iface enp2s9 inet manual iface enp2s9 inet6 manual iface br0 inet static bridge_ports enp2s8 enp2s9 address 10.10.10.254 iface br0 inet6 manual bridge_ports enp2s8 enp2s9 # IPv6 from /etc/dhcp/dhclient-exit-hooks.d/prefix_delegation
The IPv4 NAT and IPv6 Bridge script on my router looks as follows:
#!/bin/sh PATH="/usr/sbin:/sbin:/usr/bin:/bin" wan=enp2s4 lan=br0 ######################################################################## # IPv4 NAT iptables -F; iptables -t nat -F; iptables -t mangle -F iptables -X; iptables -t nat -X; iptables -t mangle -X iptables -Z; iptables -t nat -Z; iptables -t mangle -Z iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE echo 1 > /proc/sys/net/ipv4/ip_forward ######################################################################## # IPv6 bridge ip6tables -F; ip6tables -X; ip6tables -Z # Default policy DROP ip6tables -P FORWARD DROP # Allow ICMPv6 forwarding ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT # Allow established connections ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT # Accept packets FROM LAN to everywhere ip6tables -I FORWARD -i $lan -j ACCEPT echo 1 > /proc/sys/net/ipv6/conf/all/forwarding echo 1 > /proc/sys/net/ipv6/conf/default/forwarding # IPv6 propagation via /etc/dhcp/dhclient-exit-hooks.d/prefix_delegation
The above already provided enough IPv6 connectivity to pass the IPv6 test on my desktop inside the LAN.
To make things more fun, I enabled DHCPv6 support for my LAN on the router's dnsmasq by adding the last 3 lines to the configuration:
dhcp-hostsfile=/etc/dnsmasq-ethersfile bind-interfaces interface=br0 except-interface=enp2s4 no-dhcp-interface=enp2s4 dhcp-range=tag:br0,10.10.10.0,static,infinite dhcp-range=tag:br0,::1,constructor:br0,ra-names,ra-stateless,infinite enable-ra dhcp-option=option6:dns-server,[::],[2606:4700:4700::1111],[2001:4860:4860::8888]
The 5 first lines (included here for emphasis) are extremely important: they ensure that dnsmasq won't provide any IPv4 or IPv6 service to the outside interface (enp2s4) and that DHCP will only be provided for LAN hosts whose MAC address is known. Line 6 shows how dnsmasq's DHCP service syntax differs between IPv4 and IPv6. The rest of my configuration was omitted on purpose.
Enabling native IPv6 on my LAN has been an interesting experiment. I'm sure that someone could come up with even better ip6tables rules for the router or for my desktop hosts. Feel free to mention them in the blog's comment.
No comments:
Post a Comment