newspaint

Documenting Problems That Were Difficult To Find The Answer To

Making My Website IPv6 Enabled

Given that many other big companies switched on IPv6 on 2012-06-06, I decided it was time to IPv6-enable my company website.

I asked my hosting provider to tell me my network address and they gave me a /64 prefix. I could pick whatever I wanted for the host portion of the address. I won’t reveal the actual network address but for the purposes of this article I will use 2001:db8:beef:2::/64.

I am using Debian for my operating system. I will go through the procedures for:

  • adding the IPv6 address to the Ethernet interface
  • adding the IPv6 address to my Bind (DNS) configuration
  • adding rules to ip6tables

Ethernet Interface

You cannot add an IPv6 address to a virtual interface like eth0:1. It must be added to a whole interface – like eth0 – where it will co-exist with the IPv4 address.

I added the following block to my /etc/network/interfaces file:

iface eth0 inet6 static
        address 2001:db8:beef:2::3
        gateway fe80::1
        netmask 64
        pre-up echo 0 > /proc/sys/net/ipv6/conf/eth0/autoconf

Note that I picked a host address of 3 – but you can choose whatever you like.

Next I ran ifdown eth0 && ifup eth0. If you have made a mistake in the configuration you might lose network connectivity to the device, so have a console connection standing by.

Bind DNS

It is relatively easy to add an IPv6 address to your Bind DNS configuration. Merely enter a line such as:

www AAAA 2001:db8:beef:2::3

Don’t forget to update the serial number in the zone file.

To test this you can run dig AAAA www.mysite.com.

ip6tables

The ip6tables command and its associated tools ip6tables-save and ip6tables-restore work just like their iptables equivalents.

Note that ip6tables does not recognise the ICMP protocol. You must use the icmpv6 keyword instead when referring to ICMP for IPv6. You’ll also note that some --reject-with types such as icmp-port-unreachable are now icmp6-port-unreachable.

For example, some catch-all reject rules at the end of my script:

-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -j REJECT

For a list of ICMPv6 types you can run the following from the command line:

user@host:~$ ip6tables -p icmpv6 -h
Valid ICMPv6 Types:
destination-unreachable
   no-route
   communication-prohibited
   address-unreachable
   port-unreachable
packet-too-big
time-exceeded (ttl-exceeded)
   ttl-zero-during-transit
   ttl-zero-during-reassembly
parameter-problem
   bad-header
   unknown-header-type
   unknown-option
echo-request (ping)
echo-reply (pong)
router-solicitation
router-advertisement
neighbour-solicitation (neighbor-solicitation)
neighbour-advertisement (neighbor-advertisement)
redirect

DON’T THINK ABOUT IPv6 ENABLING YOUR HOST WITHOUT A CORRESPONDINGLY NEW FIREWALL.
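
A fuller ruleset built around the catch-all reject rules above, as an added example that is not part of the original post: it accepts the ICMPv6 types IPv6 cannot work without (neighbour discovery, packet-too-big) before rejecting everything else. The build_rules function name, the default-DROP policy and the TCP ports passed in are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. build_rules, the default-DROP
# policy and the port arguments are assumptions made for illustration.
build_rules() {
    # Validate every port before emitting anything
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2; return 1
        fi
    done
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    # ICMPv6 errors and ping; packet-too-big carries path MTU discovery,
    # which IPv6 depends on because routers never fragment
    for t in destination-unreachable packet-too-big time-exceeded \
             parameter-problem echo-request; do
        printf '%s\n' "-A INPUT -p icmpv6 --icmpv6-type $t -j ACCEPT"
    done
    # Neighbour discovery replaces ARP; on-link packets have hop limit 255
    for t in neighbour-solicitation neighbour-advertisement; do
        printf '%s\n' \
            "-A INPUT -p icmpv6 --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done
    # Published TCP services, one rule per port
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    # The post's catch-all rejects, kept last
    printf '%s\n' '-A INPUT -p tcp -j REJECT --reject-with tcp-reset' \
        '-A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable' \
        '-A INPUT -j REJECT' 'COMMIT'
}

# Load only when asked: sh ruleset.sh --apply 80 443 (as root)
if [ "${1:-}" = "--apply" ]; then
    shift
    rules=$(build_rules "$@") && printf '%s\n' "$rules" | ip6tables-restore
fi
```

Router advertisements are not accepted here because the interface above is configured statically with a fixed gateway.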
