aa.net.uk Broadband - Broadband you can work with


Knowledge base IPv6

IP version 6 (IPv6) is the current version of Internet Protocol, which is the set of standards defining how computers and other devices communicate over the Internet.

In spite of the fact that IPv6 has been around since 1995, most devices connected to the Internet still only talk IP version 4 (IPv4). IPv4 has been around from the first days of the internet, but with IPv4 address space finally running out at the end of January 2011 people are finally starting to realise that they need IPv6 if they want to keep communicating with everything on the Internet. AAISP are leading the way in the UK, having provided IPv6 since 2002, but the final parts to the puzzle (a cheap DSL router that does IPv6) are only now starting to emerge and allow everyone to use IPv6 with ease.

FAQ

What happens when IPv4 runs out?
We have specific plans for how we will handle IPv4 running out. But what happens generally? We have some ideas.

Do A&A support IPv6?
Yes, we allocate a /48 to each customer and allow subnets down to /64 to be routed to individual lines.

Do A&A support native IPv6?
Yes, we support native and tunneled on a per subnet basis and you can change settings on our control pages.

Can I load balance the same as IPv4?
Yes, all of the load balancing and fall back options we have for IPv4 apply the same for IPv6 and are on the control pages.

Does reverse DNS work?
Yes, we have an auto-allocated reverse DNS for all IPs, but you can control specific forward and reverse DNS entries or run your own DNS servers for reverse DNS just the same as IPv4.

Can I run an IPv6 only network?
You certainly do not need to do this, but yes, we provide a DNS64 DNS server and NAT64 gateway allowing access to the IPv4 world via IPv6. However, most operating systems are not yet fully ready to support IPv6 only operation.

Can I access Google via IPv6?
Yes, they return AAAA records in DNS to our resolvers and any customer resolvers.

Do A&A provide an IPv6 router?
Yes, we ship the Technicolor TG582N with IPv6 enabled firmware as standard.

What is IPv6?

The old version of Internet Protocol is version 4 (IPv4). It had been around for many years, but does not scale well enough to last in the long term. The main problem is the address space - the number of IP addresses that exist. Unfortunately these run out at the end of January 2011, although it will take some months for most ISPs to run out after that date.

Legacy IPv4 addresses use 32 bits which gives about 4 billion combinations. You may have seen IP addresses written like this, 192.168.1.2.

IPv6 is version 6 of IP (no, don't ask about version 5). It has a number of key changes, and some thought has gone into making the protocol fit the way that the world currently uses the internet. One of the key differences with IPv6 is the address space. It uses 128 bit addresses, which is a lot of addresses (340282366920938463463374607431768211456 to be exact) - more than enough to give an address to every atom in every computing device on the planet.

What does an IPv6 address look like

An example is 2001:b80::1234:5678. The address has blocks of hexadecimal separated by colons and can have "::" to mean lots of zeros.

Why would I want to use it?

Why would you want to be able to access any of the Internet? Basically, some of the Internet is not available if you only have the old version 4 protocol. By having IPv6 and IPv4 you can access the whole of the Internet.

Normally people would use a mixture of IPv4 and IPv6 addresses on their network, but eventually IPv6 only networks will start to be used. You don't need to worry about IPv6 only networking just yet though.

How many IP addresses?

Normally a company would receive 1208925819614629174706176 addresses to cover up to 65536 sites.

What is AAISP doing about IPv6?

We operate an IPv4 and IPv6 network. All of our servers have IPv6 addresses as well as IPv4 addresses. Most services we run use IPv6 happily, including email, web pages, and DNS. We provide IPv6 address allocations to customers (just ask support).

We can route your address allocations to your broadband line or lines as you wish. This can either be via an IPv4 tunnel (see below for typical setup instructions), or we can route IPv6 natively as IPv6 over PPPoA over ADSL. IPv6 functionality is just a part of our service and so includes multiple line bonding uplink and downlink for IPv6 addresses in the same way as we do IPv4 addresses.

When tunneling IPv6, we send from IPv4 address 81.187.81.6. You can use this as the endpoint to which you send tunnel traffic. You can also send 6to4 traffic relating to any of your IPv4 addresses using the 192.88.99.X gateway address.

Note: Native IPv6 requires router support at your end and such routers are often expensive. Also, we are aware that BT have some issues handling native IPv6 on some parts of their network which we are trying to resolve (Sep 2008) - we have a work around so please contact support if you have issues. The FireBrick FB2700 provides an ideal solution for businesses providing IPv6 and a firewall all in one small box.

IPv6 only networks

AAISP are testing IPv6/4 mapping allowing an IPv6 only network to operate. To use this set your DNS to 2001:8b0:6464::1 and 2001:8b0:6464::2. These will provide IPv6 addresses for IPv4 hosts on the internet and map traffic to the IPv4 addresses for you.

Running an IPv6 only network is not necessary and somewhat geeky; do not worry about it unless you are experimenting with this.

What systems support IPv6?

IPv6 is available for Linux, Windows and Mac systems and many others. It is likely to be installed and enabled by default. You just need the right router or firewall on your network to make it all work with IPv6 as well as IPv4.

Where can I find more?

If you search for IPv6 you will find lots of information. If you have any specific questions please ask us by email or in our newsgroup.

Firewalls

Some firewalls are only IPv4 and will not cope with IPv6. The FireBrick FB2700 provides IPv6 and firewalling and is ideal for a small business. Talk to support for advice on IPv6 firewalling.

Setting up our control pages

Just like IPv4 addresses, you can set the line or lines to which your IPv6 block is sent. The only extra field is the tunnel endpoint. If set, then all traffic to you is wrapped in an IPv4 wrapper and sent to that IPv4 address down your line(s). If not set, then the IPv6 traffic is sent natively over PPPoA to your router. Only some types of router handle this. Just like IPv4 routing settings, changes only take effect on the next connection of your line(s).

Note that the old way to do this involved ticking the "S" box for a static route, which sent traffic via our old, and now redundant, IPv6 router endless. You should untick this now and tick your line number(s) instead - if not, you will still receive incoming traffic, but outbound traffic will fail our source filtering, and so not work.

Source checking

Just as with IPv4 addresses, we check the source address of traffic coming from your lines to ensure the source address is one of your addresses. This is done the same for native IPv6 packets. Also, any IPv6 packets wrapped in IPv4 wrappers sent to our IPv6 endpoint, or the generic 192.88.99.X endpoints will be unwrapped and the IPv6 source address checked.

You can use 6to4 addresses (2002::/16 prefix with an IPv4 address) either native or wrapped in an IPv4 wrapper. The IPv4 part of the IPv6 address is checked against your IPv4 allocations.

This helps ensure you will get the replies to your traffic, and that a misconfiguration cannot result in untraceable nuisance traffic on the internet.
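The source check described above, sketched as an added example (not AAISP's own code). The allocations are constructed documentation prefixes, and `source_allowed` is a hypothetical name; for wrapped traffic it would be called with the inner IPv6 source after unwrapping.

```python
import ipaddress

# Constructed sample allocations for one hypothetical customer line.
IPV6_ALLOCATIONS = [ipaddress.ip_network("2001:db8:1234::/48")]
IPV4_ALLOCATIONS = [ipaddress.ip_network("192.0.2.0/29")]
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")


def source_allowed(src, v6_allocs=IPV6_ALLOCATIONS, v4_allocs=IPV4_ALLOCATIONS):
    """Return (allowed, reason) for a source address seen on a customer line."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False, "unparseable"

    if addr.version == 4:
        ok = any(addr in net for net in v4_allocs)
        return ok, ("ipv4-allocated" if ok else "ipv4-not-allocated")

    if addr in SIX_TO_FOUR:
        # 6to4: bits 16..47 of the address carry an IPv4 address, and it is
        # that IPv4 address which must belong to the customer.
        embedded = addr.sixtofour
        ok = any(embedded in net for net in v4_allocs)
        return ok, ("6to4-ipv4-allocated" if ok else "6to4-ipv4-not-allocated")

    ok = any(addr in net for net in v6_allocs)
    return ok, ("ipv6-allocated" if ok else "ipv6-not-allocated")


if __name__ == "__main__":
    for sample in ("2001:db8:1234:1::5", "2002:c000:201::1",
                   "2002:c633:6401::1", "2001:db8:ffff::1"):
        print(sample, source_allowed(sample))
```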

Setting up IPv6 with FireBrick FB2700

We suggest using a PPPoE modem or a router in bridge mode, and simply add a ppp config, e.g. <ppp username="whatever" password="whatever" port="4"/>

Ensure you have an IPv6 allocation and it is set up on the control pages, then simply include it in your LAN subnet, e.g. <subnet ip="2001:bd8:1:2::1/64" ra="true"/>. The ra setting means that your FireBrick will tell computers on your network to get an address on your network.

Setting up IPv6 on linux redhat/FC

Add /etc/sysconfig/network-scripts/ifcfg-tun0

TYPE=sit
DEVICETYPE=sit
ONBOOT=yes
DEVICE=tun0
BOOTPROTO=none
IPV6INIT=yes
# your IPv6 address
IPV6ADDR=2001:8B0:1234:5678::1/64
USERCTL=no
PEERDNS=no
IPV6TUNNELIPV4=81.187.81.6
# your IPv4 address
IPV6TUNNELIPV4LOCAL=217.169.0.1
MTU=1400

In /etc/sysconfig/network, add

NETWORKING_IPV6=yes
IPV6_DEFAULTDEV=tun0

We then suggest editing /etc/radvd.conf and running radvd service to announce your IPv6 block to machines on your LAN.

Some later Redhat based distros don't seem to like the tunnel device being called tun0. If that happens, please call the device sit1 instead, and modify the files accordingly.

Setting up IPv6 on Windows

IPv6 is not supported by Microsoft on Windows 95/98/ME, but 3rd party stacks can be purchased from: http://www.trumpet.com.au/

Microsoft Windows XP/Vista/7/Server IPv6 FAQ: http://technet.microsoft.com/en-us/network/cc987595.aspx

Setting up with RADV

If you have a linux box or similar on your LAN acting as an IPv6 gateway, perhaps tunneling IPv6 as described above, and you have RADV set up (to announce the IPv6 network to the LAN), then setting up additional boxes couldn't be simpler!

Modern linux clients just pick up the IPv6 announcements and start using it by default - no work needed.

Even the Nokia 9500 mobile phone picks up an IPv6 address from the LAN with no configuration changes using the RADV announcements!

On Windows XP it is pretty simple - just go to the protocols section on the interface settings and add protocol IPv6. Then, your Windows machine simply picks up an IPv6 address from the LAN by RADV and just works!

On a non IPv6 network but with real IP addresses allowing IPv6 tunnel wrappers over IPv4 to pass (such as a Windows machine with ADSL modem connected directly), Windows XP will happily work with 2002::/16 prefix 6to4 addresses, although the default outgoing tunnel endpoint appears to be a Microsoft server in the US.

On a FireBrick FB2700 you just need the ra="true" on your LAN subnet to enable RADV.

Bypassing security?!

Whilst IPv6 does not have much in the way of advantage over IPv4 just yet, it does fool some security systems. This may be good or bad, depending on your point of view. If setting up a firewall you may want to consider both IPv6 and IPv6 wrapped in IPv4 traffic. At an IPv4 level all you see is IPv4 protocol 41 traffic to a single IPv4 endpoint - no separate sessions or ports or protocols.

For example, IPv6 bypasses all of the security on at least one common parental control package - Netintelligence. Anyone installing Netintelligence needs to consider if IPv6 is available. Bear in mind that IPv6 installation on Windows XP is a doddle, and it will work without any ISP support using IPv4 tunnels and 2002::/16 prefix address space!

If you think this is only a problem for accessing web sites that have IPv6 addresses, think again. There are IPv6 proxies, like sixxs.org, where simply suffixing any normal IPv4 web site with .sixxs.org allows access via an IPv6 proxy, so any site can easily be accessed.
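What a filter has to do to see inside that protocol 41 traffic, as an added example that is not part of the original page: it recognises an IPv4 packet carrying IPv6 and reports the inner addresses and port that an IPv4-only view misses. The function names and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

PROTO_6IN4, TCP, UDP = 41, 6, 17


def inspect_ipv4_packet(pkt):
    """Describe the IPv6 flow inside a protocol 41 packet, else return None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4              # IPv4 header length in bytes
    if ihl < 20 or pkt[9] != PROTO_6IN4 or len(pkt) < ihl + 40:
        return None
    inner = pkt[ihl:]                      # encapsulated IPv6 packet
    if inner[0] >> 4 != 6:
        return None
    flow = {
        "outer_src": str(ipaddress.IPv4Address(pkt[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
        "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
        "next_header": inner[6],
        "dst_port": None,                  # stays None behind extension headers
    }
    if inner[6] in (TCP, UDP) and len(inner) >= 44:
        flow["dst_port"] = struct.unpack("!H", inner[42:44])[0]
    return flow


def build_sample():
    """Constructed packet (checksums left at zero): TCP SYN to port 80 in 6in4."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ipv6 = (struct.pack("!IHBB", 6 << 28, len(tcp), TCP, 64)
            + ipaddress.IPv6Address("2002:c000:201::1").packed
            + ipaddress.IPv6Address("2001:db8::80").packed + tcp)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6), 0, 0, 64,
                       PROTO_6IN4, 0,
                       ipaddress.IPv4Address("192.0.2.1").packed,
                       ipaddress.IPv4Address("192.88.99.1").packed)
    return ipv4 + ipv6


if __name__ == "__main__":
    print(inspect_ipv4_packet(build_sample()))
```

A filter that stops at the outer header sees only 192.0.2.1 talking to 192.88.99.1; the web request to 2001:db8::80 port 80 is visible only after decoding the inner header.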

IPv6 Debian (Etch and presumably Ubuntu) notes

Provided by a customer (thank you!)

The following notes assume you have been allocated a /64 address range by A&A in the form 2001:08B0:XXXX:0001/64. Change the XXXX part to whatever matches your range.

Connecting one host

Getting a single host connected is very simple, but you do first need to ensure that your ADSL router will pass through packets with a protocol id of 41 to your selected host. Note that this is a *protocol* number and not a port number. This means the relevant traffic is not TCP (protocol 6) or UDP (protocol 17) but another one entirely.

On my Netgear DG834G the trick is to use the Any(ALL) service in the Firewall rules and allow any traffic from 81.187.81.6 (A&A's IPv6 tunnel gateway) to my selected host. You may be able to do something similar if your router doesn't allow you to configure protocols other than TCP and UDP explicitly.

Note: Another customer has found that there is a bug in the Netgear router which causes the firewall to fail if this firewall rule is added. With the rule disabled, everything is fine. With the rule enabled, www.grc.com is able to see all open ports, including those that had been explicitly firewalled. It appears that the "source" parameter is not being passed through to iptables on the router. A work-around for this is not yet known, so it may not be possible to pass 6in4 routing through on this particular router.
We'd recommend customers to take care with this and to test it.

You may need to install a couple of packages to give you all the tools you need. As root, type:

apt-get install iputils-ping iproute

Configuring your etch host then requires you just to edit /etc/network/interfaces and add the following stanza at the end:

auto 6in4
iface 6in4 inet6 v4tunnel
        address 2001:08B0:XXXX:0001::1
        netmask 124
        endpoint 81.187.81.6
        ttl 64
        up ip link set mtu 1280 dev 6in4
        up ip route add default via 2001:08B0:XXXX:0001::2 dev 6in4

remembering to change the XXXX to whatever value you've been allocated.

After that just type "ifup 6in4" (as root) and your link should be up.

Connecting an entire LAN

If you want to connect an entire LAN to the IPv6 Internet then first select one machine to act as the gateway and configure basic connectivity for that machine using the instructions in the previous section.

Once that is working you need to work out an IPv6 address for your selected machine's Ethernet interface. To do this you need to know its MAC address. As root, type "ifconfig" and the output you get should be something like this:

eth0      Link encap:Ethernet  HWaddr 00:01:6C:A8:9C:C3
...

The HWaddr bit there is your Ethernet interface's MAC address. In this case that would be:

    00:01:6C:A8:9C:C3

Take this and add 2 to the first number, giving:

02:01:6C:A8:9C:C3

Then shove FF:FE in the middle giving:

    02:01:6C:FF:FE:A8:9C:C3

Then combine consecutive pairs to give:

    0201:6CFF:FEA8:9CC3

and finally pre-pend this with your IPv6 range allocation from A&A, giving:

2001:08B0:XXXX:0001:0201:6CFF:FEA8:9CC3

This is the global IPv6 address for your Ethernet interface. Edit /etc/network/interfaces again and add the following clause:

iface eth0 inet6 static
	address 2001:08B0:XXXX:0001:0201:6CFF:FEA8:9CC3
	netmask 64

Then do "ifdown eth0" and "ifup eth0" to get the new address configured.

Fortunately that's the only address you need to calculate for yourself. The rest are done automatically for you if you install radvd, so:

    apt-get install radvd
    cp /usr/share/doc/radvd/examples/simple-radvd.conf /etc/radvd.conf

and then edit /etc/radvd.conf. By default it reads:

interface eth0
{
   AdvSendAdvert on;
   prefix 2001:db8::/32
   {
   };
};

and you just need to change the "prefix" line so that it reads:

interface eth0
{
   AdvSendAdvert on;
   prefix 2001:08b0:XXXX:0001::/64
   {
   };
};

again replacing XXXX with the relevant part of your IPv6 allocation.

Then start radvd with:

/etc/init.d/radvd start

and it should be up and running. Note that the script which starts radvd automatically turns IPv6 forwarding on so you don't need to bother with that step separately.

Within a very few minutes, all the other IPv6 capable machines on your LAN should have configured themselves with correct IPv6 addresses and they will all be able to talk IPv6 through your gateway machine to the outside world.

********* DANGER, WILL ROBINSON! ********

The above steps will bypass any existing firewall protection which you have for your LAN. All your machines will now be connected to the real IPv6 Internet with nothing filtering the traffic to and from them.

You almost certainly want to configure firewall rules on your gateway machine of a similar calibre to whatever you currently have.

Cisco notes

Some customers running native IPv6 on a Cisco 877 router have seen a huge disparity between IPv4 and IPv6 speeds. IPv6 file transfers are about 10 times slower than IPv4 transfers!

It turns out to be a Cisco IOS bug; once the IPv6 stateful firewall (inspect) has been disabled, IPv6 should run at full speed.

It is Cisco bug CSCtb10776 (Inspection drops NIC-segmented packets when WScale is on). It can also be worked around by disabling TCP window scaling on the affected hosts, but that can have performance implications of its own. It has been fixed in IOS versions:

15.1(0.18)T
12.4(25b)M0.13
15.0(1)M1.2

IPv6 DNS Resolvers

Our DNS servers have IPv6 addresses: 2001:8b0::2020 and 2001:8b0::2021.