IPv6

List of World IPv6 Day Resources

Submitted by Bart on Tue, 06/07/2011 - 20:30

As everyone will already know by now, tomorrow is World IPv6 Day.

Below are a list of resources that may be useful.

Good luck everyone. Like most of Europe, I'll sleep through the first few hours of World IPv6 Day (as it starts at midnight UTC).

Blog Category:

Configuring an IPv6 tunnel on Juniper SRX

Submitted by Bart on Sun, 05/29/2011 - 14:06

After using my old netscreen 5GT for years to terminate my IPv6 tunnel, I replaced it with an SRX100. IPv6 support on the SRX is still fairly new compared to the netscreen but so far I haven't had any problems with it and some of the limitations that existed in netscreen have been removed as well. Netscreen is stable as a rock, but SRX is a lot more fun :)

My goal was to configure an IPv6 tunnel on my SRX and performing stateful firewalling. I mention stateful firewalling explicitly because the SRX can be configured in either packet-mode or flow-mode. In packet mode it will simply route the IPv6 packets but bypass the security module, in flow-mode it will send everything through the security module as well. Packet-mode is useful for routers, but my SRX is running as a firewall, so I need flow-mode.

The first step is to decide which Junos version to run. This is a bit of a challenge because IPv6 tunnel support in flow-mode worked in some versions but not others. To my knowledge support looks a bit like this:

< 10.2 No ipv6 flow-mode support
10.2 ipv6 flow-mode support, not tunneled, no RVI interfaces
10.3 working ipv6 flow-mode with tunnel, no RVI interfaces
10.4 ipv6 flow-mode support, not tunneled, no RVI interfaces
11.1R2 working ipv6 flow-mode with tunnel and RVI interfaces

Quite a challenge. See this thread on the juniper forums for more details. It also contains a workaround for 10.4. I like testing out new features, so my setup is running 11.1R2. If you are running one of these older versions, you might want to try out packet-mode first (which has been working for ages) and once that works, switch to flow-mode.

Example network

As an example, I'll set up a tunnel to a tunnel broker with the following settings:

  • Tunnel broker ipv4 address: 127.34.8.97
  • My public ipv4 address: 127.78.134.3
  • Tunnel ipv6 address: 2001:db8:202:123::2/64
  • Internal ipv6 subnet: 2001:db8:8aa:1::/64

Note that I'm using a fixed IPv4 address on my firewall here, which is required by the SRX configuration. I don't really have a fixed IP, but I'm using a small event script which alters my configuration each time my external IP changes. I'll include that below. That's the power of Junos, you can automate a lot. More on that later.

Tunnel setup

Creating the tunnel is as easy as creating a new IP tunnel interface and adding it to a security zone.

  1. [edit interfaces ip-0/0/0]
  2. unit 0 {
  3.     tunnel {
  4.         source 127.78.134.3;
  5.         destination 127.34.8.97;
  6.     }
  7.     family inet6 {
  8.         mtu 1280;
  9.         address 2001:db8:202:123::2/64;
  10.     }
  11. }
  12. [edit security zones security-zone untrust]
  13. interfaces {
  14.     ip-0/0/0.0 {
  15.         host-inbound-traffic {
  16.             system-services {
  17.                 ping;
  18.             }
  19.         }
  20.     }
  21. }

That's it, now you should be able to ping IPv6 addresses from the SRX itself.

Internal networks

To assign addresses to internal machines, SLAAC is used. The SRX sends out router-advertisements containing the prefix assigned to the network and clients will chose an address from that range. DHCPv6 could be used as an alternative, but that's a topic for a future blog.

  1. [edit configuration protocols router-advertisement]
  2. interface fe-0/0/1.0 {
  3.     prefix 2001:db8:8aa:1::/64 {
  4.         on-link;
  5.         autonomous;
  6.     }
  7. }
  8. [edit configuration interfaces fe-0/0/1]
  9. unit 0 {
  10.     family inet6 {
  11.         address 2001:db8:8aa:1::/64;
  12.     }
  13. }
  14. [edit security zones security-zone trust]
  15. interfaces {
  16.     fe-0/0/1;
  17. }

At this point, internal machines should be assigned an IPv6 address and should be able to ping the SRX.

Security Policy

Configuring security policies can be done just like IPv4 policies. Unlike netscreen, you can even combine IPv4 and IPv6 addresses in policies. So the following default policy will allow full internet access to you're internal machines on both IPv4 and IPv6:

  1. [edit security policies from-zone trust to-zone untrust]
  2. policy trust-to-untrust {
  3.     match {
  4.         source-address any;
  5.         destination-address any;
  6.         application any;
  7.     }
  8.     then {
  9.         permit;
  10.     }
  11. }

Terminating the tunnel on a dynamic IP

To terminate the IPv6 tunnel on a dynamic IP address, first you'll need to run some utility on an internal machine to update the tunnel broker side of the tunnel. This is specific to whichever service you are using.

As you can see in the config above, you need to specify your public IP address in the SRX tunnel setup. Each time that address changes, you would have to re-configure the SRX. That is a lot of work but this can be done automatically by running an event script on the SRX. This script will run each time the address of the interface changes and will update the config accordingly.

The script (ipv6-tunnel-update.slax) is attached to this article, it's not pretty but it works. Before copying this to the SRX, edit it and replace "fe-0/0/0.0" with the name of your uplink interface.
To activate the script, copy it to /var/db/scripts/event on the SRX and add the following to the config:

  1. [edit configuration event-options]
  2. policy ipv6-tunnel-endpoint-update {
  3.     events SYSTEM;
  4.     attributes-match {
  5.         SYSTEM.message matches "EVENT Add";
  6.     }
  7.     then {
  8.         event-script ipv6-tunnel-update.slax;
  9.     }
  10. }
  11. event-script {
  12.     file ipv6-tunnel-update.slax;
  13. }

The script was based on this one but altered to support non-PPP interfaces. I would love to see the automation guru's write a more generic version.

Blog Category:

Configuring servers to support IPv6

Submitted by Bart on Sun, 06/29/2008 - 20:50

After running IPv6 at home for years, I decided it was about time to start using IPv6 on my server as well. Most servers nowadays do support IPv6 without having to patch and recompile the code, so things have gotten a lot easier lately. But there are still a few caveats.

OpenSSH

Apache2

BIND9

Postfix

Blog Category:

Configuring an IPv6 tunnel on a netscreen SSG firewall

Submitted by Bart on Sun, 04/06/2008 - 10:57

I have a netscreen SSG firewall from which I wanted to establish a tunnel to SixXS. I tried this in the past when IPv6 support had just been added, but didn't have much luck. However, nowadays it works pretty well. I've had a working tunnel for about a year now.

The first thing to do is to get a tunnel to an IPv6 broker and request a subnet for your internal systems. Personally I use SixXS but you can probably use any broker you like. As an example, I'll be using these settings:

  • Tunnel broker ipv4 address: 127.34.8.97
  • Tunnel ipv6 address: 2001:DB8:202:123::2/64
  • ipv6 subnet used internally: 2001:DB8:8AA:1::/64

Second, start by upgrading your device to the latest available firmware. IPv6 support is constantly improving as support for more ALGs is added. If you still have a 5GT, you're stuck using 5.4 but if you have an SSG, you can upgrade to 6.0 or even 6.1.

Next, enable IPv6 support on the device. It's not enabled by default so you have to change a boot parameter and restart the device. You can only do this from the CLI:

  1. set envar ipv6=yes

After the device has rebooted, you'll see that there are a few new commands available to configure IPv6 on interfaces and use IPv6 addresses in policies. Next we'll begin configuring the tunnel to our tunnel broker. I'd recommend doing this from the CLI when you are using version 5.4 because the WebUI had some bugs back then.

  1. set interface tunnel.1 zone "Untrust"
  2. set interface tunnel.1 ipv6 mode "host"
  3. set interface tunnel.1 ipv6 ip 2001:DB8:202:123::2/64
  4. set interface tunnel.1 ipv6 enable
  5. set interface tunnel.1 tunnel encap ip6in4 manual
  6. set interface tunnel.1 tunnel local-if adsl2/0 dst-ip 127.34.8.97
  7. set interface tunnel.1 mtu 1280
  8. set route ::/0 interface tunnel.1 gateway :: preference 20

This should give you a working tunnel and allow you to ping IPv6 addresses from the netscreen itself. Next we'll assign an IPv6 address to our internal interface and configure it so that the attached systems will get an autoconfigured address:

  1. set interface ethernet0/1 ipv6 mode "router"
  2. set interface ethernet0/1 ipv6 ip 2001:DB8:8AA:1::1/64
  3. set interface ethernet0/1 ipv6 enable
  4. unset interface ethernet0/1 ipv6 ra link-address
  5. set interface ethernet0/1 ipv6 ra transmit
  6. set interface ethernet0/1 ipv6 nd nud

That should give your internal systems an IPv6 address. All that is left now is configure a policy to allow the IPv6 traffic to pass through. Configuring this is just like when you are using IPv4, except that there now isn't an object named "Any" anymore but there are two, "Any-IPv4" and "Any-IPv6".
A simple policy to allow outbound connections would be:

  1. set policy from "Trust" to "Untrust" "Any-IPv6" "Any-IPv6" "ANY" permit log

Of course, I'd recommend to make them a bit more restrictive. Be very careful with rules from Untrust to Trust. All your internal systems will have a public IP address, don't just allow everything or you might wake up one morning and find something like this:

One thing to keep in mind when you are updating your policies is that you cannot have both IPv4 and IPv6 addresses in one address group. This effectively means that you will have separate policies in your rulebase for IPv4 and IPv6, so try to keep them ordered logically.

Update sept 13, 2009
I recently set up another IPv6 tunnel, this time on a netscreen 5GT running ScreenOS 6.2r3. I decided to incorporate some of the feedback from the comments below, so that the netscreen can be pinged by SixXS for monitoring. The netscreen should respond to pings on its tunnel interface, but doesn't do so for IPv6 traffic, a bug which has been reported to Juniper but which has not yet been fixed.

So instead of putting my IPv6 endpoint address on the tunnel interface, I used a loopback interface, with a /128 subnet mask. Then I created the tunnel interface as before, but making it unnumbered, inheriting the address from the loopback interface:

  1. set interface "loopback.1" zone "Untrust"
  2. set interface "loopback.1" ipv6 mode "host"
  3. set interface "loopback.1" ipv6 ip 2001:DB8:202:123::2/128
  4. set interface "loopback.1" ipv6 enable
  5. set interface loopback.1 route
  6. set interface loopback.1 manage ping
  7. unset interface loopback.1 ipv6 nd nud
  8.  
  9. set interface tunnel.6 ip unnumbered interface loopback.1
  10. set interface "tunnel.6" ipv6 mode "host"
  11. set interface "tunnel.6" ipv6 enable
  12. set interface tunnel.6 tunnel encap ip6in4 manual
  13. set interface tunnel.6 tunnel local-if adsl2/0 dst-ip 127.34.8.97
  14. set interface tunnel.6 mtu 1280
  15. ! had to disable NUD otherwise the tunnel interface state changed to down.
  16. unset interface tunnel.6 ipv6 nd nud
  17.  
  18. set route ::/0 interface tunnel.6 gateway :: preference 20
  19.  
  20. ! note: an explicit policy is only needed when intra-zone blocking is enabled on the Untrust zone
  21. set policy name "SixXS monitoring" from "Untrust" to "Untrust"  "Any-IPv6" "2001:DB8:202:123::2/128" "ICMP6 Echo Request" permit

This works perfectly. Because my external interface IP is dynamic on this device, I set the SixXS tunnel type to Heartbeat and installed AICCU on an internal machine to keep the connection alive.

Blog Category:

Pages

Subscribe to RSS - IPv6