LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 07-25-2013, 05:46 PM   #1
Soapm
Member
 
Registered: Dec 2012
Posts: 180

Rep: Reputation: Disabled
IPv6


I am totally lost, Comcast just sent my IPv6 capable modem. I am currently what they call double stacked which means I have both IPv6 and IPv4 addresses.

My home network has always been 192.168.X.X. I set all my devices for DHCP but I reserve the address to the device in my router so I can enter the relationship in the hosts file which makes my network routable by host name. This way hostname and IP never change.

Now translate what I just said into IPv6 speak. I saw ULA, local-link and god knows what then they go into these long technical dissertations that are waaaay over my head.

The first part of the DHCP IP range which is hardcoded into my router is 260:1:87c:3c I can't change that part. I want to have about 20 addresses avail. I can change the last part in my router which is 0:0:0:0/64 (full starting address is 260:1:87c:3c:0:0:0:0/64). What would I set the end number to to make a block of 20 addresses. Would it just be 0:0:0:20/64?

Also, I have a video server that I would like to have a semi-static address. Do most routers allow both IPv4 and IPv6 clients or is this double stacking something my ISP does but I probably couldn't do it with Debian etc...? My router seems to give one or the other but not both.

Last edited by Soapm; 07-25-2013 at 05:47 PM.
 
Old 07-25-2013, 06:17 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,404

Rep: Reputation: Disabled
Good to hear that Comcast is finally deploying IPv6. Consider yourself slightly privileged.

Unlike with IPv4, local IPv6 networks are not meant to be based on non-routable addresses. There are plenty of routable IPv6 addresses to go around (to put it mildly), meaning that NAT is no longer necessary.

You've been allocated a /64 block, which is the smallest IPv6 block you're ever likely to see, and is typically given to end users and small businesses. As an IPv6 address is 128 bits in length, this means that the first 64 bits (260:1:87c:3c) represent your address block, while the other 64 bits are addresses in that block. You have a total of 18,446,744,073,709,551,616 addresses to your disposal (2 to the power of 64). You won't be running out any time soon.

IPv6 addresses can be handed out by a DHCP server, or the clients can generate their own addresses by listening for router advertisements which will tell them the subnet number and identify any routers on that subnet. You are also free to use statically assigned addresses; any address starting with 260:1:87c:3c belongs on your network.

To make a certain address range available to DHCP clients, simply tell the DHCP server in your router the desired start and end address of the DHCP scope (or on some DHCP server, the start address and the desired number of addresses). Exactly how this is done depends on the make and model of the router.

In addition to the routable IPv6 address, each NIC on an IPv6-enabled host will also have a local-link address (fe80:something) which roughly corresponds to the 169.254.x.x IPv4 addresses a DHCP client will assign to itself whenever a DHCP server is not available. Unlike with IPv4, a link-local IPv6 address is always present, even if you have a routable IPv6 address assigned to the same interface. You can safely ignore these addresses.

Important: Remember that you're no longer hiding behind the public IP address of your router. Unless there's a firewall on your router or some other place in the Comcast infrastructure, all your IPv6-enabled hosts will be reachable from the Internet. Enable your firewall and don't run any services you aren't actually using and/or haven't configured properly.
 
Old 07-25-2013, 06:33 PM   #3
Soapm
Member
 
Registered: Dec 2012
Posts: 180

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Ser Olmy View Post
Important: Remember that you're no longer hiding behind the public IP address of your router. Unless there's a firewall on your router or some other place in the Comcast infrastructure, all your IPv6-enabled hosts will be reachable from the Internet. Enable your firewall and don't run any services you aren't actually using and/or haven't configured properly.
Wow, I had heard IPv6 is more secure. I've always done my best with security knowing that I had NAT as a final (or first) line of defense. I can't believe that I'm hanging out there and they call this better??? I still don't completely understand since I do have a public IPv6 address. Do I still have ports and all that? What is with the address Comcast assigns if each device is publicly routable?

Also, do I change the last number to 20 to limit my block of addresses I will give out? Seems like a waste to give me all those addresses then I use only 20.

Also, will my Windows machines and Debian clients bee able to have both types of IP's (4 and 6) or do they get one or the other?
 
Old 07-25-2013, 06:47 PM   #4
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,404

Rep: Reputation: Disabled
Quote:
Originally Posted by Soapm View Post
Wow, I had heard IPv6 is more secure. I've always done my best with security knowing that I had NAT is a final (or first) line of defense. I can't believe that's I'm hanging out there and they call this better??? I still don't completely understand since I do have a public IPv6 address. Do I still have ports and all that? What is with the address Comcast assigns if each device is publicly routable?
NAT is not a security feature, it's an ugly kludge implemented to prevent the Internet from collapsing due to the extreme scarcity of IPv4 addresses.

The fact that you are "secure" on your local network because your address isn't routable on the public Internet is just a coincidence. As IPv6 becomes increasingly more common, expect to hear about networks being compromised because network admins have become complacent and accustomed to relying on NAT for protection.

The IPv6 protocol in itself is more secure. It has, among other things, native support for IPsec encryption. It also allows for faster processing of packets by routers, and implementing IPv6 should lead to a faster and more secure Internet in general.

Quote:
Originally Posted by Soapm View Post
Also, do I change the last number to 20 to limit my block of addresses I will give out? Seems like a waste to give me all those addresses then I use only 20.
You don't configure a DHCP server by changing an IP address, you tell it which address range you want it to hand out. If you specify 260:1:87c:3c::10 as the start address and 260:1:87c:3c::23 as the end address, your scope will have 20 addresses.

Note that the numbers are in hexadecimal, so the range 10-23 consists of the addresses 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1a, 1b, 1c, 1d, 1e, 1f, 20, 21, 22 and 23. Also, leading zeros can be omitted and a consecutive range of zeros can be abbreviated as "::": 0260:0001:087c:003c:0000:0000:0000:0010 = 260:1:87c:3c:0:0:0:10 = 260:1:87c:3c::10

Quote:
Originally Posted by Soapm View Post
Also, will my Windows machines and Debian clients bee able to have both types of IP's (4 and 6) or do they get one or the other?
They will have one of each. That's what "dual stack" is all about. IPv6 will run alongside IPv4 until the latter can safely be retired.
 
Old 07-25-2013, 07:24 PM   #5
Soapm
Member
 
Registered: Dec 2012
Posts: 180

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Ser Olmy View Post
The fact that you are "secure" on your local network because your address isn't routable on the public Internet is just a coincidence. As IPv6 becomes increasingly more common, expect to hear about networks being compromised because network admins have become complacent and accustomed to relying on NAT for protection.
This is my point, you can't expect home users to become network admins. I must be missing the boat cuz this sounds like a hackers dream and an ISP's nightmare since most end users just want a connection to facebook and youtube and have no interest in learning to secure a network.

Quote:
Originally Posted by Ser Olmy View Post
You don't configure a DHCP server by changing an IP address, you tell it which address range you want it to hand out. If you specify 260:1:87c:3c::10 as the start address and 260:1:87c:3c::23 as the end address, your scope will have 20 addresses.
This is what I needed to know, how to specify a block of 20 instead of having my gazillion addresses avail to be grabbed.

Quote:
Originally Posted by Ser Olmy View Post
They will have one of each. That's what "dual stack" is all about. IPv6 will run alongside IPv4 until the latter can safely be retired.
This is good to know also, I was reading about this 6 to 4 which made it sound like I can give IPv6 addresses to any device that can take one and it will route to 4 as if it had a IPv4 address.

One last question, I have a torrent client running on my server. Do I need to create a rule to route the traffic? With IPv4 I have the port forwarded so do I need to do something like that with IPv6 or how does that work???
 
Old 07-25-2013, 07:55 PM   #6
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,404

Rep: Reputation: Disabled
Quote:
Originally Posted by Soapm View Post
This is my point, you can't expect home users to become network admins. I must be missing the boat cuz this sounds like a hackers dream and an ISP's nightmare since most end users just want a connection to facebook and youtube and have no interest in learning to secure a network.
If the Comcast engineers know what they're doing, they will have activated the firewall feature in the router and defined the default setting for inbound traffic as "deny all". That's all it takes to achieve the same level of security.

Of course, if an ISP chooses to hire fools and incompetents as network admins, we may have a problem, but that problem exists whether one runs IPv6 or not. We've probably all heard about ISPs handing out broadband routers with management interfaces exposed to the Internet and "admin"/"admin" as the default credentials, or routers with an active UPnP process bound to the WAN interface.

Quote:
Originally Posted by Soapm View Post
One last question, I have a torrent client running on my server. Do I need to create a rule to route the traffic? With IPv4 I have the port forwarded so do I need to do something like that with IPv6 or how does that work???
With IPv4, you need to forward a port from the router's public IP to your non-routeble IP address because other clients will need to contact the router's address in order to reach you.

Since your IPv6 address is already routable, you only have to open/allow traffic to the relevant port number in the firewall settings on your router (and possibly in the local firewall on the server as well, if activated). TCP and UDP works the same way with IPv6 as it does with IPv4.
 
Old 07-25-2013, 08:32 PM   #7
Soapm
Member
 
Registered: Dec 2012
Posts: 180

Original Poster
Rep: Reputation: Disabled
Cool, I appreciate all the help. I think it's starting to click. I turned on the firewall in the router.

Is there a way to truncate this number 2601:1:87c0:3c::10/64. I keep seeing stuff like fe80:::1 and was wondering if I use to use the whole number to make it static in my /etc/network/interface file?

Would my torrent client use the same port for IPv4 and IPv6 or do I need to assign it a port for IPv6?

Also, this was in my hosts file so I un-commented the entries. is this correct or does it mean something?
Code:
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Doing an "ifconfig" I get this fe80::214:d1ff:fe24:8a5a/64 Scope:Link so I was wondering if I need to change the host file to;

Code:
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe80::1 ip6-allnodes
fe80::2 ip6-allrouters
Lastly, is it safe for me to post my ip addresses like this? Or should I change them to new rages?
 
Old 07-25-2013, 09:00 PM   #8
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,404

Rep: Reputation: Disabled
Quote:
Originally Posted by Soapm View Post
5Is there a way to truncate this number 2601:1:87c0:3c::10/64. I keep seeing stuff like fe80:::1 and was wondering if I use to use the whole number to make it static in my /etc/network/interface file?
2601:1:87c0:3c::10/64 is as short as it gets. Unabbreviated it would look like this: 2601:0001:87c0:003c:0000:0000:0000:0010.

Quote:
Originally Posted by Soapm View Post
Would my torrent client use the same port for IPv4 and IPv6 or do I need to assign it a port for IPv6?
The IPv4 and IPv6 sockets are separate (the combination of address, protocol and port number is called a socket), but you can certainly use the same port number for both.

Quote:
Originally Posted by Soapm View Post
Also, this was in my hosts file so I un-commented the entries. is this correct or does it mean something?
Code:
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
::1 is the IPv6 address for localhost (really 0:0:0:0:0:0:0:1). Unlike IPv4, which assigns an entire network with ~16.78 million addresses (127.0.0.0/8) to the loopback interface, IPv6 uses a single address. Turns out having 16.78 million addresses that refers to oneself is about 16.78 millon - 1 more addresses than strictly necessary.

The addresses starting with "ff02" are link-local multicast addresses. They are used to reach hosts or routers performing certain functions, or as in the case of ff02::1, everybody on the network. IPv6 makes extensive use of multicasts, and the broadcast mechanism found in IPv4 has been removed.

Quote:
Originally Posted by Soapm View Post
Doing an "ifconfig" I get this fe80::214:d1ff:fe24:8a5a/64 Scope:Link so I was wondering if I need to change the host file
Nope, the "fe80" address is a link-local address generated from the MAC address of the NIC. All IPv6-enabled NICs have these, and they don't need to be referenced anywhere.

Quote:
Originally Posted by Soapm View Post
Lastly, is it safe for me to post my ip addresses like this? Or should I change them to new rages?
The only issue I can think of is related to privacy. It is theoretically possible to tie your IPv4 or IPv6 address to your identity, but in your case one would need access to the Comcast customer database to make that connection.

My IPv6 networks are tied to a tunnel which is actually registered in my name, so if I were to post my address online, anybody could easily find the address and name of the tunnel endpoint, and based on that make a qualified assumption as to my identity.

Unless your network is horribly insecure, posting your address online shouldn't be a security risk. A routable address is reachable anyway, and we all get scanned by automated scripts every single day.
 
Old 07-25-2013, 09:27 PM   #9
Soapm
Member
 
Registered: Dec 2012
Posts: 180

Original Poster
Rep: Reputation: Disabled
Thanks for all the help. Now I need to get DNS working. This is what I'm getting now that I'm using IPv6.

Code:
me@lenny:/# ping www.google.com
ping: unknown host www.google.com
Code:
me@lenny:/# nslookup www.google.com
;; connection timed out; no servers could be reached
This is the entry in my interface file so I should have gotten DNS via DHCP.

Code:
iface eth0 inet6 dhcp
 
Old 07-25-2013, 09:35 PM   #10
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,404

Rep: Reputation: Disabled
What does cat /etc/resolv.conf have to say about your DNS settings?
 
Old 07-25-2013, 10:02 PM   #11
Soapm
Member
 
Registered: Dec 2012
Posts: 180

Original Poster
Rep: Reputation: Disabled
Code:
me@lenny:/# cat /etc/resolv.conf
nameserver 2001:558:feed::1
nameserver 2001:558:feed::2
 
Old 07-25-2013, 10:24 PM   #12
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,404

Rep: Reputation: Disabled
That looks right, as 2001:558:feed::1 and 2001:558:feed::2 are the addresses of cdns01.comcast.net and cdns02.comcast.net respectively.

Perhaps you're missing a gateway. What's the output of ip -6 route? Does ping6 2a00:1450:4013:c01::6a work?
 
Old 07-25-2013, 10:31 PM   #13
Soapm
Member
 
Registered: Dec 2012
Posts: 180

Original Poster
Rep: Reputation: Disabled
Code:
me@lenny:/# ip -6 route
2601:1:87c0:3c::/64 dev eth0  proto kernel  metric 256
fe80::/64 dev eth0  proto kernel  metric 256
Code:
me@lenny:/# ping6 2a00:1450:4013:c01::6a
connect: Network is unreachable
This tells me something is wrong with my ip6 config if it won't ping by ip addy...
 
Old 07-25-2013, 10:42 PM   #14
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,404

Rep: Reputation: Disabled
Yep, you don't have a gateway entry in your routing table. It would have looked something like this:
Code:
::/0 via 2601:1:87c0:3c::<something> dev eth0  proto kernel  metric <some number>
Either your router isn't sending out IPv6 Router Advertisement packages, or your PC isn't receiving them. The following tcpdump command will tell you if RAs are being sent:
Code:
tcpdump -i eth0 'icmp6 and (ip6[40+0] == 134)'
(Assuming you have tcpdump installed and that your NIC is eth0, of course.)

If you do see RAs, the problem could be the firewall on the client.
 
Old 07-25-2013, 10:43 PM   #15
Soapm
Member
 
Registered: Dec 2012
Posts: 180

Original Poster
Rep: Reputation: Disabled
Got the ping6 working with the fix from this site http://forums.gentoo.org/viewtopic-t...9-start-0.html

Code:
1. Ensure /proc/sys/net/ipv6/conf/*/accept_ra is 1
2. ACCPET all icmp6 in ip6tables
nslookup still no worky.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Another IPv6 Crash Course For Linux: Real IPv6 Addresses, Routing, Name Services LXer Syndicated Linux News 0 04-21-2011 08:40 AM
BIND9 as forwarder, IPv6 queries from IPv6 forwarders Nonoo Linux - Server 1 11-23-2009 02:57 PM
ipv6 skmkunju Linux - Newbie 1 11-27-2008 09:47 AM
How to set IPv6 address on IPv6 router tlemons Linux - Networking 3 09-17-2007 02:25 PM
Ipv6 HolyKnight SUSE / openSUSE 3 11-21-2006 06:12 PM


All times are GMT -5. The time now is 05:25 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration