I've had a bit of a headache with some of my servers that are secured with very stingy iptables rules. When my ISP assigns a different IP address to the cable modem in my home office, I can suddenly no longer connect via SSH to my precious servers. I expect I could pay someone for a static IP v4 address and continue living in the past, but I was wondering if IPV6 might help me solve this problem. I've been reading this, but it's not very detailed and I'm having a bit of trouble understanding how things work with IPv6, iptables, NAT, etc.

Is one's auto-generated local-link address meaningful across the entire internet?
According to RFC 2462, IPv6 generates a "link local" address starting with FE80 and typically ending with one's "interface identifier" (would this be a MAC address?). I understand from this wikipedia article that such addresses are meaningful in the local network. On the other hand, isn't the point of IPv6 to eliminate NAT and restore end-to-end communications? I'm also wondering if such an auto-generated IP would be easy to spoof and also wondering what sort of mechanism would allow a user in Tokyo, for instance, to reliably and securely route traffic to my IPv6 address.

Do I still need an ISP to give me a "public" IPv6 address?
Autogeneration of link-local addresses aside, I'm guessing that I'll still need an ISP to provide me with a publicly accessible IPv6 address and that to acquire such an address means that I would need to acquire internet connectivity from this ISP -- which suggests a hefty bill because my ISP (Time Warner Cable) doesn't offer IPv6 AFAIK and I would need to acquire commercial internet service. Am I correct in my understanding here?

Isn't some kind of tunneling required to route ipv6 traffic these days?
Given that my ISP provides me with an IPv4 address and doesn't seem to support IPv6 in any fashion, I'm wondering how my router and computer distinguish IPv4 from IPv6 when the stuff is coming off the NIC. I'm sort of wondering if my computers engage in any IPv6 traffic at all. In the ifconfig on my *nix machines and on my Windows machine's ipconfig output, I see that my machines have IPv6 address, but am unclear whether they actually transceive any IPv6 traffic or not. Additionally, the PDF I linked above describes numerous tunneling possibilities and the security looks really sketchy. I'm wondering if there's any way to know if my IPv6 traffic might have to transit a v4 network in route to its destination.

What's the relation between iptables and ip6tables?
Assuming I could acquire an IPv6 address that was universally meaningful to the Internet and that I could connect securely and reliably to my server, the question also arises of what my iptables should look like. Does iptables take precedence over ip6tables? I'm guessing that somehow the machine knows whether incoming packets are ip6 or ip4 and will use the -- entirely separate -- rules of iptables or ip6tables accordingly.

Any help would be much appreciated.

No, it is not.

A link local IPv6 address may be globally unique (becaus it's generated based on the interface MAC address), but the FE80::/10 network is not.

Like the IPv4 APIPA network (169.254.0.0/16), FE80::/10 can exist in any number of locations simultanously and as a result, packets to and from nodes in these networks are not routable.

Yes, you need a globaly routable IPv6 address in order to communicate with other IPv6 hosts.

Only if your ISP doesn't provide you with a routable IPv6 address. In that case, you would need to use a tunnel of some sort, like Teredo or a manually configured tunnel to a tunnel provider.

I use HE (tunnelbroker.net) myself, and it works great. As you say, it means that all IPv6 traffic takes a slight detour through the tunnel provider's network. Had I been residing in a more IPv6-civilized nation (like, say, France), I would have received a /64 network directly from my provider.

Other than the fact that iptables manages the Netfilter IPv4 firewall and ip6tables manages the Netfilter IPv6 firewall in much the same way, none.

IPv4 packets are not affected by ip6tables rules, and vice versa.

Thanks for the response!

I'm curious about the mechanics here. I'm guessing that if you have any modern OS that it speaks proper IPV6, but am unsure where the "tunnel" starts -- your router? Is there a client that runs on your machine? Do you simply enter something in your hosts file? How does traffic sent to your IPv6 address/subnet become available to you? Any additional description you could offer would be much appreciated.

And, personally, I find the state of broadband provisioning in the U.S. to be a national embarassment. I expect I'll be writing my elected representatives about this again.

Hmmm...I expect I'll need to do some remedial study of networking layers to understand where this gets sorted out.

In my case, the local tunnel endpoint is my router. It has an IPv6 address bound to the ethernet interface connected to the local LAN, and a different (as in a different IPv6 network) IPv6 address assigned to a virtual tunnel interface. Both these IPv6 networks were assigned to me by the tunnel provider.

I set up the tunnel interface by specifying the IPv6 addresses for both endpoints, as well as the IPv4 address for the tunnel provider endpoint. Instructions on how to do this can be found on the tunnel provider website.

IPv6 packets travel from the local LAN to the router, where they're encapsulated inside a special IPv6-in-IPv4 packet. This packet is then sent across the regular IPv4 Internet to the IPv4 address of a tunnel provider endpoint, where the IPv4 envelope is removed and the IPv6 packet forwarded over the IPv6-enabled Internet backbone.

My router is a small server running Linux, but a number of other types of routers and operating systems work as well. I've managed to set up Windows Server 2008 R2 as an IPv6 tunnel endpoint, but had some issues getting it to forward IPv6 traffic to and from a local LAN.

You may also use your PC as a tunnel endpoint. This is how Teredo works, and I believe all Microsoft OSes from Windows XP onwards support Teredo. A Linux/BSD client exists as well (Miredo).

Both IPv4 and IPv6 are layer 3 protocols. When a packet is received by a Linux PC, it is processed by the relevant firewall tables and chains according to protocol type.

Hmmm. Do you have a fancy router which has features to configure such a thing?

Got a link? I've been clicking around at hurricane electric, but can't seem to find it.

Any thoughts on how secure this might be? I.e., are there any features that prevent someone else from connecting to your tunnel and spoofing you?

Thanks for the info!

My router is simply a dedicated small form factor PC running Linux.

You don't need an expensive router to set up an IPv6 tunnel, but you do need a router with proper IPv6 support and currently, surprisingly few routers in the consumer segment have any kind of IPv6 support. Some D-Link models can act as IPv6 tunnel endpoints, Mikrotik and Fortigate have had good IPv6 support for years, and any router capable of running OpenWRT or Tomato firmware will also work.

Even if your router doesn't support the creation of IPv6 tunnels, it may be able to pass the tunnel packets on to another router or PC on your LAN. The Hurricane Electric "IPv6 Software Applications & Hardware Appliances" subforum is a good place to start if you're looking for a tunnel-capable router or want to know if your existing router can do the job.
You're right, I see now that you need to create a (free) account first and request a tunnel. The configuration examples actually include your specific tunnel details, such as addresses and account information. The idea is that you can simply paste the instructions directly into the command line, if your router or system is command line based, and you'll have a working tunnel.
Yes, there is. In order to set up a working tunnel, you need to specify the IPv4 address of your tunnel endpoint. You need a username and a password in order to do this, so an intruder will not be able to set up a working tunnel using your IPv6 addresses.

Of course, it is possible to spoof IPv6-in-IPv4 tunnel packets, so an attacker may be able to create some noise by sending false IPv6 packets in a spoofed tunnel. This will only work if the attacker guesses the right HE tunnel endpoint AND the attecker's service provider isn't doing egress filtering/reverse path verification. In any case, the attacker will not be able to receive the reply packets.

This scenario is true for all regular IPv4 traffic as well, so an IPv6-in-IPv4 tunnel is no more or less secure than any other Internet traffic. For security, one should use encryption like SSL/TLS or IPsec, which also provide authentication.

Thanks for the generous detail, Ser Olmy. It occurs to me that if I want to solve my original problem, I need to be able to use SSH on my local machine, have SSH connect via an IP4 tunnel to the remote tunneling service, and then be sure that the tunneling service connects via IP6 to my server that is so tightly locked down -- and I'm not even sure that Amazon EC2 supports IP6 networking.

I'm going to have to think about this a bit.