LinuxQuestions.org

Linux - Newbie: IPv6 (https://www.linuxquestions.org/questions/linux-newbie-8/ipv6-4175470923/)

Soapm 07-25-2013 04:46 PM

IPv6
 
I am totally lost, Comcast just sent my IPv6 capable modem. I am currently what they call double stacked which means I have both IPv6 and IPv4 addresses.

My home network has always been 192.168.X.X. I set all my devices for DHCP but I reserve the address to the device in my router so I can enter the relationship in the hosts file which makes my network routable by host name. This way hostname and IP never change.

Now translate what I just said into IPv6 speak. I saw ULA, local-link and god knows what then they go into these long technical dissertations that are waaaay over my head.

The first part of the DHCP IP range which is hardcoded into my router is 260:1:87c:3c I can't change that part. I want to have about 20 addresses avail. I can change the last part in my router which is 0:0:0:0/64 (full starting address is 260:1:87c:3c:0:0:0:0/64). What would I set the end number to to make a block of 20 addresses. Would it just be 0:0:0:20/64?

Also, I have a video server that I would like to have a semi-static address. Do most routers allow both IPv4 and IPv6 clients or is this double stacking something my ISP does but I probably couldn't do it with Debian etc...? My router seems to give one or the other but not both.

Ser Olmy 07-25-2013 05:17 PM

Good to hear that Comcast is finally deploying IPv6. Consider yourself slightly privileged.

Unlike with IPv4, local IPv6 networks are not meant to be based on non-routable addresses. There are plenty of routable IPv6 addresses to go around (to put it mildly), meaning that NAT is no longer necessary.

You've been allocated a /64 block, which is the smallest IPv6 block you're ever likely to see, and is typically given to end users and small businesses. As an IPv6 address is 128 bits in length, this means that the first 64 bits (260:1:87c:3c) represent your address block, while the other 64 bits are addresses in that block. You have a total of 18,446,744,073,709,551,616 addresses at your disposal (2 to the power of 64). You won't be running out any time soon.

IPv6 addresses can be handed out by a DHCP server, or the clients can generate their own addresses by listening for router advertisements which will tell them the subnet number and identify any routers on that subnet. You are also free to use statically assigned addresses; any address starting with 260:1:87c:3c belongs on your network.

To make a certain address range available to DHCP clients, simply tell the DHCP server in your router the desired start and end address of the DHCP scope (or on some DHCP servers, the start address and the desired number of addresses). Exactly how this is done depends on the make and model of the router.

In addition to the routable IPv6 address, each NIC on an IPv6-enabled host will also have a link-local address (fe80:something) which roughly corresponds to the 169.254.x.x IPv4 addresses a DHCP client will assign to itself whenever a DHCP server is not available. Unlike with IPv4, a link-local IPv6 address is always present, even if you have a routable IPv6 address assigned to the same interface. You can safely ignore these addresses.

Important: Remember that you're no longer hiding behind the public IP address of your router. Unless there's a firewall on your router or some other place in the Comcast infrastructure, all your IPv6-enabled hosts will be reachable from the Internet. Enable your firewall and don't run any services you aren't actually using and/or haven't configured properly.

Soapm 07-25-2013 05:33 PM

Quote:

Originally Posted by Ser Olmy (Post 4996794)
Important: Remember that you're no longer hiding behind the public IP address of your router. Unless there's a firewall on your router or some other place in the Comcast infrastructure, all your IPv6-enabled hosts will be reachable from the Internet. Enable your firewall and don't run any services you aren't actually using and/or haven't configured properly.

Wow, I had heard IPv6 is more secure. I've always done my best with security knowing that I had NAT as a final (or first) line of defense. I can't believe that I'm hanging out there and they call this better??? I still don't completely understand since I do have a public IPv6 address. Do I still have ports and all that? What is with the address Comcast assigns if each device is publicly routable?

Also, do I change the last number to 20 to limit my block of addresses I will give out? Seems like a waste to give me all those addresses then I use only 20.

Also, will my Windows machines and Debian clients be able to have both types of IPs (4 and 6) or do they get one or the other?

Ser Olmy 07-25-2013 05:47 PM

Quote:

Originally Posted by Soapm (Post 4996800)
Wow, I had heard IPv6 is more secure. I've always done my best with security knowing that I had NAT as a final (or first) line of defense. I can't believe that I'm hanging out there and they call this better??? I still don't completely understand since I do have a public IPv6 address. Do I still have ports and all that? What is with the address Comcast assigns if each device is publicly routable?

NAT is not a security feature, it's an ugly kludge implemented to prevent the Internet from collapsing due to the extreme scarcity of IPv4 addresses.

The fact that you are "secure" on your local network because your address isn't routable on the public Internet is just a coincidence. As IPv6 becomes increasingly common, expect to hear about networks being compromised because network admins have become complacent and accustomed to relying on NAT for protection.

The IPv6 protocol in itself is more secure. It has, among other things, native support for IPsec encryption. It also allows for faster processing of packets by routers, and implementing IPv6 should lead to a faster and more secure Internet in general.

Quote:

Originally Posted by Soapm (Post 4996800)
Also, do I change the last number to 20 to limit my block of addresses I will give out? Seems like a waste to give me all those addresses then I use only 20.

You don't configure a DHCP server by changing an IP address, you tell it which address range you want it to hand out. If you specify 260:1:87c:3c::10 as the start address and 260:1:87c:3c::23 as the end address, your scope will have 20 addresses.

Note that the numbers are in hexadecimal, so the range 10-23 consists of the addresses 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1a, 1b, 1c, 1d, 1e, 1f, 20, 21, 22 and 23. Also, leading zeros can be omitted and a consecutive range of zeros can be abbreviated as "::": 0260:0001:087c:003c:0000:0000:0000:0010 = 260:1:87c:3c:0:0:0:10 = 260:1:87c:3c::10

Quote:

Originally Posted by Soapm (Post 4996800)
Also, will my Windows machines and Debian clients be able to have both types of IPs (4 and 6) or do they get one or the other?

They will have one of each. That's what "dual stack" is all about. IPv6 will run alongside IPv4 until the latter can safely be retired.
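As an added example (not part of the original thread) of the hex arithmetic and abbreviation rules in the reply above, here is the scope and notation work done with Python's standard ipaddress module. It uses the prefix and scope boundaries quoted in the reply; the poster's prefix later appears in the thread as 2601:1:87c0:3c::/64, and the arithmetic is the same for any /64. It also checks the poster's original guess of "0:0:0:20" as an end address.

```python
import ipaddress

# Values from the thread: the /64 the poster quoted and the DHCPv6 scope
# boundaries suggested in the reply. The poster's real prefix later shows up
# as 2601:1:87c0:3c::/64, which is a different /64 (see belongs_to_prefix).
PREFIX = ipaddress.IPv6Network("260:1:87c:3c::/64")
SCOPE_START = "260:1:87c:3c::10"
SCOPE_END = "260:1:87c:3c::23"


def expand(addr: str) -> str:
    """Full 8-group, 4-digit form: leading zeros restored and '::' expanded."""
    return ipaddress.IPv6Address(addr).exploded


def compress(addr: str) -> str:
    """Canonical short form: leading zeros dropped, longest zero run as '::'."""
    return ipaddress.IPv6Address(addr).compressed


def scope_size(start: str, end: str) -> int:
    """Number of addresses in an inclusive DHCPv6 range.

    The last group is hexadecimal, so ::10 to ::23 is 0x10..0x23 = 16..35,
    i.e. 20 addresses, not 14.
    """
    lo, hi = int(ipaddress.IPv6Address(start)), int(ipaddress.IPv6Address(end))
    if hi < lo:
        raise ValueError("scope end precedes scope start")
    return hi - lo + 1


def scope_addresses(start: str, end: str) -> list:
    """Every address in the range, compressed (handy for static reservations)."""
    lo, hi = int(ipaddress.IPv6Address(start)), int(ipaddress.IPv6Address(end))
    return [str(ipaddress.IPv6Address(i)) for i in range(lo, hi + 1)]


def belongs_to_prefix(addr: str, prefix: ipaddress.IPv6Network = PREFIX) -> bool:
    """True if the first 64 bits match, i.e. the address is on this link."""
    return ipaddress.IPv6Address(addr) in prefix


if __name__ == "__main__":
    print(PREFIX.num_addresses)                    # 2**64
    print(expand(SCOPE_START))                     # 0260:0001:087c:003c:0000:0000:0000:0010
    print(scope_size(SCOPE_START, SCOPE_END))      # 20
    # The poster's guess "0:0:0:20" as the end of a scope starting at ::0
    # would be 0x00..0x20 = 33 addresses, not 20.
    print(scope_size("260:1:87c:3c::", "260:1:87c:3c::20"))
    print(scope_addresses(SCOPE_START, SCOPE_END))
```

The point of belongs_to_prefix is that a DHCPv6 scope, a static address and the router's prefix must all share the same first 64 bits; "260:1:87c:3c" and "2601:1:87c0:3c" look similar but are different networks.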

Soapm 07-25-2013 06:24 PM

Quote:

Originally Posted by Ser Olmy (Post 4996807)
The fact that you are "secure" on your local network because your address isn't routable on the public Internet is just a coincidence. As IPv6 becomes increasingly more common, expect to hear about networks being compromised because network admins have become complacent and accustomed to relying on NAT for protection.

This is my point, you can't expect home users to become network admins. I must be missing the boat because this sounds like a hacker's dream and an ISP's nightmare since most end users just want a connection to facebook and youtube and have no interest in learning to secure a network.

Quote:

Originally Posted by Ser Olmy (Post 4996807)
You don't configure a DHCP server by changing an IP address, you tell it which address range you want it to hand out. If you specify 260:1:87c:3c::10 as the start address and 260:1:87c:3c::23 as the end address, your scope will have 20 addresses.

This is what I needed to know, how to specify a block of 20 instead of having my gazillion addresses avail to be grabbed.

Quote:

Originally Posted by Ser Olmy (Post 4996807)
They will have one of each. That's what "dual stack" is all about. IPv6 will run alongside IPv4 until the latter can safely be retired.

This is good to know also, I was reading about this 6 to 4 which made it sound like I can give IPv6 addresses to any device that can take one and it will route to 4 as if it had an IPv4 address.

One last question, I have a torrent client running on my server. Do I need to create a rule to route the traffic? With IPv4 I have the port forwarded so do I need to do something like that with IPv6 or how does that work???

Ser Olmy 07-25-2013 06:55 PM

Quote:

Originally Posted by Soapm (Post 4996821)
This is my point, you can't expect home users to become network admins. I must be missing the boat cuz this sounds like a hackers dream and an ISP's nightmare since most end users just want a connection to facebook and youtube and have no interest in learning to secure a network.

If the Comcast engineers know what they're doing, they will have activated the firewall feature in the router and defined the default setting for inbound traffic as "deny all". That's all it takes to achieve the same level of security.

Of course, if an ISP chooses to hire fools and incompetents as network admins, we may have a problem, but that problem exists whether one runs IPv6 or not. We've probably all heard about ISPs handing out broadband routers with management interfaces exposed to the Internet and "admin"/"admin" as the default credentials, or routers with an active UPnP process bound to the WAN interface.

Quote:

Originally Posted by Soapm (Post 4996821)
One last question, I have a torrent client running on my server. Do I need to create a rule to route the traffic? With IPv4 I have the port forwarded so do I need to do something like that with IPv6 or how does that work???

With IPv4, you need to forward a port from the router's public IP to your non-routable IP address because other clients will need to contact the router's address in order to reach you.

Since your IPv6 address is already routable, you only have to open/allow traffic to the relevant port number in the firewall settings on your router (and possibly in the local firewall on the server as well, if activated). TCP and UDP work the same way with IPv6 as they do with IPv4.

Soapm 07-25-2013 07:32 PM

Cool, I appreciate all the help. I think it's starting to click. I turned on the firewall in the router.

Is there a way to truncate this number 2601:1:87c0:3c::10/64? I keep seeing stuff like fe80:::1 and was wondering if I have to use the whole number to make it static in my /etc/network/interface file?

Would my torrent client use the same port for IPv4 and IPv6 or do I need to assign it a port for IPv6?

Also, this was in my hosts file so I un-commented the entries. Is this correct or does it mean something?
Code:

# The following lines are desirable for IPv6 capable hosts
::1    localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Doing an "ifconfig" I get this fe80::214:d1ff:fe24:8a5a/64 Scope:Link so I was wondering if I need to change the host file to;

Code:

# The following lines are desirable for IPv6 capable hosts
::1    localhost ip6-localhost ip6-loopback
fe80::1 ip6-allnodes
fe80::2 ip6-allrouters

Lastly, is it safe for me to post my ip addresses like this? Or should I change them to new ranges?

Ser Olmy 07-25-2013 08:00 PM

Quote:

Originally Posted by Soapm (Post 4996845)
Is there a way to truncate this number 2601:1:87c0:3c::10/64? I keep seeing stuff like fe80:::1 and was wondering if I have to use the whole number to make it static in my /etc/network/interface file?

2601:1:87c0:3c::10/64 is as short as it gets. Unabbreviated it would look like this: 2601:0001:87c0:003c:0000:0000:0000:0010.

Quote:

Originally Posted by Soapm (Post 4996845)
Would my torrent client use the same port for IPv4 and IPv6 or do I need to assign it a port for IPv6?

The IPv4 and IPv6 sockets are separate (the combination of address, protocol and port number is called a socket), but you can certainly use the same port number for both.

Quote:

Originally Posted by Soapm (Post 4996845)
Also, this was in my hosts file so I un-commented the entries. Is this correct or does it mean something?
Code:

# The following lines are desirable for IPv6 capable hosts
::1    localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


::1 is the IPv6 address for localhost (really 0:0:0:0:0:0:0:1). Unlike IPv4, which assigns an entire network with ~16.78 million addresses (127.0.0.0/8) to the loopback interface, IPv6 uses a single address. Turns out having 16.78 million addresses that refer to oneself is about 16.78 million - 1 more addresses than strictly necessary.

The addresses starting with "ff02" are link-local multicast addresses. They are used to reach hosts or routers performing certain functions, or as in the case of ff02::1, everybody on the network. IPv6 makes extensive use of multicasts, and the broadcast mechanism found in IPv4 has been removed.

Quote:

Originally Posted by Soapm (Post 4996845)
Doing an "ifconfig" I get this fe80::214:d1ff:fe24:8a5a/64 Scope:Link so I was wondering if I need to change the host file

Nope, the "fe80" address is a link-local address generated from the MAC address of the NIC. All IPv6-enabled NICs have these, and they don't need to be referenced anywhere.

Quote:

Originally Posted by Soapm (Post 4996845)
Lastly, is it safe for me to post my ip addresses like this? Or should I change them to new rages?

The only issue I can think of is related to privacy. It is theoretically possible to tie your IPv4 or IPv6 address to your identity, but in your case one would need access to the Comcast customer database to make that connection.

My IPv6 networks are tied to a tunnel which is actually registered in my name, so if I were to post my address online, anybody could easily find the address and name of the tunnel endpoint, and based on that make a qualified assumption as to my identity.

Unless your network is horribly insecure, posting your address online shouldn't be a security risk. A routable address is reachable anyway, and we all get scanned by automated scripts every single day.
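As an added example (not part of the original thread) for the three points in the reply above: it classifies the addresses in the posted /etc/hosts lines (and the fe80::1 / fe80::2 substitution the poster considered, which are unicast addresses and not multicast groups), and it shows how the fe80::214:d1ff:fe24:8a5a link-local address from the poster's ifconfig output is derived from the NIC's MAC address using the modified EUI-64 rule, and recovered from it. The MAC 00:14:d1:24:8a:5a is what that rule yields when run backwards on the posted address; the hosts lines are copied from the thread.

```python
import ipaddress
from typing import Optional

# /etc/hosts lines as posted in the thread (copied here so the example runs offline).
HOSTS_LINES = """
# The following lines are desirable for IPv6 capable hosts
::1    localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
""".strip().splitlines()


def classify(addr: str) -> str:
    """Name the address class the way the reply describes them."""
    a = ipaddress.IPv6Address(addr)
    if a.is_loopback:
        return "loopback"
    if a.is_multicast:
        # Low nibble of the second byte is the multicast scope; 2 = link-local.
        return "link-local multicast" if a.packed[1] & 0x0F == 2 else "multicast"
    if a.is_link_local:
        return "link-local unicast"
    if a.is_private:
        return "unique local (ULA)"
    if a.is_global:
        return "global unicast"
    return "other"


def check_hosts(lines) -> dict:
    """Map each hosts-file address to its class, skipping comments and blanks."""
    out = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr = line.split()[0]
        out[addr] = classify(addr)
    return out


def mac_to_link_local(mac: str) -> str:
    """Modified EUI-64 (RFC 4291, Appendix A): split the 48-bit MAC, insert
    ff:fe in the middle, flip the universal/local bit, prepend fe80::/64."""
    octets = bytes(int(b, 16) for b in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC such as 00:14:d1:24:8a:5a")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + bytes(iid)))


def link_local_to_mac(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 link-local address, or None when the
    interface ID was not built that way (privacy addresses, fe80::1, ...)."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_link_local:
        return None
    iid = bytearray(a.packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    print(check_hosts(HOSTS_LINES))
    print(classify("fe80::1"), "- so it cannot stand in for ff02::1")
    print(mac_to_link_local("00:14:d1:24:8a:5a"))   # fe80::214:d1ff:fe24:8a5a
    print(link_local_to_mac("fe80::214:d1ff:fe24:8a5a"))
```

The reverse mapping is the privacy caveat the reply touches on: an EUI-64 address embeds the NIC's hardware address, so posting it online reveals the MAC (and its vendor prefix) to anyone; hosts that use privacy extensions produce interface IDs without the ff:fe marker, and link_local_to_mac returns None for those.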

Soapm 07-25-2013 08:27 PM

Thanks for all the help. Now I need to get DNS working. This is what I'm getting now that I'm using IPv6.

Code:

me@lenny:/# ping www.google.com
ping: unknown host www.google.com

Code:

me@lenny:/# nslookup www.google.com
;; connection timed out; no servers could be reached

This is the entry in my interface file so I should have gotten DNS via DHCP.

Code:

iface eth0 inet6 dhcp

Ser Olmy 07-25-2013 08:35 PM

What does cat /etc/resolv.conf have to say about your DNS settings?

Soapm 07-25-2013 09:02 PM

Code:

me@lenny:/# cat /etc/resolv.conf
nameserver 2001:558:feed::1
nameserver 2001:558:feed::2


Ser Olmy 07-25-2013 09:24 PM

That looks right, as 2001:558:feed::1 and 2001:558:feed::2 are the addresses of cdns01.comcast.net and cdns02.comcast.net respectively.

Perhaps you're missing a gateway. What's the output of ip -6 route? Does ping6 2a00:1450:4013:c01::6a work?

Soapm 07-25-2013 09:31 PM

Code:

me@lenny:/# ip -6 route
2601:1:87c0:3c::/64 dev eth0  proto kernel  metric 256
fe80::/64 dev eth0  proto kernel  metric 256

Code:

me@lenny:/# ping6 2a00:1450:4013:c01::6a
connect: Network is unreachable

This tells me something is wrong with my ip6 config if it won't ping by ip addy...

Ser Olmy 07-25-2013 09:42 PM

Yep, you don't have a gateway entry in your routing table. It would have looked something like this:
Code:

::/0 via 2601:1:87c0:3c::<something> dev eth0  proto kernel  metric <some number>

Either your router isn't sending out IPv6 Router Advertisement packets, or your PC isn't receiving them. The following tcpdump command will tell you if RAs are being sent:
Code:

tcpdump -i eth0 'icmp6 and (ip6[40+0] == 134)'

(Assuming you have tcpdump installed and that your NIC is eth0, of course.)

If you do see RAs, the problem could be the firewall on the client.
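As an added example (not part of the original thread), here is what the tcpdump filter above is matching and what the missing route looks like when checked programmatically. The script builds a constructed Router Advertisement (router link-local address fe80::1, the poster's prefix, lifetimes and flag values are all made up for the example; the checksum is left at zero), decodes it the way a host would, and parses the `ip -6 route` output the poster pasted to confirm that no default route is present. Offset 40 in the packet is the first ICMPv6 byte when there are no extension headers, which is why `ip6[40] == 134` picks out RAs; the RA's source address (always a link-local fe80:: address) is the next hop a host installs when the router lifetime is non-zero.

```python
import ipaddress
import struct
from typing import Optional

ICMPV6 = 58
ND_ROUTER_ADVERT = 134        # the ICMPv6 type tcpdump's "ip6[40] == 134" matches
OPT_PREFIX_INFO = 3

# "ip -6 route" output as posted in the thread: on-link routes only, no default.
ROUTE_OUTPUT_NO_GW = """2601:1:87c0:3c::/64 dev eth0  proto kernel  metric 256
fe80::/64 dev eth0  proto kernel  metric 256"""


def build_ra(router_ll: str, prefix: str, managed: bool, router_lifetime: int) -> bytes:
    """Constructed sample RA: IPv6 header + ICMPv6 RA + one Prefix Information
    option. Checksum stays zero; this is for offline parsing, not for sending."""
    net = ipaddress.IPv6Network(prefix)
    flags = (0x80 if managed else 0) | 0x40        # M (use DHCPv6) and O bits
    ra = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, router_lifetime, 0, 0)
    # Prefix option: type 3, length 4 (32 bytes), L|A flags, valid/preferred lifetimes
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    opt += net.network_address.packed
    payload = ra + opt
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), ICMPV6, 255)
    hdr += ipaddress.IPv6Address(router_ll).packed + ipaddress.IPv6Address("ff02::1").packed
    return hdr + payload


def parse_ra(pkt: bytes) -> Optional[dict]:
    """Decode an RA that has no extension headers; None if pkt is not one."""
    if len(pkt) < 56 or pkt[0] >> 4 != 6 or pkt[6] != ICMPV6 or pkt[40] != ND_ROUTER_ADVERT:
        return None
    _, _, _, _, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", pkt[40:56])
    info = {
        "router": str(ipaddress.IPv6Address(pkt[8:24])),   # source = candidate gateway
        "managed": bool(flags & 0x80),
        "other": bool(flags & 0x40),
        "router_lifetime": lifetime,
        "prefixes": [],
    }
    off = 56
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0 or off + olen * 8 > len(pkt):
            break                                     # malformed option: stop, never loop
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags = pkt[off + 2], pkt[off + 3]
            pfx = ipaddress.IPv6Address(pkt[off + 16:off + 32])
            info["prefixes"].append((f"{pfx}/{plen}", bool(pflags & 0x40)))  # A = autoconf
        off += olen * 8
    return info


def expected_gateway(pkt: bytes) -> Optional[str]:
    """Next hop a host should install from this RA; None when the router
    lifetime is 0 (the router is saying it is not a default router)."""
    info = parse_ra(pkt)
    if info is None or info["router_lifetime"] == 0:
        return None
    return info["router"]


def default_gateway(ip6_route_output: str) -> Optional[str]:
    """Pull the default next hop out of 'ip -6 route' text; None is the poster's case."""
    for line in ip6_route_output.splitlines():
        f = line.split()
        if f and f[0] in ("default", "::/0") and "via" in f:
            return f[f.index("via") + 1]
    return None


if __name__ == "__main__":
    pkt = build_ra("fe80::1", "2601:1:87c0:3c::/64", managed=True, router_lifetime=1800)
    print(parse_ra(pkt))
    print("gateway from RA:", expected_gateway(pkt))
    print("gateway in table:", default_gateway(ROUTE_OUTPUT_NO_GW))
```

If tcpdump shows RAs arriving but default_gateway-style inspection of `ip -6 route` still finds nothing, the host is dropping or ignoring them: accept_ra disabled, or a host firewall that blocks ICMPv6 type 134 (and the neighbour-discovery types 133 to 137, which must stay open even on a default-deny policy).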

Soapm 07-25-2013 09:43 PM

Got the ping6 working with the fix from this site http://forums.gentoo.org/viewtopic-t...9-start-0.html

Code:

1. Ensure /proc/sys/net/ipv6/conf/*/accept_ra is 1
2. ACCEPT all icmp6 in ip6tables

nslookup still doesn't work.

