IPv6
I am totally lost, Comcast just sent my IPv6 capable modem. I am currently what they call double stacked which means I have both IPv6 and IPv4 addresses.
My home network has always been 192.168.X.X. I set all my devices for DHCP but I reserve the address to the device in my router so I can enter the relationship in the hosts file which makes my network routable by host name. This way hostname and IP never change. Now translate what I just said into IPv6 speak. I saw ULA, local-link and god knows what then they go into these long technical dissertations that are waaaay over my head.
The first part of the DHCP IP range which is hardcoded into my router is 260:1:87c:3c; I can't change that part. I want to have about 20 addresses avail. I can change the last part in my router which is 0:0:0:0/64 (full starting address is 260:1:87c:3c:0:0:0:0/64). What would I set the end number to to make a block of 20 addresses? Would it just be 0:0:0:20/64? Also, I have a video server that I would like to have a semi-static address.
Do most routers allow both IPv4 and IPv6 clients or is this double stacking something my ISP does but I probably couldn't do it with Debian etc...? My router seems to give one or the other but not both. |
Good to hear that Comcast is finally deploying IPv6. Consider yourself slightly privileged.
Unlike with IPv4, local IPv6 networks are not meant to be based on non-routable addresses. There are plenty of routable IPv6 addresses to go around (to put it mildly), meaning that NAT is no longer necessary.
You've been allocated a /64 block, which is the smallest IPv6 block you're ever likely to see, and is typically given to end users and small businesses. As an IPv6 address is 128 bits in length, this means that the first 64 bits (260:1:87c:3c) represent your address block, while the other 64 bits are addresses in that block. You have a total of 18,446,744,073,709,551,616 addresses at your disposal (2 to the power of 64). You won't be running out any time soon.
IPv6 addresses can be handed out by a DHCP server, or the clients can generate their own addresses by listening for router advertisements which will tell them the subnet number and identify any routers on that subnet. You are also free to use statically assigned addresses; any address starting with 260:1:87c:3c belongs on your network. To make a certain address range available to DHCP clients, simply tell the DHCP server in your router the desired start and end address of the DHCP scope (or on some DHCP servers, the start address and the desired number of addresses). Exactly how this is done depends on the make and model of the router.
In addition to the routable IPv6 address, each NIC on an IPv6-enabled host will also have a local-link address (fe80:something) which roughly corresponds to the 169.254.x.x IPv4 addresses a DHCP client will assign to itself whenever a DHCP server is not available. Unlike with IPv4, a link-local IPv6 address is always present, even if you have a routable IPv6 address assigned to the same interface. You can safely ignore these addresses.
Important: Remember that you're no longer hiding behind the public IP address of your router. Unless there's a firewall on your router or some other place in the Comcast infrastructure, all your IPv6-enabled hosts will be reachable from the Internet. Enable your firewall and don't run any services you aren't actually using and/or haven't configured properly. |
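One way to act on the advice about unused services, as an added example that is not part of the thread: list which listening sockets a remote IPv6 host could reach if nothing filters inbound traffic. The `ss -H -tuln` sample, the port numbers and the address `260:1:87c:3c::50` are constructed, and the function names are assumptions.

```python
import ipaddress

# Constructed sample of `ss -H -tuln` output (not taken from the thread).
SAMPLE_SS = """\
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 5 [::1]:631 [::]:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
udp UNCONN 0 0 *:51413 *:*
udp UNCONN 0 0 [fe80::1]%eth0:546 [::]:*
tcp LISTEN 0 128 [260:1:87c:3c::50]:8080 [::]:*
"""

def ipv6_scope(local):
    """Classify the 'address:port' column of one ss line."""
    host, port = local.rsplit(":", 1)
    host = host.split("%")[0].strip("[]")  # drop zone id and brackets
    if host == "*":
        return "any", int(port)            # dual-stack wildcard socket
    ip = ipaddress.ip_address(host)
    if ip.version == 4:
        return "ipv4", int(port)           # not reachable over IPv6
    if ip.is_unspecified:
        return "any", int(port)            # [::] means every IPv6 address
    if ip.is_loopback:
        return "loopback", int(port)
    if ip.is_link_local:
        return "link-local", int(port)     # fe80::/10, on-link only
    return "routable", int(port)

def exposed_over_ipv6(ss_output):
    """Return sorted (proto, port) pairs that are bound to a routable
    IPv6 address or to the wildcard, i.e. reachable without a firewall."""
    hits = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        scope, port = ipv6_scope(fields[4])
        if scope in ("any", "routable"):
            hits.add((fields[0], port))
    return sorted(hits)

if __name__ == "__main__":
    for proto, port in exposed_over_ipv6(SAMPLE_SS):
        print(f"{proto}/{port} is reachable over IPv6 unless filtered")
```

Each pair it reports should either be allowed on purpose in the firewall or belong to a service that gets shut down or bound to `::1`.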
Also, do I change the last number to 20 to limit my block of addresses I will give out? Seems like a waste to give me all those addresses then I use only 20. Also, will my Windows machines and Debian clients be able to have both types of IPs (4 and 6) or do they get one or the other? |
The fact that you are "secure" on your local network because your address isn't routable on the public Internet is just a coincidence. As IPv6 becomes increasingly more common, expect to hear about networks being compromised because network admins have become complacent and accustomed to relying on NAT for protection. The IPv6 protocol in itself is more secure. It has, among other things, native support for IPsec encryption. It also allows for faster processing of packets by routers, and implementing IPv6 should lead to a faster and more secure Internet in general.
Note that the numbers are in hexadecimal, so the range 10-23 consists of the addresses 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1a, 1b, 1c, 1d, 1e, 1f, 20, 21, 22 and 23. Also, leading zeros can be omitted and a consecutive range of zeros can be abbreviated as "::":
0260:0001:087c:003c:0000:0000:0000:0010 = 260:1:87c:3c:0:0:0:10 = 260:1:87c:3c::10
|
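The hexadecimal counting and abbreviation rules from the reply above, worked through with Python's `ipaddress` module for a 20-address DHCP pool and a static address beside it. This is an added example, not code from the thread; the function names and the static address `::100` are assumptions.

```python
import ipaddress

PREFIX = "260:1:87c:3c::/64"  # prefix as written in the thread

def dhcp_pool(prefix, first_host, count):
    """Return (first, last) address of a pool of `count` addresses.

    first_host is the host part of the first address as an integer,
    e.g. 0x10 for <prefix>::10.
    """
    net = ipaddress.IPv6Network(prefix)
    if count < 1 or first_host < 0:
        raise ValueError("count must be >= 1 and first_host >= 0")
    last_host = first_host + count - 1
    if last_host >= net.num_addresses:
        raise ValueError("pool does not fit inside " + str(net))
    return net[first_host], net[last_host]

def check_static(address, prefix, pool):
    """A static address must be inside the prefix but outside the pool."""
    addr = ipaddress.IPv6Address(address)
    if addr not in ipaddress.IPv6Network(prefix):
        return "outside prefix"
    first, last = pool
    if first <= addr <= last:
        return "inside DHCP pool"
    return "ok"

if __name__ == "__main__":
    pool = dhcp_pool(PREFIX, 0x10, 20)
    print("pool start:", pool[0], "=", pool[0].exploded)
    print("pool end:  ", pool[1])
    # Starting at host 0 instead, 20 addresses end at ::13, not ::20.
    print("end when starting at ::0:", dhcp_pool(PREFIX, 0, 20)[1])
    # ::100 is a constructed static address for the video server.
    for candidate in ("260:1:87c:3c::20", "260:1:87c:3c::100"):
        print(candidate, "->", check_static(candidate, PREFIX, pool))
```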
One last question, I have a torrent client running on my server. Do I need to create a rule to route the traffic? With IPv4 I have the port forwarded so do I need to do something like that with IPv6 or how does that work??? |
Of course, if an ISP chooses to hire fools and incompetents as network admins, we may have a problem, but that problem exists whether one runs IPv6 or not. We've probably all heard about ISPs handing out broadband routers with management interfaces exposed to the Internet and "admin"/"admin" as the default credentials, or routers with an active UPnP process bound to the WAN interface.
Since your IPv6 address is already routable, you only have to open/allow traffic to the relevant port number in the firewall settings on your router (and possibly in the local firewall on the server as well, if activated). TCP and UDP work the same way with IPv6 as they do with IPv4. |
Cool, I appreciate all the help. I think it's starting to click. I turned on the firewall in the router.
Is there a way to truncate this number 2601:1:87c0:3c::10/64? I keep seeing stuff like fe80:::1 and was wondering if I have to use the whole number to make it static in my /etc/network/interface file? Would my torrent client use the same port for IPv4 and IPv6 or do I need to assign it a port for IPv6? Also, this was in my hosts file so I un-commented the entries. Is this correct or does it mean something?
Code:
# The following lines are desirable for IPv6 capable hosts
Code:
# The following lines are desirable for IPv6 capable hosts
|
The addresses starting with "ff02" are link-local multicast addresses. They are used to reach hosts or routers performing certain functions, or as in the case of ff02::1, everybody on the network. IPv6 makes extensive use of multicasts, and the broadcast mechanism found in IPv4 has been removed.
My IPv6 networks are tied to a tunnel which is actually registered in my name, so if I were to post my address online, anybody could easily find the address and name of the tunnel endpoint, and based on that make a qualified assumption as to my identity. Unless your network is horribly insecure, posting your address online shouldn't be a security risk. A routable address is reachable anyway, and we all get scanned by automated scripts every single day. |
Thanks for all the help. Now I need to get DNS working. This is what I'm getting now that I'm using IPv6.
Code:
me@lenny:/# ping www.google.com
Code:
me@lenny:/# nslookup www.google.com
Code:
iface eth0 inet6 dhcp
|
What does cat /etc/resolv.conf have to say about your DNS settings?
|
Code:
me@lenny:/# cat /etc/resolv.conf
|
That looks right, as 2001:558:feed::1 and 2001:558:feed::2 are the addresses of cdns01.comcast.net and cdns02.comcast.net respectively.
Perhaps you're missing a gateway. What's the output of ip -6 route? Does ping6 2a00:1450:4013:c01::6a work? |
Code:
me@lenny:/# ip -6 route
Code:
me@lenny:/# ping6 2a00:1450:4013:c01::6a
|
Yep, you don't have a gateway entry in your routing table. It would have looked something like this:
Code:
::/0 via 2601:1:87c0:3c::<something> dev eth0 proto kernel metric <some number>
Code:
tcpdump -i eth0 'icmp6 and (ip6[40+0] == 134)'
If you do see RAs, the problem could be the firewall on the client. |
Got the ping6 working with the fix from this site http://forums.gentoo.org/viewtopic-t...9-start-0.html
Code:
1. Ensure /proc/sys/net/ipv6/conf/*/accept_ra is 1
|
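The missing-gateway diagnosis and the accept_ra fix from the last posts, combined into one check. This is an added example, not code from the thread: the `ip -6 route` samples are constructed, the function names are assumptions, and `ra_seen` stands for the result of the tcpdump capture for ICMPv6 type 134 shown earlier.

```python
import re

# Constructed `ip -6 route` output (not the poster's real output).
ROUTES_BROKEN = """\
2601:1:87c0:3c::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
"""
ROUTES_OK = ROUTES_BROKEN + (
    "default via fe80::1 dev eth0 proto ra metric 1024 expires 1790sec\n")

def default_route(route_output):
    """Return (gateway, device) of the IPv6 default route, or None."""
    pattern = re.compile(r"(?:default|::/0)\s+via\s+(\S+)\s+dev\s+(\S+)")
    for line in route_output.splitlines():
        match = pattern.match(line.strip())
        if match:
            return match.group(1), match.group(2)
    return None

def ra_accepted(accept_ra, forwarding):
    """Linux sysctl semantics: accept_ra=0 never accepts RAs, 1 accepts
    them only while forwarding is 0, 2 accepts them even when the host
    forwards packets."""
    return accept_ra == 2 or (accept_ra == 1 and forwarding == 0)

def diagnose(route_output, accept_ra, forwarding, ra_seen):
    """Walk the checks in the order used in the thread."""
    if default_route(route_output):
        return "ok: default route present"
    if not ra_accepted(accept_ra, forwarding):
        return "kernel ignores RAs: check accept_ra and forwarding"
    if not ra_seen:
        return "no RAs on the wire: check the router"
    return "RAs arrive but are unused: check the client firewall"

if __name__ == "__main__":
    # accept_ra=0 reproduces the situation fixed in the last post.
    print(diagnose(ROUTES_BROKEN, accept_ra=0, forwarding=0, ra_seen=True))
    print(diagnose(ROUTES_OK, accept_ra=1, forwarding=0, ra_seen=True))
```

On a live host the two sysctl values come from `/proc/sys/net/ipv6/conf/eth0/accept_ra` and `/proc/sys/net/ipv6/conf/eth0/forwarding`.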