IPv6 deployment:small development network

From LQWiki

Implementing a small development network using IPv6

http://dons.usfca.edu/buckwalt/ipv6/image024.gif

Figure 3-1 Small Routable Network Diagram

Infrastructure requirements and layout

In this section, we will describe the network layout, design, and an example implementation for a network used by a small software consulting firm. The requirements for this office represent those of technology professionals, whose needs include:

    • All requirements of a SOHO Office, as in the previous section
    • The ability to directly connect to client networks and public internets
    • The ability to keep information and technology resources safe behind a firewall

As in the SOHO case earlier, everything that we wish to accomplish with IPv6 can be done with "off the shelf" components, including Linux as the firewall/router.

Implementation strategy in IPv4

If we were deploying this architecture for an IPv4 environment, we would base it on our previous SOHO configuration, with a couple of notable exceptions:

    • We would use public Internet addresses instead of private addressing, assuming that we do not use Network Address Translation but still require access to miscellaneous resources on the Internet.
    • We would configure a firewall to limit incoming connections to our network
    • We would have to route traffic and therefore establish default routes.
    • We may configure a DNS server to answer DNS requests locally for our growing network. However this is probably not necessary because our ISP likely provides DNS and mail service for us.
    • The firewall’s outside interface (A) is a globally accessible Internet address. The firewall’s inside interface (B) is also a public IP address pool which must be routable. All hosts (D) on the network are on the same subnet as the firewall’s inside interface (B). All web traffic travels through the web proxy (C) to take advantage of filtering, virus scanning, and caching.

Implementation strategy in IPv6

In IPv6, as in the previous example, the implementation is simple and almost identical to the IPv4 deployment. The simplest configuration options would allow us to take advantage of stateless autoconfiguration on a publicly accessible network address space. To do this, we will need to obtain a 64 bit address block from our ISP. We will also need to configure a firewall to block incoming traffic. Our web-proxy is inside of the firewall. Later, we will configure our firewall/router to perform router advertisements through the Neighbor Advertisement and Solicitation mechanism described in Section 1.

Configuring the firewall in Linux

For a long time, Linux has been a favorite inexpensive firewall solution for small businesses and IT professionals. While the default Linux kernel still has a few bugs in its IPv6 stack (IPv6 bugs), we can still implement a suitable firewall for our minimalist purposes.

In our previous SOHO example, we used a configuration script to ensure that the proxy server would initialize the IPv6 interfaces for outbound communication. In this example, the firewall, rather than the proxy server, is the outward facing host and therefore needs the configuration of the IPv6 addresses defined previously. In addition, we will need a 64 bit address allocation block from our ISP for our internal address space (so we can do stateless autoconfiguration). In my firewall, I have 2 interfaces, eth0 which faces inward (or toward the "clean side" of the network) and eth3 (which faces the "dirty" side). The "clean side" will have an address from our 64 bit allocation block "hard-coded" to it while the "dirty side" will have the IPv6 address used originally by our proxy sit0 interface. (Also see the original SOHO example in Section 2.) The revised script will look like this:

 #!/bin/bash
 # The address on eth0 is an arbitrary address on our allocated network
 # (the "clean" side); the /64 is the prefix later advertised to inside hosts.
 /sbin/ifconfig eth0 inet6 add 2001:470:1f00:1040::192.168.1.6/64
 # Bring up the generic IPv6-in-IPv4 tunnel device and point it at the
 # remote tunnel endpoint (the "dirty" side, formerly on the proxy).
 /sbin/ifconfig sit0 up
 /sbin/ifconfig sit0 tunnel ::64.71.128.82
 # sit1 is the resulting point-to-point tunnel; give it our end of the
 # /127 link and send all non-local IPv6 traffic through it.
 /sbin/ifconfig sit1 up
 /sbin/ifconfig sit1 inet6 add 2001:470:1f00:ffff::759/127
 /sbin/route -A inet6 add ::/0 dev sit1

1. First make sure that your system is configured to serve as a firewall AND as an IPv6 host. For the firewall requirement, please see the document Firewall-HOWTO. For the IPv6 host requirement, please refer to the requirements for our SOHO proxy server in the previous section.

2. Next, make sure the netfilter6 package has been installed on the firewall. This can be seen by issuing the following command, and observing the output:

 root@sparta:> ip6tables -L
 Chain INPUT (policy ACCEPT)
 target     prot opt source       destination
 Chain FORWARD (policy ACCEPT)
 target     prot opt source       destination
 Chain OUTPUT (policy ACCEPT)
 target     prot opt source       destination

This happens to be a very poor firewall configuration, but demonstrates that at least the firewall can be configured.

3. Next, we need to create our firewall rules. There are a number of ways to do this, but the best way is to use the "Firewall-HOWTO" guide to determine the proper firewall rules and then make copies of the rules replacing the iptables commands with ip6tables in a separate script. (It is VERY important that you firewall both the IPv4 AND IPv6 protocols on your firewall if you have IPv4 enabled as well. Otherwise, you could inadvertently leave something open on IPv4 that is closed on IPv6.)

My simple IPv6 firewall script is available.

4. Finally, ensure that this script (and its IPv4 counterpart) is executed on every system startup.
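Step 3 warns against copying the IPv4 rules blindly, and the place where a mechanical iptables-to-ip6tables translation goes wrong most often is ICMPv6: an IPv4 rule set that drops ICMP, carried over unchanged, silently breaks Neighbor Discovery and therefore the router advertisements configured in the next section. The Python script below is an added example, not the page's own firewall script and not taken from the Firewall-HOWTO. It generates the ip6tables rule set for the two-interface layout described above, prints it for review, and applies it only when run with --apply. The interface names (eth0 inside, sit1 outside), the inside prefix 2001:470:1f00:1040::/64 and the inside-only SSH rule are assumptions taken from the page's layout; it also assumes a kernel with IPv6 connection tracking (the conntrack match).

```python
"""Added example (not the page's own script): generate and optionally apply an
ip6tables rule set for the firewall described above.

Assumptions (not from the original page): eth0 is the inside ("clean") side,
sit1 is the tunnel to the Internet ("dirty" side), the inside prefix is the
page's 2001:470:1f00:1040::/64, SSH to the firewall is allowed from inside
only, and the kernel has IPv6 connection tracking (the conntrack match).
"""
import subprocess
import sys

# ICMPv6 that must pass for IPv6 to work at all (see RFC 4890): errors 1-4
# (including Packet Too Big, needed for path MTU discovery) and echo 128/129
# are allowed in and through; Neighbor Discovery 133-136 (RS/RA/NS/NA) is
# link-local and only ever terminates on the firewall itself.
ICMPV6_TRANSIT = (1, 2, 3, 4, 128, 129)
ICMPV6_NDP = (133, 134, 135, 136)


def build_rules(inside_if="eth0", outside_if="sit1",
                inside_net="2001:470:1f00:1040::/64", admin_tcp_ports=(22,)):
    """Return the ip6tables invocations, in order, as argv lists."""
    rules = []

    def add(*args):
        rules.append(["ip6tables", *args])

    # Clean slate; default deny for traffic to and through the firewall.
    add("-F")
    add("-X")
    add("-P", "INPUT", "DROP")
    add("-P", "FORWARD", "DROP")
    add("-P", "OUTPUT", "ACCEPT")
    # Anti-spoofing comes first, before any ACCEPT: nothing arriving from the
    # outside may claim a source address in our own prefix.
    add("-A", "INPUT", "-i", outside_if, "-s", inside_net, "-j", "DROP")
    add("-A", "FORWARD", "-i", outside_if, "-s", inside_net, "-j", "DROP")
    add("-A", "INPUT", "-i", "lo", "-j", "ACCEPT")
    # Replies to connections that the firewall or inside hosts started.
    for chain in ("INPUT", "FORWARD"):
        add("-A", chain, "-m", "conntrack", "--ctstate",
            "ESTABLISHED,RELATED", "-j", "ACCEPT")
    # ICMPv6 allowlist by type; a blanket "drop ICMP" copied from IPv4 would
    # break Neighbor Discovery and stateless autoconfiguration.
    for t in ICMPV6_TRANSIT:
        add("-A", "INPUT", "-p", "icmpv6", "--icmpv6-type", str(t), "-j", "ACCEPT")
        add("-A", "FORWARD", "-p", "icmpv6", "--icmpv6-type", str(t), "-j", "ACCEPT")
    for t in ICMPV6_NDP:
        add("-A", "INPUT", "-p", "icmpv6", "--icmpv6-type", str(t), "-j", "ACCEPT")
    # Inside hosts may open connections outward; the Internet may not open inward.
    add("-A", "FORWARD", "-i", inside_if, "-o", outside_if, "-s", inside_net,
        "-j", "ACCEPT")
    # Administration of the firewall itself only from the inside network.
    for port in admin_tcp_ports:
        add("-A", "INPUT", "-i", inside_if, "-s", inside_net, "-p", "tcp",
            "--dport", str(port), "-j", "ACCEPT")
    return rules


def as_script(rules):
    """Render the rules as shell lines, e.g. for review before applying."""
    return "\n".join(" ".join(argv) for argv in rules)


def apply_rules(rules, runner=subprocess.run):
    """Apply the rules in order, then turn on IPv6 forwarding (router role)."""
    for argv in rules:
        runner(argv, check=True)
    runner(["sysctl", "-w", "net.ipv6.conf.all.forwarding=1"], check=True)


if __name__ == "__main__":
    if "--apply" in sys.argv:
        apply_rules(build_rules())
    else:
        print(as_script(build_rules()))
```

Run it without arguments to review the generated rules; the order matters, since the anti-spoofing drops are placed ahead of the ESTABLISHED,RELATED accept so that a forged packet cannot ride on an existing connection entry. The same layout applies to the IPv4 script that step 3 says must exist alongside it.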

Configuring router advertisements in Linux

Once we have a dynamic IPv6 address allocation pool from our ISP, we need to tell our clients that they are to use the addresses. As noted in Section 1 of the document, this is done through the use of router advertisements.

Please keep in mind that there are two types of router advertisements. The first type, discussed here, represents the advertisements that routers give to their end-nodes in the router advertisement and solicitation messages. These advertisements are analogous to the router advertisements given to DHCP clients during the DHCP address allocation process. The advertisements are handled as ICMP traffic. The second type of router advertisement occurs when a routing protocol such as RIP or OSPF sends routing information to other routers so that they can synchronize their routing tables. This type of router advertisement is done through higher level protocols and is discussed in more detail later in this paper.

In Linux, router advertisements are sent by a daemon process called radvd. This program, available from litech, allows us to configure the router advertisement process.

1. Download the source from radvd.

2. Extract the source files from the tarball with the following command:

 $ tar xzf radvd-0.7.2.tar.gz

This creates a directory called radvd-0.7.2.

3. Enter the directory and configure the source:

 $ cd radvd-0.7.2
 $ ./configure --prefix=/usr/local --sysconfdir=/etc \
     --mandir=/usr/share/man

4. Compile the source:

 $ make

5. Install the compiled binaries as the "root" user:

 $ su - root -c "make install"

6. Next, edit the radvd configuration file:

 $ vi /etc/radvd.conf

This is my example (using the network address block given to me by my ISP):

 interface eth0 {
    AdvSendAdvert on;
    # AdvSendAdvert off;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    AdvSourceLLAddress on;
    AdvDefaultLifetime 300;
    AdvHomeAgentFlag off;
    prefix 2001:470:1f00:1040::/64 {
       AdvOnLink on;
       AdvAutonomous on;
       AdvRouterAddr off;
    };
 };

7. The creators of radvd have conveniently created a startup script for us. We need only to copy it and symlink it:

 # cp <src-dir>/redhat/radvd.init /etc/rc.d/init.d/radvd
 # chmod 755 /etc/rc.d/init.d/radvd
 # ln -s /etc/rc.d/init.d/radvd /etc/rc.d/rc3.d/S99radvd
 # ln -s /etc/rc.d/init.d/radvd /etc/rc.d/rc3.d/K01radvd

Once we start the script, our clients should see their new IPv6 addresses appear (as if by magic!):

http://dons.usfca.edu/buckwalt/ipv6/image026.jpg

Figure 3-2 Windows XP Stateless Autoconfiguration Addresses

Amazingly enough, they will also be aware of the proper routing table:

http://dons.usfca.edu/buckwalt/ipv6/image028.jpg

Figure 3-3 Windows XP Stateless Autoconfiguration Routing

At this point, all of our machines can connect directly to the IPv6 Internet through our firewall. At some point, we may consider moving to a DHCP server to reduce the amount of wasted address space, but we have successfully completed a simple network configuration.
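What the clients in Figures 3-2 and 3-3 actually receive is an ICMPv6 Router Advertisement (type 134) whose Prefix Information option carries the prefix, the on-link (AdvOnLink) and autonomous (AdvAutonomous) flags and the lifetimes from radvd.conf; the router lifetime (AdvDefaultLifetime, 300 above) is what installs the default route. Because any host on the segment can send such a message, a rogue or misconfigured RA is the usual way an IPv6 segment ends up with wrong addresses or a wrong default router, so it is worth being able to read these messages and compare them with what our radvd is supposed to send. The following Python code is an added example, not part of the page or of radvd: it builds a constructed RA with the values from the radvd.conf above, parses it back, and checks it against an allowlist of expected prefixes and router MAC addresses. The MAC addresses and the valid/preferred lifetimes are constructed sample values; the hop-limit-255 test that a real monitor would also apply belongs to the IPv6 header, which is outside this message.

```python
"""Added example (not from the page or radvd): build, parse and sanity-check
ICMPv6 Router Advertisements of the kind radvd sends with the configuration
above. The MAC addresses and lifetimes used here are constructed sample values."""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LLADDR = 1         # RFC 4861 option: link-layer address of the router
OPT_PREFIX_INFO = 3           # RFC 4861 option: one advertised prefix
PIO_FLAG_ON_LINK = 0x80       # radvd AdvOnLink
PIO_FLAG_AUTONOMOUS = 0x40    # radvd AdvAutonomous (use the prefix for SLAAC)
PIO_FLAG_ROUTER_ADDR = 0x20   # radvd AdvRouterAddr


def build_ra(prefix, prefix_len, router_lifetime, valid_lifetime,
             preferred_lifetime, on_link, autonomous, router_mac, hop_limit=64):
    """Construct the ICMPv6 payload (checksum left 0; the kernel fills it in)."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                         hop_limit, 0, router_lifetime, 0, 0)
    slla = struct.pack("!BB6s", OPT_SOURCE_LLADDR, 1,
                       bytes.fromhex(router_mac.replace(":", "")))
    flags = (PIO_FLAG_ON_LINK if on_link else 0) | (PIO_FLAG_AUTONOMOUS if autonomous else 0)
    pio = struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, prefix_len, flags,
                      valid_lifetime, preferred_lifetime, 0,
                      ipaddress.IPv6Address(prefix).packed)
    return header + slla + pio


def parse_ra(data):
    """Parse an RA payload into a dict; reject malformed options as RFC 4861 requires."""
    if len(data) < 16:
        raise ValueError("RA shorter than its fixed header")
    typ, code, _csum, hop, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", data[:16])
    if typ != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "source_lladdr": None, "prefixes": []}
    off = 16
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated option header")
        otype, olen = data[off], data[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")  # the whole RA must be discarded
        size = olen * 8  # option length is in units of 8 octets
        body = data[off + 2:off + size]
        if len(body) != size - 2:
            raise ValueError("truncated option body")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred, _res, pfx = struct.unpack("!BBIII16s", body)
            ra["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(pfx)}/{plen}",
                "on_link": bool(pflags & PIO_FLAG_ON_LINK),
                "autonomous": bool(pflags & PIO_FLAG_AUTONOMOUS),
                "router_addr": bool(pflags & PIO_FLAG_ROUTER_ADDR),
                "valid_lifetime": valid, "preferred_lifetime": preferred})
        elif otype == OPT_SOURCE_LLADDR and olen == 1:
            ra["source_lladdr"] = ":".join(f"{b:02x}" for b in body[:6])
        # Unknown options are skipped, as the RFC requires.
        off += size
    return ra


def check_ra(ra, allowed_prefixes, allowed_lladdrs):
    """Return findings for an RA that does not match what our radvd should send."""
    findings = []
    allowed = {ipaddress.IPv6Network(p) for p in allowed_prefixes}
    if ra["source_lladdr"] not in allowed_lladdrs:
        findings.append(f"RA from unexpected router link-layer address {ra['source_lladdr']}")
    if ra["router_lifetime"] == 0:
        findings.append("RA withdraws the default router (router lifetime 0)")
    for p in ra["prefixes"]:
        if ipaddress.IPv6Network(p["prefix"], strict=False) not in allowed:
            findings.append(f"RA advertises unexpected prefix {p['prefix']}")
    return findings


if __name__ == "__main__":
    # Prefix, flags and router lifetime from the radvd.conf above;
    # MAC address and valid/preferred lifetimes are constructed.
    ra = parse_ra(build_ra("2001:470:1f00:1040::", 64, 300, 2592000, 604800,
                           True, True, "00:11:22:33:44:55"))
    print(ra)
    print(check_ra(ra, {"2001:470:1f00:1040::/64"}, {"00:11:22:33:44:55"}))
```

Fed with RA payloads captured on the inside segment, check_ra gives a simple detector for advertisements that did not come from our firewall or that carry a prefix other than the one radvd is configured to announce; an empty list means the clients in Figure 3-2 learned exactly what radvd.conf says they should.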

Internal links

Next section: Campus network

Main article: IPv6 deployment