April 14, 2005


Take IPv6 Out for a Spin

After perusing O'Reilly's book IPv6 Network Administration (reviewed in Dr. I. Doctor March 31, 2005), I decided to see just how hard it is to get IPv6 up and running. Not hard at all, it turns out. Just a little reading, a free IPv6 connection from Hurricane Electric, and a few minutes tinkering with an old Cisco 2611 router put me on the IPv6 Internet with my own IPv6 address block. I can now surf to any IPv6 site in the world, and run an IPv6 Web server to boot! You can do it too, and you should.

IPv6 is coming, and I have a feeling that momentum is picking up. My experience getting IPv6 operational convinced me that this is one technology every network admin needs to learn. Today I'm starting a continuing thread describing my IPv6 experiences to encourage you to get your feet wet and save you the trouble of the mistakes I make. The first installment describes everything I did to get IPv6 connected.

What's your motivation for learning IPv6, other than to stay on the bleeding edge of network science? What motivated me is the realization that IPv6 is going to save me a lot of work down the road. IPv6 is actually much, much easier to administer than good ol' IPv4. It supports autoconfiguration, so you need never mess with IP address assignments, subnet masks, DHCP, DNS settings, etc., again! You can plug in any device -- even a server -- and have it automatically join an IPv6 network.

IPv6 also means you'll never run out of IP addresses. I know they say "never say never," but this is a provable exception to that rule. The smallest IP block assigned to a single network is sixty-four bits long. This is twice as many bits as the entire 32-bit IPv4 address space currently serving the entire Internet -- for one network! IPv6 also eliminates IP spoofing, which will be the end of spam, and has IPSec built-in, which lets you establish secure device-to-device communications without VPN software or hardware.

I'm only scratching the surface, but these benefits should be enough to whet your appetite. So let's get you on board.

I do my fair share of network scut work: replacing cables, configuring printers, troubleshooting DHCP failures, etc. I found setting up IPv6 no harder than configuring a managed Ethernet switch. All you need is a Cisco router, an IPv6-capable desktop computer (Windows XP or Mac OS X will do nicely), and a spare afternoon. You'll configure the Cisco router to serve as an IPv6 gateway, connecting to the IPv6 backbone via a VPN tunnel. You plug one side of the Cisco into your public Internet connection, and the other side into your test IPv6 LAN. Ordinary Ethernet switches and NICs suffice for your LAN equipment, which can be as simple as a single desktop or notebook computer.

Technically, you don't need the router, but I think using one makes a far more valuable testbed than directly connecting a computer to the IPv6 world. A dual-Ethernet Cisco 2611 will do nicely; you can buy these all day on eBay for under $300. Make sure you're running at least IOS version 12.3 (I used 12.3.13/IP: c2600-i-mz.123-13.bin), with 32MB RAM and 8MB flash.

Before configuring the router, sign up for free IPv6 connectivity via Hurricane Electric's (HE) slick IPv6 Tunnel Broker service. HE gives you a huge IPv6 address block and an unencrypted IPv6 tunnel directly to the HE IPv6 backbone. The tunnel and address space are free -- a public service of HE to help spread the IPv6 gospel. Just visit their site at http://ipv6.he.net, click on IPv6 Tunnel Broker, and follow the instructions. The process is fully automated; I had an IPv6 account in a few minutes. It takes about 24 hours for the tunnel to become operational, but you can start the next step immediately.

If you haven't already done so, this would be a good time to either buy O'Reilly's IPv6 Network Administration, or read it online at O'Reilly's Safari Bookshelf (http://safari.oreilly.com). The critical knowledge you need for now is in Chapter 3: Planning and Chapter 5: Installation and Configuration, but if you have time, read Chapters 1 and 2 to gain a basic knowledge of IPv6 terminology and address formats.

Now you're ready to configure the Cisco router. Here's the exact configuration I used. You should replace the IP addresses in this example with the ones for your own network and IPv6 tunnel. HE's Tunnel Broker actually generates the Cisco router configuration statements for the tunnel interface, so you can just cut and paste that into the listing below:

service nagle
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname ipv6-gateway
!
logging buffered 100000 debugging
no logging console
!
ipv6 unicast-routing
ip subnet-zero
no ip source-route
ip name-server 4.2.2.1
!
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel 
 bandwidth 10000
 no ip address
 ipv6 address 2001:470:1F00:FFFF::865/127
 ipv6 enable
 tunnel source 206.83.0.1
 tunnel destination 64.71.128.82
 tunnel mode ipv6ip
 no shutdown
!
interface Ethernet0
 description Public Internet side of the router
 ip address 206.83.1.254 255.255.255.0
 no shutdown
!
interface Ethernet1
 description My IPv6 LAN
 ip address 206.83.0.1 255.255.255.0
 ipv6 address 2001:470:1F00:1174::1/64
 no shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 206.83.1.1
ipv6 route ::/0 Tunnel0
!
no ip http server
!
line con 0
 transport preferred all
 transport output all
 stopbits 1
line vty 0 4
 transport preferred none
 transport output all
!
end

Here are two gotchas to watch for. First, make sure that you include the IPv6 address block from HE in your router's LAN Ethernet IP address. My block is 2001:470:1F00:1174::/64, so I set the router's LAN interface to the .1 address in that block: 2001:470:1F00:1174::1. If these addresses look bizarre to you, just skim through IPv6 Network Administration Chapters 1 and 2 and you'll get the hang of it.

The second take-care item is to be sure you get this statement:

ipv6 unicast-routing

into the router configuration. If you don't, the router won't route IPv6 packets. This requirement is emphasized in section 5.2.1 of the book, but I missed it the first time (the authors even warn that, "Everyone forgets to turn this on.").
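Both gotchas can be checked mechanically before the configuration goes onto the router. The following Python sketch is an added example, not part of the original post or of any Cisco or HE tooling: the function names (interface_ipv6, tunnel_peer, lint) are hypothetical, and the sample is a constructed subset of the listing above. It also derives the far-end address of the /127 tunnel link, which is the first address worth testing once the tunnel is up.

```python
import ipaddress
import re

# Constructed sample: the lines of the listing above that the checks depend on.
SAMPLE_CONFIG = """\
ipv6 unicast-routing
!
interface Tunnel0
 ipv6 address 2001:470:1F00:FFFF::865/127
 tunnel mode ipv6ip
!
interface Ethernet1
 ipv6 address 2001:470:1F00:1174::1/64
!
ipv6 route ::/0 Tunnel0
"""

def interface_ipv6(config):
    """Map each interface name to the IPv6Interface objects configured on it."""
    found, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):          # top-level line starts a new section
            m = re.match(r"interface\s+(\S+)", line)
            current = m.group(1) if m else None
            if current:
                found[current] = []
        elif current:
            m = re.match(r"\s+ipv6 address\s+(\S+/\d+)", line)
            if m:
                found[current].append(ipaddress.IPv6Interface(m.group(1)))
    return found

def tunnel_peer(iface):
    """Far end of a point-to-point /127 link: same address with the low bit flipped."""
    if iface.network.prefixlen != 127:
        raise ValueError("peer is only well defined for a /127")
    return ipaddress.IPv6Address(int(iface.ip) ^ 1)

def lint(config, routed_block, lan_if="Ethernet1", tunnel_if="Tunnel0"):
    """Return a list of problems; an empty list means both gotchas are avoided."""
    problems = []
    lines = [l.strip() for l in config.splitlines()]
    if "ipv6 unicast-routing" not in lines:
        problems.append("missing 'ipv6 unicast-routing': IPv6 packets will not be routed")
    block = ipaddress.IPv6Network(routed_block)
    addrs = interface_ipv6(config)
    if not any(a.network == block for a in addrs.get(lan_if, [])):
        problems.append(f"{lan_if} has no address inside routed block {block}")
    if f"ipv6 route ::/0 {tunnel_if}" not in lines:
        problems.append(f"no IPv6 default route through {tunnel_if}")
    return problems
```

Call lint() with the text of your own configuration and the routed /64 that the Tunnel Broker assigned to you.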

After you've configured the router, you're ready to test. Plug the router's Ethernet0 port into your Internet connection and the Ethernet1 into your test LAN. Then check to see if your IPv6 tunnel has come up, using the show interface tunnel0 command. You should see the following:

ipv6-gateway>show interface tunnel0
 
Tunnel0 is up, line protocol is up 
  Hardware is Tunnel
  Description: Hurricane Electric IPv6 Tunnel 
  MTU 1514 bytes, BW 10000 Kbit, DLY 500000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 206.83.0.1, destination 64.71.128.82
  Tunnel protocol/transport IPv6/IP, key disabled, sequencing disabled
  Tunnel TTL 255
  Checksumming of packets disabled,  fast tunneling enabled
  Last input 19:13:04, output 19:13:04, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     2 packets input, 320 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     3 packets output, 436 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

The critical status indicators are in the first line: Tunnel0 is up, line protocol is up. If you don't see both "up" indications, then check to make sure the router has Internet connectivity, and that something is plugged into the LAN Ethernet port. A good test is to try and ping your regular Internet gateway.

If the tunnel is up, you can execute your first IPv6 command, a ping to the far end of your IPv6 tunnel. This requires use of Cisco's extended ping command, which means you must first be in the router's privileged ("enable") mode:

ipv6-gateway>enable
ipv6-gateway# ping ipv6
Target IPv6 address: 2001:470:1F00:FFFF::864
Repeat count [5]: 
Datagram size [100]: 
Timeout in seconds [2]: 
Extended commands? [no]: 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:470:1F00:FFFF::864, timeout is 2 seconds:
!!!!!

Those five !!!!! characters mark a momentous rite of passage: your baptism into the world of IPv6. But don't stop there! Try to ping something a little farther out on the Internet:

ipv6-gateway# ping ipv6
Target IPv6 address: 2001:0770:0800:0003::1
Repeat count [5]: 
Datagram size [100]: 
Timeout in seconds [2]: 
Extended commands? [no]: 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:770:800:3::1, timeout is 2 seconds:
!!!!!

How far out is that? Traceroute to it and see:

ipv6-gateway# traceroute 2001:0770:0800:0003::1
Type escape sequence to abort.
Tracing the route to callisto-fe1-0-0-0.cork.core.hea.net (2001:770:800:3::1)
  1 mel.tunnel.tserv1.fmt.ipv6.he.net (2001:470:1F00:FFFF::864) 24 msec 16 msec 20 msec
  2 2001:470:1FFF:2::26 16 msec 16 msec 16 msec
  3 3FFE:80A::C 20 msec 20 msec 20 msec
  4 2001:450:1:1::21 84 msec 80 msec 90 msec
  5 schiphol-tun12.bh.core.hea.net (2001:770:8:12::1) 90 msec 98 msec 90 msec
  6 luna-pos4-0.kil.core.hea.net (2001:770:90:2::1) 91  msec 91 msec 92 msec
  7 hyperion-gige3-0-1.bh.core.hea.net (2001:770:90:5::2) 92 msec 92 msec 92 msec
  8 callisto-fe1-0-0-0.cork.core.hea.net (2001:770:800:3::1) 92 msec 97 msec 92 msec

You've just traveled to HEAnet, Ireland's National Education and Research Network! I'll leave further exploration as an exercise for the reader. In the next installment, I'll describe how to connect and configure an IPv6 desktop computer (hint: just plug it in!) and show you how the process works under the covers.

Posted by Mel Beckman at April 14, 2005 1:44 AM

Comments

I also have an old Cisco 2611 router but it has no clue about IPv6. What IOS version are you running? Mine is:

Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.3(13a), RELEASE SOFTWARE (fc2).

Thanks for the help, Sean

Posted by: Sean Lawless at May 17, 2005 7:02 PM