Questions about local ipv6 setup
Trond Endrestøl
Trond.Endrestol at fagskolen.gjovik.no
Mon Feb 20 09:46:54 UTC 2017
On Thu, 16 Feb 2017 17:23-0500, Jon Radel wrote:
> On 2/16/17 11:28 AM, Ernie Luzar wrote:
>
> >
> > Does ipv6 have a range of non-public routable ipv4 addresses that are
> > reserved for LAN use like 10.0.0.0/8 is for ipv4?
>
> Yes, several different flavors, some of which are not directly
> comparable to anything in ipv4.
>
> A mandatory address for every ipv6 configured interface is the
> link-local address in fe80::/64. As suggested by the name, this is an
> address that is only usable on the LAN the interface is attached to,
> these addresses are not routed. On most modern ipv6 stacks you'll end
> up with one of these automatically, with least significant 64 bits based
> on a transformation of the MAC for the interface. You can, however,
> assign a different or additional one of these and use that on the LAN.
>
> Most directly comparable to RFC 1918 addresses would be the unique
> local addresses in fc00::/7.
> To do it right, you'd use the fd00::/8 half of that space, concatenated
> with a different 40-bit pseudo-random number for each of your LANs.
In my opinion that's overkill, but certainly doable. According to RFC
4193 (https://tools.ietf.org/html/rfc4193), the Unique Local IPv6
Unicast Addresses use this format:
| 7 bits |1|  40 bits   |  16 bits  |          64 bits           |
+--------+-+------------+-----------+----------------------------+
| Prefix |L| Global ID  | Subnet ID |        Interface ID        |
+--------+-+------------+-----------+----------------------------+
Generating one prefix for your entire network and using the 16-bit
field in the middle for your subnet IDs seems more appropriate than
generating a set of unique prefixes, one for each subnet. YMMV.
Remember to use the fd00::/8 prefix. APNIC has seen the fc00::/8
prefix on the live Internet,
https://conference.apnic.net/data/36/apnic-36-ula_1377495768.pdf.
> You could route these anywhere in your network, but not globally.
>
> After that you get into the weird stuff, such as using ipv4-mapped-ipv6
> space for the RFC 1918 numbers. I can't think of why this wouldn't
> work, but certainly haven't tried it.
>
>
> >
> > Do any of the 3 freebsd firewalls have ability to do ipv6 NAT?
>
> Consider avoiding NAT entirely. One of the beautiful things about ipv6
> is avoiding NAT and all the breakage that results from NAT. If you're
> actually connected to the ipv6 Internet you should have no trouble
> getting an address for every device you own many times over.
>
> >
> > Can the default dhcp client handle ipv6?
>
> I believe not but haven't checked recently if that is still true. But
> really, the use case for DHCP is minimal in IPv6. There are better ways
> to dynamically assign addresses unless you have special requirements.
> See net/dhcp6 and other ports for more.
>
> >
> > On my host I run ipfilter firewall, I have done nothing to enable ipv6,
> > but the daily security email shows a list of ipv6 denied packets. Does
> > this mean that ipv6 packets are flowing freely on the public internet?
> >
>
> It possibly just means that something else on your LAN is talking ipv6.
> However, it is true that there are an awful lot of ipv6 packets on the
> ipv6 Internet--frankly it would be extremely sad if there weren't.
> There are even a lot of ipv6 packets on the ipv4 Internet, though
> they're all encapsulated in some fashion or another. But without the
> slightest hint as to whether you're connected to the ipv6 Internet, what
> type of packets they are, and what address they're coming from, it's
> right hard for us to even guess what it all means.
>
> It could be that your local gateway is configured to send out RA (router
> advertisement) packets routinely. See
> https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol for more.
>
> > My current goal is to configure ipv6 to work only between my gateway and
> > LAN nodes. Have been unable to find example on how to accomplish this.
> > Can anyone point me to such documentation.
>
> Things to try when you've got a bit of ipv6 running:
>
> ndp -a
> ndp -an
>
> which show you everything speaking ipv6 on your LAN(s).
>
> ping6
> traceroute6
>
> should be obvious.
>
> If during setup you say you want to use ipv6, you should end up with at
> very least an fe80:: address, which should be sufficient to talk to
> anything else on your LAN that speaks ipv6. Whether you get more
> depends on what your router is configured to do in regards to NDP, etc.,
> etc.
--
+-------------------------------+------------------------------------+
| Vennlig hilsen, | Best regards, |
| Trond Endrestøl, | Trond Endrestøl, |
| IT-ansvarlig, | System administrator, |
| Fagskolen Innlandet, | Gjøvik Technical College, Norway, |
| tlf. mob. 952 62 567, | Cellular...: +47 952 62 567, |
| sentralbord 61 14 54 00. | Switchboard: +47 61 14 54 00. |
+-------------------------------+------------------------------------+
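
Added example, not part of the original post: a Python sketch of the RFC 4193 layout discussed above, deriving one fd00::/8 site prefix from a 40-bit pseudo-random Global ID and filling the 16-bit Subnet ID field to get a /64 per LAN. The function names are hypothetical, `time.time_ns()` stands in for the NTP timestamp, and the EUI-64 expansion is simplified.

```python
import hashlib
import ipaddress
import time
import uuid

ULA_RANGE = ipaddress.ip_network("fc00::/7")   # whole unique-local block
ULA_LOCAL = ipaddress.ip_network("fd00::/8")   # L bit = 1, locally assigned


def global_id(timestamp=None, eui64=None):
    """40-bit Global ID in the style of RFC 4193 section 3.2.2:
    SHA-1 over (time || interface identifier), keep the low 40 bits."""
    if timestamp is None:
        timestamp = time.time_ns()             # stand-in for the 64-bit NTP time
    if eui64 is None:
        mac = uuid.getnode().to_bytes(6, "big")
        eui64 = mac[:3] + b"\xff\xfe" + mac[3:]   # simplified EUI-64 expansion
    data = (timestamp & (2**64 - 1)).to_bytes(8, "big") + eui64
    return int.from_bytes(hashlib.sha1(data).digest()[-5:], "big")


def site_prefix(gid):
    """0xfd (7-bit prefix plus L=1) followed by the Global ID gives a /48."""
    if not 0 <= gid < 2**40:
        raise ValueError("Global ID must fit in 40 bits")
    return ipaddress.IPv6Network(((0xFD << 120) | (gid << 80), 48))


def subnet(site, subnet_id):
    """Fill the 16-bit Subnet ID field to get one /64 per LAN."""
    if site.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 site prefix and a 16-bit subnet ID")
    return ipaddress.IPv6Network((int(site.network_address) | (subnet_id << 64), 64))


def classify(addr):
    """Separate the locally assigned fd00::/8 half from the fc00::/8 half."""
    ip = ipaddress.ip_address(addr)
    if ip in ULA_LOCAL:
        return "ula-local"
    return "ula-fc00" if ip in ULA_RANGE else "not-ula"


if __name__ == "__main__":
    site = site_prefix(global_id())
    print("site prefix:", site)
    for sid in (0x1, 0x10):                    # constructed subnet IDs
        print("  subnet", hex(sid), "->", subnet(site, sid))
```

Generate the Global ID once and record the resulting /48; every LAN then differs only in the Subnet ID field.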