Questions about local ipv6 setup

Trond Endrestøl Trond.Endrestol at fagskolen.gjovik.no
Mon Feb 20 09:46:54 UTC 2017


On Thu, 16 Feb 2017 17:23-0500, Jon Radel wrote:

> On 2/16/17 11:28 AM, Ernie Luzar wrote:
> 
> > 
> > Does ipv6 have a range of non-public routeable ipv4 address that are
> > reserved for LAN use like 10.0.0.0/8 is for ipv4?
> 
> Yes, several different flavors, some of which are not directly
> comparable to anything in ipv4.
> 
> A mandatory address for every ipv6 configured interface is the
> link-local address in fe80::/64.  As suggested by the name, this is an
> address that is only usable on the LAN the interface is attached to,
> these addresses are not routed.  On most modern ipv6 stacks you'll end
> up with one of these automatically, with least significant 64 bits based
> on a transformation of the MAC for the interface.  You can, however,
> assign a different or additional one of these and use that on the LAN.
> 
> Most directly comparable to RFC 1918 addresses would be the unique 
> local addresses in fc00::/7.

> To do it right, you'd use fd00::/8 half of that space, concatenated 
> with a different 40-bit pseudo-random number for each of your LANs.

In my opinion that's overkill, but certainly doable. According to RFC 
4193 (https://tools.ietf.org/html/rfc4193), the Unique Local IPv6 
Unicast Addresses use this format:

| 7 bits |1|  40 bits   |  16 bits  |          64 bits           |
+--------+-+------------+-----------+----------------------------+
| Prefix |L| Global ID  | Subnet ID |        Interface ID        |
+--------+-+------------+-----------+----------------------------+

Generating one prefix for your entire network and using the 16-bit 
field in the middle for your subnet IDs seems more appropriate than 
generating a set of unique prefixes, one for each subnet. YMMV.

Remember to use the fd00::/8 prefix. APNIC has seen the fc00::/8 
prefix on the live Internet, 
https://conference.apnic.net/data/36/apnic-36-ula_1377495768.pdf.

> You could route these anywhere in your network, but not globally.
> 
> After that you get into the weird stuff, such as using ipv4-mapped-ipv6
> space for the RFC 1918 numbers.  I can't think of why this wouldn't
> work, but certainly haven't tried it.
> 
> 
> > 
> > Do any of the 3 freebsd firewalls have ability to do ipv6 NAT?
> 
> Consider avoiding NAT entirely.  One of the beautiful things about ipv6
> is avoiding NAT and all the breakage that results from NAT.  If you're
> actually connected to the ipv6 Internet you should have no trouble
> getting an address for every device you own many times over.
> 
> > 
> > Can the default dhcp client handle ipv6?
> 
> I believe not but haven't checked recently if that is still true.  But
> really, the use case for DHCP is minimal in IPv6.  There are better ways
> to dynamically assign addresses unless you have special requirements.
> See net/dhcp6 and other ports for more.
> 
> > 
> > On my host I run ipfilter firewall, I have done nothing to enable ipv6,
> > but the daily security email shows a list of ipv6 denied packets. Does
> > this mean that ipv6 packets are flowing freely on the public internet?
> > 
> 
> It possibly just means that something else on your LAN is talking ipv6.
> However, it is true that there are an awful lot of ipv6 packets on the
> ipv6 Internet--frankly it would be extremely sad if there weren't.
> There are even a lot of ipv6 packets on the ipv4 Internet, though
> they're all encapsulated in some fashion or another.  But without the
> slightest hint as to whether you're connected to the ipv6 Internet, what
> type of packets they are, and what address they're coming from, it's
> right hard for us to even guess what it all means.
> 
> It could be that your local gateway is configured to send out RA (router
> advertisement) packets routinely.  See
> https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol for more.
> 
> > My current goal is to configure ipv6 to work only between my gateway and
> > LAN nodes. Have been unable to find example on how to accomplish this.
> > Can anyone point me to such documentation.
> 
> Things to try when you've got a bit of ipv6 running:
> 
> ndp -a
> ndp -an
> 
> which show you everything speaking ipv6 on your LAN(s).
> 
> ping6
> traceroute6
> 
> should be obvious.
> 
> If during setup you say you want to use ipv6, you should end up with at
> very least an fe80:: address, which should be sufficient to talk to
> anything else on your LAN that speaks ipv6.  Whether you get more
> depends on what your router is configured to do in regards to NDP, etc.,
> etc.

-- 
+-------------------------------+------------------------------------+
| Vennlig hilsen,               | Best regards,                      |
| Trond Endrestøl,              | Trond Endrestøl,                   |
| IT-ansvarlig,                 | System administrator,              |
| Fagskolen Innlandet,          | Gjøvik Technical College, Norway,  |
| tlf. mob.   952 62 567,       | Cellular...: +47 952 62 567,       |
| sentralbord 61 14 54 00.      | Switchboard: +47 61 14 54 00.      |
+-------------------------------+------------------------------------+
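
Added example, not part of the original message or of FreeBSD: a Python sketch of the RFC 4193 section 3.2.2 procedure for deriving one fd00::/8 /48 prefix, then carving /64 LANs from it with the 16-bit Subnet ID as suggested above. The function names, the use of uuid.getnode() as the MAC source, and the sample values are assumptions made for illustration.

```python
import hashlib
import ipaddress
import struct
import time
import uuid

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01

def mac_to_eui64(mac: int) -> bytes:
    """Expand a 48-bit MAC to modified EUI-64: insert ff:fe, flip the U/L bit."""
    b = mac.to_bytes(6, "big")
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]

def ula_prefix(mac: int, unix_time: float) -> ipaddress.IPv6Network:
    """SHA-1 over (64-bit NTP time || EUI-64); the low 40 bits are the Global ID."""
    seconds = (int(unix_time) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    fraction = int((unix_time % 1) * 2**32)
    digest = hashlib.sha1(struct.pack(">II", seconds, fraction) + mac_to_eui64(mac)).digest()
    global_id = int.from_bytes(digest[-5:], "big")
    # Prefix fc00::/7 with L=1 makes the first byte 0xfd; Global ID follows it.
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))

def subnet(prefix: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Place a 16-bit Subnet ID after the /48 to obtain one /64 LAN prefix."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 prefix and a 16-bit subnet ID")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))

def classify(addr: str) -> str:
    """Tell the locally assigned half (L=1) from the fc00::/8 half (L=0)."""
    ip = ipaddress.IPv6Address(addr)
    if ip in ipaddress.IPv6Network("fd00::/8"):
        return "ULA, locally assigned (fd00::/8)"
    if ip in ipaddress.IPv6Network("fc00::/8"):
        return "ULA range with L=0 (fc00::/8), do not use"
    return "not ULA"

if __name__ == "__main__":
    site = ula_prefix(uuid.getnode(), time.time())  # one prefix for the whole site
    print("site prefix:", site)
    for sid in (0x1, 0x2, 0x10):                    # constructed subnet IDs
        print("  LAN", hex(sid), "->", subnet(site, sid))
    print(classify("fc00::1"))
```
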

