|My week converting to IPv6|
Practical issues with the transition from IPv4 to IPv6
Current IP addressing scheme
Our current addressing scheme on the Internet is based on the IPv4 standard which defines addresses of 32 bits. This gives about 4 billion unique addresses. The world is running out of these IP addresses in the near future. We have heard this mantra for almost ten years now, but nobody seems really afraid of the day when ARIN, RIPE or one of the other Internet Number registries runs out of new addresses. An alternative has been available for a number of years. The IPv6 standard increases the number of bits in IP addresses from 32 to 128. This should be enough to address every single dust particle on our planet. But IPv6 is not a mainstream solution yet. All routers in the main infrastructure of the Internet support IPv6, some technology related companies like Google have converted their services and network structure to IPv6 and large countries like China which only lately appeared on the Internet when an IP address was already a scarce resource use it in part of their national infrastructure. But for the average Joe Surfer and Jane Webmaster, IPv6 is still something from planet Mars.
According to warnings we can find all over the web, it takes roughly another 500 days before the bucket with unassigned IPv4 addresses is empty. From that moment on only IPv6 addresses will be handed out, or new users and devices will be forced to use private range addresses and connect to the global network via proxies or NAT routers.
I don't want to wait until that moment and realize only then that I had to start earlier with preparations. The next week I will try to convert all my Internet connections and networked devices to IPv6. I will not only connect my local network to the Internet with IPv6, but also my servers--as far as my hosting and co-location providers allow me to--and the services I offer like web, email and time servers. I know it will be a week of work, frustration and problems and for that reason alone it would be better to wait for others to convert. But as I am now in a period of renewing or replacing most of my servers and my ISP started a pilot with native IPv6 on their network, I decided to jump in.
In this post I will start with some backgrounds of IPv6. The next post will cover my attempts to convert the first computers and network devices to IPv6.
We all know IPv4 addresses. They are 32 bits wide, and written down in a group of four decimal integers between 0 and 255. They are short with a maximum of 15 characters and relatively easy to remember. Some IP addresses have special meanings like 127.0.0.1 for the local device and 10.x.y.z for addresses which are not globally routeable. IPv6 is different. With 128 bits they are four times as long, and therefore not easy to remember. They are not written down in decimal but in hexadecimal, and to make the confusion complete, there are a number of different ways to write them down.
The basic way to write down an IPv6 number is by separating all hecadecimal digits with a dot. You get an address like:
This representation is not often used in practice, because it is difficult to read and you easily make errors when writing it down. The only time you need this representation is when adding reverse PTR records of IPv6 addresses in an DNS server. For all other uses of IPv6 addresses, the digits are grouped and separated with colons.
The second way to write down an IPv6 address is by grouping the hexadecimal digits in groups of four digits each. The groups are separated with a colon. In this way, the above address becomes
This is still not easy to remember, but errors are easier to spot. We also start to see some logic in the addressing. The first 2001 is the address type. The 0011:abcd defines the subnet. Most of the time you will be assigned a /48 subnet. That means that the first 48 bits of the IPv6 addresses you get are fixed, and you are free to assign values to the other 80 bits for each of the devices in your network. In some cases a /64 subnet is assigned to you where the first 64 bits are fixed. The ISP will route all traffic for destinations where the address begins with 2001:0011:abcd or 2001:0011:abcd:0000 to my internet connection. It is my responsibility to route these addresses further to internal devices. This is where we see the first difference between IPV4 and IPv6. Instead of one IP address which can point to only one device, we get a truckload full of IP addresses which we have to route ourselves.
In our example IPv6 address 2001:0011:abcd is an /48 prefix and 2001:0011:abcd:0000 an /64 prefix. The part of the number what follows the prefix has been assigned by the user. Assuming my ISP has provided me with an /48 prefix, I have assigned 0000:0000:0000:0023:4567 to my local device, for example my desktop computer.
In many cases a full IPv6 address consists of a prefix, followed by many zeros and then a small sub-number for the device. Because of this, there is an extra compression rule to IPv6 addresses. All leading zeros of a hexadecimal group may be omitted, and one or more adjacent groups of 0000 may be totally omitted and rewritten by a double colon ::
After this rule has been applied, the shortest way to write down our example IPv6 becomes
Still not easy to remember, but acceptable. At least much easier than the dot separated address which we started with.
IPv6 and NAT
Almost everyone with a broadband connection makes use of a NAT router. NAT (Network Address Translation) was the poor man's solution to extend the lifetime of the IPv4 addressing scheme. It has become very popular since the introduction and its use has become wider than just reducing the number of assigned global IP addresses. A NAT router listens to outbound data packets from local devices and reroutes these packets to the global Internet, while rewriting the IP address and port number in these packets. Each outgoing packet stream is assigned a unique port number. Incoming packets are scanned for the port numbers and if these port numbers match an existing communication stream or a port number in a fixed routing table, the destination IP address and port number is rewritten and the packet is forwarded to the internal device.
With this setup many devices can share one global IP address. The second advantage is that the local network is closed, unless there is a dynamic or static entry in the routing table of the NAT router which tells the router how to forward incoming packets. This is a very safe approach. No external traffic can reach an internal device, unless the internal devices initiated the communication, or the administrator added a route in the routing table of the router. This makes it relatively safe to connect weak or unprotected devices to the internal network. As long as they don't start communications with the Internet, there is no way harmful packets can reach them directly.
The IPv6 approach is to give every device a unique global address. NAT is seen as a workaround from the IPv4 era and NAT and IPv6 therefore do not work happily together. In the ideal world it is nice to have every device globally addressable, but the Internet is less than ideal. Therefore firewalling traffic becomes much more important than with IPv4, because we cannot rely anymore on the default "all traffic is blocked unless" approach of the current generation NAT routers. Firewalling must either be done in the router, or on each individual device.
Today I received my IPv6 capable ADSL router. Well to be honest, the router is not really IPv6 capable yet. There are currently no SOHO routers on the market with a flawless IPv6 implementation. Many claim they support IPv6, but because almost no ISP offers native IPv6 currently, no small router has been tested on a large scale and they therefore all have their own problems. This model needs a beta software update from the manufacturer to get the basic IPv6 implementation working. Hopefully I will have it setup by tomorrow when I will write the next part of this thread.
Looking forward to watching this unfold.
|This should be enough to address every single dust particle on our planet. |
hehehe, good one.
A question comes to mind regarding host files. Will you enter overriding IPv6 addresses the same as always?
I didn't look in DNS resolving and hosts files with IPv6 yet but I will come to that point in a few days.
Day 2: Installation of the IPv6 SOHO router
Today I replaced my ordinary ADSL router with an IPv6 enabled one. The ISP had a number of recommendations but based on my wishes only one fitted my needs. My office uses fully SIP based telephony and ony one router offered native SIP VoIP connections together with an IPv6 network stack. This router also has some features which I don't use yet but are happy with, like high speed wireless WLAN and an ISDN internal digital telephony connection which I could use to reconnect my old ISDN PBX which is now collecting dust.
As I said in my first post, this router doesn't come with IPv6 out of the box, but needs beta software from the manufacturer. The installation was quite straight forward. I remember when I installed the first ADSL router about ten years ago. It had a sloppy web interface and 90% of the work had to be done via a telnet connection. Nowadays the whole interface is graphical and so easy that everything can be done by people without technical knowledge. At least that was what I thought...
It took me almost two hours to replace my old router with the new one. Not because it was so difficult, but because the manufacturer had all the interesting functionality which they thought a normal user wouldn't need moved to an Expert-mode. And this Expert-mode was only visible if you enabled it in an obscure corner of the menu structure. It is always interesting to see what manufacturers think what should be put under the advanced options which must be hidden for the average Joe User. In my case it were the IPv4 IP address settings for my internal network and the DSL line type. I happened to have an other DSL line type than normal and the default IP range of the router didn't match my current fixed IP address range of my local network. Hence the two hours frustration before I got online.
Besides these basic modem problems, installing IPv6 went fluently. It was just a matter of enabling the IPv6 option in the appropriate menu of the router, selecting one of the four addressing modes and press the Apply button. Within 5 seconds the router presented me the IPv6 /48 address prefix that had been assigned to me by my ISP.
The four addressing modes are important to get the right connection. My ISP now offers on a limited base native IPv6, where the whole path from my computer to the major Internet backbone is IPv6 enabled. But most ISPs don't have their full network IPv6 enabled yet. The modem offers therefore various tunneling protocols as alternative where part of the connection between the router and the backbone is tunneled over an IPv4 network. There are several tunneling protocols and tunnel providers, each with their own settings.
I was impressed by the relatively easy way to connect the router over IPv6 to the Internet. I still have some issues, but these are all related to broken IPv4 functionality after the router switch, but no IPv6 related problems so far.
Converting my Windows 7 laptop
The first computer to convert is my Windows 7 Laptop. Microsoft claims to have built-in IPv6 support in their Windows versions since XP and 2003, so this should be relatively easy. The IPv6 stack was already loaded in the Network configuration and I only had to activate it. It started with fully automatic IP settings determined by the router. I must say that I was somewhat shocked when I saw the IP address that the router had given to me. I was used to IPv4 DHCP servers where the IP addresses are selected from a small private block, often in the 192.168.x.y or 10.x.y.z range. With IPv6 this is totally different. With the /48 network prefix that the ISP had assigned to me, the router had the freedom to choose from 2^80 unique IP addresses and it had done quite a good task to select something random. Only the first four hexadecimal digits were logical, i.e. :0001: which was probably to define the first subnet within my office.
It seems that some routers take the MAC address of the network adapter and sometimes the current time to calculate a unique IP address for a client. This may be adequate for average users who are not interested in what is happening on the network level, but I like some organization in the numbering scheme of my computers and other network devices. How would I ever check if a device is up with a simple ping command? Or do they expect me to type something like ping 2001:0011:abcd:1:11aa:bbcc:ddee:ff12: every time I want to check if an internal computer is reachable?
The router had assigned an equally random IP address to itself. My first goal was therefore to replace the randomly generated IP addresses with new ones. For compatibility I decided to assign each computer an IPv6 IP address which was derived from the last part of the IPv4 address used for that computer. For example, the computer with address 10.0.0.100 would be assigned the IPv6 address 2001:0011:abcd:1::100. Assigning such an address in Windows 7 is easy. The only problem is that you also have to add the IP addresses of the router and the DNS server because if you choose not to use the DHCP server for a client's IPv6 address, it also won't receive the default router and DNS settings.
The problem started when I wanted to change the randomized router IP address to something useful. I couldn't find an option in the firmware, and it may not be possible at all. I filed a support request for that one and hopefully I will be able to change that IP address in a few days.
It took me more time than I expected to get the IPv4 configuration up and running again after the router switch. My plan was to also implement IPv6 on a Windows XP machine, but I will do that tomorrow. But basic IPv6 from my laptop to the Internet is working now, with the following command output as proof:
Pinging www.l.google.com [2a00:1450:8005::68] with 32 bytes of data:
Reply from 2a00:1450:8005::68: time=18ms
Reply from 2a00:1450:8005::68: time=15ms
Reply from 2a00:1450:8005::68: time=16ms
Reply from 2a00:1450:8005::68: time=15ms
hmm, maybe I should crack the ipv6 book that has been sitting on shelf for 8 years
subnetting ipv6...super fun *gag*
Looks like when web hosting companies switch over to IPv6, all websites will have dedicated IP addresses assigned to them. May be all sub domains of a domain will also have dedicated IP addresses assigned to them. I'm looking forward to dawn of this new era.
lammert, two questions ...
- Have you tried assigning static IPv6 addresses to certain devices yet? For example, we have static IPs for certain servers and other network attached hardware (NAS, printers, etc.)
- Can you reserve a range of IPv6 addresses within the subnet on your router?
I didn't convert more devices in my network to IPv6 yet, but spent a day on researching the issue of assigning static IPv6 addresses.
It is no problem to assign a static IPv6 address in Windows 7. You just assign it in the IPv6 protocol settings and it works. But there are two problems which you have to cope with. The first 64 bits of an IPv6 address are assigned by the ISP and the router. In my case that is not a real problem because my ISP assigns static IP addresses to all customers. But many ISPs assign IP addresses which change after each DHCP lease period is over. Some do it because they have a small pool of IP addresses which they have to assign as efficient as possible to all currently active clients, but others do it deliberately because they want to discourage customers to run web or email servers on their home network.
With such an ISP, the first 64 bits of the IPv6 address change every few hours to days. I haven't found a solution yet to assign a partly fixed IP address in which the first part may vary depending on the address prefix assigned by the ISP and router, but with a fixed postfix of 64 bits which I have assigned statically.
But that is not the main problem I found. Static IP addresses will only be used by those who have some understanding of the underlying technology. The average Joe Surfer will just use the internal DHCPv6 server of the router to receive IPv6 addresses. This solves the problem of the varying prefix with many ISPs but it creates a huge privacy issue.
Many routers do not use a random generator to generate the DHCPv6 addresses, but take the MAC address of the network adapter and perform some simple calculations on it. With simple I mean really simple like swapping a few bytes and flipping a few bits. No one-way encrypting with MD5, SHA or even DES. A MAC address of a network adapter is a globally unique 48 bits value which contains information about the manufacturer, adapter model and production number. If this number can be easily derived from a visitors IPv6 address, there is virtually no privacy anymore. It doesn't help if you surf with different browsers, clear caches or disallow cookies, the exposed MAC address will always tell that it is you who is visiting. Even if you have a dual OS install and surf with both Linux and Windows, the other party will know that you are still the same person.
But that is not where it stops. Most network controllers are embedded on motherboards now, so the MAC address also gives a clear indication of the brand and model of the computer you are surfing with. This gives malware distributors more handles to find holes in your system and it is a dream for contextual advertisers. It is just a matter of time before ads will pop up offering you a RAM upgrade because it is known that your model is equipped with less than average RAM, for example.
The privacy issue is a huge problem in my opinion. Until now IPv6 has been the field of the geeks and the technology lovers who may care less of these issues, but with a broad implementation of IPv6, router manufacturers should repair their DHCPv6 address generators in such a way that reverse engineering of the IPv6 address to a MAC address isn't possible anymore. And ideally the assigned IPv6 address should change often enough to not become a replacement for cookies, or worse, a replacement for the Processor Serial Number [google.com], which was introduced by Intel in the Pentium III but discontinued in later processor models because it had raised too many questions about privacy.
coopster, regarding the assignment of static IP addresses or even subnets:
The router I use now always generates the subnet :0001: and there is no way to change that yet. The IPv6 part of the firmware is in development and there will be more functionality in future releases, but I can't control any subnetting at this moment. Even worse, the last 64 bits of the IPv6 address of this router are fixed, and directly calculated from the MAC address. The manufacturer has confirmed me that there is no way to assign another internal IPv6 address to the router yet and they will raise it to the level of bug/enhancement to get that fixed in the future.
My plan was to make some basic division of subnets and even try to reroute a subnet to an external server, but that is going to be difficult, if not impossible.
I just discovered a third way to assign local IPv6 addresses. If no fixed IPv6 address is entered in Windows and the router is not configured to generate local IP addresses, computers can generate IP addresses themselves which change periodically. These addresses conform to the RFC3041 privacy extensions for IPv6. In that case you get fully random addresses which change so often that your activities on the Internet can't be traced, but at the same time make local IP management or the setup of static server addresses impossible.
With every new IPv6 solution you get two new problems it seems.
The basic design flaw in IPv6 as I see it now is that when they invented it in the nineties they wanted to uniquely and globally identify every networked device in one hierarchical address space. The world has changed with more focus on social issues and privacy and less on universal interconnectivity and technological possibilities. Where IPv4 with a NAT router gives the best of both worlds, i.e. local fixed and logical understandable addresses and privacy by hiding the local network specifics to the outside world through the NAT router, the single global addressing scheme of IPv6 has no possibilities for that. The world moved on to 2010, while the standard remained in the vision of 1990.
This is not a minor problem which can be fixed with things like the RFC3041 privacy extensions or another quick fix. The lack of separation of the global and local addressing schemes is a major design flaw of IPv6.
I just discovered a third way to assign local IPv6 addresses. If no fixed IPv6 address is entered in Windows and the router is not configured to generate local IP addresses, computers can generate IP addresses themselves which change periodically
that would be called Automatic Private IP Addressing (APIPA)
Converting Windows XP to IPv6
I have a mixed group of computers here, mainly because of my work. Most of them run operating systems which don't understand IPv6 and will never do. It is obvious that Microsoft won't release updates for my Windows 95 and Windows 2000 laptops because these devices are not supported anymore, but I was a little bit disappointed that also my Windows Mobile 2003 PDA has no IPv6 support. Even though when this OS was launched, it was rumored that IPv6 would be implemented. The only other Microsoft OS I have here which could be a candidate for conversion is Windows XP with service pack 3.
The installation of IPv6 on XP took one more step than on Windows 7. On Windows 7 the IPv6 protocol has already be loaded and only has to be activated, on XP you have to install the protocol first, which takes another 15 or 20 seconds. After it had been succesfully installed I couldn't change the properties button and I therefore restarted the box. A normal procedure for a Microsoft system if an installation seems to have been completed for only 90%.
After the OS came back up, I was immediately able to ping Google on its IPv6 address. So everything was working fine, including receiving the IPv6 address of my ADSL router over the network. But the Properties button in the network settings was still gray. It took me some time to realize that Microsoft didn't allow me to change any of the IPv6 settings, including the own IP address or the IP address of the router. There may be some settings in the registry which could be used for that but that is something out of the reach of most XP users. So for now is my conclusion that if you want to work with IPv6, you have to accept the default settings and there is no way to structure the IP addresses of your internal network in any way.
Converting Linux to IPv6
I have a number of Linux versions here. Some old fashioned Debian 3 installations are mainly used for testing and developing stuff for specific customers and they have to be fully compatible with those customer's system. Even though converting might be possible, I therefore won't touch these boxes. That leaves only my PlayStation 3 running Yellow Dog Linux and my Centos 5.4 installations to be converted to IPv6. IPv6 is present in all modern Linux kernels and the only thing you have to do is to switch it on. Centos and Yellow Dog linux are family members in the same Linux source tree and configuration files are therefore on the same location. In short, add the following line to /etc/sysconfig/network
and the following two lines to /etc/sysconfig/network-scripts/ifcfg-eth0
|IPV6ADDR=<the box IPv6 address> |
IPV6_DEFAULTGW=<the router IPv6 address>
restart the network services and it should work.
Yes, you have read it well, it should work, but it didn't. Two problems were preventing me from pinging www.google.com on it's IPv6 address.
Linux vs. Windows approach
After having played with IPv6 on Windows for a few days, I thought that ping www.google.com would automatically try to ping on the IPv6 address. This is not the case and the difference is in the approach Microsoft has taken versus the Linux approach.
Microsoft develops software for users. In their way of thinking about IPv6, they have decided that most users don't know anything about protocols, network packets, addressing or routing. The network connection should work with very few manual intervention, and the OS should solve problems related to the underlying protocol. Therefore all utilities and software I have tested on Windows take an approach where they automatically first search for an AAAA (IPv6) record for a domain name, and use an IPv4 A record only if there is no IPv6 version available. Ping, tracert and browsers will therefore connect you automatically over IPv6, unless it isn't available.
Linux is different. Linux was written by geeks for geeks, and geeks seem to want to be in control of everything, including low level network packet addressing when they in fact are working on a high level application level. This has caused a strange, and in my opinion wrong approach by duplicating network tools into a IPv4 and an IPv6 version. You have ping for IPv4 and ping6 for IPv6. traceroute for IPv4 and traceroute6 for IPv6. The tool nslookup under Windows automatically gives you the A and AAAA records if you provide a domain name, the Linux version requires you to first set the query type with the command type=AAAA, before you see the IPv6 address of a domain. But you won't see IPv4 addresses once you have done this.
Although I have above average technological knowledge, I love the Microsoft approach. In cases where you need to specificy the protocol you want to use, you simply add the -4 or -6 option to the ping or tracert command line and it will use IPv4 or IPv6 addressing only. It hides the technological layers, unless you need to see them. And it makes an easy transition from IPv4 to IPv6 also easier than the separated approach used in Linux.
Google and IPv6
It may look like this section is a rant on Google. It isn't. In fact Google is the only Alexa top 100 company who have made a lot of their services available under IPv6. But this problem really needs a fix.
With the knowledge I had gained that Linux uses ping6 to check connectivity with IPv6 devices, I tried that to see if I could make a connection with www.google.com over IPv6.
It didn't work. :(
The ping6 command could reach my local devices, my router and after some testing it could also ping to bare IPv6 addresses over the Internet. But I couldn't get IPv6 to work with normal domain names. It seemed that www.google.com didn't resolve to an IPv6 address, even though it did work under Windows 7 and Windows XP. It took me quite some time to understand the reason, but after a number of tries, I discovered that Google was the source of this problem. Look at the following screen dump I made from my test Linux system.
|-bash-3.2$ nslookup |
> set type=AAAA
> server 10.0.0.138
Default server: 10.0.0.138
www.google.com canonical name = www.l.google.com.
www.l.google.com has AAAA address 2a00:1450:8001::63
www.l.google.com has AAAA address 2a00:1450:8001::68
www.l.google.com has AAAA address 2a00:1450:8001::93
Authoritative answers can be found from:
> server 184.108.40.206
Default server: 220.127.116.11
www.google.com canonical name = www.l.google.com.
www.l.google.com canonical name = www-tmmdi.l.google.com.
Authoritative answers can be found from:
In the first part, I use the local address 10.0.0.138 of my ADSL router as a DNS server. It forwards queries to the DNS server of my ISP and gives correct answers on my IPv6 queries. In the second part I used server 18.104.22.168 as a DNS server, which is Google's public DNS server [webmasterworld.com]. That IP address was set up as default for DNS resolving on my test Linux box. Google's public DNS server doesn't resolve IPv6 addresses. It doesn't even resolve the IPv6 address of Google's own main domain name. This means that all people who have done a quick install of their DNS settings with the 22.214.171.124 and 126.96.36.199 addresses, won't have any outbound IPv6 connectivity, even if their ISP supports it and all the other local settings are correct.
Administration of IPv6 networks
In my next post I will focus more on hosts files, setting up DNS servers and firewalling.
An update on the Google IPv6 DNS problem
The Google DNS server 188.8.131.52 seems to produce AAAA records for other domains than google.com, and at the same time AAAA records for google.com are also not available via some general IPv4 DNS resolvers I tried. For some reason Google is blocking deliberately the advertising of their AAAA records to clients if they are not damn sure that the client understands the IPv6 protocol. This may be related to the incompatibility of a small percentage of client configurations with IPv6, as described in this other thread [webmasterworld.com].
regarding ping6 and friends ... how about creating your own shell commands for ping and friends and use alias to set your version as default? Your shell script could check for a -4 or -6 switch and handle accordingly, defaulting to -6, of course. It seems to me that would work and then you can have a *nix command similar to what you like about the MS command.
There is some hope regarding traceroute and traceroute6. Both tools are in fact the same executable where traceroute6 is a symbolic link to traceroute. You already have the -4 and -6 options for traceroute to force IPv4 or IPv6 resolving. I could live with using traceroute and force IPv6 resolving with a flag when I need it.
But ping and ping6 is a different story. These are two different executables which need a shell script as wrapper to make the underlying calls invisible to the user. And nslookup is even a bigger problem because you have to set the record type manually.
And while testing IPv6 connectivity under Linux I discovered more. One CentOS 5.4 server here is still not converted to IPv6. There is a setting NETWORKING_IPV6=no in /etc/sysconfig/network and I have no IPv6 address or IPv6 router address assigned. But a traceroute6 from this computer to www.google.com works without problems. Also ping6 to my local Windows 7 laptop works, although as far as I know IPv6 shouldn't be enabled on this Linux server. I am puzzled by this. It would indicate that IPv6 is enabled in some way on default CentOS installations without the users knowing it. Most people don't have an IPv6 firewall running on their Linux servers which would mean that as soon as the ISP or data center network becomes able to transport native IPv6 packets, your server might become attacked without you knowing it. I am digging further into this issue, because I want to know how the IPv6 address was assigned to this server, and how it obtained the router address.
How do I find out the mac address of my IPv6 Windows 7 netbook, and use it to do mac authentication on my ipv4 wireless router?
The easiest way to look up your MAC address is to open a command prompt and start the command ipconfig /all. The Physical Address is the MAC address. Every network adapter has its own MAC address, so you have to search for the Physical Address of the adapter which connects directly to your router.