Saturday, June 11, 2011

Were you prepared for IPv6 day?

For computers to talk to one another on the Internet, each needs an IP address, an identifier used to determine which device needs to receive a message.

Officially, the jury is out on whether we've run out of IP addresses for the Internet's existing infrastructure (IPv4), in reality we ran out of them in practical terms a decade ago, with ISPs and users using rationing techniques varying from "NAT" (Network Address Translation - a way to have multiple computers share a single address) to "dynamic IP addresses" to manage the severe shortage of addresses compared to the numbers of devices people want attached to the Internet.

The solution, IPv6, is something I've written on before. IPv6 increases the number of IP addresses exponentially, creating enough that every connectible device on the planet could conceivably have 18,446,744,073,709,551,616 addresses by itself (and that's just using the proposed, best practices, number planning system! OK, the real number is somewhat less given the number of reserved networks, but we're still talking about being within an order of magnitude of that number.)

Also important, IPv6 updates the Internet's security model so that the bodges people have relied upon for so many decades to try to keep their machines secure are no longer necessary.

Great, huh? Well, IPv6 isn't compatible with IPv4 - the two can co-exist on the same network, but applications have to explicitly support it, and you don't have an IPv6 network and connection to the Internet unless you've explicitly set it up.

To that end, Wednesday was IPv6 day. IPv6 day gave everyone a chance to check a number of things:
  • That if they configured their services to be available to IPv6 users, that IPv6 users would be able to use them.
  • That if they configured their services to be available to IPv6 users, it wouldn't affect people who only had IPv4 access.
  • To make sure they could use other people's IPv6 services.
  • To make sure there were no major holes in the system that caused a rise in the amount of hacking.
By all accounts, IPv6 day was largely a success. Some users experienced glitches, but for the most part, everything worked this time.

But were you ready? Well, moving over to IPv6 is not as scary or difficult as you might imagine, with the exception of one thing. I'll cover that in a moment.

How to upgrade to IPv6

1. Get a broadband connection

And it has to be "real" broadband, the kind that's usually delivered over a cable (telephone, cable TV) to your house. Some wireless broadband services may work, but you're unlikely to find anything designed for mobile use will work at all. This is because your connection needs to be a proper Internet connection, and mobile links are typically hampered by firewalls and proxies that make using them for anything other than web access extremely difficult.

2. Get the right router

For your home or small office, you probably connect to the Internet via two devices, a "router" and a "modem". The modem - cable or DSL - connects to your ISP's physical network, and the "router" is what allows you to share your connection with all of the computers on your network. Wireless routers are increasingly popular these days, but you may have bought a non-wireless router for security reasons.

Well, the router is the major thing you need to check and possibly upgrade. Newer routers support IPv6 natively, and do so even if your ISP doesn't. One inexpensive router is the D-Link DIR-615 (sponsored link) although I use the slightly more advanced dual band D-Link DIR-815 (also sponsored.) I've used both routers personally, and the two support IPv6 natively, even if your ISP doesn't.


3. Set up your IPv6 connection

You have three options as far as getting an IPv6 connection goes. In order of most preferred to least, they are:
  1. A direct connection from your ISP
  2. 6to4
  3. A tunneled connection from a Tunnel Broker.
All of these options are available for free if they're available, and they all provide the same thing: a block of 18,446,744,073,709,551,616 IPv6 addresses for use as you see fit. Yes, it's that number again, but I'm using it in a slightly different context. Anyway, the point is all three systems give you what's called a "Prefix", which is a huge block of addresses that should cover every single device you could possibly connect to your network, no matter whether it's a single PC or an entire corporation.

Let's discuss each and I'm going to explain how to see if you have them available if you have one of the routers linked to above (or a similar D-Link router) - but if you have another router that supports IPv6, my instructions should be easy to transfer to that one.

A direct connection to your ISP is obviously the preferred way to access the Internet, but be aware there are a few gotchas as far as this route goes. The major issues are:
  • ISPs that offer IPv6 often don't actually offer it as a direct connection, instead providing some kind of tunnel. The reason for this is that many ISPs are still experimenting, and their IPv6 services reflect the fact they're experimenting.
  • Many ISPs don't allow you to configure something called reverse DNS. Reverse DNS is part of the process of identifying computers, and many of the technologies that are used to implement IPv6's IPsec security system require reverse DNS to be working. Right now, that's not a top priority, but it's something that needs to be addressed in the near future.
How can you tell if your ISP provides you with native IPv6 connectivity? For the D-Link routers specified above, do the following:

  • Make sure your router is set up and that your router, not your modem, is managing your Internet connection. For cable modems, that's pretty much the default anyway. For DSL modems, you may have to put your modem into "bridged mode". How to do this is beyond the scope of this article, but if you're confused then your ISP should be able to help.
  • Log in to your router using the web configuration system
  • Go to the Advanced tab
  • Go to the IPv6 page using the menu on the left.
  • Choose "Autoconfiguration" from the "My connection is" drop down.
  • Save the changes.
  • You should discover fairly shortly whether you have a live connection. Go to the Status tab, and select the IPv6 page from the menu on the left. If nothing comes up as the "WAN IPv6 address", and you're using DSL, try changing the type to "PPPoE", and save the changes.
  • If you don't get anything showing up as the "WAN IPv6 address" after a few minutes, this isn't working, and your ISP is not providing native IPv6 connectivity. So, it's time for plan B.
  • If you did get things up and running, go back to that IPv6 configuration page (Advanced->IPv6), and under "LAN ADDRESS AUTOCONFIGURATION SETTINGS", ensure "Enable autoconfiguration" is set, and make sure "Autoconfiguration type" is "stateless". Save the settings, and try IPv6!
If things didn't work, then the next thing to try is 6to4. 6to4 connectivity provides an automatic tunnel through the IPv4 part of the Internet. Your IPv4 address is used to create a range of IPv6 addresses, and anything addressed to those IPv6 addresses gets routed to your router. In theory, the system works with all real Internet connections - as long as you have real, direct, IPv4 connectivity to your router, and your router has a real IPv4 address, you should be able to use it.

In practice, some ISPs are being bloody minded about this (AT&T's Fastaccess system springs to mind - you SEE why I don't want AT&T to take over T-Mobile? AT&T hates innovation, or at least they act is if they do) and they prevent you from using 6to4 by cutting off access to the gateways that make it work. But if you can get it, it's a cheap, easy to set up, efficient way of using IPv6. There's virtually no downside compared to native access from your ISP save for slightly less efficient use of bandwidth. You might even find it works better than native access from your ISP!

So, how do you check if it's available? Well, the procedure is slightly more complicated. First of all, I want you to make sure your own computer supports IPv6. Exactly how you configure that will depend upon your choice of operating system, but I need you to make sure you've done that before you continue with these instructions.

Now you're set up, go back to your router's admin page, log in, and go to Advanced -> IPv6, as you did previously.

  • Change the "My IPv6 connection is" setting to 6to4.
  • Leave everything in the "WAN IPv6 ADDRESS SETTINGS" section blank, even the stuff that looks mandatory.
  • Under "LAN ADDRESS AUTOCONFIGURATION SETTINGS", ensure "Enable autoconfiguration" is set, and make sure "Autoconfiguration type" is "stateless".
  • Save settings
  • Make sure things are set up properly by giving it a minute, and going to Status -> IPv6. If you don't get anything coming up under WAN IPv6 Address, then keep trying, and if nothing's up after five minutes, well, it's just not going to work.
This is half the battle. The other half is making sure you really do have IPv6 connectivity. The problem is that, as I said, some ISPs block certain gateways needed for 6to4 to work, and you need to make sure your ISP isn't one of the. So, if you successfully completed the above steps, do the following:
  • Make sure your PC has an IPv6 address. How you do this is operating system dependent, but in essence you need to make sure you have an address beginning with 2002:. On a PC, open a DOS window, and type "ipconfig | more". On a GNU/Linux box, or a Mac, you can use "ifconfig | more" to do much the same thing. If one of your "interfaces" is listing as having an address looking like 2002:xxxx:yyyy:...(etc) (where xxxx and yyyy are strings of digits and letters) then you have the address. If you don't get one, and you're sure your PC is set up correctly, try rebooting.
  • Once you're sure you have an IPv6 address, open a web browser, and visit http://ipv6.google.com. If Google comes up, your 6to4 system is working!
If things didn't work, then plan C is the way to go. Specifically, getting a connection from a Tunnel Broker.

Now, what is a Tunnel Broker? A Tunnel Broker provides an IPv6 connection over what, in some ways, resembles a VPN (except your router handles the connection part.) Just as with 6to4 and native ISP support, you still get a proper block of IPv6 addresses (a prefix), but unlike the other options, all of your traffic needs to go to and from the broker, which is somewhat inefficient, to put it mildly.

Tunnels are available for free, and one of the most popular is Hurricane Electric's "tunnelbroker.net" service. Just go to that address, sign up for an account, and after you've followed the instructions, configure your router thusly:

  • I know you're about sick of it by now, but log back into your router, and go to Advanced -> IPv6
  • Select "IPv6 over IPv4 tunnel"
  • Under "IPv6 over IPv4 TUNNEL SETTINGS", enter the information TunnelBroker.net gave you.
  • Save the changes
  • Check the status, and wait for everything to work.
By now, one of these three methods should have given you an IPv6 connection.

4. That's it!

Those three steps should have given you an IPv6 network to use. You can, at least, test IPv6 using this, but remember, there's more to IPv6 than a lot more addresses. You also need to think about your network's security, but that's for another article!

No comments:

Post a Comment