So, after swearing off almost every possible option of being a geek at home for a significant amount of time, I finally decided I needed to spend some intimate time with IPv6. I had already read about it back in the mid-90’s and studied some of the fundamentals of it as part of my preparation for the CCIE exams. But I had never really put it to operational use, until now. It’s coming. You can’t ignore it anymore. So, it was time to immerse myself in it and lift the veil from my eyes, so to speak.
So, I knew that my broadband provider does not offer native IPv6. Essentially, the only option that leaves me with today is to set up a tunneling service to a natively connected IPv6 host. So, I chose to set up a free account with Hurricane Electric (www.tunnelbroker.net). It takes a couple of minutes to register an account and walk through the process to create a new tunnel. It is super simple. I have a Cisco router so I selected the tunnel config example for Cisco IOS, pasted it into my router and was up and running in minutes. I also had a /48 subnet assigned to my tunnel for local network use.
My first thought was that I had just opened my home network up to the entire IPv6 world without any thought to security, so I immediately shut the tunnel interface down and looked for some configuration notes on securing IPv6. I chose a basic access-list that allows limited ICMP traffic inbound to the router’s external IPv6 tunnel interface and blocks everything else.
ipv6 access-list he-inbound
 sequence 170 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any parameter-problem
 permit icmp any any packet-too-big
 permit icmp any any no-admin
 permit icmp any any time-exceeded
 permit icmp any any hop-limit
 sequence 290 deny icmp any any
 sequence 500 deny ipv6 any any log-input fragments

ipv6 unicast-routing
ipv6 general-prefix TheWaystation 2001:470:C4E6::/48
ipv6 cef
ipv6 cef accounting prefix-length

interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:470:1F10:E9D::2/64
 ipv6 enable
 ipv6 traffic-filter he-inbound in
 tunnel source 18.104.22.168
 tunnel destination 22.214.171.124
 tunnel mode ipv6ip

interface FastEthernet0/0
 ipv6 address 2001:470:C4E6:BABB::1/64
 ipv6 enable
 ipv6 nd prefix 2001:470:C4E6:BABB::/64 infinite infinite
 ipv6 dhcp server Home
 ipv6 inspect firewall6 in

ipv6 route ::/0 2001:470:1F10:E9D::1
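As an added illustration (this is not the post's own code and not anything Cisco ships), the Python script below parses the he-inbound access-list exactly as it appears in the configuration above and runs a few constructed packets through a first-match evaluator, so you can see which inbound traffic the filter admits before ‘ipv6 inspect’ ever looks at it. The tunnel address 2001:470:1F10:E9D::2 and the 2001:470:C4E6::/48 general prefix are the ones from the config; the remote peer 2001:db8::1 and the link-local neighbor-discovery pair are constructed. The ICMPv6 keyword-to-type mapping, the behaviour of the fragments keyword (non-initial fragments only) and the implicit tail of an IOS IPv6 ACL (neighbor discovery permitted, then deny everything) are stated here as assumptions about IOS rather than taken from the post. The last helper also checks that a LAN /64 really belongs to the delegated /48.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Access-list lines copied from the post; the rest of the config is omitted.
ACL_TEXT = """
ipv6 access-list he-inbound
 sequence 170 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any parameter-problem
 permit icmp any any packet-too-big
 permit icmp any any no-admin
 permit icmp any any time-exceeded
 permit icmp any any hop-limit
 sequence 290 deny icmp any any
 sequence 500 deny ipv6 any any log-input fragments
"""

# IOS ICMPv6 keyword -> (type, code); code None means "any code".
# Numbers follow RFC 4443/4861; the keyword mapping is an assumption about IOS.
ICMP_KEYWORDS = {
    "echo-reply": (129, None), "unreachable": (1, None), "no-admin": (1, 1),
    "packet-too-big": (2, None), "time-exceeded": (3, None), "hop-limit": (3, 0),
    "parameter-problem": (4, None), "nd-ns": (135, None), "nd-na": (136, None),
}
ANY = ipaddress.IPv6Network("::/0")

@dataclass
class Packet:
    proto: str                          # "icmp", "tcp", "udp", ...
    src: str
    dst: str
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    non_initial_fragment: bool = False

@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    icmp: Optional[tuple] = None        # (type, code) restriction, if any
    fragments_only: bool = False
    log: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ipv6" and self.proto != p.proto:
            return False
        if (ipaddress.ip_address(p.src) not in self.src
                or ipaddress.ip_address(p.dst) not in self.dst):
            return False
        # 'fragments' matches only non-initial fragments (assumption based on
        # Cisco's documented IPv6 ACL semantics), so a plain packet skips it.
        if self.fragments_only and not p.non_initial_fragment:
            return False
        if self.icmp is not None:
            t, c = self.icmp
            if p.icmp_type != t or (c is not None and p.icmp_code != c):
                return False
        return True

def _net(token: str) -> ipaddress.IPv6Network:
    return ANY if token == "any" else ipaddress.IPv6Network(token, strict=False)

def parse_acl(text: str) -> list:
    """Parse the subset of IOS IPv6 ACL syntax that appears in the post."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "ipv6":     # 'ipv6 access-list NAME' header
            continue
        if tok[0] == "sequence":            # drop the explicit sequence number
            tok = tok[2:]
        action, proto, src, dst, *rest = tok
        rule = Rule(action, proto, _net(src), _net(dst))
        for kw in rest:
            if kw in ICMP_KEYWORDS:
                rule.icmp = ICMP_KEYWORDS[kw]
            elif kw == "fragments":
                rule.fragments_only = True
            elif kw in ("log", "log-input"):
                rule.log = True
        rules.append(rule)
    return rules

# Implicit tail of every IOS IPv6 ACL (assumption about IOS): neighbor
# discovery is permitted, then everything else is dropped without logging.
IMPLICIT_TAIL = [
    Rule("permit", "icmp", ANY, ANY, ICMP_KEYWORDS["nd-ns"]),
    Rule("permit", "icmp", ANY, ANY, ICMP_KEYWORDS["nd-na"]),
    Rule("deny", "ipv6", ANY, ANY),
]

def evaluate(rules: list, p: Packet):
    """Return (action, logged) from the first matching entry; first match wins."""
    for r in list(rules) + IMPLICIT_TAIL:
        if r.matches(p):
            return r.action, r.log
    raise RuntimeError("unreachable: the implicit deny always matches")

def subnets_within(general_prefix: str, lan_prefixes: list) -> bool:
    """True if every LAN /64 is a distinct subnet of the delegated prefix."""
    parent = ipaddress.IPv6Network(general_prefix)
    nets = [ipaddress.IPv6Network(s) for s in lan_prefixes]
    return all(n.subnet_of(parent) for n in nets) and len(set(nets)) == len(nets)
```

Running constructed packets through evaluate() makes two things visible that are easy to miss when reading the list. First, the final deny ipv6 any any log-input fragments entry only matches non-initial fragments, so an ordinary unsolicited TCP or UDP packet falls through to the implicit deny and is dropped without a log entry; if you want those drops logged, a plain deny ipv6 any any log-input entry is needed. Second, the explicit deny icmp any any at sequence 290 sits ahead of the implicit neighbor-discovery permits, so NS/NA would be blocked by this list; that is unlikely to matter on a point-to-point tunnel, but the same list copied onto a LAN interface would break neighbor discovery unless nd-ns and nd-na permits are added.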
I then configured ‘ipv6 inspect’ so that I could initiate connections outbound to the IPv6 Internet while only the return traffic dynamically recorded by the inspection service is permitted back in.
ipv6 inspect max-incomplete low 100
ipv6 inspect max-incomplete high 300
ipv6 inspect udp idle-time 60
ipv6 inspect tcp idle-time 1200
ipv6 inspect tcp finwait-time 8
ipv6 inspect tcp max-incomplete host 100 block-time 1
ipv6 inspect name HE-IPv6 tcp alert on timeout 120
ipv6 inspect name HE-IPv6 udp alert on timeout 60
ipv6 inspect name HE-IPv6 icmp alert off timeout 5
ipv6 inspect name HE-IPv6 ftp alert off audit-trail off timeout 1200
ipv6 inspect name firewall6 tcp alert on timeout 120
ipv6 inspect name firewall6 udp alert on timeout 60
ipv6 inspect name firewall6 icmp alert off audit-trail off timeout 5
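To make the "only return traffic gets in" behaviour concrete, here is a small Python model of what the inspection service is doing with those timers. It is an added example written for this page, not the post's code and not how IOS implements the feature internally: it keeps a table of sessions opened from the LAN side, admits an inbound packet only when it is the reverse of a live session whose idle timer has not expired, and applies the max-incomplete low/high watermarks to half-open TCP sessions by discarding the oldest ones. The idle times (tcp 1200, udp 60, icmp 5) and the watermarks (100/300) are the values from the configuration above; the LAN host 2001:470:c4e6:babb::10 and the outside hosts in 2001:db8::/32 are constructed. The per-host max-incomplete limit, finwait handling and the alert/audit-trail options are deliberately not modelled.

```python
from dataclasses import dataclass

# Values taken from the 'ipv6 inspect' lines in the post (seconds / sessions).
IDLE_TIME = {"tcp": 1200, "udp": 60, "icmp": 5}
MAX_INCOMPLETE_LOW, MAX_INCOMPLETE_HIGH = 100, 300

@dataclass(frozen=True)
class Flow:
    """One session as seen from the inside: inside host -> outside host."""
    proto: str
    inside: str
    outside: str
    inside_port: int
    outside_port: int

class Inspector:
    """Toy model of stateful inspection: only traffic the inside started is
    remembered, and only the matching return traffic is let back in."""

    def __init__(self):
        self.sessions = {}    # Flow -> time the flow was last seen
        self.half_open = {}   # TCP flows still in the handshake -> start time

    def outbound(self, flow: Flow, now: float, syn: bool = False) -> None:
        """Record (or refresh) a session for a packet leaving the LAN."""
        self.sessions[flow] = now
        if flow.proto == "tcp" and syn:
            self.half_open[flow] = now
            self._enforce_watermarks()

    def established(self, flow: Flow) -> None:
        """The TCP handshake finished, so the flow no longer counts as incomplete."""
        self.half_open.pop(flow, None)

    def _enforce_watermarks(self) -> None:
        # Above the high watermark, delete the oldest half-open sessions until
        # the count is back at the low watermark (max-incomplete low/high).
        if len(self.half_open) <= MAX_INCOMPLETE_HIGH:
            return
        oldest_first = sorted(self.half_open, key=self.half_open.get)
        for flow in oldest_first[: len(self.half_open) - MAX_INCOMPLETE_LOW]:
            del self.half_open[flow]
            self.sessions.pop(flow, None)

    def inbound_allowed(self, proto: str, src: str, dst: str,
                        sport: int, dport: int, now: float) -> bool:
        """Admit an inbound packet only if it is the reverse of a live session
        and that session's idle timer has not expired."""
        flow = Flow(proto, dst, src, dport, sport)      # reverse the direction
        last_seen = self.sessions.get(flow)
        if last_seen is None:
            return False                                # unsolicited: dropped
        if now - last_seen > IDLE_TIME.get(proto, 0):
            self.sessions.pop(flow, None)               # idle timer expired
            self.half_open.pop(flow, None)
            return False
        self.sessions[flow] = now                       # refresh the idle timer
        return True
```

The interesting case to try is the UDP one: a DNS reply arriving 30 seconds after the query is admitted, but one arriving more than 60 seconds after the last packet of that session is not, which is exactly the trade-off the udp idle-time value sets. Filling the table with 301 half-open TCP sessions shows the watermark logic cutting the table back to 100 and, as a side effect, silently dropping the replies for the sessions it discarded.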
Once I completed that, I re-enabled the tunnel interface and tested it out by pinging to a couple of public IPv6 hosts and verified that everything worked properly.
Next I set about configuring my local network so that any IPv6-enabled devices would be able to make use of the service. I defined the general prefix 2001:470:c4e6::/48 on my router and then assigned a unique /64 subnet to my wired VLAN and my wireless VLAN. I had to define the prefix to advertise for neighbor discovery so that clients would be able to use address autoconfiguration, so I chose a couple of 4-hex-digit subnet prefixes and defined them as the ‘ipv6 nd prefix’ on each interface. The IPv6-enabled clients on those segments detected the new advertisements and updated their configurations automatically. Both clients were able to ping my router by global and link-local address and reach a public IPv6 DNS server. I then went to test-ipv6.com and verified my IPv6 connectivity. Everything just worked the first time; I was pretty amazed at how simple the setup was.
Once I had connectivity, it was time to see what IPv6 enabled content there was out there to test out. I found a site with a list of cool stuff and picked out a live streaming surveillance camera in Amsterdam. I was pretty impressed that I sustained a 1.5Mbps video/audio stream over a tunneled connection and it worked pretty well.
Now it is time to start lobbying AT&T to provide native IPv6 support on my DSL line.