One of the things I can’t currently do with two ISPs I connect with is native IPv6 (with a static prefix). In the meantime, I’ve sourced IPv6 tunnels as close to my physical location as possible. Currently I have this setup in New Zealand, on a Christchurch VDSL connection with a tunnel broker to Wellington. In this post I will demonstrate the configuration required to get this up and running nice and quickly on your network. This will be based on Junos OS. Because I’m working with SRX here, we need to check the status of IPv6 and enable this if it isn’t already:
perrin@srx-nz# run show security flow status
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
  Advanced services data-plane memory mode: Default
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based
The Inet6 forwarding mode is drop, so IPv6 is disabled. We need to enable it and then reboot the router.
perrin@srx-nz# set security forwarding-options family inet6 mode flow-based
perrin@srx-nz# commit check
warning: You have enabled/disabled inet6 flow.
You must reboot the system for your change to take effect.
If you have deployed a cluster, be sure to reboot all nodes.
configuration check succeeds
The first thing you’ll need to do is sign up to a tunnel broker. I won’t name names; these are easily found with a quick Google search. Basically, a tunnel broker provides a means to connect to the IPv6 network, which as of today (24/1/14) has about 16482 prefixes. This is achieved by routing the IPv6 traffic via an IPv4 tunnel until it reaches a destination that can route natively with IPv6. This is what I have done via an IPIP tunnel with my tunnel broker, as follows:
set interfaces ip-0/0/0 unit 2 description "inet6.0 - TUNNEL_SERVICE - Tunnel to xxxx xxxx"
set interfaces ip-0/0/0 unit 2 tunnel source 202.124.x.x
set interfaces ip-0/0/0 unit 2 tunnel destination 202.21.x.x
set interfaces ip-0/0/0 unit 2 family inet
set interfaces ip-0/0/0 unit 2 family inet6 mtu 1480
set interfaces ip-0/0/0 unit 2 family inet6 address 2001:4428:x:x::2/64
Cool, so if you’re familiar with IPIP tunnels, you’ll know they encapsulate IP traffic in a new IP header with new source and destination addresses. This is reasonably simple and has less overhead than a GRE tunnel, which is good for my DSL connections. The tunnel broker assigned me a /64 for the tunnel and then another /64 to assign to my LAN. As you can see above, the tunnel source and destination fields take your local external IPv4 address and the tunnel broker’s IPv4 address.
set interfaces vlan unit 5 family inet6 address 2001:4428:200:x::x/64
Vlan 5 is the SVI I use on my LAN, which is where I need to assign the IPv6 addresses. To do this, I use router advertisements.
set protocols router-advertisement interface vlan.5 prefix 2001:4428:200:8x::/64
This assigns global IPv6 addresses to all the compatible devices.
perrin@server:~$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:12:79:bd:d6:8b
          inet addr:192.168.1.50  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: 2001:4428:200:812e:x:x:x:x/64 Scope:Global
          **output omitted**
Naturally, to route traffic out of the local network we need a default route pointing to the IPv6 address at the other end of the IPIP tunnel:
set routing-options rib inet6.0 static route ::/0 next-hop 2001:4428:200:x::1
That’s pretty much it to be honest. Simple IPv6 routing. Be sure to find a destination as close as possible to you to eliminate any potential unnecessary latency.
To verify, I would test both on the router and the host that has been assigned the addresses dynamically.
perrin@srx-nz> ping 2001:4428:200:x::1 source 2001:4428:200:x::2
PING6(56=40+8+8 bytes) 2001:4428:200:x::2 --> 2001:4428:200:x::1
16 bytes from 2001:4428:200:x::1, icmp_seq=0 hlim=64 time=46.450 ms
16 bytes from 2001:4428:200:x::1, icmp_seq=1 hlim=64 time=43.979 ms
16 bytes from 2001:4428:200:x::1, icmp_seq=2 hlim=64 time=45.496 ms
16 bytes from 2001:4428:200:x::1, icmp_seq=3 hlim=64 time=46.494 ms
^C
--- 2001:4428:200:x::1 ping6 statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 43.979/45.605/46.494/1.020 ms
Just a note here: Chorus NZ is running a very harsh DLM profile on my VDSL, resulting in a 35ms last mile latency…

And from the host:
perrin@server:~$ ping6 google.com
PING google.com(2404:6800:4006:806::1000) 56 data bytes
64 bytes from 2404:6800:4006:806::1000: icmp_seq=1 ttl=52 time=78.2 ms
64 bytes from 2404:6800:4006:806::1000: icmp_seq=2 ttl=52 time=78.2 ms
64 bytes from 2404:6800:4006:806::1000: icmp_seq=3 ttl=52 time=78.9 ms
64 bytes from 2404:6800:4006:806::1000: icmp_seq=4 ttl=52 time=81.9 ms
^C
--- google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 78.234/79.351/81.942/1.549 ms

perrin@server:~$ ping6 snap.net.nz
PING snap.net.nz(cookiemonster.snap.net.nz) 56 data bytes
64 bytes from cookiemonster.snap.net.nz: icmp_seq=1 ttl=59 time=47.7 ms
64 bytes from cookiemonster.snap.net.nz: icmp_seq=2 ttl=59 time=47.1 ms
64 bytes from cookiemonster.snap.net.nz: icmp_seq=3 ttl=59 time=47.8 ms
64 bytes from cookiemonster.snap.net.nz: icmp_seq=4 ttl=59 time=47.9 ms
64 bytes from cookiemonster.snap.net.nz: icmp_seq=5 ttl=59 time=49.4 ms
^C
--- snap.net.nz ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 47.150/48.014/49.429/0.771 ms
That’s it. Enjoy, but remember: you’ve now opened up your router to the IPv6 internet, so make sure you secure your RE in the same way you would with IPv4 traffic for things like SSH, SNMP and any other protocols you may run on the internet.
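One way to apply that advice is an inet6 firewall filter on lo0, which covers all IPv6 traffic addressed to the RE. This is an added example, not configuration from the original post: the names MGMT-V6 and PROTECT-RE-V6 and the 2001:db8:0:5::/64 management prefix are placeholders to replace with your own LAN /64.

```junos
# Added example: placeholder names and prefix, not from the original post.
# Hosts allowed to manage the router over IPv6 (substitute your LAN /64).
set policy-options prefix-list MGMT-V6 2001:db8:0:5::/64

# SSH to the RE is accepted only from the management prefix.
set firewall family inet6 filter PROTECT-RE-V6 term ssh-mgmt from source-prefix-list MGMT-V6
set firewall family inet6 filter PROTECT-RE-V6 term ssh-mgmt from next-header tcp
set firewall family inet6 filter PROTECT-RE-V6 term ssh-mgmt from destination-port ssh
set firewall family inet6 filter PROTECT-RE-V6 term ssh-mgmt then accept

# SNMP polling is accepted only from the management prefix.
set firewall family inet6 filter PROTECT-RE-V6 term snmp-mgmt from source-prefix-list MGMT-V6
set firewall family inet6 filter PROTECT-RE-V6 term snmp-mgmt from next-header udp
set firewall family inet6 filter PROTECT-RE-V6 term snmp-mgmt from destination-port snmp
set firewall family inet6 filter PROTECT-RE-V6 term snmp-mgmt then accept

# The same management ports from any other IPv6 source are counted and dropped.
set firewall family inet6 filter PROTECT-RE-V6 term deny-mgmt from next-header [ tcp udp ]
set firewall family inet6 filter PROTECT-RE-V6 term deny-mgmt from destination-port [ ssh snmp telnet ]
set firewall family inet6 filter PROTECT-RE-V6 term deny-mgmt then count mgmt-v6-denied
set firewall family inet6 filter PROTECT-RE-V6 term deny-mgmt then discard

# ICMPv6 stays open: neighbor discovery, router advertisements and
# path MTU discovery (needed with the 1480-byte tunnel MTU) depend on it.
set firewall family inet6 filter PROTECT-RE-V6 term icmp6 from next-header icmp6
set firewall family inet6 filter PROTECT-RE-V6 term icmp6 then accept

# Everything else destined to the RE is accepted here; tighten this into a
# default discard once you have listed every service the router itself uses.
set firewall family inet6 filter PROTECT-RE-V6 term other then accept

# A filter on lo0 applies to traffic for the RE, not to transit traffic.
set interfaces lo0 unit 0 family inet6 filter input PROTECT-RE-V6
```

Applying it with `commit confirmed 5` rolls the change back automatically if the filter cuts off your own session, and `show firewall filter PROTECT-RE-V6` shows the mgmt-v6-denied counter afterwards.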