Solaris IPv6 tunnel setup
Saturday, December 4, 2010
IPv4 Internet addresses, 32 bits long, are running out. The replacement is IPv6, whose addresses are 128 bits. Ten years ago, IPv6 was at an experimental stage on several operating systems. On Linux, experimental patches, modules, and binaries were available, which I cobbled together to enable IPv6 on my home network. To test my old IPv6 setup, I joined an IPv6 test network, 6bone, which was composed mainly of IPv6 over IPv4 tunnels. My main contribution was correcting and clarifying Peter Bieringer's Linux+IPv6 HOWTO.
Since IPv4 addresses are running out, it may be a good idea to IPv6-enable your computer or network. I'll show you how to configure a Solaris system to use Hurricane Electric's (HE's) free IPv6 over IPv4 tunnel service, which encapsulates IPv6 packets inside IPv4 packets using IP protocol 41. The tunnel connects your IPv6-enabled computer or network (at home or work) to HE's IPv6 network, which is necessary because most ISPs don't support IPv6. Other (free) tunnel services are also available and the setup is similar. The advantage of HE is that its website shows your configuration and the exact command-line setup for various operating systems, including Solaris.
Step 1: provision a tunnel from Hurricane Electric
Go to www.tunnelbroker.net, register and log in. Set up an IPv6 tunnel by entering your IP address (if you're behind NAT, the external address visible from the Internet, not your internal address), and choose the tunnel endpoint closest to you (I chose Los Angeles). Under "Example Configurations:", select "Solaris" and click "Show Config". Here's the information I got:
Server IPv4 address: 66.220.18.42
Server IPv6 address: 2001:470:c:2ed::1/64
Client IPv4 address: 66.27.60.10
Client IPv6 address: 2001:470:c:2ed::2/64
Routed /48: Allocate
Routed /64: 2001:470:d:2ed::/64
. . .
Example Configurations: Solaris Show Config
Copy and Paste the following into a command windows:
ifconfig ip.tun0 inet6 plumb
ifconfig ip.tun0 inet6 tsrc 66.27.60.10 tdst 66.220.18.42 up
ifconfig ip.tun0 inet6 addif 2001:470:c:2ed::2 2001:470:c:2ed::1 up
route add -inet6 default 2001:470:c:2ed::1
*NOTE* When behind a firewall appliance that passes protocol41, instead
of using the IPv4 endpoint you provided to our broker, use the IPv4
address you get from your appliance's DHCP service.
Step 2: Set up and test your end of the tunnel
Once the tunnel is provisioned on the remote (HE) end, set up your (local) end by typing the ifconfig and route commands shown above as root (or via sudo or pfexec). If your computer is behind a NAT router, replace the client IPv4 address with the private address your computer uses on the local network; private addresses usually begin with 192.168., 172.16. through 172.31., or 10. In my case I substituted "10.11.12.15" for "66.27.60.10". Also make sure the NAT router passes IP protocol 41 packets through (the encapsulated IPv6 traffic); my D-Link DGL-4300 does so out of the box. Here's my session showing how I set up and tested the tunnel; the commands I typed are the lines beginning with the root prompt (#), everything else is output.
In the session, ip.tun0 carries the IPv4 tunnel endpoints (tsrc/tdst) plus a link-local IPv6 address, and the logical interface ip.tun0:1 carries the global IPv6 address of your end of the tunnel, pointing at HE's end. The route command installs a default IPv6 route, so every IPv6 packet not otherwise routed goes through the tunnel. The tests that follow check each layer in turn: ping ::1 (localhost), which works whenever IPv6 was not disabled during installation; ping the all-nodes multicast address ff02::1 on ip.tun0, which should get replies from both ends of the tunnel; ping a remote IPv6 host (www.kame.net); and print the route to it with traceroute.
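The one judgment call in this step is which IPv4 address to give as tsrc. The script below is an added example (my own, not from the post or from HE's generated config) that makes that decision explicit and emits the setup commands with it applied, finishing with a ping of the far end so a wrong tsrc or a router that drops protocol 41 is caught immediately. It goes slightly beyond the post in refusing a public address that differs from the one registered with HE, since HE's end only answers protocol-41 packets from the registered source. The addresses are the post's; the function names are assumptions of mine.

```shell
#!/bin/sh
# Added example, not part of the original post or HE's generated config.
# Decides which IPv4 address becomes the tunnel source (tsrc) and prints the
# Step 2 commands with it substituted. Addresses are the post's; the helper
# names (is_rfc1918, tunnel_tsrc, tunnel_cmds) are my own.

# Return 0 if ADDR is in an RFC 1918 private range
# (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), i.e. the host sits behind NAT.
is_rfc1918() {
    case "$1" in
        10.*)      return 0 ;;
        192.168.*) return 0 ;;
        172.*)
            # Only 172.16 through 172.31 are private, not all of 172/8.
            o2=${1#172.}
            o2=${o2%%.*}
            if [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; then
                return 0
            fi
            ;;
    esac
    return 1
}

# tunnel_tsrc HE_CLIENT_IPV4 LOCAL_IPV4
# Print the address to use as tsrc. Behind NAT the kernel must send from the
# address the interface really has; the router rewrites it to the public one
# HE registered. A public address that is not the registered one is an error:
# HE's end only answers protocol-41 packets from the registered source.
tunnel_tsrc() {
    he_client=$1
    local_addr=$2
    if is_rfc1918 "$local_addr"; then
        printf '%s\n' "$local_addr"
    elif [ "$local_addr" = "$he_client" ]; then
        printf '%s\n' "$local_addr"
    else
        printf 'tsrc: %s is public but the tunnel is registered for %s; update the tunnel at tunnelbroker.net\n' \
            "$local_addr" "$he_client" >&2
        return 1
    fi
}

# tunnel_cmds TSRC SERVER_IPV4 CLIENT_IPV6 SERVER_IPV6
# Print the Step 2 commands with the chosen tsrc, followed by a ping of HE's
# end of the tunnel (Solaris ping: host then timeout in seconds). Pipe the
# output into "sh" as root, or pfexec sh, to apply it.
tunnel_cmds() {
    tsrc=$1; tdst=$2; client6=$3; server6=$4
    printf '/usr/sbin/ifconfig ip.tun0 inet6 plumb\n'
    printf '/usr/sbin/ifconfig ip.tun0 inet6 tsrc %s tdst %s up\n' "$tsrc" "$tdst"
    printf '/usr/sbin/ifconfig ip.tun0 inet6 addif %s %s up\n' "$client6" "$server6"
    printf '/usr/sbin/route add -inet6 default %s\n' "$server6"
    printf '/usr/sbin/ping -A inet6 %s 5 || echo "tunnel endpoint %s not reachable: check tsrc and protocol 41 on the router" >&2\n' \
        "$server6" "$server6"
}

# Usage, the post's NAT case: the Ethernet interface has 10.11.12.15 while
# HE registered 66.27.60.10 as the client address.
tsrc=$(tunnel_tsrc 66.27.60.10 10.11.12.15) &&
    tunnel_cmds "$tsrc" 66.220.18.42 2001:470:c:2ed::2 2001:470:c:2ed::1
```

Run it once with no privileges to review the commands it prints, then pipe that output into a root shell; if the final ping reports the endpoint unreachable, the usual causes are a stale client address on HE's side or a router that does not pass protocol 41.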
# /usr/sbin/ifconfig ip.tun0 inet6 plumb
# /usr/sbin/ifconfig ip.tun0 inet6 tsrc 10.11.12.15 tdst 66.220.18.42 up
# /usr/sbin/ifconfig ip.tun0 inet6 addif 2001:470:c:2ed::2 2001:470:c:2ed::1 up
# /usr/sbin/route add -inet6 default 2001:470:c:2ed::1
# /usr/sbin/ifconfig -a6
lo0: flags=2002000849 mtu 8252 index 1
inet6 ::1/128
e1000g0: flags=202100841 mtu 1500 index 2
inet6 fe80::20e:cff:fe68:e4cc/10
e1000g0:1: flags=202180841 mtu 1500 index 2
inet6 2001:470:c:2ed:20e:cff:fe68:e4cc/64
ip.tun0: flags=2204851 mtu 1480 index 3
inet tunnel src 10.11.12.15 tunnel dst 66.220.18.42
tunnel hop limit 60
inet6 fe80::a0b:c0f/10 --> fe80::42dc:122a
ip.tun0:1: flags=2200851 mtu 1480 index 3
inet6 2001:470:c:2ed::2/128 --> 2001:470:c:2ed::1
# /usr/sbin/ping ::1
::1 is alive
# /usr/sbin/ping -s -i ip.tun0 ff02::1
PING ff02::1: 56 data bytes
64 bytes from fe80::a0b:c0f: icmp_seq=0. time=0.282 ms
64 bytes from fe80::230:48ff:fe98:d3ea: icmp_seq=0. time=43.538 ms
64 bytes from fe80::a0b:c0f: icmp_seq=1. time=0.163 ms
64 bytes from fe80::230:48ff:fe98:d3ea: icmp_seq=1. time=41.564 ms
^C
# /usr/sbin/ping -A inet6 -s www.kame.net
PING www.kame.net: 56 data bytes
64 bytes from orange.kame.net (2001:200:0:8002:203:47ff:fea5:3085): icmp_seq=0. time=187.449 ms
64 bytes from orange.kame.net (2001:200:0:8002:203:47ff:fea5:3085): icmp_seq=1. time=185.819 ms
^C
# /usr/sbin/traceroute -A inet6 www.kame.net
traceroute: Warning: Multiple interfaces found; using 2001:470:c:2ed::2 @ ip.tun0:1
traceroute to www.kame.net (2001:200:0:8002:203:47ff:fea5:3085), 30 hops max, 60 byte packets
1 drydog-1.tunnel.tserv15.lax1.ipv6.he.net (2001:470:c:2ed::1) 36.687 ms 38.787 ms 36.992 ms
2 gige-g4-6.core1.lax1.he.net (2001:470:0:9d::1) 36.298 ms 37.407 ms 36.206 ms
3 10gigabitethernet1-3.core1.pao1.he.net (2001:470:0:34::1) 43.780 ms 44.840 ms 43.861 ms
4 3ffe:80a::b2 46.525 ms 47.224 ms 44.585 ms
5 hitachi1.otemachi.wide.ad.jp (2001:200:0:4401::3) 183.115 ms 197.892 ms 186.334 ms
6 2001:200:0:1802:20c:dbff:fe1f:7200 186.029 ms 185.448 ms 186.854 ms
7 ve42.foundry4.nezu.wide.ad.jp (2001:200:0:11::66) 187.344 ms 185.172 ms 203.837 ms
8 ve45.nec2.yagami.wide.ad.jp (2001:200:0:12::74) 186.746 ms 188.705 ms 186.606 ms
9 2001:200:0:8400::10:1 185.072 ms 185.955 ms 183.482 ms
10 orange.kame.net (2001:200:0:8002:203:47ff:fea5:3085) 184.444 ms 185.315 ms 187.816 ms
Step 3: Configure the tunnel and reboot
If you got this far, the hard part is behind you. Next, save the tunnel configuration and reboot to verify it comes up on its own. These instructions assume NWAM is disabled and that you use /etc/hostname.* files to configure your Ethernet interfaces (NWAM isn't available on Solaris 10 or earlier in any case). Check that with svcs, then create an empty /etc/hostname6.<interface> file for your Ethernet interface (e1000g0 here) so IPv6 is plumbed on it at boot, write the tunnel parameters to /etc/hostname6.ip.tun0, and add the default IPv6 route persistently with route -p:
# svcs physical
STATE STIME FMRI
disabled 9:18:16 svc:/network/physical:nwam
online 9:18:16 svc:/network/physical:default
# touch /etc/hostname6.e1000g0
# cat >/etc/hostname6.ip.tun0
tsrc 10.11.12.15 tdst 66.220.18.42 up
addif 2001:470:c:2ed::2 2001:470:c:2ed::1 up
^D
# /usr/sbin/route -p add -inet6 default 2001:470:c:2ed::1
Reboot and retest your network as above to verify it still works.
As an optional step, create /etc/inet/ndpd.conf so the IPv6 Neighbor Discovery daemon (in.ndpd) advertises HE's routed /64 prefix on your local network (change "e1000g0" below to your network interface). This is only needed if you have other hosts on the LAN that should autoconfigure IPv6 addresses and use this machine, and hence the tunnel, as their IPv6 router. Other Solaris hosts then only need IPv6 enabled and an empty /etc/hostname6.<interface> file. For their traffic to actually reach the tunnel, this machine must also forward IPv6 packets (on Solaris 10, routeadm -e ipv6-forwarding followed by routeadm -u), and note that every host that picks up the prefix becomes globally reachable over IPv6, so the security considerations in Step 4 then apply to all of them.
# cat >/etc/inet/ndpd.conf
ifdefault AdvSendAdvertisements on
# Setup local network addresses using a routable prefix from HE.
# Important: replace "e1000g0" with YOUR network interface.
prefix 2001:470:d:2ed::/64 e1000g0
^D
Step 4: Security Considerations
Just as with IPv4, you need to protect your computer and network from outsiders coming in over the Internet, and the tunnel makes this more pressing: your IPv4 router only sees protocol-41 packets addressed to your host, so whatever firewall it applies between your home or work network and the Internet is bypassed, and once the host decapsulates them, inbound IPv6 connections reach the host (and, if you advertise the routed /64, every host on your LAN) directly. Disable network services you don't need. Most Solaris network services can be restricted to the local network if they aren't already (see the man page and documentation for each service). Typing "netstat -af inet6" shows which services are listening on IPv6 sockets; anything bound to * rather than to ::1 is reachable through the tunnel. On OpenSolaris and recent Solaris 10 updates, ipfilter (IPv6 rules go in /etc/ipf/ipf6.conf) and TCP Wrappers are IPv6-aware.
The best way to start is to disable most services and enable only what you need. Type /usr/sbin/netservices limited to disable most network services (except ssh) or restrict them to responding to local requests only. This is the default for OpenSolaris and recent updates of Solaris 10. The Solaris Security Toolkit allows selective enabling and disabling of services during or after installation, depending on which SST driver profile you use. For example, this hardens the system with the server-secure driver profile:
/opt/SUNWjass/bin/jass-execute -d server-secure.driver
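Two concrete pieces of the advice above, as an added example of my own rather than code from the post: an audit of which IPv6 listeners the tunnel exposes, parsed out of netstat -af inet6 output, and a default-deny ipfilter IPv6 ruleset for the tunnel interface that only lets in what you decide to expose (here ssh). The netstat sample is constructed for illustration. Assumptions of mine: ipfilter sees the tunnel as interface ip.tun0, the tunnel address is the post's 2001:470:c:2ed::2, and the ruleset is loaded from /etc/ipf/ipf6.conf with ipf -6.

```shell
#!/bin/sh
# Added example, not from the original post. Audits which IPv6 services are
# reachable through the tunnel and emits a matching ipfilter ruleset.
# Assumptions (mine): tunnel interface ip.tun0, tunnel address
# 2001:470:c:2ed::2, IPv6 rules loaded with "ipf -6 -Fa -f /etc/ipf/ipf6.conf".

# Constructed sample of "netstat -af inet6" output, for illustration only.
NETSTAT_SAMPLE='UDP: IPv6
   Local Address                     Remote Address                   State      If
--------------------------------- --------------------------------- ---------- -----
      *.sunrpc                          *.*                         Idle
      ::1.syslog                        *.*                         Idle

TCP: IPv6
   Local Address                     Remote Address                 Swind Send-Q Rwind Recv-Q   State      If
--------------------------------- --------------------------------- ----- ------ ----- ------ ----------- -----
      *.ssh                             *.*                         0      0 49152      0 LISTEN
      ::1.smtp                          *.*                         0      0 49152      0 LISTEN
      *.22222                           2001:470:c:2ed::1.34567     0      0 49152      0 ESTABLISHED'

# Read netstat output on stdin and print, one per line as proto/service, the
# TCP listeners and UDP sockets bound to every IPv6 address ("*.port").
# Those are what the tunnel exposes; sockets bound to ::1 are local only.
ipv6_exposed_listeners() {
    awk '
        /^UDP:/ { proto = "udp"; next }
        /^TCP:/ { proto = "tcp"; next }
        $1 ~ /^\*\./ && ((proto == "udp" && $NF == "Idle") || (proto == "tcp" && $NF == "LISTEN")) {
            sub(/^\*\./, "", $1)
            print proto "/" $1
        }'
}

# ipf6_rules IFACE TUNNEL_ADDR [TCP_PORT ...]
# Emit an ipfilter IPv6 ruleset for the tunnel: stateful outbound, ICMPv6 in
# (needed for path MTU discovery and neighbour discovery), one explicit pass
# per TCP port you choose to expose, and default-deny with logging for the
# rest. Anything ipv6_exposed_listeners lists that is not passed here is
# blocked at the tunnel even though the IPv4 router's firewall never sees it.
ipf6_rules() {
    iface=$1; addr=$2; shift 2
    printf 'pass out quick on %s proto tcp/udp from any to any keep state\n' "$iface"
    printf 'pass out quick on %s proto ipv6-icmp from any to any keep state\n' "$iface"
    printf 'pass in quick on %s proto ipv6-icmp from any to any\n' "$iface"
    for port in "$@"; do
        printf 'pass in quick on %s proto tcp from any to %s port = %s flags S keep state\n' \
            "$iface" "$addr" "$port"
    done
    printf 'block in log quick on %s all\n' "$iface"
}

# Usage on a live system (review the ruleset before loading it):
#   netstat -af inet6 | ipv6_exposed_listeners
#   ipf6_rules ip.tun0 2001:470:c:2ed::2 22 > /etc/ipf/ipf6.conf
#   ipf -6 -Fa -f /etc/ipf/ipf6.conf
printf '%s\n' "$NETSTAT_SAMPLE" | ipv6_exposed_listeners
ipf6_rules ip.tun0 2001:470:c:2ed::2 22
```

On the constructed sample the audit reports udp/sunrpc and tcp/ssh as exposed while syslog and smtp, bound to ::1, are not; the generated ruleset then admits only ssh on the tunnel address and logs everything else that arrives over ip.tun0, which is also a cheap way to see who is probing your new IPv6 address.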
Step 5: Use and further configuration
- You can use nslookup to look up IPv6 addresses. For example, nslookup -q=aaaa www.kame.net returns 2001:200:0:8002:203:47ff:fea5:3085.
- For testing, you can use IPv6 addresses in URLs. Firefox on Solaris supports IPv6. Here's a sample URL using the IPv6 address of www.kame.net: http://[2001:200:0:8002:203:47ff:fea5:3085]/ (if the tortoise on the webpage is animated, you're connected over IPv6).
- Most Solaris utilities, such as ftp, ssh and telnet, are IPv6-enabled, as are the Apache, FTP, ssh and other network servers.
In the near future, more and more routers and firewalls will support IPv6 and IPv6 tunnels. Cisco supports IPv6. Among consumer routers, D-Link is far ahead of the game: its Wi-Fi routers DI-784 (802.11abg), DI-524 and DI-624 (bg), WBR-1310 and WBR-2310 (g), and DIR-615 (n) support IPv6 and IPv6 tunnels. Other consumer routers, such as the Linksys WRT54G, have third-party open source firmware available with IPv6 support.
In the more distant future, which is always riskier to predict, ISPs will finally come along and support IPv6. But this won't happen until IPv6 usage has become widespread. With the explosion of non-computer Internet devices (cell/mobile phones, PDAs, music players, etc.) and the growth of the Internet in developing countries, the jump in IPv6 deployment will take many by surprise.