Setting Up IPv6 on a Home Network with Linux

June 19, 2011

So I have an IPv6 class tomorrow, so I decided to study by dinking around with setting up IPv6 on my home network. I was disappointed to find out that Ubuntu (even the current revision) still doesn't ship with ISC's DHCPD v4 server, so I couldn't play with DHCPv6, but other than that it was a blast.

I first just tried setting up Teredo using miredo, which was a mere apt-get/pacman install away. I really enjoyed the zero configuration of just typing sudo miredo and being able to ping6 ipv6.google.com. It was really fun, and a great way to jump in.

So that started the fun. Then I thought that having my own routable IPv6 network on the Internet would be even more fun, so I set up a 6to4 tunnel on my laptop tunneling through my DSL modem/NAT router and created a routable /64 on the IPv6 Internet. That is a network address space large enough to fit 4.2 billion puny version 4 Internets inside of it, and all it takes is a public IPv4 address that is somewhat resistant to change.

Here are the basic commands I ran to build the tunnel and route. I chose the ffff subnet because bigger numbers are more fun. The only reason for the variables is to do some easy dotted-quad to colon-separated hex-pair conversion of the public IP address:

ipv4_int="192.168.0.12" # Whatever your local LAN IP address is; this is the tunnel's local endpoint behind the NAT
ipv4_pub="xxx.xxx.xxx.xxx" # Whatever your current public IPv4 address is; the NAT router must pass inbound IP protocol 41 (IPv6-in-IPv4) to $ipv4_int or nothing comes back
ipv6=$(printf "2002:%02x%02x:%02x%02x::1" $(echo $ipv4_pub | tr "." " ")) # Converts the public IPv4 address into the 6to4 prefix it owns (2002:V4ADDR::/48) and picks ::1 as this host's address in it
lan_prefix=$(printf "2002:%02x%02x:%02x%02x:ffff::/64" $(echo $ipv4_pub | tr "." " ")) # The /64 you want to route locally, basically the v6 version of the 192.168.0.0/24 most people have at home for v4 networks; this is also the prefix radvd will advertise
eth0_ipv6=$(printf "2002:%02x%02x:%02x%02x:ffff::1/64" $(echo $ipv4_pub | tr "." " ")) # The specific IPv6 address this machine gets on your new subnet

# Now we create the tunnel and routes needed to get everything cooking
ip tunnel add tun6to4 mode sit ttl 200 remote any local $ipv4_int # Create a tunnel interface named tun6to4 of type sit ("simple internet transition", IPv6 inside IPv4) with an outer TTL of 200; "remote any" because 6to4 packets arrive from whichever relay or 6to4 host sent them, and "local" is our LAN address
ip link set dev tun6to4 up # Bring the sit tunnel online
ip -6 addr add $ipv6/48 dev tun6to4 # add our 6to4 /48 to the tunnel
ip -6 addr add $eth0_ipv6 dev eth0 # add our specific local IPv6 address to eth0
ip -4 addr add $ipv4_pub dev tun6to4 # add our public IPv4 address to the tunnel
ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4 metric 1 # Route everything destined for 2000::/3 (global unicast, i.e. the IPv6 Internet) via the 6to4 relay anycast address 192.88.99.1 (RFC 3068), written as the IPv4-compatible IPv6 address ::192.88.99.1 so the sit driver knows which IPv4 endpoint to encapsulate to

With the IPv4 and IPv6 addresses on the tunnel, the IPv6 address on the Ethernet interface, and the 2000::/3 route pointing at the relay, the machine can route to and from the IPv6 Internet. I validated this by SSHing from my data-center-located, IPv6-enabled server in the "cloud" to my laptop behind my IPv4 NAT (but on the public IPv6 Internet) and did the opposite way as well. It was super fun, but I wanted a bit more, and this is where it gets really frightening from a security standpoint.
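The dotted-quad to 6to4 conversion the script above does with one printf, written out as reusable functions together with the check the script lacks. This is an added example for this page, not code from the original post: it refuses RFC 1918, CGNAT, loopback, link-local and multicast addresses (embedding the NAT-internal 192.168.0.12 would yield a 2002:c0a8:... prefix that nobody on the Internet can route back to), and it also decodes a 2002: address back into the public IPv4 it embeds, which is handy when such a source turns up in a log or capture. The 203.0.113.5 used in the demo is a constructed stand-in from the RFC 5737 documentation range for the post's xxx.xxx.xxx.xxx. One caveat that post-dates the post: RFC 7526 (2015) deprecated the 192.88.99.0/24 relay anycast prefix used by the script's last route, so very few public relays answer on it today.

```sh
# Added example (not from the original post): 6to4 address derivation and
# decoding with input validation. 203.0.113.5 below is a constructed public
# address (RFC 5737 documentation range) standing in for xxx.xxx.xxx.xxx.

# Syntactic check: four octets 0..255, no leading zeros, nothing else.
is_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.|"") return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# 6to4 embeds the *public* IPv4 in the prefix. Behind a NAT the LAN address
# is private, and a 2002: prefix built from it is unreachable from outside,
# so refuse anything that cannot be a global unicast IPv4 endpoint.
is_public_ipv4() {
    is_ipv4 "$1" || return 1
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    case "$1" in 0|10|127) return 1 ;; esac                             # this-net, RFC 1918, loopback
    [ "$1" -ge 224 ] && return 1                                        # multicast, reserved
    [ "$1" -eq 169 ] && [ "$2" -eq 254 ] && return 1                    # link-local
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 1  # RFC 1918
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 1                    # RFC 1918
    [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ] && return 1 # CGNAT, RFC 6598
    return 0
}

# RFC 3056: the 32 bits of the IPv4 address follow 2002::/16, giving a /48.
to6to4_prefix() {
    is_public_ipv4 "$1" || { echo "not a usable 6to4 endpoint: $1" >&2; return 1; }
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    printf '2002:%02x%02x:%02x%02x::/48\n' "$1" "$2" "$3" "$4"
}

# A host address on one /64 of that /48: to6to4_host PUBLIC_IPV4 SUBNET_HEX HOST_HEX
to6to4_host() {
    p=$(to6to4_prefix "$1") || return 1
    printf '%s:%s::%s/64\n' "${p%::/48}" "$2" "$3"
}

# Inverse: recover the IPv4 endpoint embedded in any 2002: address, so a
# 6to4 source seen in logs or captures can be tied to a real IPv4 host.
from6to4() {
    case "$1" in 2002:*:*:*) ;; *) echo "not a 6to4 address: $1" >&2; return 1 ;; esac
    rest=${1#2002:}
    h1=${rest%%:*}; rest=${rest#*:}; h2=${rest%%:*}
    for h in "$h1" "$h2"; do                         # each hextet: 1-4 hex digits
        case "$h" in ""|*[!0-9a-fA-F]*|?????*) return 1 ;; esac
    done
    v1=$(( 0x$h1 )); v2=$(( 0x$h2 ))
    printf '%d.%d.%d.%d\n' $(( v1 >> 8 )) $(( v1 & 255 )) $(( v2 >> 8 )) $(( v2 & 255 ))
}

demo() {
    to6to4_prefix 203.0.113.5           # 2002:cb00:7105::/48
    to6to4_host 203.0.113.5 ffff 1      # 2002:cb00:7105:ffff::1/64
    from6to4 2002:cb00:7105:ffff::1     # 203.0.113.5
    to6to4_prefix 192.168.0.12 || echo "refused: the NAT-internal address is not a 6to4 endpoint"
}
demo
```

The decoder accepts shortened hextets (2002:cb0:715::1 is 12.176.7.21), so it works on addresses as tools print them, not only on the zero-padded form the printf produces.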

So not satisfied to just have my laptop on the new Internet, I decided to apt-get/pacman install radvd (lovely name, I now have Rad VD). This little daemon sends ICMPv6 Router Advertisements on the local segment announcing the machine as an IPv6 router and the prefix to use; every host that hears them autoconfigures an address out of that prefix (SLAAC) and installs the advertising machine as its default IPv6 gateway, with no per-host configuration at all. To get it running on Arch Linux, I just grabbed the example out of /usr/share/docs/radvd/, copied it to /etc/radvd.conf and commented out everything that wasn't related to 6to4. I also had to turn on IPv6 forwarding in the kernel (without it the laptop would announce itself as a router and then drop the packets the hosts sent it):
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
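The radvd.conf the post trims down from the package example, reconstructed as an added example (not the original post's file and not radvd's own): a shell function that fills the 6to4 /64 into a minimal radvd configuration with deliberately short lifetimes, so that hosts drop the prefix and the default route soon after the advertising laptop goes away. It assumes the first argument is the public IPv4 address (not the NAT-internal one), eth0 is the LAN interface, and ffff is the subnet id from the tunnel script; 203.0.113.5 is a constructed RFC 5737 address. radvd can derive the prefix itself with its Base6to4Interface option, but only from an interface that actually holds the public IPv4, which behind the post's NAT router none does, so the prefix is computed and written in explicitly.

```sh
# Added example (not the original post's radvd.conf): emit a minimal radvd
# configuration for the 6to4-derived /64. Assumes $1 is the public IPv4
# (203.0.113.5 below is a constructed RFC 5737 address), $2 the LAN
# interface and $3 the 16-bit subnet id, e.g. the post's ffff.

# Same derivation as the tunnel script: 2002: followed by the IPv4 as two hextets
six4_prefix48() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    printf '2002:%02x%02x:%02x%02x' "$1" "$2" "$3" "$4"
}

gen_radvd_conf() {
    pfx="$(six4_prefix48 "$1"):$3::/64"
    cat <<EOF
# 6to4 prefix for $1, advertised on $2
interface $2
{
    AdvSendAdvert on;
    # Short timers: the prefix is only as stable as the IPv4 it embeds, and
    # when this router goes away hosts should forget it and the default
    # route quickly instead of keeping a black hole for hours.
    MinRtrAdvInterval 30;
    MaxRtrAdvInterval 60;
    AdvDefaultLifetime 180;
    prefix $pfx
    {
        AdvOnLink on;
        AdvAutonomous on;
        AdvValidLifetime 600;
        AdvPreferredLifetime 300;
    };
};
EOF
}

# Write the file and, if radvd is installed, have it parse the result
# (radvd -c only checks the configuration and exits without advertising).
install_radvd_conf() {   # $1 public IPv4, $2 interface, $3 subnet id, $4 output path
    gen_radvd_conf "$1" "$2" "$3" > "$4"
    if command -v radvd >/dev/null 2>&1; then
        radvd -C "$4" -c
    fi
}

gen_radvd_conf 203.0.113.5 eth0 ffff
```

The prefix line this emits is exactly the $lan_prefix the tunnel script computes. The defensive flip side of this config is the security point of the post: any host on the segment can send the same Router Advertisement, and 802.1X only decides who may attach, not what an attached host may advertise once it is on. On Linux hosts that should never trust unsolicited RAs, set net.ipv6.conf.<interface>.accept_ra=0, and on managed switches enable RA Guard (RFC 6105), which drops ICMPv6 type 134 arriving on ports that are not the router's.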

And within seconds, and it was creepily within seconds, nearly every device on my LAN had not only gotten a universally routable IPv6 address from my little laptop, but was routing all IPv6 traffic through my computer. It was a bit weird seeing pings from all the computers in my house show up in Wireshark, and a bit stranger watching Google searches from my girlfriend's computer after I told her to go to http://ipv6.google.com.

I suppose that is somewhat OK if you have network access controls or 802.1X in place, but you really have to trust people on your networks a lot more than you may think with IPv6, and the really horrible part is that this is all on by default. I didn't turn IPv6 on or do any configuration on the nodes in my house; they just all lit up, got excited to have working IPv6 and started sending me all of their traffic, so it is likely easier to exploit now, while IPv6 adoption is near zero, than it will be when everyone is ready for it.

So for now I'm going to tear down my IPv6 routable network, and ponder the excitement of having a completely open and NATless network along with all the grief that may happen from it. I haven't been this excited in a while though, and I imagine in the coming months I will have fully IPv6 enabled e-mail, Web, etc, and rebuild my home IPv6 network that can fit 4.2 billion Internets inside of it.
