travaux:ipv6-faq

Différences

Ci-dessous, les différences entre deux révisions de la page.

Lien vers cette vue comparative

Les deux révisions précédentes Révision précédente
Prochaine révision 		Révision précédente
travaux:ipv6-faq [2014/05/02 14:19]
sthibaul rewrite some paragraphs, fix some information 		travaux:ipv6-faq [2018/06/19 02:20] (Version actuelle)
sthibaul [Why should I enable IPv6?]
Ligne 1: Ligne 1:
 +
 ======= IPv6 FAQ ======= ======= IPv6 FAQ =======
  
Ligne 28: Ligne 29:
   * Because you have the opportunity to rethink your addressing scheme.   * Because you have the opportunity to rethink your addressing scheme.
   * Because there are no IPv4 addresses any more.   * Because there are no IPv4 addresses any more.
-  * Because IPv4 will be yet more and more painful to make working at all. +  * Because IPv4 will be yet more and more painful to make working at all. We have kept piling up tricks to continue using IPv4, but that has already cost more than just migrating to IPv6, and continue costing **again** even more than just migrating to IPv6
-  * http://www.youtube.com/watch?v=eYffYT2y-Iw+  * Because there are no IPv4 addresses any more. 
 +  * https://labs.ripe.net/Members/david_holder/blockers-to-ipv6-adoption 
 +  * https://www.ipv6.com/general/top-10-features-that-make-ipv6-greater-than-ipv4/ 
 +  * https://www.youtube.com/watch?v=d8wIdd2fNmk 
  
 TODO: links to details TODO: links to details
Ligne 48: Ligne 53:
 ===== Do I have to completely migrate to IPv6? ===== ===== Do I have to completely migrate to IPv6? =====
  
-Well, in the end, all machines should have IPv6 configured. But that does not mean one has to get rid of IPv4 immediately. One can simply add IPv6 along IPv4, and IPv6 will be used whenever it can be, while IPv4 can still be used as a fallback, even if it is behind a CGN.+Well, in the end, all machines should have IPv6 configured. But that does not mean one has to get rid of IPv4 immediately. One can simply add IPv6 along IPv4, and IPv6 will be used whenever it can be, while IPv4 can still be used as a fallback, even if it is behind a CGN (see about CGN below).
  
-The combination of NAT64 + DNS64 can however be used to set up an IPv6-only network, which can still transparently access the IPv4 world, see more on this below.+That said, a combination of NAT64 + DNS64 can be used to set up an IPv6-only network, which can still transparently access the IPv4 world, see more on this below.
  
 ===== Is IPv6 slower than IPv4? ===== ===== Is IPv6 slower than IPv4? =====
  
-There is no general answer to this. For various reasons, IPv6 is faster to process than IPv4 (e.g. no checksum in the IP header, no fragmentation, which brings huge savings for routers). For other reasons, it is slower (e.g. bigger addresses, leading to 1.33% bandwidth overhead on typical networks). IPv6 implementations also might not have yet gotten as optimized as IPv4 ones. But on the other hand the routing tables are much cleaner with IPv6, and IPv6 makes way less use of ethernet broadcasts. In the end, some applications simply try both, and use the one that connects first, so whichever it is wins :)+There is no general answer to this. 
 + 
 +For various reasons, IPv6 is faster to process than IPv4 (e.g. no checksum in the IP header, no fragmentation, much simpler routing tables, which brings huge savings for routers, and much less use of Ethernet broadcasts). 
 + 
 +For other reasons, it is slower (e.g. bigger addresses, leading to 1.33% bandwidth overhead on typical networks, and implementations might not have yet gotten as optimized as IPv4 ones). 
 + 
 +In the end, some applications simply try both, and use the one that connects first, so whichever it is wins :)
  
 ===== Does my machine support IPv6? ===== ===== Does my machine support IPv6? =====
Ligne 75: Ligne 86:
 ===== How does DNS work with IPv6? ===== ===== How does DNS work with IPv6? =====
  
-DNS replies contain both IPv4 answers (in A records) and IPv6 answers (in AAAA records), independently of the protocol which was actually used to transport the request/reply themselves:+DNS replies contain both IPv4 answers (in A records) and IPv6 answers (in AAAA records), independently of the protocol which was actually used to transport the request and reply themselves:
  
   $ dig -4 any www.ffdn.org   $ dig -4 any www.ffdn.org
   ...   ...
-  www.ffdn.org. 86400 IN A 141.255.128.13 +  www.ffdn.org. 86400 IN A 185.233.100.13 
-  www.ffdn.org. 86400 IN AAAA 2a01:474::13+  www.ffdn.org. 86400 IN AAAA 2a0c:e300::13
   ...   ...
   $ dig -6 any www.ffdn.org   $ dig -6 any www.ffdn.org
   ...   ...
-  www.ffdn.org. 86400 IN A 141.255.128.13 +  www.ffdn.org. 86400 IN A 185.233.100.13 
-  www.ffdn.org. 86400 IN AAAA 2a01:474::13+  www.ffdn.org. 86400 IN AAAA 2a0c:e300::13
   ...   ...
  
Ligne 113: Ligne 124:
 ==== How to bring IPv6 routing up to my machine? ==== ==== How to bring IPv6 routing up to my machine? ====
  
-Hopefully, your ISP brings IPv6 up to your router, if not, ask them for it. You then just need to configure the router to route IPv6 (that step is extremely similar to IPv4 routing, with BGP and OSPF (version 3) for instance), and for instance configure DHCPv6 or stateless autoconfiguration, as well as Router Advertisement (RA), so you don't need to configure your machine's operating system. +Hopefully, your ISP brings IPv6 up to your router, if not, ask them for it. You then just need to configure the router to route IPv6 (which is extremely similar to IPv4 routing, with BGP and OSPF (version 3) for instance).
- +
-You also need to make sure IPv6 resolution works. For instance, ''host www.ffdn.org'' should report both 141.255.128.13 and 2a01:474::13. If not, you need to configure your DNS server to enable IPv6 AAAA records.+
  
 If your ISP does not bring IPv6 up to your router, you can use an IPv6 tunnel, see below. If your ISP does not bring IPv6 up to your router, you can use an IPv6 tunnel, see below.
  
-Of course, don't forget to set up a firewall along the way. Yes, a firewall, not NAT+Of course, don't forget to set up a firewall along the way. Yes, a firewall, not NAT, see below.
- +
-[[http://v6.testmyipv6.com/]] can be used for instance to easily test that it worked fine.+
  
 ==== Does my ISP bring IPv6 up to my router? ==== ==== Does my ISP bring IPv6 up to my router? ====
Ligne 133: Ligne 140:
   * TODO...   * TODO...
  
-==== How to configure my server operating system for IPv6? ====+==== How to configure my server or client operating system for IPv6? ====
  
-The simplest way is simply not to have to configure it, by just configuring DHCPv6 or stateless autoconfiguration on your router. Machines on the network will then automatically configure themselves, just like they can do for IPv4.+The simplest way is simply not to have to configure it, by just configuring DHCPv6 or stateless autoconfiguration, as well as Router Advertisement (RA) on your router, see the "quick examples" section. Machines on the network will then automatically configure themselves, just like they can do for IPv4.
  
 You can however also configure the IPv6 address, default gateway and DNS server by hand, similarly to manual configuration of the IPv4 address. You can however also configure the IPv6 address, default gateway and DNS server by hand, similarly to manual configuration of the IPv4 address.
 +
 +You need to make sure IPv6 resolution works. For instance, ''host www.ffdn.org'' should report both 185.233.100.13 and 2a0c:e300::13. If not, you need to configure your DNS server to enable IPv6 AAAA records (TODO: tell briefly how in the "quick examples" section).
 +
 +[[http://v6.testmyipv6.com/]] can be used for instance to easily test that it worked fine.
  
 ==== How to make sure my client software knows how to connect through IPv6? ==== ==== How to make sure my client software knows how to connect through IPv6? ====
  
-You can tcpdump your network interface, or use netstat, etc. to check how it connects. If the application does not seem to support IPv6, please report a bug to their authors. Nowadays, all applications should really support IPv6.+You can use ''tcpdump -i eth0 ip6'' , or use ''netstat -Ainet6'' , etc. to see how it connects. If the application does not seem to support IPv6, please report a bug to their authors. Nowadays, all applications should really support IPv6.
  
 One can force the application to use IPv6 by specifying the IPv6 address by hand. This can for instance be done in URLs, by putting the address inside braces (to avoid confusion with the TCP port number), for instance http://[2001:db8::1]/ One can force the application to use IPv6 by specifying the IPv6 address by hand. This can for instance be done in URLs, by putting the address inside braces (to avoid confusion with the TCP port number), for instance http://[2001:db8::1]/
Ligne 147: Ligne 158:
 A lot of command-line tools (e.g. ssh, wget, dig, ...) have ''-4'' and ''-6'' options to force the use of IPv4 or IPv6. A lot of command-line tools (e.g. ssh, wget, dig, ...) have ''-4'' and ''-6'' options to force the use of IPv4 or IPv6.
  
-==== How to make sure my server software listens for IPv6 connections? ====+==== How to make sure my server software listens to IPv6 connections? ====
  
-One can see this in netstat -Ainet6, e.g.: +One can see this in ''netstat -Ainet6'', e.g.: 
  
 ''tcp6            0 :::22                   :::                   LISTEN      5265/sshd'' ''tcp6            0 :::22                   :::                   LISTEN      5265/sshd''
Ligne 155: Ligne 166:
 ssh is properly listening on TCPv6 port 22. ssh is properly listening on TCPv6 port 22.
  
-Some software may have to be explicitly told to listen for IPv6, by specifying things like+Some software may have to be explicitly told to listen to IPv6, by specifying things like
  
 ''listen = 0.0.0.0, ::'' ''listen = 0.0.0.0, ::''
  
-where 0.0.0.0 is for all IPv4 addresses, and :: is for all IPv6 addresses.+where 0.0.0.0 is for all IPv4 addresses, and :: is for all IPv6 addresses. See the "quick examples" section.
  
 ==== How to publish AAAA DNS records ==== ==== How to publish AAAA DNS records ====
  
-IPv6 AAAA DNS records are just like IPv4 A records, except they contain an IPv6 (which is 4 times bigger than an IPv4, thus the 4 A's :) )+IPv6 AAAA DNS records are just like IPv4 A records, except they contain an IPv6 (which is 4 times bigger than an IPv4, thus the 4 A's :) ). For instance, here 'myserver' has bothe an IPv4 and an IPv6: 
 + 
 +''myserver IN A 192.0.2.13'' 
 +''myserver IN AAAAA 2001:db8::13''
  
 ===== Can an IPv6-only machine A connect to an IPv4-only machine B? ===== ===== Can an IPv6-only machine A connect to an IPv4-only machine B? =====
Ligne 169: Ligne 183:
 Not natively: there has to be a router ''R'' in-between which has both IPv6 and IPv4 configured, and performs **NAT64** address translation for instance: Not natively: there has to be a router ''R'' in-between which has both IPv6 and IPv4 configured, and performs **NAT64** address translation for instance:
  
-''A'' will send IPv6 packets using its IPv6 address as source, and will encode the IPv4 address of the destination in the ''64:ff9b::/96'' prefix.  For instance, a destination of ''192.0.2.128'' will become ''64:ff9b::c000:0280'', which can also be written as ''64:ff9b::192.0.2.128'' to clearly show the mapping (it's also possible to use any ''/96'' prefix inside your assigned IPv6 address space to perform the translation, instead of the well-known prefix ''64:ff9b::/96'').+''A'' will send IPv6 packets using its IPv6 address as source, and will encode the IPv4 address of the destination in the ''64:ff9b::/96'' prefix; for instance, a destination of ''192.0.2.128'' will become ''64:ff9b::c000:0280'', which can also be written as ''64:ff9b::192.0.2.128'' to clearly show the mapping (it's also possible to use any ''/96'' prefix inside your assigned IPv6 address space to perform the translation, instead of the well-known prefix ''64:ff9b::/96'').
 ''B'' will send and receive IPv4 packets, using its ''192.0.2.128'' address. ''B'' will send and receive IPv4 packets, using its ''192.0.2.128'' address.
  
Ligne 188: Ligne 202:
 ===== I have heard that IPv6 is less secure because it does not have NAT, is that so? ===== ===== I have heard that IPv6 is less secure because it does not have NAT, is that so? =====
  
-Well, IPv6 does have NAT support nowadays actually (See below), but using NAT has drawbacks (see below).+Well, IPv6 does have NAT support nowadays actually (see below), but using NAT has drawbacks (see below).
  
-And anyway, not using NAT does not make your network less secure. What can make your network less secure is not using a firewall at all. It happens that enabling NAT would usually automatically enable a firewall. But you can also enable a firewall, thus getting security, without having to enable NAT (which does not bring security but breaks things).+And anyway, using NAT does not make your network more secure. What can make your network less secure is not using a firewall at all. It happens that enabling NAT would usually automatically enable a firewall. But you can also enable a firewall, thus getting security, without having to enable NAT (which does not bring security but breaks things).
  
 ===== Is NAT available with IPv6? ===== ===== Is NAT available with IPv6? =====
Ligne 198: Ligne 212:
 That being said, this is usually not a good idea, as NAT breaks a lot of application protocols, see below, and IPv6 is precisely meant to let all machines have their own public IP. That being said, this is usually not a good idea, as NAT breaks a lot of application protocols, see below, and IPv6 is precisely meant to let all machines have their own public IP.
  
-If you really want to, you can use a random fd00::/8 prefix for defining a private local network.+If you really want to, you can use a random fd00::/8 prefix for defining a private local network, see below.
  
 ===== What are the downsides of NAT? ===== ===== What are the downsides of NAT? =====
Ligne 208: Ligne 222:
     * IRC's DCC     * IRC's DCC
     * Voice over IP: SIP     * Voice over IP: SIP
-    * And any such protocol that anybody on earth might want to invent. Firewall plugins can be written to cope with the protocols above, but they can not work with newer protocols that people invent. +    * And any such protocol that anybody on earth might want to invent. Firewall plugins can be written to cope with the protocols above, but they can not automatically work with newer protocols that people invent. 
-  * Consequently, it makes protocols try to deal with NATs, which makes them much more complex (e.g. STUN).+  * Consequently, it makes protocols try to deal with NATs, which makes them much more complex.
  
-===== Why CGN poses more downsides? =====+===== Why CGN has more downsides? =====
  
-Well, it's basically the same as NAT, but first to a larger scale: Carrier-Grade NAT (CGN) means it is all customers of an ISP which are masqueraded behind the same public IP addresses, and out of control from customers.+Well, it's basically the same as NAT, but to a larger scale: Carrier-Grade NAT (CGN) means it is all customers of an ISP which are masqueraded behind the same public IP addresses, and out of control from the customers. As a consequence:
  
   * All users sharing the same public IP address appear the same on the Internet.   * All users sharing the same public IP address appear the same on the Internet.
Ligne 235: Ligne 249:
  
 (TODO: any other?) (TODO: any other?)
 +
 +See the "quick examples" section.
  
 ===== Do I have to rethink my addressing scheme? ===== ===== Do I have to rethink my addressing scheme? =====
Ligne 248: Ligne 264:
 One of the issues in IPv4 is however when merging two networks which already use 192.168.0.0/16, which leads to addresses conflicts. For the same reason, the IPv6 site-local addresses are deprecated, because the very notion of "site" can vary, leading to various issues. One of the issues in IPv4 is however when merging two networks which already use 192.168.0.0/16, which leads to addresses conflicts. For the same reason, the IPv6 site-local addresses are deprecated, because the very notion of "site" can vary, leading to various issues.
  
-For this reason, it is recommended to rather use Unique Local Addresses (ULA): take one 40-bit random number for your site, and append it to fd00::/8, leading to a /48 prefix. For instance, one could end up with fd12:3456:789a::/48. Then one can define up to 65536 /64 prefixes in it: fd12:3456:789a:1::/64 for instance. That last step is just like when one was defining 10.x.y.0/24 IPv4 prefixes for instance. When two sites merge, since each of them has taken a random number, there is very low probability of collision. The [[https://www.sixxs.net/tools/grh/ula/|SixXS database]] can be used as a registration base. This is voluntary only, but helps reducing risks of conflicts.+For this reason, it is recommended to rather use Unique Local Addresses (ULA): take one 40-bit random number for your site, and append it to fd00::/8, leading to a /48 prefix. For instance, one could end up with fd12:3456:789a::/48. Then one can define up to 65536 /64 prefixes in it: fd12:3456:789a:1::/64 for instance. That last step is just like when one is defining 10.x.y.0/24 IPv4 prefixes for instance. When two sites merge, since each of them has taken a random number, there is very low probability of collision. The [[https://www.sixxs.net/tools/grh/ula/|SixXS database]] can be used as a registration base. This is voluntary only, but helps reducing any risks of conflicts.
  
 ===== How does dynamic routing work? (BGP,OSPF,...) ===== ===== How does dynamic routing work? (BGP,OSPF,...) =====
Ligne 256: Ligne 272:
 ===== Does my IPv6 address leak information on my machine? ===== ===== Does my IPv6 address leak information on my machine? =====
  
-If you configure your network with stateless configuration, and do not enable its privacy extension, yes, your IPv6 address will contain the MAC address of your network board, which happens to contain information about the manufacturer of the board, when, and where it was built (and thus roughly where it was sold).+If you configure your network with stateless configuration, and do not enable its privacy extension, yes, your IPv6 address will contain the MAC address of your network board, which happens to contain information about the manufacturer of the board, when, and where it was built (and thus roughly where it was sold). For instance, in 2001:db8::1234:56ff:fe78:9abc/64, the 12:34:56:78:9A:BC MAC address shows up.
  
 But that's only in that case. With static configuration, dhcp dynamic configuration, or stateless configuration with privacy extension (i.e. it basically takes a random address), there is no such issue. But that's only in that case. With static configuration, dhcp dynamic configuration, or stateless configuration with privacy extension (i.e. it basically takes a random address), there is no such issue.
  
 +The privacy extension is usually not enabled by default, but can be enabled this way on Linux (here on eth0):
 +
 +''echo 2 > /proc/sys/net/ipv6/conf/eth0/use_tempaddr''
 +
 +TODO: other OSes
 ===== Do I have to change all my equipments? ===== ===== Do I have to change all my equipments? =====
  
Ligne 285: Ligne 306:
 ===== Is there ARP in IPv6? ===== ===== Is there ARP in IPv6? =====
  
-Yes, although it is rather called Neighbour Discovery Protocol (NDP), is contained in ICMPv6, and works bit differently (but basically it'the same principle).+It was reworked and called Neighbour Discovery Protocol (NDP), and is contained in ICMPv6 instead of special type of ethernet frame. In the end NDP is basically the same principle as ARP, to translate from L3 addresses to L2 addresses, but implemented in a better way.
  
 ====== Cheatsheet ====== ====== Cheatsheet ======
Ligne 311: Ligne 332:
 ====== Some quick examples ====== ====== Some quick examples ======
  
 +===== Firefox =====
 +
 +Out of the box, firefox should use IPv6 connectivity when available. However, it is not visible to the user.
 +
 +There is a firefox extension that displays whether the current page is loaded over IPv4 or IPv6: https://addons.mozilla.org/fr/firefox/addon/sixornot/
 +
 +You can test it on this wiki: if you have IPv6 connectivity, you should see a green "6" (loaded over IPv6). Otherwise, you will see an orange "6" (the wiki has IPv6 records in the DNS, but you are still reaching it over IPv4).
 +
 +If IPv6 connectivity does not work, make sure that it is not disabled: in ''about:config'' , make sure that ''network.DNS.disableIPv6'' is set to ''false''
 ===== Basic OS checks ===== ===== Basic OS checks =====
  
Ligne 367: Ligne 397:
  
 TODO: how to deactivate ipv4 completely, to check ipv6 for sure? TODO: how to deactivate ipv4 completely, to check ipv6 for sure?
 +
 +==== *BSD ====
 +
 +TODO
  
 ==== MacOS ==== ==== MacOS ====
Ligne 419: Ligne 453:
   interface eth0 {   interface eth0 {
     AdvSendAdvert on;     AdvSendAdvert on;
-    prefix 2001:db8:0:1::/64 { };  # enable stateless configuration+    prefix 2001:db8:0:1::/64 { };  # enable stateless configuration within that prefix
     route ::/0 { };  # default route through us     route ::/0 { };  # default route through us
     RDNSS 2001:db8:0:1::1 { };  # announce DNS server.     RDNSS 2001:db8:0:1::1 { };  # announce DNS server.
   }   }
  
-''RDNSS'' can optionally be dropped and a DHCPv6 server configured instead. ''prefix'' and ''route'' are still necessary to provide hosts with routing information (RA).+''RDNSS'' can optionally be dropped and a DHCPv6 server configured instead. ''prefix'' and ''route'' are still necessary to provide hosts with routing advertisement (RA).
  
 ===== DHCPv6 configuration example ===== ===== DHCPv6 configuration example =====
Ligne 434: Ligne 468:
 ===== dnsmasq ===== ===== dnsmasq =====
  
-dnsmasq can provide both DHCPv6 and Router Advertisement (RA)+dnsmasq can provide both DHCPv6 and Router Advertisement (RA).
  
 TODO TODO
Ligne 440: Ligne 474:
 ===== Firewall example ===== ===== Firewall example =====
  
-Here are example for home-use firewalls: connections only go from inside to outside, assuming a DSL connection to the Internet. It also accepts NDP (just like ARP is usually accepted), but makes sure it will not be forwarded (hop limit is 255).+Here are examples for home-use firewalls: connections only go from inside to outside, assuming a DSL connection to the Internet. It also accepts NDP (just like ARP is usually accepted), but makes sure it will not be forwarded (hop limit is 255).
  
 ==== iptables ==== ==== iptables ====
Ligne 516: Ligne 550:
 ===== Mobile IPv6 ===== ===== Mobile IPv6 =====
  
-Although not widely used, this allows a machine to roam between IPv6 networks without losing your connections: the machine is carrying a public adress with it, attached to the home LAN of the machine, and packet routing to the machine is automatically done down to the network where the machine happens to go through.+Although not widely used, this allows a machine to roam between IPv6 networks without losing connections: the machine is carrying a public adress with it, attached to the home LAN of the machine, and packet routing to the machine is automatically done down to the network where the machine happens to go through.
  
 ====== Why is there no IPv5? ====== ====== Why is there no IPv5? ======
  • travaux/ipv6-faq.1399033158.txt.gz
  • Dernière modification: 2014/05/02 14:19
  • de sthibaul