08 June 2011

Happy IPv6 test day

Today, June 8, 2011, is World IPv6 Day, an 'IPv6 readiness testing day', so it seems appropriate to post my personal checklist for putting a CentOS box onto that network fabric through a tunnel broker

  • Apply for an account with SixXS. Their reply takes a couple of days, as it is a volunteer-run organization
  • Have a deployed, updated, and hardened unit at a routable static IPv4 address
  • Amend /etc/sysconfig/iptables to include a line passing the tunnelling protocol: 6in4 encapsulation is IP protocol 41, which /etc/protocols names ipv6, so -p ipv6 and -p 41 are the same rule. I place the entry after the IPSEC protocol entries in a stock setup. As written the rule accepts encapsulated traffic from any IPv4 source; adding the broker's endpoint address with -s narrows it to the one peer that should be sending it. Restart iptables
    ... 
    -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
    -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
    # vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
    -A RH-Firewall-1-INPUT -p ipv6 -j ACCEPT
    # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    ...
  • Strip out any previous efforts at keeping the ipv6 / net-pf-10 kernel modules from loading (the alias and install lines that turn them off) from /etc/modprobe.conf, or /etc/modules.conf on older 2.4-kernel releases, and from the files sourced in /etc/modprobe.d/ . Then rebuild the module dependency table: /sbin/depmod -a
  • Amend /etc/sysconfig/network to carry the following lines:
    #
    NETWORKING_IPV6=yes
    IPV6INIT=yes
    IPV6FORWARDING=yes
    IPV6_DEFAULTDEV=sit1
    #
    IPV6_DEFAULTDEV=sit1 anticipates that the configuration details for the IPv6 tunnel will live in a file: /etc/sysconfig/network-scripts/ifcfg-sit1 . IPV6FORWARDING=yes is only wanted when this box routes a delegated subnet for hosts behind it; set it to no otherwise, not least because a forwarding host stops honouring router advertisements on its other interfaces
  • Add that file, /etc/sysconfig/network-scripts/ifcfg-sit1 -- I have elided site-specific details as to IP addresses with aa.bb.cc and aa:bb:cc placeholders
    #
    DEVICE=sit1
    BOOTPROTO=none
    ONBOOT=yes
    IPV6INIT=yes
    IPV6_TUNNELNAME="SixXS"
    #
    IPV6_AUTOTUNNEL=yes
    PHYSDEV=eth0
    IPV6_ROUTER=yes
    #
    IPV6TUNNELIPV4="38.229.76.3"
    # 38.229.76.3 is the remote end of the tunnel at the tunnel broker
    IPV6TUNNELIPV4LOCAL="198.aa.bb.cc"
    # 198.aa.bb.cc is the local ipv4 static IP
    IPV6ADDR="2604:aa:bb:cc::2/64"
    # 2604:aa:bb:cc::2/64 is the local end of the tunnel plus the prefix length of the tunnel /64
    # the remote end (the broker's gateway) is by convention the ::1 of the same /64
    IPV6_MTU="1280"
    TYPE=sit
    #

At this point, restarting networking should bring up the IPv6 link and route it properly: /sbin/service network restart
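The whole checklist as one script, added here as an example and not the post's own code: from three addresses it generates the firewall line, the /etc/sysconfig/network lines and ifcfg-sit1 described above, restricts the protocol-41 rule to the broker's endpoint (the post's "-p ipv6 -j ACCEPT" admits encapsulated traffic from anywhere), lists modprobe files that still block the ipv6 module, and after the restart checks that sit1 carries its address and the default route and that the broker's ::1 end answers ping6. The LOCAL4 and LOCAL6 defaults are constructed placeholders from the documentation address ranges; ROOT, MODE and the function names are this example's own; the stock CentOS 5 RH-Firewall-1-INPUT chain ending in a REJECT is assumed; and IPV6_AUTOTUNNEL and IPV6_ROUTER are left out, since a configured point-to-point tunnel on a host that routes for nobody needs neither.

```bash
#!/bin/bash
# Added example, not code from the original post.  Generates the CentOS-style
# 6in4 tunnel configuration described above, admits protocol 41 from the broker
# only, flags leftover IPv6 module blacklisting, and checks the tunnel after the
# restart.  LOCAL4/LOCAL6 defaults are constructed placeholders.
set -eu
BROKER4="${BROKER4:-38.229.76.3}"      # remote end named in the post (SixXS PoP)
LOCAL4="${LOCAL4:-198.51.100.10}"      # this box's static IPv4 (RFC 5737 placeholder)
LOCAL6="${LOCAL6:-2001:db8:aa:bb::2}"  # our end of the tunnel /64 (RFC 3849 placeholder)
ROOT="${ROOT:-}"                       # prefix for written files; "" means the live /etc
MODE="${MODE:-show}"                   # show | apply | verify

# True when $1 is a dotted quad with every octet in 0..255.
is_ipv4() {
  local ip="$1" octet old_ifs="$IFS"
  case "$ip" in .*|*.|*..*) return 1 ;; esac
  IFS=.; set -- $ip; IFS="$old_ifs"
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# Loose IPv6 syntax check: hex digits and colons, two or more colons, one "::" at most.
is_ipv6() {
  local a="$1" rest
  case "$a" in *[!0-9a-fA-F:]*|*:::*) return 1 ;; esac
  case "$a" in *:*:*) ;; *) return 1 ;; esac
  rest="${a#*::}"
  if [ "$rest" != "$a" ]; then case "$rest" in *::*) return 1 ;; esac; fi
}

# The broker's end of the point-to-point /64 is ::1 when ours is ::2 (the
# post's convention); refuse to guess for anything else.
tunnel_peer6() {
  case "$1" in *::2) printf '%s::1\n' "${1%::2}" ;; *) return 1 ;; esac
}

# iptables line admitting 6in4 (IP protocol 41) from the broker's address only.
# The post's "-p ipv6 -j ACCEPT" is the same protocol from any source.
gen_proto41_rule() {
  printf '%s\n' "-A RH-Firewall-1-INPUT -s $1 -p 41 -j ACCEPT"
}

# /etc/sysconfig/network lines.  Forwarding stays off unless this box routes
# a delegated subnet; a forwarding host also ignores router advertisements.
gen_sysconfig_network() {
  printf 'NETWORKING_IPV6=yes\nIPV6INIT=yes\nIPV6FORWARDING=%s\nIPV6_DEFAULTDEV=sit1\n' "${1:-no}"
}

# ifcfg-sit1 for a configured point-to-point tunnel: $1 local IPv4, $2 broker
# IPv4, $3 local IPv6.  No IPV6_AUTOTUNNEL (the deprecated sit0 automatic
# tunnel) and no IPV6_ROUTER, since nothing behind us routes through us.
gen_ifcfg_sit1() {
  cat <<EOF
DEVICE=sit1
TYPE=sit
BOOTPROTO=none
ONBOOT=yes
IPV6INIT=yes
IPV6_TUNNELNAME="SixXS"
PHYSDEV=eth0
IPV6TUNNELIPV4="$2"
IPV6TUNNELIPV4LOCAL="$1"
IPV6ADDR="$3/64"
IPV6_MTU="1280"
EOF
}

# Print the modprobe config files that still keep the ipv6 module from loading.
find_ipv6_blocks() {
  [ $# -gt 0 ] || return 0
  grep -lE '^[[:space:]]*(alias|install|options|blacklist)[[:space:]]+(ipv6|net-pf-10)' "$@" 2>/dev/null || true
}

is_ipv4 "$LOCAL4"  || { echo "LOCAL4 is not an IPv4 address: $LOCAL4" >&2; exit 1; }
is_ipv4 "$BROKER4" || { echo "BROKER4 is not an IPv4 address: $BROKER4" >&2; exit 1; }
is_ipv6 "$LOCAL6"  || { echo "LOCAL6 is not an IPv6 address: $LOCAL6" >&2; exit 1; }
PEER6="$(tunnel_peer6 "$LOCAL6")" || { echo "LOCAL6 should be the ::2 of the tunnel /64" >&2; exit 1; }

case "$MODE" in
  show)   # what apply would write, plus any module blacklisting left to remove
    gen_proto41_rule "$BROKER4"; gen_sysconfig_network no; gen_ifcfg_sit1 "$LOCAL4" "$BROKER4" "$LOCAL6"
    find_ipv6_blocks /etc/modprobe.conf /etc/modprobe.d/* ;;
  apply)  # write under $ROOT; ROOT=/tmp/stage lets you review before touching /etc
    mkdir -p "$ROOT/etc/sysconfig/network-scripts"
    gen_ifcfg_sit1 "$LOCAL4" "$BROKER4" "$LOCAL6" > "$ROOT/etc/sysconfig/network-scripts/ifcfg-sit1"
    gen_sysconfig_network no | while IFS= read -r line; do      # append only the missing lines
      grep -qxF "$line" "$ROOT/etc/sysconfig/network" 2>/dev/null || echo "$line" >> "$ROOT/etc/sysconfig/network"
    done
    fw="$ROOT/etc/sysconfig/iptables"; rule="$(gen_proto41_rule "$BROKER4")"
    if [ -f "$fw" ] && ! grep -qF -- "$rule" "$fw"; then       # ahead of the stock chain's final REJECT
      sed -i "/-j REJECT --reject-with/i\\
$rule" "$fw"
    fi
    echo "next: /sbin/depmod -a; service iptables restart; service network restart; MODE=verify $0" ;;
  verify) # after the restart: address and default route on sit1, and the broker answers
    /sbin/ip -6 addr show dev sit1 && /sbin/ip -6 route show default && ping6 -c 3 "$PEER6" ;;
esac
```

Run it with no arguments to see what would be written, then ROOT=/tmp/stage MODE=apply to inspect the files, and MODE=apply as root against the live system once they look right; MODE=verify after the network restart is the quick check that the tunnel is actually up before any ip6tables work starts.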

The interfaces will look something like this (note that sit1 reports the 6in4 default MTU of 1480, Ethernet's 1500 less the 20-byte outer IPv4 header, rather than the 1280 requested in ifcfg-sit1, so check which value is really in force before chasing path-MTU trouble):

[herrold@hostname ~]$ /sbin/ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:01:02:aa:bb:cc
          inet addr:76.aa.bb.cc  Bcast:76.aa.bb.dd  Mask:255.255.255.248
          inet6 addr: fe80::201:aaff:bb05:cc16/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11088057 errors:0 dropped:0 overruns:1 frame:0
          TX packets:10668738 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1726307345 (1.6 GiB)  TX bytes:3178496052 (2.9 GiB)
          Interrupt:3 Base address:0x6f80

[herrold@hostname ~]$ /sbin/ifconfig sit1
sit1      Link encap:IPv6-in-IPv4
          inet6 addr: 2604:aa:bb:cc::2/64 Scope:Global
          inet6 addr: fe80::bbf2:cc1c/128 Scope:Link
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
          RX packets:500 errors:0 dropped:0 overruns:0 frame:0
          TX packets:502 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:53331 (52.0 KiB)  TX bytes:62784 (61.3 KiB)

[herrold@hostname ~]$

To wrap this up, IPv6 hardening and connection debugging are worthy topics, and it may well be that a cautious sysadmin wants to lock down /etc/sysconfig/ip6tables and examine how one has hardened /etc/hosts.deny ... But rather than rush out content (I have a couple of mailing list posts I need to re-work), I'll leave these for later posts, while you, gentle reader, go apply for an account at a tunnel broker