[colug-432] direct IPv6; July COLUG Meeting Announcement

R P Herrold herrold at owlriver.com
Mon Jul 25 14:33:23 EDT 2011


On Mon, 25 Jul 2011, Greg Sidelinger wrote:

> Is this through a consumer level ISP?

no, it is on my commercial oriented side, although it is 
affordably priced <advt> ;) </advt>

We run a couple ASN's in a full bore, Tier IV datacenter 
(Gordon's), and there are IANA issues we solve for the 
customer

He and I have been working at the issue since last September 
or so

http://www.pmman.com/

-------------------

I need to write up the doco, but it looks like this in a draft 
I sent out to selected customers in the last few weeks:

btw, we are NATIVE ipv6 capable now

I've not written the post, but it is easy:

1. Enable ipv6 in /etc/sysconfig/network

[root@bronson sysconfig]# cat network
NETWORKING=yes
# NETWORKING_IPV6=no


2. Amend a few rules in /etc/sysconfig/ip6tables to control 
the source of the assignment to a trusted one we run [on the 
ipv6 interface of 'secure.pmman.com'] [NOTE: there are other 
domU in the network running HE or SixXS tunnels, and they also 
advertise their willingness to peer for others in the 
broadcast subnet -- but these are not recommended, as they 
will not be durable, nor necessarily trustable to a third 
party]

  ...
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 --icmpv6-type router-advertisement -s fe80::2e0:81ff:fe34:b2a6 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 --icmpv6-type router-advertisement -s fe80::202:b3ff:feda:5e8b -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 --icmpv6-type router-advertisement -j DROP
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
  ...

and restart ip6tables (also enable it if not already enabled in 
sysconfig)

         /sbin/service ip6tables restart
         /sbin/chkconfig ip6tables on


3. Remove the no-ipv6 blocks in our default install from 
/etc/modprobe.conf

[root@bronson etc]# cat modprobe.conf
# alias net-pf-10 off
# alias ipv6 off
alias eth0 e1000
alias eth1 e1000
  ...

and rebuild the module dependencies:  depmod -a


4. Restart networking
         /sbin/service network restart


and eth0 should be up, assigned, and routing ipv6


Each domU gets a free (no extra cost, anyway), durable 
assignment in our block, and routing, in:

         2605:4400:1::/64

based on the ipv4 and MAC address of your unit


We can also arrange for private /64 assignments (sadly not 
portable, due to the fact that they are a local sub-delegation 
-- one has to go to IANA, set up an ASN, and pay a $2000 
initiation fee, and $2000 a year, and fill out a bunch of use 
justifications, to get a direct assignment)


The PMman DNS tool already handles AAAA and ipv6 PTR records, 
so you are set to go

------------------------------

-- Russ herrold
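
Step 2 depends on rule order: the per-source router-advertisement ACCEPT rules and the catch-all RA DROP must come before the general icmpv6 ACCEPT. The following is an added example, not part of the original post, that audits a rules file for that ordering; the function name `check_ra_rules` and the sample rule sets are constructed here, and it assumes one rule per line with no `!` negation on `-s`.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: check_ra_rules [CHAIN] < /etc/sysconfig/ip6tables
# Assumes one rule per line and no "!" negation on -s.
check_ra_rules() {
    awk -v chain="${1:-RH-Firewall-1-INPUT}" '
    $1 == "-A" && $2 == chain {
        n++; icmp6 = typed = ra = 0; src = tgt = ""
        for (i = 3; i < NF; i++) {
            v = $(i + 1)
            if ($i == "-p" && (v == "icmpv6" || v == "ipv6-icmp")) icmp6 = 1
            if ($i == "--icmpv6-type") { typed = 1; ra = (v == "router-advertisement" || v == "134") }
            if ($i == "-s") src = v
            if ($i == "-j") tgt = v
        }
        if (!icmp6) next
        if (ra && tgt == "ACCEPT" && src == "") { print "FAIL: RA accepted from any source (rule " n ")"; bad = 1 }
        if (ra && tgt == "ACCEPT" && src != "") print "trusted RA source: " src
        if (ra && tgt == "DROP" && src == "" && !drop_at) drop_at = n
        # An untyped icmpv6 ACCEPT ahead of the DROP lets every RA through.
        if (!typed && tgt == "ACCEPT" && src == "" && !drop_at) { print "FAIL: blanket icmpv6 ACCEPT before RA DROP (rule " n ")"; bad = 1 }
    }
    END {
        if (!drop_at) { print "FAIL: no catch-all RA DROP rule"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: the icmpv6 rules from step 2, each on one line.
sample_good() { cat <<'EOF'
-A RH-Firewall-1-INPUT -p icmpv6 --icmpv6-type router-advertisement -s fe80::2e0:81ff:fe34:b2a6 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 --icmpv6-type router-advertisement -s fe80::202:b3ff:feda:5e8b -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 --icmpv6-type router-advertisement -j DROP
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
EOF
}

# Constructed sample: blanket ACCEPT placed ahead of the RA DROP.
sample_bad() { cat <<'EOF'
-A RH-Firewall-1-INPUT -p icmpv6 --icmpv6-type router-advertisement -s fe80::2e0:81ff:fe34:b2a6 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 --icmpv6-type router-advertisement -j DROP
EOF
}

sample_good | check_ra_rules && echo "sample_good: RA pinned"
sample_bad | check_ra_rules || echo "sample_bad: rejected"
```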

