[colug-432] tunnelled IPv6 -- was: Looking for info on Columbus

Richard Troth rmt at casita.net
Wed Mar 9 11:19:54 EST 2011


> What is your problem with a tunnelled ipv6 connection?  They
> are pretty trivial to set up, and I've not noticed any
> 'lagginess' with the ones I've used?

Russ has been guiding me off-list.  He demanded "a full report to the
colug ML".  (For those who know Russ, I should not have to insert
smileys.)

Summary:  I'm on SixXS.  One /64 tunnel.  One /48 subnet.  No changes
to my DNS.  No systems routed yet.  But no charge!

If you want to play IPv6 at this time, your best bet is to find a
tunnel broker.  There are several ways your IPv6 traffic can be
carried via tunnel via IPv4.  So no need to wait for native IPv6 on
your wire.  Hurricane Electric is one broker.  SixXS is another.

Details follow in story form.

I have wanted to get into the IPv6 game for at least five years.  Most
recently, I have been following Hurricane Electric.  I think you can
get a cheap (or free) IPv6 tunnel and PoP from them.  But Russ was
using SixXS, and like a lot of people I am more inclined to begin my
journey on a trail at least partially blazed.

I have AAAA records in my DNS, but they are all useless.  Initially, I
did not understand the (lack of) routability of the link addr.  Then
when I knew to assign routable IPv6 addresses, I didn't want to use a
network that someone else might remotely also use.  (There is no v6
equivalent to the RFC 1597 v4 blocks.)  This is an infinitesimally
small risk, but I am a purist.  Lately I *have* gotten IPv6 traffic on
my own LAN.

Oh ... related to RFC 1597, important note:  NO NAT.  There is no NAT
in IPv6 and we don't *want* NAT.  Many consumers will not understand.
There will be a demand for NAT.  When consumers clue-in and start
using V6, do your part to stamp out NAT.  IPv6 is designed so that NAT
is not required.

SIGNING UP

Signing up for SixXS, there are a few validations for which they apply
human attention.  Nice.  They want to make sure you are legit (that
you are technically competent, that you are not up to malfeasance,
etc) and presumably that you are not a robot.  SixXS is not a company.
It is a project sponsored by several companies.  They give all kinds
of disclaimers: it may take a week for some turn around.  But the
human factor is a huge plus in my book and I have found the turn
around to be very fast.

Monday (Feb 28, late) I got into their system.  Something funky about
punctuation w/r/t my location.  (only got the city coded, not the
state; go fig)  Come the next morning (early) and I was approved for a
tunnel.  Yippee!  Now to get a box connected.

CONNECTING

Note:  If you install the "aiccu" package from SixXS, the rest might
be handled automagically.  And depending on your distro and package
manglement tool suite, you may be able to  'yum install aiccu'  or
'apt-get install aiccu'  or  'zypper install aiccu'.  You get the
idea.  But I did some side trail blazing so was a little slower.

Until recently, my primary firewall was an old SLES9 machine.  (Thanks
Jim P!  That's the beater Pentium I bought from you a couple years
ago.)  I took it out of FW duty, but the machine still runs and
handles certain traffic from behind the safety of a new NetGear NAT
gadget.  If the [expletive deleted] UPS worked, this box would be
ideal for my tunnel.  To use that machine for my SixXS tunnel, this
reference almost worked ...

        http://www.sixxs.net/faq/connectivity/?faq=ossetup&os=linuxsuse

I had to change the interface name from "sixxs" to "sit2".  (Was
dinking around with "sit1" also.  Long story.)  Generally, "sit0" is
reserved.  Also, when you're behind NAT, remember that your
TUNNEL_LOCAL_IPADDR  is of course the address on the local machine,
not the externally visible address.  (ie: don't use your cablemodem or
DSL addr.  Duh.)   I also had to manually specify
TUNNEL_LOCAL_INTERFACE=eth0,  which one theoretically should not need
to do.

At that point, 'ifup sit2' worked, but the tunnel was dead.  Turns out
that you still need their AICCU software, which is available for SuSE,
but my machine is just too back levelled.  I should have clued in from
the "This tunnel requires AICCU to function." statement on the status
page.  More info on that is here ...

        http://www.sixxs.net/tools/aiccu/

SLES9 is too far back-level for me to resolve the reqs.  I finally got
the tunnel working on a toy Kubuntu box.  This helped ...

        http://wiki.kubuntu.org/IPv6

Power went out.  (Twice in one month.  Not normal for my location.
Found out both UPSs fail D/R muster.)  Also, the guy who owns the toy
machine needed it back.  So after power was restored, I copied its
disk to an LV, pointed KVM at that, and booted Kubuntu as a guest.
Tunnel resumed.  Nice!

I later installed "aiccu" on a SLES 10 Xen guest.  Works!

ROUTING

Tuesday the 8th (late) the tunnel had been working smoothly for a week
so I requested a subnet.  Next morning (early), the subnet was
approved and associated with my tunnel.  They gave me a /48.  Now I
know there are literally billions of subnets in IPv6 /48 space.  But
still ... they shifted 16 bits further left from my tunnel.  (Left is
liberal, after all, and in this case that's a good thing.)   ;-)

SixXS has a kredit game for services you request.  Originally, you
could not get a subnet until your tunnel had been working for a solid
week (and acquired more kredits).  I somehow got more initial kreds
than they used to give, so I could have requested the subnet sooner.
But I elected to let it ride and go with stability.

I HAVE NOT gotten external V6 routing, but am sending this report now
for the sake of discussion.  Discuss!

Next steps:  Gotta get some of my machines routing via the tunnel.  I
will put them on my /48 subnet.  (80 bits of addresses there)

I need to resume my olde v6 DNS experiments.  (a subdomain with just
quad A records, also add usable quad A records to the parent domain)

Open questions:  Can I use the tunnel space for hosts?  (64 bits of
addressing.  Why throw it away?)

What security concerns are there with the absence of NAT?  I mean, for
example, Steve VanSlyck just got SSH presence.  Guessing he is like me
and that box fronts a number of other machines.  With a V6 tunnel, I
can supposedly not have to worry about TWC or SWB changing my wired V4
address.  Can I also route to/from the other machines?  Is that safe?

-- R;   <><
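
On the closing question about routing to the other machines without NAT: the inbound blocking that NAT provides as a side effect is normally replaced by a stateful default-deny forwarding policy on the box that terminates the tunnel. The sketch below is an added example, not part of the original post or of SixXS documentation; the interface names and the 2001:db8:1234::/48 prefix are constructed placeholders.

```shell
#!/bin/sh
# Added example: emit an ip6tables-restore ruleset for a Linux router that
# forwards a routed /48 between a LAN interface and an IPv6 tunnel interface.
# Arguments are assumptions: tunnel interface, LAN interface, routed prefix.

ruleset() {
    tun=$1 lan=$2 prefix=$3

    # Refuse values that could smuggle extra tokens into the ruleset.
    for name in "$tun" "$lan"; do
        case "$name" in ""|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    done
    case "$prefix" in */*) ;; *) return 1 ;; esac
    case "$prefix" in *[!0-9A-Fa-f:/]*) return 1 ;; esac

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic addressed to the router itself.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
# Anti-spoofing: our prefix never arrives from the tunnel side,
# and the LAN may only send from our prefix.
-A FORWARD -i $tun -s $prefix -j DROP
-A FORWARD -i $lan ! -s $prefix -j DROP
# Replies to connections opened from the LAN, and all outbound traffic.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $tun -j ACCEPT
# To publish one service, add a rule per host and port above COMMIT, e.g.
#   -A FORWARD -i $tun -o $lan -d <host address> -p tcp --dport 22 -j ACCEPT
EOF

    # ICMPv6 that end-to-end IPv6 depends on (path MTU discovery, errors, ping).
    for t in destination-unreachable packet-too-big time-exceeded \
             parameter-problem echo-request; do
        echo "-A FORWARD -i $tun -o $lan -d $prefix -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    echo COMMIT
}
```

As root, `ruleset sixxs eth0 2001:db8:1234::/48 | ip6tables-restore --test` parses the output without committing it. The IPv4 side that carries the tunnel needs its own rules and is not covered here.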


