I wrote a reply, and turns out, I sent that reply to yet another person a few hours later.
Something tells me this might be useful to share a bit more broadly, and this is just the forum for sharing tidbits about IPv6, so here we go...
Practical experience is my guide. I spent time looking at RFCs over 10 years ago, but it's simple enough to explain the basics without involving references to the RFCs directly, though this info is available in the RFCs.
Be aware this advice is specific to OpenBSD as given, but should be easy to translate to any other IPv6 aware OS.
An easy first step is 'ping6 -n -w ff02::1%em0': whatever addresses are returned are hosts you can reach directly on the local network, e.g. 'ssh fe80::...%em0'.
The RFCs talk about boundary conditions and other corner cases, and I do run into them upon occasion, but suffice it to say:
link local = ethernet segment
ff02::1%em0 = ping all link local hosts on `em0' (multicast)
ff02::2%em0 = ping all link local routers on `em0' (multicast)
fe80::...%em0 = the link local addresses available on `em0'.
2000::/3 = global addresses
2001:240::/32 = typical allocation for an ISP
2001:240:58a::/48 = typical allocation for a site
2001:240:58a::/64 = typical subnet and/or ethernet segment
IPv6 takes CIDR to its logical conclusion: there are no `netmasks' with IPv6, only CIDR prefix lengths.
For stateless address autoconfiguration, run 'rtsol -F em0' (and set net.inet6.ip6.accept_rtadv=1 in /etc/sysctl.conf).
Easy router for IPv6:
/etc/sysctl.conf:
net.inet6.ip6.forwarding=1
net.inet6.ip6.accept_rtadv=0
/etc/hostname.em0
inet6 2001:240:58a::1
/etc/rc.conf.local
rtadvd_flags="em0"
Easy client for IPv6:
/etc/sysctl.conf:
net.inet6.ip6.forwarding=0
net.inet6.ip6.accept_rtadv=1
/etc/hostname.em0:
rtsol
If you don't have a native uplink for IPv6, gif(4) is typically the way to go. he.net via tunnelbroker.net is a good source of upstream IPv6 addresses for now. This is something you'd do on your router:
/etc/hostname.gif0:
tunnel 70.164.197.105 216.218.224.42
inet6 alias 2001:470:1f0e:28f::2 128
dest 2001:470:1f0e:28f::1
!route -qn add -inet6 default 2001:470:1f0e:28f::1
Be very wary of blocking all IPv6 traffic on your firewall and then only permitting e.g. tcp in. IPv6 resolves MAC addresses with NDP over 'multicast' (ff02::/8), not with broadcasts like IPv4's ARP, so if your rules drop icmp6 your hosts can't even find each other on the segment.
There is a diff in the oven, not yet fully baked, that would let pf handle fragments; until it is in, this is what a 4.6 to -current pf.conf can look like:
set skip on lo
# block in log
# XXX the next 5 lines are required as opposed to the above one
# because v6 fragments are not handled by pf
block in log inet
block in log inet6 proto udp
block in log inet6 proto tcp
block in log inet6 proto icmp6
block in log inet6 proto esp
block in log inet6 proto ipv6
pass out
# multicast replies that don't reply with same addresses
pass in inet6 proto icmp6 from { fe80::/16 (egress:network) } icmp6-type { echorep fqdnrep }
# ndp
pass in inet6 proto icmp6 icmp6-type { neighbradv routeradv neighbrsol }
pass in inet6 proto icmp6 icmp6-type { echoreq fqdnreq }
pass on enc0
pass in on egress proto tcp to (egress) port ssh
Yes, the above is taken from some real systems of mine, so I'm sure you can substitute your own addresses when Hurricane Electric allocates them to you.
One thing to keep in mind: some people try voodoo things, but if you stick to giving a /64 to each subnet (i.e. each ethernet segment), rtadvd and rtsol will have no problems.
For DNS, the forward and reverse are similar to IPv4, but there are lots of dots in the reverse: all 8 groups of 4 hex digits are spelled out one digit at a time (each label is one nibble), in reverse order:
$ host 2001:240:58a:100::1
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.a.8.5.0.0.4.2.0.1.0.0.2.ip6.arpa domain name pointer puffy.FreeDaemonHosting.com.
As you can tell from the above, 2001:240:58a:100::1 is shorthand notation for 2001:0240:58a:0100:0000:0000:0000:0001, i.e. leading 0's in each group can be dropped,
and one run of consecutive 0000 groups can be shortened to just '::'.
If you're a programmer you will want to learn the getaddrinfo() and getnameinfo() APIs, introduced so you can get a list of addresses and, if necessary, handle the address-specific bits.
Unless your application stores data structures and manipulates them based on the address family, it is entirely possible to write an application that is address family independent and never references AF_INET or AF_INET6! See the 'nc', 'telnet' or 'ssh' code for examples.
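To make the last two points concrete, here is a small added example (mine, not code from the post or from any OpenBSD utility): canonical_addr() parses a textual address with getaddrinfo() using AF_UNSPEC and AI_NUMERICHOST, so it works offline and never decides v4 vs v6 itself, and prints it back with getnameinfo(), which turns the long form 2001:0240:58a:0100:0000:0000:0000:0001 into 2001:240:58a:100::1; ip6_arpa_name() builds the nibble-reversed ip6.arpa name the `host' output above shows. Function names and buffer sizes are my own choices.

```c
#define _POSIX_C_SOURCE 200112L
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Parse `text' with getaddrinfo(3): AF_UNSPEC lets the library decide v4 vs
 * v6, AI_NUMERICHOST means no DNS query (runs offline).  getnameinfo(3) then
 * prints it back canonically, e.g. 2001:0240:58a:0100:0000:0000:0000:0001
 * comes out as 2001:240:58a:100::1.  Returns 0 on success, -1 on failure. */
int canonical_addr(const char *text, char *out, size_t outlen)
{
    struct addrinfo hints, *res;
    int rc;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;
    if (getaddrinfo(text, NULL, &hints, &res) != 0)
        return -1;
    rc = getnameinfo(res->ai_addr, res->ai_addrlen, out, outlen, NULL, 0,
        NI_NUMERICHOST);
    freeaddrinfo(res);
    return rc == 0 ? 0 : -1;
}

/* Build the ip6.arpa name shown in the `host' output above: every hex digit
 * (nibble) of the 128-bit address is one label, last nibble first.  This
 * part is v6-only by nature.  `out' needs 73 bytes.  0 = ok, -1 = bad input. */
int ip6_arpa_name(const char *text, char *out, size_t outlen)
{
    struct in6_addr a;
    size_t pos = 0;

    if (outlen < 73 || inet_pton(AF_INET6, text, &a) != 1)
        return -1;
    for (int i = 15; i >= 0; i--)   /* low nibble of each byte first */
        pos += (size_t)snprintf(out + pos, outlen - pos, "%x.%x.",
            a.s6_addr[i] & 0xf, a.s6_addr[i] >> 4);
    snprintf(out + pos, outlen - pos, "ip6.arpa");
    return 0;
}
```

Feed canonical_addr() a v4 literal and it comes back unchanged; feed it a hostname and it fails, because AI_NUMERICHOST forbids the DNS round trip.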
This concludes your $.10 tour of IPv6 ;-) I'm sure a few terms above will be new to you if you are new to IPv6; feel free to read up on them via internet searches and such.
Also, a good starting point would be the inet6(4) man page on OpenBSD, which points out a couple of RFCs for `light reading' *grin*.
1 comment:
... really people, the above details may be a short list, but every one counts. Especially the part about the example pf.conf. Just had a friend have issues with openvpn, and guess what? pf was blocking his v6 .. 'block all' does not permit very useful debugging via 'tcpdump -envps 1500 -i pflog0' now does it?? ;-)