Profile photo of Bernardo Donadio

Bernardo Donadio

Infrastructure specialist, IT automation engineer and 3D printing enthusiast.

on networking, • by bcdonadio

Getting an IPv6 connection with SiXXs

Actually no major ISP (at least consumer-grade) provides IPv6 traffic nor addressing on theirs networks in the country where I live, but I’m curious, and couldn’t be left out of one of the biggest changes in the Internet since the first browser. So, I came out looking for tunnel options, and found that SiXXs is providing free tunnels to anyone who wants it and have a reasonable motive. Lucky me, plain curiosity is an acceptable one.

After a little bit of research, I found out that there is a PoP in my country, and it does provide a fairly low latency for one of continental dimensions like mine. This provider is CBTC (brudi01) and it has a ping time of ~45ms from Porto Alegre. So, everything was perfect, except for a little detail: how the hell IPv6 works?

The first thing to notice is that IPv6 is completely independent from IPv4, also you can (and need) a complete different set of rules in your firewall to both. So, you thought that keeping a single set of consistent rules was hard, don’t ya? Try to keep two, for every single computer. You should use ip6tables to handle those IPv6 rules, and try very hard to not mix everything up. Also, you can’t really simply copy the rules from one to another, because, as they have - on a quick look - almost the same options, they’re not perfectly compatible. Mainly regarding ICMP packets, where they’re almost completely different. They even baptized the new protocol with a new (but not very creative) name: ICMPv6.

After being accepted as a SiXXs user, I could choose my tunnel type, and the options were the following:

  1. Static: really not an option for me. I don’t have a static IPv4 address, and SiXXs draw ISKs (a system of credits, to punish bad users) from users who do not keep their static connections up 24x7. As I have a dynamic home connection, with a very noisy desktop, this was simply not an option.
  2. Heartbeat: I’ve chosen this one, as I have complete control of the NAT of my network. This modality doesn’t draw credits if a tunnel stays down, and even add credits if you open a connection every day.
  3. AYIYA: the IPv6 MacGyver, is able to trespass almost every kind of NAT, but it poses an overhead both to the client and the server. To my desktop, this overhead would be negligible, and since I can use Heartbeat (I have full control of my NAT), this would be of little use to me.

For some reason, I needed to wait again for approval of my tunnel request. A couple of hours later I was able to set my tunnel. Surprisingly, the AICCU, daemon that handles all those three types of tunnels, installation through apt-get on Ubuntu was so easy that almost took all the fun on setting the tunnel, except for a couple of details. Just type this and follow the wizard:

# apt-get install aiccu

Done with the installation, you need to understand that you received two /64 subnets even without asking for an additional /48 one. The first one is the tunnel endpoint IPs, which ::1 will be the PoP router, and ::2 will be you. Actually, you can use this ::2 to any kind of traffic, because, as everything in IPv6, it’s globally reachable. But you will not be able to use any of the other IPs in this subnet. They’re assigned to your PoP, and will not reach you.

The second subnet is routed directly to you. Any packet traveling with the subnet prefix of yours (disregarding the 64 least significant bits of the address) will reach you. In fact, when wiresharking the connection while pinging any address of the subnet you will see them. Cool, huh? Well, not yet. Those pings will not be answered, because your device is not configured to answer to packets coming from any of those addresses of the second subnet. In order to your device be able to do so, you must add them to the list of IPs that it will answer to, as following:

# ip addr change <ipv6_complete_address>/64 dev sixxs preferred_lft 0

Repeat the process until all addresses have this bit set to zero but the one that you want as default. If you need to list the addresses added and to know the current default one, do as so:

# ip addr

The addresses marked with the deprecated tag will be the ones with the preferred_lft bit set to 0. As more in the top that are the addresses, the later they were added. Remember that the ones with the deprecated tag will continue to be working normally, just won’t be the default ones for new outgoing connections.

Good, but now you have to make those changes permanent, otherwise, whenever the machine is either rebooted or the sixxs interface is brought down and up again, you will lose the addresses configurations made so far. You can do so adding the configurations you made in a new executable BASH script like /usr/local/etc/aiccu-subnets.sh or any other path, like this:

#!/bin/bash
ip addr add <your_public_subnet_prefix>::1/64 dev sixxs
ip addr change <ipv6_complete_address>/64 dev sixxs preferred_lft 0

Then you must tell AICCU to execute this file whenever the tunnel is established, appending the following line to /etc/aiccu.conf:

setupscript /usr/local/etc/aiccu-subnets.sh

Finally, the glibc default DNS resolver (getaddrinfo(), also called gai) will be preferring to answer with the IPv6 address of a given domain whenever available. If your tunnel does have a fairly high latency, you may not want this. With the following configuration, the tunnel will only be used when the resolver finds out that the given hostname does only have an AAAA entry, as it will always prefer to answer with the A record.

In order to do so, you must add or uncomment the following line in /etc/gai.conf:

precedence ::ffff:0:0/96  100

Now you’re ready to go rock out with your new IPv6 connection. Don’t forget that you must configure a firewall to the IPv6 stack with ip6tables. You’re now globally reachable and there’s no NAT to protect you!

See ya!