Saturday, December 4, 2010

Solaris IPv6 tunnel setup

IPv4 Internet addresses, 32 bits in length, are running out. The replacement is IPv6 addresses, which are 128 bits. Ten years ago, IPv6 was in an experimental stage for several operating systems. On Linux, experimental patches, modules, and binaries were available, which I cobbled together to enable IPv6 on my home network. To test my old IPv6 setup, I decided to join an IPv6 test network, 6bone, which was composed mainly of IPv6 over IPv4 tunnels. My main contribution was correcting & clarifying Peter Bieringer's Linux+IPv6 HOWTO.
Since IPv4 addresses are running out, it may be a good idea to IPv6-enable your computer or network. I'll show you how you can configure a Solaris system using Hurricane Electric's (HE's) free IPv6 over IPv4 tunnel service, which uses IP Protocol 41. This tunnel allows you to connect your IPv6-enabled computer or network (at home or work) to HE's IPv6 network. This is necessary because most ISPs don't support IPv6. Other (free) tunnel services are also available and the setup is similar. The advantage of HE is they have a webpage that shows your configuration and the exact setup (command line configuration) for various operating systems, including Solaris.
Step 1: provision a tunnel from Hurricane Electric
Go to www.tunnelbroker.net, register and log in. Set up an IPv6 tunnel by entering your IP address (not your internal address if you're behind a NAT, but the external address visible on the Internet), and choose the tunnel endpoint closest to you (I chose Los Angeles, for example). Under "Example Configurations:", select "Solaris" and click on "Show Config". Here's the information I got:
Server IPv4 address:    66.220.18.42
Server IPv6 address:    2001:470:c:2ed::1/64
Client IPv4 address:    66.27.60.10
Client IPv6 address:    2001:470:c:2ed::2/64
Routed /48:             Allocate
Routed /64:             2001:470:d:2ed::/64
. . .
Example Configurations: Solaris  Show Config

Copy and Paste the following into a command windows:
ifconfig ip.tun0 inet6 plumb
ifconfig ip.tun0 inet6 tsrc 66.27.60.10 tdst 66.220.18.42 up
ifconfig ip.tun0 inet6 addif 2001:470:c:2ed::2 2001:470:c:2ed::1 up
route add -inet6 default 2001:470:c:2ed::1

*NOTE* When behind a firewall appliance that passes protocol41, instead
of using the IPv4 endpoint you provided to our broker, use the IPv4
address you get from your appliance's DHCP service. 
Step 2: Set up and test your end of the tunnel
Once the tunnel is provisioned and set up on the remote (HE) end, you need to set up your (local) end of the tunnel. To do that, just type the ifconfig and route commands shown above as root (or use sudo or pfexec). If your computer is behind a NAT router, you need to use the private IP address that you use on your local network instead of the external address. These private IP addresses usually begin with 192.168., 172.16. through 172.31., or 10. In my case, I substitute "66.27.60.10" with "10.11.12.15". If you are behind a router with NAT, make sure it passes IP Protocol 41 packets through. My IPv4 router (D-Link DGL-4300) does that out-of-the-box. Here's my session showing how I set it up and tested the tunnel. The commands I typed are the lines beginning with the # prompt:
# /usr/sbin/ifconfig ip.tun0 inet6 plumb
# /usr/sbin/ifconfig ip.tun0 inet6 tsrc 10.11.12.15 tdst 66.220.18.42 up
# /usr/sbin/ifconfig ip.tun0 inet6 addif 2001:470:c:2ed::2 2001:470:c:2ed::1 up
# /usr/sbin/route add -inet6 default 2001:470:c:2ed::1
# /usr/sbin/ifconfig -a6
lo0: flags=2002000849 mtu 8252 index 1
        inet6 ::1/128 
e1000g0: flags=202100841 mtu 1500 index 2
        inet6 fe80::20e:cff:fe68:e4cc/10 
e1000g0:1: flags=202180841 mtu 1500 index 2
        inet6 2001:470:c:2ed:20e:cff:fe68:e4cc/64 
ip.tun0: flags=2204851 mtu 1480 index 3
        inet tunnel src 10.11.12.15 tunnel dst 66.220.18.42
        tunnel hop limit 60 
        inet6 fe80::a0b:c0f/10 --> fe80::42dc:122a 
ip.tun0:1: flags=2200851 mtu 1480 index 3
        inet6 2001:470:c:2ed::2/128 --> 2001:470:c:2ed::1 
The ip.tun0 and ip.tun0:1 entries above show the IPv4 and IPv6 addresses, respectively, of the tunnel between you and the remote end, operated by HE. The "route" command installs a default route, so all IPv6 packets not otherwise directed are sent through the IPv6 tunnel. Let's test the tunnel to verify it works. Ping of ::1 (localhost) will work if IPv6 was not disabled during installation. Next, ping all local IPv6 hosts (ff02::1), then ping a remote IPv6 host (www.kame.net), and print the route to the remote host with traceroute.
# /usr/sbin/ping ::1
::1 is alive
# /usr/sbin/ping -s -i ip.tun0 ff02::1
PING ff02::1: 56 data bytes
64 bytes from fe80::a0b:c0f: icmp_seq=0. time=0.282 ms
64 bytes from fe80::230:48ff:fe98:d3ea: icmp_seq=0. time=43.538 ms
64 bytes from fe80::a0b:c0f: icmp_seq=1. time=0.163 ms
64 bytes from fe80::230:48ff:fe98:d3ea: icmp_seq=1. time=41.564 ms
^C
# /usr/sbin/ping -A inet6 -s www.kame.net
PING www.kame.net: 56 data bytes
64 bytes from orange.kame.net (2001:200:0:8002:203:47ff:fea5:3085): icmp_seq=0. time=187.449 ms
64 bytes from orange.kame.net (2001:200:0:8002:203:47ff:fea5:3085): icmp_seq=1. time=185.819 ms
^C
# /usr/sbin/traceroute -A inet6 www.kame.net
traceroute: Warning: Multiple interfaces found; using 2001:470:c:2ed::2 @ ip.tun0:1
traceroute to www.kame.net (2001:200:0:8002:203:47ff:fea5:3085), 30 hops max, 60 byte packets
 1  drydog-1.tunnel.tserv15.lax1.ipv6.he.net (2001:470:c:2ed::1)  36.687 ms  38.787 ms  36.992 ms
 2  gige-g4-6.core1.lax1.he.net (2001:470:0:9d::1)  36.298 ms  37.407 ms  36.206 ms
 3  10gigabitethernet1-3.core1.pao1.he.net (2001:470:0:34::1)  43.780 ms  44.840 ms  43.861 ms
 4  3ffe:80a::b2  46.525 ms  47.224 ms  44.585 ms
 5  hitachi1.otemachi.wide.ad.jp (2001:200:0:4401::3)  183.115 ms  197.892 ms  186.334 ms
 6  2001:200:0:1802:20c:dbff:fe1f:7200  186.029 ms  185.448 ms  186.854 ms
 7  ve42.foundry4.nezu.wide.ad.jp (2001:200:0:11::66)  187.344 ms  185.172 ms  203.837 ms
 8  ve45.nec2.yagami.wide.ad.jp (2001:200:0:12::74)  186.746 ms  188.705 ms  186.606 ms
 9  2001:200:0:8400::10:1  185.072 ms  185.955 ms  183.482 ms
10  orange.kame.net (2001:200:0:8002:203:47ff:fea5:3085)  184.444 ms  185.315 ms  187.816 ms
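The most common slip in Step 2 is pasting HE's public client address into tsrc while the host actually sits behind a NAT router. As an added example (my own script, not part of the original post or of HE's configuration), here is a small POSIX sh check: it parses "ifconfig -a6" output for ip.tun0, compares the tunnel endpoints with what you intended, and flags a tsrc that is not an RFC 1918 private address when the host is behind NAT (or the reverse). The sample ifconfig text is constructed from the session above so the script runs offline; the function names is_rfc1918, tunnel_endpoints and check_tunnel are mine.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the IPv4
# endpoints of the Solaris ip.tun0 tunnel against what you intended.
# Assumptions: POSIX sh and awk; the function names are mine.

# is_rfc1918 ADDR: succeed if ADDR is in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    case "$1" in
        10.*)      return 0 ;;
        192.168.*) return 0 ;;
        172.*)
            second=$(printf '%s' "$1" | cut -d. -f2)
            [ "$second" -ge 16 ] 2>/dev/null && [ "$second" -le 31 ] && return 0
            return 1 ;;
    esac
    return 1
}

# tunnel_endpoints IFNAME: read "ifconfig -a6" text on stdin and print
# "SRC DST" from the "inet tunnel src ... tunnel dst ..." line of IFNAME.
# Logical interfaces such as ip.tun0:1 are skipped because their first
# field is "ip.tun0:1:", not "ip.tun0:".
tunnel_endpoints() {
    awk -v want="$1" '
        /^[^ ]/ { inblk = ($1 == (want ":")) }
        inblk && $1 == "inet" && $2 == "tunnel" { print $4, $7 }
    '
}

# check_tunnel EXPECTED_SRC EXPECTED_DST nat|public: reads ifconfig text on
# stdin; succeeds only if the plumbed endpoints match and the local address
# is consistent with whether the host sits behind a NAT router.
check_tunnel() {
    ct_exp_src=$1; ct_exp_dst=$2; ct_mode=$3
    ct_got=$(tunnel_endpoints ip.tun0)
    if [ -z "$ct_got" ]; then
        echo "ip.tun0: no tunnel endpoints found (is it plumbed?)"
        return 1
    fi
    ct_src=${ct_got%% *}; ct_dst=${ct_got##* }
    if [ "$ct_src" != "$ct_exp_src" ] || [ "$ct_dst" != "$ct_exp_dst" ]; then
        echo "ip.tun0: endpoints $ct_src -> $ct_dst differ from expected $ct_exp_src -> $ct_exp_dst"
        return 1
    fi
    if [ "$ct_mode" = nat ] && ! is_rfc1918 "$ct_src"; then
        echo "ip.tun0: behind NAT but tsrc $ct_src is not a private address; use your LAN address"
        return 1
    fi
    if [ "$ct_mode" = public ] && is_rfc1918 "$ct_src"; then
        echo "ip.tun0: tsrc $ct_src is a private address but host is not behind NAT"
        return 1
    fi
    echo "ip.tun0: $ct_src -> $ct_dst OK ($ct_mode)"
    return 0
}

# Constructed sample, copied from the ifconfig -a6 session in the post, so
# the script runs offline.  On a live host pipe /usr/sbin/ifconfig -a6 instead.
SAMPLE_IFCONFIG='lo0: flags=2002000849 mtu 8252 index 1
        inet6 ::1/128
e1000g0: flags=202100841 mtu 1500 index 2
        inet6 fe80::20e:cff:fe68:e4cc/10
ip.tun0: flags=2204851 mtu 1480 index 3
        inet tunnel src 10.11.12.15 tunnel dst 66.220.18.42
        tunnel hop limit 60
        inet6 fe80::a0b:c0f/10 --> fe80::42dc:122a
ip.tun0:1: flags=2200851 mtu 1480 index 3
        inet6 2001:470:c:2ed::2/128 --> 2001:470:c:2ed::1'

# Demo: the first call passes; the second fails because 10.11.12.15 is
# private while the caller claims the host is not behind NAT.
printf '%s\n' "$SAMPLE_IFCONFIG" | check_tunnel 10.11.12.15 66.220.18.42 nat || :
printf '%s\n' "$SAMPLE_IFCONFIG" | check_tunnel 10.11.12.15 66.220.18.42 public || :
```

On a live system replace the sample with "/usr/sbin/ifconfig -a6 | check_tunnel 10.11.12.15 66.220.18.42 nat" (your own addresses). A wrong tsrc usually leaves the tunnel plumbed and "up" but with no replies from the HE end, which is exactly the symptom the ff02::1 and www.kame.net pings above would show.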
Step 3: Configure the tunnel and reboot
If you got this far, the hard part's behind you. Next, you need to save the tunnel configuration and reboot to verify it is configured OK. I assume with these instructions that NWAM is disabled and you're using hostname*.* files to set up Ethernet interfaces (NWAM isn't available on Solaris 10 or earlier in any case). With your favorite text editor, create or modify these files. Touch file /etc/hostname6.<interface> (where <interface> is your Ethernet interface, e1000g0 in my case). In file /etc/hostname6.ip.tun0 add the two lines from the ifconfig commands you used above, starting with "tsrc" and "addif". To make the IPv6 default route last across reboots, use "route -p add -inet6 default IPv6GatewayAddress":
# svcs physical
STATE          STIME    FMRI
disabled        9:18:16 svc:/network/physical:nwam
online          9:18:16 svc:/network/physical:default 
# touch /etc/hostname6.e1000g0
# cat >/etc/hostname6.ip.tun0
tsrc 10.11.12.15 tdst 66.220.18.42 up
addif 2001:470:c:2ed::2 2001:470:c:2ed::1 up
^D
# /usr/sbin/route -p add -inet6 default 2001:470:c:2ed::1
As an optional step, create file /etc/inet/ndpd.conf so the IPv6 Neighbor Discovery Protocol (NDP) daemon, in.ndpd, advertises your routed prefix to other IPv6 hosts on your local network (change "e1000g0" below to your network interface). This step is only needed if you have other hosts you wish to autoconfigure to use this IPv6 tunnel. The other Solaris hosts only need IPv6 enabled and a zero-length /etc/hostname6.<interface> file.
# cat >/etc/inet/ndpd.conf
ifdefault AdvSendAdvertisements on 
# Setup local network addresses using a routable prefix from HE.
# Important: replace "e1000g0" with YOUR network interface.
prefix 2001:470:d:2ed::/64 e1000g0 
^D
Reboot and retest your network as above to verify it still works.
Step 4: Security Considerations
Just as with IPv4, you need to protect your computer and network from outsiders coming in from the Internet. Disable network services you don't need. All or most Solaris network services can be restricted to the local network only, if they aren't already (see the man page and documentation for each service). Typing "netstat -af inet6" shows which services are listening on IPv6 ports. On OpenSolaris, and recent Solaris 10 updates, ipfilter and TCP Wrappers are IPv6-aware. Also, remember that an IPv6 tunnel bypasses any firewall setup you may have on your router between your home or work network and the Internet: the router forwards the protocol 41 packets as-is, and the IPv6 traffic inside them is only seen once it is decapsulated on your host.
The best way to start is to disable most services and enable only what you need. Type /usr/sbin/netservices limited to disable most network services (except ssh), or restrict them to respond to local requests only. This is the default for OpenSolaris and recent updates of Solaris 10. The Solaris Security Toolkit (SST, also known as JASS) allows selective enabling and disabling of services during or after installation, depending on which SST driver profile you use. For example, this hardens the system with the server-secure driver profile:
/opt/SUNWjass/bin/jass-execute -d server-secure.driver
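Because the tunnel delivers IPv6 straight to the host inside protocol 41 packets, the router's IPv4 firewall never inspects it, so the host itself has to filter ip.tun0. As an added example (my own ruleset, not from the post), here is a minimal /etc/ipf/ipf6.conf for the interfaces used in this post: default deny, stateful pass for what the host originates over the tunnel, inbound ICMPv6 allowed because path MTU discovery and neighbor discovery depend on it, one illustrative inbound ssh rule to the tunnel address, and the LAN and loopback sides left open. The interface names, the tunnel address and the decision to expose ssh are assumptions; adjust them for your host.

```conf
# /etc/ipf/ipf6.conf  (added example; my own rules, not from the post)
# Interfaces and the tunnel address are taken from the session above and
# are assumptions for your host: ip.tun0 = HE tunnel, e1000g0 = LAN,
# lo0 = loopback.

# Default deny in both directions.  The "quick" rules below win because
# a quick match stops rule processing immediately.
block in log all
block out all

# Loopback and the local LAN are trusted.  Neighbor discovery and the
# router advertisements sent by in.ndpd are ipv6-icmp and need this.
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on e1000g0 all
pass out quick on e1000g0 all

# Traffic this host (or the LAN behind it) originates over the tunnel,
# with state so only the matching replies are let back in.
pass out quick on ip.tun0 proto tcp from any to any flags S keep state
pass out quick on ip.tun0 proto udp from any to any keep state
pass out quick on ip.tun0 proto ipv6-icmp from any to any keep state

# Inbound ICMPv6 stays open: with the 1480-byte tunnel MTU the host
# depends on Packet Too Big messages for path MTU discovery.
pass in quick on ip.tun0 proto ipv6-icmp from any to any

# Illustration only: allow ssh to the tunnel address.  Delete this rule
# if the host should not be reachable from the IPv6 Internet at all.
pass in quick on ip.tun0 proto tcp from any to 2001:470:c:2ed::2/128 port = 22 flags S keep state
```

Load the rules with "ipf -6 -Fa -f /etc/ipf/ipf6.conf" (or enable the network/ipfilter service with the file in place) and list them with "ipfstat -6 -io". Then rerun the ping and traceroute tests from Step 2: a ruleset that drops ipv6-icmp breaks path MTU discovery across the 1480-byte tunnel and shows up as large transfers stalling while small pings still succeed.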
Step 5: Use and further configuration
  • You can use nslookup to look up IPv6 addresses. For example, nslookup -q=aaaa www.kame.net returns 2001:200:0:8002:203:47ff:fea5:3085.
  • For testing, you can use IPv6 addresses in URLs. Firefox on Solaris supports IPv6. Here's a sample URL, which uses the IPv6 address of www.kame.net: http://[2001:200:0:8002:203:47ff:fea5:3085]/ (if the tortoise on the webpage is animated, you're connected using IPv6).
  • Most Solaris utilities, such as ftp, ssh, and telnet, are IPv6 enabled, as are the Apache, FTP, ssh, and other network servers.
Alternatives and Future
In the near future, more and more routers and firewalls will support IPv6 and IPv6 tunnels. Cisco supports IPv6. Among consumer routers, D-Link is far ahead in the game. Their wifi routers DI-784 (802.11abg), DI-524 & DI-624 (bg), WBR-1310 & WBR-2310 (g), and DIR-615 (n) support IPv6 and IPv6 tunnels. Other consumer routers, such as the Linksys WRT54G, have third-party open source software available with IPv6 support.
In the more distant future, which is always more risky to predict, ISPs will finally come along and support IPv6. But this won't happen until IPv6 usage has become widespread. With the explosion of non-computer Internet devices (such as cell/mobile phones, PDAs, music devices, etc.) and growth of Internet in third-world countries, the jump in IPv6 deployment will take many by surprise.

1 comment:

  1. Nice post but almost impossible to read due to the colors used.
