Solaris IPv6 tunnel setup
By danx on Nov 14, 2008
If you have IPv6 enabled, www.kame.net shows a kame anime (animated tortoise). If you just have IPv4, the kame won't move.
IPv4 Internet addresses, 32 bits in length, are running out. The replacement is IPv6 addresses, which are 128 bits. Ten years ago, IPv6 was in an experimental stage for several operating systems. On Linux, experimental patches, modules, and binaries were available, which I cobbled together to enable IPv6 on my home network. To test my old IPv6 setup, I decided to join an IPv6 test network, the 6bone, which was composed mainly of IPv6 over IPv4 tunnels. My main contribution was correcting & clarifying Peter Bieringer's Linux+IPv6 HOWTO.
Since IPv4 addresses are running out, it may be a good idea to IPv6-enable your computer or network. I'll show you how you can configure a Solaris system using Hurricane Electric's (HE's) free IPv6 over IPv4 tunnel service, which uses IP Protocol 41. This tunnel allows you to connect your IPv6-enabled computer or network (at home or work) to HE's IPv6 network. This is necessary because most ISPs don't support IPv6. Other (free) tunnel services are also available and the setup is similar. The advantage of HE is that they have a webpage that shows your configuration and the exact setup (command line configuration) for various operating systems, including Solaris.
Step 1: provision a tunnel from Hurricane Electric
Go to www.tunnelbroker.net, register and log in. Set up an IPv6 tunnel by entering your IP address (not your internal IP address if you're behind a NAT, but the external IP address visible to the Internet), and choose a tunnel endpoint closest to you (I chose Los Angeles, for example). Under "Example Configurations:", select "Solaris" and click on "Show Config". Here's the information I got:
Server IPv4 address: 126.96.36.199
Server IPv6 address: 2001:470:c:2ed::1/64
Client IPv4 address: 188.8.131.52
Client IPv6 address: 2001:470:c:2ed::2/64
Routed /48: Allocate
Routed /64: 2001:470:d:2ed::/64
. . .
Example Configurations: Solaris   Show Config

Copy and Paste the following into a command window:

ifconfig ip.tun0 inet6 plumb
ifconfig ip.tun0 inet6 tsrc 184.108.40.206 tdst 220.127.116.11 up
ifconfig ip.tun0 inet6 addif 2001:470:c:2ed::2 2001:470:c:2ed::1 up
route add -inet6 default 2001:470:c:2ed::1

*NOTE* When behind a firewall appliance that passes protocol41, instead of using the IPv4 endpoint you provided to our broker, use the IPv4 address you get from your appliance's DHCP service.
Step 2: Setup and test your end of the tunnel
Once the tunnel is provisioned and set up on the remote (HE) end, you need to set up your (local) end of the tunnel. To do that, just type the ifconfig and route commands shown above as root (or use sudo or pfexec). If your computer is behind a NAT router, you need to use the private IP address that you use on your local network. These private IP addresses usually begin with 192.168., 172.16. through 172.31., or 10. In my case, I substitute "18.104.22.168" with "10.11.12.15". If you are behind a router with NAT, make sure it passes IP Protocol 41 packets through. My IPv4 router (D-Link DGL-4300) does that out-of-the-box. Here's my session showing how I set it up and tested the tunnel. The commands I typed are the lines beginning with the "#" prompt:
# /usr/sbin/ifconfig ip.tun0 inet6 plumb
# /usr/sbin/ifconfig ip.tun0 inet6 tsrc 10.11.12.15 tdst 22.214.171.124 up
# /usr/sbin/ifconfig ip.tun0 inet6 addif 2001:470:c:2ed::2 2001:470:c:2ed::1 up
# /usr/sbin/route add -inet6 default 2001:470:c:2ed::1
# /usr/sbin/ifconfig -a6
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128
e1000g0: flags=202100841<UP,RUNNING,MULTICAST,ROUTER,IPv6,CoS> mtu 1500 index 2
        inet6 fe80::20e:cff:fe68:e4cc/10
e1000g0:1: flags=202180841<UP,RUNNING,MULTICAST,ADDRCONF,ROUTER,IPv6,CoS> mtu 1500 index 2
        inet6 2001:470:c:2ed:20e:cff:fe68:e4cc/64
ip.tun0: flags=2204851<UP,POINTOPOINT,RUNNING,MULTICAST,DHCP,NONUD,IPv6> mtu 1480 index 3
        inet tunnel src 10.11.12.15 tunnel dst 126.96.36.199
        tunnel hop limit 60
        inet6 fe80::a0b:c0f/10 --> fe80::42dc:122a
ip.tun0:1: flags=2200851<UP,POINTOPOINT,RUNNING,MULTICAST,NONUD,IPv6> mtu 1480 index 3
        inet6 2001:470:c:2ed::2/128 --> 2001:470:c:2ed::1
The ip.tun0 and ip.tun0:1 entries above specify the IPv4 and IPv6 addresses, respectively, of the tunnel between you and the remote end, operated by HE. The "route" command specifies a default route, so all IPv6 packets not otherwise directed are sent through the IPv6 tunnel. Let's test the tunnel to verify it works. A ping of ::1 (localhost) will work if IPv6 was not disabled during installation. Next, ping all local IPv6 hosts (ff02::1), then ping a remote IPv6 host (www.kame.net), and print the route to the remote host with traceroute.
# /usr/sbin/ping ::1
::1 is alive
# /usr/sbin/ping -s -i ip.tun0 ff02::1
PING ff02::1: 56 data bytes
64 bytes from fe80::a0b:c0f: icmp_seq=0. time=0.282 ms
64 bytes from fe80::230:48ff:fe98:d3ea: icmp_seq=0. time=43.538 ms
64 bytes from fe80::a0b:c0f: icmp_seq=1. time=0.163 ms
64 bytes from fe80::230:48ff:fe98:d3ea: icmp_seq=1. time=41.564 ms
^C
# /usr/sbin/ping -A inet6 -s www.kame.net
PING www.kame.net: 56 data bytes
64 bytes from orange.kame.net (2001:200:0:8002:203:47ff:fea5:3085): icmp_seq=0. time=187.449 ms
64 bytes from orange.kame.net (2001:200:0:8002:203:47ff:fea5:3085): icmp_seq=1. time=185.819 ms
^C
# /usr/sbin/traceroute -A inet6 www.kame.net
traceroute: Warning: Multiple interfaces found; using 2001:470:c:2ed::2 @ ip.tun0:1
traceroute to www.kame.net (2001:200:0:8002:203:47ff:fea5:3085), 30 hops max, 60 byte packets
 1  drydog-1.tunnel.tserv15.lax1.ipv6.he.net (2001:470:c:2ed::1)  36.687 ms  38.787 ms  36.992 ms
 2  gige-g4-6.core1.lax1.he.net (2001:470:0:9d::1)  36.298 ms  37.407 ms  36.206 ms
 3  10gigabitethernet1-3.core1.pao1.he.net (2001:470:0:34::1)  43.780 ms  44.840 ms  43.861 ms
 4  3ffe:80a::b2  46.525 ms  47.224 ms  44.585 ms
 5  hitachi1.otemachi.wide.ad.jp (2001:200:0:4401::3)  183.115 ms  197.892 ms  186.334 ms
 6  2001:200:0:1802:20c:dbff:fe1f:7200  186.029 ms  185.448 ms  186.854 ms
 7  ve42.foundry4.nezu.wide.ad.jp (2001:200:0:11::66)  187.344 ms  185.172 ms  203.837 ms
 8  ve45.nec2.yagami.wide.ad.jp (2001:200:0:12::74)  186.746 ms  188.705 ms  186.606 ms
 9  2001:200:0:8400::10:1  185.072 ms  185.955 ms  183.482 ms
10  orange.kame.net (2001:200:0:8002:203:47ff:fea5:3085)  184.444 ms  185.315 ms  187.816 ms
Step 3: Configure the tunnel and reboot
If you got this far, the hard part's behind you. Next, you need to save the tunnel configuration, and reboot to verify it is configured OK. I assume with these instructions that NWAM is disabled and you're using hostname*.* files to set up Ethernet interfaces (NWAM isn't available on Solaris 10 or earlier in any case). With your favorite text editor, create or modify these files. Touch file /etc/hostname6.<interface name> (where <interface name> is your Ethernet interface). In file /etc/hostname6.ip.tun0 add the two lines from the ifconfig commands you used above, starting with "tsrc" and "addif". To make the IPv6 default route last across reboots, use "route -p add -inet6 default IPv6GatewayAddress":
# svcs physical
STATE          STIME    FMRI
disabled        9:18:16 svc:/network/physical:nwam
online          9:18:16 svc:/network/physical:default
# touch /etc/hostname6.e1000g0
# cat >/etc/hostname6.ip.tun0
tsrc 10.11.12.15 tdst 188.8.131.52 up
addif 2001:470:c:2ed::2 2001:470:c:2ed::1 up
^D
# /usr/sbin/route -p add -inet6 default 2001:470:c:2ed::1
As an optional step, create file /etc/inet/ndpd.conf so the IPv6 Neighbor Discovery Protocol (NDP) can broadcast to other IPv6 hosts on your local network (change "e1000g0" below to your network interface). This step is only needed if you have other hosts you wish to autoconfigure to use this IPv6 tunnel. The other Solaris hosts only need IPv6 enabled and a zero-length /etc/hostname6.<interface name> file.
# cat >/etc/inet/ndpd.conf
ifdefault AdvSendAdvertisements on
# Setup local network addresses using a routable prefix from HE.
# Important: replace "e1000g0" with YOUR network interface.
prefix 2001:470:d:2ed::/64 e1000g0
^D
Reboot and retest your network as above to verify it still works.
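The local-end procedure of Steps 2 and 3 (including the optional ndpd.conf) as a small POSIX shell helper. This is an added example, not code from the original post or from Hurricane Electric: it checks that the tsrc address is an RFC 1918 private address when you are behind NAT (the substitution described in Step 2), strips the /64 suffix HE shows on its addresses (the hostname6 file and "ifconfig addif" want bare addresses), and writes the persistent files into a staging directory of your choosing (use /etc on the real host). The function names and the staging-directory argument are this example's own; the addresses are the ones shown on this page.

```shell
#!/bin/sh
# Added example (not from the original post): stage the persistent Solaris
# tunnel configuration from the values the tunnelbroker.net page shows.
# Function names and the staging-directory argument are this example's own.

# is_private_ipv4 ADDR: succeed if ADDR is in an RFC 1918 block
# (10/8, 172.16/12, 192.168/16), i.e. a NAT-side LAN address.
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.*)
      second=${1#172.}; second=${second%%.*}
      [ "$second" -ge 16 ] 2>/dev/null && [ "$second" -le 31 ] 2>/dev/null
      ;;
    *) return 1 ;;
  esac
}

# strip_prefixlen ADDR/LEN: HE lists "2001:470:c:2ed::2/64"; the hostname6
# file and "ifconfig addif" take the bare address.
strip_prefixlen() { printf '%s\n' "${1%%/*}"; }

# check_tsrc BEHIND_NAT(yes|no) ADDR: behind NAT the tunnel source must be
# this host's private address, not the public endpoint you gave HE.
check_tsrc() {
  if [ "$1" = yes ] && ! is_private_ipv4 "$2"; then
    echo "tsrc $2 is not a private address; behind NAT use the LAN address" >&2
    return 1
  fi
  return 0
}

# write_tunnel_config DIR IFACE TSRC TDST CLIENT6 SERVER6 ROUTED64
# Writes DIR/hostname6.IFACE (zero length), DIR/hostname6.ip.tun0 and
# DIR/inet/ndpd.conf, then prints the one-time persistent route command.
write_tunnel_config() {
  dir=$1 iface=$2 tsrc=$3 tdst=$4
  client6=$(strip_prefixlen "$5") server6=$(strip_prefixlen "$6") routed64=$7
  mkdir -p "$dir/inet"
  : > "$dir/hostname6.$iface"          # empty file just enables IPv6 on the NIC
  printf 'tsrc %s tdst %s up\naddif %s %s up\n' \
    "$tsrc" "$tdst" "$client6" "$server6" > "$dir/hostname6.ip.tun0"
  printf 'ifdefault AdvSendAdvertisements on\nprefix %s %s\n' \
    "$routed64" "$iface" > "$dir/inet/ndpd.conf"
  printf '/usr/sbin/route -p add -inet6 default %s\n' "$server6"
}

# Demo with the values from the HE page above, staged in a temp directory.
demo_dir=$(mktemp -d)
check_tsrc yes 10.11.12.15 &&
  write_tunnel_config "$demo_dir" e1000g0 10.11.12.15 126.96.36.199 \
    2001:470:c:2ed::2/64 2001:470:c:2ed::1/64 2001:470:d:2ed::/64
cat "$demo_dir/hostname6.ip.tun0" "$demo_dir/inet/ndpd.conf"
rm -rf "$demo_dir"
```

Run it with DIR set to /etc as root once you are happy with the staged output; the printed route command is the only step that is not a file and still has to be run by hand.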
Step 4: Security Considerations
Just as with IPv4, you need to protect your computer and network from outsiders coming in from the Internet. Disable network services you don't need. All or most Solaris network services can be restricted to the local network only, if they aren't that way already (see the man page and documentation for each service). Typing "netstat -af inet6" shows what services are listening on IPv6 ports. On OpenSolaris, and recent Solaris 10 updates, ipfilter and TCP Wrappers are IPv6-aware. Also, remember that an IPv6 tunnel bypasses any firewall setup you may have on your router between your home or work network and the Internet.
The best way to start is to disable most services and enable only what you need. Type /usr/sbin/netservices limited to disable most network services (except ssh), or restrict them to respond to local requests only. This is the default for OpenSolaris and recent updates of Solaris 10.
The Solaris Security Toolkit allows selective enabling and disabling of services during or after installation, depending on what SST driver profile you use. For example, this hardens the system with the server-secure driver profile:
/opt/SUNWjass/bin/jass-execute -d server-secure.driver
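To make the netstat check above concrete, here is an added example (mine, not from the original post) that parses the IPv6 listener table and separates sockets bound to the wildcard address, which the tunnel makes reachable from the whole IPv6 Internet, from ones bound to ::1 only. The sample text is constructed in the shape of Solaris "netstat -af inet6" output; on a real host feed it the live command's output instead. The field positions used for the State column are taken from the section headers in that output.

```shell
#!/bin/sh
# Added example (not from the original post): list IPv6 services and show
# which ones a tunnel exposes. SAMPLE_NETSTAT is constructed to look like
# Solaris "netstat -af inet6" output; use the live command on a real host.
SAMPLE_NETSTAT='UDP: IPv6
   Local Address                     Remote Address                   State      If
   --------------------------------- --------------------------------- ---------- -----
      *.111                             *.*                              Idle
      ::1.514                           *.*                              Idle

TCP: IPv6
   Local Address                     Remote Address                   Swind Send-Q Rwind Recv-Q   State      If
   --------------------------------- --------------------------------- ----- ------ ----- ------ ----------- -----
      *.22                              *.*                              0      0 49152      0 LISTEN
      *.80                              *.*                              0      0 49152      0 LISTEN
      ::1.25                            *.*                              0      0 49152      0 LISTEN
      2001:470:c:2ed::2.22              2001:470:c:2ed::1.51234          49640      0 49640      0 ESTABLISHED
'

# ipv6_listeners NETSTAT_TEXT: print "proto port scope" for every bound
# socket; scope is "any" (wildcard), "loopback" (::1) or the bound address.
ipv6_listeners() {
  printf '%s\n' "$1" | awk '
    /^UDP: IPv6/  { proto = "udp"; next }
    /^TCP: IPv6/  { proto = "tcp"; next }
    /^[A-Za-z]+:/ { proto = ""; next }     # some other family or protocol
    proto == "" || $1 !~ /\./ { next }     # headers, rulers, blank lines
    {
      # Field positions follow the headers: UDP state is field 3, TCP state
      # is field 7 (Swind Send-Q Rwind Recv-Q come first).
      state = (proto == "udp") ? $3 : $7
      if (proto == "udp" && state != "Idle") next
      if (proto == "tcp" && state != "LISTEN") next
      n = split($1, part, ".")
      port = part[n]
      addr = substr($1, 1, length($1) - length(port) - 1)
      scope = (addr == "*") ? "any" : (addr == "::1") ? "loopback" : addr
      print proto, port, scope
    }'
}

# tunnel_exposed_ports NETSTAT_TEXT: only the listeners reachable through
# the tunnel (bound to the wildcard address), as "proto port".
tunnel_exposed_ports() {
  ipv6_listeners "$1" | awk '$3 == "any" { print $1, $2 }'
}

echo "All IPv6 listeners:";   ipv6_listeners "$SAMPLE_NETSTAT"
echo "Reachable via tunnel:"; tunnel_exposed_ports "$SAMPLE_NETSTAT"
```

Anything the second list shows that you did not mean to offer to the world is a candidate for netservices limited, a per-service listen address, or an ipfilter rule on ip.tun0.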
Step 5: Use and further configuration
- You can use nslookup to lookup IPv6 addresses. For example, nslookup -q=aaaa www.kame.net returns 2001:200:0:8002:203:47ff:fea5:3085.
- For testing, you can use IPv6 addresses in URLs. Firefox on Solaris supports IPv6. Here's a sample URL, which is the IPv6 address for www.kame.net: http://[2001:200:0:8002:203:47ff:fea5:3085]/ (if the tortoise on the webpage is animated, you're connected using IPv6).
- Most Solaris utilities, such as ftp, ssh, and telnet, are IPv6 enabled, as are Apache, FTP, ssh, and other network servers.
Alternatives and Future
In the near future, more and more routers and firewalls will support IPv6 and IPv6 tunnels. Cisco supports IPv6. Among consumer routers, D-Link is far ahead in the game. Their wifi routers DI-784 (802.11abg), DI-524 & DI-624 (bg), WBR-1310 & WBR-2310 (g), and DIR-615 (n) support IPv6 and IPv6 tunnels. Other consumer routers, such as the Linksys WRT54G, have third-party open source software available with IPv6 support.
In the more distant future, which is always more risky to predict, ISPs will finally come along and support IPv6. But this won't happen until IPv6 usage has become widespread. With the explosion of non-computer Internet devices (such as cell/mobile phones, PDAs, music devices, etc.) and growth of Internet in third-world countries, the jump in IPv6 deployment will take many by surprise.
References and notes
- http://www.optix.org/~dxy/solaris/ipv6/ by "dxy" of Japan has more information on configuring Solaris for IPv6, including DNS and tcp_wrappers usage.
- http://internecine.eu/systems/solaris-ipv6.html summarizes Solaris IPv6 support, and has some notes for newer IPv6-based protocols.
- Migrating to IPv6 on the Solaris OS, a 16-page PDF file by Nagendra Nagarajayya, covers IPv6 basics and setup, and C source code changes to make apps IPv6 aware. Also some Java IPv6 notes.
- http://docs.sun.com/ shows how to configure various aspects of an IPv6 network in the System Administration Guide. Go to the chapter (or enter in the search box) "Configuring an IPv6 Network". Go to the chapter "IPv6 Tunnels" for technical information on IPv6 over IPv4 tunnels on Solaris OS.
- Freenet6 (go6) also offers free IPv6 tunnels using a proprietary protocol. I haven't tried them, but they have been around for years.
- http://www.go6.net/ a good starting point (portal) for IPv6 information and news.
- http://ipv6.google.com/ is a basic IPv6 test website. It is accessible from IPv6, but not IPv4. Watch the dancing letters.
- http://www.sixxs.net/misc/coolstuff/ lists selected IPv6 cool websites.
- Jumpstart tip. For those who use JumpStart to install Solaris, add the line "protocol_ipv6=yes" in the network_interface stanza(s) in your sysidcfg file.