IPv6 router guide
This article has been flagged as dirty as of February 3, 2016 for not conforming to the wiki guidelines. It is now grouped in the list of articles to be cleaned.
Preliminaries
Basic kernel configuration
Any 2.6-based kernel tree available in Gentoo readily supports IPv6 connections. The new USAGI IPv6 stack has been integrated into the kernel since Linux 2.6.0.
root #
emerge --ask sys-kernel/gentoo-sources
You are now ready to enter the kernel source directory and begin configuring your kernel.
root #
cd /usr/src/linux
root #
make menuconfig
This assumes the symlink /usr/src/linux points to the sources that will be used as part of this guide.
Testing IPv6 support
After enabling the recommended options, recompile the kernel and reboot into the new IPv6-enabled kernel.
If iproute2 is not yet installed, installing it is strongly recommended. iproute2 is a network configuration suite that contains ip, the replacement for ifconfig, route, iptunnel and others.
root #
emerge --ask sys-apps/iproute2
Use of ifconfig can cause serious headaches if there are multiple tunnel devices. The tunnels need to be removed in reverse order, which means that the most recently created tunnel must be removed first.
If IPv6 works, the loopback device should show an IPv6 address:
root #
ip -6 addr show lo
1: lo: <LOOPBACK,UP> mtu 16436
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
## (The lines above show that everything is working correctly)
Before going any further, make sure to add ipv6 to the list of USE variables in make.conf, so that future emerges of packages will include IPv6 support.
Tunnel configuration
Basic configuration
Most ISPs still do not offer any native IPv6 connections. To get around this limitation, there are several "tunnel brokers" around the globe that offer free IPv6 tunnels. These allow all IPv6 connections to be tunneled through an IPv4 connection.
Broker | Location |
---|---|
Hurricane Electric | North America, Europe, Asia |
Freenet6 | US |
SixXS | Europe (since April 2016 SixXS no longer accepts signups, or tunnel or subnet requests) |
Singnet | Singapore |
Aarnet | Australia/South Pacific |
Below are two examples of setting up a tunnel with two popular North American brokers, Hurricane Electric (this applies equally to SixXS non-heartbeat tunnels) and Freenet6.
Hurricane Electric
Hurricane Electric (HE for short) offers free IPv6 tunnels and allocates a /64 block of addresses for each customer. It also allows configuration of reverse DNS. Getting a tunnel from HE is as easy as going to https://www.tunnelbroker.net/ and filling out a one page form.
Registration includes listing information like home address and phone number.
After a tunnel is approved and a /64 block is allocated, start to configure the system. HE provides sample configurations based on ifconfig and the iproute utilities. The following two examples assume that the following configuration is used:
Local IPv4 Address (eth0) | 68.36.91.195 |
HE IPv4 Address | 64.71.128.82 |
Local IPv6 tunnel Address | 2001:470:1F00:FFFF::2 |
Remote IPv6 tunnel Address | 2001:470:1F00:FFFF::1 |
IPv6 Block | 2001:470:1F00:296::/64 |
Using the sys-apps/iproute2 package and the ip command, do the following.
Create a tunnel between the local IPv4 address (eth0) and HE's remote IPv4 address:
root #
ip tunnel add he6 mode sit remote 64.71.128.82 local 68.36.91.195 ttl 64 dev eth0
Subtract the tunneling overhead from the MTU:
root #
ip link set he6 mtu 1280
Bring the tunnel up:
root #
ip link set he6 up
Assign the IPv6 address to the tunnel:
root #
ip addr add 2001:470:1F00:FFFF::2 dev he6
Route all global unicast IPv6 addresses through our 'he6' tunnel device:
root #
ip route add 2000::/3 dev he6
The following example shows how to establish this at boot time:
iptunnel_he6="mode sit remote 64.71.128.82 local 68.36.91.195 ttl 64 dev eth0"
depend_he6="net.eth0"
config_he6="2001:470:1F00:FFFF::2/64"
routes_he6="default via 2001:470:1F00:FFFF::1 dev he6"
mtu_he6="1280"
To make this device start on boot:
root #
cd /etc/init.d
root #
ln -s net.lo net.he6
root #
rc-update add net.he6 default
If there is no default policy of ACCEPT for the IPv4 iptables then add:
root #
iptables -A INPUT -i eth0 -p ipv6 -j ACCEPT
When tunneling IPv6 over IPv4, the packets will first come through the IPv4 chain before being passed to the IPv6 chain.
Freenet6
Freenet6 is another free tunnel broker. Optional registration only requires a username and a valid email address. They have chosen to turn the tunnel management into a client/server setup and have created the gogoCLIENT client. The client is available in Portage. To install it do:
root #
emerge --ask net-misc/gogoc
When choosing to connect with authentication, configure gogoCLIENT by editing /etc/gogoc/gogoc.conf. Only the userid and passwd fields need to be changed to match those assigned by Freenet6, along with the gateway server. Below is a sample config file.
auth_method=any
userid=anonymous
passwd=foobar
template=linux
server=broker.freenet6.net
Testing the connection
Now that the tunnel is configured, test the connection. The easiest way to do this is to use the ping6 utility and try to ping an IPv6 host.
root #
emerge --ask iputils
user $
ping6 www.kame.net
PING www.kame.net(orange.kame.net) 56 data bytes
64 bytes from orange.kame.net: icmp_seq=1 ttl=52 time=290 ms
64 bytes from orange.kame.net: icmp_seq=2 ttl=52 time=277 ms
64 bytes from orange.kame.net: icmp_seq=3 ttl=52 time=280 ms
64 bytes from orange.kame.net: icmp_seq=4 ttl=52 time=279 ms
64 bytes from orange.kame.net: icmp_seq=5 ttl=52 time=277 ms
--- www.kame.net ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4038ms
rtt min/avg/max/mdev = 277.040/281.041/290.046/4.699 ms
Further work is currently in progress to add better IPv6 support to the network init scripts. To know the status of this and/or help out, please email latexer@gentoo.org.
IPv6 support in applications
Re-emerging packages
Unless USE="ipv6" was already set in /etc/portage/make.conf previously, it is probably necessary to re-emerge a bunch of packages to compile in IPv6 support for them. To get a list of all the installed packages which are affected by USE flag changes, use Portage's --newuse (-N) option:
root #
emerge -uDNav @world
When many USE flags have been changed, the list could be quite long. It's suggested to keep the system up-to-date, so it won't hurt if all affected packages are rebuilt.
Some packages (erroneously) detect IPv6 support automatically and hence have no ipv6 USE flag. As a result, not every package that should support IPv6 will do so if it has not been compiled with an IPv6-enabled kernel.
IPv6 specific packages
There are a few packages that deal specifically with IPv6. Most of them are located in /usr/portage/net-misc.
Package | Description |
---|---|
net-misc/ipv6calc | Converts an IPv6 address to a compressed format |
net-misc/netcat6 | netcat version that supports IPv6 and IPv4 |
dev-perl/Socket6 | IPv6 related part of the C socket.h defines and structure manipulators |
DNS setup
IPv6 and DNS
Just as DNS uses A records for IPv4, it uses AAAA records for IPv6. (This is because IPv4 is an address space of 2^32 while IPv6 is an address space of 2^128.) For reverse DNS, the INT standard is deprecated and on its way to obsolescence, but still widely supported. ARPA is the current standard. Support for the ARPA format is described here.
BIND configuration
Recent versions of BIND include excellent IPv6 support. This section will assume at least minimal knowledge about the configuration and use of BIND. We will assume that bind is not running in a chroot. If this assumption is wrong, simply prepend the chroot prefix to most of the paths in the following section.
First add entries for both forward and reverse DNS zone files in /etc/bind/named.conf.
/etc/bind/named.conf (named.conf entries)
## (We allow bind to listen to IPv6 addresses.
## Using 'any' is the only way to do it prior to bind-9.3)
options {
    [...]
    listen-on-v6 { any; };
    [...]
};

## (This will provide the forward DNS for the domain 'ipv6-rules.com':)
zone "ipv6-rules.com" IN {
    type master;
    file "pri/ipv6-rules.com";
};

## (This format for reverse DNS is "bitwise." It's done by taking the IPv6 prefix,
## reversing the order of the numbers and putting a period between each number)
zone "6.9.2.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa" {
    type master;
    file "pri/rev-ipv6-rules.com.arpa";
};
Now create these zone files and add entries for all of your hosts:
/etc/bind/pri/ipv6-rules.com
$TTL 2h
@       IN  SOA   ipv6-rules.com. webmaster.ipv6-rules.com. (
                  2003052501 ; Serial
                  28800      ; Refresh
                  14400      ; Retry
                  3600000    ; Expire
                  86400 )    ; Minimum
            NS    ns1.ipv6-rules.com.

        IN  AAAA  2001:470:1f00:296::1   ; address for ipv6-rules.com
host1   IN  AAAA  2001:470:1f00:296::2   ; address for host1.ipv6-rules.com
host2   IN  AAAA  2001:470:1f00:296::3:3 ; address for host2.ipv6-rules.com
/etc/bind/pri/rev-ipv6-rules.com.arpa
$TTL 3d ; Default TTL (bind 8 needs this, bind 9 ignores it)
@       IN  SOA   ipv6-rules.com. webmaster.ipv6-rules.com. (
                  2003052501 ; Serial number (YYYYMMdd)
                  24h        ; Refresh time
                  30m        ; Retry time
                  2d         ; Expire time
                  3d )       ; Default TTL
        IN  NS    ns1.ipv6-rules.com.

; IPv6 PTR entries
$ORIGIN 6.9.2.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR ipv6-rules.com.
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR host1.ipv6-rules.com.
3.0.0.0.3.0.0.0.0.0.0.0.0.0.0.0 IN PTR host2.ipv6-rules.com.
DJBDNS configuration
There are currently some third-party patches to DJBDNS available at http://www.fefe.de/dns/ that allow it to do IPv6 name serving. DJBDNS can be installed with these patches by emerging it with ipv6 in the USE variable.
Not all record types are currently supported with these patches. In particular, NS and MX records are not supported.
root #
emerge --ask djbdns
After djbdns is installed, it can be setup by running tinydns-setup and answering a few questions about which IP addresses to bind to, where to install tinydns, etc.
root #
tinydns-setup
Assuming we've installed tinydns into /var/tinydns, we can now edit /var/tinydns/root/data. This file will contain all the data needed to get tinydns handling DNS for the IPv6 delegation.
## (*.ipv6-rules.com is authoritatively handled by 192.168.0.1)
.ipv6-rules.com:192.168.0.1:a:259200
## (Authoritative reverse DNS for 2001:470:1f00:296::/64)
.6.9.2.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa:192.168.0.1:a
## (Specify the IPs for host1 and host2)
6host1.ipv6-rules.com:200104701f0002960000000000000001:86400
6host2.ipv6-rules.com:200104701f0002960000000000000002:86400
## (Point www to host1)
3www.ipv6-rules.com:200104701f0002960000000000000002:86400
Lines prefixed with a 6 will have both an AAAA and a PTR record created. Those prefixed with a 3 will only have an AAAA record created. Besides manually editing the data file, it is possible to use the scripts add-host6 and add-alias6 to add new entries. After changes are made to the data file, simply run make from /var/tinydns/root. This will create /var/tinydns/root/data.cdb, which tinydns will use as its source of information for DNS requests.
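Both the reversed, dot-separated names used in the BIND reverse zone and the 32-digit hexadecimal form used in the tinydns data file can be derived mechanically from an address, which avoids miscounted zeros when entries are typed by hand. The following Python script is an added example, not part of the original guide or of BIND or djbdns; its function names are hypothetical, and the prefix and host addresses are the ones used in the examples above.

```python
import ipaddress

# Values taken from the guide's examples above.
PREFIX = "2001:470:1f00:296::/64"
HOSTS = {
    "ipv6-rules.com": "2001:470:1f00:296::1",
    "host1.ipv6-rules.com": "2001:470:1f00:296::2",
    "host2.ipv6-rules.com": "2001:470:1f00:296::3:3",
}

def _digits(address):
    """Return all 32 hex digits of an IPv6 address (no '::' compression)."""
    return ipaddress.IPv6Address(address).exploded.replace(":", "")

def _split(prefix):
    """Parse a prefix and return (network, number of hex digits it covers)."""
    net = ipaddress.IPv6Network(prefix)  # raises ValueError if host bits are set
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa delegation needs a prefix on a 4-bit boundary")
    return net, net.prefixlen // 4

def reverse_zone(prefix):
    """Zone name for named.conf: prefix digits reversed, dot-separated."""
    net, n = _split(prefix)
    return ".".join(reversed(_digits(net.network_address)[:n])) + ".ip6.arpa."

def ptr_owner(address, prefix):
    """Owner name of the PTR record, relative to reverse_zone(prefix)."""
    net, n = _split(prefix)
    if ipaddress.IPv6Address(address) not in net:
        raise ValueError(f"{address} is not inside {prefix}")
    return ".".join(reversed(_digits(address)[n:]))

def reverse_zone_records(prefix, hosts):
    """$ORIGIN line followed by one PTR line per host (FQDN -> address)."""
    lines = [f"$ORIGIN {reverse_zone(prefix)}"]
    lines += [f"{ptr_owner(a, prefix)} IN PTR {name}." for name, a in hosts.items()]
    return lines

def tinydns_line(kind, fqdn, address, ttl=86400):
    """'6' (AAAA and PTR) or '3' (AAAA only) line for the patched tinydns."""
    if kind not in ("6", "3"):
        raise ValueError("kind must be '6' or '3'")
    return f"{kind}{fqdn}:{_digits(address)}:{ttl}"

if __name__ == "__main__":
    print("\n".join(reverse_zone_records(PREFIX, HOSTS)))
    for name, addr in HOSTS.items():
        print(tinydns_line("6", name, addr))
```

An address outside the delegated prefix raises ValueError instead of producing a PTR name that would land in someone else's reverse zone.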
IPv6 router
Routing configuration
Further configuration is needed if you want to use your system as a router for other clients that wish to connect to the outside world over IPv6. You must enable IPv6 packet forwarding. This can be done in one of two ways:
- Either we set the value 1 in the forwarding pseudo-file:
root #
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
- Or we use the sysctl command:
root #
sysctl -w net.ipv6.conf.all.forwarding=1
The radvd init script explained in the next chapter enables (and disables) forwarding, making the next step unnecessary.
To enable forwarding at boot, edit /etc/sysctl.conf and add the following line.
## (When using radvd, this setting is not needed)
net.ipv6.conf.default.forwarding=1
Traffic should now be forwarded from this system through the tunnel you have established with your broker.
To assign IPv6 addresses to clients, the IPv6 specification allows both stateless and stateful IP address assignment. Stateless assignment uses a process called Router Advertisement and lets clients obtain an IP address and a default route by bringing up an interface. It is called stateless because no record is kept of the IP address that was assigned or of the host it was assigned to. Stateful assignment is handled by DHCPv6. It is called stateful because the server keeps state about the clients that requested IP addresses and received them.
Stateless configuration
Stateless configuration is easily accomplished using the Router Advertisement Daemon, or radvd:
root #
emerge --ask radvd
After having emerged radvd, we need to create /etc/radvd/radvd.conf that contains information about what IP block to assign IPs from. Here is a sample radvd.conf file using the prefix we've been assigned from our tunnel broker.
interface eth1
{
    ## (Send advertisement messages to other hosts)
    AdvSendAdvert on;
    ## (Fragmentation is bad(tm))
    AdvLinkMTU 1280;
    MaxRtrAdvInterval 300;
    ## (IPv6 subnet prefix we've been assigned by our PoP)
    prefix 2001:470:1F00:296::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
Make sure the interface on the first line is correct so that router advertisements are broadcasted to the intranet and not to the ISP!
Further information is available in man radvd.conf. We can now start radvd and set it to start at boot.
root #
/etc/init.d/radvd start
root #
rc-update add radvd default
Stateful configuration
To have a stateful configuration, install and configure net-misc/dibbler.
root #
emerge --ask dibbler
Now configure the dibbler client by editing /etc/dibbler/client.conf.
iface ppp0 {
    rapid-commit yes
    pd
    option dns-server
}
You can now start the dibbler client and set it to start at boot:
root #
/etc/init.d/dibbler-client start
root #
rc-update add dibbler-client default
IPv6 clients
Using radvd
Clients behind this router should now be able to connect to the rest of the net via IPv6. If using radvd, configuring hosts should be as easy as bringing the interface up. (This is probably already done by the net.ethX init scripts).
root #
ip link set eth0 up
root #
ip addr show eth0
1: eth0: <BROADCAST,MULTICAST,UP> mtu 1400 qdisc pfifo_fast qlen 1000
    link/ether 00:01:03:2f:27:89 brd ff:ff:ff:ff:ff:ff
    inet6 2001:470:1f00:296:209:6bff:fe06:b7b4/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::209:6bff:fe06:b7b4/64 scope link
       valid_lft forever preferred_lft forever
    inet6 ff02::1/128 scope global
       valid_lft forever preferred_lft forever
Should this not work, ensure that the IPv6 firewall is allowing ICMPv6 packets through:
root #
ip6tables -A INPUT -p icmpv6 -j ACCEPT
External resources
There are many excellent resources online pertaining to IPv6.
- www.ipv6.org - General IPv6 information
- www.linux-ipv6.org/ - USAGI project
- www.deepspace6.net - Linux/IPv6 site
- www.kame.net - *BSD implementation
On IRC, try the #ipv6 channel on Freenode. Connect to the Freenode servers using an IPv6 enabled client by connecting to irc.ipv6.freenode.net.
This page is based on a document formerly found on our main website gentoo.org.
The following people contributed to the original document: Peter Johanson, Jorge Paulo, Camille Huot, Pasi Valminen, Joshua Saddler (nightmorph), Markos Chandras (Hwoarang)
They are listed here because wiki history does not allow for any external attribution. If you edit the wiki article, please do not add yourself here; your contributions are recorded on each article's associated history page.