Enable IPv6 Privacy Extensions on Ubuntu

March 19th, 2011

With SLAAC, your MAC address is embedded into your IPv6 address. When you connect to the world, you’re giving them something that can be traced back to you (or at least to a piece of hardware you have). RFC3041 was created to help address this privacy issue. It’s since been obsoleted by RFC4941. The Linux kernel does support these RFCs, but most distributions do not turn them on by default. While the below was tested on Ubuntu, it should theoretically work for most flavors of Linux.

First, determine which interface(s) you want to enable the privacy extensions:

$ ifconfig
eth2      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx  
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: 2001:db8::xxxx:xxff:fexx:xxxx/64 Scope:Global
          inet6 addr: fe80::xxxx:xxff:fexx:xxxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6547155 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3594147 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:9470877266 (9.4 GB)  TX bytes:313893925 (313.8 MB)
          Interrupt:42 Base address:0xe000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:859192 errors:0 dropped:0 overruns:0 frame:0
          TX packets:859192 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:418471854 (418.4 MB)  TX bytes:418471854 (418.4 MB)

In my case it’s eth2 (and no, I don’t know what happened to eth0 and eth1 ;).

Add the following lines to /etc/sysctl.conf:

net.ipv6.conf.eth2.use_tempaddr = 2
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2

*Note that the first line could (and most likely would) be different for your particular setup.

After that, restart your network (or, if you like, restart your computer altogether) and you should see a new address:

$ ifconfig
eth2      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx  
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: 2001:db8::xxxx:xxff:fexx:xxxx/64 Scope:Global
          inet6 addr: fe80::xxxx:xxff:fexx:xxxx/64 Scope:Link
          inet6 addr: 2001:db8::9dd7:675f:8d2b:d78a/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6565518 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3607197 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:9493464492 (9.4 GB)  TX bytes:315035089 (315.0 MB)
          Interrupt:42 Base address:0xe000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:861796 errors:0 dropped:0 overruns:0 frame:0
          TX packets:861796 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:419488499 (419.4 MB)  TX bytes:419488499 (419.4 MB)

Outgoing connections will now use the new “random” IPv6 address. You can verify this by going to http://test-ipv6.com.

xkcd.com

February 25th, 2011

Just noticed (via @henet on twitter) that xkcd.com is now sporting an AAAA record:

$ dig aaaa xkcd.com

; <<>> DiG 9.7.0-P1 <<>> aaaa xkcd.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28275
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;xkcd.com.			IN	AAAA

;; ANSWER SECTION:
xkcd.com.		270	IN	AAAA	2001:48c8:1:d:0:23:5482:d026

;; Query time: 636 msec
;; SERVER: 64.59.135.143#53(64.59.135.143)
;; WHEN: Fri Feb 25 06:33:11 2011
;; MSG SIZE  rcvd: 54

The best part is that it doesn’t seem to be a tunnel, and xkcd’s host (Voxel) is running true native dual stack:

$ traceroute xkcd.com -f 7
traceroute to xkcd.com (72.26.203.99), 30 hops max, 60 byte packets
7 equinix-ix.ord1.us.voxel.net (206.223.119.107) 43.713 ms 47.946 ms 52.495 ms
8 910.te4-3.tsr1.lga3.us.voxel.net (208.122.44.133) 70.260 ms 70.248 ms 70.456 ms
9 0.ae59.tsr1.lga5.us.voxel.net (208.122.44.202) 71.796 ms 69.963 ms 69.826 ms
10 0.ae57.csr2.lga6.us.voxel.net (208.122.44.210) 69.970 ms 71.774 ms 71.762 ms
11 72.26.203.99 (72.26.203.99) 71.628 ms 69.762 ms 69.435 ms

$ traceroute6 xkcd.com -f 4
traceroute to xkcd.com (2001:48c8:1:d:0:23:5482:d026), 30 hops max, 80 byte packets
4 equinix-ix.sjc1.us.v6.voxel.net (2001:504:0:1:0:2:9791:1) 51.188 ms 58.107 ms 60.402 ms
5 ve16.tsr2.iad1.us.voxel.net (2001:48c8::801) 146.855 ms 146.911 ms 146.821 ms
6 0.te6-2.tsr1.ewr1.us.voxel.net (2001:48c8::811) 137.073 ms 137.044 ms 137.029 ms
7 0.te1-4.tsr1.lga5.us.voxel.net (2001:48c8::819) 135.758 ms 136.719 ms 135.739 ms
8 0.ae2.csr2.lga6.us.voxel.net (2001:48c8::82e) 136.702 ms 139.450 ms 139.429 ms
9 2001:48c8:1:d:0:23:5482:d026 (2001:48c8:1:d:0:23:5482:d026) 139.242 ms 121.606 ms 126.777 ms

Welcome to the IPv6 fold xkcd!

World IPv6 Day

January 13th, 2011

Now that some large companies (Google, Yahoo, Facebook, Akamai and Limelight Networks to name a few) are stepping up to the plate, World IPv6 Day is looking to be an awesome IPv6 event. However, ISPs are going to get a lot of calls about slow connections and possibly even no connection to these sites from their customers. The good news is that 6to4 and Teredo tunnels have improved in performance in recent months, so it wouldn’t be as bad as it would have been if it happened, say, last year. As well, with the focus on a specific day, hardware makers, software vendors, and ISPs have a target to get ready for this event, so hopefully, while problems can and will still happen, everyone at least has a chance to be prepared for them.

What are your plans for June 8th, 2011?

When will we run out of IPv4 addresses?

November 14th, 2010

I’ve been kind of working on a post about IPv4 exhaustion. It’s been hard though, because I’m not much of a statistics nut. Fortunately, there exists a Venn diagram where someone falls into both an IP nut *and* a statistics nut.

Geoff Huston has provided us with some good info on IPv4 exhaustion with this guide. He also gives us a “when” prediction here.

The number that most people are currently throwing out is the date that IANA will run out of numbers. But there are at least 2 levels below them: RIRs (Regional Internet Registries) and LIRs/ISPs (Local Internet Registries/Internet Service Providers; an LIR is usually some type of ISP). So there will be some time after IANA runs out before RIRs run out, then some time after that before ISPs run out.

However, if you think that means that you can take your time before implementing IPv6, you’re quite wrong. We’re not looking at much more than 3 or 4 years before ISPs run out (and that’s quite optimistic). If you deal in any way with the Asia Pacific area, it’s likely MUCH less. That’s not a lot of time to get a whole new infrastructure tested, tuned, hardened, implemented and supported. If you deal with home users, you’re going to have to do a whole lot more work. There aren’t a lot of end users that are even prepared to deal with IPv6 yet. You’ll have to figure out how to support devices that don’t work on IPv6 (CGN is one way, and it’s not pretty). If you aren’t mired in the details by now, you’re behind, and it’s just going to start costing more and more to get your network up to snuff the longer you delay. There are a few ISPs starting trials with their end customers. These guys will have the clear advantage in support and knowledge base when the time comes that IPv6 is needed.

Will you?

Stupid IPv6 tricks

September 28th, 2010

I recently wanted to find the IPv6 address of a computer on my network. However, since I’m using autoconfiguration, I had no way of knowing what it was, unless I walked the 5 feet and checked it out on the computer itself. Instead, I went looking and found this IPv6 trick to get a list of addresses on your network.
It returns the link local addresses (so it only works as long as you’re on the same link).
But I needed to know the global IPv6 address. Fortunately for me, the only addresses on this link are my computer, the gateway and the computer I wanted to find. I got this from the above ping6 trick (addresses may have been changed to protect the guilty):

$ ping6 -I eth2 ff02::1
PING ff02::1(ff02::1) from fe80::92e6:baff:febd:6532 eth2: 56 data bytes
64 bytes from fe80::91e6:baff:feba:6532: icmp_seq=1 ttl=64 time=0.045 ms
64 bytes from fe80::211:f3ff:fe67:8fee: icmp_seq=1 ttl=64 time=0.131 ms (DUP!)
64 bytes from fe80::212:3fff:fef6:2c23: icmp_seq=1 ttl=64 time=0.149 ms (DUP!)
^C
--- ff02::1 ping statistics ---
1 packets transmitted, 1 received, +2 duplicates, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.045/0.108/0.149/0.046 ms

I know what my link local is (from ifconfig), and I know what my router’s link local is (from ip -f inet6 neigh) [shortened to ip -6 n, thanks to @barttrojanowski]:

$ ip -6 n
fe80::212:3fff:fef6:2c33 dev eth2 lladdr 00:12:3f:f6:2c:23 router REACHABLE
2001:db8:81e5::1 dev eth2 lladdr 00:12:3f:f6:2c:23 router REACHABLE

So that leaves me with fe80::211:f3ff:fe67:8fee. To get the global address, I drop fe80 and tack on my subnet of 2001:db8::/64:

$ ping6 2001:db8::211:f3ff:fe67:8fee
PING 2001:db8::211:f3ff:fe67:8fee(2001:db8::211:f3ff:fe67:8fee) 56 data bytes
64 bytes from 2001:db8::211:f3ff:fe67:8fee: icmp_seq=1 ttl=64 time=9.73 ms
64 bytes from 2001:db8::211:f3ff:fe67:8fee: icmp_seq=2 ttl=64 time=0.113 ms
^C
--- 2001:db8::211:f3ff:fe67:8fee ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.113/4.923/9.733/4.810 ms
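Both the privacy-extensions post (a SLAAC address carries the MAC as its EUI-64 interface identifier) and the "drop fe80 and tack on my subnet" step above are mechanical transforms on the low 64 bits of the address. The following Python is an added example, not code from the original posts: it builds the EUI-64 address a MAC would get, recovers the MAC from an address that still embeds one (the check a defender wants to run against what `ifconfig` shows after enabling `use_tempaddr`), and re-prefixes a link-local address the way the post does. The MAC 00:12:3f:f6:2c:23 and the addresses used as sample input are taken from the posts' own output.

```python
from typing import Dict, List, Optional
import ipaddress

IID_MASK = (1 << 64) - 1  # low 64 bits of an IPv6 address: the interface identifier

def mac_to_eui64_iid(mac: str) -> int:
    """Modified EUI-64 IID (RFC 4291, App. A): flip the U/L bit of the first
    octet and splice ff:fe between the OUI and the device half of the MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui64 = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui64, "big")

def slaac_address(prefix: str, mac: str) -> str:
    """The address SLAAC forms for `mac` on a /64: this is how the MAC ends up
    embedded in the IPv6 address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | mac_to_eui64_iid(mac)))

def embedded_mac(addr: str) -> Optional[str]:
    """Undo the EUI-64 transform. Returns the leaked MAC, or None when the IID is not
    EUI-64 shaped (e.g. an RFC 4941 temporary address). Heuristic: a random IID also
    has ff:fe in that position with probability 2^-16."""
    iid = (int(ipaddress.IPv6Address(addr)) & IID_MASK).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

def rebase(addr: str, prefix: str) -> str:
    """Keep the IID, swap the /64: the post's 'drop fe80 and tack on my subnet' step."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    iid = int(ipaddress.IPv6Address(addr)) & IID_MASK
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))

def audit_mac_leaks(addresses: List[str]) -> Dict[str, str]:
    """Map each address that still carries a MAC to that MAC; an empty dict means clean."""
    found = ((a, embedded_mac(a)) for a in addresses)
    return {a: m for a, m in found if m is not None}

if __name__ == "__main__":
    # Constructed sample: an EUI-64 global address built from the post's router MAC,
    # plus the temporary address the post's second ifconfig shows after use_tempaddr = 2.
    seen = [slaac_address("2001:db8::/64", "00:12:3f:f6:2c:23"), "2001:db8::9dd7:675f:8d2b:d78a"]
    print(audit_mac_leaks(seen))
    print(rebase("fe80::211:f3ff:fe67:8fee", "2001:db8::/64"))
```

Run `audit_mac_leaks` over the global addresses `ifconfig` or `ip -6 addr` lists for an interface: after enabling the privacy extensions the EUI-64 address is still present, so the point is that outgoing traffic now prefers the temporary one, not that the MAC-derived address disappears.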

The Home Router and IPv6

September 8th, 2010

As someone who’s trying to implement IPv6 for an ISP, I’ve found that the biggest piece lacking out there is the home router. Going forward with IPv6, it’s even less desirable to not have a hardware firewall, as it’s now not just a firewall, but an actual router. Previously, with IPv4, a home “router” actually only did NAT, not routing. With IPv6, we’re now routing all public addresses around the home, and finding one that does this somewhat intelligently is a challenge. The other piece of the puzzle you’ll need is a router that will do DHCPv6. Most ISPs will continue to use DHCP to hand out IP addresses (v4 or v6), utilizing its ability to hand out prefixes (PD – Prefix Delegation) to give customers a subnet of some size (/48 and /56 seem to be the most talked about sizes) to use in their networks. The thinking is that at some point in the (hopefully) not so distant future, you’ll be able to subnet off computers, appliances, mobile devices, and whatever else we put on the interwebs into discrete subnets.

So far, there are only 2 commercial routers that you can buy today that seem to work for a user looking to have IPv6 on an ISP using DHCPv6: The Apple Airport Extreme, and the D-Link DIR-615.
I’ve also heard of a router made in Australia, but haven’t seen it for sale here in North America.

The only other option is to try installing third party software onto your router (à la Tomato or DD-WRT). This should only be attempted by those who don’t mind breaking things for fun, as the worst case scenario is wrecking the router you put it on.

The good news is that there are more of these routers coming, so if you can put it off, wait a while before buying a router so you can be sure IPv6 is available. If not, maybe spend some time either ensuring it has IPv6 support now, or that you can use one of the third party software versions on the one you buy.

Getting there

September 1st, 2010

Hopefully we’ll have some real content here. In the meantime, I present this comic by xkcd! (make sure you hover your cursor over the image.)
[xkcd comic image: “Campfire”]