IPv6 Beginner Questions

Hello,

my ISP has announced to me that they will roll out IPv6 within the next two years. No date. Just "you will get informed within 14 days before switching".

So I have to deal with IPv6. -.-

It's quite confusing to me ... So I have many questions or rather I want to know if I understand things right.

I just want to have the things like I have them with IPv4. But there are clips which I have to come around.

At the moment I have servers/printers with fixed IPv4s which are handed out by DHCP. One of these printers is not able to do IPv6.
None of those servers/devices are reachable directly over WAN. Each access from outside is running through VPN.

If I understand IPv6 right each device is getting at least two addresses. One private and one public.
How does a device/system know where it has to search for e.g. printers? Send traffic at all? Searching local first, then the whole internet?

I don't want my printers or servers exposed to the internet. ATM I've blocked internet access for any printer through OpenWrt firewall. Only lan traffic is allowed.
On serverside in/out/fwd is blocked by default. Only service ports "in" and needed "out" are open. The firewall rules for certain services are even restricted to certain sources (like 192.168.1.0/24).
Services e. g. samba, nfs are bound to their lan which they are serving.
If my understanding is right I cannot do this anymore because the OS decides which IP it's using.
On top of that the ISP is changing IP "sometimes" for privacy. So the IPs of the clients are changing too?
Privacy in this context is a joke if the MAC address of every device is coded into the address?
On the one side I want a bit of privacy, on the other side I cannot do things like before without stable IPs. But these "stable" IPs are like THIS! device ... and not like any 192.168.1.100.

Another thing is masquerading. I mean I don't want to expose my whole infrastructure to the internet for tracking every device individually... WTF!?
Did they ever think about this when implementing IPv6? Sure End-to-End is nice. But not for everyone. I doubt that every company wants to blow out every client that they have to the internet.
https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6
According to this my plan is to hand out only private IPv6 addresses to the LAN (clients/servers/printers).
And prevent them from getting any public IPs. So all is like before. Is that doable/realistic?

Just my thoughts after two days of reading about IPv6. Maybe there are some people sitting in the same boat already having solutions/workarounds. oO

Kind regards.

Depends on:

  • Resolver priority in case you access printer via hostname.
  • Host connectivity, i.e. IPv6 has higher priority if client has public IPv6.
  • Routing, such as routing policy, metrics and masks.

Do not create firewall forwarding from WAN-zone to LAN-zone and it will be OK.

That's an incorrect approach.
The only use case is stingy ISP with too small IPv6-prefix.

Just because your ISP will roll out IPv6 doesn't mean that you cannot continue to work with IPv4 in your LAN.
I highly doubt that your ISP will force you to migrate overnight from IPv4 only to IPv6 only. Most likely there will be some transitional period with dual-stack, so you'll have time to adapt to IPv6, while working with IPv4 as well.
And judging from the timeframe of 2 years for the deployment, I don't see the sunset of IPv4 anytime soon.

Thanks for your reply guys!

@ trendy:

How is traffic running if my router is getting IPv4 and IPv6? OpenWrt is handing out IPv4 and IPv6 to every client automatically. So who decides that only IPv4 is allowed?
And even if it's dual-stack: from what I've learnt so far Windows always prefers IPv6 over IPv4. I bet Linux is doing the same. Probably you have control over that behaviour. But I don't want/cannot control every device in the LAN.
I have to do something to stop this or deal with ipv6.

Sure it will not be from one day to the other. And I bet that there will be a dual-stack transition period. But phone support did not know anything about how they will do things. They just know that it will happen if the infrastructure gets an upgrade. They just announced the possibility. Maybe they will cancel or delay it. So I have to prepare myself a bit and learn things now and not when things happen.

@ vgaetera:

If I understand IPv6 correctly, I have to deal with things which the router/NAT was doing for me on IPv4 before, now on every client/server? Just because every client on the same subnet is able to talk directly to each other and negotiate everything self-sufficiently? So for every IP the client has I "could"/have to implement the routing, metrics and mask?

Maybe I was not clear enough. But, if I open any port on my router, is every client on the subnet exposed? What I meant was the "fact" (I don't really know) that every client is routed through the internet with its own IP (consisting of the prefix from the ISP, its own subnet and MAC address), not like the "masqued" IP traffic on IPv4 "publishing" the ISP IP only.

But in general it is possible?

Dual stack works fine, you are overthinking things.
If host has IPv6 address it would be accessible via IPv6, otherwise IPv4 is utilized.

Not always, it depends on connectivity and address type.

Those things are mostly done automatically.
Of course there's some overhead in client/server/router firewall configuration and DNS/DHCP-server configuration but it's manageable.

Opening a port on your router doesn't expose your subnet.

Removing NAT doesn't disable forwarded traffic filtering on your router firewall.

It's possible, but meaningless at least and "shooting yourself in the foot" more likely.

2 Likes

NAT is not a firewall... The firewall settings preventing forwarding from WAN to LAN protect your IPv6 LAN machines from receiving inbound probes.

For printers etc you can give manual ULA addresses, they will be stable, independent of your ISP prefix, and not reachable from the internet even if you have forwarding enabled.

If you are concerned about privacy you can enable privacy addressing; your computers will use a new randomly generated address every few minutes as their source address.

IPv6 is way way better than IPv4 and yes they really did think this stuff through, rejoice rather than be concerned. Also Hurricane Electric has a nice online training you might try, and you can get yourself a tunnel to try it all out.

5 Likes

OK, no need to panic, the good news is that you've got a year or two to get comfortable with IPv6 and understand how it is different from IPv4 and how you can take advantage of its features.

First, as most of your questions seem to be around security, as mentioned, NAT is not a firewall. Many rely on it to provide restrictions on connectivity, but it is poor at truly controlling access. Everything that people "misguidedly trust" NAT to perform is better handled by firewall rules (and should, in my opinion, be, even with NAT present). Here's roughly what NAT does, as typically configured:

  • Accept all packets coming in from the internal network, no matter the destination
  • Forward all packets coming from the router or the internal network to any external destination
  • Accept any packets from any external destination that seem related to a connection from the router or the internal network
  • Accept any setup packets (TCP) and any UDP packets to destinations that have been preconfigured ("port forwarding")

(You don't really "open ports" to all addresses with IPv4 NAT, you open access to a mapping from one host:port to another host:port. With IPv6 you open the firewall to a specific host:port, so if anything, it is easier and more secure.)

Note that with NAT, by the time you reach the perimeter, you no longer know the source of outgoing packets, so you can't filter on that. All you know is some inside host is trying to connect to some outside host. There are also all kinds of techniques developed to "fool" NAT into opening ports that perhaps you don't want open (STUN, for example, and, hopefully you've already disabled UPnP).

All of this can, and probably should be managed with firewall rules. The differences between IPv4 and IPv6 are mainly that:

  • You have to write the firewall rules explicitly, rather than blindly trusting that NAT works
  • You can write those rules to be very fine-grained, including knowledge of the inside host

The hacks required to properly manage dynamic firewall rules for NAT-ed IPv4 drive people nuts. Even networking experts! IPv6 makes this process much easier, and much more robust.

Addressing is another "interesting" difference.

An IPv6 interface can have multiple addresses. The only one that is required is a link-local address. You don't have to do anything to get a link-local address in modern OSes, Linux, macOS, Windows, FreeBSD, Android, iOS, .... As crazy as it may sound, you can have the same link-local address on two or more interfaces on the same machine. Since the link-local address is only used on that link, it doesn't matter. You may well find that your router uses its link-local address (and that of the upstream router) for routing packets, not your IA_NA (ISP-assigned global address). Assuming that the services and firewalls on each of your devices permit it, you can use a link-local address for everything, as long as on that link. Printers, for example, can serve the entire subnet with just a link-local address.

The other address scopes that are generally interesting to SOHO users are ULAs and global addresses. Any interface can have zero, one, or more of these, from either scope. Most SOHO users don't use DHCPv6 as IPv6 is intended to allow reasonable self-configuration. A router advertises itself, perhaps some DNS servers, and what "pool" a host can pick from. The host picks from that, checks that nobody else is using it (unlikely in a SOHO network, with 18,446,744,073,709,551,616 addresses in a /64), then announces that it is "claiming" that address. As dlakelan points out, many OSes don't use a MAC-generated address and periodically rotate them.

"Topology hiding" came up over and over in the early days of IPv6 from NAT users, including enterprises. Virtually all of the arguments I have seen can be eliminated by appropriate use of addresses. The fact that you can't easily scan 18,446,744,073,709,551,616 addresses in a /64 as easily as you can the 254 in an IPv4 /24 alone should be comforting.

ULA addresses are ones where you randomly pick a prefix from the permitted space, then assign as you see fit. They can be valuable for connections within your own network, even across routers for the various topological subnets you may have. ULA addresses don't route over the "open Internet"; they are effectively private to your network.

How does a host pick which address and interface to use? It is not significantly different than IPv4; the routing table identifies if the destination is direct, or what the next hop is. The "additional" part is that a link-local address is generally used if the target is, well, link-local, a ULA typically used if the destination is in the same ULA address range, and a global address if the destination is a global address.

All in all, the fact that with properly deployed IPv6 you know the host and destination at all your control and routing points means that things get easier to robustly control. Yes, you have to control them, and NAT has been a crutch for many, SOHO or otherwise, in the past. Yes, pull the crutch and if you don't have a leg to stand on, you fall down. However, you've got plenty of time to strengthen that leg and begin to run with ease. The idea of learning more about IPv6 and getting into it a bit with a tunnel broker over the next year or so is a good one.

4 Likes
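The scope-based choice described above (link-local for link-local targets, ULA for ULA targets, global for global targets, and a preference for temporary privacy addresses) can be shown in a few lines. This is an added example, not code from the thread or from OpenWrt; the host's address list is constructed, and the prefixes are the example values used elsewhere in this thread.

```python
import ipaddress

# Scope ranges named in the thread: link-local fe80::/10, ULA fc00::/7, global 2000::/3.
ULA = ipaddress.IPv6Network("fc00::/7")
GLOBAL = ipaddress.IPv6Network("2000::/3")


def scope(addr: str) -> str:
    """Classify an address by the scope a host uses when deciding where it may send it."""
    a = ipaddress.IPv6Address(addr)
    if a.is_multicast:          # e.g. ff02::fb (mDNS) never acts as a source address
        return "multicast"
    if a.is_link_local:         # fe80::/10, only valid on the directly attached link
        return "link-local"
    if a in ULA:                # fc00::/7, private to your own network
        return "ula"
    if a in GLOBAL:             # 2000::/3, the only scope routable over the open Internet
        return "global"
    return "other"


def pick_source(dest: str, candidates):
    """Simplified source selection: take the smallest scope that matches the destination,
    preferring a temporary (privacy) address among the matches.  Returns None when the
    host owns no address of the right scope, i.e. the packet could not be routed back."""
    want = scope(dest)
    matching = [(a, tmp) for a, tmp in candidates if scope(a) == want]
    if not matching:
        return None
    matching.sort(key=lambda c: not c[1])   # temporary first, otherwise configured order
    return matching[0][0]


# Constructed address list for one host: (address, is_temporary_privacy_address).
HOST = [
    ("fe80::1234:9aff:fe4f:371", False),             # link-local, always present
    ("fd39:2af9:bcc8:0:1234:9a4f:371:8357", False),  # ULA from the LAN prefix fd39:2af9:bcc8::/60
    ("2001:adb8:85d3:0:1234:9a4f:371:8357", False),  # stable global from the ISP /48
    ("2001:adb8:85d3:0:6b3e:1c9a:7d20:5a11", True),  # temporary privacy address
]

if __name__ == "__main__":
    for dest in ("2001:db8::53", "fd39:2af9:bcc8::20", "fe80::1", "ff02::fb"):
        print(f"{dest:24} ({scope(dest):10}) -> {pick_source(dest, HOST)}")
    # A host with only link-local and ULA addresses has nothing it can send to the Internet:
    print("no global address:", pick_source("2001:db8::53", HOST[:2]))
```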

Just to stress the important bits

  • in the default OpenWrt firewall configuration, IPv4 and IPv6 are handled pretty much the same - meaning incoming connections without an according forwarding rule are rejected (as they would be for IPv4 in the default config)
  • the default OpenWrt IPv6 (wan6) configuration is quite likely to just work, if your ISP enables dualstack IPv4+IPv6 operations you might not even notice the difference, neither for external connections nor internally - it should just work for most normal cases.
  • you can assign static DHCPv6 leases (based on the client's duid) just as you would for IPv4, likewise local DNS can resolve AAAA (IPv6) and A (IPv4) records just fine.
  • clients only supporting IPv4 will still be transparently accessible (via IPv4).
  • operating systems usually prefer IPv6 over IPv4, that also means for hosts without IPv6 connectivity, the IPv4 addresses will be used as before.
  • ULA prefixes are a good idea for addressing/ accessing internal hosts.
  • IPv6 privacy extensions are available (and default) for most operating systems, meaning outgoing IPv6 connections will usually use a temporary/ random IPv6 to retain your privacy and hide the MAC address (these addresses are normally rotated every 12h or 24h).
  • incoming connections (if explicitly allowed in your IPv6 forwarding firewall rules) would use static (additional) IPv6 addresses instead (either derived from the MAC address (SLAAC) or manually assigned via DHCPv6)

If your ISP does the only sensible thing (not all do) of enabling real dualstack operations (globally addressable IPv4 address and a native /56 or /48 IPv6 prefix), you'd probably use IPv6 without actually noticing a difference. If your ISP takes the opportunity to use dualstack-lite (cgNATed IPv4 address and native /56 or /48 IPv6 prefix), it will still work - but you would have to learn/ switch to IPv6 for incoming connections (as you'd have effectively lost the globally routable IPv4 address and could only use IPv6 instead). Only very bad/ broken ISPs would hand out just a single /64 IPv6 prefix.

I'd like to echo dlakelan's suggestion to try Hurricane Electric's IPv6 certification program and to use their IPv6 tunnels for testing (this can be set up quite nicely with OpenWrt), until your ISP switches you over, which will allow you to get familiar with IPv6 at your own pace.

2 Likes

Sure, I know that. And I know what NAT is doing. BUT for me masquerade/NAT is a possibility to "hide" devices behind ONE IP and ONE MAC. Nothing more is/was my intention and concern when I was asking about the mentioned guide on nat6/masq6. Maybe I was a bit unclear at this point.

Is masquerading as a single option available for wan6? My guess is no. But this depends on how things are solved in OpenWrt? I could also set up a proxy for IPv6 to masq my devices. But that would be a bit oversized for this tiny network I have.

It is still confusing me what IP is sent to the Internet if a client is creating a connection over my OpenWrt router to the internet.

Let's say:
prefix from ISP is like: 2001:adb8:85d3::/48
OpenWrt LAN prefix is: fd39:2af9:bcc8::1/60
Device/Interface is: 1234:9a4f:0371:8357

What "IP" is sent out to the internet? Is it like ISP prefix + Device/Interface ID or like ISP prefix + a so-called OpenWrt Device/Interface ID generated in conjunction with getting connected to the ISP (which I don't have currently)? Or am I completely wrong?

I'm setting up a router with 6to4 today. So maybe I'll find out this by myself soon.

Thank you very much for your detailed contribution. I appreciate that! My knowledge about NAT was not as deep as your remarks. But in general I know how NAT is working. UPnP is the first thing I disable on every router I've got my hands on since this "cancer" was released. :slight_smile: The fact that IPv6 is controlled with host:port I've got already.

I see the advantage of IPv6 but for me (atm!) it looks like more work/time to set up things. I guess this is because I don't really have a clue about IPv6. :smiley:

That point is still confusing me. I have to re-read things to understand it.

Let's say I want to do sth. like that on the client machine:

iptables -A INPUT -m conntrack --ctstate NEW -s 192.168.1.0/24 -p udp --sport 161 -j ACCEPT

What would be the equivalent for IPv6? If I understand it correctly, I have to adjust the source/subnet for each client/router environment in my firewall scripts? So e. g. fe80::/10 or ff02::fb is not a possible option?

O.K. I agree about scanning those address regions. And I have to say that security in general is not my concern. Sure firewalling would be a new challenge and work. But as I said above the main concern was (now I'm hoping it is not) to populate my whole infrastructure to the internet. Just because every device is able to get its own address to connect to the internet. When it comes to privacy I don't know much about it when it comes to IPv6. And if I look into my ISP modem there is already an IPv6 address (not usable). But it is a fixed address (never changing) even if I'm reconnecting (it is a ::/62 prefix). IPv4 is changing. As far as I know the worst I can get is a /64 prefix. Best case it's /60.

Thanks for your kind words and believing in me. :wink:

First: Thank you very much for summing up things. :slight_smile:

I hope I understand this point right, in conjunction with what I have written above: "What IP is sent out to the internet?"
Does this mean that if an IPv6-connected device is connecting to the internet, each device is using its own random IP (derived from the IP prefix which I've got from my provider)?

Yeah I've already got this. The first thing I'll do is to set up a 6to4 router to have a test environment and then move on.

P. S. English is not my native language. So if things sound strange or confusing I must say that it's just that I've missed/misunderstood things and/or written things wrong. Sorry for that. And thanks for your patience! :slight_smile:

1 Like

If the device has privacy addressing turned on, yes.

With ipv6 each machine gets lots of addresses. There is an algorithm for determining which one to use for outgoing connections, in general it's to use the smallest scope available that works. Generally operating systems that have privacy addresses enabled prefer them over non privacy.

The address space is so big that you could put billions of addresses on each machine without clashes.

No, there is not "IPv6 NAT" except for some very special cases for enterprises (changing ISPs, as one of them, as the prefix comes from the ISP).

The good thing about MAC addresses is that they are link-local -- Layer 2 (Ethernet) things. The only MAC your ISP knows about is the MAC of the "WAN" interface of your router. Nobody past your ISP's first router knows any of your MAC addresses, as those routers aren't directly connected to any of your devices.

Don't be surprised when you find out that:

  • Your router's public IPv6 address (IA_NA) isn't in the same block as what you were given for your own hosts (IA_PD)
  • Your router and your ISP's router use link-local addresses (fe80::/10)

Key words here are "sent out to the internet", so it needs to use an address from the global scope (2000::/3) from your IA_PD (so that the return packets can get back to you).

If it were to mistakenly use a link-local scope or ULA (fc00::/7) address, the router would never forward the link-local address and, for virtually all SOHO ("Small Office, Home Office") users, never forward the ULA address. If your router mistakenly forwarded one of those over the open Internet, they would likely be blocked by the ISP's firewall, and certainly dropped at the first router.

ULAs are, for virtually all SOHO users, addresses that they can use for their own, internal needs, like having a printer that can be accessed by both the "private" internal network, as well as a "guest" network (so it is not link-local for both). It's not 100% right to say that a ULA never gets forwarded through your router, but it's very close. (An exception would be if, for example, you had a home office and an office in another building, and you manually set up an IPv6 VPN between the two, including routing those packets through the VPN.)

For most people, only one or two hosts (if any!) will need a "manual" IPv6 address -- those that provide services that, with IPv4, you would have "opened a port forward" for. It's only the ones that are connected to from the outside. For connections from the inside to the outside, the self-selected, typically random and periodically changing global IPv6 address from your IA_PD (prefix delegation) works just fine.

I remember when we moved and the way I discovered that the cable provider supplied IPv6 was that a command-line utility on my Mac was showing it was connecting with IPv6. With OpenWrt, everything "just worked" without configuration!

Well, except SLAAC addresses encode the MAC into the ipv6 address... I guess people are concerned about having their computer tracked as it moves from network to network by the host portion of the ipv6 address. The solution to this is as you mentioned later the "randomly selected" privacy addresses... Doing some googling, Android and Windows both have them enabled by default. Linux distros depend on how you set up the interface but it's easy to enable them. Sometimes they're "stable privacy" addresses, sometimes time varying, but in both cases they're not exposing your MAC address.
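To make the "SLAAC encodes the MAC" point concrete: the modified EUI-64 interface identifier is the MAC with ff:fe inserted in the middle and the universal/local bit flipped, so anyone who sees such an address can read the MAC back out, while a privacy address has no such structure. This is an added example, not code from the thread; the MAC and the documentation prefix 2001:db8::/32 are constructed values, and the audit helper is a heuristic (a random identifier contains ff:fe at that position only by chance).

```python
import ipaddress
from typing import Optional


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 interface identifier that SLAAC derives from a 48-bit MAC:
    flip the universal/local bit (0x02) of the first octet and insert ff:fe in the middle."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC such as 00:11:22:33:44:55")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The stable SLAAC address a host without privacy extensions would form in this /64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(eui64_from_mac(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr: str) -> Optional[str]:
    """Audit helper: if the low 64 bits have the EUI-64 shape, recover the MAC they expose;
    otherwise (temporary or stable-privacy address) return None."""
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    # Constructed MAC and prefix; the derived address reveals the MAC, the privacy one does not.
    stable = slaac_address("2001:db8:1:2::/64", "00:11:22:33:44:55")
    print("SLAAC address:", stable, "-> MAC", mac_from_address(str(stable)))
    print("privacy address -> MAC", mac_from_address("2001:db8:1:2:6b3e:1c9a:7d20:5a11"))
```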