Last updated: 2016/02/25

HOWTO: IPv6 Tunnels and Relays Under RedHat Based Systems (SysV initscript systems).

1. Introduction

This will explain how to set up IPv6 on SysV initscripts based systems. In particular, if you have the directory /etc/sysconfig then this is for you - if you need to set up IPv6, that is. I won't cover native IPv6, as unfortunately I do not have access to that. This article should still give you an idea of how to do it, though, with a few adjustments (mainly, set up the IP directly without a tunnel or relay being involved). I will, however, cover IPv6 via tunnel brokers and 6to4 relays. Do note that 6to4 is considered deprecated (this is why I'm now using a tunnel broker for my IPv6 needs - I use Hurricane Electric's tunnel broker).

Regarding the firewall section: I will mention specific rules. However, please DO NOT take that as "I have to type this rule out" - firewalls are very different based on organization policies and services required. I'm only showing you the general idea. And perhaps this section could go in a different article entirely, but with access to a new network comes the need for new security measures. Also note that for tunnels to work properly, you might have to allow protocol 41 (ipv6 in /etc/protocols) through your firewall. Aside from that, just see that section when you're ready for it.

Note that this document covers static IP configuration and therefore also static tunnels. It is certainly possible to configure IPv6 dynamically, but I won't be discussing it. It's also possible, once you have a router set up, to use either DHCPv6 or radvd (router advertisement daemon) to assign the rest of your network IPv6 IPs on the fly. See that section for more information, as well as references.

2. IPv6: Information You'll Need

For this document I will assume a few values. You'll need to substitute these values with the real values assigned to you. You need to substitute the following (see the paragraph below for more info):

  1. ISP assigned IPv4 IP
  2. Tunnel Broker assigned IPv4 IP Tunnel Endpoint
  3. Tunnel Broker assigned IPv6 IP Tunnel
  4. Tunnel Broker assigned IPv6 IP

Per RFC 5737 and RFC 3849 I will use the following IPs for documentation purposes:

  1. ISP assigned IPv4 IP - 192.0.2.1
  2. Tunnel Broker assigned IPv4 IP Tunnel Endpoint - 198.51.100.1
  3. Tunnel Broker assigned IPv6 IP Tunnel - 2001:db8:dddd:ffff::2/64
  4. Tunnel Broker assigned IPv6 IP - 2001:db8:dddd:ffff::1/64

In addition, when discussing 6to4 relays the relay IP is always 192.88.99.1 and that is not to be adjusted if you expect it to work.

3. Tunnelling

So, there are two ways of going about this. You can either:

  1. Configure it at the command line and then set up the sysconfig/network configuration files
  2. Set up your boot configuration files and then restart the network

I tend to use either and sometimes both: the first one to make sure all is OK, then edit the network configuration files, and then make sure that restarting the network gives the same result.

Also note that I will not cover Linux net-tools. It has been deprecated for a long long(!) while. You really should learn to use iproute2, i.e., the 'ip' command instead of ifconfig - it's more reliable, anyway.

So, option 1 would go like the below, substituting the proper variables. And I shouldn't need to say this, but remember you will learn more if you type this out rather than copy and paste.

First, if you use a binary based Linux distribution (e.g. RedHat/Fedora Core/CentOS/etc) and you follow their recommendation of not compiling your own kernel, then you should have a modular kernel. If however, you do not have modules enabled, you'll have to make sure IPv6 is compiled in. In any case, you load modules with the /sbin/modprobe command.

3.1. Command Line

The # is your prompt (I hope you knew that; if not, maybe you shouldn't be doing this and you should get help from someone else who does know a bit more. Feel free however, to read along if you like). The lines I start with an asterisk (*) are remarks of mine.

* Load the module (if not already loaded) :
# /sbin/modprobe ipv6
* Set up the tunnel device (observe sit1 and NOT sit0 which is RESERVED) :
# /sbin/ip tunnel add sit1 mode sit remote 198.51.100.1 local 192.0.2.1 ttl 255
* Set the tunnel device status to up/online:
# /sbin/ip link set sit1 up
* Add your IPv6 tunnel endpoint IP to the tunnel device (e.g. sit1).
# /sbin/ip addr add 2001:db8:dddd:ffff::2/64 dev sit1
* Add the default route to the tunnel :
# /sbin/ip route add ::/0 dev sit1

The next part of this will set your global IPv6 IP on your interface. I'm assuming eth0 is your interface. Again, substitute where appropriate. The -6 says that we are dealing with the inet6 family. It's not usually required. I tend to do it generally though, especially if I want only IPv6 info. In this case it can be skipped but I'm including it for completeness (this is the same as the parameter '-f inet6').

* Add the IP address to the interface:
# /sbin/ip -6 addr add 2001:db8:dddd:ffff::1/64 dev eth0
* Now, lastly, add a route for your new IPv6 IP:
# /sbin/ip route add 2001:db8:dddd:ffff::/64 dev eth0

You should now have access to the IPv6 Internet. Try ping6 on a global scope IPv6 IP address (keep in mind the section Security/Firewalling though - you may have it blocked by default currently, in which case ping6 might not work). An example host to ping6: the IPv6 tunnel broker and in particular their end of the tunnel.

3.2. Initscripts

If you want the above to survive a reboot, then you'll also want to follow the instructions in this section. You'll probably also want to restart the network afterwards, in order to make sure things look the same (I will elaborate on this later).

There are a few files you need to configure. The files and additions are (do NOT replace the files that exist; only update them accordingly! If you do not have a file then you will need to create it.):

# Begin /etc/sysconfig/network
NETWORKING_IPV6=yes
IPV6_DEFAULTDEV="sit1"
# If you want to act as a router, uncomment next line:
# IPV6FORWARDING="yes"
# End /etc/sysconfig/network

The above basically says enable IPv6 via the device sit1 (this is your tunnel device). The forwarding related line is ONLY if you want to act as a router, e.g. you have other hosts that will connect through this machine to access IPv6. I should point out this is a nice way to solve the problem of modems or routers that are NOT IPv6 enabled. You disable routing on the router or modem/router, set your machines' default gateway to the server's IP, and let the server do the routing.

# Begin of /etc/sysconfig/network-scripts/ifcfg-sit1
# Please read /usr/share/doc/initscripts-*/sysconfig.txt
# for the documentation of these parameters.
ONBOOT=yes
DEVICE=sit1
BOOTPROTO=none
IPV6INIT=yes
IPV6TUNNELIPV4=198.51.100.1
IPV6TUNNELIPV4LOCAL=192.0.2.1
IPV6ADDR=2001:db8:dddd:ffff::2/64
# End /etc/sysconfig/network-scripts/ifcfg-sit1

The above sets up the tunnel device as if you typed the commands I gave you earlier. Just remember to substitute your numbers and you will be fine.

And now for your physical network interface.

# Begin of /etc/sysconfig/network-scripts/ifcfg-eth0
IPV6INIT=yes
IPV6ADDR=2001:db8:dddd:ffff::1/64
# If you want, uncomment next line:
# IPV6_DEFAULTDEV="sit1"
# End of /etc/sysconfig/network-scripts/ifcfg-eth0

To test that this all works okay, you simply type in the following command at the root prompt (# is prompt) :

# /sbin/service network restart

If all is good (ip -6 addr ls and ip -6 route ls both show up the correct information, for example), you can move on to the Security/Firewalling section of this document.

4. 6to4 Relaying

I won't cover the command line option here. You can fairly easily adapt things from the tunnel example. The main difference is that the tunnel device has a different name (tun6to4), and the default route would point to the 192.88.99.1 relay. Again though, this transition system is deprecated. Note also that your IP will be different from the above example. A bit of background on that: ALL IPv4 IPs have a reserved IPv6 block allocated to them via 6to4. How do you find your IPv6 block?

One such way is by typing in the following at the command prompt ($ is the prompt - no need to be root for this, and don't type the prompt itself):

$ printf "2002:%02x%02x:%02x%02x::1\n" 192 0 2 1
2002:c000:0201::1

(That's for the IP 192.0.2.1 - substitute each octet with the corresponding octet of your IP). The result is your IPv6 IP prefix. You have 65536 /64 blocks of IPv6 IPs. So, once you have that info, you'll need the following lines in the files below. Once again the same rule as above applies here - do NOT REPLACE the files that already exist.
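The printf above handles one address; the following POSIX sh script, an added example that is not part of the original HOWTO, generalises it. It validates any dotted quad, prints the /48 that 6to4 reserves for it and any one of the 65536 /64s inside that /48, and flags addresses in the RFC 1918, loopback, link-local, 0/8 and multicast ranges, from which 6to4 cannot work because the relay has no route back to them. The function names are my own; 192.0.2.1 is used as the default only because the HOWTO uses it.

```shell
#!/bin/sh
# Added example, not from the HOWTO: 6to4 (RFC 3056) prefix calculation
# for any IPv4 address, plus a sanity check that the address is one the
# 192.88.99.1 relay could actually reach.

# Print the four octets of a dotted quad, space separated, or print nothing
# and fail if it is not a well-formed IPv4 address. Leading zeros are
# rejected because printf would read "010" as octal.
ipv4_octets() {
    echo "$1" | grep -Eq '^(0|[1-9][0-9]{0,2})(\.(0|[1-9][0-9]{0,2})){3}$' || return 1
    IFS=. read -r a b c d <<EOF
$1
EOF
    for o in "$a" "$b" "$c" "$d"; do
        [ "$o" -le 255 ] || return 1
    done
    echo "$a $b $c $d"
}

# Print the /48 that 6to4 reserves for the address: 2002: followed by the
# four octets packed into two 16-bit hex groups.
sixto4_prefix() {
    octets=$(ipv4_octets "$1") || return 1
    set -- $octets
    printf '2002:%02x%02x:%02x%02x::/48\n' "$1" "$2" "$3" "$4"
}

# Print /64 number N (0..65535) of the 65536 subnets inside that /48.
sixto4_subnet() {
    octets=$(ipv4_octets "$1") || return 1
    n=$2
    echo "$n" | grep -Eq '^[0-9]{1,5}$' || return 1
    [ "$n" -le 65535 ] || return 1
    set -- $octets
    printf '2002:%02x%02x:%02x%02x:%04x::/64\n' "$1" "$2" "$3" "$4" "$n"
}

# Print "yes" if 6to4 can work from this address, "no" if it lies in a range
# that is never globally routable: 0/8, 10/8, 127/8, 169.254/16, 172.16/12,
# 192.168/16, or multicast/reserved (224/3). A NAT'd host behind a private
# address needs the public address of the NAT device instead.
sixto4_usable() {
    octets=$(ipv4_octets "$1") || return 1
    set -- $octets
    if [ "$1" -eq 0 ] || [ "$1" -eq 10 ] || [ "$1" -eq 127 ] \
       || { [ "$1" -eq 169 ] && [ "$2" -eq 254 ]; } \
       || { [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; } \
       || { [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; } \
       || [ "$1" -ge 224 ]; then
        echo no
    else
        echo yes
    fi
}

# Stand-alone use: ./6to4prefix.sh 1.2.3.4 (defaults to the HOWTO's example).
addr=${1:-192.0.2.1}
echo "6to4 prefix for $addr: $(sixto4_prefix "$addr") (usable: $(sixto4_usable "$addr"))"
```

Note that 192.0.2.1 itself is a documentation address (RFC 5737) and is reported as usable only because the check looks for the private and reserved ranges a home or office host is likely to sit behind.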

# Begin /etc/sysconfig/network
NETWORKING_IPV6=yes
IPV6_DEFAULTDEV="tun6to4"
# If you want to act as a router, uncomment next line:
# IPV6FORWARDING="yes"
# End /etc/sysconfig/network

I've already explained the above. The only difference is you're using tun6to4 as the default device, rather than sit1.

# Begin /etc/sysconfig/network-scripts/ifcfg-eth0
# Please read /usr/share/doc/initscripts-*/sysconfig.txt
# for the documentation of these parameters.
IPV6INIT=yes
IPV6TO4INIT=yes
IPV6TO4_RELAY="192.88.99.1"
IPV6ADDR=2002:c000:0201::1/64
IPV6ADDR_SECONDARIES="2002:0a00:0001::2/64 2002:0a00:0001::3/64"
IPV6_DEFAULTDEV="tun6to4"
# End /etc/sysconfig/network-scripts/ifcfg-eth0

The astute reader may notice a few new variables. Amongst the new variables: IPV6ADDR_SECONDARIES. This is a way to add more IPv6 IPs to your interface; it's not required. And yes, it's possible with tunnels and natively, too, as long as the IP (or IP block) is allocated to you. In other words, feel free to add more to your interface(s). Remember, with 6to4 you have 65536 /64 blocks of IPv6 IPs. With tunnel brokers, it varies; Hurricane Electric, as an example, gives you a /64 block by default. You can also allocate a /48 block, which gives you 65536 /64 blocks for your networks.

5. Security/Firewalling

Obviously, like all things humans create, there are going to be some problems. IPv6 is certainly no different, and there WILL be issues. Therefore, firewalls are STILL relevant. The addressing scheme changes only one thing with respect to firewalls: the addresses and headers (the underlying protocols, essentially). Sure, with a larger address range it will take much more time to scan for vulnerable machines, but to take that as "I don't need a firewall" is foolish and in many respects amounts to relying on security through obscurity: hiding something, or hiding behind something, does not mean you aren't vulnerable, temporarily or indefinitely; it simply means you aren't known to be vulnerable for the time being!

Therefore, you DO need to keep security in mind. The questions you must ask yourself are these (certainly not only these, but these are some):

  1. Do I run any IPv6 services? Are you 100% sure?
  2. Am I connected to the IPv6 Internet?
  3. What would happen if I don't take precautions and do get compromised?

To give you an idea of what or why these are important, read the following answers.

  1. Even if you didn't configure a service to run as IPv6 specifically, you should keep in mind that certain programs bind to ALL interfaces and ALL addresses. Therefore, you MAY very well have IPv6 services. When you then reboot or restart the service after you gain IPv6 access, you could be exposing a private service that may otherwise not be visible!
  2. Well, you're reading this document, so I assume your goal is to be connected. Security is the responsibility of all netizens, and therefore you SHOULD firewall your system.
  3. This is of course more of a rhetorical question, but it's something that I believe many don't think of. Think of legal liabilities, loss of income for your company, whatever it may be: protect your network!
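To answer question 1 with more than a guess, the following script (an added example, not from the original HOWTO) reads the kernel's /proc/net/tcp6 table and lists the TCP ports that are in LISTEN state on the wildcard address ::, i.e. reachable on every IPv6 address the host has, including the tunnel, as soon as it comes up. The sample table embedded in it is constructed, not a real capture, and the function names are my own; on a live system feed it /proc/net/tcp6 directly (ss -6 -ltn shows the same thing on newer systems).

```shell
#!/bin/sh
# Added example, not from the HOWTO: find TCP services that listen on the
# IPv6 wildcard address (::) by parsing /proc/net/tcp6.
#
# /proc/net/tcp6 fields: "sl local_address remote_address st ...", where
# local_address is 32 hex digits of address plus ":" and 4 hex digits of
# port, and st 0A means LISTEN. The address is stored as four 32-bit words
# in host byte order, so on x86 ::1 shows up as ...01000000.

# Read a /proc/net/tcp6 style table on stdin; print one "addr port" line per
# listening socket, with the port in decimal. Only :: and ::1 are decoded to
# their usual spelling; other addresses are printed as the raw hex.
tcp6_listeners() {
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[1], a[2] }' |
    while read -r hexaddr hexport; do
        case "$hexaddr" in
            00000000000000000000000000000000) addr="::" ;;
            00000000000000000000000001000000) addr="::1" ;;
            *) addr="$hexaddr" ;;
        esac
        printf '%s %d\n' "$addr" "$((0x$hexport))"
    done
}

# Print, one per line and sorted, only the ports listening on every address.
wildcard_tcp6_ports() {
    tcp6_listeners | awk '$1 == "::" { print $2 }' | sort -n
}

# Constructed sample in /proc/net/tcp6 format (not a real capture): sshd on
# port 22 bound to every address, a database on 5432 bound only to ::1, and
# one established connection (st 01) that must be ignored.
SAMPLE_TCP6='  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000001000000:1538 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000    26        0 1002 1 0000000000000000 100 0 0 10 0
   2: 00000000000000000000000000000000:0016 0000000000000000000000000000ABCD:C2A3 01 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0'

# Stand-alone use: audit the live table if there is one, else the sample.
if [ -r /proc/net/tcp6 ]; then
    echo "TCP ports listening on every IPv6 address (from /proc/net/tcp6):"
    wildcard_tcp6_ports < /proc/net/tcp6
else
    echo "No /proc/net/tcp6 here; result for the constructed sample:"
    printf '%s\n' "$SAMPLE_TCP6" | wildcard_tcp6_ports
fi
```

Every port the script prints is a service you either meant to expose over IPv6 and must cover in the ip6tables rules below, or one you should rebind to a specific address (or to IPv4 only). The same parsing works for /proc/net/udp6, except that unconnected UDP sockets show st 07 rather than 0A.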

So, as you may or may not know, the netfilter project is the project behind the Linux kernel firewalls: iptables and ip6tables. Yes, sadly, you have two sets of rules for firewalling. That's just how it is, and while some may think it would be better as one, I say it really depends on your perspective; modularity is pretty useful, and keeping things clean and related is not too bad a thing, either.

In any case, there are at least four ways of creating your firewall rules:

  1. A graphical program (a server probably doesn't have a GUI, however) that guides you through it.
  2. A script you write that executes the iptables and ip6tables commands to build the rules.
  3. Editing the files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables (Ugh! I don't understand the reasoning for this one. They are generated by the ip{,6}tables-save commands. Just use the proper commands and then save the tables once they are set properly. Much cleaner that way. My opinion of course, but generally speaking there is no reason to edit the file and then restore it when you could just run the commands directly).
  4. Use a different firewall with a configuration file set, e.g. shorewall.

First, I did mention protocol 41. This belongs in the iptables rule set. This means, you'll need a command like the below, should you realise you need to allow it through:

# /sbin/iptables -I INPUT -p 41 -j ACCEPT

Again, that's just an example. You might find you don't even need it, even with default policy set to DROP (how it should be).

For more information about firewalls, see the many documents out there on the Internet, for example the Linux firewall HOWTO at the Linux Documentation Project.

Generally speaking, be reasonable: use connection tracking if your kernel supports it (up until 2.6.20, connection tracking in ip6tables did not work properly - no errors, just broken connections), block ports/services that are not to be used by others outside of your network, and only allow (default policy DROP) services that you need - not the other way around (ALLOW policy, dropping specific ports).

Also remember to check things like the source IP (your machine should not send packets to itself, so a packet coming in claiming to be YOUR IP is bogus), as well as allowing the loopback device unlimited access (you'll definitely run into trouble if you don't). Example of allowing unlimited access to the loopback (note that the OUTPUT chain has no input interface, so it takes -o rather than -i):

# /sbin/ip6tables -A INPUT -i lo -j ACCEPT
# /sbin/ip6tables -A OUTPUT -o lo -j ACCEPT
# /sbin/ip6tables -A FORWARD -i lo -j ACCEPT
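Putting the points above together, here is an added example (not the HOWTO's own rules) that prints a small ip6tables ruleset in the ip6tables-restore format that /etc/sysconfig/ip6tables uses: default DROP, loopback on both chains, connection tracking, a drop for packets arriving on the tunnel with our own address as source, ICMPv6 (which IPv6 cannot work without, since neighbour discovery and path MTU discovery ride on it), and the IPv4 side rule for protocol 41 restricted to the broker's endpoint rather than the whole Internet. The addresses are the HOWTO's documentation values and the variable and function names are mine. Printing the rules rather than applying them keeps the script reviewable and lets it run without root.

```shell
#!/bin/sh
# Added example, not from the HOWTO: generate a minimal ip6tables ruleset
# for a tunnel-connected host. Review the output, then apply it with:
#   ip6tables_rules | ip6tables-restore
# and run the printed iptables command on the IPv4 side.

TUNNEL_DEV=sit1                    # tunnel device from the HOWTO
TUNNEL_REMOTE_V4=198.51.100.1      # broker's IPv4 tunnel endpoint
MY_V6_ADDR=2001:db8:dddd:ffff::1   # our address on eth0
ALLOWED_TCP_PORTS="22"             # services deliberately exposed over IPv6

# Print the IPv6 ruleset. Lines starting with # are ignored by
# ip6tables-restore, so the comments can stay in the saved file.
ip6tables_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback: -i for inbound, -o for outbound (OUTPUT has no input interface).
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Anti-spoofing: our own address must never arrive from the tunnel.
-A INPUT -i $TUNNEL_DEV -s $MY_V6_ADDR -j DROP
# Connection tracking: replies to flows we started, and nothing malformed.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# ICMPv6 carries Neighbour Discovery and Path MTU Discovery; blocking it
# breaks IPv6. Rate-limit echo requests separately if you want to.
-A INPUT -p ipv6-icmp -j ACCEPT
EOF
    # One explicit ACCEPT per service we intend to expose; everything else
    # falls through to the DROP policy.
    for port in $ALLOWED_TCP_PORTS; do
        echo "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Print the IPv4 command that admits 6in4 (protocol 41) only from the
# broker's endpoint, instead of from any host as "-p 41" alone would.
iptables_proto41_cmd() {
    echo "iptables -I INPUT -p 41 -s $TUNNEL_REMOTE_V4 -j ACCEPT"
}

# Stand-alone use: show both halves.
ip6tables_rules
echo "# IPv4 side: $(iptables_proto41_cmd)"
```

If the machine also routes for the rest of your network (IPV6FORWARDING="yes" above), the FORWARD chain needs the same treatment: established flows and ICMPv6 allowed, anything new from the tunnel towards the inside dropped unless you deliberately publish it.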

The rest is entirely up to you. I could try to explain some rules, but there's enough information out there, and let's face it: entire books are dedicated to firewalling - there's a lot to consider. If you need to, just use a GUI to develop your firewall rules (some recommend that everyone do that, forgetting that some know the commands well enough; and you can use all the features from the command line, whereas with a GUI you can only use what that program supports).

6. Router Advertisement Daemon

When I used the 6to4 relay method, this is how I set up radvd. Adapt this and you should be advertising (via multicast) to your network nodes the IPv6 prefix from which they build their own IPs. Note that eth1 was my internal network interface and eth0 was my global/external one (technically all global IPv6 IPs are external, but I based the wording on how my IPv4 network is).

# Begin /etc/radvd.conf
interface eth1
{
    AdvSendAdvert on;
    MinRtrAdvInterval 60;
    MaxRtrAdvInterval 600;
    prefix 2002:c000:0201::1/64
    {
        AdvOnLink on;
        Base6to4Interface eth0;
        AdvPreferredLifetime 600;
        AdvValidLifetime 1800;
        AdvAutonomous on;
        AdvRouterAddr off;
    };
};
# End /etc/radvd.conf

A tip with this:

If you use dynamic assignment, e.g. by the above, you'll find that the network interface gets the IPv6 prefix as the first portion of its address, but the second half is based on the MAC address of the network card. This is great, unless you actually want a specific IP. To make sure that doesn't happen, either disable autoconfiguration or set the following sysctl variables:

net.ipv6.conf.all.use_tempaddr = 0
net.ipv6.conf.default.use_tempaddr = 0

Note for radvd to work, you'll need to act as a router.

7. Continuing the Adventure

Where you go from here is up to you. Just keep in mind that IPv6 is the future (one of these days, that is... one of these days...), so you may as well get learning it. There are many things to learn now: assigning IPs to the rest of your network (which I briefly discussed above), DNS, email, web, and so on. I'm debating writing about some of these in general, and if I do I'll touch upon IPv6 for them. I'll update this document to refer to those, if I get around to it. I may cover some of this later in another document, but for now I'll leave you with some references for this stuff.

8. Troubleshooting

So what if you have any trouble after this set up? Well, I have not run into any, except one. So either: a) you sort it out, or b) it might be the one problem below, or c) you disable IPv6 for the time being. It's up to you. I'll update this when I have more to add - or if I have more to add - in time.

In the meantime, perhaps it is the one below, or you can use it for reference later:

8.1. Specific Websites Stop Responding

The problem is this: what happens if a web site (for example) has its primary domain resolving to its IPv6 IP, but somehow forgot to set up the web server for it, or is just having trouble with its IPv6 interface? You can a) contact them and they can fix it. But if it's a known problem with them, there is a solution. Say for instance you want to prevent http://xexyl.net from resolving to IPv6. In Firefox, it's easy. There are other ways too, of course, but this is a simple one and a nice way to test whether that is indeed the problem:

Go to the following location (so the place where you'd type a URL in):

about:config

I'm sure you know about it. Now, click on the silly little disclaimer confirm button they have, and then select the filter option (text box). Type 'dns' (w/o quotes) into that text box. You should see the following key:

network.dns.ipv4OnlyDomains

So, if you wanted to prevent xexyl.net from resolving via IPv6, simply put in (the value portion of the above key):

xexyl.net

If you wanted to stop xexyl.net and xexyl.com from resolving via IPv6, you can do:

xexyl.net,xexyl.com

(In other words, it's a comma separated list of domains to not use IPv6 for).

9. References

See the following files related to IPv6 in /usr/share/doc/initscripts-*/ :

  1. ipv6-6to4.howto - has info about router advertisement set up
  2. ipv6-tunnel.howto - how to set up an IPv6 tunnel
  3. static-routes-ipv6 - how to assign a static route for IPv6
  4. sysconfig.txt - information about /etc/sysconfig in general - more than just networking

These will provide different views and other information, too. There are many sites out there with a lot of information on them these days. If you're using 6to4, you may find the following website interesting: http://6to4.nro.net/ (this is for reverse DNS, if you have your own DNS server). See also the Linux Documentation Project, as well as the TCP/IP Guide (which has information on IPv6) at http://www.tcpipguide.com/

One last thing to remember is there's much more - with configuring the network interfaces, services and everything in between.

10. Conclusion

Well, there you have it. A guide to getting access to the IPv6 Internet through tunnels, relays and router advertisements. There's much more, as I mentioned in the Continuing the Adventure section, but this should help you get started on your venture into the realm of IPv6.