IPv6

“We have enough IPv4 addresses.”
“We won't do IPv6, we will use the next IP version after that.”
“What's IPv6?”
“We do not care about other EU countries already having NAT64 or DS-lite networks. And their customers therefore rent IPv6 only servers that you cannot access.”
“IPv6 is garbage and nobody wants to use it”
“No one on the internet uses IPv6 yet, it's pointless”
“IPv4 NAT was fixed 10 years ago, we don't need IPv6”
“We use IPv4 CGN so it's all fine, there's no need for IPv6”
“IPv6 just isn't a priority”
“IPv6 is just a marketing gimmick, is slower and requires more processing”
“IPv6 is insecure, NAT is a firewall, there's no privacy”
“We have IPv6, but we just want to keep things simple”
“None of our customers want it”
“It's too complicated”
“The IPv6 will soon be outdated again”
“No one else has deployed it”
“We'll deploy IPv6 next year”
“End users don't care about IPv6”
“We don't need that many addresses”
“You already have IPv6, your IP is x.x.x.x”
“Can't we just buy more IPv4 addresses?”

Internet Protocol, Version 6 (IPv6) Specification (slide from a 2002 Cisco presentation):
RFC1883 December 1995
RFC2460 December 1998
RFC8200 July 2017

1996 IPv6 support in the Linux kernel
1998 Microsoft Research releases its first experimental IPv6 stack
1999 First IPv6 tunnel broker, by Ivano Guardini
2000 FreeBSD shipped IPv6 support as part of the FreeBSD 4.0 release
2001 Cisco Systems introduces IPv6 support on Cisco IOS routers and L3 switches.
2002 Windows XP SP1 and Windows Server 2003, IPv6 is included as a core networking technology
2003 Apple Mac OS X v10.3 “Panther” supports IPv6 which is enabled by default.
2008 The European Commission published its Action Plan for the deployment of Internet Protocol version 6 (IPv6) in Europe, with the aim of making IPv6 available to 25% of European users by 2010.
Some highlights from Wikipedia; see Major milestones for more.

World IPv6 Test Day June 8, 2011 - “major web companies and other industry players enabled IPv6 on their main websites for 24 hours.”
World IPv6 Launch Day June 6, 2012 - “this time, it's for real” “leaving IPv6 permanently enabled on all participating sites”

General

The IPv6 address

An IPv6 address consists of 128 bits, written in hex as 8 groups of 16 bits each, separated by colons.
2001:0db8:03e4:7891:2f3a:9a16:dd8e:3a3d

IPv6 compacting

You can remove the leading zeros in each group. When several consecutive groups contain only zeros, that run can be replaced by :: (only once per address, for the longest run of zero groups).
Example:

2001:0db8:0000:0000:0000:beef:0042:1337
2001: db8:0000:0000:0000:beef:  42:1337
2001: db8:    :          beef:  42:1337 (2001:db8::beef:42:1337)


2001:0db8:0000:0000:0000:0000:0042:1337
2001: db8:0000:0000:0000:0000:  42:1337
2001: db8:    :                 42:1337 (2001:db8::42:1337)

2001:0db8:0000:0000:0000:0000:0000:0007
2001: db8:0000:0000:0000:0000:0000:   7
2001: db8:    :                       7 (2001:db8::7)

IPv6 Broadcast

No, not possible, use multicast instead.

A good way to test whether those “IPv6 experts” who say IPv6 is bad actually know IPv6:
most of them seem to claim broadcast exists and that it will cause a mess 🤔

Security & Privacy

IPv6 security comes from the firewall in your router AND the built-in (or a third-party) firewall on your devices, not from NAT.
Your ISP could (if they wanted to) also do the default firewall part as a service, but I doubt that will ever happen, and I hope it doesn't.

IPv6 has Privacy Extensions (RFC8981), which 99% of the devices configured statelessly (SLAAC) use. In Windows they're called “Temporary Addresses” and usually last around 4 hours before being replaced with a new address.
I personally haven't seen a device yet that didn't make use of the privacy extensions when using SLAAC.

DAD (Duplicate Address Detection, RFC4429) prevents two devices from using the same IP address.

Please don't fall for the myths about IPv6. And I wish the people spreading those myths good luck scanning 18446744073709551616 firewalled IP addresses (a single /64) every few hours.

Ranges

Address space

Official IANA space allocations.

^ Range ^ Allocation ^ Use case ^
| 2000::/3 | Global Unicast | The public internet 😎 |
| fc00::/7 | Unique Local Unicast | Private ranges you can use for VPNs and such. Note: you may only use fd00::/8 without registration |
| fe80::/10 | Link-Scoped Unicast | Auto-generated for your NIC. In the IPv4 world (169.254.0.0/16) this gets removed when an IP is set, but on IPv6 we keep it! |
| ff00::/8 | Multicast | IPv6 doesn't have broadcast, so we use multicast for spamming instead. |

For assignments, see https://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xhtml

Other ranges

^ Range ^ Description ^
| ::/0 | The entire internet's default route. I know, it's so hard to guess. |
| ::/128 | “Unspecified Address”: when you don't have an address yet and you're asking ff02::2 over ICMPv6 for network details |
| ::1/128 | Loopback, sometimes talking to yourself is better than no IPv6 at all. Home sweet home 🏠 |
| 100::/64 | Discard-Only, basically a black hole 😨, used for mitigating DDoS and more |
| 64:ff9b::/96 | NAT64 prefix, for when you have a NAT64 available and your own network is IPv6 only. This or DS-lite will be used when we're finally done with WAN IPv4 |
| 64:ff9b:1::/48 | Same as above, just not globally reachable |
| 2001::/32 | Teredo tunnels, for those behind shitty ISPs with no IPv6 at all, and end users without IPv6 tunnel brokers |
| 2001:db8::/32 | Reserved for use in documentation and more |

Multicast

^ Address ^ Description ^
| ff01::1 | Multicast to all nodes in the interface-local scope |
| ff02::1 | Multicast to all nodes in the link-local scope |
| ff01::2 | Multicast to all routers in the interface-local scope |
| ff02::2 | Multicast to all routers in the link-local scope |
| ff05::2 | Multicast to all routers in the site-local scope |
| ff02::1:2 | Multicast to all the DHCPv6 servers and relay agents in the link-local scope |
| ff01::101 | Multicast to all NTP servers in the interface-local scope |
| ff02::101 | Multicast to all NTP servers in the link-local scope |
| ff03::101 | Multicast to all NTP servers in the realm-local scope |
| ff04::101 | Multicast to all NTP servers in the admin-local scope |
| ff05::101 | Multicast to all NTP servers in the site-local scope |
| ff08::101 | Multicast to all NTP servers in the organization-local scope |
| ff0e::101 | Multicast to all NTP servers in the global scope |
| ff02::1:ff00:0/104 | Solicited-node multicast address |

Pro tip: ping the multicast address, then check your neighbour table with ip -6 neigh. You can now find your stateless devices 😉

IPv6 public services

DNS servers

^ Address ^ Provider ^ Type ^
| 2001:4860:4860::8888 | Google | Normal |
| 2001:4860:4860::8844 | Google | Normal |
| 2001:4860:4860::6464 | Google | DNS64 for use with NAT64 (64:ff9b::/96) |
| 2001:4860:4860::64 | Google | DNS64 for use with NAT64 (64:ff9b::/96) |
| 2606:4700:4700::1111 | Cloudflare | Normal |
| 2606:4700:4700::1001 | Cloudflare | Normal |
| 2606:4700:4700::64 | Cloudflare | DNS64 for use with NAT64 (64:ff9b::/96) |
| 2606:4700:4700::6400 | Cloudflare | DNS64 for use with NAT64 (64:ff9b::/96) |
| 2620:119:35::35 | OpenDNS | Normal |
| 2620:119:53::53 | OpenDNS | Normal |

Test websites

^ Website ^ Description ^
| https://z7.dk | Shows your IPv4 & IPv6, with location from free GeoIP databases |
| https://test-ipv6.com | Runs multiple IPv6 connectivity tests |
| https://ipv6-test.com | Runs even more IPv6 connectivity tests |
| https://ipv6test.google.com | Simple confirmation of whether you have IPv6 or not |

Other

Tools

Trouble finding an IoT device's IP? Try this!

Just be aware that link-local addresses are not always based on the MAC address. This usually happens when VLANs and/or other things are used, or simply because the device/system does not use EUI-64.
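The “ping the multicast, then look at ip -6 neigh” tip and the EUI-64 caveat above, combined in an added example that is not part of the original page: it parses ip -6 neigh output and tells which neighbour addresses carry the MAC-derived EUI-64 interface identifier and which are opaque (privacy extensions or otherwise randomised). The neighbour table lines and MAC addresses are constructed sample data.

```python
"""Match `ip -6 neigh` entries against the EUI-64 address their MAC would produce."""
import ipaddress
import re

# Constructed sample in the format of `ip -6 neigh show`; not a real capture.
SAMPLE_NEIGH = """\
fe80::211:22ff:fe33:4455 dev eth3 lladdr 00:11:22:33:44:55 router REACHABLE
2001:db8:85a3:1:211:22ff:fe33:4455 dev eth3 lladdr 00:11:22:33:44:55 REACHABLE
2001:db8:85a3:1:6c1e:9b0a:ffd2:1f3e dev eth3 lladdr a4:5e:60:c1:23:99 STALE
fe80::9a1b:2c3d:4e5f:6071 dev eth3 lladdr a4:5e:60:c1:23:99 STALE
fe80::1 dev eth3 FAILED
"""

# Address, device and (optionally) the link-layer address; flags/state follow and are ignored.
NEIGH_RE = re.compile(r"^(?P<addr>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>[0-9a-f:]{17}))?")


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (low 64 bits) derived from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", ""))
    if len(octets) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    # Split the MAC in the middle, insert ff:fe, and flip the universal/local bit.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def parse_neigh(text: str) -> list[dict]:
    """Parse `ip -6 neigh` output; entries without a known MAC are kept with mac=None."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            entries.append({"addr": ipaddress.IPv6Address(m["addr"]),
                            "dev": m["dev"], "mac": m["mac"]})
    return entries


def classify(entries: list[dict]) -> dict[str, str]:
    """Label each address 'eui64' when its interface id is the MAC-derived one, else 'opaque'."""
    labels = {}
    for e in entries:
        if e["mac"] is None:
            labels[str(e["addr"])] = "no-lladdr"
            continue
        iid = int(e["addr"]) & ((1 << 64) - 1)  # low 64 bits = interface identifier
        labels[str(e["addr"])] = "eui64" if iid == eui64_interface_id(e["mac"]) else "opaque"
    return labels
```

Feed it the real output of ip -6 neigh after pinging ff02::1 on the interface and the 'eui64' entries are the ones whose MAC you can recover directly from the address; the 'opaque' ones are the ones the caveat above is about.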

Configuration

These examples might be outdated by now; it's been years since I last updated them here. They should still work fine, though.

Routers

EdgeOS/Vyatta/VyOS example

In this example:
tun0 = Your IPv6 WAN interface
ethX = Your IPv6 LAN interfaces
IPv6 WAN range = 2001:db8:85a3::/48
IPv6 WAN IP = 2001:db8:85a3::1/48
IPv6 LAN1 IP = 2001:db8:85a3:1::1/64
IPv6 LAN1 RA = 2001:db8:85a3:1::/64

But remember: with IPv6 it's by design that you have multiple IPv6 addresses per interface.
For example you'll always have your link-local address, even with valid unicasts.

The following examples are based on EdgeOS.

Security first! Firewall time:

set firewall ipv6-name IPv6-LAN1 default-action drop
set firewall ipv6-name IPv6-LAN1 description 'From WAN to LAN (open ports here, remember dst ip)'
set firewall ipv6-name IPv6-LAN1 rule 10 action accept
set firewall ipv6-name IPv6-LAN1 rule 10 state established enable
set firewall ipv6-name IPv6-LAN1 rule 10 state related enable
set firewall ipv6-name IPv6-LAN1 rule 20 action accept
set firewall ipv6-name IPv6-LAN1 rule 20 description 'Accept ICMPv6'
set firewall ipv6-name IPv6-LAN1 rule 20 protocol icmpv6

set firewall ipv6-name IPv6-WAN-IN default-action drop
set firewall ipv6-name IPv6-WAN-IN rule 10 action accept
set firewall ipv6-name IPv6-WAN-IN rule 10 description 'Accept Established/Related'
set firewall ipv6-name IPv6-WAN-IN rule 10 protocol all
set firewall ipv6-name IPv6-WAN-IN rule 10 state established enable
set firewall ipv6-name IPv6-WAN-IN rule 10 state related enable

set firewall ipv6-name IPv6-LOCAL default-action drop
set firewall ipv6-name IPv6-LOCAL description 'When your router, is the destination'
set firewall ipv6-name IPv6-LOCAL rule 10 action accept
set firewall ipv6-name IPv6-LOCAL rule 10 description 'Accept Established/Related'
set firewall ipv6-name IPv6-LOCAL rule 10 protocol all
set firewall ipv6-name IPv6-LOCAL rule 10 state established enable
set firewall ipv6-name IPv6-LOCAL rule 10 state related enable
set firewall ipv6-name IPv6-LOCAL rule 20 action accept
set firewall ipv6-name IPv6-LOCAL rule 20 description 'Accept ICMP'
set firewall ipv6-name IPv6-LOCAL rule 20 protocol icmpv6
set firewall ipv6-name IPv6-LOCAL rule 30 action accept
set firewall ipv6-name IPv6-LOCAL rule 30 description 'Accept DHCP'
set firewall ipv6-name IPv6-LOCAL rule 30 destination port 546
set firewall ipv6-name IPv6-LOCAL rule 30 protocol udp
set firewall ipv6-name IPv6-LOCAL rule 30 source port 547
set firewall ipv6-name IPv6-LOCAL rule 40 action accept
set firewall ipv6-name IPv6-LOCAL rule 40 description 'Accept DNS from own subnet'
set firewall ipv6-name IPv6-LOCAL rule 40 destination port 53
set firewall ipv6-name IPv6-LOCAL rule 40 protocol udp
set firewall ipv6-name IPv6-LOCAL rule 40 source address '2001:db8:85a3::/48'
set firewall ipv6-name IPv6-LOCAL rule 50 action accept
set firewall ipv6-name IPv6-LOCAL rule 50 description 'Management from own subnet'
set firewall ipv6-name IPv6-LOCAL rule 50 destination port 22,80,443
set firewall ipv6-name IPv6-LOCAL rule 50 protocol tcp
set firewall ipv6-name IPv6-LOCAL rule 50 source address '2001:db8:85a3::/48'

set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable

WAN setup:

set interfaces tunnel tun0 address '2001:db8:85a3::1/48'

set interfaces tunnel tun0 firewall in ipv6-name IPv6-WAN-IN
set interfaces tunnel tun0 firewall local ipv6-name IPv6-LOCAL

set protocols static interface-route6 '2000::/3' next-hop-interface tun0

ping ipv6.google.com

LAN1 setup:

set interfaces ethernet eth3 address '2001:db8:85a3:1::1/64'

set interfaces ethernet eth3 firewall local ipv6-name IPv6-LOCAL
set interfaces ethernet eth3 firewall out ipv6-name IPv6-LAN1

set interfaces ethernet eth3 ipv6 dup-addr-detect-transmits 1 # Duplicate Address Detection (DAD)

set interfaces ethernet eth3 ipv6 router-advert send-advert true # Enable sending RAs
set interfaces ethernet eth3 ipv6 router-advert managed-flag false # We inform that there's no DHCPv6
set interfaces ethernet eth3 ipv6 router-advert other-config-flag false # We love RDNSS, so we confirm there's really no DHCPv6 need.

set interfaces ethernet eth3 ipv6 router-advert prefix '2001:db8:85a3:1::/64' autonomous-flag true # Enables stateless auto config
set interfaces ethernet eth3 ipv6 router-advert prefix '2001:db8:85a3:1::/64' on-link-flag true # Tells all clients that everyone in that /64 is on the same link.
set interfaces ethernet eth3 ipv6 router-advert prefix '2001:db8:85a3:1::/64' valid-lifetime 2592000 # For how long our range is valid

set interfaces ethernet eth3 ipv6 router-advert radvd-options 'RDNSS 2001:db8:85a3:1::1 {};' # So people can use DNS

Minimal EdgeOS/VyOS example

ISP: Kviknet (DK)

Minimal EdgeRouter/VyOS (/Vyatta) setup, with a firewall for basic safety.
WAN: eth0 requests a /48 from Kviknet with IA-NA: 1, and also gets a /128 locally to be able to route the /48
LAN: eth3 gets a /64 from the /48, with SLAAC for compatibility (and privacy)

set firewall ipv6-name WAN-IN-IPv6 default-action drop
set firewall ipv6-name WAN-IN-IPv6 rule 10 action accept
set firewall ipv6-name WAN-IN-IPv6 rule 10 description 'Accept Established/Related'
set firewall ipv6-name WAN-IN-IPv6 rule 10 protocol all
set firewall ipv6-name WAN-IN-IPv6 rule 10 state established enable
set firewall ipv6-name WAN-IN-IPv6 rule 10 state related enable
set firewall ipv6-name WAN-IN-IPv6 rule 20 action accept
set firewall ipv6-name WAN-IN-IPv6 rule 20 description 'Accept ICMP'
set firewall ipv6-name WAN-IN-IPv6 rule 20 protocol icmpv6
set firewall ipv6-name WAN-LOCAL-IPv6 default-action drop
set firewall ipv6-name WAN-LOCAL-IPv6 rule 10 action accept
set firewall ipv6-name WAN-LOCAL-IPv6 rule 10 description 'Accept Established/Related'
set firewall ipv6-name WAN-LOCAL-IPv6 rule 10 protocol all
set firewall ipv6-name WAN-LOCAL-IPv6 rule 10 state established enable
set firewall ipv6-name WAN-LOCAL-IPv6 rule 10 state related enable
set firewall ipv6-name WAN-LOCAL-IPv6 rule 20 action accept
set firewall ipv6-name WAN-LOCAL-IPv6 rule 20 description 'Accept IPv6 ICMP'
set firewall ipv6-name WAN-LOCAL-IPv6 rule 20 protocol ipv6-icmp
set firewall ipv6-name WAN-LOCAL-IPv6 rule 30 action accept
set firewall ipv6-name WAN-LOCAL-IPv6 rule 30 description 'Accept DHCP'
set firewall ipv6-name WAN-LOCAL-IPv6 rule 30 destination port 546
set firewall ipv6-name WAN-LOCAL-IPv6 rule 30 protocol udp
set firewall ipv6-name WAN-LOCAL-IPv6 rule 30 source port 547

set interfaces ethernet eth0 firewall in ipv6-name WAN-IN-IPv6
set interfaces ethernet eth0 firewall local ipv6-name WAN-LOCAL-IPv6

# EdgeOS:
sudo sed -i 's/na 0/na 1/g' /opt/vyatta/sbin/dhcpv6-pd-client.pl # Kviknet fix
set interfaces ethernet eth0 dhcpv6-pd pd 1 prefix-length 48
set interfaces ethernet eth0 dhcpv6-pd pd 1 interface eth3 service slaac

# VyOS 1.3 (exact example is untested):
sudo sed -i 's/na 0/na 1/g' /usr/share/vyos/templates/dhcp-client/ipv6.tmpl # Kviknet fix for VyOS 1.3.2, might be called ipv6.j2 on 1.4, reboot required
set interfaces ethernet eth0 address 'dhcpv6'
set interfaces ethernet eth0 dhcpv6-options pd 1 length '48'
set service router-advert interface eth3 prefix 2001:db8:85a3:1::/64 # Replace with your subnet. I've seen ::/64 being used on the internet, but haven't tested it myself.

https://support.kviknet.dk/hc/da/articles/360014470198-IPv6-p%C3%A5-egen-router

OpenBSD NAT64

OpenBSD has NAT64 built into its packet filter (pf), and unbound has DNS64 support,
so it should be easy to integrate into your setup.

pf.conf
int_if = "em1"
pass in quick on $int_if inet6 from any to 64:ff9b::/96 af-to inet from (egress:0) keep state
# egress group contains the interfaces with default routes ( = usually WAN)

# af-to rule enables the NAT64 translation

unbound.conf
server:
    module-config: "dns64 validator iterator"
    dns64-prefix: 64:ff9b::/96

Notes

Debug

sudo tcpdump -i eth0 -n -vv '(udp port 546 or 547) or icmp6'

ipv6.txt · Last modified: 2023/11/13 22:26 by mathias