Gentoo IPv6 Router Guide

1. Preliminaries

Basic Kernel Configuration 

Any of the 2.4 or 2.6 kernel trees availables in Gentoo will easily support IPv6 connections. The new USAGI IPv6 stack is integrated to the kernel since Linux 2.4.22 and Linux 2.6.0. Note that for older kernels, alpha-sources-2.4.21 and gentoo-sources-2.4.20 can have the USAGI patches applied, if you correctly set usagi in your USE variable.

(for a 2.6 kernel)
# emerge gentoo-dev-sources
(or for a 2.4 one)
# emerge gentoo-sources

Now we are ready to enter the kernel source directory and begin our actual kernel configuration.

# cd /usr/src/linux
# make menuconfig

Device Drivers --->
Networking support --->
Networking options --->
   <*> The IPv6 protocol (EXPERIMENTAL)
(The IPv6 options beneath this one can be useful for many other applications,
but should not be needed for a basic setup)

(This option is only required if you are using ptrtd for 6to4 conversion)
[*] Network device support
   <*> Universal TUN/TAP device driver support

Testing IPv6 Support 

After enabling the recommended options, recompile your kernel and reboot into your new IPv6-enabled kernel.

If you don't already have iproute2 installed, we urge you to do it now. iproute2 is a network configuration suite that contains ip, the famous replacement for ifconfig, route, iptunnel and others...

# emerge sys-apps/iproute2

If IPv6 is working, the loopback device should show an IPv6 address:

# ip -6 addr show lo
1: lo: <LOOPBACK,UP> mtu 16436
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
    (The above lines show things are working)

Before going any further, make sure that you add ipv6 to your list of USE variables in make.conf, so that future emerges of packages will include IPv6 support.

2. Tunnel Configuration

Basic Configuration 

Most ISPs still do not offer any native IPv6 connections. To get around this limitation, there are several "tunnel brokers" around the globe that offer free IPv6 tunnels. This will allow you to tunnel all your IPv6 connections through an IPv4 connection.

Below are two examples for setting up a tunnel with two popular North American tunnels, Hurricane Electric (applies for non-heartbeat tunnels from sixxs.net as well) and Freenet6.

Hurricane Electric 

Hurricane Electric (HE for short) offers free IPv6 tunnels and allocates a /64 block of addresses for you. It also allows configuration of reverse DNS. Getting a tunnel from HE is as easy as going to http://www.tunnelbroker.net/ and filling out a one page form.

After you have a tunnel approved and have a /64 block allocated, you can configure your Gentoo box. HE provides sample configurations based on ifconfig and the iproute utilities. The following two examples assume you have the following configuration:

Using the iproute2 package and the ip command, you would do the following:

(Create a tunnel between the local (eth0) IPv4 and HE's remote IPv4 address)
# ip tunnel add sixbone mode sit remote 64.71.128.82 local 68.36.91.195 ttl 64 dev eth0
(Extract the tunneling overhead from the MTU)
# ip link set sixbone mtu 1280
(Bring the tunnel up)
# ip link set sixbone up
(Assign the IPv6 address to it)
# ip addr add 2001:470:1F00:FFFF::189 dev sixbone
(Route all global unicast IPv6 addresses through our 'sixbone' tunnel device)
# ip route add 2000::/3 dev sixbone

Freenet6 

Freenet6 is another free tunnel broker. Registration only requires a username and a valid email address. They have chosen to turn the tunnel management into a client/server setup and have created the tspc client. The client is available in portage. To install it do:

# emerge freenet6

Now you need to configure freenet6 by editing /etc/freenet6/tspc.conf. You should only have to edit the userid and passwd fields to match those assigned from Freenet6. Below is a complete sample config file.

tsp_version=1.0.1
tsp_dir=/etc/freenet6
auth_method=any
client_v4=auto
userid=anonymous
passwd=foobar
template=gentoo
server=tsps1.freenet6.net
retry_delay=0
if_tunnel=sit3

Testing your connection 

Now that your tunnel is configured, you can test your connection. The easiest way to do this is to use the ping6 utility and try to ping an IPv6 host.

# emerge iputils
# ping6 www.kame.net
PING www.kame.net(orange.kame.net) 56 data bytes
64 bytes from orange.kame.net: icmp_seq=1 ttl=52 time=290 ms
64 bytes from orange.kame.net: icmp_seq=2 ttl=52 time=277 ms
64 bytes from orange.kame.net: icmp_seq=3 ttl=52 time=280 ms
64 bytes from orange.kame.net: icmp_seq=4 ttl=52 time=279 ms
64 bytes from orange.kame.net: icmp_seq=5 ttl=52 time=277 ms

--- www.kame.net ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4038ms
rtt min/avg/max/mdev = 277.040/281.041/290.046/4.699 ms

Further work is currently in progress to add better IPv6 support to the network init scripts. If you'd like to know the status of this and/or help out, email [email protected].

3. IPv6 Support in Applications

Re-emerging packages 

Unless you had USE="ipv6" in your /etc/make.conf previously, you probably need to re-emerge a bunch of packages to compile in IPv6 support for them. To get a list of all the installed packages which leverage the ipv6 USE variable, you can run the below line.

# emerge -epv world | grep ipv6 | sed "s:^.*\] ::; s:-[0-9]\+.*::" | cut -d' ' -f1

To easily re-emerge some selected packages, do:

# emerge -epv world | grep ipv6 | sed "s:^.*\] ::; s:-[0-9]\+.*::" | \
> cut -d' ' -f1 > packages

Next, edit the packages file to remove any packages you don't want to recompile at this time. Then simply run:

# emerge `cat packages`

IPv6 Specific Packages 

There are a few packages which specifically deal with IPv6 items. Most of these are located in /usr/portage/net-misc.

4. DNS setup

IPv6 and DNS 

Just as DNS for IPv4 uses A records, DNS for IPv6 uses AAAA records. (This is because IPv4 is an address space of 2^32 while IPv6 is an address space of 2^128). For reverse DNS, the INT standard is deprecated but still widely supported. ARPA is the latest standard. Support for the ARPA format will be described here.

BIND configuration 

Recent versions of BIND include excellent IPv6 support. This section will assume you have at least minimal knowledge about the configuration and use of BIND. We will assume you are not running bind in a chroot. If you are, simply append the chroot prefix to most of the paths in the following section.

First you need to add entries for both forward and reverse DNS zone files in /etc/bind/named.conf.

(We allow bind to listen to IPv6 addresses.
Using 'any' is the only way to do it prior to bind-9.3)
options {
    [...]
    listen-on-v6 { any; }
    [...]
};
(This will provide the forward DNS for the domain 'ipv6-rules.com':)
zone "ipv6-rules.com" IN {
    type master;
    file "pri/ipv6-rules.com";
};
(This format for reverse DNS is "bitwise." It's done by taking the IPv6 prefix,
reversing the order of the numbers and putting a period between each number)
zone "6.9.2.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa" {
        type master;
        file "pri/rev-ipv6-rules.com.arpa";
};

Now we must create those zone files and add entries for all of our hosts:

$TTL    2h
@       IN      SOA     ipv6-rules.com. webmaster.ipv6-rules.com.  (
                                2003052501 ; Serial
                                28800      ; Refresh
                                14400      ; Retry
                                3600000    ; Expire
                                86400 )    ; Minimum
                NS      ns1.ipv6-rules.com

        IN      AAAA    2001:470:1f00:296::1 ; address for ipv6-rules.com
host1   IN      AAAA    2001:470:1f00:296::2 ; address for host1.ipv6-rules.com
host2   IN      AAAA    2001:470:1f00:296::3:3 ; address for host2.ipv6-rules.com

$TTL 3d ; Default TTL (bind 8 needs this, bind 9 ignores it)
@       IN SOA ipv6-rules.com. webmaster.ipv6-rules.com. (
                        2003052501      ; Serial number (YYYYMMdd)
                        24h             ; Refresh time
                        30m             ; Retry time
                        2d              ; Expire time
                        3d )            ; Default TTL
        IN      NS     ns1.ipv6-rules.com.
; IPv6 PTR entries
$ORIGIN 6.9.2.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa.

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN      PTR     ipv6-rules.com.
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN      PTR     host1.ipv6-rules.com.
3.0.0.0.3.0.0.0.0.0.0.0.0.0.0.0 IN      PTR     host2.ipv6-rules.com.

DJBDNS configuration 

There are currently some third-party patches to DJBDNS available at http://www.fefe.de/dns/ that allow it to do IPv6 nameserving. DJBDNS can be installed with these patches by emerging it with ipv6 in your USE variables.

# emerge djbdns

After djbdns is installed, it can be setup by running tinydns-setup and answering a few questions about which IP addresses to bind to, where to install tinydns, etc.

# tinydns-setup

Assuming we've installed tinydns into /var/tinydns, we can now edit /var/tinydns/root/data. This file will contain all the data needed to get tinydns handling DNS for your IPv6 delegation.

// *.ipv6-rules.com is authoritatively handled by 192.168.0.1
.ipv6-rules.com:192.168.0.1:a:259200
// Authoritative reverse DNS for 2001:470:1f00:296::/64
.6.9.2.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa:192.168.0.1:a
// Specify the IPs for host1 and host2
6host1.ipv6-rules.com:200104701f0002960000000000000001:86400
6host2.ipv6-rules.com:200104701f0002960000000000000002:86400
// Point www to host1
3www.ipv6-rules.com:200104701f0002960000000000000002:86400

Lines prefixed with a 6 will have both an AAAA and a PTR record created. Those prefixed with a 3 will only have an AAAA record created. Besides manually editing the data file, you can use the scripts add-host6 and add-alias6 to add new entries. After changes are made to the data file, you simply need to run make from /var/tinydns/root. This will create /var/tinydns/root/data.cfb, which tinydns will use as its source of information for DNS requests.

5. IPv6 Router

Configure routing 

Further configuration is required if we want to use our system as a router for other clients wishing to connect to the outside world with IPv6. We need to enable forwarding of IPv6 packets. We can do this in one of two ways.

# echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
or
# sysctl -w net.ipv6.conf.all.forwarding=1

To enable forwarding at boot, you'll need to edit /etc/sysctl.conf and add the following line.

net.ipv6.conf.default.forwarding=1

Traffic should now be forwarded from this box through the tunnel we've established with our broker.

To assign IPv6 addresses to clients, the IPv6 specification allows for both stateless and stateful IP assignment. Stateless assignment uses a process called Router Advertisement and allows clients to obtain an IP and a default route by simply bringing an interface up. It is called "stateless" because there is no record of IPs assigned and the host they are assigned to. Stateful assignment is handled by DHCPv6. It is "stateful" because the server keeps a state of the clients who've requested IPs and received them.

Stateless Configuration 

Stateless configuration is easily accomplished using the Router Advertisement Daemon, or radvd.

# emerge radvd

After having emerged radvd, we need to create /etc/radvd/radvd.conf that contains information about what IP block to assign IPs from. Here is a sample radvd.conf file using the prefix we've been assigned from our tunnel broker.

interface eth1
{
        // Send advertisement messages to other hosts
        AdvSendAdvert on;
        // Fragmentation is bad(tm)
        AdvLinkMTU 1280;
        MaxRtrAdvInterval 300;
        // IPv6 subnet prefix we've been assigned by our PoP
        prefix 2001:470:1F00:296::/64
        {
                AdvOnLink on;
                AdvAutonomous on;
        };
};

Further information is available in man radvd.conf. We can now start radvd and set it to start at boot.

# /etc/init.d/radvd start
# rc-update add radvd default

Stateful Configuration 

If you'd like to use stateful configuration, you'll need to install and configure dhcpv6.

# emerge dhcpv6

Next we must configure the DHCPv6 server by editing /etc/dhcp6s.conf.

prefer-life-time 10000;
valid-life-time 20000;
renew-time 5000;
rebind-time 8000;
interface eth1 {
    link AAA {
        allow unicast;
        send unicast;
        allow rapid-commit;
        send server-preference 5;
        renew-time 1000;
        rebind-time 2400;
        prefer-life-time 2000;
        valid-life-time 3000;
        pool{
            range 2001:470:1f00:296::10 to 2001:470:1f00:296::110/64;
            prefix 2001:470:1f00:296::/64;
        };
    };
};

We can now start dhcp6s, and configure it to start at boot.

# /etc/init.d/dhcp6s start
# rc-update add dhcp6s default

6. IPv6 Clients

Using radvd 

Clients behind this router should now be able to connect to the rest of the net via IPv6. If using radvd, configuring hosts should be as easy as bringing the interface up. (This is probably already done by your net.ethX init scripts).

# ip link set eth0 up
# ip addr show eth0
1: eth0: <BROADCAST,MULTICAST,UP> mtu 1400 qdisc pfifo_fast qlen 1000
    link/ether 00:01:03:2f:27:89 brd ff:ff:ff:ff:ff:ff
    inet6 2001:470:1f00:296:209:6bff:fe06:b7b4/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::209:6bff:fe06:b7b4/64 scope link
       valid_lft forever preferred_lft forever
    inet6 ff02::1/128 scope global
       valid_lft forever preferred_lft forever

using DHCPv6 

If your router is set up to use DHCPv6, your clients will also need to have the dhcpv6 package installed. After having done this, you need to configure your client by editing /etc/dhcp6c.conf.

interface eth0 {
        send rapid-commit;
        request prefix-delegation;
        request domain-name-servers;
        request temp-address;
        iaid 11111;
        renew-time 11000;
        rebind-time 21000;
};

7. Using 6to4 Conversion

Basic principles 

6to4 conversion can be used if you want to have hosts that talk to IPv4 hosts over a purely IPv6 connection. Thus you can have an entirely IPv6 internal network, with one host dealing with connecting to the outside IPv4/IPv6 world.

DNS configuration 

To get 6to4 conversion working, a DNS proxy, totd, need to be configured that will send you AAAA records for sites that really only have A records. These AAAA records will point to IPv6 addresses which don't actually exist, but which will get routed through a 6to4 proxy.

Since totd is still ~x86 masked pending further testing, you'll have to unmask it by appending the following line to your /etc/portage/package.keywords file (see "man portage" for more informations about this file).

net-misc/totd ~x86

Then simply run emerge:

# emerge totd

Next, we need to setup /etc/totd.conf with some basic configuration information.

(Points to a real DNS nameserver)
forwarder 192.168.0.2 port 53
(What prefix to put before faked AAAA records)
prefix 3ffe:abcd:1234:9876::
(What port to run totd on)
port 5005
(What PID file to use)
pidfile /var/run/totd.pid
(Actually do 6to4 stuff)
stf

6to4 proxy 

ptrtd will be used as a 6to4 proxy, enabling connections between the internal IPv6 host and the outside IPv4 host.

# emerge ptrtd

We now need to configure ptrtd, telling it what fake prefix (the one we setup totd to use) to create proxy connections for. Edit /etc/conf.d/ptrtd and set IPV6_PREFIX. This should be the same prefix as was configured with totd.

IPV6_PREFIX="3ffe:abcd:1234:9876::"

You can now start totd, and enable it to start at boot.

# /etc/init.d/totd start
# rc-update add totd default

Client configuration and testing 

Clients may now be configured to connect to both IPv4 and IPv6 hosts through an IPv6 only connection. Assuming that the clients are already receiving an IP address from radvd, we simply need to add a new DNS resolver entry, and add a default route for those "fake addresses". First, add an entry at the top of your /etc/resolv.conf pointing to the machine running totd.

nameserver 2001:470:1f00:296::1 (The server running totd)

To test name resolution, request an AAAA record for a known IPv4 only site.

# dig aaaa google.com
;; ANSWER SECTION:
google.com.             300     IN      AAAA     3ffe:abcd:1234:9876::d8ef:3364
google.com.             300     IN      AAAA     3ffe:abcd:1234:9876::d8ef:3564

We will now add a default route for all addresses prefixed with our chosen fake prefix.

(Assuming your IPv6 interface is eth0)
# ip route add 3ffe:abcd:1234:9876::/64 via 2001:470:1f00:296::1 dev eth0

Finally, use ping6 to ping google.com at it's fake IPv6 location.

# ping6 -c 2 google.com
PING 3ffe:abcd:1234:9876::d8ef:3364(3ffe:abcd:1234:9876::d8ef:3364) 56 data bytes
64 bytes from 3ffe:abcd:1234:9876::d8ef:3364: icmp_seq=1 ttl=54 time=0.106 ms
64 bytes from 3ffe:abcd:1234:9876::d8ef:3364: icmp_seq=2 ttl=54 time=0.090 ms

--- 3ffe:abcd:1234:9876::d8ef:3364 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.090/0.098/0.106/0.008 ms

8. Other Resources

There are many excellent resources online pertaining to IPv6.

On IRC, you can try #gentoo-ipv6 or #ipv6 on Freenode. You can connect to the Freenode servers using an IPv6 enabled client by connecting to irc.ipv6.freenode.net.