IPv6 easy guide for Sysadmins

I was taking a deeper look at IPv6 and would like to share what is important from a system administrator's perspective; it may also help you understand it in a simpler way than you would expect from reading the RFCs.

Base knowledge about IPv6

This is a sample IPv6 address: 1234:0001:1234:0002:1234:0003:5212:2312

This address can also be written as 1234:1:1234:2:1234:3:5212:2312; as you can see, the leading zeros of each block can be dropped.

Also, if you have an address like 2001:DDDD:AAAA:BBBB:0000:0000:0000:0000, the addresses under that prefix run all the way up to 2001:DDDD:AAAA:BBBB:FFFF:FFFF:FFFF:FFFF.

And an address like 2001:DDDD:AAAA:BBBB:0000:0000:0000:0000 can be shortened to 2001:DDDD:AAAA:BBBB:: because the last 4 blocks are zero.

You can do this only if you have at least 1 group (block) of zeros, or at most 4 blocks.

Usable hexadecimal characters in an IPv6 address: 0-9, A, B, C, D, E, F
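To make the two shortening rules above concrete, here is an added example (my own code, not part of the original post) that drops the leading zeros of each block and collapses the longest run of zero blocks into "::" in the RFC 5952 style that operating systems print, plus the reverse expansion back to eight padded blocks; it accepts the uppercase or lowercase hex characters listed above and prints lowercase.

```python
# Added example (not from the original post): implement the two shortening
# rules above, drop leading zeros per block and collapse the longest run of
# zero blocks into '::' (RFC 5952 style), plus the reverse expansion.
import re

HEX_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")   # usable characters: 0-9, A-F


def expand(addr):
    """Return the eight 16-bit groups of an IPv6 address, resolving '::'."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    head, sep, tail = addr.partition("::")
    left = head.split(":") if head else []
    right = tail.split(":") if tail else []
    missing = 8 - len(left) - len(right)
    if (sep and missing < 1) or (not sep and missing != 0):
        raise ValueError(f"wrong number of groups in {addr!r}")
    groups = left + ["0"] * missing + right
    bad = [g for g in groups if not HEX_GROUP.match(g)]
    if bad:
        raise ValueError(f"invalid group(s) {bad} in {addr!r}")
    return [int(g, 16) for g in groups]


def full(addr):
    """Uncompressed form, every block padded to four hex digits."""
    return ":".join(f"{g:04x}" for g in expand(addr))


def compress(addr):
    """Shortest form: no leading zeros, longest zero run (first one wins) as '::'."""
    groups = expand(addr)
    best_start, best_len, run_start = -1, 0, None
    for i, g in enumerate(groups + [-1]):     # -1 sentinel closes a trailing run
        if g == 0 and run_start is None:
            run_start = i
        elif g != 0 and run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    hexs = [f"{g:x}" for g in groups]         # leading zeros of each block dropped
    if best_len < 2:                          # RFC 5952: never '::' for a single block
        return ":".join(hexs)
    left = ":".join(hexs[:best_start])
    right = ":".join(hexs[best_start + best_len:])
    return f"{left}::{right}"
```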

Localhost?

IPv4 used 127.X.X.X as the loopback address you can ping; IPv6 uses ::1 (or 0:0:0:0:0:0:0:1).

Private Network?

In IPv4 you used 192.168.X.X or 10.X.X.X depending on how many hosts you had (yes, there are others too), and you created subnets out of those addresses.

IPv6 has this feature too, but from my understanding you do not need it (I do not see any use case where you would need a private address space here).

Unique local addresses in IPv6 start with fc00::/7. Why I will never use unique local addresses I will explain later in the post.

Public IPs

IPv4 has many blocks of public IP addresses, too many to write them all down; IPv6 has just "some" more :-P

DNS Servers?

IPv4 DNS entries use IN A records; IPv6 DNS entries use IN AAAA records.

Corporate Network IP assignment

IPv4: here you needed at least one external IP address, and then you provided different VLAN subnets with private IP addresses. If you only have one IP address, you have to do NAT (Network Address Translation) to be able to reach a local server from the outside (example: web server, mail server).

IPv6: here you need to make sure you get at least a /48 subnet of IPv6 addresses; this way you can do proper VLAN subnetting to have DMZ / client LANs / printer LANs / VoIP VLANs.... This also means every device in your network gets a public IPv6 address, so read the Firewall section in my post carefully.

VPN

IPv4: with today's standards you actually use a VPN to access a corporate network and to reach all your servers from the outside through an encrypted tunnel over the internet.

IPv6: you do not need a VPN anymore; the only thing you need to make sure of is that all services you offer and want to reach are secured through encryption like SSL/TLS.

Firewall

IPv4: here you need to explicitly allow every kind of traffic that should be allowed. If you want to be able to connect from an external address, you are forced to create a NAT rule, which on smaller devices is in most cases very CPU hungry.

IPv6 is simpler there, but you should be able to create rules that are based on groups (VLANs, IPv6 subnets). Nothing like NAT is needed anymore.

Corporate applications

IPv4 is already implemented and it works.

IPv6 is very new for most sysadmins, and they do not know whether their corporate applications will work under IPv6 conditions or whether IPv6 is even implemented in them. Create a list of all applications you are using and set up a test environment with every application. Make sure to set up the test environment on a single computer, and for every connection that is / should / will be made, enter ::1 as the address; this ensures your application connects over IPv6 localhost. After you have done that you also need to check IPv6 DNS resolution, so create an ipv6.corporate.net IN AAAA entry for ::1; now you can use a DNS name that only resolves to localhost.

What were the problems I was facing with IPv6

  • Windows: Windows changes its IPv6 address on every boot; in the default setup it gets 4 IPv6 addresses (static inbound, dynamic inbound, static outbound, dynamic outbound). For my test, and also to write proper IPv6 firewall rules, I had to disable the Windows IPv6 dynamic features with these commands:

netsh interface ipv6 set privacy state=disabled store=active

netsh interface ipv6 set privacy state=disabled store=persistent

netsh interface ipv6 set global randomizeidentifiers=disabled store=active

netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent

  • Mobile phone: my mobile phone did not work with IPv6 (test phone: Nokia E52). This was just for a test, but you may encounter other phones that have the same problem. What did work for me was an iOS device with 6.X+ and Android 4.2+.

  • Calculating subnet masks and the amount of used IPs: I used an online calculator to get the right amount of subnets.

  • Because my ISP did not yet support native IPv6, I was forced to use a tunnel broker from Hurricane (www.tunnelbroker.net).

  • For easier implementation I used IPv4 addresses inside the IPv6 space, for example 2001:AAAA:BBBB:CCCC:10:0:0:1; with this in place I only needed to remember the first 8 bytes and then the IPv4 numbers ;-)
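As an added example (my own code, not from the post) covering the /48 VLAN subnetting, the subnet counting and the "IPv4 digits inside IPv6" trick from the last bullet: it carves a /48 into one /64 per VLAN using the VLAN id as the subnet group, builds the mnemonic host addresses, and maps an address back to its VLAN the way a group-based firewall rule would. The site prefix 2001:db8:1234::/48 is an assumed value from the documentation range, not a real allocation.

```python
# Added example (not from the original post): carve a /48 into per-VLAN /64s,
# build the "IPv4 digits inside IPv6" host addresses from the last bullet, and
# map an address back to its VLAN the way a group-based firewall rule would.
import ipaddress

# Constructed sample; 2001:db8::/32 is the documentation prefix, not a real site.
SITE_PREFIX = ipaddress.IPv6Network("2001:db8:1234::/48")


def plan_vlans(site, vlan_ids):
    """Map each VLAN id to its own /64 inside the site's /48.

    A /48 holds 2**16 = 65536 /64s. Following the mnemonic trick from the post,
    the VLAN id's decimal digits are written straight into the 4th hex group,
    so VLAN 10 lives in 2001:db8:1234:10::/64 (group value 0x0010, not 10).
    """
    if site.prefixlen != 48:
        raise ValueError("expected a /48 site prefix")
    plan = {}
    for vid in vlan_ids:
        if not 0 <= vid <= 9999:
            raise ValueError(f"VLAN id {vid} has more than four digits")
        subnet_group = int(str(vid), 16)           # digits reused as hex digits
        net_int = int(site.network_address) | (subnet_group << 64)
        plan[vid] = ipaddress.IPv6Network((net_int, 64))
    return plan


def mnemonic_host(net, ipv4_text):
    """Put an IPv4 address's octets into the last four groups of a /64.

    10.0.0.1 in 2001:db8:1234:10::/64 -> 2001:db8:1234:10:10:0:0:1, so only the
    prefix plus the familiar IPv4 digits must be remembered. The octets become
    hex groups, so they are a label, not an embedded IPv4 address.
    """
    if net.prefixlen != 64:
        raise ValueError("host part must be exactly the last four groups")
    octets = ipaddress.IPv4Address(ipv4_text).exploded.split(".")
    prefix_groups = net.network_address.exploded.split(":")[:4]
    return ipaddress.IPv6Address(":".join(prefix_groups + octets))


def vlan_of(addr, plan):
    """VLAN id whose /64 contains addr, or None if it belongs to no group."""
    addr = ipaddress.IPv6Address(addr)
    return next((vid for vid, net in plan.items() if addr in net), None)
```

Note that str() of the resulting host address prints the compressed form (2001:db8:1234:10:10::1), so compare on .exploded when checking the layout.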
