Switching to IPv6

IPv4 is the infrastructure upon which we have the best global connectivity that we've ever had, but it has its problems and its weak points.

IPv6 is the designated successor to IPv4, with a goal of eliminating some of the obvious weak points and integrating some well-tested solutions to common problems learned from the IPv4 experience. This page is about getting connected to the new networking protocols.

Native IPv6

If your upstream offers you native IPv6, i'm not sure how to do this yet

IPv6 tunneled over IPv4

Hurricane Electric offers a free tunnel brokering service. This appears to be a decent option if you have a relatively static IP address, and don't mind giving them your personal information. If you create an account on their site, and ask to be delegated a /64 range it will be done in an automated fashion, so you can complete this step in a matter of minutes.

When you get your delegation, there will be two ranges described: one range is for the tunnel itself, covering specifically the two endpoints. The other range is yours to do with as you please.

Setting it up

Typically, the setup would be:

Enable IPv6 in your kernel

Most modern Linux-based OSes are shipping with an IPv6-enabled kernel. So usually the only thing you need to do is to load the module:

modprobe -v ipv6

Add the tunnel to your router

Here's how i configured the local tunnel (much of this was pulled from the scripts output by the the HE tunnel broker site). Make sure you replace the variables appropriately for your connection. In particular, note that $TUNNEL_LOCAL_IPv6_ADDR usually does not fall into your /64 delegation -- it's just an external IP address to communicate between endpoints of the tunnel.

ip tunnel add he-ipv6 mode sit remote $TUNNEL_BROKER_IPv4_ADDR local $MY_PUBLIC_IPv4_ADDR ttl 255
ip link set he-ipv6 up
ip addr add ${TUNNEL_LOCAL_IPv6_ADDR}/64 dev he-ipv6
ip route add ::/0 dev he-ipv6

Declare your delegation on your LAN

ip -f inet6 addr add 2001:470:1f07:60d::1/64 dev lan

Enable routing between the two

This enables full-fledged IPv6 routing across all interfaces:

echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

It'd be better to make it a little more fine-grained, probably.

More sophisticated routing

Once your connection is up, you might want to do some filtering at your firewall. NAT is fortunately totally unnecessary with IPv6, but that doesn't mean that you don't want to filter traffic in some circumstances. For example, you might want to reject inbound requests except for ones you explicitly allow. Look at the ip6tables utility for this (it is similar to iptables).

DNS lookups and reverse delegation

Now that you have an IPv6 delegation, you probably want to be able to serve records for it. AAAA records are the equivalent of A records (forward lookup), and PTR records are still used for reverse lookup, but in a different space. Instead of (for a full class C reverse delegation Z.Y.X.0/24), reverse lookups are organized under the zone. For example, reverse DNS for the IPv6 delegation at the lair is in the

Hurricane Electric offers immediate reverse delegation to the nameserver of your choice through their webUI.

tinydns-data records for IPv6

bleh. unpatched djbdns doesn't have an easy way to produce AAAA records, and it isn't capable of serving traffic over IPv6 transport at all, unfortunately.

That doesn't mean that you can't make a quick pass at it initially, though.

I used an online record builder to come up with the appropriate "generic" records for AAAA values.

The PTR records can be produced cleanly by using ^ records, and typical . records can be used to identify nameservers for reverse delegations. For example:

# my reverse delegation mentioned above:
# an example AAAA record:\040\001\004\160\037\007\006\015\000\000\000\000\000\000\000\002:86400
# the equivalent PTR record:


I know that a lot of the changes in IPv6 (aside from the address space) have to do with autoconfiguration of hosts on a local network segment. But i'm not sure what specifically i need to do to make that work. Are there services i need to run on the router so that route announcements propagate automagically to IPv6-only clients?

Last modified 10 years ago Last modified on May 28, 2008, 6:08:49 PM