ip -f inet6 addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: pan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
inet6 fe80::54e7:33ff:fe76:a19f/64 scope link
valid_lft forever preferred_lft forever
5: bnep0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 fe80::20a:3aff:fe7c:5c74/64 scope link
valid_lft forever preferred_lft forever
7: ath0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2290
inet6 fe80::21b:2fff:febe:c0d1/64 scope link
valid_lft forever preferred_lft forever
curl I made sure to build with ipv6 support, I built it today. It
responds:
curl -v https://fe80::54e7:33ff:fe76:a19f/
* About to connect() to fe80::54e7:33ff:fe76:a19f port 443 (#0)
* Trying fe80::54e7:33ff:fe76:a19f... Failed to connect to fe80::54e7:33ff:fe76:a19f: Invalid argument
* Success
* couldn't connect to host
* Closing connection #0
curl: (7) Failed to connect to fe80::54e7:33ff:fe76:a19f: Invalid argument
Exit 7
Looks like it doesn't know what it's supposed to do. I enter the same in
Firefox, and Firefox shortens the address:
from
https://fe80::54e7:33ff:fe76:a19f/
to
and then tells me
Firefox can't find the server at fe80.
The browser could not find the host server for the provided address.
Of course not, that's not the right address. It's not "fe80", but
fe80::54e7:33ff:fe76:a19f.
I try another server, this one an ipv6-enabled ftp, at the localhost
address:
curl -v ftp://::1/
* Could not resolve host: : (Domain name not found)
* Closing connection #0
curl: (6) Could not resolve host: : (Domain name not found)
Exit 6
netcat -v fe80::54e7:33ff:fe76:a19f 591
Error: Couldn't resolve host "fe80::54e7:33ff:fe76:a19f"
Exit 1
netcat -v ::1 591
Error: Couldn't resolve host "::1"
Exit 1
Yet ...
ping6 fe80::54e7:33ff:fe76:a19f
PING fe80::54e7:33ff:fe76:a19f (fe80::54e7:33ff:fe76:a19f): 56 data bytes
64 bytes from fe80::54e7:33ff:fe76:a19f%pan0: icmp_seq=0 ttl=64 time=0.091 ms
64 bytes from fe80::54e7:33ff:fe76:a19f%pan0: icmp_seq=1 ttl=64 time=0.098 ms
64 bytes from fe80::54e7:33ff:fe76:a19f%pan0: icmp_seq=2 ttl=64 time=0.100 ms
^C--- fe80::54e7:33ff:fe76:a19f ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.091/0.096/0.100/0.000 ms
ping6 ::1
PING ::1 (::1): 56 data bytes
64 bytes from ::1: icmp_seq=0 ttl=64 time=0.085 ms
64 bytes from ::1: icmp_seq=1 ttl=64 time=0.085 ms
64 bytes from ::1: icmp_seq=2 ttl=64 time=0.085 ms
^C--- ::1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.085/0.085/0.085/0.000 ms
This would probably be the other host, actually across a bluetooth
(NAP) link:
ping6 ff02::1
PING ff02::1 (ff02::1): 56 data bytes
64 bytes from fe80::54e7:33ff:fe76:a19f%pan0: icmp_seq=0 ttl=64 time=0.212 ms
64 bytes from fe80::108f:97ff:fe36:6311%pan0: icmp_seq=0 ttl=64 time=284.773 ms (DUP!)
64 bytes from fe80::54e7:33ff:fe76:a19f%pan0: icmp_seq=1 ttl=64 time=0.164 ms
64 bytes from fe80::108f:97ff:fe36:6311%pan0: icmp_seq=1 ttl=64 time=49.288 ms (DUP!)
64 bytes from fe80::54e7:33ff:fe76:a19f%pan0: icmp_seq=2 ttl=64 time=0.160 ms
64 bytes from fe80::108f:97ff:fe36:6311%pan0: icmp_seq=2 ttl=64 time=28.285 ms (DUP!)
64 bytes from fe80::54e7:33ff:fe76:a19f%pan0: icmp_seq=3 ttl=64 time=0.164 ms
64 bytes from fe80::108f:97ff:fe36:6311%pan0: icmp_seq=3 ttl=64 time=30.264 ms (DUP!)
64 bytes from fe80::54e7:33ff:fe76:a19f%pan0: icmp_seq=4 ttl=64 time=0.157 ms
64 bytes from fe80::108f:97ff:fe36:6311%pan0: icmp_seq=4 ttl=64 time=32.248 ms (DUP!)
64 bytes from fe80::54e7:33ff:fe76:a19f%pan0: icmp_seq=5 ttl=64 time=0.163 ms
64 bytes from fe80::108f:97ff:fe36:6311%pan0: icmp_seq=5 ttl=64 time=18.227 ms (DUP!)
^C--- ff02::1 ping statistics ---
6 packets transmitted, 6 packets received, +6 duplicates, 0% packet loss
round-trip min/avg/max/stddev = 0.157/37.009/284.773/76.473 ms
So I think there's ipv6 working in some way.
If both (2) my hosts are ipv6-enabled, and the servers themselves are
built with ipv6 support, then I should be able to at least connect back
and forth intra-LAN via ipv6, correct, even if my ISP isn't supporting
ipv6 (because I'm inside the LAN, not outside). Why can't I use ipv6 to
make connections here?
ps: How to tell port number from address when using ipv6 if both are
separated with ":"?
eg,
port 591 at fe80::54e7:33ff:fe76:a19f
would be
fe80::54e7:33ff:fe76:a19f:591 ?
--
[** America, The Police State **]
http://www.hermes-press.com/police_state.htm
finger jayjwa at host atr2.ath.cx ==============================
If the syntax includes the port, usually you enclose the IP address in
brackets.
e.g., [fe80::54e7:33ff:fe76:a19f]:591
That's the convention that's been chosen for URLs (e.g., Firefox). Apps
that pick their own syntax may have other conventions.
I'm seeing link local addresses, but not a global one... you may
need network infrastructure that is IPv6 capable (?).
Link-local addresses work fine as long as there are no routers between
the client and server. In particular, connections to localhost
(localhost6) wouldn't use a router.
Probably the reason there's no global address is because he didn't
assign one and doesn't have an IPv6-capable router advertising a prefix.
You can run IPv6 in your home or a lab without them. Of course, it's
better to have them, but you don't actually need them, especially if
you're not interested in IPv6 Internet access.
>>> I'm obviously doing something wrong, but can't figure out what to look
>>> at. Connections with ipv6 don't seem to work. Consider an httpd on the
>>> localhost, also listening at interface pan0:
>>
>> I'm seeing link local addresses, but not a global one... you may
>> need network infrastructure that is IPv6 capable
Either way, shouldn't the loopback work? If the ping6 tests succeed,
wouldn't that mean net-devices are IPv6 capable, even if connections
aren't working now?
> Link-local addresses work fine as long as there are no routers between
> the client and server. In particular, connections to localhost
> (localhost6) wouldn't use a router.
>
> Probably the reason there's no global address is because he didn't
> assign one and doesn't have an IPv6-capable router advertising a
> prefix. You can run IPv6 in your home or a lab without them. Of
> course, it's better to have them, but you don't actually need them,
> especially if you're not interested in IPv6 Internet access.
Is this IPv6-specific? Currently, the first system acts as a router,
forwarding packets for (when it's attached) ethernet connections, a
bluetooth connection, and any number of wireless clients, usually
two. For the bluetooth, I use addresses such as 192.168.20.*, and the
wireless such as 192.168.30.*. Bluetooth is set statically, using ip
addr add <address> broadcast + dev <device> while wireless I run DHCP
for so that clients can pull addresses out of 192.168.30.* when they
need to.
I had assumed that when you assigned an IPv4 address to an interface,
you also get the "IPv6 equivalent" to the IPv4 address as well because
while I specifically set inet 192.168.20.1/24 brd 192.168.20.255 scope
global pan0 out of the below information, the inet6 part auto-magically
appeared:
3: pan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/ether 00:0a:3a:7c:5c:74 brd ff:ff:ff:ff:ff:ff
inet 192.168.20.1/24 brd 192.168.20.255 scope global pan0
inet6 fe80::54e7:33ff:fe76:a19f/64 scope link
valid_lft forever preferred_lft forever
As for the routes, IPv4 looks as expected,
192.168.20.0/24 dev pan0 proto kernel scope link src 192.168.20.1
192.168.30.0/24 dev ath0 proto kernel scope link src 192.168.30.1
127.0.0.0/8 dev lo scope link
default via 192.168.20.2 dev pan0
with routes added according to the address I gave the interface when it
upped. With IPv6, this doesn't appear to be happening. All interfaces
look like they have the same route,
fe80::/64 dev pan0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev bnep0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev ath0 proto kernel metric 256 mtu 2290 advmss 2230 hoplimit 4294967295
ff00::/8 dev pan0 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev bnep0 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev ath0 metric 256 mtu 2290 advmss 2230 hoplimit 4294967295
Someone must be using IPv6 - do you just enter, for example,
"http://2001:0db8:0:f101::1/" in Firefox's address bar and it works? If
so, what do your 'ip -6 route show''s display on both Internet-facing
and intranet hosts?
The Linux+IPv6-HOWTO talks about auto-configuration, but it's not clear
what they mean. This IPv6 stuff is tricky :-\
--
Yes, loopback would work even if you don't have globally routable
addresses. I say that in the next statement, which you quoted.
>> Link-local addresses work fine as long as there are no routers between
>> the client and server. In particular, connections to localhost
>> (localhost6) wouldn't use a router.
>>
>> Probably the reason there's no global address is because he didn't
>> assign one and doesn't have an IPv6-capable router advertising a
>> prefix. You can run IPv6 in your home or a lab without them. Of
>> course, it's better to have them, but you don't actually need them,
>> especially if you're not interested in IPv6 Internet access.
>
> Is this IPv6-specific? ...
Each IPv6 device automatically assigns IPv6 link-local addresses
(fe80::/10) to its interfaces based on the interface MAC address.
Link-local addresses only work on the local link (i.e., they are not
routed), which is why they're called link-local. There is no arp in
IPv6. Link-local addresses and their detection by on-link neighbors
takes the place of arp. Link-local auto-configuration is analogous to
169.254.0.0/16 addresses in IPv4 (except they're MAC-based instead of
random).
> [snip]
>
> ... while wireless I run DHCP
> for so that clients can pull addresses out of 192.168.30.* when they
> need to.
>
> I had assumed that when you assigned an IPv4 address to an interface,
> you also get the "IPv6 equivalent" to the IPv4 address as well because
> while I specifically set inet 192.168.20.1/24 brd 192.168.20.255 scope
> global pan0 out of the below information, the inet6 part auto-magically
> appeared:
>
> 3: pan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
> link/ether 00:0a:3a:7c:5c:74 brd ff:ff:ff:ff:ff:ff
> inet 192.168.20.1/24 brd 192.168.20.255 scope global pan0
> inet6 fe80::54e7:33ff:fe76:a19f/64 scope link
> valid_lft forever preferred_lft forever
DHCP is much different in IPv6 and completely separate from IPv4 DHCP.
Auto-configuration of global addresses in IPv6 depends on router
advertisements telling each client on a link what the network prefix is
for that link, then the client adds its MAC address (or a random number
using privacy extensions if you're worried that someone might figure out
who you are by your MAC address) to form the full address. Or you can
manually assign a global address. Or both. (I do both, one private
admin - fd00::/8 - assigned manually and one truly global - 2000::/3 -
handed out automatically by the router.)
In fact, there's no limit to the number of addresses you can assign to a
given interface. Unlike in IPv4, you don't alias an interface to assign
it more addresses. In IPv6, you just assign it as many addresses as you
want or need.
> As for the routes, IPv4 looks as expected,
>
> 192.168.20.0/24 dev pan0 proto kernel scope link src 192.168.20.1
> 192.168.30.0/24 dev ath0 proto kernel scope link src 192.168.30.1
> 127.0.0.0/8 dev lo scope link
> default via 192.168.20.2 dev pan0
>
> with routes added according to the address I gave the interface when it
> upped. With IPv6, this doesn't appear to be happening. All interfaces
> look like they have the same route,
>
> fe80::/64 dev pan0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
> fe80::/64 dev bnep0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
> fe80::/64 dev ath0 proto kernel metric 256 mtu 2290 advmss 2230 hoplimit 4294967295
> ff00::/8 dev pan0 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
> ff00::/8 dev bnep0 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
> ff00::/8 dev ath0 metric 256 mtu 2290 advmss 2230 hoplimit 4294967295
You have no IPv6 routes. You have only directly connected networks for
the link-local addresses (fe80::/10) and the multicast addresses
(ff00::/8). Setting routes in config files is highly dependent on
distro, but setting IPv6 routes probably follows the pattern your distro
uses for IPv4 routes.
> Someone must be using IPv6 - do you just enter, for example,
> "http://2001:0db8:0:f101::1/" in Firefox's address bar and it works? If
> so, what do your 'ip -6 route show''s display on both Internet-facing
> and intranet hosts?
As I said in my original post (which you edited away), there is an RFC
that specifies the IP address is to be enclosed in brackets for IPv6
URLs. Using the example address above, it would be
http://[2001:0db8:0:f101::1]. If you added a port, for example 81, it
would be http://[2001:0db8:0:f101::1]:81.
Considering that IPv6 addresses are 128 bits, DNS is even more important
than in IPv4. People could fairly easily type out the decimal dotted
representation of a 32-bit IPv4 address, but there is a much greater
opportunity to fat-finger the hexadecimal representation of a 128-bit
address.
Trimmed for verbosity, "ip -6 route show" on my Internet host (which has
ppp0 with mtu 1492 on eth1):
2002:wwxx:yyzz:3::/64 dev eth0 mtu 1500
2002::/16 dev tun6to4 mtu 1472
fd00:0:0:3::/64 dev eth0 mtu 1500
fd01:0:0:9::/64 via fd00:0:0:3::9 dev eth0 mtu 1500
fe80::/64 dev eth1 mtu 1500
fe80::/64 dev eth0 mtu 1500
fe80::/64 dev tun6to4 mtu 1472
default via ::192.88.99.1 dev tun6to4 mtu 1472
192.88.99.1 is the public anycast address for 6to4 relay routing
services. Since I use 6to4 tunneling to get access to the IPv6
Internet, the IPv4 anycast address is my default IPv6 Internet route.
Trimmed for verbosity, "ip -6 route show" on my internal host:
2002:wwxx:yyzz:3::/64 dev eth0 expires 84sec mtu 1500
fd00:0:0:3::/64 dev eth0 mtu 1500
fd01:0:0:9::/64 dev vmnet1 mtu 1500
fd00::/8 via fd00:0:0:3::2 dev eth0 mtu 1500
fe80::/64 dev eth0 mtu 1500
fe80::/64 dev vmnet1 mtu 1500
default via fe80::250:bfff:fed3:43df dev eth0 expires 174sec mtu 1500
... where wwxx:yyzz is my public IPv4 address, propagated by my
firewall/router into the internal network via router advertisements.
NAT is not implemented in Linux for IPv6, so there's no masquerade.
(Based on some fairly religious statements that have been made, it's
possible NAT may never be implemented in Linux.) I've also eliminated
for readability the "unreachable" routes blocked by netfilter
(ip6tables). (Take note: There are some nasty people who have been able
to penetrate IPv6 networks because home firewall admins have been a
little slow figuring out how to deal with IPv6 correctly without NAT.)
Because my ppp0 address is dynamic, the internal advertisements have a
fairly short expiry in case the public IPv4 address changes. Note that
the default route on the internal host is the link-local address of the
internal interface (eth0) on my Internet host. The internal host picks
that route up also from the router advertisement.
> The Linux+IPv6-HOWTO talks about auto-configuration, but it's not clear
> what they mean. This IPv6 stuff is tricky :-\
A book or other tutorial not specific to Linux is probably a better way
to learn IPv6, especially for folks who might still be a little fuzzy on
how IPv4 works. I liked "IPv6 Essentials" from O'Reilly, but other
folks might have different favorites.
HTH
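
An added example, not part of the original post: the MAC-based (modified EUI-64) link-local address described above, its reversal (the reason the privacy extensions exist), and the 6to4 prefix built from a public IPv4 address. The function names are illustrative, and 192.0.2.1 is a constructed documentation address standing in for the wwxx:yyzz value.

```python
import ipaddress


def mac_to_link_local(mac):
    """Modified EUI-64: flip the universal/local bit of the first octet,
    insert ff:fe in the middle, and prepend fe80::/64."""
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC, got %r" % mac)
    octets[0] ^= 0x02
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)


def recover_mac(addr):
    """Return the MAC embedded in a MAC-derived address, or None when the
    interface identifier does not carry the ff:fe marker."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join("%02x" % o for o in octets)


def sixto4_subnet(public_ipv4, subnet_id):
    """2002:wwxx:yyzz:<subnet>::/64, where wwxx:yyzz is the IPv4 address."""
    v4 = ipaddress.IPv4Address(public_ipv4).packed
    prefix = b"\x20\x02" + v4 + subnet_id.to_bytes(2, "big") + bytes(8)
    return ipaddress.IPv6Network((prefix, 64))


if __name__ == "__main__":
    # link/ether value shown for pan0 in the thread
    print(mac_to_link_local("00:0a:3a:7c:5c:74"))
    # default-route next hop from the internal host's routing table
    print(recover_mac("fe80::250:bfff:fed3:43df"))
    # address listed on pan0 in the first post
    print(recover_mac("fe80::54e7:33ff:fe76:a19f"))
    # constructed IPv4 address, subnet 3 as in the routing tables above
    print(sixto4_subnet("192.0.2.1", 3))
```

The MAC shown for pan0 (00:0a:3a:7c:5c:74) maps to the link-local address listed on bnep0 in the first post, not to the one listed on pan0. Any host that sees a MAC-derived address can read the hardware address back out of it the same way.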
>> Either way, shouldn't the loopback work? If the ping6 tests succeed,
>> wouldn't that mean net-devices are IPv6 capable, even if connections
>> aren't working now?
>
> Yes, loopback would work even if you don't have globally routable
> addresses. I say that in the next statement, which you quoted.
Well, it didn't, that's why I asked again, to clarify, because my
results did not match the expected. However, I found out the reason for
that, so problem one solved. Of the tools I was testing with, curl has
need of some option and can't request [xxx]:xxx type addresses
directly. Netcat - no idea what's up with it, probably does not support
IPv6. wget (and now curl) I have working:
curl -v -k -g 'https://[::1]/'
wget --no-check-certificate -6 -S 'https://[::1]/'
> You have no IPv6 routes.
This is problem #2 and the heart of the matter.
> You have only directly connected networks
> for the link-local addresses (fe80::/10) and the multicast addresses
> (ff00::/8). Setting routes in config files is highly dependent on
> distro, but setting IPv6 routes probably follows the pattern your
> distro uses for IPv4 routes.
This is not a distro, thus I am asking how to do it. Setting routes in
config files sooner or later amounts to some script someone's written
that reads those values in and then executes the proper tools with those
values as arguments. I need to know the tools and the inner workings of
it, so I can write the scripts, or do it by hand when needed.
> Trimmed for verbosity, "ip -6 route show" on my internal host:
>
> 2002:wwxx:yyzz:3::/64 dev eth0 expires 84sec mtu 1500
> fd00:0:0:3::/64 dev eth0 mtu 1500
> fd01:0:0:9::/64 dev vmnet1 mtu 1500
> fd00::/8 via fd00:0:0:3::2 dev eth0 mtu 1500
> fe80::/64 dev eth0 mtu 1500
> fe80::/64 dev vmnet1 mtu 1500
> default via fe80::250:bfff:fed3:43df dev eth0 expires 174sec mtu 1500
>
> ... where wwxx:yyzz is my public IPv4 address, propagated by my
> firewall/router into the internal network via router
> advertisements. NAT is not implemented in Linux for IPv6, so there's
> no masquerade. (Based on some fairly religious statements that have
> been made, it's possible NAT may never be implemented in Linux.) I've
> also eliminated for readability the "unreachable" routes blocked by
> netfilter (ip6tables). (Take note: There are some nasty people who
> have been able to penetrate IPv6 networks because home firewall admins
> have been a little slow figuring out how to deal with IPv6 correctly
> without NAT.)
I can see why. This isn't like another version of IP, this is more like
a completely new protocol with little if any similarity to IPv4. No
wonder people are slow picking up on it as it requires relearning almost
all aspects of networking.
If there is no NAT, what do you do in situations, such as mine, where
you have less public IP addresses than you have machines needing to
access the Internet? Assign link-local addresses and let the
Internet-facing machine worry about routing what-where?
> Because my ppp0 address is dynamic, the internal advertisements have a
> fairly short expiry in case the public IPv4 address changes. Note
> that the default route on the internal host is the link-local address
> of the internal interface (eth0) on my Internet host. The internal
> host picks that route up also from the router advertisement.
radvd - is this what makes those router advertisements?
'radvd is the router advertisement daemon for IPv6. It listens to router
solicitations and sends router advertisements as described in "Neighbor
Discovery for IP Version 6 (IPv6)" (RFC 4861).'
I came across it while looking for info on IPv6 and routing. I built &
installed it, but have yet to write a config file for it until I get a
better understanding of how IPv6 works.
> A book or other tutorial not specific to Linux is probably a better
> way to learn IPv6, especially for folks who might still be a little
> fuzzy on how IPv4 works. I liked "IPv6 Essentials" from O'Reilly, but
> other folks might have different favorites.
> HTH
Yes, thank you very much.
--
"Police to hack [** America, The Police State **] citizen's PCs"
http://www.worldnetdaily.com/index.php?fa=PAGE.view&pageId=85293
http://www.hermes-press.com/police_state.htm
finger jayjwa at host atr2.ath.cx <==[email|pgp|im|website]=====*
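
An added example, not part of the thread: a host/port splitter that follows the bracket convention discussed above. It shows why the unbracketed guess fe80::54e7:33ff:fe76:a19f:591 cannot work (it is itself a valid, different IPv6 address) and why a URL parser handed an unbracketed literal sees only "fe80". The function names are illustrative.

```python
import ipaddress
from urllib.parse import urlsplit


def _port(text):
    # Accept only ASCII digits in the valid TCP/UDP port range.
    if not (text.isascii() and text.isdigit() and 0 < int(text) < 65536):
        raise ValueError("bad port %r" % text)
    return int(text)


def split_hostport(authority):
    """Split 'host:port' or '[ipv6]:port' into (host, port or None)."""
    if authority.startswith("["):
        host, closed, rest = authority[1:].partition("]")
        if not closed:
            raise ValueError("missing ']' in %r" % authority)
        ipaddress.IPv6Address(host)  # brackets may only hold an IPv6 literal
        if rest == "":
            return host, None
        if not rest.startswith(":"):
            raise ValueError("junk after ']' in %r" % authority)
        return host, _port(rest[1:])
    if authority.count(":") >= 2:
        # Unbracketed text with several colons can only be a bare IPv6
        # address; a trailing ":591" is read as one more address group.
        return str(ipaddress.IPv6Address(authority)), None
    host, colon, port = authority.partition(":")
    return host, (_port(port) if colon else None)


def urlsplit_host(url):
    """Host name as the standard library's URL parser sees it."""
    return urlsplit(url).hostname


ADDR = "fe80::54e7:33ff:fe76:a19f"  # pan0 address from the first post

if __name__ == "__main__":
    print(split_hostport("[%s]:591" % ADDR))   # address and port separated
    print(split_hostport(ADDR + ":591"))       # port swallowed by the address
    print(urlsplit_host("https://%s/" % ADDR))  # cut at the first ':'
    print(urlsplit_host("http://[2001:0db8:0:f101::1]:81"))
```

Code that applies allowlists or logging to host strings should parse with the bracket rule rather than splitting on the first or last colon, otherwise the address it checks is not the address that gets connected to.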
[snip]
> If there is no NAT, what do you do in situations, such as mine, where you
> have less public IP addresses than you have machines needing to access the
> Internet?
s/less/fewer/
That won't happen. You'll have a /48 or a /64 or something similar, so you
should have one or two addresses spare :-)
[snip]
--
| Darren Salt | linux or ds at | nr. Ashington, | Toon
| RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
| Let's keep the pound sterling
When it rains, it pours.
> curl -v -k -g 'https://[::1]/'
> wget --no-check-certificate -6 -S 'https://[::1]/'
Aren't the IPv6 versions named curl6 netcat6 and wget6?
Mark.
--
Mark Hobley
Linux User: #370818 http://markhobley.yi.org/
>> curl -v -k -g 'https://[::1]/'
>> wget --no-check-certificate -6 -S 'https://[::1]/'
>
> Aren't the IPv6 versions named curl6 netcat6 and wget6?
Far as I know, it's all the same source code. What matters is if you
included support for IPv6 when they were built. If they are named
differently, it might distinguish one build from another.
--
Israel: "Just defending themselves"" Yeah, right...
"In one home, the agency said, four small children were found
sitting close to their dead mothers, too weak to stand on
their own". http://news.bbc.co.uk/2/hi/middle_east/7819261.stm
http://www.netbsd.org/docs/network/ipv6/
If you're just starting out with IPv6 and getting it set up on a network
that was previously v4 only, it's a good doc to read IMO.
--
[Zionism Kills: Don't believe Western/Israeli Hype.]
http://www.commondreams.org/view/2009/01/07-7
finger jayjwa at atr2.ath.cx