IPv6

From SOWNWiki

SOWN has global IPv6 addressing provided by the University of Southampton. In March 2016, IPv6 officially superseded IPv4, with the latter being declared "Historic". IPv6 is required for continued globally unique addressing, as top-level address space for IPv4 officially ran out at the end of January 2011. SOWN has a /56 IPv6 prefix, which represents approximately 3^20 unique addresses, or 256 /64 networks or nodes.

Address Space

Allocations

University of Southampton has:  2001:630:d0::/48
Electronics and Computer Science has:  2001:630:d0:f000::/52
SOWN uses:  2001:630:d0:f700::/56

Routing

Sown-gw is the gateway server for the SOWN network. It sits at the edge of the SOWN network and forwards IPv6 (and IPv4) traffic between SOWN and the rest of the Internet. Although SOWN allocates addresses from the whole 2001:630:d0:f700::/56 IPv6 range, only 2001:630:d0:f700::/64 is currently (statically) routed down to SOWN from the University of Southampton's network. It is planned that the whole 2001:630:d0:f700::/56 will be statically routed to the SOWN network by late 2017 / early 2018.

Firewalling

To ensure SOWN's network is firewalled from the Internet on IPv6, the IPv6 firewall is deployed along with its IPv4 counterpart using /etc/init.d/firewall on Sown-gw. The following firewall configuration (/etc/default/firewall6) is deployed by this script:

*raw
:PREROUTING ACCEPT [18477998:11099061430]
:OUTPUT ACCEPT [2669381:312650145]
COMMIT

*mangle
:PREROUTING ACCEPT [18477998:11099061430]
:INPUT ACCEPT [4513555:4055743616]
:FORWARD ACCEPT [13946597:7041946510]
:OUTPUT ACCEPT [2669381:312650145]
:POSTROUTING ACCEPT [16604636:7353796401]
COMMIT

*filter
:INPUT DROP [48:2880]
:FORWARD DROP [5133:308012]
:OUTPUT ACCEPT [1149448:125247877]
[3240995:3901369955] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Allow all existing and related connections"
[802906:63745512] -A INPUT -p ipv6-icmp -j ACCEPT -m comment --comment "Allow all ICMPv6 requests for ping, traceroute, neighbor discovery, etc."
[462698:90069936] -A INPUT -d ff00::/8 -j ACCEPT -m comment --comment "Allow gw to operate as a multicast router"
[0:0] -A INPUT -s ff00::/8 -j ACCEPT -m comment --comment "Allow gw to operate as a multicast router"
[58:7476] -A INPUT -d fe80::/10 -j ACCEPT -m comment --comment "Allow connections to link-local addresses from gw"
[0:0] -A INPUT -s fe80::/10 -j ACCEPT -m comment --comment "Allow connections from link-local addresses to gw"
[6826:546417] -A INPUT -i eth0 -j ACCEPT -m comment --comment "Allow any requests on the SOWN VLAN interface"
[0:0] -A INPUT -p pim -j ACCEPT -m comment --comment "Allow PIM for SSM to allow gw to operate as a multicast router"
[72:4320] -A INPUT -j LOG --log-prefix "INPUT DEBUG DROP: " -m comment --comment "Log all traffic to gw that is being dropped."
[0:0] -A INPUT -p tcp -m tcp -s 2001:630:d0::/48 --dport 22 -j ACCEPT -m comment --comment "Allow SSH onto gw from the rest of the UoS"
[0:0] -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP -m comment --comment "Drop all router advertisements"
[5754:460320] -A FORWARD -s 2001:630:d0:f700::247/128 -d 2001:630:d0:f104::80f/128 -p tcp -j REJECT --reject-with icmp6-port-unreachable -m comment --comment "Drop all requests from backup3 to skoll.ecs.soton.ac.uk. Canary check to confirm firewall is active."
[12178349:6835731842] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Allow through all existing and related connections"
[1543013:160468856] -A FORWARD -p ipv6-icmp -j ACCEPT -m comment --comment "Allow through all remaining ICMPv6"
[103493:36655810] -A FORWARD -i eth0 -j ACCEPT -m comment --comment "Allow through all requests on the SOWN VLAN interface"
[607:36420] -A FORWARD -p udp -m udp --dport 33434:33523 -m state --state NEW -j ACCEPT -m comment --comment "Allow through all UDP requests used by traceroute6"
[0:0] -A FORWARD -p udp -m udp --dport 33434:33523 -m state --state ESTABLISHED -j DROP -m comment --comment "traceroute6 does require an established connection so drop to avoid these ports being abused"
[0:0] -A FORWARD -p pim -j ACCEPT -m comment --comment "Allow through all PIM from SSM to facilitate multicast"
[0:0] -A FORWARD -d ff00::/8 -j ACCEPT -m comment --comment "Allow outgoing multicast from SOWN"
[0:0] -A FORWARD -s ff00::/8 -j ACCEPT -m comment --comment "Allow incoming multicast to SOWN"
[0:0] -A FORWARD -d fe80::/10 -j ACCEPT -m comment --comment "Allow hosts to talk to each other over link-local addresses"
[14267:1140656] -A FORWARD -s 2001:8b0:c40:ed67::/64 -d 2001:630:d0:f700::210/128 -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "Allow Chris Malton to access SmokePing on odroid.ecs.soton.ac.uk"
[45223:3255880] -A FORWARD -s 2001:630:d0:f111::/64 -d 2001:630:d0:f700::210/128 -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "Allow IAM VLAN hosts to access SmokePing on odroid.ecs.soton.ac.uk"
[47469:3630072] -A FORWARD -s 2001:630:d0:f111::/64 -d 2001:630:d0:f700::219/128 -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "Allow Chris Malton to access SmokePing on vpn-test.sown.org.uk"
[2834:226720] -A FORWARD -s 2001:8b0:c40:ed67::/64 -d 2001:630:d0:f700::219/128 -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "Allow IAM VLAN hosts to access SmokePing on vpn-test.sown.org.uk"
[0:0] -A FORWARD -s fe80::/10 -j ACCEPT -m comment --comment "Allow hosts to talk to each other over link-local addresses"
[5588:339934] -A FORWARD -j LOG --log-prefix "FORWARD DEBUG DROP: " -m comment --comment "Log all forwarded traffic that is being dropped."
[0:0] -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP -m comment --comment "Do not let gw send out router advertisements."
COMMIT
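A lint pass over a firewall6-style ruleset, as an added example that is not part of the SOWN page or its deployment script: it parses ip6tables-save style lines (counters included), checks that INPUT and FORWARD default to DROP, that every -s/-d value is a valid IPv6 prefix (the kind of slip that makes a whole restore fail), that --comment is paired with -m comment, and that both FORWARD and OUTPUT drop ICMPv6 type 134 as the ruleset above does. The sample ruleset is constructed for the example.

```python
import ipaddress
import shlex

# Constructed sample in the shape of the firewall6 ruleset above; it deliberately carries
# a prefix missing its "::", a five-digit hextet, --comment without -m comment, and no RA drop on OUTPUT.
SAMPLE_RULES = """\
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -p tcp -m tcp -s 2001:630:d0:/48--dport 22 -j ACCEPT -m comment --comment "SSH from UoS"
[0:0] -A FORWARD -s fe080::/10 -j ACCEPT --comment "link-local"
[0:0] -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP -m comment --comment "drop RAs"
"""

def parse_ruleset(text):
    """Return ({chain: policy}, [(chain, tokens)]) from ip6tables-save style text."""
    policies, rules = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith(":"):                    # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("["):                  # "[pkts:bytes] -A CHAIN ..."
            tokens = shlex.split(line)[1:]          # shlex keeps quoted comments whole
            if tokens[:1] == ["-A"]:
                rules.append((tokens[1], tokens))
    return policies, rules

def _arg(tokens, flag):
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def lint_ruleset(text):
    """Return a list of findings; an empty list means every check passed."""
    policies, rules = parse_ruleset(text)
    findings = [f"{c}: policy is {policies.get(c)}, expected DROP"      # default-deny
                for c in ("INPUT", "FORWARD") if policies.get(c) != "DROP"]
    ra_dropped = set()
    for chain, toks in rules:
        for flag in ("-s", "-d"):                   # every prefix must parse as IPv6
            if (value := _arg(toks, flag)) is not None:
                try:
                    ipaddress.IPv6Network(value, strict=False)
                except ValueError:
                    findings.append(f"{chain}: malformed IPv6 prefix {value!r}")
        if "--comment" in toks and "comment" not in [toks[i + 1] for i, t in enumerate(toks[:-1]) if t == "-m"]:
            findings.append(f"{chain}: --comment used without -m comment")
        if _arg(toks, "--icmpv6-type") == "134" and _arg(toks, "-j") == "DROP":
            ra_dropped.add(chain)                   # rogue-RA protection present
    findings += [f"{c}: no rule dropping ICMPv6 type 134 (router advertisements)"
                 for c in ("FORWARD", "OUTPUT") if c not in ra_dropped]
    return findings
```

Running lint_ruleset over the real /etc/default/firewall6 before restoring it turns a silent ip6tables-restore failure into a readable list of offending lines.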

RADVD

SOWN(at)Home nodes will run a router advertisement daemon (RADVD), which advertises the prefix and default route of the IPv6 network.

The configuration file is very simple:

 # Send unsolicited router advertisements on the client-facing interface
 interface eth0
 {
   AdvSendAdvert on;
   # Advertise SOWN's routed /64; radvd's defaults mark it on-link and autonomous (SLAAC)
   prefix 2001:630:d0:f700::/64
   {
   };
 };

OpenVPN

OpenVPN will be used to route IPv6 subnets to SOWN(at)Home nodes connected to the network. Currently, SOWN's standalone IPv6 tunnel broker provides a similar service but is not integrated into the SOWN(at)Home firmware and admin system. Its features are being integrated into SOWN's new OpenVPN server on Sown-vpn2.

Multicast

Sown-gw will be configured to become the IPv6 multicast router for SOWN.

Packages Required

The following packages will probably be needed to allow Sown-gw to talk to ford.6core, ECS's IPv6 core router.

  • pimd
  • mrd6

No other configuration should be required at this stage. However, some packages may need to be configured to use eth1 as the default multicast route/interface, although this really shouldn't be required.

Testing Source Specific Multicast (SSM)

To be tested

Testing Any Source Multicast (ASM)

To be tested