IPv6 Static /64

What is IPv6? In short, IPv6 is the next iteration of the Internet Protocol. The pool of available IPv4 addresses is nearly exhausted, and it is becoming harder and harder to obtain an address based on version 4 of the protocol. With IPv6 the number of addresses is fantastically huge and should support the internet for the foreseeable future. For an introduction to IPv6 and what it has to offer see this article, here.

The advent of IPv6 enables the tech-minded community to invent things that were never before possible. ISPs have been charging for IPv4 addresses at a price that is usually not a worthwhile purchase for the average hobbyist tech-engineer. With so many IPv6 addresses available there is no reason to sell even a massive subnet such as a /64 or even a /48, and so companies like Hurricane Electric and GoGo6 are giving away subnets to allow users to have their own static IPv6 addresses.

The buzzword of IPv6 is “the internet of things”. This is the idea that you could connect anything and everything you wanted to the Internet: toasters, headphones, your latest project, pretty much anything that you could possibly dream up. With so many addresses available we can use them for anything and everything.
Having anything and everything connected to the internet sounds like a good idea until you talk to a security researcher. To a security researcher or a common ill-willed hacker, the idea of a world connected to the internet brings about an excitement: as unprepared people start connecting things to the internet, millions of potential security holes will crop up. Instead of hackers stealing data off your computer, they are now able to access, say, the oven in your kitchen, turning it on and possibly creating a disaster inside your home. Suddenly, to burn down a house you don't need to show up in person and light a match; it is just done anonymously over the internet with a few keystrokes. This is a scary thought, but I fear that we will be going down the road of the internet of things whether it is a good idea or a bad one.
My personal feelings are that this could be a good thing, but developers, engineers and creators alike need to be wary of people who may try to use this for evil and need to take the necessary steps to ensure that they don't become a victim of someone who would mean them harm.

IPv6 Network Setup Security Considerations

Like most people, you will probably be working with IPv6 alongside an IPv4 network. The way I have my network set up, and the way I suggest that you do it too, is to split them into two separate networks. Think of IPv4 as your production network that you don't want to have compromised and IPv6 as a development environment network where, even if it did get compromised, your IPv4 environment would be unscathed.

Below is a diagram of a network setup that I use and suggest you use as well when developing with IPv6.



In the diagram above, there are two separate networks, each blocked by its own router firewall. In this instance, you could safely disable any firewall that may come with the modem. Separating your networks will prevent any security flaws in your programming from compromising your “production” workstations, and your IPv6 server could face the internet in a demilitarized zone (DMZ). Keep in mind that putting your internet-facing server in a DMZ doesn't mean that you don't need some sort of firewall between the internet and your server. When configuring the router you still need to open only the ports that you must, and take proper security measures when writing your programs to prevent the hacking of your devices and server.

Getting your Own /64

For the purposes of this article I will be using Hurricane Electric to provide a static IPv6 /64 subnet. There are several other providers of IPv6 addresses that you can make use of; a quick Google search will reveal them for you. If you're lucky enough to have an ISP that is handing out IPv6 subnets then you may get to use the new protocol in native mode. (Most IPv6 is currently not native; it uses IPv6 over IPv4, which basically means that the IPv6 packets are encapsulated in an IPv4 packet.)

Start by going to www.he.net and clicking the tunnel broker setup link in the quick links on the right-hand side of the page. Enter your information and log into your account. Now select Create Tunnel on the left-hand side of the page. You will need to know your current IPv4 address to proceed. To obtain this, type “what is my ip” into Google search to get your public IP address. Once your tunnel is created, click on the link for the tunnel you set up under your account page to reveal your tunnel details. Make note of your “Server IPv4 Address”, “Client IPv6 Address” and your “Routed /64”. You will also note that you can get assigned a /48 at any time should your needs require it.

You now have your own plethora of IPv6 addresses.

Setting Up the Router

While not required, I will be using DD-WRT to complete the rest of the setup for the router. Linksys (a subset of Cisco) also supports IPv6, but GUI support of IPv6 for Linksys (and DD-WRT for that matter) is limited or non-existent.

The first step is to select a router that can handle a version of DD-WRT that supports IPv6. Select a router that supports either the Nokaid, VOIP, Big, Mega or Giga builds of DD-WRT. You can look up routers in the DD-WRT router database, located here.

The next task is to install the firmware onto the router; follow the documentation for the specific router you have selected. Basically this involves flashing the Webflash Image using the router's built-in firmware and then flashing once more for your target firmware (one of the builds listed above). Once again, read the documentation on setting up your router: RTFB!!!

Now you will want to set the IP address on the computer that you are going to configure the router from. Set this to 192.168.1.45 or another similar address; the subnet mask should be 255.255.255.0. You can leave the default gateway and the DNS server untouched. Once you have set up the static IP on your PC, open your web browser and enter 192.168.1.1 into the address bar. The default username is root and the default password is admin to log into DD-WRT.

Set Basic Router Configuration:
- Administration > Management > Router Password, set this to something secure.
- Wireless > Wireless Security > Security Mode > WPA2 Personal Mixed
- Wireless > Wireless Security > WPA Shared Key, set a secure password.
- Administration > Management > IPv6 > Enable
- Administration > Management > Radvd Enabled > Enable
- Security > Firewall > Block Anonymous WAN Requests (ping), uncheck this box.

Next, go to Administration > Commands. In the command box you will want to copy and paste the router startup configuration. Download the script from here. This is essentially a simplified version of the script found here.
In the script near the top, configure the basic connection settings with the IP address information that you obtained from Hurricane Electric in the previous steps. The optional/advanced settings of the script can be safely ignored for now. Once that is complete, click on the Save Startup button at the bottom of the screen in DD-WRT. This will save the router startup configuration. Lastly, unplug the power cable on the router and plug it back in.

The next step is to confirm that you are getting an IPv6 address on the computer you have plugged into the router. Go to Start > type “cmd” > type “ipconfig”, and hit enter. Your results should be similar to the below picture.

Ensure that both the IPv6 Address and the Default Gateway have an IPv6 address assigned to them. If not, you will need to review the configuration settings in the router startup config that you entered earlier. Also check that the network adapter you are using has IPv6 enabled (Windows 7, 8, and 8.1 should have this already set).
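A consistency check for this step, as an added example that is not part of the original article: it tests whether the address shown by ipconfig really comes from the Routed /64, rather than from the tunnel link or a link-local fallback. The function name is hypothetical, the addresses are constructed from the 2001:db8::/32 documentation prefix, and the Client IPv6 Address is assumed to be entered with its prefix length.

```python
import ipaddress

# Constructed sample values (documentation prefix), standing in for the
# "Routed /64" and "Client IPv6 Address" noted from the tunnel details.
ROUTED = "2001:db8:1f0b:12::/64"
CLIENT = "2001:db8:1f0a:12::2/64"

def classify_host_address(host, routed_prefix=ROUTED, client_addr=CLIENT):
    """Return (verdict, reason) for an address reported by ipconfig."""
    addr = ipaddress.IPv6Address(host.split("%")[0])   # drop any %zone suffix
    routed = ipaddress.IPv6Network(routed_prefix, strict=True)
    tunnel = ipaddress.IPv6Interface(client_addr).network

    if routed.prefixlen != 64:
        # radvd advertises the LAN prefix for SLAAC, which needs a /64
        return ("error", f"LAN prefix must be a /64, got /{routed.prefixlen}")
    if routed.overlaps(tunnel):
        return ("error", "routed prefix and tunnel prefix are the same network")
    if addr.is_link_local:
        return ("fail", "link-local only: no router advertisement was accepted")
    if addr in tunnel:
        return ("fail", "address belongs to the tunnel link, not the routed /64")
    if addr in routed:
        return ("ok", "global address inside the routed /64")
    return ("fail", "address is outside the routed /64")

if __name__ == "__main__":
    for sample in ("2001:db8:1f0b:12:a1b2:c3d4:e5f6:789",
                   "fe80::21a:2bff:fe3c:4d5e%11",
                   "2001:db8:1f0a:12::2"):
        print(sample, "->", classify_host_address(sample))
```

An "ok" result also means the host is addressable from the internet without NAT in between, so what reaches it is decided entirely by the router firewall configured next.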

Configure the Router Firewall

The last step in setting up the router is to configure the firewall. I suggest downloading the open source tool called Firewall Builder, which can be found here.

Once you have downloaded and installed Firewall Builder, open the program and click the create new firewall button.

Start by naming the firewall object. The firewall software should be IPTABLES, and the OS of the firewall is DD-WRT (nvram). Select Use preconfigured firewall templates and use standard template objects, select Next, and from the list select the DDWRT template.

The br0 interface should be configured with the server IPv6 address obtained from Hurricane Electric; the vlan1 interface should be the default gateway address (obtained from ipconfig at the command prompt). The loopback address should be “::1”. Ensure you have selected it as an IPv6 type address. Now select Finish to create the firewall objects.

From the Library drop-down list on the left-hand side select the User library. Open Firewalls > DD WRT > Policy; this will show you the current firewall policy rules. Create a new rule using the green plus sign. Your rule should say Source VLAN1:IPv6 to Destination br0:ipv6 and should accept any IPv6 ICMP6 traffic in both directions. Leave the other firewall rules as they are for now. We now want to compile the firewall using the hammer button in the top right of the window. Select the check box Compile for DD WRT and hit Next. Finally, inspect the generated file. This will show you the text that will be used to program the firewall. Copy and paste this text into the DD-WRT command window and select Save Firewall at the bottom of the page. Reboot the router by removing and replugging the power cord.
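One way to do the "inspect the generated file" step mechanically, as an added example that is not part of the original article or of Firewall Builder: it flags a missing default-deny policy and WAN-side ACCEPT rules that are not limited to a protocol or port. It assumes the rules appear as plain iptables-style `-P`/`-A` lines and that vlan1 is the WAN side as in the rule above; the sample ruleset is constructed.

```python
import shlex

# Constructed sample in ip6tables syntax; vlan1 = WAN, br0 = LAN as used above.
SAMPLE = """\
ip6tables -P INPUT DROP
ip6tables -P FORWARD ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -i vlan1 -o br0 -p ipv6-icmp -j ACCEPT
ip6tables -A FORWARD -i br0 -o vlan1 -p ipv6-icmp -j ACCEPT
ip6tables -A FORWARD -i vlan1 -o br0 -p tcp --dport 443 -j ACCEPT
ip6tables -A FORWARD -i vlan1 -o br0 -j ACCEPT
"""

def opt(tokens, *names):
    """Return the value following the first of `names` found, else None."""
    for name in names:
        if name in tokens[:-1]:
            return tokens[tokens.index(name) + 1]
    return None

def audit(text, wan_if="vlan1"):
    """List rules that expose the LAN/DMZ more widely than intended."""
    findings, policies, rules = [], {}, []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if "-P" in tok[:-2]:
            policies[tok[tok.index("-P") + 1]] = tok[tok.index("-P") + 2]
        elif "-A" in tok[:-1]:
            rules.append((tok[tok.index("-A") + 1], tok, line.strip()))
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain}: default policy is not DROP")
    for chain, tok, line in rules:
        if chain not in ("INPUT", "FORWARD") or opt(tok, "-j") != "ACCEPT":
            continue
        if opt(tok, "-i") not in (None, wan_if):
            continue                      # only matches LAN-side or loopback traffic
        if "ESTABLISHED" in (opt(tok, "--state", "--ctstate") or ""):
            continue                      # replies to connections opened from inside
        proto = opt(tok, "-p", "--protocol")
        if proto is None:
            findings.append(f"any protocol accepted from WAN: {line}")
        elif proto in ("tcp", "udp") and not opt(tok, "--dport", "--dports"):
            findings.append(f"every {proto} port accepted from WAN: {line}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the sample it reports the permissive FORWARD policy and the last rule, and leaves the ICMP6 rule and the single opened port alone.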

Test Connectivity

First ensure you can browse the internet by visiting Google. Next we need to check whether the IP address is pingable from the internet. Ensure that any firewall on your modem is disabled. Using this handy website here, enter the IPv6 address that you obtained from the “IPCONFIG” command in the command prompt and initiate the ping. If you have successfully set up the router it should ping.

Once your IP address is pingable from the internet, you have essentially set up the basics for any IPv6 programming that you want to do. The next steps are to set up an application server to talk to all your IPv6 internet-connected devices and start the programming! I hope this article has shed some light on the process of setting up a static IPv6 address. If you have any questions feel free to contact me at the email below and I will do my best to assist you.

Enjoi!

                                                        T3rr0rByte13@hobbyware.org

                                                                                                     ©2017 All Rights Reserved. All contents of this site are copyright to Hobbyware.org