Random IPv6 Encounter

Being in the SFBA has its quirks at times 🙂 Stopped in a 7-11 to get something to drink while driving around. Got up to the register and the clerk asked ‘Is that your IPv6 address?’ I was wearing a Cisco shirt with 2001:420::c15c:0 on the front, which I got at last year’s World IPv6 Day post-celebration at Tied House. I explained what it was and where it was from, and he laughed. He said he recognized it as being IPv6 because he was studying for his CCNA. So yay SFBA nerds, and yay IPv6 getting into more people’s minds 😀

Basic BGP configuration for IPv6

So you have your ASN and just got your PI (Provider-Independent Address Allocation) straight from an RIR, or perhaps a LoA (Letter of Authority) to announce some PA (Provider-Assigned Address Allocation) space from your ISP. You’ll need to start getting that announced out there to your peers, customers and transits. So let’s use some documentation prefixes and ASNs and sort out a basic working config. I’ll base the examples on my experience with Brocade NetIron software on XMRs, which can translate over to Quagga or Cisco IOS with a few tweaks.

Assuming you are familiar with BGP4+ with IPv4, IPv6 is not so different or any more complex when getting started. Let’s start off with some numbers:

Upstream ISP ASN: 64500
Your ASN: 64501
Specific /126 configured on interfaces out of allocated /64: 2001:db8:0:1::/126
PA allocation to announce: 2001:db8:1234::/48

Start off by making certain that you’ve configured IPv6 on your upstream facing interface, that they’ve configured their side, and that you can ping each other over the link. The upstream provider’s configuration can be done like so:

isp#conf t
isp#(config)ipv6 prefix-list as64501-ipv6-filter seq 1 permit 2001:db8:1234::/48
isp#(config)router bgp
isp#(config-bgp)nei 2001:db8:0:1::2 remote-as 64501
isp#(config-bgp)nei 2001:db8:0:1::2 desc Customer_Name
isp#(config-bgp)no nei 2001:db8:0:1::2 activate
isp#(config-bgp)add ipv6 uni
isp#(config-bgp-af)nei 2001:db8:0:1::2 activate
isp#(config-bgp-af)nei 2001:db8:0:1::2 prefix-list as64501-ipv6-filter in
isp#(config-bgp-af)exit
isp#wr mem

So the breakdown of these steps is:

  • enter configuration mode on router
  • build a filter to restrict what the customer (you) are allowed to announce (seq optional but required for multiple entries in list)
  • enter BGP configuration mode
  • create a specific session using target/destination IPv6 address and ASN of customer
  • optionally add a description of the session perhaps to track who it is more clearly
  • deactivate the neighbor in the default IPv4 address family: you don’t want IPv4 routes going out or coming in over the session, IPv6 routes only
  • change address-family for IPv6 specific BGP settings
  • activate sending and learning IPv6 routes over the session
  • apply the filter for accepting INBOUND routes from you/customer
  • exit & then write out the config

On the customer side it is similar but not identical:

you#conf t
you#(config)ipv6 prefix-list outbound-ipv6-filter seq 1 permit 2001:db8:1234::/48
you#(config)router bgp
you#(config-bgp)nei 2001:db8:0:1::1 remote-as 64500
you#(config-bgp)nei 2001:db8:0:1::1 desc ISP_Name
you#(config-bgp)no nei 2001:db8:0:1::1 activate
you#(config-bgp)add ipv6 uni
you#(config-bgp-af)network 2001:db8:1234::/48
you#(config-bgp-af)nei 2001:db8:0:1::1 activate
you#(config-bgp-af)nei 2001:db8:0:1::1 prefix-list outbound-ipv6-filter out
you#(config-bgp-af)exit
you#wr mem

The differences being:
1) outbound filter list on your session to the ISP
2) network statement for the allocation to be announced by BGP

You’ll also need some sort of anchor route so BGP knows to announce the route. This can be either a local null-route or static-route for the covering prefix, or an IP out of the prefix configured on an interface. So once BGP is configured, and establishes between both routers, the ISP side should see something similar to:

isp#sh ipv6 bgp nei 2001:db8:0:1::2 routes
       There are 1 accepted routes from neighbor 2001:db8:0:1::2
Searching for matching routes, use ^C to quit...
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED
       E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH m:NOT-INSTALLED-MULTIPATH
       S:SUPPRESSED F:FILTERED s:STALE
       Prefix             Next Hop        Metric     LocPrf     Weight  Status
1      2001:db8:1234::/48  2001:db8:0:1::2
                                          1          140        0       E
         AS_PATH: 64501

And that should be it. You can obviously play around with peer-groups, route-maps, etc. Communities should work as long as your ISP offers them, so be sure to ask. Ideally there is at least a blackhole community in place, which allows you to announce a specific range or IP that you want to have null-routed upstream in cases of abuse or attacks. The ISP’s inbound filter for your session could then look like either of the following, depending on how specific an announcement they allow:

ipv6 prefix-list as64501-ipv6-filter seq 1 permit 2001:db8:1234::/48 le 64

or

ipv6 prefix-list as64501-ipv6-filter seq 1 permit 2001:db8:1234::/48 le 128

The obvious requirement is that the BGP sessions are configured as blackhole community enabled on both sides.
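
What each of the three filter variants on this page accepts, as an added example that is not part of the original post: a small Python evaluator for the prefix-list entries, assuming the usual first-match, implicit-deny semantics in which le extends the accepted prefix length from the entry's own length up to the given value. The announcements are constructed test inputs.

```python
import ipaddress

def parse_entry(line):
    """Parse 'ipv6 prefix-list NAME seq N permit|deny PREFIX [ge X] [le Y]'."""
    tok = line.split()
    i = next(k for k, t in enumerate(tok) if t in ("permit", "deny"))
    net = ipaddress.IPv6Network(tok[i + 1])
    opts = dict(zip(tok[i + 2::2], map(int, tok[i + 3::2])))
    if not opts:                       # no ge/le: exact prefix length only
        lo = hi = net.prefixlen
    else:                              # ge/le widen the accepted length range
        lo = opts.get("ge", net.prefixlen)
        hi = opts.get("le", 128)
    return tok[i], net, lo, hi

def evaluate(filter_lines, announcement):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    cand = ipaddress.IPv6Network(announcement)
    for action, net, lo, hi in map(parse_entry, filter_lines):
        if cand.subnet_of(net) and lo <= cand.prefixlen <= hi:
            return action
    return "deny"

NAME = "ipv6 prefix-list as64501-ipv6-filter seq 1 permit 2001:db8:1234::/48"
FILTERS = {"exact": [NAME], "le 64": [NAME + " le 64"], "le 128": [NAME + " le 128"]}

# Constructed announcements a customer session might send.
ANNOUNCEMENTS = [
    "2001:db8:1234::/48",          # the allocation itself
    "2001:db8:1234:abcd::/64",     # more-specific inside the allocation
    "2001:db8:1234:abcd::1/128",   # single host, e.g. a blackhole request
    "2001:db8:5678::/48",          # space that is not the customer's
    "2001:db8::/32",               # covering prefix, shorter than the /48
]

def compare():
    """Return {announcement: {filter name: 'permit' or 'deny'}}."""
    return {a: {n: evaluate(f, a) for n, f in FILTERS.items()} for a in ANNOUNCEMENTS}

if __name__ == "__main__":
    for ann, verdicts in compare().items():
        print(f"{ann:28}", verdicts)
```

Only the le 128 variant accepts the single-address announcement that a blackhole request needs, and none of the variants accepts space outside the /48 or the covering /32.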

Configuring RA on routers or RADVD with Linux

Ok, so in an ideal world, you have 2 allocations: 1 allocation for your server/router’s uplink, and 1 allocation that is a statically routed subnet (either a /64 or /48) to your side of that uplink allocation. For example:

2001:DB8:0:1::/64 = uplink allocation
2001:DB8:0:1::1 = upstream router IP (gateway)
2001:DB8:0:1::2 = customer configured IP (your WAN uplink interface to provider)
2001:DB8:2::/48 = statically routed subnet pointing at 2001:DB8:0:1::2

If you are using a hardware router like a Cisco or a Brocade and you want a LAN segment to have the hosts auto-configure IPv6 addresses, then you simply add the following to that LAN facing interface:

ipv6 enable
ipv6 address 2001:DB8:2::1/64

If hosts on that LAN segment have auto-configuration enabled, then they will do just that: auto-configure IPs on their LAN interfaces using EUI-64/SLAAC.

To use a Linux machine to act as your IPv6 gateway, you’ll need a little help from the RADVD package. First and foremost, you will need IPv6 packet forwarding enabled on the Linux machine that will act as your IPv6 router. Edit /etc/sysctl.conf and add the following line:

net.ipv6.conf.all.forwarding = 1

Then run: sysctl -p to apply changes made to the config file.

Next you will need an IP out of one of the /64s, from your statically routed /48, that you want to use for auto-configuration configured on your LAN facing interface. Let us assume that eth0 is your WAN interface and eth1 is your LAN interface. IP configurations for those interfaces should look like:

eth0 = 2001:DB8:0:1::2/64
eth1 = 2001:DB8:2::1/64

You’ll need to install RADVD either from source or your preferred Linux distro repository of packages. Then edit the radvd.conf file for your prefix and any options you want to enable. What follows is my generic sample configuration. This hasn’t failed to work for me yet:

interface eth1
{
     AdvSendAdvert on;
     AdvHomeAgentFlag off;
     MinRtrAdvInterval 30;
     MaxRtrAdvInterval 100;
     prefix 2001:DB8:2::/64
     {
          AdvOnLink on;
          AdvAutonomous on;
          AdvRouterAddr on;
     };
};

Now you should be able to fire up the RADVD daemon, and hosts on the LAN set to auto-configure should begin to do so. You will find that on the LAN hosts, the default route and gateway point to the Link-Local address of eth1 on the Linux machine acting as the IPv6 gateway/router. This is entirely normal and expected.

Congrats! Now you should have proper IPv6 access from behind either a hardware router or a Linux machine acting as the gateway/router.