Living in the Future with IPv6

It’s not quite flying cars, but since yesterday I’m living in the future. IPv6 has arrived at my home network after I switched to a new VDSL contract. I had to activate it manually in my FritzBox home router though, but as far as I can tell, things are working fine. Now I’m able to use Google services and read Heise Online via IPv6!

Finding the IPv6 settings in the FritzBox web UI took me a minute. You need to switch to the “Extended View” (a somewhat hidden link at bottom of the page), then you can enable it via the IPv6 tab from the “Internet / Access” menu (“Internet / Zugangsdaten” in German). Afterwards, the router acquires a /56 prefix from my ISP and sends router advertisements.

Without any configuration on the client side, an Ubuntu 14.10 machine, my Chromecast, and all of my Android devices (Nexus 4, Nexus 7, and an old Samsung Galaxy Tab 10.1) acquired IPv6 addresses. My Sonos Play:1, WD TV, and XBox 360 don’t seem to have IPv6 support, which is a bit disappointing since they aren’t that old. My ancient Okipage 12i/n printer is excused, I think it may actually predate IPv6.

You can ping all your IPv6-enabled hosts via the ff02::1 multicast address using the following command (ff02::2 reaches all local routers):

  ping6 -I eth0 ff02::1

Try this command to see which connections actually use IPv6:

  netstat -Wtn

And of course, you can also search Google for “what is my ip address” to see whether you’re actually using IPv6 or use one of many testing sites.

Having globally routable IP addresses is a nice thing. However, other than being an ugly hack, IPv4 with NAT has a few nice security properties that you need with IPv6, too. My tests from the outside fortunately showed that internal systems aren’t reachable: Datagrams were dropped by the FritzBox firewall with the appropriate ICMP message (code 0x0D, “Administratively prohibited”).

One drawback of IPv6 is that it makes tracking users across the internet much easier because the default stateless autoconfiguration derives the adress suffix from the network interface’s MAC address. Of course, there’s more than one way of tracking people without their consent (see evercookie, for example), but for IPv6 there are privacy extensions that switch your IP address after a while. The old IP address still remains valid for a transition period though.

Privacy extensions are active on Android 4 (“Ice Cream Sandwich”) and later, so there’s no need to configure anything. For Ubuntu Linux, you have to enable the feature manually via sysctl(8) on the network device:

  sysctl net.ipv6.conf.all.use_tempaddr=2

Three different values are accepted: “0” disables privacy extensions, “1” enables temporary addresses, while “2” also makes Linux prefer them when connecting to a service.

You can add this property to /etc/sysctl.conf, but apparently it requires a fairly recent kernel (3.16.0 from Ubuntu 14.10 worked). According to some reports, the net.ipv6.conf.all.use_tempaddr property only had effect on newly created network interfaces and the /etc/sysctl.conf mechanism gets executed after the network devices are already up.

Anyway, if privacy extensions are active, the following command should list multiple IP addresses, where one has the temporary flag and possibly another one with a deprecated flag:

  ip addr show dev eth0

You should also verify that connections actually use the temporary address using the netstat(8) command given above.

There it is. IPv6, roughly 15 years after I read the first RFCs.

Advertisements
This entry was posted in linux and tagged , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s