Connecting the network to global IPv6 space
Some time ago, in the comments to the article “IPv6 gateway for the local network,” I was asked to talk about how I activated IPv6 in one of my projects. I'll start with a couple of words about the project itself. CareNet is the result of the cooperation of two major Swedish universities: the KTH Royal Institute of Technology and the Karolinska Institutet . In short, CareNet is a system for observing palliative patients outside the hospital. A small device is installed at the patient's home that has access to the Internet and is connected via VPN to the CareNet servers. The device includes an HDVC client, a set of sensors for monitoring the patient’s condition, and a means of accessing a medical portal containing all the patient information. Medical information is available to both the patient and the doctor.
But the article is about IPv6 activation, so we are more interested in not the client, but the central part of the CareNet infrastructure. It includes a number of routers and servers that are located on the KTH university campus in Stockholm. The scheme gives an idea about the scale of the network.
For 20 weeks my task was to maintain the specified infrastructure in working condition and to increase its functionality. One of the tasks for me, I determined the activation of IPv6 in this small network topology. Moreover, in addition to deploying IPv6 within the network, I also wanted to connect CareNet to the global IPv6 space.
')
I started by asking the university administration to give me a piece of the IPv6 lab range for my small sandbox. The prefix 2001: 6b0: 32 :: / 49 was solemnly delegated to me. At first I was offended and several times I wanted to run and ask for more, but in the end, having put the addressing scheme on paper like that, I decided that 6x10 23 addresses should be enough.
Having defined the addressing, I configured the interfaces on the routers. It must be said here that the routers in CareNet are unusual, built on the basis of the high-performance hardware and software Linux-platform Bifrost. This is a university development now entering the commercial market. The interfaces between the routers have a bandwidth of 10 Gb / s. For routing (control plane) is responsible for the Quagga software package.
Having added IPv6 addresses to the interfaces of the routers, I launched OSPFv3 as a dynamic routing protocol. Basic settings, one OSPF-zone 0.0.0.0. There is no technical explanation why OSPF is selected. Personally, I choose by name. I don't like ripng. Here is IS-IS with pleasure, but Quagga does not support it.
I worked with Quagga for the first time, but I got accustomed instantly because the command interface is similar to the Cisco CLI. I give an example of configuration of the ospf6d daemon for two routers:
Routing is activated and the next question arises about the dynamic allocation of IPv6 addresses to servers in the farm and clients in access networks. This task was decided to entrust to the DHCPv6 server. I deployed two DHCPv6 servers: ISC DHCP and Dibbler. A competition was organized according to the conditions of which the server who first serves the client by allocating an IPv6 address to him will remain in operation. Dibbler was quick, so ISC DHCP was destroyed. An example of setting the ranges of allocated addresses:
Two interesting differences from the usual DHCP for IPv4:
Internal routing is working, customers have received addresses, business for small - to open IPv6 Internet access. Guessing that my immediate neighbor, AS 2839 (KTH-LAN) is already part of the global IPv6 space, I dared to ask its administrators to allow me to establish an additional BGP session from KTH-LAN to announce my IPv6 prefix. After agreeing on all the technical details, the IPv6 BGP neighborhood was established. It took a couple of days to convince the autonomous system that follows the next chain (SUNET) to update its incoming BGP filters and finally release my prefix to free float. Bgpd daemon configuration:
In addition to filtering the declared and received prefixes, it would be nice to activate identical filters directly for the autonomous system crossing the border of the traffic, as a mechanism to counteract “IP spoofing” attacks. A simple access control list ACL will do the job.
By setting up BGP and sorting out the filters, I opened champagne and got ready to meet the first ICMPv6 response, better known as ping, from ipv6.google.com. The route tracing is below:
Finally, I'll tell you how DNS was configured to work with IPv6 addresses. It was not necessary to install a DNS server from scratch, because the network already had a BIND server serving the IPv4 range. IPv6 records have been added to the direct DNS zone to existing IPv4 addresses. Pretty straightforward and simple, but just in case I'll give an example configuration:
But with the reverse zone (reverse DNS lookup) had to tinker. A separate file was created, named in accordance with the canons 2.3.0.0.0.b.6.0.1.0.0.2.ip6.arpa. The name is formed from the prefix 2001: 6b0: 32 :: / 49 written in the reverse order and supplemented with zeros. Further, in a rather unfriendly and difficult-to-read format, reverse DNS records are added for all IPv6 systems on the network. Part of the configuration is shown below:
The goal has been achieved; CareNet has become part of the global IPv6 domain. I described in detail the entire process of activating IPv6 in the official documents for the project, which are available on CareNet. There you can find schemes. The project is academic, the information is open and does not contain any secrets. Thanks for attention.
But the article is about IPv6 activation, so we are more interested in not the client, but the central part of the CareNet infrastructure. It includes a number of routers and servers that are located on the KTH university campus in Stockholm. The scheme gives an idea about the scale of the network.
For 20 weeks my task was to maintain the specified infrastructure in working condition and to increase its functionality. One of the tasks for me, I determined the activation of IPv6 in this small network topology. Moreover, in addition to deploying IPv6 within the network, I also wanted to connect CareNet to the global IPv6 space.
')
Addressing
I started by asking the university administration to give me a piece of the IPv6 lab range for my small sandbox. The prefix 2001: 6b0: 32 :: / 49 was solemnly delegated to me. At first I was offended and several times I wanted to run and ask for more, but in the end, having put the addressing scheme on paper like that, I decided that 6x10 23 addresses should be enough.
Having defined the addressing, I configured the interfaces on the routers. It must be said here that the routers in CareNet are unusual, built on the basis of the high-performance hardware and software Linux-platform Bifrost. This is a university development now entering the commercial market. The interfaces between the routers have a bandwidth of 10 Gb / s. For routing (control plane) is responsible for the Quagga software package.
Internal Routing, OSPFv3
Having added IPv6 addresses to the interfaces of the routers, I launched OSPFv3 as a dynamic routing protocol. Basic settings, one OSPF-zone 0.0.0.0. There is no technical explanation why OSPF is selected. Personally, I choose by name. I don't like ripng. Here is IS-IS with pleasure, but Quagga does not support it.
I worked with Quagga for the first time, but I got accustomed instantly because the command interface is similar to the Cisco CLI. I give an example of configuration of the ospf6d daemon for two routers:
hostname VR-ospf6d <br>
!
router ospf6
router-id 192.16.126.9
interface eth1 area 0.0.0.0 # HR <br>
interface eth2 area 0.0.0.0 # KR <br>
interface dummy0 area 0.0.0.0 #loopback <br>
!
hostname KR-ospf6d <br>
!
interface eth2 # <br>
ipv6 ospf6 passive # OSPF Hello <br>
!
router ospf6
router-id 192.16.126.10
interface eth2 area 0.0.0.0 # <br>
interface eth0 area 0.0.0.0 # VR <br>
interface dummy0 area 0.0.0.0
!
Dynamic Address Allocation, DHCPv6
Routing is activated and the next question arises about the dynamic allocation of IPv6 addresses to servers in the farm and clients in access networks. This task was decided to entrust to the DHCPv6 server. I deployed two DHCPv6 servers: ISC DHCP and Dibbler. A competition was organized according to the conditions of which the server who first serves the client by allocating an IPv6 address to him will remain in operation. Dibbler was quick, so ISC DHCP was destroyed. An example of setting the ranges of allocated addresses:
vp@dns:~$ cat /etc/dibbler/server.conf <br>
... <br>
option dns-server 2001:6b0:32:0::66 #IPv6 DNS <br>
class {
pool 2001:6b0:32:0::0000 - 2001:6b0:32:0::0fff # IPv6 <br>
}
client duid 0x000100011657fdc9be10f563c5bf {
address 2001:6b0:32:0::69 # Ipv6 SIP <br>
}
... <br>
Two interesting differences from the usual DHCP for IPv4:
- First, DHCPv6 does not provide the client with the default gateway address, which in our case is the router in Kista. The gateway itself must announce its existence in accordance with the mechanism of Neighbor Discovery. RFC 2461 describes this mechanism in detail; I will only mention that the router must periodically send a message to the Router Advertisement (RA), declaring itself the default gateway in this segment. In my case, for this it was necessary to supplement the configuration of the KR router:
hostname KR-zebra <br>
!
interface eth2 # <br>
no ipv6 nd suppress-ra # RA <br>
ipv6 nd prefix 2001:6b0:32::/64 no-autoconfig #IPv6 <br>
! - The second feature is the basis on which the DHCPv6 server allocates static addresses. If in DHCPv4 it was enough just to set the MAC address of the device to which you need to allocate a permanent address, then the DHCPv6 server configuration will have to prescribe the so-called DHCP Unique Identifier (DUID). I suggest to find it in the configuration given earlier by yourself. You can read about the DUID in RFC 3315 .
External Routing, BGP
Internal routing is working, customers have received addresses, business for small - to open IPv6 Internet access. Guessing that my immediate neighbor, AS 2839 (KTH-LAN) is already part of the global IPv6 space, I dared to ask its administrators to allow me to establish an additional BGP session from KTH-LAN to announce my IPv6 prefix. After agreeing on all the technical details, the IPv6 BGP neighborhood was established. It took a couple of days to convince the autonomous system that follows the next chain (SUNET) to update its incoming BGP filters and finally release my prefix to free float. Bgpd daemon configuration:
hostname VR-bgpd <br>
!
router bgp 8973 # CareNet <br>
bgp router-id 192.16.126.1
neighbor 2001:6b0:1:2::1 remote-as 2839 #IPv6 BGP- <br>
no neighbor 2001:6b0:1:2::1 activate
!
address-family ipv6
network 2001:6b0:32::/49 # <br>
neighbor 2001:6b0:1:2::1 activate
neighbor 2001:6b0:1:2::1 soft-reconfiguration inbound
neighbor 2001:6b0:1:2::1 route-map only-default6-in in # <br>
neighbor 2001:6b0:1:2::1 route-map only-carenet6-out out # <br>
exit-address-family
!
ipv6 prefix-list CARENET6 seq 5 permit 2001:6b0:32::/49 # 2001:6b0:32::/49 <br>
ipv6 prefix-list DEFAULT6 seq 5 permit ::/0 # ::/0 <br>
!
route-map only-default6-in permit 10
match ipv6 address prefix-list DEFAULT6
!
route-map only-carenet6-out permit 10
match ipv6 address prefix-list CARENET6
!
In addition to filtering the declared and received prefixes, it would be nice to activate identical filters directly for the autonomous system crossing the border of the traffic, as a mechanism to counteract “IP spoofing” attacks. A simple access control list ACL will do the job.
By setting up BGP and sorting out the filters, I opened champagne and got ready to meet the first ICMPv6 response, better known as ping, from ipv6.google.com. The route tracing is below:
vp@dns:~$ traceroute6 ipv6.google.com <br>
traceroute to ipv6.l.google.com (2a00:1450:4010:c01::93) from 2001:6b0:32::66, 30 hops max, 24 byte packets
1 kis-lanlink.carenet-se.se (2001:6b0:32::1) 1.13 ms 0.457 ms 0.49 ms
2 lpp01m02-in-x93.1e100.net (2a00:1450:4010:c01::93) 0.944 ms 0.933 ms 1.115 ms
3 br1g-cn6-p2p.gw.kth.se (2001:6b0:1:2::1) 1.261 ms 1.3 ms 1.091 ms
4 * * *
5 t1fre-ae5-v1.sunet.se (2001:6b0:1e:1::36) 1.467 ms 1.256 ms 1.239 ms
6 se-fre.nordu.net (2001:948:0:f051::1) 1.718 ms 1.562 ms 1.463 ms
7 se-tug.nordu.net (2001:948:1:1::3) 1.344 ms 1.315 ms 1.269 ms
8 se-tug2.nordu.net (2001:948:1:5::3) 1.505 ms 1.359 ms 1.287 ms
9 google-gw.nordu.net (2001:948:0:f008::3) 1.443 ms 1.616 ms 1.298 ms
10 2001:4860::1:0:26ec (2001:4860::1:0:26ec) 1.896 ms 2.002 ms 1.911 ms
11 2001:4860::8:0:26e5 (2001:4860::8:0:26e5) 41.025 ms 11.119 ms 11.02 ms
12 2001:4860::2:0:2aaf (2001:4860::2:0:2aaf) 11.223 ms 11.455 ms 11.955 ms
13 2001:4860:0:1::4d0 (2001:4860:0:1::4d0) 22.558 ms 21.472 ms 17.857 ms
14 lpp01m02-in-x93.1e100.net (2a00:1450:4010:c01::93) 10.833 ms 10.878 ms 13.669 ms
DNS for IPv6
Finally, I'll tell you how DNS was configured to work with IPv6 addresses. It was not necessary to install a DNS server from scratch, because the network already had a BIND server serving the IPv4 range. IPv6 records have been added to the direct DNS zone to existing IPv4 addresses. Pretty straightforward and simple, but just in case I'll give an example configuration:
vp@dns:~$ sudo cat /etc/bind/zones/external/carenet-se.se.db <br>
... <br>
;; Routers' loopacks
vr IN A 192.16.126.9
vr IN AAAA 2001:6b0:32:10::1
... <br>
But with the reverse zone (reverse DNS lookup) had to tinker. A separate file was created, named in accordance with the canons 2.3.0.0.0.b.6.0.1.0.0.2.ip6.arpa. The name is formed from the prefix 2001: 6b0: 32 :: / 49 written in the reverse order and supplemented with zeros. Further, in a rather unfriendly and difficult-to-read format, reverse DNS records are added for all IPv6 systems on the network. Part of the configuration is shown below:
vp@dns:~$ sudo cat /etc/bind/zones/2.3.0.0.0.b.6.0.1.0.0.2.ip6.arpa <br>
$TTL 600
$ORIGIN 2.3.0.0.0.b.6.0.1.0.0.2.ip6.arpa. # <br>
@ IN SOA ns.carenet-se.se. adm.carenet-se.se. (
2011120101;
28800;
604800;
604800;
86400);
IN NS ns.carenet-se.se.
IN NS ns.ssvl.kth.se.
IN NS ns2.ssvl.kth.se.
6.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR ns.carenet-se.se.
... <br>
$ORIGIN 0.0.0.0.2.3.0.0.0.b.6.0.1.0.0.2.ip6.arpa.
9.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR sip.carenet-se.se.
4.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR log.carenet-se.se.
... <br>
$ORIGIN 0.1.0.0.2.3.0.0.0.b.6.0.1.0.0.2.ip6.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR vr.carenet-se.se.
... <br>
Conclusion and additional information
The goal has been achieved; CareNet has become part of the global IPv6 domain. I described in detail the entire process of activating IPv6 in the official documents for the project, which are available on CareNet. There you can find schemes. The project is academic, the information is open and does not contain any secrets. Thanks for attention.
Source: https://habr.com/ru/post/135130/
All Articles