
DNS Issues

Hostnames are mapped to IPv6 addresses by AAAA records in the DNS. Not all nameservers properly support queries for AAAA records.

There are two categories of bugs:

1) Nameservers which silently ignore AAAA queries. BIND 4 is notorious for this bug. This bug causes clients to wait for their AAAA query to time out and frequently leads to the perception that "IPv6 is slow."

2) Nameservers which improperly respond to AAAA queries. It is common for a host to have an A record, but no AAAA records. When a nameserver receives an AAAA query for such a host, it should respond with NODATA, indicating that it does not have an AAAA record, but does have records of another type. Some nameservers are broken and return NXDOMAIN, which indicates that the server does not have records of any type for the hostname. This causes clients not to query for A records. Microsoft has a KB article about this issue. See RFC 2308 for more on NXDOMAIN vs. NODATA.
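The two bugs above can be told apart from the DNS response header alone. The following Python example is an addition to this page, not part of the original notes: it classifies a raw response as NODATA, NXDOMAIN or a timeout and maps the A/AAAA pair to bug 1 or bug 2. The function names, the constructed sample bytes and the IPv4/UDP transport used by probe() are assumptions made for illustration.

```python
import socket
import struct

AAAA, A = 28, 1  # DNS query types; 28 == 0x1c is AAAA

def build_query(name, qtype, txid=0x1234):
    """Encode a recursive DNS query in RFC 1035 wire format."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def classify(response):
    """Classify a raw DNS response; None stands for a query that timed out."""
    if response is None:
        return "TIMEOUT"
    if len(response) < 12:
        return "MALFORMED"
    flags, _qdcount, ancount = struct.unpack("!HHH", response[2:8])
    rcode = flags & 0x000F
    if rcode == 3:
        return "NXDOMAIN"  # server claims no records of any type exist
    if rcode != 0:
        return "RCODE_%d" % rcode
    # Simplification: any answer record counts as ANSWER, even a bare CNAME.
    return "ANSWER" if ancount else "NODATA"

def verdict(a, aaaa):
    """Compare the A and AAAA results for a hostname that has an A record."""
    if a == "ANSWER" and aaaa == "TIMEOUT":
        return "bug 1: AAAA query silently ignored"
    if a == "ANSWER" and aaaa == "NXDOMAIN":
        return "bug 2: NXDOMAIN returned instead of NODATA"
    return "ok"

def probe(server, name, timeout=3.0):
    """Query `server` (assumed: IPv4 address, UDP port 53) for A and AAAA of `name`."""
    out = {}
    for qtype in (A, AAAA):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(build_query(name, qtype), (server, 53))
                out[qtype] = classify(s.recvfrom(4096)[0])
            except socket.timeout:
                out[qtype] = classify(None)
    return verdict(out[A], out[AAAA])

# Constructed 12-byte response headers (not captured traffic): QR=1, RD=1, RA=1.
SAMPLE_NODATA = bytes.fromhex("123481800001000000000000")    # RCODE 0, no answers
SAMPLE_NXDOMAIN = bytes.fromhex("123481830001000000000000")  # RCODE 3
```

Call probe() with a nameserver address and a hostname known to have an A record but no AAAA record.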

Enabling/Disabling Privacy Addresses

IT IS NOT RECOMMENDED THAT YOU ENABLE PRIVACY ADDRESSES

Windows 7/Vista

Windows 7 and Vista enable privacy extensions by default. There is currently no way to disable IPv6 privacy extensions via AD Group Policy; however, a machine startup script with the following commands can be used to disable them:

netsh interface ipv6 set privacy state=disabled
netsh interface ipv6 set global randomizeidentifiers=disabled

Those commands can also be run manually, as Administrator, if you have a machine that is not a member of a Domain.

Mac OS X

Mac OS X does not use privacy addresses by default. To enable them, run this from Terminal:

sysctl -w net.inet6.ip6.use_tempaddr=1

To (optionally) set the temporary address lifetime (in seconds):

sysctl -w net.inet6.ip6.temppltime=XX

To make these settings persistent, you must add them to /etc/sysctl.conf:

net.inet6.ip6.use_tempaddr=1
net.inet6.ip6.temppltime=XX

Linux

Linux does not use privacy addresses by default. To enable them,

echo "1" > /proc/sys/net/ipv6/conf/default/use_tempaddr

Solaris

Solaris does not use temporary addresses by default. To enable them,

edit /etc/inet/ndpd.conf

ifdefault TmpAddrsEnabled true

Optionally, set:

ifdefault TmpValidLifetime XX
ifdefault TmpPreferredLifetime XX

Then restart ndpd:

svcadm restart svc:/network/routing/ndp:default

Static IPv6 addresses

Mac OS X

From the GUI:

System Preferences -> Network -> interface -> TCP/IP -> Configure IPv6.

From the command line:

$ sudo ifconfig en0 inet6 2001:0DB8::15/64
$ sudo route add -inet6 -prefixlen 0 default 2001:0DB8::1

Solaris

Global zone

In Solaris 8, 9 or 10 (in the global zone):

Edit /etc/hostname6.interface:

token ::XX/64

where XX is the host component of your static address.

Child zone

(Solaris 10 only)

As root, run zonecfg -z zonename:

zonecfg:zonename> add net
zonecfg:zonename:net> set address=address/prefix
zonecfg:zonename:net> set physical=interface
zonecfg:zonename:net> end
zonecfg:zonename> verify
zonecfg:zonename> commit
zonecfg:zonename> exit

Note: For a child zone, you must specify the full IPv6 address in the set address= command. This is different from configuring the global zone, where you only specify the host component of the address (in /etc/hostname6.interface).

Note: When adding IPv6 to a child zone, you must add both the global address as well as a link-local address. Solaris will not automatically assign a link-local address for a child zone as it does for the global zone. Care must be taken when choosing a link-local address so as to not interfere with any other devices on the network.

Red Hat Enterprise Linux / Fedora

Edit /etc/sysconfig/network

NETWORKING_IPV6=yes
IPV6_DEFAULTGW=2001:0DB8::1

where the IPV6_DEFAULTGW value is your default router

Edit /etc/sysconfig/network-scripts/ifcfg-eth0

IPV6INIT=yes
IPV6_AUTOCONF=no
IPV6ADDR=2001:0DB8::5/64

where the IPV6ADDR value is your static address

NOTE: At least on Fedora 9, IPV6_AUTOCONF should be in /etc/sysconfig/network, not /etc/sysconfig/network-scripts/ifcfg-ethn.

To configure multiple IPv6 addresses, use the IPV6ADDR_SECONDARIES directive. For example,

$ cat /etc/sysconfig/network-scripts/ifcfg-eth0
# Broadcom Corporation NetXtreme BCM5703X Gigabit Ethernet
DEVICE=eth0
BOOTPROTO=static
BROADCAST=128.118.27.127
HWADDR=00:0D:56:BB:08:46
IPADDR=128.118.27.7
NETMASK=255.255.255.128
NETWORK=128.118.27.0
ONBOOT=yes
IPV6INIT=yes
IPV6ADDR=2001:0DB8::7/64
IPV6ADDR_SECONDARIES=2001:0DB8::8/64
#IPV6_ROUTER=no
#IPV6_AUTOCONF=no
#IPV6FORWARDING=no

Debian / Ubuntu

Edit /etc/network/interfaces and add entries for inet6 to lo and eth0. E.g.:

auto lo eth0
iface lo inet loopback
iface lo inet6 loopback
iface eth0 inet6 static
	address 2001:0DB8::12
	netmask 64

See this link for troubleshooting tips.

AIX 5.x

To configure the address, run this as root:

chdev -l interface -a netaddr6='<IPv6 address>' -a prefixlen='<prefixlen>'  -a state=up

To configure the router, run this as root:

chdev -l inet0 -a rout6=net,,,,,'default','<IPv6 router address>'

More detailed information can be found in this white paper.

FreeBSD

IPv6 support has been built into the FreeBSD kernel since version 4.0 (March 2000). To enable it, edit /etc/rc.conf and add:

ipv6_enable="YES"

and reboot.

To configure a static address, add this to /etc/rc.conf:

ipv6_ifconfig_XXX="2001:0DB8::16"

Where XXX is the name of the network interface (e.g., em0, fxp1, etc).

To assign a default router add this to /etc/rc.conf:

ipv6_defaultrouter="2001:0DB8::1"

For more information, see the FreeBSD handbook.

This page also has useful information.

NetBSD

See NetBSD's IPv6 documentation

BusyBox

BusyBox has supported IPv6 since version 1.3.0 (December 2006), with significant improvements in version 1.4.0 (January 2007). Additional IPv6 support was added in 1.13.4 (DNS queries over IPv6).

WireShark

See also the WireShark wiki page on IPv6.

Capture Filter

This will capture only IPv6 traffic:

ip6

Display Filter

See also the WireShark IPv6 display filter reference.

To show IPv6 traffic (excluding ICMPv6) and all DNS queries for AAAA records:

(ipv6 && !icmpv6) || dns.qry.type==0x1c

tcpwrappers

There are two versions of tcpwrappers, one that supports IPv6 and one that does not. Make sure you have the IPv6-capable version. See the list below for details.

To use an IPv6 address in hosts.allow and hosts.deny, you must enclose the address in square brackets (see RFC 2732 for the gory details).

Example:

Allow all hosts on 2001:0DB8::/32 to connect to sshd:

sshd: [2001:0DB8::]/32

Note that the prefix length (32) is outside the brackets!
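The bracket rules above are easy to get wrong, because a bare IPv6 address collides with the colon that separates fields in these files. The following Python example is an addition to this page, not part of tcpwrappers or the original notes: it checks the client patterns on one hosts.allow/hosts.deny line for unbracketed IPv6 addresses and for prefix lengths placed inside the brackets. The function name lint_line, the sample lines and the simplified line parsing are assumptions made for illustration.

```python
import ipaddress
import re

BRACKETED = re.compile(r"\[([^\]]*)\](?:/(\d+))?")

def lint_line(line):
    """Return findings for the IPv6 client patterns on one access-control line."""
    line = line.strip()
    if line.startswith("#") or ":" not in line:
        return []
    # Everything after the first colon is treated as the client list (simplified).
    _daemons, rest = line.split(":", 1)
    findings = []
    for token in re.split(r"[\s,]+", rest.strip()):
        m = BRACKETED.fullmatch(token)
        if m:
            inner, prefix = m.group(1), m.group(2)
            if "/" in inner:
                findings.append("%s: prefix length must go outside the brackets" % token)
                continue
            try:
                ipaddress.IPv6Address(inner)
            except ValueError:
                findings.append("%s: not a valid IPv6 address" % token)
                continue
            if prefix is not None and int(prefix) > 128:
                findings.append("%s: prefix length exceeds 128" % token)
        elif token.count(":") >= 2:
            try:
                ipaddress.IPv6Network(token, strict=False)
            except ValueError:
                continue  # not an IPv6 literal, nothing to report
            findings.append("%s: IPv6 address must be enclosed in []" % token)
    return findings

# Constructed sample lines (documentation prefix 2001:0DB8::/32, as used on this page).
SAMPLE_LINES = [
    "sshd: [2001:0DB8::]/32",   # correct form
    "sshd: [2001:0DB8::/32]",   # prefix length inside the brackets
    "sshd: 2001:0DB8::15",      # address not bracketed
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(sample, "->", lint_line(sample) or "ok")
```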

The following operating systems have IPv6 support in their tcpwrappers:

  • MacOS X 10.4 and higher
  • Solaris 8 and higher
  • RedHat Enterprise Linux 4 and higher

(This is by no means a complete list. Readers are encouraged to expand it based on their experiences.)

WebAccess

It is possible to use WebAccess with IPv6-enabled web servers. If you are using Apache, you must set

CosignCheckIP never

in Apache's configuration. Otherwise IPv6 connections won't be authenticated by WebAccess.

Detail

A dual-stacked client connects to a dual-stacked, WebAccess-protected server over IPv6. The server redirects the client to WebAccess, which will use IPv4 (since WebAccess isn't IPv6-capable at the moment). The WebAccess server records the client's IPv4 address in its authentication token. The client is then redirected to the server, which will occur over IPv6.

The server then checks that the client's IP address (in this case an IPv6 address) matches the address in its WebAccess cookie (which will be the IPv4 address the client used to connect to webaccess.psu.edu). Obviously, an IPv4 and IPv6 address won't match. The CoSign module on the server won't authorize the client, as it will think the client's cookie has been stolen.

To disable this address check, one must set CosignCheckIP as described above.

Platform-specific Notes

VMware

VMware has a whitepaper on IPv6 support in Virtual Infrastructure 3. In short, guest VMs support IPv6, but IPv6 checksum offload isn't supported on vNICs. The vCenter Server and VI Client do not support IPv6.

The VMware Guest OS Installation Guide lists several issues with IPv6:

  • On some Linux distributions, VMware tools can't be configured if IPv6 is enabled. To install it, disable IPv6 first.

vSphere 4.0 has significantly improved IPv6 support. Specifically:

  • IPv6 TSO and checksum offloading
  • Service Console is reachable over IPv6
  • vmkernel has IPv6 support
  • IP storage supports IPv6

vSphere 4.1 further improved IPv6 support, including gaining IPv6 certification. vSphere 4.1 supports IPv6 for:

  • Guest virtual machines 
  • ESX/ESXi management 
  • vSphere client 
  • vCenter Server 
  • vMotion 
  • IP storage (iSCSI, NFS), experimental

Note that IPv6 is disabled by default when installing ESX 4.1. You can enable IPv6 for the COS and VMkernel from the command line and from Networking Properties.

To enable IPv6 from the command line:

For ESX 4.1 – # esxcfg-vswif -6 true
For ESXi 4.1 – # esxcfg-vmknic -6 true

To enable IPv6 from the GUI, in vCenter Server, select the host, click Configuration > Networking > Properties. Select Enable IPv6 support on this host system.

z/OS

z/OS gained IPv6 support in Release 1.4. IBM has a PDF, z/OS V1R9.0 Communications Server: IPv6 Network & Application Design Guide, with additional configuration information. See also Communications Server for z/OS V1R9 TCP/IP Implementation Volume 1: Base Functions, Connectivity, and Routing, Appendix A.

To run z/OS Communications Server in dual-stack, the OSA-Express ports must be in QDIO mode. The only link layer protocol that supports IPv6 is MPC+. The devices that use the MPC+ protocol are XCF, MPCPTP, and MPCIPA (for example, OSA-Express in QDIO mode and HiperSockets on the System z9).

To enable IPv6 (in dual-stack mode), you must code both AF_INET and AF_INET6 in SYS1.PARMLIB(BPXPRMxx). IPv6 is not enabled by default.

Mac OS X

Mac OS X configures link-local loopback (fe80::1).

The netstat(1) command truncates IPv6 addresses by default. To print the full address, use `netstat -l`.

Solaris 10

Solaris 10 does not configure link-local loopback (fe80::1).

The last(1) command normally truncates the hostname column. To list the full IPv6 address, use `last -a`. That will list the hostname at the end of the line, and not truncate it.

FreeBSD

FreeBSD configures link-local loopback (fe80::1).

Linux

Linux does not configure link-local loopback (fe80::1).

The RedHat Satellite Server does not support IPv6, as it's based on an old version of RHEL and Apache (1.3). See this bug for more information.

Explanation of values in /proc/sys/net/ipv6

Linux's network stack has a global ECN flag that applies to both IPv4 and IPv6. It is not possible to disable ECN for IPv4 but leave it enabled for IPv6.

The following ethernet drivers support IPv6 checksum offloading: bnx2, s2io, tg3.
The following ethernet drivers support IPv6 TSO: bnx2, bnx2x, e1000, e1000e, igb, ixgbe, myri10ge, netxen, s2io, tg3.

IPv6 enhancements by kernel version:

Linux 2.6.12 (June 2005) removed IPv6's "experimental" status.

Linux 2.6.15 (January 2006) added IPv6 connection tracking support to netfilter.

Linux 2.6.18 (September 2006) added hardware TSO support for tg3.

Linux 2.6.19 (November 2006) added Mobile IPv6 and support for multiple IPv6 routing tables.

Linux 2.6.20 (February 2007) added per-interface statistics for IPv6 and hardware TSO for e1000.

Linux 2.6.21 (April 2007) added support for NFS over IPv6.

Linux 2.6.22 (July 2007) added IPv6 support to the in-kernel CIFS client. The stock kernel required you to use an IPv6 address when mounting. Erion provided a patch to enable IPv6 hostnames (AAAA) to be used. It also added TSO and checksum offload for bnx2.

Linux 2.6.23 (October 2007) added a general framework for IPv6 checksum offload and enhanced ethtool to report this capability.

Linux 2.6.24 (January 2008) fixed several NFS-over-IPv6 bugs and added hardware TSO for myri10ge. It also added stateful connection tracking to ip6tables, the Linux software firewall.

Linux 2.6.26 (July 2008) improved NFS-over-IPv6 support, added TCP syncookie support for IPv6, improved multicast support, and added support for Source Address Selection (RFC 5014).

Linux 2.6.28 (December 2008) continued to work on NFS-over-IPv6 support, improved netfilter v6 support (xt_recent), and added IPv6 support to IPVS.