- DNS Issues
- Enabling/Disabling Privacy Addresses
- Static IPv6 addresses
- Platform-specific Notes
Hostnames are mapped to IPv6 addresses by AAAA records in the DNS. Not all nameservers properly support queries for AAAA records.
There are two categories of bugs:
1) Nameservers which silently ignore AAAA queries. BIND 4 is notorious for this bug. This bug causes clients to wait for their AAAA query to timeout and frequently leads to the perception that "IPv6 is slow."
2) Nameservers which improperly respond to AAAA queries. It is common for a host to have an A record, but not AAAA records. When a namserver received a AAAA query, it should respond with NODATA, indicating that it does not have an AAAA record, but does have records of other type. Some nameservers are broken and return NXDOMAIN, which indicates that the server does not have records of any type for the hostname. This causes clients not to query for A records. Microsoft has a KB article about this issue. See RFC 2308 for more on NXDOMAIN -vs- NODATA.
Enabling/Disabling Privacy Addresses
IT IS NOT RECOMMENDED THAT YOU ENABLE PRIVACY ADDRESSES
Windows 7 and Vista enable privacy extensions by default. There is currently no way to disable IPv6 privacy extensions via AD Group Policy, however a machine startup script with the following commands can be used to disable them:
Those commands can also be run manually, as Administrator, if you have a machine that is not a member of a Domain.
Mac OS X
Mac OS X does not use privacy addresses by default. To enable them, run this from Terminal:
To (optionally) set the temp. addr. lifetime (in seconds):
To make these settings persistent, you must add them to
Linux does not use privacy addresses by default. To enable them,
Solaris does not use temporary addresses by default. To enable them,
Then restart ndpd:
Static IPv6 addresses
Mac OS X
From the GUI:
System Preferences -> Network -> interface -> TCP/IP -> Configure IPv6.
From the command line:
In Solaris 8, 9 or 10 (in the global zone):
where XX is the host component of your static address.
(Solaris 10 only)
As root, run
Note: For a child zone, you must specify the full IPv6 address in the
set address= command. This is different from configuring the global zone, where you only specify the host component of the address (in
Note: When adding IPv6 to a child zone, you must add both the global address as well as a link-local address. Solaris will not automatically assign a link-local address for a child zone as it does for the global zone. Care must be taken when choosing a link-local address so as to not interfere with any other devices on the network.
Red Hat Enterprise Linux / Fedora
where x is your default router
where x is your static address
NOTE: At least on Fedora 9, IPV6_AUTOCONF should be in /etc/sysconfig/network, not /etc/sysconfig/network-scripts/ifcfg-ethn.
To configure multiple IPv6 addresses, use the
IPV6ADDR_SECONDARIES directive. For example,
Debian / Ubuntu
/etc/network/interfaces and add entries for inet6 to lo and eth0. E.g.:
See this link for troubleshooting tips.
To configure the address, run this as root:
To configure the router, run this as root:
More detailed information can be found in this white paper
IPv6 support has been built into the FreeBSD kernel since version 4.0 (March 2000). To enable it, edit
/etc/rc.conf and add:
To configure a static address, add this to
Where XXX is the name of the network interface (e.g., em0, fxp1, etc).
To assign a default router add this to
For more information, see the FreeBSD handbook.
This page also has useful information.
BusyBox has supported IPv6 since version 1.3.0 (December 2006), with significant improvements in version 1.4.0 (January 2007). Additional IPv6 support was added in 1.13.4 (DNS queries over IPv6).
See also the WireShark wiki page on IPv6.
This will capture only IPv6 traffic:
See also the WireShark IPv6 display filter reference.
To show IPv6 traffic (excluding ICMPv6) and all DNS queries for AAAA records:
There are two versions of tcpwrappers, one that supports IPv6 and one that does not. Make sure you have the IPv6-capable version. See the table below for details.
To use an IPv6 address in
hosts.deny, you must enclose that addresses in square brackets (see RFC 2732 for the gory details).
Allow all hosts on 2001:0DB8::/32 to connect to sshd:
Note that the prefix length (32) is outside the brackets!
The following operating systems have IPv6 support in their tcpwrappers:
- MacOS X 10.4 and higher
- Solaris 8 and higher
- RedHat Enterprise Linux 4 and higher
(this is by no means a complete list. Readers are encouraged to expand it based on their experiences).
It is possible to use WebAccess with IPv6-enabled web servers. If you are using Apache, you must set
in Apache's configuration. Otherwise IPv6-connections won't be authenticated by WebAccess.
A dual-stacked client connects to a dual-stacked, WebAccess-protected server over IPv6. The server redirects the client to WebAccess, which will use IPv4 (since WebAccess isn't IPv6-capable at the moment). The WebAccess server records the client's IPv4 address in its authentication token. The client is then redirected to the server, which will occur over IPv6.
The server then checks that the client's IP address (in this case an IPv6 address) matches the address in its WebAccess cookie (which will be the IPv4 address the client used to connect to webaccess.psu.edu). Obviously, an IPv4 and IPv6 address won't match. The CoSign module on the server won't authorize the client, as it will think the client's cookie has been stolen.
To disable this address check, one must set
CosignCheckIP as described above.
VMware has a whitepaper on IPv6 support in Virtual Infrastructure 3. In short, guest VMs support IPv6, but IPv6 checksum offload isn't supported on vNICs. The vCenter Server and VI Client do not support IPv6.
The VMware Guest OS Installation Guide lists several issues with IPv6:
- On some Linux distributions, VMware tools can't be configured if IPv6 is enabled. To install it, disable IPv6 first.
vSphere 4.0 has significantly improved IPv6 support. Specifically:
- IPv6 TSO and checksum offloading
- Service Console is reachable over IPv6
- vmkernel has IPv6 support
- IP storage supports IPv6
vSphere 4.1 further improved IPv6 support, including gaining IPv6 certification. vSphere 4.1 supports IPv6 for:
- Guest virtual machines
- ESX/ESXi management
- vSphere client
- vCenter Server
- IP storage (iSCSI, NFS)---experimental
Note that IPv6 is disabled by default when installing ESX 4.1. You can enable IPv6 for the COS and VMkernel from the command line and from Networking Properties.
To enable IPv6 from the command line:
To enable IPv6 from the GUI, in vCenter Server, select the host, click Configuration > Networking > Properties. Select Enable IPv6 support on this host system.
z/OS gained IPv6 support in Release 1.4. IBM has a PDF, z/OS V1R9.0 Communications Server: IPv6 Network & Application Design Guide, with additional configuration information. See also, Communications Server for z/OS V1R9 TCP/IP Implementation Volume 1: Base Functions, Connectivity, and Routing, Appendix A.
To run z/OS Communications Server in dual-stack, the OSA-Express posts must be in QDIO mode. The only link layer protocol that supports IPv6 is MPC+. The devices that use the MPC+ protocol are XCF, MPCPTP, and MPCIPA (for example, OSA-Express in QDIO mode and HiperSockets on the System z9).
To enable IPv6 (in dual-mode stack mode), you must code both AF_INET and AF_INET6 in SYS1.PARMLIB(BPXPRMxx). IPv6 is not enabled by default.
Mac OS X
Mac OS X configures link-local loopback (fe80::1).
The netstat(1) command truncates IPv6 addresses by default. To print the full address, use `netstat -l`.
Solaris 10 does not configure link-local loopback (fe80::1).
The last(1) command normally truncates the hostname column. To list the full IPv6 address, use `last -a`. That will list the hostname at the end of the line, and not truncate it.
FreeBSD configures link-local loopback (fe80::1).
Linux does not configure link-local loopback (fe80::1).
The RedHat Satellite Server does not support IPv6, as its based on an old version of RHEL and Apache (1.3). See this bug for more information.
Explanation of values in /proc/sys/net/ipv6
Linux's network stack has a global ECN flag that applies to both IPv4 and IPv6. It is not possible to disable ECN for IPv4 but leave it enabled for IPv6.
The following ethernet drivers support IPv6 checksum offloading: bnx2, s2io, tg3.
The following ethernet drivers support IPv6 TSO: bnx2, bnx2x, e1000, e1000e, igb, ixgbe, myri10ge, netxen, s2io, tg3.
IPv6 enhancements by kernel version:
Linux 2.6.12 (June 2005) removed IPv6's "experimental" status.
Linux 2.6.15 (January 2006) added IPv6 connection tracking support to netfilter.
Linux 2.6.18 (September 2006) added hardware TSO support for tg3.
Linux 2.6.19 (November 2006) added Mobile IPv6, support for multiple IPv6 routing tables.
Linux 2.6.21 (April 2007) added support for NFS over IPv6.
Linux 2.6.22 (July 2007) added IPv6 support to the in-kernel CIFS client. The stock kernel required you to use an IPv6 address when mounting. Erion provided a patch to enabled IPv6 hostnames (AAAA) to be used. It also added TSO and checksum offload for bnx2.
Linux 2.6.23 (October 2007) added a general framework for IPv6 checksum offload and enhanced ethtool to report this capability.
Linux 2.6.24 (January 2008) fixed several NFS-over-IPv6 bugs and added hardware TSO for myri10ge. It also added stateful connection tracking to ip6tables, the Linux software firewall.
Linux 2.6.28 (December 2008) continued to work on NFS-over-IPv6 support, improved netfiler v6 support (xt_recent), and added IPv6 support to IPVS.