Monday, February 18, 2013

IPv6 anyone?

Recently, I was fiddling in a terminal and I noticed something strange: a bunch of connections going to IPv6 addresses.

A while back, I subscribed to Hurricane's TunnelBroker and I got my own networks, a /48 and a /64. However, this IPv6 was not one of them, and I was really sure that the tunnel was done. Actually, the tunnel terminated on a small cisco router that's been sitting quietly in a cupboard for a few weeks.

Here is the output of my "ifconfig":

em1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet  netmask  broadcast
        inet6 2a00:1028:838a:1d8e:21d:60ff:fe04:f31c  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::21d:60ff:fe04:f31c  prefixlen 64  scopeid 0x20<link>
        ether 00:1d:60:04:f3:1c  txqueuelen 1000  (Ethernet)
        RX packets 442625  bytes 241048181 (229.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 482924  bytes 92626306 (88.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

The IPv6 2a00:1028:838a:1d8e:21d:60ff:fe04:f31c subnet belongs to my provider, O2 Czech Republic (or Telefonica). So ... My ISP supports native IPv6? Cool!

Let's go further: as there is nothing in my small router's web interface, let's have a look through the CLI. Yep,  both the inside (br0) and outside (ppp0) interfaces have IPv6. Quite expected!

br0       Link encap:Ethernet  HWaddr B0:B2:DC:16:3A:4C  
          inet addr:  Bcast:  Mask:
          inet6 addr: 2a00:1028:838a:1d8e::1/64 Scope:Global
          inet6 addr: fe80::1/64 Scope:Link
          RX packets:3932310 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4920649 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:633818668 (604.4 MiB)  TX bytes:43890958 (41.8 MiB)

ppp0      Link encap:Point-Point Protocol  
          inet addr:  P-t-P:  Mask:
          inet6 addr: 2a00:1028:838a:1d8c::1/64 Scope:Global
          inet6 addr: fe80::b2b2:dcff:fe16:3a4c/10 Scope:Link
          RX packets:4873418 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3806955 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:4266450464 (3.9 GiB)  TX bytes:623147288 (594.2 MiB)

When confronted to that, my first reaction is "Gosh! Firewall!". Here, that's fine: the firewall is configured to block everything that's not originating inside. This is confirmed by an online IPv6 scanner.

But then: "what if I put a rule that allows an IP on the Inside to be pinged from the Internet?"

Let's try it. It's only a try so I put the entry directly into the IPv6 FORWARD table. I found several sites that offer the ability to run a ping test to an IPv6 host. Here is the one I used. As expected, there are replies, versus none before the line was added.

Weird part is I do remember checking a few weeks ago and I had no IPv6 connectivity. So what happened?

On New Year's eve, my previous provider's supplied router died. So after a few calls and a few days, a tech from O2 showed up with a new router. I didn't really pay attention at the time, as I was quite busy with a number of other things.

The Model Number is P-660HN-T3A_IPv6, apparently a model specific to O2. When I looked up on the Zyxel website, I couldn't find any matching firmware; the latest vendor provided firmware dates back to 2011. Searching for "O2 IPv6" returns a few hits. However and funnily enough, it states that the P-66HN-T3A doesn't support IPv6 yet ...

Now, I have to contact my server hosting company in France, so they activate IPv6 as well. 

And one more task on my to-do list: continue playing with IPv6.