Default system IPv6 address

Need help? Ask here.

Moderator: Moderators

Re: Default system IPv6 address

Postby user00265 » Thu Apr 26, 2012 1:06 pm

user00265 wrote:Just as a follow-up, I've been messing with this and it seems to be related to ip6tables entries. I'm narrowing down the suspects. Seems that the default DROP policy for INPUT is the culprit, not matching some packets, even when there is a explicit rule to allow them through.


One more look at the iptables rules revealed that packets were being dropped by the default INPUT policy, but not all of them were! That was what this issue became after tweaking. However, because of that tweaking I inserted a rule to allow ICMPv6, but only for the main IP and not the rest of the IPs. I had forgotten about this and have now fixed it... All addresses are now reachable from various IPv6 endpoints around the world (suck that, Verizon!). With some exceptions that couldn't find me: core1.sjc2.he.net

And one item worthy of note: there's a few different routers before the final router my server is at (sw-airway0), which depends on the route, but there's one without reverse hostname coming up: 2607:fe70::2:1 -- I know another router I frequently get is core0-eth2.
Elisamuel Resto
Simply Sam, LLC
user00265
 
Posts: 18
Joined: Wed Apr 28, 2010 7:45 pm
Location: Chatfield, MN

Re: Default system IPv6 address

Postby Seth » Thu Apr 26, 2012 2:51 pm

ICMPv6 is critical to IPv6 and it won't work without it, unlike IPv4 where you can get away with blocking it at the expense of breaking things like path MTU discovery. I generally don't recommend filtering any ICMP for best performance.

As far as our network, we have an asymmetric environment and packets can pass through any one of several parallel core, edge or border routers, including multuple IPv6 native upstream providers.
Seth
Site Admin
 
Posts: 265
Joined: Sun Aug 30, 2009 10:44 pm
Location: Nevada

Re: Default system IPv6 address

Postby user00265 » Thu Apr 26, 2012 2:56 pm

Seth wrote:ICMPv6 is critical to IPv6 and it won't work without it, unlike IPv4 where you can get away with blocking it at the expense of breaking things like path MTU discovery. I generally don't recommend filtering any ICMP for best performance.

I had that in to explicitly allow ICMPv6 (any type), since the default INPUT policy is DROP... but I just limited it to the servers' main IPv6 address... it now answers for the whole /48 if asked for any ICMPv6 type. I also did the same for IPv4 (allow all ICMP packets through).

Seth wrote:As far as our network, we have an asymmetric environment and packets can pass through any one of several parallel core, edge or border routers, including multuple IPv6 native upstream providers.

Yeah, I understand that, just the fact that I see proper hostnames pretty much anywhere that relates to a Roller Networks' equipment, but this particular address has none, that is all.
Elisamuel Resto
Simply Sam, LLC
user00265
 
Posts: 18
Joined: Wed Apr 28, 2010 7:45 pm
Location: Chatfield, MN

Re: Default system IPv6 address

Postby user00265 » Thu Apr 26, 2012 2:59 pm

Oh, right right... should I use MYV6HERE::1 as the default gateway for IPv6 or can I use airway's link-local address?
Elisamuel Resto
Simply Sam, LLC
user00265
 
Posts: 18
Joined: Wed Apr 28, 2010 7:45 pm
Location: Chatfield, MN

Re: Default system IPv6 address

Postby Seth » Thu Apr 26, 2012 3:04 pm

The IPv6 reverse zone file may have a typo in it, I'll take a look.
Seth Mattinen, Roller Network LLC
Seth
Site Admin
 
Posts: 265
Joined: Sun Aug 30, 2009 10:44 pm
Location: Nevada

Re: Default system IPv6 address

Postby Seth » Thu Apr 26, 2012 3:12 pm

user00265 wrote:Oh, right right... should I use MYV6HERE::1 as the default gateway for IPv6 or can I use airway's link-local address?


I leave RA enabled by default so it will announce your gateway. You can safely disable the autoconf address and use a static IP while still listening for the gateway, that's what I do for servers. I believe the announced gateway is the link local, but using ::1 statically should work too. All our customers get their own VLAN with their subnet assignments so there isn't any risk from rouge RA since everyone is separated at layer 2.
Seth Mattinen, Roller Network LLC
Seth
Site Admin
 
Posts: 265
Joined: Sun Aug 30, 2009 10:44 pm
Location: Nevada

Re: Default system IPv6 address

Postby Seth » Thu Apr 26, 2012 3:18 pm

This is how I configure an IPv6 static on Debian:

Code: Select all
iface eth0 inet6 static
    address 2001:0DB8:107:400::a
    netmask 64
    pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf


It learns the gateway with RA. The netmask is probably redundant with RA but I put it in manually anyway.
Seth Mattinen, Roller Network LLC
Seth
Site Admin
 
Posts: 265
Joined: Sun Aug 30, 2009 10:44 pm
Location: Nevada

Previous

Return to Support

Who is online

Users browsing this forum: No registered users and 2 guests

cron