My tale of IPv6 blues

My ISP provider is KPN. They recently enabled IPv6 in my street. I was using before a IPv6 Tunnel Broker, starting with SixXS and after they went out, with Hurricane Electric. So naturally, I decided to switch to KPN's native IPv6 service.

They provide a /64 prefix, which is reasonable. Would be better if they provided a /48, but /64 is better than other providers.

So to start using KPN as the IPv6 turned out very easy. Their default configuration works right out of the box if you have single flat network.

I used to have a router/FW between the KPN modem and my network, but at some point I decided to go for a flat network design. With this, (without having to do anything) once KPN enabled IPv6, all my equipment that was IPv6 capable started using IPv6. It was like magic.

I run a number of server systems in my home network, using Alpine Linux as its operating system.

For some reason, these servers would be able to use IPv6 at first (either via static configuration or auto-configuration), but stop working after a few minutes (often after 65 seconds).

Things worked fine for my void-linux systems. These use NetworkManager so I guess this helps.

Even googling around I was not able to find a solution. Apparently doing this would re-enable things:

ip -6 a del $ip6_addr dev $IFACE
ip -6 a add $ip6_addr dev $IFACE

So what I did is, I wrote a small little script that would run every 45 seconds, and do this:

ip -6 address save dev $IFACE scope global > $savefile
ip -6 address flush dev $IFACE scope global
ip -6 address restore < $savefile 2>&1 | grep -v 'RTNETLINK answers: File exists' || :

Again, I have no idea what is going on.

Eventually I changed my set-up to have something like this:

KPN modem router HOME NETWORK

The router in between does Network Address Translation and Firewalling. The reasons I chose this is:

  • More natural way of handling incoming connections
  • Makes it possible to switch ISP's easier, down the line. Alternatively, would make it possible to load-balance between two ISPs.
  • Can use iptables for firewally. I recognize that this is only good for a geek like me though.

This causes problems with my IPv6 set-up because now I have two segments.

The KPN modem, assumes a flat network (with /64). Since I can't create routes in the KPN modem then the only option would have been to NAT. However the general concensus is NOT to NAT IPv6. See this article for example.

An alternative would have been to split the /64 into /80 segments. Unfortunately, that doesn't work as a lot of the software out there assumes that the network part of the IPv6 address is at most 64 bits.

Linux has a feature built-in to the kernel called proxy_ndp. For example,

The problem is that this does not scale well as the proxy address needs to be statically configured.

There are daemons that claim to proxy NDP for ranges:

These however did not work for me.

So I wrote my own script to manage kernel proxy_ndp entries myself. Essentially it does the following:

  • listen on ip monitor for IPv6 neighbor messages
  • add and remove kernel data

The whole script can be found here.

Another approach is to use dnsmasq and can be found here.