New and Shiny – Comcast IPv6

A few months ago Comcast began publicizing their IPv6 trials for their customers. For those who don’t have a lot of spare time, IPv6 is the next addressing system for the Internet. Currently IPv4 is the predominant addressing system, with each address akin to a phone number. With the growing number of people using the global Internet, these numbers are bound to run out. Various predictions have put this exhaustion, the Internet apocalypse, anywhere from tomorrow to a hundred years from now. IPv6, among other things, offers a near-limitless number of addresses (2^128 for the curious).

Comcast, loved or hated, started IPv6 trials on their own network, turning up customers on their (trial?) IPv6 network. Since IPv6 is not in widespread use today, and not all destinations on the Internet can handle v6 requests, there are several stop-gap solutions. One of them is IPv6 6RD, where RD stands for “Rapid deployment.” From my little understanding, this allows Comcast customers to encapsulate v6 traffic inside v4 packets through Comcast’s network to the IPv6-enabled destinations.

Without further ado, this is how I did it (minus the several weeks of head-banging frustration that ensued):

Comcast provides their customers with some network addressing information:

IPv6 prefix = 2001:55c::/32
6rd BR FQDN = 6rd.comcast.net
IPv4 prefix length = 0

Having only a very cursory knowledge of IPv6 addressing, I stumbled my way through the configuration. The IPv6 prefix determines the breadth of Comcast’s v6 network: which bits are network bits and which are host bits. The BR FQDN (border router, fully qualified domain name) is the IPv4 hostname of the gateway to which my firewall connects to reach the “v6 Internet.” IPv6 packets are encapsulated inside v4 packets and passed through this border router for further transit.

On to the configuration. First off, I use OpenBSD 4.7 on my firewall/router. It runs on a little embedded box, using pf as the firewall packet filter.

First we must set some system variables via sysctl (on the command line, and also in /etc/sysctl.conf so they survive a reboot):

net.inet6.ip6.accept_rtadv=0
net.inet6.ip6.forwarding=0

The first variable tells your machine not to accept router advertisements (that is, not to act like a DHCP client accepting network configuration), and the second tells your machine not to forward IPv6 packets. IPv6, unlike IPv4, for the most part obviates the need for NAT. Therefore, if this value were '1', you would be forwarding v6 traffic from the external Internet to all v6-enabled devices on your home network. Unless you really intend to open up your home network to the entire Internet, keep this value at 0 for now.

I created a little shell script that creates the tunnel interface (gif0), and then configures the interface and default routes.

#!/bin/sh -x
# External IPv4 address of the WAN interface (vr0), taken from ifconfig output
WANIP=`ifconfig vr0 | grep -v inet6 | grep inet | awk '{print $2}'`
# IPv4 address of Comcast's 6rd border router, resolved from the FQDN they publish
HOSTRD=`host 6rd.comcast.net | awk '{print $4}'`
# The four octets of WANIP as two hex groups: the part of my prefix that 6rd derives from the IPv4 address
V6PREFIX=`printf '%02x%02x:%02x%02x' $(echo $WANIP | tr . ' ')`
# Recreate the IPv6-over-IPv4 tunnel interface from scratch
ifconfig gif0 destroy
ifconfig gif0 create
# Outer IPv4 endpoints: my WAN address and the border router
ifconfig gif0 tunnel ${WANIP} ${HOSTRD}
# Inner IPv6 address: Comcast's /32 plus my derived bits, host ::1
ifconfig gif0 inet6 2001:55c:${V6PREFIX}::1 prefixlen 32
ifconfig gif0 up
# Send all IPv6 traffic without a more specific route out over the tunnel
route -n add -inet6 default ::1 -ifp gif0

The nasty bits are mostly in the first three variables:
WANIP is the external IPv4 address of my firewall.
HOSTRD is the IPv4 address of Comcast’s IPv6 border router.
V6PREFIX takes WANIP and converts the IP into its hexadecimal equivalent. This is the format used in IPv6 addresses, and it makes up the rest of my personal IPv6 prefix.

Most of the script is self-explanatory, and large chunks are stolen from others on the Comcast IPv6 message boards. I have set my external IPv6 tunnel interface to $prefix::1, and set the route for all IPv6 traffic to go out over the gif0 tunnel interface.
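As an added example (not the post's own script), here is the 6rd address mapping the script above performs, written as shell functions that also take the IPv4 prefix length Comcast sets to 0, and that do the reverse mapping a border router does when it unwraps a packet. It assumes a /32 6rd prefix passed as its first two hextets ("2001:55c"), addresses in the full 2001:55c:XXXX:XXXX::1 form, and a shell with 64-bit arithmetic; the sample addresses are constructed from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Constructed example: 6rd prefix derivation for any IPv4 prefix length,
# generalising the IPv4MaskLen=0 case the Comcast script handles.

# v4_to_int <dotted quad>: print the address as a 32-bit integer.
v4_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# sixrd_prefix <6rd /32 prefix> <IPv4MaskLen> <WAN IPv4>
# The top IPv4MaskLen bits of the WAN address are shared by the whole 6rd
# domain and dropped; the remaining 32-IPv4MaskLen bits are placed right
# after the 6rd prefix, so the delegated prefix length is 32 + (32 -
# IPv4MaskLen): a /64 with Comcast's IPv4 prefix length of 0.
sixrd_prefix() {
    v4bits=$(( ($(v4_to_int "$3") << $2) & 0xffffffff ))
    printf '%s:%x:%x::/%d\n' "$1" $(( v4bits >> 16 )) $(( v4bits & 0xffff )) $(( 64 - $2 ))
}

# sixrd_ipv4 <6rd /32 prefix> <IPv4MaskLen> <shared IPv4 prefix> <6rd IPv6 address>
# Recovers the IPv4 tunnel endpoint behind a 6rd address: hextets 3 and 4
# carry the customer's IPv4 bits, and the shared prefix supplies the
# IPv4MaskLen bits the address does not carry.  Anyone can do this, which is
# why a 6rd prefix reveals the customer's public IPv4 address.
sixrd_ipv4() {
    pfx=$1; masklen=$2; shared=$(v4_to_int "$3"); addr=$4
    oldifs=$IFS; IFS=:; set -- $addr; IFS=$oldifs
    [ "$1:$2" = "$pfx" ] || { echo "not a $pfx 6rd address: $addr" >&2; return 1; }
    v4bits=$(( (0x$3 << 16) | 0x$4 ))
    # keep only the top masklen bits of the shared prefix, append the rest
    v4=$(( (shared & ~((1 << (32 - masklen)) - 1)) | (v4bits >> masklen) ))
    printf '%d.%d.%d.%d\n' $(( v4 >> 24 & 255 )) $(( v4 >> 16 & 255 )) \
        $(( v4 >> 8 & 255 )) $(( v4 & 255 ))
}

# Comcast's parameters with a constructed WAN address:
sixrd_prefix 2001:55c 0 198.51.100.1                  # 2001:55c:c633:6401::/64
sixrd_ipv4 2001:55c 0 0.0.0.0 2001:55c:c633:6401::1   # 198.51.100.1
```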

At this point, if pf is disabled (and therefore all packets are allowed through to your machine), you should be able to ping6/traceroute6 to various IPv6-enabled Internet sites. These include ipv6.google.com, http://www.kame.net and ipv6.comcast.net.

# traceroute6 ipv6.google.com
traceroute6: Warning: ipv6.l.google.com has multiple addresses; using 2001:4860:800f::63
traceroute6 to ipv6.l.google.com (2001:4860:800f::63) from 2001:55c:MY:PREFIX::1, 64 hops max, 12 byte packets
1  2001:55c:MY:PREFIX::1  21.491 ms  19.103 ms  22.759 ms
2  2001:558:e0:52::1  20.734 ms  19.227 ms  16.623 ms
3  2001:558:e0:24::1  17.903 ms  18.821 ms  19.193 ms
4  te-0-3-0-4-cr01.newyork.ny.ibone.comcast.net  21.704 ms  23.512 ms  24.715 ms
5  pos-1-12-0-0-cr01.mclean.va.ibone.comcast.net  27.821 ms  41.616 ms  31.4 ms
6  pos-0-3-0-0-pe01.ashburn.va.ibone.comcast.net  25.451 ms  34.823 ms  25.43 ms
7  2001:558:0:f749::2  29.801 ms  39.119 ms  33.211 ms
8  Vlan22.icore1.AEQ-Ashburn.ipv6.as6453.net  34.592 ms  36.29 ms  33.039 ms
9  pr61.iad07.net.google.com  34.766 ms  34.493 ms  39.389 ms
10  2001:4860::1:0:9ff  34.941 ms  35.911 ms  32.12 ms
11  2001:4860:0:1::149  37.298 ms 2001:4860:0:1::14b  48.993 ms 2001:4860:0:1::149  37.446 ms
12  iad04s01-in-x63.1e100.net  36.593 ms  31.367 ms  33.089 ms

This post only covers getting your gateway machine speaking IPv6. I have been able to wire up the rest of my internal LAN using rtadvd and give those machines IPv6 access. There are a lot more pieces here, including rtadvd and packet filtering, whose interaction I don’t yet fully understand; they will require another post.