In this chapter, we will be our migration to IPv6. We will start by giving the BGP-speaking routers the ability to route IPv6 addresses.
IPv6 adds many features on top of what is offered by IPv4. The most frequently heard new feature is the far larger address space, especially as we run out of IPv4 addresses out on the (real) internet. Other features include built-in encryption (using IPsec), built-in multicast routing, and others.
IPv6 allows an interface to have multiple addresses, and introduces the concept of different types of addresses. Link-local addresses are only routed on the local network, similar in some ways to addresses like 192.168.0.0/24 in IPv6. Routers out on the internet will not forward packets sent to link-local addresses. There are also multicast addresses, which forward packets out to members of its multicast group. There are also anycast addresses, which allow multiple computers to have the same IP address; other computers simply end up communicating with the one closest to them in the network. For a much more in-depth discussion on IPv6 concepts, check out http://en.wikipedia.org/wiki/IPv6_Address
We'll begin by making the BGP-speaking routers on the backbone IPv6 capable. Start up backbone1, and run ifconfig to look at the interfaces we have configured.
Looking at the loopback interface, we see that the IPv4 address is 127.0.0.1, as expected. We also see that it has an IPv6 address assigned - "::1". This is the standard address for the loopback interface, like 127.0.0.1 for IPv4. If you try:
ping6 ::1
you should see a response. Note that ping6 is just the ping command for IPv6.
From the ifconfig output, we can see that all of the interfaces have a link-local address starting with fe80. These addresses are automatically assigned to each interface, and are only routable on the local network.
As a test, try
ping6 fe80::1
which should be the link-local address of the loopback interface. You'll see that we get a "Network is unreachable" error. For the link-local address, we actually need to specify which interface we are sending the packets from:
ping6 fe80::1%lo0
Now we get a response.
Now let's try to assign some regular IPv6 addresses. In backbone1, assign an address to interface em1 (which is the interface to backbone2):
sudo ifconfig em1 inet6 2001:0:15::1 prefixlen 48
In backbone2, assign the following address:
sudo ifconfig em0 inet6 2001:0:15::100 prefixlen 48
Note that you specify inet6 instead of inet for these IPv6 commands. Also note that specifying the prefix length has the same effect as specifying the netmask for IPv4 addresses.
At this point, you can ping backbone2 from backbone1:
ping6 2001:0:15::100
Of course, using the ifconfig command means that the changes you make will disappear once the computer is rebooted. Just like IPv4, you can put the IPv6 settings in the /etc/hostname.if files. You can refer to Figure 1.4 for a diagram of our virtual internet with IPv6 addresses. On backbone1, edit /etc/hostname.em0 and add the following line:
inet6 2001:0:10::100 48
Edit /etc/hostname.em1 and add:
inet6 2001:0:15::1 48
Edit /etc/hostname.em2 and add:
inet6 2001:0:100::1 64
Edit /etc/hostname.em3 and add:
inet6 2001:0:150::1 64
This sets the IPv6 addresses for all 4 interfaces.
Next, on backbone2, make the following changes:
Edit /etc/hostname.em0 and add:
inet6 2001:0:15::100 48
Edit /etc/hostname.em1 and add:
inet6 2001:0:20::1 48
Edit /etc/hostname.em2 and add:
inet6 2001:0:125::1 64
Edit /etc/hostname.em3 and add:
inet6 2001:0:75::1 64
Finally, on backbone3, make the following changes:
Edit /etc/hostname.em0 and add:
inet6 2001:0:20::100 48
Edit /etc/hostname.em1 and add:
inet6 2001:0:50::1 48
Edit /etc/hostname.em2 and add:
inet6 2001:0:55::1 48
Reboot all three VMs for the changes to take effect.
Note that at this point, each VM can ping its neighbor, but backbone1 can't ping backbone3, and vice-versa. Just like with IPv4, we need to maintain routing tables to know where to forward packets. In this case, backbone1 doesn't know from which interface to send out a packet going to backbone3.
BGP will also be used to exchange routing information for IPv6 networks. Since we already have OpenBGPD up and running, it will only take some minor tweaking to have it working with IPv6.
In backbone1, edit /etc/bgpd.conf First, we need to establish a connection with neighboring ASes over IPv6. In order to accomplish this, we'll first add the macros for the IPv6 addresses at after the macros for the IPv4 addresses:
border_ipv6="2001:0:10::1" backbone2_ipv6="2001:0:15::100" isp2_ipv6="2001:0:100::100" isp_ipv6="2001:0:150::100"
We'll then add the neighbor statements just like we did for IPv4:
neighbor $border_ipv6 {
remote-as 65999
descr "border IPv6"
holdtime 180
holdtime min 3
announce all
tcp md5sig password backbone1-border-pswd
}
neighbor $backbone2_ipv6 {
remote-as 65002
descr "backbone2 IPv6"
holdtime 180
holdtime min 3
announce all
tcp md5sig password backbone1-backbone2-pswd
}
neighbor $isp2_ipv6 {
remote-as 65100
descr "gateway.isp2.sam IPv6"
holdtime 180
holdtime min 3
announce all
tcp md5sig password backbone1-isp2-pswd
}
neighbor $isp_ipv6 {
remote-as 65150
descr "gateway.isp.sam IPv6"
holdtime 180
holdtime min 3
announce all
tcp md5sig password backbone1-isp-pswd
}Next, we need to announce the IPv6 networks. At the end of the section where all of the announced IPv4 networks are listed, add the following:
network 2001:0:10::/48 network 2001:0:15::/48
Finally, we need to add a filter rule to allow the IPv6 addresses. After the allow line for IPv4 networks, add:
allow from any inet6 prefixlen 8 - 48
That's all we need to do. At this point, kill the bgpd parent process and restart it with sudo bgpd. A quick
bgpctl show rib
should show the IPv6 networks which are now being announced.
For backbone2, edit /etc/bgpd.conf and add the following:
...
backbone1_ipv6="2001:0:15::1"
backbone3_ipv6="2001:0:20::100"
isp3_ipv6="2001:0:125::100"
...
neighbor $backbone1_ipv6 {
remote-as 65001
descr "backbone1 IPv6"
holdtime 180
holdtime min 3
announce all
tcp md5sig password backbone1-backbone2-pswd
}
neighbor $backbone3_ipv6 {
remote-as 65003
descr "backbone3 IPv6"
holdtime 180
holdtime min 3
announce all
tcp md5sig password backbone2-backbone3-pswd
}
neighbor $isp3_ipv6 {
remote-as 65125
descr "gateway.isp3.sam IPv6"
holdtime 180
holdtime min 3
announce all
tcp md5sig password backbone2-isp3-pswd
}
...
network 2001:0:15::/48
network 2001:0:20::/48
network 2001:0:75::/48
...
allow from any inet6 prefixlen 8 - 48Again, kill the bgpd parent process and restart it.
Finally, for backbone3, edit /etc/bgpd.conf and add the following:
backbone2_ipv6="2001:0:20::1"
...
network 2001:0:20::/48
network 2001:0:50::/48
network 2001:0:55::/48
...
neighbor $backbone2_ipv6 {
remote-as 65002
descr "backbone2 IPv6"
holdtime 180
holdtime min 3
announce all
tcp md5sig password backbone2-backbone3-pswd
}
...
allow from any inet6 prefixlen 8 - 48Restart the bgpd process as before.
At this point, the output of bgpctl show rib on backbone1 should show routes announced by backbone3 (e.g. 2001:0:50::/48).
There is one little catch though. A ping6 2001:0:20::100 (pinging backbone3 from backbone1 over IPv6) doesn't work. That is because IPv6 forwarding is turned off by default. Go to backbone2 and issue:
sudo sysctl net.inet6.ip6.forwarding=1
Now, the ping command from backbone1 should work.
You can also do a traceroute over IPv6:
traceroute6 2001:0:20::100
To permanently enable IPv6 forwarding on the backbone VMs, edit /etc/sysctl.conf on each of the VMs and uncomment (or add) the following:
net.inet6.ip6.forwarding=1
That's all there is to setting up IPv6 networking and exchanging IPv6 routes in OpenBGPD. It was mostly just extending what we've already done for IPv4. As a matter of fact, perhaps the most valuable experience I personally got from going through all of this myself was to see that IPv6 isn't some magical new thing that I didn't understand, and was completely different from IPv4, and would take forever to learn. In the next chapters, we'll see how most protocols we're familiar with, e.g. HTTP, run pretty much the same over IPv6.
Before we finish the chapter, we'll just go and do the same thing on all of the other BGP-speaking routers.
On gateway.isp.sam, make the following changes.
Edit /etc/hostname.em0 and add:
inet6 2001:0:150::100 64
Edit /etc/hostname.em1 and add:
inet6 2001:0:150:1::1 64
Edit /etc/hostname.em2 and add:
inet6 2001:0:150:2::1 64
Edit /etc/bgpd.conf and add:
...
backbone1_ipv6="2001:0:150::1"
...
network 2001:0:150::/48
...
neighbor $backbone1_ipv6 {
remote-as 65001
descr "backbone1 IPv6"
holdtime 180
holdtime min 3
announce all
tcp md5sig password backbone1-isp-pswd
}
...
allow from any inet6 prefixlen 8 - 48Edit /etc/sysctl.conf and add/uncomment the following:
net.inet6.ip6.forwarding=1
Next, on gateway.isp2.sam, make the following changes.
Edit /etc/hostname.em0 and add:
inet6 2001:0:100::100 64
Edit /etc/hostname.em1 and add:
inet6 2001:0:101::1 64
Edit /etc/bgpd.conf and add:
...
backbone1_ipv6="2001:0:100::1"
router1_ipv6="2001:0:101::100"
...
network 2001:0:100::/48
network 2001:0:101::/64
...
neighbor $backbone1_ipv6 {
remote-as 65001
descr "backbone1 IPv6"
holdtime 180
holdtime min 3
announce all
tcp md5sig password backbone1-isp2-pswd
}
neighbor $router1_ipv6 {
remote-as 65101
descr "router1.projreality.sam IPv6"
holdtime 180
holdtime min 3
announce all
tcp md5sig password isp2-router1-pswd
}
...
allow from any inet6 prefixlen 8 - 48Edit /etc/sysctl.conf and add/uncomment the following:
net.inet6.ip6.forwarding=1
Next, on gateway.isp3.sam, make the following changes.
Edit /etc/hostname.em0 and add:
inet6 2001:0:125::100 64
Edit /etc/hostname.em1 and add:
inet6 2001:0:126::1 64
Edit /etc/hostname.em2 and add:
inet6 2001:0:127::1 48
Edit /etc/bgpd.conf and add:
...
backbone2_ipv6="2001:0:125::1"
router2_ipv6="2001:0:126::100"
...
network 2001:0:125::/48
network 2001:0:126::/64
network 2001:0:127::/48
neighbor $backbone2_ipv6 {
remote-as 65002
descr "backbone2 IPv6"
holdtime 180
holdtime min 3
announce all
tcp md5sig password backbone2-isp3-pswd
}
neighbor $router2_ipv6 {
remote-as 65126
descr "router2.projreality.sam IPv6"
holdtime 180
holdtime min 3
announce all
tcp md5sig password isp3-router2-pswd
}
...
allow from any inet6 prefixlen 8 - 48Edit /etc/sysctl.conf and add/uncomment the following:
net.inet6.ip6.forwarding=1
Next, on router1.projreality.sam, make the following changes.
Edit /etc/hostname.em0 and add:
inet6 2001:0:101::100 64
Edit /etc/hostname.em1 and add:
inet6 2001:0:210::1 64
Edit /etc/bgpd.conf and add:
...
isp2_ipv6="2001:0:101::1"
router2_ipv6="2001:0:210::2"
firewall_ipv6="2001:0:210::10"
...
...
neighbor $isp2_ipv6 {
remote-as 65100
descr "gateway.isp2.sam IPv6"
holdtime 180
holdtime min 3
announce all
tcp md5sig password isp2-router1-pswd
}
neighbor $router2_ipv6 {
remote-as 65126
descr "router2.projreality.sam IPv6"
holdtime 180
holdtime min 3
announce all
tcp md5sig password router1-router2-pswd
}
neighbor $firewall_ipv6 {
remote-as 65210
descr "firewall.projreality.sam IPv6"
holdtime 180
holdtime min 3
announce all
tcp md5sig password router1-firewall-pswd
}
...
allow from any inet6 prefixlen 8 - 48Edit /etc/sysctl.conf and add/uncomment the following:
net.inet6.ip6.forwarding=1
Next, on router2.projreality.sam, make the following changes.
Edit /etc/hostname.em0 and add:
inet6 2001:0:126::100 64
Edit /etc/hostname.em1 and add:
inet6 2001:0:210::2 64
Edit /etc/bgpd.conf and add:
...
isp3_ipv6="2001:0:126::1"
router1_ipv6="2001:0:210::1"
firewall_ipv6="2001:0:210::10"
...
...
neighbor $isp3_ipv6 {
remote-as 65125
descr "gateway.isp3.sam IPv6"
holdtime 180
holdtime min 3
announce all
tcp md5sig password isp3-router2-pswd
}
neighbor $router1_ipv6 {
remote-as 65101
descr "router1.projreality.sam IPv6"
holdtime 180
holdtime min 3
announce all
tcp md5sig password router1-router2-pswd
}
neighbor $firewall_ipv6 {
remote-as 65210
descr "firewall.projreality.sam IPv6"
holdtime 180
holdtime min 3
announce all
tcp md5sig password router2-firewall-pswd
}
...
allow from any inet6 prefixlen 8 - 48Edit /etc/sysctl.conf and add/uncomment the following:
net.inet6.ip6.forwarding=1
Next, on firewall.projreality.sam, make the following changes.
Edit /etc/hostname.em0 and add:
inet6 2001:0:210::10 64
Edit /etc/hostname.em1 and add:
inet6 2001:0:210:1::1 64
Edit /etc/hostname.em2 and add:
inet6 2001:0:210:2::1 64
Edit /etc/bgpd.conf and add:
...
router1_ipv6="2001:0:210::1"
router2_ipv6="2001:0:210::2"
...
network 2001:0:210::/48
...
neighbor $router1_ipv6 {
remote-as 65101
descr "router1.projreality.sam IPv6"
holdtime 180
holdtime min 3
announce all
tcp md5sig password router1-firewall-pswd
}
neighbor $router2_ipv6 {
remote-as 65126
descr "router2.projreality.sam IPv6"
holdtime 180
holdtime min 3
announce all
tcp md5sig password router2-firewall-pswd
}
...
allow from any inet6 prefixlen 8 - 48Edit /etc/sysctl.conf and add/uncomment the following:
net.inet6.ip6.forwarding=1
One catch with the firewall - if you try bgpctl show rib, the only IPv6 network is the one being announced by the firewall itself. Doing a bgpctl show neighbor [IPv6 address] on any of the neighbors shows that a BGP session is not established. This is because the firewall is still configured for IPv4 only - it is intentionally dropping all IPv6 packets, so the BGP packets sent over IPv6 don't get through. We will deal with this in the chapter on IPv6 firewalling. For now, issue a sudo pfctl -d to disable PF (simulation only - don't do this on a production system!), and verify that you can ping the firewall over IPv6 from, say, gateway.isp.sam