Introduction
IPv6 is an "emerging" technology that has been emerging for some time…at least in the U.S. Development on IPv6 began in the mid 1990’s and here we are in 2015 with most of the U.S. yet to implement IPv6. (Google statistics show that less than 14% of the US has adopted IPv6.)
Interest in IPv6 is increasing, though. With IPv4 addresses nearly exhausted, ISPs, network device manufacturers and even end-users are taking notice and deploying or working on implementing IPv6.
I covered some IPv6 terms and basics a few years back. So this article is intended as a practical how-to for moving a home/SOHO network to an IPv6 internet connection.
Before we start, it’s important to note that IPv4 and IPv6 are not mutually exclusive. In fact, you can and will likely use both at the same time. A network running both IPv4 and IPv6 is said to be “dual stacked.” IPv4 may be phased out over time. But it is likely we’ll be running in dual stack mode for some time.
Making The Switch
Step 1: Determine whether your Interent Service Provider (ISP) supports IPv6
The best way is to check your ISP’s help pages, or do a quick search using your ISP’s name and "IPv6". Or as a last resort, you could even call customer support.
The road to IPv6 was a long one for me. My ISP was Windstream and I wanted to experiment with IPv6. But Windstream didn’t support it. Periodically, I’d call customer service and ask if they supported IPv6. But the Windstream customer service usually didn’t understand my question and couldn’t provide an answer.
However, I recently switched to Time Warner as my ISP, prompted by a new customer promotion. After switching, I noticed on Time Warner’s website that “TWC has rolled out IPv6 to over 90% of its residential network”. So, I set about getting an IPv6 internet connection.
Step 2: Determine whether your modem and router support IPv6
ISPs that support IPv6 usually list supported devices. (Time Warner lists supported devices here.) My modem is a Motorola SB6121 and is listed as "approved for use with Time Warner Cable high-speed data services and supports IPv6." You can access the SB6121 at 192.168.100.1, but the only available option is to reset it. I didn’t have to change anything on the cable modem to enable IPv6.
Since I’m not using a Time Warner router, I was on my own figuring out if my router supports IPv6. Fortunately, I recently reviewed the Linksys LRT224 router and worked with one of their engineers, who assured me the LRT224 supports IPv6.
If you don’t have a friend at your router’s maker, dig into your router’s admin pages and look for IPv6 settings. The ones you want are usually found in the WAN configuration section. Here’s the relatively simple options provided on an old Linksys E4200. I suspect they would not be much help in getting a working IPv6 connection.
Linksys E4200 IPv6 WAN connection options
Here are more comprehensive options on a D-Link DIR-615, which look like they would provide a better shot at getting you connected.
D-Link DIR-615 WAN connection options
As noted earlier, other devices on your network, such as switches, access points, and internal network devices, do not need to support IPv6 for you to deploy IPv6. They will continue to operate at IPv4. But you should have at least one device that supports IPv6. You’ll need it to determine whether you have a proper IPv6 internet connection. Fortunately, Windows 7 and above and MacOS 10 both support IPv6.
Making the Switch – more
Step 3: Enable IPv6 on your router
To enable IPv6 on the LRT224, I enabled dual-stack in the IP Mode screen in the Setup > Network menu, as shown below.
Enable IPv6
Once I enabled dual-stack, I noticed the WAN interface on my router now had a global IPv6 address, but my PCs did not. A global IPv6 address is similar to what we refer to as a "public" IPv4 address. Global IPv6 addresses typically have a first digit of 2.
In addition to the IPv6 address on my WAN interface, I knew I needed a global IPv6 subnet (also known as a prefix) to assign to my LAN, but I had no idea how to get one. I called Time Warner for guidance, but received none, to put it politely. Eventually, I reached out to Linksys and they told me to enable the DHCP-PD feature on the router. DHCP-PD (PD = Prefix Delegation) is a component of DHCPv6, which is the version of DHCP used for IPv6 addressing.
In the below screenshot, you can see DHCP-PD enabled on the LRT224 and an IPv6 prefix successfully received from Time Warner. (Note, in the below screenshot and others throughout this article, I’ve replaced digits of my actual IPv6 addresses with “xxxx.” Since these are globally accessible IPv6 addresses, it isn’t wise to publish them on the Internet.)
DHCP-PD
With DHCP-PD enabled, an end user’s router will send a DHCPv6 request to the ISP for an IPv6 address and an IPv6 prefix. The ISP will respond with an IPv6 address for the router’s WAN interface and an IPv6 prefix the router can use for the LAN.
As shown in the below wireshark output of the DHCPv6 reply from Time Warner to my LRT224, I received a WAN IPv6 address of 2606:a000:dfc0:15:a1f4:4829:a55d:xxxx, a LAN IPv6 prefix length = 64 and a LAN prefix = 2606:a000:1205:xxxx:. Subsequently, and as I’ll show in Step 4, devices on my LAN will get an IPv6 address starting with 2606:a000:1205:xxxx.
DHCPv6 Wireshark trace
Note that a /64 prefix is typically the smallest IPv6 subnet assigned since it is required for SLAAC (stateless address autoconfiguration) to work (more on SLAAC shortly). But it’s possible to subnet an IPv6 address to a smaller subnet than /64 if you use DHCPv6 or static addressing. In case you’re wondering, a /64 IPv6 subnet is 264 addresses, i.e. 18,446,744,073,709,551,616. Enjoy!
Step 4: Get an IPv6 address on your device
This should happen automatically for IPv6-enabled devices. But a quick way to force it to happen on a Windows 7 or higher system is to type ipconfig /release and then ipconfig /renew from the command prompt. Once complete, type ipconfig /all. The output will look something like that below.
Notice the line labeled Temporary IPv6 address with an arrow next to it on the left. This is a global IPv6 address my PC uses when I go to a public IPv6 website. Notice that the first half of that address matches the prefix I received via DHCP-PD.
ipconfig /all
A new issue with IPv6 is Stateless Address Autoconfiguration (SLAAC). SLAAC is an IPv6 method devices use to request network information and generate their own unique IPv6 addresses without a DHCP server. Windows labels addresses generated via SLAAC as “Temporary.” In this case, the global IPv6 address my Windows PC is using has been generated via SLAAC.
SLAAC is considered a more efficient means of delivering IPv6 addresses, as a DHCP server isn’t needed and router resources aren’t consumed maintaining a list of devices and their associated address. The downside is SLAAC eliminates the convenience of viewing a DHCP table on the router, displaying devices and their IP addresses. On the LRT224, the DHCPv6 server is disabled by default. You can manually configure DHCPv6 on the LRT224, which would then provide the ability to see devices and their IPv6 addresses.
You’ll also notice an IPv6 device has multiple IPv6 addresses. It is common for a device to have multiple IPv6 addresses, each with a different purpose. In addition to global addresses, other IPv6 address types include link-local addresses, multicast addresses and unique local addresses.
Link-local addresses, which start with FE80, are automatically created by IPv6 enabled devices for local communication only and are not routable addresses. Multicast addresses, which start with FF, are used for various purposes, such as to request router information via IPv6 Neighbor Discovery Protocol (NDP). Unique local addresses, which start with FC, are similar to private addresses in IPv4. However, since Network Address Translation (NAT) is typically not used in IPv6, the use of unique local IPv6 addresses has limitations.
Clearly, all these addresses are going to require a change in the way we think about LAN address space!
Verification
IPv6 is now enabled on my network and all devices capable of running IPv6 should be good to go. My Windows 7 and Windows 8 PCs all had global IPv6 addresses without any configuration. My Macbook running MacOS 10.9.5 and my iPhone 4 running iOS 7.0.4 also had global IPv6 addresses without any action on my part.
To verify IPv6 is working, just browse to test-ipv6.com. This website will tell you the global IPv6 address used by your device and verify your IPv6 functionality. As you can see from the screenshot below, the test shows my PC is communicating via IPv6 over the Internet. Notice also that the IPv6 address detected by the IPv6 test site matches the IPv6 address displayed in the ipconfig /all output shown above.
Test IPv6
Another useful test is to type ping google.com from the command line. Google has enabled IPv6, and since IPv6 is now supported on my network, my PC will use IPv6 when communicating to an IPv6 enabled destination. As you can see from the ping output, I’m getting an IPv6 response from google.com to my ping.
Ping IPv6
The above test also illustrates the “intelligence” of IPv6. You don’t have to decide when to use IPv6. An IPv6 enabled device will use IPv6 when available and fall back to IPv4 when necessary. In the above example, my PC first did a DNS lookup on google.com and received both IPv6 and IPv4 addresses. You can try this yourself. On an IPv6-enabled system, type nslookup google.com from the command line. As you can see below, the DNS lookup returned both the IPv6 address and IPv4 addresses for google.com.
IPv6 and DNS
Security
As mentioned previously, IPv6 eliminates the need for NAT for IP address conservation. However, NAT’s "firewall" provides a measure of security by hiding the IPv4 addresses of LAN devices from the Internet. With global IPv6 addresses, NAT is not needed to share a measly single (temporary) IPv4 address, grudgingly assigned by your ISP; you have 18,446,744,073,709,551,616 addresses! But devices that haven’t made the jump to IPv6 will still need your router’s NAT to share that single IPv4 WAN IP. IPv6 traffic, on the other hand, will simply be routed.
Without NAT, I wondered whether the LRT224 firewall would provide any protection for devices with IPv6 addresses, so again I reached out to Linksys. Linksys informed me that the LRT224 firewall “by default will block a connection initiated from the WAN side unless access rules allow it.” So just because an IPv6 address is "global", doesn’t mean it can be freely accessed outside your LAN. Whew!
Further investigation of the LRT224 showed it had a section for both IPv4 and IPv6 in its firewall settings. Below is a screenshot of the IPv6 Access Rules. The default configuration on the LRT224 firewall is the same for both IPv4 and IPv6; all traffic initiated from the WAN blocked by default and all traffic initiated from the LAN allowed. As with IPv4, you can still open ports to a specific device, but that can be tricky, given the lack of DHCP client lists. I’ll come back to this in a follow-on piece.
IPv6 Firewall
Closing Thoughts
Certainly, there are pros and cons to IPv6. On the pro side, IPv6 provides unlimited addresses and resolves the issue with IPv4 address exhaustion. Another value to IPv6 is improved connectivity. NAT can be problematic for protocols like VPN tunnels and VoIP. NAT can cause call connection and call quality problems for VoIP users. NAT can also cause problems if you want to host a server, perhaps for gaming or some other purpose. Having a global IPv6 address on your VoIP device or game server removes NAT from the equation and improves connectivity.
IPv6 also opens up a lot of cool new technologies. Many IPv6 enabled routers support IPv6 technologies such as 6to4 and 6rd. 6to4 allows IPv6 packets to be sent over an IPv4 network. 6to4 can be useful if you’re trying to connect to a IPv6 destination and your ISP does not yet support IPv6. 6rd refers to IPv6 rapid deployment and is similar to 6to4, as it also provides a means to transmit IPv6 over an IPv4 network. IPv6 also holds the promise of increased security by supporting IPsec security between IPv6 endpoints.
I think the biggest downside to IPv6 is the lack of information and relative immaturity of the technology. I had the benefit of using a Linksys LRT224 with direct access to Linksys engineering to figure out DHCP-PD. However, the manual for the LRT224 doesn’t even mention DHCP-PD. Regarding maturity, IPv6 is not a new technology, but it is still new to ISPs, device manufacturers and customers. IPv6 has a lot more advantages than the few points I’ve mentioned, but it is going to take some time before those advantages are simplified enough so the majority of us can understand and use them.
My experience shows Time Warner has IPv6 working, at least in my area. Comcast also appears to be relatively far along in its deployment of IPv6. Here’s a link to Comcast’s IPv6 site and Comcast’s list of supported devices.
Once I got IPv6 working, I was surprised at how easy it was to set up…once I knew how. I really only had to enable dual-stack and DHCP-PD. My new dual stack network seems to be just as stable and as fast as it was before I enabled IPv6. For the masses to use IPv6, though, it has to work automatically. As IPv6 deployment becomes more widespread, my guess is devices will have dual-stack and DHCP-PD already enabled, eliminating the need for action from the end user.