Friday, June 1, 2012

Surfing with IPv6



My DSL carrier (and as far I know no Spanish ADSL carriers) has IPv6 available so my only chance to join IPv6 Launch Day is to create a tunnel to a IPv6 service provider. I've choose the well known Hurricane Electric Tunnel Broker free service.

Easy steps using Ubuntu:
- Sign-in.
- Create your tunnel connection towards your public IPv4 address (Note: You will need to allow HE to ping your router in your firewall configuration).
- Configuration following this guide: http://davecoyle.com/documents/ubuntu-ipv6-he-tunnel.html
- Add the IPv6 DNS server at your /etc/resolv.conf file. In this cases is: nameserver 2001:470:20::2
My suggestion, and for the sake of the test, is to use only this DNS server.
And test!

How my IPv6 tunnel interface looks like:

# ifconfig he-ipv6
he-ipv6   Link encap:IPv6-in-IPv4 
          inet6 addr: 2001:470:1f08:16b::2/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
          RX packets:24393 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15097 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:30140949 (30.1 MB)  TX bytes:1460976 (1.4 MB)

And the local interface. Now we have the new localhost IPv6 address ::1 (In IPv6 this is the equivalent of 127.0.0.1).

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1043 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1043 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:105946 (105.9 KB)  TX bytes:105946 (105.9 KB)

First, ping my interface (notice that I'm using ping6 command):

# ping6 -c 5 2001:470:1f08:16b::2
PING 2001:470:1f08:16b::2(2001:470:1f08:16b::2) 56 data bytes
64 bytes from 2001:470:1f08:16b::2: icmp_seq=1 ttl=64 time=0.033 ms
64 bytes from 2001:470:1f08:16b::2: icmp_seq=2 ttl=64 time=0.048 ms
64 bytes from 2001:470:1f08:16b::2: icmp_seq=3 ttl=64 time=0.062 ms
64 bytes from 2001:470:1f08:16b::2: icmp_seq=4 ttl=64 time=0.047 ms
64 bytes from 2001:470:1f08:16b::2: icmp_seq=5 ttl=64 time=0.032 ms
--- 2001:470:1f08:16b::2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3996ms
rtt min/avg/max/mdev = 0.032/0.044/0.062/0.012 ms

Then, ping the other side of the tunnel (notice the round trip time change):

# ping6 -c 5 2001:470:1f08:16b::1
PING 2001:470:1f08:16b::1(2001:470:1f08:16b::1) 56 data bytes
64 bytes from 2001:470:1f08:16b::1: icmp_seq=1 ttl=64 time=66.7 ms
64 bytes from 2001:470:1f08:16b::1: icmp_seq=2 ttl=64 time=66.5 ms
64 bytes from 2001:470:1f08:16b::1: icmp_seq=3 ttl=64 time=66.5 ms
64 bytes from 2001:470:1f08:16b::1: icmp_seq=4 ttl=64 time=66.3 ms
64 bytes from 2001:470:1f08:16b::1: icmp_seq=5 ttl=64 time=67.4 ms
--- 2001:470:1f08:16b::1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4007ms
rtt min/avg/max/mdev = 66.309/66.720/67.461/0.460 ms

And then, my first IPv6 ping to Google :)

# ping6 -c 5 -n ipv6.google.com
PING ipv6.google.com(2a00:1450:400d:803::1013) 56 data bytes
64 bytes from 2a00:1450:400d:803::1013: icmp_seq=1 ttl=57 time=167 ms
64 bytes from 2a00:1450:400d:803::1013: icmp_seq=2 ttl=57 time=176 ms
64 bytes from 2a00:1450:400d:803::1013: icmp_seq=3 ttl=57 time=170 ms
64 bytes from 2a00:1450:400d:803::1013: icmp_seq=4 ttl=57 time=176 ms
64 bytes from 2a00:1450:400d:803::1013: icmp_seq=5 ttl=57 time=176 ms
--- ipv6.google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 167.003/173.506/176.744/3.987 ms

And now is time for a browser and what could be better than http://whatismyipv6.com (IPv6 style of course :)

whatismyipv6.com
And http://test-ipv6.com

test-ipv6.com

Google redirects me to the UK site although I'm at Spain. That's because among all the tunnels endpoints from Hurricane Electric I've choose the one at London. But there are more. This could become handy later.


A curios ping :)

# ping6 -n -c1 www.v6.facebook.com
PING www.v6.facebook.com(2620:0:1cfe:face:b00c::3) 56 data bytes
64 bytes from 2620:0:1cfe:face:b00c::3: icmp_seq=1 ttl=51 time=197 ms
--- www.v6.facebook.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 197.501/197.501/197.501/0.000 ms

And a couple more:

2a01:4f8:d13:3a43:feed:abba:deca:f       www.synchronkartei.de
2001:4cc0:1ff:40:bebe:cafe:bebe:cafe     www.webtuga.com
2001:610:148:dead:beef:b00b:cafe:babe    www.ist-mome.org

2 comments:

  1. do you scan another ipv6 networks? ... that's not nice!

    # /root/showfirewall.sh
    all tcp 2001:470:xxx::[80] <- 2a01:4f8:100:2ffe::4[37214] FIN_WAIT_2:FIN_WAIT_2
    all tcp 2001:470:xxx::[80] <- 2a02:2918:100:480::194[60107] FIN_WAIT_2:FIN_WAIT_2
    tcpdump: WARNING: snaplen raised from 116 to 160
    Jun 07 23:55:10.103894 rule 2/(match) block in on axe0: 2001:470:1f08:16b::2.58716 > 2001:470:xxx::.22: S 1913004252:1913004252(0) win 14200 <[|tcp]>
    Jun 07 23:55:11.105641 rule 2/(match) block in on axe0: 2001:470:1f08:16b::2.58716 > 2001:470:xxx::.22: S 1913004252:1913004252(0) win 14200 <[|tcp]>
    Jun 08 02:01:36.596408 rule 2/(match) block in on axe0: 2001:470:1f08:16b::2.46029 > 2001:470:xxx::.5900: S 2489408097:2489408097(0) win 14200 <[|tcp]>
    Jun 08 02:01:37.596405 rule 2/(match) block in on axe0: 2001:470:1f08:16b::2.46029 > 2001:470:xxx::.5900: S 2489408097:2489408097(0) win 14200 <[|tcp]>
    Jun 08 02:15:48.764828 rule 2/(match) block in on axe0: 2001:470:1f08:16b::2.53326 > 2001:470:xxx::.3389: S 1986041610:1986041610(0) win 14200 <[|tcp]>
    Jun 08 02:15:49.770596 rule 2/(match) block in on axe0: 2001:470:1f08:16b::2.53326 > 2001:470:xxx::.3389: S 1986041610:1986041610(0) win 14200 <[|tcp]>
    ...

    ReplyDelete
    Replies
    1. BrainfoodDE,
      Yes, I did. And also an article about it http://blog.domenech.org/2012/06/ipv6-security-back-to-square-one.html
      I'm glad to see that you pay attention to IP security. Well done!

      Thanks for comment.

      Juan

      Delete