Dual Stack IPv6 in the Home Network

Since this year I have an internet provider where dual stack IPv4/IPv6 is possible without DS-Lite. And about 7 years (!!) after the IPv6 Launch Day on June 6th, 2012, my home network has finally arrived in the IPv6 age.

Background

Dual-Stack Lite
In principle a way to encapsulate IPv4 packets in IPv6 and thus ensure access to the IPv4 Internet. The customer is only provided with globally routable IP addresses via IPv6, and private IPv4 addresses are used in the LAN. The translation from a private IPv4 address to a public one is done at the provider’s site (carrier-grade NAT), which is why port forwarding no longer works.
Further problems can occur with VoIP, VPNs and gaming, so it is a no-go for me.

Source: https://en.wikipedia.org/wiki/IPv6#Dual-Stack_Lite_(DS-Lite)

Dual-Stack Lite is very attractive for providers, because only a few public IPv4 addresses have to be available and thus the IPv4 shortage can be solved.

The expansion
Last year, an expansion of the network infrastructure was announced at my place of residence: fiber optics. Finally FTTH 🎉
Not quite, as it turns out. In Switzerland, Swisscom has a mandate to provide the basic service and is therefore expanding the network alongside UPC. Swisscom advertised a fibre-optic expansion at my place of residence, but effectively only FTTS (Fibre-to-the-Street) was built, i.e. fibre-optic to the street. The remaining distance to the house is covered via copper as before. Swisscom is now (after the expansion!) advertising “Highspeed” Internet.

Download speeds of up to 500 Mbit/s are actually possible, but on the back of a dead technology horse: copper wire.
At the moment, I have to accept that I cannot yet use an up-to-date infrastructure.

Provider
But what I can choose is the provider. With the new speed over copper, other providers come into question.
So far I was very impressed by Init7, but until now their offer was not economical on a slow copper line, because the same price is paid regardless of speed. This has now changed with FTTS and G.fast.

For me, Init7 is the best Internet provider in Switzerland - and offers Dual Stack IPv4/IPv6 as well as other advantages like free router selection, free TV and is well peered.

Configuration

So, I started into the year 2020 with Init7 and immediately experimented a bit.

As router I use a Ubiquiti EdgeMax Lite - my configurations refer to it.

  • eth0 is my WAN interface
  • eth1 is my LAN interface, or rather the trunk carrying the VLANs

My actual setup is a bit more complex: for different purposes I have different VLANs, e.g. one for WLAN, one for multimedia, one for the office, etc.

From Init7 you get a whole /48 network assigned for use.

PPPoE
Copper7 from Init7 needs PPPoE for an internet connection, so I have to configure the dial-up first:

configure
edit interfaces ethernet eth0 pppoe 0
set default-route auto
set mtu 1492
set name-server auto
set user-id INIT7.xyz@downstream.ch
set password XYZ
commit
save

IPv6
Here IPv6 is activated on the PPPoE interface - the address is obtained via PPPoE:

configure
edit interfaces ethernet eth0 pppoe 0
set ipv6 address autoconf
set ipv6 dup-addr-detect-transmits 1
set ipv6 enable
commit
save

Now networks can be configured with IPv6. For this purpose the prefix assigned by the provider (e.g. ‘2001:1620:999::/48’) is combined with an ID (e.g. 0100) for my subnet: ‘2001:1620:999:0100::/64’. The resulting subnet prefix can be at most 64 bits long, since the remaining 64 bits are needed for the host’s interface identifier.

The /64 network has room for all devices: 2^64 ≈ 1.8 × 10^19 (18 quintillion) single addresses. Good further information about IPv6 can be found here.

I can now freely choose subnets (0-ffff) via the 4th block:

  • 2001:1620:999:0100 e.g. Vlan 100 for the office
  • 2001:1620:999:0102 Vlan 102 for the WLAN
  • you get it

configure
edit interfaces ethernet eth1 vif 100
set address 2001:1620:999:0100::1/64
set ipv6 address autoconf
set ipv6 dup-addr-detect-transmits 1
set ipv6 router-advert prefix 2001:1620:999:0100::/64
set ipv6 router-advert name-server 2001:1620:999:0100::1 # RDNSS: the router itself, or another DNS server
set ipv6 router-advert send-advert true
commit
save
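
The subnet derivation described above (a /48 from the provider, the 4th hextet as subnet ID, the router at ::1), as an added example that is not part of the original post. It follows the post’s convention of writing the VLAN number’s digits straight into the hextet (VLAN 100 -> 0100) and generates the matching EdgeOS configure-mode lines; the ::1 router address and the eth1 trunk are assumptions taken from the post’s own example.

```python
import ipaddress
from typing import List


def subnet_id_bits(delegated: str) -> int:
    """Bits available for the subnet ID between the delegated prefix and
    the 64-bit boundary (16 for a /48). SLAAC needs the lower 64 bits."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError("prefix longer than /64: SLAAC needs 64 host bits")
    return 64 - net.prefixlen


def carve_subnet(delegated: str, subnet_id: int) -> ipaddress.IPv6Network:
    """Return the /64 with the given subnet ID inside the delegated prefix."""
    net = ipaddress.IPv6Network(delegated)
    bits = subnet_id_bits(delegated)
    if not 0 <= subnet_id < (1 << bits):
        raise ValueError(f"subnet ID {subnet_id:#x} does not fit in {bits} bits")
    # The subnet ID sits directly above the 64 host bits.
    return ipaddress.IPv6Network((int(net.network_address) | (subnet_id << 64), 64))


def vlan_subnet_id(vlan: int) -> int:
    """The post writes the VLAN number's decimal digits into the 4th hextet
    (VLAN 100 -> 0100, VLAN 102 -> 0102), i.e. it reads them as hexadecimal."""
    return int(str(vlan), 16)


def edgeos_commands(delegated: str, vlan: int, lan_if: str = "eth1") -> List[str]:
    """Configure-mode lines for one VLAN, mirroring the block in the post.
    Assumption (as in the post): the router takes ::1 of the subnet."""
    net = carve_subnet(delegated, vlan_subnet_id(vlan))
    router = net.network_address + 1
    return [
        f"edit interfaces ethernet {lan_if} vif {vlan}",
        f"set address {router}/64",
        f"set ipv6 router-advert prefix {net}",
        "set ipv6 router-advert send-advert true",
    ]


if __name__ == "__main__":
    for line in edgeos_commands("2001:1620:999::/48", 100):
        print(line)
```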

In most IPv6-enabled networks, host addresses are assigned via stateless address autoconfiguration (SLAAC). This is a fancy way of saying that hosts in an IPv6 network configure their own IP addresses from the advertised prefix, i.e. no DHCP server is needed.
By advertising the new prefix for this subnet, every IPv6 capable device in VLAN 100 should now configure a global IPv6 address, which, if the firewall is configured correctly, can access the Internet:

ping -6 init7.ch
PING init7.ch(camelus.init7.net (2001:1620:2777:23::2)) 56 data bytes
64 bytes from camelus.init7.net (2001:1620:2777:23::2): icmp_seq=1 ttl=58 time=9.07 ms
64 bytes from camelus.init7.net (2001:1620:2777:23::2): icmp_seq=2 ttl=58 time=9.05 ms
64 bytes from camelus.init7.net (2001:1620:2777:23::2): icmp_seq=3 ttl=58 time=8.75 ms

--- init7.ch ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 8.746/8.954/9.071/0.147 ms

IPv6 Privacy Extension
With IPv6, each device gets a uniquely identifiable IPv6 address, which is composed of the network prefix and the identifier calculated from the MAC address (EUI-64). It would be the same principle if each device had a public IPv4 and NAT was not used.

Although SLAAC works very well in most networks and provides a very efficient method for dealing with IP addresses, it can reveal more information about the devices on the home network than you would like. Websites can use the IPv6 address to determine the MAC address of the client on networks that use SLAAC. This could be misused for tracking or malware campaigns. There are legitimate concerns about data protection and privacy.

To address this, the Privacy Extensions have been introduced. If these are activated, each interface gets at least one additional temporary generated IPv6 address, which changes regularly. The random interface identifier then no longer allows any conclusion to be drawn about the host.

Normally this is activated by default, but it should be checked; on Linux this is not always the case. On servers or other non-mobile devices in particular, a temporary address is usually not desired.

If the Privacy Extensions are active, at least 2 IPv6 addresses should be visible and one of them has a temporary flag:

# ip addr show
inet 192.168.100.177/24 brd 192.168.100.255 scope global dynamic
inet6 2001:1620:999:0100:452e:8e5f:f324:dc39/64 scope global temporary dynamic
inet6 2001:1620:999:0100:8d59:1d48:2918:8374/64 scope global dynamic mngtmpaddr noprefixroute
inet6 fe80::959d:24bd:d333:67d1/64 scope link noprefixroute
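
A small audit of this output, as an added example (not part of the original post): it checks whether a temporary address is present and whether any stable global address has an EUI-64 interface identifier, from which the MAC can be read back. The sample is constructed from the output above, with one extra constructed EUI-64 address added so the leak case is visible.

```python
import ipaddress
import re
from typing import Dict, Optional

# Constructed sample modelled on the `ip addr show` output above; the third
# line is an added, constructed address whose interface ID is a modified EUI-64.
SAMPLE_IP_ADDR = """\
inet6 2001:1620:999:0100:452e:8e5f:f324:dc39/64 scope global temporary dynamic
inet6 2001:1620:999:0100:8d59:1d48:2918:8374/64 scope global dynamic mngtmpaddr noprefixroute
inet6 2001:1620:999:0100:3a7b:c2ff:fe10:5e44/64 scope global dynamic mngtmpaddr
inet6 fe80::959d:24bd:d333:67d1/64 scope link noprefixroute
"""


def eui64_mac(address: str) -> Optional[str]:
    """Return the MAC embedded in a modified EUI-64 interface ID, or None.
    Modified EUI-64 splits the 48-bit MAC, inserts ff:fe in the middle and
    flips the universal/local bit (0x02) of the first byte, so it is reversible."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def audit_privacy(ip_addr_output: str) -> Dict[str, object]:
    """Summarise one interface's global IPv6 addresses: is a temporary
    (privacy) address present, and do any stable addresses reveal the MAC?"""
    report = {"temporary": False, "stable": [], "eui64_leaks": {}}
    for line in ip_addr_output.splitlines():
        m = re.match(r"\s*inet6 (\S+)/\d+ scope global(.*)", line)
        if not m:
            continue  # inet, link-local and unrelated lines are skipped
        addr = str(ipaddress.IPv6Address(m.group(1)))  # normalise spelling
        flags = set(m.group(2).split())
        if "temporary" in flags:
            report["temporary"] = True
            continue
        report["stable"].append(addr)
        mac = eui64_mac(addr)
        if mac:
            report["eui64_leaks"][addr] = mac
    return report


if __name__ == "__main__":
    print(audit_privacy(SAMPLE_IP_ADDR))
```

On a real host, feed it the output of `ip -6 addr show dev <interface>`; a stable address listed under eui64_leaks means the privacy extensions are not protecting that interface.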

There is a kernel tunable that controls temporary addressing on Linux systems:

# Do not use a temporary address
net.ipv6.conf.all.use_tempaddr = 0
# Set a temporary address, but do not make it the default
net.ipv6.conf.all.use_tempaddr = 1
# Set a temporary address and make it the default
net.ipv6.conf.all.use_tempaddr = 2

I recommend making this setting permanent with a value of ‘2’.

Speed

To get the most out of it, hardware offloading must be enabled on the Ubiquiti EdgeMax, otherwise the CPU limits the throughput to ~80 Mbit/s. Offloading hands some forwarding operations to a dedicated packet-processing engine instead of the main CPU:

configure
set system offload ipv4 forwarding enable
set system offload ipv4 pppoe enable
set system offload ipv4 vlan enable
set system offload ipv6 forwarding enable
set system offload ipv6 pppoe enable
commit
save

According to the modem’s measurements, the current result is only 45 Mbit/s short of the maximum download bandwidth of 500 Mbit/s and 20 Mbit/s short of the maximum upload bandwidth of 130 Mbit/s. I can’t find out where the bottleneck is at the moment, but I am already quite satisfied with 450 Mbit/s. This is faster than 99% of Swiss users :).

Alright, home network launched. ⚡🌐🚀🦄