Super Mac IPv6 Sleeper: Airport Extreme does IPv6 tunneling AND firewalling!

June 6th, 2010 admin No comments

It’s been known for some time that Apple’s Airport Extreme base station can double as an IPv6 tunnel gateway. But the Extreme’s IPv6 support was kind of half-baked: its rudimentary “firewall” was all-or-nothing, and its NAT pass-through support was buggy. Apple’s latest Extreme, the “Late 2009” edition with 7.5x firmware, fixes those bugs AND adds a spiffy new IPv6 firewall. (Alas, older Extremes only support up through 7.4 firmware, which still has problems with IPv6.)

It took me about five minutes to create a Hurricane Electric account and configure the Extreme as an IPv6-over-IPv4 tunnel gateway, with the Extreme configured in transparent mode, using a private DHCP address acquired from the local LAN. I just plugged in the remote tunnel IPv4 address, the local tunnel IPv6 endpoint address, the IPv6 default route, and the LAN’s IPv6 subnet address. (Note: Apple swapped the order of remote and local IPv6 in the upgrade from 7.4 to 7.5 firmware.) The tunnel popped into existence instantly. I had set up Google’s open IPv6-enabled DNS server (reached at its IPv4 address) as the LAN DNS server address.

The Extreme seems to have IPv6 Router Advertisements enabled by default, so IPv6 stateless autoconfig cheerfully gave everyone on the LAN a global IPv6 address from the /64 assignment, and all the LAN systems were suddenly IPv6 enabled! This is too easy!

The Extreme’s IPv6 firewall option appears when you click “Block incoming IPv6 connections” (without which the Extreme allows all inbound connections), at which point a new “IPv6 Firewall” tab appears. (Apparently this has always been there, but I never clicked the “Block incoming” box and so never saw it before.) You can permit Teredo tunnels if you like, as well as inbound IPsec connections, with a couple of clicks. The “firewall” interface is primitive but gets the job done, letting you allow specific TCP and UDP ports to specific inside IPv6 addresses. The Extreme IPv6 firewall is v6-only, however, so you still need a good IPv4 firewall.

So far I’ve only tried running an Extreme as an IPv6 gateway using its LAN-transparent mode, in which the device gets a LAN IP from your local DHCP server. I did this to avoid double-NAT. However, you should be able to set up IPv6 tunneling in routed mode — where the Extreme’s WAN port faces the Internet with a provider-assigned public IPv4 address. In this arrangement, the LAN ports create an IPv6 “sandbox” — as long as your border firewall supports passing GRE protocol (IP protocol 47) outbound. But at least you don’t have to open any pinholes to the Extreme or otherwise weaken your enterprise security stance.

The one missing bit: the Extreme has no built-in DHCPv6 server, so it can’t distribute name server settings to clients after stateless autoconfig. However, as long as your LAN IPv6 clients use an IPv6-enabled DNS server at an IPv4 address (Google’s qualifies), then you can get to the IPv6 Internet via names without problem.

At $179, this is the cheapest easy-to-configure IPv6 gateway appliance on the market!

[UPDATE on 2010/06/06: A reader tells me that the IPv6 firewall has been in the Extreme for more than a year, but few people find it because it's hidden behind that "Block all incoming IPv6 connections" checkbox. I've edited this post to reflect that. -mel]

Performance testing: where to get big files on a fat pipe

April 3rd, 2010 admin No comments

One of the best IPv6 performance tests is to simply run basic HTTP or FTP file transfers. This kind of testing can often reveal a lot more about your performance than those popular Java- and Flash-based speed-test widgets. For one thing, you can monitor the transfer in Wireshark and look for odd fragmentation, MTU problems, missing ACKs, and the like. But where to get big files on a fat IPv6 pipe? One answer is a site operated by Swedish ISP Tele2 Sverige AB, which has test files ranging from 100MB to 1TB, accessible via both FTP and HTTP. Yes, it’s download testing only, but that’s where most problems get discovered anyway. I realize this isn’t a Mac-specific site, but Macs have to do performance testing too!

Don’t forget to flush DNS cache when testing IPv6

March 22nd, 2010 admin No comments

MacOSX resolvers can cache IPv4 addresses, making them preferable to IPv6-capable applications, such as web browsers. The apps are IPv6-capable, but if an IPv4 address is already cached for a given fully qualified domain name (FQDN), the apps can’t look up names properly to prefer IPv6 addresses when available. The fix is to manually clear your MacOSX DNS cache. Do that with the simple command:

sudo dscacheutil -flushcache

MacOSX Leopard has a CLI IPv6 firewall

March 22nd, 2010 admin No comments

It’s called, cleverly enough, ip6fw. Just type

man ip6fw

for the easy-to-follow ;) instruction guide.

Apple Airport & Time Capsule have built-in IPv6 support

March 22nd, 2010 admin No comments

They can operate as a direct IPv6 gateway if your ISP supports IPv6, or as a tunneling device. To configure the tunneling option, follow these steps (courtesy of James Woodyatt):

1. Launch AirPort Utility.
2. Select your device from the sidebar and choose Manual Setup.
3. Select the [Internet] pane of the configuration window.
4. Select the TCP/IP tab.
5. At the “Configure IPv4” pop-up, choose the “Manually” option.
6. Enter the statically assigned IPv4 WAN configuration parameters for your device:
+ IP Address
+ Subnet Mask
+ Router Address
+ DNS Servers
+ Domain Name [optional]
7. Select the [Advanced] pane of the configuration window.
8. Select the IPv6 tab.
9. At the “IPv6 Mode” pop-up, choose the “Tunnel” option.
10. At the “Configure IPv6” pop-up, choose the “Manually” option.
11. Enter the statically assigned IPv6-in-IPv4 configuration parameters for your tunnel:
+ Remote IPv4 Address
+ Local IPv6 Address
+ Remote IPv6 Address
+ Enter the IPv6 address for a /64 LAN with a prefix that was assigned with your tunnel.
12. Click [Update] and wait for the AirPort/Time-Capsule to restart.

How to determine the KAME version number of a MacOSX release

March 22nd, 2010 admin No comments

MacOSX uses the KAME project IPv6 protocol stack and tools. The KAME project was a joint effort of six companies in Japan to provide a free stack of IPv6, IPsec, and Mobile IPv6 for BSD variants. The project officially concluded in March 2006 and most of the components moved to FreeBSD, NetBSD, and MacOSX. Sometimes it’s helpful to see what the KAME version is in the MacOSX release you’re running. Here’s how:

sysctl -a | grep kame_version
net.inet6.ip6.kame_version: 20010528/apple-darwin

How do you use scp with IPv6 on a Mac?

March 22nd, 2010 admin No comments

You can do this:

ssh root@2001:1234::1 (example address)

but you can’t do this:

scp root@2001:1234::1:/tmp/file .

because scp splits at the first colon, parsing this as hostname 2001 and file path 1234::1:/tmp/file, yielding an error such as this one:

ssh: connect to host 2001 port 22: Connection refused

The scp manpage addresses this problem for -L and -R arguments (you can use the -6 option on scp to force all addresses to be interpreted as IPv6), but it is silent about using IPv6 when copying files.

The trick is to use square brackets to delimit the IPv6 address, which on the Mac also requires escaping the brackets, thusly:

scp root@\[2001:1234::1\]:/tmp/file .
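To make the parsing problem concrete, here is an added example (not part of the original post) that splits an scp-style target the way scp does, showing why a bare IPv6 address yields host “2001” and how the bracket form resolves the ambiguity:

```python
"""Added example: scp-style "[user@]host:path" splitting, with and without
bracket-delimited IPv6 hosts."""
import ipaddress


def split_scp_target(target: str):
    """Split an scp target into (user, host, path) the way scp does.

    scp cuts at the FIRST colon after the optional user@ part, so a bare
    IPv6 literal such as 2001:1234::1 becomes host "2001" and the rest of
    the address is swallowed into the path.  A host wrapped in [...] is
    taken whole, and the colon after the closing bracket separates the path.
    """
    user = None
    if "@" in target:
        user, target = target.split("@", 1)
    if target.startswith("["):
        close = target.find("]")
        if close == -1 or not target[close + 1:].startswith(":"):
            raise ValueError("malformed bracketed host in %r" % target)
        host = target[1:close]
        path = target[close + 2:]
    else:
        host, sep, path = target.partition(":")
        if not sep:
            raise ValueError("no ':' separating host and path in %r" % target)
    return user, host, path


def is_usable_host(host: str) -> bool:
    """True if the parsed host is an IP literal or looks like a hostname.

    A pure number such as "2001" is the tell-tale sign of a misparsed
    IPv6 address, so it is rejected.
    """
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return not host.isdigit()


if __name__ == "__main__":
    # Constructed sample targets, mirroring the two commands in the post.
    for t in ("root@2001:1234::1:/tmp/file", "root@[2001:1234::1]:/tmp/file"):
        u, h, p = split_scp_target(t)
        print(f"{t!r:36} -> host={h!r} path={p!r} usable={is_usable_host(h)}")
```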

Handy References

August 17th, 2009 admin No comments

Here are some immediate references that you might find useful if you’re trying to solve a general IPv6 connectivity problem, or trying to get up to speed on IPv6 in the round:

IPv6 Intelligence

Derek Morr’s Living with IPv6 blog

ARIN IPv6 Wiki

IPv6 Firewalling

August 17th, 2009 admin 1 comment

First, the bad news. There is no clean, elegant way to firewall IPv6 traffic in MacOSX. The Firewall GUI control panel won’t do it. But the internal firewall that runs behind the GUI is FreeBSD’s ipfw packet filter, which does support stateful filtering. I’ll try it soon on a Mac, but I’ve used this on FreeBSD and it’s not too awful.

Enabling IPv6 privacy addresses

August 17th, 2009 admin No comments

One security annoyance with IPv6, especially its stateless autoconfig feature, is that the default IPv6 address contains your computer’s MAC (physical Ethernet) address. This makes it far too easy to track you on the Internet. IPv4 NAT, for all its evils, at least protected your unique identity behind your firewall.

Fortunately IPv6 has a slick feature, called Privacy Addressing, that fixes this. Your computer generates random host address parts, changing them periodically. Old random addresses hang around as long as you have a session open using them, but new sessions use the latest randomly-generated IPv6 address. The feature takes care to check for collisions, automatically forcing a retry should one occur (two in a row is statistically very unlikely).

You turn the feature on using the sysctl command:

$ sudo sysctl -w net.inet6.ip6.use_tempaddr=1

I haven’t quite figured out what the timer is on this. It seems to be an hour or so between IP address changes. I’ll play around with it, or go read the Darwin code to see what’s going on under the covers. For machines that don’t have to be servers, however, this looks like a very handy feature!
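The tracking problem described above comes from the modified EUI-64 interface identifier that stateless autoconfig builds from the MAC. The following added example (not part of the original post) derives that identifier, and includes a check an administrator can run over observed addresses to see whether a host is still exposing its MAC or has switched to a random privacy address. The prefix and MAC are constructed sample values.

```python
"""Added example: EUI-64 interface identifiers and a check for MAC exposure."""
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Build the modified EUI-64 interface identifier from a 48-bit MAC.

    The MAC is split in half, ff:fe is inserted in the middle, and the
    universal/local bit (bit 1 of the first octet) is flipped.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits: %r" % mac)
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 identifier, as autoconfig does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfig requires a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_mac(addr: str):
    """Return the MAC exposed by an EUI-64 style address, or None.

    A temporary (privacy) address has a random interface identifier and
    will almost never carry the ff:fe marker in the middle, so a None
    result means the host is not announcing its hardware address.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    # Constructed sample prefix (documentation range) and MAC.
    addr = slaac_address("2001:db8:1::/64", "00:1c:b3:12:34:56")
    print(addr, "exposes MAC", embedded_mac(str(addr)))
    print("2001:db8:1::1234:5678:9abc:def0 exposes MAC",
          embedded_mac("2001:db8:1::1234:5678:9abc:def0"))
```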