Archive for the ‘Tips’ Category

Handy References

August 17th, 2009 admin No comments

Here are some immediate references that you might find useful if you’re trying to solve a general IPv6 connectivity problem, or trying to get up to speed on IPv6 in the round:

IPv6 Intelligence

http://ipv6int.net/systems/mac_os_x-ipv6.html

Derek Morr’s Living with IPv6 blog

http://www.personal.psu.edu/dvm105/blogs/ipv6/

SIXXS

http://www.sixxs.net/wiki/SixXS_Wiki

ARIN IPv6 Wiki

http://whois.arin.net/index.php/Main_Page


Categories: Tips Tags:

IPv6 Firewalling

August 17th, 2009 admin 1 comment

First, the bad news. There is no clean, elegant way to firewall IPv6 traffic in MacOSX. The Firewall GUI control panel won’t do it. But the internal firewall that runs behind the GUI is FreeBSD’s ipfw packet filter, which does support stateful filtering. I’ll try it soon on a Mac, but I’ve used this on FreeBSD and it’s not too awful.

Categories: Tips Tags:

Enabling IPv6 privacy addresses

August 17th, 2009 admin No comments

One security annoyance with IPv6, especially its stateless autoconfig feature, is that the default IPv6 address contains your computer’s MAC (physical Ethernet) address. This makes it far too easy to track you on the Internet. IPv4 NAT, for all its evils, at least protected your unique identity behind your firewall.

Fortunately IPv6 has a slick feature, called Privacy Addressing, that fixes this. Your computer generates random host address parts, changing them periodically. Old random addresses hang around as long as you have a session open using them, but new sessions use the latest randomly-generated IPv6 address. The feature takes care to check for collisions, automatically forcing a retry should one occur (two in a row is statistically very unlikely).

You turn the feature on using the sysctl command:

$ sudo sysctl -w net.inet6.ip6.use_tempaddr=1

I haven’t quite figured out what the timer is on this. It seems to be an hour or so between IP address changes. I’ll play around with it, or go read the Darwin code to see what’s going on under the covers. For machines that don’t have to be servers, however, this looks like a very handy feature!
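To check whether an address on one of your own interfaces still embeds the MAC in the way described above, the following sketch decodes the modified EUI-64 interface identifier. It is an added example, not part of the original post; the function names, the sample addresses and the MAC 00:11:22:33:44:55 are constructed for illustration.

```python
import ipaddress

def _parse(addr):
    # Drop a scope id ("%en0") or prefix length ("/64") as printed by ifconfig.
    return ipaddress.IPv6Address(addr.split("%")[0].split("/")[0])

def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, or None."""
    iid = _parse(addr).packed[8:]      # low 64 bits = interface identifier
    # Stateless autoconfig splits the 48-bit MAC and inserts ff:fe in the middle.
    # A random identifier matches this by chance only about once in 65536.
    if iid[3:5] != b"\xff\xfe":
        return None
    # Undo the universal/local bit flip applied to the first MAC octet.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses):
    """Classify each address by whether, and how widely, it exposes the MAC."""
    report = {}
    for addr in addresses:
        mac = eui64_mac(addr)
        if mac is None:
            report[addr] = "no MAC embedded"
        elif _parse(addr).is_link_local:
            report[addr] = f"link-local, MAC {mac} visible on the local segment only"
        else:
            report[addr] = f"global, exposes MAC {mac}"
    return report

# Constructed sample: one link-local and one global autoconfigured address
# for the same (made-up) MAC, plus one randomly generated temporary address.
SAMPLE = [
    "fe80::211:22ff:fe33:4455%en0",
    "2001:db8:1:2:211:22ff:fe33:4455",
    "2001:db8:1:2:5c9a:71ff:3e0b:9d42",
]

if __name__ == "__main__":
    for addr, verdict in audit(SAMPLE).items():
        print(f"{addr:40} {verdict}")
```

Feed it the inet6 addresses that ifconfig prints for your interface. Once privacy addressing is on, the autoconfigured address is still listed alongside the temporary ones, so seeing one "exposes MAC" entry is expected.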

Categories: Tips Tags:

MacOSX ain’t got no DHCPv6

August 17th, 2009 admin No comments

Mac OS X doesn’t support DHCPv6; it’s just plain missing from the base operating system. DHCPv6 would be useful for setting the IPv6 nameserver address, which incidentally is stored in /etc/named.conf. As things stand, DNS lookups will always go out via IPv4. Most IPv4 name servers happily respond to queries for IPv6 AAAA records, so this isn’t a disaster. It’s just annoying.

A port of the WIDE/KAME DHCPv6 probably will work, as Leopard’s (and Panther’s AFAIK) IPv6 stack is based on FreeBSD’s KAME project. The WIDE/KAME source builds fine on MacOSX 10.5 (Leopard) — just download it, type ./configure, and make, and stand back. But I haven’t tried installing it (via sudo make install) yet, as I want to see where it inserts itself in the base OS. I’ll let you know if I succeed.

Windows does support IPv6, although it’s buggy up until Vista/W2008 SP2. Still, it would be great for Macs to have this, as it’s a key feature for being an enterprise player.

Categories: Tips Tags:

Displaying IPv6 protocol stack version info

August 17th, 2009 admin No comments

The sysctl command does this:

$ sysctl net.inet6.ip6.kame_version
net.inet6.ip6.kame_version: 20010528/apple-darwin

This means we’re running the 2001 version of the KAME BSD IPv6 stack. Man, that’s old, but it shows how stable IPv6 is!

Categories: Tips Tags:

IPv6 Applications for MacOSX

August 17th, 2009 admin No comments

MacOSX Leopard (10.5) has the largest set of IPv6-enabled apps. Besides Safari, the following all work with IPv6 servers:

  • Mail (Mail.app) supports SMTP over IPv6. I’m not sure about POP3/IMAP4.
  • The built-in Apache HTTP server can listen on IPv6 interfaces
  • The BIND9 DNS server supports queries via IPv6 interfaces, but you must add a listen-on-v6 {any;}; line to your named.conf file.
  • PHP and Perl both have IPv6 modules and libraries

If anyone can verify a third-party app that supports IPv6, let me know and I’ll update the list. So far the only one I’m aware of is Intermapper (http://www.intermapper.com).

Categories: Tips Tags:

Surfing the IPv6 Internet

August 17th, 2009 admin No comments

Web surfing using the popular browsers — Safari, Firefox, Camino, Opera — is pretty automatic. It starts with DNS. MacOSX prefers IPv6 addresses when it looks up a domain, so if a URL has both an IPv4 and IPv6 address (i.e., both A and AAAA zone records), then it will return the IPv6 address to the browser.

For example, my site WhatIsMyIPv6.com has both records:

$ nslookup
> whatismyipv6.com.
Address: 216.64.158.90
> set type=AAAA
> whatismyipv6.com.
whatismyipv6.com has AAAA address 2001:470:a02c::90

The above is a useful example of debugging IPv6 DNS, but some people prefer dig, which works similarly:

$ dig whatismyipv6.com A +short
216.64.158.90
$ dig whatismyipv6.com AAAA +short
2001:470:a02c::90

The +short tag on the end causes dig to abbreviate its output to a minimalist answer. Leave it off to get more detailed debugging info.

If DNS is working, then Safari, Firefox, and Opera will surf to IPv6 sites when available. Camino requires a tweak. Type about:config in the URL bar and press enter. Then type “ipv6” in the Filter search bar and press enter. You’ll see a line that says network.dns.disableIPv6. Its default value is “true”. Double-click on this entry to toggle it to “false”. Then quit and restart Camino. Now it’s IPv6 enabled too.

Categories: Tips Tags:

Turning IPv6 on and off in MacOSX

August 17th, 2009 admin No comments

IPv6 is active by default when MacOSX is first installed, at least for Panther and Leopard, and I’m sure Snow Leopard. But you can manually turn it on and off, either via the GUI Network control panel or via the command line utility /usr/sbin/ip6.

To start IPv6 on all interfaces:

ip6 -a

To stop it:

ip6 -x

Categories: Tips Tags: