MacOSX IPv6 Networking Knowhow

Assume you want to assign a static IPv6 address 2100:xxxx:xxxx::2/48 to make your Mac an easily-reached server via IPv6. First, create the static IPv6 alias (substitute your own IPv6 prefix for xxxx:xxxx):

$ sudo ifconfig en0 inet6 2100:xxxx:xxxx::2/48

Then verify this worked:

$ ifconfig en0 | grep inet6
	inet6 fe80::217:f2ff:fec6:62ec%en0 prefixlen 64 scopeid 0x4
	inet6 2001:xxxx:xxxx::2 prefixlen 64 autoconf

Second, set the default gateway:

$ sudo route add -inet6 -prefixlen 0 default 2100:xxxx:xxxx::1

Note that if you have a link-local gateway to the IPv6 router to the global Internet, you don’t have to do this second step. To see if you do, type:

$ netstat -rn | grep default
default       10.10.10.1        UGSc       16       17    en1
default       fe80::200:ff:fe01:0%en1         UGSc        en1

If you’re dual-stacked, you’ll also see an IPv4 gateway.

Should you want to remove the IPv6 alias without rebooting, just type:

$ sudo ifconfig en1 inet6 -alias 2100:xxxx:xxxx::2

NOTE: As implied in the tip’s title, this method of IPv6 static assignment is temporary, only lasting until you reboot!

To make a permanent assignment, use the GUI interface Network panel in System Preferences. Alternatively, you can use the networksetup utility to create the alias and the gateway all at once, which will persist across boots:

$ sudo networksetup -setv6manual Ethernet 2001:xxxx:xxxx::2 48 2001:xxxx:xxxx::1

As far as I can tell, the only way to remove an alias created via networksetup is through the GUI.

http://www.bitcricket.com/ip-subnet-calculator.html

There really isn’t anything special about IPv6 subnet calculations. But they can be hard to visualize with all those extra bits. This tool is a help; it’s free, with both Mac and Windows versions.

Mac OS X doesn’t support DHCPv6; it’s just plain missing from the base operating system. DHCPv6 would be useful for setting the IPv6 nameserver address, which incidentally is stored in /etc/named.conf. As things stand, DNS lookups will always go out via IPv4. Most IPv4 name servers happily respond to queries for IPv6 AAAA records, so this isn’t a disaster. It’s just annoying.

A port of the WIDE/KAME DHCPv6 probably will work, as Leopard’s (and Panther’s AFAIK) IPv6  stack is based on FreeBSD’s KAME project. The WIDE/KAME source builds fine on MacOSX 10.5 (Leopard) — just download it, type ./configure, and make, and stand back. But I haven’t tried installing it (via sudo make install) yet, as I want to see where it inserts itself in the base OS. I’ll let you know if I succeed.

Windows does support IPv6, although it’s buggy up until Vista/W2008 SP2. Still, it would be great for Macs to have this, as it’s a key feature for being an enterprise player.

The sysctl command does this:

$ sysctl net.inet6.ip6.kame_version
net.inet6.ip6.kame_version: 20010528/apple-darwin

This means we’re running the 2001 version of the KAME BSD IPv6 stack. Man, that’s old, but it shows how stable IPv6 is!

MacOSX Leopard (10.5) has the largest set of IPv6-enabled apps. Besides Safari, the following all work with IPv6 servers:

• Mail (Mail.app) supports SMTP over IPv6. I’m not sure about POP3/IMAP4.
• The built-in Apache HTTP server can listen on IPv6 interfaces
• The BIND9 DNS server supports queries via IPv6 interfaces, but you must add a listen-on-v6 {any;}; line to your named.conf file.
• PHP and Perl both have IPv6 modules and libraries

If anyone can verify a third-party app that supports IPv6, let me know and I’ll update the list. So far the only one I’m aware of is Intermapper (http://www.intermapper.com).

Web surfing using the popular browsers — Safari, Firefox. Camino, Opera — is pretty automatic. It starts with DNS. MacOSX perfers IPv6 addresses when it looks up a domain, so if a URL has both an IPv4 and IPv6 address (i.e., both A and AAAA zone records), then it will return the IPv6 address to the browser.

For example, my site WhatIsMyIPv6.com has both records:

$ nslookup
> whatismyipv6.com.
Address: 216.64.158.90
> set type=AAAA
> whatismyipv6.com.
whatismyipv6.com has AAAA address 2001:470:a02c::90

The above is a useful example of debugging IPv6 DNS, but some people prefer dig, which works similarly:

$ dig whatismyipv6.com A +short
216.64.158.90
$ dig whatismyipv6.com AAAA +short
2001:470:a02c::90

IPv6 is active by default when MacOSX is first installed, at least for Panther and Leopard, and I’m sure Snow Leopard. But you can be manually turn it on and off, either via the GUI Network control panel or via the command line utility  /usr/sbin/ip6.

To start IPv6 on all interfaces:

ip6 -a

To stop it:

ip6 -x

It’s easy, and it’s free, but it can be confusing. Chances are that your current Internet provider, especially a residential provider, doesn’t offer direct IPv6 connectivity. That’s no barrier to getting hooked up, though: you can use one of a number of free “tunnel broker” services to sign up for a tunnel through the IPv4 miasma to the IPv6 new world.

The service I use and recommend is Huricane Electric’s TunnelBroker.net (http://TunnelBroker.net). They have nice step-by-step procedures that will get you hooked up in a jiffy. But getting started is not Mac-intuitive. So let me outline the steps here to smooth your way:

1. You have to first register for a free TunnelBroker.net account. TB asks for the usual things — name, email, etc. Nothing onerous, but consider that because you’re getting a free bandwidth service — a very nice benefit from TB — you should give them legitimate contact info. Once you a TB account, the rest of TunnelBroker.net gets unlocked for you.

2. Next, you have to go register a new tunnel within TB. I’d have expected some kind of instructions from TB by this point, but you don’t get any until you create a tunnel. For example, you can’t get to TB’s example configurations until you do this. TB should change that, providing at least a minimal roadmap. On the TB page after you log in click “Create Regular Tunnel”. You’ll be prompted for your public IP address. If you have a static one, great. If you don’t, well, there are ways around that we’ll talk about in a future post.

3. Once the tunnel is created, you’ll be assigned a bunch of IP addresses: a public IPv4 address for TB’s server-end of the tunnel, a pair of IPv6 addresses in a /64 subnet that you’ll configure as the IPv6 tunnel endpoints, and a separate /64 IPv6 subnet that will be your own personal IPv6 address space.

You need not write any of this down; you can get to it later at any time just by logging into your TB account. TB will even fill in most of the IP address information in its customer-generated scripts, so you won’t need to even copy and paste these addresses to get up and running.

4. You’ll see a pop-up list under Example OS Configurations. Choose NetBSD/MacOSX. A list of four shell commands will appear, which you’ll eventually copy and paste into a Terminal window. BUT NOT YET! What TB leaves out is that each of these commands must be prefixed with the command “sudo” to execute each in super-user mode (sudo means “super-user do”). So first paste the commands into your favorite text editor, then paste “sudo” on the front of each line in your text edit window. Here’s an example:

sudo ifconfig gif0 create
sudo ifconfig gif0 tunnel 10.10.10.148 72.xxx.xxx.xx
sudo ifconfig gif0 inet6 2001:470:x:x::2 2001:470:x:x::1 prefixlen 128
sudo route -n add -inet6 default 2001:470:x:y::1

Pay close attention to the TB note that says:

“*NOTE* When behind a firewall appliance that passes protocol41, instead of using the IPv4 endpoint you provided to our broker, use the IPv4 address you get from your appliance’s DHCP service.”

What this means is that if you’re behind a NAT firewall you must replace your public IP in the commands above (in the second command) with your Mac’s private IP address. Everyone seems to miss this point, so be forewarned. If you need to make this change (you likely do), alter the second command in the list, replacing the public IP that TB filled in for you automatically with your pirvate IP.

With that caveat observed,  you’re ready to start pasting the commands, one at a time, into a Terminal window. Open Terminal (it’s in Applications>Utilities) and paste the first command line. You’ll be prompted for your Mac login user ID and password once on the first command; the other commands won’t prompt you again. As you paste each command line and hit return, you should get no output. However, if you get an error message on the first line this is usually not serious – just go ahead with the rest of the commands and likely it will all just work.

5. Now open Safari and go to WhatIsMyIPv6.com. If you’ve done everything right, you’ll see your shiny new IPv6 address in great big characters, rather than that rusty old IPv4 address. If it doesn’t work, check to make sure your firewall will pass Protocol 41, which is used by IPv6 tunnels. Note that this isn’t TCP or UDP port 41, it’s IP protocol 41. Not all firewalls can do this, but mine (a Sonicwall TZ190 running Enhanced version software) can.

Last but not least, note that none of these commands take permanent effect. They’ll be lost the next time you reboot, and you’ll have to run them again to get your IPv6 connection re-established. In a future post I’ll explain how to make them permanent.

Congratulations! You’re on the IPv6 Internet! You’ll find a growing number of companies moving to IPv6, so explore and see who you can reach with your own personal IPv6 address block. And take comfort in the fact that your little IPv6 island has 4,294,967,295 times the number of addresses in the entire IPv4 Internet.

As a network engineer that loves the Mac, I’m also heavily involved in IPv6 deployment in government and industry. In the process of rolling out IPv6 in these venues, I’ve found most published guidance glosses over MacOSX and its progeny, such as AppleTV and Airport Extreme. I’ve collected a slew of tips for helping the Mac live more freely in the IPv6 universe; I share them here.