Native IPv6 connection to TekSavvy using OpenWRT

by Craig Miller

Riding the road to IPv6

Jumping on the IPv6 super highway

I have been connected to the IPv6 internet for years using a tunnel to Hurricane Electric, and I recommend this method if your ISP is unable to provide a native IPv6 connection. Hurricane Electric is very stable, with tunnel terminations points in many locations. However a downside of any kind of tunnel, is that it is limited by the IPv4 transport underneath. In my case it meant that my ping6 times where never going to be better than my IPv4 ping times.

Therefore, a Native IPv6 connection is always preferred to a tunneled one. In this article, I'd like to show how to connect to TekSavvy's Native IPv6 service over DSL using a router running OpenWRT.


The OSI Model in Review

Before we get into how to connect natively, let's review the OSI model (Open Systems Interconnection model). The OSI model is the key to understanding networking, and how the different layers interact.

Layer
 Description
 Examples
 7
 Application
 HTTP, IMAP, NTP
 6
 Presentation
 N/A
 5
 Session
 N/A
 4
 Transport
 TCP, UDP
 3
Network
 IPv4, IPv6
 2
 Data-link
 Ethernet, 802.11 (wireless), PPP
 1
 Physical
 Wires, Radio links

For the purposes of IP (Internet Protocol), layers 5 and 6 aren't really used. As you can see IPv4 and IPv6 are networking protocols (layer 3).

Scapy Notation

To represent the layers in a textual form, I tend to prefer the slash notation used by scapy, an excellent open source packet test tool. For example a web request packet would look like (physical layer is assumed):
ethernet/IPv6/TCP/HTTP

Another look at tunneling

With the OSI refresher, we can revisit the Idea of Tunneling to Hurricane Electric. A tunnel packet would like like this:
ethernet/IPv4 tunnel/IPv6/TCP/HTTP
As you can see an extra layer (or tunnel) has been inserted, the IPv4 tunnel, and is removed when the packet reaches the tunnel end point at Hurricane Electric.

IPv6 and DSL/PPPoE

You might think that a native connection to the internet via TekSavvy would be as simple as:
ethernet/IPv6/TCP/HTTP
But, alas, almost no one has a native ethernet connection to the internet. Most of us have a Cable or DSL connection to an ISP (Internet Service Provider), which means more encapsulations (or you could think of it as tunneling).

TekSavvy DSL, as many other DSL services uses PPPoE (Point to Point Protocol over Ethernet) over DSL (Digital Subscriber Link). There are several flavours of DSL, such as ADSL, HDSL, and VDSL. But your DSL modem will handle those lower layers (L1 & L2), and present an ethernet jack, where you would plug in your OpenWRT Router. (note: TekSavvy Cable does NOT support Native IPv6 yet)

The WAN interface on the router must be configured for PPPoE (which uses authentication, usually CHAP, Challenge Handshake Protocol). So far, the packets going into the router look like:
xDSL/ethernet/PPPoE/...
Part of the PPPoE negotiations that OpenWRT will do with the TekSavvy server is to assign an IPv4 address on the WAN interface. When IPv6 is enabled as part of PPPoE configuration tab (in Luci, the graphical web interface for OpenWRT), PPPoE will negotiate a pseudo-MAC address for the PPPoE interface, and a link-local address is then assigned.

What is not assigned is a global IPv6 address on the WAN interface. This is a little confusing at first, since IPv4 interfaces always have a familiar IPv4 address. But TekSavvy has decided to just use the link-local addresses for the PPPoE link, rather than use up another /64 for a point-to-point link. This creates kind of a gap (of global addresses) in the link between your home network, and the big Internet. This looks like this:

IPv6 Internet 
TekSavvy
 
PPPoE 
OpenWRT
 
Home LAN
 
global address
 
 global-> 
 link-local<------->link-local
 
->global
 
 global

Networking without NAT

You may have noticed that with the exception of the PPPoE link (above) all the rest of the links are using globally routed IPv6 addresses. This is good, because without NAT any-to-any connectivity is restored (they way networks used to be before NAT).

However, the home network needs a globally routable prefix as well. Fortunately, TekSavvy will give you one to use, via DHCPv6-PD (Dynamic Host Control Protocol v6 with Prefix Delegation). The PD is the key, as it tells the router what globally routable address to advertise inside the home network (using Router Advertisements, RAs).

Configuration of OpenWRT

Before configuring your router, you may need to configure the DSL modem/router to be in bridging mode. This is important as PPPoE will not cross a router.

There is an excellent configuration guide for IPv6 on the OpenWRT website. You will need to install odhcp6c on your router to make the DHCPv6-PD request to TekSavvy, and accept the PD (prefix delegation) from them.

However, a couple of changes need to be made from that guide. The primary configuration is in /etc/config/network, a UCI (Universal Configuration Interface) file.
/etc/config/network 
config interface wan
        option ipv6 1 # only required for PPP-based protocols
        ...

config interface wan6
        option ifname 'pppoe-wan' # use pppoe-wan or "@wan"
        option proto    dhcpv6
	option reqaddress 'none' # Does not request pppoe-link global address
	option reqprefix 'auto'  # Accept any prefix-length for prefix delegation


In the wan6 stanza, the ifname should be your pppoe interface (or you can use @wan), as you want the DHCPv6-PD request to be encapsulated in PPPoE. The request packet will look like:
ethernet/pppoe/ipv6 (link-local)/dhcpv6 request
Edit 15 June 2016: TekSavvy issues Prefix-Delegation differently based on the DHCPv6 Request Address option (option 3, IA_NA). In the example above option reqaddress 'none' will result in a PD of /56 being allocated to your router (yes that is 256 /64s, lots of room to play). However the default value is option reqaddress 'try' and will result in a PD of /64 allocation (much less fun). In the Luci (web interface) set "Request Address" to Disabled, and sit back and enjoy the /56 from TekSavvy!

Setting up your firewall

You will also want to put the wan6 interface in the same firewall zone as the wan (since you don't want everyone coming into your home LAN). Edit the firewall configuration file in /etc/config/firewall, and add wan6 to the option network line:
/etc/config/firewall 
config zone                    
        option name 'wan'      
        option output 'ACCEPT' 
        option masq '1'       
        option mtu_fix '1'    
        option input 'REJECT' 
        option forward 'DROP' 
        option network 'wan wan6'

Of course, you can also use luci (the web interface for OpenWRT) to assign the wan6 interface to the wan zone.

OpenWRT auto-configuring RAs and routes

Once the DHCPv6-PD response come back from the TekSavvy server, OpenWRT will automagically send out RAs with the new prefix on that home LAN (br-lan interface). All hosts connected to the home LAN will use SLAAC (StateLess Address AutoConfig) to create globally routable addresses. OpenWRT will also insert routes to permit the home LAN packets to get out. You can see this route by ssh-ing to OpenWRT and typing:
root@OpenWrt:/tmp# ip -6 route
default from 2607:c000:812f:6f00::/56 via fe80::2a0:a512:85:2940 dev pppoe-wan  proto static  metric 4096 
2607:c000:812f:6f00::/64 dev br-lan  proto static  metric 1024 
fe80::/64 dev br-lan  proto kernel  metric 256 
fe80::/64 dev wlan1  proto kernel  metric 256 
fe80::/64 dev eth1  proto kernel  metric 256 
fe80::/10 dev pppoe-wan  metric 1 
fe80::/10 dev pppoe-wan  proto kernel  metric 256

The key route is the first one, the default route. Let's look at this line a bit more to decode what TekSavvy is doing. It says that any packet from the 2607:c000:812f:6f00::/64 (my home LAN PD) send to fe80::2a0:a512:85:2940 (TekSavvy Server link-local address) via the pppoe-wan interface. This is an excellent use of the link-local address, since it saves having to administer another prefix just for the PPPoE link.

If you have Windows machines on your LAN network, you will want to turn on the DHCPv6 server on the LAN interface. See IPv6 Dual Stack, the good, the bad, and the ugly.

/etc/config/dhcp
config dhcp 'lan'
        option interface 'lan'
        #option ignore '1'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_default '1'
        option ra_management '1' # 0=M & O bits set to zero

Checking IPv6 connectivity

If you look at the addresses of a machine inside your home LAN, you should now see a global IPv6 address with the new prefix.
~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 10:9a:dd:54:b6:34 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.115/24 brd 10.1.1.255 scope global eth0
    inet6 2607:c000:812f:6f00:56b:6a01:3728:8802/64 scope global temporary dynamic 
       valid_lft 6882sec preferred_lft 1482sec
    inet6 2607:c000:812f:6f00:fc71:1b50:8623:68a0/64 scope global temporary deprecated dynamic 
       valid_lft 6882sec preferred_lft 0sec
    inet6 2607:c000:812f:6f00:e451:232c:9150:b476/64 scope global temporary deprecated dynamic 
       valid_lft 6882sec preferred_lft 0sec
    inet6 2607:c000:812f:6f00:129a:ddff:fe54:b634/64 scope global dynamic 
       valid_lft 6882sec preferred_lft 1482sec
    inet6 fe80::129a:ddff:fe54:b634/64 scope link 
       valid_lft forever preferred_lft forever

And of course, there is ping6, that updated vintage test application.
~$ ping6 -c 2 -n google.com
PING google.com(2607:f8b0:400a:804::1008) 56 data bytes
64 bytes from 2607:f8b0:400a:804::1008: icmp_seq=1 ttl=56 time=14.9 ms
64 bytes from 2607:f8b0:400a:804::1008: icmp_seq=2 ttl=56 time=14.5 ms

Native IPv6, is it worth it? Absolutely!

A key advantage of running Native IPv6, rather than tunneled is much lower ping times, which translates to lower latency. How much faster? Via the Hurricane Electric, I was seeing ping6 to Google at about 120 ms, and Native is just under 15 ms, that is eight times less latency. Why such a big difference? It takes, time to manipulate packets (adding or removing encapsulations). And there is the time to traverse the tunnel, then traverse to the final destination. Going Native removes all of that.

For those who use multi-user games, the reduced latency will make a big difference (e.g. Xbox prefers IPv6 over IPv4).

TekSavvy Caveats

So it is all good news, right? Well not quite. TekSavvy's network setup will work for the masses, which I am sure is why they did it this way. Everytime the PPPoE is renegotiated, a new Prefix-Delegation is sent, which means the network prefix inside you home will change. OpenWRT will send out new RAs to advertise the new prefix, and all the machines on your network will create new global addresses. And most will not even notice.

The PD prefixes appear to be coming from a pool, and everytime PPPoE connects a new PD prefix is pulled from the pool. A friendlier implementation would be to give you the same prefix, like DHCP gives you the same address upon renewal.

DNS Bummer

But for the few of us who run their own DNS (Domain Name Service) in our Home, with AAAA records (IPv6 name to address records) for our internal machines, it breaks horribly. Suddenly without warning, all of the AAAA records are invalid, and your nice naming system for your internal machines are broken. I haven't resolved this issue, and for now, I have kept my Hurricane Electric tunnel up, which keeps my static IPv6 prefix, and I have the Native IPv6 prefix from TekSavvy. I'll have to code up something to update my AAAA records when TekSavy updates my prefix. Apparently (according to TekSavvy) static prefixes are not available for residential customers at this time.

DNS is your friend with IPv6. It is a nice abstraction layer which works world-wide, and can work in your home to help you not remember hexidecimal addresses (which are going to change anyway, since the prefixes change). Setting up AAAA records is the way to go.

Wrong M & O bits in RA

TekSavvy is sending the incorrect M & O (Managed and Other flags) in their RA. According to RFC 3315 (DHCPv6), they should be sending M=0, O=1, to tell the DHCPv6 Client to make a request, but don't try to get an address. Fortunately, OpenWRT allows us to tell the DHCPv6 client the same thing via configuration. By setting the /etc/config/network option reqaddress 'none' you are telling the client not to request an address. The side effect of this, is that TekSavvy will issue a /56 prefix (or the equivalent of 256 end network /64 prefixes) rather than a single /64. A /56 may seem like overkill for now, but as home network become more complex, having multiple subnets on multiple LANs within your home will become very useful (think about having a guest network, and an internal network, where your servers are).

Go Native!

Going Native is the way to go. ISPs will work through some of these operational issues, as they get more experience with IPv6. OpenWRT is an excellent open source router software which as of release 15.05 (Chaos Calmer) has excellent IPv6 support.



14 November 2015
Updated 15 June 2016

*