5.4. IPv6 Support

The IP address standard IPv6 is designed as the successor to IPv4, with the principal advantage of providing a much larger address space. Among many other benefits, the large number of available global IPv6 addresses means that NAT should no longer be required for sharing a limited number of public addresses.

IPv6 is usable with most configuration objects. A list of usage restrictions can be found later in this section.

IPv6 is Enabled by Default

By default, the Clavister NetShield Firewall supports IPv6 and this does not need to be explicitly enabled. If all IPv6 traffic is to be ignored, the following command can be used:
System:/> set Settings IPSettings AllowIPVersion=IPv4
This allows only IPv4 packets to be processed and all IPv6 packets will be dropped. Conversely, if all IPv4 packets are to be dropped and only IPv6 recognized, the CLI command would be:
System:/> set Settings IPSettings AllowIPVersion=IPv6
To return to the original, default situation where both IPv4 and IPv6 are processed, the command would be:
System:/> set Settings IPSettings AllowIPVersion=Any

Adding an IPv6 Address

IPv6 address objects are created in the address book in a similar way to IPv4 addresses.

For IPv6, only the all-nets-ip6 object (the IPv6 network ::/0) exists by default in the address book. Unlike IPv4, there are no predefined IPv6 address and network objects for the interfaces, so these must be created manually.

Example 5.6. Adding an IPv6 Address

This example adds a new address object called my_ip6_address to the address book with the single IPv6 address 2001:DB8::1.

Command-Line Interface

System:/> add Address IPAddress my_ip6_address Address=2001:DB8::1
[Note] Note: The prefix 2001:DB8::/32 is reserved for documentation

As described in RFC3849, the IPv6 prefix 2001:DB8::/32 is specifically reserved for documentation. All IPv6 examples in this guide use this network or addresses from it.

Enabling IPv6 on an Interface

Predefined address book objects already exist for each Ethernet interface. To enable IPv6 on an interface, an IPv6 address and network (prefix) are added to the associated address book objects.

This could be done by giving the interface's existing address object a comma-separated list containing both the IPv4 address and the IPv6 address. However, the recommendation is to create a separate IPAddress object for the IPv6 address and add that object to the interface's IPAddress property together with the IPv4 object.

If an IPv6 address and network are not assigned, IPv6 packets arriving at the interface are always dropped.

Example 5.7. Enabling IPv6 on an Interface

Assume that the interface if1 is to have the IPv4 address 10.15.0.50 with network 10.15.0.0/24. IPv6 is to be enabled on the interface with the IPv6 address 2001:DB8::1 from the network 2001:DB8::/32.

Command-Line Interface

Set the default address object for the interface to the IPv4 address.

System:/> set Address IPAddress if1_ip Address=10.15.0.50

Add an IPv6 address object for the interface:

System:/> add Address IPAddress if1_ip6_ip Address=2001:DB8::1

Set the IPv4 and IPv6 addresses directly on the interface:

System:/> set Interface EthernetInterface if1 IPAddress=if1_ip,if1_ip6_ip

Set the IPv4 network for the interface:

System:/> set Address IPAddress if1_net Address=10.15.0.0/24

Add a new object for the IPv6 network associated with the interface:

System:/> add Address IPAddress if1_ip6_net Address=2001:DB8::/32

The route for the IPv6 network must now be added manually to the main routing table:

System:/> cc RoutingTable main
System:/RoutingTable/main> add Route Interface=if1 Network=if1_ip6_net
System:/RoutingTable/main> cc
System:/> 

[Tip] Tip: Use period plus tab when appending an address

When using the CLI set Address IPAddress command, the objective can be to append a new IP address value to any existing values.

All the existing values can be displayed by using the key sequence of a period ( . ) followed by a tab after Address=. A comma ( , ) can then be typed followed by the new address to be added to the list.

IPv6 Interface Routes are Not Added Automatically

When an IPv6 address and network are assigned to an Ethernet interface (both are required), an IPv6 route for that interface must be added manually to the main routing table. Unlike the IPv4 interface route, it cannot be added automatically by cOS Stream.

IP Rules Can Mix IPv4 and IPv6

There is no requirement in cOS Stream to have separate IP rules that refer to IPv4 and IPv6 address objects. It is valid to use an IPAddress that combines both IPv4 and IPv6 addresses in a single IP rule.

However, an IP rule whose source is IPv4 only and whose destination is IPv6 only can never match any traffic and has no useful function. Note also that a single Route object cannot mix IPv4 and IPv6: separate routes must be created for each IP version.

Grouping IP Addresses

Since an IPAddress object can contain any number of IPv4 or IPv6 addresses, as well as references to other IPAddress objects, it is IPAddress objects that are used to create groupings of IP addresses. There is no separate group address object in cOS Stream.
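As an added illustration (not cOS Stream code and not from the Clavister guide), the following Python resolves nested IPAddress objects into their member networks and then flags the two cases described above: an IP rule whose source and destination share no IP version, and a route whose network object mixes IPv4 and IPv6. The address book contents, object names and rule names are constructed for the example; the grouping-by-reference model follows the text, but the lint itself is this example's own logic, not a cOS Stream feature.

```python
import ipaddress
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed address book in the style of cOS Stream IPAddress objects: each
# entry holds literal IPv4/IPv6 values and/or the names of other IPAddress
# objects (grouping by reference). Names and values are invented here.
ADDRESS_BOOK: Dict[str, List[str]] = {
    "all-nets-ip4": ["0.0.0.0/0"],
    "all-nets-ip6": ["::/0"],
    "all-nets":     ["all-nets-ip4", "all-nets-ip6"],
    "if1_net":      ["10.15.0.0/24"],
    "if1_ip6_net":  ["2001:DB8::/32"],
    "lan_dual":     ["if1_net", "if1_ip6_net"],   # mixed-version group
    "v6_server":    ["2001:DB8::10"],
}


def resolve(name: str, path: FrozenSet[str] = frozenset()) -> List:
    """Flatten an IPAddress object, following references, into ip_network objects.
    `path` is the chain of names currently being expanded, so a reference loop
    (A -> B -> A) is reported instead of recursing forever, while the same object
    referenced from two different groups is expanded normally."""
    if name in path:
        raise ValueError(f"circular reference through {name}")
    if name not in ADDRESS_BOOK:
        raise KeyError(f"unknown address object {name}")
    nets = []
    for value in ADDRESS_BOOK[name]:
        if value in ADDRESS_BOOK:
            nets.extend(resolve(value, path | {name}))
        else:
            nets.append(ipaddress.ip_network(value, strict=False))
    return nets


def versions(name: str) -> Set[int]:
    """The set of IP versions ({4}, {6} or {4, 6}) an object resolves to."""
    return {net.version for net in resolve(name)}


def lint_rule(rule: str, source: str, destination: str) -> Optional[str]:
    """Warn when a rule's source and destination share no IP version: such a
    rule is accepted configuration but can never match a packet."""
    src, dst = versions(source), versions(destination)
    if src and dst and not (src & dst):
        return (f"rule {rule}: source {source} is IPv{src.pop()} only and "
                f"destination {destination} is IPv{dst.pop()} only; "
                f"it can never match")
    return None


def lint_route(route: str, network: str) -> Optional[str]:
    """Warn when a route's Network object mixes IPv4 and IPv6, which a single
    Route object cannot carry; one route per IP version is needed."""
    if len(versions(network)) > 1:
        return (f"route {route}: network {network} mixes IPv4 and IPv6; "
                f"split it into one route per IP version")
    return None


if __name__ == "__main__":
    for r in (("allow_lan", "lan_dual", "all-nets"),
              ("v4_to_v6", "if1_net", "v6_server")):
        print(lint_rule(*r) or f"rule {r[0]}: ok")
    for rt in (("if1_ip6_route", "if1_ip6_net"), ("bad_route", "lan_dual")):
        print(lint_route(*rt) or f"route {rt[0]}: ok")
```

Running the block reports allow_lan and if1_ip6_route as fine, v4_to_v6 as a rule that can never match, and bad_route as a route that must be split by IP version.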

The all-nets Address Object

The preconfigured all-nets-ip4 address object is a catch-all object for all IPv4 addresses. Similarly, all-nets-ip6 represents all IPv6 addresses and only IPv6 addresses.

To represent all IPv4 and IPv6 addresses, all-nets-ip4 is combined with all-nets-ip6 in the single predefined object all-nets.

IPv6 Neighbor Discovery

IPv6 Neighbor Discovery (ND) is the IPv6 equivalent of the ARP protocol with IPv4 (see Chapter 4, ARP).

When IPv6 is enabled for a given Ethernet interface, cOS Stream will respond to any IPv6 Neighbor Solicitations (NS) sent to that interface with IPv6 Neighbor Advertisements (NA) for the IPv6 address configured for that interface.

Publishing additional IPv6 addresses on an interface, so that cOS Stream also answers Neighbor Solicitations for them, can be achieved by adding an NDEntry object to the NDEntries list. The NDEntries object exists by default as an empty list and does not need to be created. The example below demonstrates adding an NDEntry to the list.

Example 5.8. Enabling Interface Neighbor Discovery

This example will create an NDEntry that publishes the IPv6 address my_ipv6 on the if3 interface:

Command-Line Interface

First, change the context to be NDEntries:

System:/> cc NDEntries

Next, add an NDEntry object to NDEntries:

System:/NDEntries> add NDEntry Interface=if3 IP=my_ipv6

Note that the default value for the Mode property is Publish.

Finally, return to the default, root context:

System:/NDEntries> cc
System:/> 

Enabling IPv6 Router Advertisements

An additional option for an Ethernet or VLAN interface is to enable IPv6 Router Advertisement. This fills a role comparable to that of an IPv4 DHCP server: any external client connected to the interface can send a Router Solicitation and receive Router Advertisements, which it uses to perform Stateless Address Auto-Configuration (SLAAC). The SLAAC process allows the client to create its own unique global IPv6 address by combining the advertised prefix with an interface identifier, classically derived from the MAC address of its interface (the EUI-64 form), although many current clients instead generate a random or opaque identifier (RFC 8981, RFC 7217). Unlike DHCP, SLAAC is stateless: the firewall keeps no record of which addresses clients have chosen.

Enabling router advertisements in cOS Stream is done by enabling the AdvertiseIP6 property for a single Route object in a routing table. This enables advertisements on the interface specified in that route, and only for the host or network specified in that route.

Example 5.9. Enabling IPv6 Advertisements

This example enables IPv6 advertisements on the route if1_route in the routing table main.

Command-Line Interface

First, change the current context to be the main routing table:

System:/> cc RoutingTable main

Now, enable router advertisements on the target route:

System:/RoutingTable/main> set if1_route AdvertiseIP6=yes

Finally, return to the default CLI context:

System:/RoutingTable/main> cc
System:/> 

Some of the values in the router advertisement are controlled by an object called a RouterAdvertisementProfile. This is assigned to the RouterAdvertisementProfile property of the interface. Initially, the value DefaultProfile is always assigned to this property for all interfaces. This uses the default values for a new RouterAdvertisementProfile object but does not correspond to an editable object in the system.

If the default values provided by the DefaultProfile value are not satisfactory, the following steps must be used:

Note that the value of the RouterAdvertisementProfile property for an interface only has meaning if the AdvertiseIP6 property of an associated route is enabled. It is enabling the AdvertiseIP6 property of the Route object that turns on router advertisements and not a profile assigned to the interface.

Enabling Automatic Interface Address Configuration

Another option for an Ethernet or VLAN interface is to enable automatic IPv6 address configuration of the interface. This is the client side of the Router Advertisement feature described above: the interface listens for router advertisements from an external router and can derive its IPv6 addressing from them. Because those advertisements are accepted from the attached link, this should only be enabled on interfaces where the upstream router is trusted; a rogue router advertisement on that segment could otherwise change the interface's address and prefix (see RFC 6104). When enabled, the following properties of the interface object can be automatically assigned by an external device that is sending out router advertisements:

This option is enabled by setting the IPv6AddressConfiguration property to the value SLAAC. The default value for this property is Static, which means that the properties listed above must be given their values manually by changing the corresponding address objects (also listed above). Of these address book objects, only ifn_ip exists by default; the others are created automatically by cOS Stream at the time the IPv6AddressConfiguration property is set to SLAAC.

Example 5.10. Enabling Automatic Address Configuration

This example shows how to enable automatic address configuration on the if1 interface.

Command-Line Interface

System:/> set Interface EthernetInterface if1 IPv6AddressConfiguration=SLAAC
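To make the exchange behind Examples 5.9 and 5.10 concrete, here is an added Python example (not cOS Stream code and not from the Clavister guide) that parses an ICMPv6 Router Advertisement carrying Prefix Information options and derives the address a SLAAC client with a given MAC would form using the EUI-64 interface identifier. The advertisement bytes and the MAC address are constructed for the example. It shows the checks a receiver has to make before trusting a prefix: the A (autonomous) flag must be set, the prefix must be exactly 64 bits long, the valid lifetime must be non-zero, and every option must be length-checked so a malformed advertisement cannot make the parser read past the packet.

```python
import ipaddress
import struct
from typing import Dict, List

ND_ROUTER_ADVERT = 134   # ICMPv6 type for Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3      # Prefix Information option type (RFC 4861 section 4.6.2)


def parse_router_advertisement(icmpv6: bytes) -> Dict:
    """Parse an ICMPv6 Router Advertisement (IPv6 header already stripped).
    Returns the header fields plus a list of Prefix Information options.
    Each option is length-checked so a truncated or zero-length option is
    rejected rather than read past the end of the packet."""
    if len(icmpv6) < 16:
        raise ValueError("RA shorter than its fixed 16-byte header")
    (msg_type, code, _checksum, hop_limit, flags,
     router_lifetime, _reachable, _retrans) = struct.unpack("!BBHBBHII", icmpv6[:16])
    if msg_type != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {
        "hop_limit": hop_limit,
        "managed": bool(flags & 0x80),       # M flag: addresses via DHCPv6
        "other": bool(flags & 0x40),         # O flag: other config via DHCPv6
        "router_lifetime": router_lifetime,  # 0 means "not a default router"
        "prefixes": [],
    }
    off = 16
    while off < len(icmpv6):
        if len(icmpv6) - off < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")   # RFC 4861: discard the packet
        size = opt_len * 8                           # length is in units of 8 octets
        if off + size > len(icmpv6):
            raise ValueError("option extends past end of packet")
        body = icmpv6[off:off + size]
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            valid, preferred = struct.unpack("!II", body[4:12])
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Network((body[16:32], body[2]), strict=False),
                "on_link": bool(body[3] & 0x80),     # L flag
                "autonomous": bool(body[3] & 0x40),  # A flag: usable for SLAAC
                "valid": valid,
                "preferred": preferred,
            })
        off += size   # unknown option types are skipped, as RFC 4861 requires
    return ra


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 appendix A):
    insert ff:fe in the middle and flip the universal/local bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_addresses(ra: Dict, mac: str) -> List[ipaddress.IPv6Address]:
    """Addresses a SLAAC client with this MAC would form from the RA. A prefix
    is only used when its A flag is set, it is exactly 64 bits long and its
    valid lifetime is non-zero (RFC 4862 section 5.5.3)."""
    iid = eui64_interface_id(mac)
    out = []
    for p in ra["prefixes"]:
        if not p["autonomous"] or p["prefix"].prefixlen != 64 or p["valid"] == 0:
            continue
        out.append(ipaddress.IPv6Address(p["prefix"].network_address.packed[:8] + iid))
    return out


def build_prefix_option(prefix: str, prefix_len: int, on_link: bool,
                        autonomous: bool, valid: int, preferred: int) -> bytes:
    """Encode one Prefix Information option (used here only to build sample input)."""
    flags = (0x80 if on_link else 0) | (0x40 if autonomous else 0)
    return (struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, prefix_len, flags, valid, preferred, 0)
            + ipaddress.IPv6Address(prefix).packed)


# Constructed sample RA: hop limit 64, router lifetime 1800 s, two /64 prefixes
# from the documentation range. The second has the A flag clear and so must not
# be used for address formation. The checksum field is left as zero.
SAMPLE_RA = (
    struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0x00, 1800, 0, 0)
    + build_prefix_option("2001:db8:0:1::", 64, True, True, 2592000, 604800)
    + build_prefix_option("2001:db8:0:2::", 64, True, False, 2592000, 604800)
)
SAMPLE_MAC = "00:1b:23:b1:d7:4f"   # constructed client MAC for the example

if __name__ == "__main__":
    ra = parse_router_advertisement(SAMPLE_RA)
    for p in ra["prefixes"]:
        print(p["prefix"], "A" if p["autonomous"] else "-", "L" if p["on_link"] else "-")
    for addr in slaac_addresses(ra, SAMPLE_MAC):
        print("SLAAC address:", addr)   # 2001:db8:0:1:21b:23ff:feb1:d74f
```

The EUI-64 derivation is the MAC-based form the text describes; because many hosts now use random or opaque interface identifiers instead, the reverse inference (recovering a MAC from an observed IPv6 address) should not be relied on when auditing a segment.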

The ND Cache and ndp Command

Like ARP, the IPv6 neighbor discovery mechanism in cOS Stream maintains a Neighbor Discovery Cache (ND cache). This cache can be displayed and managed using the ndp CLI command.

To display the entire cache use the command:

System:/> ndp -show

Neighbor cache of iface if1:
    Stale  fc01:6:13::1   = 77:2b:cb:8d:72:de   Expire=5033

Neighbor cache of iface if2:
     Good  fc01:22:13::1  = 00:1b:23:b1:d7:4f   Expire=28

To flush the entire cache use the command:

System:/> ndp -flush

A gratuitous neighbor discovery message can be sent on an interface for a specified IP address with the command:

System:/> ndp -notify <if> -ip=<address>

The ndpsnoop Command

The ndpsnoop command provides real-time logging at the console of both router advertisements and router solicitations. For example, to view all activity on the if1 interface:

System:/> ndpsnoop if1

All the options for the ndp and ndpsnoop commands can be found in the separate Clavister NetShield Firewall CLI Reference Guide.

IPv6 and IPsec

The Clavister NetShield Firewall supports the transport of either IPv4 or IPv6 over ESP. The ESP packets may themselves use either IPv4 or IPv6. This means that the local network and the remote network for an IPsec tunnel can be specified as IPv4 or IPv6 addresses. However, the local network and remote network must use the same IP version.

IPv6 and High Availability

The High Availability (HA) feature fully supports IPv6. All IPv6 configuration objects are synchronized between the HA master and slave units, and the ND cache is synchronized as well. If a failover occurs, state information is not lost when one unit takes over processing from the other, so established IPv6 connections survive the failover.

In an HA configuration where interfaces have IPv6 enabled and IPv6 addresses assigned, there can be both a private and shared IPv6 address for each pair of interfaces. Each interface pair will have different private IPv6 addresses on the master and slave but will have the same shared IPv6 IP.

It is possible to have both an IPv4 and IPv6 shared IP address for the same interface. If this is the case, there must also be a private IPv4 and private IPv6 address for the individual interfaces in the pairing.