Those are indeed link-local.
FE80::/10 is strictly link-local only. I.e. it can only ever be used to exchange packets with another system on the same link (either Ethernet segment / bridged domain, or the far end of a PPP, or equivalent). It can, of course, be used as a next-hop in a routing table, so they could potentially route public addresses to you and you could potentially route to the net over a PPP which only has link-local addresses, in much the same way that an IPv4 link with RFC1918 addresses can still forward public-addressed packets.
That confirms what I was thinking. And I presume those link-local addresses can also be used to send router advertisement (RA) messages down the line? Using tcpdump on my tun0 interface, it appears there are periodic transmissions of RA messages coming in on the link-local address.
Probably not. You need to receive a global IPv6 address from them. Typically you'll receive a whole /64 or /48 network to use.
They should be assigning you at least a public /64 to use. Exactly how that is managed is a per-ISP thing, so you may need to chat to them about it if there's no obvious auto-config of a public address coming down the line.
FreeBSD 10.3 should handle it just fine, in theory, but can't say much more than that without knowing your ISP's setup. I've had servers with IPv6 mostly happily enabled since back in the 7.x days, so it's fairly mature now in 10.x.
Yesterday I did some more reading to get a little deeper understanding of IPv6 in general. The thing that is giving me some problems to fully understand is that from what I've read so far, a machine is supposed to be either:
- A host (single interface only, probably runs rtsold to auto-configure its address, routers, etc)
- A router (multi interface, probably runs rtadvd to announce itself on the network, probably configured statically rather than dynamically)
But it appears that my machine (and for that matter most other typical home network routers) are neither exactly 1) nor 2), as the address/prefix is not known in advance for statically configuring anything, but rather received dynamically from the ISP. It would rather appear that the typical residential gateway type of router has to be a mixture of both. Is this assumption correct?
Seeing that there are RA messages coming down the link, I did some more fiddling yesterday. If this machine is ever supposed to route IPv6 traffic, it appears I will need this in my /etc/rc.conf:
Code:
ipv6_gateway_enable="YES"
Also to get my tun0 interface into a state where it is actually able to accept those RA messages coming down the link, it would seem that this is the correct way to do it:
And in order to have my other interfaces (ethernet/wlan) automatically configured with a link-local address I also added this:
Code:
ipv6_activate_all_interfaces="YES"
I understand I could alternatively add ifconfig_<IF>_ipv6="..." lines for each interface, but I'm not really sure what to put there.
This got me so far that I could manually run rtsol -D tun0 which seems to have added another IPv6 address (starting with a 2, so I assume it's a global one) to my tun0 interface. It also seemed to have added an IPv6 default route pointing to the peer's link-local address. Not sure if this is correct though. If I remember it correctly, it said something about the prefix length being 64.
I have tried a DNS query to my local bind99 name server, and it appeared to be sending out IPv6 packets over the link, but never got any answer. So for the moment I'm a bit stuck here, as I am not quite sure where to take it from here. How do my other interfaces and/or machines on my local network/wireless network get valid IPv6 addresses? Do I need to run rtadvd on my ethernet/wlan0 interfaces in order to accomplish that, or would I rather install a local DHCP6 server, or both? What happens if the link to the ISP is dropped? Do I get a different prefix next time it connects, which would mean all machines in my LAN would need to be renumbered? I feel I have still plenty of way to go here...
If you want to experiment with IPv6 you can sign up for a free IPv6 tunnel-broker. I'm currently using one from he.net as my ISP still has no plans to support IPv6 natively.
I would rather not want to go down this tunneling road. As I understand it, some or all of these transition techniques also come with security implications?
On a higher end / business / premium connection, they should be giving you at least a /56 or /48. If they have the fairly crap support that is sadly far too typical these days, I'd probably have a good hunt through their docs, forums, lists, etc; before calling support.
It's just the typical residential type of internet service. It is pretty obvious that they are trying hard to push their customers to use their web based support instead of calling them and asking questions. A search on their website for IPv6 related stuff turned up mostly empty. And I would rather want to wait with calling their support until at least I know what the exact question would be and I do fully understand it.
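Added example, not part of any post in this thread: a small check of the two things discussed above, namely which scope each address on the uplink falls into (FE80::/10 link-local versus a global address "starting with a 2") and whether the default route's next hop is a link-local address scoped to that interface. The ifconfig and route lines are constructed sample text using the 2001:db8::/32 documentation prefix, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample output (documentation prefix), not taken from the thread.
IFCONFIG = """\
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
\tinet6 fe80::21b:21ff:fe00:1%tun0 prefixlen 64 scopeid 0x5
\tinet6 2001:db8:1234:5678:21b:21ff:fe00:1 prefixlen 64 autoconf
"""
DEFAULT_ROUTE = "default  fe80::1%tun0  UG  tun0"

SCOPES = [
    ("link-local", ipaddress.ip_network("fe80::/10")),
    ("unique-local", ipaddress.ip_network("fc00::/7")),
    ("global-unicast", ipaddress.ip_network("2000::/3")),
]

def scope_of(addr):
    """Classify an IPv6 address; any %zone suffix is ignored for matching."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])
    for name, net in SCOPES:
        if ip in net:
            return name
    return "other"

def parse_inet6(ifconfig_text):
    """Return (address, prefixlen, scope) for each inet6 line."""
    return [(m.group(1), int(m.group(2)), scope_of(m.group(1)))
            for m in re.finditer(r"inet6 (\S+) prefixlen (\d+)", ifconfig_text)]

def check_uplink(ifconfig_text, route_line, ifname):
    """Summarise whether the uplink has a global address and a sane next hop."""
    addrs = parse_inet6(ifconfig_text)
    gw = route_line.split()[1]
    zone = gw.partition("%")[2]
    gw_scope = scope_of(gw)
    return {
        "has_global": any(s == "global-unicast" for _, _, s in addrs),
        "global_prefixlens": [p for _, p, s in addrs if s == "global-unicast"],
        "gateway_scope": gw_scope,
        # A link-local next hop is only meaningful on the link it names.
        "gateway_zone_ok": gw_scope != "link-local" or zone == ifname,
    }

if __name__ == "__main__":
    for row in parse_inet6(IFCONFIG):
        print(row)
    print(check_uplink(IFCONFIG, DEFAULT_ROUTE, "tun0"))
```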