
Virtual Machine IPv6 Router

What is Goatrace vmv6r?

vmv6r is a "virtual appliance" designed to allow folk to take a look at the IPv6 Internet without a native IPv6 connection and with the bare minimum of work. It is not intended as a foolproof long term solution for IPv6 connectivity and should under no circumstances be run on a corporate network without the permission of the network administrator. See the warnings section below.

vmv6r uses 6to4 to tunnel IPv6 packets between itself and relay routers over an IPv4 network. vmv6r advertises itself on your network as an IPv6 router and provides your IPv6 enabled computers with the information they need to autoconfigure themselves to be able to communicate with the IPv6 Internet.

After booting up vmv6r in VirtualBox or VMware, systems on the same link should normally be able to communicate with the Internet over IPv6, assuming you currently have IPv4 Internet connectivity.

System and Network Requirements

To run vmv6r all you need is:

  • A virtualization product. Platforms known to work are:
    • VirtualBox: versions 3.12 and 4.x have been tested.
    Testing is currently under way on VMware.
    Please let us know what you've tried and what works or doesn't.
  • A computer which supports IPv6 where IPv6 has not been actively disabled. Most recent popular operating systems support IPv6. So far the following have been tested with vmv6r:
    • Linux (OpenSuse 11.1/Ubuntu 10.04/CentOS 5.4/Fedora 13)
    • MacOS X (10.5)
    • Solaris (OpenSolaris 2009.06)
    • Windows (XP SP2)
    Later versions of these Operating Systems are likely to work and earlier ones might do too.
  • For web browsing, a browser which supports IPv6 and hasn't had those capabilities disabled. Browsers known to work include recent versions of:
    • Firefox
    • Safari
    • Internet Explorer
    Please see the browsers section below and let us know what your experiences are.
  • Wired connectivity between your host computer and your network. If you are using VirtualBox, your host computer can be connected to your network wirelessly but only the host computer and other guests on the same host will be able to use vmv6r's 6to4 connectivity. If you are using VMware it won't work at all. See below for details.
  • DHCP enabled on the link on which vmv6r will run. This is taken care of by most people's home broadband routers.
  • An Internet connection with IPv4 connectivity and a routeable external IPv4 address. This does not need to be a "fixed" IP address, and vmv6r should work with most home Internet connections.

vmv6r runs in only 24MB of memory and has a 16MB virtual hard disk when uncompressed, so if you can run anything in your virtualization product, you can probably run vmv6r.

Installation

If you don't already have a virtualization product installed, now is the time to consider downloading and installing one. Do think carefully about whether you want to do this or not: These products can significantly change the state of your machine, although generally this is not noticeable to the user. Also be aware that VMware server is over 400MB in size. VirtualBox is about 50MB. VirtualBox is currently used for vmv6r development, runs on Solaris and MacOS as well as Linux and Windows, and is mostly open source.

For future releases we hope to provide a single download as an OVA. Initial experiments have shown that support for this "portable" format in today's widely used virtualization products is less than complete, so for ease of use we currently provide separate downloads for VirtualBox and VMware.

Installing vmv6r for Virtual Box

  1. Download the vmv6r for VirtualBox zip file.
  2. Unzip the archive. It contains an ovf machine description file and a virtual disk in vmdk format.
  3. Import the appliance into Virtual Box by selecting "Import Appliance" from the file menu and browsing to the OVF file.
  4. Assign the bridged network interface to the appropriate physical interface on your system: Highlight vmv6r and click on "network" in the details tab on the right hand side. Ensure the interface with which you wish to communicate with the rest of the world is selected in the "Name" box, and click "OK". Even if everything looks correct, click "OK" and not "Cancel": Your VM is not configured until the appropriate adapter is confirmed. Note (as mentioned above) that if the VM's network interface is associated with a wireless interface on the host system, only the host or other guests on the same host will be able to use vmv6r's IPv6 connectivity.
  5. Now you should be ready to boot vmv6r.

Installing vmv6r for VMware

  1. Download the vmv6r for VMware zip file.
  2. Unzip the archive in your VMware directory. The archive contains a vmx machine description and a virtual disk in .vmdk format.
  3. You are now ready to boot vmv6r.

Operation

Operation of vmv6r is very straightforward.

  1. Boot the appliance in your chosen virtualization application
  2. When the machine has booted (normally within 5 seconds assuming a responsive DHCP server) you are ready to connect to the Internet over IPv6.
  3. Try typing the URL of an IPv6 only web site into your browser, e.g. http://w6.goatrace.com or (in case you think it's a trick!) http://ipv6.google.com.
  4. If that didn't work, take a look at the troubleshooting section.
  5. When you're finished, shut vmv6r down. In VirtualBox choose "ACPI Shutdown" from the "Machine" menu in vmv6r's VirtualBox window. Alternatively just power it off: vmv6r only mounts its virtual disk's filesystems in "read only" mode so there is minimal chance of them becoming corrupted.

Known Issues

This is an early release of vmv6r and the documentation is yet to be spellchecked. There are likely many problems and native IPv6 connectivity will be available to all long before the problems with this appliance are resolved. Below are some of the current "known problems". 6to4 relies on publicly accessible 6to4 routers provided by various companies who probably do not directly financially benefit from the public's use of them. Partly because of this and partly because 6to4 is unlikely to be used for critical purposes (so there is little impetus to resolve minor issues), 6to4 routing is not always perfect.

vmv6r appears to boot up cleanly but you can't connect to any IPv6 web sites

  • Is your network connection wireless? If so, vmv6r will not work for you. If you are using VirtualBox, vmv6r will only work for applications running on VirtualBox's host system or other guests on the same host. See here for an explanation of why not.
  • Is vmv6r's network connection bridged to the host computer's network interface? Check that the interface is "bridged" (not "NAT" or "Host Only") and that it is associated with a physical interface which has connectivity to the Internet.

Some IPv6-only web sites fail to load, others are fine

There can be many reasons for this. One problem we've seen is incorrect IPv4 source addresses on replies sent back to vmv6r. 192.88.99.1 is the anycast address of a 6to4 relay router and it is to this address that vmv6r sends IPv4 encapsulated IPv6 packets. When vmv6r sends a 6to4 packet (IP protocol 41) to this address, the majority of stateful home firewall/routers will allow replies to be returned to vmv6r using the same protocol from the same address.

Some sites can route back through routers which incorrectly use a 6rd router source address, causing your firewall/router to block the packet. Check your router's firewall logs for dropped packets from 192.88.99.2.

This can be resolved in one of the following ways:

  • Log into vmv6r and ping the 6to4 address of the 6rd router:
    ping6 -i 5 2002:c058:6302::

    The maximum interval between pings (5 seconds ("-i 5") in the example above) will depend on how long your router/firewall will allow to pass before it no longer regards a packet as part of the same "connection". Don't expect any "replies" to your pings: the sole purpose of this is to fool your firewall/router into allowing IPv4 encapsulated IPv6 packets back to vmv6r. The router you are pinging is probably not the one which is sending your packets either (this is an anycast address), but your firewall doesn't know that.

    Sending pings like this is inelegant: It is a hack and puts needless strain on someone else's router. This is why this "solution" is not implemented by default in vmv6r.
  • A better alternative is to find a way of allowing IPv4 encapsulated IPv6 packets from 192.88.99.2 to vmv6r to pass through your firewall. In order to do this you will probably want to assign vmv6r a static IPv4 address.

    Few home broadband routers are flexible enough to allow you to configure this directly. If yours allows it, you want to allow protocol 41 from 192.88.99.2 to vmv6r. If this is not an option, there may be the possibility of designating one of your hosts as a "DMZ machine" to which all packets not currently part of a connection are forwarded. Specifying the address you have assigned to vmv6r here may resolve your issues.

    Any changes to security configuration should be given careful consideration, but in making a decision to do this take into account that by default vmv6r drops all incoming IPv4 packets except for protocol 41, and only accepts or forwards incoming IPv6 which it regards as part of or related to an existing connection. vmv6r uses the same Linux netfilter capabilities as many home firewall/routers. You should of course consider that virtual networking may introduce other potential security flaws.
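
One way to run the log check suggested above, as an added example that is not part of vmv6r. It assumes netfilter LOG style lines carrying a DROP prefix; the function names and the sample log are constructed, and your router's log format may differ.

```sh
#!/bin/sh
# Added example: list the sources of dropped protocol 41 packets that are not
# the relay address the tunnel sends to. A stateful firewall only lets
# protocol 41 back in from the address the outgoing packets went to.

# unexpected_proto41_sources [EXPECTED_SRC]
# Reads log lines on stdin and prints "COUNT SOURCE", busiest source first.
unexpected_proto41_sources() {
    awk -v want="${1:-192.88.99.1}" '
        /DROP/ {
            src = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            # Count only IPv6-in-IPv4 packets from an unexpected source.
            if (proto == "41" && src != "" && src != want) n[src]++
        }
        END { for (s in n) print n[s], s }
    ' | sort -rn
}

# Constructed sample log. 203.0.113.7 and 198.51.100.9 are documentation
# addresses standing in for the home network's external address and an
# unrelated sender.
sample_log() {
    cat <<'EOF'
Jan 12 10:01:02 gw kernel: ACCEPT IN=ppp0 OUT=br0 SRC=192.88.99.1 DST=192.168.1.100 LEN=124 TTL=57 PROTO=41
Jan 12 10:01:03 gw kernel: DROP IN=ppp0 OUT= SRC=192.88.99.2 DST=203.0.113.7 LEN=124 TTL=55 PROTO=41
Jan 12 10:01:08 gw kernel: DROP IN=ppp0 OUT= SRC=192.88.99.2 DST=203.0.113.7 LEN=1500 TTL=55 PROTO=41
Jan 12 10:01:09 gw kernel: DROP IN=ppp0 OUT= SRC=198.51.100.9 DST=203.0.113.7 LEN=60 TTL=49 PROTO=TCP SPT=40112 DPT=23
Jan 12 10:01:15 gw kernel: DROP IN=ppp0 OUT= SRC=192.88.99.2 DST=203.0.113.7 LEN=92 TTL=55 PROTO=41
Jan 12 10:01:20 gw kernel: DROP IN=ppp0 OUT= SRC=198.51.100.9 DST=203.0.113.7 LEN=80 TTL=49 PROTO=41
EOF
}

sample_log | unexpected_proto41_sources
```

Repeated drops from 192.88.99.2 in the output match the problem described in this section.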

You get the IPv4 version of a dual stacked web site (aka "Why can't I see the dancing Kame?")

This may be the issue described above. If your browser can't contact the IPv6 site it may contact the IPv4 site.

IPv6 sites are slow to load

This may be yet another manifestation of the above problem. A site may be dual stacked and your browser may be attempting to contact the IPv6 address first. If this fails it may, after a timeout, contact the IPv4 address and "load".

Another reason is simply the architecture of 6to4. Rather than taking a path as optimal as BGP can determine to and from your target web site, 6to4 must first be sent to a 6to4 relay router, then be routed on the IPv6 Internet to its destination, then back via another relay router. Your nearest 6to4 relay will most likely not be at your own ISP's site and the number of hops traversed will increase several times. Translation between IPv4 and IPv6 and back will also slow round trip time down and there are no guarantees on the performance of publicly accessible 6to4 routers.

Using Browsers with IPv6

These are some preliminary notes which will be replaced by some more authoritative links. This Wikipedia page has been the reference for some of the untested information below.

For all browsers examined for this project, the convention for specifying IPv6 addresses directly to a browser is to enclose the address in square brackets. Thus: http://[2001:41c8:1:5c32::17]/ will take you to the Goatrace web site. Mostly you'll be wanting to use name-based URLs.

Firefox

Firefox has supported IPv6 since version 1.5, although we've only tested 3.6. On MacOS X however, we understand it has only been enabled by default since 3.0. The configuration option which determines whether Firefox performs AAAA lookups for names typed into its address bar is "network.dns.disableIPv6". Firefox configuration options can be accessed by typing "about:config" into the address bar and clicking "I'll be careful". To find (and for pre-3.0 MacOS users, change) the IPv6 DNS option, type "ipv6" into the Filter bar. The option should be set to false (i.e. a double negative "Don't disable...") to allow AAAA lookups.

Internet Explorer

Browsing seems to work fine by default on XP SP2 with IE 8. Microsoft provide some basic documentation on use of IE with IPv6 here.

IPv6 support has been claimed in IE for Windows since 4.01. Versions prior to 7 did not support addresses typed directly into the address bar.

IPv6 support is not claimed for IE for Mac.

Other Browsers

Current versions of Chrome, Opera, Konqueror, Mozilla and Lynx all support IPv6.

Technical Details

What's in vmv6r?

The main components of vmv6r are:

  • Linux Kernel with a very minimal configuration
  • Busybox, a single program built for compactness which emulates most of the UNIX-like utilities which vmv6r requires. The dhcp client daemon has been slightly modified to work better in a virtualized environment.
  • Gnu libc
  • radvd, the router advertisement daemon which tells other systems on your network how to configure themselves for IPv6
  • iptables for setting up netfilter firewalling rules. Only a minimal set of netfilter libraries are included.
  • Grub, without which it wouldn't boot.
  • wget, used in determining the "outside" address of your home network.
  • A small daemon which monitors the virtual power button for ACPI shutdown events (source code available, see below). This is considerably more light weight than acpid with no external dependencies.
  • Simple scripts to perform basic configuration of the system and network.

Version information for this software is included with the vmv6r release notes.

Is it Open Source?

Yes, although the current version contains very little compiled code other than that from well-known sources as listed above. Much of the work in vmv6r is performed by shell scripts which can be viewed by logging into the booted VM (or mounting its file system). The source for the small program handling acpi power button events and the diff against busybox 1.18.2 are available here. A slightly modified version of the changes in the diff file were incorporated into busybox 1.19.0 and a standard busybox will be used for the next vmv6r release.

How Does it work?

On boot up, vmv6r does the following:
  • Obtains an IP address from DHCP
  • Tries to establish its "external IPv4 address", that is the IPv4 address remote sites see when vmv6r connects to them.
  • Calculates the site's /48 6to4 prefix based on the external IP address. This is designated $PREFIX in the discussion below
  • Creates a 6to4 tunnel between itself and the anycast IPv4 address 192.88.99.1
  • Assigns an address $PREFIX::1 to the "outside" of the tunnel
  • Sets up firewall rules for IPv4 and IPv6 to drop everything except what is needed for operation
  • Assigns the IPv6 address $PREFIX:1::1 to its ethernet interface
  • Creates a configuration file for the router advertisement daemon advertising $PREFIX:1::/64 as the prefix for IPv6 autoconfiguration and advertising itself as an IPv6 router.
  • Starts the router advertisement daemon
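
The prefix calculation above, worked through as an added shell example (not vmv6r's own scripts). The function names, the interface name eth0 and the sample address 203.0.113.7 are assumptions, and the radvd stanza is a minimal one rather than the file vmv6r generates. The same mapping gives the ping target used in the Known Issues section: 192.88.99.2 becomes 2002:c058:6302::.

```sh
#!/bin/sh
# Added example: derive the 6to4 addressing plan from an external IPv4 address.

# public_v4 A.B.C.D: succeed only for a well-formed IPv4 address that can be
# routed on the Internet. 6to4 embeds the address in the prefix, so private,
# loopback, link-local, shared (100.64/10) and multicast ranges cannot work.
public_v4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$o" -le 255 ] || return 1
    done
    case $1.$2 in
        0.*|10.*|127.*|169.254|192.168) return 1 ;;
    esac
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 1
    [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ] && return 1
    [ "$1" -ge 224 ] && return 1
    return 0
}

# sixto4_prefix A.B.C.D: print the /48 prefix ($PREFIX in the text), which is
# 2002: followed by the 32 address bits written as two 16-bit hex groups.
sixto4_prefix() {
    public_v4 "$1" || { echo "not a routable IPv4 address: $1" >&2; return 1; }
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    printf '2002:%x:%x\n' $(( $1 * 256 + $2 )) $(( $3 * 256 + $4 ))
}

# addressing_plan A.B.C.D: print the three values the boot sequence derives.
addressing_plan() {
    p=$(sixto4_prefix "$1") || return 1
    echo "tunnel_addr=${p}::1"
    echo "lan_addr=${p}:1::1"
    echo "ra_prefix=${p}:1::/64"
}

# radvd_stanza A.B.C.D [IFACE]: print a radvd.conf stanza for the LAN /64.
radvd_stanza() {
    p=$(sixto4_prefix "$1") || return 1
    cat <<EOF
interface ${2:-eth0}
{
    AdvSendAdvert on;
    prefix ${p}:1::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
EOF
}

# Constructed sample: 203.0.113.7 is a documentation address standing in for
# the external address of a home network.
addressing_plan 203.0.113.7
radvd_stanza 203.0.113.7 eth0
# The relay source address from the Known Issues section maps the same way.
sixto4_prefix 192.88.99.2
```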

vmv6r and wireless Interfaces

Wireless bridged interfaces are a problem for Virtualization products. Tricks with proxy arp which work for normal ethernet interfaces don't work across wireless bridges. Consequently Virtualization products have to resort to MAC spoofing: "NAT"-ing the client's mac address to that of the host system. Getting this to work well can be a very dirty process involving a certain amount of packet mangling.

Because packets arriving across a wireless bridge all have the mac address of the host system, without some fairly sophisticated state tracking the Layer 3 address of an arriving packet must be used to determine which virtual host the packet is destined for.

When systems send packets to a network router for forwarding, the packets they send contain the layer 2 (mac/ethernet) address of the router but the Layer 3 (ie IP) address of the packet's final destination.

A virtual machine with its network interface bridged on a host's wireless interface will never see packets sent to it from remote systems for forwarding: The packets they send for forwarding will be addressed with the Layer 3 (IP) address of the packet's final destination (perhaps an Internet web site) but the mac address of the virtual machine's host system. As these packets don't have the virtual machine's IP address, there is no way for the Virtualization software to know that they are intended for the virtual router. State tracking obviously wouldn't help in this case.

VirtualBox is implemented in such a way that address resolution furnishes the host system with the unspoofed mac address of the guest, and thus it can communicate through a guest which is a router.

A VMware host (with vmplayer 3.1.3 at least) sees the virtual machine's spoofed MAC address on its wireless interface and thus has the same problems using a guest as a router as systems elsewhere on the network.

This may differ between VMware products and versions. An experimental version of vmv6r worked for the host machine with an earlier version of VMware Server because mac spoofing had not been implemented with IPv6 neighbour discovery. Bad for IPv6 guest machines under VMware generally, but perversely good for vmv6r.

Security

vmv6r uses Linux's native netfilter packet filter to restrict access.

Packets arriving over the network (packets over the loopback interface are unfiltered) are subject to the following restrictions.

  • Incoming IPv4 protocol 41 (IPv4 encapsulated IPv6) packets are accepted. The IPv6 payload is subject to further filtering.
  • Incoming IPv4 packets which are part of or related to a connection initiated by vmv6r are accepted. vmv6r uses IPv4 to configure itself (via DHCP), to determine the "outside" (routeable) IP address of your home network, and to send IPv6 packets to a 6to4 router.
  • Any other incoming IPv4 packets are dropped.
  • IPv4 packets are not forwarded
  • IPv6 packets arriving over the 6to4 tunnel interface which are part of or related to a connection initiated by vmv6r are accepted.
  • IPv6 packets arriving over the 6to4 tunnel interface which are part of or related to an existing connection are forwarded to the local network
  • IPv6 packets arriving on the local network interface are forwarded
  • Any other IPv6 packets are dropped

Logging in to vmv6r

You can log in to vmv6r on the console as you would any other Gnu/Linux system. There is only one user ("root"). As downloaded the default password is "goatrace". This is not "secure". However, the only means of logging in to vmv6r is via the console. Your risk increases substantially however if you allow any kind of RDP access to the vmv6r console.

Busybox provides a reasonable suite of UNIX-like commands but be warned: many of them provide significantly less functionality than the "full fat" regular Linux equivalents. EMACS devotees will be disappointed. C'est la guerre.

Mounting Filesystems Read/Write

To minimise the risk of corruption and simplify cleaning up temporary data, vmv6r mounts its filesystems read-only. Any files which need dynamically updating are replaced by symbolic links to a tmpfs file system.

In order to change anything you need to remount the root file system read/write. This can be done as follows:
    mount -o remount,rw /dev/root /
The root file system can now be updated. Some things you may want to do are described below.

Changing the root Password

With / mounted read/write, you can simply use the passwd command to change root's password.

Updating the Keyboard Map

vmv6r is configured by default for a US keyboard. UK users tired of creating files called "grep" and "more" can do the following:
    loadkmap < /lib/kbd/keymaps/uk.kmap
To make this the default when vmv6r boots, uncomment the following line in /etc/sysconfig/kbd:
    KBD=uk.kmap
Note that busybox's loadkmap uses binary keymap definitions, so simply copying keymaps from your standard Linux system won't work. TODO: converting keymaps.

Users of other keyboards (French, Swiss-German, German, Luxembourg etc.) can mail me as required and appropriate keymaps will be included in the next release.

Assigning a Static IPv4 address

By default, vmv6r acquires an IPv4 address using DHCP. You may wish to assign a static IP address either because you aren't running DHCP on your network or to allow you to more effectively set up your firewall.

The easiest way to achieve a fixed IP address with DHCP on your subnet is probably to provide a fixed mac address to IP mapping for vmv6r's ethernet address in your DHCP server (TODO: changes in generated mac address in different hypervisors??)

If you want to assign an IP address to vmv6r without the use of DHCP, with / mounted read/write:

  • Edit /etc/network/interfaces in a similar fashion to how you would for a debian-based linux system. To set an IP address of 192.168.1.100, with a local gateway of 192.168.1.1 and a netmask of 255.255.255.0, change:
    iface eth0 inet dhcp
    to
    iface eth0 inet static
    address 192.168.1.100
    netmask 255.255.255.0
    gateway 192.168.1.1
  • Remove the /etc/resolv.conf symbolic link and replace it with a "real" resolv.conf. i.e., if you have a nameserver at 192.168.1.1:
    rm -f /etc/resolv.conf
    echo "nameserver 192.168.1.1" > /etc/resolv.conf

This manual process will be replaced by a configuration utility in a future release.

Warnings

vmv6r is provided as free software without any warranty of any kind and for use entirely at your own risk. It should not be used on a corporate network or anywhere it could interfere with computers performing critical functions. vmv6r uses IPv6 protocols which might conflict with similar protocols already set up by your system administrator. It tells your computers that they can reach the Internet over IPv6 via it. Depending on its set up, your computer may choose to take that path to certain Internet locations rather than its normal route, and this might not work.

Disclaimers aside, vmv6r should be perfectly safe to use on a normal home network and shouldn't permanently change the state of your computers. If it causes a problem, simply turn it off. If your computers continue to experience problems (such as delays accessing some web sites), a reboot should fix things.

Troubleshooting

This is likely to be an extensive section, but remains "TO DO". To keep the vmv6r VM small, few useful debugging tools (e.g. tcpdump) are included on the virtual disk. A future release will include a "debug disk" of tools which can be mounted to provide improved diagnostic capabilities.