Hau’oli Makahiki Hou! (Happy New Year)
With IPv6 utilization between 40-45%, it may be time to consider moving from dual-stack to IPv6-only. At least, set up a test network to better understand what IPv6-only looks like, and how it can make your life easier as a network/system administrator.
By running IPv6-only you gain some quick benefits:
- Only one set of ACLs (or Firewall rules): already half the work
- Easier to troubleshoot the network: No following IP addresses as they change from NAT point to the next
- No guessing if Happy Eyeballs is covering up network issues: it won’t (hint: no happy eyeballs help in IPv6-only)
Of course, IPv6-only means you will start dreaming in Hexadecimal, and you may want to start small, like a test network first.
Running NAT64/DNS64
Running IPv6-only means you will want to run NAT64 and DNS64 servers. I have written in the past on how to setup OpenWrt for DNS64/NAT64. There is still a lot of IPv4 out there on the internet. In order for your IPv6-only network, you will need to translate to IPv4 when IPv6-only devices are talking to IPv4-only devices on the internet. For that NAT64 is the industry solution.
But you don’t need a big expensive router to gain IPv6-only (and NAT64) knowledge. Using an inexpensive consumer router, and running OpenWrt on it, you can then use jool to provide the NAT64 functionality. I have written in the past on configuring jool for NAT64.
IPv6-only network with NAT64/DNS64 to connect to the IPv4-only world
NAT64/DNS64 is one of those services, that as time goes on, it is used less and less. As more web sites are IPv6-enabled, the need for NAT64 translation is reduced.
PREF64 (RFC 8781)
While it is possible to use the Well Known Address (WKA) of 64:ff9b::/96 for small SOHO networks, you may choose to use an address within your IPv6 address allocation block. Why? Because you really only need one NAT64 server in your network (unless you have a huge multi-site network), and you can route packets across your network to the location of the NAT64 server.
If you choose an address in your allocation, you will want to inform the hosts the location of your NAT64 service. This can be done with the recently standardized PREF64 addition to Router Advertisements (RAs). RFC 8781 specifies how this is done.
Another reason to use PREF64 is if you plan on using a Public NAT64+DNS64 service [nat64.net]
Configuring PREF64 in OpenWrt
However, OpenWrt in the most recently release v23.05.0, supports PREF64. The web GUI, LUCI, can make this easy. In my example, I am using the WKA, because my IPv6-only sub-network is only a single network (for now).
To use the web GUI, login, then go to Network->Interfaces->Edit LAN->DHCP Server tab->IPv6 RA Settings tab
Put in the address of your NAT64 server in the NAT64 Server blank. Hit save then save and apply and your done!
Or you can edit /etc/config/dhcp on the router and add the following:
config dhcp 'lan'
option interface 'lan'
...
option ra_pref64 '64:ff9b::/96'
And restart networking:
/etc/init.d/networking restart
Checking that PREF64 is in the RA
It is always good to check your work. RAs are easily sniffed using a tool such as wireshark, or tcpdump.
The RA now includes a PREF64 option (viewed with tshark):
Ethernet II, Src: Ubiquiti_4c:fd:60 (74:83:c2:4c:fd:60), Dst: IntelCor_57:e1:35 (a0:59:50:57:e1:35)
Internet Protocol Version 6, Src: fe80::7683:c2ff:fe4c:fd60, Dst: fe80::2808:e3e7:7a65:22e2
Internet Control Message Protocol v6
Type: Router Advertisement (134)
...
ICMPv6 Option (PREF64 Option)
Type: PREF64 Option (38)
Length: 2 (16 bytes)
0000 0111 0000 1... = Scaled Lifetime: 225
.... .... .... .000 = PLC (Prefix Length Code): 96 bits prefix length (0x0)
Prefix: 64:ff9b::
...
OS interaction with PREF64
Given that PREF64 is a recent addition to the RA, the major OS’s are implementing support.
| OS | Support |
|---|---|
| Mac OS | Supported |
| Andorid | Supported |
| iOS | Supported |
| Windows 10 | Only with WWAN |
| Windows 11 | Unknown |
| Linux/systemd | As of v255 |
| OpenWrt | As of v23.05 |
As I wrote in 2022, OpenWrt also supports sending DHCPv4 Option 108
Getting to IPv6-only
Dual-stack to IPv6-only transition isn’t a black or white activity. With help, such as DHCPv4 Option 108 (IPv6-only preferred, RFC 8925) and PREF64 (RFC 8781) can ease a dual-stack network into a mostly-IPv6-only network. The goal is to get to a future-proof single stack network. These tools will help you get there.