An article from DVD.

Hands-on
First Part: IPv6 Installation


This part will help you discover the basic functionality of IPv6. Compared to IPv4, IPv6 offers an address space four times bigger, a simpler and more efficient header format, and a better-designed protocol.

During this first part we will install three pieces of equipment representing a company network:

  • a Cisco 2800 router
  • a Linux server
  • a client that dual-boots Linux and Windows XP

We will study how to connect to an IPv6 provider (through tunnels and natively) and design an addressing plan for our company network. We will also configure some services, such as DNS and a web proxy, to look at application migration, and we will see some filtering rules to enhance security.

General Framework

The room is divided into 14 rows (numbered 1 to 14). Each row is composed of 4 benches; each bench consists of a Cisco 2800 and two PCs.

image:red_arrow.png Locate your:

  • Row number:
  • Bench number:
  • Which PC will be the server
  • Which PC will be the client

The Cisco 2800 has two Ethernet interfaces:

  • One is connected to a central router. We will call this network the interconnection network.
  • The other is connected to a switch that links both PCs and represents your company network. We will call this network the company network.


Cabling has already been done; you do not have to modify it. To avoid interference between groups, VLANs have been introduced. They are totally transparent in the company network part. On the other hand, the four benches composing a row are connected to the same VLAN, to allow direct communication when routing protocols are studied.

Starting equipments

Since no addresses are currently configured on your equipment, you have to use the serial link connecting your server PC and the Cisco router to start configuring the router.

Log on to the server PC with user ipv6, password ipv6. On the desktop you will find the tools for this hands-on:

  • Root Terminal opens an administrative console with the password ipv6
  • Ethereal is a tool to capture and visualize packets on the network. You can use it with the password ipv6
  • Firefox is the well-known web browser.

Image:Screenshot-Minicom.png

To access the console of the router, on the client PC, double-click on the Root Terminal icon. You should type the root password ipv6:

image:red_arrow.png Configure an IPv4 address on the client PC to access the router. For all benches the server PC address will be 192.168.0.2 and 192.168.0.1 for the router.

root@ubuntu:~#ifconfig eth0 192.168.0.2

The router should give you a prompt. If not, call an assistant.

To start configuring the router, you must log in to the router by typing:

root@ubuntu:~#telnet 192.168.0.1
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
 

User Access Verification

Password: plugtests
Router#

Now you are connected to the Cisco router and you can start configuring it.

IPv4 configuration

During the first phase, you will use a tunnel to interconnect your router to the central router. This emulates the case where your access provider is not able to offer you IPv6 connectivity. Different kinds of tunnel may be used. In this hands-on, we will use IPv6 over IPv4 tunneling.


The first step is to configure an IPv4 address on your Cisco's external interface, following the addressing plan rules defined for this room. The address will be 10.0.RR.B where RR represents your row number and B your bench number.


image:question.jpg
What is the IPv4 address of your router?



Router#conf term
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int FastEthernet 0
Router(config-if)#ip addr 10.0.RR.B 255.255.255.0 (RR=row , B = Bench)
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#exit
Router#write
Building configuration...
[OK]
Router#

We can test that the interface is well connected and the main router is reachable:

Router#ping 10.0.RR.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.RR.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Router#

If you don't get an answer to the ping, call an assistant.

IPv6 Tunnel Configuration

The tunnel addressing scheme is more complex to number. 2001:688:C04:EE00::/56 has been dedicated to tunnels. To allocate a /64 prefix to each tunnel, only one byte can be used for numbering all the tunnels in the room, so we adopt the following notation. The tunnel prefix will be 2001:688:C04:EETT::/64 where TT is equal, in hexadecimal, to 4*(R - 1) + B (R is your row number and B your bench number).


image:question.jpg
What is the IPv6 prefix of your tunnel?


The IID (Interface IDentifier) of the central router will be 1 and the IID of your router will be 2.


image:question.jpg
What is the IPv6 address of:
  • the central router:
  • your router:

You have to configure the tunnel on your Cisco. Locally this will be tunnel 0. You have to provide the IPv4 address of both tunnel ends and the IPv6 address on your side. Note that to activate IPv6 on the interface, you have to type the command ipv6 enable, even if an IPv6 address has been configured on this interface.

Router#conf term
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int tunnel 0
Router(config-if)#tunnel mode ipv6ip
Router(config-if)#tunnel source 10.0.RR.B (RR=row, B=bench)
Router(config-if)#tunnel dest 10.0.RR.254 (RR=row)
Router(config-if)#ipv6 enable
Router(config-if)#ipv6 address 2001:688:C04:EETT::2/64
Router(config-if)#exit
Router(config)#exit
Router#write
[OK]

image:red_arrow.png You can test whether the other end responds over IPv6 by typing:

Router#ping 2001:688:C04:EETT::1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:688:C04:EETT::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
Router#

image:red_arrow.png Try to ping the host 2001:660:7301:1::1:

Router#ping 2001:660:7301:1::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:660:7301:1::1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#


image:question.jpg
From your Cisco router, can you reach other IPv6 addresses?

You have to set up a default route to reach other equipment.

Router#conf term
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ipv6 route ::/0 2001:688:C04:EETT::1
Router(config)#exit
Router#write
Building configuration...
[OK]

Internal network configuration

IPv6 uses aggregatable global unicast addresses, following the hierarchical addressing model of IPv4 CIDR. The ETSI network received the prefix 2001:688:C04::/48 from France Télécom. For this hands-on, the prefix 2001:688:C04:E000::/52 has been allocated. We will use the following addressing conventions:

  • The network interconnecting your PCs, representing the company network, will be numbered 2001:688:C04:ERRB::/64 where RR represents your row number in decimal and B your bench number.


image:question.jpg
What is your company network prefix?
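The room's addressing plan (tunnel prefix EETT from the previous section, company prefix ERRB above, and the native interconnection address EFRR::B used in the last section) can be derived and checked programmatically. The following is an added example, not part of the original hands-on: the prefixes 2001:688:C04:E000::/52, 2001:688:C04:EE00::/56 and the three notations come from the text, while the function names and the consistency check are assumptions of this example.

```python
"""Derivation of the per-bench IPv6 addressing plan used in this room.

Added example, not part of the original hands-on. The prefixes and the
ERRB / EETT / EFRR notations come from the text; the function names and
the consistency check are mine.
"""
import ipaddress

ROOM = ipaddress.IPv6Network("2001:688:C04:E000::/52")        # allocated to the hands-on
TUNNEL_POOL = ipaddress.IPv6Network("2001:688:C04:EE00::/56")  # dedicated to tunnels
ROWS, BENCHES = 14, 4                                          # room layout


def check_bench(row: int, bench: int) -> None:
    if not (1 <= row <= ROWS and 1 <= bench <= BENCHES):
        raise ValueError(f"no bench {bench} in row {row}")


def tunnel_index(row: int, bench: int) -> int:
    """TT = 4*(R-1)+B: a single byte numbers every tunnel in the room."""
    check_bench(row, bench)
    return 4 * (row - 1) + bench


def tunnel_prefix(row: int, bench: int) -> ipaddress.IPv6Network:
    """2001:688:C04:EETT::/64 with TT written in hexadecimal."""
    return ipaddress.IPv6Network(f"2001:688:C04:EE{tunnel_index(row, bench):02X}::/64")


def tunnel_ends(row: int, bench: int) -> dict:
    """IID 1 is the central router, IID 2 the bench router."""
    net = tunnel_prefix(row, bench)
    return {"central": net[1], "local": net[2]}


def company_prefix(row: int, bench: int) -> ipaddress.IPv6Network:
    """2001:688:C04:ERRB::/64: RR is the row in DECIMAL digits, B the bench."""
    check_bench(row, bench)
    return ipaddress.IPv6Network(f"2001:688:C04:E{row:02d}{bench}::/64")


def native_interconnect(row: int, bench: int) -> ipaddress.IPv6Interface:
    """2001:688:C04:EFRR::B/64, used once the tunnel is replaced by native routing.
    The /64 is per row (the four benches of a row share a VLAN); B picks the host."""
    check_bench(row, bench)
    return ipaddress.IPv6Interface(f"2001:688:C04:EF{row:02d}::{bench}/64")


def plan_is_consistent() -> bool:
    """Every /64 lies inside the room's /52, tunnels inside their /56, the
    tunnel and company /64s are unique per bench, and the per-row native
    /64s never collide with them."""
    per_bench, per_row = set(), set()
    for row in range(1, ROWS + 1):
        per_row.add(native_interconnect(row, 1).network)
        for bench in range(1, BENCHES + 1):
            t, c = tunnel_prefix(row, bench), company_prefix(row, bench)
            if not (t.subnet_of(TUNNEL_POOL) and t.subnet_of(ROOM) and c.subnet_of(ROOM)):
                return False
            per_bench.update({t, c})
    return (len(per_bench) == 2 * ROWS * BENCHES
            and all(n.subnet_of(ROOM) for n in per_row)
            and per_row.isdisjoint(per_bench))


if __name__ == "__main__":
    for row, bench in ((1, 1), (14, 4)):
        print(row, bench, tunnel_prefix(row, bench), tunnel_ends(row, bench)["local"],
              company_prefix(row, bench), native_interconnect(row, bench))
    print("plan consistent:", plan_is_consistent())
```

Running the check over all 56 benches confirms that the decimal ERRB prefixes, the hexadecimal EETT prefixes and the EFRR row prefixes never overlap inside the /52, which is the property an operator wants before handing out prefixes.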


The first step is simply to enable IPv6 on the router's internal interface, to see what is configured by default.

image:red_arrow.png Type the following commands:

Router#conf term
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int vlan1
Router(config-if)#ipv6 enable
Router(config-if)#no shutdown
Router(config-if)#^Z         (CONTROL-Z)
Router#write
*Mar 1 02:51:53.428: %SYS-5-CONFIG_I: Configured from console by consolerite
Building configuration...
[OK]

image:red_arrow.png You can see IPv6 interface configuration by typing:

Router#sh ipv6 interface brief 
FastEthernet0              [up/up]
FastEthernet0.1            [deleted/down]
BRI0                       [administratively down/down]
BRI0:1                     [administratively down/down]
BRI0:2                     [administratively down/down]
FastEthernet1              [up/down]
FastEthernet2              [up/down]
FastEthernet3              [up/down]
FastEthernet4              [up/down]
FastEthernet5              [up/up]
FastEthernet6              [down/down]
FastEthernet7              [up/down]
FastEthernet8              [up/down]
Vlan1                      [up/up]
    FE80::214:F2FF:FE6C:E39A
Tunnel0                    [up/up]
    FE80::A00:F01
    2001:688:C04:EE39::2

The ipv6 enable command you just typed has configured a link-local IPv6 address (FE80::/10) on the internal interface.

image:red_arrow.png You will now configure an IPv6 global address on that interface.

Router#conf term
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int vlan1
Router(config-if)#ipv6 addr 2001:688:C04:ERRB::/64 eui-64
Router(config-if)#exit
Router(config)#ipv6 unicast-routing
Router(config)#exit
Router#write
*Mar 1 02:51:53.428: %SYS-5-CONFIG_I: Configured from console by consolerite
Building configuration...
[OK]

image:red_arrow.png You can have a look at interface configuration:

Router#sh ipv6 int vlan1
Vlan1 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::2E0:1EFF:FE9F:2886
Global unicast address(es):
2001:688:C04:ERRB:2E0:1EFF:FE9F:2886, subnet is 2001:688:C04:ERRB::/64
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF9F:2886
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses.
Router#

Note that the Interface ID is the same for the link-local address and the global address.

The ipv6 unicast-routing command activates IPv6 forwarding inside the router.
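The shared Interface ID comes from the modified EUI-64 construction used by `ipv6 address ... eui-64` on the router and by stateless autoconfiguration on the server. The following added example (not part of the original hands-on) builds the IID from a MAC address, derives the link-local and global addresses and the solicited-node multicast group seen in the `sh ipv6 int vlan1` output, and reverses the construction; the MAC 00:0A:5E:3F:35:20 is the server's from the ifconfig output later on this page, the router's is read back from its link-local address above, and the function names are assumptions.

```python
"""Modified EUI-64 interface identifiers and the addresses derived from them.

Added example, not part of the original hands-on. MAC addresses are taken from
the outputs shown on this page; function names are mine.
"""
import ipaddress
from typing import Optional


def eui64_iid(mac: str) -> bytes:
    """48-bit MAC -> 64-bit IID: insert FF:FE in the middle and flip the
    universal/local bit (bit 1 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """/64 prefix + EUI-64 IID. The IID is identical for fe80::/64 and for the
    global /64, which is why both router addresses end in the same 64 bits."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_iid(mac))


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FFXX:XXXX: the group a node joins for each of its addresses,
    used by duplicate address detection and neighbour solicitation."""
    low24 = ipaddress.IPv6Address(addr).packed[13:]
    return ipaddress.IPv6Address(bytes.fromhex("ff02" + "00" * 9 + "01ff") + low24)


def mac_from_eui64(addr: str) -> Optional[str]:
    """Inverse: if the IID carries the FF:FE marker, recover the MAC address.
    This is how an operator reading logs tells hardware-derived
    (autoconfigured) addresses from static ones."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    server_mac = "00:0A:5E:3F:35:20"                      # from the server's ifconfig
    ll = eui64_address("fe80::/64", server_mac)
    glob = eui64_address("2001:688:C04:E011::/64", server_mac)  # row 1, bench 1 (constructed)
    print(ll, glob, solicited_node(str(glob)))
    print(mac_from_eui64("fe80::2e0:1eff:fe9f:2886"))    # the router's link-local
```

Because the IID is stable and reveals the adapter's MAC (and so its vendor), the server section below replaces it with a static address; the `mac_from_eui64` helper shows how little is hidden by an autoconfigured address.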


image:question.jpg
List the multicast groups the router has subscribed to.



image:question.jpg
Which kind of equipment subscribes to the FF02::1 group?


image:question.jpg
Which kind of equipment subscribes to the FF02::2 group?

Server configuration

Your Cisco router is now operational and gives you access to the IPv6 Internet. We are going:

  • to study the auto-configuration process,
  • to see how stateless addresses are obtained,
  • then to manually assign an IPv6 address (easier to remember) to the server.

image:red_arrow.png Verify the interface status of your server:


root@ubuntu:~# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:0A:5E:3F:35:20  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:809 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0 KiB)  TX bytes:0 (0 KiB)
          Interrupt:177 Base address:0x6f00 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:57 errors:0 dropped:0 overruns:0 frame:0
          TX packets:57 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:4328 (4.2 KiB)  TX bytes:4328 (4.2 KiB)

sit0      Link encap:IPv6-in-IPv4  
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
root@ubuntu:~#


image:question.jpg
Which interfaces already have an IPv6 address?


We will study the packets exchanged on the network during the IPv6 bootstrap.

image:red_arrow.png Start Ethereal by double-clicking on the icon on the desktop. Use the administrative password ipv6.

image:red_arrow.png By clicking on the first icon on the left of the menu bar, start the capture on the interface any.

image:Screenshot-Ether.png

Now you can activate your server's network interface eth0:

image:red_arrow.png Type the following commands:

root@ubuntu:~# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0A:5E:3F:35:20  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:809 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0 KiB)  TX bytes:0 (0 KiB)
          Interrupt:177 Base address:0x6f00 
root@ubuntu:~# ifconfig eth0 up
root@ubuntu:~# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0A:5E:3F:35:20  
          inet6 addr: fe80::20a:5eff:fe3f:3520/64 Scope:Link
          inet6 addr: 2001:688:C04:ERRB:20a:5eff:fe3f:3520/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:820 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2474 (2.4 KiB)  TX bytes:15826 (15.4 KiB)
          Interrupt:177 Base address:0x6f00
root@ubuntu:~#

The eth0 interface now has two IPv6 addresses: one with Scope:Link, the other with Scope:Global. If one of these addresses is missing, call an assistant.


image:question.jpg
What kind of addresses are those beginning with FE80?


image:question.jpg
What kind of packets have been captured?

image:red_arrow.png Look at the IPv6 routing table by typing:

root@ubuntu:~# route -A inet6

DNS Parameters


image:question.jpg
Which parameters have been configured through neighbor discovery?


DNS parameters should be configured either automatically with DHCPv6 or by manual static configuration. In this hands-on, we configure them statically.

image:red_arrow.png You can configure the DNS server with this command:

root@ubuntu:~# echo "nameserver 2001:660:7301:1::1" > /etc/resolv.conf

image:red_arrow.png Now you can test connectivity by pinging a very well-known server in Japan:

root@ubuntu:~# ping6 www.kame.net
PING6(56=40+8+8 bytes) 2001:688:C04:ERRB:20a:5eff:fe3f:34cc --> 2001:200:0:8002:203:47ff:fea5:3085
16 bytes from 2001:200:0:8002:203:47ff:fea5:3085, icmp_seq=0 hlim=43 time=309.051 
16 bytes from 2001:200:0:8002:203:47ff:fea5:3085, icmp_seq=1 hlim=43 time=307.121 
16 bytes from 2001:200:0:8002:203:47ff:fea5:3085, icmp_seq=2 hlim=43 time=308.681 
^C
--- www.kame.net ping6 statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 307.121/308.284/309.051/0.836 ms
root@ubuntu:~#

Static Address

It is more convenient for servers to avoid an Interface ID derived from the MAC address and to add a static address instead.

image:red_arrow.png To add a new address, type:

root@ubuntu:~# ifconfig eth0 add 2001:688:C04:ERRB::1/64
root@ubuntu:~# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0A:5E:3F:35:20  
          inet6 addr: fe80::20a:5eff:fe3f:3520/64 Scope:Link
          inet6 addr: 2001:688:C04:ERRB:20a:5eff:fe3f:3520/64 Scope:Global
          inet6 addr: 2001:688:C04:ERRB::1/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:820 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2474 (2.4 KiB)  TX bytes:15826 (15.4 KiB)
          Interrupt:177 Base address:0x6f00
root@ubuntu:~# 

Congratulations! Your server is connected to the IPv6 Internet.

Running the web and SSH server

On your server, you will offer some IPv6 services, such as a web server and a remote shell service named SSH.

image:red_arrow.png First verify which services are running over IPv6 on your server:

root@ubuntu:~# netstat -taun | grep tcp6
root@ubuntu:~#

No services are running over IPv6 yet. As a web server, you will use Apache, which is IPv6-compatible and available on Linux.

image:red_arrow.png Start the Apache web server:

root@ubuntu:~# /etc/init.d/apache2 start

image:red_arrow.png Now verify that the web service is available over IPv6:

root@ubuntu:~# netstat -taun | grep tcp6
tcp6       0      0 :::80                   :::*                    LISTEN
root@ubuntu:~#

image:red_arrow.png Start the remote shell service SSH:

root@ubuntu:~# /etc/init.d/ssh start

image:red_arrow.png Now verify that the SSH service is available over IPv6:

root@ubuntu:~# netstat -taun | grep tcp6
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
root@ubuntu:~#

It is now time to configure your client to test the services.

Client configuration

To start configuring the client PC, you have to log in as user ipv6, password ipv6.

Open a Root Terminal.


image:red_arrow.png You can verify the IPv6 address of the client PC by typing:

root@ubuntu:~# ifconfig eth0


image:question.jpg
What is the global address of the client PC?


image:red_arrow.png You can verify the state of the routing table by typing:

root@ubuntu:~# route -A inet6


image:question.jpg
What is the default router address?


image:red_arrow.png You can manually activate name resolution by typing:

root@ubuntu:~# echo "nameserver 2001:660:7301:1::1" > /etc/resolv.conf

image:red_arrow.png You can verify that name resolution works by typing:

root@ubuntu:~# ping6 www.kame.net
PING6(56=40+8+8 bytes) 2001:688:C04:ERRB:20a:5eff:fe3f:3823 --> 2001:200:0:8002:203:47ff:fea5:3085
16 bytes from 2001:200:0:8002:203:47ff:fea5:3085, icmp_seq=0 hlim=43 time=309.051 
16 bytes from 2001:200:0:8002:203:47ff:fea5:3085, icmp_seq=1 hlim=43 time=307.121 
^C
--- www.kame.net ping6 statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 307.121/308.284/309.051/0.836 ms
root]#

At this point, all the equipment is fully IPv6-capable.

image:red_arrow.png You can try a traceroute to different addresses to see the route taken by packets:

root@ubuntu:~# traceroute6 www.sixxs.net
traceroute6 to noc.sixxs.net (2001:838:1:1:210:dcff:fe20:7c7c) from
2001:688:C04:ERRB:211:24ff:fe92:106d, 30 hops max, 12 byte packets
 1  2001:660:7301:3103::1  2.049 ms  1.276 ms  1.002 ms
 2  2001:660:7301:ffff::1938  3.874 ms  4.782 ms  4.845 ms
 3  rennes-g3-0-10.cssi.renater.fr  4.433 ms  6.097 ms  4.572 ms
 4  caen-pos1-0.cssi.renater.fr  7.097 ms  6.969 ms  6.923 ms
 5  rouen-pos1-0.cssi.renater.fr  10.848 ms  10.003 ms  41.631 ms
 6  nri-a-pos6-0.cssi.renater.fr  212.261 ms  28.269 ms  17.771 ms
 7  2001:660:3000:101::43:21  12.653 ms  12.727 ms  32.992 ms
 8  po5-0.pascr2.pop.opentransit.net  13.776 ms  13.118 ms  13.98 ms
 9  po10-0.loncr3.pop.opentransit.net  22.253 ms  22.435 ms  22.252 ms
10  so6-0-0.loncr1.pop.opentransit.net  22.552 ms  27.784 ms  22.604 ms
11  so-0-0-3.lon11.ip6.tiscali.net  23.662 ms  22.461 ms  22.456 ms
12  realroot-gw.ip6.tiscali.net  23.086 ms  57.944 ms  24.813 ms
13  ge0-0-44.br0.nlams1.realroute.net  31.562 ms  33.623 ms  31.325 ms
14  ams-ix.ipv6.concepts.nl  52.795 ms  33.69 ms  58.469 ms
15  se1.breda.ipv6.concepts-ict.net  48.328 ms  35.16 ms  34.185 ms
16  noc.sixxs.net  61.634 ms  34.332 ms  34.587 ms
root]#

image:question.jpg
Does traceroute6 give you the addresses of all routers, both IPv6 and IPv4, when tunnels are used?

Using IPv6 (web, proxy, ssh)


We are going to use IPv6 services and see how we can reach web services located on IPv4-only servers.

image:red_arrow.png Open the Firefox web browser by double-clicking on the icon.

image:red_arrow.png In the address box, type the following URL:

http://[2001:688:C04:ERRB::1]:80

image:red_arrow.png and then press Return.

Note that the square brackets are essential: they avoid ambiguity between the colons of the IPv6 address and the port number contained in the URL.

image:red_arrow.png You can also access web servers such as:

  • www.kame.net
  • www.point6.net
  • www.renater.fr
  • www.google.com


image:question.jpg
Why does it not work with google.com?

One possible solution is to use a proxy to access IPv4 web servers. The proxy is a dual-stack machine connected to both the IPv4 and the IPv6 network. We will use a well-known proxy available on the Internet: ipv6gate.sixxs.net. By adding sixxs.org at the end of the server name, you tell your browser to contact the proxy over IPv6, and the proxy contacts the server over IPv4.

image:red_arrow.png You can try to reach IPv4-only web sites by typing:

  • www.google.com.sixxs.org
  • www.lemonde.fr.sixxs.org

image:red_arrow.png Look at the addresses of these web sites by typing:

root@ubuntu:~# ping6 www.google.com.sixxs.org
root@ubuntu:~# ping6 www.lemonde.fr.sixxs.org


image:question.jpg
What is the IPv6 address of these web sites?

image:red_arrow.png Go to the www.point6.net.sixxs.org web page.


image:question.jpg
What is the IP address shown on the page, which is the source address of the request received by the web site's server?

The client sends its requests over IPv6, the proxy forwards them over IPv4 and receives the answers over IPv4. The proxy then converts these answers to IPv6 and sends the results to your client. For any web site, the IPv6 address you use is the IPv6 address of the proxy, and the client address seen by the web site is the IPv4 address of the proxy.

Now we can test the remote shell service SSH over IPv6.

image:red_arrow.png In a terminal, you can type:

root@ubuntu:~# ssh ipv6@2001:688:C04:ERRB::1
Password: ipv6


You are now connected to your server PC. You may notice that you can log on to any other server PC in the room using its IPv6 address! We will now set up some access restrictions to enhance the security of your network.

Setting up security

As you saw, the large IPv6 address space allows every host of your company network to have a global IPv6 address, whereas IPv4 requires deploying private IPv4 addresses. IPv6 allows the hosts of your company network to be accessed directly. But this stresses the need for good security policies to protect your hosts.

In the network you set up during this hands-on, any host can be accessed directly using web or SSH. We will now apply a security policy to this network that is equivalent to a network deploying private IPv4 addresses:

  • Hosts can connect to other public servers.
  • Public servers can connect to hosts only if the connection has been solicited by the host.

This is called a stateful firewall. We will set up a stateful firewall for the SSH service, to stop any connection to your server from the other benches in the room. We will also set up a stateless firewall rule to allow web access only to your server.

image:red_arrow.png On the router console, type:

Router#configure terminal
Router(config)# ipv6 access-list secu-in
Router(config-ipv6-acl)# evaluate cqwww
Router(config-ipv6-acl)# evaluate cqssh
Router(config-ipv6-acl)# permit tcp any any eq 22 reflect secu-ssh
Router(config-ipv6-acl)# permit tcp any 2001:688:C04:ERRB::1/64 eq www reflect secu-www
Router(config-ipv6-acl)# permit icmp any any
Router(config-ipv6-acl)# permit udp any any
Router(config-ipv6-acl)# exit
Router(config)# ipv6 access-list secu-out
Router(config-ipv6-acl)# evaluate secu-ssh
Router(config-ipv6-acl)# evaluate secu-www
Router(config-ipv6-acl)# permit tcp any any eq www reflect cqwww
Router(config-ipv6-acl)# permit tcp any any eq 22 reflect cqssh
Router(config-ipv6-acl)# permit icmp any any
Router(config-ipv6-acl)# permit udp any any
Router(config-ipv6-acl)# exit
Router(config)# interface tunnel 0
Router(config-if)# ipv6 traffic-filter secu-in in
Router(config-if)# ipv6 traffic-filter secu-out out
Router(config-if)# exit
Router(config)# exit
Router# write
Router#


You created two access-lists. The secu-in access-list applies to all packets coming from the Internet into the tunnel interface of the router. The secu-out access-list applies to all packets going from your company network to the Internet.

In the secu-in access-list, you set up:

  • a reflexive access-list for TCP traffic on port 22 (SSH);
  • a stateless access-list entry for TCP traffic on port www, allowed only with your server PC as destination.

In the secu-out access-list, you set up:

  • an evaluate entry linked to the reflexive access-list you set up in secu-in.

The two access-list keywords reflect and evaluate implement the stateful firewall. Packets coming from the Internet on TCP port 22 are allowed by secu-in only if the connection has been initiated from inside your company network and has therefore been recorded by the reflect entry of the secu-out access-list.
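The reflect/evaluate mechanism described above, simulated over a constructed packet trace, as an added example that is not part of the original hands-on: the Packet type, the addresses 2001:688:c04:e011::1 (server of row 1, bench 1), 2001:688:c04:e011::42 (another host of that bench) and 2001:db8::99 (an Internet host, documentation prefix), and the function names are all assumptions. The model applies the policy the text describes: inbound TCP 22 is admitted only through an evaluate entry created by an outbound connection, and inbound TCP 80 only towards the server. One caveat a practitioner should keep in mind: the line `permit tcp any any eq 22 reflect secu-ssh` in secu-in is deliberately not modelled, because on IOS the reflect keyword permits the matching packet and then records it, so that entry on its own would admit an inbound SSH connection; the `evaluate cqssh` entry alone gives the behaviour checked in the verification step that follows.

```python
"""Simulation of the stateful (reflect/evaluate) policy on the tunnel interface.

Added example, not part of the original hands-on. Addresses, the Packet type
and the sample trace are constructed; the rules follow the policy the text
describes, not the exact IOS line-by-line matching.
"""
import ipaddress
from dataclasses import dataclass

SERVER = ipaddress.IPv6Address("2001:688:c04:e011::1")      # row 1 bench 1 server (constructed)
OTHER_HOST = ipaddress.IPv6Address("2001:688:c04:e011::42")  # another host of the bench (constructed)
OUTSIDE = ipaddress.IPv6Address("2001:db8::99")              # an Internet host (constructed)


@dataclass(frozen=True)
class Packet:
    proto: str                     # "tcp", "udp" or "icmp"
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    sport: int = 0
    dport: int = 0


class ReflexiveFirewall:
    """secu-in / secu-out plus the temporary entries they share."""

    def __init__(self, web_server: ipaddress.IPv6Address):
        self.web_server = web_server
        # reflected entries, keyed by the 5-tuple the RETURN packet must carry
        self.reflected = set()

    def _reflect(self, pkt: Packet) -> None:
        self.reflected.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def _evaluate(self, pkt: Packet) -> bool:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.reflected

    def secu_out(self, pkt: Packet) -> bool:
        """Company network -> Internet (ipv6 traffic-filter secu-out out)."""
        if self._evaluate(pkt):                            # evaluate secu-www
            return True
        if pkt.proto == "tcp" and pkt.dport in (80, 22):   # permit ... reflect cqwww / cqssh
            self._reflect(pkt)
            return True
        return pkt.proto in ("icmp", "udp")                # permit icmp/udp any any; implicit deny

    def secu_in(self, pkt: Packet) -> bool:
        """Internet -> company network (ipv6 traffic-filter secu-in in)."""
        if self._evaluate(pkt):                            # evaluate cqwww / cqssh
            return True
        if pkt.proto == "tcp" and pkt.dport == 80 and pkt.dst == self.web_server:
            self._reflect(pkt)                             # permit tcp any <server> eq www reflect
            return True
        return pkt.proto in ("icmp", "udp")                # unsolicited tcp 22: implicit deny


def run_trace(fw: ReflexiveFirewall, trace) -> list:
    """Apply each (direction, packet) in order and return the verdicts."""
    return [fw.secu_in(p) if d == "in" else fw.secu_out(p) for d, p in trace]


def demo_verdicts() -> list:
    fw = ReflexiveFirewall(SERVER)
    trace = [
        ("in",  Packet("tcp", OUTSIDE, SERVER, 40000, 22)),      # unsolicited SSH: dropped
        ("out", Packet("tcp", OTHER_HOST, OUTSIDE, 50000, 22)),  # host opens SSH out: reflected
        ("in",  Packet("tcp", OUTSIDE, OTHER_HOST, 22, 50000)),  # reply matches the entry
        ("in",  Packet("tcp", OUTSIDE, SERVER, 40001, 80)),      # web to the server: allowed
        ("out", Packet("tcp", SERVER, OUTSIDE, 80, 40001)),      # its reply via evaluate secu-www
        ("in",  Packet("tcp", OUTSIDE, OTHER_HOST, 40002, 80)),  # web to another host: dropped
        ("in",  Packet("icmp", OUTSIDE, OTHER_HOST)),            # icmp any any: allowed
    ]
    return run_trace(fw, trace)


if __name__ == "__main__":
    print(demo_verdicts())   # [False, True, True, True, True, False, True]
```

The trace reproduces the two checks the text asks for: an SSH connection from outside is discarded, while an SSH session opened from inside gets its return packets through, and web traffic reaches only the server.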

image:red_arrow.png Verify that web traffic is not disturbed by the access-lists. Go to:

  • Your server: http://[2001:688:C04:ERRB::1]:80/
  • The server of a bench next to you: http://[2001:688:C04:ERRB'::1]:80/
  • A server on the Internet: http://www.point6.net

image:red_arrow.png Verify that SSH traffic from the Internet is discarded by your router:

  • Ask the bench next to you to access your server with SSH.
  • Try to access the server of the bench next to you with SSH.

Windows XP client

We will now experience the support of a host running Windows XP in an IPv6-only network. Your client is a dual-boot machine with both Linux and Windows XP installed.

image:red_arrow.png Boot the client PC and choose the "Windows XP" system.

image:red_arrow.png Log on to Windows with user ipv6, password ipv6.

image:red_arrow.png Open a terminal:

  • In the "Start" Menu, choose "Execute..."
  • type cmd.exe

image:red_arrow.png Verify the IP configuration of the host with the command:

> ipconfig


image:question.jpg
How many IPv6 addresses are configured on the host?

Windows XP requires IPv6 support to be enabled explicitly. This has to be done once on each Windows XP host. You may look at the packets exchanged on the network during the IPv6 setup using Ethereal on the server PC.

image:red_arrow.png To enable IPv6 on your client, type the command:

> ipv6 install

image:red_arrow.png Verify the IP configuration of the host with the command:

> ipconfig


image:question.jpg
How many IPv6 addresses are configured for the interface "Local Network"?

Your Windows client is now part of your company's IPv6 network. You can test connectivity by accessing your web server:

image:red_arrow.png Open the Firefox 2.0 web browser and go to the address:

http://[2001:688:C04:ERRB::1]:80

image:red_arrow.png Try to access the web page http://www.kame.net.

This reminds you that we did not set up a DNS server on the host. Actually, Windows XP lacks support for DNS queries over IPv6. The dns-reflector tool acts as a proxy that forwards IPv4 DNS queries to an IPv6 DNS server.

image:red_arrow.png Open a new command-line window, drag and drop the dns-reflector icon onto the window, and add the IPv6 address of the DNS server as argument:

> dns-reflector.exe 2001:660:7301:1::1

dns-reflector will forward all queries received on the loopback interface to 2001:660:7301:1::1. You should now configure this proxy as your DNS server.


image:red_arrow.png Open "Start" menu, "Parameters", "Network"

image:red_arrow.png Open Properties for "Local Network", and Properties for TCP/IP

image:red_arrow.png In the "Preferred DNS" field, type the IPv4 loopback address 127.0.0.1.

image:red_arrow.png You can now try the web page http://www.kame.net or any web page through the sixxs.org proxy.

Removing the tunnels in favour of native routing


  • remove the default route
Router#conf term
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#no ipv6 route ::/0


  • remove the tunnel
Router#conf term
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#no int tunnel 0
Router(config)#exit
Router#write
Building configuration...
[OK]


  • configure an IPv6 address with the native interconnection address 2001:688:C04:EFRR::B/64
Router#conf term
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int FastEthernet 0
Router(config-if)#ipv6 addr 2001:688:C04:EFRR::B/64 (RR=row, B=bench)
Router(config-if)#ipv6 enable
Router(config-if)#exit
Router(config)#exit
Router#write