26. IPv6

Kernun UTM supports IPv6 since version 3.5. An example of an IPv6-enabled configuration can be found in the sample configuration file /usr/local/kernun/conf/samples/cml/ipv6.cml. It is a dual-stack configuration with IPv4 and IPv6 enabled both in the internal and the external network. Clients from the internal network can access HTTP and SSH servers in the external network. For a transparent (HTTP or SSH) proxy, the target server IP address is taken from the destination address of the client's connection. Hence the same IP version is used by the client and the server. In the case of the non-transparent HTTP proxy, the target server name is passed by the client to the proxy in the request URI. The proxy resolves the name and establishes connection to the server. Hence an IPv4 client can access an IPv6 server and vice versa.

Figure 5.110. IPv6 interfaces

IPv6 interfaces

The configuration of network interfaces is depicted in Figure 5.110, “IPv6 interfaces”. There are three interfaces: LOOPBACK is the standard system loopback interface; INT and EXT are the internal and the external Ethernet interfaces, respectively. IPv6 support in Kernun UTM is enabled if at least one IPv6 address is assigned to any network interface in the configuration[47]. IPv6 addresses are defined by the ipv6 item. It is also possible to specify IPv6 aliases by the alias section. By default, Kernun UTM operates as an IPv6 router, but it does not send router advertisements. Router advertisements can be turned on and their parameters can be set for an interface in the ipv6-rtadv section.

Figure 5.111. IPv6 networking parameters

IPv6 networking parameters

Some global IPv6-related networking parameters are depicted in Figure 5.111, “IPv6 networking parameters”. The resolver section defines the name server address[48]. A single domain name can be resolved to an IPv4 or an IPv6 address. The preference item selects, which resolved addresses will be used. There are four possibilities: use IPv4 and ignore IPv6, use IPv6 and ignore IPv4, use both and prefer IPv4, or use both and prefer IPv6. The last choice is used in the sample configuration. The default is to prefer IPv4. The routes section defines the default IPv4 and IPv6 routes. It is also possible to add static routes to IPv4 and IPv6 networks by the static item. The ipv6-router item enables or disables forwarding of IPv6 packets. IPv6 forwarding is enabled by default, so this item can be omitted. The ipv6-rtadv section defines default values for IPv6 router advertisements. These defaults can be overriden by an interface.ipv6-rtadv section. In the example configuration, router advertisements are configured so that they provide address and default route autoconfiguration and DHCPv6 is not used.

Figure 5.112. Proxies with IPv6 support

Proxies with IPv6 support

The sample IPv6 configuration contains HTTP and TCP proxies, depicted in Figure 5.112, “Proxies with IPv6 support”. Their configurations are similar to IPv4-only proxies. The only differences are IPv6 addresses in the listen-on items and in acl INTOK.

IPv6 addresses can be used in place of IPv4 addresses in many other places in the Kernun UTM configuration. It is possible to use other proxies for IPv6 communication, as well as define IPv6 packet filter rules and IPv6 IPsec VPN connections. We do not show configurations of these components here, because they are essentially the same as the respective IPv4-only configurations. DHCPv6 server is configured in the dhcp6-server section, in a way similar to DHCPv4 server in the dhcp-server section. Fixed IPv6 addresses and AAAA DNS records can be defined by entries in the hosts-table section.

There are also some important differences and limitations of IPv6. Destination IPv6 address must not be set for a point-to-point network interface (TUN, GIF, GRE). The GRE network interface type does not support IPv6 tunnel addresses. OpenVPN cannot use IPv6 transport. The mac value of an IPv6 entry of the hosts-table is interpreted as the host's DUID.

[47] Note that in addition to explicitly assigned addresses, each interface has a link-local IPv6 address assigned automatically by the operating system.

[48] In this sample configuration, a local caching nameserver chained to the DNS proxy is used.