EarthLink IPv6 Frequently Asked Questions

  1. Will I lose any functionality if I install your firmware?
  2. Do I have to be an EarthLink customer to use this service?
  3. How does this all work?
  4. What does that mean, "a /64 IPv6 network prefix"?
  5. A /64 seems like overkill. Why would you give out such big network blocks?
  6. Stateless Auto-WHAT?
  7. Will I have to reconfigure all my machines in order for this to work?
  8. I'm still running Windows 98 or Windows ME. Will it work for me?
  9. What about Windows 2000?
  10. I have a Linksys model XYZ, not a WRT54G. Will your firmware work on my box?
  11. I'm willing to give it a try. Where do I get your firmware?
  12. Something went wrong. Now what do I do?
  13. What are the security ramifications of all this?
  14. How can I customize the firewall rules?
  15. Why did you write your own command line utility instead of just using telnet?
  16. I installed your firmware. How can I tell if it's working correctly?
  17. On my Mac, I don't seem to be able to surf to any IPv6 websites
  18. Why do I even need to use a WRT54G for this? It seems to me I could accomplish the same thing using my Linux or FreeBSD box.
  19. I'm having troubles on WinXP. I'm able to surf the web, but inbound TCP connections and inbound UDP don't work.
  1. Will I lose any functionality if I install your firmware?

    No. Your WRT54G should still do everything it did before. The IPv4 / NAT functionality runs side-by-side with the IPv6 functionality, and the two do not interfere with each other.

  2. Do I have to be an EarthLink customer to use this service?

    No. This pilot service is available to anyone.

  3. How does this all work?

    We have developed a customized firmware revision for the Linksys WRT54G which turns it into an IPv6 router. Upon bootup, the WRT54G makes an IPSEC tunnel to a router in our lab testbed. Once the IPSEC tunnel is established, DHCPv6 is used to delegate a /64 IPv6 network prefix from the router in our lab to your WRT54G. The WRT54G then advertises that network on your LAN (both wired and wireless). Any IPv6-capable machines on your LAN will autoconfigure themselves with an IPv6 address and use the WRT54G as their default router.

  4. What does that mean, "a /64 IPv6 network prefix"?

    An IPv6 address contains 128 bits. A "network prefix" is the first N bits of an IPv6 address. If we refer to a "/64" network, we mean a network in which the first 64 bits of the IPv6 address identify the network, while the last 64 bits define individual nodes on that network. A /64 network may contain up to 18,446,744,073,709,551,616 individual nodes. In contrast, the entire address space for IPv4 only supports a theoretical maximum of 4,294,967,296 individual nodes.

  5. That seems like overkill. Why would you give out such big network blocks?

    Because "that's just the way it's done". A lot of the functionality of IPv6 depends on the network block being a /64 (or larger) prefix. If you have a network block smaller than a /64, certain things (like Stateless Autoconfiguration) will no longer work.

  6. Stateless Auto-WHAT?

    Stateless Autoconfiguration is the process by which all nodes on an IPv6 network automatically configure themselves to have an IPv6 address. The nodes generate a random IPv6 address based on the network prefix and their own MAC address. They then check to make sure no other node has already claimed that address. If no other node has claimed that address, the node automatically configures its interface to have that address.
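
One way a host can combine a delegated /64 prefix with its MAC address is the modified EUI-64 method; the page does not name the method, so that choice is an assumption. This Python sketch is an added example, not EarthLink's code, and the prefix and MAC address are constructed sample values.

```python
import ipaddress

def addresses_in(prefix):
    """Number of addresses covered by a prefix (2**64 for a /64)."""
    return ipaddress.IPv6Network(prefix).num_addresses

def eui64_interface_id(mac):
    """Modified EUI-64: insert ff:fe mid-MAC and flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def slaac_address(prefix, mac):
    """Join the 64-bit network prefix with the 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        # The interface identifier fills the low 64 bits, so the prefix must be a /64.
        raise ValueError("this example handles only a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

if __name__ == "__main__":
    # Constructed values: documentation prefix and a made-up MAC address.
    print(addresses_in("2001:db8:1:2::/64"))
    print(slaac_address("2001:db8:1:2::/64", "00:11:22:33:44:55"))
```

The duplicate-address check the answer mentions happens on the wire and is not modelled here.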

  7. Will I have to reconfigure all my machines in order for this to work?

    No. We have tested machines running Linux, FreeBSD, Solaris, Mac OSX, and Windows XP. They all support IPv6 "out-of-the-box". They all detect the network prefix advertisements sent out by the WRT54G and autoconfigure themselves with an IPv6 address and a default route. The only thing you might have to do is type "ipv6 install" from a command window in Windows XP.

  8. I'm still running Windows 98 or Windows ME. Will it work for me?

    No. Sorry, but Windows 98 and Windows ME do not support IPv6. Neither does Windows NT 3.xx.

  9. What about Windows 2000?

    You may be able to get Windows 2000 to work, at least in some limited fashion. But you have to download and install some special software from Microsoft. You can get more information at this URL: http://msdn.microsoft.com/downloads/sdks/platform/tpipv6.asp

  10. I have a Linksys model XYZ router, not a WRT54G. Will your firmware work on my box?

    No. The firmware we provide is specific to the WRT54G. There is a remote chance that it might work to some extent on some other Linksys models that are based on the MIPS processor and Linux operating system. But we haven't tested it and we strongly recommend against trying it. At a minimum it is likely that you will lose at least some functionality. And the odds are you will render your Linksys product totally inoperable (see question # 12 below).

  11. I'm willing to give it a try. Where do I get your firmware?

    Get the firmware image here.

  12. OK, I gave it a try. I downloaded your firmware and tried to install it. But something went wrong, and now my WRT54G doesn't work at all anymore. I hate you, I Hate you, I HATE YOU!!! What can I do?

    Do not despair, as you can probably recover from this. We have an entire page devoted to recovering WRT54Gs which have been turned into "electric rocks". Here's how.

  13. What are the security ramifications of all this? Will it be easier for people to break into my computers now?

    The firmware upgrade enables the following default IPv6 iptables filter rules:

    ip6tables -A FORWARD -i gif0 -s  -j DROP
    ip6tables -A FORWARD -i br0 -j ACCEPT
    ip6tables -A FORWARD -o br0 -p tcp --destination-port 22 -j ACCEPT
    ip6tables -A FORWARD -i gif0 -p tcp --syn -j DROP
    ip6tables -A FORWARD -i gif0 -p udp --dport 1024: -j ACCEPT
    ip6tables -A FORWARD -i gif0 -p udp -j DROP
    

    gif0 is the IPv6 tunnel interface, and br0 is the "bridge interface". Think of br0 as sort of a "pseudo-interface" which combines the wired and wireless interfaces together into one network interface. Note that SSH port 22 inbound is open by default, as are UDP ports above 1024. Except on port 22, no TCP SYN packets are allowed in from the outside. All outbound traffic is permitted.

    The good news is that no operating system we have tested seems to enable any service to listen on IPv6 by default. So you should be fairly safe unless you explicitly turn on some service and have it listen on your machine's IPv6 address. Also, due to the mind-numbingly large address space IPv6 provides, it is difficult for hackers to "find" your machine to try and break into it.

    We in no way endorse "security through obscurity" as a security methodology, but the fact is that it is extremely difficult to scan the IPv6 universe for hosts to crack. In IPv4 you can look at the IP address allocated to you by your ISP and be pretty confident that if you scan the 256 or so addresses near your own, you will find a machine. Probably many machines. With IPv6 that isn't true. To find hosts on a /64 IPv6 network, you have to scan some 18 quintillion addresses. And that assumes that you already know the /64 prefix to search!

  14. How can I customize the firewall rules?

    You can login to your WRT54G and use the 'ip6tables' command to establish your own custom firewall rules. However, you will lose these firewall settings whenever the WRT54G is rebooted.

    To save your firewall rules in NVRAM so they will be enabled upon router reboot, create a file in the /tmp directory which contains the firewall rules that you wish to add, just as you would supply them on the 'ip6tables' command line. Then use the 'ip6fwsave' command to store them in NVRAM. Here is an example:

    # cd /tmp
    # cat > my_ip6_fw_rules
    -A FORWARD -i br0 -j ACCEPT
    -A FORWARD -o br0 -p tcp --destination-port 22 -j ACCEPT
    -A FORWARD -o br0 -p tcp --destination-port 80 -j ACCEPT
    -A FORWARD -i gif0 -p tcp --syn -j DROP
    -A FORWARD -i gif0 -p udp --dport 1024: -j ACCEPT
    -A FORWARD -i gif0 -p udp -j DROP
    ^D
    # ip6fwsave my_ip6_fw_rules
    

    NOTE: '^D' above means "CTRL-D". In this example we customize the default ruleset by also allowing inbound TCP connections to port 80 (HTTP). Please note that these new firewall rules will not take effect until the WRT54G is rebooted.
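
Rule order in the file above matters because ip6tables acts on the first rule that matches a packet. The Python sketch below is an added example, not part of the EarthLink firmware; it models only the options used on this page, and the function names and packet fields are assumptions made for illustration.

```python
# Rule file from the ip6fwsave example on this page (port 80 is the customization).
CUSTOM_RULES = """\
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -o br0 -p tcp --destination-port 22 -j ACCEPT
-A FORWARD -o br0 -p tcp --destination-port 80 -j ACCEPT
-A FORWARD -i gif0 -p tcp --syn -j DROP
-A FORWARD -i gif0 -p udp --dport 1024: -j ACCEPT
-A FORWARD -i gif0 -p udp -j DROP
"""
KEYS = {"-i": "in_if", "-o": "out_if", "-p": "proto", "-j": "target",
        "--dport": "dport", "--destination-port": "dport"}

def parse_rules(text):
    """Parse '-A FORWARD ...' lines; handles only the options used on this page."""
    rules = []
    for line in text.splitlines():
        it, rule = iter(line.split()[2:]), {"syn": False}  # skip "-A FORWARD"
        for opt in it:
            if opt == "--syn":
                rule["syn"] = True
            elif opt in KEYS:
                rule[KEYS[opt]] = next(it)
            else:
                raise ValueError(f"unsupported option: {opt}")
        rules.append(rule)
    return rules

def port_match(spec, port):
    """Match one port or a range such as '1024:' (open end means 65535)."""
    lo, sep, hi = spec.partition(":")
    return int(lo or 0) <= port <= int(hi or 65535) if sep else port == int(lo)

def verdict(rules, pkt):
    """Return the target of the first matching rule, as ip6tables would apply it."""
    for r in rules:
        fields_ok = all(r[k] == pkt[k] for k in ("in_if", "out_if", "proto") if k in r)
        syn_ok = not r["syn"] or (pkt["proto"] == "tcp" and pkt["syn"])
        port_ok = "dport" not in r or port_match(r["dport"], pkt["dport"])
        if fields_ok and syn_ok and port_ok:
            return r["target"]
    return "POLICY"  # nothing matched; the chain policy is not shown on this page

def inbound(proto, dport, syn=False):
    """Constructed sample packet: arrives on the tunnel (gif0), leaves via br0."""
    return {"in_if": "gif0", "out_if": "br0", "proto": proto, "dport": dport, "syn": syn}

if __name__ == "__main__":
    rules = parse_rules(CUSTOM_RULES)
    for r in (rules, rules[:2] + rules[3:] + [rules[2]]):  # port-80 rule moved last
        print(verdict(r, inbound("tcp", 80, syn=True)))
```

With the port 80 rule moved below the `--syn` DROP rule, the same inbound connection attempt is dropped, which is why the ACCEPT lines come first in the saved file.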

  15. Why did you write your own command line utility instead of just using telnet?

    There isn't much spare flash memory left on the WRT54G to add new functionality. By dumping the telnet daemon and replacing it with a VERY stripped down utility we were able to save a few hundred thousand bytes of precious flash memory. Plus, the client / server we wrote doesn't send your password over the net in the clear like telnet does.

  16. I installed your firmware and rebooted my WRT54G. Everything seems OK, but how can I tell if it's working correctly?

    There are a few things you can do:

  17. I have a Mac, and the output of "ifconfig -a" shows that I have an IPv6 address. But I don't seem to be able to surf to any IPv6 websites. I can get to www6.research.earthlink.net, but when I go to www.kame.net the turtle doesn't dance and it tells me I'm not using IPv6. What's up?

    Many sites (like www.kame.net) are accessible via either IPv4 or IPv6 using the same URL. On the Mac, the Safari and Internet Explorer browsers will always prefer to use IPv4 over IPv6. So will Firefox, but with Firefox you can change this behavior by entering the URL "about:config", then changing the value of "network.dns.disableIPv6" to "false".

    You may run into similar symptoms on Windows XP when using the Internet Explorer browser. We recommend using the Firefox browser on XP. By default, Firefox is configured to prefer IPv6 over IPv4.

  18. Why do I even need to use a WRT54G for this? It seems to me I could accomplish the same thing using my Linux or FreeBSD box.

    You're right, you could. But it involves some pretty serious Unix System Administration skills. You have to know how to configure IPSEC, how to configure DHCPv6, how to configure route advertisements, how to configure IPv6 routing, and several other things. And it would be very difficult for us to help people debug their configurations as they tried to get it all to work.

  19. I'm having troubles on WinXP. I'm able to surf the web, but inbound TCP connections and inbound UDP don't work.

    Upgrade to Service Pack 2. Windows XP exhibits some very odd behavior in its IPv6 implementation prior to Service Pack 2.


Last modified: Tue May 3 17:30:09 PST 2005
Questions and feedback: ipv6 at research.earthlink.net
Copyright 2005, EarthLink, Inc.