IPv6 on the Campus
Note 1: This manual provides some info about some advanced aspects of the network at the University of Twente. For normal use of IPv6 on campus, you don’t need any information provided by this manual. This should work out-of-the-box for (almost) all devices.
Note 2: It is assumed you have some in-depth knowledge about your operating system and about different network systems and network protocols. This manual is not aimed at beginners. Please make sure you have enough prior knowledge before starting to work with this manual.
This manual provides some background information about services provided at the network of the University of Twente and provides some information about procedures for users that want to get the most out of these services. Therefore this manual is not a “traditional” step-by-step manual, as most of the ICT manuals at the website of the University of Twente are.
IPv6 (version 6 of the Internet Protocol) is the successor of IPv4. IPv4 has been in use since 1983 and provides every device on the internet with a unique address (the IP address). Using this IP address, devices can send data over the internet to other devices. This manual does not explain the working principles of the internet further. If you are eager to learn more about this, then this (http://www.theshulers.com/whitepapers/internet_whitepaper/) could be of interest to you.
Due to the structure of IPv4 addresses, there are only around 4.3 billion unique IPv4 addresses available, of which, for various reasons, only 3.7 billion are available for the general public. Because of this limited number of addresses, it was predicted from the nineties onwards that we would eventually run out of IPv4 addresses. At the beginning of 2011, this prediction became reality when the leading authority in the area of IP addresses (IANA, the Internet Assigned Numbers Authority) assigned the last block of free IPv4 addresses to regional organizations. This was not a surprise, because IPv4 only provides 1 IP address per 2 inhabitants of the world while a lot of people (especially in the western world) possess multiple devices that are connected to the internet.
IPv6 addresses are structured in such a way that there is a virtually unlimited number of unique addresses (to be precise: 2^128 or 3.4 x 10^38 unique addresses). This should solve the problem of running out of IPv4 addresses. IPv6 is therefore used more and more and will eventually replace IPv4 completely. The University of Twente has already supported IPv6 and IPv4 for years and is prepared for the future.
Luckily, IPv6 is not a thing of the last few years. The world decided to eventually switch to IPv6 more than a decade ago. Therefore most devices that can connect to the internet already support IPv6, and it is very likely that you don’t have to configure anything by hand to use IPv6.
An IPv4 device gets an IP address via the DHCP protocol. This is also the case on the UT network. A comparable protocol is available for IPv6 to dynamically allocate IPv6 addresses to devices: DHCPv6. The UT network, however, does not use this protocol. The UT network uses a strategy called SLAAC (stateless address autoconfiguration). This means that a device provides itself with an IPv6 address based on its MAC address and a so-called IPv6 prefix. An IPv6 prefix is a prefix for IPv6 addresses which is valid for (a part of) a network. For example, the prefix of campusnet (which contains all the student housing) is 2001:67c:2564:331::/64. If your MAC address is 12:34:56:78:90:ab, then your IPv6 address will become 2001:67c:2564:331:1234:56ff:fe78:90ab. A SLAAC address is recognizable by the “ff:fe” part in the middle of the IPv6 address. If you want to know more about SLAAC, you could start at this (http://www.sput.nl/internet/ipv6/ll-mac.html) page.
Some campus residents use their own router in their housing. Most routers try to request an IPv6 address via DHCPv6. As discussed before, this could lead to problems on campusnet. Therefore it is important to disable DHCPv6 on your router. Of course you can still make use of IPv6 within your local network. This can be done in one of the following two ways:
Some routers support a function called “IPv6 pass-through” (or similar). When this function is activated for IPv6, the clients on the LAN side of the router will get an IPv6 address via SLAAC using the campusnet prefix. In this case, your router functions more or less like a switch instead of a router (of course only for IPv6). Clients registered in DAS (https://das.snt.utwente.nl) with a static IP address and hostname will also get that hostname via their SLAAC IPv6 address. These hostnames are structured like hostname.student.ipv6.utwente.nl and only work if the registered device connects to the campusnet VLAN.
Other routers enable you to route your own IPv6 prefix. If this is the case you could – if you want – request your own, personal /64 IPv6 prefix via the SNT Helpdesk. The university will then route this IPv6 prefix to your own router. From there on you can use either DHCPv6 in your own LAN (please make sure you do not advertise a DHCPv6 server to the UT network!) or use SLAAC.
Privacy and security considerations
One aspect of IPv6 is that, in contrast to IPv4, every device is (most likely) directly connected to the internet and is therefore publicly accessible.
With most IPv4 home connections (provided by Internet Service Providers), one household will only get one IPv4 address assigned. The router of the household provides all the devices connected to it with an internal IPv4 address (mostly in the range 192.168.0.0/16); this is also the case if you use your own router on campusnet. These local IP addresses are thus not unique on a worldwide basis and are therefore not accessible from the internet; they are only used locally. Your router is constantly translating the local IP addresses to the global one (the one assigned to the router) and vice versa in a process called Network Address Translation (NAT). This process actually is the only reason the internet is still functioning while globally there are more devices using the internet than IPv4 addresses.
IPv6 solves the lack of addresses but introduces another problem. Every device is directly connected to the internet (instead of via a NAT) and therefore also reachable via the internet. Therefore it’s even more important that your router, but also the devices connected to the router, have a decent firewall (because there is no NAT which protects your devices from remote connections).
Furthermore, SLAAC is often used for generating the IPv6 address your device will have. This introduces a privacy issue, since the process of generating an IPv6 address from your MAC address and network prefix is reversible. Everybody who intercepts a SLAAC IPv6 address is able to deduce the MAC address of the device. MAC addresses can be used, for example, to find out which manufacturer produced the network device.
An even larger problem is that the last part of the SLAAC address is solely based on your MAC address. When you switch between different networks (this could be different parts of the campus, but also e.g. your home network, your mobile phone network (3G/4G/5G), or the networks of your friends), the last part of your IPv6 address won’t change. Websites you frequently visit (like news agencies, but also Google) can identify your device via the last part of your SLAAC IPv6 address. It is even possible that they could correlate your SLAAC IPv6 address to a location via the network prefix of your current IPv6 address (e.g. an IPv6 address starting with 2001:67c:2564 means that the device is currently at the University of Twente).
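The derivation from the SLAAC section and its reversal, as an added example that is not part of the original manual. It applies the modified EUI-64 rule of RFC 4291, which also inverts the universal/local bit of the first MAC octet, so for the MAC 12:34:56:78:90:ab the last part of the address begins with 1034 rather than 1234. The second prefix and the temporary address are constructed sample values.

```python
import ipaddress

CAMPUSNET = "2001:67c:2564:331::/64"  # campusnet prefix quoted in this manual
OTHER_NET = "2001:db8:1:2::/64"       # constructed sample (documentation prefix)
MAC = "12:34:56:78:90:ab"             # example MAC used in this manual


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Build the modified EUI-64 SLAAC address for a MAC inside a /64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if net.prefixlen != 64 or len(octets) != 6:
        raise ValueError("need a /64 prefix and a 48-bit MAC address")
    # Insert ff:fe between the two MAC halves and invert the universal/local bit.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def mac_from_address(address: str):
    """Return the MAC embedded in an address, or None if it is not EUI-64 based."""
    iid = (int(ipaddress.IPv6Address(address)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None  # temporary (privacy extension), static or other identifier
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def audit(addresses):
    """Map each address of a host to the MAC it discloses (None = no MAC)."""
    return {addr: mac_from_address(addr) for addr in addresses}


if __name__ == "__main__":
    on_campus = slaac_address(CAMPUSNET, MAC)
    elsewhere = slaac_address(OTHER_NET, MAC)
    print(on_campus, elsewhere)
    # The lower 64 bits are identical on both networks, so the device is
    # recognisable wherever it connects.
    print(int(on_campus) & (2**64 - 1) == int(elsewhere) & (2**64 - 1))
    # Constructed address list of one host: SLAAC address plus a temporary one.
    temporary = "2001:67c:2564:331:5c1d:9a3e:77b0:42f1"
    for addr, mac in audit([str(on_campus), temporary]).items():
        print(addr, "->", mac or "no MAC disclosed")
```

A random identifier can contain ff:fe in the same position by chance (1 in 65,536), so a match from mac_from_address is a strong hint rather than proof.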
The last-mentioned problem can be prevented by using a technique called privacy extensions. This method allows devices to use (besides a SLAAC IPv6 address) a randomly generated IPv6 address. When this random address is used for sending requests to the internet, tracking your device becomes a whole lot more difficult. Privacy extensions are especially useful for mobile devices such as smartphones and laptops. Most operating systems will automatically use privacy extensions. If you want to learn more about privacy extensions, you could start here (http://www.internetsociety.org/deploy360/resources/privacy-extensions-for-ipv6-slaac/).
This section contains some common issues that could occur when using IPv6.
As described before, SLAAC could result in privacy issues, which can be solved with privacy extensions. In general, using privacy extensions will not cause any problems, but in some cases it can. For example, this is the case when your device has to connect to a service which only accepts connections from certain IP addresses. In this case you want outgoing connections to be traceable to your hostname, so you would like to use SLAAC or a static host IPv6 address. You can disable the privacy extensions of Windows by opening a PowerShell terminal with administrator privileges and executing the following two commands:
Set-NetIPv6Protocol -RandomizeIdentifiers Disabled
Set-NetIPv6Protocol -UseTemporaryAddresses Disabled