IP Version 6 Hosts


We've discussed the configuration and implementation of an IPv6 router. However, what good does an IPv6 router do without IPv6 hosts? In the interest of providing complete documentation on an IPv6 network deployment, here we talk about configuring a Solaris 8 system to interact with an IPv6 network.

Automatic Configuration

One feature of IPv6 is the ability to autoconfigure systems with an IP address when they bootstrap. This feature, built into the IPv6 protocol, is seamlessly supported by Solaris 8. This can be an advantage in networks with a large number of hosts that might not need connectivity with one another or a known accessible address. The steps to take advantage of this feature are minimal.

A Solaris 8 system depends on the /etc/hostname6.interface file for IPv6. When the system boots, if it finds this file, it attempts to configure itself according to the information contained in the file. To create a Solaris 8 host that is configured via the network, the only necessity is having a hostname6.interface file with no information. This causes the system to use the data obtained from the network via in.ndpd and configure itself for communication using the network information and MAC address of the interface.
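As an added illustration (not from the book), the POSIX shell functions below carry out the standard modified EUI-64 derivation (RFC 2464) that stateless autoconfiguration uses to turn an interface's MAC address into the low 64 bits of its IPv6 address, so the address a host will take can be predicted when writing filter rules. The MAC address and the 2001:db8:0:1 prefix are constructed sample values.

```shell
#!/bin/sh
# Added example: predict the address a host autoconfigures from its MAC.
# Sample MAC and prefix are constructed values, not taken from the book.

# eui64_iid MAC -> interface identifier as four hex groups (modified EUI-64)
eui64_iid() {
    # Solaris prints MACs without leading zeros (8:0:20:...), so split on
    # ":" and treat every octet as a hex number instead of slicing text.
    old_ifs=$IFS; IFS=:
    set -- $1
    IFS=$old_ifs
    [ $# -eq 6 ] || { echo "expected 6 octets" >&2; return 1; }
    for o in "$@"; do
        case $o in
            ''|*[!0-9A-Fa-f]*|???*) echo "bad octet: $o" >&2; return 1 ;;
        esac
    done
    # Flip the universal/local bit (0x02) of the first octet, then insert
    # ff:fe between the vendor half and the device half of the MAC.
    printf '%x:%x:%x:%x\n' \
        $(( ((0x$1 ^ 0x02) << 8) | 0x$2 )) \
        $(( (0x$3 << 8) | 0xff )) \
        $(( 0xfe00 | 0x$4 )) \
        $(( (0x$5 << 8) | 0x$6 ))
}

# autoconf_addr PREFIX64 MAC -> PREFIX64 is the first four groups of a /64
autoconf_addr() {
    iid=$(eui64_iid "$2") || return 1
    echo "$1:$iid"
}

autoconf_addr fe80:0:0:0 8:0:20:ab:cd:ef      # link-local address
autoconf_addr 2001:db8:0:1 8:0:20:ab:cd:ef    # address under an advertised prefix
```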

Manual Configuration

Interfaces on a Solaris 8 system using IPv6 can be manually configured using data on the system or via data obtained from DNS. This configuration is beneficial in that it gives systems a known address at which they can be reached. This is an ideal configuration for servers on an IPv6 network.

The ipnodes File

One of a few ways a Solaris 8 host can be configured manually is by using the /etc/inet/ipnodes file. This method is ideal in a situation in which IPv6 DNS is not available. To take advantage of this feature, our first step is to make an entry in the ipnodes file for the address we want the system to configure and a host name. Take a look at Figure 7.7. It is an ipnodes file entry for a host that will boot with IPv6 configured.

Figure 7.7: An ipnodes File Entry for a Host That Will Boot with IPv6 Configured

In this example, we see that our host has an entry for 0A:0A:0A:0A:0A:0A:0A:02 in the ipnodes file, with the host name barracuda and on mydomain.com. This entry is referenced when the system bootstraps. To give the system the address we desire, we need to place the address in the hostname6.interface file. We use the following entry to force the system to configure an interface using this address:

addif barracuda.mydomain.com/64 up 

When the system is next rebooted, this entry instructs the system to look up barracuda.mydomain.com in the ipnodes file and place the resulting address on the next available virtual interface, bound to the physical interface denoted at the end of the hostname6.interface file name.

DNS

Another way Solaris 8 can be configured to obtain a desired IP address is via DNS. The benefit of this method is that it allows systems to obtain their IP addresses from one centrally managed server. This can be helpful in a large network in which systems need awareness of one another and users need to be able to access systems within the network via a known address or name.

This configuration option depends entirely on a network with support for IPv6 DNS. To configure a host to use DNS, the /etc/nsswitch.conf file must be edited. The ipnodes line within /etc/nsswitch.conf by default uses files to resolve host names. Edit the /etc/nsswitch.conf, and make the ipnodes line look like the following example:

ipnodes:    files dns

Under this configuration, when the host attempts to resolve an IPv6 address or an IPv6 host name, it first consults the /etc/inet/ipnodes file. If it cannot find an entry for the host in the ipnodes file, it then turns to DNS. When the host receives a response from the name server, it configures the returned address on the physical interface denoted at the end of the hostname6.interface file name, using the next available virtual interface on that physical interface.
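The ipnodes and DNS methods above differ in where a boot-time address comes from, so the following added example (not from the book) reports, for every addif entry in hostname6.* files, whether its name is answered by the local ipnodes file, depends on a name server, or cannot be resolved at all. It runs against a constructed directory tree; the interface names hme0, hme1 and qfe0 and the host marlin are hypothetical, and the ipnodes line is built from the values the text gives rather than reproduced from Figure 7.7.

```shell
#!/bin/sh
# Added example: where is each "addif" name in hostname6.* resolved?
# Every file below is a constructed sample written under a temporary root.

# name_source ROOT NAME -> prints "files", "dns" or "none"
# Assumes "files" is listed first on the ipnodes line, as in the default.
name_source() {
    # Does a non-comment ipnodes line list NAME after the address field?
    if awk -v n="$2" '
            { sub(/#.*/, "") }
            { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
            END { exit !found }' "$1/etc/inet/ipnodes" 2>/dev/null
    then
        echo files
    elif grep -E '^ipnodes:.*[[:space:]]dns([[:space:]]|$)' \
            "$1/etc/nsswitch.conf" >/dev/null 2>&1
    then
        echo dns      # address depends on a name server answer at boot
    else
        echo none     # interface will come up without this address
    fi
}

# audit ROOT -> one line per addif entry: "<file> <name> <source>"
audit() {
    for f in "$1"/etc/hostname6.*; do
        [ -f "$f" ] || continue
        awk '$1 == "addif" { print $2 }' "$f" |
        while read -r spec; do
            name=${spec%%/*}          # strip the /prefix-length
            echo "${f##*/} $name $(name_source "$1" "$name")"
        done
    done
}

demo_root() {
    d=$(mktemp -d) && mkdir -p "$d/etc/inet" || return 1
    printf '%s\n' '# constructed sample entry' \
        '0A:0A:0A:0A:0A:0A:0A:02 barracuda.mydomain.com barracuda' \
        > "$d/etc/inet/ipnodes"
    printf 'ipnodes:    files dns\n' > "$d/etc/nsswitch.conf"
    printf 'addif barracuda.mydomain.com/64 up\n' > "$d/etc/hostname6.hme0"
    printf 'addif marlin.mydomain.com/64 up\n' > "$d/etc/hostname6.hme1"
    : > "$d/etc/hostname6.qfe0"       # empty file: autoconfigured interface
    echo "$d"
}

r=$(demo_root) && audit "$r" && rm -rf "$r"
```

Entries reported as dns take whatever address the name server returns at boot, which makes them worth listing when reviewing which servers rely on the integrity of DNS.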

Configuring Solaris as a Secure Gateway

In this section we talked about using Solaris as a router between different networks. Solaris is capable of functioning as a gateway as well. In implementation, there is little difference between the two functions. The main difference is in their placement on networks and the way in which they interact with hosts.

A gateway is a system that connects two or more segments of the same network via two or more interfaces. The reasons for this configuration are typically situations such as dial-up users who don't need dedicated connections or segments of the same network that are divided by some physical obstacle in which an additional outbound link to the Internet either isn't needed or isn't wanted.

Solaris is suited for this type of use. As mentioned previously, a default installation of Solaris will work for this purpose. The only requirement for a Solaris gateway is two or more interfaces, and the system will automatically configure itself to pass traffic between the two networks. By observing our discussion about minimalism, it's possible to create a system that will, in most cases, provide secure, reliable service.

One key configuration difference we should mention is the changing of the IP kernel module variables. In our previous discussion, we recommended disabling the ip_forward_directed_broadcasts and the ip_forward_src_routed variables. In a gateway environment in which systems are on the same subnet, we do not want to disable these options. These options, in a gateway situation, are helpful in terms of network management. A correctly designed network will not let broadcasts into or out of the subnet.




The Best Damn Firewall Book Period
ISBN: 1931836906
EAN: 2147483647
Year: 2003
Pages: 240
