I whipped up a (seemingly) working IPv6 set-up for both my hypervisors, meaning my services will soon be IPv6-compliant; yay! I did struggle with it, though. There are a couple of gotchas one needs to be aware of:

  • it is best to use router advertisements (RA), in case your provider changes the default gateway for your server
  • if your hypervisor is going to be a firewall (which I guess it is), you will need to use RADVD to advertise your dom0 to your domUs
  • RA and IPv6 forwarding do actually work together, but you need to enable both in sysctl.conf (see accept_ra=2 in the script below)

Let’s get on with it, then. First, let’s set up IPv6 on the dom0:

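#!/bin/sh

PATH=/bin:/sbin:/usr/bin:/usr/sbin

# Route between the uplink (xenbr0) and the domU network
sysctl -w net.ipv6.conf.all.forwarding=1
# accept_ra=2: keep accepting RAs on the uplink even though forwarding is on
sysctl -w net.ipv6.conf.xenbr0.accept_ra=2
sysctl -w net.ipv6.conf.xenbr0.autoconf=1

# DHCPv6 client on the uplink (-6), requesting a delegated prefix (-P)
dhclient -cf /etc/dhcp/dhclient6.conf -pf /run/dhclient6.xenbr0.pid -6 -P xenbr0
# dom0 address on the uplink, and the route to the /64 used by the domUs
ip -6 a add 2001:c0de:babe:580::1/56 dev xenbr0
ip -6 ro add 2001:c0de:babe:581::/64 dev xapi0

/etc/init.d/radvd start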

This is what dhclient6.conf looks like:

interface "xenbr0" {
          send dhcp6.client-id <your DUID here>;
          request;
}

Then, configure RADVD; it will have to advertise on the internal domU network (xapi0):

interface xapi0
{
        AdvSendAdvert on;
        prefix  2001:c0de:babe:581::/64
        {
                AdvOnLink on;
                AdvAutonomous on;
        };

};

Finally, you may want to firewall this all up a bit:

# Assumes IPT6 holds the path to ip6tables and vm01_ipv6 the IPv6 address of the domU
$IPT6 -P INPUT DROP
$IPT6 -P OUTPUT ACCEPT
$IPT6 -P FORWARD DROP
$IPT6 -F
$IPT6 -X
$IPT6 -Z

$IPT6 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Multicast traffic - needed for IPv6 routing
$IPT6 -A INPUT -p ipv6-icmp -d ff00::/8 -j ACCEPT
# Link-local traffic as well, I guess it couldn't hurt...
$IPT6 -A INPUT -p ipv6-icmp -d fe80::/10 -j ACCEPT
# DHCPv6
$IPT6 -A INPUT -p udp --dport 546 -j ACCEPT

$IPT6 -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# domUs may reach the outside; inbound is limited to HTTP/HTTPS on one VM
$IPT6 -A FORWARD -i xapi+ -o xenbr0 -j ACCEPT
$IPT6 -A FORWARD -i xenbr0 -o xapi+ -p tcp -m multiport --dports 80,443 -d $vm01_ipv6 -j ACCEPT

And there you go! You will need to make sure IPv6 multicast traffic can go from the dom0 to the domUs through xapi+: RADVD needs this to advertise.
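
A quick way to check the RA/forwarding gotcha from the list at the top, as an added example that is not part of the original set-up: it reads the three sysctls the dom0 script sets and flags the combination where forwarding is on but accept_ra is still 1, in which case the kernel ignores the provider's RAs. The function names and the SYSCTL_ROOT override are hypothetical, chosen for this example.

```shell
#!/bin/sh
# Added example: audit the dom0 sysctls that let RA and forwarding coexist.
# SYSCTL_ROOT is a hypothetical override so the check can also be pointed
# at a constructed directory tree instead of the live /proc/sys.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# read_knob <relative path>: print the value, or "missing" if unreadable
read_knob() {
    if [ -r "$SYSCTL_ROOT/$1" ]; then
        tr -d ' \t\n' < "$SYSCTL_ROOT/$1"
    else
        printf 'missing'
    fi
}

# check_ra_forwarding <uplink interface>
# Prints one line per finding; returns 0 if consistent, 1 otherwise.
# Usage on the dom0: check_ra_forwarding xenbr0
check_ra_forwarding() {
    iface="$1"
    rc=0
    fwd=$(read_knob "net/ipv6/conf/all/forwarding")
    ra=$(read_knob "net/ipv6/conf/$iface/accept_ra")
    auto=$(read_knob "net/ipv6/conf/$iface/autoconf")

    if [ "$fwd" != 1 ]; then
        echo "FAIL all.forwarding=$fwd: dom0 will not route for the domUs"
        rc=1
    fi
    case "$ra" in
        2) ;;  # accepted regardless of forwarding
        1) if [ "$fwd" = 1 ]; then
               echo "FAIL $iface.accept_ra=1: RAs are ignored while forwarding is on, set 2"
               rc=1
           fi ;;
        *) echo "FAIL $iface.accept_ra=$ra: RAs from the provider are not accepted"
           rc=1 ;;
    esac
    if [ "$auto" != 1 ]; then
        echo "WARN $iface.autoconf=$auto: no SLAAC address will be configured"
    fi
    [ "$rc" -eq 0 ] && echo "OK $iface accepts RAs with forwarding enabled"
    return "$rc"
}
```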