User:JNN2-SIXXS/Case Experience (Home Dynamic NAT)
From SixXS Wiki
This page documents my experience on setting up IPv6 on my home network. I have a LAN of Windows and Linux PCs and servers running on private IPv4 IPs behind a dynamic-IPv4 NAT. I also travel for work with a Windows XP laptop; I have no native IPv6 access on the road.
I have been watching IPv6 from afar for several years and in June 2008 decided it's time to jump in and learn it. I am particularly motivated by the US Government[1] and several other nations[2] making the effort to go IPv6. I presume this will help push native IPv6 adoption elsewhere, and it will be handy for me to know IPv6 then.
I also would like all my home boxes to have world-routable static IPs, and IPv6 is a fantastic way to do it.
My ISP is the US-based Verizon, and I have their FiOS FTTP product.
Non-SixXS
I don't have native IPv6 available. Before I looked for an IPv6 tunnel broker I started experimenting with the local and private addressing so I could get the feel for installing and using IPv6 on my systems.
Link-Local Addressing
You probably know this before reading this page, but every IPv6-enabled interface gets a link-local address (fe80::/10, in practice always fe80::/64). These are analogous to IPv4's 169.254.0.0/16 "autoip" scope, but IPv6 always uses them, extensively, for local configuration: neighbor discovery, router discovery and prefix advertisement all run over link-local addresses. (Viewing the neighbor cache is analogous to viewing IPv4's ARP cache.) A link-local address is only meaningful together with the link it lives on, so any application using one has to carry a zone identifier as well (fe80::1%eth0 on Linux, fe80::1%4 on Windows), which is why many programs and URL syntaxes refuse them.
I was able to ping6 between link-local addresses on my LAN but was initially unable to use them to view a web page. I think the problem is that the link local addresses aren't meant for user-level communication. However I expect to be using other scopes of addressing for applications, so this was mainly just a test.
Private Addressing
Although there are plenty of IPv6 addresses to go around in the foreseeable future, I wanted a private scope for lab testing before obtaining a tunnel. It also occurred to me that some organizations may be used to using private IPv4 addresses and may choose to remain on a private scope for IPv6 (although I think long term it is preferable to use public addressing and appropriate firewalling).
The private IP ranges described below are analogous to IPv4's 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 (RFC 1918).
Site-Local Addressing
Initially fec0::/10 was set aside for site-local addressing. These addresses were not world-routable and were available for private use. However, RFC 3879 deprecated site-local addresses in 2004, and unique local addressing should be used instead. I believe a big concern was of duplicate prefixes being used since everyone was likely to grab fec0::/64 as their first private prefix. If sites were to merge in the future the duplicate prefixes could be a problem.
I decided not to use the obsoleted site-local addressing scheme at home.
Unique Local Addressing
RFC 4193 defines a set of private addresses intended to be globally unique. This prevents problems if sites are later combined (think company mergers) or if a misconfigured router leaks the private prefix onto the public network. fc00::/7 is the range: the 8th bit (L) says whether the prefix was locally assigned, the 9th through the 48th bits are a 40-bit pseudo-random global ID, and that leaves a /48 for each site with 16 bits of subnet ID and a 64-bit interface ID. Only L=1 is defined, so every ULA in use today falls in fd00::/8; fc00::/8 is reserved for a possible central registry, but there is currently no official registry. However SixXS runs a voluntary registry that will generate a random global ID for you and register it so others will hopefully not duplicate it.
I used the SixXS ULA registration tool to generate and register my own global ULA ID. I set up a router advertisement daemon on one of my Linux boxes to advertise a /64 prefix out of my global ID, and my other IPv6 hosts successfully statelessly configured themselves to the prefix without any extra effort on my part. It was a proud moment.
One lesson was that the router advertisement daemon only works with /64 prefixes. This makes sense when you think about it since the host portion (EUI-64) is 64 bits, and the entire address needs to be 128 bits. So for stateless autoconfiguration you must always advertise a /64 prefix. So I had a /48 but was only using one /64 out of the /48 for my local subnet. When at first I tried to advertise the /48 the router daemon generated errors saying the prefix had to be /64.
Another lesson is that I had to manually configure the IPv6 address for the Linux box running the router advertisement daemon. Apparently a link can't advertise a prefix to itself, or else there is something I haven't figured out yet. (I read somewhere that the Linux kernel disables autoconfiguration for an interface if forwarding is enabled, and forwarding would be enabled on a router interface.) Actually I don't think the router really needs an address on that prefix as my clients seem to use the router's link local address as the default route. But my router box provides other services, so I assigned it an address.
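The Global ID algorithm from RFC 4193 section 3.2.2, as an added example in Python (not the SixXS registry tool and not code from the original page): it hashes the current NTP time together with an EUI-64 and keeps the low 40 bits of the SHA-1 digest, which is all the uniqueness a ULA prefix has, then carves one /64 out of the resulting /48. The MAC address 00:11:22:33:44:55 and the fixed timestamp used for testing are constructed.

```python
"""RFC 4193 section 3.2.2: derive a locally assigned ULA /48 from the current
time and an EUI-64, then carve a /64 subnet out of it for the LAN.
Added example; not the SixXS registry tool, which picks the Global ID for you.
The MAC address and any fixed timestamp passed in are constructed."""
import hashlib
import struct
import time
from ipaddress import IPv6Network

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe in the middle and flip
    the universal/local bit, exactly as SLAAC does for interface identifiers."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def ntp_timestamp_now() -> int:
    """64-bit NTP format: 32 bits of seconds since 1900, 32 bits of fraction."""
    now = time.time()
    return ((int(now) + NTP_EPOCH_OFFSET) << 32) | int((now % 1) * 2**32)


def ula_prefix(eui64: bytes, ntp_time=None) -> IPv6Network:
    """Global ID = low 40 bits of SHA-1(ntp_time || eui64); the prefix is fd00::/8
    (fc00::/7 with the L bit set to 1) followed by the Global ID, i.e. a /48."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    if ntp_time is None:
        ntp_time = ntp_timestamp_now()
    digest = hashlib.sha1(struct.pack(">Q", ntp_time) + eui64).digest()
    global_id = int.from_bytes(digest[-5:], "big")  # least significant 40 bits
    return IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def ula_subnet(prefix: IPv6Network, subnet_id: int) -> IPv6Network:
    """One of the 65,536 /64s in the /48: the only size SLAAC can use."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 and a 16-bit subnet id")
    return IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


if __name__ == "__main__":
    site = ula_prefix(mac_to_eui64("00:11:22:33:44:55"))  # constructed MAC
    print("site prefix:", site)
    print("LAN /64:    ", ula_subnet(site, 1))
```

Running the module prints a /48 in fd00::/8 and the first /64 out of it. A prefix obtained from the SixXS registry has the same layout; the only difference is who chose the 40 random bits.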
Teredo
Teredo is an automatic IPv6 tunneling mechanism designed to traverse NATs. It is an IPv4-to-IPv6 transitional mechanism that won't be needed when the IPv6 migration is complete. It is available in Windows IPv6 implementations, activated through a netsh command, and via the Miredo daemon for Linux and unix variants. A Teredo server (UDP port 3544) helps the client discover what kind of NAT it is behind and what its NAT-mapped IPv4 address and port are; IPv6 packets then travel between the client and a Teredo relay (or another Teredo client) encapsulated in IPv4 UDP rather than in protocol 41, which is what lets them cross a NAT. The client's address comes from 2001::/32 and encodes the server address plus the mapped IPv4 address and port, so your Teredo IPv6 address is not static.
I successfully used Teredo from a WinXP host and Miredo from a Linux host behind my NAT, but I did not try to set up a Teredo router that would route from my whole subnet. I think that's possible via Miredo but am not sure if Windows Teredo can be set up that way. Teredo is considered a last resort route; native IPv6, tunnel brokering and 6to4 are preferable to using Teredo. The Teredo specifications state this.
I didn't spend much time on this as my goal was to get a static IPv6 subnet via a tunnel. However I have used Teredo from my laptop while on the road to remote desktop over IPv6 back to my Windows desktop at home. (The home desktop had a public IPv6 address at the time.) I often do this in hotels when I don't have a public IP. When I have a public IP I can use 6to4 instead.
While I can access the IPv6 network in general with Teredo, I was unable to view http://www.kame.net/ via IPv6.
6to4
6to4 (RFC 3056) is an IPv4-to-IPv6 transitional mechanism that assigns an IPv6 /48 to every public IPv4 address: 2002:WWXX:YYZZ::/48 for the address WW.XX.YY.ZZ. It won't be needed after the IPv6 migration is complete (and RFC 7526 has since deprecated it, so treat it as a legacy option). Both Windows and Linux have 6to4 available natively. In Linux you set up a sit interface, and in Windows you use the netsh command to enable 6to4. IPv6 packets are encapsulated in IPv4 via 6in4 (IP protocol 41), and the nearest 6to4 relay is reached through the IPv4 anycast address 192.88.99.1 (RFC 3068). If you are on a NAT and do not have an IPv6-capable router you may need to forward protocol 41 to a 6to4-capable host to act as an IPv6 router. Not all IPv4 routers can forward protocol 41, and those that can usually forward it to a single inside host only, since there are no port numbers to distinguish hosts.
On the WinXP laptop it was pretty simple to get this working. The only catch is that you have to have an interface with a public IPv4 address, so I don't think you can make it work from behind a NAT. When I'm on a connection that gives me a publicly routable IPv4 address I use 6to4 to ssh, remote desktop or web surf back to my home network (when the home network has world-routable IPv6 addresses).
With Linux behind the NAT I was able to specify the public IPv4 address when configuring the interface, and I configured the NAT router to forward 6in4 packets (protocol 41) to the Linux box. I had to also manually assign an IPv6 address to the host. I was able then to talk to the IPv6 internet over the 6to4 address. Then I advertised a /64 prefix within the /48 6to4 range for my IPv4 IP to the rest of my subnet, and the other IPv6 hosts statelessly configured themselves and added the default route. Now my entire subnet has 6to4 addresses. Another proud moment.
Unfortunately I have a dynamic IPv4 address, so in effect my 6to4 IPv6 prefix is dynamic, too. And I manually configured the prefix, router address and route, so I'll need to reconfigure manually when my IPv4 address changes or set up a script to detect when my IPv4 address changes and then change the IPv6 prefix, address and routes.
While I can access the IPv6 network in general with 6to4, I was unable to view http://www.kame.net/ via IPv6.
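Putting the 6to4 arithmetic into code, as an added example in Python (not the author's script and not code from the original page): it derives the 2002::/48 from the public IPv4 address, picks one /64 for the LAN, and renders the Linux commands and the radvd stanza, so the whole thing can be re-run from a cron job or a DHCP hook whenever the dynamic public address changes. It also adds an unreachable route for the rest of the /48 so that packets to unused subnets are dropped instead of looping back out over the tunnel, a guard that applies equally to any routed /48 such as the tunnel-broker subnet described later on this page. The addresses 192.0.2.1 and 192.168.1.10, the interface names tun6to4 and eth0 and subnet id 1 are assumptions.

```python
"""6to4 addressing derived from a public IPv4 address, rendered as the Linux
commands and radvd stanza the setup needs, so the same function can be re-run
whenever a dynamic IPv4 address changes.  Added example, not the page author's
script.  The public address 192.0.2.1, the private address 192.168.1.10, the
interface names tun6to4/eth0 and subnet id 1 are assumptions."""
from ipaddress import IPv4Address, IPv4Network, IPv6Network

RELAY_ANYCAST = IPv4Address("192.88.99.1")  # 6to4 relay anycast address, RFC 3068

# A 6to4 prefix embeds the address the relay will send protocol-41 packets back
# to, so a private, loopback, link-local or multicast address can never work.
NOT_ROUTABLE = [IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def sixtofour_prefix(public_v4: str) -> IPv6Network:
    """2002:WWXX:YYZZ::/48 for the public address WW.XX.YY.ZZ (RFC 3056)."""
    v4 = IPv4Address(public_v4)
    if any(v4 in net for net in NOT_ROUTABLE):
        raise ValueError(f"{v4} is not public; behind a NAT use the NAT's public address")
    # 0x2002 in the top 16 bits, the IPv4 address in bits 16..47, the rest zero.
    return IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def lan_prefix(public_v4: str, subnet_id: int = 1) -> IPv6Network:
    """One /64 out of the /48 (16-bit subnet id) for SLAAC on the LAN."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    site = sixtofour_prefix(public_v4)
    return IPv6Network((int(site.network_address) | (subnet_id << 64), 64))


def linux_commands(public_v4, local_v4=None, lan_if="eth0", subnet_id=1):
    """Shell commands for a Linux 6to4 router.  local_v4 is the address the sit
    tunnel binds to: the public address itself, or the box's private address
    when a NAT in front of it forwards protocol 41 to this host."""
    local_v4 = local_v4 or public_v4
    site = sixtofour_prefix(public_v4)
    lan = lan_prefix(public_v4, subnet_id)
    return [
        "sysctl -w net.ipv6.conf.all.forwarding=1",
        f"ip tunnel add tun6to4 mode sit remote any local {local_v4} ttl 64",
        "ip link set dev tun6to4 up",
        f"ip -6 addr add {site.network_address + 1}/16 dev tun6to4",
        # The IPv4-compatible form ::192.88.99.1 tells the sit driver which IPv4
        # host to encapsulate packets for; the /16 above routes 2002::/16 directly.
        f"ip -6 route add 2000::/3 via ::{RELAY_ANYCAST} dev tun6to4 metric 1",
        # Unused parts of the /48 would otherwise match the default route and loop
        # back out over the tunnel; the LAN /64 below is more specific and still wins.
        f"ip -6 route add unreachable {site}",
        f"ip -6 addr add {lan.network_address + 1}/64 dev {lan_if}",
    ]


def radvd_conf(public_v4, lan_if="eth0", subnet_id=1) -> str:
    """radvd.conf stanza advertising the LAN /64 (SLAAC needs exactly a /64)."""
    lan = lan_prefix(public_v4, subnet_id)
    return (f"interface {lan_if} {{\n"
            f"    AdvSendAdvert on;\n"
            f"    prefix {lan} {{\n"
            f"        AdvOnLink on;\n"
            f"        AdvAutonomous on;\n"
            f"    }};\n"
            f"}};\n")


if __name__ == "__main__":
    # Re-run with the new public address whenever the dynamic IPv4 lease changes.
    for cmd in linux_commands("192.0.2.1", local_v4="192.168.1.10"):
        print(cmd)
    print(radvd_conf("192.0.2.1"))
```

On an address change the old tunnel and addresses have to be torn down first (ip tunnel del tun6to4, and removing the old /64 from eth0), then the rendered commands are applied and radvd is restarted with the new stanza; hosts on the LAN will pick up the new prefix on the next router advertisement.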
SixXS Tunnel
Since I don't have native IPv6 access and don't have a static IPv4 address, my only option to get static public IPv6 addressing is to use a tunnel broker. Luckily for me, they are currently free! I chose SixXS because they have PoPs relatively close to me.
Handle Request
A SixXS IPv6 tunnel is free, but it's not as carefree as signing up for a free email, bulletin board or blog account. You need to read the requirements, provide accurate information and qualified information. For example you can't use a free email address like from Hotmail or Yahoo. I thought I could get away with using my own hosted email since I have two public IPs serving the DNS and MX targets, but my initial handle application was rejected due to an improper email address. (Okay, it is one host that has both IPs, so it's not as stable as an ISP account.) If you provide accurate and qualified information the first time you will get a quick response. When I sent a reply email requesting to update my profile with my ISP email address I had to wait nearly two weeks for a reply. This is not a complaint but a warning: doing it right the first time gets you faster results!
I don't fully understand the handle terminology but am pretty sure it is a standard term with both IPv4 and IPv6 authorities who assign address ranges. If you already have a RIPE handle you can use it when getting a SixXS account; otherwise just apply directly to SixXS.
After you apply to SixXS with the proper and qualified information you will be approved and get a handle/profile/account/login. You also get 25 ISK credits.
ISK Credits
The ISK credits are a system limiting your requests and encouraging your continued use of your IPv6 tunnel. As it currently stands you have enough credits to request a tunnel when you first sign on but have to have a tunnel up for a week--or at least for one ping a day for a week for dynamic tunnels if I understand correctly--to earn enough credits to request a subnet. You can gain bonus ISK credits as stated in the FAQ. You spend ISK credits making requests and can also lose them for various actions or nonuse of a static tunnel.
A tunnel without a subnet gives you one usable public IPv6 address. A subnet gives you a large range of public addresses.
Tunnel
If you're familiar with a virtual private network, then a SixXS IPv6 tunnel is basically the same concept in reverse. Instead of tunneling from a public address to gain access to a private network you are tunneling from an otherwise private network to open it to the world-routable IPv6 network, and the public tunnel endpoint routes your address(es) to you over the IPv4 tunnel.
With my SixXS tunnel I was finally able to view the dancing KAME turtle at http://www.kame.net/ . For some reason I had been unable to do this over Teredo or 6to4.
Static
A static tunnel requires that you have a static IPv4 address. If you don't keep your static tunnel active you lose ISK credits.
I don't have a static address, so I didn't investigate this option.
Heartbeat
The SixXS heartbeat protocol has your client send a heartbeat packet once a minute or so to the tunnel endpoint. If and when your IPv4 address changes the heartbeat will come from the new IPv4 address and the PoP will know where to send its tunnel packets. The data are 6in4 packets (IP protocol 41), so like the 6to4 setup mentioned earlier your router will either need to support 6in4 (unlikely) or be able to forward protocol 41 packets to your tunnel endpoint machine (which can be a Windows desktop running the easy-to-use AICCU).
I chose this type of tunnel because I already knew I could properly forward the 6in4 packets from my router to my local tunnel endpoint and because this tunnel type is less of a load on the SixXS PoPs. I took the easy Windows GUI method and downloaded the graphical AICCU client.
AYIYA
The anything-in-anything tunneling protocol (AYIYA) is supposed to be the most universal: it encapsulates the tunnel in UDP rather than raw protocol 41, so it passes through NATs without any router configuration, at the cost of extra overhead that is more taxing on the SixXS PoPs.
I chose against this for the exact reasons I chose the heartbeat protocol. But for those who won't or can't modify their router settings this is probably the method to use.
Subnet
After a week of tunnel uptime I earned enough ISK credits to request a subnet. It was approved quickly. The subnet is a different /48 than my tunnel endpoints. The /48 is routed to me over the tunnel.
I had been using the Windows AICCU client for the one-address tunnel, but now I want a Linux box to act as the router. I used the same Linux box I used for the 6to4 subnet, so my 6in4 sit0 interface was already set up.
I took the following steps to make the subnet usable on my LAN (from a Linux box that was already set up to route IPv4 and IPv6):
- Added the tunnel endpoint IPv6 address to the 6in4 interface on my Linux box
- Added a prefix from my subnet to my router advertisement daemon on the Linux box advertising on the LAN interface
- Added <my subnet>/64 and <my subnet>/48 routes on the Linux router to the LAN interface
I learned some routing lessons in setting this up. Before I added the routes on my Linux router I could watch the IPv6 traffic (using tcpdump) go across the router, but it wouldn't go to my workstation trying to ping6 www.sixxs.net . So I added the <my subnet>/64 route and the hosts worked. I realized that the packets must have been bouncing back over the tunnel to the IPv6 internet resulting in circular routing. It occurred to me that I needed to route the whole /48 somewhere so it doesn't bounce back over the tunnel if some packets get directed to an unused prefix in my subnet. Sure, adding the /64 is redundant to adding the /48, but it gives me a reminder and some flexibility for the future should I decide to add another prefix (for lab routing experience) or reroute the unused prefixes to another interface.
I can now view the Kame dancing turtle from any IPv6-enabled host on my LAN! (For some reason the IPv6 address for www.kame.net is unreachable over 6to4 and Teredo.)
Having the subnet puts all the IPv6 hosts on my previously private LAN on the publicly addressable IPv6 internet. I really need to double-check my updates and firewall rules and be sure the firewalls are working properly on IPv6 traffic. I definitely need to apply some updates, but I learned the hard way not to trust local machines on the LAN, so I already have some safeguards in place.
DNS
IPv6 uses AAAA records (RFC 3596) instead of IPv4's A records to resolve host names to addresses. Adding AAAA record support may require reviewing your DNS server setup if you run your own DNS servers. If you do not run your own DNS server then your current setup will probably work just fine.
On an IPv6-only network DNS servers would need to have IPv6 addresses and registrars would need IPv6 "glue" records so that a recursive DNS server can find a domain's authoritative name servers when those servers are named inside the domain itself. However, most registrars do not support IPv6 glue right now. So for today's real-world installations a recursive DNS server will need IPv4 access. And since most hosts are IPv4-only anyway it's a moot point: your DNS server will have IPv4 connectivity.
At the moment all of my DNS servers are bound only to IPv4 addresses. As long as DNS requesters are dual stacked (having both IPv4 and IPv6 enabled) this works fine; they can look up an IPv6 AAAA record by querying a DNS server on an IPv4 address and then connect to the IPv6 host via IPv6. I am curious if there will be an issue when I want to enable reverse lookups on the SixXS subnet I wish to request. I am further curious if there are issues with binding the following servers to an IPv6 address or interface. I'll find out later.
Dnsmasq
Dnsmasq is a small DNS and DHCP server that supports IPv6 name records. I don't recall why, but I chose djbdns over this when originally choosing my IPv4 DNS server. When setting up IPv6 at home I mistakenly thought djbdns's dnscache would not handle AAAA name records and so switched to dnsmasq with DHCP disabled. It worked fine for a few days resolving A and AAAA records, but I only used it as a caching resolver.
I have since switched from dnscache to dnsmasq. dnsmasq can bind to IPv4 and IPv6 addresses and can query over either protocol. It does not recurse; it only caches and forwards DNS lookup requests, so you'll have to point it at another resolver such as your ISP's or better yet SixXS's Google-over-IPv6-enabled resolvers if you have a SixXS tunnel. If it weren't for SixXS resolvers' Google-over-IPv6 capability I would probably switch to PowerDNS's Recursor if I wanted an IPv6-transport recursing resolver or stick with dnscache if I want an IPv4-transport-only resolver.
djbdns
I have been using djbdns for my IPv4 name resolution the entire time I've run my own DNS servers for home and public use. My public servers have been virtual private servers with limited resources, so I like how small and simple yet powerful djbdns is.
tinydns
While other name servers handle both authoritative and recursive lookups in one daemon, tinydns is the authoritative portion of djbdns. It only answers queries that are in its database, and it does not forward requests to other servers.
There are IPv6 patches for tinydns, but it doesn't really need them. tinydns was designed to support arbitrary record types. What is missing is the nice shortcut lines and helper programs like add-alias or add-host for AAAA records. The IPv6 patches add the shortcuts and non-generic record formats for IPv6. Without the patches you can add lines to the tinydns data file using the generic record format and then run tinydns-data or simply run the make command to do it for you. There is an AAAA tinydns record builder at anders.com.
tinydns generic record format:
:fqdn:n:rdata:ttl:timestamp:lo
Generic record for fqdn. tinydns-data creates a record of type n for fqdn showing rdata. n must be an integer between 1 and 65535; it must not be 2 (NS), 5 (CNAME), 6 (SOA), 12 (PTR), 15 (MX), or 252 (AXFR). The proper format of rdata depends on n. You may use octal \nnn codes to include arbitrary bytes inside rdata.
So for an unpatched tinydns an AAAA record (record type 28) for ipv6-host.example.com at 2001:db8::1 expiring after 86,400 seconds (and not specifying a timestamp or location) would look like this: :ipv6-host.example.com:28:\040\001\015\270\000\000\000\000\000\000\000\000\000\000\000\001:86400
Personally I am intending to make a script to manage the AAAA record creation and update the active database by running make.
I don't yet know if tinydns can bind to an IPv6 interface.
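An added example in Python (not part of djbdns and not the author's planned script) that generates the generic AAAA line exactly as shown above and, because the generic format refuses type 12, the matching '^' PTR line for the ip6.arpa reverse zone, which is what reverse lookups on a delegated subnet would need. The host name and address are the ones from the paragraph above; the reverse zone is assumed to be served by the same tinydns instance.

```python
"""Generate tinydns data lines for an IPv6 host without the IPv6 patches: a
generic (':') AAAA record with octal-escaped rdata, and the matching PTR line
for ip6.arpa.  Added example, not part of djbdns.  The host name and address
2001:db8::1 are the page's own; the reverse zone is assumed to be delegated
to this tinydns instance."""
from ipaddress import IPv6Address

AAAA_TYPE = 28  # RFC 3596


def octal_escape(data: bytes) -> str:
    """tinydns-data accepts \\nnn octal escapes in rdata.  Escaping every byte
    sidesteps a raw ':' (the field separator) and any non-printable byte."""
    return "".join(f"\\{b:03o}" for b in data)


def check_name(fqdn: str) -> str:
    """tinydns names carry no trailing dot and must not contain the separator."""
    if not fqdn or ":" in fqdn or "\\" in fqdn or fqdn.endswith("."):
        raise ValueError(f"bad name for a tinydns data line: {fqdn!r}")
    return fqdn


def tinydns_aaaa(fqdn: str, address: str, ttl: int = 86400) -> str:
    """':fqdn:28:rdata:ttl' with the 16 address bytes as \\nnn escapes."""
    rdata = IPv6Address(address).packed
    return f":{check_name(fqdn)}:{AAAA_TYPE}:{octal_escape(rdata)}:{ttl}"


def ip6_arpa(address: str) -> str:
    """Reverse name: all 32 nibbles of the expanded address, reversed, dotted."""
    nibbles = IPv6Address(address).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def tinydns_ptr(address: str, fqdn: str, ttl: int = 86400) -> str:
    """PTR (type 12) is refused by the generic format, so use tinydns' '^' line."""
    return f"^{ip6_arpa(address)}:{check_name(fqdn)}:{ttl}"


def data_lines(hosts: dict, ttl: int = 86400) -> str:
    """Forward and reverse lines for {fqdn: address}, ready to append to the
    tinydns 'data' file before running make (or tinydns-data directly)."""
    out = []
    for fqdn, address in sorted(hosts.items()):
        out.append(tinydns_aaaa(fqdn, address, ttl))
        out.append(tinydns_ptr(address, fqdn, ttl))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(data_lines({"ipv6-host.example.com": "2001:db8::1"}), end="")
```

The PTR line only gets served if the corresponding ip6.arpa zone is delegated to this tinydns (tinydns answers for whatever names are in its data, but the parent zone has to point at it); until then it is harmless but invisible.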
dnscache
dnscache is the recursive lookup portion of djbdns, meaning it does not have a preset database of addresses but instead asks other DNS servers for addresses and then caches the results until they expire or until the daemon is restarted.
I have used dnscache at home and on my public server rather than trust my ISPs' DNS servers. Contrary to my first misunderstanding, dnscache handles AAAA records without modification.
dnscache requires a patch to its ucspi-tcp component to be able to bind to IPv6 addresses in order to serve requests over IPv6. *** I am not sure if this is correct; I am not sure if dnscache can bind to an IPv6 interface.
It occurred to me after writing this article that I don't know if dnscache can query DNS servers over IPv6. In an all-IPv6 network that would be necessary, but in practical use it may be years before this is needed.
BIND
BIND is the de facto standard DNS server. I don't use it, but unlike tinydns it parses each record type it knows by name, so an old release can refuse a zone file that contains AAAA records. Any BIND 9 release understands AAAA (and BIND 9 also accepts unknown types in the generic RFC 3597 syntax), so BIND 9 is highly recommended over previous versions.
Windows DNS Server
Please see the Microsoft Windows Notes section of this page.
Microsoft Windows Notes
- Windows workstation OSes (XP and Vista) enable frequently changing IPv6 addresses as a privacy feature (RFC 4941 temporary addresses). This may be turned off with a netsh command: netsh interface ipv6 set privacy state=disabled . Windows server OSes have privacy disabled by default. Disable it only on hosts that need a stable address (servers, anything registered in DNS or allowed through a firewall by address); on these versions the stable address is derived from the MAC, so it also exposes the hardware address and lets the host be tracked across networks.
- Windows Vista has IPv6 enabled by default
- WINS does not resolve IPv6 addresses and will not be updated to do so since DNS is the modern Windows client-server name resolution protocol and PNRP is the modern Windows peer-to-peer name resolution protocol.
- Windows DNS in Server 2003 handles IPv6 natively. Use Action->Other New Records... and choose IPv6 Host to manually create an AAAA record. The server will add its IPv6 address to the appropriate forward lookup zone.
- Link-local addresses will not be added to the database. This is appropriate behavior.
- The DHCP Client service is the service that registers with DDNS, even if the interface is manually configured. So do not disable the DHCP Client service if you wish to use DDNS. The DNS Client service just caches DNS lookup results.
- Windows XP will not register its IPv6 address in DDNS, but Windows Vista will.
Experiments in IPv6
In this section I will babble a bit about some of the things I did. The important points should make it back as bullet points in Lessons Learned or Microsoft Windows Notes.
Windows File Sharing
Since IPv6 is included in Windows XP SP2 and later I just assumed file sharing would work over IPv6. Not in Windows XP, sorry!
Windows Server 2003 and Windows Vista are supposed to use IPv6 for file sharing. My Windows Server 2003 is listening on an IPv6 interface as shown by netstat -an:
TCP    [::]:135    [::]:0    LISTENING    0
TCP    [::]:445    [::]:0    LISTENING    0
But my Windows XP Professional box does not. I am also unable to use my Windows XP client to read a share from the server over IPv6.
Note that literal IPv6 addresses are unusable even in Vista and Server 2003 file sharing[3]. The colon is not permitted in a UNC path, so you're not going to use a path like \\2001:db8::1\sharename\folder\filename or even \\[2001:db8::1]\sharename\folder\filename in the foreseeable future. In my experiments I added IPv6-only hostnames such as host.ipv6.example.com to my DNS servers and tried to connect to them. As a workaround Microsoft uses the ipv6-literal.net domain: the address is written with hyphens instead of colons (and an 's' instead of '%' before a zone ID), so to connect to host 2001:db8::1 (short notation for 2001:db8:0:0:0:0:0:1) you can use 2001-db8-0-0-0-0-0-1.ipv6-literal.net . At least according to the referenced link earlier in the paragraph. The Windows DNS client converts these names back into addresses locally, without sending a query; there are no such records in the public DNS, so an external resolver will not return anything for them. I just tried resolving IPv6 addresses for 6to4 addresses and my SixXS subnet address, and I couldn't resolve any with the Linux host command, Windows nslookup command or the Windows 2003 Server ping command (with parameter -6). I will have to get a second Windows Server or a Vista box up and running to see if I can get it to work between them. Of course you can always assign your own DNS names if you run a DNS server.
Windows Terminal Services
I had also assumed that getting a world-routable IPv6 subnet would enable me to use Remote Desktop / Terminal Services to my LAN hosts. However the evidence is mounting that these services won't work over IPv6. I am not sure yet, but my Windows Server 2003 is not listening to an IPv6 interface on port 3389 and I have been unable to remote desktop between machines using IPv6-only host names. An article[4] written in 2003 states that Windows XP Remote Desktop does not work with IPv6; there has been a new Remote Desktop client since then, but I can't find any IPv6 info about it.
UPDATE: Terminal services can work over IPv6. I recently lost local IPv4 connectivity due to a DHCP server changeover and still managed to TS from a Windows 7 Beta machine into a Server 2008 machine, and over two SixXS tunnels I connected from Windows XP with the upgraded TS client to the same Server 2008 machine which is definitely unreachable by IPv4. IPv6 connectivity verified by netstat. So the XP client can use IPv6, and Server 2008 TS can use it.
BitTorrent
SixXS runs an IPv6-only BitTorrent tracker, so I gave it a try.
My BitTornado client was an older 0.3 version but seemed to support the IPv6 parameters. It threw a Python error that seemed to indicate the bundled Python interpreter didn't have the IPv6 code with it. I updated to the latest BitTornado and was able to connect using the parameters "--ipv6_enabled 1 --ipv6_binds_v4 0".
At first I was unable to connect to anything but the tracker, but that was because nobody else was connected for the files I requested. I found one file I wanted that had one seed user connected and was able to download the entire file, albeit from one other BitTorrent user. But after several hours nobody has tried downloading any part of the file from me. Normally that would indicate firewall problems, but in this case I think there was just nobody out there trying to download via this tracker.
Once there are more people on IPv6 BitTorrent will be fabulous because there's no need for NAT traversal. But for now there aren't enough people using it to keep the catalog seeded.
Public Domain For My Public Home Network
Before getting the public IPv6 subnet I was mostly stuck behind a NAT on a private LAN. I had my own DNS server set up with a private local domain. I used .local as recommended in some RFC but found this can cause problems as some software uses .local for its own purposes, and my company uses .local for their intranet. So even before I went public via IPv6 I was considering changing my domain name.
I realized that since I would have publicly-routable hosts I would want public names for them. I have several public domain names, but they are fairly long, and I foresee needing to type the domain more frequently as I access different services on different hosts from distant networks. So I went in search of a short public domain name for my home network.
Since I am getting the domain name for my IPv6-enabled network I wanted a registrar that will let me assign IPv6 glue for the name servers; this means that a client that is connected via IPv6-only will be able to find and resolve my names. I chose Joker largely because SixXS uses them.
The .us domain does not have IPv6 glue enabled yet, so that's out. .com, .net and .org seem to be my best bets for having IPv6 glue, being appropriate for my use and being available through an IPv6-friendly registrar. One- and two-letter names are long gone. Three-letter names are gone for .com and .net, but I wanted .net over .org because it's faster for me to type and seems to go well with my purpose. So I searched for available 4-letter .net names with the tools at Domain Name Soup.com. There's a link to attempt to find pronounceable names. The first list of 10 or so names had two 4-letter .net names I liked. I guess I was lucky because I didn't find any available names I liked in many tries after that. One of my two favorites was actually taken, but the other one wasn't so I registered it via Joker. My name is easy to remember and fairly easy to type, but I just now realized it ends in "o" which is the same finger I need to press the "." key afterward. Oh well, overall it's a decent enough name. I won't share it yet as it's not fully implemented, but I think it is going to become the domain for all my IPv6 hosts and services.
Worked For Me
Here's a list of software I made work over IPv6.
- Apache 2 - If you are not listening on all addresses (Listen 10.0.0.1:80 instead of Listen 80) then you'll need to add a Listen line for the IPv6 address in brackets as well (Listen [2001:db8::1]:80). In the future I hope to assign an IPv6 address to each virtual host so each vhost can use TLS/SSL.
- openssh - It just works.
- PuTTY - I had an old version and needed an upgrade. I use it to tunnel ports and noticed it made the port available on ::1 as well as 127.0.0.1. ::1 will be nicer to type I think, although I had hoped IPv6 would let me stop tunneling ports so much.
- Mozilla Firefox on Windows - It works with resolved and bracketed literal IPs.
- IE7 on Windows XP - It works with resolved and bracketed literal IPs. (I think I remember writing that literal IPs didn't work, but they just did. Perhaps it's a link scope issue.)
- Iceweasel (Firefox rebranded on Debian Linux) - It just works.
- BitTornado with the "--ipv6_enabled 1 --ipv6_binds_v4 0" command line options
- OpenVZ. I was unable to get the tunnel or radvd running in a VE, so it runs in the host node. I had mixed results using veth networking and having the VE's autoconfigure via RA announcements, but for my purposes it turned out to be easier to use venet networking and just configure the VE addresses statically while radvd serves the physical network only.
Summary of Lessons Learned
- A router advertisement daemon must advertise a /64 prefix by design. This may not be intuitive if you are assigned a /48 or other range of addresses. The reason is that stateless autoconfiguration is designed to have a 64-bit prefix and a 64-bit extended unique identifier (EUI-64). That /48 actually gives you 65,536 /64 prefixes to use, just in case you add a few dozen thousand subnets to your network. I believe it is possible to use subnet prefixes of different sizes, but you won't be able to use stateless autoconfiguration; you'll have to use DHCPv6 or manual configuration instead. But why would you want to? 65,536 subnets of up to 2^64 hosts each should be enough for your needs for the foreseeable future even if you are the largest organization in the solar system. And if that's not enough I'm sure you can get a second or third /48 if you need it.
- A Linux interface running a router advertisement daemon will not configure itself to the advertised prefix; I had to add an IPv6 address manually. I'm not sure yet if I goofed something up or if this is by design. I suppose it's not necessary for the router to have a prefix address since it can be accessed by its link-local address for forwarding packets, so perhaps this is by design. Or perhaps the interface simply doesn't listen to itself.
- For mobile computing: Teredo can be used to get IPv6 access when given a private IPv4 address (as from behind a NAT, as typical in many hotels), and 6to4 can be used to get IPv6 connectivity when assigned a public IPv4 address (as typical when using a cellular ISP PC card).
- 6to4 subnetting on Linux behind a NAT using 6in4 packet forwarding is doable behind a dynamic IPv4 address but requires reconfiguration whenever the public address changes.
- djbdns can handle AAAA (and any arbitrary record type) without patching. The available IPv6 patches just make nicer shortcuts for record creation.
- Old BIND releases reject record types they do not know about, so make sure you're on a version that understands AAAA (any BIND 9) if you're using BIND for IPv6 name resolution.
- See the Microsoft Windows Notes section of this page for Windows-specific lessons learned.
