DNS and Bind, 4th Edition
How to get connected
In contrast to the classic "IPv6-over-IPv4 tunnel" setup, you do not register at a 6bone-gateway, which will then forward you any v6 traffic (encapsulated in v4). Instead, because your IPv6 address is derived from your IPv4 address, any answers will be sent to you through your nearest 6to4 gateway. De-encapsulation of the packet is done via a 6to4-capable network interface, which then forwards the resulting v6 package according to your routing setup -- in case you have more than one machine connected on your 6to4 assigned network.
For sending out v6 packets, the 6to4-capable network interface will take the v6 packet, and encapsulate it into a v4 packet. You still need a 6bone-connected 6to4-gateway as an uplink that will de-encapsulate your packets, and forward them on over the 6Bone.
In contrast to the "configured tunnel" setup, you usually can't set up packet filters to block 6to4-packets from unauthorized sources, as this is exactly how (and why) 6to4 works at all. As such, malicious users can send packets with invalid/hazardous IPv6 payloads. If you don't already filter on your border gateways anyway, packets with the following characteristics should not be allowed as valid 6to4 packets, and some firewalling seems to be justified for them:
- unspecified v4 source/destination address: 0.0.0.0/8
- loopback address in outer (v4) source/destination: 127.0.0.0/8
- IPv4 multicast in source/destination: 188.8.131.52/4
- limited broadcasts: 255.0.0.0/8
- subnet broadcast address as source/destination: depends on your v4 setup
The NetBSD stf(4) man page documents some common configuration mistakes intercepted by default by the KAME stack as well as some further advice on filtering. Keep in mind that because of the requirement of these filters, 6to4 is not perfectly secure. Still, if forged 6to4 packets become a problem, you can use IPsec authentication to ensure the IPv6 packets are not modified.
Data needed for 6to4 setup
In order to setup and configure IPv6 over 6to4, a few bits of configuration data must be known in advance. These are:
Your local IPv4 number. It can be determined using either the
netstat -icommands on most Unix systems. If you use a NAT gateway or something similar, be sure to use the official, outside-visible address, not your private (10/8 or 192.168/16) one.
We will use 184.108.40.206 as the local IPv4 address in our example.
First you will need to know your local IPv6 address, as derived from the IPv4 address. See the instructions above on how to do that.
For our example, this is
2002:3ee0:3972:0001::1(0x3ee03972 is the IP address
220.127.116.11converted into hex. 0001::1 is an individual machine address and was arbitrarily chosen to identify this computer)..
Depending on your IPv6 stack, you'll need either the IPv6- or IPv4-number of the 6to4 uplink gateway you want to use. If you use a BSD/KAME based IP-stack, the v6 number will do, as it also contains the v4 number in the usual 6to4 translation. If you use Linux, having the gateway's IPv4 number will be handy.
We will use
2002:c25f:6cbf::1(== 18.104.22.168 == 6to4.ipv6.fh-regensburg.de).
To process 6to4 packets, the operating system kernel needs to know about them. to do this, a driver has to be compiled in that knows about 6to4, and how to handle it.
For a BSD/KAME derived kernel, put the following into your kernel configuration file to prepare it for using IPv6 and 6to4. For example, on NetBSD use:
options INET6 # IPv6 pseudo-device stf # 6to4 IPv6 over IPv4 encapsulation
Note that the
stf(4) device is not enabled by default. Please consult
these documents on kernel configuration and compilation for assistance.
On Linux, do a
make config or
make menuconfig, and make sure the following answers are made:
Networking options The IPv6 protocol: yes IPv6: enable EUI-64 token format: yes IPv6: disable provider based address: yes
After these configuration steps, build and install the kernel (and any assorted modules, for Linux), then reboot your system to use the new kernel. Please consult your BSD/Linux flavor's documentation for further information on building and installing a new kernel.