ONLamp.com

Getting Connected with 6to4
Pages: 1, 2, 3

How to get connected

In contrast to the classic "IPv6-over-IPv4 tunnel" setup, you do not register with a 6bone gateway that then forwards all your v6 traffic to you (encapsulated in v4). Instead, because your IPv6 address is derived from your IPv4 address, any answers can reach you through whichever 6to4 relay the sender's network routes 2002::/16 to, which need not be the relay you use as your uplink. Decapsulation of the packet is done by a 6to4-capable network interface, which then forwards the resulting v6 packet according to your routing setup -- relevant in case you have more than one machine connected on your 6to4-assigned network.



For sending out v6 packets, the 6to4-capable network interface takes the v6 packet and encapsulates it in a v4 packet (IPv4 protocol 41, IPv6-in-IPv4). Traffic to other 6to4 sites goes directly to their IPv4 address; to reach native IPv6 destinations you still need a 6bone-connected 6to4 gateway as an uplink that decapsulates your packets and forwards them on over the 6bone.

Figure: request and reply routing. Request and reply can be routed via different gateways in 6to4.

Security considerations

In contrast to the "configured tunnel" setup, you usually can't set up packet filters to block 6to4 packets from unauthorized sources, because accepting protocol-41 packets from any IPv4 address is exactly how (and why) 6to4 works at all. As a result, malicious users can send you packets with arbitrary, possibly hazardous IPv6 payloads, and the outer IPv4 source address tells you nothing reliable about who really sent them. If you don't already filter on your border gateways anyway, packets with the following characteristics should never be accepted as valid 6to4 packets, and some firewalling is justified for them:

  • unspecified v4 source/destination address: 0.0.0.0/8
  • loopback address in outer (v4) source/destination: 127.0.0.0/8
  • IPv4 multicast in source/destination: 224.0.0.0/4
  • limited broadcast and the rest of the reserved 255/8 block: 255.0.0.0/8
  • subnet broadcast address as source/destination: depends on your v4 setup

The NetBSD stf(4) man page documents the checks the KAME stack performs by default on incoming 6to4 packets, as well as further advice on filtering. Keep in mind that these filters only reject the obviously bogus cases: the outer IPv4 source can still be forged, so 6to4 is not secure against spoofing. If forged 6to4 packets become a problem, you can use IPsec authentication on the inner IPv6 packets, end to end between the IPv6 peers, so that forged or modified packets fail verification regardless of which gateway carried them.
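The following Python script is an added example; it is not code from the article, the KAME stack or the NetBSD stf(4) driver. It builds a protocol-41 (IPv6-in-IPv4) packet the way the 6to4 interface described above does, and applies the checks from the list to an incoming one: the reserved outer IPv4 ranges, the subnet broadcast addresses of assumed local networks, and, going one step beyond the list, the RFC 3964 check that a 2002:: inner source must embed the outer IPv4 source address, plus a check that the inner destination lies in the site's own /48 so the box cannot be used as an open relay. The article's two addresses (62.224.57.114 and 194.95.108.191) are used as given; the local subnet 62.224.57.0/24 and the other sample addresses are assumed for illustration, and every packet is constructed inline.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41                            # IPv6-in-IPv4 encapsulation
SIXTO4 = ipaddress.IPv6Network("2002::/16")

# Outer IPv4 addresses that can never belong to a legitimate 6to4 endpoint.
INVALID_V4 = [
    ipaddress.IPv4Network("0.0.0.0/8"),      # unspecified
    ipaddress.IPv4Network("127.0.0.0/8"),    # loopback
    ipaddress.IPv4Network("224.0.0.0/4"),    # multicast
    ipaddress.IPv4Network("255.0.0.0/8"),    # limited broadcast / reserved
]


def sixto4_prefix(v4):
    """The 2002:xxxx:xxxx::/48 prefix derived from an IPv4 address (RFC 3056)."""
    v4 = ipaddress.IPv4Address(v4)
    return ipaddress.IPv6Network((int(SIXTO4.network_address) | (int(v4) << 80), 48))


def embedded_ipv4(v6):
    """The IPv4 address carried in bits 16..47 of a 6to4 address."""
    return ipaddress.IPv4Address((int(ipaddress.IPv6Address(v6)) >> 80) & 0xFFFFFFFF)


def v4_addr_problem(addr, local_subnets):
    """Reason string if addr must not appear as an outer src/dst, else None."""
    for net in INVALID_V4:
        if addr in net:
            return f"{addr} is in reserved range {net}"
    for net in local_subnets:
        if addr == net.broadcast_address:
            return f"{addr} is the broadcast address of {net}"
    return None


def check_6to4_packet(raw, our_v4, local_subnets=()):
    """Return (accept, reason) for a raw IPv4 datagram received on a 6to4 router.

    our_v4: the router's public IPv4 address (defines the site's 2002 prefix).
    local_subnets: IPv4 networks whose subnet broadcast addresses are refused.
    """
    local_subnets = [ipaddress.IPv4Network(n) for n in local_subnets]
    if len(raw) < 20:
        return False, "truncated IPv4 header"
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        return False, "outer packet is not IPv4"
    if proto != IPPROTO_IPV6:
        return False, f"outer protocol {proto} is not IPv6-in-IPv4 (41)"
    osrc, odst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for which, addr in (("source", osrc), ("destination", odst)):
        why = v4_addr_problem(addr, local_subnets)
        if why:
            return False, f"outer {which}: {why}"

    inner = raw[(ver_ihl & 0x0F) * 4:]          # skip IPv4 header incl. options
    if len(inner) < 40:
        return False, "truncated IPv6 header"
    vtf, _, _, _, src6, dst6 = struct.unpack("!IHBB16s16s", inner[:40])
    if vtf >> 28 != 6:
        return False, "inner packet is not IPv6"
    isrc, idst = ipaddress.IPv6Address(src6), ipaddress.IPv6Address(dst6)

    # A 6to4 inner source must embed a usable IPv4 address and, per RFC 3964,
    # that address must be the one the outer packet actually came from.
    if isrc in SIXTO4:
        emb = embedded_ipv4(isrc)
        why = v4_addr_problem(emb, local_subnets)
        if why:
            return False, f"inner source embeds a bad IPv4 address: {why}"
        if emb != osrc:
            return False, f"inner source {isrc} embeds {emb}, outer source is {osrc}"
    # A leaf site decapsulates only traffic for its own /48; accepting other
    # 2002:: destinations would turn this box into an open relay.
    ours6 = sixto4_prefix(our_v4)
    if idst not in ours6:
        return False, f"inner destination {idst} is outside {ours6}"
    return True, "ok"


def build_6to4(outer_src, outer_dst, inner_src, inner_dst, payload=b""):
    """Constructed packet: IPv4 header (proto 41) + IPv6 header + payload."""
    v6 = struct.pack("!IHBB16s16s", 6 << 28, len(payload), 59, 64,  # 59: no next header
                     ipaddress.IPv6Address(inner_src).packed,
                     ipaddress.IPv6Address(inner_dst).packed) + payload
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0, 64,
                     IPPROTO_IPV6, 0, ipaddress.IPv4Address(outer_src).packed,
                     ipaddress.IPv4Address(outer_dst).packed)
    return v4 + v6


if __name__ == "__main__":
    ours = "62.224.57.114"                       # article's example site
    relay, us6 = "194.95.108.191", "2002:3ee0:3972:1::1"
    cases = {                                    # assumed sample traffic
        "direct from another 6to4 site": build_6to4(relay, ours, "2002:c25f:6cbf::1", us6),
        "native v6 host via a relay":    build_6to4(relay, ours, "2001:db8::1", us6),
        "spoofed 6to4 inner source":     build_6to4("198.51.100.7", ours, "2002:c25f:6cbf::1", us6),
        "loopback outer source":         build_6to4("127.0.0.1", ours, "2002:7f00:1::1", us6),
        "subnet broadcast outer source": build_6to4("62.224.57.255", ours, "2002:3ee0:39ff::1", us6),
    }
    for name, pkt in cases.items():
        print(f"{name:30s} -> {check_6to4_packet(pkt, ours, ['62.224.57.0/24'])}")
```

The source-match check is deliberately limited to 2002:: inner sources: a reply from a native IPv6 host arrives with the relay's IPv4 address outside and a native address inside, and must still be accepted. It is the spoofed 6to4-to-6to4 case, where an attacker borrows another site's 2002:: prefix from a different IPv4 address, that this check catches and the plain range filters do not.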

Data needed for 6to4 setup

In order to set up and configure IPv6 over 6to4, a few bits of configuration data must be known in advance. These are:

  • Your local IPv4 address. It can be determined using either the ifconfig -a or netstat -i commands on most Unix systems. If you use a NAT gateway or something similar, be sure to use the official, outside-visible address, not your private one (10/8, 172.16/12 or 192.168/16); the NAT device must also pass IPv4 protocol 41 through to your machine, which most do not do by default.

    We will use 62.224.57.114 as the local IPv4 address in our example.

  • Your local IPv6 address, as derived from the IPv4 address. See the instructions above on how to do that.

    For our example, this is 2002:3ee0:3972:0001::1 (0x3ee03972 is the IP address 62.224.57.114 converted into hex, which gives the site prefix 2002:3ee0:3972::/48; 0001 is the subnet and ::1 the host part, both arbitrarily chosen to identify this computer).

  • Depending on your IPv6 stack, you'll need either the IPv6 or the IPv4 address of the 6to4 uplink gateway you want to use. If you use a BSD/KAME based IP stack, the v6 address will do, as it contains the v4 address in the usual 6to4 encoding. If you use Linux, having the gateway's IPv4 address will be handy.

    We will use 2002:c25f:6cbf::1 (== 194.95.108.191 == 6to4.ipv6.fh-regensburg.de).

Kernel preparation

To process 6to4 packets, the operating system kernel needs to know about them. To do this, a driver that knows about 6to4 and how to handle it has to be compiled in.

For a BSD/KAME derived kernel, put the following into your kernel configuration file to prepare it for using IPv6 and 6to4. For example, on NetBSD use:

options INET6       # IPv6
pseudo-device stf   # 6to4 IPv6 over IPv4 encapsulation

Note that the stf(4) device is not enabled in the default kernel configuration. Please consult the NetBSD documentation on kernel configuration and compilation for assistance.

On Linux, do a make config or make menuconfig, and make sure the following answers are made:

Networking options -> The IPv6 protocol:          yes
IPv6: enable EUI-64 token format:                 yes
IPv6: disable provider based addresses:           yes

After these configuration steps, build and install the kernel (and any associated modules, on Linux), then reboot your system to use the new kernel. Please consult your BSD or Linux flavor's documentation for further information on building and installing a new kernel.
