6to4-Tunneling

Service Providers IPv6
Tunneling
By Gaza IPv6 Project Team
Eng. Alaa H. Ahmed
Gaza IPv6 Project - Eng. Alaa H. Ahmed
Agenda
 Static point-to-point tunneling-6in4
 6to4-Tunneling
 Miredo automatic tunneling
 4 in 6 tunneling
Configuring IPv6-in-IPv4 tunnels
 If you want to leave your link and there is no IPv6-capable
network around you, you need IPv6-in-IPv4 tunneling to reach
the world-wide IPv6 Internet.
 There are several kinds of tunnel mechanisms and several ways
to set up tunnels.
Types of tunnels
 There is more than one way to tunnel IPv6 packets over
IPv4-only links:
 Static point-to-point tunneling: 6in4
 6to4-Tunneling
 Automatically tunneling-Miredo
Static point-to-point tunneling-6in4
 Allows point-to-point tunneling of IPv6 data between network
endpoints via IPv4.
 A point-to-point tunnel is a dedicated tunnel to an endpoint which
knows about your IPv6 network (for backward routing) and the IPv4
address of your tunnel endpoint. Requirements:
 The IPv4 address of your local tunnel endpoint must be static,
globally unique and reachable from the foreign tunnel endpoint.
 A global IPv6 prefix assigned to you.
 A foreign tunnel endpoint capable of routing your IPv6 prefix to
your local tunnel endpoint (mostly remote manual configuration required).
 Requires n(n-1)/2 tunnels for n sites (e.g. ten sites would require
45 tunnels for full mesh connectivity).
Displaying existing tunnels
# /sbin/ip -6 tunnel show [<device>]
# /sbin/ip -6 tunnel show
sit0: ipv6/ip remote any local any ttl 64 nopmtudisc
sit1: ipv6/ip remote 195.226.187.50 local any ttl 64
6in4 Tunneling configuration
 Create an IPv6 tunnel interface:
# /sbin/ip tunnel add <Tunnelname> mode sit local <ipv4addresslocal>
remote <ipv4addressofforeigntunnel>
 Bring it up
# ip link set <Tunnelname> up
 Assign an IPv6 address from a new subnet to the tunnel:
# ip -6 addr add <IPv6 Address >/64 dev <Tunnelname>
6in4 Tunneling configuration
 Route the subnet through the tunnel interface:
# ip -6 route add <prefixtoroute1> dev <Tunnelname> metric 1
 Enable IPv6 forwarding
# echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
 Removing point-to-point tunnels
# /sbin/ip tunnel del <TunnelName>
LAB1
Gaza IPv6 Project - Eng. Mohammed Abu-Jamous
6to4-Tunneling (2002::/16)
 6to4 is an Internet transition mechanism for migrating from
IPv4 to IPv6.
 It allows IPv6 packets to be transmitted over an IPv4 network
without the need to configure explicit tunnels.
 Special relay servers are also in place that allow 6to4 networks
to communicate with native IPv6 networks.
 The host must have a global IPv4 address, and it is responsible
for encapsulating outgoing IPv6 packets and decapsulating incoming
6to4 packets.
6to4-Tunneling (2002::/16)
 6to4 performs three functions:
 Assigns a block of IPv6 address space to any host or
network that has a global IPv4 address.
 Encapsulates IPv6 packets inside IPv4 packets for
transmission over an IPv4 network using 6in4.
 Routes traffic between 6to4 and "native" IPv6 networks.
6to4-Tunneling (2002::/16)
 Most IPv6 networks use autoconfiguration, which
requires the last 64 bits for the host.
 The first 64 bits are the IPv6 prefix.
 The first 16 bits of the prefix are always 2002:
 The next 32 bits are the IPv4 address
 The last 16 bits of the prefix are available for addressing
multiple IPv6 subnets behind the same 6to4 router
IPv4 = 1.2.3.4  ->  IPv6 range = 2002:0102:0304::/48
Your host IP: 2002:0102:0304::1
ipv4="1.2.3.4"; printf "2002:%02x%02x:%02x%02x::1\n" `echo $ipv4 | tr "." " "`
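The address derivation described above, as an added example in Python (not from the original slides): it builds the /48 from an IPv4 address, recovers the IPv4 endpoint from any 2002::/16 address, extracts the subnet id, and checks that the endpoint is globally routable, which the lab address 10.1.12.1 used later in this deck is not.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def ipv4_to_6to4_prefix(ipv4: str) -> str:
    """Return the /48 a 6to4 site derives from its IPv4 address.

    The 32 address bits sit directly behind the fixed 2002::/16, leaving
    16 bits of subnet id (SLA) and 64 bits for the host.
    """
    embedded = int(ipaddress.IPv4Address(ipv4)) << 80  # bits 16-47 from the top
    network = int(SIX_TO_FOUR.network_address) | embedded
    return str(ipaddress.IPv6Network((network, 48)))


def embedded_ipv4(ipv6: str) -> str:
    """Recover the IPv4 tunnel endpoint encoded in any 2002::/16 address.

    A 6to4 relay does exactly this to find where to send the encapsulated
    reply, which is why that endpoint must be reachable from the Internet.
    """
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIX_TO_FOUR:
        raise ValueError(f"{ipv6} is not a 6to4 address")
    return str(ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF))


def subnet_id(ipv6: str) -> int:
    """The 16-bit SLA (bits 48-63) numbering subnets behind the 6to4 router."""
    return (int(ipaddress.IPv6Address(ipv6)) >> 64) & 0xFFFF


def endpoint_is_usable(ipv4: str) -> bool:
    """A private or otherwise non-global IPv4 address (such as 10.1.12.1)
    yields a syntactically valid prefix that no relay on the Internet can
    answer, so check this before building the tunnel."""
    return ipaddress.IPv4Address(ipv4).is_global


if __name__ == "__main__":
    for ip in ("1.2.3.4", "10.1.12.1"):  # the slide's example and the lab address
        print(ip, "->", ipv4_to_6to4_prefix(ip), "usable:", endpoint_is_usable(ip))
    print(embedded_ipv4("2002:a01:c01:1::1"), subnet_id("2002:a01:c01:1::1"))
```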
6to4-Tunneling (2002::/16)
 Border Router & Relay Router
 A 6to4 border router is an IPv6 router supporting a 6to4
tunnel interface.
 It is normally the border router between an IPv6 site and a
wide-area IPv4 network, where the IPv6 site uses a 2002::/16 prefix
derived from the IPv4 address used on the IPv4 side.
 A relay router is a 6to4 router configured to support transit
routing between 6to4 addresses and pure native IPv6 addresses.
6to4-Tunneling (2002::/16)
 To reach the entire IPv6 Internet, a device is required that
accepts your automatic tunnels and is able to forward the
encapsulated IPv6 packets to the IPv6 Internet. This is the task
of a 6to4 relay.
 Relays have been widely deployed and are reachable via the
anycast address 192.88.99.1 from wherever you are.
Implementing 6to4 Tunneling
Configuration
 Configure Linux to forward (route) IPv6.
 Create the 6to4 tunnel.
 Assign IPv6 addresses to the interfaces on the Linux
system.
 Configure IPv6 routing.
 Advertise IPv6 prefixes to the end systems.
Enable Linux as IPv6 Router
 Enable IPv6 packet forwarding
# cat /proc/sys/net/ipv6/conf/all/forwarding
0
# echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
 To make this permanent, edit /etc/sysconfig/network:
NETWORKING=yes
HOSTNAME=localhost.localdomain
NETWORKING_IPV6=yes
IPV6FORWARDING=yes
 Restart the network service
Creating Tunnel
 To create the tunnel we need to know the IPv4 address
of the WAN connection.
# ip addr show dev eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen
1000
link/ether 00:0c:29:b6:07:3d brd ff:ff:ff:ff:ff:ff
inet 10.1.12.1/24 brd 10.1.12.255 scope global eth1
 The tunnel type is called SIT (Simple Internet
Transition) on Linux. The created interface will have
the name tun6to4.
# ip tunnel add tun6to4 mode sit ttl 254 remote any local 10.1.12.1
# ip link set dev tun6to4 up
Creating Tunnel
 The following display shows the tunnel up and running.
# ip link show dev tun6to4
10: tun6to4@NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue
link/sit 10.1.12.1 brd 0.0.0.0
Addressing
 The 6to4 address is a combination of the 6to4 prefix (2002::/16),
the IPv4 address of the WAN interface (10.1.12.1, in hexadecimal
0a01:0c01, written a01:c01 in the address), the site-level
aggregator (SLA or "subnet"; we chose 0 for the WAN interface and
1 for the LAN interface) and the host part. The prefix is /64.
# ip -6 addr add 2002:a01:c01::1/16 dev tun6to4
Addressing
 Looking at the interfaces, we now see these addresses configured:
# ip -6 addr show dev tun6to4
10: tun6to4@NONE: <NOARP,UP,LOWER_UP> mtu 1480
inet6 2002:a01:c01::1/16 scope global
valid_lft forever preferred_lft forever
inet6 ::10.1.12.1/128 scope global
valid_lft forever preferred_lft forever
IPv6 Routing
 As long as the local LAN consists only of directly connected
LAN segments, only two routes are required: a route to other 6to4
sites and a default route.
# ip -6 route add 2000::/3 via ::10.1.23.3 dev tun6to4 metric 1
# ip -6 route add ::/0 via ::192.88.99.1 dev tun6to4 metric 1
# ip -6 route show
2000::/3 via ::10.1.23.3 dev tun6to4 metric 1 …
fe80::/64 dev eth1 metric 256 …
fe80::/64 dev eth0 metric 256 …
fe80::/64 dev tun6to4 metric 256 …
default via fe80::1 dev eth0 metric
Remove a 6to4 tunnel
 Remove all routes through this dedicated tunnel device
# /sbin/ip -6 route flush dev tun6to4
 Shut down interface
# /sbin/ip link set dev tun6to4 down
 Remove created tunnel device
# /sbin/ip tunnel del tun6to4
Automatic IPv6 Tunneling - Teredo
tunneling (2001:0::/32)
 Automatic tunneling occurs when a node connects directly to
another node, having obtained the other node's IPv4 address beforehand.
 Teredo is included by default in Windows releases.
 Miredo is an open source Teredo IPv6 tunneling software for
Linux and the BSD operating systems. It includes functional
implementations of all components of the Teredo specification.
How it works ?
 Teredo operates using a platform-independent tunneling protocol
designed to provide IPv6 (Internet Protocol version 6) connectivity
by encapsulating IPv6 datagram packets within IPv4 User Datagram
Protocol (UDP) packets.
 These datagrams can be routed on the IPv4 Internet and through
NAT devices.
How it works ?
 Teredo client: a host which has IPv4 connectivity to the Internet
from behind a NAT and is assigned an IPv6 address that starts with the
Teredo prefix (2001:0::/32).
 Teredo server: a well-known host which is used for the initial
configuration of a Teredo tunnel. A Teredo server never forwards any
traffic for the client, so it has very modest bandwidth requirements,
which allows a single server to support large numbers of clients.
 Teredo relay: the remote end of a Teredo tunnel. It forwards all of
the data on behalf of the Teredo clients it serves; therefore, a relay
requires a lot of bandwidth and can only support a limited number of
simultaneous clients.
How it works ?
 Bits 0-31 are set to the Teredo prefix (2001:0::/32).
 Bits 32-63: IPv4 address of the Teredo server.
 Bits 64-79: flags and other bits.
 Bits 80-95: the obfuscated UDP port number mapped by the NAT to
the Teredo client, with all bits inverted.
 Bits 96-127: the obfuscated IPv4 address. This is the public IPv4
address of the NAT, with all bits inverted.

Bits       Length    Description
0 - 31     32 bits   Prefix
32 - 63    32 bits   Teredo server IPv4
64 - 79    16 bits   Flags
80 - 95    16 bits   Obfuscated UDP port
96 - 127   32 bits   Obfuscated client public IPv4
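Decoding the fields of this table, as an added example that is not part of the original slides: it splits the Teredo address Miredo reports later in this deck (2001:0:53aa:64c:0:d66c:aa8d:9671) into server, flags and the de-obfuscated client port and public IPv4, which is what an analyst needs to attribute Teredo traffic seen in logs to a NAT, and builds the address back from those fields.

```python
import ipaddress

TEREDO = ipaddress.IPv6Network("2001::/32")
CONE_FLAG = 0x8000  # most significant flag bit: client sits behind a cone NAT


def parse_teredo(ipv6: str) -> dict:
    """Split a Teredo address into its fields (bit offsets counted from the top).

      0-31   Teredo prefix 2001:0::/32
     32-63   IPv4 address of the Teredo server
     64-79   flags
     80-95   client UDP port as mapped by the NAT, all bits inverted
     96-127  public IPv4 of the NAT, all bits inverted
    The inversion is undone by XOR with all-ones of the field width.
    """
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in TEREDO:
        raise ValueError(f"{ipv6} is not in the Teredo prefix 2001:0::/32")
    raw = int(addr)
    server = (raw >> 64) & 0xFFFFFFFF
    flags = (raw >> 48) & 0xFFFF
    port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF
    client = (raw & 0xFFFFFFFF) ^ 0xFFFFFFFF
    return {
        "server": str(ipaddress.IPv4Address(server)),
        "flags": flags,
        "cone_nat": bool(flags & CONE_FLAG),
        "client_port": port,
        "client_ipv4": str(ipaddress.IPv4Address(client)),
    }


def build_teredo(server: str, client_ipv4: str, client_port: int, flags: int = 0) -> str:
    """Inverse of parse_teredo: the address a client with this NAT mapping gets."""
    raw = ((0x20010000 << 96)
           | (int(ipaddress.IPv4Address(server)) << 64)
           | ((flags & 0xFFFF) << 48)
           | (((client_port ^ 0xFFFF) & 0xFFFF) << 32)
           | (int(ipaddress.IPv4Address(client_ipv4)) ^ 0xFFFFFFFF))
    return str(ipaddress.IPv6Address(raw))


if __name__ == "__main__":
    # Address taken from the Miredo start-up log shown later in this deck.
    fields = parse_teredo("2001:0:53aa:64c:0:d66c:aa8d:9671")
    print(fields)  # flags 0 -> cone bit clear, matching "NAT type: restricted"
    print(build_teredo(fields["server"], fields["client_ipv4"], fields["client_port"]))
```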
How it works ?
[Diagram: Teredo client reaching the closest Teredo relay]
Limitations
 Teredo is not compatible with all NAT devices, for example
symmetric NATs.
 Symmetric NAT
 Each request from the same internal IP address and port to a
specific destination IP address and port is mapped to a unique
external source IP address and port; if the same internal host
sends a packet, even with the same source address and port, but to
a different destination, a different mapping is used.
 Only an external host that receives a packet from an internal
host can send a packet back.
Miredo Configuration
 Get the package from the internet
 wget http://www.remlab.net/files/miredo/miredo-1.0.6.tar.bz2
 Extract it
 tar -xvf miredo-1.0.6.tar.bz2
 Install it
 ./configure
 make
 make install
Miredo Configuration
 Start the service
 /usr/local/sbin/miredo -f
[root@localhost sbin]# ./miredo -f
miredo[6325]: Starting...
miredo[6326]: Qualified (NAT type: restricted)
miredo[6326]: New Teredo address/MTU
miredo[6326]: Teredo pseudo-tunnel started
miredo[6326]: (address: 2001:0:53aa:64c:0:d66c:aa8d:9671, MTU: 1280)
Miredo Configuration
 Check the Teredo interface
# ifconfig
teredo Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet6 addr: fe80::ffff:ffff:ffff/64 Scope:Link
inet6 addr: 2001:0:53aa:64c:0:d66c:aa8d:9671/32 Scope:Global
UP POINTOPOINT RUNNING NOARP MTU:1280 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Miredo Configuration
 Ping IPv6 Address
 ipv6.google.com
 www.v6.google.com
[root@localhost ~]# ping6 -c 4 www.kame.net
PING www.kame.net(2001:200:dff:fff1:216:3eff:feb1:44d7) 56 data bytes
64 bytes from 2001:200:dff:fff1:216:3eff:feb1:44d7: icmp_seq=3 ttl=58 time=1235 ms
64 bytes from 2001:200:dff:fff1:216:3eff:feb1:44d7: icmp_seq=2 ttl=58 time=2242 ms
64 bytes from 2001:200:dff:fff1:216:3eff:feb1:44d7: icmp_seq=1 ttl=58 time=3241 ms
64 bytes from 2001:200:dff:fff1:216:3eff:feb1:44d7: icmp_seq=0 ttl=58 time=4243 ms
--- www.kame.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 1235.778/2740.725/4243.165/1120.492 ms, pipe 5
[root@localhost ~]#
Configuring IPv4-in-IPv6 tunnels
 Setup of a point-to-point tunnel
 Create a 4over6 tunnel device
# /sbin/ip tunnel add <device> mode ip4ip6 remote
<ipv6addressofforeigntunnel> local <ipv6addresslocal>
 Bring it up
# /sbin/ip link set dev <device> up
 Add a route
# /sbin/ip -6 route add <prefixtoroute1> dev <device> metric 1