IPv6 tunnel technologies

Dug Out

6to4 – For the Internet

6to4 can act as a router-to-router, host-to-router, and router-to-host tunnel [2]. However, you will typically build the tunnel as a router-to-router configuration. 6to4 treats the entire IPv4 Internet as a single link. The prefix of 6to4 is 2002::/16, that is, it always begins with 2002. The use of a single address prefix means you can always identify a 6to4 tunnel address. The next 32 bits of the address contain the hexadecimal IPv4 address of the remote endpoints of the tunnel, which is a 6to4 router or 6to4 relay. Next are the 16-bit subnet ID and the interface ID of the target system (Figure 4).

Figure 4: 6to4 embeds the target IPv4 address in the IPv6 packet.

Windows systems as of Windows Vista automatically create a 6to4 tunnel interface, if the system uses a public IPv4 address on one of its interfaces and no other IPv6 connectivity (native or on ISATAP) exists. In this case, the 6to4 tunnel interface is assigned an IPv6 address of 2002:WWXX:YYZZ::WWXX:YYZZ, where WWXXYYZZ stands for the public IPv4 address. If the public IPv4 address of a Windows Server 2012-based computer is, for example, 131.107.1.1, then the 6to4 tunnel address is 2002:836B:101::836B:101.

6to4 uses various components to handle different tasks, as follows:

  • 6to4 host: A native IPv6 host that has at least one 6to4 address (prefix 2002::/16) through which it can be reached. This host does not have a 6to4 tunnel interface because it communicates via IPv4. It is the endpoint of IPv6 communications routed via a 6to4 tunnel.
  • 6to4 router: An IPv6/IPv4 router that has a 6to4 tunnel interface, which it uses to forward traffic between 6to4 hosts to another 6to4 router, 6to4 relay, or 6to4 host. 6to4 routers must be configured appropriately – no matter which platform they use.
  • 6to4 host/router: An IPv6/IPv4 host that is connected directly to the Internet. In contrast to the 6to4 router, it forwards only its own traffic via 6to4 to other IPv6 nodes, not the traffic from other systems.
  • 6to4 relay: In contrast to 6to4 routers, a 6to4 relay directs the traffic to the IPv6 Internet. This means that a 6to4 relay must use BGP to connect to the Internet, while 6to4 routers connect a specific IPv6 network.

Each 6to4 site has its own 6to4 prefix (2002:WWXX:YYZZ::/48). The rest of the 6to4 address defines the subnet and the interface ID of the host on the network. From the perspective of a 6to4 host or router, the entire 6to4 site is comprised of a single computer: itself.

How 6to4 Works

For a 6to4 router, the 6to4 site can comprise up to 65,536 subnets. In any case, it sees all the subnets on the site. A 6to4 site can, on the other hand, comprise a single IPv4 address through which the site is accessible. In its router advertisements, the 6to4 router propagates the 6to4 prefix to the internal nodes so that 6to4 also works well with autoconfiguration.

The trick here is that the IPv4 address of the target host's site is embedded in the 6to4 address. The stakeholder systems extract this address and use it to bridge the IPv4 part of the route. In the example scenario from Figure 5, WKS1 wants to communicate with WKS2 and resolves the Fully Qualified Domain Name (FQDN) of WKS2. The DNS server returns the address 2002:9D3C:101:F::1. From the prefix, WKS1 sees that this is a 6to4 address.

Figure 5: A sample scenario for the use of 6to4.

As a 6to4 host/router with a public IPv4 address, WKS1 is itself in a position to tunnel the IPv6 packet in IPv4, so it references bits 17 through 48 to identify the prefix of the 6to4 router's IPv4 address as 157.60.1.1. The tunneled packet is now sent to the 6to4 router, which again unpacks the packet and accordingly forwards it internally. Because WKS1 uses its 6to4 tunnel address of 2002:836B:101::836B:101 as the from address, the 6to4 router can deliver the response packet from WKS2 to the correct IPv4 address, 131.107.1.1, which it extracts from the prefix for WKS1.

To address native IPv6 addresses on the IPv6 Internet, the 6to4 router or 6to4 host/router looks for a 6to4 relay in the neighborhood. The IPv4 Anycast address 192.88.99.1 exists for this purpose. In other words, IPv6 packets to native IPv6 addresses are also encapsulated by 6to4-enabled nodes, where the destination address of the IPv4 header is 192.88.99.1. These packages go to the nearest 6to4 relay and are delivered there with the help of normal IPv6 routing.

The response of the IPv6-only node is also routed via a 6to4 relay, although this is not necessarily the same relay as the one used on the outbound route. This variation in the path can lead to the typical problems associated with asymmetrical routing; for example, a stateful firewall might not be able to correctly assign the response packets. In this context, the nodes on the IPv6 Internet must know a route to a 6to4 relay – but this is not always the case. Additionally, 6to4 has the disadvantage that NAT is only supported if the 6to4 router or the 6to4 relay is also the NAT device. 6to4 is supported by most popular operating system platforms.

6rd – The Evolution

6rd [3] tunneling technology is based on 6to4 and was designed by Rémi Després. 6rd was introduced in 2007 by French provider FREE. The letters "RD" stand for rapid deployment and also happen to be the developer's initials. In contrast to 6to4, 6rd uses end customer prefixes, instead of a separate prefix of its own. This feature contributes to the success of 6rd. After Després published RFC 5569 as an informational RFC, the IETF went on to prepare 6rd for standardization as RFC 5969.

In contrast to 6to4, the data for the communications is transported between internal and external IPv6-only nodes that are connected via the IPv4 Internet by the provider's own 6rd relays (Figure 6). The provider retains full control over IPv6 communications crossing its networks and can therefore also use its own prefixes. Because the public IPv4 address of the 6rd relay must be communicated here, too, it is also embedded in the IPv6 address.

Figure 6: In 6rd, the data for communications between internal IPv6-only nodes is transported via the provider's own 6rd relays.

One special feature of 6rd is the fact that the prefix assigned to a provider is variable, so, in the case of longer prefixes, there are not enough bits in the IPv6 address. If the provider receives a standard prefix (/32) from the Regional Internet Registry (RIR), it can accommodate the IPv4 address in the following 32 bits. But, the provider can only provide a single subnet to the customer, because the last 64 bits of the IPv6 address are reserved for the interface ID. In the case of FREE, the provider later received a /26 prefix. The address was divided so that the IPv4 hex address was embedded after the prefix; then two reserved bits followed, and, finally, the 4-bit subnet ID.

Another approach to the problem of saving static bits for the purpose of supporting longer provider prefixes is to omit redundant parts of the IPv4 address. If a provider, for example, always uses a specific /18 subnet for its customers, the provider can omit the first 18 bits of the IPv4 address without losing any relevant information. The 6rd technique is an interesting approach with the potential of replacing the legacy 6to4 system in the medium term.

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • IPv6 security on IPv4-only networks
    Even though corporations are looking to move to IPv6, in some situations networks still rely exclusively on IPv4. We discuss ways to minimize delays and unsatisfactory behavior in mixed IPv4/IPv6 IT environments.
  • Neglected IPv6 Features

    IPv6 is establishing itself in everyday IT life, and all modern operating systems from Windows, through Mac OS X, to Linux have it on board; but if you let IPv6 introduce itself into your environment, you could be in for some unpleasant surprises.

  • Configuring IPv6 in Windows with NetShell
    Windows provides a simple dialog box for configuring IPv6, but the available settings only scratch the surface. IPv6 comes with many features that are primarily managed using the command-line tool NetShell.
  • Migrating your network to IPv6
    Abraham Lincoln once said, "Give me six hours to chop down a tree and I will spend the first four sharpening the axe." The transition to IPv6 is a big step for many organizations. Careful planning and a systematic approach are critical to a successful migration.
  • IPv6 Tables
    We design a basic set of ip6tables rules for an IPv6 firewall.
comments powered by Disqus