IPv6 over IPv4 tunneling

From CT3

By Ma xyz

IPv6 over IPv4 tunneling allows access to the IPv6 Internet in the absence of a native IPv6 access provider (or, more generally, the interconnection of IPv6 islands over an IPv4 infrastructure). Cisco routers support automatic (6to4, ISATAP) and manually configured IPv6 over IPv4 tunnels.

Image:V6tunnelimg1-conceptoverview.png


IPv6 packets are encapsulated directly behind the IPv4 header. The IPv4 header protocol type field is set to 41 [1].

Image:V6tunnelimg2-tunneledpacket.png
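Decoding the encapsulation shown above, as an added example that is not part of the original article and not IOS code: a small Python parser reads an IPv4 header, recognises protocol 41, decodes the inner IPv6 header and, when the inner source is a 6to4 address, checks that the IPv4 address embedded in it matches the outer IPv4 source. That is the ingress consistency check a tunnel endpoint, or an IDS watching the outside interface, should apply before accepting tunneled traffic. The packets are constructed inline (the IPv4 checksum is left at zero), 198.18.0.1 and 192.88.99.1 are the article's addresses, 203.0.113.9 and 2001:db8::1 are constructed documentation addresses, and the function names are this example's own.

```python
"""Decode IPv6-over-IPv4 (protocol 41) packets and sanity-check 6to4 sources.

Constructed sample packets only; nothing here is read from the network.
"""
import ipaddress
import struct

IPPROTO_IPV6 = 41                                   # IPv4 protocol number of the tunnel payload
SIXTO4 = ipaddress.IPv6Network("2002::/16")         # 6to4 prefix


def parse_ipv4(packet):
    """Return protocol, addresses and payload of an IPv4 packet (options skipped)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl or total_len < ihl:
        raise ValueError("not a valid IPv4 header")
    return {
        "proto": proto,
        "src": ipaddress.IPv4Address(src),
        "dst": ipaddress.IPv4Address(dst),
        "payload": packet[ihl:total_len],
    }


def parse_ipv6(payload):
    """Return the fixed IPv6 header fields of the encapsulated packet."""
    if len(payload) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, plen, next_header, hop_limit, src, dst = struct.unpack(
        "!IHBB16s16s", payload[:40])
    if first_word >> 28 != 6:
        raise ValueError("protocol 41 payload is not an IPv6 header")
    return {
        "next_header": next_header,
        "hop_limit": hop_limit,
        "payload_len": plen,
        "src": ipaddress.IPv6Address(src),
        "dst": ipaddress.IPv6Address(dst),
    }


def embedded_v4(addr):
    """IPv4 address embedded in a 6to4 address (2002:WWXX:YYZZ::/48), or None."""
    addr = ipaddress.IPv6Address(addr)
    if addr not in SIXTO4:
        return None
    return ipaddress.IPv4Address(addr.packed[2:6])


def decode_tunnel(packet):
    """Decode outer and inner header; flag a 6to4 inner source whose embedded
    IPv4 address differs from the outer IPv4 source (RFC 3964 ingress check)."""
    outer = parse_ipv4(packet)
    if outer["proto"] != IPPROTO_IPV6:
        return {"tunneled": False, "outer": outer}
    inner = parse_ipv6(outer["payload"])
    embedded = embedded_v4(inner["src"])
    consistent = embedded is None or embedded == outer["src"]
    return {"tunneled": True, "outer": outer, "inner": inner,
            "source_consistent": consistent}


def build_6in4(v4_src, v4_dst, v6_src, v6_dst, inner_payload=b""):
    """Constructed sample: an IPv6 header with 'No Next Header' (59) inside a
    minimal IPv4 header.  The IPv4 checksum is left at zero on purpose."""
    v6 = struct.pack("!IHBB16s16s", 6 << 28, len(inner_payload), 59, 64,
                     ipaddress.IPv6Address(v6_src).packed,
                     ipaddress.IPv6Address(v6_dst).packed) + inner_payload
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0, 64,
                     IPPROTO_IPV6, 0,
                     ipaddress.IPv4Address(v4_src).packed,
                     ipaddress.IPv4Address(v4_dst).packed)
    return v4 + v6


# Constructed samples: the router at 198.18.0.1 (6to4 site 2002:c612:1::/48)
# sending to the relay, and the same inner source arriving from a different
# outer IPv4 address, which a 6to4 endpoint must drop.
GOOD = build_6in4("198.18.0.1", "192.88.99.1", "2002:c612:1:1::1", "2001:db8::1")
SPOOFED = build_6in4("203.0.113.9", "198.18.0.1", "2002:c612:1:1::1", "2002:c612:1:1::2")

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("spoofed", SPOOFED)):
        r = decode_tunnel(pkt)
        print(name, r["outer"]["src"], "->", r["outer"]["dst"],
              "| inner", r["inner"]["src"], "->", r["inner"]["dst"],
              "| consistent:", r["source_consistent"])
```

The same check is what the IPv4 ACL on the outside interface of the complete configs below cannot express: an ACL sees only the outer header, so the relationship between the 2002::/16 source and the IPv4 source has to be verified after decapsulation.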


The presented config examples have been tested with IOS 12.4(22)T SP Services.

Basic internet access router IPv6 configurations

Enabling IPv6 routing & CEF:

ipv6 unicast-routing
ipv6 cef

IPv6 default route:

ipv6 route ::/0 <IPv6 outside interface or next-hop>

IPv4/IPv6 dual-stack interface (your inside interface will most probably be dual-stack):

interface <Any Interface>
 description DUAL-STACK-INTERFACE
 ip address 192.168.0.1 255.255.255.0
 ipv6 address 2001:db8:1234:1::1/64
 ipv6 enable

IPv6 only interface:

interface <Any Interface>
 description IPV6-ONLY-INTERFACE
 no ip address
 ipv6 address 2001:db8:1234:1::1/64
 ipv6 enable

ACL for incoming traffic:

!
interface <IPv6 Outside Interface>
 description IPV6-OUTSIDE
 ipv6 address 2001:db8:5678:1::2/64
 ipv6 enable
 ipv6 traffic-filter IPv6-OUTSIDE in
!
ipv6 access-list IPv6-OUTSIDE
 permit icmp any any
!

The incoming ACL on the outside interface permits only ICMPv6 from the Internet; everything else is dropped by the access list's implicit deny, so return traffic for sessions opened from the inside has to be admitted by the inspection rules in the next step.

IOS Firewall CBAC for outgoing traffic:

!
ipv6 inspect name V6-INSPECT tcp
ipv6 inspect name V6-INSPECT udp
ipv6 inspect name V6-INSPECT ftp
ipv6 inspect name V6-INSPECT icmp
!
interface <IPv6 Inside Interface>
 description IPV6-INSIDE
 ipv6 address 2001:db8:1234:1::1/64
 ipv6 enable
 ipv6 inspect V6-INSPECT in
!

Cisco IOS Firewall for IPv6 currently supports CBAC (Context-Based Access Control) with basic inspection rules for TCP, UDP and ICMP and an application-layer inspection rule for FTP. In the sample above all of them are configured for basic outgoing Internet access.

6to4 automatic tunnel - Public 6to4 relay

When used for public Internet access, 6to4 [2] tunneling relies on public 6to4 relays reachable on the IPv4 Internet through the anycast address 192.88.99.1 [3]. The 6to4 prefix is 2002::/16; the following 32 bits are the public IPv4 address of the tunnel endpoint, so every public IPv4 address has a corresponding /48 IPv6 prefix (and with it 65,536 /64 subnets) for "free".

Define 6to4 prefix:

ipv6 general-prefix 6TO4PREFIX 6to4 FastEthernet0/0
!
interface FastEthernet0/0
 ip address 198.18.0.1 255.255.255.0

The name 6TO4PREFIX can now be used as a placeholder for the IPv6 prefix constructed as follows:

Image:V6tunnelimg3-6to4-addressing.png


Apply an IPv6 address to the internal interface (normally you would configure the internal interface dual-stack, although IPv6-only is possible):

interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ipv6 address 6TO4PREFIX ::1:0:0:0:1/64
 ipv6 enable

Configure the 6to4 tunnel interface:

interface Tunnel0
 description 6TO4-TUNNEL
 no ip address
 no ip redirects
 ipv6 enable
 tunnel source FastEthernet0/0
 tunnel mode ipv6ip 6to4

Configure a "recursive" default route as follows:

ipv6 route 2002::/16 Tunnel0
ipv6 route ::/0 2002:C058:6301::

The IPv6 default route points to the 6to4 form of the relay anycast address (c058:6301 = 192.88.99.1). Because that next hop itself lies inside 2002::/16, it is resolved through the first route, so all 2002::/16 traffic, relay-bound traffic included, leaves through the 6to4 tunnel interface (Tunnel0), which extracts the IPv4 endpoint from the destination address.
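The address arithmetic that the general-prefix and the recursive default route rely on, as an added Python example (not from the article and not IOS code): it derives the /48 that "6to4 FastEthernet0/0" yields from 198.18.0.1, the subnet 1 host address that "::1:0:0:0:1/64" produces, the 6to4 form of the relay anycast address, and the IPv4 tunnel endpoint a 6to4 router encapsulates towards for a given IPv6 destination. All function names are this example's own; 2002:a00:1::5 and 2001:db8::1 are constructed sample destinations.

```python
"""6to4 (RFC 3056) address arithmetic behind the general-prefix and the
"recursive" default route.  Added example; not from the article or IOS."""
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")   # public 6to4 relay anycast address


def six_to_four_prefix(v4):
    """2002::/16 followed by the 32-bit IPv4 address: the site's /48.
    This is what 'ipv6 general-prefix NAME 6to4 <interface>' derives."""
    v4 = ipaddress.IPv4Address(v4)
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def six_to_four_subnet(site, subnet_id):
    """Bits 48-63 carry the subnet ID, giving 65 536 /64s per site."""
    if not 0 <= subnet_id < 1 << 16:
        raise ValueError("6to4 subnet id must fit in 16 bits")
    return ipaddress.IPv6Network((int(site.network_address) | (subnet_id << 64), 64))


def six_to_four_host(v4, subnet_id, host_id):
    """Full host address, e.g. subnet 1 / host 1 as in
    'ipv6 address 6TO4PREFIX ::1:0:0:0:1/64'."""
    if not 0 <= host_id < 1 << 64:
        raise ValueError("host id must fit in 64 bits")
    net = six_to_four_subnet(six_to_four_prefix(v4), subnet_id)
    return ipaddress.IPv6Interface((int(net.network_address) | host_id, 64))


def embedded_ipv4(v6):
    """Inverse mapping: bits 16-47 of any 2002::/16 address are an IPv4 address."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in SIXTO4:
        raise ValueError("not a 6to4 address")
    return ipaddress.IPv4Address(v6.packed[2:6])


def tunnel_endpoint_for(dst):
    """IPv4 endpoint a 6to4 router encapsulates towards, mirroring
        ipv6 route 2002::/16 Tunnel0
        ipv6 route ::/0 2002:C058:6301::
    Destinations inside 2002::/16 go straight to the embedded IPv4 address;
    everything else goes to the default next hop, which is itself a 6to4
    address and therefore resolves, through the same rule, to the relay."""
    dst = ipaddress.IPv6Address(dst)
    if dst in SIXTO4:
        return embedded_ipv4(dst)
    relay_v6 = six_to_four_prefix(RELAY_ANYCAST).network_address   # 2002:c058:6301::
    return embedded_ipv4(relay_v6)                                  # back to 192.88.99.1


if __name__ == "__main__":
    print(six_to_four_prefix("198.18.0.1"))                     # 2002:c612:1::/48
    print(six_to_four_host("198.18.0.1", 1, 1))                 # 2002:c612:1:1::1/64
    print(six_to_four_prefix(RELAY_ANYCAST).network_address)    # 2002:c058:6301::
    for d in ("2001:db8::1", "2002:c058:6301::", "2002:a00:1::5"):
        print(d, "->", tunnel_endpoint_for(d))
```

The last function is the point of the "recursive" route: a non-6to4 destination is sent to the relay, while another 6to4 site is reached directly over IPv4 without any relay in the path.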

Complete IPv4/IPv6 6to4 access router config example:

!
version 12.4
!
ip cef
!
ip inspect name V4-INSPECT http
ip inspect name V4-INSPECT https
ip inspect name V4-INSPECT ftp
ip inspect name V4-INSPECT pop3
ip inspect name V4-INSPECT smtp
ip inspect name V4-INSPECT dns
ip inspect name V4-INSPECT tcp
ip inspect name V4-INSPECT udp
ip inspect name V4-INSPECT icmp
ipv6 general-prefix 6TO4PREFIX 6to4 FastEthernet0/0
ipv6 unicast-routing
ipv6 cef
ipv6 inspect name V6-INSPECT tcp
ipv6 inspect name V6-INSPECT udp
ipv6 inspect name V6-INSPECT ftp
ipv6 inspect name V6-INSPECT icmp
!
interface Tunnel0
 description 6TO4-TUNNEL
 no ip address
 no ip redirects
 ipv6 enable
 ipv6 traffic-filter IPV6-OUTSIDE in
 tunnel source FastEthernet0/0
 tunnel mode ipv6ip 6to4
!
interface FastEthernet0/0
 description OUTSIDE-WAN-INTERNET
 ip address 198.18.0.1 255.255.255.0
 ip access-group IPV4-OUTSIDE in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description INSIDE-LAN
 ip address 192.168.0.1 255.255.255.0
 ip inspect V4-INSPECT in
 ipv6 address 6TO4PREFIX ::1:0:0:0:1/64
 ipv6 enable
 ipv6 inspect V6-INSPECT in
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
ip access-list extended IPV4-OUTSIDE
 permit icmp any any
 permit ip host 192.88.99.1 host 198.18.0.1
!
ipv6 route 2002::/16 Tunnel0
ipv6 route ::/0 2002:C058:6301::
!
ipv6 access-list IPV6-OUTSIDE
 permit icmp any any
!
end

Configured 6in4 tunnel - Tunnelbroker

Disadvantages of the public 6to4 relays (anycast 192.88.99.1) are their unknown service quality and availability and the likelihood of asymmetric routing (the relay that returns traffic to you need not be the one you send to). A tunnel broker service avoids this: it provides a statically configured IPv6 tunnel and the possibility of getting a "real" IPv6 prefix routed, or even of announcing one's own (RIR-allocated) IPv6 prefix. Hurricane Electric and SixXS provide IPv6 tunnels, routed /48 prefixes and even BGP access for free.

Example IPv6 tunnel parameters:

  • Tunnelbroker IPv4 address: 1.2.3.4
  • Tunnelbroker IPv6 tunnel endpoint: 2001:db8:5678:1::1
  • Our IPv6 tunnel endpoint: 2001:db8:5678:1::2
  • Our routed /48 prefix: 2001:db8:1234::/48

Assign a subnet of the routed /48 to the internal interface (subnet 1 in this example):

interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ipv6 address 2001:db8:1234:1::1/64
 ipv6 enable

Configure the IPv6 tunnel interface:

interface Tunnel0
 description IPV6-CONFIGURED-TUNNEL
 no ip address
 ipv6 address 2001:db8:5678:1::2/64
 ipv6 enable
 tunnel source 198.18.0.1
 tunnel destination 1.2.3.4
 tunnel mode ipv6ip

Configure the IPv6 default route:

ipv6 route ::/0 2001:db8:5678:1::1

Complete IPv4/IPv6 6in4/Tunnelbroker access router config example:

!
version 12.4
!
ip cef
!
ip inspect name V4-INSPECT http
ip inspect name V4-INSPECT https
ip inspect name V4-INSPECT ftp
ip inspect name V4-INSPECT pop3
ip inspect name V4-INSPECT smtp
ip inspect name V4-INSPECT dns
ip inspect name V4-INSPECT tcp
ip inspect name V4-INSPECT udp
ip inspect name V4-INSPECT icmp
ipv6 general-prefix 6TO4PREFIX 6to4 FastEthernet0/0
ipv6 unicast-routing
ipv6 cef
ipv6 inspect name V6-INSPECT tcp
ipv6 inspect name V6-INSPECT udp
ipv6 inspect name V6-INSPECT ftp
ipv6 inspect name V6-INSPECT icmp
!
interface Tunnel0
 description IPV6-CONFIGURED-TUNNEL
 no ip address
 ipv6 address 2001:db8:5678:1::2/64
 ipv6 enable
 ipv6 traffic-filter IPV6-OUTSIDE in
 tunnel source 198.18.0.1
 tunnel destination 1.2.3.4
 tunnel mode ipv6ip
!
interface FastEthernet0/0
 description OUTSIDE-WAN-INTERNET
 ip address 198.18.0.1 255.255.255.0
 ip access-group IPV4-OUTSIDE in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description INSIDE-LAN
 ip address 192.168.0.1 255.255.255.0
 ip inspect V4-INSPECT in
 ipv6 address 2001:db8:1234:1::1/64
 ipv6 enable
 ipv6 inspect V6-INSPECT in
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
ip access-list extended IPV4-OUTSIDE
 permit icmp any any
 permit ip host 1.2.3.4 host 198.18.0.1
!
ipv6 route ::/0 2001:db8:5678:1::1
!
ipv6 access-list IPV6-OUTSIDE
 permit icmp any any
!
end

LAN IPv6 Hosts

In an IPv6 LAN you can, but do not need to, use DHCP for address assignment. The preferred process is stateless autoconfiguration [4] using router discovery and router advertisements. As soon as an IPv6-enabled host is connected to the LAN it sends an ICMPv6 router solicitation, and the router answers with an advertisement of the locally configured subnet prefix (2001:db8:1234:1::/64 in the example above). The host then forms its IPv6 address from that prefix and an interface identifier derived from its MAC address (EUI-64). Some hosts (e.g. Windows XP) additionally assign temporary, randomly generated identifiers [5] and prefer those over the EUI-64 identifier.

ISATAP

If you want to connect a more complex network to the IPv6 Internet you may find that some of your internal layer 3 devices (e.g. lower-end Cisco Catalyst switches) do not currently support IPv6 routing. You can either implement configured tunnels between the IPv6 islands or use the automatic tunneling mechanism ISATAP [6].

Image:V6tunnelimg5-isatap-concept.png


ISATAP uses the underlying IPv4 network as an NBMA link layer. A host's ISATAP IPv6 interface identifier is 00x0:5EFE followed by its 32-bit IPv4 address, where x is the universal/local bit: it is set (0200:5EFE) if the IPv4 address is global and clear (0000:5EFE) otherwise.

Image:V6tunnelimg4-isatapaddressing.png


The router internal LAN interface does not need to be IPv6 enabled:

interface FastEthernet0/1
 description INSIDE-LAN
 ip address 192.168.0.1 255.255.255.0

Configure the ISATAP tunnel interface using an available IPv6 prefix:

interface Tunnel1
 description ISATAP
 no ip address
 no ip redirects
 ipv6 address 2001:db8:1234:1::/64 eui-64
 no ipv6 nd ra suppress
 tunnel source FastEthernet0/1
 tunnel mode ipv6ip isatap

Router advertisements are disabled by default on tunnel interfaces; "no ipv6 nd ra suppress" is required to enable them.

Configuring an "eui-64" interface identifier together with tunnel mode "isatap" results in an assigned IPv6 ISATAP address corresponding to the IPv4 address of FastEthernet0/1:

RouterISATAP#sh ipv6 int brief
Tunnel1                    [up/up]
    FE80::5EFE:C0A8:6447
    2001:db8:1234:1:0:5EFE:C0A8:1
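How the two interface identifiers this article relies on are built, as an added Python example (not from the article and not IOS code): the modified EUI-64 identifier a stateless autoconfiguration host derives from its MAC address (the LAN IPv6 Hosts section above), and the ISATAP identifier 0:5EFE:<IPv4> / 200:5EFE:<IPv4> that appears in the "sh ipv6 int brief" output. The example reproduces 2001:db8:1234:1:0:5efe:c0a8:1 from 192.168.0.1 and also shows the reverse mapping, which is what you need when reading ISATAP addresses in logs. The MAC address 00:1a:2b:3c:4d:5e is constructed, 198.18.0.1 is treated as global only to show the 0200:5EFE form, and the function names are this example's own.

```python
"""Interface identifier construction for the two host address types in this
article: modified EUI-64 (stateless autoconfiguration) and ISATAP.
Added example; not from the article or from Cisco IOS."""
import ipaddress

ISATAP_TAG = b"\x00\x5e\xfe"       # the 5EFE marker that follows the u/l octet


def modified_eui64(mac):
    """RFC 4291 appendix A: split the 48-bit MAC, insert ff:fe, and invert
    the universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def isatap_iid(v4, global_v4=None):
    """RFC 5214: 0000:5EFE:<IPv4>, or 0200:5EFE:<IPv4> when the embedded IPv4
    address is globally unique (the u/l bit the article calls x)."""
    v4 = ipaddress.IPv4Address(v4)
    if global_v4 is None:
        global_v4 = v4.is_global      # Python's view of the IANA special-purpose registries
    return bytes([0x02 if global_v4 else 0x00]) + ISATAP_TAG + v4.packed


def with_prefix(prefix, iid):
    """Join a /64 prefix and a 64-bit identifier into a full address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("need a /64 prefix and a 64-bit identifier")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def isatap_embedded_v4(addr):
    """Inverse check for log or ACL review: the IPv4 address inside an ISATAP
    address, or None if the identifier does not have the 5EFE format."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[0] not in (0x00, 0x02) or iid[1:4] != ISATAP_TAG:
        return None
    return ipaddress.IPv4Address(iid[4:])


if __name__ == "__main__":
    lan = "2001:db8:1234:1::/64"
    print(with_prefix(lan, modified_eui64("00:1a:2b:3c:4d:5e")))      # 2001:db8:1234:1:21a:2bff:fe3c:4d5e
    print(with_prefix(lan, isatap_iid("192.168.0.1")))                # 2001:db8:1234:1:0:5efe:c0a8:1
    print(with_prefix("fe80::/64", isatap_iid("192.168.0.1")))        # fe80::5efe:c0a8:1
    print(with_prefix(lan, isatap_iid("198.18.0.1", global_v4=True)))  # 2001:db8:1234:1:200:5efe:c612:1
    print(isatap_embedded_v4("2001:db8:1234:1:0:5efe:c0a8:1"))       # 192.168.0.1
```

Both identifiers expose the host's lower-layer address (MAC or IPv4) in the IPv6 address, which is why the temporary identifiers mentioned in the LAN IPv6 Hosts section exist.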

Complete IPv4/IPv6 6in4/Tunnelbroker & ISATAP access router config example:

!
version 12.4
!
ip cef
!
ip inspect name V4-INSPECT http
ip inspect name V4-INSPECT https
ip inspect name V4-INSPECT ftp
ip inspect name V4-INSPECT pop3
ip inspect name V4-INSPECT smtp
ip inspect name V4-INSPECT dns
ip inspect name V4-INSPECT tcp
ip inspect name V4-INSPECT udp
ip inspect name V4-INSPECT icmp
ipv6 general-prefix 6TO4PREFIX 6to4 FastEthernet0/0
ipv6 unicast-routing
ipv6 cef
ipv6 inspect name V6-INSPECT tcp
ipv6 inspect name V6-INSPECT udp
ipv6 inspect name V6-INSPECT ftp
ipv6 inspect name V6-INSPECT icmp
!
interface Tunnel0
 description IPV6-CONFIGURED-TUNNEL
 no ip address
 ipv6 address 2001:db8:5678:1::2/64
 ipv6 enable
 ipv6 traffic-filter IPV6-OUTSIDE in
 tunnel source 198.18.0.1
 tunnel destination 1.2.3.4
 tunnel mode ipv6ip
!
interface Tunnel1
 description ISATAP
 no ip address
 no ip redirects
 ipv6 address 2001:db8:1234:1::/64 eui-64
 no ipv6 nd ra suppress
 ipv6 inspect V6-INSPECT in
 tunnel source FastEthernet0/1
 tunnel mode ipv6ip isatap
!
interface FastEthernet0/0
 description OUTSIDE-WAN-INTERNET
 ip address 198.18.0.1 255.255.255.0
 ip access-group IPV4-OUTSIDE in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description INSIDE-LAN
 ip address 192.168.0.1 255.255.255.0
 ip inspect V4-INSPECT in
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
ip access-list extended IPV4-OUTSIDE
 permit icmp any any
 permit ip host 1.2.3.4 host 198.18.0.1
!
ipv6 route ::/0 2001:db8:5678:1::1
!
ipv6 access-list IPV6-OUTSIDE
 permit icmp any any
!
end

Because of the NBMA nature of the link, ICMPv6 router solicitation cannot be used; ISATAP hosts therefore discover the router either via DNS or via a preconfigured router list.

Configuring the ISATAP router on a Win XP host:

netsh interface ipv6 isatap set router 192.168.0.1

DNS

If you are connecting to the IPv6 Internet via one of the described transition mechanisms you most probably do not have access to an IPv6-enabled DNS server (unless you run one yourself). In a dual-stack environment this is not a problem, because DNS resolution is independent of the network protocol used to reach the server (you can request an IPv6 address for a name from an IPv4 DNS server and vice versa).

The solution available today (e.g. Windows Vista, or Dibbler on other platforms) for a host to obtain an IPv6 DNS server address is DHCPv6 [7]. Future implementations will probably add the possibility of discovering DNS servers via router advertisements [8].
