DæmonNews: News and views for the BSD community


6to4 IPv6 Explained, or: Flogging a Dead Horse

by Hubert Feyrer <hubert@feyrer.de>

What is it?

6to4 is an easy way to get IPv6 connectivity for hosts that only have an IPv4 uplink. It can be used with static as well as dynamically assigned numbers, e.g. as found in modem dialup scenarios. When using dynamic v4 addresses, note that a dynamic change of IP numbers will be a problem for incoming traffic, i.e. you can't run persistent servers.

Where to get IPv6 address space

The setup on your side doesn't consist of a single IPv6 address, but of a whole /48 network. The address prefix "2002:" is reserved for 6to4 based addresses (i.e. v6 addresses derived from IPv4 addresses). The next 32 bits are your IPv4 address. This results in a /48 network that you can use for your very own purpose. It leaves 16 bits of space for 2^16 IPv6 subnets, which can take up to 2^64 nodes each (that's, um ... a BIG number :-).

Thanks to the 6to4 prefix and your worldwide unique IPv4 address, this address block is also unique, and it's mapped to you.

Image #1 shows an example of how the IPv6 address is built for the IPv4 number 62.157.9.98. The lower bits ":0001::1" were chosen arbitrarily by me; they can contain other values (e.g. EUI-64 addresses if you choose to set up address autoconfiguration via router solicitation - see rtsol(8) for more information).

[Image #1]

How to get connected

In contrast to the classic "v6 over v4 tunnel" setup, you do not register at a 6bone-gateway, which will then forward you any v6 traffic (encapsulated in v4). Instead, as your IPv6 address is derived from your IPv4 address, any answers can be sent through your nearest 6to4 gateway to you. Decapsulation of the packet is done by the stf(4) network interface, which then also forwards the resulting v6 packet according to your routing setup (in case you have more than one machine connected on your 6to4 assigned network).

For sending out v6 packets, the stf(4) interface will take the v6 packet and encapsulate it into a v4 packet. You still need a 6bone-connected 6to4-gateway that will decapsulate your packets and forward them to the 6bone.

Image #2 tries to illustrate this. Your private network is on the left; the uplink in this case is via a v4-connected PPP-link, and the machine on the right is the 6to4 gateway which is connected to the 6bone.

[Image #2]

Security Considerations

In contrast to the "tunnel" setup, you usually can't set up packet filters to block 6to4 packets from unauthorized sources, as accepting packets from arbitrary sources is exactly how (and why) 6to4 works at all. As such, malicious users can send packets with invalid/hazardous IPv6 payloads. See the stf(4) manual page for common configuration mistakes intercepted by default, and for further advice on filtering.
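Even without a fixed tunnel peer, a 6to4 receiver can still check that the addresses in a decapsulated packet are consistent with each other. The following is an added example, not part of the original article and not stf(4)'s own code; the rule set, the function names and the sample packets are assumptions constructed for illustration, using the article's example addresses as the local host and gateway.

```python
import ipaddress

SIXTOFOUR = ipaddress.ip_network("2002::/16")
# IPv4 ranges that can never be a legitimate 6to4 tunnel endpoint (assumed rule set).
BAD_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]

def bad_v4(addr):
    return any(addr in net for net in BAD_V4)

def check_decapsulated(outer_src, inner_src, inner_dst, local_v4):
    """Return (accept, reason) for one packet arriving on the 6to4 interface."""
    outer = ipaddress.IPv4Address(outer_src)
    src = ipaddress.IPv6Address(inner_src)
    dst = ipaddress.IPv6Address(inner_dst)
    local = ipaddress.IPv4Address(local_v4)
    if bad_v4(outer):
        return False, "outer IPv4 source is not a global unicast address"
    if src in SIXTOFOUR:
        if bad_v4(src.sixtofour):
            return False, "inner source embeds a non-routable IPv4 address"
        if src.sixtofour != outer:
            return False, "inner 6to4 source does not match outer IPv4 source"
    elif src.is_unspecified or src.is_loopback or src.is_multicast or src.is_link_local:
        return False, "inner source is not a global unicast address"
    # A non-6to4 source arrives via a relay, so it cannot be tied to the
    # outer address; that is why 6to4 cannot be filtered by tunnel peer.
    if dst.sixtofour != local:
        return False, "inner destination is outside our 2002:V4ADDR::/48"
    return True, "ok"

# Constructed sample packets: (outer IPv4 source, inner IPv6 source, inner IPv6 destination)
SAMPLES = [
    ("205.178.90.194", "2002:cdb2:5ac2::1", "2002:3ee0:3972:1::1"),  # consistent
    ("205.178.90.194", "2001:db8::5", "2002:3ee0:3972:1::1"),        # relayed native source
    ("198.51.100.7", "2002:cdb2:5ac2::1", "2002:3ee0:3972:1::1"),    # mismatched source
    ("198.51.100.7", "2002:7f00:1::1", "2002:3ee0:3972:1::1"),       # embeds 127.0.0.1
    ("205.178.90.194", "2002:cdb2:5ac2::1", "2002:c000:201::1"),     # not addressed to us
]

if __name__ == "__main__":
    for outer, src, dst in SAMPLES:
        print(outer, src, dst, check_decapsulated(outer, src, dst, "62.224.57.114"))
```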

Configuration

The following commands are valid for NetBSD 1.5, but as they don't use any "magic" variables from the OS-specific startup system, this should be widely usable.

You need to know the following values:

  • Your IPv4 address. Use ifconfig(8) or netstat(8) to determine it. If you use a NATing gateway or something similar, be sure to use the official, outside-visible address, not your private (10/8 or 192.168/16) one.

    We will use 62.224.57.114 in our example.

  • Your gateway interface's IPv6 address, derived from the above IPv4 address.

    For our example, this is 2002:3ee0:3972:0001::1 (62.224.57.114 == 0x3ee03972, 0001::1 arbitrarily chosen).

  • The IPv6 address of your 6to4 gateway to use.

    We will use 2002:cdb2:5ac2::1 (== 6to4.kfu.com).

Actual configuration consists of three steps:

  1. Make sure you have at least one stf(4) interface configured into your kernel:

    pseudo-device  stf             1       # 6to4 IPv6 over IPv4 encapsulation 

    By default this is not enabled. Please consult some appropriate documents on kernel configuration and compilation.

  2. Configure the stf(4) device by assigning it your IPv4-derived v6-address:

    ifconfig stf0 inet6 2002:3ee0:3972:0001::1 prefixlen 16 alias

  3. Make sure all your IPv6 traffic is forwarded to your 6to4 gateway to route it via the 6bone:

    route add -inet6 default 2002:cdb2:5ac2::1

After these steps, you are connected to the IPv6-enabled world - congratulations!

If you have a permanent IPv4 address, you can put these two commands into /etc/netstart.local to configure IPv6 on each bootup.
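The address derivation and the two commands from steps 2 and 3 can be generated from the IPv4 address alone. This is an added example, not part of the original article; the function names and the default subnet and interface ID of 1 are assumptions, matching the arbitrarily chosen "0001::1" above.

```python
import ipaddress

def sixtofour_prefix(ipv4):
    """Return the 2002:V4ADDR::/48 network for a public IPv4 address."""
    v4 = ipaddress.IPv4Address(ipv4)
    if not v4.is_global:
        # Private, loopback, link-local etc. addresses are not reachable
        # from a 6to4 gateway, so a prefix built on them cannot work.
        raise ValueError(f"{v4} is not a publicly routable IPv4 address")
    # 16 bits of 0x2002, then the 32-bit IPv4 address, then 80 zero bits.
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))

def host_address(prefix, subnet=1, interface_id=1):
    """Pick one address: 16-bit subnet number plus 64-bit interface ID."""
    if not 0 <= subnet < 2**16 or not 0 <= interface_id < 2**64:
        raise ValueError("subnet must fit 16 bits, interface ID 64 bits")
    return prefix.network_address + (subnet << 64) + interface_id

def embedded_ipv4(ipv6):
    """Recover the IPv4 address inside a 6to4 address (None if not 2002::/16)."""
    return ipaddress.IPv6Address(ipv6).sixtofour

def stf_commands(ipv4, gateway_v6, subnet=1, interface_id=1):
    """Build the ifconfig/route lines from steps 2 and 3 for this host."""
    if embedded_ipv4(gateway_v6) is None:
        raise ValueError(f"{gateway_v6} is not a 6to4 (2002::/16) address")
    addr = host_address(sixtofour_prefix(ipv4), subnet, interface_id)
    return [f"ifconfig stf0 inet6 {addr} prefixlen 16 alias",
            f"route add -inet6 default {gateway_v6}"]

if __name__ == "__main__":
    print(sixtofour_prefix("62.224.57.114"))      # the article's example address
    print(embedded_ipv4("2002:cdb2:5ac2::1"))     # IPv4 address of the gateway
    print("\n".join(stf_commands("62.224.57.114", "2002:cdb2:5ac2::1")))
```

Python prints the address in compressed form, so "0001" appears as "1"; both spellings denote the same address.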

Gateway

There's a list of known working 6to4 gateways at http://www.kfu.com/~nsayer/6to4/. In tests, only 6to4.kfu.com and 6to4.ipv6.microsoft.com were found to be working. Cisco has another one that you have to register with before using it; see http://www.cisco.com/ipv6/. There's also an experimental 6to4 server located in Germany, 6to4.ipv6.fh-regensburg.de.

Further reading


    Author maintains all copyrights on this article.
    Images and layout Copyright © 1998-2006 Dæmon News. All Rights Reserved.