This document was published in the
January 2001 Daemonnews
issue and is also linked on the
6Bone 6to4-page.
6to4 IPv6 Explained
or: Flogging a Dead Horse
Hubert Feyrer, December 2000
What is it
6to4 is a easy way to get IPv6 connectivity for hosts that only have a
IPv4 uplink. It can be used with static as well as dynamically
assigned numbers, e.g. as found in modem dialup scenarios. When using
dynamic v4 addresses, note that a dynamic change of IP numbers will be
a problem for incoming traffic, i.e. you can't run persistent servers.
Where to get IPv6 address space
The setup on your side doesn't exist on one single IPv6 number, but of
a whole /48 network. The address prefix prefix "2002:" is reserved for
6to4 based addresses (i.e. v6 addresses derived from IPv4
addresses). The next 32 bits are your IPv4 address. This results in a
/48 network that you can use for your very own purpose. It leaves 16
bits space for 216 IPv6 subnets, which can take up to
264 nodes each (that's, um ... a BIG number :-).
Thanks to the 6to4 prefix and your worldwide unique IPv4 address, this
address block is also unique, and it's mapped to you.
Image #1 shows in an example how the IPv6 address is
built for the IPv4 number 62.157.9.98. The lower bits ":0001::1" were
chosen arbitrarily by me, they can contain other values. (E.g. EUI-64
addresses if you choose to setup address autoconfiguration via router
solicitation - see rtsol(8) for more information).
|
Image #1: (click to enlarge!)
|
How to get connected
In contrast to the classic "v6 over v4 tunnel" setup, you do not
register at a 6bone-gateway, which will then forward you any v6
traffic (encapsulated in v4). Instead, as your IPv6 address is derived
from your IPv4 address, any answers can be sent through your nearest
6to4 gateway to you. Unencapsulation of the package is done via the
stf(4) network interface, which also forwards the resulting v6 package
then according to your routing setup (in case you have more than one
machine connected on your 6to4 assigned network).
For sending out v6 packets, the stf(4) packet will take the v6 packet,
and encapsulate it into a v4 packet. You still need a 6bone-connected
6to4-gateway that will unencapsulate your packets, and forward them
to the 6bone.
Image #2 (6to4-image1.gif) tries to illustrate this. Your private
network is on the left, the uplink in this case is via a v4-connected
PPP-link, and the machine on the right is the 6to4 gateway which is
connected to the 6bone.
|
Image #2: (click to enlarge!)
|
Security Considerations
In contrast to the "tunnel" setup, you usually can't setup packet
filters to block 6to4-packets from unauthorized sources, as this is
exactly how (and why) 6to4 works at all. As such, malicious users can
send packets with invalid/hazardous IPv6 payload. See the stf(4)
manual page for common configuration mistakes intercepted by default,
and for further advice on filtering.
Configuration
The following commands are valid for NetBSD 1.5, but as they don't use
any "magic" variables from the OS-specific startup system, this should
be widely usable.
You need to know the following values:
- Your IPv4 address. Use ifconfig(8) or netstat(8) to determine.
If you use a NATing gateway or something, be sure to use the
official, outside-visible address, not your private (10/8 or
192.168/16) one.
We will use 62.224.57.114 in our example.
- Your gateway interface's IPv6 address, derived from the above
IPv4 address.
For our example, this is 2002:3ee0:3972:0001::1 (62.224.57.114
== 0x3ee03972, 0001::1 arbitrarily chosen).
- The IPv6 address of your 6to4 gateway to use.
We will use
2002:cdb2:5ac2::1 (== 6to4.kfu.com).
Actual configuration consists of three steps:
- Make sure you have at least one stf(4) interface configured into
your kernel:
pseudo-device stf 1 # 6to4 IPv6 over IPv4 encapsulation
By default this is not enabled. Please consult some
appropriate documents on kernel configuration and
compilation.
- Configure the stf(4) device by assigning it your IPv4-derived
v6-address:
ifconfig stf0 inet6 2002:3ee0:3972:0001::1 prefixlen 16 alias
- Make sure all your IPv6 traffic is forwarded to your 6to4 gateway
to route it via the 6bone:
route add -inet6 default 2002:cdb2:5ac2::1
After these steps, you are connected to the IPv6-enabled world -
Congratulations!
If you have a permanent IPv4 address, you can put these two commands
into /etc/netstart.local to configure IPv6 on each bootup.
Gateway
There's a list of known working 6to4 gateways at
http://www.kfu.com/~nsayer/6to4/. In tests, only 6to4.kfu.com
and 6to4.ipv6.microsoft.com were found working. Cisco has
another one that you have to register to before using it, see
http://www.cisco.com/ipv6/. There's also an experimental 6to4 server located in
Germany, 6to4.ipv6.fh-regensburg.de.
Further reading
(c) Copyright 20000110 Hubert Feyrer
$Id: 6to4.html,v 1.1 2000/12/31 03:50:55 feyrer Exp feyrer $
