This document was published in the January 2001 Daemonnews issue and is also linked on the 6Bone 6to4-page.



6to4 IPv6 Explained
or: Flogging a Dead Horse
Hubert Feyrer, December 2000

What is it

6to4 is an easy way to get IPv6 connectivity for hosts that only have an IPv4 uplink. It can be used with static as well as dynamically assigned numbers, e.g. as found in modem dialup scenarios. When using dynamic v4 addresses, note that a dynamic change of IP numbers will be a problem for incoming traffic, i.e. you can't run persistent servers.

Where to get IPv6 address space

The setup on your side doesn't consist of one single IPv6 number, but of a whole /48 network. The address prefix "2002:" is reserved for 6to4 based addresses (i.e. v6 addresses derived from IPv4 addresses). The next 32 bits are your IPv4 address. This results in a /48 network that you can use for your very own purpose. It leaves 16 bits space for 2^16 IPv6 subnets, which can take up to 2^64 nodes each (that's, um ... a BIG number :-).

Thanks to the 6to4 prefix and your worldwide unique IPv4 address, this address block is also unique, and it's mapped to you.

Image #1 shows an example of how the IPv6 address is built for the IPv4 number 62.157.9.98. The lower bits ":0001::1" were chosen arbitrarily by me; they can contain other values (e.g. EUI-64 addresses if you choose to set up address autoconfiguration via router solicitation - see rtsol(8) for more information).

[Image #1: how the 6to4 IPv6 address is built from the IPv4 number 62.157.9.98]

How to get connected

In contrast to the classic "v6 over v4 tunnel" setup, you do not register at a 6bone-gateway, which would then forward any v6 traffic (encapsulated in v4) to you. Instead, as your IPv6 address is derived from your IPv4 address, any answers can be sent to you through your nearest 6to4 gateway. Decapsulation of the packet is done via the stf(4) network interface, which then also forwards the resulting v6 packet according to your routing setup (in case you have more than one machine connected on your 6to4 assigned network).

For sending out v6 packets, the stf(4) interface will take the v6 packet and encapsulate it into a v4 packet. You still need a 6bone-connected 6to4-gateway that will decapsulate your packets and forward them to the 6bone.

Image #2 (6to4-image1.gif) tries to illustrate this. Your private network is on the left, the uplink in this case is via a v4-connected PPP-link, and the machine on the right is the 6to4 gateway which is connected to the 6bone.

[Image #2 (6to4-image1.gif): private network, v4-connected PPP uplink, and the 6bone-connected 6to4 gateway]

Security Considerations

In contrast to the "tunnel" setup, you usually can't set up packet filters to block 6to4 packets from unauthorized sources, as accepting them is exactly how (and why) 6to4 works at all. As such, malicious users can send packets with invalid/hazardous IPv6 payload. See the stf(4) manual page for common configuration mistakes intercepted by default, and for further advice on filtering.
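An added example, not part of the original article: it builds the 2002::/48 network and host address from an IPv4 number as described under "Where to get IPv6 address space", then applies a sanity check to the source addresses of a decapsulated packet. The function names and the drop policy (embedded IPv4 address must be a globally routable unicast address and must equal the outer IPv4 source) are assumptions of this example, not a transcription of what stf(4) does.

```python
import ipaddress


def sixtofour_net(v4: str) -> ipaddress.IPv6Network:
    """The /48 owned by an IPv4 address: 2002:<32 bits of IPv4>::/48."""
    v4_bits = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4_bits << 80), 48))


def host_addr(v4: str, subnet: int, iface: int) -> ipaddress.IPv6Address:
    """Address inside that /48: 16-bit subnet number, 64-bit interface ID."""
    if not (0 <= subnet < 2**16 and 0 <= iface < 2**64):
        raise ValueError("subnet must fit 16 bits, interface ID 64 bits")
    base = int(sixtofour_net(v4).network_address)
    return ipaddress.IPv6Address(base | (subnet << 64) | iface)


def embedded_v4(v6: str):
    """IPv4 address inside a 2002::/16 address, or None for other prefixes."""
    return ipaddress.IPv6Address(v6).sixtofour


def drop_reason(outer_v4_src: str, inner_v6_src: str):
    """Return why a decapsulated packet looks bogus, or None if it passes.

    Hypothetical policy for this example: the embedded IPv4 address must be
    globally routable unicast and must equal the outer IPv4 source.
    """
    inner = embedded_v4(inner_v6_src)
    if inner is None:
        return None  # native IPv6 source (came via a gateway): not judged here
    if inner.is_unspecified or inner.is_loopback or inner.is_multicast:
        return f"embedded {inner} is not a unicast host address"
    if inner.is_private:
        return f"embedded {inner} is not globally routable"
    if inner != ipaddress.IPv4Address(outer_v4_src):
        return f"embedded {inner} does not match outer source {outer_v4_src}"
    return None


if __name__ == "__main__":
    print(host_addr("62.157.9.98", subnet=1, iface=1))  # Image #1 example
    print(embedded_v4("2002:3ee0:3972:0001::1"))        # address from the ifconfig step
    # Constructed packets: (outer IPv4 source, inner IPv6 source)
    for pkt in [("62.157.9.98", "2002:3e9d:962:1::1"),
                ("62.157.9.98", "2002:0a00:0001::1"),
                ("192.0.2.7", "2002:3e9d:962:1::1")]:
        print(pkt, "->", drop_reason(*pkt) or "accept")
```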

Configuration

The following commands are valid for NetBSD 1.5, but as they don't use any "magic" variables from the OS-specific startup system, this should be widely usable.

You need to know the following values:

Actual configuration consists of three steps:
  1. Make sure you have at least one stf(4) interface configured into your kernel:

    pseudo-device  stf             1       # 6to4 IPv6 over IPv4 encapsulation 

    By default this is not enabled. Please consult some appropriate documents on kernel configuration and compilation.

  2. Configure the stf(4) device by assigning it your IPv4-derived v6-address:

    ifconfig stf0 inet6 2002:3ee0:3972:0001::1 prefixlen 16 alias

  3. Make sure all your IPv6 traffic is forwarded to your 6to4 gateway to route it via the 6bone:

    route add -inet6 default 2002:cdb2:5ac2::1

After these steps, you are connected to the IPv6-enabled world - Congratulations!

If you have a permanent IPv4 address, you can put these two commands into /etc/netstart.local to configure IPv6 on each bootup.

Gateway

There's a list of known working 6to4 gateways at http://www.kfu.com/~nsayer/6to4/. In tests, only 6to4.kfu.com and 6to4.ipv6.microsoft.com were found working. Cisco has another one that you have to register with before using it, see http://www.cisco.com/ipv6/. There's also an experimental 6to4 server located in Germany, 6to4.ipv6.fh-regensburg.de.

Further reading


(c) Copyright 20000110 Hubert Feyrer
$Id: 6to4.html,v 1.1 2000/12/31 03:50:55 feyrer Exp feyrer $