IPv6 tunnel - Debian Linux and tunnelbroker.net - IPv6 in IPv4 (ip protocol 41)
IPv6 tunnel between Debian Linux and tunnelbroker.net using ip protocol 41 (ipv6 encapsulation in ipv4)
There are many ways to use an IPv6 /64 or even /48 subnet when you do not own an ASN. One of them is an IPv6 tunnel broker. These are companies that have large IPv6 address space allocated to them and delegate smaller blocks, like those mentioned above, to individual users or companies.
Tunnelbroker.net (HE) is one of these brokers. It uses IPv6 encapsulation in IPv4 (protocol number 41: http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers). Their website offers an intuitive form for creating an IPv6-encapsulating tunnel between your public, internet-facing IP and one of their gateways (they have multiple gateways across the world).
This method is unlike IPsec, where NAT-Traversal encapsulates ESP in UDP to be NAT compatible; unless you can forward IPv4 protocol 41 to your private host, it will not work.
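To make the encapsulation concrete, here is an added example (not code from the original post or from HE) that builds and decodes a protocol-41 packet: a plain IPv4 header whose protocol field is 41, followed immediately by the IPv6 packet. The sample packet is constructed here and reuses the post's host and gateway addresses; the inner ICMPv6 payload is a constructed stub with no checksum. The last helper, unexpected_tunnel, is an assumed name for a detection check a network monitor could run: it flags 6in4 traffic whose outer peer is not the configured broker gateway.

```python
import ipaddress
import struct

PROTO_6IN4 = 41  # IANA protocol number: IPv6 encapsulated in IPv4 ("sit" on Linux)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum of an IPv4 header; a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 255) -> bytes:
    """Minimal 20-byte IPv4 header (no options, DF set) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_6in4(outer_src, outer_dst, inner_src, inner_dst, payload=b"", next_header=59, hop_limit=64):
    """Wrap a minimal IPv6 packet in an IPv4 header with protocol 41, as a sit tunnel does."""
    inner = struct.pack("!IHBB", 0x60000000, len(payload), next_header, hop_limit)
    inner += ipaddress.IPv6Address(inner_src).packed + ipaddress.IPv6Address(inner_dst).packed + payload
    return build_ipv4_header(outer_src, outer_dst, PROTO_6IN4, len(inner)) + inner


def parse_6in4(pkt: bytes) -> dict:
    """Decode the outer IPv4 header and, when the protocol is 41, the inner IPv6 header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    info = {"outer_src": str(ipaddress.IPv4Address(src)), "outer_dst": str(ipaddress.IPv4Address(dst)),
            "protocol": proto, "ttl": ttl}
    if proto != PROTO_6IN4:
        return info  # not a 6in4 packet; nothing more to decode here
    inner = pkt[ihl:total_len]
    if len(inner) < 40:
        raise ValueError("truncated inner IPv6 header")
    vtf, payload_len, next_header, hop_limit = struct.unpack("!IHBB", inner[:8])
    if vtf >> 28 != 6:
        raise ValueError("protocol 41 payload is not IPv6")
    info.update({"inner_src": str(ipaddress.IPv6Address(inner[8:24])),
                 "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
                 "next_header": next_header, "hop_limit": hop_limit, "payload_len": payload_len})
    return info


def unexpected_tunnel(info: dict, broker_gateway: str) -> bool:
    """True for a protocol-41 packet whose outer peer is not the configured broker
    gateway, i.e. a 6in4 tunnel the gateway-restricted firewall rules would not admit."""
    if info["protocol"] != PROTO_6IN4:
        return False
    return broker_gateway not in (info["outer_src"], info["outer_dst"])


if __name__ == "__main__":
    # Constructed sample: the post's host and HE gateway addresses, inner ICMPv6 echo
    # request stub (8 bytes, checksum not computed).
    pkt = build_6in4("11.11.111.11", "209.51.161.14", "2001:470:1a06:1042::2", "2607:f8b0:4004:807::1008",
                     payload=b"\x80\x00\x00\x00\x00\x01\x00\x01", next_header=58)
    print(parse_6in4(pkt))
```

The decoder shows why NAT gets in the way: the outer header carries only addresses and the protocol number, so a port-based NAT has nothing to key a translation on, and the inner IPv6 addresses are invisible to it unless it is 6in4-aware.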
Another nice feature of the IPv6 tunnel broker is the examples offered for multiple platforms: Junos, IOS, Linux, BSD, Windows and so on.
Deploying the IPv6 tunnel on Debian Linux:
The commands shown in the broker's example section for Linux are listed below.
Code:
$ sudo modprobe ipv6
$ sudo ip tunnel add tun6 mode sit remote 209.51.161.14 local 11.11.111.11 ttl 255
$ sudo ip link set tun6 up
$ sudo ip addr add 2001:470:1a06:1042::2/64 dev tun6
$ sudo ip route add ::/0 dev tun6
$ sudo ip -f inet6 addr
To make the tunnel persistent after reboot add the following to “/etc/network/interfaces”:
Code:
auto tun6
iface tun6 inet6 static
address 2001:470:1a06:1042::2/64
network 2001:470:1a06:1042::0
pre-up ip tunnel add tun6 mode sit remote 209.51.161.14 local 11.11.111.11 ttl 255
up ip link set mtu 1480 dev tun6
up ip ro add ::/0 dev tun6
post-down ip tunnel del tun6
The above commands create a sit tunnel (IPv6 in IPv4) between the Linux host and the remote gateway and set up a static default route for IPv6 (::/0) via the tunnel interface. Let's confirm its creation:
Code:
$sudo ip tunnel show
tun6: ipv6/ip remote 209.51.161.14 local 11.11.111.11 ttl 255 6rd-prefix 2002::/16
sit0: ipv6/ip remote any local any ttl 64 nopmtudisc 6rd-prefix 2002::/16
Showing the route towards Google's IPv6 address:
Code:
$ dig +short aaaa google.com
2607:f8b0:4004:807::1008
$ ip -6 ro get 2607:f8b0:4004:807::1008
2607:f8b0:4004:807::1008 from :: via 2607:f8b0:4004:807::1008 dev tun6 src 2001:470:1a06:1042::2 metric 0
cache
So all ipv6 traffic will follow the path via the tunnel we’ve just created.
Some information about the options used is provided by “man ip-tunnel”
Quote:
mode MODE
set the tunnel mode. Available modes depend on the encapsulating address family.
Modes for IPv4 encapsulation available: ipip, sit, isatap and gre.
Modes for IPv6 encapsulation available: ip6ip6, ipip6 and any.
There are the following IPv4 encapsulation modes:
ipip - IPv4 in IPv4 - protocol 94
Code:
grep -i ipip /etc/protocols
ipip 94 IPIP # IP-within-IP Encapsulation Protocol
sit - IPv6 in IPv4 - protocol 41
gre - GRE header (extra 4 bytes usually) - protocol 47
Code:
grep 47 /etc/protocols
gre 47 GRE # General Routing Encapsulation
Choosing one tunnelling mode over the other is a matter of limitations, support and preference (GRE has extra overhead, the GRE header, but it is MPLS friendly).
Now that the tunnel is set up, there are two types of traffic that need whitelisting in iptables:
1. IPv4 traffic between the HE gateway and your public-facing interface (in both directions) that encapsulates IPv6 packets (IPv4 protocol 41), and
2. the IPv6 traffic ending up on the tunnel interface (tun6 in the example above).
Enable IPv4 traffic that encapsulates ipv6 in iptables:
Code:
iptables -I INPUT -i eth0 -p 41 -s 209.51.161.14 -j ACCEPT
iptables -I OUTPUT -o eth0 -p 41 -d 209.51.161.14 -j ACCEPT
Where "209.51.161.14" is the IPv6 tunnel broker gateway. My example explicitly allows IPv6-in-IPv4 (protocol 41) traffic to and from the broker gateway, as outbound traffic is also filtered.
The second iptables part is that the IPv6 internet-facing interface "tun6" will need more or less the same rules as the "eth0" interface has for IPv4 traffic. With the tunnel you receive a routed /64 IPv6 subnet by default, or a /48 on request. This space can be used on the loopback or by virtual machines (if running KVM) via the internal bridge.
Note: As with IPv4, when IPv6 is enabled on a network or on a host, it is best to start by dropping all IPv6 traffic and allowing only the services intended for this protocol, or to configure all services not to use IPv6 unless necessary.
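As an added example covering both whitelisting steps above and the closing note (this is not the post's or HE's code), the following generates iptables-restore and ip6tables-restore fragments for the two traffic types and audits a ruleset for the mistakes this setup invites: an open INPUT policy, protocol 41 accepted from any peer rather than only the broker gateway, and ICMPv6 blocked on the tunnel. Interface names, the TCP ports exposed and the WEAK_V4 sample are assumptions constructed for the example; the gateway address is the one from the post.

```python
import ipaddress

ICMPV6_RULE = "-A INPUT -p ipv6-icmp -j ACCEPT"


def ipv4_tunnel_ruleset(ifname: str, gateway: str) -> str:
    """iptables-restore text admitting protocol 41 only to and from the broker
    gateway (the two rules the post adds with iptables -I), with a default-drop
    INPUT chain. The host's other IPv4 rules are left out of this fragment."""
    gw = str(ipaddress.IPv4Address(gateway))  # rejects a mistyped address before it reaches iptables
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"-A INPUT -i {ifname} -p 41 -s {gw} -j ACCEPT",
        f"-A OUTPUT -o {ifname} -p 41 -d {gw} -j ACCEPT",
        "COMMIT",
    ]
    return "\n".join(lines) + "\n"


def ipv6_tunnel_ruleset(tun: str, tcp_ports=(22,)) -> str:
    """ip6tables-restore text for the tunnel interface: drop by default, then
    admit only the listed TCP services. ICMPv6 stays open because neighbour
    discovery and Packet Too Big depend on it; with the tunnel MTU at 1480,
    path MTU discovery is what keeps large transfers from stalling."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        ICMPV6_RULE,
    ]
    for port in tcp_ports:
        lines.append(f"-A INPUT -i {tun} -p tcp --dport {int(port)} -m conntrack --ctstate NEW -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def audit_ruleset(text: str, family: str, gateway=None) -> list:
    """Return the weaknesses found in a restore-format ruleset for the given
    family ('inet' for iptables, 'inet6' for ip6tables)."""
    findings = []
    rules = [line.strip() for line in text.splitlines() if line.strip()]
    if not any(r.startswith(":INPUT DROP") for r in rules):
        findings.append("INPUT policy is not DROP")
    if family == "inet":
        for r in rules:
            if "-p 41" in r and "-j ACCEPT" in r:
                peer_flag = "-s " if "-A INPUT" in r else "-d "
                if peer_flag not in r:
                    findings.append(f"protocol 41 accepted for any peer: {r}")
                elif gateway and gateway not in r:
                    findings.append(f"protocol 41 accepted for a peer other than {gateway}: {r}")
    elif family == "inet6":
        if not any("-p ipv6-icmp" in r and "-j ACCEPT" in r for r in rules):
            findings.append("ICMPv6 not accepted: neighbour discovery and PMTUD will break")
    else:
        raise ValueError("family must be 'inet' or 'inet6'")
    return findings


# Constructed weak ruleset for comparison: open policy and protocol 41 from anywhere.
WEAK_V4 = "*filter\n:INPUT ACCEPT [0:0]\n-A INPUT -p 41 -j ACCEPT\nCOMMIT\n"

if __name__ == "__main__":
    print(ipv4_tunnel_ruleset("eth0", "209.51.161.14"))
    print(ipv6_tunnel_ruleset("tun6", (22, 443)))
    print(audit_ruleset(WEAK_V4, "inet", "209.51.161.14"))
```

Load the generated text with iptables-restore or ip6tables-restore (after reviewing it), or keep the generator in whatever provisions the host so the tunnel rules and the default-drop policy are applied together rather than one ahead of the other.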