Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

mandrei99
Post subject: IPv6 tunnel - Debian Linux and tunnelbroker.net - IPv6 in IPv4 (ip protocol 41)  |  Posted: Sun Feb 01, 2015 4:17 am


IPv6 tunnel - Debian Linux and tunnelbroker.net - IPv6 in IPv4 (ip protocol 41)

IPv6 tunnel between Debian Linux and tunnelbroker.net using ip protocol 41 (ipv6 encapsulation in ipv4)

There are many techniques to use IPv6 /64 or even /48 subnets when you do not own an ASN. One of them uses IPv6 tunnel brokers. These are companies that have a huge IPv6 address space allocated to them and delegate smaller blocks, like those mentioned above, to individual users or companies.

Tunnelbroker.net (HE) is one of these brokers; it uses IPv6 encapsulation in IPv4 (protocol id 41: http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers). Their website offers an intuitive form for creating an IPv6 encapsulating tunnel between your public/internet-facing IP and their local gateway (they have multiple gateways across the world).

Unlike IPsec, where NAT-Traversal encapsulates ESP in UDP to be NAT compatible, this method has no NAT-friendly encapsulation, so unless you can forward IPv4 protocol 41 to your private host, it will not work.

Another nice feature of the IPv6 tunnel broker is the examples offered for multiple platforms: Junos, IOS, Linux, BSD, Windows and so on.

Deploying IPv6 tunnel on Debian Linux:


The commands from the example section for Linux are listed below.
Code:
$ sudo modprobe ipv6
$ sudo ip tunnel add tun6 mode sit remote 209.51.161.14 local 11.11.111.11 ttl 255
$ sudo ip link set tun6 up
$ sudo ip addr add 2001:470:1a06:1042::2/64 dev tun6
$ sudo ip route add ::/0 dev tun6
$ sudo ip -f inet6 addr

To make the tunnel persistent after reboot add the following to “/etc/network/interfaces”:
Code:
auto tun6
iface tun6 inet6 static
      address 2001:470:1a06:1042::2/64
      network 2001:470:1a06:1042::0
      pre-up ip tunnel add tun6 mode sit remote 209.51.161.14 local 11.11.111.11 ttl 255
      up ip link set mtu 1480 dev tun6
      up ip ro add ::/0 dev tun6
      post-down ip tunnel del tun6

The above commands create a sit tunnel (IPv6 in IPv4) between the Linux host and the remote gateway and set up a static default route for IPv6 (::/0) via the tunnel interface. Let’s confirm its creation:
Code:
$ sudo ip tunnel show
tun6: ipv6/ip  remote 209.51.161.14  local 11.11.111.11  ttl 255  6rd-prefix 2002::/16
sit0: ipv6/ip  remote any  local any  ttl 64  nopmtudisc 6rd-prefix 2002::/16

Looking at the route towards Google's IPv6 address:
Code:
$ dig +short aaaa google.com
2607:f8b0:4004:807::1008
$ ip -6 ro get 2607:f8b0:4004:807::1008
2607:f8b0:4004:807::1008 from :: via 2607:f8b0:4004:807::1008 dev tun6  src 2001:470:1a06:1042::2  metric 0
    cache

So all IPv6 traffic will follow the path via the tunnel we’ve just created.

Some information about the options used is provided by “man ip-tunnel”:
Quote:
mode MODE
set the tunnel mode. Available modes depend on the encapsulating address family.
Modes for IPv4 encapsulation available: ipip, sit, isatap and gre.
Modes for IPv6 encapsulation available: ip6ip6, ipip6 and any.

There are the following IPv4 encapsulation modes:
ipip - IPv4 in IPv4 - protocol 94
Code:
grep -i ipip /etc/protocols
ipip   94   IPIP      # IP-within-IP Encapsulation Protocol

sit - IPv6 in IPv4 - protocol 41
gre - GRE header (usually 4 extra bytes) - protocol 47
Code:
grep 47 /etc/protocols
gre   47   GRE      # General Routing Encapsulation

Choosing one tunnelling mode over the other is a matter of limitations, support and preference (GRE has extra overhead, the GRE header, but it is MPLS friendly).

Now that the tunnel is set up, two types of traffic need whitelisting in iptables: 1. IPv4 traffic from the HE gateway to your public-facing interface (and the reverse) that encapsulates IPv6 packets (IPv4 protocol 41), and 2. the IPv6 traffic ending up on the tunnel interface (tun6 in the example above).

Allow the IPv4 traffic that encapsulates IPv6 in iptables:


Code:
iptables -I INPUT -i eth0 -p 41 -s 209.51.161.14 -j ACCEPT
iptables -I OUTPUT -o eth0 -p 41 -d 209.51.161.14 -j ACCEPT

Where “209.51.161.14” is the IPv6 tunnel broker gateway. My example explicitly allows IPv6-in-IPv4 (protocol 41) traffic to and from the broker gateway, as outbound traffic is also filtered.

The second iptables part concerns the IPv6 internet-facing interface “tun6”, which needs more or less the same rules as the “eth0” interface has for IPv4 traffic. With the tunnel you receive a routed /64 IPv6 subnet by default, or a /48 on request. This space can be used on loopback or by virtual machines (if running KVM) via the internal bridge.

Note: As with IPv4, when IPv6 is enabled in a network or on a host, it is best to start with dropping all IPv6 traffic and allowing only the services intended for this protocol, or to configure all services not to use IPv6 unless necessary.
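
The two rule sets described above (protocol 41 pinned to the broker on eth0, default-deny IPv6 on tun6), as an added example that is not part of the original post. The function names, the dry-run switch APPLY and TCP port 22 are assumptions for illustration; the addresses and interface names are the post's sample values, and the rules assume they are loaded into empty chains.

```shell
# Added example (not from the original post). Dry run by default: rules are
# printed; set APPLY=1 as root to execute. Assumes empty chains, e.g. at boot.

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

is_ipv4() {
    # Dotted-quad literal only, so a hostname or typo never reaches -s/-d.
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
}

# tunnel_fw WAN_IF TUN_IF BROKER_IPV4 "TCP_PORTS"
tunnel_fw() {
    wan_if=$1; tun_if=$2; broker=$3; tcp_ports=$4
    is_ipv4 "$broker" || { echo "broker must be an IPv4 literal" >&2; return 2; }

    # 1. Outer IPv4 packets: protocol 41 only to and from the broker gateway.
    run iptables -A INPUT -i "$wan_if" -p 41 -s "$broker" -j ACCEPT
    run iptables -A INPUT -i "$wan_if" -p 41 -j DROP
    run iptables -A OUTPUT -o "$wan_if" -p 41 -d "$broker" -j ACCEPT
    run iptables -A OUTPUT -o "$wan_if" -p 41 -j DROP

    # 2. Inner IPv6 packets: loopback, replies, then explicit allows on the tunnel.
    run ip6tables -A INPUT -i lo -j ACCEPT
    run ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # ICMPv6 errors must pass; packet-too-big drives path MTU discovery,
    # which the tunnel's reduced MTU (1480 in the post) depends on.
    for t in destination-unreachable packet-too-big time-exceeded \
             parameter-problem echo-request; do
        run ip6tables -A INPUT -i "$tun_if" -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
    done
    for port in $tcp_ports; do
        run ip6tables -A INPUT -i "$tun_if" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # 3. Default-deny policies last, so no session is cut before its ACCEPT exists.
    run ip6tables -P INPUT DROP
    run ip6tables -P FORWARD DROP
}

# The post's sample values; TCP port 22 is an assumed service for illustration.
tunnel_fw eth0 tun6 209.51.161.14 "22"
```

If the routed /64 is handed to virtual machines over the internal bridge, the FORWARD chain needs its own explicit allows, since its policy is DROP here.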




