IPv6 6to4 tunnels

HA!

I was reviewing a configuration I did some time ago in order to have an exercise for my students and I had the idea to make a blogpost about it.

Transition technologies are very interesting and are inevitable. In one way or another we’ll need to work with IPv6 (for those who aren’t already) and we’ll need to deal with the fact that some networks are already configured for IPv6 while others are not. This brings me to how to deal with IPv4/IPv6 technologies.

Tunnels, Translation, Virtualisation…

So there are many ways to go from IPv4 to IPv6 and to have them coexist inside the same network.

Sure we can configure the two protocols side by side (dual stack) and they will be working separately.

But what if we need to go through a non-IPv6 network ? What if we want to implement IPv6 with scalability in mind on a large environment ?

There are multiple tunneling technologies, like GRE tunnels for example, and 6to4, which is the one we’ll talk about here. On a much larger scale (think service providers) the best option may be to leverage the MPLS network already in place to virtualize IPv6 (6VPE).

In the scenario we have here, let’s imagine we are a customer of an ISP that hasn’t deployed IPv6 support yet. We want to go from site to site in IPv6 over its IPv4 infrastructure. We could deploy multiple GRE tunnels, but the drawbacks are that we need to configure them manually, have one point-to-point tunnel per site, and then we need to deal with routing…

6to4 helps here because we only need one 6to4 tunnel (and only one can be configured anyway), which will take care of the various IPv6 destinations we may have in our network.

6to4

Basic IPv4 reachability

The first thing we need is… IPv4 reachability between sites, because in the end it is IPv4 that will do the transport from one site to another. Then we need to configure our tunnels. Let’s take a look at the topology first :

   
 


I have 3 routers that are my 3 sites, and one router which is the IPv4-only ISP network. Configuring the network is super easy: the ISP will be .1 of each network and my site will be .2. The default gateway is the ISP interface for each site.

R3#ping 1.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/46/60 ms
R3#ping 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/40/60 ms

Tunnel configuration

So next, we need to configure the tunnels. There are some things to know here :

  • The tunnel needs to be in ipv6ip 6to4 mode
  • Only the tunnel source needs to be specified, because at the end it’s the 6to4 mechanism that will find the correct destination
  • The reserved range for 6to4 addressing is 2002::/16
  • The next 16 bits of the address is the IPv4 of the physical interface converted to hexadecimal

So let’s go :

Tunnel on R1

interface Tunnel0
no ip address
no ip redirects
ipv6 address 2002:101:102::1/64
tunnel source FastEthernet0/0
tunnel mode ipv6ip 6to4
end

Tunnel on R2

interface Tunnel0
no ip address
no ip redirects
ipv6 address 2002:202:202::1/64
tunnel source FastEthernet0/0
tunnel mode ipv6ip 6to4
end

Tunnel on R3

interface Tunnel0
no ip address
no ip redirects
ipv6 address 2002:303:302::1/64
tunnel source FastEthernet0/0
tunnel mode ipv6ip 6to4
end

So the IPv6 addresses configured on the tunnel interfaces are the conversion of the IPv4 addresses configured on the physical source interfaces.

For example, R1’s IPv4 address is 1.1.1.2, so the IPv6 prefix will be 2002:0101:0102::/64, and I can choose whatever host address I want within it. This is very important because the 6to4 mechanism converts the IPv6 address back to IPv4 to find the correct IPv4 destination.

We also need to activate IPv6 routing and add a static route saying that the 2002::/16 networks are reachable through the tunnel interface.

ipv6 unicast-routing

ipv6 route 2002::/16 Tunnel0

There is no configuration on the ISP router.

So now, if I try to ping the IPv6 address of R2 from R1, here is what happens :

R1#ping 2002:202:202::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2002:202:202::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/64/92 ms

Behind the scenes, let’s take a look at a Wireshark capture :


Using the result of the IPv6 conversion, the packet is sent to the correct IPv4 address. As the ISP is able to route it, the packet reaches the destination at the other site.
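The address mapping described above, as an added Python example (not code from the original post): per RFC 3056 the 32 bits that follow 2002::/16 carry the site's IPv4 address, which the router extracts to pick the outer IPv4 destination. The function names are hypothetical, and `spoofed_6to4_source` models the decapsulation check usually recommended for 6to4 routers: a 2002::/16 inner source must embed the outer IPv4 source.

```python
import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")


def prefix_for(v4: str) -> ipaddress.IPv6Network:
    """Return the 2002:V4ADDR::/48 prefix that belongs to a site's IPv4 address."""
    v4int = int(ipaddress.IPv4Address(v4))
    # Bits 0-15 are 0x2002, bits 16-47 are the IPv4 address, the rest is free.
    base = int(SIXTOFOUR.network_address) | (v4int << 80)
    return ipaddress.IPv6Network((base, 48))


def tunnel_endpoint(v6: str):
    """IPv4 address a 6to4 router encapsulates towards, or None outside 2002::/16."""
    return ipaddress.IPv6Address(v6).sixtofour


def spoofed_6to4_source(outer_src: str, inner_src: str) -> bool:
    """True when the inner source claims a 6to4 prefix that does not match
    the IPv4 address the encapsulated packet actually came from."""
    embedded = tunnel_endpoint(inner_src)
    if embedded is None:
        return False  # not a 6to4 source, this check does not apply
    return embedded != ipaddress.IPv4Address(outer_src)


if __name__ == "__main__":
    # Site addresses taken from the lab in this post.
    for site, v4 in (("R1", "1.1.1.2"), ("R2", "2.2.2.2"), ("R3", "3.3.3.2")):
        print(site, v4, "->", prefix_for(v4))
    # Destination pinged from R1, and the IPv4 address the tunnel derives from it.
    print("2002:202:202::1 ->", tunnel_endpoint("2002:202:202::1"))
    # Constructed packet: outer source is R2, inner source claims R1's prefix.
    print("spoofed:", spoofed_6to4_source("2.2.2.2", "2002:101:102::1"))
```

Any /64 carved out of a site's /48 still maps to the same IPv4 endpoint, because only the first 48 bits are used for the lookup.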

Remote Networks

Now, how do we route IPv6 to the networks behind these routers ? This is where all the fun starts.

What we can do is take the 6to4 prefix and subnet it: as the first 16 bits will be 2002 and the next 16 bits will still be the result of the IPv4 conversion to hex, the 6to4 solution can still find the correct destination !!!

Let’s configure a loopback on R1 with an IPv6 address based on what we described :

interface Loopback0
no ip address
ipv6 address 2002:101:102:1::1/64
end

Now let’s try on R2 to ping this network :

R2(config-if)#do ping 2002:101:102:1::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2002:101:102:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/60/92 ms

And from R3 ?

R3#ping 2002:101:102:1::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2002:101:102:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/63/64 ms

It works !!

As long as 6to4 is able to find the IPv4 destination based on the address prefix, the destination will be reachable. Local IPv6 networks in the 2002::/16 range will have a longer mask and will not use the tunnel interface, as specified in the IPv6 routing table.

By using this method we need only one tunnel interface in the end.

Going further

I heard you ! You’re asking if we are stuck with the addressing 2002::/16 !

The first answer is no, we can use any prefix and it will work. But the RFC says that the 6to4 reserved prefix is 2002::/16 and we want to obey the RFC so… Why not use routing over the 6to4 tunnel ?

Mmm, so if you have learned your IPv6 routing lesson, which address will an IPv6 routing protocol use for the next hop ?

Link Local Addresses !

So as they are not routable and 6to4 is not a layer 2 tunneling method, we cannot have reachability over the tunnel… But wait… one protocol can use Global Unicast addresses, and this protocol is BGP !

So let’s try to configure iBGP over 6to4 tunnels now.

R1#sh run | s router bgp
router bgp 100
no synchronization
bgp log-neighbor-changes
neighbor 2002:202:202::1 remote-as 100
neighbor 2002:202:202::1 update-source Tunnel0
no auto-summary

   
 

R2(config-router)#do sh run | s router bgp
router bgp 100
no synchronization
bgp log-neighbor-changes
neighbor 2002:101:102::1 remote-as 100
neighbor 2002:101:102::1 update-source Tunnel0
no auto-summary

After one moment of intense suspense (BGP still has this effect on me)

*Mar  1 00:31:57.647: %BGP-5-ADJCHANGE: neighbor 2002:101:102::1 Up

*Mar  1 00:31:57.971: %BGP-5-ADJCHANGE: neighbor 2002:202:202::1 Up

   
 

The BGP session is now up over the tunnel, so we are doing BGP over TCP over IPv6 over IPv4.


Can we advertise other prefixes now ?

Let’s configure another loopback on R1 and advertise it in BGP (I had to modify the BGP configuration a little bit to activate the address family, but this changes nothing) :

R1#sh run | s router bgp
router bgp 100
no synchronization
bgp log-neighbor-changes
neighbor 2002:202:202::1 remote-as 100
neighbor 2002:202:202::1 update-source Tunnel0
no auto-summary
!
address-family ipv6
  neighbor 2002:202:202::1 activate
  network 2001:1111:1111::/64
exit-address-family

Has R2 received the prefix, and can it ping it ?

R2#sh ipv6 route
IPv6 Routing Table - 5 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route, M - MIPv6
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
B   2001:1111:1111::/64 [200/0]
     via 2002:101:102::1
S   2002::/16 [1/0]
     via ::, Tunnel0
C   2002:202:202::/64 [0/0]
     via ::, Tunnel0
L   2002:202:202::1/128 [0/0]
     via ::, Tunnel0
L   FF00::/8 [0/0]
     via ::, Null0

   
 

R2#ping 2001:1111:1111::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:1111:1111::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/64/92 ms
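Why the ping to a non-2002 prefix works, as an added Python example (a simplified model, not code from the original post and not how IOS is implemented): the BGP route points at a 6to4 next hop, that next hop resolves through the static 2002::/16 route to Tunnel0, and the IPv4 endpoint is taken from the next hop rather than from the destination. The route list is copied from R2's table above (the FF00::/8 entry is left out), and the function names are hypothetical.

```python
import ipaddress

# R2's routes as shown above: (prefix, next hop or None, outgoing interface or None)
R2_ROUTES = [
    ("2001:1111:1111::/64", "2002:101:102::1", None),  # B, learned via iBGP
    ("2002::/16", None, "Tunnel0"),                    # S, static
    ("2002:202:202::/64", None, "Tunnel0"),            # C, connected
]


def lookup(dst, routes):
    """Longest-prefix match. Returns (network, next_hop, interface) or None."""
    addr = ipaddress.IPv6Address(str(dst))
    best = None
    for prefix, next_hop, ifc in routes:
        net = ipaddress.IPv6Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, ifc)
    return best


def resolve(dst, routes, max_depth=4):
    """Follow next hops until a route names an interface.

    Returns (interface, ipv4_endpoint) or None when there is no route.
    ipv4_endpoint is None when the last address looked up is not in
    2002::/16, i.e. the tunnel has nothing to derive an IPv4 destination from.
    """
    target = ipaddress.IPv6Address(str(dst))
    for _ in range(max_depth):
        hit = lookup(target, routes)
        if hit is None:
            return None
        _, next_hop, ifc = hit
        if ifc is not None:
            return ifc, target.sixtofour
        target = ipaddress.IPv6Address(next_hop)  # recurse on the BGP next hop
    return None


if __name__ == "__main__":
    for dst in ("2001:1111:1111::1", "2002:101:102:1::1", "2001:db8::1"):
        print(dst, "->", resolve(dst, R2_ROUTES))
```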

Now we can be good boys, obey the RFC, route our IPv6 prefixes and ask the provider to activate IPv6 services !!

Salut !
