Setup of point-to-point tunnel

9.1. Types of tunnels

There are more than one possibility to tunnel IPv6 packets over IPv4-only links.

9.1.1. Static point-to-point tunneling: 6bone

A point-to-point tunnel is a dedicated tunnel to an endpoint, which knows about your IPv6 network (for backward routing) and the IPv4 address of your tunnel endpoint and defined in RFC 2893 / Transition Mechanisms for IPv6 Hosts and Routers. Requirements:

• IPv4 address of your local tunnel endpoint must be static, global unique and reachable from the foreign tunnel endpoint
• A global IPv6 prefix assigned to you (see 6bone registry)
• A foreign tunnel endpoint which is capable to route your IPv6 prefix to your local tunnel endpoint (mostly remote manual configuration required)

9.1.2. Automatically tunneling

Automatic tunneling occurs, when a node directly connects another node gotten the IPv4 address of the other node before.

9.1.3. 6to4-Tunneling

6to4 tunneling (RFC 3056 / Connection of IPv6 Domains via IPv4 Clouds) uses a simple mechanism to create automatic tunnels. Each node with a global unique IPv4 address is able to be a 6to4 tunnel endpoint (if no IPv4 firewall prohibits traffic). 6to4 tunneling is mostly not a one-to-one tunnel. This case of tunneling can be divided into upstream and downstream tunneling. Also, a special IPv6 address indicates that this node will use 6to4 tunneling for connecting the world-wide IPv6 network

9.1.3.1. Generation of 6to4 prefix

The 6to4 address is defined like following (schema is taken from RFC 3056 / Connection of IPv6 Domains via IPv4 Clouds):

| 3+13 | 32 | 16 | 64 bits | +---+------+-----------+--------+--------------------------------+ | FP+TLA | V4ADDR | SLA ID | Interface ID | | 0x2002 | | | | +---+------+-----------+--------+--------------------------------+

FP and TLA together (16 bits) have the value 0x2002. V4ADDR is the node's global unique IPv4 address (in hexadecimal notation). SLA is the subnet identifier (65536 local subnets possible) and are usable to represent your local network structure.
For gateways, such prefix is generated by normally using SLA “0000” and suffix “::1” (not a must, can be an arbitrary one with local-scope) and assigned to the 6to4 tunnel interface. Note that Microsoft Windows uses V4ADDR also for suffix.

9.1.3.2. 6to4 upstream tunneling

The node has to know to which foreign tunnel endpoint its in IPv4 packed IPv6 packets should be send to. In “early” days of 6to4 tunneling, dedicated upstream accepting routers were defined. See NSayer's 6to4 information for a list of routers.
Nowadays, 6to4 upstream routers can be found auto-magically using the anycast address 192.88.99.1. In the background routing protocols handle this, see RFC 3068 / An Anycast Prefix for 6to4 Relay Routers for details.

9.1.3.3. 6to4 downstream tunneling

The downstream (6bone -> your 6to4 enabled node) is not really fix and can vary from foreign host which originated packets were send to. There exist two possibilities:

• Foreign host uses 6to4 and sends packet direct back to your node (see below)
• Foreign host sends packets back to the world-wide IPv6 network and depending on the dynamic routing a relay router create a automatic tunnel back to your node.

9.1.3.4. Possible 6to4 traffic

• from 6to4 to 6to4: is normally directly tunneled between the both 6to4 enabled hosts
• from 6to4 to non-6to4: is sent via upstream tunneling
• non-6to4 to 6to4: is sent via downstream tunneling

9.2. Displaying existing tunnels

9.2.1. Using "ip"

Usage:

# /sbin/ip -6 tunnel show [<device>]

Example:

# /sbin/ip -6 tunnel show sit0: ipv6/ip remote any local any ttl 64 nopmtudisc sit1: ipv6/ip remote 195.226.187.50 local any ttl 64

9.2.2. Using "route"

Usage:

# /sbin/route -A inet6

Example (output is filtered to display only tunnels through virtual interface sit0):

# /sbin/route -A inet6 | grep "\Wsit0\W*$" ::/96 :: U 256 2 0 sit0 2002::/16 :: UA 256 0 0 sit0 2000::/3 ::193.113.58.75 UG 1 0 0 sit0 fe80::/10 :: UA 256 0 0 sit0 ff00::/8 :: UA 256 0 0 sit0

9.3. Setup of point-to-point tunnel

There are 3 possibilities to add or remove point-to-point tunnels.
A good additional information about tunnel setup using “ip” is Configuring tunnels with iproute2 (article) (Mirror).

9.3.1. Add point-to-point tunnels

9.3.1.1. Using "ip"

Common method at the moment for a small amount of tunnels.
Usage for creating a tunnel device (but it's not up afterward, also a TTL must be specified because the default value is 0).

# /sbin/ip tunnel add <device> mode sit ttl <ttldefault> remote ¬ <ipv4addressofforeigntunnel> local <ipv4addresslocal>

Usage (generic example for three tunnels):

# /sbin/ip tunnel add sit1 mode sit ttl <ttldefault> remote ¬ <ipv4addressofforeigntunnel1> local <ipv4addresslocal> # /sbin/ip link set dev sit1 up # /sbin/ip -6 route add <prefixtoroute1> dev sit1 metric 1 # /sbin/ip tunnel add sit2 mode sit ttl <ttldefault> ¬ <ipv4addressofforeigntunnel2> local <ipv4addresslocal> # /sbin/ip link set dev sit2 up # /sbin/ip -6 route add <prefixtoroute2> dev sit2 metric 1 # /sbin/ip tunnel add sit3 mode sit ttl <ttldefault> ¬ <ipv4addressofforeigntunnel3> local <ipv4addresslocal> # /sbin/ip link set dev sit3 up # /sbin/ip -6 route add <prefixtoroute3> dev sit3 metric 1

9.3.1.2. Using "ifconfig" and "route" (deprecated)

This not very recommended way to add a tunnel because it's a little bit strange. No problem if adding only one, but if you setup more than one, you cannot easy shutdown the first ones and leave the others running.
Usage (generic example for three tunnels):

# /sbin/ifconfig sit0 up # /sbin/ifconfig sit0 tunnel <ipv4addressofforeigntunnel1> # /sbin/ifconfig sit1 up # /sbin/route -A inet6 add <prefixtoroute1> dev sit1 # /sbin/ifconfig sit0 tunnel <ipv4addressofforeigntunnel2> # /sbin/ifconfig sit2 up # /sbin/route -A inet6 add <prefixtoroute2> dev sit2 # /sbin/ifconfig sit0 tunnel <ipv4addressofforeigntunnel3> # /sbin/ifconfig sit3 up # /sbin/route -A inet6 add <prefixtoroute3> dev sit3

Important: DON'T USE THIS, because this setup implicit enable "automatic tunneling" from anywhere in the Internet, this is a risk, and it should not be advocated.

9.3.1.3. Using "route" only

It's also possible to setup tunnels in Non Broadcast Multiple Access (NBMA) style, it's a easy way to add many tunnels at once. But none of the tunnel can be numbered (which is a not required feature).
Usage (generic example for three tunnels):

# /sbin/ifconfig sit0 up # /sbin/route -A inet6 add <prefixtoroute1> gw ¬ ::<ipv4addressofforeigntunnel1> dev sit0 # /sbin/route -A inet6 add <prefixtoroute2> gw ¬ ::<ipv4addressofforeigntunnel2> dev sit0 # /sbin/route -A inet6 add <prefixtoroute3> gw ¬ ::<ipv4addressofforeigntunnel3> dev sit0

Important: DON'T USE THIS, because this setup implicit enable "automatic tunneling" from anywhere in the Internet, this is a risk, and it should not be advocated.

9.3.2. Removing point-to-point tunnels

Manually not so often needed, but used by scripts for clean shutdown or restart of IPv6 configuration.

9.3.2.1. Using "ip"

Usage for removing a tunnel device:

# /sbin/ip tunnel del <device>

Usage (generic example for three tunnels):

# /sbin/ip -6 route del <prefixtoroute1> dev sit1 # /sbin/ip link set sit1 down # /sbin/ip tunnel del sit1 # /sbin/ip -6 route del <prefixtoroute2> dev sit2 # /sbin/ip link set sit2 down # /sbin/ip tunnel del sit2 # /sbin/ip -6 route del <prefixtoroute3> dev sit3 # /sbin/ip link set sit3 down # /sbin/ip tunnel del sit3

9.3.2.2. Using "ifconfig" and "route" (deprecated because not very funny)

Not only the creation is strange, the shutdown also...you have to remove the tunnels in backorder, means the latest created must be removed first.
Usage (generic example for three tunnels):

# /sbin/route -A inet6 del <prefixtoroute3> dev sit3 # /sbin/ifconfig sit3 down # /sbin/route -A inet6 del <prefixtoroute2> dev sit2 # /sbin/ifconfig sit2 down # /sbin/route -A inet6 add <prefixtoroute1> dev sit1 # /sbin/ifconfig sit1 down # /sbin/ifconfig sit0 down

9.3.2.3. Using "route"

This is like removing normal IPv6 routes.
Usage (generic example for three tunnels):

# /sbin/route -A inet6 del <prefixtoroute1> gw ¬ ::<ipv4addressofforeigntunnel1> dev sit0 # /sbin/route -A inet6 del <prefixtoroute2> gw ¬ ::<ipv4addressofforeigntunnel2> dev sit0 # /sbin/route -A inet6 del <prefixtoroute3> gw ¬ ::<ipv4addressofforeigntunnel3> dev sit0 # /sbin/ifconfig sit0 down

9.3.3. Numbered point-to-point tunnels

Sometimes it's needed to configure a point-to-point tunnel with IPv6 addresses like in IPv4 today. This is only possible with the first (ifconfig+route - deprecated) and third (ip+route) tunnel setup. In such cases, you can add the IPv6 address to the tunnel interface like shown on interface configuration.

9.4. Setup of 6to4 tunnels

Pay attention that the support of 6to4 tunnels currently lacks on vanilla kernel series 2.2.x (see systemcheck/kernel for more information). Also note that that the prefix length for a 6to4 address is 16 because of from network point of view, all other 6to4 enabled hosts are on the same layer 2.

9.4.1. Add a 6to4 tunnel

First, you have to calculate your 6to4 prefix using your local assigned global routable IPv4 address (if your host has no global routable IPv4 address, in special cases NAT on border gateways is possible):
Assuming your IPv4 address is

1.2.3.4

the generated 6to4 prefix will be

2002:0102:0304::

Local 6to4 gateways should (but it's not a must, you can choose an arbitrary suffix with local-scope, if you feel better) always assigned the suffix “::1”, therefore your local 6to4 address will be

2002:0102:0304::1

Use e.g. following for automatic generation:

ipv4="1.2.3.4"; printf "2002:%02x%02x:%02x%02x::1" `echo $ipv4 | tr "." " "`

There are two ways possible to setup 6to4 tunneling now.

9.4.1.1. Using "ip" and a dedicated tunnel device

This is now the recommended way (a TTL must be specified because the default value is 0).
Create a new tunnel device

# /sbin/ip tunnel add tun6to4 mode sit ttl <ttldefault> remote any local ¬ <localipv4address>

Bring interface up

# /sbin/ip link set dev tun6to4 up

Add local 6to4 address to interface (note: prefix length 16 is important!)

# /sbin/ip -6 addr add <local6to4address>/16 dev tun6to4

Add (default) route to the global IPv6 network using the all-6to4-routers IPv4 anycast address

# /sbin/ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4 metric 1

It was reported that some versions of “ip” (e.g. SuSE Linux 9.0) don't support IPv4-compatible IPv6 addresses for gateways, in this case the related IPv6 address has to be used:

# /sbin/ip -6 route add 2000::/3 via 2002:c058:6301::1 dev tun6to4 metric 1

9.4.1.2. Using "ifconfig" and "route" and generic tunnel device “sit0” (deprecated)

This is now deprecated because using the generic tunnel device sit0 doesn't let specify filtering per device.
Bring generic tunnel interface sit0 up

# /sbin/ifconfig sit0 up

Add local 6to4 address to interface

# /sbin/ifconfig sit0 add <local6to4address>/16

Add (default) route to the global IPv6 network using the all-6to4-relays IPv4 anycast address

# /sbin/route -A inet6 add 2000::/3 gw ::192.88.99.1 dev sit0

9.4.2. Remove a 6to4 tunnel

9.4.2.1. Using "ip" and a dedicated tunnel device

Remove all routes through this dedicated tunnel device

# /sbin/ip -6 route flush dev tun6to4

Shut down interface

# /sbin/ip link set dev tun6to4 down

Remove created tunnel device

# /sbin/ip tunnel del tun6to4

9.4.2.2. Using “ifconfig” and “route” and generic tunnel device “sit0” (deprecated)

Remove (default) route through the 6to4 tunnel interface

# /sbin/route -A inet6 del 2000::/3 gw ::192.88.99.1 dev sit0

Remove local 6to4 address to interface

# /sbin/ifconfig sit0 del <local6to4address>/16

Shut down generic tunnel device (take care about this, perhaps it's still in use...)

# /sbin/ifconfig sit0 down