Category Archives: Networking

More on IPv6 Addressing

Posted on by cbroccoli
No Comments

I have been reading a couple of RFCs on IPv6 and was getting confused with all of the different address types and definitions, so I have decided to make a cheat-sheet to help me next time I need it….

Defined IP addresses:

  • ::ffff:192.0.2.128     IPv4 mapped IPv6 address
  • 2002::/16    6to4 tunnels
  • 2001::/16    teredo tunnels
  • ::1/128   Loopback (link-local scope)
  • fc00::/7    Unique Local unicast Address (ULA) (global-scope) – see blog on IPv6 Addressing
  • fec::/16    Site-local unicast addresses (obsoleted by ULA)
  • fe80::/16   Link-local unicast addresses
  • ff00::/16    Multicast addresses
  • ff02::/16   Link-local multicast addresses
  • ff05::/16  Site-local multicast addresses
  • ff0e::/16  Global multicast addresses
  • ::/0    Default
  • ::/96 ipv4 compatible addresses (obsolete)
  • 3ffe::/16    6bone address range (no longer in use)
  • 2001:db8::/32    Reserved for documentation
  • 64:ff9b::/96    Well known address for NAT64 used to represent global ipv4 addresses in the ipv6 address space after NAT

I have also discovered via wireshark that there are a lot of users of the link local multicast address ff02::/16:

  • ff02::c     Microsoft Simple Service Discovery Protocol (used for universal PnP)
  • ff02::1     All nodes multicast address
  • ff02::2    All routers multicast address
  • ff02::1:ff_ _:_ _ _ _   Solicited node multicast address  where the _ _:_ _ _ _ are the lower order24 bits of the destination nodes address (used for neighbor solicitation)

So this is what I have found so far.  I will keep adding to the list add  addresses pop-up.

Categories: IPv6, Networking | Tags:

Automatic 6to4 Tunnels

Posted on by cbroccoli
No Comments

To learn about and test the capabilities of site to site tunneling I built the following network, which consists of an IPv4 core (the Internet / legacy corporate network) and two IPv6 islands.  The goal here is to enable communications between the two IPv6 endpoints R7 and R8.

As an additional challenge, I built the core IPv4 network using ISIS as the routing protocol.  I had never used ISIS before and with ISIS being the basis for TRILL, I thought that some first hand experience with it might come in handy.  The ISIS configuration is based on a most excelent tutorial I stumbled across while doing research on FCoE and data center bridging (http://http://www.menog.net/menog-meetings/menog4/presentations/MENOG4-ISIS-Tutorial.pdf).  I won’t go into the details here, so  for the purposes of this entry the IPv4 network can just be considered a cloud.

In this first attempt I decided to try my hand at using an automatic 6to4 tunnel as described in: http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-tunnel_ps6441_TSD_Products_Configuration_Guide_Chapter.html.  The tunnel was built between R5 and R6.

 

One of the interesting things about automatic 6to4 tunnels is that as long as you have end to end IPv4 connectivity between the IPv4 interfaces on your tunnel endpoints, connectivity between the tunnel interfaces will work automatically due to the fact that the IPv4 address is encoded in the tunnel address (AC.10.C8.02 = 172.16.200.2).   Through this mechanism, the tunnel destinations are automatically derived.  If the IPv6 tunnel interfaces of the routers are the next hops in a routing table, then tunnels will be “built” on demand as traffic is routed towards the end destination.  The one essential command is a static route defining that the whole 2002::/16 network is reachable across the tunnel interface:

ipv6 route 2002::/16 Tunnel0

The challenges is configuring dynamic routing between the two networks so that the remote networks are known.  Most dynamic routing protocols will will not work across the tunnel interfaces.  The only one that should work is BGP.  For this test, however, I configured static routes on each end.  For example on R5:

ipv6 route FDC1:E1F2:425D:6::/64 2002:AC10:6402::1

The opposite route was added to R6.  I then redistributed this route into the local routing processes (OSPF in this case) and had connectivity between R7 and R8.

As mentioned, BGP will probably work fine if the other end of the tunnel is a service provider for the IPv6 Internet.  This would be a standard model for connecting and routing with service providers.    For enterprises, where both locations are internal offices (a data center and a branch office for example), BGP would not be the normal routing protocol chosen.  An alternative, since both ends of the tunnel are under the same administrative control, would be to run a totally different tunneling model such as DMVPN, which would allow for OSPF to be implemented as the site-to-site routing protocol.   The complete tunnel interface configurations on both ends are listed below.

For R5:

interface Tunnel0
 no ip address
 no ip redirects
 ipv6 address 2002:AC10:C802::1/64
 ipv6 ospf 100 area 0
 tunnel source Ethernet0/0
 tunnel mode ipv6ip 6to4
!
interface Ethernet0/0
 ip address 172.16.200.2 255.255.255.0

For R6:

interface Tunnel0
 no ip address
 no ip redirects
 ip ospf network non-broadcast
 ipv6 address 2002:AC10:6402::1/64
 ipv6 ospf 100 area 0
 tunnel source Ethernet0/0
 tunnel mode ipv6ip 6to4
!
interface Ethernet0/0
 ip address 172.16.100.2 255.255.255.0

The output from R8:

R8# ping ipv6  FDC1:E1F2:425D:6:CE08:13FF:FE40:0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to FDC1:E1F2:425D:6:CE08:13FF:FE40:0, 
timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max=180/219/312ms

 

Categories: IPv6, Networking

AYIYA Tunnel with SIXXS

Posted on by cbroccoli
No Comments

I discovered SixXS when I was looking for a way to calculate a ULA.  I used their calculator to generate the address I am using in my Lab.

SixXS is tunnel broker which provides access to a network of IPv6 PoPs via tunnels(tunnel servers).  There are a couple of ways to connect to the IPv6 Internet behind the servers, the first being an AYIYA tunnel for individual IPv4 clients generally behind a NAT and the second being 6to4 tunnels for whole subnets.   (for more information see:  www.sixxs.net)

Being an ISP, SixXS provides global IPv6 addresses to their clients based on the ranges they received from their regional address registration authority.

I registered myself with SixXS and requested a AYIYA tunnel.  I also installed the recommended software, the latest AICCU console and the OpenVPN TUN/Tap32 tunnel driver (downloaded from OpenVPN – V 2.1.4).

Once everything was installed, I started AICCU:

c:\aiccu>aiccu-console start
Succesfully retrieved tunnel information for T47241
[warning] Error opening registry key: SYSTEM\CurrentControlSet\Control\Class\{4D
36E972-E325-11CE-BFC1-08002BE10318}\Properties (t1)
[AYIYA-start] : Anything in Anything (draft-02)
[AYIYA-tun->tundev] : (Socket to TUN) started

The tunnel interface shows up under ipconfig as:

Ethernet adapter tunO:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Win32 Adapter V9
Physical Address. . . . . . . . . : 00-FF-ED-4F-3C-A4
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:1620:f00:c7::2(Preferred)
Link-local IPv6 Address . . . . . : fe80::172:291b:56d3:dc47%25(Preferred)
Autoconfiguration IPv4 Address. . : 169.254.220.71(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 2001:1620:f00:c7::1
DHCPv6 IAID . . . . . . . . . . . : 721485805
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-41-B4-A0-18-A9-05-29-EC-7B
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled

There was a problem with browsers when accessing IPv6 enabled web sites.  Apparently in Windows7, the tunnel interface shown above is not considered a real IPv6 enabled interface.  To fix this, I assigned a static IP address to the physical WLAN interface:

Wireless LAN adapter Wireless Network Connection 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Linksys WMP600N Wireless-N PCI Adapter wi
th Dual-Band
Physical Address. . . . . . . . . : 00-25-9C-EB-AC-3B
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : fdc1:e1f2:425d:5::1(Preferred)
Link-local IPv6 Address . . . . . : fe80::f5b3:d8cf:9af:c0db%13(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.103(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 29 November 2010 13:22:06
Lease Expires . . . . . . . . . . : 30 November 2010 13:23:45
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 335553948
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-41-B4-A0-18-A9-05-29-EC-7B
DNS Servers . . . . . . . . . . . : 195.186.1.162
195.186.4.162
NetBIOS over Tcpip. . . . . . . . : Enabled

Once this was done, access to the IPv6 Internet was possible:

C:\Users\cbroccoli>ping -6 ipv6.google.com
Pinging ipv6.l.google.com [2a00:1450:8002::93] with 32 bytes of data:
Reply from 2a00:1450:8002::93: time=93ms
Reply from 2a00:1450:8002::93: time=95ms
Reply from 2a00:1450:8002::93: time=97ms
Reply from 2a00:1450:8002::93: time=95ms
Ping statistics for 2a00:1450:8002::93:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 93ms, Maximum = 97ms, Average = 95ms
C:\Users\cbroccoli>tracert -6 www.kame.net
Tracing route to orange.kame.net [2001:200:dff:fff1:216:3eff:feb1:44d7]
over a maximum of 30 hops:/p>
1 74 ms 74 ms 76 ms gw-200.zrh-02.ch.sixxs.net [2001:1620:f00:c7::1]
2 74 ms 74 ms 74 ms 2001:1620:2005:4::1
3 69 ms 70 ms 73 ms r1zur1.core.init7.net [2001:1620:2::49]
4 74 ms 74 ms 75 ms r1fra1.core.init7.net [2001:1620:2::6]
5 83 ms 87 ms 83 ms r1ams1.core.init7.net [2001:1620:2::66]
6 89 ms 89 ms 91 ms ge-0.ams-ix.amstnl02.nl.bb.gin.ntt.net [2001:7f8:1::a500:2914:1]
7 373 ms 371 ms 453 ms as-4.r21.tokyjp01.jp.bb.gin.ntt.net [2001:418:0:2000::16]
8 368 ms 371 ms 369 ms po-2.a15.tokyjp01.jp.ra.gin.ntt.net [2001:218:0:6000::116]
9 376 ms 376 ms 377 ms ge-8-2.a15.tokyjp01.jp.ra.gin.ntt.net [2001:218:2000:5000::82]
10 376 ms 372 ms 371 ms ve44.foundry6.otemachi.wide.ad.jp [2001:200:0:10::141]
11 374 ms 375 ms 374 ms ve42.foundry4.nezu.wide.ad.jp [2001:200:0:11::66]
12 372 ms 373 ms 371 ms cloud-net1.wide.ad.jp [2001:200:0:1c0a:218:8bff:fe43:d1d0]
13 368 ms 369 ms 367 ms 2001:200:dff:fff1:216:3eff:feb1:44d7
Trace complete.

Also, access to web sites via IE, Chrome and Firefox worked just fine.

When sniffing a tunneled http packet, the IPv6 data is encapsulated as follows:

[ethernet]
[ipv4 headder] – ipv4 source and destination for the tunnel
[udp] – ayiya port 5072
[ayiya headder]-here ipv6 ip address of the tunnel source of the packet is included as the ID
[ipv6 headder] – with theactual source and destination for the http session
[tcp]
[http]
[data]

Categories: IPv6, Networking | Tags: