Using 6to4 for IPv6 at Home
By stretch | Wednesday, March 17, 2010 at 4:22 a.m. UTC
Earlier this week, we looked at using 6to4 tunnels to establish IPv6 connectivity among sites separated by an IPv4-only transit network. This article extends that concept a bit further to show how you can take advantage of 6to4 tunneling to achieve IPv6 (albeit non-native) access to the public Internet, even from home.
This article discusses configuration of the 6to4 tunnel on an IOS-based access router; however, the concept applies to any router or end host that supports 6to4 tunneling and has a global IPv4 address.
Step 1: Find a 6to4 Relay Near You
Like any tunnel, our 6to4 tunnel must have two endpoints. One end will obviously be our local site, but the other must be some point with both IPv4 and IPv6 Internet access. A number of carriers and service providers operate public 6to4 relays for this purpose. In the past, one would have to search for a relay manually. Fortunately, RFC 3068 introduced a well-known anycast address by which to automatically reach the nearest (as determined by BGP) public 6to4 relay.
The 6to4 relay anycast addresses are:
- IPv4: 192.88.99.1
- IPv6: 2002:c058:6301:: (2002::/16 + the IPv4 address in hex)
A simple traceroute will determine the nearest 6to4 relay:
$ traceroute 22.214.171.124
traceroute to 126.96.36.199 (188.8.131.52), 30 hops max, 40 byte packets
 1  192.168.10.1 (192.168.10.1)  0.373 ms  2.951 ms  2.794 ms
 2  10.4.16.1 (10.4.16.1)  7.020 ms  12.463 ms  12.596 ms
 3  ip72-219-223-217.dc.dc.cox.net (184.108.40.206)  12.097 ms  13.054 ms  13.248 ms
 4  mrfddsrj02-ge110.rd.dc.cox.net (220.127.116.11)  12.657 ms  12.770 ms  12.878 ms
 5  ashbbrj02-as0.0.r2.as.cox.net (18.104.22.168)  29.782 ms  13.392 ms  29.871 ms
 6  22.214.171.124 (126.96.36.199)  13.611 ms  9.034 ms  10.151 ms
I'm lucky enough to have access to a relay just ~11 msec away (round-trip)!
Step 2: Ensure IPv6 Routing is Enabled
Your IPv6 packets won't go far without this:
Router(config)# ipv6 unicast-routing
Step 3: Configure the Tunnel Interface on the Router
Before we can configure the tunnel, we must know the public IPv4 address we'll be using to access the IPv4 Internet. Note that for reliable persistent operation, this must be a static address (versus one assigned via DHCP). In this example we'll be using the IPv4 address 70.174.182.38.
To calculate the 6to4 prefix for the tunnel interface, we convert the 32-bit IPv4 address into hexadecimal and append it to the 2002::/16 IPv6 prefix to get 2002:46AE:B626::/48. The actual address we use for our tunnel interface can be any address within this prefix; for our example, we'll use 2002:46AE:B626::/128.
Now we can configure our tunnel interface:
interface Tunnel0
 description 6to4
 ipv6 address 2002:46AE:B626::/128
 tunnel source 70.174.182.38
 tunnel mode ipv6ip 6to4
Step 4: Set Up IPv6 Routes
Two IPv6 routes are needed to make this work. First, we need a route for 2002::/16 pointing out our 6to4 tunnel. Second, we need a default route pointing to the 6to4 relay IPv6 anycast address (2002:C058:6301::):
ipv6 route 2002::/16 Tunnel0
ipv6 route ::/0 2002:C058:6301::
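The prefix calculation from Step 3 and the next-hop lookup implied by the two routes in Step 4 can be reproduced in a few lines. This is an added example, not code from the original article; the function names are hypothetical, and the check that rejects non-global IPv4 addresses is an assumption reflecting the article's requirement of a global IPv4 address.

```python
import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")
RELAY_ANYCAST_V6 = "2002:C058:6301::"   # default-route next hop from Step 4


def sixtofour_prefix(ipv4):
    """Return the /48 6to4 prefix that belongs to a public IPv4 address."""
    v4 = ipaddress.IPv4Address(ipv4)
    # Assumption: refuse addresses that cannot be a 6to4 tunnel endpoint
    # on the public Internet (RFC 1918, loopback, multicast, unspecified).
    if v4.is_private or v4.is_loopback or v4.is_multicast or v4.is_unspecified:
        raise ValueError(f"{v4} is not a global unicast IPv4 address")
    # 16 bits of 0x2002, then the 32-bit IPv4 address, then 80 zero bits.
    base = (0x2002 << 112) | (int(v4) << 80)
    return ipaddress.IPv6Network((base, 48))


def embedded_ipv4(ipv6):
    """Return the IPv4 address embedded in a 6to4 address, or None."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in SIXTOFOUR:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def tunnel_endpoint(destination):
    """Mimic the two static routes: 2002::/16 goes straight out the tunnel,
    everything else follows ::/0 to the relay anycast address."""
    direct = embedded_ipv4(destination)
    if direct is not None:
        return direct                       # ipv6 route 2002::/16 Tunnel0
    return embedded_ipv4(RELAY_ANYCAST_V6)  # ipv6 route ::/0 2002:C058:6301::


if __name__ == "__main__":
    # 46AE:B626 is the hex form of 70.174.182.38 (prefix used in the article).
    print(sixtofour_prefix("70.174.182.38"))
    print(tunnel_endpoint("2002:46ae:b626:1::1"))   # another 6to4 site
    print(tunnel_endpoint("2001:4860:800e::68"))    # native IPv6 host
```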
Step 5: Number the Inside IPv6 Network(s)
The entire 2002:46AE:B626::/48 prefix (minus the subnet used for the tunnel interface) is available to number the internal IPv6 networks. For example, if we have a collection of internal hosts on VLAN 10, we can assign our VLAN 10 interface the address 2002:46AE:B626:1::1/64. IPv6-enabled hosts on this VLAN should automatically detect the presence of an IPv6 router and assign themselves an IPv6 address from this subnet using address autoconfiguration.
$ ip -6 address list eth0
5: eth0: mtu 1500 qlen 1000
    inet6 2002:46ae:b626:1:21d:60ff:feb3:184/64 scope global dynamic
       valid_lft 2591870sec preferred_lft 604670sec
    inet6 fe80::21d:60ff:feb3:184/64 scope link
       valid_lft forever preferred_lft forever
If desired, one also has the option to assign IPv6 addresses to internal hosts manually, or to use DHCPv6.
You may also configure one or two public IPv6 DNS servers on your hosts, but IPv6 DNS information (e.g. AAAA records) can be carried over IPv4 DNS just as well.
At this point you should have IPv6 connectivity to the world. Some sites to test include:
- http://ipv6.google.com/ or http://[2001:4860:800e::68]/
- http://www.kame.net/ or http://[2001:200:0:8002:203:47ff:fea5:3085]/
March 17, 2010 at 4:46 a.m. UTC
This is awesome! Wow!
March 17, 2010 at 7:54 a.m. UTC
A question that has arisen for me... How come the Tunnel0 interface doesn't have a "tunnel destination" command, only "tunnel source ..."? I mean, how does the tunnel know where to terminate? Does it always look for 220.127.116.11 as the remote end, so it is not necessary to provide it?
March 17, 2010 at 8:12 a.m. UTC
@ppalias: That's the "magic" behind 6to4. The destination IPv4 address is determined from the next-hop IPv6 address. Our default IPv6 route points to 2002:C058:6301::; because the tunnel mode is 6to4, C058:6301 is converted into the IPv4 address 18.104.22.168 to be used as the tunnel destination.
The theory behind 6to4 is explained more in-depth in the prior article, 6to4 IPv6 Tunneling.
March 17, 2010 at 8:47 a.m. UTC
Thank you Stretch, I understood that IPv4 to IPv6 had this hexadecimal conversion of the IPv4 address, but it didn't cross my mind that the reverse was automatically done to find the tunnel destination.
March 17, 2010 at 2:31 p.m. UTC
Very Cool. Thanks
March 24, 2010 at 4:58 a.m. UTC
For those interested, BGPmon.net keeps a list of networks that run 6to4 relay servers. http://www.bgpmon.net/6to4.php
This list is updated once a day.
March 25, 2010 at 10:39 a.m. UTC
I'm going to give this a try sometime soon on my 877W at home. I know Google are already running a number of services via IPv6, which is a good way to test.
April 28, 2011 at 11:32 a.m. UTC
Quick question for you regarding the above article.
Let’s say I'm trying to access ipv6.google.com from my home network. My router which services the home network is performing 6to4 tunnelling to the nearest 6to4 relay router via the anycast method detailed in the above article.
Once the traffic has passed through said relay and hits Google, my return traffic would most likely be returned through a completely different relay, most likely the closest BGP4+ router advertising the 2002::/16 prefix?
I believe this is correct but wanted to check.
July 27, 2011 at 2:05 p.m. UTC
Just thought this might be interesting. I have been using an OpenVPN service from http://vpnv6.com on Windows 7 for a few months now. I seem to be able to browse to those IPv6 websites you have listed without any configuration on my Windows at all. IPv6 browsing just works once I'm connected to the VPN.