Just recently the last two IPv4 /8s [1] were allocated by IANA, setting off IPv4 address space exhaustion [2]. While the issue has been well known for years, and many people have been promoting IPv6 [3], only a few companies have migrated their networks and services [4,7]. It is now receiving its long-demanded attention.
I am currently working on IPv6 security implementations and would like to give feedback on how to migrate IPv4 networks into dual-stacked IPv6 networks securely. This article starts off with an example of a tunnel broker setup to help people get their first hands-on IPv6 experience. More advanced topics, focusing on various security issues, are planned to be published part by part. Stay tuned on IPv6.
IPv6 in IPv4 tunneling:
From Wikipedia (http://en.wikipedia.org/wiki/Tunnel_broker) “A tunnel broker is a service which provides a network tunnel. These tunnels can provide encapsulated connectivity over existing infrastructure to a new infrastructure.
There are a variety of tunnel brokers, though most commonly the term is used to refer to an IPv6 tunnel broker, as defined in RFC 3053 [5]. These commonly provide IPv6 tunnels to endusers/endsites using either manual, scripted or automatic configuration. In general tunnel brokers offer so called ‘protocol 41’ or proto-41 tunnels. These are tunnels where IPv6 is tunneled directly inside IPv4 by having the protocol field set to ‘41’ (IPv6) in the IPv4 packet.”
Basically, an IPv6 tunnel broker allows you to connect to and communicate with existing IPv6 networks even if your service provider's network only supports IPv4. It allows testing an IPv6 deployment where some network node or transit link is not fully IPv6 enabled.
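To make the proto-41 encapsulation described above concrete, here is an added example (not part of the original article) that inspects a raw IPv4 packet, checks the protocol field for 41 and reads the addresses of the tunneled IPv6 packet, which is the view an IPv4-only firewall or monitor needs in order to see what a tunnel carries. The function names are hypothetical and the sample packet is constructed from documentation address ranges.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv4 protocol number for IPv6-in-IPv4 (proto-41)

def parse_proto41(packet: bytes):
    """Return tunnel endpoints and inner IPv6 addresses, or None if not proto-41."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                      # not an IPv4 packet
    ihl = (packet[0] & 0x0F) * 4         # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl or packet[9] != IPPROTO_IPV6:
        return None                      # malformed header or another protocol
    info = {
        "outer_src": str(ipaddress.IPv4Address(packet[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "inner_src": None, "inner_dst": None, "inner_next_header": None,
    }
    inner = packet[ihl:]
    # A valid inner packet starts with a 40-byte IPv6 header (version nibble 6).
    if len(inner) >= 40 and inner[0] >> 4 == 6:
        info["inner_src"] = str(ipaddress.IPv6Address(inner[8:24]))
        info["inner_dst"] = str(ipaddress.IPv6Address(inner[24:40]))
        info["inner_next_header"] = inner[6]
    return info

def build_sample(proto: int) -> bytes:
    """Constructed packet (documentation addresses, checksum left at 0)."""
    v6 = struct.pack("!IHBB", 6 << 28, 0, 58, 64)   # next header 58 = ICMPv6
    v6 += ipaddress.IPv6Address("2001:db8::2").packed
    v6 += ipaddress.IPv6Address("2001:db8::1").packed
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address("192.0.2.10").packed,
                     ipaddress.IPv4Address("198.51.100.1").packed)
    return v4 + v6

if __name__ == "__main__":
    for label, pkt in [("proto-41", build_sample(41)), ("tcp", build_sample(6)),
                       ("truncated", build_sample(41)[:30])]:
        print(label, parse_proto41(pkt))
```

AYIYA tunnels, such as the sample tunnel shown below, carry IPv6 inside UDP rather than proto-41, so this check does not match them.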
Subscribing for IPv6 tunnel service with SixXS Tunnelbroker:
Please note that SixXS is just one of several tunnel brokers available [6]. At the time I came across IPv6 tunneling, this was simply one of the most popular ones.
Sign up for a SixXS handle: http://www.sixxs.net/signup/create/
You will receive a confirmation mail with your username, password, tunnel id and further details, e.g. to log in to the main website with your login details, request a tunnel and wait for tunnel approval.
Tunnel Name : My V6 Tunnel
PoP Name : gblon02
PoP Location : London, United Kingdom (Great Britain)
PoP IPv4 : 77.75.104.126
Your Location : Peterborough, United Kingdom (Great Britain)
Your IPv4 : AYIYA, currently 80.40.20.10
IPv6 Prefix : 2a01:348:6:157::1/64
PoP IPv6 : 2a01:348:6:157::1
Your IPv6 : 2a01:348:6:157::2
Created : 2008-11-11 15:17:51 CEST
State : AYIYA (automatically enabled on the fly)
This is a sample of the authentication data provided to the user:
Username : BMsixxs-SIXXS
Password : TrfGvfda
URL to logon and verify : https://www.sixxs.net/home/
Setup for Windows (XP) example using SixXS Tunnelbroker:
Install the Windows XP IPv6 TCP/IP stack by typing the following into a command line, then reboot:
ipv6 install
Install the OpenVPN software bundle with default settings (http://openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe).
You do not need to run/configure any OpenVPN application; we just need the “tap” driver to get aiccu working. The SixXS tap driver from their own site didn’t work for me.
(Note that you need another reboot.)
Download the Windows(XP) Aiccu Gui version from http://www.sixxs.net/archive/sixxs/aiccu/windows/aiccu-current-gui.exe .
Start the Windows(XP) Aiccu Gui version. Type in your username and password, select your tunnel and click enable.
In a Windows command shell you should now be able to ping ipv6.google.com (note that the firewall might block your ICMP echo request):
C:\Documents and Settings\Administrator>ping6 ipv6.google.com
Pinging ipv6.l.google.com [2001:4860:a003::68]
Reply from 2001:4860:a003::68: bytes=32 time=104ms
You can also test your IPv6 connectivity by directing your browser to the URL:
http://ipv6.google.com
Your “ipconfig” output now looks similar to:
C:\Documents and Settings\Administrator>ipconfig /all
Windows IP Configuration
   Host Name . . . . . . . . . . . . : wawabinbung
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix . : dyn.bernd.marienfeldt.de
Ethernet adapter aiccu:
   Connection-specific DNS Suffix . :
Tunnel adapter Teredo Tunneling Pseudo-Interface:
   Connection-specific DNS Suffix . :
Tunnel adapter 6to4 Tunneling Pseudo-Interface:
   Connection-specific DNS Suffix . : dyn.bernd.marienfeldt.de
Tunnel adapter Automatic Tunneling Pseudo-Interface:
   Connection-specific DNS Suffix . : dyn.bernd.marienfeldt.de
Example Setup Linux Ubuntu using SixXS Tunnelbroker:
Install “aiccu”, the SixXS client application:
sudo aptitude install aiccu
Provide the username, password and tunnel id (if necessary) during the setup. This will all be set for you during the installation, but you can find the config in:
/etc/aiccu
username Charly-SIXXS
Your network should now be configured and ready to go:
ifconfig -a
sixxs Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
Again you can test your IPv6 connectivity:
bernd@isopiece:~$ ping6 ipv6.google.com
PING ipv6.google.com(fx-in-x68.google.com) 56 data bytes
64 bytes from fx-in-x68.google.com: icmp_seq=1 ttl=56 time=95.7 ms
64 bytes from fx-in-x68.google.com: icmp_seq=2 ttl=56 time=96.8 ms
64 bytes from fx-in-x68.google.com: icmp_seq=3 ttl=56 time=96.4 ms
^C
IPv6 Enabled Websites:
http://www.sixxs.net/wiki/IPv6_Enabled_Websites [7]
References:
[1] CIDR: http://en.wikipedia.org/wiki/CIDR or http://tinyurl.com/27jw9x
[2] IPv4 exhaustion
[3] IPv6, http://en.wikipedia.org/wiki/Ipv6 or http://tinyurl.com/9wjqy
[4] Pushing towards IPv6 implementations:
[5] RFC 3053, IPv6 Tunnel Broker from 2001: http://www.ietf.org/rfc/rfc3053
[6] List of tunnel brokers
[7] List of IPv6 enabled websites: http://www.sixxs.net/wiki/IPv6_Enabled_Websites or http://tinyurl.com/6lbubxp