Setup for IPv6 tunnel test

Started by UltraZero, January 22, 2011, 05:21:42 PM


UltraZero

Good day.  I have a question in reference to setting up the Tunnel

I have a small network consisting of several Cisco Switches and routers.

Of course some of these units don't support IPv6, which means I have to work around this problem.

The question is this.  I have a Dlink unit which is attached to my small 6 Meg DSL connection.  It is not IPv6 aware.  Knowing this, will I need to put something else in its place to allow IPv6 to be tunneled in, or can I simply let the tunnel process happen behind the DLINK unit on my Cisco router?  Otherwise, need I run a dual stack router right up to my DSL modem?

Seeing I have never setup something like this before, I'd like a little insight as to how this should work.

I understand the dual stack concept as far as all devices running basically IPv4 and IPv6, but the tunneling is something I am wondering how this happens.

Also, I gather edge routers are what is basically doing the tunneling, but in my situation I have a DLINK unit which I think is going to be the problem for my network.

Can someone confirm this please and maybe provide a solution.

Thanks much.

UltraZero

cholzhauer

Quote
Knowing this, will I need to put something else in its place to allow IPv6 to be tunneled in, or can I simply let the tunnel process happen behind the DLINK unit on my Cisco router?  Otherwise, need I run a dual stack router right up to my DSL modem?

Either/or.  If you can pass protocol 41 to your cisco router, you can leave your Dlink in place.  If you can't, you'll need to either replace it or put your Cisco router ahead of it in the chain.

Your tunnel would be 6in4...the device you host the tunnel on would just encapsulate ipv6 packets in ipv4 packets and send them to HE, which tears off the v4 stuff and sends the v6 traffic onwards.

Hope that makes sense...let me know if you need something clarified.
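To make the "protocol 41" point concrete, here is an added example (not code from the thread or from Hurricane Electric) that builds a 6in4 packet the way a tunnel endpoint does: an IPv6 packet placed directly behind an IPv4 header whose protocol field is 41 (RFC 4213), and then the reverse operation at the far end. All IPv4 and IPv6 addresses in it are constructed placeholders. The outer header carries no TCP or UDP ports, which is exactly why a consumer gateway that only knows how to forward TCP/UDP flows has to be told to pass protocol 41 to the inside router; the decapsulation side also shows the checks the receiving endpoint should make (correct protocol number, intact header checksum, and outer source equal to the configured tunnel peer) before trusting the inner IPv6 packet.

```python
"""6in4 encapsulation and decapsulation (IP protocol 41, RFC 4213).

Added example for illustration; addresses are constructed placeholders,
not real tunnel endpoints.
"""
import ipaddress
import struct

IPPROTO_IPV6 = 41  # the "protocol 41" the upstream gateway has to pass through

# Constructed sample endpoints (placeholders).
LOCAL_V4 = "198.51.100.10"   # our router's public IPv4 address behind the DSL line
BROKER_V4 = "203.0.113.1"    # the tunnel broker's IPv4 endpoint
LOCAL_V6 = "2001:db8:1::2"   # our side of the tunnel's point-to-point /64
REMOTE_V6 = "2001:db8:1::1"  # the broker's side


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header.

    Over a header whose checksum field is already filled in, the result is 0.
    """
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv6_packet(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    """Minimal IPv6 packet: 40-byte header (version 6, hop limit 64) plus payload."""
    header = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return (header
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed
            + payload)


def parse_ipv6(packet: bytes):
    """Return (src, dst, next_header, payload) of an IPv6 packet."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    _, payload_len, next_header, _ = struct.unpack("!IHBB", packet[:8])
    src = str(ipaddress.IPv6Address(packet[8:24]))
    dst = str(ipaddress.IPv6Address(packet[24:40]))
    return src, dst, next_header, packet[40:40 + payload_len]


def encapsulate_6in4(v4_src: str, v4_dst: str, ipv6_packet: bytes) -> bytes:
    """What the tunnel endpoint does on the way out: prepend an IPv4 header, protocol 41."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45,                 # version 4, IHL 5 (20-byte header)
                         0,                    # DSCP/ECN
                         20 + len(ipv6_packet),
                         0,                    # identification
                         0x4000,               # flags: DF set, fragment offset 0
                         64,                   # TTL
                         IPPROTO_IPV6,         # protocol 41 = IPv6 carried in IPv4
                         0,                    # checksum placeholder
                         ipaddress.IPv4Address(v4_src).packed,
                         ipaddress.IPv4Address(v4_dst).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + ipv6_packet


def outer_protocol(ipv4_packet: bytes) -> int:
    """The single field a forwarding device must look at to recognise 6in4 traffic."""
    return ipv4_packet[9]


def decapsulate_6in4(ipv4_packet: bytes, expected_peer: str) -> bytes:
    """What the far end does: validate the outer header, then return the inner IPv6 packet.

    Only packets whose outer source is the configured tunnel peer are accepted,
    mirroring a tunnel interface with a fixed 'tunnel destination'.
    """
    if len(ipv4_packet) < 20 or ipv4_packet[0] != 0x45:
        raise ValueError("not a plain 20-byte-header IPv4 packet")
    header = ipv4_packet[:20]
    if ipv4_checksum(header) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", header[2:4])[0]
    if outer_protocol(ipv4_packet) != IPPROTO_IPV6:
        raise ValueError("outer protocol is not 41 (6in4)")
    if str(ipaddress.IPv4Address(header[12:16])) != expected_peer:
        raise ValueError("outer source is not the configured tunnel peer")
    return ipv4_packet[20:total_len]


if __name__ == "__main__":
    # Constructed ICMPv6 echo request (type 128) from our side to the broker side.
    inner = build_ipv6_packet(LOCAL_V6, REMOTE_V6, 58, b"\x80\x00\x00\x00\x00\x01\x00\x01")
    outer = encapsulate_6in4(LOCAL_V4, BROKER_V4, inner)
    print("outer protocol:", outer_protocol(outer))
    print("inner:", parse_ipv6(decapsulate_6in4(outer, LOCAL_V4))[:3])
```

The gateway in front of the tunnel router never sees ports here, only the protocol number in byte 9 of the outer header; that is the field a "protocol forward" or "pass protocol 41" rule matches on.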

UltraZero


cholzhauer

Um?

I'm not sure how we switched from HE and 6in4 to ISATAP?

UltraZero

Sorry, just that's what I get for having 40 browser windows open.  I was reading about the different types of ways to move IPv6 over or within IPv4.

I wasn't sure which one you were talking about.  I didn't mean to throw the topic into a tail spin.

BTW - Isn't protocol 41 ISATAP?? so I wasn't too far off??

;D

UltraZero

FYI - I have been asleep for mmmm 10 years and I have a lot of catching up to do.

Lately, I have been eating, sleeping, drinking switches and routers..

What a meal.  Can you say brain pain??


jimb

Proto 41 is 6in4.  ISATAP is one way you could link IPv6 LANs when you only have IPv4 aware routers connecting the LANs.  To me, that seems like way more pain than what it's worth.  I'd just replace and/or upgrade the equipment to something that can do IPv6 natively.

As for your DLINK, you can either replace it with something that can do IPv6 so that the tunnel terminates on the edge, or you can terminate the tunnel to some internal device which can do 6in4, as long as the dlink will allow a protocol forward for IP protocol 41 to that device. 

UltraZero

Well. I simply decided to rip out the whole thing and start from scratch.

I needed the practice anyway and thought I would rebuild the routers from scratch.

Instead of trying to get the modem side of my dsl connection to work on the DSL module in my Cisco router, I simply took the dlink out of the loop and put in a 3640 in its place.  Now, I am working on getting security in place from those pesky hackers out there on the net.   I am new to this, funny to say, but I really like working with hardware.  Believe it or not, I only started really getting into this about mmm 1 month ago.

antillie

Well if you're new to securing internet facing IOS routers the guys over at Cymru have a rather nice template. It only covers IPv4 but securing both protocols is obviously important.

http://www.cymru.com/Documents/secure-ios-template.html

Not everything in the template will apply to every deployment scenario of course but the template is a useful place to start. When adding IPv6 to my router I basically just adapted the template to IPv6 where appropriate.

! Source routing could let bad people use our router for nasty things so turn it off.
no ipv6 source-route

interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
! We don't want bad people to try and SSH into our router over IPv6. (Please tell me you're not using telnet.)
ipv6 traffic-filter Block-IPv6-SSH in
! Don't send redirects.
no ipv6 redirects
! Enable RPF verification, this prevents ping pong attacks against the LAN.
ipv6 verify unicast reverse-path

! We should drop traffic bound for IPv6 addresses that should never be on the public internet.

! First is the documentation prefix defined in RFC 3849.
ipv6 route 2001:DB8::/32 Null0

! Next is the unique local address range defined in RFC 4193.
ipv6 route FC00::/7 Null0

! Our SSH blocking ACL.
ipv6 access-list Block-IPv6-SSH
deny tcp any any eq 22
permit ipv6 any any

Of course this only covers securing the router itself. Controlling and securing access to the LAN behind the router is an entirely different matter. Personally I would recommend an ASA series firewall for this purpose if you like Cisco gear. That way you can let your router do the tunneling and routing and let the ASA do the firewall and VPN work.

IPv6 security is something of a new field and I'm sure there are plenty of things that haven't been thought of or discovered yet. So we'll just have to try and secure things as best we can at the moment and see how things play out and make changes as needed.

Edit: Added RPF verification to the tunnel interface to prevent ping pong attacks against the LAN. (Especially useful if you are using a /64 on a point to point link to connect the router to a firewall.)
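The posted configuration combines three controls on the tunnel interface: the inbound traffic filter, strict unicast RPF, and the null routes for prefixes that should never appear on the public internet. The following added example (my own illustration, not the poster's code or anything from Cisco IOS) models that forwarding path as a small policy evaluator so the effect of each control on a sample packet can be traced. The route table is constructed: the LAN prefix, the tunnel point-to-point /64 and the outside source addresses are placeholders taken from documentation space, standing in for whatever the broker assigns; the null-routed prefixes are the two from the post. Note in particular that the ACL is bound only inbound on Tunnel0, so SSH originating from the LAN is unaffected, and that a source inside the LAN prefix or inside a null-routed prefix arriving over the tunnel fails the RPF check because its route does not point back at Tunnel0.

```python
"""Trace the posted IOS IPv6 controls (traffic-filter, uRPF, null routes) over sample packets.

Added example; the routing table and addresses are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    ingress: str            # interface the packet arrived on
    src: str                # IPv6 source address
    dst: str                # IPv6 destination address
    proto: str              # "tcp", "udp" or "icmpv6"
    dport: Optional[int] = None


# Static routes, longest prefix wins. Prefixes are placeholders (documentation
# space) standing in for the broker-assigned tunnel /64 and routed LAN prefix.
ROUTES = {
    ipaddress.ip_network("::/0"): "Tunnel0",            # default route over the 6in4 tunnel
    ipaddress.ip_network("3fff:1:0::/64"): "Tunnel0",   # tunnel point-to-point /64 (placeholder)
    ipaddress.ip_network("3fff:1:1::/64"): "Vlan1",     # LAN behind the router (placeholder)
    ipaddress.ip_network("2001:db8::/32"): "Null0",     # 'ipv6 route 2001:DB8::/32 Null0' (RFC 3849)
    ipaddress.ip_network("fc00::/7"): "Null0",          # 'ipv6 route FC00::/7 Null0' (RFC 4193)
}


def lookup(addr: str) -> str:
    """Longest-prefix match; the default route guarantees a result."""
    a = ipaddress.ip_address(addr)
    best = max((n for n in ROUTES if a in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


def block_ipv6_ssh(pkt: Packet) -> bool:
    """The posted ACL: 'deny tcp any any eq 22' then 'permit ipv6 any any'. True = permit."""
    return not (pkt.proto == "tcp" and pkt.dport == 22)


# 'ipv6 traffic-filter Block-IPv6-SSH in' is applied only on Tunnel0.
TRAFFIC_FILTER_IN = {"Tunnel0": block_ipv6_ssh}
# 'ipv6 verify unicast reverse-path' is enabled only on Tunnel0.
URPF_INTERFACES = {"Tunnel0"}


def forward(pkt: Packet) -> str:
    """Return the forwarding decision for one packet, in the order IOS applies the checks."""
    acl = TRAFFIC_FILTER_IN.get(pkt.ingress)
    if acl is not None and not acl(pkt):
        return "drop: denied by traffic-filter Block-IPv6-SSH"
    # Strict uRPF: the route back to the source must leave via the ingress interface.
    if pkt.ingress in URPF_INTERFACES and lookup(pkt.src) != pkt.ingress:
        return "drop: failed unicast RPF"
    egress = lookup(pkt.dst)
    if egress == "Null0":
        return "drop: null-routed destination"
    return f"forward via {egress}"


if __name__ == "__main__":
    samples = [
        Packet("Tunnel0", "3fff:2::1", "3fff:1:1::10", "tcp", 22),    # SSH from outside
        Packet("Tunnel0", "3fff:2::1", "3fff:1:1::10", "tcp", 443),   # HTTPS from outside
        Packet("Tunnel0", "3fff:1:1::1", "3fff:1:1::10", "icmpv6"),   # spoofed LAN source
        Packet("Tunnel0", "fd00::1", "3fff:1:1::10", "udp", 53),      # ULA source from outside
        Packet("Vlan1", "3fff:1:1::10", "3fff:2::1", "tcp", 22),      # LAN host using SSH outbound
        Packet("Vlan1", "3fff:1:1::10", "2001:db8::1", "udp", 53),    # LAN host to doc prefix
    ]
    for p in samples:
        print(f"{p.ingress:8} {p.src:>14} -> {p.dst:<14} {p.proto:6} {p.dport}: {forward(p)}")
```

The evaluation order matters for the design: the traffic filter runs before the routing lookup, so an SSH attempt aimed at the router's own tunnel address is dropped by the ACL without ever reaching the control plane, while the null routes only take effect once a destination lookup happens.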

UltraZero

Newbie??  Can you say.   Wake up, turn on the router and start working.  Time I go to bed??  2:30ish am.

Telnet usage.   Naaa.   Figured out some time ago that one can get into trouble if you leave that road open.

SSH currently is all I am using, although I must say, trying to remember all of the cisco routing commands I have shoved my face into doesn't help remembering ssh.  I am trying to deal with security /ACLs on cisco hardware and am getting my butt kicked. When implementing some of my ACLs, the router drops the connection.  Sucks.  I have consulted many people as to why and no one gives me a straight answer.  I don't think they know.  I keep myself in the trenches and I figure it out little by little.  Keeps me practicing which is the way I look at it.

Re the Cisco ASA firewall. I actually was looking at an older PIX firewall just because of cost.  I know it's a little outdated, but a little firewall is better than none I would think.  I have to move my router to another location behind my wall (garage) cause it's too loud.  This move is not so bad in the sense it will put this piece of equipment closer to my equipment rack.

I have spent some time on the net (articles and YouTube) re hacking and I don't see much about hacking through firewalls like Cisco ASA or PIX, so maybe that is a good thing, or maybe the less I hear, the more people are doing it, but just not in the open.

Kinda getting scary out there.  People are doing stupid things for information.  Man..  What a world.

antillie

Using an old PIX 515 running 7.x or even 8.x code would work too. I only prefer the ASA line as they are still receiving updates from Cisco and are quite a bit more powerful. Unfortunately the PIX 501 will never be able to do IPv6 since it doesn't have enough RAM to run 7.x code.

The PIX 506 also lacks the required RAM to run 7.x code, so it is also stuck in IPv4 forever. However I believe that it is possible to modify some PIX 506's to accept more RAM and thus run 7.x code, but I don't have any experience with that.

Or you could just use a Linux box as a firewall. I think pfSense is starting to add IPv6 support as well.

UltraZero

Re Pix, I was thinking about a 515e.  I was looking for a 520 but, too old.

A 525 or 535 would be nice seeing as they process a lot more packets and have more support for interfaces.


antillie

If you get a 515e get one that has at least 64 megs of RAM. Any less and you can't run 7.x code which is needed for IPv6 support.

cholzhauer

I think I remember having this conversation with someone on here before, but I can't remember whom

We used to have a 515 and a 515e here at work and while both of them were running 7.x code, neither supported IPv6. 

I don't know what the old PIX cost anymore, but I know an ASA 5505 is under $400

antillie

That's kinda odd. Since Cisco's own data sheet on PIX 7.0 seems to suggest otherwise.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/product_data_sheet0900aecd80225ae1.html