
OpenBSD 6to4

Started by jimb, June 09, 2009, 09:28:37 PM


jimb

Perhaps a bit off topic here, but ...

I set up 6to4 on a friend's OpenBSD router, and it was working fine except to me.

When I looked at the tcpdump, I noticed that the 6in4 traffic coming back from most destinations had the source IP of the standard 6to4 relay anycast address (192.88.99.1), but traffic coming back from me had a different IP.  I think this was causing the OpenBSD gif interface to drop the packet (since it didn't receive it from the address it sent it to).

Since I have an HE 6in4 configured tunnel here, and since a traceroute to the 6to4 IPv4 anycast address goes to HE, I presume it's HE which is acting as the 6to4 relay for traffic returning from my site.

Is a 6to4 relay supposed to set the source IP to the anycast when it transmits the traffic back to the IPv4 address of someone's 6to4 router?

snarked

What makes you think that the routing should be symmetrical?  It's not.

jimb

Quote from: snarked on June 10, 2009, 02:54:04 AM
What makes you think that the routing should be symmetrical?  It's not.
I'm not saying it should be.  I know it's not.  I'm just wondering if the relay router, wherever it might be, should use the anycast address or its own source address when sending traffic to a site's 6to4 router.

OpenBSD seems to be dropping packets because the source IP isn't the anycast IP.  I'm not sure if that's bad behavior on part of OpenBSD, or on whatever relay router is sending the packets to the site's 6to4.

I googled around and didn't find a solution on the OpenBSD end, just a bunch of posts saying how strict the gif interface is, etc.  Since the firewall was turned off (pf), it's apparently not the FW that is dropping it, but the gif interface code. 

But then, I'm not a BSD guru, which is why I was asking here.  :)

snarked

I use Linux instead of OpenBSD, but note that Linux has a configurable option to drop inbound packets that don't match the interface of the outbound connection, so perhaps OpenBSD has a similar option (that needs to be disabled).

jimb

Quote from: snarked on June 10, 2009, 03:20:57 PM
I use Linux instead of OpenBSD, but note that Linux has a configurable option to drop inbound packets that don't match the interface of the outbound connection, so perhaps OpenBSD has a similar option (that needs to be disabled).
Yeah, so far I've had no luck finding one for the gif interface, unfortunately, although I can't say I've done an exhaustive search.  Also, if you're talking about RPF, it doesn't apply in this case.

I just told him to use a configured tunnel w/ a TB like HE.  :P

Cabal696

Apologies for resurrecting this *ancient* thread, but Google is next to useless for finding anything helpful on OpenBSD 6to4 support and this is the top result, so I thought I'd offer an explanation.

Background: OpenBSD intentionally did not import 6to4 (stf) functionality from the Kame project. [1]

What I believe the original poster has done is attempt to fake it using gif, with a tunnel of [external ip] -> 192.88.99.1. However, this is most likely rejecting any traffic not coming from the anycast 6to4 relay router.

In conclusion: If you absolutely need 6to4, you're probably better off using a different BSD or Linux.

[1] http://www.monkey.org/openbsd/archive/tech/0401/msg00012.html
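Added example, not code from this thread, from OpenBSD or from KAME. It models the situation the posters describe: a site derives its 2002::/48 prefix from its public IPv4 address, configures a gif tunnel whose peer is the relay anycast address 192.88.99.1, and then a reply arrives whose outer IPv4 source is a relay's own unicast address instead. The `gif_accepts` function is a model of the strict "outer source must equal the configured peer" check the thread attributes to gif, not a reimplementation of OpenBSD's if_gif.c; the addresses 203.0.113.5 (the site router) and 198.51.100.7 (a relay answering from its unicast address) are constructed from RFC 5737 documentation ranges, and the packets are built in the script rather than captured.

```python
"""Model of 6to4-over-gif: prefix derivation, 6in4 (protocol 41) packet
construction, and the strict peer check that drops replies whose outer
source is not the configured tunnel endpoint.

Added example; not OpenBSD or KAME code.  All addresses are constructed."""
import ipaddress
import struct

SIXTO4_ANYCAST = "192.88.99.1"  # 6to4 relay anycast address (RFC 3068), as in the thread
IPPROTO_IPV6 = 41               # protocol number of 6in4 encapsulation


def sixto4_prefix(ipv4: str) -> str:
    """Return the 2002:V4ADDR::/48 prefix a 6to4 site derives from its public IPv4."""
    v4 = ipaddress.IPv4Address(ipv4).packed
    prefix = int.from_bytes(b"\x20\x02" + v4 + bytes(10), "big")
    return str(ipaddress.IPv6Network((prefix, 48)))


def embedded_ipv4(ipv6: str) -> str:
    """Extract the IPv4 address carried in bits 16..47 of a 2002::/16 address."""
    packed = ipaddress.IPv6Address(ipv6).packed
    if packed[:2] != b"\x20\x02":
        raise ValueError(f"{ipv6} is not a 6to4 address")
    return str(ipaddress.IPv4Address(packed[2:6]))


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (used for the IPv4 header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_6in4(outer_src: str, outer_dst: str, inner_src: str, inner_dst: str) -> bytes:
    """Constructed 6in4 packet: IPv4 header (proto 41) carrying a bare IPv6 header."""
    inner = struct.pack("!IHBB16s16s", 6 << 28, 0, 59, 64,  # next header 59 = none
                        ipaddress.IPv6Address(inner_src).packed,
                        ipaddress.IPv6Address(inner_dst).packed)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0x4000, 64,
                      IPPROTO_IPV6, 0,
                      ipaddress.IPv4Address(outer_src).packed,
                      ipaddress.IPv4Address(outer_dst).packed)
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + inner


def gif_accepts(packet: bytes, local: str, remote: str) -> tuple:
    """Model of the strict gif peer check: both outer addresses must equal the
    configured tunnel endpoints exactly.  Returns (accepted, reason)."""
    if len(packet) < 20:
        return False, "short packet"
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if vihl >> 4 != 4:
        return False, "not IPv4"
    ihl = (vihl & 0x0F) * 4
    if _checksum(packet[:ihl]) != 0:
        return False, "bad IPv4 header checksum"
    if proto != IPPROTO_IPV6:
        return False, f"protocol {proto} is not 6in4"
    src_s, dst_s = str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))
    if dst_s != local:
        return False, f"outer dst {dst_s} is not the tunnel's local address {local}"
    if src_s != remote:
        return False, f"outer src {src_s} is not the configured peer {remote}"
    return True, "accepted"


def inner_dst_is_ours(packet: bytes, local: str) -> bool:
    """6to4 sanity check: the inner IPv6 destination must embed our own IPv4 address."""
    ihl = (packet[0] & 0x0F) * 4
    inner_dst = ipaddress.IPv6Address(packet[ihl + 24:ihl + 40])
    try:
        return embedded_ipv4(str(inner_dst)) == local
    except ValueError:
        return False


if __name__ == "__main__":
    SITE_V4 = "203.0.113.5"          # constructed: the 6to4 router's external address
    RELAY_UNICAST = "198.51.100.7"   # constructed: a relay replying from its own address
    site_v6 = str(ipaddress.IPv6Network(sixto4_prefix(SITE_V4))[1])  # 2002:cb00:7105::1
    for relay in (SIXTO4_ANYCAST, RELAY_UNICAST):
        pkt = build_6in4(relay, SITE_V4, "2001:db8::1", site_v6)
        print(relay, gif_accepts(pkt, SITE_V4, SIXTO4_ANYCAST), inner_dst_is_ours(pkt, SITE_V4))
```

Run as-is and the reply sourced from 192.88.99.1 is accepted while the one sourced from 198.51.100.7 is dropped by the peer check, even though both carry a valid inner destination for the site; that is the asymmetry jimb saw in tcpdump. The `inner_dst_is_ours` check is the part a 6to4 router can legitimately insist on (the embedded IPv4 is what the relay used to reach it); the outer-source check is what a point-to-point gif tunnel insists on and what makes it a poor stand-in for stf.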