Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

IPv6 over IPv4 testbed

Started by rotxed, June 03, 2010, 02:34:32 AM

rotxed

Hi everyone. I would like to ask a question about a scenario that I have been setting up for the last 4 weeks.

I have a PC that acts as a server/router (1), which has 2 network interfaces. eth0 is used to gather IPv4 connectivity. eth1 is used to create a subnet on IPv4 and has one dual-stack laptop (2) connected to it. I also have virtualized a Windows 7 machine on the laptop (2), which operates in IPv6 only. On the server I have successfully set up a tunnel that provides me with IPv6 connectivity.

(1) IPv4 --------------------- IPv4 / IPv6 (2) --------------------- IPv6 (3)

Now, the question. What kind of tunnel do I need to let the virtual machine (3) communicate over the IPv4 infrastructure that lies between (1) and (2)? Is a point-to-point tunnel enough?

I have done many Google searches, and I've read that there are many tunnelling options: Teredo, ISATAP, 6to4, ... But I believe that none of them suit my scenario.

I hope that you guys can help me sort this thing out. If the scenario is not clear enough just tell me, I'll try to explain it as best as possible (I apologize for my poor English, I'm an Italian student).

jimb

There's nothing special you need to do.  If you have RA set up so that the laptop is automatically configuring IPv6 addresses, then the Win7 VM box should also.  If you don't have RA set up, you simply need to manually set up an IPv6 address and default router (pointed to the server's IPv6) on the Win7 VM and it should work (presuming the VM's NIC is in "bridged" mode).

Of course you'll also need a DNS server which can speak IPv6.

rotxed

Quote from: jimb on June 03, 2010, 04:13:05 AM
There's nothing special you need to do.  If you have RA set up so that the laptop is automatically configuring IPv6 addresses, then the Win7 VM box should also.  If you don't have RA set up, you simply need to manually set up an IPv6 address and default router (pointed to the server's IPv6) on the Win7 VM and it should work (presuming the VM's NIC is in "bridged" mode).

Of course you'll also need a DNS server which can speak IPv6.

Well, you have quite understood the situation, but not my problem! Assume that I already have a DNS server which can handle both A and AAAA records. What I need to do now can be (I hope) described with this example:

- I have my dual-stack laptop connected with my server/router via IPv4. The server/router acts as DHCPv4 to the laptop and assigns him an address on the same subnet; so, the server/router has 172.16.2.1 IPv4 address and the laptop gets, for example, 172.16.2.50 IPv4 address
- The Win7 virtual machine lies over the dual-stack laptop and connects with it via IPv6: the dual-stack laptop has a static link-local IPv6 address and acts as DHCPv6 for the VM; this way, the VM receives a global unicast IPv6 address
- Now, I would like the Win7 VM to communicate with the IPv6 internet (like browsing ipv6.google.com) through the IPv4 infrastructure!

The only way to achieve this result is to encapsulate the IPv6 packets in IPv4 packets via tunnelling. What I need is to create a tunnel between the laptop and the server/router.

I hope that I have been more clear this time :)

cholzhauer


jimb

I presumed your server/router already had IPv6 connectivity to the internet via an HE tunnel.

Typically in such a situation you would put the HE assigned routed /64 on the LAN interface of the server/router, and now you have a "dual-stack LAN".  From there you can either manually assign addresses from your routed /64 to other IPv6 nodes on your LAN (including your VM, presuming it's bridged), or run RA, or run DHCPv6.  The laptop and Win7 box will simply communicate over the LAN to the server/router, to which you have the IPv6 default route pointed.

Now, if for some reason that VM isn't bridged, but routed, you'll need a routed /48, and something to act as a LAN router between the VM and the LAN.  Another possibility is setting up a 6in4 tunnel to the server/router, but is a bit silly on the LAN since an ethernet LAN can simply carry the IPv6 packets directly.  If you need to do that though, it's very similar to the process you use to set up the HE tunnel.  You set up 6in4 tunnel interface on each box with IPv6 addresses, then you can point routes through them.



rotxed

Quote from: cholzhauer on June 03, 2010, 10:31:27 AM
Yeah, that makes sense.

I found this page, but it only mentions linux

http://tldp.org/HOWTO/Linux+IPv6-HOWTO/chapter-configuring-ipv6-in-ipv4-tunnels.html


Yeah, I've already seen that many times. I will give it a try by setting up a CentOS VM which will connect to the server/router (it has CentOS, too).

rotxed

Quote from: jimb on June 03, 2010, 01:19:27 PM
I presumed your server/router already had IPv6 connectivity to the internet via an HE tunnel.

Your assumption is correct.

Quote from: jimb
Now, if for some reason that VM isn't bridged, but routed, you'll need a routed /48, and something to act as a LAN router between the VM and the LAN.  Another possibility is setting up a 6in4 tunnel to the server/router, but is a bit silly on the LAN since an ethernet LAN can simply carry the IPv6 packets directly.  If you need to do that though, it's very similar to the process you use to set up the HE tunnel.  You set up 6in4 tunnel interface on each box with IPv6 addresses, then you can point routes through them.

So you are telling me that a 6in4 tunnel between the server/router and the dual-stack laptop could solve the situation? Is there some kind of guidelines/tutorial/noobish-step-by-step-cuz-im-stupid guide? :D

jimb

What I'm really trying to tell you is that if you're running IPv6 on the LAN interface of the server/router, and the VM's NIC is bridged to that same LAN (typical), you don't need a tunnel.  It should be able to send packets to the server/router directly over the ethernet, regardless of whether the laptop itself has IPv6 connectivity.

If the NIC on the VM is bridged through the LAN interface on the laptop, you can think of the Win7 VM as a separate machine plugged into the same ethernet switch as the laptop and the server/router.  Both IPv4 and IPv6 can be used on that LAN.

A 6in4 tunnel probably isn't what you need if I understand your network topology.  And if you needed to use it, the win7 box would have to be dual-stack since 6in4 uses IPv4.  Or you could use something like ISATAP possibly, but that gets even more complicated.

rotxed

Quote from: jimb on June 04, 2010, 02:21:31 AM
What I'm really trying to tell you is that if you're running IPv6 on the LAN interface of the server/router, and the VM's NIC is bridged to that same LAN (typical), you don't need a tunnel.  It should be able to send packets to the server/router directly over the ethernet, regardless of whether the laptop itself has IPv6 connectivity.

If the NIC on the VM is bridged through the LAN interface on the laptop, you can think of the Win7 VM as a separate machine plugged into the same ethernet switch as the laptop and the server/router.  Both IPv4 and IPv6 can be used on that LAN.

A 6in4 tunnel probably isn't what you need if I understand your network topology.  And if you needed to use it, the win7 box would have to be dual-stack since 6in4 uses IPv4.  Or you could use something like ISATAP possibly, but that gets even more complicated.

OK. I know that I could possibly achieve the IPv6 connectivity on the VM without a tunnel. But this is not what I want to do. My goal is to achieve the IPv6 connectivity using the IPv4 infrastructure as a transport-layer! So, I think that tunnelling is the only available option. That is why I'm so eager to find some kind of configuration or walkthrough to obtain a working network configuration.

jimb, thanks for your patience, I know that trying to make me understand things can be frustrating!  ;D

jimb

Ah.  I sort of forgot your original intentions of a "testbed".  To do what you want, that'd be either via tunneling, or something like ISATAP.

Both of those can connect IPv6 islands in a sea of IPv4 only.  Tunneling is typically used over the internet, WAN links, etc.  6in4 and GRE are popular methods.  Setting up a tunnel is fairly trivial.  It works similarly to how you set up your tunnel to HE, except you're setting up two sides.  Basically, you set up the tunnels the same way, reversing the local/remote IPv4 addresses on each side, then add IPv6 addresses to each side from some /64 (typically ::1 and ::2).  Now you have a virtual IPv6 link/NIC over which you can route traffic.  So you can add static routes through the link, etc, for the IPv6 networks.  Or run a dynamic routing protocol like OSPF.  And of course as soon as you add the tunnel links to a system already running IPv6 on the LAN side, both of those boxes become routers, so now you have to make sure that forwarding is enabled, the firewall is configured to pass the traffic, etc, etc.

ISATAP is intended for the LAN, to connect separate IPv6 LANs separated by an IPv4 only routing infrastructure.  It uses IPv4 as a "link layer" to get IPv6 traffic across IPv4 only routers.  I haven't actually implemented it so I'm not very familiar with it.  I know it requires hosts which can do ISATAP (I know windows can), and uses DNS entries to find routers and/or relays used for it.

Obviously, you'd want to simulate separate LANs for this, otherwise there'd be no point since IPv6 can speak natively over an ethernet LAN (ethertype 0x86DD).

If you googled around, I'm sure you'd find "cookbook" instructions on how to set up tunnels or ISATAP.

I doubt there are many people using ISATAP anymore though, since most LAN routers produced in the last five years or so can already route IPv6, so it's easier just to enable it (I'm talking real routers here, not consumer grade edge/internet type routers).
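
The two-sided setup jimb describes in the post above, written out for Linux as an added example that is not part of the thread: the script prints the ip, sysctl and iptables commands for each end, using the 172.16.2.1 and 172.16.2.50 addresses from rotxed's posts. The tunnel name sit1 and the 2001:db8 documentation prefixes are assumptions.

```shell
#!/bin/sh
# Added example: print the commands for one end of a static 6in4 (sit) tunnel.
# IPv4 addresses are the ones given in the thread; the tunnel name, the tunnel
# /64 and the VM /64 are assumptions (2001:db8::/32 is the documentation prefix).
TUN=sit1
TUN_NET=2001:db8:0:1          # /64 used on the tunnel link itself
VM_NET=2001:db8:0:2::/64      # /64 behind the laptop (the IPv6-only VM)

# tunnel_cmds LOCAL_V4 REMOTE_V4 HOST_ID ROLE
#   ROLE=router: has the upstream IPv6; routes VM_NET back through the tunnel
#   ROLE=leaf:   sends its IPv6 default route into the tunnel
tunnel_cmds() {
    local_v4=$1; remote_v4=$2; host_id=$3; role=$4
    cat <<EOF
# local/remote are mirrored on the other end
ip tunnel add ${TUN} mode sit local ${local_v4} remote ${remote_v4} ttl 64
ip link set ${TUN} up
ip -6 addr add ${TUN_NET}::${host_id}/64 dev ${TUN}
# both ends forward IPv6 once the tunnel link exists
sysctl -w net.ipv6.conf.all.forwarding=1
# accept IPv4 protocol 41 (6in4) only from the configured peer
iptables -A INPUT -p 41 -s ${remote_v4} -d ${local_v4} -j ACCEPT
iptables -A INPUT -p 41 -j DROP
EOF
    case $role in
        router) echo "ip -6 route add ${VM_NET} via ${TUN_NET}::2 dev ${TUN}" ;;
        leaf)   echo "ip -6 route add ::/0 via ${TUN_NET}::1 dev ${TUN}" ;;
    esac
}

echo "# server/router (172.16.2.1)"
tunnel_cmds 172.16.2.1 172.16.2.50 1 router
echo "# dual-stack laptop (172.16.2.50)"
tunnel_cmds 172.16.2.50 172.16.2.1 2 leaf
```

The script only prints; review the output and run each half as root on its own machine.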

rotxed

Quote from: jimb on June 04, 2010, 03:11:28 AM
Ah.  I sort of forgot your original intentions of a "testbed".  To do what you want, that'd be either via tunneling, or something like ISATAP.

Both of those can connect IPv6 islands in a sea of IPv4 only.  Tunneling is typically used over the internet, WAN links, etc.  6in4 and GRE are popular methods.  Setting up a tunnel is fairly trivial.  It works similarly to how you set up your tunnel to HE, except you're setting up two sides.  Basically, you set up the tunnels the same way, reversing the local/remote IPv4 addresses on each side, then add IPv6 addresses to each side from some /64 (typically ::1 and ::2).  Now you have a virtual IPv6 link/NIC over which you can route traffic.  So you can add static routes through the link, etc, for the IPv6 networks.  Or run a dynamic routing protocol like OSPF.  And of course as soon as you add the tunnel links to a system already running IPv6 on the LAN side, both of those boxes become routers, so now you have to make sure that forwarding is enabled, the firewall is configured to pass the traffic, etc, etc.

ISATAP is intended for the LAN, to connect separate IPv6 LANs separated by an IPv4 only routing infrastructure.  It uses IPv4 as a "link layer" to get IPv6 traffic across IPv4 only routers.  I haven't actually implemented it so I'm not very familiar with it.  I know it requires hosts which can do ISATAP (I know windows can), and uses DNS entries to find routers and/or relays used for it.

Obviously, you'd want to simulate separate LANs for this, otherwise there'd be no point since IPv6 can speak natively over an ethernet LAN (ethertype 0x86DD).

If you googled around, I'm sure you'd find "cookbook" instructions on how to set up tunnels or ISATAP.

I doubt there are many people using ISATAP anymore though, since most LAN routers produced in the last five years or so can already route IPv6, so it's easier just to enable it (I'm talking real routers here, not consumer grade edge/internet type routers).

I did it! Thanks for your information, I managed to set up a 6in4 tunnel between the dual-stack laptop and the server/router. The answer has been right under my nose for a week now. The Linux IPv6-HOWTO, which was linked some posts ago and which I have been reading so many times, reported the correct sequence of steps for the setup. The problem was that I had to change the dual-stack laptop's OS from Windows XP to CentOS in order to configure the tunnel. I can't imagine a way to install a cross-OS-tunnel!

Thanks so much jimb and cholzhauer, you have been very helpful! :)

jimb

Cross-OS 6in4 tunnels are entirely possible and are in use all the time.

Under Linux you use "ip", under Windows you use "netsh".  They also have different procedures for allowing IP forwarding, etc.  Just different ways to do the same exact thing under different OSes, but the resultant tunnels work the same way.

rotxed

Quote from: jimb on June 04, 2010, 03:30:57 PM
Cross-OS 6in4 tunnels are entirely possible and are in use all the time.

Under Linux you use "ip", under Windows you use "netsh".  They also have different procedures for allowing IP forwarding, etc.  Just different ways to do the same exact thing under different OSes, but the resultant tunnels work the same way.


That's nice to know. I have more confidence with /sbin/ip rather than netsh. I hope that some goooooogling will help me on that.

rotxed

OK, now I'm facing the last issue on my network configuration, that is to say: I cannot resolve names from the Win7 VM. Since this VM has only IPv6 stack enabled, I think I have two solutions:


  • give the Win7 VM an IPv6 address for my DNS server - I can do that, and I have already tried as follows. I have assigned the IPv6 address of one of the server/router NICs, which has an IPv6 address. I can ping6 that address from the Win7 VM, but I'm still not able to resolve names.
  • install a resolver on the dual-stack laptop with CentOS - the resolver should act simply as a query forwarder, from the Win7 VM to the server/router; I didn't try yet, I wanted to know if there are better solutions to this.

What is more, I have faced a strange behaviour. If I ping6, from the Win7 VM, one of the server/router's NICs, let's say eth1 which has a static IPv6 address, nothing goes wrong. ping6 works flawlessly. The weird thing is that, if I tcpdump on eth1 while ping6 is still active, I cannot see any ICMPv6 request/reply. How come?

jimb

Quote from: rotxed on June 08, 2010, 12:40:16 AM
OK, now I'm facing the last issue on my network configuration, that is to say: I cannot resolve names from the Win7 VM. Since this VM has only IPv6 stack enabled, I think I have two solutions:


  • give the Win7 VM an IPv6 address for my DNS server - I can do that, and I have already tried as follows. I have assigned the IPv6 address of one of the server/router NICs, which has an IPv6 address. I can ping6 that address from the Win7 VM, but I'm still not able to resolve names.
  • install a resolver on the dual-stack laptop with CentOS - the resolver should act simply as a query forwarder, from the Win7 VM to the server/router; I didn't try yet, I wanted to know if there are better solutions to this.

What is more, I have faced a strange behaviour. If I ping6, from the Win7 VM, one of the server/router's NICs, let's say eth1 which has a static IPv6 address, nothing goes wrong. ping6 works flawlessly. The weird thing is that, if I tcpdump on eth1 while ping6 is still active, I cannot see any ICMPv6 request/reply. How come?

If your IPv6 DNS server isn't dual stack, you're going to have a hard time resolving a lot of things out there.  Many DNS servers aren't accessible via IPv6 transport.

If you're using "icmp" to match icmpv6 in tcpdump, it won't work, you need to use "icmp6".  If you're not trying to match, it should show them.  Also, if the connection from the win7 VM to your router is via a tunnel, you won't see the icmpv6 traffic unless you listen on the tunnel interface itself, but you'll see 6in4 packets.
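
What the last post means for a capture on eth1, as an added example that is not part of the thread: the script walks the headers of a ping that went through the tunnel and of a plain IPv4 ping, showing that the first is IPv4 protocol 41 with the ICMPv6 echo inside it. Both packets are constructed (checksums zeroed), and the tunnel addresses and the interface name sit1 are assumptions.

```shell
#!/bin/sh
# Added example. Constructed packets, hex encoded, checksums zeroed.
# 172.16.2.50 -> 172.16.2.1, IPv4 protocol 41, carrying an ICMPv6 echo request
# between assumed tunnel addresses 2001:db8:0:1::2 and 2001:db8:0:1::1.
IP4=450000440000400040290000ac100232ac100201
V6HDR=6000000000083a40
SRC6=20010db8000000010000000000000002
DST6=20010db8000000010000000000000001
ICMP6=8000000000010001
PKT_6IN4=${IP4}${V6HDR}${SRC6}${DST6}${ICMP6}
# Plain ICMPv4 echo request between the same two hosts, for contrast.
PKT_ICMP4=4500001c0000400040010000ac100232ac1002010800000000010001

# byte HEX OFFSET: print the byte at OFFSET as decimal, fail if out of range
byte() {
    h=$(printf '%s' "$1" | cut -c"$(( $2 * 2 + 1 ))-$(( $2 * 2 + 2 ))")
    [ ${#h} -eq 2 ] || return 1
    echo $(( 0x$h ))
}

# classify HEX: say what a capture on the physical interface is looking at
classify() {
    v=$(byte "$1" 0) || { echo truncated; return; }
    [ $(( v >> 4 )) -eq 4 ] || { echo not-ipv4; return; }
    ihl=$(( (v & 15) * 4 ))                 # IPv4 header length in bytes
    proto=$(byte "$1" 9) || { echo truncated; return; }
    case $proto in
        1)  echo icmp4; return ;;           # all that the "icmp" filter selects
        41) ;;                              # 6in4: payload is an IPv6 packet
        *)  echo "ipv4-proto-$proto"; return ;;
    esac
    # Next Header is read from the fixed IPv6 header; extension headers
    # are not walked in this example.
    nh=$(byte "$1" $(( ihl + 6 ))) || { echo truncated; return; }
    [ "$nh" -eq 58 ] || { echo "6in4/next-header-$nh"; return; }
    t=$(byte "$1" $(( ihl + 40 ))) || { echo truncated; return; }
    case $t in
        128) echo 6in4/icmp6-echo-request ;;
        129) echo 6in4/icmp6-echo-reply ;;
        *)   echo "6in4/icmp6-type-$t" ;;
    esac
}

classify "$PKT_6IN4"     # on eth1 this shows up with: tcpdump -ni eth1 'ip proto 41'
classify "$PKT_ICMP4"    # on sit1 the inner ping shows up with: tcpdump -ni sit1 icmp6
```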