0

I have a setup of a laptop connected to a cellular IPv4 network (3G USB dongle) and a PC connected to another IPv4/IPv6 network. Both have been configured to run as IPv6 routers and each has its own IPv6 network.

The laptop connects to the Internet via the 3G network with an IPv4 address (a private one, and it is mostly changing) on one interface and has the other interface in AP mode providing its own private IPv6 network (2001:db8:444::/64). The PC connects to the Internet via the organization network with both public IPv4 and IPv6 addresses on one interface and has the other interface in AP mode providing its own private IPv6 network (2001:db8:222::/64). Both are running Linux Ubuntu.

Is it possible to get the two IPv6 networks (2001:db8:222::/64 and 2001:db8:444::/64) to communicate over the IPv4 Internet?

Is openvpn any good in this case to get IPv6 traffic over an IPv4-IPv4 tunnel?

Thanks for helping in advance

MadHatter
  • Where did you get those two ipv6 ranges? That is, who assigned them to you? – MadHatter Aug 25 '14 at 06:00
  • I am just using them privately to conduct some experiments in the lab and no one has assigned them to me. – user239167 Aug 25 '14 at 06:17
  • @MadHatter See [RFC 3849](https://tools.ietf.org/html/rfc3849). – Michael Hampton Aug 25 '14 at 12:03
  • Interesting; thank you! Perhaps the OP could comment on whether (s)he really has used those addresses, and if so, why; or whether (s)he has used different ones, and redacted them in line with the RFC. – MadHatter Aug 26 '14 at 09:07

4 Answers

6

The Teredo tunneling protocol will likely do what you want, but you have to work with the protocol in picking addresses; the same is true of 6to4. You have picked your IPv6 addresses out of the air.

The old IPv4 concept, of some private (RFC1918) address ranges which were globally unroutable but anyone could use (including over multiple sites, as long as they arranged for them to be carried over a VPN) has been quite strenuously resisted by the IPv6 designers. One of IPv6's fundamental design goals was that every v6 endpoint should be globally-routable. That doesn't mean every endpoint has to be globally accessible - that's what firewalls are for - but it should be globally routable, and globally routed.

If you try to do IPv6 in a way that defies that, you'll end up tying yourself in knots. I know you say you don't care about the rest of the world, but the protocol does. If you do this according to the assumptions that are embedded in the protocol, your life will be much easier.

Edit: your comment is correct in its question about v6-via-v4 tunneling, but if (for example) you want to use 6to4, you must use the v6 ranges that correspond to the public v4 addresses of your tunnel endpoints, according to the 6to4 mapping scheme.

Much better still is to use a v6-capable ISP at each end, and get actual public v6 space assigned to each network, though I concede that finding such ISPs still takes a fair bit of looking.

MadHatter
  • Does that mean this will not work following the IPv6 design? My understanding is that using the ipv6 into ipv4 tunnel will make the two IPv6 networks as if they are at the same intra-net. Then the only thing that is required is forwarding the traffic between them via the tunnel. – user239167 Aug 25 '14 at 07:24
  • I don't see Teredo addresses anywhere in the question. `2001:db8::/32` is the documentation prefix. The Teredo prefix is `2001::/32`. – kasperd Aug 25 '14 at 07:41
  • Arghggh. You are right, as usual, kasperd; I botched the netmask (and not for the first time). I have amended the question accordingly. – MadHatter Aug 25 '14 at 07:45
  • 1
    The part about IPv6 not having an equivalent of RFC 1918 is not entirely right. There is RFC 4193 which differs from RFC 1918 by being for IPv6 and avoiding address conflicts. There is an old question about that, which I apparently answered years before registering on serverfault: http://serverfault.com/questions/216602/what-is-the-ipv6-equivalent-to-ipv4-rfc1918-addresses – kasperd Aug 25 '14 at 08:04
  • 1
    Grumble. You and your inconvenient facts. Nevertheless, I'm standing by my answer here; 4193 ("*Unique Local IPv6 Unicast Addresses*") comes some seven years and two thousand RFCs after 2160 (*"IPv6 Specification"*). It has always seemed to me that the protocol was designed for global routability for all endpoints from day one, and is only slowly and painfully being bent away from that standard. – MadHatter Aug 25 '14 at 08:29
  • @MadHatter There are good and bad use cases for RFC 4193 addresses. If you try to use them with NAT like it has been done with RFC 1918 addresses, you are definitely doing it wrong. A host with an RFC 4193 address and no "real" IPv6 address is a strong hint something is wrong with the configuration. So I agree with your recommendation not to use them in the solution for this particular question. – kasperd Aug 25 '14 at 08:36
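
The prefix questions raised in this answer and its comments (documentation vs. Teredo vs. RFC 4193 space, and the 6to4 mapping from a public IPv4 endpoint to a v6 range) can be checked mechanically. The following is an added example, not code from any participant in the thread; the `NON_PUBLIC_V4` list is a simplifying assumption, and the IPv4 addresses used are constructed documentation addresses.

```python
import ipaddress

# Well-known IPv6 ranges named in this thread.
SPECIAL_V6 = [
    ("documentation (RFC 3849)", ipaddress.ip_network("2001:db8::/32")),
    ("Teredo", ipaddress.ip_network("2001::/32")),
    ("6to4", ipaddress.ip_network("2002::/16")),
    ("unique local (RFC 4193)", ipaddress.ip_network("fc00::/7")),
]

# Assumption: simplified list of IPv4 ranges that cannot anchor a 6to4 prefix
# (RFC 1918 private space plus carrier-grade NAT space, common on cellular links).
NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def classify(prefix):
    """Name the special-purpose range that contains an IPv6 prefix, if any."""
    net = ipaddress.ip_network(prefix)
    for label, special in SPECIAL_V6:
        if net.subnet_of(special):
            return label
    return "other"


def sixtofour_prefix(endpoint_v4):
    """Derive the 6to4 /48 for a tunnel endpoint: 2002:<32-bit IPv4>::/48."""
    v4 = ipaddress.IPv4Address(endpoint_v4)
    if any(v4 in net for net in NON_PUBLIC_V4):
        raise ValueError(f"{v4} is not public; 6to4 needs a public IPv4 endpoint")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def sixtofour_endpoint(prefix):
    """Recover the IPv4 tunnel endpoint embedded in a 6to4 prefix."""
    net = ipaddress.ip_network(prefix)
    if classify(prefix) != "6to4" or net.prefixlen < 48:
        raise ValueError(f"{net} does not embed a full 6to4 endpoint")
    return ipaddress.IPv4Address((int(net.network_address) >> 80) & 0xFFFFFFFF)


if __name__ == "__main__":
    # Constructed inputs: the question's prefixes and documentation IPv4 addresses.
    for p in ("2001:db8:222::/64", "2001:db8:444::/64", "2002:c000:201::/48"):
        print(p, "->", classify(p))
    print(sixtofour_prefix("192.0.2.1"))
    print(sixtofour_endpoint("2002:c633:6407:1::/64"))
```

A private or carrier-NAT endpoint address, such as the one the laptop in the question receives from the 3G network, is rejected by `sixtofour_prefix` because it has no corresponding 6to4 range.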
1

It is possible to configure a tunnel with private IPv6 addresses allocated according to RFC 4193. But I wouldn't recommend it. I also wouldn't recommend configuring your server with 6to4 or Teredo addresses.

My recommendations are as follows:

  • For a server go with native IPv6. If your hosting provider cannot provide IPv6 yet, they are not serious enough, and I recommend moving to a hosting provider who can. If you do move to another hosting provider, pick one that will allocate a routed prefix to your server; some providers only allocate a link prefix.

  • For a home or office network where no provider with native IPv6 is available, I recommend a 6in4 tunnel (not 6to4). If you have a hosted server with a routed IPv6 prefix, you can configure your own tunnel server there. Otherwise there are several free tunnel providers. Choice of tunnel provider depends on your needs, but for most users HE appear to be the best provider.

  • For a laptop moving between many different networks I recommend tunneling IPv6 over UDPv4. This can be done with Teredo or a tunnel provider. There are not as many providers of this kind of tunnel, but gogo6 has such a service.

Whether you are running native IPv6 or a 6in4 tunnel, I have a couple of recommendations to make communication more reliable in case the other end of the communication is using a tunnel. These will only work if your network has at least one public IPv4 address:

  • Configure a Teredo relay. On Linux the miredo software can do this. By default miredo acts as a Teredo client, but that would only be appropriate for the laptop. With a minor configuration change, miredo becomes a Teredo relay, which is something every IPv6 network should have until IPv4 starts getting phased out.

  • Configure a 6to4 relay. Any modern Linux distribution should come with support for that without needing additional software installed. You shouldn't be putting 6to4 addresses in DNS; your DNS records should have native IPv6 addresses. The 6to4 relay is only for improved reliability, when the other end of the connection uses 6to4.

kasperd
1

> Is openvpn any good in this case to get IPv6 traffic over an IPv4-IPv4 tunnel?

Yes, recent versions of openvpn can happily carry IPv6 over IPv4 or vice-versa.

Peter Green
0

You might want to look into LISP, the Locator/Identifier Separation Protocol

Locator/ID Separation Protocol (LISP) (RFC 6830) is a "map-and-encapsulate" protocol which is developed by the Internet Engineering Task Force LISP Working Group. The basic idea behind the separation is that the Internet architecture combines two functions, routing locators (where a client is attached to the network) and identifiers (who the client is) in one number space: the IP address. LISP supports the separation of the IPv4 and IPv6 address space following a network-based map-and-encapsulate scheme (RFC 1955). In LISP, both identifiers and locators can be IP addresses or arbitrary elements like a set of GPS coordinates or a MAC address.

Sgaduuw