Hi Jim
Basically I am trying to do two things:
- First is to solve the same problem that you are addressing. That is, having multiple users behind a single NAT which can't be configured to allow forwarding protocol-41. My solution is to relay all incoming traffic via a single address in the DMZ (that is the address that all non-identified traffic is sent to - assuming that this is allowed). Of course having a NAT that supports this would be the ideal situation (I also found the following on the subject:
http://www.ietf.org/proceedings/57/slides/v6ops-2.pdf) but I want a quick solution which allows operation in any network using any available NAT - as long as DMZ is enabled and I known the address, I can now use the network to work with 6in4 tunneling. I can also allow multiple users to do the same (I think this is your subject and that's why I though it relevant).
- Secondly I want users on the Internet to be able to access a number of global IPv6 addresses behind the same NAT (tunneled via the single public IPv4 address). Effectively the same works because, unlike the forwarding protocol-41 operation of a configurable NAT, it doesn't match outgoing traffic with incoming traffic. The relay agent, in this case, can deliver the incoming 6in4 frames to the respective device(s) either still in 6in4 mode or also extracted in raw IPV6 in the local network.
The first and second things are extremely similar. In fact the C-code that I have written to do this differs in only 9 lines of C-code depending on case 1 or case 2. The difference between case 2 forwarding 6in4 and extracting to RAW IPv6 is also only about the same amount of lines of C-code. This shows that these actions are also very related.
The first situation is the typical tunnel user with a NAT firewall and a single public IP address, with a 6in4 tunnel client behind it. Typically, these users' nat/firewall devices can't be configured to forward a IPv4 transport layer protocol like 6in4, but focus only on things like UDP and TCP ports. A real oversight in most equipment. Even some enterprise equipment can't do this.
However, most of the time these devices
will forward 6in4 traffic
iff it was generated internally first. That is, if 6in4 traffic is originated from behind the NAT to a tunnel server, the NAT device will create a entry in the connection/NAT table, and any return traffic with IPv4 proto 41 will be sent to the inside machine which originally sent it. That is, you can't statically configure an inbound NAT for proto 41 traffic to some specified IPv4 address, but most devices will create one dynamically. Of course, these connection tables eventually time out if there is no traffic for a given amount of time. The typical solution to this is to set up a IPv6 ping which goes off every few minutes that keeps the connection table entry "live" so that outside originated packets won't get dropped.
This is a typical situation and shouldn't require any special software or hardware, as most devices support this type of arrangement.
Of course problems can arise with this type of situation. For instance, if another host inside decides to send a 6in4 packet, the behavior is somewhat "undefined" since it depends on the router/NAT device. I think most of them simply blindly replace the existing connection table entry with a new one with the IPv4 address of whoever just sent the 6in4 packet. This is why it's always best to define a NAT entry if your device allows it.
And of course, this situation segues into the original reason for this thread, e.g., that a NAT device could be fairly easily made to correctly track 6in4 from multiple internal 6in4 clients by peeking at the IPv6 addresses in the payload, allowing you to have multiple tunnel clients behind a single NAT.
Also, as I said earlier, there's already a tunneling protocol out there, well, more than one actually, which allows you to tunnel IPv6 via just about any NAT. One is called Teredo, and is implemented on every windows box, and Linux has an implementation called Miredo. It uses a rather byzantine protocol coupled with a number of Teredo servers and relays out on the internet, along with UDP encapsulation and NAT hole punching techniques to automagically tunnel IPv6 packets through just about any typical NAT. There are also other things such as AYIYA, but its deployment is somewhat more limited (sixxs providers use it, etc).
The "relay agent" you talk about in your 2nd paragraph sounds suspiciously like an IPv6 tunnel router.
At least in the mode where it accepts 6in4 packets and sends them as "RAW IPv6". That's what a router configured with a 6in4 tunnel
does. This allows you to have multiple global IPv6 addresses and subnets behind a single "relay agent".
In the case where it accepts and forwards 6in4 traffic, well, that sounds like a typical IPv6 router with 6in4 tunnels established to multiple other routers.
In the end, you still need a router, either behind a NAT with proto 41 directed to it either via a static NAT, a dynamic table entry, or a DMZ setting,
or a router with a public IPv4 address on it, which accepts 6in4 tunnel traffic, and routes IPv6 on the other end.
It sounds like you're trying to reinvent the wheel a bit here. Unless I'm simply not understanding what you're doing.
Probably I am mixing 6to4 and 6in4: I have only been experimenting with this technology for about 2 or 3 days now so am not up on all the terms; tunneling is the feature of interest so it should probably all read 6in4.
Yeah they are different. 6in4 is a simple IPv6-in-IPv4 tunneling method which stuffs IPv6 packets into an IPv4 packet and sets the protocol header field to 41 to identify itself as 6in4.
6to4 is an automatic tunneling method which uses 6in4 as a tunneling protocol. It uses a set of 6to4 relay servers, which are really just specialized 6in4 tunnel servers, and the special 6to4 IPv6 netblock (2002::/16) in which one's public IPv4 address is encoded into a /48 prefix which is used for one's globally addressable IPv6 space. i.e., if your public IPv4 is
192.0.2.10, your 6to4 prefix would be
2002:c000:20a::/48, from which you can break out multiple /64 prefixes for your LANs. Your 6to4 router living on the edge of your network sends IPv6 traffic to the internet by encapsulating IPv6 packets in a 6in4 packet, and sending it to either a configured 6to4 relay host, or more commonly, the 6to4 anycast address (
192.88.99.1 ) which
ostensibly routes your IPv6 traffic to the closest 6to4 relay. Return traffic is of course sent to your 6to4 router by the relays by extracting the IPv4 address from the 6to4 IPv6 address, encapsulating in 6in4, and sending it to the extracted IPv4.
I learned about the tunneling method and HE, I think last weekend, so registered for an account and disabled the Teredo operation according to the instructions. Therefore I never used it and never heard of it before, so don't know at the moment any details. It is presently OFF - it is also presumably only relevant for Windows and not embedded devices (?).
It's built into windows, and available for linux and other platforms. I'm not sure if it could be easily ported to your embedded devices.
The problem that I do have, with my NAT, is that no IPV6 traffic and no 6in4 traffic normally gets in through it at all. The only way that I can get any such traffic through it into the local network is via DMZ. Therefore it seems that I may be stuck with this before replacing the NAT with something more modern. However I have also experimented with some other NATs (also older ones except a Wireless router that was purchased quiet recently) and none of them seem to offer any configuration allowing such traffic to come through. I also went into a PC shop and asked whether they had anything suitable but they didn't know what I was taking about - so no progress there - consumer electronics (possibly without considering mobile devices) doesn't seem to be very IPV6 oriented at all at the moment - the PC shop keeper confirmed this and recommended that enterprise networking equipment would probably be the solution.
As I said earlier, I haven't seen many NAT devices which won't properly relay inside originated 6in4 traffic. It's is a common setup used by many HE tunnel broker users.
However the goal here is to identify a technique that works for "any old NAT" and can be used by anyone without having to change equipment. Eg. If I sell IPv6 sensors to people to put in their homes and be used to monitor their room temperature via Internet when they are on holiday and allow them to control the shutters remotely when it gets hot, and these sensors should each have a global IPv6 address I need a solution which doesn't require them to replace their existing NATs - I can't expect them to have to purchase a new NAT with advanced tunneling techniques but instead must find a work-around for the existing case. I also can't expect the purchasers of $20 sensors to be expected to install a new firewall/gateway or Linux based system to allow them to operate - with a good guide I could instruct them to set up their tunnel with HE (nice and un-burocratic and quite painless process) but that is about the limit...
Well, this sounds like a job for Teredo. It's exactly what Teredo was created for (although it doesn't work behind
everything, for instance "symmetric nat"). Another option would be to build 6in4 tunneling into your devices and rely on a user's NAT device relaying the 6in4 traffic, which most will do, as long as no other devices attempt to initiate 6in4 traffic. You could have some sort of menu on your device allowing the user to turn on either Teredo, or configure a 6in4 tunnel.
Doing 6to4 behind a NAT is problematic because there's no way to know which relay server will be sending traffic to your NAT device and I've found from experience that they don't all send the traffic with the anycast address set as the source address. Some seem to do so, others use their normal IPv4 address. So to pass through a NAT, one would either need a protocol forward set up, or point the DMZ to your 6to4 router. So you're sort of back to square one with 6to4.
Another possibility is implementing or porting AYIYA to your devices, but you'd be limited to tunnel providers which support AYIYA such as sixxs. I don't know much about it since I use 6in4 with HE, which works quite well for me.
What I have done is proven that it is possible (that is, I have a real working solution based on hardware and software that is now allowing me to post this in IPv6 mode across a NAT that doesn't support 6in4 and without having to expose the PC directly to the Internet) - maybe not the best solution but a first step on the learning curse. Maybe it has some other uses too...;-)
Yeah I'm still how sure how exactly you've done this. But the only ways I can think of that it could be done is by simply implementing a 6in4 router on your devices, and/or perhaps some code which allows a node to act as a 6in4 tunnel relay by peeking at the IPv6 addresses (sort of like my theoretical NAT helper module) and sending them to the appropriate device. The latter thing would be a bit of an odd way to do things, since typically once a 6in4 packet reaches its end point, the IPv6 packets are sent natively over the LAN, and not over further 6in4 tunnels. It also sounds somewhat like a alternative to ISATAP, which is a method of routing IPv6 in a LAN environment across IPv4 only routers, using IPv4 as a link layer protocol. :-)
Anyway, you should probably study the IPv6 transition methods a bit to get an idea of "how things are done already" before spending a lot of time/energy on reinventing ways of doing things which
may already have a standard solution.
A good page to start is:
http://en.wikipedia.org/wiki/IPv6#Transition_mechanisms
