From: Hiroki Sato <hrs@FreeBSD.org>
To: net@FreeBSD.org
Date: Thu, 23 Sep 2010 05:32:36 +0900 (JST)
Message-Id: <20100923.053236.231630719.hrs@allbsd.org>
Subject: Call for testers: RFC 5569 (6rd) support in stf(4)

Hello,

Can anyone try a patch for adding 6rd (RFC 5569) support to stf(4)?
The patch for HEAD can be found at:

 http://people.allbsd.org/~hrs/FreeBSD/stf_6rd_20100921-1.diff

While it still includes a lot of extra code only for debugging purposes,
it should work anyway. The operating principle and a configuration
example are the following:

0. Supposed Network Structure

          (IPv6/IPv4 Internet)
                  |
                  | <-- static or dynamic routes between Internet and
                  |     IPv6 network in ISP for 6rd (2001:db8::/32).
                  |
   ^        +-+---------+
   |        | PE router |
   |        +-+-----+---+
   |          |.1   |::1
  ISP         |     |
   |          |   --+----------------------
   |          |          2001:db8:c000:0201::/64
   |          |
   |          |   192.0.2.0/24  <-- IPv4 network between the provider
   |        --+----+----------------   and its customers.
   v               |.2
   ^        +------+----+
   |        | CE router |(IPv6 default route is 2001:db8:c000:0201::1)
   |        +------+----+
  HOME             |::1
   |               |
   |               |   2001:db8:c000:0202::/64 <-- IPv6 LAN on customer side
   v        --+----+---------------------------
                   |
                   |::2
                +--+---+
                |HOST-A| (IPv6 default route is 2001:db8:c000:0202::1)
                +------+

[Provider side]

A PE router is used for routing between the Internet and the ISP's
IPv4/IPv6 network. The router works in two ways:

 1) It accepts a 6rd IPv4 packet which contains an IPv6 packet inside,
    decapsulates it, and delivers it as a normal IPv6 packet based on
    the routing table.

 2) It accepts an IPv6 packet with the 6rd prefix, encapsulates it in
    an IPv4 packet, and then delivers it as a 6rd IPv4 packet to
    another 6rd router.

The prefix for 6rd is 2001:db8::/32 in this example.
Since the IPv4 address of the PE router is 192.0.2.1, the calculated 6rd
IPv6 prefix is 2001:db8:c000:0201::/64 (c000:0201 == 192.0.2.1 in hex).
The 6rd encap/decap is done only for packets within this IPv6 prefix.

[Customer side]

A CE router is used for routing between the LAN (customer side) and the
WAN (provider side). It has 192.0.2.2/24 on the WAN and
2001:db8:c000:0202::/64 on the LAN. There is no direct IPv6 reachability
on the WAN side. The behavior of the CE router is basically the same as
that of the PE router.

1. 6rd functionality

The CE router accepts an IPv6 packet with an address in the range
2001:db8:c000:0202::/64, and if the destination address is not within
the LAN, it encapsulates the packet and delivers it as an IPv4 packet.
The IPv4 packet's destination address is chosen in the following way:
if the IPv6 dst addr is within 2001:db8::/32, it is the IPv4 address
calculated from the dst addr. If not, it picks up the next-hop IPv6
address and tries to calculate an IPv4 address from it. If both fail,
delivery of the IPv4 packet also fails (unreachable).

For incoming 6rd IPv4 packets, the CE router decapsulates them and
delivers them as normal IPv6 packets. Note that decapsulation happens
only when the IPv4 address part of the IPv6 dst addr in the incoming 6rd
IPv4 packet matches the router's own IPv4 address.

In this way, the CE router offers IPv6 reachability over the IPv4
network. For example, "ping6 2001:db8:c000:0201::1" from HOST-A works
like this:

 a) An IPv6 packet is delivered from HOST-A to the CE router. The
    packet has the following address information:

      src:      2001:db8:c000:0202::2 (HOST-A)
      dst:      2001:db8:c000:0201::1
      next hop: 2001:db8:c000:0202::1 (CE router)

 b) The CE router accepts the packet from HOST-A but has no on-link
    connection to 2001:db8:c000:0202::1. It encapsulates it into an
    IPv4 packet like this:

      outer IPv4 src: 192.0.2.2
      outer IPv4 dst: 192.0.2.1
      inner IPv6 src: 2001:db8:c000:0202::2
      inner IPv6 dst: 2001:db8:c000:0201::1

    The outer IPv4 address pair is the CE router's own IPv4 address and
    the address calculated from the inner dst address. The IPv4 packet
    is delivered based on the IPv4 routing table.

 c) The PE router receives the 6rd IPv4 packet from b). It checks that
    the inner src IPv6 addr matches the 6rd prefix and that the dst
    IPv4 addr matches the PE router's, and then decapsulates it. The
    IPv6 packet is delivered based on the IPv6 routing table. In this
    case, the PE router has 2001:db8:c000:0201::1, so the IPv6 packet
    has already reached its final destination over the IPv4 network.

In the same way, HOST-A can reach the IPv6 Internet if the PE router
has sufficient routing information.

2. Configuration

You might want to set ipv6_activate_all_interfaces=YES in rc.conf before
trying the following command lines. And of course the IPv6 prefixes here
must be global ones in a real configuration.

2.1 HOST-A

 # ifconfig fxp0 inet6 2001:db8:c000:0202::2/64
 # route add -inet6 default 2001:db8:c000:0202::1

2.2 CE router

 # ifconfig fxp0 inet6 2001:db8:c000:0202::1/64
 # ifconfig fxp1 inet 192.0.2.2/24
 # ifconfig stf0 create
 # ifconfig stf0 inet6 2001:db8:c000:0202::/32
 # route add -inet6 default 2001:db8:c000:0201::1
 # sysctl net.inet.ip.forwarding=1
 # sysctl net.inet6.ip6.forwarding=1

Note that the prefixlen of the stf interface must be the same as that of
the 6rd relay prefix, not including the IPv4 part. This means it is from
0 to 32 in theory.
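As an added illustration (not part of this mail or of the stf(4) patch), the address arithmetic from section 1 and the prefixlen note above in Python: deriving the delegated 6rd prefix from the relay prefix and an IPv4 address, choosing the outer IPv4 destination (dst first, then next hop, else unreachable), and the decapsulation check. It generalizes to relay prefix lengths 0..32 as the note says; the "outside" address 2001:db9::1 is a constructed example.

```python
import ipaddress
from typing import Optional

def _relay(relay_prefix: str, relay_plen: int) -> ipaddress.IPv6Network:
    # The stf prefixlen is the 6rd relay prefix length only (0..32),
    # without the 32 IPv4 bits that follow it.
    if not 0 <= relay_plen <= 32:
        raise ValueError("6rd relay prefixlen must be 0..32")
    return ipaddress.IPv6Network(f"{relay_prefix}/{relay_plen}", strict=False)

def sixrd_prefix(relay_prefix: str, relay_plen: int, ipv4: str) -> ipaddress.IPv6Network:
    """Delegated 6rd prefix for one IPv4 address: the full 32-bit IPv4
    address follows the relay prefix, so the result is relay_plen+32 long
    (2001:db8::/32 + 192.0.2.1 -> 2001:db8:c000:201::/64)."""
    relay = _relay(relay_prefix, relay_plen)
    v4 = int(ipaddress.IPv4Address(ipv4))
    addr = int(relay.network_address) | (v4 << (128 - relay_plen - 32))
    return ipaddress.IPv6Network((addr, relay_plen + 32))

def embedded_ipv4(relay_prefix: str, relay_plen: int, ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 address carried in a 6rd IPv6 address, or None when the
    address is outside the relay prefix."""
    relay = _relay(relay_prefix, relay_plen)
    a = ipaddress.IPv6Address(ipv6)
    if a not in relay:
        return None
    return ipaddress.IPv4Address((int(a) >> (128 - relay_plen - 32)) & 0xFFFFFFFF)

def outer_ipv4_dst(relay_prefix, relay_plen, ipv6_dst, ipv6_nexthop) -> Optional[ipaddress.IPv4Address]:
    """Encapsulation rule from the mail: IPv4 from the IPv6 dst if it is
    in the 6rd prefix, else from the next hop, else None (unreachable)."""
    v4 = embedded_ipv4(relay_prefix, relay_plen, ipv6_dst)
    if v4 is not None:
        return v4
    return embedded_ipv4(relay_prefix, relay_plen, ipv6_nexthop)

def accept_decap(relay_prefix, relay_plen, inner_src, inner_dst, my_ipv4) -> bool:
    """Decapsulation check: the inner src must carry the 6rd prefix and the
    IPv4 part of the inner dst must be this router's own address."""
    if embedded_ipv4(relay_prefix, relay_plen, inner_src) is None:
        return False
    return embedded_ipv4(relay_prefix, relay_plen, inner_dst) == ipaddress.IPv4Address(my_ipv4)

if __name__ == "__main__":
    # The mail's example: relay 2001:db8::/32, PE 192.0.2.1, CE 192.0.2.2.
    print(sixrd_prefix("2001:db8::", 32, "192.0.2.1"))
    print(outer_ipv4_dst("2001:db8::", 32, "2001:db9::1", "2001:db8:c000:201::1"))
```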
2.3 PE router

 # ifconfig fxp0 inet 192.0.2.1/24
 # ifconfig fxp1 inet6 2001:db8:c000:0201::1/64
 # ifconfig stf0 create
 # ifconfig stf0 inet6 2001:db8:c000:0201::/32
 # sysctl net.inet.ip.forwarding=1
 # sysctl net.inet6.ip6.forwarding=1
 # (+ routes to the Internet must be configured in some way)

2.4 Test

 HOST-A# ping6 2001:db8:c000:0201::1   (communication within the 6rd domain)
 HOST-A# ping6 www.kame.net            (communication beyond the PE router)

The patched version of stf(4) also supports the following:

 - multiple 6rd domains, by adding multiple IPv6 addresses.
 - 6to4 (2002::/16) works as before.
 - stf(4) is clonable now and can be moved across vnets. While you can
   have multiple instances, only one of them in a vnet can be marked
   as UP.

Any comments are welcome.

-- Hiroki