Date:      Thu, 23 Sep 2010 05:32:36 +0900 (JST)
From:      Hiroki Sato <hrs@FreeBSD.org>
To:        net@FreeBSD.org
Subject:   Call for testers: RFC 5569 (6rd) support in stf(4)
Message-ID:  <20100923.053236.231630719.hrs@allbsd.org>


Hello,

 Can anyone try a patch for adding 6rd (RFC 5569) support to stf(4)?
 The patch for HEAD can be found at:

  http://people.allbsd.org/~hrs/FreeBSD/stf_6rd_20100921-1.diff

 While it still includes a lot of extra code only for debugging
 purposes, it should work anyway.

 The operating principle and a configuration example are the
 following:

 0. Supposed Network Structure

     (IPv6/IPv4 Internet)
       |
       | <-- static or dynamic routes between Internet and
       |     IPv6 network in ISP for 6rd (2001:db8::/32).
       |
  ^  +-+---------+
  |  | PE router |
  |  +-+-----+---+
  |    |.1   |::1
 ISP   |     |
  |    |   --+----------------------
  |    |     2001:db8:c000:0201::/64
  |    |
  |    |         192.0.2.0/24 <-- IPv4 network between the provider
  |  --+----+----------------     and its customers.
  v         |
            |.2
  ^  +------+----+
  |  | CE router |(IPv6 default route is 2001:db8:c000:0201::1)
  |  +------+----+
 HOME       |::1
  |         |
  |         |    2001:db8:c000:0202::/64 <-- IPv6 LAN on customer side
  v  --+----+---------------------------
       |
       |::2
    +--+---+
    |HOST-A| (IPv6 default route is 2001:db8:c000:0202::1)
    +------+

 [Provider side]

  A PE router is used for routing between Internet and ISP's IPv4/IPv6
  network.  The router works in two ways:

    1) It accepts a 6rd IPv4 packet which contains an IPv6 packet
       inside, decapsulates it, and delivers it as a normal IPv6
       packet based on the routing table.

    2) It accepts an IPv6 packet with the 6rd prefix, encapsulates it
       in an IPv4 packet, and then delivers it as a 6rd IPv4 packet to
       another 6rd router.

  A prefix for 6rd is 2001:db8::/32 in this example.  Since IPv4
  address of the PE router is 192.0.2.1, the calculated 6rd IPv6
  prefix is 2001:db8:c000:0201::/64 (c000:0201 == 192.0.2.1 in HEX).
  The 6rd encap/decap will be done only for packets within this IPv6
  prefix.

 [Customer side]

  A CE router is used for routing between LAN (customer side) and WAN
  (provider side).  It has 192.0.2.2/24 on WAN and
  2001:db8:c000:0202::/64 on LAN.  No direct IPv6 reachability on WAN
  side.  The behavior of the CE router is basically the same as the PE
  router.

 1. 6rd functionality

  The CE router accepts an IPv6 packet with an address range
  2001:db8:c000:0202::/64, and if the destination address is not
  within the LAN, it encapsulates the packet and delivers it as an
  IPv4 packet.  The IPv4 packet's destination address is chosen in the
  following way: if the IPv6 dst addr is within 2001:db8::/32 it will
  be the calculated IPv4 address from the dst addr.  If not, it picks
  up the next hop IPv6 address and tries to calculate IPv4 address from
  it.  If both fail, delivery of the IPv4 packet also fails
  (unreachable).

  For incoming 6rd IPv4 packets, CE router decapsulates and delivers
  them as normal IPv6 packets.  Note that decapsulation happens only
  when IPv4 address part in the IPv6 dst addr in the incoming 6rd IPv4
  packets matches the router's IPv4 address itself.

  In this way, CE router offers IPv6 reachability over the IPv4
  network.  For example, "ping6 2001:db8:c000:0201::1" from HOST-A
  works like this:

  a) IPv6 packet is delivered from HOST-A to CE router.
     The packet has the following address information:

      src: 2001:db8:c000:0202::2 (HOST-A)
      dst: 2001:db8:c000:0201::1
      next hop: 2001:db8:c000:0202::1 (CE router)

  b) CE router accepts a packet from HOST-A but has no on-link connection
     to 2001:db8:c000:0202::1.  It encapsulates it into an IPv4 packet
     like this:

     outer IPv4 src: 192.0.2.2
     outer IPv4 dst: 192.0.2.1
     inner IPv6 src: 2001:db8:c000:0202::2
     inner IPv6 dst: 2001:db8:c000:0201::1

     The outer IPv4 address pair is chosen by CE router's IPv4 address
     and calculated from inner dst address.  The IPv4 packet will be
     delivered based on the IPv4 routing table.

  c) PE router receives a 6rd IPv4 packet in b).  It checks the inner
     src IPv6 addr matches 6rd prefix and dst IPv4 addr matches the PE
     router's, and then decapsulates it.  The IPv6 packet will be
     delivered based on the IPv6 routing table.  In this case, PE
     router has 2001:db8:c000:0201::1, so the IPv6 packet already
     reaches the final destination over IPv4 network.

  In the same way HOST-A can reach IPv6 Internet if PE router has
  sufficient routing information.

 2. Configuration

  You might want to set ipv6_activate_all_interfaces=YES in rc.conf
  before trying the following command lines.  And of course IPv6
  prefixes here must be global ones in a real configuration.

 2.1 HOST-A

  # ifconfig fxp0 inet6 2001:db8:c000:0202::2/64
  # route add -inet6 default 2001:db8:c000:0202::1

 2.2 CE router

  # ifconfig fxp0 inet6 2001:db8:c000:0202::1/64
  # ifconfig fxp1 inet 192.0.2.2/24
  # ifconfig stf0 create
  # ifconfig stf0 inet6 2001:db8:c000:0202::/32
  # route add -inet6 default 2001:db8:c000:0201::1
  # sysctl net.inet.ip.forwarding=1
  # sysctl net.inet6.ip6.forwarding=1

  Note that prefixlen of the stf interface must be the same as the 6rd
  relay prefix, not including the IPv4 part.  This means it is from 0 to
  32 in theory.

 2.3 PE router

  # ifconfig fxp0 inet 192.0.2.1/24
  # ifconfig fxp1 inet6 2001:db8:c000:0201::1/64
  # ifconfig stf0 create
  # ifconfig stf0 inet6 2001:db8:c000:0201::/32
  # sysctl net.inet.ip.forwarding=1
  # sysctl net.inet6.ip6.forwarding=1
  # (+ routes to Internet must be configured in some way)

 2.4 Test

  HOST-A# ping6 2001:db8:c000:0201::1 (communication within 6rd domain)
  HOST-A# ping6 www.kame.net (communication beyond PE router)


 The patched version of stf(4) also supports the following:

  - multiple 6rd domains by adding multiple IPv6 addresses.

  - 6to4 (2002::/16) works as before.

  - stf(4) is clonable now and can be moved across vnets.  While you
    can have multiple instances, only one of them in a vnet can be
    marked as UP.

 Any comments are welcome.

-- Hiroki
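
The outer IPv4 destination selection described in section 1 of the message above, as an added example that is not part of the original e-mail and not code from the stf(4) patch. The names outer_dst, in_prefix and bit_at are hypothetical, and the example also handles 6rd prefix lengths that are not byte-aligned, which goes beyond the /32 case in the message.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustration only: helper names are hypothetical, not from the stf(4) patch. */
/* Bit i (0 = most significant) of a 128-bit IPv6 address. */
static int bit_at(const struct in6_addr *a, int i) {
    return (a->s6_addr[i / 8] >> (7 - i % 8)) & 1;
}

/* 1 if the first plen bits of addr equal those of the 6rd prefix. */
static int in_prefix(const struct in6_addr *addr, const struct in6_addr *pfx, int plen) {
    for (int i = 0; i < plen; i++)
        if (bit_at(addr, i) != bit_at(pfx, i))
            return 0;
    return 1;
}

/* Pick the outer IPv4 destination: try the inner IPv6 dst first, then the
 * IPv6 next hop.  Returns 0 and fills out, or -1 when both fail (unreachable).
 * plen is limited to 0..32 as in the message. */
int outer_dst(const char *pfx, int plen, const char *dst, const char *nexthop,
              char out[INET_ADDRSTRLEN]) {
    const char *cand[2] = { dst, nexthop };
    struct in6_addr p, c;
    if (plen < 0 || plen > 32 || inet_pton(AF_INET6, pfx, &p) != 1)
        return -1;
    for (int k = 0; k < 2; k++) {
        if (!cand[k] || inet_pton(AF_INET6, cand[k], &c) != 1 || !in_prefix(&c, &p, plen))
            continue;
        uint32_t v4 = 0;                    /* the 32 bits right after the prefix */
        for (int i = 0; i < 32; i++)
            v4 = (v4 << 1) | (uint32_t)bit_at(&c, plen + i);
        struct in_addr ia = { .s_addr = htonl(v4) };
        return inet_ntop(AF_INET, &ia, out, INET_ADDRSTRLEN) ? 0 : -1;
    }
    return -1;
}

int main(void) {
    char out[INET_ADDRSTRLEN];
    /* Step b) of the walk-through: HOST-A pings the PE router. */
    if (outer_dst("2001:db8::", 32, "2001:db8:c000:0201::1", "2001:db8:c000:0202::1", out) == 0)
        printf("outer IPv4 dst: %s\n", out);
    return 0;
}
```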
