© Tramper2, fotolia.com

IPv6 tunnel technologies

Dug Out

Article from ADMIN 13/2013
Now that IPv6 is the official Internet protocol, all that remains is the simple task of migrating all the machines on the Internet. Until that happens, tunnel technologies provide an interim solution.

Migration to IPv6 is picking up speed. In the fall of 2012, Deutsche Telekom announced that new DSL customers would have dual stack connections (IPv4+IPv6). Other providers will be following suit in the next few months. For many larger companies, migration to IPv6 is not a matter of a few days but of years. As early as the design phase, the IPv6 developers took into account the fact that the introduction of IPv6 to existing IPv4 networks would, in some cases, involve a long transition period where both technologies would exist side by side. This article describes some tunnel technologies for implementing IPv6 in an IPv4 world.

In the transition phase, IPv6 systems must be able to communicate both with each other and with IPv4 systems. The term "node" in IETF terminology describes an active system on the network that communicates via IPv4 or IPv6. This includes normal workstations and servers as well as routers. RFC 4213 (Basic Transition Mechanisms for IPv6 Hosts and Routers) describes the following node types:

  • IPv4-only nodes: These systems run only IPv4.
  • IPv6-only nodes: These systems run only IPv6.
  • IPv6/IPv4 nodes: These systems run both IP stacks in parallel.
  • IPv4 node: The system communicates with IPv4. This can be either an IPv4-only node or an IPv6/IPv4 node.
  • IPv6 node: The system communicates with IPv6. This can be either an IPv6-only node or an IPv6/IPv4 node.

In the following section, the question is how to gradually introduce IPv6 parallel to IPv4. In the process, the challenge of merging the two worlds must be considered. In principle, the following approaches are available:

  • Dual-stack: The systems on the network run both IPv4 and IPv6.
  • Tunnel mechanisms: This is mainly a question of tunneling IPv6 communications through an IPv4 area in order to link IPv6 islands.
  • Translation mechanisms: Similar to the NAT principle, IPv4 systems communicate with IPv6-based systems via appropriate mechanisms and vice versa.

Although dual-stack implementations are the preferred choice in the parallel introduction of IPv6 into an existing IPv4 network, translation technologies do offer a transition from one IP stack to the other. However, only tunnel technologies are capable of connecting IPv6-only nodes with one another through an intervening IPv4-only infrastructure.

Tunnel Digging

IPv6 is being introduced gradually rather than immediately into many networks. A typical scenario in the transitional period is thus communication between IPv6 nodes on an IPv4 network. IPv6 communication needs to be transported over IPv4, that is, IPv6 needs to be tunneled into IPv4. This means that the IPv6 data packet is encapsulated in an IPv4 packet. The IPv6 node itself or a gateway wraps the IPv6 packet in IPv4 and sends it on its way. In doing so, it sets the protocol field in the IPv4 header to a value of 41 (Figure 1).

Figure 1: IPv6 encapsulated in IPv4: The IPv6 packet is wrapped in an IPv4 packet.

The IPv6 header contains the IPv6 addresses of the end-to-end communication (i.e., of the communicating endpoints). The IPv4 header contains the source and destination addresses of the endpoints within the IPv4 network. These endpoints can be the "real" endpoints of the IPv6 communication in certain tunneling mechanisms. Most of the time, encapsulation is handled by the tunnel gateways. These are usually the border routers or firewalls of the local network.
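The following added example (not part of the original article) parses a raw IPv4 packet, checks the protocol field for the value 41, and returns both address pairs, so the tunnel endpoints in the outer header can be compared with the end-to-end IPv6 addresses in the inner header. The function names and the sample packet, built from documentation address ranges, are constructed for illustration.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv4 protocol field value for an encapsulated IPv6 packet


def parse_6in4(packet: bytes):
    """Return outer and inner addresses of an IPv6-in-IPv4 packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4           # IPv4 header length incl. options
    if ihl < 20 or len(packet) < ihl or packet[9] != IPPROTO_IPV6:
        return None
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("protocol 41 payload is not a complete IPv6 header")
    return {
        "tunnel_src": str(ipaddress.IPv4Address(packet[12:16])),
        "tunnel_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "ipv6_src": str(ipaddress.IPv6Address(inner[8:24])),
        "ipv6_dst": str(ipaddress.IPv6Address(inner[24:40])),
        "hop_limit": inner[7],
    }


def build_packet(proto: int) -> bytes:
    """Constructed sample: IPv4 header (checksum left 0) plus an IPv6 header."""
    ipv6 = (struct.pack("!IHBB", 6 << 28, 0, 59, 64)   # no payload, hop limit 64
            + ipaddress.IPv6Address("2001:db8:1::10").packed
            + ipaddress.IPv6Address("2001:db8:2::20").packed)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6), 0, 0, 64,
                       proto, 0,
                       ipaddress.IPv4Address("192.0.2.1").packed,
                       ipaddress.IPv4Address("198.51.100.1").packed)
    return ipv4 + ipv6


if __name__ == "__main__":
    print(parse_6in4(build_packet(IPPROTO_IPV6)))
    print(parse_6in4(build_packet(6)))   # TCP: not a tunnel packet
```

A filter or log source that records only the outer IPv4 header sees the two tunnel endpoints; the IPv6 addresses become visible only after the payload is decapsulated as shown.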

From the point of view of an IPv6 packet, IPv4 encapsulation is nothing but ordinary encapsulation at link-layer level, like in Ethernet. In such tunnel scenarios, completely different structures can exist for the IPv6 network and the IPv4 network. For example, a complete IPv4 infrastructure, consisting of many routers and network segments, can be transcended in a single hop between the source and the destination from an IPv6 point of view.

The advantage of tunnel solutions is their flexibility in connecting individual IPv6 islands in the "IPv4 ocean." Nevertheless, tunnel technologies are always going to be second choice compared to native IPv6 communication, because they can be complex to configure and also prone to error. Thus, the Teredo tunneling mechanism (described later in this article) is regarded as only partially usable, because it does not work properly in the majority of cases [1].

Tunnel Configurations

Similarly to VPN tunnels, IPv6 tunnels can connect remote locations on the network. RFC 4213 provides for the following tunnel configurations:

  • Router-to-Router
  • Host-to-Router and Router-to-Host
  • Host-to-Host

Router-to-router tunnels connect IPv6 infrastructures via a single virtual hop in an IPv4-only infrastructure. This is the simplest and most common case of a tunnel, because the tunnel configuration is only needed on one or a few systems of the network, and the IPv6-only nodes do not need to know about it. A typical example of a router-to-router tunnel is a 6to4 tunnel. In many cases, the tunnel connects two corresponding routers over the IPv4 Internet, in order to connect IPv6 networks across multiple locations (Figure 2).

Figure 2: Router-to-router tunnels connect, for example, two IPv6-enabled sites.

The host-to-router tunnel connects an IPv6/IPv4 node on an IPv4-only network with an IPv6/IPv4 router (Figure 3). To do this, the host uses a tunnel interface and appropriate routing entries (e.g., in the form of the default gateway), which route the corresponding traffic to the tunnel interface. The tunnel interface wraps the IPv6 packets in IPv4 packets and sends them to the IPv6/IPv4 router, which forwards the IPv6 packets to the IPv6 destination. The way back (router-to-host) is similar. ISATAP is a tunneling technology that works on this principle. This tunnel type is mainly used to connect IPv6 nodes within an enterprise network.

Figure 3: A host-to-router tunnel connects an IPv6-enabled computer over IPv4 to an IPv6 router.

A host-to-host tunnel connects the communicating endpoints directly with one another through an IPv4 tunnel. The encapsulated IPv6 packet is unpacked again only at the endpoint of the communication. This principle is also used in ISATAP tunneling technologies and is used to support communications between two IPv6 nodes within an IPv4 network.

Tunnel Types

Basically two different types of IPv6 tunnels are available: configured tunnels and automatic tunnels. With configured tunnels, the administrator needs to set up the tunnel manually on the tunnel endpoints. In this case, the IPv4 destination address of the remote endpoint is not embedded in the IPv6 address, as is typically the case with automatic tunnels. Configured tunnels use manually created tunnel interfaces that define fixed source and destination addresses.

No manual configuration is necessary for automatic tunnels. The tunnels are set up dynamically when needed; the IPv4 destination addresses are typically embedded in the IPv6 address. Tunnel technologies include:

  • 6to4: Used to connect IPv6 nodes on the IPv4 Internet.
  • 6rd: A development of 6to4 without the restriction of statically defined 6to4 prefixes.
  • ISATAP: For connecting IPv6 nodes on an IPv4 intranet.
  • Teredo: Allows the connection of IPv6 nodes through NAT.
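As an added illustration (not code from the article), the sketch below recovers the IPv4 address embedded in an automatic-tunnel IPv6 address, which helps when attributing tunnel traffic found in logs. The 6to4 and Teredo prefixes and the ISATAP interface-ID marker come from RFC 3056, RFC 4380, and RFC 5214 rather than from this page; the function name and sample addresses are constructed.

```python
import ipaddress

ISATAP_MARKERS = (0x00005EFE, 0x02005EFE)  # upper half of an ISATAP interface ID


def classify_tunnel_address(addr: str):
    """Return (mechanism, embedded IPv4 address) or (None, None)."""
    ip6 = ipaddress.IPv6Address(addr)
    if ip6.sixtofour is not None:            # 2002::/16, IPv4 in bits 16-47
        return "6to4", str(ip6.sixtofour)
    if ip6.teredo is not None:               # 2001::/32
        _server, client = ip6.teredo         # client address is stored inverted
        return "Teredo", str(client)
    value = int(ip6)
    if ((value >> 32) & 0xFFFFFFFF) in ISATAP_MARKERS:
        return "ISATAP", str(ipaddress.IPv4Address(value & 0xFFFFFFFF))
    # 6rd uses a provider-chosen prefix, so it cannot be recognised without
    # knowing that prefix; native addresses also end up here.
    return None, None


# Constructed sample addresses built from documentation IPv4 ranges.
SAMPLES = [
    "2002:c000:201::1",
    "2001:0:c000:201:0:f227:39cc:9bfe",
    "fe80::5efe:c633:6401",
    "2001:db8::1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, classify_tunnel_address(sample))
```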

In the rest of this article, I will take a closer look at how these technologies work.
