Posts Tagged ‘Tunnelbroker’

Just recently the last two IPv4 /8s [1] have been allocated by IANA, providing the lift off for IPv4 address space exhaustion [2]. While the issue has been well known for years, and many people have been promoting IPv6 [3], only a few companies have migrated their networks and services [4,7]. It is now receiving its long demanded attention.

I am currently working on IPv6 security implementations and would like to feedback about how to migrate IPv4- into dual stacked IPv6 networks, securely. This article starts off with an example of a tunnel broker setup to help people get their first hands-on IPv6 experience. More advanced topics and focusing on various security issues are planned to be published on a part by part base. Stay tuned on IPv6.

IPv6 in IPv4 tunneling:

From Wikipedia (http://en.wikipedia.org/wiki/Tunnel_broker) “A tunnel broker is a service which provides a network tunnel. These tunnels can provide encapsulated connectivity over existing infrastructure to a new infrastructure.

There are a variety of tunnel brokers, though most commonly the term is used to refer to an IPv6 tunnel broker, as defined in RFC 3053 [5]. These commonly provide IPv6 tunnels to endusers/endsites using either manual, scripted or automatic configuration. In general tunnel brokers offer so called ‘protocol 41′ or proto-41 tunnels. These are tunnels where IPv6 is tunneled directly inside IPv4 by having the protocol field set to ’41′ (IPv6) in the IPv4 packet.”

Basically a IPv6 tunnel broker allows you to connect to and communicate with existing IPv6 networks even if your Service Provider network only supports IPv4. It allows testing for IPv6 deployment where some network node or transit communication is not fully IPv6 enabled:

Subscribing for IPv6 tunnel service with SixXS Tunnelbroker:

Please note that SixXS is just one of several tunnelbrokers available [6]. At the time I came around IPv6 tunneling this was simply one of the most popular ones.

Signup for a – SiXS handle: http://www.sixxs.net/signup/create/

You will receive a confirmation mail with your username, password and tunnel id and further details, e.g. login into the main website with your login details, request a tunnel and wait for tunnel approval.

Tunnel Name My V6 Tunnel
PoP Name gblon02
PoP Location London, United Kingdom (Great Britain) United Kingdom (Great Britain)
PoP IPv4 77.75.104.126
Your Location Peterborough, United Kingdom (Great Britain) United Kingdom (Great Britain)
Your IPv4 AYIYA, currently 80.40.20.10
IPv6 Prefix 2a01:348:6:157::1/64
PoP IPv6 2a01:348:6:157::1
Your IPv6 2a01:348:6:157::2
Created 2008-11-11 15:17:51 CEST 

State AYIYA (automatically enabled on the fly)

This is a sample of user’s authentication data provided::

Username : BMsixxs-SIXXS
Password : TrfGvfda

URL to logon and verify : https://www.sixxs.net/home/

Setup for Windows (XP) example using SixXS Tunnelbroker:

Install the Windows XP IPv6 TCP/IP stack and type into a command line and do a reboot after:

ipv6 install

Install the OpenVPN software bundle with default settings (http://openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe).

You do not to run/configure any OpenVpn application, we just need the “tap” driver to get aiccu working. SixXS tab driver from their own site didn’t work for me.
(Note that you need another reboot.)

Download the Windows(XP) Aiccu Gui version from http://www.sixxs.net/archive/sixxs/aiccu/windows/aiccu-current-gui.exe .

Start the Windows(XP) Aiccu Gui version. Type in your username and password Select your tunnel and click enable.

In a Windows command shell you should be now able to ping ipv6.google.com (Note that the firewall might block your icmp echo request).

You can also test your IPv6 connectivity by directing your browser to URL:

C:\Documents and Settings\Administrator>ping6 ipv6.google.com

Pinging ipv6.l.google.com [2001:4860:a003::68]
from 2a01:348:6:157::2 with 32 bytes of data:

Reply from 2001:4860:a003::68: bytes=32 time=104ms
Reply from 2001:4860:a003::68: bytes=32 time=98ms
Reply from 2001:4860:a003::68: bytes=32 time=97ms
Reply from 2001:4860:a003::68: bytes=32 time=97ms

http://ipv6.google.com

Your “ipconfig” ouput looks now similar to:

C:\Documents and Settings\Administrator>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : wawabinbung
Primary Dns Suffix . . . . . .:
Node Type . . . . . . . . . . . . ..: Hybrid
IP Routing Enabled. . . . . . : No
WINS Proxy Enabled. . . . . : No
DNS Suffix Search List. . . ..: dyn.bernd.marienfeldt.de

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : dyn.bernd.marienfeldt.de
Description . . . . . . . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
Physical Address. . . . . . . . . : 00-0C-22-97-97-97
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 80.40.20.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : fe80::20c:29ff:feb4:9d97%4
Default Gateway . . . . . . . . . : 80.40.20.1
DHCP Server . . . . . . . . . . . : 80.40.20.2
DNS Servers . . . . . . . . . . . : 80.40.20.2
80.40.20.3
fec0:0:0:ffff::1%2
fec0:0:0:ffff::2%2
fec0:0:0:ffff::3%2
Primary WINS Server . . . . . . . : 80.40.20.2
Lease Obtained. . . . . . . . . . : 16 June 2009 17:23:08
Lease Expires . . . . . . . . . . : 16 June 2009 21:23:08

Ethernet adapter aiccu:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Win32 Adapter V8
Physical Address. . . . . . . . . : 00-FF-F6-0E-68-C9
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . . . . : 0.0.0.0
IP Address. . . . . . . . . . . . : 2a01:348:6:157::2
IP Address. . . . . . . . . . . . : fe80::2ff:f6ff:fe0e:68c9%5
Default Gateway . . . . . . . . . : 2a01:348:6:157::1
DHCP Server . . . . . . . . . . . : 255.255.255.255
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : FF-FF-FF-FF-FF-FF-FF-FF
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : fe80::ffff:ffff:fffd%6
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter 6to4 Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . : dyn.bernd.marienfeldt.de
Description . . . . . . . . . . . : 6to4 Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : C3-42-E9-41
Dhcp Enabled. . . . . . . . . . . : No
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%2
fec0:0:0:ffff::2%2
fec0:0:0:ffff::3%2
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Automatic Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . : dyn.bernd.marienfeldt.de
Description . . . . . . . . . . . : Automatic Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : C3-42-E9-41
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : fe80::5efe:80.40.20.10%2
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%2
fec0:0:0:ffff::2%2
fec0:0:0:ffff::3%2
NetBIOS over Tcpip. . . . . . . . : Disabled

Example Setup Linux Ubuntu using SixXS Tunnelbroker:

Install “aiccu” the SixXS client application:

sudo aptitude install aiccu

Provide Username, Password and Tunnel id (if necessary) during the setup. This will be all set for you during the installation but you can find the config in:

/etc/aiccu

username Charly-SIXXS
password Random
protocol tic
server tic.sixxs.net
tunnel_id T18743
# AICCU Configuration
.
.

Your network should now be configured ready to go:

Again you can test your ipv6 connectivity:

ifconfig -a

sixxs Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet6 addr: 2a01:348:6:157::2/64 Scope:Global
inet6 addr: fe80::48:6:157:2/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1280 Metric:1
RX packets:269 errors:0 dropped:0 overruns:0 frame:0
TX packets:332 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:155985 (155.9 KB) TX bytes:48812 (48.8 KB)

bernd@isopiece:~$ ping6 ipv6.google.com
PING ipv6.google.com(fx-in-x68.google.com) 56 data bytes
64 bytes from fx-in-x68.google.com: icmp_seq=1 ttl=56 time=95.7 ms
64 bytes from fx-in-x68.google.com: icmp_seq=2 ttl=56 time=96.8 ms
64 bytes from fx-in-x68.google.com: icmp_seq=3 ttl=56 time=96.4 ms
^C

IPv6 Enabled Websites:

http://www.sixxs.net/wiki/IPv6_Enabled_Websites [7]

References:

[1] CIDR: http://en.wikipedia.org/wiki/CIDR or http://tinyurl.com/27jw9x
[2] IPv4 exhaustion
[3] IPv6, http://en.wikipedia.org/wiki/Ipv6 or http://tinyurl.com/9wjqy
[4] Pushing towards IPv6 implementations:

  • http://www.ipv6actnow.org/
  • Hurricane Electric Internet Services
  • http://www.6uk.org.uk/
  • http://gogonet.gogo6.com/
  • LINX IPv6 Workshop 2009 or http://tinyurl.com/6krd78n
  • IPv6 Congress May 2011
  • [5] RFC 3043, IPv6 Tunnel Broker from 2001 : http://www.ietf.org/rfc/rfc3053
    [6] List of tunnel brokers

  • http://www.sixxs.net/tools/aiccu/brokers/ or http://tinyurl.com/cx6pc
  • http://en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers or http://tinyurl.com/288z4h
  • [7] List of IPv6 enabled websites: http://www.sixxs.net/wiki/IPv6_Enabled_Websites or http://tinyurl.com/6lbubxp

    _______________________
    Back to IPv6 Analysis Overview
    .