6to4

6to4 tunneling is an IPv6 transition mechanism that allows isolated IPv6 networks to communicate over an IPv4-only infrastructure.

It helps to compare 6to4 to manual 6in4 tunnels. 6in4 tunnels have the following configuration:

int tun0
 ipv6 address 2001:db8:1::1/64
 tunnel source interface|ipv4-address
 tunnel destination 1.1.1.1
 tunnel mode ipv6ip

Manual 6in4 tunnels are point-to-point, encapsulating IPv6 traffic inside an IPv4 header. The source IPv4 address is specified with the tunnel source command. The destination IPv4 address is specified with the tunnel destination command.

In contrast, a 6to4 tunnel has no specific tunnel destination. The IPv4 destination address is embedded in the IPv6 destination address. The IPv6 destination must use the well-known 6to4 prefix of 2002::/16. The following 32 bits after 2002 are the IPv4 destination in hex. This means that every IPv6 site can have a /48 consisting of 2002:<ipv4 first 16 bits>:<ipv4 last 16 bits>::/48. (The full 32 bit IPv4 address is split up in between the two colons).

For example, a router with IPv4 address 192.168.0.1 will have a 6to4 prefix of 2002:c0a8:0001::/48. Every other 6to4 site will automatically tunnel traffic destined for 2002:c0a8:0001::/48 to 192.168.0.1. Note that all 6to4 routers must be dual-stacked, because they must have a reachable IPv4 address on the IPv4-only network. Compared to a manual 6in4 tunnel which is point-to-point, 6to4 is a point-to-multipoint tunnel.

Lab

We’ll use the topology below to lab 6to4. Imagine that a core team runs the three core routers depicted below. You have no access to these routers, yet you have been tasked with providing IPv6 reachability between all four sites behind the orange routers, R1-R4. To accomplish this, you will use 6to4 tunneling, which will tunnel IPv6 packets across the IPv4 core. 6to4 is used in this case as opposed to manual 6in4 tunnels to reduce the number of tunnel interfaces on the routers, and allow for scaling if more routers are added to the network.

Here are the startup configs:

#R1
hostname R1
!
ipv6 unicast-routing
!
int Gi1
 ip address 10.1.1.2 255.255.255.0
 no shut
!
int lo0
 ipv6 address 2001:db8:1::1/64
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1

#R2
hostname R2
!
ipv6 unicast-routing
!
int Gi1
 ip address 10.1.2.2 255.255.255.0 
 no shut
!
int lo0
 ipv6 address 2001:db8:2::1/64
!
ip route 0.0.0.0 0.0.0.0 10.1.2.1

#R3
hostname R3
!
ipv6 unicast-routing
!
int Gi1
 ip address 10.1.3.2 255.255.255.0 
 no shut
!
int lo0
 ipv6 address 2001:db8:3::1/64
!
ip route 0.0.0.0 0.0.0.0 10.1.3.1

#R4
hostname R4
!
ipv6 unicast-routing
!
int Gi1
 ip address 10.1.4.2 255.255.255.0 
 no shut
!
int lo0
 ipv6 address 2001:db8:4::1/64
!
ip route 0.0.0.0 0.0.0.0 10.1.4.1


#Core1
hostname Core1
!
int Gi1
 ip address 10.1.1.1 255.255.255.0
 no shut
!
int Gi2
 ip address 10.1.2.1 255.255.255.0
 no shut
!
int Gi3
 ip address 10.10.12.1 255.255.255.0
 ip ospf network point-to-point
 no shut
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
 passive-interface Gi1
 passive-interface Gi2

#Core2
hostname Core2
!
int Gi1
 ip address 10.10.12.2 255.255.255.0
 ip ospf network point-to-point
 no shut
!
int Gi2
 ip address 10.10.23.2 255.255.255.0
 ip ospf network point-to-point
 no shut
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0

#Core3
hostname Core3
!
int Gi1
 ip address 10.1.3.1 255.255.255.0
 no shut
!
int Gi2
 ip address 10.1.4.1 255.255.255.0
 no shut
!
int Gi3
 ip address 10.10.23.3 255.255.255.0
 ip ospf network point-to-point
 no shut
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
 passive-interface Gi1
 passive-interface Gi2

We’ll now configure the tun0 interface on each router.

  1. A manually specified IPv6 address is not necessary on the tunnel interface. You can simply enable IPv6 to generate a link-local address.

  2. A tunnel destination is not required, and in fact would defeat the entire purpose of 6to4 tunneling. The tunnel destination will be dynmically determined based on the IPv6 destination address.

  3. You must specify the tunnel source IPv4 address (interface or explicit address).

  4. Set the tunnel mode to ipv6ip 6to4

#R1,2,3,4
int tun0
 ipv6 enable
 tunnel source Gi1
 tunnel mode ipv6ip 6to4

After configuring the tunnel interface, you need to statically route 2002::/16 out tun0, at a minimum. In other config guides, you may see lots of static routes, one to each site, but in my opinion this is burdensome and not necessary. You will see that traffic towards other sites will work automatically, simply by using the router’s IPv4 address which is embedded in the IPv6 destination address. In order to route IPv6 traffic that is not behind the 2002::/16 prefix, you must use static routes or BGP in order to route these prefixes towards a 2002::/16 address. We will use BGP later in this lab to provide reachability for the 2001:db8 prefixes in the topology.

#R1,2,3,4
ipv6 route 2002::/16 tun0

If we translate the IP address of each Gi1 interface to hex, and use this for the IPv6 /48 prefix, we can achieve automatic reachability without the use of additional static routes. We’ll add a Lo1 address to each router, concatenating the 2002::/16 prefix with its Gi1 address in hex.

#R1
#10.1.1.2 = 0a010102
int lo1
 ipv6 address 2002:a01:102::1/48

#R2
#10.1.2.2 = 0a010202
int lo1
 ipv6 address 2002:a01:202::1/48

#R3
#10.1.3.2 = 0a010302
int lo1
 ipv6 address 2002:a01:302::1/48

#R4
#10.1.4.2 = 0a010402
int lo1
 ipv6 address 2002:a01:402::1/48

R1 can ping R4’s Lo1, simply by using the 2002::/16 via Tun0 static route. Feel free to try to ping between other pairs of routers.

R1#ping 2002:a01:402::1 source lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2002:A01:402::1, timeout is 2 seconds:
Packet sent with a source address of 2002:A01:102::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/12/52 ms

The IPv6 packet is automatically encapsulated in an IPv4 packet. The tunnel uses Gi1’s IPv4 address for the source, because we specified it under the tunnel configuration with tunnel source Gi1. The tunnel mode is 6to4, so R1 converts the A01:402 in the IPv6 destination address of 2002:A01:402::1 to 10.1.4.2, and uses this for the IPv4 tunnel destination.

  • Wireshark decodes the packet as IPv6 in IPv4 tunneling, displaying the IPv6 addressing in the main panel at the top even though the outer header is actually IPv4.

Notice that the tunnel does not use encryption. It simply encapsulates the IPv6 traffic in an IPv4 header and allows the IPv6 traffic to traverse an IPv4-only network.

In order to route the Lo0 addresses which have a 2001 prefix, we have to either use static routes or BGP. An IGP like OSPFv3 cannot work as it relies on the neighbor being reachable at the link-local layer. Manual 6in4 tunnel can work for OSPFv3 as it is point-to-point. All OSPFv3 messages in a 6in4 tunnel are directed out the tunnel to the specified destination. However with automatic 6to4 tunneling, it is sort of like an NBMA network. A packet destined for a multicast address cannot be mapped to an IPv4 address. 6to4 tunneling only works for 2002::/16 destination addresses. Think of 6to4 as having a dynamic destination which is obtained from the IPv6 destination address, instead of a manually specified destination address.

In our lab we’ll build BGP neighborships using the Lo1 addresses. These are already routable because they embed the IPv4 address of each router’s Gi1 interface inside the /48 prefix. R1 will be a route reflector to reduce the amount of neighborships.

#R1
router bgp 65000
 neighbor 2002:a01:202::1 remote-as 65000
 neighbor 2002:a01:202::1 update-source Lo1
 neighbor 2002:a01:302::1 remote-as 65000
 neighbor 2002:a01:302::1 update-source Lo1
 neighbor 2002:a01:402::1 remote-as 65000
 neighbor 2002:a01:402::1 update-source Lo1
  address-family ipv6
   neighbor 2002:a01:202::1 activate
   neighbor 2002:a01:302::1 activate
   neighbor 2002:a01:402::1 activate
   neighbor 2002:a01:202::1 route-reflector-client
   neighbor 2002:a01:302::1 route-reflector-client
   neighbor 2002:a01:402::1 route-reflector-client
   network 2001:db8:1::/64


#R2,3,4
router bgp 65000
 neighbor 2002:a01:102::1 remote-as 65000
 neighbor 2002:a01:102::1 update-source Lo1
 address-family ipv6
  neighbor 2002:a01:102::1 activate
  network 2001:db8:<router #>::/64

We now have reachability between Lo0 of each router:

R1#ping 2001:db8:2::1 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:2::1, timeout is 2 seconds:
Packet sent with a source address of 2001:DB8:1::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/6/26 ms

MTU considerations

There are an extra 20bytes added to each packet - a full IPv4 header. MSS and MTU should be adjusted 20 bytes lower. This means MTU should be 1480 and MSS should be clamped to 1420 (an IPv6 header is 40 bytes as opposed to a 20byte IPv4 header).

Accessing the IPv6 Internet

What if every site needs to access the global IPv6 internet? How can the routers continue tunneling the traffic over the IPv4-only network?

The answer is that the 6to4 specification solves this by using a relay router with a well-known IPv4 address of 192.88.99.1/24. This is an anycast address, so a 6to4 router will use the closest 6to4 relay to reach the IPv6 internet. Every 6to4 router sets a static route for ::/0 pointing to 2002:c058:6301::

We’ll add two routers to our lab, a 6to4 relay router, and a router representing the IPv6 internet:

#Core2
int Gi3
 ip address 10.10.24.2 255.255.255.0
 ip ospf network point-to-point
 no shut

#6to4-Relay
hostname 6to4-Relay
!
ipv6 unicast-routing
!
int Gi1
 ip address 10.10.24.4 255.255.255.0
 ip ospf network point-to-point
 no shut
!
int Gi2
 ipv6 add 2001:db8:100:200::1/64
 no shut
!
int lo0
 ip address 192.88.99.1 255.255.255.0
 ip ospf network point-to-point
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
!
int tun0
 ipv6 enable
 tunnel source Lo0
 tunnel mode ipv6ip 6to4
!
ipv6 route 2002::/16 tun0
!
router bgp 65001
 neighbor 2001:db8:100:200::2 remote-as 65002
 address-family ipv4
  no neighbor 2001:db8:100:200::2 activate
 address-family ipv6
  neighbor 2001:db8:100:200::2 activate
  network 2002::/16
 

#IPv6-Internet
hostname IPv6-Internet
!
ipv6 unicast-routing
!
int Gi1
 ipv6 add 2001:db8:100:200::2/64
 no shut
!
int lo0
 ipv6 add 2001:db8:100:100::1/64
!
router bgp 65002
 bgp router-id 2.2.2.2
 neighbor 2001:db8:100:200::1 remote-as 65001
 address-family ipv4
  no neighbor 2001:db8:100:200::1 activate
 address-family ipv6
  neighbor 2001:db8:100:200::1 activate
  network 2001:db8:100:100::/64

Routers R1 through R4 add a default ipv6 route towards the 6to4 Relay’s 6to4 IPv6 prefix, 2002:c058:6301::

#R1,2,3,4
ipv6 route ::/0 2002:c058:6301::

All routers can now reach the simulated IPv6 internet.

R2#ping 2001:db8:100:100::1 source lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:100:100::1, timeout is 2 seconds:
Packet sent with a source address of 2002:A01:202::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/4 ms

When R2 pings the IPv6-Internet router at 2001:db8:100:100::1, it encapsulates the packet in an IPv4 header with source = Gi1 and destination = 192.88.99.1. The 6to4 relay router decapsulates the traffic, removing the IPv4 header, and delivers the native IPv6 packet to IPv6-Internet. The IPv6-Internet router has a route back to 2002::/16 via 6to4-Relay, learned via BGP. The 6to4-Relay routes the ICMP Reply out tun0 due to the static 2002::/16 route, so it encapsulates the packet in an IPv4 header and delivers to 10.1.2.2 (obtained automatically from the IPv6 destination address).

On the real IPv6 internet, each 6to4-Relay router advertises a 2002::/16 route, so the ingress relay router that encapsulates the traffic destined for the IPv6 internet address may not be the router that does the encapsulation of the return traffic back to the 6to4 router. But the asymmetric routing doesn’t really matter, because this process is completely stateless.

Limitations of 6to4

  • The prefix 2002::/16 must be used.

  • The 6to4 relay should use the address 192.88.99.1. Because this is anycast, a service provider’s relay router may end up preforming relay services for customers of another service provider, which is not in its best interest.

  • The 6to4 relay introduces asymmetric routing. A service provider may have difficulting doing accounting on customer traffic due to this, and also may end up routing the traffic of customers of other service providers. A service provider also has no control over the return traffic for its 6to4 customers, and cannot gaurantee good quality of service.

Conclusion

6to4 is a stateless translation mechanism which allows IPv6 networks to communicate over and IPv4 network. The IPv6 packet is encapsulated in an IPv4 header. The prefix 2002::/16 must be used, and the following 32 bits after 2002 are the IPv4 destination address.

6to4 creates a point-to-multipoint tunnel, in which the destination is dynamically determined by extracting bits 13-48 from the IPv6 destination address and translating this into an IPv4 destination address.

6to4 uses an additional IPv4 header, adding 20 bytes of overhead.

In the next article, we will explore 6RD, which is an improvement over 6to4.

PreviousNAT64Next6RD (IPv6 Rapid Deployment)

Last updated