IPv6 via Tunnel Broker

One of the things I can’t currently do with the two ISPs I connect with is native IPv6 (with a static prefix). In the meantime, I’ve sourced IPv6 tunnels as close to my physical location as possible. Currently I have this set up in New Zealand, on a Christchurch VDSL connection with a tunnel broker to Wellington. In this post I will demonstrate the configuration required to get this up and running nice and quickly on your network. This will be based on Junos OS. Because I’m working with SRX here, we need to check the status of IPv6 and enable this if it isn’t already

perrin@srx-nz# run show security flow status 
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
    Advanced services data-plane memory mode: Default
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based

It is disabled, so we need to enable it and then reboot the router.

perrin@srx-nz# set security forwarding-options family inet6 mode flow-based 

perrin@srx-nz# commit check 
warning: You have enabled/disabled inet6 flow.
You must reboot the system for your change to take effect.
If you have deployed a cluster, be sure to reboot all nodes.
configuration check succeeds

 

The first thing you’ll need to do is sign up with a tunnel broker. I won’t name names; these are easily found with a quick Google search. Basically, a tunnel broker provides a means to connect to the IPv6 network, which as of today (24/1/14) has about 16482 prefixes. This is achieved by routing the IPv6 traffic via an IPv4 tunnel until it reaches a destination that can route natively with IPv6. This is what I have done via an IPIP tunnel with my tunnel broker, as follows:

set interfaces ip-0/0/0 unit 2 description "inet6.0 - TUNNEL_SERVICE - Tunnel to xxxx xxxx"
set interfaces ip-0/0/0 unit 2 tunnel source 202.124.x.x
set interfaces ip-0/0/0 unit 2 tunnel destination 202.21.x.x
set interfaces ip-0/0/0 unit 2 family inet
set interfaces ip-0/0/0 unit 2 family inet6 mtu 1480
set interfaces ip-0/0/0 unit 2 family inet6 address 2001:4428:x:x::2/64

Cool, so if you’re familiar with IPIP tunnels, you’ll know they encapsulate IP traffic in a new IP header with a new source and destination. They are reasonably simple and carry less overhead than a GRE tunnel, which is good for my DSL connections. The tunnel broker assigned me a /64 for the tunnel and then another /64 to assign to my LAN. As you can see above, the source and destination fields take your local external IPv4 address and the tunnel broker’s IPv4 address.

set interfaces vlan unit 5 family inet6 address 2001:4428:200:x::x/64

Vlan 5 is the SVI I use on my LAN, which is where I need to assign the IPv6 addresses. To do this, I use the router advertisement protocol.

set protocols router-advertisement interface vlan.5 prefix 2001:4428:200:8x::/64

This assigns global IPv6 addresses to all the compatible devices.

perrin@server:~$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:12:79:bd:d6:8b  
          inet addr:192.168.1.50  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: 2001:4428:200:812e:x:x:x:x/64 Scope:Global
**output omitted**

Naturally, to route traffic out of the local network we need a default route pointing to the v6 address of the other end of the IPIP tunnel:

set routing-options rib inet6.0 static route ::/0 next-hop 2001:4428:200:x::1

That’s pretty much it to be honest. Simple IPv6 routing. Be sure to find a destination as close as possible to you to eliminate any potential unnecessary latency.

To verify, I would test both on the router and the host that has been assigned the addresses dynamically.

perrin@srx-nz> ping 2001:4428:200:x::1 source 2001:4428:200:x::2  
PING6(56=40+8+8 bytes) 2001:4428:200:x::2 --> 2001:4428:200:x::1
16 bytes from 2001:4428:200:x::1, icmp_seq=0 hlim=64 time=46.450 ms
16 bytes from 2001:4428:200:x::1, icmp_seq=1 hlim=64 time=43.979 ms
16 bytes from 2001:4428:200:x::1, icmp_seq=2 hlim=64 time=45.496 ms
16 bytes from 2001:4428:200:x::1, icmp_seq=3 hlim=64 time=46.494 ms
^C
--- 2001:4428:200:x::1 ping6 statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 43.979/45.605/46.494/1.020 ms

Just a note here: Chorus NZ is running a very harsh DLM profile on my VDSL, resulting in a 35ms last mile latency…

And from the host:

perrin@server:~$ ping6 google.com
PING google.com(2404:6800:4006:806::1000) 56 data bytes
64 bytes from 2404:6800:4006:806::1000: icmp_seq=1 ttl=52 time=78.2 ms
64 bytes from 2404:6800:4006:806::1000: icmp_seq=2 ttl=52 time=78.2 ms
64 bytes from 2404:6800:4006:806::1000: icmp_seq=3 ttl=52 time=78.9 ms
64 bytes from 2404:6800:4006:806::1000: icmp_seq=4 ttl=52 time=81.9 ms
^C
--- google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 78.234/79.351/81.942/1.549 ms
perrin@server:~$ ping6 snap.net.nz
PING snap.net.nz(cookiemonster.snap.net.nz) 56 data bytes
64 bytes from cookiemonster.snap.net.nz: icmp_seq=1 ttl=59 time=47.7 ms
64 bytes from cookiemonster.snap.net.nz: icmp_seq=2 ttl=59 time=47.1 ms
64 bytes from cookiemonster.snap.net.nz: icmp_seq=3 ttl=59 time=47.8 ms
64 bytes from cookiemonster.snap.net.nz: icmp_seq=4 ttl=59 time=47.9 ms
64 bytes from cookiemonster.snap.net.nz: icmp_seq=5 ttl=59 time=49.4 ms
^C
--- snap.net.nz ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 47.150/48.014/49.429/0.771 ms

That’s it. Enjoy, but remember: you’ve now opened up your router to the IPv6 internet, so you should make sure you secure your RE in the same way you would with IPv4 traffic for things like SSH, SNMP and any protocols you may run on the internet.
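One way to do that on Junos for the services named above, as an added example that is not part of the original post: a stateless inet6 filter applied to lo0. The filter name, the term names and the management prefix 2001:db8:10::/64 are assumptions.

```junos
# Added example, not from the original post. PROTECT-RE-V6, the term names and
# the management prefix 2001:db8:10::/64 are placeholders.

# Neighbor discovery, ping and the ICMPv6 errors the RE needs. packet-too-big
# matters here because the tunnel runs with an inet6 MTU of 1480.
set firewall family inet6 filter PROTECT-RE-V6 term icmp6-needed from next-header icmp6
set firewall family inet6 filter PROTECT-RE-V6 term icmp6-needed from icmp-type neighbor-solicit
set firewall family inet6 filter PROTECT-RE-V6 term icmp6-needed from icmp-type neighbor-advertisement
set firewall family inet6 filter PROTECT-RE-V6 term icmp6-needed from icmp-type router-solicit
set firewall family inet6 filter PROTECT-RE-V6 term icmp6-needed from icmp-type packet-too-big
set firewall family inet6 filter PROTECT-RE-V6 term icmp6-needed from icmp-type time-exceeded
set firewall family inet6 filter PROTECT-RE-V6 term icmp6-needed from icmp-type destination-unreachable
set firewall family inet6 filter PROTECT-RE-V6 term icmp6-needed from icmp-type parameter-problem
set firewall family inet6 filter PROTECT-RE-V6 term icmp6-needed from icmp-type echo-request
set firewall family inet6 filter PROTECT-RE-V6 term icmp6-needed from icmp-type echo-reply
set firewall family inet6 filter PROTECT-RE-V6 term icmp6-needed then accept

# SSH to the RE only from the management prefix.
set firewall family inet6 filter PROTECT-RE-V6 term ssh-mgmt from source-address 2001:db8:10::/64
set firewall family inet6 filter PROTECT-RE-V6 term ssh-mgmt from next-header tcp
set firewall family inet6 filter PROTECT-RE-V6 term ssh-mgmt from destination-port ssh
set firewall family inet6 filter PROTECT-RE-V6 term ssh-mgmt then accept

# SNMP polling only from the same prefix.
set firewall family inet6 filter PROTECT-RE-V6 term snmp-mgmt from source-address 2001:db8:10::/64
set firewall family inet6 filter PROTECT-RE-V6 term snmp-mgmt from next-header udp
set firewall family inet6 filter PROTECT-RE-V6 term snmp-mgmt from destination-port snmp
set firewall family inet6 filter PROTECT-RE-V6 term snmp-mgmt then accept

# Everything else addressed to the RE over IPv6 is counted and dropped.
set firewall family inet6 filter PROTECT-RE-V6 term default-deny then count re-v6-denied
set firewall family inet6 filter PROTECT-RE-V6 term default-deny then discard

# A filter on lo0 sees traffic destined for the RE, whichever interface it
# arrived on; transit traffic through the tunnel is not affected.
set interfaces lo0 unit 0 family inet6 filter input PROTECT-RE-V6
```

Commit it with `commit confirmed` so the change rolls back by itself if the SSH term locks you out. The filter is stateless, so replies to sessions the router itself opens over IPv6 need their own accept terms ahead of the final one.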
