
Opened 6 years ago

Last modified 4 years ago

#10330 new enhancement

add (optional) policy for source routing of 6to4

Reported by: stlman@…
Owned by: developers
Priority: normal
Milestone: Barrier Breaker 14.07
Component: packages
Version: Trunk
Keywords:
Cc:

Description

Some (most? at least sixxs) IPv6 tunnel providers block packets originating from 2002::/16 and entering their networks via tunnels. However, I prefer to keep 6to4 on my router and advertise the prefix in my network to provide better communication with other 6to4 nodes.

There is a chance (e.g. BT, which AFAIK doesn't implement a reasonable address detection algorithm) that a native IPv6 node tries to connect to my 6to4 address. Such a connection must be routed via the 192.88.99.1 gateway, or otherwise packets originating from my machines would be dropped on the other end of my sixxs tunnel. To provide this, the following commands are required:

ip -6 route add default via ::192.88.99.1 table 10 # or any other
ip -6 rule add from 2002::/16 table 10 # the same as above

I'd recommend putting these somewhere in the 6to4 setup scripts.

Attachments (0)

Change History (3)

comment:1 Changed 6 years ago by stlman@…

Probably adding an entry in /etc/iproute2/rt_tables like

10    6to4

is a good idea too.

As for the above ip route and ip rule: the first needs to be re-added every time the 6to4 interface goes up; the latter stays on all the time.
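A small check for the policy described in the ticket description and in comment:1, added here as an example that is not part of the ticket: it derives the router's 6to4 /48 from its public IPv4 address and parses constructed `ip -6 rule show` / `ip -6 route show table 6to4` output to report whether the rule, the relay route, or both are missing (the route is the half that disappears when the 6to4 interface is recreated). The function names and the sample output are assumptions.

```python
import ipaddress
import re

SIXTO4_PREFIX = ipaddress.ip_network("2002::/16")
RELAY_ANYCAST = ipaddress.ip_address("::192.88.99.1")  # 6to4 relay anycast, same as ::c058:6301

# Constructed sample output of `ip -6 rule show` and `ip -6 route show table 6to4`
# on a router set up as the ticket describes (table 10 named "6to4" in rt_tables).
SAMPLE_RULES = (
    "0:\tfrom all lookup local\n"
    "32765:\tfrom 2002::/16 lookup 6to4\n"
    "32766:\tfrom all lookup main\n"
)
SAMPLE_TABLE = "default via ::192.88.99.1 dev 6to4-wan metric 1024 pref medium\n"

def sixto4_prefix_for(ipv4):
    """Derive the 2002:WWXX:YYZZ::/48 prefix that a public IPv4 address maps to."""
    a = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.ip_network(f"2002:{a >> 16:04x}:{a & 0xffff:04x}::/48")

def rule_present(rule_output, tables=("6to4", "10")):
    """True if some rule sends traffic sourced from 2002::/16 to one of `tables`."""
    for line in rule_output.splitlines():
        m = re.search(r"from (\S+) lookup (\S+)", line)
        if not m or m.group(2) not in tables:
            continue
        try:
            if ipaddress.ip_network(m.group(1), strict=False) == SIXTO4_PREFIX:
                return True
        except ValueError:  # "all" and other non-prefix selectors
            pass
    return False

def relay_route_present(route_output):
    """True if the dumped table has a default route via the 6to4 relay anycast address."""
    for line in route_output.splitlines():
        m = re.match(r"default via (\S+)", line)
        if m and ipaddress.ip_address(m.group(1)) == RELAY_ANYCAST:
            return True
    return False

def check_policy(rule_output, route_output, tables=("6to4", "10")):
    """Return the missing halves of the policy: [] when both rule and route are in place."""
    missing = []
    if not rule_present(rule_output, tables):
        missing.append("rule")
    if not relay_route_present(route_output):
        missing.append("route")
    return missing
```

Running the check from a 6to4 hotplug or ifup hook and re-adding whatever is reported missing keeps the policy in place across interface restarts.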

comment:2 Changed 6 years ago by jeroen@…

> Some (most? at least sixxs) IPv6 tunnel providers block packets originating from 2002::/16 and entering their networks via tunnels.

That statement is not entirely correct.

ISPs in general reject packets from being transmitted over their network when not assigned to that user.

Indeed, as such, it is not possible to send 6to4 packets, which originate from 2002::/16, over a SixXS tunnel, but neither can you send any other packet which is not sourced from an assigned address.

And this should be the case for every single ISP on this planet. Unfortunately not all of them employ this and thus one can spoof packets.

Note that 6to4 itself can be sent over IPv4 as then the source address is the IPv4 address which you received from your ISP and you are sending those packets over that ISP.

See also RFC3704 or the easier-on-the-eye article at Wikipedia:
http://en.wikipedia.org/wiki/Reverse_path_forwarding#Unicast_RPF_.28uRPF.29

And indeed the 'proper' solution is to use the iproute rt_tables function to do source based routing.

(Generally an upstream ISP will handle 6to4 already, thus doing it yourself just makes your setup more complex with likely little gain)

comment:3 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted
