| field | value | date |
|---|---|---|
| author | Matthias Schiffer <mschiffer@universe-factory.net> | 2011-11-10 23:57:01 +0100 |
| committer | Matthias Schiffer <mschiffer@universe-factory.net> | 2011-11-10 23:57:01 +0100 |
| commit | 922a4577b10b489782917bc743c9c721dce92181 (patch) | |
| tree | e24b2bba065c6131da71c34ed650baaa45839373 | |
| parent | 0d03a6f3467d93f1ae7b04e3fed6fc11a1a9f9e4 (diff) | |
| download | NPTv6-922a4577b10b489782917bc743c9c721dce92181.tar, NPTv6-922a4577b10b489782917bc743c9c721dce92181.zip | |
Update documentation
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | README.dbk | 38 |
| -rw-r--r-- | README.html | 32 |

2 files changed, 36 insertions, 34 deletions
@@ -114,13 +114,31 @@ sudo dkms install -m ip6t_NPTV6 -v &VERSION;</programlisting> commands correspond to the <quote>Address Mapping Example</quote> given in the IETF discussion paper:</para> - <programlisting>ip6tables -t mangle -I POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48 -ip6tables -t mangle -I PREROUTING -i eth0 -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48</programlisting> + <programlisting>ip6tables -t mangle -A PREROUTING -i eth0 -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48 +ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48</programlisting> <para>This example is also printed to the screen if you issue <userinput>ip6tables -j SNPTV6 --help</userinput>. By design, you cannot use prefix lengths longer than 64.</para> </section> + + <section id="config-nat-behaviour"> + <title id="config-nat-behaviour-title">NAT Behavioral Requirements</title> + + <para>RFC 6296 states that NPTv6 translators must support hairpinning behaviour. + This means that when an NPTv6 Translator receives a datagram on the + internal interface that has a destination address that matches the + site's external prefix, it will translate the datagram and forward it + internally. While it is possible that the translator works correctly + without this depending on the network configuration, it is desiarable + to have hairpinning behaviour. 
The following iptables rules will enable + this:</para> + + <programlisting>ip6tables -t mangle -A PREROUTING -d 2001:0DB8:0001::/48 -j MARK --set-mark 42 +ip6tables -t mangle -A PREROUTING -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48 +ip6tables -t mangle -A POSTROUTING -m mark --mark 42 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48 +ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48</programlisting> + </section> </section> <section id="precedence"> @@ -205,22 +223,6 @@ ip6tables -t mangle -I PREROUTING -i eth0 -d 2001:0DB8:0001::/48 -j DNPTV6 --to be routed on the Internet. Sadly, the (EKU)buntu defaults penalize 6to4 addresses also.</para> </note> - - <para>If you already deployed ULA addresses in your network, you may be - interested in a solution that runs on my Freifunk router. The router - uses the IPv6 prefix that is reserved for documentation purposes on it's - LAN interface. Within the OLSR-based mesh network, any interface uses an - fdca:ffee:babe::/64 prefix. The following internal mapping is configured - for this:</para> - - <programlisting>ip6tables -t mangle -I PREROUTING -i br0 -s 2001:0DB8::/64 -j MAP66 --src-to fdca:ffee:babe::/64 --csum -ip6tables -t mangle -I POSTROUTING -o br0 -d fdca:ffee:babe::/64 -j MAP66 --dst-to 2001:0DB8::/64 --csum</programlisting> - - <para>To prevent the mapped packets to vanish via the default route and - to overcome mac address lookups during the routing process, I also added - these prefixes to the router's <filename>/etc/radvd.conf</filename> as - well as (host) routes pointing to the <quote>br0</quote> interface for - both prefixes.</para> </section> </section> diff --git a/README.html b/README.html index 2d2e8a2..a46d22f 100644 --- a/README.html +++ b/README.html 
@@ -1,6 +1,6 @@ <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux</title><meta name="generator" content="DocBook XSL Stylesheets V1.76.1" /></head><body><div class="article" title="NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux"><div class="titlepage"><div><div><h2 class="title"><a id="id315566"></a>NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Sven-Ola</span> <span class="surname">Tuecke</span></h3><div class="affiliation"><span class="orgname">Freifunk<br /></span></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Matthias</span> <span class="surname">Schiffer</span></h3><div class="affiliation"><span class="orgname">Freifunk Lübeck<br /></span></div></div></div><div><p class="pubdate">10-NOV-2011</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl><dt><span class="section"><a href="#install">Installation</a></span></dt><dt><span class="section"><a href="#dkms">DKMS Integration</a></span></dt><dt><span class="section"><a href="#config">Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#config-brief">Brief Version</a></span></dt></dl></dd><dt><span class="section"><a href="#precedence">IPv6/IPv4 Precedence</a></span></dt><dd><dl><dt><span class="section"><a href="#precedence-gai">Change gai.conf</a></span></dt><dt><span class="section"><a href="#precedence-addrs">Use Changed Internal Address</a></span></dt></dl></dd><dt><span class="section"><a href="#motivation">Motivation</a></span></dt></dl></div><p>These files implement a Linux netfilter target that changes the IPv6 +<html 
xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux</title><meta name="generator" content="DocBook XSL Stylesheets V1.76.1" /></head><body><div class="article" title="NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux"><div class="titlepage"><div><div><h2 class="title"><a id="id363330"></a>NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Sven-Ola</span> <span class="surname">Tuecke</span></h3><div class="affiliation"><span class="orgname">Freifunk<br /></span></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Matthias</span> <span class="surname">Schiffer</span></h3><div class="affiliation"><span class="orgname">Freifunk Lübeck<br /></span></div></div></div><div><p class="pubdate">10-NOV-2011</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl><dt><span class="section"><a href="#install">Installation</a></span></dt><dt><span class="section"><a href="#dkms">DKMS Integration</a></span></dt><dt><span class="section"><a href="#config">Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#config-brief">Brief Version</a></span></dt><dt><span class="section"><a href="#config-nat-behaviour">NAT Behavioral Requirements</a></span></dt></dl></dd><dt><span class="section"><a href="#precedence">IPv6/IPv4 Precedence</a></span></dt><dd><dl><dt><span class="section"><a href="#precedence-gai">Change gai.conf</a></span></dt><dt><span class="section"><a href="#precedence-addrs">Use Changed Internal Address</a></span></dt></dl></dd><dt><span class="section"><a href="#motivation">Motivation</a></span></dt></dl></div><p>These files implement a Linux netfilter target that changes the IPv6 address of packets. 
The address change is done checksum neutral, thus no checksum re-calculation for the packet is necessary. You can change the IPv6 source address of outgoing packets as well as the IPv6 destination address 
@@ -39,10 +39,20 @@ sudo dkms install -m ip6t_NPTV6 -v 0.6</pre><p>Read DKMS details here: <a class= source address. The second rule matches incoming packets and reverts the address change by altering their IPv6 destination address. To following commands correspond to the <span class="quote">“<span class="quote">Address Mapping Example</span>”</span> given - in the IETF discussion paper:</p><pre class="programlisting">ip6tables -t mangle -I POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48 -ip6tables -t mangle -I PREROUTING -i eth0 -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48</pre><p>This example is also printed to the screen if you issue + in the IETF discussion paper:</p><pre class="programlisting">ip6tables -t mangle -A PREROUTING -i eth0 -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48 +ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48</pre><p>This example is also printed to the screen if you issue <strong class="userinput"><code>ip6tables -j SNPTV6 --help</code></strong>. By design, you cannot - use prefix lengths longer than 64.</p></div></div><div class="section" title="IPv6/IPv4 Precedence"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="precedence"></a>IPv6/IPv4 Precedence</h2></div></div></div><p>With (EKU)buntu and eventually with RedHat, you will notice that + use prefix lengths longer than 64.</p></div><div class="section" title="NAT Behavioral Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="config-nat-behaviour"></a>NAT Behavioral Requirements</h3></div></div></div><p>RFC 6296 states that NPTv6 translators must support hairpinning behaviour. + This means that when an NPTv6 Translator receives a datagram on the + internal interface that has a destination address that matches the + site's external prefix, it will translate the datagram and forward it + internally. 
While it is possible that the translator works correctly + without this depending on the network configuration, it is desiarable + to have hairpinning behaviour. The following iptables rules will enable + this:</p><pre class="programlisting">ip6tables -t mangle -A PREROUTING -d 2001:0DB8:0001::/48 -j MARK --set-mark 42 +ip6tables -t mangle -A PREROUTING -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48 +ip6tables -t mangle -A POSTROUTING -m mark --mark 42 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48 +ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48</pre></div></div><div class="section" title="IPv6/IPv4 Precedence"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="precedence"></a>IPv6/IPv4 Precedence</h2></div></div></div><p>With (EKU)buntu and eventually with RedHat, you will notice that your browser does not show the IPv6 version of a web site that is multi-homed when using ULA addresses for your IPv6 Internet connection. The reason for this is an add on to the RFC 3484 rules that is compiled 
@@ -60,7 +70,7 @@ ip6tables -t mangle -I PREROUTING -i eth0 -d 2001:0DB8:0001::/48 -j DNPTV6 --to you cannot uncomment a single entry to overwrite the default. You need to uncomment all entries of a particular type for this. The <span class="quote">“<span class="quote">label</span>”</span> lines compare source addresses, the - <span class="quote">“<span class="quote">precedence</span>”</span> lines compare destination addresses.</p><div class="procedure" title="Procedure 1. Change IPv6 Precedence"><a id="id314638"></a><p class="title"><strong>Procedure 1. Change IPv6 Precedence</strong></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>Open the <code class="filename">/etc/gai.conf</code> file as root user, + <span class="quote">“<span class="quote">precedence</span>”</span> lines compare destination addresses.</p><div class="procedure" title="Procedure 1. Change IPv6 Precedence"><a id="id398835"></a><p class="title"><strong>Procedure 1. Change IPv6 Precedence</strong></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>Open the <code class="filename">/etc/gai.conf</code> file as root user, e.g. by executing <strong class="userinput"><code>sudo nano /etc/gai.conf</code></strong>.</p></li><li class="step" title="Step 2"><p>Remove the leading hash character from the 8 lines starting with <span class="quote">“<span class="quote">#label</span>”</span>.</p></li><li class="step" title="Step 3"><p>Re-add the hash character to the line stating <span class="quote">“<span class="quote">#label 
@@ -75,17 +85,7 @@ ip6tables -t mangle -I PREROUTING -i eth0 -d 2001:0DB8:0001::/48 -j DNPTV6 --to and 192.168.0.0/16 still exist, it is unlikely that their 6to4 counterparts 2002:0a00::/24, 2002:ac10::/28, and 2002:c0a8::/32 will be routed on the Internet. Sadly, the (EKU)buntu defaults penalize - 6to4 addresses also.</p></div><p>If you already deployed ULA addresses in your network, you may be - interested in a solution that runs on my Freifunk router. The router - uses the IPv6 prefix that is reserved for documentation purposes on it's - LAN interface. Within the OLSR-based mesh network, any interface uses an - fdca:ffee:babe::/64 prefix. The following internal mapping is configured - for this:</p><pre class="programlisting">ip6tables -t mangle -I PREROUTING -i br0 -s 2001:0DB8::/64 -j MAP66 --src-to fdca:ffee:babe::/64 --csum -ip6tables -t mangle -I POSTROUTING -o br0 -d fdca:ffee:babe::/64 -j MAP66 --dst-to 2001:0DB8::/64 --csum</pre><p>To prevent the mapped packets to vanish via the default route and - to overcome mac address lookups during the routing process, I also added - these prefixes to the router's <code class="filename">/etc/radvd.conf</code> as - well as (host) routes pointing to the <span class="quote">“<span class="quote">br0</span>”</span> interface for - both prefixes.</p></div></div><div class="section" title="Motivation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="motivation"></a>Motivation</h2></div></div></div><p>My Internet access at home is realized by a wireless community mesh + 6to4 addresses also.</p></div></div></div><div class="section" title="Motivation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="motivation"></a>Motivation</h2></div></div></div><p>My Internet access at home is realized by a wireless community mesh network not owned by me. The mesh is operated with small embedded devices (nodes aka. 
WLAN routers) that are interconnected via radio links (WLAN IBSS / AdHoc). Routing is done with a specialized protocol such as Batman |
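Review bot: in the README.dbk hunk at @@ -114,13 +114,31 @@, the new hairpinning rule `ip6tables -t mangle -A PREROUTING -d 2001:0DB8:0001::/48 -j MARK --set-mark 42` has no `-i` match, so it also fires for packets arriving on eth0 and `--set-mark` overwrites whatever mark another rule (policy routing, QoS) may already have placed on the packet. Either restrict the MARK rule to the internal side (for example with `! -i eth0`) or use `--set-xmark` with a mask, and say in the text that 42 is an arbitrary value the administrator must keep distinct from marks used elsewhere on the box. The added paragraph also misspells "desiarable" (should be "desirable"), and the unchanged context sentence "To following commands correspond to" should read "The following commands correspond to".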
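Review bot: the README.dbk hunk at @@ -205,22 +223,6 @@ removes the only paragraph in the visible diff that mentions the MAP66 target with its `--src-to`/`--dst-to`/`--csum` options, together with the operational advice about listing the mapped prefixes in /etc/radvd.conf and adding host routes on br0 so translated packets do not vanish via the default route. That routing advice is not specific to MAP66; if it still holds for SNPTV6/DNPTV6 it belongs in the configuration section rather than being dropped, and if the example is removed because the target was renamed, the commit message should say so.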
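Review bot: in the README.html hunk at @@ -1,6 +1,6 @@, apart from the new table-of-contents entry for `#config-nat-behaviour`, the only change is the DocBook XSL auto-generated anchor `id315566` becoming `id363330`. These ids change on every regeneration and will keep producing noise in future diffs; give the article an explicit id in README.dbk (the sections already carry stable ids such as `config-nat-behaviour`), or keep README.html out of the repository and generate it at release time.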
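Review bot: the "desiarable" typo and the unconditional `MARK --set-mark 42` rule from README.dbk are reproduced in the README.html hunk at @@ -39,10 +39,20 @@, as is the context sentence "To following commands correspond to"; fix these in the DocBook source and regenerate README.html rather than touching the generated file, otherwise the two copies will drift apart.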
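Review bot: the README.html hunk at @@ -60,7 +70,7 @@ changes nothing but the generated anchor on the "Change IPv6 Precedence" procedure (`id314638` to `id398835`); like the article title anchor in the first README.html hunk, this is regeneration churn that an explicit id on the procedure element in README.dbk would avoid.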
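Review bot: the README.html hunk at @@ -75,17 +85,7 @@ mirrors the README.dbk removal and the tag balance stays correct (the three `</div>` after `6to4 addresses also.</p>` still close the note, the precedence-addrs section and the precedence section), but the one-line commit message "Update documentation" gives no hint that the ULA/MAP66 example and its radvd/host-route advice were dropped; a sentence in the message naming that removal would help anyone bisecting later documentation questions.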