-rw-r--r--  README.dbk | 25
-rw-r--r--  README.txt | 22
2 files changed, 24 insertions, 23 deletions
@@ -22,8 +22,8 @@ checksum neutral, thus no checksum re-calculation for the packet is necessary. You can change the IPv6 source address of outgoing packets as well as the IPv6 destination address of incoming packets. This allows you to map an internal IPv6 address range to a second, externally used IPv6 address range. IPv6 address mapping is not very similar to IPv4 network address - translation, but one can describe it as some sort of stateless NAT. The implementation is based on the expired the IETF - discussion paper published here:</para> + translation, but one can describe it as some sort of stateless NAT. The implementation is based on the expired IETF discussion + paper published here:</para> <para><ulink url="http://tools.ietf.org/html/draft-mrw-behave-nat66-02">http://tools.ietf.org/html/draft-mrw-behave-nat66-02</ulink></para> @@ -38,8 +38,8 @@ <programlisting>sudo apt-get install build-essential linux-headers iptables-dev</programlisting> - <para>Unpack the source tgz archive to <filename>/usr/src</filename>, change to the archive's sub-directory and issue "make" - to build. If this compiles without errors, install the ip6tables extension with the following command:</para> + <para>Unpack the source tgz archive below <filename>/usr/src</filename>, change to the new sub-directory and issue "make" to + build. If this compiles without errors, install the ip6tables extension with the following command:</para> <programlisting>sudo make install</programlisting> 
@@ -78,7 +78,7 @@ sudo dkms install -m ip6t_MAP66 -v 0.3</programlisting> <title>Brief Version</title> <para>You always need to add two ip6tables-rules to your netfilter configuration. One rule matches outgoing packets and - changes their IPv6 source address. The second rule matches incoming packets and revert the address change by altering + changes their IPv6 source address. The second rule matches incoming packets and reverts the address change by altering their IPv6 destination address. To following commands correspond to the <quote>Address Mapping Example</quote> given in the IETF discussion paper:</para> @@ -89,8 +89,8 @@ ip6tables -t mangle -I PREROUTING -i eth0 -d 2001:0DB8:0001::/48 -j MAP66 --to you cannot use an arbitrary prefix length. Only /112, /96 .. /16 are supported.</para> <para>For each packet, the Linux kernel module also compares the packet's source address to all IPv6 addresses assigned to - the outgoing interface. It a match is found, the packet's source address is not mapped. The same comparison happens on the - incoming packet's destination address. The comparison require some CPU resources, especially if the interface has a large + the outgoing interface. If a match is found, the packet's source address is not mapped. The same comparison happens on the + incoming packet's destination address. The comparison requires some CPU resources, especially if the interface has a large number of assigned IPv6 addresses. If you are sure that the mapping cannot match the IPv6 address of the interface (e.g. the mapping rule defines a mapping prefix that cannot result in the interface address) you can switch off the comparison. Add the <userinput>--nocheck</userinput> parameter to the ip6tables command for this.</para> 
@@ -151,9 +151,9 @@ ip6tables -t mangle -A PREROUTING -i tun6to4 -d 2002:4d57:3007:1::/64 -j MAP66 ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu</programlisting> <para>Because for both IPv6 networks the external prefix length is smaller than the internal prefix length, we can make - sure that the mapped addresses cannot match the interfaces address. For example: 2001:4dd0:fe77:1::/64 cannot be converted - to 2001:4dd0:fe77:0::1/128 in this context. For this reason, we can use the <userinput>--nocheck</userinput> speedup - here.</para> + sure that the mapped addresses cannot match the interface addresses. For example: 2001:4dd0:fe77:1::/64 cannot be + converted to 2001:4dd0:fe77:0::1/128 in this context. For this reason, we can use the <userinput>--nocheck</userinput> + speedup here.</para> <para>You may stumble over the MSS-clamping rule. While IPv6 defines, that path MTU detection via ICMPv6 must be supported by any host, sometimes path MTU detection does not work. The SIXXS tunnel uses an MTU of 1280 byte. To get the following 
@@ -255,9 +255,10 @@ ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp- implemented on client PCs and Internet gateways/servers one day. But there is no need to implement the same tunneling technique on every mesh node. Why? Because the mesh nodes can use private IP addresses (or "ULA") to transport the tunnel data between the client PC and the gateway/server. Each tunneling technique typically needs a single instance (the "server") - which forms a single point of failure. Rule-of-thumb1: avoid a SPOF for the infrastructure. Rule-of-thumb2: KISS.</para> + which forms a single point of failure. Rule-of-thumb1: avoid a SPOF for the infrastructure. Rule-of-thumb2: KISS (keep it + simple stupid).</para> - <para>Using private IP addresses on the mesh nodes has a drawback: mesh node software updates e.g. via HTTP downloads from + <para>Using private IP addresses on the mesh nodes has a drawback: mesh node software updates e.g. a download via HTTP from an Internet server is not possible. This is where I start to think: <quote>hey, some kind of address mapping may be nice to have</quote>. While opening Pandora's NAT66 box, I discovered that IPv6 nerds do not like the acronym. It is always a good tactic in info wars to rename, hence the name "MAP66".</para> @@ -27,8 +27,8 @@ address of outgoing packets as well as the IPv6 destination address of incoming packets. This allows you to map an internal IPv6 address range to a second, externally used IPv6 address range. IPv6 address mapping is not very similar to IPv4 network address translation, but one can describe it as some sort of -stateless NAT. The implementation is based on the expired the IETF discussion -paper published here: +stateless NAT. The implementation is based on the expired IETF discussion paper +published here: http://tools.ietf.org/html/draft-mrw-behave-nat66-02 
@@ -43,9 +43,9 @@ On a Debian/(EKU)buntu, the following command prepares the build environment: sudo apt-get install build-essential linux-headers iptables-dev -Unpack the source tgz archive to /usr/src, change to the archive's -sub-directory and issue "make" to build. If this compiles without errors, -install the ip6tables extension with the following command: +Unpack the source tgz archive below /usr/src, change to the new sub-directory +and issue "make" to build. If this compiles without errors, install the +ip6tables extension with the following command: sudo make install @@ -82,7 +82,7 @@ Brief Version You always need to add two ip6tables-rules to your netfilter configuration. One rule matches outgoing packets and changes their IPv6 source address. The second -rule matches incoming packets and revert the address change by altering their +rule matches incoming packets and reverts the address change by altering their IPv6 destination address. To following commands correspond to the “Address Mapping Example” given in the IETF discussion paper: @@ -94,9 +94,9 @@ This example is also printed to the screen if you issue ip6tables -j MAP66 /16 are supported. For each packet, the Linux kernel module also compares the packet's source -address to all IPv6 addresses assigned to the outgoing interface. It a match is +address to all IPv6 addresses assigned to the outgoing interface. If a match is found, the packet's source address is not mapped. The same comparison happens -on the incoming packet's destination address. The comparison require some CPU +on the incoming packet's destination address. The comparison requires some CPU resources, especially if the interface has a large number of assigned IPv6 addresses. If you are sure that the mapping cannot match the IPv6 address of the interface (e.g. the mapping rule defines a mapping prefix that cannot 
@@ -160,7 +160,7 @@ ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp- Because for both IPv6 networks the external prefix length is smaller than the internal prefix length, we can make sure that the mapped addresses cannot match -the interfaces address. For example: 2001:4dd0:fe77:1::/64 cannot be converted +the interface addresses. For example: 2001:4dd0:fe77:1::/64 cannot be converted to 2001:4dd0:fe77:0::1/128 in this context. For this reason, we can use the --nocheck speedup here. @@ -254,10 +254,10 @@ on every mesh node. Why? Because the mesh nodes can use private IP addresses (or "ULA") to transport the tunnel data between the client PC and the gateway/ server. Each tunneling technique typically needs a single instance (the "server") which forms a single point of failure. Rule-of-thumb1: avoid a SPOF -for the infrastructure. Rule-of-thumb2: KISS. +for the infrastructure. Rule-of-thumb2: KISS (keep it simple stupid). Using private IP addresses on the mesh nodes has a drawback: mesh node software -updates e.g. via HTTP downloads from an Internet server is not possible. This +updates e.g. a download via HTTP from an Internet server is not possible. This is where I start to think: “hey, some kind of address mapping may be nice to have”. While opening Pandora's NAT66 box, I discovered that IPv6 nerds do not like the acronym. It is always a good tactic in info wars to rename, hence the |
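Review bot: the "Brief Version" hunks (@@ -78 in README.dbk, @@ -82 in README.txt) leave one grammar slip untouched in their trailing context: "To following commands correspond to the Address Mapping Example" should read "The following commands correspond to ...". Since this commit is a wording pass over exactly that paragraph, it is worth fixing in both files in the same change.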
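Review bot: the rewritten sentence in the @@ -255 (README.dbk) and @@ -254 (README.txt) hunks still has a subject/verb mismatch: "mesh node software updates e.g. a download via HTTP from an Internet server is not possible". Either make the example parenthetical and the verb plural ("software updates, e.g. a download via HTTP from an Internet server, are not possible") or lead with the singular example ("a mesh node software update, e.g. a download via HTTP from an Internet server, is not possible").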
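Review bot: the --nocheck paragraph (@@ -89 in README.dbk, @@ -94 in README.txt) documents the speedup but not the consequence of getting the precondition wrong. The surrounding context already states the safeguard being disabled ("If a match is found, the packet's source address is not mapped"), so add one sentence saying that with --nocheck a mapping rule that does cover one of the interface's own addresses will rewrite the node's own traffic, and that the flag should therefore only be set after checking the rule's prefix against the addresses assigned to that interface.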
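Review bot: in the @@ -151 (README.dbk) and @@ -160 (README.txt) hunks the justification "the external prefix length is smaller than the internal prefix length, we can make sure that the mapped addresses cannot match the interface addresses" would be clearer if it named the two prefix lengths from the example rules above it, so the reader can verify the claim before copying --nocheck into their own setup. The trailing context "While IPv6 defines, that path MTU detection via ICMPv6 must be supported" also has a stray comma after "defines"; drop it while this paragraph is being edited.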
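Review bot: the build hunks (@@ -38 in README.dbk, @@ -43 in README.txt) keep the context line "sudo apt-get install build-essential linux-headers iptables-dev". On Debian and Ubuntu the kernel headers come from a version- or flavour-specific metapackage (for example linux-headers-$(uname -r) or linux-headers-generic), not a package named plainly "linux-headers"; consider spelling that out so the documented command works as pasted.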
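Review bot: every change in this commit is applied twice, once to README.dbk and once to README.txt, because the two files carry the same prose in two markups; the @@ -22 and @@ -27 hunks are a good illustration. Consider generating README.txt from README.dbk in the build (or noting in the README which file is authoritative) so future wording fixes cannot drift between the two copies.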