Diffstat (limited to 'README.dbk')
-rw-r--r--  README.dbk  168
1 files changed, 33 insertions, 135 deletions
diff --git a/README.dbk b/README.dbk
index f07753f..a96bb0d 100644
--- a/README.dbk
+++ b/README.dbk
@@ -1,13 +1,11 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
-<!ENTITY OPTDSTTO "--dst-to">
-<!ENTITY OPTSRCTO "--src-to">
-<!ENTITY VERSION "0.5">
+<!ENTITY VERSION "0.6">
]>
<article>
<articleinfo>
- <title>MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux</title>
+ <title>NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux</title>
<author>
<firstname>Sven-Ola</firstname>
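Review bot: Dropping the OPTSRCTO and OPTDSTTO entity declarations from the DOCTYPE is only safe because the last hunk of this patch removes every `&OPTSRCTO;`/`&OPTDSTTO;` reference in the body; please confirm no other DocBook fragment that is built against this file still uses them, since an undefined entity makes the whole article fail to parse. The VERSION bump to 0.6 should match whatever version string the DKMS configuration and the kernel module report, as the `sudo dkms add -m ip6t_NPTV6 -v &VERSION;` line later in the patch expands this entity.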
@@ -18,8 +16,17 @@
<orgname>Freifunk</orgname>
</affiliation>
</author>
+ <author>
+ <firstname>Matthias</firstname>
+
+ <surname>Schiffer</surname>
- <pubdate>16-OCT-2010</pubdate>
+ <affiliation>
+ <orgname>Freifunk Lübeck</orgname>
+ </affiliation>
+ </author>
+
+ <pubdate>10-NOV-2011</pubdate>
</articleinfo>
<para>These files implement a Linux netfilter target that changes the IPv6
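Review bot: The new `<author>` block has a stray empty `+` line between `<firstname>Matthias</firstname>` and `<surname>Schiffer</surname>`; the first author block above does not use one, so drop it for consistency. The `<pubdate>` line is moved below the second author, which keeps the `<articleinfo>` element well-formed, but the interleaving of the `-` pubdate line inside the added block makes the hunk harder to read than a pure add would; rebasing so the pubdate change is a clean one-line replace is optional.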
@@ -33,10 +40,10 @@
discussion paper published here:</para>
<para><ulink
- url="http://tools.ietf.org/html/draft-mrw-behave-nat66-02">http://tools.ietf.org/html/draft-mrw-behave-nat66-02</ulink></para>
+ url="https://tools.ietf.org/html/rfc6296">https://tools.ietf.org/html/rfc6296</ulink></para>
<warning>
- <para>Using MAP66 rules together with connection tracking rules such as
+ <para>Using NPTv6 rules together with connection tracking rules such as
<userinput>--ctstate</userinput> is currently untested and may not work or
may cause dysfunctions.</para>
</warning>
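Review bot: The link now points at https://tools.ietf.org/html/rfc6296, but the unchanged context line above still introduces it as the "discussion paper published here:"; RFC 6296 is a published standards-track document, so the sentence should say so (e.g. "described in RFC 6296:"). The `<warning>` about combining the target with `--ctstate` is carried over unchanged; if the conntrack interaction was retested for the NPTv6 rewrite, update the "currently untested" wording, otherwise it is still accurate and should stay.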
@@ -44,26 +51,26 @@
<section id="install">
<title id="install-title">Installation</title>
- <para>MAP66 implements two pieces of software: a shared library that
+ <para>NPTv6 implements two pieces of software: a shared library that
extends the ip6tables command and a Linux kernel module. The shared
- library file adds the '-j MAP66' target to the ip6tables command. To build
- and install, you need ip6tables installed as well as the necessary
- headers. The Linux kernel module requires the Linux source file tree and
- kernel configuration files to compile. On a Debian/(EKU)buntu, the
- following command prepares the build environment:</para>
+ library file adds the '-j SNPTV6' target (for source address translation)
+ and the '-j DNPTV6' target (for destination address translation) to the
+ ip6tables command. To build and install, you need ip6tables installed as
+ well as the necessary headers. The Linux kernel module requires the Linux
+ source file tree and kernel configuration files to compile. On a Debian/(EKU)buntu,
+ the following command prepares the build environment:</para>
<programlisting>sudo apt-get install build-essential linux-headers iptables-dev</programlisting>
<para>Unpack the source tgz archive below <filename>/usr/src</filename>,
change to the new sub-directory and issue "make" to build. If this
- compiles without errors, install the ip6tables extension with the
- following command:</para>
-
- <programlisting>sudo make install</programlisting>
+ compiles without errors, install the ip6tabless extension by copying
+ libip6t_SNPTV6.so and libip6t_DNPTV6.so to the iptables module directory,
+ which is probably located under <filename>/lib/xtables</filename> or
+ <filename>/usr/lib/iptables</filename>.</para>
<note>
- <para>The kernel module (<filename>ip6t_MAP66.ko</filename> for
- Linux-2.6 or <filename>ip6t_MAP66.o</filename> for Linux-2.4) is not
+ <para>The kernel module (<filename>ip6t_MAP66.ko</filename> is not
automatically installed nor loaded into the kernel. You can copy the
kernel module file manually, e.g. with <userinput>sudo cp ip6t_MAP66.ko
/lib/modules/$(uname -r)/</userinput>.</para>
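Review bot: Typo in the added text: "ip6tabless extension" should read "ip6tables extension". The edited `<note>` paragraph is now unbalanced: `(<filename>ip6t_MAP66.ko</filename> is not` lost the closing parenthesis that used to end the "for Linux-2.4)" clause, so it should become `(<filename>ip6t_MAP66.ko</filename>) is not`. More substantively, the kernel module filename in this note and in the `sudo cp ip6t_MAP66.ko` command remains MAP66 while the next hunk registers the DKMS module as `ip6t_NPTV6`; either the file was renamed too and this note is stale, or the DKMS name and the .ko name differ and that should be stated explicitly. Replacing `sudo make install` with "copy libip6t_SNPTV6.so and libip6t_DNPTV6.so to ... probably located under /lib/xtables or /usr/lib/iptables" makes the install step guesswork; keep an install target in the Makefile or document how to query the actual xtables library directory on the build host rather than listing two probable paths.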
@@ -86,9 +93,9 @@
below <filename>/usr/src/</filename>. To register the MAP66 source to DKMS
and compile/install, issue these commands:</para>
- <programlisting>sudo dkms add -m ip6t_MAP66 -v &VERSION;
-sudo dkms build -m ip6t_MAP66 -v &VERSION;
-sudo dkms install -m ip6t_MAP66 -v &VERSION;</programlisting>
+ <programlisting>sudo dkms add -m ip6t_NPTV6 -v &VERSION;
+sudo dkms build -m ip6t_NPTV6 -v &VERSION;
+sudo dkms install -m ip6t_NPTV6 -v &VERSION;</programlisting>
<para>Read DKMS details here: <ulink
url="Read DKMS details here: https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging">https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging</ulink></para>
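Review bot: The DKMS module name is updated to `ip6t_NPTV6` in the three commands, but the unchanged context line just above still says "register the MAP66 source to DKMS"; update it to match. While touching this section, fix the `<ulink>` whose `url` attribute is `"Read DKMS details here: https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging"`: the leading sentence fragment was pasted into the attribute, so the rendered link is broken; the attribute should contain only the URL.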
@@ -107,121 +114,12 @@ sudo dkms install -m ip6t_MAP66 -v &VERSION;</programlisting>
commands correspond to the <quote>Address Mapping Example</quote> given
in the IETF discussion paper:</para>
- <programlisting>ip6tables -t mangle -I POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j MAP66 &OPTSRCTO; 2001:0DB8:0001::/48
-ip6tables -t mangle -I PREROUTING -i eth0 -d 2001:0DB8:0001::/48 -j MAP66 &OPTDSTTO; FD01:0203:0405::/48</programlisting>
+ <programlisting>ip6tables -t mangle -I POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48
+ip6tables -t mangle -I PREROUTING -i eth0 -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48</programlisting>
<para>This example is also printed to the screen if you issue
- <userinput>ip6tables -j MAP66 --help</userinput>. By design, you cannot
- use an arbitrary prefix length. Only /112, /96 .. /16 are
- supported.</para>
-
- <para>For each packet, the Linux kernel module also compares the
- packet's source address to all IPv6 addresses assigned to the outgoing
- interface. If a match is found, the packet's source address is not
- mapped. The same comparison happens on the incoming packet's destination
- address. The comparison requires some CPU resources, especially if the
- interface has a large number of assigned IPv6 addresses. If you are sure
- that the mapping cannot match the IPv6 address of the interface (e.g.
- the mapping rule defines a mapping prefix that cannot result in the
- interface address) you can switch off the comparison. Add the
- <userinput>--nocheck</userinput> parameter to the ip6tables command for
- this.</para>
- </section>
-
- <section id="config-detailed">
- <title id="config-detailed-title">Detailed Version</title>
-
- <para>The following explanation details a living example from the
- wireless mesh network that is mentioned under <xref
- endterm="motivation-title" linkend="motivation" /> (see below).
- Throughout the mesh network, a private IP address range is used. The ULA
- prefix is fdca:ffee:babe::/64. All mesh nodes derive their IPv6
- interface addresses by correlating the ULA prefix with the EUI48
- (<quote>MAC address</quote>) of the respective network adapter.</para>
-
- <para>There is a Debian based virtual machine that should act as one
- IPv6 Internet gateway for the mesh. You can reach the virtual machine's
- web service via IPv4 under <ulink
- url="http://bbb-vpn.freifunk.net">http://bbb-vpn.freifunk.net</ulink>.
- To experiment with IPv6, a <ulink
- url="http://www.sixxs.net/">SIXXS</ulink> static tunnel setup has been
- added and there is also an experimental 6-to-4 configuration. The
- following <filename>/etc/network/interfaces</filename> file provides the
- configuration for IPv6:</para>
-
- <programlisting>auto sixxs
-iface sixxs inet6 v4tunnel
- address 2001:4dd0:ff00:2ee::2
- netmask 64
- local 77.87.48.7
- endpoint 78.35.24.124
- ttl 64
- up ip link set mtu 1280 dev $IFACE
- up ip route add default via 2001:4dd0:ff00:2ee::1 dev $IFACE
- up ip addr add 2001:4dd0:fe77::1/48 dev $IFACE
-
-#auto tun6to4
-iface tun6to4 inet6 v4tunnel
- # ipv6calc --quiet --action conv6to4 77.87.48.7
- address 2002:4d57:3007::1
- netmask 16
- local 77.87.48.7
- endpoint any
- ttl 64
- gateway ::192.88.99.1</programlisting>
-
- <para>As you can see, the virtual machine has an IPv6 prefix of
- 2001:4dd0:fe77::/48 and is reachable via <ulink
- url="http://[2001:4dd0:fe77::1]/">http://[2001:4dd0:fe77::1]/</ulink>.
- For experimental purposes, the 6-to-4 tunnel can be activated by issuing
- <userinput>ifup tun6to4</userinput>. The netfilter setup of this machine
- includes the following command sequence to realize mapping from the
- private fdca:ffee:babe::/64 prefix to the globally valid IPv6
- addresses:</para>
-
- <programlisting>ip6tables -t mangle -F POSTROUTING
-ip6tables -t mangle -F PREROUTING
-ip6tables -t mangle -F FORWARD
-
-grep -q ^ip6t_MAP66 /proc/modules &amp;&amp; rmmod ip6t_MAP66
-insmod /usr/src/map66/ip6t_MAP66.ko
-
-ip6tables -t mangle -A POSTROUTING -o sixxs -s fdca:ffee:babe::/64 -j MAP66 &OPTSRCTO; 2001:4dd0:fe77:1::/64 --nocheck
-ip6tables -t mangle -A PREROUTING -i sixxs -d 2001:4dd0:fe77:1::/64 -j MAP66 &OPTDSTTO; fdca:ffee:babe::/64 --nocheck
-ip6tables -t mangle -A POSTROUTING -o tun6to4 -s fdca:ffee:babe::/64 -j MAP66 &OPTSRCTO; 2002:4d57:3007:1::/64 --nocheck
-ip6tables -t mangle -A PREROUTING -i tun6to4 -d 2002:4d57:3007:1::/64 -j MAP66 &OPTDSTTO; fdca:ffee:babe::/64 --nocheck
-ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu</programlisting>
-
- <para>Because for both IPv6 networks the external prefix length is
- smaller than the internal prefix length, we can make sure that the
- mapped addresses cannot match the interface addresses. For example:
- 2001:4dd0:fe77:1::/64 cannot be converted to 2001:4dd0:fe77:0::1/128 in
- this context. For this reason, we can use the
- <userinput>--nocheck</userinput> speedup here.</para>
-
- <para>You may stumble over the MSS-clamping rule. While IPv6 defines,
- that path MTU detection via ICMPv6 must be supported by any host,
- sometimes path MTU detection does not work. The SIXXS tunnel uses an MTU
- of 1280 byte. To get the following command working on my PC, I needed to
- add the above MSS-clamping rule on the gateway:</para>
-
- <programlisting>wget --prefer-family=IPv6 -O - http://6to4.nro.net/</programlisting>
-
- <note>
- <para>The tun6to4 tunnel interface is disabled normally, because of
- the implicit 2002::/16 network route configured for that interface.
- This network route ensures, that traffic between one 2002::/16 to
- another 2002::/16 travels directly between the IPv4 hosts. Without
- this network route, any IPv6 traffic will be routed via the 6-to-4
- gateways which may not work and place a higher load on those 6-to-4
- gateways.</para>
-
- <para>However, if you ping the SIXXS IP address from another host that
- has a 6-to-4 address, you will get the answer packet back via the
- 6-to-4 interface. If the above address mapping is configured, you ping
- one IPv6 address and get the answer from another IPv6
- address...</para>
- </note>
+ <userinput>ip6tables -j SNPTV6 --help</userinput>. By design, you cannot
+ use prefix lengths longer than 64.</para>
</section>
</section>
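Review bot: The unchanged context line above still says the example corresponds to the "Address Mapping Example" in the "IETF discussion paper", but an earlier hunk changed the reference to RFC 6296; update the wording here too, and verify that the quoted example name and the FD01:0203:0405::/48 to 2001:0DB8:0001::/48 mapping actually match the RFC rather than the withdrawn draft. The new sentence "you cannot use prefix lengths longer than 64" replaces the old "/112, /96 .. /16" restriction; since both SNPTV6 and DNPTV6 are documented, say whether the limit applies to both `--to-source` and `--to-destination`, and note that `ip6tables -j SNPTV6 --help` will not print the DNPTV6 rule of the example. The deleted `--nocheck` paragraph described a runtime behaviour (comparing the packet's source/destination against the interface's own addresses) and its performance cost; if the module no longer performs that comparison, say so in the text, otherwise this documentation should not be removed. Likewise the deleted "Detailed Version" section carried the MSS-clamping advice (`-j TCPMSS --clamp-mss-to-pmtu` for 1280-byte tunnels) and the reasoning about choosing an external prefix that cannot collide with the gateway's own interface address; neither depends on the MAP66 name, so consider keeping them in a shortened form rather than dropping them with the site-specific tunnel configuration.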