From 922a4577b10b489782917bc743c9c721dce92181 Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Thu, 10 Nov 2011 23:57:01 +0100 Subject: Update documentation --- README.dbk | 38 ++++++++++++++++++++------------------ README.html | 32 ++++++++++++++++---------------- 2 files changed, 36 insertions(+), 34 deletions(-) diff --git a/README.dbk b/README.dbk index a96bb0d..dadf179 100644 --- a/README.dbk +++ b/README.dbk @@ -114,13 +114,31 @@ sudo dkms install -m ip6t_NPTV6 -v &VERSION; commands correspond to the Address Mapping Example given in the IETF discussion paper: - ip6tables -t mangle -I POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48 -ip6tables -t mangle -I PREROUTING -i eth0 -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48 + ip6tables -t mangle -A PREROUTING -i eth0 -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48 +ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48 This example is also printed to the screen if you issue ip6tables -j SNPTV6 --help. By design, you cannot use prefix lengths longer than 64. + +
+ NAT Behavioral Requirements + + RFC 6296 states that NPTv6 translators must support hairpinning behaviour. + This means that when an NPTv6 Translator receives a datagram on the + internal interface that has a destination address that matches the + site's external prefix, it will translate the datagram and forward it + internally. While it is possible that the translator works correctly + without this depending on the network configuration, it is desiarable + to have hairpinning behaviour. The following iptables rules will enable + this: + + ip6tables -t mangle -A PREROUTING -d 2001:0DB8:0001::/48 -j MARK --set-mark 42 +ip6tables -t mangle -A PREROUTING -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48 +ip6tables -t mangle -A POSTROUTING -m mark --mark 42 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48 +ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48 +
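Review bot: the new "NAT Behavioral Requirements" paragraph misspells "desirable" as "desiarable", and it should state whether the four hairpinning rules replace the two-rule example above or are meant to be added on top of it. As written, the second and fourth rules repeat the earlier DNPTV6 and `-o eth0` SNPTV6 rules (the DNPTV6 one now without `-i eth0`), so a reader who appends both sets ends up with duplicate translation rules in the mangle table. It is also worth a sentence that `--set-mark 42` is an arbitrary value that must not collide with marks used by policy routing or other rules on the host, and that the switch from `-I` to `-A` means the rules are appended after whatever is already in PREROUTING/POSTROUTING, so their position relative to any existing MARK rules matters.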
@@ -205,22 +223,6 @@ ip6tables -t mangle -I PREROUTING -i eth0 -d 2001:0DB8:0001::/48 -j DNPTV6 --to be routed on the Internet. Sadly, the (EKU)buntu defaults penalize 6to4 addresses also. - - If you already deployed ULA addresses in your network, you may be - interested in a solution that runs on my Freifunk router. The router - uses the IPv6 prefix that is reserved for documentation purposes on it's - LAN interface. Within the OLSR-based mesh network, any interface uses an - fdca:ffee:babe::/64 prefix. The following internal mapping is configured - for this: - - ip6tables -t mangle -I PREROUTING -i br0 -s 2001:0DB8::/64 -j MAP66 --src-to fdca:ffee:babe::/64 --csum -ip6tables -t mangle -I POSTROUTING -o br0 -d fdca:ffee:babe::/64 -j MAP66 --dst-to 2001:0DB8::/64 --csum - - To prevent the mapped packets to vanish via the default route and - to overcome mac address lookups during the routing process, I also added - these prefixes to the router's /etc/radvd.conf as - well as (host) routes pointing to the br0 interface for - both prefixes.
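Review bot: the commit message "Update documentation" does not record why the MAP66 example and the accompanying radvd/host-route advice were dropped. If the section is obsolete because it uses a target and options (`MAP66`, `--src-to`, `--dst-to`, `--csum`) that no longer match the `SNPTV6`/`DNPTV6` targets documented above, say so in the message; if the routing advice (adding the prefixes to `/etc/radvd.conf` and host routes on the LAN interface so mapped packets do not leave via the default route) still applies to the NPTv6 targets, it should be carried over rather than removed silently.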
diff --git a/README.html b/README.html index 2d2e8a2..a46d22f 100644 --- a/README.html +++ b/README.html @@ -1,6 +1,6 @@ -NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux

NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux

Sven-Ola Tuecke

Freifunk

Matthias Schiffer

Freifunk Lübeck

10-NOV-2011


These files implement a Linux netfilter target that changes the IPv6 +NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux

NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux

Sven-Ola Tuecke

Freifunk

Matthias Schiffer

Freifunk Lübeck

10-NOV-2011


These files implement a Linux netfilter target that changes the IPv6 address of packets. The address change is done checksum neutral, thus no checksum re-calculation for the packet is necessary. You can change the IPv6 source address of outgoing packets as well as the IPv6 destination address @@ -39,10 +39,20 @@ sudo dkms install -m ip6t_NPTV6 -v 0.6

Read DKMS details here: Address Mapping Example” given - in the IETF discussion paper:

ip6tables -t mangle -I POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48
-ip6tables -t mangle -I PREROUTING  -i eth0 -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48

This example is also printed to the screen if you issue + in the IETF discussion paper:

ip6tables -t mangle -A PREROUTING  -i eth0 -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48
+ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48

This example is also printed to the screen if you issue ip6tables -j SNPTV6 --help. By design, you cannot - use prefix lengths longer than 64.

IPv6/IPv4 Precedence

With (EKU)buntu and eventually with RedHat, you will notice that + use prefix lengths longer than 64.

NAT Behavioral Requirements

RFC 6296 states that NPTv6 translators must support hairpinning behaviour. + This means that when an NPTv6 Translator receives a datagram on the + internal interface that has a destination address that matches the + site's external prefix, it will translate the datagram and forward it + internally. While it is possible that the translator works correctly + without this depending on the network configuration, it is desiarable + to have hairpinning behaviour. The following iptables rules will enable + this:

ip6tables -t mangle -A PREROUTING -d 2001:0DB8:0001::/48 -j MARK --set-mark 42
+ip6tables -t mangle -A PREROUTING -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48
+ip6tables -t mangle -A POSTROUTING -m mark --mark 42 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48
+ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48

IPv6/IPv4 Precedence

With (EKU)buntu and eventually with RedHat, you will notice that your browser does not show the IPv6 version of a web site that is multi-homed when using ULA addresses for your IPv6 Internet connection. The reason for this is an add on to the RFC 3484 rules that is compiled @@ -60,7 +70,7 @@ ip6tables -t mangle -I PREROUTING -i eth0 -d 2001:0DB8:0001::/48 -j DNPTV6 --to you cannot uncomment a single entry to overwrite the default. You need to uncomment all entries of a particular type for this. The label lines compare source addresses, the - precedence lines compare destination addresses.

Procedure 1. Change IPv6 Precedence

  1. Open the /etc/gai.conf file as root user, + precedence lines compare destination addresses.

    Procedure 1. Change IPv6 Precedence

    1. Open the /etc/gai.conf file as root user, e.g. by executing sudo nano /etc/gai.conf.

    2. Remove the leading hash character from the 8 lines starting with #label.

    3. Re-add the hash character to the line stating #label @@ -75,17 +85,7 @@ ip6tables -t mangle -I PREROUTING -i eth0 -d 2001:0DB8:0001::/48 -j DNPTV6 --to and 192.168.0.0/16 still exist, it is unlikely that their 6to4 counterparts 2002:0a00::/24, 2002:ac10::/28, and 2002:c0a8::/32 will be routed on the Internet. Sadly, the (EKU)buntu defaults penalize - 6to4 addresses also.

    If you already deployed ULA addresses in your network, you may be - interested in a solution that runs on my Freifunk router. The router - uses the IPv6 prefix that is reserved for documentation purposes on it's - LAN interface. Within the OLSR-based mesh network, any interface uses an - fdca:ffee:babe::/64 prefix. The following internal mapping is configured - for this:

    ip6tables -t mangle -I PREROUTING -i br0 -s 2001:0DB8::/64 -j MAP66 --src-to fdca:ffee:babe::/64 --csum
    -ip6tables -t mangle -I POSTROUTING -o br0 -d fdca:ffee:babe::/64 -j MAP66 --dst-to 2001:0DB8::/64 --csum

    To prevent the mapped packets to vanish via the default route and - to overcome mac address lookups during the routing process, I also added - these prefixes to the router's /etc/radvd.conf as - well as (host) routes pointing to the br0 interface for - both prefixes.

Motivation

My Internet access at home is realized by a wireless community mesh + 6to4 addresses also.

Motivation

My Internet access at home is realized by a wireless community mesh network not owned by me. The mesh is operated with small embedded devices (nodes aka. WLAN routers) that are interconnected via radio links (WLAN IBSS / AdHoc). Routing is done with a specialized protocol such as Batman -- cgit v1.2.3
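Review bot: README.html repeats every change made to README.dbk line for line, including the "desiarable" typo in the new NAT Behavioral Requirements paragraph, so each fix has to be made twice. If README.html is rendered from README.dbk, consider generating it at build or release time instead of committing it, or at least correct the typo in both files in this commit. The `@@ -1,6 +1,6 @@` hunk shows identical title, author and date text on both sides, so whatever changed there is not visible in the diff and deserves a mention in the commit message.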