From d8af510243d823c202537892b1eb02a1c4ebf33f Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Sat, 12 Nov 2011 08:03:50 +0100 Subject: Another doc update --- README.dbk | 111 ++++++++++-------------------------------------------------- README.html | 78 ++++++++++++------------------------------ 2 files changed, 39 insertions(+), 150 deletions(-) diff --git a/README.dbk b/README.dbk index dadf179..37cd8d4 100644 --- a/README.dbk +++ b/README.dbk @@ -36,8 +36,8 @@ of incoming packets. This allows you to map an internal IPv6 address range to a second, externally used IPv6 address range. IPv6 address mapping is not very similar to IPv4 network address translation, but one can describe it as - some sort of stateless NAT. The implementation is based on the expired IETF - discussion paper published here: + some sort of stateless NAT. The implementation is based on RFC 6296 published + here: https://tools.ietf.org/html/rfc6296 @@ -57,6 +57,7 @@ and the '-j DNPTV6' target (for destination address translation) to the ip6tables command. To build and install, you need ip6tables installed as well as the necessary headers. The Linux kernel module requires the Linux + source file tree and kernel configuration files to compile. On a Debian/(EKU)buntu, the following command prepares the build environment: @@ -70,10 +71,10 @@ /usr/lib/iptables. - The kernel module (ip6t_MAP66.ko is not - automatically installed nor loaded into the kernel. You can copy the - kernel module file manually, e.g. with sudo cp ip6t_MAP66.ko - /lib/modules/$(uname -r)/. + The kernel modules (ip6t_SNPTV6.ko and + ip6t_DNPTV6.ko) is not automatically installed nor loaded + into the kernel. You can copy the kernel module file manually, e.g. with + sudo cp ip6t_SNPTV6.ko ip6t_DNPTV6.ko /lib/modules/$(uname -r)/. @@ -81,16 +82,16 @@ DKMS Integration If the next system update needs to install a new kernel version, you - also need to re-compile/re-install the MAP66 kernel module. With + also need to re-compile/re-install the NPTv6 kernel modules. With Debian/(EKU)buntu, this can be automated with the Dynamic Kernel Module Support Framework (DKMS). For this, the dkms.conf - file is included with the MAP66 source file package. Install DKMS with the + file is included with the NPTv6 source file package. Install DKMS with the following command: sudo apt-get install dkms - If not already in place, move/unpack the MAP66 source file archive - below /usr/src/. To register the MAP66 source to DKMS + If not already in place, move/unpack the NPTv6 source file archive + below /usr/src/. To register the NPTv6 source to DKMS and compile/install, issue these commands: sudo dkms add -m ip6t_NPTV6 -v &VERSION; @@ -111,8 +112,8 @@ sudo dkms install -m ip6t_NPTV6 -v &VERSION; configuration. One rule matches outgoing packets and changes their IPv6 source address. The second rule matches incoming packets and reverts the address change by altering their IPv6 destination address. To following - commands correspond to the Address Mapping Example given - in the IETF discussion paper: + commands correspond to the /48 Prefix Mapping Example given + in RFC6296: ip6tables -t mangle -A PREROUTING -i eth0 -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48 ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48 @@ -129,10 +130,10 @@ ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to This means that when an NPTv6 Translator receives a datagram on the internal interface that has a destination address that matches the site's external prefix, it will translate the datagram and forward it - internally. While it is possible that the translator works correctly - without this depending on the network configuration, it is desiarable - to have hairpinning behaviour. The following iptables rules will enable - this: + internally. While it is possible that the network works correctly + without this depending on the configuration of the external router, it + is desirable to have hairpinning behaviour. The following iptables rules + will enable this: ip6tables -t mangle -A PREROUTING -d 2001:0DB8:0001::/48 -j MARK --set-mark 42 ip6tables -t mangle -A PREROUTING -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48 @@ -157,9 +158,7 @@ ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to protocol for a new Internet connection if this add on to the RFC 3484 rules is compiled in. For this reason, you may want to change the precedence rules within /etc/gai.conf (see ) or use another - prefix (see ). + endterm="precedence-gai-title" linkend="precedence-gai" />).
Change gai.conf @@ -206,79 +205,5 @@ ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to source addresses and ULA type private IPv6 source addresses. Anything else is unchanged.
- -
- Use Changed Internal Address - - As an alternative solution, you may use an arbitrary address - prefix in your LAN that is not mentioned in the - gai.conf file nor compiled in. This will work but - introduces a double mapping: one map (Inet-ULA) on the Internet gateway - router and a second map (ULA-Intern) on the internal router. - - - While the well known IPv4 addresses 10.0.0.0/8, 172.16.0.0/12, - and 192.168.0.0/16 still exist, it is unlikely that their 6to4 - counterparts 2002:0a00::/24, 2002:ac10::/28, and 2002:c0a8::/32 will - be routed on the Internet. Sadly, the (EKU)buntu defaults penalize - 6to4 addresses also. - -
- - -
- Motivation - - My Internet access at home is realized by a wireless community mesh - network not owned by me. The mesh is operated with small embedded devices - (nodes aka. WLAN routers) that are interconnected via radio links (WLAN - IBSS / AdHoc). Routing is done with a specialized protocol such as Batman - or OLSR. The routing protocol selects the nearest out of a dozen Internet - gateways and configures a default route or an IPIP tunnel accordingly. - Each Internet gateway is connected to a different ISP and provides the - service with the help of IPv4 network address translation (NAT). Using NAT - has the following effects: - - - - Address amplification - something not necessary with IPv6 any - more - - - - Anonymization - nice to have as an option but not mission - critical - - - - ISP independence - no reverse routing, no - "buy-a-number-range" - - - - The last point is mission critical. - One can obtain a provider independent IPv6 address range, but you need the - cooperation of an ISP to use that address range for Internet connectivity. - If you e.g. move to another ISP you need your address range to be - re-routed to your new location. - - ISP independence is also possible with some tunneling technique, - such as VPN or mobile IP. Tunneling can be implemented on client PCs and - Internet gateways/servers one day. But there is no need to implement the - same tunneling technique on every mesh node. Why? Because the mesh nodes - can use private IP addresses (or "ULA") to transport the tunnel data - between the client PC and the gateway/server. Each tunneling technique - typically needs a single instance (the "server") which forms a single - point of failure. Rule-of-thumb1: avoid a SPOF for the infrastructure. - Rule-of-thumb2: KISS (keep it simple stupid). - - Using private IP addresses on the mesh nodes has a drawback: mesh - node software updates e.g. a download via HTTP from an Internet server is - not possible. This is where I start to think: hey, some kind of - address mapping may be nice to have. While opening Pandora's NAT66 - box, I discovered that IPv6 nerds do not like the acronym. It is always a - good tactic in info wars to rename, hence the name "MAP66". - - // Sven-Ola
diff --git a/README.html b/README.html index a46d22f..7a0674c 100644 --- a/README.html +++ b/README.html @@ -1,14 +1,14 @@ -NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux

NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux

Sven-Ola Tuecke

Freifunk

Matthias Schiffer

Freifunk Lübeck

10-NOV-2011


These files implement a Linux netfilter target that changes the IPv6 +NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux

NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux

Sven-Ola Tuecke

Freifunk

Matthias Schiffer

Freifunk Lübeck

10-NOV-2011


These files implement a Linux netfilter target that changes the IPv6 address of packets. The address change is done checksum neutral, thus no checksum re-calculation for the packet is necessary. You can change the IPv6 source address of outgoing packets as well as the IPv6 destination address of incoming packets. This allows you to map an internal IPv6 address range to a second, externally used IPv6 address range. IPv6 address mapping is not very similar to IPv4 network address translation, but one can describe it as - some sort of stateless NAT. The implementation is based on the expired IETF - discussion paper published here:

https://tools.ietf.org/html/rfc6296

Warning

Using NPTv6 rules together with connection tracking rules such as + some sort of stateless NAT. The implementation is based on RFC 6296 published + here:

https://tools.ietf.org/html/rfc6296

Warning

Using NPTv6 rules together with connection tracking rules such as --ctstate is currently untested and may not work or may cause dysfunctions.

Installation

NPTv6 implements two pieces of software: a shared library that extends the ip6tables command and a Linux kernel module. The shared @@ -16,40 +16,41 @@ and the '-j DNPTV6' target (for destination address translation) to the ip6tables command. To build and install, you need ip6tables installed as well as the necessary headers. The Linux kernel module requires the Linux + source file tree and kernel configuration files to compile. On a Debian/(EKU)buntu, the following command prepares the build environment:

sudo apt-get install build-essential linux-headers iptables-dev

Unpack the source tgz archive below /usr/src, change to the new sub-directory and issue "make" to build. If this compiles without errors, install the ip6tabless extension by copying libip6t_SNPTV6.so and libip6t_DNPTV6.so to the iptables module directory, which is probably located under /lib/xtables or - /usr/lib/iptables.

Note

The kernel module (ip6t_MAP66.ko is not - automatically installed nor loaded into the kernel. You can copy the - kernel module file manually, e.g. with sudo cp ip6t_MAP66.ko - /lib/modules/$(uname -r)/.

DKMS Integration

If the next system update needs to install a new kernel version, you - also need to re-compile/re-install the MAP66 kernel module. With + /usr/lib/iptables.

Note

The kernel modules (ip6t_SNPTV6.ko and + ip6t_DNPTV6.ko) is not automatically installed nor loaded + into the kernel. You can copy the kernel module file manually, e.g. with + sudo cp ip6t_SNPTV6.ko ip6t_DNPTV6.ko /lib/modules/$(uname -r)/.

DKMS Integration

If the next system update needs to install a new kernel version, you + also need to re-compile/re-install the NPTv6 kernel modules. With Debian/(EKU)buntu, this can be automated with the Dynamic Kernel Module Support Framework (DKMS). For this, the dkms.conf - file is included with the MAP66 source file package. Install DKMS with the - following command:

sudo apt-get install dkms

If not already in place, move/unpack the MAP66 source file archive - below /usr/src/. To register the MAP66 source to DKMS + file is included with the NPTv6 source file package. Install DKMS with the + following command:

sudo apt-get install dkms

If not already in place, move/unpack the NPTv6 source file archive + below /usr/src/. To register the NPTv6 source to DKMS and compile/install, issue these commands:

sudo dkms add -m ip6t_NPTV6 -v 0.6
 sudo dkms build -m ip6t_NPTV6 -v 0.6
 sudo dkms install -m ip6t_NPTV6 -v 0.6

Read DKMS details here: https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging

Configuration

Brief Version

You always need to add two ip6tables-rules to your netfilter configuration. One rule matches outgoing packets and changes their IPv6 source address. The second rule matches incoming packets and reverts the address change by altering their IPv6 destination address. To following - commands correspond to the Address Mapping Example given - in the IETF discussion paper:

ip6tables -t mangle -A PREROUTING  -i eth0 -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48
+      commands correspond to the /48 Prefix Mapping Example given
+      in RFC6296:

ip6tables -t mangle -A PREROUTING  -i eth0 -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48
 ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48

This example is also printed to the screen if you issue ip6tables -j SNPTV6 --help. By design, you cannot use prefix lengths longer than 64.

NAT Behavioral Requirements

RFC 6296 states that NPTv6 translators must support hairpinning behaviour. This means that when an NPTv6 Translator receives a datagram on the internal interface that has a destination address that matches the site's external prefix, it will translate the datagram and forward it - internally. While it is possible that the translator works correctly - without this depending on the network configuration, it is desiarable - to have hairpinning behaviour. The following iptables rules will enable - this:

ip6tables -t mangle -A PREROUTING -d 2001:0DB8:0001::/48 -j MARK --set-mark 42
+      internally. While it is possible that the network works correctly
+      without this depending on the configuration of the external router, it
+      is desirable to have hairpinning behaviour. The following iptables rules
+      will enable this:

ip6tables -t mangle -A PREROUTING -d 2001:0DB8:0001::/48 -j MARK --set-mark 42
 ip6tables -t mangle -A PREROUTING -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48
 ip6tables -t mangle -A POSTROUTING -m mark --mark 42 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48
 ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48

IPv6/IPv4 Precedence

With (EKU)buntu and eventually with RedHat, you will notice that @@ -62,55 +63,18 @@ ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to address higher than the ULA IPv6 address when choosing the transport protocol for a new Internet connection if this add on to the RFC 3484 rules is compiled in. For this reason, you may want to change the - precedence rules within /etc/gai.conf (see Change gai.conf) or use another - prefix (see Use Changed Internal Address).

Change gai.conf

The getaddrinfo() library function manages lists of label, + precedence rules within /etc/gai.conf (see Change gai.conf).

Change gai.conf

The getaddrinfo() library function manages lists of label, precedence, and scope4 type entries. If the /etc/gai.conf file does not provide a single entry for a particular type, the compiled-in list is used. For this reason, you cannot uncomment a single entry to overwrite the default. You need to uncomment all entries of a particular type for this. The label lines compare source addresses, the - precedence lines compare destination addresses.

Procedure 1. Change IPv6 Precedence

  1. Open the /etc/gai.conf file as root user, + precedence lines compare destination addresses.

    Procedure 1. Change IPv6 Precedence

    1. Open the /etc/gai.conf file as root user, e.g. by executing sudo nano /etc/gai.conf.

    2. Remove the leading hash character from the 8 lines starting with #label.

    3. Re-add the hash character to the line stating #label fc00::/7 6.

    4. Save the file.

    5. Restart your browser and re-try to browse to a multi-homed web site.

    The above procedure removes the difference between standard IPv6 source addresses and ULA type private IPv6 source addresses. Anything - else is unchanged.

Use Changed Internal Address

As an alternative solution, you may use an arbitrary address - prefix in your LAN that is not mentioned in the - gai.conf file nor compiled in. This will work but - introduces a double mapping: one map (Inet-ULA) on the Internet gateway - router and a second map (ULA-Intern) on the internal router.

Note

While the well known IPv4 addresses 10.0.0.0/8, 172.16.0.0/12, - and 192.168.0.0/16 still exist, it is unlikely that their 6to4 - counterparts 2002:0a00::/24, 2002:ac10::/28, and 2002:c0a8::/32 will - be routed on the Internet. Sadly, the (EKU)buntu defaults penalize - 6to4 addresses also.

Motivation

My Internet access at home is realized by a wireless community mesh - network not owned by me. The mesh is operated with small embedded devices - (nodes aka. WLAN routers) that are interconnected via radio links (WLAN - IBSS / AdHoc). Routing is done with a specialized protocol such as Batman - or OLSR. The routing protocol selects the nearest out of a dozen Internet - gateways and configures a default route or an IPIP tunnel accordingly. - Each Internet gateway is connected to a different ISP and provides the - service with the help of IPv4 network address translation (NAT). Using NAT - has the following effects:

  • Address amplification - something not necessary with IPv6 any - more

  • Anonymization - nice to have as an option but not mission - critical

  • ISP independence - no reverse routing, no - "buy-a-number-range"

The last point is mission critical. - One can obtain a provider independent IPv6 address range, but you need the - cooperation of an ISP to use that address range for Internet connectivity. - If you e.g. move to another ISP you need your address range to be - re-routed to your new location.

ISP independence is also possible with some tunneling technique, - such as VPN or mobile IP. Tunneling can be implemented on client PCs and - Internet gateways/servers one day. But there is no need to implement the - same tunneling technique on every mesh node. Why? Because the mesh nodes - can use private IP addresses (or "ULA") to transport the tunnel data - between the client PC and the gateway/server. Each tunneling technique - typically needs a single instance (the "server") which forms a single - point of failure. Rule-of-thumb1: avoid a SPOF for the infrastructure. - Rule-of-thumb2: KISS (keep it simple stupid).

Using private IP addresses on the mesh nodes has a drawback: mesh - node software updates e.g. a download via HTTP from an Internet server is - not possible. This is where I start to think: hey, some kind of - address mapping may be nice to have. While opening Pandora's NAT66 - box, I discovered that IPv6 nerds do not like the acronym. It is always a - good tactic in info wars to rename, hence the name "MAP66".

// Sven-Ola

+ else is unchanged.

-- cgit v1.2.3