From 8790aa53a3d0959ba318fea1ecb9de5a4de4cac5 Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Thu, 10 Nov 2011 08:23:38 +0100 Subject: Updated README --- README.dbk | 168 ++++++++++++------------------------------------------------- 1 file changed, 33 insertions(+), 135 deletions(-) (limited to 'README.dbk') diff --git a/README.dbk b/README.dbk index f07753f..a96bb0d 100644 --- a/README.dbk +++ b/README.dbk @@ -1,13 +1,11 @@ - - + ]>
- MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux + NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux Sven-Ola @@ -18,8 +16,17 @@ Freifunk + + Matthias + + Schiffer - 16-OCT-2010 + + Freifunk Lübeck + + + + 10-NOV-2011 These files implement a Linux netfilter target that changes the IPv6 @@ -33,10 +40,10 @@ discussion paper published here: http://tools.ietf.org/html/draft-mrw-behave-nat66-02 + url="https://tools.ietf.org/html/rfc6296">https://tools.ietf.org/html/rfc6296 - Using MAP66 rules together with connection tracking rules such as + Using NPTv6 rules together with connection tracking rules such as --ctstate is currently untested and may not work or may cause dysfunctions. @@ -44,26 +51,26 @@
Installation - MAP66 implements two pieces of software: a shared library that + NPTv6 implements two pieces of software: a shared library that extends the ip6tables command and a Linux kernel module. The shared - library file adds the '-j MAP66' target to the ip6tables command. To build - and install, you need ip6tables installed as well as the necessary - headers. The Linux kernel module requires the Linux source file tree and - kernel configuration files to compile. On a Debian/(EKU)buntu, the - following command prepares the build environment: + library file adds the '-j SNPTV6' target (for source address translation) + and the '-j DNPTV6' target (for destination address translation) to the + ip6tables command. To build and install, you need ip6tables installed as + well as the necessary headers. The Linux kernel module requires the Linux + source file tree and kernel configuration files to compile. On a Debian/(EKU)buntu, + the following command prepares the build environment: sudo apt-get install build-essential linux-headers iptables-dev Unpack the source tgz archive below /usr/src, change to the new sub-directory and issue "make" to build. If this - compiles without errors, install the ip6tables extension with the - following command: - - sudo make install + compiles without errors, install the ip6tabless extension by copying + libip6t_SNPTV6.so and libip6t_DNPTV6.so to the iptables module directory, + which is probably located under /lib/xtables or + /usr/lib/iptables. - The kernel module (ip6t_MAP66.ko for - Linux-2.6 or ip6t_MAP66.o for Linux-2.4) is not + The kernel module (ip6t_MAP66.ko is not automatically installed nor loaded into the kernel. You can copy the kernel module file manually, e.g. with sudo cp ip6t_MAP66.ko /lib/modules/$(uname -r)/. @@ -86,9 +93,9 @@ below /usr/src/. To register the MAP66 source to DKMS and compile/install, issue these commands: - sudo dkms add -m ip6t_MAP66 -v &VERSION; -sudo dkms build -m ip6t_MAP66 -v &VERSION; -sudo dkms install -m ip6t_MAP66 -v &VERSION; + sudo dkms add -m ip6t_NPTV6 -v &VERSION; +sudo dkms build -m ip6t_NPTV6 -v &VERSION; +sudo dkms install -m ip6t_NPTV6 -v &VERSION; Read DKMS details here: https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging @@ -107,121 +114,12 @@ sudo dkms install -m ip6t_MAP66 -v &VERSION; commands correspond to the Address Mapping Example given in the IETF discussion paper: - ip6tables -t mangle -I POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j MAP66 &OPTSRCTO; 2001:0DB8:0001::/48 -ip6tables -t mangle -I PREROUTING -i eth0 -d 2001:0DB8:0001::/48 -j MAP66 &OPTDSTTO; FD01:0203:0405::/48 + ip6tables -t mangle -I POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48 +ip6tables -t mangle -I PREROUTING -i eth0 -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48 This example is also printed to the screen if you issue - ip6tables -j MAP66 --help. By design, you cannot - use an arbitrary prefix length. Only /112, /96 .. /16 are - supported. - - For each packet, the Linux kernel module also compares the - packet's source address to all IPv6 addresses assigned to the outgoing - interface. If a match is found, the packet's source address is not - mapped. The same comparison happens on the incoming packet's destination - address. The comparison requires some CPU resources, especially if the - interface has a large number of assigned IPv6 addresses. If you are sure - that the mapping cannot match the IPv6 address of the interface (e.g. - the mapping rule defines a mapping prefix that cannot result in the - interface address) you can switch off the comparison. Add the - --nocheck parameter to the ip6tables command for - this. -
- -
- Detailed Version - - The following explanation details a living example from the - wireless mesh network that is mentioned under (see below). - Throughout the mesh network, a private IP address range is used. The ULA - prefix is fdca:ffee:babe::/64. All mesh nodes derive their IPv6 - interface addresses by correlating the ULA prefix with the EUI48 - (MAC address) of the respective network adapter. - - There is a Debian based virtual machine that should act as one - IPv6 Internet gateway for the mesh. You can reach the virtual machine's - web service via IPv4 under http://bbb-vpn.freifunk.net. - To experiment with IPv6, a SIXXS static tunnel setup has been - added and there is also an experimental 6-to-4 configuration. The - following /etc/network/interfaces file provides the - configuration for IPv6: - - auto sixxs -iface sixxs inet6 v4tunnel - address 2001:4dd0:ff00:2ee::2 - netmask 64 - local 77.87.48.7 - endpoint 78.35.24.124 - ttl 64 - up ip link set mtu 1280 dev $IFACE - up ip route add default via 2001:4dd0:ff00:2ee::1 dev $IFACE - up ip addr add 2001:4dd0:fe77::1/48 dev $IFACE - -#auto tun6to4 -iface tun6to4 inet6 v4tunnel - # ipv6calc --quiet --action conv6to4 77.87.48.7 - address 2002:4d57:3007::1 - netmask 16 - local 77.87.48.7 - endpoint any - ttl 64 - gateway ::192.88.99.1 - - As you can see, the virtual machine has an IPv6 prefix of - 2001:4dd0:fe77::/48 and is reachable via http://[2001:4dd0:fe77::1]/. - For experimental purposes, the 6-to-4 tunnel can be activated by issuing - ifup tun6to4. The netfilter setup of this machine - includes the following command sequence to realize mapping from the - private fdca:ffee:babe::/64 prefix to the globally valid IPv6 - addresses: - - ip6tables -t mangle -F POSTROUTING -ip6tables -t mangle -F PREROUTING -ip6tables -t mangle -F FORWARD - -grep -q ^ip6t_MAP66 /proc/modules && rmmod ip6t_MAP66 -insmod /usr/src/map66/ip6t_MAP66.ko - -ip6tables -t mangle -A POSTROUTING -o sixxs -s fdca:ffee:babe::/64 -j MAP66 &OPTSRCTO; 2001:4dd0:fe77:1::/64 --nocheck -ip6tables -t mangle -A PREROUTING -i sixxs -d 2001:4dd0:fe77:1::/64 -j MAP66 &OPTDSTTO; fdca:ffee:babe::/64 --nocheck -ip6tables -t mangle -A POSTROUTING -o tun6to4 -s fdca:ffee:babe::/64 -j MAP66 &OPTSRCTO; 2002:4d57:3007:1::/64 --nocheck -ip6tables -t mangle -A PREROUTING -i tun6to4 -d 2002:4d57:3007:1::/64 -j MAP66 &OPTDSTTO; fdca:ffee:babe::/64 --nocheck -ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu - - Because for both IPv6 networks the external prefix length is - smaller than the internal prefix length, we can make sure that the - mapped addresses cannot match the interface addresses. For example: - 2001:4dd0:fe77:1::/64 cannot be converted to 2001:4dd0:fe77:0::1/128 in - this context. For this reason, we can use the - --nocheck speedup here. - - You may stumble over the MSS-clamping rule. While IPv6 defines, - that path MTU detection via ICMPv6 must be supported by any host, - sometimes path MTU detection does not work. The SIXXS tunnel uses an MTU - of 1280 byte. To get the following command working on my PC, I needed to - add the above MSS-clamping rule on the gateway: - - wget --prefer-family=IPv6 -O - http://6to4.nro.net/ - - - The tun6to4 tunnel interface is disabled normally, because of - the implicit 2002::/16 network route configured for that interface. - This network route ensures, that traffic between one 2002::/16 to - another 2002::/16 travels directly between the IPv4 hosts. Without - this network route, any IPv6 traffic will be routed via the 6-to-4 - gateways which may not work and place a higher load on those 6-to-4 - gateways. - - However, if you ping the SIXXS IP address from another host that - has a 6-to-4 address, you will get the answer packet back via the - 6-to-4 interface. If the above address mapping is configured, you ping - one IPv6 address and get the answer from another IPv6 - address... - + ip6tables -j SNPTV6 --help. By design, you cannot + use prefix lengths longer than 64.
-- cgit v1.2.3