From 53c6274071f4adab870dfc4173d1815287d65464 Mon Sep 17 00:00:00 2001
From: sven-ola <sven-ola@3484d885-4da6-438d-b19d-107d078dd756>
Date: Wed, 13 Oct 2010 18:20:19 +0000
Subject: git-svn-id: https://map66.svn.sourceforge.net/svnroot/map66@26
 3484d885-4da6-438d-b19d-107d078dd756

---
 README.html | 42 +++++++++++++++++++++++++++---------------
 1 file changed, 27 insertions(+), 15 deletions(-)

(limited to 'README.html')

diff --git a/README.html b/README.html
index cd87ef5..75d1e91 100644
--- a/README.html
+++ b/README.html
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux"><div class="titlepage"><div><div><h2 class="title"><a id="id2670864"></a>MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Sven-Ola</span> <span class="surname">Tuecke</span></h3><div class="affiliation"><span class="orgname">Freifunk<br /></span></div></div></div><div><p class="pubdate">13-OCT-2010</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2721433">Installation</a></span></dt><dt><span class="section"><a href="#id2694012">DKMS Integration</a></span></dt><dt><span class="section"><a href="#id2726093">Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#id2726270">Brief Version</a></span></dt><dt><span class="section"><a href="#id2720683">Detailed Version</a></span></dt></dl></dd><dt><span class="section"><a href="#id2705734">IPv6/IPv4 Precedence</a></span></dt><dt><span class="section"><a href="#motivation">Motivation</a></span></dt></dl></div><p>These files implement a Linux netfilter target that changes the IPv6
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux"><div class="titlepage"><div><div><h2 class="title"><a id="id2830125"></a>MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Sven-Ola</span> <span class="surname">Tuecke</span></h3><div class="affiliation"><span class="orgname">Freifunk<br /></span></div></div></div><div><p class="pubdate">13-OCT-2010</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#install">Installation</a></span></dt><dt><span class="section"><a href="#dkms">DKMS Integration</a></span></dt><dt><span class="section"><a href="#config">Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#config-brief">Brief Version</a></span></dt><dt><span class="section"><a href="#config-detailed">Detailed Version</a></span></dt></dl></dd><dt><span class="section"><a href="#precedence">IPv6/IPv4 Precedence</a></span></dt><dd><dl><dt><span class="section"><a href="#precedence-gai">Change gai.conf</a></span></dt><dt><span class="section"><a href="#precedence-6to4">Use 6to4 Internal Address</a></span></dt></dl></dd><dt><span class="section"><a href="#motivation">Motivation</a></span></dt></dl></div><p>These files implement a Linux netfilter target that changes the IPv6
   address of packets. The address change is done checksum neutral, thus no
   checksum re-calculation for the packet is necessary. You can change the IPv6
   source address of outgoing packets as well as the IPv6 destination address
@@ -10,7 +10,7 @@
   some sort of stateless NAT. The implementation is based on the expired IETF
   discussion paper published here:</p><p><a class="ulink" href="http://tools.ietf.org/html/draft-mrw-behave-nat66-02" target="_top">http://tools.ietf.org/html/draft-mrw-behave-nat66-02</a></p><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Using MAP66 rules together with connection tracking rules sich as
     <strong class="userinput"><code>--ctstate</code></strong> is currently untested and may not work or
-    may cause oopses.</p></div><div class="section" title="Installation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2721433"></a>Installation</h2></div></div></div><p>MAP66 implements two pieces of software: a shared library that
+    may cause oopses.</p></div><div class="section" title="Installation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="install"></a>Installation</h2></div></div></div><p>MAP66 implements two pieces of software: a shared library that
     extends the ip6tables command and a Linux kernel module. The shared
     library file adds the '-j MAP66' target to the ip6tables command. To build
     and install, you need ip6tables installed as well as the necessary
@@ -23,7 +23,7 @@
       Linux-2.6 or <code class="filename">ip6t_MAP66.o</code> for Linux-2.4) is not
       automatically installed nor loaded into the kernel. You can copy the
       kernel module file manually, e.g. with <strong class="userinput"><code>sudo cp ip6t_MAP66.ko
-      /lib/modules/$(uname -r)/</code></strong>.</p></div></div><div class="section" title="DKMS Integration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2694012"></a>DKMS Integration</h2></div></div></div><p>If the next system update needs to install a new kernel version, you
+      /lib/modules/$(uname -r)/</code></strong>.</p></div></div><div class="section" title="DKMS Integration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="dkms"></a>DKMS Integration</h2></div></div></div><p>If the next system update needs to install a new kernel version, you
     also need to re-compile/re-install the MAP66 kernel module. With
     Debian/(EKU)buntu, this can be automated with the Dynamic Kernel Module
     Support Framework (DKMS). For this, the <code class="filename">dkms.conf</code>
@@ -32,7 +32,7 @@
     below <code class="filename">/usr/src/</code>. To register the MAP66 source to DKMS
     and compile/install, issue these commands:</p><pre class="programlisting">sudo dkms add -m ip6t_MAP66 -v 0.5
 sudo dkms build -m ip6t_MAP66 -v 0.5
-sudo dkms install -m ip6t_MAP66 -v 0.5</pre><p>Read DKMS details here: <a class="ulink" href="Read DKMS details here: https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging" target="_top">https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging</a></p></div><div class="section" title="Configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2726093"></a>Configuration</h2></div></div></div><div class="section" title="Brief Version"><div class="titlepage"><div><div><h3 class="title"><a id="id2726270"></a>Brief Version</h3></div></div></div><p>You always need to add two ip6tables-rules to your netfilter
+sudo dkms install -m ip6t_MAP66 -v 0.5</pre><p>Read DKMS details here: <a class="ulink" href="Read DKMS details here: https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging" target="_top">https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging</a></p></div><div class="section" title="Configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="config"></a>Configuration</h2></div></div></div><div class="section" title="Brief Version"><div class="titlepage"><div><div><h3 class="title"><a id="config-brief"></a>Brief Version</h3></div></div></div><p>You always need to add two ip6tables-rules to your netfilter
       configuration. One rule matches outgoing packets and changes their IPv6
       source address. The second rule matches incoming packets and reverts the
       address change by altering their IPv6 destination address. To following
@@ -51,7 +51,7 @@ ip6tables -t mangle -I PREROUTING  -i eth0 -d 2001:0DB8:0001::/48 -j MAP66 --dst
       the mapping rule defines a mapping prefix that cannot result in the
       interface address) you can switch off the comparison. Add the
       <strong class="userinput"><code>--nocheck</code></strong> parameter to the ip6tables command for
-      this.</p></div><div class="section" title="Detailed Version"><div class="titlepage"><div><div><h3 class="title"><a id="id2720683"></a>Detailed Version</h3></div></div></div><p>The following explanation details a living example from the
+      this.</p></div><div class="section" title="Detailed Version"><div class="titlepage"><div><div><h3 class="title"><a id="config-detailed"></a>Detailed Version</h3></div></div></div><p>The following explanation details a living example from the
       wireless mesh network that is mentioned under <a class="xref" href="#motivation" title="Motivation">Motivation</a> (see below).
       Throughout the mesh network, a private IP address range is used. The ULA
       prefix is fdca:ffee:babe::/64. All mesh nodes derive their IPv6
@@ -117,7 +117,7 @@ ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-
         has a 6-to-4 address, you will get the answer packet back via the
         6-to-4 interface. If the above address mapping is configured, you ping
         one IPv6 address and get the answer from another IPv6
-        address...</p></div></div></div><div class="section" title="IPv6/IPv4 Precedence"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2705734"></a>IPv6/IPv4 Precedence</h2></div></div></div><p>With (EKU)buntu and eventually with RedHat, you will notice that
+        address...</p></div></div></div><div class="section" title="IPv6/IPv4 Precedence"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="precedence"></a>IPv6/IPv4 Precedence</h2></div></div></div><p>With (EKU)buntu and eventually with RedHat, you will notice that
     your browser does not show the IPv6 version of a web site that is
     multi-homed when using ULA addresses for your IPv6 Internet connection.
     The reason for this is an add on to the RFC 3484 rules that is compiled
@@ -127,21 +127,33 @@ ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-
     address higher than the ULA IPv6 address when choosing the transport
     protocol for a new Internet connection if this add on to the RFC 3484
     rules is compiled in. For this reason, you may want to change the
-    precedence rules within <code class="filename">/etc/gai.conf</code>.</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>The getaddrinfo() library function manages lists of label,
+    precedence rules within <code class="filename">/etc/gai.conf</code> (see <a class="xref" href="#precedence-gai" title="Change gai.conf">Change gai.conf</a>) or use another
+    prefix (see <a class="xref" href="#precedence-6to4" title="Use 6to4 Internal Address">Use 6to4 Internal Address</a>).</p><div class="section" title="Change gai.conf"><div class="titlepage"><div><div><h3 class="title"><a id="precedence-gai"></a>Change gai.conf</h3></div></div></div><p>The getaddrinfo() library function manages lists of label,
       precedence, and scope4 type entries. If the
       <code class="filename">/etc/gai.conf</code> file does not provide a single entry
       for a particular type, the compiled-in list is used. For this reason,
       you cannot uncomment a single entry to overwrite the default. You need
       to uncomment all entries of a particular type for this. The
       <span class="quote">“<span class="quote">label</span>”</span> lines compare source addresses, the
-      <span class="quote">“<span class="quote">precedence</span>”</span> lines compare destination addresses.</p></div><div class="procedure" title="Procedure 1. Change IPv6 Precedence"><a id="id2714638"></a><p class="title"><b>Procedure 1. Change IPv6 Precedence</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>Open the <code class="filename">/etc/gai.conf</code> file as root user,
-        e.g. by executing <strong class="userinput"><code>sudo nano
-        /etc/gai.conf</code></strong>.</p></li><li class="step" title="Step 2"><p>Remove the leading hash character from the 8 lines starting with
-        <span class="quote">“<span class="quote">#label</span>”</span>.</p></li><li class="step" title="Step 3"><p>Re-add the hash character to the line stating <span class="quote">“<span class="quote">#label
-        fc00::/7 6</span>”</span>.</p></li><li class="step" title="Step 4"><p>Save the file.</p></li><li class="step" title="Step 5"><p>Restart your browser and re-try to browse to a multi-homed web
-        site.</p></li></ol></div><p>The above procedure removes the difference between standard IPv6
-    source addresses and ULA type private IPv6 source addresses. Anything else
-    is unchanged.</p></div><div class="section" title="Motivation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="motivation"></a>Motivation</h2></div></div></div><p>My Internet access at home is realized by a wireless community mesh
+      <span class="quote">“<span class="quote">precedence</span>”</span> lines compare destination addresses.</p><div class="procedure" title="Procedure 1. Change IPv6 Precedence"><a id="id2877432"></a><p class="title"><b>Procedure 1. Change IPv6 Precedence</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>Open the <code class="filename">/etc/gai.conf</code> file as root user,
+          e.g. by executing <strong class="userinput"><code>sudo nano
+          /etc/gai.conf</code></strong>.</p></li><li class="step" title="Step 2"><p>Remove the leading hash character from the 8 lines starting
+          with <span class="quote">“<span class="quote">#label</span>”</span>.</p></li><li class="step" title="Step 3"><p>Re-add the hash character to the line stating <span class="quote">“<span class="quote">#label
+          fc00::/7 6</span>”</span>.</p></li><li class="step" title="Step 4"><p>Save the file.</p></li><li class="step" title="Step 5"><p>Restart your browser and re-try to browse to a multi-homed web
+          site.</p></li></ol></div><p>The above procedure removes the difference between standard IPv6
+      source addresses and ULA type private IPv6 source addresses. Anything
+      else is unchanged.</p></div><div class="section" title="Use 6to4 Internal Address"><div class="titlepage"><div><div><h3 class="title"><a id="precedence-6to4"></a>Use 6to4 Internal Address</h3></div></div></div><p>As an alternative solution, you may use 6to4 addresses in your
+      LAN. While the well known IPv4 adresses 10.0.0.0/8, 172.16.0.0/12, and
+      192.168.0.0/16 still exist, it is unlikely that their 6to4 counterparts
+      2002:0a00::/24, 2002:ac10::/28, and 2002:c0a8::/32 will be routed on the
+      Internet. Because 6to4 adresses are part of the official 2002::/3
+      address prefix for the Internet, no difference between these addresses
+      and other Internet addresses are made by getaddrinfo().</p><p>If you already deployed ULA adresses in your network, you may be
+      interested in a solution that runs on my Freifunk router. The router
+      uses the IPv4 192.168.65.65/26 on it's LAN interface. WIthin the
+      OLSR-based mesh network, any interface uses an fdca:ffee:babe::/64
+      prefix. The following internal mapping is configured for this: </p><pre class="programlisting">ip6tables -t mangle -I PREROUTING -i br0 -s 2002:c0a8:4141::/64 -j MAP66 --src-to fdca:ffee:babe::/64 --unbalanced
+ip6tables -t mangle -I POSTROUTING -o br0 -d fdca:ffee:babe::/64 -j MAP66 --dst-to 2002:c0a8:4141::/64 --unbalanced</pre></div></div><div class="section" title="Motivation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="motivation"></a>Motivation</h2></div></div></div><p>My Internet access at home is realized by a wireless community mesh
     network not owned by me. The mesh is operated with small embedded devices
     (nodes aka. WLAN routers) that are interconnected via radio links (WLAN
     IBSS / AdHoc). Routing is done with a specialized protocol such as Batman
-- 
cgit v1.2.3