From 8c3e9d4d285727012a445f33abf4f9a89171f07a Mon Sep 17 00:00:00 2001 From: sven-ola Date: Sat, 16 Oct 2010 09:19:50 +0000 Subject: doc git-svn-id: https://map66.svn.sourceforge.net/svnroot/map66@48 3484d885-4da6-438d-b19d-107d078dd756 --- README.html | 39 +++++++++++++++++++++++---------------- 1 file changed, 23 insertions(+), 16 deletions(-) (limited to 'README.html') diff --git a/README.html b/README.html index 337f6ca..ebdef69 100644 --- a/README.html +++ b/README.html @@ -1,6 +1,6 @@ -MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux

MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux

Sven-Ola Tuecke

Freifunk

13-OCT-2010


These files implement a Linux netfilter target that changes the IPv6 +MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux

MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux

Sven-Ola Tuecke

Freifunk

16-OCT-2010


These files implement a Linux netfilter target that changes the IPv6 address of packets. The address change is done checksum neutral, thus no checksum re-calculation for the packet is necessary. You can change the IPv6 source address of outgoing packets as well as the IPv6 destination address @@ -8,9 +8,9 @@ to a second, externally used IPv6 address range. IPv6 address mapping is not very similar to IPv4 network address translation, but one can describe it as some sort of stateless NAT. The implementation is based on the expired IETF - discussion paper published here:

http://tools.ietf.org/html/draft-mrw-behave-nat66-02

Warning

Using MAP66 rules together with connection tracking rules sich as + discussion paper published here:

http://tools.ietf.org/html/draft-mrw-behave-nat66-02

Warning

Using MAP66 rules together with connection tracking rules such as --ctstate is currently untested and may not work or - may cause oopses.

Installation

MAP66 implements two pieces of software: a shared library that + may cause dysfunctions.

Installation

MAP66 implements two pieces of software: a shared library that extends the ip6tables command and a Linux kernel module. The shared library file adds the '-j MAP66' target to the ip6tables command. To build and install, you need ip6tables installed as well as the necessary @@ -128,32 +128,39 @@ ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp- protocol for a new Internet connection if this add on to the RFC 3484 rules is compiled in. For this reason, you may want to change the precedence rules within /etc/gai.conf (see Change gai.conf) or use another - prefix (see Use 6to4 Internal Address).

Change gai.conf

The getaddrinfo() library function manages lists of label, + prefix (see Use Changed Internal Address).

Change gai.conf

The getaddrinfo() library function manages lists of label, precedence, and scope4 type entries. If the /etc/gai.conf file does not provide a single entry for a particular type, the compiled-in list is used. For this reason, you cannot uncomment a single entry to overwrite the default. You need to uncomment all entries of a particular type for this. The label lines compare source addresses, the - precedence lines compare destination addresses.

Procedure 1. Change IPv6 Precedence

  1. Open the /etc/gai.conf file as root user, + precedence lines compare destination addresses.

    Procedure 1. Change IPv6 Precedence

    1. Open the /etc/gai.conf file as root user, e.g. by executing sudo nano /etc/gai.conf.

    2. Remove the leading hash character from the 8 lines starting with #label.

    3. Re-add the hash character to the line stating #label fc00::/7 6.

    4. Save the file.

    5. Restart your browser and re-try to browse to a multi-homed web site.

    The above procedure removes the difference between standard IPv6 source addresses and ULA type private IPv6 source addresses. Anything - else is unchanged.

Use 6to4 Internal Address

As an alternative solution, you may use 6to4 addresses in your - LAN. While the well known IPv4 adresses 10.0.0.0/8, 172.16.0.0/12, and - 192.168.0.0/16 still exist, it is unlikely that their 6to4 counterparts - 2002:0a00::/24, 2002:ac10::/28, and 2002:c0a8::/32 will be routed on the - Internet. Because 6to4 adresses are part of the official 2002::/3 - address prefix for the Internet, no difference between these addresses - and other Internet addresses are made by getaddrinfo().

If you already deployed ULA adresses in your network, you may be + else is unchanged.

Use Changed Internal Address

As an alternative solution, you may use an arbitrary address + prefix in your LAN that is not mentioned in the + gai.conf file nor compiled in. This will work but + introduces a double mapping: one map (Inet-ULA) on the Internet gateway + router and a second map (ULA-Intern) on the internal router.

Note

While the well known IPv4 addresses 10.0.0.0/8, 172.16.0.0/12, + and 192.168.0.0/16 still exist, it is unlikely that their 6to4 + counterparts 2002:0a00::/24, 2002:ac10::/28, and 2002:c0a8::/32 will + be routed on the Internet. Sadly, the (EKU)buntu defaults penalize + 6to4 addresses also.

If you already deployed ULA addresses in your network, you may be interested in a solution that runs on my Freifunk router. The router - uses the IPv4 192.168.65.65/26 on it's LAN interface. WIthin the - OLSR-based mesh network, any interface uses an fdca:ffee:babe::/64 - prefix. The following internal mapping is configured for this:

ip6tables -t mangle -I PREROUTING -i br0 -s 2002:c0a8:4141::/64 -j MAP66 --src-to fdca:ffee:babe::/64 --csum
-ip6tables -t mangle -I POSTROUTING -o br0 -d fdca:ffee:babe::/64 -j MAP66 --dst-to 2002:c0a8:4141::/64 --csum

Motivation

My Internet access at home is realized by a wireless community mesh + uses the IPv6 prefix that is reserved for documentation purposes on it's + LAN interface. WIthin the OLSR-based mesh network, any interface uses an + fdca:ffee:babe::/64 prefix. The following internal mapping is configured + for this:

ip6tables -t mangle -I PREROUTING -i br0 -s 2001:0DB8::/64 -j MAP66 --src-to fdca:ffee:babe::/64 --csum
+ip6tables -t mangle -I POSTROUTING -o br0 -d fdca:ffee:babe::/64 -j MAP66 --dst-to 2001:0DB8::/64 --csum

To prevent the mapped packets to vanish via the default route and + to overcome mac address lookups during the routing process, I also added + these prefixes to the router's /etc/radvd.conf as + well as (host) routes pointing to the br0 interface for + both prefixes.

Motivation

My Internet access at home is realized by a wireless community mesh network not owned by me. The mesh is operated with small embedded devices (nodes aka. WLAN routers) that are interconnected via radio links (WLAN IBSS / AdHoc). Routing is done with a specialized protocol such as Batman -- cgit v1.2.3
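Review bot: in the @@ -8,9 +8,9 @@ hunk, replacing "may cause oopses" with "may cause dysfunctions" removes the one concrete piece of risk information the warning carried. An oops is a kernel fault; for a netfilter target that runs in kernel context this means a possible crash or a hung forwarding path, not merely a rule that fails to match. Keep the typo fix ("sich" to "such") but keep the failure mode explicit, e.g. "is currently untested and may not work or may crash the kernel (oops)", so an administrator deciding whether to combine MAP66 with --ctstate rules knows the downside is a kernel fault rather than a functional glitch.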
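Review bot: in the @@ -128,32 +128,39 @@ hunk, the new "Use Changed Internal Address" section asks for a prefix "not mentioned in the gai.conf file nor compiled in", but neither it nor the rewritten Freifunk paragraph says why 2001:0DB8::/64 in the example commands meets that condition, and "uses the IPv6 prefix that is reserved for documentation purposes on it's LAN interface" reads as if the documentation prefix is the author's real LAN prefix. Add one sentence stating that 2001:db8::/32 is the documentation prefix, is not routed on the Internet, and is only acceptable here because the PREROUTING -i br0 / POSTROUTING -o br0 rules confine it to the LAN side of the map, and say whether a reader should substitute an unrouted prefix of their own. The added paragraph "To prevent the mapped packets to vanish via the default route ..." describes the radvd.conf entries and the host routes without showing them; since the mangle POSTROUTING rewrite of fdca:ffee:babe::/64 to 2001:0DB8::/64 happens after the routing decision, a packet addressed to a LAN host's mapped fdca:ffee:babe:: address leaves via the mesh default route unless a more specific route points it at br0, so quote the actual route entries and the radvd prefix stanza so the setup can be reproduced and the reason for the routes is visible. While these lines are being rewritten, also fix "it's LAN interface" to "its LAN interface", "WIthin" to "Within" (both carried over unchanged from the removed lines) and "to vanish" to "from vanishing".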