MAP66 (NAT from IPv6 to IPv6, NAT66) for Linux
Sven-Ola
Tuecke
Freifunk
06-OCT-2010
These files implement a Linux netfilter target that changes the IPv6
address of packets. The address change is done checksum neutral, thus no
checksum re-calculation for the packet is necessary. You can change the IPv6
source address of outgoing packets as well as the IPv6 destination address
of incoming packets. This allows you to map an internal IPv6 address range
to a second, externally used IPv6 address range. IPv6 address mapping is not
very similar to IPv4 network address translation, but one can describe it as
some sort of stateless NAT. The implementation is based on the expired IETF
discussion paper published here:
http://tools.ietf.org/html/draft-mrw-behave-nat66-02
Installation
MAP66 implements two pieces of software: a shared library that
extends the ip6tables command and a Linux kernel module. The shared
library file adds the '-j MAP66' target to the ip6tables command. To build
and install, you need ip6tables installed as well as the necessary
headers. The Linux kernel module requires the Linux source file tree and
kernel configuration files to compile. On a Debian/(EKU)buntu, the
following command prepares the build environment:
sudo apt-get install build-essential linux-headers iptables-dev
Unpack the source tgz archive below /usr/src,
change to the new sub-directory and issue "make" to build. If this
compiles without errors, install the ip6tables extension with the
following command:
sudo make install
The kernel module (ip6t_MAP66.ko for
Linux-2.6 or ip6t_MAP66.o for Linux-2.4) is not
automatically installed nor loaded into the kernel. You can copy the
kernel module file manually, e.g. with sudo cp ip6t_MAP66.ko
/lib/modules/$(uname -r)/.
DKMS Integration
If the next system update needs to install a new kernel version, you
also need to re-compile/re-install the MAP66 kernel module. With
Debian/(EKU)buntu, this can be automated with the Dynamic Kernel Module
Support Framework (DKMS). For this, the dkms.conf
file is included with the MAP66 source file package. Install DKMS with the
following command:
sudo apt-get install dkms
If not already in place, move/unpack the MAP66 source file archive
below /usr/src/. To register the MAP66 source to DKMS
and compile/install, issue these commands:
sudo dkms add -m ip6t_MAP66 -v 0.3
sudo dkms build -m ip6t_MAP66 -v 0.3
sudo dkms install -m ip6t_MAP66 -v 0.3
Read DKMS details here: https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging
Configuration
Brief Version
You always need to add two ip6tables-rules to your netfilter
configuration. One rule matches outgoing packets and changes their IPv6
source address. The second rule matches incoming packets and reverts the
address change by altering their IPv6 destination address. To following
commands correspond to the Address Mapping Example
given
in the IETF discussion paper:
ip6tables -t mangle -I POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j MAP66 --to 2001:0DB8:0001::/48
ip6tables -t mangle -I PREROUTING -i eth0 -d 2001:0DB8:0001::/48 -j MAP66 --to FD01:0203:0405::/48
This example is also printed to the screen if you issue
ip6tables -j MAP66 --help. By design, you cannot
use an arbitrary prefix length. Only /112, /96 .. /16 are
supported.
For each packet, the Linux kernel module also compares the
packet's source address to all IPv6 addresses assigned to the outgoing
interface. If a match is found, the packet's source address is not
mapped. The same comparison happens on the incoming packet's destination
address. The comparison requires some CPU resources, especially if the
interface has a large number of assigned IPv6 addresses. If you are sure
that the mapping cannot match the IPv6 address of the interface (e.g.
the mapping rule defines a mapping prefix that cannot result in the
interface address) you can switch off the comparison. Add the
--nocheck parameter to the ip6tables command for
this.
Detailed Version
The following explanation details a living example from the
wireless mesh network that is mentioned under (see below).
Throughout the mesh network, a private IP address range is used. The ULA
prefix is fdca:ffee:babe::/64. All mesh nodes derive their IPv6
interface addresses by correlating the ULA prefix with the EUI48
(MAC address
) of the respective network adapter.
There is a Debian based virtual machine that should act as one
IPv6 Internet gateway for the mesh. You can reach the virtual machine's
web service via IPv4 under http://bbb-vpn.freifunk.net.
To experiment with IPv6, a SIXXS static tunnel setup has been
added and there is also an experimental 6-to-4 configuration. The
following /etc/network/interfaces file provides the
configuration for IPv6:
auto sixxs
iface sixxs inet6 v4tunnel
address 2001:4dd0:ff00:2ee::2
netmask 64
local 77.87.48.7
endpoint 78.35.24.124
ttl 64
up ip link set mtu 1280 dev $IFACE
up ip route add default via 2001:4dd0:ff00:2ee::1 dev $IFACE
up ip addr add 2001:4dd0:fe77::1/48 dev $IFACE
#auto tun6to4
iface tun6to4 inet6 v4tunnel
# ipv6calc --quiet --action conv6to4 77.87.48.7
address 2002:4d57:3007::1
netmask 16
local 77.87.48.7
endpoint any
ttl 64
gateway ::192.88.99.1
As you can see, the virtual machine has an IPv6 prefix of
2001:4dd0:fe77::/48 and is reachable via http://[2001:4dd0:fe77::1]/.
For experimental purposes, the 6-to-4 tunnel can be activated by issuing
ifup tun6to4. The netfilter setup of this machine
includes the following command sequence to realize mapping from the
private fdca:ffee:babe::/64 prefix to the globally valid IPv6
addresses:
ip6tables -t mangle -F POSTROUTING
ip6tables -t mangle -F PREROUTING
ip6tables -t mangle -F FORWARD
grep -q ^ip6t_MAP66 /proc/modules && rmmod ip6t_MAP66
insmod /usr/src/map66/ip6t_MAP66.ko
ip6tables -t mangle -A POSTROUTING -o sixxs -s fdca:ffee:babe::/64 -j MAP66 --to 2001:4dd0:fe77:1::/64 --nocheck
ip6tables -t mangle -A PREROUTING -i sixxs -d 2001:4dd0:fe77:1::/64 -j MAP66 --to fdca:ffee:babe::/64 --nocheck
ip6tables -t mangle -A POSTROUTING -o tun6to4 -s fdca:ffee:babe::/64 -j MAP66 --to 2002:4d57:3007:1::/64 --nocheck
ip6tables -t mangle -A PREROUTING -i tun6to4 -d 2002:4d57:3007:1::/64 -j MAP66 --to fdca:ffee:babe::/64 --nocheck
ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Because for both IPv6 networks the external prefix length is
smaller than the internal prefix length, we can make sure that the
mapped addresses cannot match the interface addresses. For example:
2001:4dd0:fe77:1::/64 cannot be converted to 2001:4dd0:fe77:0::1/128 in
this context. For this reason, we can use the
--nocheck speedup here.
You may stumble over the MSS-clamping rule. While IPv6 defines,
that path MTU detection via ICMPv6 must be supported by any host,
sometimes path MTU detection does not work. The SIXXS tunnel uses an MTU
of 1280 byte. To get the following command working on my PC, I needed to
add the above MSS-clamping rule on the gateway:
wget --prefer-family=IPv6 -O - http://6to4.nro.net/
The tun6to4 tunnel interface is disabled normally, because of
the implicit 2002::/16 network route configured for that interface.
This network route ensures, that traffic between one 2002::/16 to
another 2002::/16 travels directly between the IPv4 hosts. Without
this network route, any IPv6 traffic will be routed via the 6-to-4
gateways which may not work and place a higher load on those 6-to-4
gateways.
However, if you ping the SIXXS IP address from another host that
has a 6-to-4 address, you will get the answer packet back via the
6-to-4 interface. If the above address mapping is configured, you ping
one IPv6 address and get the answer from another IPv6
address...
IPv6/IPv4 Precedence
With (EKU)buntu and eventually with RedHat, you will notice that
your browser does not show the IPv6 version of a web site that is
multi-homed when using ULA addresses for your IPv6 Internet connection.
The reason for this is an add on to the RFC 3484 rules that is compiled
into the (EKU)buntu libc. The pre-installed
/etc/gai.conf file will give you a hint on
this.
In short: the getaddrinfo() library function rates a private IPv4
address higher than the ULA IPv6 address when choosing the transport
protocol for a new Internet connection if this add on to the RFC 3484
rules is compiled in. For this reason, you may want to change the
precedence rules within /etc/gai.conf.
The getaddrinfo() library function manages lists of label,
precedence, and scope4 type entries. If the
/etc/gai.conf file does not provide a single entry
for a particular type, the compiled-in list is used. For this reason,
you cannot uncomment a single entry to overwrite the default. You need
to uncomment all entries of a particular type for this. The
label
lines compare source addresses, the
precedence
lines compare destination addresses.
Change IPv6 Precedence
Open the /etc/gai.conf file as root user,
e.g. by executing sudo nano
/etc/gai.conf.
Remove the leading hash character from the 8 lines starting with
#label
.
Re-add the hash character to the line stating #label
fc00::/7 6
.
Save the file.
Restart your browser and re-try to browse to a multi-homed web
site.
The above procedure removes the difference between standard IPv6
source addresses and ULA type private IPv6 source addresses. Anything else
is unchanged.
Motivation
My Internet access at home is realized by a wireless community mesh
network not owned by me. The mesh is operated with small embedded devices
(nodes aka. WLAN routers) that are interconnected via radio links (WLAN
IBSS / AdHoc). Routing is done with a specialized protocol such as Batman
or OLSR. The routing protocol selects the nearest out of a dozen Internet
gateways and configures a default route or an IPIP tunnel accordingly.
Each Internet gateway is connected to a different ISP and provides the
service with the help of IPv4 network address translation (NAT). Using NAT
has the following effects:
Address amplification - something not necessary with IPv6 any
more
Anonymization - nice to have as an option but not mission
critical
ISP independence - no reverse routing, no
"buy-a-number-range"
The last point is mission critical.
One can obtain a provider independent IPv6 address range, but you need the
cooperation of an ISP to use that address range for Internet connectivity.
If you e.g. move to another ISP you need your address range to be
re-routed to your new location.
ISP independence is also possible with some tunneling technique,
such as VPN or mobile IP. Tunneling can be implemented on client PCs and
Internet gateways/servers one day. But there is no need to implement the
same tunneling technique on every mesh node. Why? Because the mesh nodes
can use private IP addresses (or "ULA") to transport the tunnel data
between the client PC and the gateway/server. Each tunneling technique
typically needs a single instance (the "server") which forms a single
point of failure. Rule-of-thumb1: avoid a SPOF for the infrastructure.
Rule-of-thumb2: KISS (keep it simple stupid).
Using private IP addresses on the mesh nodes has a drawback: mesh
node software updates e.g. a download via HTTP from an Internet server is
not possible. This is where I start to think: hey, some kind of
address mapping may be nice to have
. While opening Pandora's NAT66
box, I discovered that IPv6 nerds do not like the acronym. It is always a
good tactic in info wars to rename, hence the name "MAP66".
// Sven-Ola