blob: 7a0674cfd74ec63ba9689c71f9185933a490c44b (plain)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux</title><meta name="generator" content="DocBook XSL Stylesheets V1.76.1" /></head><body><div class="article" title="NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux"><div class="titlepage"><div><div><h2 class="title"><a id="id463568"></a>NPTv6 (IPv6-to-IPv6 Network Prefix Translation) for Linux</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Sven-Ola</span> <span class="surname">Tuecke</span></h3><div class="affiliation"><span class="orgname">Freifunk<br /></span></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Matthias</span> <span class="surname">Schiffer</span></h3><div class="affiliation"><span class="orgname">Freifunk Lübeck<br /></span></div></div></div><div><p class="pubdate">10-NOV-2011</p></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl><dt><span class="section"><a href="#install">Installation</a></span></dt><dt><span class="section"><a href="#dkms">DKMS Integration</a></span></dt><dt><span class="section"><a href="#config">Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#config-brief">Brief Version</a></span></dt><dt><span class="section"><a href="#config-nat-behaviour">NAT Behavioral Requirements</a></span></dt></dl></dd><dt><span class="section"><a href="#precedence">IPv6/IPv4 Precedence</a></span></dt><dd><dl><dt><span class="section"><a href="#precedence-gai">Change gai.conf</a></span></dt></dl></dd></dl></div><p>These files implement a Linux netfilter target that changes the IPv6
  address of packets. The address change is done checksum neutral, thus no
  checksum re-calculation for the packet is necessary. You can change the IPv6
  source address of outgoing packets as well as the IPv6 destination address
  of incoming packets. This allows you to map an internal IPv6 address range
  to a second, externally used IPv6 address range. IPv6 prefix mapping is not
  very similar to IPv4 network address translation, but it can be described as
  a form of stateless NAT. The implementation is based on RFC 6296, published
  here:</p><p><a class="ulink" href="https://tools.ietf.org/html/rfc6296" target="_top">https://tools.ietf.org/html/rfc6296</a></p><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Using NPTv6 rules together with connection tracking rules such as
    <strong class="userinput"><code>--ctstate</code></strong> is currently untested and may not work or
    may cause malfunctions.</p></div><div class="section" title="Installation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="install"></a>Installation</h2></div></div></div><p>NPTv6 consists of two pieces of software: a shared library that
    extends the ip6tables command and a Linux kernel module. The shared
    library adds the '-j SNPTV6' target (for source address translation)
    and the '-j DNPTV6' target (for destination address translation) to the
    ip6tables command. To build and install, you need ip6tables installed as
    well as the necessary headers. The Linux kernel module requires the Linux
    source file tree and kernel configuration files to compile. On Debian/(EKU)buntu,
    the following command prepares the build environment:</p><pre class="programlisting">sudo apt-get install build-essential linux-headers iptables-dev</pre><p>Unpack the source tgz archive below <code class="filename">/usr/src</code>,
    change to the new sub-directory and issue "make" to build. If this
    compiles without errors, install the ip6tables extension by copying
    libip6t_SNPTV6.so and libip6t_DNPTV6.so to the iptables module directory,
    which is probably located under <code class="filename">/lib/xtables</code> or
    <code class="filename">/usr/lib/iptables</code>.</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>The kernel modules (<code class="filename">ip6t_SNPTV6.ko</code> and
      <code class="filename">ip6t_DNPTV6.ko</code>) are not automatically installed or loaded
      into the kernel. You can copy the kernel module file manually, e.g. with
      <strong class="userinput"><code>sudo cp ip6t_SNPTV6.ko ip6t_DNPTV6.ko /lib/modules/$(uname -r)/</code></strong>.</p></div></div><div class="section" title="DKMS Integration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="dkms"></a>DKMS Integration</h2></div></div></div><p>If the next system update needs to install a new kernel version, you
    also need to re-compile/re-install the NPTv6 kernel modules. With
    Debian/(EKU)buntu, this can be automated with the Dynamic Kernel Module
    Support Framework (DKMS). For this, the <code class="filename">dkms.conf</code>
    file is included with the NPTv6 source file package. Install DKMS with the
    following command:</p><pre class="programlisting">sudo apt-get install dkms</pre><p>If not already in place, move/unpack the NPTv6 source file archive
    below <code class="filename">/usr/src/</code>. To register the NPTv6 source to DKMS
    and compile/install, issue these commands:</p><pre class="programlisting">sudo dkms add -m ip6t_NPTV6 -v 0.6
sudo dkms build -m ip6t_NPTV6 -v 0.6
sudo dkms install -m ip6t_NPTV6 -v 0.6</pre><p>Read DKMS details here: <a class="ulink" href="https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging" target="_top">https://wiki.kubuntu.org/Kernel/Dev/DKMSPackaging</a></p></div><div class="section" title="Configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="config"></a>Configuration</h2></div></div></div><div class="section" title="Brief Version"><div class="titlepage"><div><div><h3 class="title"><a id="config-brief"></a>Brief Version</h3></div></div></div><p>You always need to add two ip6tables rules to your netfilter
      configuration. One rule matches outgoing packets and changes their IPv6
      source address. The second rule matches incoming packets and reverts the
      address change by altering their IPv6 destination address. The following
      commands correspond to the <span class="quote">“<span class="quote">/48 Prefix Mapping Example</span>”</span> given
      in RFC 6296:</p><pre class="programlisting">ip6tables -t mangle -A PREROUTING  -i eth0 -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48
ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48</pre><p>This example is also printed to the screen if you issue
      <strong class="userinput"><code>ip6tables -j SNPTV6 --help</code></strong>. By design, you cannot
      use prefix lengths longer than 64.</p></div><div class="section" title="NAT Behavioral Requirements"><div class="titlepage"><div><div><h3 class="title"><a id="config-nat-behaviour"></a>NAT Behavioral Requirements</h3></div></div></div><p>RFC 6296 states that NPTv6 translators must support hairpinning behaviour.
      This means that when an NPTv6 Translator receives a datagram on the
      internal interface that has a destination address that matches the
      site's external prefix, it will translate the datagram and forward it
      internally. While it is possible that the network works correctly
      without this depending on the configuration of the external router, it
      is desirable to have hairpinning behaviour. The following ip6tables rules
      will enable this:</p><pre class="programlisting">ip6tables -t mangle -A PREROUTING -d 2001:0DB8:0001::/48 -j MARK --set-mark 42
ip6tables -t mangle -A PREROUTING -d 2001:0DB8:0001::/48 -j DNPTV6 --to-destination FD01:0203:0405::/48
ip6tables -t mangle -A POSTROUTING -m mark --mark 42 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48
ip6tables -t mangle -A POSTROUTING -o eth0 -s FD01:0203:0405::/48 -j SNPTV6 --to-source 2001:0DB8:0001::/48</pre></div></div><div class="section" title="IPv6/IPv4 Precedence"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="precedence"></a>IPv6/IPv4 Precedence</h2></div></div></div><p>With (EKU)buntu and possibly with RedHat, you will notice that
    your browser does not show the IPv6 version of a web site that is
    multi-homed when using ULA addresses for your IPv6 Internet connection.
    The reason for this is an add-on to the RFC 3484 rules that is compiled
    into the (EKU)buntu libc. The pre-installed
    <code class="filename">/etc/gai.conf</code> file will give you a hint on
    this.</p><p>In short: the getaddrinfo() library function rates a private IPv4
    address higher than the ULA IPv6 address when choosing the transport
    protocol for a new Internet connection if this add-on to the RFC 3484
    rules is compiled in. For this reason, you may want to change the
    precedence rules within <code class="filename">/etc/gai.conf</code> (see <a class="xref" href="#precedence-gai" title="Change gai.conf">Change gai.conf</a>).</p><div class="section" title="Change gai.conf"><div class="titlepage"><div><div><h3 class="title"><a id="precedence-gai"></a>Change gai.conf</h3></div></div></div><p>The getaddrinfo() library function manages lists of label,
      precedence, and scopev4 entries. If the
      <code class="filename">/etc/gai.conf</code> file provides no entry at all
      for a particular type, the compiled-in list for that type is used. For this reason,
      you cannot uncomment a single entry to override one default: you need
      to uncomment all entries of that type. The
      <span class="quote">“<span class="quote">label</span>”</span> lines compare source addresses, the
      <span class="quote">“<span class="quote">precedence</span>”</span> lines compare destination addresses.</p><div class="procedure" title="Procedure 1. Change IPv6 Precedence"><a id="id499064"></a><p class="title"><strong>Procedure 1. Change IPv6 Precedence</strong></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>Open the <code class="filename">/etc/gai.conf</code> file as root user,
          e.g. by executing <strong class="userinput"><code>sudo nano
          /etc/gai.conf</code></strong>.</p></li><li class="step" title="Step 2"><p>Remove the leading hash character from the 8 lines starting
          with <span class="quote">“<span class="quote">#label</span>”</span>.</p></li><li class="step" title="Step 3"><p>Re-add the hash character to the line stating <span class="quote">“<span class="quote">#label
          fc00::/7 6</span>”</span>.</p></li><li class="step" title="Step 4"><p>Save the file.</p></li><li class="step" title="Step 5"><p>Restart your browser and re-try to browse to a multi-homed web
          site.</p></li></ol></div><p>The above procedure removes the difference between standard IPv6
      source addresses and ULA type private IPv6 source addresses. Anything
      else is unchanged.</p></div></div></div></body></html>
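The checksum-neutral prefix mapping that the SNPTV6 and DNPTV6 targets perform, worked through in Python for the /48 Prefix Mapping Example from the Brief Version section. This is an added example and not code from the NPTv6 package; the function names are my own, it uses only the standard ipaddress module, and it also covers the /49 to /64 case, where the adjustment moves into the interface identifier.

```python
import ipaddress

def ones_complement_sum16(words):
    """One's complement sum of 16-bit words (end-around carry folded in)."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)
    return total

def words_of(addr):
    """The eight 16-bit words of an IPv6 address given as str or int."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]

def nptv6_translate(addr, from_prefix, to_prefix):
    """Rewrite the prefix of addr from from_prefix to to_prefix ('net/len', equal
    lengths, at most /64) keeping the one's complement sum of the address (RFC 6296)."""
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    plen = src.prefixlen
    if plen != dst.prefixlen or plen > 64:
        raise ValueError("prefixes must have the same length of at most /64")
    a = ipaddress.IPv6Address(addr)
    if a not in src:
        raise ValueError("address is not inside the prefix being translated")
    # adjustment = sum(old prefix) - sum(new prefix), in one's complement
    dst_sum = ones_complement_sum16(words_of(int(dst.network_address)))
    adj = ones_complement_sum16(words_of(int(src.network_address)) + [dst_sum ^ 0xFFFF])
    w = words_of((int(a) & ~int(src.netmask)) | int(dst.network_address))
    # /48 or shorter: the subnet field (bits 48-63) absorbs the adjustment;
    # /49 to /64: the first IID word that is not 0xFFFF absorbs it instead.
    if plen <= 48:
        idx = 3
    else:
        idx = next((i for i in range(4, 8) if w[i] != 0xFFFF), None)
        if idx is None:
            raise ValueError("no IID word is free for the checksum adjustment")
    w[idx] = ones_complement_sum16([w[idx], adj])
    if w[idx] == 0xFFFF:  # 0xFFFF is one's complement zero; write it as 0x0000
        w[idx] = 0
    return str(ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in w)))

def checksum_neutral(addr_a, addr_b):
    """True when both addresses have the same one's complement 16-bit sum."""
    a, b = (ones_complement_sum16(words_of(x)) % 0xFFFF for x in (addr_a, addr_b))
    return a == b
```

Translating FD01:0203:0405:0001::1234 outbound yields 2001:db8:1:d550::1234, the value RFC 6296 gives for this example, and translating it back with the prefixes swapped restores the original address.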
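To see why Procedure 1 has the effect described in the Change gai.conf section, here is an added Python example (not part of this package) that applies steps 2 and 3 to a constructed gai.conf excerpt modelled on the commented-out defaults, and looks up the RFC 3484 label of a ULA source and a global destination by longest prefix match, as getaddrinfo() does for its "prefer matching label" rule. The sample file contents and the function names are assumptions.

```python
import ipaddress

# Constructed sample modelled on the commented-out defaults in /etc/gai.conf
# (the eight "#label" lines the procedure refers to); not the shipped file verbatim.
SAMPLE_GAI_CONF = """\
# Configuration for getaddrinfo(3).
#label ::1/128       0
#label ::/0          1
#label 2002::/16     2
#label ::/96         3
#label ::ffff:0:0/96 4
#label fec0::/10     5
#label fc00::/7      6
#label 2001:0::/32   7
"""

def apply_precedence_fix(text):
    """Steps 2 and 3 of Procedure 1: uncomment every '#label' line, then
    comment the 'label fc00::/7 6' line again."""
    out = []
    for line in text.splitlines():
        if line.startswith("#label"):
            line = line[1:]
        if line.split()[:2] == ["label", "fc00::/7"]:
            line = "#" + line
        out.append(line)
    return "\n".join(out) + "\n"

def label_table(text):
    """Label entries in use: the uncommented 'label' lines, or, when the file has
    none of that type, the commented lines documenting the compiled-in list."""
    active = [l for l in text.splitlines() if l.startswith("label ")]
    if not active:
        active = [l[1:] for l in text.splitlines() if l.startswith("#label ")]
    return [(ipaddress.IPv6Network(l.split()[1]), int(l.split()[2])) for l in active]

def label_of(addr, table):
    """RFC 3484 label lookup: the longest matching prefix wins."""
    a = ipaddress.IPv6Address(addr)
    matches = [(net.prefixlen, lab) for net, lab in table if a in net]
    return max(matches)[1] if matches else None

def prefers_ula_source(text, dest="2001:db8::1", ula_src="fd01:203:405:1::1234"):
    """Rule 5 of RFC 3484 (prefer matching label): does the ULA source address
    carry the same label as the global destination?"""
    table = label_table(text)
    return label_of(ula_src, table) == label_of(dest, table)
```

With the defaults, the ULA source gets label 6 while the global destination gets label 1, so the labels mismatch; after the procedure the fc00::/7 entry is gone and both fall under ::/0 with label 1.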