Tuesday, August 13, 2013

Setup an IPv6 Tunnel through Hurricane Electric on a Cisco Router

I've set up my home network with an IPv6 tunnel through Hurricane Electric. The process is pretty straightforward, and I'll share what I learned in this post.

How a Manual IPv6-in-IPv4 Tunnel Works
Using an IPv6-in-IPv4 tunnel through Hurricane Electric is useful when your current ISP doesn't yet offer native IPv6 service or tunneled 6rd service. In this case, you need to tunnel IPv6 traffic across an intermediate IPv4-only network (or the Internet). I set up my tunnel broker account through HE as an initial step in learning IPv6 prior to switching to the IPv6 service offered by my current ISP (CenturyLink). In a future post, I'll describe setting up the CenturyLink 6rd tunneling service, which will be slightly different.

The HE tunnel broker service uses a manually configured IPv6-in-IPv4 tunnel, and how it works is straightforward. You define an IPv4 tunnel source (your local dual-stack router's WAN interface), an IPv4 tunnel destination (the HE dual-stack router), and a default route on your local router that directs all IPv6 traffic across the tunnel. All IPv6 traffic is encapsulated inside an IPv4 packet and sent across the IPv4-only network. When the packet reaches the tunnel destination router, the outer IPv4 header is stripped off and the IPv6 packet is forwarded to its destination.

Manual IPv6-in-IPv4 Tunnel

There are a few things you'll need before you get started:
  • A static IPv4 address from your ISP - preferred for a manual IPv6-in-IPv4 tunnel so the tunnel destination router can encapsulate return traffic back to your local router. You can use a dynamic IPv4 address, but it requires updating the tunnel definition every time it changes (see this FAQ).
  • A dual-stack capable router - in my case, I'm using a Cisco router. 

Setting Up the Tunnel Broker Service
There are a few steps involved in setting up the tunnel broker service.
  1. Create an account at http://tunnelbroker.net
    Enter a username and password in the login box and click the "Register" button. Fill in your information to complete the process.

  2. Create a new tunnel
    Click the "Create Regular Tunnel" link in the User Functions section. You'll need to enter the IPv4 address of your local router's WAN interface, which must be a publicly routable Internet address (not a private RFC 1918 address). Then select a tunnel server from the list below. This will be the tunnel destination router that Hurricane Electric provides to terminate your tunnel service. I recommend selecting the closest server to your location for lowest latency performance. Click the "Create Tunnel" button on the bottom of the form.

    Hurricane Electric Regular Tunnel Creation
  3. View your tunnel details
    You will need to take note of a few items that will be used when configuring your local router:
    - Server IPv4 Address - will be used as the IPv4 tunnel destination.
    - Server IPv6 Address - for reference only as the IPv6 tunnel endpoint.
    - Client IPv4 Address - will be used on your local router's WAN interface as the tunnel source.
    - Client IPv6 Address - will be used on your local router's tunnel interface to establish a neighbor relationship with the server's IPv6 address on the other end of the tunnel.
    - Routed /64 - this is the /64 network prefix that you can use internally on your local network for IPv6 capable hosts.
    - Available DNS Resolvers - you can use these ISP-provided, IPv6-capable DNS servers to look up IPv6 resources on the Internet (such as web servers, mail servers, etc.). Alternatively, you could use any public IPv6 DNS servers (such as OpenDNS or Google).

    Hurricane Electric Tunnel Details
  4. Optionally - assign a /48 prefix to your local network
    If you need more than one routed IPv6 prefix on your local network, Hurricane Electric can assign you an entire /48 prefix, which will be routed across the tunnel. You can then break it into smaller network prefixes for use on multiple links in your local network. To assign a /48 prefix, click the "Assign /48" link.

Setting Up Your Cisco Router for IPv6
Next, we'll need to configure your local Cisco router.

First, enable IPv6 routing and Cisco Express Forwarding (CEF):

ipv6 unicast-routing
ipv6 cef

Second, you'll want to create a tunnel interface for the link to the Hurricane Electric tunnel broker service.

interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker

 ! No IPv4 address will be on the tunnel interface
 no ip address

 ! Enable IPv6 on the interface
 ipv6 enable

 ! Assign a Global Unicast Address to the tunnel interface.
 ! Use the Client IPv6 Address assigned to you by Hurricane
 ! Electric. This will allow your router to establish a neighbor
 ! relationship with the other tunnel endpoint router,
 ! referenced as Server IPv6 Address.
 ipv6 address 2001:470:XXXX:XXXX::2/64

 ! Set an IPv6 MTU that adjusts for the 20-byte IPv4
 ! encapsulation caused by the tunnel. This prevents
 ! dropping packets and sending back an ICMP
 ! Packet-too-Big error. I have a PPPoE link and reduce
 ! the MTU another 8 bytes. 1500-20(IPv4)-8(PPPoE) = 1472.
 ipv6 mtu 1472

 ! You may want to secure your local network using an
 ! IPv6 ACL and traffic inspection. I'll cover these in
 ! a subsequent post. The inspect rule set (v6firewall) and
 ! the ACL (v6Outside_ACL) referenced below must already be
 ! defined in global configuration before these lines apply.
 ipv6 inspect v6firewall in
 ipv6 inspect v6firewall out
 ipv6 traffic-filter v6Outside_ACL in

 ! Configure the tunnel mode as a manual IPv6-in-IPv4 tunnel.
 tunnel mode ipv6ip

 ! Configure the tunnel source and destination IPv4 endpoints.
 ! The tunnel source is the IPv4 address on your local router's
 ! WAN interface. The tunnel destination is the Server IPv4 Address
 ! provided by Hurricane Electric (replace the placeholder with
 ! the value from your tunnel details page).
 tunnel source 63.224.XXX.XXX
 tunnel destination <Server-IPv4-Address>

Next, install a default route for all IPv6 traffic originating from your local network to traverse the tunnel.

ipv6 route ::/0 Tunnel0

Configure a stateless DHCPv6 server to assign IPv6 DNS servers and a domain suffix to clients so they can resolve hostnames to IP addresses. A stateless DHCPv6 server does not hand out IPv6 addresses to clients or maintain a binding database. In my setup, I'll be using SLAAC to allow clients to autoconfigure addresses on the local link based on the prefix(es) advertised by the router in ICMPv6 Router Advertisements. You can use the ISP-provided DNS servers or any public server, as mentioned previously.

ipv6 dhcp pool DHCPv6
 dns-server 2001:470:20::2
 domain-name yourdomain.com

Configure a local LAN interface with the routed IPv6 network assigned to you by Hurricane Electric. This may be the /64 prefix originally assigned to your network or a smaller portion of a /48 if you requested one (break the /48 into smaller /64 prefixes for multiple internal network links). This interface is typically a dual-stack interface, meaning it will support both IPv4 and IPv6 clients. This is important to allow clients to continue to use IPv4 to access services which are not yet available over IPv6.

interface FastEthernet0/0
 ! IPv4 side of the dual-stack LAN interface (replace the
 ! placeholders with your inside IPv4 address and mask)
 ip address <LAN-IPv4-Address> <Subnet-Mask>
 ip nat inside
 ip virtual-reassembly in

 ! Enable IPv6 on the interface
 ipv6 enable

 ! Configure the assigned /64 prefix from Hurricane Electric
 ! on the local LAN interface.
 ipv6 address 2001:470:XXXX:XXXX::1/64

 ! Advertise a smaller IPv6 MTU than the default 1500 bytes
 ! in order to account for tunnel overhead. The minimum IPv6
 ! MTU is 1280 bytes and is a safe bet. This prevents dropping
 ! packets due to IPv6 tunneling mechanisms.
 ipv6 mtu 1280

 ! Advertise the ability for clients to configure other
 ! parameters such as DNS by setting the other-config-flag
 ! in Router Advertisements.
 ipv6 nd other-config-flag

 ! Assign the previously defined DHCPv6 server to this interface.
 ipv6 dhcp server DHCPv6

The configuration of the IPv6 MTU on the local LAN interface is important because Path MTU discovery often does not work across the Internet when stateful security devices block ICMP Packet-too-Big error messages. Even if your tunnel supports a higher MTU than the minimum 1280 bytes, such as 1472 bytes, you may run into situations where some IPv6 Internet resources still require a smaller MTU because tunneling occurs elsewhere along the route.
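The encapsulation described earlier (an IPv6 packet carried behind an IPv4 header with protocol number 41) and the MTU arithmetic from the tunnel interface comments, as an added Python example that is not part of the original post. The IPv4 addresses and the IPv6 payload are constructed sample values, and the outer-source check in decapsulate_6in4 is a check this example performs because a point-to-point tunnel has exactly one valid peer.

```python
import socket
import struct

IPPROTO_IPV6 = 41  # protocol number for IPv6-in-IPv4 ("6in4") in the outer header

# Constructed sample: a minimal IPv6 packet (40-byte header, next header 59 =
# "no next header", 4-byte payload) standing in for traffic leaving the LAN.
SAMPLE_IPV6 = bytes.fromhex("6000000000043bff") + bytes(32) + b"ping"

def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tunnel_ipv6_mtu(link_mtu: int = 1500, pppoe: bool = False) -> int:
    """Largest IPv6 packet that fits the WAN link once the 20-byte IPv4 header
    (plus 8 bytes of PPPoE, if used) is added; never below the IPv6 minimum."""
    return max(link_mtu - 20 - (8 if pppoe else 0), 1280)

def encapsulate_6in4(ipv6_packet: bytes, src_v4: str, dst_v4: str, ttl: int = 255) -> bytes:
    """Prepend the outer IPv4 header the tunnel source router adds."""
    # version 4 / IHL 5, DSCP 0, total length, id 0, DF set, TTL, proto 41, csum 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6_packet), 0, 0x4000,
                      ttl, IPPROTO_IPV6, 0, socket.inet_aton(src_v4), socket.inet_aton(dst_v4))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + ipv6_packet

def decapsulate_6in4(frame: bytes, tunnel_peer: str) -> bytes:
    """Strip the outer header as the tunnel destination does. Frames that are not
    protocol 41, fail the checksum, or did not come from the configured peer are
    rejected rather than forwarded."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (frame[0] & 0x0F) * 4
    if ipv4_checksum(frame[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    if frame[9] != IPPROTO_IPV6:
        raise ValueError("not an IPv6-in-IPv4 packet")
    if socket.inet_ntoa(frame[12:16]) != tunnel_peer:
        raise ValueError("outer source is not the tunnel peer")
    total_len = struct.unpack("!H", frame[2:4])[0]
    return frame[ihl:total_len]
```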

Testing It All Out
Once you've got your tunnel established and local LAN configured, let's test it out.

From your router, ping the Server IPv6 Address across the tunnel. This will verify IPv6 reachability between the two tunnel endpoints.

cisco-router#ping 2001:470:XXXX:XXXX::1   
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:470:XXXX:XXXX::1, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms

Connect a client to your local LAN. This will verify that a client is properly receiving an IPv6 address from your router. Here is an example using an Apple MacBook Pro connected to an IPv6 network over Wi-Fi:

Apple MacBook Pro IPv6 Network Connection

You will notice that the Cisco router sends Router Advertisements (RAs) using its link-local address in the fe80::/16 address block. Embedded in the RA is information about the network prefixes configured for the link, whether or not clients should use autoconfiguration (SLAAC) to obtain an address, and the other-config-flag that tells clients to use stateless DHCPv6 for DNS and domain suffix assignment. Most modern clients will autoconfigure two global IPv6 addresses: one using the EUI-64 format based on the Ethernet MAC address of their interface, and one using the auto-generated random method for security and privacy. Hosts will typically prefer the random (temporary) address when initiating sessions with other hosts.

vonNagyMBP13:~ andrewvonnagy$ ifconfig en1
en1: flags=8863 mtu 1500
ether 68:xx:xx:xx:1b:f0 
inet6 fe80::6axx:xxff:fexx:1bf0%en1 prefixlen 64 scopeid 0x5 
inet6 2001:470:XXXX:XXXX:6axx:xxff:fexx:1bf0 prefixlen 64 autoconf 
inet6 2001:470:XXXX:XXXX:4d2f:7cb8:221c:f6a1 prefixlen 64 autoconf temporary 
inet netmask 0xffffff00 broadcast
media: autoselect
status: active
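The Router Advertisement contents described above and the EUI-64 address formation visible in the ifconfig output, as an added Python example that is not part of the original post. The prefix 2001:db8:1:2::/64 and the MAC address 68:5b:35:c0:1b:f0 are constructed sample values, and the ICMPv6 checksum is left at zero because no pseudo-header is available here.

```python
import ipaddress
import struct

RA_FLAG_MANAGED = 0x80   # M: addresses come from stateful DHCPv6
RA_FLAG_OTHER = 0x40     # O: other config (DNS, domain) via stateless DHCPv6
PIO_FLAG_ONLINK = 0x80   # L: prefix is on-link
PIO_FLAG_AUTO = 0x40     # A: prefix may be used for SLAAC

def build_ra(prefix: str, managed: bool = False, other: bool = True,
             autonomous: bool = True) -> bytes:
    """Constructed ICMPv6 Router Advertisement (type 134) with one Prefix
    Information option, as a router with other-config-flag set would send."""
    net = ipaddress.IPv6Network(prefix)
    flags = (RA_FLAG_MANAGED if managed else 0) | (RA_FLAG_OTHER if other else 0)
    # type, code, checksum (0 here), cur hop limit, flags, router lifetime,
    # reachable time, retrans timer
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, 1800, 0, 0)
    pflags = PIO_FLAG_ONLINK | (PIO_FLAG_AUTO if autonomous else 0)
    # option type 3, length 4 (units of 8 bytes), prefix length, flags,
    # valid lifetime, preferred lifetime, reserved, prefix
    pio = struct.pack("!BBBBIII16s", 3, 4, net.prefixlen, pflags,
                      2592000, 604800, 0, net.network_address.packed)
    return hdr + pio

def parse_ra(ra: bytes) -> dict:
    """Extract the M/O flags and each advertised prefix with its SLAAC (A) flag."""
    if len(ra) < 16 or ra[0] != 134:
        raise ValueError("not a Router Advertisement")
    info = {"managed": bool(ra[5] & RA_FLAG_MANAGED),
            "other_config": bool(ra[5] & RA_FLAG_OTHER), "prefixes": []}
    off = 16
    while off + 2 <= len(ra):
        otype, olen = ra[off], ra[off + 1] * 8
        if olen == 0:
            raise ValueError("zero-length ND option")
        if otype == 3 and olen == 32 and off + olen <= len(ra):
            plen, pflags = ra[off + 2], ra[off + 3]
            prefix = ipaddress.IPv6Address(ra[off + 16:off + 32])
            info["prefixes"].append((f"{prefix}/{plen}", bool(pflags & PIO_FLAG_AUTO)))
        off += olen
    return info

def slaac_address(prefix: str, mac: str) -> str:
    """Form the EUI-64 SLAAC address: flip the U/L bit of the first MAC byte
    (0x68 becomes 0x6a, as in the ifconfig output) and insert ff:fe."""
    b = bytearray(bytes.fromhex(mac.replace(":", "")))
    b[0] ^= 0x02
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])
    net = ipaddress.IPv6Network(prefix)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))
```

The temporary (privacy) address in the ifconfig output is generated randomly by the host and cannot be derived this way.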

You can also check the DNS settings on the host to ensure stateless DHCPv6 worked properly.

Apple MacBook Pro IPv6 DNS Server(s) and Domain Suffix

Next, ping the remote tunnel endpoint from the local LAN host across the tunnel. This will verify the routing for your assigned network prefix is working properly across the tunnel. Tip: be sure to use the correct ping6 command on Mac OS X!

vonNagyMBP13:~ andrewvonnagy$ ping6 2001:470:XXXX:XXXX::1
PING6(56=40+8+8 bytes) 2001:470:XXXX:XXXX:4d2f:7cb8:221c:f6a1 --> 2001:470:XXXX:XXXX::1
16 bytes from 2001:470:XXXX:XXXX::1, icmp_seq=0 hlim=63 time=35.977 ms
16 bytes from 2001:470:XXXX:XXXX::1, icmp_seq=1 hlim=63 time=33.656 ms
16 bytes from 2001:470:XXXX:XXXX::1, icmp_seq=2 hlim=63 time=32.902 ms
16 bytes from 2001:470:XXXX:XXXX::1, icmp_seq=3 hlim=63 time=35.838 ms
16 bytes from 2001:470:XXXX:XXXX::1, icmp_seq=4 hlim=63 time=35.926 ms
--- 2001:470:1F10:36::1 ping6 statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 32.902/34.860/35.977/1.313 ms

You might want to try resolving a AAAA DNS record:

vonNagyMBP13:~ andrewvonnagy$ dig @2001:470:20::2 www.google.com AAAA

; <<>> DiG 9.8.1-P1 <<>> @2001:470:20::2 www.google.com AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14297
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;www.google.com. IN AAAA

www.google.com. 52 IN AAAA 2607:f8b0:4009:802::1010

;; Query time: 38 msec
;; SERVER: 2001:470:20::2#53(2001:470:20::2)
;; WHEN: Tue Aug 13 15:24:33 2013
;; MSG SIZE  rcvd: 60

Finally, try hitting an IPv6 test website. A good one for North America is the North American IPv6 Task Force website. Look for the image of a turtle in the right sidebar along with detection of the IPv6 address being used by your host. You can also try hitting the Google IPv6 test webpage or http://test-ipv6.com/.

