This article reviews a number of popular IPv6 tunneling protocols to help you decide which one to use when getting your LAN IPv6-connected. Read about the strengths and weaknesses of each protocol, and learn how to transition your IPv4 LAN to a dual-stack IPv4/IPv6 network.
IPv6 is the next-generation version of the IP protocol, designed to replace IPv4 and solve the problem of IPv4 address exhaustion. While IPv4 designates 4 bytes per IP address (roughly 4 billion addresses), IPv6 designates 16 addresses (4 billion to the fourth power). Indeed, there are so many addresses that a typical home LAN would be allocated a /64 network, or 4 billion squared.
IPv6 already is available through some ISPs, such as AT&T and Comcast, in select areas. However, not everyone is lucky enough to have the connectivity. For starters, wired copper connections require DOCSIS 3 modems, which not all ISPs provision. Second, your home or small-office router must support IPv6 as well. Finally, although most desktop/laptop OSes do support IPv6, certain devices, such as Microsoft's Xbox, do not. On the mobile-phone and tablet front, things are mixed as well. For example, T-Mobile has support only for certain phones (support.t-mobile.com/message/140209#140209), and the setup process is not straightforward.
On the positive side, core Internet services, such as DNS and large data centers and networks, are much closer to IPv6 deployment. Companies like Google, Facebook and WikiMedia have enabled IPv6 across their servers and are processing a fraction of their traffic over the new protocol. As IPv4 addresses become more and more expensive, IPv6 is becoming more and more attractive to networks and Web site operators alike.
All in all, IPv6 deployment is a chicken-and-egg problem. The more consumers there are with IPv6-enabled, or even IPv6-only connectivity, the more that Web site operators will support IPv6. On the other hand, as more IPv6-accessible content becomes available, IPv6 connectivity will become a priority and a competitive point for ISPs. Google has been collecting statistics about IPv6 connectivity, both overall and by country (www.google.com/ipv6/statistics.html), and it estimates that as of March 2013, more than 1% of its traffic comes in the form of IPv6. Although the figure may seem low, that number grew 500% since March 2011 and shows no signs of slowing down.
Amidst this grand shift of underlying protocols on the Internet, you can help by becoming one more Internet denizen with IPv6 connectivity, even if your ISP does not support IPv6 natively. This is accomplished by setting up a tunnel between your IPv6 only network and a tunnel broker. A tunnel broker is an entity that provides you with an IPv6 address set (a subnet) and a way to communicate to one of its “points of presence” or PoPs via a special tunneling protocol.
In this article, I review my experiences and observations of several of these tunneling protocols. I also look at their advantages and disadvantages, and provide basic instructions on how to get started with them.
Generally, the most important bit of equipment you will need is an IPv6-capable router. Some consumer-grade routers now come with IPv6 support, but you also may be able to “upgrade” your existing router by using third-party firmware, such as Tomato, DD-WRT, OpenWRT and so on. When selecting an IPv6-capable router, it is important to make sure that it also comes with an IPv6 firewall. A major change from IPv4 to IPv6 for consumer LANs is that with IPv4, your NAT used to act like a firewall. Indeed, by default, none of the hosts behind your NAT were accessible from the outside world. If you wanted to have access to a Web server, a game server or NAS from the Internet, you had to “forward ports” in your router's settings.
This isn't the case with IPv6. In fact, the whole point of IPv6 is to provide at least one globally unique address to every host on your network. This opens up your printer to everyone in the world who has IPv6 connectivity. Although this isn't the most likely scenario, others might connect to it and use it as their own. Things like computers with Webcams, NAS devices and so on are all susceptible to this issue.
Despite this grim outlook, remember that NAT never was meant to be a security system. That is the job of your firewall. It is simple to disallow forwarding of any incoming connections by default and then enable specific ports to be allowed using a good firewall. Thus, when looking for a new IPv6-capable router, make sure to get one with a built-in firewall control panel. This will make it a lot easier than dealing with ip6tables and the like on the command line.
IPv6 addresses are composed of 128 bits. A typical IPv6 address looks like 2001:0db8:85a3:0000:0000:8a2e:0370:7334. Note that leading zeros may be omitted like so: 2001:db8:85a3:0:0:8a2e:370:7334. Further, groups of zeros may be skipped once in the address by using the double : symbol, like so: 2001:db8:85a3::8a2e:370:7334. In this manner, an address like 2001:0db8:85a3:0000:0000:0000:0000:0001 could be written as 2001:db8:85a3::1.
An IPv6 also is logically divided into the network prefix and subnet parts, with the first and second 64 bits devoted to each, respectively. Therefore, in the example above, the network prefix is 2001:db8:85a3:0, and the local part is :0:8a2e:370:7334. Currently, an IPv6 address cannot be routed to more than one subnet using a /64 network prefix. If you are interested in that type of functionality, you need to secure a larger network prefix, such as a /48 (where only the first 48 bits are the network prefix).
To learn more about IPv6 addressing, read the IPv6 address page on Wikipedia (en.wikipedia.org/wiki/IPv6_address).
In a lot of cases, a modern operating system can use what is called “stateless autoconfiguration”, where given a subnet prefix and the MAC address of the network interface, a globally unique IPv6 address, may be constructed. This is done by combining those two pieces of data using a predictable algorithm. Although convenient, this may create privacy concerns, as a Web site operator will know your computer's globally unique MAC address. To address this, some operating systems implement what is called IPv6 privacy extensions, where in addition to the static IPv6 address, a dynamic one is generated periodically (typically every hour) and used for making outgoing connections. This does not guarantee privacy (after all, your network/subnet prefix is always known), but it does let you hide your MAC address. This functionality typically is disabled on servers and routers, and enabled on end-user hosts.
Note: if you are used to remembering IPv4 addresses of certain hosts, your life will become a lot more difficult when using IPv6. Instead, you should use DNS to set up easy-to-remember hostnames. Using DNS with IPv6 is fairly straightforward, but an in-depth discussion of it warrants its own article.
If you are lucky enough to have a stable, or at least infrequently changing IPv4 address from your ISP, and you have full control of your router, this method is likely to be the most stable option. Static 6in4 tunnels typically are established with one of the popular tunnel brokers, such as Hurricane Electric's Tunnel Broker (https://tunnelbroker.net), SixXS (https://sixxs.net, pronounced “Six Access”) or one of many others. When you sign up for an account with one of the tunnel brokers, you are given the opportunity to create a tunnel and a subnet that you then can use.
Now, some terminology is in order:
Tunnel ID: typically, a tunnel will have a unique identifier that you may use in various configuration files.
Server IPv4 address: the IPv4 endpoint of the tunnel broker's PoP. Most tunnel brokers let you find a PoP that is closest to you geographically, in order to reduce latency.
Server IPv6 address: the IPv6 address of the server to which you will be connecting. This address is unique to your tunnel.
Client IPv4 address: your router's IPv4 address.
Client IPv6 address: your router's IPv6 address.
Routed /64 or routed /48: this is the subnet within which you will assign addresses to all your hosts. Somewhat confusingly, your router also may have an address in this subnet.
Note: the routed /64 and the client/server IPv6 address usually will differ by 1 in one of the digits. Do not confuse them in your configuration files, as using one in place of the other will not work.
Once you set up your account, you will be given the values for all of the above-mentioned items. You then will be able to put them into the router settings for IPv6. Once everything is plugged in, your router should have IPv6 connectivity. This means you can use an on-line ping6 tool (such as www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-ping.php) to test that your client IPv6 address is accessible. Similarly, if you have command-line access to your router, you can run the following to test that your router can access IPv6-enabled hosts:
$ ping6 google.com
The next step is to assign addresses to the rest of the hosts on your LAN. Under the hood, this typically is done using a tool called radvd, which stands for router advertisement dæmon. This dæmon periodically will send out ICMPv6 packets indicating which IPv6 network prefix may be used by the hosts on the LAN. Each IPv6-capable host on your LAN then will use this prefix, along with its MAC address to determine a static, globally accessible IPv6 address for itself, and will set up a proper routing table.
Note that you likely also will want to enable the IPv6 firewall on your router prior to enabling address assignment for the rest of your LAN. Typically, you will want to allow all connections that originate on your routed subnet and disallow all others. You also may want to enable SSH access if that is something you use, for either specific hosts or all the hosts on the network, by allowing connections to port 22.
If your router does not natively support IPv6, you can use a different computer as your IPv6 router. There are more detailed guides elsewhere that will walk you through the necessary steps for each OS and distribution, but the steps roughly are as follows:
Set the computer as the DMZ machine in your router (necessary for it to be reachable via protocol 41).
Enable the IPv6 firewall on the computer.
Enable IPv6 routing.
Set up the IPv6 tunnel.
Set up LAN address assignment to give IPv6 addresses to the rest of your LAN.
Small computers with low power consumption, such as Raspberry Pis, can be used for this purpose if you don't want to replace your current router.
Which tunnel broker should you choose? That question requires you to do some homework. The biggest consideration for choosing a tunnel broker is whether it has a PoP fairly close to you. If you live in Los Angeles, but your PoP is in Amsterdam, your latency will suffer.
Hurricane Electric's tunnel broker and SixXS both have a large number of PoPs in the US, Europe and Asia. Wikipedia has a larger list of tunnel brokers (en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers). SixXS is the largest, judging by the PoP size (52 as of March 2013).
There is also a difference in the style of service provided by these operators. Hurricane Electric's tunnel broker is a free, no-strings-attached service with good support from Hurricane Electric. The company provides many other paid services, and tunnelbroker.net is, if anything, a way for people to be aware of its other offerings.
SixXS, on the other hand, is a nonprofit service directed at end users. It comes with some strings attached, the biggest of which is that all requests for tunnels, subnets and so on must be reviewed by a SixXS volunteer before being approved. There also is a point system, where you may lose points, and therefore privileges, if you do not keep your static tunnel running. Do not let this discourage you. Although it seems like there are more hoops to jump through, there also is a helpful community behind this project, and in some cases, it is easier to set up the tunnel and keep it running, because SixXS provides its AICCU software—a dæmon that will keep all your configuration up to date at all times.
The 6in4 heartbeat tunnel is a variant of the static 6in4 tunnel, where a heartbeat allows for dynamically changing IPv4 address to be updated with the server. If you do not have a static IPv4 address from your ISP, this may be a very good choice for you, because it will mean uninterrupted service, even if your IPv4 address gets updated. Currently, only SixXS offers this type of tunnel; however, Hurricane Electric's tunnel broker provides a way to update your IPv4 address periodically over HTTP to achieve a similar effect. The beauty of the 6in4 heartbeat protocol is that when your IPv4 address is not changing, you are using a static IPv6 tunnel with all of its benefits, such as having a permanent IPv6 address for all your hosts, low protocol overhead and a stable PoP. In many cases, if your router supports it, the 6in4 heartbeat from SixXS is the best choice.
AYIYA is different from 6in4 in that it does not use protocol 41. Instead, IPv6 packets are encapsulated in UDP/IPv4 packets. This introduces more overhead, as there are more packet headers. It does provide some very nice benefits, such as increased security and being able to traverse NAT boundaries, and it is harder for your ISP to block.
Currently, SixXS is the only tunnel broker that provides AYIYA tunnels, but because it is the largest tunnel broker, that should not deter you. AYIYA with SixXS is also exempt from losing credits with SixXS if they are not up and running, because they are specifically designed to be dynamic.
Unlike 6in4, each packet over AYIYA is signed using a shared secret, allowing for greater security. As with other tunnel types from SixXS, its official client, AICCU, automatically brings up this type of tunnel for you.
Because AYIYA uses UDP, it is able to traverse most typical types of NAT without any special cooperation from the router. This means that if your router does not support IPv6 tunneling natively, or if you do not have control over your router, you still may be able to get your entire LAN IPv6-connected using this protocol. To do so, you would designate a computer inside your LAN/NAT as the IPv6 router and firewall, bring up an AYIYA tunnel on it, and then use radvd to give addresses to the rest of the hosts on your network.
Another use case for AYIYA is when you want IPv6-connectivity on the go. A typical coffee shop likely will not provide you with IPv6 access. If you want to connect to IPv6 resources from a coffee shop, Internet café or the like, you could set up an AYIYA tunnel on your laptop and turn it on only when you are at one of these locations. Once again, because AYIYA looks like UDP/IPv4, the network operator is not likely to block it. In this use case, you would be able to connect to your hosts on your home or office network, because they will have static IPv6 addresses. Indeed, this is how I typically work remotely: ssh to my workstation at home or at the office from whatever network I happen to be on.
AYIYA does have some disadvantages. Due to its nature, it has more protocol overhead. Additionally, when traversing a NAT, your router will treat this traffic like any other UDP traffic, so if are using some type of QoS rule set, you may want to adjust it to allow AYIYA to have a sufficiently high priority (since it can carry all types of traffic of its own, from DNS requests to streaming video). Generally, a static tunnel is preferred vs. AYIYA, but certain distinct use cases make AYIYA more appealing.
6to4 tunnels (note that 6to4 is different from 6in4, although the two are related) are based on a protocol that is meant to be used during the transitional period, when both IPv4 and IPv6 are enabled. A 6in4 tunnel uses protocol 41, just like 6in4. The difference is that instead of having an explicit tunnel provider with an account, a routed subnet and so on, your host's address is determined purely by its public IPv4 address. Each host on the public IPv4 Internet is given an IPv6 address that starts with 2002. For example, if your public IPv4 address was 192.0.2.4, your IPv6 address would be 2002:c000:0204::1/48 (192 becomes c0, 0 becomes 00, 2 and 4 become 02 and 04, respectively). You can choose a suffix other than ::1. Indeed, using this method, you have an entire /48 network, giving you an 80-bit address space to play with. You can use this address space to allocate addresses to the rest of your LAN.
On the surface, it would seem that a 6to4 tunnel is preferable to a static 6in4 tunnel. Indeed, it is easier to configure, requiring commands using /sbin/ip on Linux, for example. It does, however, have several downsides that generally would disqualify it from being used in practice. First, your IPv6 address would depend on your IPv4 address. This means that if your IPv4 address changes, so does the IPv6 one. If you are using a static 6in4 tunnel, your IPv6 address always is the same, which can be a big deal if you want to access hosts inside your LAN while on the go.
Additionally, when using 6to4, you are going to route your traffic through an anycasted IPv4 address, which may or may not be ideally located compared to where you are. With a static 6in4 tunnel, you get to choose your PoP, and your network becomes predictable.
All in all, 6to4 is best avoided, unless other methods of obtaining IPv6 connectivity are not available.
Teredo is a last-resort protocol. It should not be used in any but the most dire circumstances. However, it is important to cover it here, because it does provide distinct benefits in some limited circumstances. Teredo's claim to fame is its ease of use. There are no accounts to set up, no tunnels to configure, and no firewall rules to write. Teredo is an IPv6 in UDP/IPv4 protocol, similar to AYIYA. The difference is that it also includes a clever address assignment scheme whereby your public IPv4 address and your private IPv4 address on your LAN are combined and used as a part of the IPv6 address. Theoretically, even if your computer is behind several layers of NAT, you still can get IPv6 connectivity using Teredo.
Although the above upside to Teredo is a big win for this tunnel type, it has several downsides. First, not all types of NAT are supported. Specifically, a Teredo tunnel cannot traverse a symmetric NAT. While this NAT type typically is not found on consumer LANs, it is possible to encounter it on networks you do not control.
Second, only a single address is assigned to each tunnel endpoint. Therefore, it is impossible to connect several hosts to the IPv6 Internet using a single Teredo tunnel. Instead, each host would have to run its own Teredo tunnel. Although most desktop/laptop operating systems are capable of this, other devices, such as mobile phones and tablets, are not able to do this, even though they are perfectly capable of connecting to an IPv6-enabled LAN.
Third, the IPv6 address you get is not static. In essence, you can connect to IPv6-enabled resources, but others cannot connect to you. This point alone may override the usefulness of Teredo for most LAN operators.
Finally, I have seen several coffee-shop networks where Teredo did not work, while AYIYA did. This may be an issue if this is your primary reason for using Teredo.
A typical use case for Teredo is when you do not already have an AYIYA tunnel set up with SixXS, are on the go and are trying to access hosts on your home/office LAN over IPv6. In that case, simply fire up a Teredo tunnel, and if there is no filtering on your on-the-go LAN, you will get IPv6 connectivity. On Linux, Teredo is implemented with a software package called miredo. Simply installing it on one of the popular distributions will bring up a Teredo tunnel.
If you have an interest in trying out IPv6 on your workstation or LAN in your home or office, you have many options. When choosing the tunneling method, your best bet is going to be a static 6in4 tunnel from Hurricane Electric's tunnel broker or a 6in4 heartbeat tunnel from SixXS. Another option you may consider will include AYIYA if you do not control your router, or if the router is incapable of IPv6 routing or if you are frequently on the go. Finally, 6to4 tunneling and Teredo are available as last-resort options when for whatever reason nothing else will work.
Happy IPv6 networking!
