
Understanding 6to4 addressing

Using an Airport Extreme with 6to4 connected to Comcast's cable modem system, I have an IPv6 address of 2002:473a:314d::219:e3ff:fed4:5512. How did this address get generated?

The network prefix:

2002 - the 6to4 prefix reserved by the IETF
473a:314d - my IPv4 address (71.58.49.77) represented in hex

The host component:

My MAC address is 00:19:e3:d4:55:12. This is split down the middle, with ff:fe inserted between the two halves, and the universal/local bit of the first octet is flipped (00 becomes 02), to form the host component of my IPv6 address.

Notes

  • 3rox is running a 6to4 gateway. It appears that 6to4 traffic going into PSU comes in over the I2 interface.

On-campus, wireless 6to4

VPN

6to4 tunneling does not work when a user is connected through the VPN. It appears that the VPN concentrator is blocking the 6to4 packets.

802.1X

6to4 tunneling works over 802.1X. However, since PSU is not running a 6to4 relay router, traffic must flow through 3rox, which is the closest relay router. Perhaps PSU (TNS?) should look into running a relay router for PSU hosts?

Mac OS X-provided 6to4 tunneling

Mac OS X has built-in 6to4 tunneling. However, when enabled, many apps won't use AAAA records. v6 connections will work if you specify the address.

Access control issues

Commonly, 6to4 addresses won't be nameserved, since the addresses are self-assigned dynamically. This can break access control lists that match on hostnames, such as TCP wrappers or NFS shares.

For example, a server might restrict SSH access to users on campus or in State College (on Comcast cable modems, for example). You might see this in /etc/hosts.allow:

sshd: .psu.edu .hsd1.pa.comcast.net

If that server is dual-stacked, and a 6to4-enabled client attempts to connect, the user will see this error message:

ssh_exchange_identification: Connection closed by remote host

In this case, the user must force a connection over IPv4. This can be done with OpenSSH's -4 option, for example.

Alternatively, the sysadmin could modify the ACL to include the 6to4 prefixes that correspond to PSU and State College Comcast IPv4 addresses.
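
The address derivation at the top of this page and the ACL change suggested above, as an added example (not part of the original page): it rebuilds the quoted 6to4 address from the IPv4 address and MAC, and converts IPv4 ranges into the 6to4 prefixes a hosts.allow entry would need. The function names are illustrative, and 192.0.2.0/24 is a documentation range standing in for the real PSU and Comcast allocations, which this page does not list.

```python
import ipaddress

SIX_TO_FOUR_BASE = int(ipaddress.IPv6Address("2002::"))  # 2002::/16, the 6to4 prefix


def sixtofour_prefix(ipv4_cidr):
    """Map an IPv4 network to the 6to4 network that embeds it.

    The IPv4 bits sit directly after the 16-bit 2002 prefix, so an IPv4 /n
    becomes a 6to4 /(16+n); a single address (/32) becomes a /48.
    """
    net = ipaddress.IPv4Network(ipv4_cidr)  # raises ValueError on bad input
    base = SIX_TO_FOUR_BASE | (int(net.network_address) << 80)
    return ipaddress.IPv6Network((base, 16 + net.prefixlen))


def eui64_interface_id(mac):
    """Host component: MAC split in half, ff:fe inserted, U/L bit flipped."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def sixtofour_address(ipv4, mac):
    """6to4 address of one host, with subnet ID 0 as in the page's address."""
    prefix = sixtofour_prefix(ipv4 + "/32")
    return ipaddress.IPv6Address(
        int(prefix.network_address) | eui64_interface_id(mac)
    )


def hosts_allow_line(daemon, ipv4_cidrs):
    """Build a hosts.allow entry using the [net]/prefixlen IPv6 pattern."""
    patterns = []
    for cidr in ipv4_cidrs:
        net = sixtofour_prefix(cidr)
        patterns.append("[%s]/%d" % (net.network_address, net.prefixlen))
    return "%s: %s" % (daemon, " ".join(patterns))


if __name__ == "__main__":
    # The page's own IPv4 address and MAC reproduce the address it quotes.
    print(sixtofour_address("71.58.49.77", "00:19:e3:d4:55:12"))
    # 192.0.2.0/24 is a documentation range standing in for a real allocation.
    print(hosts_allow_line("sshd", ["71.58.49.77/32", "192.0.2.0/24"]))
```

The generated patterns are added alongside the existing hostname patterns in /etc/hosts.allow, which continue to cover clients that do resolve.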