
The network at ARIN XXI was a bit more complex than a typical ARIN meeting network. In order to facilitate the IPv6 event we designed what amounts to three separate networks for ARIN XXI. These networks had three separate SSIDs: ARINXXI, ARINXXI-V6 and ARINXXI-V6-XP. The following diagram gives a view of the network topology.

IPv6 transit on each network was provided by tunnels back to the ARIN offices in Virginia where we have IPv6 transit through OCCAID via the Equinix IPv6IX. The following diagram depicts the IPv6 tunnel configuration.

ARINXXI: The primary network supported both IPv4 and IPv6. IPv4 addresses and DNS servers were assigned via DHCPv4, while IPv6 addresses were assigned using router advertisements (RA). IPv4 address space and transit were provided by our sponsor, Wild Blue. IPv6 address space and transit were provided by a tunnel back to the ARIN offices. This machine did not have any special configuration. It was set up as a Linux-based router with radvd providing IPv6 address advertisements to clients and BIND 9 providing DNS services. The IPv6 tunnel and routing were handled using standard Linux mechanisms.

IPv4 and IPv6 packet forwarding were enabled:

echo "1" > /proc/sys/net/ipv6/conf/all/forwarding
echo "1" > /proc/sys/net/ipv4/conf/all/forwarding

The IPv6 tunnel was set up:

ifconfig sit0 up
ifconfig sit0 inet6 tunnel ::199.43.0.65   # remote IPv4 endpoint at the ARIN offices; this creates sit1
ifconfig sit1 up
ifconfig sit1 inet6 add 2001:500:30::2/64   # our end of the tunnel
route -A inet6 add ::/0 dev sit1            # default IPv6 route through the tunnel

You also need to assign an IPv6 address to the internal Ethernet interface:

ifconfig eth0 inet6 add 2001:500:30:10::1/64

radvd.conf contained:

interface eth0
{
    AdvSendAdvert on;
    MinRtrAdvInterval 5;
    MaxRtrAdvInterval 15;
    prefix 2001:500:30:10::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};

BIND was set up as a recursive name server listening on both IPv4 and IPv6.

ARINXXI-V6: The ARINXXI-V6 network was configured to support only IPv6 on the local network segment (no IPv4 for clients at all). This network provided connectivity to the IPv4 Internet by using NAT-PT and the TOTd DNS gateway. The IPv6 transit and address space for this network were provided by a tunnel to the ARIN offices. The IPv4 transit required for NAT-PT was provided by the meeting sponsor. We used a Linux box as the gateway device for this network. DHCPv6 was used to provide a DNS server to clients that supported DHCPv6; clients that did not support DHCPv6 had to configure their DNS server manually. The Linux box ran an implementation of NAT-PT which is available from http://www.lucastomicki.net/naptd.php. The Linux machine also ran a DNS application layer gateway (DNS ALG) named TOTd, or Trick or Treat Daemon. TOTd is basically a DNS proxy that synthesizes a NAT-PT compatible AAAA record for hosts that do not return a valid AAAA record when a DNS query is performed. This allows the NAT-PT daemon to provide the translation necessary to connect to an IPv4-only resource from an IPv6-only client. While the basic configuration of this Linux gateway was pretty standard, things get a bit complicated when using the naptd daemon. The following configuration details will hopefully help you along if you would like to set this up yourself.

IPv6 packet forwarding must be enabled:

echo "1" > /proc/sys/net/ipv6/conf/all/forwarding

The IPv6 tunnel was set up (you will need your own tunnel endpoint to define in line two):

ifconfig sit0 up
ifconfig sit0 inet6 tunnel ::199.43.0.65   # remote IPv4 endpoint (replace with your own); this creates sit1
ifconfig sit1 up
ifconfig sit1 inet6 add 2001:500:30::2/64   # our end of the tunnel
route -A inet6 add ::/0 dev sit1            # default IPv6 route through the tunnel

and an IPv6 address was assigned to the internal Ethernet interface:

ifconfig eth0 inet6 add 2001:500:30:10::1/64

radvd.conf contained:

interface eth0
{
    AdvSendAdvert on;
    AdvManagedFlag off;
    AdvOtherConfigFlag on;
    MinRtrAdvInterval 10;
    MaxRtrAdvInterval 30;
    prefix 2001:500:30:11::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};

We found that radvd had to be up and running in order for DHCPv6 to work properly. It appeared that the ISC dhcpd (4.1.0a1) wanted to see an RA before it would do its thing.

dhcpd.conf:

default-lease-time 1800;
max-lease-time 1800;
ddns-update-style none;
authoritative;
log-facility local7;
option dhcp6.name-servers 2001:500:30:11::1;
subnet6 2001:500:30:11::/64 { }

dhcpd was also started with the following command line options:

dhcpd -6 -cf /usr/local/etc/dhcpd.conf

The DNS ALG (TOTd) was configured as follows:

; DNS Server to use for resolution
forwarder 99.198.94.4 port 53
; Prefix to use for nat-pt hosts
prefix 2000:ffff::
; port to listen on
port 53
pidfile /var/run/totd5005.pid
totuser nobody
; 6to4 reverse lookup setting
stf

The NAT-PT application does not use text-based configuration files. It provides a tool that generates a binary configuration file. What follows is a log of the answers we supplied to the configuration generator for our network. We tried a lot of different setups in our lab and found that the only setup that worked reliably was a very basic configuration (we accepted the defaults).

naptd-confmaker log:

Ataga IPv4/IPv6 NAPT Configuration Maker
(c) 2005 by Lukasz Tomicki <tomicki@o2.pl>
Do you want to create a new configuration? Y/n
y
Do you want IPv4 addresses from the outside interfaces to be automatically used as part of the NAT pool? Y/n
y
Do you want to configure additional address as part of your NAT pool? y/N
n
Do you want to create a pool of public IPv4 addresses that will allow incoming connections to be dynamically mapped to appropriate IPv6 addresses? y/N
n
Do you want to create static mappings of public IPv4 addresses that will allow incoming connections to reach IPv6 hosts? y/N
n
Enter the name of the first inside (IPv6) interface that you want NAT-PT to listen on.
interface (eth0 eth1 sit0 sit1): eth0
eth0
Do you want to enter more interfaces? y/N
n
Enter the name of the first outside (IPv4) interface that you want NAT-PT to listen on.
interface (eth0 eth1 sit0 sit1): eth1
eth1
Do you want to enter more interfaces? y/N
n
Enter the TCP translation timeout in seconds 86400:
Enter the UDP translation timeout in seconds 3600:
Enter the ICMP translation timeout in seconds 30:
Enter the IPv6 prefix that will be used as the destination for translations.
prefix 2000:ffff
Please enter the IPv4 address of the DNS server you are currently using.
IPv4 DNS server: 99.198.94.4
99.198.94.4
You can configure hosts for automatic DNS translation by using the DNS server below.
IPv6 DNS Server: 2000:ffff::63c6:5e04
Thank you for choosing Ataga as you IPv4/IPv6 NAT-PT solution.
Setup is now complete. Type 'naptd' to start NAT-PT.
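As an added illustration (not code from the ARIN setup, TOTd or naptd), the following Python models the address mapping that the DNS ALG described above and the NAT-PT daemon share: TOTd synthesizes an AAAA record by placing the IPv4 address in the low 32 bits of the 2000:ffff::/96 prefix, which is how the forwarder 99.198.94.4 becomes the 2000:ffff::63c6:5e04 shown in the naptd-confmaker log, and naptd recovers the IPv4 destination from that address on the way out. The upstream DNS answers are constructed sample data.

```python
import ipaddress
from typing import List, Optional

# The NAT-PT prefix configured in both totd ("prefix 2000:ffff::") and
# naptd-confmaker on the ARINXXI-V6 gateway. NAT-PT embeds the IPv4 address
# in the low 32 bits of the prefix, so the prefix must be a /96.
NATPT_PREFIX = ipaddress.IPv6Network("2000:ffff::/96")


def embed_ipv4(prefix: ipaddress.IPv6Network, v4: str) -> ipaddress.IPv6Address:
    """Form the IPv6 address TOTd hands to clients for an IPv4-only host."""
    if prefix.prefixlen != 96:
        raise ValueError("NAT-PT prefix must be a /96 so an IPv4 address fits in the host part")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))


def extract_ipv4(prefix: ipaddress.IPv6Network, v6: str) -> Optional[ipaddress.IPv4Address]:
    """Recover the IPv4 destination naptd must translate to, or None when the
    packet is not addressed into the NAT-PT prefix and must be routed natively."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF)


def synthesize_aaaa(prefix: ipaddress.IPv6Network,
                    a_records: List[str], aaaa_records: List[str]) -> List[str]:
    """Mimic the TOTd rule: a host with a real AAAA answer is returned unchanged
    (native IPv6 path); only hosts with A records and no AAAA get fabricated
    AAAA answers pointing into the NAT-PT prefix."""
    if aaaa_records:
        return list(aaaa_records)
    return [str(embed_ipv4(prefix, a)) for a in a_records]


# Constructed sample answers standing in for what the forwarder would return;
# the first entry is the forwarder itself, as in the naptd-confmaker log.
UPSTREAM = {
    "dns.example": {"A": ["99.198.94.4"], "AAAA": []},
    "dual.example": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
}


def resolve(name: str) -> List[str]:
    rr = UPSTREAM[name]
    return synthesize_aaaa(NATPT_PREFIX, rr["A"], rr["AAAA"])


if __name__ == "__main__":
    for host in UPSTREAM:
        for v6 in resolve(host):
            print(host, v6, "->", extract_ipv4(NATPT_PREFIX, v6) or "native IPv6")
```

The prefix membership check in extract_ipv4 is the part worth keeping in mind: a translator must only act on destinations inside its own /96, otherwise ordinary IPv6 traffic would be pulled into the IPv4 NAT.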

Several iptables rules are required to make the NAT-PT daemon work properly. This is because the daemon is running in use ...