Thursday, 29 March 2012

IPv6 Tunnel Types

Tunneling encapsulates IPv6 packets in IPv4 packets for delivery across an IPv4 infrastructure. There are a number of options to choose from.

Cisco IOS IPv6 supports the following types of overlay tunneling mechanisms:

Static
  • Manual
  • Generic routing encapsulation (GRE) (Default)
Automatic
  • IPv4-compatible
  • 6to4
  • Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)

I used the following network to test these tunnel types.


Manual Tunnel
A manually configured tunnel is a permanent link between two IPv6 domains over an IPv4 backbone. The packet format is:

IPv4 Header
IPv6 Header
IPv6 Payload

  • Point-to-Point (can be used between sites)
  • supports multicast
  • Carries only IPv6 packets (i.e. OSPFv6 / EIGRPv6 is fine but not ISIS)
  • Supports CEF
interface tunnel tunnel-number

   ipv6 address ipv6-prefix/prefix-length [eui-64]

   tunnel source {ip-address | interface-type interface-number}

   tunnel destination ip-address

   tunnel mode ipv6ip
 

The tunnel mode ipv6ip command specifies IPv6 as the passenger protocol and IPv4 as both the encapsulation and transport protocol for the manual IPv6 tunnel. 

This tunnel configuration is quite simple so no output is presented.

GRE Tunnels (default)
GRE tunnels are links between two points. The packet format is:

IPv4 Header
GRE Header (includes a protocol field which describes the packet contained within)
IPv6 Header
IPv6 Payload 
  • Point-to-Point (can be used between sites)
  • supports multicast
  • Carries many types of packets.
  • Supports CEF?
interface tunnel tunnel-number

   ipv6 address ipv6-prefix/prefix-length [eui-64]

   tunnel source {ip-address | ipv6-address | interface-type interface-number}

   tunnel destination {host-name | ip-address | ipv6-address}

   tunnel mode gre ip

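The tunnel mode gre ip command specifies GRE as the encapsulation protocol for the tunnel, with IPv4 as the transport protocol, matching the packet format above. It is the default tunnel mode. (The tunnel mode gre ipv6 command instead selects GRE over an IPv6 transport.)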

This tunnel configuration is quite simple so no output is presented. 
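On the wire, the manual and GRE packet formats above are told apart by the IPv4 protocol field and, for GRE, by the protocol field inside the GRE header. The following Python sketch is an added example, not part of the original post: it builds one constructed packet of each kind and classifies them. The protocol numbers 41 and 47 and the value 0x86DD are the standard assignments (the post does not state them), and all function names and the 2001:db8 addresses are illustrative.

```python
import ipaddress
import struct

PROTO_IPV6 = 41          # IPv4 protocol number when IPv6 is carried directly (tunnel mode ipv6ip)
PROTO_GRE = 47           # IPv4 protocol number for GRE (tunnel mode gre ip)
ETHERTYPE_IPV6 = 0x86DD  # GRE protocol field value when the passenger is IPv6

def ipv4_header(proto, src, dst, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at 0 in this constructed sample."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 255, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def ipv6_packet(payload=b"", src="2001:db8:1::1", dst="2001:db8:2::1"):
    """40-byte IPv6 header (next header 59 = none) plus payload; addresses are constructed."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), 59, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload

def encapsulate(inner, mode, src="2.2.2.2", dst="2.2.2.3"):
    """Wrap an IPv6 packet as the manual ('ipv6ip') or the GRE ('gre') tunnel does."""
    if mode == "gre":
        inner = struct.pack("!HH", 0, ETHERTYPE_IPV6) + inner  # GRE header, no optional fields
        return ipv4_header(PROTO_GRE, src, dst, len(inner)) + inner
    return ipv4_header(PROTO_IPV6, src, dst, len(inner)) + inner

def classify(packet):
    """Return (tunnel kind, offset of the inner IPv6 header) for an IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None, None
    off = (packet[0] & 0x0F) * 4  # IPv4 header length in bytes
    proto = packet[9]
    if proto == PROTO_GRE and len(packet) >= off + 4:
        flags, ptype = struct.unpack_from("!HH", packet, off)
        if ptype != ETHERTYPE_IPV6:
            return "gre-other", None
        # checksum, key and sequence fields add 4 bytes each when their flag bit is set
        off += 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
        kind = "gre-ipv6"
    elif proto == PROTO_IPV6:
        kind = "ipv6ip"
    else:
        return None, None
    if len(packet) <= off or packet[off] >> 4 != 6:
        return None, None  # truncated, or the passenger is not IPv6
    return kind, off

if __name__ == "__main__":
    inner = ipv6_packet(b"constructed payload")
    for mode in ("ipv6ip", "gre"):
        print(mode, classify(encapsulate(inner, mode)))
```

The GRE form costs 4 extra bytes per packet for the basic header, which is what buys the ability to carry passengers other than IPv6.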

IPv4 Compatible
With an IPv4-compatible tunnel, the tunnel destination is automatically determined by the IPv4 address in the low-order 32 bits of IPv4-compatible IPv6 addresses. 
IPv4-compatible IPv6 addresses are IPv6 unicast addresses that have zeros in the high-order 96 bits of the address, and an IPv4 address in the low-order 32 bits. They can be written as 0:0:0:0:0:0:A.B.C.D or ::A.B.C.D, where "A.B.C.D" represents the embedded IPv4 address. Due to this configuration the only routing protocols supported across this tunnel are static or BGP. I have documented the static configuration below. The BGP example can be found here.
  • Point-to-Multipoint (depends on the static / BGP routing endpoints)
  • does not support multicast
  • Carries only ipv6 unicast traffic
  • Supports CEF?
 IPv4-compatible tunnels were initially supported for IPv6, but are currently being deprecated. Cisco now recommends that you use a different IPv6 tunneling technique named ISATAP tunnels.
interface tunnel tunnel-number

   ipv6 address ipv6-prefix/prefix-length [eui-64]

   tunnel source {ip-address | interface-type interface-number}


   tunnel mode ipv6ip auto-tunnel


In addition to the tunnel you need to set up a static route. For the example network above, the configurations of R2 and R3 are given below.


R2
interface Tunnel0
 no ip address
 no ip redirects
 ipv6 address 2002:2002::2/64
 ipv6 enable
 ipv6 ospf 1 area 0
 tunnel source Ethernet0/1
 tunnel mode ipv6ip auto-tunnel



ipv6 route ::/0 ::2.2.2.3

R3
interface Tunnel2
 no ip address
 no ip redirects
 ipv6 address 2002:2002::3/64
 ipv6 enable
 tunnel source Ethernet0/1
 tunnel mode ipv6ip auto-tunnel
 

ipv6 route ::/0 ::2.2.2.2


Another point to note is that the tunnel endpoints (2002:2002::/64) are not pingable. In both of the above tunnel types (manual / GRE) these endpoints respond. Example log when traffic traverses this tunnel:

*Mar 29 05:54:12.979: Tunnel2: IPv6/IP adjacency fixup, 2.2.2.3->2.2.2.2, tos set to 0x0
*Mar 29 05:54:12.983: Tunnel2: IPv6/IP to classify 2.2.2.2->2.2.2.3 (tbl=0,"default" len=120 ttl=254 tos=0x0) ok, oce_rc


Finally, if you look closely, the next hop of the static route is "::2.2.2.2". This is a merge of the IPv6 and IPv4 dotted decimal notation, which the router understands. If you use a high address range (192.168.1.2 and 192.168.1.3), you can add the IPv6 static route as either "ipv6 route ::/0 ::C0A8:0102" or "ipv6 route ::/0 ::192.168.1.2". In the running config, however, it's always represented as ::192.168.1.2.


6to4 Tunnel

  • Point-to-Multipoint (depends on the static / BGP routing endpoints) (Site to Site connectivity)
  • does not support multicast
  • Carries only ipv6 unicast traffic

An automatic 6to4 tunnel allows isolated IPv6 domains to be connected over an IPv4 network. The IPv4 address embedded in the IPv6 address is used to find the other end of the automatic tunnel. The tunnel destination is determined by the IPv4 address of the border router extracted from the IPv6 address that starts with the prefix 2002::/16, where the format is 2002:border-router-IPv4-address::/48. Following the embedded IPv4 address are 16 bits that can be used to number networks within the site.

An IPv4-compatible tunnel is typically used only between two IPv6 domains, but a 6to4 tunnel is used to connect two or more IPv6 domains. The 6to4 tunnels can be conceptualised as a big frame relay cloud where each endpoint is addressed as per the rule 2002:border-router-IPv4-address::/48. You then add static routes which advertise the networks available on each endpoint.





For my example network given right at the start, the configurations of R2 and R3 are given below.


R2
!
interface Tunnel0
 no ip address
 no ip redirects
 ipv6 address 2002:202:202::2/64
 tunnel source Ethernet0/1
 tunnel mode ipv6ip 6to4
!

interface Ethernet0/1
 ip address 2.2.2.2 255.255.255.0
!
ipv6 route 2002::/16 Tunnel0
ipv6 route ::/0 2002:202:203::


R3
!
interface Tunnel2
 no ip address
 no ip redirects
 ipv6 address 2002:202:203::3/64
 tunnel source Ethernet0/1
 tunnel mode ipv6ip 6to4
!

interface Ethernet0/1
 ip address 2.2.2.3 255.255.255.0
!
ipv6 route 2002::/16 Tunnel2
ipv6 route ::/0 2002:202:202::





ISATAP

  • Point-to-Multipoint (depends on the static / BGP routing endpoints) (Within a site)
  • does not support multicast
  • carries only ipv6 unicast traffic

ISATAP is an automatic overlay tunneling mechanism that uses the underlying IPv4 network as an NBMA link layer for IPv6. ISATAP is designed for transporting IPv6 packets within a site where a native IPv6 infrastructure is not yet available; for example, when sparse IPv6 hosts are deployed for testing. ISATAP tunnels allow individual IPv4 or IPv6 dual-stack hosts within a site to communicate with other such hosts on the same virtual link, basically creating an IPv6 network using the IPv4 infrastructure.


ISATAP uses a well-defined IPv6 address format composed of:

64 bits - Link-local or global IPv6 unicast prefix (including 6to4 prefixes)
32 bits - 0000:5EFE
32 bits - IPv4 address of the ISATAP link
 

Although the ISATAP tunneling mechanism is similar to other automatic tunneling mechanisms, such as IPv6 6to4 tunneling, ISATAP is designed for transporting IPv6 packets within a site, but not between sites.

interface tunnel tunnel-number

  ipv6 address ipv6-prefix/prefix-length [eui-64]

  no ipv6 nd ra suppress

  tunnel source {ip-address | interface-type interface-number}

  tunnel mode ipv6ip isatap
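
All three automatic tunnel types above (IPv4-compatible, 6to4 and ISATAP) find the tunnel destination from an IPv4 address embedded in the IPv6 address. The following Python sketch is an added example, not part of the original post: it builds the 6to4 prefix and an ISATAP address from an IPv4 address, and recovers the embedded IPv4 endpoint(s) from any IPv6 address, which is useful when reading routing tables or logs. Function names are illustrative; acceptance of 0200:5EFE as well as 0000:5EFE follows RFC 5214 and goes beyond the format given in the post.

```python
import ipaddress

def six_to_four_prefix(ipv4):
    """2002:border-router-IPv4-address::/48 for a border router's IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))

def isatap_address(prefix, ipv4):
    """64-bit prefix, then 0000:5EFE, then the IPv4 address of the ISATAP link."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a 64-bit prefix")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | (0x5EFE << 32) | v4)

def embedded_endpoints(addr):
    """Map tunnel type -> IPv4 endpoint (as text) embedded in an IPv6 address."""
    n = int(ipaddress.IPv6Address(addr))
    low32 = n & 0xFFFFFFFF
    found = {}
    if n >> 112 == 0x2002:  # 6to4: the 32 bits after 2002: are the border router
        found["6to4"] = str(ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF))
    # ISATAP: bits 32..63 are 0000:5EFE; RFC 5214 also allows 0200:5EFE ("u" bit set)
    if (n >> 32) & 0xFDFFFFFF == 0x5EFE:
        found["isatap"] = str(ipaddress.IPv4Address(low32))
    # IPv4-compatible: high-order 96 bits are zero (:: and ::1 are not tunnel addresses)
    if n >> 32 == 0 and low32 > 1:
        found["ipv4-compatible"] = str(ipaddress.IPv4Address(low32))
    return found

# Next hops taken from the configurations above, plus constructed ISATAP and native samples.
SAMPLES = ["::2.2.2.3", "::C0A8:0102", "2002:202:203::", "fe80::5efe:2.2.2.2",
           "2002:202:202:1:0:5efe:10.0.0.5", "2001:db8::1"]

if __name__ == "__main__":
    print(six_to_four_prefix("2.2.2.2"), isatap_address("fe80::/64", "2.2.2.2"))
    for sample in SAMPLES:
        print(f"{sample:32} {embedded_endpoints(sample) or 'no embedded IPv4 endpoint'}")
```

An ISATAP address built on a 6to4 prefix reports two endpoints: the border router from the prefix and the host from the interface identifier.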

 
