6in4
From Wikipedia, the free encyclopedia
6in4 is the encapsulation of IPv6 packets within explicitly configured IPv4 tunnels, as defined in RFC 1933 (later revised by RFC 2893 and RFC 4213). It is also referred to as 'proto-41 static', after the IPv4 protocol number it uses and because its endpoints are statically configured. It should not be confused with 6to4 or 6over4, which have similar-looking names but are different mechanisms.
6in4 places the IPv6 packet directly behind an IPv4 header, setting the 'protocol' field of the IPv4 header to 41, the value assigned to IPv6. There is no intermediate layer, so the encapsulation overhead is only the 20 bytes of the IPv4 header: on an Ethernet link with an MTU of 1500 bytes, unfragmented IPv6 packets of up to 1480 bytes can still be sent.
6in4 tunnels are generally configured manually, but a tool such as AICCU can configure one automatically using the tunnel details it retrieves from a TIC (Tunnel Information and Control) server.
6to4 also uses protocol 41, but it is not static: instead of configuring the endpoints, the remote endpoint's IPv4 address is derived from the IPv6 addresses inside the IPv6 packet.
NAT
When an endpoint of a 6in4 tunnel is behind a NAT, the tunnel can in some cases still be made to work through the 'DMZ' feature of the NAT 'router', which forwards all incoming protocol-41 packets to the configured internal host. This only works when the NAT device passes protocol 41 through at all; a NAT that only translates TCP and UDP will drop it.
Dynamic 6in4 tunnels / Heartbeat
Even though 6in4 tunnels are static in nature, a protocol such as the heartbeat protocol[1] allows the tunnel endpoints to be dynamic. The heartbeat protocol signals the other side of the tunnel with the sender's current endpoint address; a tool such as AICCU then updates the endpoint, so the endpoint is effectively dynamic while the tunnel itself still uses plain 6in4. Such tunnels are generally called 'proto-41 heartbeat' tunnels.
Security Issues
The 6in4 protocol has no authentication or integrity protection of its own: anyone who can spoof the IPv4 source address of one tunnel endpoint can inject arbitrary IPv6 packets into the tunnel by sending protocol-41 packets to the other endpoint.
The problem can be partially mitigated by having the decapsulating endpoint accept protocol-41 packets only from its configured remote endpoint (the check RFC 4213 requires of a decapsulator) and by proper network ingress filtering, so that packets with spoofed source addresses are dropped near their origin. Protecting the tunnel with IPsec removes the problem. Another solution is a tunneling protocol such as AYIYA, or other tunneling methods that sign their packets, so that the receiver can verify the true origin of each packet.
This packet-injection weakness was put to benign use in the IPv6 Tunnel Discovery work[2], in which the researchers discovered a large number of IPv6 tunnels around the world.
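The following is an added example, not code from this article, from AICCU or from any tunnel implementation. It illustrates both the framing described earlier (an IPv4 header with protocol 41 directly in front of the IPv6 packet, hence the 1480-byte tunnel MTU on Ethernet) and the injection problem discussed in this section: a receiving endpoint that checks the outer source address drops packets from arbitrary hosts, but a packet whose outer source is spoofed to the remote endpoint's address is indistinguishable from a genuine one and is decapsulated. The endpoint addresses (192.0.2.1, 198.51.100.1, 203.0.113.7, 2001:db8::/32) are documentation ranges constructed for the example, and the inner-source sanity check in `TunnelEndpoint.accept` is an assumption of this example rather than something the article states.

```python
"""6in4 (protocol 41) encapsulation, decapsulation and endpoint filtering.

Added example; not code from the Wikipedia article or any real tunnel
implementation.  Addresses used below are constructed documentation-range
values, not real endpoints.
"""
import ipaddress
import struct

IPPROTO_IPV6 = 41        # IPv4 'protocol' value that marks an encapsulated IPv6 packet
IPV4_HEADER_LEN = 20     # minimal IPv4 header, no options
ETHERNET_MTU = 1500


def tunnel_mtu(outer_mtu=ETHERNET_MTU):
    """Largest IPv6 packet that fits the tunnel unfragmented: 1500 - 20 = 1480."""
    return outer_mtu - IPV4_HEADER_LEN


def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement sum of the 16-bit header words.
    Computed over a header whose checksum field is already filled in, it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6(src, dst, payload, next_header=59, hop_limit=64):
    """Minimal IPv6 packet: 40-byte header (version 6, no flow label) plus payload.
    Next header 59 means 'No Next Header', enough for a demonstration packet."""
    return struct.pack(
        "!IHBB16s16s", 6 << 28, len(payload), next_header, hop_limit,
        ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed,
    ) + payload


def encapsulate(outer_src, outer_dst, ipv6_packet, ttl=64):
    """6in4: an IPv4 header with protocol 41 placed directly before the IPv6 packet.
    There is no layer in between, so the only overhead is the 20-byte IPv4 header."""
    total_len = IPV4_HEADER_LEN + len(ipv6_packet)
    if total_len > ETHERNET_MTU:
        raise ValueError("IPv6 packet exceeds tunnel MTU of %d" % tunnel_mtu())
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len,       # version 4, IHL 5 words; DSCP/ECN 0; total length
        0, 0,                     # identification; flags and fragment offset
        ttl, IPPROTO_IPV6, 0,     # TTL; protocol 41; checksum placeholder
        ipaddress.IPv4Address(outer_src).packed,
        ipaddress.IPv4Address(outer_dst).packed,
    )
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + ipv6_packet


def decapsulate(packet):
    """Parse the outer IPv4 header; return (src, dst, protocol, inner bytes)."""
    if len(packet) < IPV4_HEADER_LEN or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < IPV4_HEADER_LEN or len(packet) < ihl:
        raise ValueError("bad IHL")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    return src, dst, packet[9], packet[ihl:total_len]


class TunnelEndpoint:
    """A static 6in4 endpoint that only decapsulates protocol-41 packets whose
    outer source is the configured remote (the check RFC 4213 asks of a
    decapsulator).  This drops injection from arbitrary hosts, but a packet
    whose outer source is spoofed to the remote's address still passes, which
    is why ingress filtering, IPsec or a signed protocol such as AYIYA is needed."""

    def __init__(self, local, remote):
        self.local = ipaddress.IPv4Address(local)
        self.remote = ipaddress.IPv4Address(remote)

    def accept(self, packet):
        """Return the inner IPv6 packet, or None if the packet must be dropped."""
        src, dst, proto, inner = decapsulate(packet)
        if proto != IPPROTO_IPV6 or dst != self.local or src != self.remote:
            return None
        # Extra sanity check, an assumption of this example: the payload must at
        # least be an IPv6 header from a unicast, non-loopback, specified source.
        if len(inner) < 40 or inner[0] >> 4 != 6:
            return None
        inner_src = ipaddress.IPv6Address(inner[8:24])
        if inner_src.is_multicast or inner_src.is_loopback or inner_src.is_unspecified:
            return None
        return inner


if __name__ == "__main__":
    endpoint = TunnelEndpoint("192.0.2.1", "198.51.100.1")
    inner = build_ipv6("2001:db8:1::2", "2001:db8:1::1", b"hello")
    legit = encapsulate("198.51.100.1", "192.0.2.1", inner)
    stray = encapsulate("203.0.113.7", "192.0.2.1", inner)           # wrong outer source
    injected = build_ipv6("2001:db8:bad::1", "2001:db8:1::1", b"pwn")
    spoofed = encapsulate("198.51.100.1", "192.0.2.1", injected)     # forged outer source
    print("tunnel MTU:", tunnel_mtu())
    print("legit accepted:", endpoint.accept(legit) == inner)
    print("stray dropped:", endpoint.accept(stray) is None)
    print("spoofed injection accepted:", endpoint.accept(spoofed) == injected)
```

Run as a script, the last line prints True: the endpoint has no way to tell the forged packet from a genuine one, because the only thing it can check is the outer IPv4 source address. The ingress-filtering mitigation happens upstream, by dropping packets whose source address does not belong to the network they arrive from, and is therefore not something the endpoint itself can implement.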
References
1. Heartbeat Protocol, J. Massar and P. van Pelt
2. IPv6 Tunnel Discovery, L. Colitti, G. Di Battista, and M. Patrignani