
RE: More Quick 'n' Easy IPv6 for Debian, Wireless



-----BEGIN PGP SIGNED MESSAGE-----

Marc Singer [mailto:elf@buici.com] wrote:

> On Tue, Jan 20, 2004 at 08:46:33PM +0100, Jeroen Massar wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > 
> > John Goerzen [mailto:jgoerzen@complete.org] wrote:
> > 
> > > On Tue, Jan 20, 2004 at 10:46:52AM -0800, Marc Singer wrote:
> > > > What I'm not finding is how to get this working where there are hosts
> > > > behind NAT'ing routers.  In this case, a wireless AP that provides
> > > > limited configurability and no ipv6 support.  Using the already
> > > 
> > > If you can configure it to let protocol 41 (ipv6) through, you may be
> > > able to make things work.  (I have been able to do that going 
> > > through a Shorewall IPV4-only NAT box.)
> > 
> > Setting up a box to have one internal IP as the "DMZ" helps too.
> > Most of the boxes allow it, but some do not.
> 
> It has that, but then it means that I can have only one wireless
> device connected to the 6bone.

radvd on the interface facing the wireless AP and done.

> > > However, you may not be able to do that on your AP.  You may 
> > > need a more powerful router.
> > 
> > Please don't call these things routers ;)
> 
> Chuckle.  This thing is really hokey.  I've ordered another one that
> promises to have more routing capabilities.

Anything doing NAT should not be called a router, but that is imho ;)

> 
> > > Well, that depends on what you're trying to do.  If you're trying to
> > > join the global IPv6 network, that won't help.  However, AFAIK, you'll
> > > run into the same issues with IPSec.
> > 
> > Why not? Routing IPv6 over a tunnel... is routing IPv6 over a tunnel,
> > doesn't matter if it goes over IPSec or whatever ;)
> > Using tinc for tunneling IPv6 into networks that are even firewalled
> > away is even a well used method for this.
> 
> So, it works because the 6to4 addresses really route at the /48 level
> and I can allocate heaps of /64's knowing that all of them will make
> their way back to my router.

Indeed, just set the correct routes. 2002::/16 space is nothing different
from other IPv6 space except that routers that know that it is 6to4 and
have both IPv6 and IPv4 connectivity could (or was it should/must?) route
the 6to4 traffic directly to the 6to4 router in question over IPv4.
Thus if you create a 6in4 (proto41) tunnel to another box it will happily
carry the 

> Now, let me see if this makes sense.  My plan has been to construct a
> short 6to4 tunnel over IPSECv4 between the wireless node and my ipv6
> router.  ipv6 packets will make a short hop over the wireless link
> before heading out to the net through the router's 6to4 tunnel.  Given
> that there is an IPSECv4 tunnel from the wireless node to the router,
> I could set up a 6to4 tunnel on the wireless host that points to
> ::192.88.99.1, but there isn't really a benefit here.  Routing ought
> to work, but it means setting up another tunnel just to save a
> couple of packet processing steps in the router.

If I understand you correctly you have:

                                                   <---> [Wireless Host]
[6to4 anycast relay] <-----> [Internet] <---> [AP]
                                                   <---> [Router]

And then you want to do 6to4 from the router to the anycast address.
Assuming that you are using NAT you can't use 6to4 unless you map
it directly onto one internal host in the AP and properly let the
router think that it has the public IP, as RFC1918 addresses don't
route onto the internet. If that is done you can
indeed create either a tunnel or possibly even native IPv6 between
the Router and the Wireless Host. I would try native btw. If you want
it to be secure indeed go for the ipsec tunnel.

Greets,
 Jeroen

-----BEGIN PGP SIGNATURE-----
Version: Unfix PGP for Outlook Alpha 13 Int.
Comment: Jeroen Massar / http://unfix.org/~jeroen

iQA/AwUBQA3XDymqKFIzPnwjEQJ2UgCfTVOfL5YcXBwgqL22XbtyidNNzPYAn2om
s+W3JL0HIu3n1kPwfv8u1VpH
=3hQd
-----END PGP SIGNATURE-----
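
The /48-per-IPv4-address rule and the RFC1918 restriction discussed in this message, as an added example that is not part of the original thread. The function names are hypothetical, and 192.0.2.1 is a documentation address standing in for the router's public IPv4 address.

```python
import ipaddress

# RFC1918 ranges: a 6to4 prefix built from one of these is unreachable,
# because relays send return traffic to the embedded IPv4 address.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


def sixtofour_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Return the 2002:V4ADDR::/48 prefix that belongs to an IPv4 address."""
    addr = ipaddress.IPv4Address(ipv4)
    if is_rfc1918(addr):
        raise ValueError(f"{addr} is RFC1918; 6to4 needs the public address "
                         "(map it to one host on the NAT box first)")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(addr) << 80), 48))


def lan_subnet(prefix: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Pick one of the 65536 /64s inside the /48, e.g. for radvd on a LAN."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 and a 16-bit subnet id")
    return ipaddress.IPv6Network(
        (int(prefix.network_address) | (subnet_id << 64), 64))


def audit_6to4(address: str) -> str:
    """Classify an IPv6 address seen on the network (constructed inputs below)."""
    embedded = ipaddress.IPv6Address(address).sixtofour  # None if not 2002::/16
    if embedded is None:
        return "not-6to4"
    return "broken-rfc1918" if is_rfc1918(embedded) else f"6to4-via-{embedded}"


if __name__ == "__main__":
    site = sixtofour_prefix("192.0.2.1")          # constructed sample address
    print(site, lan_subnet(site, 1))
    for a in ("2002:c000:201:1::10", "2002:c0a8:10a::1", "2001:db8::1"):
        print(a, audit_6to4(a))
```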


