Re: More Quick 'n' Easy IPv6 for Debian, Wireless



On Wed, Jan 21, 2004 at 02:34:07AM +0100, Jeroen Massar wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> Marc Singer [mailto:elf@buici.com] wrote:
> 
> > On Tue, Jan 20, 2004 at 08:46:33PM +0100, Jeroen Massar wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > 
> > > John Goerzen [mailto:jgoerzen@complete.org] wrote:
> > > 
> > > > On Tue, Jan 20, 2004 at 10:46:52AM -0800, Marc Singer wrote:
> > > > > What I'm not finding is how to get this working where there are hosts
> > > > > behind NAT'ing routers.  In this case, a wireless AP that provides
> > > > > limited configurability and no ipv6 support.  Using the already
> > > > 
> > > > If you can configure it to let protocol 41 (ipv6) through, you may be
> > > > able to make things work.  (I have been able to do that going 
> > > > through a Shorewall IPV4-only NAT box.)
> > > 
> > > Setting up a box to have one internal IP as the "DMZ" helps too.
> > > Most of the boxes allow it, but some do not.
> > 
> > It has that, but then it means that I can have only one wireless
> > device connected to the 6bone.
> 
> radvd on the interface facing the wireless AP and done.

If I understand your suggestion, this means that the DMZ host, a
wireless host, will act as radvd for the other wireless hosts.  This
means that that host must be present for the others to gain access to
the 6bone, right?

> > > > However, you may not be able to do that on your AP.  You may 
> > > > need a more powerful router.
> > > 
> > > Please don't call these things routers ;)
> > 
> > Chuckle.  This thing is really hokey.  I've ordered another one that
> > promises to have more routing capabilities.
> 
> Anything doing NAT should not be called a router, but that is imho ;)

Seems kinda extreme, but I get your point.

> > Now, let me see if this makes sense.  My plan has been to construct a
> > short 6to4 tunnel over IPSECv4 between the wireless node and my ipv6
> > router.  ipv6 packets will make a short hop over the wireless link
> > before heading out to the net through the router's 6to4 tunnel.  Given
> > that there is an IPSECv4 tunnel from the wireless node to the router,
> > I could setup a 6to4 tunnel on the wireless host that points to
> > ::192.88.99.1, but there isn't really a benefit here.  Routing ought
> > to work, but it means setting up another tunnel just to save a
> > couple of packet processing steps in the router.
> 
> If I understand you correctly you have:
> 
>                                                    <---> [Wireless Host]
> [6to4 anycast relay] <-----> [Internet] <---> [AP]
>                                                    <---> [Router]
> 

Not exactly.


[6to4 anycast relay]
      ^
      |
  [Internet]
      |
      v
   [Router] <---> [AP] <---> [Wireless Host]
      ^
      |
      v
 [Wired Host]  

> And then you want to do 6to4 from the router to the anycast address.

That already works.

> Assuming that you are using NAT you can't use 6to4 unless you map
> it directly onto one internal host in the AP and properly let the
> router think that it has the public IP, as RFC1918 addresses don't
> route onto the internet. If that is done you can
> indeed create either a tunnel or possibly even native IPv6 between
> the Router and the Wireless Host. I would try native btw. If you want
> it to be secure indeed go for the ipsec tunnel.

In the picture above, the Wired Host(s) all work fine.  radvd gives
them addresses and they have immediate access to the 6bone.

My plan is to form a bridge between the Wireless Host (or any of
several) and the Router and then let the router carry ipv6 traffic to
the Anycast Relay when necessary.  

  1) If I get another tunnel, I'd like to change it in only one place,
     though I know that I may have to renumber everything if I get a
     bona fide network delegation.
  2) I'd really like to let there be a radvd server for the Wireless
     Hosts, but I don't see how I can do this unless I can get one of
     the Router's interfaces to appear in the collision domain of the
     wireless network. 
  3) The next best thing is to form an IPSEC tunnel from the Wireless
     Host to the Router since this kind of tunnel is recognized by the
     AP.  As an aside, the AP is really dumb in this respect.  It
     requires that the IPSEC tunnel use ISAKMP because of the port 500
     exchange that triggers the special super secret pass-through
     mode. I'd use another kind of tunnel, but I don't think there is
     one that will work with the AP.

Cheers.
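An added example, not part of the original thread, showing the address arithmetic behind the 6to4 discussion above: the 2002:V4ADDR::/48 prefix a 6to4 endpoint derives from its public IPv4 address, the inverse mapping, and the check that an RFC 1918 address (what a host behind the NAT'ing AP normally has) cannot be a 6to4 endpoint. The IPv4 address 203.0.113.5 used in the test is a constructed sample; 192.88.99.1 is the relay anycast address named in the thread.

```python
import ipaddress

# Well-known 6to4 relay anycast address (RFC 3068), as named in the thread.
RELAY_ANYCAST_V4 = "192.88.99.1"

# Addresses that never reach a relay over the Internet: RFC 1918 space plus
# loopback, link-local and "this network".  A NAT'ed wireless host usually
# holds one of these, which is why 6to4 cannot terminate on it directly.
_UNUSABLE = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def usable_for_6to4(ipv4: str) -> bool:
    """True if the IPv4 address can serve as a 6to4 tunnel endpoint."""
    addr = ipaddress.IPv4Address(ipv4)
    return not any(addr in net for net in _UNUSABLE)


def sixto4_prefix(ipv4: str) -> str:
    """Return the 2002:V4ADDR::/48 prefix derived from a public IPv4 address.

    Raises ValueError for private addresses: the NAT'ed host has to be given
    the router's public address (or be the AP's "DMZ" host) before it can
    be a 6to4 endpoint at all.
    """
    if not usable_for_6to4(ipv4):
        raise ValueError(f"{ipv4} is not public; 6to4 needs a public endpoint")
    v4 = int(ipaddress.IPv4Address(ipv4))
    # The 32-bit IPv4 address becomes the two hextets after 2002.
    return f"2002:{v4 >> 16:x}:{v4 & 0xFFFF:x}::/48"


def embedded_ipv4(ipv6: str) -> str:
    """Recover the IPv4 endpoint embedded in bits 16..47 of a 6to4 address.

    Handy for checking which relay or peer a 2002:: address really maps to.
    """
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in ipaddress.IPv6Network("2002::/16"):
        raise ValueError(f"{ipv6} is not a 6to4 address")
    return str(ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF))


def relay_sixto4_address() -> str:
    """The relay's own 6to4-side address, derived from 192.88.99.1."""
    net = ipaddress.IPv6Network(sixto4_prefix(RELAY_ANYCAST_V4))
    return str(net.network_address)
```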
