
IPv6 6to4 Tunnel using Linux

I have created for myself a script that lets me bring up a 6to4 tunnel in one command, and I would like to share the result with you:
#!/bin/bash
#
# Shiran Guez CCIE 20572
#
# Create a 6to4 IPv6 tunnel, an easy first step into the IPv6 world.
#
# Run the script as root or with sudo.
# curl is needed to retrieve the external IP address.
#
# GENERAL Note:
#
# The below is an example of tcpdump output from the test performed by this script. You can see that first we generate an IPv6 packet, which is encapsulated (IP protocol 41) and sent to the anycast relay, and the answer is received back from the anycast address.
#12:13:29.215403 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2002:5744:2e00::1 > 2a00:1450:400c:c01::69: [icmp6 sum ok] ICMP6, echo request, length 64, seq 1
#12:13:29.215417 IP (tos 0x0, ttl 200, id 0, offset 0, flags [DF], proto IPv6 (41), length 124)
#    10.0.0.4 > 192.88.99.1: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2002:5744:2e00::1 > 2a00:1450:400c:c01::69: [icmp6 sum ok] ICMP6, echo request, length 64, seq 1
#12:13:29.583505 IP (tos 0x80, ttl 245, id 0, offset 0, flags [DF], proto IPv6 (41), length 124)
#    192.88.99.1 > 10.0.0.4: IP6 (class 0x80, hlim 55, next-header ICMPv6 (58) payload length: 64) 2a00:1450:400c:c01::69 > 2002:5744:2e00::1: [icmp6 sum ok] ICMP6, echo reply, length 64, seq 1
#12:13:29.583505 IP6 (class 0x80, hlim 55, next-header ICMPv6 (58) payload length: 64) 2a00:1450:400c:c01::69 > 2002:5744:2e00::1: [icmp6 sum ok] ICMP6, echo reply, length 64, seq 1
#
#
_START_6TO4_ () {
    # Local IPv4 address the kernel will use to reach the 6to4 relay
    # (independent of the ifconfig output format, which differs between distributions)
    LOCAL_IP_ADDR=$(ip -4 route get 192.88.99.1 | awk '{for (i = 1; i <= NF; i++) if ($i == "src") print $(i + 1)}')
    EXTEN_IP_ADDR=$(curl -s corz.org/ip)
    if [ -z "$LOCAL_IP_ADDR" ] || [ -z "$EXTEN_IP_ADDR" ]; then
        echo "Could not determine the local or the external IPv4 address" >&2
        exit 1
    fi
    # The 6to4 prefix 2002:WWXX:YYZZ::/48 is derived from the public IPv4 address W.X.Y.Z
    ARRR_6TO4_IPV6=$(printf "2002:%02x%02x:%02x%02x::1" $(echo "$EXTEN_IP_ADDR" | tr "." " "))
    NETWORK_PREFIX=$(printf "2002:%02x%02x:%02x%02x:1::/64" $(echo "$EXTEN_IP_ADDR" | tr "." " "))
    ETH0_IPV6=$(printf "2002:%02x%02x:%02x%02x:1::1/64" $(echo "$EXTEN_IP_ADDR" | tr "." " "))
    #
    # Create the tunnel
    ip tunnel add tun6to4 mode sit ttl 200 remote any local "$LOCAL_IP_ADDR"
    ip link set dev tun6to4 up
    ip -6 addr add "$ARRR_6TO4_IPV6/48" dev tun6to4
    ip -6 addr add "$ETH0_IPV6" dev eth0
    ip -4 addr add "$EXTEN_IP_ADDR" dev tun6to4
    #Comment:        RFC 3068
    #Comment:        http://www.rfc-editor.org/rfc/rfc3068.txt
    #Comment:        This block is used by multiple, separately operated networks
    #Comment:        and often originates from many different Autonomous Systems.
    #Comment:        The below adds a route redirecting the outgoing traffic to the anycast address.
    ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4 metric 1
    # "replace" rather than "add": assigning the /64 above already installed the
    # connected route, so "add" would fail with "File exists"
    ip -6 route replace "$NETWORK_PREFIX" dev eth0 metric 1
    # Display and test results
    _SHOW_
}
_STOP_ALL_ () {
    ip -6 route flush dev tun6to4
    ip -6 route flush scope global
    ip -6 addr flush scope global
    ip link set dev tun6to4 down
    ip tunnel del tun6to4
}
_REFRESH_TUNNEL_ () {
    _STOP_ALL_
    _START_6TO4_
}
_SHOW_ () {
    echo " =============== 6to4 Dynamic Tunnel ===================="
    echo " ETH0 IPV6 ADDR   : $(ip -6 addr show dev eth0 | awk '/inet6/ {print $2}')"
    echo " TUNNEL IPV6 ADDR : $(ip -6 addr show dev tun6to4 | awk '/inet6/ {print $2}')"
    echo " Testing Connectivity please wait..."
    # TEST IS PERFORMED TO ONE OF GOOGLE.COM IPV6 ADDR 2a00:1450:400c:c01::69
    if ping6 -c 1 2a00:1450:400c:c01::69 > /dev/null 2>&1; then
        echo " TEST RESULT : SUCCESS"
    else
        echo " TEST RESULT : FAILED TO CONNECT"
    fi
}
# Everything below changes interfaces, addresses and routes, so it needs root
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root or with sudo" >&2
    exit 1
fi
case "$1" in
  start)
    _START_6TO4_
    ;;
  stop)
    _STOP_ALL_
    ;;
  show)
    _SHOW_
    ;;
  refresh)
    _REFRESH_TUNNEL_
    ;;
  *)
    echo "Usage: tunnel6 {start|stop|refresh|show}"
    exit 1
    ;;
esac
exit 0
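As an added example (not part of the script above), here is the same 2002::/48 prefix arithmetic the script performs with printf, written out with Python's ipaddress module, plus a consistency check over one encapsulated packet from the tcpdump capture in the header comment. The address 87.68.46.0 is decoded from the 2002:5744:2e00:: prefix in that capture; the finding about NAT describes what the relay's return path requires, not a fact the page states about the author's network.

```python
import ipaddress

RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")   # RFC 3068 6to4 relay anycast


def sixtofour_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """Derive the /48 that 6to4 assigns to an IPv4 address W.X.Y.Z: 2002:WWXX:YYZZ::/48.

    Same arithmetic as the script's printf "2002:%02x%02x:%02x%02x::"."""
    v4 = ipaddress.IPv4Address(public_ipv4)
    if not v4.is_global:
        # 6to4 only works with a public address: relays send replies to the
        # IPv4 address embedded in the 6to4 prefix, so a private one is unreachable.
        raise ValueError(f"{v4} is not globally routable; 6to4 needs a public IPv4")
    # 2002 occupies the top 16 bits, the IPv4 address the next 32 (bits 111..80)
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def embedded_ipv4(ipv6: str):
    """IPv4 address embedded in a 6to4 address, or None for a native IPv6 address."""
    return ipaddress.IPv6Address(ipv6).sixtofour


def check_encapsulated_flow(outer_src: str, outer_dst: str, inner_src: str) -> list:
    """Sanity-check one outbound protocol-41 packet (outer IPv4, inner IPv6 source).

    Returns a list of findings; an empty list means the flow looks healthy."""
    findings = []
    if ipaddress.IPv4Address(outer_dst) != RELAY_ANYCAST:
        findings.append(f"outer destination {outer_dst} is not the 6to4 relay anycast")
    embedded = embedded_ipv4(inner_src)
    if embedded is None:
        findings.append(f"inner source {inner_src} is not a 6to4 address")
    elif ipaddress.IPv4Address(outer_src) != embedded:
        # The relay answers to the embedded address, so when the host itself
        # sends from a private address the NAT in front of it must forward
        # protocol 41 back to the host or the reply never arrives.
        findings.append(f"outer source {outer_src} differs from embedded {embedded}: "
                        "replies go to the embedded address, so a NAT must forward proto 41")
    return findings


if __name__ == "__main__":
    # Values taken from the capture in the script's header comment
    print(sixtofour_prefix("87.68.46.0"))          # 2002:5744:2e00::/48
    print(embedded_ipv4("2002:5744:2e00::1"))      # 87.68.46.0
    for f in check_encapsulated_flow("10.0.0.4", "192.88.99.1", "2002:5744:2e00::1"):
        print("finding:", f)
```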