6to4 addresses

A look a the IPv6 6to4 class of addresses.

For anyone with an existing IPv4 address the 6to4 class of IPv6 addresses provide a quick method to get up and running with IPv6. There’s no registration process needed and no permission needed to use the addresses. Just configure and go!

In this article we’ll take a look at what these addresses are and how then can be utilized to gain access to the rest of the IPv6 internet.

What are 6to4 addresses

A 6to4 address is a special class of IPv6 address in which the IPv6 includes an embedded IPv4 address. This embedded IPv4 address makes the addresses unique for every IPv4 address and provides a method to automatically find a IPv4-to-IPv6 gateway for those IPv6 addresses.

All 6to4 address are easy to identify since they start with the 2002 prefix. They are defined as one of the transition methods for IPv6 in RFC3056. The full definition of a 6to4 address is:

The combination of the Format Prefix and the Top Level Aggregator gives the first 16 bits as 2002 (in hex). The next 32 bits contains the IPv4 IP address. This embedded address must be a valid IPv4 address that belongs that is reachable on the IPv4 internet. It will be used as the gateway machine for the rest of the IPv6 internet to reach your machine (via an automatic tunnel over IPv4). The reminder of the address is available for local use with the intention being to use 16 bits for the subnet address and 48 bits for the host address.

For example, if your IPv4 address is 172.29.45.100 [1] then we can calculate the 6to4 address prefix by taking the hex representation of the IPv4 address and prefixing it with the 6to4 prefix:

 [hydrogen]~%> printf "2002:%x%02x:%x%02x\n" 172 29 45 100
 2002:ac1d:2d64

A complete address would consist of this prefix followed by the subnet number and the host number. The following shows an example setup containing three machines and their associated 6to4 addresses. The subnet used is 1 and the hostname component is automatically generated for the client and manually set to 1 and 2 for the firewall and server respectively:

   +-- Client (hydrogen)
   |   (IPv6) 2002:ac1d:2d64:1:2e0:18ff:fefb:7a25
   |
   +-- Server (oxygen)
   |   (IPv6) 2002:ac1d:2d64:1::2
   |
   |   (IPv6) 2002:ac1d:2d64:1::1
   +-- Firewall (zinc)

Tunneling

While having IPv6 working within a single network might be a nice start it’s not really a lot of use without being able to communicate with all the other IPv6 machines out there. Like all transition method the solution is to tunnel IPv6 packets over IPv4.

For packets with a destination addresses beginning with a prefix of 2002 (the 6to4 address prefix) the packets can be automatically tunneled by a gateway router to the IPv4 address embedded in the address. In the following example the firewall doubles as the gateway router (which is common) and has two separate IPv6 addresses (one address is in subnet 1 on the internet LAN, and the other is on subnet 0 and is the gateway addresses.)

   +-- Client (hydrogen)
   |   (IPv6) 2002:ac1d:2d64:1:2e0:18ff:fefb:7a25
   |
   +-- Server (oxygen)
   |   (IPv6) 2002:ac1d:2d64:1::2
   |
   |   (IPv6) 2002:ac1d:2d64:1::1
   +-- Firewall / Gateway router (zinc)
   |   (IPv6) 2002:ac1d:2d64::1
   |   (IPv4) 172.29.45.100
   |
   | (ipv6-over-ipv4 tunnel)
   |
   |   (IPv4) 192.168.112.45
   |   (IPv6) 2002:c0a8:702d::1
   +-- Firewall / Gateway router (tin)

 [hydrogen]~%> traceroute6 tin
 traceroute to tin (2002:c0a8:702d::1) from
 » 2002:ac1d:2d64:1:2e0:18ff:fefb:7a25, 30 hops max, 16 byte packets
  1  2002:ac1d:2d64:1::1 (2002:ac1d:2d64:1::1)  0.452 ms  0.18 ms  0.122 ms
  2  2002:c0a8:702d::1 (2002:c0a8:702d::1)  66.161 ms  68.9 ms  66.233 ms
 [hydrogen]~%>

Note that the remote host, tin, could was able to route packets back because they were originally from a 6to4 address (hydrogen‘s address). So it was able to automatically tunnel them over IPv4 to the local gateway router‘s IPv4 address of 172.29.45.100. Any host that has both IPv4 and IPv6 addresses (regardless of the type of IPv6 address) is able to perform this automatic tunneling in order to send packets to 6to4 IPv6 addresses.

For packets whose destination address is not a 6to4 address another method is needed to contact them. Again IPv6-over-IPv4 tunneling is used but the packets need to be tunneled to a host that contains connectivity to both the IPv4 network and the real IPv6 network, called a 6to4 relay router. In the following example the host 192.88.99.1 is used as the relay router:

   +-- Client (hydrogen)
   |   (IPv6) 2002:ac1d:2d64:1:2e0:18ff:fefb:7a25
   |
   +-- Server (oxygen)
   |   (IPv6) 2002:ac1d:2d64:1::2
   |
   |   (IPv6) 2002:ac1d:2d64:1::1
   +-- Firewall / Gateway router (zinc)
   |   (IPv6) 2002:ac1d:2d64::1
   |   (IPv4) 172.29.45.100
   |
   | (ipv6-over-ipv4 tunnel)
   |
   |   (IPv4) 192.88.99.1
   |   (IPv6) 2002:c058:6301::1
   +-- Relay router (zinc)
   |   (IPv6) {real IPv6 address(es)}
   |
  (Rest of IPv6 network)

 [hydrogen]~%> traceroute6 www.kame.net
 traceroute to orange.kame.net (2001:200:0:8002:203:47ff:fea5:3085) from
 » 2002:ac1d:2d64:1:2e0:18ff:fefb:7a25, 30 hops max, 16 byte packets
  1  2002:cbd9:1d86:1::1 (2002:cbd9:1d86:1::1)  0.211 ms  0.149 ms  0.12 ms
  2  2002:3eec:20cb::1 (2002:3eec:20cb::1)  412.087 ms  
  3  2001:6e8:1:1:1:1:1:1 (2001:6e8:1:1:1:1:1:1)  413.888 ms  416.029 ms  415.803 ms
  4  2001:7f8:7::790:1 (2001:7f8:7::790:1)  398.918 ms  398.695 ms  397.304 ms
  5  at1-0-100.r3.alto.esp.fi.v6.eunetip.net (2001:670:1:f000::2)  398.382 ms  402.046 ms
 » 397.684 ms
  6  kpnqwest-gw1.nl.ipv6.aorta.net (2001:730::1:6)  408.174 ms  406.497 ms  404.062 ms
  7  be-bru-re-02-t-0.ipv6.aorta.net (2001:730::1:5)  418.124 ms  413.4 ms  413.12 ms
  8  3ffe:80b0:1000:0:204:ddff:fe08:f10 (3ffe:80b0:1000:0:204:ddff:fe08:f10)  455.341 ms
 » 457.599 ms  457.016 ms
  9  ge0-0-0-0.gr0.ixbru.be.easynet.net (2001:6f8:0:201::1)  457.974 ms  459.282 ms  455.531 ms
 10  so0-1-1-0.gr0.gdbru.be.easynet.net (2001:6f8::35:11:1)  458.687 ms  462.519 ms  458.679 ms
 11  so0-2-0-0.gr0.thlon.uk.easynet.net (2001:6f8::3:20:1)  459.778 ms  458.511 ms  462.911 ms
 12  so0-1-0-0.gr0.hsnyc.us.easynet.net (2001:6f8::3:31:2)  529.188 ms  530.478 ms  531.656 ms
 13  2001:6f8::18:21:2 (2001:6f8::18:21:2)  528.45 ms  527.957 ms  530.168 ms
 14  fe0-0-0-0.gr0.bwnyc.us.easynet.net (2001:6f8:0:100::1)  529.673 ms  528.528 ms  530.47 ms
 15  nyc6-gate0.iij-america.net (2001:240:100:fffd::21)  574.09 ms  711.16 ms  575.031 ms
 16  otm6-bb1.IIJ.Net (2001:240:100:fffd::ff)  574.26 ms  721.918 ms  612.637 ms
 17  otm6-gate0.iij.net (2001:200:0:1800::2497:0)  681.471 ms tky001ix06.IIJ.Net
 » (2001:240:100:2::30) 572.239 ms tky001ix06.IIJ.Net (2001:240:100:1::30)  590.686 ms
 18  hitachi1.otemachi.wide.ad.jp (2001:200:0:1800::9c4:2)  570.874 ms  573.218 ms  572.263 ms
 19  hitachi1.otemachi.wide.ad.jp (2001:200:0:1802:240:66ff:fe10:cf7c)  578.181 ms  572.46 ms
 » 570.816 ms
 20  gr2000.k2c.wide.ad.jp (2001:200:0:4819::2000:1)  574.55 ms pc3.yagami.wide.ad.jp
 » (2001:200:0:1c04::1000:2000)  579.396 ms gr2000.k2c.wide.ad.jp (2001:200:0:4819::2000:1)
 » 576.071 ms
 21  orange.kame.net (2001:200:0:8002:203:47ff:fea5:3085)  612.776 ms 572.989 ms
 » gr2000.k2c.wide.ad.jp (2001:200:0:4819::2000:1)  578.724 ms
 [hydrogen]~%>

The above examples used the address of 192.88.99.1 as the relay router address. This is the standard address that anyone can use and is discussed more in the next section.

6to4 relay router address

In the examples in the previous section the IPv4 address 192.88.99.1 was used as the relay router address. This is a special address defined in RFC3068 that anyone using 6to4 addresses may use as a relay router address for reaching the rest of the IPv6 internet.

This gateway address does not refer to a single machine, but rather a specific address that gateways are expected to advertise (via BPG). So in theory this should connect to the nearest (in BPG route terms) gateway. This is not always the case though and other 6to4 gateways may provide a far better path.

From two different ISPs in Australia this resolves to a machine in Switzerland and Finland respectively, and there is no saying when this will change or what it would be from other ISPs. Perhaps more important there is an actual 6to4 relay router available in Australia which significantly shorts the path to IPv6 internet. The follow example uses the AARNet relay router at ipv6.broadway.aarnet.net.au (192.231.212.5):

 [hydrogen]~%> traceroute6 www.kame.net
 traceroute to orange.kame.net (2001:200:0:8002:203:47ff:fea5:3085) from
 » 2002:ac1d:2d64:1:2e0:18ff:fefb:7a25, 30 hops max, 16 byte packets
  1  2002:ac1d:2d64:1::1 (2002:ac1d:2d64:1::1)  0.193 ms  13.881 ms  0.18 ms
  2  2002:c0e7:d405::1 (2002:c0e7:d405::1)  35.837 ms  41.879 ms  35.629 ms
  3  tunnelXX.tpr3.jp.apan.net (2001:388:0:2::2)  363.041 ms  382.8 ms  366.619 ms
  4  hitachi1.otemachi.wide.ad.jp (2001:200:0:1800::9c4:2)  362.1 ms  365.106 ms  393.305 ms
  5  pc3.yagami.wide.ad.jp (2001:200:0:1c04::1000:2000)  386.68 ms  362.495 ms  363.477 ms
  6  gr2000.k2c.wide.ad.jp (2001:200:0:4819::2000:1)  365.217 ms  366.891 ms  363.225 ms
  7  orange.kame.net (2001:200:0:8002:203:47ff:fea5:3085)  371.281 ms  387.188 ms  363.529 ms

A list of publicly available 6to4 gateways is provided in Nick’s list of public 6to4 relay routers which can be handy to find a closer 6to4 relay router than that provided by using 192.88.99.1. But please carefully check the policy of the relay router you select when not using the standard address.

Should I use 6to4 addresses?

Like all the other methods of obtaining IPv6 addresses, there are both advantages and disadvantages to 6to4 addresses.

The main advantages are:

  • No need to register anything, if you have an IPv4 address then you also have IPv6 6to4 addresses;
  • Traffic between separate 6to4 sites takes the most direct route possible. This in turn can give you lower latency and may also permit you to take advantage of free traffic (if your ISP has free peering links).

The main disadvantages are:

  • If you only have a dynamic IPv4 address then your IPv6 6to4 addresses will also be dynamic.
  • There is currently no support for setting reverse DNS entries when using 6to4 addresses.
  • The tunneled IPv6 packets may arrive from any IPv4 addresses and therefore filtering becomes both more difficult and more important.

Documentation:

The following RFCs provide the definition of 6to4 addresses and the 6to4 relay routers:

Footnotes

[1] Note that as the private IPv4 addresses are not valid for use in IPv6 addresses. Therefore the addresses used in the examples will not work in a real configuration. You must change them to match your own IPv4 address.

† 15 Feb 2004: Revision 2 © 2004 Jamie Lenehan

Leave a Reply

Your email address will not be published. Required fields are marked *