6to4 - can't ping 192.88.99.1?

Hi all,

Once again I'm trying to get connected to the IPv6 world, but I think
I've now hit a problem with my ISP (or further upstream). But before I
go bugging them about it, I figured I'd ask some experts.

So here goes... I'm trying the default 6to4 approach:
$ ip tunnel add tun6to4 mode sit ttl 255 remote any local $WANIP6
$ ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4

But I can't reach any sites via IPv6. And I think it's because of this:

aschuring@neminis:~$ traceroute 192.88.99.1
traceroute to 192.88.99.1 (192.88.99.1), 30 hops max, 60 byte packets
1 gw.loos.site (172.22.21.1) 0.672 ms 1.513 ms 1.747 ms
2 213.197.27.154 (213.197.27.154) 18.367 ms 19.254 ms 19.463 ms
3 213.197.27.117 (213.197.27.117) 20.755 ms 21.175 ms 21.880 ms
4 ge-0.2.0.core1.ams.bb.your.org (204.9.53.58) 22.959 ms 23.564 ms
25.655 ms
5 * * *
6 * * *
[...]


But I don't know where to go from here. The last IP address belongs to a
small registrar in Illinois, which doesn't really make sense to me, but
I don't know how the 192.88.99.1 anycast addresses are maintained. Would
it make sense for me to ask my ISP to verify their routing tables?


Thanks for any help you can give me,

Arno

On Sun, 14 Jun 2009 00:30:08 +0200, Arno Schuring wrote:

> aschuring@neminis:~$ traceroute 192.88.99.1

Try traceroute -I 192.88.99.1

"Arno Schuring" <(E-Mail Removed)> wrote in message
news:87d1d$4a342870$d594e6a3$(E-Mail Removed) .net...
> Once again I'm trying to get connected to the IPv6 world, but I think
> I've now hit a problem with my ISP (or further upstream). But before I
> go bugging them about it, I figured I'd ask some experts.
>
> So here goes... I'm trying the default 6to4 approach:
> $ ip tunnel add tun6to4 mode sit ttl 255 remote any local $WANIP6
> $ ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4
>
> But I can't reach any sites via IPv6. And I think it's because of this:
>
> aschuring@neminis:~$ traceroute 192.88.99.1
> traceroute to 192.88.99.1 (192.88.99.1), 30 hops max, 60 byte packets
> 1 gw.loos.site (172.22.21.1) 0.672 ms 1.513 ms 1.747 ms
> 2 213.197.27.154 (213.197.27.154) 18.367 ms 19.254 ms 19.463 ms
> 3 213.197.27.117 (213.197.27.117) 20.755 ms 21.175 ms 21.880 ms
> 4 ge-0.2.0.core1.ams.bb.your.org (204.9.53.58) 22.959 ms 23.564 ms
> 25.655 ms
> 5 * * *
> 6 * * *
> [...]
>
>
> But I don't know where to go from here. The last IP address belongs to a
> small registrar in Illinois, which doesn't really make sense to me, but
> I don't know how the 192.88.99.1 anycast addresses are maintained. Would
> it make sense for me to ask my ISP to verify their routing tables?
>
> Thanks for any help you can give me,

Since you can traceroute toward it, your ISP obviously is getting a route
via BGP. Therefore, it's presumedly reachable. I can't verify if the
"your.org" 6to4 gateway is up because 192.88.99.0/24 is an anycast network
and my routing points to another provider's gateway.

As your first hop is in 172.16.0.0/12, you obviously have a NAT-box or
router on your network. Are you certain that IPv6 packets aren't hitting
your router? They may be IPv4 packets using protocol 41 (instead of TCP or
UDP), and some consumer devices cannot handle protocol 41 properly - or
need a DMZ'ed box to forward them through.

Hello,

Arno Schuring a écrit :
>
> So here goes... I'm trying the default 6to4 approach:
> $ ip tunnel add tun6to4 mode sit ttl 255 remote any local $WANIP6

What is $WANIP6 ?

> $ ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4

You skipped some steps :
- Assign an IPv6 address within your 6to4 prefix to one of your box
interfaces (it does not need to be the 6to4 interface).
- Add a route to the whole 6to4 prefix 2002::/16 on the 6to4 interface.

Actually these two steps can be merged in one operation, e.g. :

$ ip addr add <6to4address>/16 dev tun6to4

> But I can't reach any sites via IPv6.

Can you elaborate ? How did you test ? Any error messages ?

> And I think it's because of this:
>
> aschuring@neminis:~$ traceroute 192.88.99.1
> traceroute to 192.88.99.1 (192.88.99.1), 30 hops max, 60 byte packets
> 1 gw.loos.site (172.22.21.1) 0.672 ms 1.513 ms 1.747 ms
> 2 213.197.27.154 (213.197.27.154) 18.367 ms 19.254 ms 19.463 ms
> 3 213.197.27.117 (213.197.27.117) 20.755 ms 21.175 ms 21.880 ms
> 4 ge-0.2.0.core1.ams.bb.your.org (204.9.53.58) 22.959 ms 23.564 ms
> 25.655 ms
> 5 * * *
> 6 * * *
> [...]

Not necessarily. A 6to4 relay router may ignore anything but 6to4
traffic (IPv4 protocol 41).

> But I don't know where to go from here. The last IP address belongs to a
> small registrar in Illinois

Huh ? Your.org is a hosting company which is known to operate a 6to4
relay router. This seems to be their POP in the Netherlands.

From the private address in your first hop it appears that you may be
using some NAT. If so, make sure that :
- your NAT device can handle 6in4/6to4 (IPv4 protocol 41) traffic ;
- the NAT device forwards incoming 6to4 traffic from the outside to your
box (6to4 routing is asymmetric, so the IPv4 source address of a reply
may be different from the IPv4 destination address of the request and
simple masquerding won't handle this case) ;
- you use the 6to4 prefix derived from the public IPv4 address of the
NAT device, not from the private address of your box.

Hi all,

thanks for the replies. I realize I've not been as detailed as I should
have been, so please forgive me if I'm being too verbose now

Bit Twister wrote:
>> aschuring@neminis:~$ traceroute 192.88.99.1
> Try traceroute -I 192.88.99.1
No change, even if I do this from the router:

# traceroute -I 192.88.99.1
traceroute to 192.88.99.1 (192.88.99.1), 30 hops max, 38 byte packets
1 213.197.27.154 (213.197.27.154) 13.823 ms 24.154 ms 6.344 ms
2 213.197.27.117 (213.197.27.117) 7.070 ms 6.704 ms 6.826 ms
3 ge-0.2.0.core1.ams.bb.your.org (204.9.53.58) 7.599 ms 7.298 ms
7.050 ms
4 * * *
5 * * *


Pascal Hambourg wrote:
>> So here goes... I'm trying the default 6to4 approach:
>> $ ip tunnel add tun6to4 mode sit ttl 255 remote any local $WANIP6
>
> What is $WANIP6 ?
[...]
>> $ ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4
>
> You skipped some steps :
Yes I know. Because I couldn't reach the 6to4 gateway via ipv4, I
immediately jumped to the conclusion that giving the detailed IPv6
configuration was irrelevant.

So here is the IPv6-up script:
WANIP6=
while [ -z "$WANIP6" ] ; do
sleep 8
WANIP6=$(ip -4 addr show dev vlan1 | awk '/inet/ {print $2}' | cut -d/
-f1)
done

V6PREFIX=$(printf '2002:%02x%02x:%02x%02x' $(echo $WANIP6 | tr . ' '))
ip tunnel add tun6to4 mode sit ttl 255 remote any local $WANIP6
ip link set tun6to4 mtu 1280
ip link set tun6to4 up
ip addr add $V6PREFIX:0::1/16 dev tun6to4
ip addr add $V6PREFIX:1::1/64 dev br0
ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding



> - Add a route to the whole 6to4 prefix 2002::/16 on the 6to4 interface.
Side note: is there a reason why this route should be added even when I
have a 2000::/3 route already defined?

>> But I can't reach any sites via IPv6.
>
> Can you elaborate ? How did you test ? Any error messages ?
No errors, just timeouts:

aschuring@neminis:~$ ping6 -c3 www.kame.net
PING www.kame.net(orange.kame.net) 56 data bytes

--- www.kame.net ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

aschuring@neminis:~$ traceroute6 www.kame.net
traceroute to www.kame.net (2001:200:0:8002:203:47ff:fea5:3085), 30 hops
max, 80 byte packets
1 2002:d594:e6a3:1::1 (2002:d594:e6a3:1::1) 0.919 ms 1.003 ms 1.087 ms
2 * * *

- opening a browser to http://whatismyipv6.net : times out, then
redirects to the ipv4 site which says "Your IP is 213.148.230.163"


> Not necessarily. A 6to4 relay router may ignore anything but 6to4
> traffic (IPv4 protocol 41).
Hmm... that's too bad. So I have no way to confirm either the validity
of my ISP's routes, or test the reachability of the 6to4 gateway?


>> But I don't know where to go from here. The last IP address belongs to a
>> small registrar in Illinois
>
> Huh ? Your.org is a hosting company which is known to operate a 6to4
> relay router. This seems to be their POP in the Netherlands.
Ah. Didn't know that. I based my comment solely on the whois information:

aschuring@neminis:~$ whois 204.9.53.58

OrgName: YOUR.ORG, INC.
OrgID: YOURO
Address: 840 W Lake St #406
City: Roselle
StateProv: IL
PostalCode: 60172
Country: US
[...]

> From the private address in your first hop it appears that you may be
> using some NAT. If so, make sure that :
> - your NAT device can handle 6in4/6to4 (IPv4 protocol 41) traffic ;
> - the NAT device forwards incoming 6to4 traffic from the outside to your
> box (6to4 routing is asymmetric, so the IPv4 source address of a reply
> may be different from the IPv4 destination address of the request and
> simple masquerding won't handle this case) ;
> - you use the 6to4 prefix derived from the public IPv4 address of the
> NAT device, not from the private address of your box.
See below.

D. Stussy wrote:
> As your first hop is in 172.16.0.0/12, you obviously have a NAT-box or
> router on your network. Are you certain that IPv6 packets aren't hitting
> your router? They may be IPv4 packets using protocol 41 (instead of
TCP or
> UDP), and some consumer devices cannot handle protocol 41 properly - or
> need a DMZ'ed box to forward them through.

There are two boxes, to be exact. One is my modem (Emiment EM4206),
which is configured in bridged mode so it really only should be doing
modem-y things and not be dropping packets.

The router is a Linksys wrt54 with DD-WRT firmware installed. I already
know that (out-of-the-box) it has issues with IPv6 but I believe I've
overcome them. One problem that is still present is that the default
firmware image has no ipv6-tools (no ip6tables executable or kernel
module, no ping6 or traceroute6) so I'm a little constrained in the
tests I can do.

Here's the revelant info from my configuration (on the router):

# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
[ ACCEPT lines skipped ]
DROP udp -- anywhere anywhere udp dpt:route
ACCEPT ipv6 -- anywhere anywhere
DROP icmp -- anywhere anywhere
[ lines skipped ]
DROP 0 -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT ipv6 -- anywhere anywhere
[ lines skipped ]
DROP 0 -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[ empty ]

# ip -s ad
6: vlan1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:1d:7e:c6:9c:23 brd ff:ff:ff:ff:ff:ff
inet 213.148.230.163/24 brd 213.148.230.255 scope global vlan1
inet6 fe80::21d:7eff:fec6:9c23/64 scope link
7: br0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:1d:7e:c6:9c:22 brd ff:ff:ff:ff:ff:ff
inet 172.22.21.1/24 brd 172.22.21.255 scope global br0
inet 169.254.255.1/16 brd 169.254.255.255 scope global br0:0
inet6 2002:d594:e6a3:1::1/64 scope global
inet6 fe80::21d:7eff:fec6:9c22/64 scope link
9: tun6to4@NONE: <NOARP,UP> mtu 1280 qdisc noqueue
link/sit 213.148.230.163 brd 0.0.0.0
inet6 ::213.148.230.163/128 scope global
inet6 2002:d594:e6a3::1/16 scope global

# ip -s ro
172.22.21.0/24 dev br0 proto kernel scope link src 172.22.21.1
213.148.230.0/24 dev vlan1 proto kernel scope link src 213.148.230.163
169.254.0.0/16 dev br0 proto kernel scope link src 169.254.255.1
127.0.0.0/8 dev lo scope link
default via 213.148.230.1 dev vlan1
# ip -6 -s ro
::/96 via :: dev tun6to4 metric 256 mtu 1280 advmss 1220
2002:d594:e6a3:1::/64 dev br0 metric 256 mtu 1500 advmss 1440
2002::/16 dev tun6to4 metric 256 mtu 1280 advmss 1220
2000::/3 via ::192.88.99.1 dev tun6to4 metric 1024 mtu 1280 advmss 1220
[ fe80:: and ff00:: routes skipped ]


# cat /tmp/radvd.conf
interface br0 {
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
AdvLinkMTU 1280;
AdvSendAdvert on;
prefix 0:0:0:1::/64 {
AdvOnLink on;
AdvAutonomous on;
AdvValidLifetime 7200;
AdvPreferredLifetime 300;
Base6to4Interface vlan1;
AdvRouterAddr on;
};
};
# cat /proc/sys/net/ipv6/conf/all/forwarding
1


Many thanks for making it to the end of this mail,
Arno

Arno Schuring a écrit :
>
>> - Add a route to the whole 6to4 prefix 2002::/16 on the 6to4 interface.
>
> Side note: is there a reason why this route should be added even when I
> have a 2000::/3 route already defined?

Yes : reach directly other 6to4 networks. By the way I tested this and
it seems to work, so your overall 6to4 setup seems fine : if I ping your
router's 6to4 address from my 6to4 address, I get a (direct) reply.
However if I ping from my native IPv6 address, I get no reply.

> aschuring@neminis:~$ ping6 -c3 www.kame.net
> PING www.kame.net(orange.kame.net) 56 data bytes
>
> --- www.kame.net ping statistics ---
> 3 packets transmitted, 0 received, 100% packet loss, time 1999ms
>
> aschuring@neminis:~$ traceroute6 www.kame.net
> traceroute to www.kame.net (2001:200:0:8002:203:47ff:fea5:3085), 30 hops
> max, 80 byte packets
> 1 2002:d594:e6a3:1::1 (2002:d594:e6a3:1::1) 0.919 ms 1.003 ms 1.087 ms
> 2 * * *

Note that from my experience, www.kame.net appears to be one of the few
sites which is unfortunately not reachable using 6to4. However from the
lack of reply at the second hop, it seems that your were correct about
the faulty 6to4 relay or routing.

> Hmm... that's too bad. So I have no way to confirm either the validity
> of my ISP's routes, or test the reachability of the 6to4 gateway?

Maybe try to ping the IPv6 anycast address of the 6to4 relay,
2002:c058:6301::.

> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> ACCEPT ipv6 -- anywhere anywhere

Note that this rule is not necessary, as the hosts on your LAN don't use
6in4 encapsulation.

Pascal Hambourg wrote:
> By the way I tested this and
> it seems to work, so your overall 6to4 setup seems fine : if I ping your
> router's 6to4 address from my 6to4 address, I get a (direct) reply.
> However if I ping from my native IPv6 address, I get no reply.
Wow, that's very valuable information. Thanks for testing!

> Note that from my experience, www.kame.net appears to be one of the few
> sites which is unfortunately not reachable using 6to4.
Do you have a suggestion as to which address to use when testing IPv6
(6to4) connectivity?

>> Hmm... that's too bad. So I have no way to confirm either the validity
>> of my ISP's routes, or test the reachability of the 6to4 gateway?
>
> Maybe try to ping the IPv6 anycast address of the 6to4 relay,
> 2002:c058:6301::
Sadly, no luck:

aschuring@neminis:~$ ping6 -c3 2002:c058:6301::
PING 2002:c058:6301:2002:c058:6301: 56 data bytes

--- 2002:c058:6301:: ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2015ms



>> Chain FORWARD (policy ACCEPT)
>> target prot opt source destination
>> ACCEPT ipv6 -- anywhere anywhere
>
> Note that this rule is not necessary, as the hosts on your LAN don't use
> 6in4 encapsulation.
Ah yes, that makes sense. I added it manually just to be sure I covered
all the angles, glad to know it isn't necessary.

Thanks for your help. I'll take this to my ISP and see if they are
willing/able to help me out.


Thanks to all,
Arno

Arno Schuring a écrit :
>
> Do you have a suggestion as to which address to use when testing IPv6
> (6to4) connectivity?

whatismyipv6.net seems to work fine with 6to4 (when the relay works).

> Thanks for your help. I'll take this to my ISP and see if they are
> willing/able to help me out.

See <http://www.6to4.your.org/> too. I remember that Your.org's 6to4
relay router once had a firewall issue which was quicky solved thanks to
a cooperation between my ISP and Your.org.

On Sun, 14 Jun 2009 14:49:06 +0200, Arno Schuring wrote:
>> Try traceroute -I 192.88.99.1
> No change, even if I do this from the router:
>
> # traceroute -I 192.88.99.1
> traceroute to 192.88.99.1 (192.88.99.1), 30 hops max, 38 byte packets
> 1 213.197.27.154 (213.197.27.154) 13.823 ms 24.154 ms 6.344 ms
> 2 213.197.27.117 (213.197.27.117) 7.070 ms 6.704 ms 6.826 ms
> 3 ge-0.2.0.core1.ams.bb.your.org (204.9.53.58) 7.599 ms 7.298 ms
> 7.050 ms
> 4 * * *
> 5 * * *

How odd.

$ traceroute -I 192.88.99.1
traceroute to 192.88.99.1 (192.88.99.1), 30 hops max, 60 byte packets
1 gateway.home.test (192.168.1.1) 0.727 ms 0.835 ms 1.258 ms
2 L100.DLLSTX-VFTTP-33.verizon-gni.net (71.170.124.1) 8.402 ms 9.758 ms 9.885 ms
3 P11-1.DLLSTX-LCR-03.verizon-gni.net (130.81.58.104) 12.171 ms 12.32 12.384 ms
4 so-5-1-0-0.DFW01-BB-RTR1.verizon-gni.net (130.81.29.180) 14.414 14.467 14.660 ms
5 so-6-0-0-0.DFW80-PEER-RTR1-re1.verizon-gni.net (130.81.17.173) 42.159 17.202 44.187 ms
6 gige-g2-7.core1.dal1.he.net (64.62.205.49) 39.389 ms 40.988 ms 43.220 ms
7 10gigabitethernet5-2.core1.ash1.he.net (72.52.92.62) 53.272 47.801 49.659 ms
8 192.88.99.1 (192.88.99.1) 54.309 ms 49.032 ms 51.196 ms

Bit Twister a écrit :
>
> How odd.

What's odd ?

> $ traceroute -I 192.88.99.1
[...]
> 8 192.88.99.1 (192.88.99.1) 54.309 ms 49.032 ms 51.196 ms

So what ?