The sys admin's daily grind: Miredo

Exploring the Tunnel

© fckngc, 123RF

© fckngc, 123RF

Article from Issue 109/2009
Author(s):

The move from IPv4 to IPv6 must be gradual rather than abrupt. After just two minutes of configuration work, Charly leans back and watches his first IPv6 packets pass through a Miredo tunnel.

Network component manufacturers are still spreading the dread tidings: IP addresses are becoming scarce. Stories spread of large access providers buying out smaller ones to get their hands on their IPv4 address pools. If you prefer not to be a victim of the digital famine, you need to switch quickly, says the industry that offers IPv6-capable switches and gateways.

But really, not many access providers can give you native IPv6. In fact, in the context of discussions on IPv6, the word "move" doesn't seem to be all that appropriate. "Co-location" sounds more like it but does tend to remind one of grammar lessons at school. "Dual-tracking" is maybe the best option, because a peaceful coexistence of IPv4 and IPv6 is likely to become the rule, rather than the exception, in the near future.

If you are a customer with an IPv4 provider and would like to add IPv6 to your home network, many tunneling solutions are around that you can try. Configuring them will typically require admin-level skills and is probably beyond the ability of less experienced users, who simply want to explore the field. Teredo solves this problem. The technology, which was developed by Microsoft, sets up an IPv6 tunnel behind a NAT router and automatically distributes the required addresses. Teredo encapsulates the IPv6 payload in v4 UDP datagrams. The Teredo RFC 4380 points out that this is simply an interim solution – other people have been known to refer to it as a "dirty hack."

This Is Not What Problems Look Like

Whatever your opinion, however, Teredo isn't a bad choice for some cautious, initial steps toward IPv6. Setting up Teredo requires virtually no configuration work, and clients are available for any recent operating system. For example, the Linux Miredo [1] client is included with practically any popular distribution. On my Ubuntu lab machine, all I needed to do was type:

apt-get install miredo

to both install the client and start the service. In less than a minute, I had a working IPv6 connection with a prefix of 2001::/32, as defined by the RFC (Figure 1), even though my client resides behind no fewer than two NAT gateways.

Figure 1: The tunnel gives you a sneak preview of the IPv6 future. This example uses the prefix 2001::/32.

Miredo doesn't need a modified kernel; instead, it runs completely in userspace. Although you need to launch Miredo as root to define the required interface parameters, it de-escalates its privileges to nobody after launch. The -u username option lets you specify a user other than nobody. Some distros create a miredo account during the installation.

Finally, a word about security: Whereas NAT routers, which just about every DSL user in the IPv4 world has, put up some kind of protection against undesirable access, IPv6 tears down these barriers. If you are worried about delving into ip6tables, you should at least bind all services suitable for this purpose to localhost (::1).

The Author

Charly Kühnast is a Unix operating system administrator at the Data Center in Moers, Germany. His tasks include firewall and DMZ security and availability. He divides his leisure time into hot, wet, and eastern sectors, where he enjoys cooking, fresh water aquariums, and learning Japanese, respectively.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Charly's Column

    If you do not receive a response to a ping, or if the response is seriously delayed, you might like to take this as a warning. But who wants to ping all day? You need a ping-based monitoring utility like Smokeping.

  • Charly's Column: GestióIP

    A tidy house, a tidy mind they say, and I’ll leave it up to you to consider what being disorganized might mean. Anybody who has tried to manage hundreds of IP addresses using just a sheet of paper or a spreadsheet will probably appreciate some help.

  • Charly's Column

    Corporate policies prohibit the unauthorized connection of hardware to the company network, threatening dire consequences in the case of non-compliance. Fair enough, but how do you actually go about catching somebody trying to plug an illegal laptop into your Ethernet?

  • Charly's Column: Corkscrew

    Sys admin columnist Charly never takes a vacation from the Internet. A beach bar with WiFi is quickly found, but it runs a forced proxy, which thinks that the SSH port (22) is in league with the devil and blocks the connection. Time to drill a tunnel.

  • Radius and 802.1X

    The Radius protocol is typically used to authenticate users in dial-up scenarios. But Radius is also useful in LAN environments: in combination with 802.1X, Radius forces users to authenticate at a low level before the switch opens up a port.

comments powered by Disqus

Direct Download

Read full article as PDF:

055-055_charly.pdf (1.06 MB)

News

njobs Europe
What:
Where:
Country:
Njobs Netherlands Njobs Deutschland Njobs United Kingdom Njobs Italia Njobs France Njobs Espana Njobs Poland
Njobs Austria Njobs Denmark Njobs Belgium Njobs Czech Republic Njobs Mexico Njobs India Njobs Colombia