The sys admin's daily grind: Miredo

Exploring the Tunnel

© fckngc, 123RF

© fckngc, 123RF

Article from Issue 109/2009

The move from IPv4 to IPv6 must be gradual rather than abrupt. After just two minutes of configuration work, Charly leans back and watches his first IPv6 packets pass through a Miredo tunnel.

Network component manufacturers are still spreading the dread tidings: IP addresses are becoming scarce. Stories spread of large access providers buying out smaller ones to get their hands on their IPv4 address pools. If you prefer not to be a victim of the digital famine, you need to switch quickly, says the industry that offers IPv6-capable switches and gateways.

But really, not many access providers can give you native IPv6. In fact, in the context of discussions on IPv6, the word "move" doesn't seem to be all that appropriate. "Co-location" sounds more like it but does tend to remind one of grammar lessons at school. "Dual-tracking" is maybe the best option, because a peaceful coexistence of IPv4 and IPv6 is likely to become the rule, rather than the exception, in the near future.

If you are a customer with an IPv4 provider and would like to add IPv6 to your home network, many tunneling solutions are around that you can try. Configuring them will typically require admin-level skills and is probably beyond the ability of less experienced users, who simply want to explore the field. Teredo solves this problem. The technology, which was developed by Microsoft, sets up an IPv6 tunnel behind a NAT router and automatically distributes the required addresses. Teredo encapsulates the IPv6 payload in v4 UDP datagrams. The Teredo RFC 4380 points out that this is simply an interim solution – other people have been known to refer to it as a "dirty hack."

This Is Not What Problems Look Like

Whatever your opinion, however, Teredo isn't a bad choice for some cautious, initial steps toward IPv6. Setting up Teredo requires virtually no configuration work, and clients are available for any recent operating system. For example, the Linux Miredo [1] client is included with practically any popular distribution. On my Ubuntu lab machine, all I needed to do was type:

apt-get install miredo

to both install the client and start the service. In less than a minute, I had a working IPv6 connection with a prefix of 2001::/32, as defined by the RFC (Figure 1), even though my client resides behind no fewer than two NAT gateways.

Figure 1: The tunnel gives you a sneak preview of the IPv6 future. This example uses the prefix 2001::/32.

Miredo doesn't need a modified kernel; instead, it runs completely in userspace. Although you need to launch Miredo as root to define the required interface parameters, it de-escalates its privileges to nobody after launch. The -u username option lets you specify a user other than nobody. Some distros create a miredo account during the installation.

Finally, a word about security: Whereas NAT routers, which just about every DSL user in the IPv4 world has, put up some kind of protection against undesirable access, IPv6 tears down these barriers. If you are worried about delving into ip6tables, you should at least bind all services suitable for this purpose to localhost (::1).

The Author

Charly Kühnast is a Unix operating system administrator at the Data Center in Moers, Germany. His tasks include firewall and DMZ security and availability. He divides his leisure time into hot, wet, and eastern sectors, where he enjoys cooking, fresh water aquariums, and learning Japanese, respectively.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Charly's Column – Reverse SSH Tunnel

    This month, Charly Kühnast draws attention to a widely unknown weather phenomenon: The instability of rarely used tunnels leading to a Raspberry Pi. Read on for greater insights.

  • The sys admin's daily grind: sshuttle

    When he doesn't want to deal with OpenVPN version conflicts or congestion control problems during TCP tunneling, Charly catches a ride on sshuttle.

  • Charly's Column

    Some of Charly’s servers run the SSH daemon on port 443 rather than on the standard port 22. If an SSL-capable Apache web server starts causing trouble, his method of settling the dispute is sslh.

  • Charly's Column: Corkscrew

    Sys admin columnist Charly never takes a vacation from the Internet. A beach bar with WiFi is quickly found, but it runs a forced proxy, which thinks that the SSH port (22) is in league with the devil and blocks the connection. Time to drill a tunnel.

  • Charly's Column

    What does Charly’s recent two-week vacation in Holland have in common with an SSH session? Nothing at all, at first sight. And therein lies a tale.

comments powered by Disqus

Direct Download

Read full article as PDF:

055-055_charly.pdf (1.06 MB)
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Find SysAdmin Jobs