How do I route IPv4 encapsulated packets?

itojun@iijlab.net
Fri, 18 May 2001 22:31:11 +0900


>I have the (netgear) NAT box forwarding EVERYTHING to this
>OpenBSD box (firewalls are moot when the inside machines are
>all secure).

	I don't recommend using IPv6-over-IPv4 across a NAT box.  sometimes
	you can make it work, but the way you need to tweak it is not universal
	(can depend on the NAT box).

>My question is this: 
>What do tunnelled IPv6 over IPv4 packets look like to the
>intermediate machine?

# /sbin/ping6 -I gif0 ff02::1
PING6(56=40+8+8 bytes) fe80::2d0:b7ff:fe1e:8dee%gif0 --> ff02::1
16 bytes from fe80::2d0:b7ff:fe1e:8dee%lo0, icmp_seq=0 hlim=64 time=0.228 ms
16 bytes from fe80::208:c7ff:fe73:17f3%gif0, icmp_seq=0 hlim=64 time=166.289 ms(DUP!)
^C
--- ff02::1 ping6 statistics ---
1 packets transmitted, 1 packets received, +1 duplicates, 0% packet loss
round-trip min/avg/max/std-dev = 0.228/83.258/166.289/83.031 ms


09:31:38.775978 216.98.98.132 > 202.232.2.100: fe80::2d0:b7ff:fe1e:8dee > ff02::1: icmp6: echo request (len 16, hlim 64) (ttl 30, id 56935)
                         4500 004c de67 0000 1e29 b5ee d862 6284
                         cae8 0264 6000 0000 0010 3a40 fe80 0000
                         0000 0000 02d0 b7ff fe1e 8dee ff02 0000
                         0000 0000 0000 0000 0000 0001 8000 0a35
                         22e8 0000 3a24 053b c3d6 0b00
09:31:38.942059 202.232.2.100 > 216.98.98.132: fe80::208:c7ff:fe73:17f3 > fe80::2d0:b7ff:fe1e:8dee: icmp6: echo reply (len 16, hlim 64) (ttl 24, id 34155)
                         4500 004c 856b 0000 1829 14eb cae8 0264
                         d862 6284 6000 0000 0010 3a40 fe80 0000
                         0000 0000 0208 c7ff fe73 17f3 fe80 0000
                         0000 0000 02d0 b7ff fe1e 8dee 8100 2949
                         22e8 0000 3a24 053b c3d6 0b00

>An ICMP6 packet looks like ICMP4 with more payload?

	I don't see what you are trying to mean.

>Tcpdump doesn't help cause ALL the machines speak IPv6 and
>it just tells me it's an encapsulated IP6 packet.

	why does it not help?  see above...

>Or is it impossible to tunnel IPv6 through a NAT box no
>matter the setup.

	almost impossible (or is not worth your precious time),
	I would say...

itojun
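
The first packet of the tcpdump output above, decoded field by field, as an added example that is not part of the original post. It shows what a NAT box or packet filter on the path actually sees: an outer IPv4 header with protocol number 41, followed directly by the IPv6 header, with no TCP/UDP ports in between. The function names are hypothetical; the hex is copied from the dump.

```python
import ipaddress
import struct

# First packet from the tcpdump output in the post, from the outer IPv4 header on.
CAPTURED_HEX = """
4500 004c de67 0000 1e29 b5ee d862 6284
cae8 0264 6000 0000 0010 3a40 fe80 0000
0000 0000 02d0 b7ff fe1e 8dee ff02 0000
0000 0000 0000 0000 0000 0001 8000 0a35
22e8 0000 3a24 053b c3d6 0b00
"""
IPPROTO_IPV6 = 41  # IANA protocol number for IPv6 encapsulated in IPv4


def ipv4_checksum_ok(header: bytes) -> bool:
    """The one's-complement sum over a valid IPv4 header folds to 0xffff."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_6in4(packet: bytes) -> dict:
    """Decode the outer IPv4 header and inner IPv6 header (hypothetical helper)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    total_len, ident = struct.unpack("!HH", packet[2:6])
    if packet[9] != IPPROTO_IPV6:
        raise ValueError(f"outer protocol {packet[9]} is not 41 (IPv6-in-IPv4)")
    inner = packet[ihl:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("truncated or malformed inner IPv6 header")
    payload_len, next_header, hop_limit = struct.unpack("!HBB", inner[4:8])
    return {
        "outer_src": str(ipaddress.IPv4Address(packet[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "outer_proto": packet[9], "ttl": packet[8], "id": ident,
        "checksum_ok": ipv4_checksum_ok(packet[:ihl]),
        "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
        "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
        "payload_len": payload_len, "next_header": next_header,
        "hop_limit": hop_limit,
    }


if __name__ == "__main__":
    for field, value in parse_6in4(bytes.fromhex("".join(CAPTURED_HEX.split()))).items():
        print(f"{field:12} {value}")
```

The decoded values match the tcpdump summary line for that packet (ttl 30, id 56935, hlim 64, len 16), and next header 58 is ICMPv6.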