IPv6 was originally designed without tunnel technology in mind, but IPv4 is so widely deployed that it cannot simply be abandoned during the move to IPv6, so the two protocols have to coexist in the same network. In practice, some IPv6 networks are separated from each other by IPv4 networks, and some IPv4 networks are separated by IPv6 networks, so IPv6 traffic must be carried across IPv4 and IPv4 traffic across IPv6. IPv6 tunnel technology arose to meet that need. Tunneling is certainly an established standard for network integration, but in essence it stacks several packet headers on top of one another, which noticeably reduces forwarding efficiency: because the maximum Ethernet frame length is fixed, the larger the share of each frame taken up by headers, the lower the forwarding efficiency. Whether IPv6-over-IPv4 or IPv4-over-IPv6 is used, every packet carries two headers, and the IPv6 header is long; if the IPv4 network is itself an MPLS network, the header content grows longer still.
There are many types of IPv6 tunnel, for example: 6PE, which runs IPv6 over an MPLS network; GRE-based IPv6 tunnels, which carry IPv6 datagrams over an IPv4 GRE tunnel; UDP-based IPv6 tunnels, which solve the problem that traditional NAT cannot pass IPv6-over-IPv4 packets by encapsulating the IPv6 data in a UDP payload so that it can traverse NAT (the Teredo tunnel); proxy technology that simplifies tunnel configuration by providing automatic configuration; and ISATAP tunnels, manual tunnels, IPv4-compatible IPv6 automatic tunnels, and so on. IPv6 tunnels take many forms, and the main reason there are so many types is the need to adapt to the existing IPv4 network. GRE, MPLS, NAT and similar technologies are widely used in IPv4 networks, and IPv6 must be able to pass through them to truly coexist with IPv4, so tunnel technology has become an important part of IPv6. The whole network is now in the midst of a wave of IPv6 construction. Most of it consists of transforming existing IPv4 networks, that is, keeping the original IPv4 applications unchanged and then opening up IPv6 to support IPv6 users. The coexistence of the two major network technologies requires tunnel technology everywhere. We will not discuss each tunnel in detail here; the characteristics and implementation of each can be found online and are not hard to master, and every network device vendor provides guidance on how to use and configure each tunnel. If you really want to use them, however, you must watch out for some technical pitfalls so as not to fall into them and take many detours.
MTU Issues

When using a tunnel, the first thing to consider is the MTU, that is, the tunnel's maximum transmission unit and fragmentation. The minimum MTU of IPv6 is 1280 bytes; after passing through the tunnel an IPv4 header is added, which reduces the MTU available to the data packet from 1500 to 1480 bytes. A tunnel-encapsulated packet has a longer header than a normal packet: before encapsulation it did not exceed the maximum Ethernet frame length, but after the tunnel header is added it may. Packets at this boundary value must have fragmentation handled, otherwise they will not get through because of their length. The tunnel MTU supports both static configuration and dynamic negotiation. We can raise the MTU on the links the tunnel traverses so that packets no longer exceed the maximum Ethernet frame after encapsulation and need fragmenting; fragmentation is not a problem when handled properly, but it reduces forwarding efficiency. After raising the MTU we must also check whether the other devices on the tunnel path support it, otherwise some packets between the two ends will not pass because of the mismatch in MTU settings. This situation is sometimes hard to troubleshoot. For example, a BGP neighbor relationship may fail to come up through the tunnel because the BGP protocol sends messages of different lengths and some of them cannot pass. Tracing such a problem back to an MTU cause is not easy; a good design plan made in advance avoids it.

Tunnel neighbor establishment problem

There are many types of IPv6 tunnel, but basically only one type is used in a given network, and a network device does not support configuring more than two tunnels at the same time; at the very least, traffic cannot interoperate between two tunnels. The tunnel type must therefore be chosen first, according to the network's requirements.
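To make the MTU arithmetic above concrete, here is an added example (not code from the original article) that works out how much room each tunnel type mentioned leaves for the inner packet, what underlay MTU the links on the tunnel path would need to carry a full-size inner packet unfragmented, and what the tunnel ingress must do with an IPv6 packet that no longer fits. The overhead figures assume the basic header forms (no IPv4 options, no GRE key, no MPLS control word) and follow the RFC 4213 model in which IPv6 is never fragmented in transit.

```python
ETHERNET_MTU = 1500   # standard Ethernet payload MTU
IPV6_MIN_MTU = 1280   # every IPv6 link must carry at least this much
IPV4_HDR, IPV6_HDR, GRE_HDR, UDP_HDR, MPLS_LABEL = 20, 40, 4, 8, 4

# Bytes the outer encapsulation adds in front of the inner packet (assumed
# basic header sizes: no IPv4 options, no GRE key, no MPLS control word).
OVERHEAD = {
    "ipv6-over-ipv4": IPV4_HDR,            # manual / ISATAP / 6to4 (protocol 41)
    "gre-over-ipv4": IPV4_HDR + GRE_HDR,   # IPv6 inside GRE inside IPv4
    "teredo": IPV4_HDR + UDP_HDR,          # IPv6 inside UDP inside IPv4 (NAT traversal)
    "6pe": 2 * MPLS_LABEL,                 # transport label + IPv6 label in the MPLS core
    "ipv4-over-ipv6": IPV6_HDR,
}


def inner_mtu(tunnel, link_mtu=ETHERNET_MTU):
    """Largest inner packet that still fits the underlay link once encapsulated."""
    return link_mtu - OVERHEAD[tunnel]


def required_link_mtu(tunnel, inner_len=ETHERNET_MTU):
    """Underlay MTU every device on the tunnel path must support so that an
    inner packet of inner_len bytes crosses the tunnel without fragmentation."""
    return inner_len + OVERHEAD[tunnel]


def check_ipv6_packet(tunnel, inner_len, link_mtu=ETHERNET_MTU):
    """Classify what the tunnel ingress has to do with one IPv6 packet.

    IPv6 routers never fragment in transit. An oversized packet is bounced to
    the sender with ICMPv6 Packet Too Big so path MTU discovery can shrink it,
    except that a sender may always rely on 1280 bytes: when the tunnel leaves
    less than that, the encapsulator must fragment the *outer* IPv4 packet.
    """
    mtu = inner_mtu(tunnel, link_mtu)
    if inner_len <= mtu:
        return {"inner_mtu": mtu, "action": "forward"}
    if inner_len > max(mtu, IPV6_MIN_MTU):
        return {"inner_mtu": mtu, "action": "icmpv6-packet-too-big"}
    return {"inner_mtu": mtu, "action": "fragment-outer-ipv4"}


if __name__ == "__main__":
    print(check_ipv6_packet("ipv6-over-ipv4", 1500))   # 1500-byte IPv6 packet on Ethernet
    for t in OVERHEAD:
        print(f"{t:16s} inner MTU {inner_mtu(t)}  needs link MTU {required_link_mtu(t)}")
```

Running it shows why a BGP session that sends some large messages can fail through a tunnel whose path MTU was never raised, while small messages still pass.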
Establishing a tunnel is very simple: as long as the IP addresses at both ends of the tunnel are reachable, the tunnel can be established. IPv6 tunnels are not as rich as VXLAN tunnels and do not support split horizon, so it is common to have a single tunnel connecting two independent networks. As long as they are reachable, the addresses at both ends of the tunnel can interoperate at Layer 2 or Layer 3, and various QoS policies can be applied on the links the tunnel traverses. Tunnel problems come down to three kinds: failure to establish, tunnel flapping, and failure to communicate. The causes can be strange and vary from device to device. On the surface tunnel implementation looks complicated, but in fact there are not many problems: when forwarding outward through the tunnel, just ignore the inner layer, and when forwarding inward, just ignore the outer layer. Compared with other IPv6 technologies, tunneling looks intimidating on the surface but is actually not hard to master.

Tunnel safety

Tunnels are certainly less secure than ordinary network forwarding. Why? Because a tunnel faces security threats from both the inner and the outer layer. If the IPv4 address is spoofed, anyone can inject as much traffic as they want into the tunnel. 6over4 can likewise be attacked by address spoofing, and forged 6over4 packets from outside can enter the 6over4 domain. Because tunneling hides the payload and the ephemeral ports often used by voice calls and FTP clients during optimization, it becomes impossible to build effective security policies, and it may also cause other kinds of latent errors when networks are connected. According to Mike Morris in the article "Return to Cisco Subnets", "... suboptimal routing, maximum transmission unit problems, and risks in hardware and software scalability" are all possible.
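The address-spoofing threat described above is why a tunnel endpoint should validate both layers before decapsulating. The following added example (not code from the original article) implements that ingress check for IPv6-over-IPv4 (IP protocol 41) packets: the outer IPv4 source must be a configured tunnel peer, and the inner IPv6 source must belong to the prefix routed behind that peer. The peer table, addresses and the packet builder used to exercise it are constructed for this example.

```python
import ipaddress
import struct

# Assumption: each configured tunnel peer (outer IPv4 address) may only send
# inner IPv6 traffic sourced from the prefix routed behind it (constructed).
TUNNEL_PEERS = {
    "198.51.100.2": ipaddress.ip_network("2001:db8:1::/48"),
}


def parse_6in4(pkt):
    """Return (outer_src, inner_src, inner_dst) or None if not IPv6-in-IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                  # IPv4 header length in bytes
    if pkt[9] != 41 or len(pkt) < ihl + 40:    # protocol 41 and a full IPv6 header
        return None
    inner = pkt[ihl:]
    if inner[0] >> 4 != 6:
        return None
    return (ipaddress.ip_address(pkt[12:16]),
            ipaddress.ip_address(inner[8:24]),
            ipaddress.ip_address(inner[24:40]))


def tunnel_ingress_verdict(pkt):
    """Accept only packets whose outer and inner sources are both consistent."""
    parsed = parse_6in4(pkt)
    if parsed is None:
        return "drop: not an IPv6-in-IPv4 packet"
    outer_src, inner_src, _ = parsed
    allowed = TUNNEL_PEERS.get(str(outer_src))
    if allowed is None:
        return "drop: outer source is not a configured tunnel peer"
    if inner_src not in allowed:
        return "drop: inner source does not belong to the peer's prefix"
    return "accept"


def build_6in4(outer_src, inner_src):
    """Constructed minimal IPv6-in-IPv4 packet (no payload, zero checksum)."""
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0, 0, 64, 41, 0,
                        ipaddress.ip_address(outer_src).packed,
                        ipaddress.ip_address("198.51.100.1").packed)
    inner = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,   # next header 59: none
                        ipaddress.ip_address(inner_src).packed,
                        ipaddress.ip_address("2001:db8:2::1").packed)
    return outer + inner
```

The same two checks apply to any encapsulation: 6over4 and Teredo endpoints likewise need to tie the inner IPv6 source to what the outer source is entitled to send.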
In short, the security issues of tunnel technology will become more prominent. For data centers that pay special attention to network security, how to establish a secure tunnel is a long-term research topic, and there is still a lack of protection technology aimed specifically at tunnels. IPv6 tunnels are a necessary technology for connecting IPv6 islands in IPv4 networks and IPv4 islands in IPv6 networks. Since the whole-network construction began in 2018, IPv6 tunnels have seen very little use; most deployments are still based on enabling IPv4/IPv6 dual stack. As IPv6 deployment deepens, some local area networks may come to use tunnels, and at that point the issues raised in this article must be considered seriously. Although IPv6 tunneling is relatively sound in theory, there are few real application cases, and new problems may be encountered in practice. In the transformation of the whole network to IPv6, the IPv6 tunnel as an application feature will certainly play an important role.