ipv6 at home, Part 2: Tunnel brokers, Windows “AYIYA” tunnel

Has it been 2 months? High time to get on with the planned ipv6 series, then. If you are entirely new to ipv6, it may pay to read part 1: overview.

In this installation, I will cover the use of the SixXS tunnel broker to create an ipv6-over-ipv4 tunnel from your Windows PC, on XP or Vista. This may sound like so much gobble-de-gook – some background is in order. Feel free to skip down to the nuts-and-bolts section if tunneling is an “old hat” to you.

To recap, there are three major ways that a Windows PC will gain access to the ipv6 Internet: Teredo, which is covered in part 1 – bordering-on-easy to set up on Vista, but the most inefficient way  to gain access, and limited in its usefulness under XP.  Tunnel brokers, which I will cover in this part and parts 3/4. And native ipv6 access provided by your ISP, which I’d love to cover, but will need help doing so as none of the ISPs in my area offer it.

Tunnel Types

The “tunnel” that is being brokered here is ipv6 traffic encapsulated in ipv4. A machine on your network acts as your local tunnel endpoint, and your tunnel broker has a device “out there” that acts as the other end. You only have direct ipv4 connectivity. Your tunnel broker is connected both to ipv4 and ipv6. When a machine on your network desires to reach an ipv6 address, it will send the packet to your local tunnel endpoint. That machine wraps the ipv6 packet in an ipv4 header, and sends it over your ipv4 connection to the tunnel broker’s endpoint. There, the ipv6 packet is removed from its wrapper, and sent on its way to the ipv6 destination. Return traffic flows similarly, with the tunnel broker wrapping, and your machine unwrapping.

While this sounds relatively straightforward, the details of how this “wrapping” and “unwrapping” work (encapsulation and decapsulation for those who want to sound technical about it) impose certain restrictions on how you can deploy this in your own network.  Consequently, there are a number of tunnel brokers available, but only a few of these offer tunnels that will work behind “NAT”, a.ka. what your home router does to your traffic before it hits your ISP’s network.

The three major ways of configuring ipv6-over-ipv4 tunnels, then, are:

  • Static 6-to-4 tunnels, using IP protocol  41. These are well suited to being deployed on an ipv6-capable router. Which most folk do not have at home. I will cover this setup in part 4, using a Juniper SSG-5 firewall as an example endpoint.
  • AICCU/AYIYA tunnels, which are offered by SixXS. These can traverse NAT, and I will cover them in this article. They use PC client software. They’ll run on pretty much any OS out there – I will cover Windows only in this post.
  • Hexago TSP tunnels, which can also traverse NAT. I intend to cover this in part 3, and see how it stacks up against SixXS. These also use PC client software.

Configuring an AYIYA tunnel

Let’s get into the “nuts-and-bolts” of setting up a SixXS tunnel, then. SixXS offers POPs (Points of Presence) all over the globe, and just recently added free 10GBit connectivity. This bodes well for good speed when using the service.  They offer three types of tunnels: AICCU/AYIYA (Anything-in-Anything), which traverses NAT and which I will cover here; AICCU/Heartbeat, which is meant for use without NAT, but with a dynamic IP; and a “plain” static 6-to-4 tunnel, which is meant for static IPs and will usually be terminated on a router, not a PC.

SixXS offer a good overview of how to get a tunnel running in their “10 Steps to ipv6” document. I’ll run through those steps with you.

But before I do, one more word about how the SixXS AYIYA tunnel works: You’ll receive a /64 tunnel subnet, for which SixXS will only route the endpoints – the PC running the AICCU utility, and the SixXS end. If you want to get any of your other machines at home onto ipv6, you’ll need to request a /48 subnet from SixXS. These actions – requesting a tunnel, requesting a subnet, changing tunnel properties – cost “ISK”, a virtual currenty SixXS uses. You gain ISK by signing up, and thereafter by having a functioning tunnel up and running.

1) Sign up with SixXS. In fact, first sign up with LinkedIn, or Xing, both “professional” social networking sites.  The reason is that the amount of SixXS “ISK” you receive upon signup with a LinkedIn or Xing profile is sufficient to request a /48 subnet right away, while without those profiles, it’ll just be enough to request a tunnel, after which you’d have to have the tunnel up and running for a week to accumulate enough ISK to request a subnet. SixXS will warn you that signup is handled by people, and it may be weeks before you get your account. In my case, I received it within a day, and was assigned 75 ISK – plenty to start experimenting.

[Update] As has been pointed out in the comments, signing up with SixXS means handing over some of your personal data, such as your name, and having that published in the whois directory. If that makes you nervous, SixXS is not for you.

2) Log in, and request a tunnel. You’ll want an AYIYA tunnel, which happens to be the default setting. Remember to specify your city and country! This will impact your speed, as SixXS will allocate you a POP (tunnel endpoint) close to you. In the next step, select a POP, and give a reason for selecting this POP as well as describe what you’ll use the tunnel for. Again, tunnel requests are processed by people – so be polite, do give a reason, and you’ll get your tunnel set up quickly. Note there will be no email notification when the tunnel is live – just check the SixXS page. SixXS will send you email notification when the tunnel request has been granted, and if you’re smarter than Yours-Truly, you’ll check the right email account.

3) Once you have your tunnel, and if you have enough ISK, and intend to get other machines in your home onto IPv6, request a subnet. This is again, assigned manually to you – in “less than a week” according to the SixXS confirmation page. Usually it takes just a few hours.

4) Set up AICCU. This gets just a tad involved at present, so I’ll abandon the numbering and step you through this.

Update 4/10/2008 – I have had big network slowdown issues after installing Tun/Tap 901 on Vista64. It’s uninstalled again, and I will update again when I know more – such as whether I can reproduce that issue, and how.

Update 7/28/2009 – Upon using OpenVPN 2.1-rc19 in Vista64, I couldn’t even ping the default gateway through aiccu any more, though this worked in XP64. Time to move on from this post. (2009-08-06: that was possibly coincidence)

Update 8/6/2009 – Some notes on behavior when a PoP goes down added.

There’re two parts to an AICCU/AYIYA tunnel: A “Tun/Tap” driver, and the “AICCU” application. Tun/Tap is part of the OpenVPN project. This could be fairly straightforward, but at current is not, due to versioning.

Tun/Tap exists in a version “801”, which has been tested on Windows 2000 and XP, but exists for Vista only in an experimental version, for XP64 in an experimental version, and for Vista64 not at all.

Tun/Tap version “901” works on Windows 2000 / XP / Vista. The version available at SixXS at present will not install on 64-bit Windows, but there is a way around that, see below.

AICCU comes in two flavors for Windows: A GUI version, which is nice and user-friendly, but which, as of this writing, does not support the “901” Tun/Tap driver. And a console version, which does support that driver version, but which is, by its nature, considerably less user-friendly. I expect this to change. The GUI AICCU is at version “2006.07.23” as of April 5th 2008, while the Console AICCU is at “2008.03.15”. At present, then, we’ll use the GUI version to create a configuration file, and use the Console version to set up the actual tunnel. Once the GUI version has been updated, this additional step of needing to use a Console application to establish the tunnel will be unnecessary.

To start, download the tap32 driver version “901”, the AICCU GUI application, and if the GUI application is still at version “2006.07.23” when you do your downloading, also the Console application. If you are running XP64 or Vista64 and the tap32 driver on the SixXS page refuses to install – which it did for me – you may will also need to download the latest build of OpenVPN 2.1.

[Update: I would generally recommend installing a current version of the TAP driver from an OpenVPN package at this point]

Install the tap32 driver, using “addtap.bat”. This failed for me on XP64 and Vista64, so I used the 2.1-rc79 2.1-rc19  install of OpenVPN instead, choosing to only install the “TAP-Win32 Virtual Ethernet Adapter”, nothing else. On Vista, you’ll get a prompt asking you whether you really mean it and you trust the driver; on XP, you won’t which you may also see in XP, depending on the OpenVPN version.

Start the GUI version of AICCU and log in. NB: If you are running Vista, you must start it as Administrator by right-clicking, “Run as Administrator”.

Choose your tunnel.

Lastly, choose Save Configuration from the menu under the SixXS logo. This will save your configuration in c:\windows\aiccu.conf (hence, the need to run as Administrator in Vista), where the Console version can find it.

Close the GUI version – you may have to right-click it in your task bar and choose “Quit”.

Now open a command line – which, in Vista, you may will also have to do as Administrator – navigate to where you downloaded the Console version of AICCU, and execute it using the “start” argument. You expect to see something along these lines:

aiccu-2008-03-15-windows-console.exe start
Succesfully retrieved tunnel information for T15039
[warning] Couldn't open registry key: SYSTEM\CurrentControlSet\Control\Class\{4D
36E972-E325-11CE-BFC1-08002BE10318}000\ComponentId (t2/2 vs 0/0 vs 1)
Renaming adapter 'Local Area Connection 2' to 'aiccu' and using it
[AYIYA-start] : Anything in Anything (draft-02)
[AYIYA-tun->tundev] : (Socket to TUN) started

Open a browser, and go to go6.net. If everything’s working, you expect to see “You are using IPv6 from” at the top of the page. NB: Firefox 2 may have issues with IPv6. Use Firefox 3 or IE instead.

[Update: go6.net can be temperamental. On a few occasions, it showed me as coming in from IPv4 although the IPv6 tunnel was fully functional. You can cross-check by going to ipv6.google.com, which is, well, Google,  on an IPv6-only address]

Note that the tunnel uses an MTU of 1280. This may cause issues with large packets, if machines in the path block IPv6 Path MTU Discovery. You can work around this issue by manually setting the MTU of the tunnel interface.

netsh interface ipv6 set interface aiccu mtu=1280

Vista-specific twist: As with Teredo, Vista refuses to resolve ipv6 addresses, because your physical interface only has a link-local address. There’s a discussion of this in part 1 – I’ll just give you the quick-and-dirty instructions here: Open up the Properties of your LAN or WiFi interface, and change it to have a static IPv6 address. Use the 192.168.1.2 equivalent of 2002:81a8:102:: with a netmask of 48. Do not configure a default gateway for this address.

Running the tunnel as a service

At this point, you can manually start your tunnel. To get the tunnel to come up every time Windows starts, some more work is needed: We are going to install the Console version of AICCU as a service.

Before I show you how to do that, one quick note: I am using the tap901 driver included in OpenVPN because I run XP64 and Vista64. If the steps here sound like way too much work, and you run a 32-bit version of Windows, you can just install the older tap801 driver, and use the GUI version of AICCU, which includes its own service installer. Once a newer AICCU GUI version that works with the tap901 driver becomes available, many of the steps here will become unneccessary, as well.

Download the “srvany” application. Extract its contents into a directory of your choice, c:\aiccu in my case. Copy / rename the Console version of AICCU into this same directory, as aiccu.exe. This is for simplicity’s sake, really.

Now open a command line – as Administrator if running Vista! – navigate to c:\aiccu, and run this command:

instsrv.exe aiccuService c:\aiccu\srvany.exe

Next, you’ll need to edit the registry. So open up regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aiccuService, and add a key named “Parameters“, and under it, a String value called “Application“, set to “c:\aiccu\aiccu.exe start“.

It’s time to test this service. If AICCU is still running, stop it. Open up Start | Control Panel | Administrative Tools | Services, find aiccuService, and choose Action | Start. You expect the service to start without errors.

You’ll also want to verify that the service is set to “Automatic” (by default, it will be), and you may have to open its Properties, and check “Allow service to interact with desktop” on the “Log On” tab.

Navigate to go6.net once more to verify that you are indeed using ipv6. NB: It may take a minute for the system to start using IPv6 once the service has been started.

[Update] I have not had consistent results with getting a hybrid ipv4/ipv6 site such as go6.net to display my ipv6 address, even when ipv6 is working through an AYIYA tunnel. You can always test with an ipv6-only site such as ipv6.google.com.

aiccu behavior when a PoP goes down

While re-testing aiccu, the PoP my tunnel terminates on went down, and was, after a day or so, flagged “down” by SixXS. I requested a new tunnel to a different PoP, re-configured aiccu to use that tunnel, deleted the old tunnel in the SixXs web interface (which has it still “sticking around”, though) and am not having a whole lot of joy:

C:\aiccu>aiccu tunnels
T22555 2001:4978:f:3a1::2 ayiya uschi02

C:\aiccu>aiccu start
[error] Couldn’t show tunnel T15039: 500 This PoP is unfortunately currently down, see http://www.sixxs.net/pops/status/ for more information.
[error] Couldn’t retrieve first tunnel for the above reason, aborting

I’ve reached out to SixXS to see whether they can’t remove the old, down tunnel completely from my handle. This would be considered a bug in aiccu, I’d say.

[Update] This was my own fault: The new tap driver no longer requires admin rights per release notes, so I ran aiccu from an unprivileged prompt. While aiccu.conf can indeed be read, aiccu still somehow “remembered” the old tunnel. Run aiccu from an elevated cmd prompt, and the problem disappears.

IPv6 to the rest of your network

[This section is work-in-progress. The instructions in this section do not make for a functioning router setup at present]

[Update 2009-07-28: I could not get this to work. Addresses are given out, Wireshark shows traffic routing from the LAN to the aiccu interface and traffic coming back in to the aiccu interface, but not being routed back out the LAN interface. At this point, I’ll give up – if you know how to get Windows to route ipv6 traffic, clue me in, and I’ll retest]

Are we done yet? Well, if your own machine is all you’re connecting, yeah, you’re done. Otherwise, you’ll need that subnet you requested earlier, and you’ll have to set your Windows machine up to route for the rest of your network. This will be done through command line – I’ll assume you’re familiar on how to operate it, by now.

The SixXS POP will usually allocate you a /48 subnet, which is sufficient for over 65,000 physical networks. More than you’ll ever need at home, or for your fledgling business, for that matter. The easiest way to get going is to take the address you’ve been assigned, and replace the /48 with a /64, like so: “2001:4830:126a::/48” becomes “2001:4830:126a::/64”. If you want to get deeper into subnetting, you can use a handy IPv6 subnet calculator.

Start by listing your network interfaces using the command “netsh interface ipv6 show interface”

C:\>netsh interface ipv6 show interface
Querying active state…

Idx  Met   MTU    State         Name
—  —-  —–  ————  —–
7     2   1280  Disconnected  Teredo Tunneling Pseudo-Interface
6     0   1400  Disconnected  Network Connect Adapter
5     0   1500  Connected     aiccu
4     0   1500  Connected     Local Area Connection
3     1   1280  Connected     6to4 Pseudo-Interface
2     1   1280  Connected     Automatic Tunneling Pseudo-Interface
1     0   1500  Connected     Loopback Pseudo-Interface

Of the subnet you chose above, use the “::1” address for your Ethernet or WiFi LAN connection. In this example case, the address will be  “2001:4830:126a::1”. Add this address to your LAN interface:

C:\>netsh interface ipv6 add address interface=”Local Area Connection” address=2001:4830:126a::1
Ok.

Next, add your subnet to the routing table, using the interface number you got with the show interface command, and instruct Windows to publish this route in router advertisements:

C:\>netsh interface ipv6 add route 2001:4830:126a::/64 interface=4 publish=yes
Ok.

In Vista, the route most likely already was added when you configured the address. In that case, modify the route to have it published, and verify:

C:\>netsh interface ipv6 set route 2001:4830:126a::/64 interface=4 publish=yes
Ok.

C:\>netsh interface ipv6 show route
Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
——-  ——–  —  ————————  —  ————————
Yes      Manual    256
2001:4830:126a::/64         4  Local Area Connection

Enable routing (forwarding) and router advertisements on your LAN interface:

C:\>netsh interface ipv6 set interface interface=4 forwarding=enabled advertise=enabled
Ok.

Enable routing on your aiccu tunnel interface, too:

C:\>netsh interface ipv6 set interface interface=5 forwarding=enabled
Ok.

And lastly, allow ICMP messages necessary for Path MTU Discovery through your Windows host firewall:

netsh firewall set icmpsetting type=11 mode=enable
netsh firewall set icmpsetting type=2 mode=enable

At this point, all other IPv6-enabled machines in your LAN network should receive addresses in your /64 subnet range, and be able to route to IPv6 addresses through the machine your AYIYA tunnel runs on.

Conclusion

On my Comcast connection here in Western MA, going through a NJ SixXS POP, I get about 300k/sec download from an ipv6 server, whereas my Hurricane static tunnel gives me about 700k/sec. Your mileage will vary – do some speedtests when you can.

SixXS works, and works well. I wish the OpenVPN / GUI / Console gyrations were not necessary – setup of an AYIYA tunnel on 64-bit Windows is less than straightforward. On the other hand, SixXS has POPs worldwide, is free, and offers tunnels that don’t need a hardware router – that’s worth a lot.

Advertisements