0

I have two computers.

Host 1 is a Debian machine running Miredo (Teredo client) inside of a VirtualBox VPN. The VM host is running under a private IP address space (192.168.0.0).

Host 2 is an Ubuntu machine.

Host 1 <-> Virtual Host <-> Corporate NAT Gateway <-> Internet <-> D-Link 6to4 <-> Host 2

  • From host 1 I can ping6 ipv6.google.com
  • From host 2 I can ping6 ipv6.google.com
  • From host 1 to host 2 95% packets are dropped. May

However, I am not able to ping between host 1 and host 2: 95% of the packets are being dropped. Interestingly, a few are actually making it through, but not enough to establish a reliable connection.

My questions ...

Is it possible to communicate between an IPv6 6to4 host and an IPv6 Teredo host?

UPDATE: I have managed to get a traceroute between the machines while it was working ...

 1  6to4.fmt2.he.net (2001:470:0:108::2)  102.245 ms  102.240 ms  102.244 ms
 2  gige-g5-20.core1.fmt2.he.net (2001:470:0:108::1)  102.487 ms  102.387 ms  102.267 ms
 3  10gigabitethernet1-2.core1.pao1.he.net (2001:470:0:30::2)  365.425 ms  365.299 ms  365.180 ms
 4  6to4.pao1.he.net (2001:470:0:13b::2)  369.045 ms  367.008 ms  366.802 ms
 5  2002:ae00:444a::ae00:444a (2002:ae00:444a::ae00:444a)  164.187 ms  167.457 ms  172.094 ms
 6  2002:ae00:444a:5:215:f2ff:fe5c:2a16 (2002:ae00:444a:5:215:f2ff:fe5c:2a16)  171.991 ms * *

It jumps between working, 75% packet failures and just plain old destination unreachable.

kasperd
Mike F

2 Answers

2

6to4 is known to be unreliable, and Teredo is even worse. When you communicate between 6to4 and Teredo you get all the problems of each combined plus a few more due to complex interactions between the protocols.

Thus it may come as a surprise to you that the answer is: Yes, you can get reliable communication between 6to4 and Teredo.

Both protocols suffer from the same main problem. They rely on third party relays which are underprovisioned and due to their third party nature come with no SLA.

Teredo uses one relay for both directions. 6to4 usually uses two for different directions, but due to the triangular routing in Teredo you end up depending on three 6to4 relays rather than just two. That is a total of four third party relays which you will be depending on - all of which must have enough capacity for your traffic.

But you don't have to rely on third party relays. You can set up your own relay.

Setting up your own Teredo relay

The Teredo relay is the simplest to set up, and it happens to be the most important to your scenario. A Teredo relay needs a single UDP port on a public IPv4 address. Thus you should not deploy the relay on the LAN behind your D-Link router. You should avoid having any 6to4 relay/gateway on the path between your LAN and the Teredo relay. Thus you should not deploy the relay outside the D-Link router.

In short you need a Teredo relay on the D-Link router to make connectivity work reliably. If the D-Link cannot run a Teredo relay, your best option is to replace the D-Link router with a router which can run a Teredo relay. In my experience it will work reliably if you use a Linux machine with Miredo configured in relay mode for the router.

Deploying your own Teredo relay on the D-Link router would not only mean that you no longer rely on a third party Teredo relay. It will also give you a native path between your Teredo relay and your LAN, thus you avoid two of the three third party 6to4 relays as well.

What's left

You would still be relying on a single third party 6to4 relay. A Teredo client needs to choose which Teredo server it will be using. The two Teredo clients I know of each have a default configured which will be used if you do not change the configuration yourself. The network path from the Teredo server to your D-Link router will have to pass through a 6to4 relay.

So what you need to do is to choose a Teredo server with access to a reliable 6to4 relay. Ideally a 6to4 relay should be configured on the machine running the Teredo server.

Is this a recommendable configuration?

Installing a Teredo relay on your router is definitely a reliability improvement as long as your router has a public IPv4 address. It will give a significant reliability improvement for any communication with Teredo users, and it will not have any impact on other communication. This is true regardless of whether your router is doing 6to4 or native IPv6.

Using 6to4 on your LAN is however not recommendable as many networks have not installed any 6to4 relays. Hosts on your LAN would often face problems communicating with hosts with native IPv6.

Using a Teredo client is not recommendable either due to all the same reasons that 6to4 isn't. However there are a few cases where Teredo can be useful. Most importantly a Teredo client can connect to hosts on the LAN behind your router (assuming your router has a Teredo relay). And sometimes I have come across CGN deployments working so poorly that Teredo through the CGN is more reliable than TCP through the CGN.

kasperd
0

It should work, but is dependent on correctly functioning relay routers run by third parties.

To simplify debugging it makes sense to test Teredo and 6to4 separately. I used Hurricane Electric's looking glass to ping your D-Link router from the routers listed 2 and 3 in your traceroute output; IPv4 worked, IPv6 lost lots of packets. I can ping myself from there OK.

I can ping your D-Link via a direct 6to4 tunnel without problems, but if I direct replies via Hurricane Electric, by using a source address delegated from them, packets go missing. It would appear the path from your D-Link to Hurricane Electric is faulty, so using traceroute from the 6to4 end will help find the problem. Also try traceroute to 192.88.99.1, the 6to4 relay anycast address.

You should consider signing up with a tunnelbroker, to avoid the problems with broken 6to4 relay routers.
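
Testing the IPv4 and IPv6 paths separately, as described above, depends on knowing the public IPv4 address behind each tunnel endpoint, and both address formats embed it. The following is an added example (not code from either answer) that decodes 6to4 addresses (RFC 3056) and Teredo addresses (RFC 4380); the 6to4 address is hop 6 of the traceroute in the question, while the Teredo address is a constructed sample.

```python
import ipaddress

SIXTOFOUR = ipaddress.ip_network("2002::/16")   # 6to4 prefix
TEREDO = ipaddress.ip_network("2001::/32")      # Teredo prefix (2001:0000::/32)


def decode_tunnel_address(addr: str) -> dict:
    """Return the IPv4 details embedded in a 6to4 or Teredo address."""
    ip = ipaddress.IPv6Address(addr)
    raw = int(ip)

    if ip in SIXTOFOUR:
        # Bits 16..47 (after the 2002 prefix) are the 6to4 router's public IPv4.
        router = ipaddress.IPv4Address((raw >> 80) & 0xFFFFFFFF)
        return {"kind": "6to4", "router_ipv4": str(router)}

    if ip in TEREDO:
        # Layout: prefix(32) | server IPv4(32) | flags(16) | port(16) | client IPv4(32)
        server = ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)
        flags = (raw >> 48) & 0xFFFF
        # The mapped port and address are stored with every bit inverted.
        port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF
        nat = ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)
        return {
            "kind": "teredo",
            "server_ipv4": str(server),
            "cone_flag": bool(flags & 0x8000),
            "nat_ipv4": str(nat),
            "nat_udp_port": port,
        }

    return {"kind": "other"}


if __name__ == "__main__":
    samples = [
        "2002:ae00:444a:5:215:f2ff:fe5c:2a16",    # hop 6 from the question
        "2001:470:0:108::2",                      # hop 1 from the question
        "2001:0:4136:e378:8000:63bf:3fff:fdd2",   # constructed Teredo sample
    ]
    for sample in samples:
        print(sample, "->", decode_tunnel_address(sample))
```

The decoded `router_ipv4` is the address to ping or traceroute over plain IPv4 when isolating whether loss occurs on the IPv4 leg or at a relay.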