Show 86 – Connect To The IPv6 Internet For Free Using TunnelBroker.net

Hurricane Electric’s Owen DeLong joins Ethan Banks and Greg Ferro to discuss TunnelBroker.net. What’s TunnelBroker.net? It’s a free service from Hurricane Electric that lets you connect to the IPv6 Internet across an IPv4-only connection. Want to get started with IPv6? This is a great way to go, not only for the connectivity, but also for the IPv6 education Hurricane Electric offers.

We keep the show pretty on-topic, and cover the following information.

  • Who is Hurricane Electric?
  • In simple terms, what’s the TunnelBroker.net service?
  • Are these “real” routable IPv6 address blocks HE is issuing?
  • Why is HE offering this service (a) at all and (b) for free?
  • Who is eligible to use TunnelBroker.net?
  • Why bother? Isn’t carrier grade NAT going to save us all?
  • There are several types of IPv6 over IPv4 tunnels. What kind of tunnel is tunnelbroker.net using, and why was this type chosen over others?
  • What sorts of devices can successfully bring up an IPv6 tunnel to HE?
  • What sort of tunnel termination device is on the HE side? Is it redundant/resilient? In what way?
  • Explain the tunnelbroker.net provisioning process. Is it automated or are there humans involved?
  • Once the tunnel is up, what can you do with it?
  • Can end users do anything crazy like advertise their own RIR-assigned IPv6 allocation to HE via BGP through the tunnel? Or nail up 2 tunnels to HE to have redundant virtual links for their IPv6 block?
  • What happens if the user’s IPv4 tunnel endpoint is dynamically assigned, and the address changes?
  • How does a person advertise their IPv6-enabled service with DNS?
  • What resources would you recommend for a person trying to get smart about IPv6?
  • What’s a good strategy for a business looking to do IPv6 multihoming?
  • Is IPv6 prefix translation just a lame way for carriers to get out of upgrading their equipment?

Ethan Banks
Ethan Banks, CCIE #20655, has been managing networks for higher ed, government, financials and high tech since 1995. Ethan co-hosts the Packet Pushers Podcast, which has seen over 2M downloads and reaches over 10K listeners. With whatever time is left, Ethan writes for fun & profit, studies for certifications, and enjoys science fiction. @ecbanks
  • http://twitter.com/Vegaskid1973 Matt Thompson

    I’d heard of these guys a few months ago and after my exposure to IPv6 this last week, had committed to using their services upon my return. Looking forward to listening.

    • Stephen Stack

      Great Show as usual – Matt, if you need some help with TunnelBroker’ing – let me know ;)

  • http://twitter.com/zloeber Zachary Loeber

    The HE folk are bright people, I cannot wait to hear the show!

    On a side note, Ethan, your name is something straight out of a spy movie.

  • http://www.brianraaen.com/ Brian Christopher Raaen

    Interesting, I just wrote a short blog post on Hurricane Electric tunnels, bringing my total of HE tunnel posts to two.  One on using Linux and the other on using a Cisco router.

  • http://twitter.com/paulgear1 Paul Gear

    Where did you get your Vint Cerf poster?

  • http://twitter.com/gingmar Mario Gingras

    I’ve been using their service since last June and it was a breeze to set it up on my fruit company wireless router. The only time it broke was when my ISP changed my IP address.

    Will look into their IPv6 training.

  • http://twitter.com/paulgear1 Paul Gear

    Greg & Ethan, i think the view of NAT you present on the show is caricatured.  Greg in particular oversimplifies the situation because his analogy is flawed.  Perhaps if i can offer an adjustment to the analogy, i might explain it in a way that makes sense to you.

    The real reason for using PO boxes is not that it obfuscates your residential address but that it *makes it easier to manage your mail*.  A PO box enables a number of different scenarios that would not be possible with direct mail delivery.  Here are some of them:

    1. I can move houses from one place to another within the same town and not need to update my address with lots of people.
    2. I may have problems with vandalism in my neighbourhood; i want the mail kept at the post office instead of sitting around in my mailbox during the day.
    3. I may want to collect my mail in the city on the way home from work and read it during my train commute to the suburbs.
    4. I could leave the mail in the PO box all week and only collect it on Saturdays (if i have rented a box with sufficient capacity).
    5. Multiple persons who work for the same company from different offices can share the same PO box and the same mail processing staff for their mail delivery.

    I’m sure there are others, but you get the point.  The PO box provides a central point of mail management, severs the relationship between the place of residence/work and the place of mail delivery, and allows people to adapt their mail workflow to something that suits them better.  For someone who works from home and wants their mail delivered daily with an easy walk to the end of the driveway to pick it up, a PO box would offer no benefits, but for others it might be a critical part of how they manage their mail.

    That is the role that NAT can play in a network – it severs the relationship between the IP address and the structure of packet delivery in the network.  As you rightly pointed out, this can cause problems with some applications, and might not be necessary in many networks, but for others it’s precisely what is needed.

    • http://packetpushers.net/author/ecbanks Ethan Banks

      Did Greg’s analogy suck because it doesn’t have parallels everywhere you wanted them? Maybe it did, but I don’t really care, because I believe the point is still valid. You’re nitpicking the analogy, not the larger point. That said, there are uses for NAT. I personally would never argue that no one should ever use it. But the fact of the matter is that I don’t WANT to use NAT in the IPv6 world we’re slowly moving towards. NAT does more harm than good. It’s a pain point to manage. The single greatest challenge I have today on my small-ish enterprise network with a lot of VPN tunnels to third parties is coping with NAT. NAT is a pain in the butt, and there’s no way around that. NAT DOES break applications. NAT DOES complicate firewall & router configurations. NAT DOES add logging & forensics complexity. NAT DOES NOT offer security in any practical sense, and no amount of argument will change my mind on that. Show me a NAT scheme you think is protecting you, and I’ll show you a stateful firewall that’s actually doing the job.

      Will there be a need for NAT in an all IPv6 world? I’m sure some scenarios will present themselves where NAT66 is an appropriate answer…as you say “precisely what is needed.” I’m pretty sure Ivan Pepelnjak has blogged about such. But we’re very early in the IPv6 game from a standpoint of global deployment, and already we’re hearing of not one, but a number of schemes to extend IPv4’s NAT capabilities, and NAT66 schemes that do little more than accommodate carriers’ either unwillingness or inability to grow their IPv6 routing tables. Shame on them. Miserable, finger-pointing shame.

      I’m sorry, but I’m sick to death of NAT. Sick of it. Frustrated, angry, weary, fill-in-the-blank with a colorful, overdramatic adjective of your choosing. I have pissed away hours and hours and hours over the years creating, re-working, and troubleshooting complicated NAT schemes necessitated by overlapping IPv4 address space as well as having to NAT RFC1918 space to get to the Internet. For example, NAT on the Cisco ASA, probably the most commonly deployed firewall platform on the planet in enterprise networks, is an utter joke the deeper I get into it. Cisco made major changes in 8.3 and 8.4 and then got it wrong with a NAT rule processing order that’s just shy of random (I’m exaggerating to make a point, but the documentation on ASA NAT processing order reads like pulp fiction) and can even trump the routing table. Even *Check Point* does NAT better.

      IPv6 should be greatly reducing my network’s dependence on NAT, and I think we all need to get behind the anti-NAT movement. Let’s not keep talking about how NAT will live on in IPv6. Will it? Yes, as I said earlier, I’m sure unique situations will present themselves. Should NAT be the expected, anticipated normative IPv6 behavior? It better not be, or else we’ve all failed – standards bodies, carriers, and engineering staffs. All of us.

      • http://twitter.com/paulgear1 Paul Gear

        Wow – did they move stabby Tuesday without telling me?  :-)

        All i was pointing out was that Greg’s setting up of a poor analogy and then using it as justification for dismissing the technology doesn’t make much sense.  I wasn’t ignoring the technology for the analogy, just trying to find some common ground by starting with the same analogy.  Obviously #fail on my part. ;-)

        You seem to think that NAT is neutral at best, and usually harmful, whereas in my experience there are many instances where NAT makes things easier to troubleshoot and more comprehensible.  Certainly i think the ability to structure internal addressing schemes without reference to the constraints of the address space provided by one’s registrar is a huge advantage.  (Here in APNIC territory, this is a big deal if you still care about IPv4, which most of us do.)

        I’m not suggesting that everybody use NAT all the time.  I’m aiming to get my own network native IPv6 end-to-end for this year’s IPv6 day, and of course i’ll do it without NAT.  All i’m saying is that it’s not as simple as: NAT bad, no NAT good.

        Maybe i’ve lived a sheltered life, but i have never had to troubleshoot a problem that ended up being caused by NAT, and NAT has never been a stumbling block for that troubleshooting.  That said, every NAT device i’ve used was Linux-based, and from what you’ve said, if i had started with Cisco’s NAT, i might have a very different view.

        P.S. Curious: what sort of scale is “small-ish enterprise network”?  How many sites, staff, switch ports in the core, VPN tunnels, and public IPs are we talking about?

  • http://twitter.com/CharlieClemmer Charlie Clemmer

    Great show and I enjoyed hearing the commentary from Owen. 

    HE is providing a great service to the community, and as a resource for getting up to speed on IPv6 quickly (and even having a little fun with the IPv6 certification program), it’s been a blast!

    Thanks for doing this show guys!