# 6to4 or 6in4 - which do you use?



## Deleted member 9563 (Jun 14, 2014)

I recently needed to get IPv6 connectivity and ran into a problem configuring my router. I was unsuccessful in getting my Tomato (Shibby 1.05 AIO) router to accept a 6in4 configuration with a tunnel from Hurricane Electric. I finally got it to work simply by choosing 6in4 instead. That appears to function well.

According to http://test-ipv6.com/ (which may be opinionated - I don't know), 6to4 is not desirable, whereas 6in4 is the way to go. I don't really understand why. In thinking more about it, I've come to suspect that using a tunnel would actually create some security issues which would have to be dealt with if one chooses that route.

What do other people do, and why?


----------



## SirDice (Jun 17, 2014)

For HE IPv6 you need to use gif(4):

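```
# /etc/rc.conf: IPv6-in-IPv4 tunnel to Hurricane Electric via gif(4)
gif_interfaces="gif0"
# IPv6a/IPv6b: local and remote IPv6 addresses of the tunnel (placeholders)
ifconfig_gif0_ipv6="inet6 IPv6a IPv6b prefixlen 64"
# IPv4a/IPv4b: local and remote IPv4 endpoints of the tunnel (placeholders)
gifconfig_gif0="IPv4a IPv4b"

# Send all IPv6 traffic through the tunnel interface
ipv6_defaultrouter="-iface gif0"
```
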
What you're basically doing is tunneling IPv6 _over_ your existing IPv4 connection to Hurricane Electric. From there it comes out the tunnel and gets passed on to the internet. Very much like how a VPN works.


----------



## kpa (Jun 17, 2014)

That's not very secure though. Anyone with man-in-the-middle capabilities can modify the traffic at will without you noticing anything. The so-called AYIYA (Anything In Anything) method that SixXS offers for their tunnels requires a login for connectivity and provides some protection against tampering in the form of packet authentication using a MAC (message authentication code) based on a cryptographic hash function.

https://www.sixxs.net/tools/ayiya/


----------
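
Added example, not part of the thread or any poster's code: the difference kpa describes between an unauthenticated 6in4 tunnel and a tunnel whose packets carry a MAC. It uses a generic HMAC-SHA256 tag rather than AYIYA's actual packet format; the addresses, key and helper names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

PROTO_IPV6 = 41                     # IPv4 protocol number used by 6in4
KEY = b"constructed-shared-secret"  # assumption: secret agreed out of band
SRV4, CLI4 = "192.0.2.1", "198.51.100.7"  # constructed tunnel endpoints
SAMPLE_V6 = (struct.pack("!IHBB", 6 << 28, 4, 59, 64)  # constructed packet
             + ipaddress.IPv6Address("2001:db8::1").packed
             + ipaddress.IPv6Address("2001:db8::2").packed + b"data")

def checksum(hdr: bytes) -> int:
    """One's-complement sum over a 20-byte IPv4 header (RFC 791)."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encap_6in4(src4: str, dst4: str, inner: bytes) -> bytes:
    """Prepend a bare IPv4 header to the inner packet, as 6in4 does."""
    src, dst = (ipaddress.IPv4Address(a).packed for a in (src4, dst4))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0,
                      64, PROTO_IPV6, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + inner

def accept_6in4(pkt: bytes, peer4: str):
    """All a plain 6in4 endpoint can check; returns None to drop."""
    hdr = pkt[:20]
    ok = (len(hdr) == 20 and checksum(hdr) == 0 and hdr[9] == PROTO_IPV6
          and hdr[12:16] == ipaddress.IPv4Address(peer4).packed)
    return pkt[20:] if ok else None

def seal(inner: bytes) -> bytes:  # append an HMAC-SHA256 tag
    return inner + hmac.new(KEY, inner, hashlib.sha256).digest()

def unseal(data: bytes):
    """Return the inner packet if its tag verifies, else None."""
    inner, tag = data[:-32], data[-32:]
    return inner if hmac.compare_digest(tag, seal(inner)[-32:]) else None

def tamper(pkt: bytes) -> bytes:  # flip first data byte; outer header untouched
    return pkt[:60] + bytes([pkt[60] ^ 0xFF]) + pkt[61:]

def demo():
    plain = accept_6in4(tamper(encap_6in4(SRV4, CLI4, SAMPLE_V6)), SRV4)
    sealed = encap_6in4(SRV4, CLI4, seal(SAMPLE_V6))
    forged = unseal(accept_6in4(tamper(sealed), SRV4))
    return plain, unseal(accept_6in4(sealed, SRV4)), forged
```

`demo()` returns the modified packet for the plain tunnel (accepted, because the IPv4 header checksum does not cover the payload), the original packet for the untouched sealed one, and `None` for the sealed packet changed in transit.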



## SirDice (Jun 17, 2014)

The best option would be to bug your ISP about it and get them to support IPv6 natively. Even with IPv4 addresses almost depleted, most ISPs still do not support IPv6. I think we, the tech guys and girls, need to prod them a lot more about it.


----------



## Deleted member 9563 (Jun 18, 2014)

SirDice said:

> The best option would be to bug your ISP about it and get them to support IPv6 natively. Even with IPv4 addresses almost depleted, most ISPs still do not support IPv6. I think we, the tech guys and girls, need to prod them a lot more about it.



I sent them an e-mail a while ago, but they didn't answer yet. Perhaps I scared them. 

I think my FreeBSD installation is good to go as it is. I wanted to get access to IPv6 sites through my router. With the current 6to4 setup, I can `ping6` and `ssh` to my heart's desire. Web sites which are version 6 only are also accessible, but that doesn't really serve any purpose for me except for testing at this point.

It sounds like 6in4 has some serious security issues which need to be addressed in the firewall, is that correct?


----------

