From 32a78e4c844717c73eac5fdb38ce39824bb115c1 Mon Sep 17 00:00:00 2001 From: KemoNine Date: Fri, 18 Jan 2019 13:58:25 -0500 Subject: [PATCH] Add clat/ipv6 only notes to lte modem docs --- hardware/clat.md | 84 ++++++++++++++++++++++++++++++++++++++++ hardware/quectel_ec25.md | 67 +++++++++++++++++++++++++++----- hardware/rfc7050.py | 78 +++++++++++++++++++++++++++++++++++++ 3 files changed, 220 insertions(+), 9 deletions(-) create mode 100644 hardware/clat.md create mode 100644 hardware/rfc7050.py diff --git a/hardware/clat.md b/hardware/clat.md new file mode 100644 index 0000000..2b68316 --- /dev/null +++ b/hardware/clat.md 
@@ -0,0 +1,84 @@ +# Inspiration / Further Reading + +- [http://jool.mx/en/464xlat.html](http://jool.mx/en/464xlat.html) +- [https://tools.ietf.org/html/draft-ietf-behave-nat64-discovery-heuristic-17](https://tools.ietf.org/html/draft-ietf-behave-nat64-discovery-heuristic-17) +- [https://sites.google.com/site/tmoipv6/464xlat](https://sites.google.com/site/tmoipv6/464xlat) +- [http://jool.mx/en/install.html](http://jool.mx/en/install.html) +- [https://github.com/NICMx/Jool/](https://github.com/NICMx/Jool/) +- [https://hveem.no/using-dnsmasq-for-dhcpv6](https://hveem.no/using-dnsmasq-for-dhcpv6) +- [https://github.com/toreanderson/clatd](https://github.com/toreanderson/clatd) +- [http://jool.mx/en/run-vanilla.html#sample-network](http://jool.mx/en/run-vanilla.html#sample-network) +- [http://jool.mx/en/eamt.html](http://jool.mx/en/eamt.html) +- [http://jool.mx/en/run-eam.html](http://jool.mx/en/run-eam.html) +- [https://partiallydisassembled.wordpress.com/2017/04/14/pi-nat64/](https://partiallydisassembled.wordpress.com/2017/04/14/pi-nat64/) + +# Install Jool + +``` bash + +# If using raspbian be sure linux-headers package(s) +apt install build-essential pkg-config libnl-genl-3-dev libxtables-dev dkms git autoconf tar + +git clone https://github.com/NICMx/Jool.git /scratch/jool +cd /scratch/jool +git checkout `git tag | sort -r | head -n1` +dkms install ./ +./autogen.sh +./configure +cd src/usr +make +make install + +``` + +# Figure out NAT64 endpoints via RFC7050 + +See ```quectel_ec25.md``` for details + +# Figure out address mapping setup + +Look at your ipv6 address, pray for a /64 and do some mappings... 
+ +``` + +2607:fb90:88bd:95b9:999e:f533:32e4:71fa/64 + -> 2607:fb90:88bd:95b9:: + -> 2607:fb90:88bd:95b9::172.17.17.17/120 + +``` + +# Setup jool routing for ipv4 <> ipv6 + +``` +sysctl -w net.ipv4.conf.all.forwarding=1 +sysctl -w net.ipv6.conf.all.forwarding=1 +modprobe jool_siit +jool_siit instance add "lollipop" --iptables --pool6 2607:7700:0:26::/96 # pool6 is NAT64 endpoints via RFC7050 +jool_siit instance display +jool_siit -i "lollipop" eamt add "2607:fb90:88bd:95b9::172.17.17.0/120" "172.17.17.0/24" # ipv6 address map <> ipv4 lan +jool_siit -i "lollipop" eamt display + +jool_siit -i "lollipop" stats display --all | less + +ip6tables -t mangle -A PREROUTING \ + -s 2607:fb90:88bd:95b9::172.17.17.0/120 \ + -j JOOL_SIIT --instance "lollipop" +iptables -t mangle -A PREROUTING \ + -s 172.17.17.0/24 \ + -j JOOL_SIIT --instance "lollipop" +ip6tables -I OUTPUT -d 2607:7700:0:26::/96 -j ACCEPT + +``` + +The iptables commands above were adapted from this block of the jool.mx docs + +``` + +user@T:~# ip6tables -t mangle -A PREROUTING \ +> -s 2001:db8::198.51.100.8/125 -d 2001:db8::192.0.2.0/120 \ +> -j JOOL_SIIT --instance "example" +user@T:~# iptables -t mangle -A PREROUTING \ +> -s 192.0.2.0/24 -d 198.51.100.8/29 \ +> -j JOOL_SIIT --instance "example" + +``` diff --git a/hardware/quectel_ec25.md b/hardware/quectel_ec25.md index dbf00f7..6451d1c 100644 --- a/hardware/quectel_ec25.md +++ b/hardware/quectel_ec25.md 
@@ -19,15 +19,7 @@ Only perform these steps and operations if you *must* have a Quectel EC25 and ca - [https://sixfab.com/updated-tutorial-3-make-a-ppp-internet-connection-with-3g-4glte-shields-on-raspberry-pi/](https://sixfab.com/updated-tutorial-3-make-a-ppp-internet-connection-with-3g-4glte-shields-on-raspberry-pi/) - [https://sixfab.com/product/quectel-ec25-mini-pcle-4glte-module/](https://sixfab.com/product/quectel-ec25-mini-pcle-4glte-module/) - [https://sixfab.com/gps-tracker-with-3g-4glte-shield/](https://sixfab.com/gps-tracker-with-3g-4glte-shield/) - - - - - - - - - +- [https://tools.ietf.org/html/draft-ietf-behave-nat64-discovery-heuristic-17](https://tools.ietf.org/html/draft-ietf-behave-nat64-discovery-heuristic-17) # Setup Apt Repos @@ -88,3 +80,60 @@ cgps 127.0.0.1:2948 # the "usual" way we like to monitor gps status # Add -n -D 3 to options (for debugging) ``` + +# NAT64 + DNS64 + +If you find yourself on a pure ipv6 network with NAT64/DNS64 deployed, you'll need the following breadcrumbs and information to get things online. + +This section is a Work In Progress and not 100% working. Help Welcome. + +## Figure out NAT64 endpoints via RFC7050 + +This may or may not be deployed on your carrier's network. Start here for decyphering NAT64 prefixes. + +``` bash + +host ipv4only.arpa +ipv4only.arpa has address 192.0.0.170 +ipv4only.arpa has address 192.0.0.171 +ipv4only.arpa has IPv6 address 2607:7700:0:26::c000:aa +ipv4only.arpa has IPv6 address 2607:7700:0:26::c000:ab +ping 2607:7700:0:26::8.8.8.8 + +``` + +## Figure out NAT64 endpoints w/o RFC7050 + +See the ```rfc7050.py``` script and ajust it lightly to look for an ipv4 only DNS record so the prefix can be found programatically by the rest of the script. + +## Turn on DNS64 in Unbound + +You'll need an additional include line in the config *above* the existing one for ```/etc/unbound/dns64.conf```. + +``` bash + +cat > /etc/unbound/dns64.conf < /etc/unbound/dns64.conf <
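Review bot: In hardware/clat.md (hunk `@@ -0,0 +1,84 @@`), the "Setup jool routing" block sets `net.ipv4.conf.all.forwarding=1` and `net.ipv6.conf.all.forwarding=1` but adds no FORWARD-chain rules, only the two mangle PREROUTING rules and an OUTPUT ACCEPT, so a reader who pastes it ends up with a host that routes between all of its interfaces, the modem uplink included. Suggest stating the expected FORWARD policy in the doc, or limiting forwarding to the LAN and modem interfaces. Two smaller points in the same hunk: under "Install Jool", `git tag | sort -r | head -n1` sorts tags as plain strings, so it can select an older release once a version component reaches two digits, and whatever it selects is then built as a kernel module by `dkms install`; pin a named tag or use a version-aware sort such as `git tag --sort=-v:refname`. The mapping example also publishes what looks like a real assigned address (`2607:fb90:88bd:95b9:999e:f533:32e4:71fa/64`); the 2001:db8::/32 documentation range, as used in the quoted jool.mx block, would serve the same purpose.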
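Review bot: In hardware/quectel_ec25.md (hunk `@@ -88,3 +80,60 @@`), the bash block under "Figure out NAT64 endpoints via RFC7050" mixes the typed commands (`host ipv4only.arpa`, `ping 2607:7700:0:26::8.8.8.8`) with the resolver output, with no prompt to tell them apart, and never says how the prefix is read off the answer. Suggest marking the commands with a prompt and adding one sentence: the AAAA answer `2607:7700:0:26::c000:aa` ends in 192.0.0.170 written in hex, so the leading 96 bits, `2607:7700:0:26::/96`, are the NAT64 prefix that clat.md passes to `--pool6`. It is also worth stating that this prefix is carrier-specific and comes from whatever resolver the network hands out, so readers should run the lookup themselves rather than copy the value. In the following section the heading reads "w/o RFC7050" while the script it points to is named `rfc7050.py`; one line on what the script does differently would remove the confusion, and "ajust", "programatically" and "decyphering" are misspelled.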