
5.2.8.1 Definition of the term “Tunnel Broker”

Figure 5-5 Tunnel Broker Scenario

There are many different definitions of the term “tunnel broker”. To clarify what this term means in the context of this paragraph, it is necessary to summarise the tasks that the OpenVPN-based tunnel broker should fulfil:

• provide IPv6 connectivity to a subscribed client
• manage a set of X.509 certificates and keys and a certification authority (CA)
• check authorisation of a client
• assign a fixed IPv6 prefix to each client (either /64 or /128 for a single address)
• adjust routing according to prefix/address assignment
• on subscription of a new client, create client configuration for server and as archive file for client
• handle subscription information

To handle all of the above tasks, the tunnel broker needs to consist at least of the following components:

• OpenVPN server(s)
• OpenSSL certification authority (CA)
• client database
• dedicated router for clients (identical to the OpenVPN server)
• IPv6 infrastructure to route IPv6 traffic to and from clients

To visualise the interaction of these components, take a look at the following figure.

Figure 5-6 Interaction of tunnel broker components

The components in detail may look like this:

• OpenVPN server: powerful Linux or *BSD PC with latest OpenVPN software (at the time of writing, this is a version that is more recent than 1.6_rc2)
• OpenSSL CA: may be any kind of machine with an OpenSSL installation that provides the openssl binary to create X.509 keys and certificates
• Client database: almost any form of database for holding information about clients ranging from simple text file to dedicated database systems
• Dedicated IPv6 router: normally the same Linux or *BSD machine that runs the OpenVPN server; routes need to be adjusted on that particular machine
• IPv6 infrastructure: your institution’s IPv6 backbone

The above components form what we call a “tunnel broker” for the remainder of this section. For the sake of scalability, many of the services (e.g. the OpenVPN server) may be spread across numerous different servers; this is not difficult to achieve.
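To make the tasks listed above concrete (holding subscription information, assigning each client a fixed /64 prefix or a single /128 address, and producing the per-client OpenVPN configuration plus the routing adjustment on the server machine), here is an added example that is not part of the original document or of the OpenVPN project. It implements the “client database” as a plain text file and the prefix allocator with Python’s `ipaddress` module. The pool `2001:db8:1::/48` (IPv6 documentation range), the file format, the class and function names, and the `tun0` device name are assumptions made for this example. The OpenVPN directives it emits (`ifconfig-ipv6-push`, `iroute-ipv6`) exist in OpenVPN 2.3 and later; the 1.6-era version mentioned in the text had no native IPv6 payload support, so with such a version the routing would have to be handled entirely by scripts on the server.

```python
"""Added example: minimal client database and IPv6 prefix allocator for an
OpenVPN-based tunnel broker (not from the original document or OpenVPN)."""
import ipaddress
from typing import Dict, Optional

# Constructed pool (documentation prefix). The first /64 of the pool carries the
# point-to-point /128 addresses; every other /64 is handed out as a routed prefix.
DEFAULT_POOL = "2001:db8:1::/48"
TUN_DEVICE = "tun0"  # assumed server-side tunnel interface


class ClientDatabase:
    """One line per client: "<common-name> <prefix>".

    The common name is the CN of the client's X.509 certificate, so the
    certificate presented at connection time is the lookup key.
    """

    def __init__(self, pool: str = DEFAULT_POOL) -> None:
        self.pool = ipaddress.IPv6Network(pool)
        self.p2p_net = next(self.pool.subnets(new_prefix=64))  # /64 for /128 clients
        self.server_addr = self.p2p_net[1]  # server end of every /128 link
        self.clients: Dict[str, ipaddress.IPv6Network] = {}

    @classmethod
    def loads(cls, text: str, pool: str = DEFAULT_POOL) -> "ClientDatabase":
        """Parse the text-file representation (comments and blank lines ignored)."""
        db = cls(pool)
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            cn, prefix = line.split()
            db.clients[cn] = ipaddress.IPv6Network(prefix)
        return db

    def dumps(self) -> str:
        """Serialise the database back to the text-file representation."""
        return "".join(f"{cn} {net}\n" for cn, net in sorted(self.clients.items()))

    def _in_use(self, candidate: ipaddress.IPv6Network) -> bool:
        return any(candidate.overlaps(n) for n in self.clients.values())

    def allocate(self, cn: str, prefix_len: int) -> ipaddress.IPv6Network:
        """Return the client's fixed prefix, allocating one on the first call."""
        if cn in self.clients:
            return self.clients[cn]  # fixed assignment: the same prefix every time
        if prefix_len == 128:
            # hosts() skips the subnet-router anycast address; we also skip the server's.
            candidates = (ipaddress.IPv6Network((h, 128))
                          for h in self.p2p_net.hosts() if h != self.server_addr)
        elif prefix_len == 64:
            candidates = (n for n in self.pool.subnets(new_prefix=64)
                          if n != self.p2p_net)
        else:
            raise ValueError("only /64 or /128 assignments are supported")
        for cand in candidates:
            if not self._in_use(cand):
                self.clients[cn] = cand
                return cand
        raise RuntimeError("address pool exhausted")


def render_ccd(db: ClientDatabase, cn: str) -> str:
    """Client-config-dir entry for one client (OpenVPN 2.3+ directive syntax)."""
    net = db.clients[cn]
    if net.prefixlen == 128:
        # Single address: push it with the server as the remote end of the link.
        return f"ifconfig-ipv6-push {net.network_address}/64 {db.server_addr}\n"
    # Routed /64: tell OpenVPN which client the prefix lives behind. The client's
    # own tunnel endpoint then comes from the server's server-ipv6 pool.
    return f"iroute-ipv6 {net}\n"


def render_server_route(db: ClientDatabase, cn: str) -> Optional[str]:
    """Routing adjustment on the OpenVPN server, which is also the IPv6 router.

    A /128 inside the tunnel's own /64 needs no extra route, so None is returned.
    """
    net = db.clients[cn]
    if net.prefixlen == 128:
        return None
    return f"ip -6 route add {net} dev {TUN_DEVICE}"


if __name__ == "__main__":
    db = ClientDatabase()
    for name, size in (("alice", 128), ("bob", 64)):
        db.allocate(name, size)
        print(f"# ccd/{name}\n{render_ccd(db, name)}", end="")
        print(render_server_route(db, name) or "# no extra route needed")
    print(db.dumps(), end="")
```

Because `allocate` returns the stored prefix for a known common name, re-running the provisioning step for an existing subscriber is harmless; and because allocation is driven by the certificate CN, revoking a client means removing its CRL-listed certificate and its database line together.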