IPv6 Tunneling: 6to4, Teredo, and ISATAP
Understand IPv6 transition tunneling mechanisms that encapsulate IPv6 traffic within IPv4 networks for connectivity during the migration period.
Why Tunneling?
During the IPv4-to-IPv6 transition, not all networks support IPv6 natively. Tunneling allows IPv6 traffic to traverse IPv4-only infrastructure by encapsulating IPv6 packets inside IPv4 packets.
[IPv6 Packet] → encapsulate → [IPv4 Header][IPv6 Packet] → IPv4 network → decapsulate → [IPv6 Packet]
Tunneling Mechanisms Compared
| Mechanism | RFC | Automatic? | NAT-friendly? | Status |
|---|---|---|---|---|
| 6to4 | RFC 3056 | Yes | No | Deprecated (RFC 7526) |
| Teredo | RFC 4380 | Yes | Yes | Legacy, avoid |
| ISATAP | RFC 5214 | Yes | No | Legacy |
| 6in4 / HE Tunnel | RFC 4213 | Manual | No | Active, useful |
| DS-Lite | RFC 6333 | ISP-managed | Yes | ISP deployments |
| MAP-E/MAP-T | RFC 7597/7599 | ISP-managed | Yes | ISP deployments |
6to4 (Deprecated)
6to4 automatically creates a tunnel using the IPv4 address embedded in a special IPv6 prefix:
IPv4 address: 203.0.113.5
6to4 prefix: 2002:cb00:7105::/48
Why deprecated: Relies on public relay routers that are often unreliable, have high latency, and introduce security vulnerabilities (traffic can be intercepted by any relay).
Teredo
Teredo tunnels IPv6 through UDP/IPv4, designed to work behind NAT:
Teredo prefix: 2001:0000::/32
Teredo server: Helps establish the tunnel
Teredo relay: Forwards traffic to native IPv6
Why to avoid: Adds latency, bypass security policies (IPv6 traffic hidden in UDP), and most operating systems now disable it by default.
6in4 (Manual Tunnels)
The most reliable tunneling option — a manually configured tunnel between your network and a tunnel broker:
# Linux: Create a 6in4 tunnel to Hurricane Electric
ip tunnel add he-ipv6 mode sit remote 216.66.22.2 local YOUR_IPV4
ip link set he-ipv6 up
ip addr add 2001:470:xxxx::2/64 dev he-ipv6
ip route add ::/0 dev he-ipv6
Hurricane Electric (tunnelbroker.net) provides free tunnel broker service with /48 prefix allocation.
Modern ISP Approaches
Instead of user-managed tunnels, ISPs now use:
- DS-Lite — IPv4 traffic is tunneled through IPv6 to the ISP's CGNAT. Your connection is native IPv6 with IPv4 as the overlay.
- MAP-E — Stateless IPv4-over-IPv6 tunneling with port-restricted NAT.
- 464XLAT — Client-side NAT64 for IPv4-only applications on IPv6-only networks.
Recommendation
For new deployments, dual-stack (native IPv4 + IPv6) is always preferred over tunneling. If your ISP does not offer IPv6, a Hurricane Electric 6in4 tunnel is the most reliable option. Avoid 6to4 and Teredo entirely.