Loading learning content...
What if IPv6 transition required no manual tunnel configuration at all? What if any site with a public IPv4 address could instantly gain IPv6 connectivity, automatically able to reach any other site with the same capability?
This was the vision behind 6to4: an automatic tunneling mechanism that embeds IPv4 addresses directly within IPv6 addresses, enabling tunnel endpoints to be derived algorithmically rather than configured manually. First standardized in 2001 (RFC 3056), 6to4 promised to accelerate IPv6 adoption by eliminating the configuration barrier.
The reality proved more complex. While 6to4's concept was elegant, operational challenges—asymmetric routing, unreliable relay routers, and NAT complications—led to significant reliability problems. Today, 6to4 is deprecated (RFC 7526), but understanding its mechanics is essential for network engineers who may encounter legacy deployments or need to understand why automatic tunneling proved problematic.
By the end of this page, you will understand 6to4's address format and how IPv4 addresses are embedded, the role of relay routers in connecting to native IPv6, why asymmetric routing creates reliability issues, the security vulnerabilities that emerged, and why 6to4 is now deprecated in favor of more controlled transition mechanisms.
The core innovation of 6to4 is embedding the site's IPv4 address within its IPv6 prefix. This enables any router to determine the tunnel endpoint simply by examining the destination IPv6 address.
A 6to4 address uses the globally reserved 2002::/16 prefix, followed by the site's public IPv4 address encoded in hexadecimal:
6to4 Address Format:
2002:V4ADDR::/48
Where V4ADDR = 32-bit IPv4 address in hex
Example:
IPv4 address: 192.0.2.1
As hexadecimal: c0.00.02.01 → c000:0201
6to4 prefix: 2002:c000:0201::/48
| 16 bits | 32 bits | 16 bits | 64 bits |
+----------+---------------+-----------+----------------------+
| 2002 | IPv4 in hex | Subnet ID | Interface Identifier |
+----------+---------------+-----------+----------------------+
| 6to4 | c000:0201 | 0001 | host address bits |
| prefix | (192.0.2.1) | | |
The resulting hierarchy:
| Public IPv4 | Hex Representation | 6to4 Prefix | Example Host Address |
|---|---|---|---|
| 192.0.2.1 | c000:0201 | 2002:c000:0201::/48 | 2002:c000:0201:1::1 |
| 198.51.100.5 | c633:6405 | 2002:c633:6405::/48 | 2002:c633:6405:ffff::1 |
| 203.0.113.200 | cb00:71c8 | 2002:cb00:71c8::/48 | 2002:cb00:71c8:2::100 |
| 10.1.2.3 | 0a01:0203 | 2002:0a01:0203::/48 | Invalid (private IPv4) |
6to4 only works with public IPv4 addresses. Private addresses (10.x, 172.16-31.x, 192.168.x) cannot be used because they're not globally routable—other sites couldn't tunnel back to you. This is a fundamental limitation that excludes most hosts behind NAT.
The conversion process is straightforward but error-prone by hand:
IPv4: 203.0.113.200
Step 1: Convert each octet to hex
203 → CB (12*16 + 11 = 203)
0 → 00
113 → 71 (7*16 + 1 = 113)
200 → C8 (12*16 + 8 = 200)
Step 2: Combine into 32-bit hex
CB00:71C8
Step 3: Prepend 2002:
2002:CB00:71C8::/48
This mathematical relationship between IPv4 and 6to4 addresses is what enables automatic endpoint derivation: given any 6to4 destination, the sender can extract the IPv4 tunnel endpoint without any pre-configuration.
6to4 enables three distinct communication scenarios, each with different mechanics:
When both communicating sites use 6to4 addresses, tunneling is direct and symmetric.
Example:
Traffic Flow:
Return traffic follows the reverse path symmetrically.
This is where 6to4 gets complex. When a 6to4 site needs to reach a native IPv6 address (not 2002::/16), it cannot derive a tunnel endpoint—the destination has no embedded IPv4 address.
Solution: 6to4 Relay Routers
Relay routers advertise the 2002::/16 prefix into the native IPv6 Internet. They act as gateways between 6to4 and native IPv6:
The 192.88.99.1 Anycast Address:
RFC 3068 reserves 192.88.99.1 as the anycast address for 6to4 relays. Multiple relays worldwide announce this address; packets reach the topologically nearest relay.
IPv6 equivalent: 2002:c058:6301::/48 (192.88.99.1 in 6to4 format)
Here's where serious problems emerge. When native IPv6 sends to 6to4:
The Asymmetry Problem:
These are often different relays, potentially on different continents! If one direction's relay has problems, the bidirectional connection fails—yet troubleshooting only sees the working direction's path.
6to4's asymmetric routing creates a situation where connectivity depends on relay routers you don't control, don't know about, and can't troubleshoot. If the relay handling your inbound traffic fails, your outbound works but inbound doesn't—a partial connectivity state that's extremely confusing to diagnose.
Despite being deprecated, understanding 6to4 router configuration helps in recognizing legacy deployments and understanding automatic tunneling concepts.
A 6to4 border router must:
! Assuming external IPv4 is 192.0.2.1
! Create the 6to4 tunnel interface
interface Tunnel6to4
tunnel source 192.0.2.1
tunnel mode ipv6ip 6to4
ipv6 address 2002:c000:0201::1/128
! Internal LAN interface
interface Ethernet0
ipv6 address 2002:c000:0201:1::1/64
! Route to other 6to4 sites through tunnel
ipv6 route 2002::/16 Tunnel6to4
! Route to native IPv6 via relay anycast
ipv6 route ::/0 2002:c058:6301::1
Key points:
| Destination Prefix | Action | Tunnel Destination |
|---|---|---|
| 2002:c633:6405::/48 | Direct 6to4 tunnel | 198.51.100.5 (extracted from address) |
| 2002:cb00:71c8::/48 | Direct 6to4 tunnel | 203.0.113.200 (extracted from address) |
| 2001:db8::/32 | Via relay | 192.88.99.1 (anycast) |
| 2607:f8b0::/32 (Google) | Via relay | 192.88.99.1 (anycast) |
Although 6to4 was primarily designed for routers, operating systems also implemented host-based 6to4. Windows XP/Vista/7 and early Linux kernels could act as their own 6to4 endpoints:
Windows:
netsh interface ipv6 6to4 set state state=enabled
Linux:
ip tunnel add tun6to4 mode sit remote any local 192.0.2.1
ip link set tun6to4 up
ip addr add 2002:c000:0201::1/16 dev tun6to4
ip route add ::/0 via ::192.88.99.1 dev tun6to4
However, host-based 6to4 was particularly unreliable because hosts typically don't have public IPv4 addresses—they're behind NAT. This led Microsoft and others to eventually disable 6to4 by default.
In theory, 6to4 was brilliant: no coordination needed between sites, no tunnel broker signup, instant IPv6 connectivity for any public-IP site. The problem wasn't the design—it was the reliance on volunteer-operated relay infrastructure that nobody was responsible for maintaining.
The Achilles' heel of 6to4 is its dependence on relay routers—and specifically, the lack of any reliable relay infrastructure.
Unlike DNS root servers (operated by designated organizations with formal responsibilities), 6to4 relays were operated by volunteers:
There was no requirement, no SLA, no accountability. Relays could appear and disappear at will.
The 192.88.99.1 anycast approach created additional problems:
Path Selection Unpredictability:
No Quality Guarantee:
Research quantified the problem:
Study by Huston/APNIC (2011):
Study by Nikkhah et al. (2011):
The verdict: 6to4 wasn't just unreliable—it was unpredictably unreliable. Users experienced intermittent failures that were nearly impossible to diagnose.
6to4 demonstrated that automatic mechanisms requiring infrastructure investment (relay routers) without a clear operational model fail. Everyone assumed 'someone else' would run reliable relays. Nobody was accountable, so nobody guaranteed quality. This informed the design of later transition mechanisms.
Beyond operational problems, 6to4 introduced significant security risks that were difficult to mitigate.
Since 6to4 derives tunnel endpoints from addresses, spoofed addresses create spoofed tunnels:
Attack Scenario:
This enables:
Rogue Relay Attack: Anyone can announce 192.88.99.1 and become a 6to4 relay. Malicious relays can:
Mitigation Difficulty: There's no way for 6to4 sites to verify they're using a legitimate relay. The anycast model means you get whatever relay BGP selects—you can't choose.
IPv4 firewalls often don't inspect Protocol 41:
Enterprise Risk: Even if an enterprise blocks native IPv6, any host with a public IPv4 and 6to4 enabled can establish IPv6 connectivity—bypassing all IPv4 security controls.
6to4 can create 'shadow' IPv6 connectivity that network administrators don't know about. A Windows laptop with 6to4 enabled might be reachable via IPv6 even in an IPv4-only enterprise—completely outside security controls. This was a major driver of the deprecation decision.
Given the operational and security problems, the Internet Engineering Task Force (IETF) formally deprecated 6to4 in 2015.
RFC 7526 ('Deprecating the Anycast Prefix for 6to4 Relay Routers') officially marked 6to4 as deprecated:
Key declarations:
Rationale from RFC 7526:
'The 6to4 relay routing model has proven to be fragile in practice, with various operational problems reported... The problems with 6to4 are not things that can be easily fixed. The fundamental problem is that 6to4 relies on a functional and ubiquitous deployment of 6to4 relay routers throughout the Internet. This condition has not been met and is unlikely to be met in the foreseeable future.'
| Operating System | 6to4 Default | Notes |
|---|---|---|
| Windows XP/Vista | Enabled | Historical; these versions are obsolete |
| Windows 7 | Enabled → Disabled | Disabled via update in ~2014 |
| Windows 8/10/11 | Disabled | Explicitly disabled by default |
| macOS | Disabled | Disabled in modern versions |
| Linux | Not auto-enabled | Requires manual configuration |
| iOS/Android | Not supported | Mobile OSes never implemented 6to4 |
Native IPv6 is the preferred solution. As IPv6 deployment accelerated (now exceeding 40% globally), the need for tunneling mechanisms has decreased dramatically.
For sites still needing transition mechanisms:
Despite deprecation, you may still encounter 6to4:
Response: Disable 6to4 wherever found. Replace with native IPv6 or properly managed tunneling.
The good news: IPv6 adoption has progressed to the point where automatic tunneling is rarely needed. Major content providers (Google, Facebook, Netflix) are fully IPv6-capable. Most major ISPs offer native IPv6. 6to4's deprecation is a sign of success—the transition is far enough along that we no longer need workarounds.
Understanding 6to4's position among transition mechanisms helps clarify when each approach is appropriate (or was appropriate historically).
| Feature | 6to4 | Teredo | Configured Tunnel | Native Dual-Stack |
|---|---|---|---|---|
| Configuration | Automatic | Automatic | Manual | Provider-configured |
| NAT Traversal | No (requires public IP) | Yes (UDP-based) | No | N/A |
| Relay Required | Yes (for native IPv6) | Yes (always) | No | No |
| Reliability | Poor (relay-dependent) | Fair (Microsoft relays) | Good (controlled) | Excellent |
| Security | Poor | Fair | Good (can add IPsec) | Good |
| Status (2024) | Deprecated | Legacy | Still valid | Preferred |
| Prefix Used | 2002::/16 | 2001:0::/32 | Any assigned | Provider prefix |
Configured Tunnels succeed because:
Tunnel Brokers succeed because:
Native Dual-Stack succeeds because:
6to4 failed because:
6to4 teaches that systems requiring shared infrastructure need clear operational models. 'Build it and they will come' doesn't work for infrastructure—you need designated operators, funding models, and accountability. The Internet's routing infrastructure works because specific organizations are responsible for root DNS, IXP operation, etc. 6to4 had no such model.
6to4 represents an important chapter in IPv6 transition history—an elegant idea that failed in practice due to infrastructure economics and security realities. Let's consolidate the key lessons:
What's Next:
Next, we'll examine Teredo—another automatic tunneling mechanism that addressed 6to4's biggest limitation: NAT traversal. By encapsulating IPv6 in UDP (rather than Protocol 41), Teredo enables hosts behind NAT to have globally reachable IPv6 addresses. While also largely obsolete today, Teredo's design innovations influenced later protocols.
You now understand 6to4 comprehensively: address format and derivation, tunneling mechanics, relay router operation, the infrastructure problems that doomed it, security vulnerabilities, and its formal deprecation. This knowledge helps you recognize legacy 6to4 deployments and understand why modern transition focuses on native IPv6.