FAQ : Connectivity (Tunnels and Subnets) : I have a firewall, what ports/protocols are used?

I have a firewall, what ports/protocols are used?

Paranoid and want to seal everything off? Or are you behind a NAT and want to know what to expect? The following ports/protocols may be used by SixXS tunnels and their configuration tools.

Protocol/Port	Host	IP	Name	What does it do?	NAT remarks
TCP 3874	tic.sixxs.net	IPv4	TIC (Tunnel Information & Control Protocol)	Used for retrieving the tunnel information (eg by AICCU)	Uses TCP and should work without problems
UDP 3740	PoP	IPv4	Heartbeat Protocol	Used for signaling where the current IPv4 endpoint of the tunnel is and that it is alive	outbound from user to PoP only
protocol 41	PoP	IPv4	IPv6 over IPv4 (6in4 tunnel)	Used for tunneling IPv6 over IPv4 (static + heartbeat tunnels)	One needs to appoint the internal host as the DMZ host which usually lets it pass the NAT
UDP 5072	PoP	IPv4	AYIYA (Anything In Anything)	Used for tunneling IPv6 over IPv4 (AYIYA tunnels)	Should cross most NAT's and even firewalls without any issues
ICMPv6 Echo/Response	Tunnel endpoints	IPv6	Internet Control Message Protocol for IPv6	Used for testing if a tunnel is alive by pinging the tunnel endpoint (tunnel::2) from the PoP side of the tunnel (tunnel::1) on the tunnel	none, as it happens inside the tunnel

Policy circumvention

Note that we do not provide IPv6 connectivity to locations where the IPv6 tunnel would circumvent a local policy formed by for instance a firewall. Most corporate networks forbid forms of tunneling as this would open a channel over which an attack into their corporate network could take place as it bypasses the policies implemented in their firewalls. If you are in such a situation, don't try to circumvent your administrators policy but talk to them and try and get IPv6 connectivity setup together with them according to their policies, it is their network afterall, not yours.

Network administrators can easily block the usage of SixXS by blocking the above ports.