Transition Mechanisms Planned by NGtrans
IPv6 Transition Mechanisms
• A set of protocol mechanisms implemented in hosts and routers.
• To allow IPv6 and IPv4 hosts to interoperate.
  – Because it is impossible to have a “flag day” for all hosts to upgrade from IPv4 to IPv6.
• To allow IPv6 hosts and routers to be deployed in the Internet in a highly diffuse and incremental fashion, with few interdependencies.
• The transition should be as transparent to general users as possible.
Introduction
[Figure: transition phases Ⅰ to Ⅳ, labelled in order: IPv4 only with an experimental IPv6 network; IPv6 islands in an IPv4 ocean; IPv4 islands in an IPv6 ocean; IPv6 only]
Transition Mechanisms Planned by NGtrans
[Figure: transition mechanisms: tunneling, translator, dual stack]
IPv4–to–IPv6 Transition Strategy (RFC 2893)
• Dual Stack
  – Reduce the cost invested in transition by running both IPv4/IPv6 protocols on the same machine.
• Tunneling
  – Reduce the cost in wiring by re-using current IPv4 routing infrastructures as a virtual link.
• Translation (RFC 2766 NAT-PT)
  – Allow IPv6 realm to access the rich contents already developed on IPv4 applications
• From 16-bit DOS to 32-bit Windows
• From 4-byte IPv4 to 16-byte IPv6
Dual-Stack Approach
• When adding IPv6 to a system, do not delete IPv4
  – This multi-protocol approach is familiar and well-understood (e.g., for AppleTalk, IPX, etc.)
  – Note: in most cases, IPv6 will be bundled with new OS releases, not an extra-cost add-on (e.g., Windows Vista/7, CentOS 5, FreeBSD 8)
• Applications (or libraries) choose IP version to use
  – when initiating, based on DNS response:
    – if (dest has AAAA or A6 record) use IPv6, else use IPv4
  – when responding, based on version of initiating packet
• This allows indefinite co-existence of IPv4 and IPv6, and gradual, app-by-app upgrades to IPv6 usage
[Figure: dual-stack protocol layers: application; TCP/UDP; IPv4 and IPv6; driver]
Simple Dual-Stack Mechanism
• IPv4 stack enabled and IPv6 disabled (i.e., an IPv4-only node)
• IPv6 stack enabled and IPv4 disabled (i.e., an IPv6-only node)
• Both the IPv4 stack and the IPv6 stack enabled (the node can switch between configurations)
IPv4/IPv6 Dual-Stack Mechanism
[Figure: protocol stacks of an IPv6 client (TCP, IPv6, datalink), an IPv4 client (TCP, IPv4, datalink) and a dual-stack IPv6 client (TCP, IPv4 and IPv6, datalink); label: IPv4-mapped IPv6 address]
Dual Stack Approach & DNS
• In a dual stack case, an application that:
  – Is IPv4 and IPv6-enabled
  – Asks the DNS for all types of addresses
  – Chooses one address and, for example, connects to the IPv6 address
[Figure: a dual-stack host asks the DNS server "www.a.com = * ?"; the answers are 2001:DB8::1 and 10.1.1.1; IPv4 and IPv6 paths are shown, with 2001:DB8::1 as the address used]
Dual Stack Approach
• Dual stack node means:
  – Both IPv4 and IPv6 stacks enabled
  – Applications can talk to both
  – Choice of the IP version is based on name lookup and application preference
[Figure: two protocol stacks, one for an application and one for an IPv6-enabled application: TCP/UDP over IPv4 and IPv6 over the data link (Ethernet); frame protocol ID 0x0800 for IPv4 and 0x86dd for IPv6. Caption: preferred method on application’s servers]
Cisco IOS Dual Stack Configuration
• Cisco IOS is IPv6-enabled:
  – If IPv4 and IPv6 are configured on one interface, the router is dual-stacked
  – Telnet, Ping, Traceroute, SSH, DNS client, TFTP, …
[Figure: dual-stack router attached to an IPv6 and IPv4 network; IPv4: 140.110.199.1, IPv6: 2001:C58:213:1::/64 eui-64]
router#
interface Ethernet0
 ip address 140.110.199.1 255.255.255.0
 ipv6 address 2001:C58:213:1::/64 eui-64

ping www.ncnu.edu.tw
Exercise
• Try to turn off IPv6 on your PC, and repeat the above test.
• What are the differences?
IPv4–to–IPv6 Transition Strategy (RFC 2893; obsoleted by RFC 4213)
• Dual Stack
  – Reduce the cost invested in transition by running both IPv4/IPv6 protocols on the same machine.
• Tunneling
  – Reduce the cost in wiring by re-using current IPv4 routing infrastructures as a virtual link.
• Translation (RFC 2766 NAT-PT; obsoleted by RFC 4966)
  – Allow IPv6 realm to access the rich contents already developed on IPv4 applications
• From 16-bit DOS to 32-bit Windows
• From 4-byte IPv4 to 16-byte IPv6
Tunnels of IPv6 over IPv4
• Encapsulating the IPv6 packet in an IPv4 packet
• Tunneling can be used by routers and hosts
[Figure: two IPv6 hosts on separate IPv6 networks, joined by dual-stack routers across an IPv4 network. Outside the tunnel the packet is IPv6 header | transport header | data; inside the tunnel (IPv6 in IPv4 packet) it is IPv4 header | IPv6 header | transport header | data]
IPv6 Tunneling
[Figure: IPv6 networks connected by IPv6 tunnels across a service provider IPv4 backbone. Native packet: IPv6 header | transport layer header | data; tunneled packet: IPv4 header | IPv6 header | transport layer header | data]
Manually Configured Tunnel
[Figure: two IPv6 networks joined across IPv4 by Dual-Stack Router1 (IPv4: 131.243.129.44, IPv6: 2001:DB8:c18:1::3) and Dual-Stack Router2 (IPv4: 140.110.199.250, IPv6: 2001:DB8:c18:1::2)]
router1#
interface Tunnel0
 ipv6 address 2001:DB8:c18:1::3/64
 tunnel source 131.243.129.44
 tunnel destination 140.110.199.250
 tunnel mode ipv6ip

router2#
interface Tunnel0
 ipv6 address 2001:DB8:c18:1::2/64
 tunnel source 140.110.199.250
 tunnel destination 131.243.129.44
 tunnel mode ipv6ip

• Manually configured tunnels require:
  – Dual stack end points
  – Both IPv4 and IPv6 addresses configured at each end
Manually Configured Tunnel
[Figure: a dual-stack host (IPv4: 61.218.105.10, IPv6: 2001:288:03a1:210::2/127) tunnels across IPv4 to a dual-stack router (IPv4: 140.110.199.254, IPv6: 2001:288:03a1:210::3/127)]
FreeBSD4.7#
gifconfig gif0 61.218.105.10 140.110.199.254
ifconfig gif0 inet6 2001:288:03a1:210::2 2001:288:3a1:210::3 prefixlen 128
Linux Tunnel
/etc/sysconfig/network-scripts/ifcfg-sit1
DEVICE=sit1
BOOTPROTO=none
ONBOOT=yes
IPV6INIT=yes
# Remote end: the ISP's IPv4 address
IPV6TUNNELIPV4=140.110.199.250
# Your own IPv6 tunnel address from the ISP
IPV6ADDR=2001:288:3A1:210::2/127

ifup sit1
Windows XP Tunnel
• netsh interface ipv6
  – add v6v4tunnel "T1" 140.113.131.23 140.113.87.100
    • Syntax: add v6v4tunnel [[interface=]String] localIPv4Address remoteIPv4Address
  – add address "T1" 2001:238:F88:B::30
  – add route 2001:238:F88:B::30/127 "T1"
• Now you can ping the remote tunnel endpoint 2001:238:F88:B::31
• Use Wireshark to capture packets with filter "ip host 140.113.87.100".
Windows 7
Tunnel Broker Mechanism
[Figure: tunnel broker, DNS, tunnel server and a dual-stack user node in an IPv4 site; the legend distinguishes control information from data, which travels through an IPv6-over-IPv4 tunnel to the IPv6 site]
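Tunnel Broker Operation
1) The user connects to the Tunnel Broker to register (registration procedure).
2) The user connects to the Tunnel Broker again and provides information about the user endpoint (including IP address, operating system, IPv6 support software, etc.).
3) The Tunnel Broker configures the network endpoint, the DNS server and the user endpoint.
4) The tunnel is established and the user can connect directly to the IPv6 network.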
Tunnel Broker Operation
[Figure: the client finds a tunnel broker through a TB list (tb.cselt.it, tb.cpmpany.com, ...) in a tunnel broker directory on a well-known WWW server (www.ipv6.org). Labelled interactions: client-broker, broker interaction with the tunnel server, broker-DNS. The dual-stack host/router connects through a tunnel server and a dual-stack router to the remote site's IPv6 network provider]
Tunnel Broker Operation (1)
Tunnel Broker Operation (2)
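Tunnel Broker Mechanism: Implementation
[Figure: a client in the IPv4 network, a tunnel broker, an IPv6 DNS, and a tunnel into the IPv6 network]
1. The client in the IPv4 network sends a web request.
2. The tunnel broker returns the tunnel information to the IPv4 client.
3. The tunnel broker configures the tunnel server or router.
4. The client and the tunnel server or router establish the tunnel.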
Tunnel Broker Service
Tunnel Broker Mechanism: Scripts and Parameters
Tunnel Broker Mechanism: Interface
Tunnel Broker Mechanism: Routing Table
Tunnel Packets
Exercise
• Try to build IPv6 tunnels with one of the following tunnel brokers:
  – Academia Sinica
  – HiNet
  – Hurricane Electric
Some Words About Tunnel Brokers
• 1 tunnel, 1 route, to all the IPv6 world.
• Eases the configuration.
• Route may not be optimal.
  – Especially when users build tunnels with different service providers.
Automatic Tunnels
• IPv4 Compatible Tunnel (RFC 2893)
• IPv6-over-IPv4 Tunnel (RFC 2529)
• 6to4 Tunnel (RFC 3056)
• ISATAP (RFC 5214)
• Teredo (RFC 4380)
IPv4 Compatible Tunnel (RFC 2893)
• IPv4-compatible addresses are an easy way to auto-tunnel, but this method:
  – May be deprecated soon
  – Consumes IPv4 addresses
[Figure: two dual-stack routers connected across IPv4. One has IPv4: 211.73.68.254, IPv6: ::211.73.68.254; the other has IPv4: 140.110.199.250, IPv6: ::140.110.199.250]
IPv6-over-IPv4 Tunnel (RFC 2529)
• Using an IPv4 multicast domain (239.192.0.0/16) as their virtual local link.
• IPv6 address of the tunnel interface would be FE80::[32-bit IPv4 address]
[Figure: nodes on an IPv4 multicast domain attached to an IPv6 network with prefix 2001:DB8::/64. Node 163.22.20.1 has FE80::163.22.20.1 and 2001:DB8:A316:1401; node 10.10.20.1 has FE80::10.10.20.1 and 2001:DB8:0A0A:1401]
6to4 Tunnel (RFC 3056)
[Figure: two IPv6 networks joined across IPv4 by 6to4 Router1 (131.243.129.44, network prefix 2002:83F3:812C::/48) and 6to4 Router2 (140.110.199.250, network prefix 2002:8C6E:C7FA::/48); each router's E0 interface faces its IPv6 network. Host 2002:83F3:812C:1::3 sends to host 2002:8C6E:C7FA:2::5]
In both IPv6 networks: IPv6 SRC 2002:83F3:812C:1::3 | IPv6 DEST 2002:8C6E:C7FA:2::5 | Data
Across IPv4: IPv4 SRC 131.243.129.44 | IPv4 DEST 140.110.199.250 | IPv6 SRC 2002:83F3:812C:1::3 | IPv6 DEST 2002:8C6E:C7FA:2::5 | Data
6to4 Tunnel
[Figure: the same topology; 131.243.129.44 = network prefix 2002:83F3:812C::/48 (6to4 Router1), 140.110.199.250 = network prefix 2002:8C6E:C7FA::/48 (6to4 Router2)]
router2#
interface Ethernet0
 ip address 140.110.199.250 255.255.255.0
 ipv6 address 2002:8C6E:C7FA:1::/64 eui-64
interface Tunnel0
 no ip address
 ipv6 unnumbered Ethernet0
 tunnel source Ethernet0
 tunnel mode ipv6ip 6to4
ipv6 route 2002::/16 Tunnel0

6to4 Tunnel:
  – Is an automatic tunnel method
  – Gives a prefix to the attached IPv6 network
  – 2002::/16 assigned to 6to4
  – Requires one global IPv4 address on each site
6to4 Tunnel in Windows XP
• 6to4 Tunnel is enabled in Windows XP by default.
Network Address Translator
[Figure: Computer A (IP: 10.0.0.1, Port: 80) and Computer B (IP: 10.0.0.2, Port: 80) sit behind a NAT whose private NIC runs a DHCP server and whose public NIC is a DHCP client or PPPoE client. On the public Internet they appear as IP: 200.200.200.200, Port: 10080 and IP: 200.200.200.200, Port: 20080]
Mapping Table
10.0.0.1:80 <-> 10080
10.0.0.2:80 <-> 20080
IPv6 tunneling problem
• It does not work when the IPv4 address is not globally routable
[Figure: IPv6 host A in an IPv6 site, 6to4 router B, IPv4 router C, a NAT, 6to4 relay router D and IPv6 host E]
A v6 IP: 2002:A00:1:1::3/48 (A6)
B v6 IP: 2002:A00:1:1::1/48 (B6)
B v4 IP: 10.0.0.1 (B4)
NAT address: 140.113.131.74 (N4)
D v4 IP: 140.114.1.254 (D4)
D v6 IP: 2001:238:f88:4::1/64 (D6)
E v6 IP: 2001:238:f88:4::2/64 (E6)
• A to B: IPv6 (Src: A6, Dest: E6, data)
• B to C: IPv4 (encapsulating IPv6) (Src: B4, Dest: D4 | Src: A6, Dest: E6, data)
• C to D: IPv4 (encapsulating IPv6) (after address translation: Src: N4, Dest: D4 | Src: A6, Dest: E6, data)
• D to E: IPv6 (Src: A6, Dest: E6, data)
• Return direction labels: E6, A6 carried in D4, B4
• B4 is a private address!
IPv6 Tunneling Problem [1/2]
[Figure: host A (2002:A00:1:1::3) in the IPv6 network with prefix 2002:A00:1::/48, behind 6to4 Router1 (10.0.0.1) and a NAT (140.113.131.74); across IPv4, 6to4 Router2 (140.119.209.250) serves the IPv6 network with prefix 2002:8C77:D1FA::/48 and host B (2002:8C77:D1FA:2::5)]
A to Router1: IPv6 SRC 2002:A00:1:1::3 | IPv6 DEST 2002:8C77:D1FA:2::5 | Data
Router1 to NAT: IPv4 SRC 10.0.0.1 | IPv4 DEST 140.119.209.250 | IPv6 SRC 2002:A00:1:1::3 | IPv6 DEST 2002:8C77:D1FA:2::5 | Data
NAT to Router2: IPv4 SRC 140.113.131.74 | IPv4 DEST 140.119.209.250 | IPv6 SRC 2002:A00:1:1::3 | IPv6 DEST 2002:8C77:D1FA:2::5 | Data
Router2 to B: IPv6 SRC 2002:A00:1:1::3 | IPv6 DEST 2002:8C77:D1FA:2::5 | Data
IPv6 Tunneling Problem [2/2]
[Figure: the same topology, reply direction: host B (2002:8C77:D1FA:2::5) behind 6to4 Router2 (140.119.209.250) answers host A (2002:A00:1:1::3) behind 6to4 Router1 (10.0.0.1) and the NAT (140.113.131.74)]
B to Router2: IPv6 SRC 2002:8C77:D1FA:2::5 | IPv6 DEST 2002:A00:1:1::3 | Data
Router2 toward the NAT (?): IPv4 SRC 140.119.209.250 | IPv4 DEST 10.0.0.1 | IPv6 SRC 2002:8C77:D1FA:2::5 | IPv6 DEST 2002:A00:1:1::3 | Data
Connection can’t be established!
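The 6to4 prefix derivation and the NAT failure shown on the two slides above, as an added Python example (not part of the original slides). The function names are illustrative; all addresses are the ones used on the slides.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")  # 6to4 prefix from the slides


def sixtofour_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Return the 2002:V4ADDR::/48 site prefix a 6to4 router derives from its IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def embedded_ipv4(ipv6: str):
    """Return the IPv4 tunnel endpoint embedded in a 6to4 address, or None."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def return_path(ipv6_src: str) -> str:
    """Say whether a remote 6to4 router can tunnel replies back to this source."""
    v4 = embedded_ipv4(ipv6_src)
    if v4 is None:
        return "not a 6to4 address"
    if not v4.is_global:
        # The remote router uses the embedded address as outer IPv4 destination.
        return f"unreachable: replies go to {v4}, which is not globally routable"
    return f"reachable: replies are tunnelled to {v4}"


if __name__ == "__main__":
    # Router IPv4 addresses taken from the slides.
    for router in ("131.243.129.44", "140.110.199.250", "10.0.0.1"):
        print(router, "->", sixtofour_prefix(router))
    # Hosts from the slides: behind a public router, behind the NAT, native IPv6.
    for host in ("2002:83F3:812C:1::3", "2002:A00:1:1::3", "2001:238:f88:4::2"):
        print(host, "->", return_path(host))
```

The same check can be run over IPv6 source addresses in flow or firewall logs to spot 6to4 hosts that were configured behind a NAT.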
Teredo Service (RFC 4380)
• Allow hosts behind NAT to access IPv6 without modifying NAT. It contains three basic components:
  – Teredo Client
    • a node that wants to gain access to the IPv6 Internet.
  – Teredo Server
    • a helper that provides IPv6 connectivity to Teredo clients.
  – Teredo Relay
    • an IPv6 router that can receive traffic from IPv6 realm to Teredo clients and vice versa.
Teredo service
• To allow hosts behind NAT to access IPv6, without modifying NAT.
  – Teredo is not a long term solution
  – If NAT also supports IPv6 routing, the problem of NAT traversal will disappear.
Teredo definitions
• Teredo client
  – A node that wants to gain access to the IPv6 Internet.
• Teredo server
  – A helper that provides IPv6 connectivity to Teredo clients.
• Teredo relay
  – An IPv6 router that can receive traffic destined to Teredo clients and forward it to the Teredo client.
• Teredo bubble
  – A minimal IPv6 packet, made of an IPv6 header and null payload, no Next Header.
• Teredo service
  – The transmission of IPv6 packets over UDP.
Operation model
• A client has pre-configured server location.
• A client gets IPv6 prefix from the Teredo server.
• Teredo server is stateless. Traffic goes directly between the relay router and the client.
• Teredo Relay announces reachability of Teredo prefix on IPv6 realm.
• Relay and Client maintain peer list to avoid sending Teredo message too often.
[Figure: a Teredo client behind a NAT on IPv4 asks the Teredo server "Teredo IPv6 prefix?" and receives "Teredo IPv6 prefix, your mapped address"; a tunnel runs between the client and the Teredo relay, which connects IPv4 to IPv6]
Teredo Operation Model
• Teredo Client gets its Teredo IPv6 address from Teredo Server.
• Use Teredo Relay as relay router.
[Figure: a Teredo client behind a NAT on IPv4 asks the Teredo server "My address?" and receives "Your Teredo address."; a UDP tunnel runs from the client to the Teredo relay, which reaches an IPv6 host in the IPv6 network]
Tunneling packet: IPv4 Header | UDP Header | Teredo Header | IPv6 packet
Teredo address encoding
• Prefix: the 32 bit Teredo service prefix.
  – 2001:0000::/32
• Server IPv4: the IPv4 address of a Teredo server.
• Flags: a set of 16 bits that document type of address and NAT.
  – 16 bits flag: “C00000UG00000000”
  – C=1 if NAT is cone.
  – UG should be set to “00”.
• Port: the obfuscated "mapped UDP port" of the client
• Client IPv4: the obfuscated "mapped IPv4 address" of a client

  Prefix | Server IPv4 | Flags | Port | Client IPv4
  0        32            64      80     96        127   (bit offsets)

Obfuscated: XOR every bit in the field with 1, to prevent an over-genius NAT from translating it.
Obtaining an address (1/2)
• Teredo client sends a UDPv4 tunneled IPv6 Router Solicitation to the Teredo server.
• Teredo server replies UDPv4 tunneled IPv6 Router Advertisement with origin indication.
[Figure: Teredo client (10.0.0.2:1234) behind a NAT (10.0.0.1, mapped address 9.0.0.1:4096) on IPv4; Teredo server (1.2.3.4); Teredo relay between IPv4 and IPv6]
Client to server: IPv4 | UDP | IPv6 RS
Server to client: IPv4 | UDP | Origin indication | IPv6 RA
Origin indication format: 0x00 0x00 | mapped port # | mapped IPv4 address
Obtaining an address (2/2)
• Client gets mapped address/port from origin indication
  – Mapped address: 9.0.0.1:4096
  – Already known server IP: 1.2.3.4
• Generated Teredo IPv6 address
  – Prefix: 2001:0000::/32
  – Server: 0x0102:0304 (Teredo server IP address: 1.2.3.4)
  – Flags: 0x8000 (cone NAT)
  – Obfuscated Port: 0xEFFF (=0xFFFF⊕4096)
  – Obfuscated Address: 0xF6FF:FFFE (=0xFFFF:FFFF⊕9.0.0.1)
  – Teredo IPv6 Address: 2001:0000:102:304:8000:EFFF:F6FF:FFFE
• Must keep alive address mapping on NAT
  – Default refresh interval: 30 seconds.
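The address construction worked through above, together with its inverse, as an added Python example (not part of the original slides). Function and field names are illustrative; the second input in the demo is the client address that appears on the later Teredo Tunnel slides.

```python
import ipaddress
import struct

TEREDO_PREFIX = 0x20010000  # 2001:0000::/32, the service prefix given on the slides
CONE_FLAG = 0x8000          # "C" bit, the first of the 16 flag bits


def teredo_encode(server: str, mapped_ip: str, mapped_port: int, cone: bool) -> ipaddress.IPv6Address:
    """Build prefix | server IPv4 | flags | obfuscated port | obfuscated client IPv4."""
    packed = struct.pack(
        "!IIHHI",
        TEREDO_PREFIX,
        int(ipaddress.IPv4Address(server)),
        CONE_FLAG if cone else 0,
        mapped_port ^ 0xFFFF,                                # XOR every bit with 1
        int(ipaddress.IPv4Address(mapped_ip)) ^ 0xFFFFFFFF,
    )
    return ipaddress.IPv6Address(packed)


def teredo_decode(address: str):
    """Recover server and NAT mapping from a Teredo address; None if the prefix differs."""
    fields = struct.unpack("!IIHHI", ipaddress.IPv6Address(address).packed)
    prefix, server, flags, port, client = fields
    if prefix != TEREDO_PREFIX:
        return None
    return {
        "server": str(ipaddress.IPv4Address(server)),
        "cone_nat": bool(flags & CONE_FLAG),
        "mapped_port": port ^ 0xFFFF,
        "mapped_ip": str(ipaddress.IPv4Address(client ^ 0xFFFFFFFF)),
    }


if __name__ == "__main__":
    # Worked example from the slide: server 1.2.3.4, mapping 9.0.0.1:4096, cone NAT.
    print(teredo_encode("1.2.3.4", "9.0.0.1", 4096, cone=True))
    # Client address from the Teredo Tunnel slides.
    print(teredo_decode("2001:0000:8C71:8337:8000:234B:738E:7CB5"))
```

Decoding a Teredo source address seen in a capture or log gives the NAT's public address and UDP port and the Teredo server in use, without needing the outer IPv4 header.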
Packet from Teredo node to IPv6 node (1/3)
• A does not know which relay will be chosen by B.
• A sends ICMPv6 "echo request" toward B.
• S forwards "echo request" to IPv6 realm.
[Figure: Teredo client A (10.0.0.2:1234, Teredo address PREF:102:304::EFFF:F6FF:FFFE) behind a NAT (10.0.0.1, mapped address 9.0.0.1:4096); Teredo server S (1.2.3.4:3544); Teredo relay R (5.6.7.8:3544); IPv6 node B (2000::B)]
Packet sent by A: Src. 10.0.0.2:1234 | Dest. 1.2.3.4:3544 | IPv6 Src. PREF:102:304::EFFF:F6FF:FFFE | IPv6 dest. 2000::B
Packet forwarded by S: IPv6 Src. PREF:102:304::EFFF:F6FF:FFFE | IPv6 dest. 2000::B
Packet from Teredo node to IPv6 node (2/3)
• B sends the “echo reply” back to Teredo Client.
• The IPv6 packet will be queued by Teredo Relay.
• If Teredo Client is behind a restricted NAT, a bubble must be sent to Teredo Server.
[Figure: the same topology: A (10.0.0.2:1234, PREF:102:304::EFFF:F6FF:FFFE), NAT (10.0.0.1, 9.0.0.1:4096), S (1.2.3.4:3544), R (5.6.7.8:3544), B (2000::B)]
Packet sent by B: IPv6 Src. 2000::B | IPv6 dest. PREF:102:304::EFFF:F6FF:FFFE
Packet from Teredo node to IPv6 node (3/3)
• R sends the queued “echo reply” to A.
• A knows B can be reached through address 5.6.7.8:3544.
• A will send all further packets directly through R.
[Figure: the same topology: Teredo client A (10.0.0.2:1234, PREF:102:304::EFFF:F6FF:FFFE), NAT (10.0.0.1, 9.0.0.1:4096), S (1.2.3.4:3544), R (5.6.7.8:3544), B (2000::B)]
Trial of Teredo in NCTU
[Figure: Teredo clients behind NATs in the IPv4 network; a Teredo server; a Teredo relay and DNS connecting to the IPv6 network, with IPv6-only nodes; HiNet]
Teredo Tunnel [1/2]
[Figure: Teredo client (192.168.1.109:1033, Teredo address 2001:0000:8C71:8337:8000:234B:738E:7CB5) behind a NAT (140.113.131.74) on IPv4; Teredo server (140.113.131.55); Teredo relay (140.113.131.2); host B (2001:238:F88:131::7) in the IPv6 network]
Client to NAT: IPv4 SRC 10.0.0.2 | IPv4 DEST 140.113.131.2 | UDP SRC 1033 | UDP DEST 3544 | Teredo Header | IPv6 SRC 2001:0000:8C71:8337:8000:234B:738E:7CB5 | IPv6 DEST 2001:238:F88:131::7 | Data
NAT to relay: IPv4 SRC 140.113.131.74 | IPv4 DEST 140.113.131.2 | UDP SRC 56500 | UDP DEST 3544 | Teredo Header | IPv6 SRC 2001:0000:8C71:8337:8000:234B:738E:7CB5 | IPv6 DEST 2001:238:F88:131::7 | Data
Relay to B: IPv6 SRC 2001:0000:8C71:8337:8000:234B:738E:7CB5 | IPv6 DEST 2001:238:F88:131::7 | Data
Teredo Tunnel [2/2]
[Figure: the same topology, reply direction: host B (2001:238:F88:131::7), Teredo relay (140.113.131.2), NAT (140.113.131.74), Teredo client (192.168.1.109:1033), Teredo server (140.113.131.55)]
B to relay: IPv6 SRC 2001:238:F88:131::7 | IPv6 DEST 2001:0000:8C71:8337:8000:234B:738E:7CB5 | Data
Relay to NAT: IPv4 SRC 140.113.131.2 | IPv4 DEST 140.113.131.74 | UDP SRC 3544 | UDP DEST 56500 | Teredo Header | IPv6 SRC 2001:238:F88:131::7 | IPv6 DEST 2001:0000:8C71:8337:8000:234E:738E:7CB5 | Data
NAT to client: IPv4 SRC 140.113.131.2 | IPv4 DEST 192.168.1.109 | UDP SRC 3544 | UDP DEST 1033 | Teredo Header | IPv6 SRC 2001:238:F88:131::7 | IPv6 DEST 2001:0000:8C71:8337:8000:234E:738E:7CB5 | Data
Protocol Decoder in Ethereal
[Figure: Ethereal protocol decode; annotations: = 140.113.131.74, Port: 56500]
Conclusions
• Tunneling is a useful technique to establish connectivity between IPv6 sites even though they don’t have direct links between each other.
• Many users get private IPv4 address from their service providers, such as WLAN and GPRS. These users have difficulty in creating IPv6 tunnels.
• Before all NAT devices can be upgraded to support IPv6, Teredo service is useful for ISPs to provide IPv6 access to their users behind NAT.