1

IPv6 Transition Mechanisms• A set of protocol mechanisms implemented in

hosts and routers.• To allow IPv6 and IPv4 hosts to interoperate.

– Because it is impossible to have a “flag day” for all hosts to upgrade from IPv4 to IPv6.

• To allow IPv6 hosts and routers to be deployed in the Internet in a highly diffuse and incremental fashion, with few interdependencies

• The transition should be as transparent to general users as possible

簡 介

IPv4 Only

ExperimentalIPv6

Network

IPv4 Ocean

IPv6 Island

IPv4 Island

IPv6 Ocean

IPv6 Only

Phase Ⅰ Phase Ⅱ Phase Ⅲ Phase Ⅳ

NGtrans 規劃之轉換機制

TransitionMechanisms

Tunneling Translator

Dual Stack

4

IPv4–to–IPv6 Transition Strategy (RFC 2893)

• Dual Stack– Reduce the cost invested in transition by running both

IPv4/IPv6 protocols on the same machine.• Tunneling

– Reduce the cost in wiring by re-using current IPv4 routing infrastructures as a virtual link.

• Translation (RFC 2766 NAT-PT) – Allow IPv6 realm to access the rich contents already

developed on IPv4 applications• From 16-bit DOS to 32-bit Windows• From 4-byte IPv4 to 16-byte IPv6

5

Dual-Stack Approach

• When adding IPv6 to a system, do not delete IPv4– This multi-protocol approach is familiar and well-understood (e.g., for

AppleTalk, IPX, etc.)– Note: in most cases, IPv6 will be bundled with new OS releases, not an extra-

cost add-on (e.g., Windows Vista/7, CentOS 5, FreeBSD 8)• Applications (or libraries) choose IP version to use

– when initiating, based on DNS response:– if (dest has AAAA or A6 record) use IPv6, else use IPv4– when responding, based on version of initiating packet

• This allows indefinite co-existence of IPv4 and IPv6, and gradual, app-by-app upgrades to IPv6 usage

DRIVERIPv4 IPv6IPv4 IPv6

APPLICATIONTCP/UDP

簡易雙重架構機制• IPv4 Stack 功能啟動，而 IPv6 功能關閉 (

即 IPv4-only node)• IPv6 Stack 功能啟動，而 IPv4 功能關閉 (

即 IPv6-only node)• IPv4 Stack 及 IPv6 Stack 功能皆啟動

(node 具組態切換功能 )

IPv4/IPv6 雙重架構機制 IPv6client

TCP

IPv6

Datalink

IPv4client

TCP

IPv4

Datalink

IPv4 mappedIPv6 address

IPv6client

TCP

IPv4 IPv6

Datalink

8

Dual Stack Approach & DNS

• In a dual stack case, an application that:–Is IPv4 and IPv6-enabled–Asks the DNS for all types of addresses–Chooses one address and, for example, connects to the IPv6 address

DNS Server

IPv4

IPv6

www.a.com = * ?

2001:DB8::1

2001:DB8::110.1.1.1

9

Dual Stack Approach

• Dual stack node means:–Both IPv4 and IPv6 stacks enabled–Applications can talk to both–Choice of the IP version is based on name lookup and application preference

TCP UDP

IPv4 IPv6

Application

Data Link (Ethernet)

0x0800 0x86dd

TCP UDP

IPv4 IPv6

IPv6-enable Application

Data Link (Ethernet)

0x0800 0x86dd Frame Protocol ID

Preferred method on

Application’s servers

10

Cisco IOS Dual Stack Configuration

• Cisco IOS is IPv6-enable:–If IPv4 and IPv6 are configured on one interface, the router is dual-stacked–Telnet, Ping, Traceroute, SSH, DNS client, TFTP,…

IPv6 and IPv4 Network

Dual-Stack Router

IPv4: 140.110.199.1

IPv6: 2001:C58:213:1::/64 eui-64

router#

interface Ethernet0 ip address 140.110.199.1 255.255.255.0 ipv6 address 2001:C58:213:1::/64 eui-64

ping www.ncnu.edu.tw

11

DNS Queries of A and AAAA Records

12

Exercise

• Try to turn off IPv6 on your PC, and repeat the above test.

• What are the differences?

13

14

IPv4–to–IPv6 Transition Strategy (RFC 2893; obsoleted by RFC 4213)

• Dual Stack– Reduce the cost invested in transition by running both IPv4/IPv6

protocols on the same machine .• Tunneling

– Reduce the cost in wiring by re-using current IPv4 routing infrastructures as a virtual link.

• Translation (RFC 2766 NAT-PT; obsoleted by RFC 4966) – Allow IPv6 realm to access the rich contents already developed on

IPv4 applications• From 16-bit DOS to 32-bit Windows• From 4-byte IPv4 to 16-byte IPv6

15

Tunnels of IPv6 over IPv4

• Encapsulating the IPv6 packet in an IPv4 packet• Tunneling can be used by routers and hosts

IPv4IPv6 Network

IPv6 Network

Tunnel: IPv6 in IPv4 packet

IPv6 Host

Dual-Stack Router

Dual-Stack Router

IPv6 Host

IPv6 HeaderIPv4 Header

IPv6 Header Transport Header Data

DataTransport Header

16

IPv6 Tunneling

Service Provider IPv4 Backbone

IPv6 Tunnel

IPv6 Tunnel

IPv6 Tunnel

IPv6 Network

IPv6 Network

IPv6 Header Transport Layer HeaderIPv4 Header

IPv6 Header Transport Layer Header Data

Data

17

Manually Configured Tunnel

IPv4IPv6 Network

IPv6 Network

Dual-Stack Router2

Dual-Stack Router1

IPv4: 131.243.129.44 IPv6: 2001:DB8:c18:1::3

IPv4:140.110.199.250 IPv6: 2001:DB8:c18:1::2

router1#

interface Tunnel0 ipv6 address 2001:DB8:c18:1::3/64 tunnel source 131.243.129.44 tunnel destination 140.110.199.250 tunnel mode ipv6ip

router2#

interface Tunnel0 ipv6 address 2001:DB8:c18:1::2/64 tunnel source 140.110.199.250 tunnel destination 131.243.129.44 tunnel mode ipv6ip

• Manually Configured tunnels require:Dual stack end pointsBoth IPv4 and IPv6 addresses configured at each end

18

IPv4

Manually Configured TunnelDual-Stack

Router

IPv4: 140.110.199.254

IPv6: 2001:288:03a1:210::3/127

FreeBSD4.7#gifconfig gif0 61.218.105.10 140.110.199.254ifconfig gif0 inet6 2001:288:03a1:210::2 2001:288:3a1:210::3 prefixlen 128

Dual-Stack Host

IPv4: 61.218.105.10

IPv6: 2001:288:03a1:210::2/127

19

Linux Tunnel

/etc/sysconfig/network-scripts/ifcfg-sit1 DEVICE=sit1 BOOTPROTO=none ONBOOT=yes IPV6INIT=yes #Remote end-ISP IPv4 addr IPV6TUNNELIPV4=140.110.199.250 #Yourself IPv6 tunnel addr from ISP IPV6ADDR=2001:288:3A1:210::2/127

ifup sit1

20

Windows XP Tunnel• netsh interface ipv6

– add v6v4tunnel “T1" 140.113.131.23 140.113.87.100• Syntax: add v6v4tunnel [[interface=]String]

localIPv4Address remoteIPv4Address– add address “T1“ 2001:238:F88:B::30– add route 2001:238:F88:B::30/127 “T1”

• Now you can ping the remote tunnel endpoint 2001:238:F88:B::31

• Use Wireshark to capture packets with filter “ip host 140.113.87.100”.

Windows 7

: Control Information: Data (Tunnel)

DNS

TunnelBroker

Dual-StackUser-Node

TunnelServer

IPv4 Site

IPv6-over-IPv4 Tunnel

IPv6 site

通道代理者 (Tunnel Broker) 機制

通道代理者機制運作1) 使用者聯結 Tunnel Broker 進行註冊事宜

(registration procedure)2) 使用者再次聯結 Tunnel Broker ，提供使用者端點資訊 ( 包括： IP 位址、作業系統、 IPv6 支援軟體等 )3) Tunnel Broker 建置網路端點、 DNS 伺服器及使用者端點組態4) 通道建置完成，使用者可以直接連至 IPv6 網路

通道代理者機制運作Remote Site IPv6 network provider

Client Tunnel Broker DNS Server

Well knownWWW Server

tb.cselt.ittb.cpmpany.com...........

Tunnel BrokerDirectory

TB Listwww.ipv6.org

Dual-StackHost/Router

Client-BrokerInteraction

Tunnel Server

RG

RG

RG

Dual-StackRouter

BrokerInteraction

Broker-DNSInteraction

通道代理者機制運作 (1)

通道代理者機制運作 (2)

通道代理者 (Tunnel Broker) 機制 Implementation

IPv4 網路

IPv6 網路

Client

Tunnel broker

1. IPv4的client端提出網頁的要求

IPv6 DNS

2. Tunnel broker回應Tunnel的資訊給IPv4 的client端

3. Tunnel broker設定 tunnel server或router

4. Client端和 tunnel server 或 router 建立起 tunnel

tunnel

通道代理者機制服務

通道代理者機制服務

通道代理者 (Tunnel Broker) 機制Scripts and Parameters

通道代理者 (Tunnel Broker)機制 Interface

通道代理者 (Tunnel Broker)機制 Routing Table

33

Tunnel Packets

Exercise

• Try to build IPv6 tunnels with one of the following tunnel brokers:– Academia Sinica– HiNet– Hurricane Electric

Some Words About Tunnel Brokers

• 1 tunnel, 1 route, to all the IPv6 world.

• Ease the configuration

• Route may not be optimal.– Especially when users build

tunnels with different service providers.

Automatic Tunnels

• IPv4 Compatible Tunnel (RFC 2893)• IPv6-over-IPv4 Tunnel (RFC 2529)• 6to4 Tunnel (RFC 3056)• ISATAP (RFC 5214)• Teredo (RFC 4380)

37

IPv4 Compatible Tunnel (RFC 2893)

• IPv4-compatible addresses are easy way to auto-tunnel, but it:– May be deprecated soon– Consumes IPv4 addresses

IPv4

Dual-Stack Router

Dual-Stack Router

IPv4: 211.73.68.254 IPv6: ::211.73.68.254

IPv4: 140.110.199.250 IPv6: ::140.110.199.250

IPv6-over-IPv4 Tunnel (RFC 2529)

• Using an IPv4 multicast domain (239.192.0.0/16) as their virtual local link.

• IPv6 address of the tunnel interface would be FE80::[32-bit IPv4 address]

IPv6 Network

IPv4 multicast

FE80::163.22.20.1163.22.20.1

FE80::10.10.20.1 10.10.20.1

2001:DB8::/64

2001:DB8:0A0A:14012001:DB8:A316:1401

39

6to4 Tunnel (RFC 3056)

IPv4IPv6 Network

IPv6 Network

6to4 Router2

6to4 Router1

131.243.129.44 140.110.199.250Network prefix:

2002:83F3:812C::/48Network prefix:

2002:8C6E:C7FA::/48

E0 E0

2002:83F3:812C:1::3

2002:8C6E:C7FA:2::5

IPv6 SRC 2002:83F3:812C:1::3

Data

IPv6 DEST 2002:8C6E:C7FA:2::5

IPv6 SRC 2002:83F3:812C:1::3

Data

IPv6 DEST 2002:8C6E:C7FA:2::5

IPv6 SRC 2002:83F3:812C:1::3

Data

IPv6 DEST 2002:8C6E:C7FA:2::5

IPv4 SRC 131.243.129.44

IPv4 DEST 140.110.199.250

40

6to4 Tunnel

IPv4IPv6 Network

IPv6 Network

6to4 Router2

6to4 Router1

131.243.129.44 140.110.199.250Network prefix:

2002:83F3:812C::/48Network prefix:

2002:8C6E:C7FA::/48= =

E0 E0

router2#interface Ethernet0 ip address 140.110.199.250 255.255.255.0 ipv6 address 2002:8C6E:C7FA:1::/64 eui-64interface Tunnel0 no ip address ipv6 unnumbered Ethernet0 tunnel source Ethernet0 tunnel mode ipv6ip 6to4

ipv6 route 2002::/16 Tunnel0

6to4 Tunnel: – Is an automatic tunnel method– Gives a prefix to the attached IPv6 network– 2002::/16 assigned to 6to4– Requires one global IPv4 address on each site

41

6to4 Tunnel in Windows XP• 6to4 Tunnel is enabled in Windows XP by

default.

42

Network Address TranslatorComputer AIP: 10.0.0.1

Port: 80

Computer BIP: 10.0.0.2

Port: 80

NATPublic Internet

IP: 200.200.200.200Port: 10080

IP: 200.200.200.200Port: 20080

Mapping Table10.0.0.1:80 <-> 1008010.0.0.2:80 <-> 20080

DHCP Server

DHCP ClientPPPoE Client

Private NIC

Public NIC

43

IPv6 tunneling problem• It does not work when the IPv4 address is not globally routable

IPv6B D EIPv6site

IPv6host

6to4 route

r

IPv4 route

r

C

Src: A6Dest: E6

data

Src: A6Dest: E6

data

6to4Relay route

rSrc: N4Dest: D4Src: A6Dest: E6

data

Src: N4Dest: D4Src: A6Dest: E6

data

A to B:IPv6

D to E: IPv6

B to C: IPv4(encapsulating IPv6)

C to D: IPv4(encapsulating IPv6)

A v6 IP: 2002:A00:1:1::3/48 (A6)B v6 IP: 2002:A00:1:1::1/48 (B6)B v4 IP: 10.0.0.1 (B4)

E v6 IP: 2001:238:f88:4::2/64 (E6)D v6 IP: 2001:238:f88:4::1/64 (D6)D v4 IP: 140.114.1.254 (D4)

A

IPv6host

IPv4

NAT address: 140.113.131.74 (N4)

NAT

IPv4

Src: B4Dest: D4Src: A6Dest: E6

data

Address translation

B4 is a private address!

E6 A6

D4 B4

44

IPv6 Tunneling Problem [1/2]

IPv6 Network

IPv4 IPv6 Network

6to4 Router2

NAT6to4 Router1

A B

140.113.131.74 140.119.209.250

2002:8C77:D1FA:2::5

10.0.0.1Network prefix:

2002:8C77:D1FA::/48

IPv6 SRC 2002:A00:1:1::3

Data

IPv6 DEST 2002:8C77:D1FA:2::5

IPv4 SRC 10.0.0.1

IPv4 DEST 140.119.209.250

Network prefix:

2002:A00:1::/48

2002:A00:1:1::3

IPv6 SRC 2002:A00:1:1::3

Data

IPv6 DEST 2002:8C77:D1FA:2::5

IPv4 SRC 140.113.131.74

IPv4 DEST 140.119.209.250

IPv6 SRC 2002:A00:1:1::3

Data

IPv6 DEST 2002:8C77:D1FA:2::5

IPv6 SRC 2002:A00:1:1::3

Data

IPv6 DEST 2002:8C77:D1FA:2::5

45

IPv6 Tunneling Problem [2/2]

IPv6 Network

IPv4 IPv6 Network

6to4 Router2

Connection can’tbe established!

6to4 Router1

A

140.119.209.250

2002:8C77:D1FA:2::5

10.0.0.1Network prefix:

2002:8C77:D1FA::/48Network prefix:

2002:A00:1::/48

2002:A00:1:1::3

IPv4 SRC 140.119.209.250

IPv4 DEST 10.0.0.1

IPv6 SRC 2002:8C77:D1FA:2::5

Data

IPv6 DEST 2002:A00:1:1::3

IPv6 SRC 2002:8C77:D1FA:2::5

Data

IPv6 DEST 2002:A00:1:1::3

？NAT

140.113.131.74

B

46

Teredo Service(RFC 4380)

• Allow hosts behind NAT to access IPv6 without modifying NAT. It contains three basic components:– Teredo Client

• a node wants to gain access to the IPv6 Internet.– Teredo Server

• helper to provide IPv6 connectivity to Teredo clients.– Teredo Relay

• an IPv6 router that can receive traffic from IPv6 realm to Teredo clients and vice versa.

47

Teredo service

• To allow hosts behind NAT to access IPv6, without modifying NAT.– Teredo is not a long term solution– If NAT also supports IPv6 routing, the problem

of NAT traversal will disappear.

48

Teredo definitions• Teredo client

– A node wants to gain access to the IPv6 Internet.• Teredo server

– helper to provide IPv6 connectivity to Teredo clients.• Teredo relay

– An IPv6 router that can receive traffic destined to Teredo clients and forward it to Teredo client.

• Teredo bubble– minimal IPv6 packet, made of an IPv6 header and null payload, no

Next Header.• Teredo service

– The transmission of IPv6 packets over UDP.

49

Operation model• A client has pre-configured

server location.• A client gets IPv6 prefix from

the Teredo server.Teredoserver

Teredorelay

Teredoclient

NAT

IPv6

IPv4

Teredo IPv6 prefix?Tunnel

• Teredo server is stateless. Traffic goes directly between the relay router and the client.

• Teredo Relay announces reachability of Teredo prefix on IPv6 realm.

• Relay and Client maintain peer list to avoid sending Teredo message too often.

Teredo IPv6 prefix,your mapped address

IPv4

50

Teredo Operation Model

IPv4

Teredo Client

Teredo Relay

NATTeredo Server

• Teredo Client gets its Teredo IPv6 address from Teredo Server.

• Use Teredo Relay as relay router.

IPv4 Header

UDP Header

Teredo Header

IPv6 packet

UDP tunnel

My address?

Your Teredo address.

IPv6 Host

IPv6 Network

Tunneling packet

51

Teredo address encoding

• Prefix: the 32 bit Teredo service prefix.– 2001:0000::/32

• Server IPv4: the IPv4 address of a Teredo server.• Flags: a set of 16 bits that document type of address and NAT.

– 16 bits flag: “C00000UG00000000”– C=1 if NAT is cone.– UG should set to “00”.

• Port: the obfuscated "mapped UDP port" of the client• Client IPv4: the obfuscated "mapped IPv4 address" of a client

Prefix Server IPv4 Flags Port Client IPv40 32 64 80 96 127

Obfuscated: XOR every bits in the field with 1, prevent over-genius NAT’s translation.

52

Obtaining an address(1/2)

IPv4 UDP Origin indication IPv6 RA

• Teredo client sends a UDPv4 tunneled IPv6 Router Solicitation to the Teredo server.

• Teredo server replies UDPv4 tunneled IPv6 Router Advertisement with origin indication.

Teredoserver

Teredorelay

Teredoclient

IPv6

IPv4

10.0.0.2:1234

10.0.0.1

9.0.0.1:4096

1.2.3.4

IPv4 UDP IPv6 RS

0x00 0x00 mapped port #

mapped IPv4 addressOrigin indicationformat

NAT

IPv4

53

Obtaining an address(2/2)• Client get mapped address/port from origin indication

– Mapped address: 9.0.0.1:4096– Already known server IP: 1.2.3.4

• Generated Teredo IPv6 address– Prefix: 2001:0000::/32– Server: 0x0102:0304 (Teredo server IP address: 1.2.3.4)– Flags: 0x8000 (cone NAT)– Obfuscated Port: 0xEFFF (=0xFFFF⊕4096)– Obfuscated Address: 0xF6FF:FFFE (=0xFFFF:FFFF⊕

9.0.0.1)– Teredo IPv6 Address: 2001:0000:102:304:8000:EFFF:F6FF:FFFE

• Must keep alive address mapping on NAT– Default refresh interval: 30 seconds.

54

Packet from Teredo node to IPv6 node (1/3)

• A does not know which relay will be chosen by B.

• A sends ICMPv6 “echo request" toward B.

• S forwards “echo request” to IPv6 realm.

TeredoServer

S

TeredoRelay

R

TeredoClient

A

NAT

IPv6

IPv4

IPv4

10.0.0.2:1234

10.0.0.1

9.0.0.1:4096

5.6.7.8:3544

PREF:102:304::EFFF:F6FF:FFFE

B2000::B

10.0.0.2:1234 1.2.3.4:3544 PREF:102:304::EFFF:F6FF:FFFE

2000::B

Src. Dest.

IPv6Src.

IPv6dest.

1.2.3.4:3544

PREF:102:304::EFFF:F6FF:FFFE

2000::B

55

Packet from Teredo node to IPv6 node (2/3)

• B sends the “echo reply” back to Teredo Client.

• The IPv6 packet will be queued by Teredo Relay.

• If Teredo Client is behind a restricted NAT, a bubble must be sent to Teredo Server.

S R

A

NAT

IPv6

IPv4

IPv4

10.0.0.2:1234

10.0.0.1

9.0.0.1:4096

5.6.7.8:3544

PREF:102:304::EFFF:F6FF:FFFE

B2000::B

IPv6Src.

IPv6dest.

1.2.3.4:3544

2000::B PREF:102:304::EFFF:F6FF:FFFE

56

Packet from Teredo node to IPv6 node (3/3)

• R sends the queued “echo reply” to A.

• A knows B can be reached through address 5.6.7.8:3544.

• A will send all further packets directly through R.

S R

Teredo Client A

NAT

IPv6

IPv4

IPv4

10.0.0.2:1234

10.0.0.1

9.0.0.1:4096

5.6.7.8:3544

PREF:102:304::EFFF:F6FF:FFFE

B2000::B

1.2.3.4:3544

57

Teredo Client

HiNet

IPv6 Network

NAT

IPv4 Network

NAT

Teredo Server

Teredo Client

Teredo Client

IPv6 only

IPv6 only

Teredo Relay

DNS

Trial of Teredo in NCTU

IPv6 only

58

Teredo Tunnel [1/2]

IPv4

Teredo Client Teredo

Relay

NATIPv6

NetworkTeredo Server

140.113.131.74

2001:238:F88:131::72001:0000:8C71:8337:8000:234B:738E:7CB5

140.113.131.2

192.168.1.109:1033

IPv4 SRC 140.113.131.74

IPv4 DEST 140.113.131.2

IPv6 SRC 2001:0000:8C71:8337:80

00:234B:738E:7CB5

Data

IPv6 DEST 2001:238:F88:131::7

IPv4 SRC 10.0.0.2

IPv4 DEST 140.113.131.2

UDP SRC 56500

UDP DEST 3544

UDP SRC 1033

UDP DEST 3544

Teredo Header Teredo Header

IPv6 SRC 2001:0000:8C71:8337:80

00:234B:738E:7CB5

Data

IPv6 DEST 2001:238:F88:131::7

IPv6 SRC 2001:0000:8C71:8337:80

00:234B:738E:7CB5

Data

IPv6 DEST 2001:238:F88:131::7

140.113.131.55

B

59

Teredo Tunnel [2/2]

IPv4

Teredo Client Teredo

Relay

NATIPv6

NetworkTeredo Server

140.113.131.74

2001:238:F88:131::72001:0000:8C71:8337:8000:234B:738E:7CB5

140.113.131.2

192.168.1.109:1033

IPv4 SRC 140.113.131.2

IPv4 DEST 140.113.131.74

IPv6 SRC 2001:238:F88:131::7

Data

IPv6 DEST 2001:0000:8C71:8337:80

00:234B:738E:7CB5

IPv6 SRC 2001:238:F88:131::7

Data

IPv6 DEST 2001:0000:8C71:8337:80

00:234E:738E:7CB5

IPv4 SRC 140.113.131.2

IPv4 DEST 192.168.1.109

IPv6 SRC 2001:238:F88:131::7

Data

IPv6 DEST 2001:0000:8C71:8337:80

00:234E:738E:7CB5

UDP SRC 3544

UDP DEST 56500

UDP SRC 3544

UDP DEST 1033

Teredo Header Teredo Header

140.113.131.55

B

60

Protocol Decoder in Ethereal

= 140.113.131.74

Port: 56500

61

Conclusions• Tunneling is a useful technique to establish

connectivity between IPv6 sites even though they don’t have direct links between each other.

• Many users get private IPv4 address from their service providers, such as WLAN and GPRS. These users have difficulty in creating IPv6 tunnels.

• Before all NAT devices can be upgraded to support IPv6, Teredo service is useful for ISPs to provide IPv6 access to their users behind NAT.