IPv6

IPv6 Using IPv6 and IPv4

Integration and Co-existence

Integration and o-existence 2

Integration and Co-existence Strategy The transition from IPv4 to IPv6 does not

require an upgrade on all nodes at the same time.

Many transition mechanisms enable smooth integration of IPv4 to IPv6.

There are mechanisms available that allow IPv4 nodes to communicate with IPv6 nodes.

All of these mechanisms can be applied to different situations.


Integration Methods1. Dual Stack (Dual IP)

Complete support for both Internet protocols, IPv4 and IPv6, in hosts and routers.

Most preferred mechanism.2. Tunnelling Techniques

The encapsulation of packets of one IP version number within packets of a second IP version number in order to traverse clouds of the second IP version number.

3. Translation Techniques Enables IPv6-only devices to communicate with IPv4-only devices and

vice versa. Least desirable set of mechanisms.

Dual Stack


Dual Stack Conceptually easiest ways of introducing IPv6 to a network is

called the “dual stack mechanism”, as described in [NG05], which is an update of RFC 2893 [RFC2893].

A host or a router is equipped with both IPv4 and IPv6 protocol stacks in the operating system (though this may typically be implemented in a hybrid way).

Each node, called an “IPv4/IPv6 node”, is configured with both IPv4 and IPv6 addresses.

It can both send and receive datagrams belonging to both protocols and thus communicate with every node in the IPv4 and IPv6 network.

Well known and has been applied in the past for other protocol transitions.


Application Supporting both IPv4 and IPv6 Can use both stacks


Stack Selection

Dual-stack node itself can not randomly decide to use one of the two stacks to communicate.

Two methods to force a dual-stack node to use its IPv6 stack:

1. Manual entry by the user2. Using a naming service


1. Stack Selection: Manual entry by the user

If the user knows the IPv6 address of the destination IPv6 hostname, can fill in the IPv6 address to establish the session

The legal format of IPv6 must be used This method is good enough for debugging

but best for daily use of applications.


2. Stack Selection: Using a Naming service

By configuring FQDN in DNS with IPv4 and IPv6 addresses An FQDN may be available through one IPv4 address

represented by an A record or through one IPv6 address represented by an AAAA record in the DNS server.

The same FQDN might be available with both IPv4 and IPv6 addresses.

DNS servers can be queried to provide information about a server’s availability and host service either over IPv4 or IPv6.

As defined in RFC 2553, Basic Socket Interface Extensions for IPv6, a new API is defined to handle both IPv4 and IPv6 in DNS queries.

The functions gethostbyname and gethostbyaddr in applications must be modified to get the benefits of the IPv6 protocol in legacy IPv4-based applications.


Stack Selection: Using a Naming servicePossible querying scenarios

Querying for an IPv4 address A record

Querying for an IPv6 Address AAAA record

Querying for all types of Addresses First look for an AAAA record, if not Then look for an A record


Querying the Naming Service for an IPv4 Address

When an application is IPv4 aware only, it asks the DNS server to get only the IPv4 address for the host name to communicate.


Querying the Naming Service for an IPv6 Address

Application may also support IPv6 only. It asks the DNS server to resolve an FQDN to get the host name ‘s IPv6 address to communicate.

IPv6 application requesting an FQDN AAAA record from DNS


Querying the Naming Service for all types of Addresses

Application first looks for AAAA record. If does not find one, it looks for an A record to communicate with a host name.

Application supporting both is coded to give preference to IPv6 address received from DNS


Enabling Dual Stack on Cisco routers When both IPv4 and IPv6 addresses are assigned

to a network interface, the interface is considered dual-stacked.


Applications supports Dual-Stack on Cisco routers DNS Resolver

It may resolve host names into IPv4 and IPv6 addresses. It can be configured ip name-server ipv6-address command. It

can accept upto six name servers Telnet

IOS EXEC accepts both IPv4 and IPv6 address as an argument TFTP server

IOS EXEC accepts both IPv4 and IPv6 address as an argument HTTP server

Accepts incoming sessions over IPv4 and IPv6

Tunnelling IPv6 Packets over Existing IPv4 Network

Note: Tunnelling is an intermediate integration and transition technique

that should not be considered a final solution. Native IPv6 architecture

should be the ultimate goal.


Why Tunneling? Tunnels are generally used on the network to carry incompatible protocols

or specific data over an existing network. For deployment of IPv6, it provides a basic way for IPv6 hosts or island of

IPv6 hosts, servers, and routers to reach other IPv6 island and IPv6 networks using IPv4 routing domain as the transport layer.

Edge routers at the border of the IPv6 islands and the Internet can handle the tunnelling of IPv6 packets in IPv4.Tunnelling can be configured between border routers or between a border router and a host; however, both tunnel endpoints must support both the IPv4 and IPv6 protocol stacks.


How Does Tunnelling IPv6 Packets in IPv4 Work? Tunnelling encapsulates IPv6 packets in IPv4

packets for delivery across an IPv4 infrastructure (a core network or the Internet).

When IPv6 packets are tunneled in IPv4, their original header and payload are not modified.

One IPv4 header is inserted over the IPv6 header. At each side of the tunnel, encapsulation and

decapsulation of IPv6 packets are performed. Edge device must support both IPv4 and IPv6.


IPv6 Packets Delivered Through IPv4 Tunnel


Issues with Tunnelling Tunnel MTU and Fragmentation

IPv4 header = 20 octets is inserted before the IPV6 packet decreasing IPv6 effective MTU by 20 octets

Min IPv6 MTU = 1280 octets Due to fragmentation of IPv6 – leads to performance

issues Handling IPv4 ICMPv4 errors Filtering Protocol 41 NAT


IPv6 Tunneling Scenarios in IPv41. Host-to-host

Isolated hosts with a dual stack on an IPv4 network can establish a tunnel to another dual-stack host.

Allows the establishment of end-to-end IPv6 sessions between hosts

2. Host to router Isolated hosts with a dual stack on an IPv4 network can

establish a tunnel to the dual-stack router3. Router to router

Routers with a dual-stack on an Ipv4 network can establish a tunnel to another dual-stack router.


IPv6 Tunneling Scenarios in IPv4


Isolated Dual-Stack Host Encapsulation can be done by edge routers

between hosts or between a host and a router.


Deploying Tunnels1. Configured Tunnels (Manual)2. Tunnel Broker3. Tunnel Server4. 6to4 5. GRE Tunnels6. Intra-Site Automatic Tunnel Addressing Protocol

(ISATAP)7. Automatic IPv4-compatible tunnel


1. Configured Tunnels (Manual) The very first transition mechanism supported by IPv6 Configured tunnels are enabled and configured statically on

dual-stack nodes. A manually configured tunnel is equivalent to a permanent link

between two IPv6 domains over an IPv4 backbone. The primary use is for stable connections that require regular

secure communication between two edge routers or between an end system and an edge router, or for connection to remote IPv6 networks.

The host or router at each end of a configured tunnel must support both the IPv4 and IPv6 protocol stacks.


1. Configured Tunnels (Manual) contd.

An IPv6 address is manually configured on a tunnel interface, and manually configured IPv4 addresses are assigned to the tunnel source and the tunnel destination.

Manually configured tunnels can be configured between border routers or between a border router and a host.

On each side of a configured tunnel, IPv4 and IPv6 addresses must be assigned manually to configure the tunnel interface.

Local IPv4 address Used as the source IPv4 address for outbound traffic

Far-end IPv4 address Used as the destination IPv4 for outbound traffic

Local IPv6 address Assigned locally to the tunnel interface


Enabling configured Tunnels on Cisco


Addresses Assigned to a configured Tunnel Interface

IPv6 addresses assigned to both ends of the tunnel are within the same subnet

IPv6 routing must be configured properly to enable forwarding of IPv6 packets between the two IPv6 networks.


Enabling a Configured Tunnel: Example


Example of a Configured Tunnel - 1


2. Tunnel Broker

It is an external system, rather than a router that acts as a server on the IPv4 networks and that receives requests for tunnelling from dual-stack nodes.

Requests are sent over IPv4 by dual-stack nodes to the tunnel broker using HTTP.

End users can fill a webpage to request a configured tunnel The tunnel-broker sends back information over HTTP to the

dual-stack nodes such as the IPv4 addresses, IPv6 addresses, default IPv6 routes to apply for the establishment of a configured tunnel to a dual-stack router.

Tunnel-broker remotely applies commands on a dual-stack router to enable a configured tunnel.


2. Tunnel Broker


3. Tunnel Servers Simplified mode of tunnel broker & considered an

open model It combines the broker and dual-stack router in the

same system. Request method is still HTTP over IPv4 Dual-stack host on an IPv4 network reaches tunnel

server using HTTP End user fills the web form and receives the config. End user applies the configuration to his dual-stack

host to enable configured tunnel


3. Tunnel Servers

Tunnel server locally applies the far-end configuration of the configured tunnel.

At this time, when the configuration is applied on the both ends, configured tunnel is fully established and can be used.


4. 6to4 Tunnels An automatic 6to4 tunnel may be configured on a border

router in an isolated IPv6 network, which creates a tunnel on a per-packet basis to a border router in another IPv6 network over an IPv4 infrastructure.

The key difference between automatic 6to4 tunnels and manually configured tunnels is that the tunnel is not point-to-point; it is point-to-multipoint.

“Connection of IPv6 Domains via IPv4 Clouds without Explicit Tunnels", provides a solution to the complexity problem of using manually configured tunnels by specifying a unique routing prefix for each end-user site that carries an IPv4 tunnel endpoint address


Automatic 6to4 Tunnels The simplest deployment scenario for 6to4 tunnels is to

interconnect multiple IPv6 sites, each of which has at least one connection to a shared IPv4 network.

This IPv4 network could be the global Internet or a corporate backbone.

The key requirement is that each site have a globally unique IPv4 address; the Cisco IOS software uses this address to construct a globally unique 6to4/48 IPv6 prefix.

As with other tunnel mechanisms, appropriate entries in a Domain Name System (DNS) that map between hostnames and IP addresses for both IPv4 and IPv6 allow the applications to choose the required address.


6to4 Tunnels


Characteristic Automatic Tunneling

Tunneling of IPv6 packets between 6to4 sites is done dynamically according to the destination IPv6 addresses of packets originating from IPv6 nodes on 604 sites.

Enabled at the Edge of the site 6to4 should be enabled in border routers at the edge of sites. 6to4 routers must be able to reach other 6to4 sites and 6to4 routers using

IPv4 routing infrastructure Automatic prefix assignment

Provides one aggregatable global unicast IPv6 prefix to each 6to4 site – based on the 2002::/16 address space

Each 6to4 site uses on globally unicast IPv4 address assigned on a router This Ipv4 address is converted into hexadecimal format and is appended to

the 2002::/16 prefix Final representation – 2002::ipv address::/48 Each site gets one /48 prefix.


6to4 routers


End-to-End IPv6 session Between IPv6 hosts Through 6to4 Routers


Enabling 6to4 Router Configuration on Cisco


Enabling 6to4 Router Configuration on Cisco (contd.)


Enabling 6to4 Router Configuration on Cisco – Example


ACL Rule No IP ACL denying protocol 41. With 6to4, following ACLs are recommended

Inbound ipv4 packets with protocol 41 from any source address on the IPv4 Internet

permit 41 any host 132.214.1.10 (incoming 6to4 traffic) permit 41 host 132.214.1.10 any (outgoing 6to4 traffic)


6to4 Relay Service To allow hosts and networks using 6to4 addresses to exchange

traffic with hosts using "native" IPv6 addresses, "relay routers" have been established.

A relay router connects to an IPv4 network and an IPv6 network. 6to4 packets arriving on an IPv4 interface will have their IPv6

payloads routed to the IPv6 network, while packets arriving on the IPv6 interface with a destination address prefix of 2002::/16 will be encapsulated and forwarded over the IPv4 network.

A 6to4 relay service is a 6to4 border router that offers traffic forwarding to the IPv6 Internet for remote 6to4 border routers.

A 6to4 relay forwards packets that have a 2002::/16 source prefix.

6to4 tunnels and connections to a 6to4 relay service need not be requested or negotiated between customers and the ISP.


6to4 Relay Service To allow a 6to4 router to communicate with the native IPv6

Internet, it must have its IPv6 default gateway set to a 6to4 address which contains the IPv4 address of a 6to4 relay router.

To avoid the need for users to set this up manually, the 6to4 relay anycast address of 192.88.99.1 (which when wrapped in 6to4 with the subnet and hosts fields zero becomes 2002:c058:6301::) has been allocated for the purpose of sending packets to a relay router.

For routing reasons the whole of 192.88.99.0/24 has been allocated for routes pointed at 6to4 relay routers that use the anycast IP.

Providers willing to provide 6to4 service to their clients or peers should advertise the anycast prefix like any other IP prefix, and route the prefix to their 6to4 relay.


Configuring 6to4 Relay Service Anycast IPv4 prefix is supported in Cisco IOS. Cisco router can act as a 6to4 relay with the anycast

IPv4 prefix.

IPv6-Only-to-IPv4-Only Transition Mechanisms


IPv6-Only-to-IPv4-Only Communication Networks made of native IPv6 only and IPv4-only

protocols have to interact and co-exist. Full interaction between the two types of networks is

mandatory to maintain complete compatibility between both protocols.

Examples: A node in an IPv6-only domain sending an email using

SMTP to a destination node in an IPv4-only domain. A node in an IPv4-Only domain replying to the source IPv6-

Only node in the IPv6 domain. Nodes in an IPv4 domain connecting using HTTP to a

destination web server running in an IPv6 domain.


Methods Two methods are used to provide

communication between IPv6-only and IPv4 only domains:

1. Application-Level Gateways (ALGs)2. NAT-PT


Application-Level Gateways (ALGs)

ALG technique is a network architecture in which gateways with dual-stack support allow nodes in an IPv6-only domain to interact with nodes on IPv6 only domain


Application-Level Gateways (ALGs) IPv6 host A establishes an IP session to the IPv4-only server B

through ALG. ALG C maintains one independent session with the IPv6 only host A

using IPv6 as the transport protocol and another independent session with the IPv4 only server B over IPv4.

ALG C converts the IPv6 session into IPv4, and vice versa. ALG C has dual-stack support.


NAT-PT Network Address Translation - Protocol Translation (NAT-PT) is an

IPv6-IPv4 translation mechanism, as defined in RFC 2765 and RFC 2766, allowing IPv6-only devices to communicate with IPv4-only devices and vice versa.

Before implementing NAT-PT, you must configure IPv4 and IPv6 on the router interfaces that need to communicate between IPv4-only and IPv6-only networks.

Using a protocol translator between IPv6 and IPv4 allows direct communication between hosts speaking a different network protocol.

Users can use either static definitions or IPv4-mapped definitions for NAT-PT operation.


IPv6-Only node A communicates with IPv4-only node B through a NAT-PT device


NAT-PT Operations


NAT-PT One of the benefits of NAT-PT is that no changes

are required to existing hosts because all the NAT-PT configurations are performed at the NAT-PT router.

NAT-PT should not be used when other native communication techniques exist.

Types of NAT-PT1. Static NAT-PT2. Dynamic NAT-PT3. PAT


Static NAT-PT Operation Static NAT-PT uses static translation rules to map

one IPv6 address to one IPv4 address. IPv6 network nodes communicate with IPv4 network

nodes using an IPv6 mapping of the IPv4 address configured on the NAT-PT router.

Static NAT-PT is useful when applications or servers require access to a stable IPv4 address.

Accessing an external IPv4 DNS server is an example where static NAT PT can be used.


Static NAT-PT Operation

The NAT-PT device is configured to map the source IPv6 address for node A of 2001:0db8:bbbb:1::1 to the IPv4 address 192.168.99.2.

NAT-PT is also configured to map the source address of IPv4 node C, 192.168.30.1 to 2001:0db8::a.

When packets with a source IPv6 address of node A are received at the NAT-PT router they are translated to have a destination address to match node C in the IPv4-only network.


Dynamic NAT-PT Operation Dynamic NAT-PT allows multiple NAT-PT mappings by

allocating addresses from a pool. NAT-PT is configured with a pool of IPv6 and/or IPv4 addresses. At the start of a NAT-PT session a temporary address is

dynamically allocated from the pool. The number of addresses available in the address pool

determines the maximum number of concurrent sessions. The NAT-PT device records each mapping between addresses

in a dynamic state table. Dynamic NAT-PT translation operation requires at least one

static mapping for the IPv4 DNS server.


Dynamic NAT-PT Operation

The NAT-PT device is configured with an IPv6 access list, prefix list, or route map to determine which packets are to be translated by NAT-PT.

A pool of IPv4 addresses - 10.21.8.1 to 10.21.8.10 is configured When an IPv6 packet to be translated is identified, NAT-PT uses the configured mapping

rules and assigns a temporary IPv4 address from the configured pool of IPv4 addresses. After the IPv6 to IPv4 connection is established, the reply packets going from IPv4 to IPv6

take advantage of the previously established dynamic mapping to translate back from IPv4 to IPv6.

If the connection is initiated by an IPv4-only host then the explanation is reversed.


Port Address Translation (PAT) or Overload PAT allows a single IPv4 address to be used among

multiple sessions by multiplexing on the port number to associate several IPv6 users with a single IPv4 address.

PAT can be accomplished through a specific interface or through a pool of addresses.


Implementing NAT-PT1. Configuring Basic IPv6 to IPv4 Connectivity for NAT-PT (required) 2. Configuring IPv4-Mapped NAT-PT (required) 3. Configuring Mappings for IPv6 Hosts Accessing IPv4 Hosts

(required) 4. Configuring Mappings for IPv4 Hosts Accessing IPv6 Hosts

(optional) 5. Configuring Port Address Translation

6. Verifying NAT-PT Configuration and Operation (optional)


1. Configuring Basic IPv6 to IPv4 Connectivity for NAT-PT NAT-PT Prefix

An IPv6 prefix with a prefix length of 96 must be specified for NAT-PT to use.

The IPv6 prefix can be a unique local unicast prefix, a subnet of allocated IPv6 prefix, or even an extra prefix obtained from ISP.

The NAT-PT prefix is used to match a destination address of an IPv6 packet.

If the match is successful, NAT-PT will use the configured address mapping rules to translate the IPv6 packet to an IPv4 packet.

The NAT-PT prefix can be configured globally or with different IPv6 prefixes on individual interfaces.

Using a different NAT-PT prefix on several interfaces allows the NAT-PT router to support an IPv6 network with multiple exit points to IPv4 networks.


Configuring NAT-PT Prefix ipv6 nat prefix ipv6-prefix/prefix-length interface type number ipv6 address ipv6-prefix {/prefix-length | link-local} ipv6 nat exit interface type number ip address ip-address mask [secondary] ipv6 nat


2. Configuring IPv4-Mapped NAT-PT

To enable customers to send traffic from their IPv6 network to an IPv4 network without configuring IPv6 destination address mapping.

Commands interface type number ipv6 nat prefix ipv6-prefix v4-mapped {access-list-name | ipv6-prefix}

Example: Router(config)# interface ethernet 3/1 Router(config-if)# ipv6 nat prefix 2001::/96 v4-mapped v4map_acl


3. Configuring Mappings for IPv6 Hosts Accessing IPv4 Hosts To configure static or dynamic IPv6 to IPv4 address mappings. The dynamic address mappings include assigning a pool of IPv4

addresses and using an access list, prefix list, or route map to define which packets are to be translated.

ipv6 nat v6v4 source ipv6-address ipv4-addressoripv6 nat v6v4 source {list access-list-name | route-map map-name} pool name

ipv6 nat v6v4 pool name start-ipv4 end-ipv4 prefix-length prefix-length ipv6 nat translation [max-entries number] {timeout | udp-timeout | dns-timeout |

tcp-timeout | finrst-timeout | icmp-timeout} {seconds | never} ipv6 access-list access-list-name permit {protocol} {source-ipv6-prefix/prefix-length |

any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address}

exit show ipv6 nat translations [icmp | tcp | udp] [verbose] show ipv6 nat statistics


ipv6 nat translation command


4. Configuring Mappings for IPv4 Hosts Accessing IPv6 Hosts

To configure static or dynamic IPv4 to IPv6 address mappings.

Commands ipv6 nat v4v6 source ipv4-address ipv6-address

oripv6 nat v4v6 source list {access-list-number | name} pool name

ipv6 nat v4v6 pool name start-ipv6 end-ipv6 prefix-length prefix-length access-list {access-list-name | number} {deny | permit} [source source-wildcard]

[log] Example

Router(config)# ipv6 nat v4v6 source 10.21.8.11 2001:0db8:yyyy::2orRouter(config)# ipv6 nat v4v6 source list 1 pool v6pool

Router(config)# ipv6 nat v4v6 pool v6pool 2001:0db8:yyyy::1 2001:0db8:yyyy::2 prefix-length 128

Router(config)# access-list 1 permit 192.168.30.0 0.0.0.255


5. Configuring Port Address Translation ipv6 nat v6v4 source {list access-list-name | route-map map-name} pool name overload

Router(config)# ipv6 nat v6v4 source 2001:0db8:yyyy:1::1 10.21.8.10 or ipv6 nat v6v4 source {list access-list-name | route-map map-name} interface interface

name overload Router(config)# ipv6 nat v6v4 source list pt-list1 pool v4pool overload

ipv6 nat v6v4 pool name start-ipv4 end-ipv4 prefix-length prefix-length Router(config)# ipv6 nat v6v4 pool v4pool 10.21.8.1 10.21.8.10 prefix-length 24

ipv6 nat translation [max-entries number] {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout | icmp-timeout} {seconds | never} Router(config)# ipv6 nat translation udp-timeout 600

ipv6 access-list access-list-name Router(config)# ipv6 access-list pt-list1

permit {protocol} {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} Router(config-ipv6-acl)# permit ipv6 2001:0db8:bbbb:1::/64 any


Static NAT-PT Configuration: Exampleinterface Ethernet3/1 ipv6 address 2001:0db8:3002::9/64 ipv6 enable ipv6 nat ! interface Ethernet3/3 ip address 192.168.30.9 255.255.255.0 ipv6 nat ! ipv6 nat v4v6 source 192.168.30.1 2001:0db8:0::2 ipv6 nat v6v4 source 2001:0db8:bbbb:1::1 10.21.8.10 ipv6 nat prefix 2001:0db8:0::/96


Enabling Traffic to be Sent from an IPv6 Network to an IPv4 Network without Using IPv6 Dastination Address Mapping: Example

ipv6 nat prefix 2000::/96 v4-mapped v4map_acl

ipv6 access-list v4map_acl permit ipv6 2001::/96 2000::/96


Dynamic NAT-PT Configuration for IPv6 Hosts Accessing IPv4 Hosts: Example

interface Ethernet3/1 ipv6 address 2001:0db8:bbbb:1::9/64 ipv6 enable ipv6 nat ! interface Ethernet3/3 ip address 192.168.30.9 255.255.255.0 ipv6 nat ! ipv6 nat v4v6 source 192.168.30.1 2001:0db8:0::2 ipv6 nat v6v4 source list pt-list1 pool v4pool ipv6 nat v6v4 pool v4pool 10.21.8.1 10.21.8.10 prefix-length 24 ipv6 nat translation udp-timeout 600 ipv6 nat prefix 2001:0db8:1::/96 ! ipv6 access-list pt-list1 permit ipv6 2001:0db8:bbbb:1::/64 any


Dynamic NAT-PT Configuration for IPv4 Hosts Accessing IPv6 Hosts Example

interface Ethernet3/1 ipv6 address 2001:0db8:bbbb:1::9/64 ipv6 enable ipv6 nat ! interface Ethernet3/3 ip address 192.168.30.9 255.255.255.0 ipv6 nat ! ipv6 nat v4v6 source list pt-list2 pool v6pool ipv6 nat v4v6 pool v6pool 2001:0db8:0::1 2001:0db8:0::2 prefix-length 128 ipv6 nat v6v4 source 2001:0db8:bbbb:1::1 10.21.8.0 ipv6 nat prefix 2001:0db8:0::/96 ! access-list pt-list2 permit 192.168.30.0 0.0.0.255


Lab-Exercise

Case-study: Using IPv6 Integration and coexistence strategies using Cisco routers

Q & A

Documents

IPv6