IPv4 to IPv6 Transition Strategy

Transcription

1 IPv4 to Transition Strategy Dual Stack (RFC 2893) Reduce the cost invested in transition by running both IPv4/ protocols on the same machine. Tunneling Reduce the cost in wiring by re-using current IPv4 routing infrastructures as a virtual link. Translation Allow realm to access the rich contents already developed on IPv4 applications 2

2 Tunnels of over IPv4 Header Transport Header Host Dual-Stack Router IPv4 Dual-Stack Router Host IPv4 Header Tunnel: in IPv4 packet Header Transport Header Encapsulating the packet in an IPv4 packet Tunneling can be used by routers and hosts 3

3 Tunneling Tunnel Service Provider IPv4 Backbone Tunnel IPv4 Header Header Header Transport Layer Header Transport Layer Header Tunnel 4

4 Manually Configured Tunnel Dual-Stack Router1 IPv4 Dual-Stack Router2 router1# IPv4: : 3ffe:b00:c18:1::3 IPv4: : 3ffe:b00:c18:1::2 router2# interface Tunnel0 ipv6 address 3ffe:b00:c18:1::3/64 tunnel source tunnel destination tunnel mode ipv6ip interface Tunnel0 ipv6 address 3ffe:b00:c18:1::2/64 tunnel source tunnel destination tunnel mode ipv6ip Manually Configured tunnels require: Dual stack end points Both IPv4 and addresses configured at each end 5

5 Manually Configured Tunnel Dual-Stack Router IPv4 Dual-Stack Host IPv4: : 2001:288:03a1:210::3/127 IPv4: : 2001:288:03a1:210::2/127 FreeBSD4.7# gifconfig gif ifconfig gif0 inet6 2001:288:03a1:210::2 2001:288:3a1:210::3 prefixlen 128 6

6 Linux Tunnel /etc/sysconfig/network-scripts/ifcfg-sit1 DEVICE=sit1 BOOTPROTO=none ONBOOT=yes IPV6INIT=yes #Remote end-isp IPv4 addr IPV6TUNNELIPV4= #Yourself tunnel addr from ISP IPV6ADDR=2001:288:3A1:210::2/127 ifup sit1 7

7 Windows XP Tunnel netsh interface ipv6 add v6v4tunnel T1" Syntax: add v6v4tunnel [[interface=]string] localipv4address remoteipv4address add address T1 2001:238:F88:B::30 add route 2001:238:F88:B::30/127 T1 Now you can ping the remote tunnel endpoint 2001:238:F88:B::31 Use Ethereal to capture packets with filter ip host

8 Tunnel Packets 9

9 IPv4 Compatible Tunnel (RFC 2893) Dual-Stack Router IPv4 Dual-Stack Router IPv4: : :: IPv4: : :: IPv4-compatible addresses are easy way to autotunnel, but it: May be deprecated soon Consumes IPv4 addresses 10

10 6to4 Tunnel (RFC 3056) 2002:8C6E:C7FA:2::5 2002:83F3:812C:1::3 prefix: 2002:83F3:812C::/48 E0 6to4 Router1 IPv4 6to4 Router prefix: E0 2002:8C6E:C7FA::/48 SRC 2002:83F3:812C:1::3 DEST 2002:8C6E:C7FA:2::5 IPv4 SRC IPv4 DEST SRC 2002:83F3:812C:1::3 DEST 2002:8C6E:C7FA:2::5 SRC 2002:83F3:812C:1::3 DEST 2002:8C6E:C7FA:2::5 11

11 6to4 Tunnel prefix: 2002:83F3:812C::/48 E0 6to4 Router1 IPv4 6to4 Router prefix: = = E0 2002:8C6E:C7FA::/48 6to4 Tunnel: Is an automatic tunnel method Gives a prefix to the attached network 2002::/16 assigned to 6to4 Requires one global IPv4 address on each site router2# interface Ethernet0 ip address ipv6 address 2002:8C6E:C7FA:1::/64 eui-64 interface Tunnel0 no ip address ipv6 unnumbered Ethernet0 tunnel source Ethernet0 tunnel mode ipv6ip 6to4 ipv6 route 2002::/16 Tunnel0 12

12 6to4 Tunnel in Windows XP 6to4 Tunnel is enabled in Windows XP by default. 13

13 Address Translator Computer A IP: Port: 80 NAT IP: Port: Public Internet Computer B IP: Port: 80 IP: Port: Public NIC DHCP Client PPPoE Client DHCP Server Mapping Table :80 <-> :80 <-> Private NIC 14

14 tunneling problem It does not work when the IPv4 address is not globally routable - IPv4 IPv4 *+ D4 B4 E6 A6!""!""##$%&!""!""###%& #"'"'"'#!""#!$&(&&!%!""#!$&(&&#% #"'##'#'!) *+#"'##$'#$#',* 15

15 Tunneling Problem [1/2] 2002:A00:1:1::3 2002:8C77:D1FA:2::5 A 6to4 Router1 NAT IPv4 6to4 Router2 B prefix: 2002:A00:1::/ prefix: 2002:8C77:D1FA::/48 IPv4 SRC IPv4 SRC SRC 2002:A00:1:1::3 DEST 2002:8C77:D1FA:2::5 IPv4 DEST SRC 2002:A00:1:1::3 DEST 2002:8C77:D1FA:2::5 IPv4 DEST SRC 2002:A00:1:1::3 DEST 2002:8C77:D1FA:2::5 SRC 2002:A00:1:1::3 DEST 2002:8C77:D1FA:2::5 16

16 Tunneling Problem [2/2] 2002:A00:1:1::3 2002:8C77:D1FA:2::5 A 6to4 Router1 NAT IPv4 6to4 Router2 B prefix: 2002:A00:1::/ prefix: 2002:8C77:D1FA::/48 Connection can t be established! IPv4 SRC IPv4 DEST SRC 2002:8C77:D1FA:2::5 DEST 2002:A00:1:1::3 SRC 2002:8C77:D1FA:2::5 DEST 2002:A00:1:1::3 17

17 Service (RFC 4380) Allow hosts behind NAT to access without modifying NAT. It contains three basic components: Client a node wants to gain access to the Internet. Server helper to provide connectivity to clients. Relay an router that can receive traffic from realm to clients and vice versa. 18

18 service To allow hosts behind NAT to access, without modifying NAT. is not a long term solution If NAT also supports routing, the problem of NAT traversal will disappear. 19

19 definitions client A node wants to gain access to the Internet. server helper to provide connectivity to clients. relay An router that can receive traffic destined to clients and forward it to client. bubble minimal packet, made of an header and null payload, no Next Header. service The transmission of packets over UDP. 20

20 Operation model server +(./ NAT client relay + +(.0 1 A client has pre-configured server location. A client gets prefix from the server. server is stateless. Traffic goes directly between the relay router and the client. Relay announces reachability of prefix on realm. Relay and Client maintain peer list to avoid sending message too often. 21

21 Operation Model Client gets its address from Server. Use Relay as relay router. Client NAT 2/ IPv4 3+' Server Host Tunneling packet UDP tunnel Relay IPv4 Header UDP Header Header packet 22

22 address encoding " $! &" 4 #!, Prefix Server IPv4 Flags Port Prefix: the 32 bit service prefix. 2001:0000::/32 Server IPv4: the IPv4 address of a server. Flags: a set of 16 bits that document type of address and NAT. 16 bits flag: C00000UG C=1 if NAT is cone. UG should set to 00. Port: the obfuscated "mapped UDP port" of the client Client IPv4: the obfuscated "mapped IPv4 address" of a client Client IPv4 56(756 (8 #09*+ ' 23

23 Obtaining an address(1/2) #'!'$' server NAT relay 4'"'"'#"4 #"'"'"'# client sends a UDPv4 tunneled Router Solicitation to the server. server replies UDPv4 tunneled Router Advertisement with origin indication. IPv4 IPv4 UDP UDP RS Origin indication RA #"'"'"'!#!$ client 5 (1 0x00 0x00 mapped IPv4 address mapped port # 24

24 Obtaining an address(2/2) Client get mapped address/port from origin indication Mapped address: :4096 Already known server IP: Generated address Prefix: 2001:0000::/32 Server: 0x0102:0304 ( server IP address: ) Flags: 0x8000 (cone NAT) Obfuscated Port: 0xEFFF (=0xFFFF Address: 2001:0000:102:304:8000:EFFF:F6FF:FFFE Must keep alive address mapping on NAT Default refresh interval: 30 seconds. 25

25 Packet from node to node (1/3) Server S #'!'$'$)!""" Relay R )'','&$) A does not know which relay will be chosen by B. A sends ICMPv6 echo request" toward B. S forwards echo request to realm. NAT 4'"'"'#"4 #"'"'"'# ' :1234 ' :3544 ' PREF:102:304::E FFF:F6FF:FFFE 2000::B ' #"'"'"'!#!$ Client A :#"!$"::::::::: PREF:102:304::E FFF:F6FF:FFFE 2000::B 26

26 Packet from node to node (2/3) S #'!'$'$) #"'"'"'!#!$!""" NAT A R )'','&$) 4'"'"'#"4 #"'"'"'# :#"!$"::::::::: B sends the echo reply back to Client. The packet will be queued by Relay. If Client is behind a restricted NAT, a bubble must be sent to Server. 2000::B ' PREF:102:304:: EFFF:F6FF:FFF E ' 27

27 Packet from node to node (3/3) S #'!'$'$)!""" R )'','&$) 4'"'"'#"4 NAT #"'"'"'# R sends the queued echo reply to A. A knows B can be reached through address :3544. A will send all further packets directly through R. #"'"'"'!#!$ Client A :#"!$"::::::::: 28

28 Trial of in NCTU Client Client only only IPv4 DNS HiNet Client only NAT NAT Server Relay 29

29 2001:0000:8C71:8337:80 00:234B:738E:7CB5 NAT :1033 IPv4 Tunnel [1/2] Server 2001:238:F88:131::7 B Client IPv4 SRC IPv4 DEST UDP SRC 1033 UDP DEST 3544 Header SRC 2001:0000:8C71:8337:80 00:234B:738E:7CB5 DEST 2001:238:F88:131:: Relay IPv4 SRC IPv4 DEST UDP SRC UDP DEST 3544 Header SRC 2001:0000:8C71:8337:80 00:234B:738E:7CB5 DEST 2001:238:F88:131:: SRC 2001:0000:8C71:8337:80 00:234B:738E:7CB5 DEST 2001:238:F88:131::7 30

30 2001:0000:8C71:8337:8 000:234B:738E:7CB5 NAT : 1033 Tunnel [2/2] IPv Server 2001:238:F88:131::7 B Client IPv4 SRC IPv4 DEST UDP SRC 3544 UDP DEST 1033 Header SRC 2001:238:F88:131::7 DEST 2001:0000:8C71:8337:80 00:234E:738E:7CB Relay IPv4 SRC IPv4 DEST UDP SRC 3544 UDP DEST Header SRC 2001:238:F88:131::7 DEST 2001:0000:8C71:8337:80 00:234E:738E:7CB SRC 2001:238:F88:131::7 DEST 2001:0000:8C71:8337:80 00:234B:738E:7CB5 31

31 Protocol Decoder in Ethereal Port: =

32 Conclusions Tunneling is a useful technique to establish connectivity between sites even though they don t have direct links between each other. Many users get private IPv4 address from their service providers, such as WLAN and GPRS. These users have difficulty in creating tunnels. Before all NAT devices can be upgraded to support, service is useful for ISPs to provide access to their users behind NAT. 33