PPT - AsiaFI


Using HIP to Solve Multi-homing in IPv6 Networks
YUAN Zhangyi
Beijing University of Posts and Telecommunications
Introduction
• Why do we need NAT in IPv6?
– Hiding the enterprise's internal topology
– Keeping internal IP addresses independent of the upstream prefix
– ……
• NAT66, described in an IETF draft, may be implemented in an IPv6 router to map one IPv6 address prefix to another IPv6 address prefix as each IPv6 packet transits the router.
Introduction
The mechanism of the NAT66 device
We deployed a two-way algorithm to map one private address to a global address. (Diagram: the two directions through the NAT66 box.)
• Outside process, packet leaving the private network: the source address is translated to the NAT outside address; the destination address and the port number are unchanged.
• Inside process, packet entering the private network: the destination address is translated back to the NAT inside address; the source address and the port number are unchanged.
The port number is stable in both directions: NAT66 rewrites addresses only, never transport ports.
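To make the two directions of the diagram concrete, here is an added example (my code, not the presenter's implementation) of a stateless two-way NAT66 prefix mapping in Python. The inside and outside prefixes, the host addresses and the packet contents are constructed for the example. It also checks a property the rest of the presentation depends on: NAT66 rewrites the IP header only, so an address that a host writes into a packet payload (as HIP does in its Locator parameter) leaves the box untranslated.

```python
import ipaddress
from dataclasses import dataclass, replace

# Hypothetical prefixes for the two sides of the box (not taken from the presentation).
INSIDE = ipaddress.IPv6Network("fd00:1::/64")       # private side
OUTSIDE = ipaddress.IPv6Network("2001:db8:1::/64")  # global side


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    sport: int
    dport: int
    payload: bytes


class NAT66:
    """One-to-one, two-way prefix mapping. The interface identifier is kept and only the
    prefix bits are swapped, so the mapping is a bijection and needs no per-flow state.
    Ports are never rewritten (unlike IPv4 NAPT)."""

    def __init__(self, inside, outside):
        if inside.prefixlen != outside.prefixlen:
            raise ValueError("inside and outside prefixes must have the same length")
        self.inside, self.outside = inside, outside
        self.host_mask = (1 << (128 - inside.prefixlen)) - 1

    def _swap(self, addr, to_net):
        return ipaddress.IPv6Address(int(to_net.network_address) | (int(addr) & self.host_mask))

    def outbound(self, pkt):
        """Inside -> outside: only the source address changes."""
        if pkt.src not in self.inside:
            return pkt
        return replace(pkt, src=self._swap(pkt.src, self.outside))

    def inbound(self, pkt):
        """Outside -> inside: only the destination address changes."""
        if pkt.dst not in self.outside:
            return pkt
        return replace(pkt, dst=self._swap(pkt.dst, self.inside))


def round_trip():
    """Entry (inside) talks to Terminal (outside); the reply is translated back."""
    nat = NAT66(INSIDE, OUTSIDE)
    entry = ipaddress.IPv6Address("fd00:1::10")
    terminal = ipaddress.IPv6Address("2001:db8:ffff::20")
    # Constructed request whose payload carries Entry's own address, as a HIP LOCATOR would.
    request = Packet(entry, terminal, 40000, 80, b"my address is " + str(entry).encode())
    out = nat.outbound(request)
    reply = nat.inbound(Packet(out.dst, out.src, out.dport, out.sport, b"ok"))
    return out, reply
```

The outbound packet leaves with the global source address and untouched ports, the reply comes back to the private address, and the private address inside the payload is still there after translation.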
HIP (Host Identity Protocol)
• HIP inserts a new layer between the Transport Layer and the Network Layer.
• The Transport Layer uses the HIT (Host Identity Tag) to identify a session: it binds to <HIT, port> instead of <IP address, port>. The HIT is a 128-bit hash of the host's public key, the same size as an IPv6 address, so the transport layer and applications can use it unchanged. As a result, address changes in the Network Layer do not affect the upper-layer applications.
Network Topology
Experiment 1 --- NAT66 disabled
HIP base exchange between Initiator and Responder:
I1 (Initiator -> Responder): trigger exchange
R1 (Responder -> Initiator): puzzle, D-H, key, sig
I2 (Initiator -> Responder): solution, D-H, (key), sig
R2 (Responder -> Initiator): sig
In the first case, NAT66 is disabled in the edge router. HIP exchanges these four packets before the connection is built.
We first added a new address to the host's other interface. The host initiated a three-way UPDATE handshake with the destination host, carrying the new address in the Locator parameter of its first UPDATE packet.
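The four-packet base exchange above, as an added Python example (my code, not the presenter's and not a HIP implementation). It models the puzzle part of R1 and I2 as RFC 7401 defines it (the Initiator must find a J such that the low K bits of SHA-256(I | HIT-I | HIT-R | J) are zero) and the point of that puzzle: the Responder keeps no state for an initiator until I2 carries a valid solution. The Diffie-Hellman values and signatures listed in R1, I2 and R2 are left out; the HIT derivation is a simplified ORCHID-style hash under the 2001:20::/28 prefix rather than the exact RFC 7343 encoding; and deriving I from a Responder secret instead of storing it is one implementation choice, assumed here.

```python
import hashlib
import hmac
import ipaddress
import secrets

HIT_PREFIX = ipaddress.IPv6Network("2001:20::/28")  # ORCHIDv2 prefix used for HITs


def make_hit(host_identity: bytes) -> ipaddress.IPv6Address:
    """Simplified HIT: ORCHID prefix + the low 100 bits of SHA-256(HI).
    (RFC 7343 also encodes an OGA id and a context id; omitted here.)"""
    digest = int.from_bytes(hashlib.sha256(host_identity).digest(), "big")
    return ipaddress.IPv6Address(int(HIT_PREFIX.network_address) | (digest & ((1 << 100) - 1)))


def puzzle_ok(I: bytes, hit_i, hit_r, J: bytes, K: int) -> bool:
    """RFC 7401 puzzle test: the low K bits of H(I | HIT-I | HIT-R | J) must be zero."""
    h = hashlib.sha256(I + hit_i.packed + hit_r.packed + J).digest()
    return int.from_bytes(h, "big") & ((1 << K) - 1) == 0


def solve_puzzle(I, hit_i, hit_r, K):
    """Initiator's work: about 2**K hash evaluations on average."""
    while True:
        J = secrets.token_bytes(8)
        if puzzle_ok(I, hit_i, hit_r, J, K):
            return J


class Responder:
    def __init__(self, host_identity, K=10):
        self.hit, self.K = make_hit(host_identity), K
        # Secret from which I is derived, so nothing has to be stored per initiator before I2.
        # A real responder rotates this secret so that old solutions stop verifying.
        self._secret = secrets.token_bytes(32)
        self.associations = {}

    def _puzzle_I(self, hit_i):
        return hmac.new(self._secret, hit_i.packed + self.hit.packed, "sha256").digest()[:8]

    def handle_I1(self, i1):
        # R1 is answered from precomputable material; no state is created here.
        return {"type": "R1", "hit_r": self.hit, "I": self._puzzle_I(i1["hit_i"]), "K": self.K}

    def handle_I2(self, i2):
        hit_i = i2["hit_i"]
        if not hmac.compare_digest(i2["I"], self._puzzle_I(hit_i)):
            return None   # a puzzle we never issued: drop without replying
        if not puzzle_ok(i2["I"], hit_i, self.hit, i2["J"], self.K):
            return None   # wrong solution: drop, still no state allocated
        self.associations[hit_i] = "ESTABLISHED"   # state is allocated only now
        return {"type": "R2", "hit_r": self.hit}


class Initiator:
    def __init__(self, host_identity):
        self.hit = make_hit(host_identity)

    def start(self, hit_r):
        return {"type": "I1", "hit_i": self.hit, "hit_r": hit_r}

    def handle_R1(self, r1):
        J = solve_puzzle(r1["I"], self.hit, r1["hit_r"], r1["K"])
        return {"type": "I2", "hit_i": self.hit, "I": r1["I"], "J": J}


def base_exchange(initiator, responder):
    """The four-packet exchange I1 -> R1 -> I2 -> R2, returned in order."""
    i1 = initiator.start(responder.hit)
    r1 = responder.handle_I1(i1)
    i2 = initiator.handle_R1(r1)
    r2 = responder.handle_I2(i2)
    return [i1, r1, i2, r2]
```

The Responder answers I1 without remembering the Initiator, drops an I2 whose I it did not issue or whose J does not solve the puzzle, and only creates the association on a valid I2, which is what makes the exchange resistant to state-exhaustion floods.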
Network Topology
Experiment 2 --- NAT66 enabled
Mobility Case
We tested whether HIP supports mobility with NAT66 enabled in the Linksys boxes. After we added a new IP address to an interface on Entry, Wireshark captured three UPDATE packets initiated by Entry; the Locator parameter of the first UPDATE packet carried the new IP address along with the original one. Then we deleted the original IP address, and Entry initiated another UPDATE. This time the three-way handshake failed: there were only UPDATE packets from Entry to Terminal, without any response, which meant the new IP address was unreachable for Terminal.
The whole process shows that Entry did send HIP UPDATE packets to Terminal notifying it that its IP address had changed. It initiated a three-way handshake and sent the first UPDATE packet to Terminal with its new IP address as the Locator. When Terminal received this UPDATE packet, it tried to send a response to Entry using the new address as the destination address. Because the new IP address was the private address behind NAT66, and NAT66 rewrites only the IP header and not the Locator carried inside the HIP packet, that address was unreachable for Terminal. Therefore, the three-way UPDATE handshake could not complete and the connection was lost.
Network Topology
Experiment 2 --- NAT66 enabled
Multihoming case
We changed the default route of Terminal. Previously the packets sent out from Terminal went through Linksys3; now we changed the default route to Linksys4.
From the packets captured by Wireshark, we noticed, to our surprise, that the connection was not interrupted. Entry accepted the packets arriving via Linksys4, even though their source IP address was not the address in its HIT-to-IP address mapping table.
The captured packets show that the source IP address changed silently, without disturbing the communication.
This is the behaviour HIP intends: incoming ESP packets are demultiplexed by SPI, not by source address. If the address changes but the SPI remains the same and the integrity check (the checksum, i.e. the ESP ICV) is valid, HIP reports to the transport layer that the packet was received from the original peer, since the transport only ever sees the HIT. Accepting the packet is safe because the integrity check, not the source address, is what authenticates a HIP data packet.
Conclusion
Deploying HIP in our test environment showed that it can really help with multihoming and mobility:
• HIP supports mobility in an environment without NAT66 by sending UPDATE packets.
• HIP cannot support mobility in our environment with NAT66 running in the edge router, unless an additional mechanism, such as a rendezvous server (RVS), is involved.
• As for multihoming, HIP does help solve the problem.
Thank You!
YUAN Zhangyi