IPv6 and IPv4 co-existence
Burt Crépeault :: [email protected]
www.iitelecom.com
IIT
© IITelecom, 2004
© Institut international des télécommunications inc., 2004
Session objectives
At the end of this session, the participants should be able to:
• Name the different network migration scenarios from IPv4 to IPv6
• Name the migration scenarios from IPv4 applications to IPv6 applications
Session content
Migration scenarios from IP version 4 to IP version 6
Network migration
• Dual stack
• Tunnelling IPv6 in IPv4
  – Configured tunnels
  – Automatic tunnels
    · IPv4-compatible address
    · 6to4
    · 6over4
    · Tunnel Broker/server
    · ISATAP
    · Teredo
• Tunnelling IPv4 in IPv6
  – DSTM
Session content
Migration scenarios from IP version 4 to IP version 6
Applications migration
• IPv6 Translation or Transport Layer (4) Translation
  – SIIT, NAT-PT and NAPT-PT
  – Bump-in-the-Stack
  – Bump-in-the-API
  – Transport Relays
• Application-layer Gateways
  – Proxy
1: Network Migration
Dual stack
• Host nodes harbour two network stacks and two sets of network addresses: IPv4 and IPv6
• IPv6-compatible applications require both IPv4 and IPv6 destination addresses
• Therefore, the DNS resolver returns IPv4, IPv6 or both addresses to the application
• IPv6/IPv4 applications choose one of the destination addresses and initiate the communication using:
  – The IPv4 stack for IPv4 destination addresses
  – The IPv6 stack for IPv6 destination addresses
Dual stack (figure: the dual protocol stack)
Application
TCP | UDP
IPv4 | IPv6
Data link (Ethernet)
IPv6 tunnelling inside IPv4 (figure: an IPv6 packet encapsulated inside an IPv4 datagram)
IPv6 packet: IPv6 header | Transport header | Application protocol data
IPv4 datagram: IPv4 header | IPv6 header | Transport header | Application protocol data
IPv6 tunnelling inside IPv4
• IPv6 encapsulated inside IPv4
  – IP protocol: 41
• Several possible topologies:
  – Router to router
  – Host to router
  – Host to host
• The tunnel end-points take care of the encapsulation. The process is therefore transparent to the intermediate equipment
• When security equipment is present in the path, it must allow IP protocol 41 to go through
• There is a problem when NAPT equipment is in the path
• GRE tunnels perform the same task
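An added example (not from the original slides) of what the security equipment in the tunnel path has to look at: it decodes a protocol-41 IPv4 datagram down to the encapsulated IPv6 header and applies a rule that passes protocol 41 only between configured tunnel end-points. The sample datagram is constructed from the deck's host-to-router addresses; the header checksum is left at zero.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IANA protocol number: IPv6 encapsulated directly in IPv4


def build_datagram(src4, dst4, src6, dst6, proto=IPPROTO_IPV6, payload=b""):
    """Constructed sample: minimal IPv4 header (no options, checksum zero)
    followed by a minimal IPv6 header (next header 59 = no next header)."""
    inner = struct.pack("!IHBB", 6 << 28, len(payload), 59, 64)
    inner += ipaddress.IPv6Address(src6).packed + ipaddress.IPv6Address(dst6).packed + payload
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64, proto, 0,
                        ipaddress.IPv4Address(src4).packed, ipaddress.IPv4Address(dst4).packed)
    return outer + inner


def decode_tunnel(datagram):
    """Return (outer_src, outer_dst, inner_src, inner_dst) as strings when the
    datagram is protocol 41 carrying an IPv6 header, otherwise None."""
    if len(datagram) < 20 or datagram[0] >> 4 != 4:
        return None
    ihl = (datagram[0] & 0x0F) * 4
    if datagram[9] != IPPROTO_IPV6 or len(datagram) < ihl + 40:
        return None
    inner = datagram[ihl:]
    if inner[0] >> 4 != 6:
        return None  # protocol 41 but no IPv6 header behind it: treat as malformed
    return (str(ipaddress.IPv4Address(datagram[12:16])), str(ipaddress.IPv4Address(datagram[16:20])),
            str(ipaddress.IPv6Address(inner[8:24])), str(ipaddress.IPv6Address(inner[24:40])))


def permitted_tunnel(datagram, endpoints):
    """Filtering rule for the security equipment in the path: pass protocol 41 only
    between configured tunnel end-points (a set of (outer_src, outer_dst) pairs)."""
    decoded = decode_tunnel(datagram)
    return decoded is not None and (decoded[0], decoded[1]) in endpoints


if __name__ == "__main__":
    # Values from the deck's host-to-router example (6bone space, 3ffe::/16).
    d = build_datagram("192.168.1.1", "192.168.2.1", "3ffe:b00:a:1::1", "3ffe:b00:a:3::2")
    print(decode_tunnel(d))
    print(permitted_tunnel(d, {("192.168.1.1", "192.168.2.1")}))
```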
IPv6 tunnelling methods
• Configured tunnels
• Automatic tunnels
  – 6to4
  – 6over4
  – Tunnel Broker/server
  – ISATAP
  – Teredo
Configured tunnels
• The tunnel end-points are explicitly configured
• The end-points must run a dual stack
  – The IPv4 address is the tunnel end-point
  – Requires a visible IPv4 address (no NAPT possible)
• The tunnel configuration implies a manual configuration of
  – IPv4 source and destination addresses
  – IPv6 source and destination addresses
• Configured tunnels can be set up between:
  – Two routers
  – A host node and a router
  – Two host nodes
Configured tunnels: host node to a router (figure)
Host: IPv4 = 192.168.1.1, IPv6 = 3ffe:b00:a:1::1
Router: IPv4 = 192.168.2.1, IPv6 = 3ffe:b00:a:1::2 and 3ffe:b00:a:5::1
Destination: IPv6 = 3ffe:b00:a:3::2
IPv6 segment: IPv6 header | IPv6 data; Src = 3ffe:b00:a:1::1, Dst = 3ffe:b00:a:3::2
IPv6 in IPv4 segment: IPv4 header | IPv6 header | IPv6 data; outer Src = 192.168.1.1, Dst = 192.168.2.1; inner Src = 3ffe:b00:a:1::1, Dst = 3ffe:b00:a:3::2
IPv6 segment: IPv6 header | IPv6 data; Src = 3ffe:b00:a:1::1, Dst = 3ffe:b00:a:3::2
The above example uses the 6bone address space = 3ffe::/16
Configured tunnels: router to router (figure)
Left IPv6 network: host 3ffe:b00:a:1::1; router IPv4 = 192.168.1.1
Right IPv6 network: host 3ffe:b00:a:3::2; router IPv4 = 192.168.2.1
IPv6 segment: IPv6 header | IPv6 data; Src = 3ffe:b00:a:1::1, Dst = 3ffe:b00:a:3::2
IPv6 in IPv4 segment: IPv4 header | IPv6 header | IPv6 data; outer Src = 192.168.1.1, Dst = 192.168.2.1; inner Src = 3ffe:b00:a:1::1, Dst = 3ffe:b00:a:3::2
IPv6 segment: IPv6 header | IPv6 data; Src = 3ffe:b00:a:1::1, Dst = 3ffe:b00:a:3::2
The above example uses the 6bone address space = 3ffe::/16
Configured tunnels considerations
• Tunnels do not traverse NAPT
• If one of the sites uses NAPT, a possible solution would be to terminate the tunnel in the NAPT node
  – Not always possible
• A possible transition: when IPv4 addresses are scarce, deploy IPv4 addresses with NAPT and create an end-to-end IPv6 solution
Configured tunnels considerations
• This tunnelling method uses IPv4-compatible IPv6 addresses for tunnel termination.
  – ::<IPv4 Address>
• The recipient node's address is specified in the encapsulated packet.
• This method can only be used in router-to-host and host-to-host situations since they are the only cases where the tunnel end-points are also the destination
• Can only be used for IPv6 over IPv4 tunnels, but not vice versa.
  – Doesn't make use of the advantages of IPv6
  – Will most likely be abandoned
  – 6to4 is a generally preferred option
IPv4-compatible IPv6 address
IPv6 addresses with embedded IPv4 addresses are global unicast addresses that begin with the binary prefix 000.
One of the transition methods to IPv6 allows a means for nodes and routers to dynamically create IPv6 tunnels allowing transmission of IPv6 packets over an IPv4 infrastructure. Nodes that implement this technique are assigned a special IPv6 address which carries an IPv4 address in its 32 least significant bits. This type of address is called an IPv4-compatible IPv6 address; its format is shown below:
Format (figure): 80-bit prefix 0000:0000:0000:0000:0000 | 16 bits 0000 | 32-bit IPv4 address (host), e.g. ::143.23.234.211
The IPv4 address used inside an IPv4-compatible IPv6 address must be a public, globally routable IPv4 address
6to4
RFC 3056
• Application: interconnect isolated IPv6 networks over an IPv4 network
• Automatic tunnel
  – No explicit tunnel
  – The destination IPv4 address is embedded in the IPv6 one
  – Uses a reserved prefix 2002::/16 (2002::/16 = 6to4)
• Provides a full /48 network to a site based on its external IPv4 address
  – External IPv4 address is embedded: 2002:<ipv4 ext address>::/48
  – Format: 2002:<ipv4add>:<subnet>::/64
6to4 Network-to-Network (Router to Router) (figure)
Left site: IPv6 host 2002:c0a8:101:1::1 behind a 6to4 router with IPv4 address 192.168.1.1
Right site: IPv6 host 2002:c0a8:201:2::2 behind a 6to4 router with IPv4 address 192.168.2.1
IPv6 segment (left site): IPv6 header | IPv6 data; Source = 2002:c0a8:101:1::1, Destination = 2002:c0a8:201:2::2
IPv6 in IPv4 segment (IPv4 network): IPv4 header | IPv6 header | IPv6 data; outer Source = 192.168.1.1, Destination = 192.168.2.1; inner Source = 2002:c0a8:101:1::1, Destination = 2002:c0a8:201:2::2
IPv6 segment (right site): IPv6 header | IPv6 data; Source = 2002:c0a8:101:1::1, Destination = 2002:c0a8:201:2::2
6to4 considerations
• Limited by external (public) IPv4 addresses:
  – When the edge router changes its IPv4 public (external) address, the IPv6 private network must be renumbered
  – Only one entry point is possible (not possible to have more than one entry point for redundancy purposes)
• In a network where IPv4 and IPv6 co-exist, when a host node with a dual stack and a 6to4 address wants to send a packet to a 6to4 destination, is the packet sent to the router or does the host try itself to establish the tunnel?
6to4 implementation
What equipment supports 6to4?
The edge router:
• Must have an external, reachable IPv4 address
  – The loopback interface can be used
• Is a node with a dual stack
The host nodes:
• No extra steps to support 6to4. 2002 is a valid prefix that can be used in the router advertisement message
• Do not need a dual stack
  – A host wanting to reach an IPv4 address will go through the IPv6 stack and use a 6to4 source and destination address
6over4
RFC 2529
• Uses IPv4 addresses as interface identifiers and creates a virtual link with IPv4 multicast groups with a site-local scope.
• IPv6 multicast addresses are mapped to IPv4 multicast addresses to allow Neighbour Discovery
• This method is seldom used due to a lack of general support for IPv4 multicast in sites and local ISPs.
Tunnel Broker or Tunnel Server
Uses a control protocol to establish a tunnel
• Tunnel Setup Protocol (TSP)
• A client sends a request for a tunnel
• The broker:
  – Is policy-based
  – Returns the appropriate tunnel information to the client
  – Configures its tunnel end-point
• The client then configures its own tunnel end-point
• The client receives:
  – A stable IPv6 address
  – A stable IPv6 prefix
Popular free service: http://www.freenet6.net (based in Canada)
Tunnel Broker (figure: client, tunnel broker, IPv4 network, 6Bone)
1. Request through Web (IPv4)
2. Server-side tunnel is created
3. Sends a script for the IPv6 client-side tunnel
4. Tunnel is established (IPv6 to the 6Bone over the IPv4 network)
• IP version 6 uses Internet IP version 4 transport:
  – Provides on-demand IPv6 connectivity
  – Assigns an IPv6 address to the host
  – Connects the host to the IPv6 network
Tunnel Broker (figure: three deployment topologies, each carrying IPv6 in IPv4 across the IPv4 network)
• Separate Web server and IPv4 router
• Integrated Web server and router: single host tunnel
• Integrated Web server and router: multiple host (network) tunnel
Tunnel Broker with TSP
Client-side request:
• A tunnel for a single host
• A tunnel for a network (with routing)
  – With prefix delegation
  – Without prefix delegation (I have one but you can publicise it)
• Routing information
  – I'm using RIP, BGP, OSPF, …
• Domain name information
  – The host node name is…
  – Reverse delegation
Server-side reply:
• Here's what you requested!
• Impossible to establish a tunnel, here's an alternate tunnel broker's address
• Request granted for a host tunnel, but not for a network tunnel
• Here's the prefix, the BGP information (AS number) …
Tunnel Broker with TSP
Allows:
• Exchange of data to be negotiated between the two parties, such as IP mobility messages
  – IPv4 mobility but with a fixed, stable IPv6 prefix and address
• Authentication: password, SecurID card, public key, etc.
Can be found:
• In the boot sequence of a host node
• In the host node's and the router's OS
Can be combined and co-exist with other tunnels:
• With DSTM as a tunnel setup protocol
• With UDP encapsulation as a controlled and authenticated method to go through NAT
TSP implementation
Initially conceived for tunnel brokers, its scope is much larger:
• Host or router nodes can use it on an IPv4 network
• With or without NAT in the path
• In a corporate network
• In a provider network
• On the Internet
• Provides control, authentication and security
• Provides permanent addresses
Freenet6
Freenet6 project (http://www.freenet6.net)
Tunnel broker using Tunnel Setup Protocol (TSP)
User requests:
• A tunnel
• A stable address
• A /64 or /48 network
• IPv4 mobility (an IPv4 address change reconfigures the tunnel, without modifying the IPv6 address or prefix)
Process is completely automated, no intervention required
• Over 90,000 users!
The TSP client software is open-source and distributed with Linux and BSD. It is also available in Windows, Solaris, Cisco and QNX versions.
NAT-traversal (UDP encapsulation) development is in progress
ISATAP
Intra-Site Automatic Tunnel Addressing Protocol
• Automatic tunnelling between ISATAP host nodes and ISATAP routers in a corporate network
• Creates a virtual IPv6 link over IPv4
• Special use of the most significant bits of the host identifier to form an ISATAP address.
Address format (figure): 64-bit link-local or ISATAP prefix | 32 bits 0000:5EFE (the 00:00:5E:FE marker) | 32-bit IPv4 address (host), e.g. 143.23.234.211
ISATAP example (figure)
ISATAP host: IPv4 192.168.3.1; link-local fe80::5efe:c0a8:0301; global 3ffe:ffff::5efe:c0a8:0301
ISATAP host: IPv4 192.168.1.1; link-local fe80::5efe:c0a8:0101; global 3ffe:ffff::5efe:c0a8:0101
ISATAP router: IPv4 192.168.2.1; link-local fe80::5efe:c0a8:0201; global 3ffe:ffff::5efe:c0a8:0201; IPv6-side address 3ffe:ffff:0:1::1
The hosts and the router exchange IPv6 in IPv4 over the IPv4 network; the router forwards to the native IPv6 network.
The above example uses 6Bone addressing space = 3ffe::/16
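An added example (not from the original slides) covering the three address formats in this deck that embed an IPv4 address: the IPv4-compatible ::<IPv4> form, the 6to4 2002:<ipv4>:<subnet>::/64 form and the ISATAP <prefix>:0:5efe:<ipv4> form. It builds each one, recovers the embedded IPv4 address, and performs the ingress check a decapsulating 6to4 or ISATAP router should make: the IPv4 address embedded in the inner IPv6 source must match the outer IPv4 source. Addresses are taken from the deck's figures (private IPv4 space, as in the slides).

```python
import ipaddress


def ipv4_compatible(ip4):
    """::<IPv4>: 96 zero bits, then the IPv4 address in the 32 least significant bits."""
    return ipaddress.IPv6Address(int(ipaddress.IPv4Address(ip4)))


def six_to_four(ip4, subnet=0, iid=1):
    """2002:<ipv4>:<subnet>::<iid>: the site's /48 is derived from its external IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ip4))
    return ipaddress.IPv6Address((0x2002 << 112) | (v4 << 80) | (subnet << 64) | iid)


def isatap(prefix, ip4):
    """<64-bit prefix>:0:5efe:<ipv4>: the 0000:5EFE marker identifies an ISATAP interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return ipaddress.IPv6Address(int(net.network_address) | (0x5EFE << 32) | int(ipaddress.IPv4Address(ip4)))


def embedded_ipv4(addr):
    """Return (format, dotted IPv4) when addr uses one of the three formats, else None."""
    n = int(ipaddress.IPv6Address(str(addr)))
    low32 = str(ipaddress.IPv4Address(n & 0xFFFFFFFF))
    if n >> 112 == 0x2002:
        return ("6to4", str(ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)))
    if ((n >> 32) & 0xFFFFFFFF) == 0x5EFE:
        return ("isatap", low32)
    if n >> 32 == 0:
        return ("ipv4-compatible", low32)
    return None


def source_consistent(outer_src4, inner_src6):
    """Decapsulator ingress check: the IPv4 address embedded in the inner IPv6 source
    must equal the outer IPv4 source; anything else is spoofed or misrouted and is dropped."""
    found = embedded_ipv4(inner_src6)
    return found is not None and found[1] == str(ipaddress.IPv4Address(outer_src4))


if __name__ == "__main__":
    print(six_to_four("192.168.1.1", subnet=1, iid=1))   # 2002:c0a8:101:1::1
    print(isatap("3ffe:ffff::/64", "192.168.3.1"))       # 3ffe:ffff::5efe:c0a8:301
    print(embedded_ipv4("fe80::5efe:c0a8:101"))          # ('isatap', '192.168.1.1')
    print(source_consistent("192.168.9.9", "2002:c0a8:101:1::1"))  # False
```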
ISATAP implementation
• In a corporate network
• No NAT in the path
• Not between service providers
• Not global
Teredo
• NAPT prevents direct tunnels
• Teredo puts IPv6 in UDP in IPv4
• The relationship between the IPv4 address and the port number is discovered by the Teredo server (situated on the outer side of the NAT)
Figure: a host (A) in IPv4 private address space behind a NAT sends IPv6 in IPv4 across the IPv4 network to the Teredo server, reaching a host (B) on the IPv6 network
Teredo uses a specific prefix. The IPv6 address includes the IPv4 address and the source UDP port number of the host station.
Address format (figure): 16-bit prefix (ZZ) | 32-bit IPv4 address (network, e.g. 143.23.234.211) | 16-bit port (station, XX) | 64-bit interface ID (e.g. 0290:27FF:FE17:FC0F)
IPv6 in UDP in IPv4 (figure: an IPv6 packet encapsulated inside an IPv4 packet)
IPv6 packet: IPv6 header | Transport header | Application protocol data
IPv4 datagram: IPv4 header | UDP header | IPv6 header | Transport header | Application protocol data
Teredo implementation
• Used for hosts behind a NAPT that need to go through it
• The UDP encapsulation reduces the MTU for the original IPv6 packet
• Automatic tunnels: Teredo and transport relays are susceptible to security attacks
• Can be combined with TSP for a controlled deployment, stable prefixes and addresses and an overall improvement in security
Tunnelling IPv4 over IPv6
Dual Stack Transition Mechanism (DSTM)
• For IPv6 networks using IPv4 applications
• Transparent to any IPv4 application
• When communications can be performed natively in IPv6, DSTM is not required. For protocols such as http and smtp, it is preferable to use application level gateways (ALG)
• Requires DHCPv6 and TSP
• Can be deployed in multiple stages:
  1. Manual tunnel configuration
  2. Use of DHCPv6 and TSP to dynamically assign IPv4 addresses to stations on the network, for as long as they are on the network
  3. Assign IPv4 addresses for the duration of the requirement only
Dual Stack Transition Mechanism (DSTM) (figure: IPv6 station, DSTM server, DSTM gateway, IPv4 network)
The DSTM server and DSTM gateway can be implemented in the same hardware
1. IPv4 datagram to send; request to the server for an address (Port Address Translation (PAT) can be used to optimise the usage of IPv4 addresses)
2. Request to the DSTM gateway to add the Tunnel End Point (TEP)
3. Reply to the host node, with:
   • Assigned IPv4 address
   • Assignment period (expiry)
   • IPv4 and IPv6 addresses of the TEP
4. Use of the tunnel (IPv4 over IPv6) for the IPv4 communication
2: Applications Migration
IPv6 translation methods
• SIIT, NAT-PT and NAPT-PT
• Bump-in-the-stack
• Bump-in-the-API
• Transport-layer Translator
SIIT, NAT-PT and NAPT-PT
For communications between an IPv6-only network and an IPv4-only network:
• A network-layer translator, also called a header translator. RFC 2765: Stateless IP/ICMP Translator (SIIT) Algorithm
• Network Address Translation with Protocol Translation (NAT-PT) as defined in RFC 2766 is situated at the interconnection point between an IPv4 and an IPv6 network
• A dual stack or a tunnel do not affect the packet itself. However, NAT-PT and NAPT-PT (Network Address Port Translation + Protocol Translation) modify the header, resulting in possible loss of functionality
• NAT-PT cannot affect the IP addresses transported in the payload by application protocols (e.g. ftp, H.323)
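An added example (not from the original slides) of the header translation the slide describes, in the spirit of RFC 2765 (SIIT): it rewrites an IPv4 header into an IPv6 header, reports which IPv4 information has no place in the base IPv6 header, and shows that an IPv4 literal inside the payload (here an FTP PORT command) is left untouched, which is why an ALG is needed. The address mapping used (IPv4-mapped ::ffff:a.b.c.d for the IPv4 source, IPv4-translated ::ffff:0:a.b.c.d for the IPv6-only destination) is my reading of RFC 2765; the sample datagram is constructed.

```python
import ipaddress
import struct

IPPROTO_ICMP, IPPROTO_ICMPV6 = 1, 58


def ipv4_mapped(ip4):
    """::ffff:a.b.c.d, used for the IPv4 node's address after translation."""
    return ipaddress.IPv6Address((0xFFFF << 32) | int(ipaddress.IPv4Address(ip4)))


def ipv4_translated(ip4):
    """::ffff:0:a.b.c.d, the IPv6-only node's address as seen from the IPv4 side."""
    return ipaddress.IPv6Address((0xFFFF << 48) | int(ipaddress.IPv4Address(ip4)))


def translate_ipv4_header(datagram):
    """Translate the IPv4 header at the front of `datagram` into an IPv6 header.
    Returns (ipv6_header, payload, lost): `lost` names the IPv4 information the
    base IPv6 header cannot carry, which is where functionality can be lost."""
    vihl, tos, total, ident, flags_frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", datagram[:20])
    ihl = (vihl & 0x0F) * 4
    payload = datagram[ihl:total]
    lost = []
    if ihl > 20:
        lost.append("options")            # IPv4 options have no IPv6 equivalent here
    if flags_frag & 0x3FFF:
        lost.append("fragmentation")      # would need an IPv6 Fragment header (not built)
    if ident:
        lost.append("identification")     # only carried by a Fragment header in IPv6
    next_header = IPPROTO_ICMPV6 if proto == IPPROTO_ICMP else proto  # ICMP body must also be rewritten
    first_word = (6 << 28) | (tos << 20)  # version 6, traffic class = TOS, flow label 0
    header = struct.pack("!IHBB", first_word, len(payload), next_header, ttl)  # hop limit = TTL
    header += ipv4_mapped(src).packed + ipv4_translated(dst).packed
    return header, payload, lost


def payload_carries_ipv4(payload, ip4):
    """True when the payload quotes the IPv4 address literally (dotted, or FTP PORT comma form):
    the header translator does not touch it, so the IPv6 peer sees an unusable address."""
    octets = str(ipaddress.IPv4Address(ip4)).split(".")
    return any(sep.join(octets).encode() in payload for sep in (".", ","))


def sample_datagram():
    """Constructed IPv4 datagram: TCP 192.168.1.1 -> 10.0.0.1, DF set, carrying an FTP PORT command."""
    payload = b"PORT 192,168,1,1,4,1\r\n"
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, 6, 0,
                         ipaddress.IPv4Address("192.168.1.1").packed, ipaddress.IPv4Address("10.0.0.1").packed)
    return header + payload


if __name__ == "__main__":
    hdr, body, lost = translate_ipv4_header(sample_datagram())
    print(hdr.hex(), lost, payload_carries_ipv4(body, "192.168.1.1"))
```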
Bump in the Stack (BIS)
RFC 2767
• Similar to NAT-PT and SIIT but implemented in the OS stack
• Valid for a host connected to an IPv6-only network
• Adds three modules to the stack
  – A translator: IPvX to IPvY headers
  – A DNS name resolver extension, such as the DNS-ALG used in NAT-PT
  – An address mapper
• Limitations of this translation method:
  – IPv4 to IPv6 but not the other way around
  – No IPv4 to/from the network
  – As with NAT-PT and SIIT, will not work with multicast addresses or addresses embedded in the payload by the applications (e.g. ftp, H323). Application Level Gateways (ALG) are required.
Bump in the Stack (BIS) (figure: the BIS stack)
Bump in the API (BAS)
• Similar to BIS but with an API translator between the socket API and the TCP/IP modules.
• Designed for systems with an IPv6 stack and IPv4 applications still in service
• Adds three modules to the stack:
  – A DNS name resolver extension, such as the DNS-ALG used in NAT-PT
  – A function mapper: translates calls to the IPv4 socket towards the IPv6 socket, and vice versa
  – An address mapper
• Does not introduce additional processing for each packet
• Limitations are similar to BIS
Bump in the API (BAS) (figure: the BAS stack)
Transport Relays
Transport Relay Translator RFC 3142
Figure: IPv6 host, special DNSv6 server, TRT, IPv4 network
1. DNS request
2. AAAA reply: IPv6 address with a special prefix if the destination is IPv4
3. IPv6 packets sent to the TRT
4. IPv4 packets are exchanged
Transport Relays
SOCKS - RFC 1928
• Also known as Proxy protocol for client/server environments
• Similar to Transport Relay
• Two main software components:
  – SOCKS server: found at the application layer
  – SOCKS client: found between the application and the transport layers
• An application must therefore be SOCKS-compatible
Application Layer Gateway (ALG)
Acts as a proxy server
Figure: IPv6 host on the IPv6 network, dual stack router, dual stack ALG, IPv4 network
Transition summary
For networks and applications:
• Many tools exist:
  – Tunnels between IPv6 networks
  – Translation between IPv4 and IPv6
• Many more methods are available and will emerge
• So far, no single method applies to all scenarios
• Not all methods will gain momentum and commercial success
• It's important to choose the method that is most adapted to a particular situation
Transition summary
Specific applications:
• Mail servers:
  – Sendmail has been compatible with IPv6 for some time
• Web servers
  – Apache 1.3 is IPv6 ready (with a patch)
  – Apache 2.0 is IPv6 ready
  – Can be run in a separate server with mirroring
  – Can be run inside the same server with IPv6 connectivity
• If servers are isolated from the IPv6 network, build a tunnel with a stable, fixed IP address represented in DNS
Questions?
IPv6 and IPv4 co-existence
Burt Crépeault :: [email protected]
www.iitelecom.com