Introduction to the IPv6 Protocol


IPv6
IETF Next Gen Internet
Greg O’Shea
Microsoft Research
Contents

- Motivation
- Addressing
- Packet structure
- ICMPv6 (Neighbor Discovery)
- Address auto-configuration
- IPSec
- Mobile IPv6
- Transitioning
- Reflections

IPv4: a protocol for the present
[Figure: IPv4 classful address formats. Class A: 1-bit prefix 0, 7-bit network, 24-bit host. Class B: 2-bit prefix 10, 14-bit network, 16-bit host. Class C: 3-bit prefix 110, 21-bit network, 8-bit host.]
- 32 bits seemed plenty in 1978
  - Yield might be as low as 200M/4G
  - Shortage of class B addresses
- NAT: relieve pressure on address space
- CIDR: relieve pressure on routers
- Is this too restrictive for the future?

IPv6: a protocol for the future
- Anticipated growth of the Internet
  - 10 billion people by 2020?
  - Some with several computers
  - Mobile phones (etc.) with IP addresses?
- Debate and proposals in IETF (1994)
- Goal: an IP address for every computer
  - Avoid restrictions of address shortage
  - IPv6 (1996) uses 128-bit addresses
  - Cheap and easily acquired

Scalability and housekeeping
- More efficient headers (router-friendly)
  - Fixed header size, no options, wrt forwarding
  - Extension headers follow IP hdr
- Hierarchical route prefixes
  - Per Classless Inter-Domain Routing (CIDR)
  - route/n is route of prefix length 0<=n<=64
  - Space-efficient longest-match route tables
- Stateless Address auto-configuration
  - Reduce net admin overheads
- And also Security (IPSec)
  - Security for IP layer (sometimes, in principle)
- And also Mobility (MIPv6)
  - Support mobile hosts moving between IP nets

Notabilia
- You have to modify your apps – a little is enough
  - Does not modify TCP, UDP etc.
  - struct sockaddr -> SOCKADDRINFO
  - gethostbyname() -> getaddrinfo()
- Co-exists with IPv4, typically dual-stack
- Why 128 bits? Room for hierarchical prefixes
- 1500 <= packetsize <= 64KB
  - Min exploits most common case (eth)
  - Routers unlikely to fwd more than 64KB
- No header checksum
  - L2, PPP and e.g. TCP checksums suffice
  - Saves routers recomputing cks(--HopCount)
- No fragmentation between routers
  - Lost frag requires rexmit whole packet
  - Source learns PMTU from ICMPv6

Addressing
[Figure: 3ffe:8310:0000:0000:20d:56ff:fe6d:f02c split into a 64-bit network prefix (3-bit type 001 | 13-bit TLA | 8-bit Res | 24-bit NLA | 16-bit SLA) followed by a 64-bit Interface Id.]
- Type 001: Global aggregatable address
  - TLA: Top Level Aggregator (think: long haul)
  - NLA: Next Level Aggregator (think: NSP, ISP)
  - SLA: Site Level Aggregator (think: any.org)
- 64-bit Interface Id (~unique)
  - Derived from MAC
  - Else manual, else random, else DHCPv6, else novel (e.g. CGA)
  - Collision avoidance via DAD (else feel wrath of IESG)

Primary Address Types
- Global
- Link-local (fe80::/10)
  - Routers do not forward beyond link
- Site-local (fec0::/10) (deprecated)
  - Routers do not forward beyond site
- Multicast (ff00::/8)
  - No broadcast in IPv6
  - FF02::1 (Link-local all-nodes address)
  - FF02::2 (Link-local all-routers address)
- Null = :: (:: = string of zero hextets)
- Loopback = ::1

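The interface-id derivation and the address types above, as an added Python example that is not part of the slides: it forms a modified EUI-64 interface id from a MAC, joins it to a /64 prefix and classifies addresses by the well-known prefixes listed. The MAC is an assumption; it is the one that yields the slide's interface id 20d:56ff:fe6d:f02c.

```python
# Added example (not from the slides): modified EUI-64 interface id from a MAC,
# global address = prefix | interface id, and address classification by prefix.
# The MAC 00:0d:56:6d:f0:2c is assumed (it reproduces the slide's interface id).
import ipaddress

def eui64_iid(mac: str) -> int:
    """Modified EUI-64: flip the universal/local bit, insert ff:fe in the middle."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    if len(b) != 6:
        raise ValueError("need a 48-bit MAC")
    b[0] ^= 0x02                     # U/L bit is inverted in the IPv6 form
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")

def make_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Concatenate a /64 network prefix with a 64-bit interface id."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("interface ids need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def classify(addr: str) -> str:
    """Address type by well-known prefix, as listed on the slide."""
    a = ipaddress.IPv6Address(addr)
    if a == ipaddress.IPv6Address("::"):
        return "unspecified"
    if a == ipaddress.IPv6Address("::1"):
        return "loopback"
    if a in ipaddress.IPv6Network("fe80::/10"):
        return "link-local"
    if a in ipaddress.IPv6Network("fec0::/10"):
        return "site-local (deprecated)"
    if a in ipaddress.IPv6Network("ff00::/8"):
        return "multicast"
    return "global"

if __name__ == "__main__":
    iid = eui64_iid("00:0d:56:6d:f0:2c")            # assumed MAC
    addr = make_address("3ffe:8310::/64", iid)
    print(addr, classify(str(addr)))
```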
Packet Headers

IPv6 Header
- Designed for efficiency in routers
  - Fixed size, no options
  - Larger (40-byte) but simpler to handle
[Figure: IPv6 base header fields: vers | class | flow label; length | next | hop lim; Source Address; Destination Address.]

Extension Headers
[Figure: Base Header | Extension Header 1 | … | Extension Header N | Data]
1. Hop-by-Hop (e.g. MLD)
2. Dest Opts header (intermediate nodes)
3. Routing Header
4. Fragment Header
5. Authentication Header (AH) (~deprecated)
6. Encapsulating Security Payload (ESP) header
7. Destination Opts header (final destination)
8. Mobility Header

Compare headers (in your own time)

IPv4 Header Field        Change in IPv6
Version                  New value of 6
Internet Header Length   Removed
Type of Service          Traffic Class field
Total Length             Payload Length field
Identification           Removed to Fragment extension header
Fragmentation Flags      Removed to Fragment extension header
Fragment Offset          Removed to Fragment extension header
Time to Live             Hop Limit field
Protocol                 Next Header field
Header Checksum          Removed
Source Address           Same, new 128-bit length
Destination Address      Same, new 128-bit length
Options                  Removed to extension headers

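The fixed base header and the Next Header chain above, as an added Python example that is not from the slides: it builds a constructed packet with two extension headers and walks the chain the way a router, firewall or IDS has to, handling the headers whose length is encoded differently (Fragment is fixed-size, AH counts in 4-byte units). The addresses and the ICMPv6 payload are made up.

```python
# Added example (not from the slides): build a constructed IPv6 packet with a
# chain of extension headers and walk the Next Header chain as a router, firewall
# or IDS must, handling the headers whose length encoding differs. Protocol numbers
# are the IANA values; the addresses and ICMPv6 payload are made up.
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, DEST_OPTS = 0, 43, 44, 50, 51, 58, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}   # ESP is opaque: the chain stops there

def build_packet(src: bytes, dst: bytes, chain: list, payload: bytes, hop_limit: int = 64) -> bytes:
    """Base header, one minimal 8-byte extension header per entry in chain, then an ICMPv6 payload."""
    nexts = list(chain) + [ICMPV6]
    body = b""
    for i in range(len(chain)):
        body += struct.pack("!BB6x", nexts[i + 1], 0)          # next header, hdr ext len 0 (= 8 bytes)
    body += payload
    base = struct.pack("!IHBB", 6 << 28, len(body), nexts[0], hop_limit) + src + dst
    return base + body

def walk_chain(pkt: bytes) -> dict:
    """Return base-header fields, the extension headers seen and where the upper layer starts."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    vtf, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    if 40 + plen != len(pkt):
        raise ValueError("payload length does not match packet size")
    off, seen = 40, []
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        seen.append(nh)
        if nh == FRAGMENT:
            size = 8                                 # fixed size, no length field
        elif nh == AH:
            size = (pkt[off + 1] + 2) * 4            # AH length is in 4-byte units minus 2
        else:
            size = (pkt[off + 1] + 1) * 8            # others: 8-byte units minus 1
        nh, off = pkt[off], off + size
    if off > len(pkt):
        raise ValueError("extension header runs past end of packet")
    return {"traffic_class": (vtf >> 20) & 0xFF, "flow_label": vtf & 0xFFFFF, "hop_limit": hlim,
            "extensions": seen, "upper": nh, "payload": pkt[off:]}

if __name__ == "__main__":
    src = bytes.fromhex("3ffe8310000000000000000000000001")     # constructed addresses
    dst = bytes.fromhex("ff020000000000000000000000000001")
    echo = struct.pack("!BBHHH", 128, 0, 0, 1, 1)                 # ICMPv6 echo request, checksum 0
    print(walk_chain(build_packet(src, dst, [HOP_BY_HOP, DEST_OPTS], echo)))
```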
ICMPv6

ICMPv6 in general
- Test reachability
  - ping, tracert
- Error report
  - Destination Unreachable
  - Time Exceeded
  - Packet Too Big (ref PMTU discovery)
- Multicast Listener Discovery (MLD)
  - e.g. join solicited node multicast group
- Neighbor Discovery (ND)
  - Address resolution and 2-way reachable
  - Stateless addr autoconfig & DAD

Neighbor Discovery (ND)
- Router Solicitation (RS)
  - Exists a router?
- Router Advertisement (RA)
  - Publishes route, prefix and option info
- Neighbor Solicitation (NS)
  - L3->L2 address resolution
  - Bi-directional reachable
  - Maintain Neighbor Cache state
- Neighbor Advertisement (NA)
- Redirect
- NCE state machine

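A Neighbor Solicitation as sent for address resolution or DAD, as an added Python example that is not from the slides. It shows two points made earlier: the message goes to the target's solicited-node multicast group, and, because the IPv6 header carries no checksum, the ICMPv6 checksum is computed over a pseudo-header of the addresses. The addresses and the MAC in the source link-layer option are constructed.

```python
# Added example (not from the slides): Neighbor Solicitation (ICMPv6 type 135)
# with its checksum computed over the IPv6 pseudo-header (src, dst, length, 58).
# Addresses and the MAC carried in the source link-layer option are constructed.
import ipaddress, struct

def icmpv6_checksum(src: str, dst: str, icmp: bytes) -> int:
    """Internet checksum over pseudo-header + ICMPv6 message (RFC 8200 section 8.1 layout)."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(icmp), 58))
    data = pseudo + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                  # fold carries (one's complement sum)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def neighbor_solicitation(src: str, target: str, src_mac: str = None) -> tuple:
    """Returns (destination, ICMPv6 bytes). DAD uses the unspecified source and no SLLA option."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    dst = str(ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24))
    msg = struct.pack("!BBHI", 135, 0, 0, 0) + ipaddress.IPv6Address(target).packed
    if src_mac:                                         # option type 1, length 1 (8 bytes)
        msg += b"\x01\x01" + bytes(int(x, 16) for x in src_mac.split(":"))
    cksum = icmpv6_checksum(src, dst, msg)
    return dst, msg[:2] + struct.pack("!H", cksum) + msg[4:]

def verify(src: str, dst: str, icmp: bytes) -> bool:
    """Receiver side: the sum over a correct message, checksum included, comes out as zero."""
    return icmpv6_checksum(src, dst, icmp) == 0

if __name__ == "__main__":
    dst, ns = neighbor_solicitation("fe80::1", "fe80::2", "00:0d:56:6d:f0:2c")   # constructed
    print(dst, ns.hex(), verify("fe80::1", dst, ns))
```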
Stateless address auto-configuration

IPv6 Address Autoconfiguration
- Configure link-local address (fe80::IFid)
  - Perform duplicate address detection
- Send RS to discover router(s)
- Receive RA(s)
- Populate route table with routes from RA
  - Note ::/0 route published by default routers
- Form tentative address(es) from (prefix:IFid)
  - Start DAD on tentative address(es)
  - If DAD succeeds, address(es) preferred
- O(1.5s) elapsed (mostly DAD timeout)

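The autoconfiguration steps above run end to end, as an added Python example that is not from the slides. The RA contents, the interface id and the set of addresses already present on the link are constructed, and DAD is modelled as "does a node on the link already own the tentative address" rather than real NS/NA traffic.

```python
# Added example (not from the slides): the stateless autoconfiguration steps as a
# small simulation. RA contents, interface id and the addresses already on the link
# are constructed; DAD is modelled as an NS answered only by an existing owner.
import ipaddress
from dataclasses import dataclass, field

@dataclass
class RouterAdvertisement:
    router_lladdr: str        # link-local source address of the RA
    router_lifetime: int      # 0 means the sender is not a default router
    prefixes: list            # (prefix, autonomous-flag) pairs from Prefix Information options

@dataclass
class Interface:
    iid: int                                       # 64-bit interface id (e.g. modified EUI-64)
    routes: dict = field(default_factory=dict)     # destination -> next hop
    addresses: dict = field(default_factory=dict)  # address -> "preferred" | "duplicate"

def dad(candidate: str, on_link: set) -> bool:
    """NS for the tentative address to its solicited-node group; only a node already owning it answers."""
    return candidate not in on_link

def autoconfigure(iface: Interface, ra: RouterAdvertisement, on_link: set) -> Interface:
    # 1. link-local address fe80::IFid, tentative until DAD passes
    ll = str(ipaddress.IPv6Address(int(ipaddress.IPv6Address("fe80::")) | iface.iid))
    iface.addresses[ll] = "preferred" if dad(ll, on_link) else "duplicate"
    # 2./3. RS sent, RA received: a non-zero router lifetime installs the ::/0 route
    if ra.router_lifetime > 0:
        iface.routes["::/0"] = ra.router_lladdr
    # 4. one tentative address per autonomous /64 prefix, each subjected to DAD
    for prefix, autonomous in ra.prefixes:
        net = ipaddress.IPv6Network(prefix)
        iface.routes[str(net)] = "on-link"
        if autonomous and net.prefixlen == 64:
            addr = str(ipaddress.IPv6Address(int(net.network_address) | iface.iid))
            iface.addresses[addr] = "preferred" if dad(addr, on_link) else "duplicate"
    return iface

if __name__ == "__main__":
    ra = RouterAdvertisement("fe80::1", 1800, [("3ffe:8310::/64", True)])
    taken = {"3ffe:8310::20d:56ff:fe6d:f02c"}        # constructed: another node already uses it
    print(autoconfigure(Interface(iid=0x020d56fffe6df02c), ra, taken))
```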
IPSec

Internet Protocol Security (IPSec)
- Network-layer (IP-layer) security protocol.
- Specified for IPv6 and IPv4.
- Intended to replace all other Internet security protocols but probably won't.
- End-to-end authentication and encryption between two IP hosts.
- IP addresses used as host identifiers.
- Three steps:
  1. Configure Security Policy Database (SPD)
  2. IKE or manual create Security Associations (SA).
  3. ESP session protocol protects data.

IPSec Architecture
[Figure: Host A and Host B separated by an untrusted network. Step 1: IKE(v2) key exchange between the hosts yields a session key on each side. Step 2: the resulting IPSec SA pair, held in each host's Security Association Database (SAD), protects traffic with ESP. Each host's Security Policy Database (SPD) drives its IPSec processing.]
- Security associations (SA) created by IKE, used by IPSec.
- Security policy guides SA creation and selection for use.

ESP Packet Format
[Figure: Original packet: IP header | IP Payload.
ESP in transport mode: Original IP header | ESP header | IP Payload | ESP trailer | Auth trailer (the payload and ESP trailer are encrypted; ESP header through ESP trailer are authenticated).
ESP in tunnel mode: IP header | ESP header | Original IP header | IP Payload | ESP trailer | Auth trailer (the original IP header, payload and ESP trailer are encrypted; ESP header through ESP trailer are authenticated).]
- ESP header and trailer = SPI + Sequence number + Padding
- ESP authentication trailer = message authentication code (MAC)

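The ESP framing drawn above (header, padding trailer, authentication trailer), built and checked as an added Python example that is not from the slides. To stay self-contained it uses ESP-NULL (RFC 2410, no confidentiality) so nothing is encrypted, and HMAC-SHA256 truncated to 128 bits as the MAC; the SPI, sequence number and key are constructed.

```python
# Added example (not from the slides): ESP transport-mode framing with ESP-NULL
# (RFC 2410, no encryption) and an HMAC-SHA256 ICV truncated to 128 bits.
# SPI, sequence number and key are constructed values.
import hmac, hashlib, struct

ICV_LEN = 16                     # truncated HMAC-SHA256 integrity check value

def esp_encapsulate(payload: bytes, next_header: int, spi: int, seq: int, key: bytes) -> bytes:
    """ESP header | payload | padding | pad len | next hdr | ICV (ESP-NULL: payload stays in the clear)."""
    pad_len = (-(len(payload) + 2)) % 4            # pad-len + next-header must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))         # RFC 4303 default padding pattern 1, 2, 3, ...
    header = struct.pack("!II", spi, seq)
    body = header + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv

def esp_decapsulate(pkt: bytes, key: bytes, replay_window: set) -> tuple:
    """Verify the ICV first, then replay, then strip the trailer; returns (next_header, payload)."""
    if len(pkt) < 8 + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
    expect = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expect):
        raise ValueError("ICV check failed")         # authenticate before touching anything else
    spi, seq = struct.unpack("!II", body[:8])        # spi selects the SA (single SA assumed here)
    if seq in replay_window:
        raise ValueError("replayed sequence number %d" % seq)
    replay_window.add(seq)
    pad_len, next_header = body[-2], body[-1]
    payload = body[8:len(body) - 2 - pad_len]
    return next_header, payload

if __name__ == "__main__":
    key, window = b"constructed-demo-key-not-for-use", set()
    pkt = esp_encapsulate(b"hello over ESP", next_header=58, spi=0x1000, seq=1, key=key)
    print(pkt.hex(), esp_decapsulate(pkt, key, window))
```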
Mobile IPv6 (2003)

The Problem: internet hosts cannot move
- Traditional IP address = (network + host-id)
  - is bound to a specific network
  - Connections break if node moves between nets
- Okay for traditional, wired connections
- Problem for mobile, wireless computers (future)

MIPv6: a game for three players...
- Mobile Node (MN)
  - (s)he who moves between IP nets
- Home Agent (HA)
  - Proxy on home net for absent MN
- Correspondent Node (CN)
  - (s)he who speaks with a MN
  - Potentially every IPv6 node is a CN
  - Potentially the CN is also an MN

… involving up to four addresses
- Home Address (HoA)
  - where apps think host is
- Care-Of Address (CoA)
  - where host actually is
- IP header
  - Source CoA: where sender is attached
  - Dest CoA: where destination is attached
- Home Address Destination Option
  - HoA of sender, if sender is MN abroad
- Routing Header (Type 2)
  - HoA of recipient, if recipient is MN abroad

Messages and data structures
- Binding Update: (HoA, CoA)
  - Sent by MN to inform CN (or HA) of its whereabouts
- Binding Cache on CN and HA
  - list of Binding Updates accepted
- Binding Update List on MN
  - list of BUs sent that have not yet expired

Mobile on home net, Correspondent elsewhere
- Packets arrive on home net (normal)

Mobile node moves abroad
- Mobile tells HA its whereabouts
- Home Agent fwds to mobile
- HoTi: Request K0 from CN
- HoT: Get K0 = HMAC(HoA)Kcn
- CoTi: Request K1 from CN
- CoT: Get K1 = HMAC(CoA)Kcn
- BU: key K = SHA1(K0, K1)
- CN regenerates K; bypasses HA

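The HoTi/HoT, CoTi/CoT and BU exchange above reduced to its key handling, as an added Python example that is not from the slides. It follows the slide's simplified derivation (K0 = HMAC(HoA) under Kcn, K1 = HMAC(CoA) under Kcn, K = SHA1(K0 || K1)); the nonces and token indices of the full protocol are left out, and Kcn, the addresses and the way the BU is MACed with K are assumptions. The point it makes visible is the last bullet: the CN regenerates K from the two addresses and Kcn alone, keeping no per-mobile state until a valid BU arrives.

```python
# Added example (not from the slides): return-routability key derivation in the
# slide's simplified form. Kcn, addresses and the BU MAC construction are assumed.
import hashlib, hmac, ipaddress

def token(kcn: bytes, addr: str) -> bytes:
    """Keygen token the CN returns in HoT (for the HoA) or CoT (for the CoA): HMAC(addr) under Kcn."""
    return hmac.new(kcn, ipaddress.IPv6Address(addr).packed, hashlib.sha1).digest()

def binding_key(k0: bytes, k1: bytes) -> bytes:
    """K, the key that authenticates the Binding Update: SHA1(K0 || K1)."""
    return hashlib.sha1(k0 + k1).digest()

class CorrespondentNode:
    """Holds only Kcn; binding state is created only by a BU whose MAC verifies."""
    def __init__(self, kcn: bytes):
        self.kcn = kcn
        self.binding_cache = {}                      # HoA -> CoA
    def hot(self, hoa): return token(self.kcn, hoa)  # reply to HoTi, routed via the HA
    def cot(self, coa): return token(self.kcn, coa)  # reply to CoTi, sent direct to the CoA
    def binding_update(self, hoa: str, coa: str, mac: bytes) -> bool:
        # Regenerate K from the two addresses and Kcn alone: no HA involved, no stored tokens.
        k = binding_key(token(self.kcn, hoa), token(self.kcn, coa))
        expect = hmac.new(k, f"{hoa}|{coa}".encode(), hashlib.sha1).digest()
        if not hmac.compare_digest(mac, expect):
            return False
        self.binding_cache[hoa] = coa
        return True

class MobileNode:
    def __init__(self, hoa: str, coa: str):
        self.hoa, self.coa = hoa, coa
    def register(self, cn: CorrespondentNode) -> bool:
        k0 = cn.hot(self.hoa)                        # HoTi / HoT (through the home agent)
        k1 = cn.cot(self.coa)                        # CoTi / CoT (directly, from abroad)
        k = binding_key(k0, k1)
        mac = hmac.new(k, f"{self.hoa}|{self.coa}".encode(), hashlib.sha1).digest()
        return cn.binding_update(self.hoa, self.coa, mac)

if __name__ == "__main__":
    cn = CorrespondentNode(b"constructed-kcn")
    mn = MobileNode("3ffe:8310::20d:56ff:fe6d:f02c", "3ffe:1234::20d:56ff:fe6d:f02c")
    print(mn.register(cn), cn.binding_cache)
```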
Transitioning

Microsoft IPv6 Deployment
[Figure: map of Microsoft sites; native v6 indicated by circles]
- Native v6 indicated by circles
  - Also in Cambridge, U.K.
- ISATAP available in all buildings and all locations
  - Native and ISATAP can communicate via ISATAP routers
- Microsoft publicly hosts Teredo servers on the Internet

v4/v6 Co-Existence Strategy
[Figure: enterprises of five kinds (v4; v4+ISATAP with an ISATAP Router; 6to4 v6 with a 6to4 Router; v4-v6 Dual Stack with a 6to4 Router; Native v6) attached to the v4 Internet and the v6 Internet, joined by 6to4 Relays, a 6to4 IDG, an ISATAP router, and a Teredo Relay serving Teredo hosts behind NATs.]

IPv6 Transitioning Overview
- Fragmented IPv6 infrastructure
  - Bridge the gaps using IPv4 tunnels
- 6to4 tunneling uses (2002::/16 routes)
  - 6to4 router with public V4ADDR=w.x.y.z
    - forms 2002:V4ADDR::IFid and publishes in DNS
    - Advertises 2002:V4ADDR::/48 (local)
    - Advertises 2002::/16 (offsite) via its IF=#3
  - Isolated IPv6 host can tunnel to known 6to4 router
- ISATAP for isolated hosts on IPv4 intranet
  - Host looks up “ISATAP” to find ISATAP router
  - Host configures e.g. fe80::0:5EFE:w.x.y.z(%2)
  - Host sends via tunnel IF(%2) (wraps v6 in v4)
  - Tunneled RS/RA to ISATAP router yields offsite routes
- Teredo – if behind a v4 NAT that can’t do 6to4
  - 3FFE:831F::/32 prefix (TBC, awaiting IANA)
  - 3ffe:831f:wwxx:yyzz:encoding (read the docs)
  - IPv6 tunneled over UDP port 3544 /IPv4 from host to Teredo server

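The three address formats above, formed and recognised as an added Python example that is not from the slides. 6to4 and ISATAP follow the slide directly (2002:V4ADDR::IFid, fe80::0:5efe:w.x.y.z); for Teredo the slide only gives the interim 3ffe:831f::/32 prefix and the server address wwxx:yyzz, so the rest of the layout (flags, then port and client IPv4 stored inverted) is the one RFC 4380 later fixed, placed under the slide's prefix. All IPv4 addresses and the port are constructed.

```python
# Added example (not from the slides): 6to4, ISATAP and Teredo address formation
# and the reverse mapping a relay or firewall needs, from the IPv6 address back to
# the IPv4 tunnel endpoint. Teredo layout per RFC 4380 under the slide's prefix.
import ipaddress, struct

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")
TEREDO = ipaddress.IPv6Network("3ffe:831f::/32")      # slide-era prefix; IANA later assigned 2001::/32

def sixtofour_prefix(v4: str) -> ipaddress.IPv6Network:
    """2002:V4ADDR::/48 for a 6to4 router with public address V4ADDR."""
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(ipaddress.IPv4Address(v4)) << 80), 48))

def sixtofour_address(v4: str, iid: int) -> ipaddress.IPv6Address:
    """2002:V4ADDR::IFid, the router's own address on its /48 (SLA 0)."""
    return ipaddress.IPv6Address((0x2002 << 112) | (int(ipaddress.IPv4Address(v4)) << 80) | iid)

def isatap_link_local(v4: str) -> ipaddress.IPv6Address:
    """fe80::0:5efe:w.x.y.z; the ISATAP interface id embeds the host's IPv4 address."""
    return ipaddress.IPv6Address((0xfe80 << 112) | (0x5efe << 32) | int(ipaddress.IPv4Address(v4)))

def teredo_address(server_v4: str, client_v4: str, client_port: int, cone: bool = False):
    """prefix | server v4 | flags | port XOR ffff | client v4 XOR ffffffff (RFC 4380 layout)."""
    flags = 0x8000 if cone else 0
    tail = struct.pack("!IHHI", int(ipaddress.IPv4Address(server_v4)), flags,
                       client_port ^ 0xFFFF, int(ipaddress.IPv4Address(client_v4)) ^ 0xFFFFFFFF)
    return ipaddress.IPv6Address(TEREDO.network_address.packed[:4] + tail)

def tunnel_endpoint(addr: str) -> tuple:
    """Mechanism an address belongs to and the IPv4 endpoint packets for it are tunnelled to."""
    a = ipaddress.IPv6Address(addr)
    p = a.packed
    if a in SIXTOFOUR:
        return "6to4", str(ipaddress.IPv4Address(p[2:6]))            # the 6to4 router
    if a in TEREDO:
        return "teredo", str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in p[12:16])))
    if a in ipaddress.IPv6Network("fe80::/10") and p[8:12] == b"\x00\x00\x5e\xfe":
        return "isatap", str(ipaddress.IPv4Address(p[12:16]))        # the host's intranet v4
    return "native", None

if __name__ == "__main__":
    print(sixtofour_prefix("192.0.2.1"), isatap_link_local("192.0.2.10"))   # constructed v4 addresses
    t = teredo_address("192.0.2.2", "198.51.100.7", 40000)
    print(t, tunnel_endpoint(str(t)))
```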
Reflections

Reflections on MIPv6
- From 20 pages (1996) to 219 pages (2003)
  - Modified (IPSec, RA, RH2, DAD, ND)
  - New (MH, HAO, DHAAD, MPS)
- “Loose consensus and working code”
  - Good people all agree that spec looks okay
  - Try to implement: discover it isn’t okay
  - Compliance tests become definitive interpretation
  - Debate on IETF list: fight your corner
- Politics: choose IPSec if possible
  - Security based on IPSec AH didn’t scale.
- Editorial: riding the paper tiger
  - For use on corp nets? Carrier nets? Both?
  - Why must the home net exist?
  - Would tunnel be better than HAO + RH2?
  - Some want alternative to IPSec (Hot Topic)
  - What are the scenarios?

Deployment of IPv6
- Base specs in place and stable
- Production implementations
  - routers, BSD, Linux, Windows
- Demand from Far East, then Europe
- Recently mandated by U.S. DoD
- Time and $ to change and retest apps
  - Need apps that survive loss of IPv4
- Dominant in 10 years? Ever?
- Where are the production nets?
  - *not* tunnels or experimental

References
- http://www.ietf.org/
- http://www.uk.ipv6tf.org/
- http://www.microsoft.com/ipv6
- http://www.ipv6forum.com/
- http://www.ipv6tf.org/

Questions