IPv6 (modified version)

Download Report

Transcript IPv6 (modified version)

Internet Protocol Version 6
(IPv6)
國立清華大學資訊工程學系 黃能富教授
E-mail: [email protected]
國立清華大學資訊系黃能富教授
1
大綱





IPv6 Introduction
Routing and Addressing
Plug and Play
Security/QoS Supports
IPv4/Ipv6 Transition Mechanisms
國立清華大學資訊系黃能富教授
2
IPv6 Applications







Home Appliance Controllers
VoIP/Video Streaming
Remote Controllers
3G/4G
Games
Home Automation
Others
國立清華大學資訊系黃能富教授
3
IP位址需求無所不在
國立清華大學資訊系黃能富教授
4
The Design of IPv6





The Internet could not have been so successful in the
past years if IPv4 had contained any major flaw.
IPv4 was a very good design, and IPv6 should indeed
keep most of its characteristics.
It could have been sufficient to simply increase the
size of addresses and to keep everything else
unchanged.
However, 10 years of experience brought lessons.
IPv6 is built on this additional knowledge. It is not a
simple derivation of IPv4, but a definitive
improvement.
國立清華大學資訊系黃能富教授
5
IPv6
Header
Format
IPv6 Header
IPv4 Header
8
4
4
Version Prio
Payload Length
8
Flow Label
Next Header
8 位元
Hop Limit
Source IP address (128 位元)
Destination IP address (128 位元)
4
4
8
Version IHL
ToS
Identifier
Time to live
Protocol
3
位元
13
Total length
Flags
Fragment offset
Header checksum
Source IP address (32 bits)
Destination IP address (32 bits)
Options + Padding
Data (不固定長度)
國立清華大學資訊系黃能富教授
6
A Comparison of Two Headers



Six fields were suppressed:
– Header Length, Type of Service, Identification,
Flags, Fragment Offset, Header Checksum.
Three fields were renamed:
– Length, Protocol Type, Time to Live
The option mechanism was entirely revised.
– Source Routing
– Route Recording

Two new fields were added:
– Priority and Flow Label (to handle the realtime traffic).
國立清華大學資訊系黃能富教授
7
A Comparison of Two Headers

Three major simplifications
– Assign a fixed format to all headers
(40 bytes)
– Remove the header checksum
– Remove the hop-by-hop
segmentation procedure
國立清華大學資訊系黃能富教授
8
From Options to Extension Headers






Hop-by-Hop options header
Routing header
IPv6 Header
Next Header=TCP
Fragment header
Authentication header
Encrypted security payload
Destination options header
TCP Header
IPv6 Header
Next Header=
Routing
Routing Header
Next Header=
TCP
IPv6 Header
Next Header=
Routing
Routing Header Fragment Header Fragment of
Next Header=
Next Header=
TCP Header
Fragment
TCP
TCP Header
國立清華大學資訊系黃能富教授
9
Routing Header
Next
Header
Reserved
Routing Type Num address Next Addr
=0
<= 24
Strict/Loose bit mask
Address[0] (IPv6 address, 128 bits)
Address[1]
…
Address[Num Addrs -1]
國立清華大學資訊系黃能富教授
10
Fragment Header
Frame Length = 2800 octets
IPv6
header
fragment
header 1
First 1400 octets
IPv6
header
fragment
header 2
Last 1400 octets
Next Header
Reserved
Fragment Offset
Identifier
Res M More
國立清華大學資訊系黃能富教授
11
IPv6 Addressing


Three categories of IPv6 addresses:
– Unicast
– Multicast
– Anycast
Notation of IPv6 Addresses:
– Write 128 bits as eight 16-bit integers separated by
colons
– Example:
FEDC:BA98:7654:3210:FEDC:BA98:7654:3210
– A set of consecutive null 16-bit numbers can be
replaced by two colons
– Example: 1080:0:0:0:8:800:200C:417A =>
1080::8:800:200C:417A
國立清華大學資訊系黃能富教授
12
Addressing

Some Addresses formats
– Provider Addresses
– Link Local Addresses
– Site Local Addresses
– Multicast Addresses
– Anycast Addresses
H
H
H
LAN
Link
R
H
Link
LAN
H
LAN
R
Site
Link
Site
Internet
Site (公司或組織)
國立清華大學資訊系黃能富教授
13
Global Unicast Addresses
001
TLA
NLA*
public
topology
(45 bits)
SLA*
site
topology
(16 bits)
interface ID
interface
identifier
(64 bits)
TLA = Top-Level Aggregator
NLA* = Next-Level Aggregator(s)
SLA* = Site-Level Aggregator(s)
 all subfields variable-length, non-selfencoding (like CIDR)
 TLAs may be assigned to providers or
exchanges

國立清華大學資訊系黃能富教授
14
Link-Local及Site-Local位址
Link-local addresses for use during autoconfiguration and when no routers are
present:
0
1111111010
interface ID
Site-local addresses for independence from
changes of TLA / NLA*:
1111111011
0
SLA*
interface ID
國立清華大學資訊系黃能富教授
15
Interface IDs
Lowest-order 64-bit field of unicast address
may be assigned in several different ways:
auto-configured from a 64-bit EUI-64, or
expanded from a 48-bit MAC address (e.g.,
Ethernet address)
auto-generated pseudo-random number (to
address privacy concerns)
assigned via DHCP
manually configured
possibly other methods in the future
國立清華大學資訊系黃能富教授
16
The
Evolution
of ICMP

ICMP Type
1
2
3
4
128
129
130
131
132
133
134
135
136
137
Meaning
Destination Unreachable
Packet Too Big
Time Exceeded
Parameter Problem
Echo Request
Echo Reply
Group Membership Query
Group Membership Report
Group Membership Termination
Router Solicitation
Router Advertisement
Neighbor Solicitation
Neighbor Advertisement
Redirect
The ICMP for IPv4 was streamlined, and was made
more complete by incorporating the multicast control
functions of the IPv4 Group Membership Protocol.
國立清華大學資訊系黃能富教授
17
IPv6 Routing

As in IPv4, IPv6 supports IGP and EGP routing
protocols:
–IGP for within an autonomous system are
•RIPng (RFC 2080)
•OSPFv3 (RFC 2740)
•Integrated IS-ISv6 (draft-ietf-isis-ipv6-02.txt)
–EGP for peering between autonomous systems
•MP-BGP4 (RFC 2858 and RFC 2545)

BGP4+
–Added IPv6 address-family
–Added IPv6 transport
–Runs within the same process - only one AS supported
–All generic BGP functionality works as for IPv4
–Added functionality to route-maps and prefix-lists
國立清華大學資訊系黃能富教授
18
Plug-and-Play -- Auto-configuration




Autoconfiguration means that a computer will
automatically discover and register the
parameters that it needs to use in order to
connect to the Internet.
One should be able to change addresses
dynamically as one changes providers.
Addresses would be assigned to interfaces for a
limited lifetime.
Two modes for address configuration
– Stateless mode
– Stateful mode (using an IPv6 version of
DHCP)
國立清華大學資訊系黃能富教授
19
Link State Addresses



When an interface is initialized, the host
can build up a link local address for this
interface by concatenating the wellknown link local prefix and a unique
token (48-bit Ethernet address).
A typical link local address:
FE80:0:0:0:0:XXXX:XXXX:XXXX
Link local address can only be used on
the local link.
國立清華大學資訊系黃能富教授
20
Stateless Autoconfiguration






IPv6 nodes join the all nodes multicast group by
programming their interfaces to receive all the
packets for the address = FF02::1.
Send a solicitation message to the routers on
the link, using the all routers address, FF02::2.
Routers reply with a router advertisement
message.
Does not require any servers
Relatively inefficient use of the address space
Lack of network access control
國立清華大學資訊系黃能富教授
21
Plug-and-Play -Address Resolution


The neighbor discovery procedure offers the
functions of ARP as well as those of router
discovery. Defined as part of IPv6 ICMP.
Host maintains four separate caches:
– The destination’s cache.
– The neighbor’s cache.
– The prefix list.
– The router list.
國立清華大學資訊系黃能富教授
22
Destination’s Cache


The destination’s cache has an entry for
each destination address toward which
the host recently sent packets.
It associates the IPv6 address of the
destination with that of the neighbor
toward which the packets were sent.
Destination
IPv6 Address (To)
Neighbor
IPv6 Address (Via)
國立清華大學資訊系黃能富教授
23
Neighbor’s Cache


The neighbor’s cache has an entry for the
immediately adjacent neighbor to which
packets were recently relayed.
It associates the IPv6 address of that
neighbor with the corresponding media
address (MAC address).
Neighbor
IPv6 Address
Neighbor
MAC address
國立清華大學資訊系黃能富教授
24
Prefix List and Router List


The prefix list includes the prefixes that
have been recently learned from router
advertisements.
The router list includes the IPv6 addresses
of all routers from which advertisements
have recently been received.
國立清華大學資訊系黃能富教授
25
Basic Algorithm




To transmit a packet, the host must first find
out the next hop for the destination. The next
hop should be a neighbor directly connected
to the same link as the host.
In most cases, the neighbor address will be
found in the destination’s cache.
If not, the host will check whether one of the
cached prefixes matches the destination
address.
If this is the case, the destination is local, the
next hop is the destination itself.
國立清華大學資訊系黃能富教授
26
Basic Algorithm


Otherwise, the destination is probably remote.
A router should be selected from the router list
as the next hop.
Once the next hop has been determined, the
corresponding entry is added to the
destination’s cache, and the neighbor’s cache is
looked up to find the media address (MAC) of
that neighbor.
國立清華大學資訊系黃能富教授
27
Neighbor Solicitation and Neighbor
Advertisement messages (IPv6 MAC)



IPv6 source
address = link local
address of the
interface.
Hop count = 1.
IPv6 destination
address = solicited
node multicast
address, which is
formed by
cancatenating a
fixed 96-bit prefix,
FF02:0:0:0:0:1, and
the last 32 bits of
the node’s IPv6
address.
Type =135 Code = 0
Checksum
Reserved
Target address =
Solicited Neighbor Address (IPv6)
Options ... (Source link-level address)
Neighbor Solicitation
Type =136 Code = 0
R S
Checksum
Reserved
Target address
Options ... (Source link-level address)
Neighbor Advertisement
國立清華大學資訊系黃能富教授
28
Real-time Support and Flows



A flow is a sequence of packets sent from a particular
source to a particular (unicast or multicast)
destination for which the source desires special
handling by the intervening routers.
Flow label may be used together with routing header.
Supporting Reservations
– Real-time flows
– Using RSVP and Flows
QoS
R1
– Using Hop-by-Hop Options R2
R3
S
R4
Data
國立清華大學資訊系黃能富教授
29
Security
30
IPv6 Security
 All
implementations required to support
authentication and encryption headers
(“IPsec”)
 Authentication separates from encryption
for use in situations where encryption is
prohibited or prohibitively expensive
 Key distribution protocols
 Support for manual key configuration
required
國立清華大學資訊系黃能富教授
31
Authentication Header
Next Header
Hdr Ext Len
Reserved
Security Parameters Index (SPI)
Sequence Number
Authentication Data



Destination Address + SPI identifies security
association state (key, lifetime, algorithm, etc.)
Provides authentication and data integrity for all fields
of IPv6 packet that do not change en-route
Default algorithm is Keyed MD5
國立清華大學資訊系黃能富教授
32
Encapsulating Security Payload
(ESP)
Security Parameters Index (SPI)
Sequence Number
Payload
Padding
Padding Length Next Header
Authentication Data
國立清華大學資訊系黃能富教授
33
Migration from Ipv4 to Ipv6
34
IPv4-IPv6 Transition /Co-Existence
A wide range of techniques have been
identified and implemented, basically falling
into three categories:
 (1)Dual-stack techniques, to allow IPv4 and
IPv6 to co-exist in the same devices and
networks
 (2)Tunneling techniques, to avoid order
dependencies when upgrading hosts, routers, or
regions
 (3)Translation techniques, to allow IPv6-only
devices to communicate with IPv4-only devices
Expect all of these to be used, in combination
國立清華大學資訊系黃能富教授
35
Next Generation Transition
Dual Stack
NGTRANS
Tunneling
Translator
國立清華大學資訊系黃能富教授
36
Dual Stack

RFC 1933

NGTRANS draft :
Draft-ietf-ngtrans-dstm-07.txt
IPv6
IPv4/IPv6
Dual
Stack
Dual
Stack
AIIH
(DHCPv6,
DNS)
IPv4
Dual
Stack
國立清華大學資訊系黃能富教授
37
Dual Stack Approach
Application
TCP
UDP
TCP
UDP
IPv4
IPv6
IPv4
IPv6
0x0800
0x86dd
Data Link
(Ethernet)

IPv6-enable
Application
0x0800
0x86dd
Data Link
(Ethernet)
Frame
Protocol
ID
Dual stack node means:
–Both IPv4 and IPv6 stacks enabled
–Applications can talk to both
–Choice of the IP version is based on name lookup and
application preference
國立清華大學資訊系黃能富教授
38
Dual Stack Mechanisms

Simple dual stack
– Both IPv4 and IPv6 are directly supported

Dual Stack Transition Mechanism
(DSTM)
– Temporary IPv4 addresses are assigned
when communicating with an IPv4-only
host.
– Cooperation between DNS and DHCPv6
– Dynamic Tunnel Interface encapsulates
the IPv4 packets
國立清華大學資訊系黃能富教授
39
Dual Stack
RFC 1933 -- Transition Mechanisms for
IPv6 Hosts and Routers
NGTRANS draft :
–Draft-ietf-ngtrans-dstm-07.txt
40
RFC 1933
Applications
TCP/UDP
IPV4
Routing protocols
IPV6
TCP/UDP
Device Driver
IPV4
IPV6
Device Driver
V6
network
V4/V6
network
V4
network
國立清華大學資訊系黃能富教授
41
Dual Stack Transition Mechanism
(DSTM)
Draft–ietf–ngtrans–dstm-07
42
Dual Stack Transition Mechanism

What is it for?
– DSTM assures communication between IPv4
applications in IPv6 only networks and the rest of
the Internet.
?
IPv6 only
IPv4 only
IPv4 Applications
國立清華大學資訊系黃能富教授
43
DSTM
國立清華大學資訊系黃能富教授
44
DSTM: Principles


Assumes IPv4 and IPv6 stacks are available
on host
IPv4 stack is configured only when one or more
applications need it
– A temporal IPv4 address is given to the host

All IPv4 traffic coming from the host is tunneled
towards the DSTM gateway (IPv4 over IPv6).
– DSTM gw encapsulates/decapsulates packets
– Maintains an @v6  @v4 mapping table
國立清華大學資訊系黃能富教授
45
DSTM: How it works (v6  v4)
DNS
DSTM
DNS
C
B
A
DSTM
GW

In A, the v4 address of C is used by the application,
which sends v4 packet to the kernel

The interface asks DSTM Server for a v4 source address

DSTM server returns :
- A temporal IPv4 address for A
- IPv6 address of DSTM gateway
國立清華大學資訊系黃能富教授
46
DSTM: How it works (v6  v4)
DNS
A
DSTM
DNS
C
B
DSTM
GW
 A creates
the IPv4 packet (A4  C4)
 A tunnels the v4 packet to B using IPv6 (A6  B6)

B decapsulates the v4 packet and send it to C4

B keeps the mapping between A4  A6 in the routing table
國立清華大學資訊系黃能富教授
47
DSTM
國立清華大學資訊系黃能富教授
48
DSTM: Address Allocation

Manual
– host lifetime (no DSTM server)

Dynamic
– application lifetime
– 2 methods
• use DHCPv6
– DHCPv6 will not be ready soon !
• use RPC
– Easier, RPCv6 ready
– Works fine in v6  v4 case.
– Can be secure*
– Security Concerns
• Request for IPv4 address needs authentification
• Automatic @6  @4 mapping at gw, or configured by server?
國立清華大學資訊系黃能富教授
49
DSTM: Application
IPv4 Internet
tunnel to 6bone
6to4 tunnels
NFS
v6
v6
client
web
v6
client
pop
v6
routers
IPv6
sites
ALG
client
v6
routers
v6
DSTM
IPv6 site
國立清華大學資訊系黃能富教授
50
DSTM vs. NAT-PT

NAT-PT has the same problems as NAT:
– Translation sometimes complex (Ex. FTP)
– NAT box may need to be configured for
every new application.
– NAT-PT supposes v6fied applications
• This is not the case!
• In DSTM, applications can send IPv4 packets
to the kernel.
國立清華大學資訊系黃能富教授
51
Tunneling

RFC 2529
IPv6

6over4
IPv6
RFC 3056
IPv6

IPv4
IPv4
6to4
IPv6
RFC 3053
IPv4/
IPv6
IPv4
Tunnel Broker
IPv6
國立清華大學資訊系黃能富教授
52
Using Tunnels for IPv6 Deployment
 Many
techniques are available to
establish a tunnel:
–Manually configured
•Manual Tunnel (RFC 2893)
•GRE (RFC 2473)
–Semi-automated
•Tunnel broker
–Automatic
•Compatible IPv4 (RFC 2893)
•6to4 (RFC 3056)
•6over4
•ISATAP
國立清華大學資訊系黃能富教授
53
Tunneling
RFC
1933
RFC 2529
RFC 3053
RFC 3056
Draft-ietf-ngtrans-isatap-04.txt
54
RFC 1933
Transition Mechanisms for IPv6
Hosts and Routers
55
RFC1933

Configured tunnels
– Connects IPv6 hosts or networks over an
existing IPv4 infrastructure
– Generally used between sites exchanging
traffic regularly

Automatic tunnels
– Tunnel is created then removed after use
– Requires IPv4 compatible addresses
國立清華大學資訊系黃能富教授
56
Configured Tunnel




Mechanism to carry IPv6 packets over IPv4
infrastructure
Encapsulate IPv6 in IPv4
Tunnel endpoints are explicitly configured
 All IPv6 implementations support this
Tunnel endpoints must be dual stack nodes
 The IPv4 address is the endpoint for the
tunnel
Routing protocols
TCP/UDP
IPV4
IPV6
Device Driver
國立清華大學資訊系黃能富教授
57
Configured Tunnel
IPv4 Networks
IPv6 Island
IPv4 Tunnel
Dual-stack
node
IPv6 H
Payload
IPv4 H
IPv6 H
IPv6 Island
Dual-stack
node
Payload
IPv6 H
Payload
國立清華大學資訊系黃能富教授
58
Automatic Tunnel

Node is assigned an IPv4 compatible
address
– ::140.114.1.101

If destination is an IPv4 compatible
address, automatic tunneling is used
(tunneling to destination)
– Routing table redirects ::/96 to automatic
tunnel interface
0000 . . . . . . . . 0000
80
0000
16
IPv4 address
32
國立清華大學資訊系黃能富教授
59
Automatic Tunnel
0:0:0:0:0:0
IPv6 Island
IPv4 Address
Dual-stack
node
Dual-stack
node
IPv4 Internet
IPv6 H
Payload
IPv4 H
IPv6 H
Payload
國立清華大學資訊系黃能富教授
60
IPv6 Tunnel Broker
RFC 3053
61
Motivation

IPv6 tunneling over the internet requires heavy
manual configuration
– Network administrators are faced with overwhelming
management load
– Getting connected to the IPv6 world is not an easy task for
IPv6 beginners

The Tunnel Broker approach is an opportunity
to solve the problem
– The basic idea is to provide tunnel broker servers to
automatically manage tunnel requests coming from the users

Benefits
– Stimulate the growth of IPv6 interconnected hosts
– Allow to early IPv6 network providers the provision of easy
access to their IPv6 networks
國立清華大學資訊系黃能富教授
62
Tunnel broker

Tunnel broker automatically manages tunnel
requests coming from the users
– The Tunnel Broker fits well for small isolated IPv6
sites, especially isolated IPv6 hosts on the IPv4
Internet



Client node must be dual stack (IPv4/IPv6)
The client IPv4 address must be globally
routable (no NAT)
RFC 3053
國立清華大學資訊系黃能富教授
63
Tunnel broker
DNS
伺服器
(3)
使用者
(2)
(1)
隧道代理
(4)
IPv6 over IPv4 隧道
隧道終點
隧道伺服器
IPv6 Island
IPv6
隧道終點
IPv4網路
國立清華大學資訊系黃能富教授
64
Tunnel broker architecture
國立清華大學資訊系黃能富教授
65
How does it work?(1)
國立清華大學資訊系黃能富教授
66
How does it work?(2)
國立清華大學資訊系黃能富教授
67
Translator

RFC 2765;RFC 2766
IPv6


NATPT
SIIT
IPv4
RFC 2767
IPv4 Apps
IPv4 Apps
BITS
BITS
IPv6 Stack
IPv6 Stack
RFC 3089;RFC 3142
IPv6
Host
Socks-Gateway
TCPUDP-Relay
IPv6
IPv4
IPv4
Host
國立清華大學資訊系黃能富教授
68
IPv6/Ipv4 Translator
RFC
2765
RFC 2766
RFC 2767
RFC 3089
RFC 3142
69
Stateless IP/ICMP Translation
algorithm (SIIT)
RFC 2765
70
SIIT
國立清華大學資訊系黃能富教授
71
SIIT


Suppress the v4 stack
Translate the v6 header into a v4 header
on some point of the network
– Routing can direct packet to those
translation points.


Translate ICMP from both worlds
No State in translators ( NAT)
國立清華大學資訊系黃能富教授
72
SIIT
SIIT
IPv4 network
IPv4 host
IPv6 host
Pool of IPv4 addresses
Using SIIT for a single
IPv6-only subnet
國立清華大學資訊系黃能富教授
73
SIIT
Dual network
SIIT
IPv6 host
IPv4 network
IPv4 host
Pool of IPv4 addresses
Using SIIT for an IPv6-only or dual cloud which
contains some IPv6-only hosts as well as IPv4
hosts
國立清華大學資訊系黃能富教授
74
SIIT



Suitable for use when IPv6 side has no IPv4,
for instance, for embedded systems with stack
on chip.
Ipv6 side uses special, “translatable” addresses,
which preserve TCP/UDP checksum value
Translatable source address is received by the
IPv6 node from a shared pool ; translatable
destination address is made from IPv4 DNS
entry
國立清華大學資訊系黃能富教授
75
RFC 2766
Network Address Translation –
Protocol Translation (NAT-PT)
76
NAT-PT
NAT-PT:
•stands for Network Address Translation-Protocol Translation.
•translates IP address between IPv4(32bits) and IPv6(128bits).
•uses a pool of IPv4 addresses and ports.
•composes and manages a mapping table (IPv4 and IPv6)
•is similar to NAT in IPv4 network.
SIIT:
• stands for Stateless IP/ICMP Translation Algorithm.
• translates between IPv4 and IPv6 packet headers (including
ICMP headers) in separate translator boxes in the network
without requiring any per-connection state in those boxes.
• can be used as part of a solution that allows IPv6 hosts,which do
not have a permanently assigned IPv4 addresses, to
communicate with IPv4-only hosts.
國立清華大學資訊系黃能富教授
77
NAT-PT
IPv4 packet
129.254.165.141
203.243.253.15
32bits
DATA
32bits
Mapping table
Pool of address
NAT-PT
IPv6 packet
2001:203:201:200:ae01:ff10:2ecd:3ffe
2001:203:201:1:3f1e:2ea2:ff10:2f3c
128bits
128bits
IPv4 header
Ver
ICMPv4 header
HDle
TOS
n
Identification
TTL
Total len
Fragment offset
flag
Protocol
Type
checksum
Next
Header44
Payload Length
checksum
ICMPv6 header
Flow Label
Traffic Class
Code
SIIT
IPv6 header
Ver
DATA
Type
Hop Limit
Code
checksum
IPv6 fragment header
Next Header
Reserved
Fragment Offset
Res
M
Identification
國立清華大學資訊系黃能富教授
78
Configuration Requirements
TRANSLATOR
DNSv6 Server
6
4
IPv4 Host
IPv6 Server
Local area
IPv4 INTERNET
IPv6 Host
IPv6 Intranet
Tunneling path
 Network Configuration Requirements
 IPv4 Interface (eth0)
 IPv6 Interface (eth1)
 IPv6 Intranet Network Prefix(::/96)
 Default outbound IPv6 Gateway
 Pool of IPv4 addresses and ports
 Static mapping for DNS server
 Support tunneling path(not yet)
Dual stack
Host
IPv6 Host
IPv6 Intranet
國立清華大學資訊系黃能富教授
79
Configuration requirements
System Requirements
• NAT-PT must be border router between onlyIPv4-network and only-IPv6-network.
• It is mandatory that all requests and responses
pertaining to a session be routed via the same
NAT-PT router.
• NAT-PT does not apply to packets originating
from or directed to dual-stack nodes that do not
require packet translation.
• End-to-end network layer security is not possible.
國立清華大學資訊系黃能富教授
80
Address Translation (IPv4 -> IPv6)
DNS(v4)
129.254.15.15
IPv4
DA:2001:230::2
SA:aaaa::129.254.15.15
DA:132.146.134.184
SA:129.254.15.15
DNS response
resource data(132.146.134.180)
TRANSLATOR
resource data
(2001:230::1)
prefix aaaa::/96
DNS(v6)
2001:230::2
IPv6
v6.opicom.co.kr ?
DA:132.146.134.180
SA:129.254.165.141
v4.etri.re.kr
129.254.165.141
DA is changed to mappied address
SA is added and removed prefix/96
DNS static Mapping
132.146.134.184
132.146.134.180
0001
132.146.134.181
0002
DA:2001:230::1
SA:aaaa::129.254.165.141
v6.opicom.co.kr
2001:230::1
2001:230::2
Mapping table
132.146.134.180
2001:230::1
POOL of IPv4 ADDRESS
After mapping is verified either it is existed or not,
DNS-ALG makes the mapping table of IPv4 inside resource data
國立清華大學資訊系黃能富教授
81
NAT-PT operations with DNS-ALG
(IPv4IPv6)
3FFE:3600:B::3
ipv6DNS.cs.nthu.edu.tw
IPv6
DNS
(3)
A6
140.114.78.1
ipv4DNS.cs.nthu.edu.tw
(4) A6
(5)
NAT-PT
3FFE:3600:B::2
ipv6.cs.nthu.edu.tw
IPv4 address pool
140.114.78.51
140.114.78.52
140.114.78.53
140.114.78.54
140.114.78.55
:
:
:
(6)
A
Address allocation and create
address mapping
(7)
IPv6
host
(2)
A
DNS-ALG
(8)
V4 address
pool
IPv6 <-> IPv4 Address Mapping Table
3FFE:3600:B::2 <-> 140.114.78.51
:
:
:
:
IPv4
DNS
(1)
IPv4
Host
140.114.78.58
ipv4.cs.nthu.edu.tw
Final Result
IPv4 Host think it’s communicating
with 140.114.78.51
IPv6 Host think it’s communicating
with 3FFE:3600:b::140.114.78.58
國立清華大學資訊系黃能富教授
82
Address Translation (IPv6 -> IPv4)
DA:129.254.15.15
SA:132.146.134.184
DNS(v4)
129.254.15.15
resource data
(129.254.165.141)
DA:aaaa::129.254.15.15
SA:2001:230::2
TRANSLATOR
prefix aaaa::/96
resource data
(aaaa::129.254.165.141)
IPv4
DNS(v6)
2001:230::2
v4.etri.re.kr ?
DA:129.254.165.141
SA:132.146.134.180
SA is changed to mappied address
DA is added and removed prefix/96
IPv6
DA:aaaa::129.254.165.141
SA:2001:230::1
v6.opicom.co.kr
2001:230::1
v4.etri.re.kr
129.254.165.141
132.146.134.184
132.146.134.180
0001
132.146.134.181
0002
POOL of IPv4 ADDRESS
2001:230::2
DNS static Mapping
132.146.134.180
2001:230::1
Mapping table
After mapping is verified either it is existed or not,
NAT-PT makes the mapping table of IPv6 source address
國立清華大學資訊系黃能富教授
83
NAT-PT operations with DNS-ALG
(IPv6IPv4)
3FFE:3600:B::3
ipv6DNS.cs.nthu.edu.tw
IPv6
DNS
A6
(2)
(6) A6
(1)
(7)
IPv6
host
3FFE:3600:B::2
ipv6.cs.nthu.edu.tw
140.114.78.1
ipv4DNS.cs.nthu.edu.tw
DNS-ALG
(3) A
A
(4)
Address allocation(get IPv6
prefix) (5)
NAT-PT
(9)
IPv4
Host
(8)
V4 address
pool
IPv6 <-> IPv4 Address Mapping Table
140.114.78.51
140.114.78.52
140.114.78.53
140.114.78.54
140.114.78.55
:
:
:
IPv4
DNS
3FFE:3600:B::2 <-> 140.114.78.51
:
:
:
:
140.114.78.58
ipv4.cs.nthu.edu.tw
Final Result
IPv6 Host think it’s communicating
with 3FFE:3600:b::140.114.78.58
IPv4 Host think it’s communicating
with 140.114.78.51
國立清華大學資訊系黃能富教授
84
Implementation
• IPv4/IPv6 Translation Features
• can translate IPv4/IPv6 Header,Protocol.
• support NAT-PT & SIIT
• is bi-direction between IPv4 and IPv6.
DNS- FTP…..
• uses pool of addresses and ports.
ALG ALG
• support DNS-ALG & FTP-ALG.
• support Translation Manager.
socket
• Switch NAT-PT to NAPT-PT.
TCP/UDP
• Basic network tools support
IPv6/IPv4 Translation Manager
• netstat, ifconfig, route, etc.
NA(P)T
(PT)
-PT
• ping6, telnet6, ftp6, etc.
SIIT
IPv6/IPv4
mapping
• Embedded Linux kernel 2.4.4
IPv6 table
IPv4
Addr. Pool
(IPv4)
NIC(eth1)
NIC(eth0)
國立清華大學資訊系黃能富教授
85
Trend and Plan
Today
ROUTER
ROUTER
IPv4 INTERNET
OCEAN
NAT
Give me
address
There are all IPv4 ISLAND
IPv4 connection
IPv6 connection
國立清華大學資訊系黃能富教授
86
Trend and Plan
TRANSLATOR
Tomorrow
TRANSLATOR
IPv4 INTERNET
OCEAN
TRANSLATOR
There are some IPv6 ISLAND
IPv4 connection
IPv6 connection
國立清華大學資訊系黃能富教授
87
Trend and Plan
The day after tomorrow
TRANSLATOR
TRANSLATOR
IPv6 INTERNET
OCEAN
Translator is still there
TRANSLATOR
There are some IPv4 ISLAND
IPv4 connection
IPv6connection
國立清華大學資訊系黃能富教授
88