IPv6 Technical Training, General Course -- How the IPv6 Protocol Works and Its Applications
Distinguished Professor Nen-Fu Huang, Department of Computer Science, National Tsing Hua University. E-mail: [email protected]
All rights reserved. No part of this publication and file may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of Professor Nen-Fu Huang (E-mail: [email protected]).

Outline
Introduction to the IPv6 protocol
IPv6 Routing and IPv6 Addressing
IPv6 Plug-and-Play Feature
IPv6 Security/QoS Support
IPv4-to-IPv6 Transition Mechanisms
IPv6 status and development trends in Taiwan and abroad
IPv6 Protocol and Applications - 2
IPv6 Applications
Home appliance controllers, VoIP/video streaming, remote controllers, 3G/4G/5G Internet, on-line games, home automation, sensors and sensor networks, Internet of Things (IoT), Machine-to-Machine (M2M), and others.

IP addresses are needed everywhere
IPv6 Design Philosophy
The Internet could not have been so successful in the past years if IPv4 had contained any major flaw. IPv4 was a very good design, and IPv6 should indeed keep most of its characteristics. Should we simply increase the size of addresses and keep everything else unchanged? No: 20 years of experience brought lessons. IPv6 is not a simple derivation of IPv4 but a definitive improvement.
IPv6 Header Format
Field                    Bits
Version                  4
Prio                     4
Flow Label               24
Payload Length           16
Next Header              8
Hop Limit                8
Source IP address        128
Destination IP address   128
The header is a fixed 40 bytes. The 4-bit Prio / 24-bit Flow Label split shown here is the RFC 1883 layout used throughout these slides; RFC 2460 (now RFC 8200) replaced it with an 8-bit Traffic Class and a 20-bit Flow Label, which is what you will see on the wire today.
IPv4 Header Format (bit positions 0, 3, 8, 15, 19, 31 mark the field boundaries)
Version (4) | IHL (4) | Type of Service (8) | Total Length (16)
Identification (16) | Flags (3) | Fragment Offset (13)
Time to Live (8) | Protocol (8) | Header Checksum (16)
Source IP Address (32)
Destination IP Address (32)
Options + Padding
Data
A Comparison of Two Headers
Six fields were suppressed: Header Length, Type of Service, Identification, Flags, Fragment Offset, Header Checksum.
Three fields were renamed: Total Length became Payload Length, Protocol became Next Header, Time to Live became Hop Limit.
The option mechanism was entirely revised (options such as Source Routing and Route Recording moved into extension headers).
Two new fields were added: Priority and Flow Label (for real-time traffic).

A Comparison of Two Headers
Three major simplifications:
Assign a fixed format to all headers (40 bytes).
Remove the header checksum (the link layer and the transport layer already checksum the data; the transport checksum in IPv6 covers a pseudo-header with both addresses, so it is mandatory even for UDP).
Remove the hop-by-hop segmentation procedure: routers never fragment an IPv6 packet, only the source does.
IPv6 協議與應用 - 9 From Options to Extension Headers
Hop-by-Hop options header Routing header Fragment header Authentication header Encrypted security payload Destination options header
IPv6 協議與應用 - 10 From Options to Extension Headers
IPv6 Header Next Header = TCP Header TCP
IPv6 Header Routing Header Next Header = Next Header = TCP Header Routing TCP
IPv6 Header Routing Header Fragment Header Next Header = Next Header = Next Header = TCP Header Routing Fragment TCP
Routing Header (Type 0)
Next Header (8) | Routing Type = 0 (8) | Num Addrs (8, at most 24) | Next Addr (8)
Reserved (8) | Strict/Loose bit mask (24)
Address[0] (IPv6 address, 128 bits)
Address[1]
...
Address[Num Addrs - 1]
The field names above are from the early drafts; RFC 2460 calls them Hdr Ext Len and Segments Left. The Type 0 Routing Header was deprecated by RFC 5095: a sender could list two addresses many times over so that one packet ping-pongs between those hosts, amplifying traffic on the path, and RFC 5095 requires nodes to drop packets carrying it.
Fragment Header
Example: a 2800-octet packet sent as two fragments:
IPv6 header | Fragment header 1 | first 1400 octets
IPv6 header | Fragment header 2 | last 1400 octets
Fragment header layout: Next Header (8) | Reserved (8) | Fragment Offset (13) | Res (2) | M, More Fragments (1) | Identification (32)
Only the source fragments; intermediate routers reply with ICMPv6 Packet Too Big instead, so the source either runs path MTU discovery or stays at the 1280-octet minimum MTU that every IPv6 link must support.
IPv6 Addressing
Three categories of IPv6 addresses: Unicast, Multicast, Anycast.
Notation of IPv6 addresses: write the 128 bits as eight 16-bit integers, in hexadecimal, separated by colons. Examples:
FEDC:BA98:7654:3210:FEDC:BA98:7654:3210
1080:0:0:0:8:800:200C:417A

IPv6 Addressing Examples
A run of consecutive 16-bit zero fields can be replaced by two colons, but only once in an address, otherwise the reader could not tell how many zero fields each "::" stands for:
1080:0:0:0:8:800:200C:417A => 1080::8:800:200C:417A
1080:0:0:0:8:0:0:417A => 1080::8:0:0:417A (1080::8::417A is not allowed)
IPv6 Addressing
[Figure: a site (a company or organization) with hosts (H) on LANs, routers (R) connecting links, and the Internet beyond the site, illustrating where each address type applies.]
Some address formats: Provider (global unicast) addresses; Link-local addresses (valid on one link); Site-local addresses (valid within one site); Multicast addresses; Anycast addresses.
Global Unicast Addresses
001 (3 bits) | TLA | NLA* | SLA* | Interface ID
Public topology (45 bits) | Site topology (16 bits) | Interface identifier (64 bits)
TLA = Top-Level Aggregator; NLA* = Next-Level Aggregator(s); SLA* = Site-Level Aggregator(s); all subfields are variable-length (like CIDR); TLAs may be assigned to providers or exchanges.
This is the RFC 2374 aggregatable format. RFC 3587 dropped the TLA/NLA/SLA structure: today a global unicast address is simply a 45-bit global routing prefix under 2000::/3, a 16-bit subnet ID and a 64-bit interface ID, with the boundaries set by allocation policy rather than by the address format.
Link-Local and Site-Local Addresses
Link-local addresses, for use during auto-configuration and when no routers are present:
1111111010 (10 bits) | 0 (54 bits) | Interface ID (64 bits), i.e. FE80::/10
Site-local addresses, for independence from changes of TLA / NLA*:
1111111011 (10 bits) | 0 (38 bits) | SLA* (16 bits) | Interface ID (64 bits), i.e. FEC0::/10
Site-local addresses were deprecated by RFC 3879 because their ambiguity across sites caused routing and application problems; Unique Local Addresses (FC00::/7, RFC 4193) replace them.
Interface IDs
The lowest-order 64-bit field of a unicast address may be assigned in several different ways:
auto-configured from a 64-bit EUI-64, or expanded from a 48-bit MAC address (e.g., an Ethernet address);
an auto-generated pseudo-random number (to address privacy concerns: a MAC-derived ID lets a host be tracked across networks, which the RFC 4941 privacy extensions avoid);
assigned via DHCP;
manually configured;
possibly other methods in the future.
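The address-notation rule (a single "::") from the addressing slides and the MAC-to-interface-ID expansion just described, as an added Python example that is not part of the course slides. It uses only the standard ipaddress module; the MAC 00:90:27:17:fc:0f is a constructed sample value, not one from the deck.

```python
import ipaddress


def is_valid_ipv6_literal(text):
    """True if text is a well-formed IPv6 literal. Besides what the library
    checks, enforce the notation rule from the slides explicitly: '::' may
    appear only once, because a second one makes the zero-field count ambiguous."""
    if text.count("::") > 1:
        return False
    try:
        ipaddress.IPv6Address(text)
        return True
    except ValueError:
        return False


def canonical_ipv6(text):
    """Compressed (RFC 5952) form, e.g. 1080:0:0:0:8:800:200C:417A -> 1080::8:800:200c:417a."""
    if not is_valid_ipv6_literal(text):
        raise ValueError("not a valid IPv6 literal: %s" % text)
    return str(ipaddress.IPv6Address(text))


def mac_to_modified_eui64(mac):
    """Expand a 48-bit MAC into the 64-bit modified EUI-64 interface ID (RFC 4291,
    Appendix A): insert 0xFFFE between the OUI and the device part, then invert
    the universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits: %s" % mac)
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui[0] ^ 0x02]) + eui[1:]


def link_local_from_mac(mac):
    """fe80::/64 followed by the modified EUI-64 interface ID, as a stateless node forms it."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + mac_to_modified_eui64(mac))


def mac_from_address(addr):
    """Inverse mapping: the MAC if the interface ID is EUI-64 derived (FF:FE marker
    present), else None. This is exactly the tracking problem the privacy
    extensions address: an EUI-64 address reveals the hardware address."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % b for b in mac)


if __name__ == "__main__":
    mac = "00:90:27:17:fc:0f"  # constructed sample MAC, not from the slides
    addr = link_local_from_mac(mac)
    print(addr, "->", mac_from_address(addr))
    print(canonical_ipv6("1080:0:0:0:8:0:0:417A"), is_valid_ipv6_literal("1080::8::417A"))
```

Running it prints fe80::290:27ff:fe17:fc0f and recovers the MAC from it; a privacy or DHCPv6 address such as fe80::1 yields None, which is the whole point of not using EUI-64 on hosts that should not be trackable.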
IPv6 Address Space (initial allocation, RFC 1884)
Allocation                               Prefix (binary)   Fraction of address space
Reserved                                 0000 0000         1/256
Unassigned                               0000 0001         1/256
Reserved for NSAP Allocation             0000 001          1/128
Reserved for IPX Allocation              0000 010          1/128
Unassigned                               0000 011          1/128
Unassigned                               0000 1            1/32
Unassigned                               0001              1/16
Unassigned                               001               1/8
Provider-Based Unicast Address           010               1/8
Unassigned                               011               1/8
Reserved for Geographic-Based Unicast    100               1/8
Unassigned                               101               1/8
Unassigned                               110               1/8
Unassigned                               1110              1/16
Unassigned                               1111 0            1/32
Unassigned                               1111 10           1/64
Unassigned                               1111 110          1/128
Unassigned                               1111 1110 0       1/512
Link Local Use Addresses                 1111 1110 10      1/1024
Site Local Use Addresses                 1111 1110 11      1/1024
Multicast Addresses                      1111 1111         1/256
Since RFC 2373 (and RFC 4291 today) global unicast is allocated from the 001 block (2000::/3); the provider-based 010 block and the NSAP/IPX reservations were dropped.
The Evolution of ICMP
ICMPv6 message types:
Type   Meaning
1      Destination Unreachable
2      Packet Too Big
3      Time Exceeded
4      Parameter Problem
128    Echo Request
129    Echo Reply
130    Group Membership Query
131    Group Membership Report
132    Group Membership Termination
133    Router Solicitation
134    Router Advertisement
135    Neighbor Solicitation
136    Neighbor Advertisement
137    Redirect
ICMPv6 is more complete than ICMP for IPv4: it absorbs the multicast control functions of the IPv4 Internet Group Management Protocol (IGMP) as types 130-132, now called Multicast Listener Discovery (MLD), and the address-resolution and router-discovery functions of ARP and ICMP Router Discovery as types 133-137 (Neighbor Discovery). Because so much of IPv6 depends on ICMPv6, it cannot be blocked wholesale the way ICMPv4 often is; RFC 4890 lists which types a firewall must let through.
IPv6 Routing
As in IPv4, IPv6 supports IGP and EGP routing protocols:
IGP (Interior Gateway Protocol), within an autonomous system (AS): RIPng (RFC 2080), OSPFv3 (RFC 2740, since replaced by RFC 5340), Integrated IS-IS for IPv6 (draft-ietf-isis-ipv6-02.txt, later RFC 5308).
EGP (Exterior Gateway Protocol), for peering between autonomous systems (ASs): MP-BGP4 (RFC 2858, now RFC 4760, and RFC 2545).

IPv6 Routing
BGP4+:
Added the IPv6 address family.
Added IPv6 transport.
Runs within the same process: only one AS supported.
All generic BGP functionality works as for IPv4.
Added functionality to route-maps and prefix-lists.
Plug-and-Play -- Auto-configuration
Auto-configuration means that a computer will automatically discover and register the parameters that it needs in order to connect to the Internet. One should be able to change IPv6 addresses dynamically as one changes ISPs: addresses are assigned to interfaces for a limited lifetime.
Two modes of address configuration: stateless mode, and stateful mode (using DHCPv6).

Link-Local Addresses
When an interface is initialized, the host can build a link-local address for it by concatenating the well-known link-local prefix and a unique token. The slide uses the 48-bit Ethernet address as the token, giving a typical link-local address FE80:0:0:0:0:XXXX:XXXX:XXXX; the current rule (RFC 4291) uses a 64-bit interface ID, e.g. FE80::XXXX:XXFF:FEXX:XXXX when derived from the MAC.
A link-local address can only be used on the local link.

Stateless Autoconfiguration
IPv6 nodes join the all-nodes multicast group by programming their interfaces to receive all packets for the address FF02::1.
A node sends a Router Solicitation to the routers on the link, using the all-routers address FF02::2.
Routers reply with a Router Advertisement message carrying the prefixes to use.
No server is required.
Nothing authenticates a Router Advertisement: any node on the link can advertise itself as the default router or hand out a bogus prefix (the rogue-RA problem, RFC 6104). Switch-level RA Guard (RFC 6105) or SEND (RFC 3971) are the usual mitigations.
Plug-and-Play -- Address Resolution
The neighbor discovery procedure offers the functions of ARP (IPv6 address to MAC address) and router discovery. It is defined as part of ICMPv6. A host maintains four separate caches: the destination cache, the neighbor cache, the prefix list, and the router list.

Destination Cache
The destination cache has an entry for each destination address toward which the host recently sent packets. It associates the IPv6 address of the destination with that of the neighbor toward which the packets were sent.
Destination IPv6 address (To) | Neighbor IPv6 address (Via)

Neighbor Cache (IP/MAC)
The neighbor cache has an entry for each immediately adjacent neighbor to which packets were recently relayed. It associates the IPv6 address of that neighbor with the corresponding MAC address (48 bits).
Neighbor IPv6 address | Neighbor MAC address

Prefix List and Router List
The prefix list holds the prefixes recently learned from router advertisements. The router list holds the IPv6 addresses of all routers from which advertisements have recently been received.

Basic Algorithm to Transmit a Packet
To transmit a packet, the host must first find the next hop for the destination. The next hop must be a neighbor directly connected to the same link as the host. In most cases the neighbor address is found in the destination cache. If not, the host checks whether one of the cached prefixes matches the destination address. If yes, the destination is local and the next hop is the destination itself (both sides are on the same subnet and can send to each other directly).

Basic Algorithm
Otherwise, the destination is probably remote, and a router is selected from the router list as the next hop (the two sides are on different subnets, so packets must go through a router). The corresponding entry for the next hop is added to the destination cache (update), and the neighbor cache is looked up (query) to find the MAC address of that neighbor.
Neighbor Solicitation and Neighbor Advertisement messages (IPv6 address to MAC address)
IPv6 source address = link-local address of the interface.
Hop Limit = 255, not 1: RFC 4861 requires every Neighbor Discovery message to be sent with Hop Limit 255 and requires receivers to discard any ND message whose Hop Limit is lower, because a packet that has crossed even one router cannot still carry 255. This is what keeps off-link attackers from forging NS/NA messages; on-link spoofing (the IPv6 counterpart of ARP poisoning) remains possible without SEND (RFC 3971).
IPv6 destination address = the solicited-node multicast address of the target. The slide forms it by concatenating the 96-bit prefix FF02:0:0:0:0:1 and the last 32 bits of the target address (the original RFC 1970 rule); RFC 2461/4861 narrowed this to the 104-bit prefix FF02:0:0:0:0:1:FF00::/104 plus the last 24 bits, so the target 2001:DB8::1234:5678 is solicited at FF02::1:FF34:5678.

Neighbor Solicitation (type 135)
Type = 135 (8) | Code = 0 (8) | Checksum (16)
Reserved (32)
Target address = the IPv6 address being resolved (128)
Options ... (Source link-layer address)

Neighbor Advertisement (type 136)
Type = 136 (8) | Code = 0 (8) | Checksum (16)
R | S | O | Reserved (29)
Target address (128)
Options ... (Target link-layer address; the slide labels it source link-level address)
The R flag marks the sender as a router, S that the advertisement answers a solicitation, and O that the carried link-layer address may override a cached one.
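The Neighbor Solicitation described above, built and validated in Python as an added example (it is not from the slides, and no packet is sent on the wire). The link-local addresses and the MAC are constructed sample values; the solicited-node rule, the pseudo-header checksum and the receiver checks follow RFC 4861.

```python
import ipaddress
import struct

ICMPV6 = 58
ND_NEIGHBOR_SOLICITATION = 135


def solicited_node_multicast(target):
    """FF02::1:FFxx:xxxx: the fixed 104-bit prefix FF02:0:0:0:0:1:FF00::/104
    followed by the low-order 24 bits of the target address (RFC 4861)."""
    t = ipaddress.IPv6Address(target).packed
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + t[13:])


def ones_complement_sum(data):
    """Internet checksum (RFC 1071) over data, zero-padded to 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmpv6_checksum(src, dst, message):
    """ICMPv6 checksum covers a pseudo-header (src, dst, upper-layer length,
    next header = 58) plus the message; unlike ICMPv4 it binds the addresses."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(message), ICMPV6))
    return ones_complement_sum(pseudo + message)


def build_neighbor_solicitation(src_link_local, target, src_mac):
    """Return (destination address, ICMPv6 bytes) for an NS asking 'who has target?'."""
    dst = solicited_node_multicast(target)
    msg = struct.pack("!BBHI", ND_NEIGHBOR_SOLICITATION, 0, 0, 0)  # type, code, checksum=0, reserved
    msg += ipaddress.IPv6Address(target).packed                   # Target Address
    # Source Link-Layer Address option: type 1, length 1 (8 octets), 6-byte MAC
    msg += struct.pack("!BB", 1, 1) + bytes.fromhex(src_mac.replace(":", ""))
    csum = icmpv6_checksum(src_link_local, dst, msg)
    return dst, msg[:2] + struct.pack("!H", csum) + msg[4:]


def validate_neighbor_solicitation(src, dst, hop_limit, msg):
    """Receiver checks (RFC 4861 section 7.1.1). The Hop Limit == 255 test is the
    security-relevant one: a packet that crossed any router cannot still carry
    255, so off-link attackers cannot inject NS/NA messages."""
    if hop_limit != 255:
        return False, "hop limit is not 255 (forwarded or forged off-link)"
    if len(msg) < 24 or msg[0] != ND_NEIGHBOR_SOLICITATION or msg[1] != 0:
        return False, "not a well-formed NS"
    if icmpv6_checksum(src, dst, msg) != 0:  # a message with a valid checksum sums to zero
        return False, "bad ICMPv6 checksum"
    if ipaddress.IPv6Address(msg[8:24]).is_multicast:
        return False, "target must not be multicast"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values, not from the slides.
    dst, msg = build_neighbor_solicitation("fe80::1", "fe80::290:27ff:fe17:fc0f", "00:90:27:17:fc:0f")
    print("send to", dst, "bytes:", msg.hex())
    print(validate_neighbor_solicitation("fe80::1", dst, 255, msg))
    print(validate_neighbor_solicitation("fe80::1", dst, 1, msg))
```

The same message with Hop Limit 1, as the original slide states it, is rejected by every conforming receiver; this is the cheap, stateless check that makes the link-local scope of Neighbor Discovery enforceable.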
IPv6 Flows and Flow Label
A flow is a sequence of packets sent from a particular source to a particular destination (unicast or multicast). Each flow can have a Flow Label (24 bits in the RFC 1883 header used on these slides; 20 bits since RFC 2460, with its use specified in RFC 6437). The flow label may be used together with the routing header.
(The IPv6 header is shown again here: Version (4) | Prio (4) | Flow Label (24) | Payload Length (16) | Next Header (8) | Hop Limit (8) | Source IP address (128) | Destination IP address (128).)
IPv6 Real-time Support
Supporting reservations for real-time flows; using RSVP and flows; using Hop-by-Hop options.
[Figure: QoS in an IPv6 router: Flow1 to Flow5 enter a scheduler (S) that decides their service order.]

IPv6 Security
IPv6 Security Support: all IPv6 implementations were required to support the authentication and encryption headers ("IPsec"). (RFC 6434 later relaxed this requirement from MUST to SHOULD, so do not assume that a given IPv6 stack ships with IPsec.)
Authentication is separated from encryption, for use in situations where encryption is prohibited or prohibitively expensive.
Key distribution protocols: support for manual key configuration is required; automated keying is done by IKE.
Authentication Header
Next Header (8) | Payload Len (8, called Hdr Ext Len on the slide) | Reserved (16)
Security Parameters Index (SPI) (32)
Sequence Number (32)
Authentication Data (Integrity Check Value, variable length, a multiple of 32 bits)
Destination Address + SPI identifies the security association state (key, lifetime, algorithm, etc.).
Provides authentication and data integrity for all fields of the IPv6 packet that do not change en route (Hop Limit, Traffic Class and Flow Label are treated as mutable and zeroed when the ICV is computed); the Sequence Number gives replay protection.
The default algorithm at the time of these slides was Keyed MD5 (RFC 1828). That construction is obsolete: current IPsec (RFC 4302, algorithm requirements in RFC 8221) uses HMAC, such as HMAC-SHA1-96 or HMAC-SHA-256-128.
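An added example, not the slides' material and a model rather than a real IPsec implementation, of what "authentication for all fields that do not change en route" means in practice: the ICV is an HMAC over the packet with the mutable fields zeroed, so a router decrementing the Hop Limit does not break it while any change to an address, the AH header or the payload does. The key and addresses are constructed; HMAC-SHA-256-128 (RFC 4868) stands in for the slide's keyed MD5, and a strictly increasing sequence number stands in for the real anti-replay window.

```python
import hashlib
import hmac
import ipaddress
import struct

AH = 51          # IP protocol number of the Authentication Header
ICV_LEN = 16     # HMAC-SHA-256-128: SHA-256 output truncated to 128 bits (RFC 4868)


def ipv6_header(src, dst, payload_len, next_header, hop_limit, traffic_class=0, flow_label=0):
    """40-byte IPv6 header (RFC 2460 layout: 8-bit Traffic Class, 20-bit Flow Label)."""
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    return (struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def zero_mutable_fields(ip_hdr):
    """AH covers every field that does not change en route (RFC 4302 3.3.3.1.2):
    Traffic Class, Flow Label and Hop Limit are mutable, so they are zeroed
    before the ICV is computed; Version, Payload Length, Next Header and both
    addresses are covered as they are."""
    return b"\x60\x00\x00\x00" + ip_hdr[4:7] + b"\x00" + ip_hdr[8:]


def ah_icv(key, ip_hdr, ah_fixed, payload):
    """ICV = HMAC(canonical IP header || AH header with ICV zeroed || payload), truncated."""
    covered = zero_mutable_fields(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def ah_protect(key, src, dst, hop_limit, spi, seq, next_header, payload):
    """Build IPv6 header + AH header + payload. AH Payload Len is the AH length
    in 32-bit words minus 2: (12 + 16) / 4 - 2 = 5."""
    ah_fixed = struct.pack("!BBHII", next_header, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    ip_hdr = ipv6_header(src, dst, len(ah_fixed) + ICV_LEN + len(payload), AH, hop_limit)
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def ah_verify(key, packet, highest_seq_seen=0):
    """Return (ok, reason, seq). Besides the ICV, enforce the simplest anti-replay
    rule: the sequence number must exceed every one accepted so far."""
    ip_hdr, rest = packet[:40], packet[40:]
    if len(ip_hdr) < 40 or ip_hdr[6] != AH:
        return False, "next header is not AH", None
    _next_header, _ah_len, _reserved, _spi, seq = struct.unpack("!BBHII", rest[:12])
    icv, payload = rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    expected = ah_icv(key, ip_hdr, rest[:12], payload)
    if not hmac.compare_digest(icv, expected):
        return False, "ICV mismatch: header or payload modified", seq
    if seq <= highest_seq_seen:
        return False, "replayed sequence number", seq
    return True, "ok", seq


if __name__ == "__main__":
    key = b"constructed-demo-key"   # constructed; a real SA key comes from IKE or manual config
    pkt = ah_protect(key, "2001:db8::1", "2001:db8::2", 64, 0x1000, 1, 59, b"hello")
    print(ah_verify(key, pkt))
    forwarded = pkt[:7] + bytes([pkt[7] - 1]) + pkt[8:]     # a router decremented Hop Limit
    print(ah_verify(key, forwarded))
    rerouted = pkt[:39] + b"\x03" + pkt[40:]                # destination address changed
    print(ah_verify(key, rerouted))
```

Note what AH does not protect: the packet is in the clear, and because the addresses are covered, AH cannot traverse a NAT that rewrites them, which is one reason ESP (with NAT traversal over UDP 4500) displaced AH in most deployments.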
Encapsulating Security Payload (ESP)
Security Parameters Index (SPI) (32)
Sequence Number (32)
Payload (variable, encrypted; for most ciphers an IV precedes it)
Padding (0-255 octets) | Padding Length (8) | Next Header (8)
Authentication Data (ICV, optional, covering SPI through Next Header but not the outer IP header)
Migration from IPv4 to IPv6: IPv4-IPv6 Transition / Co-Existence
A wide range of techniques have been identified and implemented, basically falling into three categories:
(1) Dual-stack techniques, to allow IPv4 and IPv6 to co-exist in the same devices and networks.
(2) Tunneling techniques, to avoid order dependencies when upgrading hosts, routers, or regions.
(3) Translation techniques, to allow IPv6-only devices to communicate with IPv4-only devices.
Expect all of these to be used, in combination.
Next Generation Transition
[Figure: the three NGTRANS categories, Dual Stack, Tunneling and Translator, around the NGTRANS working group.]

Dual Stack
RFC 1933; NGTRANS draft: draft-ietf-ngtrans-dstm-07.txt
[Figure: an IPv4/IPv6 dual-stack host, an IPv6 dual-stack segment with AIIH services (DHCPv6, DNS), and an IPv4 dual-stack segment.]
Dual Stack Approach
[Figure: two dual-stack nodes. Each runs an IPv6-enabled application over TCP/UDP, with both IPv4 and IPv6 below; the data link (Ethernet) demultiplexes on the frame protocol ID, 0x0800 for IPv4 and 0x86DD for IPv6.]
A dual-stack node means: both IPv4 and IPv6 stacks are enabled; applications can talk to both; the choice is based on name lookup (A versus AAAA records) and application preference.
Tunneling
[Figure: three tunnel setups. 6over4 (RFC 2529): IPv6 hosts reach each other across an IPv4 multicast domain. 6to4 (RFC 3056): IPv6 sites connected through IPv4. Tunnel Broker (RFC 3053): an IPv4/IPv6 client reaches an IPv6 network through a broker-configured tunnel.]

Using Tunnels for IPv6 Deployment
Many techniques are available to establish a tunnel:
Manually configured: manual tunnel (RFC 2893); generic packet tunneling in IPv6 (RFC 2473) or GRE (RFC 2784; the slide attributes GRE to RFC 2473, which is actually the IPv6 generic tunneling specification).
Semi-automated: tunnel broker.
Automatic: IPv4-compatible addresses (RFC 2893), 6to4 (RFC 3056), 6over4, ISATAP.
All of these carry IPv6 inside IPv4 (protocol 41, GRE, or UDP for Teredo), so an IPv4-only firewall that does not inspect the inner packet gives the tunneled IPv6 traffic a free pass; filter protocol 41 and UDP port 3544 (Teredo) where tunneling is not intended.
Translators
[Figure: the translator families. NAT-PT (RFC 2766) and SIIT (RFC 2765) translate between IPv6 and IPv4 networks. Bump-in-the-Stack (BIS, RFC 2767; "BITS" on the slide) lets IPv4 applications run on an IPv6 stack. A SOCKS gateway (RFC 3089) or a TCP/UDP relay (RFC 3142) connects an IPv6 host to an IPv4 host at the transport layer.]
NAT-PT was later moved to Historic status by RFC 4966 because of its DNS-ALG and fragmentation problems; its successors are stateful NAT64 (RFC 6146) with DNS64 (RFC 6147), and SIIT was revised as RFC 6145 and then RFC 7915.
Transition Approaches
Dual Stack: the system completely supports IPv6.
Tunneling: IPv6 packets are encapsulated for transmission over the existing IPv4 infrastructure.
Translation: IPv6 packets are translated into IPv4 packets and vice versa; header information is preserved as much as possible.

Dual Stack Mechanisms
Simple dual stack (RFC 1933): both IPv4 and IPv6 are directly supported.
[Figure: applications over TCP/UDP over both IPv4 and IPv6, each with its routing protocols, down to the device driver; the node attaches to a v6 network, a v4/v6 network and a v4 network.]
Dual Stack Mechanisms
Dual Stack Transition Mechanism (DSTM):
Assures communication between IPv4 applications in IPv6-only networks and the rest of the Internet.
Temporary IPv4 addresses are assigned when communicating with an IPv4-only host.
Cooperation between DNS and DHCPv6.
A Dynamic Tunnel Interface encapsulates the IPv4 packets.
[Figure: an IPv4 application on a dual-stack host in an IPv6-only network needs to reach an IPv4 application on an IPv4-only host.]

DSTM: Principles
Assumes an IPv4/IPv6 dual stack on the host. The IPv4 stack is configured only when one or more applications need it: a temporary IPv4 address is given to the host.
All IPv4 traffic coming from the host is tunneled towards the DSTM gateway (IPv4 over IPv6). The DSTM gateway encapsulates/decapsulates packets and maintains an IPv6-to-IPv4 mapping table.
Packet format inside the tunnel: IPv6 header | IPv4 header | Payload
How DSTM works (v6 to v4)
[Figure: host A (IPv6-only network), DSTM gateway B, IPv4 host C, a DSTM server and DNS.]
(1) In A, the v4 address of C is used by the application, which sends a v4 packet to the kernel.
(2) The interface asks the DSTM server for a v4 source address.
(3) The DSTM server returns a temporary IPv4 address for A and the IPv6 address of the DSTM gateway.

How DSTM works (v6 to v4)
(4) A creates the IPv4 packet (A4 to C4).
(5) A tunnels the v4 packet to B using IPv6 (A6 to B6): IPv6 header | IPv4 header | Payload.
(6) B decapsulates the v4 packet and sends it to C4: IPv4 header | Payload.
(7) B keeps the mapping between A4 and A6 in its routing table.
Tunneling Mechanisms
RFC 1933 (Transition Mechanisms for IPv6 Hosts and Routers), RFC 2529 (6over4), RFC 3056 (6to4), RFC 5214 (ISATAP; the slide's "RFC 5412" is a typo), RFC 4380 (Teredo), RFC 3053 (Tunnel Broker).

RFC 1933: Transition Mechanisms for IPv6 Hosts and Routers
Configured tunnels: connect IPv6 hosts or networks over an existing IPv4 infrastructure; generally used between sites exchanging traffic regularly.
Automatic tunnels: the tunnel is created and then removed after use; requires an IPv4-compatible IPv6 address such as ::140.114.1.101 (this address form was deprecated by RFC 4291).
Configured Tunnel
Carry IPv6 packets over an IPv4 infrastructure by encapsulating IPv6 in IPv4 (IP protocol 41). Tunnel endpoints are explicitly configured, must be dual-stack nodes, and are identified by their IPv4 addresses.
[Figure: two dual-stack routers, each running IPv4 and IPv6 with their routing protocols over a device driver, joined by the tunnel.]

Configured Tunnel
[Figure: IPv6 island | dual-stack node 192.168.1.1 | IPv4 networks | dual-stack node 192.168.2.1 | IPv6 island]
In the left island: IPv6 header | Payload
Across the IPv4 tunnel: IPv4 header (Src=192.168.1.1, Dst=192.168.2.1) | IPv6 header | Payload
In the right island: IPv6 header | Payload
Automatic Tunnel
A node is assigned an IPv4-compatible IPv6 address, e.g. ::140.114.1.101. If the destination is an IPv4-compatible IPv6 address, automatic tunneling is used by the router (tunneling to the destination). The routing table redirects ::/96 to the automatic tunnel interface.
Address format: 0000 ... 0000 (80 bits) | 0000 (16 bits) | IPv4 address (32 bits)

Automatic Tunnel Example
[Figure: a dual-stack node 140.113.4.1 in an IPv6 island sends to the dual-stack node 140.114.1.101, whose IPv4-compatible IPv6 address is ::140.114.1.101, across the IPv4 Internet.]
Inside the island: IPv6 header | Payload, with destination IPv6 address ::140.114.1.101.
On the IPv4 Internet: IPv4 header | IPv6 header | Payload, with destination IPv4 address 140.114.1.101 taken from the low 32 bits, and source IPv4 address = ? (exercise; the sending node's own IPv4 address, 140.113.4.1 in the figure).

6over4
To allow isolated IPv6 hosts, located on a physical link which has no directly connected IPv6 router, to become fully functional IPv6 hosts by using an IPv4 domain that supports IPv4 multicast as their virtual local link. RFC 2529.
[Figure: hosts A, B, C and D on an IPv4 multicast domain running 6over4; IGMP is used to join the multicast group.]
6over4
6over4 is an automatic tunneling technique that leverages IPv4 multicast. IPv6 addresses are formed using the link-local scope (FE80:: prefix), and a host's IPv4 address forms the 6over4 interface ID portion of its IPv6 address. For example, a 6over4 host with IPv4 address 192.223.16.85 (C0DF:1055) has the 6over4 address FE80::C0DF:1055.
Address format: FE80 (16 bits) | 0000 ... 000 (80 bits) | IPv4 address (32 bits)

6over4
IPv6 packets are tunneled in IPv4 headers using corresponding IPv4 multicast addresses. The Internet Group Management Protocol (IGMP) is used by 6over4 hosts to inform IPv4 routers of multicast group membership. All members of the multicast group receive the tunneled packets, and the intended recipient strips off the IPv4 header and processes the IPv6 packet. An IPv6 router running 6over4 that is reachable via the IPv4 multicast mechanism can serve as a tunnel endpoint to route the packet via IPv6.

6over4 Example
[Figure: hosts A (192.168.2.1, fe80::c0a8:201), C (192.168.3.1, fe80::c0a8:301), D (192.168.4.1, fe80::c0a8:401) and B (192.168.1.1, fe80::c0a8:101) on the IPv4 multicast domain. The slide writes these link-local addresses with c080; 192.168 is C0A8 in hexadecimal, so c0a8 is used here.]
B sends to C: IPv4 header (Src=192.168.1.1, Dst=the IPv4 multicast group joined via IGMP) | IPv6 header (Src=fe80::c0a8:101, Dst=fe80::c0a8:301) | Payload

6over4 IPv6 Multicast
6over4 supports IPv6 multicast, so hosts can perform IPv6 router and neighbor discovery to locate IPv6 routers. When tunneling IPv6 multicast messages, e.g. for neighbor discovery, the IPv4 destination address is formatted as 239.192.Y.Z, where Y and Z are the last two bytes of the IPv6 multicast address. Thus an IPv6 message to the link-scoped all-routers multicast address FF02::2 is tunneled to the IPv4 destination 239.192.0.2, and one to FF02::1 (all nodes, used by neighbor discovery) to 239.192.0.1.

6over4 Example (IPv6 Multicast)
[Figure: the same four hosts.]
B sends to all its neighbors: IPv4 header (Src=192.168.1.1, Dst=239.192.0.1) | IPv6 header (Src=fe80::c0a8:101, Dst=ff02::1) | Payload
6to4
Interconnection of isolated IPv6 domains over an IPv4 network without explicit tunnel setup. Effectively it treats the IPv4 network as a unicast point-to-point link layer. RFC 3056.
[Figure: IPv6 site 2002:c0a8:101:1::1 | IPv6 in IPv4 across the IPv4 network | IPv6 site 2002:c0a8:201:2::2]

6to4
Automatic establishment of the tunnel by embedding the IPv4 destination address in the IPv6 address, under the reserved prefix 2002::/16 (2002::/16 = 6to4). This gives a full /48 to a site based on its external IPv4 address: 2002:<IPv4 address in hex>::/48.
RFC 3056 requires that external address to be globally unique; the 192.168.x.x addresses in these examples are for illustration only and would not work on the real Internet. The 6to4 relay anycast service of RFC 3068 has since been deprecated by RFC 7526, and 6to4 should not be used for new deployments.

How to embed the IPv4 address in the IPv6 address?
192.168.2.1 = 11000000 10101000 00000010 00000001
= 1100000010101000 : 0000001000000001
= c0a8 : 0201
= c0a8:0201 = c0a8:201

6to4 Network-to-Network Example
[Figure: 6to4 router 192.168.1.1 serving 2002:c0a8:101::/48 and 6to4 router 192.168.2.1 serving 2002:c0a8:201::/48, connected across IPv4.]
Left IPv6 site: IPv6 header (Src=2002:c0a8:101:1::1, Dst=2002:c0a8:201:2::2) | Payload
Across IPv4 (IPv6 in IPv4): IPv4 header (Src=192.168.1.1, Dst=192.168.2.1, taken from bits 16-47 of the IPv6 destination) | IPv6 header (Src=2002:c0a8:101:1::1, Dst=2002:c0a8:201:2::2) | Payload
Right IPv6 site: IPv6 header (Src=2002:c0a8:101:1::1, Dst=2002:c0a8:201:2::2) | Payload
ISATAP
The Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) connects dual-stack nodes over IPv4 networks. It views the IPv4 network as a link layer for IPv6 and supports automatic tunneling. RFC 5214.
[Figure: ISATAP hosts A and B and an ISATAP router C joined across the IPv4 network to the IPv6 network.]

ISATAP
Automatic tunneling from ISATAP nodes to the ISATAP routers in a private network creates a virtual IPv6 link over the IPv4 network. Special bits identify an ISATAP address (in the node identifier part of the IPv6 address):
Link-local or ISATAP-assigned prefix (64 bits) | 00:00:5E:FE (32 bits) | IPv4 address (32 bits)
For 192.168.1.1: fe80:0:0:0:0:0:5efe:c0a8:0101, i.e. fe80::5efe:c0a8:101 (the slide writes c080 where 192.168 = C0A8). When the IPv4 address is globally unique the first octet of the identifier is 02 instead of 00 (the u/l bit is set).
ISATAP hosts typically learn their router from the DNS name isatap.<domain>, so whoever controls that name inside the site controls where the IPv6 traffic goes; RFC 5214's security considerations discuss this.

ISATAP Example
[Figure: ISATAP host A (192.168.2.1, fe80::5efe:c0a8:201, 3ffe:ffff::5efe:c0a8:201), ISATAP host B (192.168.1.1, fe80::5efe:c0a8:101, 3ffe:ffff::5efe:c0a8:101), ISATAP router C (192.168.3.1, fe80::5efe:c0a8:301, 3ffe:ffff::5efe:c0a8:301) with the IPv6 network 3ffe:ffff:0:1::1 behind it.]
B sends to C: IPv4 header (Src=192.168.1.1, Dst=192.168.3.1) | IPv6 header (Src=fe80::5efe:c0a8:101, Dst=3ffe:ffff:0:1::1) | Payload
(3ffe::/16 was the 6bone test prefix, returned to IANA under RFC 3701; 2001:db8::/32 is the prefix reserved for examples today.)
Teredo
NAT prohibits the use of direct tunnels: protocol 41 carries no port numbers for a NAT to map. Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs). The Teredo service enables nodes located behind one or more IPv4 NATs to obtain IPv6 connectivity by tunneling packets over UDP. RFC 4380 (Microsoft).
[Figure: host A on a private IPv4 address behind a NAT, the IPv4 Internet, host B on IPv6; IPv6 in UDP in IPv4 between them.]

Teredo
Running the service requires the help of "Teredo servers" and "Teredo relays". The Teredo servers are stateless and only have to manage a small fraction of the traffic between Teredo clients. The Teredo relays act as IPv6 routers between the Teredo service and the "native" IPv6 Internet. The relays can also provide interoperability with hosts using other transition mechanisms such as 6to4.

Teredo
Uses IPv6 in UDP in IPv4. The external mapping of the client's IPv4 address and port is discovered with the help of the Teredo server (on the external side of the NAT). Teredo uses a specific prefix, 2001:0000::/32. The address includes the IPv4 address of the Teredo server and the public IPv4 address and port number of the host:
Teredo prefix 2001:0000 (32 bits) | Teredo server IPv4 address (32 bits) | flags (16 bits) | obfuscated UDP port (16 bits) | obfuscated client public IPv4 address (32 bits)
The port and client address are stored inverted (XOR with all ones) so that NATs which rewrite addresses they find in payloads do not corrupt them.

Teredo Example
[Figure: client A with private address 192.168.1.1 behind a NAT whose public address is 192.0.2.45 and mapped port 40000; Teredo server 65.54.227.120; host B on IPv6.]
A's Teredo address: 2001:0000:4136:e378:8000:63bf:3fff:fdd2 (the slide's "3ffff" has one f too many). Here 4136:e378 = 65.54.227.120, flags 8000 (cone NAT), 63bf = 40000 XOR ffff, and 3fff:fdd2 = 192.0.2.45 XOR ffff:ffff.
Reference: http://en.wikipedia.org/wiki/Teredo_tunneling

Teredo Example (A to B)
[Figure: A (192.168.1.1), NAT (192.0.2.45, port 40000), Teredo server/relay 65.54.227.120, B (3ffe:ffff:0:1::1).]
From A, before the NAT: IPv4 header (Src=192.168.1.1, Dst=65.54.227.120) | UDP header | IPv6 header (Src=2001:0:4136:e378:8000:63bf:3fff:fdd2, Dst=3ffe:ffff:0:1::1) | Payload
After the NAT: IPv4 header (Src=192.0.2.45, Dst=65.54.227.120) | UDP header (source port mapped to 40000) | IPv6 header | Payload
Delivered to B: IPv6 header | Payload

Teredo Example (B to A)
Exercise: fill in the outer headers of the reply. Toward A the relay sends IPv4 header (Src=65.54.227.120, Dst=192.0.2.45) | UDP header (destination port 40000) | IPv6 header (Src=3ffe:ffff:0:1::1, Dst=2001:0:4136:e378:8000:63bf:3fff:fdd2) | Payload. The NAT rewrites the destination to 192.168.1.1 and A's internal port, and A receives IPv6 header | Payload. (The slide writes the private address as 191.168.1.1 in places; 192.168.1.1 is meant.)
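The address-embedding rules of the transition mechanisms on the preceding slides (IPv4-compatible addresses, 6over4 and its multicast mapping, ISATAP, and Teredo), as an added Python example that is not from the course. The Teredo values are the ones on the slides; the other inputs are constructed. Decoding these addresses is a routine step in incident response, because a Teredo or ISATAP address in a log reveals the real IPv4 endpoints behind the tunnel.

```python
import ipaddress

TEREDO = ipaddress.IPv6Network("2001::/32")
ISATAP_MARKER = b"\x00\x5e\xfe"   # IANA OUI 00-00-5E followed by type 0xFE


def ipv4_compatible(ipv4):
    """::a.b.c.d (RFC 2893 automatic tunnels): 96 zero bits + IPv4 address. Deprecated by RFC 4291."""
    return ipaddress.IPv6Address(b"\x00" * 12 + ipaddress.IPv4Address(ipv4).packed)


def sixover4_link_local(ipv4):
    """6over4 (RFC 2529): FE80 (16 bits) | 80 zero bits | IPv4 address (32 bits)."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 10 + ipaddress.IPv4Address(ipv4).packed)


def sixover4_multicast_map(mcast6):
    """IPv6 multicast group -> 239.192.Y.Z, Y.Z being the low 16 bits of the group (RFC 2529)."""
    a = ipaddress.IPv6Address(mcast6)
    if not a.is_multicast:
        raise ValueError("%s is not a multicast address" % a)
    return ipaddress.IPv4Address(b"\xef\xc0" + a.packed[14:])


def isatap_address(prefix, ipv4, globally_unique=False):
    """ISATAP (RFC 5214) interface ID: 00-00-5E-FE + IPv4 address; the u/l bit of
    the first octet is set (02-00-5E-FE) when the IPv4 address is globally unique."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    first = b"\x02" if globally_unique else b"\x00"
    iid = first + ISATAP_MARKER + ipaddress.IPv4Address(ipv4).packed
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def isatap_embedded_ipv4(addr6):
    """Inverse: the IPv4 address if the interface ID carries the ISATAP marker, else None."""
    p = ipaddress.IPv6Address(addr6).packed
    return ipaddress.IPv4Address(p[12:]) if p[9:12] == ISATAP_MARKER and p[8] in (0x00, 0x02) else None


def teredo_parse(addr):
    """Decode a Teredo address (RFC 4380): 2001:0 | server IPv4 | flags | ~port | ~client IPv4.
    Port and client address are stored inverted so that NATs rewriting
    payload-embedded addresses do not recognize and mangle them."""
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO:
        raise ValueError("%s is not a Teredo address" % a)
    p = a.packed
    flags = int.from_bytes(p[8:10], "big")
    return {
        "server": ipaddress.IPv4Address(p[4:8]),
        "flags": flags,
        "cone": bool(flags & 0x8000),
        "port": int.from_bytes(p[10:12], "big") ^ 0xFFFF,
        "client": ipaddress.IPv4Address(bytes(b ^ 0xFF for b in p[12:16])),
    }


def teredo_build(server, flags, port, client):
    """Forward direction of teredo_parse."""
    p = (b"\x20\x01\x00\x00" + ipaddress.IPv4Address(server).packed
         + flags.to_bytes(2, "big") + (port ^ 0xFFFF).to_bytes(2, "big")
         + bytes(b ^ 0xFF for b in ipaddress.IPv4Address(client).packed))
    return ipaddress.IPv6Address(p)


if __name__ == "__main__":
    print(ipv4_compatible("140.114.1.101"), sixover4_link_local("192.223.16.85"))
    print(sixover4_multicast_map("ff02::2"), isatap_address("fe80::/64", "192.168.1.1"))
    print(teredo_parse("2001:0:4136:e378:8000:63bf:3fff:fdd2"))
```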
Check your own computer's IPv6 tunnel addresses
> cmd
> ipconfig
An address under 2001:0::/32 is a Teredo tunnel address; fe80:: addresses are link-local.
Questions: which Teredo server is embedded in the address? What is your public IPv4 address? Which port number?

IPv6 Tunnel Calculator
[Figure: the author's own address decoded with the calculator.]
http://www.wyae.de/docs/ipv6calc/
IPv6 Tunnel Broker
RFC 3053: Tunnel Broker.
IPv6 tunneling over the Internet requires heavy manual configuration; network administrators face an overwhelming management load; getting connected to the IPv6 world is not an easy task for IPv6 beginners.

Tunnel Broker
The Tunnel Broker approach is an opportunity to solve the problem. The basic idea is to provide tunnel broker servers that automatically manage tunnel requests coming from the users.
Benefits: stimulate the growth of IPv6-interconnected hosts; allow early IPv6 network providers to give easy access to their IPv6 networks.

Tunnel broker
The Tunnel Broker fits well for small isolated IPv6 sites, especially isolated IPv6 hosts on the IPv4 Internet. The client node must be dual stack (IPv4/IPv6), and the client's IPv4 address must be globally routable (not behind a NAT).

Tunnel broker architecture
[Figure: a dual-stack client at a remote site interacts with the Tunnel Broker (TB discovery, then client-broker interaction); the broker talks to the DNS server (broker-DNS interaction) and to the tunnel servers, which are dual-stack routers (broker-router interaction), inside the IPv6 network provider. Example broker names: www.IPv6.org, tb.cht.com, tb.aaa.com.]

How the Tunnel Broker works (1)
The dual-stack client provides minimal configuration information to the broker over http/https: its IPv4 address, a nickname, and its OS type.

How the Tunnel Broker works (2)
The broker automatically configures the client (e.g. via rsh or a downloaded script), the DNS server (dynamic DNS update), and the selected tunnel server (rsh, SNMP, DHCPv6, ...). rsh and SNMPv1/v2c, as drawn on the slide, are unauthenticated cleartext protocols; a broker that drives its tunnel servers with them hands control of those routers to anyone on the path, so a real deployment uses SSH or SNMPv3 for that channel.

How the Tunnel Broker works (3)
The tunnel is now up and working between the client and the tunnel server.
Which tunnel brokers exist in Taiwan?
Free IPv6 Tunnel Broker services of Taiwanese ISPs
Organization                Information page
Asia Pacific Telecom        http://www.apol.com.tw/ipv6/ipv6-tb-4.html
Far EasTone                 http://www.ipv6.seed.net.tw/how2v6/
Taiwan Mobile (TWM)         http://www.twmsolution.com/ipv6/
So-net Taiwan               http://www.so-net.net.tw/service/ipv6/
Chunghwa Telecom (HiNet)    http://www.ipv6.hinet.net/installGuide.htm
Academia Sinica             http://www.ascc.sinica.edu.tw/iascc/articals.php?_section=2.4&_op=?articalID:2258
See also http://ipv6tips.ipv6.org.tw/refer3.html

Chunghwa Telecom HiNet Tunnel Broker
http://www.ipv6.hinet.net/installGuide.htm
The Chunghwa Telecom tunnel broker uses the gogo6 tunnel broker; the client must install software (the gogoCLIENT utility).
IPv6/IPv4 Translator
RFC 2765, RFC 2766, RFC 2767, RFC 3089, RFC 3142.

Stateless IP/ICMP Translation Algorithm (SIIT), RFC 2765
Translates the v6 header into a v4 header at some point of the network; routing can direct packets to those translation points.
Translates ICMP headers from both worlds.
Allows IPv6 hosts that do not have a permanently assigned IPv4 address to communicate with IPv4-only hosts.
No state in the translators (unlike NAT).

SIIT
[Figure: an IPv6-only subnet with an IPv6 host, a SIIT box holding a pool of IPv4 addresses, and an IPv4 network with an IPv4 host. Using SIIT for a single IPv6-only subnet.]
ICMP translation: an ICMPv4 header (Type | Code | Checksum) is rewritten by SIIT into an ICMPv6 header (Type | Code | Checksum), with the type numbers mapped (e.g. echo request 8 becomes 128) and the checksum recomputed, since the ICMPv6 checksum also covers the IPv6 pseudo-header.

SIIT
[Figure: a dual network containing IPv6-only hosts and IPv4 hosts, a SIIT box with a pool of IPv4 addresses, and an IPv4 network with an IPv4 host. Using SIIT for an IPv6-only or dual cloud which contains some IPv6-only hosts and IPv4 hosts.]

SIIT
Suitable for use when the IPv6 side has no IPv4, for instance embedded systems with a stack on chip (IPv6 sensors).
The IPv6 side uses special "translatable" addresses, which preserve the TCP/UDP checksum value.
The translatable source address is received by the IPv6 node from a shared pool; the translatable destination address is made from the IPv4 DNS entry.

Network Address Translation - Protocol Translation (NAT-PT)
RFC 2766: NAT-PT
Network Address Translation-Protocol Translation translates IP addresses between IPv4 and IPv6, uses a pool of IPv4 addresses and ports, composes and manages a mapping table (IPv4 and IPv6), and is similar to NAT in an IPv4 network.

NAT-PT
[Figure: an IPv4 packet (Src=129.254.165.141, Dst=203.243.253.15, 32-bit addresses, DATA) on one side, the NAT-PT box with its mapping table and pool of addresses in the middle, and the corresponding IPv6 packet (Src=2001:203:201:200:ae01:ff10:2ecd:3ffe, Dst=2001:203:201:1:3f1e:2ea2:ff10:2f3c, 128-bit addresses, DATA) on the other.]

Network Configuration Requirements
[Figure: an IPv6 intranet with an IPv6 host, a DNSv6 server and an IPv6 server, connected through the translator (6 to 4 and 4 to 6) to the IPv4 side with an IPv4 host and a DNS server.]
Configuration requirements: an IPv4 interface (eth0); an IPv6 interface (eth1); the IPv6 intranet network prefix (::/96); the default outbound IPv6 gateway; a pool of IPv4 addresses and ports; static mappings for the DNS servers.

System requirements
NAT-PT must be the border router between an IPv4-only network and an IPv6-only network.
All requests and responses pertaining to a session must be routed via the same NAT-PT router.
NAT-PT does not apply to packets originating from or directed to dual-stack nodes that do not require packet translation.
Address Translation (IPv4 -> IPv6)
Setup: DNS(v4) at 140.114.15.15, DNS(v6) at 2001:288::2; the translator uses the prefix aaaa::/96; the IPv6 server www.gsnv6.tw is 2001:288::1; the IPv4 host cs.nthu.edu.tw is 140.114.165.141. Static DNS mapping: 140.114.134.184 <-> 2001:288::2. Pool of IPv4 addresses: 140.114.134.180 (0001), 140.114.134.181 (0002), ...
1. The IPv4 host asks for www.gsnv6.tw. DNS(v4) forwards the query through the translator: DA:140.114.134.184 SA:140.114.15.15 becomes DA:2001:288::2 SA:aaaa::140.114.15.15 (the prefix is added to the source address on the way in and removed on the way back).
2. DNS(v6) answers with the resource data 2001:288::1. The DNS-ALG in the translator checks whether a mapping already exists and, if not, allocates 140.114.134.180 from the pool and records 140.114.134.180 <-> 2001:288::1 in the mapping table; the IPv4 side receives 140.114.134.180 as the answer.
3. The IPv4 host sends DA:140.114.134.180 SA:140.114.165.141. The translator changes DA to the mapped address 2001:288::1 and adds the prefix to SA, giving DA:2001:288::1 SA:aaaa::140.114.165.141.

Address Translation (IPv6 -> IPv4)
1. The IPv6 host asks DNS(v6) (2001:288::2) for cs.nthu.edu.tw. DNS(v6) forwards the query through the translator: DA:aaaa::140.114.15.15 SA:2001:288::2 becomes DA:140.114.15.15 SA:140.114.134.184 (static mapping). DNS(v4) returns the resource data 140.114.165.141, which the DNS-ALG hands back to the IPv6 side as aaaa::140.114.165.141.
2. The IPv6 host sends DA:aaaa::140.114.165.141 SA:2001:288::1. After checking whether a mapping exists, NAT-PT maps the IPv6 source address to a pool address (140.114.134.180 <-> 2001:288::1) and records it in the mapping table; the packet leaves as DA:140.114.165.141 SA:140.114.134.180 (the prefix is removed from DA, and SA is changed to the mapped address).
This reliance on a DNS-ALG that rewrites answers in flight is one of the reasons RFC 4966 moved NAT-PT to Historic status: it breaks DNSSEC and ties address mappings to DNS traffic. NAT64 (RFC 6146) with DNS64 (RFC 6147) separates the two functions.
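The SIIT header translation described on the preceding slides, as an added Python example that is not from the course. It maps an IPv4 header to an IPv6 header and back using the slides' aaaa::/96 translator prefix (the well-known prefix of RFC 6052 is 64:ff9b::/96), with the field mapping of RFC 2765: TOS to Traffic Class, TTL to Hop Limit, Protocol to Next Header (ICMP 1 becomes ICMPv6 58), Total Length minus header to Payload Length, and prefix::a.b.c.d for the addresses. Only the protocol number is mapped for ICMP; the ICMP body rewrite and the TCP/UDP checksum adjustment are not shown, and fragmented IPv4 packets are rejected rather than given a Fragment header. The addresses are the slides' own; the payloads are constructed.

```python
import ipaddress
import struct

ICMPV4, ICMPV6 = 1, 58


def ipv4_checksum(header):
    """Ones'-complement header checksum; over a header with a valid checksum it returns 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, ttl, protocol, payload, tos=0, ident=0, df=True):
    """20-byte IPv4 header (no options) + payload."""
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), ident, flags_frag,
                      ttl, protocol, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def translator_prefix(prefix):
    """The 96-bit translator prefix as 12 bytes; anything else is a configuration error."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("translator prefix must be a /96: %s" % prefix)
    return net.network_address.packed[:12]


def translate_4to6(pkt4, prefix="aaaa::/96"):
    """IPv4 -> IPv6 (stateless, RFC 2765 field mapping). Raises on malformed input."""
    if len(pkt4) < 20:
        raise ValueError("truncated IPv4 packet")
    ver_ihl, tos, total_len, _ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt4[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ipv4_checksum(pkt4[:ihl]) != 0:
        raise ValueError("not a valid IPv4 packet")
    if flags_frag & 0x3FFF:   # MF set or non-zero offset
        raise ValueError("IPv4 fragments would need an IPv6 Fragment header; not handled here")
    pfx = translator_prefix(prefix)
    payload = pkt4[ihl:total_len]
    next_header = ICMPV6 if proto == ICMPV4 else proto
    hdr6 = struct.pack("!IHBB", (6 << 28) | (tos << 20), len(payload), next_header, ttl)
    return hdr6 + pfx + src + pfx + dst + payload


def translate_6to4(pkt6, prefix="aaaa::/96"):
    """IPv6 -> IPv4: both addresses must carry the translator prefix, which is stripped."""
    if len(pkt6) < 40:
        raise ValueError("truncated IPv6 packet")
    first, plen, nh, hlim = struct.unpack("!IHBB", pkt6[:8])
    if first >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    pfx = translator_prefix(prefix)
    src6, dst6 = pkt6[8:24], pkt6[24:40]
    if src6[:12] != pfx or dst6[:12] != pfx:
        raise ValueError("address is not a translatable (prefix) address")
    proto = ICMPV4 if nh == ICMPV6 else nh
    return build_ipv4(src6[12:], dst6[12:], hlim, proto, pkt6[40:40 + plen], tos=(first >> 20) & 0xFF)


if __name__ == "__main__":
    pkt4 = build_ipv4("140.114.165.141", "140.114.134.180", 64, 6, b"\x00" * 20)  # constructed TCP stub
    pkt6 = translate_4to6(pkt4)
    print(ipaddress.IPv6Address(pkt6[8:24]), "->", ipaddress.IPv6Address(pkt6[24:40]))
    print("round trip ok:", translate_6to4(pkt6) == pkt4)
```

The round trip is exact because the translator keeps no state: everything it needs is in the header and the prefix. That is also why a stateless translator cannot, by itself, hide the IPv6 side's topology or rate-limit per mapping; that is what the stateful NAT-PT/NAT64 designs add.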