Implementing an IPv6 Router Using KAME under FreeBSD

Liang Jia-Wei
Graduate Institute of Information Education, National Kaohsiung Normal University
[email protected]

Abstract (Chinese version)

As networks grow and today's consumer devices all come with Internet access, our supply of network addresses is running out, so we need IPv6, the next-generation network protocol. IPv6 is specified completely differently from the old IPv4 and has many advantages: address-sharing mechanisms (NAT) are no longer needed, IPv6 has an autoconfiguration mechanism, and it has strong support for network-layer security (IPsec). The arrival of IPv6 will not make IPv4 disappear; the network environment of the future will be one in which IPv4 and IPv6 coexist, and for IPv4 and IPv6 networks to interconnect some transition mechanisms are required. This paper describes some features of IPv6 and its transition mechanisms. The KAME Project is a project jointly undertaken by teams from several Japanese companies; its software mainly provides BSD operating systems (FreeBSD, NetBSD and others) with additional functionality, including IPv6, IPsec and some network traffic control and management features. The main goal of this paper is to use KAME to implement a router through which an IPv4 network and an IPv6 network can be linked. All that is needed is a single PC running FreeBSD with KAME, which is very helpful during the transition period for organizations that do not yet have dedicated IPv6 equipment.

Keywords: IPv6, FreeBSD, transition mechanism, KAME.

ABSTRACT

With IPv4 (Internet Protocol version 4), it has been found that the address space provided cannot sustain the growing number of hosts connected to the Internet. IPv6 (Internet Protocol version 6) has been designed to resolve the scalability issues of the Internet address space. There are many advantages in using IPv6. For example, a NAT (Network Address Translation) server is no longer necessary, and the number of IP addresses is sufficient. In this way it is more convenient to deliver IP addresses to mobile devices such as notebooks, PDAs and cell phones. Nowadays enterprises, schools and individuals use computer networks over IPv4, so IPv4/IPv6 transition mechanisms are important. The various transition strategies can be broadly divided into dual stack, tunneling and translation; they are described later.

The KAME Project is a joint effort to create a single solid software set, especially targeted at IPv6/IPsec. In this study we have a PC on which FreeBSD and KAME are installed and use it for IPv6 routing. In this way we can connect IPv6 and IPv4 networks by the tunneling mechanism.

Keywords: IPv6 networks, Transition Mechanisms, KAME project, Tunneling Mechanism, FreeBSD.

1. Introduction

Nowadays more and more electronic devices need an IP address for Internet access, such as notebooks, cell phones and PDAs. IPv6 will solve the problem of IP address shortage. IPv6 is a new version of IP which is designed to be an evolutionary step from IPv4; it is a natural increment to IPv4. It can be installed as a normal software upgrade in Internet devices and is interoperable with the current IPv4. Its deployment strategy is designed not to require any flag days or other dependencies. IPv6 is designed to run well on high-performance networks (e.g. Gigabit Ethernet, OC-12, ATM) and at the same time still be efficient for low-bandwidth networks (e.g. wireless). In addition, it provides a platform for new Internet functionality that will be required in the near future.

IPv4 and IPv6 protocols do not interoperate, and hence IPv4 applications do not work in an IPv6 environment and vice versa. However, the deployment of IPv6 within the present IPv4 Internet will be on an incremental basis and start from small IPv6 networks that gradually merge into the global IPv6 network.

The KAME Project aims to provide free reference implementations of IPv6, IPsec (for both IPv4 and IPv6), and advanced internetworking such as advanced packet queuing, ATM, mobility, and whatever else is interesting on BSD variants. In this study we implement an IPv6 router on FreeBSD with KAME, and we show how it works.

2. IPv6 Overview

There are some features of IPv6 which differ from IPv4, such as the new header format, expanded addressing capabilities, an efficient and hierarchical addressing and routing infrastructure, autoconfiguration, built-in security, better support for QoS, mobility, and extensibility.

2.1 Header Format

The IPv6 header is a new format which differs from the IPv4 header; IPv4 headers and IPv6 headers are not interoperable. IPv6 has 128-bit addresses rather than the 32-bit addresses of IPv4, so the IPv6 header is twice as large as the IPv4 header. Figure1 shows the IPv6 header format.

Figure1: IPv6 header format

2.2 Expanded Addressing Capabilities

IPv6 has 128-bit source and destination IP addresses. 128 bits can express over 3.4×10^38 possible addresses, so each person can own more than 10 IP addresses and the problem of the lack of IP addresses is solved. With a much larger number of available addresses, address-conservation techniques such as the deployment of NAT are no longer necessary. Unlike IPv4's dotted-decimal notation, IPv6 addresses are written in colon-hexadecimal notation. There are three types of IPv6 addresses:

Unicast: An identifier for a single interface. A packet sent to a unicast address is delivered to the interface identified by that address. There are three types of unicast addresses: Global Unicast Address, Link-Local Unicast Address and Site-Local Unicast Address, shown in Figure2.

Figure2: IPv6 Unicast addresses

Anycast: An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to one of the interfaces identified by that address (the "nearest" one, according to the routing protocols' measure of distance).

Multicast: An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to a multicast address is delivered to all interfaces identified by that address.

2.3 Efficient addressing and routing infrastructure

IPv6 is designed to create an efficient, hierarchical, and summarizable routing infrastructure based on the common occurrence of multiple levels of ISPs (Internet Service Providers). On the IPv6 Internet, backbone routers have much smaller routing tables, corresponding to the routing infrastructure of global ISPs.

2.4 Autoconfiguration

In the past, network administrators had to configure the network for each computer. IPv6 makes configuring the network easier. There are two ways: one is done by an external server such as DHCP, and the other is done by address autoconfiguration. Plug-and-play can be achieved by autoconfiguration. Using this mechanism, nodes on a link automatically acquire link-local addresses and communicate with each other. In the presence of a router advertising network prefixes, they can then acquire site-local and global unicast addresses to navigate the global IPv6 Internet.

2.5 Security

IPsec for IPv6 is still very important. There is no authentication capability in IPv6 itself, so using IPsec with IPv6 is necessary. The KAME project provides a pretty good IPsec stack for BSD operating systems.
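As an added example (not code from the paper or from KAME), the following Python decodes the fixed IPv6 header of Figure 1, including the Traffic Class and Flow Label fields discussed in section 2.6, and names the address types of section 2.2. The sample packet is constructed here; the only address taken from the paper is its LAN prefix 3FFE:3600:1D:300::/64.

```python
import ipaddress
import struct

IPV6_HEADER_LEN = 40  # fixed header: twice the 20-byte IPv4 header


def parse_ipv6_header(pkt: bytes) -> dict:
    """Decode the fixed IPv6 header fields of Figure 1."""
    if len(pkt) < IPV6_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError("not an IPv6 packet (version nibble = %d)" % version)
    # A declared payload longer than what actually arrived is the classic over-read bug.
    if payload_len > len(pkt) - IPV6_HEADER_LEN:
        raise ValueError("payload length exceeds packet")
    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,  # 8-bit Traffic Class (2.6)
        "flow_label": first_word & 0xFFFFF,          # 20-bit Flow Label (2.6)
        "payload_length": payload_len,
        "next_header": next_hdr,                     # first extension header (2.8)
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
    }


def classify_address(addr) -> str:
    """Name the address type of section 2.2 / Figure 2.  Anycast addresses are
    drawn from the unicast space and cannot be told apart by syntax."""
    addr = ipaddress.IPv6Address(addr)
    if addr.is_multicast:                               # ff00::/8
        return "multicast"
    if addr.is_link_local:                              # fe80::/10
        return "link-local unicast"
    if addr in ipaddress.IPv6Network("fec0::/10"):      # site-local (deprecated)
        return "site-local unicast"
    if addr in ipaddress.IPv6Network("2000::/3"):
        return "global unicast"
    return "other"


def build_ipv6_header(src, dst, payload: bytes, traffic_class=0, flow_label=0,
                      next_header=59, hop_limit=64) -> bytes:
    """Build a packet with the fixed header (59 = No Next Header) for testing."""
    first_word = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    hdr = struct.pack("!IHBB", first_word, len(payload), next_header, hop_limit)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


# Constructed sample: from the paper's LAN address to the all-nodes multicast group.
SAMPLE = build_ipv6_header("3ffe:3600:1d:300::1", "ff02::1", b"ping",
                           traffic_class=0x20, flow_label=0xABCDE)

if __name__ == "__main__":
    fields = parse_ipv6_header(SAMPLE)
    for name, value in fields.items():
        print("%-15s %s" % (name, value))
    print("src is", classify_address(fields["src"]))
    print("dst is", classify_address(fields["dst"]))
```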


2.6 QoS

IPv6 has better support for QoS. The IPv6 header contains the Traffic Class field, which defines how traffic is handled and identified. Traffic identification using the Flow Label field in the IPv6 header allows routers to identify and provide special handling for packets belonging to a flow, a series of packets between a source and a destination. Because the traffic class and the flow label are identified individually for every packet, data transmission is not delayed.

2.7 Mobility

With the increase of cell phones, PDAs, notebooks and other devices with mobility, we need more IP addresses for these devices. There are further advantages in using IPv6, such as the following:

1. Everyone can have their own IP address, and not only one. It is more convenient for mobile nodes transferring data.
2. Easier network management through address autoconfiguration, thereby simplifying the assignment of care-of addresses for mobile nodes.
3. Foreign agents are no longer necessary.
4. Routing algorithms are improved to reduce delay by avoiding triangulated routing.

We will show a router implemented in the FreeBSD + KAME environment later.

2.8 Extensibility

IPv6 allows extension for new features by adding extension headers after the IPv6 header. The size of an IPv6 extension header is not fixed; it is only constrained by the size of the IPv6 packet.

2.9 IPv4 / IPv6 transition mechanism

When we add IPv6 to our existing network, there is an important point: IPv4 does not disappear. We still need some IPv4 application services. Because of this, we must construct a dual stack network including both IPv4 and IPv6.

Generally speaking, there are three kinds of services: IPv6 Dual Stack Service, IPv6 Tunneling Service, and Native Service. We need to integrate these three different kinds of ways. Figure3 shows the three directions of IPv6 networks.

Figure 3: Three directions of IPv6

2.9.1 Dual Stack

One technique is the "Dual Stack" mechanism. This approach requires hosts and routers to implement both the IPv4 and IPv6 protocols. Figure4 shows the architecture of dual stack.

As the name suggests, dual stack mode needs two protocol stacks which operate in parallel and thus allow the device to operate via either protocol. The IPv4 and IPv6 protocols survive together: both IPv4 and IPv6 packet types are allowed to pass in the dual-stacked network. IPv4 applications use the IPv4 stack and IPv6 applications use the IPv6 stack; they work together on a project but do different things. Flow decisions are based on the IP header version field for receiving, and on the destination address type for sending. DNS checks address types, and the appropriate stack is chosen in response to the returned DNS record types. Some open source operating systems, such as FreeBSD, already provide dual IP protocol stacks. The dual stack mode is the most widely deployed transition mechanism. However, the dual stack mechanism only enables IPv6-IPv6 and IPv4-IPv4 communication: IPv6 packets are not allowed to pass to the IPv4 stack, and vice versa.

2.9.2 Tunneling

Tunneling is an approach for an IPv6 island to connect to other IPv6 islands across IPv4 networks. From the point of view of the two nodes, this "virtual link", called an IPv6 tunnel, appears as a point-to-point link on which IPv6 acts like a link-layer protocol. Tunneling, from the perspective of transitioning, enables incompatible networks to be bridged and is typically deployed in a point-to-point or sequential fashion. Two common approaches are:

1. End systems use a transitional device like routers in a sparsely distributed transitioning network.
2. Network edge devices interconnect over incompatible networks.
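As an added example (not code from the paper or from KAME), the following Python shows what the tunnel interface of section 2.9.2 does on the wire (an IPv6 packet carried as IPv4 protocol 41), how a dual-stack receiver of section 2.9.1 chooses a stack from the version nibble and validates a decapsulated packet, and how the 6to4 variant of section 2.9.4 derives its prefix from a global IPv4 address (2002:V4ADDR::/48, from RFC 3056). The sample packet is constructed here; the two tunnel end points are the ones in the paper's gifconfig_gif0 line.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv4 protocol number for an encapsulated IPv6 packet


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over the IPv4 header (0 when it verifies)."""
    if len(hdr) % 2:
        hdr += b"\0"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(ipv6_pkt: bytes, local_v4: str, remote_v4: str, ttl: int = 64) -> bytes:
    """What the tunnel interface does on send: prepend an IPv4 header whose
    end points are the tunnel's local and remote addresses (Figure 5)."""
    if not ipv6_pkt or ipv6_pkt[0] >> 4 != 6:
        raise ValueError("only IPv6 packets enter the tunnel")
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6_pkt), 0, 0x4000,
                      ttl, IPPROTO_IPV6, 0,
                      ipaddress.IPv4Address(local_v4).packed,
                      ipaddress.IPv4Address(remote_v4).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ipv6_pkt


def dispatch(pkt: bytes) -> tuple:
    """Dual-stack receive path: pick the stack by the version nibble (2.9.1);
    a protocol-41 IPv4 packet is decapsulated and handed to the IPv6 stack."""
    version = pkt[0] >> 4
    if version == 6:
        return ("ipv6", pkt)
    if version != 4:
        raise ValueError("unknown IP version %d" % version)
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != IPPROTO_IPV6:
        return ("ipv4", pkt)
    inner = pkt[ihl:total_len]
    # Validate the payload before the IPv6 stack sees it: the outer header
    # proves nothing about what was tunneled.
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("protocol 41 payload is not an IPv6 packet")
    return ("ipv6", inner)


def six_to_four_prefix(global_v4: str) -> ipaddress.IPv6Network:
    """6to4 (2.9.4, RFC 3056): the site prefix is 2002:<IPv4 address>::/48."""
    v4 = ipaddress.IPv4Address(global_v4)
    if not v4.is_global:
        raise ValueError("6to4 needs a globally routable IPv4 address")
    return ipaddress.IPv6Network((b"\x20\x02" + v4.packed + b"\0" * 10, 48))


# Constructed sample: a minimal IPv6 packet (fixed header, no payload) sent
# from the paper's tunnel address, wrapped between the paper's tunnel end points.
INNER = bytes([0x60, 0, 0, 0, 0, 0, 59, 64]) \
    + ipaddress.IPv6Address("3ffe:3600:1e::6cd").packed \
    + ipaddress.IPv6Address("2001:db8::1").packed
OUTER = encapsulate(INNER, "140.127.47.99", "210.242.96.193")
```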

Figure4: Dual Stack

Figure5: Tunneling

As Figure5 shows, IPv6 packets are encapsulated in IPv4 packets. Local area networks need their own routers to pass packets of both IPv6 and IPv4, so we further need a tunneling router to deal with IPv6 packets. The IETF (Internet Engineering Task Force) has drafted several tunnel tools: Configured Tunneling, 6over4 tunnel, 6to4 tunnel, Tunnel Broker and ISATAP.

2.9.3 6over4 Tunnel

6over4 provides a way to achieve automatic IPv6-in-IPv4 encapsulation for the interconnection of isolated IPv6 hosts in an IPv4 multicast site. The basic idea is to map IPv6 multicast onto organization-local IPv4 multicast so that it is possible to realize IPv4 end-point and router discovery via Neighbor Discovery. Here, an IPv4 domain is a fully interconnected set of IPv4 subnets, within the same local multicast scope, on which there are at least two IPv6 nodes.

6over4 maintains all of the features of IPv6, including end-to-end security and stateless autoconfiguration, and supports multicast by defining a mapping between IPv6 multicast addresses and IPv4 organization-local multicast addresses. Because the multicast is scoped, the isolated end systems can also use private IPv4 address space.

2.9.4 6to4 Tunnel

Automatic tunneling means that tunnel configuration is performed without the need for explicit management. 6to4 is the most widely used automatic tunneling technique. The 6to4 mechanism tunnels IPv6 traffic over IPv4 networks among isolated 6to4 networks. It provides a mechanism for assigning an IPv6 address prefix to a machine that has a global IPv4 address. This machine can connect with another that uses the same mechanism by transmitting encapsulated IPv6 packets over the existing IPv4 infrastructure.

2.9.5 Tunnel Broker

The Tunnel Broker idea is an alternative approach based on the provision of dedicated servers, called Tunnel Brokers, to automatically manage tunnel requests coming from users. This approach is expected to be useful to stimulate the growth of IPv6-interconnected hosts and to allow early IPv6 network providers to provide easy access to their IPv6 networks.

Tunnel brokers can be seen as virtual IPv6 ISPs, providing IPv6 connectivity to users already connected to the IPv4 Internet. In the emerging IPv6 Internet it is expected that many tunnel brokers will be available, so that the user will just have to pick one. The list of tunnel brokers should be referenced on a "well known" web page (e.g. http://www.ipv6.org) to allow users to choose the "closest" one, the "cheapest" one, or any other one. The tunnel broker model is based on the set of functional elements depicted in Figure 6.

In this study, we choose the Tunnel Broker mechanism as the transition mechanism. We describe the operating model later.

Figure6: Tunnel Broker Model

2.9.6 DSTM (Dual Stack Transition Mechanism)

The dual stack transition mechanism is an IPv4/IPv6 transition proposal. The mechanism requires a dedicated server that dynamically provides a temporary global IPv4 address for the duration of the communication (using DHCPv6), and uses IPv4-over-IPv6 dynamic tunnels to carry the IPv4 traffic within IPv6 packets through the IPv6 domain.

DSTM is intended for IPv6-only networks in which hosts still need to exchange information with other IPv4 hosts or applications. When an IPv6-only host needs to communicate using IPv4, the first step is to ask the DSTM server for a temporary IPv4 address. The server that administers the IPv4 address pool reserves one IPv4 address for the IPv6 host and sends it in its reply. The reply message also contains information about the DSTM gateway and the validity time of the allocated address. Figure7 shows the main architecture of DSTM.

The DSTM host encapsulates outgoing IPv4 packets in IPv6 packets and forwards them to the DSTM gateway; incoming packets are tunneled from the gateway to the IPv6 host, which decapsulates them on receipt. In order to assure bidirectional communication, IPv4 routing must assure that any packet intended for the IPv6 host passes through the DSTM gateway. The DSTM gateway forwards and receives IPv4 packets from the global Internet.

Figure7: DSTM architecture

2.9.7 Native

In Native Service, as Figure8 shows, the IPv4 and IPv6 networks are independent. This enables you to build an IPv6-only network without any impact on existing IPv4 networks. Although it is a very convenient approach, it costs a lot: to put Native Service into practice we need to pay a higher initial cost. But IPv6 networks should be established for the future.

Figure8: Native Service

2.10 KAME Project

The KAME Project is a joint effort to create a single solid software set, especially targeted at IPv6/IPsec. The KAME project was started as a 2-year project (April 1998 - March 2000). It has been extended by 2 years twice, so at this moment it runs until March 2004.

Core researchers of the KAME Project have committed to work on the IPv6 stack more than 3 days per week, in a full-time manner. Therefore the project is the primary task for the core researchers, and their primary task is to implement the best networking code possible, under the BSD copyright. Also note that the achievement is provided as free software; the project is much interested in usage of this stack in many ways. Stability is one of the very important goals for the KAME core researchers.

2.10.1 Kernel of KAME

IPv6 support is rock-solid and working fine. IPsec is ready and working well for both IPv4 and IPv6, with good coverage of the algorithms in the RFCs; it has attended a couple of test events and is known to interoperate well. One part of KAME, "Racoon", a home-brew IKE daemon, is ready, has attended a couple of test events and is known to interoperate well; certificate support may need some stabilization. IPComp is ready. ATM and PVC are ready for IPv4/IPv6, heavily tested on Japanese ATM leased line services.

2.10.2 Userland and Others of KAME

SMTP over IPv6, POP over IPv6, FTP over IPv6, TFTP over IPv6, telnet over IPv6, ssh over IPv6, apache6, a v4/v6 nameserver, and a v4/v6 resolver are all ready. A multicast DNS resolver and IPv6 DHCP (DHCPv6) are in testing.

3. Implementations

Here we introduce how we implement a router using a PC. For example, the LAN of the NKNU LAB is an IPv4 network. If we want to connect to IPv6 networks, we need IPv6 support or a transition mechanism. Figure9 shows how we conceive an approach to connect to IPv6 networks. As Figure9 shows, the part that we implement is the IPv6 router, and now we explain how to do it.

Figure 9: The architecture of this study

3.1 The Procedure of KAME Install

Step 1. Prepare a PC (Pentium4 1400MHz, 128MB RAM) for installing FreeBSD and KAME.

Step 2. Install the OS, FreeBSD v4.9.

Step 3. Install the KAME SNAP kit. (The version we use was released on March 22, 2004.)

Step 4. Get the KAME SNAP kit from ftp://ftp.kame.net/pub/kame/snap/

Step 5. Untar the file.
    bonnielo# tar zxvf kame-20040322-freebsd49-snap.tgz

Step 6. Check whether you have installed KAME before; if so, be sure to remove the files under "/usr/local/v6".

Step 7. Make prepare.
    bonnielo# cd kame
    bonnielo# make TARGET=freebsd4 prepare

Step 8. Edit the kernel configuration of FreeBSD.
    bonnielo# cd freebsd4/sys/i386/conf/
    bonnielo# cp GENERIC.KAME my.KAME
    bonnielo# vi my.KAME
    bonnielo# /usr/sbin/config my.KAME

Step 9. Build the kernel.
    bonnielo# cd ../../compile/my.KAME
    bonnielo# make depend


    bonnielo# make
    bonnielo# make install

Step 10. Userland build.
    bonnielo# cd ~/kame/freebsd4/

Step 11. As a common user, run
    % make includes

Step 12. Change to root and run
    bonnielo# make install-includes
    bonnielo# make
    bonnielo# make install

Step 13. Restart the computer.
    bonnielo# reboot

3.2 Setup IPv6 Router

Step 1. Ask for the Tunnel Broker Service. (Here we ask for an IPv6 subnet "3FFE:3600:1E::6CD" from Chunghwa Telecom Laboratories, http://tb.ipv6.chttl.com.tw.) We ask for a subnet from the Tunnel Broker, and then we need to edit the file "/etc/rc.conf".

Step 2. Configure IPv4.
    defaultrouter="140.127.47.253"
    hostname="bonnielo.adsldns.org"
    ifconfig_fxp0="inet 140.127.47.99 netmask 255.255.255.0"

Step 3. Enable IPv6.
    ipv6_enable="YES"

Step 4. Configure network interfaces.
    network_interfaces="lo0 gif0 fxp0"
    ipv6_ifconfig_fxp0="3FFE:3600:1D:300::1 prefixlen 64"
    gif_interfaces="gif0"
    gifconfig_gif0="140.127.47.99 210.242.96.193"

Step 5. Configure the IPv6 over IPv4 tunnel.
    ifconfig_gif0="inet6 3FFE:3600:1E::6CD prefixlen 127"

Step 6. Enable the IPv6 gateway.
    ipv6_gateway_enable="YES"

Step 7. Configure the IPv6 router.
    ipv6_router_enable="YES"
    ipv6_router="/usr/sbin/route6d"
    ipv6_router_flags="-1"
    ipv6_static_routes="default"
    ipv6_route_default="default -interface gif0"

Step 8. Start the Router Advertisement daemon.
    rtadvd_enable="YES"
    rtadvd_interfaces="fxp0"

4. Test

Here we choose one of the NKNU LAB computers to test whether we can connect to IPv6 networks. The IPv4 address of the computer is "140.127.47.74". Now we try to connect to IPv6 websites using this computer. The command "ipconfig" helps us check the IPv4 and IPv6 addresses. After we install IPv6, we can see both IPv4 and IPv6 addresses, as in Figure 11.

Figure 11: The IP state of the computer

Then we try to browse IPv6 websites. First, we connect to the IPv6 Forum of Taiwan (http://www.ipv6.org.tw), as in Figure 12-1 and Figure 12-2.

Figure 12-2: This website shows your IPv6 address

In this way, all computers in our LAB can connect to IPv6 networks. Let us take a look at the website of KAME (http://www.kame.net). Now we can connect to IPv6 networks, and we can see that the logo of KAME is a gif icon. You can see that at http://mendieta.adsldns.org/figure14.gif

5. Conclusions

It is a transition stage for IPv6 growth. Take the LAN of NKNU for example: we do not have IPv6 Native Service. If we want to connect to IPv6 networks, the idea provided by this paper is very practical. We just need a computer, even one whose hardware components are old.

This study provides some concepts about IPv6. Because IPv6 is the future trend of networks, we need to understand it more. In the future, IPv6 and IPv4 networks will survive together. At this moment, using KAME and a Tunnel Broker is a more convenient way to connect to IPv6 networks; this paper records the way described above. We will try other advanced applications of KAME in the future, such as the "racoon" part, which is about IPsec and security applications. We hope to add some utilities by editing the source code.
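As an added example (not code from the paper or from KAME), the following Python checks the /etc/rc.conf settings of section 3.2 for internal consistency before the router is rebooted with them: the tunnel's local end point must be an address this host configures, the IPv6 default route must leave through a tunnel interface, and rtadvd must advertise on the LAN interface rather than on the tunnel. The rc.conf text is a constructed copy of the paper's settings; the parser handles the sh-style assignments only.

```python
import re
import shlex

# Constructed copy of the paper's rc.conf settings (section 3.2, steps 2 to 8).
RC_CONF = '''
defaultrouter="140.127.47.253"
ifconfig_fxp0="inet 140.127.47.99 netmask 255.255.255.0"
ipv6_enable="YES"
network_interfaces="lo0 gif0 fxp0"
ipv6_ifconfig_fxp0="3FFE:3600:1D:300::1 prefixlen 64"
gif_interfaces="gif0"
gifconfig_gif0="140.127.47.99 210.242.96.193"
ifconfig_gif0="inet6 3FFE:3600:1E::6CD prefixlen 127"
ipv6_gateway_enable="YES"
ipv6_router_enable="YES"
ipv6_router="/usr/sbin/route6d"
ipv6_router_flags="-1"
ipv6_static_routes="default"
ipv6_route_default="default -interface gif0"
rtadvd_enable="YES"
rtadvd_interfaces="fxp0"
'''

ASSIGN = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_rc_conf(text: str) -> dict:
    """Return {variable: value} with shell quoting and comments stripped."""
    conf = {}
    for line in text.splitlines():
        m = ASSIGN.match(line.split("#", 1)[0])
        if m:
            conf[m.group(1)] = " ".join(shlex.split(m.group(2)))
    return conf


def check_router(conf: dict) -> list:
    """Return the problems found; an empty list means the settings agree."""
    problems = []
    for key in ("ipv6_enable", "ipv6_gateway_enable",
                "ipv6_router_enable", "rtadvd_enable"):
        if conf.get(key, "").upper() != "YES":
            problems.append("%s is not YES" % key)
    # IPv4 addresses this host configures on its own interfaces.
    v4_here = {v.split()[1] for k, v in conf.items()
               if k.startswith("ifconfig_") and v.startswith("inet ")}
    gifs = conf.get("gif_interfaces", "").split()
    ifaces = conf.get("network_interfaces", "").split()
    for gif in gifs:
        if ifaces != ["auto"] and gif not in ifaces:
            problems.append("%s missing from network_interfaces" % gif)
        ends = conf.get("gifconfig_%s" % gif, "").split()
        if len(ends) != 2:
            problems.append("gifconfig_%s needs 'local remote'" % gif)
        elif ends[0] not in v4_here:
            problems.append("tunnel local end %s is not configured here" % ends[0])
        if not conf.get("ifconfig_%s" % gif, "").startswith("inet6 "):
            problems.append("ifconfig_%s has no inet6 address" % gif)
    route = conf.get("ipv6_route_default", "").split()
    if "-interface" in route and route[-1] not in gifs:
        problems.append("ipv6_route_default does not leave via a tunnel")
    for iface in conf.get("rtadvd_interfaces", "").split():
        if iface in gifs:  # advertising on the tunnel would send RAs to the broker
            problems.append("rtadvd must not advertise on tunnel %s" % iface)
        if not conf.get("ipv6_ifconfig_%s" % iface):
            problems.append("rtadvd on %s but no ipv6_ifconfig_%s prefix" % (iface, iface))
    return problems
```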


Figure 12-1: Connect to IPv6 website
