IP/ICMP Translation Algorithm (IIT) Xing Li, Congxiao Bao, Fred Baker 2008-11-17.

Slides:



Advertisements
Similar presentations
CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
Advertisements

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
PRIVATE NETWORK INTERCONNECTION (NAT AND VPN) & IPv6
Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv IPv6.
1 IPv6. 2 Problem: 32-bit address space will be completely allocated by Solution: Design a new IP with a larger address space, called the IP version.
CE363 Data Communications & Networking Chapter 7 Network Layer: Internet Protocol.
IPv6 Victor T. Norman.
Chapter 22 IPv6 (Based on material from Markus Hidell, KTH)
CS 457 – Lecture 16 Global Internet - BGP Spring 2012.
1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.
Network Layer IPv6 Slides were original prepared by Dr. Tatsuya Suda.
2: Comparing IPv4 and IPv6 Rick Graziani Cabrillo College
Umut Girit  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.
IPv6 Header & Extensions Joe Zhao SW2 Great China R&D Center ZyXEL Communications, Inc.
Network Layer Packet Forwarding IS250 Spring 2010
The Network Layer Chapter 5. The IP Protocol The IPv4 (Internet Protocol) header.
Internet Control Message Protocol (ICMP). Introduction The Internet Protocol (IP) is used for host-to-host datagram service in a system of interconnected.
ICMP & ICMPv6 Referenced on RFC’s 792 and 2463 respectively. Frank Azevedo.
Chapter 5 The Network Layer.
Internet Command Message Protocol (ICMP) CS-431 Dick Steflik.
Notes for IPv6 Terrance Lee. Transition Mechanisms for IPv6 Hosts and Routers (RFC 2893)
1 Internet Control Message Protocol (ICMP) RIZWAN REHMAN CCS, DU.
IPv4/IPv6 Translation: Framework Li, Bao, and Baker.
IPv6 Fundamentals Chapter 2: IPv6 Protocol
Network Layer4-1 NAT: Network Address Translation local network (e.g., home network) /24 rest of.
ICMP (Internet Control Message Protocol) Computer Networks By: Saeedeh Zahmatkesh spring.
Basic Transition Mechanisms for IPv6 Hosts and Routers -RFC 4213 Kai-Po Yang
TCP/IP Essentials A Lab-Based Approach Shivendra Panwar, Shiwen Mao Jeong-dong Ryoo, and Yihan Li Chapter 5 UDP and Its Applications.
CSE4213 Computer Networks II
Fall 2005Computer Networks20-1 Chapter 20. Network Layer Protocols: ARP, IPv4, ICMPv4, IPv6, and ICMPv ARP 20.2 IP 20.3 ICMP 20.4 IPv6.
IPSec IPSec provides the capability to secure communications across a LAN, across private and public wide area networks (WANs) and across the Internet.
1 Internet Control Message Protocol (ICMP) Used to send error and control messages. It is a necessary part of the TCP/IP suite. It is above the IP module.
1 Network Layer Lecture 16 Imran Ahmed University of Management & Technology.
Layer 3: Internet Protocol.  Content IP Address within the IP Header. IP Address Classes. Subnetting and Creating a Subnet. Network Layer and Path Determination.
CSC 600 Internetworking with TCP/IP Unit 7: IPv6 (ch. 33) Dr. Cheer-Sun Yang Spring 2001.
ICMP
Transport Layer3-1 Chapter 4: Network Layer r 4. 1 Introduction r 4.2 Virtual circuit and datagram networks r 4.3 What’s inside a router r 4.4 IP: Internet.
Chapter 13 The Internet.
Lesson 2 Introduction to IPv6.
1 Requirements for Internet Routers (Gateways) and Hosts Relates to Lab 3. (Supplement) Covers the compliance requirements of Internet routers and hosts.
ICMPv6 Error Message Types Informational Message Types.
Chapter 27 IPv6 Protocol.
1 Lecture 13 IPsec Internet Protocol Security CIS CIS 5357 Network Security.
© Janice Regan, CMPT 128, CMPT 371 Data Communications and Networking Network Layer NAT, IPv6.
1 Computer Communication & Networks Lecture 19 Network Layer: IP and Address Mapping Waleed Ejaz.
Internet Protocol Version 4 VersionHeader Length Type of Service Total Length IdentificationFragment Offset Time to LiveProtocolHeader Checksum Source.
Firewalls A brief introduction to firewalls. What does a Firewall do? Firewalls are essential tools in managing and controlling network traffic Firewalls.
UDP : User Datagram Protocol 백 일 우
1 IPv6: Packet Structures Dr. Rocky K. C. Chang 29 January, 2002.
K. Salah1 Security Protocols in the Internet IPSec.
Network Layer Protocols COMP 3270 Computer Networks Computing Science Thompson Rivers University.
Chapter 20 Network Layer: Internet Protocol Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Lecture 13 IP V4 & IP V6. Figure Protocols at network layer.
4: Network Layer4-1 Chapter 4: Network Layer r 4. 1 Introduction r 4.2 Virtual circuit and datagram networks r 4.3 What’s inside a router r 4.4 IP: Internet.
Internet Control Message Protocol (ICMP)
Internet Control Message Protocol (ICMP)
Chapter 4 Network Layer Computer Networking: A Top Down Approach 6th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 CPSC 335 Data Communication.
Chapter 19 Network Layer Protocols
Next Generation: Internet Protocol, Version 6 (IPv6) RFC 2460
Internet Control Message Protocol (ICMP)
Stateless Source Address Mapping for ICMPv6 Packets
Byungchul Park ICMP & ICMPv DPNM Lab. Byungchul Park
Internet Control Message Protocol (ICMP)
Internet Control Message Protocol (ICMP)
Internet Control Message Protocol (ICMP)
Guide to TCP/IP Fourth Edition
Internet Control Message Protocol (ICMP)
Internet Control Message Protocol (ICMP)
Review of Internet Protocols Network Layer
Chapter 4: outline 4.1 Overview of Network layer data plane
Presentation transcript:

IP/ICMP Translation Algorithm (IIT) Xing Li, Congxiao Bao, Fred Baker

2 Abstract This document specifies an update to the Stateless IP/ICMP Translation Algorithm described in RFC The algorithm translates between IPv4 and IPv6 packet headers (including ICMP headers). The specification addresses both a stateful and a stateless mode. –In the stateless mode, translation information is carried in the address itself, permitting both IPv4->IPv6 and IPv6->IPv4 session establishment. –In the stateful mode, translation state is maintained between IPv4 address/port pairs and IPv6 address/port pairs, enabling IPv6 systems to open sessions with IPv4 systems. The choice of operational mode is made by the operator deploying the network. This document confines itself to the actual translation.

3 Outline Introduction Scenario and Terminology Assumptions and Applicability Translating from IPv4 to IPv6 Translating from IPv6 to IPv4 Host operation New testing codes

4 Introduction and motivation Dual stack is preferable. There are several different scenarios where there might be IPv6-only hosts that need to communicate with IPv4-only hosts. This document specifies a mechanism that is one of the components needed to make IPv6-only nodes interoperate with IPv4- only nodes.

5 Scenario IPv6-onlyIPv4-only Xlate DNS IPv4 packetsIPv6 packets The IPv4 packets arrived in the IP/ICMP translator will be translated to IPv6 packets. –The translator translates the packet headers from IPv4 to IPv6 and translate the addresses in those headers from IPv4 addresses to IPv6 addresses. The IPv6 packets arrived in the IP/ICMP translator will be translated to IPv4 packets. –The translator translates the packet headers from IPv6 to IPv4 and translate the addresses in those headers from IPv6 addresses to IPv4 addresses.

6 Assumptions The use of this translation algorithm assumes that the IPv6 network is somehow well connected. The translating function as specified in this document does not translate any IPv4 options and it does not translate IPv6 routing headers, hop-by-hop extension headers, or destination options headers. The translation of datagram containing TCP segments is described in [RFC5382]. Fragmented IPv4 UDP packets that do not contain a UDP checksum (i.e. the UDP checksum field is zero) are not of significant use over wide-areas in the Internet and will not be translated by the translator.

7 Applicability At first sight it might appear that the IPsec functionality [RFC4301] can not be carried across the translator. However, since the translator does not modify any headers above the logical IP layer (IP headers, IPv6 fragment headers, and ICMP messages) packets encrypted using ESP in Transport-mode can be carried through the translator. IPv4 multicast addresses can not be mapped to IPv6 multicast addresses based on the unicast mapping rule. However, special rule can be created for the multicast packet translation.

8 Translating from IPv4 to IPv6

9 4  6 Address translation Source Address: –In both the stateless mode and the stateful mode, the IPv6 address is the IPv4-mapped IPv6 address, which embeds the IPv4 address as specified in [Framework]. Destination Address: –In stateless mode, which is to say that if the IPv4 destination address is within the range of the stateless translation prefix, the IPv6 address is the IPv4-mapped IPv6 address, which embeds the IPv4 address as specified in [Framework]. –In stateful mode, which is to say that if the IPv4 destination address is within the range of the stateful translation prefix, the IPv6 address and transport layer destination port corresponding to the IPv4 destination address and destination port are derived from the database reflecting current session state in the translator.

10 4  6 Address translation examples IPv6-only IPv4-only Xlate src: 2001:250:ff12:b500:1f00:: dst: 2001:250:ffca:266c:0200:: src: dst: Stateless IPv6-only IPv4-only Xlate src: 2001:250:ff12:b500:1f00:: dst: 2001:da8:abcd::X#Q src: dst: #P Stateful Mapping stable #P  2001:da8:abcd::X#Q LIR PrefixIPv4 addr Prefix part Host part 64 Entirely 0 Based on the algorithm Based on the state Based on the algorithm IPv4-mapped IPv6 addressunmapped IPv6 address

11 ICMPv4 Headers  ICMPv6 Headers All ICMP messages that are to be translated require that the ICMP checksum field be updated as part of the translation since ICMPv6 unlike ICMPv4 has a pseudo- header checksum just like UDP and TCP. In addition all ICMP packets need to have the Type value translated and for ICMP error messages the included IP header also needs translation. The actions needed to translate various ICMPv4 messages are: –……

12 ICMPv4 Error Messages  ICMPv6

13 MTU and segmentation handling One of the differences between IPv4 and IPv6 is that in IPv6 path MTU discovery is mandatory but it is optional in IPv4. This implies that IPv6 routers will never fragment a packet - only the sender can do fragmentation. Other than the special rules for handling fragments and path MTU discovery the actual translation of the packet header consists of a simple mapping as defined below. Note that ICMP packets require special handling in order to translate the content of ICMP error message and also to add the ICMP pseudo-header checksum. If the DF flag is not set and the IPv4 packet will result in an IPv6 packet larger than 1280 bytes the IPv4 packet MUST be fragmented prior to translating it. If the DF bit is set and the packet is not a fragment Header translation –…… If there is need to add a fragment header (the DF bit is not set or the packet is a fragment) the header fields are set as above with the following exceptions: –…… If a UDP packet has a zero UDP checksum then a valid checksum must be calculated in order to translate the packet. A stateless translator can not do this for fragmented packets but [MILLER] indicates that fragmented UDP packets with a zero checksum appear to only be used for malicious purposes. Thus this is not believed to be a noticeable limitation. When a translator receives the first fragment of a fragmented UDP IPv4 packet and the checksum field is zero the translator SHOULD drop the packet and generate a system management event specifying at least the IP addresses and port numbers in the packet. When it receives fragments other than the first it SHOULD silently drop the packet, since there is no port information to log. When a translator receives an unfragmented UDP IPv4 packet and the checksum field is zero the translator MUST compute the missing UDP checksum as part of translating the packet. Also, the translator SHOULD maintain a counter of how many UDP checksums are generated in this manner.

14 Knowing when to Translate The translator is assumed to know the address mapping algorithm and the IPv4 prefix range of the stateless translation in the stateless mode or the pool (s) of IPv4 address in the stateful mode. If the translator is implemented in a router providing both translation and normal forwarding, and the address is reachable by a more specific route without translation, the router should forward it without translating it. In general, however, if the IPv4 destination field contains an address that falls in these configured sets of prefixes the packet needs to be translated to IPv6.

15 Translating from IPv6 to IPv4

16 6  4 Address translation Source Address: –In stateless mode, IPv6 packets that are translated always have an IPv4-mapped IPv6 address. Thus the IPv4 address is derived from the IPv4-mapped IPv6 address as specified in [Framework]. –In stateful mode, IPv6 packets that are translated have an unmapped IPv6 address. The IPv4 source address and transport layer source port corresponding to the IPv6 source address and source port are derived from the database reflecting current session state in the translator as described in [nat64]. Destination Address: –In both the stateless mode and the stateful mode, IPv6 packets that are translated always have an IPv4-mapped IPv6 address. Thus the IPv4 address is derived from the IPv4-mapped IPv6 address as specified in [Framework].

17 6  4 Address translation examples IPv6-only IPv4-only Xlate src: 2001:250:ffca:266c:0200:: dst: 2001:250:ff12:b500:1f00:: src: dst: Stateless IPv6-only IPv4-only Xlate src: 2001:da8:abcd::X#Q dst: 2001:250:ff12:b500:1f00:: src: #P dst: Stateful Mapping stable #P  2001:da8:abcd::X#Q LIR PrefixIPv4 addr Prefix part Host part 64 Entirely 0 Based on the algorithm Based on the state Based on the algorithm IPv4-mapped IPv6 addressunmapped IPv6 address

18 ICMPv6 Headers  ICMPv4 Headers All ICMP messages that are to be translated require that the ICMP checksum field be updated as part of the translation since ICMPv6 unlike ICMPv4 has a pseudo- header checksum just like UDP and TCP.

19 ICMPv6 Error Messages  ICMPv4

20 MTU and segmentation handling There are some differences between IPv6 and IPv4 in the area of fragmentation and the minimum link MTU that effect the translation. An IPv6 link has to have an MTU of 1280 bytes or greater. The corresponding limit for IPv4 is 68 bytes. Thus, unless there were special measures, it would not be possible to do end-to-end path MTU discovery when the path includes an IPv6-to-IPv4 translator since the IPv6 node might receive ICMP "packet too big" messages originated by an IPv4 router that report an MTU less than However, [RFC2460] requires that IPv6 nodes handle such an ICMP "packet too big" message by reducing the path MTU to 1280 and including an IPv6 fragment header with each packet. This allows end-to-end path MTU discovery across the translator as long as the path MTU is 1280 bytes or greater. When the path MTU drops below the 1280 limit the IPv6 sender will originate 1280 byte packets that will be fragmented by IPv4 routers along the path after being translated to IPv4.[RFC2460]

21 Knowing when to Translate If the translator is implemented in a router providing both translation and normal forwarding, and the address is reachable by a more specific route without translation, the router should forward it without translating it. Otherwise, when the translator receives an IPv6 packet with an IPv4-mapped destination IPv6 address the packet will be translated to IPv4.

22 Host operation Interaction of IPv4-mapped IPv6 addresses with RFC3484 address selection –IPv6 systems should select source and destination addresses that are as similar as possible. IPv6-only systems with IPv4-mapped IPv6 addresses to connect from their IPv4-mapped IPv6 address when communicating with IPv4-only systems. This is important, because it promotes stateless translation operation. The IPv4-mapped IPv6 address systems may also find the IPv4-mappded IPv6 address pair "most similar" when communicating with other systems with IPv4-mapped IPv6 addresses.

23 New testing code of Xlate