IPv4/IPv6 Coexistence Scenarios - Requirements for Translation Mechanisms. draft-ietf-v6ops-nat64-pb-statement-req-01 M. Bagnulo, F. Baker, I. van Beijnum.

Slides:



Advertisements
Similar presentations
IPv4/IPv6 Coexistence and Transition: Requirements for solutions draft-bagnulo-v6ops-6man-nat64-pb-statement-01 M. Bagnulo, F. Baker v6ops WG - IETF71.
Advertisements

NAT, firewalls and IPv6 Christian Huitema Architect, Windows Networking Microsoft Corporation.
IPv4 - IPv6 Integration and Coexistence Strategies Warakorn Sae-Tang Network Specialist Professional Service Department A Subsidiary.
TCP/IP Protocol Suite 1 Chapter 27 Upon completion you will be able to: Next Generation: IPv6 and ICMPv6 Understand the shortcomings of IPv4 Know the IPv6.
CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
December 5, 2007 CS-622 IPv6: The Next Generation 1 IPv6 The Next Generation Saroj Patil Nadine Sundquist Chuck Short CS622-F2007 University of Colorado,
Project by: Palak Baid (pb2358) Gaurav Pandey (gip2103) Guided by: Jong Yul Kim.
1 Teredo - Tunneling IPv6 through NATs Date: Speaker: Quincy Wu National Chiao Tung University.
Enabling IPv6 in Corporate Intranet Networks
17/10/031 Summary Peer to peer applications and IPv6 Microsoft Three-Degrees IPv6 transition mechanisms used by Three- Degrees: 6to4 Teredo.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.
Understanding Internet Protocol
Guide to Network Defense and Countermeasures Second Edition
An Overview of IPv6 Transition/Co-existence Technologies Fernando Gont UTN/FRH LACNOG 2010 Sao Paulo, Brazil, October 19-22, 2010.
IPv6: The Next Generation Internet Protocol Luke Simpson and Martin Bouts ECE 4112 Spring 2005 May 2nd, 2005.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.
COM555: Mobile Technologies Location-Identifier Separation.
NAT (Network Address Translator) Atif Karamat In the name of God the most merciful and the most compassionate.
Transition Mechanisms for Ipv6 Hosts and Routers RFC2893 By Michael Pfeiffer.
Internet Protocol Security (IPSec)
IP/ICMP Translation Algorithm (IIT) Xing Li, Congxiao Bao, Fred Baker
NAT64 marcelo bagnulo, Philip Matthews, Iljitsch van Beijnum IETF 72 - Dublin.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
資 管 Lee Lesson 11 Coexistence and Migration. 資 管 Lee Lesson Objectives Coexistence and migration overview Coexistence mechanisms ◦ Dual Stack ◦ Tunneling.
Support Protocols and Technologies. Topics Filling in the gaps we need to make for IP forwarding work in practice – Getting IP addresses (DHCP) – Mapping.
Network Layer4-1 NAT: Network Address Translation local network (e.g., home network) /24 rest of.
Mobile IP Traversal Of NAT Devices By, Vivek Nemarugommula.
CSE 8343 Group 3 Advanced OS Inter Operability Between IPv4 and IPv6 Team Members Aman Preet Singh Rohit Singh Nipun Aggarwal Chirag Shah Eugene Novak.
Coexistence and Migration
IPv6 Home Networking Architecture - update IETF homenet WG Interim meeting Philadelphia, 6 th Oct 2011 draft-chown-homenet-arch-00.
Guide to TCP/IP Fourth Edition
Basic Transition Mechanisms for IPv6 Hosts and Routers -RFC 4213 Kai-Po Yang
IPv4/IPv6 transition experience and the features of stateless translation (IVI) Xing Li Plenary: Life after IPv4 Exhaustion.
IPv6 and IPv4 Coexistence Wednesday, October 07, 2015 IPv6 and IPv4 Coexistence Motorola’s Views for Migration and Co-existence of 3GPP2 Networks to Support.
Network Layer4-1 Chapter 4: Network Layer r 4. 1 Introduction r 4.2 Virtual circuit and datagram networks r 4.3 What’s inside a router r 4.4 IP: Internet.
Sharing a single IPv4 address among many broadband customers
APNIC Update The state of IP address distribution and IPv6 deployment status Miwa Fujii Senior IPv6 Program Specialist APNIC.
1 Stable Connectivity IETF 91 11/2014 Honolulu draft-eckert-anima-stable-connectivity-00 T.Eckert M. Behringer.
IPv6 transition strategies IPv6 forum OSAKA 12/19/2000 1/29.
The Implementation of 6TALK Yong-Geun Hong The 1 st GLOBAL IPv6 Summit in AP
Ch 6: IPv6 Deployment Last modified Topics 6.3 Transition Mechanisms 6.4 Dual Stack IPv4/IPv6 Environments 6.5 Tunneling.
The necessity of 4-over-6 stateless address sharing mechanism Satoru Matsushima Jie Jiao Chunfa Sun 0.
Use of the IPv6 Flow Label as a Transport-Layer Nonce draft-blake-ipv6-flow-nonce-02 Steven Blake IETF 76 November 2009.
An Update on Multihoming in IPv6 Report on IETF Activity RIPE IPv6 Working Group 22 Sept 2004 RIPE 49 Geoff Huston, APNIC.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 11: Network Address Translation for IPv4 Routing And Switching.
Guidance of Using Unique Local Addresses draft-liu-v6ops-ula-usage-analysis-05 draft-liu-v6ops-ula-usage-analysis-05 Bing Liu(speaker), Sheng Jiang, Cameron.
W&L Page 1 CCNA CCNA Training 3.4 Describe the technological requirements for running IPv6 in conjunction with IPv4 Jose Luis Flores /
Deploying IPv6, Now Christian Huitema Architect Windows Networking & Communications Microsoft Corporation.
Public 4over6: WGLC feedback Peng Wu IETF84. Feedback from WGLC Relationship with stateless 4-over-6 solutions? Different primary targets and application.
Site Multihoming for IPv6 Brian Carpenter IBM TERENA Networking Conference, Poznan, 2005.
17/10/031 Euronetlab – Implementation of Teredo
Uni Innsbruck Informatik th IETF, PMTUD WG: Path MTU Discovery Using Options draft-welzl-pmtud-options-01.txt Michael Welzl
DNS64 draft-bagnulo-behave-dns64-01 m. bagnulo, P. Matthews, I. van Beijnum, A. Sullivan, M. Endo IETF 73 - Mineapolis.
IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.
IPv6 Security Issues Georgios Koutepas, NTUA IPv6 Technology and Advanced Services Oct.19, 2004.
IPv6 Transition Mechanisms - 6DISS Workshop - 5 March 2006 IPv6 Transition Mechanisms, their Security and Management Georgios Koutepas National Technical.
Lecture 13 IP V4 & IP V6. Figure Protocols at network layer.
Atrium Router Project Proposal Subhas Mondal, Manoj Nair, Subhash Singh.
COM594: Mobile Technologies Location-Identifier Separation.
Internet Protocol Version 6 Specifications
Network Address Translation
Stateless Source Address Mapping for ICMPv6 Packets
LESSON 3.3_A Networking Fundamentals Understand IPv6 Part 1.
New Solutions For Scaling The Internet Address Space
An Update on Multihoming in IPv6 Report on IETF Activity
Chapter 11: Network Address Translation for IPv4
Presentation transcript:

IPv4/IPv6 Coexistence Scenarios - Requirements for Translation Mechanisms. draft-ietf-v6ops-nat64-pb-statement-req-01 M. Bagnulo, F. Baker, I. van Beijnum IETF72

Requirements for new generation of v4-v6 translation mechanisms Basic Requirements that MUST be supported Important things that SHOULD be supported

Translation scenario,-----.,-----.,' `.,' `. / \ / \ / IPv4-only \ / IPv6-only \ / Domain Domain \ ; |Translation| : | | Gateway | | : ; \ / \ / \ |IPv4| / \ |IPv6| / \ |Host| / \ |Host| / ` ,' ` ,' '-----' '-----’ IPv4 host means that it has only v4 stack or a dual stack host without IPv6 address IPv6 host means that it has only v6 stack or a dual stack host without IPv4 address

Basic Requirements that MUST be supported R1: Changes in the hosts The translation mechanism MUST NOT require changes in the v4-only nodes to support the Basic requirements described in this section,unless explicitly stated in the particular requirement. The translation mechanism MAY require changes to v6-only nodes. Question: are changes in dual stack nodes acceptable or not? Question: we do agree that changes are ok in v6 only nodes with current definition of v6 only node?

Basic Requirements that MUST be supported R2: Basic communication support –R2.1: Translation mechanim must support v6-initiated short-lived local handle (as defined in Section 3.1. –strong consensus on this –Question: v6-initiated connections from which v6 address to which v4 address? All v6 source to all v4 destinations? Subset of v6 sources to all v4 destinations? Subset of v6 sources to subset of v4 dest?

Basic Requirements that MUST be supported R2: Basic communication support –R2.2: Translation mechanim must support v4- initiated short-lived local handle (as defined in Section 3.1). – there is not clear if there is consensus for this –The problem is that some basic req may not be possible to meet in this case –Proposal: keep it, but have seprate reqs lists for v4 and v6 initiated communications

Basic Requirements that MUST be supported R3: Interaction with dual-stack hosts Translation mechanism MUST allow using native connectivity when it is available. This means that if a v6(4)-only nodes wants to communicate with a dual stack, it must use native v6(4) connectivity (In this case, dual stack means a host with both IPv6 and IPv4 stacks, wich are both active, i.e. they have v4 and v6 connectivity). Question 1: v6 only nodes may require modification to do this and this means that unmodified hosts may not prefer native connectivity and apps non compatible with nats would break. Should we disallow this? Question 2: is this requirement feasible for unmodified v4 only hosts? My guess is no

Basic Requirements that MUST be supported R4: DNS semantics preservation Any modifications to DNS responses associated with translation MUST NOT violate standard DNS semantics. This includes in particular that a DNS response (that has been modified by the translator mechanism) should not be invalid if it ends up in the wrong context, i.e. traversing a non expected part of the topology. Question: this can be achieved of v6 intiated communications, but hardly can be the case for v4 intiated connections...

Basic Requirements that MUST be supported R5: Routing IPv6 routing should not be affected in any way, and there should be no risk of importing "entropy" from the IPv4 routing tables into IPv6. No issues with this

Basic Requirements that MUST be supported R6: Protocols supported –The translation mechanism MUST support at least TCP, UDP, ICMP, TLS. –Question: what is the rationale we include TLS here? –Question: should we move DCCP and SCTP to MUST rahter than SHOULD?

Basic Requirements that MUST be supported R7: Behave requirements The translation mechanism MUST be compliant with the requirements for IPv4 NATs defined in [I-D.ietf- behave-tcp] and in [RFC4787] when applicable. These requirements should be interpreted with the IPv6 side on the IPv6-IPv4 translator being the IPv4 private side of the conventional NAT. This heavily assumes v6 initiated communications. If we have nat46, we probably don’t need this Question: should we include the behave requirements for ICMP, DCCP, SCTP?

Basic Requirements that MUST be supported R8: Fragmented packets The translation mechanism MUST suport fragmented packets when the fragments arrive within an interval smaller or equal to 5 seconds. Redundant with behave requirements?

Basic Requirements that MUST be supported R9: Security The adoption of the translation mechanism MUST not result in a significantly more vulnerable Internet

Basic Requirements that MUST be supported R10: DNSSec support DNSSec support MUST NOT be prevented. R10.1: In particular, if an IPv6 node is initiating a communication with an IPv4 that is located behind a translator, the IPv6 initiator MUST be able to perform DNSSec verification of the DNS information of the IPv4 target. (strong consensus on this one).

Basic Requirements that MUST be supported R10: DNSSec support DNSSec support MUST NOT be prevented. R10.2: In particular, if an IPv4 node is initiating a communication with an IPv6 that is located behind a translator, the IPv4 initiator MUST be able to perform DNSSec verification of the DNS information of the IPv4 target. This may require the modification of the IPv4 node as well. not clear if there consensus on this one Not clear if it is feasible

Basic Requirements that MUST be supported R11: IPsec support. The translator MUST be able to support the translation of at least one mode of IPsec and IKE flows sufficient to allow nodes using IKE and IPsec to successfully set up and use IPsec SAs. Although desirable, it is not a requirement that such a capability be done with no changes to the IPv4 nodes IKE/IPsec implementation.

Important things that SHOULD be supported (I) I1: Operational flxibility –It should be possible to locate the translation device at an arbitrary point in the network (i.e. not at fixed points such as a site exit), so that there is full operational flexibility.

Important things that SHOULD be supported (II) I2: Richer application behaviour support –The translation mechanism SHOULD support the other types of application behaviours, including Long-lived application associations, callbacks and referrals.In order to support this. The translation mechanism MAY require changes to v4-only nodes too I3: SCTP support –The translation mechanism SHOULD not prevent a SCTP communication between a v6-only node and a v4-only node

Important things that SHOULD be supported (III) I4: DCCP support –The translation mechanism SHOULD not prevent a DCCP communication between a v6-only node and a v4-only node I5: Multicast support –The translation mechanism SHOULD not prevent multicast traffic between the v4-only nodes and the v6-only nodes.

OLD slides next

Transition scenarios There are seven obvious transition scenarios: –IPv4 system connecting to an IPv4 system across an IPv4 network, –An IPv6 system connecting to an IPv6 system across an IPv6 network, –an IPv4 system connecting to an IPv4 system across an IPv6 network, –an IPv6 system connecting to an IPv6 system across an IPv4 network, –an IPv4 system connecting to an IPv6 system, or –an IPv6 system connecting to an IPv4 system. –a dual stack system connected to a IPv6 domain that is connecting to an IPv4 system.

Transition scenarios IPv4 system connecting to an IPv4 system across an IPv4 network, An IPv6 system connecting to an IPv6 system across an IPv6 network, Dual stack provides support for these

Transition scenarios an IPv4 system connecting to an IPv4 system across an IPv6 network, an IPv6 system connecting to an IPv6 system across an IPv4 network, Both tunnels and translation could support these, we reccomend tunnels.

Transition scenarios an IPv4 system connecting to an IPv4 system across an IPv6 network, an IPv6 system connecting to an IPv6 system across an IPv4 network, Both tunnels and translation could support these, we reccomend tunnels.

Transition scenarios an IPv4 system connecting to an IPv6 system, or an IPv6 system connecting to an IPv4 system. Translation is needed to support these

Requirements for the overall transition strategy (I) 1.Any transition strategy must contemplate a period of coexistence, with ultimate transition (e.g., turning off IPv4) being business decision. 2.Many are delaying turning on IPv6 (initiating coexistence in their networks) as long as possible. 3.Some are turning off IPv4 immediately, at least as a customer service. 4.Therefore, dual stack approaches, tunneled architectures, and translation architectures are all on the table.

Requirements for the overall transition strategy (II) 5.Any solution that makes translation between semi- connected islands "normal" has failed the fundamental architecture of the Internet and can expect service complexity to be an issue. 6.Translation architectures must provide for the advertisement of IPv4 names to IPv6 systems and vice versa. The address advertised in the "far" domain must be that of the translating gateway. 7.Tunneling architectures must provide a way to minimize and ideally eliminate configuration of the tunnel.

Market timing considerations We expect translation mechanism to require deployment in the very near term –Prior to IPv4 address depletion Host software tends to be changed primarily when people buy new hardware –every 2-3 years on average, The mechanisms needs to be compatible with currently-deployed –Windows (XP and Vista), MacOSX (Tiger and Leopard), Linux, and Solaris operating systems. The solution is expected to deploy via patch update procedures in the hosts or otherwise all solved in network devices.

Requirements for new generation of v4-v6 translation mechanisms Basic Requirements that MUST be supported Important things that SHOULD be supported

Basic Requirements that MUST be supported R1: Changes in the hosts: –The translation mechanism MUST NOT require changes in the v4-only nodes to support the Basic requirements. –The translation mechanism MAY require changes to v6-only nodes. R2: Basic communication support: –Translation mechanim must support v4-initiated and v6-initiated (?) short-lived local handle.

Basic Requirements that MUST be supported R3: Interaction with dual-stack hosts: –Translation mechanism MUST allow using native connectivity when it is available. This means that if a v6-only nodes wants to communicate with a dual stack, it must use native v6 connectivity and the other way round R4: Private Addressing: –The translation mechanism MUST support v4-initiated short- lived local handle type of communication when the v4-only node has a private v4 address. R5: DNS semantics preservation: –Any modifications to DNS responses associated with translation MUST NOT violate standard DNS semantics. This includes in particular that a DNS response should not be invalid if it ends up in the wrong context, i.e. traversing a non expected part of the topology.

Basic Requirements that MUST be supported R6: Routing: –IPv6 routing should not be affected in any way, and there should be no risk of importing "entropy" from the IPv4 routing tables into IPv6. R7: Protocols supported: –The translation mechanism MUST support at least TCP, UDP, ICMP, TLS. R8: Behave-type requirements: –Mapping timeout (5min), –Address mapping behaviour: Endpoint independent –Port Assignment –Filtering behaviour: Endpoint independent

Basic Requirements that MUST be supported R9: Fragmented packets: –The translation mechanism MUST suport fragmented packets when the fragments arrive in an ordered fashion. R10: Security: –The adoption of the translation mechanism MUST not introduce new vulnerabilities in the Internet

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.