1 IPv6 Transition Mechanisms A set of protocol mechanisms implemented in hosts and routers. To allow IPv6 and IPv4 hosts to interoperate. –Because it is impossible to have a “flag day” for all hosts to upgrade from IPv4 to IPv6. To allow IPv6 hosts and routers to be deployed in the Internet in a highly diffuse and incremental fashion, with few interdependencies The transition should be as transparent to general users as possible

簡 介簡 介

NGtrans 規劃之轉換機制

4 IPv4–to–IPv6 Transition Strategy (RFC 2893) Dual Stack –Reduce the cost invested in transition by running both IPv4/IPv6 protocols on the same machine. Tunneling –Reduce the cost in wiring by re-using current IPv4 routing infrastructures as a virtual link. Translation (RFC 2766 NAT-PT) –Allow IPv6 realm to access the rich contents already developed on IPv4 applications From 16-bit DOS to 32-bit Windows From 4-byte IPv4 to 16-byte IPv6

5 Dual-Stack Approach When adding IPv6 to a system, do not delete IPv4 –This multi-protocol approach is familiar and well-understood (e.g., for AppleTalk, IPX, etc.) –Note: in most cases, IPv6 will be bundled with new OS releases, not an extra-cost add-on (e.g., Windows Vista/7, CentOS 5, FreeBSD 8) Applications (or libraries) choose IP version to use –when initiating, based on DNS response: –if (dest has AAAA or A6 record) use IPv6, else use IPv4 –when responding, based on version of initiating packet This allows indefinite co-existence of IPv4 and IPv6, and gradual, app-by-app upgrades to IPv6 usage DRIVER IPv4 IPv6 APPLICATION TCP/UDP

簡易雙重架構機制 IPv4 Stack 功能啟動，而 IPv6 功能關閉 ( 即 IPv4-only node) IPv6 Stack 功能啟動，而 IPv4 功能關閉 ( 即 IPv6-only node) IPv4 Stack 及 IPv6 Stack 功能皆啟動 (node 具組態切換功能 )

IPv4/IPv6 雙重架構機制

8 Dual Stack Approach & DNS In a dual stack case, an application that: –Is IPv4 and IPv6-enabled –Asks the DNS for all types of addresses –Chooses one address and, for example, connects to the IPv6 address DNS Server IPv4 IPv6 = * ? 2001:DB8::

9 Dual Stack Approach Dual stack node means: –Both IPv4 and IPv6 stacks enabled –Applications can talk to both –Choice of the IP version is based on name lookup and application preference TCPUDP IPv4IPv6 Application Data Link (Ethernet) 0x08000x86dd TCPUDP IPv4IPv6 IPv6-enable Application Data Link (Ethernet) 0x08000x86dd Frame Protocol ID Preferred method on Application’s servers

10 Cisco IOS Dual Stack Configuration Cisco IOS is IPv6-enable: –If IPv4 and IPv6 are configured on one interface, the router is dual-stacked –Telnet, Ping, Traceroute, SSH, DNS client, TFTP,… IPv6 and IPv4 Network Dual-Stack Router IPv4: IPv6: 2001:C58:213:1::/64 eui-64 router# interface Ethernet0 ip address ipv6 address 2001:C58:213:1::/64 eui-64

ping 11

DNS Queries of A and AAAA Records 12

Exercise Try to turn off IPv6 on your PC, and repeat the above test. What are the differences? 13

14 IPv4–to–IPv6 Transition Strategy (RFC 2893; obsoleted by RFC 4213) Dual Stack –Reduce the cost invested in transition by running both IPv4/IPv6 protocols on the same machine. Tunneling –Reduce the cost in wiring by re-using current IPv4 routing infrastructures as a virtual link. Translation (RFC 2766 NAT-PT; obsoleted by RFC 4966) –Allow IPv6 realm to access the rich contents already developed on IPv4 applications From 16-bit DOS to 32-bit Windows From 4-byte IPv4 to 16-byte IPv6

15 Tunnels of IPv6 over IPv4 Encapsulating the IPv6 packet in an IPv4 packet Tunneling can be used by routers and hosts IPv4 IPv6 Network Tunnel: IPv6 in IPv4 packet IPv6 Host Dual-Stack Router IPv6 Host IPv6 Header IPv4 Header IPv6 Header Transport Header Data Transport Header

16 IPv6 Tunneling Service Provider IPv4 Backbone Service Provider IPv4 Backbone IPv6 Tunnel IPv6 Network IPv6 Header Transport Layer Header IPv4 Header IPv6 Header Transport Layer Header Data

17 Manually Configured Tunnel IPv4 IPv6 Network Dual-Stack Router2 Dual-Stack Router1 IPv4: IPv6: 2001:DB8:c18:1::3 IPv4: IPv6: 2001:DB8:c18:1::2 router1# interface Tunnel0 ipv6 address 2001:DB8:c18:1::3/64 tunnel source tunnel destination tunnel mode ipv6ip router2# interface Tunnel0 ipv6 address 2001:DB8:c18:1::2/64 tunnel source tunnel destination tunnel mode ipv6ip Manually Configured tunnels require: Dual stack end points Both IPv4 and IPv6 addresses configured at each end

18 IPv4 Manually Configured Tunnel Dual-Stack Router IPv4: IPv6: 2001:288:03a1:210::3/127 FreeBSD4.7# gifconfig gif ifconfig gif0 inet6 2001:288:03a1:210::2 2001:288:3a1:210::3 prefixlen 128 Dual-Stack Host IPv4: IPv6: 2001:288:03a1:210::2/127

19 Linux Tunnel /etc/sysconfig/network-scripts/ifcfg-sit1 DEVICE=sit1 BOOTPROTO=none ONBOOT=yes IPV6INIT=yes #Remote end-ISP IPv4 addr IPV6TUNNELIPV4= #Yourself IPv6 tunnel addr from ISP IPV6ADDR=2001:288:3A1:210::2/127 ifup sit1

20 Windows XP Tunnel netsh interface ipv6 –add v6v4tunnel “T1" Syntax: add v6v4tunnel [[interface=]String] localIPv4Address remoteIPv4Address –add address “T1“ 2001:238:F88:B::30 –add route 2001:238:F88:B::30/127 “T1” Now you can ping the remote tunnel endpoint 2001:238:F88:B::31 Use Wireshark to capture packets with filter “ip host ”.

Windows 7

通道代理者 (Tunnel Broker) 機制

通道代理者機制運作 1) 使用者聯結 Tunnel Broker 進行註冊事宜 (registration procedure) 2) 使用者再次聯結 Tunnel Broker ，提供使用者端 點資訊 ( 包括： IP 位址、作業系統、 IPv6 支援軟 體等 ) 3) Tunnel Broker 建置網路端點、 DNS 伺服器及使 用者端點組態 4) 通道建置完成，使用者可以直接連至 IPv6 網路

通道代理者機制運作

通道代理者機制運作 (1)

通道代理者機制運作 (2)

通道代理者 (Tunnel Broker) 機制 Implementation

通道代理者機制服務

通道代理者 (Tunnel Broker) 機制 Scripts and Parameters

通道代理者 (Tunnel Broker) 機制 Interface

通道代理者 (Tunnel Broker) 機制 Routing Table

33 Tunnel Packets

Exercise Try to build IPv6 tunnels with one of the following tunnel brokers: –Academia Sinica –HiNet –Hurricane Electric

Some Words About Tunnel Brokers 1 tunnel, 1 route, to all the IPv6 world. Ease the configuration Route may not be optimal. –Especially when users build tunnels with different service providers.

Automatic Tunnels IPv4 Compatible Tunnel (RFC 2893) IPv6-over-IPv4 Tunnel (RFC 2529) 6to4 Tunnel (RFC 3056) ISATAP (RFC 5214) Teredo (RFC 4380)

37 IPv4 Compatible Tunnel (RFC 2893) IPv4-compatible addresses are easy way to auto-tunnel, but it: –May be deprecated soon –Consumes IPv4 addresses IPv4 Dual-Stack Router IPv4: IPv6: :: IPv4: IPv6: ::

IPv6-over-IPv4 Tunnel (RFC 2529) Using an IPv4 multicast domain ( /16) as their virtual local link. IPv6 address of the tunnel interface would be FE80::[32-bit IPv4 address] IPv6 Network IPv4 multicast FE80:: FE80:: :DB8::/ :DB8:0A0A: :DB8:A316:1401

39 6to4 Tunnel (RFC 3056) IPv4 IPv6 Network 6to4 Router2 6to4 Router Network prefix: 2002:83F3:812C::/48 Network prefix: 2002:8C6E:C7FA::/48 E0 2002:83F3:812C:1::3 2002:8C6E:C7FA:2::5 IPv6 SRC 2002:83F3:812C:1::3 Data IPv6 DEST 2002:8C6E:C7FA:2::5 IPv6 SRC 2002:83F3:812C:1::3 Data IPv6 DEST 2002:8C6E:C7FA:2::5 IPv6 SRC 2002:83F3:812C:1::3 Data IPv6 DEST 2002:8C6E:C7FA:2::5 IPv4 SRC IPv4 DEST

40 6to4 Tunnel IPv4 IPv6 Network 6to4 Router2 6to4 Router Network prefix: 2002:83F3:812C::/48 Network prefix: 2002:8C6E:C7FA::/48 == E0 router2# interface Ethernet0 ip address ipv6 address 2002:8C6E:C7FA:1::/64 eui-64 interface Tunnel0 no ip address ipv6 unnumbered Ethernet0 tunnel source Ethernet0 tunnel mode ipv6ip 6to4 ipv6 route 2002::/16 Tunnel0 6to4 Tunnel: – Is an automatic tunnel method – Gives a prefix to the attached IPv6 network – 2002::/16 assigned to 6to4 – Requires one global IPv4 address on each site

41 6to4 Tunnel in Windows XP 6to4 Tunnel is enabled in Windows XP by default.

42 Network Address Translator Computer A IP: Port: 80 Computer B IP: Port: 80 NAT Public Internet IP: Port: IP: Port: Mapping Table : : DHCP Server DHCP Client PPPoE Client Private NIC Public NIC

43 IPv6 tunneling problem It does not work when the IPv4 address is not globally routable IPv6 B DE site IPv6 host 6to4 router IPv4 router C Src: A6 Dest: E6 data Src: A6 Dest: E6 data 6to4 Relay router Src: N4 Dest: D4 Src: A6 Dest: E6 data Src: N4 Dest: D4 Src: A6 Dest: E6 data A to B: IPv6 D to E: IPv6 B to C: IPv4 (encapsulating IPv6) C to D: IPv4 (encapsulating IPv6) A v6 IP: 2002:A00:1:1::3/48 (A6) B v6 IP: 2002:A00:1:1::1/48 (B6) B v4 IP: (B4) E v6 IP: 2001:238:f88:4::2/64 (E6) D v6 IP: 2001:238:f88:4::1/64 (D6) D v4 IP: (D4) A IPv6 host IPv4 NAT address: (N4) NAT IPv4 Src: B4 Dest: D4 Src: A6 Dest: E6 data Address translation B4 is a private address! E6 A6 D4 B4

44 IPv6 Tunneling Problem [1/2] IPv6 Network IPv4 IPv6 Network 6to4 Router2 NAT 6to4 Router1 A B :8C77:D1FA:2:: Network prefix: 2002:8C77:D1FA::/48 IPv6 SRC 2002:A00:1:1::3 Data IPv6 DEST 2002:8C77:D1FA:2::5 IPv4 SRC IPv4 DEST Network prefix: 2002:A00:1::/ :A00:1:1::3 IPv6 SRC 2002:A00:1:1::3 Data IPv6 DEST 2002:8C77:D1FA:2::5 IPv4 SRC IPv4 DEST IPv6 SRC 2002:A00:1:1::3 Data IPv6 DEST 2002:8C77:D1FA:2::5 IPv6 SRC 2002:A00:1:1::3 Data IPv6 DEST 2002:8C77:D1FA:2::5

45 IPv6 Tunneling Problem [2/2] IPv6 Network IPv4 IPv6 Network 6to4 Router2 Connection can’t be established! 6to4 Router1 A :8C77:D1FA:2:: Network prefix: 2002:8C77:D1FA::/48 Network prefix: 2002:A00:1::/ :A00:1:1::3 IPv4 SRC IPv4 DEST IPv6 SRC 2002:8C77:D1FA:2::5 Data IPv6 DEST 2002:A00:1:1::3 IPv6 SRC 2002:8C77:D1FA:2::5 Data IPv6 DEST 2002:A00:1:1::3 ？ NAT B

46 Teredo Service (RFC 4380) Allow hosts behind NAT to access IPv6 without modifying NAT. It contains three basic components: –Teredo Client a node wants to gain access to the IPv6 Internet. –Teredo Server helper to provide IPv6 connectivity to Teredo clients. –Teredo Relay an IPv6 router that can receive traffic from IPv6 realm to Teredo clients and vice versa.

47 Teredo service To allow hosts behind NAT to access IPv6, without modifying NAT. –Teredo is not a long term solution –If NAT also supports IPv6 routing, the problem of NAT traversal will disappear.

48 Teredo definitions Teredo client –A node wants to gain access to the IPv6 Internet. Teredo server –helper to provide IPv6 connectivity to Teredo clients. Teredo relay –An IPv6 router that can receive traffic destined to Teredo clients and forward it to Teredo client. Teredo bubble –minimal IPv6 packet, made of an IPv6 header and null payload, no Next Header. Teredo service –The transmission of IPv6 packets over UDP.

49 Operation model A client has pre-configured server location. A client gets IPv6 prefix from the Teredo server. Teredo server Teredo relay Teredo client NAT IPv6 IPv4 Teredo IPv6 prefix? Tunnel Teredo server is stateless. Traffic goes directly between the relay router and the client. Teredo Relay announces reachability of Teredo prefix on IPv6 realm. Relay and Client maintain peer list to avoid sending Teredo message too often. Teredo IPv6 prefix, your mapped address IPv4

50 Teredo Operation Model IPv4 Teredo Client Teredo Relay NAT Teredo Server Teredo Client gets its Teredo IPv6 address from Teredo Server. Use Teredo Relay as relay router. IPv4 Header UDP Header Teredo Header IPv6 packet UDP tunnel My address? Your Teredo address. IPv6 Host IPv6 Network Tunneling packet

51 Teredo address encoding Prefix: the 32 bit Teredo service prefix. –2001:0000::/32 Server IPv4: the IPv4 address of a Teredo server. Flags: a set of 16 bits that document type of address and NAT. –16 bits flag: “C00000UG ” –C=1 if NAT is cone. –UG should set to “00”. Port: the obfuscated "mapped UDP port" of the client Client IPv4: the obfuscated "mapped IPv4 address" of a client PrefixServer IPv4FlagsPortClient IPv Obfuscated: XOR every bits in the field with 1, prevent over-genius NAT ’ s translation.

52 Obtaining an address(1/2) IPv4UDPOrigin indicationIPv6 RA Teredo client sends a UDPv4 tunneled IPv6 Router Solicitation to the Teredo server. Teredo server replies UDPv4 tunneled IPv6 Router Advertisement with origin indication. Teredo server Teredo relay Teredo client IPv6 IPv : : IPv4UDPIPv6 RS 0x00 mapped port # mapped IPv4 address Origin indication format NAT IPv4

53 Obtaining an address(2/2) Client get mapped address/port from origin indication –Mapped address: :4096 –Already known server IP: Generated Teredo IPv6 address –Prefix: 2001:0000::/32 –Server: 0x0102:0304 (Teredo server IP address: ) –Flags: 0x8000 (cone NAT) –Obfuscated Port: 0xEFFF (=0xFFFF ⊕ 4096) –Obfuscated Address: 0xF6FF:FFFE (=0xFFFF:FFFF ⊕ ) –Teredo IPv6 Address: 2001:0000:102:304:8000:EFFF:F6FF:FFFE Must keep alive address mapping on NAT –Default refresh interval: 30 seconds.

54 Packet from Teredo node to IPv6 node (1/3) A does not know which relay will be chosen by B. A sends ICMPv6 “echo request" toward B. S forwards “echo request” to IPv6 realm. Teredo Server S Teredo Relay R Teredo Client A NAT IPv6 IPv : : :3544 PREF:102:304::EFFF:F6FF:FFFE B 2000::B : :3544PREF:102:304::E FFF:F6FF:FFFE 2000::B Src.Dest. IPv6 Src. IPv6 dest :3544 PREF:102:304::E FFF:F6FF:FFFE 2000::B

55 Packet from Teredo node to IPv6 node (2/3) B sends the “echo reply” back to Teredo Client. The IPv6 packet will be queued by Teredo Relay. If Teredo Client is behind a restricted NAT, a bubble must be sent to Teredo Server. SR A NAT IPv6 IPv : : :3544 PREF:102:304::EFFF:F6FF:FFFE B 2000::B IPv6 Src. IPv6 dest : ::BPREF:102:304:: EFFF:F6FF:FFF E

56 Packet from Teredo node to IPv6 node (3/3) R sends the queued “echo reply” to A. A knows B can be reached through address :3544. A will send all further packets directly through R. SR Teredo Client A NAT IPv6 IPv : : :3544 PREF:102:304::EFFF:F6FF:FFFE B 2000::B :3544

57 Teredo Client HiNet IPv6 Network NAT IPv4 Network NAT Teredo Server Teredo Client IPv6 only Teredo Relay DNS Trial of Teredo in NCTU IPv6 only

58 Teredo Tunnel [1/2] IPv4 Teredo Client Teredo Relay NAT IPv6 Network Teredo Server :238:F88:131::7 2001:0000:8C71:8337:80 00:234B:738E:7CB :1033 IPv4 SRC IPv4 DEST IPv6 SRC 2001:0000:8C71:8337:80 00:234B:738E:7CB5 Data IPv6 DEST 2001:238:F88:131::7 IPv4 SRC IPv4 DEST UDP SRC UDP DEST 3544 UDP SRC 1033 UDP DEST 3544 Teredo Header IPv6 SRC 2001:0000:8C71:8337:80 00:234B:738E:7CB5 Data IPv6 DEST 2001:238:F88:131::7 IPv6 SRC 2001:0000:8C71:8337:80 00:234B:738E:7CB5 Data IPv6 DEST 2001:238:F88:131:: B

59 Teredo Tunnel [2/2] IPv4 Teredo Client Teredo Relay NAT IPv6 Network Teredo Server :238:F88:131::7 2001:0000:8C71:8337:8 000:234B:738E:7CB : 1033 IPv4 SRC IPv4 DEST IPv6 SRC 2001:238:F88:131::7 Data IPv6 DEST 2001:0000:8C71:8337:80 00:234B:738E:7CB5 IPv6 SRC 2001:238:F88:131::7 Data IPv6 DEST 2001:0000:8C71:8337:80 00:234E:738E:7CB5 IPv4 SRC IPv4 DEST IPv6 SRC 2001:238:F88:131::7 Data IPv6 DEST 2001:0000:8C71:8337:80 00:234E:738E:7CB5 UDP SRC 3544 UDP DEST UDP SRC 3544 UDP DEST 1033 Teredo Header B

60 Protocol Decoder in Ethereal = Port: 56500

61 Conclusions Tunneling is a useful technique to establish connectivity between IPv6 sites even though they don’t have direct links between each other. Many users get private IPv4 address from their service providers, such as WLAN and GPRS. These users have difficulty in creating IPv6 tunnels. Before all NAT devices can be upgraded to support IPv6, Teredo service is useful for ISPs to provide IPv6 access to their users behind NAT.