
1 IPv6 Technical Training, General Course -- IPv6 Protocol Operating Principles and Applications. All rights reserved. No part of this publication and file may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of Professor Nen-Fu Huang (E-mail: nfhuang@cs.nthu.edu.tw). Distinguished Professor Nen-Fu Huang (黃能富), Department of Computer Science, National Tsing Hua University (國立清華大學資訊工程系). E-mail: nfhuang@cs.nthu.edu.tw

2 IPv6 Protocols and Applications - 2
Outline
- Introduction to the IPv6 protocol
- IPv6 Routing and IPv6 Addressing
- IPv6 Plug and Play Feature
- IPv6 Security/QoS Support
- IPv4 to IPv6 Transition Mechanisms
- IPv6 status and development trends in Taiwan and abroad

3 IPv6 Applications
- Home Appliance Controllers
- VoIP/Video Streaming
- Remote Controllers
- 3G/4G/5G
- Internet On-line Games
- Home Automation
- Sensors and Sensor Networks
- Internet of Things (IoT)
- Machine-to-Machine (M2M)
- Others

4 IP addresses are needed everywhere

5 IPv6 Design Philosophy
- The Internet could not have been so successful in the past years if IPv4 had contained any major flaw.
- IPv4 was a very good design, and IPv6 should indeed keep most of its characteristics.
- Simply increase the size of addresses and keep everything else unchanged?
- However, 20 years of experience brought lessons.
- IPv6 is not a simple derivation of IPv4, but a definitive improvement.

6 IPv6 Header Format

7 IPv4 Header Format
[Figure: IPv4 header layout, bit positions 0, 3, 8, 15, 19, 31: Version | IHL | Type of Service | Total Length; Identification | Flags | Fragment Offset; Time to Live | Protocol | Header Checksum; Source IP Address; Destination IP Address; Options + Padding; Data]

8 A Comparison of Two Headers
- Six fields were suppressed:
  - Header Length, Type of Service, Identification, Flags, Fragment Offset, Header Checksum
- Three fields were renamed:
  - Length, Protocol Type, Time to Live
- The option mechanism was entirely revised:
  - Source Routing
  - Route Recording
- Two new fields were added:
  - Priority and Flow Label (for real-time traffic)

9 A Comparison of Two Headers
- Three major simplifications:
  - Assign a fixed format to all headers (40 bytes)
  - Remove the header checksum
  - Remove the hop-by-hop segmentation procedure

10 From Options to Extension Headers
- Hop-by-Hop options header
- Routing header
- Fragment header
- Authentication header
- Encrypted security payload
- Destination options header

11 From Options to Extension Headers
[Figure: three header chains]
- IPv6 Header (Next Header = TCP) | TCP Header
- IPv6 Header (Next Header = Routing) | Routing Header (Next Header = TCP) | TCP Header
- IPv6 Header (Next Header = Routing) | Routing Header (Next Header = Fragment) | Fragment Header (Next Header = TCP) | TCP Header

12 Routing Header

13 Fragment Header
[Figure: a frame of length 2800 octets is sent as two fragments: IPv6 header | fragment header 1 | first 1400 octets (More), and IPv6 header | fragment header 2 | last 1400 octets. Fragment header fields: Next Header | Reserved | Fragment Offset | Res | M (More) | Identifier]
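An added example (not from the slides) of walking an extension-header chain like the ones on slides 11 and 13: it parses the fixed IPv6 header and each extension header by its own length rule, reports the fragment header's fields, and refuses truncated or over-long chains, which is the check a packet filter needs before it can locate the transport header. The sample packet, addresses and identifiers are constructed inline.

```python
import struct

# IPv6 Next Header (protocol) numbers for the extension headers of slide 10
# and for TCP, which ends the example chains of slide 11.
HOP_BY_HOP, TCP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 6, 43, 44, 50, 51, 60
NAMES = {HOP_BY_HOP: "Hop-by-Hop", ROUTING: "Routing", FRAGMENT: "Fragment",
         ESP: "ESP", AH: "AH", DEST_OPTS: "Destination Options", TCP: "TCP"}


def walk_chain(packet, max_headers=8):
    """Return (list of header names in order, fragment-header fields or None).

    Raises ValueError for anything malformed: a filter that stops on a bad
    chain is safer than one that guesses where the transport header is.
    """
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    if packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nxt = struct.unpack_from("!HB", packet, 4)
    if len(packet) < 40 + payload_len:
        raise ValueError("payload length exceeds packet")
    chain, frag, off = [], None, 40
    for _ in range(max_headers):
        if nxt in (HOP_BY_HOP, ROUTING, DEST_OPTS, AH):
            if off + 8 > len(packet):
                raise ValueError("truncated extension header")
            nxt_nxt, ext_len = packet[off], packet[off + 1]
            # Options/routing headers count 8-octet units beyond the first 8;
            # AH counts 4-octet units minus 2 (RFC 2402).
            hdr_len = (ext_len + 2) * 4 if nxt == AH else (ext_len + 1) * 8
        elif nxt == FRAGMENT:
            if off + 8 > len(packet):
                raise ValueError("truncated fragment header")
            nxt_nxt, _, offres, ident = struct.unpack_from("!BBHI", packet, off)
            # 13-bit offset in 8-octet units, 2 reserved bits, then the M flag.
            frag = {"offset": offres >> 3, "more": bool(offres & 1), "id": ident}
            hdr_len = 8
        else:
            # Upper-layer header (or ESP, whose contents are opaque): chain ends.
            chain.append(NAMES.get(nxt, "proto %d" % nxt))
            return chain, frag
        chain.append(NAMES[nxt])
        off += hdr_len
        if off > len(packet):
            raise ValueError("extension header runs past end of packet")
        nxt = nxt_nxt
    raise ValueError("more than %d extension headers" % max_headers)


def is_malformed(packet):
    """True when walk_chain rejects the packet."""
    try:
        walk_chain(packet)
        return False
    except ValueError:
        return True


def build_example():
    """Constructed sample: IPv6 | Routing | Fragment | TCP, the third chain on slide 11."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)  # 20-byte SYN
    frag = struct.pack("!BBHI", TCP, 0, (0 << 3) | 1, 0x1234)   # offset 0, M=1, id 0x1234
    routing = struct.pack("!BBBBI", FRAGMENT, 0, 0, 0, 0)        # type 0, 0 segments left
    payload = routing + frag + tcp
    src = bytes.fromhex("20010db8" + "0" * 23 + "1")   # 2001:db8::1 (documentation prefix)
    dst = bytes.fromhex("20010db8" + "0" * 23 + "2")   # 2001:db8::2
    ipv6 = struct.pack("!IHBB", 6 << 28, len(payload), ROUTING, 64) + src + dst
    return ipv6 + payload


if __name__ == "__main__":
    print(walk_chain(build_example()))   # (['Routing', 'Fragment', 'TCP'], {'offset': 0, 'more': True, 'id': 4660})
    print(is_malformed(build_example()[:50]))   # True: payload length exceeds packet
```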

14 IPv6 Addressing
- Three categories of IPv6 addresses:
  - Unicast
  - Multicast
  - Anycast
- Notation of IPv6 addresses:
  - Write the 128 bits as eight 16-bit integers separated by colons
  - Examples: FEDC:BA98:7654:3210:FEDC:BA98:7654:3210, 1080:0:0:0:8:800:200C:417A

15 IPv6 Addressing
- Examples:
  - A set of consecutive null 16-bit numbers can be replaced by two colons
  - 1080:0:0:0:8:800:200C:417A => 1080::8:800:200C:417A
  - 1080:0:0:0:8:0:0:417A => 1080::8:0:0:417A (not 1080::8::417A: the double colon may be used only once, otherwise the expansion is ambiguous)
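An added example (not from the slides) implementing the notation rules of slides 14 and 15: expand a text address to its eight 16-bit groups, compress the longest run of zero groups to "::", reject a second "::", and cross-check the result against Python's ipaddress module.

```python
import ipaddress
import re

GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")   # one 16-bit integer written in hex


def expand(text):
    """Return the eight 16-bit integers of an IPv6 text address.

    A single '::' stands for the run of zero groups needed to reach eight;
    a second '::' is rejected because the expansion would be ambiguous
    (slide 15: 1080::8::417A is not a valid spelling).
    """
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once: " + text)
    if "::" in text:
        head, tail = text.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must replace at least one zero group: " + text)
        groups = left + ["0"] * missing + right
    else:
        groups = text.split(":")
    if len(groups) != 8 or not all(GROUP.match(g) for g in groups):
        raise ValueError("not an IPv6 address: " + text)
    return [int(g, 16) for g in groups]


def compress(text):
    """Shortest spelling: the longest run of two or more zero groups becomes '::'.

    Ties go to the first run and a lone zero group stays as '0', which is the
    RFC 5952 canonical form; both slide examples come out exactly as shown.
    """
    groups = expand(text)
    best_start, best_len, run_start = -1, 0, None
    for i, g in enumerate(groups + [1]):          # sentinel closes a trailing run
        if g == 0 and run_start is None:
            run_start = i
        elif g != 0 and run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    hexes = ["%X" % g for g in groups]
    if best_len < 2:
        return ":".join(hexes)
    return ":".join(hexes[:best_start]) + "::" + ":".join(hexes[best_start + best_len:])


def is_valid(text):
    """True when the text is one unambiguous IPv6 address spelling."""
    try:
        expand(text)
        return True
    except ValueError:
        return False


def same_address(a, b):
    """Two spellings denote the same address iff they expand to the same groups."""
    return expand(a) == expand(b)


def stdlib_agrees(text):
    """Cross-check: ipaddress produces the same canonical (lower-case) spelling."""
    return compress(text).lower() == str(ipaddress.IPv6Address(text))
```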

16 IPv6 Addressing
- Some address formats:
  - Provider Addresses
  - Link Local Addresses
  - Site Local Addresses
  - Multicast Addresses
  - Anycast Addresses
[Figure: hosts (H) and routers (R) on a LAN form a link within a site (a company or organization); the site's routers connect to the Internet]

17 Global Unicast Addresses
[Figure: address format: 001 | TLA | NLA* | SLA* | interface ID; public topology (45 bits), site topology (16 bits), interface identifier (64 bits)]
- TLA = Top-Level Aggregator, NLA* = Next-Level Aggregator(s), SLA* = Site-Level Aggregator(s)
- All subfields are variable-length (like CIDR)
- TLAs may be assigned to providers or exchanges

18 Link-Local and Site-Local Addresses
- Link-local addresses, for use during auto-configuration and when no routers are present: 1111111010 | 0 | interface ID
- Site-local addresses, for independence from changes of TLA / NLA*: 1111111011 | 0 | SLA* | interface ID

19 Interface IDs
- The lowest-order 64-bit field of a unicast address may be assigned in several different ways:
  - auto-configured from a 64-bit EUI-64, or expanded from a 48-bit MAC address (e.g., Ethernet address)
  - auto-generated pseudo-random number (to address privacy concerns)
  - assigned via DHCP
  - manually configured
  - possibly other methods in the future

20 IPv6 Address Space

21 The Evolution of ICMP
- The ICMP for IPv6 was made more complete by incorporating the multicast control functions of the IPv4 Group Membership Protocol (IGMP).

22 IPv6 Routing
- As in IPv4, IPv6 supports IGP and EGP routing protocols:
  - IGPs (Interior Gateway Protocols), for use within an autonomous system (AS):
    - RIPng (RFC 2080)
    - OSPFv3 (RFC 2740)
    - Integrated IS-ISv6 (draft-ietf-isis-ipv6-02.txt)
  - EGP (Edge Gateway Protocol), for peering between autonomous systems (ASs):
    - MP-BGP4 (RFC 2858 and RFC 2545)

23 IPv6 Routing
- BGP4+
  - Added IPv6 address family
  - Added IPv6 transport
  - Runs within the same process; only one AS supported
  - All generic BGP functionality works as for IPv4
  - Added functionality to route-maps and prefix-lists

24 Plug-and-Play -- Auto-configuration
- Auto-configuration means that a computer will automatically discover and register the parameters that it needs to use in order to connect to the Internet.
- One should be able to change IPv6 addresses dynamically as one changes ISPs.
- Addresses would be assigned to interfaces for a limited lifetime.
- Two modes for address configuration:
  - Stateless mode
  - Stateful mode (using DHCPv6)

25 Link Local Addresses
- When an interface is initialized, the host can build up a link local address for this interface by concatenating the well-known link local prefix and a unique token (the 48-bit Ethernet address).
- A typical link local address: FE80:0:0:0:0:XXXX:XXXX:XXXX
- A link local address can only be used on the local link.

26 Stateless Autoconfiguration
- IPv6 nodes join the all-nodes multicast group by programming their interfaces to receive all packets for the address FF02::1.
- The node sends a solicitation message to the routers on the link, using the all-routers address FF02::2.
- Routers reply with a router advertisement message.
- Does not require any servers

27 Plug-and-Play -- Address Resolution
- The neighbor discovery procedure offers the functions of ARP (IP -> MAC) and router discovery.
- Defined as part of IPv6 ICMP.
- The host maintains four separate caches:
  - The destination's cache
  - The neighbor's cache
  - The prefix list
  - The router list

28 Destination's Cache
- The destination's cache has an entry for each destination address toward which the host recently sent packets.
- It associates the IPv6 address of the destination with that of the neighbor toward which the packets were sent.
[Table: Destination IPv6 Address (To) | Neighbor IPv6 Address (Via)]

29 Neighbor's Cache (IP/MAC)
- The neighbor's cache has an entry for each immediately adjacent neighbor to which packets were recently relayed.
- It associates the IPv6 address of that neighbor with the corresponding MAC address (48 bits).
[Table: Neighbor IPv6 Address | Neighbor MAC address]

30 Prefix List and Router List
- The prefix list includes the prefixes that have been recently learned from router advertisements.
- The router list includes the IPv6 addresses of all routers from which advertisements have recently been received.

31 Basic Algorithm to Transmit a Packet
- To transmit a packet, the host must first find out the next hop for the destination. The next hop should be a neighbor directly connected to the same link as the host.
- In most cases, the neighbor address will be found in the destination's cache.
- If not, the host will check whether one of the cached prefixes matches the destination address.
- If yes, the destination is local and the next hop is the destination itself (both are on the same subnet and can send to each other directly).

32 Basic Algorithm
- Otherwise, the destination is probably remote.
- A router should be selected from the router list as the next hop (the two are on different subnets, so packets must be sent through a router).
- The corresponding entry for the next hop is added to the destination's cache (update), and the neighbor's cache is looked up (lookup) to find the MAC address of that neighbor.

33 Neighbor Solicitation and Neighbor Advertisement messages (IPv6 -> MAC)
- IPv6 source address = link local address of the interface.
- Hop count = 1.
- IPv6 destination address = solicited node multicast address, which is formed by concatenating a fixed 96-bit prefix, FF02:0:0:0:0:1, and the last 32 bits of the node's IPv6 address.
[Figure: Neighbor Solicitation message: Type = 135 | Code = 0 | Checksum; Reserved; Target address = Solicited Neighbor Address (IPv6); Options... (Source link-level address)]

34 Neighbor Solicitation and Neighbor Advertisement messages (IPv6 -> MAC)
[Figure: Neighbor Advertisement message: Type = 136 | Code = 0 | Checksum; R | S | Reserved; Target address; Options... (Source link-level address)]
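An added example (not from the slides) of the next-hop selection of slides 31 and 32 running over the four caches of slides 27 to 30, ending with the solicited-node group a Neighbor Solicitation would be sent to when the neighbor's MAC is still unknown. It uses the current RFC 4861 definition of that group (prefix ff02::1:ff00::/104 plus the low 24 bits of the address), which superseded the earlier 32-bit form described on slide 33; the prefix, router and MAC address in the demo are constructed.

```python
import ipaddress

# RFC 4861 solicited-node prefix ff02:0:0:0:0:1:ff00::/104; the low 24 bits of
# the unicast address complete the group (slide 33 describes the older 32-bit form).
SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def solicited_node(addr):
    """Multicast group a Neighbor Solicitation for `addr` is sent to."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE.network_address) | low24)


class Host:
    """The four caches of slide 27 and the transmit algorithm of slides 31-32."""

    def __init__(self, prefixes, routers):
        self.destination_cache = {}     # destination -> next-hop neighbor (slide 28)
        self.neighbor_cache = {}        # neighbor -> MAC address (slide 29)
        # Prefix list (slide 30); link-local destinations are always on-link.
        self.prefix_list = [ipaddress.IPv6Network(p) for p in prefixes]
        self.prefix_list.append(ipaddress.IPv6Network("fe80::/10"))
        self.router_list = [ipaddress.IPv6Address(r) for r in routers]   # slide 30

    def learn_neighbor(self, addr, mac):
        """Record a neighbor's MAC, e.g. from a received Neighbor Advertisement."""
        self.neighbor_cache[ipaddress.IPv6Address(addr)] = mac

    def next_hop(self, dst):
        dst = ipaddress.IPv6Address(dst)
        if dst in self.destination_cache:             # usual case: already cached
            return self.destination_cache[dst]
        if any(dst in p for p in self.prefix_list):   # on-link: next hop is the destination
            nh = dst
        elif self.router_list:                        # probably remote: pick a router
            nh = self.router_list[0]
        else:
            raise LookupError("no route to %s" % dst)
        self.destination_cache[dst] = nh              # update (slide 32)
        return nh

    def resolve(self, dst):
        """Return (next hop, MAC or None, solicited-node group to query if MAC is None)."""
        nh = self.next_hop(dst)
        mac = self.neighbor_cache.get(nh)             # lookup (slide 32)
        return nh, mac, None if mac else solicited_node(nh)


def demo():
    """Constructed link: prefix 2001:db8:1::/64, default router fe80::1 with a known MAC."""
    host = Host(["2001:db8:1::/64"], ["fe80::1"])
    host.learn_neighbor("fe80::1", "00:11:22:33:44:55")
    local = host.resolve("2001:db8:1::20")    # on-link, MAC unknown: NS to ff02::1:ff00:20
    remote = host.resolve("2001:db8:2::5")    # off-link: via the router, whose MAC is known
    return local, remote
```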

35 IPv6 Flows and Flow Label
- A flow is a sequence of packets sent from a particular source to a particular destination (unicast or multicast).
- Each flow can have a Flow label (24 bits).
- The Flow label may be used together with the routing header.

36 IPv6 Real-time Support
- Supporting reservations
  - Real-time flows
  - Using RSVP and Flows
  - Using Hop-by-Hop Options
[Figure: QoS in an IPv6 router: Flows 1 to 5 feed a scheduler (S)]

37 IPv6 Security

38 IPv6 Security Support
- All IPv6 implementations are required to support the authentication and encryption headers ("IPsec")
- Authentication is separated from encryption for use in situations where encryption is prohibited or prohibitively expensive
- Key distribution protocols
- Support for manual key configuration is required

39 Authentication Header
- Destination Address + SPI identifies the security association state (key, lifetime, algorithm, etc.)
- Provides authentication and data integrity for all fields of the IPv6 packet that do not change en route
- Default algorithm is Keyed MD5
[Figure: AH format: Next Header | Hdr Ext Len | Reserved; Security Parameters Index (SPI); Sequence Number; Authentication Data]

40 Encapsulating Security Payload (ESP)
[Figure: ESP format: Security Parameters Index (SPI); Sequence Number; Payload; Padding | Padding Length | Next Header; Authentication Data]

41 Migration from IPv4 to IPv6

42 IPv4-IPv6 Transition / Co-Existence
- A wide range of techniques have been identified and implemented, basically falling into three categories:
  - (1) Dual-stack techniques, to allow IPv4 and IPv6 to co-exist in the same devices and networks
  - (2) Tunneling techniques, to avoid order dependencies when upgrading hosts, routers, or regions
  - (3) Translation techniques, to allow IPv6-only devices to communicate with IPv4-only devices
- Expect all of these to be used, in combination

43 Next Generation Transition (NGTRANS)
[Figure: the three NGTRANS approaches: Dual Stack, Tunneling, Translator]

44 Dual Stack
- RFC 1933
- NGTRANS draft: draft-ietf-ngtrans-dstm-07.txt
[Figure: IPv4/IPv6 dual stack nodes attached to both IPv4 and IPv6 networks; AIIH (DHCPv6, DNS)]

45 Dual Stack Approach
- A dual stack node means:
  - Both IPv4 and IPv6 stacks enabled
  - Applications can talk to both
  - Based on name lookup and application preference
[Figure: protocol stack of a dual-stack node: Application (or IPv6-enabled application) over TCP/UDP over IPv4 and IPv6 over the Ethernet data link, with frame protocol ID 0x0800 for IPv4 and 0x86dd for IPv6. An IPv6-enabled application is the preferred method on application servers]

46 IPv4 Tunneling
- RFC 2529 (6over4)
- RFC 3056 (6to4)
- RFC 3053 (Tunnel Broker)
[Figure: IPv6 islands connected across IPv4 by 6over4, 6to4 and a tunnel broker with IPv4/IPv6 endpoints]

47 Using Tunnels for IPv6 Deployment
- Many techniques are available to establish a tunnel:
  - Manually configured
    - Manual T unnel (RFC 2893)
    - GRE (RFC 2473)
  - Semi-automated
    - Tunnel broker
  - Automatic
    - Compatible IPv4 (RFC 2893)
    - 6to4 (RFC 3056)
    - 6over4
    - ISATAP

48 Translators
- RFC 2765; RFC 2766
- RFC 2767
- RFC 3089; RFC 3142
[Figure: translator placements: NAT-PT and SIIT between IPv6 and IPv4 networks; BITS (IPv4 apps over an IPv6 stack) in the host; a Socks gateway and a TCP/UDP relay between an IPv6 host and an IPv4 host]

49 Transition Approaches
- Dual Stack: the system completely supports IPv6
- Tunneling: IPv6 packets are encapsulated for transmission over existing IPv4 infrastructure
- Translation: IPv6 packets are translated into IPv4 packets and vice versa
  - Header information is preserved as much as possible

50 Dual Stack Mechanisms
- Simple dual stack (RFC 1933)
  - Both IPv4 and IPv6 are directly supported
[Figure: a host with Applications over TCP/UDP over IPv4 and IPv6 over the device driver, attached to a v4/v6 network; a router with IPv4 and IPv6 routing protocols over the device driver, attached to a v4 network and a v6 network]

51 Dual Stack Mechanisms
- Dual Stack Transition Mechanism (DSTM)
  - Assures communication between IPv4 applications in IPv6-only networks and the rest of the Internet
  - Temporary IPv4 addresses are assigned when communicating with an IPv4-only host
  - Cooperation between DNS and DHCPv6
  - A Dynamic Tunnel Interface encapsulates the IPv4 packets
[Figure: an IPv4 application on a dual-stack host in an IPv6-only network reaching an IPv4 application on an IPv4-only network]

52 DSTM: Principles
- Assumes an IPv4/IPv6 dual stack on the host
- The IPv4 stack is configured only when one or more applications need it
  - A temporary IPv4 address is given to the host
- All IPv4 traffic coming from the host is tunneled towards the DSTM gateway (IPv4 over IPv6)
  - The DSTM gateway encapsulates/decapsulates packets
  - It maintains an IPv6 <-> IPv4 mapping table
[Figure: encapsulated packet: IPv6 H | IPv4 H | Payload]

53 How DSTM works (v6 -> v4)
[Figure: host A on the IPv6 side, host C on the IPv4 side, DSTM gateway B, a DNS server and a DSTM server]
(1) In A, the v4 address of C is used by the application, which sends a v4 packet to the kernel
(2) The interface asks the DSTM server for a v4 source address
(3) The DSTM server returns:
  - a temporary IPv4 address for A
  - the IPv6 address of the DSTM gateway

54 How DSTM works (v6 -> v4)
(4) A creates the IPv4 packet (A4 -> C4)
(5) A tunnels the v4 packet to B using IPv6 (A6 -> B6)
(6) B decapsulates the v4 packet and sends it to C4
(7) B keeps the mapping between A4 <-> A6 in the routing table
[Figure: from A to B the packet is IPv6 H | IPv4 H | Payload; from B to C it is IPv4 H | Payload]

55 Tunneling Mechanisms
- RFC 1933 (Transition Mechanisms for IPv6 Hosts and Routers)
- RFC 2529 (6over4)
- RFC 3056 (6to4)
- RFC 5214 (ISATAP)
- RFC 4380 (Teredo)
- RFC 3053 (Tunnel Broker)

56 RFC 1933
- Transition Mechanisms for IPv6 Hosts and Routers
- Configured tunnels
  - Connect IPv6 hosts or networks over an existing IPv4 infrastructure
  - Generally used between sites exchanging traffic regularly
- Automatic tunnels
  - The tunnel is created and then removed after use
  - Requires an IPv4-compatible IPv6 address, e.g. ::140.114.1.101

57 Configured Tunnel
- Carry IPv6 packets over IPv4 infrastructure
- Encapsulate IPv6 in IPv4
- Tunnel endpoints are explicitly configured
- Tunnel endpoints must be dual stack nodes
- The IPv4 address is the endpoint of the tunnel
[Figure: two dual-stack routers, each running IPv4 and IPv6 routing protocols over its device driver]

58 Configured Tunnel
[Figure: two IPv6 islands joined by an IPv4 tunnel between dual-stack nodes 192.168.1.1 and 192.168.2.1 across IPv4 networks. Inside the islands the packet is IPv6 H | Payload; in the tunnel it is IPv4 H | IPv6 H | Payload with Src=192.168.1.1, Dst=192.168.2.1]

59 Automatic Tunnel
- The node is assigned an IPv4-compatible IPv6 address
  - ::140.114.1.101
- If the destination is an IPv4-compatible IPv6 address, automatic tunneling is used by the router (tunneling to the destination)
  - The routing table redirects ::/96 to the automatic tunnel interface
[Figure: IPv4-compatible IPv6 address format: 0000........0000 (80 bits) | 0000 (16 bits) | IPv4 address (32 bits)]

60 Automatic Tunnel Example
[Figure: a dual-stack node in an IPv6 island reaches dual-stack node 140.114.1.101 through an IPv4 tunnel across the IPv4 Internet. IPv4-compatible IPv6 address: 0:0:0:0:0:0 | IPv4 Address; DST IPv6 address = ::140.114.1.101, DST IPv4 address = 140.114.1.101. Packet formats: IPv6 H | Payload in the island, IPv4 H | IPv6 H | Payload in the tunnel. SRC IPv4 address = ? (the sending node's IPv4 address, 140.113.4.1)]

61 6over4
- Allows isolated IPv6 hosts, located on a physical link which has no directly connected IPv6 router, to become fully functional IPv6 hosts by using an IPv4 domain that supports IPv4 multicast as their virtual local link.
- RFC 2529
[Figure: 6over4 hosts A, B, C and D on an IPv4 domain carrying IPv6 in IPv4; IGMP is used to join a multicast group]

62 6over4
- 6over4 is an automatic tunneling technique that leverages IPv4 multicast.
- IPv6 addresses are formed using a link local scope (FE80:: prefix).
- A host's IPv4 address comprises the 6over4 interface ID portion of its IPv6 address.
- For example, for a 6over4 host with
  - IPv4 address = 192.223.16.85 (C0DF:1055)
  - the 6over4 address = FE80::C0DF:1055
[Figure: 6over4 address format: FE80 (16 bits) | 0000..000 (80 bits) | IPv4 address (32 bits)]

63 6over4
- IPv6 packets are tunneled in IPv4 headers using corresponding IPv4 multicast addresses.
- The Internet Group Membership Protocol (IGMP) is used by 6over4 hosts to inform IPv4 routers of multicast group membership.
- All members of the multicast group receive the tunneled packets, and the intended recipient strips off the IPv4 header and processes the IPv6 packet.
- An IPv6 router running 6over4 that is reachable via the IPv4 multicast mechanism can serve as a tunnel endpoint to route the packet via IPv6.

64 6over4 Example
[Figure: 6over4 hosts A, B, C and D on an IPv4 domain with IPv4/IPv6 address pairs 192.168.1.1 / fe80::c080:0101, 192.168.2.1 / fe80::c080:0201, 192.168.3.1 / fe80::c080:0301 and 192.168.4.1 / fe80::c080:0401. Tunneled packet (B -> C): IPv4 H | IPv6 H | Payload with Src=fe80::c080:0101, Dst=fe80::c080:0301, IPv4 Src=192.168.1.1, Dst=IPv4 multicast (IGMP joined)]

65 6over4 IPv6 Multicast
- 6over4 supports IPv6 multicast, so hosts can perform IPv6 router and neighbor discovery to locate IPv6 routers.
- When tunneling IPv6 multicast messages, e.g., for neighbor discovery, the IPv4 destination address is formatted as 239.192.Y.Z, where Y and Z are the last two bytes of the IPv6 multicast address.
- Thus an IPv6 message to the all-routers, link-scoped, multicast address FF02::2 would be tunneled to IPv4 destination 239.192.0.2.
- FF02::1 (neighbor discovery) -> 239.192.0.1

66 6over4 Example (IPv6 Multicast)
[Figure: the same four 6over4 hosts as on slide 64. Tunneled multicast packet (B -> all neighbors): IPv4 H | IPv6 H | Payload with Src=fe80::c080:0101, Dst=ff02::1, IPv4 Src=192.168.1.1, Dst=239.192.0.1]

67 6to4
- Interconnection of isolated IPv6 domains over an IPv4 network without explicit tunnel setup
- Effectively it treats the IPv4 network as a unicast point-to-point link layer.
- RFC 3056
[Figure: two IPv6 domains, 2002:c0a8:101:1::1 and 2002:c0a8:201:2::2, exchanging IPv6 in IPv4 across an IPv4 network]

68 6to4
- Automatic establishment of the tunnel
  - By embedding the IPv4 destination address in the IPv6 address
  - Under the 2002::/16 reserved prefix (2002::/16 = 6to4)
- Gives a full /48 to a site based on its external IPv4 address
  - 2002:<IPv4 address>::/48
  - Format: 2002:<IPv4 address>:<subnet>::/64
[Figure: 6to4 address format: 2002 (16 bits) | IPv4 address (32 bits) | subnet (16 bits) | EUI-64 (64 bits); examples 2002:c0a8:101:1::1 and 2002:c0a8:201:2::2]

69 How to embed the IPv4 address in the IPv6 address?
192.168.2.1
= 11000000 10101000 00000010 00000001
= 1100000010101000 : 0000001000000001
= c0a8 : 0201
= c0a8:201

70 6to4 Network to Network Example
[Figure: host 2002:c0a8:101:1::1 in one IPv6 domain sends to 2002:c0a8:201:2::2 in another. Inside the domains: IPv6 H | Payload with Src=2002:c0a8:101:1::1, Dst=2002:c0a8:201:2::2. Across the IPv4 network between the 6to4 routers 192.168.1.1 and 192.168.2.1: IPv4 H | IPv6 H | Payload with Src=192.168.1.1, Dst=192.168.2.1]

71 ISATAP
- The Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) connects dual-stack nodes over IPv4 networks.
- Views the IPv4 network as a link layer for IPv6
- Supports automatic tunneling
- RFC 5214
[Figure: nodes A, B and C tunneling IPv6 in IPv4 across an IPv4 network toward an IPv6 network]

72 ISATAP
- Automatic tunneling from ISATAP nodes to the ISATAP routers in a private network
- Creates a virtual IPv6 link over the IPv4 network
- Special bits identify an ISATAP address (in the node identifier part of the IPv6 address)
[Figure: ISATAP address format: link-local or ISATAP-assigned prefix (64 bits) | 00:00:5E:FE (32 bits) | IPv4 addr (32 bits). Example: 192.168.1.1 -> fe80:0:0:0:0:5efe:c080:0101 = fe80::5efe:c080:0101]

73 ISATAP Example
[Figure: ISATAP hosts at 192.168.1.1 (fe80::5efe:c080:0101, 3ffe:ffff::5efe:c080:0101) and 192.168.2.1 (fe80::5efe:c080:0201, 3ffe:ffff::5efe:c080:0201), an ISATAP router at 192.168.3.1 (fe80::5efe:c080:0301, 3ffe:ffff::5efe:c080:0301), and host 3ffe:ffff:0:1::1 on the IPv6 side; nodes A, B and C tunnel IPv6 in IPv4. Packet (B -> C): IPv4 H | IPv6 H | Payload with Src=fe80::5efe:c080:0101, Dst=3ffe:ffff:0:1::1, IPv4 Src=192.168.1.1, Dst=192.168.3.1]

74 Teredo
- NAT prohibits the use of direct tunnels
- Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs)
- Teredo service: enables nodes located behind one or more IPv4 NATs to obtain IPv6 connectivity by tunneling packets over UDP
- RFC 4380 (Microsoft)
[Figure: node A on an IPv4 network (private address) behind an IPv4 NAT reaches node B on IPv6; encapsulation is IPv6 in UDP in IPv4]

75 Teredo
- Running the service requires the help of "Teredo servers" and "Teredo relays"
- The Teredo servers are stateless, and only have to manage a small fraction of the traffic between Teredo clients
- The Teredo relays act as IPv6 routers between the Teredo service and the "native" IPv6 Internet
- The relays can also provide interoperability with hosts using other transition mechanisms such as "6to4"

76 Teredo
- Uses IPv6 in UDP in IPv4
- The external mapping of the IPv4 address and port is discovered by the Teredo server (on the external side of the NAT)
- Teredo uses a specific prefix (2001:0000::/32).
- The address includes the IPv4 address of the Teredo server and the public IPv4 address and port number of the host
[Figure: Teredo address format: prefix 2001:0000::/32 (32 bits) | Teredo server IPv4 address (32 bits) | flags (16 bits) | obfuscated UDP port (16 bits) | obfuscated client public IPv4 address (32 bits)]

77 Teredo Example
[Figure: node A (private address 192.168.1.1, UDP port 40000) behind an IPv4 NAT whose public address is 192.0.2.45; Teredo server 65.54.227.120; A's Teredo address is 2001:0000:4136:e378:8000:63bf:3fff:fdd2; node B is on IPv6; encapsulation is IPv6 in UDP in IPv4. Source: http://en.wikipedia.org/wiki/Teredo_tunneling]

78 Teredo Example (A -> B)
[Figure: A (private address 192.168.1.1, UDP port 40000) behind the NAT (public address 192.0.2.45) sends to B (3ffe:ffff:0:1::1) via the Teredo server 65.54.227.120. Inner packet: IPv6 H | Payload with Src = 2001:0:4136:e378:8000:63bf:3fff:fdd2, Dst = 3ffe:ffff:0:1::1. Before the NAT: IPv4 H | UDP H | IPv6 H | Payload with Src=192.168.1.1, Dst=65.54.227.120, UDP port = 40000. After the NAT: IPv4 H | UDP H | IPv6 H | Payload with Src=192.0.2.45, Dst=65.54.227.120]

79 Teredo Example (B -> A)
[Figure, as an exercise: B (3ffe:ffff:0:1::1) replies to A. Inner packet: IPv6 H | Payload with Src = 3ffe:ffff:0:1::1, Dst = 2001:0:4136:e378:8000:63bf:3fff:fdd2. Outer IPv4 H | UDP H on each leg: Src=____?_____, Dst=____?_____, UDP port = ____?____; fill in from the addresses 65.54.227.120, 192.0.2.45, 192.168.1.1 and port 40000]
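An added example (not from the slides) that decodes the address formats of slides 56 to 77: given an IPv6 address it reports which transition mechanism the address belongs to and extracts the embedded IPv4 data, and it applies the 6over4 multicast mapping of slide 65. A classifier like this is what you would run over flow or DNS logs to recognise tunneled traffic. Note that 192.168.1.1 encodes as c0a8:0101 (slide 69 shows the same computation for 192.168.2.1); the ISATAP test values are constructed with that encoding.

```python
import ipaddress

V4, V6 = ipaddress.IPv4Address, ipaddress.IPv6Address
MASK32, MASK64 = 0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF


def _v4(bits):
    """Dotted-quad text of the low 32 bits of an integer."""
    return str(V4(bits & MASK32))


def classify(text):
    """Return (mechanism, details) for an IPv6 address, decoding embedded IPv4 data."""
    a = int(V6(text))
    g = [(a >> (112 - 16 * i)) & 0xFFFF for i in range(8)]   # the eight 16-bit groups
    iid = a & MASK64                                          # interface identifier
    if a >> 32 == 0 and a > 1:
        # ::a.b.c.d IPv4-compatible address (RFC 1933 automatic tunnel, slides 56-60);
        # :: and ::1 are excluded, being the unspecified and loopback addresses.
        return "ipv4-compatible", {"ipv4": _v4(a)}
    if g[0] == 0x2002:
        # 2002:V4ADDR:subnet::/64 (RFC 3056, slide 68)
        return "6to4", {"ipv4": _v4(a >> 80), "subnet": g[3]}
    if g[0] == 0x2001 and g[1] == 0:
        # 2001:0000:server:flags:~port:~client (RFC 4380, slide 76); the port and
        # client address are stored XORed with all ones ("obfuscated").
        return "teredo", {"server": _v4(a >> 64), "flags": g[4],
                          "port": g[5] ^ 0xFFFF, "client": _v4((a & MASK32) ^ MASK32)}
    if (iid >> 32) & 0xFDFFFFFF == 0x00005EFE:
        # interface ID 0000:5EFE:V4ADDR, or 0200:5EFE with the u/l bit set (RFC 5214, slide 72)
        return "isatap", {"ipv4": _v4(iid), "prefix": str(V6(a & ~MASK64))}
    if g[0] == 0xFE80 and g[1] == g[2] == g[3] == 0 and iid >> 32 == 0 and iid > 0xFFFF:
        # FE80::V4ADDR (RFC 2529, slide 62); a tiny hand-configured link-local
        # interface ID would look the same, which is why this check comes last.
        return "6over4", {"ipv4": _v4(iid)}
    return "native", {}


def ipv4_multicast_for_6over4(ipv6_mcast):
    """Slide 65: IPv6 multicast group -> 239.192.Y.Z, Y and Z being its last two bytes."""
    a = int(V6(ipv6_mcast))
    if a >> 120 != 0xFF:
        raise ValueError("not an IPv6 multicast address: " + ipv6_mcast)
    return "239.192.%d.%d" % ((a >> 8) & 0xFF, a & 0xFF)
```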

80 Check your own computer's IPv6 tunnel address
- >cmd
- >ipconfig
- Teredo server? Public IPv4 address? Port number?
- 2001:0::/32 -> Teredo tunnel
- fe80:: -> link-local address

81 IPv6 Tunnel Calculator
http://www.wyae.de/docs/ipv6calc/
[Screenshot: the author's own address ("Mine")]

82 IPv6 Tunnel Broker RFC 3053

83 Tunnel Broker
- IPv6 tunneling over the Internet requires heavy manual configuration
  - Network administrators are faced with an overwhelming management load
  - Getting connected to the IPv6 world is not an easy task for IPv6 beginners

84 Tunnel Broker
- The Tunnel Broker approach is an opportunity to solve the problem
  - The basic idea is to provide tunnel broker servers that automatically manage tunnel requests coming from the users
- Benefits
  - Stimulate the growth of IPv6 interconnected hosts
  - Allow early IPv6 network providers to offer easy access to their IPv6 networks

85 Tunnel broker
- The Tunnel Broker fits well for small isolated IPv6 sites, especially isolated IPv6 hosts on the IPv4 Internet
- The client node must be dual stack (IPv4/IPv6)
- The client IPv4 address must be globally routable (not behind a NAT)

86 Tunnel broker architecture
[Figure: a dual-stack client at a remote site; a Tunnel Broker (e.g. tb.cht.com, tb.aaa.com) found via TB discovery at www.IPv6.org; the Tunnel Servers (dual-stack routers) and DNS server of the IPv6 network provider. Interactions: Client-Broker, Broker-Router, Broker-DNS]

87 How Tunnel Broker works? (1)
[Figure: dual-stack client, Tunnel Broker, DNS server]
1. The client provides minimal configuration information (over http, https, ...): IPv4 address, nickname, IPv6 OS type

88 How Tunnel Broker works? (2)
[Figure: dual-stack client, Tunnel Broker, DNS server]
2. The broker automatically configures the client, the DNS, and the selected tunnel server (protocols shown: rsh, SNMP, DHCPv6, ...; rsh, SNMP, ...; rsh, dynamic DNS update protocol)

89 How Tunnel Broker works? (3)
[Figure: dual-stack client, Tunnel Broker, DNS server]
3. The tunnel is now up and working

90 Free IPv6 tunnel broker services of Taiwan ISPs
Which tunnel brokers are there in Taiwan? http://ipv6tips.ipv6.org.tw/refer3.html
Organization | Documentation URL
- Asia Pacific Telecom (亞太電信): http://www.apol.com.tw/ipv6/ipv6-tb-4.html
- Far EasTone (遠傳電信): http://www.ipv6.seed.net.tw/how2v6/
- Taiwan Mobile (台灣大電訊): http://www.twmsolution.com/ipv6/
- So-net Taiwan (台灣碩網): http://www.so-net.net.tw/service/ipv6/
- Chunghwa Telecom (中華電信): http://www.ipv6.hinet.net/installGuide.htm
- Academia Sinica (中研院): http://www.ascc.sinica.edu.tw/iascc/articals.php?_section=2.4&_op=?articalID:2258

91 Chunghwa Telecom HiNet Tunnel Broker
http://www.ipv6.hinet.net/installGuide.htm

92 Chunghwa Telecom HiNet Tunnel Broker
- The Chunghwa Telecom TB uses the gogo6 tunnel broker
- The client must install software (the gogoCLIENT utility)
http://www.ipv6.hinet.net/installGuide.htm

93 IPv6/IPv4 Translator
- SIIT
- NATPT
- Reverse Proxy
- NAT64
- 464XLAT

94 Stateless IP/ICMP Translation Algorithm (SIIT) RFC 2765

95 SIIT
- Translate the v6 header into a v4 header at some point of the network
  - Routing can direct packets to those translation points.
- Translate ICMP headers from both worlds
- Allows IPv6 hosts, which do not have a permanently assigned IPv4 address, to communicate with IPv4-only hosts.
- No state in translators (unlike NAT)

96 SIIT
[Figure: using SIIT for a single IPv6-only subnet: IPv6 host - SIIT (with a pool of IPv4 addresses) - IPv4 network - IPv4 host. SIIT maps the ICMPv6 header (Type | Code | checksum) to the ICMPv4 header (Type | Code | checksum)]

97 SIIT
[Figure: using SIIT for an IPv6-only or dual cloud which contains some IPv6-only hosts and IPv4 hosts: IPv6 hosts and IPv4 hosts in a dual network - SIIT (pool of IPv4 addresses) - IPv4 network - IPv4 host]

98 SIIT
- Suitable for use when the IPv6 side has no IPv4, for instance, for embedded systems with the stack on chip (IPv6 sensors)
- The IPv6 side uses special, "translatable" addresses, which preserve the TCP/UDP checksum value
- The translatable source address is received by the IPv6 node from a shared pool
- The translatable destination address is made from the IPv4 DNS entry

99 RFC 2766 Network Address Translation – Protocol Translation (NAT-PT)

100 NAT-PT
- Network Address Translation-Protocol Translation.
- Translates IP addresses between IPv4 and IPv6.
- Uses a pool of IPv4 addresses and ports.
- Composes and manages a mapping table (IPv4 and IPv6).
- Is similar to NAT in an IPv4 network.

101 NAT-PT
[Figure: IPv4 packet (32-bit addresses): 129.254.165.141 -> 203.243.253.15 | DATA. IPv6 packet (128-bit addresses): 2001:203:201:200:ae01:ff10:2ecd:3ffe -> 2001:203:201:1:3f1e:2ea2:ff10:2f3c | DATA. The NAT-PT holds a mapping table and a pool of addresses]

102 Network Configuration Requirements
[Figure: IPv4 Translator between an IPv6 intranet (IPv6 host, IPv6 server, DNSv6 server) on the IPv6 interface (eth1) and the IPv4 side (IPv4 host, DNS server) on the IPv4 interface (eth0)]
- IPv4 Interface (eth0)
- IPv6 Interface (eth1)
- IPv6 Intranet Network Prefix (::/96)
- Default outbound IPv6 Gateway
- Pool of IPv4 addresses and ports
- Static mapping for DNS servers

103 Configuration Requirements
- System requirements
  - NAT-PT must be the border router between an IPv4-only network and an IPv6-only network.
  - All requests and responses pertaining to a session must be routed via the same NAT-PT router.
  - NAT-PT does not apply to packets originating from or directed to dual-stack nodes that do not require packet translation.

104 Address Translation (IPv4 -> IPv6)
[Figure: NAT-PT with translator prefix aaaa::/96 between the IPv4 side (cs.nthu.edu.tw 140.114.165.141, DNS(v4) 140.114.15.15) and the IPv6 side (www.gsnv6.tw 2001:288::1, DNS(v6) 2001:288::2). DNS static mapping: 140.114.134.184 <-> 2001:288::2. Pool of IPv4 addresses: 140.114.134.180 (0001), 140.114.134.181 (0002). IPv4 <-> IPv6 mapping table entry: 140.114.134.180 <-> 2001:288::1]
- The IPv4 host asks DNS(v4) for www.gsnv6.tw; the query leaves as DA:140.114.134.184 SA:140.114.15.15 and is translated to DA:2001:288::2 SA:aaaa::140.114.15.15 (the DA is changed to the mapped address; the /96 prefix is added to and removed from the SA).
- The DNS response carries resource data 2001:288::1; after checking whether a mapping already exists, the DNS-ALG makes the mapping table entry IPv4 <-> inside resource data and returns resource data 140.114.134.180.
- The data packet DA:140.114.134.180 SA:140.114.165.141 is translated to DA:2001:288::1 SA:aaaa::140.114.165.141.

105 Address Translation (IPv6 -> IPv4)
[Figure: the same topology: cs.nthu.edu.tw 140.114.165.141 and DNS(v4) 140.114.15.15 on the IPv4 side; www.gsnv6.tw 2001:288::1 and DNS(v6) 2001:288::2 on the IPv6 side; translator prefix aaaa::/96; DNS static mapping 140.114.134.184 <-> 2001:288::2; pool of IPv4 addresses 140.114.134.180 (0001), 140.114.134.181 (0002); IPv4 <-> IPv6 mapping table entry 140.114.134.180 <-> 2001:288::1]
- DNS(v6) queries cs.nthu.edu.tw with DA:aaaa::140.114.15.15 SA:2001:288::2; the query is translated to DA:140.114.15.15 SA:140.114.134.184 (the SA is changed to the mapped address; the /96 prefix is added to and removed from the DA).
- The DNS response carries resource data 140.114.165.141; after checking whether a mapping already exists, NAT-PT makes the mapping table entry IPv4 <-> IPv6 source address and returns resource data aaaa::140.114.165.141.
- The data packet DA:aaaa::140.114.165.141 SA:2001:288::1 is translated to DA:140.114.165.141 SA:140.114.134.180.

106 Reverse Proxy

107 Reverse Proxy
- A reverse proxy takes requests from the Internet and forwards them to servers in an internal network.
- These resources are then returned to the client as though they originated from the proxy server itself.
[Figure: Client on the Internet -> Reverse Proxy -> Web Servers in the internal network]

108 Reverse Proxy
- Reverse proxies can hide the existence and characteristics of an origin server or servers.
- Application firewall features can protect against common web-based attacks. Without a reverse proxy, removing malware can become difficult.
- For secure websites (https), a web server may not perform SSL encryption itself, but instead offloads the task to a reverse proxy that may be equipped with SSL acceleration hardware.
- A reverse proxy can distribute the load from incoming requests to several servers.

109 Reverse Proxy for IPv6
- Can be used to provide communication between hosts in an IPv6 network and IPv4 servers in an IPv4 network.
- The IPv4 web server has two entries in DNS:
  - the IPv4 address of the server
  - the IPv6 address of the reverse proxy
- The IPv6 host connects to the reverse proxy to access the web service.
[Figure: web server DNS configuration: www.gsn.tw IN A 74.125.31.94; www.gsn.tw IN AAAA 2001:c50:ffff:1::2 (the reverse proxy)]

110 IPv6 協議與應用 - 110 Reverse Proxy for IPv6 Example
Web server DNS configuration: www.gsn.tw in A 74.125.31.94; www.gsn.tw in AAAA 2001:c50:ffff:1::2
1. The IPv6-only host asks DNS "www.gsn.tw ?" and receives AAAA 2001:c50:ffff:1::2 (the reverse proxy).
2. The IPv6-only host sends SYN to 2001:c50:ffff:1::2.
3. The reverse proxy (an IPv6/IPv4 dual-stack host with IPv4 address 192.0.2.45) records the IPv6 <-> IPv4 mapping and opens an IPv4 connection to the IPv4-only web server www.gsn.tw: SYN src=192.0.2.45 dst=74.125.31.94.

111 IPv6 協議與應用 - 111 Reverse Proxy for IPv6
- Advantages:
  - IPv6 connectivity can be provided quickly.
  - Few changes are needed to the existing web servers and firewalls.
- Disadvantages:
  - Hard to scale; not every protocol can be passed through transparently.
  - To the server, all users appear to come from the same address (the reverse proxy IP address); with many users this easily degrades service performance.
- Better suited as a temporary solution during the transition to IPv6.

112 NAT64 RFC 6146: Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers

113 IPv6 協議與應用 - 113 NAT64
- Provides communication between IPv6 and IPv4 hosts by using a form of Network Address Translation (NAT).
- The NAT64 gateway is a translator between the IPv4 and IPv6 protocols.
- An IPv6 client embeds the IPv4 address it wants to reach in an IPv6 address (an IPv4-embedded IPv6 address) and sends its packets to the resulting address.
- The NAT64 gateway creates a mapping between the IPv6 and the IPv4 addresses, which may be manually configured or determined automatically.
Example: 64:ff9b::c000:201 <-> 192.0.2.1

114 IPv6 協議與應用 - 114 NAT64
- The NAT64 gateway maintains an IPv6-to-IPv4 address mapping, which may be established
  - manually (stateless mapping), or
  - automatically (stateful mapping) when the first packet from the IPv6 network reaches the NAT64 gateway.
- However, the translation is not symmetric (not 1-to-1), as the IPv6 address space is much larger than the IPv4 address space.

115 IPv6 協議與應用 - 115 NAT64 and DNS64 Example
1. The IPv6 host asks DNS64 "www.gsn.tw ?"; DNS64 asks the DNS and receives A 192.0.2.1 (the IPv4-only web server).
2. DNS64 synthesizes an IPv4-embedded IPv6 address and answers AAAA 64:ff9b::c000:201.
3. The IPv6 host sends SYN to 64:ff9b::c000:201.
4. NAT64 (IPv4 side address 192.0.2.45) records the IPv6 <-> IPv4 mapping and sends SYN src=192.0.2.45 dst=192.0.2.1 to the web server 192.0.2.1.
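As an added example (not from the slides), the arithmetic behind the addresses above using Python's standard ipaddress module: RFC 6052 /96 embedding and extraction, including the prefix check a translator must do before stripping the low 32 bits, and the DNS64 rule of synthesizing an AAAA record only when no real one exists. The same /96 form covers the aaaa::/96 prefix of the NAT-PT example and the 464XLAT prefixes later on.

```python
import ipaddress

# RFC 6052 Well-Known Prefix used by NAT64/DNS64 (the prefix shown on the slide).
WKP = ipaddress.IPv6Network("64:ff9b::/96")


def embed_ipv4(prefix: ipaddress.IPv6Network, v4: str) -> str:
    """Build an IPv4-embedded IPv6 address: the /96 prefix in the high bits,
    the IPv4 address in the low 32 bits (RFC 6052, /96 case only)."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 translator prefixes are handled here")
    v4_int = int(ipaddress.IPv4Address(v4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4_int))


def extract_ipv4(prefix: ipaddress.IPv6Network, v6: str) -> str:
    """Inverse of embed_ipv4. A translator must refuse addresses outside its
    own prefix instead of blindly taking the low 32 bits of any destination."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        raise ValueError(f"{v6} is not inside translator prefix {prefix}")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def dns64_answer(a_records, aaaa_records, prefix=WKP):
    """DNS64 rule (RFC 6147): return real AAAA records when the name has them;
    synthesize from A records only when it does not, so dual-stack
    destinations are never forced through the translator."""
    if aaaa_records:
        return list(aaaa_records)
    return [embed_ipv4(prefix, a) for a in a_records]


if __name__ == "__main__":
    # Constructed sample inputs, taken from the example addresses on the slides.
    print(embed_ipv4(WKP, "192.0.2.1"))                  # 64:ff9b::c000:201
    print(extract_ipv4(WKP, "64:ff9b::c000:201"))        # 192.0.2.1
    print(dns64_answer(["192.0.2.1"], []))               # synthesized AAAA
    print(dns64_answer(["192.0.2.1"], ["2001:db8::1"]))  # real AAAA kept
```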

116 IPv6 協議與應用 - 116 NAT64 Implementations
- Ecdysis, a NAT64 gateway, includes DNS64
- TAYGA, a stateless NAT64 implementation for Linux
- Jool, a stateful NAT64 implementation for Linux, developed by NIC Mexico and Monterrey Institute of Technology
- OpenBSD 5.1 brings a PF packet filter capable of NAT64
- Microsoft Forefront Unified Access Gateway, a reverse proxy and VPN solution that implements DNS64 and NAT64
http://en.wikipedia.org/wiki/NAT64

117 IPv6 協議與應用 - 117 NAT64 Implementations
- Stateless NAT64 on Cisco ASR 1000
- Stateful NAT64 feature on Juniper MX Series 3D Universal Edge router
- Cisco ASA version 9.0 release brings NAT64 and DNS64
- Experimental public NAT64/DNS64 service at LITNET, Kaunas University of Technology
- Dual stack architecture that recognizes both IPv4 and IPv6 traffic on Fortinet FortiGate® multi-threat security appliances
http://en.wikipedia.org/wiki/NAT64

118 464XLAT: Combination of Stateful and Stateless Translation (RFC 6145, RFC 6146, RFC 6877)

119 IPv6 協議與應用 - 119 464XLAT
- A simple technique to provide IPv4 access service across an IPv6 network by combining existing stateful and stateless translations.
  - Stateful translation (PLAT): RFC 6146
  - Stateless translation (CLAT): RFC 6145
- Only a small number of IPv4 addresses is required in the PLAT to support the stateful translation.
- Applies to both wireline networks and wireless 3GPP networks.

120 IPv6 協議與應用 - 120 464XLAT
- PLAT: Provider side translator (XLAT)
  - Translates global IPv6 addresses to global IPv4 addresses, and vice versa.
  - A stateful translator
- CLAT: Customer side translator (XLAT)
  - Translates private IPv4 addresses to global IPv6 addresses, and vice versa.
  - A stateless translator
  - Implemented in a router or a mobile phone
  - DNS64 and port mapping are not required.

121 IPv6 協議與應用 - 121 464XLAT Example (Private -> Public)
Path: host (private IPv4) -> CLAT -> IPv6 network -> PLAT -> IPv4 Internet
Configuration:
- CLAT: XLATE Src Prefix 2001:db8:aaaa::/96; XLATE Dst Prefix 2001:db8:bbbb::/96
- PLAT: IPv4 pool 192.0.2.1-192.0.2.100; XLATE Dst Prefix 2001:db8:bbbb::/96
- Translator IPv6 addresses in the diagram: 2001:db8:aaaa::aa, 2001:db8:cccc::cccc
Packet from host 192.168.1.2 to server 198.51.100.1:
1. Host -> CLAT (IPv4): Src=192.168.1.2, Dst=198.51.100.1
2. CLAT -> PLAT (IPv6): Src=2001:db8:aaaa::192.168.1.2, Dst=2001:db8:bbbb::198.51.100.1
3. PLAT -> server (IPv4): Src=192.0.2.100, Dst=198.51.100.1
Mapping table: 192.168.1.2 -> 192.0.2.100

122 IPv6 協議與應用 - 122 464XLAT Example (Public -> Private)
Path: IPv4 Internet -> PLAT -> IPv6 network -> CLAT -> host (private IPv4)
Configuration:
- CLAT: XLATE Src Prefix 2001:db8:bbbb::/96; XLATE Dst Prefix 2001:db8:aaaa::/96
- PLAT: XLATE Src Prefix 2001:db8:bbbb::/96; XLATE Dst Prefix 2001:db8:aaaa::/96
- Translator IPv6 addresses in the diagram: 2001:db8:aaaa::aa, 2001:db8:cccc::cccc
Reply from server 198.51.100.1 to host 192.168.1.2:
1. Server -> PLAT (IPv4): Src=198.51.100.1, Dst=192.0.2.100
2. PLAT -> CLAT (IPv6): Src=2001:db8:bbbb::198.51.100.1, Dst=2001:db8:aaaa::192.168.1.2
3. CLAT -> host (IPv4): Src=198.51.100.1, Dst=192.168.1.2
Mapping table: 192.168.1.2 -> 192.0.2.100
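The two 464XLAT slides above as an added, runnable model (not the presentation's or any vendor's code): a stateless CLAT that only embeds addresses, and a stateful PLAT that binds each IPv6 source to a pool address on the first outbound packet and translates the reply only through an existing binding. Prefixes and the pool are taken from the slides; the class and function names are this example's own.

```python
import ipaddress

# Prefixes and pool from the slides' 464XLAT example (documentation ranges).
CLAT_SRC_PREFIX = ipaddress.IPv6Network("2001:db8:aaaa::/96")   # CLAT XLATE Src Prefix
PLAT_DST_PREFIX = ipaddress.IPv6Network("2001:db8:bbbb::/96")   # XLATE Dst Prefix
PLAT_POOL = ("192.0.2.1", "192.0.2.100")                         # PLAT IPv4 pool

def v4_to_v6(prefix, v4):
    """Stateless /96 embedding (RFC 6052): prefix bits | IPv4 address in the low 32 bits."""
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4))))

def v6_to_v4(v6):
    """Strip the /96 prefix: the low 32 bits are the IPv4 address."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv6Address(v6)) & 0xFFFFFFFF))

def clat_4to6(src4, dst4):
    """CLAT (stateless, RFC 6145 style): private IPv4 packet -> IPv6 packet. No state is kept."""
    return v4_to_v6(CLAT_SRC_PREFIX, src4), v4_to_v6(PLAT_DST_PREFIX, dst4)

class Plat:
    """PLAT (stateful, RFC 6146 style): one pool address per IPv6 source, bound on first outbound packet."""
    def __init__(self, first, last):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        # pop() hands out the highest address first, so the first binding matches the slide (192.0.2.100)
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.bind, self.rev = {}, {}   # IPv6 source -> public IPv4, and the reverse

    def out_6to4(self, src6, dst6):
        if ipaddress.IPv6Address(dst6) not in PLAT_DST_PREFIX:
            raise ValueError("destination outside the PLAT prefix is not translated")
        if src6 not in self.bind:
            if not self.free:
                raise RuntimeError("IPv4 pool exhausted")   # the scarce resource in 464XLAT
            pub = self.free.pop()
            self.bind[src6], self.rev[pub] = pub, src6
        return self.bind[src6], v6_to_v4(dst6)

    def in_4to6(self, src4, dst4):
        """Inbound IPv4 is translated only through an existing binding; unsolicited packets are dropped."""
        if dst4 not in self.rev:
            raise KeyError("no binding for " + dst4)
        return v4_to_v6(PLAT_DST_PREFIX, src4), self.rev[dst4]

def round_trip(host4="192.168.1.2", server4="198.51.100.1"):
    """The slides' two packets: CLAT -> PLAT outbound, then the reply back to the host."""
    plat = Plat(*PLAT_POOL)
    s6, d6 = clat_4to6(host4, server4)   # 2001:db8:aaaa::192.168.1.2 -> 2001:db8:bbbb::198.51.100.1
    s4, d4 = plat.out_6to4(s6, d6)       # 192.0.2.100 -> 198.51.100.1
    rs6, rd6 = plat.in_4to6(d4, s4)      # reply re-embedded by the PLAT
    return (s6, d6), (s4, d4), (v6_to_v4(rs6), v6_to_v4(rd6))   # CLAT strips prefixes on the way back
```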

123 IPv6 協議與應用 - 123 464XLAT Trials
- Wireline network
  - JPIX has started a trial service
    - Started in July 2000
    - 16 ISPs (Jan. 2012)
    - CLAT is implemented in existing CPE routers (NEC)
- Wireless 3GPP network
  - T-Mobile USA
    - PLAT: T-Mobile USA
    - CLAT: Android, Nokia N900
    - http://code.google.com/p/android-clat/
    - https://code.google.com/p/n900ipv6/wiki/Nat64D

124 IPv6 協議與應用 - 124 Android + CLAT on a UMTS IPv6-only network with DNS64/NAT64
- Mobile phone: Nexus S phone with CLAT software
- Mobile network: T-Mobile USA IPv6 Beta
https://sites.google.com/site/tmoipv6/464xlat
Diagram: IPv4/IPv6 apps -> CLAT daemon (NAT 4 -> 6) -> IPv6-only cell network -> PLAT server (NAT 6 -> 4) -> IPv4 service

