1. IPv6 技術理論與實務研習班 IPv4/IPv6 轉移機制介紹

2. 2 大綱  簡介  Dual Stack  Tunneling  Translator

3. 3 大綱  簡介  Dual Stack  Tunneling  Translator

4. 4 Network Today IPv6 Network (Thousands of Nodes) IPv6 Network (Thousands of Nodes) IPv4 Network (Millions of Nodes) IPv4 Network (Millions of Nodes)

5. 5 Future Network IPv4 Network (Millions of Nodes) IPv4 Network (Millions of Nodes) IPv6 Network (Trillions of Nodes) IPv6 Network (Trillions of Nodes)

6. 6 IETF NGTrans(v6ops) Working Group  Define the processes by which networks can be transitioned from IPv4 to IPv6  Define & specify the mandatory and optional mechanism that vendors are to implement in Hosts, Routers and other components of the Internet in order for the Transition.  http://www.ietf.org/html.charters/ngtrans- charter.html  http://www.ietf.org/html.charters/v6ops- charter.html

7. 7 IPv4-IPv6 Transition /Co-Existence A wide range of techniques have been identified and implemented, basically falling into three categories: – Dual-stack techniques, to allow IPv4 and IPv6 to co-exist in the same devices and networks – Tunneling techniques, to avoid order dependencies when upgrading hosts, routers, or regions – Translator techniques, to allow IPv6-only devices to communicate with IPv4-only devices Expect all of these to be used, in combination

8. 8 Transition Mechanisms

9. 9 大綱  簡介  Dual Stack  Tunneling  Translator

10. Dual Stack  RFC 2893  DSTM:Draft-ietf-ngtrans- dstm-08.txt

11. RFC 2893 Transition Mechanisms for IPv6 Hosts and Routers

12. 12 RFC 2893 Applications TCP/UDP IPV4IPV6 Device Driver V4/V6 network V6 network V4 network TCP/UDP IPV4 IPV6 Device Driver Routing protocols

13. Draft–ietf–ngtrans–dstm–08.txt Dual Stack Transition Mechanism (DSTM)

14. 14 Dual Stack Transition Mechanism  What is it for? – DSTM assures communication between IPv4 applications in IPv6 only networks and the rest of the Internet. IPv6 only IPv4 only ?

15. 15 DSTM: Principles  Allows IPv6/IPv4 hosts to talk to IPv4 hosts  IPv4 address not initially assigned to dual-stack host  Uses a DHCPv6 server to temporarly assign IPv4 address; and a special DNS server  Requires at least one IPv4 address per site

16. 16 DSTM

17. 17 大綱  簡介  Dual Stack  Tunneling  Translator

18. Tunneling  RFC 2893  RFC 2529  RFC 3053  RFC 3056  ISATAP:Draft-ietf-ngtrans- isatap-13.txt

19. RFC 2893 Transition Mechanisms for IPv6 Hosts and Routers

20. 20 RFC 2893  Configured tunnels –Connects IPv6 hosts or networks over an existing IPv4 infrastructure –Generally used between sites exchanging traffic regularly  Automatic tunnels –Tunnel is created then removed after use –Requires IPv4 compatible addresses

21. 21 Configured Tunnels IPv4 Tunnel Dual-stack node Dual-stack node IPv4 HIPv6 HPayloadIPv6 HPayloadIPv6 HPayload IPv6 Island IPv4 Networks

22. 22 Automatic Tunnel  Node is assigned an IPv4 compatible address – ::140.112.1.101  If destination is an IPv4 compatible address, automatic tunneling is used – Routing table redirects ::/96 to automatic tunnel interface 0000IPv4 address0000........ 0000 80 1632

23. 23 IPv6 Island IPv4 Internet IPv4 Tunnel Dual-stack node Dual-stack node IPv4 HIPv6 HPayloadIPv6 HPayload 0:0:0:0:0:0IPv4 Address Automatic Tunnel

24. RFC 2529 6 over 4

25. 25 6over4  Interconnection of isolated IPv6 domains in an IPv4 world  No explicit tunnels  The egress router of the IPv6 site must – Have a dual stack (IPv4/IPv6) – Have a globally routable IPv4 address – Have an IPv4 multicast infrastructure Local IPv4 multicast network appears as a single IPv6 subnet Local IPv4 multicast network appears as a single IPv6 subnet – Implement 6over4 on an external interface

26. 26 How 6over4 works v4 Site’s IPv4 routing infrastructure IPv4 Multicast enabled V4/v6 System with 6over4 driver V4/v6 6over4 router Autoconfiguration and ND via IPv4 Multicast System to System communication via IPv6 over IPv4 tunneling using IPv4 addresses learned during Autoconfig/ND System with 6over4 driver

27. RFC 3053 IPv6 Tunnel Broker

28. 28 Motivation  IPv6 tunneling over the internet requires heavy manual configuration – Network administrators are faced with overwhelming management load – Getting connected to the IPv6 world is not an easy task for IPv6 beginners  The Tunnel Broker approach is an opportunity to solve the problem – The basic idea is to provide tunnel broker servers to automatically manage tunnel requests coming from the users  Benefits – Stimulate the growth of IPv6 interconnected hosts – Allow to early IPv6 network providers the provision of easy access to their IPv6 networks

29. 29 Tunnel broker  Tunnel broker automatically manages tunnel requests coming from the users – The Tunnel Broker fits well for small isolated IPv6 sites, especially isolated IPv6 hosts on the IPv4 Internet  Client node must be dual stack (IPv4/IPv6)  The client IPv4 address must be globally routable (no NAT)

30. 30 DNS 伺服器 IPv4 網路 隧道代理 (2) (1) (3) (4) 使用者 隧道終點 隧道伺服器 IPv6 Island IPv6 IPv6 over IPv4 隧道 Tunnel broker

31. RFC 3056 Connection of IPv6 Domains via IPv4 Clouds(6to4)

32. 32 Allows communication of isolated IPv6 domains over an IPv4 infrastructure Minimal manual configuration Uses globally unique prefix comprised of the unique 6to4 TLA and the globally unique IPv4 address of the exit router. 6to4 FP 001 TLA 0x0002 V4 addressSLA IDInterface ID 313163264 Prefix length :48 bits Format prefix : 001 TLA value : 0x0002 NLA value : V4 address

33. 33 6to4  IPv6 addressing – Any isolated IPv6 domain can autonomously build its own globally unique IPv6 prefix. – The globally unique IPv4 address of the domain border router is used for this purpose. 2002IPv4SLAInterface ID ISPv4 assignedmanagedauto-configured6to4 prefix internet IPv6 island Router 4/6 Public IPv4 address of dual-stack GW Well known 0x2002

34. 34 6to4  Communication among 6to4 sites – The egress router automatically creates a tunnel to the destination domain – The IPv4 endpoint is extracted from the destination IPv6 prefix  Only the egress router has to be 6to4 capable. internet tunnel Router 6to4 6to4 site

35. 35 6to4  Communication with the native IPv6 world – Based on 6to4 relays – A 6to4 router must be able to locate at least one 6to4 relay (e.g. manual conf.) internet tunnel Router 6to4 ISP site ISP 2002::/16

36. Draft-ietf-ngtrans-isatap-13.txt Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)

37. 37 ISATAP  The primary function of ISATAP is to allow hosts that are multiple IPv4 hops away from an IPv6 router to participate in the IPv6 network by automatically tunneling IPv6 packets over IPv4 to the next-hop address.  Example: ISATAP host communicates with IPv6 host (no ISATAP support). – The ISATAP host is isolated in an IPv4 network whereas the IPv6 host is a IPv6 network IPv4Infrastructure HOST B ISATAP Supported IPv6 Network IPv6 Network IPv6 HOST

38. 38 ISATAP  In the reverse direction, the ISATAP router automatically performs IPv6- in-IPv4 tunneling for packets from the native IPv6 host to the ISATAP host even though the native IPv6 host has no knowledge of the legacy IPv4 infrastructure or addressing architecture. IPv4Infrastructure HOST B ISATAP Supported IPv6 Network IPv6 Network IPv6 HOST

39. 39 Construction of ISATAP address  ISATAP interface identifier can be combined with any 64-bit prefix (including 6to4 prefixes) to form an RFC 2373 compliant IPv6 globally aggregatable unicast address.  IPv4 address inside EUI-64 interface identifier ::0:5EFE:A.B.C.D for IPv4 address A.B.C.D The 0:5EFE portion is formed from the combination of the Oganizational Unit Identifier (OUI) that is assigned to IANA, and a type that indicates an embedded IPv4 address (FE). Interface IdentifierPrefix ISATAP Prefix Specially constructed EUI64 Interface ID 64-bits ISATAP Address Format

40. 40 ISATAP Address Example  If TYPE = 0xFF and TSE = 0xFE, TSD contains legacy EUI48 (TSE = 0xFF reserved by IEEE).  If TYPE = 0xFE, TSE and TSD together contain embedded IPv4 address. IPv4 address is: 140.173.129.3 routing prefix is: 3FFE:1A05:510:2412 ISATAP IPv6 address is: OUIExtension ID 24-bits40-bits EUI-64 Format Interface Identifier 00 5eTYPETSETSD :0:5EFE:3FFE:1A05:510:2412140.173.129.3 Link-local variant is: FE80::0:5EFE:140.173.129.3 Specially constructed EUI64 Interface ID

41. 41 ISATAP Operation Simple Deployment Scenario of ISATAP (Hosts….) The Automatic Tunneling Pseudo-Interface uses the link-local ISATAP address assigned to the interface as a source, and uses the last 32 bits in the source and destination IPv6 addresses (corresponding to the embedded IPv4 addresses) as the source and destination IPv4 addresses FE80:5EFE:10.40.1.29 IPv4Infrastructure IPv6 Header IPv6 Data IPv6 Header IPv6 Data IPv4 Header 192.168.41.30 10.40.1.29 FE80:5EFE:192.168.41.30 HOST A ISATAP Supported HOST B ISATAP Supported IPv6 Header IPv6 Data Src = FE80:5EFE:10.40.1.29 Dst = FE80:5EFE:192.168.41.30 Src = FE80:5EFE:10.40.1.29 Dst = FE80:5EFE:192.168.41.30 Src = 10.40.1.29 Dst = 192.68.41.30

42. 42 ISATAP Operation Simple Deployment Scenario of ISATAP (Routers…) IPv6 Network IPv6 Network IPv4 Network IPv6 in IPv4 ISATAP IPv6 HOST ISATAP HOST 3FFE:1A05:5102412:5EFE:10.40.1.29 10.40.1.29 IPv6 Header IPv6 Data 3FFE:1A05:5102412:5EFE:192.168.41.25 192.168.41.25 IPv6 Header IPv6 Data IPv4 Header IPv6 Header IPv6 Data Src = 3FFE:1A05:5102412:5EFE:10.40.1.29 Dst = 3FFE:3600:8::1 Src = 10.40.1.29 Dst = 192.68.41.25 Src = 3FFE:1A05:5102412:5EFE:10.40.1.29 Next = 3FFE:1A05:5102412:5EFE:192.168.41.25 Dst = 3FFE:3600:8::1

43. 43 大綱  簡介  Dual Stack  Tunneling  Translator

44. Translator  RFC 2765  RFC 2766  RFC 2767  RFC 3338  RFC 3089  RFC 3142

45. RFC 2765 Stateless IP/ICMP Tanslation algorithm (SIIT)

46. 46 SIIT

47. 47 SIIT  Allows IPv6-only hosts to talk to IPv4 hosts  Translation on IP packet header(including ICMP headers) in separate translator boxes in the network without requiring any per-connection state in those boxes.  Translation on IP packet header (including ICMP headers) in separate translator boxes in the network without requiring any per-connection state in those boxes.  Use IPv4-translatable IPv6 address (0::ffff:0:a.b.c.d)  Most option fields can not be translated  Requires one temporary IPv4 address per host

48. 48 SIIT

49. RFC 2766 Network Address Translation – Protocol Translation (NAT-PT)

50. 50 Introduction p Allows IPv6-only hosts to talk to IPv4 hosts and vice-versa p Stateful translation p Requires at least one IPv4 address per site p Traditional NAT-PT m Sessions are unidirectional, outbound from the v6 network m Two variations: Basic-NAT-PT and NAPT-PT p Bi-directional-NAT-PT m Session can be initiated from hosts in v4 network as well as the v6 network m A DNS-ALG must be employed to facilitate name to address mapping p similar to NAT in IPv4 network

51. 51 Limitations  all requests and responses pertaining to session should be routed via the same NAT-PT router.  A number of IPv4 fields have changed meaning in IPv6 and translation is not straightforward.  Ex. Option headers, details found in [SIIT]  Applications that carry the IP address in the high layer will not work. In this case ALG need to be incorporated to provide support for these applications.  Lack of end-to-end security

52. 52 Address Translation (IPv4 -> IPv6) TRANSLATOR prefix aaaa::/96 v4.etri.re.kr 129.254.165.141 DNS(v4) 129.254.15.15 v6.opicom.co.kr ? DA:132.146.134.184 SA:129.254.15.15 DNS response resource data(132.146.134.180) DA:132.146.134.180 SA:129.254.165.141 v6.opicom.co.kr 2001:230::1 DNS(v6) 2001:230::2 DA:2001:230::2 SA:aaaa::129.254.15.15 resource data (2001:230::1) DA:2001:230::1 SA:aaaa::129.254.165.141 132.146.134.1842001:230::2 After mapping is verified either it is existed or not, DNS-ALG makes the mapping table of IPv4 inside resource data 132.146.134.1800001 132.146.134.1810002 132.146.134.1802001:230::1 DNS static Mapping POOL of IPv4 ADDRESS DA is changed to mappied address SA is added and removed prefix/96 IPv4 IPv6 Mapping table

53. 53 TRANSLATOR prefix aaaa::/96 132.146.134.1842001:230::2 132.146.134.1800001 132.146.134.1810002 132.146.134.1802001:230::1 DNS static Mapping POOL of IPv4 ADDRESS SA is changed to mappied address DA is added and removed prefix/96 After mapping is verified either it is existed or not, NAT-PT makes the mapping table of IPv6 source address v4.etri.re.kr 129.254.165.141 DNS(v4) 129.254.15.15 DA:129.254.15.15 SA:132.146.134.184 resource data (129.254.165.141) DA:129.254.165.141 SA:132.146.134.180 v6.opicom.co.kr 2001:230::1 DNS(v6) 2001:230::2 v4.etri.re.kr ? DA:aaaa::129.254.15.15 SA:2001:230::2 resource data (aaaa::129.254.165.141) DA:aaaa::129.254.165.141 SA:2001:230::1 IPv4 IPv6 Mapping table Address Translation (IPv6 -> IPv4)

54. RFC 2767 Dual Stack Hosts using the “ Bump-In-the-Stack ” Technique (BIS)

55. 55 BIS  Allow existing IPv4 applications communicate with other IPv6 hosts (There are few applications for IPv6)  Make hosts as if dual stack with applications for both IPv4 and IPv6  BIS adds new modules to the local IPv4 stack  On the BIS host, the IPv6 destination address is mapped into a local private IPv4 address  Same limitation as Protocol translation(SIIT): overhead/limitations of SIIT  2 layer interface dependant

56. 56 Structure of the proposed dual stack host IPv4 applications Network card drivers IPv6 translator Address mapper Extension name resolver TCP/IPv4 Network card

57. 57 Action of the Originator 1. When initialization, register its own IPv4/IPv6 address into table 2. IPv4 application summits a query for A record 3. Extension name resolver snoops the query, and creates another query for both A and AAAA record Network Driver IPv4 Application IPv4 IPv6 R M T 2. A record 3. A/AAAA record DNS Server R: extension name resolver M: address mapper T: translator

58. 58 Action of the Originator 4a. And 5a. If A record is replied => resolver returns the A record to the Application 6a. No need for the IP conversion by the translator IPv4 Application IPv4 IPv6 Network Driver R M T 4a. A record 5a. DNS Server 6a. Data IPv4 R: extension name resolver M: address mapper T: translator

59. 59 Action of the Originator 4b. And 5b. and 6b. If AAAA record is replied, resolver requests the mapper to assign an IPv4 address corresponding to IPv6 address 7b. Resolver return A record to application 8b. Application sends IPv4 packets to IPv6 hosts through translator. The translator querys the mapper to provide IPv6 addresses IPv4 Application IPv4 IPv6 Network Driver R M T 4b. AAAA record 5b. 6.b 7b. DNS Server 8b. IPv6 R: extension name resolver M: address mapper T: translator

60. 60 Action of the recipient IPv6 1. IPv6 packet reaches translator 2. Translator requests mapper to provide mapping entries 3. Mapper checks the table to find the IPv4 address for the src If no entry, mapper selects an IPv4 address from the pool 4. Mapper returns IPv4 source/dest address to the translator IPv4 Application IPv4 IPv6 Network Driver R M T 2. 4. 1.

61. 61 Action of the recipient 5. Translator translates the IPv6 packet into an IPv4 packet and tosses it up to the application IPv4 Application IPv4 IPv6 Network Driver R M T IPv6 5.

62. RFC 3338 Dual Stack Hosts Using “ Bump-in-the-API(BIA) ”

63. 63 BIA (Bump-in-the-API)  Allow existing IPv4 applications communicate with other IPv6 hosts (There are few applications for IPv6)  Socket API level translation rather than the IP level translation – No overhead for protocol translation  2 layer interface independent  Dual stack: IPv6 application available also!

64. 64 BIA IPv4 applications Socket API (IPv4, IPv6) Name Resolver Address Mapper Function Mapper API Translator TCP(UDP)/IPv4TCP(UDP)/IPv6

65. 65 BIA IPv4 applications IPv6 applications Socket API (IPv6) TCP(UDP)/IPv6 Socket API (IPv4) TCP(UDP)/IPv4 API Translator (IPv4 IPv6) IPv4 applications Socket API (IPv6) TCP(UDP)/IPv6 Socket API (IPv4) API Translator (IPv4 IPv6) TCP(UDP)/IPv4 IPv6 applications

66. RFC 3089 A SOCKS-based IPv6/IPv4 Gateway Mechanism

67. 67 SOCKS gateway  SOCKS server relays two "terminated" IPv4 and IPv6 connections at the "application layer" – Each socksified application has its own *Socks Lib*. – replace applications' socket APIs and DNS name resolving APIs – an enhanced SOCKS server that enables any types of protocol combination relays between Client C (IPvX) and Destination D (IPvY).  Application proxy – Clients must be “socksified”

68. 68 Basic SOCKS-based Gateway

69. 69 Advanced SOCKS-based Gateway

70. RFC 3142 An IPv6-to-IPv4 Transport Relay Translator

71. 71 Transport Relay  Translator – At the transport level – Between the IPv6 host and IPv4 host – Receives the IPv6 TCP connection from the origination node  Makes an IPv4 TCP connection to the destination node

72. 72 IPv6-to-IPv4 transport relay translator Inner network outer network TRT system – dummy prefix fec0:0:0:1::/64 fec0:0:0:1::10.1.1.1 10.1.1.1 Initiating host IPv6 only Destination host IPv4 only 10.1.1.1 TCP/IPv6: the initiating host --> the TRT system address on IPv6 header: A6 -> C6::X4 TCP/IPv4: the TRT system --> the destination host address on IPv4 header: Y4 -> X4 A6 B6 Y4 X4

73. 73 Implementers  In a large site, it is possible to have multiple TRT systems in a site. By the following steps: – Configure multiple TRT systems – Configure different dummy prefix to them – Let the initiating host pick a dummy prefix randomly for load-balancing Install special DNS server to the site – Configure DNS servers differently to return different dummy prefixes and tell initiating hosts of different DNS servers – Let DNS server pick a dummy prefix randomly for load-balancing.

74. 74 Advantages of TRT  TRT is designed to require no extra modification on IPv6-only initiating hosts, nor that on IPv4-only destination hosts.  Some other translation mechanisms need extra modifications on IPv6-only initiating hosts, limiting possibility of deployment.  The IPv6-to-IPv4 header converters have to take care of path MTU and fragmentation issues. However, TRT is free from this problem.

75. 75 Disadvantages of TRT  TRT supports bi-directional traffic only. The IPv6- to-IPv4 header converters may be able to support other cases, such as unidirectional multicast datagrams.  TRT needs a stateful TRT system between the communicating peers, just like NAT systems. It is possible to place multiple TRT systems in a site, a transport layer connection goes through particular, a single TRT system.

76. 76 Disadvantages of TRT  Special code is necessary to relay NAT-unfriendly protocols. Some of NAT-unfriendly protocols, including IPSec, cannot be used across TRT system.

77. Application Layer Gateway  DNS ALG  FTP ALG

78. 78 ALG ALG 是對應於特定應用程式的代理人，用來讓 V6 node 可以和 V4 node 互相溝通。有些應用程式會把網路位址 存在封包的 payload 中，可是 NAT-PT 本身並無法得知 payload 裡存的是什麼。 ALG 可以協助 NAT-PT 來達到 這個功能。

79. 79 有無 DNS-ALG 之比較 在沒有 DNS-ALG 的情況下， NAT-PT 只能做到 v6 建 立連線到 v4 ， v4 無法透過 NAT-PT 向 v6 建立連線。  沒有 DNS-ALG

80. 80 有無 DNS-ALG 之比較 這是假設從 v6 網路到 v4 網路的狀況，其實 v4 到 v6 是一樣的 狀況，只是 IPv4 和 IPv6 角色反過來。  有 DNS-ALG

81. 81 Ｗ hy???  V4 之所以需要透過 NAT-PT 向 v6 建立連線需要 DNS-ALG 的 協助，是因為一開始， v4 node 並不知道 NAT-PT 會給 v6 node 替代的 v4 address 是什麼。所以得利用 namelookup 來 取得該 v6 node 對應的 v4 address mapping ，以建立連線。

82. 82 FTP-ALG Support FTP control message 中會攜帶 IP address 以及 TCP port 資 訊， FTP-ALG 可以支援 NAT-PT 使得 FTP 在 application level 的轉換沒有問題。在 RFC2428 中建議利用 EPRT 和 EPSV 兩個 指令分別替代 PORT 和 PASV 指令。

83. 83 FTP-ALG Support V4 node 可能有 implement EPRT 和 EPSV 也可能沒有。如果 V4 node 利用 PORT 和 PASV 送出 FTPSession Request 的話， FTP-ALG 會將指令分別轉換成 EPRT 和 EPSV 。 由 V4 node 產生 FTP session 的情況

84. 84 FTP-ALG Support  第一種方法： FTP-ALG 不改變 EPRT 和 EPSV ，而只是轉換 成 NAT-PT 或 NAPT-PT 所指 定的 IPv4 相對應資訊。但在這種方法下， IPv4 端的 FTP application 必須 upgrade to support EPRT and EPSV 。  第二種方法： FTP-ALG 把 EPRT 和 EPSV 分別轉換成 PORT 和 PASV 。同時也對 這幾個參 數做轉換。好處是 IPv4 端的 FTP 不需 upgrade 。壞處是， FTP-ALG 無法對 EPSV ALL 這個指令做對應的轉 換，這個情況下， IPv4 端的 FTP app 會傳回 error 。 由 V6 node 產生 FTP session 的情況

85. 85 結論： Internet Transition Trend Only IPv4 IPv6 Islan d IPv6 Islan d IPv4 Ocean IPv4 Ocean IPv4 Island IPv4 Island IPv6 Ocean IPv6 Ocean IPv6 Ocean IPv6 Ocean IPv4 Ocean IPv4 Ocean TB 6to4 6over4 NAT-PT Multi mechanism NAT-PT DSTM 4to6

86. 86