Presentation is loading. Please wait.

Presentation is loading. Please wait.

IPv4/IPv6 Coexistence Scenarios - Requirements for Translation Mechanisms. draft-ietf-v6ops-nat64-pb-statement-req-01 M. Bagnulo, F. Baker, I. van Beijnum.

Published byAllan Lyons Modified over 8 years ago

Similar presentations

Presentation on theme: "IPv4/IPv6 Coexistence Scenarios - Requirements for Translation Mechanisms. draft-ietf-v6ops-nat64-pb-statement-req-01 M. Bagnulo, F. Baker, I. van Beijnum."— Presentation transcript:

1 IPv4/IPv6 Coexistence Scenarios - Requirements for Translation Mechanisms. draft-ietf-v6ops-nat64-pb-statement-req-01 M. Bagnulo, F. Baker, I. van Beijnum IETF72

2 Requirements for new generation of v4-v6 translation mechanisms Basic Requirements that MUST be supported Important things that SHOULD be supported

3 Translation scenario,-----.,-----.,' `.,' `. / \ / \ / IPv4-only \ / IPv6-only \ / Domain +-----------+ Domain \ ; |Translation| : | | Gateway | | : +-----------+ ; \ +----+ / \ +----+ / \ |IPv4| / \ |IPv6| / \ |Host| / \ |Host| / `. +----+,' `. +----+,' '-----' '-----’ IPv4 host means that it has only v4 stack or a dual stack host without IPv6 address IPv6 host means that it has only v6 stack or a dual stack host without IPv4 address

4 Basic Requirements that MUST be supported R1: Changes in the hosts The translation mechanism MUST NOT require changes in the v4-only nodes to support the Basic requirements described in this section,unless explicitly stated in the particular requirement. The translation mechanism MAY require changes to v6-only nodes. Question: are changes in dual stack nodes acceptable or not? Question: we do agree that changes are ok in v6 only nodes with current definition of v6 only node?

5 Basic Requirements that MUST be supported R2: Basic communication support –R2.1: Translation mechanim must support v6-initiated short-lived local handle (as defined in Section 3.1. –strong consensus on this –Question: v6-initiated connections from which v6 address to which v4 address? All v6 source to all v4 destinations? Subset of v6 sources to all v4 destinations? Subset of v6 sources to subset of v4 dest?

6 Basic Requirements that MUST be supported R2: Basic communication support –R2.2: Translation mechanim must support v4- initiated short-lived local handle (as defined in Section 3.1). – there is not clear if there is consensus for this –The problem is that some basic req may not be possible to meet in this case –Proposal: keep it, but have seprate reqs lists for v4 and v6 initiated communications

7 Basic Requirements that MUST be supported R3: Interaction with dual-stack hosts Translation mechanism MUST allow using native connectivity when it is available. This means that if a v6(4)-only nodes wants to communicate with a dual stack, it must use native v6(4) connectivity (In this case, dual stack means a host with both IPv6 and IPv4 stacks, wich are both active, i.e. they have v4 and v6 connectivity). Question 1: v6 only nodes may require modification to do this and this means that unmodified hosts may not prefer native connectivity and apps non compatible with nats would break. Should we disallow this? Question 2: is this requirement feasible for unmodified v4 only hosts? My guess is no

8 Basic Requirements that MUST be supported R4: DNS semantics preservation Any modifications to DNS responses associated with translation MUST NOT violate standard DNS semantics. This includes in particular that a DNS response (that has been modified by the translator mechanism) should not be invalid if it ends up in the wrong context, i.e. traversing a non expected part of the topology. Question: this can be achieved of v6 intiated communications, but hardly can be the case for v4 intiated connections...

9 Basic Requirements that MUST be supported R5: Routing IPv6 routing should not be affected in any way, and there should be no risk of importing "entropy" from the IPv4 routing tables into IPv6. No issues with this

10 Basic Requirements that MUST be supported R6: Protocols supported –The translation mechanism MUST support at least TCP, UDP, ICMP, TLS. –Question: what is the rationale we include TLS here? –Question: should we move DCCP and SCTP to MUST rahter than SHOULD?

11 Basic Requirements that MUST be supported R7: Behave requirements The translation mechanism MUST be compliant with the requirements for IPv4 NATs defined in [I-D.ietf- behave-tcp] and in [RFC4787] when applicable. These requirements should be interpreted with the IPv6 side on the IPv6-IPv4 translator being the IPv4 private side of the conventional NAT. This heavily assumes v6 initiated communications. If we have nat46, we probably don’t need this Question: should we include the behave requirements for ICMP, DCCP, SCTP?

12 Basic Requirements that MUST be supported R8: Fragmented packets The translation mechanism MUST suport fragmented packets when the fragments arrive within an interval smaller or equal to 5 seconds. Redundant with behave requirements?

13 Basic Requirements that MUST be supported R9: Security The adoption of the translation mechanism MUST not result in a significantly more vulnerable Internet

14 Basic Requirements that MUST be supported R10: DNSSec support DNSSec support MUST NOT be prevented. R10.1: In particular, if an IPv6 node is initiating a communication with an IPv4 that is located behind a translator, the IPv6 initiator MUST be able to perform DNSSec verification of the DNS information of the IPv4 target. (strong consensus on this one).

15 Basic Requirements that MUST be supported R10: DNSSec support DNSSec support MUST NOT be prevented. R10.2: In particular, if an IPv4 node is initiating a communication with an IPv6 that is located behind a translator, the IPv4 initiator MUST be able to perform DNSSec verification of the DNS information of the IPv4 target. This may require the modification of the IPv4 node as well. not clear if there consensus on this one Not clear if it is feasible

16 Basic Requirements that MUST be supported R11: IPsec support. The translator MUST be able to support the translation of at least one mode of IPsec and IKE flows sufficient to allow nodes using IKE and IPsec to successfully set up and use IPsec SAs. Although desirable, it is not a requirement that such a capability be done with no changes to the IPv4 nodes IKE/IPsec implementation.

17 Important things that SHOULD be supported (I) I1: Operational flxibility –It should be possible to locate the translation device at an arbitrary point in the network (i.e. not at fixed points such as a site exit), so that there is full operational flexibility.

18 Important things that SHOULD be supported (II) I2: Richer application behaviour support –The translation mechanism SHOULD support the other types of application behaviours, including Long-lived application associations, callbacks and referrals.In order to support this. The translation mechanism MAY require changes to v4-only nodes too I3: SCTP support –The translation mechanism SHOULD not prevent a SCTP communication between a v6-only node and a v4-only node

19 Important things that SHOULD be supported (III) I4: DCCP support –The translation mechanism SHOULD not prevent a DCCP communication between a v6-only node and a v4-only node I5: Multicast support –The translation mechanism SHOULD not prevent multicast traffic between the v4-only nodes and the v6-only nodes.

20 OLD slides next

21 Transition scenarios There are seven obvious transition scenarios: –IPv4 system connecting to an IPv4 system across an IPv4 network, –An IPv6 system connecting to an IPv6 system across an IPv6 network, –an IPv4 system connecting to an IPv4 system across an IPv6 network, –an IPv6 system connecting to an IPv6 system across an IPv4 network, –an IPv4 system connecting to an IPv6 system, or –an IPv6 system connecting to an IPv4 system. –a dual stack system connected to a IPv6 domain that is connecting to an IPv4 system.

22 Transition scenarios IPv4 system connecting to an IPv4 system across an IPv4 network, An IPv6 system connecting to an IPv6 system across an IPv6 network, Dual stack provides support for these

23 Transition scenarios an IPv4 system connecting to an IPv4 system across an IPv6 network, an IPv6 system connecting to an IPv6 system across an IPv4 network, Both tunnels and translation could support these, we reccomend tunnels.

24 Transition scenarios an IPv4 system connecting to an IPv4 system across an IPv6 network, an IPv6 system connecting to an IPv6 system across an IPv4 network, Both tunnels and translation could support these, we reccomend tunnels.

25 Transition scenarios an IPv4 system connecting to an IPv6 system, or an IPv6 system connecting to an IPv4 system. Translation is needed to support these

26 Requirements for the overall transition strategy (I) 1.Any transition strategy must contemplate a period of coexistence, with ultimate transition (e.g., turning off IPv4) being business decision. 2.Many are delaying turning on IPv6 (initiating coexistence in their networks) as long as possible. 3.Some are turning off IPv4 immediately, at least as a customer service. 4.Therefore, dual stack approaches, tunneled architectures, and translation architectures are all on the table.

27 Requirements for the overall transition strategy (II) 5.Any solution that makes translation between semi- connected islands "normal" has failed the fundamental architecture of the Internet and can expect service complexity to be an issue. 6.Translation architectures must provide for the advertisement of IPv4 names to IPv6 systems and vice versa. The address advertised in the "far" domain must be that of the translating gateway. 7.Tunneling architectures must provide a way to minimize and ideally eliminate configuration of the tunnel.

28 Market timing considerations We expect translation mechanism to require deployment in the very near term –Prior to IPv4 address depletion 2010-2012 Host software tends to be changed primarily when people buy new hardware –every 2-3 years on average, The mechanisms needs to be compatible with currently-deployed –Windows (XP and Vista), MacOSX (Tiger and Leopard), Linux, and Solaris operating systems. The solution is expected to deploy via patch update procedures in the hosts or otherwise all solved in network devices.

29 Requirements for new generation of v4-v6 translation mechanisms Basic Requirements that MUST be supported Important things that SHOULD be supported

30 Basic Requirements that MUST be supported R1: Changes in the hosts: –The translation mechanism MUST NOT require changes in the v4-only nodes to support the Basic requirements. –The translation mechanism MAY require changes to v6-only nodes. R2: Basic communication support: –Translation mechanim must support v4-initiated and v6-initiated (?) short-lived local handle.

31 Basic Requirements that MUST be supported R3: Interaction with dual-stack hosts: –Translation mechanism MUST allow using native connectivity when it is available. This means that if a v6-only nodes wants to communicate with a dual stack, it must use native v6 connectivity and the other way round R4: Private Addressing: –The translation mechanism MUST support v4-initiated short- lived local handle type of communication when the v4-only node has a private v4 address. R5: DNS semantics preservation: –Any modifications to DNS responses associated with translation MUST NOT violate standard DNS semantics. This includes in particular that a DNS response should not be invalid if it ends up in the wrong context, i.e. traversing a non expected part of the topology.

32 Basic Requirements that MUST be supported R6: Routing: –IPv6 routing should not be affected in any way, and there should be no risk of importing "entropy" from the IPv4 routing tables into IPv6. R7: Protocols supported: –The translation mechanism MUST support at least TCP, UDP, ICMP, TLS. R8: Behave-type requirements: –Mapping timeout (5min), –Address mapping behaviour: Endpoint independent –Port Assignment –Filtering behaviour: Endpoint independent

33 Basic Requirements that MUST be supported R9: Fragmented packets: –The translation mechanism MUST suport fragmented packets when the fragments arrive in an ordered fashion. R10: Security: –The adoption of the translation mechanism MUST not introduce new vulnerabilities in the Internet

Download ppt "IPv4/IPv6 Coexistence Scenarios - Requirements for Translation Mechanisms. draft-ietf-v6ops-nat64-pb-statement-req-01 M. Bagnulo, F. Baker, I. van Beijnum."

Similar presentations

IPv4/IPv6 Coexistence and Transition: Requirements for solutions draft-bagnulo-v6ops-6man-nat64-pb-statement-01 M. Bagnulo, F. Baker v6ops WG - IETF71.

IPv4/IPv6 Coexistence and Transition: Requirements for solutions draft-bagnulo-v6ops-6man-nat64-pb-statement-01 M. Bagnulo, F. Baker v6ops WG - IETF71.
NAT, firewalls and IPv6 Christian Huitema Architect, Windows Networking Microsoft Corporation.

NAT, firewalls and IPv6 Christian Huitema Architect, Windows Networking Microsoft Corporation.
IPv4 - IPv6 Integration and Coexistence Strategies Warakorn Sae-Tang Network Specialist Professional Service Department A Subsidiary.

IPv4 - IPv6 Integration and Coexistence Strategies Warakorn Sae-Tang Network Specialist Professional Service Department A Subsidiary.
TCP/IP Protocol Suite 1 Chapter 27 Upon completion you will be able to: Next Generation: IPv6 and ICMPv6 Understand the shortcomings of IPv4 Know the IPv6.

TCP/IP Protocol Suite 1 Chapter 27 Upon completion you will be able to: Next Generation: IPv6 and ICMPv6 Understand the shortcomings of IPv4 Know the IPv6.
CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
December 5, 2007 CS-622 IPv6: The Next Generation 1 IPv6 The Next Generation Saroj Patil Nadine Sundquist Chuck Short CS622-F2007 University of Colorado,

December 5, 2007 CS-622 IPv6: The Next Generation 1 IPv6 The Next Generation Saroj Patil Nadine Sundquist Chuck Short CS622-F2007 University of Colorado,
Project by: Palak Baid (pb2358) Gaurav Pandey (gip2103) Guided by: Jong Yul Kim.

Project by: Palak Baid (pb2358) Gaurav Pandey (gip2103) Guided by: Jong Yul Kim.
1 Teredo - Tunneling IPv6 through NATs Date: 2003-10-31 Speaker: Quincy Wu National Chiao Tung University.

1 Teredo - Tunneling IPv6 through NATs Date: Speaker: Quincy Wu National Chiao Tung University.
Enabling IPv6 in Corporate Intranet Networks

Enabling IPv6 in Corporate Intranet Networks
17/10/031 Summary Peer to peer applications and IPv6 Microsoft Three-Degrees IPv6 transition mechanisms used by Three- Degrees: 6to4 Teredo.

17/10/031 Summary Peer to peer applications and IPv6 Microsoft Three-Degrees IPv6 transition mechanisms used by Three- Degrees: 6to4 Teredo.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.

1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.
Understanding Internet Protocol

Understanding Internet Protocol
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
An Overview of IPv6 Transition/Co-existence Technologies Fernando Gont UTN/FRH LACNOG 2010 Sao Paulo, Brazil, October 19-22, 2010.

An Overview of IPv6 Transition/Co-existence Technologies Fernando Gont UTN/FRH LACNOG 2010 Sao Paulo, Brazil, October 19-22, 2010.
IPv6: The Next Generation Internet Protocol Luke Simpson and Martin Bouts ECE 4112 Spring 2005 May 2nd, 2005.

IPv6: The Next Generation Internet Protocol Luke Simpson and Martin Bouts ECE 4112 Spring 2005 May 2nd, 2005.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.

1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.

Similar presentations

Ads by Google