Tunnels. Jean Yves Le Boudec 2014


Menu
Today: lecture
- Tunnels, 6to4
- Link State Routing
Tomorrow 11:15-12:15
- Last clicker test
- How TOR works (presentation of best research exercise award)
No lab
Lab 3 and lab 4 grades available by end of this week

Feedback from Evaluation
Things that we will try to improve for next year
- Labs: (lab2) too long; some have stability problems with GNS3; (lab 5) too much configuration work
- Schedule conflicts with security course
Videos of lectures are useful
Clicker tests: give a joker question per test!
Work: ++ (EE students); + (CS); OK (ComSys)

Contents
1. VPNs
2. 6 to 6 over 4
3. 4 to 4 over 6
4. Transition to IPv6

1. Tunnels
Definition: a tunnel, also called encapsulation, occurs whenever a communication layer carries packets of a layer that is not the one above, e.g.:
- IP packet in UDP
- IP in TCP
- PPP (layer 2) packet in UDP
- IPv4 in IPv6
- IPv6 in IPv4
Why used?
- In theory: never
- In practice: security / private networks / IPv6-IPv4 interworking

Homer's Network
Homer deploys 10.x addresses in two sites and wants to interconnect them as one (closed) private network.
[Figure: routers A (1.1.1.1) and B (2.2.2.2) attached to Simpscom's network; site prefixes 10.1/16 and 10.2/16]
How can Homer use Simpscom's network for that?

Your solution
1. Run RIP in A and B
2. Rent a leased line from Simpscom
3. Configure a tunnel between A and B
4. Use modems between A and B
5. It is impossible because 10/8 is for private networks only
6. I don't know
[Clicker results chart: 85%, 0%, 11%, 0%, 4%, 0%]

Homer uses an IP over IP Tunnel
[Figure: host X (10.1.1.1) and host S (10.2.2.2)]
- Homer configures a virtual interface in A (eth ); associates this interface with an IP in IP tunnel, with endpoint 2.2.2.2
- Similar stuff in B
- Homer has a network with 2 routers and one virtual physical link; Homer configures routing tables at A and B (or runs RIP)
- Packets from S to X are carried inside IP packets across Simpscom

S sends a UDP packet to X. What are the IP destination address and protocol at O?
[Figure: observation point O]
1. IP dest addr = 1.1.1.1, protocol = 17 (UDP)
2. IP dest addr = 10.1.1.1, protocol = 17 (UDP)
3. None of the above
4. I don't know
[Clicker results chart: 75%, 14%, 11%, 0%]

Solution
S sends a UDP packet to X. What are the IP destination address and protocol at O?
1. The IP destination address is the tunnel endpoint 1.1.1.1
2. The protocol is not UDP but 04 (IPv4)

Homer's IP in IP solution is often replaced by IP in UDP
- Some company firewalls kill IP in IP packets
- Therefore the tunnel is inside UDP
- This requires a layer 2 header as well (to identify the protocol type), called L2TP / PPP
Outer packet: | To 1.1.1.1, prot = UDP | UDP hdr | L2TP/PPP, prot = IPv4 | inner packet |
Inner packet: | To 10.1.1.1, prot = UDP | UDP hdr | data |

Bart does the same as Homer but wants a secure channel. He uses IPSEC.
«IPSEC / ESP tunnel mode» encrypts the inner IP packet
Outer packet: | To 1.1.1.1, prot = UDP | UDP hdr | L2TP/PPP, prot = 50 | IPSEC ESP hdr | xxxxxxxxxxx xxxxxxxxxxx (inner packet, encrypted) | IPSEC Trailer, Nxt Hdr = 04 |
This form of tunneling is called «L2TP/IPSEC VPN» (Virtual Private Network)
Variants (OpenVPN): IP in TLS over TCP; IP in TLS over UDP

How does a packet from B to A find its way?
[Figure labels: A, wireless LAN, VPN Router (IPSec server), EPFL, 128.178.83/24, R, 128.178.151/24, B, 192.168.1.33; packet drawn as IP hdr, IP, data]

Ethernet adapter Wireless Network Connection:
   Connection-specific DNS Suffix. :
   IP Address............ : 192.168.1.33
   Subnet Mask........... : 255.255.255.0
   Default Gateway......... : 192.168.1.1
Ethernet adapter Local Area Connection 2:
   Connection-specific DNS Suffix. : epfl.ch
   IP Address............ : 128.178.83.22
   Subnet Mask........... : 255.255.255.255
   Default Gateway......... : 0.0.0.0

1. VPN router does proxy ARP
2. R has a host route to A
3. Nothing special, the IGP takes care of it
4. I don't know
[Clicker results chart: 44%, 24%, 32%, 0%]

Solution
- A has two interfaces: one physical, with address 192.168.1.33, one virtual (tunnel) interface with address 128.178.83.99 (for example)
- A appears to be on 128.178.83/24
- VPN router does proxy ARP on behalf of A
- R does not need a host route (but VPN Router may need one)

2. 6 to 6 over 4
Reminder: interoperation scenarios v4 / v6
- IPv4 and IPv6 are incompatible
  - v4-only host cannot handle IPv6 packets
  - v6-only host cannot handle IPv4 packets
- What needs to be solved:
  - interworking: h6 to h4
  - like-to-like access: 6 to 6 over 4, 4 to 4 over 6
In this module we study like-to-like access

Like-to-like access scenarios
6 to 6 over 4 (The early adopter problem)
- e.g. Homer wants to use IPv6; ISP provides only IPv4 access
[Figure: IPv6 Island, IP4/6 Router A, IPv4 Internet, IP4/6 Router B, IPv6 internet]
4 to 4 over 6 (The legacy problem)
- e.g. Bart continues to use IPv4; ISP provides only IPv6 access
[Figure: IPv4 Island, IP4/6 Router A, IPv6 Internet, IP4/6 Router B, IPv4 internet]

Tunnels for 6 to 6 over 4
All like-to-like solutions use IP in IP tunnels
- protocol / next header = 04 means the payload is an IPv4 packet
- protocol / next header = 41 means the payload is an IPv6 packet
[Figure: IPv6 Island, IP4/6 Router A, IPv4 Internet, IP4/6 Router B, IPv6 internet; labels 2001:bebe:1 and 1.2.3.4. Packets shown:
  in the IPv6 island:   | IPv6 Header, da = 2001:bebe:1 | Payload |
  in the IPv4 Internet: | IPv4 Header, da = 1.2.3.4, protocol = 41 | IPv6 Header, da = 2001:bebe:1 | Payload |
  in the IPv6 internet: | IPv6 Header, da = 2001:bebe:1 | Payload |]
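The protocol numbers above (04 for Homer's IPv4 in IPv4 tunnel, 41 for IPv6 in IPv4) are what a filter or capture tool must follow to reach the inner header. The following is an added example, not part of the original slides: it builds two constructed packets and walks them from the outer header inwards. The ports, the payload, the outer source 192.0.2.1 and the inner source 2001:db8::1 are assumptions; the IPv6 destination is written 2001:bebe::1 as on the later slides.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4    # payload is an IPv4 packet
IPPROTO_UDP = 17
IPPROTO_IPV6 = 41   # payload is an IPv6 packet
MAX_DEPTH = 8       # give up on absurdly deep nesting


def ipv4_header(src, dst, proto, payload_len):
    """20-byte IPv4 header, no options, checksum left at 0 (constructed)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def ipv6_header(src, dst, next_header, payload_len):
    """40-byte IPv6 header (constructed)."""
    return struct.pack(
        "!IHBB16s16s",
        6 << 28, payload_len, next_header, 64,
        ipaddress.IPv6Address(src).packed,
        ipaddress.IPv6Address(dst).packed,
    )


def udp_datagram(data):
    """UDP header with constructed ports and zero checksum, plus data."""
    return struct.pack("!HHHH", 40000, 5000, 8 + len(data), 0) + data


def walk_layers(packet):
    """Return [(ip_version, destination, protocol), ...], outermost first."""
    layers = []
    for _ in range(MAX_DEPTH):
        if not packet:
            break
        version = packet[0] >> 4
        if version == 4 and len(packet) >= 20:
            ihl = (packet[0] & 0x0F) * 4
            if ihl < 20 or ihl > len(packet):
                break                       # malformed header length
            proto = packet[9]
            dst = str(ipaddress.IPv4Address(packet[16:20]))
            payload = packet[ihl:]
        elif version == 6 and len(packet) >= 40:
            proto = packet[6]               # next header field
            dst = str(ipaddress.IPv6Address(packet[24:40]))
            payload = packet[40:]
        else:
            break                           # truncated or not IP
        layers.append((version, dst, proto))
        if proto not in (IPPROTO_IPIP, IPPROTO_IPV6):
            break                           # reached the transport layer
        packet = payload
    return layers


def constructed_samples():
    """Homer's IP in IP packet and a 6 to 6 over 4 packet."""
    udp = udp_datagram(b"hello")
    inner4 = ipv4_header("10.2.2.2", "10.1.1.1", IPPROTO_UDP, len(udp)) + udp
    homer = ipv4_header("2.2.2.2", "1.1.1.1", IPPROTO_IPIP, len(inner4)) + inner4
    inner6 = ipv6_header("2001:db8::1", "2001:bebe::1", IPPROTO_UDP, len(udp)) + udp
    six = ipv4_header("192.0.2.1", "1.2.3.4", IPPROTO_IPV6, len(inner6)) + inner6
    return homer, six


if __name__ == "__main__":
    for pkt in constructed_samples():
        print(walk_layers(pkt))
```

A filter that reads only the first tuple sees the tunnel endpoint and protocol 4 or 41; the 10.x or IPv6 destination only appears once the inner header is parsed.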

What needs to be put in place for a good 6 to 6 over 4 solution
- We need relay routers (e.g. A and B): these are routers that
  - are dual stack (IPv4 and IPv6)
  - can terminate IPv6 in IPv4 tunnels: encapsulate / decapsulate
  - know how to forward packets on their IPv4 and IPv6 sides
- We also need to solve the IPv6 address allocation problem
  - Homer does not receive an IPv6 address from his provider since Homer's IPv6 island is connected to an IPv4-only provider
- We need automatic tunnels
  - e.g. A does not need to keep state information to determine that a packet should be sent to B

6rd/6to4 is a solution to the 6 to 6 over 4 problem
Several solutions are proposed and implemented:
- 6rd / 6to4: we will see 6to4 in detail; this is the solution that works in IEW; 6rd is similar to 6to4
- Teredo: a variant when IPv6 host is behind an IPv4 NAT
- ISATAP: a variant for enterprise networks
Warning: "6 to 4" is a misnomer; 6to4 is a solution for 6 to 6 over 4, not for h6 to h4 interworking

6to4 Uses Special IPv6 Addresses called 6to4 addresses
- To any valid IPv4 address n we associate the IPv6 prefix 2002:n/48
  - example: the 6to4 address prefix that corresponds to 128.178.156.38 is 2002:80b2:9c26/48
- 2002::/16 is the prefix reserved for 6to4 addresses
  - An IPv6 address that starts with 2002: is called a 6to4 address
  - The bits 17 to 48 of a 6to4 address are the corresponding IPv4 address
- A 6to4 host or router is one that is dual stack and uses 6to4 as IPv6 address
  - As we do in the IEW
- In addition, the IPv4 address 192.88.99.1 is reserved for use in the context of 6to4 addresses and means the IPv6 internet seen from the IPv4 internet

6to4 Addresses Solve Homer's IPv6 Address Allocation problem
- Homer enables 6to4 on his router A. Homer's router A uses a 6to4 address prefix derived from an IPv4 address given to you by your IPv4 provider and uses this prefix for the IPv6 Local Network. Homer's PC H2 obtains from A (e.g. using SLAAC) an IPv6 address with this prefix. This is the setting we use in the IEW.
- Bart has an isolated host H2 (e.g. smartphone) and enables 6to4 on his host. Bart's host uses one IPv6 address derived from his current IPv4 address.
[Figure: 6to4 topology. IPv6 host H1 (2002:0102:0304:0: :abcd:EUI H1) on the IPv6 Local Network; 6to4 router A (2002:0102:0304:0: :00ab:EUI S12 on the local network, IPv4 address 1.2.3.4); IPv4 Internet; 6to4 host H2 (9.8.7.6, 2002:0908:0706::EUI H2); 6to4 relay router B (192.88.99.1); IPv6 Internet; IPv6 host H3 (2001:bebe::1). Observation points are numbered 11, 12, 1, 2, 3, 4, 5.]

6to4 Relay Routers
- 6to4 Relay Router = a dual stack router that has a 6to4 address, can terminate routers and connects the IPv4 and IPv6 internets
- All v4 interfaces of all 6to4 relay routers have an IPv4 address plus the special address 192.88.99.1
- B announces 192.88.99/24 as directly attached prefix in IPv4 routing
- B announces 2002/16 as directly attached prefix in IPv6 routing

Homer at H1 sends a packet to Lisa at H3
[Figure: 6to4 topology: H1, 6to4 router A (1.2.3.4), 6to4 host H2 (9.8.7.6), 6to4 relay router B (192.88.99.1), IPv6 host H3 (2001:bebe::1); observation points 11, 12, 1 to 5]
- Destination 2001:bebe::1 is not on link, so H1 sends to A
- Default IPv6 route inside local IPv6 network is the IPv6 local address of A (point 12)
- A's default IPv6 route is 2002:c058:6301::0, which is a 6to4 address corresponding to 192.88.99.1
- A encapsulates the IPv6 packet in an IPv4 packet with destination address 192.88.99.1
- The nearest 6to4 relay router receives the packet (assume it is B)
- B decapsulates packet and sends an IPv6 packet; normal IPv6 forwarding occurs and original IPv6 packet reaches H3

Which is the IPv6 source address at 3 in the encapsulated packet going from H1 to H3?
1. 1.2.3.4
2. 2002:0102:0304:00ab:EUI S12
3. 2002:0102:0304:abcd:EUI H1
4. None of the above
5. I don't know
[Clicker results chart: 32%, 51%, 11%, 4%, 2%]

Lisa at H3 sends a packet to Homer at H1
How is this packet routed in the IPv6 internet?
1. H3 keeps in its routing table the information that Homer's destination address is reached via B and sends the IPv6 packet to B
2. routers in the IPv6 internet send all packets to 2002/16 to the nearest 6to4 relay router
3. routers in the IPv6 internet know that the IPv4 destination address is 1.2.3.4 and compute the best path to A
4. I don't know
[Clicker results chart: 53%, 23%, 23%, 0%]

Solution
[Figure: 6to4 topology: H1, 6to4 router A (1.2.3.4), 6to4 host H2 (9.8.7.6), 6to4 relay router B (192.88.99.1), IPv6 host H3 (2001:bebe::1); observation points 11, 12, 1 to 5]
- All 6to4 relay routers announce 2002/16 in IPv6 routing protocols. Inside the IPv6 internet, the packet will be sent to the nearest 6to4 relay router. This may or may not be B.
- Similarly, all 6to4 relay routers announce 192.88.99/24 in IPv4 routing protocols. In the direction H1 to H3, inside the IPv4 Internet, the encapsulated packet is sent to the nearest 6to4 relay router.
- 192.88.99.1 is sometimes called an anycast address: it can be held by several interfaces but packets are sent to only one of these.

What is Bart's IPv6 default gateway at H2?
[Figure: 6to4 topology: H1, 6to4 router A (1.2.3.4), 6to4 host H2 (9.8.7.6), 6to4 relay router B (192.88.99.1), IPv6 host H3 (2001:bebe::1); observation points 11, 12, 1 to 5]
1. An address configured by DHCP
2. An address configured by SLAAC
3. A 6to4 address derived from 192.88.99.1
4. I don't know
[Clicker results chart: 23%, 20%, 52%, 5%]

Solution
[Figure: 6to4 topology: H1, 6to4 router A (1.2.3.4), 6to4 host H2 (9.8.7.6), 6to4 relay router B (192.88.99.1), IPv6 host H3 (2001:bebe::1); observation points 11, 12, 1 to 5]
A typical (Windows) IPv6 configuration for H2 when using 6to4:
   Default Gateway......... : 2002:c058:6301::c058:6301
(c058:6301 is hexa for 192.88.99.1)

Which way does a packet go from Bart's host to Homer's?
[Figure: 6to4 topology: H1, 6to4 router A (1.2.3.4), 6to4 host H2 (9.8.7.6), 6to4 relay router B (192.88.99.1), IPv6 host H3 (2001:bebe::1); observation points 11, 12, 1 to 5]

IPv6 forwarding table at H2
dest       next-hop                     interface
2002/16    onlink                       eth12
0/0        2002:c058:6301::c058:6301    eth12

1. via B and back
2. directly over IPv4 to A then H1
3. H1 cannot be reached from H2
4. I don't know
[Clicker results chart: 40%, 28%, 26%, 7%]

Solution
- H2 is a 6to4 host, its forwarding table treats all 6to4 destinations as onlink (from an IPv6 viewpoint)
- H2 sends IPv6 packet directly to its tunnel interface eth12
- IPv6 packet is encapsulated in IPv4 with destination address = 1.2.3.4 (derived from destination IPv6 address)
- IPv4 packet reaches A by normal IPv4 routing
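The 6to4 address rule (2002:n/48, bits 17 to 48) and H2's forwarding decision can be checked mechanically. The following is an added example, not part of the original slides: it derives the prefix for an IPv4 address, extracts the embedded IPv4 address, and applies H2's two-entry forwarding table to pick the outer IPv4 destination. The interface identifier ::1 used for H1 in the sample call is an assumption.

```python
import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")

# H2's IPv6 forwarding table from the slide: (destination, next hop).
# A next hop of None means "onlink" on the tunnel interface.
H2_TABLE = [
    (ipaddress.IPv6Network("2002::/16"), None),
    (ipaddress.IPv6Network("::/0"),
     ipaddress.IPv6Address("2002:c058:6301::c058:6301")),
]


def prefix_for(ipv4):
    """6to4 prefix 2002:n/48 associated with the IPv4 address n."""
    n = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (n << 80), 48))


def embedded_ipv4(ipv6):
    """Bits 17 to 48 of a 6to4 address; None if the address is not 6to4."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIXTOFOUR:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def outer_ipv4_destination(dst_ipv6, table=H2_TABLE):
    """IPv4 destination of the encapsulating packet for an IPv6 destination.

    Longest-prefix match on the IPv6 table, then the IPv4 address is read
    out of the next hop (or out of the destination itself when onlink).
    """
    dst = ipaddress.IPv6Address(dst_ipv6)
    matches = [(net, nh) for net, nh in table if dst in net]
    if not matches:
        raise LookupError("no route to %s" % dst)
    _, next_hop = max(matches, key=lambda m: m[0].prefixlen)
    target = dst if next_hop is None else next_hop
    v4 = embedded_ipv4(target)
    if v4 is None:
        raise ValueError("next hop %s is not a 6to4 address" % target)
    return v4


if __name__ == "__main__":
    print(prefix_for("128.178.156.38"))                      # slide example
    print(outer_ipv4_destination("2002:0102:0304:abcd::1"))  # H2 to H1
    print(outer_ipv4_destination("2001:bebe::1"))            # H2 to H3
```

No per-destination state is consulted: a 6to4 destination yields its own tunnel endpoint, and everything else goes to the relay address embedded in the default gateway.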

My Windows PC at EPFL

Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix. : epfl.ch
   IPv4 Address........... : 128.178.151.202
   Subnet Mask........... : 255.255.255.0
   Default Gateway......... : 128.178.151.1
Tunnel adapter Local Area Connection* 15:
   Connection-specific DNS Suffix. : epfl.ch
   IPv6 Address........... : 2002:80b2:97ca::80b2:97ca
   Default Gateway......... : 2002:c058:6301::c058:6301

The nearest 6to4 relay from EPFL

C:\> tracert 192.88.99.1
Tracing route to 192.88.99.1 over a maximum of 30 hops
  1   <1 ms   <1 ms   <1 ms  cv-ic-dit-v151.epfl.ch [128.178.151.251]
  2   <1 ms   <1 ms   <1 ms  c6-gigado-1-v100.epfl.ch [128.178.100.18]
  3   <1 ms   <1 ms   <1 ms  c6-ext-v200.epfl.ch [128.178.200.1]
  4    1 ms   <1 ms   <1 ms  swiel2.epfl.ch [192.33.209.33]
  5   <1 ms   <1 ms   <1 ms  swils2-10ge-1-2.switch.ch [130.59.36.69]
  6    2 ms    2 ms    2 ms  swibe1-10ge-1-1.switch.ch [130.59.37.130]
  7    2 ms    2 ms    2 ms  swibe2-10ge-1-4.switch.ch [130.59.36.198]
  8    2 ms    2 ms    2 ms  192.88.99.1

The nearest 6to4 relay from my home

C:\> tracert 192.88.99.1
Tracing route to 192.88.99.1 over a maximum of 30 hops
  1    1 ms    2 ms    2 ms  192.168.1.1
  2  136 ms  136 ms  136 ms  lau01a05.sunrise.ch [212.161.178.79]
  3  128 ms  135 ms  136 ms  194.230.94.17
  4    *       *       *     Request timed out.
  5   71 ms  186 ms  333 ms  212.161.251.178
  6  156 ms  164 ms  164 ms  212.161.251.182
  7  228 ms  203 ms  169 ms  zr-fra1-te0-0-0-3.x-win.dfn.de [80.81.192.222]
  8  158 ms  163 ms  162 ms  zr-erl1-te0-0-0-4.x-win.dfn.de [188.1.145.197]
  9  159 ms  162 ms  162 ms  192.88.99.1
Trace complete.

6rd IEW
- The prefixes 192.88.99/24 and 2002/16 are provider independent: Homer connects to the nearest 6to4 relay router
- Some ISPs don't like that and want more control: they want their relay routers to be used by their customers only and they want their customers to use only their relay routers.
- 6rd is a modification and replacement of 6to4 where
  - 6rd addresses are not in 2002/16 but in a block allocated to the ISP
  - Relay router's IPv4 addresses are specified by ISP
- 6rd is deployed by Free (FR); 6to4 is deployed by Switch (CH)

Teredo
- 6to4 / 6rd require a valid IPv4 address and do not work behind a NAT unless NAT is modified
  - OK for ISPs who control the NAT (e.g. Swisscom)
- Teredo is a variant of 6to4 invented (by Microsoft) to solve the NAT case without altering the NAT
- Uses:
  - address block 2001:0/32
  - Tunnels (IPv6 in UDP in IPv4) (UDP is used to be compatible with existing NAT and firewall filtering rules)
  - relay routers (called «teredo relays»)
  - teredo servers: for solving the NAT mapping problem

My Windows PC at home has access to IPv6 over IPv4 by means of Teredo

Tunnel adapter Local Area Connection* 11:
   Connection-specific DNS Suffix. :
   IPv6 Address........... : 2001:0:5ef5:79fd:2c63:b421:ab1c:1f40
   Link-local IPv6 Address..... : fe80::2c63:b421:ab1c:1f40%12
   Default Gateway......... : ::

C:\Users\leboudec>tracert 2001:620:618:19c:1:80b2:9c18:1
Tracing route to lca1srv2.epfl.ch [2001:620:618:19c:1:80b2:9c18:1] over a maximum of 30 hops:
  1    *       *     135 ms  teredo-relay2.lrz.de [2001:4ca0:0:103:0:3544:1:2]
  2  134 ms  136 ms  137 ms  vl-6.vss1-2wr.lrz.de [2001:4ca0:0:103::1:1]
  3  149 ms  136 ms  136 ms  vl-3066.csr1-2wr.lrz.de [2001:4ca0:0:66::1]
  4  155 ms  139 ms  137 ms  xr-gar1-pc110-108.x-win.dfn.de [2001:638:c:a003::1]
  5  143 ms  163 ms  164 ms  zr-fra1-te0-6-0-7.x-win.dfn.de [2001:638:c:c070::1]
  6  147 ms  163 ms  163 ms  dfn.rt1.fra.de.geant2.net [2001:798:14:10aa::1]
  7  159 ms  162 ms  163 ms  so-5-0-0.rt1.gen.ch.geant2.net [2001:798:cc:1401:2201::a]
  8  213 ms  203 ms  152 ms  switch-lb2-gw.rt1.gen.ch.geant2.net [2001:798:12:10aa::a]
  9  152 ms  163 ms  163 ms  swiel2-10ge-1-3.switch.ch [2001:620:0:c06a::2]
 10    *       *       *     Request timed out.
 11  152 ms  164 ms  165 ms  cv-gigado-v200.epfl.ch [2001:620:618:1c8:1:80b2:c803:1]
 12  165 ms  164 ms  163 ms  cv-ic-dit-v100-ro.epfl.ch [2001:620:618:164:1:80b2:640c:1]
 13  151 ms  163 ms  164 ms  lca1srv2.epfl.ch [2001:620:618:19c:1:80b2:9c18:1]
Trace complete.

Summary: 6 to 6 over 4
- 6 to 6 over 4 solves the early adopter problem
- main solution is 6rd/6to4, with IPv6 in IPv4 tunnels
- a portion of IPv6 address space is used to contain 6rd/6to4 addresses; the prefix in such addresses embeds a valid IPv4 address
- tunnels are automatic thanks to the presence of the IPv4 address embedded in the IPv6 prefix
- relay routers terminate tunnels and announce appropriate address blocks in IPv4 and IPv6; relay routers are stateless
- Teredo is a variant that supports hosts behind IPv4 NATs without configuration of the NAT

3. 4 to 4 over 6
The Legacy Problem
[Figure: IPv4 Island, IP4/6 Router A, IPv6 Internet, IP4/6 Router B, IPv4 internet]
- Problem is similar to 6 to 6 over 4 but there are two main differences
  - impossible to embed IPv6 addresses in IPv4 addresses
  - IPv4 addresses may not be available
- Many solutions are proposed or even deployed; DS-Lite is the simplest
- MAP-E is an improvement on DS-Lite

DS-Lite tunnels all IPv4 traffic to a Carrier Grade NAT
[Figure: IPv4 host H1 (10.22.32.44) on the IPv4 Local Network; DS-lite box A (10.11.12.13, 2001:baba:bebe::23); IPv6 Internet; Carrier Grade NAT B (2001:baba:be00::77; 198.23.34.0 to 198.23.34.255); IPv4 Internet; IPv4 host H3 (200.23.24.25); observation points 11, 12, 1, 3, 4, 5]
- at H1, IPv4 destination is not onlink, packet sent to router A
- at A, destination matches only default route and IPv4 packet is sent into tunnel to B
- B decapsulates packet, translates IPv4 source address 10.23.32.44 and source port (e.g. 2345) to an IPv4 mapped address (e.g. 198.23.34.59) and to a possibly different port number (e.g. 5432)

Carrier Grade NAT is stateful
B needs to remember the (v4 address, port) mapping and the IPv6 source address of A. In the NAT table at B we see:

NAT Table at B
IPv6 DS-Lite box address   IPv4 address   port   IPv4 translated address   translated port
2001:baba:bebe::23         10.22.32.44    2345   198.23.34.59              5432

B does this for all customers and for every flow served by this provider. The NAT table may be very large. This is called a Carrier Grade NAT.
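Why the NAT table at B carries the IPv6 address of the DS-Lite box becomes visible when two customers use the same 10.x address and port. The following is an added example, not part of the original slides: a minimal stateful table keyed as on the slide. The sequential allocation policy, the first port 1024 and the second customer 2001:baba:bebe::24 are assumptions, so the translated values differ from the slide's 198.23.34.59 / 5432.

```python
import ipaddress


class CarrierGradeNAT:
    """Stateful NAT44 at B, keyed on (DS-Lite box IPv6, IPv4, port)."""

    def __init__(self, pool, first_port=1024, last_port=65535):
        self.pool = ipaddress.IPv4Network(pool)
        self.first_port = first_port
        self.ports_per_addr = last_port - first_port + 1
        self.out = {}    # (box IPv6, IPv4, port) -> (translated IPv4, port)
        self.back = {}   # (translated IPv4, port) -> (box IPv6, IPv4, port)

    def outbound(self, box_ipv6, src_ipv4, src_port):
        """Translate a flow leaving the tunnel; create state if it is new."""
        key = (ipaddress.IPv6Address(box_ipv6),
               ipaddress.IPv4Address(src_ipv4), src_port)
        if key not in self.out:
            k = len(self.out)   # entries never expire in this example
            if k >= self.pool.num_addresses * self.ports_per_addr:
                raise RuntimeError("address/port pool exhausted")
            public = (self.pool[k // self.ports_per_addr],
                      self.first_port + k % self.ports_per_addr)
            self.out[key] = public
            self.back[public] = key
        return self.out[key]

    def inbound(self, dst_ipv4, dst_port):
        """Return (box IPv6, IPv4, port) for a reply, or None if no state."""
        return self.back.get((ipaddress.IPv4Address(dst_ipv4), dst_port))


def demo():
    nat = CarrierGradeNAT("198.23.34.0/24")
    # Two customers reuse the same private address and port.
    first = nat.outbound("2001:baba:bebe::23", "10.22.32.44", 2345)
    second = nat.outbound("2001:baba:bebe::24", "10.22.32.44", 2345)
    return nat, first, second


if __name__ == "__main__":
    nat, first, second = demo()
    print(first, second)
    print(nat.inbound(*first))
```

The reverse lookup returns the IPv6 tunnel endpoint, which is the only thing that tells B into which tunnel a reply for 10.22.32.44 must go.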

H1 sends one packet to H3 and H3 responds. We observe the response at 5. Say what is true.
[Figure: IPv4 host H1 (10.22.32.44); DS-lite box A (10.11.12.13, 2001:baba:bebe::23); IPv6 Internet; Carrier Grade NAT B (2001:baba:be00::77; 198.23.34.0 to 198.23.34.255); IPv4 Internet; IPv4 host H3 (200.23.24.25); observation points 11, 12, 1, 3, 4, 5]
1. The IPv4 destination address in the packet is 10.22.32.44
2. The IPv4 destination address in the packet is 198.23.34.59
3. The IPv6 destination address in the packet is 2001:baba:bebe::23
4. 1 and 3
5. 2 and 3
6. I don't know
[Clicker results chart: 48%, 23%, 15%, 10%, 5%, 0%]

Solution
[Figure: IPv4 host H1 (10.22.32.44); DS-lite box A (10.11.12.13, 2001:baba:bebe::23); IPv6 Internet; Carrier Grade NAT B (2001:baba:be00::77; 198.23.34.0 to 198.23.34.255); IPv4 Internet; IPv4 host H3 (200.23.24.25); observation points 11, 12, 1, 3, 4, 5]
- There is no IPv6 packet at 5, answer 3 is false
- The IPv4 destination address is the translated IPv4 address, i.e. answer 2 is right and answer 1 is false.

MAP-E (Mapping Address + Port, Encapsulation)
[Figure: IPv4 host H1 (10.22.32.44) on the IPv4 Local Network; MAP box A (10.11.12.13, 2001:baba:bebe:0706::0102:0300:0006); IPv6 Internet; MAP Border Relay B (2001:baba:be00:abcd:77; 1.2.3.0 to 1.2.3.255); IPv4 Internet; IPv4 host H3 (200.23.24.25); observation points 11, 12, 1, 3, 4, 5]
- Problem with DS-Lite is the Carrier Grade NAT for very large ISPs
- MAP-E solves the problem by putting address translation in the local network (in MAP box A) instead of the CGN
- translated port number and IPv4 address are mapped to a part of the IPv6 address

With MAP-E, translated IPv4 address and port are embedded in IPv6 prefix
- MAP box A owns the IPv6 address prefix 2001:baba:bebe:0706
- 0706 are called the EA bits of the MAP IPv6 address
- A MAP rule at A specifies which bits are the EA bits; further, the MAP rule is used as follows
  - 07 determines the available bits in the translated IPv4 address, e.g. 1.2.3.7
  - 06 specifies that the value of the bits 5 to 12 of the translated port numbers must be (hexa) 06; for example the port ae1f can be mapped to b06a
- The complete IPv6 address of MAP box A is algorithmically derived from the MAP rule, e.g. here 2001:baba:bebe:0706::0102:0300:0006

Homer at H1 sends one packet to Lisa at H3

NAT Table at A
IPv4 address   port (hexa)   IPv4 translated addr.   translated port
10.22.32.44    ae1f          1.2.3.07                b06a

- at H1, IPv4 destination is not onlink, packet sent to router A
- A performs NAT44 and translates IPv4 addresses and port; translated IPv4 packet is sent into tunnel to B
- B decapsulates packet and sends over the Internet v4

H1 sends one packet to H3 and H3 responds. We observe the response at 3. Say what is true.
1. The IPv6 destination address is determined algorithmically from the destination IPv4 address and port number seen at point 4
2. The IPv4 destination address and port number are the same as at point 4
3. 1 and 2
4. None
5. I don't know
[Clicker results chart: 0%, 0%, 0%, 0%, 0%]

Solution

IPv4 address   port (hexa)   IPv4 translated addr.   translated port
10.22.32.44    ae1f          1.2.3.07                b06a

- Both are true, i.e. the Border Relay B maps IPv4 translated address and port to the IPv6 address of point 1
- Border Relay B needs only static configuration (which bits are mapped), i.e. B is stateless
- In contrast, A needs to remember the per flow information and is stateful
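The split between the stateful MAP box and the stateless Border Relay can be reproduced with the slides' own numbers. The following is an added example, not part of the original slides: the bit layout (8 address bits and 8 port-set bits in the EA field, interface identifier built from 1.2.3.0 and the port-set value) is read off the worked address 2001:baba:bebe:0706::0102:0300:0006, and skipping ports below 0x1000 is an assumption of this example.

```python
import ipaddress

# MAP rule, as implied by the slide's example values.
RULE_IPV6_PREFIX = ipaddress.IPv6Network("2001:baba:bebe::/48")
RULE_IPV4_PREFIX = ipaddress.IPv4Network("1.2.3.0/24")
PORT_SET_SHIFT = 4      # bits 5 to 12 of the port, counted from the MSB
PORT_SET_MASK = 0xFF


def port_set_id(port):
    """Value of bits 5 to 12 of a 16-bit port number."""
    return (port >> PORT_SET_SHIFT) & PORT_SET_MASK


def allowed_ports(psid):
    """Ports a MAP box with this port-set value may use (top nibble > 0)."""
    return [(hi << 12) | (psid << 4) | lo
            for hi in range(1, 16) for lo in range(16)]


def map_box_address(ipv4, port):
    """Border Relay side: IPv6 address of the MAP box, computed without state."""
    addr = ipaddress.IPv4Address(ipv4)
    if addr not in RULE_IPV4_PREFIX:
        raise ValueError("%s is not covered by the MAP rule" % addr)
    base_v4 = int(RULE_IPV4_PREFIX.network_address)
    psid = port_set_id(port)
    ea_bits = ((int(addr) - base_v4) << 8) | psid      # e.g. 0x0706
    interface_id = (base_v4 << 16) | psid              # ::0102:0300:0006
    value = int(RULE_IPV6_PREFIX.network_address) | (ea_bits << 64) | interface_id
    return ipaddress.IPv6Address(value)


class MapBoxNAT:
    """MAP box side: stateful NAT44 restricted to the box's own port set."""

    def __init__(self, public_ipv4, psid):
        self.public = ipaddress.IPv4Address(public_ipv4)
        self.free = allowed_ports(psid)
        self.table = {}   # (private IPv4, port) -> (translated IPv4, port)

    def outbound(self, src_ipv4, src_port):
        key = (ipaddress.IPv4Address(src_ipv4), src_port)
        if key not in self.table:
            if not self.free:
                raise RuntimeError("port set exhausted")
            self.table[key] = (self.public, self.free.pop(0))
        return self.table[key]


if __name__ == "__main__":
    box = MapBoxNAT("1.2.3.7", 0x06)
    translated = box.outbound("10.22.32.44", 0xAE1F)
    print(translated, map_box_address(*translated))
    print(map_box_address("1.2.3.7", 0xB06A))   # the slide's translated port
```

Every port the MAP box can hand out maps back to the same IPv6 address, which is why the Border Relay needs the rule but no per-flow table.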

Summary: 4 to 4 over 6
- 4 to 4 over 6 (the legacy problem) is solved by NAT and IPv4 in IPv6 tunnels
- DS-Lite is simple but requires NAT44 function in the relay router. Works only for small ISPs
- MAP-E is a variant which distributes the NAT44 function close to the IPv4 customer, i.e. is more scalable

4. Transition to IPv6
We have seen 4 different families of mechanisms for the interoperation of IPv4 and IPv6
- Interworking
  - ALG64 (application layer)
  - NAT64 (protocol translation)
- Like-to-like
  - 6rd or 6to4 (6 to 6 over 4)
  - DS-Lite or MAP-E (4 to 4 over 6)
The multiplicity of solutions is a symptom that the transition to IPv6 has not yet really started
Let us try to imagine which mechanisms can be used

You are network manager at EPFL and want to upgrade to IPv6. Which elements do you deploy?
1. ALG64
2. NAT64
3. 6rd
4. MAP-E
5. I don't know
[Clicker results chart: 0%, 0%, 0%, 0%, 0%]

Solution
- Since EPFL has enough IPv4 addresses and receives both IPv4 and IPv6 service from their ISP, we don't need to deploy like-to-like solutions
- We may want to migrate all services (such as web, git, infoscience) to IPv6, natively, or by means of ALG64, so that all EPFL services are available on both IPv4 and IPv6

You are network manager at simpscom and want to save money by deploying only IPv6 in your cellular network. Which elements do you deploy?
1. ALG64
2. NAT64
3. 6rd
4. MAP-E
5. I don't know
[Clicker results chart: 0%, 0%, 0%, 0%, 0%]

Solution
- Your customers probably want to access some IPv4-only services; you can deploy DS-Lite or MAP-E at your base stations.
- You can also deploy some ALG64 solutions for important but low volume services such as the control of voice over IP

You work from home and have only IPv4 access; you need to upload a proposal to NSF. NSF accepts only IPv6. What do you need to enable on your PC?
1. 6to4
2. Teredo
3. ALG64
4. NAT64
5. I don't know
[Clicker results chart: 0%, 0%, 0%, 0%, 0%]

Solution
You are probably behind a NAT and have only IPv4 in your LAN. Enable IPv6 on your PC and run Teredo.

Conclusion
- Tunnels are an ad hoc solution used in many cases
  - secure access over an insecure network, VPN
  - like-to-like access for IPv6/IPv4 issues
- Transition to IPv6 creates several types of problems (early adopter, legacy) that can be solved with various methods involving automatic tunnels