Tunnels. Jean Yves Le Boudec 2015


1. Tunnels
Definition: a tunnel, also called encapsulation, occurs whenever a communication layer carries packets of a layer that is not the one above, e.g.:
  IP packet in UDP
  IP in TCP
  PPP (layer 2) packet in UDP
  IPv4 in IPv6
  IPv6 in IPv4
Why used?
  In theory: never
  In practice: security / private networks / IPv6 IPv4 interworking

Homer's Network
Homer deploys 10.x addresses in two sites and wants to interconnect them as one (closed) private network
[Figure: site 10.1/16 with router A (1.1.1.1) and site 10.2/16 with router B (2.2.2.2), both attached to Simpscom]
How can Homer use Simpscom's network for that?

Your solution
1. Run RIP in A and B
2. Rent a leased line from Simpscom
3. Configure a tunnel between A and B
4. Use modems between A and B
5. It is impossible because 10/8 is for private networks only
6. I don't know

Homer uses an IP over IP Tunnel
[Figure: hosts X (10.1.1.1) and S (10.2.2.2)]
Homer configures a virtual interface in A (eth ); associates this interface with an IP in IP tunnel, with endpoint 2.2.2.2
Similar stuff in B
Homer has a network with 2 routers and one virtual physical link; Homer configures routing tables at A and B (or runs RIP)
Packets from S to X are carried inside IP packets across Simpscom

S sends a UDP packet to X. What are the IP destination address and protocol at O?
[Figure: observation point O]
1. IP dest addr = 1.1.1.1, protocol = 17 (UDP)
2. IP dest addr = 10.1.1.1, protocol = 17 (UDP)
3. None of the above
4. I don't know

Homer's IP in IP solution is often replaced by IP in UDP
Some company firewalls kill IP in IP packets
Therefore the tunnel is inside UDP
This requires a layer 2 header as well (to identify the protocol type) called L2TP / PPP
Outer packet: To 1.1.1.1, prot = UDP | UDP hdr | L2TP/PPP, prot = IPv4
Inner packet: To 10.1.1.1, prot = UDP | UDP hdr | data

Bart does the same as Homer but wants a secure channel. He uses IPSEC.
«IPSEC / ESP tunnel mode» encrypts the inner IP packet
Outer packet: To 1.1.1.1, prot = UDP | UDP hdr | L2TP/PPP, prot = 50 | IPSEC ESP hdr | xxxxxxxxxxx xxxxxxxxxxx (inner packet, encrypted) | IPSEC Trailer, Nxt Hdr = 04
This form of tunneling is called «L2TP/IPSEC VPN» (Virtual Private Network)
Variants (OpenVPN): IP in TLS over TCP; IP in TLS over UDP

How does a packet from B to A find its way?
[Figure: A, wireless LAN, VPN Router (IPSec server), EPFL, 128.178.83/24, R, 128.178.151/24, B, 192.168.1.33; encapsulated packet shown as IP hdr | IP | data]

Ethernet adapter Wireless Network Connection:
   Connection-specific DNS Suffix. :
   IP Address............ : 192.168.1.33
   Subnet Mask........... : 255.255.255.0
   Default Gateway......... : 192.168.1.1

Ethernet adapter Local Area Connection 2:
   Connection-specific DNS Suffix. : epfl.ch
   IP Address............ : 128.178.83.22
   Subnet Mask........... : 255.255.255.255
   Default Gateway......... : 0.0.0.0

1. VPN router does proxy ARP
2. R has a host route to A
3. Nothing special, the IGP takes care of it
4. I don't know

2. 6 to 6 over 4
Reminder: interoperation scenarios
IPv4 and IPv6 are incompatible
  v4-only host cannot handle IPv6 packets
  v6-only host cannot handle IPv4 packets
What needs to be solved:
  interworking: h6 to h4
  like-to-like access: 6 to 6 over 4, 4 to 4 over 6
In this module we study like-to-like access

Like-to-like access scenarios
6 to 6 over 4 (the early adopter problem), e.g. Homer wants to use IPv6; ISP provides only IPv4 access
[Figure: IPv6 island, IP4/6 router A, IPv4, IP4/6 router B, IPv6 internet]
4 to 4 over 6 (the legacy problem), e.g. Bart continues to use IPv4; ISP provides only IPv6 access
[Figure: IPv4 island, IP4/6 router A, IPv6, IP4/6 router B, IPv4 internet]

Tunnels for 6 to 6 over 4
All like-to-like solutions use IP in IP tunnels
  protocol / next header = 04 means the payload is an IPv4 packet
  protocol / next header = 41 means the payload is an IPv6 packet
[Figure: IPv6 island, IP4/6 routers A and B, IPv4 network, tunnel endpoint 1.2.3.4, IPv6 internet, destination 2001:bebe:1. Inside the IPv4 network the packet is IPv4 Header (da = 1.2.3.4, protocol = 41) | IPv6 Header (da = 2001:bebe:1) | Payload; elsewhere it is IPv6 Header (da = 2001:bebe:1) | Payload]

What needs to be put in place for a good 6 to 6 over 4 solution
We need relay routers (e.g. A and B): these are routers that
  are dual stack (IPv4 and IPv6)
  can terminate IPv6 in IPv4 tunnels: encapsulate / decapsulate
  know how to forward packets on their IPv4 and IPv6 sides
We also need to solve the IPv6 address allocation problem
  Homer does not receive an IPv6 address from his provider since Homer's IPv6 island is connected to an IPv4-only provider
We need automatic tunnels
  e.g. A does not need to keep state information to determine that a packet should be sent to B

6rd/6to4 is a solution to the 6 to 6 over 4 problem
Several solutions are proposed and implemented
  6rd/6to4: we will see 6to4 in detail; this is the solution that works in IEW; 6rd is similar to 6to4
  Teredo: a variant when IPv6 host is behind an IPv4 NAT
  ISATAP: a variant for enterprise networks
Warning: 6to4 is a misnomer; 6to4 is a solution for 6 to 6 over 4, not for h6 to h4 interworking

6to4 Uses Special IPv6 Addresses called 6to4 addresses
To any valid IPv4 address n we associate the IPv6 prefix 2002:n/48
  example: the 6to4 address prefix that corresponds to 128.178.156.38 is 2002:80b2:9c26/48
2002::/16 is the prefix reserved for 6to4 addresses
An IPv6 address that starts with 2002: is called a 6to4 address
The bits 17 to 48 of a 6to4 address are the corresponding IPv4 address
A 6to4 host or router is one that is dual stack and uses 6to4 as IPv6 address (as we do in the IEW)
In addition, the IPv4 address 192.88.99.1 is reserved for use in the context of 6to4 addresses and means the IPv6 internet seen from the IPv4 internet

6to4 Addresses Solve Homer's IPv6 Address Allocation problem
Homer enables 6to4 on his router A. Homer's router A uses a 6to4 address prefix derived from an IPv4 address given to him by his IPv4 provider and uses this prefix for the IPv6 Local Network. Homer's PC H2 obtains from A (e.g. using SLAAC) an IPv6 address with this prefix. This is the setting we use in the IEW.
Bart has an isolated host H2 (e.g. smartphone) and enables 6to4 on his host. Bart's host uses one IPv6 address derived from his current IPv4 address.
[Figure: 6to4 topology. IPv6 host H1 (2002:0102:0304:abcd:EUI H1) on the IPv6 Local Network; 6to4 router A (2002:0102:0304:00ab:EUI S12, IPv4 1.2.3.4); IPv4 internet; 6to4 host H2 (IPv4 9.8.7.6, 2002:0908:0706::EUI H2); 6to4 relay router B (192.88.99.1); IPv6 internet; IPv6 host H3 (2001:bebe::1); observation points 11, 12, 1, 2, 3, 4, 5]

6to4 Relay Routers
6to4 Relay Router = a dual-stack router that has a 6to4 address, can terminate tunnels and connects the IPv4 and IPv6 internets
All v4 interfaces of all 6to4 relay routers have an IPv4 address plus the special address 192.88.99.1
B announces 192.88.99/24 as directly attached prefix in IPv4 routing
B announces 2002/16 as directly attached prefix in IPv6 routing
[Figure: 6to4 topology with H1, 6to4 router A (1.2.3.4), 6to4 host H2 (9.8.7.6), 6to4 relay router B (192.88.99.1), IPv6 host H3 (2001:bebe::1); observation points 11, 12, 1, 2, 3, 4, 5]

Homer at H1 sends a packet to Lisa at H3
[Figure: 6to4 topology with H1, 6to4 router A (1.2.3.4), 6to4 host H2 (9.8.7.6), 6to4 relay router B (192.88.99.1), IPv6 host H3 (2001:bebe::1); observation points 11, 12, 1, 2, 3, 4, 5]
Destination 2001:bebe::1 is not on link, H1 sends to A
Default IPv6 route inside local IPv6 network is the IPv6 local address of A (point 12)
A's default IPv6 route is 2002:c058:6301::0, which is a 6to4 address corresponding to 192.88.99.1
A encapsulates the IPv6 packet in an IPv4 packet with destination address 192.88.99.1
The nearest 6to4 relay router receives the packet (assume it is B)
B decapsulates packet and sends an IPv6 packet; normal IPv6 forwarding occurs and original IPv6 packet reaches H3
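The 6to4 address rule and the stateless choice of tunnel endpoint described on the slides above, written out as an added Python example (not part of the original slides). The interface identifiers `::1`, the empty IPv6 payload, and the `source_consistent` check (a common anti-spoofing test at the decapsulating router, not mentioned on the slides) are assumptions of this example.

```python
import ipaddress
import struct

SIXTOFOUR = ipaddress.ip_network("2002::/16")          # prefix reserved for 6to4
RELAY_ANYCAST = ipaddress.ip_address("192.88.99.1")    # IPv6 internet seen from IPv4
PROTO_IPV6 = 41                                        # payload is an IPv6 packet


def sixtofour_prefix(ipv4):
    """Return the 2002:n::/48 prefix associated with IPv4 address n."""
    n = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (n << 80), 48))


def embedded_ipv4(ipv6):
    """Bits 17 to 48 of a 6to4 address, or None if the address is not 6to4."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIXTOFOUR:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def tunnel_endpoint(ipv6_dst):
    """IPv4 destination a 6to4 router picks without keeping any state."""
    v4 = embedded_ipv4(ipv6_dst)
    return RELAY_ANYCAST if v4 is None else v4


def checksum(header):
    """Standard IPv4 header checksum (one's complement sum of 16-bit words)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv6_header(src, dst, payload=b""):
    """Constructed sample packet: 40-byte IPv6 header, next header 59 (none)."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), 59, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


def encapsulate(ipv6_packet, src4):
    """Tunnel entry (router A): prepend an IPv4 header with protocol = 41."""
    dst4 = tunnel_endpoint(ipaddress.IPv6Address(ipv6_packet[24:40]))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6_packet), 0, 0,
                      64, PROTO_IPV6, 0,
                      ipaddress.IPv4Address(src4).packed, dst4.packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + ipv6_packet


def decapsulate(ipv4_packet):
    """Tunnel exit (relay B): validate the outer header, return the IPv6 packet."""
    ihl = (ipv4_packet[0] & 0x0F) * 4
    if ipv4_packet[0] >> 4 != 4 or ipv4_packet[9] != PROTO_IPV6:
        raise ValueError("not an IPv6-in-IPv4 packet")
    if checksum(ipv4_packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return ipv4_packet[ihl:]


def source_consistent(ipv4_packet):
    """Added check: a 6to4 inner source must embed the outer IPv4 source."""
    inner = decapsulate(ipv4_packet)
    claimed = embedded_ipv4(ipaddress.IPv6Address(inner[8:24]))
    outer_src = ipaddress.IPv4Address(ipv4_packet[12:16])
    return claimed is None or claimed == outer_src


if __name__ == "__main__":
    inner = ipv6_header("2002:102:304:abcd::1", "2001:bebe::1")   # H1 -> H3
    outer = encapsulate(inner, "1.2.3.4")                         # at router A
    print(ipaddress.IPv4Address(outer[16:20]), outer[9], source_consistent(outer))
```

Because the endpoint is computed from the destination address alone, router A needs no per-destination tunnel configuration; the same property means a decapsulating router has only the packet's own addresses to judge it by, which is what the source check uses.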

Which is the IPv6 source address at 3 in the encapsulated packet going from H1 to H3?
[Figure: 6to4 topology with H1, 6to4 router A (1.2.3.4), 6to4 host H2 (9.8.7.6), 6to4 relay router B (192.88.99.1), IPv6 host H3 (2001:bebe::1); observation points 11, 12, 1, 2, 3, 4, 5]
1. 1.2.3.4
2. 2002:0102:0304:00ab:EUI S12
3. 2002:0102:0304:abcd:EUI H1
4. None of the above
5. I don't know

Lisa at H3 sends a packet to Homer at H1. How is this packet routed in the IPv6 internet?
[Figure: 6to4 topology with H1, 6to4 router A (1.2.3.4), 6to4 host H2 (9.8.7.6), 6to4 relay router B (192.88.99.1), IPv6 host H3 (2001:bebe::1); observation points 11, 12, 1, 2, 3, 4, 5]
1. H3 keeps in its routing table the information that Homer's destination address is reached via B and sends the IPv6 packet to B
2. routers in the IPv6 internet send all packets to 2002/16 to the nearest 6to4 relay router
3. routers in the IPv6 internet know that the IPv4 destination address is 1.2.3.4 and compute the best path to A
4. I don't know

What is Bart's IPv6 default gateway at H2?
[Figure: 6to4 topology with H1, 6to4 router A (1.2.3.4), 6to4 host H2 (9.8.7.6), 6to4 relay router B (192.88.99.1), IPv6 host H3 (2001:bebe::1); observation points 11, 12, 1, 2, 3, 4, 5]
1. An address configured by DHCP
2. An address configured by SLAAC
3. A 6to4 address derived from 192.88.99.1
4. I don't know

Which way does a packet go from Bart's host to Homer's?
[Figure: 6to4 topology with H1, 6to4 router A (1.2.3.4), 6to4 host H2 (9.8.7.6), 6to4 relay router B (192.88.99.1), IPv6 host H3 (2001:bebe::1); observation points 11, 12, 1, 2, 3, 4, 5]
1. via B and back
2. directly over IPv4 to A then H1
3. H1 cannot be reached from H2
4. I don't know

My Windows PC at EPFL

Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix. : epfl.ch
   IPv4 Address........... : 128.178.151.202
   Subnet Mask........... : 255.255.255.0
   Default Gateway......... : 128.178.151.1

Tunnel adapter Local Area Connection* 15:
   Connection-specific DNS Suffix. : epfl.ch
   IPv6 Address........... : 2002:80b2:97ca::80b2:97ca
   Default Gateway......... : 2002:c058:6301::c058:6301

The nearest 6to4 relay from EPFL

C:\> tracert 192.88.99.1
Tracing route to 192.88.99.1 over a maximum of 30 hops
  1   <1 ms   <1 ms   <1 ms  cv-ic-dit-v151.epfl.ch [128.178.151.251]
  2   <1 ms   <1 ms   <1 ms  c6-gigado-1-v100.epfl.ch [128.178.100.18]
  3   <1 ms   <1 ms   <1 ms  c6-ext-v200.epfl.ch [128.178.200.1]
  4    1 ms   <1 ms   <1 ms  swiel2.epfl.ch [192.33.209.33]
  5   <1 ms   <1 ms   <1 ms  swils2-10ge-1-2.switch.ch [130.59.36.69]
  6    2 ms    2 ms    2 ms  swibe1-10ge-1-1.switch.ch [130.59.37.130]
  7    2 ms    2 ms    2 ms  swibe2-10ge-1-4.switch.ch [130.59.36.198]
  8    2 ms    2 ms    2 ms  192.88.99.1

The nearest 6to4 relay from my home

C:\> tracert 192.88.99.1
Tracing route to 192.88.99.1 over a maximum of 30 hops
  1    1 ms    2 ms    2 ms  192.168.1.1
  2  136 ms  136 ms  136 ms  lau01a05.sunrise.ch [212.161.178.79]
  3  128 ms  135 ms  136 ms  194.230.94.17
  4    *       *       *     Request timed out.
  5   71 ms  186 ms  333 ms  212.161.251.178
  6  156 ms  164 ms  164 ms  212.161.251.182
  7  228 ms  203 ms  169 ms  zr-fra1-te0-0-0-3.x-win.dfn.de [80.81.192.222]
  8  158 ms  163 ms  162 ms  zr-erl1-te0-0-0-4.x-win.dfn.de [188.1.145.197]
  9  159 ms  162 ms  162 ms  192.88.99.1
Trace complete.

[Figure: 6to4 topology with H1, 6to4 router A (1.2.3.4), 6to4 host H2 (9.8.7.6), 6to4 relay router B (192.88.99.1), IPv6 host H3 (2001:bebe::1); labels IEW and 6rd; observation points 11, 12, 1, 2, 3, 4, 5]
The prefixes 192.88.99/24 and 2002/16 are provider independent: Homer connects to the nearest 6to4 relay router
Some ISPs don't like that and want more control: they want their relay routers to be used by their customers only and they want their customers to use only their relay routers.
6rd is a modification and replacement of 6to4 where
  6rd addresses are not in 2002/16 but in a block allocated to the ISP
  relay router's IPv4 addresses are specified by ISP
6rd is deployed by Free (FR); 6to4 is deployed by Switch (CH)

Teredo
6to4 / 6rd require a valid IPv4 address and do not work behind a NAT unless NAT is modified
  OK for ISPs who control the NAT (e.g. Swisscom)
Teredo is a variant of 6to4 invented (by Microsoft) to solve the NAT case without altering the NAT
Uses:
  address block 2001:0/32
  tunnels (IPv6 in UDP in IPv4) (UDP is used to be compatible with existing NAT and firewall filtering rules)
  relay routers (called «teredo relays»)
  teredo servers, for solving the NAT mapping problem

My Windows PC at home has access to IPv6 over IPv4 by means of Teredo

Tunnel adapter Local Area Connection* 11:
   Connection-specific DNS Suffix. :
   IPv6 Address........... : 2001:0:5ef5:79fd:2c63:b421:ab1c:1f40
   Link-local IPv6 Address..... : fe80::2c63:b421:ab1c:1f40%12
   Default Gateway......... : ::

C:\Users\leboudec>tracert 2001:620:618:19c:1:80b2:9c18:1
Tracing route to lca1srv2.epfl.ch [2001:620:618:19c:1:80b2:9c18:1] over a maximum of 30 hops:
  1    *       *     135 ms  teredo-relay2.lrz.de [2001:4ca0:0:103:0:3544:1:2]
  2  134 ms  136 ms  137 ms  vl-6.vss1-2wr.lrz.de [2001:4ca0:0:103::1:1]
  3  149 ms  136 ms  136 ms  vl-3066.csr1-2wr.lrz.de [2001:4ca0:0:66::1]
  4  155 ms  139 ms  137 ms  xr-gar1-pc110-108.x-win.dfn.de [2001:638:c:a003::1]
  5  143 ms  163 ms  164 ms  zr-fra1-te0-6-0-7.x-win.dfn.de [2001:638:c:c070::1]
  6  147 ms  163 ms  163 ms  dfn.rt1.fra.de.geant2.net [2001:798:14:10aa::1]
  7  159 ms  162 ms  163 ms  so-5-0-0.rt1.gen.ch.geant2.net [2001:798:cc:1401:2201::a]
  8  213 ms  203 ms  152 ms  switch-lb2-gw.rt1.gen.ch.geant2.net [2001:798:12:10aa::a]
  9  152 ms  163 ms  163 ms  swiel2-10ge-1-3.switch.ch [2001:620:0:c06a::2]
 10    *       *       *     Request timed out.
 11  152 ms  164 ms  165 ms  cv-gigado-v200.epfl.ch [2001:620:618:1c8:1:80b2:c803:1]
 12  165 ms  164 ms  163 ms  cv-ic-dit-v100-ro.epfl.ch [2001:620:618:164:1:80b2:640c:1]
 13  151 ms  163 ms  164 ms  lca1srv2.epfl.ch [2001:620:618:19c:1:80b2:9c18:1]
Trace complete.

Summary: 6 to 6 over 4
6 to 6 over 4 solves the early adopter problem
  main solution is 6rd/6to4, with IPv6 in IPv4 tunnels
  a portion of IPv6 address space is used to contain 6rd/6to4 addresses; the prefix in such addresses embeds a valid IPv4 address
  tunnels are automatic thanks to the presence of the IPv4 address embedded in the IPv6 prefix
  relay routers terminate tunnels and announce appropriate address blocks in IPv4 and IPv6; relay routers are stateless
Teredo is a variant that supports hosts behind IPv4 NATs without configuration of the NAT

3. 4 to 4 over 6: The Legacy Problem
[Figure: IPv4 island, IP4/6 router A, IPv6, IP4/6 router B, IPv4 internet]
Problem is similar to 6 to 6 over 4 but there are two main differences
  impossible to embed IPv6 addresses in IPv4 addresses
  IPv4 addresses may not be available
Many solutions are proposed or even deployed;
  XLAT uses NAT64 and no tunnel
  DS-Lite is the simplest
  MAP-E is an improvement to DS-Lite

DS-Lite tunnels all IPv4 traffic to a Carrier Grade NAT
[Figure: IPv4 host H1 on the IPv4 Local Network (addresses 10.22.32.44 and 10.11.12.13 shown); DS-lite box A (2001:baba:bebe::23); IPv6 network; Carrier Grade NAT B (2001:baba:be00::77, IPv4 range 198.23.34.0 to 198.23.34.255); IPv4 internet; IPv4 host H3 (200.23.24.25); observation points 11, 12, 1, 3, 4, 5]
at H1, IPv4 destination is not onlink, packet sent to router A
at A, destination matches only default route and IPv4 packet is sent into tunnel to B
B decapsulates packet, translates IPv4 source address 10.23.32.44 and source port (e.g. 2345) to an IPv4 mapped address (e.g. 198.23.34.59) and to a possibly different port number (e.g. 5432)

Carrier Grade NAT is stateful
B needs to remember the (v4 address, port) mapping and the IPv6 source address of A. In the NAT table at B we see:

NAT Table at B
  IPv6 DS-lite box address   IPv4 address   port   IPv4 translated address   translated port
  2001:baba:bebe::23         10.22.32.44    2345   198.23.34.59              5432

B does this for all customers and for every flow served by this provider. The NAT table may be very large. This is called a Carrier Grade NAT.

H1 sends one packet to H3 and H3 responds. We observe the response at 5. Say what is true.
[Figure: DS-Lite topology with H1, DS-lite box A (2001:baba:bebe::23), Carrier Grade NAT B (2001:baba:be00::77, 198.23.34.0 to 198.23.34.255), IPv4 host H3 (200.23.24.25); observation points 11, 12, 1, 3, 4, 5]
1. The IPv4 destination address in the packet is 10.22.32.44
2. The IPv4 destination address in the packet is 198.23.34.59
3. The IPv6 destination address in the packet is 2001:baba:bebe::23
4. 1 and 3
5. 2 and 3
6. I don't know

464XLAT is similar to DS-Lite but replaces encapsulation by translation
[Figure: IPv4 host H1 on the IPv4 Local Network (addresses 10.22.32.44 and 10.11.12.13 shown); CLAT (2001:baba:bebe/64); IPv6 network; PLAT (2001:baba:be00/64, IPv4 range 198.23.34.0 to 198.23.34.255); IPv4 internet; IPv4 host H3 (200.23.24.25); observation points 11, 12, 1, 3, 4, 5]
For H1's address:
  CLAT performs stateless header translation IPv4 <-> IPv6. E.g. 10.22.32.44 is mapped to 2001:baba:bebe::a16:202c
  PLAT performs stateful header translation IPv4 <-> IPv6 and port number translation; e.g. 2001:baba:bebe::a16:202c port 3456 is mapped to 198.23.34.45 port 4567
For H3's address:
  CLAT and PLAT perform stateless translation, e.g. 200.23.24.25 is mapped to 2001:baba:be00::c817:1819

MAP-E (Mapping Address + Port, Encapsulation)
[Figure: IPv4 host H1 on the IPv4 Local Network (addresses 10.22.32.44 and 10.11.12.13 shown); MAP box A (2001:baba:bebe:0706::0102:0300:0006); IPv6 network; MAP Border Relay B (2001:baba:be00:abcd:77, IPv4 range 1.2.3.0 to 1.2.3.255); IPv4 internet; IPv4 host H3 (200.23.24.25); observation points 11, 12, 1, 3, 4, 5]
Problem with DS-Lite is the Carrier Grade NAT for very large ISPs
MAP-E solves the problem by putting address translation in the local network (in MAP box A) instead of the CGN
Translated port number and IPv4 address are mapped to a part of the IPv6 address

With MAP-E, translated IPv4 address and port are embedded in IPv6 prefix
MAP box A owns the IPv6 address prefix 2001:baba:bebe:0706
0706 are called the EA bits of the MAP IPv6 address
A MAP rule at A specifies which bits are the EA bits; further, the MAP rule is used as follows
  07 determines the available bits in the translated IPv4 address, e.g. 1.2.3.7
  06 specifies that the value of the bits 5 to 12 of the translated port numbers must be (hexa) 06; for example the port ae1f can be mapped to b06a
The complete IPv6 address of MAP box A is algorithmically derived from the MAP rule, e.g. here 2001:baba:bebe:0706::0102:0300:0006

Homer at H1 sends one packet to Lisa at H3

NAT Table at A
  IPv4 address   port (hexa)   IPv4 translated addr.   translated port
  10.22.32.44    ae1f          1.2.3.07                b06a

at H1, IPv4 destination is not onlink, packet sent to router A
A performs NAT44 and translates IPv4 addresses and port; translated IPv4 packet is sent into tunnel to B
B decapsulates packet and sends over the v4
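The difference between the stateful Carrier Grade NAT of DS-Lite and the algorithmic mapping of MAP-E shows up when a public (IPv4 address, port) pair from a server log has to be traced back to a customer. The following Python sketch is an added example, not part of the original slides; the MAP rule parameters (IPv6 rule prefix 2001:baba:bebe::/48, IPv4 prefix 1.2.3.0/24, 8 address bits and 8 port bits in the EA bits) are assumptions inferred from the slide's example values.

```python
import ipaddress

# DS-Lite: attribution needs the state held by the Carrier Grade NAT B.
# Key: (translated IPv4, translated port)
# Value: (DS-lite box IPv6 address, private IPv4, private port)
# The single entry is the one shown in the slides' "NAT Table at B".
CGN_TABLE = {
    ("198.23.34.59", 5432): ("2001:baba:bebe::23", "10.22.32.44", 2345),
}

# MAP-E: attribution needs only the rule. Values below are assumed from the
# slides' example (EA bits 0706 = IPv4 suffix 07 + port-set value 06).
RULE_IPV6 = ipaddress.ip_network("2001:baba:bebe::/48")
RULE_IPV4 = ipaddress.ip_network("1.2.3.0/24")
SUFFIX_BITS = 8    # low bits of the translated IPv4 address carried in EA bits
PSID_BITS = 8      # port-set bits carried in EA bits
PSID_OFFSET = 4    # port-set value sits in bits 5 to 12 of the port


def dslite_subscriber(pub_addr, pub_port, table=CGN_TABLE):
    """Stateful lookup: returns the DS-lite box address, or None if no state."""
    entry = table.get((pub_addr, pub_port))
    return entry[0] if entry else None


def psid_of(port):
    """Extract bits 5 to 12 (counted from the most significant bit) of a port."""
    return (port >> (16 - PSID_OFFSET - PSID_BITS)) & ((1 << PSID_BITS) - 1)


def mape_subscriber(pub_addr, pub_port):
    """Stateless lookup: rebuild the EA bits, hence the MAP box's IPv6 prefix."""
    addr = ipaddress.IPv4Address(pub_addr)
    if addr not in RULE_IPV4:
        return None
    suffix = int(addr) & ((1 << SUFFIX_BITS) - 1)
    ea_bits = (suffix << PSID_BITS) | psid_of(pub_port)
    plen = RULE_IPV6.prefixlen + SUFFIX_BITS + PSID_BITS
    base = int(RULE_IPV6.network_address) | (ea_bits << (128 - plen))
    return ipaddress.IPv6Network((base, plen))


def port_allowed(ea_bits, port):
    """True if a MAP box with these EA bits may use this translated port."""
    return psid_of(port) == ea_bits & ((1 << PSID_BITS) - 1)


def port_set(ea_bits):
    """All translated ports available to one MAP box under the rule."""
    return [p for p in range(1 << 16) if port_allowed(ea_bits, p)]


if __name__ == "__main__":
    print(dslite_subscriber("198.23.34.59", 5432))   # needs B's table
    print(mape_subscriber("1.2.3.7", 0xB06A))        # needs only the rule
    print(len(port_set(0x0706)))                     # ports per customer
```

With DS-Lite the answer exists only while B's NAT entry (or a log of it) is retained; with MAP-E the same question is answered from the rule alone, at the price of a fixed port range per customer.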

H1 sends one packet to H3 and H3 responds. We observe the response at 3. Say what is true.
1. The IPv6 destination address is determined algorithmically from the destination IPv4 address and port number seen at point 4
2. The IPv4 destination address and port number are the same as at point 4
3. 1 and 2
4. None
5. I don't know

Summary: 4 to 4 over 6
4 to 4 over 6 (the legacy problem) is solved by NAT and IPv4 in IPv6 tunnels
DS-Lite is simple but requires NAT44 function in the relay router. Works only for small ISPs. 464XLAT is similar.
MAP-E is a variant which distributes the NAT44 function close to the IPv4 customer, i.e. is more scalable.
MAP-T is like MAP-E but with translation instead of encapsulation.

4. Transition to IPv6
We have seen 4 different families of mechanisms for the interoperation of IPv4 and IPv6
Interworking
  ALG64 (application layer)
  NAT64 (protocol translation)
Like-to-like
  6rd or 6to4 (6 to 6 over 4)
  DS-Lite, 464XLAT, MAP-E, MAP-T (4 to 4 over 6)
The multiplicity of solutions is a symptom that the transition to IPv6 is difficult
Let us try to imagine which mechanisms can be used

You are network manager at EPFL and want to upgrade to IPv6. Which elements do you deploy?
1. ALG64
2. NAT64
3. 6rd
4. MAP-E
5. MAP-T
6. I don't know

You are network manager at Simpscom and want to save money by deploying only IPv6 in your cellular network. Which elements do you deploy?
1. ALG64
2. NAT64
3. 6rd
4. MAP-T
5. I don't know

You work from home and have only IPv4 access; you need to upload a proposal to NSF. NSF accepts only IPv6. What do you need to enable on your PC?
1. 6to4
2. Teredo
3. ALG64
4. NAT64
5. I don't know

Conclusion
Tunnels are an ad hoc solution used in many cases
  secure access over an insecure network, VPN
  like-to-like access for IPv6/IPv4 issues
Transition to IPv6 creates several types of problems (early adopter, legacy) that can be solved with various methods involving automatic tunnels and header translation
  promises a lot of fun!