© 2003-2005 Monash CTIE
Introduction to IPv6 Protocols
Australian Telecommunications CRC, Next Generation Internet Program
Centre for Telecommunications and Information Engineering, Monash University
http://ctieware.eng.monash.edu.au/twiki/bin/view/Applprog
Slide 2
Hello, who are we?
Centre for Telecommunications and Information Engineering (CTIE):
- Research centre within Monash University
- Part of ATcrc Next Generation Internet Program
- Have an IPv6 testbed running
- Developers of IPv6 multimedia applications
- Implementers of IPv6 mobility protocols
- Contributors to IETF Working Groups and standards on Mobile-IP and IPv6
- Diverse research and commercial experience
Slide 3
What we will present:
- Basics
- Addressing
- Routing
- Domain Name System
- IPv4 to IPv6 transition
- Security
- State of the Art
- Mobile IPv6
Slide 4
IPv6
- Network layer protocol: node-to-node information delivery across multiple links
- Layer 3 in the OSI reference model
OSI Reference Model (figure, top to bottom): Application layer, Presentation layer, Session layer, Transport layer, Network layer, Link layer, Physical layer
Slide 5
IPv6 Header
Simplified header compared to IPv4 (figure: both headers drawn 32 bits wide)
IPv4 header fields: Version, Header Length, Type of Service, Length, Identification, Flags, Fragment Offset, Time To Live, Protocol, Header Checksum, Source Address (32 bits), Destination Address (32 bits)
IPv6 header fields: Version, Class of Service, Flow Label, Payload Length, Next Header, Hop Limit, Source Address (128 bits), Destination Address (128 bits)
Slide 6
Extension Headers
- Basic header simplified for ease of processing
- Additional information carried in extension headers: Hop-by-hop options, Routing header, Fragment header, Destination options header, Authentication header (AH), Encrypted security payload (ESP) header
- Next Header field says what type of header follows, e.g. Fragment Header, TCP, ICMP, etc.
Header chain (figure): Basic Header [Next Hdr] -> Extension Header [Next Hdr, Length] -> Extension Header [Next Hdr, Length] -> Payload
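As an added example (not the slides' code), a parser that walks the Next Header chain of slide 6 over a constructed packet; the header-length rules come from RFC 2460 and RFC 4302, and the function names are this example's own. It also rejects truncated, overrunning and over-long chains, which is what a filter must check before trusting the upper-layer header it found.

```python
# Added example (not the slides' code): walking the Next Header chain of
# slide 6.  Header-length rules are from RFC 2460 (Hop-by-Hop, Destination
# Options and Routing: (HdrExtLen + 1) * 8 bytes; Fragment: 8 bytes) and
# RFC 4302 (AH: (PayloadLen + 2) * 4 bytes).  The packet is constructed here.
import struct

HOPOPT, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, NONXT, DSTOPTS = \
    0, 6, 17, 43, 44, 50, 51, 58, 59, 60
NAMES = {HOPOPT: "Hop-by-Hop", TCP: "TCP", UDP: "UDP", ROUTING: "Routing",
         FRAGMENT: "Fragment", ESP: "ESP", AH: "AH", ICMPV6: "ICMPv6",
         NONXT: "No Next Header", DSTOPTS: "Destination Options"}
WALKABLE = (HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS)


def walk_header_chain(packet, max_ext_headers=8):
    """Return the header names in order, ending with the upper-layer protocol
    (or ESP, beyond which nothing is visible).  Raises ValueError on truncated
    or overrunning headers, and refuses chains longer than max_ext_headers so
    a long chain cannot push the transport header out of a filter's reach."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nxt = struct.unpack_from("!HB", packet, 4)
    end = 40 + payload_len
    if end > len(packet):
        raise ValueError("Payload Length exceeds captured bytes")
    off, chain = 40, []
    for _ in range(max_ext_headers + 1):
        if nxt not in WALKABLE:
            break                      # upper layer, ESP or No Next Header
        chain.append(NAMES[nxt])
        if off + 2 > end:
            raise ValueError("truncated extension header")
        next_nxt, ext_len = packet[off], packet[off + 1]
        if nxt == FRAGMENT:
            hlen = 8
        elif nxt == AH:
            hlen = (ext_len + 2) * 4
        else:
            hlen = (ext_len + 1) * 8
        if off + hlen > end:
            raise ValueError("extension header overruns Payload Length")
        off, nxt = off + hlen, next_nxt
    else:
        raise ValueError("more than %d extension headers" % max_ext_headers)
    chain.append(NAMES.get(nxt, "protocol %d" % nxt))
    return chain


def is_malformed(packet):
    """True if walk_header_chain rejects the packet."""
    try:
        walk_header_chain(packet)
        return False
    except ValueError:
        return True


def sample_packet():
    """Constructed packet: IPv6 | Hop-by-Hop (PadN) | Fragment | TCP header."""
    tcp = bytes(20)                                   # placeholder TCP header
    frag = struct.pack("!BBHI", TCP, 0, 0, 0x1234)    # next, reserved, offset|M, id
    hbh = struct.pack("!BB", FRAGMENT, 0) + bytes([1, 4, 0, 0, 0, 0])  # PadN(4)
    payload = hbh + frag + tcp
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), HOPOPT, 64)  # ver, len, nh, hop
    src = bytes.fromhex("3ffe0db8" + "0" * 23 + "1")  # 3ffe:db8::1 (constructed)
    dst = bytes.fromhex("3ffe0db8" + "0" * 23 + "2")  # 3ffe:db8::2 (constructed)
    return hdr + src + dst + payload


if __name__ == "__main__":
    print(" -> ".join(walk_header_chain(sample_packet())))
```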
Slide 7
ICMPv6
- Same basic concept as ICMP (for IPv4)
- Error messages, e.g.: Destination unreachable, Packet too big, Time exceeded, Parameter problem
- Information messages, e.g.: Echo request/reply, Router solicitation/advertisement, Multicast Listener Discovery (like IGMP for IPv4)
Slide 8
Progress: Basics, Addressing, Routing, Domain Name System, IPv4 to IPv6 transition, Security, State of the Art, Mobile IPv6
Slide 9
Address space
- 128 bit addresses
- Massive address space to last for the foreseeable future
- Default allocation is for all sites to receive 2^16 = 65536 subnets
- Ensures that it is possible to allocate a globally unique address to every host so that end-to-end applications are possible
Slide 10
Address types
- Unicast
- Anycast
- Multicast
- No more broadcast!
Slide 11
Representing IPv6 addresses
- x:x:x:x:x:x:x:x, e.g. 1234:5678:9abc:def0:1234:5678:9abc:def0
- One string of zeros may be represented by "::", e.g. ff02:0:0:0:0:0:0:1 = ff02::1
- Last 2 fields may be represented in IPv4 "dotted decimal" form, e.g. 0:0:0:0:0:ffff:192.168.0.1 or ::ffff:192.168.0.1
- "[]" are used around the address for representation in URLs: http://[3ffe:a:b:c::1]:port/dir
Slide 12
Representing IPv6 addresses (cont.)
- No more netmasks
- Represented by a "/prefixlen" appended to the end of an address, where prefixlen indicates the number of bits in the address that make up the network address
- Similar to classless address representation in IPv4, e.g. 3ffe:a:b:1::1/64
  Network part: 3ffe:a:b:1::  Host part (interface identifier): ::1
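Added example (not from the slides): the expansion and compression rules of slides 11-12 implemented by hand so each step is visible, plus the network/host split for a /prefixlen; expand_ipv6, compress_ipv6 and split_prefix are names chosen for this example.

```python
# Added example (not the slides' code): the notation rules of slides 11-12.
# The three function names below are this example's own.


def expand_ipv6(text):
    """Return the eight 16-bit groups of an address written in any of the
    slide's forms: full x:x:x:x:x:x:x:x, with one '::' zero run, and/or with
    the last 32 bits in IPv4 dotted-decimal form (e.g. ::ffff:192.168.0.1)."""
    if text.count("::") > 1:
        raise ValueError("only one '::' is allowed")
    if "." in text:
        # An embedded IPv4 address occupies the last two groups.
        head, _, dotted = text.rpartition(":")
        octets = [int(o) for o in dotted.split(".")]
        if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
            raise ValueError("bad embedded IPv4 address")
        text = "%s:%x:%x" % (head, octets[0] << 8 | octets[1],
                              octets[2] << 8 | octets[3])
    if "::" in text:
        left, right = text.split("::")
        lg = [int(g, 16) for g in left.split(":") if g]
        rg = [int(g, 16) for g in right.split(":") if g]
        fill = 8 - len(lg) - len(rg)
        if fill < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = lg + [0] * fill + rg
    else:
        groups = [int(g, 16) for g in text.split(":")]
    if len(groups) != 8 or any(not 0 <= g <= 0xFFFF for g in groups):
        raise ValueError("address needs exactly 8 groups of 16 bits")
    return groups


def compress_ipv6(groups):
    """Shortest text form: leading zeros dropped, and the longest run of two
    or more zero groups replaced by '::' (the RFC 5952 convention)."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexg = ["%x" % g for g in groups]
    if best_len < 2:
        return ":".join(hexg)
    left = ":".join(hexg[:best_start])
    right = ":".join(hexg[best_start + best_len:])
    return left + "::" + right


def split_prefix(cidr):
    """Split 'addr/prefixlen' into the network part and the host part
    (interface identifier), both in compressed form, as on slide 12."""
    addr, _, plen = cidr.partition("/")
    plen = int(plen)
    if not 0 <= plen <= 128:
        raise ValueError("prefix length must be 0..128")
    value = 0
    for g in expand_ipv6(addr):
        value = (value << 16) | g
    mask = ((1 << plen) - 1) << (128 - plen)
    net, host = value & mask, value & ~mask & ((1 << 128) - 1)
    to_groups = lambda v: [(v >> (16 * (7 - k))) & 0xFFFF for k in range(8)]
    return compress_ipv6(to_groups(net)), compress_ipv6(to_groups(host))


if __name__ == "__main__":
    print(compress_ipv6(expand_ipv6("ff02:0:0:0:0:0:0:1")))
    print(split_prefix("3ffe:a:b:1::1/64"))
```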
Slide 13
Address allocation
- fe80::/10 - link-local
- fec0::/10 - site-local (now deprecated)
- fc00::/8 - ULA central
- fd00::/8 - ULA local
- ff00::/8 - multicast
- 2000::/3 - globally aggregatable unicast
- 3ffe::/16 - 6bone
- 0000::/8 is reserved and contains addresses like: the unspecified address (::), the loopback address (::1), and IPv6 addresses with IPv4 addresses embedded in them
Slide 14
Unicast addressing
- Associated with an interface rather than a node
- Several types of unicast addresses: limited scope (link-local, ULA); globally aggregatable; transition (IPv4 compatible, IPv4 mapped)
Slide 15
Multicast addressing
- ffxy:: prefix
- x = flags: one flag currently defined, indicating whether the address is one assigned by the IANA or a transient address
- y = scope: 1 - host scope, 2 - link scope, 5 - site scope, 8 - organization scope, e - global scope
Slide 16
Multicast addressing (cont.)
- Suffix indicates the group; IANA has registered groups for particular uses: ::1 - all hosts, ::2 - all routers, etc.
- Using an example from RFC 3513: if the "NTP servers group" is assigned a permanent group ID of 0x101, then
  ff01::101 means "all NTP servers on the same node as the sender"
  ff02::101 means "all NTP servers on the same link as the sender"
  ff05::101 means "all NTP servers on the same site as the sender"
  ff0e::101 means "all NTP servers on the Internet"
Slide 17
Solicited Nodes Multicast Address
- FF02:0:0:0:0:1:FFXX:XXXX where XXXXXX is the low order 24 bits of the Interface Identifier of a unicast address
- Nodes MUST join the solicited nodes multicast address group for each unicast address configured
- Facilitates location of nodes
- Example: Unicast: 3ffe:0db8::fedc:ba98:7654:3210; Solicited nodes multicast: ff02::1:ff54:3210
Slide 18
Interface Identifiers
- Manually configured
- EUI-64: formed from the MAC address of the interface
- RFC 3041 temporary addresses: randomly generated interface identifiers, provides some level of privacy
Address layout (figure): Prefix | Interface Identifier
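Added example (not from the slides) covering slides 15-18: decoding the flags and scope of an ffxy:: address, deriving the solicited-node address from slide 17's unicast example, and forming an interface identifier from a MAC (the ff:fe insertion and universal/local bit flip are the RFC 4291 rule, which the slide does not spell out); the MAC, the prefix and the function names are constructed for this example.

```python
# Added example (not the slides' code): the derivations of slides 15-18.
# The modified EUI-64 rule (insert ff:fe, invert the universal/local bit) is
# from RFC 4291 Appendix A; the MAC and prefix used below are constructed.
import ipaddress
import secrets

SCOPES = {1: "interface-local", 2: "link-local", 5: "site-local",
          8: "organization-local", 0xE: "global"}


def eui64_from_mac(mac):
    """64-bit interface identifier derived from a 48-bit MAC (slide 18).
    Note the MAC stays recoverable from the address, which is the privacy
    problem RFC 3041 temporary identifiers address."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02                      # invert the universal/local bit
    return int.from_bytes(eui, "big")


def temporary_iid():
    """RFC 3041-style random identifier: 64 random bits with the u bit
    (bit 57) cleared so it is never taken for a globally unique EUI-64."""
    return secrets.randbits(64) & ~(1 << 57)


def address_from(prefix, iid):
    """Slide 18: address = 64-bit prefix | 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("interface identifiers are 64 bits; prefix must be /64")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def solicited_node(unicast):
    """Slide 17: ff02::1:ffXX:XXXX from the low 24 bits of the address."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def decode_multicast(addr):
    """Slide 15: split an ffxy:: address into its flag, scope and group ID."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError("not an ff00::/8 address")
    n = int(a)
    flags, scope = (n >> 116) & 0xF, (n >> 112) & 0xF
    return {"transient": bool(flags & 0x1),   # T=0 IANA-assigned, T=1 transient
            "scope": SCOPES.get(scope, "reserved/unassigned"),
            "group_id": n & ((1 << 112) - 1)}


if __name__ == "__main__":
    iid = eui64_from_mac("00:11:22:33:44:55")          # constructed MAC
    print(address_from("3ffe:db8:1:2::/64", iid))      # constructed prefix
    print(solicited_node("3ffe:0db8::fedc:ba98:7654:3210"))
    print(decode_multicast("ff05::101"))
```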
Slide 19
Address configuration
- Stateful: DHCPv6 (RFC 3315); clients use scoped multicast to reach servers and relays; may provide information in addition to addresses, e.g. DNS address
- Stateless: routers send periodic advertisements (which may also be solicited); hosts use the information in advertisements to create valid addresses
Slide 20
Router Advertisement
- RAs are sent periodically and in response to Router Solicitations
- Contains link prefix, lifetime, MTU, etc.
- Hosts construct addresses by appending their interface identifier to the prefix advertised by the router
- This address then needs to be tested to ensure uniqueness
Slide 21
Duplicate Address Detection
- Multicast is used to assist in detection of conflicting addresses
- Packets are sent to the solicited nodes multicast address
- The packet essentially asks if anyone is already using this address
- If another node responds, the interface either shuts down or tries another address
- The nature of the multicast address ensures that a host that is using the tested address must be listening, but most other hosts won't be
Slide 22
Duplicate Address Detection (figure)
Querying node: "Is anyone using address 'X'?"
Node holding the address: "I am."
Slide 23
Link Address Resolution
- Uses the same packet types as DAD
- Equivalent of ARP in IPv4
- Neighbour Solicitation message is sent to the solicited nodes multicast address (rather than broadcast as in IPv4)
- Host with the destination IP address responds with a Neighbour Advertisement that includes its link layer address
Slide 24
Link Address Resolution (figure)
Querying node: "Who's using address 'X'?"
Node holding the address: "I am. My link layer address is 'xxx'."
Slide 25
Neighbour Unreachability Detection
- Hosts maintain a cache of devices they have communicated with recently
- The table indicates the reachability state of each host
- Neighbour solicitation/advertisement messages are used to probe devices to confirm reachability
- Not done when reachability can be confirmed by other information, such as a TCP three-way handshake
- Also not initiated just because a device hasn't been heard from for some time
- Old entries removed
Slide 26
IPv6 MTU & Path MTU Discovery
- Maximum Transmission Unit (MTU)
- IPv6 MTU minimum 1280 bytes (vs. IPv4 68 bytes)
- IPv6 fragmentation is end-to-end: routers don't fragment IPv6 packets, end nodes do it
- Path MTU discovery not mandatory
- Routers may reply with ICMPv6 'Packet too big' and drop if the packet exceeds the router/link MTU
Slide 27
IPv6 MTU & Path MTU Discovery (figure)
Path of links with MTU 1500, MTU 1480, MTU 1280:
1. 1500 byte packet sent; ICMPv6 Packet too big, MTU = 1480
2. 1480 byte packet sent; ICMPv6 Packet too big, MTU = 1280
3. 1280 byte packet sent; successful packet delivery
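Added example (not from the slides): the packet-too-big exchange of slides 26-27 as a small simulation with the slides' link MTUs and 1500-byte packet; the function name is this example's own.

```python
# Added example (not the slides' code): Path MTU discovery over the path on
# slide 27.  Routers never fragment; the sender shrinks to the reported MTU.
IPV6_MIN_MTU = 1280


def path_mtu_discovery(link_mtus, packet_size):
    """Send packets until one fits every link.  The first link whose MTU is
    smaller than the packet returns ICMPv6 'Packet too big' carrying its MTU
    and drops the packet; the sender retries at that size.
    Returns (final packet size, list of events)."""
    if min(link_mtus) < IPV6_MIN_MTU:
        # Slide 26: every IPv6 link must carry 1280 bytes; anything smaller
        # has to be handled below IP, so it is not a valid link here.
        raise ValueError("link MTU below the IPv6 minimum of 1280 bytes")
    size, events = packet_size, []
    while True:
        for hop, mtu in enumerate(link_mtus, start=1):
            if size > mtu:
                events.append("hop %d: %d byte packet, ICMPv6 Packet too big, "
                              "MTU = %d" % (hop, size, mtu))
                size = mtu
                break
        else:
            events.append("%d byte packet delivered" % size)
            return size, events


if __name__ == "__main__":
    for line in path_mtu_discovery([1500, 1480, 1280], 1500)[1]:
        print(line)
```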
Slide 28
Summary
- Huge address space
- Hosts can autoconfigure their own addresses
- Scoping allows for some clever use of multicast
- Neighbour Discovery replaces ARP for address resolution
- Also introduces new functionality: stateless address autoconfiguration, DAD, NUD, PMTU discovery
Slide 29
Progress: Basics, Addressing, Routing, Domain Name System, IPv4 to IPv6 transition, Security, State of the Art, Mobile IPv6
Slide 30
Packet switched networks
- Internet is a packet switched network
- Each packet contains full addressing information
- Simple headers for IPv6
- Routing is the process of working out how to send a packet to its destination
Slide 31
Routing
- All nodes examine the destination address of arriving packets
- Hosts either accept or discard; routers may also forward packets to another node
- Packets for "on-link" destinations may be delivered directly; other packets must be forwarded to a "next-hop" router
- Packet travels hop-by-hop until it reaches its destination
Slide 32
Routing (cont.)
Example (IPv6):
traceroute to munnari.oz.au (2001:388:c02:4000::1:21) from 3ffe:8001:12:fc:203:47ff:fe31:51b1, 30 hops max, 16 byte packets
 1 3ffe:8001:12:fc::3 (3ffe:8001:12:fc::3) 0.396 ms 0.305 ms 0.307 ms
 2 3ffe:8000:ffff:1012::100 (3ffe:8000:ffff:1012::100) 51.953 ms * 39.798 ms
 3 vbns-trumpet.hay.vbns.net (3ffe:28ff:ffff:3::100) 251.758 ms 245.323 ms 251.982 ms
 4 cs-v6-atm0-2.dng.vbns.net (3ffe:28ff:ffff:3::) 299.732 ms 314.289 ms *
 5 iplsng-vbns.abilene.ucaid.edu (2001:468:ff:12c1::1) 404.823 ms 365.734 ms 372.79 ms
 6 6plains-iplsng.abilene.ucaid.edu (2001:468:ff:121d::2) 393.285 ms 346.691 ms 359.758 ms
 7 sit1.ipv6.broadway.aarnet.net.au (2001:388::1) 559.186 ms 550.964 ms 622.729 ms
 8 2001:388:0:11::2 (2001:388:0:11::2) 670.786 ms 542.702 ms 542.287 ms
 9 2001:388:c02:4000::1:21 (2001:388:c02:4000::1:21) 560.391 ms 530.628 ms 559.938 ms
Slide 33
Routing (cont.)
- A router may have many interfaces and/or neighbours
- How does the router know where to send a packet? The routing table
Slide 34
Routing tables
- Contains information about how to get a packet "closer" to its destination: destination prefix, next hop router, outgoing interface, metric
- Routing table is consulted for the longest matching prefix
- Packet is forwarded using the information in the routing table entry with the longest matching prefix
Slide 35
Prefix matching
Example: simplified routing table
Prefix               Next Hop            Interface
3ffe:0db8:5000::/36  3ffe:0db8:1000::2   eth0
3ffe:0db8:5400::/40  3ffe:0db8:1001::2   eth1
- Packet arrives with destination address 3ffe:0db8:5401::1
- Matches both routing table entries, but the second entry is a longer match (40 bits), so the packet is forwarded out interface eth1
Slide 36
Static vs. Dynamic
- How is the routing table constructed?
- Routing table entries may be made by hand: static routes, not scalable
- Most routing table entries are calculated automatically: dynamic routes, routers exchange information with one another using routing protocols
Slide 37
The Internet
- "Network of networks"
- Not practical for every host (or even router) to have a routing table entry for every other host/router in the Internet
- To make routing tables practical, we need entries that refer to multiple hosts
- E.g. default route: 0::/0  3ffe:0db8:1000::2  eth0
- "0::/0" will always match and will always be the shortest match; this single entry covers every host that we don't already have another entry for
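Added example (not from the slides): longest-prefix-match forwarding over the slide 35 table together with the default route from slide 37, using Python's ipaddress module; the function names are this example's own.

```python
# Added example (not the slides' code): the forwarding decision of slides
# 34-37 over the slides' own table entries and default route.
import ipaddress

ROUTING_TABLE = [
    # (destination prefix, next-hop router, outgoing interface)
    ("3ffe:0db8:5000::/36", "3ffe:0db8:1000::2", "eth0"),
    ("3ffe:0db8:5400::/40", "3ffe:0db8:1001::2", "eth1"),
    ("::/0",                "3ffe:0db8:1000::2", "eth0"),   # default route, 0::/0
]


def build_table(rows):
    """Parse the rows and order them longest prefix first, so a linear scan
    returns the longest matching prefix on its first hit."""
    parsed = [(ipaddress.IPv6Network(p), ipaddress.IPv6Address(nh), iface)
              for p, nh, iface in rows]
    return sorted(parsed, key=lambda r: r[0].prefixlen, reverse=True)


def lookup(table, destination):
    """Return the entry used to forward a packet for destination, or None
    when nothing matches (which only happens without a default route)."""
    dst = ipaddress.IPv6Address(destination)
    for net, next_hop, iface in table:
        if dst in net:
            return {"prefix": net.with_prefixlen, "prefixlen": net.prefixlen,
                    "next_hop": str(next_hop), "interface": iface}
    return None


if __name__ == "__main__":
    table = build_table(ROUTING_TABLE)
    for dst in ("3ffe:0db8:5401::1", "3ffe:0db8:5001::1", "2001:db8::1"):
        print(dst, "->", lookup(table, dst))
```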
Slide 38
Aggregation
- As a network of networks, the Internet is divided into administrative regions called "Autonomous Systems" (AS)
- Generally all of the routing information from within an AS can be summarized into a single routing table entry
- E.g. Acme Computers have many networks: 3ffe:0db8:1001:(a,b,c,etc.)::/64
- Devices outside the Acme Computer AS only need to know how to reach 3ffe:0db8:1001::/48
Figure: the Internet as several ASs connected together
Slide 39
Aggregation (cont.)
- Devices outside of Acme have a single routing entry for all Acme networks
Figure: the Acme AS contains 3ffe:0db8:1001:a::/64, 3ffe:0db8:1001:b::/64, 3ffe:0db8:1001:c::/64 and 3ffe:0db8:1001:d::/64; each neighbouring AS in the Internet holds only 3ffe:0db8:1001::/48 (via route X, via route Y and via route Z respectively)
Slide 40
Aggregation (cont.)
- So far same as IPv4
- IPv6 takes aggregation further: strict hierarchy for address allocation; an IP address allocation is always a subset of the provider's address space
- E.g. the entire set of hosts beneath the top level provider can be summarized with a single routing table entry
Figure (allocation hierarchy):
Large provider: 3ffe:0db8::/32
Small providers: 3ffe:0db8:2500::/40, 3ffe:0db8:2600::/40
Individual sites: 3ffe:0db8:2501::/48 and 3ffe:0db8:2502::/48 (under 3ffe:0db8:2500::/40); 3ffe:0db8:2601::/48 and 3ffe:0db8:2602::/48 (under 3ffe:0db8:2600::/40)
Slide 41
Threats to Aggregation
- Provider independent addressing
- Multihoming: connecting to the Internet through multiple providers; not yet standardized; one of the big hurdles in the way of IPv6 deployment
Slide 42
Routing Protocols
- Two types of routing protocols: interior, exterior
- Exterior routing protocols are used to exchange information between ASs: BGP-4+
- Interior routing protocols exchange information with other routers under the same administrative control: RIPng, OSPFv3
Slide 43
Exterior Protocols
- Communicate with other systems
- Control routing table sizes
- Manage policy
- Use bandwidth efficiently
Slide 44
Interior Protocols
- Independent of protocols used in other ASs
- Convey complete routing information within an AS
- Some protocols allow summarization within an AS (OSPF areas)
- Propagate change rapidly
Slide 45
Routing Information Protocol - Next Generation (RIPng)
- Interior gateway protocol
- Based on RIP (IPv4)
- Distance vector algorithm
- Limited to networks with no more than 15 hops
- Routing decisions take into account fixed metrics (usually 1)
Slide 46
Route table
- Each router maintains a route table
- Each entry in the table contains: prefix of destination; metric, equal to the sum of metrics along each hop to the destination network; IPv6 address of next hop; a flag to indicate recent changes have taken place; various timers associated with the route
Slide 47
Request/response packets
- UDP used to carry messages
- Packet format: route tag used to separate RIPng routes for the network being managed from those of an external RIPng process that have been imported into the network
- Responses may be in response to a request packet or may be sent periodically without solicitation
- Responses contain lists of route table entries for the sender
- May contain complete or partial tables
Slide 48
Split horizon
- Don't advertise routes learned from an interface out that interface
- Poisoned-reverse: do advertise routes learned from an interface out that interface, but set the metric to infinity so that they appear to be unreachable
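Added example (not from the slides): split horizon and poisoned reverse from slide 48 applied to a constructed RIPng route table, with the receiving side's metric handling from slides 45-46; the table, prefixes and function names are this example's own.

```python
# Added example (not the slides' code): what a RIPng router announces on
# each interface under split horizon vs. poisoned reverse, and how a
# receiver folds a response into its table.  Table contents are constructed.
RIP_INFINITY = 16       # metric meaning "unreachable" (15-hop limit, slide 45)

ROUTES = [
    # learned_from None = directly connected
    {"prefix": "3ffe:db8:1::/64", "metric": 1, "learned_from": None},
    {"prefix": "3ffe:db8:2::/64", "metric": 2, "learned_from": "eth1"},
    {"prefix": "3ffe:db8:3::/64", "metric": 3, "learned_from": "eth2"},
]


def advertisement(routes, out_iface, poisoned_reverse=False):
    """(prefix, metric) pairs to send in a Response out of out_iface."""
    rtes = []
    for r in routes:
        metric = r["metric"]
        if r["learned_from"] == out_iface:
            if not poisoned_reverse:
                continue                    # split horizon: say nothing
            metric = RIP_INFINITY           # poisoned reverse: say "unreachable"
        rtes.append((r["prefix"], metric))
    return rtes


def process_response(routes, rtes, in_iface):
    """Receiver side: add one hop per link, cap at infinity, and adopt a
    route when it is new, better, or comes from the current next hop
    (which is how a poisoned route takes effect)."""
    table = {r["prefix"]: dict(r) for r in routes}
    for prefix, metric in rtes:
        metric = min(metric + 1, RIP_INFINITY)
        cur = table.get(prefix)
        if cur is None:
            if metric < RIP_INFINITY:
                table[prefix] = {"prefix": prefix, "metric": metric,
                                 "learned_from": in_iface}
        elif metric < cur["metric"] or cur["learned_from"] == in_iface:
            cur["metric"] = metric
    return list(table.values())


if __name__ == "__main__":
    print("eth1, split horizon:   ", advertisement(ROUTES, "eth1"))
    print("eth1, poisoned reverse:", advertisement(ROUTES, "eth1", True))
```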
Slide 49
Major Differences from RIP
- RIP includes a "next hop" entry in each routing table entry (RTE)
- Due to the length of IPv6 addresses, RIPng defines a special RTE that contains a next-hop address that applies to all following RTEs until another next-hop RTE is included
Slide 50
Open Shortest Path First (OSPF)
- Another interior gateway protocol
- Link state algorithm
- Version 3 supports IPv6
Slide 51
Areas
- Large ASs may be broken up into "Areas"
- Helps control the amount of traffic used to propagate information
Slide 52
Designated routers
- Uses an election process to pick one router on each link to be "in charge"
Slide 53
Flooding
- Link state information is propagated by flooding the entire network
- Contrast with RIP, where information about the entire network is passed only to neighbours
- Link State Advertisements (LSAs) are stored by routers in a "link-state database"
- Dijkstra's algorithm is used on this database to calculate the shortest path tree and populate the routing table
Slide 54
Differences from OSPFv2 (IPv4)
- Protocol processing done per-link rather than per-subnet
- Single links may have multiple IPv6 subnets, and devices on the same link that don't share a subnet may still communicate directly
- IP addresses are no longer used in OSPF packets; packets carry topology information in the form of router IDs (which are 32-bit values like IPv4 addresses and are sometimes represented that way)
- Flooding scope added to LSAs: link, area and AS scope
Slide 55
Differences from OSPFv2 (IPv4) (cont.)
- Support for multiple instances of OSPF per link
- Link-local addresses used for communication between routers where possible
- Special multicast addresses: AllSPFRouters ff02::5, AllDRouters ff02::6
- Authentication removed from the protocol specification: OSPF now relies on the IP Authentication Header and IP Encapsulating Security Payload features of IPv6 to secure the integrity of routing exchanges
Slide 56
Border Gateway Protocol (BGP)
- Exterior gateway protocol that allows routing information to be exchanged between autonomous systems (ASs), sufficient to determine reachability and eliminate routing loops
Slide 57
BGP Peers
- Information is exchanged between pairs of routers called BGP peers
- Information carried using TCP
- Small "keep alive" packets keep the TCP session from timing out
Slide 58
BGP routes
- Contains "Network Layer Reachability Information" (NLRI) plus "path attributes": Next Hop, AS path
- Routing decisions may be based on the attributes
- Policies are used to determine which routes are sent to a peer and which routes will be accepted
Slide 59
Updates
- Entire routing table exchanged when peering is first established
- Because TCP is used, only changes need to be transmitted after that
- Efficient use of bandwidth (compared to IGPs)
- Routes may be added, deleted or modified
- Routing loops are avoided by examining the AS path
Slide 60
Supporting IPv6
- BGP-4+ contains extensions for supporting network protocols other than IPv4
- Very little required in order to support IPv6
- BGP Identifier is still an IPv4 address: IPv6-only routers still need an IPv4 address to run BGP
- New attribute defined that carries both the IPv6 NLRI as well as the next hop; the Next Hop attribute is not used (v4 only)
Slide 61
Progress: Basics, Addressing, Routing, Domain Name System, IPv4 to IPv6 transition, Security, State of the Art, Mobile IPv6
Slide 62
DNS - Domain Name System
- DNS translates "fully qualified domain names" like www.ctie.monash.edu.au into IP addresses like 130.194.137.141 or 2001:388:608c:fc:205:5dff:fe00:9e3a
- DNS servers hold records associating names to IP numbers
- Applications use a DNS client (resolver) to access the records
- Each DNS entry contains multiple record types (RR) and information
- No modification required to support IPv6 addresses in the DNS system
- Newer DNS software supports both IPv4 and IPv6 access
Slide 63
DNS: Resource Records (RR)
- RR: A records for IPv4 address; AAAA record for IPv6 address; A6 (alternative IPv6 address record) not used much anymore
- Example DNS record lookup:
dig helen.ctie.monash.edu.au any
;; QUERY SECTION:
helen.ctie.monash.edu.au, type = ANY, class = IN
;; ANSWER SECTION:
helen.ctie.monash.edu.au. 12H IN A 130.194.252.35
helen.ctie.monash.edu.au. 12H IN AAAA 2001:388:608c:fc:205:5dff:fe00:9d30
;; AUTHORITY SECTION:
monash.edu.au. 12H IN NS netslave1.cc.monash.edu.au.
Slide 64
DNS: IPv6 & Software Support
- DNS name server software: IPv4 queries can get IPv6 addresses from existing name servers; BIND v9 (on Unix/Linux/Mac OS X) has native IPv6 access; MS Windows DNS (WinNT, 2K, XP) - IPv4 query only!
- Client (resolver) apps: nslookup (MS Windows, Unix, Mac OS X) - IPv4 queries; dig - IPv4 and IPv6 versions
- Proxy software exists for native IPv6 DNS lookup to IPv4 name servers
Slide 65
DNS: Reverse lookup
- NOT all DNS name servers support reverse lookup of IPv6 addresses
- dig -x <IP address> automatically checks in-addr.arpa or ip6.arpa
- Examples: dig -x 10.1.1.10 looks up 10.1.1.10.in-addr.arpa.
  dig -x 3ffe:4567:12:fc:205:5dff:defd:abc looks up \[x3FFE4567001200FC02055DFFDEFD0ABC/128].ip6.arpa.
Slide 66
Progress: Basics, Addressing, Routing, Domain Name System, IPv4 to IPv6 transition, Security, State of the Art, Mobile IPv6
Slide 67
IPv4 to IPv6 Transition
Strategies and mechanisms. The problem:
- IPv4 to IPv6 transition is gradual
- IPv6 devices need to communicate with IPv4
- IPv6 needs to communicate over IPv4 links
The solutions:
- Dual Stack (IPv4, IPv6) routers and workstations
- Tunnels
- Protocol translations and application specific gateways
- RFC2893 Transition Mechanisms for IPv6 Hosts and Routers
Slide 68
Dual Stack
- Dual Stack (IPv4, IPv6) routers and workstations
- Application doesn't really need to know what the transport is
- Can communicate with both IPv4 and IPv6
Protocol stack (figure): Application | TCP, UDP | IPv6 (type 0x86DD) alongside IPv4 (type 0x0800) | Ethernet
Slide 69
Dual Stack (cont.)
Applications on dual stack hosts:
- For applications that only support IPv4: use IPv4 only
- For applications that support IPv6: if DNS lookup of the destination resolves the address to an IPv4 destination, use IPv4; if DNS resolves the address to an IPv6 destination, use IPv6
- Routers send traffic based on IP type and routing rules
Slide 70
IPv4-mapped addresses
- IPv4 mapped addresses --> IPv6 node to IPv4 node
- Used by IPv6 applications for internal representation of IPv4 addresses
- IPv6 node communicates directly (via dual stack) to the IPv4 address
- 80 bits 0, 16 bits 1, 32 bits of IPv4 address on the end
- 0:0:0:0:0:FFFF:192.17.1.42 = ::FFFF:192.17.1.42 = ::FFFF:c0a7:abcd
Slide 71
IPv4 compatible addresses
- IPv4 compatible addresses represent an IPv6 node without having a real IPv6 address
- IPv6 node communicates directly (via dual stack) to IPv4 addresses
- 96 bits 0, 32 bits of IPv4 address on the end: 0:0:0:0:0:0:192.17.1.42 = ::192.17.1.42 = ::c0a7:abcd
- Used by tunneling protocols like 6to4
- Can't use IPv6 stateless address autoconfiguration: requires a preconfigured IPv4 address for the node
Slide 72
Tunnels
- Tunnels: encapsulation of IPv6 over IPv4
- Manual point-to-point (rfc2893)
- Auto: 6to4, Teredo, ISATAP addresses (rfc2893) let IPv6 hosts or networks communicate over IPv4 without explicit tunnel setup
- 6bone: tunnel connected network; brokers provide temporary links
Figure: IPv6 nodes 3ffe:0db8::1/64 and 3ffe:0db8::2/64 joined by an IPv6 in IPv4 tunnel between IPv4 endpoints 192.168.1.10 and 192.168.10.2 across an IPv4 network
Slide 73
Tunnels - IPv6 in IPv4
- IPv6 packet is encapsulated in an IPv4 packet
Figure: IPv4 header | IPv4 payload, where the IPv4 payload is IPv6 header | IPv6 payload
Slide 74
Tunnels - IPv6 in IPv4
- IPv4 tunnel appears as a single hop to the IPv6 nodes
- The MTU decreases by the IPv4 header size (20 bytes)
- Tunnel types: router-router, node-node, node-router
- Tunnel configuration: manual (mainly for point to point), automatic, tunnel broker (as per 6bone, for occasional use)
Slide 75
Automatic configuration of tunnels
- Automatic tunnel configuration: compatible addresses
- A dual stack host connected to an IPv4 network may use an IPv4 compatible address to talk to IPv6 hosts through a gateway
- This technique is no longer favoured
Figure: a dual stack host on the IPv4 network, using compatible address ::192.168.1.1, reaches IPv6 hosts on the IPv6 network through an IPv6 in IPv4 tunnel to a dual stack router
Slide 76
Automatic configuration of Tunnels - 6to4
- Tunnel configuration 6to4, RFC3056 "Connection of IPv6 domains via IPv4 clouds (6to4)"; supported by the Microsoft implementation with a Microsoft provided 6to4 endpoint
- 2002:v4addr::/48, made up of the 6to4 prefix 2002::/16 (IANA assigned) and the IPv4 address of the interface; e.g. 192.1.2.3 = c001:0203, which results in the 6to4 prefix 2002:c001:203::/48
- 6to4 relay routers such as that provided by Microsoft provide transit capability between 6to4 domains and the native IPv6 Internet
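Added example (not from the slides): building and recognising the IPv4-mapped (slide 70), IPv4-compatible (slide 71) and 6to4 (slide 76) layouts bit by bit with Python's ipaddress module; the function names are this example's own.

```python
# Added example (not the slides' code): the three transition layouts of
# slides 70, 71 and 76 as integer bit layouts; IPv4 inputs are the slides'.
import ipaddress


def ipv4_mapped(v4):
    """Slide 70: 80 zero bits, 16 one bits, then the 32-bit IPv4 address."""
    return ipaddress.IPv6Address((0xFFFF << 32) | int(ipaddress.IPv4Address(v4)))


def ipv4_compatible(v4):
    """Slide 71: 96 zero bits then the IPv4 address (the deprecated form)."""
    return ipaddress.IPv6Address(int(ipaddress.IPv4Address(v4)))


def sixto4_prefix(v4):
    """Slide 76: 2002::/16 followed by the IPv4 address gives the site's /48."""
    v = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v << 80), 48))


def embedded_ipv4(v6):
    """Recognise which layout an address uses and recover the IPv4 address
    it carries, or None.  A filter that only checks IPv6 source addresses
    misses the IPv4 endpoint these addresses name, so both should be seen."""
    n = int(ipaddress.IPv6Address(v6))
    if n >> 32 == 0xFFFF:
        return "ipv4-mapped", str(ipaddress.IPv4Address(n & 0xFFFFFFFF))
    if n >> 112 == 0x2002:
        return "6to4", str(ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF))
    if n >> 32 == 0 and n > 1:              # exclude :: and ::1
        return "ipv4-compatible", str(ipaddress.IPv4Address(n))
    return None


if __name__ == "__main__":
    print(ipv4_mapped("192.17.1.42").exploded)
    print(sixto4_prefix("192.1.2.3").with_prefixlen)
    print(embedded_ipv4("2002:c0a8:101::1"))
```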
Slide 77
Automatic configuration of Tunnels - 6to4
Figure: two 6to4 sites, 2002:c0a8:0101::/48 (IPv4 endpoint 192.168.1.1) and 2002:c0a8:6401::/48 (IPv4 endpoint 192.168.100.1), joined by an IPv6 in IPv4 tunnel across the IPv4 network, each with its own IPv6 network behind it
Slide 78
IPv4 to IPv6 Transition - Protocol Translation
- NAT updated for IPv6: NAT-PT
- Protocol translation additions for IPv6 variations: header field changes, meaning of fields change
- Application specific gateways (SIIT, DNS, FTP): the FTP protocol has addresses embedded in the messages, which need translation at the gateway device [NAT-PT specifies this]
Slide 79
NAT-PT and ALGs
- NAT-PT and NAPT-PT: Network Address Translation updated for IPv6
- NAT-PT, NAPT-PT translate protocols (e.g. ICMP) as well as addresses
- They define Application Layer Gateways as well (NAT-PT specifies FTP and DNS ALGs as well as protocol translations)
- E.g. NAT-PT translates the ICMPv6 'packet too big' message into its IPv4 ICMP equivalent; may not be possible for all ICMPv6 packets
- Introduces a single point of failure device in the network
Slide 80
NAT-PT and ALGs (figure)
An IPv6 host sends ICMPv6 to a NAT-PT router, which emits the equivalent IPv4 ICMP across the IPv4 Internet to an IPv4 host
Slide 81
NAT-PT and NAPT-PT
- NAT-PT: Network Address Translation - Protocol Translation
- NAPT-PT: Network Address Port Translation - Protocol Translation
- NAT-PT uses a pool of IPv4 addresses, allocating one per IPv6 address
- NAPT translates ports as well as addresses; this allows a single IPv4 address to represent multiple IPv6 addresses
- Stateful address/header translations as per SIIT
Slide 82
SIIT
- RFC 2765: Stateless IP/ICMP Translation Algorithm (SIIT)
- Allows IPv6-only nodes to communicate with IPv4 nodes
- Uses boxes on the network to do stateless translation of IP/ICMP
- Translates packet headers from IPv4 to IPv6 mapped or translated addresses
- Must generate appropriate header entries (e.g. checksums) for the protocol
- Rewrites ICMP error messages as they contain embedded IP addresses
- Requires an IPv4 allocation mechanism for the IPv6 node and also tunnel/routing configuration
Slide 83
Progress: Basics, Addressing, Routing, Domain Name System, IPv4 to IPv6 transition, Security, State of the Art, Mobile IPv6
Slide 84
Contents
- IPv4 and IPv6 Security
- Attacks against Internetworks
- IPv6 Security Issues
- IPv6 Security Features
Slide 85
IPv4 and IPv6 Security
Weaknesses of IPv4 security:
- Trust of received packet information (spoofing)
- Host-to-host security not widely available
IPv6 security inherits from IPv4:
- Packet service: packets can be inserted
- Ingress filtering will be incomplete
- Many of the IPv4 applications will be in IPv6 (email, web)
IPv6 built with security in mind:
- IPv6 aims to be 'no worse than IPv4'
- IP Security Protocols (all hosts support IPSec)
- New Internet applications specified with security in mind
Slide 86
Attacks against Internetworks
- DoS attacks: attacks against resources (server, link, QoS)
- Hijack attacks: theft of service/QoS
- Impersonation: packet forgery
- Man in the Middle: snooping, data insertion/deletion
- Host intrusion: worms and viruses (application issue!); this may not get better under IPv6
Slide 87
Attacks: Denial of Service
- Attacker causes congestion on the victim's computer/network
Figure: attacker on the Internet, victim on the local network
Slide 88
Attacks: Service Theft
- Attacker gains unauthorized access to the network
Figure: attacker and victim, Internet and local network
Slide 89
Attacks: Impersonation
- Attacker disguises itself as another host to gain unauthorized access to services
Figure: attacker on the Internet, two victims on the local network
Slide 90
Attacks: Man-in-the-Middle
- Man-in-the-middle attacker can block, modify, replay or otherwise make use of intercepted packets
Figure: attacker placed between two victims, Internet and local network
Slide 91
Attacks: Host Intrusion
- Attacker gains unauthorized access to a remote host
Figure: attacker on the Internet, victim on the local network
Slide 92
IPv6 Security Issues
- Data confidentiality/integrity
- Neighbour Discovery / autoconfiguration
- Network access control
- Mobile IPv6
- Key distribution
- Transition mechanisms
Slide 93
IPv6 Security Features
- IPSec
- SEND (SEcuring Neighbour Discovery)
- AAAv6
- Mobile IPv6 Return Routability
Slide 94
Security Features: IPSec(v6)
- IPSec: end-to-end security, authentication, encryption
- Available in some IPv4 nodes, required in ALL IPv6 nodes
Slide 95
Security Features: SEND
SEcuring Neighbor Discovery:
- Provides a method for applying IPSec to Neighbor Discovery
- Works in situations where IPSec typically wouldn't (chicken and egg)
- Protects autoconfiguration messages from attackers on the same link
- Proves address ownership locally (using CGA, ABK)
- In early stages of development
- Key technology
Slide 96
Security Features: AAAv6
AAAv6 protocols:
- Provide Authentication, Authorization and Accounting
- Used on access networks
- Works with NAS, Wireless LAN (EAP), PANA, PPP, Mobile IPv6
- DIAMETER protocol (supersedes RADIUS)
- Can specify authorization policy through Attribute-Value-Pairs
Slide 97
Security Features: AAAv6 (figure)
A host on the local network authenticates via an 802.11b access point and access router using 802.1X, PANA or PPP; the access router talks to a foreign AAA server, which reaches the home AAA server across the Internet
Slide 98
Security Issues: Key Distribution
- The Public Key Infrastructure (PKI) has been around for a long time
- Not many nodes have public keys (poor adoption)
- Many key exchange systems rely upon public key availability
- Shared keys don't work for generic peer-to-peer communication
- SEND relies upon delegation chains which establish trust between peers using digital signatures
- Cryptographically generated addresses take a pessimistic approach (no widely adopted PKI)
- If keys are distributed, they still need to be replaced/updated securely
Slide 99
Security Issues: Transition Mechanisms
- Most IPv6 hosts will be 'dual stack'
- IPv4 systems will not have the same security feature set as IPv6
- Double handling of security policy (mistakes easier)
- Small chance of attacks through protocol translation systems (IPSec may not work well, though)
Slide 100
Progress: Basics, Addressing, Routing, Domain Name System, IPv4 to IPv6 transition, Security, State of the Art, Mobile IPv6
Slide 101
Advocacy and Forums
- More info: http://www.ipv6-taskforce.org/
- International Task Forces (in the EC, Korea, India, North America, Taiwan) have been set up to run summits and seminars promoting adoption and understanding of IPv6
- The IETF (Internet Engineering Task Force) is finalizing standards for IPv6 extensions such as Mobility and Secure Neighbour Discovery
- The IPv6 Forum has released the "IPv6 Ready" logo, which can be used to indicate a product's compliance with IPv6 standards
Slide 102
World-wide connectivity
- Advocacy won't help if the packets don't get through!
- Academic networks: Internet2 (US), GrangeNet (AU), 6NET (EU), CERNET2 (China), etc.
- Commercial networks: NTT in Japan and elsewhere; Telia and NTT have commercial offerings in Europe
- Uptake in the USA is slow but gaining momentum: Sprint, MCI, etc.
Slide 103: IPv6 Implementations (more info: http://www.ipv6.org/impl/ )
Looking at three classes of implementations:
- Host implementations
- Mobile IPv6 implementations
- Router implementations
Slide 104: Host Implementations
- Most vendor Unix: Solaris 8+, AIX 4.3+, etc.
- Linux: kernels 2.2+ include IPv6 (2.5+ full IPsec for IPv6)
- FreeBSD: includes KAME from 4.0
- OpenBSD: includes KAME from 2.7
- MS Windows: supported from XP onwards (some API issues)
- Mac OS X: 10.2 Jaguar onwards (some API issues)
- Embedded implementations from Wind River, Elmic, etc.
Slide 105: Router Implementations
Available from major vendors including:
- Cisco IOS 12.2T+
- Juniper JUNOS 5.1+
- Nortel
Slide 106: Network Applications
Server applications:
- Apache web server supports IPv6
- Many other services do too, due to the 'dual stack' approach.
Desktop applications:
- Microsoft Internet Explorer
- Secure Shell (ssh)
- FTP, Telnet
Slide 107: Progress: Basics, Addressing, Routing, Domain Name System, IPv4 to IPv6 transition, Security, State of the Art, Mobile IPv6
Slide 108: Contents
- IP Mobility Problem Statement
- Simple solutions
- Mobile IPv4 and its limitations
- Mobile IPv6: motivation, handovers
Slide 109: Mobile Packets the Future?
- Trend towards packetisation of everything
- Easier to incorporate different data streams
- User control of usage models
- We don't know what the applications will be (but we can take some guesses)
- Once we have IP connectivity, anything goes...
Slide 110: The Internet Mobility Challenge
- An IP address is not only a unique identifier; it is also tied to the network topology.
- Movement of an IP device between networks relies on Layer 2 or Layer 3 context transfer.
- When a Layer 3 transfer occurs, the IP address changes.
- Higher-layer protocols cannot handle IP address changes (e.g. a TCP connection is identified by its address pair and breaks when one end moves).
- IP Mobility must hide or prevent IP address changes from the higher protocol layers.
Slide 111: Layer 2 mobility limitations
- Single Layer 3 broadcast domain: all broadcasts go over the wireless medium
- Handovers between networks are problematic: Service Provider to Enterprise/Service Provider, heterogeneous handovers
- Need to re-implement mobility for every Layer 2 technology
Slide 112: Using DHCP for roaming
- Dynamic Host Configuration Protocol allows devices to get an address when visiting a network.
- Available for IPv4 and IPv6.
- Existing sessions do not survive movement across link boundaries.
- Address management not required in IPv6 (Stateless Address Autoconfiguration).
- Provides additional information (DNS etc.).
Slide 113: Mobile IP
- No geographic limitations
- No physical connection
- No modifications to other hosts or routers
- No modifications to IP addressing
- Secure
- Transparent to the transport layer
- Assumptions: fewer than one change of network per second; routing based only on destination address
Slide 114: Mobile IPv4
[Diagram: the Mobile Node is away from its Home Network on a Foreign Network. Address Registration goes from the Mobile Node via the Foreign Agent to the Home Agent; Data from the Correspondent Node addressed to the Home Address is intercepted by the Home Agent and sent through a Tunnel across the Internet to the Foreign Agent, which delivers it to the Mobile Node.]
Slide 115: Mobile IPv6
- Address Autoconfiguration: no Foreign Agents needed
- Optional headers:
  - Type 2 Routing Header: carries route-optimised CN-to-MN packets in place of a tunnel (HA-to-MN traffic is still tunnelled)
  - Home Address destination option: lets the MN send from its care-of address, so packets pass ingress filtering
  - Binding Update and Binding Request messages
- Host Binding Caches: Route optimisation
- IPsec: separate security specification (RFC 3776); supports privacy
Slide 116: Mobile IPv6 System
[Diagram: the Mobile Node on the Foreign Network forms a Care-of Address from the Router Advertisement, sends an Address Registration to the Home Agent and an Address Binding to the Correspondent Node; Data flows between the Correspondent Node and the Mobile Node both directly and via the Home Agent for the Home Address.]
Slide 117: Mobile IPv6 Handover
[Diagram: the Mobile Node moves from Foreign Network 1 (Care-of Address 1) to Foreign Network 2 (Care-of Address 2). Sequence shown: Router Advertisement -> Duplicate Address Detection -> Home Binding Update/Acknowledgment -> Home Test and Care-of Test -> Correspondent Binding Update.]
Slide 118: Mobile IPv6
Benefits:
1. Uses IPv6 Router Discovery to detect movement
2. Uses IPv6 Address Autoconfiguration
3. Route Optimisation
4. Limited support required in the Access Network
Complexities:
1. Movement detection granularity is low
2. Dead time related to distance from the HA
3. Security for CN/HA bindings
4. Duplicate Address Detection is slow
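The "Security for CN/HA bindings" complexity, and the Home Test / Care-of Test / Correspondent Binding Update steps in the handover sequence on slide 117, are the return routability procedure of RFC 3775. The Python below is an added example, not code from the slides or from any Mobile IPv6 stack; it carries the exchange through from both sides and shows why a node that saw only one of the two test messages cannot forge a binding. The addresses, the correspondent's secret Kcn, its nonce table and the Binding Update payload are constructed constants so the run is reproducible.

```python
"""Mobile IPv6 return routability (RFC 3775, sections 5.2.5 to 5.2.8).

Added example, not code from the slides or from any Mobile IPv6 stack. Constructed
values: the addresses, the correspondent node's secret Kcn and its nonce table are
fixed so the exchange is reproducible; a real CN draws them at random and rotates
the nonces.
"""
import hashlib
import hmac
import ipaddress

HOME_ADDRESS = ipaddress.IPv6Address("2001:db8:1::10").packed     # MN home address (constructed)
CARE_OF_ADDRESS = ipaddress.IPv6Address("2001:db8:2::10").packed  # MN care-of address (constructed)
CN_ADDRESS = ipaddress.IPv6Address("2001:db8:3::10").packed       # correspondent node (constructed)


def binding_authenticator(kbm, care_of_address, cn_address, mh_data):
    # Binding Authorization Data = First(96, HMAC_SHA1(Kbm, care-of address | correspondent | MH Data))
    return hmac.new(kbm, care_of_address + cn_address + mh_data, hashlib.sha1).digest()[:12]


class CorrespondentNode:
    """Keeps no per-MN state during the tests: each keygen token is a function of
    Kcn, an address and a nonce chosen by index, so it can be recomputed when the
    Binding Update arrives."""

    def __init__(self, kcn, nonces):
        self.kcn = kcn
        self.nonces = nonces          # nonce index -> 64-bit nonce
        self.binding_cache = {}       # home address -> care-of address

    def _keygen_token(self, address, nonce_index, tag):
        # home keygen token    = First(64, HMAC_SHA1(Kcn, home address    | nonce | 0))
        # care-of keygen token = First(64, HMAC_SHA1(Kcn, care-of address | nonce | 1))
        msg = address + self.nonces[nonce_index] + bytes([tag])
        return hmac.new(self.kcn, msg, hashlib.sha1).digest()[:8]

    def home_test(self, home_address, nonce_index):
        """HoT: sent to the home address, so it reaches the MN through the home agent."""
        return {"nonce_index": nonce_index,
                "token": self._keygen_token(home_address, nonce_index, 0)}

    def care_of_test(self, care_of_address, nonce_index):
        """CoT: sent directly to the care-of address."""
        return {"nonce_index": nonce_index,
                "token": self._keygen_token(care_of_address, nonce_index, 1)}

    def binding_update(self, bu):
        """Recompute Kbm from the reported nonce indices and verify the authenticator."""
        if bu["home_nonce_index"] not in self.nonces or bu["care_of_nonce_index"] not in self.nonces:
            return False              # stale nonce: the MN must rerun the tests
        home_token = self._keygen_token(bu["home_address"], bu["home_nonce_index"], 0)
        care_of_token = self._keygen_token(bu["care_of_address"], bu["care_of_nonce_index"], 1)
        kbm = hashlib.sha1(home_token + care_of_token).digest()
        expected = binding_authenticator(kbm, bu["care_of_address"], CN_ADDRESS, bu["mh_data"])
        if not hmac.compare_digest(expected, bu["authenticator"]):
            return False
        self.binding_cache[bu["home_address"]] = bu["care_of_address"]
        return True


def mobile_node_binding_update(hot, cot, home_address, care_of_address,
                               mh_data=b"BU seq=1 lifetime=420"):
    """Kbm = SHA1(home keygen token | care-of keygen token). Only a party that received
    the HoT (on the home path) and the CoT (at the care-of address) can form it."""
    kbm = hashlib.sha1(hot["token"] + cot["token"]).digest()
    return {"home_address": home_address, "care_of_address": care_of_address,
            "home_nonce_index": hot["nonce_index"], "care_of_nonce_index": cot["nonce_index"],
            "mh_data": mh_data,
            "authenticator": binding_authenticator(kbm, care_of_address, CN_ADDRESS, mh_data)}


def run_return_routability():
    """The full exchange: HoTI and CoTI go out in parallel, HoT and CoT come back,
    then the MN sends the Correspondent Binding Update. Returns everything exchanged."""
    cn = CorrespondentNode(kcn=b"constructed-Kcn-key!",
                           nonces={0: b"\x01" * 8, 1: b"\x02" * 8})
    hot = cn.home_test(HOME_ADDRESS, nonce_index=1)         # HoTI/HoT via the home agent
    cot = cn.care_of_test(CARE_OF_ADDRESS, nonce_index=1)   # CoTI/CoT direct
    bu = mobile_node_binding_update(hot, cot, HOME_ADDRESS, CARE_OF_ADDRESS)
    accepted = cn.binding_update(bu)
    return {"cn": cn, "hot": hot, "cot": cot, "bu": bu, "accepted": accepted}


if __name__ == "__main__":
    result = run_return_routability()
    print("binding accepted:", result["accepted"], result["cn"].binding_cache)
```

The security argument is deliberately modest: return routability does not authenticate the mobile node, it only shows that whoever sends the Binding Update can receive packets at both the home address and the care-of address. An attacker sitting on just one of those paths, or replaying a Binding Update with a different care-of address or an expired nonce index, is rejected, which is what the checks above exercise. Binding Updates to the home agent are protected separately, by the IPsec SA described on slide 115.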
Thank you