Using HIP to solve MULTI-HOMING IN IPv6 networks
YUAN Zhangyi
Beijing University of Posts and Telecommunications
Introduction
• Why do we need NAT in IPv6?
  – Hiding the enterprise's topology
  – Keeping IP addresses independent
  – ……
• NAT66, described in an IETF draft, may be implemented in an IPv6 router to map one IPv6 address prefix to another IPv6 address prefix as each IPv6 packet transits the router.
Introduction
The mechanism of the NAT66 device
We deployed a two-way algorithm to map one private address to a global address.
[Diagram: NAT66 process]
NAT outside process (packet leaving the inside network): Port No. is stable; the Src.addr is translated; the Des.addr is unchanged.
NAT inside process (packet entering the inside network): Port No. is stable; the Des.addr is translated; the Src.addr is unchanged.
HIP (Host Identity Protocol)
• HIP inserts a new layer between the Transport Layer and the Network Layer.
• The Transport Layer uses a HIT (Host Identity Tag) to identify a session: it uses <HIT, port> instead of <IP address, port>. As a result, address changes in the Network Layer do not affect the upper-layer applications.
Network Topology
Experiment 1 --- NAT66 disabled
Initiator                                   Responder
  ---- I1: trigger exchange ---------------->
  <--- R1: puzzle, D-H, key, sig -------------
  ---- I2: solution, D-H, (key), sig -------->
  <--- R2: sig -------------------------------
In the first case, NAT66 is disabled in the edge router. HIP exchanges these four packets (the base exchange) before the connection is established.
We then added a new address to another interface of the host. It initiated a three-way UPDATE handshake with the destination host, carrying the new address in the Locator parameter of its packet.
Network Topology
Experiment 2 --- NAT66 enabled: Mobility case
We tested whether HIP supports mobility with NAT66 enabled in the Linksys boxes. After adding a new IP address to an interface on Entry, Wireshark captured three UPDATE packets initiated by Entry; the first UPDATE packet carried the new IP address along with the original IP address in its Locator parameter. Then we deleted the original IP address. Entry initiated another UPDATE, but this time the three-way handshake failed: there were only UPDATE packets from Entry to Terminal without any response, which meant the new IP address was unreachable for Terminal.
The whole process suggests that Entry did send HIP UPDATE packets to Terminal notifying it that its IP address had changed. It initiated a three-way handshake and sent the first UPDATE packet to Terminal with its new IP address as the Locator. When Terminal received this UPDATE packet, it tried to send a response packet to Entry using the new address as the destination address. Because the new IP address was the private address behind NAT66, it was unreachable for Terminal. Therefore, the three-way UPDATE handshake failed to complete and the connection was lost.
Network Topology
Experiment 2 --- NAT66 enabled: Multihoming case
We changed the default route of Terminal. Previously the packets sent out from Terminal went to Linksys3; now we changed the default route to Linksys4. From the packets captured by Wireshark, we were surprised to notice that the connection was not interrupted. Entry accepted the packets from Linksys4, even though their source IP address was not the address in its HIT-to-IP address mapping table. The packets show that the source IP address changed silently, without disturbing the communication. If the address changes but the SPI remains the same and the checksum is valid, HIP is intended to report to the transport that the packet was received from the original address.
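As an added illustration (not part of the slides), the following Python model reproduces the two Experiment 2 outcomes: NAT66 prefix translation rewrites only the IP header, so the private address advertised in the UPDATE's Locator parameter is unreachable for Terminal, while an ESP packet with an unchanged SPI and valid checksum is accepted despite a new source address. The prefixes, addresses, port and SPI values are constructed for the simulation.

```python
import ipaddress

# Constructed prefixes for the simulation (not taken from the slides).
INSIDE = ipaddress.IPv6Network("fd00:1::/64")       # private side of the Linksys NAT66 box
OUTSIDE = ipaddress.IPv6Network("2001:db8:1::/64")  # global side of the NAT66 box
TERMINAL = "2001:db8:ffff::2"                       # Terminal: a global address outside NAT66

def translate_prefix(addr: str, src_net, dst_net) -> str:
    """Map one IPv6 prefix to another, keeping the host part (the two-way NAT66 algorithm)."""
    a = ipaddress.IPv6Address(addr)
    if a not in src_net:
        return addr
    host_bits = int(a) & int(src_net.hostmask)
    return str(ipaddress.IPv6Address(int(dst_net.network_address) | host_bits))

def nat66_outside(pkt: dict) -> dict:
    """Outside process: source address translated, destination and port untouched."""
    return {**pkt, "src": translate_prefix(pkt["src"], INSIDE, OUTSIDE)}

def nat66_inside(pkt: dict) -> dict:
    """Inside process: destination address translated back, source and port untouched."""
    return {**pkt, "dst": translate_prefix(pkt["dst"], OUTSIDE, INSIDE)}

def routable_on_internet(addr: str) -> bool:
    """Terminal can only reach global addresses; the private prefix behind NAT66 is not routable."""
    return ipaddress.IPv6Address(addr) not in INSIDE

def update_handshake(entry_new_addr: str, nat66: bool) -> bool:
    """Model of the three-way UPDATE (mobility case). Entry advertises its new address in
    the LOCATOR parameter, which sits in the HIP payload; NAT66 rewrites only the IP
    header, so Terminal answers to the LOCATOR exactly as carried in the payload."""
    update1 = {"src": entry_new_addr, "dst": TERMINAL, "port": 10500,  # constructed port
               "locator": entry_new_addr}
    if nat66:
        update1 = nat66_outside(update1)  # header src translated, payload locator unchanged
    update2 = {"src": TERMINAL, "dst": update1["locator"], "port": 10500}
    # If UPDATE2 cannot be routed, Entry never sees it and the handshake fails.
    return routable_on_internet(update2["dst"])

def receive_esp(mapping_addr: str, src_addr: str, expected_spi: int, spi: int,
                checksum_ok: bool):
    """Multihoming case: if the SPI matches and the checksum is valid, HIP accepts the
    packet and reports the original (mapped) address to the transport, even though the
    packet's src_addr differs from the HIT-to-IP mapping table entry."""
    if spi != expected_spi or not checksum_ok:
        return None
    return mapping_addr
```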
Conclusion
HIP can really help to solve multihoming and mobility, as shown by deploying it in our test environment:
HIP can support mobility in the environment without NAT66 by sending UPDATE packets.
HIP cannot support mobility in our environment with NAT66 functioning in the edge router, unless an additional mechanism, such as an RVS (rendezvous server), is involved.
As for multihoming, HIP does help to solve this problem.
Thank You!