Introduction to IPv6
Transitioning to IPv6: Issues and Mechanisms
Jeff Doyle
Senior Network Architect
7/17/2015
Copyright © 2006 Juniper Networks
APRICOT 2006
Perth, Australia
1 March, 2006
3 Types of Transition Mechanisms
Dual Stacks
  IPv4/IPv6 coexistence on one device
Tunnels
  For tunneling IPv6 across IPv4 clouds
  Later, for tunneling IPv4 across IPv6 clouds
  IPv6 <-> IPv6 and IPv4 <-> IPv4
Translators
  IPv6 <-> IPv4
Dual Stacking
In most cases, the simplest approach
IPv6 now supported on most modern network platforms
  Routers
  Servers
  Hosts
If (almost) everything is “bilingual”, transition is controlled by DNS
Dual Stacking
[Figure: DNS lookup of the IPv4-only host]
IPv4-only Host: stan.v4.com, 207.14.182.10
Dual-Stacked Host: 199.15.23.87, 3ffe:3700:1100:1:210:a4ff:fea0:bc97
IPv6-only Host: ollie.v6.com, 3ffe:2301:1700:1:abcd:1234:dada:1
Query: stan.v4.com?
A Resource Record: 207.14.182.10
Dual Stacking
[Figure: DNS lookup of the IPv6-only host]
IPv4-only Host: stan.v4.com, 207.14.182.10
Dual-Stacked Host: 199.15.23.87, 3ffe:3700:1100:1:210:a4ff:fea0:bc97
IPv6-only Host: ollie.v6.com, 3ffe:2301:1700:1:abcd:1234:dada:1
Query: ollie.v6.com?
AAAA Resource Record: 3ffe:2301:1700:1:abcd:1234:dada:1
Tunnels
Necessary if not all nodes between communicating endpoints are dual stacked
Add a layer of complexity to the network and the transition plan
Tunnel Applications
[Figure: IPv6 tunneled across IPv4 in three arrangements]
Router to Router
Host to Host
Host to Router / Router to Host
Tunnel Types
Configured Tunnels
  Application:
    Permanent site-to-site connectivity
    Carriers, SPs, large backbones
  Technologies:
    GRE, IP-IP, IPSec…
    MPLS
  Controlled, deterministic
Automatic Tunnels
  Application:
    Transient connectivity
    Connectivity across “v6 unaware” segments
    Router to Router
    Host to Router
    Host to Host
  Technologies:
    Tunnel Brokers
    6to4
    ISATAP
    Teredo?
    DSTM
  Possibly non-deterministic
  Possible security risks
Automatic Tunnels: Endpoint Determination
Configured tunnels: Endpoints (IP addresses) are determined by administrator
Automatic tunnels require an automatic endpoint determination
Two Approaches:
1. Assign them from an authoritative server
  Tunnel brokers, Teredo, DSTM
2. Imbed them in IPv6 addresses
  6to4, ISATAP
Authoritative Server Approach: Tunnel Broker
[Figure: Client on an IPv4 Network, Tunnel Broker (TB), DNS, and Tunnel Server (TS) at the edge of an IPv6 Network; steps 1-7 end with an IPv6 Tunnel between Client and Tunnel Server]
1. AAA Authorization
2. Configuration request
3. TB chooses:
  • TS
  • IPv6 addresses
  • Tunnel lifetime
4. TB registers tunnel IPv6 addresses
5. Config info sent to TS
6. Config info sent to client:
  • Tunnel parameters
  • DNS name
7. Tunnel enabled
Imbedded Endpoint Address Approach: 6to4
138.14.85.210 (Dotted Decimal) = 8a0e:55d2 (Hex)
[Figure: two IPv6 sites, each behind a 6to4 router, connected across an IPv4 network]
6to4 Router (first IPv6 site)
  IPv4 Interface: 138.14.85.210
  6to4 prefix: 2002:8a0e:55d2::/48
  6to4 address: 2002:8a0e:55d2:1:230:65ff:fe2c:9a6
6to4 Router (second IPv6 site)
  IPv4 Address: 65.114.168.91
  6to4 prefix: 2002:4172:a85b::/48
  6to4 address: 2002:4172:a85b:1:20a:95ff:fe8b:3cba
Imbedded Endpoint Address Approach: 6to4
[Figure: an IPv6 packet from Host1 to Host2 is tunneled between the two 6to4 routers across the IPv4 network]
Host1: 2002:8a0e:55d2:1:230:65ff:fe2c:9a6
Host2: 2002:4172:a85b:1:20a:95ff:fe8b:3cba
DNS: Host2 = 2002:4172:a85b:1:20a:95ff:fe8b:3cba
Packet Source Address: 2002:8a0e:55d2:1:230:65ff:fe2c:9a6
Packet Destination Address: 2002:4172:a85b:1:20a:95ff:fe8b:3cba
6to4 Router Recognizes 6to4 Prefixes
  Local Tunnel Endpoint = 138.14.85.210
  Remote Tunnel Endpoint = 65.114.168.91
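The 6to4 derivation on the two slides above, together with the endpoint checks that address the "possible security risks" of automatic tunnels, as an added example that is not part of the original deck. The function names are hypothetical, the model covers site-to-site 6to4 only (no relay routers), and the checks follow the kind of filtering discussed in RFC 3964.

```python
import ipaddress

def sixtofour_prefix(router_v4):
    """Derive the site prefix 2002:V4ADDR::/48 from a 6to4 router's IPv4 address."""
    v4 = int(ipaddress.IPv4Address(router_v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))

def embedded_endpoint(v6):
    """IPv4 tunnel endpoint embedded in a 6to4 address, or None if not in 2002::/16."""
    return ipaddress.IPv6Address(v6).sixtofour

def usable_endpoint(v4):
    """Reject embedded addresses that can never be a legitimate remote 6to4 router
    (private, loopback, link-local, multicast and similar non-global ranges)."""
    return v4 is not None and v4.is_global and not v4.is_multicast

def remote_endpoint(dst_v6):
    """Encapsulation side: choose the IPv4 tunnel destination for a packet to dst_v6."""
    v4 = embedded_endpoint(dst_v6)
    if not usable_endpoint(v4):
        raise ValueError(f"refusing to tunnel to {dst_v6}: embedded endpoint {v4}")
    return v4

def accept_decapsulated(outer_src_v4, inner_src_v6):
    """Decapsulation side: the outer IPv4 source must be the endpoint embedded in
    the inner 6to4 source address; anything else is treated as spoofed."""
    v4 = embedded_endpoint(inner_src_v6)
    return usable_endpoint(v4) and v4 == ipaddress.IPv4Address(outer_src_v4)

if __name__ == "__main__":
    # Addresses from the slides; 203.0.113.7 is a constructed spoofing source.
    print(sixtofour_prefix("138.14.85.210"))
    print(remote_endpoint("2002:4172:a85b:1:20a:95ff:fe8b:3cba"))
    print(accept_decapsulated("138.14.85.210", "2002:8a0e:55d2:1:230:65ff:fe2c:9a6"))
    print(accept_decapsulated("203.0.113.7", "2002:8a0e:55d2:1:230:65ff:fe2c:9a6"))
```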
Translators
Necessary if IPv6-only endnode and IPv4-only endnode must speak
Very few situations where translators should be required
  Dual stacking and/or tunneling should be sufficient in most cases
  The great majority of modern IPv6-capable network/host systems are dual stack, not IPv6-only
  IPv6-only devices are likely to be specialized, and in IPv6-only networks
Add another layer of complexity to the network and the transition plan
Avoid them if you can
Translator Types
Network level translators
Stateless IP/ICMP Translation Algorithm (SIIT) (RFC 2765)
NAT-PT (RFC 2766)
Bump in the Stack (BIS) (RFC 2767)
Transport level translators
Transport Relay Translator (TRT) (RFC 3142)
Application level translators
Bump in the API (BIA) (RFC 3338)
SOCKS64 (RFC 3089)
Application Level Gateways (ALG)
Translator Types
Network level translators
Stateless IP/ICMP Translation Algorithm (SIIT) (RFC 2765)
NAT-PT (RFC 2766)
Transport level translators
Bump in the Stack (BIS) (RFC 2767)
Transport Relay Translator (TRT) (RFC 3142)
Application level translators
Bump in the API (BIA) (RFC 3338)
SOCKS64 (RFC 3089)
Application Level Gateways (ALG)
NAT-PT (using SIIT procedures) has emerged as the dominant translator
Stateless IP/ICMP Translation (SIIT)
[Figure: SIIT translator between an IPv6 Network and an IPv4 Network]
Host on the IPv6 Network: 3ffe:3700:1100:1:210:a4ff:fea0:bc97, 216.148.227.68
Host on the IPv4 Network: 204.127.202.4
IPv6 to IPv4:
  IPv6 side: Source = ::ffff:0:216.148.227.68, Dest = ::ffff:204.127.202.4
  IPv4 side: Source = 216.148.227.68, Dest = 204.127.202.4
IPv4 to IPv6:
  IPv4 side: Source = 204.127.202.4, Dest = 216.148.227.68
  IPv6 side: Source = ::ffff:204.127.202.4, Dest = ::ffff:0:216.148.227.68
SIIT also changes:
• Traffic Class <-> TOS
• Payload length
• Protocol Number <-> NH Number
• TTL <-> Hop Limit
Network Address Translation - Protocol Translation (NAT-PT)
[Figure: NAT-PT between an IPv6 Network and an IPv4 Network, translating a DNS lookup]
IPv4 Pool: 120.130.26/24
IPv6 prefix: 3ffe:3700:1100:2/64
v6host.6net.com: 3ffe:3700:1100:1:210:a4ff:fea0:bc97
v4host.4net.org: 204.127.202.4
DNS query: v4host.4net.org?
IPv4 side of NAT-PT: v4host.4net.org A 204.127.202.4
IPv6 side of NAT-PT: v4host.4net.org AAAA 3ffe:3700:1100:2::204.127.202.4
Network Address Translation - Protocol Translation (NAT-PT)
[Figure: NAT-PT between an IPv6 Network and an IPv4 Network, translating packets with its mapping table]
IPv4 Pool: 120.130.26/24
IPv6 prefix: 3ffe:3700:1100:2/64
v6host.6net.com: 3ffe:3700:1100:1:210:a4ff:fea0:bc97
v4host.4net.org: 204.127.202.4
Mapping Table
  Inside: 3ffe:3700:1100:1:210:a4ff:fea0:bc97
  Outside: 120.130.26.10
IPv6 to IPv4:
  IPv6 side: Source = 3ffe:3700:1100:1:210:a4ff:fea0:bc97, Dest = 3ffe:3700:1100:2::204.127.202.4
  IPv4 side: Source = 120.130.26.10, Dest = 204.127.202.4
IPv4 to IPv6:
  IPv4 side: Source = 204.127.202.4, Dest = 120.130.26.10
  IPv6 side: Source = 3ffe:3700:1100:2::204.127.202.4, Dest = 3ffe:3700:1100:1:210:a4ff:fea0:bc97
Problems with NAT-PT
Statefulness (mapping table) restricts asymmetric traffic
Complicates network troubleshooting
Single point of failure or attack
Possible DNS difficulties
Many of the same constraints, vulnerabilities as v4 NAT
Nevertheless, some see v6 NAT as a necessity
  Maintaining provider independence, for example
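A small model of the NAT-PT behaviour on the preceding slides, added here as an example and not taken from the original deck: it reproduces the DNS rewrite and mapping table with the slides' addresses, then shows why the stateful table restricts asymmetric traffic. The class and function names are hypothetical, the prefix and pool are written in full notation, and pool allocation is assumed to start at .10 to match the slide.

```python
import ipaddress

class NatPt:
    """Toy model of one NAT-PT box: DNS-ALG rewrite plus the stateful mapping table."""

    def __init__(self, v6_prefix, v4_pool, first_host=10):
        self.prefix = ipaddress.IPv6Network(v6_prefix)
        # Assumption: allocation starts at .10 so the result matches the slide.
        self.free = iter(list(ipaddress.IPv4Network(v4_pool).hosts())[first_host - 1:])
        self.inside_to_outside = {}
        self.outside_to_inside = {}

    def dns_alg(self, a_record):
        """A answer from the IPv4 side -> AAAA answer handed to the IPv6 host."""
        v4 = int(ipaddress.IPv4Address(a_record))
        return str(ipaddress.IPv6Address(int(self.prefix.network_address) | v4))

    def v6_to_v4(self, src6, dst6):
        """Outbound packet: create or reuse a mapping, strip the prefix from dst."""
        src6, dst6 = ipaddress.IPv6Address(src6), ipaddress.IPv6Address(dst6)
        if dst6 not in self.prefix:
            raise ValueError("destination is not inside the NAT-PT prefix")
        if src6 not in self.inside_to_outside:
            outside = next(self.free)  # StopIteration here means the pool is exhausted
            self.inside_to_outside[src6] = outside
            self.outside_to_inside[outside] = src6
        dst4 = ipaddress.IPv4Address(int(dst6) & 0xFFFFFFFF)
        return str(self.inside_to_outside[src6]), str(dst4)

    def v4_to_v6(self, src4, dst4):
        """Return packet: translatable only by the box that holds the mapping."""
        inside = self.outside_to_inside.get(ipaddress.IPv4Address(dst4))
        return None if inside is None else (self.dns_alg(src4), str(inside))

def asymmetric_return():
    """Send out through box A, then return through A and through box B,
    which has the same configuration but shares no state with A."""
    a = NatPt("3ffe:3700:1100:2::/64", "120.130.26.0/24")
    b = NatPt("3ffe:3700:1100:2::/64", "120.130.26.0/24")
    out = a.v6_to_v4("3ffe:3700:1100:1:210:a4ff:fea0:bc97", a.dns_alg("204.127.202.4"))
    return out, a.v4_to_v6(out[1], out[0]), b.v4_to_v6(out[1], out[0])

if __name__ == "__main__":
    print(asymmetric_return())
```

The third result is `None`: a reply that reaches a translator without the mapping cannot be delivered, which is also why losing the one box that holds the table breaks every session through it.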
Transition Strategies: Dual Stacked IPv4/IPv6 Backbone
(Possibly) lower capital expense
(Possibly) higher operational complexity
More risk of network disruption during migration
Less incremental migration
Legacy equipment issues
[Figure labels: Access, Access, IPv4/IPv6, IPv4]
Transition Strategies: Separate IPv4/IPv6 Backbones
(Possibly) higher capital expense
Lower operational complexity
Low risk to operational network
Easier, more incremental migration
[Figure labels: IPv6, Access, Access, IPv4]
Conclusions
Dual stacking is the simplest approach
Tunnel only when necessary
Translation should seldom be needed, if at all
A long-range transition plan reduces cost
  IPv6 SW/HW phased in as part of normal network evolution
Biggest transition expense is likely to be planning, testing, inventory, training, etc.
  i.e., human resource expenses
  Not capital expenses
Thank you!