Gianluca Reali, conan.diei.unipg.it/rcm/lucidircm/ipv6.pdf
TRANSCRIPT
1
IPv6 Tutorial
Gianluca Reali
2
IPv6 - Important changes
• Expanded address space
– Address length quadrupled to 16 bytes
• Header format simplification
– Fixed length; optional headers are daisy-chained
– IPv6 header is twice as long (40 bytes) as the IPv4 header without options (20 bytes)
• No checksumming at the IP network layer
• No hop-by-hop segmentation
– Path MTU discovery
• 64-bit aligned
• Authentication and privacy capabilities
– IPsec is mandated
• No more broadcast
3
IPv4 datagram (header layout, bits 0-31)
Version (4) | IHL (4) | Type of Service (8) | Total Length (16)
Identifier (16) | Flags (3) | Fragment Offset (13)
Time To Live (8) | Protocol (8) | Header Checksum (16)
Source Address (32)
Destination Address (32)
Options & Padding (multiple of 32)
Data
• Version = 4
• IHL - Internet Header Length = 5 with no header options [min = 160 bits] [max = 512 bits]
• Type of Service: desired quality of service
  bits 0-2 Precedence
  bit 3 D: normal delay / low delay
  bit 4 T: normal throughput / high throughput
  bit 5 R: normal reliability / high reliability
  bits 6-7 reserved
  (layout: Prec. | D | T | R | 0 | 0 over bits 0 1 2 3 4 5 6 7)
• Identification, Flags, Fragmentation Offset: used for segmentation and reassembly of packets
  Bit 0 = Reserved; must be 0
  Bit 1 = DF (0 = may fragment; 1 = do not fragment)
  Bit 2 = MF (0 = last fragment; 1 = more fragments)
• Options and Padding: additional information to control functions such as routing and security
4
Issues with the header format
(figure: IPv4 header fields: vers, hlen, TOS, total length, identification, flag, frag offset, TTL, protocol, header checksum, source address, destination address, options and padding)
• The header checksum covers only the header, so it must be recomputed whenever a header value changes. The TTL is decremented at every hop; therefore the checksum is recomputed at every router hop.
• The Options and Padding field is checked at every router hop, which uses up router processing time and degrades router performance.
5
IPv4 addressing
Network address (where you are connected) | Host address (who you are), e.g. 202.188.125.67
Features / presentation:
• 32-bit address
• Represents network & host address
• Divided into classes:
  Class A 0.0.0.0-127.255.255.255
  Class B 128.0.0.0-191.255.255.255
  Class C 192.0.0.0-223.255.255.255
• Later adopted CIDR, e.g. 192.228.0.0/16 or 192.228.0.0/20 …
6
IPv4 address types
• "Unicast" address: specified for a single recipient, i.e. an interface.
• Multicast address: 224.0.0.0/4
• Broadcast address: e.g. 192.228.128.255
• Unspecified address: 0.0.0.0
• Loopback address: 127.0.0.1
7
Address space
• More connected devices:
  – Communications appliances (e.g. phone, pager)
  – Information appliances (e.g. electronic books)
  – Entertainment appliances (e.g. set-top boxes)
• More management costs
• More demanding applications
• IPv4 with only 32 bits gave approximately 4.3 x 10^9 addresses
LARGE ADDRESS SPACE NEEDED. Fact: with the current world population, 2 persons need to share an IP address.
8
Limitations of IPv4 addressing
• The decision to stick with a 32-bit address space meant that there were only 2^32 (4,294,967,296) IPv4 addresses available
• Classful A, B, and C octet boundaries are easy to understand but inefficient to deploy in the real world. A /24 is too small for an average organization, while a /16 is too big!
(figure: Internet growth versus the IPv4 address space)
9
The HD Ratio (RFC 3194)
• measures the "pain level" of a given level of utilization of a hierarchical address space, on a scale of 0 to 1
• HD = log(number of addressed objects) / log(total number of addresses)
• historical analysis of IPv4, US phone numbers, French phone numbers, DECnet IV, etc. shows remarkable consistency:
  HD = 0.80 manageable (51M for 32-bit space)
  HD = 0.85 painful (154M for 32-bit space)
  HD = 0.87 practical limit (240M for 32-bit space)
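As an added worked example (not part of the slides), the HD formula coded up with the slide's three thresholds, and also applied to one level of the prefix hierarchy described later in the deck: a /32 ISP block handing out /48 site prefixes has 16 "address" bits, so the same pain levels say how many sites it comfortably holds.

```python
import math

# Pain levels quoted on the slide (RFC 3194), keyed by HD ratio
HD_THRESHOLDS = {0.80: "manageable", 0.85: "painful", 0.87: "practical limit"}


def hd_ratio(addressed_objects: int, address_bits: int) -> float:
    """HD = log(addressed objects) / log(total addresses), with total = 2**address_bits."""
    if addressed_objects < 1 or address_bits < 1:
        raise ValueError("need at least one object and one address bit")
    return math.log(addressed_objects) / (address_bits * math.log(2))


def objects_at_hd(hd: float, address_bits: int) -> int:
    """Inverse of hd_ratio: how many objects can be addressed at a given HD ratio."""
    return round(2 ** (hd * address_bits))


def pain_level(addressed_objects: int, address_bits: int) -> str:
    """Map a utilization to the slide's labels; below 0.80 is simply 'comfortable'."""
    hd = hd_ratio(addressed_objects, address_bits)
    label = "comfortable"
    for threshold, name in sorted(HD_THRESHOLDS.items()):
        if hd >= threshold:
            label = name
    return label


def usable_prefixes(block_len: int, assigned_len: int, hd: float) -> int:
    """Generalisation to the prefix hierarchy: a /block_len that hands out /assigned_len
    prefixes has (assigned_len - block_len) bits of address space for the HD formula."""
    if not 0 <= block_len < assigned_len <= 128:
        raise ValueError("expected 0 <= block_len < assigned_len <= 128")
    return objects_at_hd(hd, assigned_len - block_len)


def slide_table(address_bits: int = 32) -> dict:
    """The slide's table (51M / 154M / 240M for 32 bits) regenerated for any width."""
    return {name: objects_at_hd(hd, address_bits) for hd, name in HD_THRESHOLDS.items()}
```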
10
Fragmentation
(figure: an MTU-limited link; datagrams are split into fragments and reassembled in the receiving computer's fragment reassembly buffer)
• A process used by IP to reduce the size of packets so that they fit the MTU size
• Fragments will be reassembled at the final destination (based on the identification field, fragment offset and flags)
• How?
11
Fragmentation flags
• Identification number: 16-bit integer value used to identify all fragments. This id is not a sequence number!
• Flags - 3 bits control fragmentation:
  R  reserved, must be 0
  DF 0 = may fragment, 1 = don't fragment
  MF 0 = last fragment, 1 = more fragments
• Fragment offset: indicates the distance of the fragment data from the start of the original datagram, measured in 8-octet units
(figure: IPv4 header fields with identification, flags and frag offset highlighted)
12
Fragmentation sample
IP packets: UDP data (2000 bytes) sent over Ethernet with MTU 1500
Fragment #1: IP header + UDP header + data bytes 0..1472; Identification = 26304, MF = 1, Fragment Offset = 0
Fragment #2: IP header + data bytes 1472..2000; Identification = 26304, MF = 0, Fragment Offset = 184 (= 1472/8)
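The fragmentation above, together with the per-hop checksum recomputation of slide 4, as an added example (not code from the slides): the 2000-byte UDP payload plus its 8-byte UDP header is split over a 1500-byte MTU, then reassembled, with the checks a receiver makes when a fragment is missing. Offsets count 8-octet units of the whole IP payload (UDP header included), so the second fragment here lands at offset 185 = 1480/8; the slide's 184 counts the 1472 UDP data bytes only.

```python
import struct

IP_DF = 0x4000  # don't fragment
IP_MF = 0x2000  # more fragments
PROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; a header with a valid checksum sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, ident: int,
                      flags: int, frag_offset: int, ttl: int = 64,
                      proto: int = PROTO_UDP) -> bytes:
    """20-byte IPv4 header without options; flags and offset share one 16-bit field."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags | frag_offset, ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def fragment(payload: bytes, mtu: int, src: str, dst: str, ident: int) -> list:
    """Split an IP payload (here a whole UDP datagram) into (header, data) fragments.

    Every non-final fragment carries a multiple of 8 payload bytes, because the
    fragment offset field counts 8-octet units.
    """
    max_data = (mtu - 20) // 8 * 8
    frags, offset = [], 0
    while offset < len(payload):
        chunk = payload[offset:offset + max_data]
        last = offset + len(chunk) >= len(payload)
        flags = 0 if last else IP_MF
        frags.append((build_ipv4_header(src, dst, len(chunk), ident, flags, offset // 8), chunk))
        offset += len(chunk)
    return frags


def parse_fragment_fields(header: bytes) -> dict:
    """Decode identification, DF/MF flags and fragment offset, and verify the checksum."""
    ident, flags_frag = struct.unpack("!HH", header[4:8])
    return {"ident": ident, "df": bool(flags_frag & IP_DF),
            "mf": bool(flags_frag & IP_MF), "offset": flags_frag & 0x1FFF,
            "checksum_ok": ipv4_checksum(header) == 0}


def reassemble(frags: list) -> bytes:
    """Reassemble by offset; as the next slide says, a missing fragment sinks the datagram."""
    frags = sorted(frags, key=lambda f: parse_fragment_fields(f[0])["offset"])
    data = b""
    for hdr, chunk in frags:
        fields = parse_fragment_fields(hdr)
        if fields["offset"] * 8 != len(data):
            raise ValueError("gap before offset %d: a fragment was lost" % fields["offset"])
        data += chunk
    if parse_fragment_fields(frags[-1][0])["mf"]:
        raise ValueError("last fragment missing (MF still set)")
    return data


def reassembly_succeeds(frags: list) -> bool:
    try:
        reassemble(frags)
        return True
    except ValueError:
        return False


def forward_hop(header: bytes) -> bytes:
    """What every router does (slide 4): decrement TTL, then recompute the header checksum."""
    ttl = header[8]
    if ttl <= 1:
        raise ValueError("TTL expired: drop the packet")
    hdr = header[:8] + bytes([ttl - 1]) + header[9:10] + b"\x00\x00" + header[12:]
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


# Constructed sample (not from the slides): 8-byte UDP header + 2000 bytes of data
UDP_DATAGRAM = struct.pack("!HHHH", 40000, 53, 2008, 0) + b"A" * 2000
FRAGMENTS = fragment(UDP_DATAGRAM, 1500, "192.228.1.10", "192.228.1.20", ident=26304)
```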
13
Problems in fragmentation
• The end node has no way to know how many fragments there will be.
• Every fragment travels independently. If any fragment is lost, the whole datagram must be discarded.
• If any fragment fails to arrive before the reassembly timer expires, the whole datagram must be discarded.
• IP makes no attempt to recover from these situations (connectionless); it only gives an ICMP error, e.g. "Packet too big".
14
Avoiding fragmentation
• Set DF=1 and the message will not be fragmented. But if the message is larger than the link is able to accept, the message will be discarded by the network.
• The standard recommends that all networks supporting TCP/IP should have an MTU of at least 576 bytes (packets of that size are guaranteed never to be fragmented)
15
Routing problems
• Large backbone routing table: backbone routing table explosion, ~90K routes. A problem with legacy IPv4.
• Routing performance: at every hop the router needs to check and verify the header checksum. This increases processing time and degrades routing performance. Fragmentation of packets is also done by routers, and a packet might need to be fragmented several times; this also affects routing performance.
A hierarchical addressing scheme should be adopted, and simplified header fields can ease the router burden.
16
Internet security
(figure: long messages crossing the Internet)
• Eavesdropping
• Spoofing
• Forgery
• Packet drops
• Denial of service
17
IP layer security
• Security at the network layer.
• Confidentiality, integrity, and authentication are the key services used to protect against these threats
• If data is encrypted while in transit, it is impossible for a perpetrator to observe or modify it.
• Security in IPv4 is not mandated. We have to run IPsec on top of IP.
With strong network-layer authentication, identity spoofing and denial of service can be prevented.
18
Host auto-configuration
• Stateful server mode: via DHCP (the host sends a DHCP request and the DHCP server responds)
• Stateless server mode will be a better solution and can save cost
19
Quality of Service
• Quality of service in IPv4 is best-effort delivery: data arrives at its destination as soon as possible.
• No reservation of bandwidth. This is adequate for traditional applications such as Telnet and FTP. But nowadays multimedia applications need real-time, delay-sensitive data transfer over the network. Therefore better QoS is needed.
An improved quality of service needs to be implemented.
20
Before IPv6…
IP version numbers:
0-3 unassigned
4 Internet Protocol, IP (current version)
5 Stream Protocol, ST (not a new version of IP)
6 IPv6 (formerly SIP, SIPP)
7 CATNIP (formerly IPv7, TP/IX; deprecated)
8 Pip (deprecated)
9 TUBA (deprecated)
10-15 unassigned
Note: the IPv6 working group was formed and is chaired by Steve Deering (Cisco Systems, Inc) and Robert Hinden (Nokia)
21
What are the IPv6 advantages?
• scalable IP address with streamlined IP header
• optimized routing table size (<10K routes)
• better real-time support
• self-configuration of workstations
• security features
Note: IPv6 was designed to re-build and re-engineer IPv4; thus it still inherits some of IPv4's characteristics but rejects its flaws
22
IPv6 packet structure
IPv6 packet = IPv6 header | extension headers | higher-level protocol header + application content (everything after the IPv6 header is the payload)
Definitions: the IP header provides addressing and control; the IP payload carries information and error/control protocols
• Extension headers (optional): hop-by-hop, routing, fragment, authentication, encryption & destination headers
• Higher-level protocol header: ICMPv6, UDP & TCP
23
Header comparison
Removed (6): ID, flags, frag offset; TOS, hlen; header checksum
Changed (3): total length => payload length; protocol => next header; TTL => hop limit
Added (2): traffic class; flow label
Expanded: address 32 to 128 bits
IPv4 header (20 bytes, bits 0-31):
vers | hlen | TOS | total length
identification | flags | frag offset
TTL | protocol | header checksum
source address
destination address
options and padding
IPv6 header (40 bytes, bits 0-31):
vers | traffic class | flow label
payload length | next header | hop limit
source address
destination address
24
(figure: IPv4 header with the options and header checksum fields highlighted)
Major improvements
1- No options. The options field is replaced with extension headers. The removal of the options results in a fixed-length, 40-byte IP header.
2- No header checksum. The transport and data link layers have already performed checksumming. The removal of this feature leads to faster IP packet processing.
3- No fragmentation by routers. With path MTU discovery in IPv6, only the source host performs fragmentation. Removal of this procedure speeds up IP forwarding in routers.
25
Extension headers (RFC 2460)
IPv6 packet = IPv6 header | extension headers | higher-level protocol header + application content
Examples of header chains (IP header followed by IP payload):
IPv6 header (next header = TCP) | TCP header + data
IPv6 header (next header = routing) | Routing header (next header = TCP) | TCP header + data
IPv6 header (next header = routing) | Routing header (next header = fragment) | Fragment header (next header = TCP) | fragment of TCP header + data
• Extension headers include hop-by-hop, destination, routing, fragment, authentication and encapsulating security payload
26
IPv6 header options (RFC 2460)
• Processed only by the node identified in the IPv6 Destination Address field => much lower overhead than IPv4 options; exception: the Hop-by-Hop Options header
• Eliminated IPv4's 40-octet limit on options; in IPv6 the limit is the total packet size, or the Path MTU in some cases
Currently defined headers should appear in the following order:
– IPv6 header
– Hop-by-Hop Options header
– Destination Options header
– Routing header
– Fragment header
– Authentication header (RFC 1826)
– Encapsulating Security Payload header (RFC 1827)
– Destination Options header
– upper-layer header
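An added example (not from the slides) of what a filter or IDS has to do with the chain described above: walk the Next Header fields, applying each extension header's own length rule, until the upper-layer header is found, and flag headers that violate the recommended order. The sample packets are constructed here; the addresses are taken from the deck's later slides.

```python
import ipaddress
import struct

# Next Header values (IANA protocol numbers) used below
NH_HOPOPTS, NH_TCP, NH_ROUTING, NH_FRAGMENT = 0, 6, 43, 44
NH_ESP, NH_AH, NH_DSTOPTS = 50, 51, 60
EXTENSION_HEADERS = {NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_AH, NH_DSTOPTS}

# Recommended order from RFC 2460 as listed on the slide; Destination Options may
# appear twice (before the Routing header and again before the upper-layer header).
RECOMMENDED_ORDER = [NH_HOPOPTS, NH_DSTOPTS, NH_ROUTING, NH_FRAGMENT, NH_AH, NH_ESP, NH_DSTOPTS]


def ext_header_len(kind: int, packet: bytes, offset: int) -> int:
    """Byte length of the extension header at offset, using each header's own length rule."""
    if kind == NH_FRAGMENT:
        return 8                                 # fixed 8 octets
    if kind == NH_AH:
        return (packet[offset + 1] + 2) * 4      # Payload Len: 32-bit words minus 2
    return (packet[offset + 1] + 1) * 8          # Hdr Ext Len: 8-octet units minus 1


def walk_header_chain(packet: bytes) -> dict:
    """Follow the Next Header fields until a non-extension header is reached.

    ESP ends the walk because everything after it is encrypted. Returns the chain,
    the upper-layer protocol number, its offset, and order warnings.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_header = struct.unpack("!HB", packet[4:7])
    if 40 + payload_len != len(packet):
        raise ValueError("payload length %d does not match packet size" % payload_len)
    chain, warnings = [], []
    offset, last_rank = 40, -1
    while next_header in EXTENSION_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header at offset %d" % offset)
        length = ext_header_len(next_header, packet, offset)
        if offset + length > len(packet):
            raise ValueError("extension header at offset %d overruns the packet" % offset)
        if next_header == NH_HOPOPTS and offset != 40:
            warnings.append("Hop-by-Hop Options not immediately after the IPv6 header")
        ranks = [i for i, k in enumerate(RECOMMENDED_ORDER) if k == next_header and i > last_rank]
        if ranks:
            last_rank = ranks[0]
        else:
            warnings.append("header %d out of recommended order or repeated" % next_header)
        chain.append(next_header)
        next_header = packet[offset]
        offset += length
    return {"chain": chain, "upper_layer": next_header, "upper_offset": offset,
            "warnings": warnings}


def is_well_formed(packet: bytes) -> bool:
    try:
        walk_header_chain(packet)
        return True
    except ValueError:
        return False


# --- constructed sample packets (not from the slides) ---
def ipv6_header(next_header: int, payload: bytes, src: str, dst: str) -> bytes:
    return (struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload)


def padn_options_header(next_header: int) -> bytes:
    """Smallest Hop-by-Hop/Destination Options header: Hdr Ext Len 0, one PadN(4) option."""
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


def fragment_header(next_header: int, offset_units: int, more: bool, ident: int) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset_units << 3) | int(more), ident)


TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
SRC, DST = "2001:410:213:1:260:3EFF:FE47:1530", "3FFE:B00:C18:1::2"  # addresses from the deck

# Hop-by-Hop -> Fragment -> TCP: the order the slide recommends
GOOD_PACKET = ipv6_header(NH_HOPOPTS, padn_options_header(NH_FRAGMENT)
                          + fragment_header(NH_TCP, 0, True, 26304) + TCP_SYN, SRC, DST)
# Fragment -> Hop-by-Hop -> TCP: parseable, but out of the recommended order
ODD_PACKET = ipv6_header(NH_FRAGMENT, fragment_header(NH_HOPOPTS, 0, True, 26304)
                         + padn_options_header(NH_TCP) + TCP_SYN, SRC, DST)
# Hdr Ext Len claims 88 octets but only 8 are present
OVERRUN_PACKET = ipv6_header(NH_HOPOPTS, bytes([NH_TCP, 10, 1, 4, 0, 0, 0, 0]), SRC, DST)
```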
27
IPv6 Header Options (RFC2460)
28
Fragmentation
• IPv6 fragmentation & reassembly is an end-to-end function
• Routers do not fragment packets BUT only send the ICMP "packet too big" message (with the new MTU size) using the Path MTU Discovery feature
• Advantage: better router performance; that is, intermediate routers don't have to check the fragmentation fields (identification + flags + fragment offset) every time a packet passes through them
29
Path MTU discovery
(figure: Source on FDDI (MTU=4500) - router A - Ethernet (MTU=1500) - router B - FDDI (MTU=4500) - Destination; router A returns ICMP "packet too big" to the source)
For packets bigger than 1280 bytes, path MTU discovery is expected:
• start by assuming the MTU of the first-hop link
• if a packet reaches a link into which it doesn't fit, an ICMP "packet too big" message is generated and sent back to the source
• then the source fragments the packet into smaller chunks (following this new MTU size) and starts the process all over again
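The procedure above simulated end to end, as an added example that is not part of the slides: the source starts at the first-hop MTU, shrinks on each "packet too big", re-fragments and retries, with the 1280-byte floor IPv6 guarantees. It also shows the failure a practitioner meets in the field: when the ICMP reply is filtered, large packets simply vanish (a PMTUD black hole). Path and message sizes are the slide's FDDI/Ethernet/FDDI example.

```python
IPV6_MIN_MTU = 1280   # every IPv6 link must carry this size, so the PMTU never drops below it
IPV6_HDR, FRAG_HDR = 40, 8


def send_along_path(packet_size: int, link_mtus: list, icmp_filtered: bool = False):
    """One trip along the path: ("ok", None), ("too_big", mtu) when a router answers
    with ICMP "packet too big", or ("dropped", None) when that ICMP is filtered."""
    for mtu in link_mtus:
        if packet_size > mtu:
            return ("dropped", None) if icmp_filtered else ("too_big", mtu)
    return ("ok", None)


def fragment_sizes(message_size: int, pmtu: int) -> list:
    """Packet sizes the source emits for message_size payload bytes at a given PMTU:
    one plain packet if it fits, otherwise fragments (each with a fragment header)
    whose data lengths are multiples of 8, except for the last one."""
    if IPV6_HDR + message_size <= pmtu:
        return [IPV6_HDR + message_size]
    per_frag = (pmtu - IPV6_HDR - FRAG_HDR) // 8 * 8
    sizes, remaining = [], message_size
    while remaining > 0:
        data = min(per_frag, remaining)
        sizes.append(IPV6_HDR + FRAG_HDR + data)
        remaining -= data
    return sizes


def path_mtu_discovery(message_size: int, link_mtus: list, icmp_filtered: bool = False,
                       max_rounds: int = 16):
    """Slide 29's procedure: assume the first-hop MTU, shrink to the advertised MTU on
    every "packet too big", re-fragment and retry. Returns (pmtu, sizes, history)."""
    pmtu, history = link_mtus[0], []
    for _ in range(max_rounds):
        sizes = fragment_sizes(message_size, pmtu)
        result, link_mtu = send_along_path(sizes[0], link_mtus, icmp_filtered)
        history.append((pmtu, result))
        if result == "ok":
            return pmtu, sizes, history
        if result == "dropped":
            raise RuntimeError("PMTUD black hole: large packets vanish and no ICMP comes back")
        pmtu = max(link_mtu, IPV6_MIN_MTU)
    raise RuntimeError("PMTUD did not converge")


def pmtud_converges(message_size: int, link_mtus: list, icmp_filtered: bool = False) -> bool:
    try:
        path_mtu_discovery(message_size, link_mtus, icmp_filtered)
        return True
    except RuntimeError:
        return False


# Constructed scenario from the slide: FDDI (4500) - Ethernet (1500) - FDDI (4500)
SLIDE_PATH = [4500, 1500, 4500]
```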
30
How was the IPv6 address size chosen?
• Some wanted fixed-length, 64-bit addresses
  – easily good for 10^12 sites, 10^15 nodes, at .0001 allocation efficiency (3 orders of magnitude more than the IPv6 requirement)
  – minimizes growth of per-packet header overhead
  – efficient for software processing
• Some wanted variable-length, up to 160 bits
  – compatible with OSI NSAP addressing plans
  – big enough for auto-configuration using IEEE 802 addresses
  – could start with addresses shorter than 64 bits & grow later
• Settled on fixed-length, 128-bit addresses
31
Address space
IPv4 address space: 32-bit, e.g. 192.228.134.34
IPv6 address space: 128-bit, e.g. 3FFE:90:AD:23:112:9:56:210
• 128 bits or 16 bytes
• 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456
• 4.2 x 10^9 versus 3.4 x 10^38 addresses
Note: IPv4 allows 1 IP for every 2 persons, but IPv6 offers ~5.6 x 10^28 per person (out of a 6 billion population, 6 x 10^9)
32
Address syntax: preferred
• Hexadecimal values of the eight 16-bit pieces, separated by colons: X:X:X:X:X:X:X:X, where X = a 16-bit number, e.g. A3BF or FFFE
• Examples: FE78:3450:BED8:9542:FEDC:BA09:1236:763C and 3FFE:0:0:0:13:45D:432:1A
33
Address syntax: compressed
• Compressed form => "::" indicates multiple groups of 16 bits of zeros, but only once in an address
  4A80:0:0:0:5:800:50CA:290D => 4A80::5:800:50CA:290D
  FE80:0:0:0:0:0:0:349 => FE80::349
  4D0A:0:0:89:0:0:236:8009 => 4D0A::89:0:0:236:8009 or 4D0A:0:0:89::236:8009
  0:0:0:0:0:0:0:1 => ::1
Note: two types of IPv6 addresses have a different representation (IPv4-compatible and IPv4-mapped)
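An added example (not from the slides) that implements the compression rule above and its inverse, enforcing "only once" and checking the result against the standard library. The practical use is canonicalisation: two spellings of the same address must compare equal before an ACL or a log search string-matches on them. Embedded-IPv4 forms are left to the later slides.

```python
import ipaddress


def expand(addr: str) -> list:
    """Expand a textual IPv6 address into its eight 16-bit groups (as ints).

    Enforces the slide's rule: '::' stands for one or more all-zero groups and may
    appear only once. Embedded-IPv4 forms such as ::1.2.3.4 are not handled here.
    """
    if addr.count("::") > 1 or ":::" in addr:
        raise ValueError("'::' may appear only once: %s" % addr)
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = [g for g in head.split(":") if g]
        tail_groups = [g for g in tail.split(":") if g]
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must replace at least one zero group: %s" % addr)
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(1 <= len(g) <= 4 for g in groups):
        raise ValueError("need exactly eight 16-bit groups: %s" % addr)
    return [int(g, 16) for g in groups]


def compress(groups: list) -> str:
    """Compressed form: the longest run of zero groups (the first one on a tie) becomes '::'.

    A lone zero group stays '0', as RFC 5952 requires. Upper-case hex matches the slide;
    RFC 5952 recommends lower case, which canonical() can produce.
    """
    if len(groups) != 8:
        raise ValueError("need eight groups")
    best_start, best_len, run_start = -1, 0, None
    for i, g in enumerate(groups + [1]):      # sentinel closes a trailing zero run
        if g == 0 and run_start is None:
            run_start = i
        elif g != 0 and run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    hexs = ["%X" % g for g in groups]
    if best_len < 2:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


def canonical(addr: str, lower: bool = False) -> str:
    """Expand then recompress so differently written addresses compare equal."""
    text = compress(expand(addr))
    return text.lower() if lower else text


def is_valid_text(addr: str) -> bool:
    try:
        expand(addr)
        return True
    except ValueError:
        return False


def matches_stdlib(addr: str) -> bool:
    """Cross-check against the standard library's compressor."""
    return canonical(addr, lower=True) == str(ipaddress.IPv6Address(addr))
```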
34
Address types
• There are 3 types of addresses:
  Unicast: defines a single recipient. A packet sent to a unicast address is delivered to the interface identified by that address.
  Anycast: defines a number of recipients. A packet sent to an anycast address is delivered to one of the interfaces (the nearest working interface).
  Multicast: defines a number of recipients. A packet sent to a multicast address is delivered to all of the interfaces identified by that address.
35
Address types
• A single interface may be assigned multiple IPv6 addresses of any type (unicast, anycast, multicast)
– No broadcast address -> use multicast
36
Address allocation
• The prefix is used to identify the type of IPv6 address; normally the first 16 bits (or first 2 bytes)
Allocation | Binary prefix | Example (the first 16 bits)
Global unicast | 001 | 2xxx or 3xxx
Link-local unicast | 1111 1110 10 | FE8x ... FEBx
Site-local unicast | 1111 1110 11 | FECx ... FEFx
Multicast | 1111 1111 | FFxx
Reserved IPX | 0000 010 | 04xx or 05xx
IPv4-compatible unicast | 000...0 (96 zero bits) | 0:0:0:0:0:0:n.n.n.n
IPv4-mapped unicast | 000..FFFF (80 zero bits) | 0:0:0:0:0:FFFF:n.n.n.n
• All other binary prefixes are reserved for future use
• Anycast addresses are allocated from the unicast prefixes
37
Address allocation
38
Aggregatable global unicast
• This hierarchical structure improves backbone routing; it sorts traffic towards networks attached to the Internet backbone
• Without an address hierarchy, backbone routers have to store route table information on the reachability of every network in the world
Format (bits): FP (3) | TLA ID (13) | RES (8) | NLA ID (24) | SLA ID (16) | Interface ID (64)
Public topology: FP, TLA ID, RES, NLA ID; site topology: SLA ID; then the interface ID
FP = Format Prefix; TLA = Top-Level Aggregation; NLA = Next-Level Aggregation; SLA = Site-Level Aggregation; RES = Reserved
Allocation | Binary prefix | Example
Global unicast | 001 | 2xxx or 3xxx
39
Aggregatable global unicast (cont.)
(figure: public topology (providers/exchanges): top level -> next level -> next level; site topology (LAN): site level; interface ID (link))
40
Hierarchical addressing & aggregation
(figure: IPv6 Internet 2001::/16; ISP 2001:0410::/32, which only announces the /32 prefix; customer no 1 2001:0410:0001::/48; customer no 2 2001:0410:0002::/48)
– The larger address space enables:
  • aggregation of prefixes announced in the global routing table
  • efficient and scalable routing
– But current multi-homing schemes break the model
(note: no masks in IPv6!)
41
Non-global addresses
• IPv6 includes non-global addresses, similar to IPv4 private addresses ("net 10", etc.)
• a topological region within which such non-global addresses are used is called a zone
• zones come in different sizes, called scopes (e.g., link-local, site-local, …)
• unlike in IPv4, a non-global address zone is also part of the global addressable region (the "global zone") => an interface may have both global and non-global addresses
42
Address zones and scopes
(figure: the global Internet contains sites, and each site contains links; each oval is a different zone, different colors indicate different scopes)
43
Properties of Zones and Scopes
• zones of the same scope do not overlap, e.g., two sites cannot overlap (i.e., cannot have any links in common)
• zones of smaller scope nest completely within zones of larger scope
• zones of same scope can reuse addresses of that scope (e.g., the same site-local address can occur in more than one site)
44
Properties of zones and scopes
• the scope of an address is encoded in the address itself, but the zone of an address is not
  – that's why the "%zone-id" qualifier is needed in the text representation of addresses
  – for a non-global address received in a packet, its zone is determined based on what interface it arrived on
• packets with a source or destination address of a given scope are kept within a zone of that scope (enforced by zone-boundary routers)
• zone boundaries always cut through nodes, not links or interfaces
45
Zone boundaries
(figure: the global zone contains two site zones, each containing link zones; the boundaries pass through nodes)
46
Non-global unicast addresses
• link-local unicast addresses are meaningful only in a single link zone, and may be re-used on other links
  Format: 1111111010 (10 bits) | 0 (54 bits) | interface ID (64 bits)
• site-local unicast addresses are meaningful only in a single site zone, and may be re-used in other sites
  Format: 1111111011 (10 bits) | 0 (38 bits) | subnet ID (16 bits) | interface ID (64 bits)
47
Address allocation policy
(figure: Registry /23 | ISP prefix /32 (2001:0410) | Site prefix /48 | LAN prefix /64 | Interface ID)
Bootstrap process - RFC 2450
• The allocation process is under review by the Registries:
  – IANA allocates 2001::/16 to registries
  – Each registry gets a /23 prefix from IANA
  – Formerly, all ISPs were getting a /35
  – With the new policy, the Registry allocates a /32 prefix to an IPv6 ISP
  – Then the ISP allocates a /48 prefix to each customer (or potentially /64)
  – ftp://ftp.cs.duke.edu/pub/narten/ietf/global-ipv6-assign-2002-06-26.txt
48
Interface IDs
The lowest-order 64-bit field of a unicast address may be assigned in several different ways:
– auto-configured from a 64-bit EUI-64, or expanded from a 48-bit MAC address (e.g., Ethernet address)
– auto-generated pseudo-random number (to address privacy concerns)
– assigned via DHCP
– manually configured
49
IPv6 address privacy (RFC 3041)
(figure: 2001 | 0410 | … | Interface ID, with the /23, /32, /48 and /64 boundaries)
Temporary addresses for IPv6 host client applications, e.g. a web browser:
– Inhibit device/user tracking, but are also a potential issue
– Make it more difficult to scan all IP addresses on a subnet, but a port scan is identical once an address is known
– Random 64-bit interface ID; run Duplicate Address Detection (DAD) before using it
– Rate of change based on local policy
– Implemented on Microsoft Windows XP
– From RFC 3041: "…interface identifier …facilitates the tracking of individual devices (and thus potentially users)…"
50
Topic 2: IPv6 concepts
Link-local & site-local
Allocation | Binary prefix | Example
link-local unicast | 1111 1110 10 | FE8x ... FEBx
site-local unicast | 1111 1110 11 | FECx ... FEFx
• Link-local addresses are used during auto-configuration while no router is present
  1111111010 | 0 | interface ID
  e.g. => fe80::2d0:b7ff:fe11:5d36
• Site-local addresses are used within an isolated intranet, independent of changes of TLA/NLA:
  1111111011 | 0 | SLA* | interface ID
  e.g. => fec0::90:234:ffde:1098
51
IPv4-compatible & IPv4-mapped
Allocation | Binary prefix | Example
IPv4-compatible | 00..(96 bits of zero) | 0:0:0:0:0:0:n.n.n.n
IPv4-mapped | 00..ffff (80 bits of zero) | 0:0:0:0:0:ffff:n.n.n.n
• These addresses serve a mixed environment of IPv4 and IPv6 addresses:
1) IPv4-compatible IPv6 address: a technique for hosts and routers to dynamically tunnel IPv6 packets over an IPv4 routing infrastructure (dual stack)
   0:0:0:0:0:0:192.226.124.45 => ::192.226.124.45
2) IPv4-mapped IPv6 address: represents the addresses of IPv4-only nodes (those that do not support IPv6) as IPv6 addresses. Never the src/dest of IPv6 packets.
   0:0:0:0:0:FFFF:192.226.124.45 => ::FFFF:192.226.124.45
52
Special addresses
• Unspecified address: used as a source address by a station that has not yet been configured with another type of address. Never assigned.
  0:0:0:0:0:0:0:0 => ::
• Loopback address: used by a node to send an IPv6 datagram to itself. Never sent on a link.
  0:0:0:0:0:0:0:1 => ::1
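The allocation table of slide 36 and the rules of slides 51-52 turned into code, as an added example that is not part of the slides: an address is classified by its leading bits, the embedded IPv4 address of compatible/mapped forms is extracted, and the "never on the wire" rules become a check on a packet's source/destination pair. The multicast-as-source rule is from RFC 2460, not the slides.

```python
import ipaddress

# Allocation table from slide 36 plus the special addresses of slide 52, as
# (type, prefix, prefix length). Longer, more specific prefixes come first.
ALLOCATION_TABLE = [
    ("unspecified",             "::",          128),
    ("loopback",                "::1",         128),
    ("IPv4-compatible unicast", "::",          96),   # 96 zero bits + IPv4 address
    ("IPv4-mapped unicast",     "::ffff:0:0",  96),   # 80 zero bits + FFFF + IPv4 address
    ("global unicast",          "2000::",      3),    # binary 001
    ("link-local unicast",      "fe80::",      10),   # binary 1111 1110 10
    ("site-local unicast",      "fec0::",      10),   # binary 1111 1110 11
    ("multicast",               "ff00::",      8),    # binary 1111 1111
    ("reserved IPX",            "400::",       7),    # binary 0000 010
]


def classify(addr: str) -> dict:
    """Identify the address type from its leading bits, as the slide's table does."""
    ip = ipaddress.IPv6Address(addr)
    info = {"type": "reserved for future use", "first16": "%04X" % (int(ip) >> 112)}
    for name, prefix, length in ALLOCATION_TABLE:
        if ip in ipaddress.IPv6Network((prefix, length)):
            info["type"] = name
            if name.startswith("IPv4-"):
                info["embedded_ipv4"] = str(ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF))
            break
    return info


def wire_violations(src: str, dst: str) -> list:
    """Rules a border filter can enforce on a packet's address pair: the unspecified
    address only as a source (DAD), loopback never on a link, IPv4-mapped never as
    src/dst of an IPv6 packet, and multicast never as a source (RFC 2460)."""
    s, d = classify(src)["type"], classify(dst)["type"]
    problems = []
    if d == "unspecified":
        problems.append("unspecified destination")
    if "loopback" in (s, d):
        problems.append("loopback address on the wire")
    if "IPv4-mapped unicast" in (s, d):
        problems.append("IPv4-mapped address as IPv6 src/dst")
    if s == "multicast":
        problems.append("multicast source")
    return problems
```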
53
Anycast address
• Anycast addresses are allocated from the unicast address space; syntactically indistinguishable from unicast addresses
• A unicast address assigned to more than one interface becomes an anycast address; the nodes to which the address is assigned must be explicitly configured to know that it is an anycast address
• It cannot be a source address
54
Expanded address space: multicast addresses (RFC 3513)
Allocation | Binary prefix | Example
Multicast | 1111 1111 | FFxx
• Multicast identifies a group of nodes; specifically it identifies a set of interfaces that usually belong to different nodes.
Format: 11111111 | flags | scope | group ID
Low-order flag: indicates a permanent (well-known) or non-permanent (transient) group
Scope value: limits the scope of the multicast group, i.e. node-local, link-local, site-local, community-local, organization-local, global etc.
55
Expanded address space: multicast addresses (RFC 3513)
Format (128 bits): 1111 1111 (8 bits) | flags (4 bits) | scope (4 bits) | group ID (112 bits)
Flags = 000T: T=0 a permanent IPv6 multicast address, T=1 a transient IPv6 multicast address
Scope = 1 = node, 2 = link, 5 = site, 8 = organization, E = global
• Multicast is used in the context of one-to-many.
56
Multicast address examples
• All-nodes addresses: FF01:0:0:0:0:0:0:1, FF02:0:0:0:0:0:0:1
• All-routers addresses: FF01:0:0:0:0:0:0:2, FF02:0:0:0:0:0:0:2, FF05:0:0:0:0:0:0:2
• OSPFv3: AllSPFRouters FF02::5; AllDRouters FF02::6
• Solicited-node address: FF02:0:0:0:0:1:FFXX:XXXX, the concatenation of the prefix FF02:0:0:0:0:1:FF00::/104 with the low-order 24 bits of an address (unicast or anycast)
57
Tunnels to get through IPv6-ignorant routers
• encapsulate IPv6 packets inside IPv4 packets (or MPLS frames)
• many methods exist for establishing tunnels:
  – manual configuration
  – "tunnel brokers" (using a web-based service to create a tunnel)
  – "ISATAP" (intra-domain, using the IPv4 addr as IPv6 interface ID)
  – "6-to-4" (inter-domain, using the IPv4 addr as IPv6 site prefix)
• can view this as:
  – IPv6 using IPv4 as a virtual link-layer, or
  – an IPv6 VPN (virtual public network) over the IPv4 Internet (becoming "less virtual" over time, we hope)
58
6to4 and ISATAP addresses
• 6to4 (RFC 3056) – WAN tunneling
  2002 (/16) | public IPv4 address (32 bits, ending at /48) | SLA (ending at /64) | Interface ID
• ISATAP (Draft) – campus tunneling
  Registry (/23) | ISP prefix 2001:0410 (/32) | site prefix (/48) | (/64) | Interface ID = 00 00 5E FE | IPv4 host address (32 bits)
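The two address formats above built and, more usefully for a defender, decoded back, as an added example that is not part of the slides: a 6to4 or ISATAP address in a log reveals the IPv4 endpoint it tunnels through. The sample IPv4 and prefix values are taken from other slides in the deck; the 0200:5EFE ISATAP variant is from the later RFC 5214, not this deck.

```python
import ipaddress


def sixto4_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """2002:WWXX:YYZZ::/48: the 16-bit 2002 prefix followed by the 32-bit public IPv4 address."""
    v4 = ipaddress.IPv4Address(public_ipv4)
    if not v4.is_global:
        raise ValueError("6to4 needs a public IPv4 address, got %s" % public_ipv4)
    packed = bytes([0x20, 0x02]) + v4.packed + bytes(10)
    return ipaddress.IPv6Network(str(ipaddress.IPv6Address(packed)) + "/48")


def sixto4_site_address(public_ipv4: str, sla: int, iid: bytes) -> ipaddress.IPv6Address:
    """Full 6to4 address: /48 prefix + 16-bit SLA (subnet) + 64-bit interface ID."""
    if not 0 <= sla < 2 ** 16 or len(iid) != 8:
        raise ValueError("SLA is 16 bits and the interface ID 64 bits")
    prefix = sixto4_prefix(public_ipv4).network_address.packed[:6]
    return ipaddress.IPv6Address(prefix + sla.to_bytes(2, "big") + iid)


def isatap_iid(ipv4_host: str) -> bytes:
    """ISATAP interface ID: 00 00 5E FE followed by the IPv4 host address."""
    return bytes([0x00, 0x00, 0x5E, 0xFE]) + ipaddress.IPv4Address(ipv4_host).packed


def isatap_address(prefix: str, ipv4_host: str) -> ipaddress.IPv6Address:
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 link prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + isatap_iid(ipv4_host))


def embedded_ipv4(addr: str) -> dict:
    """Decoder for log review: which tunnelling scheme the address belongs to and the
    IPv4 address it embeds. Both checks can match in a 6to4 site that also runs ISATAP."""
    packed = ipaddress.IPv6Address(addr).packed
    found = {}
    if packed[:2] == b"\x20\x02":
        found["6to4_ipv4"] = str(ipaddress.IPv4Address(packed[2:6]))
    # RFC 5214 sets the U bit (02 00 5E FE) when the embedded IPv4 address is public
    if packed[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        found["isatap_ipv4"] = str(ipaddress.IPv4Address(packed[12:16]))
    return found
```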
59
Routing
• No new structure is being introduced in IPv6 routing
• Uses the IPv4 CIDR method, which relies on the (hierarchical) IPv6 address architecture
• Changes the existing IPv4 routing protocols to handle bigger addresses, e.g. OSPF, RIP, BGP4+
(figure: top level -> next level -> next level -> site -> host/link; top level: 2^13 = 8,192)
60
Outstanding features
• Security
• Quality of Service (QoS)
• Auto-configuration
61
Security extension headers
IPv6 packet = IPv6 header | security extension headers (ESP and/or AH) | higher-level protocol header + application content
• All implementations are expected to support the authentication and encryption headers (IPsec)
• IPsec protects the network layer and provides: authenticity, integrity, confidentiality
• IPsec uses the Encapsulating Security Payload (ESP) and the Authentication Header (AH); both are extension headers
• The security can cover communications between two hosts, two networks, or between a host and a network
62
How does IPsec work?
(figure: network 192.228.140.0 - Security Gateway A - public IP network - Security Gateway B - network 10.0.0.0 with hosts 10.0.0.1 and 10.0.0.2)
Gateway A: secret abcdefg; policies: • local 192.228.140.0 ESP, 3DES, MD5 • remote 10.0.0.0, tunnel to security gateway B
Gateway B: secret abcdefg; policies: • local 10.0.0.0 ESP, 3DES, MD5 • remote 192.228.140.0, tunnel to security gateway A
Note: this IPsec tunnel is built in a network-to-network scenario
63
Authentication header
Format (bits 0-31): Next header (8) | Payload length (8) | Reserved (16); Security Parameters Index (SPI) (32); Sequence number (32); Authentication data (variable)
Packet layout: IP header | AH | TCP | Data, with the whole packet authenticated
• destination address + SPI identifies the Security Association (key, lifetime, algorithm, etc.)
• provides authentication and data integrity for the fields of IPv6 packets that do not change en route (the source and destination are not allowed to change during transit)
• default algorithm is keyed MD5: computing the hash of the combination of the message & the secret key
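The AH rule "only fields that do not change en route are authenticated" carried through in code, as an added example that is not part of the slides: the sender computes the ICV over the packet with the mutable IPv6 fields (hop limit, traffic class, flow label) and the ICV field itself zeroed, a router decrements the hop limit, and the receiver still verifies; any change to the payload does not. HMAC-MD5 truncated to 96 bits stands in for the slide's "keyed MD5" (HMAC-MD5-96 is what RFC 2403 later specified); the key and addresses are sample values from the deck.

```python
import hashlib
import hmac
import ipaddress
import struct

NH_AH, NH_TCP = 51, 6
ICV_LEN = 12  # HMAC-MD5-96: a 96-bit ICV keeps the AH a multiple of 8 octets (24 bytes)
AH_FIXED = 12  # next header, payload len, reserved, SPI, sequence number


def ipv6_header(next_header: int, payload_len: int, src: str, dst: str, hop_limit: int = 64) -> bytes:
    return (struct.pack("!IHBB", 6 << 28, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def ah_header(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Payload Len counts 32-bit words minus 2: (12 + 12) / 4 - 2 = 4 for a 96-bit ICV."""
    payload_len = (AH_FIXED + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def icv_input(packet: bytes, ah_offset: int) -> bytes:
    """Copy of the packet with the mutable fields zeroed: traffic class and flow label
    (routers may rewrite them), hop limit (decremented at every hop) and the ICV itself."""
    buf = bytearray(packet)
    buf[0] = 0x60
    buf[1:4] = bytes(3)
    buf[7] = 0
    icv_start = ah_offset + AH_FIXED
    buf[icv_start:icv_start + ICV_LEN] = bytes(ICV_LEN)
    return bytes(buf)


def compute_icv(key: bytes, packet: bytes, ah_offset: int) -> bytes:
    return hmac.new(key, icv_input(packet, ah_offset), hashlib.md5).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: str, dst: str, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender: IPv6 header (next header = AH) | AH (next header = TCP) | payload."""
    ip6 = ipv6_header(NH_AH, AH_FIXED + ICV_LEN + len(payload), src, dst)
    draft = ip6 + ah_header(NH_TCP, spi, seq, bytes(ICV_LEN)) + payload
    icv = compute_icv(key, draft, 40)
    return ip6 + ah_header(NH_TCP, spi, seq, icv) + payload


def verify_ah(key: bytes, packet: bytes) -> bool:
    """Receiver: recompute over the immutable fields and compare in constant time."""
    if len(packet) < 40 + AH_FIXED + ICV_LEN or packet[6] != NH_AH:
        return False
    ah_len = (packet[41] + 2) * 4
    if ah_len != AH_FIXED + ICV_LEN:
        return False
    received = packet[40 + AH_FIXED:40 + ah_len]
    return hmac.compare_digest(received, compute_icv(key, packet, 40))


def decrement_hop_limit(packet: bytes) -> bytes:
    """What a router on the path does; the hop limit is mutable, so the ICV still holds."""
    return packet[:7] + bytes([packet[7] - 1]) + packet[8:]


# Constructed sample: secret from slide 62, addresses from slides 74 and 78
KEY = b"abcdefg"
PACKET = build_ah_packet(KEY, "2001:410:213:1:260:3EFF:FE47:1530", "3FFE:B00:C18:1::2",
                         spi=0x1000, seq=1, payload=b"TCP segment bytes")
```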
64
Encapsulating Security Payload (ESP)
Packet layout: IP header | ESP header | TCP | Data | ESP trailer | ESP auth data; TCP, Data and the ESP trailer are encrypted; the ESP header through the ESP trailer is authenticated
Format (bits 0-31): Security Parameters Index (SPI) (32); Sequence number (32); Payload data (variable); Padding (variable) | Pad length (8) | Next header (8); Authentication data (variable)
• ESP encrypts the payload data & hides the traffic between the two nodes
• ESP provides authentication as well (but excludes the IP header)
• default algorithm is DES-CBC
65
IPv6 support for Int-Serv
• 20-bit Flow Label field to identify specific flows needing special QoS
  – each source chooses its own Flow Label values; routers use Source Addr + Flow Label to identify distinct flows
  – Flow Label value of 0 is used when no special QoS is requested (the common case today)
• This part of IPv6 is not standardized yet, and may well change semantics in the future
  – http://www.ietf.org/internet-drafts/draft-ietf-ipv6-flow-label-07.txt
66
Real-time support
Applications reserve resources in advance via the Flow Label.
(figure: flow 1 from a workstation to a file server; flow 2 from a PC to a multimedia server)
• All packets belonging to the same flow must be sent with the same source/destination address, traffic class and flow label
67
IPv6 support for Diff-Serv
• 8-bit Traffic Class field to identify specific classes of packets needing special QoS
  – same as the new definition of the IPv4 Type-of-Service byte
  – may be initialized by the source or by a router en route; may be rewritten by routers en route
  – Traffic Class value of 0 is used when no special QoS is requested (the common case today)
68
Neighbor Discovery (RFC 2461)
• Protocol built on top of ICMPv6 (RFC 2463)
  – a combination of IPv4 protocols (ARP, ICMP, …)
• Neighbor Discovery:
  – determines the link-layer address of a neighbor on the same link; Duplicate Address Detection
  – finds neighbor routers; keeps track of neighbors
• Defines 5 ICMPv6 packet (message) types:
  – Router Solicitation / Router Advertisement
  – Neighbor Solicitation / Neighbor Advertisement
  – Redirect
69
Auto-configuration
• Auto-configuration allows hosts to fabricate their own addresses, with or without a DHCP server.
• It is part of Neighbor Discovery (ND): the messages and processes that determine relationships between neighboring nodes.
Processes:
- router discovery (similar to ICMPv4 Router Discovery)
- prefix discovery (similar to ICMPv4 Address Mask Request/Reply)
- autoconfiguration of address & other parameters
- duplicate address detection
- neighbor unreachability detection
- link-layer address resolution (similar to ARP in IPv4)
- first-hop redirect (similar to the IPv4 ICMP Redirect message)
70
Auto-configuration
• The interface identifier is formed from the EUI-64 by complementing the "Universal/Local" (U/L) bit, which is the next-to-lowest order bit of the first octet of the EUI-64.
  - for example, the Ethernet EUI-48 (MAC) 00:50:56:d9:88:38 corresponds to the EUI-64 00:50:56:FF:FE:d9:88:38; the interface identifier is 02:50:56:FF:FE:d9:88:38
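The interface-ID derivation above, the link-local and global addresses built from it, the solicited-node multicast address of slide 56 that DAD (slide 73) sends to, and an RFC 3041 style random ID (slide 49) in one added example that is not part of the slides. The last function shows the privacy point from the defender's side: an EUI-64 derived address hands the MAC to anyone who sees it. Sample MACs and prefixes are the ones on slides 70 and 74.

```python
import ipaddress
import secrets


def mac_to_modified_eui64(mac: str) -> bytes:
    """Expand a 48-bit MAC to the 64-bit interface ID of slide 70: insert FF:FE in the
    middle, then complement the U/L bit (bit 1 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits: %s" % mac)
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui64[0] ^ 0x02]) + eui64[1:]


def address_from_prefix(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (as learned from a router advertisement) with a 64-bit interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("stateless autoconfiguration needs a /64 prefix and a 64-bit IID")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """The address a host forms first, before any router has been heard (slide 50)."""
    return address_from_prefix("fe80::/64", mac_to_modified_eui64(mac))


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FFXX:XXXX: the /104 prefix plus the low-order 24 bits of the unicast address."""
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24)


def random_iid() -> bytes:
    """RFC 3041 style temporary interface ID: 64 random bits with the U/L bit cleared,
    so it can never collide with an ID derived from a globally unique EUI-64."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD
    return bytes(iid)


def mac_from_eui64_address(addr: str):
    """Defender's view: an EUI-64 derived address leaks the MAC. Recover it, or None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % b for b in octets)
```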
71
Auto-configuration (cont.)
"Plug and play" feature
Stateless mode: via ICMP (no server required). IPv6 address = prefix + link address: the prefix 3ffe:89::/64 (from the router advertisement) + the link address 00:A87:C09:1BE:CC7:BA gives 3ffe:89::A87:C09:1BE:CC7:BA
Stateful server mode: via DHCP. The host sends a DHCP request (carrying its link address 00:A87:C09:1BE:CC7:BA) and the DHCP server responds with the address 3ffe:89::A87:C09:1BE:CC7:BA
72
Stateless autoconfiguration
1 - ICMP Type = 133 (RS)
  Src = ::
  Dst = all-routers multicast address
  Query = please send RA
2 - ICMP Type = 134 (RA)
  Src = router link-local address
  Dst = all-nodes multicast address
  Data = options, prefix, lifetime, autoconfig flag
Router solicitations are sent by booting nodes to request RAs for configuring the interfaces.
73
Duplicate Address Detection
(figure: host A sends a neighbor solicitation on the link, host B listens)
ICMP type = 135
Src = 0 (::)
Dst = solicited-node multicast of A
Data = link-layer address of A
Query = what is your link address?
Duplicate Address Detection (DAD) uses neighbor solicitation to verify the existence of an address to be configured.
74
IPv6 addressing examples
LAN: 3ffe:b00:c18:1::/64
Ethernet0, MAC address: 0060.3e47.1530
router# show ipv6 interface Ethernet0
Ethernet0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::260:3EFF:FE47:1530
  Global unicast address(es):
    2001:410:213:1:260:3EFF:FE47:1530, subnet is 2001:410:213:1::/64
  Joined group address(es):
    FF02::1:FF47:1530
    FF02::1
    FF02::2
  MTU is 1500 bytes
Configuration:
interface Ethernet0
 ipv6 address 2001:410:213:1::/64 eui-64
75
Auto-configuration: renumbering
Host renumbering is done by modifying the RA to announce the old prefix with a short lifetime and the new prefix.
The router renumbering protocol (RFC 2894) allows domain-interior routers to learn of prefix introduction / withdrawal.
(figure: the RA indicates the SUBNET PREFIX; every host on the link forms SUBNET PREFIX + MAC ADDRESS)
At boot time, an IPv6 host builds a link-local address, then its global IPv6 address(es) from the RA.
76
Overview of Mobile IPv6
(figure: mobile node (MN), home agent (HA) and correspondent node (CN), with steps 1-4)
• 1. MN obtains a local IP address using stateless or stateful autoconfiguration (Neighbor Discovery)
• 2. MN registers with the HA by sending a Binding Update
• 3. HA intercepts traffic for the registered MN and tunnels packets from the CN to the MN
• 4. MN sends packets to the CN directly or via the HA using the tunnel
77
Route optimization
(figure: home agent, correspondent host and mobile node; CN-to-MN traffic goes direct)
• Traffic is routed directly from the CN to the MN
• Binding Update SHOULD be part of every IPv6 node implementation
• IPv4 also has route optimization, but the CN needs an enhanced IP stack and key management is a problem
• Security issues: shared key or PKI problem; we need a scalable solution
78
IPv6 and DNS
IPv6:
  Hostname to IP address: AAAA record: www.abc.test AAAA 3FFE:B00:C18:1::2
  IP address to hostname: PTR record: 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.0.0.b.0.e.f.f.3.ip6.arpa PTR www.abc.test.
IPv4:
  Hostname to IP address: A record: www.abc.test. A 192.168.30.1
  IP address to hostname: PTR record: 1.30.168.192.in-addr.arpa. PTR www.abc.test.
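The reverse-mapping names above generated and parsed back, as an added example that is not part of the slides: the ip6.arpa owner name is all 32 nibbles of the expanded address in reverse order, which is why it is hard to read by eye and worth checking mechanically; the last function does the consistency check (does the PTR owner really correspond to the address?) that log enrichment and anti-spoofing tools perform.

```python
import ipaddress


def ip6_arpa_name(addr: str) -> str:
    """Owner name for an IPv6 PTR record: the 32 nibbles of the expanded address, reversed."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def in_addr_arpa_name(addr: str) -> str:
    """Owner name for an IPv4 PTR record: the four octets in reverse order."""
    octets = str(ipaddress.IPv4Address(addr)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def reverse_name(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    return ip6_arpa_name(addr) if ip.version == 6 else in_addr_arpa_name(addr)


def address_from_ptr_name(name: str):
    """Inverse mapping; accepts an optional trailing dot as written in zone files."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        hexstr = "".join(reversed(labels[:32]))
        return ipaddress.IPv6Address(int(hexstr, 16))
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    raise ValueError("not a full reverse-mapping name: %s" % name)


def ptr_consistent(addr: str, ptr_owner: str) -> bool:
    """True when the PTR owner name really belongs to the address."""
    try:
        return address_from_ptr_name(ptr_owner) == ipaddress.ip_address(addr)
    except ValueError:
        return False


def matches_stdlib(addr: str) -> bool:
    """Cross-check against the standard library's reverse_pointer property."""
    return reverse_name(addr) == ipaddress.ip_address(addr).reverse_pointer
```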
79
Migration techniques
• Dual stack host
• Tunneling
• Translation
80
Dual stack host
• Supports both IPv4 and IPv6
• Determines which stack to use via DNS
(figure: application | TCP | IPv4 and IPv6 side by side | Ethernet; the dual stack host talks to both IPv4 and IPv6 peers)
81
Automatic tunneling
(figure: IPv6 host ::1.2.3.4 and IPv4/6 host 2.3.4.5 reached across an IPv4 network)
• Encapsulate the IPv6 packet in IPv4
• Relies on IPv4-compatible IPv6 addresses
Inner IPv6 header: vers = 6 | traffic class | flow label; payload len | next header | hop limit; src = ::1.2.3.4 (IPv4-compatible IPv6 addr); dst = ::2.3.4.5 (IPv4-compatible IPv6 addr); payload
Outer IPv4 header added for the IPv4 network: vers = 4 | hl | TOS | len; ident | frag offset; TTL | prot | checksum; src = 1.2.3.4; dst = 2.3.4.5 (the IPv4 addresses embedded in the compatible addresses)
(figure: the IPv4 header is removed at 2.3.4.5 and the original IPv6 packet continues)
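Both ends of the automatic tunnel above as an added example that is not part of the slides: the encapsulator derives the outer IPv4 addresses from the IPv4-compatible inner addresses, and the decapsulator refuses any protocol-41 packet whose inner addresses do not embed exactly the outer IPv4 pair, the check that stops a tunnel endpoint from injecting spoofed inner sources into the IPv6 side. The outer IPv4 checksum is left at zero here (it is not the point of the example).

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv6 encapsulated in IPv4


def ipv6_packet(src: str, dst: str, payload: bytes, next_header: int = 17) -> bytes:
    s = ipaddress.IPv6Address(src).packed
    d = ipaddress.IPv6Address(dst).packed
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + s + d + payload


def embedded_v4(addr6: ipaddress.IPv6Address) -> ipaddress.IPv4Address:
    """The IPv4 address inside an IPv4-compatible address (::a.b.c.d); :: and ::1 excluded."""
    value = int(addr6)
    if value >> 32 != 0 or value in (0, 1):
        raise ValueError("%s is not an IPv4-compatible address" % addr6)
    return ipaddress.IPv4Address(value & 0xFFFFFFFF)


def encapsulate(inner: bytes) -> bytes:
    """Automatic tunnelling: outer IPv4 addresses come from the compatible inner addresses."""
    outer_src = embedded_v4(ipaddress.IPv6Address(inner[8:24]))
    outer_dst = embedded_v4(ipaddress.IPv6Address(inner[24:40]))
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0x4000, 64,
                        IPPROTO_IPV6, 0, outer_src.packed, outer_dst.packed)
    return outer + inner


def decapsulate(outer: bytes) -> bytes:
    """Tunnel endpoint checks before the inner packet is handed to the IPv6 stack."""
    if len(outer) < 20 or outer[0] >> 4 != 4 or outer[9] != IPPROTO_IPV6:
        raise ValueError("not an IPv6-in-IPv4 packet")
    ihl = (outer[0] & 0x0F) * 4
    total_len = struct.unpack("!H", outer[2:4])[0]
    if total_len != len(outer) or total_len < ihl + 40:
        raise ValueError("bad outer length")
    outer_src = ipaddress.IPv4Address(outer[12:16])
    outer_dst = ipaddress.IPv4Address(outer[16:20])
    inner = outer[ihl:]
    if inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    inner_src = ipaddress.IPv6Address(inner[8:24])
    inner_dst = ipaddress.IPv6Address(inner[24:40])
    # The inner compatible addresses must embed exactly the outer IPv4 pair; otherwise
    # the tunnel would accept an inner IPv6 source the IPv4 layer never vouched for.
    if embedded_v4(inner_src) != outer_src or embedded_v4(inner_dst) != outer_dst:
        raise ValueError("inner/outer address mismatch")
    return inner


def accepts(outer: bytes) -> bool:
    try:
        decapsulate(outer)
        return True
    except ValueError:
        return False


# Constructed sample using the slide's two hosts
INNER = ipv6_packet("::1.2.3.4", "::2.3.4.5", b"hello")
OUTER = encapsulate(INNER)
```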
82
Configured tunneling
(figure: IPv6 host 2001::A:A:B and IPv6 host 2001::B:B:C, with tunnel endpoints R1 and R2 across an IPv4 network)
• Encapsulate the IPv6 packet in IPv4
• IPv6-only addresses
Inner IPv6 header: vers = 6 | traffic class | flow label; payload len | next header | hop limit; src = 2001::A:A:B (IPv6 addr); dst = 2001::B:B:C (IPv6 addr); payload
Outer IPv4 header, added by R1 and removed by R2: vers = 4 | hl | TOS | len; ident | frag offset; TTL | prot | checksum; src = R1; dst = R2
(figure: after R2 the original IPv6 packet continues to 2001::B:B:C)
83
Translation
IPv6-IPv4 translation: translating both the network address and the protocol from IPv6 to IPv4 and vice versa
(figure: IPv6-only devices | NAT-PT | IPv4-only and dual-stack devices)
84
IPv6 and IPv4 coexistence
85
Specification
• development is coordinated by the IETF, specifically by the IPv6/IPng Working Group
• a number of IPv6 specifications have already become IETF Draft Standards; well-tested and proven stable. Visit: http://playground.sun.com/ipng/specs/standards.html
• others are proposals, with more new standards coming along. Visit: http://playground.sun.com/ipng/specs/specifications.html
• discussions on specifications are carried out in mailing lists such as: [email protected] or [email protected]
86
Implementation
• most IP stack vendors are actively working towards fully supporting IPv6
  router: 3com, Nortel, CISCO, Hitachi, Telebit, Zebra
  host: IBM, HP, Kame, BSDI, Sun, Microsoft, Linux, OpenBSD
• beta releases are commonly found and testers are always welcome
• for details, visit: http://playground.sun.com/pub/ipng/html/ipng-implementations.html
87
Recent IPv6 "hot topics" in the IETF
• multihoming
• address selection
• address allocation
• DNS discovery
• 3GPP usage of IPv6
• anycast addressing
• scoped address architecture
• flow-label semantics
• API issues (flow label, traffic class, PMTU discovery, scoping, …)
• enhanced router-to-host info
• site renumbering procedures
• inter-domain multicast routing
• address propagation and AAA issues of different access scenarios
• end-to-end security vs. firewalls
• and, of course, transition / co-existence / interoperability with IPv4 (a bewildering array of transition tools and techniques)
Note: this indicates vitality, not incompleteness, of IPv6!
88
References
Books:
  TCP/IP Illustrated, Volume 1: The Protocols, Richard Stevens, Addison-Wesley, 2000
  IPv6: The New Internet Protocol, Christian Huitema, Prentice Hall, 1997
  IPv6 Networks, Marcus Goncalves & Kitty Niles, McGraw Hill, 1998
  IPv6: The New Version of the Internet Protocol, Steve Deering, APRICOT 2000
WWW:
  www.6bone.net
  www.microsoft.com
  www.playground.sun.com
  www.manis.net.my
  www.cbe.ku.ac.th/~nguan/resource/slide/network.html
RFCs:
  RFC 2373: IP Version 6 Addressing Architecture, July 1998
  RFC 2460: Internet Protocol, Version 6 (IPv6) Specification, Dec 1998
  RFC 2461: Neighbor Discovery for IP Version 6 (IPv6), Dec 1998
  RFC 2462: IPv6 Stateless Address Autoconfiguration, Dec 1998
  RFC 2471: IPv6 Testing Address Allocation, Dec 1998