IPv6 Transitioning
Ram P Rustagi, ISE Dept, PESIT
[email protected]
Mar 09-10, 2013

Network Setup

[Figure: visual/logical connectivity: Ha -- n/w-1 -- R1 -- n/w-2 -- R2 -- n/w-3 -- Hb]
[Figure: physical connectivity: Ha (eth1) -- Switch -- (eth1) R1 (eth2) -- Switch -- (eth2) R2 (eth1) -- Switch -- (eth1) Hb]

Network Setup

[Figure: visual/logical connectivity of the IPv4 network: Ha -- IPv4 -- R1 -- IPv4 -- R2 -- IPv4 -- Hb]
[Figure: physical connectivity: Ha (eth1) -- Switch -- (eth1) R1 (eth2) -- Switch -- (eth2) R2 (eth1) -- Switch -- (eth1) Hb]

IPv4 Routing

• Need to be clear about IPv4 address space and subnetting
  – comfortable with DDN (Dotted Decimal Notation)
• Use the iproute2 package, i.e. the command 'ip -4'
  – option '-4' is the default, and thus need not be specified
• We will use the following private local address space for our lab
  – prefix 172.16.0.0/16
    • Group 1: 172.16.1.0/24 to 172.16.3.0/24
    • Group 2: 172.16.5.0/24 to 172.16.7.0/24
    • :
    • Group 15: 172.16.61.0/24 to 172.16.63.0/24
• Use the following host part of the address
  – .1 for the first address and .201 for the 2nd address
  – example:
    • 172.16.1.1, 172.16.1.201
    • 172.16.2.1, 172.16.2.201
    • 172.16.3.1, 172.16.3.201

Extra Exercises

• Ex 1: Use VLSM (Variable Length Subnet Masking)
  – use a single network like 172.16.1.0/24 to make 3 networks, and then do the subnetting
  – assume the number of addresses in each network as: NW1 - 100, NW2 - 6, NW3 - 50
• Ex 2: Connect Ha to two networks via two routers directly

[Figure: Ha, R1, R2 and Hb connected over the IPv4 networks NW-1, NW-2 and NW-3]
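Ex 1 above asks for a VLSM plan. The following is an added worked example (not part of the slides) that carves 172.16.1.0/24 for the three networks in the exercise, largest first, and then checks the lab's .1/.201 host convention from the IPv4 Routing slide against the resulting subnet sizes; the function names are the example's own.

```python
import ipaddress

def vlsm_allocate(block, demands):
    """Carve `block` into one subnet per named network using VLSM.

    Largest demand first; each allocation halves a free block until it is
    just big enough, so the leftover space stays in large contiguous pieces.
    Returns (plan, free): the chosen subnets and the unallocated remainder.
    """
    free = [ipaddress.IPv4Network(block)]
    plan = {}
    for name, hosts in sorted(demands.items(), key=lambda kv: kv[1], reverse=True):
        # Smallest prefix whose 2**k addresses cover hosts + network + broadcast.
        prefix = min(30, 32 - (hosts + 1).bit_length())
        # Tightest free block that is still large enough (longest prefix first).
        fits = [n for n in free if n.prefixlen <= prefix]
        if not fits:
            raise ValueError(f"no room left for {name} ({hosts} hosts)")
        cand = max(fits, key=lambda n: (n.prefixlen, -int(n.network_address)))
        free.remove(cand)
        while cand.prefixlen < prefix:
            cand, spare = cand.subnets(prefixlen_diff=1)  # keep the upper half free
            free.append(spare)
        plan[name] = cand
    return plan, sorted(free)

def lab_host_addresses(network, offsets=(1, 201)):
    """Lab convention from the IPv4 Routing slide: host .1 and host .201.

    Raises if an offset is not a usable host address in the subnet, which is
    exactly what happens once VLSM shrinks a /24 to a /25 or smaller.
    """
    net = ipaddress.IPv4Network(network)
    addrs = []
    for off in offsets:
        if not 1 <= off < net.num_addresses - 1:
            raise ValueError(f".{off} is not a usable host address in {net}")
        addrs.append(f"{net.network_address + off}/{net.prefixlen}")
    return addrs

if __name__ == "__main__":
    # Constructed input: the sizes given in Ex 1 of the slides.
    plan, free = vlsm_allocate("172.16.1.0/24", {"NW1": 100, "NW2": 6, "NW3": 50})
    for name, net in plan.items():
        print(f"{name}: {net}  usable hosts = {net.num_addresses - 2}")
    print("free:", [str(n) for n in free])
```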

Network Setup - FAQ

• How to identify which i/f is eth0, eth1 or eth2 etc.
  – look at the MAC address starting with 50:e5:49
    • this corresponds to the i/f on the motherboard
    • in the o/p of 'ip addr', it may show as eth1 or eth2
• Should one delete/override the address 192.168.13.x/21
  – not required, though you may remove it if you want to
  – these are backbone addresses (college network)
    • with the default gateway 192.168.8.1
• Should we use the backbone (wall socket) instead of switches
  – no. Using it you may see a lot of unnecessary traffic
  – it may confuse you with unwanted neighbor entries
• Should we not use commands like ifconfig, route, arp etc.
  – these are deprecated commands; use the commands from the iproute2 pkg
    • ip addr [options]
    • ip route [options]
    • ip neigh [options]

Network Setup - FAQ

• Wireshark hangs when we enter host a.b.c.d
  – this is a bug in wireshark, so either wait for a few (20 or so) seconds
  – or instead use tcpdump -n -i ethX -s0 -w file.pcap <filter>
  – sudo killall dnsmasq
• Should I use the ping command with the -c N option
  – strongly recommended; option -c2 should be fine for most cases
  – otherwise you have to abort using ^C
  – please do not use ^Z
• For routers, should I run two different wireshark captures
  – yes. It will give you better clarity on what is actually happening
• Why should I specify capture filters and not capture all packets
  – it may capture too many packets
  – that will make it tough to search for the packets you are interested in
• Can I use wireshark in my own work place
  – yes. It is a very helpful tool to help you debug network activity

Network Setup - FAQ

• Can we assign multiple IP addresses to a single interface
  – yes. An interface can support multiple IP addresses.
• Our connectivity is fine, but we are not able to ping
  – switches showing lights means you are physically connected
  – check your routing table. Most likely this is the culprit.
  – check local reachability in the network. This MUST work
• Routing appears correct, still it is not working
  – analyze from the wireshark capture where the packet is going
  – due to previous incorrect config (info in cache/RAM, not shown)
  – remove the default route entry
• Why does the IP address get removed when the wire is removed or the switch is rebooted
  – addresses are assigned manually and are not configured permanently
  – on link reset, the address goes away
  – need to reconfigure the same

Wireshark filters - FAQ

• What are the good capture filters
  – for capturing traffic for a given network or networks
    • net 172.16.1.0/24 or net 172.16.2.0/24
    • net FD00:0101::/64 or net FD00:0102::/64
  – for capturing a specific source and/or destination
    • src 172.16.1.1 and dst 172.16.3.201
    • src FD00:0101::52E5:49FF:FE1D:4A8C or dst FD00:0102::52E5:49FF:FE1C:AA96
  – for capturing a specific protocol, application or TCP/UDP port no.
    • port 80 (there is no 'http' capture filter; 'http' works only as a display filter)
    • port 80 or port 8080
    • udp and port 23456

Wireshark filters - FAQ

• What is the difference between capture filters and display filters?
  – capture filters are used for capturing only the relevant packets
  – display filters are used for displaying selected packets from what has been captured
    • these may be used to analyze a subset of packets, e.g.
      – packets on one TCP connection
      – looking at only TCP SYN/RST packets etc.
• Can I save a few packets in a separate file from a captured file
  – YES. One can save selected packets, a range of packets, and a combination of these.
• When typing host a.b.c.d, it hangs
  – it is due to a reverse DNS lookup which times out
  – kill the local dnsmasq
    • sudo service dnsmasq stop

IPv6 Routing

• Similar to IPv4 routing
• Need to be clear about IPv6 address space and subnetting
  – comfortable with hex colon notation
  – comfortable generating an EUI-64 interface identifier from a MAC address
• Generally a /64 mask is used for IPv6
• Need to use 'ip -6' to specify IPv6
  – the command syntax remains the same
• We will use unique local address space for our lab exercise
  – prefix FD00:
    • Group 01: FD00:0101::/64 to FD00:0103::/64
    • Group 02: FD00:0105::/64 to FD00:0107::/64
    • :
    • Group 15: FD00:0157::/64 to FD00:0159::/64

Setting up IPv6 Routing

• Example IP addresses
  – N11: IPv6 address of Ha (eth1)
    • fd00:1001::52e5:49ff:fe1d:4a8c/64
  – N12: IPv6 address of R1 (eth1)
    • fd00:1001::52e5:49ff:fe1d:4aa7/64
  – N21: IPv6 address of R1 (eth2)
    • fd00:1003::fe75:16ff:fe88:4f86/64
  – N22: IPv6 address of R2 (eth2)
    • fd00:1003::baa3:86ff:fe04:1bc3/64
  – N31: IPv6 address of R2 (eth1)
    • fd00:1002::52e5:49ff:fe1b:cf30/64
  – N32: IPv6 address of Hb (eth1)
    • fd00:1002::52e5:49ff:fe1c:aa96/64

[Figure: Ha -- Network-1 fd00:1001::/64 -- R1 -- Network-2 fd00:1003::/64 -- R2 -- Network-3 fd00:1002::/64 -- Hb; all IPv6]
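The interface identifiers in the addresses above are modified EUI-64 values built from the hosts' MAC addresses (the 50:e5:49 prefix from the FAQ is visible as 52e5:49ff:fe..). The following is an added example, not from the slides, that derives such an address from a MAC and recovers the MAC from an address, which is also a reminder that EUI-64 addresses expose the hardware address to anyone who sees the packet. The MAC used as input is the one implied by N11; the function names are the example's own.

```python
import ipaddress
from typing import Optional

def modified_eui64(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) as a 64-bit int.

    The 48-bit MAC is split after the OUI, ff:fe is inserted in the middle,
    and the universal/local bit (0x02 of the first octet) is inverted.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return int.from_bytes(iid, "big")

def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 of `mac`, in the form 'ip -6 addr add' takes."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers need a /64 prefix")
    addr = ipaddress.IPv6Address(int(net.network_address) | modified_eui64(mac))
    return f"{addr}/{net.prefixlen}"

def mac_from_eui64_address(address: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 address; None if the IID is not EUI-64 shaped."""
    host = ipaddress.IPv6Address(address.split("/")[0])
    iid = bytearray(int(host).to_bytes(16, "big")[8:])
    if iid[3:5] != b"\xff\xfe":
        return None   # privacy/random or manually chosen identifier
    iid[0] ^= 0x02    # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])

if __name__ == "__main__":
    # Constructed input: the MAC behind N11 on the slide above.
    print(eui64_address("fd00:1001::/64", "50:e5:49:1d:4a:8c"))
    print(mac_from_eui64_address("fd00:1001::52e5:49ff:fe1d:4aa7/64"))
```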

Setting up IPv6 Routing

• Step 1: set up the IP addresses as given above for N1, N2 and N3
• Step 2: configure the routing in Ha, R1, R2 and Hb
• Step 3: use ping6 to check if the setup is working
• Step 4: use wireshark/tcpdump to analyze the packets

Setting up IPv6 Routing

• Setting up the addresses (N11 etc. stand for the addresses listed above)
  – configuring eth1 of Ha
    • sudo ip -6 addr add N11 dev eth1
  – configuring eth1 of R1
    • sudo ip -6 addr add N12 dev eth1
  – configuring eth2 of R1
    • sudo ip -6 addr add N21 dev eth2
  – configuring eth2 of R2
    • sudo ip -6 addr add N22 dev eth2
  – configuring eth1 of R2
    • sudo ip -6 addr add N31 dev eth1
  – configuring eth1 of Hb
    • sudo ip -6 addr add N32 dev eth1

Configure Routing in Ha and Hb

• At Ha, define routing so as to reach network N3
  – sudo ip -6 route add fd00:1002::/64 via N12
• At Hb, define routing so as to reach network N1
  – sudo ip -6 route add fd00:1001::/64 via N31
• Verify the configuration entries
  – ip addr show
  – ip -6 route show (without -6, 'ip route show' lists only the IPv4 table)

Setting up IPv6 Routing

• Configuring routers R1 and R2 to forward IPv6 packets
• Configuring R1
  – enable the routing function
    • sudo sysctl -w net.ipv6.conf.all.forwarding=1
  – define routing for N3 only; N1 and N2 are directly connected
    • sudo ip -6 route add fd00:1002::/64 via N22
• Configuring R2
  – enable the routing function
    • sudo sysctl -w net.ipv6.conf.all.forwarding=1
  – define routing for N1 only; N2 and N3 are directly connected
    • sudo ip -6 route add fd00:1001::/64 via N21

Using IPv6 Network

• Check reachability of N3 (Hb) from N1 (Ha)
  – ping6 -I eth1 -c2 N32
• Run TCP and/or UDP applications
  – use netcat (nc)
  – use a browser on Ha to access the web server on Hb
  – use ssh to log in to Hb from Ha
• Analyzing packets
  – run wireshark on R1 on both interfaces
    • specify the proper capture filter
  – on eth2 (the interface towards R2, Network-2)
    • net fd00:1003::/64
  – on eth1 (the interface towards Ha, Network-1)
    • net fd00:1001::/64 or net fd00:1002::/64

Using IPv6 Network

• Starting the web server on Hb
  – restart apache so that it can bind on IPv6
  – sudo service apache2 restart
• Using the browser
  – type the URL
    • http://[N32]
  – note: the square brackets are mandatory around a literal IPv6 address
  – the web page will be served
• Using dual stack
  – send a large file (1 MB)
  – see how many packets are sent

IPv6 Tunneling over IPv4

• Why tunneling?
  – two islands of IPv6 network
    • connected via an IPv4 network
  – a transition strategy to enable communication among IPv6 networks
• What is tunneling
  – two end points are defined
  – each is aware of both types of network
  – each encapsulates and decapsulates
• Tunneling handshake
  – no handshake needed
  – it is just encapsulation and decapsulation
• Transmission
  – first encapsulation
  – the new destination address is the tunnel end point
  – the packet is delivered to the other end point
  – decapsulation

Network Setup

[Figure: visual connectivity of the mixed IPv4/IPv6 network: Ha -- IPv6 -- R1 -- IPv4 -- R2 -- IPv6 -- Hb]
[Figure: physical connectivity: Ha (eth1) -- Switch -- (eth1) R1 (eth2) -- Switch -- (eth2) R2 (eth1) -- Switch -- (eth1) Hb]

Tunnel Setup

• Define R1 and R2 as tunnel end points
  – create tunnel interfaces
  – define routing for the network at the other end via the tunnel interface
  – similar to routing entries via an interface without a next hop?
• Tunneling implementation at the routers (R1, R2)
  – encapsulates packets at one end
  – decapsulates at the other end

[Figure: tunnel connectivity: Ha -- IPv6 -- R1 == Tunnel == R2 -- IPv6 -- Hb]

IP in IP Tunnel

• IP in IP encapsulation
  – used in Mobile IP (RFC 2003)
  – from home agent to foreign agent
  – describes how to take an IP packet
    • and make it the payload of another packet
  – a mechanism to change the normal routing of an IP datagram
  – source ----> encapsulator ----> decapsulator ----> destination
• Other encapsulation methods
  – Minimal Encapsulation within IP (RFC 2004)
  – GRE (Generic Routing Encapsulation) tunnels (RFC 1701)

IP in IP Tunnel

• Disadvantages of an IP-in-IP tunnel
  – the encapsulated datagram becomes larger
    • compared to the Source Routing option
  – encapsulation cannot be used unless
    • a node at the tunnel exit point can decapsulate

                                     +---------------------------+
                                     |      Outer IP Header      |
  +------------------+               +---------------------------+
  |    IP Header     |               |         IP Header         |
  +------------------+     ====>     +---------------------------+
  |                  |               |                           |
  |    IP Payload    |               |         IP Payload        |
  |                  |               |                           |
  +------------------+               +---------------------------+

IP in IP Tunnel

• IP-in-IP encapsulation
  – the outer IP header src/dst addresses identify the tunnel end points
  – the inner IP header remains unchanged by the encapsulator
    • except the TTL
  – the tunnel originator does path MTU discovery to deal with fragmentation issues

Setting up IPv6 Tunnel

• Example IP addresses
  – N11: IPv6 address of Ha (eth1)
    • fd00:1001::52e5:49ff:fe1d:4a8c/64
  – N12: IPv6 address of R1 (eth1)
    • fd00:1001::52e5:49ff:fe1d:4aa7/64
  – N21: IPv4 address of R1 (eth2)
    • 172.30.1.1/24
  – N22: IPv4 address of R2 (eth2)
    • 172.30.1.2/24
  – N31: IPv6 address of R2 (eth1)
    • fd00:1002::52e5:49ff:fe1b:cf30/64
  – N32: IPv6 address of Hb (eth1)
    • fd00:1002::52e5:49ff:fe1c:aa96/64

[Figure: Ha -- Network-1 fd00:1001::/64 -- R1 == Tunnel over Network-2 172.30.1.0/24 == R2 -- Network-3 fd00:1002::/64 -- Hb]

Setting up IPv6 Tunnel

• Step 1: set up the IP addresses as given above for N1, N2 and N3
• Step 2: configure the tunnel end points
• Step 3: use ping6 to check if the setup is working
• Step 4: use wireshark/tcpdump to analyze the packets

Setting up IPv6 Tunnel

• Setting up the addresses (N11 etc. stand for the addresses listed above)
  – configuring eth1 of Ha
    • sudo ip -6 addr add N11 dev eth1
  – configuring eth1 of R1
    • sudo ip -6 addr add N12 dev eth1
  – configuring eth2 of R1
    • sudo ip -4 addr add N21 dev eth2
  – configuring eth2 of R2
    • sudo ip -4 addr add N22 dev eth2
  – configuring eth1 of R2
    • sudo ip -6 addr add N31 dev eth1
  – configuring eth1 of Hb
    • sudo ip -6 addr add N32 dev eth1

Setting up IPv6 Tunnel

• Configuring the routers as tunnel end points
  – note: currently both R1 and R2 are on the same IPv4 network, and hence no IPv4 routing is required. Generally these will be on different networks, and hence IPv4 routing needs to be set up as well.
• Configuring R1
  – enable the routing function for both IPv4 and IPv6
    • sudo sysctl -w net.ipv6.conf.all.forwarding=1
    • sudo sysctl -w net.ipv4.ip_forward=1
  – create a tunnel and bring it up
    • sudo ip tunnel add mytun mode sit remote 172.30.1.2 local 172.30.1.1 dev eth2
    • sudo ip link set dev mytun up
  – give an equivalent IPv6 address to this tunnel end point (2002:ac1e:0101:: is the 6to4-style prefix for 172.30.1.1, i.e. ac1e:0101 in hex)
    • sudo ip -6 addr add 2002:ac1e:0101::1/16 dev mytun
  – add routing for N3 via this tunnel
    • sudo ip -6 route add fd00:1002::/64 dev mytun

Setting up IPv6 Tunnel

• Configuring R2
  – enable the routing function for both IPv4 and IPv6
    • sudo sysctl -w net.ipv6.conf.all.forwarding=1
    • sudo sysctl -w net.ipv4.ip_forward=1
  – create a tunnel and bring it up
    • sudo ip tunnel add mytun mode sit remote 172.30.1.1 local 172.30.1.2 dev eth2
    • sudo ip link set dev mytun up
  – give an equivalent IPv6 address to this tunnel end point (2002:ac1e:0102:: corresponds to 172.30.1.2)
    • sudo ip -6 addr add 2002:ac1e:0102::1/48 dev mytun
  – add routing for N1 via this tunnel
    • sudo ip -6 route add fd00:1001::/64 dev mytun
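What 'mode sit' does to every packet that crosses the tunnel, shown as an added Python example (neither the kernel's nor the slides' code): the IPv6 packet from Ha is wrapped in an IPv4 header with protocol 41 whose addresses are the tunnel end points, and the far end only strips that header if the packet really came from the configured remote for the configured local address. The ICMPv6 echo is constructed inline; the addresses are the ones from the tunnel slides.

```python
import struct
import ipaddress

SIT_PROTO = 41  # IPv4 protocol number for IPv6-in-IPv4, what 'ip tunnel ... mode sit' uses

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum, used for the IPv4 header and ICMPv6."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def icmpv6_echo(src: str, dst: str, ident: int = 1, seq: int = 1, data: bytes = b"sit-demo") -> bytes:
    """Constructed IPv6 packet carrying an ICMPv6 echo request (what ping6 sends)."""
    s, d = ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed
    icmp = struct.pack("!BBHHH", 128, 0, 0, ident, seq) + data
    pseudo = s + d + struct.pack("!I3xB", len(icmp), 58)  # ICMPv6 checksum covers a pseudo-header
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(pseudo + icmp)) + icmp[4:]
    return struct.pack("!IHBB", 0x60000000, len(icmp), 58, 64) + s + d + icmp

def encapsulate(inner: bytes, local: str, remote: str, ttl: int = 64) -> bytes:
    """Tunnel entry: prepend an IPv4 header (DF set, as path MTU discovery needs) to the IPv6 packet."""
    if inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0x4000, ttl, SIT_PROTO, 0,
                      ipaddress.IPv4Address(local).packed, ipaddress.IPv4Address(remote).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + inner

def decapsulate(outer: bytes, local: str, remote: str) -> bytes:
    """Tunnel exit: return the inner IPv6 packet, but only for protocol 41 between the configured end points."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[0] >> 4 != 4 or inet_checksum(outer[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    src, dst = str(ipaddress.IPv4Address(outer[12:16])), str(ipaddress.IPv4Address(outer[16:20]))
    if outer[9] != SIT_PROTO or src != remote or dst != local:
        raise ValueError(f"not a packet for this tunnel: proto {outer[9]}, {src} -> {dst}")
    total_len = struct.unpack("!H", outer[2:4])[0]
    return outer[ihl:total_len]

if __name__ == "__main__":
    echo = icmpv6_echo("fd00:1001::52e5:49ff:fe1d:4a8c", "fd00:1002::52e5:49ff:fe1c:aa96")
    on_wire = encapsulate(echo, local="172.30.1.1", remote="172.30.1.2")             # at R1
    print(len(echo), "->", len(on_wire), "bytes on eth2, IPv4 protocol", on_wire[9])
    assert decapsulate(on_wire, local="172.30.1.2", remote="172.30.1.1") == echo     # at R2
```

The sizes printed are what the captures on the following slides show: the IPv6 packet reappears unchanged after the 20-byte outer header is removed.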

Configure Routing in Ha and Hb

• At Ha, define routing so as to reach network N3
  – sudo ip -6 route add fd00:1002::/64 via N12
• At Hb, define routing so as to reach network N1
  – sudo ip -6 route add fd00:1001::/64 via N31
• Verify the configuration entries
  – ip addr show
  – ip -6 route show (without -6, 'ip route show' lists only the IPv4 table)

Using Tunnel

• Check reachability of N3 (Hb) from N1 (Ha)
  – ping6 -I eth1 -c2 N32
• Run TCP and/or UDP applications
  – use netcat (nc)
  – use a browser on Ha to access the web server on Hb
  – use ssh to log in to Hb from Ha
• Analyzing packets
  – run wireshark on R1 on both interfaces
    • specify the proper capture filter
  – on eth2 (the interface on which the tunnel is created)
    • net 172.30.1.0/24
    • or ip proto 41 (only the IPv6-in-IPv4 tunnel packets)
  – on eth1 (the interface having the IPv6 address)
    • net fd00:1001::/64 or net fd00:1002::/64

IPv4 Packet on Tunnel

[Figure: wireshark captures of a tunnelled packet, in four screenshots]
– IPv4 headers with the IPv6 packet as payload
– the original IPv6 packet inside the IPv4 payload
– the original ICMPv6 packet as IPv6 data
– the IPv6 packet after decapsulation at the tunnel end

IPv6 Communication with IPv4

[Figure: visual connectivity-1 of the mixed IPv4/IPv6 network: Ha -- IPv6 -- R1 -- IPv4 -- R2 -- IPv4 -- Hb]
[Figure: visual connectivity-2 of the mixed IPv4/IPv6 network: Ha -- IPv6 -- R1 -- IPv4 -- R2 -- IPv6 -- Hb]
[Figure: logical view of IPv6/IPv4 connectivity: Ha -- IPv6 -- R1 -- IPv4 -- Hb]

NAT64

• Address translation
  – use NAT64 (similar to NAT44)
  – we will use the tayga implementation
    • http://www.litech.org/tayga/
    • supports only static mapping

NAT64

• Addresses assigned for simplicity
  – actual IPv6 network (N1): fd00:1::/64
    • Ha: fd00:1::1/64
    • R1 (IPv6): fd00:1::254/64
  – actual IPv4 network (N2): 172.17.1.0/24
    • R2 (IPv4): 172.17.1.254/24
    • Hb: 172.17.1.1/24

[Figure: logical view of IPv6/IPv4 connectivity: Ha -- IPv6 (N1 fd00:1::/64) -- R1 -- IPv4 (N2 172.17.1.0/24) -- Hb]

NAT64

• Addresses assigned for simplicity
  – logical/mapped IPv4 network for IPv6 (N1): 172.17.2.0/24
    • Ha: fd00:1::1/64
    • R1 (IPv6): fd00:1::254/64
  – logical/mapped IPv6 network for IPv4 (N2): fd00:2::/64
    • R2 (IPv4): 172.17.1.254/24
    • Hb: 172.17.1.1/24

[Figure: logical view of IPv6/IPv4 connectivity: Ha -- fd00:1::/64 (actual) / 172.17.2.0/24 (mapped) -- R1 -- 172.17.1.0/24 (actual) / fd00:2::/64 (mapped) -- Hb]

• Header translation
  – create a logical tunnel between the two interfaces of the router
    • typically called nat64
  – define the logical networks that need to be translated
    • these networks do not actually exist
    • they are translated to their actual addresses
    • define their mapping, e.g.
      – fd00:2::/64 <-> 172.17.1.0/24
      – 172.17.2.0/24 <-> fd00:1::/64
  – assign network addresses from the logical networks to be translated
    • the tunnel interface gets these addresses from the logical networks
      – IPv6 address fd00:2::254/64
      – IPv4 address 172.17.2.254/24
  – define routing for these logical networks via the tunnel

IPv6 - IPv4 (NAT64)

• Header translation (static mapping)
  – define the mapping of hosts
    • (Ha) fd00:1::1 <-> 172.17.2.1
    • (Hb) 172.17.1.1 <-> fd00:2::1
• The config file will look as follows

    tun-device nat64
    ipv4-addr 172.17.2.254
    ipv6-addr fd00:2::254
    data-dir /var/db/tayga

    map 172.17.2.1 fd00:1::1
    map 172.17.1.1 fd00:2::1

• Start the tunnel
  – $ tayga -d

IPv6 - IPv4 (NAT64)

• Verify communication with translation
  – establish communication between Ha and Hb
• Check reachability from Ha
  – ping -I eth0 fd00:2::1
• Check reachability from Hb
  – ping 172.17.2.1

IPv6 - IPv4 (NAT64)

[Figure: wireshark capture at Hb showing the translated packets, in two screenshots]