IPv6 Transitioning

Ram P Rustagi, ISE Dept, PESITrprustagi@pes.edu

Mar 09-10, 2013

2

Network Setup

Ha HbR1 R2n/w-1 n-w-3n/w-2

Visual/Logical connectivity

Ha R1

Switch

R2 Hb

Switch

Switch

Physical connectivity

eth1eth1 eth2 eth2 eth1 eth1

3

Network Setup

Ha HbR1 R2IPv4 IPv4IPv4

Visual/Logical connectivity of IPv4 Network

Ha R1

Switch

R2 Hb

Switch

Switch

Physical connectivity

eth1eth1 eth2 eth2 eth1 eth1

4

IPv4 Routing

• Need to be clear about IPv4 address space and subnetting– Comfortable with DDN (Decimal Dotted Notation)

• using iproute2 package i.e. command ‘ip -4’– option ‘-4’ is default, and thus need not be specified

• We will use following private local address space for our lab– prefix 172.16.0.0/16

• Group 1: 172.16.1.0/24 to 172.16.3.0/24• Group 2: 172.16.5.0/24 to 172.16.7.0/24• :• Group 15: 172.16.61.0/24 to 172.16.63.0/24

• Use the following host part of address– .1 for first address and .201 for 2nd address– example:

• 172.16.1.1, 172.16.1.201• 172.16.2.1, 172.16.2.201• 172.16.3.1, 172.16.3.201

5

Extra Exercises

• Ex 1: Use VLSM (Variable Length Subnet Masking)– Use single network like 172.16.1.0/24 to

make 3 networks and then do subnetting.•Assume no of addresses in each network as–NW1 - 100, N2 - 6, N3 - 50

• Ex2: Connect Ha to two n/w via two routers directly

Ha Hb

R1 R2IPv4

IPv4

IPv4

NW - 1

NW -2

NW - 1NW - 1

NW -3

6

Network Setup - FAQ

• How to identify which i/f is eth0, eth1 or eth2 etc.– look at the MAC address starting 50:e5:49

• This corresponds to i/f on mother board• in the o/p of ‘ip addr’, it may show as eth1 or eth2

• Should one delete/override the address 192.168.13.x/21– not required, though you remove if you want to.– These are backbone addresses (College network)

• with default gateway of 192.168.8.1• Should we use backbone (wall socket) instead of switches

– No. Using this you may see lot of unnecessary traffic– it may confuse with unwanted neighbor entries

• Should we not use commands like ifconfig, route, arp etc.– These are deprecated commands, use commands from

iproute2 pkg.• ip addr [options]• ip route [options]• ip neigh [options]

7

Network Setup - FAQ

• Wireshark hangs when we enter host a.b.c.d– this is bug in wireshark. so either wait for few (20 or so) seconds – or instead use tcpdump -n -i ethX -s0 -wfile.pcap <filter>– sudo killall dnsmasq

• Should I use ping command with -c N option– strongly recommended. option -c2 should be fine for most

cases– other wise you have to abort using ^C– Please do not use ^Z

• For routers, should I run two different wireshark captures– Yes. It will provide you better clarity on what is actually

happening• Why should I specify capture filters and not captures all

packets– It may capture too many packets– will make it tough to search for packets you are interested in

• Can I use wireshark in my own work place– Yes. It is a very helpful tool to help you debug network activity

8

Network Setup - FAQ

• Can we assign multiple IP address to a single interface– Yes. An interface can support multiple IP addresses.

• Our connectivity is fine, but we are not able to ping– switches showing lights means you are physically connected– check up your routing table. Most likely this is the culprit.– check up local reachability in network. This MUST work

• Routing appears correctly, still it is not working– analyze from wireshark capture, where packet is going– due to previous incorrect config (info in cache/ram, not

shown)– remove default route entry.

• Why does IP address gets removed when wire is removed or switch is rebooted– Addresses are assigned manually and are not configured

permanently– on link reset, the address goes away.– need to reconfigure the same

9

Wireshark filters - FAQ

• What are the good capture filters– for capturing a traffic for a given network or networks

• net 172.16.1.0/24 or 172.16.2.0/24• net FD00:0101::/64 or FD00:0102::/64

– for capturing specific source and/or destination• src 172.16.1.1 and dst 172.16.3.201• src FD00::0101::52E5:49FF:FE1D:4A8C or dst FD00:0102::52E5:49FF:FE1C:AA96

– for capture specific protocol or applications or TCP/UDP port no• http• port 80 or port 8080• porto udp and port 23456

10

Wireshark filters - FAQ

• What is the difference between capture filter and display filters?– Capture filters are used for capturing only relevant

packets– display filters are used for displaying selected packets

from what is captured.• these may be used to analyze a subset of packets e.g.

– packets on a TCP Connection– looking at only TCP SYN/RST packets etc

• Can I save few packets in a separate file from a captured file– YES. one can save selected packets, a range packets and

a combination of these.• when typing host a.b.c.d, it hangs

– it is due to reverse DNS lookup which timesout.– kill local dnsmasq

• sudo service dnsmasq stop

11

IPv6 Routing

• Similar to IPv4 routing• Need to be clear about IPv6 address space and

subnetting– Comfortable with Hex Colon notation– Comfortable generating EUID-64 from MAC Address

• Generally /64 mask is used for IPv6• Need to use ‘ip -6’ to specify IPv6.

– command syntax remains the same• We will use unique local address space for our lab

exercise– prefix FD00:

• Group 01: FD00:0101::/64 to FD00:0103::/64• Group 02: FD00:0105::/64 to FD00:0107::/64• :• Group 15: FD00:0157::/64 to FD00:0159::/64

12

Setting up IPv6 Routing

• Example IP addresses– N11: IPv6 address of Ha (eth1)-

• fd00:1001::52e5:49ff:fe1d:4a8c/64– N12: IPv6 address of R1 (eth1)-

• fd00:1001::52e5:49ff:fe1d:4aa7/64– N21: IPv6 address of R1 (eth2)-

• fd00:1003::fe75:16ff:fe88:4f86/64– N22: IPv6 address of R2 (eth2)-

• fd00:1003::baa3:86ff:fe04:1bc3/64– N31: IPv6 address of R2 (eth1)-

• fd00:1002::52e5:49ff:fe1b:cf30/64– N32: IPv6 address of Hb (eth1)-

• fd00:1002::52e5:49ff:fe1c:aa96/64 12

Network-1fd00:1001::/64

Network-3fd00:1002::/64

Network-2fd00:1003::/64

Ha HbR1 R2IPv6 IPv6IPv6

13

Setting up IPv6 Routing

• Step 1: – Setup the IP addresses as given above for N1, N2 and

N3• Step 2:

– Configure the routing in Ha, R1, R2 and Hb• Step 3:

– using ping6 to check if setup is working• Step 4:

– use wireshark/tcpdump to analyze the packets

14

Setting up IPv6 Routing

• Setting up the addresses– Configuring eth0 of Ha

• sudo ip -6 addr add N11 dev eth1– Configuring et0h of R1

• sudo ip -6 addr add N12 dev eth1– Configuring eth1 of R1

• sudo ip -6 addr add N21 dev eth2– Configuring eth1 of R2

• sudo ip -6 addr add N22 dev eth2– Configuring eth0 of R2

• sudo ip -6 addr add N31 dev eth1– Configuring eth0 of Hb

• sudo ip -6 addr add N32 dev eth1

15

Configure Routing in Ha and Hb

• At Ha, define routing so as to reach network N3– sudo ip -6 route add fd00:1002::/64 via N12

• At Hb, define routing so as to reach network N1– sudo ip -6 route add fd00:1001::/64 via N31

• Verify configuration entries– ip addr show– ip route show

15

16

Setting up IPv6 Routing

• Configuring Routers R1 and R2 to forward IPv6 packets• Configuring R1

– enable routing function• sudo sysctl –w net.ipv6.conf.all.forwarding=1

– Define routing for N3 only. N1, and N2 are directly connected•sudo ip -6 route add fd00:1002::/64 via

N22• Configuring R2

– enable routing function for both IPv4 and IPv6• sudo sysctl –w net.ipv6.conf.all.forwarding=1

– Add routing for N3 on this tunnel•sudo ip -6 route add fd00:1001::/64 via

N21

16

17

Using IPv6 Network

• Check reachability of N3(Hb) from N1 (Ha)– ping6 -I eth0 -c2 N32

• Run TCP and/or UDP applications– use netcat (nc)– use browser on Ha to access web server on Hb– use ssh to login to Hb from Ha

• Analyzing packets– run wireshark on R1 on both interfaces

• specify the proper capture filter– on eth2 (the interface on which tunnel is created)

• net 172.16.30.0/24– on eth1 (the interface having IPv6 address)

• net fd00:1001::/32 or net fd00:1002::/32

18

Using IPv6 Network

• Starting Web Server on Hb

– restart apache so that it can bind on IPv6– sudo service apache2 restart

• Using Browser– type the URL

• http://[N32]– note: square brackets are mandatory

• web page will be served• Using Dual Stack

– Sender large file (1MB)– see how many packets are sent.?

19

IPv6 Tunneling over IPv4

• Why tunneling?– Two islands of IPv6 network

• connected via IPv4 network– A transition strategy to enable communication among IPv6

network• What is tunneling

– Two end points are defined– each is aware of two types of network– each encapsulates and de-capsulates

• Tunneling handshake– No handshake needed– it is just encapsulation and de-capsulation

• Transmission– first encapsulation– the new destination address is tunnel end point– packet is delivered to other end point– decapsulation

20

Network Setup

Ha HbR1 R2IPv6 IPv6IPv4

Visual connectivity of mixed IPv4/IPv6 network

Ha R1

Switch

R2 Hb

Switch

Switch

Physical connectivity

eth1eth1 eth2 eth2 eth1 eth1

21

Tunnel Setup

• Define R1 and R2 as tunnel end points– Create tunnel interfaces– Define routing for network at the other end via tunnel

interface– similar to routing entries via interface without next hop?

• Tunneling implementation at routers (R1, R2)– encapsulates packets at one end– de-encapsulates at other end

Tunnel connectivity

Ha HbR1 R2IPv6 IPv6Tunnel

22

IP in IP Tunnel

• IP in IP encapsulation– used in Mobile IP (RFC 2003)– from home agent to foreign agent– describes how to take an IP packet

• make it payload of another packet– a mechanism to change the normal routing of IP

datagram– source ----> encapsulator ----> decapsulator ----> destination

• Other encapsulation methods– Minimum encapsulation within IP (RFC 2004)– GRE (Generic Routing Encapsulation) Tunnels (RFC

1701)

23

IP in IP Tunnel

• Disadvantages of IP-in-IP Tunnel– encapsulated datagram becomes larger

• compared to Source Routing option– encapsulation can not be used unless

• a node at tunnel exit point can decapsulate

+---------------------------+

| Outer IP Header |

+------------------+ +---------------------------+

| IP Header | | IP Header |

+------------------+ ====> +---------------------------+

| | | |

| IP Payload | | IP Payload |

| | | |

+------------------+ +---------------------------+

24

IP in IP Tunnel

• IP-in-IP Encapsulation– outer IP header src/dstn addr identify tunnel end points– inner IP headers remain unchanged by encapsulator

• except TTL– Tunnel originator does path MTU discovery to deal

fragmentation issues

25

Setting up IPv6 Tunnel

• Example IP addresses– N11: IPv6 address of Ha (eth1)-

• fd00:1001::52e5:49ff:fe1d:4a8c/64– N12: IPv6 address of R1 (eth1)-

• fd00:1001::52e5:49ff:fe1d:4aa7/64– N21: IPv4 address of R1 (eth2)-

• 172.30.1.1/24– N22: IPv4 address of R2 (eth2)-

• 172.30.1.2/24– N31: IPv6 address of R2(eth1)-

• fd00:1002::52e5:49ff:fe1b:cf30/64– N32: IPv6 address of Hb (eth1)-

• fd00:1002::52e5:49ff:fe1c:aa96/64 25

Ha HbR1 R2IPv6 IPv6Tunnel

Network-1fd00:1001::/64

Network-3fd00:1002::/64

Network-2172.30.1.0/24

26

Setting up IPv6 Tunnel

• Step 1: – Setup the IP addresses as given above for N1, N2 and

N3• Step 2:

– Configure the tunnel end points• Step 3:

– using ping6 to check if setup is working• Step 4:

– use wireshark/tcpdump to analyze the packets

27

Setting up IPv6 Tunnel

• Setting up the addresses– Configuring eth0 of Ha

• sudo ip -6 addr add N11 dev eth1– Configuring et0h of R1

• sudo ip -6 addr add N12 dev eth1– Configuring eth1 of R1

• sudo ip -4 addr add N21 dev eth2– Configuring eth1 of R2

• sudo ip -4 addr add N22 dev eth2– Configuring eth0 of R2

• sudo ip -6 addr add N31 dev eth1– Configuring eth0 of Hb

• sudo ip -6 addr add N32 dev eth1

28

Setting up IPv6 Tunnel

• Configuring Routers as tunnel end point– Note: currently both R1 and R2 are on same IPv4 Network

and hence no IPv4 routing is required. Generally, these will be different networks and hence routing as per IPv4 needs to be setup

• Configuring R1– enable routing function for both IPv4 and IPv6

• sudo sysctl –w net.ipv6.conf.all.forwarding=1• sudo sysctl –w net.ipv4.ip_forward=1

– Create a tunnel and bring it up•sudo ip tunnel add mytun mode sit remote 172.30.1.2 local 172.30.1.1 dev eth2

•sudo ip link set dev mytun up– Give an equivalent IPv6 address (to this tunnel end

point)•sudo ip -6 addr add 2002:ac1e:0101::1/16 dev mytun

– Add routing for N3 on this tunnel•sudo ip -6 route add fd00:1002::/64 dev mytun

28

29

Setting up IPv6 Tunnel

• Configuring R2– enable routing function for both IPv4 and IPv6

• sudo sysctl –w net.ipv6.conf.all.forwarding=1• sudo sysctl –w net.ipv4.ip_forward=1

– Create a tunnel and bring it up•sudo ip tunnel add mytun mode sit remote 172.30.1.1 local 172.30.1.2 dev eth2

•sudo ip link set dev mytun up– Give an equivalent IPv6 address (to this tunnel end

point)•sudo ip -6 addr add 2002:ac1e:0102::1/48 dev mytun

– Add routing for N3 on this tunnel•sudo ip -6 route add fd00:1001::/64 dev mytun

29

30

Configure Routing in Ha and Hb

• At Ha, define routing so as to reach network N3– sudo ip -6 route add fd00:1002::/64 via N12

• At Hb, define routing so as to reach network N1– sudo ip -6 route add fd00:1001::/64 via N31

• Verify configuration entries– ip addr show– ip route show

30

31

Using Tunnel

• Check reachability of N3(Hb) from N1 (Ha)– ping6 -I eth0 -c2 N32

• Run TCP and/or UDP applications– use netcat (nc)– use browser on Ha to access web server on Hb– use ssh to login to Hb from Ha

• Analyzing packets– run wireshark on R1 on both interfaces

• specify the proper capture filter– on eth2 (the interface on which tunnel is created)

• net 172.16.30.0/24– on eth1 (the interface having IPv6 address)

• net fd00:1001::/32 or net fd00:1002::/32

32

IPv4 Packet on Tunnel

33

IPv4 Packet on TunnelIPv4 Headers - IPv6 pkt as payload

34

Original IPv6 packet in IPv4 payload

35

Original ICMPv6 packet as IPv6 data

36

IPv6 pkt after decapsulation at Tunnel

37

IPv6 Communication with IPv4

Ha HbR1 R2IPv6 IPv4IPv4

Visual connectivity-1 of mixed IPv4/IPv6 network

Ha HbR1 R2IPv6 IPv4IPv6

Visual connectivity-2 of mixed IPv4/IPv6 network

Ha HbR1IPv6 IPv4

Logical view of IPv6/IPv4 connectivity

17

NAT64

• Address Translation– Use NAT64 (similar to NAT44)– Will use tayga implementation

• http://www.litech.org/tayga/• supports only static mapping

17

39

NAT64• Address assigned for simplicity

– Actual IPv6 Network (N1) fd00:1::/64• Ha fd00:1::1/64• R1 (IPv6) fd00:1::254/64

– Actual IPv4 Network(N2) 172.17.1.0/24• R2 (IPv4) 172.17.1.254/24• Hb 172.17.1.1/24

Ha HbR1IPv6 IPv4

Logical view of IPv6/IPv4 connectivity

N1 - fd00:1::64

N2 - 172.17.1.0/24

40

NAT64• Address assigned for simplicity

– Logical/mapped IPv4 Network for IPv6 (N1) 172.17.2.0/24• Ha fd00:1::1/64• R1 (IPv6) fd00:1::254/64

– Logical/mapped IPv6 Network for IPv4(N2) fd00:2::/64• R2 (IPv4) 172.17.1.254/24• Hb 172.17.1.1/24

Ha HbR1IPv6 IPv4

Logical view of IPv6/IPv4 connectivityfd00:1::/64(Actual)172.17.2.0/24(mapped)

172.17.1.0/24 Actualfd00:2::/64(mapped)

• Header Translation– Create a logical tunnel between two interfaces of

router• Typically called nat64

– Define the logical network that needs to be translated• These network actually do not exist

– These are translated to their actual address• Define their mapping, e.g

– fd00:2::/64 172.17.1.0/24– 172.17.2.0/64 fd00:1::/64

– Assign network addresses from logical network to be translated• Tunnel interface gets these addresses from the

logical network– IPv6 address fd00:2::254/64 – IPv4 address 172.17.2.254/24

– Define routing for this logical network in the tunnel18

IPv6 - IPv4 (NAT64)

IPv6 - IPv4 (NAT64)

• Header Translation (static mapping)– Define mapping of hosts

• (Ha) fd00:1::1 172.17.2.1• (Hb) 172.17.1.1 fd00:2::1

• The config file will look astun-device nat64ipv4-addr 172.17.2.254ipv6-addr fd00:2::254data-dir /var/db/tayga

map 172.17.2.1 fd00:1::1map 172.17.1.1 fd00:2::1

• Start the tunnel– $ tayga -d

19

43

IPv6 - IPv4 (NAT64)

• Verify communication with translation– Establish communication between Ha and Hb

• Check reachability from Ha– ping –I eth0 fd00:2::1

• Check reachability from Hb– ping 172.17.2.1

44

IPv6 - IPv4 (NAT64)(wireshark capture at Hb)

45

IPv6 - IPv4 (NAT64)(wireshark capture at Hb)