IPv6 Tutorial

Introduction to IPv6 Protocols

© 2003-2005 Monash CTIE


What we will present :
 Basics
 Addressing
 Routing
 Domain Name System
 IPv4 to IPv6 transition
 Security
 State of the Art
 Mobile IPv6

Slide 2
IPv6
 Network layer protocol
 Node-to-node information delivery across multiple links
 Layer 3 in the OSI reference model

Figure: OSI Reference Model, top to bottom: Application, Presentation, Session, Transport, Network (where IPv6 sits), Link, Physical

Slide 3
IPv6 Header
 Simplified header compared to IPv4: a fixed 40-byte base header with no header checksum, no options and no fragmentation fields (options and fragmentation move to extension headers)

Figure: IPv4 header fields: Version, Header Length, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time To Live, Protocol, Header Checksum, Source Address (32 bits), Destination Address (32 bits)
Figure: IPv6 header fields: Version, Traffic Class (labelled Class of Service on the slide), Flow Label, Payload Length, Next Header, Hop Limit, Source Address (128 bits), Destination Address (128 bits)

Slide 4
Extension Headers
 Basic header simplified for ease of processing
 Additional information carried in extension headers
 Hop-by-hop options
 Routing header
 Fragment header
 Destination options header
 Authentication header (AH)
 Encapsulating Security Payload (ESP) header
 Next Header field says what type of header follows
 E.g. Fragment Header, TCP, ICMP, etc.
 Every extension header carries its own Next Header field (the options, routing and AH headers also carry a length field), so a receiver walks the chain header by header until it reaches an upper-layer header. A filter that only reads the Next Header field of the base header will misclassify any packet that carries extension headers; RFC 7112 requires the whole header chain to fit in the first fragment for exactly this reason.

Figure: Basic Header (Next Hdr) -> Extension Header (Next Hdr, Length) -> Extension Header (Next Hdr, Length) ->  Payload
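The chain walk described above, as an added example (not code from the original slides): it returns the upper-layer protocol and its offset, and flags the two cases where classification is impossible, a non-first fragment and an ESP payload. The `build_packet` helper and the addresses it uses are constructed test data.

```python
import struct

# IANA protocol numbers for the Next Header field
HOP_BY_HOP, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, NO_NEXT, DEST_OPTS = 0, 6, 17, 43, 44, 50, 51, 58, 59, 60


def walk_header_chain(pkt: bytes):
    """Walk the IPv6 header chain and return (upper_layer_proto, offset, flags).

    offset is the byte position of the first non-extension header.  flags notes the cases a
    filter must treat specially: "non-first-fragment" (the transport header is not in this
    packet at all) and "esp" (everything after the ESP header is opaque).  A truncated chain
    raises ValueError instead of being guessed at.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset, flags = pkt[6], 40, set()
    while True:
        if next_hdr in (HOP_BY_HOP, ROUTING, DEST_OPTS):
            if offset + 2 > len(pkt):
                raise ValueError("truncated extension header")
            hdr_len = (pkt[offset + 1] + 1) * 8          # length in 8-octet units, excluding the first 8
        elif next_hdr == FRAGMENT:
            if offset + 8 > len(pkt):
                raise ValueError("truncated fragment header")
            hdr_len = 8
            frag_off = struct.unpack("!H", pkt[offset + 2:offset + 4])[0] >> 3
            if frag_off != 0:
                flags.add("non-first-fragment")
                # Next Header names what follows in the reassembled packet; it is not present here
                return pkt[offset], offset + 8, flags
        elif next_hdr == AH:
            if offset + 2 > len(pkt):
                raise ValueError("truncated AH")
            hdr_len = (pkt[offset + 1] + 2) * 4          # AH length is in 4-octet units minus 2 (RFC 4302)
        elif next_hdr == ESP:
            flags.add("esp")
            return ESP, offset, flags                    # encrypted: cannot classify further
        elif next_hdr == NO_NEXT:
            return NO_NEXT, offset, flags
        else:
            return next_hdr, offset, flags               # TCP, UDP, ICMPv6, ...
        if offset + hdr_len > len(pkt):
            raise ValueError("extension header runs past end of packet")
        next_hdr = pkt[offset]
        offset += hdr_len


def build_packet(ext_headers, upper_proto, payload,
                 src=bytes.fromhex("20010db8000000000000000000000001"),
                 dst=bytes.fromhex("20010db8000000000000000000000002")):
    """Assemble a minimal IPv6 packet: base header, each (type, body) extension header, payload.
    Constructed test data; option bodies are padded to a multiple of 8 octets with Pad1/PadN."""
    chain = list(ext_headers) + [(upper_proto, None)]
    ext = b""
    for i, (htype, body) in enumerate(chain[:-1]):
        nxt = chain[i + 1][0]
        body = body or b""
        pad = (-(2 + len(body))) % 8
        if pad == 1:
            body += b"\x00"                                      # Pad1
        elif pad > 1:
            body += b"\x01" + bytes([pad - 2]) + b"\x00" * (pad - 2)  # PadN
        ext += bytes([nxt, (2 + len(body)) // 8 - 1]) + body
    base = struct.pack("!IHBB", 0x60000000, len(ext) + len(payload), chain[0][0], 64) + src + dst
    return base + ext + payload
```

A stateless filter that wants "the TCP header" must run this walk first; the non-first-fragment case is why per-fragment filtering of IPv6 is unsound without reassembly.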

Slide 5
ICMPv6
 Same basic concept as ICMP (for IPv4)
 Error messages – e.g.:
 Destination unreachable
 Packet too big
 Time exceeded
 Parameter problem
 Information messages – e.g.:
 Echo request/reply
 Router solicitation/advertisement
 Multicast Listener Discovery (like IGMP for IPv4)

Slide 6
Address space
 128 bit addresses
 Massive address space to last for the foreseeable future
 The default allocation recommended at the time (RFC 3177) gave every site a /48, i.e. 2^16 = 65,536 /64 subnets (RFC 6177 later relaxed this and allows /56 for smaller sites)
 Ensures that it is possible to allocate a globally unique address to every host so that end-to-end applications are possible

Slide 8
Address types
 Unicast
 Anycast
 Multicast
 No more broadcast!

Slide 9
Representing IPv6 addresses
 x:x:x:x:x:x:x:x (eight 16-bit groups in hexadecimal; leading zeros within a group may be dropped)
 e.g. 1234:5678:9abc:def0:1234:5678:9abc:def0
 One run of consecutive all-zero groups (at most once per address) may be written as “::”
 e.g. ff02:0:0:0:0:0:0:1 = ff02::1
 Last 2 groups may be written as an IPv4 “dotted decimal” address
 e.g. 0:0:0:0:0:ffff:192.168.0.1 or ::ffff:192.168.0.1
 “[]” are used around the address in URLs so the colons are not confused with the port separator
 http://[3ffe:a:b:c::1]:port/dir

Slide 10
Representing IPv6 addresses (cont)
 No dotted netmasks
 The network part is given by a “/prefixlen” appended to the address, where prefixlen is the number of leading bits that make up the network address
 Same idea as CIDR (classless) notation in IPv4
 e.g. 3ffe:a:b:1::1/64
 Network part: 3ffe:a:b:1::
 Host part (interface identifier): ::1

Slide 11
Address allocation
 fe80::/10 - link-local
 fec0::/10 - site-local, deprecated by RFC 3879
 fc00::/7 – unique local addresses (ULA, RFC 4193): fd00::/8 is the locally generated (random) half actually in use; fc00::/8 was reserved for a centrally assigned scheme that was never defined
 ff00::/8 – multicast
 2000::/3 - globally aggregatable unicast
 3ffe::/16 - 6bone (the experimental testbed; returned to IANA when the 6bone was shut down in June 2006, so these addresses are now bogons and should be filtered)
 0000::/8 is reserved and contains addresses like
 Unspecified address - ::
 Loopback address - ::1
 IPv6 addresses with IPv4 addresses embedded in them

Slide 12
Unicast addressing
 Associated with an interface rather than a node
 Several types of unicast addresses
 Limited scope – link-local, ULA
 Globally aggregatable
 Transition – IPv4-compatible (deprecated by RFC 4291), IPv4-mapped

Slide 13
Multicast addressing
 ffxy:: prefix
 x = flags
 RFC 3513 defined one flag, T: 0 = permanently assigned (well-known) address registered by IANA, 1 = transient address (RFC 3306 and RFC 3956 later added the P and R flags)
 y = scope
 1 - interface-local (node) scope
 2 - link scope
 5 - site scope
 8 - organization scope
 e - global scope

Slide 14
Multicast addressing (cont.)
 suffix indicates group
 IANA has registered groups for particular uses
 ::1 - all hosts
 ::2 - all routers
 etc...
 Using an example from RFC 3513:
 If the “NTP servers group” is assigned a permanent group ID of
0x101 then
 ff01::101 means “all NTP servers on the same node as the sender”
 ff02::101 means “all NTP servers on the same link as the sender”
 ff05::101 means “all NTP servers on the same site as the sender”
 ff0e::101 means “all NTP servers on the Internet”
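An added example (not from the original slides) that turns the representation, allocation and multicast slides above into code using the standard `ipaddress` module: it compresses text forms, classifies an address into the prefixes listed on the allocation slide, decodes the flags and scope nibbles of a multicast address, and splits a prefix-notation address into network and interface-identifier parts. The category labels are this example's own.

```python
import ipaddress

# Scope nibble values from RFC 4291 section 2.7
MCAST_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
                0x5: "site-local", 0x8: "organization-local", 0xe: "global"}


def compress(addr: str) -> str:
    """Canonical short form: zero groups collapsed into one '::' and leading zeros dropped."""
    return ipaddress.IPv6Address(addr).compressed


def classify(addr: str) -> str:
    """Map an address to the allocation category it belongs to (labels are this example's own)."""
    a = ipaddress.IPv6Address(addr)
    if a.is_unspecified:
        return "unspecified"
    if a.is_loopback:
        return "loopback"
    if a.ipv4_mapped is not None:                       # ::ffff:0:0/96
        return "ipv4-mapped"
    if a.is_multicast:                                  # ff00::/8
        return "multicast"
    if a.is_link_local:                                 # fe80::/10
        return "link-local"
    if a in ipaddress.IPv6Network("fec0::/10"):
        return "site-local (deprecated)"
    if a in ipaddress.IPv6Network("fc00::/7"):          # RFC 4193; in practice only fd00::/8
        return "unique-local"
    if a in ipaddress.IPv6Network("3ffe::/16"):         # checked before 2000::/3, which contains it
        return "6bone (returned to IANA)"
    if a in ipaddress.IPv6Network("2000::/3"):
        return "global-unicast"
    return "reserved"


def multicast_info(addr: str) -> dict:
    """Decode the flags nibble, scope nibble and 112-bit group id of an ff00::/8 address."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError("not a multicast address: %s" % addr)
    n = int(a)
    flags, scope = (n >> 116) & 0xF, (n >> 112) & 0xF
    return {
        "transient": bool(flags & 0x1),                 # T flag; 0 = IANA-assigned well-known group
        "scope": MCAST_SCOPES.get(scope, "reserved/unassigned (%x)" % scope),
        "group_id": n & ((1 << 112) - 1),
    }


def split_prefix(addr_with_len: str):
    """(network part, interface identifier) for text such as 3ffe:a:b:1::1/64."""
    addr_txt, plen_txt = addr_with_len.split("/")
    plen = int(plen_txt)
    net = ipaddress.IPv6Network("%s/%d" % (addr_txt, plen), strict=False)
    host_bits = int(ipaddress.IPv6Address(addr_txt)) & ((1 << (128 - plen)) - 1)
    return net.network_address.compressed, ipaddress.IPv6Address(host_bits).compressed
```

The order of the tests in `classify` matters: 3ffe::/16 lies inside 2000::/3, and ::ffff:0:0/96 lies inside the reserved 0000::/8, so the more specific prefix has to be checked first.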

Slide 15
Solicited Nodes Multicast Address
 FF02:0:0:0:0:1:FFXX:XXXX
 where XX:XXXX is the low-order 24 bits of the unicast (or anycast) address
 Nodes MUST join the solicited nodes multicast group for each unicast address configured
 Facilitates location of nodes: only hosts whose addresses share those 24 bits listen, so a Neighbour Solicitation does not interrupt every host on the link
 Example:
 Unicast: 3ffe:0db8::fedc:ba98:7654:3210
 Solicited nodes multicast: ff02::1:ff54:3210

Slide 16
Interface Identifiers
 Manually configured
 Modified EUI-64
 Formed from the 48-bit MAC address of the interface (ff:fe inserted in the middle, universal/local bit inverted)
 Exposes the hardware address in every packet, so a host can be tracked across networks; RFC 8064 now recommends stable but opaque identifiers (RFC 7217) instead
 RFC-3041 temporary addresses (now RFC 4941 / RFC 8981)
 Randomly generated interface identifiers, changed periodically
 Provides some level of privacy

Figure: Address = Prefix (64 bits) | Interface Identifier (64 bits)
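The interface-identifier and solicited-node constructions from the two slides above, as an added example (not code from the original deck). The MAC address, prefix and the deterministic random source used in the checks are constructed test values.

```python
import ipaddress
import secrets


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 appendix A):
    insert ff:fe between the OUI and the device part, invert the universal/local bit (0x02)."""
    m = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(m) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def temporary_iid(rng=secrets.token_bytes) -> bytes:
    """Random identifier in the style of RFC 3041/4941: 64 random bits with the u/l bit cleared,
    so it cannot be mistaken for a globally unique EUI-64.  rng is injectable for testing."""
    iid = bytearray(rng(8))
    iid[0] &= ~0x02 & 0xFF
    return bytes(iid)


def make_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Concatenate a /64 prefix with an 8-byte interface identifier, as SLAAC does."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("need a /64 prefix and a 64-bit interface identifier")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX with XX:XXXX the low-order 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)
```

Note that two addresses with different prefixes but the same interface identifier map to the same solicited-node group, which is why a host joins the group per address rather than per prefix.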

Slide 17
Address configuration
 Stateful
 DHCPv6 - RFC 3315 (now RFC 8415)
 Clients use scoped multicast (ff02::1:2, All_DHCP_Relay_Agents_and_Servers) to reach servers and relays
 May provide information in addition to addresses – e.g. DNS server address
 Stateless (SLAAC, RFC 2462, now RFC 4862)
 Routers send periodic advertisements
 May also be solicited
 Hosts use information in advertisements to create valid addresses

Slide 18
Router Advertisement
 RAs are sent periodically and in response to Router Solicitations
 Contains link prefix, lifetime, MTU, etc.
 Hosts construct addresses by appending their interface identifier to the prefix advertised by the router
 This address then needs to be tested to ensure uniqueness
 RAs are not authenticated: any node on the link can send one and become the default router or inject a bogus prefix (the rogue-RA problem, RFC 6104); switches can drop RAs from host ports with RA Guard (RFC 6105)

Slide 19
Duplicate Address Detection
 Multicast is used to assist in detection of conflicting addresses
 Packets are sent to the solicited nodes multicast address
 The packet essentially asks if anyone is already using this address
 If another node responds, the interface either shuts down or tries another address
 The nature of the multicast address ensures that a host that is using the tested address must be listening, but most other hosts won't be.
 An attacker on the link that answers every probe can stop any new node from obtaining an address (a denial of service noted in RFC 3756); SEND, later in this tutorial, is the standard response.

Slide 20
Duplicate Address Detection

Figure: the new node asks the solicited-node group “Is anyone using address X?”; a node already using X answers “I am.”
Slide 21
Link Address Resolution
 Uses the same packet types as DAD
 Equivalent of ARP in IPv4
 Neighbour Solicitation message is sent to the solicited
nodes multicast address (rather than broadcast as in
IPv4).
 Host with the destination IP address responds with a
Neighbour Advertisement that includes its link layer
address.
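The Neighbour Solicitation used by DAD and by address resolution (previous two slides), built and checked as bytes, as an added example that is not part of the original slides. The only difference between the two uses is the source address and the presence of the link-layer option; the receiver-side checks at the end (hop limit 255, checksum, non-multicast target, DAD probes addressed to the solicited-node group) are what RFC 4861 requires before a host acts on the message. Addresses and MAC are constructed test values.

```python
import ipaddress
import struct

ICMPV6 = 58
NS_TYPE = 135


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def solicited_node(target: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | (int(target) & 0xFFFFFF))


def build_ns(src: str, target: str, src_mac=None) -> bytes:
    """IPv6 packet carrying an ICMPv6 Neighbor Solicitation for `target`, sent to its solicited-node group.

    DAD probe: src is "::" and no Source Link-Layer Address option (RFC 4861 section 4.3).
    Address resolution: src is one of our addresses and the option carries our MAC."""
    src_a, tgt = ipaddress.IPv6Address(src), ipaddress.IPv6Address(target)
    if src_a.is_unspecified and src_mac is not None:
        raise ValueError("a DAD probe must not carry a source link-layer address option")
    dst = solicited_node(tgt)
    icmp = struct.pack("!BBHI", NS_TYPE, 0, 0, 0) + tgt.packed          # checksum field zero for now
    if src_mac is not None:
        icmp += bytes([1, 1]) + bytes.fromhex(src_mac.replace(":", ""))  # option type 1, length 1 (8 octets)
    pseudo = src_a.packed + dst.packed + struct.pack("!IxxxB", len(icmp), ICMPV6)
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(pseudo + icmp)) + icmp[4:]
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, 255) + src_a.packed + dst.packed
    return hdr + icmp


def check_ns(pkt: bytes) -> dict:
    """Checks a receiver makes before acting on a Neighbor Solicitation."""
    plen, nh, hlim = struct.unpack("!HBB", pkt[4:8])
    src, dst, icmp = pkt[8:24], pkt[24:40], pkt[40:40 + plen]
    pseudo = src + dst + struct.pack("!IxxxB", plen, nh)
    target, src_a = ipaddress.IPv6Address(icmp[8:24]), ipaddress.IPv6Address(src)
    return {
        "is_ns": pkt[0] >> 4 == 6 and nh == ICMPV6 and icmp[0] == NS_TYPE and icmp[1] == 0,
        "checksum_ok": inet_checksum(pseudo + icmp) == 0,
        "hop_limit_255": hlim == 255,          # proves the packet has not crossed a router
        "target_not_multicast": not target.is_multicast,
        "dad_probe": src_a.is_unspecified,
        "dad_dst_ok": (not src_a.is_unspecified) or dst == solicited_node(target).packed,
        "target": target.compressed,
    }
```

The hop-limit check is the cheapest defence against off-link forgery: a router decrements the field, so an ND message with anything other than 255 cannot have originated on the local link. It does nothing against an attacker who is already on the link; that is SEND's job.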

Slide 22
Link Address Resolution

Figure: Neighbour Solicitation “Who’s using address X?” to the solicited-node group; Neighbour Advertisement “I am. My link layer address is xxx” back to the asker

Slide 23
Neighbour Unreachability
Detection
 Hosts maintain a cache of devices they have
communicated with recently.
 The table indicates the reachability state of each host.
 Neighbour solicitation/advertisement messages are used
to probe devices to confirm reachability
 Not done when it can be confirmed by other information
such as TCP three-way handshake
 Also not initiated just because a device hasn't been heard
for some time.
 Old entries removed

Slide 24
IPv6 MTU & PATH MTU Discovery
 Maximum Transmission Unit (MTU)
 IPv6 minimum link MTU is 1280 bytes (vs. 68 bytes for IPv4)
 IPv6 fragmentation is end-to-end
 Routers don’t fragment IPv6 packets - end nodes do it, using the Fragment extension header
 Path MTU discovery (RFC 1981, now RFC 8201) is not mandatory; a node that does not implement it must send packets no larger than 1280 bytes
 Routers reply with ICMPv6 ‘Packet too big’ and drop the packet if it exceeds the next link’s MTU
 Packet Too Big messages are not authenticated; a host should check that the packet quoted inside one matches something it actually sent before lowering its path MTU, and should never lower it below 1280

Slide 25
IPv6 MTU & PATH MTU Discovery

Figure: path with link MTUs 1500 (sender’s link), 1480 and 1280
 1. Sender transmits a 1500 byte packet; the router in front of the 1480 link replies ICMPv6 Packet too big – MTU = 1480
 2. Sender retransmits a 1480 byte packet; the router in front of the 1280 link replies ICMPv6 Packet too big – MTU = 1280
 3. Sender retransmits a 1280 byte packet: successful packet delivery
Slide 26
Summary
 Huge address space
 Hosts can autoconfigure their own addresses
 Scoping allows for some clever use of multicast
 Neighbour Discovery replaces ARP for address resolution
 Also introduces new functionality of Stateless address
autoconfiguration, DAD, NUD, PMTU discovery

Slide 27
Packet switched networks
 Internet is a packet switched network
 Each packet contains full addressing information
 Simple headers for IPv6
 Routing is the process of working out how to send a
packet to its destination

Slide 29
Routing
 All nodes examine the destination address of arriving packets
 Hosts either accept or discard
 Routers may also forward packets to another node
 Packets for “on-link” destinations may be delivered directly
 Other packets must be forwarded to a “next-hop” router
 Packet travels hop-by-hop until it reaches its destination

Slide 30
Routing (cont)
 Example (IPv6)
traceroute to munnari.oz.au (2001:388:c02:4000::1:21) from 3ffe:8001:12:fc:203:47ff:fe31:51b1,
30 hops max, 16 byte packets
1 3ffe:8001:12:fc::3 (3ffe:8001:12:fc::3) 0.396 ms 0.305 ms 0.307 ms
2 3ffe:8000:ffff:1012::100 (3ffe:8000:ffff:1012::100) 51.953 ms * 39.798 ms
3 vbns-trumpet.hay.vbns.net (3ffe:28ff:ffff:3::100) 251.758 ms 245.323 ms 251.982 ms
4 cs-v6-atm0-2.dng.vbns.net (3ffe:28ff:ffff:3::) 299.732 ms 314.289 ms *
5 iplsng-vbns.abilene.ucaid.edu (2001:468:ff:12c1::1) 404.823 ms 365.734 ms 372.79 ms
6 6plains-iplsng.abilene.ucaid.edu (2001:468:ff:121d::2) 393.285 ms 346.691 ms 359.758 ms
7 sit1.ipv6.broadway.aarnet.net.au (2001:388::1) 559.186 ms 550.964 ms 622.729 ms
8 2001:388:0:11::2 (2001:388:0:11::2) 670.786 ms 542.702 ms 542.287 ms
9 2001:388:c02:4000::1:21 (2001:388:c02:4000::1:21) 560.391 ms 530.628 ms 559.938 ms

Slide 31
Routing (cont)
 A router may have many interfaces and/or neighbours
 How does the router know where to send a packet?
 Routing table

Slide 32
Routing tables
 Contains information about how to get a packet “closer”
to its destination
 Destination prefix
 Next hop router
 Outgoing interface
 Metric
 Routing table is consulted for longest matching prefix
 Packet is forwarded using the information in the routing table
entry with the longest matching prefix

Slide 33
Prefix matching
 Example

Simplified routing table

Prefix                 Next Hop             Interface
3ffe:0db8:5000::/36    3ffe:0db8:1000::2    eth0
3ffe:0db8:5400::/40    3ffe:0db8:1001::2    eth1

- Packet arrives with destination address: 3ffe:0db8:5401::1
- Matches both routing table entries (its first 36 bits match 3ffe:0db8:5000::/36 and its first 40 bits match 3ffe:0db8:5400::/40), but the second entry is the longer match (40 bits), so the packet is forwarded to 3ffe:0db8:1001::2 out interface eth1

Slide 34
Static vs. Dynamic
 How is the routing table constructed?
 Routing table entries may be made by hand
 Static routes
 Not scalable
 Most routing table entries calculated automatically
 Dynamic routes
 Routers exchange information with one another
 Routing protocols

Slide 35
The Internet
 “Network of networks”
 Not practical for every host (or even router) to have a routing table entry for every other host/router in the Internet
 To make routing tables practical, we need entries that refer to multiple hosts
 E.g. Default route: ::/0 via 3ffe:0db8:1000::2 on eth0 (the slide writes the prefix as 0::/0; ::/0 is the usual spelling)
 “::/0” will always match and will always be the shortest match
 This single entry covers every host that we don’t already have another entry for

Slide 36
Aggregation
 As a network of networks, the Internet is divided into administrative regions called “Autonomous Systems” (AS)
 Generally all of the routing information from within an AS can be summarized into a single routing table entry
 E.g. Acme Computers have many networks: 3ffe:0db8:1001:(a,b,c,etc.)::/64
 Devices outside the Acme Computer AS only need to know how to reach: 3ffe:0db8:1001::/48

Figure: several ASs attached to the Internet

Slide 37
Aggregation (cont)
 Devices outside of Acme have a single routing entry for all Acme networks

Figure: inside the Acme AS the networks 3ffe:0db8:1001:a::/64, 3ffe:0db8:1001:b::/64, 3ffe:0db8:1001:c::/64 and 3ffe:0db8:1001:d::/64 each have their own route; the three neighbouring ASs carry only 3ffe:0db8:1001::/48, via route X, via route Y and via route Z respectively

Slide 38
Aggregation (cont)
 So far same as IPv4
 IPv6 takes aggregation further
 Strict hierarchy for address allocation
 An IP address allocation is always a subset of the provider’s address space
 E.g. The entire set of hosts beneath the top level provider can be summarized with a single routing table entry

Figure: Large provider 3ffe:0db8::/32
        Small providers 3ffe:0db8:2500::/40 and 3ffe:0db8:2600::/40
        Individual sites 3ffe:0db8:2501::/48 and 3ffe:0db8:2502::/48 under the first, 3ffe:0db8:2601::/48 and 3ffe:0db8:2602::/48 under the second
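Longest-prefix matching (the Prefix matching and default-route slides) and route summarisation (the Aggregation slides), as an added example that is not part of the original deck. The routing table is the one from the Prefix matching slide with the default route added; the Acme /64s are the ones in the figure. One detail the slides do not spell out: the smallest single prefix covering Acme's a, b, c and d networks is a /61, not the /48; the /48 is advertised because that is the allocation, and the allocation is what neighbours are expected to filter on.

```python
import ipaddress


def longest_match(table, dst: str):
    """Return the (network, next_hop, interface) entry with the longest prefix containing dst, else None.
    table rows are (prefix text, next hop text, interface name)."""
    d = ipaddress.IPv6Address(dst)
    best = None
    for prefix, next_hop, iface in table:
        net = ipaddress.IPv6Network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def minimal_summary(prefixes):
    """Smallest single prefix that covers every prefix in the list."""
    nets = [ipaddress.IPv6Network(p) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()       # one bit shorter each round
    return summary


def covers(summary: str, prefixes) -> bool:
    """True if every prefix is inside summary (what an upstream needs before accepting an aggregate)."""
    s = ipaddress.IPv6Network(summary)
    return all(ipaddress.IPv6Network(p).subnet_of(s) for p in prefixes)
```

A linear scan is fine for a few entries; real forwarding tables use a trie or hardware TCAM, but the rule is the same: the entry with the most matching leading bits wins, and ::/0 wins only when nothing else matches.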

Slide 39
Threats to Aggregation
 Provider independent addressing
 Multihoming
 Connecting to the Internet through multiple providers
 Not standardized when these slides were written; since then the RIRs have simply assigned provider-independent IPv6 space and the global table has absorbed the extra entries, while shim6 (RFC 5533) was the IETF’s host-based alternative
 One of the big hurdles in the way of IPv6 deployment

Slide 40
Routing Protocols
 Two types of routing protocols
 Interior, Exterior
 Exterior routing protocols are used to exchange
information between ASs
 BGP-4+
 Interior routing protocols exchange information with
other routers under the same administrative control
 RIPng, OSPFv3

Slide 41
Exterior Protocols
 Communicate with other systems
 Control routing table sizes
 Manage policy
 Use bandwidth efficiently

Slide 42
Interior Protocols
 Independent of protocols used in other ASs
 Convey complete routing information within an AS
 Some protocols allow summarization within an AS
 OSPF areas
 Propagate change rapidly

Slide 43
Routing Information Protocol – Next Generation (RIPng, RFC 2080)
 Interior gateway protocol
 Based on RIP (IPv4)
 Distance vector algorithm
 Limited to networks with no more than 15 hops (a metric of 16 means unreachable)
 Routing decisions take into account fixed per-link metrics (usually 1, i.e. hop count)

Slide 44
Route table
 Each router maintains a route table
 Each entry in the table contains:
 prefix of destination
 metric
 equal to sum of metrics along each hop to the destination network
 IPv6 address of next hop
 a flag to indicate recent changes have taken place
 various timers associated with route

Slide 45
Request/response packets
 UDP (port 521) used to carry messages
 Packet format
 route tag used to separate RIPng routes for the network being managed from those of an external routing process that have been imported into the network
 Responses may be in response to a request packet or may be sent periodically without solicitation
 Responses contain lists of route table entries for the sender
 May contain complete or partial tables
 RIPng has no authentication of its own; it relies on IPsec AH/ESP, and without that any host on the link can inject or withdraw routes

Slide 46
Split horizon
 Don't advertise routes learned from an interface out that
interface
 Poisoned-reverse
 Do advertise routes learned from an interface out that interface, but
set metric to infinity so that they appear to be unreachable
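Split horizon, poisoned reverse and the receive-side metric rule from the RIPng slides above, as an added example that is not code from the original deck. Neighbours are identified by the interface the route was learnt on, a simplification of RFC 2080 (which keys on the next-hop address); the route table is constructed test data.

```python
INFINITY = 16   # RIP metric meaning "unreachable"; valid paths have at most 15 hops


def build_response(routes, out_iface, poisoned_reverse=True):
    """Route table entries (prefix, metric) to advertise on out_iface.

    routes: list of dicts {"prefix", "metric", "iface"}, iface being where the route was learnt
    (None for connected or static routes).  Split horizon omits routes learnt on out_iface;
    with poisoned reverse they are sent with metric INFINITY instead, so the neighbour
    actively withdraws them rather than merely timing them out."""
    rtes = []
    for r in routes:
        if r["iface"] == out_iface:
            if poisoned_reverse:
                rtes.append((r["prefix"], INFINITY))
            continue
        rtes.append((r["prefix"], min(r["metric"], INFINITY)))
    return rtes


def process_response(routes, rtes, in_iface, link_cost=1):
    """Apply received RTEs (RFC 2080 section 2.4.2): add the cost of the incoming link, install a new
    route if reachable, replace an existing one if the metric is better, and also replace it if it
    comes from the neighbour we already use (even if its metric got worse).  Returns a new table."""
    table = {r["prefix"]: dict(r) for r in routes}
    for prefix, metric in rtes:
        metric = min(metric + link_cost, INFINITY)
        cur = table.get(prefix)
        if cur is None:
            if metric < INFINITY:            # never install an unreachable route
                table[prefix] = {"prefix": prefix, "metric": metric, "iface": in_iface}
        elif metric < cur["metric"] or (cur["iface"] == in_iface and metric != cur["metric"]):
            table[prefix] = {"prefix": prefix, "metric": metric, "iface": in_iface}
    return list(table.values())
```

The "same neighbour, worse metric" rule is what lets a withdrawal propagate; without it a router would cling to a stale better metric until the route timed out.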

Slide 47
Major Differences from RIP
 RIP-2 includes a "next hop" field in each routing table entry (RTE)
 Due to the length of IPv6 addresses, RIPng defines a special RTE that contains a next-hop address that applies to all following RTEs until another next-hop RTE is included

Slide 48
Open Shortest Path First (OSPF)
 Another interior gateway protocol
 Link state algorithm
 Version 3 (RFC 2740, now RFC 5340) supports IPv6

Slide 49
Areas
 Large ASs may be broken up into “Areas”
 Helps control the amount of traffic used to propagate
information

Slide 50
Designated routers
 Uses an election process to pick one router on each link
to be “in charge”

Slide 51
Flooding
 Link state information is propagated by flooding the
entire network
 Contrast with RIP where information about entire network is
passed only to neighbours
 Link State Advertisements (LSAs) are stored by routers in
a “link-state database”
 Dijkstra’s algorithm used on this database to calculate
the shortest path tree and populate the routing table

Slide 52
Differences from OSPFv2 (IPv4)
 Protocol processing done per-link rather than per-subnet
 Single links may have multiple IPv6 subnets and devices on the
same link that don't share a subnet may still communicate
directly
 IP addresses are no longer used in OSPF packets
 packets carry topology information in the form of router IDs
(which are 32-bit values like IPv4 addresses and are sometimes
represented that way)
 Flooding scope added to LSAs
 Link, Area and AS scope

Slide 53
Differences from OSPFv2 (IPv4) (cont)
 Support for multiple instances of OSPF per link
 Link-local addresses used for communication between routers where possible
 Special multicast addresses
 AllSPFRouters: ff02::5
 AllDRouters: ff02::6
 Authentication removed from protocol specification
 OSPFv3 relies on the IP Authentication Header and IP Encapsulating Security Payload features of IPv6 to secure the integrity of routing exchanges (RFC 4552 describes how); an OSPFv3 deployment without IPsec configured has no authentication at all

Slide 54
Border Gateway Protocol
(BGP)
 Exterior gateway protocol that allows routing information
to be exchanged between autonomous systems (ASs)
sufficient to determine reachability and eliminate routing
loops.

Slide 55
BGP Peers
 Information is exchanged between pairs of routers called BGP peers
 Information carried using TCP (port 179)
 Small “keep alive” packets keep the TCP session from timing out.

Slide 56
BGP routes
 Contains “Network Layer Reachability Information”
(NLRI) plus “path attributes”
 Next Hop
 AS path
 Routing decisions may be based on the attributes
 Policies are used to determine which routes are sent to a
peer and which routes will be accepted

Slide 57
Updates
 Entire routing table exchanged when peering first
established
 Because TCP is used, only changes need to be
transmitted after that
 Efficient use of bandwidth (compared to IGPs)
 Routes may added, deleted or modified
 Routing loops are avoided by examining the AS path

Slide 58
Supporting IPv6
 BGP-4+ (the multiprotocol extensions of RFC 2858/RFC 4760, with the IPv6 specifics in RFC 2545) supports network protocols other than IPv4
 Very little required in order to support IPv6
 BGP Identifier is still a 32-bit value written like an IPv4 address
 When these slides were written an IPv6-only router therefore still needed an IPv4 address to run BGP; RFC 6286 later allowed any 32-bit number that is unique within the AS
 New attribute (MP_REACH_NLRI) carries both the IPv6 NLRI and the next hop (a global address, optionally followed by the peer’s link-local address)
 The classic NEXT_HOP attribute is not used (v4 only)
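An inbound policy check of the kind the BGP routes and Updates slides describe (accept or reject a route based on its attributes, and avoid loops by examining the AS path), as an added example that is not code from the original deck. The bogon list, the /48 limit and the AS numbers (from the RFC 5398 documentation range) are assumptions of this example, not something the slides specify.

```python
import ipaddress

# Prefixes an external peer should never announce to us (policy assumed for this example)
BOGONS = [ipaddress.IPv6Network(p) for p in (
    "::/8", "fe80::/10", "fec0::/10", "fc00::/7", "ff00::/8", "3ffe::/16", "2001:db8::/32")]
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def inbound_policy(prefix: str, as_path, peer_as: int, local_as: int, max_prefixlen: int = 48):
    """Reasons to reject an IPv6 UPDATE received from an eBGP peer; an empty list means accept.

    as_path is the AS_PATH as a list of AS numbers, nearest AS first."""
    net = ipaddress.IPv6Network(prefix)
    reasons = []
    if local_as in as_path:
        reasons.append("as-path loop: own AS already in path")
    if not as_path or as_path[0] != peer_as:
        reasons.append("first AS in path is not the peer")       # eBGP peer must prepend itself
    if not net.subnet_of(GLOBAL_UNICAST):
        reasons.append("not in 2000::/3")
    if any(net.subnet_of(b) for b in BOGONS):
        reasons.append("bogon prefix")
    if net.prefixlen > max_prefixlen:
        reasons.append("more specific than /%d" % max_prefixlen)
    if net.prefixlen == 0:
        reasons.append("default route from peer")
    return reasons
```

The loop check is the one BGP itself mandates; the rest is the operator policy that the slides leave as "policies are used to determine ... which routes will be accepted". A missing peer-AS check or bogon filter is how a leaked or hijacked prefix gets into a routing table.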

Slide 59
DNS - Domain Name System
 DNS translates “fully qualified domain names” like:
 www.ctie.monash.edu.au
 Into IP addresses like:
 130.194.137.141 or 2001:388:608c:fc:205:5dff:fe00:9e3a
 DNS servers hold records associating names to IP numbers
 Applications use a DNS client (resolver) to access the records
 Each DNS entry contains multiple record types (RR) and information
 No modification to the DNS protocol is required to support IPv6 addresses: only a new record type (AAAA, RFC 3596) and a new reverse tree (ip6.arpa) were added
 Newer DNS software supports both IPv4 and IPv6 access

Slide 61
DNS: Resource Records (RR)
 RR:
 A records for IPv4 address
 AAAA record for IPv6 address
 A6 = alternative IPv6 address record, not used much anymore (moved to experimental by RFC 3363 and to historic by RFC 6563)
 Example DNS record lookup:

dig helen.ctie.monash.edu.au any
;; QUERY SECTION: helen.ctie.monash.edu.au, type = ANY, class = IN
;; ANSWER SECTION:
helen.ctie.monash.edu.au.  12H IN A     130.194.252.35
helen.ctie.monash.edu.au.  12H IN AAAA  2001:388:608c:fc:205:5dff:fe00:9d30
;; AUTHORITY SECTION:
monash.edu.au.             12H IN NS    netslave1.cc.monash.edu.au.

Slide 62
DNS: IPv6 & Software Support
 DNS name server software
 Queries carried over IPv4 can return IPv6 (AAAA) records from existing name servers; the record type and the transport used to ask for it are independent
 BIND v9 (on unix/linux/MacOSX) can be queried over IPv6 natively
 MS Windows DNS (winNT,2K,XP) - queries over IPv4 transport only (at the time of writing)
 Client (resolver) apps:
 Nslookup (MS Windows, Unix, MacOSX) - queries over IPv4 transport
 DIG - IPv4 and IPv6 transport
 Proxy software exists for native IPv6 DNS lookup to IPv4-only name servers

Slide 63
DNS: Reverse lookup
 NOT all DNS name servers support reverse lookup of IPv6 addresses
 dig -x <IP address>
 Automatically builds the query name under in-addr.arpa (IPv4) or ip6.arpa (IPv6)
 Examples
 dig -x 10.1.1.10 looks up 10.1.1.10.in-addr.arpa.
 dig -x 3ffe:4567:12:fc:205:5dff:defd:abc looks up, in the bit-string form used by the dig of the time,
 \[x3FFE4567001200FC02055DFFDEFD0ABC/128].ip6.arpa.
 That bit-string form (RFC 2673) was deprecated together with A6; current resolvers use the RFC 3596 nibble format, one reversed hex digit per label:
 c.b.a.0.d.f.e.d.f.f.d.5.5.0.2.0.c.f.0.0.2.1.0.0.7.6.5.4.e.f.f.3.ip6.arpa.
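The reverse-lookup name construction from the slide above, as an added example that is not from the original deck. `reverse_name` produces what `dig -x` queries today (nibble format for IPv6, in-addr.arpa for IPv4); `bitstring_name` reproduces the obsolete form printed on the slide so that old zone files can be recognised. The addresses are the slide's own.

```python
import ipaddress


def reverse_name(addr: str) -> str:
    """Query name for a PTR lookup: in-addr.arpa for IPv4, nibble format under ip6.arpa for IPv6 (RFC 3596)."""
    a = ipaddress.ip_address(addr)
    if a.version == 4:
        return ".".join(reversed(str(a).split("."))) + ".in-addr.arpa"
    nibbles = a.exploded.replace(":", "")          # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def bitstring_name(addr: str) -> str:
    """The obsolete RFC 2673 bit-string label (\\[x.../128].ip6.arpa) shown on the slide.
    Deprecated with A6 (RFC 3363, RFC 6563); only useful for recognising it in old data."""
    a = ipaddress.IPv6Address(addr)
    return "\\[x%s/128].ip6.arpa" % a.exploded.replace(":", "").upper()
```

The nibble format is why IPv6 reverse zones are delegated on 4-bit boundaries: a /48 delegation is 12 labels deep, and a /64 is 16.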

Slide 64
IPv4 to IPv6 Transition
Strategies and mechanisms:
 The problem:
 IPv4 to IPv6 transition is gradual
 IPv6 devices need to communicate to IPv4
 IPv6 needs to communicate over IPv4 links
 The solutions:
 Dual Stack (IPv4, IPv6) Routers and workstations
 Tunnels
 Protocol Translations and Application specific gateways
 RFC2893 Transition Mechanisms for IPv6 Hosts and Routers (since replaced by RFC 4213)

Slide 66
Dual Stack
 Dual Stack (IPv4, IPv6) Routers and workstations
 Application doesn’t really need to know what the transport is.
 Can communicate to both IPv4 and IPv6

Figure: Application -> TCP,UDP -> IPv4 (Ethernet type 0x0800) or IPv6 (Ethernet type 0x86DD) -> Ethernet
Slide 67
Dual Stack (cont)
 Applications on dual stack hosts:
 For applications that only support IPv4 - use IPv4 only
 For applications that support IPv6:
 If the DNS lookup of the destination resolves only to an IPv4 address, use IPv4
 If DNS resolves to an IPv6 address, use IPv6
 When a name has both A and AAAA records, the default address selection rules (RFC 3484, now RFC 6724) prefer IPv6; modern clients try both in parallel (“Happy Eyeballs”, RFC 8305) so a broken IPv6 path does not stall the connection
 Routers – send traffic based on IP version, and routing rules

Slide 68
IPv4-mapped addresses
 IPv4 Mapped addresses --> IPv6 node to IPv4 node
 Used by IPv6 applications for internal representation of IPv4 addresses (e.g. an IPv4 peer seen through a dual-stack socket)
 IPv6 node communicates directly (via dual stack) to the IPv4 address; these addresses are not meant to appear on the wire as IPv6 packets and should be dropped by ingress filters if they do
 80 bits 0, 16 bits 1, 32 bits of IPv4 address on the end
 0:0:0:0:0:FFFF:192.17.1.42
 ::FFFF:192.17.1.42
 ::FFFF:c011:012a (the slide prints ::FFFF:c0a7:abcd, which encodes a different address, 192.167.171.205)

Slide 69
IPv4 compatible addresses
 IPv4 compatible addresses represent an IPv6 node without having a real IPv6 address
 IPv6 node communicates directly (via dual stack) to IPv4 addresses
 96 bits 0, 32 bits of IPv4 address on the end
 0:0:0:0:0:0:192.17.1.42
 ::192.17.1.42
 ::c011:012a (corrected from the slide’s ::c0a7:abcd, which does not encode 192.17.1.42)
 Used by the RFC 2893 “automatic tunnelling” mechanism (not by 6to4, which uses the 2002::/16 prefix)
 Can’t use IPv6 stateless address autoconfiguration – requires a preconfigured IPv4 address for the node
 Deprecated by RFC 4291; current stacks should not generate them

Slide 70
Tunnels
 Tunnels - Encapsulation of IPv6 over IPv4
 Manual point-to-point - RFC 2893 (now RFC 4213)
 Automatic - 6to4 (RFC 3056), Teredo (RFC 4380), ISATAP (RFC 5214)
 let IPv6 hosts or networks communicate over IPv4 without explicit tunnel setup
 6bone - tunnel connected network - Brokers provide temporary links

Figure: endpoints 192.168.1.10 and 192.168.10.2 on the IPv4 network carry an IPv6-in-IPv4 tunnel; inside the tunnel the endpoints are 3ffe:0db8::1/64 and 3ffe:0db8::2/64

Slide 71
Tunnels - IPv6 in IPv4
 IPv6 packet is encapsulated in an IPv4 packet

Figure: IPv4 header | IPv4 payload, where the IPv4 payload is the complete IPv6 packet (IPv6 header | IPv6 payload); the outer header carries IP protocol number 41

Slide 72
Tunnels - IPv6 in IPv4
 IPv4 tunnel appears as a single hop to the IPv6 nodes
 The MTU decreases by the IPv4 header size (20 bytes), so a 1500 byte link gives a 1480 byte tunnel MTU
 Tunnel types:
 Router-Router
 Node-Node
 Node-Router
 Tunnel configuration - manual (mainly for point to point), automatic, tunnel broker (as per 6bone - for occasional use)
 A tunnel endpoint should accept protocol-41 packets only from its configured peer (RFC 4213 requires this check); otherwise anyone who can reach it over IPv4 can inject IPv6 packets into the network behind it
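The encapsulation in the two slides above as bytes, as an added example that is not code from the original deck: `encapsulate` wraps an IPv6 packet in a 20-byte IPv4 header with protocol 41, `decapsulate` refuses anything that is not a well-formed protocol-41 packet from the configured peer, and `tunnel_mtu` applies the 20-byte reduction. The tunnel endpoints are the ones from the earlier figure; the inner packet is constructed test data.

```python
import struct

IPPROTO_IPV6 = 41          # IPv6 encapsulated in IPv4 (RFC 4213)
IPV6_MIN_MTU = 1280


def _ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _v4(text: str) -> bytes:
    return bytes(int(o) for o in text.split("."))


def encapsulate(src4: str, dst4: str, ipv6_packet: bytes, ttl: int = 64, ident: int = 0) -> bytes:
    """Prepend a minimal IPv4 header (no options, DF set so the outer packet is never fragmented)."""
    if not ipv6_packet or ipv6_packet[0] >> 4 != 6:
        raise ValueError("payload is not an IPv6 packet")
    total_len = 20 + len(ipv6_packet)
    if total_len > 0xFFFF:
        raise ValueError("too large for an IPv4 packet")
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000, ttl, IPPROTO_IPV6, 0,
                      _v4(src4), _v4(dst4))
    hdr = hdr[:10] + struct.pack("!H", _ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ipv6_packet


def decapsulate(pkt: bytes, expected_peer: str) -> bytes:
    """Return the inner IPv6 packet, or raise if the outer packet is malformed or not from our peer."""
    if len(pkt) < 40 or pkt[0] != 0x45:
        raise ValueError("not a plain IPv4 header")
    (_, _, total_len, _, _, _, proto, _, src, _) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if _ipv4_checksum(pkt[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != IPPROTO_IPV6:
        raise ValueError("not protocol 41")
    if src != _v4(expected_peer):
        raise ValueError("outer source %s is not the tunnel peer" % ".".join(map(str, src)))
    inner = pkt[20:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    return inner


def tunnel_mtu(link_mtu: int) -> int:
    """IPv6 MTU through the tunnel; the IPv4 link must leave at least the IPv6 minimum."""
    mtu = link_mtu - 20
    if mtu < IPV6_MIN_MTU:
        raise ValueError("IPv4 link MTU %d leaves less than the IPv6 minimum of %d" % (link_mtu, IPV6_MIN_MTU))
    return mtu
```

The peer check is a weak one (IPv4 source addresses can be spoofed), which is why RFC 4213 also asks endpoints to sanity-check the inner source address and why a tunnel that must be trusted should run IPsec or sit behind ingress filtering.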

Slide 73
Automatic configuration of tunnels
 Automatic Tunnel configuration - compatible addresses
 A dual stack host connected to an IPv4 network may use an IPv4 compatible address to talk to IPv6 hosts through a gateway
 This technique is no longer favoured (it was removed from the mechanisms in RFC 4213)

Figure: Dual stack host ::192.168.1.1 on the IPv4 network -> IPv6 in IPv4 tunnel -> dual stack router -> IPv6 network

Slide 74
Automatic configuration of Tunnels - 6to4
 Tunnel configuration 6to4
 RFC3056 Connection of IPv6 domains via IPv4 clouds (6to4)
 supported by Microsoft implementation with a Microsoft provided 6to4 endpoint.
 2002:v4addr::/48
 Made up of 6to4 prefix 2002::/16 (IANA assigned) and the site’s globally unique IPv4 address
 E.g. 192.1.2.3 = c001:0203
 Results in the 6to4 prefix: 2002:c001:203::/48
 6to4 relay routers such as that provided by Microsoft provide transit capability between 6to4 domains and the native IPv6 internet
 The public anycast relays (RFC 3068) were deprecated by RFC 7526 because of poor reliability, and a relay decapsulates protocol-41 traffic from any IPv4 source, so 6to4 should now be treated as legacy

Slide 75
Automatic configuration of Tunnels - 6to4

Figure: two sites, each a dual-stack router on the IPv4 network: 192.168.1.1 with the 6to4 prefix 2002:c0a8:0101::/48 and 192.168.100.1 with 2002:c0a8:6401::/48, joined by an IPv6 in IPv4 tunnel between their IPv6 networks
 (RFC 3056 requires a globally unique IPv4 address; the private 192.168.x.x addresses in this figure only work within a single private IPv4 network)
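The three embedded-IPv4 forms from the IPv4-mapped, IPv4-compatible and 6to4 slides, computed and recognised in code, as an added example that is not part of the original deck. The IPv4 addresses are the slides' own examples; the `is_private` refusal in `sixto4_prefix` reflects RFC 3056's requirement for a globally unique address.

```python
import ipaddress


def ipv4_mapped(v4: str) -> ipaddress.IPv6Address:
    """::ffff:a.b.c.d, the internal form a dual-stack socket uses for an IPv4 peer (RFC 4291 2.5.5.2)."""
    return ipaddress.IPv6Address((0xFFFF << 32) | int(ipaddress.IPv4Address(v4)))


def ipv4_compatible(v4: str) -> ipaddress.IPv6Address:
    """::a.b.c.d, the RFC 2893 automatic-tunnelling form; deprecated by RFC 4291, kept here for recognition."""
    return ipaddress.IPv6Address(int(ipaddress.IPv4Address(v4)))


def sixto4_prefix(v4: str) -> ipaddress.IPv6Network:
    """2002:VVVV:VVVV::/48 for a site whose public IPv4 address is v4 (RFC 3056)."""
    a = ipaddress.IPv4Address(v4)
    if a.is_private or a.is_loopback or a.is_multicast or a.is_unspecified:
        raise ValueError("6to4 needs a globally unique IPv4 address, got %s" % v4)
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(a) << 80), 48))


def embedded_ipv4(v6: str):
    """(kind, IPv4Address) for a mapped, 6to4 or compatible address, or None if nothing is embedded."""
    a = ipaddress.IPv6Address(v6)
    if a.ipv4_mapped is not None:
        return "ipv4-mapped", a.ipv4_mapped
    if a.sixtofour is not None:
        return "6to4", a.sixtofour
    n = int(a)
    if n >> 32 == 0 and n not in (0, 1):          # ::/96 but not :: or ::1
        return "ipv4-compatible", ipaddress.IPv4Address(n & 0xFFFFFFFF)
    return None
```

`embedded_ipv4` is the piece a border filter needs: a packet whose IPv6 source embeds a private or bogon IPv4 address (or any mapped address at all) is either misconfigured or forged.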

Slide 76
IPv4 to IPv6 Transition - Protocol Translation
 NAT updated for IPv6
 NAT-PT Protocol Translation additions for IPv6 variations
 Header field changes, meaning of fields change.
 Application specific gateways
 SIIT
 DNS
 FTP protocol has addresses embedded in the messages - need translation at the gateway device [NAT-PT specifies this].
 NAT-PT (RFC 2766) was later moved to historic status (RFC 4966); its successors are stateful NAT64 with DNS64 (RFC 6146, RFC 6147) and the updated stateless SIIT (RFC 7915)

Slide 77
NAT-PT and ALG’s
 NAT-PT and NAPT-PT: Network Address Translation updated for IPv6
 NAT-PT, NAPT-PT translate protocols (e.g.: ICMP) as well as addresses
 They define Application Layer Gateways as well (NAT-PT specifies FTP and DNS ALGs as well as protocol translations)
 E.g.: NAT-PT translates the ICMPv6 ‘Packet Too Big’ message into its IPv4 ICMP equivalent
 Introduces a single point of failure device in the network.
 May not be possible for all ICMPv6 packets

Slide 78
NAT-PT and ALG’s

Figure: IPv6 Host -> NAT-PT Router -> IPv4 Internet -> IPv4 Host; ICMPv6 on the IPv6 side is translated to IPv4 ICMP on the IPv4 side

Slide 79
NAT-PT and NAPT-PT
 NAT-PT Network Address Translation – Protocol
Translation
 NAPT-PT Network Address Port Translation-protocol
translation
 NAT-PT uses a pool of IPv4 addresses – allocates one
per IPv6 address.
 NAPT translates ports as well as addresses.
 This allows single IPv4 address to represent multiple
IPv6 addresses
 Stateful address/header translations as per SIIT

Slide 80
SIIT
 RFC 2765 Stateless IP/ICMP Translation Algorithm (SIIT), since updated by RFC 6145 and now RFC 7915
 Allows IPv6 only nodes to communicate to IPv4 nodes
 Uses boxes on the network to do stateless translation of IP/ICMP
 Translates packet headers from IPv4 to IPv6 mapped or translated addresses
 Must generate appropriate header entries (e.g.: checksums) for the protocol
 Rewrites ICMP error messages as they contain embedded IP addresses
 Requires an IPv4 allocation mechanism for the IPv6 node and also tunnel/routing configuration

Slide 81
Contents
 IPv4 and IPv6 Security
 Attacks against Internetworks
 IPv6 Security Issues.
 IPv6 Security features.

Slide 83
IPv4 and IPv6 Security
 Weaknesses of IPv4 security
 Trust of received packet information (spoofing)
 Host-to-host security not widely available
 IPv6 Security Inherits from IPv4
 Packet service, can insert packets
 Ingress filtering will be incomplete
 Many of the IPv4 applications will be in IPv6 (email, web)
 IPv6 Built with security in mind
 IPv6 aims to be 'no worse than IPv4'
 IP Security Protocols (IPsec support was a MUST for every IPv6 node in RFC 4294; RFC 6434 relaxed it to a SHOULD, and in any case having the code present says nothing about whether any traffic is actually protected)
 New Internet applications specified with security in mind
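Source-address validation at a site border, the ingress filtering the slide above says "will be incomplete", as an added example that is not code from the original deck. It applies the BCP 38 idea to IPv6 with the address categories from the Addressing section: drop packets whose source can never legitimately cross a router, drop packets from outside that claim one of our prefixes, and drop packets leaving the site that do not. The site prefix and addresses in the checks are constructed test values.

```python
import ipaddress

# Source prefixes that must never arrive at a border from either side
SPECIAL = {
    "unspecified": ipaddress.IPv6Network("::/128"),
    "loopback": ipaddress.IPv6Network("::1/128"),
    "ipv4-mapped": ipaddress.IPv6Network("::ffff:0:0/96"),
    "ipv4-compatible": ipaddress.IPv6Network("::/96"),
    "documentation": ipaddress.IPv6Network("2001:db8::/32"),
    "site-local": ipaddress.IPv6Network("fec0::/10"),
    "6bone": ipaddress.IPv6Network("3ffe::/16"),
}


def ingress_check(src: str, dst: str, our_prefixes, from_outside: bool):
    """Reasons to drop a packet at the site border; an empty list means forward.

    our_prefixes: the site's own global prefixes.
    from_outside: True for packets arriving on the Internet-facing interface, False for packets leaving."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    ours = [ipaddress.IPv6Network(p) for p in our_prefixes]
    reasons = []
    for name, net in SPECIAL.items():
        if s in net:
            reasons.append("source is %s" % name)
    if s.is_multicast:
        reasons.append("multicast source")
    if s.is_link_local or d.is_link_local:
        reasons.append("link-local address must not cross a router")
    if s in ipaddress.IPv6Network("fc00::/7"):
        reasons.append("ULA source must not cross the site border")
    inside = any(s in n for n in ours)
    if from_outside and inside:
        reasons.append("spoofed: our own prefix arriving from outside")
    if not from_outside and not inside:
        reasons.append("egress: source is not one of our prefixes")
    if d.is_multicast and (int(d) >> 112) & 0xF < 0xE:
        reasons.append("multicast destination with non-global scope")
    return reasons
```

The egress half is the one most sites skip, and it is the half that stops a compromised host inside the site from taking part in a reflection attack with a forged source.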

Slide 84
Attacks against Internetworks
 DoS attacks
 Attacks against resources (Server, Link, QoS)
 Hijack Attacks
 Theft of service/QoS .
 Impersonation
 Packet forgery
 Man In the Middle
 Snooping
 Data Insertion/Deletion
 Host Intrusion
 Worms and Viruses (Application Issue!)
 This may not get better under IPv6.

Slide 85
Attacks: Denial of Service
 Attacker causes congestion on victim’s computer/network

Figure: Attacker on the Internet floods the Victim on the Local Network

Slide 86
Attacks: Service Theft
 Attacker gains unauthorized access to network

Figure: Attacker joins the Victim’s Local Network and uses its connection to the Internet

Slide 87
Attacks: Impersonation
 Attacker disguises itself as another host to gain unauthorized access to services

Figure: Attacker on the Internet presents itself to one Victim on the Local Network as another Victim

Slide 88
Attacks: Man-in-the-Middle
 Man-in-the-middle attacker can block, modify, replay or otherwise make use of intercepted packets

Figure: Attacker sits on the path between a Victim on the Local Network and a Victim on the Internet

Slide 89
Attacks: Host Intrusion
 Attacker gains unauthorized access to a remote host

Figure: Attacker on the Internet breaks into the Victim host on the Local Network

Slide 90
IPv6 Security Issues
 IPv6 Security issues.
 Data Confidentiality/Integrity
 Neighbour Discovery/ Autoconfiguration
 Network Access Control
 Mobile IPv6
 Key Distribution
 Transition Mechanisms

Slide 91
IPv6 Security Features
 IPv6 Security features.
 IPSec
 SEND (SEcuring Neighbour Discovery)
 AAAv6
 Mobile IPv6 Return Routability

Slide 92
Security Features: IPSec(v6)
 IPSec
 End-to-End Security
 Authentication (AH, or ESP with integrity protection)
 Encryption (ESP)
 Available in some IPv4 nodes; mandatory to implement in ALL IPv6 nodes when these slides were written (RFC 4294), relaxed to SHOULD by RFC 6434. Implementation is not deployment: without key management (IKE) and a security policy, no packet is protected.

Slide 93
Security Features: SEND
 SEcuring Neighbor Discovery (RFC 3971):
 Secures Neighbor Discovery without IPsec. IPsec cannot protect ND because a node has no address and no security association until ND has run (Chicken and Egg); SEND instead adds new ND options: CGA, RSA Signature, Timestamp and Nonce.
 Protects autoconfiguration messages from attackers on the same link.
 Proves address ownership locally (Using CGA, RFC 3972, or the ABK proposal of the time).
 Routers are authorised through certification paths to a configured trust anchor (Authorization Delegation Discovery).
 In early stages of development when these slides were written
 Key Technology

Slide 94
Security Features: AAAv6
 AAAv6 Protocols:
 Provide Authentication, Authorization and Accounting
 Used on access networks
 Works with NAS, Wireless LAN (EAP), PANA, PPP, Mobile IPv6
 DIAMETER protocol (RFC 3588, now RFC 6733; supersedes RADIUS)
 Can specify Authorization policy through Attribute-Value-Pairs.

Slide 95
Security Features: AAAv6

Figure: a client attaches via an 802.11b Access Point (802.1X), PPP or PANA to the Access Router on the Local Network; the local AAA server (AAA Foreign) relays the request across the Internet to the AAA Home server
Slide 96
Security Issues: Key Distribution
 The Public Key Infrastructure (PKI) has been around for a long time.
 Not many nodes have public keys (poor adoption).
 Many Key Exchange systems rely upon Public Key availability.
 Shared keys don't work for generic peer-to-peer communication.
 SEND relies upon certification paths (“Authorization Delegation Discovery”) which establish trust between a router and a host using digital signatures chained to a configured trust anchor.
 Cryptographically generated addresses take the pessimistic approach (no widely adopted PKI): the address itself is bound to the owner’s public key by a hash, so ownership can be proved to a neighbour without any third party.
 If Keys are distributed, still need to replace/update securely.
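Cryptographically generated addresses, named on the SEND slide and the Key Distribution slide above, as an added example that is not code from the original deck: RFC 3972 address generation and verification with SHA-1, the sec parameter, and the u/g bit handling. The "public key" bytes in the checks are a constructed placeholder, not a DER-encoded RSA key, and extension fields are omitted.

```python
import hashlib
import ipaddress
import os


def _cga_params(modifier: bytes, prefix8: bytes, collision_count: int, pubkey: bytes) -> bytes:
    """CGA Parameters data structure (RFC 3972 section 3), extension fields omitted."""
    return modifier + prefix8 + bytes([collision_count]) + pubkey


def cga_generate(prefix: str, pubkey: bytes, sec: int = 0, rng=os.urandom):
    """Generate a CGA in `prefix` (a /64) bound to `pubkey` (RFC 3972 section 4).
    Returns (address, params); params is what the owner later sends alongside a signature."""
    prefix8 = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    modifier = rng(16)
    # For sec > 0, search for a modifier whose Hash2 starts with 16*sec zero bits (the hash extension
    # that makes brute-forcing a matching address 2^(16*sec) times harder for an attacker)
    while sec > 0:
        hash2 = hashlib.sha1(_cga_params(modifier, b"\0" * 8, 0, pubkey)).digest()[:14]
        if int.from_bytes(hash2, "big") >> (112 - 16 * sec) == 0:
            break
        modifier = ((int.from_bytes(modifier, "big") + 1) & ((1 << 128) - 1)).to_bytes(16, "big")
    collision_count = 0        # the caller increments this (up to 2) if DAD reports a collision
    hash1 = hashlib.sha1(_cga_params(modifier, prefix8, collision_count, pubkey)).digest()[:8]
    iid = bytearray(hash1)
    iid[0] = (sec << 5) | (iid[0] & 0x1C)       # sec in the 3 leftmost bits; u and g bits (6, 7) cleared
    address = ipaddress.IPv6Address(prefix8 + bytes(iid))
    return address, {"modifier": modifier, "collision_count": collision_count, "pubkey": pubkey}


def cga_verify(address: str, params: dict) -> bool:
    """True if `address` was generated from params["pubkey"] (RFC 3972 section 5)."""
    packed = ipaddress.IPv6Address(address).packed
    prefix8, iid = packed[:8], packed[8:]
    if params["collision_count"] > 2:
        return False
    sec = iid[0] >> 5
    hash1 = hashlib.sha1(_cga_params(params["modifier"], prefix8, params["collision_count"],
                                     params["pubkey"])).digest()[:8]
    # compare Hash1 with the interface identifier ignoring bits 0-2 (sec) and 6-7 (u, g)
    if (hash1[0] & 0x1C) != (iid[0] & 0x1C) or hash1[1:] != iid[1:]:
        return False
    if sec == 0:
        return True
    hash2 = hashlib.sha1(_cga_params(params["modifier"], b"\0" * 8, 0, params["pubkey"])).digest()[:14]
    return int.from_bytes(hash2, "big") >> (112 - 16 * sec) == 0
```

Verification proves only that the address and the key belong together; proving that the sender holds the key is the job of the RSA Signature option in SEND, which signs the ND message with it. With sec=0 an attacker can find a key matching a given 59-bit identifier with about 2^59 hashes, which is why sec exists.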

Slide 97
Security Issues: Transition Mechanisms
 Most IPv6 hosts will be 'dual stack'
 IPv4 systems will not have the same security feature set as IPv6
 Double handling of security policy (mistakes easier): every firewall rule has to exist twice, once per protocol
 Small chance of attacks through protocol translation systems (IPSec may not work well through them, though).
 Tunnels carry IPv6 past IPv4-only firewalls and intrusion detection: a network that does not intend to run IPv6 should block protocol 41, Teredo (UDP 3544) and rogue RAs on its own links (RFC 7123 surveys these issues)

Slide 98
Progress:
 Basics
 Addressing
 Routing
 Domain Name System
 IPv4 to IPv6 transition
 Security
 State of the Art
 Mobile IPv6

Slide 99
Advocacy and Forums
 (More info: http://www.ipv6-taskforce.org/ )
 International Task Forces (in the EC, Korea, India, North America, Taiwan) have been set up to run summits and seminars promoting adoption and understanding of IPv6
 The IETF (Internet Engineering Task Force) is finalizing standards for IPv6 extensions such as Mobility and Secure Neighbour Discovery.
 The IPv6 Forum has released the "IPv6 Ready" logo, which can be used to indicate a product's compliance with IPv6 standards.

Slide 100
World-wide connectivity
 Advocacy won't help if the packets don't get through!
 Academic Networks: Internet2 (US), GrangeNet (AU), 6NET (EU), CERNET2 (China), etc.
 Commercial Networks:
 NTT in Japan and elsewhere
 Telia and NTT have commercial offerings in Europe.
 Uptake in USA is slow but gaining momentum.
 Sprint, MCI, etc.

Slide 101
IPv6 Implementations
 (more info: http://www.ipv6.org/impl/ )
 Looking at three Classes of implementations:
 Host Implementations
 MobileIPv6
 Router Implementations

Slide 102
Host Implementations
 Most vendor Unix: Solaris 8 +, AIX 4.3 +, etc.
 Linux - kernels 2.2 + include IPv6 (2.5+ full IPSecv6)
 FreeBSD - includes KAME from 4.0
 OpenBSD - includes KAME from 2.7
 MS Windows - supported from XP onwards (some API issues)
 Mac OS X (10.2 Jaguar onwards, some API issues)
 Embedded Implementations from Wind River, Elmic, etc.

Slide 103
Router Implementations
 Available from major vendors including:
 Cisco IOS 12.2T +
 Juniper JUNOS 5.1 +
 Nortel

Slide 104
Network Applications
 Server Applications
 Apache web server supports IPv6
 Many other services do too, due to 'dual stack' approach.
 Desktop Applications
 Microsoft Internet Explorer
 Secure Shell (ssh)
 FTP, Telnet

Slide 105
Progress:
 Basics
 Addressing
 Routing
 Domain Name System
 IPv4 to IPv6 transition
 Security
 State of the Art
 Mobile IPv6

Slide 106
Contents
 IP Mobility
 Problem Statement
 Simple solutions
 Mobile IPv4
 Limitations
 Mobile IPv6
 Motivation
 Mobile IPv6
 Handovers

Slide 107
Mobile Packets the Future?
 Trends towards packetisation of everything
 Easier to incorporate different data streams
 User control of usage models
 We don't know what the applications will be
(but we can take some guesses).
 Once we have IP connectivity, anything goes...

Slide 108
The Internet Mobility Challenge
 IP address is not only a unique address, but tied to Network Topology
 Movement of an IP device between networks relies on Layer 2 or Layer 3 context transfer.
 When Layer 3 transfer occurs, IP address changes.
 Higher layer protocols cannot handle IP address changes (e.g. TCP)
 IP Mobility must hide or prevent IP address changes for higher protocol layers

Slide 109
Layer 2 mobility limitations
 Single Layer 3 broadcast domain
 All broadcasts go over wireless medium
 Handovers between networks problematic
 Service Provider to Enterprise/Service Provider
 Heterogeneous handovers
 Need to re-implement mobility for every Layer 2

Slide 110
Using DHCP for roaming
 Dynamic Host Configuration Protocol
 Allows devices to get an address when visiting a network.
 Available for IPv4 and IPv6.
 Existing sessions do not survive movement across link boundaries
 Address management not required in IPv6 (Stateless Address Autoconfiguration)
 Provides additional information (DNS, etc.)

Slide 111
Mobile IP
 No geographic limitations
 No physical connection
 No modifications to other hosts or routers
 No modifications to IP addressing
 Secure
 Transparent to transport layer
 Assumptions
 <1 change per second
 routing based only on destination address

Slide 112
Mobile IPv4
[Figure: Mobile IPv4 operation. Labels: Correspondent Node, Internet, Home Network, Home Agent, Home Address, Foreign Network, Foreign Agent, Mobile Node, Tunnel, Address Registration, Data]
Slide 113
Mobile IPv6
 Address Autoconfiguration
 No Foreign Agents
 Optional Headers
 Routing Header - replaces tunneling
 Home Address – overcomes ingress filtering
 Binding update and request
 Host Binding Caches
 Route optimisation
 IPSec
 Separate Security Specification
 Supports privacy

Slide 114
Mobile IPv6 System
[Figure: Mobile IPv6 system. Labels: Correspondent Node, Internet, Home Network, Home Agent, Home Address, Router Advertisement, Foreign Network, Care-of Address, Mobile Node, Address Registration, Binding, Data]
Slide 115
Mobile IPv6 Handover
[Figure: Mobile IPv6 handover. Labels: Correspondent Node, Home Test, Care-of Test, Binding Update, Internet, Home Network, Home Agent, Home Binding Update/Acknowledgment, Foreign Network 1 with Care-of Address 1, Foreign Network 2 with Care-of Address 2, Router Advertisement, Duplicate Address Detection, Mobile Node]
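Added example, not from the slides, of the Home Test / Care-of Test / Binding Update exchange shown in the handover figure, following the return routability procedure of RFC 3775 in simplified form: the correspondent node issues keygen tokens to the home address and the care-of address separately and accepts a Binding Update only when its authorization data was computed from both, so a party that can receive at only one of the two addresses cannot redirect the mobile node's traffic. Kcn, the nonces, the addresses and the mobility header bytes are constructed sample values.

```python
"""Mobile IPv6 return routability (RFC 3775, section 5.2), as an added example.

Not from the slides: the correspondent node (CN) accepts a Binding Update only
after the mobile node (MN) shows it can receive at both its home address (Home
Test, delivered through the home agent) and its care-of address (Care-of Test,
sent directly).  Kcn, the nonces and all addresses are constructed samples.
"""
import hashlib
import hmac
import ipaddress

KCN = b"constructed-correspondent-node-secret"   # known only to the CN
HOME_NONCE = bytes.fromhex("0102030405060708")   # nonces chosen by the CN
COA_NONCE = bytes.fromhex("1112131415161718")


def _addr(a: str) -> bytes:
    return ipaddress.IPv6Address(a).packed


def keygen_token(addr: str, nonce: bytes, kind: int) -> bytes:
    """kind 0 = home keygen token (HoT), kind 1 = care-of keygen token (CoT):
    First(64, HMAC_SHA1(Kcn, addr | nonce | kind)).  The CN keeps no per-MN state."""
    return hmac.new(KCN, _addr(addr) + nonce + bytes([kind]), hashlib.sha1).digest()[:8]


def binding_key(home_token: bytes, coa_token: bytes) -> bytes:
    # Kbm = SHA1(home keygen token | care-of keygen token); needs both tokens
    return hashlib.sha1(home_token + coa_token).digest()


def binding_auth(kbm: bytes, coa: str, cn: str, mh_data: bytes) -> bytes:
    # Binding Authorization Data = First(96, HMAC_SHA1(Kbm, coa | cn | MH data))
    return hmac.new(kbm, _addr(coa) + _addr(cn) + mh_data, hashlib.sha1).digest()[:12]


def mn_binding_update(home: str, coa: str, cn: str, mh_data: bytes) -> bytes:
    """MN side: combine the tokens delivered to each address and authenticate the BU."""
    hot = keygen_token(home, HOME_NONCE, 0)   # received at the home address
    cot = keygen_token(coa, COA_NONCE, 1)     # received at the care-of address
    return binding_auth(binding_key(hot, cot), coa, cn, mh_data)


def cn_accepts_binding(home: str, coa: str, cn: str, mh_data: bytes, auth: bytes) -> bool:
    """CN side: regenerate both tokens from Kcn and the nonces, then check the MAC.
    A sender that could reach only one of the two addresses cannot produce it."""
    kbm = binding_key(keygen_token(home, HOME_NONCE, 0), keygen_token(coa, COA_NONCE, 1))
    return hmac.compare_digest(binding_auth(kbm, coa, cn, mh_data), auth)
```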

Slide 116
Mobile IPv6
Benefits:
1. Uses IPv6 Router Discovery to detect movement
2. Uses IPv6 Address Autoconfiguration
3. Route Optimisation
4. Limited support required in Access Network.
Complexities:
1. Movement detection granularity is low
2. Dead time related to distance from HA
3. Security for CN/HA bindings
4. Duplicate Address Detection slow
Slide 117
Thank you

© 2003-2005 Monash CTIE
