IPv4/v6 Transition Technologies, ETRI (hclee_shep@etri.re.kr), June 23, 2004, KRnet 2004 Track D
Contents
- IPv4/IPv6 Transition Mechanisms: tunneling based mechanisms, translation based mechanisms
- IPv4/v6 Coexistence Network Models
- Transition Scenarios (v6ops WG)
- Consideration for Additional Problems
(1) IPv4 address space: 32 bits, 2^32 = about 4.3 billion addresses, of which roughly 70% is already allocated (the slide's remaining figures, 3,150 and 3,000, lost their labels in extraction)
(3) Drivers for IPv6 that survive from the slide: always-on broadband (ADSL), IMT-2000, home networks; hacking and protection of mission-critical data; IP addresses for users and home networks, IP phones, private vs. public IP; seamless communication; e-commerce and multimedia (VOD, Internet games, pay-per-view TV); plug & play networks; end-to-end connectivity
Figure: transition cost over time, curves a and b. Cost difference between IPv4 and IPv6 operations? Source: IPv6 PC of Japan
- IPv6 is not compatible with IPv4, and there is a lot of IPv4 infrastructure
- No flag day: no IPv4/IPv6 barriers at any time
- Transition will be incremental, possibly over several years or a decade
- Must be easy for the end user; the transition from IPv4 to IPv6 must not break anything
- IPv6 deployment will be considered with transition in mind
- Assumption: IPv4/IPv6 coexistence
Types of Transition Mechanisms
- Host/Router: IPv4/IPv6 dual stack (application, TCP/UDP, IPv4 and IPv6 side by side, driver)
- Networks: tunneling. IPv6 tunneling across IPv4 clouds; later, IPv4 tunneling across IPv6 clouds (IPvY network - IPvX tunnel - IPvY network)
- Gateway: IPv4/IPv6 translation (IPv4 network - translator - IPv6 network)
IPv4/IPv6 Transition Mechanisms
- Coexistence of IPv4 and IPv6 [RFC 2893]
- Tunneling: configured / automatic tunneling, 6to4 [RFC 3056], DSTM (Dual Stack Transition Mechanism) [ID], TB (Tunnel Broker) [RFC 3053], ISATAP [ID], Teredo [ID]
- Translation: NAT-PT (Network Address Translation - Protocol Translation) [RFC 2766], SIIT (Stateless IP/ICMP Translation) [RFC 2765], BIS (Bump-in-the-Stack) [RFC 2767] / BIA (Bump-in-the-API) [RFC 3338], SOCKS Gateway [RFC 3089], Transport Relay [RFC 3142]
- Combination: SIIT and DSTM, NAT-PT and 6to4, DSTM and 6to4
Dual Stack
- Complete support for both the IPv4 and the IPv6 protocol specification
- Resolver libraries dealing with both A and AAAA records
- IPv4 transport vs. IPv6 transport
- Default address selection rules: Default Address Selection for Internet Protocol version 6 (IPv6) [RFC 3484] (since revised by RFC 6724)
- Figure: application (DNS resolver: A, AAAA) / transport protocol (TCP, UDP) / IPv6 (Ethertype 0x86dd) and IPv4 (Ethertype 0x0800) / data link layer / physical layer
Tunneling
- IPv6-in-IPv4 tunneling
  - Configured tunneling: manual configuration, such as on the 6bone; requires explicit configuration at the entry point to the IPv4 network
  - Automatic tunneling: relies on special IPv6 unicast addresses that embed the IPv4 tunnel endpoint; IPv4-compatible addresses (e.g., ::129.254.254.86), now deprecated; ISATAP; 6to4
- IPv4-in-IPv6 tunneling: 4over6, DSTM (Dual Stack Transition Mechanism)
Configured vs. Automatic Tunneling (figure)
- Both: IPv6 host - IPv6 network - router (tunnel entry) - IPv4 network - router (tunnel exit) - IPv6 network - IPv6 host. On the IPv4 segment the packet is: IPv4 header (SRC, DST = tunnel endpoints) | IPv6 header (SRC, DST = hosts) | payload
- Configured tunnel: the outer IPv4 SRC/DST are configured manually on the two routers
- Automatic tunnel: the inner IPv6 SRC/DST are IPv4-compatible addresses, and the outer IPv4 SRC/DST are taken from the IPv4 address embedded in them
6to4 [RFC 3056]
- Interconnection of isolated IPv6 domains through the IPv4 world
- Site border router must have at least one globally unique IPv4 address
- Uses an embedded IPv4 address: 6to4 address = 2002:V4ADDR::/48
- Address format: 2002 (16 bits, the reserved 6to4 TLA-ID 2002::/16, pre-defined) | V4ADDR (32 bits, ISP-assigned IPv4 address) | SLA (16 bits, managed by the site) | interface ID (64 bits, auto-configured); the first 48 bits are the 6to4 prefix
- Example: IPv4 address 129.254.15.1 = 81fe:0f01; resulting 6to4 prefix 2002:81fe:0f01::/48
- All 6to4 hosts have an IPv6 address built from the site's 6to4 prefix
6to4 Operation - Simple Scenario (figure)
- 6to4 site A: prefix 2002:c001:0203::/48; 6to4 router A3 with IPv4 address 192.1.2.3; hosts A1, A2. Source host A1 = 2002:c001:0203:1:230:65ff:fe2c:9a6
- 6to4 site B: prefix 2002:09fe:fdfc::/48; 6to4 router B3 with IPv4 address 9.254.253.252; hosts B1, B2. Destination host B1 = 2002:09fe:fdfc:1:20a:95ff:fe8b:3cba
- Across the IPv4 network: IPv4 header SRC 192.1.2.3, DST 9.254.253.252 | IPv6 header SRC = A1, DST = B1 | payload. The 6to4 router is an IPv6 router with a 6to4 encapsulator; it reads the IPv4 destination from the V4ADDR field of the destination 6to4 address
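The A1 to B1 exchange above, as an added example (not code from the slides): the site A router builds the protocol-41 packet, and the receiving side performs the check that later 6to4 security guidance (RFC 3964) recommends, namely that the outer IPv4 source matches the V4ADDR embedded in the inner 6to4 source. Without that check anyone on the IPv4 Internet can inject IPv6 packets with a spoofed inner source through a 6to4 router or relay. The function and constant names are assumptions made for this example.

```python
"""6to4 encapsulation and the decapsulation-side source check (added example)."""
import struct
import ipaddress

IPPROTO_IPV6 = 41                      # IPv6-in-IPv4 (RFC 2893 / RFC 3056)
SIX2FOUR = ipaddress.IPv6Network("2002::/16")


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header; yields 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6(src6: str, dst6: str, payload: bytes, next_header: int = 59) -> bytes:
    """Minimal IPv6 packet: 40-byte header + payload (59 = No Next Header, demo only)."""
    return struct.pack(
        "!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
        ipaddress.IPv6Address(src6).packed, ipaddress.IPv6Address(dst6).packed,
    ) + payload


def encapsulate(inner: bytes, src_v4: str, dst_v4: str, ttl: int = 64) -> bytes:
    """What the 6to4 router does: prepend an IPv4 header carrying protocol 41."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0x4000, ttl, IPPROTO_IPV6, 0,
        ipaddress.IPv4Address(src_v4).packed, ipaddress.IPv4Address(dst_v4).packed,
    )
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + inner


def next_hop_v4(dst6: str) -> str:
    """The IPv4 tunnel endpoint is the V4ADDR field (bytes 2..5) of the 6to4 destination."""
    a = ipaddress.IPv6Address(dst6)
    if a not in SIX2FOUR:
        raise ValueError("not a 6to4 address")
    return str(ipaddress.IPv4Address(a.packed[2:6]))


def decapsulate(packet: bytes):
    """Returns (inner_ipv6, None) when accepted, otherwise (None, reason)."""
    if len(packet) < 20:
        return None, "truncated"
    vihl, _, total, _, _, _, proto, _, src4, _ = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or proto != IPPROTO_IPV6:
        return None, "not IPv6-in-IPv4"
    if ipv4_checksum(packet[:ihl]) != 0:
        return None, "bad IPv4 header checksum"
    inner = packet[ihl:total]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None, "inner packet is not IPv6"
    inner_src = ipaddress.IPv6Address(inner[8:24])
    outer_src = ipaddress.IPv4Address(src4)
    # Ingress check: a 6to4 source must embed the IPv4 address the packet arrived from.
    if inner_src in SIX2FOUR and ipaddress.IPv4Address(inner_src.packed[2:6]) != outer_src:
        return None, "6to4 source %s does not embed outer source %s" % (inner_src, outer_src)
    return inner, None


# Constructed sample, using the addresses of the scenario above.
A1 = "2002:c001:0203:1:230:65ff:fe2c:9a6"
B1 = "2002:09fe:fdfc:1:20a:95ff:fe8b:3cba"
ROUTER_A3 = "192.1.2.3"

if __name__ == "__main__":
    inner = build_ipv6(A1, B1, b"hello")
    pkt = encapsulate(inner, ROUTER_A3, next_hop_v4(B1))
    print("tunnel to", next_hop_v4(B1), "accepted:", decapsulate(pkt)[1] is None)
    print("spoofed outer source:", decapsulate(encapsulate(inner, "10.9.8.7", next_hop_v4(B1)))[1])
```

The check only covers 6to4-to-6to4 traffic; packets from native IPv6 arriving through a 6to4 relay carry the relay's IPv4 address, so for those the relay itself has to be trusted, which is the residual risk the v6ops 6to4 security work is about.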
Configuration Example: Windows XP 6to4 host with 6to4 router 129.254.254.83 (screenshot)
Tunnel Broker [RFC 3053]
- Designed for small sites and isolated hosts to connect to an existing IPv6 network
- Three basic components: Client (dual-stack host or router, tunnel end-point); Tunnel Broker (dedicated server that automatically manages tunnel requests from users and sends them to a Tunnel Server); Tunnel Server (dual-stack router connected to the IPv6 Internet, the other tunnel end-point)
- Examples of tunnel broker services: Freenet6 [Canada] (www.freenet6.net), CERNET/Nokia [China] (www.tb.6test.edu.cn), Internet Initiative Japan (www.iij.ad.jp), Hurricane Electric [USA] (www.tunnelbroker.com), BTexact [UK] (www.tb.ipv6.btexact.com)
Tunnel Broker Operation (figure: client, tunnel broker, tunnel server, DNS, IPv4 Internet, IPv6 Internet)
1. AAA authorization of the client by the tunnel broker
2. Configuration request
3. TB chooses the tunnel server, the IPv6 address(es) and the tunnel lifetime
4. TB registers the tunnel address in DNS
5. Configuration info sent to the TS
6. Configuration info sent to the client: tunnel parameters, DNS name
7. Tunnel enabled between client and TS across the IPv4 Internet, giving the client access to the IPv6 Internet
ISATAP: Intra-Site Automatic Tunnel Addressing Protocol
- Connects IPv6 hosts and routers (nodes) within IPv4 sites
- Allows a dual-stack or IPv6 node that does not share a common data link with the other IPv6 nodes in the same site to communicate with them over the site's IPv4 infrastructure
- Incremental IPv6 node deployment within an IPv4 site
- ISATAP address form: 64-bit interface ID = special reserved identifier (0000:5efe) + the node's IPv4 address; format prefix::0:5efe:a.b.c.d
- Example: IPv4 address 140.173.129.3; global prefix 3ffe:1a05:510::/48 with subnet 2412 (link prefix 3ffe:1a05:510:2412::/64); ISATAP address 3ffe:1a05:510:2412:0000:5efe:140.173.129.3, i.e., 3ffe:1a05:510:2412:0:5efe:8cad:8103
ISATAP Operation (figure)
- An IPv4 site contains IPv4 hosts, ISATAP hosts and an ISATAP router that also attaches to the IPv6 network
- Inside the site, IPv6 traffic between ISATAP nodes is carried IPv6-in-IPv4: IPv4 header (SRC/DST = the IPv4 addresses embedded in the ISATAP addresses) | IPv6 header (SRC: ISATAP host, DST: ISATAP host or router) | payload. The ISATAP router decapsulates and forwards natively into the IPv6 network
Teredo: Tunneling IPv6 over UDP through NATs
- Proposed service that enables nodes located behind NATs to obtain IPv6 connectivity by tunneling packets over UDP
- Tunnels over UDP (port 3544) rather than IP protocol 41, since NATs pass UDP but generally do not pass protocol 41
- Basic components: Teredo client (dual-stack node behind the NAT); Teredo server (node with globally routable IPv4 Internet access that helps the client discover its external address and configure its Teredo address); Teredo relay (dual-stack router providing IPv6 connectivity between Teredo clients and the native IPv6 Internet)
- Teredo address format: Teredo prefix (32 bits) | Teredo server IPv4 address (32 bits) | flags (16 bits) | obscured external port (16 bits) | obscured external IPv4 address (32 bits). The port and address are the client's NAT mapping as seen by the server, obscured by XOR with all ones so that NATs do not rewrite them
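The three automatic-tunnel address forms on these slides (6to4 2002:V4ADDR::/48, ISATAP prefix::0:5efe:a.b.c.d, Teredo prefix | server | flags | obscured port | obscured address) built and decoded in one place, as an added example that is not code from the slides. The decoder is what a firewall or log-analysis script on an IPv4-only network needs in order to recognise which IPv6 sources arrive through protocol 41 or UDP 3544 and which IPv4 host is really behind them. Assumptions: the Teredo prefix is 2001::/32 as later assigned by RFC 4380 (the 2004 draft used an experimental prefix), obscuring is XOR with all ones as in that RFC, and the function names are made up for this example.

```python
"""Build and decode 6to4, ISATAP and Teredo addresses (added example)."""
from ipaddress import IPv4Address, IPv6Address, IPv6Network

SIX2FOUR = IPv6Network("2002::/16")
TEREDO = IPv6Network("2001::/32")          # RFC 4380 prefix, assumed here
ISATAP_IID_HI = {0x00005EFE, 0x02005EFE}   # 0:5efe, or 200:5efe with the u/l bit set
TEREDO_CONE = 0x8000                       # cone-NAT flag


def v4int(v4: str) -> int:
    return int(IPv4Address(v4))


def six2four_prefix(v4: str) -> IPv6Network:
    """2002 (16 bits) | V4ADDR (32 bits) -> the site's /48 prefix."""
    return IPv6Network(((0x2002 << 112) | (v4int(v4) << 80), 48))


def isatap_address(link_prefix: str, v4: str) -> IPv6Address:
    """Interface ID = 0000:5efe + IPv4 address, appended to a /64 link prefix."""
    net = IPv6Network(link_prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 link prefix")
    return IPv6Address(int(net.network_address) | (0x00005EFE << 32) | v4int(v4))


def teredo_address(server_v4: str, ext_v4: str, ext_port: int, cone: bool = True) -> IPv6Address:
    """prefix(32) | server(32) | flags(16) | port ^ 0xffff (16) | addr ^ 0xffffffff (32)."""
    flags = TEREDO_CONE if cone else 0
    n = (int(TEREDO.network_address)
         | (v4int(server_v4) << 64)
         | (flags << 48)
         | ((ext_port ^ 0xFFFF) << 32)
         | (v4int(ext_v4) ^ 0xFFFFFFFF))
    return IPv6Address(n)


def classify(addr: str) -> dict:
    """Tell a tunnel-derived address from a native one and recover the embedded IPv4 data."""
    a = IPv6Address(addr)
    n = int(a)
    if a in SIX2FOUR:
        return {"kind": "6to4", "v4": str(IPv4Address((n >> 80) & 0xFFFFFFFF))}
    if a in TEREDO:
        return {
            "kind": "teredo",
            "server": str(IPv4Address((n >> 64) & 0xFFFFFFFF)),
            "cone": bool((n >> 48) & TEREDO_CONE),
            "port": ((n >> 32) & 0xFFFF) ^ 0xFFFF,
            "client": str(IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
        }
    if ((n >> 32) & 0xFFFFFFFF) in ISATAP_IID_HI:
        link = (n >> 64) << 64
        return {"kind": "isatap", "prefix": str(IPv6Network((link, 64))),
                "v4": str(IPv4Address(n & 0xFFFFFFFF))}
    if a.ipv4_mapped:
        return {"kind": "v4-mapped", "v4": str(a.ipv4_mapped)}
    if 1 < n < (1 << 32):
        return {"kind": "v4-compatible (deprecated)", "v4": str(IPv4Address(n))}
    return {"kind": "native"}


if __name__ == "__main__":
    print(six2four_prefix("129.254.15.1"))                            # slide example
    print(isatap_address("3ffe:1a05:510:2412::/64", "140.173.129.3"))  # slide example
    t = teredo_address("65.54.227.120", "192.0.2.45", 40000)          # RFC 4380 worked example
    print(t, classify(str(t)))
```

Python's own ipaddress module exposes the same decoding for two of the three forms (IPv6Address.sixtofour and IPv6Address.teredo), which makes a handy cross-check; ISATAP has no such helper because its marker lives in the interface ID rather than in a routable prefix.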
Teredo Operation (1): initial configuration of a Teredo client (figure). The client 10.0.0.2:1234 sits behind a NAT whose mapping table maps 10.0.0.2:1234 to external 9.0.0.1:4096. The Teredo server observes that external mapping as the source of the client's UDP packets and reports it back; the client encodes it (obscured) into its Teredo address
Teredo Operation (2): initial communication from a Teredo client to a Teredo relay through a cone NAT (figure)
DSTM: an active deployment approach
- Provides a method for communication with IPv4-only nodes or applications
- Provides a method to assign temporary IPv4 addresses to IPv4/IPv6 nodes over a native IPv6 network
- Uses 4over6 dynamic tunnels within an IPv6 network to carry IPv4 traffic
- Figure: DSTM domain (IPv6) containing the DSTM server and DSTM clients; the DSTM TEP (tunnel end point) connects it to the IPv4 Internet or intranet, i.e., the IPv4 applications domain
DSTM Examples 6TALK DSTM Client (www.dstm.info)
Translation
Layer             | Approach            | Examples          | Properties
Network layer     | header conversion   | NAT-PT, SIIT, BIS | fast, but many dilemmas (fragments, ICMP)
Transport layer   | transport relay     | SOCKS, TRT        | slow; TCP/UDP services only
Application layer | application proxy   | Squid             | slow; no address mapping; one server per service, transaction services only
(Figure: HTTP/TCP/IP protocol stacks on each side of the translator at each layer)
NAT-PT [RFC 2766]
- Provides transparent routing to end-nodes in the IPv6 realm trying to communicate with end-nodes in the IPv4 realm, and vice versa
- Uses a combination of Network Address (+Port) Translation (NA(P)T) and Protocol Translation (SIIT): IPv4/IPv6 header translation; ICMPv4/ICMPv6 translation; TCP/UDP checksum update (IPv4 to IPv6 and IPv6 to IPv4, because the pseudo-header changes); FTP ALG, DNS ALG and additional ALGs must be supported
NAT-PT Operation (figure)
- IPv6 domain: host 2001:230::1. IPv4 domain: DNS server and web server www.6talk.net (A 202.30.143.11). NAT-PT sits between them with a DNS-ALG and a public IPv4 address pool (129.254.6.1, 129.254.6.2, ...)
- Name resolution: the IPv6 host asks "www.6talk.net AAAA?"; the DNS-ALG forwards it as "www.6talk.net A?"; the answer A 202.30.143.11 is rewritten into AAAA aaaa::202.30.143.11 (the IPv4 address embedded under the NAT-PT prefix)
- Data path: the IPv6 packet SRC 2001:230::1, DST aaaa::202.30.143.11 is translated to IPv4 SRC 129.254.6.1, DST 202.30.143.11; the address mapping table records 2001:230::1 <-> 129.254.6.1 (port column empty, i.e., plain NAT rather than NAPT)
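The NAT-PT behaviour in the figure above, as an added example that is not code from the slides: a DNS-ALG that rewrites an A answer into an AAAA answer under the NAT-PT prefix, and the IPv6 to IPv4 address mapping backed by the public pool. The prefix aaaa::/96, the pool 129.254.6.1-2, the host 2001:230::1 and the www.6talk.net record are the figures from the slide; the class, its methods and the DNS data structure are assumptions for illustration. It also shows the state-exhaustion problem behind the DoS remark later in the deck: every new IPv6 source consumes a pool address until none is left. (NAT-PT was later moved to Historic status by RFC 4966, largely because of the DNS-ALG and ALG complications listed on the previous slide; the same mapping idea survives in NAT64/DNS64.) Header and TCP/UDP checksum rewriting is not modelled here.

```python
"""NAT-PT DNS-ALG and address mapping simulation (added example)."""
from ipaddress import IPv4Address, IPv6Address, IPv6Network


class NatPt:
    def __init__(self, prefix="aaaa::/96", pool=("129.254.6.1", "129.254.6.2")):
        self.prefix = IPv6Network(prefix)            # PREFIX::/96, IPv4 address in the low 32 bits
        self.pool = [IPv4Address(p) for p in pool]   # public IPv4 address pool
        self.v6_to_v4 = {}                           # address mapping table
        self.v4_to_v6 = {}
        self.dns_v4 = {"www.6talk.net": "202.30.143.11"}  # constructed IPv4-side zone data

    def embed(self, v4) -> IPv6Address:
        """PREFIX::a.b.c.d, the name the IPv6 side uses for an IPv4 host."""
        return IPv6Address(int(self.prefix.network_address) | int(IPv4Address(v4)))

    def extract(self, v6):
        """Inverse of embed; None if the address is not under the NAT-PT prefix."""
        a = IPv6Address(v6)
        return IPv4Address(int(a) & 0xFFFFFFFF) if a in self.prefix else None

    def resolve(self, name: str, qtype: str):
        """DNS-ALG: an AAAA query from the IPv6 side is forwarded as an A query to the
        IPv4 DNS server and the answer is rewritten as AAAA PREFIX::A."""
        v4 = self.dns_v4.get(name)
        if v4 is None:
            return None
        if qtype == "A":
            return v4
        if qtype == "AAAA":
            return str(self.embed(v4))
        raise ValueError("unsupported query type")

    def outbound(self, src6: str, dst6: str):
        """IPv6 -> IPv4 direction; returns the translated (src4, dst4)."""
        dst4 = self.extract(dst6)
        if dst4 is None:
            raise ValueError("destination not under the NAT-PT prefix: route it natively")
        src = IPv6Address(src6)
        src4 = self.v6_to_v4.get(src)
        if src4 is None:
            free = [p for p in self.pool if p not in self.v4_to_v6]
            if not free:
                # An attacker sending from many IPv6 sources drains the pool and
                # blocks every other IPv6 host from reaching the IPv4 side.
                raise RuntimeError("public IPv4 pool exhausted")
            src4 = free[0]
            self.v6_to_v4[src] = src4
            self.v4_to_v6[src4] = src
        return str(src4), str(dst4)

    def inbound(self, src4: str, dst4: str):
        """IPv4 -> IPv6 direction: only pool addresses with an existing mapping are
        translated back (plain NAT, no ports, as in the slide's table); the rest is dropped."""
        dst6 = self.v4_to_v6.get(IPv4Address(dst4))
        if dst6 is None:
            return None
        return str(self.embed(src4)), str(dst6)


if __name__ == "__main__":
    npt = NatPt()
    print(npt.resolve("www.6talk.net", "AAAA"))
    print(npt.outbound("2001:230::1", npt.resolve("www.6talk.net", "AAAA")))
    print(npt.inbound("202.30.143.11", "129.254.6.1"))
```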
BIA (Bump-in-the-API) [RFC 3338]
- Allows dual-stack hosts to communicate with IPv6 hosts using existing IPv4 applications
- Name resolver: intercepts the application's DNS calls (IPv4 API) and performs IPv6 name resolution instead
- Address mapper: maintains mappings between IPv6 addresses and IPv4 addresses taken from an internal pool of unassigned IPv4 addresses
- Function mapper: translates IPv4 socket API calls into IPv6 socket API calls and vice versa
- Figure: on the BIA host, existing IPv4 applications / socket layer / BIA API translator (name resolver, address mapper, function mapper) / TCP(UDP) over IPv6 / Ethernet MAC / physical layer, talking over an IPv6 network to a native IPv6 host
BIA vs. BIS (Bump-in-the-Stack) (figure)
- BIA: the translator (extension name resolver, address mapper, API translator) sits between the socket layer and TCP(UDP)/IPv6, so only API calls are translated
- BIS: the IPv4 applications and the IPv4 TCP(UDP)/IP stack are unchanged; the translator (extension name resolver, address mapper, header translator) sits between IPv4 and the Ethernet MAC and rewrites IPv4 headers into IPv6 headers and back
Architecting the Transition (1)
- Mechanisms: the building blocks used to provide IPv6 connectivity or to interoperate between IPv4 and IPv6
  1. Providing IPv6 connectivity: native; tunneled over IPvX to a close tunnel end-point; tunneled over IPvX over longer distances
  2. Protocol translation
  3. Application-specific protocol interoperability (i.e., ALG or proxy)
- Deployment models for nodes: the ways IP nodes might be deployed, including the different combinations of IPv4/6 capabilities and connectivity
  1. IPv4-only
  2. Dual-stack with only IPv4 connectivity
  3. Dual-stack with IPv4/6 connectivity
  4. Dual-stack with only IPv6 connectivity
  5. IPv6-only
Architecting the Transition (2)
- Deployment models for services: the ways IP services ("applications") could be provisioned
  1. IPv4-only
  2. Separate IPv4 and IPv6 (e.g., www.example.com / www.ipv6.example.com)
  3. Both IPv4/6
  4. IPv6-only
- Mechanisms (1 = IPv6 connectivity, 2 = translation, 3 = ALG/proxy) needed for each node model to reach each service model ("-" = none needed):
Node \ Service    | IPv4-only | Separate | IPv4/6 | IPv6-only
IPv4-only         | -         | -        | -      | 2,3
DS w/ IPv4 only   | -         | -        | -      | 1,2,3
DS w/ both        | -         | -        | -      | -
DS w/ IPv6 only   | 1,2,3     | -        | -      | -
IPv6-only         | 2,3       | -        | -      | -
Transition Mechanism Deployment Considerations
- If I have an existing IPv4-only service (e.g., a web site), or if I deploy an IPv4-only service, whose burden is it to enable its use by all the clients I wish to make it accessible to?
- If I deploy an IPv6-only service (e.g., a peer-to-peer application, or a special web site), whose burden is it to enable its use by all the clients I wish to make it accessible to?
- If I deploy IPv6-only nodes, or dual-stack nodes with only IPv6 connectivity, whose burden is it to enable them to access all the services they want?
- How much easier would it be to go for a dual-stack approach instead?
IPv4/v6 Coexistence Network Models (figure: nine models, numbered 1-9)
- Native IPv6: IPv6 applications communicating over an IPv6 network
- IPv4 over an IPv6 network: IPv4/dual/IPv6 applications using IPv4-in-IPv6 tunneling (DSTM)
- Native IPv4: IPv4 applications communicating over an IPv4 network
- IPv6 over an IPv4 network: IPv4/dual/IPv6 applications using IPv6-in-IPv4 tunneling (configured tunnels, 6to4, ISATAP, tunnel broker)
- IPv6 over an IPv4 network with NAT: IPv6-in-UDP/IPv4 tunneling (Teredo)
- Translation between IPv4 and IPv6 applications: NAT-PT, SIIT, TRT, SOCKS64
Transition Scenarios (v6ops WG)
- Problem: too many mechanisms
- Goals: 1. provide network managers with at least one viable framework and complete tool set for deploying IPv6; 2. expose any mismatch between the requirements of a target environment and the ngtrans tool set
- Environments:
  - Cellular networks (3GPP): scenarios [RFC 3574], analysis [Last Call]
  - Unmanaged network (SOHO LAN): scenarios [RFC 3750], analysis [Last Call]
  - ISP service model (dial-up, HFC, DSL, FTTH, 3G): scenarios [Last Call] (ETRI co-author)
  - Managed network (enterprise LAN & VPN): scenarios [Last Call]
  - Application transition scenarios [Last Call] (ETRI editor)
  - Security considerations: Security Considerations for 6to4 [Last Call]
Consideration for Additional Problems
- Problems (NAT-PT, ISATAP, 6to4, configured tunnels, DSTM, etc.): translation and tunneling increase network complexity, and they increase security risks such as DoS attacks, because tunnel end-points and translators accept packets from the whole IPv4 Internet and keep per-flow or per-address state
- Security considerations exist for 6to4; additional considerations will be needed for the other mechanisms and for their combined use
- Solution direction: interworking [section 6.2, draft-ietf-v6ops-unmaneval-03.txt]; e.g., Issues with Dual Stack IPv6 on by Default <draft-ietf-v6ops-v6onbydefault-02.txt>