Post on 22-Jun-2020
Tunnels
Jean-Yves Le Boudec, 2014
Menu
Today: lecture on Tunnels, 6to4; Link State Routing
Tomorrow 11:15 - 12:15: last clicker test; How TOR works (presentation of best research exercise award). No lab.
Lab 3 and lab 4 grades available by end of this week
Feedback from Evaluation
Things that we will try to improve for next year:
- Labs (lab 2) too long
- Some have stability problems with GNS3 (lab 5); too much configuration work
- Schedule conflicts with security course
Videos of lectures are useful
Clicker tests: give a joker question per test!
Work: ++ (EE students); + (CS); OK (ComSys)
Contents
1. VPNs
2. 6 to 6 over 4
3. 4 to 4 over 6
4. Transition to IPv6
1. Tunnels
Definition: a tunnel, also called encapsulation, occurs whenever a communication layer carries packets of a layer that is not the one above.
e.g.: IP packet in UDP; IP in TCP; PPP (layer 2) packet in UDP; IPv4 in IPv6; IPv6 in IPv4
Why used? In theory: never. In practice: security / private networks / IPv6-IPv4 interworking.
Homer's Network
Homer deploys 10.x addresses in two sites and wants to interconnect them as one (closed) private network.
How can Homer use Simpscom's network for that?
(Figure: site 10.1/16 behind router A, whose address on Simpscom's side is 1.1.1.1; site 10.2/16 behind router B, address 2.2.2.2; Simpscom's network in between.)
Your solution …
1. Run RIP in A and B
2. Rent a leased line from Simpscom
3. Configure a tunnel between A and B
4. Use modems between A and B
5. It is impossible because 10/8 is for private networks only
6. I don't know
(clicker vote distribution chart)
Homer uses an IP over IP Tunnel
Homer configures a virtual interface in A (eth ); he associates this interface with an IP in IP tunnel, with endpoint 2.2.2.2. Similar stuff in B. Homer now has a network with 2 routers and one virtual physical link; Homer configures routing tables at A and B (or runs RIP). Packets from S to X are carried inside IP packets across Simpscom.
(Figure: host X at 10.1.1.1 behind A, host S at 10.2.2.2 behind B; observation point O inside Simpscom's network.)
S sends a UDP packet to X. What are the IP destination address and protocol at O?
1. IP dest addr = 1.1.1.1, protocol = 17 (UDP)
2. IP dest addr = 10.1.1.1, protocol = 17 (UDP)
3. None of the above
4. I don't know
(clicker vote distribution chart)
Solution
S sends a UDP packet to X. What are the IP destination address and protocol at O?
1. The IP destination address of the outer packet is the tunnel endpoint 1.1.1.1 (the inner packet, with destination 10.1.1.1, is the payload).
2. The protocol is not UDP (17) but 4 ("IPv4 encapsulation", i.e. IP in IP).
Homer's IP in IP solution is often replaced by IP in UDP
Some company firewalls kill IP in IP packets (protocol 4). Therefore the tunnel is put inside UDP. This requires a layer 2 header as well (to identify the protocol type of the inner packet), called L2TP/PPP (L2TP uses UDP port 1701).
Outer packet, as seen at O:
  IPv4 hdr: to 1.1.1.1, prot = UDP
  UDP hdr
  L2TP/PPP hdr: prot = IPv4
  Inner packet:
    IPv4 hdr: to 10.1.1.1, prot = UDP
    UDP hdr
    data
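Added example (not from the lecture): Homer's IP in IP tunnel built from raw bytes with the standard library, so that the two clicker answers can be read off the packet. Router B encapsulates the packet from S (10.2.2.2) to X (10.1.1.1) in an outer IPv4 header with protocol 4; an observer at O sees destination 1.1.1.1 and protocol 4; router A decapsulates only if the outer source is its configured peer, otherwise anyone on the Internet could inject packets into Homer's private network. The addresses are the lecture's; the UDP ports and payload are made up, and the firewall rule imitates the company firewall of the next slide.

```python
"""Added example: IPv4-in-IPv4 (protocol 4) encapsulation with struct/ipaddress."""
import struct
import ipaddress

IPPROTO_IPIP = 4    # "IPv4 encapsulation": the payload is another IPv4 packet
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit words of the header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(packet: bytes) -> dict:
    """Return the fields an observer cares about, plus the payload."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:       # a correct header sums to 0xFFFF, i.e. ~sum == 0
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def udp_datagram(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header; checksum 0 is allowed over IPv4. Ports are made up."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_inner(s: str = "10.2.2.2", x: str = "10.1.1.1") -> bytes:
    """The packet S sends to X, before it reaches router B."""
    udp = udp_datagram(40000, 5000, b"hello X")
    return ipv4_header(s, x, IPPROTO_UDP, len(udp)) + udp


def encapsulate(inner: bytes, tunnel_src: str = "2.2.2.2", tunnel_dst: str = "1.1.1.1") -> bytes:
    """Router B: wrap the whole inner packet in an outer IPv4 header, protocol 4."""
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner)) + inner


def decapsulate(outer: bytes, expected_peer: str = "2.2.2.2") -> dict:
    """Router A: accept only protocol-4 packets from the configured tunnel peer."""
    o = parse_ipv4(outer)
    if o["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    if o["src"] != expected_peer:
        raise ValueError("outer source %s is not the configured tunnel peer" % o["src"])
    return parse_ipv4(o["payload"])


def seen_at_O(outer: bytes) -> tuple:
    """The clicker question: destination address and protocol of the outer header at O."""
    o = parse_ipv4(outer)
    return o["dst"], o["proto"]


def firewall_allows(packet: bytes, blocked_protocols=(IPPROTO_IPIP,)) -> bool:
    """A company firewall that kills IP in IP but lets UDP through."""
    return parse_ipv4(packet)["proto"] not in blocked_protocols


if __name__ == "__main__":
    outer = encapsulate(build_inner())
    print("at O:", seen_at_O(outer))                       # ('1.1.1.1', 4)
    inner = decapsulate(outer)
    print("inner dst/proto:", inner["dst"], inner["proto"])  # 10.1.1.1 17
    print("firewall passes tunnel packet:", firewall_allows(outer))  # False
```

The peer check in decapsulate is the minimum a plain IP in IP endpoint can do; since the outer source address is trivially spoofable, it keeps out only accidental traffic, which is one reason the VPN slides below replace it with IPsec.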
Bart does the same as Homer but wants a secure channel. He uses IPsec.
"IPsec/ESP tunnel mode" encrypts (and integrity-protects) the inner IP packet.
This form of tunneling is called "L2TP/IPsec VPN" (Virtual Private Network). Variants (OpenVPN): IP in TLS over TCP; IP in TLS over UDP.
Outer packet, as drawn on the slide:
  IPv4 hdr: to 1.1.1.1, prot = UDP
  UDP hdr
  L2TP/PPP hdr: prot = 50 (ESP)
  ESP hdr
  Inner packet, encrypted (xxxxxxxxxx)
  ESP trailer: Next Header = 04 (IPv4), followed by the ESP integrity check value
Note: in the standard layering of L2TP/IPsec (RFC 3193) ESP is used in transport mode and sits directly after the outer IP header, protecting the whole UDP/L2TP/PPP payload; the slide nests ESP inside L2TP instead. In either layout only the inner packet is hidden: the outer IP and UDP headers stay visible to Simpscom.
How does a packet from B to A find its way?
1. VPN router does proxy-ARP
2. R has a host route to A
3. Nothing special, the IGP takes care of it
4. I don't know
(Figure: host A is on a wireless LAN, address 192.168.1.33, and connects through EPFL's VPN router (IPsec server); it appears on 128.178.83/24. Host B is on 128.178.151/24; R is an EPFL router.)
ipconfig at A:
Ethernet adapter Wireless Network Connection:
  Connection-specific DNS Suffix . :
  IP Address. . . . . . . . . . . . : 192.168.1.33
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . : 192.168.1.1
Ethernet adapter Local Area Connection 2:
  Connection-specific DNS Suffix . : epfl.ch
  IP Address. . . . . . . . . . . . : 128.178.83.22
  Subnet Mask . . . . . . . . . . . : 255.255.255.255
  Default Gateway . . . . . . . . . : 0.0.0.0
(clicker vote distribution chart)
Solution
A has two interfaces: one physical, with address 192.168.1.33, and one virtual (tunnel) interface with an address in 128.178.83/24 (128.178.83.22 in the ipconfig output above). A appears to be on 128.178.83/24. The VPN router does proxy ARP on behalf of A. R does not need a host route (but the VPN router may need one: A's tunnel interface has a /32 mask and is not on a shared link).
2. 6 to 6 over 4
Reminder: interoperation scenarios v4-v6
IPv4 and IPv6 are incompatible:
- a v4-only host cannot handle IPv6 packets
- a v6-only host cannot handle IPv4 packets
What needs to be solved:
- interworking: h6 to h4
- like-to-like access: 6 to 6 over 4; 4 to 4 over 6
In this module we study like-to-like access.
Like-to-like access scenarios
6 to 6 over 4 (the "early adopter" problem): e.g. Homer wants to use IPv6; the ISP provides only IPv4 access.
4 to 4 over 6 (the "legacy" problem): e.g. Bart continues to use IPv4; the ISP provides only IPv6 access.
(Figures: 6 to 6 over 4: IPv6 island with host A, IPv4/IPv6 router, IPv4 Internet, IPv4/IPv6 router, IPv6 Internet with host B. 4 to 4 over 6: IPv4 island with host A, IPv4/IPv6 router, IPv6 Internet, IPv4/IPv6 router, IPv4 Internet with host B.)
Tunnels for 6 to 6 over 4
All like-to-like solutions use IP in IP tunnels:
- protocol / next header = 04 means the payload is an IPv4 packet
- protocol / next header = 41 means the payload is an IPv6 packet
(Figure: the IPv6 packet from A, header da = 2001:bebe:1 plus payload, crosses the IPv6 island unchanged; across the IPv4 Internet it is carried inside an IPv4 header with da = 1.2.3.4, protocol = 41, where 1.2.3.4 is the IPv4 address of the far IPv4/IPv6 router; after decapsulation the same IPv6 header, da = 2001:bebe:1, and payload continue to B.)
What needs to be put in place for a good 6 to 6 over 4 solution
We need relay routers (e.g. A and B): these are routers that
- are dual stack (IPv4 and IPv6)
- can terminate IPv6 in IPv4 tunnels: encapsulate / decapsulate
- know how to forward packets on their IPv4 and IPv6 sides
We also need to solve the IPv6 address allocation problem: Homer does not receive an IPv6 address from his provider, since Homer's IPv6 island is connected to an IPv4-only provider.
We need automatic tunnels, e.g. A does not need to keep state information to determine that a packet should be sent to B.
6rd/6to4 is a solution to the "6 to 6 over 4" problem
Several solutions are proposed and implemented:
- 6rd/6to4: we will see 6to4 in detail; this is the solution that works in the IEW; 6rd is similar to 6to4
- Teredo: a variant for when the IPv6 host is behind an IPv4 NAT
- ISATAP: a variant for enterprise networks
Warning: 6to4 is a misnomer; 6to4 is a solution for "6 to 6 over 4", not for "h6 to h4 interworking".
6to4 Uses Special IPv6 Addresses called 6to4 addresses
To any valid IPv4 address n we associate the IPv6 prefix 2002:n/48; example: the 6to4 address prefix that corresponds to 128.178.156.38 is 2002:80b2:9c26/48.
2002::/16 is the prefix reserved for 6to4 addresses. An IPv6 address that starts with 2002: is called a 6to4 address. The bits 17 to 48 of a 6to4 address are the corresponding IPv4 address.
A 6to4 host or router is one that is dual stack and uses a 6to4 address as its IPv6 address, as we do in the IEW.
In addition, the IPv4 address 192.88.99.1 is reserved for use in the context of 6to4 addresses and means "the IPv6 internet seen from the IPv4 internet".
(Note: the anycast prefix 192.88.99.0/24 and the anycast relay mechanism were deprecated by RFC 7526 in 2015, after this lecture; 6to4 is described here as it operated at the time.)
6to4 Addresses Solve Homer's IPv6 Address Allocation problem
Homer enables 6to4 on his router A. Homer's router A uses a 6to4 address prefix derived from the IPv4 address given to him by his IPv4 provider, and uses this prefix for the IPv6 local network. Homer's PC H1 obtains from A (e.g. using SLAAC) an IPv6 address with this prefix. This is the setting we use in the IEW.
Bart has an isolated host H2 (e.g. a smartphone) and enables 6to4 on his host. Bart's host uses one IPv6 address derived from his current IPv4 address.
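Added example (not from the lecture): the 6to4 address arithmetic of the last two slides with Python's standard ipaddress module. It derives a site's /48 from its IPv4 address, recovers the IPv4 address embedded in bits 17 to 48, builds Homer's per-subnet addresses and Bart's single-host address (the 2002:v4::v4 form that the Windows ipconfig output later in the lecture shows), and computes the 6to4 address of the anycast relay 192.88.99.1. The IPv4 addresses are the lecture's; the subnet number and interface identifier in the example call are made up.

```python
"""Added example: 6to4 address derivation (RFC 3056 / RFC 3068)."""
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")
RELAY_ANYCAST_V4 = ipaddress.IPv4Address("192.88.99.1")


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """2002:<32 bits of ipv4>::/48, the /48 a site gets for free from its IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def embedded_ipv4(addr: str) -> ipaddress.IPv4Address:
    """Bits 17..48 of a 6to4 address are the IPv4 address of its tunnel endpoint."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in SIXTO4:
        raise ValueError("%s is not a 6to4 address" % addr)
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def site_address(ipv4: str, subnet: int, iid: int) -> ipaddress.IPv6Address:
    """Homer's case: router A announces 2002:v4:subnet::/64 and host H1 appends
    its 64-bit interface identifier (e.g. obtained with SLAAC)."""
    return ipaddress.IPv6Address(int(sixto4_prefix(ipv4).network_address) | (subnet << 64) | iid)


def host_address(ipv4: str) -> ipaddress.IPv6Address:
    """Bart's isolated host: subnet 0, and the IPv4 address repeated as the low
    32 bits of the interface identifier (2002:v4::v4), as Windows does."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(sixto4_prefix(ipv4).network_address) | v4)


def relay_default_gateway() -> ipaddress.IPv6Address:
    """The default IPv6 route of a 6to4 node: the 6to4 address of the anycast relay."""
    return host_address(str(RELAY_ANYCAST_V4))


if __name__ == "__main__":
    print(sixto4_prefix("128.178.156.38"))                 # 2002:80b2:9c26::/48
    print(embedded_ipv4("2002:80b2:97ca::80b2:97ca"))      # 128.178.151.202
    print(site_address("1.2.3.4", 1, 1))                   # 2002:102:304:1::1 (made-up subnet/iid)
    print(relay_default_gateway())                         # 2002:c058:6301::c058:6301
```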
(Figure, used by the following slides: an IPv6 local network behind 6to4 router A, whose IPv4 address is 1.2.3.4; IPv6 host H1 in the local network with address 2002:0102:0304:0::abcd:EUIH1, A's local-side IPv6 address 2002:0102:0304:0::00ab:EUIS12; 6to4 host H2 with IPv4 address 9.8.7.6 and IPv6 address 2002:0908:0706::EUIH2; 6to4 relay router B, holding 192.88.99.1, between the IPv4 Internet and the IPv6 Internet; IPv6 host H3 at 2001:bebe::1 in the IPv6 Internet. Observation points 1 to 5 and interface labels 1, 11, 12 are marked along the paths.)
6to4 Relay Routers
A 6to4 relay router is a dual stack router that has a 6to4 address, can terminate tunnels, and connects the IPv4 and IPv6 internets.
All v4 interfaces of all 6to4 relay routers have an IPv4 address plus the special address 192.88.99.1.
B announces 192.88.99/24 as a directly attached prefix in IPv4 routing.
B announces 2002/16 as a directly attached prefix in IPv6 routing.
Homer at H1 sends a packet to Lisa at H3
Destination 2001:bebe::1 is not on-link, so H1 sends to A: the default IPv6 route inside the local IPv6 network is the local IPv6 address of A (point 12).
A's default IPv6 route is 2002:c058:6301::0, which is the 6to4 address corresponding to 192.88.99.1. A encapsulates the IPv6 packet in an IPv4 packet with destination address 192.88.99.1.
The nearest 6to4 relay router receives the packet (assume it is B). B decapsulates the packet and sends an IPv6 packet; normal IPv6 forwarding occurs and the original IPv6 packet reaches H3.
Which is the IPv6 source address at 3 in the encapsulated packet going from H1 to H3?
1. 1.2.3.4
2. 2002:0102:0304:00ab:EUIS12
3. 2002:0102:0304:abcd:EUIH1
4. None of the above
5. I don't know
(clicker vote distribution chart)
(The inner IPv6 packet is carried unchanged inside the IPv4 packet, so its source address is still H1's own 6to4 address: answer 3. 1.2.3.4 is the source of the outer IPv4 header only.)
Lisa at H3 sends a packet to Homer at H1. How is this packet routed in the IPv6 internet?
1. H3 keeps in its routing table the information that Homer's destination address is reached via B and sends the IPv6 packet to B
2. Routers in the IPv6 internet send all packets to 2002/16 to the nearest 6to4 relay router
3. Routers in the IPv6 internet know that the IPv4 destination address is 1.2.3.4 and compute the best path to A
4. I don't know
(clicker vote distribution chart)
Solution
All 6to4 relay routers announce 2002/16 in IPv6 routing protocols. Inside the IPv6 internet, the packet will be sent to the nearest 6to4 relay router. This may or may not be B.
Similarly, all 6to4 relay routers announce 192.88.99/24 in IPv4 routing protocols. In the direction H1 → H3, inside the IPv4 Internet, the encapsulated packet is sent to the nearest 6to4 relay router.
192.88.99.1 is sometimes called an "anycast" address: it can be held by several interfaces but packets are sent to only one of these.
What is Bart's IPv6 default gateway at H2?
1. An address configured by DHCP
2. An address configured by SLAAC
3. A 6to4 address derived from 192.88.99.1
4. I don't know
(clicker vote distribution chart)
Solution
A typical (Windows) IPv6 configuration for H2 when using 6to4:
  Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301
c058:6301 is the hexa for 192.88.99.1, so this is a 6to4 address derived from 192.88.99.1 (answer 3).
Which way does a packet go from Bart's host to Homer's?
1. Via B and back
2. Directly over IPv4 to A, then H1
3. H1 cannot be reached from H2
4. I don't know
(clicker vote distribution chart)
IPv6 forwarding table at H2:
  dest      next-hop                     interface
  2002/16   onlink                       eth12
  0/0       2002:c058:6301::c058:6301    eth12
Solution
H2 is a 6to4 host; its forwarding table treats all 6to4 destinations as on-link (from an IPv6 viewpoint). H2 sends the IPv6 packet directly to its tunnel interface eth12. The IPv6 packet is encapsulated in IPv4 with destination address = 1.2.3.4 (derived from the destination IPv6 address). The IPv4 packet reaches A by normal IPv4 routing.
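Added example (not from the lecture): the two forwarding decisions of the last slides, H2's "2002::/16 is on-link, everything else goes to the relay" rule, and the checks a 6to4 router or relay should make before it trusts a decapsulated packet. The checks follow the recommendations of RFC 3964 (Security Considerations for 6to4): the IPv4 address embedded in a 6to4 inner source must equal the outer IPv4 source, tunnels from private or otherwise unroutable IPv4 sources are dropped, a 6to4 router only accepts packets for its own /48, and a relay does not decapsulate a packet whose inner destination is itself 6to4 (such a packet did not need a relay and is typical of reflection or routing-loop attempts). Addresses are the lecture's with the EUI interface identifiers simplified to ::1; packets are modelled as address tuples, there is no real encapsulation here.

```python
"""Added example: 6to4 next-hop selection and RFC 3964-style decapsulation checks."""
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")
RELAY_V4 = ipaddress.IPv4Address("192.88.99.1")
# IPv4 blocks that must never be the outer source of a 6to4 tunnel packet
MARTIANS = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def embedded_v4(v6: ipaddress.IPv6Address) -> ipaddress.IPv4Address:
    """Bits 17..48 of a 6to4 address."""
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def v4_next_hop(dst_v6: str) -> ipaddress.IPv4Address:
    """Outer IPv4 destination a 6to4 node uses for an IPv6 packet to dst_v6.
    H2 -> H1: dst is 6to4, so tunnel straight to the embedded 1.2.3.4 (point 1 of the table).
    H1 -> H3: dst is native IPv6, so tunnel to the nearest relay, 192.88.99.1 (default route)."""
    dst = ipaddress.IPv6Address(dst_v6)
    return embedded_v4(dst) if dst in SIXTO4 else RELAY_V4


def accept_decapsulated(outer_src: str, inner_src: str, inner_dst: str,
                        my_v4: str, i_am_relay: bool) -> bool:
    """Decide whether the inner IPv6 packet may enter the IPv6 forwarding path."""
    o_src = ipaddress.IPv4Address(outer_src)
    src = ipaddress.IPv6Address(inner_src)
    dst = ipaddress.IPv6Address(inner_dst)
    if any(o_src in net for net in MARTIANS):
        return False                    # tunnel from a private/loopback/multicast IPv4 source
    if src in SIXTO4 and embedded_v4(src) != o_src:
        return False                    # inner 6to4 source does not match who really sent it
    if i_am_relay:
        # a relay only decapsulates what a 6to4 site sends towards the native IPv6 Internet
        return src in SIXTO4 and dst not in SIXTO4
    # a 6to4 router only decapsulates packets addressed into its own /48
    return dst in SIXTO4 and embedded_v4(dst) == ipaddress.IPv4Address(my_v4)


if __name__ == "__main__":
    print(v4_next_hop("2002:908:706::1"))   # 9.8.7.6   (H2, reached directly)
    print(v4_next_hop("2001:bebe::1"))      # 192.88.99.1 (H3, via the nearest relay)
    # H1 -> H3 arriving at relay B: genuine, accepted
    print(accept_decapsulated("1.2.3.4", "2002:102:304::1", "2001:bebe::1", "192.88.99.1", True))
    # same inner packet but sent from 5.5.5.5: spoofed, rejected
    print(accept_decapsulated("5.5.5.5", "2002:102:304::1", "2001:bebe::1", "192.88.99.1", True))
```

The example generalizes the slide's two paths: it also covers what happens at A when a packet comes back from a relay, and at either node when the outer source does not match the inner 6to4 address, which is the case a lecture walk-through never shows.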
My Windows PC at EPFL
Ethernet adapter Local Area Connection:
  Connection-specific DNS Suffix . : epfl.ch
  IPv4 Address. . . . . . . . . . . : 128.178.151.202
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . : 128.178.151.1
Tunnel adapter Local Area Connection* 15:
  Connection-specific DNS Suffix . : epfl.ch
  IPv6 Address. . . . . . . . . . . : 2002:80b2:97ca::80b2:97ca
  Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301
The nearest 6to4 relay from EPFL
C:\> tracert 192.88.99.1
Tracing route to 192.88.99.1 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms cv-ic-dit-v151.epfl.ch [128.178.151.251]
2 <1 ms <1 ms <1 ms c6-gigado-1-v100.epfl.ch [128.178.100.18]
3 <1 ms <1 ms <1 ms c6-ext-v200.epfl.ch [128.178.200.1]
4 1 ms <1 ms <1 ms swiel2.epfl.ch [192.33.209.33]
5 <1 ms <1 ms <1 ms swils2-10ge-1-2.switch.ch [130.59.36.69]
6 2 ms 2 ms 2 ms swiBE1-10GE-1-1.switch.ch [130.59.37.130]
7 2 ms 2 ms 2 ms swibe2-10ge-1-4.switch.ch [130.59.36.198]
8 2 ms 2 ms 2 ms 192.88.99.1
The nearest 6to4 relay from my home
C:\> tracert 192.88.99.1
Tracing route to 192.88.99.1 over a maximum of 30 hops
1 1 ms 2 ms 2 ms 192.168.1.1
2 136 ms 136 ms 136 ms lau01a05.sunrise.ch [212.161.178.79]
3 128 ms 135 ms 136 ms 194.230.94.17
4 * * * Request timed out.
5 71 ms 186 ms 333 ms 212.161.251.178
6 156 ms 164 ms 164 ms 212.161.251.182
7 228 ms 203 ms 169 ms zr-fra1-te0-0-0-3.x-win.dfn.de [80.81.192.222]
8 158 ms 163 ms 162 ms zr-erl1-te0-0-0-4.x-win.dfn.de [188.1.145.197]
9 159 ms 162 ms 162 ms 192.88.99.1
Trace complete.
6rd
The prefixes 192.88.99/24 and 2002/16 are provider-independent: Homer connects to the nearest 6to4 relay router, whoever operates it. Some ISPs don't like that and want more control: they want their relay routers to be used by their customers only, and they want their customers to use only their relay routers.
6rd is a modification and replacement of 6to4 where
- 6rd addresses are not in 2002/16 but in a block allocated to the ISP
- the relay routers' IPv4 addresses are specified by the ISP
6rd is deployed by Free (FR); 6to4 is deployed by Switch (CH), which is the setting of the IEW.
Teredo
6to4/6rd require a valid (public) IPv4 address and do not work behind a NAT unless the NAT is modified; OK for ISPs who control the NAT (e.g. Swisscom).
Teredo is a variant of 6to4 invented (by Microsoft) to solve the NAT case without altering the NAT. It uses:
- the address block 2001:0::/32
- tunnels (IPv6 in UDP in IPv4); UDP is used to be compatible with existing NAT and firewall filtering rules (Teredo servers listen on UDP port 3544)
- relay routers (called "Teredo relays")
- Teredo servers, for solving the NAT mapping problem
Because 6to4 and Teredo tunnels are set up automatically by the host, they also carry IPv6 traffic past an IPv4-only firewall policy: a network that does not intend to provide IPv6 this way should block protocol 41 and UDP port 3544 at its border, otherwise the inner IPv6 traffic is never inspected.
My Windows PC at home has access to IPv6 over IPv4 by means of Teredo
Tunnel adapter Local Area Connection* 11:
  Connection-specific DNS Suffix . :
  IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fd:2c63:b421:ab1c:1f40
  Link-local IPv6 Address . . . . . : fe80::2c63:b421:ab1c:1f40%12
  Default Gateway . . . . . . . . . : ::
C:\Users\leboudec>tracert 2001:620:618:19c:1:80b2:9c18:1
Tracing route to lca1srv2.epfl.ch [2001:620:618:19c:1:80b2:9c18:1] over a maximum of 30 hops:
  1     *        *      135 ms  teredo-relay2.lrz.de [2001:4ca0:0:103:0:3544:1:2]
  2   134 ms   136 ms   137 ms  vl-6.vss1-2wr.lrz.de [2001:4ca0:0:103::1:1]
  3   149 ms   136 ms   136 ms  vl-3066.csr1-2wr.lrz.de [2001:4ca0:0:66::1]
  4   155 ms   139 ms   137 ms  xr-gar1-pc110-108.x-win.dfn.de [2001:638:c:a003::1]
  5   143 ms   163 ms   164 ms  zr-fra1-te0-6-0-7.x-win.dfn.de [2001:638:c:c070::1]
  6   147 ms   163 ms   163 ms  dfn.rt1.fra.de.geant2.net [2001:798:14:10aa::1]
  7   159 ms   162 ms   163 ms  so-5-0-0.rt1.gen.ch.geant2.net [2001:798:cc:1401:2201::a]
  8   213 ms   203 ms   152 ms  switch-lb2-gw.rt1.gen.ch.geant2.net [2001:798:12:10aa::a]
  9   152 ms   163 ms   163 ms  swiEL2-10GE-1-3.switch.ch [2001:620:0:c06a::2]
 10     *        *        *     Request timed out.
 11   152 ms   164 ms   165 ms  cv-gigado-v200.epfl.ch [2001:620:618:1c8:1:80b2:c803:1]
 12   165 ms   164 ms   163 ms  cv-ic-dit-v100-ro.epfl.ch [2001:620:618:164:1:80b2:640c:1]
 13   151 ms   163 ms   164 ms  lca1srv2.epfl.ch [2001:620:618:19c:1:80b2:9c18:1]
Trace complete.
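Added example (not from the lecture): how the Teredo address in the ipconfig output above is put together, following RFC 4380 section 4. After the 2001:0::/32 prefix come the IPv4 address of the Teredo server, 16 flag bits, and then the client's NAT-mapped UDP port and public IPv4 address, both stored bit-inverted (XOR with all ones) so that a NAT rewriting payloads does not recognise its own mapping inside the address. Decoding the address from the slide gives the server and the mapped endpoint the relay uses as its IPv4/UDP destination; the second address in the example is constructed from documentation addresses to show the round trip.

```python
"""Added example: Teredo address encoding and decoding (RFC 4380)."""
import ipaddress

TEREDO = ipaddress.IPv6Network("2001::/32")
TEREDO_UDP_PORT = 3544   # the UDP port Teredo servers listen on; the tunnel is IPv6 in UDP in IPv4


def decode_teredo(addr: str) -> dict:
    """2001:0:<server v4>:<flags>:<~port>:<~client v4> -> its fields."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in TEREDO:
        raise ValueError("%s is not a Teredo address" % addr)
    raw = int(v6)
    server = ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)
    flags = (raw >> 48) & 0xFFFF
    port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF                      # un-invert the mapped port
    client = ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)  # un-invert the mapped IPv4
    return {"server": str(server), "flags": flags,
            "cone": bool(flags & 0x8000),        # top flag bit: client believes it is behind a cone NAT
            "mapped_port": port, "mapped_ipv4": str(client)}


def encode_teredo(server: str, client: str, port: int, flags: int = 0) -> str:
    """Build the address a Teredo client derives from what its server told it."""
    raw = ((0x20010000 << 96)
           | (int(ipaddress.IPv4Address(server)) << 64)
           | (flags << 48)
           | ((port ^ 0xFFFF) << 32)
           | (int(ipaddress.IPv4Address(client)) ^ 0xFFFFFFFF))
    return str(ipaddress.IPv6Address(raw))


if __name__ == "__main__":
    # the address from the ipconfig output above
    print(decode_teredo("2001:0:5ef5:79fd:2c63:b421:ab1c:1f40"))
    # constructed values: documentation addresses, made-up port and cone flag
    a = encode_teredo("192.0.2.1", "198.51.100.77", 40000, flags=0x8000)
    print(a, decode_teredo(a))
```

For forensics this is the useful direction: a Teredo source address in a log tells you the server the client registered with and the public IPv4 address and port behind which it sat, without any packet capture.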
Summary: 6 to 6 over 4
6 to 6 over 4 solves the "early adopter" problem; the main solution is 6rd/6to4, with
- IPv6 in IPv4 tunnels
- a portion of the IPv6 address space used to contain 6rd/6to4 addresses; the prefix in such addresses embeds a valid IPv4 address
- automatic tunnels, thanks to the presence of the IPv4 address embedded in the IPv6 prefix
- relay routers that terminate tunnels and announce the appropriate address blocks in IPv4 and IPv6; relay routers are stateless
Teredo is a variant that supports hosts behind IPv4 NATs without configuration of the NAT.
3. 4 to 4 over 6
The Legacy Problem
The problem is similar to 6 to 6 over 4 but there are two main differences:
- it is impossible to embed IPv6 addresses in IPv4 addresses
- IPv4 addresses may not be available
Many solutions are proposed or even deployed; DS-lite is the simplest; MAP-E is an improvement on DS-lite.
(Figure: IPv4 island with host A, IPv4/IPv6 router, IPv6 Internet, IPv4/IPv6 router, IPv4 Internet with host B.)
DS-Lite tunnels all IPv4 traffic to a "Carrier-Grade NAT"
At H1, the IPv4 destination is not on-link; the packet is sent to router A.
At A, the destination matches only the default route and the IPv4 packet is sent into the tunnel (IPv4 in IPv6) to B.
B decapsulates the packet, translates the IPv4 source address 10.22.32.44 and source port (e.g. 2345) to an IPv4 mapped address (e.g. 198.23.34.59) and to a possibly different port number (e.g. 5432).
(Figure: IPv4 local network with IPv4 host H1 at 10.22.32.44 behind the DS-lite box A, whose local IPv4 address is 10.11.12.13 and whose IPv6 address is 2001:baba:bebe::23; the IPv6 Internet; the Carrier Grade NAT B at 2001:baba:be00::77, owning the public pool 198.23.34.0 to 198.23.34.255; the IPv4 Internet; IPv4 host H3 at 200.23.24.25. Observation points 1 to 5 and interface labels 1, 11, 12 are marked along the path.)
Carrier Grade NAT is stateful
B needs to remember the (v4 address, port) mapping together with the IPv6 source address of A. In the NAT table at B we see:
NAT Table at B
  IPv6 DS-lite box address   IPv4 address   port   IPv4 translated address   translated port
  2001:baba:bebe::23         10.22.32.44    2345   198.23.34.59              5432
B does this for all customers and for every flow served by this provider. The NAT table may be very large. This is called a "Carrier Grade NAT".
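Added example (not from the lecture): a toy Carrier Grade NAT for DS-Lite (RFC 6333) that shows why the table above needs the IPv6 address of the customer's DS-lite box as part of its key. Two customers may both number their LAN 10.22.32.44, so outbound rows are keyed on (softwire IPv6 address, inner IPv4 source, port); inbound, the translated address and port select the row, which tells B which IPv6 address to re-encapsulate towards and which private address to restore. Addresses are the slide's; the port pool, allocation order and the second customer are made up.

```python
"""Added example: stateful CGN table for DS-Lite (toy model, no packets are built)."""
import ipaddress
import itertools


class CarrierGradeNAT:
    def __init__(self, pool_first: str, pool_last: str, ports=range(1024, 65536)):
        first = int(ipaddress.IPv4Address(pool_first))
        last = int(ipaddress.IPv4Address(pool_last))
        # lazy stream of free (public address, port) pairs; a real CGN uses a freelist
        self._free = itertools.product(range(first, last + 1), ports)
        self.table = {}     # (softwire_v6, inner_src_v4, inner_port) -> (public_v4, public_port)
        self.reverse = {}   # (public_v4, public_port) -> (softwire_v6, inner_src_v4, inner_port)

    def outbound(self, softwire: str, inner_src: str, inner_port: int) -> tuple:
        """Packet decapsulated at point 3, about to be sent on the IPv4 Internet at 4:
        reuse the row for this flow or allocate a new public (address, port)."""
        key = (softwire, inner_src, inner_port)
        if key not in self.table:
            try:
                ip, port = next(self._free)
            except StopIteration:
                raise RuntimeError("CGN pool exhausted")
            mapping = (str(ipaddress.IPv4Address(ip)), port)
            self.table[key] = mapping
            self.reverse[mapping] = key
        return self.table[key]

    def inbound(self, public_ip: str, public_port: int):
        """Response arriving at point 5: the row, or None (unsolicited packet, dropped)."""
        return self.reverse.get((public_ip, public_port))


def deliver_response(cgn: CarrierGradeNAT, ipv4_dst: str, dst_port: int):
    """B's work for a response: find the row, rewrite the IPv4 destination back to the
    customer's private address and encapsulate towards the customer's DS-lite box."""
    row = cgn.inbound(ipv4_dst, dst_port)
    if row is None:
        return None
    softwire, inner_dst, inner_port = row
    return {"ipv6_dst": softwire, "inner_ipv4_dst": inner_dst, "inner_port": inner_port}


if __name__ == "__main__":
    cgn = CarrierGradeNAT("198.23.34.0", "198.23.34.255")
    pub = cgn.outbound("2001:baba:bebe::23", "10.22.32.44", 2345)   # Homer's H1 via A
    print("H1 appears as", pub)
    print("response goes to", deliver_response(cgn, *pub))
    print("unsolicited:", deliver_response(cgn, "198.23.34.0", 9999))
```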
H1 sends one packet to H3 and H3 responds. We observe the response at 5. Say what is true.
1. The IPv4 destination address in the packet is 10.22.32.44
2. The IPv4 destination address in the packet is 198.23.34.59
3. The IPv6 destination address in the packet is 2001:baba:bebe::23
4. 1 and 3
5. 2 and 3
6. I don't know
(clicker vote distribution chart)
Solution
There is no IPv6 packet at 5, so answer 3 is false. The IPv4 destination address is the translated IPv4 address, i.e. answer 2 is right and answer 1 is false.
MAP-E (Mapping Address + Port, Encapsulation)
The problem with DS-Lite is the Carrier Grade NAT for very large ISPs. MAP-E solves the problem by putting the address translation in the local network (in MAP box A) instead of the CGN; the translated port number and IPv4 address are mapped to a part of the IPv6 address.
(Figure: same topology as for DS-Lite, with MAP box A, IPv6 address 2001:baba:bebe:0706::0102:0300:0006, in front of the IPv4 local network (H1 at 10.22.32.44, A's local address 10.11.12.13); the IPv6 Internet; MAP Border Relay B, printed on the slide as 2001:baba:be00:abcd:77, with the shared IPv4 pool 1.2.3.0 to 1.2.3.255; the IPv4 Internet; H3 at 200.23.24.25. Observation points 1 to 5 are marked.)
With MAP-E, the translated IPv4 address and port are embedded in the IPv6 prefix
MAP box A owns the IPv6 address prefix 2001:baba:bebe:0706. 0706 are called the EA bits (embedded address bits) of the MAP IPv6 address. A "MAP rule at A" specifies which bits are the EA bits; further, the MAP rule is used as follows:
- 07 determines the available bits in the translated IPv4 address, e.g. 1.2.3.7
- 06 specifies that the value of bits 5 to 12 of the translated port numbers must be (hexa) 06; for example the port ae1f can be mapped to b06a
The complete IPv6 address of MAP box A is algorithmically derived from the MAP rule, e.g. here 2001:baba:bebe:0706::0102:0300:0006.
Homer at H1 sends one packet to Lisa at H3
At H1, the IPv4 destination is not on-link; the packet is sent to router A.
A performs NAT44 and translates the IPv4 addresses and port; the translated IPv4 packet is sent into the tunnel to B.
B decapsulates the packet and sends it over the IPv4 Internet.
NAT Table at A
  IPv4 address   port (hexa)   IPv4 translated addr.   translated port
  10.22.32.44    ae1f          1.2.3.07                b06a
H1 sends one packet to H3 and H3 responds. We observe the response at 3. Say what is true.
1. The IPv6 destination address is determined algorithmically from the destination IPv4 address and port number seen at point 4
2. The IPv4 destination address and port number are the same as at point 4
3. 1 and 2
4. None
5. I don't know
(clicker vote distribution chart)
Solution
Both are true, i.e. the Border Relay B maps the IPv4 translated address and port to the IPv6 address of point 1. Border Relay B needs only static configuration (which bits are mapped), i.e. B is stateless. In contrast, A needs to remember the per-flow information and is stateful.
NAT Table at A
  IPv4 address   port (hexa)   IPv4 translated addr.   translated port
  10.22.32.44    ae1f          1.2.3.07                b06a
Summary: 4 to 4 over 6
4 to 4 over 6 (the legacy problem) is solved by NAT and IPv4 in IPv6 tunnels.
DS-Lite is simple but requires the NAT44 function in the relay router; it works only for small ISPs.
MAP-E is a variant which distributes the NAT44 function close to the IPv4 customer, i.e. it is more scalable.
4. Transition to IPv6
We have seen 4 different families of mechanisms for the interoperation of IPv4 and IPv6.
The multiplicity of solutions is a symptom that the transition to IPv6 has not yet really started.
Let us try to imagine which mechanisms can be used.
  Interworking                    Like-to-like
  ALG64 (application layer)       6rd or 6to4 (6 to 6 over 4)
  NAT64 (protocol translation)    DS-lite or MAP-E (4 to 4 over 6)
You are network manager at EPFL and want to upgrade to IPv6. Which elements do you deploy?
1. ALG64
2. NAT64
3. 6rd
4. MAP-E
5. I don't know
(clicker vote distribution chart)
Solution
Since EPFL has enough IPv4 addresses and receives both IPv4 and IPv6 service from its ISP, we don't need to deploy like-to-like solutions. We may want to migrate all services (such as web, git, infoscience) to IPv6, natively or by means of ALG64, so that all EPFL services are available on both IPv4 and IPv6.
You are network manager at Simpscom and want to save money by deploying only IPv6 in your cellular network. Which elements do you deploy?
1. ALG64
2. NAT64
3. 6rd
4. MAP-E
5. I don't know
(clicker vote distribution chart)
Solution
Your customers probably want to access some IPv4-only services: you can deploy DS-Lite or MAP-E at your base stations. You can also deploy some ALG64 solutions for important but low-volume services such as the control of voice over IP.
You work from home and have only IPv4 access; you need to upload a proposal to NSF. NSF accepts only IPv6. What do you need to enable on your PC?
1. 6to4
2. Teredo
3. ALG64
4. NAT64
5. I don't know
(clicker vote distribution chart)
Solution
You are probably behind a NAT and have only IPv4 in your LAN. Enable IPv6 on your PC and run Teredo.
Conclusion
Tunnels are an ad-hoc solution used in many cases:
- secure access over an insecure network (VPN)
- like-to-like access for IPv6/IPv4 issues
The transition to IPv6 creates several types of problems (early adopter, legacy) that can be solved with various methods involving automatic tunnels.