IPv6 Technical Training, General Course --
IPv6 Protocol Operating Principles and Applications
All rights reserved. No part of this publication and file may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of Professor Nen-Fu Huang (E-mail: [email protected]).
Distinguished Professor Nen-Fu Huang, Department of Computer Science, National Tsing Hua University. E-mail: [email protected]
IPv6 Protocol and Applications - 2
Outline
Introduction to the IPv6 protocol
IPv6 Routing and IPv6 Addressing
IPv6 Plug and Play Feature
IPv6 Security/QoS Supports
IPv4 to IPv6 Transition Mechanisms
IPv6 status and development trends, domestic and international
IPv6 Applications
Home Appliance Controllers
VoIP/Video Streaming
Remote Controllers
3G/4G/5G
Internet On-line Games
Home Automation
Sensors and sensor networks
Internet of Things (IoT)
Machine-to-Machine (M2M)
Others
IP addresses are needed everywhere
IPv6 Design Philosophy
The Internet could not have been so successful in the past years if IPv4 had contained any major flaw.
IPv4 was a very good design, and IPv6 should indeed keep most of its characteristics.
Should IPv6 simply increase the size of addresses and keep everything else unchanged?
However, 20 years of experience brought lessons.
IPv6 is not a simple derivation of IPv4, but a definitive improvement.
IPv6 Header Format (field widths in bits)
Version (4) | Prio (4) | Flow Label (24)
Payload Length (16) | Next Header (8) | Hop Limit (8)
Source IP address (128 bits)
Destination IP address (128 bits)
IPv4 Header Format (field widths in bits; bit positions 0, 3, 8, 15, 19 and 31 mark the field boundaries)
Version (4) | IHL (4) | Type of Service (8) | Total Length (16)
Identification (16) | Flags (3) | Fragment Offset (13)
Time to Live (8) | Protocol (8) | Header Checksum (16)
Source IP Address (32)
Destination IP Address (32)
Options + Padding
Data
A Comparison of Two Headers
Six fields were suppressed:
Header Length, Type of Service, Identification, Flags, Fragment Offset, Header Checksum.
Three fields were renamed:
Length, Protocol Type, Time to Live
The option mechanism was entirely revised (e.g., Source Routing, Route Recording).
Two new fields were added:
Priority and Flow Label (for real-time traffic).
A Comparison of Two Headers
Three major simplifications
Assign a fixed format to all headers (40 bytes)
Remove the header checksum
Remove the hop-by-hop segmentation procedure
From Options to Extension Headers
Hop-by-Hop options header
Routing header
Fragment header
Authentication header
Encrypted security payload
Destination options header
From Options to Extension Headers
Extension headers are chained through the Next Header field:
IPv6 Header (Next Header = TCP) -> TCP Header
IPv6 Header (Next Header = Routing) -> Routing Header (Next Header = TCP) -> TCP Header
IPv6 Header (Next Header = Routing) -> Routing Header (Next Header = Fragment) -> Fragment Header (Next Header = TCP) -> TCP Header
Routing Header
Next Header | Routing Type = 0 | Num Addresses <= 24 | Next Addr
Reserved | Strict/Loose bit mask
Address[0] (IPv6 address, 128 bits)
Address[1]
…
Address[Num Addrs - 1]
Fragment Header
Next Header | Reserved | Fragment Offset | Res | M (More fragments)
Identifier
Example: a frame of 2800 octets is sent as two fragments:
IPv6 header | fragment header 1 | first 1400 octets
IPv6 header | fragment header 2 | last 1400 octets
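The two slides above (the Next Header chain and the 2800-octet fragmentation example) can be exercised with a small parser. The following is an added example, not code from the lecture: it walks the Next Header chain with the length rules of each extension header, then splits a 2800-octet payload into the two 1400-octet fragments from the slide and reassembles them, refusing overlapping or missing pieces (overlapping fragments are a classic way to confuse a firewall or crash a reassembler). Assumptions: the routing header is built in the RFC 2460 layout rather than the draft layout drawn on the slide, the chain-length cap MAX_CHAIN is a limit chosen here, and all addresses and payloads are constructed test data.

```python
import struct

# Next Header (protocol) numbers; the named extension headers are the ones listed on the slides
HOPOPT, TCP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, NONXT, DSTOPTS = 0, 6, 43, 44, 50, 51, 58, 59, 60
NAMES = {HOPOPT: "Hop-by-Hop", TCP: "TCP", ROUTING: "Routing", FRAGMENT: "Fragment", ESP: "ESP",
         AH: "AH", ICMPV6: "ICMPv6", NONXT: "No Next Header", DSTOPTS: "Destination Options"}
EXTENSION_HEADERS = {HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS}   # ESP encrypts what follows, so the walk stops there
MAX_CHAIN = 8   # hypothetical sanity limit chosen here: refuse absurd chains instead of spending time on them


def ipv6_header(payload_len, next_header, src, dst, hop_limit=64):
    """40-byte base header: Version 6, Prio 0, Flow Label 0, then the fields shown on the slide."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, hop_limit, src, dst)


def routing_header(next_header, addresses):
    """Type 0 routing header in the RFC 2460 layout; Hdr Ext Len counts 8-octet units after the first 8."""
    return struct.pack("!BBBBI", next_header, 2 * len(addresses), 0, len(addresses), 0) + b"".join(addresses)


def walk_chain(pkt):
    """Follow Next Header from the base header to the upper-layer protocol.
    Returns (extension header names, upper-layer protocol name, offset of its data, fragment info or None)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    end = 40 + struct.unpack("!H", pkt[4:6])[0]
    if end > len(pkt):
        raise ValueError("Payload Length exceeds the bytes actually received")
    nxt, off, chain, frag = pkt[6], 40, [], None
    while nxt in EXTENSION_HEADERS:
        if len(chain) >= MAX_CHAIN:
            raise ValueError("too many extension headers")
        if off + 8 > end:
            raise ValueError("truncated extension header")
        chain.append(NAMES[nxt])
        if nxt == FRAGMENT:              # fixed 8 octets: Next Header, Reserved, Offset/Res/M, Identifier
            offset_res_m, ident = struct.unpack("!HI", pkt[off + 2:off + 8])
            frag = {"offset": (offset_res_m >> 3) * 8, "more": offset_res_m & 1, "id": ident}
            hlen = 8
        elif nxt == AH:                  # AH length is in 4-octet units, minus 2
            hlen = (pkt[off + 1] + 2) * 4
        else:                            # Hop-by-Hop, Routing, Destination Options: 8-octet units, minus 1
            hlen = (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + hlen
        if off > end:
            raise ValueError("extension header runs past the payload")
    return chain, NAMES.get(nxt, str(nxt)), off, frag


def fragment(src, dst, upper_proto, payload, piece_size, ident):
    """Split payload into fragments of piece_size octets (a multiple of 8), as in the slide's 2800-octet example."""
    if piece_size % 8:
        raise ValueError("all pieces but the last must be multiples of 8 octets")
    frags = []
    for start in range(0, len(payload), piece_size):
        piece = payload[start:start + piece_size]
        more = 1 if start + len(piece) < len(payload) else 0
        frag_hdr = struct.pack("!BBHI", upper_proto, 0, ((start // 8) << 3) | more, ident)
        frags.append(ipv6_header(8 + len(piece), FRAGMENT, src, dst) + frag_hdr + piece)
    return frags


def reassemble(frags):
    """Reassemble fragments in any order; gaps and overlaps are rejected instead of silently merged."""
    pieces, total = [], None
    for f in frags:
        _chain, _proto, off, info = walk_chain(f)
        if info is None:
            raise ValueError("packet carries no Fragment header")
        data = f[off:]
        if not info["more"]:
            total = info["offset"] + len(data)
        pieces.append((info["offset"], data))
    pieces.sort()
    buf, expected = b"", 0
    for offset, data in pieces:
        if offset != expected:
            raise ValueError("overlap or gap at offset %d" % offset)
        buf += data
        expected += len(data)
    if total is None or expected != total:
        raise ValueError("last fragment missing or lengths inconsistent")
    return buf


def reassembles_cleanly(frags):
    """True if the fragment set reassembles without gaps or overlaps."""
    try:
        reassemble(frags)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # constructed addresses from the documentation prefix 2001:db8::/32
    src = b"\x20\x01\x0d\xb8" + bytes(11) + b"\x01"
    dst = b"\x20\x01\x0d\xb8" + bytes(11) + b"\x02"
    pkt = ipv6_header(24 + 20, ROUTING, src, dst) + routing_header(TCP, [dst]) + bytes(20)
    print(walk_chain(pkt))
    frags = fragment(src, dst, TCP, (bytes(range(256)) * 11)[:2800], 1400, 0x1234)
    print(len(frags), walk_chain(frags[1]), reassembles_cleanly(frags))
```

A receiver has to make exactly these length and bound checks before trusting any header in the chain, because the Payload Length of the base header and the per-header length fields are all attacker-controlled input.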
IPv6 Addressing
Three categories of IPv6 addresses:
Unicast
Multicast
Anycast
Notation of IPv6 Addresses:
Write 128 bits as eight 16-bit integers separated by colons
Examples:
FEDC:BA98:7654:3210:FEDC:BA98:7654:3210
1080:0:0:0:8:800:200C:417A
IPv6 Addressing
Examples: a set of consecutive null 16-bit numbers can be replaced by two colons
1080:0:0:0:8:800:200C:417A => 1080::8:800:200C:417A
1080:0:0:0:8:0:0:417A => 1080::8:0:0:417A (not 1080::8::417A: the double colon may appear only once in an address)
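The notation rules above are small enough to implement by hand, which also shows why the rejected form 1080::8::417A is ambiguous. The following parser and compressor are an added example, not code from the lecture; they use the RFC 5952 canonical form (lowercase hex, the longest run of at least two zero groups becomes "::"), whereas the slides print hex in uppercase. All sample addresses are the ones on the slide or constructed for the test.

```python
HEX_DIGITS = set("0123456789abcdefABCDEF")


def _group(text):
    """One 16-bit group: 1 to 4 hex digits. int(..., 16) alone would accept '0x', '+' and whitespace."""
    if not 1 <= len(text) <= 4 or not set(text) <= HEX_DIGITS:
        raise ValueError("bad 16-bit group: %r" % text)
    return int(text, 16)


def expand(text):
    """Parse text notation into eight integers. At most one '::', and it must stand for at least one group."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once: %s" % text)
    head, sep, tail = text.partition("::")
    left = [_group(g) for g in head.split(":")] if head else []
    right = [_group(g) for g in tail.split(":")] if tail else []
    if sep:
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must replace at least one 16-bit group: %s" % text)
        groups = left + [0] * missing + right
    else:
        groups = left
    if len(groups) != 8:
        raise ValueError("an IPv6 address has eight 16-bit groups: %s" % text)
    return groups


def compress(groups):
    """Canonical text form: the longest run (first one on ties) of >= 2 zero groups becomes '::'."""
    best_start, best_len, run_start = 0, 0, None
    for i, g in enumerate(groups + [-1]):          # sentinel closes a run that reaches the end
        if g == 0:
            run_start = i if run_start is None else run_start
        elif run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    words = [format(g, "x") for g in groups]
    if best_len >= 2:
        return ":".join(words[:best_start]) + "::" + ":".join(words[best_start + best_len:])
    return ":".join(words)


def canonical(text):
    """Parse and re-emit, so that two spellings of one address compare equal as strings."""
    return compress(expand(text))


def is_valid(text):
    try:
        expand(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for a in ("1080:0:0:0:8:800:200C:417A", "1080:0:0:0:8:0:0:417A", "1080::8::417A"):
        print(a, "->", canonical(a) if is_valid(a) else "rejected")
```

Comparing addresses only after canonicalisation matters for access-control lists and log correlation: "1080:0:0:0:8:800:200C:417A" and "1080::8:800:200c:417a" are the same host.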
IPv6 Addressing
Some address formats:
Provider Addresses
Link Local Addresses
Site Local Addresses
Multicast Addresses
Anycast Addresses
[Figure: hosts (H) on several LANs, joined by routers (R) to the Internet. A Link is a single LAN; a Site (a company or organization) spans several links.]
Global Unicast Addresses
001 | TLA | NLA* | SLA* | interface ID
public topology (45 bits after the 3-bit format prefix) | site topology (16 bits) | interface identifier (64 bits)
TLA = Top-Level Aggregator; NLA* = Next-Level Aggregator(s); SLA* = Site-Level Aggregator(s)
All subfields are variable-length (like CIDR).
TLAs may be assigned to providers or exchanges.
Link-Local and Site-Local addresses
Link-local addresses, for use during auto-configuration and when no routers are present:
1111111010 | 0 | interface ID
Site-local addresses, for independence from changes of TLA / NLA*:
1111111011 | 0 | SLA* | interface ID
Interface IDs
The lowest-order 64-bit field of a unicast address may be assigned in several different ways:
auto-configured from a 64-bit EUI-64, or expanded from a 48-bit MAC address (e.g., Ethernet address)
auto-generated pseudo-random number (to address privacy concerns)
assigned via DHCP
manually configured
possibly other methods in the future
IPv6 Address Space
Allocation | Prefix (binary) | Fraction of Address Space
Reserved | 0000 0000 | 1/256
Unassigned | 0000 0001 | 1/256
Reserved for NSAP Allocation | 0000 001 | 1/128
Reserved for IPX Allocation | 0000 010 | 1/128
Unassigned | 0000 011 | 1/128
Unassigned | 0000 1 | 1/32
Unassigned | 0001 | 1/16
Unassigned | 001 | 1/8
Provider-Based Unicast Address | 010 | 1/8
Unassigned | 011 | 1/8
Reserved for Geographic-Based Unicast Addresses | 100 | 1/8
Unassigned | 101 | 1/8
Unassigned | 110 | 1/8
Unassigned | 1110 | 1/16
Unassigned | 1111 0 | 1/32
Unassigned | 1111 10 | 1/64
Unassigned | 1111 110 | 1/128
Unassigned | 1111 1110 0 | 1/512
Link Local Use Addresses | 1111 1110 10 | 1/1024
Site Local Use Addresses | 1111 1110 11 | 1/1024
Multicast Addresses | 1111 1111 | 1/256
The Evolution of ICMP
The ICMP for IPv6 was made more complete by incorporating the multicast control functions of the IPv4 Group Membership Protocol (IGMP).
ICMP Type | Meaning
1 | Destination Unreachable
2 | Packet Too Big
3 | Time Exceeded
4 | Parameter Problem
128 | Echo Request
129 | Echo Reply
130 | Group Membership Query
131 | Group Membership Report
132 | Group Membership Termination
133 | Router Solicitation
134 | Router Advertisement
135 | Neighbor Solicitation
136 | Neighbor Advertisement
137 | Redirect
IPv6 Routing
As in IPv4, IPv6 supports IGP and EGP routing protocols:
IGPs (Interior Gateway Protocols), used within an autonomous system (AS):
RIPng (RFC 2080)
OSPFv3 (RFC 2740)
Integrated IS-ISv6 (draft-ietf-isis-ipv6-02.txt)
EGP (Exterior Gateway Protocol), used for peering between autonomous systems (ASs):
MP-BGP4 (RFC 2858 and RFC 2545)
IPv6 Routing
BGP4+
Added IPv6 address-family
Added IPv6 transport
Runs within the same process - only one AS supported
All generic BGP functionality works as for IPv4
Added functionality to route-maps and prefix-lists
Plug-and-Play -- Auto-configuration
Auto-configuration means that a computer will automatically discover and register the parameters that it needs to use in order to connect to the Internet.
One should be able to change IPv6 addresses dynamically as one changes ISP providers.
Addresses would be assigned to interfaces for a limited lifetime.
Two modes for address configuration:
Stateless mode
Stateful mode (using DHCPv6)
Link Local Addresses
When an interface is initialized, the host can build up a link local address for this interface by concatenating the well-known link local prefix and a unique token (48-bit Ethernet address).
A typical link local address:
FE80:0:0:0:0:XXXX:XXXX:XXXX
Link local address can only be used on the local link.
Stateless Autoconfiguration
IPv6 nodes join the all nodes multicast group by programming their interfaces to receive all the packets for the address = FF02::1.
Send a solicitation message to the routers on the link, using the all routers address, FF02::2.
Routers reply with a router advertisement message.
Does not require any servers
Plug-and-Play -- Address Resolution
The neighbor discovery procedure offers the functions of ARP (IP → MAC) and router discovery.
Defined as part of IPv6 ICMP.
The host maintains four separate caches:
The destination’s cache.
The neighbor’s cache.
The prefix list.
The router list.
Destination’s Cache
The destination’s cache has an entry for each destination address toward which the host recently sent packets.
It associates the IPv6 address of the destination with that of the neighbor toward which the packets were sent.
Destination IPv6 Address (To) | Neighbor IPv6 Address (Via)
Neighbor’s Cache (IP/MAC)
The neighbor’s cache has an entry for the immediately adjacent neighbor to which packets were recently relayed.
It associates the IPv6 address of that neighbor with the corresponding MAC address (48 bits).
Neighbor IPv6 Address | Neighbor MAC address
Prefix List and Router List
The prefix list includes the prefixes that have been recently learned from router advertisements.
The router list includes the IPv6 addresses of all routers from which advertisements have recently been received.
Basic Algorithm to Transmit a Packet
To transmit a packet, the host must first find out the next hop for the destination. The next hop should be a neighbor directly connected to the same link as the host.
In most cases, the neighbor address will be found in the destination’s cache.
If not, the host will check whether one of the cached prefixes matches the destination address.
If yes, the destination is local, the next hop is the destination itself.
Both are in the same subnet and can send directly to each other.
Basic Algorithm
Otherwise, the destination is probably remote.
A router should be selected from the router list as the next hop.
The two are not in the same subnet, so packets must be sent via a router.
The corresponding entry for the next hop is added to the destination’s cache (update), and the neighbor’s cache is looked up to find the MAC address of that neighbor.
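The four caches and the next-hop algorithm of the last few slides fit in one small class. This is an added example, not the lecture's own code: it fills the prefix list and router list from Router Advertisements, applies the destination-cache / prefix-list / router-list order described above, and reports a neighbor-cache miss so the caller knows a Neighbor Solicitation is needed. Two assumptions not stated on the slides: the link-local prefix fe80::/10 is treated as always on-link, and an advertisement whose source is not a link-local address is discarded (the RFC 4861 rule that stops off-link hosts from injecting routers and prefixes into these caches). Addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


class NeighborDiscoveryHost:
    """The four caches from the slides plus the basic algorithm to pick a next hop."""

    def __init__(self):
        self.destination_cache = {}        # destination (To) -> next-hop neighbor (Via)
        self.neighbor_cache = {}           # neighbor IPv6 address -> MAC address
        self.prefix_list = [LINK_LOCAL]    # on-link prefixes learned from RAs; fe80::/10 assumed always on-link
        self.router_list = []              # routers whose advertisements were recently received

    def receive_router_advertisement(self, router, on_link_prefixes):
        """Learn a router and its on-link prefixes. Returns False (and learns nothing) for a non-link-local source."""
        router = ipaddress.IPv6Address(router)
        if router not in LINK_LOCAL:
            return False
        if router not in self.router_list:
            self.router_list.append(router)
        for prefix in on_link_prefixes:
            net = ipaddress.IPv6Network(prefix)
            if net not in self.prefix_list:
                self.prefix_list.append(net)
        return True

    def next_hop(self, destination):
        """Destination cache first; then an on-link prefix match (deliver directly); otherwise a router."""
        dest = ipaddress.IPv6Address(destination)
        if dest in self.destination_cache:
            return self.destination_cache[dest]
        if any(dest in prefix for prefix in self.prefix_list):
            hop = dest                                # same subnet: the next hop is the destination itself
        elif self.router_list:
            hop = self.router_list[0]                 # remote: send via a router from the router list
        else:
            raise LookupError("no on-link prefix matches %s and no router is known" % dest)
        self.destination_cache[dest] = hop            # update the destination cache
        return hop

    def resolve(self, destination):
        """Return (next hop, MAC); MAC is None on a neighbor-cache miss, i.e. a Neighbor Solicitation is needed."""
        hop = self.next_hop(destination)
        return hop, self.neighbor_cache.get(hop)      # look up the neighbor cache

    def learn_neighbor(self, neighbor, mac):
        """Record what a Neighbor Advertisement told us."""
        self.neighbor_cache[ipaddress.IPv6Address(neighbor)] = mac


if __name__ == "__main__":
    host = NeighborDiscoveryHost()
    host.receive_router_advertisement("fe80::1", ["2001:db8:1::/64"])
    host.learn_neighbor("fe80::1", "00:11:22:33:44:55")
    print(host.resolve("2001:db8:1::5"))   # on-link, MAC unknown yet
    print(host.resolve("2001:db8:9::7"))   # remote, via fe80::1
```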
Neighbor Solicitation and Neighbor Advertisement messages (IPv6 → MAC)
IPv6 source address = link local address of the interface.
Hop count = 1.
IPv6 destination address = solicited node multicast address, which is formed by concatenating a fixed 96-bit prefix, FF02:0:0:0:0:1, and the last 32 bits of the node’s IPv6 address.
Neighbor Solicitation
Type = 135 | Code = 0 | Checksum
Reserved
Target address = Solicited Neighbor Address (IPv6)
Options ... (Source link-level address)
Neighbor Advertisement
Type = 136 | Code = 0 | Checksum
R | S | Reserved
Target address
Options ... (Source link-level address)
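The address derivations from the link-local slide and the solicited-node rule above, together with the Neighbor Solicitation format, can be checked byte by byte. The following is an added example, not code from the lecture. It derives a link-local address from a MAC using the modified EUI-64 rule (the slides mention EUI-64 expansion of a 48-bit MAC; the exact FF:FE insertion and universal/local bit flip are taken from RFC 4291, not from the slides), computes the solicited-node address both as the slide states it (96-bit prefix plus the last 32 bits, the original RFC 1970 form) and as RFC 4291 now defines it (FF02::1:FF00:0/104 plus the last 24 bits), builds a Neighbor Solicitation with its ICMPv6 pseudo-header checksum, and parses one the way a receiver would, refusing a zero-length option that would otherwise loop forever. Note that current Neighbor Discovery (RFC 4861) sends these messages with Hop Limit 255, so a receiver can drop any solicitation that has crossed a router; the value 1 on the slide reflects the early specification. The MAC and target address are constructed test values.

```python
import struct

ICMPV6 = 58
NS_TYPE, NA_TYPE = 135, 136


def eui64_from_mac(mac):
    """Modified EUI-64 (RFC 4291): flip the universal/local bit and insert FF:FE between the two halves."""
    if len(mac) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:6]


def link_local(mac):
    """FE80::/64 followed by the interface ID derived from the MAC."""
    return b"\xfe\x80" + bytes(6) + eui64_from_mac(mac)


def solicited_node_slide(addr):
    """Slide's rule: fixed 96-bit prefix FF02:0:0:0:0:1 followed by the last 32 bits of the address."""
    return b"\xff\x02" + bytes(9) + b"\x01" + addr[12:16]


def solicited_node_rfc4291(addr):
    """Current rule (RFC 4291): prefix FF02::1:FF00:0/104 followed by the last 24 bits of the address."""
    return b"\xff\x02" + bytes(9) + b"\x01\xff" + addr[13:16]


def icmpv6_checksum(src, dst, message):
    """One's-complement checksum over the IPv6 pseudo-header (src, dst, length, next header) and the message."""
    pseudo = src + dst + struct.pack("!IBBBB", len(message), 0, 0, 0, ICMPV6)
    data = pseudo + message + (b"\x00" if len(message) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def neighbor_solicitation(src_link_local, target, src_mac):
    """Build the NS from the slide: Type 135, Code 0, Checksum, Reserved, Target, Source Link-Layer Address option.
    Returns (destination address, message)."""
    option = struct.pack("!BB", 1, 1) + src_mac              # option type 1, length 1 (one 8-octet unit)
    body = struct.pack("!BBHI", NS_TYPE, 0, 0, 0) + target + option
    dst = solicited_node_rfc4291(target)
    csum = icmpv6_checksum(src_link_local, dst, body)
    return dst, body[:2] + struct.pack("!H", csum) + body[4:]


def checksum_ok(src, dst, message):
    """A receiver recomputes the checksum over the message as received; the result is 0 when it verifies."""
    return icmpv6_checksum(src, dst, message) == 0


def parse_solicitation(message):
    """Return (target address, advertised source MAC or None), which is what the receiver would cache."""
    if len(message) < 24 or message[0] != NS_TYPE or message[1] != 0:
        raise ValueError("not a Neighbor Solicitation")
    target, mac, off = message[8:24], None, 24
    while off + 2 <= len(message):
        opt_type, opt_len = message[off], message[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(message):
            raise ValueError("malformed ND option")            # a zero-length option must not be walked
        if opt_type == 1:
            mac = message[off + 2:off + 8]
        off += opt_len
    return target, mac


if __name__ == "__main__":
    mac = bytes.fromhex("0013720a1b2c")                        # constructed MAC address
    me = link_local(mac)
    target = bytes.fromhex("fe80 0000 0000 0000 0000 0000 0000 0005")
    dst, ns = neighbor_solicitation(me, target, mac)
    print(me.hex(), dst.hex(), ns.hex(), checksum_ok(me, dst, ns))
```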
IPv6 Flows and Flow Label
A flow is a sequence of packets sent from a particular source to a particular destination (unicast or multicast).
Each flow can have a Flow Label (24 bits).
The Flow Label may be used together with the routing header.
Version (4) | Prio (4) | Flow Label (24)
Payload Length (16) | Next Header (8) | Hop Limit (8)
Source IP address (128 bits)
Destination IP address (128 bits)
IPv6 Real-time Support
Supporting Reservations
Real-time flows
Using RSVP and Flows
Using Hop-by-Hop Options
[Figure: five flows (Flow1 to Flow5) arriving at an IPv6 router, where a scheduler (S) applies QoS before forwarding.]
IPv6 Security
IPv6 Security Support
All IPv6 implementations required to support authentication and encryption headers (“IPsec”)
Authentication is separated from encryption for use in situations where encryption is prohibited or prohibitively expensive
Key distribution protocols
Support for manual key configuration required
Authentication Header
Destination Address + SPI identifies security association state (key, lifetime, algorithm, etc.)
Provides authentication and data integrity for all fields of the IPv6 packet that do not change en route
Default algorithm is Keyed MD5
Next Header | Hdr Ext Len | Reserved
Security Parameters Index (SPI)
Sequence Number
Authentication Data
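The AH slide makes two claims worth seeing in code: the integrity check covers only the fields that do not change en route, and the SPI selects the security association state. The following is an added example, not code from the lecture. It builds an AH in transport mode over the 40-byte base header, zeroes the Hop Limit before computing the Authentication Data, and on the receiving side checks the SPI, rejects a replayed or old Sequence Number, and compares the ICV in constant time. Assumptions: the algorithm is HMAC-MD5-96 (RFC 2403), which replaced the keyed MD5 of the early specification named on the slide; both are legacy today and a deployment would use HMAC-SHA-256 (RFC 4868). The SA is keyed by SPI alone (the slide keys it by destination address plus SPI), the anti-replay check is the simplest monotonic form rather than the sliding window, and the key and addresses are constructed test values.

```python
import hashlib
import hmac
import struct

AH, TCP = 51, 6
ICV_LEN = 12           # HMAC-MD5-96: the 128-bit tag truncated to 96 bits (RFC 2403)


def ipv6_header(payload_len, next_header, src, dst, hop_limit):
    """40-byte base header: Version 6, Prio 0, Flow Label 0, then Payload Length, Next Header, Hop Limit, addresses."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, hop_limit, src, dst)


def immutable_view(ipv6_hdr):
    """Fields that change en route are zeroed before hashing; in the base header that is the Hop Limit (byte 7)."""
    return ipv6_hdr[:7] + b"\x00" + ipv6_hdr[8:]


def compute_icv(key, ipv6_hdr, ah_fixed, payload):
    """ICV over the immutable base header, the AH with its own Authentication Data zeroed, and the payload."""
    data = immutable_view(ipv6_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.md5).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, spi, seq, payload, hop_limit=64):
    """Transport-mode AH: Next Header | Hdr Ext Len | Reserved | SPI | Sequence Number | Authentication Data."""
    ah_len = (12 + ICV_LEN) // 4 - 2                             # AH length is in 32-bit words, minus 2
    ah_fixed = struct.pack("!BBHII", TCP, ah_len, 0, spi, seq)
    hdr = ipv6_header(12 + ICV_LEN + len(payload), AH, src, dst, hop_limit)
    return hdr + ah_fixed + compute_icv(key, hdr, ah_fixed, payload) + payload


class AHReceiver:
    """Security association state per SPI (the key) plus the highest Sequence Number accepted so far."""

    def __init__(self, keys_by_spi):
        self.keys = dict(keys_by_spi)
        self.last_seq = {spi: 0 for spi in self.keys}

    def verify(self, pkt):
        """True if the packet carries AH, the SPI is known, the sequence number is fresh and the ICV matches."""
        if len(pkt) < 40 + 12 + ICV_LEN or pkt[6] != AH:
            return False
        hdr, ah_fixed = pkt[:40], pkt[40:52]
        icv, payload = pkt[52:52 + ICV_LEN], pkt[52 + ICV_LEN:]
        spi, seq = struct.unpack("!II", ah_fixed[4:12])
        key = self.keys.get(spi)
        if key is None or seq <= self.last_seq[spi]:            # unknown SA, or a replayed / stale sequence number
            return False
        if not hmac.compare_digest(icv, compute_icv(key, hdr, ah_fixed, payload)):
            return False
        self.last_seq[spi] = seq
        return True


if __name__ == "__main__":
    key = b"constructed-test-key"
    src = b"\x20\x01\x0d\xb8" + bytes(11) + b"\x01"
    dst = b"\x20\x01\x0d\xb8" + bytes(11) + b"\x02"
    pkt = build_ah_packet(key, src, dst, 0x100, 1, b"tcp segment")
    forwarded = pkt[:7] + bytes([pkt[7] - 1]) + pkt[8:]          # a router decremented Hop Limit: still valid
    print(AHReceiver({0x100: key}).verify(forwarded))
```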
Encapsulating Security Payload (ESP)
Security Parameters Index (SPI)
Sequence Number
Payload
Padding | Padding Length | Next Header
Authentication Data
Migration from IPv4 to IPv6
IPv4-IPv6 Transition / Co-Existence
A wide range of techniques have been identified and implemented, basically falling into three categories:
(1) Dual-stack techniques, to allow IPv4 and IPv6 to co-exist in the same devices and networks
(2) Tunneling techniques, to avoid order dependencies when upgrading hosts, routers, or regions
(3) Translation techniques, to allow IPv6-only devices to communicate with IPv4-only devices
Expect all of these to be used, in combination
Next Generation Transition (NGTRANS)
Three approaches: Translator, Dual Stack, Tunneling
Dual Stack
RFC 1933; NGTRANS draft: draft-ietf-ngtrans-dstm-07.txt
[Figure: an IPv4/IPv6 dual-stack network between an IPv6-only network and an IPv4-only network, with dual-stack nodes at each boundary and AIIH (DHCPv6, DNS) support.]
Dual Stack Approach
Dual stack node means:
Both IPv4 and IPv6 stacks enabled
Applications can talk to both
Based on name lookup and application preference
[Figure: protocol stack of a dual-stack node. IPv6-enabled Application | TCP, UDP | IPv4, IPv6 | Data Link (Ethernet). The Ethernet frame protocol ID selects the stack: 0x0800 for IPv4, 0x86dd for IPv6.]
Tunneling
[Figure: IPv6 islands connected across an IPv4 network by tunnels: 6over4 (RFC 2529), 6to4 (RFC 3056), and a Tunnel Broker (RFC 3053) serving IPv4/IPv6 hosts.]
Using Tunnels for IPv6 Deployment
Many techniques are available to establish a tunnel:
Manually configured: Manual Tunnel (RFC 2893), GRE (RFC 2473)
Semi-automated: Tunnel broker
Automatic: Compatible IPv4 (RFC 2893), 6to4 (RFC 3056), 6over4, ISATAP
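Two of the automatic techniques above derive the tunnel endpoint from an IPv4 address embedded in the IPv6 address: 6to4 (RFC 3056) uses 2002:WWXX:YYZZ::/48, and Compatible IPv4 (RFC 2893) uses ::W.X.Y.Z. The following is an added example, not code from the lecture, and it goes slightly beyond the slide: it derives both address forms, encapsulates an IPv6 packet in an IPv4 header with protocol 41 choosing the outer destination from the inner one, and on decapsulation applies the consistency check a 6to4 router or relay needs (RFC 3964): when the inner source is a 6to4 address, the IPv4 address it embeds must equal the outer IPv4 source, otherwise the packet is dropped as spoofed. Assumptions: the relay address is a parameter rather than the anycast relay, private-range rejection is limited to the RFC 1918 blocks, and the addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 2001:db8::/32) are documentation ranges used as constructed test data.

```python
import ipaddress
import struct

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
IPV4_COMPAT = ipaddress.IPv6Network("::/96")
PROTO_IPV6 = 41                                     # IPv4 protocol number for an encapsulated IPv6 packet
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def six_to_four_prefix(ipv4):
    """2002:WWXX:YYZZ::/48 for the global IPv4 address W.X.Y.Z (RFC 3056)."""
    v4 = ipaddress.IPv4Address(ipv4)
    if v4.is_loopback or v4.is_multicast or v4.is_unspecified or v4.is_link_local or any(v4 in n for n in RFC1918):
        raise ValueError("6to4 needs a globally unique IPv4 address, got %s" % v4)
    return ipaddress.IPv6Network("%s/48" % ipaddress.IPv6Address((0x2002 << 112) | (int(v4) << 80)))


def ipv4_compatible(ipv4):
    """::W.X.Y.Z, the IPv4-compatible address of RFC 2893 automatic tunnelling."""
    return ipaddress.IPv6Address(int(ipaddress.IPv4Address(ipv4)))


def embedded_ipv4(ipv6):
    """The IPv4 address embedded in a 6to4 or IPv4-compatible address, or None if the address carries neither."""
    v6 = ipaddress.IPv6Address(ipv6)
    n = int(v6)
    if v6 in SIX_TO_FOUR:
        return ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)
    if v6 in IPV4_COMPAT and n > 1:                 # exclude :: and ::1
        return ipaddress.IPv4Address(n & 0xFFFFFFFF)
    return None


def ipv6_packet(src, dst, payload=b""):
    """Minimal IPv6 packet with Next Header 59 (no next header) for the tunnel examples."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), 59, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + payload


def ipv4_checksum(hdr):
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(ipv6_pkt, tunnel_src_v4, relay_v4):
    """Wrap in IPv4, protocol 41. A 6to4 inner destination yields the outer destination; anything else goes to the relay."""
    inner_dst = ipaddress.IPv6Address(ipv6_pkt[24:40])
    outer_dst = embedded_ipv4(inner_dst) if inner_dst in SIX_TO_FOUR else ipaddress.IPv4Address(relay_v4)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6_pkt), 0, 0, 64, PROTO_IPV6, 0,
                      ipaddress.IPv4Address(tunnel_src_v4).packed, outer_dst.packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ipv6_pkt


def decapsulate(ipv4_pkt):
    """Unwrap and apply the RFC 3964 check: an inner 6to4 source must embed the outer IPv4 source. None means drop."""
    if len(ipv4_pkt) < 60 or ipv4_pkt[0] != 0x45 or ipv4_pkt[9] != PROTO_IPV6:
        return None
    if ipv4_checksum(ipv4_pkt[:20]) != 0:
        return None
    outer_src = ipaddress.IPv4Address(ipv4_pkt[12:16])
    inner = ipv4_pkt[20:]
    inner_src = ipaddress.IPv6Address(inner[8:24])
    if inner_src in SIX_TO_FOUR and embedded_ipv4(inner_src) != outer_src:
        return None                                  # spoofed: embedded IPv4 does not match the tunnel endpoint
    return inner


if __name__ == "__main__":
    print(six_to_four_prefix("192.0.2.1"), ipv4_compatible("192.0.2.1"))
    pkt = ipv6_packet("2002:c000:201::1", "2002:cb00:7101::1", b"x")
    outer = encapsulate(pkt, "192.0.2.1", "198.51.100.1")
    print(decapsulate(outer) == pkt, decapsulate(encapsulate(pkt, "198.51.100.7", "198.51.100.1")))
```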
Translators
RFC 2765 (SIIT); RFC 2766 (NAT-PT)
RFC 2767 (BITS)
RFC 3089 (Socks-Gateway); RFC 3142 (TCP/UDP-Relay)
[Figure: an IPv6 host reaching an IPv4 host through a NAT-PT/SIIT translator at the IPv6/IPv4 boundary; IPv4 applications running over an IPv6 stack via BITS; and application-layer Socks-Gateway and TCP/UDP-Relay.]
Transition Approaches
Dual Stack – system completely supports IPv6
Tunneling – IPv6 packets are encapsulated for transmission over existing IPv4 infrastructure
Translation – IPv6 packets are translated into IPv4 packets and vice versa
– Header information is preserved as much as possible
Dual Stack Mechanisms
Simple dual stack (RFC1933)
– Both IPv4 and IPv6 are directly supported
[Figure: a dual-stack node (Applications | TCP/UDP | IPv4 and IPv6 | Device Driver) attached to a mixed v4/v6 network, a v6-only network and a v4-only network; routing protocols run over both IPv4 and IPv6.]
Dual Stack Mechanisms
Dual Stack Transition Mechanism (DSTM)
– Assures communication between IPv4 applications in IPv6-only networks and the rest of the Internet
– Temporary IPv4 addresses are assigned when communicating with an IPv4-only host.
– Cooperation between DNS and DHCPv6
– Dynamic Tunnel Interface encapsulates the IPv4 packets
[Figure: an IPv4 application on a dual-stack host in an IPv6-only network needs to reach an IPv4 application on an IPv4-only host.]
DSTM: Principles
Assumes an IPv4/IPv6 dual stack on the host; the IPv4 stack is configured only when one or more applications need it
– A temporary IPv4 address is given to the host
All IPv4 traffic coming from the host is tunneled towards the DSTM gateway (IPv4 over IPv6).
– DSTM gateway encapsulates/decapsulates packets
– Maintains an IPv6 ↔ IPv4 mapping table
Tunneled packet: IPv6 header | IPv4 header | Payload
How DSTM works (v6 → v4)
[Figure: host A and DSTM gateway B on the IPv6 network, host C on the IPv4 network; the DNS and the DSTM server are reachable from A.]
(1) In A, the v4 address of C is used by the application, which sends a v4 packet to the kernel
(2) The interface asks the DSTM Server for a v4 source address
(3) The DSTM server returns: a temporary IPv4 address for A, and the IPv6 address of the DSTM gateway
(4) A creates the IPv4 packet (A4 → C4)
(5) A tunnels the v4 packet to B using IPv6 (A6 → B6): IPv6 header | IPv4 header | Payload
(6) B decapsulates the v4 packet and sends it to C4: IPv4 header | Payload
(7) B keeps the mapping between A4 and A6 in the routing table
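The seven DSTM steps above can be played through with a simulated server and gateway. This is an added example, not code from the lecture or from any DSTM implementation: the server hands out temporary IPv4 addresses from a pool with a lifetime and renews rather than duplicates a lease (step 3), and the gateway decapsulates IPv4-over-IPv6 from hosts and keeps the IPv4 → IPv6 mapping table (steps 6 and 7). One check is added beyond the slide: once a temporary IPv4 address is mapped to a host's IPv6 address, a tunneled packet claiming that IPv4 source from a different IPv6 host is dropped, so one host cannot borrow another's temporary address. The inner IPv4 packet is modelled as a (src, dst, payload) tuple rather than bytes; addresses and the lifetime are constructed test values.

```python
import ipaddress


class DSTMServer:
    """Allocates temporary IPv4 addresses to dual-stack hosts on the IPv6-only network, each with a lifetime."""

    def __init__(self, ipv4_pool, gateway_v6, lifetime):
        self.free = [ipaddress.IPv4Address(a) for a in ipv4_pool]
        self.gateway_v6 = ipaddress.IPv6Address(gateway_v6)
        self.lifetime = lifetime
        self.leases = {}                  # host IPv6 -> (temporary IPv4, expiry time)

    def request(self, host_v6, now):
        """Step (3): return (temporary IPv4 address, DSTM gateway IPv6 address), or None when the pool is empty."""
        host_v6 = ipaddress.IPv6Address(host_v6)
        self.expire(now)
        if host_v6 in self.leases:        # renew the existing lease instead of handing out a second address
            v4 = self.leases[host_v6][0]
        elif self.free:
            v4 = self.free.pop(0)
        else:
            return None
        self.leases[host_v6] = (v4, now + self.lifetime)
        return v4, self.gateway_v6

    def expire(self, now):
        """Return expired temporary addresses to the pool."""
        for host_v6, (v4, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[host_v6]
                self.free.append(v4)


class DSTMGateway:
    """Decapsulates IPv4-over-IPv6 from hosts (step 6) and keeps the IPv4 -> IPv6 mapping table (step 7)."""

    def __init__(self, own_v6):
        self.own_v6 = ipaddress.IPv6Address(own_v6)
        self.mapping = {}                 # temporary IPv4 -> host IPv6

    def from_host(self, outer_src_v6, outer_dst_v6, inner):
        """inner is (src_v4, dst_v4, payload). Returns the IPv4 packet to forward, or None to drop it."""
        outer_src_v6 = ipaddress.IPv6Address(outer_src_v6)
        if ipaddress.IPv6Address(outer_dst_v6) != self.own_v6:
            return None                   # not addressed to this gateway
        src_v4 = ipaddress.IPv4Address(inner[0])
        known = self.mapping.get(src_v4)
        if known is not None and known != outer_src_v6:
            return None                   # another host is claiming this temporary IPv4 address
        self.mapping[src_v4] = outer_src_v6
        return inner

    def to_host(self, inner):
        """Reverse direction: find the host for the destination IPv4 and return (outer IPv6 destination, inner), or None."""
        host_v6 = self.mapping.get(ipaddress.IPv4Address(inner[1]))
        if host_v6 is None:
            return None
        return host_v6, inner


if __name__ == "__main__":
    server = DSTMServer(["192.0.2.10", "192.0.2.11"], "2001:db8::b", lifetime=300)
    a4, gw6 = server.request("2001:db8::a", now=0)                 # steps 2 and 3
    gateway = DSTMGateway(gw6)
    packet = (str(a4), "198.51.100.5", b"request")                  # step 4: A4 -> C4
    print(gateway.from_host("2001:db8::a", gw6, packet))            # steps 5 and 6
    print(gateway.to_host(("198.51.100.5", str(a4), b"reply")))     # step 7 in use
```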