IPv6 技術講習一般課程 --

IPv6協議運作原理與應用

All rights reserved. No part of this publication and file may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of Professor Nen-Fu Huang (E-mail: nfhuang@cs.nthu.edu.tw).

黃能富特聘教授 國立清華大學資訊工程系 E-mail: nfhuang@cs.nthu.edu.tw

IPv6 協議與應用 - 2

Outline

IPv6 protocol 簡介

IPv6 Routing and IPv6 Addressing

IPv6 Plug and Play Feature

IPv6 Security/QoS Supports

IPv4 to IPv6 Transition Mechanisms

IPv6 國內外現況與發展趨勢

IPv6 協議與應用 - 3

IPv6 Applications

Home Appliance Controllers

VoIP/Video Streaming

Remote Controllers

3G/4G/5G

Internet On-line Games

Home Automation

Sensors and Sensor networks 感測器與感測網路

Internet of Things (IoT) 物聯網

Machine-to-Machine (M2M)

Others

IPv6 協議與應用 - 4

IP addresses need everywhere

IPv6 協議與應用 - 5

IPv6 設計理念

The Internet could not have been so successful in the past years if IPv4 had contained any major flaw.

IPv4 was a very good design, and IPv6 should indeed keep most of its characteristics.

Simply increase the size of addresses and to keep everything else unchanged ?

However, 20 years of experience brought lessons.

IPv6 is not a simple derivation of IPv4, but a definitive improvement.

IPv6 協議與應用 - 6

IPv6 Header Format

4 4 8 8 8 位元

Version Prio Flow Label

Payload Length Next Header Hop Limit

Source IP address (128 位元)

Destination IP address (128位元)

IPv6 協議與應用 - 7

IPv4 Header Format

version IHL Type of Service Total length

Identification Flags Fragment Offset

Time to Live Protocol Header Checksum

Source IP Address

Destination IP Address

Options + Padding

Data

0 3 8 15 19 31

IPv6 協議與應用 - 8

A Comparison of Two Headers

Six fields were suppressed:

Header Length, Type of Service, Identification, Flags, Fragment Offset, Header Checksum.

Three fields were renamed:

Length, Protocol Type, Time to Live

The option mechanism was entirely revised.

Source Routing

Route Recording

Two new fields were added:

Priority and Flow Label (for real-time traffic).

IPv6 協議與應用 - 9

A Comparison of Two Headers

Three major simplifications

Assign a fixed format to all headers (40 bytes)

Remove the header checksum

Remove the hop-by-hop segmentation procedure

IPv6 協議與應用 - 10

From Options to Extension Headers

Hop-by-Hop options header

Routing header

Fragment header

Authentication header

Encrypted security payload

Destination options header

IPv6 協議與應用 - 11

From Options to Extension Headers

IPv6 Header Next Header = TCP

TCP Header

IPv6 Header Next Header = Routing

TCP Header Routing Header Next Header = TCP

IPv6 Header Next Header = Routing

TCP Header

Routing Header Next Header = Fragment

Fragment Header Next Header = TCP

IPv6 協議與應用 - 12

Routing Header

N e x t H e a d e r

R o u t i n g T y p e = 0

N u m a d d r e s s < = 2 4

N e x t A d d r

R e s e r v e d S t r i c t / L o o s e b i t m a s k

A d d r e s s [ 0 ] ( I P v 6 a d d r e s s , 1 2 8 b i t s )

A d d r e s s [ 1 ]

…

A d d r e s s [ N u m A d d r s - 1 ]

IPv6 協議與應用 - 13

Fragment Header

I P v 6

h e a d e r

f r a g m e n t h e a d e r 1

F i r s t 1 4 0 0 o c t e t s

I P v 6

h e a d e r

f r a g m e n t h e a d e r 2

L a s t 1 4 0 0 o c t e t s

N e x t H e a d e r R e s e r v e d F r a g m e n t O f f s e t R e s M

I d e n t i f i e r

Frame Length = 2800 octets

More

IPv6 協議與應用 - 14

IPv6 Addressing

Three categories of IPv6 addresses:

Unicast

Multicast

Anycast

Notation of IPv6 Addresses:

Write 128 bits as eight 16-bit integers separated by colons

Examples:

FEDC:BA98:7654:3210:FEDC:BA98:7654:3210

1080:0:0:0:8:800:200C:417A

IPv6 協議與應用 - 15

IPv6 Addressing

Examples: A set of consecutive null 16-bit numbers can be replaced

by two colons

1080:0:0:0:8:800:200C:417A => 1080::8:800:200C:417A

1080:0:0:0:8:0:0:417A => 1080::8:0:0:417A 1080::8::417A

IPv6 協議與應用 - 16

IPv6 Addressing

Some Addresses formats Provider Addresses

Link Local Addresses

Site Local Addresses

Multicast Addresses

Anycast Addresses

H

Internet

LAN

R

R

LAN

LAN

H H

H

H

Link

Link Link

Site

Site

Site (公司或組織）

IPv6 協議與應用 - 17

site

topology

(16 bits)

interface

identifier

(64 bits)

public

topology

(45 bits)

interface ID SLA* NLA* TLA 001

Global Unicast Addresses

TLA = Top-Level Aggregator NLA* = Next-Level Aggregator(s) SLA* = Site-Level Aggregator(s)

all subfields variable-length (like CIDR)

TLAs may be assigned to providers or exchanges

IPv6 協議與應用 - 18

Link-local addresses for use during auto-configuration and when no routers are present:

Site-local addresses for independence from changes of TLA / NLA*:

Link-Local and Site-Local address

1111111010 0 interface ID

1111111011 0 interface ID SLA*

IPv6 協議與應用 - 19

Interface IDs

Lowest-order 64-bit field of unicast address may be assigned in several different ways:

auto-configured from a 64-bit EUI-64, or expanded from a 48-bit MAC address (e.g., Ethernet address)

auto-generated pseudo-random number (to address privacy concerns)

assigned via DHCP

manually configured

possibly other methods in the future

IPv6 協議與應用 - 20

IPv6 Address Space

Allocation Space Prefix (binary) Fraction of

Address Space

Reserved 0000 0000 1/256

Unassigned 0000 0001 1/256

Reserved for NSAP Allocation 0000 001 1/128

Reserved for IPX Allocation 0000 010 1/128

Unassigned 0000 011 1/128

Unassigned 0000 1 1/32

Unassigned 0001 1/16

Unassigned 001 1/8

Provider-Based Unicast Address 010 1/8

Unassigned 011 1/8

Reserved for Geographic-Based

Unicast Addresses

100 1/8

Unassigned 101 1/8

Unassigned 110 1/8

Unassigned 1110 1/16

Unassigned 1111 0 1/32

Unassigned 1111 10 1/64

Unassigned 1111 110 1/128

Unassigned 1111 1110 0 1/512

Link Local Use Addresses 1111 1110 10 1/1024

Site Local Use Addresses 1111 1110 11 1/1024

Multicast Addresses 1111 1111 1/256

IPv6 協議與應用 - 21

The Evolution of ICMP

The ICMP for IPv4 was made more complete by incorporating the multicast control functions of the IPv4 Group Membership Protocol (IGMP).

ICMP Type Meaning

1 Destination Unreachable

2 Packet Too Big

3 Time Exceeded

4 Parameter Problem

128 Echo Request

129 Echo Reply

130 Group Membership Query

131 Group Membership Report

132 Group Membership Termination

133 Router Solicitation

134 Router Advertisement

135 Neighbor Solicitation

136 Neighbor Advertisement

137 Redirect

IPv6 協議與應用 - 22 22

IPv6 Routing

As in IPv4, IPv6 supports IGP and EGP routing protocols:

IGP (Interior Gateway Protocol) for within an autonomous system (AS) are

RIPng (RFC 2080)

OSPFv3 (RFC 2740)

Integrated IS-ISv6 (draft-ietf-isis-ipv6-02.txt)

EGP (Edge Gateway Protocol) for peering between autonomous systems (ASs)

MP-BGP4 (RFC 2858 and RFC 2545)

IPv6 協議與應用 - 23

IPv6 Routing

BGP4+

Added IPv6 address-family

Added IPv6 transport

Runs within the same process - only one AS supported

All generic BGP functionality works as for IPv4

Added functionality to route-maps and prefix-lists

IPv6 協議與應用 - 24

Plug-and-Play -- Auto-configuration

Auto-configuration means that a computer will automatically discover and register the parameters that it needs to use in order to connect to the Internet.

One should be able to change IPv6 addresses dynamically as one changes ISP providers.

Addresses would be assigned to interfaces for a limited lifetime.

Two modes for address configuration

Stateless mode

Stateful mode (using DHCPv6)

IPv6 協議與應用 - 25

Link State Addresses

When an interface is initialized, the host can build up a link local address for this interface by concatenating the well-known link local prefix and a unique token (48-bit Ethernet address).

A typical link local address:

FE80:0:0:0:0:XXXX:XXXX:XXXX

Link local address can only be used on the local link.

IPv6 協議與應用 - 26

Stateless Autoconfiguration

IPv6 nodes join the all nodes multicast group by programming their interfaces to receive all the packets for the address = FF02::1.

Send a solicitation message to the routers on the link, using the all routers address, FF02::2.

Routers reply with a router advertisement message.

Does not require any servers

IPv6 協議與應用 - 27

Plug-and-Play -- Address Resolution

The neighbor discovery procedure offers the functions of ARP (IP MAC) and router discovery.

Defined as part of IPv6 ICMP.

Host maintains four separate caches:

The destination’s cache.

The neighbor’s cache.

The prefix list.

The router list.

IPv6 協議與應用 - 28

Destination’s Cache

The destination’s cache has an entry for each destination address toward which the host recently sent packets.

It associates the IPv6 address of the destination with that of the neighbor toward which the packets were sent.

Destination Neighbor IPv6 Address (To) IPv6 Address (Via)

IPv6 協議與應用 - 29

Neighbor’s Cache (IP/MAC)

The neighbor’s cache has an entry for the immediately adjacent neighbor to which packets were recently relayed.

It associates the IPv6 address of that neighbor with the corresponding MAC address (48 bits).

Neighbor Neighbor IPv6 Address MAC address

IPv6 協議與應用 - 30

Prefix List and Router List

The prefix list includes the prefixes that have been recently learned from router advertisements.

The router list includes the IPv6 addresses of all routers from which advertisements have recently been received.

IPv6 協議與應用 - 31

Basic Algorithm to Transmit a Packet

To transmit a packet, the host must first find out the next hop for the destination. The next hop should be a neighbor directly connected to the same link as the host.

In most cases, the neighbor address will be found in the destination’s cache.

If not, the host will check whether one of the cached prefixes matches the destination address.

If yes, the destination is local, the next hop is the destination itself.

雙方都在同一個子網路內, 可直接傳送給對方

IPv6 協議與應用 - 32

Basic Algorithm

Otherwise, the destination is probably remote.

A router should be selected from the router list as the next hop.

雙方不在同一個子網路, 需透過 Router 傳送 給對方

The corresponding entry for the next hop is added to the destination’s cache (更新), and the neighbor’s cache is looked up (查詢) to find the MAC address of that neighbor.

IPv6 協議與應用 - 33

Neighbor Solicitation and Neighbor Advertisement messages (IPv6 MAC)

IPv6 source address = link local address of the interface.

Hop count = 1.

IPv6 destination address = solicited node multicast address, which is formed by cascating a fixed 96-bit prefix, FF02:0:0:0:0:1, and the last 32 bits of the node’s IPv6 address.

Neighbor Solicitation

Type =135 Code = 0 Checksum

Reserved

Target address = Solicited Neighbor Address (IPv6)

Options ... (Source link-level address)

IPv6 協議與應用 - 34

Neighbor Advertisement

Type =136 Code = 0 Checksum

R S Reserved

Target address

Options ... (Source link-level address)

Neighbor Solicitation and Neighbor Advertisement messages (IPv6 MAC)

IPv6 協議與應用 - 35

IPv6 Flows and Flow Label

A flow is a sequence of packets sent from a particular source to a particular destination (unicast or multicast).

Each flow can have a Flow label (24 bits).

Flow label may be used together with routing header.

4 4 8 8 8 位元

Version Prio Flow Label

Payload Length Next Header Hop Limit

Source IP address (128 位元)

Destination IP address (128位元)

IPv6 協議與應用 - 36

IPv6 Real-time Support

Supporting Reservations

Real-time flows

Using RSVP and Flows

Using Hop-by-Hop Options

QoS

Flow1

Flow2

Flow3

Flow4

Flow5

S

Scheduler

IPv6 Router

IPv6 Security

IPv6 協議與應用 - 38

IPv6 Security Support

All IPv6 implementations required to support authentication and encryption headers (“IPsec”)

Authentication (認證) separates from encryption (加密) for use in situations where encryption is prohibited or prohibitively expensive

Key distribution protocols

Support for manual key configuration required

IPv6 協議與應用 - 39

Authentication Header

Destination Address + SPI identifies security association state (key, lifetime, algorithm, etc.)

Provides authentication and data integrity for all fields of IPv6 packet that do not change en-route

Default algorithm is Keyed MD5

Next Header Hdr Ext Len

Security Parameters Index (SPI)

Reserved

Sequence Number

Authentication Data

IPv6 協議與應用 - 40

Encapsulating Security Payload (ESP)

Payload

Next Header

Security Parameters Index (SPI)

Sequence Number

Authentication Data

Padding Length Padding

Migration from IPv4 to IPv6

IPv6 協議與應用 - 42

IPv4-IPv6 Transition /Co-Existence

A wide range of techniques have been identified and implemented, basically falling into three categories:

(1)Dual-stack techniques, to allow IPv4 and IPv6 to co-exist in the same devices and networks

(2)Tunneling techniques, to avoid order dependencies when upgrading hosts, routers, or regions

(3)Translation techniques, to allow IPv6-only devices to communicate with IPv4-only devices

Expect all of these to be used, in combination

IPv6 協議與應用 - 43

Next Generation Transition

NGTRANS

Translator

Dual Stack

Tunneling

IPv6 協議與應用 - 44

Dual Stack

RFC 1933 NGTRANS draft : Draft-ietf-ngtrans-dstm-07.txt

IPv4/IPv6

Dual

Stack

Dual

Stack

IPv6

IPv4 Dual

Stack

AIIH

(DHCPv6,

DNS)

IPv6 協議與應用 - 45

Dual Stack Approach

Dual stack node means:

Both IPv4 and IPv6 stacks enabled

Applications can talk to both

Based on name lookup and application preference

TCP UDP

IPv4 IPv6

Application

Data Link

(Ethernet)

0x0800 0x86dd

TCP UDP

IPv4 IPv6

IPv6-enable

Application

Data Link

(Ethernet)

0x0800 0x86dd Frame

Protocol

ID

IPv6 協議與應用 - 46

IPv4

Tunneling

RFC 2529

RFC 3056

RFC 3053

IPv4 IPv6 IPv6

IPv6 IPv6 6over4

6to4

IPv4 IPv6

IPv4/ IPv6 Tunnel Broker

IPv6 協議與應用 - 47

Using Tunnels for IPv6 Deployment

Many techniques are available to establish a tunnel:

Manually configured Manual Tunnel (RFC 2893)

GRE (RFC 2473)

Semi-automated Tunnel broker

Automatic Compatible IPv4 (RFC 2893)

6to4 (RFC 3056)

6over4

ISATAP

IPv6 協議與應用 - 48

Translators

RFC 2765；RFC 2766

RFC 2767

RFC 3089；RFC 3142

IPv6 IPv4 NATPT

SIIT

IPv4 Apps

BITS

IPv6 Stack

IPv4 Apps

BITS

IPv6 Stack

IPv6 Host IPv6 IPv4

IPv4 Host

Socks-Gateway TCPUDP-Relay

IPv6 協議與應用 - 49

Transition Approaches

Dual Stack – system completely supports IPv6

Tunneling – IPv6 packets are encapsulated for transmission

over existing IPv4 infrastructure

Translation – IPv6 packets are translated into IPv4 packets

and vice versa

– Header information is preserved as much as possible

IPv6 協議與應用 - 50

Dual Stack Mechanisms

Simple dual stack (RFC1933)

– Both IPv4 and IPv6 are directly supported

Applications

TCP/UDP

IPV4 IPV6

Device Driver

V4/V6

network

V6

network

Routing protocols

IPV4 IPV6

Device Driver

V4

network

IPv6 協議與應用 - 51

IPv4 Application

Dual Stack Mechanisms

Dual Stack Transition Mechanism (DSTM)

– Assures communication between IPv4 applications in IPv6 only networks and the rest of the Internet

– Temporary IPv4 addresses are assigned when communicating with an IPv4-only host.

– Cooperation between DNS and DHCPv6

– Dynamic Tunnel Interface encapsulates the IPv4 packets

IPv6 only IPv4 only

?

Dual Stack

IPv4 Application

IPv6 協議與應用 - 52

DSTM: Principles

Assumes IPv4/IPv6 dual stack on host IPv4 stack is configured only when one or more

applications need it

– A temporal IPv4 address is given to the host

All IPv4 traffic coming from the host is tunneled towards the DSTM gateway (IPv4 over IPv6).

– DSTM gateway encapsulates/decapsulates packets

– Maintains an IPv6 IPv4 mapping table

IPv6 H IPv4 H Payload

IPv6 協議與應用 - 53

How DSTM works (v6 v4)

A B C DNS DNS DSTM Server

(1) In A, the v4 address of C is used by the application, which sends v4 packet to the kernel

(2) The interface asks DSTM Server for a v4 source address

(3) DSTM server returns : - A temporal IPv4 address for A - IPv6 address of DSTM gateway

DSTM GW

IPv6 協議與應用 - 54

(4) A creates the IPv4 packet (A4 C4)

(6) B decapsulates the v4 packet and send it to C4

(7) B keeps the mapping between A4 A6 in the routing table

(5) A tunnels the v4 packet to B using IPv6 (A6 B6)

How DSTM works (v6 v4)

A B C DNS DNS DSTM Server

DSTM GW

IPv6 H IPv4 H Payload IPv4 H Payload