IPv6 Rationale

IPv6
PROTOCOL – ADDRESSING – AUTOCONFIGURATION – DEPLOYMENT

IPv6 Rationale
- Larger address space
- Efficient address allocation
- Simpler header processing
- Autoconfiguration
- Support for QoS
- Support for security

IPv6 (Review)
Changes from IPv4
- No fragmentation
- No checksum
- New option mechanism
- Simplified ICMP
- Autoconfiguration
- IP security integrated
- Simplified header
- Fixed-size header
IPv4 Address Space Exhaustion
Currently, about 75% of the total IPv4 address space is either assigned or reserved. The best models predict that IANA will run out of unallocated space in 2011 and that the RIRs will run out the following year unless new ways of allocating or trading addresses are introduced.
IPv6 (Review)
Header fields: Version | Traffic class | Flow label | Payload length | Next header | Hop limit | Source address | Destination address
No options / fixed header
- Faster header processing
- Use extension headers
Total length -> Payload length
- Header not included
- Jumbo-gram extension
No header checksum
- Faster header processing
- Done at higher levels
TTL -> Hop limit
- More accurate naming
- Never was seconds
No fragmentation
- Faster processing
- Hosts use PMTU discovery
Protocol type -> Next header
- Protocol type or first extension header

IPv6 Header Chaining
IPv6 Header (Next header=6) | TCP Header | TCP Payload
IPv6 Header (Next header=0) | Hop-by-hop options (Next header=6) | TCP Header | TCP Payload
IPv6 Header (Next header=0) | Hop-by-hop options (Next header=44) | Fragment Header (Next header=6) | TCP Header | TCP Payload

IPv6 Extension Headers
Extension header order
- Hop-by-hop options
- Destination options
- Routing header
- Fragment header
- Authentication header
- ESP header
- Destination options
IPv6 Option Format
Option layout: Type (ACT | C | type) | Length | Value
ACT – Action for unrecognized option
- 00: Skip
- 01: Discard silently
- 10: Discard + ICMP
- 11: Discard + ICMP if unicast
C – Change indication
- 0: Does not change
- 1: Changes en-route
Hop-by-hop option examples
- Router alert message
- Jumbogram
Destination option examples
- NSAP address option
- Home address option

Routing Header
Layout: Next Header | Header Length | Type = 0 | Segments left | Reserved | Address 1 | Address 2 | Address 3 | ...
Type Zero Routing Header
- Loose source routing
- Lists addresses datagram should pass through
Type Two Routing Header
- Used for IPv6 mobility
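The header chaining, extension header order and option format of the preceding slides, as an added example (not code from the slides): a parser that walks the Next header chain of a constructed packet, decodes the option TLVs of a hop-by-hop header, reads the ACT and C bits of each option type, and checks the chain against the recommended order. Protocol numbers are the IANA values; the sample packet, its addresses and the option contents are constructed.

```python
import struct

# Added example (not from the slides): walk an IPv6 extension-header chain and decode the
# option TLVs of hop-by-hop / destination options headers, including the ACT and C bits.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
TCP = 6
EXT_HEADERS = {HOP_BY_HOP, DEST_OPTS, ROUTING, FRAGMENT, AH}   # ESP hides what follows it

# Rank in the recommended order from the slide; a second destination-options header
# is allowed only at the very end of the chain (rank 6).
ORDER = {HOP_BY_HOP: 0, DEST_OPTS: 1, ROUTING: 2, FRAGMENT: 3, AH: 4, ESP: 5}
ACT_NAMES = {0: "skip", 1: "discard", 2: "discard+icmp", 3: "discard+icmp-if-unicast"}
KNOWN_OPTIONS = {5: "router alert", 0xC2: "jumbo payload"}


def parse_options(body):
    """Decode TLV options from an options header body; Pad1 (0) and PadN (1) are dropped."""
    opts, i = [], 0
    while i < len(body):
        t = body[i]
        if t == 0:                       # Pad1: one octet, no length field
            i += 1
            continue
        if i + 2 > len(body):
            raise ValueError("truncated option")
        length = body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option length exceeds header")
        if t != 1:                       # PadN carries no information
            opts.append({"type": t, "act": ACT_NAMES[t >> 6],
                         "mutable": bool(t & 0x20), "value": value})
        i += 2 + length
    return opts


def unknown_option_action(opt, dst_multicast):
    """What a node does with an option type it does not implement, per the ACT bits."""
    if opt["type"] in KNOWN_OPTIONS:
        return "process"
    act = opt["type"] >> 6
    if act == 0:
        return "skip"
    if act == 1 or (act == 3 and dst_multicast):
        return "discard"
    return "discard+icmp"


def walk_chain(packet):
    """Return (chain, options, fragment) for bytes starting with the 40-byte IPv6 header."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    end = 40 + struct.unpack("!H", packet[4:6])[0]     # payload length excludes the header
    nh, off = packet[6], 40
    chain, options, fragment = [], [], None
    while nh in EXT_HEADERS:
        if off + 8 > end:
            raise ValueError("extension header runs past payload length")
        next_nh = packet[off]
        if nh == FRAGMENT:                      # fixed 8 octets
            _, _, off_flags, ident = struct.unpack("!BBHI", packet[off:off + 8])
            fragment = {"offset": off_flags >> 3, "more": bool(off_flags & 1), "id": ident}
            hdr_len = 8
        elif nh == AH:                          # length in 32-bit words minus 2
            hdr_len = (packet[off + 1] + 2) * 4
        else:                                   # length in 8-octet units, first not counted
            hdr_len = (packet[off + 1] + 1) * 8
            if nh in (HOP_BY_HOP, DEST_OPTS):
                options.extend(parse_options(packet[off + 2:off + hdr_len]))
        if nh == HOP_BY_HOP and chain:
            raise ValueError("hop-by-hop options must directly follow the IPv6 header")
        chain.append(nh)
        off += hdr_len
        nh = next_nh
    chain.append(nh)
    return chain, options, fragment


def order_ok(chain):
    """True if the chain follows the recommended extension-header order."""
    last, dest_seen = -1, 0
    for h in chain:
        if h not in ORDER:
            break
        rank = ORDER[h]
        if h == DEST_OPTS:
            dest_seen += 1
            if dest_seen == 2:
                rank = 6
        if rank < last:
            return False
        last = rank
    return True


def build_sample():
    """Constructed packet: IPv6 | hop-by-hop (router alert + PadN) | fragment | TCP header."""
    hbh = bytes([FRAGMENT, 0, 5, 2, 0, 0, 1, 0])               # NH=44, len 0, option 5
    frag = struct.pack("!BBHI", TCP, 0, (0 << 3) | 1, 0x1234)   # NH=6, offset 0, M=1
    payload = hbh + frag + bytes(20)
    src = b"\xfe\x80" + bytes(13) + b"\x01"
    dst = b"\xfe\x80" + bytes(13) + b"\x02"
    ipv6 = b"\x60\x00\x00\x00" + struct.pack("!H", len(payload)) + bytes([HOP_BY_HOP, 64]) + src + dst
    return ipv6 + payload
```

The chain walker stops at ESP because everything after an ESP header is encrypted; the order check treats the second destination-options header as the last element, which is the one position the slide's list allows it to repeat.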
IPv6 Addresses
Notation
- Colon-separated hexadecimal CIDR notation with simplifications
- 2001:0DB8:0000:0000:000F:60FA:AB3B
  2001:DB8:0:0:F:60FA:AB3B
  2001:DB8::F:60FA:AB3B
- 2001:DB8::/32
Current allocation
- 2001::/16  Global Unicast
- 2002::/16  6to4
- 3FFE::/16  6bone
Address types
- Unspecified         ::0/128
- Loopback            ::1/128
- Multicast           FF00::/8
- Link-local unicast  FE80::/10
- Site-local unicast  FEC0::/10
- Anycast             (allocated from the unicast address space)
- Global unicast      001 (binary prefix)

IPv6 Structured Addresses
Global unicast
  Global routing prefix (n bits) | Subnet ID (m bits) | Interface ID (128 - n - m bits)
Current global unicast address space
  001 (3 bits) | Global routing prefix (45 bits) | Subnet ID (16 bits) | Interface ID (64 bits)
Site-local unicast
  1111111011 (10 bits) | Subnet ID (54 bits) | Interface ID (64 bits)

Multicast addresses
Structure, prefix ff00::/8
  11111111 (8 bits) | 000T (4 bits) | Scope (4 bits) | Group ID (112 bits)
T   Meaning
0   Well-known address
1   Transient address
Scope   Meaning                Prefix
1       Interface-local        FF01, FF11
2       Link-local             FF02, FF12
4       Admin-local            FF04, FF14
5       Site-local             FF05, FF15
8       Organizational-local   FF08, FF18
E       Global                 FF0E, FF1E
0, 3, F Reserved
Others  Unallocated
Examples:
  FF01::101           All NTP servers on this host
  FF02::101           All NTP servers on this link
  FF05::101           All NTP servers in this company
  FF0E::101           All NTP servers in the world
  FF02::1             All nodes on this link
  FF02::2             All routers on this link
  FF02::1:ffxx:xxxx   Solicited-node address

Required addresses
Host
- Link-local address
- Loopback address (::1)
- All-nodes (ff02::1)
- Solicited-node multicast (ff02::1:ffxx:xxxx)
Router
- Link-local address
- Loopback address (::1)
- All-nodes (ff02::1)
- Solicited-node multicast (ff02::1:ffxx:xxxx)
- Subnet-router anycast (Prefix::0)
- All-routers multicast (ff0x::2)
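The notation rules, the address-type table and the multicast scope table above, as an added example (not code from the slides): a hand-written expander and compressor for the textual form (the standard library could do this, but writing it out shows exactly which simplifications the notation permits), a CIDR prefix test, and a classifier that maps an address to the slide's types, including the T flag and scope nibble of a multicast address. The addresses in the test are constructed or taken from the slides.

```python
import re

# Added example (not from the slides): expand / compress IPv6 textual notation and
# classify an address by the prefixes in the address-type and multicast-scope tables.

MULTICAST_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
                    0x5: "site-local", 0x8: "organizational-local", 0xE: "global"}
RESERVED_SCOPES = {0x0, 0x3, 0xF}


def expand(text):
    """Return the eight 16-bit groups of an address written with :: and zero suppression."""
    if text.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    head, sep, tail = text.partition("::")
    head_groups = head.split(":") if head else []
    tail_groups = tail.split(":") if tail else []
    if sep:
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError(":: must stand for at least one group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = head_groups
    if len(groups) != 8:
        raise ValueError("an IPv6 address has eight groups")
    for g in groups:
        if not re.fullmatch(r"[0-9A-Fa-f]{1,4}", g):
            raise ValueError(f"bad group {g!r}")
    return [int(g, 16) for g in groups]


def compress(groups):
    """Canonical text: lowercase, no leading zeros, longest run of >= 2 zero groups as ::."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexs = [format(g, "x") for g in groups]
    if best_len < 2:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


def to_int(groups):
    value = 0
    for g in groups:
        value = (value << 16) | g
    return value


def in_prefix(text, prefix):
    """True if the address lies inside a CIDR prefix such as 2001:DB8::/32."""
    net, _, length = prefix.partition("/")
    shift = 128 - int(length)
    return to_int(expand(text)) >> shift == to_int(expand(net)) >> shift


def classify(text):
    """Address type from the slide's table; multicast also reports the T flag and scope."""
    g = expand(text)
    first = g[0]
    if g == [0] * 8:
        return "unspecified"
    if g == [0] * 7 + [1]:
        return "loopback"
    if first >> 8 == 0xFF:
        flags, scope = (first >> 4) & 0xF, first & 0xF
        kind = "transient" if flags & 1 else "well-known"
        name = MULTICAST_SCOPES.get(scope, "reserved" if scope in RESERVED_SCOPES else "unallocated")
        return f"multicast/{kind}/{name}"
    if first >> 6 == 0x3FA:        # FE80::/10, top ten bits 1111111010
        return "link-local unicast"
    if first >> 6 == 0x3FB:        # FEC0::/10, top ten bits 1111111011
        return "site-local unicast"
    if first >> 13 == 0b001:       # binary prefix 001
        return "global unicast"
    return "other"
```

Rejecting a second "::" matters in practice: an address string that expands to more than one zero run is ambiguous, and classifiers or ACLs that accept it can be made to disagree about which address was meant.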
Address allocation
Same procedure as IPv4
- IANA -> RIR -> LIR
Current IANA policy
- RIRs get /23s
- LIRs get /32s
- Customers /48s

Multihoming
- PI addresses now available
  o In practice a /32
  o Disliked by many
- Other solutions not deployed or won't be deployed
Fragmentation and IPv6
IPv6 Fragmentation
- IP fragmentation in hosts
  o Uses fragmentation extension header
- No fragmentation in routers
  o Path MTU discovery required
Path MTU Discovery (figure): link MTUs of 1500, 1000, 800 and 500 bytes along the path; "Fragmentation needed" is returned to the host for 1000 bytes, then 800 bytes, then 500 bytes.
Fragment header
  Next header | Reserved = 0 | Fragment offset | Res | M | Identification
IPv6 Autoconfiguration
PROTOCOL – ADDRESSING – AUTOCONFIGURATION – DEPLOYMENT
Autoconfiguration
Stateless vs Stateful
- Stateless: RFC2462
- Stateful: work in progress
Some goals
- No manual config of hosts
- No stateful server required for link-local communication
- No stateful address config server
- Facilitate easy renumbering
Stateless autoconfiguration
- Generate and assign link-local address based on interface ID
- Configure routers (if any)
- Configure global and site-local unicast addresses
- Configure additional information using stateful autoconf

IPv6 Interface ID
OUI
- Organizationally unique identifier
- 24 bits, managed by the IEEE
- Top 3 octets of EUI-64 (OUI): CCCCCC UG | CCCCCCCC | CCCCCCCC
EUI-64/EUI-48
- Extended unique identifier
- OUI + manufacturer-selected bits
- EUI-48: OUI | manufacturer-selected bits
- EUI-64: OUI | manufacturer-selected bits
- EUI-48 embedded in EUI-64: OUI | FF FE | remaining octets of the EUI-48
Typical interface ID
- EUI-64 (or embedded EUI-48)
- Inverted universal/local bit
</gr_repl
ace>
<gr_replace lines="424-444" cat="reformat" orig="IPv6 stateless autoconfiguration:">
IPv6 stateless autoconfiguration: Address example
Generate link-local address
1. Append interface ID (modified EUI-64) to link-local prefix
2. Check that address is not in use using duplicate address detection (DAD)
3. Assign link-local address
Example:
- MAC: 00-0d-60-fa-ab-3b
- EUI-64: 0-d-60-ff-fe-fa-ab-3b
- Modified: 0-f-60-ff-fe-fa-ab-3b
- Result: fe80::f:60ff:fefa:ab3b
IPv6 stateless autoconfiguration:
Address example
Generate link-local address
1.
Append interface ID (modified
EUI-64) to link-local prefix
2.
Check that address is not in
use using duplicate address
detection (DAD)
3.
Assign link-local address
Example:
„
MAC: 00-0d-60-fa-ab-3b
EUI-64: 0-d-60-ff-fe-fa-ab-3b
Modified: 0-f-60-ff-fe-fa-ab-3b
„
Result: fe80::f:60ff:fefa:ab3b
„
„
IPv6 stateless autoconfiguration:
# ip addr list
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0b:cd:f2:a7:b9 brd ff:ff:ff:ff:ff:ff
inet 130.236.179.11/24 brd 130.236.179.255 scope global eth0
inet6 fe80::20b:cdff:fef2:a7b9/64 scope link
inet6 2001:6b0:17:f023:20b:cdff:fef2:a7b9/64 scope global dynamic
valid_lft 2591662sec preferred_lft 604462sec
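The interface ID construction, the link-local address example and the solicited-node multicast address from the required-addresses slide, as an added example (not code from the slides): MAC to modified EUI-64 (FF FE inserted, universal/local bit inverted), the link-local address, an address formed from an advertised /64 prefix, and the ff02::1:ffxx:xxxx group derived from each. The universal/local bit is bit 0x02 of the first octet, which is what the captured ip addr output above shows (00:0b:cd... becomes 20b:cdff...); for the slide's hand-worked MAC 00-0d-60-fa-ab-3b this code therefore yields fe80::20d:60ff:fefa:ab3b rather than the figure's fe80::f:60ff:fefa:ab3b. The prefix and MAC values used are those from the ip addr output; host_addresses is an assumed helper name.

```python
import ipaddress
import re

# Added example (not from the slides): derive the modified EUI-64 interface ID from a
# MAC address, build the link-local and prefix-based addresses, and the solicited-node
# multicast group a host must join for each of them.


def modified_eui64(mac):
    """MAC (any separator) -> 8-byte interface ID: insert FF FE, invert U/L bit (0x02 of octet 0)."""
    octets = bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", mac))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui64[0] ^ 0x02]) + eui64[1:]


def link_local(mac):
    """fe80::/64 prefix followed by the interface ID."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + modified_eui64(mac))


def from_prefix(prefix, iid):
    """Append the interface ID to an advertised prefix; stateless autoconf needs a /64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("prefix must be /64 for a 64-bit interface ID")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def solicited_node(address):
    """ff02::1:ffXX:XXXX, with the low 24 bits of the unicast address."""
    low = ipaddress.IPv6Address(address).packed[-3:]
    return ipaddress.IPv6Address(b"\xff\x02" + bytes(9) + b"\x01\xff" + low)


def host_addresses(mac, prefixes):
    """All unicast addresses a host forms plus the multicast groups it must join (assumed helper)."""
    iid = modified_eui64(mac)
    unicast = [link_local(mac)] + [from_prefix(p, iid) for p in prefixes]
    groups = {ipaddress.IPv6Address("ff02::1")} | {solicited_node(a) for a in unicast}
    return [str(a) for a in unicast], sorted(str(g) for g in groups)
```

Because every address formed this way shares the same interface ID, all of them map to one solicited-node group; that is also why the DAD slide says testing the link-local address is enough, and why an EUI-64-derived ID ties every address of the host to its hardware address.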
IPv6 stateless autoconfiguration: Duplicate address detection (DAD)
RFC 2462
- DAD must not be performed on anycast addresses
- DAD should be performed on individual unicast addresses
- With stateless autoconfiguration it is sufficient to test the link-local address since all others are formed from the same interface ID, which is known to be unique.
Process (simplified)
- Send neighbor solicitation with ::0 as the source
- Listen for neighbor solicitations and neighbor advertisements
  o Non-loopback NS from ::0 for the tentative address indicates duplicate
  o NA indicates that the tentative address is in use

Configure routers and addresses
Router advertisements
- Sent periodically by routers
- May contain address prefixes for network
Router solicitation
- Trigger sending router advertisement
- Sent by hosts during autoconfig
Process
- Send RS and wait for RA
- No RA: do stateful autoconfig
- Check flags of RA
  o May indicate stateful autoconfig
  o May indicate stateful autoconfig for additional information
- For each advertised prefix, form a unicast address based on prefix and interface ID, and maybe perform DAD on the address
- Maybe set the router as a default router
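The DAD decision and the "configure routers and addresses" process above, as an added example (not code from the slides): a small model driven by constructed neighbor discovery messages. It shows the two edge cases the slide names, a looped-back copy of the host's own NS (which must not count as a duplicate) versus a foreign NS or NA for the tentative address (which must), and then forms one address per advertised prefix that has the autonomous flag, honouring the RA's M and O flags and router lifetime. NDMessage, dad_passed and autoconfigure are assumed names; the addresses, prefixes and flags are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example (not from the slides): a simplified model of the DAD decision and of
# forming addresses from router advertisements, driven by constructed ND messages.


@dataclass
class NDMessage:
    kind: str                     # "NS", "NA" or "RA"
    src: str
    target: str = ""              # NS/NA: address being resolved / advertised
    from_self: bool = False       # NS looped back by the link from this host's own DAD
    prefixes: list = field(default_factory=list)   # RA: [(prefix, autonomous_flag), ...]
    managed: bool = False         # RA M flag: use stateful address configuration
    other: bool = False           # RA O flag: use stateful config for other information
    router_lifetime: int = 0      # RA: seconds; 0 means "not a default router"


def dad_passed(tentative, observed, anycast=False):
    """True if no other node claims the tentative address. Anycast addresses are never tested."""
    if anycast:
        raise ValueError("DAD must not be performed on anycast addresses")
    target = ipaddress.IPv6Address(tentative)
    for m in observed:
        if m.kind == "NS" and m.src == "::" and not m.from_self \
                and ipaddress.IPv6Address(m.target) == target:
            return False           # another node is doing DAD for the same address
        if m.kind == "NA" and ipaddress.IPv6Address(m.target) == target:
            return False           # a node already owns it
    return True


def autoconfigure(iid, link_local, ra_messages, observed):
    """Outcome of the 'configure routers and addresses' step for one interface."""
    result = {"addresses": [], "default_routers": [], "stateful_addresses": False,
              "stateful_other": False}
    if not dad_passed(link_local, observed):
        result["failed"] = "link-local address is a duplicate; manual configuration needed"
        return result
    result["addresses"].append(link_local)
    if not ra_messages:
        result["stateful_addresses"] = True      # no RA: fall back to stateful autoconf
        return result
    for ra in ra_messages:
        result["stateful_addresses"] |= ra.managed
        result["stateful_other"] |= ra.other
        if ra.router_lifetime > 0:
            result["default_routers"].append(ra.src)
        for prefix, autonomous in ra.prefixes:
            net = ipaddress.IPv6Network(prefix)
            if not autonomous or net.prefixlen != 64:
                continue
            # Same interface ID as the link-local address, so DAD already covered it.
            result["addresses"].append(str(ipaddress.IPv6Address(int(net.network_address) | iid)))
    return result


def demo():
    """Constructed scenario: one RA with two prefixes, a looped-back DAD probe, a foreign NA."""
    iid = 0x020bcdfffef2a7b9
    link_local = "fe80::20b:cdff:fef2:a7b9"
    observed = [
        NDMessage("NS", "::", target=link_local, from_self=True),
        NDMessage("NA", "fe80::1", target="fe80::1"),
    ]
    ras = [NDMessage("RA", "fe80::1", router_lifetime=1800, other=True,
                     prefixes=[("2001:6b0:17:f023::/64", True), ("2001:6b0:17:f024::/64", False)])]
    return autoconfigure(iid, link_local, ras, observed)
```

Note that everything the host learns here (prefixes, default router, M/O flags) comes from unauthenticated link-local multicast; the model accepts any RA, which is exactly why rogue-RA filtering on the switch port is the usual mitigation.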
IPv6 Neighbor Discovery
Neighbor solicitation
- "Who has IPv6 address ..."
- Sent to solicited node multicast address
Solicited node multicast address
- Multicast address for a particular node
- ff02::1:ffxx:xxxx where xx:xxxx are low three bytes of target address
Neighbor solicitation format
  Type | Code | Checksum | Reserved | Target address | Options
Neighbor advertisement
- "I have IPv6 address ..."
- Sent to IP sender of solicitation
Neighbor advertisement format
  Type | Code | Checksum | R S O | Reserved | Target address | Options
- R: Router, S: Solicited, O: Override
Options
- Target link-layer address
- MTU
- Prefix information

Neighbor Discovery
Neighbor Unreachability Detection (NUD)
- Forward reachability
  o Solicited neighbor advertisement
  o Hint from upper layer
Neighbor cache/table
- Replaces ARP cache
- Each entry in one of five states
Neighbor cache states
- Incomplete: Address resolution is being performed on this entry
- Reachable: Forward path to the neighbor is functioning
- Stale: No positive confirmation for some time
- Delay: No positive confirmation and passively waiting for confirmation
- Probe: Seeking reachability confirmation
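The five-state neighbor cache and the NUD rules above, as an added example (not code from the slides): an entry that moves through INCOMPLETE, REACHABLE, STALE, DELAY and PROBE under advertisements, upper-layer hints, sends and timer expiry with a simulated clock. The timer constants and probe count are assumed defaults, the R flag is ignored, and the scenarios are constructed; note how an unsolicited advertisement with a different link-layer address and no Override flag only demotes a REACHABLE entry to STALE instead of rewriting it.

```python
# Added example (not from the slides): neighbor cache entry state machine for NUD,
# driven by explicit events with a simulated clock (seconds).

INCOMPLETE, REACHABLE, STALE, DELAY, PROBE = "INCOMPLETE", "REACHABLE", "STALE", "DELAY", "PROBE"
REACHABLE_TIME = 30.0            # assumed constants: reachable lifetime, delay before probing,
DELAY_FIRST_PROBE_TIME = 5.0     # interval between unicast probes, number of probes
RETRANS_TIMER = 1.0
MAX_UNICAST_SOLICIT = 3


class NeighborEntry:
    def __init__(self, ip, now):
        self.ip, self.lladdr = ip, None
        self.state, self.entered, self.probes_sent = INCOMPLETE, now, 0
        self.sent_ns = []            # log of (kind, time) solicitations this entry caused

    def _enter(self, state, now):
        self.state, self.entered = state, now

    def on_advertisement(self, lladdr, solicited, override, now):
        """Neighbor advertisement for this entry (R flag ignored in this model)."""
        if self.state == INCOMPLETE:
            self.lladdr = lladdr
            self._enter(REACHABLE if solicited else STALE, now)
            return
        if lladdr != self.lladdr and not override:
            if self.state == REACHABLE:          # conflicting claim: demand reconfirmation
                self._enter(STALE, now)
            return
        changed = lladdr != self.lladdr
        self.lladdr = lladdr
        if solicited:
            self._enter(REACHABLE, now)          # forward reachability confirmed
        elif changed:
            self._enter(STALE, now)

    def on_upper_layer_hint(self, now):
        """Upper layer (e.g. TCP) saw progress: reachability confirmed without ND traffic."""
        if self.state != INCOMPLETE:
            self._enter(REACHABLE, now)

    def on_send(self, now):
        """A packet is queued to this neighbor; a STALE entry starts the DELAY timer."""
        if self.state == STALE:
            self._enter(DELAY, now)
        elif self.state == INCOMPLETE:
            self.sent_ns.append(("multicast", now))

    def tick(self, now):
        """Timer expiry handling; returns the entry's state, or None if it was deleted."""
        if self.state == REACHABLE and now - self.entered > REACHABLE_TIME:
            self._enter(STALE, now)
        elif self.state == DELAY and now - self.entered > DELAY_FIRST_PROBE_TIME:
            self._enter(PROBE, now)
            self.sent_ns.append(("unicast", now))
            self.probes_sent = 1
        elif self.state == PROBE and now - self.entered > RETRANS_TIMER * self.probes_sent:
            if self.probes_sent >= MAX_UNICAST_SOLICIT:
                return None                      # unreachable: drop entry, redo resolution
            self.sent_ns.append(("unicast", now))
            self.probes_sent += 1
        return self.state


def scenario():
    """Constructed timeline; returns the states visited and the number of NS sent."""
    states = []
    e = NeighborEntry("fe80::1", now=0.0)
    e.on_send(0.0)                                                    # multicast NS
    e.on_advertisement("00:0b:cd:f2:a7:b9", solicited=True, override=True, now=0.1)
    states.append(e.state)                                            # REACHABLE
    states.append(e.tick(40.0))                                       # timed out -> STALE
    e.on_send(41.0)
    states.append(e.state)                                            # DELAY
    states.append(e.tick(47.0))                                       # -> PROBE, unicast NS
    e.on_advertisement("00:0b:cd:f2:a7:b9", solicited=True, override=False, now=47.5)
    states.append(e.state)                                            # REACHABLE again
    return states, len(e.sent_ns)


def scenario_unreachable():
    """Same start, but the neighbor never answers the probes; returns the final tick result."""
    e = NeighborEntry("fe80::1", now=0.0)
    e.on_send(0.0)
    e.on_advertisement("00:0b:cd:f2:a7:b9", solicited=True, override=True, now=0.1)
    e.tick(40.0)
    e.on_send(41.0)
    result = e.tick(47.0)
    for t in (49.0, 52.0, 56.0):
        result = e.tick(t)
    return result
```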
Migration
Deployment issues
- Dual stack
  o Hosts use IPv4 to communicate with IPv4-only hosts
  o Hosts use IPv6 to communicate with IPv6-capable hosts
- Pure IPv6
- Tunnels
  o Encapsulate IPv6 in IPv4 for traffic between IPv6 islands
Example (figure)
  Logical topology: IPv6 island -- IPv6 island
  "Physical" topology: IPv6 island -- IPv4 network -- IPv6 island
Migration: 6to4
What it is
- "Connection of IPv6 domains via IPv4 clouds"
- IPv6 connectivity with IPv4 uplink
- Gives one /48 per IPv4 address
6to4 address
- IPv4 address: x.y.z.q
- IPv6 net: 2002:xxyy:zzqq::/48
Example:
- IPv4 address: 212.214.112.221
- 6to4 prefix: 2002:d4d6:70dd::/48
Public 6to4 relays (anycast 192.88.99.1)
Figure: IPv6-only host -- 6to4 router -- IPv4 network -- 6to4 router -- dual-stack host; 6to4 router -- IPv4 network -- public 6to4 relay -- IPv6 network -- IPv6-only host

IPSec
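The 6to4 address mapping above, as an added example (not code from the slides): deriving the /48 from an IPv4 address, recovering the embedded IPv4 address from a 2002::/16 destination, and the decision a 6to4 router makes about where to send the encapsulating IPv4 packet. The relay address is the anycast address named on the slide; the refusal to tunnel to private, loopback or multicast embedded addresses is the check a practitioner adds so that a crafted 2002:: destination cannot steer encapsulated traffic at internal hosts. tunnel_endpoint is an assumed helper name.

```python
import ipaddress

# Added example (not from the slides): derive a 6to4 prefix from an IPv4 address,
# recover the embedded IPv4 address, and choose a 6to4 router's IPv4 tunnel endpoint.
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")   # public relay address from the slide
SIXTO4 = ipaddress.IPv6Network("2002::/16")


def _unroutable(v4):
    return v4.is_private or v4.is_loopback or v4.is_multicast or v4.is_unspecified


def sixto4_prefix(ipv4):
    """x.y.z.q -> 2002:xxyy:zzqq::/48"""
    v4 = ipaddress.IPv4Address(ipv4)
    if _unroutable(v4):
        raise ValueError("6to4 needs a globally reachable IPv4 address")
    return ipaddress.IPv6Network((b"\x20\x02" + v4.packed + bytes(10), 48))


def embedded_ipv4(ipv6):
    """IPv4 address carried in bits 16..47 of a 2002::/16 address, or None."""
    a = ipaddress.IPv6Address(ipv6)
    if a not in SIXTO4:
        return None
    return ipaddress.IPv4Address(a.packed[2:6])


def tunnel_endpoint(destination):
    """IPv4 address a 6to4 router encapsulates towards; None means drop the packet."""
    v4 = embedded_ipv4(destination)
    if v4 is None:
        return RELAY_ANYCAST                   # native IPv6: hand to a public relay
    if _unroutable(v4):
        return None                            # 2002:: prefix built from an internal address
    return v4                                  # another 6to4 site: tunnel directly
```

Because the tunnel endpoint is taken straight from the destination address, the embedded-address check is the only thing standing between an arbitrary IPv6 destination and an IPv4 packet aimed at 10/8 or 127/8 behind the router.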
IPSec Overview
ESP – Encapsulating Security Payload
- Confidentiality
AH – Authentication Header
- Authentication
- Integrity
IPComp – IP Compression
- Data compression before ESP
IKE – Internet Key Exchange
- Secret key exchange
ESP format
  Security Parameter Index (SPI) | Sequence Number | Payload | Padding | Pad Length | Next Header | Authentication data (variable)
  Authenticated: SPI through Next Header; Encrypted: Payload through Next Header
AH format
  Next Header | Payload Length | Reserved | Security Parameter Index | Sequence Number | Authentication Data (variable)
  Authenticated: the whole header

IPSec Concepts
- Host/Gateway Implementation
- Tunnel/Transport Mode
- Security Associations (SA)
  o Security Parameter Index (SPI)
  o Security Policy Database (SPD)
  o SA database (SAD)
IPv4 header fields and AH
- Authenticated: Version, Internet Header Length, Total Length, Identification, Protocol, Source/Destination Address
- Not authenticated (may change in transit): Type of Service (TOS), Flags, Fragment Offset, Time to Live (TTL), Header Checksum
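The ESP format above, as an added example (not code from the slides): building an ESP packet with exactly the slide's layout, then the receive side verifying the authentication data, checking the sequence number against an anti-replay window, and stripping the padding. Null encryption is used so every field stays visible in the bytes; a real SA would encrypt Payload through Next Header before the ICV is computed. HMAC-SHA1-96 as the ICV algorithm, the 64-entry window and the SPI 4365 (the slide's example SPI) are assumed choices; the key and payload are constructed.

```python
import hashlib
import hmac
import struct

# Added example (not from the slides): build and verify an ESP packet with the slide's layout
# (SPI | Seq | Payload | Padding | Pad Length | Next Header | Auth data) plus a receive-side
# anti-replay window. Null encryption keeps the fields visible; ICV is HMAC-SHA1-96 (assumed).
ICV_LEN = 12
ALIGN = 4


def esp_encapsulate(spi, seq, next_header, payload, auth_key):
    pad_len = (-(len(payload) + 2)) % ALIGN      # Pad Length + Next Header end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))        # default padding content 1, 2, 3, ...
    header = struct.pack("!II", spi, seq)
    body = payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    return header + body + icv


class ReplayWindow:
    """Sliding window over sequence numbers; bit 0 of the bitmap is the highest seen."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq):
        if seq == 0:
            return False                          # sequence numbers start at 1
        if seq > self.top:
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) & mask) | 1
            self.top = seq
            return True
        if self.top - seq >= self.size:
            return False                          # too old
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:
            return False                          # already received
        self.bitmap |= bit
        return True


def esp_decapsulate(packet, auth_key, window):
    """Verify the ICV, then the replay window, then strip padding. Raises ValueError on failure."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("packet too short for ESP")
    header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet modified or wrong SA")
    spi, seq = struct.unpack("!II", header)
    if not window.check_and_update(seq):          # window advances only after the ICV passed
        raise ValueError(f"replayed or stale sequence number {seq}")
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 2:
        raise ValueError("bad pad length")
    return spi, seq, next_header, body[:len(body) - 2 - pad_len]


def roundtrip(key=b"\x0b" * 20):
    """Constructed check: deliver once, replay, then tamper; returns (payload, replay_ok, tamper_ok)."""
    window = ReplayWindow()
    pkt = esp_encapsulate(4365, 1, 6, b"hello", key)
    _, _, _, payload = esp_decapsulate(pkt, key, window)
    results = [payload]
    tampered = pkt[:9] + bytes([pkt[9] ^ 0x01]) + pkt[10:]
    for candidate in (pkt, tampered):
        try:
            esp_decapsulate(candidate, key, window)
            results.append(True)
        except ValueError:
            results.append(False)
    return tuple(results)
```

The order of checks is deliberate: the window is updated only after the ICV verifies, otherwise a forged packet with a high sequence number could slide the window forward and cause genuine in-flight packets to be dropped as "too old".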
IPSec modes
ESP/AH
Transport mode
- Communication between hosts
  IP header | AH/ESP header | Payload
Tunnel mode
- Communication between VPN gateways
  New IP header | AH/ESP header | Orig. IP header | Payload

ESP Transport Mode
- Protects payload only
  IP header | ESP header | Payload                                (authenticated: ESP header + Payload)
AH Transport Mode
- Protects IP headers and payload
  IP header | AH header | Payload                                 (authenticated: all)
ESP Tunnel Mode
- Protects original IP datagram
  Tunnel IP header | ESP header | Inner IP header | Payload       (authenticated: ESP header + Inner IP header + Payload)
AH Tunnel Mode
- Protects original IP datagram and tunnel header
  Tunnel IP header | AH header | Inner IP header | Payload        (authenticated: all)
Authentication and Encryption
Nest ESP in AH
- Apply ESP first, then AH
  IP header | AH header | ESP header | Payload        (authenticated: all)
Authenticated ESP
- Special format for ESP
  IP header | ESP header | Payload | ESP auth data    (authenticated: ESP header + Payload)

Security associations
Security Association (SA)
- One-way relationship between IPSec hosts
- Determines processing for sender and decoding for destination
SA Database (SAD)
- Parameters of each SA
Security Parameter Index
- Used by destination to select correct SA for pkt
- SPI + destination address + protocol identifies SA
SA Bundle
- SAs to apply together
- E.g. ESP in AH

Security Policy Database (SPD)
How to process traffic
- Bypass – no IPSec
- Discard – don't accept
- IPSec processing
  o Outbound – Process
  o Inbound – Check processing
Example
- SPD entry
  Source: 10.1.2.3
  Dest: 10.4.4.4
  Action: Require IPSec processing
  SA: ESP/SPI 4365
- SAD entry (ESP/SPI 4365)
  Mode: transport
  Algorithm: 3DES-CBC
  Key: …
  Replay protection
  …
IPSec Processing (out)
IP datagram: Destination: X, Protocol: TCP, TCP dport: 25
1. SPD lookup – discard if SPD says REJECT
   DST=… SRC=… ICMP           -> ESP AES KEY=… REQUIRED
   DST=X SRC=… TCP DPORT=25   -> AH SHA1 KEY=… REQUIRED; IPCOMP USE
2. Find appropriate SAs (SAD)
3. Process according to SA bundle (ESP in AH)

IPSec Processing (in)
IP datagram: Destination: X, Protocol: TCP, TCP dport: 25
1. Process according to SPI (SAD): ESP in AH
   ESP AES KEY=…; AH SHA1 KEY=…; IPCOMP
2. Check that required security was used (SPD)
   DST=… SRC=… ICMP           -> REQUIRED
   DST=X SRC=… TCP DPORT=25   -> REQUIRED; IPCOMP USE
3. Discard if wrong security
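The SPD and SAD slides and the two processing paths above, as an added example (not code from the slides): an SPD whose first matching entry decides bypass, discard or protect; a SAD keyed by SPI, destination and protocol as the slide states; outbound processing that resolves the SA bundle in application order (ESP first, then AH for "ESP in AH"); and inbound processing that first resolves every protection the packet carried and then checks that the policy's required protections were all present. The selectors, SPIs 4365 and 4366, algorithms and keys are constructed (4365 and 3DES-CBC follow the slide's example); Packet, SPDEntry and SA are assumed names.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added example (not from the slides): SPD/SAD lookups for the outbound and inbound
# processing paths sketched on the slides. Selectors, SPIs and keys are constructed.
BYPASS, DISCARD, PROTECT = "BYPASS", "DISCARD", "PROTECT"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                          # "TCP", "UDP", "ICMP"
    dport: Optional[int] = None
    applied: list = field(default_factory=list)   # inbound: [(ipsec_proto, spi), ...], outermost first


@dataclass
class SPDEntry:
    src: str                            # exact address or "*"
    dst: str
    proto: str
    dport: Optional[int]                # None matches any port
    action: str
    required: tuple = ()                # PROTECT: protocols that must be present, inner to outer

    def matches(self, p):
        return (self.src in ("*", p.src) and self.dst in ("*", p.dst)
                and self.proto in ("*", p.proto) and self.dport in (None, p.dport))


@dataclass
class SA:
    proto: str                          # "ESP" or "AH"
    spi: int
    dst: str
    mode: str
    algorithm: str
    key: bytes


def spd_lookup(spd, packet):
    """First matching entry wins; no match means discard (secure default)."""
    for entry in spd:
        if entry.matches(packet):
            return entry
    return SPDEntry("*", "*", "*", None, DISCARD)


def sad_lookup(sad, proto, spi, dst):
    """SPI + destination address + protocol identifies the SA."""
    return sad.get((proto, spi, dst))


def outbound(spd, sad, packet):
    """Return (action, [SAs in application order])."""
    entry = spd_lookup(spd, packet)
    if entry.action != PROTECT:
        return entry.action, []
    bundle = []
    for proto in entry.required:
        sa = next((s for s in sad.values() if s.proto == proto and s.dst == packet.dst), None)
        if sa is None:
            return DISCARD, []          # no SA yet: a real stack would trigger IKE here
        bundle.append(sa)
    return PROTECT, bundle


def inbound(spd, sad, packet):
    """Resolve every protection the packet carried, then check the SPD's requirements."""
    used = []
    for proto, spi in packet.applied:
        if sad_lookup(sad, proto, spi, packet.dst) is None:
            return DISCARD, "unknown SA"
        used.append(proto)
    entry = spd_lookup(spd, packet)
    if entry.action == DISCARD:
        return DISCARD, "policy"
    if entry.action == PROTECT and not set(entry.required) <= set(used):
        return DISCARD, "required security not used"
    return "ACCEPT", "ok"


# Constructed tables mirroring the slide's example (ESP/SPI 4365 to 10.4.4.4, ESP in AH for mail).
SPD = [
    SPDEntry("10.1.2.3", "10.4.4.4", "TCP", 25, PROTECT, required=("ESP", "AH")),
    SPDEntry("*", "*", "ICMP", None, PROTECT, required=("ESP",)),
    SPDEntry("*", "*", "*", None, BYPASS),
]
SAD = {
    ("ESP", 4365, "10.4.4.4"): SA("ESP", 4365, "10.4.4.4", "transport", "3DES-CBC", b"<constructed key>"),
    ("AH", 4366, "10.4.4.4"): SA("AH", 4366, "10.4.4.4", "transport", "HMAC-SHA1", b"<constructed key>"),
}
```

The inbound check is what the slide's "discard if wrong security" box means in practice: a cleartext packet that matches a PROTECT entry, or one protected by an SA the policy did not ask for, is dropped even though it decrypted and verified correctly.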
IKE
Problem
- Static SAs are inconvenient and can be insecure
Solution
- Set up SA on demand
- Negotiate SA parameters
Protocol
- IKE: Internet Key Exchange
- IKEv1 used now
- IKEv2 accepted in 2004
- IKEv2 exchanges: IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA

IPSec Summary
- Security at the network layer
- Protocol family
  o ESP for encryption
  o AH for authentication
  o IKE for key exchange
- Security policy
  o Determines outgoing processing
  o Determines incoming requirements
- Security associations
  o One way "connection" between peers

Mobility

IPv6 Mobility Support
Important changes from IPv4
- No foreign agent needed
- Route optimization
- Less need for tunnels

Binding Updates
Modes
- Route optimization
- Bidirectional tunneling
To Home Agent
- IPSec ESP or AH
- Authentication required
To Correspondent Node
- Return routability test
New ICMP messages
- Home Agent Address Discovery
- Mobile Prefix Solicitation
Return routability (figure): Mobile Node, Home Agent, Correspondent Node
  Home Test Init (MN -> HA -> CN), Care-of Test Init (MN -> CN), Home Test (CN -> HA -> MN), Care-of Test (CN -> MN)
Binding Updates
Messages
- Home Test Init (MN -> CN): HI cookie
- Care-of Test Init (COA -> CN): CoI cookie
- Home Test (CN -> HA): HI cookie, home keygen token, home nonce index
- Care-of Test (CN -> COA): CoI cookie, care-of keygen token, care-of nonce index
- Binding Update: MAC, sequence number, nonce indices, COA
- Binding Acknowledgement: MAC, seq#, status
Home Test Init
- Sent to acquire home keygen token
- Tunneled through HA
- Conveys home address to correspondent node
Care-of Test Init
- Sent to acquire care-of keygen token
- Sent directly to CN
- Conveys COA to correspondent node
Home Test
- Sent to convey home keygen token
- Tunneled through HA to mobile node
Care-of Test
- Sent to convey care-of keygen token
- Direct to MN
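The return routability exchange and the binding update it authorises, as an added example (not code from the slides): both sides of the four test messages and the Binding Update, with the keygen tokens, the binding management key and the MAC computed the way RFC 3775 defines them (tokens are the first 64 bits of HMAC-SHA1 over address, nonce and a 0/1 selector under the correspondent's secret Kcn; Kbm is SHA1 of both tokens; the MAC is HMAC-SHA1-96 under Kbm). The slides give the message contents but not these formulas, so that construction is brought in from the RFC; the mobility-header data covered by the MAC is simplified here to the sequence number, and the addresses are constructed. The correspondent node stores nothing per mobile until a valid update arrives, which is the point of the design: it recomputes both tokens from Kcn, the nonce index and the addresses claimed in the update.

```python
import hashlib
import hmac
import ipaddress
import os

# Added example (not from the slides): return routability and binding-update authentication
# with the RFC 3775 token/key construction. "MH data" under the MAC is simplified to seq.


def keygen_token(kcn, address, nonce, which):
    """First 64 bits of HMAC_SHA1(Kcn, address | nonce | which); which = 0 home, 1 care-of."""
    packed = ipaddress.IPv6Address(address).packed
    return hmac.new(kcn, packed + nonce + bytes([which]), hashlib.sha1).digest()[:8]


def bu_authenticator(kbm, coa, cn_addr, seq):
    """First 96 bits of HMAC_SHA1(Kbm, care-of address | correspondent | MH data)."""
    data = ipaddress.IPv6Address(coa).packed + ipaddress.IPv6Address(cn_addr).packed + seq.to_bytes(2, "big")
    return hmac.new(kbm, data, hashlib.sha1).digest()[:12]


class CorrespondentNode:
    def __init__(self, address):
        self.address = address
        self.kcn = os.urandom(20)                  # node-wide secret, never sent
        self.nonces = [os.urandom(8)]              # indexed by nonce index; rotated in practice
        self.bindings = {}                         # home address -> (seq, care-of address)

    def home_test(self, home_addr, hi_cookie):     # answers HoTI, returned via the HA
        idx = len(self.nonces) - 1
        return hi_cookie, keygen_token(self.kcn, home_addr, self.nonces[idx], 0), idx

    def care_of_test(self, coa, coi_cookie):       # answers CoTI, returned directly
        idx = len(self.nonces) - 1
        return coi_cookie, keygen_token(self.kcn, coa, self.nonces[idx], 1), idx

    def binding_update(self, home_addr, coa, home_idx, coa_idx, seq, mac):
        """Recompute Kbm from own state; nothing the mobile sent is trusted on its own."""
        if max(home_idx, coa_idx) >= len(self.nonces):
            return False                           # unknown or expired nonce index
        home_tok = keygen_token(self.kcn, home_addr, self.nonces[home_idx], 0)
        coa_tok = keygen_token(self.kcn, coa, self.nonces[coa_idx], 1)
        kbm = hashlib.sha1(home_tok + coa_tok).digest()
        if not hmac.compare_digest(mac, bu_authenticator(kbm, coa, self.address, seq)):
            return False
        prev = self.bindings.get(home_addr)
        if prev is not None and seq <= prev[0]:
            return False                           # replayed or out-of-order update
        self.bindings[home_addr] = (seq, coa)
        return True


class MobileNode:
    def __init__(self, home_addr, coa):
        self.home_addr, self.coa, self.seq = home_addr, coa, 0
        self.hi_cookie, self.coi_cookie = os.urandom(8), os.urandom(8)
        self.last = None                           # arguments of the last Binding Update sent

    def run(self, cn, coa_override=None):
        """HoTI (via HA) and CoTI (direct), HoT and CoT back, then a Binding Update."""
        cookie, home_tok, home_idx = cn.home_test(self.home_addr, self.hi_cookie)
        assert cookie == self.hi_cookie            # HoT must echo the HoTI cookie
        cookie, coa_tok, coa_idx = cn.care_of_test(self.coa, self.coi_cookie)
        assert cookie == self.coi_cookie
        kbm = hashlib.sha1(home_tok + coa_tok).digest()
        self.seq += 1
        claimed_coa = coa_override or self.coa
        mac = bu_authenticator(kbm, claimed_coa, cn.address, self.seq)
        self.last = (self.home_addr, claimed_coa, home_idx, coa_idx, self.seq, mac)
        return cn.binding_update(*self.last)
```

Two failure modes are exercised in the test: replaying an accepted update (rejected by the sequence number), and claiming a care-of address other than the one that received the Care-of Test (rejected because the correspondent's recomputed token, and hence Kbm, no longer matches). The second case is what the return routability test exists to stop: a node cannot redirect a correspondent's traffic to an address it cannot receive at.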
Route Optimization
CN <-> MN: Binding Update, Binding Ack
Type 2 Routing Header
- Packets from CN sent to care-of address with type 2 routing header
- MN extracts home address from type 2 routing header
CN -> MN
  Source: CN
  Destination: COA
  Routing hdr: Home address
Home address option
- Specifies home address
- Carried by destination option extension header
MN -> CN
  Source: COA
  Destination: CN
  Home address option: Home address
Other Mobility Issues
- Multicast traffic
- Movement detection
- Returning home
- Interaction with IPSec
- Multiple care-of addresses
- Home agent discovery
- Home address assignment
- Care-of address formation