IPv6: PROTOCOL – ADDRESSING – AUTOCONFIGURATION – DEPLOYMENT

IPv6 (Review)
Changes from IPv4:
- No fragmentation
- No checksum
- New option mechanism
- Simplified ICMP
- Autoconfiguration
- IP security integrated
- Simplified header
- Fixed-size header
IPv6 rationale:
- Larger address space
- Efficient address allocation
- Simpler header processing
- Autoconfiguration
- Support for QoS
- Support for security

IPv4 Address Space Exhaustion
Currently, about 75% of the total IPv4 address space is either assigned or reserved. The best models predict that IANA will run out of unallocated space in 2011 and that the RIRs will run out the following year unless new ways of allocating or trading addresses are introduced.

IPv6 (Review): Header
Fields: Version | Traffic class | Flow label | Payload length | Next header | Hop limit | Source address | Destination address

IPv6 Header Changes
- No options / fixed header
  - Faster header processing
  - Use extension headers
- Total length → Payload length
  - Header not included
  - Jumbogram extension
- No header checksum
  - Faster header processing
  - Done at higher levels
- TTL → Hop limit
  - More accurate naming
  - Never was seconds
- No fragmentation
  - Faster processing
  - Hosts use PMTU discovery
- Protocol type → Next header
  - Protocol type or first extension header

IPv6 Extension Headers
Examples of header chains:
- IPv6 header (Next header = 6) | TCP header | TCP payload
- IPv6 header (Next header = 0) | Hop-by-hop options (Next header = 6) | TCP header | TCP payload
- IPv6 header (Next header = 0) | Hop-by-hop options (Next header = 44) | Fragment header (Next header = 6) | TCP header | TCP payload
Extension header order:
1. Hop-by-hop options
2. Destination options
3. Routing header
4. Fragment header
5. Authentication header
6. ESP header
7. Destination options

IPv6 Option Format
Option layout: ACT (2 bits) | C (1 bit) | Type (5 bits) | Length | Value
- ACT – action for an unrecognized option
  - 00: Skip
  - 01: Discard silently
  - 10: Discard + ICMP
  - 11: Discard + ICMP if unicast
- C – change indication
  - 0: Does not change
  - 1: Changes en route
- Hop-by-hop option examples: Router alert message, Jumbogram
- Destination option examples: NSAP address option, Home address option

Routing Header
- Type zero routing header
  - Loose source routing
  - Lists the addresses the datagram should pass through
  - Layout: Next header | Header length | Type = 0 | Segments left | Reserved | Address 1 | Address 2 | Address 3 | ...
- Type two routing header
  - Used for IPv6 mobility

IPv6 Addresses
Notation:
- Colon-separated hexadecimal
- CIDR notation with simplifications
  - 2001:0DB8:0000:0000:0000:000F:60FA:AB3B
  - 2001:DB8:0:0:0:F:60FA:AB3B
  - 2001:DB8::F:60FA:AB3B
  - 2001:DB8::/32
Current allocation:
- 2001::/16 – Global unicast
- 2002::/16 – 6to4
- 3FFE::/16 – 6bone
Address types:
- Unspecified: ::0/128
- Loopback: ::1/128
- Multicast: FF00::/8
- Link-local unicast: FE80::/10
- Site-local unicast: FEC0::/10
- Anycast (taken from the unicast address space)
- Global unicast: binary prefix 001

IPv6 Structured Addresses
Global unicast: Global routing prefix (n bits) | Subnet ID (m bits) | Interface ID (128 - n - m bits)
Current global unicast address space: 001 (3 bits) | Global routing prefix (45 bits) | Subnet ID (16 bits) | Interface ID (64 bits)
Site-local unicast: 1111111011 (10 bits) | Subnet ID (54 bits) | Interface ID (64 bits)
Multicast (prefix ff00::/8): 11111111 (8 bits) | 000T (4 bits) | Scope (4 bits) | Group ID (112 bits)
- T = 0: well-known address; T = 1: transient address
- Scope values:
  - 1: Interface-local (FF01, FF11)
  - 2: Link-local (FF02, FF12)
  - 4: Admin-local (FF04, FF14)
  - 5: Site-local (FF05, FF15)
  - 8: Organizational-local (FF08, FF18)
  - E: Global (FF0E, FF1E)
  - 0, 3, F: Reserved
  - Others: Unallocated
Examples:
- FF01::101 – All NTP servers on this host
- FF02::101 – All NTP servers on this link
- FF05::101 – All NTP servers in this company
- FF0E::101 – All NTP servers in the world
- FF02::1 – All nodes on this link
- FF02::2 – All routers on this link
- FF02::1:ffxx:xxxx – Solicited-node address

Required addresses
Host:
- Link-local address
- Loopback address (::1)
- All-nodes (ff02::1)
- Solicited-node multicast (ff02::1:ffxx:xxxx)
Router (in addition to the host addresses):
- Subnet-router anycast (Prefix::0)
- All-routers multicast (ff0x::2)

Address allocation
- Same procedure as IPv4: IANA → RIR → LIR
- Current IANA policy
  - RIRs get /23s
  - LIRs get /32s
  - Customers get /48s
- Multihoming
  - PI addresses now available
    - In practice a /32
    - Disliked by many
  - Other solutions not deployed or won't be deployed

IPv6 Fragmentation
- Path MTU discovery
- IP fragmentation in hosts
  - Uses the fragmentation extension header
- No fragmentation in routers
  - Path MTU discovery required
Example: a host sends a 1500-byte datagram along a path whose link MTUs are 1500, 1000, 800 and 500 bytes. Each router whose next link is too small answers "Fragmentation needed" with that link's MTU (1000 bytes, then 800 bytes, then 500 bytes) instead of fragmenting, and the host shrinks the datagram until it fits.
Fragment header: Next header | Reserved = 0 | Fragment offset | Res | M | Identification

IPv6 Autoconfiguration: PROTOCOL – ADDRESSING – AUTOCONFIGURATION – DEPLOYMENT

Autoconfiguration
- Stateless vs stateful
  - Stateless: RFC 2462
  - Stateful: work in progress

Stateless autoconfiguration
Some goals:
- No manual configuration of hosts
- No stateful server required for link-local communication
- No stateful address configuration server
- Facilitate easy renumbering
Steps:
- Generate and assign a link-local address based on the interface ID
- Configure routers (if any)
- Configure global and site-local unicast addresses
- Configure additional information using stateful autoconfiguration

IPv6 Interface ID
- OUI – Organizationally unique identifier
  - 24 bits, managed by the IEEE
  - Top 3 octets of the EUI-64; bit layout CCCCCCUG CCCCCCCC CCCCCCCC, where U is the universal/local bit and G the individual/group bit
- EUI-64 / EUI-48 – Extended unique identifier
  - OUI + manufacturer-selected bits
  - EUI-48 embedded in EUI-64: OUI | FF FE | remaining 24 bits of the EUI-48
- Typical interface ID: EUI-64 (or embedded EUI-48) with the universal/local bit inverted

IPv6 stateless autoconfiguration: address example
Generate the link-local address:
1. Append the interface ID (modified EUI-64) to the link-local prefix
2. Check that the address is not in use using duplicate address detection (DAD)
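The address notation, type table and 6to4 prefix rule above, as an added example that is not part of the slides. It implements the expansion/compression rules and the prefix-based classification from the tables by hand (the function names are mine) and uses the standard library only as an independent cross-check; the 212.214.112.221 example is the one used on the 6to4 slide later on this page.

```python
# Added example (not from the slides): IPv6 text notation, address-type
# classification and the 6to4 prefix rule, written from the tables above.
# Function names are my own; the stdlib ipaddress module is used only as an
# independent cross-check of the hand-written parser.
import ipaddress

# Multicast scope nibble -> name, from the scope table on the page
MULTICAST_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
                    0x5: "site-local", 0x8: "organizational-local", 0xE: "global"}


def expand(text):
    """Expand '::' and dropped leading zeros into eight 4-hex-digit groups."""
    if text.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in text:
        left, right = text.split("::")
        lg = left.split(":") if left else []
        rg = right.split(":") if right else []
        if len(lg) + len(rg) > 7:
            raise ValueError("'::' must stand for at least one zero group")
        groups = lg + ["0"] * (8 - len(lg) - len(rg)) + rg
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError("an IPv6 address has eight 16-bit groups")
    if not all(1 <= len(g) <= 4 and all(c in "0123456789abcdefABCDEF" for c in g)
               for g in groups):
        raise ValueError("bad hexadecimal group")
    return ":".join("%04x" % int(g, 16) for g in groups)


def compress(text):
    """Shortest form: no leading zeros, longest run of >= 2 zero groups -> '::'."""
    groups = [int(g, 16) for g in expand(text).split(":")]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:                 # first run wins on ties
            best_start, best_len = i, j - i
        i = j + 1 if j == i else j
    hexs = ["%x" % g for g in groups]
    if best_len < 2:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


def classify(text):
    """Address type from the prefix table on the page."""
    n = int(expand(text).replace(":", ""), 16)
    if n == 0:
        return "unspecified"
    if n == 1:
        return "loopback"
    if n >> 120 == 0xFF:                     # ff00::/8
        transient = (n >> 116) & 0x1         # the T flag of the 000T nibble
        scope = MULTICAST_SCOPES.get((n >> 112) & 0xF, "reserved/unallocated")
        return "multicast (%s, %s scope)" % ("transient" if transient else "well-known", scope)
    if n >> 118 == 0x3FA:                    # 1111111010 = fe80::/10
        return "link-local unicast"
    if n >> 118 == 0x3FB:                    # 1111111011 = fec0::/10
        return "site-local unicast"
    if n >> 125 == 0b001:
        return "global unicast"
    return "unallocated"


def six_to_four_prefix(ipv4):
    """x.y.z.q -> 2002:xxyy:zzqq::/48 (the 6to4 rule on the page)."""
    octets = [int(x) for x in ipv4.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address")
    return compress("2002:%02x%02x:%02x%02x::" % tuple(octets)) + "/48"


def agrees_with_stdlib(text):
    """Cross-check: the hand-written expand/compress match ipaddress.IPv6Address."""
    ref = ipaddress.IPv6Address(text)
    return expand(text) == ref.exploded and compress(text) == ref.compressed
```

The tie-breaking rule in `compress` (the first of two equally long zero runs is the one collapsed) matters when addresses are compared as strings, for instance in log searches or allow-lists; comparing parsed 128-bit values, as `classify` does, avoids that class of mismatch.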
3. Assign the link-local address
Example:
- MAC: 00-0d-60-fa-ab-3b
- EUI-64: 00-0d-60-ff-fe-fa-ab-3b
- Modified (universal/local bit inverted): 02-0d-60-ff-fe-fa-ab-3b
- Result: fe80::20d:60ff:fefa:ab3b

IPv6 stateless autoconfiguration: example host

    # ip addr list
    1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
        inet6 ::1/128 scope host
    2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:0b:cd:f2:a7:b9 brd ff:ff:ff:ff:ff:ff
        inet 130.236.179.11/24 brd 130.236.179.255 scope global eth0
        inet6 fe80::20b:cdff:fef2:a7b9/64 scope link
        inet6 2001:6b0:17:f023:20b:cdff:fef2:a7b9/64 scope global dynamic
           valid_lft 2591662sec preferred_lft 604462sec

Both the link-local address and the global address carry the same interface ID, 20b:cdff:fef2:a7b9, derived from the MAC address 00:0b:cd:f2:a7:b9.

IPv6 stateless autoconfiguration: duplicate address detection (DAD)
- RFC 2462
- DAD must not be performed on anycast addresses
- DAD should be performed on individual unicast addresses
- With stateless autoconfiguration it is sufficient to test the link-local address, since all other addresses are formed from the same interface ID, which is then known to be unique
- Process (simplified)
  - Send a neighbor solicitation with ::0 as the source
  - Listen for neighbor solicitations and neighbor advertisements
    - A non-loopback NS from ::0 for the tentative address indicates a duplicate
    - An NA indicates that the tentative address is in use

Configure routers and addresses
- Router advertisements
  - Sent periodically by routers
  - May contain address prefixes for the network
- Router solicitation
  - Triggers the sending of a router advertisement
  - Sent by hosts during autoconfiguration
- Process
  - Send an RS and wait for an RA
  - No RA: do stateful autoconfiguration
  - Check the flags of the RA
    - May indicate stateful autoconfiguration
    - May indicate stateful autoconfiguration for additional information
  - For each advertised prefix, form a unicast address based on the prefix and the interface ID, and maybe perform DAD on the address
  - Maybe set the router as a default router

IPv6 Neighbor Discovery
- Neighbor solicitation: "Who has IPv6 address ...?"
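The address-formation steps and the DAD rule above, as an added example that is not part of the slides: MAC to modified EUI-64, link-local and prefix-derived addresses, the solicited-node group an NS is sent to, and the verdict a host draws from the ND traffic it observes while the address is tentative. The function names and the dict layout used for observed ND messages are assumptions of this example; the expected values in the checks are the two addresses shown on this page.

```python
# Added example (not from the slides): forming the modified EUI-64 interface
# ID, the link-local address and prefix-derived unicast addresses, the
# solicited-node group used for DAD, and the DAD verdict rule given above.
# ND messages are represented as plain dicts constructed for the example.
import ipaddress


def modified_eui64(mac):
    """MAC (EUI-48) -> 8-byte modified EUI-64: insert ff:fe in the middle,
    then invert the universal/local bit (0x02 of the first octet)."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def address_from_prefix(prefix, iid):
    """Append a 64-bit interface ID to a /64 prefix such as 'fe80::/64'."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def link_local(mac):
    return address_from_prefix("fe80::/64", modified_eui64(mac))


def solicited_node(addr):
    """ff02::1:ffxx:xxxx, with the low 24 bits copied from the target address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def dad_verdict(tentative, observed):
    """DAD rule from the slide: while the address is tentative, a non-loopback
    NS from the unspecified source for it, or an NA for it, means a duplicate.
    observed: list of {"type": "NS"|"NA", "src": ..., "target": ..., "loopback": bool}."""
    target = ipaddress.IPv6Address(tentative)
    unspecified = ipaddress.IPv6Address("::")
    for m in observed:
        if ipaddress.IPv6Address(m["target"]) != target:
            continue                          # about some other address
        if m["type"] == "NA":
            return "duplicate"                # somebody already owns it
        if (m["type"] == "NS" and ipaddress.IPv6Address(m["src"]) == unspecified
                and not m.get("loopback", False)):
            return "duplicate"                # another node is probing the same address
    return "unique"


def autoconfigure(mac, advertised_prefixes, observed=()):
    """Form the link-local address, run the DAD rule on it (one test suffices
    because every address shares the interface ID), then form one address per
    advertised prefix. Returns [] when the link-local address is a duplicate."""
    iid = modified_eui64(mac)
    ll = link_local(mac)
    if dad_verdict(str(ll), observed) == "duplicate":
        return []
    return [str(ll)] + [str(address_from_prefix(p, iid)) for p in advertised_prefixes]
```

A host's own DAD probe is multicast and may be looped back to it, which is why the rule only counts non-loopback solicitations; without that distinction every host would declare its own address a duplicate.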
  - Sent to the solicited-node multicast address
  - Layout: Type | Code | Checksum | Reserved | Target address | Options
- Solicited-node multicast address
  - Multicast address for a particular node
  - ff02::1:ffxx:xxxx, where xx:xxxx are the low three bytes of the target address
- Neighbor advertisement: "I have IPv6 address ..."
  - Sent to the IP sender of the solicitation
  - Layout: Type | Code | Checksum | R | S | O | Reserved | Target address | Options
  - Flags: R = Router, S = Solicited, O = Override
- Options: Target link-layer address, MTU, Prefix information

Neighbor Unreachability Detection (NUD)
- Forward reachability confirmed by
  - A hint from an upper layer
  - A solicited neighbor advertisement
- Neighbor cache/table
  - Replaces the ARP cache
  - Each entry is in one of five states
    - Incomplete: address resolution is being performed on this entry
    - Reachable: the forward path to the neighbor is functioning
    - Stale: no positive confirmation for some time
    - Delay: no positive confirmation, passively waiting for confirmation
    - Probe: actively seeking reachability confirmation

Migration
- Deployment issues
- Logical topology: IPv6 islands talking to each other; "physical" topology: IPv6 islands attached to an IPv4 network
- Dual stack
  - Hosts use IPv4 to communicate with IPv4-only hosts
  - Hosts use IPv6 to communicate with IPv6-capable hosts
- Pure IPv6
- Tunnels
  - Encapsulate IPv6 in IPv4 for traffic between IPv6 islands

Migration: 6to4
- What it is
  - "Connection of IPv6 domains via IPv4 clouds"
  - IPv6 connectivity with an IPv4 uplink
  - Gives one /48 per IPv4 address
- Topology: IPv6-only host – 6to4 router – IPv4 network – 6to4 router – dual-stack host; hosts on the native IPv6 network are reached through public 6to4 relays (anycast 192.88.99.1)
- 6to4 address
  - IPv4 address x.y.z.q → IPv6 net 2002:xxyy:zzqq::/48
  - Example: IPv4 address 212.214.112.221 → 6to4 prefix 2002:d4d6:70dd::/48

IPSec Overview
- ESP – Encapsulating Security Payload: confidentiality
- AH – Authentication Header: authentication, integrity
- IPComp – IP Compression: data compression before ESP
- IKE – Internet Key Exchange: secret key exchange
ESP format: Security Parameter Index (SPI) | Sequence Number | Payload (encrypted) | Padding | Pad Length | Next Header | Authentication data (variable); the fields from the SPI through Next Header are authenticated, and the payload through Next Header are encrypted
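The five neighbor-cache states from the NUD slide above, as an added example that is not part of the slides: a small state machine that moves one entry through Incomplete, Reachable, Stale, Delay and Probe on the events the slide names (solicited advertisement, upper-layer hint, timers, outgoing packets). The event names, the way messages are recorded rather than sent, and the retry limit of 3 (the RFC 4861 default for MAX_UNICAST_SOLICIT and MAX_MULTICAST_SOLICIT) are assumptions of this example.

```python
# Added example (not from the slides): a neighbor-cache state machine with
# the five NUD states listed above. Event names and the retry limit (3, the
# RFC 4861 default) are assumptions for this example; the messages a node
# would send are recorded in `actions` instead of being transmitted.
INCOMPLETE, REACHABLE, STALE, DELAY, PROBE = "INCOMPLETE", "REACHABLE", "STALE", "DELAY", "PROBE"
MAX_SOLICIT = 3


class NeighborCache:
    """Replacement for the ARP cache: one entry per neighbor, each in one state."""

    def __init__(self):
        self.entries = {}      # neighbor address -> {"state": ..., "probes": int}
        self.actions = []      # ("NS-multicast"|"NS-unicast", neighbor) the node would send

    def state(self, nb):
        e = self.entries.get(nb)
        return e["state"] if e else None

    def handle(self, nb, event):
        """Apply one event to the neighbor's entry; returns the new state, or
        None when the entry is deleted (or does not exist)."""
        e = self.entries.get(nb)
        if e is None:
            if event != "send_packet":
                return None
            # the first packet to an unknown neighbor starts address resolution
            self.entries[nb] = e = {"state": INCOMPLETE, "probes": 1}
            self.actions.append(("NS-multicast", nb))    # to its solicited-node group
            return INCOMPLETE
        s = e["state"]
        if event == "solicited_na":             # S flag set: forward path confirmed
            e["state"], e["probes"] = REACHABLE, 0
        elif event == "upper_layer_hint" and s != INCOMPLETE:
            e["state"] = REACHABLE              # e.g. TCP saw progress on a connection
        elif event == "unsolicited_na" and s == INCOMPLETE:
            e["state"] = STALE                  # link-layer address learnt, not verified
        elif event == "reachable_timeout" and s == REACHABLE:
            e["state"] = STALE                  # ReachableTime elapsed without confirmation
        elif event == "send_packet" and s == STALE:
            e["state"] = DELAY                  # give an upper-layer hint a chance first
        elif event == "delay_timeout" and s == DELAY:
            e["state"], e["probes"] = PROBE, 1
            self.actions.append(("NS-unicast", nb))
        elif event == "probe_timeout" and s in (PROBE, INCOMPLETE):
            if e["probes"] >= MAX_SOLICIT:
                del self.entries[nb]            # give up: the neighbor is unreachable
                return None
            e["probes"] += 1
            self.actions.append(("NS-unicast" if s == PROBE else "NS-multicast", nb))
        return e["state"]
```

Only a solicited advertisement or an upper-layer hint can move an entry to Reachable; an unsolicited advertisement (which anyone on the link can send) at most leaves the entry Stale, so it cannot by itself convince a node that a path is working.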
AH format: Next Header | Payload Length | Reserved | Security Parameter Index | Sequence Number | Authentication Data (variable); the whole AH is authenticated

IPSec Concepts
- Host/gateway implementation
- Tunnel/transport mode
- Security Associations (SA)
  - Security Parameter Index (SPI)
  - Security Policy Database (SPD)
  - SA database (SAD)
- AH and the IPv4 header: Version, Internet Header Length, Total Length, Identification, Protocol and Source/Destination Address are authenticated; Type of Service (TOS), Flags, Fragment Offset, Time to Live (TTL) and Header Checksum are not authenticated, since they may change in transit

IPSec modes
- ESP/AH transport mode: communication between hosts
- Tunnel mode: communication between VPN gateways
- ESP transport mode – protects the payload only: IP header | ESP header | Payload (ESP header and payload authenticated)
- AH transport mode – protects the IP header and the payload: IP header | AH header | Payload
- ESP tunnel mode – protects the original IP datagram: Tunnel IP header | ESP header | Inner IP header | Payload (ESP header through payload authenticated)
- AH tunnel mode – protects the original IP datagram and the tunnel header: Tunnel IP header | AH header | Inner IP header | Payload
- In general: New IP header | AH/ESP header | Original IP header | Payload

Authentication and Encryption
- Nest ESP in AH
  - Apply ESP first, then AH: IP header | AH header | ESP header | Payload (authenticated by AH)
- Special format for ESP: IP header | ESP header | Payload | ESP auth data (ESP header and payload authenticated)

Security associations
- Security Association (SA)
  - One-way relationship between IPSec hosts
  - Determines processing for the sender and decoding for the destination
- SA Database (SAD)
  - Parameters of each SA
- Security Parameter Index (SPI)
  - Used by the destination to select the correct SA for a packet
  - SPI + destination address + protocol identifies the SA
- SA bundle
  - SAs to apply together
  - E.g. ESP in AH
- Security Policy Database (SPD)
  - How to process traffic
    - Bypass – no IPSec
    - Discard – don't accept
    - IPSec processing
      - Outbound – process
      - Inbound – check processing
- Example SPD entry
  - Source: 10.1.2.3
  - Dest: 10.4.4.4
  - Action: Require IPSec processing
  - SA: ESP/SPI 4365
- SAD entry (ESP/SPI 4365)
  - Mode: transport
  - Algorithm: 3DES-CBC
  - Key: …
  - Replay protection: …

IPSec Processing (out)
- IP datagram (Destination: X, Protocol: TCP, TCP dport: 25)
- SPD entries, e.g.: DST=… SRC=… ICMP → REQUIRED; DST=X SRC=… TCP DPORT=25 → REQUIRED: ESP in AH, IPCOMP USE
- SAD entries, e.g.: ESP AES KEY=…; AH SHA1 KEY=…
- Steps
  - Discard if the SPD says REJECT
  - Find the appropriate SAs
  - Process according to the SA bundle

IPSec Processing (in)
- IP datagram arrives (Destination: X, Protocol: TCP, TCP dport: 25)
- Process according to the SPI (SAD: ESP AES KEY=…; AH SHA1 KEY=…; IPCOMP)
- Check the SPD (DST=X SRC=… TCP DPORT=25 → REQUIRED: ESP in AH)
  - Check that the required security was used
  - Discard if the wrong security was used

IKE
- Problem: static SAs are inconvenient and can be insecure
- Solution: set up SAs on demand
  - Negotiate SA parameters
- Protocol: IKE – Internet Key Exchange
  - IKEv1 used now
  - IKEv2 accepted in 2004
  - Exchanges: IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA

IPSec Summary
- Security at the network layer
- Protocol family
- Security policy
  - Determines outgoing processing
  - Determines incoming requirements
- Security associations
  - One-way "connection" between peers

IPv6 Mobility Support
Important changes from IPv4:
- No foreign agent needed
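The SPD/SAD processing described on the "Security associations" and "IPSec Processing" slides above, as an added example that is not part of the slides: an ordered SPD with bypass/discard/protect actions, an SAD keyed by SPI + destination + protocol, outbound application of an SA bundle (ESP first, then AH, giving the IP | AH | ESP | payload stack from the slide), inbound stripping by SPI lookup with a sliding-window replay check, and the final check that the SPD's required protection was actually present. No cryptography is modelled, only the lookup, ordering and checking logic; the 10.1.2.3 → 10.4.4.4 entry and SPI 4365 come from the slide, while the ICMP bypass entry, SPI 4366 and the header-tuple representation are constructed for this example.

```python
# Added example (not from the slides): a model of SPD/SAD processing with
# anti-replay. Headers are tuples: ("IP", src, dst), ("ESP"|"AH", spi, seq),
# ("TCP", dport), ("ICMP",). Addresses, SPIs and policies are constructed
# for the example (SPI 4365 and 10.1.2.3 -> 10.4.4.4 follow the slide).
from dataclasses import dataclass, field


@dataclass
class SA:
    proto: str               # "ESP" or "AH"
    spi: int
    dst: str                 # SPI + destination + protocol identifies the SA
    mode: str                # "transport" or "tunnel"
    alg: str                 # label only; no cryptography is modelled here
    seq: int = 0             # outbound sequence counter
    highest: int = 0         # inbound anti-replay state
    window: int = 64
    seen: set = field(default_factory=set)

    def next_seq(self):
        self.seq += 1
        return self.seq

    def accept_seq(self, n):
        """Sliding-window replay check: reject duplicates and numbers older than the window."""
        if n == 0 or n in self.seen or n <= self.highest - self.window:
            return False
        self.highest = max(self.highest, n)
        self.seen = {s for s in self.seen if s > self.highest - self.window} | {n}
        return True


@dataclass
class SPDEntry:
    selectors: dict          # src, dst, proto, dport; "*" matches anything
    action: str              # "bypass", "discard" or "protect"
    bundle: list = field(default_factory=list)   # (proto, spi, dst) in application order


def selectors_of(headers):
    """Selector fields of the (innermost) datagram in a header list."""
    ip = [h for h in headers if h[0] == "IP"][-1]
    last = headers[-1]
    return {"src": ip[1], "dst": ip[2], "proto": last[0],
            "dport": last[1] if last[0] in ("TCP", "UDP") else None}


def lookup(spd, sel):
    for e in spd:            # first match wins, so order the SPD most specific first
        if all(v == "*" or sel.get(k) == v for k, v in e.selectors.items()):
            return e
    return None              # no policy at all is treated as discard


class IPsecNode:
    def __init__(self, addr, spd, sad):
        self.addr, self.spd = addr, spd
        self.sad = {(sa.proto, sa.spi, sa.dst): sa for sa in sad}

    def outbound(self, headers):
        """Returns the header stack to put on the wire, or None if discarded."""
        entry = lookup(self.spd, selectors_of(headers))
        if entry is None or entry.action == "discard":
            return None
        headers = list(headers)
        if entry.action == "protect":
            for key in entry.bundle:                 # e.g. ESP first, then AH
                sa = self.sad[key]
                hdr = (sa.proto, sa.spi, sa.next_seq())
                if sa.mode == "tunnel":
                    headers = [("IP", self.addr, sa.dst), hdr] + headers
                else:
                    headers.insert(1, hdr)           # right after the IP header
        return headers

    def inbound(self, headers):
        """Strip IPsec headers by SPI lookup, then verify the SPD's requirement.
        Returns (inner headers, SAs applied) or None if the packet is dropped."""
        headers, applied = list(headers), []
        while len(headers) > 1 and headers[1][0] in ("ESP", "AH"):
            proto, spi, seq = headers[1]
            sa = self.sad.get((proto, spi, headers[0][2]))
            if sa is None or not sa.accept_seq(seq):
                return None                          # unknown SA or replayed packet
            applied.append((proto, spi, sa.dst))
            headers.pop(1)
            if sa.mode == "tunnel":
                headers.pop(0)                       # discard the outer IP header
        entry = lookup(self.spd, selectors_of(headers))
        if entry is None or entry.action == "discard":
            return None
        if entry.action == "protect" and not set(entry.bundle) <= set(applied):
            return None                              # required protection was missing
        return headers, applied


# Constructed policy and SAs shared by both ends of the example
SPD = [SPDEntry({"proto": "ICMP"}, "bypass"),
       SPDEntry({"src": "10.1.2.3", "dst": "10.4.4.4", "proto": "TCP", "dport": 25}, "protect",
                [("ESP", 4365, "10.4.4.4"), ("AH", 4366, "10.4.4.4")]),   # ESP in AH
       SPDEntry({"src": "10.1.2.3", "dst": "10.4.4.4"}, "protect", [("ESP", 4365, "10.4.4.4")])]


def make_sad():
    return [SA("ESP", 4365, "10.4.4.4", "transport", "3DES-CBC"),
            SA("AH", 4366, "10.4.4.4", "transport", "HMAC-SHA1")]
```

The inbound check after stripping is the step that defeats "downgrade" traffic: a packet that arrives without ESP or AH for a selector the SPD marks as protected is discarded even though it parses fine, and a replayed copy of a valid packet is rejected by the per-SA window before the policy is even consulted.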
- Route optimization
- Less need for tunnels
Mobility security:
- ESP for encryption
- AH for authentication
- IKE for key exchange
Modes:
- Route optimization
- Bidirectional tunneling
Binding updates:
- To the home agent
  - IPSec ESP or AH
  - Authentication required
- To the correspondent node
  - Return routability test
New ICMP messages:
- Home Agent Address Discovery
- Mobile Prefix Solicitation
Return routability, between the Mobile Node (MN), the Home Agent (HA) and the Correspondent Node (CN): Home Test Init, Care-of Test Init, Home Test, Care-of Test

Binding Updates
- Home Test Init (MN → CN): HI cookie
  - Sent to acquire the home keygen token
  - Tunneled through the HA
  - Conveys the home address to the correspondent node
- Care-of Test Init (COA → CN): CoI cookie
  - Sent to acquire the care-of keygen token
  - Sent directly to the CN
  - Conveys the COA to the correspondent node
- Home Test (CN → HA): HI cookie, home keygen token, home nonce index
  - Sent to convey the home keygen token
  - Tunneled through the HA to the mobile node
- Care-of Test (CN → COA): CoI cookie, care-of keygen token, care-of nonce index
  - Sent to convey the care-of keygen token
  - Direct to the MN
- Binding Update: MAC, sequence number, nonce indices, COA
- Binding Acknowledgement: MAC, seq#, status

Route Optimization
- CN ↔ MN: Binding Update / Binding Ack
- Type 2 routing header
  - Packets from the CN are sent to the care-of address with a type 2 routing header
  - The MN extracts the home address from the type 2 routing header
  - CN → MN: Source: CN; Destination: COA; Routing header: Home address
- Home address option
  - Specifies the home address
  - Carried by the destination option extension header
  - MN → CN: Source: COA; Destination: CN; Home address option: Home address

Other Mobility Issues
- Multicast traffic
- Movement detection
- Returning home
- Interaction with IPSec
- Multiple care-of addresses
- Home agent discovery
- Home address assignment
- Care-of address formation
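The return routability test and the binding update it authorizes, from the "Binding Updates" slides above, as an added example that is not part of the slides. Both sides are modelled: the correspondent node hands out the home and care-of keygen tokens over the two different paths and keeps no per-mobile state (it recomputes the tokens from the nonce indices in the binding update), and the mobile node derives the binding key from the two tokens and MACs its binding update with it. The keygen token, Kbm and MAC constructions follow RFC 3775 (HMAC-SHA1 with the truncations given there); the cookie sizes, the fields covered by the MAC, the status strings and the single-nonce handling are simplifications made for this example, and the addresses are constructed.

```python
# Added example (not from the slides): a simulation of the return routability
# test and the binding update it authorizes. Token, Kbm and MAC constructions
# follow RFC 3775; message layout, status strings and nonce handling are
# simplified for this example. All addresses are constructed.
import hashlib
import hmac
import ipaddress
import os


def packed(addr):
    return ipaddress.IPv6Address(addr).packed


def bu_fields(seq, hni, cni, home):
    """The binding-update data covered by the MAC (simplified encoding)."""
    return seq.to_bytes(2, "big") + hni.to_bytes(2, "big") + cni.to_bytes(2, "big") + packed(home)


def bu_mac(kbm, coa, cn, fields):
    # First(96, HMAC_SHA1(Kbm, care-of address | correspondent address | message data))
    return hmac.new(kbm, packed(coa) + packed(cn) + fields, hashlib.sha1).digest()[:12]


class CorrespondentNode:
    def __init__(self, addr):
        self.addr = addr
        self.kcn = os.urandom(20)          # secret known only to the CN
        self.nonces = [os.urandom(8)]      # indexed; a real CN rotates and expires these
        self.bindings = {}                 # home address -> (care-of address, last seq)

    def _token(self, address, kind, idx=None):
        # home keygen token    = First(64, HMAC_SHA1(Kcn, home address | nonce | 0))
        # care-of keygen token = First(64, HMAC_SHA1(Kcn, care-of address | nonce | 1))
        if idx is None:
            idx = len(self.nonces) - 1
        data = packed(address) + self.nonces[idx] + bytes([kind])
        return hmac.new(self.kcn, data, hashlib.sha1).digest()[:8]

    def home_test(self, hoti):             # HoTI arrives tunnelled through the HA
        return {"cookie": hoti["cookie"], "token": self._token(hoti["home"], 0),
                "nonce_index": len(self.nonces) - 1}

    def careof_test(self, coti):           # CoTI arrives directly from the care-of address
        return {"cookie": coti["cookie"], "token": self._token(coti["coa"], 1),
                "nonce_index": len(self.nonces) - 1}

    def binding_update(self, bu):
        """Verify the BU without any stored per-MN state: Kbm is recomputed from
        the nonce indices the MN echoes back. Returns the binding acknowledgement."""
        try:
            kbm = hashlib.sha1(self._token(bu["home"], 0, bu["hni"]) +
                               self._token(bu["coa"], 1, bu["cni"])).digest()
        except IndexError:
            return {"seq": bu["seq"], "status": "rejected: expired nonce index"}
        fields = bu_fields(bu["seq"], bu["hni"], bu["cni"], bu["home"])
        if not hmac.compare_digest(bu_mac(kbm, bu["coa"], self.addr, fields), bu["mac"]):
            return {"seq": bu["seq"], "status": "rejected: bad MAC"}
        prev = self.bindings.get(bu["home"])
        if prev and bu["seq"] <= prev[1]:
            return {"seq": bu["seq"], "status": "rejected: sequence number"}
        self.bindings[bu["home"]] = (bu["coa"], bu["seq"])
        ack = {"seq": bu["seq"], "status": "accepted"}
        ack["mac"] = bu_mac(kbm, bu["coa"], self.addr, b"ack" + bu["seq"].to_bytes(2, "big"))
        return ack


class MobileNode:
    def __init__(self, home, coa):
        self.home, self.coa, self.seq, self.kbm = home, coa, 0, None

    def return_routability(self, cn):
        """HoTI/HoT travel via the home agent, CoTI/CoT directly: the two tokens
        reach the MN over two different paths and only their owner holds both."""
        hi, coi = os.urandom(8), os.urandom(8)
        hot = cn.home_test({"home": self.home, "cookie": hi})
        cot = cn.careof_test({"coa": self.coa, "cookie": coi})
        if hot["cookie"] != hi or cot["cookie"] != coi:
            raise ValueError("reply does not match our init message")
        self.kbm = hashlib.sha1(hot["token"] + cot["token"]).digest()   # Kbm
        self.hni, self.cni = hot["nonce_index"], cot["nonce_index"]

    def make_binding_update(self, cn, coa=None):
        if self.kbm is None:
            raise ValueError("run the return routability test first")
        self.seq += 1
        coa = coa or self.coa
        bu = {"home": self.home, "coa": coa, "seq": self.seq, "hni": self.hni, "cni": self.cni}
        bu["mac"] = bu_mac(self.kbm, coa, cn.addr, bu_fields(self.seq, self.hni, self.cni, self.home))
        return bu
```

Because Kbm depends on both tokens, a binding update for a care-of address that was never tested over the care-of path fails the MAC check at the correspondent node, and the sequence number lets the CN reject a replayed update without storing anything beyond the last accepted binding.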