IPv6 - The Next Generation on the Internet
Dave Heldenbrand, Utah Valley State College, [email protected]
Copyright © 1997, 2003 Network Professional Association
2/3/06 2
Agenda
Quick review of IPv4 basics
Problems with IPv4
IPv6 architecture and functionality
Transition issues
Review of IPv4 Features
Unreliable/connectionless/non-sequenced packet routing service
32-bit address contains network & host components
Larger packets are fragmented and reassembled
"Traditional" implementations have no security
Relevant IPv4 Header Fields
Yellow fields are modified, relocated, redefined or eliminated in IPv6
[Figure: the 20-byte IPv4 header (options excluded) laid out in 32-bit words, bit offsets 0, 4, 8, 16, 19, 24, 31; the yellow highlighting is not preserved in this text version]
Version | Hdr Len | Type of Service | Total Length
Identification | Flags | Fragment Offset
Time To Live | Protocol | Header Checksum
Source IP Address
Destination IP Address
Options (If Used) | Padding
Payload
IPv4 - Two Address Types
Traditional Class A/B/C
– Allows one level of subnetting
– Effectively a three-tiered address hierarchy
Classless Inter-Domain Routing (CIDR) is used externally
These are two different ways of interpreting the same address space
IPv4 Fragmentation
[Figure, three slides: Source Host – Router 1 – Router 2 – Destination Host, with link MTUs of 1500, 1000 and 500 bytes along the path. A 1500 Byte Packet leaves the source; at the 1000-byte link it is split into a 1000 Byte Fragment and a 500 Byte Frag; at the 500-byte link the 1000-byte fragment is split again, so three 500 Byte Frags arrive at the destination]
IPv4 - Options
Option fields are appended to the IP header
Length must be a multiple of 4 bytes or padded
Code in first byte specifies which option
Options include:
– Source routing
– Record route
– Military classification level (e.g. TOP SECRET)
– (Not much of interest to a typical Internet user)
IPv4 - Type of Service
“TOS” provides two ways to request special handling
Precedence sub-field indicates packet priority
D/T/R bits indicate type of handling
– Minimize Delay
– Maximize Throughput
– Maximize Reliability
Later redefined/augmented as DiffServ (RFC 2475)
Current Internet backbone mostly ignores TOS requests
In newer systems, TOS is called Quality of Service (QoS)
IPv4 - Address Problems
The “shortage” of IP addresses
– Due to growth and inefficient allocation
Lots of destination networks = large routing tables = Internet backbone router overhead
– Target backbone router table size ≈ 100K destination networks
Administration of addresses is a headache for the InterNIC and ISPs
IPv4 - Other Problems
Packet fragmentation causes overhead in routers
“Real-time” applications (video and voice) need guaranteed minimum delay
– IPv4 TOS doesn’t reliably provide this
No real security - commercial users need:
– Authentication
– Privacy
Introducing IPv6
Result of the IPng effort started in 1991
Many contributors, but based on the work of Steve Deering (Xerox PARC)
Intended to solve most of the aforementioned problems
2/3/06 17
Features of IPv6
16 byte/128-bit addresses with multilevel hierarchical addressing
Resource allocation (flows) replaces IPv4 TOS
Options replaced by Extension Headers
Fragmentation process changed
Designed to allow future extensions without a major upgrade (we hope)
What Doesn’t Change with IPv6?
Still a datagram protocol (unreliable and connectionless)
Supports most IPv4 features and options (but often in new ways)
Understands IPv4 addresses
2/3/06 19
Overview of IPv6 Packet
Base header contains addressing and minimal control information
Most IPv4 options (and some regular functions) are Extension Headers in IPv6
[Figure: Base Header | Extension Header 1 | . . . | Extension Header n | Payload (the extension headers are optional)]
IPv6 Base Header Format
[Figure: the 40-byte IPv6 base header laid out in 32-bit words, bit offsets 0, 4, 16, 24, 31]
Version | Flow Label
Payload Length | Next Header | Hop Limit
Source Address (128 bits)
Destination Address (128 bits)
Flow Label - for resource reservation
Payload Length - # bytes in packet, excluding base header
Next Header - code indicates next header (IPv6 Extension Hdr or Transport Hdr)
Hop Limit - same as IPv4 Time to Live (TTL)
Base Header Summary
64-bit alignment
No fragmentation control fields
– They’re part of a separate Extension Header
No more checksum
– Redundant with error checking in other layers (and too much overhead in routers)
Still 40 bytes – twice as large as the default IPv4 header
IPv4 Header Fields Missing in the IPv6 Base Header
[Figure: the IPv4 header layout from the “Relevant IPv4 Header Fields” slide, repeated with the missing fields highlighted in yellow]
The yellow fields in the IPv4 header do not appear in the IPv6 Base Header
Resource Allocation (Flows)
Flow - a sequence of packets sent between two nodes for which the source requires special handling
Designed to allow an application to reserve resources end-to-end
– Guaranteed data rate
– Maximum delay
Intended to exploit underlying Quality of Service features in technologies like Frame Relay and ATM
Flow Label Subfields
Traffic Class (TClass)
– Packet priority (lower number = lower priority)
– Range is 0 - 7 when source provides congestion control (TCP)
– Range is 8 - 15 for traffic that doesn’t (UDP/RTP/video/voice)
Flow Identifier is a number that associates the packet with an established flow
[Figure: Flow Label from IPv6 Base Header = TClass (4 bits) | Flow Identifier (24 bits)]
Extension Headers
Functions that would have been IPv4 Options (or basic functions)
Specific IPv6 extension headers with Next Header codes:
– Fragmentation 44
– Routing (source routing) 43
– Authentication 51
– ESP (privacy/encryption) 50
– Hop-by-Hop Options 0
– Destination Options 60
Parsing Extension Headers
The Next Header field in a base header or extension header indicates what follows
The standard IPv4 protocol codes still indicate Transport protocols (TCP = 6, UDP = 17)
[Figure: three header chains]
Base Header (Next Hdr = TCP) | TCP Segment
Base Header (Next Hdr = Route) | Route Header (Next Hdr = TCP) | TCP Segment
Base Header (Next Hdr = Route) | Route Header (Next Hdr = Auth.) | Auth. Header (Next Hdr = TCP) | TCP Segment
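An added example, not from the slides: a small Python parser that follows the Next Header chain through the extension headers listed above, using the codes on the slide (0, 43, 44, 50, 51, 60) and the IPv4 protocol codes for TCP and UDP. The header sizes come from the RFC definitions rather than from the slides: the Fragment header is a fixed 8 bytes, the Authentication Header's length byte counts 32-bit words beyond the first two, and the other extension headers carry a Hdr Ext Len in 8-byte units. The sample packets are constructed inside the block with placeholder link-local addresses. The point for anyone writing a filter is that the transport protocol and its ports are found only by walking the whole chain, never by reading the base header's Next Header field alone.

```python
import struct

# Next Header codes from the slides: extension headers, plus the IPv4 protocol
# codes that still identify the transport protocols
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AUTH, DEST_OPTS = 0, 43, 44, 50, 51, 60
TCP, UDP = 6, 17
EXT_NAMES = {HOP_BY_HOP: "Hop-by-Hop Options", ROUTING: "Routing", FRAGMENT: "Fragment",
             ESP: "ESP", AUTH: "Authentication", DEST_OPTS: "Destination Options"}
TRANSPORT_NAMES = {TCP: "TCP", UDP: "UDP"}


def ext_header_length(code, buf, off):
    """On-the-wire size of the extension header starting at buf[off] (RFC rules,
    not on the slides): Fragment = 8 bytes; AH = (Length + 2) * 4 because its
    length byte counts 32-bit words beyond the first two; others = (Hdr Ext Len + 1) * 8."""
    if code == FRAGMENT:
        return 8
    if code == AUTH:
        return (buf[off + 1] + 2) * 4
    return (buf[off + 1] + 1) * 8


def walk_headers(packet):
    """Follow the Next Header chain from the base header. Returns (chain, offset):
    the header names in order, ending with the transport protocol, and the offset
    of the transport header. ESP ends the walk: everything after it is encrypted."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_hdr = struct.unpack("!HB", packet[4:7])
    end = 40 + payload_len
    if end > len(packet):
        raise ValueError("truncated packet")
    chain, off = [], 40
    while next_hdr in EXT_NAMES:
        chain.append(EXT_NAMES[next_hdr])
        if next_hdr == ESP:
            return chain, off
        if off + 2 > end:
            raise ValueError("truncated extension header")
        length = ext_header_length(next_hdr, packet, off)
        if off + length > end:
            raise ValueError("extension header overruns payload")
        next_hdr, off = packet[off], off + length
    chain.append(TRANSPORT_NAMES.get(next_hdr, "protocol %d" % next_hdr))
    return chain, off


def transport_ports(packet):
    """Source and destination ports of the TCP/UDP segment, located by walking
    the chain; None when no transport header is reachable (e.g. behind ESP)."""
    chain, off = walk_headers(packet)
    if chain[-1] not in ("TCP", "UDP"):
        return None
    return struct.unpack("!HH", packet[off:off + 4])


def build_packet(exts, transport_code, segment):
    """Constructed test packet: base header + extension headers + segment.
    exts is a list of (code, body) with body = the header minus its leading
    Next Header byte; the addresses are link-local placeholders."""
    codes = [code for code, _ in exts] + [transport_code]
    payload = b"".join(bytes([codes[i + 1]]) + body for i, (_, body) in enumerate(exts))
    payload += segment
    src = bytes.fromhex("fe80" + "00" * 12 + "0001")
    dst = bytes.fromhex("fe80" + "00" * 12 + "0002")
    base = struct.pack("!IHBB", 6 << 28, len(payload), codes[0], 64) + src + dst
    return base + payload


# Constructed sample headers: an 8-byte Type 0 routing header carrying no
# addresses, a 24-byte AH with SPI 0x100, sequence 1 and a 96-bit ICV, and a
# minimal 20-byte TCP SYN from port 1234 to port 80.
ROUTING_BODY = bytes([0, 0, 0]) + b"\x00" * 4
AH_BODY = bytes([4]) + b"\x00\x00" + b"\x00\x00\x01\x00" + b"\x00\x00\x00\x01" + b"\x00" * 12
TCP_SYN = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

PLAIN = build_packet([], TCP, TCP_SYN)                                  # chain 1 on the slide
ROUTED_AUTH = build_packet([(ROUTING, ROUTING_BODY), (AUTH, AH_BODY)], TCP, TCP_SYN)  # chain 3
ENCRYPTED = build_packet([], ESP, b"\x00\x00\x01\x00" + b"\x00\x00\x00\x01" + b"\x00" * 16)

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("routed+auth", ROUTED_AUTH), ("esp", ENCRYPTED)):
        print(name, walk_headers(pkt), transport_ports(pkt))
```

A filter that only inspected the base header would see Next Header = 43 for the second sample and never learn that a TCP SYN to port 80 sits 32 bytes further on; walking the chain, with a bounds check at every step, is what makes the decision sound.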
IPv6 Extension Headers vs. IPv6 Options
Most Extension Headers serve one specific function (fragmentation, routing, etc.)
Two special Extension Headers serve as containers for multiple (unspecified) Options
– The Hop-by-Hop Options Extension Header includes options that must be processed by each router
– The Destination Options Extension Header includes options that are only processed at the destination
Fragmentation
Fragmentation is required when a packet reaches a link with a smaller maximum packet size than any previous link
Only the source host performs fragmentation (IPv6 routers don’t)
Source host must discover the Path MTU (smallest MTU size across the entire path)
Path MTU Discovery
For a given flow, the source host assumes that the path MTU is the MTU of the first link
If a packet reaches a link with a smaller MTU, that router discards it and returns an ICMP error message along with that link’s MTU
This continues until the packet reaches the destination
The source host caches the smallest link MTU as the “Path MTU” for that flow
Path MTU Discovery
[Figure, seven slides: Source Host – Router 1 – Router 2 – Destination Host with link MTUs of 1500, 1000 and 500 bytes. The source first assumes Path MTU = 1500 and sends a 1500 Byte Packet; the router at the 1000-byte link returns ICMP "Pkt Too Big" (MTU = 1000), so the source caches Path MTU = 1000 and resends as a 1000 Byte Fragment plus a 500 Byte Frag; the 1000-byte fragment draws ICMP "Pkt Too Big" (MTU = 500) at the 500-byte link, the source caches Path MTU = 500, and three 500 Byte Frags finally reach the destination]
Consequences of New Fragmentation Method
Improved router performance (since routers don’t fragment)
No more “fragments of fragments”
Hosts that don’t support Path MTU discovery must limit packet size to 576 bytes
All links must support an MTU of at least 576 bytes or do “local” fragmentation (a la ATM AAL5)
This makes dynamic route changes problematic, since the new path may include a smaller MTU
– QoS promises associated with flows cause the same problem
– Result: no dynamic path changes in IPv6
Fragment Extension Header
[Figure: the 8-byte Fragment extension header, bit offsets 0, 8, 16, 29, 31]
Next Header | Reserved | Fragment Offset | Res | M
Identification
Fragment Offset - offset of data in this packet, from the start of the original packet (counted in 8-byte units)
M Flag - Set to 1 if more fragments coming, set to 0 if this is the last fragment
Identification - a value unique to the original packet and common to all fragments
IPv6 Fragmentation Example
[Figure: Original IPv6 Packet = Unfragmentable Part | Fragmentable Part (Frag1 | Frag2 | Frag3). Resulting Fragments: Unfragmentable Part | Frag1 Ext Header | Fragment 1; Unfragmentable Part | Frag2 Ext Header | Fragment 2; Unfragmentable Part | Frag3 Ext Header | Fragment 3]
The Unfragmentable Part contains the IPv6 base header plus any extension headers that must be processed en route to the destination. The remainder of the original packet is the Fragmentable Part (which may include additional extension headers, along with the payload).
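An added example, not part of the presentation, that plays the Path MTU Discovery slides and the Fragment extension header format through in Python: routers never fragment, the first link a packet does not fit answers with an ICMP Packet Too Big carrying its MTU, the source caches that MTU and re-fragments from scratch, and the receiver reassembles while rejecting gaps, overlaps, duplicates and a missing last fragment. The addresses and the 1460-byte payload are constructed, and the unfragmentable part is kept to the base header alone. Because each fragment carries 48 bytes of headers and the data slices are multiples of 8 bytes, the sizes come out as 496/496/496/164 rather than the slides' round 500s.

```python
import struct

BASE_HDR, FRAG_HDR, FRAGMENT, TCP = 40, 8, 44, 6
# Constructed placeholder addresses (documentation prefix); the unfragmentable
# part in this simulation is the 40-byte base header only.
SRC = bytes.fromhex("20010db8" + "00" * 10 + "0001")
DST = bytes.fromhex("20010db8" + "00" * 10 + "0002")


def base_header(next_hdr, payload_len, hop_limit=64):
    return struct.pack("!IHBB", 6 << 28, payload_len, next_hdr, hop_limit) + SRC + DST


def fragment(next_hdr, fragmentable, pmtu, ident):
    """Source-host fragmentation per the Fragment Extension Header slide: each
    fragment = base header + 8-byte Fragment header + a slice of the fragmentable
    part. Slices are multiples of 8 bytes (the offset field counts 8-byte units)
    except the last one, which carries M = 0."""
    chunk = (pmtu - BASE_HDR - FRAG_HDR) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU %d leaves no room for data" % pmtu)
    frags = []
    for off in range(0, len(fragmentable), chunk):
        piece = fragmentable[off:off + chunk]
        more = 1 if off + chunk < len(fragmentable) else 0
        frag_hdr = struct.pack("!BBHI", next_hdr, 0, ((off // 8) << 3) | more, ident)
        frags.append(base_header(FRAGMENT, FRAG_HDR + len(piece)) + frag_hdr + piece)
    return frags


def reassemble(frags):
    """Receiver side. Fragments may arrive in any order; mixed identifications,
    duplicates, gaps, overlaps and a missing M = 0 fragment are all rejected,
    since a reassembler that quietly tolerated them would be easy to confuse."""
    pieces, ident, next_hdr, last_end = {}, None, None, None
    for f in frags:
        nh, _, off_m, fid = struct.unpack("!BBHI", f[BASE_HDR:BASE_HDR + FRAG_HDR])
        if ident is None:
            ident, next_hdr = fid, nh
        elif fid != ident:
            raise ValueError("fragment belongs to a different packet")
        off, data = (off_m >> 3) * 8, f[BASE_HDR + FRAG_HDR:]
        if off in pieces:
            raise ValueError("duplicate fragment at offset %d" % off)
        pieces[off] = data
        if not off_m & 1:
            last_end = off + len(data)
    if last_end is None:
        raise ValueError("last fragment (M = 0) missing")
    out, pos = b"", 0
    for off in sorted(pieces):
        if off != pos:
            raise ValueError("gap or overlap at offset %d" % off)
        out += pieces[off]
        pos += len(pieces[off])
    if pos != last_end:
        raise ValueError("data extends past the last fragment")
    return next_hdr, out


def forward(packets, link_mtus):
    """The routers on the path: none fragments; the first link a packet does not
    fit is reported back as an ICMP Packet Too Big carrying that link's MTU."""
    for p in packets:
        for mtu in link_mtus:
            if len(p) > mtu:
                return mtu
    return None


def send_with_pmtud(link_mtus, next_hdr, fragmentable, ident=0x1234):
    """Source-host behaviour from the Path MTU Discovery slides: assume the path
    MTU is the first link's MTU, send, and on each ICMP Packet Too Big cache the
    reported MTU and resend fragmented to it. Returns
    (path_mtu, icmp_mtus_received, delivered_packet_sizes)."""
    pmtu, icmp = link_mtus[0], []
    while True:
        if BASE_HDR + len(fragmentable) <= pmtu:
            packets = [base_header(next_hdr, len(fragmentable)) + fragmentable]
        else:
            packets = fragment(next_hdr, fragmentable, pmtu, ident)
        too_big = forward(packets, link_mtus)
        if too_big is None:
            return pmtu, icmp, [len(p) for p in packets]
        icmp.append(too_big)
        pmtu = too_big


def reassembly_error(frags):
    """Helper for checking the receiver's rejections: the error text, or None."""
    try:
        reassemble(frags)
    except ValueError as e:
        return str(e)
    return None


SEGMENT = bytes(range(256)) * 5 + bytes(180)  # constructed 1460-byte payload

if __name__ == "__main__":
    pmtu, icmp, sizes = send_with_pmtud([1500, 1000, 500], TCP, SEGMENT)
    print("path MTU", pmtu, "ICMP reports", icmp, "delivered sizes", sizes)
    print(reassemble(fragment(TCP, SEGMENT, pmtu, 7)) == (TCP, SEGMENT))
```

The loop always terminates because every fragment fits the cached Path MTU, so each ICMP report names a strictly smaller link; two reports (1000, then 500) are exactly what the seven slides show.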
IPv6 Address Space
Number of possible 128-bit addresses = 340,282,366,920,938,463,463,374,607,431,768,211,456 (3.4 × 10^38)
That’s about 4 × 10^18 per square meter of the Earth’s surface
Nevertheless, we could run short again if addresses aren’t allocated efficiently
Colon Hex Address Notation
Colon hex notation is used to reduce the number of digits required to represent a 128-bit address
Each 16-bit group is expressed in hex, and separated from the next group by a colon
– Non-significant zeros can be omitted
– Traditional dotted decimal suffixes are permitted (to express an IPv4 address in IPv6 format)
Colon Hex Examples
Standard form - FF01:0:0:0:0:0:0:43
Alternative compressed form - FF01::43
The above address in dotted decimal would be 255.1.0.0.0.0.0.0.0.0.0.0.0.0.0.67
The IPv6 form of the traditional IPv4 address 114.27.62.13 can be expressed as 0:0:0:0:0:0:114.27.62.13 or compressed to ::114.27.62.13
IPv6 Address Categories
Traditional Unicast (one-to-one)
Multicast (one-to-many)
– Destination is a group of computers that may reside on many networks
– Broadcast is just a special case of multicast
Anycast/Cluster (one-to-nearest)
– Destination is one from a group of nodes (probably routers or servers)
– Probably local scope only (requires cooperation of routers)
Classless Addressing
IPv6 classifies addresses based on a variable-length Address Type Prefix
– Prefix ranges from 3 to 10 bits, depending on Address Type
Different than IPv4 address classes (A/B/C), similar to CIDR (classless)
The longest-match algorithm is used to optimize routing table lookup
IPv6 Address Prefixes
ADDRESS TYPE | BINARY PREFIX*
IPv4-compatible (96 zero bits + IPv4 addr) | 96 zero bits
NSAP addresses | 0000 001
IPX-compatible (obsolete) | 0000 010
Global unicast | 001
Link-local unicast | 1111 1110 10
IANA – reserved (was site local) | 1111 1110 11
Multicast | 1111 1111
Anycast** | ???
*All other prefixes are reserved (approx. 3/4 of total address space).
**Any Unicast address prefix can be used for Anycast. 7E (hex) is reserved for Mobile IPv6.
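An added example (my code, not the presentation's) covering both the Colon Hex slides and the prefix table above, in Python: it expands colon hex notation, including a single "::" and a dotted decimal suffix, into a 128-bit value, writes a value back out in standard, compressed and IPv4-suffix form, and classifies it by longest match against the binary prefixes on the slide. The compression rule assumed here is that "::" replaces the longest run of two or more zero groups (the first such run on a tie); the prefix table is the slide's, with the IPv4-compatible type represented by its 96 zero bits and anything unmatched reported as reserved.

```python
def parse_colon_hex(text):
    """Colon hex -> 128-bit integer. Accepts the standard form, a single '::'
    standing for the zero groups that pad the address to eight, and a dotted
    decimal suffix in place of the last two groups."""
    def groups_of(chunk):
        if not chunk:
            return []
        items, out = chunk.split(":"), []
        for i, item in enumerate(items):
            if "." in item:
                if i != len(items) - 1:
                    raise ValueError("dotted decimal suffix must come last")
                octets = [int(o) for o in item.split(".")]
                if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
                    raise ValueError("bad dotted decimal suffix %r" % item)
                out += [octets[0] << 8 | octets[1], octets[2] << 8 | octets[3]]
            elif 1 <= len(item) <= 4 and all(c in "0123456789abcdefABCDEF" for c in item):
                out.append(int(item, 16))
            else:
                raise ValueError("bad group %r" % item)
        return out

    parts = text.split("::")
    if len(parts) > 2:
        raise ValueError("more than one '::'")
    groups = groups_of(parts[0])
    if len(parts) == 2:
        tail = groups_of(parts[1])
        fill = 8 - len(groups) - len(tail)
        if fill < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = groups + [0] * fill + tail
    if len(groups) != 8:
        raise ValueError("expected 8 groups, got %d" % len(groups))
    value = 0
    for g in groups:
        value = (value << 16) | g
    return value


def to_colon_hex(value, compress=True, ipv4_suffix=False):
    """128-bit integer -> colon hex. compress=False gives the standard form
    (leading zeros within a group dropped); compress=True collapses the longest
    run of two or more zero groups into '::'; ipv4_suffix=True writes the last
    32 bits in dotted decimal, as in ::114.27.62.13."""
    groups = [(value >> (16 * (7 - i))) & 0xFFFF for i in range(8)]
    suffix = None
    if ipv4_suffix:
        suffix = ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))
        groups = groups[:6]
    hexes = ["%X" % g for g in groups]
    start, run = -1, 0
    if compress:
        i = 0
        while i < len(groups):
            j = i
            while j < len(groups) and groups[j] == 0:
                j += 1
            if j - i > run:
                start, run = i, j - i
            i = j + 1
    if run >= 2:
        text = ":".join(hexes[:start]) + "::" + ":".join(hexes[start + run:])
    else:
        text = ":".join(hexes)
    if suffix is not None:
        text += ("" if text.endswith(":") else ":") + suffix
    return text


def to_dotted_decimal(value):
    """All 16 bytes in dotted decimal, the slide's 255.1.0.0.0.0.0.0.0.0.0.0.0.0.0.67 form."""
    return ".".join(str((value >> (8 * (15 - i))) & 0xFF) for i in range(16))


# Address types and binary prefixes from the slide. The IPv4-compatible entry is
# its 96 zero bits; Anycast shares unicast prefixes, so it has no entry of its own.
PREFIXES = [
    ("IPv4-compatible", "0" * 96),
    ("NSAP addresses", "0000001"),
    ("IPX-compatible (obsolete)", "0000010"),
    ("Global unicast", "001"),
    ("Link-local unicast", "1111111010"),
    ("IANA reserved (was site local)", "1111111011"),
    ("Multicast", "11111111"),
]


def address_type(value):
    """Longest-match lookup over the prefix table; anything unmatched is reserved."""
    bits = format(value, "0128b")
    best = max((p for p in PREFIXES if bits.startswith(p[1])), key=lambda p: len(p[1]), default=None)
    return best[0] if best else "Reserved"


if __name__ == "__main__":
    for text in ("FF01:0:0:0:0:0:0:43", "FF01::43", "::114.27.62.13", "FE80::1", "2001:DB8::1"):
        v = parse_colon_hex(text)
        print(text, "->", to_colon_hex(v), to_colon_hex(v, compress=False), address_type(v))
```

Parsing before comparing is the practical lesson: FF01:0:0:0:0:0:0:43 and FF01::43 are the same address, and any allow-list or log search that compares the strings instead of the 128-bit values will miss one spelling of it.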
Aggregatable Global Unicast Addresses
[Figure: Global Routing Prefix (n bits) | Subnet ID (64 - n bits) | Interface ID (64 bits)]
Global Routing Prefix includes a value assigned to the ISP (used for backbone routing) and a value assigned to the subscriber
Subnet ID is assigned by that subscriber to a part of its intranet
Interface ID would probably be a hardware address (e.g. Ethernet) to facilitate easy autoconfiguration
IPv6 Security (IPsec)
Two Extension Headers are devoted to security
Authentication Header (RFC 2402)
– Ensures that the packet was transmitted by the source identified in the packet header
– Guarantees packet contents weren’t altered
Encapsulating Security Payload Header (RFC 2406)
– Packet contents are encrypted to prevent eavesdropping by third parties
Security Associations
Agreement between endpoints about a key, authentication and/or encryption algorithm to be used, etc.
One SA per direction, per algorithm
Two modes – Transport (end-to-end) and Tunnel (between VPN gateways)
Security Association data is held in a secure database on both ends
Indexed by Security Parameter Index (SPI), IP address and AH or ESP Identifier
Authentication Header
[Figure: the Authentication Header laid out in 32-bit words, bit offsets 0, 8, 16, 31]
Next Header | Length | Reserved
Security Parameters Index (SPI)
Sequence Number
Authentication Data (Variable Length)
Length - count of 32-bit words in Authentication Header
Security Parameters Index - identifies a security association (relationship) between source and destination host, typically assigned by destination. Acts as an index to an entry in the Security Association database that indicates which algorithm, algorithm mode, key, and other security properties apply to the associated packet.
Sequence Number – counter to prevent replay attacks
Authentication Data - output of specific authentication algorithm (hash) being used, in multiples of 32 bits. Hash includes shared secret key. Keyed MD-5 and SHA-1 must be supported.
Authentication Header Modes
Transport Mode Authentication Header
Used for authenticating payload end-to-end, where packet is not modified en-route by non-IPv6 entities (i.e., no NAT, no proxies). All IP header fields except Version, Flow Label and Hop Limit are protected.
[Figure: IP Header | Authentication Header | TCP Header | Payload, with the extent of authentication marked across the packet]
Tunnel Mode Authentication Header
Used when packet is being tunneled between VPN gateways, etc. Authentication header is verified by receiving gateway, not destination host. All outer IP header fields except Version, Flow Label and Hop Limit are protected.
[Figure: IP Header | Authentication Header | Inner IP Header | TCP Header | Payload, with the extent of authentication marked across the packet]
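An added example (my code, not the presentation's) of the receiver-side checks the Authentication Header slides describe, in Python: the keyed hash is computed over the packet with the fields the slide calls unprotected (Flow Label, Hop Limit) and the Authentication Data itself zeroed, the result is verified with a constant-time compare, and the Sequence Number is checked against a 64-entry anti-replay window that is advanced only after the hash verifies. HMAC-SHA-1 truncated to 96 bits, the RFC 2404 form, is assumed as the authentication algorithm; the addresses, SPI, key and traffic are constructed placeholders, and the packet is base header + AH + payload with no other extension headers.

```python
import hashlib
import hmac
import struct

AH, TCP = 51, 6
ICV_LEN = 12       # assumed HMAC-SHA-1-96: the 160-bit HMAC truncated to 96 bits
AH_LEN_FIELD = 4   # AH Length counts 32-bit words beyond the first two: (4 + 2) * 4 = 24 bytes
# Constructed placeholders: documentation-prefix addresses and a throwaway key
SRC = bytes.fromhex("20010db8" + "00" * 10 + "0001")
DST = bytes.fromhex("20010db8" + "00" * 10 + "0002")
KEY = b"constructed shared secret, not a real key"


def base_header(next_hdr, payload_len, flow_label=0, hop_limit=64):
    first = (6 << 28) | (flow_label & 0x0FFFFFFF)
    return struct.pack("!IHBB", first, payload_len, next_hdr, hop_limit) + SRC + DST


def canonical(packet):
    """What the keyed hash covers: the packet with the slide's unprotected
    fields (Flow Label, Hop Limit) and the Authentication Data zeroed."""
    b = bytearray(packet)
    struct.pack_into("!I", b, 0, 6 << 28)   # Version kept, Flow Label cleared
    b[7] = 0                                # Hop Limit changes at every router
    b[52:52 + ICV_LEN] = bytes(ICV_LEN)     # ICV sits 12 bytes into the AH at offset 40
    return bytes(b)


def ah_protect(key, spi, seq, next_hdr, payload, flow_label=0, hop_limit=64):
    """Sender: base header + AH + payload, then fill in the ICV."""
    ah = struct.pack("!BBHII", next_hdr, AH_LEN_FIELD, 0, spi, seq) + bytes(ICV_LEN)
    pkt = base_header(AH, len(ah) + len(payload), flow_label, hop_limit) + ah + payload
    icv = hmac.new(key, canonical(pkt), hashlib.sha1).digest()[:ICV_LEN]
    return pkt[:52] + icv + pkt[52 + ICV_LEN:]


class InboundSA:
    """Receiver's record for one SA: the key and the anti-replay state (highest
    sequence number accepted plus a 64-wide bitmap of those just below it)."""
    WINDOW = 64

    def __init__(self, key):
        self.key, self.top, self.bitmap = key, 0, 0

    def accept_sequence(self, seq):
        if seq == 0:
            return False
        if seq > self.top:
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.WINDOW) - 1)
            self.top = seq
            return True
        behind = self.top - seq
        if behind >= self.WINDOW or (self.bitmap >> behind) & 1:
            return False
        self.bitmap |= 1 << behind
        return True


def ah_receive(sa_table, packet):
    """Receiver: find the SA by (SPI, destination), verify the ICV with a
    constant-time compare, and only then consult and advance the replay window,
    so a forged packet can never move it. Returns (accepted, reason)."""
    if len(packet) < 64 or packet[6] != AH:
        return False, "no AH"
    next_hdr, length, _, spi, seq = struct.unpack("!BBHII", packet[40:52])
    sa = sa_table.get((spi, packet[24:40]))
    if sa is None:
        return False, "unknown SPI"
    if length != AH_LEN_FIELD:
        return False, "unexpected AH length"
    expected = hmac.new(sa.key, canonical(packet), hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, packet[52:52 + ICV_LEN]):
        return False, "bad ICV"
    if not sa.accept_sequence(seq):
        return False, "replayed or stale sequence number"
    return True, "ok"


def replay_decisions(seqs):
    """Feed sequence numbers to a fresh SA's replay window; True = accepted."""
    sa = InboundSA(KEY)
    return [sa.accept_sequence(s) for s in seqs]


def run_scenario():
    """Constructed traffic on SPI 0x100: two good packets, a replay of the first,
    a packet with one payload byte flipped, a third packet whose Hop Limit was
    decremented in transit (still valid), and one on an SPI the receiver lacks."""
    table = {(0x100, DST): InboundSA(KEY)}
    p1 = ah_protect(KEY, 0x100, 1, TCP, b"GET / HTTP/1.0\r\n")
    p2 = ah_protect(KEY, 0x100, 2, TCP, b"Host: example\r\n")
    p3 = ah_protect(KEY, 0x100, 3, TCP, b"Connection: close\r\n")
    tampered = p2[:-1] + bytes([p2[-1] ^ 0x01])
    rehopped = p3[:7] + bytes([63]) + p3[8:]
    foreign = ah_protect(KEY, 0x200, 1, TCP, b"x")
    return [ah_receive(table, p)[1] for p in (p1, p2, p1, tampered, rehopped, foreign)]


if __name__ == "__main__":
    print(run_scenario())
```

The order of the checks is the part worth copying: SA lookup, then the ICV, then the sequence number, with the window state touched only for packets that have already authenticated.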
Encapsulating Security Payload Header & Trailer
[Figure: the ESP header, encrypted body and trailer laid out in 32-bit words, bit offsets 0, 8, 16, 31]
Security Parameters Index (SPI) (cleartext)
Sequence Number (cleartext)
Encryption Parameters (encrypted)
TCP Header (encrypted)
Payload (encrypted)
Padding (encrypted) | Padding Len (encr) | Payload Hdr Type
(Optional Authentication Data)
Security Parameters Index – same as Authentication Header
Sequence Number - same as Authentication Header
Encryption Parameters – initialization vector, etc. DES-CBC must be supported.
Payload Hdr Type - functions as encrypted Next Header field (references TCP header in this example)
Encapsulating Security Payload Header Modes
Transport Mode ESP Header
Used for encrypting payload end-to-end, where packet is not modified en-route by non-IPv6 entities (i.e., no NAT, no proxies).
[Figure: IP Header | ESP Header | TCP Header | Payload | ESP Trailer, with the extent of encryption marked]
Tunnel Mode ESP Header
Used when encryption of entire packet is required between VPN gateways, etc. Decryption is performed by receiving gateway, not destination host.
[Figure: IP Header | ESP Header | IP Header | TCP Header | Payload | ESP Trailer, with the extent of encryption marked]
Example of Relationship Between Security Headers
This example assumes authentication + Transport mode (host-to-host) ESP
[Figure: Base Header | Dynamic Extension Hdrs | Authentication Header | ESP Header | Static Extension Hdrs | Transport Segment | ESP Trailer. Cleartext: Base Header, Dynamic Extension Hdrs, Authentication Header, ESP Header. Encrypted: Static Extension Hdrs, Transport Segment, ESP Trailer]
IPSec for IPv4
The features of IPv6 security have been retrofitted into IPv4 as "IPSec"
Used primarily to support VPNs
Problems with lack of integration and inability of applications to request security via an API
Contrast this with IPv6, where security is mandated (more or less) and more directly available to applications
Migration Issues
The “Flag Day” problem
– Can’t simply pull the plug on IPv4 at some prearranged date
IPv4 will be around indefinitely
Need to provide for a phased transition
Tunneling IPv6 Within IPv4
There are “islands” of IPv6 networks connected by the IPv4 Internet
– IPv6-aware border routers encapsulate IPv6 packets within IPv4 headers and tunnel them over IPv4
– Destination border routers strip off the IPv4 header and deliver the IPv6 packet
The experimental 6Bone works this way, with some native IPv6 available (www.6bone.net)
Works reasonably well (not just a hack)
Tunneling IPv6 Within IPv4
[Figure, three slides: IPv6 Source Host – IPv6 Network – Border Router 1 – Internet (IPv4 Only) – Border Router 2 – IPv6 Network – IPv6 Destination Host. The IPv6 Pkt crosses the first IPv6 network unchanged, travels across the IPv4 Internet as IPv4 Hdr + IPv6 Pkt, and is delivered as an IPv6 Pkt again on the far side]
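An added example of the border routers' job in Python, not from the slides: Border Router 1 puts an IPv4 header in front of the whole IPv6 packet, Border Router 2 validates and strips it. The IPv4 protocol number 41 for IPv6-in-IPv4 and the documentation address ranges used for the tunnel endpoints are facts from outside the slides; the inner packet is constructed. The decapsulation side checks the outer source against the configured tunnel peer, because a router that decapsulated protocol-41 packets from anywhere would let outsiders inject traffic into the IPv6 island.

```python
import struct

IPV6_IN_IPV4 = 41  # IPv4 protocol number for IPv6 carried directly in IPv4 (RFC-assigned, not on the slides)
UDP = 17
# Constructed addresses: documentation-range IPv4 tunnel endpoints, documentation IPv6 prefix
ROUTER1_V4 = bytes([192, 0, 2, 1])
ROUTER2_V4 = bytes([198, 51, 100, 1])
SRC6 = bytes.fromhex("20010db8" + "00" * 10 + "0001")
DST6 = bytes.fromhex("20010db8" + "00" * 10 + "0002")


def ipv4_checksum(header):
    """One's-complement sum of the header's 16-bit words, complemented. A header
    whose checksum field is already filled in sums to zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def encapsulate(ipv6_packet, outer_src, outer_dst, ttl=64, ident=0):
    """Border Router 1: a 20-byte IPv4 header (protocol 41, DF set) in front of
    the whole IPv6 packet, ready for the IPv4-only Internet."""
    if len(ipv6_packet) < 40 or ipv6_packet[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    total = 20 + len(ipv6_packet)
    if total > 0xFFFF:
        raise ValueError("too large for one IPv4 packet")
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, ident, 0x4000, ttl,
                      IPV6_IN_IPV4, 0, outer_src, outer_dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ipv6_packet


def decapsulate(ipv4_packet, tunnel_peer):
    """Border Router 2: check the outer header before stripping it. The peer
    check is the one that matters most for the island behind the router."""
    if len(ipv4_packet) < 20 or ipv4_packet[0] != 0x45:
        raise ValueError("expected IPv4 without options")
    if ipv4_checksum(ipv4_packet[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if struct.unpack("!H", ipv4_packet[2:4])[0] != len(ipv4_packet):
        raise ValueError("IPv4 total length mismatch")
    if ipv4_packet[9] != IPV6_IN_IPV4:
        raise ValueError("not IPv6-in-IPv4")
    if ipv4_packet[12:16] != tunnel_peer:
        raise ValueError("outer source is not the tunnel peer")
    inner = ipv4_packet[20:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    if 40 + struct.unpack("!H", inner[4:6])[0] != len(inner):
        raise ValueError("inner payload length mismatch")
    return inner


def decapsulate_error(ipv4_packet, tunnel_peer):
    """Helper: the rejection reason, or None when the packet is accepted."""
    try:
        decapsulate(ipv4_packet, tunnel_peer)
    except ValueError as e:
        return str(e)
    return None


# Constructed inner packet: IPv6 base header + 8-byte UDP header + 4-byte payload
UDP_SEGMENT = struct.pack("!H", 1024) + struct.pack("!HHH", 7, 12, 0) + b"ping"
INNER = struct.pack("!IHBB", 6 << 28, len(UDP_SEGMENT), UDP, 64) + SRC6 + DST6 + UDP_SEGMENT
TUNNELED = encapsulate(INNER, ROUTER1_V4, ROUTER2_V4)

if __name__ == "__main__":
    print(len(TUNNELED), TUNNELED[:20].hex())
    print(decapsulate(TUNNELED, ROUTER1_V4) == INNER)
```

The DF bit in the outer header keeps the IPv4 path from fragmenting tunnel packets, which mirrors the slides' IPv6 rule that only the source fragments; the tunnel's own MTU is simply the IPv4 path MTU minus the 20-byte outer header.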
Header Translation
Used when an IPv6-only host communicates with an IPv4-only host
Requires an intermediate router (gateway) with a dual protocol stack
IPv4-compatible IPv6 addresses help, but this is a messy problem
Impact on Other Internet Protocols
Migrating to IPv6 will have many side effects
Any protocol that transports IP addresses or calculates a pseudoheader-based checksum will have to be modified
These new protocols usually have a “6” or “ng” suffix (e.g. RIPng, OSPF6)
[Figure: affected protocols – RIPv2, OSPF, BGP, UDP, ARP(?), PPP, DHCP, DNS, ICMP, TCP]
IPv6 Products
Done deal
All major players have IPv6 implementations for their OS's and routers
– Cisco
– Nortel
– Microsoft
– Novell
– BSD (KAME)
– Linux
– Solaris
– HP-UX
– Mac OS X
Competition from NAT Boxes
One of the strongest perceived incentives for migration was the shortage of IPv4 addresses
Network Address Translators helped to solve this problem by translating “official” external IP addresses into “private” internal addresses (10.x.x.x, etc.)
Created a disincentive for migration
Relevant RFCs
General IPv6 Info: 1883
Background Info: 1752, 1191, 791, 1700
IPv6 Addressing: 1884, 1887
CIDR: 1519
Security: 1825, 1826, 1827, 2401, 2402, 2406, 2408, 2409
Modifications to other protocols: 1885, 1886
Network Address Translation: 1631
(Close to 100 related RFCs)
Available at www.ietf.org/rfc.html
Useful Books
IPv6 Essentials by S. Hagen (O’Reilly) (Best introduction)
IPng, The New Internet Protocol by C. Huitema (Prentice Hall)
IPng, Internet Protocol Next Generation by S. Bradner & A. Mankin (Addison-Wesley)
Internetworking with TCP/IP Vol. I, 5th Ed. by D. Comer (Prentice Hall)
IPng and the TCP/IP Protocols by S. Thomas (Wiley)
To Get a Copy… ftp://cseftp.uvsc.edu/cns/heldenda/Misc/IPv6_Slides.ppt
Or email me at [email protected]
Please note – this document is copyrighted by the Network Professional Association and cannot be redistributed or posted on web or FTP servers