Coexistence and Transition. Carlos Martínez

Coexistence and Transition

Carlos Martínez
[email protected]

Coexistence and Transition

• The whole structure of the Internet is based on IPv4
• An immediate change of this protocol is impossible due to the size of the Internet
• IPv6 adoption should be performed gradually
• There will be a transition period and coexistence between both protocols
• The IPv4 network needs to communicate with the IPv6 network and vice versa
• To facilitate this process, some techniques have been developed to maintain compatibility between IPv4 and IPv6

Coexistence and Transition

These transition techniques are divided into three categories:

• Dual Stack: provides support for both protocols in the same device
• Tunnels: enable IPv6 traffic over the IPv4 network infrastructure already installed
• Translation: allows communication between nodes that support IPv6 and nodes that support IPv4 only

Dual Stack

• The nodes are capable of sending/receiving both IPv4 and IPv6 packets
• An IPv6/IPv4 node behaves as an IPv6 node when it communicates with an IPv6 node, and as an IPv4 node when it communicates with an IPv4 node
• This node needs at least one IPv6 address and one IPv4 address
• IPv4 needs mechanisms such as DHCP to obtain IPv4 addresses, and IPv6 mechanisms to obtain IPv6 addresses (i.e. autoconfiguration)

[Figure: dual stack protocol layering. Application layer / TCP/UDP / IPv6 and IPv4 side by side / Link layer; an IPv6 packet and an IPv4 packet each enter through their own network-layer protocol]

Dual Stack

• Dual stack networks are capable of routing both packet types
• Things to consider:
  – DNS servers configuration
  – Routing protocols configuration
  – Firewall configuration !!!!
  – Changes in network management

Tunnel techniques

• Also called encapsulation
• The IPv6 content is encapsulated into IPv4 packets
• Can be classified in the following ways:
  – Router-to-Router
  – Host-to-Router
  – Router-to-Host
  – Host-to-Host

Tunnel techniques

There are different forms of encapsulation:

• IPv6 packets encapsulated into IPv4 packets
  – Protocol 41
  – 6to4, ISATAP and Tunnel Brokers
• IPv6 packets encapsulated into GRE packets
  – Protocol GRE
• IPv6 packets encapsulated into UDP packets
  – TEREDO

Tunnel Broker

• Consists of an IPv6 tunnel within an IPv4 network, created on the computer or network that is connected to the ISP that will provide IPv6 connectivity
• The procedure is to register with an ISP Tunnel Broker and download the software or configuration script to establish this tunnel
• The tunnel connection is set up through a web application of the provider that offers this service
• Suitable for small networks or an independent host

ISATAP

• ISATAP (Intra-Site Automatic Tunnel Addressing Protocol): tunneling technique that connects hosts to hosts and routers
• It is not an inter-site tunneling technique; it is used within organizations
• It is useful, for example, when the organization already has valid IPv6 addresses but its internal infrastructure does not support IPv6

ISATAP

Addressing

• With this technique, the IPv4 addresses of the client and the router are used as components of the ISATAP address. With that, an ISATAP node can easily determine the entry and exit points of the IPv6 tunnels, without the need for another protocol or auxiliary resource
• The ISATAP addressing format is:
  – Unicast prefix: any valid unicast IPv6 prefix, which can be link-local (FE80::/64) or global
  – Public or Private IPv4 ID: if the IPv4 address is a public one, this field must be set to "200"; if the address is a private one (192.168.0.0/16, 172.16.0.0/12 or 10.0.0.0/8), this field has to be set to "0"
  – ISATAP ID: always has the value 5EFE
  – IPv4 Address: address of the client or router in IPv4 format
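As an added example (not part of the original slides), the ISATAP address format above in Python: the 64-bit interface identifier is assembled from the public/private ID, the 5EFE constant and the IPv4 address, and the tunnel endpoint's IPv4 address is recovered from an existing ISATAP address. The prefixes and IPv4 addresses used are constructed sample values.

```python
import ipaddress

# Private ranges named on the slide: addresses in them get ID "0", all others ID "200" (hex 0200).
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ISATAP_ID = 0x5EFE
PUBLIC_ID, PRIVATE_ID = 0x0200, 0x0000


def isatap_interface_id(ipv4: str) -> int:
    """Build the 64-bit ISATAP interface ID: [public/private ID:16][5EFE:16][IPv4 address:32]."""
    addr = ipaddress.IPv4Address(ipv4)
    scope_id = PRIVATE_ID if any(addr in net for net in PRIVATE_RANGES) else PUBLIC_ID
    return (scope_id << 48) | (ISATAP_ID << 32) | int(addr)


def isatap_address(prefix: str, ipv4: str) -> str:
    """Combine a /64 unicast prefix (link-local or global) with the ISATAP interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 unicast prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | isatap_interface_id(ipv4)))


def embedded_ipv4(ipv6: str):
    """Return the IPv4 tunnel endpoint embedded in an ISATAP address, or None if it is not ISATAP.

    This is how an ISATAP node finds the tunnel entry/exit point without any extra protocol.
    """
    iid = int(ipaddress.IPv6Address(ipv6)) & ((1 << 64) - 1)   # low 64 bits = interface ID
    scope_id = iid >> 48
    if (iid >> 32) & 0xFFFF != ISATAP_ID or scope_id not in (PUBLIC_ID, PRIVATE_ID):
        return None
    return str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))


if __name__ == "__main__":
    # Constructed sample: a private client address on a link-local prefix, a public one on a global prefix
    print(isatap_address("fe80::/64", "192.168.1.10"))
    print(isatap_address("2001:db8:1:2::/64", "203.0.113.7"))
    print(embedded_ipv4("2001:db8:1:2:200:5efe:cb00:7107"))
```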

GRE

• GRE (Generic Routing Encapsulation): host-to-host static tunnel developed to encapsulate many different types of protocols
• Supported in most operating systems and routers
• This mechanism works by taking the original packet, adding a GRE header, and sending it to the destination IP address
• When the encapsulated packet arrives at the other end of the tunnel, the GRE header is removed and the original packet is processed

[Figure: GRE encapsulation. IPv4 header | GRE header | transported packet]

6rd

• Developed by "Free", a French ISP
  – Detailed in RFC 5569
  – Protocol specification: RFC 5969
• Developed in only 6 weeks
• Enables IPv6 connectivity for IPv4-only networks
  – Must be supported by the client equipment (CPE)
• Depends on two components
  – CPE 6rd: interface between the operator and the user
  – Relay 6rd: interface between the IPv4 network and the IPv6 network

6rd

• Device characteristics
  – CPE
    • xDSL modem, cable modem, 3G modem, etc.
    • Modified software to support 6rd
    • Remote management is recommended
  – Relay 6rd
    • Encapsulates/decapsulates IPv4/IPv6 packets

6rd

• The CPE receives an IPv4 address and an IPv6 address
• The IPv6 address is a public one and is constructed from the assigned IPv4 address using the following model
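The derivation model itself was not extracted with the slides; as an added example (not the deck's own material), the rule from RFC 5969 in Python: the CPE's delegated IPv6 prefix is the provider's 6rd prefix followed by the bits of the CPE's IPv4 address that remain after dropping the first IPv4MaskLen bits, and the relay reverses this to find the CPE's IPv4 tunnel endpoint. The 6rd prefix, mask length and addresses below are constructed sample values.

```python
import ipaddress


def sixrd_delegated_prefix(sixrd_prefix: str, ipv4_mask_len: int, cpe_ipv4: str) -> str:
    """Delegated prefix = 6rdPrefix || (CPE IPv4 address minus its first ipv4_mask_len bits)."""
    net = ipaddress.IPv6Network(sixrd_prefix, strict=True)
    ipv4_bits = 32 - ipv4_mask_len
    if not 0 <= ipv4_mask_len <= 32 or net.prefixlen + ipv4_bits > 64:
        raise ValueError("6rd prefix plus the IPv4 suffix must fit within 64 bits")
    # Keep only the low (32 - IPv4MaskLen) bits: the part of the IPv4 address unique to this CPE
    suffix = int(ipaddress.IPv4Address(cpe_ipv4)) & ((1 << ipv4_bits) - 1)
    delegated_len = net.prefixlen + ipv4_bits
    delegated = int(net.network_address) | (suffix << (128 - delegated_len))
    return str(ipaddress.IPv6Network((delegated, delegated_len)))


def sixrd_endpoint_ipv4(sixrd_prefix: str, ipv4_mask_len: int, ipv4_common: str, ipv6_addr: str) -> str:
    """What the relay does: recover the CPE's IPv4 tunnel endpoint from any address in its delegated prefix.

    ipv4_common supplies the first ipv4_mask_len IPv4 bits shared by the whole 6rd domain.
    """
    net = ipaddress.IPv6Network(sixrd_prefix, strict=True)
    addr = ipaddress.IPv6Address(ipv6_addr)
    if addr not in net:
        raise ValueError("address is outside this 6rd domain")
    ipv4_bits = 32 - ipv4_mask_len
    shift = 128 - net.prefixlen - ipv4_bits
    suffix = (int(addr) >> shift) & ((1 << ipv4_bits) - 1)
    high = int(ipaddress.IPv4Address(ipv4_common)) & ~((1 << ipv4_bits) - 1) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(high | suffix))


if __name__ == "__main__":
    # Constructed sample: whole IPv4 address embedded (IPv4MaskLen = 0) under 2001:db8::/32
    print(sixrd_delegated_prefix("2001:db8::/32", 0, "192.0.2.1"))
    # Constructed sample: provider uses 10.0.0.0/8 internally, so only 24 IPv4 bits are embedded
    print(sixrd_delegated_prefix("2001:db8:100::/40", 8, "10.20.30.40"))
    print(sixrd_endpoint_ipv4("2001:db8:100::/40", 8, "10.0.0.0", "2001:db8:114:1e28::1"))
```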

464XLAT

• Dual IPv4-IPv6 translation method
• Offers a shared IPv4 address for many native IPv6 users
• Uses a stateful translation mechanism (PLAT) and a stateless one (CLAT)
  – CLAT (customer side translator) makes a 1:1 translation: each IPv4 address has a corresponding IPv6 address
  – PLAT (provider side translator) makes a 1:N translation: many IPv6 global addresses correspond to one IPv4 global address

464XLAT

• The IPv6 96-bit prefix is unique per client
• Because it is a 96-bit prefix, the autoconfiguration mechanism is not possible; addresses must be obtained by DHCP
• The CLAT translator can be implemented on CPEs or mobiles
  – Android: http://code.google.com/p/android-clat/
  – Linux: http://www.ivi2.org/IVI/

Security

• Because of the implementation of dual stack techniques, applications are exposed to attacks over both protocols, IPv6 and IPv4; this is addressed with firewall settings specific to each protocol
• Tunnel and translation mechanisms are the ones that cause the greatest impact from the security point of view
• Tunnel mechanisms are susceptible to DoS attacks and to packet and address forgery against the devices that operate as routers and relays, for example in the 6to4 and TEREDO mechanisms
• Translation techniques involve issues related to incompatibilities with some security mechanisms, like those between NAT and IPv4

Security

• How to protect:
  – Implement dual stack during the migration process, protecting both stacks with a firewall
  – Always prefer static over dynamic tunneling
  – Allow only incoming traffic from authorized tunnels
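As an added example (not part of the original slides) of the last two recommendations, a small classifier over raw IPv4 packets that recognises the three encapsulations named earlier in the deck (protocol 41, GRE, Teredo over UDP), drops tunnel traffic from peers that are not on an allowlist of authorized static tunnel endpoints, and drops Teredo outright because a dynamic tunnel has no fixed endpoint to authorize. The allowlist, the packets and their addresses are constructed sample values; GRE's protocol number 47 and Teredo's UDP port 3544 are taken from RFC 2784 and RFC 4380.

```python
import ipaddress
import struct

# Constructed policy: only these IPv4 peers may terminate tunnels at our border (e.g. our tunnel broker).
AUTHORIZED_TUNNEL_ENDPOINTS = {"192.0.2.10"}
IPPROTO_IPV6, IPPROTO_GRE, IPPROTO_UDP = 41, 47, 17   # protocol 41 = IPv6-in-IPv4, 47 = GRE
TEREDO_PORT = 3544                                     # Teredo UDP port (RFC 4380)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Constructed test packet: a minimal 20-byte IPv4 header (checksum left zero for the demo)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_udp(sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Constructed UDP header (no checksum) to carry a Teredo-looking payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify_tunnel(pkt: bytes):
    """Return (tunnel_type, decision) for one IPv4 packet; tunnel_type is None for plain traffic."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return (None, "drop")                       # not an IPv4 packet at all
    ihl = (pkt[0] & 0x0F) * 4                       # header length in bytes
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    tunnel = None
    if proto == IPPROTO_IPV6:
        tunnel = "proto41"
    elif proto == IPPROTO_GRE:
        tunnel = "gre"
    elif proto == IPPROTO_UDP and len(pkt) >= ihl + 8:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if TEREDO_PORT in (sport, dport):
            return ("teredo", "drop")               # dynamic tunnel: no fixed endpoint to authorize
    if tunnel is None:
        return (None, "allow")                      # not tunnelled; normal per-protocol firewall rules apply
    return (tunnel, "allow" if src in AUTHORIZED_TUNNEL_ENDPOINTS else "drop")


if __name__ == "__main__":
    print(classify_tunnel(build_ipv4("192.0.2.10", "198.51.100.1", IPPROTO_IPV6)))   # authorized proto 41
    print(classify_tunnel(build_ipv4("203.0.113.5", "198.51.100.1", IPPROTO_IPV6)))  # unknown peer: dropped
```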