Coexistence and Transition
Carlos Martínez
Coexistence and Transition
• The whole structure of the Internet is based on IPv4
• An immediate change of this protocol is impossible due to the size of the Internet
• IPv6 adoption should be performed gradually
• There will be a transition period and coexistence between both protocols
• The IPv4 network needs to communicate with the IPv6 network and vice versa
• To facilitate this process, some techniques have been developed to maintain compatibility between IPv4 and IPv6
Coexistence and Transition
These transition techniques are divided into three categories:
• Dual Stack: provides support for both protocols in the same device
• Tunnels: enable IPv6 traffic over the IPv4 network infrastructure already installed
• Translation: allows communication between nodes that support IPv6 and nodes that support IPv4 only
Dual Stack
• The nodes are capable of sending/receiving IPv4 and IPv6 packets
• An IPv6/IPv4 node, when it communicates with an IPv6 node, behaves as an IPv6 node, and when it communicates with an IPv4 node, as an IPv4 one
• This node needs at least one IPv6 address and one IPv4 address
• IPv4 needs mechanisms, such as DHCP, to obtain IPv4 addresses, and IPv6 needs mechanisms to obtain IPv6 addresses (i.e. autoconfiguration)
Figure: dual stack layering: application layer; TCP/UDP; IPv6 and IPv4 side by side; link layer; IPv6 packet and IPv4 packet
Dual Stack
• Dual stack networks are capable of routing both packet types
Things to consider:
• DNS server configuration
• Routing protocol configuration
• Firewall configuration !!!!
• Changes in network management
Tunnel techniques
• Also called encapsulation
• The IPv6 content is encapsulated into IPv4 packets
• Can be classified in the following ways:
  – Router-to-Router
  – Host-to-Router
  – Router-to-Host
  – Host-to-Host
Tunnel techniques
There are different forms of encapsulation:
• IPv6 packets encapsulated into IPv4 packets
  – Protocol 41
  – 6to4, ISATAP and Tunnel Brokers
• IPv6 packets encapsulated into GRE packets
  – Protocol GRE
• IPv6 packets encapsulated into UDP packets
  – TEREDO
Tunnel Broker
• Consists of an IPv6 tunnel within an IPv4 network, created on the computer or network that is connected to the ISP that will provide IPv6 connectivity
• The procedure is to register with an ISP Tunnel Broker and download the software or configuration script to establish this tunnel
• The tunnel connection is made through a web server application of the provider that offers this service
• Suitable for small networks or an independent host
ISATAP
• ISATAP (Intra-Site Automatic Tunnel Addressing Protocol): tunneling technique that connects hosts and routers within a site
• It is not a technique for tunneling across the Internet; it is used within organizations
• It is useful, for example, when the organization already has valid IPv6 addresses, but its internal infrastructure does not support IPv6
ISATAP
Addressing
• With this technique, the IPv4 addresses of the client and the router are used as components of the ISATAP address. With that, an ISATAP node can easily determine the entry and exit points of the IPv6 tunnels, without the need for another protocol or auxiliary resource
• The ISATAP address format is:
  – Unicast prefix: any valid unicast IPv6 prefix, which can be link-local (FE80::/64) or global
  – Public or Private IPv4 ID: if the IPv4 address is a public one, this field must be set to "200", and if the address is a private one (192.168.0.0/16, 172.16.0.0/12 or 10.0.0.0/8) this field has to be set to "0"
  – ISATAP ID: always has the value 5EFE
  – IPv4 Address: address of the client or router in IPv4 format
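The address format above, as an added example that is not part of the original slides: a Python function that builds an ISATAP address from a unicast /64 prefix and an IPv4 address, and one that recovers the embedded IPv4 tunnel endpoint from an ISATAP address, which is how a node locates the tunnel entry and exit points. The "200"/"0" field is handled as the 16-bit value 0x0200 or 0x0000; all addresses used are constructed.

```python
import ipaddress

# RFC 1918 ranges named on the slide: these get the "0" ID field, public addresses get "200"
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def isatap_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Build <prefix>:<0200|0000>:5EFE:<IPv4> from a /64 unicast prefix and an IPv4 address."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 6 or net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 IPv6 unicast prefix")
    v4 = ipaddress.IPv4Address(ipv4)
    flag = 0x0000 if any(v4 in n for n in PRIVATE_NETS) else 0x0200
    # interface identifier: 16-bit flag, 16-bit ISATAP ID 5EFE, 32-bit IPv4 address
    iid = (flag << 48) | (0x5EFE << 32) | int(v4)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def isatap_endpoint(addr: str):
    """Return the IPv4 tunnel endpoint embedded in an ISATAP address, or None if not ISATAP."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    flag = iid >> 48
    isatap_id = (iid >> 32) & 0xFFFF
    if isatap_id != 0x5EFE or flag not in (0x0000, 0x0200):
        return None
    return ipaddress.IPv4Address(iid & 0xFFFFFFFF)


if __name__ == "__main__":
    # constructed examples: a private client address and a public router address
    print(isatap_address("fe80::/64", "192.168.1.10"))       # fe80::5efe:c0a8:10a
    print(isatap_address("2001:db8:1:2::/64", "203.0.113.5")) # 2001:db8:1:2:200:5efe:cb00:7105
    print(isatap_endpoint("fe80::5efe:c0a8:10a"))            # 192.168.1.10
```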
GRE
• GRE (Generic Routing Encapsulation): host-to-host static tunnel developed to encapsulate many different types of protocols
• Supported in most operating systems and routers
• This mechanism works by taking the original packet plus a GRE header and sending it to the destination IP address
• When the encapsulated packet arrives at the other end of the tunnel, the GRE header is removed and the original packet is processed
Figure: GRE encapsulation: IPv4 header | GRE header | packet being transported
6rd
• Developed by "Free", a French ISP
  – Detailed in RFC 5569
  – Protocol specification: RFC 5969
• Developed in only 6 weeks
• Enables IPv6 connectivity for IPv4-only networks
  – Must be supported by the client equipment (CPE)
• Depends on two components
  – 6rd CPE: interface between the operator and the user
  – 6rd Relay: interface between the IPv4 network and the IPv6 network
6rd
• Device characteristics
  – CPE
    • xDSL modem, cable modem, 3G modem, etc.
    • Modified software to support 6rd
    • Remote management is recommended
  – 6rd Relay
    • Encapsulates/decapsulates IPv4/IPv6 packets
6rd
• The CPE receives an IPv4 address and an IPv6 address
• The IPv6 address is a public one and is constructed from the assigned IPv4 address using the following model
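The 6rd address construction, as an added example that is not part of the original slides: the RFC 5969 rule (the operator's 6rd prefix followed by the CPE's IPv4 address with its first IPv4MaskLen bits, common to all customers, removed) in Python, plus the reverse computation a 6rd relay performs to recover the CPE's IPv4 address from an IPv6 destination when it encapsulates. The 6rd prefix, mask length and addresses are constructed values, not Free's.

```python
import ipaddress


def sixrd_delegated_prefix(sixrd_prefix: str, ipv4_mask_len: int, ce_ipv4: str) -> ipaddress.IPv6Network:
    """CPE side: 6rdPrefix || (IPv4 address minus its first IPv4MaskLen bits), per RFC 5969."""
    p = ipaddress.IPv6Network(sixrd_prefix, strict=False)
    v4 = int(ipaddress.IPv4Address(ce_ipv4))
    suffix_bits = 32 - ipv4_mask_len
    suffix = v4 & ((1 << suffix_bits) - 1)            # keep only the customer-specific low bits
    new_len = p.prefixlen + suffix_bits                # e.g. /32 + 32 bits = /64
    addr = int(p.network_address) | (suffix << (128 - new_len))
    return ipaddress.IPv6Network((addr, new_len))


def sixrd_ce_ipv4(sixrd_prefix: str, ipv4_mask_len: int, common_ipv4: str, v6: str) -> ipaddress.IPv4Address:
    """Relay side: recover the CPE's IPv4 address from any address inside its 6rd prefix.
    common_ipv4 supplies the IPv4MaskLen high bits shared by every CPE (ignored when the mask is 0)."""
    p = ipaddress.IPv6Network(sixrd_prefix, strict=False)
    v6i = int(ipaddress.IPv6Address(v6))
    suffix_bits = 32 - ipv4_mask_len
    shift = 128 - p.prefixlen - suffix_bits
    suffix = (v6i >> shift) & ((1 << suffix_bits) - 1)
    high = int(ipaddress.IPv4Address(common_ipv4)) & ~((1 << suffix_bits) - 1)
    return ipaddress.IPv4Address(high | suffix)


if __name__ == "__main__":
    # constructed: operator prefix 2001:db8::/32, no common IPv4 bits, CPE address 192.0.2.33
    print(sixrd_delegated_prefix("2001:db8::/32", 0, "192.0.2.33"))   # 2001:db8:c000:221::/64
    # constructed: all CPEs inside 10.0.0.0/8, so 8 common bits are dropped and the CPE gets a /56
    print(sixrd_delegated_prefix("2001:db8::/32", 8, "10.1.2.3"))     # 2001:db8:102:300::/56
    print(sixrd_ce_ipv4("2001:db8::/32", 8, "10.0.0.0", "2001:db8:102:300::1"))  # 10.1.2.3
```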
464XLAT
• Dual IPv4/IPv6 translation method
• Offers a shared IPv4 address for many native IPv6 users
• Uses a stateful translation mechanism (PLAT) and a stateless one (CLAT)
  – CLAT (customer side translator) makes a 1:1 translation; each IPv4 address has a corresponding IPv6 address
  – PLAT (provider side translator) makes a 1:N translation; many IPv6 global addresses correspond to one IPv4 global address
464XLAT
• The IPv6 96-bit prefix is unique per client
• Because it is a 96-bit prefix, the autoconfiguration mechanism is not possible; addresses must be obtained by DHCP
• The CLAT translator can be implemented on CPEs or mobiles
• Android: http://code.google.com/p/android-clat/
• Linux: http://www.ivi2.org/IVI/
Security
• Because of the implementation of dual stack techniques, applications are exposed to attacks over both protocols, IPv6 and IPv4, which is solved with specific firewall settings for each protocol
• Tunnel and translation mechanisms are those that cause the greatest impact from the security point of view
• Tunnel mechanisms are susceptible to DoS attacks and to packet and address forgery against the devices that operate as routers and relays, for example in the 6to4 and TEREDO mechanisms
• Translation techniques involve issues related to incompatibilities with some security mechanisms, like those between NAT and IPv4
Security
How to protect:
• Implement dual stack in the migration process, protecting both stacks with a firewall
• Always prefer static over dynamic tunneling
• Allow only incoming traffic from authorized tunnels
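The last rule, together with the forgery risk for 6to4 relays on the previous slide, as an added example that is not part of the original slides: a Python filter for inbound protocol-41 (IPv6-in-IPv4) packets that accepts them only from a constructed set of authorized tunnel endpoints and, for 6to4 inner sources (2002::/16), drops packets whose embedded IPv4 address does not match the outer IPv4 source. The packet builder exists only to construct test input and sets no checksums.

```python
import ipaddress
import struct

# constructed: the only remote endpoints this site has agreed to tunnel with (broker, 6to4 peer)
AUTHORIZED_TUNNEL_ENDPOINTS = {ipaddress.IPv4Address("203.0.113.5")}
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def build_proto41_packet(outer_src: str, outer_dst: str, inner_src: str, inner_dst: str) -> bytes:
    """Constructed test input: minimal IPv4 header (proto 41) carrying an IPv6 header, no payload."""
    v6 = struct.pack("!IHBB", 0x60000000, 0, 59, 64)  # ver 6, payload len 0, next hdr 59, hop limit 64
    v6 += ipaddress.IPv6Address(inner_src).packed + ipaddress.IPv6Address(inner_dst).packed
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0, 64, 41, 0,
                     ipaddress.IPv4Address(outer_src).packed, ipaddress.IPv4Address(outer_dst).packed)
    return v4 + v6


def classify_tunnel_packet(pkt: bytes) -> str:
    """Return 'accept' or a 'drop: ...' reason for one inbound IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "drop: not IPv4"
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    outer_src = ipaddress.IPv4Address(pkt[12:16])
    if proto != 41:
        return "accept"  # not tunnel traffic; the ordinary per-protocol rules apply
    if outer_src not in AUTHORIZED_TUNNEL_ENDPOINTS:
        return "drop: proto 41 from unauthorized tunnel endpoint"
    inner = pkt[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return "drop: malformed inner IPv6 header"
    inner_src = ipaddress.IPv6Address(inner[8:24])
    if inner_src in SIX_TO_FOUR:
        # 2002:V4ADDR::/48 embeds the 6to4 router's IPv4 address in bits 80..111
        embedded = ipaddress.IPv4Address((int(inner_src) >> 80) & 0xFFFFFFFF)
        if embedded != outer_src:
            return "drop: 6to4 source does not match outer IPv4 source"
    return "accept"


if __name__ == "__main__":
    # constructed: legitimate 6to4 packet from 203.0.113.5 (2002:cb00:7105::/48) and a forged one
    print(classify_tunnel_packet(build_proto41_packet("203.0.113.5", "198.51.100.1", "2002:cb00:7105::1", "2001:db8::1")))
    print(classify_tunnel_packet(build_proto41_packet("203.0.113.5", "198.51.100.1", "2002:c633:6401::1", "2001:db8::1")))
```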