1 teredo - tunneling ipv6 through nats date: 2003-10-31 speaker: quincy wu national chiao tung...

1

Teredo- Tunneling IPv6 through NATs

Date: 2003-10-31

Speaker: Quincy WuNational Chiao Tung University

2

IPv4–to–IPv6 Transition Strategy (RFC 2893)

• Dual Stack– Reduce the cost invested in transition by running both

IPv4/IPv6 protocols on the same machine .

• Tunneling– Reduce the cost in wiring by re-using current IPv4

routing infrastructures as a virtual link.

• Translation– Allow IPv6 realm to access the rich contents already

developed on IPv4 applications

3

Tunnels of IPv6 over IPv4

• Encapsulating the IPv6 packet in an IPv4 packet

• Tunneling can be used by routers and hosts

IPv4IPv6 Network

IPv6 Network

Tunnel: IPv6 in IPv4 packet

IPv6 Host

Dual-Stack Router

Dual-Stack Router

IPv6 Host

IPv6 HeaderIPv6 HeaderIPv4 HeaderIPv4 Header

IPv6 HeaderIPv6 Header Transport Header

Transport Header DataData

DataDataTransport Header

Transport Header

4

IPv4

Manually Configured TunnelDual-Stack

Router

IPv4: 140.119.209.254

IPv6: 2001:288:03a1:210::3/127

FreeBSD4.7#gifconfig gif0 140.119.209.254 140.113.199.2ifconfig gif0 inet6 2001:288:03a1:210::2 2001:288:3a1:210::3 prefixlen 128

Dual-Stack Host

IPv4: 140.113.199.2

IPv6: 2001:288:03a1:210::2/127

5

6to4 Tunnel (RFC 3056)

IPv4IPv6 Network

IPv6 Network

6to4 Router2

6to4 Router1

140.119.209.254 140.113.199.250Network prefix:

2002:8C77:D1FE::/48

Network prefix:

2002:8C71:C7FA::/48= =

E0 E0

router2#interface Ethernet0 ip address 140.113.199.250 255.255.255.0 ipv6 address 2002:8C71:C7FA:1::/64 eui-64interface Tunnel0 no ip address ipv6 unnumbered Ethernet0 tunnel source Ethernet0 tunnel mode ipv6ip 6to4

ipv6 route 2002::/16 Tunnel0

6to4 Tunnel: – Is an automatic tunnel method– Gives a prefix to the attached IPv6 network– 2002::/16 assigned to 6to4– Requires one global IPv4 address on each site

6

6to4 Tunnel

IPv4IPv6 Network

IPv6 Network

6to4 Router2

6to4 Router1

140.113.131.1 140.119.209.250Network prefix:

2002:8C71:8301::/48

Network prefix:

2002:8C77:D1FE::/48

E0 E0

2002:8C71:8301:1::3

2002:8C77:D1FE:2::5

IPv6 SRC 2002:8C71:8301:1::3

IPv6 SRC 2002:8C71:8301:1::3

DataData

IPv6 DEST 2002:8C77:D1FE:2::5

IPv6 DEST 2002:8C77:D1FE:2::5

IPv6 SRC 2002:8C71:8301:1::3

IPv6 SRC 2002:8C71:8301:1::3

DataData

IPv6 DEST 2002:8C77:D1FE::5

IPv6 DEST 2002:8C77:D1FE::5

IPv6 SRC 2002:8C71:8301:1::3

IPv6 SRC 2002:8C71:8301:1::3

DataData

IPv6 DEST 2002:8C77:D1FE:2::5

IPv6 DEST 2002:8C77:D1FE:2::5

IPv4 SRC 140.113.131.1

IPv4 SRC 140.113.131.1

IPv4 DEST 140.113.119.250

IPv4 DEST 140.113.119.250

7

IPv6 Tunneling Problem (1/2)

IPv6 Network

IPv4 IPv6 Network

6to4 Router

NAT

2 3 41 6to4 Router

A

B C

D

140.113.131.2140.119.209.250

2002:8C77:D1FE:2::5

10.0.0.1Network prefix:

2002:8C77:D1FE::/48

IPv6 SRC 2002:A00:1:1::3

IPv6 SRC 2002:A00:1:1::3

DataData

IPv6 DEST 2002:8C77:D1FE:2::5

IPv6 DEST 2002:8C77:D1FE:2::5

IPv4 SRC 10.0.0.1

IPv4 SRC 10.0.0.1

IPv4 DEST 140.119.209.250

IPv4 DEST 140.119.209.250

Network prefix:

2002:A00:1::/48

2002:A00:1:1::3

IPv6 SRC 2002:A00:1:1::3

IPv6 SRC 2002:A00:1:1::3

DataData

IPv6 DEST 2002:8C77:D1FE:2::5

IPv6 DEST 2002:8C77:D1FE:2::5

IPv4 SRC 140.113.131.2

IPv4 SRC 140.113.131.2

IPv4 DEST 140.119.209.250

IPv4 DEST 140.119.209.250

IPv6 SRC 2002:A00:1:1::3

IPv6 SRC 2002:A00:1:1::3

DataData

IPv6 DEST 2002:8C77:D1FE:2::5

IPv6 DEST 2002:8C77:D1FE:2::5

IPv6 SRC 2002:A00:1:1::3

IPv6 SRC 2002:A00:1:1::3

DataData

IPv6 DEST 2002:8C77:D1FE:2::5

IPv6 DEST 2002:8C77:D1FE:2::5

E0E0

8

IPv6 Tunneling Problem (2/2)

IPv6 Network

IPv4 IPv6 Network

6to4 Router

NAT

Destination isPrivate Address!

5

6to4 Router

6

A

B C

D

140.113.131.2140.119.209.250

2002:8C77:D1FE:2::5

10.0.0.1Network prefix:

2002:8C77:D1FE::/48

Network prefix:

2002:A00:1::/48

2002:A00:1:1::3

IPv4 SRC 140.119.209.250

IPv4 SRC 140.119.209.250

IPv4 DEST 10.0.0.1

IPv4 DEST 10.0.0.1

IPv6 SRC 2002:8C77:D1Fe:2::5

IPv6 SRC 2002:8C77:D1Fe:2::5

DataData

IPv6 DEST 2002:A00:1:1::3

IPv6 DEST 2002:A00:1:1::3

E0E0

IPv6 SRC 2002:8C77:D1Fe:2::5

IPv6 SRC 2002:8C77:D1Fe:2::5

DataData

IPv6 DEST 2002:A00:1:1::3

IPv6 DEST 2002:A00:1:1::3

?

9

Teredo Service

• Allow hosts behind NAT to access IPv6 without modifying NAT. It contains three basic components:– Teredo Client

• A node wants to gain access to the IPv6 Internet.– Teredo Server

• helper to provide IPv6 connectivity to Teredo clients.– Teredo Relay

• An IPv6 router that can receive traffic from IPv6 realm to Teredo clients and vice versa.

10

Teredo Operation Model

IPv4

Teredo Client

Teredo Relay

NATTeredo Server

• Teredo Client gets its Teredo IPv6 address from Teredo Server.

• Use Teredo Relay as Relay router.

IPv4 Header

UDP Header

Teredo Header

IPv6 packet

Teredo IPv6 Tunnel

Teredo address?

Your Teredo address.

IPv6 Host

IPv6 Network

11

Teredo Address Encoding

• Teredo Prefix: 32 bit Teredo service prefix.– 3FFE:831F::/32

• Teredo Server IPv4: IPv4 address of the Teredo server.• Flags: 16 bits that document type of address and NAT.

– Bit pattern: “C00000UG00000000”– C=1 if NAT is cone.– UG should set to “00”.

• Obscured Teredo Client External Port: mapped UDP port of the client• Obscured Teredo Client External IPv4: mapped IPv4 address of the client

Obfuscated: XOR every bits in the field with 1, prevent over-genius NAT’s translation.

Teredo Prefix Teredo Server IPv4 Flags Obscured Teredo Client Ext

ernal Port

Obscured Teredo Client External IPv4

32bits 32bits 32bits16bits16bits

12

Teredo Tunnel: To host behind NAT

IPv4

Teredo Client

Teredo Relay

NATIPv6

NetworkTeredo Server

1

2

3

140.113.131.1

2001:238:F88:131::7

3FFE:831F:8C71:8337::F227:738E:7CFE

IPv4 SRC 140.113.131.73

IPv4 SRC 140.113.131.73

IPv4 DEST 140.113.131.1

IPv4 DEST 140.113.131.1

140.113.131.55

140.113.131.73

IPv6 SRC 2001:238:F88:131::7IPv6 SRC 2001:238:F88:131::7

DataData

IPv6 DEST 3FFE:831F:8C71:8337::F

227:738E:7CFE


227:738E:7CFEIPv6 SRC 2001:238:F88:131::7IPv6 SRC 2001:238:F88:131::7

DataData


227:738E:7CFE


227:738E:7CFE

IPv4 SRC 140.113.131.3

IPv4 SRC 140.113.131.3

IPv4 DEST 10.0.0.1

IPv4 DEST 10.0.0.1

IPv6 SRC 2001:238:F88:131::7IPv6 SRC 2001:238:F88:131::7

DataData


227:738E:7CFE


227:738E:7CFE

UDP SRC 3544

UDP SRC 3544

UDP DEST 54392

UDP DEST 54392

UDP SRC 3544

UDP SRC 3544

UDP DEST 3544

UDP DEST 3544

13

Teredo Client

HiNet

IPv6 Network

NAT

IPv4 Network

NAT

Teredo Server

Teredo Client

Teredo Client

IPv6 only

IPv6 only

IPv6 only

Teredo Relay

DNS

Trial of Teredo in NCTU

14

Protocol Decoder in Ethereal

= 140.113.131.74

Port: 56500

15

Conclusion

• Many users get private IPv4 address from their service providers, such as WLAN and GPRS. These users are unable to create IPv6 tunnels.

• Before all NAT devices can be upgraded to support IPv6, Teredo service is useful for ISPs to provide IPv6 access to their users behind NAT.

1 teredo - tunneling ipv6 through nats date: 2003-10-31 speaker: quincy wu national chiao tung...

Documents

ipv6 address

ipv6 packet

ipv6 realm

tunnels of ipv6

data ipv6 dest

attached ipv6 network

e0 ipv6 src

hosts ipv4 ipv6 network