Gianluca Reali, IPv6 Tutorial (conan.diei.unipg.it/RCM/lucidiRCM/IPv6.pdf)


Post on 20-Aug-2020


IPv6 Tutorial

Gianluca Reali


IPv6 - Important changes

• Expanded Address Space
  – Address length quadrupled to 16 bytes

• Header Format Simplification
  – Fixed length, optional headers are daisy-chained
  – IPv6 header is twice as long (40 bytes) as IPv4 header without options (20 bytes)

• No checksumming at the IP network layer

• No hop-by-hop segmentation
  – Path MTU discovery

• 64 bits aligned

• Authentication and Privacy Capabilities
  – IPsec is mandated

• No more broadcast


IPv4 - Datagram

Header layout (field widths in bits; each row covers bits 0-31):

Version (4) | IHL (4) | Type of Service (8) | Total Length (16)
Identifier (16) | Flag (3) | Fragment Offset (13)
Time To Live (8) | Protocol (8) | Header Checksum (16)
Source Address (32)
Destination Address (32)
Options & Padding (multiple of 32)
Data

• Version = 4

• IHL - Internet Header Length = 5 with no header options [min = 160 bits] [max = 512 bits]

• Type of service, desired quality of service (bits 0-7: Prec. D T R 0 0)

Bits 0-2: Precedence
Bit 3 (D): Normal delay / Low delay
Bit 4 (T): Normal throughput / High throughput
Bit 5 (R): Normal reliability / High reliability
Bits 6-7: Reserved

• Identification, Flags, Fragment Offset - used for segmentation and reassembly of packets

Bit 0 = Reserved; must be 0
Bit 1 = DF (0 = may fragment; 1 = do not fragment)
Bit 2 = MF (0 = last fragment; 1 = more fragments)

• Options and Padding - additional info to control functions such as routing and security


Issue on header format

[Figure: IPv4 header layout: vers, hlen, TOS, total length; identification, flag, frag offset; TTL, protocol, header checksum; source address; destination address; options and padding]

• The checksum in the header format covers only the header. It must be recomputed whenever a header value changes. The TTL value is decremented at every hop. Therefore, the computation is done at every router hop.

• The Options and Padding field is checked at every router hop, which uses up router processing time and degrades router performance.


IPv4 addressing

Network Address (where you are connected) | Host Address (who you are)

202.188.125.67

Features Presentation

• 32-bit address

• Represents Network & Host Address

• Divided into Classes
  Class A 0.0.0.0-127.255.255.255
  Class B 128.0.0.0-191.255.255.255
  Class C 192.0.0.0-223.255.255.255

• Later adopted CIDR: 192.228.0.0/16 or 192.228.0.0/20 ...


IPv4 address type

• “Unicast” Address : Specified for a single recipient, i.e. interface.

• Multicast Address : 224.0.0.0/4

• Broadcast Address : e.g. 192.228.128.255

• Unspecified Address : 0.0.0.0

• Loopback Address : 127.0.0.1


Address space

- Communications appliances (e.g. phone, pager)
- Information appliances (e.g. electronic books)
- Entertainment appliances (e.g. set-top boxes)

• More connected devices
• More management costs
• More demanding applications

• IPv4 with only 32 bits gave approximately 4.3 x 10^9 addresses

LARGE ADDRESS SPACE NEEDED

Facts: With the current world population, 2 persons need to share an IP address


Limitation to IPv4 addressing

• Decision to stick with 32-bit address space meant that there were only 2^32 (4,294,967,296) IPv4 addresses available

• Classful A, B, and C octet boundaries are easy to understand but inefficient to deploy in the real world. A /24 is too small for an average organization, while a /16 is too big!

[Figure: Internet growth, IPv4]


The HD Ratio (RFC 3194)

• measures “pain level” of a given level of utilization of a hierarchical address space, on a scale of 0 to 1

• HD = log(number of addressed objects) / log(total number of addresses)

• historical analysis of IPv4, US phone numbers, French phone numbers, DECnet IV, etc. shows remarkable consistency:

HD = 0.80 manageable (51M for 32-bit space)
HD = 0.85 painful (154M for 32-bit space)
HD = 0.87 practical limit (240M for 32-bit space)


Fragmentation

[Figure: an MTU-limited link turns datagrams into fragments, which are collected in the receiving computer's fragment reassembly buffer]

• A process used by IP to reduce the size of packets (so that they are acceptable to the MTU size)

• Fragments are reassembled at the final destination (based on the identification field, fragment offset and flags)

• How?


Fragmentation flag

• Identification Number: 16-bit integer value used to identify all fragments. This ID is not a sequence number!

• Flags - 3 bits that control fragmentation

[Figure: IPv4 header layout with the flag field expanded into R, DF and MF]

R: reserved, must be 0
DF: 0 = may fragment, 1 = don’t fragment
MF: 0 = last fragment, 1 = more fragments

• Fragment offset - indicates the distance of the fragment data from the start of the original datagram, measured in units of 8 octets


Fragmentation sample

IP packets: IP Header | UDP | UDP Data (2000 bytes), sent over Ethernet with MTU 1500

Fragment #1: IP Header | UDP | data 0..1472 bytes
Identification=26304 MF = 1 Fragment Offset = 0

Fragment #2: IP Header | data 1472..2000
Identification=26304 MF = 0 Fragment Offset = 184 (=1472/8)


Problems in fragmentation

• The end node has no way to know how many fragments there will be.

• Every fragment travels independently. If any fragment is lost, the whole datagram must be discarded

• If any fragment fails to arrive (timer), the whole datagram must be discarded

• IP makes no attempt to recover from these situations (connectionless). It only gives an ICMP error, e.g. “Packet too big”


Avoiding fragmentation

• Set DF=1 and the message will not be fragmented. But if the message is larger than the link is able to accept, the message will be discarded from the network

• The standard recommends that all networks supporting TCP/IP should have an MTU of at least 576 bytes (packets of that size are guaranteed never to be fragmented)


Routing problems

• Large Backbone Routing Table
  Backbone routing table explosion, ~90K routes. A problem with legacy IPv4.

• Routing Performance
  At every hop the router needs to check and verify the header checksum. This increases processing time and degrades routing performance.

  Fragmentation of packets is also done by routers, and a packet might need to be fragmented several times. This also affects routing performance.

A hierarchical addressing scheme should be adopted, and simplified header fields can ease the router burden.


Internet security

[Figure: long messages crossing the Internet]

• Eavesdropping
• Spoofing
• Forgery
• Packet drops
• Denial of service


IP layer security

• Security at Network Layer.

• Confidentiality, Integrity, and Authentication are key services used to protect against these threats

• If data is encrypted and integrity-protected while in transit, a perpetrator cannot observe it or modify it undetected.

• Security in IPv4 is not mandated. We have to run IPsec on top of IP.

With strong network-layer authentication, identity spoofing and denial of service can be prevented


Host auto-configuration

Stateful Server Mode, via DHCP

[Figure: the host sends a DHCP request to the DHCP server, and the server sends back a DHCP response]

Stateless Server mode will be a better solution and can save cost


Quality of Service

• Quality of Service in IPv4 uses best-effort delivery services, for data to arrive at its destination as soon as possible.

• No reservation of bandwidth. This is adequate for traditional applications such as Telnet and FTP. But nowadays, multimedia applications need real-time and sensitive data transfer over the network. Therefore, better QoS is needed.

An improved Quality of Service needs to be implemented.


Before IPv6…

IP version numbers:

0-3 unassigned
4 Internet Protocol, IP (current version)
5 Stream Protocol, ST (not a new version of IP)
6 IPv6 (formerly SIP, SIPP)
7 CATNIP (formerly IPv7, TP/IX; deprecated)
8 Pip (deprecated)
9 TUBA (deprecated)
10-15 unassigned

Note: The IPv6 working group was formed, chaired by Steve Deering (Cisco Systems, Inc) and Robert Hinden (Nokia)


What are IPv6 advantages?

• scalable IP address with streamlined IP header
• optimized routing table size (<10K routes)
• better real time support
• self-configuration of workstations
• security features

Note: IPv6 was designed to re-build and re-engineer IPv4; thus it still inherits some of IPv4’s characteristics but rejects its flaws


IPv6 packet structure

IPv6 packet = IPv6 Header | Extension Headers | Higher-level protocol header + application content
(header = IPv6 Header; payload = everything that follows it)

Definitions:
IP header provides addressing and control
IP payload carries information and error/control protocols

• Extension headers (optional): hop-by-hop, routing, fragment, authentication, encryption & destination header

• Higher-level protocol header: ICMPv6, UDP & TCP


Header comparison

Removed (6)
• ID, flags, frag offset
• TOS, hlen
• header checksum

Changed (3)
• total length => payload
• protocol => next header
• TTL => hop limit

Added (2)
• traffic class
• flow label

Expanded
• address 32 to 128 bits

IPv4 header (20 bytes), each row covers bits 0-31:

vers | hlen | TOS | total length
identification | flags | frag offset
TTL | protocol | header checksum
source address
destination address
options and padding

IPv6 header (40 bytes):

vers | traffic class | flow label
payload length | next header | hop limit
source address
destination address


Major improvement

[Figure: IPv4 header layout: vers, hlen, TOS, total length; identification, flags, frag offset; TTL, protocol, header checksum; source address; destination address; options and padding]

1- No Options. The Options field is replaced with extension headers. The removal of the options results in a fixed-length, 40-byte IP header.

2- No header checksum. The transport and data link layers already perform checksumming. The removal of this feature leads to faster IP packet processing.

3- No segmentation procedure by routers. With path MTU discovery in IPv6, only the source host performs the fragmentation process. Removal of this procedure speeds up IP forwarding in routers.


Extension headers (RFC 2460)

IPv6 packet = IPv6 Header | Extension Headers | Higher-level protocol header + application content

Without extension headers (IP header | IP Payload):
[IPv6 header, next header=TCP] [TCP header + data]

With one extension header (IP header | Extension header | IP Payload):
[IPv6 header, next header=routing] [Routing header, next header=TCP] [TCP header + data]

With several extension headers (IP header | Extension headers | IP Payload):
[IPv6 header, next header=routing] [Routing header, next header=fragment] [Fragment header, next header=TCP] [fragment of TCP header + data]

• Extension headers include hop-by-hop, destination, routing, fragment, authentication and encapsulating security payload


IPv6 Header Options (RFC 2460)

• Processed only by the node identified in the IPv6 Destination Address field => much lower overhead than IPv4 options
  exception: Hop-by-Hop Options header

• Eliminated IPv4’s 40-octet limit on options
  in IPv6, the limit is total packet size, or Path MTU in some cases

Currently defined headers should appear in the following order:
– IPv6 header
– Hop-by-Hop Options header
– Destination Options header
– Routing header
– Fragment header
– Authentication header (RFC 1826)
– Encapsulating Security Payload header (RFC 1827)
– Destination Options header
– upper-layer header
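The daisy chain and the recommended order above, as an added example that is not part of the original slides: a parser that follows the Next Header fields of a packet and reports headers that appear out of order, which is what a filter or sensor must do before it can see the upper-layer protocol. The packets are constructed here with placeholder addresses and empty 8-byte extension headers; all function names are hypothetical.

```python
import struct

# Next Header values (IANA protocol numbers) of the headers named on the slide.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
NAMES = {HOP_BY_HOP: "hop-by-hop", ROUTING: "routing", FRAGMENT: "fragment",
         ESP: "esp", AH: "authentication", DEST_OPTS: "destination",
         6: "tcp", 17: "udp", 58: "icmpv6", 59: "no-next-header"}
EXTENSION = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS}
# Rank in the recommended order. "destination" is absent because it may appear
# twice: rank 1 (before the Routing header) or rank 6 (just before the upper layer).
RANK = {"hop-by-hop": 0, "routing": 2, "fragment": 3, "authentication": 4, "esp": 5}


def walk_chain(packet: bytes):
    """Follow the Next Header fields; return (extension header names, upper layer)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset, chain = packet[6], 40, []
    while next_header in EXTENSION:
        chain.append(NAMES[next_header])
        if next_header == ESP:
            # Everything after the ESP header is encrypted: the walk stops here.
            return chain, "encrypted"
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        following, length_field = packet[offset], packet[offset + 1]
        if next_header == FRAGMENT:
            length = 8                        # Fragment header has a fixed size
        elif next_header == AH:
            length = (length_field + 2) * 4   # AH length is in 32-bit words, minus 2
        else:
            length = (length_field + 1) * 8   # 8-octet units, first 8 octets not counted
        if offset + length > len(packet):
            raise ValueError("extension header runs past the end of the packet")
        offset, next_header = offset + length, following
    return chain, NAMES.get(next_header, f"protocol-{next_header}")


def order_violations(chain):
    """Return the headers that break the recommended order listed on the slide."""
    last, bad = -1, []
    for name in chain:
        if name == "destination":
            rank = 1 if last < 1 else 6
        else:
            rank = RANK[name]
        if rank <= last:
            bad.append(name)
        else:
            last = rank
    return bad


def sample_packet(order):
    """Build a constructed packet whose extension headers follow `order`, ending in TCP."""
    body, next_header = bytes(20), 6          # 20 zero bytes stand in for a TCP header
    for header in reversed(order):
        # Minimal 8-byte header: Next Header, length/reserved byte = 0, six zero bytes.
        body = bytes([next_header, 0]) + bytes(6) + body
        next_header = header
    src = bytes.fromhex("20010db8000000000000000000000001")  # documentation prefix
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(body), next_header, 64) + src + dst + body


if __name__ == "__main__":
    # Third chain from the slide: IPv6 -> routing -> fragment -> TCP.
    print(walk_chain(sample_packet([ROUTING, FRAGMENT])))
    # A constructed out-of-order chain: hop-by-hop must come first.
    chain, _ = walk_chain(sample_packet([FRAGMENT, HOP_BY_HOP]))
    print(chain, "violations:", order_violations(chain))
```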


IPv6 Header Options (RFC2460)


Fragmentation

• IPv6 fragmentation & reassembly is an end-to-end function

• Routers do not fragment packets BUT only send the ICMP “message too big” (with the new MTU size) using the Path MTU Discovery feature

• Advantage: better router performance; that is, intermediate routers don’t have to check the fragmentation fields (identification + flags + fragment offset fields) every time packets pass through them


Path MTU discovery

[Figure: path from Source through routers A and B to Destination, over FDDI links (MTU=4500) and an Ethernet link (MTU=1500); an ICMP “packet too big” message is returned to the source]

For packets bigger than 1280 bytes, path MTU discovery is expected:

• start by assuming the MTU of the first-hop link

• if a packet reaches a link into which it does not fit, an ICMP “packet too big” is generated and sent back to the source

• then the source fragments the packet into smaller chunks (following this new MTU size) and starts this process all over again
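The discovery loop and the source-side fragmentation described above, as an added example that is not part of the original slides. The link MTU lists are constructed from the figure's values, the 8-byte Fragment header and 8-octet offset units are those of RFC 2460, and the function names are hypothetical.

```python
IPV6_HEADER = 40      # fixed IPv6 header, bytes
FRAGMENT_HEADER = 8   # Fragment extension header, bytes


def discover_path_mtu(link_mtus, packet_size):
    """Return (path MTU, MTUs reported in ICMP "packet too big" messages)."""
    path_mtu = link_mtus[0]            # start by assuming the first-hop link MTU
    reported = []
    while True:
        size = min(packet_size, path_mtu)
        # First link on the path that cannot carry a packet of this size.
        blocking = next((mtu for mtu in link_mtus if size > mtu), None)
        if blocking is None:
            return path_mtu, reported  # the packet crossed every link
        reported.append(blocking)      # router drops the packet and reports its MTU
        path_mtu = blocking            # source lowers its estimate and starts over


def fragment_at_source(payload_len, path_mtu):
    """Split a payload into (offset in 8-octet units, data bytes, M flag) tuples.

    A payload that fits is returned as one entry and is sent without a
    Fragment header.
    """
    if IPV6_HEADER + payload_len <= path_mtu:
        return [(0, payload_len, 0)]
    # Every fragment except the last carries a multiple of 8 octets of data.
    room = (path_mtu - IPV6_HEADER - FRAGMENT_HEADER) // 8 * 8
    if room < 8:
        raise ValueError("path MTU too small to carry any fragment data")
    fragments, sent = [], 0
    while sent < payload_len:
        chunk = min(room, payload_len - sent)
        more = 1 if sent + chunk < payload_len else 0
        fragments.append((sent // 8, chunk, more))
        sent += chunk
    return fragments


if __name__ == "__main__":
    # Constructed path: two FDDI links, then Ethernet; packet = 40 + 4000 bytes.
    mtu, reports = discover_path_mtu([4500, 4500, 1500], 4040)
    print("path MTU", mtu, "after reports", reports)
    for offset, size, more in fragment_at_source(4000, mtu):
        print(f"offset={offset} data={size} M={more}")
```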


How Was IPv6 Address Size Chosen?

• Some wanted fixed-length, 64-bit addresses
  – Easily good for 10^12 sites, 10^15 nodes, at .0001 allocation efficiency (3 orders of magnitude more than IPv6 requirement)
  – Minimizes growth of per-packet header overhead
  – Efficient for software processing

• Some wanted variable-length, up to 160 bits
  – Compatible with OSI NSAP addressing plans
  – Big enough for auto-configuration using IEEE 802 addresses
  – Could start with addresses shorter than 64 bits & grow later

• Settled on fixed-length, 128-bit addresses


Address space

IPv4 address space: 192.228.134.34 (32-bit)
IPv6 address space: 3FFE:90:AD:23:112:9:56:210 (128-bit)

• 128-bit or 16 bytes

• 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456

• 4.2 x 10^9 versus 3.4 x 10^38 addresses

Note: IPv4 allows 1 IP for every 2 persons, but IPv6 offers ~5.6 x 10^28 per person (out of a population of 6 billion, 6 x 10^9)


Address syntax: preferred

• Hexadecimal values of the eight 16-bit pieces, separated by colons

X:X:X:X:X:X:X:X

X = 16-bit number, e.g. A3BF or FFFE

• Example:
FE78:3450:BED8:9542:FEDC:BA09:1236:763C
3FFE:0:0:0:13:45D:432:1A


Address syntax: compressed

• Compressed form => “::” indicates multiple groups of 16 bits of zeros, but only once in an address

4A80:0:0:0:5:800:50CA:290D => 4A80::5:800:50CA:290D
FE80:0:0:0:0:0:0:349 => FE80::349
4D0A:0:0:89:0:0:236:8009 => 4D0A::89:0:0:236:8009 or 4D0A:0:0:89::236:8009
0:0:0:0:0:0:0:1 => ::1

Note: 2 types of IPv6 addresses have a different representation (IPv4-compatible and IPv4-mapped)


Address type

• There are 3 types of addresses:

Unicast: defines a single recipient
A packet sent to a unicast address is delivered to the interface identified by that address

Anycast: defines a number of recipients
A packet sent to an anycast address is delivered to one of the interfaces (the nearest working interface)

Multicast: defines a number of recipients
A packet sent to a multicast address is delivered to all of the interfaces identified by that address


Address type

• A single interface may be assigned multiple IPv6 addresses of any type (unicast, anycast, multicast)

– No Broadcast Address -> Use Multicast


Address allocation

• Prefix is used to identify the type of IPv6 address; normally the first 16 bits (or first 2 bytes)

Allocation                 Binary prefix               Example (the first 16 bits)
Global unicast             001                         2xxx or 3xxx
Link-local unicast         1111 1110 10                FE8x ... FEBx
Site-local unicast         1111 1110 11                FECx .... FEFx
IPv4-compatible unicast    000...0 (96 zero bits)      0:0:0:0:0:0:n.n.n.n
IPv4-mapped unicast        000..FFFF (80 zero bits)    0:0:0:0:0:FFFF:n.n.n.n
Multicast                  1111 1111                   FFxx
Reserved IPX               0000 010                    04xx or 05xx

• All other binary prefixes are reserved for future use
• Anycast addresses are allocated from the unicast prefixes


Address allocation


Aggregatable global unicast

• This hierarchical structure improves backbone routing; it sorts traffic towards networks attached to the Internet backbone

• Without an address hierarchy, backbone routers have tostore route table information on the reachability of every network in the world

Address layout (field widths in bits, where given):

FP (3) | TLA ID (13) | RES (8) | NLA ID (24) | SLA ID | Interface ID

Public Topology: FP, TLA ID, RES, NLA ID
Site Topology: SLA ID
Interface ID

FP = Format Prefix
TLA = Top-Level Aggregation
NLA = Next-Level Aggregation
SLA = Site-Level Aggregation
RES = Reserved

Allocation        Binary Prefix    Example
Global unicast    001              2xxx or 3xxx


Aggregatable global unicast cont’

[Figure: aggregation hierarchy of Top, Next Level and Site Level: Public Topology (providers/exchanges), Site Topology (LAN), Interface ID (link)]


Hierarchical Addressing & Aggregation

[Figure: an ISP (2001:0410::/32) serves Customer no 1 (2001:0410:0001:/48) and Customer no 2 (2001:0410:0002:/48) and only announces the /32 prefix to the IPv6 Internet (2001::/16)]

– Larger address space enables:
  • Aggregation of prefixes announced in the global routing table.
  • Efficient and scalable routing.

– But current Multi-Homing schemes break the model

(note: no masks in IPv6!)


Non-Global Addresses

• IPv6 includes non-global addresses, similar to IPv4 private addresses (“net 10”, etc.)

• a topological region within which such non-global addresses are used is called a zone

• zones come in different sizes, called scopes (e.g., link-local, site-local, …)

• unlike in IPv4, a non-global address zone is also part of the global addressable region (the “global zone”) => an interface may have both global and non-global addresses


Address Zones and Scopes

[Figure: the Global Internet contains Sites, and each Site contains Links. Each oval is a different zone; different colors indicate different scopes]


Properties of Zones and Scopes

• zones of the same scope do not overlap, e.g., two sites cannot overlap (i.e., cannot have any links in common)

• zones of smaller scope nest completely within zones of larger scope

• zones of same scope can reuse addresses of that scope (e.g., the same site-local address can occur in more than one site)


Properties of Zones and Scopes

• the scope of an address is encoded in the address itself, but the zone of an address is not
  – that’s why the “%zone-id” qualifier is needed, in the text representation of addresses
  – for a non-global address received in a packet, its zone is determined based on what interface it arrived on

• packets with a source or destination address of a given scope are kept within a zone of that scope
  – (enforced by zone-boundary routers)

• zone boundaries always cut through nodes, not links or interfaces


Zone Boundaries

[Figure: zone boundaries between Link, Site and Global zones]


Non-Global Unicast Addresses

• link-local unicast addresses are meaningful only in a single link zone, and may be re-used on other links

• site-local unicast addresses are meaningful only in a single site zone, and may be re-used in other sites

Link-local: 1111111010 (10 bits) | 0 (54 bits) | interface ID (64 bits)

Site-local: 1111111011 (10 bits) | 0 (38 bits) | subnet ID (16 bits) | interface ID (64 bits)


Address Allocation Policy

[Figure: address layout 2001 | 0410 | ... | Interface ID, with boundaries Registry /23, ISP prefix /32, Site prefix /48, LAN prefix /64. Bootstrap process - RFC 2450]

• The allocation process is under review by the Registries:
  – IANA allocates 2001::/16 to registries
  – Each registry gets a /23 prefix from IANA
  – Formerly, all ISPs were getting a /35
  – With the new policy, the Registry allocates a /32 prefix to an IPv6 ISP
  – Then the ISP allocates a /48 prefix to each customer (or potentially /64)
  – ftp://ftp.cs.duke.edu/pub/narten/ietf/global-ipv6-assign-2002-06-26.txt


Interface IDs

Lowest-order 64-bit field of unicast address may be assigned in several different ways:

– auto-configured from a 64-bit EUI-64, or expanded from a 48-bit MAC address (e.g., Ethernet address)

– auto-generated pseudo-random number (to address privacy concerns)

– assigned via DHCP

– manually configured


IPv6 Address Privacy (RFC 3041)

[Figure: address layout 2001 | 0410 | ... | Interface ID, with boundaries /23, /32, /48, /64]

Temporary addresses for IPv6 host client applications, e.g. Web browser
– Inhibit device/user tracking but is also a potential issue
– More difficult to scan all IP addresses on a subnet, but a port scan is identical when an address is known
– Random 64-bit interface ID, run Duplicate Address Detection (DAD) before using it
– Rate of change based on local policy
– Implemented on Microsoft Windows XP
– From RFC 3041: “…interface identifier …facilitates the tracking of individual devices (and thus potentially users)…”
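Why an interface ID expanded from a MAC address makes a device trackable, and how a temporary ID avoids it, as an added example that is not part of the original slides. The MAC address and the two /64 prefixes are constructed, the function names are hypothetical, and the random generator is a stand-in for the RFC 3041 procedure, not an implementation of it.

```python
import ipaddress
import secrets

MASK64 = (1 << 64) - 1


def eui64_interface_id(mac: str) -> int:
    """Expand a 48-bit MAC address into a 64-bit interface ID (modified EUI-64)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert FF FE between the two halves.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def temporary_interface_id() -> int:
    """Random 64-bit interface ID with the universal/local bit cleared."""
    return secrets.randbits(64) & ~(1 << 57)


def make_address(prefix: str, interface_id: int) -> ipaddress.IPv6Address:
    """Combine a prefix of at most 64 bits with a 64-bit interface ID."""
    network = ipaddress.IPv6Network(prefix)
    if network.prefixlen > 64:
        raise ValueError("prefix must leave 64 bits for the interface ID")
    return ipaddress.IPv6Address(int(network.network_address) | interface_id)


def linkable_interface_ids(addresses):
    """Interface IDs that recur under more than one /64 prefix (a trackable device)."""
    seen = {}
    for text in addresses:
        value = int(ipaddress.IPv6Address(text))
        seen.setdefault(value & MASK64, set()).add(value >> 64)
    return sorted(iid for iid, prefixes in seen.items() if len(prefixes) > 1)


if __name__ == "__main__":
    mac = "00:d0:b7:11:5d:36"                              # constructed MAC address
    networks = ("2001:410:1:1::/64", "2001:410:2:7::/64")  # constructed /64 prefixes
    iid = eui64_interface_id(mac)
    print("link-local:", make_address("fe80::/64", iid))
    stable = [str(make_address(p, iid)) for p in networks]
    print("EUI-64 addresses:", stable)
    print("linkable IDs:", [hex(i) for i in linkable_interface_ids(stable)])
    temporary = [str(make_address(p, temporary_interface_id())) for p in networks]
    print("temporary addresses:", temporary)
    print("linkable IDs:", linkable_interface_ids(temporary))
```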


Topic 2: IPv6 Concepts

Link-local & Site-local

Allocation            Binary Prefix    Example
link-local unicast    1111 1110 10     FE8x ... FEBx
site-local unicast    1111 1110 11     FECx .... FEFx

• Link-local addresses are used during auto-configuration while no router is present

1111111010 | 0 | interface ID

e.g. => fe80::2d0:b7ff:fe11:5d36

• Site-local addresses are used within an isolated intranet, independent of changes of TLA/NLA:

1111111011 | 0 | SLA* | interface ID

e.g. => fec0::90:234:ffde:1098


IPv4-compatible & IPv4-mapped

Allocation         Binary Prefix               Example
IPv4-compatible    00.. (96 bits of zero)      0:0:0:0:0:0:n.n.n.n
IPv4-mapped        00..ffff (80 bits of zero)  0:0:0:0:0:ffff:n.n.n.n

• These addresses are for a mixed environment of IPv4 and IPv6 addresses:

1) IPv4-compatible IPv6 address
technique for hosts and routers to dynamically tunnel IPv6 packets over IPv4 routing infrastructure – dual stack

0:0:0:0:0:0:192.226.124.45 => ::192.226.124.45

2) IPv4-mapped IPv6 address
represents the addresses of IPv4-only nodes (those that do not support IPv6) as IPv6 addresses. Never src/dest of IPv6 packets.

0:0:0:0:0:FFFF:192.226.124.45 => ::FFFF:192.226.124.45


Special Addresses

• Unspecified address
used as a source address by a station that has not yet been configured with another type of address. Never assigned.

0:0:0:0:0:0:0:0 => ::

• Loopback address
used by a node to send an IPv6 datagram to itself. Never sent on a link.

0:0:0:0:0:0:0:1 => ::1


Anycast address

• Anycast addresses are allocated from the unicast address space; they are syntactically indistinguishable from unicast addresses

• A unicast address assigned to more than one interface becomes an anycast address; the nodes to which the address is assigned must be explicitly configured to know that it is an anycast address

• It cannot be a source address


Expanded Address Space: Multicast Addresses (RFC 3513)

Allocation    Binary Prefix    Example
Multicast     1111 1111        FFxx

• Multicast identifies a group of nodes; specifically, it identifies a set of interfaces that usually belong to different nodes.

Address layout: 11111111 | flags | scope | group ID

Low-order flag: indicates permanent (well-known) or non-permanent (transient) group

Scope value: limits the scope of the multicast group, i.e. node-local, link-local, site-local, community-local, organization-local, global, etc.


Expanded Address Space: Multicast Addresses (RFC 3513)

128 bits: 1111 1111 = FF (8 bits) | Flags + Scope (8 bits) | Group ID

Flags = 000T
T=0: a permanent IPv6 multicast address
T=1: a transient IPv6 multicast address

Scope = 1 = node, 2 = link, 5 = site, 8 = organization, E = global

• Multicast is used in the context of one-to-many.


Multicast Address Examples

• All Nodes Addresses:
– FF01:0:0:0:0:0:0:1
– FF02:0:0:0:0:0:0:1

• All Routers Addresses:
– FF01:0:0:0:0:0:0:2
– FF02:0:0:0:0:0:0:2
– FF05:0:0:0:0:0:0:2

• OSPFv3:
– AllSPFRouters: FF02::5
– AllDRouters: FF02::6

• Solicited-Node Address:
– FF02:0:0:0:0:1:FFXX:XXXX
– Concatenation of prefix FF02:0:0:0:0:1:FF00::/104 with the low-order 24 bits of an address (unicast or anycast)
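The multicast layout and the solicited-node rule from the slides above can be exercised together. The following is an added example, not part of the original slides: it decodes the flags, scope and group ID of a multicast address and derives the link-scope groups a node is expected to join, so the result can be compared with what an interface actually reports. Function names are hypothetical.

```python
import ipaddress

# Scope values listed on the slide (RFC 3513 defines further ones).
SCOPES = {0x1: "node", 0x2: "link", 0x5: "site", 0x8: "organization", 0xE: "global"}


def decode_multicast(addr: str) -> dict:
    """Split an IPv6 multicast address into T flag, scope and group ID."""
    raw = ipaddress.IPv6Address(addr).packed
    if raw[0] != 0xFF:
        raise ValueError(f"{addr} is not multicast (first octet is not FF)")
    flags, scope = raw[1] >> 4, raw[1] & 0x0F
    return {
        "transient": bool(flags & 0x1),            # T is the low-order flag bit
        "scope": SCOPES.get(scope, f"unlisted (0x{scope:X})"),
        "group_id": int.from_bytes(raw[2:], "big"),  # remaining 112 bits
    }


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """FF02:0:0:0:0:1:FFXX:XXXX built from the low-order 24 bits of addr."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def expected_link_groups(addresses, router=False) -> set:
    """Link-scope groups a node with these unicast addresses should have joined."""
    groups = {"ff02::1"}                            # all nodes
    if router:
        groups.add("ff02::2")                       # all routers
    # Addresses sharing their low 24 bits collapse into one solicited-node group.
    groups.update(str(solicited_node(a)) for a in addresses)
    return groups


if __name__ == "__main__":
    for sample in ("FF02::1", "FF05::2", "FF02::1:FF47:1530"):
        print(sample, decode_multicast(sample))
    print(expected_link_groups(
        ["FE80::260:3EFF:FE47:1530", "2001:410:213:1:260:3EFF:FE47:1530"],
        router=True))
```

A joined group that is not in the expected set, or an expected group that is missing, is worth a second look when auditing an interface.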


Tunnels to Get Through IPv6-Ignorant Routers

• encapsulate IPv6 packets inside IPv4 packets (or MPLS frames)

• many methods exist for establishing tunnels:
– manual configuration
– “tunnel brokers” (using web-based service to create a tunnel)
– “ISATAP” (intra-domain, using IPv4 addr as IPv6 interface ID)
– “6-to-4” (inter-domain, using IPv4 addr as IPv6 site prefix)

• can view this as:
– IPv6 using IPv4 as a virtual link-layer, or
– an IPv6 VPN (virtual public network), over the IPv4 Internet (becoming “less virtual” over time, we hope)


6to4 and ISATAP Addresses

• 6to4 (RFC 3056) – WAN tunneling

2002 (/16) | Public IPv4 address (/48) | SLA (/64) | Interface ID

• ISATAP (Draft) – Campus tunneling

Prefix 2001 0410 ...: Registry (/23) | ISP prefix (/32) | Site prefix (/48) | (/64)
Interface ID: 00 00 5E FE (32 bits) | IPv4 Host address (32 bits)
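The four formats that embed an IPv4 address in an IPv6 address (IPv4-compatible and IPv4-mapped from the earlier slide, 6to4 and ISATAP from this one) can be recognised mechanically, which helps when reading logs that mix native and tunnelled traffic. This is an added example, not part of the original slides; the function names are hypothetical, and accepting 02 00 5E FE as an ISATAP marker follows RFC 5214 rather than the slide, which shows only 00 00 5E FE.

```python
import ipaddress


def embedded_ipv4(addr: str):
    """Return (format, IPv4Address) if addr carries an IPv4 address, else None."""
    ip = ipaddress.IPv6Address(addr)
    raw = ip.packed
    if raw[:2] == b"\x20\x02":                        # 6to4: 2002 + IPv4 = /48
        return ("6to4", ipaddress.IPv4Address(raw[2:6]))
    if raw[:10] == bytes(10) and raw[10:12] == b"\xff\xff":
        return ("ipv4-mapped", ipaddress.IPv4Address(raw[12:]))      # 80 zero bits + ffff
    if raw[:12] == bytes(12) and int(ip) > 1:         # 96 zero bits, but not :: or ::1
        return ("ipv4-compatible", ipaddress.IPv4Address(raw[12:]))
    # ISATAP interface ID: 00 00 5E FE + IPv4 (the u bit, 0x02, may be set).
    if raw[8] & 0xFD == 0 and raw[9:12] == b"\x00\x5e\xfe":
        return ("isatap", ipaddress.IPv4Address(raw[12:]))
    return None


def audit(addr: str) -> str:
    """Flag embeddings that contradict the rules stated on the slides."""
    hit = embedded_ipv4(addr)
    if hit is None:
        return "native"
    kind, v4 = hit
    if kind == "ipv4-mapped":
        return f"{kind} {v4}: must never be src/dest of an IPv6 packet"
    if kind == "6to4" and not v4.is_global:
        return f"{kind} {v4}: 6to4 prefix requires a public IPv4 address"
    return f"{kind} {v4}"


if __name__ == "__main__":
    # Constructed sample addresses, partly reusing values from the slides.
    for sample in ("::192.226.124.45", "::FFFF:192.226.124.45",
                   "2002:c0e2:7c2d::1", "2002:0a00:0001::1",
                   "fe80::5efe:10.0.0.2", "2001:410:213:1:260:3EFF:FE47:1530"):
        print(f"{sample:40} {audit(sample)}")
```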


Routing

• No new structure being introduced in IPv6 routing
• Uses the IPv4 CIDR method; which relies on the IPv6 address architecture (hierarchical)
• Changes the existing IPv4 routing protocols to handle bigger address e.g. OSPF, RIP, BGP4+

[Figure: address hierarchy: Top Level (2^13 = 8,192), Next Level, Site, Link, Host]


Outstanding Features

• Security
• Quality of Service (QoS)
• Auto-configuration


Security

IPv6 packet: IPv6 Header | Extension Headers (ESP and/or AH) | Higher-level protocol header + application content

• All implementations are expected to support authentication and encryption headers (IPsec)

• IPsec protects the network layer, providing:
- authenticity
- integrity
- confidentiality

• IPsec uses the Encapsulating Security Payload (ESP) and Authentication Header (AH), which are part of the extension headers

• The security can cover communications between two hosts, two networks or between a host and a network


How does IPsec work?

[Figure: Security Gateway A (192.228.140.0) – Public IP Network – Security Gateway B (10.0.0.0, with hosts 10.0.0.1 and 10.0.0.2)]

Gateway A
Secret: abcdefg
Policies:
• Local 192.228.140.0 ESP, 3DES, MD5
• Remote 10.0.0.0, tunnel security gateway B

Gateway B
Secret: abcdefg
Policies:
• Local 10.0.0.0 ESP, 3DES, MD5
• Remote 192.228.140.0, tunnel security gateway B

Note: This IPsec tunnel is built for the network-to-network scenario


Authentication header

Header format (bit positions 0 7 15 23 31):
Next header | Payload Length | Reserved
Security Parameters Index (SPI)
Sequence number
Authentication data

[Figure: packet layout IP Header | AH | TCP | Data, marked as Authenticated]

• destination address + SPI identifies the Security Association (key, lifetime, algorithm, etc.)

• provides authentication and data integrity for IPv6 packets that do not change en-route (source and destination are not allowed to change during the transit)

• default algorithm is keyed MD5: the hash code is computed over the combination of the message and the secret key
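The statement that AH only protects what does not change en route can be checked with a small model of the integrity check value (ICV). This is an added example, not part of the original slides: it assumes AH directly follows the 40-byte IPv6 header, substitutes HMAC-MD5-96 for the slide's "keyed MD5", and uses constructed addresses, SPI and payload together with the sample secret from the gateway slide.

```python
import hashlib
import hmac
import ipaddress
import struct

AH, TCP = 51, 6          # Next Header values
ICV_LEN = 12             # HMAC-MD5-96: MAC truncated to 96 bits
ICV_OFF = 40 + 12        # IPv6 header + fixed part of AH


def ipv6_header(src, dst, payload_len, next_header, hop_limit):
    first_word = 6 << 28                     # version 6, traffic class 0, flow label 0
    return (struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def ah_header(next_header, spi, seq):
    # Payload Length field = AH length in 32-bit words, minus 2.
    length_words = (12 + ICV_LEN) // 4 - 2
    return struct.pack("!BBHII", next_header, length_words, 0, spi, seq) + bytes(ICV_LEN)


def compute_icv(key, packet):
    """MAC over the packet with mutable fields and the ICV field zeroed."""
    buf = bytearray(packet)
    buf[0:4] = struct.pack("!I", 6 << 28)    # traffic class and flow label may change
    buf[7] = 0                               # hop limit is decremented by routers
    buf[ICV_OFF:ICV_OFF + ICV_LEN] = bytes(ICV_LEN)
    return hmac.new(key, bytes(buf), hashlib.md5).digest()[:ICV_LEN]


def protect(key, src, dst, spi, seq, upper, hop_limit=64):
    ah = ah_header(TCP, spi, seq)
    pkt = ipv6_header(src, dst, len(ah) + len(upper), AH, hop_limit) + ah + upper
    return pkt[:ICV_OFF] + compute_icv(key, pkt) + pkt[ICV_OFF + ICV_LEN:]


def verify(key, packet):
    received = packet[ICV_OFF:ICV_OFF + ICV_LEN]
    return hmac.compare_digest(compute_icv(key, packet), received)


def forward(packet):
    """What every router does: decrement the hop limit."""
    buf = bytearray(packet)
    buf[7] -= 1
    return bytes(buf)


def rewrite_source(packet, new_src):
    """What an address translator would do: replace the source address."""
    return packet[:8] + ipaddress.IPv6Address(new_src).packed + packet[24:]


if __name__ == "__main__":
    key = b"abcdefg"     # sample secret from the gateway slide; MD5 only to match the slides
    pkt = protect(key, "2001:db8::1", "2001:db8::2", 0x100, 1, b"constructed TCP segment")
    print("as sent:         ", verify(key, pkt))
    print("after one hop:   ", verify(key, forward(pkt)))
    print("source rewritten:", verify(key, rewrite_source(pkt, "2001:db8::99")))
```

The first two checks succeed and the third fails, which is why AH and address translation do not mix.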


[Figure: packet layout IP Header | ESP header | TCP | Data | ESP Trailer | ESP Auth data, with the Encrypted and Authenticated portions marked]

ESP format (bit positions 0 7 15 23 31):
Security Parameters Index (SPI)
Sequence number
Payload Data
Padding | Pad length | Next header
Authentication data

• ESP encrypts the payload data & hides the traffic between the two nodes

• ESP provides authentication as well (but excludes the IP header)

• default algorithm is DES-CBC


IPv6 Support for Int-Serv

• 20-bit Flow Label field to identify specific flows needing special QoS
– each source chooses its own Flow Label values; routers use Source Addr + Flow Label to identify distinct flows
– Flow Label value of 0 used when no special QoS requested (the common case today)

• This part of IPv6 is not standardized yet, and may well change semantics in the future
– http://www.ietf.org/internet-drafts/draft-ietf-ipv6-flow-label-07.txt


Real time support

Applications reserve resources in advance via Flow Label.

[Figure: Flow 1 and Flow 2 between a Workstation, a PC, a File Server and a Multimedia Server]

• All packets belonging to the same flow must be sent with the same source/destination address, traffic class and flow label


IPv6 Support for Diff-Serv

• 8-bit Traffic Class field to identify specific classes of packets needing special QoS
– same as new definition of IPv4 Type-of-Service byte
– may be initialized by source or by router enroute; may be rewritten by routers enroute
– Traffic Class value of 0 used when no special QoS requested (the common case today)


Neighbor Discovery (RFC 2461)

• Protocol built on top of ICMPv6 (RFC 2463)
– Combination of IPv4 protocols (ARP, ICMP,…)

• Neighbor Discovery:
– Determines the link-layer address of a neighbor on the same link, Duplicate Address Detection
– Finds neighbor routers, keeps track of neighbors

• Defines 5 ICMPv6 packet (message) types
– Router Solicitation / Router Advertisements
– Neighbor Solicitation / Neighbor Advertisements
– Redirect


Auto configuration

• Auto configuration allows hosts to fabricate their own addresses, with or without a DHCP server.

• It is part of Neighbor Discovery (ND): the messages and processes that determine relationships between neighboring nodes.

Processes:
- router discovery (similar to ICMPv4 Router Discovery)
- prefix discovery (similar to ICMPv4 Address Mask Request/Reply)
- autoconfiguration of address & other parameters
- duplicate address detection
- neighbor unreachability detection
- link-layer address resolution (similar to ARP in IPv4)
- first hop redirect (similar to the IPv4 ICMP Redirect message)


Auto configuration

• The interface identifier is formed from the EUI-64 by complementing the “Universal/Local” (U/L) bit, which is the next-to-lowest order bit of the first octet of the EUI-64.
- for example, the ethernet EUI-48 (MAC) 00:50:56:d9:88:38 corresponds to the EUI-64 00:50:56:FF:FE:d9:88:38
- the interface identifier is 02:50:56:FF:FE:d9:88:38


Auto configuration (cont.)

“Plug and play” feature

Stateless mode: via ICMP (no server required)
router advertisement: Prefix 3ffe:89::/64
IPv6 Address 3ffe:89::A87:C09:1BE:CC7:BA = Prefix 3ffe:89::/64 + Link Address 00:A87:C09:1BE:CC7:BA

Stateful server mode: via DHCP
DHCP request: 00:A87:C09:1BE:CC7:BA
DHCP response (from the DHCP server): 3ffe:89::A87:C09:1BE:CC7:BA


Stateless Autoconfiguration

1. RS: ICMP Type = 133 (RS)

Src = ::

Dst = All-Routers multicast address

Query = please send RA

2. RA: ICMP Type = 134 (RA)

Src = Router link-local address

Dst = All-nodes multicast address

Data = options, prefix, lifetime, autoconfig flag

Router solicitations are sent by booting nodes to request RAs for configuring the interfaces.


Duplicate Address Detection

[Figure: nodes A and B on the same link]

ICMP type = 135
Src = 0 (::)
Dst = Solicited-node multicast of A
Data = link-layer address of A
Query = what is your link address?

Duplicate Address Detection (DAD) uses neighbor solicitation to verify the existence of an address to be configured.


IPv6 Addressing Examples

LAN: 3ffe:b00:c18:1::/64

Ethernet0

MAC address: 0060.3e47.1530

router# show ipv6 interface Ethernet0
Ethernet0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::260:3EFF:FE47:1530
  Global unicast address(es):
    2001:410:213:1:260:3EFF:FE47:1530, subnet is 2001:410:213:1::/64
  Joined group address(es):
    FF02::1:FF47:1530
    FF02::1
    FF02::2
  MTU is 1500 bytes

interface Ethernet0
 ipv6 address 2001:410:213:1::/64 eui-64
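The EUI-64 rule from the auto configuration slide explains every address in the router output above. The following added example (not part of the original slides; function names are hypothetical) derives the link-local and global addresses from the MAC and prefix, and also runs the rule backwards, which shows that an EUI-64 derived address discloses the interface's MAC address to anyone who sees it.

```python
import ipaddress


def parse_mac(mac: str) -> bytes:
    """Accept 00:50:56:d9:88:38, 00-50-56-d9-88-38 or Cisco style 0060.3e47.1530."""
    digits = "".join(c for c in mac if c not in ":-.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def interface_id(mac: str) -> bytes:
    """EUI-48 -> EUI-64 (insert FF:FE), then complement the U/L bit."""
    m = parse_mac(mac)
    eui64 = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    eui64[0] ^= 0x02        # U/L bit: next-to-lowest order bit of the first octet
    return bytes(eui64)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Prefix (/64) + interface identifier, as in 'ipv6 address <prefix> eui-64'."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 interface identifier needs a /64 prefix")
    return net[int.from_bytes(interface_id(mac), "big")]


def mac_from_address(addr: str):
    """Inverse direction: recover the MAC if the interface ID is EUI-64 derived."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None         # not EUI-64 derived (manual, random or other scheme)
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02          # undo the U/L complement
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    mac = "0060.3e47.1530"                        # from the slide
    print(interface_id("00:50:56:d9:88:38").hex(":"))
    print(slaac_address("fe80::/64", mac))        # link-local
    print(slaac_address("2001:410:213:1::/64", mac))
    print(mac_from_address("2001:410:213:1:260:3EFF:FE47:1530"))
```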


Auto configuration

Renumbering

Host renumbering is done by modifying the RA to announce the old prefix with a short lifetime and the new prefix.

Router renumbering protocol (RFC 2894), to allow domain-interior routers to learn of prefix introduction / withdrawal

[Figure: the RA indicates the SUBNET PREFIX; each host forms its address as SUBNET PREFIX + MAC ADDRESS]

At boot time, an IPv6 host builds a Link-Local address, then its global IPv6 address(es) from RA


Overview of Mobile IPv6

[Figure: HA, MN and CN, with arrows numbered 1 to 4]

• 1. MN obtains Local IP address using stateless or stateful autoconfiguration – Neighbor Discovery
• 2. MN registers with HA by sending a Binding Update
• 3. HA intercepts traffic for registered MN and tunnels packets from CN to MN
• 4. MN sends packets from CN directly or via HA using Tunnel


Route Optimization

[Figure: Home Agent, Correspondent Host and Mobile Node, with the traffic path CN to MN]

• Traffic is routed directly from the CN to the MN
• Binding Update SHOULD be part of every IPv6 node implementation
• IPv4 also has route optimization but CN needs enhanced IP stack and Key management is a problem
• Security Issues
– Shared Key or PKI Problem and We need a Scalable Solution


IPv6 and DNS

Hostname to IP address

IPv4, A record: www.abc.test. A 192.168.30.1

IPv6, AAAA record: www.abc.test AAAA 3FFE:B00:C18:1::2

IP address to hostname

IPv4, PTR record: 1.30.168.192.in-addr.arpa. PTR www.abc.test.

IPv6, PTR record: 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.0.0.b.0.e.f.f.3.ip6.arpa PTR www.abc.test.


Migration Techniques

• Dual Stack Host
• Tunneling
• Translation


Dual stack host

• Support both IPv4 and IPv6

• Determine stack via DNS

[Figure: Dual Stack Host protocol stack: Application, TCP, IPv4 | IPv6, Ethernet]


Automatic tunneling

• Encapsulate IPv6 packet in IPv4

• rely on IPv4-compatible IPv6 address

[Figure: IPv6 host ::1.2.3.4 sends across an IPv4 network to IPv4/6 host 2.3.4.5. The IPv6 packet (src = ::1.2.3.4, dst = ::2.3.4.5, both IPv4-compatible IPv6 addresses) is carried inside an IPv4 packet while it crosses the IPv4 network and is delivered to 2.3.4.5]


Configured tunneling

• Encapsulate IPv6 packet in IPv4

• IPv6 only address

[Figure: IPv6 host 2001::A:A:B sends to IPv6 host 2001::B:B:C across an IPv4 network. Between routers R1 and R2 the IPv6 packet (src = 2001::A:A:B, dst = 2001::B:B:C) is carried inside an IPv4 packet with src = R1 and dst = R2; after R2 it continues as a plain IPv6 packet to 2001::B:B:C]


Translation

IPv6-IPv4 Translation

Translating both the network address and protocol from IPv6 to IPv4 and vice versa

[Figure: IPv6-only devices | NAT-PT | IPv4-only and dual-stack devices]


IPv6 and IPv4 coexistence


Specification

• the development is coordinated by IETF, specifically by IPv6/IPng Working Group

• a number of IPv6 specifications have already become IETF Draft Standards; well-tested and proven stable
Visit: http://playground.sun.com/ipng/specs/standards.html

• others are proposals; with more new standards coming along
Visit: http://playground.sun.com/ipng/specs/specifications.html

• discussions on specifications are carried out in mailing lists such as: [email protected] or [email protected]


Implementation

• most IP stack vendors are actively working towards fully supporting IPv6
router: 3com, Nortel, CISCO, Hitachi, Telebit, Zebra
host: IBM, HP, Kame, BSDI, Sun, Microsoft, Linux, OpenBSD

• beta releases are common to be found and testers are always welcome

• details, visit: “http://playground.sun.com/pub/ipng/html/ipng-implementations.html”


Recent IPv6 “Hot Topics” in the IETF

• multihoming
• address selection
• address allocation
• DNS discovery
• 3GPP usage of IPv6
• anycast addressing
• scoped address architecture
• flow-label semantics
• API issues (flow label, traffic class, PMTU discovery, scoping,…)
• enhanced router-to-host info
• site renumbering procedures
• inter-domain multicast routing
• address propagation and AAA issues of different access scenarios
• end-to-end security vs. firewalls
• and, of course, transition / co-existence / interoperability with IPv4 (a bewildering array of transition tools and techniques)

Note: this indicates vitality, not incompleteness, of IPv6!


References

Books
– TCP/IP Illustrated Volume 1, The Protocols, Richard Stevens, Addison-Wesley 2000
– IPv6: The new Internet Protocol, Christian Huitema, Prentice Hall, 1997
– IPv6 Networks, Marcus Goncalves & Kitty Niles, McGraw Hill, 1998
– IPv6: The New Version of the Internet Protocol, Steve Deering, APRICOT2000

WWW
– www.6bone.net
– www.microsoft.com
– www.playground.sun.com
– www.manis.net.my
– www.cbe.ku.ac.th/~nguan/resource/slide/network.html

RFCs
– RFC 2373: Internet Version 6 Addressing Architecture, July 1998
– RFC 2460: Internet Protocol Version 6 (IPv6) Specification, Dec 1998
– RFC 2461: Neighbor Discovery for IP Version 6 (IPv6), Dec 1998
– RFC 2462: IPv6 Stateless Address Autoconfiguration, Dec 1998
– RFC 2471: IPv6 Testing Address Allocation, Dec 1998