IPv6 Transition Techniques

Upload: richymic

Post on 19-Oct-2015


  • IPv6 Routing

    Mukom Akong T. (@perfexcellent)

  • After this section, you should be able to:

    - Describe the need for transition technologies.
    - Understand and configure manual 6in4 tunnels.
    - Understand and configure automatic 6to4 tunneling.
    - Identify and describe the options for v6-v4 translation.

    Transition Mechanisms

  • The Problem Transition Mechanisms Solve

    www.afrinic.net | slide 3

    How do we connect v6 networks over non-v6-capable links? How do we get v6-only networks talking to v4-only networks?

    [Figure: an IPv4-only network (e.g. the Internet) sits between a dual-stacked network (v4 & v6), an IPv4-only network and an IPv6-only network; transition mechanisms are what join them.]

  • Categories of Transition Techniques (slide 4)

    IPv6 transition techniques fall into three categories: Dual Stack, Tunneling and Translation.

  • Dual Stack Network View (slide 5)

    Your hardware, software and security systems run both v4 and v6:
    - Hosts (desktops, servers, mobile devices, sensors etc.)
    - Load balancers
    - Switches (think DHCP & IGMP snooping, etc.)
    - Routers (intra-domain and inter-domain routing protocols)
    - Firewalls, intrusion detection and prevention systems

    [Figure: dual-stack network diagram. Source: cisco.com]

  • Dual Stack Network Node View (slide 6)

    [Figure: protocol stack of a dual-stacked node, top to bottom]
      Application (IPv4 | IPv6)
      TCP / UDP
      IPv4 | IPv6
      Network medium (e.g. Ethernet, wireless, fibre)

  • Stack Selection on a Dual-Stacked Device (slide 7)

    - Manually specified by the user, e.g. http://[2001:db8::7]/index.html vs http://192.0.2.1/index.html, or ping 2001:db8::a vs ping 192.0.2.1.
    - Through DNS: a v4-only application queries, gets an A record and uses v4; a v6-only application queries, gets an AAAA record and uses v6; a dual-stacked application queries, gets both A and AAAA and prefers v6 (default address selection, RFC 6724; "Happy Eyeballs" implementations, RFC 6555, fall back to v4 only when the v6 connection attempt fails). DNS responses are independent of the L3 protocol, i.e. a host can query over v4 and get an AAAA response.

  • Configuring a Cisco Router for Dual Stack (slide 8)

    R1(config)# ipv6 unicast-routing
    R1(config)# ip cef
    R1(config)# ipv6 cef
    R1(config)# interface FastEthernet0/2
    R1(config-if)# ipv6 address 2001:db8:c200::1/64
    R1(config-if)# ip address 192.168.15.1 255.255.255.0
    R1(config-if)# ipv6 ospf 1 area 12
    R1(config-if)# ip ospf 1 area 12

    R2(config)# ipv6 unicast-routing
    R2(config)# ip cef
    R2(config)# ipv6 cef
    R2(config)# interface FastEthernet0/2
    R2(config-if)# ipv6 address 2001:db8:c200::2/64
    R2(config-if)# ip address 192.168.15.2 255.255.255.0
    R2(config-if)# ipv6 ospf 1 area 12
    R2(config-if)# ip ospf 1 area 12

    The last two interface commands start OSPFv3 (ipv6 ospf) and OSPFv2 (ip ospf) on the same link: two separate IGP processes, one per address family.

  • Some Implications of Running Dual Stack (slide 9)

    Increased complexity:
    - Security policies must be written and maintained for both v4 and v6. Most modern hosts enable IPv6 by default, so a v6 path exists whether or not the firewall policy covers it.
    - Two IGP routing protocols and multiple BGP address families.
    - Some things work differently in each of the protocols.
    - Applications must communicate over both protocols.

    Increased support costs and higher resource requirements:
    - Extra memory for the routing database and tables for v6.
    - BGP tables for v4 (300K+ routes) AND a growing v6 BGP table.

  • Tunneling (slide 10)

    - Encapsulate IPv6 within IPv4 packets (IPv4 protocol number 41).
    - The IPv4 source and destination fields are set to the v4 addresses of the tunnel endpoints.
    - Tunnel endpoints are either manually configured or derived from transition addresses.

    [Figure: an IPv6 packet carried as the payload of an IPv4 packet. Source: cisco.com]

  • Types of Tunnels (slide 11)

    - Manual: requires manual configuration at both ends; pre-agreement on the addresses to use at both endpoints.
    - Semi-automatic, Tunnel Broker [RFC 3053]: the remote end is auto-configured, the other is manual; router-to-router or host-to-router.
    - Automatic: tunnels are created on demand. Examples: 6to4, 6rd, ISATAP.

  • Manual Tunnels (slide 12)

    Pre-requisites: a dual-stacked router [DSR] (or host) at both ends; IPv4 reachability between both ends; public IPv4 addresses on each of the tunnel endpoints.

    How it works:
    1. The DSR receives a v6 packet on its native v6 interface and routing directs it out the tunnel interface.
    2. The DSR encapsulates the v6 packet inside a v4 packet and sends it to the v4 address of the tunnel endpoint (in the v4 header, the v6 payload is identified by protocol number 41).
    3. The far-end DSR decapsulates the v4 packet, sees a v6 packet and forwards it out its v6 interface according to its normal v6 routing table.

    Potential issues: firewalls in transit might block protocol number 41; full cooperation of the tunnel endpoint routers' admins is required; MTU issues in the path (the 20-byte outer IPv4 header reduces the tunnel's IPv6 MTU, e.g. to 1480 bytes on a 1500-byte link, which is why tunnel path-mtu-discovery is configured in the example that follows). A manual tunnel endpoint should decapsulate protocol-41 packets only when their IPv4 source is the configured peer (RFC 4213); otherwise anyone who can reach its v4 address can inject IPv6 traffic into the site.

  • Manual Tunneling Example (slide 13)

    [Figure: R1 (Loopback0 192.0.2.1/24, native v6 network 2001:db8:1000::/64) and R2 (Loopback0 198.51.100.1/24, native v6 network 2001:db8:2000::/64) connected across the Internet or ISP network; tunnel addresses 2001:db8:12::1/64 on R1 and 2001:db8:12::2/64 on R2.]

    R1#
      interface Loopback0
       ip address 192.0.2.1 255.255.255.0
      interface Tunnel0
       no ip address
       ipv6 address 2001:db8:12::1/64
       tunnel source Loopback0
       tunnel destination 198.51.100.1
       tunnel mode ipv6ip
       tunnel path-mtu-discovery
      ipv6 route 2001:db8:2000::/64 Tunnel0

    R2#
      interface Loopback0
       ip address 198.51.100.1 255.255.255.0
      interface Tunnel0
       no ip address
       ipv6 address 2001:db8:12::2/64
       tunnel source Loopback0
       tunnel destination 192.0.2.1
       tunnel mode ipv6ip
       tunnel path-mtu-discovery
      ipv6 route 2001:db8:1000::/64 Tunnel0
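    The encapsulation and decapsulation steps of slides 12 and 13, as an added example in Python (this is not code from the AfriNIC deck or from Cisco IOS). It builds the outer IPv4 header with protocol 41 around a constructed IPv6 packet, enforces the reduced tunnel MTU, and on the receiving side applies the checks a manual tunnel endpoint should apply before forwarding: header checksum, protocol 41, and an outer source that matches the configured peer. The addresses are the slide's; the packet contents are made up for the example.

```python
"""6in4 encapsulation and decapsulation (RFC 4213) with the checks a manual
tunnel endpoint should apply. Added example; not code from the AfriNIC deck.
All packets are constructed in memory; nothing is sent on the wire."""
import ipaddress
import struct

IPPROTO_IPV6 = 41      # IPv4 protocol number for IPv6-in-IPv4 ("protocol 41")
IPV4_HDR_LEN = 20
IPV6_HDR_LEN = 40


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header. Computed with the
    checksum field zeroed; over a header that already carries its checksum
    the result is 0, which is how verification works."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tunnel_mtu(link_mtu: int) -> int:
    """The outer IPv4 header costs 20 bytes: 1480 on a 1500-byte link."""
    return link_mtu - IPV4_HDR_LEN


def make_ipv6_packet(src: str, dst: str, payload: bytes, next_header: int = 59) -> bytes:
    """Minimal IPv6 packet: 40-byte header (next header 59 = No Next Header) + payload."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


def encapsulate(v6_packet: bytes, tunnel_src: str, tunnel_dst: str, link_mtu: int = 1500) -> bytes:
    """Wrap an IPv6 packet in an IPv4 header (protocol 41) from this endpoint
    to the configured far endpoint."""
    if len(v6_packet) < IPV6_HDR_LEN or v6_packet[0] >> 4 != 6:
        raise ValueError("payload is not an IPv6 packet")
    if len(v6_packet) > tunnel_mtu(link_mtu):
        raise ValueError("IPv6 packet of %d bytes exceeds tunnel MTU %d"
                         % (len(v6_packet), tunnel_mtu(link_mtu)))
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, IPV4_HDR_LEN + len(v6_packet),   # version/IHL, TOS, total length
                      0, 0x4000,                                # identification, flags = DF
                      64, IPPROTO_IPV6, 0,                      # TTL, protocol 41, checksum placeholder
                      ipaddress.IPv4Address(tunnel_src).packed,
                      ipaddress.IPv4Address(tunnel_dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + v6_packet


def decapsulate(v4_packet: bytes, expected_peer: str) -> bytes:
    """Strip the outer header and return the inner IPv6 packet. Only
    protocol-41 packets whose IPv4 source is the configured tunnel peer are
    accepted (RFC 4213); anything else is dropped rather than forwarded."""
    if len(v4_packet) < IPV4_HDR_LEN:
        raise ValueError("truncated IPv4 packet")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, _dst = struct.unpack(
        "!BBHHHBBH4s4s", v4_packet[:IPV4_HDR_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < IPV4_HDR_LEN or total_len > len(v4_packet):
        raise ValueError("malformed IPv4 packet")
    if ipv4_checksum(v4_packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != IPPROTO_IPV6:
        raise ValueError("protocol %d is not 6in4" % proto)
    if ipaddress.IPv4Address(src) != ipaddress.IPv4Address(expected_peer):
        raise ValueError("outer source %s is not the configured peer" % ipaddress.IPv4Address(src))
    inner = v4_packet[ihl:total_len]
    if len(inner) < IPV6_HDR_LEN or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    if IPV6_HDR_LEN + struct.unpack("!H", inner[4:6])[0] != len(inner):
        raise ValueError("inner IPv6 payload length mismatch")
    return inner


def accepts(v4_packet: bytes, expected_peer: str) -> bool:
    """True if the endpoint would decapsulate and forward this packet."""
    try:
        decapsulate(v4_packet, expected_peer)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: R1 (192.0.2.1) tunnels a packet from its 2001:db8:1000::/64 site to R2 (198.51.100.1).
    inner = make_ipv6_packet("2001:db8:1000::5", "2001:db8:2000::7", b"hello over 6in4")
    wire = encapsulate(inner, "192.0.2.1", "198.51.100.1")
    print("outer protocol:", wire[9], "| accepted by R2:", accepts(wire, "192.0.2.1"),
          "| from a stranger:", accepts(wire, "203.0.113.9"))
```

    The peer check in decapsulate is the piece a transit firewall cannot do for you: a filter that simply permits protocol 41 to the tunnel endpoint lets any IPv4 host on the Internet hand the endpoint an IPv6 packet, so the endpoint itself must reject outer sources other than its configured peer.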

  • 6to4 Tunneling [RFC 3056] (slide 14)

    Pre-requisites: a dual-stacked router [DSR] (or host) at both ends; IPv4 reachability between both ends using public IPv4 addresses.

    How it works:
    1. The DSR routes packets arriving on its native v6 interface out the tunnel interface.
    2. The DSR automatically determines the tunnel endpoint: the v4 address embedded in the destination's 6to4 address (the 32 bits that follow 2002::/16, so a site with public IPv4 address V4ADDR owns 2002:V4ADDR::/48).
    3. The DSR encapsulates the v6 packet inside a v4 packet and sends it onwards.
    4. The far-end DSR decapsulates the v4 packet, sees a v6 packet and forwards it out its v6 interface according to its normal v6 routing table.

    Potential issues: relays are subject to abuse (DoS and v6 address spoofing); indiscriminately accepting tunnelled packets from any endpoint poses security risks; asymmetric: different end sites may use different relays; MTU issues in the path.

  • Routing between 6to4 Networks (slide 15)

    [Figure: routing between 6to4 networks. Source: Adeel Ahmed, Ciprian Popoviciu]

  • Routing between 6to4 and Native v6 (slide 16)

    Pre-requisites:
    - A 6to4 relay router connected to native v6 and also to v4 through a 6to4 interface, advertising 2002::/16 to its native v6 neighbours.
    - The default gateway on the 6to4 routers or hosts must be the 6to4 relay anycast address 192.88.99.1 [RFC 3068], i.e. 2002:c058:6301::/48 in 6to4 form. (RFC 7526 has since deprecated this anycast prefix; do not assume anyone still serves it.)

    Packets from a 6to4 site to the native v6 Internet:
    1. The 6to4 router sends the packets towards 2002:c058:6301::/48, which gets them to the nearest relay over IPv4 anycast.
    2. The relay decapsulates the packet and routes it normally out its native v6 interface.

    Packets from the native v6 Internet to a 6to4 site:
    1. Packets follow normal v6 routing (the relay's 2002::/16 advertisement) and arrive at the native v6 interface of a 6to4 relay.
    2. Seeing that the destination is in the 2002::/16 range, the relay extracts the v4 address, encapsulates the packet and forwards it over its v4 interface.

  • Routing between 6to4 and Native v6: Relays (slide 17)

    [Figure: 6to4 relays between the IPv4 Internet and the native IPv6 Internet. Source: Adeel Ahmed, Ciprian Popoviciu]

  • 6to4 Tunneling Example (slide 18)

    [Figure: Site A IPv6 network 2002:c000:201::/48 behind R1 (192.0.2.1/24) and Site B IPv6 network 2002:c633:6401::/48 behind R2 (198.51.100.1/24), connected across the Internet or ISP network. Each site's /48 is 2002: followed by its router's IPv4 address in hex.]

    R1#
      interface Loopback0
       ip address 192.0.2.1 255.255.255.0
      interface Tunnel0
       no ip address
       ipv6 enable
       tunnel source Loopback0
       tunnel mode ipv6ip 6to4
       tunnel path-mtu-discovery
      ipv6 route 2002::/16 Tunnel0
      ipv6 route ::/0 2002:C058:6301::

    R2#
      interface Loopback0
       ip address 198.51.100.1 255.255.255.0
      interface Tunnel0
       no ip address
       ipv6 enable
       tunnel source Loopback0
       tunnel mode ipv6ip 6to4
       tunnel path-mtu-discovery
      ipv6 route 2002::/16 Tunnel0
      ipv6 route ::/0 2002:C058:6301::
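    The address arithmetic behind slides 14 to 18, as an added Python example (not code from the AfriNIC deck or from Cisco IOS): deriving a site's 2002::/48 from its IPv4 address, the per-packet tunnel destination a 6to4 router picks (embedded address for 6to4 destinations, relay anycast for everything else), and the checks a relay should apply to a protocol-41 packet from the IPv4 side so that the "v6 address spoofing" abuse the slide mentions is rejected. The non-global address list follows the RFC 3964 recommendations; the documentation prefixes are deliberately left out of it so the slides' own example addresses pass.

```python
"""6to4 address derivation and relay ingress checks (RFC 3056, RFC 3068,
RFC 3964). Added example; not code from the AfriNIC deck. Pure address
arithmetic; nothing is sent on the wire."""
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
RELAY_ANYCAST_V4 = ipaddress.IPv4Address("192.88.99.1")   # RFC 3068 relay anycast (deprecated by RFC 7526)

# IPv4 ranges that must never appear as the embedded address of a 6to4 site
# (RFC 3964 style list). Documentation prefixes such as 192.0.2.0/24 are
# intentionally not listed so the slides' example addresses are accepted.
NON_GLOBAL_V4 = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def six_to_four_prefix(v4: str) -> ipaddress.IPv6Network:
    """2002:V4ADDR::/48 for a site whose public IPv4 address is V4ADDR."""
    bits = (0x2002 << 112) | (int(ipaddress.IPv4Address(v4)) << 80)
    return ipaddress.IPv6Network("%s/48" % ipaddress.IPv6Address(bits))


def embedded_ipv4(addr6: str):
    """The IPv4 address carried in bits 16-47 of a 6to4 address, or None if
    the address is not inside 2002::/16."""
    a = ipaddress.IPv6Address(addr6)
    if a not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


def tunnel_destination(dst6: str) -> ipaddress.IPv4Address:
    """Per-packet tunnel endpoint chosen by a 6to4 router: the embedded IPv4
    address for 6to4 destinations (site-to-site traffic goes direct), else
    the relay behind the default route 2002:c058:6301::, i.e. 192.88.99.1."""
    v4 = embedded_ipv4(dst6)
    return v4 if v4 is not None else RELAY_ANYCAST_V4


def relay_accepts_from_ipv4(outer_src4: str, inner_src6: str, inner_dst6: str) -> bool:
    """Checks a relay applies to a protocol-41 packet arriving from the IPv4
    side. A packet claiming to come from 2002:X:Y:: must really have arrived
    from IPv4 address X.Y; otherwise the v6 source is spoofed."""
    outer = ipaddress.IPv4Address(outer_src4)
    emb = embedded_ipv4(inner_src6)
    if emb is None or emb != outer:
        return False                       # not 6to4, or embedded v4 != outer v4 source
    if any(emb in net for net in NON_GLOBAL_V4):
        return False                       # private/loopback/multicast cannot be a 6to4 site
    if ipaddress.IPv6Address(inner_dst6) in SIX_TO_FOUR:
        return False                       # 6to4-to-6to4 never needs a relay; treat as abuse
    return True


if __name__ == "__main__":
    for v4 in ("192.0.2.1", "198.51.100.1", "192.88.99.1"):
        print(v4, "->", six_to_four_prefix(v4))
    print("next hop for 2002:c633:6401::1:", tunnel_destination("2002:c633:6401::1"))
    print("next hop for 2001:db8::1:", tunnel_destination("2001:db8::1"))
    print("spoofed source accepted?",
          relay_accepts_from_ipv4("203.0.113.9", "2002:c000:201::1", "2001:db8::1"))
```

    The outer-versus-embedded comparison is cheap and is the one control that makes 6to4 sources at least as trustworthy as the IPv4 source they arrived from; without it a relay turns into an open reflector for arbitrary IPv6 source addresses.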

  • The 6rd Transition Technique (slide 19)

    - 6rd = IPv6 Rapid Deployment (RFC 5969)
    - Plug-n-play ease of 6to4 without the drawbacks.
    - Uses an ISP's own v6 prefix rather than 2002::/16, thus limiting the operational domain to the ISP's network.

    Source: Mark Townsley, Cisco

  • Elements of a 6rd System (slide 20)

    Element               Description
    6rd prefix            An IPv6 prefix selected by the SP for use in 6rd. Used (instead of 2002::/16) to create 6rd addresses. There is only one 6rd prefix per 6rd domain.
    6rd delegated prefix  Calculated by the CE for use within the customer site: 6rd prefix + CE WAN-side v4 address.
    CE router             LAN-side: v6 natively implemented. WAN-side: v4-only; can be Ethernet, ATM, PPP and use PPPoE, IPCP, DHCP etc. The WAN-side v4 address could be global or private per 6rd domain. A CE could belong to more than one 6rd domain.

  • Elements of a 6rd System, continued (slide 21)

    Element                Description
    Border Relay (BR)      Links the 6rd domain to external v6 domains / the Internet. Can be reached via anycast. Has at least one each of: an IPv4 interface; a 6rd virtual interface acting as an endpoint for the 6rd v6-in-v4 tunnel; an IPv6 interface connected to the native IPv6 network.
    6rd virtual interface  Internal multipoint tunnel interface where 6rd encap & decap occurs. Typically one per CE; no more than one on each BR per domain.

  • From 6to4 to 6rd (slide 22)

                                   6to4                                         6rd
    Client's network               Dual stack or v6 only                        Dual stack or v6 only
    Client IPv6 prefix             2002:<client v4 address>::/48                Normal v6 address: <6rd prefix>:<v4 bits>::/n; part or all of the client's v4 address is used
    Traffic between site and       Send packet to a 6to4 relay; the return      Send packet to the Border Relay (BR); return
    other IPv6 sites               path may use a different relay               traffic comes back through the same BR
    IPv6 traffic over the ISP's    Tunneled within v4, follows v4 routing       Tunneled within v4, follows v4 routing
    access network

  • Slide 23

    - x (the 6rd prefix length) typically ranges from 12 to 32 bits.
    - y (the number of IPv4 bits embedded, i.e. 32 - IPv4MaskLen) typically ranges from 8 to 32 bits.
    - Try to ensure that x + y < 64 so the client can still have subnets (a /64 delegated prefix leaves room for exactly one LAN).
    - Prefix lifetimes on the LAN.

  • Auto 6rd Prefix Delegation Example (slide 24)

    [Figure: worked 6rd prefix delegation example. Source: Mark Townsley, Cisco]

  • 6rd CPE Routing Behavior (slide 25)

    - Install a default route to the 6rd BR.
    - Install a black hole route for the auto-delegated prefix (so traffic to unused parts of the site's prefix is dropped rather than bouncing between CE and BR).
    - Install routes for any advertised LAN-side prefixes.

  • Advantages of 6rd (slide 26)

    - Allows an SP to provide v6 over a v4-only access network.
    - The SP can start building v6 experience while migrating the rest of the network.
    - Quick to deploy: all CPEs get the same configuration.

  • 6rd Configuration | Mandatory Parameters (slide 27)

    IPv4MaskLen
      The number of identical high-order bits shared by all CE IPv4 addresses in the 6rd domain. That many high-order bits are stripped from the v4 address before constructing the 6rd delegated prefix. If clients get /32s, IPv4MaskLen = 0 and the entire CPE v4 address is used. If client addresses all come from a /n prefix, IPv4MaskLen = n, leaving 32 - n bits to embed (the example that follows uses addresses from 10.0.0.0/8, hence IPv4MaskLen 8).

    6rdPrefix & 6rdPrefixLen
      Part of the ISP's allocation from its RIR. Used instead of 2002::/16 to form the v6 prefix for each client site.

    6rdBRIPv4Address
      Analogous to the 6to4 relay. Used to reach non-6rd sites.

  • Provisioning 6rd CPEs (slide 28)

    - An XMS object retrieved after v4 connectivity is established
    - A DNS record
    - SMIv3 MIB
    - PPP IPCP
    - Manually by the administrator
    - DHCPv4 OPTION_6RD (212)

  • 6rd Configuration | Border Relay (slide 29)

    ipv6 general-prefix 6rd_PREFIX 6rd Tunnel0
    interface Loopback0
     ip address 10.0.0.1 255.255.255.0
    !
    interface Tunnel0
     tunnel source Loopback0
     tunnel mode ipv6ip 6rd
     tunnel 6rd ipv4 prefix-len 8
     tunnel 6rd prefix 2001:db80::/28
     ipv6 address 6rd_PREFIX ::/128 anycast
    !
    ipv6 route 2001:db80::/28 Tunnel0
    ipv6 route 2001:db80:0:1000::/52 Null0

    The general-prefix name must match between the ipv6 general-prefix and ipv6 address lines. The BR's own 6rd-derived prefix is 2001:db80:0:1000::/52 (6rd prefix + 0.0.1, the low 24 bits of 10.0.0.1), which is why that prefix is black-holed on Null0 and why CPEs use 2001:db80:0:1000:: as their default next hop.

  • 6rd Configuration | CPE (slide 30)

    ipv6 general-prefix DELEGATED_PREFIX 6rd Tunnel0
    interface Dialer0
     ip address dhcp
    ! (WAN-side address received: 10.0.0.10)
    !
    interface Tunnel0
     tunnel source Dialer0
     tunnel mode ipv6ip 6rd
     tunnel 6rd ipv4 prefix-len 8
     tunnel 6rd prefix 2001:db80::/28
     tunnel 6rd br 10.0.0.1
     ipv6 address DELEGATED_PREFIX ::/128 anycast
    !
    interface Ethernet0
     ipv6 address DELEGATED_PREFIX ::/64 eui-64
    !
    ipv6 route 2001:db80::/28 Tunnel0
    ipv6 route ::/0 Tunnel0 2001:db80:0:1000::
    ipv6 route 2001:db80:0:a000::/52 Null0
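    The prefix arithmetic that the IOS general-prefix command does for you on slides 27, 29 and 30, as an added Python example (not code from the AfriNIC deck or from Cisco IOS). It reproduces the numbers in those configurations: 6rd prefix 2001:db80::/28, IPv4MaskLen 8, BR 10.0.0.1, CE WAN address 10.0.0.10, giving delegated prefixes 2001:db80:0:a000::/52 for the CE and 2001:db80:0:1000::/52 for the BR. It also shows the per-packet tunnel destination a CE derives (direct to another CE inside the domain, otherwise the BR) and the three routes slide 25 lists. The function names are this example's own.

```python
"""6rd (RFC 5969) address arithmetic as a CE and BR perform it. Added
example; not code from the AfriNIC deck or Cisco IOS. Parameters below are
the slides' configuration values."""
import ipaddress


def delegated_prefix(rd_prefix: str, ipv4_mask_len: int, ce_ipv4: str) -> ipaddress.IPv6Network:
    """6rd delegated prefix = 6rd prefix followed by the CE's IPv4 address
    with its IPv4MaskLen high-order bits (the bits every CE shares) stripped."""
    net = ipaddress.IPv6Network(rd_prefix)
    v4_bits = 32 - ipv4_mask_len
    length = net.prefixlen + v4_bits
    if length > 64:
        raise ValueError("delegated prefix /%d is longer than /64; no room for a LAN subnet" % length)
    v4_part = int(ipaddress.IPv4Address(ce_ipv4)) & ((1 << v4_bits) - 1)
    addr = int(net.network_address) | (v4_part << (128 - length))
    return ipaddress.IPv6Network("%s/%d" % (ipaddress.IPv6Address(addr), length))


def site_subnets(delegated: ipaddress.IPv6Network) -> int:
    """How many /64 LAN subnets the customer can carve out of its prefix
    (the x + y < 64 rule from slide 23 in numbers)."""
    return 1 << (64 - delegated.prefixlen)


def tunnel_destination(rd_prefix: str, ipv4_mask_len: int, local_ipv4: str,
                       dst6: str, br_ipv4: str) -> ipaddress.IPv4Address:
    """Per-packet IPv4 endpoint a 6rd CE picks: for destinations inside the
    6rd domain, rebuild the peer's IPv4 address from the embedded bits plus
    the shared high-order bits of its own address (direct CE-to-CE); for
    everything else, the Border Relay."""
    net = ipaddress.IPv6Network(rd_prefix)
    dst = ipaddress.IPv6Address(dst6)
    if dst not in net:
        return ipaddress.IPv4Address(br_ipv4)
    v4_bits = 32 - ipv4_mask_len
    embedded = (int(dst) >> (128 - net.prefixlen - v4_bits)) & ((1 << v4_bits) - 1)
    shared_high = int(ipaddress.IPv4Address(local_ipv4)) & ~((1 << v4_bits) - 1) & 0xFFFFFFFF
    return ipaddress.IPv4Address(shared_high | embedded)


def cpe_routes(rd_prefix: str, ipv4_mask_len: int, ce_ipv4: str, br_ipv4: str):
    """The routes a 6rd CPE installs: the 6rd domain via the tunnel, a default
    via the BR's 6rd address, and a Null0 black hole for its own delegated
    prefix so traffic to unused subnets is dropped instead of looping."""
    mine = delegated_prefix(rd_prefix, ipv4_mask_len, ce_ipv4)
    br6 = delegated_prefix(rd_prefix, ipv4_mask_len, br_ipv4).network_address
    return [(rd_prefix, "Tunnel0"), ("::/0", "Tunnel0 %s" % br6), (str(mine), "Null0")]


if __name__ == "__main__":
    P, MASK, BR, CE = "2001:db80::/28", 8, "10.0.0.1", "10.0.0.10"
    mine = delegated_prefix(P, MASK, CE)
    print("CE delegated prefix:", mine, "with", site_subnets(mine), "/64 subnets")
    print("BR delegated prefix:", delegated_prefix(P, MASK, BR))
    print("to 2001:db80:0:1000::1 via", tunnel_destination(P, MASK, CE, "2001:db80:0:1000::1", BR))
    print("to 2001:db8::1 via", tunnel_destination(P, MASK, CE, "2001:db8::1", BR))
    for prefix, nexthop in cpe_routes(P, MASK, CE, BR):
        print("ipv6 route", prefix, nexthop)
```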

  • General Tunnel Configuration Steps [IOS] (slide 31)

    1 | Create the tunnel interface
        (config)# interface tunnel tunnel-number

    2 | Specify the tunnel source
        (config-if)# tunnel source {interface-type number | a.b.c.d}

    3 | Specify the tunnel destination (manual tunnels only)
        (config-if)# tunnel destination {a.b.c.d | hostname}

    4 | Assign an IPv6 address to the tunnel
        (config-if)# ipv6 address address/prefix-length

    5 | Specify the type of the tunnel
        (config-if)# tunnel mode mode

  • Cisco IOS Tunnel Modes (slide 32)

    Type       Tunnel mode     Tunnel source                                              Tunnel destination                           Tunnel IPv6 address
    Manual     ipv6ip          An IPv4 address, or a reference to an interface            IPv4 address                                 Global unicast
                               on which an IPv4 address has been configured
    GRE/IPv4   gre ip          (as above)                                                 IPv4 address                                 Global unicast
    6to4       ipv6ip 6to4     (as above)                                                 Calculated automatically on a per-packet     6to4 address
                                                                                          basis
    6rd        ipv6ip 6rd      (as above)                                                 Calculated automatically on a per-packet     6rd delegated-prefix address
                                                                                          basis (embedded IPv4 address or the BR)
    ISATAP     ipv6ip isatap   (as above)                                                 Calculated automatically on a per-packet     ISATAP address
                                                                                          basis

  • IPv4-IPv6 Translation: NAT64 & DNS64 (slide 33)

    - Translation is the only mechanism that gets v4-only nodes talking to v6-only nodes (dual stack and tunneling both require v6 at both ends).
    - Operates in two modes:
      Stateful [RFC 6146]: many v6 hosts share one v4 address (or a small pool), NAPT-style, so the translator keeps per-flow state.
      Stateless [RFC 6145, now RFC 7915]: one-to-one algorithmic address mapping with only IP and ICMP header translation; no per-flow state.
    - Implementations at the time of the slides: Ecdysis (free and open source), MS Forefront UAG DirectAccess, Cisco CGv6.

  • NAT64 & DNS64 Use Case for Access Networks (slide 34)

    [Figure: NAT64/DNS64 placed at the edge of an IPv6-only access network. Source: Marc Blanchet, Viagénie]

  • NAT64 & DNS64 Use Case for Content Providers (slide 35)

    [Figure: NAT64/DNS64 in front of IPv4-only content. Source: Marc Blanchet, Viagénie]

  • NAT64 & DNS64: How it Works (slide 36)

    Actors: v6 host 2001:db8::2; DNS64 resolver; regular DNS; NAT64 (inside address 2001:db8::1, outside address 192.0.2.1); v4 server www.example.com = 192.0.2.6.

    DNS part:
    1. The v6 host asks the DNS64 resolver: AAAA? www.example.com
    2. DNS64 finds no AAAA record for the name and asks the regular DNS: A? www.example.com
    3. Regular DNS answers: www.example.com = 192.0.2.6
    4. DNS64 synthesizes an AAAA from the A using the well-known prefix (WKP) 64:ff9b::/96: the v4 address becomes the low 32 bits.
    5. DNS64 answers the host: www.example.com = 64:ff9b::c000:206

    Packet part:
    6. The host sends src 2001:db8::2, dst 64:ff9b::c000:206; 64:ff9b::/96 is routed to the NAT64.
    7. The NAT64 does v6-to-v4 NAPT and recalculates the transport checksums: the v4 destination is taken from the low 32 bits of the v6 destination, the v4 source is the NAT64's outside address: src 192.0.2.1, dst 192.0.2.6.
    8. The server replies: src 192.0.2.6, dst 192.0.2.1.
    9. The NAT64 matches the reply against its binding, does v4-to-v6 NAPT and recalculates checksums: src 64:ff9b::c000:206, dst 2001:db8::2.
    10. The v6 host receives the reply; it never learns that the server is v4-only.

  • After this section, you should be able to:

    - Describe the various roadblocks holding back IPv6.
    - Brainstorm solutions to the above problems.
    - Identify the key messages to use in selling IPv6 to management.
    - Brainstorm a generic IPv6 deployment framework and tailor it to your own organisation.

    IPv6 Business Readiness: Class Discussion

  • Discussion Points (slide 38)

    - Challenges you anticipate in your move to IPv6
    - Address plan ideas
    - What kind of help do you need?
    - Suggestions for overcoming the challenges

  • Generic Transition Plan (slide 39)

    - Raise awareness
    - Training
    - Network equipment and application audit
    - Modify all RFPs to make IPv6 support mandatory
    - Plan to replace all non-v6 devices/applications with v6-capable versions
    - Get your IPv6 allocation
    - Enable both IPv6 and IPv4 on your network
    - If your ISP doesn't support v6 transit, consider using tunnels

  • So What Can You Do?!! (slide 40)

    - Enable IPv6 support for your public servers (DNS, mail, web). Start gaining experience with what works, what doesn't, and the fixes.
    - On return, gather your colleagues and teach them what you have learnt.
    - Subscribe to [email protected] and share experiences / learn.
    - Make IPv6 support mandatory in all your equipment and software purchases.
    - Get rid of all non-v6-capable operating systems in your network.
    - Set up a small lab and start experimenting with v6.

  • Thank U | Questions ?

    www.afrinic.net