1 / 48

IPv6 IETF Next Gen Internet Greg O’Shea Microsoft Research

IPv6 IETF Next Gen Internet Greg O’Shea Microsoft Research. Contents. Motivation Addressing Packet structure ICMPv6 (Neighbor Discovery) Address auto-configuration IPSec Mobile IPv6 Transitioning Reflections. 1. 7. 24. Class A. 0. Network. Host. 2. 14. 16. Class B. 10.

deiondre
Télécharger la présentation

IPv6 IETF Next Gen Internet Greg O’Shea Microsoft Research

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IPv6 IETF Next Gen Internet Greg O’Shea Microsoft Research

  2. Contents • Motivation • Addressing • Packet structure • ICMPv6 (Neighbor Discovery) • Address auto-configuration • IPSec • Mobile IPv6 • Transitioning • Reflections

  3. 1 7 24 Class A 0 Network Host 2 14 16 Class B 10 Network Host 3 21 8 Class C 110 Network Host IPv4 : a protocol for the present • 32-bits seemed plenty in 1978 • Yield might be as low as 200M/4G • Shortage of class B addresses • NAT: relieve pressure on address space • CIDR: relieve pressure on routers • Is this too restrictive for the future?

  4. IPv6: a protocol for the future • Anticipated growth of the Internet • 10 billion people by 2020 ? • Some with several computers • mobile phones (etc) with IP addresses? • Debate and proposals in IETF (1994) • Goal: an IP address for every computer • Avoid restrictions of address shortage • IPv6 (1996) uses 128-bit addresses • cheap and easily acquired

  5. Scalability and housekeeping • More efficient headers (router-friendly) • fixed header size, no options, wrt forwarding • extension headers follow IP hdr • Hierarchical route prefixes • Per Classless Inter-Domain Routing (CIDR) • route/n is route of prefix length 0<=n<=64 • space-efficient longest-match route tables • Reduce net admin overheads • Stateless Address auto-configuration • And also Security (IPSec) • Security for IP layer (sometimes, in principle) • And also Mobility (MIPv6) • Support mobile hosts moving between IP nets

  6. Notabilia • You have to modify your apps – a little is enough • Struct sockaddr -> SOCKADDRINFO • Gethostbyname() - > getaddrinfo() • Does not modify TCP, UDP etc • Co-exists with IPv4, typically dual-stack • Why 128 bits? Room for hierarchical prefixes • 1500 <= packetsize <= 64KB • Min exploits most common case (eth) • Routers unlikely to fwd more than 64KB • No header checksum • L2, PPP and e.g. TCP checksums suffice • Saves routers recomputing cks(--HopCount) • No fragmentation between routers • Lost frag requires rexmit whole packet • Source learns PMTU from ICMPv6

  7. Addressing

  8. 3ffe:8310:0000:0000:20d:56ff:fe6d:f02c 64-bit network prefix 64-bit Interface Id • Type 001 : Global aggregatable address • TLA : Top Level Aggregator (think: long haul) • NLA : Next Level Aggregator (think: NSP, ISP) • SLA : Site Level Aggregator (think: any.org) • Interface Id (~unique) • Derived from MAC • Else manual else random else DHCPv6 else novel (e.g. CGA) • Collision avoidance via DAD (else feel wrath of IESG) 8-bit 13-bit 24-bit 3-bit 16-bit 001 TLA Res NLA SLA Interface Id

  9. Primary Address Types • Global • Link-local (fe80::/10) • Routers do not forward beyond link • Site-local (feco::/10) (deprecated) • Routers do not forward beyond site • Multicast (ff00::/8) • no broadcast in IPv6 • FF02::1 (Link-local all-nodes address) • FF02::2 (Link-local all-routers address) • Null = :: (:: = string of zero hextets) • Loopback = ::1

  10. Packet Headers

  11. vers class flow label length next hop lim Source Address Destination Address IPv6 Header • Designed for efficiency in routers • Fixed size, no options • Larger (40-byte) but simpler to handle

  12. BaseHeader Extension Header 1 … Extension Header N Data Extension Headers 1. Hop-by-Hop (e.g. MLD) 2. Dest Opts header (intermediate nodes) 3. Routing Header 4. Fragment Header 5. Authentication Header (AH) (~deprecated) 6. Encapsulating Security Payload (ESP) header • Destination Opts header (final destination) • Mobility Header

  13. Compare headers (in your own time) IPv4 Header Field Change in IPv6 Version New value of 6 Internet Header Length Removed Type of Service Traffic Class field Total Length Payload Length field Identification Removed to Fragment extension header Fragmentation Flags Removed to Fragment extension header Fragment Offset Removed to Fragment extension header Time to Live Hop Limit field Protocol Next Header field Header Checksum Removed Source Address Same, new 128-bit length Destination Address Same, new 128-bit length Options Removed to extension headers

  14. ICMPv6

  15. ICMPv6 in general • Test reachability • ping, tracert • Error report • Destination Unreachable • Time Exceeded • Packet Too Big (ref PMTU discovery) • Multicast Listener Discovery (MLD) • e.g. join solicited node multicast group • Neighbor Discovery (ND) • Address resolution and 2-way reachable • Stateless addr autoconfig & DAD

  16. Neighbor Discovery (ND) • Router Solicitation (RS) • Exists a router? • Router Advertisement (RA) • publishes route, prefix and option info • Neighbor Solicitation (NS) • L3->L2 address resolution • Bi-directional reachable • maintain Neighbor Cache state • Neighbor Advertisement (NA) • Redirect

  17. NCE state machine

  18. Stateless address auto-configuration

  19. IPv6 Address Autoconfiguration • Configure link-local address (fe80::IFid) • Perform duplicate address detection • Send RS to discover router(s) • Receive RA(s) • Populate route table with routes from RA • Note ::/0 route published by default routers • Form tentative address(es) from (prefix:Ifid) • Start DAD on tentative address(es) • If DAD succeeds, address(es) preferred • O(1.5s) elapsed (mostly DAD timeout)

  20. IPSec

  21. Internet Protocol Security (IPSec) • Network-layer (IP-layer) security protocol. • Specified for IPv6 and IPv4. • Intended to replace all other Internet security protocols but probably won't. • End-to-end authentication and encryption between two IP hosts. • IP addresses used to as host identifiers. • Three steps: • Configure Security Policy Database (SPD) • IKE or manual create Security Associations (SA). • ESP session protocol protects data.

  22. Key exchange 1 SPD SPD Security Policy Database Security Policy Database IPSec IPSec SA Pair IPSec Security Association Database Security Association Database SAD SAD ESP 2 IPSec Architecture Untrusted network Host A Host B • Security associations (SA) created by IKE, used by IPSec. • Security policy guides SA creation and selection for use. IKE(v2) IKE(v2) Session Key Session Key

  23. ESP Packet Format ESP header and trailer = SPI + Sequence number + Padding ESP authentication trailer = message authentication code (MAC) Original Packet: IP header IP Payload ESP in transport mode: Original Original IP header ESP header IP Payload ESP trailer Auth trailer Encrypted Authenticated ESP in tunnel mode: Original IP header ESP header IP header IP Payload ESP trailer Auth trailer Encrypted Authenticated

  24. Mobile IPv6 (2003)

  25. The Problem: internet hosts cannot move Traditional IP address = (network + host-id) • is bound to a specific network • Connections break if node moves between nets • Okay for traditional, wired connections • Problem for mobile, wireless computers (future)

  26. MIPv6: a game for three players... • Mobile Node (MN) • (s)he who moves between IP nets • Home Agent (HA) • Proxy on home net for absent MN • Correspondent Node (CN) • (s)he who speaks with a MN • Potentially every IPv6 node is a CN • Potentially the CN is also an MN

  27. … involving up to four addresses • Home Address (HoA) • where apps think host is • Care-Of Address (CoA) • where host actually is • IP header • Source CoA: where sender is attached • Dest CoA: where destination is attached • Home Address Destination Option • HoA of sender, if sender is MN abroad • Routing Header (Type 2) • HoA of recipient, if recipient is MN abroad

  28. Messages and data structures • Binding Update: (HoA, CoA) • Sent by MN to inform CN (or HA) of its whereabouts • Binding Cache on CN and HA • list of Binding Updates accepted • Binding Update List on MN • list of BUs sent that have not yet expired

  29. Mobile on home net,Correspondent elsewhere

  30. Packets arrive on home net (normal)

  31. Mobile node moves abroad

  32. Mobile tells HA its whereabouts IPSec Transport

  33. Home Agent fwds to mobile IPSectunnel

  34. HoTi: Request K0 from CN IPSectunnel

  35. HoT: Get K0 = HMAC(HoA)Kcn IPSectunnel

  36. CoTi: Request K1 from CN

  37. CoT: Get K1 = HMAC(CoA)Kcn

  38. BU: key K = SHA1(K0, K1)

  39. CN regenerates K; bypasses HA

  40. Transitioning

  41. Native v6 indicated by circles Also in Cambridge, U.K. ISATAP available in all buildings and all locations Native and ISATAP can communicate via ISATAP routers Microsoft publicly hosts Teredo servers on the Internet Microsoft IPv6 Deployment

  42. v4 Enterprise 6to4 v6 Enterprise Native v6 Enterprise v4+ISATAP Enterprise V4-v6 Dual Stack Enterprise v4 Internet v6 v6 v6 Internet Teredo v6 v6 v6 NAT NAT v4/v6 Co-Existence Strategy ISATAP Router 6to4 Router 6to4 Router 6to4 Relay 6to4 6to4 IDG 6to4 Relay ISATAP Teredo Relay

  43. IPv6 Transitioning Overview • Fragmented IPv6 infrastructure • Bridge the gaps using IPv4 tunnels • 6to4 tunneling uses (2002::/16 routes) • 6to4 router with public V4ADDR=w.x.y.z • forms 2002:V4ADDR::IFid and publishes in DNS • Advertises 2002:V4ADDR::/48 (local) • Advertises 2002::/16 (offsite) via its IF=#3 • Isolated IPv6 host can tunnel to known 6to4 router • ISATAP for isolated hosts on IPv4 intranet • Host looks up “ISATAP” to find ISATAP router • Host configures e.g. fe80::0:5EFE:w.x.y.z(%2) • Host sends via tunnel IF(%2) (wraps v6 in v4) • Tunneled RS/RA to ISATAP router yields offsite routes • Teredo – if behind a v4 NAT that can’t do 6to4 • 3FFE:831F::/32 prefix (TBC, awaiting IANA) • 3ffe:831f:wwxx:yyzz:encoding (read the docs) • IPv6 tunneled over UDP port 3544 /IPv4 from host to Teredo server

  44. Reflections

  45. Reflections on MIPv6 • From 20 pages (1996) to 219 pages (2003) • Modified (IPSec, RA, RH2, DAD, ND) • New (MH, HAO, DHAAD, MPS) • “Loose consensus and working code” • Good people all agree that spec looks okay • Try to implement: discover it isn’t okay • compliance tests become definitive interpretation • Debate on IETF list: fight your corner • Politics: choose IPSec if possible • Security based on IPSec AH didn’t scale. • Editorial: riding the paper tiger • For use on corp nets? Carrier nets? Both? • Why must the home net exist ? • Would tunnel be better than HAO + RH2 ? • Some want alternative to IPSec (Hot Topic) • What are the scenarios ?

  46. Deployment of IPv6 • Base specs in place and stable • Production implementations • routers, BSD, Linux, Windows • Demand from Far East, then Europe • Recently mandated by U.S. DoD • Time and $ to change and retest apps • Need apps that survive loss of IPv4 • Dominant in 10 years? Ever? • Where are the production nets ? • *not* tunnels or experimental

  47. References • http://www.ietf.org/ • http://www.uk.ipv6tf.org/ • http://www/microsoft.com/ipv6 • http://www.ipv6forum.com/ • http://www.ipv6tf.org/

  48. Questions

More Related