Sei sulla pagina 1di 41

IPv6!Routing !

Mukom Akong T. (@perfexcellent)

Transition!Mechanisms !
After this section, you should be able to:
! ! ! ! Describe the need for transition technologies. Understand and congure manual 6in4 tunnels. Understand and congure automatic 6to4 tunneling. Identify and describe the options for v6-v4 translation.

The Problem Transition Mechanisms Solve !

Transition Mechanisms !

IPv6-only network

IPv4-only network

IPv4-only network e.g. the Internet

Dual-Stacked Network v4 & v6

! How do we connect v6 networks over non-v6 capable links? ! How do we get v6 only networks talking to v4 only networks?
www.afrinic.net | slide 3

Transition Mechanisms !

IPv6 Transition Techniques

Translation
www.afrinic.net | slide 4

Categories of Transition Techniques !

Tunneling

Dual Stack

Dual Stack Network View !


Transition Mechanisms !

cisco.com

Your hardware, software, security systems run both v4 and v6. !! Hosts (desktops, servers, mobile devices, sensors etc) !! Load balancers !! Switches (think DHCP & IGMP snooping, etc ) !! Routers (intra-domain and inter-domain routing protocols) !! Firewalls, intrusion detection and prevention systems
www.afrinic.net | slide 5

Dual Stack Network Node View !


Transition Mechanisms !
IPv4 | IPv6 Application

TCP

UDP

IPv4

IPv6

Network Medium (e.g. Ethernet, Wireless, Fibre)

www.afrinic.net | slide 6

Stack Selection on a Dual-Stacked Device !


"! Manually specied by the user e.g.

Transition Mechanisms !

!! http://[2000:100::7]/index.html vs http://192.0.2.1.html !! ping 2001:db8::a vs ping 192.0.2.1 !! v4-only application queries, get an A entry and uses v4 !! v6-only application queries, gets an AAAA record and uses v6 !! Dual-stacked application queries, gets both A & AAAA and
prefers v6 (or very rarely v4). !! DNS responses are independent of the L3 protocol ie a host can query over v4 and get AAAA response.
www.afrinic.net | slide 7

"! Through DNS

Con"guring a Cisco Router for Dual Stack !


R2(cong) ipv6 unicast-routing R2(cong) ip cef R2(cong) ipv6 cef R2(cong) interface fast ethernet 0/2 R2(cong-if) ipv6 address 2001:db8:c200::2/64 R2(cong-if) ip address 192.168.15.2 255.255.255.0 R2(cong-if)#ipv6 ospf 1 area 12 R2(cong-if)#ip ospf 1 area 12 R1(cong) ipv6 unicast-routing R1(cong) ip cef R1(cong) ipv6 cef R1(cong) interface fast ethernet 0/2 R1(cong-if) ipv6 address 2001:db8:c200::1/64 R1(cong-if) ip address 192.168.15.1 255.255.255.0 R1(cong-if)#ipv6 ospf 1 area 12 R1(cong-if)#ip ospf 1 area 12
www.afrinic.net | slide 8

Transition Mechanisms !

Some Implications of Running Dual Stack !

Transition Mechanisms !

! Increased complexity

Security policies for both v4 and v6 Two IGP routing protocols & multiple BGP address families Some things work differently in each of the protocols Applications must communicate over both protocols ! Increased support costs ! Higher resource requirements !! Extra memory for routing database and tables for v6 !! BGP tables for v4 (300K+) AND a growing v6 BGP table

!! !! !! !!

www.afrinic.net | slide 9

Tunneling !
cisco.com

Transition Mechanisms !
"! Encapsulate IPv6 within IPv4 packets (v4 protocol number 41). "! Source and destination elds are set to the v4 addresses of the tunnel

endpoints. "! Tunnel endpoints are either manually congured or derived from transition addresses.
www.afrinic.net | slide 10

Types of Tunnels !
Transition Mechanisms !
"! Manual

!! Requires manual conguration at both ends. !! Pre-agreement for addresses to use at both endpoints. !! Remote end is auto-congured, other is manual !! Router-to-router or host-to-router

"! Semi automatic, Tunnel Broker [RFC 3053]

"! Automatic

!! Tunnels are created on demand. !! Examples: 6to4, 6rd, ISATAP


www.afrinic.net | slide 11

Manual Tunnels !
Pre-requisites

Transition Mechanisms !

! Dual-stacked router [DSR] (or host) at both ends. ! IPv4 reachability between both ends. ! Public IPv4 addresses on each of the tunnel endpoints. How it works ! DSR gets a v6 packet on its native v6 interface and routing directs it out the tunnel interface. ! DSR encapsulates the v6 packet inside a v4 packet and sends it to the v4 address of the tunnel endpoint. (in the v4 header, v6 is identied by protocol no. 41) ! End DSR decapsulates the v4 packet, sees a v6 packet and sends it out its v6 interface according to normal v6 routing table. Potential issues ! Firewalls in transit might block protocol no. 41. ! Full cooperation of the tunnel endpoint routers admin is required. ! MTU issues in the path.
www.afrinic.net | slide 12

Manual Tunneling Example !


Transition Mechanisms !
19 8.5 4 2 1.1 / 1 . 00 2 R1 R2 . .1/ 0 . 2 2 19 Internet or ISP network 4 20 01 64 / :db ::2 2 8:1 8:1 2:: b 1/ :d 1 64 0 20

2001:db8:1000::/64

2001:db8:2000::/64

R1# interface Loopback 0 ip address 192.0.2.1 255.255.255.0 interface Tunnel0 no ip address ipv6 2001:db8:12::1/64 tunnel source Loopback0 tunnel destination 198.51.100.1 tunnel mode ipv6ip tunnel path-mtu-discovery

R2# interface Loopback 0 ip address 198.51.100.1 255.255.255.0 interface Tunnel0 no ip address ipv6 2001:db8:12::2/64 tunnel source Loopback0 tunnel destination 192.0.2.1 tunnel mode ipv6ip tunnel path-mtu-discovery ipv6 route 2001:db8:1000::/64 Tunnel0

ipv6 route 2001:db8:2000::/64 Tunnel0

www.afrinic.net | slide 13

6to4 Tunneling [RFC3056] !


Pre-requisites

Transition Mechanisms !

! Dual-stacked router [DSR] (or host) at both ends. ! IPv4 reachability between both ends using public IPv4 addresses. How it works ! DSR routes packets on its native v6 interface out the tunnel interface. ! DSR automatically determines the tunnel endpoint (the v4 address that comes after 2002::/16) ! DSR encapsulates the v6 packet inside a v4 packet and sends it onwards. ! End DSR decapsulates the v4 packet, sees a v6 packet and sends it out its v6 interface according to normal v6 routing table. Potential issues ! Relays are subject to abuse (DOS & v6 address spoong) ! Indiscriminately connecting to any endpoint poses security risks. ! Asymmetric: different endsites may use different relays. ! MTU issues in the path.
www.afrinic.net | slide 14

Routing between 6to4 Networks !


Transition Mechanisms !

Source: Adeel Ahmed, Ciprian Popoviciu


www.afrinic.net | slide 15

Routing between 6to4 and Native v6 !


Pre-requisites

Transition Mechanisms !

! A 6to4 relay router connected to native v6 and also to v4 using a 6to4 interface and advertising 2002::/16 to its neighbours ! Default gateway on the 6to4 routers or host must be the 6to4 relay address of 192.88.99.1 [2002:c058:6301::/48] Packets from 6to4 site to native v6 Internet. ! 6to4 router sends the packets to 2002:c058:6301::/48 (which will get to the nearest relay) ! The relay decapsulates the packet and routes normally it out its native v6 interface. Routing packets from native v6 Internet to 6to4 site ! Packets follow normal v6 routing and get to native v6 interface of 6to4 relay. ! Seeing that the destination is in the 2002::/16 range, the relay extracts the v4 address and creates a tunnel and forwards it over v4 interface.
www.afrinic.net | slide 16

Routing between 6to4 and Native v6: Relays !

Transition Mechanisms !

Source: Adeel Ahmed, Ciprian Popoviciu


www.afrinic.net | slide 17

6to4 Tunneling Example !


Transition Mechanisms !
19

2002:C633:6401::/48
8.5 1.1 00 .1/

R1
Site A IPv6 network

19

2.0

Internet or ISP network

24

R2
Site B IPv6 network

.2.

1/2

2002:C000:201::/48
R1# interface Loopback 0 ip address 192.0.2.1 255.255.255.0 interface Tunnel0 no ip address ipv6 enable tunnel source Loopback0 tunnel mode ipv6ip 6to4 tunnel path-mtu-discovery ipv6 route 2002::/16 Tunnel0 ipv6 route ::/0 2002:C058:6301::

R2# interface Loopback 0 ip address 198.51.100.1 255.255.255.0 interface Tunnel0 no ip address ipv6 enable tunnel source Loopback0 tunnel mode ipv6ip 6to4 tunnel path-mtu-discovery ipv6 route 2002::/16 Tunnel0 ipv6 route ::/0 2002:C058:6301::

www.afrinic.net | slide 18

The 6rd Transition Technique !


Mark Townsley, Cisco

Transition Mechanisms !

"! 6rd = IPv6 Rapid Deployment (RFC 5969) "! Plug-n-play ease of 6to4 without the drawbacks. "! Uses an ISPs v6 prex rather than 2002::/16 thus limiting the

operational domain to the ISPs network.


www.afrinic.net | slide 19

Elements of a 6rd System !


Transition Mechanisms !
Element 6rd prefix 6rd delegated prefix Description ! An IPv6 prefix selected by SP for use in 6rd ! Used (instead of 2002::/16) to create 6rd addresses ! There's only 1 6rd prefix per 6rd domain ! Calculated by CE for use within customer site ! 6rd prefix + CE WAN-side v4 address ! LAN-side: v6 natively implemented ! WAN-side: v4-only, can be Ethernet, ATM, PPP and use PPPOE, IPCP, DHCP etc. ! WAN-side v4 address could be global or private per 6rd domain ! A CE could belong to more than one 6rd domain

CE router

www.afrinic.net | slide 20

Elements of a 6rd System !


Transition Mechanisms !
Element Description ! Links 6rd domain to external v6 domains/Internet ! Can be reached via anycast ! Has at least one each of ! IPv4 interface ! A 6rd virtual interface acting as an endpoint for the 6rd v6-in-v4 tunnel ! An IPv6 interface connected to the native IPv6 network ! Internal multipoint tunnel interface where 6rd encap & decap occurs ! Typically one per CE ! No more than 1 on each BR per domain

Border Relay (BR)

6rd virtual interface

www.afrinic.net | slide 21

From 6to4 to 6rd !


6to4 6rd Clients network Dual stack or v6 only Dual stack or v6 only Client IPv6 prefix ! ! 2002:<v4Addr>::/48 Normal v6 address <optional> ! ! ! ! ! ! Send packet to 6to4 relay Return path may use diff relay ! ! Single v6 address <6rd-Prefix>:<v4Addr>::/n Part or all of client v4 address is used 6rd prefix Send packet to Border Relay (BR) Return traffic sent to same BR

Transition Mechanisms !

Traffic between site and other IPv6 sites

IPv6 Traffic over ISPs Access Network Tunneled within v4, follows v4 routing Tunneled within v4, follows v4 routing

www.afrinic.net | slide 22

Auto 6rd Pre"x Delegation !


Transition Mechanisms !
6rdPrefix WANv4Addr Client Network Use

x bits

y bits

128 - (x + y) bits

"! X typically ranges from 12 32 bits "! Y typically ranges from 8 32 bits "! Try to ensure that:

!! (x + y) < 64 so client can still have subnets !! Prex lifetimes on LAN <=WANv4 address lease time
www.afrinic.net | slide 23

Auto 6rd Pre"x Delegation Example !


Mark Townsley, Cisco

Transition Mechanisms !

www.afrinic.net | slide 24

6rd CPE Routing Behavior !


Transition Mechanisms !

"! Install a default route to the 6rd BR "! Install a black hole route to the auto-delegated prex "! Install routes for any advertise LAN-side prexes

www.afrinic.net | slide 25

Advantages of 6rd !
Transition Mechanisms !

! Allows SP provide v6 over v4-only access network ! SP can start building v6 experience while migrating rest of the

network ! Quick to deploy all CPEs get the same conguration

www.afrinic.net | slide 26

6rd Con"guration | Mandatory Parameters !


IPv4MaskLen ! number of identical high-order bits for all CE IPv4 addresses in the 6rd domain. ! This much high order bits are stripped from the v4 address before constructing the 6rd prex ! If clients get /32s, the v4masklen=0 and entire CPE v4 address is used. ! If clients addresses are from a /n prex, then v4masklen is 32-n 6rdPrex & 6rdPrexLen ! Part of ISPs allocation from RIRs ! Used instead of 2002::/16 to form the v6 prex for each client site 6rdBRIPv4Address ! Analogous to 6to4 relay ! Used to reach other non-6rd sites
www.afrinic.net | slide 27

Transition Mechanisms !

Provisioning 6rd CPEs !


Transition Mechanisms !

"! An XMS object retrieved after v4 connectivity is established "! A DNS record "! SMIv3 MIB "! PPP IPCP "! Manually by the administrator "! DHCPv4 OPTION_6RD (212)

www.afrinic.net | slide 28

6rd Con"guration | Border Relay !


ipv6 general-prex 6rd_PREFIX 6rd Tunnel0 interface Loopback0 ip address 10.0.0.1 255.255.255.0 ! interface Tunnel0 tunnel source Loopback0 tunnel mode ipv6ip 6rd tunnel 6rd ipv4 prex-len 8 tunnel 6rd prex 2001:db80::/28 ipv6 address DELEGATED_PREFIX::/128 anycast ! ipv6 route 2001:db80::/28 Tunnel0 ipv6 route 2001:db80:0:1000::/52 Null0
www.afrinic.net | slide 29

Transition Mechanisms !

6rd Con"guration | CPE !


ipv6 general-prex DELEGATED_PREFIX 6rd Tunnel0 interface Dialer0 ip address dhcp ! (10.0.0.10) ! interface Tunnel0 tunnel source Dialer0 tunnel mode ipv6ip 6rd tunnel 6rd ipv4 prex-len 8 tunnel 6rd prex 2001:db80::/28 tunnel 6rd br 10.0.0.1 ipv6 address DELEGATED_PREFIX ::/128 anycast ! interface Ethernet0 ipv6 address DELEGATED_PREFIX ::/64 eui-64 ! ipv6 route 2001:db80::/28 Tunnel0 ipv6 route ::/0 Tunnel0 2001:db80:0:1000:: ipv6 route 2001:db80:0:a000::/52 Null0
www.afrinic.net | slide 30

Transition Mechanisms !

General Tunnel Con"guration Steps [IOS] !


1 | Create the tunnel Interface

Transition Mechanisms !

(cong)#interface tunnel tunnel-number 2 | Specify the tunnel source (cong-if)tunnel source {interface type-number | a.b.c.d} 3 | Specify the tunnel destination (manual tunnels only) (cong-if)tunnel destination a.b.c.d | hostname 4 | Assign and IPv6 address to the tunnel (cong)#ipv6 address address/prex-length 5 | Specify the type of the tunnel (cong)#tunnel mode mode
www.afrinic.net | slide 31

Cisco IOS Tunnel Modes !


Transition Mechanisms !

Conguration Parameter Type Tunnel Mode Manual GRE/IPv4 6to4 6rd ISATAP ipv6ip gre ip ipv6ip 6to4 Ipv6ip 6rd ipv6ip isatap
www.afrinic.net | slide 32

Tunnel Source

Tunnel Destination IPv4 address

Tunnel IPv6 address Global unicast Global unicast 6to4 address

An IPv4 address or a reference to an interface on which an IPv4 address has been congured.

IPv4 address

Calculated automatically on a per-packet basis ISATAP address

IPv4-IPv6 Translation: NAT64 & DNS64 !


Transition Mechanisms !
"! Only mechanism for getting v4 only speaking to v6 only "! Operates in two modes:

!! Stateful - one to many v4 address mapping !! Stateless - one to one address mapping with only IP & ICMP
header translation) "! Current Implementations !! Ecdysis (free and Open Source) !! MS Forefront UAG DirectAccess !! Cisco CGv6

www.afrinic.net | slide 33

NAT64 & DNS64 Use Case for Access Networks !


Transition Mechanisms !

Source: Marc Blanchette, Viagenie


www.afrinic.net | slide 34

NAT64 & DNS64 Use Case for Content Providers !


Transition Mechanisms !

Source: Marc Blanchette, Viagenie


www.afrinic.net | slide 35

NAT64 & DNS64 How it Works !


4

Transition Mechanisms !

Synthesize AAAA from A using WKP 64:ff9b::/96

2
A A A A ? w w w w w 64 w.e .e :ff xa xa 9b m m pl ::c ple e. 00 .c co o 0: m m 20 = 6

A? www.examp le.com
m = 192.0.2.6

Regular DNS

5 DNS64

3 www.example.co

v6 Host 2001:db8::2

Inside: 2001:db8::1 Outside: 192.0.2.1 s rc:19 7 2.0.2 6 0 2 : d 0 .1 s 0 t :192 :c0 : NAT64 b . 0 9 f .2.6 :64:f t s 2 s r : c : d : 8 1 | 92.0 9 1:db 8::2 0 .2.6 b 0 d d 2 : s : t 1 c : r 0 1 s 9 0 2 | .0.2. 8 10 6 src:2 206 : 1 0 0 0 c : : b 4:f f9 6 [ : c sr

www.afrinic.net | slide 36

Do v6<->v4 NAPT Re-calc checksums

v4 Server www.example.com 192.0.2.6

IPv6!Business!Readiness!!Class!Discussion !
After this section, you should be able to:
! ! ! ! Describe the various roadblocks holding back IPv6. Brainstorm solutions to the above problems. Identify the key messages to use in selling IPv6 to management Brainstorm a generic IPv6 deployment framework and tailor it to your own organisation.

Discussion Points !
IPv6 Business Readiness !

! Challenges you anticipate in your move to IPv6 ! Addressing plan ideas ! What kind of help do you need? ! Suggestions for over-coming the challenges.

www.afrinic.net | slide 38

Generic Transition Plan !


IPv6 Business Readiness !

! Raise awareness ! Training ! Network equipment and application audit ! Modify all RFPs to make IPv6 support mandatory ! Plan to replace all non-v6 devices/applications with v6-capable versions. ! Get your IPv6 allocation ! Enable both IPv6 and IPv4 on your network ! If ISP doesnt support v6 transit, consider using tunnels

www.afrinic.net | slide 39

So What Can You Do?!! !


"! Enable IPv6 support for your public servers (DNS, mail, web)

!! Start having experience with what works, doesn't work, xes.

"! On return, gather your colleagues and teach them what you have

learnt. "! Subscribe to afripv6-discuss@afrinic.net and share experiences/ learn. "! Make IPv6 support mandatory in all your equipment and software purchases. "! Get rid of all non-v6 capable operating systems in your network. "! Set up a small lab and start experimenting with v6.
www.afrinic.net | slide 40

Thank U | Questions ? !
www.afrinic.net