“IPv4 to IPv6 Transition”

Presentation transcript:

“IPv4 to IPv6 Transition” Babu Ram Dawadi @IOE Pulchowk Campus 4/26/2017

Transition Mechanisms
- Immediate migration to an IPv6-only network is not possible
- IPv4 and IPv6 coexist for a long period of time
- Some transition mechanisms have been standardized:
  - Tunneling
  - Dual stack
  - Translation (network address & protocol translation)
- Currently: IPv6 exists over IPv4 islands
- Future: IPv4 exists over IPv6 islands
- Finally: IPv6-only islands

What is a tunnel?
- A tunnel identifies packets in a data stream
  - Identify by encapsulation (new header, possibly new trailer)
  - Identify by labeling
- Entry into a tunnel gives the data stream different characteristics, e.g., privacy, authentication, different routing characteristics
- Security is not always the goal of the tunnel
- Also called virtual private networks (VPNs) in many situations

Tunneling
- Tunneling enables IPv6 hosts/routers to communicate with other IPv6 hosts/routers over an IPv4 network
- Tunneling encapsulates IPv6 datagrams within IPv4 packets

Tunneling…
- IPv4/IPv6 hosts and routers can tunnel IPv6 datagrams over regions of IPv4 routing topology by encapsulating them within IPv4 packets.
- Tunneling techniques are classified by the way the encapsulating node determines the address of the node at the end of the tunnel:
  - Host-to-host
  - Host-to-router
  - Router-to-router
  - Router-to-host
- In router-to-router and host-to-router tunneling methods, the IPv6 packet is tunneled to a router

IPv6 over IPv4 Tunneling
- The IPv4 Protocol field is set to 41 to indicate an encapsulated IPv6 packet.
- The Source and Destination fields are set to IPv4 addresses of the tunnel endpoints.
- The tunnel endpoints are either manually configured as part of the tunnel interface or are automatically derived from the next-hop address of the matching route for the destination and the tunneling interface.
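Because the outer header always carries Protocol 41, a monitoring point that only inspects IPv4 can still recognise the tunnel and read the inner IPv6 endpoints. The following is an added example, not part of the original slides; the function names and the documentation-range addresses are constructed for illustration.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv4 Protocol value for an encapsulated IPv6 packet


def build_6in4(src4, dst4, src6, dst6, payload=b""):
    """Construct a sample IPv6-in-IPv4 packet (constructed data, checksum left 0)."""
    # Inner IPv6 header: version 6, payload length, Next Header 59 (none), hop limit 64.
    inner = struct.pack("!IHBB", 6 << 28, len(payload), 59, 64)
    inner += ipaddress.IPv6Address(src6).packed
    inner += ipaddress.IPv6Address(dst6).packed
    inner += payload
    # Outer IPv4 header: the tunnel endpoints are the IPv4 source and destination.
    outer = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(inner), 0, 0, 64, IPPROTO_IPV6, 0,
        ipaddress.IPv4Address(src4).packed,
        ipaddress.IPv4Address(dst4).packed,
    )
    return outer + inner


def inspect_ipv4(packet):
    """Return tunnel details if the IPv4 packet carries IPv6, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4  # header length, allows for IPv4 options
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    if packet[9] != IPPROTO_IPV6:
        return None  # ordinary IPv4 traffic
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("Protocol 41 but payload is not a full IPv6 header")
    return {
        "tunnel_src": str(ipaddress.IPv4Address(packet[12:16])),
        "tunnel_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
        "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
    }


if __name__ == "__main__":
    sample = build_6in4("192.0.2.1", "198.51.100.1",
                        "2001:db8:1::1", "2001:db8:2::1")
    print(inspect_ipv4(sample))
```
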

Host-to-Host
- In the host-to-host tunneling configuration, an IPv6/IPv4 node that resides within an IPv4 infrastructure creates an IPv6 over IPv4 tunnel to reach another IPv6/IPv4 node that resides within the same IPv4 infrastructure.
  - IPv6/IPv4 hosts that use ISATAP addresses to tunnel across an organization’s IPv4 infrastructure.
  - IPv6/IPv4 hosts that use IPv4-compatible addresses to tunnel across an organization’s IPv4 infrastructure.

Host-to-Router and Router-to-Host
- In the host-to-router tunneling configuration, an IPv6/IPv4 node that resides within an IPv4 infrastructure creates an IPv6 over IPv4 tunnel to reach an IPv6/IPv4 router
- In the router-to-host tunneling configuration, an IPv6/IPv4 router creates an IPv6 over IPv4 tunnel across an IPv4 infrastructure to reach an IPv6/IPv4 node
- Figure below shows host-to-router (for traffic traveling from Node A to Node B) and router-to-host (for traffic traveling from Node B to Node A) tunneling.

Router to Router Tunneling
- In the router-to-router tunneling configuration, two IPv6/IPv4 routers connect two IPv6-capable infrastructures over an IPv4 infrastructure
- The IPv6 over IPv4 tunnel between the two routers acts as a single hop.
- For each IPv6/IPv4 router, there is a tunnel interface representing the IPv6 over IPv4 tunnel and routes that use the tunnel interface

Tunneling (Contd…)
- Configured Tunneling
  - Tunnel end point address must be determined from configuration in the encapsulating node
- Automatic Tunneling
  - Tunnel end point address is determined by the IPv4-compatible destination address (0::IPv4-address)
  - The packet being processed on the router will be redirected if the destination IPv6 address is an IPv4-compatible address, and automatic tunneling is then used

Automatic Tunneling
- The nodes performing automatic tunneling are assigned an IPv4-compatible address. This sort of address is identified by a 96-bit prefix consisting only of zeros and an IPv4 address in the low-order 32 bits
- When the packet is being processed in the router, it is redirected if the destination IPv6 address is an IPv4-compatible address, and automatic tunneling is then used
- If the destination address is a native IPv6 address, automatic tunneling cannot be used.

IPv4 Compatible IPv6 Address Format
96 bits: 0:0:0:0:0:0 | 32 bits: IPv4 Address

Automatic Tunneling
- 6to4, 6over4 and ISATAP are examples of automatic tunneling

Description | Source Address | Destination Address
Packet from Host A -> Host B | Src=IPv6 | Dst=0::IPv4 of B
Tunnel from Router -> Host B | Src=IPv4 | Dst=IPv4
Tunnel from Host B -> Router | |
Packet from Host B -> Host A | Src=0::IPv4 of B | Dst=IPv6

6to4 Tunneling
- 6to4 is a mechanism for IPv6 sites to communicate with each other over the IPv4 network without explicit tunnel set-up
- A relay router is a 6to4 router configured to support transit routing between 6to4 addresses and native IPv6 addresses.
- The IANA permanently assigned one IPv6 address prefix for “6to4”. It is 2002::/16.
- The “6to4” prefix 2002::/16 can be prepended to a host or router’s globally-unique 32-bit IPv4 address (<IPv4-Addr>) to form a 48-bit “6to4” prefix 2002:<IPv4-Addr>

6to4 Tunn..
- In all scenarios the 6to4 router advertises the prefix 2002:IPv4::/48 to the local net
- 6to4 is an efficient method for routing between 6to4 networks, but may be inefficient between native IPv6 networks and 6to4 networks

ISATAP
- Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) is designed to provide connectivity between IPv6 nodes within an IPv4 network that does not have an IPv6 router in the site
- It uses IPv4 infrastructure and automatic IPv6-in-IPv4 tunneling
- The ISATAP address has a standard 64-bit IPv6 prefix, which can be link-local, unique local, a 6to4 prefix, or belong to the global unicast range
- The interface identifier is 0000:5EFE (32 bits); FE tells that this address contains an embedded IPv4 address.
- This gives us the ISATAP address format: prefix:0:5EFE:IPv4 address

ISATAP
- IPv6 hosts can also communicate with hosts on a native IPv6 network or with hosts on other IPv4 subnets
- Configuring a border router does this; it can be a 6to4 gateway or an ISATAP router
- The ISATAP router acts as a default router for the ISATAP hosts
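The IPv4-compatible, 6to4 and ISATAP formats described above all embed an IPv4 tunnel endpoint at a fixed position in the IPv6 address, so the endpoint can be recovered from the address alone when reviewing logs or flow records. The classifier below is an added example, not part of the original slides; the function name and sample addresses are constructed, and it checks only the 0000:5EFE interface identifier given on the slide.

```python
import ipaddress


def embedded_ipv4(addr):
    """Return a list of (mechanism, IPv4 string) pairs encoded in an IPv6 address.

    An address can match more than one rule: an ISATAP interface identifier
    may sit under a 6to4 prefix, giving two embedded IPv4 addresses.
    """
    n = int(ipaddress.IPv6Address(addr))
    low32 = str(ipaddress.IPv4Address(n & 0xFFFFFFFF))
    found = []

    # 6to4: 2002::/16 followed by the site's 32-bit IPv4 address (bits 16..47).
    if n >> 112 == 0x2002:
        v4 = ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)
        found.append(("6to4", str(v4)))

    # ISATAP: interface identifier 0000:5EFE followed by the IPv4 address.
    if (n >> 32) & 0xFFFFFFFF == 0x00005EFE:
        found.append(("isatap", low32))

    # IPv4-compatible: 96 zero bits then the IPv4 address.
    # :: (unspecified) and ::1 (loopback) share the zero prefix and are skipped.
    if n >> 32 == 0 and n > 1:
        found.append(("ipv4-compatible", low32))

    return found


if __name__ == "__main__":
    # Constructed sample addresses using documentation ranges.
    samples = [
        "::192.0.2.9",                      # IPv4-compatible
        "2002:c000:201::1",                 # 6to4 site prefix for 192.0.2.1
        "fe80::5efe:192.0.2.7",             # link-local ISATAP
        "2002:c000:201:1:0:5efe:10.1.1.5",  # ISATAP under a 6to4 prefix
        "2001:db8::1",                      # native IPv6, nothing embedded
        "::1",                              # loopback, not IPv4-compatible
    ]
    for s in samples:
        print(f"{s:35} {embedded_ipv4(s)}")
```
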

DUAL-STACK
- A dual-stack node has complete support for both IPv4 & IPv6
- In communication with an IPv6 host, it acts like an IPv6-only node, and to communicate with an IPv4-only host, it acts like an IPv4-only node.
- Three modes of operation: IPv6-stack, IPv4-stack & Dual-stack

DSTM: Dual Stack Transition Mechanism
- DSTM is an IPv4 to IPv6 transition proposal based on the use of IPv4 over IPv6 dynamic tunnels and the temporary allocation of IPv4 global addresses to dual-stack hosts
- DSTM is intended for IPv6-only networks in which hosts still need to exchange information with other IPv4 hosts or applications
- DSTM benefits:
  - IPv4 applications are run over an IPv6-only network.
  - Network administration is simplified: only IPv6 is routed inside the domain.
  - The need for IPv4 global addresses is reduced: hosts are given a global IPv4 address on a temporary basis, only when an application requires it.

DSTM: configuration
- A dual-stack host in an IPv6-only network wishing to communicate using IPv4;
- A DSTM server which administers the IPv4 address pool; and
- A DSTM gateway in charge of encapsulation and decapsulation of IPv4 over IPv6 packets.
- In the architecture required for DSTM, only C needs to have direct IPv4 connectivity and a permanent IPv4 address.

Tunnel Broker
- A tunnel broker uses dedicated servers to manage automatic tunnel requests from end users
- The tunnel broker is the point where users connect to register and activate tunnels

Tunnel Broker…
- Tunnel broker clients are the dual-stack nodes; the TB and clients have to share a pre-configured or automatically established security association.
- The TB shares the load of network tunnel end points among several tunnel servers by sending configuration orders to the relevant tunnel server whenever a tunnel has to be created.
- Communication between the broker and the servers can take place with IPv4 or IPv6.
- A tunnel server is a dual-stack router connected to the Internet

Translation
- The main goal is to provide transparent routing for nodes in IPv6 to communicate with nodes in IPv4.
- Translates IPv6 packets into IPv4 packets & vice versa
- It offers a transition mechanism in addition to tunneling/dual-stack.
- Network Address Translation-Protocol Translation (NAT-PT) is the technique widely used to overcome the limitation of IPv4 addresses.
- IP, TCP, UDP, ICMP headers/messages are translated

Translation…
- Categories: Stateless IP/ICMP Translation (SIIT) & Network Address Translator-Protocol Translator (NAT-PT)
- NAT-PT allows IPv6-only hosts to talk to IPv4-only hosts and vice versa
- IPv4 NAT => translates one IPv4 address to another IPv4 address
- Here NAT refers to translation of an IPv4 address to IPv6 and vice versa.
- Provides routing between IPv4 and IPv6 address realms
- All NAT-PT configurations are performed on the router and hence no changes are made to hosts.

Protocol Translation
Translating IPv4 headers to IPv6 headers
- Source address: The low-order 32 bits are the IPv4 source address. The high-order 96 bits are the designated PREFIX for all v4 communications. Addresses using this PREFIX will be routed to the NAT-PT gateway (PREFIX::/96).
- Destination address: NAT-PT retains a mapping between the IPv4 destination address and the IPv6 address of the destination node. The IPv4 destination address is replaced by the IPv6 address retained in that mapping.

Protocol Translation
Translating IPv6 headers to IPv4 headers
- Source address: The NAT-PT retains a mapping between the IPv6 source address and an IPv4 address from the pool of IPv4 addresses available. The IPv6 source address is replaced by the IPv4 address retained in that mapping.
- Destination address: IPv6 packets that are translated have a destination address of the form PREFIX::IPv4/96. Thus the low-order 32 bits of the IPv6 destination address are copied to the IPv4 destination address.


How NAT-PT works?
[Figure: IPv6 Host A, NAT-PT translation with IPv4 pool 120.10.40/24, IPv4 Host B]
- Packet 1: Src: 2001:d30:119::2, Dst: prefix::202.70.91.6
- Packet 2 (after translation): Src: 120.10.40.10, Dst: 202.70.91.6
- Packet 3: Src: 202.70.91.6, Dst: 120.10.40.10
- Packet 4: Src: prefix::202.70.91.6, Dst: 2001:d30:119::2

- To communicate with an IPv4 node, NAT-PT generates a fake IPv6 address for the IPv4 node by appending the IPv4 address of the destination to the 96-bit prefix.
- The prefix is supplied in the configuration
- The fake address can be generated using an application-level gateway program: Trick-Or-Treat Daemon (DNS-ALG)

DNS-ALG for NAT-PT: Trick Or Treat Daemon
- TOTD is a small DNS proxy name server which supports IPv6 and enables IPv6-only sites to access IPv4 sites by using some translation mechanism such as NAT-PT
- It is an IPv6 DNS proxy which receives DNS queries from clients and forwards them to a normal DNS server
- If the reachable normal DNS server is IPv4-only, TOTD must be configured with the dual-stack mechanism; otherwise, for an IPv6-reachable DNS server, it can be configured as an IPv6-only server

TOTD..
Events when a client makes a request to the TOTD server:
- Request for AAAA/A6 records: when a client requests an AAAA/A6 record, the TOTD server simply forwards the request to the client only if the requested record exists; otherwise an A record is requested from the normal DNS server, and TOTD will receive an answer in IPv4, which will be translated into an IPv6 address by adding a certain PREFIX to the IPv4 address and forwarded to the client.
- PTR lookup: when a client tries a PTR lookup, TOTD simply proxies the lookup only if the PTR lookup is using a normal global IPv6 address. Otherwise, if the PTR lookup is using a converted IPv6 address, TOTD will convert the address back to IPv4 and the PTR lookup result will be forwarded to the requesting client.
- Other requests: other queries will always be ignored and the reply is simply forwarded to the client without modification.

TOTD
- TOTD generates the fake IPv6 address by appending the IPv4 address to the IPv6 /64 prefix.
- The prefix is configured in the TOTD configuration

NAT-PT & DNS-ALG test
- TOTD: a DNS-ALG which is an IPv6 DNS proxy
- Generates a fake IPv6 address for an IPv4-only node.
- A combinational test with NAT-PT, DNS and DNS-ALG has been proposed.
[Figure: test topology with TOTD server (DNS-ALG), NAT-PT, IPv6-only client, normal DNS server, and the Internet; links labelled IPv4/IPv6 and IPv6 only]

NAT-PT, DNS & TOTD

    [root@tu-soi ~]# cat /etc/totd.conf
    forwarder ::1 port 5353
    forwarder 2001:d30:101:1::11 port 53
    forwarder 2001:d30:102:1000::1001 port 53
    prefix 2001:d30:101:624::

[Figure: numbered message flow (steps 1 to 7) between IPv6-only users, the TOTD server, the DNS server, NAT-PT and the IPv4-only host ioe.edu.np. Labels: "Issues a DNS query to ask for the IP address of www.ioe.edu.np"; "Forward the DNS query"; "DNS Reply 202.70.91.6"; "2001:D30:101:624::CA46:5B06"; "Destination 2001:D30:101:624::CA46:5B06"]

    [root@tu-soi ~]# ping6 www.ioe.edu.np
    PING www.ioe.edu.np(2001:d30:101:624::ca46:5b06) 56 data bytes
    64 bytes from 2001:d30:101:624::ca46:5b06: icmp_seq=0 ttl=44 time=2126 ms
    64 bytes from 2001:d30:101:624::ca46:5b06: icmp_seq=1 ttl=47 time=2153 ms
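The DNS-ALG behaviour described in the TOTD slides, worked through with the prefix from the totd.conf shown above and the A record 202.70.91.6. This is an added example, not TOTD's own code: the function names are hypothetical and the `ZONE` dictionary is a constructed stand-in for the upstream DNS server. It also shows the reverse mapping, which lets an analyst recover the real IPv4 destination from a synthesized address seen in logs.

```python
import ipaddress

# Prefix from the totd.conf on the page; the IPv4 address fills the low 32 bits.
PREFIX = ipaddress.IPv6Network("2001:d30:101:624::/96")

# Constructed stand-in for answers from the normal DNS server.
ZONE = {
    "www.ioe.edu.np": {"A": ["202.70.91.6"]},                     # IPv4-only
    "v6.example": {"AAAA": ["2001:db8::80"], "A": ["192.0.2.80"]},
}


def synthesize(ipv4, prefix=PREFIX):
    """Build the fake IPv6 address: PREFIX with the IPv4 address appended."""
    base = int(prefix.network_address)
    return ipaddress.IPv6Address(base | int(ipaddress.IPv4Address(ipv4)))


def extract(ipv6, prefix=PREFIX):
    """Return the embedded IPv4 address, or None if outside the /96 prefix."""
    ip = ipaddress.IPv6Address(ipv6)
    if ip not in prefix:
        return None
    return ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF)


def answer_aaaa(name, zone=ZONE):
    """AAAA lookup: pass real AAAA records through, else synthesize from A."""
    records = zone.get(name, {})
    if records.get("AAAA"):
        return list(records["AAAA"])
    return [str(synthesize(a)) for a in records.get("A", [])]


def ptr_query_name(ipv6):
    """PTR lookup: converted addresses are mapped back to the IPv4 reverse name."""
    v4 = extract(ipv6)
    if v4 is None:
        return ipaddress.IPv6Address(ipv6).reverse_pointer  # proxied unchanged
    return v4.reverse_pointer


if __name__ == "__main__":
    print(answer_aaaa("www.ioe.edu.np"))
    print(answer_aaaa("v6.example"))
    print(extract("2001:d30:101:624::ca46:5b06"))
    print(ptr_query_name("2001:d30:101:624::ca46:5b06"))
```
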

NAT-PT, DNS, DNS-ALG, SQUID
- IPv6-SQUID: to reduce the processing overhead in NAT-PT
[Figure: IPv6-only users, TOTD server, DNS server, NAT-PT, proxy server, email server, others, and the IPv4-only host ioe.edu.np; flows labelled "DNS Queries and Replies" and "HTTP Traffic"]

IPv4 Only web accessed via IPv6-only Node
Address [2001:d30:119::2] port 3128

    [root@tu-soi ~]# tail -f /var/log/squid/access.log
    1199694696.227 1510 2001:d30:119:0:b091:e66d:22b:dca0 TCP_MISS/304 457 GET http://www.ioe.edu.np/stylet.css - PARENT_HIT/2001:d30:101:1::5 text/css
    1199694696.867 4980 2001:d30:119:0:b091:e66d:22b:dca0 TCP_MISS/200 10314 GET http://www.ioe.edu.np/ - DEFAULT_PARENT/2001:d30:101:1::5 text/html
    1199694697.742 1514 2001:d30:119:0:b091:e66d:22b:dca0 TCP_MISS/304 456 GET http://www.ioe.edu.np/bglink.css - PARENT_HIT/2001:d30:101:1::5 text/css

IPv4 Mail Server accessed via IPv6-only Node

Comparison

Mechanisms | Remarks
Tunneling:
- Can communicate with a remote IPv6 network without supporting IPv6 in the ISP network
- Loads on the router (consumes time & CPU power for encapsulation and decapsulation)
- MTU size issue and fragmentation problems
Dual-Stack:
- Easy to use and can communicate with both hosts
- Two separate protocols running over a single machine consume CPU power and memory
- Firewall protection for both protocols (burden)
- Does not solve the problem of IPv4 address exhaustion
Translation:
- Does not support advanced IPv6 features
- Easy to implement, single border router acting as NAT-PT
- IPv6 hosts can directly communicate with IPv4 hosts
- Independent of hosts
- Encourages transition to an IPv6 network

Concluding Remarks
- Migration to an IPv6 network should be done as soon as possible due to IPv4 address inadequacy.
- The IPv6 network is ready to implement, though not all applications are ready for IPv6 in the way they are available for IPv4.
- More research is needed on IPv6-compatible application implementation.
- Upgrading the current network to IPv6 seems difficult, so it needs to be upgraded by creating IPv6-only sub-networks.

Conclusion (Contd…)
- Currently tunneling/dual-stack seems better because the IPv4 network is dominant, but NAT-PT is the better approach when IPv6 becomes dominant.
- Awareness & training regarding the implementation is necessary in Nepal from the root, by implementing IPv6 starting from the academic research network

Conclusion (Contd…)
- The current status of IPv4/IPv6 shows that the world will have an IPv6-only network beyond 2030

Deployment Challenges and Risk
For the Government
- Policy issues
- Political issues
- Cost of overall transition (cost of HW/SW/training)
- Lack of human resources
Private sectors
- Economical issues: cost of migration (cost of HW/SW/training)
- Service-related issues
- Quality and reliability of service after migration
- Level of trust
- National policies meet with global standards

Thank You!