1. IPv6 Transitioning Ram P Rustagi, ISE Dept, PESIT rprustagi@pes.edu Mar 09-10, 2013

2. 2 Network Setup HaHa HbHb R1R1 R2R2 n/w-1n-w-3 n/w-2 Visual/Logical connectivity HaHa R1R1 Swit ch R2R2 HbHb Physical connectivity eth 1 eth 2 eth 1

3. 3 Network Setup HaHa HbHb R1R1 R2R2 IPv4 Visual/Logical connectivity of IPv4 Network HaHa R1R1 Swit ch R2R2 HbHb Physical connectivity eth 1 eth 2 eth 1

4. 4 IPv4 Routing Need to be clear about IPv4 address space and subnetting –Comfortable with DDN (Decimal Dotted Notation) using iproute2 package i.e. command ‘ ip -4’ –option ‘-4’ is default, and thus need not be specified We will use following private local address space for our lab –prefix 172.16.0.0/16 Group 1: 172.16.1.0/24 to 172.16.3.0/24 Group 2: 172.16.5.0/24 to 172.16.7.0/24 : Group 15: 172.16.61.0/24 to 172.16.63.0/24 Use the following host part of address –.1 for first address and.201 for 2nd address –example: 172.16.1.1, 172.16.1.201 172.16.2.1, 172.16.2.201 172.16.3.1, 172.16.3.201

5. 5 Extra Exercises Ex 1 : Use VLSM (Variable Length Subnet Masking) –Use single network like 172.16.1.0/24 to make 3 networks and then do subnetting. Assume no of addresses in each network as –NW1 - 100, N2 - 6, N3 - 50 Ex2: Connect Ha to two n/w via two routers directly HaHa HbHb R1R1 R2R2 IPv4 NW - 1 NW -2 NW - 1 NW -3

6. 6 Network Setup - FAQ How to identify which i/f is eth0, eth1 or eth2 etc. –look at the MAC address starting 50:e5:49 This corresponds to i/f on mother board in the o/p of ‘ ip addr’, it may show as eth1 or eth2 Should one delete/override the address 192.168.13.x/21 –not required, though you remove if you want to. –These are backbone addresses (College network) with default gateway of 192.168.8.1 Should we use backbone (wall socket) instead of switches –No. Using this you may see lot of unnecessary traffic –it may confuse with unwanted neighbor entries Should we not use commands like ifconfig, route, arp etc. –These are deprecated commands, use commands from iproute2 pkg. ip addr [options] ip route [options] ip neigh [options]

7. 7 Network Setup - FAQ Wireshark hangs when we enter host a.b.c.d –this is bug in wireshark. so either wait for few (20 or so) seconds –or instead use tcpdump -n -i ethX -s0 -wfile.pcap –sudo killall dnsmasq Should I use ping command with -c N option –strongly recommended. option -c2 should be fine for most cases –other wise you have to abort using ^C –Please do not use ^Z For routers, should I run two different wireshark captures –Yes. It will provide you better clarity on what is actually happening Why should I specify capture filters and not captures all packets –It may capture too many packets –will make it tough to search for packets you are interested in Can I use wireshark in my own work place –Yes. It is a very helpful tool to help you debug network activity

8. 8 Network Setup - FAQ Can we assign multiple IP address to a single interface –Yes. An interface can support multiple IP addresses. Our connectivity is fine, but we are not able to ping –switches showing lights means you are physically connected –check up your routing table. Most likely this is the culprit. –check up local reachability in network. This MUST work Routing appears correctly, still it is not working –analyze from wireshark capture, where packet is going –due to previous incorrect config (info in cache/ram, not shown) –remove default route entry. Why does IP address gets removed when wire is removed or switch is rebooted –Addresses are assigned manually and are not configured permanently –on link reset, the address goes away. –need to reconfigure the same

9. 9 Wireshark filters - FAQ What are the good capture filters –for capturing a traffic for a given network or networks net 172.16.1.0/24 or 172.16.2.0/24 net FD00:0101::/64 or FD00:0102::/64 –for capturing specific source and/or destination src 172.16.1.1 and dst 172.16.3.201 src FD00::0101::52E5:49FF:FE1D:4A8C or dst FD00:0102::52E5:49FF:FE1C:AA96 –for capture specific protocol or applications or TCP/UDP port no http port 80 or port 8080 porto udp and port 23456

10. 10 Wireshark filters - FAQ What is the difference between capture filter and display filters? –Capture filters are used for capturing only relevant packets –display filters are used for displaying selected packets from what is captured. these may be used to analyze a subset of packets e.g. –packets on a TCP Connection –looking at only TCP SYN/RST packets etc Can I save few packets in a separate file from a captured file –YES. one can save selected packets, a range packets and a combination of these. when typing host a.b.c.d, it hangs –it is due to reverse DNS lookup which timesout. –kill local dnsmasq sudo service dnsmasq stop

11. 11 IPv6 Routing Similar to IPv4 routing Need to be clear about IPv6 address space and subnetting –Comfortable with Hex Colon notation –Comfortable generating EUID-64 from MAC Address Generally /64 mask is used for IPv6 Need to use ‘ip -6 ’ to specify IPv6. –command syntax remains the same We will use unique local address space for our lab exercise –prefix FD00: Group 01: FD00:0101::/64 to FD00:0103::/64 Group 02: FD00:0105::/64 to FD00:0107::/64 : Group 15: FD00:0157::/64 to FD00:0159::/64

12. 12 Setting up IPv6 Routing Example IP addresses – N 11 : IPv6 address of H a (eth1)- fd00:1001::52e5:49ff:fe1d:4a8c/64 – N 12 : IPv6 address of R 1 (eth1)- fd00:1001::52e5:49ff:fe1d:4aa7/64 – N 21 : IPv6 address of R 1 (eth 2 )- fd00:1003::fe75:16ff:fe88:4f86/64 – N 22 : IPv6 address of R 2 (eth2)- fd00:1003::baa3:86ff:fe04:1bc3/64 – N 31 : IPv6 address of R 2 (eth1)- fd00:1002::52e5:49ff:fe1b:cf30/64 – N 32 : IPv6 address of H b (eth1)- fd00:1002::52e5:49ff:fe1c:aa96/64 12 Network-1 fd00:1001::/64 Network-3 fd00:1002::/64 Network-2 fd00:1003::/64 HaHa HbHb R1R1 R2R2 IPv6

13. 13 Setting up IPv6 Routing Step 1: –Setup the IP addresses as given above for N1, N2 and N3 Step 2: –Configure the routing in Ha, R1, R2 and Hb Step 3: –using ping6 to check if setup is working Step 4: –use wireshark/tcpdump to analyze the packets

14. 14 Setting up IPv6 Routing Setting up the addresses –Configuring eth0 of Ha sudo ip -6 addr add N11 dev eth1 –Configuring et0h of R 1 sudo ip -6 addr add N12 dev eth1 –Configuring eth 1 of R 1 sudo ip -6 addr add N21 dev eth2 –Configuring eth 1 of R2 sudo ip -6 addr add N22 dev eth2 –Configuring eth0 of R2 sudo ip -6 addr add N31 dev eth1 –Configuring eth0 of Hb sudo ip -6 addr add N32 dev eth1

15. 15 Configure Routing in Ha and Hb At Ha, define routing so as to reach network N3 – sudo ip -6 route add fd00:1002::/64 via N12 At Hb, define routing so as to reach network N1 – sudo ip -6 route add fd00:1001::/64 via N31 Verify configuration entries –ip addr show –ip route show 15

16. 16 Setting up IPv6 Routing Configuring Routers R1 and R2 to forward IPv6 packets Configuring R1 –enable routing function sudo sysctl –w net.ipv6.conf.all.forwarding=1 –Define routing for N3 only. N1, and N2 are directly connected sudo ip -6 route add fd00:1002::/64 via N22 Configuring R2 –enable routing function for both IPv4 and IPv6 sudo sysctl –w net.ipv6.conf.all.forwarding=1 –Add routing for N3 on this tunnel sudo ip -6 route add fd00:1001::/64 via N21 16

17. 17 Using IPv6 Network Check reachability of N3(Hb) from N1 (Ha) – ping6 -I eth0 -c2 N32 Run TCP and/or UDP applications –use netcat ( nc ) –use browser on Ha to access web server on Hb –use ssh to login to Hb from Ha Analyzing packets –run wireshark on R1 on both interfaces specify the proper capture filter –on eth2 (the interface on which tunnel is created) net 172.16.30.0/24 –on eth1 (the interface having IPv6 address) net fd00:1001::/32 or net fd00:1002::/32

18. 18 Using IPv6 Network Starting Web Server on H b –restart apache so that it can bind on IPv6 –sudo service apache2 restart Using Browser –type the URL http:// [ N 32 ] –note: square brackets are mandatory web page will be served Using Dual Stack –Sender large file (1MB) –see how many packets are sent.?

19. 19 IPv6 Tunneling over IPv4 Why tunneling? –Two islands of IPv6 network connected via IPv4 network –A transition strategy to enable communication among IPv6 network What is tunneling –Two end points are defined –each is aware of two types of network –each encapsulates and de-capsulates Tunneling handshake –No handshake needed –it is just encapsulation and de-capsulation Transmission –first encapsulation –the new destination address is tunnel end point –packet is delivered to other end point –decapsulation

20. 20 Network Setup HaHa HbHb R1R1 R2R2 IPv6 IPv4 Visual connectivity of mixed IPv4/IPv6 network HaHa R1R1 Swit ch R2R2 HbHb Physical connectivity eth 1 eth 2 eth 1

21. 21 Tunnel Setup Define R1 and R2 as tunnel end points –Create tunnel interfaces –Define routing for network at the other end via tunnel interface –similar to routing entries via interface without next hop? Tunneling implementation at routers (R1, R2) –encapsulates packets at one end –de-encapsulates at other end Tunnel connectivity HaHa HbHb R1R1 R2R2 IPv6 Tunnel

22. 22 IP in IP Tunnel IP in IP encapsulation –used in Mobile IP (RFC 2003) –from home agent to foreign agent –describes how to take an IP packet make it payload of another packet –a mechanism to change the normal routing of IP datagram –source ----> encapsulator ----> decapsulator ----> destination Other encapsulation methods –Minimum encapsulation within IP (RFC 2004) –GRE (Generic Routing Encapsulation) Tunnels (RFC 1701)

23. 23 IP in IP Tunnel Disadvantages of IP-in-IP Tunnel –encapsulated datagram becomes larger compared to Source Routing option –encapsulation can not be used unless a node at tunnel exit point can decapsulate +---------------------------+ | Outer IP Header | +------------------+ +---------------------------+ | IP Header | | IP Header | +------------------+ ====> +---------------------------+ | | | | | IP Payload | | IP Payload | | | | | +------------------+ +---------------------------+

24. 24 IP in IP Tunnel IP-in-IP Encapsulation –outer IP header src/dstn addr identify tunnel end points –inner IP headers remain unchanged by encapsulator except TTL –Tunnel originator does path MTU discovery to deal fragmentation issues

25. 25 Setting up IPv6 Tunnel Example IP addresses – N 11 : IPv6 address of H a (eth1)- fd00:1001::52e5:49ff:fe1d:4a8c/64 – N 12 : IPv6 address of R 1 (eth1)- fd00:1001::52e5:49ff:fe1d:4aa7/64 – N 21 : IPv4 address of R 1 (eth 2 )- 172.30.1.1/24 – N 22 : IPv4 address of R 2 (eth2)- 172.30.1.2/24 – N 31 : IPv6 address of R 2 (eth1)- fd00:1002::52e5:49ff:fe1b:cf30/64 – N 32 : IPv6 address of H b (eth1)- fd00:1002::52e5:49ff:fe1c:aa96/64 25 HaHa HbHb R1R1 R2R2 IPv6 Tunnel Network-1 fd00:1001::/64 Network-3 fd00:1002::/64 Network-2 172.30.1.0/24

26. 26 Setting up IPv6 Tunnel Step 1: –Setup the IP addresses as given above for N1, N2 and N3 Step 2: –Configure the tunnel end points Step 3: –using ping6 to check if setup is working Step 4: –use wireshark/tcpdump to analyze the packets

27. 27 Setting up IPv6 Tunnel Setting up the addresses –Configuring eth0 of Ha sudo ip -6 addr add N11 dev eth1 –Configuring et0h of R 1 sudo ip -6 addr add N12 dev eth1 –Configuring eth 1 of R 1 sudo ip -4 addr add N21 dev eth2 –Configuring eth 1 of R2 sudo ip -4 addr add N22 dev eth2 –Configuring eth0 of R2 sudo ip -6 addr add N31 dev eth1 –Configuring eth0 of Hb sudo ip -6 addr add N32 dev eth1

28. 28 Setting up IPv6 Tunnel Configuring Routers as tunnel end point –Note: currently both R1 and R2 are on same IPv4 Network and hence no IPv4 routing is required. Generally, these will be different networks and hence routing as per IPv4 needs to be setup Configuring R1 –enable routing function for both IPv4 and IPv6 sudo sysctl –w net.ipv6.conf.all.forwarding=1 sudo sysctl –w net.ipv4.ip_forward=1 –Create a tunnel and bring it up sudo ip tunnel add mytun mode sit remote 172.30.1.2 local 172.30.1.1 dev eth2 sudo ip link set dev mytun up –Give an equivalent IPv6 address (to this tunnel end point) sudo ip -6 addr add 2002:ac1e:0101::1/16 dev mytun –Add routing for N3 on this tunnel sudo ip -6 route add fd00:1002::/64 dev mytun 28

29. 29 Setting up IPv6 Tunnel Configuring R2 –enable routing function for both IPv4 and IPv6 sudo sysctl –w net.ipv6.conf.all.forwarding=1 sudo sysctl –w net.ipv4.ip_forward=1 –Create a tunnel and bring it up sudo ip tunnel add mytun mode sit remote 172.30.1.1 local 172.30.1.2 dev eth2 sudo ip link set dev mytun up –Give an equivalent IPv6 address (to this tunnel end point) sudo ip -6 addr add 2002:ac1e:0102::1/48 dev mytun –Add routing for N3 on this tunnel sudo ip -6 route add fd00:1001::/64 dev mytun 29

30. 30 Configure Routing in Ha and Hb At Ha, define routing so as to reach network N3 – sudo ip -6 route add fd00:1002::/64 via N12 At Hb, define routing so as to reach network N1 – sudo ip -6 route add fd00:1001::/64 via N31 Verify configuration entries –ip addr show –ip route show 30

31. 31 Using Tunnel Check reachability of N3(Hb) from N1 (Ha) – ping6 -I eth0 -c2 N32 Run TCP and/or UDP applications –use netcat ( nc ) –use browser on Ha to access web server on Hb –use ssh to login to Hb from Ha Analyzing packets –run wireshark on R1 on both interfaces specify the proper capture filter –on eth2 (the interface on which tunnel is created) net 172.16.30.0/24 –on eth1 (the interface having IPv6 address) net fd00:1001::/32 or net fd00:1002::/32

32. 32 IPv4 Packet on Tunnel

33. 33 IPv4 Packet on Tunnel IPv4 Headers - IPv6 pkt as payload

34. 34 Original IPv6 packet in IPv4 payload

35. 35 Original ICMPv6 packet as IPv6 data

36. 36 IPv6 pkt after decapsulation at Tunnel

37. 37 IPv6 Communication with IPv4 HaHa HbHb R1R1 R2R2 IPv6IPv4 Visual connectivity-1 of mixed IPv4/IPv6 network HaHa HbHb R1R1 R2R2 IPv6IPv4 IPv6 Visual connectivity-2 of mixed IPv4/IPv6 network HaHa HbHb R1R1 IPv6 IPv4 Logical view of IPv6/IPv4 connectivity

38. 17 NAT64 Address Translation –Use NAT64 (similar to NAT44) –Will use tayga implementation http://www.litech.org/tayga/ supports only static mapping 17

39. 39 NAT64 Address assigned for simplicity –Actual IPv6 Network ( N1 ) fd00:1::/64 Ha fd00:1::1/64 R1 (IPv6) fd00:1::254/64 –Actual IPv4 Network(N2) 172.17.1.0/24 R2 (IPv4) 172.17.1.254/24 Hb 172.17.1.1/24 HaHa HbHb R1R1 IPv6 IPv4 Logical view of IPv6/IPv4 connectivity N1 - fd00:1::64 N2 - 172.17.1.0/24

40. 40 NAT64 Address assigned for simplicity –Logical/mapped IPv4 Network for IPv6 ( N1 ) 172.17.2.0/24 Ha fd00:1::1/64 R1 (IPv6) fd00:1::254/64 –Logical/mapped IPv6 Network for IPv4(N2) fd00:2::/64 R2 (IPv4) 172.17.1.254/24 Hb 172.17.1.1/24 HaHa HbHb R1R1 IPv6 IPv4 Logical view of IPv6/IPv4 connectivity fd00:1::/64(Actual) 172.17.2.0/24(mapped) 172.17.1.0/24 Actual fd00:2::/64(mapped)

41. Header Translation –Create a logical tunnel between two interfaces of router Typically called nat64 –Define the logical network that needs to be translated These network actually do not exist –These are translated to their actual address Define their mapping, e.g – fd00:2::/64  172.17.1.0/24 – 172.17.2.0/64  fd00:1::/64 –Assign network addresses from logical network to be translated Tunnel interface gets these addresses from the logical network –IPv6 address fd00:2::254/64 –IPv4 address 172.17.2.254/24 –Define routing for this logical network in the tunnel 18 IPv6 - IPv4 (NAT64)

42. Header Translation (static mapping) –Define mapping of hosts ( Ha ) fd00:1::1  172.17.2.1 (Hb) 172.17.1.1  fd00:2::1 The config file will look as tun-device nat64 ipv4-addr 172.17.2.254 ipv6-addr fd00:2::254 data-dir /var/db/tayga map 172.17.2.1fd00:1::1 map 172.17.1.1fd00:2::1 Start the tunnel –$ tayga -d 19

43. 43 IPv6 - IPv4 (NAT64) Verify communication with translation –Establish communication between Ha and Hb Check reachability from Ha –ping –I eth0 fd00:2::1 Check reachability from Hb –ping 172.17.2.1

44. 44 IPv6 - IPv4 (NAT64) (wireshark capture at Hb)

45. 45 IPv6 - IPv4 (NAT64) (wireshark capture at Hb)