Tunnels - École Polytechnique Fédérale de Lausanne … · All like‐to‐like solutions use IP in IP tunnels; protocol / next header = 04 means the payload is an IPv4 packet

Tunnels, Jean‐Yves Le Boudec, 2014 (56 slides)

Transcript of the slides:

Page 1: Tunnels

Jean‐Yves Le Boudec, 2014

Page 2: Menu

Today: lecture on Tunnels, 6to4, Link State Routing

Tomorrow 11:15 – 12:15: last clicker test; How TOR works (presentation of best research exercise award); no lab

Lab 3 and lab 4 grades available by end of this week

Page 3: Feedback from Evaluation

Things that we will try to improve for next year: labs (lab 2) too long; some have stability problems with GNS3; (lab 5) too much configuration work; schedule conflicts with security course

Videos of lectures are useful. Clicker tests: give a joker question per test! Work: ++ (EE students); + (CS); OK (ComSys)

Page 4: Contents

1. VPNs
2. 6 to 6 over 4
3. 4 to 4 over 6
4. Transition to IPv6

Page 5: 1. Tunnels

Definition: a tunnel, also called encapsulation, occurs whenever a communication layer carries packets of a layer that is not the one above.

e.g.: IP packet in UDP; IP in TCP; PPP (layer 2) packet in UDP; IPv4 in IPv6; IPv6 in IPv4

Why used? In theory: never. In practice: security / private networks / IPv6‐IPv4 interworking

Page 6: Homer’s Network

Homer deploys 10.x addresses in two sites and wants to interconnect them as one (closed) private network.

How can Homer use Simpscom’s network for that?

[Figure: two sites, 10.1/16 and 10.2/16, each behind a router (A and B); A and B are attached to Simpscom’s network with the public addresses 1.1.1.1 and 2.2.2.2 (A = 1.1.1.1, B = 2.2.2.2, as used on slides 8 and 10).]

Page 7: Your solution …

1. Run RIP in A and B
2. Rent a leased line from Simpscom
3. Configure a tunnel between A and B
4. Use modems between A and B
5. It is impossible because 10/8 is for private networks only
6. I don’t know

[Clicker results, bar chart values in the order extracted: 0%, 11%, 0%, 4%, 0%, 85%]

Page 8: Homer uses an IP over IP Tunnel

Homer configures a virtual interface in A (eth ); associates this interface with an IP in IP tunnel, with endpoint 2.2.2.2. Similar stuff in B.

Homer has a network with 2 routers and one virtual physical link; Homer configures routing tables at A and B (or runs RIP).

Packets from S to X are carried inside IP packets across Simpscom.

[Figure: host X (10.1.1.1) behind A, host S (10.2.2.2) behind B, tunnel between A and B across Simpscom.]

Page 9: S sends a UDP packet to X. What are the IP destination address and protocol at O?

1. IP dest addr = 1.1.1.1, protocol = 17 (UDP)
2. IP dest addr = 10.1.1.1, protocol = 17 (UDP)
3. None of the above
4. I don’t know

[Figure: observation point O inside Simpscom’s network, on the tunnel path between B and A. Clicker results, in the order extracted: 75%, 0%, 11%, 14%]

Page 10: Solution

S sends a UDP packet to X. What are the IP destination address and protocol at O?

1. The IP destination address is the tunnel endpoint 1.1.1.1
2. The protocol is not UDP but 04 (IPv4)

Page 11: Homer’s IP in IP solution is often replaced by IP in UDP

Some company firewalls kill IP in IP packets. Therefore the tunnel is inside UDP. This requires a layer 2 header as well (to identify the protocol type), called L2TP/PPP.

[Figure: packet format. Outer packet: IPv4 header to 1.1.1.1, prot = UDP | UDP hdr | L2TP/PPP, prot = IPv4 | inner packet. Inner packet: IPv4 header to 10.1.1.1, prot = UDP | UDP hdr | data.]

Page 12: Bart does the same as Homer but wants a secure channel. He uses IPSEC.

«IPSEC/ESP tunnel mode» encrypts the inner IP packet.

This form of tunneling is called «L2TP/IPSEC VPN» (Virtual Private Network). Variants (OpenVPN): IP in TLS over TCP; IP in TLS over UDP.

[Figure: packet format. Outer packet: IPv4 header to 1.1.1.1, prot = UDP | UDP hdr | L2TP/PPP, prot = 50 | ESP hdr | inner packet, encrypted | IPSEC trailer, Nxt Hdr = 04.]

Page 13: How does a packet from B to A find its way?

1. VPN router does proxy‐ARP
2. R has a host route to A
3. Nothing special, the IGP takes care of it
4. I don’t know

[Figure: host A on a wireless LAN (192.168.1.33), tunnelled to the VPN router (IPSec server) at EPFL; router R and host B on the EPFL subnets 128.178.83/24 (where A appears) and 128.178.151/24. ipconfig output of A:]

Ethernet adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.1.33
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . : epfl.ch
IP Address. . . . . . . . . . . . : 128.178.83.22
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0

[Clicker results, in the order extracted: 44%, 0%, 32%, 24%]

Page 14: Solution

A has two interfaces: one physical, with address 192.168.1.33, one virtual (tunnel) interface with address 128.178.83.99 (for example). A appears to be on 128.178.83/24. The VPN router does proxy ARP on behalf of A. R does not need a host route (but the VPN router may need one).

Page 15: 2. 6 to 6 over 4. Reminder: interoperation scenarios v4‐v6

IPv4 and IPv6 are incompatible: a v4-only host cannot handle IPv6 packets; a v6-only host cannot handle IPv4 packets.

What needs to be solved:
interworking: h6 to h4
like‐to‐like access: 6 to 6 over 4; 4 to 4 over 6

In this module we study like‐to‐like access.

Page 16: Like‐to‐like access scenarios

6 to 6 over 4 (the “early adopter” problem), e.g. Homer wants to use IPv6; ISP provides only IPv4 access

4 to 4 over 6 (the “legacy” problem), e.g. Bart continues to use IPv4; ISP provides only IPv6 access

[Figure: left, an IPv6 island connected through IP4/6 router A, the IPv4 Internet and IP4/6 router B to the IPv6 Internet; right, an IPv4 island connected through IP4/6 router A, the IPv6 Internet and IP4/6 router B to the IPv4 Internet.]

Page 17: Tunnels for 6 to 6 over 4

All like‐to‐like solutions use IP in IP tunnels.

protocol / next header = 04 means the payload is an IPv4 packet
protocol / next header = 41 means the payload is an IPv6 packet

[Figure: the IPv6 island sends an IPv6 packet (IPv6 header, da = 2001:bebe::1 | payload) to router A. Across the IPv4 Internet it is carried as: IPv4 header, da = 1.2.3.4, protocol = 41 | IPv6 header, da = 2001:bebe::1 | payload. IP4/6 router B (1.2.3.4) decapsulates and forwards the IPv6 packet (IPv6 header, da = 2001:bebe::1 | payload) into the IPv6 Internet.]
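The two encapsulations discussed on slides 8 to 10 (IPv4 in IPv4, protocol 4) and on this slide (IPv6 in IPv4, protocol 41), as an added example that is not part of the lecture. It builds real IPv4/IPv6/UDP headers with the standard library only, so the outer and inner header fields an observer at O would see can be checked; the packet payloads and the source addresses 203.0.113.9 and 198.51.100.7 are constructed. The receive side also shows the check a tunnel endpoint should make before decapsulating: accept protocol 4/41 only from the configured peer, since the private 10/8 network is reachable by anyone who can send IP in IP to the endpoint address otherwise.

```python
# Added example (not from the lecture): IP in IP encapsulation as on slides 8-10 and 17.
# The packet contents below are constructed; only the tunnel addresses come from the slides.
import ipaddress
import struct

IPPROTO_IPIP = 4    # outer protocol field: the payload is an IPv4 packet
IPPROTO_UDP = 17
IPPROTO_IPV6 = 41   # outer protocol field: the payload is an IPv6 packet


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit words of an IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, protocol: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, protocol, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ipv6_header(src: str, dst: str, next_header: int, payload_len: int, hop_limit: int = 64) -> bytes:
    """40-byte IPv6 header (version 6, traffic class and flow label zero)."""
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def udp_datagram(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header plus data; the UDP checksum is optional over IPv4 and left at zero."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def parse_ipv4(packet: bytes):
    """Return (src, dst, protocol, payload) after checking the header checksum."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = packet[:ihl]
    if ipv4_checksum(hdr) != 0:   # a header with a correct checksum sums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", hdr[2:4])[0]
    return (str(ipaddress.IPv4Address(hdr[12:16])), str(ipaddress.IPv4Address(hdr[16:20])),
            hdr[9], packet[ihl:total_len])


def encapsulate(tunnel_src: str, tunnel_dst: str, inner: bytes) -> bytes:
    """Tunnel entry: put an IPv4 or IPv6 packet behind an outer IPv4 header (protocol 4 or 41)."""
    protocol = {4: IPPROTO_IPIP, 6: IPPROTO_IPV6}[inner[0] >> 4]
    return ipv4_header(tunnel_src, tunnel_dst, protocol, len(inner)) + inner


def decapsulate(outer: bytes, expected_peer: str) -> bytes:
    """Tunnel exit: strip the outer header, but only for protocol 4/41 from the configured
    peer. Without the peer check, anyone able to reach the endpoint address could inject
    packets into the private 10/8 network by sending them inside IP in IP."""
    src, _dst, protocol, inner = parse_ipv4(outer)
    if protocol not in (IPPROTO_IPIP, IPPROTO_IPV6):
        raise ValueError("not a tunnelled packet (protocol %d)" % protocol)
    if src != expected_peer:
        raise ValueError("encapsulated packet from unexpected source %s" % src)
    return inner


def homer_example() -> dict:
    """Slides 8-10: S (10.2.2.2) sends UDP to X (10.1.1.1); B (2.2.2.2) tunnels it to A (1.1.1.1).
    Returns what an observer at O sees in the outer header, what A recovers, and whether
    a copy of the same inner packet sent by a third party (constructed source) is refused."""
    inner = ipv4_header("10.2.2.2", "10.1.1.1", IPPROTO_UDP, 13) + udp_datagram(40000, 53, b"hello")
    outer = encapsulate("2.2.2.2", "1.1.1.1", inner)
    _, o_dst, o_proto, _ = parse_ipv4(outer)
    _, i_dst, i_proto, _ = parse_ipv4(decapsulate(outer, expected_peer="2.2.2.2"))
    try:
        decapsulate(encapsulate("203.0.113.9", "1.1.1.1", inner), expected_peer="2.2.2.2")
        spoof_rejected = False
    except ValueError:
        spoof_rejected = True
    return {"outer_dst": o_dst, "outer_proto": o_proto,
            "inner_dst": i_dst, "inner_proto": i_proto, "spoof_rejected": spoof_rejected}


def six_over_four_example():
    """Slide 17: an IPv6 packet for 2001:bebe::1 crosses the IPv4 Internet inside an IPv4
    packet for router B (1.2.3.4) with protocol 41. Source addresses are constructed."""
    inner = ipv6_header("2001:db8::1", "2001:bebe::1", IPPROTO_UDP, 8) + udp_datagram(40000, 53, b"")
    outer = encapsulate("198.51.100.7", "1.2.3.4", inner)
    _, o_dst, o_proto, payload = parse_ipv4(outer)
    return o_dst, o_proto, payload[0] >> 4   # IPv4 destination, protocol, inner IP version
```

`homer_example()` reproduces the clicker answer of slide 10: the outer destination is the tunnel endpoint 1.1.1.1 and the protocol is 4, while the UDP/17 packet for 10.1.1.1 is only visible after decapsulation at A.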

Page 18: What needs to be put in place for a good 6 to 6 over 4 solution

We need relay routers (e.g. A and B): these are routers that are dual stack (IPv4 and IPv6), can terminate IPv6 in IPv4 tunnels (encapsulate / decapsulate), and know how to forward packets on their IPv4 and IPv6 sides.

We also need to solve the IPv6 address allocation problem: Homer does not receive an IPv6 address from his provider since Homer’s IPv6 island is connected to an IPv4‐only provider.

We need automatic tunnels, e.g. A does not need to keep state information to determine that a packet should be sent to B.

Page 19: 6rd/6to4 is a solution to the “6 to 6 over 4” problem

Several solutions are proposed and implemented:
6rd/6to4: we will see 6to4 in detail; this is the solution that works in IEW; 6rd is similar to 6to4
Teredo: a variant when the IPv6 host is behind an IPv4 NAT
ISATAP: a variant for enterprise networks

Warning: 6to4 is a misnomer; 6to4 is a solution for “6 to 6 over 4”, not for “h6 to h4 interworking”.

Page 20: 6to4 Uses Special IPv6 Addresses called 6to4 addresses

To any valid IPv4 address n we associate the IPv6 prefix 2002:n/48. Example: the 6to4 address prefix that corresponds to 128.178.156.38 is 2002:80b2:9c26/48.

2002::/16 is the prefix reserved for 6to4 addresses. An IPv6 address that starts with 2002:… is called a 6to4 address. The bits 17 to 48 of a 6to4 address are the corresponding IPv4 address.

A 6to4 host or router is one that is dual stack and uses 6to4 as IPv6 address, as we do in the IEW.

In addition, the IPv4 address 192.88.99.1 is reserved for use in the context of 6to4 addresses and means “the IPv6 internet seen from the IPv4 internet”.

Page 21: 6to4 Addresses Solve Homer’s IPv6 Address Allocation problem

Homer enables 6to4 on his router A. Homer’s router A uses a 6to4 address prefix derived from an IPv4 address given to you by your IPv4 provider and uses this prefix for the IPv6 local network. Homer’s PC H2 obtains from A (e.g. using SLAAC) an IPv6 address with this prefix. This is the setting we use in the IEW.

Bart has an isolated host H2 (e.g. smartphone) and enables 6to4 on his host. Bart’s host uses one IPv6 address derived from his current IPv4 address.

[Figure (used on slides 21 to 29): Homer’s IPv6 local network with IPv6 host H1 (2002:0102:0304:0::abcd:EUIH1) behind 6to4 router A (IPv4 address 1.2.3.4; local IPv6 address 2002:0102:0304:0::00ab:EUIS12); 6to4 host H2 (IPv4 address 9.8.7.6; 6to4 address 2002:0908:0706::EUIH2); 6to4 relay router B (192.88.99.1) between the IPv4 Internet and the IPv6 Internet; IPv6 host H3 (2001:bebe::1) in the IPv6 Internet. Observation points 1 to 5 and interface 12 are marked on the figure.]

Page 22: 6to4 Relay Routers

6to4 Relay Router = a dual stack router that has a 6to4 address, can terminate tunnels and connects the IPv4 and IPv6 internets.

All v4 interfaces of all 6to4 relay routers have an IPv4 address plus the special address 192.88.99.1.

B announces 192.88.99/24 as directly attached prefix in IPv4 routing.
B announces 2002/16 as directly attached prefix in IPv6 routing.

Page 23: Homer at H1 sends a packet to Lisa at H3

Destination 2001:bebe::1 is not on link; H1 sends to A. The default IPv6 route inside the local IPv6 network is the IPv6 local address of A (point 12).

A’s default IPv6 route is 2002:c058:6301::0, which is a 6to4 address corresponding to 192.88.99.1. A encapsulates the IPv6 packet in an IPv4 packet with destination address 192.88.99.1. The nearest 6to4 relay router receives the packet (assume it is B). B decapsulates the packet and sends an IPv6 packet; normal IPv6 forwarding occurs and the original IPv6 packet reaches H3.

[Figure: same as slide 21.]

Page 24: Which is the IPv6 source address at 3 in the encapsulated packet going from H1 to H3?

1. 1.2.3.4
2. 2002:0102:0304:00ab:EUIS12
3. 2002:0102:0304:abcd:EUIH1
4. None of the above
5. I don’t know

[Clicker results, in the order extracted: 11%, 2%, 4%, 51%, 32%]

Page 25: Lisa at H3 sends a packet to Homer at H1. How is this packet routed in the IPv6 internet?

1. H3 keeps in its routing table the information that Homer’s destination address is reached via B and sends the IPv6 packet to B
2. Routers in the IPv6 internet send all packets to 2002/16 to the nearest 6to4 relay router
3. Routers in the IPv6 internet know that the IPv4 destination address is 1.2.3.4 and compute the best path to A
4. I don’t know

[Clicker results, in the order extracted: 23%, 0%, 23%, 53%]

Page 26: Solution

All 6to4 relay routers announce 2002/16 in IPv6 routing protocols. Inside the IPv6 internet, the packet will be sent to the nearest 6to4 relay router. This may or may not be B.

Similarly, all 6to4 relay routers announce 192.88.99/24 in IPv4 routing protocols. In the direction H1 → H3, inside the IPv4 Internet, the encapsulated packet is sent to the nearest 6to4 relay router.

192.88.99.1 is sometimes called an “anycast” address: it can be held by several interfaces but packets are sent to only one of these.

[Figure: same as slide 21.]

Page 27: What is Bart’s IPv6 default gateway at H2?

1. An address configured by DHCP
2. An address configured by SLAAC
3. A 6to4 address derived from 192.88.99.1
4. I don’t know

[Figure: same as slide 21. Clicker results, in the order extracted: 23%, 5%, 52%, 20%]

Page 28: Solution

A typical (Windows) IPv6 configuration for H2 when using 6to4:

Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301

(c058:6301 is the hexa for 192.88.99.1)

[Figure: same as slide 21.]

Page 29: Which way does a packet go from Bart’s host to Homer’s?

1. via B and back
2. directly over IPv4 to A then H1
3. H1 cannot be reached from H2
4. I don’t know

[Clicker results, in the order extracted: 40%, 7%, 26%, 28%. Figure: same as slide 21.]

IPv6 forwarding table at H2:

dest      next-hop                    interface
2002/16   onlink                      eth12
0/0       2002:c058:6301::c058:6301   eth12

Page 30: Solution

H2 is a 6to4 host; its forwarding table treats all 6to4 destinations as on link (from an IPv6 viewpoint). H2 sends the IPv6 packet directly to its tunnel interface eth12. The IPv6 packet is encapsulated in IPv4 with destination address = 1.2.3.4 (derived from the destination IPv6 address). The IPv4 packet reaches A by normal IPv4 routing.
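The address arithmetic behind slides 20 to 30, as an added example that is not part of the lecture: computing the 2002:n/48 prefix of an IPv4 address, the host form 2002:WWXX:YYZZ::WWXX:YYZZ seen in the Windows output of slides 28 and 31, reading the IPv4 address back out of bits 17 to 48, and the forwarding decision of H2 that turns an IPv6 destination into the outer IPv4 destination without any per-destination state. The interface identifiers of H1 and H2 ("EUI…" on the figure) are constructed, and the last function is a sanity check of the kind RFC 3964 describes for 6to4 decapsulation, not something the slides show.

```python
# Added example (not from the lecture): 6to4 address arithmetic and the automatic tunnel
# decision of slides 20-30. Interface identifiers ("EUI..." on the figure) are constructed.
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")   # prefix reserved for 6to4 addresses
RELAY_ANYCAST = "192.88.99.1"                 # "the IPv6 Internet seen from the IPv4 Internet"


def sixto4_prefix(ipv4: str) -> str:
    """2002:n/48: the 32 bits of IPv4 address n become bits 17 to 48 of the IPv6 prefix."""
    n = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Network(((0x2002 << 112) | (n << 80), 48)))


def host_6to4_address(ipv4: str) -> str:
    """Address a 6to4 host puts on its tunnel interface, 2002:WWXX:YYZZ::WWXX:YYZZ,
    the convention visible in the Windows ipconfig output of slides 28 and 31."""
    n = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address((0x2002 << 112) | (n << 80) | n))


def embedded_ipv4(ipv6: str) -> str:
    """Bits 17 to 48 of a 6to4 address, read back as the IPv4 address of the tunnel endpoint."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIXTO4:
        raise ValueError("%s is not a 6to4 address" % ipv6)
    return str(ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF))


def h2_route(dst_ipv6: str) -> tuple:
    """Forwarding table of 6to4 host H2 (slide 29): 2002/16 is on-link on the tunnel
    interface; everything else goes to the 6to4 address derived from 192.88.99.1."""
    if ipaddress.IPv6Address(dst_ipv6) in SIXTO4:
        return ("2002/16", "onlink", "eth12")
    return ("0/0", host_6to4_address(RELAY_ANYCAST), "eth12")


def tunnel_ipv4_destination(dst_ipv6: str) -> str:
    """Automatic tunnel: no per-destination state, the outer IPv4 destination is computed
    from the IPv6 destination (a 6to4 site) or from the IPv6 next hop (the nearest relay)."""
    _prefix, next_hop, _ifname = h2_route(dst_ipv6)
    return embedded_ipv4(dst_ipv6 if next_hop == "onlink" else next_hop)


def relay_accepts(outer_src_ipv4: str, inner_src_ipv6: str) -> bool:
    """Check a 6to4 router or relay should make before decapsulating (RFC 3964): a 6to4
    source address must embed the IPv4 address the packet actually came from, otherwise
    IPv6 packets with forged 6to4 sources could be injected through the relay."""
    try:
        return embedded_ipv4(inner_src_ipv6) == outer_src_ipv4
    except ValueError:
        return False


def slide_examples() -> dict:
    return {
        "prefix_for_128.178.156.38": sixto4_prefix("128.178.156.38"),              # slide 20
        "h2_default_gateway": host_6to4_address(RELAY_ANYCAST),                    # slide 28
        "epfl_pc_address": host_6to4_address("128.178.151.202"),                   # slide 31
        "h2_to_h1_outer_dst": tunnel_ipv4_destination("2002:102:304:0:abcd:1:2:3"),  # slide 30
        "h1_to_h3_outer_dst": tunnel_ipv4_destination("2001:bebe::1"),             # slide 23
        "spoofed_source_rejected": not relay_accepts("203.0.113.9", "2002:908:706::1"),
    }
```

The same derivation explains why the relay routers of slide 37 can be stateless: everything a relay needs to forward in either direction is inside the addresses themselves.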

Page 31: My Windows PC at EPFL

Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : epfl.ch
IPv4 Address. . . . . . . . . . . : 128.178.151.202
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 128.178.151.1

Tunnel adapter Local Area Connection* 15:
Connection-specific DNS Suffix . : epfl.ch
IPv6 Address. . . . . . . . . . . : 2002:80b2:97ca::80b2:97ca
Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301

Page 32: The nearest 6to4 relay from EPFL

C:\> tracert 192.88.99.1

Tracing route to 192.88.99.1 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms cv-ic-dit-v151.epfl.ch [128.178.151.251]

2 <1 ms <1 ms <1 ms c6-gigado-1-v100.epfl.ch [128.178.100.18]

3 <1 ms <1 ms <1 ms c6-ext-v200.epfl.ch [128.178.200.1]

4 1 ms <1 ms <1 ms swiel2.epfl.ch [192.33.209.33]

5 <1 ms <1 ms <1 ms swils2-10ge-1-2.switch.ch [130.59.36.69]

6 2 ms 2 ms 2 ms swiBE1-10GE-1-1.switch.ch [130.59.37.130]

7 2 ms 2 ms 2 ms swibe2-10ge-1-4.switch.ch [130.59.36.198]

8 2 ms 2 ms 2 ms 192.88.99.1

Page 33: The nearest 6to4 relay from my home

C:\> tracert 192.88.99.1

Tracing route to 192.88.99.1 over a maximum of 30 hops

1 1 ms 2 ms 2 ms 192.168.1.1

2 136 ms 136 ms 136 ms lau01a05.sunrise.ch [212.161.178.79]

3 128 ms 135 ms 136 ms 194.230.94.17

4 * * * Request timed out.

5 71 ms 186 ms 333 ms 212.161.251.178

6 156 ms 164 ms 164 ms 212.161.251.182

7 228 ms 203 ms 169 ms zr-fra1-te0-0-0-3.x-win.dfn.de [80.81.192.222]

8 158 ms 163 ms 162 ms zr-erl1-te0-0-0-4.x-win.dfn.de [188.1.145.197]

9 159 ms 162 ms 162 ms 192.88.99.1

Trace complete.

Page 34: 6rd

The prefixes 192.88.99/24 and 2002/16 are provider‐independent: Homer connects to the nearest 6to4 relay router. Some ISPs don’t like that and want more control: they want their relay routers to be used by their customers only and they want their customers to use only their relay routers.

6rd is a modification and replacement of 6to4 where
6rd addresses are not in 2002/16 but in a block allocated to the ISP
relay routers’ IPv4 addresses are specified by the ISP

6rd is deployed by Free (FR); 6to4 is deployed by Switch (CH) (IEW).

Page 35: Teredo

6to4/6rd require a valid IPv4 address and do not work behind a NAT unless the NAT is modified; OK for ISPs who control the NAT (e.g. Swisscom).

Teredo is a variant of 6to4 invented (by Microsoft) to solve the NAT case without altering the NAT. Uses:
address block 2001:0/32
tunnels (IPv6 in UDP in IPv4) (UDP is used to be compatible with existing NAT and firewall filtering rules)
relay routers (called « teredo relays »)
teredo servers -> for solving the NAT mapping problem

Page 36: My Windows PC at home has access to IPv6 over IPv4 by means of Teredo

Tunnel adapter Local Area Connection* 11:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fd:2c63:b421:ab1c:1f40
Link-local IPv6 Address . . . . . : fe80::2c63:b421:ab1c:1f40%12
Default Gateway . . . . . . . . . : ::

C:\Users\leboudec>tracert 2001:620:618:19c:1:80b2:9c18:1

Tracing route to lca1srv2.epfl.ch [2001:620:618:19c:1:80b2:9c18:1]
over a maximum of 30 hops:

  1     *        *      135 ms  teredo-relay2.lrz.de [2001:4ca0:0:103:0:3544:1:2]
  2   134 ms   136 ms   137 ms  vl-6.vss1-2wr.lrz.de [2001:4ca0:0:103::1:1]
  3   149 ms   136 ms   136 ms  vl-3066.csr1-2wr.lrz.de [2001:4ca0:0:66::1]
  4   155 ms   139 ms   137 ms  xr-gar1-pc110-108.x-win.dfn.de [2001:638:c:a003::1]
  5   143 ms   163 ms   164 ms  zr-fra1-te0-6-0-7.x-win.dfn.de [2001:638:c:c070::1]
  6   147 ms   163 ms   163 ms  dfn.rt1.fra.de.geant2.net [2001:798:14:10aa::1]
  7   159 ms   162 ms   163 ms  so-5-0-0.rt1.gen.ch.geant2.net [2001:798:cc:1401:2201::a]
  8   213 ms   203 ms   152 ms  switch-lb2-gw.rt1.gen.ch.geant2.net [2001:798:12:10aa::a]
  9   152 ms   163 ms   163 ms  swiEL2-10GE-1-3.switch.ch [2001:620:0:c06a::2]
 10     *        *        *     Request timed out.
 11   152 ms   164 ms   165 ms  cv-gigado-v200.epfl.ch [2001:620:618:1c8:1:80b2:c803:1]
 12   165 ms   164 ms   163 ms  cv-ic-dit-v100-ro.epfl.ch [2001:620:618:164:1:80b2:640c:1]
 13   151 ms   163 ms   164 ms  lca1srv2.epfl.ch [2001:620:618:19c:1:80b2:9c18:1]

Trace complete.

Page 37: Summary: 6 to 6 over 4

6 to 6 over 4 solves the “early adopter” problem; the main solution is 6rd/6to4, with
IPv6 in IPv4 tunnels
a portion of IPv6 address space used to contain 6rd/6to4 addresses; prefixes in such addresses embed a valid IPv4 address
tunnels are automatic thanks to the presence of the IPv4 address embedded in the IPv6 prefix
relay routers terminate tunnels and announce appropriate address blocks in IPv4 and IPv6; relay routers are stateless

Teredo is a variant that supports hosts behind IPv4 NATs without configuration of the NAT.

Page 38: 3. 4 to 4 over 6. The Legacy Problem

The problem is similar to 6 to 6 over 4 but there are two main differences:
impossible to embed IPv6 addresses in IPv4 addresses
IPv4 addresses may not be available

Many solutions are proposed or even deployed; DS‐lite is the simplest; MAP‐E is an improvement on DS‐lite.

[Figure: an IPv4 island connected through IP4/6 router A, the IPv6 Internet and IP4/6 router B to the IPv4 Internet.]

Page 39: DS‐Lite tunnels all IPv4 traffic to a “Carrier‐Grade NAT”

At H1, the IPv4 destination is not on link; the packet is sent to router A. At A, the destination matches only the default route and the IPv4 packet is sent into the tunnel to B. B decapsulates the packet, translates the IPv4 source address 10.23.32.44 and source port (e.g. 2345) to an IPv4 mapped address (e.g. 198.23.34.59) and to a possibly different port number (e.g. 5432).

[Figure (used on slides 39 to 42): IPv4 local network with IPv4 host H1 (10.22.32.44) behind DS-lite box A (10.11.12.13 on the local IPv4 network; IPv6 address 2001:baba:bebe::23); IPv6 Internet; Carrier Grade NAT B (IPv6 address 2001:baba:be00::77; IPv4 pool 198.23.34.0 to 198.23.34.255); IPv4 Internet; IPv4 host H3 (200.23.24.25). Observation points 1 to 5 and interface 12 at A are marked.]

Page 40: Carrier Grade NAT is stateful

B needs to remember the (v4 address, port) mapping and the IPv6 source address of A. In the NAT table at B we see:

NAT Table at B
IPv6 DS‐lite box address   IPv4 address   port   IPv4 translated address   translated port
2001:baba:bebe::23         10.22.32.44    2345   198.23.34.59              5432

B does this for all customers and for every flow served by this provider. The NAT table may be very large. This is called a “Carrier Grade NAT”.

Page 41: H1 sends one packet to H3 and H3 responds. We observe the response at 5. Say what is true.

1. The IPv4 destination address in the packet is 10.22.32.44
2. The IPv4 destination address in the packet is 198.23.34.59
3. The IPv6 destination address in the packet is 2001:baba:bebe::23
4. 1 and 3
5. 2 and 3
6. I don’t know

[Clicker results, in the order extracted: 15%, 48%, 0%, 10%, 23%, 5%. Figure: same as slide 39.]

Page 42: Solution

There is no IPv6 packet at 5, so answer 3 is false. The IPv4 destination address is the translated IPv4 address, i.e. answer 2 is right and answer 1 is false.

[Figure: same as slide 39.]
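The NAT table of slide 40 and the two directions of slides 39 to 42 (request from H1 at points 3 and 4, response from H3 at points 5 and 3), as an added example that is not part of the lecture. Packets are plain dicts, the public pool starts at the slide's address 198.23.34.59 and port 5432 so that the first entry reproduces the table, and a second customer at the constructed address 2001:baba:bebe::99 reuses the same private host address 10.22.32.44 to show why the IPv6 tunnel source has to be part of the key. A real CGN also expires idle entries; this toy only grows.

```python
# Added example (not from the lecture): the stateful NAT44 of a DS-Lite Carrier Grade NAT
# as on slides 39-42. Packets are dicts; the second customer (2001:baba:bebe::99) is constructed.
import ipaddress


class CarrierGradeNat:
    """B on slide 39: decapsulates IPv4 in IPv6 and translates (IPv6 tunnel source,
    private IPv4 address, port) to a public (address, port) from its pool."""

    def __init__(self, pool: str, first_addr: str, first_port: int):
        self.pool = ipaddress.IPv4Network(pool)
        self.table = {}     # (tunnel_src_v6, private_v4, private_port) -> (public_v4, public_port)
        self.reverse = {}   # (public_v4, public_port) -> (tunnel_src_v6, private_v4, private_port)
        self._free = self._candidates(ipaddress.IPv4Address(first_addr), first_port)

    def _candidates(self, first_addr, first_port):
        """Sequential allocation; a real CGN also expires entries, which this toy does not."""
        for addr in self.pool.hosts():
            if addr >= first_addr:
                for port in range(first_port, 65536):
                    yield str(addr), port

    def outbound(self, tunnel_src_v6: str, pkt: dict) -> dict:
        """Point 3 -> point 4: the tunnel source is part of the key, so two customers
        that both use 10.22.32.44 (overlapping private space) get distinct mappings."""
        key = (tunnel_src_v6, pkt["src"], pkt["sport"])
        if key not in self.table:
            public = next(self._free)
            self.table[key] = public
            self.reverse[public] = key
        public_v4, public_port = self.table[key]
        return {"src": public_v4, "sport": public_port, "dst": pkt["dst"], "dport": pkt["dport"]}

    def inbound(self, pkt: dict):
        """Point 5 -> point 3: look the response up by its public destination and return
        (tunnel destination, inner IPv4 packet); packets without a mapping are dropped."""
        key = self.reverse.get((pkt["dst"], pkt["dport"]))
        if key is None:
            return None
        tunnel_dst_v6, private_v4, private_port = key
        return tunnel_dst_v6, {"src": pkt["src"], "sport": pkt["sport"],
                               "dst": private_v4, "dport": private_port}


def ds_lite_example() -> dict:
    """Replays the table entry of slide 40 and adds a second customer with the same private host."""
    cgn = CarrierGradeNat("198.23.34.0/24", first_addr="198.23.34.59", first_port=5432)
    h1_to_h3 = {"src": "10.22.32.44", "sport": 2345, "dst": "200.23.24.25", "dport": 80}
    point4 = cgn.outbound("2001:baba:bebe::23", h1_to_h3)          # as seen on the IPv4 Internet
    other = cgn.outbound("2001:baba:bebe::99", dict(h1_to_h3))     # constructed second customer
    point5 = {"src": "200.23.24.25", "sport": 80, "dst": point4["src"], "dport": point4["sport"]}
    tunnel_dst, delivered = cgn.inbound(point5)
    unsolicited = cgn.inbound({"src": "200.23.24.25", "sport": 80,
                               "dst": "198.23.34.59", "dport": 40000})
    return {"point4": point4, "second_customer": other, "point5_dst": point5["dst"],
            "tunnel_for_response": tunnel_dst, "delivered_inner": delivered,
            "unsolicited_dropped": unsolicited is None, "table_size": len(cgn.table)}
```

`ds_lite_example()["point5_dst"]` is the translated address 198.23.34.59 and there is no IPv6 header at that point, which is the answer of slide 42; the IPv6 destination 2001:baba:bebe::23 only appears once B has looked the response up in its table.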

Page 43: MAP‐E (Mapping Address + Port, Encapsulation)

The problem with DS‐Lite is the Carrier Grade NAT for very large ISPs. MAP‐E solves the problem by putting address translation in the local network (in MAP box A) instead of the CGN; the translated port number and IPv4 address are mapped to a part of the IPv6 address.

[Figure (used on slides 43 to 47): IPv4 local network with IPv4 host H1 (10.22.32.44) behind MAP box A (10.11.12.13 on the local IPv4 network; IPv6 address 2001:baba:bebe:0706::0102:0300:0006); IPv6 Internet; MAP Border Relay B (IPv6 address 2001:baba:be00:abcd:77; IPv4 range 1.2.3.0 to 1.2.3.255); IPv4 Internet; IPv4 host H3 (200.23.24.25). Observation points 1 to 5 and interface 12 at A are marked.]

Page 44: With MAP‐E, translated IPv4 address and port are embedded in the IPv6 prefix

MAP box A owns the IPv6 address prefix 2001:baba:bebe:0706. 0706 are called the EA bits of the MAP IPv6 address. A “MAP rule at A” specifies which bits are the EA bits; further, the MAP rule is used as follows:
07 determines the available bits in the translated IPv4 address, e.g. 1.2.3.7
06 specifies that the value of the bits 5 to 12 of the translated port numbers must be (hexa) 06; for example the port ae1f can be mapped to b06a

The complete IPv6 address of MAP box A is algorithmically derived from the MAP rule, e.g. here 2001:baba:bebe:0706::0102:0300:0006.

Page 45: Homer at H1 sends one packet to Lisa at H3

At H1, the IPv4 destination is not on link; the packet is sent to router A. A performs NAT44 and translates IPv4 addresses and port; the translated IPv4 packet is sent into the tunnel to B. B decapsulates the packet and sends it over the IPv4 Internet.

NAT Table at A
IPv4 address   port (hexa)   IPv4 translated addr.   translated port
10.22.32.44    ae1f          1.2.3.07                b06a

Page 46: H1 sends one packet to H3 and H3 responds. We observe the response at 3. Say what is true.

1. The IPv6 destination address is determined algorithmically from the destination IPv4 address and port number seen at point 4
2. The IPv4 destination address and port number are the same as at point 4
3. 1 and 2
4. None
5. I don’t know

Page 47: Solution

Both are true, i.e. the Border Relay B maps the IPv4 translated address and port to the IPv6 address of point 1. Border Relay B needs only static configuration (which bits are mapped), i.e. B is stateless. In contrast, A needs to remember the per‐flow information and is stateful.

NAT Table at A
IPv4 address   port (hexa)   IPv4 translated addr.   translated port
10.22.32.44    ae1f          1.2.3.07                b06a
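The MAP rule arithmetic of slides 44 to 47, as an added example that is not part of the lecture. The rule parameters are read off slide 44 (IPv6 prefix 2001:baba:bebe::/48, IPv4 prefix 1.2.3.0/24, 8 EA bits for the IPv4 suffix and 8 for the port set identifier placed at port bits 5 to 12) and the interface identifier is laid out as in the address given there (16 zero bits, the rule's IPv4 prefix, the PSID); the NAT at A allocates the first free port with the right PSID above 1024 (a constructed policy), so it yields a different translated port than the b06a of the table, which any port with bits 5 to 12 equal to 06 may be. The point of the example is the stateless side: from the translated address and port of the response at point 4, B recomputes A's IPv6 address without a table.

```python
# Added example (not from the lecture): MAP-E rule arithmetic from slides 43-47.
# Rule parameters are read off slide 44; the interface identifier layout follows the
# address given there (prefix | EA bits | 16 zero bits | IPv4 rule prefix | PSID).
import ipaddress


class MapRule:
    """Basic mapping rule: static configuration shared by MAP box A and Border Relay B."""

    def __init__(self, ipv6_prefix="2001:baba:bebe::/48", ipv4_prefix="1.2.3.0/24",
                 psid_offset=4, psid_len=8):
        self.v6 = ipaddress.IPv6Network(ipv6_prefix)
        self.v4 = ipaddress.IPv4Network(ipv4_prefix)
        self.suffix_len = 32 - self.v4.prefixlen     # IPv4 bits carried in the EA bits (8)
        self.psid_offset, self.psid_len = psid_offset, psid_len
        self.ea_len = self.suffix_len + psid_len      # 16 EA bits: 0706 on slide 44

    def psid_of_port(self, port: int) -> int:
        """The psid_len bits after the psid_offset high bits of the port (bits 5 to 12 here)."""
        return (port >> (16 - self.psid_offset - self.psid_len)) & ((1 << self.psid_len) - 1)

    def ea_bits(self, public_v4: str, port: int) -> int:
        suffix = int(ipaddress.IPv4Address(public_v4)) & ((1 << self.suffix_len) - 1)
        return (suffix << self.psid_len) | self.psid_of_port(port)

    def public_v4_from_ea(self, ea: int) -> str:
        return str(ipaddress.IPv4Address(int(self.v4.network_address) | (ea >> self.psid_len)))

    def ipv6_prefix_from_ea(self, ea: int) -> ipaddress.IPv6Network:
        """Rule prefix followed by the EA bits: 2001:baba:bebe:0706::/64 for EA bits 0706."""
        base = int(self.v6.network_address) | (ea << (128 - self.v6.prefixlen - self.ea_len))
        return ipaddress.IPv6Network((base, self.v6.prefixlen + self.ea_len))

    def box_address_from_ea(self, ea: int) -> str:
        """Full address as on slide 44: prefix | EA bits | 16 zero bits | IPv4 rule prefix | PSID."""
        psid = ea & ((1 << self.psid_len) - 1)
        iid = (int(self.v4.network_address) << 16) | psid
        return str(ipaddress.IPv6Address(int(self.ipv6_prefix_from_ea(ea).network_address) | iid))

    def relay_tunnel_destination(self, public_v4: str, port: int) -> str:
        """What stateless Border Relay B does for the response (point 4 -> 3): derive A's
        IPv6 address from the translated IPv4 destination address and port."""
        return self.box_address_from_ea(self.ea_bits(public_v4, port))


class MapBox:
    """MAP box A: stateful NAT44 restricted to the public address and port set given by its EA bits."""

    def __init__(self, rule: MapRule, ea: int):
        self.rule, self.ea = rule, ea
        self.public_v4 = rule.public_v4_from_ea(ea)
        self.ipv6 = rule.box_address_from_ea(ea)
        psid = ea & ((1 << rule.psid_len) - 1)
        # ports whose bits 5-12 equal the PSID; ports below 1024 are skipped (constructed policy)
        self._free = [p for p in range(1024, 65536) if rule.psid_of_port(p) == psid]
        self.table, self.reverse = {}, {}

    def outbound(self, private_v4: str, private_port: int):
        key = (private_v4, private_port)
        if key not in self.table:
            port = self._free.pop(0)
            self.table[key] = port
            self.reverse[port] = key
        return self.public_v4, self.table[key]

    def inbound(self, public_port: int):
        return self.reverse.get(public_port)


def same_address(a: str, b: str) -> bool:
    return ipaddress.ip_address(a) == ipaddress.ip_address(b)


def map_e_example() -> dict:
    rule = MapRule()
    box_a = MapBox(rule, 0x0706)
    public_v4, public_port = box_a.outbound("10.22.32.44", 0xae1f)       # NAT table at A
    relay_dst = rule.relay_tunnel_destination(public_v4, public_port)    # B, on the response
    return {"translated": (public_v4, public_port),
            "psid_ok": rule.psid_of_port(public_port) == 0x06,
            "relay_reaches_box": same_address(relay_dst, box_a.ipv6),
            "slide_address_matches": same_address(box_a.ipv6, "2001:baba:bebe:0706::0102:0300:0006"),
            "back_at_h1": box_a.inbound(public_port)}
```

With this rule a MAP box gets 240 usable ports (15 values of the 4 high bits times 16 values of the 4 low bits, after skipping ports below 1024), which is the trade-off MAP‐E makes to keep the Border Relay free of per-flow state.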

Page 48: Summary: 4 to 4 over 6

4 to 4 over 6 (the legacy problem) is solved by NAT and IPv4 in IPv6 tunnels.
DS‐Lite is simple but requires the NAT44 function in the relay router. Works only for small ISPs.
MAP‐E is a variant which distributes the NAT44 function close to the IPv4 customer, i.e. is more scalable.

Page 49: 4. Transition to IPv6

We have seen 4 different families of mechanisms for the interoperation of IPv4 and IPv6:

Interworking                    Like‐to‐like
ALG64 (application layer)       6rd or 6to4 (6 to 6 over 4)
NAT64 (protocol translation)    DS‐lite or MAP‐E (4 to 4 over 6)

The multiplicity of solutions is a symptom that the transition to IPv6 has not yet really started.

Let us try to imagine which mechanisms can be used.

Page 50: You are network manager at EPFL and want to upgrade to IPv6. Which elements do you deploy?

1. ALG64
2. NAT64
3. 6rd
4. MAP‐E
5. I don’t know

Page 51: Solution

Since EPFL has enough IPv4 addresses and receives both IPv4 and IPv6 service from their ISP, we don’t need to deploy like‐to‐like solutions. We may want to migrate all services (such as web, git, infoscience) to IPv6, natively, or by means of ALG64, so that all EPFL services are available on both IPv4 and IPv6.

Page 52: You are network manager at Simpscom and want to save money by deploying only IPv6 in your cellular network. Which elements do you deploy?

1. ALG64
2. NAT64
3. 6rd
4. MAP‐E
5. I don’t know

Page 53: Solution

Your customers probably want to access some IPv4‐only services; you can deploy DS‐Lite or MAP‐E at your base stations. You can also deploy some ALG64 solutions for important but low volume services such as the control of voice over IP.

Page 54: You work from home and have only IPv4 access; you need to upload a proposal to NSF. NSF accepts only IPv6. What do you need to enable on your PC?

1. 6to4
2. Teredo
3. ALG64
4. NAT64
5. I don’t know

Page 55: Solution

You are probably behind a NAT and have only IPv4 in your LAN. Enable IPv6 on your PC and run Teredo.

Page 56: Conclusion

Tunnels are an ad‐hoc solution used in many cases: secure access over an insecure network (VPN); like‐to‐like access for IPv6/IPv4 issues.

Transition to IPv6 creates several types of problems (early adopter, legacy) that can be solved with various methods involving automatic tunnels.