Notes for IPv6 - PowerPoint PPT Presentation


1
Notes for IPv6
  • Terrance Lee

2
  • Transition Mechanisms for IPv6 Hosts and Routers
  • (RFC 2893)

3
Purpose and Approaches
  • Interoperation of an IPv4/IPv6 node with another
    IPv4/IPv6 node or an IPv4-only node
  • Dual Stacks
  • Configured Tunneling
  • Host-to-Router, Router-to-Router
  • Automatic Tunneling
  • IPv4-Compatible IPv6 Addr. (::v4addr)
  • Host-to-Host, Router-to-Host

4
Techniques Used in Transition
  • Configured Tunneling
  • IPv4 tunnel endpoint addr is determined by
    configuration information
  • Automatic Tunneling
  • IPv4 tunnel endpoint addr is determined from the
    IPv4-compatible destination addr
  • IPv4 Multicast Tunneling
  • IPv4 tunnel endpoint addr is determined using
    Neighbor Discovery

5
Check Packet Length for Tunneling (1/2)
  • if (IPv4 path MTU - 20) < 1280
  •     if packet length > 1280 bytes
  •         send IPv6 ICMP "packet too big"
  •         with MTU = 1280; drop packet
  •     else
  •         encapsulate; don't set the Don't Fragment
  •         flag in the IPv4 header
  •     endif

6
Check Packet Length for Tunneling (2/2)
  • else
  •     if packet length > (IPv4 path MTU - 20)
  •         send IPv6 ICMP "packet too big" with
  •         MTU = (IPv4 path MTU - 20)
  •         drop packet
  •     else
  •         encapsulate and set the Don't Fragment flag
  •     endif
  • endif

7
IPv4 Header Construction (1/2)
  • Version: 4
  • Header Length: 5
  • Type of Service: 0 (might be changed)
  • Total Length: payload length from IPv6 header
    plus length of IPv6 and IPv4 headers
  • Identification: generated uniquely
  • Flags: as specified before
  • Fragment Offset: set as necessary

8
IPv4 Header Construction (2/2)
  • Time to Live: implementation specific
  • Protocol: 41
  • Header Checksum: calculate the checksum
  • Source Address: IPv4 address of encapsulating
    node
  • Destination Address: IPv4 address of tunnel
    endpoint
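
The length check and outer-header construction from the four slides above, as an added Python example (not from the original presentation or RFC 2893). The TTL default of 64, the caller-supplied Identification value and the sample packet builder are assumptions made for illustration.

```python
import struct
from ipaddress import IPv4Address

IPV6_MIN_MTU = 1280   # threshold used in the length check
IPV4_HDR_LEN = 20     # outer header without options (Header Length 5)
PROTO_IPV6 = 41       # Protocol value for IPv6 carried in IPv4
DF = 0x4000           # Don't Fragment bit in the flags/fragment-offset word

def ipv4_checksum(hdr: bytes) -> int:
    """Inverted ones'-complement sum of a 20-byte IPv4 header."""
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def encapsulate(ipv6_pkt, src4, dst4, path_mtu, ident=0, ttl=64):
    """Return ("too_big", mtu) or ("send", ipv4_packet)."""
    room = path_mtu - IPV4_HDR_LEN
    if room < IPV6_MIN_MTU:
        if len(ipv6_pkt) > IPV6_MIN_MTU:
            return ("too_big", IPV6_MIN_MTU)
        flags = 0                  # DF clear: IPv4 may fragment the tunnel packet
    else:
        if len(ipv6_pkt) > room:
            return ("too_big", room)
        flags = DF                 # DF set: rely on IPv4 path MTU discovery
    total = IPV4_HDR_LEN + len(ipv6_pkt)
    # Version 4 / Header Length 5, ToS 0, Total Length, Identification,
    # Flags + Fragment Offset, TTL, Protocol 41, checksum (filled in below)
    fields = [0x45, 0, total, ident, flags, ttl, PROTO_IPV6, 0,
              IPv4Address(src4).packed, IPv4Address(dst4).packed]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return ("send", struct.pack("!BBHHHBBH4s4s", *fields) + ipv6_pkt)

def sample_ipv6(payload_len):
    """Constructed IPv6 packet: 40-byte header (next header 59) + zero payload."""
    hdr = struct.pack("!IHBB", 6 << 28, payload_len, 59, 64)
    return hdr + bytes(32) + bytes(payload_len)   # zeroed placeholder addresses
```

The "too_big" result carries the MTU value the encapsulating node would report in the ICMPv6 message before dropping the packet.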

9
Configured Tunneling
  • The tunnel endpoint addr is determined from
    configuration information
  • IPv6/IPv4 hosts that are connected to datalinks
    with no IPv6 routers MAY use a default configured
    tunnel to reach an IPv6 router.

10
Automatic Tunneling Operation
  • Perform automatic tunneling if the destination
    IPv6 addr is IPv4-compatible with prefix
    0:0:0:0:0:0/96
  • The automatic tunneling module MUST NOT send to
    IPv4 broadcast or multicast destinations

11
Ingress Filtering
  • Invalid IPv6 addresses after de-capsulation:
    multicast, broadcast, 0.0.0.0, 127.0.0.1
  • IPv6 link-local address for an IPv4 virtual
    interface: FE80::/64 + Interface Identifier
  • Link-local addresses are used by the routing
    protocols operating over the tunnels
  • Interface Identifier: 0000v4addr
  • Need ingress filter for packet filtering

12
  • Transmission of IPv6 over IPv4 Domains without
    Explicit Tunnels
  • (6over4)
  • (RFC 2529)

13
Purpose and Approaches
  • Specifies frame format of IPv6 packets and the
    method of forming IPv6 link-local addresses over
    IPv4 multicast domains
  • Specifies contents of Source/Target Link-Layer
    Address option used in Router Solicitation,
    Router Advertisement, Neighbor Solicitation,
    Neighbor Advertisement, Redirect messages
  • Uses IPv4 multicast as a virtual Ethernet

14
Motivation
  • Allow isolated IPv6 hosts to become fully
    functional IPv6 hosts by using an IPv4 domain
    that supports IPv4 multicast as their virtual
    local link
  • Does not require IPv4-compatible addr or
    configured tunnels
  • Known as 6over4 or virtual Ethernet

15
Maximum Transmission Unit
  • The default MTU for IPv6 packets on an IPv4
    domain is 1480 octets.
  • MTU may be varied by a Router Advertisement
    containing an MTU option or by manual
    configuration
  • The IPv4 DF bit MUST NOT be set if the IPv6 MTU
    proves to be too large for some intermediate
    IPv4 subnets

16
Frame Format
  • Protocol type 41 (IPv6 packets tunneled inside
    IPv4 frames) for outer IPv4 header
  • If there are IPv4 options, then padding should be
    added to the IPv4 header such that the IPv6
    header starts on a boundary that is a 32-bit
    offset from the end of the datalink header
  • Recommended default TTL: 8

17
Link Local Address
  • Prefix: FE80::/64
  • Link Local Address: FE8000V4ADDR
  • The Universal/Local bit is zero (i.e., the
    Interface Identifier is not globally unique)

18
Address Mapping Unicast (1/2)
  • RFC 2461 Neighbor Discovery for IP Version 6
    describes the procedure for mapping IPv6 addr
    into IPv4 virtual link-layer addr

[Figure: option layout with fields Type, Length, Zeros, IPv4 Address]
19
Address Mapping Unicast (2/2)
  • Type: 1 for Source Link-Layer addr,
    2 for Target Link-Layer addr
  • Length: 1 (in units of 8 octets)
  • IPv4 Address: the 32-bit IPv4 addr in network
    byte order

20
Address Mapping Multicast (1/2)
  • IPv4 multicast must be available
  • An IPv6 multicast destination addr DST MUST be
    transmitted to the IPv4 multicast addr of
    Organization-Local Scope taken from the block
    239.192.0.0/16

21
Address Mapping Multicast (2/2)
  • DST14, DST15: last two bytes of IPv6 multicast
    addr
  • OLS: configured Organization-Local Scope addr
    block. Should be 192.

[Figure: IPv4 multicast addr layout 239.OLS.DST14.DST15]
22
Transition Issues
  • A site may choose to start its IPv6 transition by
    configuring one IPv6 router to support 6over4
    on an interface connected to the site's IPv4
    domain, and another IPv6 format on an interface
    connected to the IPv6 Internet.
  • During transition, routers may need to advertise
    at least two IPv6 prefixes, one for the native
    LAN (e.g., Ethernet) and one for 6over4.

23
  • Connection of IPv6 Domains via IPv4 Clouds
  • (6to4)
  • (RFC 2893)

24
Purpose and Approaches
  • Interoperation of IPv6 sites over the IPv4
    network without explicit tunnel setup
  • Communication of isolated IPv6 sites with native
    IPv6 domains via relay router
  • Treats the wide area IPv4 network as a unicast
    point-to-point link layer
  • The site needs a globally unique IPv4 addr
  • Can coexist with Firewall and NAT

25
Terminologies (1/2)
  • 6to4 pseudo interface: 6to4 encapsulation point
  • 6to4 prefix: 2002::/16 (the site addr prefix is
    2002:V4ADDR::/48)
  • 6to4 router: an IPv6 router supporting a 6to4
    pseudo interface
  • 6to4 site: a site running IPv6 internally using
    6to4 addresses

26
Terminologies (2/2)
  • Relay router: a 6to4 router configured to support
    transit routing between 6to4 addresses and native
    IPv6 addresses
  • 6to4 exterior routing domain: a routing domain
    interconnecting a set of 6to4 routers and relay
    routers. It is distinct from an IPv6 site's
    interior routing domain and all native IPv6
    exterior routing domains

27
Sending Rule for 6to4 Router (1/2)
  • If the final destination is a 6to4 addr, it will
    be considered as the next hop
  • If the final destination is not a 6to4 addr and
    is not local, the next hop indicated by routing
    will be the 6to4 addr of a relay router

28
Sending Rule for 6to4 Router (2/2)
  • if the next hop IPv6 addr for an IPv6 packet
  •     does match the prefix 2002::/16, and
  •     does not match any prefix of the local site
  • then
  •     apply any security checks
  •     encapsulate the packet in IPv4 with
  •     IPv4 dest addr = the NLA value V4ADDR
  •     extracted from the next hop IPv6 addr
  •     queue the packet for IPv4 forwarding

29
De-capsulation Rule
  • For an incoming IPv4 packet with protocol type
    41, a 6to4 router performs
  • Apply any security checks
  • Remove the IPv4 header
  • Submit the packet to local IPv6 routing
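
One way to implement the "apply any security checks" step on receipt of a protocol-41 packet, combining the invalid-address list from the Ingress Filtering slide with the 6to4 address format. This is an added Python example, not code from the presentation; the function names, the sample packet builder and the check that a 6to4 source's V4ADDR equals the outer IPv4 source are assumptions added for illustration.

```python
import struct
from ipaddress import IPv4Address, IPv6Address, IPv6Network

SIX_TO_FOUR = IPv6Network("2002::/16")   # 6to4 prefix
V4_COMPAT = IPv6Network("::/96")         # IPv4-compatible prefix

def bad_v4(addr: IPv4Address) -> bool:
    """Multicast, limited broadcast, 0.0.0.0 or loopback (directed
    broadcast needs local subnet knowledge and is not covered here)."""
    return (addr.is_multicast or addr.is_unspecified or addr.is_loopback
            or addr == IPv4Address("255.255.255.255"))

def check_proto41(pkt: bytes):
    """Return (ok, reason) for a received IPv4 packet carrying IPv6."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return (False, "not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 41 or len(pkt) < ihl + 40:
        return (False, "not a complete protocol-41 packet")
    outer_src = IPv4Address(pkt[12:16])
    inner = pkt[ihl:]
    if inner[0] >> 4 != 6:
        return (False, "inner packet is not IPv6")
    inner_src = IPv6Address(inner[8:24])
    if bad_v4(outer_src):
        return (False, "invalid outer IPv4 source")
    if inner_src.is_multicast or inner_src.is_unspecified or inner_src.is_loopback:
        return (False, "invalid inner IPv6 source")
    if inner_src in V4_COMPAT and bad_v4(IPv4Address(inner_src.packed[12:])):
        return (False, "IPv4-compatible source embeds an invalid IPv4 address")
    if inner_src in SIX_TO_FOUR:
        embedded = IPv4Address(inner_src.packed[2:6])   # V4ADDR of 2002:V4ADDR::/48
        if bad_v4(embedded):
            return (False, "6to4 source embeds an invalid IPv4 address")
        if embedded != outer_src:   # assumption: anti-spoofing check, not on the slides
            return (False, "6to4 V4ADDR does not match outer source")
    return (True, "ok")

def build(outer_src, inner_src, outer_dst="192.0.2.1", inner_dst="2001:db8::1"):
    """Constructed sample: IPv4 header (checksum left 0) + bare IPv6 header."""
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0, 0, 64, 41, 0,
                     IPv4Address(outer_src).packed, IPv4Address(outer_dst).packed)
    v6 = struct.pack("!IHBB", 6 << 28, 0, 59, 64)
    return v4 + v6 + IPv6Address(inner_src).packed + IPv6Address(inner_dst).packed
```

A native IPv6 source arriving through a relay router passes the 6to4 branch untouched, so only the outer-source and inner-source validity checks apply to it.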

30
  • Stateless IP/ICMP Translation (SIIT)
  • (RFC 2765)

31
Purpose and Approaches
  • Interoperation of an IPv6-only node with an
    IPv4-only node
  • IPv6 node somehow acquires an IPv4 addr.
  • The temporary IPv4 addr. is used as an
    IPv4-translated IPv6 addr.
  • Stateless IP/ICMP translation

32
Applicability and Limitation
  • IPv6 node sees an IPv4-mapped addr. for the peer
  • IPv6 node uses an IPv4-translatable addr. for its
    local addr. for that communication
  • Only ESP transport mode (IPsec) is relatively
    easy to make work through a translator
  • Does not work for multicast packets

33
Addresses
  • IPv4-mapped: 0::ffff:a.b.c.d (refers to an IPv4
    node)
  • IPv4-compatible: 0::0:a.b.c.d (refers to
    automatic tunneling)
  • IPv4-translated: 0::ffff:0:a.b.c.d (refers to an
    IPv6-enabled node)
  • 0::ffff:0:0:0/96 is chosen to checksum to zero
    to avoid any changes to the transport protocol's
    pseudo-header checksum

34
Translating from IPv4 to IPv6
  • IPv6 packet: IPv6 Header, Fragment Header (not
    always), Transport Layer Header, Data
  • IPv4 packet: IPv4 Header, Transport Layer Header,
    Data
35
Translating IPv4 Headers to IPv6 Headers(1/5)
  • Version: 6
  • Traffic Class: always set to zero or, by default,
    copied from Type of Service and Precedence field
  • Flow Label: 0
  • Payload Length: total length value from IPv4
    header, minus the size of the IPv4 header and
    IPv4 options, if present

36
Translating IPv4 Headers to IPv6 Headers(2/5)
  • Next Header: protocol field copied from IPv4
    header
  • Hop Limit: TTL value copied from IPv4 header
  • Source Address
  •     low-order 32 bits: IPv4 source addr
  •     high-order 96 bits: ::ffff:0:0/96
  •     (IPv4-mapped prefix)

37
Translating IPv4 Headers to IPv6 Headers(3/5)
  • Destination Address
  •     low-order 32 bits: IPv4 destination addr
  •     high-order 96 bits: 0::ffff:0:0:0/96
        (IPv4-translated prefix)
  • IPv4 options are ignored (not translated)
  • Error if an un-expired source route option is
    present

38
Translating IPv4 Headers to IPv6 Headers(4/5)
  • If a fragment header is needed (DF bit is not set
    or the packet is a fragment)
  • IPv6 Fields
  • Payload Length: total length value from IPv4
    header + 8 (fragment header) - IPv4 header length
  • Next Header: Fragment Header (44)

39
Translating IPv4 Headers to IPv6 Headers(5/5)
  • Fragment Header Fields
  • Next Header: Protocol field copied from IPv4
    header
  • Fragment Offset: Fragment Offset copied from IPv4
    header
  • M Flag: More Fragment bit copied from IPv4 header
  • Identification
  •     Low-order 16 bits copied from the ID field in
        the IPv4 header
  •     High-order 16 bits set to zero

40
Translating UDP over IPv4
  • Un-fragmented UDP IPv4 packets
  •     Calculate the checksum if the checksum field
        is zero
  • Fragmented UDP IPv4 packets
  •     First fragment: drop the packet, generate a
        system management event
  •     Other fragments: drop the packet

41
When to Translate
  • Assume the translator knows the pool of IPv4
    addresses that are used to represent internal
    IPv6-only nodes
  • CPU translates ICMPv4 to ICMPv6

42
Translating from IPv6 to IPv4
  • IPv6 packet: IPv6 Header, Fragment Header (if
    present), Transport Layer Header, Data
  • IPv4 packet: IPv4 Header, Transport Layer Header,
    Data
43
Translating IPv6 Headers into IPv4 Headers(1/6)
  • Version: 4
  • Internet Header Length: 5 (no IPv4 options)
  • Type of Service and Precedence: by default,
    copied from the Traffic Class (all 8 bits) or
    always set to zero
  • Total Length: Payload Length value from IPv6
    header + size of the IPv4 header

44
Translating IPv6 Headers to IPv4 Headers(2/6)
  • Identification: all zero
  • Flags
  •     More Fragment: 0
  •     Don't Fragment: 1
  • Fragment Offset: all zero
  • Time to Live: Hop Limit value copied from IPv6
    header (decrement TTL and check if zero after
    translation)

45
Translating IPv6 Headers into IPv4 Headers(3/6)
  • Protocol: Next Header field copied from IPv6
    header
  • Header Checksum: computed once the IPv4 header is
    created
  • Source Address
  •     if the IPv6 source addr is an IPv4-translated
        addr
  •         use the low-order 32 bits for IPv4 addr
  •     else
  •         set to 0.0.0.0 (to avoid completely dropping)

46
Translating IPv6 Headers to IPv4 Headers(4/6)
  • Destination Address: low-order 32 bits of the
    IPv6 destination address
  • IPv6 hop-by-hop options header, destination
    options header, or routing header (with Segments
    Left field equal to zero) are ignored with Total
    Length adjusted
  • Routing header with a non-zero Segments Left
    field: error

47
Translating IPv6 Headers to IPv4 Headers(5/6)
  • IPv6 packets with Fragment header
  • Total Length: Payload length value from IPv6
    header - 8 (Fragment header) + size of IPv4
    header
  • Identification: copy from the low-order 16 bits
    of the ID field in the Fragment header

48
Translating IPv6 Headers to IPv4 Headers(6/6)
  • Flags
  •     More Flag: M flag in the Fragment header
  •     Don't Fragment Flag: 0
  • Fragment Offset: copied from the Fragment Offset
    field in the Fragment header
  • Protocol: Next Header field copied from Fragment
    header

49
When to Translate
  • Receives an IPv6 packet with an IPv4-mapped
    destination address

50
  • Network Address Translation - Protocol
    Translation
  • (NAT-PT)
  • (RFC 2766)

51
Purpose and Approaches
  • Interoperation of an IPv6-only node with an
    IPv4-only node
  • Does not mandate dual stacks or tunneling
  • Uses a pool of globally unique v4 addresses for
    assignment to v6 nodes on a dynamic basis
  • Combines SIIT and NAT

52
Terminologies (1/2)
  • NAT: translation of an IPv4 addr into an IPv6
    addr and vice versa
  • Traditional NAT-PT: allows hosts within a v6
    network to access hosts in the v4 network.
    Sessions are unidirectional, outbound from the v6
    network. (Two variations: Basic NAT-PT and
    NAPT-PT)

53
Terminologies (2/2)
  • Bi-Directional NAT-PT: sessions can be initiated
    from hosts in either v4 or v6 network.
  • Protocol Translation (PT): detailed in SIIT
  • Application Level Gateway (ALG): an application
    specific agent that allows a v6 node to
    communicate with a v4 node and vice versa. Some
    applications carry network addresses in payloads.
    NAT-PT is application unaware.

54
Basic Traditional NAT-PT (1/2)
  • Assume IPv6 Node A (FEDC:BA98::7654:3210) wants
    to communicate with IPv4 Node C (132.146.243.30)
  • Node A creates a packet with
  •     Src Addr: FEDC:BA98::7654:3210
  •     Dst Addr: PREFIX::132.146.243.30
  • (PREFIX::/96 is advertised in the stub domain by
    the NAT-PT and packets addressed to this PREFIX
    are routed to the NAT-PT)

55
Basic Traditional NAT-PT (2/2)
  • For session initiation packet, an address (e.g.,
    120.130.26.10) is allocated by the NAT-PT
  • The packet is silently discarded if it is not a
    session initiation packet and there is no
    established state for the session

56
NAPT-PT Operation (1/4)
  • Allow multiple v6 nodes to communicate with v4
    nodes using a single v4 address
  • Example
  • IPv6 Node A creates a packet with
  •     Src Addr: FEDC:BA98::7654:3210
  •     Src TCP Port: 3017
  •     Dst Addr: PREFIX::132.146.243.30
  •     Dst TCP Port: 23

57
NAPT-PT Operation (2/4)
  • At NAPT-PT box, translated into
  •     SA = 120.130.26.10, Src TCP Port = 1025
  •     DA = 132.146.243.30, Dst TCP Port = 23
  • Inbound NAPT-PT sessions are restricted to one
    server per service assigned via static TCP/UDP
    port mapping.
  • Example: IPv6 Node A may be the only HTTP server
    (port 80) in the v6 domain

58
NAPT-PT Operation (3/4)
  • IPv4 Node C sends a packet
  •     SA = 132.146.243.30, Src TCP Port = 1025
  •     DA = 120.130.26.10, Dst TCP Port = 80
  • At NAPT-PT box, translated into
  •     SA = PREFIX::132.146.243.30, Src TCP Port = 1025
  •     DA = FEDC:BA98::7654:3210, Dst TCP Port = 80

59
NAPT-PT Operation (4/4)
  • DNS queries and responses are processed by CPU
  • Some static binding for v4 and v6 addresses

60
Translating IPv4 Headers to IPv6 Headers
  • Same as in SIIT apart from
  • SA
  •     The low-order 32 bits: IPv4 SA
  •     The high-order 96 bits: PREFIX
  • DA
  •     NAT-PT retains a mapping between the IPv4
        destination addr and the IPv6 addr of the
        destination node

61
Translating IPv6 Headers to IPv4 Headers
  • Same as in SIIT apart from
  • SA
  •     The NAT-PT retains a mapping between the IPv6
        SA and an IPv4 address from the pool of IPv4
        addresses
  • DA
  •     The low-order 32 bits of the IPv6 DA are copied
        to the IPv4 DA

62
TCP/UDP/ICMP Checksum Update from IPv4 to IPv6 (1/2)
  • UDP checksums, when set to a non-zero value, and
    TCP checksum should be recalculated to reflect
    the addr change from v4 to v6 (Incremental
    adjustment is possible)
  • In NAPT-PT, TCP/UDP checksum should be adjusted
  • When the checksum of a v4 packet is set to zero,
    NAT-PT must evaluate the checksum in its entirety
    for the v6-translated packet

63
TCP/UDP/ICMP Checksum Update from IPv4 to IPv6 (2/2)
  • Reassemble fragmented UDP packets with zero
    checksum before evaluating the checksum for the
    v6-translated packet
  • ICMPv6 uses pseudo-header in checksum evaluation
  • There might be source and destination address
    translations in payload of ICMP packets

64
TCP/UDP/ICMP Checksum Update from IPv6 to IPv4
  • TCP/UDP checksum should be recalculated to
    reflect the address change from v6 to v4
    (Incremental adjustment is possible)
  • For UDP packets, the checksum may optionally be
    changed to zero
  • Remove the v6 pseudo header in checksum
    calculation of v4 ICMP header (Checksum
    adjustment algorithm is possible)
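
An added Python example (not from the presentation) tying the checksum slides to the SIIT address prefixes: the SIIT prefixes leave the TCP/UDP checksum unchanged, while a NAT-PT PREFIX requires the incremental adjustment or, for a zero UDP checksum, a full computation. The PREFIX value passed in by the caller and all function names are assumptions; segments are expected with their checksum field zeroed.

```python
import struct
from ipaddress import IPv4Address, IPv6Address

def ones_sum(data: bytes) -> int:
    """Folded 16-bit ones'-complement sum (odd-length data is zero padded)."""
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def l4_checksum(src, dst, proto, segment):
    """TCP/UDP checksum over the IPv4 or IPv6 pseudo-header plus the segment."""
    if isinstance(src, IPv4Address):
        pseudo = src.packed + dst.packed + struct.pack("!BBH", 0, proto, len(segment))
    else:
        pseudo = src.packed + dst.packed + struct.pack("!I3xB", len(segment), proto)
    return ~ones_sum(pseudo + segment) & 0xFFFF

def adjust(csum, old: bytes, new: bytes) -> int:
    """Incremental update: take the old address bytes out of the sum, add the new."""
    s = (~csum & 0xFFFF) + (~ones_sum(old) & 0xFFFF) + ones_sum(new)
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def siit_addrs(src4, dst4):
    """SIIT IPv4->IPv6: source in ::ffff:0:0/96, destination in 0::ffff:0:0:0/96."""
    src6 = IPv6Address(bytes(10) + b"\xff\xff" + src4.packed)
    dst6 = IPv6Address(bytes(8) + b"\xff\xff" + bytes(2) + dst4.packed)
    return src6, dst6

def natpt_src(prefix: str, src4):
    """NAT-PT IPv4->IPv6 source: the /96 PREFIX followed by the IPv4 source."""
    return IPv6Address(IPv6Address(prefix).packed[:12] + src4.packed)

def updated_checksum(csum4, src4, dst4, src6, dst6, proto, segment):
    """UDP checksum 0 means 'not computed' in IPv4, so evaluate it in full;
    otherwise adjust the existing value for the address change."""
    if proto == 17 and csum4 == 0:
        return l4_checksum(src6, dst6, proto, segment)
    return adjust(csum4, src4.packed + dst4.packed, src6.packed + dst6.packed)
```

Each SIIT prefix adds a single 0xffff word to the sum, which is zero in ones'-complement arithmetic, so the translated packet keeps the checksum it arrived with.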