「我國 ipv6 建置發展計畫」 92 年度期中成果報告研究發展分項計畫

「我國 IPv6 建置發展計畫」92 年度期中成果報告研究發展分項計畫

子計畫二： 6TANET 台灣 IPv6 網路轉換環境技術研究

子計畫二：6TANET 台灣IPv6網路轉換環境技術研究

子計畫二：6TANET 台灣IPv6網路轉換環境技術研究

子計畫二： 6TANET 台灣 IPv6 網路轉換環境技術研究東華大學趙涵捷1 IPv6 第四層以上相關協定分析交通大學陳懷恩2 超高速乙太網路 IPv6/IPv4 轉換器之研製台灣大學東華大學

郭斯彥陳俊良

3 可穿越 NAT 的 IPv6 Tunnel 交通大學吳坤熹

4 以 IPv6 為基礎的隱匿型網路偵測管理台灣科技大學東華大學

黃忠偉張瑞雄

IPv6 第四層以上相關協定分析陳懷恩

Research Assistant ProfessorDepartment of CSIE, NCTU

Email: [email protected]: 886-3-5731924

mailto:[email protected]

計畫目標分析常見的第四層以上通訊協定，在由 IPv4 演進到 IPv6 時所需要改變的差異性提供廠商移植 IPv6 軟體時之參考，以加速國內 IPv6 軟硬體研發，實現國內 IPv6 網際網路環境，促使我國儘速邁入 IPv6 資訊網路新紀元

計畫工作重點研讀並分析相關通訊協定

網路應用協定、網路路由協定、網路管理協定 SIP-based VoIP 相關協定

製作 IPv6 通訊協定分析器雛形製作通訊協定分析器雛形分析第二、三層封包 (e.g., Ethernet, IPv4, IPv6) 分析 SIP-based VoIP 相關協定 (e.g., SIP, SDP, RTP, RTCP)

設計廠商升級 IPv4 程式到 IPv6 程式的機制提供廠商修改 Socket 程式的方法設計 v4/v6 轉換之中介軟體

計畫成果提供 IPv4 程式轉換為 IPv6 程式之方法

第四層以上之程式多由 socket 撰寫而成本計畫提供如何將現有 IPv4 程式修改成 IPv6 的方法

提供 IPv6 協定分析器提供開發程式、教育訓練時之輔助設計 SIP-based VoIP 專屬的分析器

設計主機端轉換之中介軟體 (Middleware) 修改現有程式需要時間、人力、金錢提供廠商在不修改程式的情況下快速轉換程式為 IPv6 的方法以 Bump-In-the-Stack (BIA) 為基礎設計應用層 (Application-Level) 轉換機制

提供轉換 IPv4 程式到 IPv6 之方法介紹 IPv4 與 IPv6 之不同不用轉換的 Socket API 需要轉換的 Socket API 需要轉換的資料結構

IPv4/IPv6 位址長度不同 Numerical addresses

IPv4, 32 bit address IPv6, 128 bit address

32 bits

IPv4

IPv6128 bits

不需要轉換的 Socket API ( 依序 ) Server 端的程式碼

socket open a socket bind bind local address to the socket listen listen on a port accept wait for the connection read/write if TCP recvfrom/sendto if UDP

Client 端的程式碼 socket open a socket connect connect to a server read/write if TCP recvfrom/sendto if UDP

轉換需要改變的部分有一些與 IP 位址相關的 Socket API 與參數需要修改程式部分有運用到 IP 位址的部分

位址轉換函式位址複製函式位址比較函式位址相關之記憶體指派與變數宣告

API 與資料結構的轉換參數名稱轉換

IPv4 IPv6

AF_INET AF_INET6

PF_INET PF_INET6

IN_ADDR_ANY inaddr6_any

API 與資料結構的轉換資料結構轉換

IPv4 IPv6

in_addr in6_addr

sockaddr sockaddr_in6

sockaddr_in sockaddr_in6

API 與資料結構的轉換資料結構參數轉換

IPv4 IPv6

sin_len sin6_len

sin_family sin6_family

sin_port sin6_port

sin_addr sin6_addr

s_addr s6_addr

API 與資料結構的轉換函式轉換

IPv4 IPv6

Name-to_addressFunctions

Address conversionFunctions

inet_aton()inet_addr() inet_pton()

inet_ntoa() inet_ntop()

gethostbyname()gethostbyaddr()

getipnodebyname()getipnodebyaddr()getnameinfo()getaddrinfo()

設計主機端轉換之中介軟體可是要將應用程式升級成 IPv6 會有以下問題

需要改用新的 API 需要改用新的 Data structure

例子： SIP-based VoIP User Agent 共有約 200 行 Socket API 、資料結構需要轉換約有 600 行位址相關函式、變數、記憶體指派需要修改

短期內將程式升級 IPv6 不容易需要改的函式、變數需要追蹤修訂程式版本升級時，亦需隨之修訂

提出一個轉換 v4/v6 的中介軟體，以 BIA 為基礎，設計應用層轉換機制

轉換中介軟體系統架構

Windows XP SP1

Winsock Applications Web browser FTP

Winsock API module

Network Card

NDIS Driver

TCP/IPv4

Translator

TCP/IPv6

轉換中介軟體之設計

Layered Service ProviderALG Manager Address Mapper

Higher level LSP

Lower Level LSP

Transport Service Provider

Name ResolverApplication Leyer Gatewways

TCP/IPv4

Transport Service Provider

TCP/IPv6

System Winsock 2 Component

Winsock application

Winsock application

Winsock application

NDIS Driver

依不同程式所需設計 ALG

原 BIA 之架構

提供 IPv6 相關協定分析器提供 Windows XP/2003 上通訊協定分析

可分析以下協定： Ethernet, ARP, ICMP/ICMPv6, IPv4/IPv6 DNS, HTTP, FTP SIP, SDP, RTP, RTCP

可協助本計畫之開發未來可協助廠商開發相關應用可提供教育訓練 ( 如：通訊改進教育計畫 ) 使用

IPv6 通訊協定分析軟體架構與介面

Physical NICsWindows NDIS

WinPCap Protocol Driver / NPFWinPCap packet.dllWinPCap winpcap.dll

Device IO Control

Packet Interface

libpcap Interface 封包分析軟體

IPv6 通訊協定分析軟體之設計

Packet Module

Packet Module 負責封包收送 Parsing Package 負責第二、三層封包解析

IPv6 Module

Transport Module

SIP RTP RTCP

Parsing Package

IPv6 通訊協定分析軟體之雛形系統

選取介面封包分析

計畫結論目前已有 IPv6 相關 Socket 程式，建議廠商開發軟體時，可以考慮撰寫 IPv4/IPv6 共存之應用程式。目前已完成 IPv6 通訊協定分析器雛形，有興趣的廠商可以與本子計畫或研發分組聯絡。目前設計之應用層轉換以工研院 SIP-based UA 作為實際 v4/v6 轉換的例子，若需要進一步資料，歡迎會後與本子計畫聯繫。本子計畫將繼續 v4/v6 轉換之研究，以期能幫助國內廠商在節省人力、時間與金錢的情況下，快速升級至 I

Pv6 ready 。

Teredo- Tunneling IPv6 through NATs

Date: 2003-7-24Speaker: Quincy Wu

National Chiao Tung University

IPv4–to–IPv6 Transition Strategy (RFC 2893)

• Dual Stack– Reduce the cost invested in transition by running both

IPv4/IPv6 protocols on the same machine .• Tunneling

– Reduce the cost in wiring by re-using current IPv4 routing infrastructures as a virtual link.

• Translation– Allow IPv6 realm to access the rich contents already

developed on IPv4 applications

Tunnels of IPv6 over IPv4

• Encapsulating the IPv6 packet in an IPv4 packet• Tunneling can be used by routers and hosts

IPv4IPv6 Network

IPv6 Network

Tunnel: IPv6 in IPv4 packet

IPv6 Host

Dual-Stack Router

Dual-Stack Router

IPv6 Host

IPv6 HeaderIPv4 Header

IPv6 Header Transport Header Data

DataTransport Header

IPv4

Manually Configured TunnelDual-Stack

Router

IPv4: 140.110.199.254

IPv6: 2001:288:03a1:210::3/127

FreeBSD4.7#gifconfig gif0 61.218.105.10 140.110.199.254ifconfig gif0 inet6 2001:288:03a1:210::2 2001:288:3a1:210::3 prefixlen 128

Dual-Stack Host

IPv4: 61.218.105.10

IPv6: 2001:288:03a1:210::2/127

Linux Tunnel

/etc/sysconfig/network-scripts/ifcfg-sit1 DEVICE=sit1 BOOTPROTO=none ONBOOT=yes IPV6INIT=yes #Remote end-ISP IPv4 addr IPV6TUNNELIPV4=140.110.199.250 #Yourself IPv6 tunnel addr from ISP IPV6ADDR=2001:288:3A1:210::2/127

ifup sit1

6to4 Tunnel (RFC 3056)

IPv4IPv6 Network

IPv6 Network

6to4 Router2

6to4 Router1

131.243.129.44 140.110.199.250Network prefix:

2002:83F3:812C::/48Network prefix:

2002:8C6E:C7FA::/48= =

E0 E0

router2#interface Ethernet0 ip address 140.110.199.250 255.255.255.0 ipv6 address 2002:8C6E:C7FA:1::/64 eui-64interface Tunnel0 no ip address ipv6 unnumbered Ethernet0 tunnel source Ethernet0 tunnel mode ipv6ip 6to4

ipv6 route 2002::/16 Tunnel0

6to4 Tunnel: – Is an automatic tunnel method– Gives a prefix to the attached IPv6 network– 2002::/16 assigned to 6to4– Requires one global IPv4 address on each site

6to4 Tunnel

IPv4IPv6 Network

IPv6 Network

6to4 Router2

6to4 Router1

131.243.129.44 140.110.199.250Network prefix:

2002:83F3:812C::/48Network prefix:

2002:8C6E:C7FA::/48

E0 E0

2002:83F3:812C:1::3

2002:8C6E:C7FA:2::5

IPv6 SRC 2002:83F3:812C:1::3

Data

IPv6 DEST 2002:8C6E:C7FA:2::5

IPv6 SRC 2002:83F3:812C:1::3

Data


IPv6 SRC 2002:83F3:812C:1::3

Data


IPv4 SRC 131.243.129.44

IPv4 DEST 140.110.199.250

IPv6 tunneling problem• It does not work when the IPv4 address is not globally routable

IPv6B D EIPv6site

IPv6host

6to4 route

r

IPv4 route

r

C

Src: A6Dest: E6data

Src: A6Dest: E6data

6to4Relay route

rSrc: N4Dest: D4Src: A6Dest: E6data

Src: N4Dest: D4Src: A6Dest: E6data

A to B:IPv6

D to E: IPv6

B to C: IPv4(encapsulating IPv6)

C to D: IPv4(encapsulating IPv6)

A v6 IP: 2002:a02:3fe::2/48 (A6)B v6 IP: 2002:a02:3fe::1/48 (B6)B v4 IP: 10.2.3.254 (B4)

E v6 IP: 2001:238:f88:4::2/64 (E6)D v6 IP: 2001:238:f88:4::1/64 (D6)D v4 IP: 140.114.1.254 (D4)

A

IPv6host

IPv4

NAT address: 1.2.5.6 (N4)

NAT

IPv4

Src: B4Dest: D4Src: A6Dest: E6data

Address translation

B4 is a private address!

E6 A6

D4 B4

Teredo service

• To allow hosts behind NAT to access IPv6, without modifying NAT.– Teredo is not a long term solution– If NAT also supports IPv6 routing, the problem

of NAT traversal will disappear.

Teredo definitions• Teredo client

– A node wants to gain access to the IPv6 Internet.• Teredo server

– helper to provide IPv6 connectivity to Teredo clients.• Teredo relay

– An IPv6 router that can receive traffic destined to Teredo clients and forward it to Teredo client.

• Teredo bubble– minimal IPv6 packet, made of an IPv6 header and null payload, no

Next Header.• Teredo service

– The transmission of IPv6 packets over UDP.

Operation model• A client has pre-configured se

rver location.• A client gets IPv6 prefix from

the Teredo server.Teredoserver

Teredorelay

Teredoclient

NAT

IPv6

IPv4

IPv4

Teredo IPv6 prefix?Teredo IPv6 prefix,your mapped address

Tunnel• Teredo server is stateless. Tra

ffic goes directly between the relay router and the client.

• Teredo Relay announces reachability of Teredo prefix on IPv6 realm.

• Relay and Client maintain peer list to avoid sending Teredo message too often.

Teredo address encoding

• Prefix: the 32 bit Teredo service prefix.– 3FFE:831F::/32

• Server IPv4: the IPv4 address of a Teredo server.• Flags: a set of 16 bits that document type of address and NAT.

– 16 bits flag: “C00000UG00000000”– C=1 if NAT is cone.– UG should set to “00”.

• Port: the obfuscated "mapped UDP port" of the client• Client IPv4: the obfuscated "mapped IPv4 address" of a client

Prefix Server IPv4 Flags Port Client IPv40 32 64 80 96 127

Obfuscated: XOR every bits in the field with 1, prevent over-genius NAT’s translation.

Obtaining an address(1/2)

IPv4 UDP Origin indication IPv6 RA

• Teredo client sends a UDPv4 tunneled IPv6 Router Solicitation to the Teredo server.

• Teredo server replies UDPv4 tunneled IPv6 Router Advertisement with origin indication.

Teredoserver

Teredorelay

Teredoclient

NAT

IPv6

IPv4

IPv4

10.0.0.2:1234

10.0.0.1

9.0.0.1:4096

1.2.3.4

IPv4 UDP IPv6 RS

0x00 0x00 mapped port #

mapped IPv4 addressOrigin indicationformat

Obtaining an address(2/2)

• Client get Teredo service prefix– 3FFE:831F::/32– (PREF= 3FFE:831F)

• Client get mapped address/port from origin indication– Mapped address: 9.0.0.1:4096

• Generated Teredo IPv6 address– 3FFE:831F:102:304::EFFF:F6FF:FFFE– Already known server IP: 1.2.3.4– Address and port are obfuscated.

• Must keep alive address mapping on NAT– Default refresh interval: 30 seconds.

Packet from Teredo node to IPv6 node (1/3)

• A does not know which relay will be chosen by B.

• A sends ICMPv6 “echo request" toward B.

• S forwards “echo request” to IPv6 realm.

TeredoServer

S

TeredoRelay

R

TeredoClient

A

NAT

IPv6

IPv4

IPv4

10.0.0.2:1234

10.0.0.1

9.0.0.1:4096

5.6.7.8:3544

PREF:102:304::EFFF:F6FF:FFFE

B2000::B

10.0.0.2:1234 1.2.3.4:3544 PREF:102:304::EFFF:F6FF:FFFE

2000::B

Src. Dest. IPv6Src. IPv6dest.

1.2.3.4:3544


2000::B


• B sends the “echo reply” back to Teredo Client.

• The IPv6 packet will be queued by Teredo Relay.

• If Teredo Client is behind a restricted NAT, a bubble must be sent to Teredo Server.

S R

A

NAT

IPv6

IPv4

IPv4

10.0.0.2:1234

10.0.0.1

9.0.0.1:4096

5.6.7.8:3544


B2000::B

IPv6Src. IPv6dest.

1.2.3.4:3544

2000::B PREF:102:304::EFFF:F6FF:FFFE


• R sends the queued “echo reply” to A.

• A knows B can be reached through address 5.6.7.8:3544.

• A will send all further packets directly through R.

S R

Teredo Client A

NAT

IPv6

IPv4

IPv4

10.0.0.2:1234

10.0.0.1

9.0.0.1:4096

5.6.7.8:3544


B2000::B

1.2.3.4:3544

Conclusion

• Many users get private IPv4 address from their service providers, such as WLAN and GPRS. These users are unable to create IPv6 tunnels.

• Before all NAT devices can be upgraded to support IPv6, Teredo service is useful for users behind NAT to obtain IPv6 access.

41

National Dong Hwa University R.O.CNational Dong Hwa University R.O.C

6TANET IPv6 TrAnsition Network Enviro6TANET IPv6 TrAnsition Network Environment of Taiwannment of Taiwan

IPv6 / IPv4 轉換器介紹東華大學資訊工程學系張耀中

42

National Dong Hwa UniversityNational Dong Hwa University

AgendaAgenda

• IPv6 Current State• Introduction• Objective• Schedule• Conclusion

43


IPv6 TF Around The WorldIPv6 TF Around The World

44


45


46


47


48


Transition MechanismsTransition Mechanisms

49


50


51


52


IPv4 to IPv6 Data FlowIPv4 to IPv6 Data Flow

53


IPv4 to IPv6 Data FlowIPv4 to IPv6 Data Flow

54


Header TranslationHeader Translation-IPv4 to IPv6-IPv4 to IPv6

55


Header TranslationHeader Translation-IPv6 to IPv4-IPv6 to IPv4

56


Checksum ModificationChecksum Modification• Internet checksum use 16-bits 1’s complement checksum• We adopt a 32-bits 1’s complement checksum algorithm

– Take advantage of the 32-bits registers in IXDP1200– Much faster and efficient– 2 policies

CASE Policy

ARP ND (ICMP checksum) Re-Compute Algorithm

IPv6 Header IPv4 Header Re-Compute Algorithm

ICMPv4 ICMPv6 Adjustment Algorithm

TCP Adjustment Algorithm

UDP Adjustment Algorithm

57


IQ2000IQ2000

58


Project ObjectiveProject Objective

IPv4/IPv6 網路通訊協定轉換機制之技術與應用– IPv4/IPv6 網路通訊協定轉換機制之運作原理– IPv4/IPv6 網路通訊協定轉換機制之應用現況–適合我國 GbE 網路環境之轉換機制

超高速乙太網路 IPv6/IPv4 轉換器雛型系統– 雛型系統之系統需求規格與功能訂定– 雛型系統之設計與實作– 雛型系統之測試

59


60


Project ScheduleProject Schedule

IPv4/IPv6轉換機制運作原理研究 IPv4/IPv6轉換機制應用現況研究 ※

GbE 網路環境轉移機制評估與設計 NP-based GbE IPv6/v4 轉換器雛形系統規格與功能訂定 ※

雛型系統之軟體設計 ※

雛型系統之實作與測試 ※

61


IPv6 is a young lady?

IPv6

NAT

IPv4 Global Summit IPv6 North AmericaIPv6 State of the World - Latif Ladid

62


•

ReliabilitySimplicity

Flexible

Renumbering Transition

Tool Box

QoS

Flow Bits?

Mobile IPv6

End-2-end

Transparency

Dynamic Routing

Multicast v6

e2e Security

Autoconfiguration

Plug & Ping

... ...

Global Summit IPv6 North AmericaIPv6 State of the World - Latif Ladid

以 IPv6 為基礎的隱匿型網路偵測管理

IPv6 環境下偵測管理的問題區段內 IPv6 網址範圍巨大，逐一掃瞄 IPv6 網址以偵測上網之電腦或設備，需耗費時大量時間而變不可行 IPv6 網址設定方式較複雜，不同於 IPv4 網址能事先預知相關訊息由於 switch 大量使用， broadcast 訊息不容易取得，增加偵測時的困難度

Vers = 4 Total lengthType of serviceIdentification Fragment OffsetFlagsIHL

TTL Header ChecksumProtocolSource Address

Destination AddressOptions...

Vers = 6 flow LabelTraffic ClassPayload Length Next Header Hop Limit

Destination Address

Source Address

IPv4

IPv6

20 bytes

40 bytes

IPv4 - IPv6 headers

• 網址類型：– Unicast : 一對一

• Global• Site local• Link local

– Multicast– Anycast

• 單一介面可以被設定多種 IPv6 網址• 以 Multicast 取代 broadcast

IPv6 網址

@IP1@MAC1

@IP2@MAC2

Neighbor Solicitation : @ IP2 ?

Neighbor advertisement : @ IP2 @ MAC2

IPv6 Packet

Address resolution

Configure hosts addressesIPv6 routerPrefix : pf1/64@ IPv6 : pf1::X and fe80::X

IPv6 host A@ IPv6 : Pf1::YFe80::Y

IPv6 Host B

@ IPv6 :fe80::Z

Router advert.Fe80::XPrefix : pf1

Router solicitation

本子計劃進行的目的於各個 IPv6 網路區段中載入不具 IP Address 之隱匿偵測點藉由隱匿偵測點於各網路區段中進行偵測，並建構出區段內已存在之電腦名單主控端針對各個區段的隱匿偵測點進行蒐集，並根據蒐集結果產生整體網路拓樸架構圖，以提供管理者對整體網路規劃及評估

相關軟體設計開發•目前僅有 ActiveX 能以網路物件形式存在且具有網路封包攔截或傳遞功能•開發 ActiveX 隱匿偵測點物件，透過 Web 介面下載至各區段偵測點；啟動偵蒐功能以建構出區段內上網電腦清單•開發主從架構之主控管理程式，動態即時蒐集各網路區段資料後進行彙整，進而建構出網路拓樸圖

網路物件程式範例

隱匿偵測點物件動作流程啟動 Router solicitation

開始

取得 Global Address 的 Prefix

啟動 ping multicast IP

是否有 acknowledge 封包回傳根據區段中某電腦 Acknowledge 封包資料建構該電腦 IPv6 Address

加入區段內已存在電腦名單

結束

Y

N

ping Multicast IP

•根據 RFC 2461 和 RFC 2463 ，可藉由 ff02::1(link-local scope all-nodes multicast address) 令上網電腦回應其 link-local IPv6 網址•利用 ping6 指令及 ff02::1 ，令上網電腦回應 link-local 網址清單•本計畫需實現 RFC 2461 及 RFC 2463 之規範，以偵蒐區域網路內之上網電腦或設備

利用 ping6 取得 link-local 網址清單實驗結果之部分清單[root]# ping6 -I eth0 ff02::1PING ff02::1(ff02::1) from fe80::280:c8ff:fe6f:abeb eth0: 56 data bytes64 bytes from ::1: icmp_seq=1 ttl=64 time=0.108 ms64 bytes from fe80::202:b3ff:fe8e:6af7: icmp_seq=1 ttl=64 time=0.265 ms (DUP!)64 bytes from fe80::2d0:b7ff:fe2d:ead5: icmp_seq=1 ttl=64 time=0.304 ms (DUP!)64 bytes from fe80::2c0:4fff:fe15:4c4a: icmp_seq=1 ttl=64 time=0.308 ms (DUP!)64 bytes from fe80::280:c8ff:fe58:4038: icmp_seq=1 ttl=64 time=0.347 ms (DUP!)64 bytes from fe80::200:e8ff:fe63:aa7d: icmp_seq=1 ttl=64 time=0.350 ms (DUP!)64 bytes from fe80::2e0:29ff:fe34:be97: icmp_seq=1 ttl=64 time=0.447 ms (DUP!)64 bytes from fe80::a00:20ff:fe93:22ca: icmp_seq=1 ttl=255 time=0.326 ms (DUP!)64 bytes from fe80::206:29ff:fe13:3de4: icmp_seq=1 ttl=64 time=0.374 ms (DUP!)64 bytes from fe80::202:b3ff:fe16:5c44: icmp_seq=1 ttl=64 time=0.514 ms (DUP!)...

對各個隱匿偵測點發送Request資料蒐集

各個隱匿偵測點回傳

根據區段電腦名單資料

建構全域電腦網路結構

繪製網路拓樸圖行介面

結束

開始

Y

N

主控程式動作流程

繪製網路拓樸圖形介面

本計畫可應用於產業界之相關研究• 網管系統• 網路安全

「我國 ipv6 建置發展計畫」 92 年度 期中成果報告 研究發展分項計畫

Documents

「我國 ipv6 建置發展計畫」 92 年度期中成果報告研究發展分項計畫