APNIC Seminar The Internet in crisis IPv4 address depletion and life thereafter 20 th, December,...

APNIC Seminar

The Internet in crisisIPv4 address depletion and life thereafter

20th, December, 2007, Hong Kong

At the Chinese University of Hong Kong

Assumptions• Diversified audience:

– People with technical background– People involved with education– University students

• Varying levels of expertise, so no assumptions of prior knowledge made other than:

– An understanding of internetworking concepts (IP addressing, routing and routers)

• Diversified content presented:– Concepts and theory– Policy and operation– Technical and hands-on

Acknowledgements

The material used in this course was created in collaboration with the Japan IPv6 Promotional Council, Jordi Palet Martinez of Consulintel, Merike Kaeo of Double Shot Security, Philip Smith of Cisco, Randy Bush (IIJ), Paul Wilson (APNIC), and Geoff Huston (APNIC) and includes material provided by them.

APNIC acknowledges with thanks and appreciation the contribution and support of the above.

Seminar overview

• The current operation and structure of the Internet– The importance/role of an addressing structure

• The growth of the Internet and IPv4 unallocated address space exhaustion

– The current situation and the consequences of address exhaustion

• How can we cope with it?– The interim solutions (NAT, CIDR)– IPv6 as the solution– Overview of IPv6– IPv4/IPv6 co-existence (transition)– IPv6 deployment

• Issues and concerns

• Future scenarios • Conclusion

The current operation and structure of the Internet

The importance/role of an addressing structure

Recap

IP address, DNS and routing

What is the Internet?

• “The Internet is a worldwide, publicly accessible network of interconnected computer networks that transmit data by packet switching using the standard Internet Protocol (IP).

• It is a "network of networks" that consists of millions of smaller domestic, academic, business, and government networks, which together carry various information and services, such as electronic mail, online chat, file transfer, and the interlinked Web pages and other documents of the World Wide Web.”

http://en.wikipedia.org/wiki/Internet

http://en.wikipedia.org/wiki/Telecommunications_network

http://en.wikipedia.org/wiki/Computer_network

http://en.wikipedia.org/wiki/Data_%28computing%29

http://en.wikipedia.org/wiki/Packet_switching

http://en.wikipedia.org/wiki/Internet_Protocol

http://en.wikipedia.org/wiki/Information

http://en.wikipedia.org/wiki/E-mail

http://en.wikipedia.org/wiki/Online_chat

http://en.wikipedia.org/wiki/Computer_file

http://en.wikipedia.org/wiki/World_Wide_Web

What is IP?

• “The Internet Protocol (IP) is a data-oriented protocol used for communicating data across a packet-switched internetwork.

• IP is a network layer protocol in the Internet protocol suite and is encapsulated in a data link layer protocol (e.g., Ethernet). As a lower layer protocol, IP provides the service of communicable unique global addressing amongst computers.”

http://en.wikipedia.org/wiki/Internet_Protocol

http://en.wikipedia.org/wiki/Protocol_%28computing%29

http://en.wikipedia.org/wiki/Packet-switched

http://en.wikipedia.org/wiki/Internetwork

http://en.wikipedia.org/wiki/Network_layer

http://en.wikipedia.org/wiki/Internet_protocol_suite

http://en.wikipedia.org/wiki/Encapsulation_%28networking%29

http://en.wikipedia.org/wiki/Data_link_layer

http://en.wikipedia.org/wiki/Ethernet

http://en.wikipedia.org/wiki/Lower_layer_protocol

What is an IP address?

• An IP address is NOT a domain name

• It is an identifier that includes necessary information to reach a network location

• Each network location has an IP address

• Reaching a location is achieved via the Internet routing system

My Computer www.gov.au2001:0C00:8888:: 2001:0600::1

www.gov.au ? 192.168.5.1002001:0600::1

IP addresses are not domain names

The Internet

DNS

IP addresses

• Are either IPv4 or IPv6

• IPv4: 32-bit* number – 4 billion different host addresses– E.g. 202.12.29.142

• IPv6: 128-bit* number– 16 billion billion network addresses– E.g. 2001:0400:3c00:a:b:c:d:1

* bit = binary digit

The Four Layers of TCP/IP

Network Access

Application

Transport

Internet

What is the packet switching?

• “Packet switching is a communications paradigm in which packets (units of information carriage) are routed between nodes over data links shared with other traffic. In each network node, packets are queued or buffered, resulting in variable delay.”

http://en.wikipedia.org/wiki/Packet_switching

http://en.wikipedia.org/wiki/Paradigm

http://en.wikipedia.org/wiki/Packet

http://en.wikipedia.org/wiki/Routing

TCP/IP protocol structure

ICMP

UDP

SMTP FTP Telnet

IGMP

ARP RARP

DATA LINK

PHYSICAL

DNS ……… HTTP

TCP

IP

What else is an IP address?

• Internet infrastructure address

• Uniquely assigned to infrastructure elements

• Globally visible to the entire Internet

• A finite “common resource”

• Never “owned” by address users

• Not dependent upon the DNS

Where do IP addresses come from?

IPv4 IPv6

Allocation

Allocation

Assignment

end user

* In some cases via an NIR such as KRNIC

*

Routing

What is a router

• A device in the network that processes and routes data between two points

• A device that routes data between networks using IP addressing

• A layer 3 device

• Hardware or software used to connect two or more networks

How does routing work?

• The routing system is normally hierarchical

• Each part of the hierarchy provides specific detail

• This detail enables traffic to flow from one network to another

• It works in a similar manner to telephone routing

Telephone network routing

Global

Local

National

Prefix table

+1+44+61+852+91…

Prefix table

237…

Prefix table

…

Internet address routing

The Internet

Traffic202.12.29.142

Announce202.12.24.0/21

Global Routing Table

4.128/960.100/1660.100.0/20135.22/16…

Global Routing Table

4.128/960.100/1660.100.0/20135.22/16

202.12.24.0/21…

202.12.29.128/25

Internet address routing

Local Routing Table

202.12.29.0/25202.12.29.128/25

Traffic202.12.29.142

202.12.29.128/25202.12.29.142

Internet address routing – with NAT

Ref: http://207.46.196.114/windowsserver/en/library/0f4bad59-5237-4452-a693-708ac61fe1671033.mspx?mfr=true

Growth of global routing table

http://bgp.potaroo.net/as1221/bgp-active.html

CIDR deployment

Dot-Com boom

Projected routing table

growth without CIDR

Sustainablegrowth?

• Network boundaries may occur at any bit

IP addressing architecture

16K networks x 64K hosts

128 networks x 16M hostsA

B2M networks x 256 hosts

C

Obsolete• inefficient• depletion of B space• too many routes from C space

Classful Classless

Best CurrentPractice

Addresses Prefix Classful Net Mask... ... ... ...

8 /29 255.255.255.24816 /28 255.255.255.24032 /27 255.255.255.22464 /26 255.255.255.192

128 /25 255.255.255.128256 /24 1 C 255.255.255.0... ... ... ...

4096 /20 16 C’s 255.255.240.08192 /19 32 C’s 255.255.224

163843276865536

/18/17 /16

64 C’s128 C’s

1 B

255.255.192255.255.128255.255.0.0

... ... ... ...

Classful addressing

is dead!

RFC1519

IP addressing architecture

• Classful (Obsolete)– Wasteful address architecture

• network boundaries are fixed at 8, 16 or 24 bits (class A, B, and C)

• Classless– Efficient architecture

• network boundaries may occur at any bit (e.g. /12, /16, /19, /24 etc)

• CIDR• Classless Inter Domain Routing architecture

– Allows aggregation of routes within ISPs infrastructure

Best CurrentPractice

RFC1518

RFC1517

/28: 14 hostsNetwork address: 28 bits Host: 4 bits

Net: 10 bits Host address: 22 bits

/10: 4M hosts

Classless addressing - examples

Network address: 19 bits Host: 13 bits

/19: 8190 hosts


/20: 4094 hosts


/24: 254 hosts

Global Internet routing

The Internet

Global routing table

4.128/960.100/1660.100.0/20135.22/16…

Net

Net

Net

NetNet

NetNet

Net

Net

Net

Net

ISP tier structure

Ref: CISCO ISP workshop presented in SANOG 2006

IP address aggregation

ISP D ISP C

ISP A ISP B

Internet

Aggregation

(Non-portable Assignments)

(4 routes)

ISP D ISP C

ISP A ISP B

Internet

(Portable Assignments)

No Aggregation

(21 routes)

Internet resource management

Role of Regional Internet Registry

What are RIRs?

• Industry self-regulatory structures– Open membership-based bodies– Representative of ISPs globally– Service organisations– Non-profit, neutral and independent– 100% self-funded by membership

• First established in early 1990s– Voluntarily by consensus of community– To satisfy emerging technical/admin needs

• In the “Internet Tradition”– Consensus-based, open and transparent

The early years: 1981 – 1992

“The assignment of numbers is also handled by Jon. If you are developing a protocol or application that will require the use of a link, socket, port, protocol, or network number please contact Jon to receive a number assignment.” (RFC 790)

1981:

The boom years: 1992 – 2001

“It has become clear that … these problems are likely to become critical within the next one to three years.” (RFC1366)

“…it is [now] desirable to consider delegating the registration function to an organization in each of those geographic areas.” (RFC 1338)

1992:

Recent years: 2002 – 2007

2004:

Number Resource Organization

What do RIRs do?

• Internet resource allocation– Primarily, IP addresses – IPv4 and IPv6– Receive resources from IANA/ICANN, and redistribute

to ISPs on a regional basis– Registration services (“whois”)

• Policy development and coordination– Open Policy Meetings and processes

• Training and outreach– Training courses, seminars, conferences– Liaison: IETF, ITU, APT, PITA, APEC

• Publications– Newsletters, reports, web site

RIR policy development process

OPEN

TRANSPARENT‘BOTTOM UP’

Anyone can participate

All decisions and policies documented and freely available to anyone

Internet community proposes and approves policy

Need

DiscussEvaluate

Implement Consensus

What is APNIC?

• Regional Internet Registry (RIR) for the Asia Pacific region

– One of five RIRs currently operating around the world– Non-profit, membership organisation

• Open participation, democratic, bottom-up processes– Responsible for distributing Internet resources

throughout the AP region• Industry self-regulatory body

– Consensus-based, open, and transparent decision-making and policy development

• Meetings and mailing lists– Open to anyone– http://www.apnic.net/meetings/23/index.html– http://www.apnic.net/community/lists/index.html

http://www.apnic.net/meetings/23/index.html

http://www.apnic.net/services/help/rd/troubleshooting.html

http://www.apnic.net/services/help/rd/troubleshooting.html

Where is APNIC region?

APNIC services

• Internet resource allocations– “MyAPNIC” secure membership portal– Multilingual helpdesk – email, phone, chat, VOIP*

• Open Policy Meetings– Twice annually– Webcast and remote participation– Stenocaptioning

• Training and education– Technical workshops: Routing, DNS, Security

• Internet support– Fellowships– R&D grants funding– icons – ISP support website

APNIC is NOT

• A network operator– Does not provide networking services

• Works closely with APRICOT forum

• A standards body– Does not develop technical standards

• Works within IETF in relevant areas (IPv6 etc)

• A domain name registry or registrar• Will refer queries to relevant parties

Internet Registry structure

ICANN(IANA)

ARINAPNIC

NIR LIR LIR

LIR ISP ISP

RIPE NCCLACNIC AfriNIC

Global policy coordination

NROAPNIC

ARIN

RIPE NCC

LACNIC

AfriNIC

The main aims of the NRO:

• To protect the unallocated number resource pool• To promote and protect the bottom-up policy development process• To facilitate the joint coordination of activities e.g., engineering projects • To act as a focal point for Internet community input into the RIR system

Global policy coordination

NROAPNIC

ARIN

RIPE NCC

LACNIC

AfriNIC

ASO ICANN

The main function of ASO:

• ASO receives global policies and policy process details from the NRO• ASO forwards global policies and policy process details to ICANN board

RIR and Internet resource management

APNIC, 24

ARIN, 27

LACNIC, 4

RIPE NCC, 24

Multicast, 16

IANA Reserved, 49

Central Registry, 93

AfriNIC, 1Experimental, 16

Public Use, 1

Private Use, 1

As of July 2007

Global IPv4 Delegations (in /8)

RIR and Internet resource management

http://bgp.potaroo.net/as1221/bgp-active.html

CIDR deployment

Dot-Com boom

Projected routing table

growth without CIDR

Sustainablegrowth?

Growth of global routing table

http://www.ietf.org/internet-drafts/draft-michaelson-4byte-as-representation-02.txt

The growth of the Internet and IPv4 unallocated address space exhaustion

Current status of IPv4

Ref: IPv4 unallocated address space exhaustion by Geoff Huston, Sept 2007

Current status of IPv4


IPv4 address allocation – IANA to RIRs


IPv4 allocation – RIRs to their members


Advertised and unadvertised addresses


Predictive model

Date Prediction


IPv4 address consumption model


IPv4 address consumption model


According to this model

• IANA unallocated address pool will be exhausted– 10 May 2010– This is the model’s predicted date as of 22nd

October 2007– Tomorrow’s prediction will be different


IPv4 address consumption prediction

• Assumptions– Tomorrow is a lot like today– Trends visible in the recent past continue into

the future

• This model assumes that there will be:– no panic– no change in policies– no change in the underlying demand dynamics– no rationing– no withholding or hoarding!

• No really! Ref: IPv4 unallocated address space exhaustion by Geoff Huston, Sept 2007

So what will happen after the exhaustion?

• The Internet will not stop but its growth will be impacted

• Who will be impacted?– ISPs

• Sustaining their business models will become more difficult unless you have huge IPv4 address blocks

– End users• Cost of access to the Internet will increase

Some possible scenarios

• So what will happen after the IPv4 unallocated address space exhaustion?– Persist in IPv4 networks using more NATs– Address markets emerging for IPv4– Routing fragmentation– IPv6 transition


How can we cope with it?

CIDR

• Classless Inter Domain Routing– Developed to cope with a rapid IPv4 address

consumption (around 1994 – 1995 period)• Before CIDR, people used Classfull address architecture

- Class A, B and C- A very inflexible architecture

– CIDR allows to assign IP addresses in a much more flexible manner

• Classless address architecture• CIDR allows us to extend the IPv4 address space more than we expected

- Over achievement?

IPv4 NATs today

• Today NATs are largely externalised costs for ISPs– Customers buy and operate NATs– Applications are tuned to single-level-NAT

traversal– Static public addresses typically attract a traffic

premium in the real market• For retail customers, IP addresses already have a market price!


The “Just” add more NATs option

• Demand for increasing NAT “intensity”– Shift ISP infrastructure to private address realms– Multi-level NAT deployment both at the customer edge

and within the ISP network• This poses issues in terms of application discovery and

adaptation to NAT behaviours

– End cost for static public addresses may increase

• How far can NATs scale?– Not well known– What are the critical resources here

• Nat biding capability and state maintenance, NAT packet throughput, private address pool sizes and application complexity


Recovering unused IPv4 address space

• 46 x /8 (in various prefixes) un-routed address spaces existing

– APNIC and LACNIC have active reclamation processes

– However, recovery of such address space is not easy • Most of historical address space exist in USA• Historical address space: address distributed before the RIR

mechanism kicked into the system• Reclamation processes are not only likely to be lengthy and

difficult, but also expensive• Most likely “address market” will emerge

– Amount of recoverble address spaceis relatively insignificant

– Fragmented address blocks • Increase injection to the global routing table

• Only provides limited solutionsRef: APster IIssues 23 – Septemner 2007, “Responses to IPv4 address space consumption” By Paul Wilson

Reuse of 240/4 address space for private use• APNIC’s Paul Wilson and Geoff Huston submitted

an Internet draft recently– draft-wilson-class-e– Proposes the redesigtation of the IPv4 address block

240/4 from “Future Use” (originally designated to IETF as “Class E”) to “Limited Use for Large Private Internet”

• To prepare the future demands of large networks that will be deployed behind NAT

– Such networks large enough to exceed the exisitng private address space available under RFC1918 (defining IPv4 private address space)

• To allow an extended period of dual stack IPv4/IPv6 networks

Ref: APster IIssues 23 – Septemner 2007, “Reuse of 240/4 address space for private use”

Transition to IPv6

• But IPv6 is not backward compatible with IPv4 on the wire

• So the plan is that we need to run some form of a “dual stack” transition process– running both IPv4 and IPv6 protocol stacks in

the host– Or dual stack via protocol translating proxies


So, what is IPv6?

Features of IPv6

• The changes introduced by IPv6 can be grouped into five categories

1. Larger Addresses - New 128 bit IP addresses

2. Flexible Header Format - Uses an entirely new and incompatible datagram format

3. Improved Options - Provides new options not available to IPv4

4. Support for Resource Allocation - network resource pre-allocation

5. Provision for Protocol Extension - makes the protocol more adaptable

IPv6 header• Comparison between IPv4 header and IPv6 header

IHL

IHL=IP Header LengthTTL=Time to Live

Version IHL Type of Service Total Length 4 bits 4bits 8bits 16bits

Identification Flags Fragment Offset 16 bits 4 bits 12 bits

TTL Protocol Header Header Checksum 8 bits 8 bits 16 bits

Source Address32 bits

Destination Address32 bits

IP options0 or more bits

IPv4 Header

= Eliminated in IPv6

Enhanced in IPv6

Enhanced in IPv6

Enhanced in IPv6

IPv6 Header

Source Address128 bits

Destination Address128 bits

Version Traffic Class Flow Label 4bits 8 bits 20 bits

Payload Length Next Header Hop Limit 16 bits 8 bits 8 bits

IPv6 header

• IPv6 header is considerably simpler than IPv4– IPv4: 12 fields + options , IPv6: 8 fields + options

• IPv4 header less flexible – cannot exceed 60 bytes• Eliminated fields in IPv6

• Header Length• Identification• Flag• Fragmentation Offset• Checksum

• Enhanced fields in IPv6• TOS =>Traffic Class• Time to Live => Hop Limit• Protocol => Next header (extension headers)• New Flow Label

• Authentication and privacy capabilities

Extension headers

• Next header fieldIPv6 HeaderNext Header =

TCP (Value = 6)TCP Header DATA

IPv6 HeaderNext Header =

Routing (Value = 43)

Routing HeaderNext Header =

TCPTCP Header DATA

IPv6 HeaderNext Header =

Security (Value = 50)

Security HeaderNext Header = Fragmentation

(value = 44)

Fragmentation Header

Next Header =TCPDATATCP Header

Encapsulated IPv6 packets in IPv4

IPv6 addressing

IPv6 addressing

• 128 bits of address space• Hexadecimal values of eight 16 bit fields

• X:X:X:X:X:X:X:X (X=16 bit number, ex: A2FE)• 16 bit number is converted to a 4 digit hexadecimal number

• Example:• 2001:DB8:124C:C1A2:BA03:6735:EF1C:683D

– Abbreviated form of address• 2001:DB8:0023:0000:0000:036E:1250:2B00

→2001:DB8:23:0:0:36E:1250:2B00

→2001:DB8:23::36E:1250:2B00

(Null value can be used only once)

IPv6 addressing model

• IPv6 Address type – Unicast

• An identifier for a single interface

– Anycast• An identifier for a set of interfaces

– Multicast• An identifier for a group of nodes

RFC4291

Unicast address

• Address given to interface for communication between host and router

– Global unicast address currently delegated by IANA

– Local use unicast address• Link-local address (starting with FE80::)

• Site-local address (starting with FEC0::)

001 FP Global routing prefix Subnet ID I nterface ID 3bits 45 bits 16 bits 64 bits

1111111010 000…….0000 Interface ID 10 bits 54 bits 64 bits

1111111011 Subnet-ID Interface ID 10 bits 54 bits 64 bits

Aggregatable global unicast address - deprecated• RFC 2374 – deprecated

• TLA = Top-Level AggregatorNLA = Next-Level Aggregator(s)SLA = Site-Level Aggregator(s)

• This scheme has been replaced by a coordinated allocation policy defined by RIR.

• You may see them in text books, but remember they are deprecated!

sitetopology(16 bits)

interfaceidentifier(64 bits)

publictopology(45 bits)

interface IDSLA*NLA*TLA001

RFC2374

Interface ID: EUI-64

3 4 5 6 7 8 9 A B C D E

0 0 1 1 0 1 0 0

0 0 1 1 0 1 1 0

3 4 5 6 7 8 9 A B C D E

F F F E

36 5 6 7 8 9 A B C D E F F

Mac Address

EUI-64 Address

Interface Identifier

U/L bit

F E

U/L bit = 0 if non-unique MAC address (A MAC address may be not unique if the administrator changes the MAC address of the Interface.)U/L bit = 1 if unique MAC address

Anycast address

• One-to-one-of-many communication– Delivery to a single interface

• Syntactically the same as a unicast address

• May be assigned to routers only

• Cannot be used as the source address

• Need more widespread experience in the future

Multicast address

• First 8 bits identifies multicast address– 11111111 (FF)

• Flags– 0000 = a permanently-assigned (well-known) multicast address– 0001 = a non-permanently-assigned (transient) multicast address

• Scope (indicates the scope of the multicast group)– 1= node local– 2= link local– 3= site local– 8= organisation local– E= global

• Group ID– Identifies the multicast group within the specified scope

• Well-known multicast addresses– FF02:0:0:0:0:0:0:1 All-nodes address with Link-local scope– FF02:0:0:0:0:0:0:2 All-routers address with Link-local scope

11111111 Flag Scope Group ID

8 bits 4 bits 4bits 112 bits

Autoconfiguration

IPv6 autoconfiguration

• Stateless mechanism– For a site not concerned with the exact addresses– No manual configuration required– Minimal configuration of routers– No additional servers

• Stateful mechanism– For a site requires tighter control over exact address

assignments– Need DHCP server– DHCPv6

• Enable “Plug and play”

RFC2462

Plug and Play

• IPv6 link local address– Even if no servers/routers to assign an IP address to a

device existing, the device can still auto-generate an IP address

• Allow interfaces on the same link to communicate with other devices

• Stateless – No control over information belongs to the interface

with an assigned IP address• Possible security issues

• Stateful– Remember information about interfaces that are

assigned IP addresses


Tentative address (link-local address)Well-known link local prefix +Interface ID (EUI-64)Ex: FE80::310:BAFF:FE64:1D

Is this address unique?

1. A new host is turned on.2. Tentative address will be assigned to the new host.3. Duplicate Address Detection (DAD) is performed. First the host transmit

a Neighbor Solicitation (NS) message to all-nodes multicast address (FF02::1)

5. If no Neighbor Advertisement (NA) message comes back then the address is unique.

6. FE80::310:BAFF:FE64:1D will be assigned to the new host.

AssignFE80::310:BAFF:FE64:1D

2001:1234:1:1/64 network


FE80::310:BAFF:FE64:1D

Send meRouter Advertisement

1. The new host will send Router Solicitation (RS) request to the all-routers multicast group (FE02::2).

2. The router will reply Routing Advertisement (RA).3. The new host will learn the network prefix. E.g, 2001:1234:1:1/644. The new host will assigned a new address Network prefix+Interface ID

E.g, 2001:1234:1:1:310:BAFF:FE64:1D

RouterAdvertisement

Assign2001:1234:1:1:310:BAFF:FE64:1D

2001:1234:1:1/64 network

IPv6 features – autoconfiguration

• Keeps end user costs down– No need for manual configuration– In conjunction with the possibility of low cost

network interface

• Helpful when residential networks emerge as an important market

• But the address not automatically registered into the DNS

• Security issues need to be considered as discussed

IPv4 to IPv6 transition

Dec 2007

Transition overview

• How to get connectivity from an IPv6 hosts to the global IPv6 Internet?– Via an native connectivity– Via an IPv6-in-IPv6 tunnelling techniques

• IPv6-only deployment are rare

• Practical reality– Sites deploying IPv6 will not transit to IPv6-

only, but transit to a state where they support both IPv4 and Ipv6 (dual-stack)

http://www.6net.org/book/deployment-guide.pdf

Transition overview

• Three basic ways of transition– Dual stack– Additional IPv6 infrastructure

• Generally involves IPv6-in-IPv4 tunnelling

– IPv6 only networking

• Different demands of hosts and networks to be connected to IPv6 networks will determine the best way of transition


Transition overview

• Dual stack– Allow IPv4 and IPv6 to coexist in the same

devices and networks

• Tunnelling– Allow the transport of IPv6 traffic over the

existing IPv4 infrastructure

• Translation– Allow IPv6 only nodes to communicate with

IPv4 only nodes

IPv6 essentials by Silvia Hagen, p255

Transition overview

• Once the internal networking is determined,

• The next step is to arrange external connectivity for the whole site– Involves external routing issues– Either natively or via some tunnelling

mechanism


Transition overview

• Implementation rather than transition– No fixed day to convert– But we do not have much time to waste

• The key to successful IPv6 transition– Maintaining compatibility with IPv4 hosts and

routers while deploying IPv6• Millions of IPv4 nodes already exist• Upgrading every IPv4 nodes to IPv6 is not feasible

- No need to convert all at once

• Transition process will be gradual- Consider IPv4 unallocated address space exhaustion

within 2 – 4 years

Dual stack transition

• Dual stack = TCP/IP protocol stack running both IPv4 and IPv6 protocol stacks simultaneously

– Application can talk to both

• Useful at the early phase of transition

DRIVER

IPv4 IPv6

APPLICATION

TCP/UDP

Dual Stack Host

IPv4 IPv6

RFC4213

Dual stack

• A host or a router is equipped with both IPv4 and IPv6 protocol stacks in the OS

• Each node (an IPv4/IPv6 node) is configured with both IPv4 and IPv6 addresses

• Therefore it can both send and receive datagrams belonging to both protocols

• The simplest and the most desirable way for IPv4 and IPv6 to coexist


Dual stack

• Possible challenges– If you use OSPFv2 for your IPv4 network you

need to run OSPFv3 in addition to OPSFv2– How to manage the interaction of the two

protocols• E.g., deployment of email serves for SMTP, and how the MX servers are provisioned for both protocols by offering IPv4 or IPv6 reachability

- How failover is handled between the protocols


Dual stack

• DNS is used with both protocol versions to resolve names and IP addresses– An dual stack node needs a DNS resolver that

is capable of resolving both types of DNS address records

• DSN A record to resolve IPv4 addresses• DNS AAAA record to resolve IPv6 addresses

• Dual stack network– Is an infrastructure in which both IPv4 and Ipv6

forwarding is enabled on routers


Tunnels

• Additional IPv6 infrastructure– Tunnelling techniques used on top of the

present IPv4 infrastructure without having to make any changes to the IPv4 routing or the routers

– Tunnelling is often used by networks not yet capable of offering native IPv6 functionality

– Often used as a first step to test the new protocol and to start integration of IPv6

• Manual, automatic, semi-automatic configured tunnels are available


Tunnelling – general concept

• Tunneling can be used by routers and hosts– IPv6-over-IPv4 tunnelling– Involves three steps

• Encapsulation, decapsulation, and tunnel management

IPv4 header IPv6 dataIPv6 header IPv6 dataIPv6 header

Concept is borrowed from Cisco training material “IPv6 Seminar”


EncapsulationIPv6 network

IPv4 network

IPv6 network

Decapsulation

IPv6 Host X IPv6 Host YTunnel endpoint

IPv6

IPv6

IPv6

IPv6

Tunnel endpoint

IPv4

IPv4

Any number of intermediate routers

Encapsulated IPv6 packets in IPv4

Tunnelling – general concept

• A tunnel can be configured in four different ways:– Router to router

• Spans one segment of the end-to-end path between two hosts. Probably the most common method

– Host to router• Spans the fist segment of the end-to-end path between two

hosts. Many be found in the tunnel broker model

– Host to host• Spans the entire end-to-end path between two hosts

– Router to host• Spans the last segment of the end-to-end path between two

hosts


Tunnel encapsulation

• The steps for the encapsulation of the IPv6 packet

– The entry point of the tunnel decrements the IPv6 hop limit by one

– Encapsulates the packet in an IPv4 header– Transmits the encapsulated packet through the tunnel– The exit point of tunnel receives the encapsulated

packet• If necessary, the IPv4 packet is fragmented

– It checks whether the source of the packet (tunnel entry point) is an acceptable source (according to its configuration)

• If the packet is fragmented, the exit point reassembles it– The exist point removes the IPv4 header– Then it process IPv6 packet to its original destination



Shoing IPv6 source and destinatino addresses

Encapsulated into an IPv4 header

Protocol field decimal value 41= IPv6 (indicating this is an encapsulated packet)


IPv4 source (tunnel entry point) and destination (tunnel exit point) addresses

Payload length field = 64

Next header field = ICMPv6

IPv6 source and destination addresses

Configuring tunnels

• The IPv4 tunnel’s endpoint address is determined by configuring information on the encapsulating node

– Therefore the encapsulating node must keep information about all the tunnel endpoints addresses

– Manual configuration • The administrative work is higher than with automatic tunnels

• For control of the tunnel paths, and to reduce the potential for tunnel relay DoS attacks

– Manually configured tunnels can be advantageous over automatically configured tunnels

• More secure


Manual configuration

IPv6

IPv6

IPv6

IPv6

IPv4

IPv4

Dual StackRouter

Dual Stack Router

IPv4: 192.168.10.1IPv6: 2001:0DB8:700::1

IPv4: 192.168.50.1IPv6: 2001:0DB8:800::1

Manually configured tunnels require:• Dual stack end points• Explicit configuration with both IPv4

and IPv6 addresses at each end

Concept is borrowed from Cisco, Training material “Ipv6 Seminar” delivered at South Asian IPv6 Summit, Jan 2004

RFC4213

Tunnel broker

• Semi-automatic alternative to manual configuration

• Useful when:– A dual stack host in an IPv4-only network

wishing to gain IPv6 connectivity

• The basic idea of a tunnel broker– It allows a user to connect to a web server– Enter some authentication details– Receive back a short script to run– Establish an IPv6-in-IPv4 tunnel to the tunnel

broker server


Tunnel broker

IPv6IPv6

1. Register as a user of TB via a web form

2. Tunnel information response

Dual stacknode

4. Configure tunnel Interface and establishthe tunnel

IPv4IPv4

3. TB configures the tunnelOn the dual stack router

Dual stackrouter

User

Tunnel Broker (TB)

TB is an external system• Free TB services are available

http://www.sixxs.net/tools/aiccu/brokers/

RFC3053

Automatic tunnels

• One of the earlier developed mechanism– RFC4213 (Basic Transition Mechanisms for

IPv6 Hosts and Routers) removes the description of automatic tunnelling

• Since then mostly been replaced by more sophisticated mechanisms– Solution such as ISATAP or 6to4 are generally

considered preferable

• Author of “An IPv6 deployment guide” strongly advice not to use this technique anymore http://www.6net.org/book/deployment-

guide.pdfIPv6 essentials by Silvia Hagen, p261

6to4

• A form of automatic router-to-router tunnelling– Uses the IANA-assigned IPv6 prefix 2002::/16– To designate a site that participates in 6to4– Allows an isolated IPv6 site domains to

communicate with other IPv6 domains with minimum configuration


6to4

• An isolated IPv6 site will assign itself a prefix of 2002:V4ADDR::/48

– V4ADDR is the globally unique IPv4 address configured on the appropriate interface of the domain’s egress router

– The exactly same format as normal /48 prefixes– Allows an IPv6 domain to use it like any other valid /48

prefix

• Tunnel end points are determined by the value of the global routing prefix of the IPv6 destination address contained in the IPv6 packet being transmitted

– This includes the IPv4 addresshttp://www.6net.org/book/deployment-guide.pdf

6to4


6to4

• When 6to4 domains communicate with 6to4 domains, things are relatively simpler– No particular tunnel configuration is required– No need to run any exterior IPv6 routing

protocol as IPv4 exterior routing performs the task


6to4

• However, when 6to4 domains wish to communicate with non-6to4 domains, the situation is a little more complex

– Connectivity between the domains is achieved via a relay router• A router that has at least one logical 6to4 interface• At least one native IPv6 interface• Advertises the 6to4 2002::/16 prefix into the native IPv6 routing

domain• It may routers native IPv6 routes into 6to4 connection

- You need to know the nearest 6to4 relay router’s location- Very few public relays

– Rely routers can be found using IPv4 anycast– IPv6 exterior routing must be used– A critical problem:

• 6to4 routers are not able to identify whether any 6to4 relays are legitimate

• Implementing security measures (security check) is important

ISATAP

• Intra-Site Automatic Tunnel Addressing Protocol (ISATP)– Designed to provide IPv6 connectivity for dual-

stack notdes over an IPv4 based network– Treats the IPv4 network as one large link-

payer network– Allows dual-stack nodes to automatically

tunnel between themselves

Under Construction

Teredo

• A form of automatic tunnelling intended to provide IPv6 connectivity to IPv4 hosts located behind a NAT

– The host does not posses permanent, global-scope IPv4 addresses

– Host to host automatic tunnelling mechanism– Provide IPv6 connectivity by encapsulating IPv6

packets in IPv4-based UDP (User Datagram Protocol) messages

• Allows pass through most NAT devices

• Requires a certain amount of infrastructure– Teredo server and Teredo relay– UDP port 3544 is used by the Teredo server to listen

for requests from the Teredo clients

Teredo

• Teredo servers– To facilitate the addressing of and

communication between Teredo clients and Teredo relays

– They must be on the public IPv4 Internet

• Teredo relays– Gateways between the IPv6 Internet and the

Teredo clients– To forward the data packets – They must be on the IPv4 and IPv6 Internet

IPv6 Network administration, pp 70 - 71

Teredo

• Teredo is intended to be a last resort– Just trying to deploy IPv6 on your desktop and

you are stuck behind a NAT– Then Teredo may be your only choice

• You may not want to include it in your deployment plan– It is better to put necessary infrastructure in

place that eliminates the need for Teredo

IPv6 Network administration, pp 71

IPv6 deployment

Issues and concerns

IPv6 current deployment status

• Not many cases of production networks– Not many business cases– Quite a few research and experimental

networks

• Some statistics to review

IPv6 peering outdegree – March 2005

http://www.caida.org/analysis/topology/as_core_network/ipv6.xml

NTT Verio: 141 peers

The largest cluster of high degree IPv6 AS nodes is in Europe.

UUNET

Sprint ink

Comparative analysis

http://www.caida.org/analysis/topology/as_core_network/ipv6.xml

IPv6 allocation and announcements

• ARIN IPv6 allocation and annoucements

https://www.ripe.net/ripe/meetings/ripe-55/presentations/bush-ipv6-allocation.pdf p2


• APNIC IPv6 allocation and announcements



• RIPE IPv6 allocation and announcements



• LACNIC IPv6 allocation and announcements



• AfriNIC IPv6 allocation and announcements



• Prefix allocation distribution



• Prefix announcement distribution


Issues

• Obviously not many production network deployment– Gap in understanding between front line

network engineers and decision makers• CEO and CIO are not interested in to make investments for protocols not making tangible profit

Under construction

Future scenarios

JPNIC’s most recent report

• Roadmap – responding IPv4 address exhaustionAPNIC/JPNIC IPv4Address exhaustion(2010 – 2011)

Limit of recycling IPv4 stock

Time

IPv4 growth period IPv4 address unavailable

IPv6 expansion period

Responses by ISPs

Existing customers IPv4

New customers Recycling/reassigning IPv4 addresses

IPv4 + NAT

IPv6 preparation period: minimum one year is required

IPv6 full-scale operation

Responses by JPNIC

Present

JPNIC’s most recent report

Conceivable idealistic responses

IPv4 Internet

IPv6 Internet

New ISPs

Dual stack

IPv4 private address

IPv4 global address

IPv6 address

IPv6 address

If vendors develop usable translator then IPv4 can communicate with IPv6 directly

Users

Server operators

Conclusion

What could be useful right now?

• Clear and coherent information about the situation and current choices

• Understanding of the implications of various options

• Appreciation of our limitations and strengths as a global deregulated industry attempting to preserve a single coherent networked outcome

https://www.ripe.net/ripe/meetings/ripe-55/presentations/huston-ipv4.pdf

What could be useful right now?

• Understanding of the larger audience and the broader context in which these processes are playing out

• Some pragmatic workable approaches that allow a suitable degree of choice for players

• Understanding that some transition are not “natural” for a deregulated industry. Some painful transitions were only undertaken in response to regulatory fiat– Think analogue to digital spectrum shift as a

recent example

https://www.ripe.net/ripe/meetings/ripe-55/presentations/huston-ipv4.pdf

Thank you!

Date post:	05-Jan-2016
Category:	Documents
Upload:	aron-elijah-sullivan
View:	212 times
Download:	0 times

APNIC Seminar The Internet in crisis IPv4 address depletion and life thereafter 20 th, December,...

Documents