Download Clear and Present Danger of IPv6

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
Document related concepts

Cracking of wireless networks wikipedia , lookup

Transcript 
NANOG39: IPv6 Network Operators BoF
Clear and Present Danger of IPv6
episode 2: IPv6/IPv4 fallback
Katsuyasu TOYAMA
Tomohiro FUJISAKI
Arifumi MATSUMOTO
Shiro NIINOBE
NTT Labs.
IPv6-enabled hosts are increasing
Windows Vista has been released!
IPv6 enabled by default
Still IPv6 internet is not widely deployed
Partially-deployed ipv6 environment is sometimes
troublesome…
IPv6-to-IPv4 fallback is one of the problems
NTT Labs.
What is ‘IPv6-to-IPv4 fallback’?
Many current IPv6/IPv4 dual-stack operating systems
start their communication using IPv6.
If destination has both ipv4 and ipv6 address,
end host first tries ipv6. And if it fails, then tries ipv4.
IPv6/IPv4 Internet
Host
Host
IPv6
IPv6
IPv6stack
stack
IPv4
IPv4stack
stack
Host
Host
IPv6
IPv6stack
stack
IPv4
IPv4stack
stack
Tries IPv6 first and
if it fails, tries IPv4
IPv4
Host
Host
IPv6
IPv6stack
stack
IPv4
IPv4stack
stack
IPv6
IPv6stack
stack
IPv4
IPv4stack
stack
fallback
fallback
IPv6
IPv4
NTT Labs.
Web
Web
server
serverXX
Web
Web
server
serverYY
IPv6
IPv6stack
stack
IPv4
IPv4stack
stack
Web
Web
server Z
server Z
IPv4
IPv4stack
stack
DNS
records
A and
AAAA
A and
AAAA
A
IPv6/IPv4 fallback problem
IPv6-to-IPv4 fallback sometimes takes a long time.
Problem is especially significant in TCP-based applications.
They initially need to establish connection. First they try ipv6
address.
They have to wait for timeout, and then try ipv4 address, and
finallly it is established.
From users’ view
User has to wait approximately 20 seconds, until tcp connection is
established and the web page starts to be displayed.
Over 20 seconds…
click!
NTT Labs.
Where does fallback problem occur?
v4/v6
Host
Host
v4/v6
v4
IPv6
IPv6stack
stack
IPv4
IPv4stack
stack
Web
Web
server
serverZZ
IPv6
IPv6stack
stack
IPv4
IPv4stack
stack
User
Network
A and
AAAA
Internet
User deployed ipv6 in their network,
but the user does not have reachability to
global ipv6 internet because:
the user does not buy ipv6 connectivity, or
upstream does not provide ipv6 connectivity.
NTT Labs.
Such cases are often?
At present, it seems rare …
Vista PCs which are not assigned ipv6 address do not try ipv6.
But near future, enterprise and home network may assign
ipv6 address for some reason.
some ipv6 application starts to be used
accidentally assigned ipv6 address due to misconfigured RA.
At that time, fallback problem will arise in case that
service providers do not provide ipv6 connectivity, or
users do not buy ipv6 connectivity.
NTT Labs.
How to solve this problem
The best solution
Of course, to deploy ipv6 to all the internet; all
providers. ☺
Other solutions
Do not assign ipv6 address until ipv6 connectivity is
prepared.
Do not use ipv6 default route, but only specific routes
in user network.
DNS cache or DNS proxy server in user’s network does
not relay AAAA resource record.
NTT Labs.
How to solve this problem (cont’d)
From an architectual point of view
Network nodes should notify end hosts that there is no
route to the destination, and end hosts should fall
back from ipv6 to ipv4 according to the notification.
ICMPv6 Type1: Destination Unreachable
v4/v6
Host
Host
v4/v6
v4
IPv6
IPv6stack
stack
IPv4
IPv4stack
stack
IPv6
IPv6stack
stack
IPv4
IPv4stack
stack
ICMPv6
User
Network
Web
Web
server
serverZZ
Internet
NTT Labs.
A and
AAAA
Fallback experiment
We compared the behavior of various dual-stack
operating systems regarding IPv6-to-IPv4 fallback.
How do they react to the following situation?
that is, how long do they take to fall back?
No error reports from network nodes
(1) Timeout of connection
Error reports from network nodes
(2) ICMP error
Mainly `ICMP destination unreachable’ message
Force to fall back
(3) TCP RST
not legitimate solution??
NTT Labs.
Fallback experiment (2)
Measuring time
required to fall back
from IPv6 to IPv4 at
client PC when:
(1) No response from
network
(2) ICMPv6 destination
unreachable returned
no route to dest
administratively
prohibited
address unreachable
port unreachable
(3) TCP RST returned
HTTP server
A and AAAA
records registered
Returning ICMPv6 destination
unreachable or TCP reset
responding to the IPv6 TCP
connection setup
IPv6/IPv4 network
Filtering ipv6
packets from client.
Router
●IPv6/IPv4 dual-stack node
with both connectivities
●Using web browser to check
client behavior
NTT Labs.
Client PC
Results of experiments 1/3
unit: seconds
Operating
systems
(1) No
response
from
network:
TCP Timeout
(2) ICMPv6 error
(Type=1: Destination unreachable)
Code=0
No Route
Code=3
Addr
Unreach
Code=1
Admin
Prohibit
Code=4
Port
Unreach
(3) Force
to fall
back
TCP RST
Vista RC2
(Build 5744)
IE 7.0.5600.
(2006.10.11)
21.01
21.00
21.00
21.00
21.00
1.01
WinXP (SP2)
IE 6.x
22.87
22.91
22.92
22.95
22.93
1.06
WinXP (SP2)
Firefox 1.5
20.99
20.96
20.96
20.98
Not fallback
0.97
Time between first IPv6 TCP SYN packet and IPv4 TCP
SYN packet immediately after fallback occurs.
NTT Labs.
Results of experiments 2/3
unit: seconds
Operating systems
(1)
Timeout
(2) ICMPv6 Error (Type=1: Destination unreachable)
Code=0
No Route
Code=3
Addr Unreach
Code=1
Admin Prohibit
Code=4
Port Unreach
(3)
TCP RST
Fedora-C3(kernel:2.6.9)
Mozilla1.7.8
188.98
1.65
1.91
Not fallback
0.23
0.00
Fedora-C3(kernel:2.6.11)
FireFox1.5
186.41
0.01
0.00
0.00
0.01
0.01
FreeBSD-R5.4
Mozilla1.7.8
75.01
12.60
Not fallback
12.60
12.60
1.38
FreeBSD-R5.4
Mozilla1.7.12
75.01
12.61
Not fallback
12.60
12.60
0.01
FreeBSD-R5.4
(with 20050620 kame)
Mozilla1.7.8
75.00
1.78
Not fallback
12.61
12.61
0.90
FreeBSD-R5.4
(with 20060116 kame)
Mozilla1.7.12
75.00
0.02
Not fallback
12.62
12.60
0.03
MacOS X Tiger
Safari2.0.3
149.58
11.89
11.85
11.55
11.99
0.08
Solaris10
Mozilla1.7.12
224.29
224.69
224.69
224.69
0.01
1.05
NTT Labs.
Results of experiments 3/3
unit:seconds
(2) ICMPv6 Error (Type=1: Destination Unreachable)
Operating systems
FreeBSD-R5.4
FireFox1.5
(1)
Timeout
Code=0
No Route
Code=3
Addr Unreach
Code=1
Admin
Prohibit
Code=4
Port Unreach
(3)
TCP RST
75.00
12.60
Not fallback
12.60
12.61
0.01
FreeBSD-R5.4
(with 20060116 kame)
FireFox1.5
75.00
0.01
Not fallback
12.60
12.60
0.02
MacOS X Tiger
FireFox1.5
74.74
11.80
Not fallback
11.72
11.63
0.01
224.69
224.69
224.69
0.02
0.02
Solaris10
FireFox1.5
224.69
NTT Labs.
TCP stack behavior when ICMP errors are returned
When node receives ICMP error packets, TCP stack
behavior is defined in RFC 1122 (for IPv4 ICMP only).
When node receives an ICMP hard error, TCP aborts connection
immediately.
When node receives ICMP soft error, TCP must not abort
connection.
Currently, ICMPv6 destinationunreachable error handling is
different in each OS.
The “draft-ietf-tcpm-tcp-soft-errors-03” proposes IPv6 version of ICMPv6
soft error handling….
NTT Labs.
Summary of IPv6/IPv4 fallback problem
In some cases, IPv6-enabled network without global ipv6
reachability causes ipv6-to-ipv4 fallback problem
User feels a longer time to access web sites.
Before ipv6 is fully deployed, users should be careful to
assign ipv6 address to the network without global ipv6
reachability.
if assign, they need some solution such as:
not default route, but specific route
returning TCP RST to minimize fallback time
From architectual point of view, we should define the
reaction to icmpv6 destination unreachable message.
NTT Labs.
Thank you!
{toyama, fujisaki, arifumi, nin} at NTTv6 dot net
NTT Labs.
Related documents
IPv6 Site Renumbering Gap Analysis
IPv6 Site Renumbering Gap Analysis
Title: ISPs ignore IP timebomb
Title: ISPs ignore IP timebomb
IPv4 to IPv6 Migration strategies
IPv4 to IPv6 Migration strategies
IPv6
IPv6
Document
Document
Document
Document
HOW MANY IP ADDRESSES ARE AVAILABLE IN IPV6
HOW MANY IP ADDRESSES ARE AVAILABLE IN IPV6
These reservations are recognized by the authority on TCP/IP
These reservations are recognized by the authority on TCP/IP
homenet_feb2013
homenet_feb2013
Chapter 9b IPv6 Subnetting
Chapter 9b IPv6 Subnetting