Why IPv6 is necessary for
new communication scenarios
Tony Hain – Cisco
William Dixon – V6 Security
For IPv6 Coalition Summit
Reston, VA May 26, 2005
How IPv4 NAT Works
• Internal node connects out using TCP
• NAT translates outbound packet:
– source address from private to public
– source port from original to a different new #
• NAT creates state in mapping table to process corresponding inbound responses
• Internet server sees 1 external NAT IP address only
• Server TCP responds to NAT IP address
• NAT translates response:
– to internal node private IP address
– using original outbound source port now as destination port for inbound
• When connection is done, TCP sends “finish” or “reset” commands, which NAT sees, so it deletes state
Diagram labels: Internet IPv4; Network Address Translator; NAT has external, public, routeable Internet IP address
Private IPv4 Address Ranges (RFC 1918):
– 192.168.x.x /16 (~65k nodes)
– 172.16.0.0 /12 (~1.05M nodes)
– 10.x.x.x /8 (~16.7M nodes)
Inbound Connections Through NAT Not possible without admin configuration
Diagram labels: Internet IPv4
Wired or Wireless Internet Connection: 208.48.59.107, host107.resto.hyattsiagx.com
Hyatt Hotel Gateway that does NAT
Hyatt Wired Network in Press Room, Private IPv4 Addresses 192.168.x.x
Wired or Wireless Internet Connection
Home Gateway/Router that does NAT
Home Network typically uses Private IP Addresses, e.g. 192.168.x.x
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
IP Address. . . . . . . . . . . . : 192.168.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
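The two NAT slides above describe a state table that is created by outbound TCP, consulted for inbound responses, and torn down on FIN/RST, with unsolicited inbound packets having nowhere to go. The following added example (not from the slides) simulates exactly that table in Python; the server address 203.0.113.10, the private host 192.168.1.2 and the port numbers are constructed, and the NAT's public address is the 208.48.59.107 shown on the slide.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges listed on the slide; only these may sit behind the NAT
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # constructed stand-in for TCP flags: "SYN", "FIN", "RST" or ""


class Nat:
    """Port-overloading NAT: one public address, state keyed by external port."""

    def __init__(self, public_ip="208.48.59.107", first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # external port -> (private ip, private port, server ip, server port)
        self.table = {}

    def outbound(self, pkt):
        """Translate a packet leaving the private network; create state if new."""
        if not any(ipaddress.ip_address(pkt.src) in n for n in PRIVATE_NETS):
            raise ValueError("outbound packet is not from a private address")
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        ext = next((p for p, v in self.table.items() if v == key), None)
        if ext is None:                       # first packet of the flow
            ext, self.next_port = self.next_port, self.next_port + 1
            self.table[ext] = key
        if pkt.flags in ("FIN", "RST"):       # connection ending: drop state
            del self.table[ext]
        return Packet(self.public_ip, ext, pkt.dst, pkt.dport, pkt.flags)

    def inbound(self, pkt):
        """Translate a reply from the Internet; None means dropped (no state)."""
        entry = self.table.get(pkt.dport)
        if entry is None or entry[2] != pkt.src or entry[3] != pkt.sport:
            return None   # unsolicited or wrong peer: no admin port-forward exists
        priv_ip, priv_port, _, _ = entry
        if pkt.flags in ("FIN", "RST"):
            del self.table[pkt.dport]
        return Packet(pkt.src, pkt.sport, priv_ip, priv_port, pkt.flags)
```

Run a SYN out, a reply back, then a FIN and a second reply: the reply after the FIN is dropped because the mapping is gone, which is the behaviour peer-to-peer applications must work around.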
The IPv6 conference network doesn’t allow connections between all wireless nodes
Diagram labels: Internet IPv4
Wired or Wireless Internet Connection: 208.48.59.107, host107.resto.hyattsiagx.com
Hyatt Hotel Gateway
Wireless Access Point; Wireless Access Point
Hyatt Wired Network in Press Room, Private IPv4 Addresses
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
IP Address. . . . . . . . . . . . : 192.168.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
SSID “IPv6Summit” Using Routeable Internet IPv4 Addresses
Ethernet adapter Wireless Network Connection 4:
Connection-specific DNS Suffix . : jfk.gblx.com
Description . . . . . . . . . . . : Belkin 802.11g Network Adapter
IP Address. . . . . . . . . . . . : 208.48.182.55
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 208.48.182.1
DHCP Server . . . . . . . . . . . : 10.20.20.2
DNS Servers . . . . . . . . . . . : 64.212.106.84
                                    64.212.106.85
SSID “Panera” Private IP Addresses
Ethernet adapter Wireless Network Connection 4:
Connection-specific DNS Suffix . : savvis.net
Description . . . . . . . . . . . : Belkin 802.11g Network Adapter
IP Address. . . . . . . . . . . . : 10.0.50.77
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : fe80::211:50ff:fe35:8482%7
Default Gateway . . . . . . . . . : 10.0.50.4
DHCP Server . . . . . . . . . . . : 10.0.50.4
DNS Servers . . . . . . . . . . . : 209.144.50.113
                                    209.144.50.125
Peer to Peer applications required to build rendezvous and proxy architecture for IPv4 peer discovery and relaying data connections (e.g. IM, VOIP, Napster)
IPv6 Enables Direct Connectivity
• Every node has a global routeable address
• Local Link Neighbor (Peer) Discovery
• Inbound connections possible if firewalls allow
• Remote peer address discovery provided by:
– Home Agent fixed Home Address using Mobile IPv6
– Static IP for non-mobile assets w/o Mobile IPv6
– Dynamic DNS update with current IPv6 address, if allowed, enables name resolution to find current address
– Still use rendezvous point for remote peer address discovery w/o Mobile IPv6 Home Agent
• AND end-to-end security standard with IPsec
– Core protocols finalized, defined ’98, and recently improved
– Work in progress to define scenarios like, “how does home gateway let only your family connect in?”
IPv6 Network Architecture Protection (draft-ietf-v6ops-nap-00.txt)
Brian Carpenter, Ralph Droms, Tony Hain, Eric L Klein, Gunter Van de Velde
Network Architecture Protection: “A set of IPv6 techniques that may be combined on an IPv6 site to simplify and protect the integrity of its network architecture, without the need for Address Translation”
Market Perceived Benefits of NAT & the IPv6 alternatives
Function | IPv4/NAT | IPv6
Simple Gateway as default router and address pool manager | DHCP: single address upstream; DHCP: limited number of individual devices downstream | DHCP-PD: arbitrary length customer prefix upstream, SLAAC via RA downstream
Simple Security | Filtering due to lack of translation state | Context Based Access Control
Local usage tracking | NAT state table | Address uniqueness
End system privacy | NAT transforms device ID bits in the address | Temporary use privacy addresses
Topology hiding | NAT transforms subnet bits in the address | Untraceable addresses using IGP host routes and/or MIPv6 tunnels for stationary devices
Addressing Autonomy | RFC 1918 | RFC 3177 & ULA
Global Address Pool Conservation | RFC 1918 | 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses
Renumbering and Multi-homing | Address translation at border | Preferred lifetime per prefix & Multiple addresses per interface
IPv6 Gap Analysis
• Completion of work on ULAs
• Renumbering procedure
• How to completely hide subnet topology
• Multihoming
• Traceability issues