Slide 1: Next-Generation Internet Network-Layer Protocol: IPv6
  Department of Computer Science, Tsinghua University

Slide 2: Outline
  - Protocol background
  - Technology highlights
  - Enhanced capabilities
  - Transition issues
  - Next steps

Slide 3: Definition and main characteristics of the next-generation Internet
  - There is not yet a single strict definition; the next-generation Internet will be a gradual process of development
  - Main characteristics on which consensus has been reached so far:
    - Larger: the IPv6 address space, a larger network, more kinds and numbers of connected terminals, broader network applications
    - Faster: end-to-end high-performance communication at 100 Mbps and above
    - More secure and trustworthy: object identification, identity authentication and access authorization, data encryption and integrity, a trustworthy network based on real IPv6 source addresses
    - More timely: multicast service, quality of service (QoS), large-scale real-time interactive applications
    - More convenient: rich applications based on mobile and wireless communication
    - More manageable: orderly management, effective operation, timely maintenance
    - More effective: a profit model, with major social and economic benefits

Slide 4: Why a new IP?
  - 1991: ALE WG studied projections about address consumption rate; showed exhaustion by 2008
  - Bake-off in mid-1994 selected approach of a new protocol over multiple layers of encapsulation

Slide 5: What ever happened to IPv5?
  0      IP      March 1977 version (deprecated)
  1      IP      January 1978 version (deprecated)
  2      IP      February 1978 version A (deprecated)
  3      IP      February 1978 version B (deprecated)
  4      IPv4    September 1981 version (current widespread)
  5      ST      Stream Transport (not a new IP, little use)
  6      IPv6    December 1998 version (formerly SIP, SIPP)
  7      CATNIP  IPng evaluation (formerly TP/IX; deprecated)
  8      PIP     IPng evaluation (deprecated)
  9      TUBA    IPng evaluation (deprecated)
  10-15  unassigned

Technologies

Slide 27
  - Routers do not fragment packets en route if too big; they send ICMP "packet too big" instead
  - Fragment header fields: Next Header, Reserved, Fragment Offset, 0 0, M, Original Packet Identifier

Slide 28: Routing
  - Same "longest-prefix match" routing as IPv4 CIDR
  - Straightforward changes to existing IPv4 routing protocols to handle bigger addresses
    - Unicast: OSPFv3, RIPng, IS-IS, BGP4+
    - Multicast: PIM, MOSPF
  - Use of routing header with anycast addresses allows routing packets through particular regions, e.g., for provider selection, policy, performance, etc.

Slide 29: Routing header
  - Fields: Next Header, Hdr Ext Len, Routing Type, Segments Left, Reserved, Address[0], Address[1]

Slide 30: Example of using the routing header
  - Topology: S, A, B, D
  - S wants to send a packet to D through A and B

Slide 31: Example of using the routing header
  - Src address: S
  - Dest address: A
  - Routing header address: B and D

Slide 32: Example of using the routing header
  - Src address: S
  - Dest address: B
  - Routing header address: D

Slide 33: Example of using the routing header
  - Src address: S
  - Dest address: D

Slide 34: Some terminology
  - Node: a protocol module that implements IPv6
  - Router: a node that forwards IPv6 packets not explicitly addressed to itself
  - Host: any node that is not a router
  - Link: a communication facility or medium over which nodes can communicate at the link layer, i.e., the layer immediately below IPv6
  - Neighbors: nodes attached to the same link
  - Interface: a node's attachment to a link
  - Address: an IPv6-layer identifier for an interface or a set of interfaces

Slide 35: Text representation of addresses
  - "Preferred" form: 1080:0:ff:0:8:800:200c:417a
  - Compressed form: ff01:0:0:0:0:0:0:43 becomes ff01::43
  - IPv4-compatible: 0:0:0:0:0:0: or :

Slide 36: IPv6 addressing model
  [Diagram: link-local, site-local and global scopes]
  - Addresses are assigned to interfaces
    - No change from the IPv4 model
  - An interface is expected to have multiple addresses
  - Addresses have scope
    - Link local
    - Site local (fec0:1)
    - Global
  - Addresses have lifetime
    - Valid and preferred lifetime

Slide 37: Types of IPv6 addresses
  - Unicast: address of a single interface; delivery to a single interface
  - Multicast: address of a set of interfaces; delivery to all interfaces in the set
  - Anycast: address of a set of interfaces; delivery to a single interface in the set
  - No more broadcast addresses

Slide 38: Address type prefixes
  Address type         Binary prefix
  IPv4-compatible      0000...0 (96 zero bits)
  Global unicast       001
  Link-local unicast   1111 1110 10
  Site-local unicast   1111 1110 11
  Multicast            1111 1111
  - All other prefixes reserved (approx. 7/8ths of total)
  - Anycast addresses allocated from unicast prefixes

Slide 39: Global unicast addresses
  - Layout: 001 | TLA | NLA* | SLA* | interface ID
    - Public topology (45 bits): TLA, NLA*
    - Site topology (16 bits): SLA*
    - Interface identifier (64 bits)
  - TLA = Top-Level Aggregator, NLA* = Next-Level Aggregator(s), SLA* = Site-Level Aggregator(s)
  - All subfields variable-length, non-self-encoding (like CIDR)
  - TLAs may be assigned to providers or exchanges

  - Link-local addresses: for use during auto-configuration and when no routers are present
  - Site-local addresses: for independence from changes of TLA / NLA
  - Link-local

Slide 51
  - Routers use source addr + flow label to identify distinct flows
  - Flow label value of 0 used when no special QoS requested (the common case today)
  - This part of IPv6 is not standardized yet, and may well change semantics in the future; RFC 3697 only gives a basic specification

Slide 52: IPv6 support for DiffServ
  - 8-bit Traffic Class field to identify specific classes of packets needing special QoS
    - Same as the new definition of the IPv4 Type-of-Service byte
    - May be initialized by source or by a router en route; may be rewritten by routers en route
    - Traffic Class value of 0 used when no special QoS requested (the common case today)

Slide 53: Compromise
  - Signaled DiffServ (RFC 2998)
    - Uses RSVP for signaling with coarse-grained qualitative aggregate markings
    - Allows for policy control without requiring per-router state overhead

Slide 54: IPv6 mobility

Slide 55: IPv4 mobility: vocabulary
  [Diagram: home network and wide area network]
  - Home network: permanent "home" of mobile (e.g., 128.119.40/24)
  - Permanent address: address in home network, can always be used to reach mobile, e.g., 86
  - Home agent: entity that will perform mobility functions on behalf of mobile, when mobile is remote

Slide 56: IPv4 mobility: more vocabulary
  [Diagram: wide area network and visited network]
  - Care-of-address: address in visited network (e.g., 79.129.13.2)
  - Visited network: network in which mobile currently resides (e.g., 79.129.13/24)
  - Permanent address: remains constant (e.g., 86)
  - Foreign agent: entity in visited network that performs mobility functions on behalf of mobile
  - Correspondent: wants to communicate with mobile

Slide 57: IPv4 mobility: registration
  [Diagram: home network, wide area network, visited network]
  1. Mobile contacts foreign agent on entering visited network
  2. Foreign agent contacts home agent: "this mobile is resident in my network"
  End result:
  - Foreign agent knows about mobile
  - Home agent knows location of mobile

Slide 58: IPv4 mobility
  [Diagram: home network, wide area network, visited network]
  1. Correspondent addresses packets using home address of mobile
  2. Home agent intercepts packets, forwards to foreign agent
  3. Foreign agent receives packets, forwards to mobile
  4. Mobile replies directly to correspondent

Slide 59: IPv6 mobility
  - Mobile hosts have one or more home addresses
    - Relatively stable; associated with host name in DNS
  - A host will acquire a foreign address when it discovers it is in a foreign subnet (i.e., not its home subnet)
    - Uses auto-configuration to get the address
    - Registers the foreign address with a home agent, i.e., a router on its home subnet
  - Packets sent to the mobile's home address(es) are intercepted by the home agent and forwarded to the foreign address, using encapsulation
  - Mobile IPv6 hosts will send binding updates to the correspondent to remove the home agent from the flow

Slide 60: Home agent binding maintenance
  [Diagram: home network, wide area network, visited network; step 1]

Slide 61: Home agent binding maintenance
  [Diagram: home network, wide area network, visited network; steps 1 and 2]

Slide 62: IPv6 mobility
  [Diagram: home network, wide area network, visited network]
  1. Correspondent addresses packets using home address of mobile
  2. Home agent intercepts packets, forwards to mobile with tunnel
  - In the inner IPv6 header, the source address is the correspondent node's address and the destination address is the mobile node's home address

Slide 63: IPv6 mobility
  [Diagram: home network, wide area network, visited network; steps 1 to 4]
  - In the inner IPv6 header, the source address is the mobile node's home address and the destination address is the correspondent node's address

Slide 64: Direct delivery
  - When the mobile node is away from home, it can choose to send data from its care-of address without using Mobile IPv6
    - For transport layer connection data that is long-term and being sent to a correspondent node with which it has completed correspondent registration, the mobile node sends the data from its care-of address
    - For short-term communication that does not require a logical connection, the mobile node can send data from its care-of address

Slide 65: Correspondent node binding maintenance
  - Return routability procedure
  - Binding Update and Binding Acknowledgement message exchange
  - Results:
    - On the mobile node, there is an entry in its binding update list for the correspondent node
    - On the correspondent node, there is an entry in its binding cache for the mobile node

Slide 66: Return routability procedure

Slide 67: Binding Update
  [Diagram: home network, wide area network, visited network; step 1]
  - IPv6 header: source = care-of address, destination = correspondent
  - Destination option header: Home Address option = home address
  - Mobility header: Binding Update
  - Cryptographic proof

Slide 68: Binding Acknowledgement
  [Diagram: home network, wide area network, visited network; steps 1 and 2]
  - IPv6 header: source = correspondent, destination = care-of address
  - Type 2 routing header: home address
  - Mobility header: Binding Ack

Slide 69: Direct delivery
  [Diagram: home network, wide area network, visited network; step 1]
  - IPv6 header: source = care-of address, destination = correspondent
  - Destination option header: Home Address option = home address

Slide 70: Direct delivery
  [Diagram: home network, wide area network, visited network; steps 1 and 2]
  - IPv6 header: source = correspondent, destination = care-of address
  - Type 2 routing header: home address

Slide 71: Comparison with Mobile IPv4
  - There are no "foreign agents" in Mobile IPv6
  - Support for route optimization is a fundamental part of the protocol
  - Mobile IPv6 route optimization can operate securely even without pre-arranged security associations

Slide 72: Comparison with Mobile IPv4
  - Support is also integrated into Mobile IPv6 for allowing route optimization to coexist efficiently with routers that perform "ingress filtering"
  - Most packets sent to a mobile node while away from home in Mobile IPv6 are sent using an IPv6 routing header
  - Mobile IPv6 is decoupled from any particular link layer, as it uses IPv6 Neighbor Discovery (ND) instead of ARP

Slide 73: ICMP and ND

Slide 74: ICMP error messages
  - Common format: Type | Code | Checksum, then Parameter, then as much of the invoking packet as will fit without the ICMP packet exceeding MTU
  - (Code and parameter are type-specific)

Slide 75: ICMP error message types
  - Destination unreachable
    - No route
    - Administratively prohibited
    - Address unreachable
    - Port unreachable
  - Packet too big
  - Time exceeded
  - Parameter problem
    - Erroneous header field
    - Unrecognized next header type
    - Unrecognized option

ICMP informational messages
  - Echo request

Slide 81
  - New TCP connections can survive beyond overlap
  - Router renumbering protocol, to allow domain-interior routers to learn of prefix introduction / withdrawal
  - New DNS structure to facilitate prefix changes

Slide 82: Minimum MTU
  - Definitions:
    - Link MTU: a link's maximum transmission unit, i.e., the max IP packet size that can be transmitted over the link
    - Path MTU: the minimum MTU of all the links in a path between a source and a destination
  - Minimum link MTU for IPv6 is 1280 octets (versus 68 octets for IPv4)
  - On links with MTU

Slide 83: Path MTU discovery
  - Implementations are expected to perform path MTU discovery to send packets bigger than 1280 octets:
    - For each dest., start by assuming the MTU of the first-hop link
    - If a packet reaches a link in which it cannot fit, it will invoke an ICMP "packet too big" message to the source, reporting the link's MTU; the MTU is cached by the source for the specific destination
    - Occasionally discard the cached MTU to detect a possible increase
  - A minimal implementation can omit path MTU discovery as long as all packets kept 1280 octets, e.g., in a boot ROM implementation

Slide 84: ND autoconfiguration, prefix & parameter discovery
  - Router solicitations are sent by booting nodes to request RAs for configuring the interfaces
  1. RS: ICMP type = 133
     Src = ::
     Dst = all-routers multicast address
     Query = please send RA
  2. RA: ICMP type = 134
     Src = router link-local address
     Dst = all-nodes multicast address
     Data = options, prefix, lifetime, autoconfig flag

Slide 85: ND address resolution & neighbor unreachability detection
  [Diagram: nodes A and B]
  - ICMP type = 135 (NS)
    Src = A
    Dst = solicited-node multicast of B
    Data = link-layer address of A
    Query = what is your link address?
  - ICMP type = 136 (NA)
    Src = B
    Dst = A
    Data = link-layer address of B
  - A and B can now exchange packets on this link

Slide 86: ND redirect
  [Diagram: routers R1 and R2, hosts A and B, prefix 3ffe:b00:c18:2::/64]
  - Redirect is used by a router to signal the reroute of a packet to an on-link host, to a better router or to another host on the link
  - Packet from A: Src = A, Dst IP = 3ffe:b00:c18:2::1, Dst Ethernet = R2 (default router)
  - Redirect: Src = R2, Dst = A, Data = good router = R1
  - Packet from A after the redirect: Src = A, Dst Ethernet = R1

Slide 87: ND duplicate address detection
  [Diagram: nodes A and B]
  - ICMP type = 135
    Src = 0 (::)
    Dst = solicited-node multicast of A
    Data = link-layer address of A
    Query = what is your link address?
  - Duplicate Address Detection (DAD) uses Neighbor Solicitation to verify the existence of an address to be configured

Slide 88: IPv6 routing

Slide 89: IPv6 routing
  - Straightforward changes to existing IPv4 routing protocols to handle bigger addresses
    - RIPng: same destination/mask/metric information as RIPv2
    - BGP4+: multiprotocol extensions
    - Integrated IS-IS: 20-byte NSAP support facilitates IPv6 address/routing
    - OSPFv3: packet formats changed to reflect 128 bits
  - IPv6 multicast routing
    - PIM, MOSPF, MBGP have IPv6 extensions, have to move forward
    - IPv6 multicast has a larger address space, removing potential collision

Slide 90: BGP4+ overview
  - Added IPv6 address family
  - Added IPv6 transport
  - All generic BGP functionality works as for IPv4

Slide 91: Outline
  - Protocol background
  - Technology highlights
  - Enhanced capabilities
  - Transition issues
  - Next steps

Slide 92: IPv4 - IPv6 co-existence / transition

IPv6 timeline (a pragmatic projection)
  [Chart: quarterly axis, Q1 to Q4 for each year from 2000 to 2007; legend: consumer adoption, enterprise adoption, adoption]

Slide 94: DoD IPv6 timeline
  - Successful transition to IPv4 from NCP in 1982.12.31

Slide 95: Deployments
  - IPv6 deployments will occur piecewise from the edge
    - Core infrastructure only moving when significant customer usage demands it
  - Whenever possible, devices and applications should be capable of both IPv4 & IPv6, to minimize the delays and potential failures inherent in translation points

Slide 96: Impediments to IPv6 deployment
  - Applications
  - Applications
  - Applications
  - Move to the new APIs now

Slide 97: Transition / co-existence techniques
  A wide range of techniques have been identified and implemented, basically falling into three categories:
  (1) Dual-stack techniques, to allow IPv4 and IPv6 to co-exist in the same devices and networks
  (2) Tunneling techniques, to avoid order dependencies when upgrading hosts, routers, or regions
  (3) Translation techniques, to allow IPv6-only devices to communicate with IPv4-only devices
  Expect all of these to be used, in combination

Slide 98: Dual-stack approach
  - When adding IPv6 to a system, do not delete IPv4
  - Applications (or libraries) choose the IP version to use
  - This allows indefinite co-existence of IPv4 and IPv6, and gradual app-by-app upgrades to IPv6 usage

Slide 99: Dual-stack and DNS
  - An application can ask the DNS server to return IPv4 and IPv6 addresses
  - The application can choose one of them

Slide 100: Tunnels to get through IPv6-ignorant routers
  - Encapsulate IPv6 packets inside IPv4 packets (or MPLS frames)
  - Many methods exist for establishing tunnels:
    - Manual configuration
    - "Tunnel brokers" (using a web-based service to create a tunnel)
    - Automatic (deprecated, using IPv4 as the low 32 bits of IPv6)
    - "6-over-4" (intra-domain, using IPv4 multicast as a virtual LAN)
    - "6-to-4" (inter-domain, using the IPv4 addr as the IPv6 site prefix)
  - Can view this as:
    - IPv6 using IPv4 as a virtual link layer, or
    - an IPv6 VPN (virtual public network), over the IPv4 Internet

Slide 101: IPv6 tunnel

Slide 102: Manual configuration tunnel

Slide 103: 6to4 tunnel

Slide 104: 4over6 tunnel

Slide 105: Translation
  - This is a simple extension to NAT techniques, to translate header format as well as addresses
    - IPv6 nodes behind a translator get full IPv6 functionality when talking to other IPv6 nodes located anywhere
    - They get the normal (i.e., degraded) NAT functionality when talking to IPv4 devices

Slide 106: NAT-PT

Slide 107: Outline
  - Protocol background
  - Technology highlights
  - Enhanced capabilities
  - Transition issues
  - Next steps

Slide 108: So what can I do?
  - Begin porting now!
  - Establish test networks to verify configurations and application compatibility

Slide 109: Dual-stack IPv4/IPv6 backbone

Slide 110: Native IPv6-only backbone
  [Diagram: IPv6 backbone connecting IPv6 intranets, an IPv4/v6 intranet, an IPv4 intranet, Mobile IPv6, an IPv4 tunnel and two translating gateways]
  - Requires:
    - IPv4 over IPv6 tunnels for IPv4 traffic
    - Hardware forwarding for IPv6
    - Network management over IPv6
  - Not recommended today, as IPv4 traffic is still the main source
  - But it is a good testbed for IPv6

Slide 111: CERNET2

Slide 112: The 25 core nodes of the CERNET2 backbone
  Xi'an Jiaotong University, Huazhong University of Science and Technology, University of Science and Technology of China, Shanghai Jiao Tong University, South China University of Technology, University of Electronic Science and Technology of China, Northeastern University, Tianjin University, Chongqing University, Xiamen University, Southeast University, Lanzhou University, Dalian University of Technology, Harbin Institute of Technology, Jilin University, Shandong University, Zhejiang University, Central South University, Zhengzhou University, Peking University, Beijing University of Posts and Telecommunications, Beihang University, Fudan University, Tongji University, Tsinghua University

Slide 115: IPv6 myths
  - It's more secure
    - No, except that e2e IPsec should be possible
    - Higher-layer security must not be impacted by IP version
  - It has better QoS
    - No, except that e2e addressing makes QoS management a bit easier
  - It enables VoIP
    - No, but e2e addresses simplify being "always on" for incoming calls
  - Big addresses solve the routing problem
    - No, the routing problem is identical to IPv4
    - But better aggregation, simplified renumbering

Slide 116: IETF hot topics
  - Multihoming
  - Address allocation
  - DNS discovery
  - 3GPP use of IPv6
  - Mobile IPv6
  - Scoped addressing
  - Flow labels
  - API issues
  - Site renumbering
  - Address privacy
  - DNS deployment
  - Inter-domain multicast
  - AAA
  - Transition
  - DNS development
  - Anycast

Slide 117: For more information
  - /html.charters/ipngwg-charter.html
  - /html.charters/ngtrans-charter.html
  - /ipv6/
  - /ngtrans/

For more information
  - http:/www.ipv6.o
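The routing header example on slides 30 to 33 (S sends to D through A and B), worked through in code. This is an added example, not part of the original slides; it follows the type 0 routing header processing rules of RFC 2460, and the addresses and the names `Packet`, `build`, `process` and `trace` are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address


@dataclass
class Packet:
    src: IPv6Address
    dst: IPv6Address        # current IPv6 destination (next waypoint)
    addresses: list         # Address[1..n] carried in the routing header
    segments_left: int


def build(src, waypoints):
    """Sender: first waypoint goes in the IPv6 header, the rest in the routing header."""
    hops = [IPv6Address(w) for w in waypoints]
    return Packet(IPv6Address(src), hops[0], hops[1:], len(hops) - 1)


def process(pkt):
    """Processing at the node named in pkt.dst.

    Returns True if the packet is forwarded on, False if this node is the
    final destination. Raises ValueError for a header that must be discarded.
    """
    n = len(pkt.addresses)
    if pkt.segments_left == 0:
        return False
    if pkt.segments_left > n:
        raise ValueError("Segments Left larger than the address list")
    i = n - pkt.segments_left                 # slot of the next address to visit
    nxt = pkt.addresses[i]
    if nxt.is_multicast or pkt.dst.is_multicast:
        raise ValueError("multicast address in routing header")
    pkt.addresses[i] = pkt.dst                # swap: record the visited waypoint
    pkt.dst = nxt
    pkt.segments_left -= 1
    return True


def trace(src, waypoints):
    """Return the packet and (destination, addresses still to visit) per stage."""
    pkt = build(src, waypoints)
    n = len(pkt.addresses)
    stages = []
    while True:
        todo = [str(a) for a in pkt.addresses[n - pkt.segments_left:]]
        stages.append((str(pkt.dst), todo))
        if not process(pkt):
            return pkt, stages


# Constructed addresses from the documentation prefix 2001:db8::/32.
S, A, B, D = "2001:db8::5", "2001:db8:a::1", "2001:db8:b::1", "2001:db8:d::1"

if __name__ == "__main__":
    for dst, todo in trace(S, [A, B, D])[1]:
        print(f"src={S} dst={dst} still to visit={todo}")
```

The source address stays S at every stage, and D only reaches the IPv6 destination field at the last waypoint, so a filter that matches on the destination field alone never sees D until then. The type 0 routing header modelled here was later deprecated by RFC 5095.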
