《大中华区产品经理》PPT课件.ppt

Solaris 8 IPv6,鄧偉文 大中華區產品經理 昇陽電腦,IPv6 Overview Transitioning to IPv6 Philosophy and requirements Transition tools Scenarios API transition - porting socket applications Solaris 8 Configuration and Use,Outline,Enough address space for new Internet devices! Plug & play (auto configuration, renumbering) IP level security from day one IP multicast from day one Traffic class field for differentiated service Flow label for more efficient handling of reserved QoS Efficient IP mobility support Neighbor Discovery (ARP+) for autoconfig and improved robustness,New IPv6 Features,Unicast addresses Global addresses Now uses prefix-based hierarchical allocation (CIDR) Private IP address space (RFC 1918) Multicast addresses Deliver to a group address Any host can join a group address and receive packets Anycast functionality possible using routing system Logical service implemented by multiple servers Anycast uses the routing system to deliver to one server Compare: Multicast would deliver to all servers,IPv4 Addressing,Larger addresses - 128 bits instead of 32 bits Multiple addresses required for hosts (new) Global addresses (hierarchical allocation) Site-local addresses (new - like IPv4 private addr) Isolate the internal traffic from external changes Link-local addresses (new) For booting and routing protocol traffic Multicast Includes scope information in IPv6 Anycast (formalized notion),IPv6 vs. IPv4 Addressing,Global address 3 bits 13 bits 32 bits 16 bits 64 bits 010 TLA NLA(s) Subnet Interface token Site local address 10 bits 38 bits 16 bits 64 bits 1111111011 0000 Subnet Interface token Link local address 10 bits 54 bits 64 bits 1111111010 0000 Interface token Multicast address 8 bits 4 4 112 bits 11111111 flags scope Group ID,IPv6 Address Formats,Recall IPv4 uses “dotted decimal” notation Each byte is in decimal e. g. 30 IPv6: colon separated hexadecimal 16-bit quantities FF02: 0: 0: 0: 0: 1: 200E: 8C6C (8 components) FF02: 1: 200E: 8C6C (“:” means all-zero components) IPv6 addresses containing IPv4: combination 0: 0: 0: 0: 0: ffff: 30 : ffff: 30 (compressed),Text Representation of Addresses,Transition Philosophy Requirements,Let sites and ISPs transition at their own pace No global coordination Minimize any dependencies during the transition Provide a multitude of “tools” Different sites might have different constraints Early adopters different than production users? Try to provide IPv6 benefits during transition Lack of IPv4 address and/ or features will drive transition Maintain 100% compatibility with installed base Protocols as well as applications,Dual stack approach Name service support (DNS, NIS, NIS+, LDAP) Tunneling across IPv4 routers See RFC 1933 and RFC 2529 Enables communication between IPv6-only devices and dual stack “servers”,Current Transition Tools,IPv6 hosts and routers support both IPv4 and IPv6 Interoperates with IPv4 and IPv6 The same applications and transport protocols run on both IP versions Upgrading from IPv4 to dual IPv4/ IPv6 does not break anything As part of regular new OS release Enable IPv6 and record IPv6 address in DNS to turn on the IPv6 features,Dual Stack Approach,Contains IPv6 addresses for hosts that support IPv6 Contains IPv4 addresses for hosts that support IPv4 Dual IPv4/ IPv6 nodes have both addresses IPv4 or IPv6 can used to reach the name server Returned information independent of the protocol used Add IPv6 address to name service when Node supports IPv6 The IPv6 address is configured in node Node is connected to the IPv6 “center” so that it can be reached using IPv6 from all IPv6 nodes that access that name service,Use of Name Service (DNS etc.),Use tunneling encapsulating IPv6 packets inside IPv4 to cross IPv4 clouds,“Bridging” IPv4 Routers,IPv6,From A to B,Data,IPv6,From A to B,Data,IPv4,From R1 to R2,From A to B,Data,Some IPv4 cloud,R,R,R,R1 v4/v6,R2 v4/v6,Start with name service upgrade Need DNS AAAA support (BIND 4.9.4 or later) Need “ipnodes” map/ table in NIS/ NIS+ Upgrade primary server as well as secondaries Separate zone for IPv6 nodes or same zone? Experimental - hosts only Incremental - one subnet at a time + internal tunnels Routers first - all routers then hosts No need for internal tunnels,Transition Scenarios,Host to host tunneling - no routers upgraded,Site “Experimental”,6bone,Tunnel IPv6 in IPv4,Tunnel IPv6 in IPv4,IPv4 host,IPv4/v6host,IPv4/v6host,IPv4,IPv4,IPv4 host,IPv4 host AAAA,DNS server,“Subnet at a time” plus internal tunnels,Site “Incremental“,Concrete Incremental Transition,1. Design subnet addressing plan 2. Upgrade DNS servers to BIND 4.9.4 or newer 3. Create “ipnodes” NIS/ NIS+ map 4. Upgrade one or more routers on a subnet 5. Connect these routers to “IPv6” core using tunnels 6. Upgrade one or more hosts on that subnet 7. Repeat 4, 5 and 6. 8. Incrementally remove tunnels when there is native connectivity between the routers,Future “Translating” Tools,Needed for IPv6-only to IPv4-only communication Could use Application Layer Gateways (proxies, mail relays) at IPv6/ IPv4 “boundary” (simple) An alternative is on-demand assignment of temporary IPv4 addresses to dual nodes (DSTM) Using DHCPv6 to acquire a short lease IPv4 address Triggered by host for outgoing communication Triggered by DNS server for incoming communication Or combined network address translation and protocol translation (NAT- PT) IPv4 to/from IPv6 translation plus NAT,Future Wide Area Transition,How to reach across the “backbone” with minimal configuration? Needed if ISPs dont support IPv6 soon enough Configured tunnels might be too labor intensive Currently one proposal: “6to4” Does not require explicit tunnels Embeds one IPv4 address of site in IPv6 addresses Still provides the site with 80 bits of address space Other proposals might be developed Perhaps using BGP to allow ISPs to provide policy for tunnel placement?,IPv6 Socket API Extensions,java. net and ONC RPC more transparent Unmodified programs continue to support IPv4 Modify programs to support both IPv4 and IPv6 About 10 to 15 lines of code changes Modifications to handle larger addresses struct sockaddr and sockaddr_ in are too small Use sockaddr_ storage structure for general addresses Opportunity to prepare for the future Internet Increase robustness by trying all IP addresses Avoid storing IP addresses (renumbering) More work for apps that send around IP addresses,The New IPv6 Socket API,Basic API (RFC 2553) From AF_INET to AF_INET6 From sockaddr_in to sockaddr_in6 From gethostbyname() to getaddrinfo() From gethostbyaddr() to getnameinfo() From inet_ntoa()/ inet_addr() to inet_ntop()/ inet_pton() From INADDR_ANY to in6addr_any Multicast support (IPPROTO_IP socket options) Advanced API (draft-ietf-ipngwg-rfc2292bis-*. txt) Source routing and other IP options/extensions Raw sockets (not TCP and UDP),Porting a Socket Client,Tries all addresses; Handles site local addresses IPv4 code IPv6/ IPv4 code int int myconnect( char *host, int port) myconnect( char *host, char *service) struct sockaddr_ in dest; struct addrinfo *res, *aip; int sock, ret; struct addrinfo hints; struct hostent *hp; int error; int s = -1; hp = gethostbyname( host); bzero( ,Minimal Porting of Socket Client,NOT recommended - does not handle site local addr IPv4 code IPv6/ IPv4 code int int myconnect( char *host, int port) myconnect( char *host,int port) struct sockaddr_ in dest; struct sockaddr_in6 dest; int sock, ret; int sock, ret; struct hostent *hp; struct hostent *hp; int errnum; hp = gethostbyname( host); hp= getipnodebyname( host, AF_ INET6, AI_ DEFAULT, ,Solaris 8 IPv6 Status,Protocol stack plus core applications TCP/ UDP/ IP, NFS, RPC telnet, ftp, r*, sendmail, etc NIS and NIS+ stores IPv6 addresses. Runs over IPv6. DNS stores IPv6 addresses. Does not run over IPv6. Basic transition tools (RFC 1933) Dual-stack with configured and automatic tunnels Future protocol pieces IPsec for IPv6, Mobile IPv6 Future applications JDK, snmpd, apache, iPlanet, etc,Solaris IPv6 API Tools,Code scrubber (string search in source code) See /solaris/ipv6/ Porting guide See http:/arachnid.eng/inet/ipv6/ migration/index.html Sun internal website (Future) “Library” to allow shrink- wrapped application binaries to use new APIs on old OS releases (Future) shared object to allow “lucky” applications to use IPv6 without a port Intended for “emergencies” - not to discourage porting,Enabling Solaris IPv6,touch /etc/ hostname6. le0 (for each interface) Install tool will ask “enable IPv6” question reboot (or re-init networking) ifconfig -a shows IPv6 address Manually put IPv6 addresses in DNS/ NIS/. Some day - secure dynamic DNS update Need public key infrastructure for this BINDv9 has much of what is needed,Enabling Solaris IPv6 Router,Cisco router is very similar In addition to the host/server steps Create /etc/inet/ndpd. conf containing subnet prefixes prior to rebooting Neighbor Discovery (in. ndpd) will tell the hosts their subnet address prefixes RIPng routing protocol (in.ripngd) is run automatically,Sample router ndpd. conf,# Send router advertisements out all NICs ifdefault AdvSendAdvertisements on # Advertise a global prefix and a # site local prefix on three interfaces. # 0x9255 = 192.146.85 prefix 2: 0: 0: 9255: 0/64 hme0 prefix fec0: 0: 0: 9255: 0/64 hme0 # 0x9256 = 192.146.86 prefix 2: 0: 0: 9256: 0/64 hme1 prefix fec0: 0: 0: 9256: 0/64 hme1 # 0x9259 = 192.146.89 prefix 2: 0: 0: 9259: 0/64 hme2 prefix fec0: 0: 0: 9259: 0/64 hme2,Configuring a Tunnel,Tunnel IPv6 in IPv4 for transition purposes between two (Solaris) routers In /etc/ hostname6. ip. tun0 on 0: tsrc 0 tdst 5 up addif 3ff2:8191:2d1e 3ff2:8192: 1e2d up Plus inverse configured on 5,Diagnostics,ifconfig -a shows all interfaces ifconfig -a4/ ifconfig -a6 shows subset netstat shows all netstat -f inet/ netstat -f inet6 to see one of them netstat -sa shows per interface IPv6/ ICMPv6 counters /etc/ default/ inet_ type can force ifconfig and netstat to only display IPv4 compatible output snoop ip6 shows all IPv6 packets ping -a will try all addresses (IPv6 and IPv4) traceroute -a will try all addresses,Daemons,/usr/ lib/ inet/ in. ndpd performs part of the Neighbor Discovery protocol On router used to send Router Advertisements as specified in /etc/ inet/ ndpd. conf On host receives Router Advertisements and configures IPv6 addresses, subnet prefixes, etc (no ndpd. conf is needed on a host) “ARP” and redirect functionality is in the kernel /usr/ lib/ inet/ in. ripngd runs the IPv6 version of RIP (I