Security Technology Seminar: Introduction to IPv6/IPv4 Transition Techniques

Introduction

Transition mechanisms planned by the IETF NGtrans working group

Comparison of transition mechanisms

Name | Connectivity | Type | Location
Dual stack | 4-to-4 over 4, 6-to-6 over 6 | Dual stack | In a single ES or ND
SIIT | 6-to-4, 4-to-6 | Translation | In a single ES or ND
Bump-in-the-Stack (BIS) | 4-to-6 | Translation | In a single ES
Bump-in-the-API (BIA) | 4-to-6 | Translation | In a single ES
NAT-PT | 6-to-4, 4-to-6 | Translation | In a single ND
MTP | 4-to-6, 4-to-6 (multicast) | Translation | In a single ND
TRT | 6-to-4 | Translation | In a single ND
SOCKS64 | 4-to-6, 4-to-6 | Translation | Between ES and ND
6over4 | 6-to-6 over 4 | Tunnel | Between ES and ND
ISATAP | 6-to-6 over 4 | Tunnel | Between ES and ND
DSTM | 4-to-4 over 6 | Tunnel | Between ES and ND
Configured IP-in-IP | 6-to-6 over 4, 4-to-4 over 6 | Tunnel | Between ES and ND, two NDs, or two ESs
6to4 | 6-to-6 over 4 | Tunnel | Between two NDs
IPv4/IPv6 Dual Stack Mechanism

Simple dual stack: RFC 1933, superseded by RFC 2893 (Standard). A dual stack node runs in one of three modes:
- IPv4 stack enabled, IPv6 stack disabled (an IPv4-only node)
- IPv6 stack enabled, IPv4 stack disabled (an IPv6-only node)
- both the IPv4 and the IPv6 stack enabled (the node switches between them by configuration)

Simple dual stack plus tunneling: IPv4/IPv6 dual stack (RFC 1933), 6over4, 6to4 (RFC 3056) and the Tunnel Broker (RFC 3053) carry IPv6 traffic across the existing IPv4 infrastructure.

Dual Stack Transition Mechanism (DSTM)

DSTM ensures that IPv4 applications can keep working on an IPv6 network (draft-ietf-ngtrans-dstm-08.txt).
DSTM operation

When an IPv6 node needs to communicate with an IPv4 node it first obtains a temporary IPv4 address, provided by the DSTM server. The temporary address is assigned through DNS and DHCPv6 working together, and the node's IPv4 packets are carried to the DSTM gateway inside a dynamically created IPv4-in-IPv6 tunnel.

DSTM operation (v6 -> v4), on the IPv6 node:
1. An application on node A (IPv6) sends a packet to node C (IPv4).
2. Node A asks the DSTM server for an IPv4 source address.
3. The DSTM server replies with a temporary IPv4 address and the IPv6 address of the DSTM gateway (the tunnel endpoint).
4. Node A builds the IPv4 packet.

DSTM operation (v6 -> v4), at the DSTM gateway:
1. A tunnel from node A to node B (the gateway) is established and the IPv4 packet is sent inside an IPv6 packet.
2. Node B strips the IPv6 header and forwards the IPv4 packet to node C.
3. Node B records node A's IPv4 and IPv6 addresses and keeps the mapping in its routing table, so that replies from C can be tunnelled back to A.

Figure: DSTM deployment. Intranet of Company ABC (the DSTM routing domain) with a DHCPv6 server, a DNS server, IPv6/IPv4 host X (a DHCPv6 client with a dynamic tunnel interface) and a DSTM router; the IPv6/IPv4 DFZ and the global Internet with IPv4 hosts Y and Z.
- Host X obtains an IPv4-mapped address and the tunnel endpoint (TEP) of the DSTM router from the DHCPv6 server.
- Host X can now communicate over IPv4 with hosts Y and Z end-to-end.

Figure: DSTM with port range. Same topology.
- Host X obtains an IPv4-mapped address, a port range, and the TEP of the DSTM router from the DHCPv6 server.
- Host X can now communicate over IPv4 with hosts Y and Z end-to-end.
- The DSTM router can now use a single IPv4 address for multiple IPv6/IPv4 hosts within the DSTM routing domain, each host using its own port range.
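The two step lists above describe what node A and the DSTM gateway each do with a packet. The following is an added example, not code from the slides or from any DSTM implementation: it builds the IPv4 packet of step 4, wraps it in the IPv6 tunnel header (Next Header 4), and models the gateway's decapsulation and the mapping it learns in step 3. All addresses, the lease table and the constructed UDP payload are assumptions for the example. The gateway also checks that the inner IPv4 source is the temporary address the DSTM server actually leased to the sending IPv6 node; a gateway that skips this check lets any node inside the domain send IPv4 packets from another node's temporary address.

```python
import ipaddress
import struct

# Constructed sample addresses for the DSTM exchange (assumed, not from the slides).
NODE_A = ipaddress.IPv6Address("2001:db8:1::a")    # IPv6-only node A
GATEWAY = ipaddress.IPv6Address("2001:db8::1")     # DSTM gateway B, the tunnel endpoint (TEP)
TEMP_V4 = ipaddress.IPv4Address("10.1.1.5")        # temporary IPv4 address the DSTM server leased to A
OTHER_V4 = ipaddress.IPv4Address("10.1.1.6")       # a temporary address NOT leased to A
HOST_C = ipaddress.IPv4Address("192.0.2.9")        # IPv4-only node C

NEXT_HEADER_IPV4 = 4   # IPv6 Next Header value for an encapsulated IPv4 packet


def _checksum(data):
    """16-bit one's complement checksum for the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src4, dst4, proto, payload):
    """Step 4 on node A: a minimal IPv4 header (no options, DF set) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      proto, 0, src4.packed, dst4.packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload


def encapsulate(v4_packet, src6, dst6):
    """The dynamic tunnel: wrap an IPv4 packet in an IPv6 header with Next Header = 4."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(v4_packet), NEXT_HEADER_IPV4, 64,
                      src6.packed, dst6.packed)
    return hdr + v4_packet


class DstmGateway:
    """Node B: decapsulates towards IPv4 and re-encapsulates replies using the learned mapping."""

    def __init__(self, own6, leases):
        self.own6 = own6
        self.leases = dict(leases)   # IPv6 node -> temporary IPv4 address, as leased by the DSTM server
        self.mapping = {}            # temporary IPv4 address -> IPv6 node (step 3 at the gateway)

    def from_tunnel(self, v6_packet):
        """Return the inner IPv4 packet to forward to C, or None if the packet must be dropped."""
        _vtf, plen, nh, _hlim = struct.unpack("!IHBB", v6_packet[:8])
        src6 = ipaddress.IPv6Address(v6_packet[8:24])
        if nh != NEXT_HEADER_IPV4 or ipaddress.IPv6Address(v6_packet[24:40]) != self.own6:
            return None
        inner = v6_packet[40:40 + plen]
        inner_src4 = ipaddress.IPv4Address(inner[12:16])
        # The inner IPv4 source must be the address leased to this IPv6 node (anti-spoofing check).
        if self.leases.get(src6) != inner_src4:
            return None
        self.mapping[inner_src4] = src6
        return inner

    def to_tunnel(self, v4_packet):
        """Return the IPv6-encapsulated reply for the node that owns the destination, or None."""
        dst4 = ipaddress.IPv4Address(v4_packet[16:20])
        node6 = self.mapping.get(dst4)
        if node6 is None:
            return None
        return encapsulate(v4_packet, self.own6, node6)


if __name__ == "__main__":
    gw = DstmGateway(GATEWAY, {NODE_A: TEMP_V4})
    pkt4 = build_ipv4(TEMP_V4, HOST_C, 17, b"\x04\xd2\x00\x35\x00\x0d\x00\x00hello")  # constructed UDP
    forwarded = gw.from_tunnel(encapsulate(pkt4, NODE_A, GATEWAY))
    print("forwarded to C:", forwarded == pkt4, "mapping:", gw.mapping)
    print("reply tunnelled to A:", gw.to_tunnel(build_ipv4(HOST_C, TEMP_V4, 17, b"reply")) is not None)
```

The mapping is learned from the first decapsulated packet, as step 3 describes; with the port-range extension of the later slides the gateway key would be (temporary IPv4 address, port range) instead of the bare address.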
Figure: DSTM with 6to4. Same topology, with a 6to4 dynamic interface on host X and a modem bank in front of the DSTM router.
- Host X obtains an IPv4-mapped address and a port range only. No TEP is needed, because the 6to4 address is used to reach the DSTM router.

Figure: packet flow for DSTM over 6to4 (addresses as written on the slide; 2002:100.0.0.1::2:2 is slide shorthand for the 6to4 address derived from the router's IPv4 address 100.0.0.1).
- Dual stack node: temporary IPv4 address 100.0.1.1 and 6to4 address 2002:100.0.0.1::2:2, obtained via DHCPv6 + DSTM.
- IPv4-only node: 200.4.5.6.
- Outbound: the node builds IPv4 SA=100.0.1.1 DA=200.4.5.6, encapsulates it in IPv6 SA=2002:100.0.0.1::2:2 DA=2002:200.4.5.6:: and sends it across the IPv6-only routing domain; the DSTM router (IPv4 100.0.0.1) removes the IPv6 header and forwards IPv4 SA=100.0.1.1 DA=200.4.5.6 onto the IPv4 Internet.
- Return: the IPv4 reply SA=200.4.5.6 DA=100.0.1.1 reaches the DSTM router, which looks up 100.0.1.1 = 2002:100.0.0.1::2:2 in its mapping table and tunnels it back as IPv6 SA=2002:200.4.5.6:: DA=2002:100.0.0.1::2:2.

DSTM server mechanisms and extensions: IPv4 query to an IPv6-only address
Figure: same topology with a combined DHCPv6 + DNS server.
- Hosts Y and Z can now do a DNS lookup for host X even though X has only an IPv6 address.
- The DNS query from Y or Z goes to the DSTM server.
- The DSTM server assigns host X an IPv4 address and returns that address to Y or Z.

Figure: DSTM in 3G and WLAN networks. SIIT-M WLAN/3G hosts, a router/gateway, IPv6 network services, and an IPv4 network with IPv4 host Y.
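The 6to4 flow above writes the node's address as 2002:100.0.0.1::2:2, a shorthand for the real encoding, in which the router's IPv4 address is placed in bits 16..47 of the 2002::/16 prefix. The following added example (not code from the slides or from any 6to4 implementation) derives the 6to4 prefix and host address from the slide's 100.0.0.1, recovers the embedded IPv4 address, picks the outer IPv4 next hop, and performs the consistency checks a 6to4 router or relay should make before it forwards a decapsulated packet, of the kind discussed in the 6to4 security analysis (RFC 3964): the IPv4 address embedded in a 6to4 source must equal the outer IPv4 source, and a 6to4 destination must be one's own. The relay anycast address 192.88.99.1 is the RFC 3068 value (since deprecated); the check list is the example's own.

```python
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")   # 6to4 relay anycast, RFC 3068 (deprecated)


def sixto4_prefix(v4):
    """2002:WWXX:YYZZ::/48 for the IPv4 address W.X.Y.Z (RFC 3056 section 2)."""
    v4 = ipaddress.IPv4Address(v4)
    return ipaddress.IPv6Network((int(SIXTO4.network_address) | (int(v4) << 80), 48))


def sixto4_address(v4, subnet_id, iid):
    """A host address inside the site's /48: prefix, 16-bit subnet id, 64-bit interface id."""
    base = int(sixto4_prefix(v4).network_address)
    return ipaddress.IPv6Address(base | ((subnet_id & 0xFFFF) << 64) | (iid & (2 ** 64 - 1)))


def embedded_ipv4(v6):
    """The IPv4 address carried in bits 16..47 of a 6to4 address."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in SIXTO4:
        raise ValueError("%s is not a 6to4 address" % v6)
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def next_hop_ipv4(dst6):
    """Outer IPv4 destination for an IPv6 packet leaving a 6to4 site:
    the embedded address for 2002::/16 destinations, otherwise a 6to4 relay."""
    dst6 = ipaddress.IPv6Address(dst6)
    return embedded_ipv4(dst6) if dst6 in SIXTO4 else RELAY_ANYCAST


def _bad_ipv4(a):
    return (a.is_private or a.is_loopback or a.is_link_local or a.is_multicast
            or a.is_reserved or a.is_unspecified)


def _bad_ipv6(a):
    return (a.is_loopback or a.is_link_local or a.is_multicast or a.is_unspecified
            or a.ipv4_mapped is not None)


def accept_from_ipv4(outer_src4, inner_src6, inner_dst6, my_v4):
    """Decide whether a 6to4 router/relay may forward the IPv6 packet found inside an
    IPv4 protocol-41 packet. Returns (accepted, reason)."""
    outer_src4, my_v4 = ipaddress.IPv4Address(outer_src4), ipaddress.IPv4Address(my_v4)
    inner_src6, inner_dst6 = ipaddress.IPv6Address(inner_src6), ipaddress.IPv6Address(inner_dst6)
    if _bad_ipv4(outer_src4):
        return False, "outer IPv4 source is not a public unicast address"
    if _bad_ipv6(inner_src6):
        return False, "inner IPv6 source is not a global unicast address"
    # A 6to4 source must have been sent by the router whose IPv4 address it embeds.
    if inner_src6 in SIXTO4 and embedded_ipv4(inner_src6) != outer_src4:
        return False, "embedded IPv4 address of the inner source does not match the outer source"
    # A 6to4 destination must be this router's own site; relaying to other 6to4 sites
    # over IPv4 would turn the router into an open reflector.
    if inner_dst6 in SIXTO4 and embedded_ipv4(inner_dst6) != my_v4:
        return False, "inner destination belongs to another 6to4 site"
    return True, "ok"


if __name__ == "__main__":
    print(sixto4_prefix("100.0.0.1"), sixto4_address("100.0.0.1", 0, 0x20002))
    print(accept_from_ipv4("100.0.0.1", sixto4_address("100.0.0.1", 0, 0x20002),
                           "2002:c804:506::1", "200.4.5.6"))
```

With the slide's numbers, 100.0.0.1 gives the /48 2002:6400:1::/48 and the node address 2002:6400:1::2:2; the destination 2002:200.4.5.6:: of the slide is 2002:c804:506:: in the same notation.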
Figure: end-to-end communications from a tower / access point to IPv4 services.

DSTM application: roaming scenario
Giving IPv4 addresses to visitors can become expensive:
- the visited network offers IPv6 connectivity only;
- the home network offers the connection to the IPv4 world via DSTM.
Path: home network -> corporate intranet -> global Internet.

Interface listing on a BSD DSTM client: the 802.11 interface ed0 carries only IPv6 addresses, while the dynamic tunnel interface gif0 carries the temporary IPv4 address as a point-to-point link to the DSTM gateway:

    ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::200:c0ff:fe11:cba0%ed0 prefixlen 64 scopeid 0x1
        inet6 3ffe:305:1002:4:200:c0ff:fe11:cba0 prefixlen 64
        inet6 2001:660:282:4:200:c0ff:fe11:cba0 prefixlen 64
        ether 00:00:c0:11:cb:a0
    gif0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1280
        inet6 fe80::200:c0ff:fe11:cba0%gif0 --> :: prefixlen 64
        inet 192.108.119.197 --> 192.108.119.199 netmask 0xffffffff
        physical address inet6 3ffe:305:1002:4:200:c0ff:fe11:cba0 --> 3ffe:305:1002:1:200:c0ff:fe85:cba0

Implementations
- BSD (INRIA): DSTM gateway, DSTM server (RPC), client with manual and dynamic configuration
- BSD (KAME): client, manual configuration
- Linux: client, manual configuration
- Windows: unknown
DSTM freeware software

Tunnel Mechanisms

Tunnel packet format

Tunnel protocol operation

Tunnel mechanisms, by how the tunnel is set up:
- manually configured
- semi-automated
- automated
Tunnel mechanism: manual configuration

Tunnel mechanism: automatic configuration

6over4 tunnel packet format

6over4 tunnel mechanism

6to4 automatic tunnel mechanism
6to4 packet format

6to4 automatic tunnel mechanism: interface

6to4 automatic tunnel mechanism: routing table

Tunnel Broker mechanism

Tunnel broker operation:
1) The user contacts the tunnel broker and registers (registration procedure).
2) The user contacts the tunnel broker again and provides the user endpoint information (IPv4 address, operating system, supporting software, and so on).
3) The tunnel broker configures the network endpoint (tunnel server), the DNS server and the user endpoint.
4) The tunnel is set up and the user can connect directly to the IPv6 network.
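The four steps above are, on the broker side, a registration table, an address allocation, and a generated configuration. The following added example (not code from the slides or from any tunnel broker implementation) models that bookkeeping: step 1 registers a user, step 2 validates the user's IPv4 endpoint and allocates a point-to-point /64 plus a delegated /48, step 3 produces the client-side Linux `ip` commands and the AAAA record the broker publishes, and step 4 is represented by the tunnel server's ingress rule, which only decapsulates protocol-41 packets that arrive from a registered endpoint and carry an IPv6 source inside that user's allocation. The server address, address pools, DNS zone name and Linux-only script are assumptions of the example.

```python
import ipaddress


def _public_ipv4(a):
    return not (a.is_private or a.is_loopback or a.is_link_local or a.is_multicast
                or a.is_reserved or a.is_unspecified)


class TunnelBroker:
    """Broker-side state for the registration procedure. Assumed values: tunnel server
    192.0.2.1, link pool 2001:db8:ffff::/48 (cut into /64s), user pool 2001:db8::/40 (cut into /48s)."""

    def __init__(self, server_v4, link_pool, user_pool, zone="tb.example.net"):
        self.server_v4 = ipaddress.IPv4Address(server_v4)
        self._links = ipaddress.IPv6Network(link_pool).subnets(new_prefix=64)
        self._prefixes = ipaddress.IPv6Network(user_pool).subnets(new_prefix=48)
        self.zone = zone
        self.users = set()     # step 1 (credentials are out of scope here)
        self.tunnels = {}      # username -> tunnel record

    def register(self, username):
        self.users.add(username)

    def request_tunnel(self, username, client_v4, os_name):
        """Step 2: the user supplies its endpoint; the broker validates it and allocates addresses."""
        if username not in self.users:
            raise PermissionError("unregistered user")
        client_v4 = ipaddress.IPv4Address(client_v4)
        # The tunnel server will send IPv6-in-IPv4 to this address and accept it from there,
        # so it must be a public unicast address, not a private, multicast or reserved one.
        if not _public_ipv4(client_v4):
            raise ValueError("client endpoint must be a public unicast IPv4 address")
        if username in self.tunnels:
            return self.tunnels[username]
        link = next(self._links)
        record = {
            "client_v4": client_v4, "server_v4": self.server_v4,
            "link": link, "server_v6": link[1], "client_v6": link[2],
            "prefix": next(self._prefixes), "os": os_name,
            "fqdn": "%s.%s" % (username, self.zone),
        }
        self.tunnels[username] = record
        return record

    def client_script(self, username):
        """Step 3: the script the broker hands back to configure the user endpoint."""
        r = self.tunnels[username]
        if r["os"] != "linux":
            raise NotImplementedError("only a Linux script is shown in this example")
        return "\n".join([
            "ip tunnel add tb0 mode sit remote %s local %s ttl 64" % (r["server_v4"], r["client_v4"]),
            "ip link set tb0 up",
            "ip addr add %s/64 dev tb0" % r["client_v6"],
            "ip route add ::/0 dev tb0",
        ])

    def dns_records(self, username):
        """Step 3: DNS entry the broker publishes for the user endpoint."""
        r = self.tunnels[username]
        return [(r["fqdn"], "AAAA", str(r["client_v6"]))]

    def server_accepts(self, outer_src4, inner_src6):
        """Tunnel-server ingress rule: decapsulate only from a registered endpoint, and only
        if the inner IPv6 source lies in that user's link or delegated prefix."""
        outer_src4 = ipaddress.IPv4Address(outer_src4)
        inner_src6 = ipaddress.IPv6Address(inner_src6)
        for r in self.tunnels.values():
            if r["client_v4"] == outer_src4:
                return inner_src6 in r["link"] or inner_src6 in r["prefix"]
        return False


if __name__ == "__main__":
    tb = TunnelBroker("192.0.2.1", "2001:db8:ffff::/48", "2001:db8::/40")
    tb.register("alice")
    tb.request_tunnel("alice", "100.0.1.1", "linux")
    print(tb.client_script("alice"))
    print(tb.dns_records("alice"))
```

The ingress rule is what limits the "potential security implication" the comparison table later attributes to tunnel brokers: without it the tunnel server would decapsulate and forward IPv6 packets from any IPv4 host on the Internet.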
Tunnel broker operation (1)

Tunnel Broker implementation

Tunnel broker operation (2)

Tunnel broker services
Tunnel Broker mechanism: scripts and parameters

Tunnel Broker mechanism: interface

Tunnel Broker mechanism: routing table

Application characteristics of the tunnel mechanisms

Tunnel mechanism | Primary use | Limitations | Requirements
Configured tunnel | Stable and secure links for regular communication | Tunnel between two points only; large management overhead | ISP-registered IPv6 address; dual-stack router
6to4 tunnel | Connection of multiple remote domains; frequent communication | No independently managed NAT; limit on the number of tunnels supported by the 6to4 router | 6to4 prefix (2002::/16); dual-stack router
Tunnel broker | Standalone isolated end systems | Potential security implications | The tunnel broker service must know how to create and set up a script for the client

Figure: latency analysis of the tunnel mechanisms. Average transmission time (ms, scale 125 to 250) versus packet size (64 to 1024 bytes) for 6to4, configured tunnel and tunnel broker.

Figure: throughput analysis of the tunnel mechanisms. Throughput (Kbps, scale 5 to 75) versus packet size (128 to 1024 bytes) for 6to4, configured tunnel and tunnel broker.
CPU utilization analysis of the tunnel mechanisms

Packet loss analysis of the tunnel mechanisms

Performance indicators for tunnel-based mechanisms

Address and Protocol Translation Mechanisms

Protocol translation on the network side. Mechanisms covered:
- Network Address Translation - Protocol Translation (NAT-PT)
- TCP-UDP relay
- Bump-in-the-Stack (BIS)
- SOCKS-based IPv6/IPv4 gateway
Stateless IP/ICMP Translation (SIIT) algorithm

NAT-PT mechanism (4 -> 6)

NAT-PT mechanism (6 -> 4)

TCP-UDP relay mechanism

TCP-UDP relay operation

BIS mechanism
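SIIT (RFC 2765) rewrites the IP header statelessly: an IPv4 host appears to IPv6 nodes as the IPv4-mapped address ::ffff:a.b.c.d, the IPv6 node uses the IPv4-translated address ::ffff:0:a.b.c.d for its temporary IPv4 address, and because the UDP/TCP pseudo-header changes with the address family the transport checksum must be recomputed (an IPv4 UDP datagram may carry a zero checksum, an IPv6 one may not). The following added example, not code from the slides or from any SIIT or NAT-PT implementation, translates a constructed IPv4/UDP datagram to IPv6 and back, recomputing checksums and handling the two failure modes a translator must not ignore: fragments, which would need an IPv6 Fragment header, and an expiring TTL. Only UDP without IPv4 options is handled; ICMP and TCP translation follow the same pattern but are not shown. The sample addresses are assumptions.

```python
import ipaddress
import struct

UDP = 17


def ones_complement_sum(data):
    """16-bit one's complement sum used by the IP, UDP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def _pseudo_header(src, dst, length):
    if src.version == 6:
        return src.packed + dst.packed + struct.pack("!I3xB", length, UDP)
    return src.packed + dst.packed + struct.pack("!xBH", UDP, length)


def _with_udp_checksum(src, dst, udp):
    """Recompute the UDP checksum over the pseudo-header of the given address family."""
    c = (~ones_complement_sum(_pseudo_header(src, dst, len(udp)) + udp[:6] + b"\x00\x00" + udp[8:])) & 0xFFFF
    return udp[:6] + struct.pack("!H", c or 0xFFFF) + udp[8:]   # a computed zero is sent as all ones


def mapped(v4):        # ::ffff:a.b.c.d - how an IPv4 node is seen from IPv6
    return ipaddress.IPv6Address((0xFFFF << 32) | int(ipaddress.IPv4Address(v4)))


def translated(v4):    # ::ffff:0:a.b.c.d - the IPv6 node's address for its temporary IPv4 address
    return ipaddress.IPv6Address((0xFFFF << 48) | int(ipaddress.IPv4Address(v4)))


def embedded_v4(v6):
    if int(v6) >> 32 not in (0xFFFF, 0xFFFF << 16):
        raise ValueError("%s is neither IPv4-mapped nor IPv4-translated" % v6)
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def addresses(pkt):
    if pkt[0] >> 4 == 6:
        return ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
    return ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])


def udp_checksum_ok(pkt):
    src, dst = addresses(pkt)
    udp = pkt[40:] if src.version == 6 else pkt[(pkt[0] & 0xF) * 4:]
    return ones_complement_sum(_pseudo_header(src, dst, len(udp)) + udp) == 0xFFFF


def _ipv4_header(src4, dst4, ttl, payload_len):
    # No options, identification 0, DF set (what RFC 2765 produces when no Fragment header is present).
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, UDP, 0,
                      src4.packed, dst4.packed)
    return hdr[:10] + struct.pack("!H", (~ones_complement_sum(hdr)) & 0xFFFF) + hdr[12:]


def build_v4_udp(src4, dst4, sport, dport, data, ttl=64):
    """Constructed sample input (not a capture): an IPv4/UDP datagram with valid checksums."""
    src4, dst4 = ipaddress.IPv4Address(src4), ipaddress.IPv4Address(dst4)
    udp = _with_udp_checksum(src4, dst4, struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data)
    return _ipv4_header(src4, dst4, ttl, len(udp)) + udp


def translate_4to6(pkt):
    ver_ihl, _tos, total, _ident, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl != 0x45:
        raise ValueError("expected an IPv4 header without options")
    if flags_frag & 0x3FFF:          # MF set or non-zero offset
        raise NotImplementedError("fragments need an IPv6 Fragment header; not handled here")
    if proto != UDP:
        raise NotImplementedError("only UDP is translated in this example")
    if ttl <= 1:
        raise ValueError("TTL expired: a translator would send ICMP Time Exceeded instead")
    src4, dst4 = addresses(pkt)
    src6, dst6 = mapped(src4), translated(dst4)
    udp = _with_udp_checksum(src6, dst6, pkt[20:total])
    # The translator forwards as a router, so the hop limit is the TTL decremented by one.
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(udp), UDP, ttl - 1, src6.packed, dst6.packed)
    return hdr + udp


def translate_6to4(pkt):
    vtf, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError("expected an IPv6 header")
    if nh != UDP:
        raise NotImplementedError("only UDP is translated in this example")
    if hlim <= 1:
        raise ValueError("hop limit expired")
    src6, dst6 = addresses(pkt)
    src4, dst4 = embedded_v4(src6), embedded_v4(dst6)
    udp = _with_udp_checksum(src4, dst4, pkt[40:40 + plen])
    return _ipv4_header(src4, dst4, hlim - 1, len(udp)) + udp
```

NAT-PT (RFC 2766) applies the same header translation but replaces the stateless address mapping with a NAT-style binding table, which is why it can use a pool of ordinary IPv4 addresses instead of IPv4-translated ones.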
BIS protocol modules

BIA protocol modules: IPv4 applications call the IPv4 socket API; underneath sits the socket API (IPv4, IPv6), with a name resolver, an address mapper and a function mapper in between, and the network card at the bottom.

SOCKS-based IPv6/IPv4 gateway operation

References
[1] S. Deering and R. Hinden, Internet Protocol, Version 6 (IPv6) Specification, IETF RFC 2460, December 1998.
[2] J. Davies, Introduction to IP Version 6, Microsoft, February 2002.
[3] IPv6 - Enabling the Mobile Internet, White Paper 10878, Nokia, Finland, 2000.
[4] P. Srisuresh and M. Holdrege, IP Network Address Translator (NAT) Terminology and Considerations, IETF RFC 2663, August 1999.
[5] J. Wiljakka, Transition to IPv6 in GPRS and WCDMA Mobile Networks, IEEE Communications Magazine, Vol. 40, No. 4, pp. 134-140, April 2002.
[6] A. Durand, Deploying IPv6, IEEE Internet Computing, pp. 79-81, January/February 2001.
[7] D. Waddington and F. Chang, Realizing the Transition to IPv6, IEEE Communications Magazine, Vol. 40, No. 6, pp. 138-147, June 2002.
[8] A. Durand, P. Fasano, I. Guardini and D. Lento, IPv6 Tunnel Broker, IETF RFC 3053, February 2001.
[9] F. Templin, T. Gleeson, M. Talwar and D. Thaler, Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), IETF draft-ietf-ngtrans-isatap-04.txt, April 2002.
[10] R. Gilligan, Transition Mechanisms for IPv6 Hosts and Routers, IETF RFC 2893, August 2000.
[11] W. Biemolt, An Overview of the Introduction of IPv6 in the Internet, IETF draft-ietf-ngtrans-introduction-to-ipv6-transition-08.txt, February 2002.
[12] IPv6/IPv4 Coexistence and Migration, White Paper, Microsoft, Washington, November 2001.
[13] Transition to IPv6 in 2G and 3G Networks, White Paper 10832, Nokia, Finland, 2000.
[14] B. Carpenter and C. Jung, Transmission of IPv6 over IPv4 Domains without Explicit Tunnels, IETF RFC 2529, March 1999.
[15] W. Simpson, Neighbor Discovery for IP Version 6, IETF RFC 2461, December 1998.
[16] D. Meyer, Administratively Scoped IP Multicast, IETF RFC 2365, July 1998.
[17] T. Dunn, Marketplace: the IPv6 Transition, IEEE Internet Computing, Vol. 6, No. 3, pp. 11-13, May/June 2002.
[18] B. Carpenter and K. Moore, Connection of IPv6 Domains via IPv4 Clouds, IETF RFC 3056, February 2001.
[19] J. Bound, L. Toutain, O. Medina, H. Afifi and A. Durand, Dual Stack Transition Mechanism (DSTM), IETF draft-ietf-ngtrans-dstm-08.txt, July 2002.
[20] E. Nordmark, Stateless IP/ICMP Translation Algorithm (SIIT), IETF RFC 2765, February 2000.
[21] K. Tsuchiya, H. Higuchi and Y. Atarashi, Dual Stack Hosts Using the "Bump-In-the-Stack" Technique (BIS), IETF RFC 2767, February 2000.
[22] S. Lee, M.-K. Shin, Y.-J. Kim, E. Nordmark and A. Durand, Dual Stack Hosts Using "Bump-in-the-API" (BIA), IETF RFC 3338, October 2002.
[23] G. Tsirtsis and P. Srisuresh, Network Address Translation - Protocol Translation (NAT-PT), IETF RFC 2766, February 2000.