3. IPv6 - advanced functionalities II.
PA159: Net-Centric Computing I.
Eva Hladká, Faculty of Informatics, Masaryk University, Autumn 2010

Lecture overview
1) Path MTU discovery
2) IPv6 Mobility Support in Detail
   - Return Routability Procedure
3) IPv6 Security in Detail
   - General Security Practices
   - IPv6 - Security Support
4) IPv6 QoS Support in Detail
   - Integrated Services
   - Differentiated Services
   - QoS and IPv6
5) IPv6 Transition
   - Porting Applications
   - IPv6 and IPv4 Worlds' Interoperability
6) IPv6: Literature

Path MTU discovery
IPv6 Path MTU discovery
• only source devices decide on the correct size of fragments
  - routers can't fragment datagrams, only end nodes can!
  - if a datagram is too large for a router, it must drop the datagram
  - and send feedback about this occurrence back to the source (in the form of an ICMPv6 Packet Too Big message)
• Path MTU Discovery
  - a special technique used for determining what size of fragments should be used
  - uses the feedback mechanism provided by ICMPv6 Packet Too Big messages
  - the source node sends a datagram that has the MTU of its local physical link (it represents an upper bound on the MTU)
  - if this goes through without any errors, that value can be used for future datagrams to that destination
  - if it gets back any Packet Too Big messages, it tries again using a smaller datagram size (indicated in the Packet Too Big message)

IPv6 Path MTU discovery - The Schema
Figure: schema of IPv6 Path MTU discovery (image not reproduced).
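The source-side procedure described above, as an added example that is not part of the lecture: a path of link MTUs is constructed, routers drop and report instead of fragmenting, and the source shrinks its datagram size on each Packet Too Big until one gets through, then sizes its fragments accordingly.

```python
"""Path MTU discovery from the source's point of view, simulated over a path of
link MTUs. Added example, not from the lecture; the path and its MTUs are
constructed. The only standard constant used is the IPv6 minimum link MTU of
1280 bytes; fragment arithmetic uses the 40-byte IPv6 header and the 8-byte
Fragment extension header."""
import math

IPV6_MIN_MTU = 1280
IPV6_HEADER = 40
FRAGMENT_HEADER = 8


class PacketTooBig(Exception):
    """Stands in for the ICMPv6 Packet Too Big message: a router that cannot
    forward a datagram drops it and reports the MTU of the offending link."""

    def __init__(self, next_hop_mtu):
        super().__init__(f"Packet Too Big, next-hop MTU {next_hop_mtu}")
        self.next_hop_mtu = next_hop_mtu


def forward(path_mtus, datagram_size):
    """Routers never fragment: the first link too small for the datagram
    raises Packet Too Big back to the source. Returns True when delivered."""
    for link_mtu in path_mtus:
        if datagram_size > link_mtu:
            raise PacketTooBig(link_mtu)
    return True


def discover_path_mtu(path_mtus, local_link_mtu, max_attempts=16):
    """Start at the local link MTU (an upper bound), shrink to whatever each
    Packet Too Big reports, and stop at the first size that gets through.
    Returns (path_mtu, sizes_tried)."""
    size = local_link_mtu
    tried = []
    for _ in range(max_attempts):
        tried.append(size)
        try:
            forward(path_mtus, size)
            return size, tried
        except PacketTooBig as ptb:
            reported = ptb.next_hop_mtu
            if reported < IPV6_MIN_MTU:
                # Every IPv6 link must carry 1280 bytes, so a smaller report is
                # not acted on: the source settles on the minimum.
                return IPV6_MIN_MTU, tried
            if reported >= size:
                # A report that does not shrink the size would loop forever;
                # treat it as a bogus or stale message.
                raise RuntimeError(f"inconsistent Packet Too Big: {reported} >= {size}")
            size = reported
    raise RuntimeError("path MTU discovery did not converge")


def fragments_needed(payload_len, path_mtu):
    """How many datagrams the source must emit for a payload once it knows the
    path MTU: each fragment carries the IPv6 header, a Fragment header and a
    multiple of 8 octets of data (only the last fragment may be shorter)."""
    if payload_len + IPV6_HEADER <= path_mtu:
        return 1
    per_fragment = (path_mtu - IPV6_HEADER - FRAGMENT_HEADER) // 8 * 8
    return math.ceil(payload_len / per_fragment)


if __name__ == "__main__":
    mtu, tried = discover_path_mtu([1500, 1400, 1280], local_link_mtu=1500)
    print(f"path MTU {mtu} after trying {tried}; 4000-byte payload needs "
          f"{fragments_needed(4000, mtu)} fragments")
```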
IPv6 Mobility Support in Detail
IPv6 - Mobility Support I.
• main idea: even mobile devices are somewhere "at home"
  - i.e., their home network exists
• used addresses:
  - Home Address - a global unicast persistent address, through which a mobile node is always accessible (even when it is not in its home network)
  - Care-of Address - a global unicast address for the mobile node while it is in a foreign network (the address is based on the network where the host is currently located)
  - Correspondent Node (CN) - a peer node with which a mobile node is communicating
  - Home Agent (HA) - a router in the home network, through which the mobile node is always accessible; it receives datagrams destined to the mobile node and forwards them (via a tunnel) to it
• route optimization - direct communication of the mobile and correspondent nodes
  - serves to optimize the communication; it is not necessary (the communication might proceed through the home agent all the time)
IPv6 - Mobility Support II.
How it works
• as long as the mobile node is at home, it receives packets through the regular IP routing mechanism and behaves like any other host
• when the mobile node is away from the home network, it has an additional care-of address (received via a mechanism available in the foreign network)
• the association of home address and care-of address is called a binding
  - the mobile node registers its care-of address with a router on its home link (its Home Agent (HA))
• there are two ways for a correspondent node and a mobile node to communicate:
  - bidirectional tunneling - packets from the correspondent node are sent to the HA, which encapsulates them and sends them to the mobile node's care-of address (and vice versa)
  - route optimization - the communication between the mobile node and correspondent node can be direct, without the usage of the HA
    - the mobile node has to register its care-of address with the correspondent node, and
    - the binding has to be authorized through the Return Routability Procedure

IPv6 - Mobility Support II. - The schema
Figure: An illustration of home agent's functionality in IPv6.
Return Routability Procedure
IPv6 - Mobility Support II. - Return Routability Procedure
• the mobile node must prove to the correspondent node that it owns both the home address and the care-of address
  - but the mobile node does not share any secret with the correspondent node
  - initially performed using IPsec
  - however, there is no world-wide Public Key Infrastructure (PKI) available for the nodes
• Return Routability (RR) Procedure
  - RFC 3775
  - enables the correspondent node to obtain some reasonable assurance that the mobile node is in fact addressable at its claimed care-of address as well as at its home address
  - only when this has been successfully proven might the route optimization take place
  - reduces the risk of a security attack (a harmful node passing itself off as the mobile node)

Return Routability Procedure - the steps
1) MN sends a Home Test Init (HoTI) message via the HA to the CN (this message carries a Home Init Cookie)
   - this way the CN learns the home address of the MN
2) MN sends a Care-of Test Init (CoTI) message to the CN (this message carries a Care-of Init Cookie) - this is sent to the CN directly (not through the HA)
   - this way the CN learns the care-of address of the MN
3) CN replies to the Home Test Init message with a Home Test (HoT) message sent via the HA (this message carries the Home Init Cookie and the Home Nonce Index)
   - the MN can now generate a Home Keygen Token
4) CN replies to the Care-of Test Init message with a Care-of Test (CoT) message sent to the MN's care-of address (this message carries the Care-of Init Cookie and the Care-of Nonce Index)
   - the MN can now generate a Care-of Keygen Token
5) both the MN and the CN compute a 20-byte Management Key, which is used to secure the Binding Update messages
   - having the correct Management Key, the MN has proven that it is reachable both via its home and care-of addresses
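The five steps above, carried through for both sides as an added example (not from the lecture), following the token and key derivation of RFC 3775 (sections 5.2.5 and 5.2.6): the CN derives the keygen tokens from its secret Kcn and a nonce, the MN combines the two tokens into the 20-byte key, and a node whose claimed home address never receives the HoT ends up without the home token and cannot form the key. Addresses, nonces, cookies and Kcn are constructed sample values, and the messages are dicts rather than real packets.

```python
"""Return Routability key derivation for both sides of the exchange, following
RFC 3775 sections 5.2.5 and 5.2.6. Added example, not from the lecture. The
addresses, nonces, cookies and the CN's secret key Kcn are constructed sample
values; the message exchange is simulated with dicts instead of packets."""
import hashlib
import hmac
import ipaddress


def kbm(home_keygen_token: bytes, care_of_keygen_token: bytes) -> bytes:
    """Binding management key Kbm = SHA1(home keygen token | care-of keygen
    token): the 20-byte key that later protects the Binding Update."""
    return hashlib.sha1(home_keygen_token + care_of_keygen_token).digest()


class CorrespondentNode:
    """Keeps only a secret Kcn and a small table of nonces. Tokens are
    recomputed from (address, nonce) on demand, so the CN stores no per-mobile
    state until the binding has been proven."""

    def __init__(self, kcn: bytes, nonces: list):
        self.kcn = kcn
        self.nonces = nonces            # nonce index -> 64-bit nonce

    def keygen_token(self, address: str, nonce_index: int, kind: int) -> bytes:
        # First(64, HMAC_SHA1(Kcn, address | nonce | kind)); kind is 0 for the
        # home address and 1 for the care-of address
        packed = ipaddress.IPv6Address(address).packed
        data = packed + self.nonces[nonce_index] + bytes([kind])
        return hmac.new(self.kcn, data, hashlib.sha1).digest()[:8]

    def home_test(self, hoti: dict) -> dict:
        """HoT, answered towards the home address (i.e. via the HA)."""
        idx = len(self.nonces) - 1      # newest nonce
        return {"home_init_cookie": hoti["home_init_cookie"],
                "home_nonce_index": idx,
                "home_keygen_token": self.keygen_token(hoti["home_address"], idx, 0)}

    def care_of_test(self, coti: dict) -> dict:
        """CoT, answered directly to the care-of address."""
        idx = len(self.nonces) - 1
        return {"care_of_init_cookie": coti["care_of_init_cookie"],
                "care_of_nonce_index": idx,
                "care_of_keygen_token": self.keygen_token(coti["care_of_address"], idx, 1)}

    def binding_key(self, home_address, care_of_address, home_idx, care_of_idx) -> bytes:
        """Kbm as the CN re-derives it from the nonce indices echoed in a
        Binding Update; it never had to remember the tokens it handed out."""
        return kbm(self.keygen_token(home_address, home_idx, 0),
                   self.keygen_token(care_of_address, care_of_idx, 1))


class MobileNode:
    def __init__(self, home_address, care_of_address,
                 home_cookie=b"\x11" * 8, care_of_cookie=b"\x22" * 8):
        self.home_address = home_address
        self.care_of_address = care_of_address
        self.home_cookie = home_cookie
        self.care_of_cookie = care_of_cookie
        self.home_keygen_token = self.care_of_keygen_token = None
        self.home_nonce_index = self.care_of_nonce_index = None

    def hoti(self) -> dict:
        return {"home_address": self.home_address, "home_init_cookie": self.home_cookie}

    def coti(self) -> dict:
        return {"care_of_address": self.care_of_address, "care_of_init_cookie": self.care_of_cookie}

    def receive_hot(self, hot: dict):
        if hot["home_init_cookie"] != self.home_cookie:
            raise ValueError("HoT cookie mismatch: not a reply to our HoTI")
        self.home_keygen_token = hot["home_keygen_token"]
        self.home_nonce_index = hot["home_nonce_index"]

    def receive_cot(self, cot: dict):
        if cot["care_of_init_cookie"] != self.care_of_cookie:
            raise ValueError("CoT cookie mismatch: not a reply to our CoTI")
        self.care_of_keygen_token = cot["care_of_keygen_token"]
        self.care_of_nonce_index = cot["care_of_nonce_index"]

    def can_prove_binding(self) -> bool:
        return self.home_keygen_token is not None and self.care_of_keygen_token is not None

    def binding_key(self) -> bytes:
        if not self.can_prove_binding():
            raise RuntimeError("missing keygen token: HoT or CoT never arrived")
        return kbm(self.home_keygen_token, self.care_of_keygen_token)


def run_return_routability(mn: MobileNode, cn: CorrespondentNode, hot_reaches_mn=True) -> bool:
    """Drive the four messages. hot_reaches_mn=False models a node claiming a
    home address it cannot receive at: the HoT is sent to that address via the
    HA and never arrives, so the node lacks the home token and cannot form Kbm."""
    hot = cn.home_test(mn.hoti())          # HoTI via HA, HoT back via HA
    cot = cn.care_of_test(mn.coti())       # CoTI direct, CoT direct
    if hot_reaches_mn:
        mn.receive_hot(hot)
    mn.receive_cot(cot)
    return mn.can_prove_binding()
```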
IPv6 - Mobility Support III. - Home Agent Functionality
Home Agent:
• maintains a binding cache and a list of home agents
  - every router that sits on the same link and provides home agent services must be listed
• processes bindings
  - indicates the primary care-of address
  - processes care-of addresses' changes/removals
• tunnels received packets to the care-of address
• performs Neighbor Advertisements on behalf of the mobile node
• supports Home Agent Address Discovery
  - normally, mobile nodes are configured statically with a home agent's address
  - once a home agent is renumbered (or goes down and is replaced by another HA with a different IP), dynamic discovery of the HA's address takes place
  - Home Agent Address Discovery Request (sent using the home agents' anycast address) and Home Agent Address Discovery Reply messages
  - see details in the literature

Return Routability Procedure - the schema
Figure: schema of the Return Routability Procedure (image not reproduced).

IPv6 Security in Detail
General Security Practices
General Security Practices I.
• standard network security practices involve two "triads" of thought, CIA and AAA
• Confidentiality:
  - stored or transmitted information cannot be read or altered by an unauthorized party
• Integrity:
  - any alteration of transmitted or stored information can be detected
• Availability:
  - the information in question is readily accessible to authorized users at all times

General Security Practices II.
• Authentication:
  - ensuring an individual or group is who they say they are (the act of verifying a claimed identity)
• Authorization:
  - ensuring that the authenticated user or group has the proper rights to access the information they are attempting to access
• Accounting:
  - the act of collecting information on resource usage (e.g., a log)
• Nonrepudiation:
  - not included in the CIA/AAA triads
  - means that a specific action (such as sending, receiving, or deleting information) cannot be denied by any of the parties involved

General Security Practices III.
• the security requirements need to be provided by two basic security elements:
  - encryption - to provide confidentiality
  - secure checksums - to provide integrity
  - suitable combinations of both may be used to provide more complex services like authenticity and nonrepudiation
• there are two forms of encryption commonly used:
  - Secret Key Cryptography (Symmetric Cryptography) - sender and recipient have to agree on a shared secret
  - Public Key Cryptography (Asymmetric Cryptography) - the encryption algorithm uses a key pair consisting of a public and a private key
• message digest (hash) - a function which takes input of an arbitrary length and outputs a fixed-length (unique) code
IPv6 - Security Support
IPv6 - Security Support
• general security mechanisms are described by IPsec (RFC 2401, updated by RFC 4301)
  - both for IPv4 and IPv6
  - IPv4: IPsec may be installed separately
  - IPv6: IPsec is a mandatory and integral part of the IPv6 stack
  - => IPv6 is not more secure than IPv4
• elements of the IPsec framework:
  - a protocol for authentication - AH (Authentication Header)
  - a protocol for encryption - ESP (Encapsulating Security Payload) header
  - a definition of the use of cryptographic algorithms for encryption and authentication
  - a definition of security policies and security associations between communicating peers
  - key management

IPv6 - Security Support - Security Associations
• Security Associations (SA):
  - a set of security information that describes a particular kind of secure connection between one device and another
  - three elements:
    - a key
    - an encryption or authentication mechanism
    - additional parameters for the algorithm (counters, duplicate (replay) protection, etc.)
  - one-way agreements => to provide encrypted and authenticated duplex communication, 4 SAs are necessary
• an SA is defined by a set of three parameters:
  - Security Parameter Index (SPI) - a 32-bit number chosen to uniquely identify a particular SA
  - IP Destination Address - the address of the device for which the SA is established
  - Security Protocol Identifier - specifies whether this association is for AH or ESP
IPv6 - Security Support - Key Management
• in order to establish an SA, the peers have to agree on a cryptographic algorithm and negotiate keys
  - the negotiation often happens over insecure paths
• several protocols have been proposed for an automated negotiation:
  - old approach: Internet Security Association and Key Management Protocol (ISAKMP) (RFC 2407 and 2408) and Internet Key Exchange version 1 (IKEv1) (RFC 2409)
  - current approach: Internet Key Exchange version 2 (IKEv2) (RFC 4306)
    - simplifies IKEv1 (consolidates RFCs 2407, 2408, and 2409 into a single document)
    - fixes bugs and ambiguities
    - tries to remain as close to IKEv1 as possible

Key Management - Internet Key Exchange version 2 (IKEv2)
Internet Key Exchange version 2 (IKEv2)
• automatically establishes SAs and creates/deletes cryptographic material
• authenticates communicating peers
• works in 2 phases:
  1) establishes a secure channel to negotiate the cryptographic material for data protection
     - results in a single ISAKMP/IKE SA
  2) establishes the secure channel for the transmission of data
     - results in a pair of IPsec SAs

IPv6 - Security Support - IPsec Modes I.
IPsec differentiates two modes of transport:
• Transport mode
  - the protocol protects the message passed down to IP from the transport layer
  - the message is processed by AH/ESP and the appropriate header(s) are added in front of the transport (UDP or TCP) header
  - the IP header is then added in front of that by IP
• Tunnel mode
  - IPsec is used to protect a complete encapsulated IP datagram after the IP header has already been applied to it
  - the IPsec headers appear in front of the original IP header, and a new IP header is added in front of the IPsec header
  - i.e., the entire original IP datagram is secured and encapsulated within another IP datagram

IPv6 - Security Support - IPsec Modes II.
Figure: header layout in transport mode (original IPv6 header | AH/ESP header | original data) and in tunnel mode (new IPv6 header | AH/ESP header | original IPv6 header | original data).

IPv6 - Security Support - Authentication Header (AH) I.
AH (Authentication Header)
• a protocol that provides authentication of either all or part of the contents of a datagram
  - performed by the addition of a header calculated based on the values in the datagram
• protocol steps:
  1) an SA has to be set up between the two communicating devices
     - only the source and destination know how to perform the computation; nobody else does
  2) on the source device, AH performs the computation and puts the result (called the Integrity Check Value (ICV)) into a special header with other fields for transmission
  3) the destination device does the same calculation using the key the two devices share, which enables it to see immediately if any of the fields in the original datagram were modified
• the presence of the AH header allows the integrity of the message to be verified, but doesn't encrypt it
  - AH provides just authentication, not privacy!
Authentication Header (AH) II. - header placement
Figure: original IPv6 datagram format (including the Routing extension header and a destination-specific Destination Options extension header); IPv6 AH datagram format in IPsec transport mode (authenticated fields marked); IPv6 AH datagram format in IPsec tunnel mode (authenticated fields marked).

IPv6 - Security Support - Encapsulating Security Payload (ESP) Header I.
ESP (Encapsulating Security Payload)
• a protocol that protects data against being examined by a non-authorized party
  - performed by data encryption
  - provides privacy
• ESP also supports its own authentication scheme like that used in AH
• instead of having just a header, ESP divides its fields into three components:
  - ESP Header - contains two fields (the SPI and Sequence Number) and comes before the encrypted data
  - ESP Trailer - placed after the encrypted data (contains padding that is used to align the encrypted data)
  - ESP Authentication Data - when ESP's optional authentication feature is used, this contains an Integrity Check Value (ICV), computed in a similar way as in the AH case

Figure: IPv6 ESP datagram format in IPsec transport mode (encrypted fields and authenticated fields marked) and in IPsec tunnel mode (authenticated fields marked).
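To make the difference in what AH and ESP authenticate concrete, here is an added example (not from the lecture) that builds a minimal IPv6 transport-mode packet both ways and checks what a router's hop-limit decrement, a rewritten outer destination address and a flipped payload byte do to each ICV. Simplifications are stated in the module docstring; the key and addresses are constructed.

```python
"""Which bytes AH and ESP integrity-protect, shown on a minimal IPv6
transport-mode packet. Added example, not part of the lecture. Simplifications:
HMAC-SHA-256 truncated to 16 bytes stands in for whatever integrity algorithm
the SA carries, ESP's encryption step is omitted (the point here is ICV
coverage, so plaintext stands in for ciphertext) and the ESP trailer has no
padding. Key and addresses are constructed sample values."""
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO, ESP_PROTO, TCP_PROTO = 51, 50, 6
ICV_LEN = 16
AH_FIXED = 12                 # next header, payload len, reserved, SPI, sequence
AH_END = 40 + AH_FIXED + ICV_LEN


def ipv6_header(src, dst, next_header, payload_len, hop_limit=64):
    first = 6 << 28           # version 6, traffic class 0, flow label 0
    return (struct.pack("!IHBB", first, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def icv(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_covered_bytes(packet):
    """AH covers the whole datagram. Fields that legitimately change in transit
    (traffic class, flow label, hop limit; RFC 4302) and the ICV field itself
    are treated as zero so the check still passes after normal forwarding."""
    hdr = bytearray(packet[:40])
    hdr[0] = 0x60                   # version nibble kept, traffic class zeroed
    hdr[1:4] = b"\x00\x00\x00"      # rest of traffic class and flow label
    hdr[7] = 0                      # hop limit
    ah = bytearray(packet[40:AH_END])
    ah[AH_FIXED:] = bytes(ICV_LEN)
    return bytes(hdr) + bytes(ah) + packet[AH_END:]


def build_ah_packet(key, src, dst, payload, spi=0x1001, seq=1):
    ah_len = AH_FIXED + ICV_LEN
    hdr = ipv6_header(src, dst, AH_PROTO, ah_len + len(payload))
    # the AH payload length field counts 32-bit words minus 2
    ah = struct.pack("!BBHII", TCP_PROTO, ah_len // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    packet = hdr + ah + payload
    tag = icv(key, ah_covered_bytes(packet))
    return packet[:40 + AH_FIXED] + tag + packet[AH_END:]


def verify_ah(key, packet):
    return hmac.compare_digest(packet[40 + AH_FIXED:AH_END],
                               icv(key, ah_covered_bytes(packet)))


def build_esp_packet(key, src, dst, payload, spi=0x2002, seq=1):
    """Layout: [IPv6][ESP header: SPI, seq][payload][trailer: pad len, next
    header][ICV]. The ICV covers the ESP header through the trailer only; the
    outer IPv6 header is outside it."""
    body = struct.pack("!II", spi, seq) + payload + struct.pack("!BB", 0, TCP_PROTO)
    hdr = ipv6_header(src, dst, ESP_PROTO, len(body) + ICV_LEN)
    return hdr + body + icv(key, body)


def verify_esp(key, packet):
    return hmac.compare_digest(packet[-ICV_LEN:], icv(key, packet[40:-ICV_LEN]))


def decrement_hop_limit(packet):
    """What every router on the path does to the outer header."""
    p = bytearray(packet)
    p[7] -= 1
    return bytes(p)


def rewrite_destination(packet, new_dst):
    """What a translator, or anything else rewriting the outer header, does."""
    return packet[:24] + ipaddress.IPv6Address(new_dst).packed + packet[40:]


def flip_byte(packet, index):
    """Corrupt one byte of the packet (bit error in transit or tampering)."""
    p = bytearray(packet)
    p[index] ^= 0xFF
    return bytes(p)
```

With AH, only the hop-limit change survives verification; with ESP, the rewritten outer destination also passes, which is the "ESP does not authenticate the outer IP header" point.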
IPv6 - Security Support - Why AH?
Since ESP provides authentication, is AH necessary?
• yes
  - authentication alone is often enough
  - AH does not require as much computational power as ESP does
    - ESP uses stronger encryption algorithms
  - AH authenticates the whole datagram
    - ESP does not authenticate the outer IP header

IPv6 QoS Support in Detail
QoS in the Internet
• IPv4 is based on a simple packet forwarding model
  - all packets are treated alike - they are forwarded with best effort treatment according to the "first-come, first-served" principle
  - there are no options to control flow parameters like delay, jitter, or bandwidth allocations
• two main architectures for providing data streams with priorities and quality guarantees were proposed:
  - Integrated Services
    - based on the paradigm that bandwidth and all related resources are reserved per flow on an end-to-end basis (routers store information about flows and analyze each passing packet)
  - Differentiated Services
    - based on packet markup (assigning the packets a certain priority class and serving them in the inner network nodes based on that priority)
Integrated Services
Integrated Services:
• an application announces its qualitative requirements to the network
• the network checks whether the required resources are available, and decides whether the request will be satisfied (the so-called Admission Control phase)
  - if it's not possible to satisfy the requirements, the connection is refused
    - the application might decide to reduce its requirements
  - if the requirements can be satisfied, the network informs all the components on the path to the receiver about the necessary resource reservations (queue sizes, their priority, etc.)
    - a reservation protocol has to be used
    - e.g., the Resource reSerVation Protocol (RSVP) (RFC 2205) or YESSIR (YEt another Sender Session Internet Reservations)
• main drawback:
  - it's necessary to maintain state in the inner network nodes (= scalability problems)

Integrated Services - Resource Reservation Illustration
Figure: resource reservation illustration (image not reproduced).
Differentiated Services
Differentiated Services
• a precise definition of the required QoS parameters is not always necessary
  - usually, a guarantee that the transmission quality will not become worse when the network becomes (over)loaded is sufficient
  - => Differentiated Services
• no need to inform the network of transmission quality requirements
  - resource reservation protocols are not necessary
• each packet is marked by a tag indicating a priority class before being sent to the network
  - packets are marked only when entering the network
  - the tag is put into the Type of Service (IPv4) or Traffic Class (IPv6) field
• the packet is processed on the inner network nodes based on its priority class (the inner network nodes just read the tag and handle the packet based on it)
• main advantage: simple (for implementation in applications as well as inner network nodes)
  - no state information in the inner network nodes (= good scalability)
  - no initial delay caused by the necessity to perform resource reservations

Differentiated Services - Packet Classification Illustration
Figure: packet classification illustration (image not reproduced).

QoS and IPv6
QoS and IPv6 - Traffic Class field I.
Two IPv6 header fields can be used for QoS:
Traffic Class field:
• sometimes referred to as the Packet Priority (PRI) field
• 1-byte field
• its use is specified in RFC 2474
  - introduces the term "DS field" (DiffServ field) for the Traffic Class field
  - DiffServ routers have a known set of DS routines which are determined by the 6-bit value (DiffServ CodePoint - DSCP) in the DS field
    - 64 different codepoints can be specified
    - coding rules are specified in RFC 3140 (assigned by IANA)
  - these DSCP values specify how packets should be forwarded
    - (a default behavior, denoted by an all-zeros DSCP, must be provided by any DS router (best-effort service))
• the last 2 bits (Explicit Congestion Notification - ECN value) are specified in RFC 3168
  - four possible codepoints used for Congestion Notification
  - using them, a router can signal overload before a packet loss occurs

QoS and IPv6 - Traffic Class field II.
Figure: layout of the Traffic Class byte - bits 7..2 carry the RFC 2474 DiffServ Code Point (DSCP), bits 1..0 carry the RFC 3168 ECN bits: the ECN-Capable Transport (ECT) bit (0 = non ECN-capable transport, 1 = ECN-capable transport) and the Congestion Experienced (CE) bit (0 = no congestion experienced, 1 = congestion experienced); shown in the context of the IPv6 header (VER | PRI | Flow label | Payload length | Next header | Hop limit | Source address | Destination address | Payload: extension headers, data packet from the upper layer).

QoS and IPv6 - Flow Label field I.
A flow is a sequence of related packets sent from a source to a unicast, anycast, or multicast destination.
Flow Label field:
• a 20-bit field which enables classification of packets belonging to a specific flow
• IPv6 routers must handle all the packets belonging to the same flow in a similar fashion
• when routers receive the first packet of a new flow, they can process the information carried by the headers (IPv6 header, Routing header, and Hop-by-Hop extension headers) and store the result in a cache memory
  - this information can be used to route all other packets belonging to the same flow (having the same source address and the same Flow Label, it is not necessary to examine all those headers again)
• how to use this field efficiently is still an open issue

QoS and IPv6 - Flow Label field II.
• traditionally, flow classifiers have been based on the 5-tuple: source and destination addresses, ports, and the transport protocol type
  - the classifier must use the transport next header value and port numbers (= less efficient)
  - some of these fields may even be unavailable due to either fragmentation or encryption
• IPv6 uses just the triple of the Flow Label and the Source and Destination Address fields
  - it enables efficient IPv6 flow classification
  - only IPv6 main header fields in fixed positions are processed
• IPv6 source nodes supporting flow labeling must be able to label known flows (e.g., TCP connections, application streams)
  - even if they do not require any flow-specific treatment
• a Flow Label of zero is used to indicate packets not being part of any flow
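The Traffic Class and Flow Label handling of the last four slides, as an added example that is not from the lecture: packing and parsing the DSCP, ECN and Flow Label bits of the fixed header, a router-side classifier keyed on the (source, destination, Flow Label) triple that takes the slow path once per flow and never caches Flow Label 0, and the CE marking a router applies to ECN-capable packets instead of dropping them. The packets and the DSCP-to-treatment table are constructed for illustration.

```python
"""IPv6 Traffic Class (DSCP + ECN) and Flow Label handling on the 40-byte fixed
header. Added example, not from the lecture; packets and the DSCP-to-treatment
mapping are constructed for illustration (real mappings are local policy,
except that DSCP 0 must get default best-effort forwarding)."""
import ipaddress
import struct

ECN_NAMES = {0b00: "Not-ECT", 0b01: "ECT(1)", 0b10: "ECT(0)", 0b11: "CE"}   # RFC 3168
DSCP_DEFAULT = 0        # all-zeros codepoint, RFC 2474
DSCP_EF = 46            # Expedited Forwarding codepoint 101110, RFC 3246


def build_ipv6_header(src, dst, dscp=0, ecn=0, flow_label=0, payload_len=0,
                      next_header=6, hop_limit=64):
    """Pack the fixed header; the 8-bit Traffic Class is DSCP (6 bits) followed
    by ECN (2 bits), and the Flow Label is the low 20 bits of the first word."""
    if not (0 <= dscp < 64 and 0 <= ecn < 4 and 0 <= flow_label < (1 << 20)):
        raise ValueError("field out of range")
    first = (6 << 28) | (((dscp << 2) | ecn) << 20) | flow_label
    return (struct.pack("!IHBB", first, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def parse_ipv6_header(data):
    if len(data) < 40:
        raise ValueError("truncated IPv6 header")
    first, payload_len, next_header, hop_limit = struct.unpack("!IHBB", data[:8])
    if first >> 28 != 6:
        raise ValueError("not an IPv6 header")
    traffic_class = (first >> 20) & 0xFF
    return {"dscp": traffic_class >> 2, "ecn": traffic_class & 0b11,
            "ecn_name": ECN_NAMES[traffic_class & 0b11],
            "flow_label": first & 0xFFFFF, "payload_len": payload_len,
            "next_header": next_header, "hop_limit": hop_limit,
            "src": str(ipaddress.IPv6Address(data[8:24])),
            "dst": str(ipaddress.IPv6Address(data[24:40]))}


def treatment_for(dscp):
    """Constructed per-hop behaviour table standing in for a router's DSCP policy."""
    if dscp == DSCP_DEFAULT:
        return "best-effort"
    if dscp == DSCP_EF:
        return "expedited"
    return f"class-{dscp >> 3}"       # class selector codepoints xxx000


class FlowClassifier:
    """Router-side cache keyed on (source, destination, Flow Label). The first
    packet of a flow takes the slow path; later packets reuse the cached
    decision without re-examining any headers. Flow Label 0 means 'not part of
    a flow': such packets are classified individually and never cached."""

    def __init__(self):
        self.cache = {}
        self.slow_path = 0

    def classify(self, header_bytes):
        h = parse_ipv6_header(header_bytes)
        if h["flow_label"] == 0:
            self.slow_path += 1
            return treatment_for(h["dscp"]), "no-flow"
        key = (h["src"], h["dst"], h["flow_label"])
        if key in self.cache:
            return self.cache[key], "hit"
        self.slow_path += 1
        self.cache[key] = treatment_for(h["dscp"])
        return self.cache[key], "miss"


def mark_congestion(header_bytes):
    """Router action under overload (RFC 3168): an ECN-capable packet (ECT(0)
    or ECT(1)) is marked CE and forwarded, signalling congestion before any
    loss; a Not-ECT packet cannot be marked, so only dropping is left,
    represented here by returning None."""
    h = bytearray(header_bytes)
    if ((h[1] >> 4) & 0b11) == 0b00:   # the ECN bits are the top two of byte 1's high nibble
        return None
    h[1] |= 0b11 << 4
    return bytes(h)
```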
IPv6 Transition
Porting Applications
IPv6 Transition - Porting Applications
Applications using IPv4 network sockets need to be converted to IPv6:
• this conversion can be very simple (simple programs) or a challenging effort (complex network applications)
• the programmer has to decide whether the program will be IPv4-only, separate IPv4 and IPv6, or IP protocol version independent (recommended for most cases)
  - IP protocol version independent code is agnostic to the IP protocol version

IPv6 Transition - Porting Applications Issues I.
Application porting issues under IPv6:
• Address parsing
  - IPv4 dotted decimal addresses are trivial to parse
  - IPv6 hex-colon addresses require library support for input or output
    - a complete input parser can be a few hundred lines of code
    - rendering an address in canonical form involves complex analysis of the address
• Address memory space
  - legacy code often stores IPv4 addresses in 32-bit unsigned integer variables
    - the native data type makes masking operations easy
    - fewer details to remember
  - few machines have a native 128-bit data type
    - all code has to be changed in order to use the appropriate structure (see later)

IPv6 Transition - Porting Applications Issues II.
• URL and text representation of IP addresses
  - the original standards for URLs and URIs do not allow IPv6 addresses in URLs
    - the problem is the colons in hex-colon notation (used for port specification in IPv4)
  - RFC 3986 modifies the standard to allow IPv6 addresses in brackets
    - http://[fe80::219:d1ff:fe06:e908]:8080/
  - a lot of legacy code does not accept this
• Multiple addresses
  - in the IPv4 world, the vast majority of systems have one address per interface
  - an IPv6-enabled stack handles multiple IP addresses on a single interface (e.g., one IPv4 address, one global IPv6 address and one link-local IPv6 address)
  - the code must take this into account (e.g., when querying the DNS for server addresses, the client code should loop through all the received IP addresses until one is answering)

IPv6 Transition - Porting Applications - Useful structures and functions I.
Structures:
• struct addrinfo
  - a replacement of the hostent structure
  - holds connection information used in handling name to IP address resolution
  - it's used by the getaddrinfo function
• struct sockaddr_in6
  - IPv6 version of the sockaddr_in structure
  - holds the IP address and port number of a connection, the IPv6 flow label and the scope of the address
  - it's used in socket calls as a place holder for IPv6 addresses
  - it is specific to IPv6 - it is not IP version independent and thus should be avoided
• struct sockaddr_storage
  - a struct defined for casting either struct sockaddr_in or struct sockaddr_in6
  - this should be used when making a program IP version independent

IPv6 Transition - Porting Applications - Useful structures and functions II.
Functions:
• getaddrinfo
  - a replacement of the gethostbyname function
  - it queries the DNS for the IP addresses of a hostname
  - the result is a linked list of addresses, which should be traversed by the calling program
• getnameinfo
  - a replacement of the gethostbyaddr, inet_addr and inet_ntoa functions
  - it queries the DNS for the hostname of an IP address
  - the result is the hostname string

IPv6 and IPv4 Worlds' Interoperability
IPv4 & IPv6 Interoperability
• during the IPv6 proposal, a gradual transition from IPv4 has been taken into account
  - => a mechanism for IPv4 and IPv6 co-existence is necessary
• 3 main categories:
  - Dual stack
    - a device supports both IPv4 and IPv6 simultaneously
    - allows IPv4 and IPv6 to coexist in the same devices and networks
  - Tunneling
    - IPv6 datagrams are encapsulated into the IPv4 datagram's data
    - allows the transport of IPv6 traffic over the existing IPv4 infrastructure
  - Translators (NAT-PT)
    - a device translates IPv6 datagrams into IPv4 datagrams (client -> server direction) and vice versa
    - allows IPv6-only nodes to communicate with IPv4-only nodes

IPv4 & IPv6 Interoperability - Dual Stack
Figure: dual stack architecture - application layer over TCP or UDP; IPv4 (with IGMP, ICMPv4, ARP, RARP) and IPv6 (with ICMPv6) side by side over the underlying LAN or WAN technology; the IPv4 stack talks to IPv4 systems and the IPv6 stack to IPv6 systems.
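Tying together the porting slides above (bracketed IPv6 literals in URLs, looping over every address getaddrinfo returns, and never hard-coding an address family), as an added example that is not from the lecture: Python's socket.getaddrinfo wraps the C function of the same name, and AF_UNSPEC plays the role of sockaddr_storage. URLs and addresses are constructed; the numeric=True path sets AI_NUMERICHOST so the example runs without DNS.

```python
"""Version-independent client-side address handling, the Python counterpart of
the getaddrinfo / sockaddr_storage approach on the slides. Added example, not
from the lecture; the URLs and addresses are constructed."""
import socket
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def split_host_port(authority, default_port):
    """Host/port split that understands RFC 3986 bracketed IPv6 literals such
    as [fe80::1]:8080 next to the classic host:port form. Returns (host, port)
    with the brackets stripped, which is what getaddrinfo expects."""
    if authority.startswith("["):
        end = authority.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = authority[1:end], authority[end + 1:]
        if rest == "":
            return host, default_port
        if not rest.startswith(":") or not rest[1:].isdigit():
            raise ValueError("expected ':port' after IPv6 literal")
        return host, int(rest[1:])
    if authority.count(":") > 1:
        # A bare hex-colon address: the colon meant for the port is ambiguous,
        # which is exactly why RFC 3986 requires the brackets.
        raise ValueError("IPv6 literal must be enclosed in brackets")
    host, sep, port = authority.partition(":")
    return host, (int(port) if sep else default_port)


def url_host_port(url):
    parts = urlsplit(url)
    return split_host_port(parts.netloc, DEFAULT_PORTS[parts.scheme])


def candidate_addresses(host, port, numeric=False):
    """Every address the resolver returns for the name, in both families and in
    resolver order. AF_UNSPEC is the equivalent of filling a sockaddr_storage:
    the caller never hard-codes an address family. numeric=True sets
    AI_NUMERICHOST so literals are parsed without any DNS lookup."""
    flags = socket.AI_NUMERICHOST if numeric else 0
    infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM, 0, flags)
    return [(family, sockaddr) for family, _t, _p, _c, sockaddr in infos]


def family_names(host, port, numeric=False):
    """Sorted address-family names for the candidates (AF_INET, AF_INET6)."""
    return sorted({family.name for family, _ in candidate_addresses(host, port, numeric)})


def connect_any(host, port, timeout=2.0, numeric=False):
    """The loop the porting slide asks for: try each returned address until one
    answers instead of stopping at the first (the gethostbyname habit).
    Returns the connected socket, or raises OSError naming every failure."""
    failures = []
    for family, sockaddr in candidate_addresses(host, port, numeric):
        sock = None
        try:
            sock = socket.socket(family, socket.SOCK_STREAM)
            sock.settimeout(timeout)
            sock.connect(sockaddr)
            return sock
        except OSError as exc:
            failures.append(f"{sockaddr[0]}: {exc}")
            if sock is not None:
                sock.close()
    raise OSError("no address answered: " + "; ".join(failures))


if __name__ == "__main__":
    host, port = url_host_port("http://[fe80::219:d1ff:fe06:e908]:8080/")
    print(host, port, family_names(host, port, numeric=True))
```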
IPv4 & IPv6 Interoperability - Dual Stack - features & drawbacks
• main advantage: easy to use and flexible
  - a host can communicate with IPv4 hosts using IPv4 or with IPv6 hosts using IPv6
  - once everything has been upgraded to IPv6, the IPv4 stack can simply be disabled/removed
  - offers the greatest flexibility in dealing with islands of IPv4-only applications, equipment and networks
• disadvantages:
  - two separate protocol stacks have to be running (resource consumption)
  - all applications must be capable of determining whether this host is communicating with an IPv4 or IPv6 peer
  - the DNS resolver must be capable of resolving both IPv4 and IPv6 address types
  - the routing protocol must deal with both protocols (or separate protocols for IPv4 routing and IPv6 routing have to be used)
  - etc.

IPv4 & IPv6 Interoperability - Tunneling
Figure: tunneling of IPv6 datagrams across IPv4 infrastructure (image not reproduced).

IPv4 & IPv6 Interoperability - Tunneling - features & drawbacks
• main advantage: allows migrating to IPv6 just the way one likes
  - there is no specific upgrade order that has to be followed (separate clouds can be interconnected via tunnels)
  - once everything has been upgraded to IPv6, no changes are necessary (the tunneling points are just discarded)
• disadvantages:
  - additional load is put on the routers
  - tunnel end-points represent single points of failure
  - troubleshooting gets more complex
    - for example, one might run into hop count or MTU size issues, as well as fragmentation problems
    - management of encapsulated traffic (e.g., per-protocol accounting) is also more difficult due to the encapsulation
  - tunnels also offer points for security attacks
  - etc.
IPv4 & IPv6 Interoperability - Translators (NAT-PT)
Figure: translation between IPv6 and IPv4 datagrams by a NAT-PT device (image not reproduced).

IPv4 & IPv6 Interoperability - Translators (NAT-PT) - features & drawbacks
• should be used only if no other technique is possible
  - just as a temporary solution until one of the other techniques can be implemented
• advantage: IPv6 hosts can directly communicate with IPv4 hosts (and vice versa)
• disadvantages:
  - does not support the advanced features of IPv6 (such as end-to-end security)
  - poses limitations on the design topology
    - replies have to come through the same NAT router through which the requests have been sent
  - the NAT router is a single point of failure
  - all applications carrying an IP address in the payload of the packets will stumble

IPv6: Literature
• relevant RFCs
• Satrapa P.: IPv6. CZ.NIC association, 2008. Available online: http://knihy.nic.cz/files/nic/edice/pavel_satrapa_ipv6_2008.pdf
• Hagen S.: IPv6 Essentials. O'Reilly Media, Inc., 2006.
• Blanchet M.: Migrating to IPv6. John Wiley & Sons, Ltd., 2005.
• http://www.tcpipguide.com
• http://www.ipv6.cz