• Aucun résultat trouvé

The Network Layer 15 IPv4 and IPv6

N/A
N/A
Protected

Academic year: 2022

Partager "The Network Layer 15 IPv4 and IPv6"

Copied!
31
0
0

Texte intégral

(1)

The Network Layer 15 IPv4 and IPv6

Part 3

ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE

Jean‐Yves Le Boudec

2017

(2)

Contents

9. Proxy ARP 10. Fragmentation

11. Interworking h4‐h6 with NATs

Textbook

Chapter 5: The Network Layer

(3)

9. Proxy‐ARP

Reminder: IP principle says one  subnet = one LAN

Assume you want to cheat with this  principle, e.g. 12.12.12.4 is in the  wrong place, but you want to keep  it that way. You can support this  configuration with /32 entries  (with IPv4) in forwarding tables 

R1 R2 R3

12.12.12.0/24 23.23.23.0/24

12.12.12.4

dest next-hop interface

12.12.12.0/24 On-link eth0

23.23.23.0/24 On-link eth1

12.12.12.4/32 23.23.23.2 eth1

dest next-hop interface

12.12.12.0/24 23.23.23.1 eth0

23.23.23.0/24 On-link eth0

12.12.12.4/32 On-link eth1

dest next-hop interface

12.12.12.0/24 On-link eth0

12.12.12.4/32 12.12.12.2 eth0

0/0 12.12.12.2 eth0

(4)

Does this solve the problem ?

A. Yes because  R2 now send packets to 12.12.12.4 on the correct

interface

B. No this does not work because subnets cannot be split across multiple locations

C. No it does not work for other reasons

D. I don’t know

(5)

sic500cs should be a ….

A. Router B. Bridge

C. Application Layer gateway D. I don’t know

ed2-in 15.221

15.13 128.178.84.1

ed0-ext EPFL-Backbone

sic500cs 128.178.84.3

VPN Tunnel 128.178.84.133

stisun1 15.7

• All subnets have

255.255.255.0 netmask

• Subnet 84 is on both sides of sic500cs

greenmac

(6)

Assume you want to have sic500cs operating as a router

This deviates from the IP  principle: one subnet = one  LAN

Therefore we need a second  deviation (at least) to 

compensate

We can use PROXY‐ARP 

sic500cs answers for ARP  REQs / NDP NSs on behalf of  greenmac

ed2-in 15.221

15.13 128.178.84.1

ed0-ext EPFL-Backbone

sic500cs 128.178.84.3

VPN Tunnel 128.178.84.133

stisun1 15.7

greenmac

(7)

ed0‐ext has a packet to 128.178.84.133 and sends

an ARP REQ

A. sic500cs replies with own  MAC address

B. sic500cs replies with the  MAC  address of greenmac

C. Greenmac replies with his  MAC address

D. Greenmac replies with the   MAC address of sic500cs E. I don’t know

ed2-in 15.221

15.13 128.178.84.1

ed0-ext EPFL-Backbone

sic500cs 128.178.84.3

VPN Tunnel 128.178.84.133

stisun1 15.7

greenmac

1. All subnets have

255.255.255.0 netmask 2. Subnet 84 is on both

sides of sic500cs

3. sic500cs does PROXY- ARP on behalf of

greenmac

(8)

10. Fragmentation

Link‐layer networks have 

different maximum frame  lengths

MTU (maximum transmission  unit) = maximum frame size  usable for an IP packet

MAC layer options and tunnels  make this worse

Link‐layer Network MTU

Ethernet, WiFi VPN Tunnel in IPv4 Token Ring  4 Mb/s 16 Mb/s FDDI X.25 Frame Relay ATM with AAL5 Hyperchannel PPP

1500 1400 4464 17914 4352 576 1600 9180 65535 296 to 1500

Z:\>netsh interface ipv6 show subinterfaces

MTU  MediaSenseState Bytes In  Bytes Out  Interface

‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐

4294967295  1      0      28980  Loopback Pseudo‐Interface 1 1500      5      0      0  Wireless Network Connection 2 1400      1      19419      14328  VPN EPFL

1500      1  126682357   17501036  Local Area Connection 1280      5      0        536  Local Area Connection* 12

(9)

IPv4 Fragmentation

IPv4 hosts or routers may have IP datagrams larger than MTU Fragmentation is performed when IP datagram too large

re‐assembly is only at destination, never at intermediate points fragmentation is in principle avoided with TCP 

R2 R1

MTU = 1500 MTU = 620 MTU =1500

IP

Header 1400 Bytes 1

(10)

R2 R1

MTU = 1500 MTU = 620 MTU =1500

IPv4

Header 1400 Bytes

1 IPv4

Header 600 B 3a

IPv4

Header 600 B 3b

IPv4

Header 200 B 3c

IPv4

Header 1400 Bytes 4

IPv4 header fields Length Identification More Fragment flag Offset 8 * Offset

1 and 4 1420 567 0 0 0

IPv4

Header 600 B 2a

2a, 3a 620 567 1 0 0

IPv4

Header 600 B 2b

2b,3b 620 567 1 75 600

IPv4

Header 200 B 2c

2c, 3c 220 567 0 150 1200

(11)

IPv4 Fragmentation (2)

IP datagram is fragmented if 

MTU of interface < datagram total length all fragments are self‐contained IP packets

fragmentation controlled by fields: Identification, Flag and Fragment  Offset in IPv4 header;

IP datagram = original ; IP packet = fragments or complete datagram

Fragment data size (here  600) is always a multiple of 8 Identification given by source

Length Identification More Fragment flag Offset 8 * Offset

1 1420 567 0 0 0

2a 620 567 1 0 0

2b 620 567 1 75 600

2c 220 567 0 150 1200

(12)

IPv6 Fragmentation

Same as IPv4 except

Routers never fragment – drop packet if too large Fragmentation header is a «next header»

Minimum MTU is 1280 Bytes (vs 68 for IPv4)

(13)

Fragmentation Considered Harmful

Fragmentation requires re‐assembly at destination; 

this may cause deadlocks and identification wrapping problems unit of loss is smaller than unit of re‐transmission: can worsen 

congestion (avalanche effect)

Solution = avoid fragmentation as much as possible by discovering 

“Path MTU” (= minimum MTU along one path)

(14)

Methods for setting Path MTU

Path MTU Discovery (PMTUD) 

1. Host sets “Don’t Fragment” bit on all datagrams (IPv4 only – with IPv6 routers never fragment)

2. sets PathMTU to local MTU

3. routers send ICMP message: “destination unreachable/ 

fragmentation needed” if MTU is too large

4. host reduces PathMTU estimate to next smallest value 5. after timeout, host increases PMTU estimate

Packetization Layer Path MTU Discovery (PLPMTUD)  does not require routers to send ICMP messages 

relies on TCP making Path MTU probes from time to time; 

estimate the largest possible Path‐MTU that works by observing  packets that were acknowledged

Path‐MTU is kept in destination cache by operating system   18

(15)

IPv6 example

:\>netsh interface ipv6 show destinationcache Interface 12: Local Area Connection

PMTU Destination Address       Next Hop Address

‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐

1500 2a00:1450:4001:c02::54      fe80::208:e3ff:feff:fc50 1500 2a00:1450:4002:801::100c      fe80::208:e3ff:feff:fc50 1500 2a00:1450:4003:803::100f      fe80::208:e3ff:feff:fc50 1500 2a00:1450:400a:804::1008      fe80::208:e3ff:feff:fc50 1500 2a00:1450:400a:805::100d      fe80::208:e3ff:feff:fc50 1500 2a00:1450:400a:805::100f      fe80::208:e3ff:feff:fc50 1500 2a00:1450:400a:807::1018      fe80::208:e3ff:feff:fc50 1500 2a00:1450:400a:807::101f      fe80::208:e3ff:feff:fc50 1500 2a03:2880:f006:101:face:b00c:0:1      fe80::208:e3ff:feff:fc50 1500 2a02:26f0:12:198::eed fe80::208:e3ff:feff:fc50

(16)

TCP, UDP and Fragmentation

The UDP service interface accepts a datagram 

up to 64 KB (by default) or up to 4GB (with IPv6 “jumbo payload”  

extension header 

UDP datagram passed to the IP service interface as one SDU

is fragmented at the source if resulting IP datagram is too large  to fit on Path MTU

The TCP service interface is stream oriented

packetization is done by TCP – fragmentation should in principle  be avoided

TCP connections negotiate an MSS (maximum segment size) Host operating system should verify that 

(17)

When a host generates UDP traffic, the port number is always present in all packets

A. True B. False

C. True with IPv4, false with IPv6 D. True with IPv6, false with IPv4 E. I don’t know

(18)

One TCP segment is contained in one IPv4 datagram that is fragmented by a router on its way from source to

destination. One of the fragments is lost. What will TCP re‐transmit ?

A. The bytes that were in the missing fragment

B. The bytes that were in all fragments of the datagram, missing or  not

C. It depends whether the loss is detected by fast retransmit or by  timeout

D. I don’t know

(19)

11. IPv4 and IPv6 Interworking with NATs

IPv4 and IPv6 are  incompatible

v4 only host cannot handle  IPv6 packets

v6 only host cannot handle  IPv4 packets

What needs to be solved: 

interworking: h6 to h4 like‐to‐like access

6 to 6 over 4 4 to 4 over 6

In this module we study  interworking

like‐to‐like access is studied in 

(20)

Reminder:

Dual Stack Application Layer Gateways (ALG46s) can be used to solve h4 to h6 Interworking

Application layer gateway (e.g. web proxy) relays HTTP questions /  answers. 

ALG must be dual stack

Simple but performance is not optimal (store and forward) Plus dependency on application

ALG46 TCP

IPv6

Application TCP/ IP

IPv4 Application

TCP IPv6

TCP IPv4

Homer’s PC Web proxy Web server

IPv6 IPv4

(21)

NAT64 (RFC6146) is an alternative solution to solve h6 to h4 interworking

NAT64 translates an IPv4 packet into an IPv6 packet and vice‐

versa;  no encapsulation

NAT uses an IPv4 address pool to translate IPv6 address (No need for IPv6 private pool)

Port translation is  used (as in any NAT) to save number of IPv4  addresses of the pool

To h6, h4 appears under an IPv6 translated address To h4, h6 appears under an IPv4 translated address

IPv4 Internet 192.0.2.1 IPv4 only host 2001:620:618:dede::baba

IPv6 only host

IPv6 Internet

NAT

h6 (client6) h4 (server4)

1 2

??? h4’s IPv 6 translated address 

??? h6’s IPv 4translated address 

(22)

Translation from IPv6 address to IPv4 translated address is stateful

NAT owns pool 120.130.26/24

Packet from h6 is translated by NAT to next available IPv4 source address /port  number combination – this is the usual NAT’s job

Need to keep table of all existing mapping – this is called “stateful” operation

NAT table From:

2001:620:618:dede::baba Next hdr : tcp

Srce port = 2345

IPv4 Internet 192.0.2.1 IPv4 only host 2001:620:618:dede::baba

IPv6 only host

IPv6 Internet

NAT64

h6 (client6) h4 (server4)

1 2

2001:620:618:dede::baba tcp port 2345 120.130.26.33 tcp port 1763

From:

120.130.26.33 Protocol type: tcp

Srce port = 1763

v6 v4

(23)

Translation from IPv4 address to IPv6 translated address is stateless

IPv4 addresses are mapped to valid IPv6 addresses such as 64:ff9b::c00:201

Such an address is an IPv4‐embedded‐IPv6 address

The block 64:ff9b::/96 is a well know prefix reserved for that use; 

other prefixes (ISP specific) may be used

IPv4 Internet 192.0.2.1 IPv4 only host 2001:620:618:dede::baba

IPv6 only host

IPv6 Internet

NAT64

h6 (client6) h4 (server4)

1 2

64:ff9b::c000:201

(24)

How is the v4 address 192.0.2.1 translated to the v6 address 64:ff9b::c000:201 ?

A. The NAT keeps a translation table B. It is algorithmic

C. None of the above D. I don’t know

IPv4 Internet 192.0.2.1 IPv4 only host 2001:620:618:dede::baba

IPv6 only host

IPv6 Internet

NAT64

h6 (client6) h4 (server4)

1 2

64:ff9b::c000:201

(25)

How does client6 knows that NAT64 should be used ?

DNS64 is used in combination with stateful NAT64

DNS64 responds with translated IPv6 address if no AAAA record is  found

This is transparent to client6

IPv4 Internet 192.0.2.1 IPv4 only host 2001:620:618:dede::baba

IPv6 only host

IPv6 Internet

NAT64

h6 (client6) h4 (server4)

DNS64 DNS

infoscience.epfl.ch ?

A and AAAA infoscience.epfl.ch ? infoscience.epfl.ch A 192.0.2.1 infoscience.epfl.ch AAAA 64:ff9b::c000:201

(26)

NAT64, putting things together

IPv4 Internet 192.0.2.1 IPv4 only host 2001:620:618:dede::baba

IPv6 only host

IPv6 Internet

NAT64

h6 (client6) h4 (server4)

To: 64:ff9b::c000:201 From: 2001:620:618:dede::baba

Next Header : tcp Source port 2345

Dest Port : 80 GET /

To: 192.0.2.1 From: 120.130.26.33

Protocol type: tcp Source port 1763

Dest Port : 80 GET /

DNS64 DNS

infoscience.epfl.ch ?

A and AAAA infoscience.epfl.ch ? infoscience.epfl.ch A 192.0.2.1 infoscience.epfl.ch AAAA 64:ff9b::c000:201

(27)

How does NAT64 translate 120.130.26.33 to 2001:620:618:dede::baba ?

A. Algorithmically using the 64:ff9b::/96 prefix B. Algorithmically using a different prefix

C. Using its NAT table and with the help of the port numbers D. I don’t know

IPv4 Internet 192.0.2.1 IPv4 only host 2001:620:618:dede::baba

IPv6 only host

IPv6 Internet

NAT64

h6 (client6) h4 (server4)

To: 2001:620:618:dede::baba From: 64:ff9b::c000:201

Next Header : tcp Source port 80 Dest Port : 2345

<html><head>Loula…

From: 192.0.2.1 To: 120.130.26.33

Protocol type: tcp Source port 80 Dest Port : 1763

<html><head>Loula…

(28)

client4 to server6 with NAT64

NAT64 and DNS64 support client6 ↔ server4

The reverse client4 ↔ server6 works with NAT64 with static configuration of NAT64 mapping from server IPv6 address to server’s IPv4 translated address is stateful and  requires ad‐hoc configuration of NAT64; must be put in DNS as A record.

mapping from client4 IPv4 address to client’s IPv6 translated address is stateless

IPv4 Internet 194.23.24.25

client4 2001:620:618:dede::baba

server6

IPv6 Internet

NAT64

To: 2001:620:618:dede::baba From: 64:ff9b::c217:1819

Next Header : tcp Source port: 1763

Dest Port : 80 GET /

From: 194.23.24.25 To: 120.130.26.33

Protocol type: tcp Source port: 1763

Dest Port : 80 GET /

IPv6 address and port IPv4 address and port

2001:620:618:dede::baba  ; port x 120.130.26.33 : port x, static

NAT64 table

(29)

Pros and Cons of NAT64

(30)

All links are Ethernet v2 with MTU = 1500 Bytes.

Assume all hosts perform Path‐MTU and discover the best possible Path‐MTU value. What is the value of Path‐

MTU at server4 for the interaction with client6 ?

A. 1500 Bytes B. 1480 Bytes C. 1460 Bytes D. I don’t know

(31)

Conclusion

Proxy ARP / NDP is a trick used to solve the problems caused by a  subnet present at different locations

Fragmentation is due to different MAC layers having different packet  sizes; MTU is by definition the max length of an IP packet at a given  interface. When a packet is too large, it can be either discarded or  fragmented. Fragmentation occurs only at IPv6 hosts, IPv4 hosts or  IPv4 routers. Re‐assembly is never done by routers.

Fragmentation may cause problems and should be avoided if possible.

Translation between IPv4 and IPv6 is a possible solution to the h4‐h6  interworking problem. It uses NAT64.

Translation is stateless between an IPv4 address and a translated IPv6  address; it is stateful between an IPv6 address and a translated IPv4  address. 

NAT64 is automatic for client6<‐> server4 and static for server6 <‐> 

client4. Both require some manipulation of DNS.

Références

Documents relatifs

Based on the results obtained, we can conclude that the traffic shape for the Gnutella protocol is self-similar in the area of lower m for all message types.. Indeed, the

Dual Stack Application Layer Gateways (ALG46s) can be used to solve h4 to h6 Interworking.

When pre-shared key authentication is used with IPsec to protect SIGTRAN based communication, unique pre-shared keys are configured with peers that are identified by their

Context ID : A randomly generated value defining the expected usage context for the particular ORCHID and the hash function to be used for generation of ORCHIDs

dual-stack (IPv6/IPv4) nodes over IPv4 networks.. The main objectives of this document are to: 1) describe the domain of applicability, 2) specify addressing requirements, 3)

We presented the design and validation of an algorithm, called JITeR ( Just-In-Time Routing ), which routes deadline constrained messages at application level, using novel overlay

An example of a multi-layer graph with 6 networks: ligand-protein network is in deep blue (IUPHAR), ligand-ligand networks are in light blue (ligand similarity network) and

Secondly, we train the neural network on 5-band TokyoTech multispectral image database 5-BAND Tokyo 1 and use it to de- mosaic a 5 color CFA (see Figure 2) [30, 31].. This database is