IPv6 協定與特性介紹
TWNIC
郭晟偉
Outline
z
IPv6 Addressing
‰
Unicast
„
Aggregatable Global
Scoped address
„
Link-Local
‰ Unique-local
Special IPv6 address
„
‰
‰
Unspecified
Loopback
‰
IPv4/IPv6 transition
‰
‰
‰
Multicast
Anycast
z
Protocol
‰
‰
‰
‰
IPv6 Header
ICMPv6
Neighbor Discovery
Address
Autoconfiguration
Address Notation
z
z
z
以16進位，每16位元為單位並以‘：’為區隔來表示
‰ 2001:3600:4368:1234:0008:AB12:98CE:1000
‰ IPv4以十進位，每8位元為單位並以‘‧’為區隔來表
示，如202.39.157.141
為使標示簡潔，位於一單位內前方之0可省略
‰ 2001:3600:4368:1234:8:AB12:98CE:1000
為使標示簡潔，若有連續為0 之位元，可以“::”表示，
但一個位址中只能使用一次
‰ 2001:3600::1 與
2001:3600:0000:0000:0000:0000:0000:0001
‰ 2001:3600::3:0000:1與
2001:3600:0000:0000:0000:0003:0000:0001
IPv6 - Addressing Model
Addresses are assigned to interfaces
z
‰
z
z
Interface ‘expected’ to have multiple
addresses
Addresses have scope
‰
‰
‰
z
No change from IPv4 Model
Link Local
Unique Local
Global
Global
Addresses have lifetime
‰
Valid and Preferred lifetime
Site-Local Link-Local
Unique-Local
Basic Address Types
z
Unicast
‰
‰
‰
z
Multicast
‰
‰
‰
z
Address of a single interface
Delivery to single interface
for one-to-one communication
Address of a set of interfaces
Delivery to all interfaces in the set
for one-to-many communication
Anycast
‰
‰
‰
‰
Address of a set of interfaces
Delivery to a single interface in the set
for one-to-nearest communication
Nearest is defined as being closest in
term of routing distance
U
M
M
M
A
A
A
Global Routing Prefixes
Allocation
Prefix binary
Prefix hex
Fraction of
address space
Unassigned
0000 0000
::0/8
1/256
Reserved
0000 001
Global unicast
001
2000::/3
1/8
Link-local unicast
1111 1110 10
FE80::/10
1/1024
Reserved (formely Site-local
unicast)
1111 1110 11
FEC0::/10* *
deprecated
1/1024
Local IPv6 address
1111 110
FC00::/7
Private administration
1111 1101
FD00::/8
Multicast
1111 1111
FF00::/8
1/128
The updated list of address allocations can be found at:
http://www.iana.org/assignments/ipv6-address-space.
1/256
Global Unicast Address
z
z
z
Global routing prefix A service provider is assigned a portion
of this prefix by the Internet Assigned Numbers Authority
(IANA), and it then allocates a subspace to its customers. Its
length is 48 bits or shorter based on the RFC 4291
recommendations.*
Subnet ID An organization receives a prefix from its service
provider where the global routing prefix identifies the service
provider (SP) and the organization inside the SP, and the
subnet ID identifies the organizational structure of its
network.*
Interface ID The low-order 64 bits of the address are used to
identify the interfaces of nodes on a link. *
Current allocations
Prefix
Allocation
RFC
2000::/3
Assignable Global Unicast Address space
Allocations made out of the 2000::/3 space can
be viewed at
http://www.iana.org/assignments/ipv6unicast-address-assignments
RFC 3513
2001:0000::/32
Teredo
RFC 4380
2001:DB8::/32
For documentation purposes only, nonroutable
RFC 3849
2002::/16
6to4
RFC 3056
3FFE::/16
6Bone Testing (to be phased out by June 2006)
RFC 2471
IPv6 interface identifier
z
z
z
z
Lowest-order 64-bit field of unicast address
Globally unique or locally unique within a subnet
Future higher-layer protocols may take advantage of
globally-unique interface IDs to identify nodes
independently of their current location
Configure interface identifier
‰ manual configuration
‰ DHCPv6 (configures whole address)
‰ automatic derivation from MAC address or other
hardware serial number
‰ pseudo-random generation (for client privacy)
‰ the latter two choices enable “serverless” or “stateless”
autoconfiguration, when combined with high-order part
of the address learned via Router Advertisements
The conversion of a universally administered, unicast IEEE 802
address to an IPv6 interface identifier
Special IPv6 address
z
Unspecified address(0:0:0:0:0:0:0:0 or ::)
Indicate the absence of an address
‰ Equivalent to IPv4 0.0.0.0
‰ Never assigned to an interface or used as a destination
address
Loopback address (0:0:0:0:0:0:0:1 or ::1)
‰ Identify a loopback interface
IPv4-compatible address (0:0:0:0:0:0:w.c.x.z or ::w.c.x.z) (RFC4291)
‰ Used by dual-stack nodes
‰ IPv6 traffic is automatically encapsulated with an IPv4 header
and send to the destination using the IPv4 infrastructure
IPv4 mapped address (0:0:0:0:0:FFFF:w.c.x.z or ::FFFF:w.c.x.z)
(RFC 4291)
‰ Represent an IPv4-only node to an IPv6 node
‰ Never used as a source or destination address of IPv6 packet
‰
z
z
z
Address for IPv4/IPv6 Transition
z
z
6to4 Addresses (RFC 3056)
‰
IPv6 hosts or networks communicate over an IPv4-only infrastructure
‰
EX: 62.2.84.115, the 6to4 address is 2002:3e02:5473::/48
ISATAP addresses (RFC 4214)
‰
‰
The Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) is an
automatic tunneling mechanism
EX: Host: 192.168.0.1 and 64-bit prefix of 2001:DB8:510:200::/64, the
ISATP address is 2001:DB8:510:200:0:5EFE:C0A8:1
Address for IPv4/IPv6 Transition(cont.)
z
Teredo Addresses (RFC 4380)
Link-Local Unicast Addresses
z
z
z
z
z
meaningful only in a single link zone, and may be
re-used on other links
Link-local addresses for use during autoconfiguration and when no routers are present
Required for Neighbor Discovery process, always
automatically configuration
An IPv6 router never forwards link-local traffic
beyond the link
Prefix= FE80::/64
1111111010
10 bits
0
interface ID
54 bits
64 bits
Unique-Local Address
z
z
z
z
z
z
meaningful only in a single site zone, and can not be re-used in
other sites
Equivalent to the IPv4 private address space
Replace Site-Local Addresses
L identifies the assignment policy. Only value 1 (FD00::/8) is
currently in use designating a local assignment*
Global ID is a 40-bit identifier that ensures the global
uniqueness of the address. It is generated pseudo-randomly
and must not be sequential. Because ULAs should not be
globally routed, they do not need to be aggregated, so
sequential global IDs are not necessary *
Prefix= FC00::/7
L=1 表示Local
L=0 保留中
1111110 L
Global ID subnet ID
7 bits 1 bits40 bits
16 bits
interface ID
64 bits
Multicast IPv6 addresses
z
z
z
Multicast address can not be used as source or as
intermediate destination in a Routing header
low-order Transient(T) flag indicates permanent
(T=0) / transient(T=1) group; three other flags
reserved
Scope field
‰
‰
‰
‰
‰
‰
1: node-local
2: link-local
5: site-local
8: organization-local
E: global
Others: reserved
11111111 flags scope
8
4
4
group ID
112 bits
Anycast IPv6 address
z
z
z
z
z
Assigned to multiple interface
Only used as destination address
Only assigned to router
anycast addresses are indistinguishable from unicast
Subnet-router anycast address is predefined and
requires
Subnet Prefix
n bits
000…000
128 - n bits
Other IPv6 addresses
z
Solicited-node address
‰
‰
Facilitates the efficient query of network node
during address resolution
Prefix= FF02::1FF00/104 and the last 24-bits of
IPv6 address
Global Unicast Address
Network ID
Interface ID
Copy
64 bits
FF02
0000
0000
0000
0000
FF02::1:FF00:0000/104
0001
FF
24 bits
Dualstack TCP/IP Protocol Suite
IPv6 vs. IPv4 Packet Data Unit
maximum
65535 octets
minimum
20 octets
IPv4 Header
Data Field
IPv4 PDU
maximum
65535 octets
Fixed
40 octets
IPv6 Header
0 or more
Extension
Header
Extension
Header
IPv6 PDU
Transport-level PDU
Comparison of IPv4 and IPv6 Header
IPv6 Packet Header
IPv4 Packet Header
Ver IHL
Service
Type
Total Length
Identification
Flags
TTL
Header Checksum
Protocol
Source Address
Offset
Ver
Traffic
Class
Payload Length
Flow Label
Next
Header
Source Address
Destination Address
Options + Padding
32 bits
Destination Address
Hop
Limit
Summary of Header Changes between IPv4 & IPv6
z
z
z
Streamlined
¾
Fragmentation fields moved out of base header
¾
IP options moved out of base header
¾
Header Checksum eliminated
¾
Header Length field eliminated
¾
Length field excludes IPv6 header
¾
Alignment changed from 32 to 64 bits
Revised
¾
Time to Live t Hop Limit
¾
Protocol t Next Header
¾
Precedence & TOS t Traffic Class
¾
Addresses increased 32 bits t 128 bits
Extended
¾
Flow Label field added
IPv6 extension header
40 octets
IPv6 Header
0 or more
Extension
Header
Extension
Header
Transport-level PDU
IPv6 PDU general form
z
z
z
z
z
z
Hop-by-hop options header
Routing header
Fragment header
Authentication header
Encapsulating security payload header
Destination options header
IPv6 extension header(cont.)
Octets:
z
40
IPv6 header
Hop-by-hop options header
Variable
IPv6 specification
recommended order:
‰
‰
Variable
Routing header
‰
8
Fragment header
Authentication header
Encap security payload header
Variable
Variable
‰
Variable
‰
‰
TCP header
Application data
‰
Variable
= Next header
field
IPv6 packet with all extension headers
‰
IPv6 header
Hop-by-hop options
header
Destination options
header(for intermediate
destination when the
routing header is present)
Routing header
Fragment header
Authentication header
Encapsulation security
payload header
Destination options
header(for final
destination)
ICMPv6
z
ICMPv6 messages (RFC4443)
‰
ICMPv6 error messages
„
„
„
„
‰
Destination Unreachable (message type 1)
Packet Too Big (message type 2)
Time Exceeded (message type 3)
Parameter Problem (message type 4)
ICMPv6 informational messages
„
„
Echo Request (message type 128)
Echo Reply (message type 129)
Minimum MTU
z
Link MTU
‰
z
Path MTU
‰
z
z
z
A link’s maximum transmission unit(ex: the max IP packet
size that can be transmitted over the link)
The minimum MTU of all the links in a path between a
source and a destination
Minimum link MTU for IPv6 is 1280 octets vs 68
octets for IPv4
On links with MTU < 1280, link-specific
fragmentation and reassembly must be used
On links that have a configurable MTU, it’s
recommended a MTU of 1500 bytes
Path MTU Discovery
z
z
RFC 1981
Implementations are expected to perform path MTU discovery
to send packets bigger than 1280 octets
‰ For each destination, start by assuming MTU of first-hop
link
If a packet reach a link in which it can’t fit, will invoke
ICMP “packet too big” message to source, reporting the
link’s MTU; MTU is cached by source for specific
destination
‰ Occasionally discard cached MTU to detect possible
increase
Minimal implementation can omit path MTU discovery as long
as all packets kept <= 1280 octets
‰ Ex: in a boot ROM implementation
‰
z
Neighbor Discovery(ND)
z
z
z
z
z
RFC 2461
Node(Hosts and Routers) use ND to determinate
the link-layer addresses for neighbors known to
reside on attached links and quick purge cached
valued that become invalid
Hosts also use ND to find neighboring router that
willing to forward packets on their behalf
Nodes use the protocol to actively keep track of
which neighbors are reachable and which are not,
and to detect changed link-layer addresses
Replace ARP, ICMP Router Discovery, and ICMP
Redirect used in IPv4
IPv6 ND processes
z
Router discovery
‰
‰
z
Prefix discovery
‰
‰
z
Discovery additional parameter(ex: link MTU, default hop
limit for outgoing packet)
Address autoconfiguration
‰
z
Discovery the network prefix
Equivalent to ICMPv4 Address Mask Request/Reply
Parameter discovery
‰
z
Discover the local hosts on an attached link
Equivalent to ICMPv4 Router Discovery
Configure IP address for interfaces
Address resolution
‰
Equivalent to ARP in IPv4
IPv6 ND processes(cont.)
z
Next-hop determination
‰
‰
z
z
Neighbor unreachable detection(NUD)
Duplicate address detection(DAD)
‰
z
Destination address, or
Address of an on-link default router
Determine that an address considered for use is not
already in use by a neighboring node
First-hop Redirect function
‰
‰
Inform a host of a better first-hop IPv6 address to reach a
destination
Equivalent to ICMPv4 Redirect
ND message format
z
z
5 ND messages:
‰ Router solicitation
‰ Router Advertisement
‰ Neighbor Solicitation
‰ Neighbor Advertisement
‰ Redirect
All ND message are send with hop limit= 255.
‰ If it is not set to 255, the message is silently discarded
‰ Provide Protection from ND-based network attacks launched from
off-link nodes
‰ Router can not have forwarded the ND message from an off-link
node
Address autoconfiguration
z
z
The autoconfiguration for link-local addresses is only specified for
hosts. Routers must obtain through manual configuration
Three type of autoconfiguration
‰
‰
‰
‰
Based on receipt Router Advertisement message
Stateless
„ and one or more prefix information
„ Both Managed address configuration and Other stateful
configuration flag=1
Stateful
„ no prefix information
„ Either Managed address configuration or Other stateful
configuration flag=1
„ DHCPv6
Both
„ and one or more prefix information
„ Either Managed address configuration or Other stateful
configuration flag=1
Serverless Autoconfiguration(“Plug-inzPlay”)
Hosts can construct their own addresses:
subnet prefix(es) learned from periodic multicast
advertisements from neighboring router(s)
‰ interface IDs generated locally
‰
MAC addresses : pseudo-random temporary
Other IP-layer parameters also learned from router
adverts (e.g., router addresses, recommended hop
limit, etc.)
Higher-layer info (e.g., DNS server and NTP
server addresses) discovered by multicast /
anycast-based service-location protocol [details
being worked out]
DHCP also available for those who want more
control
‰
z
z
z
Auto-Reconfiguration(“Renumbering”)
z
New address prefixes can be introduced, and old ones
withdrawn
‰ we assume some overlap period between old and new,
i.e., no “flash cut-over”
hosts learn prefix lifetimes and preference order from
router advertisements
‰ old TCP connections can survive until end of overlap;
new TCP connections can survive beyond overlap
Router renumbering protocol, to allow domain-interior routers
to learn of prefix introduction / withdrawal
New DNS structure to facilitate prefix changes
‰
z
z
Reference
z
z
IETF
Books
‰
‰
‰
‰
O’reilly, “IPv6 Essentials” Second Edition , 2006
O’reilly, “IPv6 Network Administration”, 2005
Cisco Press, “Deploying IPv6 Networks”, 2006
Apress, “Running IPv6”, 2006
Lab – IPv6 Enable
z
Boot time enabling of IPv6 with autoconfig
OS
Enable IPv6 at boot (with autoconf where possible)
Solaris
Create an empty /etc/hostname6.ifname
Red Hat
Add NETWORKING_IPV6="yes" to /etc/sysconfig/network.
AIX
Use smit or chrctcp to enable autoconf6 and ndpd-host under: Communications
Applications and Services
TCP/IP
IPV6 Configuration
IPV6
Daemon/Process Configuration.
WinXP
ipv6 install
Win2003
netsh interface ipv6 install
FreeBSD
Add ipv6_enable="YES" to /etc/rc.conf.
Mac OS X
Enabled by default (see /etc/hostconfig).
Tru64
Use ip6_setup to start IPv6 on an interface or edit /etc/rc.config directly.
IOS
conf term interface if number ipv6 enableYou may also want ipv6 unicast-routing.
JUNOS
set interfaces if unit no family inet6 address addr
Lab – IPv6 Enable
z
Runtime enabling of IPv6 with autoconfig
OS
Runtime IPv6 enable (with autoconf where possible)
Solaris
ifconfig ifname inet6 plumb up and then run /usr/lib/inet/in.ndpd.
Linux
Load kernel module with insmod ipv6 then sysctl
net.ipv6.conf.ifname.accept_ra=1.
AIX
autoconf6 -a followed by ndpd-host.
WinXP
ipv6 install
Win2003
netsh interface ipv6 install
FreeBSD
sysctl net.inet6.ip6.accept_rtadv=1
Mac OS X
sysctl -w net.inet6.ip6.accept_rtadv=1
Tru64
Ensure kernel contains IPv6, ifconfig ifname ipv6 upand then run nd6hostd.
IOS
conf term interface if number ipv6 enableYou may also want ipv6 unicastrouting.
JUNOS
set interfaces if unit no family inet6 address addr
Lab – IPv6 Enable
z
Manual IPv6 addressing at boot time
OS
Manual assignment of address at boot
Solaris
Add hostname and IPv6 address to /etc/inet/ipnodes and then put hostname in
/etc/hostname6.ifname.
AddIPV6INIT="yes" IPV6ADDR="2001:db8::1/64"
Red Hat
to /etc/sysconfig/network-scripts/ifcfg-ifname.
AIX
Use the Communications Applications and Services
TCP/IP
IPV6
Configuration
IPv6 Network Interfaces menu in smit to set the address, or use chdev
to set the "netaddr6" attribute on the interface.
WinXP
ipv6 adu ifindex/2001:db8::1
Win2003
netsh interface ipv6 add address interface=ifindex 2001:db8::1
FreeBSD
Add ipv6_ifconfig_ifname="2001:db8::1 prefixlen 64" to /etc/rc.conf.
Mac OS
X
No specific technique, but could use Startup Items.
Tru64
Can be set using ip6_config or using IP6IFCONFIG_, NUM_IP6CONFIG, and IP6DEV_
in /etc/rc.config.
IOS
conf term interface if number ipv6 address 2001:db8::1/64
JUNOS
set interfaces if unit no family inet6 address 2001:db8::1/64
Lab – IPv6 Enable
z
Manual IPv6 addressing at runtime
OS
Manual assignment of address at runtime
Solaris
ifconfig ifname inet6 addif 2001:db8::1/64 up
Linux
ip addr add 2001:db8::1/64 dev eth0
AIX
ifconfig ifname inet6 2001:db8::1/64
WinXP
ipv6 -p adu ifindex/2001:db8::1
Win2003
netsh interface ipv6 add address interface=ifindex 2001:db8::1
FreeBSD
ifconfig ifname inet6 2001:db8::1 prefixlen 64 alias
Mac OS X
ifconfig ifname inet6 2001:db8::1 prefixlen 64 alias
Tru64
ifconfig ifname ipv6ifconfig ifname inet6 2001:db8::1
IOS
conf term interface if number ipv6 address 2001:db8::1/64
JUNOS
set interfaces if unit no family inet6 address 2001:db8::1/64
Lab – IPv6 Enable
z
Displaying IPv6 interface information
OS
Showing configured addresses
Solaris
ifconfig -a
Linux
ifconfig -a
AIX
ifconfig -a
WinXP
ipv6 if
Win2003
ipconfig
FreeBSD
ifconfig -a
Mac OS X
ifconfig -a
Tru64
ifconfig -a
IOS
show ipv6 interface
JUNOS
show interfaces
Lab – IPv6 Enable(cont.)
z
Testing with ping and telnet
OS
ping
traceroute
Solaris
ping -A inet6 -i if
traceroute -A inet6
Linux
ping6 -I if
traceroute6
AIX
ping
traceroute
WinXP
ping6
tracert6
Win2003
ping
tracert
FreeBSD
ping6 -I if
traceroute6
Mac OS X
ping6 -I if
traceroute6
Tru64
ping -V 6 -I if
traceroute -V 6
IOS
ping ipv6
traceroute ipv6
JUNOS
ping inet6
traceroute inet6
Lab – IPv6 Enable(cont.)
z
Displaying IPv6 neighbors
OS
Showing neighbor cache
Solaris
netstat -p
Linux
ip -f inet6 neigh
AIX
ndp -a
WinXP
ipv6 nc
Win2003
netsh interface ipv6 show neighbors
FreeBSD
ndp -a
Mac OS X
ndp -a
Tru64
netstat -N
IOS
show ipv6 neighbors
JUNOS
show ipv6 neighbors
Lab – IPv6 Enable(cont.)
z
Displaying IPv6 routes
OS
Showing routes
Solaris
netstat -rn
Linux
ip -f inet6 route
AIX
netstat -rn
WinXP
ipv6 rt
Win2003
netsh interface ipv6 show routes
FreeBSD
netstat -rn
Mac OS X
netstat -rn
Tru64
netstat -rn
IOS
show ipv6 route
JUNOS
set route forwarding-table family inet6
Lab – IPv6 Enable(cont.)
z
Configuring IPv6 Resolver
OS
Enabling IPv6 transport resolver
Solaris
No support.
Linux
Edit /etc/resolv.conf
AIX
No support.
WinXP
Use netsh interface ipv6 add dns ifnameserver IP
Win2003
Use netsh interface ipv6 add dns ifnameserver IP
FreeBSD
Edit /etc/resolv.conf
Mac OS X
Not supported in Jaguar.. Supported on Panther through network
control panel or by editing /etc/resolv.conf.
Tru64
No support.
IOS
The ip nameserver command accepts IPv6 addresses.
JUNOS
set system name-server v6addr
Lab – IPv6 Enable(cont.)
z
Static IPv6 address to hostname mapping
OS
IPv6 hosts file
Solaris
/etc/inet/ipnodes
Linux
/etc/hosts
AIX
/etc/hosts
WinXP
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
Win2003
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
FreeBSD
/etc/hosts
Mac OS X
/etc/hosts
Tru64
/etc/ipnodes
IOS
The ipv6 host command adds static entries to the host name
cache.
JUNOS
set system static-host-mapping hostname inet6 v6addr
IPv6/IPv4
Transition 機制
現有網際網路的應用服務架構
現有IPv4服務環境的限制
z
z
z
z
IPv4無法提供目前網際網路連線所需要的位址空間
IPv4 依靠Broadcast的機制，對網路及伺服器效能產生
Overhead
IPv4 沒有普遍被公認而應用於網路設備及應用系統的
Quality of Service管理機制。
IPv4 在傳輸時的資料安全性不足
以上所提之限制，只包含了IPv4缺點之一部份，但已足夠
說明IPv4是一個無法滿足未來網際網路需求的通訊協
定。IPv6對於以上的缺點，均內建了解決方案。
IPv6可解決的問題
在技術問題上，可消除IPv4位址不足，移動性
不足的限制。並使用Qos及IPSec的機制提高重
要服務的傳輸品質與資料傳輸安全
z 在經營問題方面，可降低ISP業者的營運成本
與克服NAT障礙而產生的技術成本，並可為使
用者創造新的服務。
使用IPv6來解決目前IPv4所產生的問題，會較
研發IPv4的新技術來解決IPv4的問題更為有
效，並對ISP業者的投資更有保障。
z
三大類過渡技術
1.
2.
3.
IPv6/IPv4 Dual Stack (即在同一條線路上，同
時提供IPv6及IPv4的通訊協定)
Tunneling (即在現有的兩個IPv4的端點間，
建IPv6的隧道，使兩端後的使用Dual Stack作
業系統的使用者能以IPv6互通)
Translator(理論上，透過轉換機制可讓僅支援
IPv4的使用者，可與僅支援IPv6的HOST連
線，並讓僅支援IPv6的使用者，與僅支援
IPv4的HOST連線)
三大過渡技術示意圖
圖片來源:IPv6 技術理論與實務研習班: IPv4/IPv6轉移機制介紹講義
Dual Stack Mode
IPv6/IPv4 Dual Stack Mode
在現階段和一段很長遠的未來，IPv6/IPv4 Dual Stack
Mode 已經不能算是過渡技術了。而是一種絕對必要的
技術。一方面是未來的網際網路將是IPv6與IPv4共存的
世界，適合採用IPv4的應用將仍然使用IPv4, 適合採用
IPv6的應用將使用IPv6推動 , 另一方面因為目前國際上
的IPv6 DNS解析機制的標準尚未完成，IPv6 DNS的註冊
機制也未完成，進而大部份的作業系統(如Windows XP)
也尚未將由IPv6進行DNS Query的機制導入。在目前的
情況下，使用Native IPv6 mode 將無法有效的進行DNS
解析，導致IPv6服務無法運作。也就是在目前與可見的
未來之大環境下，使用者端一定要使用Dual Stack Mode
否則無法使用IPv6網路服務。
Dual Stack Mode 示意圖
圖片來源:IPv6 技術理論與實務研習班: IPv4/IPv6轉移機制介紹講義
Routing protocols
TCP/UDP
Applications
IPV4
TCP/UDP
IPV4
IPV6
Device Driver
IPV6
Device Driver
V4/V6
V4/V6
network
network
V6
V6
network
network
V4/V6
V4/V6
network
network
V4
V4
network
network
Tunneling
Tunneling 系統的元件
Tunnel 大致包含了下列元件
a.
Tunnel Server: 提供Tunnel 服務之局端設備
b.
Tunnel Client: 與Tunnel Server建立連線，並由
Tunnel Server取得IPv6網址之使用者端網路設備
c.
Tunnel Broker (optional for tunnel service, but required
for tunnel: 用來進行Tunnel Server的認証機制，經用
Tunnel Broker的管制可以僅讓有權限的Tunnel Client
能夠與Tunnel Server連線
Tunnel 的種類(一)
圖片來源:IPv6 技術理論與實務研習班: IPv4/IPv6轉移機制介紹講義
z
Configured Tunnel: 手動設定之Tunnel
適用於ISP與企業用戶間的IPv6 Tunnel連線
優點:安全性高，可支援IPv6 Multicast
缺點:設定之工作負擔很重
IPv4 Networks
IPv6 Island
Dual-stack
node
IPv6 H Payloa
d
IPv6 Island
IPv4 Tunnel
Dual-stack
IPv4 H IPv6 H Payloa
d
node
IPv6 H Payloa
d
Tunnel 的種類(二)
圖片來源:IPv6 技術理論與實務研習班: IPv4/IPv6轉移機制介紹講義
z
Automatic Tunnel
WinXP現在支援ISATAP，以及6to4與Teredo三種Tunnel模式
Dual-stack
IPv6 Island node
4
IPv
el
n
n
Tu
Dual-stack
node
IPv4 Internet
IPv6 H
Payload
IPv4 H
IPv6 H
Payload
Automatic Tunnel
ISATAP:
優點: 使用者完全不用進行設定，適用於企業內部網路之步署。可
為Private IPv4使用者提供Public IPv6 之位址, Cisco路由器支援
缺點: 安全性不足,會造成Bottle Neck。但如配合Firewall使用，即
為安全性最佳之解決方案。
6to4:
優點: 適用於WAN端連結，Cisco路由器支援
缺點: 安全性不足，網際網路連線能力不足，沒有Business Model
Teredo:
優點:可以讓在IP分享器後之虛擬IP Tunnel Client 與使用Public IP之
Teredo Tunnel Server 建立IPv6 Tunnel
缺點: 使用者需進行設定、安全性不足、難以控管、會造成Bottle
Neck、 Cisco路由器不支援。
Tunnel Broker System
由於Automatic Tunnel 無法有效進行安全管
控，而Configured Tunnel 需要太多的手動設
定。而造成ISP不願意提供IPv6 Tunneling
Service. Tunnel Broker 可為Configured Tunnel
及網管人員提供較佳的管理方式，使IPv6
Tunneling Service的商業化提供了可行的途
徑。但對一般使用者而言，仍然不夠方便。
圖片來源:IPv6 技術理論與實務研習班: IPv4/IPv6轉移機制介紹講義
Tunnel Broker 系統示意圖
DNS
伺服器
(3)
Tunnel
Client
(2)
(1)
Tunnel Broker
(4)
IPv6 over IPv4 隧道
隧道終點
IPv4網路
Tunnel
Server
IPv6 Island
IPv6
隧道終點
其他Tunnel 服務系統
Hexago Migration Broker
使用TSP通訊協定，其Client程式可免費下載，並完
全支援Windows XP, FreeBSD及Linux三種作業系
統。並提供免費的IPv6 Tunnel 服務。可支援Client
Mode及Router Mode。 http://www.hexago.com 中央
研究院有提供免費的Server服務。
http://tb2.ipv6.ascc.net
Translator
「Copyright 2006 ITRI工業技術研究院」
Translator的功用
1.
2.
3.
IPv6在根本上改進了IPv4原有的缺點，並移除了原
來IPv4最仰賴的Broadcast機制。因此原有在IPv4上
的應用必須重寫才能支援IPv6.
為了讓原IPv4的應用可以用到IPv6網路上，必須要
經過Translator的轉換，將IPv4的模式及IPv6的模式
相互轉換，才有機會讓應用程式能夠互通
很多應用程式在IPv6時的編寫標準與IPv4不時是有
差異的，必須要靠依據個別程式的特性，打造其專
屬的轉換機制
Translator 技術一覽
z
z
z
z
z
z
RFC 2765: Stateless IP/ICMP Translation Algorithm (SIIT)
RFC 2766: Network Address Translation - Protocol Translation (NATPT)
RFC 2767: Dual Stack Hosts using the Bump-in-the-Stack technique
RFC 3338: Dual Stack Hosts Using "Bump-in-the-API (BIA)
RFC 3089: A SOCKS-based IPv6/IPv4 Gateway Mechanism
RFC 3142: An IPv6-to-IPv4 transport relay translator
但目前實際上被大部份路由器及防火牆廠商接受的只有SIIT, NATPT以及其外掛之Application Layer Gateway, 因此以下僅企紹NATPT及其相關技術
SIIT
圖片來源:IPv6 技術理論與實務研習班: IPv4/IPv6轉移機制介紹講義
SIIT 為ICMPv6及ICMPv4之間的轉換技術，使IPv6與IPv4的使用者
能夠互相Ping到對方
NAT-PT
類似IPv4的NAT 機制及Virtual Server的概念
為IPv4的HOST, 在NAT-PT的IPv6端，定義其Virtual
Public IPv6位址
為IPv6的HOST, 在NAT-PT的IPv4端，定義其Virtual
IPv4位址(Public或Private都可以，適應用場合而定)
因此 對IPv4 HOST而言，對方被視為IPv4 HOST
對IPv6 HOST而言，對方也被視為IPv6 HOST, 而達到互
動之目的
NAT-PT 示意圖 (IPv4 > IPv6)
圖片來源:IPv6 技術理論與實務研習班: IPv4/IPv6轉移機制介紹講義
DA:2001:230::2
SA:aaaa::129.254.15.15
DA:132.146.134.184
SA:129.254.15.15
DNS(v4)
129.254.15.15
DNS response
resource data(132.146.134.180)
TRANSLATOR
resource data
(2001:230::1)
prefix aaaa::/96
DNS(v6)
2001:230::2
IPv6
IPv4
v6.opicom.co.kr ?
DA:132.146.134.180
SA:129.254.165.141
DA is changed to mappied address
SA is added and removed prefix/96
DA:2001:230::1
SA:aaaa::129.254.165.141
v4.etri.re.kr
129.254.165.141
132.146.134.184
v6.opicom.co.kr
2001:230::1
2001:230::2
DNS static Mapping
132.146.134.180
0001
132.146.134.181
0002
132.146.134.180
2001:230::1
Mapping table
POOL of IPv4 ADDRESS
After mapping is verified either it is existed or not,
DNS-ALG makes the mapping table of IPv4 inside resource data
NAT-PT 示意圖 (IPv6 > IPv4)
圖片來源:IPv6 技術理論與實務研習班: IPv4/IPv6轉移機制介紹講義
DA:129.254.15.15
SA:132.146.134.184
DNS(v4)
129.254.15.15
resource data
(129.254.165.141)
DA:aaaa::129.254.15.
15
SA:2001:230::2
TRANSLATOR
resource data
(aaaa::129.254.165.141)
prefix aaaa::/96
IPv4
DNS(v6)
2001:230::2
v4.etri.re.kr ?
IPv6
DA:129.254.165.141
SA:132.146.134.180
SA is changed to mappied address
DA is added and removed prefix/96
DA:aaaa::129.254.165.141
SA:2001:230::1
v6.opicom.co.kr
2001:230::1
v4.etri.re.kr
129.254.165.141
132.146.134.184
2001:230::2
DNS static Mapping
132.146.134.180
0001
132.146.134.181
0002
132.146.134.180
2001:230::1
Mapping table
POOL of IPv4 ADDRESS
After mapping is verified either it is existed or not,
NAT-PT makes the mapping table of IPv6 source address
Application Layer Gateway
z
z
由以上兩圖所示，已經表現了DNS-ALG在
NAT-PT系統之關鍵性地位。
由於IPv6與IPv4在先天上的不同，因此不同的
應用程式需要不同的ALG
目前在Router及相關轉換設備上常見的ALG有
Http-ALG, FTP-ALG, DNS-ALG, SIP-ALG, RTPALG等。
Translator 技術之限制
1. 現實上，不可能為每一個Application都寫出
其特定的ALG，因此Translator技術僅適用於特
定的情境，可作為ICP以IPv4 only的WebServer及FTP Server提供Content給IPv6使用
者，或ITSP業者以現有IPv4平台提供服務給
VoIPv6使用者等服務之解決方案。
2. 只能進行特定對特定或不特定對特定之轉
換，無法提供不特定對不特定或特定對不特定
之轉換
Thank You