Professional Documents
Culture Documents
Danny Santiago Guamn Loachamn UPM Dpto. de Ingeniera de Servicios Telemticos ds.guaman@alumnos.upm.es Abstract. This paper begins with a brief discussion of the importance of IPv6 deployment and implementation of transition mechanisms through tunnels. In this paper were analyzed three specific cases: 6to4, 6RD and Teredo. In each transition mechanism are described: the scenario in which can be implemented, requirements, model of operation and security considerations. These transition mechanisms have problems when the client's local network behind a NAT. Then described the types of NATs: Full Cone, Restricted Cone, Port Restricted Cone and Symmetric NATs. Also, it describes a technique to cross NAT: Session Traversal Utilities for NAT (STUN) which is used by Teredo. Teredo does not work with symmetric NAT, but this paper presents a proposal for traversing this type of NAT, it is called SymTeredo. Finally, a comparison is made between the three transition mechanisms. It concludes that 6RD provides better performance than 6to4, and that Teredo should be considered as a last resort mechanism because it has poor performance.
1. Introduction
On February 3, 2011 Rod Beckstrom, President of the Internet Corporation for Assigned Names and Numbers (ICANN), announced that had been delivered the last five IPv4 address blocks to Regional Internet Registries [1]. This event has already announced from the 90s shows that the exhaustion of public IPv4 addresses is a reality. So the question arises: We begun IPv6 deployment around the world? The answer to this question is relative and depends on the region where we do. The urgency exists in the regions where to get an IPv4 address is not easy and where the proliferation of new services and the number of mobile devices are growing at an accelerated rate [2]. So it is very important to start with the deployment of IPv6 around the world now!. There are several enhancements that IPv6 offers in addition to increasing the address length: more efficient routing mechanism, better support for security, quality of service, improved mobility, etc. It also opens a range of possibilities for innovation and development of new services and applications. Lowering costs and reducing time in the development of such applications due to return to the principle end-to-end [3]. Another reason is that the Internet is growing faster and converged services: telephony, multimedia, data, Internet of things, all over IP. It presents a great opportunity to innovate and create new applications and services and not limited ourselves by those limitations that impose the IP version 4. However, although several companies in some countries are aware of the exhaustion of IP addresses, they do not know what the next step. Implement one of the many transition mechanisms? Or maybe,
implement a mechanism to increase the time of IPv4, such as Carrier Grade NAT [4] access networks?. If we will decide to go for the second option, Geoff Huston (2011) says: "The risk here is that after making this additional capital investment in Carrier Grade NAT infrastructure, the ISP will be very motivated to protect the value of this investment and will not an effort to implement IPv6 ". In this case an increase of NAT-level - will result in a degradation of service to clients and the opportunity to innovate with new applications and services would be impractical or too expensive because it goes against the principle end-to-end. The first option, without a doubt, the most successful. Compared with Carrier Grade NAT, IPv6 is the only strategy that ensures the continued growth of the Internet, improving simplicity and innovation through connectivity end-to-end.. But the transition must start now!, this transition is not instantaneous it takes time. The transition from Google's internal network began in 2008 and still continue with some drawbacks. Around 95% of the engineers accessing at the corporate network have IPv6 access [5]. In any case, for those who have decided to begin the transition to IPv6, there are several alternatives when choosing a transition mechanism [6]. This paper describes three transition mechanisms through tunnels: 6to4 [7], 6RD [8] and Teredo [9]. These mechanisms could be very useful, because they allow to have IPv6 connectivity even if your ISP does not support native IPv6. Teredo is a transition mechanism that allows IPv6 connectivity, even if it is behind a NAT. Therefore, in the following section describes the types of NAT and a technique called STUN (Session Traversal Utilities for NAT) to traverse[10].
the port restriction. In other words an external host can send packets to the internal host only if the internal host previously sent a packet to a specific IP address and port of the external host. In Figure 3, once the host A with internal address (IPa:Pa) is mapped to the external address (IPb:Pb), any packets from IPa:Pa always be mapped to the external address IPb:Pb. In addition, an external host (IPs1: Pc) can send packets to the internal host A (IPa:Pa) only if previously the host A has sent a packet to IP address and port of the external host IPs1:Pc. Any package delivered from any other host (IPs2:Pd) or any other port (IPs1:Pd) will be rejected.
three less restrictive types of NAT: Full Cone, Restricted Cone and Port Restricted Cone NATs. One of the major limitations of this technique is that it does not work with Symmetric NAT. STUN allows a client to know if it is behind a NAT and what kind is this. Requires a STUN server and client. The STUN server is located on the Internet and has two ports and two IP addresses (See Figure 5). STUN operation is based on four types of tests, and these are detailed in the following sections.
the client is behind a Symmetric NAT and ends the process. If match is passed to the last Test.
3.4 Test IV
T4-1: The STUN client sends a request to the STUN server address IP1 and Port 1. Also requests the server to send the response using the same IP, but through Port 2. T4-2: The server responds using the address IP1 and port 2. STUN Client: If it receives the answer T4-2, then it concludes that the client is behind a Restricted Cone NAT. If no response is received, then it concludes that the client is behind a Port Restricted Cone NAT.
4. 6to4
Figure 5. Session traversal utilities for NAT.
3.1 Test I
T1-1: The STUN client sends a request to the STUN server address IP1 and Port 1. T1-2: The server responds with a message whose payload contains the source IP address and port of the request T1-1. STUN Client: If not T1-2 response is received, perhaps the firewall may be blocking UDP traffic. If T1-2 response is received and IP address and port contained in the payload match the local IP address and port of the client, it is concluded that there is not NAT in the path and ends the process. If the values differ, the client concludes that there is a NAT in the path and performs the following test to determine the type of NAT.
6to4 is a transition mechanism through tunnels which encapsulates IPv6 packets within IPv4 packets so that it can pass through IPv4-only networks and to allow IPv6 traffic through ISPs that only offer IPv4 service. The protocol number of the IPv4 header should be 41, which is reserved for tunneling IPv6 packets. The IPv6 address of a 6to4 host accessible has the prefix 2002::/16. It carries a IPv6 address corresponding IPv4 address, as shown in Figure 6. For example, the address 2002:BF50:4143::1 /128 contains the 6to4 prefix 2002 and the IPv4 address 191.80.65.67 (BF50:4143).
0x2002 Address IPv4 Customer site ID Subnet ID Interface
16 bits
32 bits
16 bits
64 bits
3.2 Test II
T2-1: The STUN client sends a request to the STUN server address IP1 and port 1. Unlike T1-1, the client requests the server which send the answer using the address IP2 and Port 2. To achieve this in the request must send certain parameters [10]. T2-2: The server responds using the address IP1 and port 1. STUN Client: If it receives the T2-2 response then it concludes that it is behind a Full Cone NAT, and ends the process. If no response is received Test III is performed.
sent to the anycast address 192.88.99.1, which is the nearest 6to4 relay. T-3: The relay discards the IPv4 header and extracts the IPv6 packet. Then it is routed to the server as any IPv6 packet. T-4: The server sends the response to the address 2002:C001:0607::100. The route to the IPv6 prefix 2002:: / 16 is announced by the relay, then the answer will be directed to him. T-5: The relay receives the packet and encapsulates the IPv6 packet within an IPv4 packet. The protocol number is 41. The source IPv4 address is the address IPv4 of the relay, and the destination address is 192.1.6.7 (It is extracted from the IPv6 destination address of T-5). T-6: Finally, the 6to4 router discards the IPv4 header and extracts the IPv6 packet, routed to the host 2002:C001:0607::100. The main difference between the two scenarios mentioned above is that in the simple scenario 6to4 routers do not use an IPv6 exterior routing protocol, while in the second scenario, the relay must advertise the prefix 2002:: / 16 to their peers.
supports IPv6 on the client side and 6RD on the ISP side. These changes solve the problem because the ISP itself manages all 6RD network infrastructures and allows input of packets arriving from the IPv6 Internet to Gateway 6RD only if they are destined to a site's ISP.
2) The 6RD Gateway should not use the same anycast address 192.88.99.1, the ISP must choose a different anycast address, for example in Figure 9 uses the anycast address 192.88.99.102. 3) The most important difference is perhaps that 6RD Gateway are located within the ISP's network infrastructure.
32 bits
32 bits
64 bits
6RD must consider threats of Spoofing and Denial of Service (DoS), but are less common and more difficult to perform compared to 6to4. At this point I would like to mention a problem that has 6RD and is not necessarily a security threat. The problem is that sometimes 6RD is against policies address assignment an RIR. The reason is that an RIR normally assigned an IPv6 address prefix /32 to an ISP. According to what was described in section 5, after of 32 bits assigned by the RIR the next 32 bits are the IPv4 address of the site. Then, the address would complete the first 64 bits and there are no bits for subnets. Two solutions have been proposed: one is that the RIR allocated IPv6 address with a prefix smaller and the other solution is to not use the IPv4 address of 32 bits, discarding the redundant prefix [8].
5. Teredo
Teredo is a tunneling transition mechanism that encapsulates IPv6 packets within a UDP IPv4 packets. Thus a packet can traverse an IPv4-only network, and enable IPv6 traffic through ISPs that only offer IPv4 service. The IPv6 address Teredo host has a prefix 2001:0000::/32 (See Figure 10). This IPv6 address contains: the Teredo server IPv4 address, a flag to indicate if the host is behind a NAT (most significant bit set to 1), and the public IPv4 address and port mapped by NAT device. These public IPv4 address and port mapped have bits reversed for obfuscation mechanism [9]. The structure is shown in Figure 6.
Teredo Server IPv4 Port mapped by NAT IPv4 mapped by NAT
5.2 Requirements
1) Home Gateway 6RD provided by the ISP. It is located between the IPv6 site and the IPv4 ISP network. 2) Each site should have an IPv6 prefix provided by a Regional Internet Registry (RIR). 3) Each site must have at least one IPv4 Internet (V4ADDR). 4) Site A and Site B should be able to send IPv4 packets with protocol type 41 between them. 5) A 6RD Relay allows the transit of packets from 6RD site to a native IPv6 network.
0x20010000
Flags
32 bits
32 bits
16 bits
16 bits
32 bits
For example, in the Teredo client IPv6 address 2001:0000:BF50:4143:8000:63BF:3FFF: FDD2/128: 2001000 is the IPv6 prefix, BF504143 (191.80.65.67) is the Teredo server IPv4 address, 8000 indicates that it is behind a NAT (the most significant bit set to 1), 63BF (after investing the bits: 40000) is the port mapped by NAT, and 3FFFFDD2 (after investing the bits: 192.0.2.45) is the address mapped by NAT. See Figure 11.
mapped the addresses 192.0.2.45:40000 to 192.168.1.100:3800 according to the address mapping table.
6. SymTeredo
SymTeredo [11] is an extension of Teredo for traversing the Symmetric NAT. Requires slight modifications in the Teredo Relay and the Teredo Client, but is compatible with the current protocol. No changes in the Teredo server.
5.2 Requirements
1) Teredo Server is used by Teredo clients to identify if this is behind a NAT, and identify what type it is. This uses a simplified version of STUN described in Section 3. 2) Teredo client is a dual stack host and must be assigned an IPv6 address (prefix 2001:0000::/32). 3) Teredo relay must advertise the prefix 2001:000:: / 32 to their peers IPv6.
6.1 Problem
In the NAT table in Figure 12, when the Teredo client is behind a Symmetric NAT, it generates two different mappings: the first (port 40000) when it communicates with the Teredo server and the second (port 50000) when this communicates with the Teredo relay. According to the mode of operation described in section 5.3, when a native IPv6 host try to communicate with Teredo client, the relay will send packets to 192.0.2.45:40000 without success. Thus the goal of SymTeredo is to discover the correct address and port (192.0.2.45:50000) at which the relay should send the packets.
6.2 Modifications
Teredo client modification: The acquired IPv6 address includes a symmetric flag 0x4000 instead of 0x8000 to indicate that the NAT server is symmetric. In Figure 12, the address is 2001:0000:BF50:4143:4000:63BF:3FFF:FDD2. Changes in the Teredo relay: Maintains a addresses cache, their use is described in the next section.
SymTeredo Client (192.0.2.45:40000), but the source IPv4 address and port belong to the Teredo server (191.80.65.67:3544). Therefore the packet through the NAT.. T-6: SymTeredo client discards the UDP IPv4 header and get the Bubble message. The source address of Bubble menssage is the IPv6 address of the relay SymTeredo (contains its own IPv4 address). The SymTeredo client sends a reply packet to the SymTeredo relay, T-7: When the response packet through the NAT, it creates a new mapped address in the NAT table. The new address can be used by the SymTeredo relay to achieve the SymTeredo client. T-8: The relay SymTeredo once receives the response, stores the source IPv4 address and source UDP port in the addresses cache. Where the client IPv6 address is used as an index to find the IPv4 address and port right. T-9: The SymTeredo relay recovers the IPv6 packet stored in the buffer (T-3). The IPv6 packet is encapsulated within an UDP IPv4 packet whose source address and port were recovers from Address Cache. Finally it sends the packet to the client SymTeredo, this time the message passes through NAT because an entry was created before (T-9). Thus an IPv6 packet sent from an IPv6 host to the SymTeredo client can successfully pass through the symmetric NAT.
Comparison Factor IPv6 Prefix Allocation Deployment scenario. Transparent to customer Requirements Direct Connectivity Security Level. Mayor security threats Performance
6to4 2002::/16 6to4 IPv6 Site - Internet IPv4 - 6to4 IPv6 Site. 6to4 IPv6 Site - Internet IPv4 Native IPv6 Site. No IPv6 host support. Router 6to4. Relay 6to4. Public Address IPv4. Only between 6to4 hosts. Low: Better than Teredo. Denial of Service. Spoofing. On average: Lower overhead that Teredo (IPv6 packet over IPv4 packet)
6RD Assigned by RIR. 6RD IPv6 Site - Internet IPv4 6RD IPv6 Site. 6RD IPv6 Site - Internet IPv4 Native IPv6 Site. Yes IPv6 host support. Home Gateway RD (CPE). Border Gateway RD. Public Address IPv4. Only between 6RD hosts. On Average: Better than Teredo and 6to4. Denial of Service. Spoofing. On average: Lower overhead that Teredo (IPv6 packet over IPv4 packet)
Teredo 2001:000::/32 Teredo Client - Internet IPv4 - Teredo Client Teredo Client - Internet IPv4 - Native IPv6 Site. No Dual-Stack Host. Teredo Server. Teredo Relay. Public or Private IPv4 Only between Teredo Clients. Low. Denial of Service. Spoofing. Poor performance: Overhead (IPv6 packet over UDP datagram and over IPv4 packet) and additional messages Bubble sent. Depends on the NAT type.
NAT Traversal
No 6to4 Relay are outside the ISP's infrastructure. Then it can't guarantee delivery of packets from native IPv6 host to 6to4 site. Also it increased security threats.
No Sometimes it is against the policy of the RIR address allocation because it requires less than one IPv6 prefix /32.
Major drawbacks
Poor performance and high security risks. Also it can't traverse Symmetric NATs.
7 Conclusions
The transition mechanisms through tunnels 6to4, 6RD and Teredo are temporary alternatives for IPv6 deployment. These may be useful to familiarize themselves with IPv6, and build IPv6 test environments for developing of new applications and services, while our ISP deployed IPv6 natively. 6RD is the best alternative of the three mechanisms described in this paper. 6RD allows rapid deployment of IPv6 safer than 6to4. Furthermore, this mechanism is implemented by the ISP and it is transparent to the user. However, we must be aware that has a problem because it goes against the policy address assignment to the RIRs. Now, we have to wait if ISPs are willing to change or update the CPEs in each of the clients. The implementation of NAT was an important solution to the IPv4 address exhaustion, but it introduced a lot of complexity in the network and this is against the principle end-to-end. This complexity causes serious problems in IPv6 deployment, and it resulting in complex transition mechanisms such as Teredo. Teredo should be considered as a transition mechanism of last resort due to its poor performance by the overhead added and additional messaging as Bubble Messages.
[7] B. Carpenter and K. Moore. "Connection of IPv6 Domains via IPv4 Clouds". RFC 3056. February 2001. [8] W. Townsley and O. Troan. " IPv6 Rapid Deployment on IPv4 Infrastructures (6rd) Protocol Specification". RFC 5969. August 2011. [9] C. Huitema, Teredo: Tunneling IPv6 over UDP through NATs, RFC 4380, February 2006. [10] J. Rosenberg, J. Weinberger and R. Mahy, Session Traversal Utilities for NAT (STUN), RFC 5389, October 2008. [11] S. M. Huang, Q. Wu and Y. B. Lin, "Enhancing Teredo IPv6 tunneling to traverse the symmetric NAT," Communications Letters, IEEE, vol. 10, pp. 408-410, 2006.
References
[1] ICANN. Available Pool of Unallocated IPv4 Internet Addresses Now Completely Emptied. 2011(04/12/2011). Available: http://www.icann.org/en/news/releases/release03feb11-en.pdf [2] S. Hogg. Techniques for Prolonging the Lifespan of IPv4. 2011(14/10/2011). Available: http://www.networkworld.com/community/node /79152. [3] J. H. Soltzer, D. P. Reed, and D. D. Clark, "Endto-end arguments in system design," ACM Tmns. Comp. Sys., vol. 2, no. 4, 1984, pp. 27788. [4] G. Huston. "NAT++: Address sharing in IPv4". Internet Protocol Journal. vol. 13(2), pp. 2-15. 2010. [5] H. Babiker, I. Nikolova and K. K. Chittimaneni. "Deploying IPv6 in the Google Enterprise Network: Lessons learned". 2011. [6] G. Huston. "Transitioning protocols". Internet Protocol Journal. vol. 14(1), pp. 22-46. 2011.