Transition Technologies from IPv4 to IPv6
Hua Ning
nhua@biigroup.com
CTO,BII Group
BII Group,China IPv6 Summit 2003
Hua Ning

Classification of Transition Technologies
Dual Stack
Tunnel
Protocol Translation

Dual Stack
Protocol stack layers, top to bottom:
Application
TCP/UDP
IPv4 | IPv6
Driver

Dual Stack (Example)
interface Ethernet0/1
ip address 202.204.12.226 255.255.255.240
half-duplex
ipv6 address 3FFE:81B3:1:1::1/64
ipv6 enable
ipv6 nd ra-interval 30
!
Cisco IOS 12.2(15)T
C:\Documents and Settings\hn>ipconfig
Windows IP Configuration
Ethernet adapter local connection:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 202.204.12.230
        Subnet Mask . . . . . . . . . . . : 255.255.255.240
        IP Address. . . . . . . . . . . . : 3ffe:81b3:1:1:40fb:a58:41e6:cf0d
        IP Address. . . . . . . . . . . . : 3ffe:81b3:1:1:209:6bff:fee0:3240
        IP Address. . . . . . . . . . . . : fe80::209:6bff:fee0:3240%4
        Default Gateway . . . . . . . . . : 202.204.12.226
                                            fe80::230:94ff:fee0:4ba2%4
Windows XP + SP1

Tunnel
Configured tunnel (manually configured)
– v6 over v4, v4 over v6, v4 over v4, v6 over v6
– GRE tunnel
Automatic tunnel
– An IPv4 address is embedded in the IPv6 address and is used to determine the tunnel's source and destination addresses
– 6to4, 6over4, ISATAP, etc.
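
Configured Tunnel
With a manually configured tunnel, the IPv6 network treats the underlying IPv4 network as a point-to-point link.
The start and end points of the tunnel must both support the IPv4/IPv6 dual stack.
A tunnel can be set up between router and router, host and router, or host and host.
The MTU of the IPv6 link carried by the tunnel is reduced by 20 bytes (assuming the IPv4 header has no option field): 1500 → 1480.
Original packet: IPv6 Header | Transport Layer Header | Data
Tunneled packet: IPv4 Header | IPv6 Header | Transport Layer Header | Data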

Configured Tunnel (Example)
interface Loopback1
ip address 202.204.22.193 255.255.255.255
!
interface Tunnel103
description to VIAGINIE ipv6@viagenie.qc.ca
no ip address
ipv6 address 3FFE:81B0:FFFF:3::2/64
ipv6 enable
tunnel source Loopback1
tunnel destination 206.123.31.101
tunnel mode ipv6ip
Cisco IOS 12.2(15)T

Automatic 6to4 Tunnel
6to4 address format:
FP (3 bits) | TLA (13 bits) | IPv4 Address (32 bits) | SLA ID (16 bits) | Interface ID (64 bits)
001 | 0x0002 | ISP assigned | Locally administered | Auto configured
[Figure: IPv6 sites 2002:cacc:ec2::/48 and 2002:ca70:0a25::/48 connected across an IPv4 network to a 6to4 relay (2002:cacc:16c1::1) that reaches the IPv6 Internet. IPv4 addresses shown: 202.204.12.226, 202.112.10.37, 202.204.22.193]
6to4 prefix is 2002::/16 + IPv4 address.
2002:a.b.c.d::/48
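
Automatic 6to4 Tunnel
6to4 connects multiple isolated IPv6 domains; each domain is at most a /48 network and at least a single host.
With a 6to4 tunnel configured, the IPv6 network treats the underlying IPv4 network as a non-broadcast point-to-multipoint link (Non-Broadcast Multi-Access link, NBMA).
The 6to4 address prefix assigned by IANA is 2002::/16.
The IPv4 address is embedded in bits 16 through 47 of the IPv6 address and identifies the tunnel's source and destination IPv4 addresses; this address must be a public address.
The biggest advantage of 6to4 is that there is no need to apply to a network operator for IPv6 addresses; a public IPv4 address and a 6to4 relay router are all that is needed.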

Automatic 6to4 Tunnel (Example)
C:\Documents and Settings\hn>netsh interface ipv6 6to4 set relay 6to4.6tnet.com.cn
C:\Documents and Settings\hn>ipv6 if 3
Interface 3,6to4 Tunneling Pseudo-Interface
{A995346E-9F3E-2EDB-47D1-9CC7BA01CD73}
does not use Neighbor Discovery
does not use Router Discovery
routing preference 1
preferred global 2002:cacc:ce6::cacc:ce6,life infinite
link MTU 1280 (true link MTU 65515)
current hop limit 128
reachable time 21500ms (base 30000ms)
retransmission interval 1000ms
DAD transmits 0
Windows XP + SP1

Automatic 6to4 Tunnel (Example)
interface Loopback1
ip address 202.204.22.193 255.255.255.255
!
interface Tunnel2002
description 6to4 relay sercice,6to4.6tnet.com.cn
no ip address
no ip redirects
ipv6 address 2002:CACC:16C1::1/128
tunnel source Loopback1
tunnel mode ipv6ip 6to4
!
Cisco IOS 12.2(15)T

Automatic 6to4 Tunnel (Example)
C:\Documents and Settings\hn>ping www.kame.net
Pinging apple.kame.net [2001:200:0:4819:210:f3ff:fe03:4d0] with 32 bytes of data:
Reply from 2001:200:0:4819:210:f3ff:fe03:4d0,time=367ms
Hua Ning → www.kame.net:
Src v4 = 202.204.12.230 (Hua Ning)
Dst v4 = 202.204.22.193 (6to4.6tnet.com.cn, 6to4 relay router)
Src v6 = 2002:cacc:ce6::cacc:ce6 (Hua Ning)
Dst v6 = 2001:200:0:4819:210:f3ff:fe03:4d0 (www.kame.net)
www.kame.net → Hua Ning:
Src v4 = 202.255.45.5 (kddilab.6to4.jp, 6to4 relay router)
Dst v4 = 202.204.12.230 (Hua Ning)
Src v6 = 2001:200:0:4819:210:f3ff:fe03:4d0 (www.kame.net)
Dst v6 = 2002:cacc:ce6::cacc:ce6 (Hua Ning)
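
Added example (not part of the original slides): the two packets of the exchange above rebuilt as IPv6-in-IPv4 (protocol 41) bytes, with a check a tunnel endpoint or filter can apply, namely that the IPv4 address embedded in an inner 2002::/16 address equals the outer IPv4 address on the same side. The function names and the 203.0.113.9 address in the usage note are assumptions made for illustration.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41  # IPv4 protocol number carried by "tunnel mode ipv6ip"


def build_6in4(src4, dst4, src6, dst6, payload=b""):
    """Constructed sample packet: IPv4 header without options (checksum left 0) + IPv6 header."""
    inner = struct.pack("!IHBB", 6 << 28, len(payload), 59, 64)  # next header 59 = none
    inner += ipaddress.IPv6Address(src6).packed + ipaddress.IPv6Address(dst6).packed + payload
    outer = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(inner), 0, 0, 64, PROTO_IPV6_IN_IPV4, 0)
    return outer + ipaddress.IPv4Address(src4).packed + ipaddress.IPv4Address(dst4).packed + inner


def tunnel_overhead(packet):
    """Bytes the tunnel puts in front of the IPv6 packet (20 when IPv4 has no options)."""
    return (packet[0] & 0x0F) * 4


def check_6to4(packet):
    """Return a list of findings; an empty list means outer and inner addresses agree."""
    if packet[0] >> 4 != 4 or packet[9] != PROTO_IPV6_IN_IPV4:
        return ["not an IPv6-in-IPv4 packet"]
    outer = {"src": ipaddress.IPv4Address(packet[12:16]),
             "dst": ipaddress.IPv4Address(packet[16:20])}
    v6 = packet[tunnel_overhead(packet):]
    if len(v6) < 40 or v6[0] >> 4 != 6:
        return ["truncated or malformed inner IPv6 header"]
    inner = {"src": v6[8:24], "dst": v6[24:40]}
    findings = []
    for side in ("src", "dst"):
        if inner[side][:2] == b"\x20\x02":  # inner address lies in 2002::/16
            embedded = ipaddress.IPv4Address(inner[side][2:6])
            if embedded != outer[side]:
                findings.append(f"{side}: inner 6to4 address embeds {embedded}, outer is {outer[side]}")
    return findings


KAME = "2001:200:0:4819:210:f3ff:fe03:4d0"
HOST6 = "2002:cacc:ce6::cacc:ce6"
REQUEST = build_6in4("202.204.12.230", "202.204.22.193", HOST6, KAME)  # values from the slide
REPLY = build_6in4("202.255.45.5", "202.204.12.230", KAME, HOST6)      # values from the slide

if __name__ == "__main__":
    for name, pkt in (("request", REQUEST), ("reply", REPLY)):
        print(name, "overhead", tunnel_overhead(pkt), "findings", check_6to4(pkt))
```

Both packets from the slide pass; a packet whose outer source is 203.0.113.9 but whose inner source is still 2002:cacc:ce6::cacc:ce6 produces a `src` finding.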
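
ISATAP Tunnel
ISATAP address format:
Network Prefix (64 bits) | 0:5EFE | A.B.C.D
[Figure: ISATAP hosts and an ISATAP router connected over an IPv4 network, with the IPv6 Internet beyond. Addresses shown: 202.204.12.226, 202.204.22.193, 202.112.10.37]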
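
ISATAP Tunnel
Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
ISATAP is used to connect multiple isolated IPv6 hosts within a single domain.
With an ISATAP tunnel configured, the IPv6 network treats the underlying IPv4 network as a non-broadcast point-to-multipoint link (Non-Broadcast Multi-Access link, NBMA).
The ISATAP identifier assigned by IANA is 5EFE.
The IPv4 address is embedded in the last 32 bits of the IPv6 address; this address does not have to be a public address.
The 64-bit network prefix at the front of the IPv6 address is obtained by sending a request to the ISATAP router.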
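
Added example (not part of the original slides): a Python helper that applies the 6to4 and ISATAP address layouts described above to recover the embedded IPv4 address from an IPv6 address, which is handy when reviewing logs or filter rules for tunneled traffic. It also goes one step further and covers the IPv4-compatible (::a.b.c.d) layout from a later slide; the function names are assumptions, and 2002:c0a8:10a::1 is a constructed sample.

```python
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")  # IANA 6to4 prefix, as stated on the slides
ISATAP_ID = 0x00005EFE                       # upper 32 bits of the interface ID: 0000:5EFE


def sixto4_prefix(ipv4):
    """Return the 2002:a.b.c.d::/48 prefix for a public IPv4 address (bits 16-47)."""
    v4 = ipaddress.IPv4Address(ipv4)
    if not v4.is_global:
        raise ValueError(f"{v4} is not a public address; 6to4 requires one")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def embedded_ipv4(addr):
    """List (mechanism, embedded IPv4 address, note) for every encoding found in addr."""
    a = ipaddress.IPv6Address(addr)
    n = int(a)
    low32 = ipaddress.IPv4Address(n & 0xFFFFFFFF)
    found = []
    if a in SIXTO4:
        v4 = ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)
        note = "ok" if v4.is_global else "invalid: embedded address is not public"
        found.append(("6to4", v4, note))
    if (n >> 32) & 0xFFFFFFFF == ISATAP_ID:
        found.append(("isatap", low32, "ok"))
    if n >> 32 == 0 and n > 1:               # ::a.b.c.d, excluding :: and ::1
        found.append(("ipv4-compatible", low32, "deprecated"))
    return found


if __name__ == "__main__":
    samples = [
        "2002:cacc:ce6::cacc:ce6",             # 6to4 host address from the slides
        "2001:3f8:fff1::5efe:202.204.12.230",  # ISATAP global address from the slides
        "2002:ca70:0a25::5efe:10.1.2.9",       # ISATAP inside a 6to4 site, from the slides
        "2002:c0a8:10a::1",                    # constructed: 6to4 built on a private address
    ]
    for s in samples:
        print(s, [(m, str(v), note) for m, v, note in embedded_ipv4(s)])
```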

ISATAP Tunnel (Example)
interface Tunnel2003
description ISATAP border router
no ip address
no ip redirects
ipv6 address 2001:3F8:FFF1::/64 eui-64
no ipv6 nd suppress-ra
tunnel source Loopback1
tunnel mode ipv6ip isatap
!
Cisco IOS 12.2(15)T

ISATAP Tunnel (Example)
C:\Documents and Settings\hn>netsh interface ipv6 isatap set router 202.204.22.193
C:\Documents and Settings\hn>ipv6 if 2
Interface 2,Automatic Tunneling Pseudo-Interface
{48FCE3FC-EC30-E50E-F1A7-71172AEEE3AE}
does not use Neighbor Discovery
uses Router Discovery
forwards packets
routing preference 1
EUI-64 embedded IPv4 address,202.204.12.230
router link-layer address,202.204.22.193
preferred global 2001:3f8:fff1::5efe:202.204.12.230,life 29d23h59m33s/6d23h59m33s (public)
preferred link-local fe80::5efe:202.204.12.230,life infinite
link MTU 1480 (true link MTU 65515)
current hop limit 64
reachable time 18000ms (base 30000ms)
retransmission interval 1000ms
DAD transmits 0
Windows XP + SP1

ISATAP Tunnel (Example)
C:\Documents and Settings\hn>ping fe80::5efe:202.204.22.193%2
Pinging fe80::5efe:202.204.22.193%2 with 32 bytes of data:
Reply from fe80::5efe:202.204.22.193%2,time=18ms
Reply from fe80::5efe:202.204.22.193%2,time=26ms
C:\Documents and Settings\hn>ipv6 rt
2001:3f8:fff1::/64 -> 2 pref 1if+8=9 life 29d23h55m17s (autoconf)
::/0 -> 2/fe80::5efe:202.204.22.193 pref 1if+256=257 life 25m17s (autoconf)
Windows XP + SP1

ISATAP Tunnel (Example)
C:\Documents and Settings\hn>ping www.kame.net
Pinging apple.kame.net [2001:200:0:4819:210:f3ff:fe03:4d0] with 32 bytes of data:
Reply from 2001:200:0:4819:210:f3ff:fe03:4d0,time=367ms
Hua Ning → www.kame.net:
Src v4 = 202.204.12.230 (Hua Ning)
Dst v4 = 202.204.22.193 (ISATAP router)
Src v6 = 2002:cacc:ce6::cacc:ce6 (Hua Ning)
Dst v6 = 2001:200:0:4819:210:f3ff:fe03:4d0 (www.kame.net)
www.kame.net → Hua Ning:
Src v4 = 202.204.22.193 (ISATAP router)
Dst v4 = 202.204.12.230 (Hua Ning)
Src v6 = 2001:200:0:4819:210:f3ff:fe03:4d0 (www.kame.net)
Dst v6 = 2002:cacc:ce6::cacc:ce6 (Hua Ning)
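
Combining 6to4 and ISATAP
My company's internal network uses private addresses throughout.
The internal network has several routers, and not all of them support IPv6.
Our network provider does not offer IPv4 service, and the company cannot obtain legitimate IPv6 addresses either.
How can hosts inside the company be connected to the IPv6 network?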
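
Combining 6to4 and ISATAP
[Figure: two sites, each behind a combined ISATAP and 6to4 router, reach a 6to4 relay (2002:cacc:16c1::1) across the IPv4 network and, through it, www.kame.net on the IPv6 Internet. IPv4 addresses shown: 202.204.12.226, 202.112.10.37, 202.204.22.193. Site prefixes: 2002:cacc:ec2::/48 and 2002:ca70:0a25::/48. Internal hosts: 192.168.1.10 with 2002:cacc:ec2::5efe:192.168.1.10, and 10.1.2.9 with 2002:ca70:0a25::5efe:10.1.2.9]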
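
Tunnel Broker
The role of a Tunnel Broker:
– Automatically assigns IPv6 addresses and the corresponding domain names
– Automatically sets up tunnels and modifies the necessary routing configuration
– Provides users with a tunnel for communicating with IPv6 users
Characteristics of a Tunnel Broker:
– Automated; aimed at different types of dispersed IPv6 users
– Highly controllable; a variety of configuration and management policies can be defined
– Constrained by the operating system, so the degree of automation is less than ideal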

Tunnel Broker
[Figure: Tunnel Broker. Labels: hosts of users in the IPv6 network; hosts of IPv6 subnet users; IPv6 network; IPv4 network; routers of IPv6 network users]

Tunnel Broker (Examples)
– www.freenet6.net
– www.tb.6test.edu.cn
– www.iij.ad.jp
– www.tunnelbroker.com
– www.tb.ipv6.btexact.com
– www.tb.6tnet.com.cn
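
Teredo
Most of the transition strategies defined so far either cannot coexist with NAT or can do so only at great cost.
Teredo is designed to give nodes located behind a NAT global IPv6 connectivity.
Given how widely NAT is actually used, Teredo has good deployment prospects.
How Teredo works: IPv6 packets are encapsulated in the payload of IPv4 UDP packets so that they can traverse the NAT.
Deploying Teredo requires the assistance of a Teredo Server and a Teredo Relay; in most cases, however, the Teredo Server and the Teredo Relay can reside in a single device.
The latest Teredo implementations add a Teredo Host-Specific Relay function, which lets Teredo hosts communicate more efficiently with IPv4/IPv6 dual-stack hosts.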
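
DSTM
Dual Stack Transition Mechanism (DSTM)
DSTM lets dual-stack hosts inside an IPv6 domain communicate with IPv4-only hosts or applications by obtaining a temporary IPv4 address.
A client that uses DSTM is dual-stack.
A DSTM domain is a pure IPv6 network.
DSTM comprises network elements such as an address server (DSTM Server), a gateway, and DSTM nodes.
DSTM is transparent to upper-layer applications and to the network layer.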

DSTM
[Figure: a DSTM Node and the DSTM Server inside the DSTM Domain (IPv6 network); a 4over6 tunnel leads to the TEP (Tunnel End Point), which connects to the IPv4 Internet or IPv4 applications]
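
DSTM
A DSTM node needs no IPv4 address while it communicates over IPv6 only.
When a DSTM node detects that it needs an IPv4 address (a DNS reply, an application opening an IPv4 socket, or the kernel having to handle an IPv4 packet), the node contacts the DSTM Server.
The DSTM node requests a temporary IPv4 address (port number) and the IPv6 address of the TEP from the DSTM Server.
The information obtained is used to form a 4over6 interface.
The DSTM node encapsulates the IPv4 data to be sent in IPv6 packets and sends them to the TEP (gateway), which decapsulates them and forwards them to the IPv4 Internet.
The DSTM Server and the TEP must record the DSTM node's IPv4 address and IPv6 address.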
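
Automatic IPv4-Compatible IPv6 Tunnel
Address format: 0 | A.B.C.D
The IPv4 address is embedded in the last 32 bits of the IPv6 address and determines the tunnel's source and destination addresses; all other bits of the IPv6 address are 0.
This technique has a very narrow range of application and has security problems; the IETF no longer recommends it.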

6over4
RFC 2529
A 6over4 tunnel treats the IPv4 network as a network that supports broadcast; this condition requires the IPv6 network to support multicast protocols such as IGMP.
239.192.[second to last byte of IPv6 address].[last byte of IPv6 address];
FF02::1 (link-local scope all-hosts multicast address) is mapped to 239.192.0.1;
FF02::2 (link-local scope all-routers multicast address) is mapped to 239.192.0.2;
FF02::1:FF28:9C5A is mapped to 239.192.156.90;
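
6over4
6over4 implements the IPv6 Neighbor Discovery protocol almost completely over the IPv4 network and uses ND to obtain addresses.
Because ISATAP treats IPv4 as a non-broadcast network, it implements only part of the ND protocol.
Because IPv4 networks that support multicast are scarce, and because 6over4 offers little advantage over 6to4 and ISATAP, 6over4 is rarely used in practice.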
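
Protocol Translation (NAT-PT)
NAT-PT lets a native IPv6 host (IPv6-only) interoperate with an IPv4-only host.
Network Address Translator-Protocol Translator (NAT-PT) - RFC 2766/3056/3068
A router that supports NAT-PT is configured with a number of IPv4 addresses (the IPv4 pool), which are dynamically assigned to IPv6 hosts when they initiate connections to IPv4 hosts.
As with NAT, when an application-layer protocol carries IP address fields, the NAT-PT device needs a corresponding application-level gateway, ALG (Application Level Gateway), such as DNS-ALG or FTP-ALG.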
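
Protocol Translation (NAT-PT)
[Figure: host Hua Ning (3ffe:81b3:1:1:40fb:a58:41e6:cf0d) on the IPv6 side of the NAT-PT Router; www.sina.com.cn (202.108.37.37) and the DNS Server (202.136.254.1) on the IPv4 side]
1. Host Hua Ning sends a request for www.sina.com.cn to the DNS server over the IPv6 network.
2. NAT-PT translates the IPv6 DNS request into an IPv4 DNS request.
3. The DNS server responds over the IPv4 network: www.sina.com.cn --> 202.108.37.37
4. NAT-PT translates the IPv4 response into an IPv6 DNS response and at the same time establishes the mapping between the IPv4 address and the IPv4 address.
5. Host Hua Ning obtains the IPv6 address of www.sina.com.cn and can communicate with that server normally.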
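
Protocol Translation (NAT-PT) (Example)
Windows XP + SP1 does not support operating as an IPv6-only host, because Windows XP can currently send IPv6 address queries only over the IPv4 network and cannot send pure IPv6 DNS requests.
This experiment therefore requires installing a DNS proxy on XP; the proxy converts IPv4 DNS requests into IPv6 datagrams.
The program is available at http://www.6tnet.com.cn/pub/ipv6utils/nameproxy.exe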
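
Protocol Translation (NAT-PT) (Example)
In the Windows XP TCP/IP settings, set the IPv4 address to anything or leave it unset, and set the DNS address to 127.0.0.1.
Run the DNS proxy and set the IPv6 DNS to the NAT-PT router's interface address, 3FFE:81B3:1:1::1.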

Protocol Translation (NAT-PT) (Example)
eth0_0
# IPV6 ADDRESS
ipaddress 3FFE:81B3:1:1::1/64
# IPV6 PREFIX
prefix 3FFE:81B3:1:1::0/64
eth1_0
#IPV4 ADDRESS
ipaddress 202.112.42.90/30
#IPV6 ADDRESS
ipaddress 3ffe:81b0:ffff:10::1/64
#IPV6 ADDRESS
ipaddress 3ffe:81b0:ffff:10::/64
# NAMESERVER
nameserver 202.112.10.37
# NAT STATEMENTS
enable natpt
public_interface eth1_0
natpt_prefix 3FFE:81B3:1000::/64
natpt_domain_interfaces eth0_0
6WindGate SixOS
Version 6

Thank you!