Transition to IPv6: IVI in the University Campus · Transition to IPv6: IVI in the University Campus C. Bao, X. Li 2010-11-03 . 2 Abstract • Due to the IPv4 address deletion problem,

Transition to IPv6: IVI in the University Campus

C. Bao, X. Li2010-11-03

2

Abstract• Due to the IPv4 address deletion problem, the

IPv4 and IPv6 will be coexistent at least for the next decade. In the past three years, we have been developing stateless and prefix-specific translation (IVI).

• In this session we will share our IPv6 transition experience and introduce the IVI deployment program for 100 Campus networks in China.

• In addition, we will discuss the IPv6 transition scheme for the developing countries and the possible collaboration with the Internet2 member universities.

3

IPv4 count down

4

The networks we are running

5

CERNET IPv6 transition experience

Translation IVI

Bi-direction Stateless Translation

IETF Behave WG

Dual-StackNFSCNET

IPv6 onlyCERNET2

• 100 universities• 1M subscribers

TunnelIPv6 over IPv4CERNET-6Bone

TunnelIPv4 over IPv6

IETF softwire WG

IPv4CERNET

• 1500 universities• 20M subscribers

1994 2001 2004 2005 20081998 2006 2007

666

CERNET (IPv4)

• CERNET is the first (1994) nation wide Internet backbone in China.

• CERNET ranks 30 in global CIDR report.

• Over 2,000 universities on CERNET with about 20M subscribers.

7

CIDR report

8

University ranking

9

CERNET-6Bone

• CERNET-6bone is the first (1998) IPv6 network in China.

• Ping traffic

10

Dual stack NSFCNET

• NSFCNET is the first (2000) IPv4/IPv6 high-speed academic network in China.

• It provides IPv4/IPv6 unicast and multicast services to the education and research community, but very, very few IPv6 traffic.

1111

CERNET2 (IPv6)

• Built in 2004, with national coverage

• CERNET2 is the largest IPv6 backbone in China.

• About 200 universities connected to CERNET2 with about 1M subscribers.

12

Be unique, be different• Protocol selection

– Pure IPv6• Equipment

– Multiple vendors• Complexity

– Multiple ASs• Transition

– IPv4 over IPv6 (IETF softwire)– IVI stateless translation (IETF behave)

• Architecture– Source address authentication (IETF SAVI)

13

Softwire IPv4 over IPv6

IPv6 TransitAFBRAFBR

AFBR AFBR

IPv4 accessisland

IPv4 accessisland

IPv4 accessisland

IPv4 accessisland

IPv6 access

IPv6 access

IPv4 static or eBGP peering

Encapsulation and Setup

Same behavior as a dual-stack backbone

softwire

IPv4 over IPv6

• Provide IPv4/IPv6 dual-stack service in PE, but run IPv6-only in P routers – IETF softwire WG

• Save operation cost.

141414

To encourage transition

• CERNET (IPv4) – Congested and charged.

• CERNET2 (IPv6)– Light loaded and free of charge.

• So, for using high quality and free network, port your application to IPv6.

1515

IPv6 applications

• Video• Sensor networks

• Beijing 2008 Olympic website

161616

IPv4 and IPv6 traffic

• IPv6’ traffic is about 10% of IPv4

201020092008

201020092008

IPv4

IPv6

17

Remarks• Upgrading network to dual stack does not

mean transition. The IPv6 traffic is still very small.– NSFCNET

• Promotion IPv6 can help, but does not help to fully solve the transition problem.– CERNET2

18

The killer application

• Video?• P2P?• Internet of Things?• The

intercommunication with the IPv4 Internet is the killer application of IPv6.

19

CERNET (IPv4) CERNET2 (IPv6)

Global IPv4

Global IPv4

Global IPv6

Global IPv6

19

We invented IVI

IVI

IPv4-accessible

servers/clients

Stateless and prefix specific.• 1:1 IVI without IPv4 address sharing• 1:N IVI with IPv4 address sharing

20

Transition technologies

• Dual stack– IPv4 address depletion problem– N2 problem

• Tunnel– Still need dual stack– IPv4 address depletion problem– Upgrade tunnel points

• Translation– Add a translator

21

Translation scenarios

Scenario 1 “an IPv6 network to the IPv4 Internet”Scenario 2 “the IPv4 Internet to an IPv6 network”

xlateThe IPv4Internet

An IPv6NetworkDNS

xlate An IPv6NetworkDNS

An IPv4Network

xlate

The IPv4Internet

An IPv4Network DNS

xlate

DNS

The IPv6Internet

The IPv6Internet

Scenario 3 “an IPv4 network to the IPv6 Internet”Scenario 4 “the IPv6 Internet to an IPv4 network”

Scenario 5 “an IPv6 network to an IPv4network”Scenario 6 “an IPv4 network to an IPv6 network”

Scenario 7 “the IPv6 Internet to the IPv4 Internet”Scenario 8 “the IPv4 Internet to the IPv6Internet”

IVI { < NAT64

IVI {

< NAT64

< NAT64

• Framework (info)• Scenarios• Operation modes• Building blocks

• Address format (std)• Address format• Prefix recommendation

• Translation (std)• Header translation• ICMP handling

• DNS (std)• A AAAA mapping• DNSSec handling

• Session database (std)• Mapping table handing

• Others (APL-ALGs, multicast, …)

Refer to

Refer to

Stateless translator

Stateful translator

Refer to

IETF behave WG document layout

23

IETF standards

24

Stateless translation (IVI)

A subset of IPv6 addresses

IPv6IPv4

Real IPv6 hostReal IPv4 host mirrored IPv6 host mirrored IPv4 host

IVI

A subset of IPv6 addresses

25

IVI address format

Mapping Rule: IPv4 addresses are embedded from bit 40 to bit 72 of the IPv6 addresses of a specific /32.

Example: ISP’s IPv6 /32 2001:250::/32borrowed IPv4 address (IVI4): 202.38.108.0/24mapped IVI IPv6 address (IVI6): 2001:250:ffca:266c::/64

26

IVI address mapping（1）

Bi-dir borrowing

IPG6

IPS6(i)

IVI4(i)

IVIG46(i) IVI6(i)

4 66 4

IPS4(i)

IPG4

It is the (end) users who are communicating with users/contents located in IPv4 (IPG4 && all other IVI4(j)) via IVIG46(i).

27

IVI address mapping（2）

IVIG46(i) IVI6(i) IVIG46(j) IVI6(j)

IPG4 IVI4(i)

Bi-dir borrowing

6 4

IVI4(j)

4 64 6 6 4

IPS6(i) IPS6(j)

IPG6

28

IVI routing Routing and mapping configuration example

ip route IVI4/k 192.168.1.1

ip route 0.0.0.0 0.0.0.0 192.168.1.2

ipv6 route 2001:DB8:FF00::/40 2001:DB8::1

IVIR1 R2192.168.1.1 2001:DB8::1

2001:DB8::2192.168.1.2 IPv4IPv4 IPv6IPv6

ipv6 route IVI6/(40+k) 2001:DB8::2

mroute IVI4-network IVI4-mask pseudo-address interface source-PF destination-PFmroute6 destination-PF destination-PF-pref-len

29

IVI reachability matrix

OKOKNONon-IVI

OKOKOKIVI

NOOKOKIPG4

Non-IVI

IVI v4

30

IVI incremental deployment (1)IPG4

IPG6

IVI gateway

AB

A’

C’

A’ B’B’ A’

A BB A

B’

31

IVI incremental deployment (2)

IVI gateway2

IPG4

IPG6

IVI gateway1

AB

B’A’

B’’A’’

C’

A’ B’

A B A B

A’’ B’’B’’ A’’

B AB A

B’ A’

32

IVI incremental deployment (3)

IVI gateway2

IPG4

IPG6

IVI gateway1

AB

B’A’

B’’A’’

C’

A’ B’’

B’’ A’

33

Header translation (IPv4 IPv6)

(discarded) Options (same as above) Destination Addr. Apply IVI stateless address mapping Source Address (discarded) Header Checksum Next Header Protocol Hop Limit Time to Live (same as above) Offset (same as above) Flags (discarded, cf. Subsection V-C) Identification Payload Length = Total Length -IHL * 4 Total Length (discarded) Type of Service (discarded) IHL Version (0x6) Version (0x4) Translated to IPv6 IPv4 Field

34

Header translation (IPv6 IPv4)

Header Checksum recalculated —

IHL = 5 —

(same as above) Destination Addr.

Apply IVI inverse address mapping Source Address

TTL Hop Limit

Protocol Next Header

Total Length = Payload Length + 20 Payload Length

(discarded) Flow Label

(discarded) Traffic Class

Version (4) Version (6)

Translated to IPv4 Header IPv6 Field

35

IVI DNS (DNS46 and DNS64)

IPv6IPv6

mapped IVI IPv6 address

IPv4IPv4

IVI

IVIDNS

• DNS46• Authoritative DNS server

– Example– www.ivi2.org AAAA 2001:250:ffca:266c:200::– www.ivi2.org A  202.38.108.2

• DNS64• Caching DNS server

– Example – www.mit.edu A        18.7.22.83 – www.mit.edu AAAA    2001:250:ff12:0716:5300::

36

DNS64

37

ALG issue

• IVI supports– web：ssh，telnet、DVTS，vlc，email

• ALG requirements– ftp– URL contains IPv4 literals

38

www.ivi2.org

39

Equipments

40

Deployment issues

• Network topology• Address plan• IVI address calculator• Host configuration• Trouble shooting

41

Network topology

CNGI-CERNETIPv6 主干网

IPv6校园网

校园网 IPv6 /48IVI子网 IPv6 /64

R

默认路由

IVI DNS=2001:250:aaa0:100:1::2

2001:da8:ff3a:c8e4:fe00::/64

2001:da8:ff3a:c8e4:100::/64

2001:da8:ff3a:c8e4:200::/64

2001:da8:ff3a:c8e4:300::/64

2001:da8:ff3a:c8e4:fd00::/64

S

H1

H2

H3

H253

CNGI-CERNETIPv6 主干网

IPv6校园网

校园网 IPv6 /48IVI子网 IPv6 /64

R

默认路由

IVI DNS=2001:250:aaa0:100:1::2

2001:da8:ff3a:c8e4:fe00::/64

2001:da8:ff3a:c8e4:100::/64

2001:da8:ff3a:c8e4:200::/64

2001:da8:ff3a:c8e4:300::/64

2001:da8:ff3a:c8e4:fd00::/64

SCNGI-CERNETIPv6 主干网

CNGI-CERNETIPv6 主干网

IPv6校园网IPv6校园网

校园网 IPv6 /48IVI子网 IPv6 /64

R

默认路由

IVI DNS=2001:250:aaa0:100:1::2

2001:da8:ff3a:c8e4:fe00::/64

2001:da8:ff3a:c8e4:100::/64

2001:da8:ff3a:c8e4:200::/64

2001:da8:ff3a:c8e4:300::/64

2001:da8:ff3a:c8e4:fd00::/64

S

H1

H2

H3

H253Default route

Campus IPv6 /48IVI IPv6 /64

Campusbackbone

42

Address plan

• IVI subnet– IVI4=58.200.228.0/24– IVI6=2001:da8:ff3a:c8e4::/64

• R interface address– 2001:da8:ff3a:c8e4:fe00::（58.200.228.254）

• IVI6 hosts – 2001:da8:ff3a:c8e4:100::  (58.200.228.1) – 2001:da8:ff3a:c8e4:200::  (58.200.228.2) – ……– 2001:da8:ff3a:c8e4:fd00:: (58.200.228.253)

43

Address translation calculator• From IPv4 to IPv6

– http://www.ivi2.org/cgi-bin/ivimap.pl?ipv4=0.0.0.0/0&lir=2001:da8• From IPv6 to IPv4

– http://www.ivi2.org/cgi-bin/ivi6map.pl?ipv4=2001:da8:ff00:0:0::&lir=2001:da8

Address translation calculator： http://www.ivi2.org

44

Host configuration• Static configuration

– IVI6 address/prefix length= 2001:da8:ffca:266e:100::/64– default gateway= 2001:da8:ffca:266e:fe00::– Nameserver= 2001:da8:aaae::201– Disable auto-configuration

• Auto-configuration– Cannot use SLAAC– Cannot use stateless DHCPv6

• Stateful DHCPv6– IVI6 address/prefix length: DHCPv6– default gateway: RA– nameserver: DHCPv6

45

Trouble shooting (1)

IPv4 IVI IPv6

b

a

1

IVI

Non-IVIIPv4

IPv4 address

IPv6 address

PREFIX=2001:da8:ff00::/403 2

46

Trouble shooting (2)

47

CNGI-CERNET2 100 campus

2: Campus network IPv6 upgrades (100)

3: Key technologies (6)

4: Applications (20)

1: Project Architecture

5: International/Dom

estic peering

48

Key technologies

• Source address validation and services• IPv4/IPv6 transition• Large-scale IPv6 multicast• Backbone management• Service platform• Campus management

49

Campus network connectivity

Global IPv4

Global IPv4

Global IPv6

Global IPv6

IPv4-only IPv4/IPv6Dual-stack IPv6-only

Campus network

CERNET2 (IPv6)CERNET (IPv4)

NAT64

50

Backbone IVI setup

主干

IVI 设备

CNGI - CERNET2

IPv6/32校园网

IPv6/48

IPv4

Internet

IPv6

Internet

主干

IVI IPv6

计算机

主干 IVI

DNS

CERNET

校园

IVI IPv6

计算机

校园

Non - IVI IPv6

计算机

校园

Non - IVI IPv6

计算机

CNGI - CERNET2

IPv6/32

CNGI - CERNET2

IPv6/32IPv6/48

IPv4

Internet

IPv4

Internet

IPv6

Internet

IPv6

Internet

IVI IPv6

DNS64DNS46

Campus CERNET

IVI IPv6

Non - IVI IPv6

Non - IVI IPv6IVIcore

100 universities

51

IVI address assignment

52

Tsinghua campus WLAN example

53

L3 switch configuration• Cisco7609

interface Vlan30no ip addressipv6 address 2001:DA8:FF3A:C881:100::/64ipv6 enableipv6 nd prefix default 2592000 604800 no‐autoconfigipv6 nd managed‐config‐flagipv6 nd other‐config‐flagipv6 nd ra suppressipv6 dhcp relay destination 2402:F000:1:901::9:8

no‐autoconfig A=0managed‐config‐flag M=1other‐config‐flag O=1

54

DHCPv6 server configuration

• ISC DHCP4.1.1‐P1：

subnet6 2001:da8:ff3a:c881::/64 {range6 2001:da8:ff3a:c881:200:: 2001:da8:ff3a:c881:200::;range6 2001:da8:ff3a:c881:300:: 2001:da8:ff3a:c881:300::;

... ...range6 2001:da8:ff3a:c881:fe00:: 2001:da8:ff3a:c881:fe00::;option dhcp6.name‐servers 2001:250:aaa0:100:1::2;option dhcp6.domain‐search "v6.tsinghua.edu.cn";

}

55

Windows 7 client

56

ping

57

Remarks

• Windows 7– Plug and play– Dibbler server does not work properly for Windows 7– The default gateway is from RA

• Windows XP– Does not have build in DHCPv6 client– Cannot resolve DNS via IPv6

58

• Windows XP does not have DHCPv6 – Download dibbler client

• Windows XP cannot resolve DNS via IPv6 transport – DHCP assign a RFC1918 addresses，via

IPv4 resolver to get AAAA– Use DNSMASQ to proxy the IPv4 and IPv6

DNS queries

Windows XP auto-configuration（1）

59

Windows XP auto-configuration（2）

IVI IPv6

IVI DNS

IPv4

Windows XP

server

202.112.35.200

Rrouter

192.168.1.1/242001:252:ffca:2669:fe00:100::/64

2001:252:ffca:2669:fe00::/64

192.168.1.7 2001:252:ffca:2669:700::/64

IVI IPv6

IVI DNS

IPv4

Windows XP

server

202.112.35.200

Rrouter

192.168.1.1/242001:252:ffca:2669:fe00:100::/64

2001:252:ffca:2669:fe00::/64

192.168.1.7 2001:252:ffca:2669:700::/64

60

Dibbler DHCPv6 configuration

61

The Windows XP configuration• Install IPv6 stack by run cmd and type ipv6 install• Set network configuration to DHCP• Download

– http://klub.com.pl/dhcpv6/dibbler/dibbler-0.7.2-win32.exe– Install dibbler-client only.

• Start All Program dibbler client Edit Config File– modify iface to match the local system.. for example

• Start All Program Dibbler Client Run in the console, every time in the IVI mode – Setup Client Install as service不工作。

62

Useful links• DHCP

– http://linux.softpedia.com/get/System/Networking/ISC-DHCP6320.shtml• DHCPv6 (Dibbler)

– http://klub.com.pl/dhcpv6/#DOWNLOAD• DNS proxy

– http://www.thekelleys.org.uk/dnsmasq/• Dibbler Windows client

– http://klub.com.pl/dhcpv6/dibbler/dibbler-0.7.2-win32.exe

63

New progress

• 1:N IVI– Share IPv4 address among IPv6-only hosts

• 1:N dIVI– Share IPv4 address among IPv6-only hosts– Do not require ALG– Do not require DNS64

• IVI66– Map SLAAC address to IVI addresses

64

i=2

i=1

2001:da8:ffca:266c:0500::4:0

2001:da8:ffca:266c:0500::4:1

2001:da8:ffca:266c:0500::4:2

2001:da8:ffca:266c:0500::4:3

202.38.108.5

84

85

86

87

8786

8584

i=0

i=3

IPv4 address

IPv6 address

port

port

1:N IVI

• If R=256• A /24 is equivalent to a /16

65

1:N dIVI

The IPv4Internet

1:NIVI Hgw1

An IPv6network

Hgw2

HgwK

Hgw0H0DS

H1DS

H2DS

HKDS

The IPv6Internet

66

IVI66

IVI nat66Any IPv6

addressesAny IPv6

addressesIPv4InternetIPv4

Internet

IVI addresses

IVI addresses

IPv6InternetIPv6

Internet

67

IVI and Internet2

68

Move forward

• Constrains – IPv4 addresses are running out (2011-2012)– Incremental deployment

• Major goals– Move contents to IPv6– Increase subscriber base

69

Possible solutions

• If the SP has enough IPv4 addresses– Deploy dual stack access network, wait for

some part of the Internet is IPv6-only• If the SP does not have enough IPv4

addresses– Deploy dual stack access network, install

CGN (NAT44), wait for some part of the Internet is IPv6-only

– Or construct a IPv6-only access network, install stateless IPv4/IPv6 translator (IVI)

70

The IVI solution

• Move contents to IPv6– Build IPv6-only access network– Use 1:1 IVI to make IPv6-only servers

accessible to the IPv4 Internet• Increase subscriber base

– Build IPv6-only access network– Use 1:N IVI or 1:N dIVI to provide IPv4/IPv6

services to customers

71

IVI illustration

IPv6Shared IPv4

The IPv4 Internet

The IPv6 Internet

IPv4/IPv6Core Network PE

PEPE

PE

PE

IPv4/IPv6

Access network

IPv6

Dual-stack core IPv6 accessXLATE

1:NIVI

1:1IVI

serversclients

72

Recommendations

• For developed countries – Move servers to IPv6-only and deploy IVI

translator– Build new IPv6-only segments of the campus

network and deploy IVI translator• For developing countries

– Build IPv6-only campus network and deploy IVI translator

73

IVI IPv4/IPv6 transition

Support IPv4 Support IPv6 (IVI)

SupportIPv6 (IVI)

Support IPv4

IPv4 area IPv6 area

Service

Netw

orkU

ser

V4 only Network V6 only Network

IVI

SupportIPv6 (non-IVI)

Support IPv6 (non-IVI)

Transition IPv4 IPv6