Four years ago, various groups within the Internet community began working on the next version of the Internet Protocol, IPv6. IPv4, as discussed earlier in chapters 1 and 2, has been adequate to support simple distributed applications, such as file transfer and electronic mail. But the world’s needs today call for the Internet to support a multimedia environment, rich in applications and in use of the World Wide Web. With the advent of complex client/server environments and Intranets in the corporate world, greater support for these applications and for Web users is a must. This chapter was based on Process Software’s document "A Practical Guide to IPv6 Developments and Concepts"; for more detailed information, check their Web site at http://www.process.com
This chapter discusses:
- IPv6 developments and features
- IPv6 expanded addressing
- IPv6 performance
- IPv6 security and more.
The Calling of the Internet Engineering Task Force
The Internet Engineering Task Force (IETF) issued a call for proposals for specifications for the next generation IP. Almost three years ago, a design for IPv6 was developed. That design focuses on three main areas:
- Addressing
- Performance
- Security
IPv6 Addressing
IPv6 uses a 128-bit addressing scheme. This increases the address space by a factor of 2^96. According to one IPv6 paper, this should provide "adequate addressing capability for any network limited to this planet." By using 128 bits rather than the 32 bits IPv4 uses, IPv6 increases the address space by a billion x a billion x a billion times. Table 4.1 shows a comparison of this address increase:
Table 4.1
A 128-bit address format substantially increases the number of possible addresses compared with a 32-bit one.
IP Version | Size of Address Space |
IPv4 | 32 bits = 4,294,967,296 |
IPv6 | 128 bits = 340,282,366,920,938,463,463,374,607,431,768,211,456 |
But just as important as the size of the address space is how the addresses are allocated. IPv6 assigns addresses hierarchically, as needed by the requester, rather than in blocks that contain unused addresses, as IPv4 does. In this hierarchical scheme, an upper authority subdivides its address allocation to a lower authority, which can subdivide its allocation to the next lower authority, and so on.
Currently, network providers assign the bulk of addresses. With IPv6, addresses are not centrally allocated and only one prefix (010) is for network provider allocations.
The address classes of IPv6 also meet the needs of the user community more directly than IPv4. There are basically three types of network users:
- Ones who use an organization’s Intranet and the Internet
- Ones who use only their company’s Intranet at this time, but might connect to the Internet in the future
- Individuals who connect to the Internet via telephone lines from home, airports, hotels, or anywhere else
IPv6 provides a better way of servicing these kinds of users by offering three address types:
- Four categories of unicast addresses
- Improved multicast address format
- The new anycast address format
The IPv6 addresses are 128-bit identifiers for interfaces and sets of interfaces.
Unicast Addresses
Unicast addresses identify a single interface. Packets sent to a unicast address are delivered to the interface identified by that address. There are four types of unicast addresses:
- Provider-based, which provides global addressing to all connected hosts
- Local use, which includes link-local for addressing on a single link (physical network) or subnetwork, and site-local designed for local use that can later be integrated into global addressing
- IPv4 compatible, which provides compatibility between IPv4 and IPv6 until a complete transition is attained
- Loopback, which sends an IPv6 packet to itself. These packets are not sent outside a single node.
The interface is identified by the system’s 48-bit Ethernet, FDDI, or Token Ring MAC address.
Multicast Addresses
Multicast addresses identify a set of interfaces that usually belong to different nodes. Packets sent to a multicast address are delivered to all interfaces identified by that address. This is useful in several ways, such as sending discovery messages to only the machines that are registered to receive them. A particular multicast address can be confined to a single system, restricted to a specific site, associated with a particular network link, or distributed worldwide.
Note that IPv6 has no broadcast addresses and uses multicasting instead; the multicast address format is shown in Table 4.2.
Table 4.2
A multicast address allows multiple configurations: it can be confined to a single system, restricted to a specific site, associated with a network link, or distributed worldwide.
Bits | 8 | 4 | 4 | 112 |
11111111 | Flags | Scope | Group ID |
Anycast Addresses
Anycast addresses are a new introduction to IP technology with the IPv6 protocol. This kind of address identifies a set of interfaces, usually belonging to different nodes. A packet sent to an anycast address is delivered to one of the interfaces identified by the address, usually the nearest one, as determined by how the router measures distance.
This makes routing more efficient (see Table 4.3) because the address itself can specify intermediate hops en route to a destination, rather than having the router determine the route.
Table 4.3
Anycast addresses enable more efficient routing by specifying intermediate hops en route to a destination.
Bits | n | 128-n |
Subnet prefix | 0000 ... 0000 |
A Word About Address Resolution and Neighbor Discovery
In order for Internet packets to be transferred in a particular subnet on a particular medium, the nodes need to know the subnet address or the media address of the target station. IPv4 relies on the Address Resolution Protocol (ARP), but IPv6 uses what is called Neighbor Discovery, which provides the same services as ARP but also adds router discovery.
With IPv6, Neighbor Discovery is described in generic terms as part of IPv6 ICMP. Christian Huitema, in his book "IPv6, The New Internet Protocol," describes very well how IPv6 nodes use multicast transmission to identify the media address of their destination. The message is always sent to a multicast address whenever the media address of the destination is unknown. Thus, for IEEE-802, Ethernet or FDDI, the 48-bit multicast MAC address is obtained by concatenating a fixed 16-bit prefix, 3333 (hexadecimal), and the last 32 bits of the IPv6 multicast address. Xerox reserved this prefix for use with IPv6, as shown in figure 4.1.
Figure 4.1
Mapping of a multicast address in IEEE-802 networks.
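As an added example (not from the chapter or from Process Software’s document), the following Python code splits an IPv6 multicast address into the Table 4.2 fields, derives the IEEE-802 MAC address of figure 4.1 from the 33:33 prefix, and builds the subnet-router anycast address of Table 4.3. The numeric scope codes are an assumption taken from RFC 1884, the addressing architecture of the time; the sample addresses are constructed.

```python
import ipaddress

# Multicast scope codes from RFC 1884 (the IPv6 addressing architecture in force when
# this chapter was written). The chapter names the scopes only in words, so these
# numeric values are an assumption taken from the RFC, not from the chapter.
SCOPE_NAMES = {
    0x1: "node-local",           # confined to a single system
    0x2: "link-local",           # associated with a particular network link
    0x5: "site-local",           # restricted to a specific site
    0x8: "organization-local",
    0xE: "global",               # distributed worldwide
}


def parse_multicast(addr: str) -> dict:
    """Split an IPv6 multicast address into the Table 4.2 fields:
    8-bit 11111111 prefix, 4-bit flags, 4-bit scope, 112-bit group ID."""
    packed = ipaddress.IPv6Address(addr).packed          # 16 raw bytes
    if packed[0] != 0xFF:
        raise ValueError(f"{addr} is not multicast: first 8 bits must be 11111111")
    flags = packed[1] >> 4                               # high nibble of byte 1
    scope = packed[1] & 0x0F                             # low nibble of byte 1
    group_id = int.from_bytes(packed[2:], "big")         # remaining 112 bits
    return {
        "flags": flags,
        "transient": bool(flags & 0x1),                  # T flag: 0 = well-known, 1 = transient
        "scope": scope,
        "scope_name": SCOPE_NAMES.get(scope, "reserved/unassigned"),
        "group_id": group_id,
    }


def multicast_mac(addr: str) -> str:
    """Figure 4.1 mapping for IEEE-802 media (Ethernet, FDDI): the fixed 16-bit prefix
    33:33 followed by the last 32 bits of the IPv6 multicast address."""
    packed = ipaddress.IPv6Address(addr).packed
    if packed[0] != 0xFF:
        raise ValueError("only multicast addresses map onto the 33:33 MAC prefix")
    return "33:33:" + ":".join(f"{b:02x}" for b in packed[12:16])


def subnet_router_anycast(prefix: str) -> str:
    """Table 4.3: the subnet prefix (n bits) followed by 128-n zero bits.
    A packet sent here reaches one (the nearest) router on that subnet."""
    net = ipaddress.IPv6Network(prefix)      # strict by default: host bits must be zero
    return str(net.network_address)


if __name__ == "__main__":
    # Constructed samples: ff02::2 is the all-routers group that Router
    # Solicitations are sent to; ff15::abcd is a made-up transient site-local group.
    for group in ("ff02::2", "ff15::abcd"):
        fields = parse_multicast(group)
        print(group, fields["scope_name"],
              "transient" if fields["transient"] else "well-known",
              "->", multicast_mac(group))
    print(subnet_router_anycast("3ffe:1900:4545:3::/64"))
```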
RFC 1970, "Neighbor Discovery for IP Version 6 (IPv6)," specifies the standards-track protocol for the Internet community. As mentioned earlier, nodes need a mechanism to determine the address of a target node. Neighbor Discovery provides it through a link-layer address resolution process for neighbors known to reside on attached links. Neighbor Discovery is also used by hosts to find neighboring routers that are willing to forward packets on their behalf, to actively keep track of which neighbors are reachable and which are not, and to detect changed link-layer addresses. When a router or the path to a router fails, a host actively searches for functioning alternates.
For more details about the parameters of this specification, see RFC 1970 at http://playground.sun.com/pub/ipng/html/ipng-main.html.
An Overview of the Protocol
Besides solving many problems related to the interaction of nodes attached to the same link, Neighbor Discovery also defines mechanisms for resolving a few other specific problems:
- Router Discovery: how hosts locate routers residing on attached links.
- Prefix Discovery: how hosts discover the set of address prefixes that define which destinations are on-link for an attached link.
- Parameter Discovery: how a node learns the necessary link parameters, such as the link MTU, or Internet parameters, such as the hop limit value to place in outgoing packets.
- Address Autoconfiguration: how nodes automatically configure an address for an interface.
- Address Resolution: how nodes determine the link-layer address of an on-link destination (a neighbor), given only the destination’s IP address.
- Next-hop Determination: the algorithm for mapping an IP destination address into the IP address of the neighbor to which traffic for the destination should be sent. The next hop can be a router or the destination itself.
- Neighbor Unreachability Detection: how nodes determine that a neighbor is no longer reachable. If the neighbor is a router, alternate default routers can be tried; for both routers and hosts, address resolution can be performed again.
- Duplicate Address Detection: how a node determines whether the address it wants to use is already in use by another node.
- Redirect: how a router informs a host of a better first-hop node to reach a particular destination.
Neighbor Discovery defines five different ICMP packet types:
- A pair of Router Solicitation and Router Advertisement messages
- A pair of Neighbor Solicitation and Neighbor Advertisement messages
- A Redirect message
The messages serve the following purpose:
- Router Solicitation: When an interface becomes enabled, hosts may send out Router Solicitations that request routers to generate Router Advertisements immediately rather than at their next scheduled time.
- Router Advertisement: Routers advertise their presence together with various link and Internet parameters either periodically, or in response to a Router Solicitation message. Router Advertisements contain prefixes that are used for on-link determination and/or address configuration, a suggested hop limit value, etc.
- Neighbor Solicitation: Sent by a node to determine the link-layer address of a neighbor, or to verify that a neighbor is still reachable via a cached link-layer address. Neighbor Solicitations are also used for Duplicate Address Detection.
- Neighbor Advertisement: A response to a Neighbor Solicitation message. A node may also send unsolicited Neighbor Advertisements to announce a link-layer address change.
- Redirect: Used by routers to inform hosts of a better first hop for a destination.
On multicast-capable links, each router periodically multicasts a Router Advertisement packet to announce its availability. To keep track of available routers, a host receives Router Advertisements from all routers and builds a list of default routers. Router Advertisements are generated frequently enough that hosts learn of a router’s presence within a few minutes, but not frequently enough for hosts to rely on the absence of advertisements to detect router failure. For that, a separate Neighbor Unreachability Detection algorithm provides failure detection.
For more information about routing, see chapter 5, "IPv6 Routing," which discusses it in more detail; that discussion goes beyond the goals of this chapter.
IPv6 Is Multimedia Ready
IPv6 incorporates a variety of functions that make it possible to use the Internet to deliver video and other real-time data that require guaranteed bandwidth and latency to ensure that packets arrive on a regular basis.
Multicast support
IPv6 mandates support for multicast, a function that delivers messages to all hosts that register to receive it. This function makes it possible to deliver data simultaneously to large numbers of users for public or private consumption without wasting bandwidth broadcasting to the entire network. IPv6 also includes facilities to limit the scope of multicast message distribution to a specific location, region, company or other criteria, thereby reducing bandwidth usage and providing security.
Bandwidth Reservations
Using the mandated RSVP functionality, which is discussed in more detail in chapter 9, "IPv6 Performance," users can reserve bandwidth along the route from source to destination. This makes it possible to deliver video or other real-time data with a guaranteed quality of service.
Packet Prioritizing
Packets will be assigned a priority level, ensuring that lower-priority packets do not interrupt real-time data flow.
Jumbograms
IPv6 will support packet sizes of up to 4 billion bytes. This will make the transmission of large packets easier and ensure that IPv6 can make the best use of all available bandwidth over any transmission medium.
IPv6 has Plug-and-Play Features
Currently, users or network managers must manually configure each machine with its address and other network information. This is a confusing, error-prone task for many individual users and a time consuming chore for network managers. It also requires that to change network addresses, every machine must be manually reconfigured. IPv6 solves these problems by including mechanisms to allow hosts to discover their own addresses and to automate address changes.
Address Discovery
IPv6 allows hosts to learn their own address from a local router during boot-up, eliminating the need to manually configure addresses on each host. IPv6 also specifies procedures for a host to allocate an address for local site communications and for small sites without routers.
Network Information Discovery
IPv6 mandates support for Dynamic Host Configuration Protocol (DHCP) which allows the host to obtain all relevant network information from a local router during boot-up.
Automated Address Changes
Because the router in IPv6 distributes network addresses, changing the address of the network requires only updating the router. In addition, all addresses include lifetimes, enabling the router to specify a time to switch addresses, ensuring a smooth, error-free transition to a new address.
Support for Mobile Hosts
IPv6 will incorporate algorithms to automatically forward packets from a base address to any other address. This will allow users connected to the Internet from any location, even mobile phones, to seamlessly receive their messages.
Dead Neighbor Detection
IPv6 specifies dead neighbor and dead gateway detection algorithms, ensuring that all implementations of IPv6 are able to efficiently detect problems and reroute packets when necessary.
Added Flexibility
IPv6 allows applications to specify how to treat unknown options. This gives IPv6 the flexibility to add new options in the future without requiring that all existing implementations be updated to conform.
Control Over Routing
As opposed to the capability to choose only loose (automatically determined) or strict (user specified) routing for the entire path in IPv4, in IPv6 users can specify loose or strict routing for each hop along the path. IPv6 also includes the flexibility to include additional routing methods in the future.
Anycast addressing
IPv6 allows a source to specify that it wants to contact any one machine from a group via a single address. More about addressing is discussed on chapter 6, "IPv6 Addressing."
Configurability of features
The IPv6 protocol for hosts and routers to discover neighboring machines is called neighbor discovery. IPv6 allows all the features of neighbor discovery such as retries and time-out parameters to be locally configured. This provides increased flexibility as well as the capability to optimize neighbor discovery for the needs and constraints of each individual network.
IPv4 Compatibility
Because of the huge installed base of IPv4 hosts and routers, the specifications for IPv6 include mechanisms designed to ensure a smooth, gradual transition from IPv4 to IPv6.
IPv4 Address Translation
IPv4 addresses are easily translated into IPv6 addresses by adding an IPv6 address prefix of leading zeroes.
Dual Protocol Stacks
For the foreseeable future, all implementations of IPv6 will also include an IPv4 stack.
IPv6 Tunneled Over IPv4
IPv6 hosts will be able to communicate with each other through IPv4 routers by encapsulating IPv6 packets within IPv4 packets.
Backward Compatibility
Application Programming Interface (API) support for both IPv4 and IPv6 addresses permits IPv6 applications to transparently support legacy IPv4 services.
Security Infrastructure
IPv6 provides an infrastructure for packet-level encryption and authentication that applications can use to ensure networking security.
Encryption
Encryption scrambles the data packets to prevent unauthorized people from reading the message. Although 56-bit DES encryption is part of the IETF standard, due to conflicts with U.S. export constraints, international users may not have access to this functionality.
Authentication
Authentication verifies that the source address was not forged and that the packet was not tampered with en route. IPv6 implementations include the MD5 algorithm for message authentication to verify that the message arrives unchanged from the user claiming to have sent the packet.
IPv6 Performance Considerations
Network performance is directly related to routing. The amount of traffic that leaves the local network (external traffic) compared to the amount of traffic that occurs on the network is constantly increasing. This is due in part to the demand for more services, especially graphics based services. Speeds for LANs and WANs have also increased to hundreds of megabits per second, with gigabit networks not far in the future. Routers need to perform their functions of processing and forwarding IP datagrams much quicker than before.
There are fewer fields in an IPv6 packet header than in an IPv4 header. To increase the speed at which a packet travels past a router, separate optional headers are placed between the IPv6 header and the transport-layer header. Most of these are not examined or processed by routers along the packet’s path, which simplifies and speeds up router processing. Additional optional headers are also easier to add, making IPv6 more flexible than IPv4. Because the IPv6 packet header has a fixed length, processing is also simplified.
IPv6 does not fragment packets as they are routed as IPv4 does. Instead, packet fragmentation and reassembly will be done exclusively in the communicating hosts, thus reducing the workload for intermediate routers. When the transition to IPv6 is complete, the Internet will consist of only networks with Maximum Transmission Units (MTUs) equal to or larger than 576 bytes.
Performance with IPv6 will be optimized by the use of flow labels. The flow source specifies in the label any special service requirements from routers along a path, such as priority, delay, or bandwidth. All packets in the sequence carry the same information in the flow label to reserve the type of service they need from intermediate routers. Such a need might arise when transmitting video, or when limiting the traffic a specific computer or application sends to avoid congestion.
With IPv6, a flow can be one or multiple TCP connections, and a single application could generate a single flow or multiple flows. An example of a single flow would be a text page, and an example of a multiple flow would be an audio/visual conference.
Packets that share a flow label also share path, resource allocation, discard requirements, accounting, and security attributes. The flow label is defined before transmission.
IPv6 Security Considerations
As the Internet has grown in popularity and use, the reasons for its use have changed and increased. More and more, users want to know that their transactions and access to their own sites are secure. Users also want to increase security across protocol layers. Up until IPv6, security has been available only by added applications or services.
IPv6 provides security measures in two functional areas:
- Authentication: requires that a sender log into the receiver. If the sender is not recognized, access is not allowed. If access is allowed, this ensures that the packets were actually sent by the approved sender and that the content was not changed in transit.
- Privacy: takes the form of encryption and protects data from unintended users. Packets that leave a site can be encrypted and packets that enter a site can be authenticated.
Both privacy and authentication can be applied in a "security association." For a one-way exchange between a sender and a receiver, one association is needed; for a two-way exchange, two associations are needed. When combining authentication and privacy, either can be applied first. If encryption is applied first, the entire packet is authenticated, including encrypted and unencrypted parts. If authentication is applied first, authentication applies to the entire packet.
IPv6 Autoconfiguration Considerations
Configuring IPv4 systems has traditionally been difficult and problematic. IPv6 offers two ways for computer systems and personal electronic products to configure themselves automatically:
- Stateful: enables servers to dynamically assign unique addresses to computers as they are requested, taking the addresses from a database of pre-allocated values.
- Stateless: enables IPv6 nodes to generate globally unique addresses by concatenating the link-local address of the network connection they are using with an internal interface number, such as an Ethernet or Token Ring MAC address.
Much planning, testing, and more testing has gone into the development of IPv6 to ensure that use of the Internet is interrupted as little as possible. The next section explains the transition plan.
Making the Transition to IPv6
In creating the next generation Internet Protocol, the IETF has also created a transition path from IPv4 to IPv6. The immense size of the Internet, and thus all the users of IPv4, makes an overnight change impossible. And no user can afford any downtime caused by waiting to upgrade.
For these reasons, the transition to IPv6 can be done on a node-by-node basis. Autoconfiguration should help by eliminating the need for human intervention to configure systems.
There are features of IPv6 that are compatible with IPv4, which will help ease the transition. For example, IPv4 addresses can be embedded within IPv6 addresses and all IPv6 nodes, at least for the time being, also support IPv4. Packets for IPv6 can be embedded within IPv4 packets so tunneling through parts of the network that support only IPv4 is possible.
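As an added example (not from the chapter), the following Python code builds and parses the fixed 40-byte IPv6 header with its priority and flow label, forms an IPv4-compatible IPv6 address from leading zeroes, and encapsulates an IPv6 packet in IPv4 for tunneling, including the checks a tunnel endpoint applies before trusting the inner packet. It assumes the RFC 1883 header layout that was current when the chapter was written (4-bit priority, 24-bit flow label; RFC 2460 later changed these to an 8-bit traffic class and 20-bit flow label) and the IPv4 protocol number 41 for encapsulated IPv6 from RFC 1933; the addresses and payload are constructed.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41       # IPv4 protocol number for an encapsulated IPv6 packet (RFC 1933)
IPV6_HEADER_LEN = 40    # the fixed-length header the chapter credits with faster routing


def build_ipv6_packet(src, dst, payload, next_header=59, priority=0, flow_label=0, hop_limit=64):
    """RFC 1883 layout: version (4) | priority (4) | flow label (24) | payload length (16)
    | next header (8) | hop limit (8) | source (128) | destination (128), then the payload.
    next_header 59 means "no next header": a bare payload, which is enough for this example."""
    if not 0 <= priority < 16 or not 0 <= flow_label < (1 << 24):
        raise ValueError("priority is a 4-bit field and the flow label a 24-bit field")
    first_word = (6 << 28) | (priority << 24) | flow_label
    header = struct.pack("!IHBB", first_word, len(payload), next_header, hop_limit)
    header += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return header + payload


def parse_ipv6_packet(packet):
    """Decode the fixed header; the flow label is what routers key their service on."""
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {
        "priority": (first_word >> 24) & 0xF,
        "flow_label": first_word & 0xFFFFFF,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(packet[8:24])),
        "dst": str(ipaddress.IPv6Address(packet[24:40])),
        "payload": packet[IPV6_HEADER_LEN:IPV6_HEADER_LEN + payload_len],
    }


def ipv4_compatible(v4):
    """'IPv4 Address Translation' above: 96 zero bits followed by the 32-bit IPv4 address."""
    return ipaddress.IPv6Address(bytes(12) + ipaddress.IPv4Address(v4).packed)


def ipv4_checksum(header):
    """Standard one's-complement sum over the IPv4 header (checksum field zeroed first)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate_in_ipv4(ipv6_packet, v4_src, v4_dst, ttl=64):
    """Tunnel entry: prepend a minimal 20-byte IPv4 header carrying protocol 41."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6_packet), 0, 0, ttl,
                      IPPROTO_IPV6, 0,
                      ipaddress.IPv4Address(v4_src).packed, ipaddress.IPv4Address(v4_dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]   # fill checksum field
    return hdr + ipv6_packet


def decapsulate_from_ipv4(frame):
    """Tunnel exit: verify the outer header before handing the inner packet to the IPv6 stack."""
    if frame[0] >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    ihl = (frame[0] & 0x0F) * 4
    outer = frame[:ihl]
    if ipv4_checksum(outer) != 0:          # a valid header sums to zero with its checksum in place
        raise ValueError("outer IPv4 header checksum mismatch")
    if outer[9] != IPPROTO_IPV6:
        raise ValueError("outer packet does not carry IPv6 (protocol != 41)")
    total_len = struct.unpack("!H", outer[2:4])[0]
    inner = frame[ihl:total_len]
    parse_ipv6_packet(inner)               # reject anything that is not an IPv6 packet
    return inner


if __name__ == "__main__":
    # Constructed sample: two hosts under a 6bone-style prefix and a small "video" payload
    # tagged with a high priority and a flow label, tunneled between two IPv4 endpoints.
    pkt = build_ipv6_packet("3ffe:1900:4545:3::1", "3ffe:1900:4545:4::1",
                            b"frame-0001", priority=7, flow_label=0x0ABCDE)
    frame = encapsulate_in_ipv4(pkt, "192.0.2.1", "198.51.100.1")
    print(parse_ipv6_packet(decapsulate_from_ipv4(frame)))
    print(ipv4_compatible("192.0.2.1"))
```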
Because of this compatibility between IPv4 and IPv6, some users may not feel the need to upgrade. However, the benefits of using IPv6 far outweigh the cost of upgrading. To not upgrade would be like riding a horse on the Autobahn rather than driving a car.
IPv6 is being tested over and over by IETF and its participating partners. With its core specifications finalized, IPv6 implementations should occur within a year and Internet Service Providers should begin to offer IPv6 links during the next three to four years.
TIP: When looking for more information or services on IPv6, a great source is Process Software, which can be found at http://www.process.com/ipv6
The Effect of IPv6 on Other Standards
As discussed in these past three chapters, the changes (and new features!) of IPv6 are very significant compared to IPv4. Thus, it is not unusual to expect it to have a major impact on other IETF and non-IETF standards. The truth is that many of the IETF standards are being affected by the advent of IPv6. More than 50% of all the Internet standards (21 out of 51) will have to be revised for use with IPv6. Along the same lines, a few other Draft and Proposed Standards (PS) are also being affected.
Revisions range (and will continue to range) from simple text revisions of Proposed Standards to revisions of the protocols themselves, including their packet formats. In many of these cases the address is just being carried as a data element, and a revised format with a larger field for the address will have no effect on the functional paradigm. In the remaining cases some facet of the operation of the protocol will be changed as a result of IPv6.
One example, described in more detail at Sun’s Web site (http://playground.sun.com/pub/ipng/html/ipng-main.html), is the security and source route mechanisms in IPv6, which are fundamentally changed from IPv4. Therefore, all the protocols and applications that relied on the IPv4 functionality will have to be modified, redesigned, or even rethought in order to use the equivalent functions in this new version of the protocol.
TIP: For more information about IETF’s standards and drafts relating to or affected by IPv6, check IETF’s web site at URL http://www.ietf.org. You can also find further information at the IP Next Generation Homepage at URL http://playground.sun.com/pub/ipng/html/ipng-main.html.
Using Virtual LANs with IPv6
A Virtual LAN (VLAN) is an integral feature of switched LANs. To understand and define VLANs, think of one as a group of workstations on multiple LAN segments communicating with each other as if they were on a single LAN. An example is Microsoft’s technical support. Part of Microsoft’s technical support is outsourced to other companies all over the country. For security and confidentiality reasons, these companies’ technicians are part of individual domains, trusted by Microsoft’s primary domain so they can access the technical support database at Microsoft. Although based in different cities all over the world, these ‘foreign’ domains and users all become part of a single network.
But let’s take a look at what kinds of LANs are available and how VLANs and IPv6 can bring value-added benefits to the corporation.
Router-based LANs
As router-based LANs are being replaced by switched LANs, Virtual LANs (VLANs) are becoming an important network management tool. VLANs are being deployed for traffic and bandwidth management in layer 2 switched networks.
The problem with router-based LANs, as shown in figure 4.2, is that they suffer from bandwidth and latency problems, and so they are being replaced by switched LANs. But simple switches leave a vacuum regarding the network control and traffic management functionality that is necessary to operate our networks. Virtual LANs (VLANs) provide efficient tools for controlling traffic and managing the network, which is making them an important component and solution for today’s complex and faster networks.
Figure 4.2
Typical problem faced by "real" LANs: collisions.
Router-based LANs have a few typical problems. On an 802-type LAN, for example, a shared-medium network always requires all nodes to share the bandwidth of the physical link, limiting effective utilization of the physical link. Thus, it is common for an Ethernet-based LAN to achieve only 30%-40% efficiency, since all nodes are in a single collision domain.
Switched-based LANs
In a switching-based architecture (packet buffering memory), a switched port is dedicated to every node on the LAN. Each node has its own wire and all bandwidth is dedicated to the node, which eliminates the need to share it with all other nodes on the same LAN, as in the router-based model. Since each node is in its own collision domain, as shown in figure 4.3, Ethernet efficiencies can exceed 95%, promoting an almost collision-free LAN.
Figure 4.3
Switch-based LANs promote an almost collision-free network.
This Ethernet efficiency is possible because the usable bandwidth within a switched LAN is bounded. A switched port is only allowed to receive:
- Unicast traffic addressed to the node
- Broadcast traffic within the LAN, and
- Multicast traffic within the LAN
Therefore, the volume of unnecessary broadcasts and multicasts the node receives is what limits the usable bandwidth available to a node on a switched port.
Understanding Virtual LANs
Virtual LANs (VLANs), as in the Microsoft example above, are flexible, location- and topology-independent groups of stations communicating as if on a common physical LAN, as shown in figure 4.4.
Figure 4.4
A VLAN connects LANs and nodes independently of their location and/or topology.
VLAN components.
VLANs provide a series of benefits to a switched environment, including:
- Moving away from the typical Ethernet LAN, characterized by a single collision and broadcast domain
- Resolving the problem of the single broadcast domain, which bridges were not able to resolve when breaking up Ethernet LANs into multiple collision domains
- Providing a cheap and fast substitute for the job routers do in breaking up Ethernet into multiple collision domains and containing broadcasts within each domain
- Enabling switches to break Ethernet into multiple collision domains and use VLANs to contain broadcasts within each domain in a fast, cheap and simple way
The VLAN Bridge, which implements Virtual LAN, provides the following benefits.
- Broadcast containment
- Security
- Easy administration
When using VLANs for broadcast containment, as depicted by figure 4.6, you can limit broadcast domain sizes:
- IP-based up to 1000 nodes per VLAN
- IPX-based up to 500 nodes per VLAN
- AppleTalk-based up to 200 nodes per VLAN, and
- Isolation of chatty protocols
Figure 4.6
Using VLANs to contain broadcasts.
IP multicast traffic, as shown in figure 4.7, can easily flood switched networks, and VLANs can be the best, if not the only, effective solution for the ever-increasing demand from multicasting applications such as:
- Video training
- Video conferencing
- Stock ticker & news feeds
- Medical critical care, etc.
Figure 4.7
VLANs address the ever-increasing traffic of IP multicasting.
VLANs can also resolve the uncontrolled proliferation of IP multicast traffic, as shown in figure 4.8, by containing it:
- Having switches use IGMP snooping to determine which systems want to see a multicast
- Automatically creating an Autocast VLAN based upon the IGMP snooping
- Allowing multicast traffic to go only to ports that joined the multicast group/VLAN
Figure 4.8
VLANs can be used effectively to contain the proliferation of IP multicasting.
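As an added example (not from the chapter), the following Python code models the three containment steps listed above: a switch snoops constructed IGMP join/leave/query records on its ports, builds a per-VLAN membership table (the "Autocast VLAN"), and forwards a multicast only to ports that joined the group within the same VLAN, alongside the flood behaviour it replaces. The IGMP records are simplified dictionaries rather than parsed packets, and the rule that a group nobody has joined is forwarded only to the port where a multicast router was seen is an assumption, not something the chapter states.

```python
from collections import defaultdict


class SnoopingSwitch:
    """Toy model of a layer-2 switch with IGMP snooping and per-VLAN containment."""

    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)        # port number -> VLAN id (port-based VLAN)
        self.members = defaultdict(set)         # (vlan, group) -> ports that joined the group
        self.router_ports = defaultdict(set)    # vlan -> ports where an IGMP querier was seen

    def snoop(self, port, record):
        """Learn from a constructed IGMP record {'type': 'join'|'leave'|'query', 'group': ...}
        seen on `port`. Real switches parse IGMP packets; here the record is a dictionary."""
        vlan = self.port_vlan[port]
        kind = record["type"]
        if kind == "join":
            self.members[(vlan, record["group"])].add(port)
        elif kind == "leave":
            self.members[(vlan, record["group"])].discard(port)
        elif kind == "query":                   # only a multicast router sends queries
            self.router_ports[vlan].add(port)
        else:
            raise ValueError(f"unknown IGMP record type {kind!r}")

    def autocast_vlan(self, vlan, group):
        """The ports that currently make up the group's automatically created VLAN."""
        return sorted(self.members.get((vlan, group), ()))

    def flood_ports(self, ingress):
        """Without snooping: a multicast reaches every other port in the ingress VLAN."""
        vlan = self.port_vlan[ingress]
        return sorted(p for p, v in self.port_vlan.items() if v == vlan and p != ingress)

    def egress_ports(self, ingress, group):
        """With snooping: joined ports plus router ports in the same VLAN, never another VLAN.
        Assumption: an unjoined group is forwarded to router ports only."""
        vlan = self.port_vlan[ingress]
        targets = self.members.get((vlan, group), set()) | self.router_ports[vlan]
        return sorted(targets - {ingress})


def build_demo_switch():
    """Constructed topology: ports 1-4 in VLAN 10, ports 5-6 in VLAN 20."""
    sw = SnoopingSwitch({1: 10, 2: 10, 3: 10, 4: 10, 5: 20, 6: 20})
    sw.snoop(4, {"type": "query"})                         # multicast router on port 4
    sw.snoop(1, {"type": "join", "group": "239.1.1.1"})    # e.g. a video training feed
    sw.snoop(2, {"type": "join", "group": "239.1.1.1"})
    sw.snoop(5, {"type": "join", "group": "239.1.1.1"})    # same group, other VLAN
    return sw


if __name__ == "__main__":
    sw = build_demo_switch()
    print("flooded:", sw.flood_ports(2), "snooped:", sw.egress_ports(2, "239.1.1.1"))
```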
There are many different kinds of Virtual LANs, as listed below:
- Port based VLAN, as shown on figure 4.9
- MAC address based VLAN, as shown on figure 4.10
- Protocol based VLAN, as shown on figure 4.11 and 4.12
- IP Subnet based VLAN
- IP Multicast based VLAN
- ELAN based VLAN
- Policy based VLAN
NOTE: For more information on configuring VLANs, check the University of Iowa’s site, which has a great document/presentation at URL http://iworks.ecn.uiowa.edu/conference/IWorks97/sessions/sn084/sld024.html.
From Here
Chapter 5, "IPv6 Routing," discusses the IETF official IPv6 routing protocols, OSPFv3 and IDRPv2, and their (big) differences, as well as implementation details.