
Internal

Chapter 8: Transition Methods


A Transition Plan for the Internet

The IANA address pool was exhausted in early 2011.

IPv4 addresses are exhausted at all RIRs by 2014.

IPv4 will not be replaced completely.

Vendors deliver IPv6 features and functionality on par with IPv4.

Application vendors add IPv6 support.

Customers must push for the transition.

IETF Transition Schemes


The Internet Engineering Task Force (IETF) IP next generation transition (ngtrans) working group has been hard at
work designing transition schemes. In addition, many private parties and organizations have developed alternate
proposals. In this course, we explore some of the more promising methods at the time of this writing. Because new
transition methods are constantly being created, we must stay abreast of new proposals within the ngtrans group.
The general transition concepts and methods are described in RFC 4213, Basic Transition Mechanisms for IPv6
Hosts and Routers.
Transition mechanisms can be categorized in three groups:
1. The dual-stack approach has hosts and routers configured with both IPv4 and IPv6 addresses on their interfaces,
as well as with services such as the Dynamic Host Configuration Protocol (DHCP) for both IPv4 and IPv6. At some
point, when this step has been completed for the majority of the Internet, IPv4 addresses will be gradually removed.


2. The tunneling approach suggests that IPv6 will be installed in pockets or islands.
Tunnels will be used to connect these disparate islands until the upgrade to the underlying backbone is completed.
Tunneling can be implemented using manual configuration of both ends of the tunnel and also can be initiated
automatically when required. You can use different options to implement tunneling of IPv6 over IPv4 and even IPv4
over IPv6. Some of the techniques include the following:
6over4;
6to4;
ISATAP;
Teredo;
GRE;
Tunnel brokers;
IPv6 over MPLS; and
IPsec.
RFC 4213, Basic Transition Mechanisms for IPv6 Hosts and Routers, describes how IPv6 packets are encapsulated
within IPv4 headers using IP protocol number 41.

3. The protocol translation approach provides methods for software translation between IPv4 and IPv6 packet
formats and messages. Translation of IPv4 to IPv6 packets might be required as new applications supported only on
IPv6 are implemented and required to interact with nodes that cannot be upgraded to run on IPv6.

1: Dual-stack: hosts and routers are configured with both IPv4 and IPv6 on their interfaces, and with DHCP for IPv4 and IPv6.

2: Tunnel: used to connect islands until the backbone is completely upgraded to IPv6.

Tunneling: manual configuration on both ends, or initiated automatically.

Tunneling IPv6 over IPv4 and IPv4 over IPv6: 6over4, 6to4, ISATAP, Teredo, GRE, tunnel brokers, IPv6 over MPLS, IPsec (the list above; RFC 4213 describes the IPv6-in-IPv4 encapsulation using protocol 41).

3: Protocol translation: software translation between IPv4 and IPv6 packet formats and messages.

IPv4-to-IPv6 translation is required when new applications supported only on IPv6 must interact with nodes that cannot be upgraded to run IPv6.

The Dual-Stack Approach


The Domain Name System (DNS) has been updated to give operating system administrators some direction about
which protocol to use.
RFC 3363, Representing IPv6 Addresses in the DNS, describes the currently accepted type of DNS record for IPv6
use (the AAAA record; the earlier A6 record was moved to experimental status).

Devices are configured with IPv4.

IPv6 is deployed:

+ IPv6 is installed as a second network layer stack.

+ IPv6 is configured on all devices.

The host is responsible for deciding:

+ When to use IPv4.

+ When to use IPv6.

DNS has been updated to guide the operating system's choice of protocol.


A dual-stack host will request both types of records from the DNS server for a specific destination host. The DNS
server will respond with the IPv6 (AAAA) address records that correspond to the host name and the IPv4 type A
record, if available.
After receiving the two types of addresses, the host will select one to use. This decision will be left to the host
protocol stack resolver library, and will usually result in the IPv6 address being used. Current stacks apply the
RFC 6724 default address selection rules, which prefer native IPv6 but rank transitional IPv6 addresses such as
6to4 and Teredo below IPv4, so "IPv6 first" is not unconditional.

A dual-stack host requests two record types: AAAA = IPv6, A = IPv4.

DNS responds with both address records.

The host decides which resolved record to use.


Dual-Stack Node Behavior: Part 1


A dual-stack node will automatically query for an IPv6 and an IPv4 address by sending both an AAAA (IPv6) DNS
query and an A (IPv4) query. After the node receives responses to both queries, the application is responsible for
choosing between IPv6 and IPv4 to contact the destination. Most dual-stack implementations prefer IPv6 over IPv4
and will try to contact the destination using IPv6 first.
In the example on the slide, a node first attempts to contact www.hotmail.com. The packet capture shows the node's
attempts to find an IPv6 address and an IPv4 address for the same destination using AAAA and A queries. For this
destination, only the A query receives a response containing an IPv4 address. The second example uses the same
application and tries to contact ipv6.google.com.
In this case, it receives a response with an IPv6 address to its AAAA query.

Dual-Stack Node Behavior

A dual-stack node queries for IPv6 and IPv4 addresses with both an AAAA (IPv6) DNS query and an A (IPv4) query.

The application is responsible for choosing IPv4 or IPv6.

Dual-stack implementations prefer IPv6 over IPv4 and contact the destination over IPv6 first.
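The two captures described above, reproduced as an added example (this is editor-written code, not part of the Juniper course material): a minimal RFC 1035 wire-format builder and parser issues the A and AAAA queries a dual-stack node sends, decodes the answer section (including name-compression pointers), and ranks the candidates IPv6-first. The DNS server is a constructed in-process stand-in, and the addresses it returns are from the RFC 5737 / RFC 3849 documentation ranges, not the real records of www.hotmail.com or ipv6.google.com. Function names (`resolve_dual_stack`, `choose_destination`, `constructed_server`) are this example's own.

```python
import struct
import ipaddress

TYPE_A, TYPE_AAAA = 1, 28


def build_query(name, qtype, txid=0x1234):
    """Minimal DNS query (RD set) for `name` of record type `qtype`, wire format per RFC 1035."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(msg, off):
    """Decode a (possibly compressed) domain name; returns (name, offset just past it)."""
    labels, end = [], None
    for _ in range(128):                     # bounded so a pointer loop cannot hang the parser
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer to an earlier copy of the name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("malformed name (pointer loop?)")
    return ".".join(labels), (end if end is not None else off)


def parse_answers(msg):
    """Return [(name, 'A'|'AAAA', address)] from the answer section of a DNS response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((name, "A", str(ipaddress.IPv4Address(rdata))))
        elif rtype == TYPE_AAAA and rdlen == 16:
            answers.append((name, "AAAA", str(ipaddress.IPv6Address(rdata))))
    return answers


def build_response(query, records):
    """Constructed reply: echo the question, then `records` = [(rtype, address)] with the owner name as pointer 0xC00C."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(records), 0, 0)
    rrs = b""
    for rtype, addr in records:
        rdata = ipaddress.ip_address(addr).packed
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + query[12:] + rrs


def choose_destination(a_answers, aaaa_answers):
    """Default dual-stack policy from the text: try the IPv6 addresses first, then fall back to IPv4."""
    v6 = [addr for _, rtype, addr in aaaa_answers if rtype == "AAAA"]
    v4 = [addr for _, rtype, addr in a_answers if rtype == "A"]
    return v6 + v4


def resolve_dual_stack(name, send):
    """Behave like a dual-stack node: send both an A and an AAAA query, then rank the answers."""
    a_reply = send(build_query(name, TYPE_A, 0x0001))
    aaaa_reply = send(build_query(name, TYPE_AAAA, 0x0002))
    return choose_destination(parse_answers(a_reply), parse_answers(aaaa_reply))


# Constructed stand-in for the DNS server seen in the slide's two captures (documentation addresses, not real ones).
_CONSTRUCTED_ZONE = {
    ("www.hotmail.com", TYPE_A): [(TYPE_A, "192.0.2.10")],          # only the A query is answered
    ("ipv6.google.com", TYPE_AAAA): [(TYPE_AAAA, "2001:db8::10")],  # only the AAAA query is answered
}


def constructed_server(query):
    name, _ = _read_name(query, 12)
    qtype = struct.unpack("!H", query[-4:-2])[0]
    return build_response(query, _CONSTRUCTED_ZONE.get((name, qtype), []))


def demo():
    return {host: resolve_dual_stack(host, constructed_server)
            for host in ("www.hotmail.com", "ipv6.google.com")}


if __name__ == "__main__":
    for host, candidates in demo().items():
        print(host, "->", candidates or "no address")
```

`choose_destination` returns an ordered candidate list rather than a single address on purpose: a real stack tries the IPv6 entry first and falls back to the IPv4 entry if the IPv6 connection fails, which is the behaviour the text describes.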

IPv6 is selected first.

The source address is configured as either IPv4 or IPv6, not both.

SNMP traps are sent to the management station over IPv4 and IPv6.

Tunneling

Tunneling:

+ Encapsulate native IPv6 inside an IPv4 packet.

+ Decapsulate the IPv6 packet and process or forward it.

Manually configured tunnels: GRE, IPsec.

Tunneling Approaches
The second broad transition method suggests using tunnels to span IPv4 networks until all the intermediate routers
have been upgraded to support IPv6.
Tunneling requires encapsulation of the IPv6 packet within an IPv4 header. The new IPv4 packet is then forwarded
across the IPv4 network to the other side, where the IPv4 header is removed and the IPv6 packet is either processed
or forwarded.

Many Different Tunneling Approaches
Many approaches to tunneling IPv6 over IPv4, and IPv4 over IPv6, have been defined, some of which
are listed:
Static tunnels: 6over4 and 4over6 (configured IPv6-in-IPv4 and IPv4-in-IPv6 tunnels; note that RFC 2529 uses the
name 6over4 for a different, IPv4-multicast-based mechanism);
Dynamic or automatic tunnels: 6to4, ISATAP, Teredo, and tunnel brokers; and
Other options include: GRE, IPsec, IPv6 over MPLS.

Tunnels span IPv4 networks to carry IPv6 where the intermediate routers do not support IPv6.

Encapsulate the IPv6 packet within an IPv4 header.

The IPv4 header is removed and the IPv6 packet is processed or forwarded.

Supported tunnel types: static (6over4, 4over6), dynamic or automatic (6to4, ISATAP, Teredo, tunnel brokers), and others (GRE, IPsec, IPv6 over MPLS).

Static Tunnels.

Configured manually.

Used in these cases:

+ Router-to-Router.

+ Host-to-Host.

+ Host-to-Router.

+ Router-to-Host.

Each endpoint is configured.

Behaves like a point-to-point connection.


GRE Tunnels

GRE tunnel

Carries IPv6 over GRE over IPv4.

+ Configure dual-stack IPv4 and IPv6 addresses on the router.

+ Configure IPv6 on the GRE tunnel interface.

+ Identify the tunnel endpoints by IPv4 address.

GRE is required when IS-IS must run across the tunnel (IS-IS is not carried in IP, so protocol-41 encapsulation cannot transport it).

Ni B
Ni b

IPv6 over GRE Tunnels


Another alternative for carrying IPv6 traffic across an IPv4 core is generic routing encapsulation (GRE) tunnels.
GRE is a tunneling protocol that enables the transport of a variety of Layer 3 protocols, including IPv6. You use
these tunnels for different applications, such as providing backup links, transporting non-IP protocols over an IP
network, and connecting islands of IP or IPv6 networks.
To create a GRE tunnel in the Junos OS, the router must be equipped with tunnel service capabilities, which are
native in a Juniper Networks SRX Series Services Gateway, or are available through a hardware module in a Juniper
Networks M Series, T Series, or MX Series device. When these services are enabled on a router, a pseudo-interface
is created, which is identified as gr-x/y/z.
Required configuration steps include the following:
Configure dual-stack IPv4 and IPv6 addresses on IPv4 core-facing interfaces;
Identify tunnel endpoints (source IP address and destination IP address); and
Configure family inet6 and provide an IPv6 address.
Configuration of GRE tunnels is very similar to the configuration of static IPv6 over IPv4 tunnels. The main
difference is the encapsulation of traffic. IPv6 over IPv4 tunnels provide direct encapsulation of IPv6 packets within
IPv4 packets; the IPv6 payload is identified by IP protocol number 41. When encapsulating IPv6 over GRE tunnels,
an extra GRE header (4 bytes as defined in RFC 2784, 8 bytes when the optional checksum is carried) is inserted
between the IPv4 and IPv6 headers, which can be considered a drawback, though not a significant one; either way
the tunnel MTU must account for the added outer headers. However, in some situations, such as when transporting
IS-IS over the tunnel, GRE encapsulation is necessary, because IS-IS does not run over IP and therefore cannot be
carried in a protocol-41 tunnel.

GRE is a tunneling protocol that enables transport of Layer 3 protocols.

It is used for different applications: providing backup links, transporting non-IP protocols.

When GRE is enabled, a pseudo-interface gr-x/y/z is created.

Required configuration:

+ Configure dual-stack IPv4 and IPv6 on the IPv4 core-facing interface.

+ Identify the tunnel endpoints (source IP address and destination IP address).

+ Configure family inet6 and provide an IPv6 address.

+ Configuration is almost the same as for static IPv6 over IPv4 tunnels, but the packet encapsulation differs.

+ Static IPv6 over IPv4 tunnels: encapsulate IPv6 packets inside IPv4 packets; the IPv6 payload is identified by protocol 41.

+ IPv6 over GRE tunnels: an extra GRE header (4 bytes, 8 with the optional checksum) is inserted between the IPv4 and IPv6 headers, which is otherwise unnecessary overhead. In some situations it is necessary, such as transporting IS-IS over the tunnel.
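The two encapsulations compared in the static-tunnel and GRE sections above, as an added example (editor-written, not Juniper code and not a description of how Junos implements its gr- interfaces): an IPv6 packet is wrapped either directly in IPv4 with protocol 41 (RFC 4213) or in IPv4 protocol 47 plus a 4-byte RFC 2784 GRE header carrying the IPv6 EtherType. The decapsulator does the check a configured tunnel endpoint must do before trusting anything it unwraps: the outer IPv4 source has to be the configured peer (RFC 4213 section 3.6), the header checksum has to verify, and the inner packet has to actually be IPv6. All addresses are documentation ranges; `tunnel_overhead`, `encap_6in4` and the other names are this example's own.

```python
import struct
import ipaddress

IPPROTO_IPV6 = 41       # RFC 4213: IPv6 carried directly in IPv4 ("protocol 41")
IPPROTO_GRE = 47        # GRE, RFC 2784
ETHERTYPE_IPV6 = 0x86DD
GRE_HDR_LEN = 4         # flags/version + protocol type; 8 bytes if the checksum-present bit is set


class TunnelError(ValueError):
    """Packet rejected by the tunnel decapsulator."""


def ipv4_checksum(hdr):
    """One's-complement sum over the 16-bit words of an IPv4 header (0 when a valid header is summed)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def build_ipv6_packet(src, dst, payload, next_header=59):
    """40-byte IPv6 header + payload; next header 59 = No Next Header (RFC 8200)."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def encap_6in4(v6pkt, tsrc, tdst):
    """Static IPv6-over-IPv4 tunnel: outer IPv4 header with protocol 41, nothing else added."""
    return build_ipv4_header(tsrc, tdst, IPPROTO_IPV6, len(v6pkt)) + v6pkt


def encap_6over_gre(v6pkt, tsrc, tdst):
    """IPv6 over GRE: outer IPv4 (protocol 47) + GRE header whose protocol type is the IPv6 EtherType."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV6)
    return build_ipv4_header(tsrc, tdst, IPPROTO_GRE, len(gre) + len(v6pkt)) + gre + v6pkt


def _strip_ipv4(pkt, expected_peer):
    """Validate and remove the outer IPv4 header; returns (protocol, payload)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise TunnelError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise TunnelError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    # A configured tunnel accepts only packets whose outer source is the configured endpoint (RFC 4213 s3.6);
    # without this, anyone on the IPv4 Internet can inject IPv6 packets into the island.
    if src != expected_peer:
        raise TunnelError("outer source %s is not the configured tunnel peer %s" % (src, expected_peer))
    return proto, pkt[ihl:total_len]


def decap_6in4(pkt, expected_peer):
    proto, inner = _strip_ipv4(pkt, expected_peer)
    if proto != IPPROTO_IPV6:
        raise TunnelError("expected protocol 41, got %d" % proto)
    if not inner or inner[0] >> 4 != 6:
        raise TunnelError("inner packet is not IPv6")
    return inner


def decap_6over_gre(pkt, expected_peer):
    proto, gre = _strip_ipv4(pkt, expected_peer)
    if proto != IPPROTO_GRE or len(gre) < GRE_HDR_LEN:
        raise TunnelError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", gre[:GRE_HDR_LEN])
    hdr_len = GRE_HDR_LEN + (4 if flags & 0x8000 else 0)   # checksum-present bit adds checksum + reserved1
    inner = gre[hdr_len:]
    if ptype != ETHERTYPE_IPV6 or not inner or inner[0] >> 4 != 6:
        raise TunnelError("GRE payload is not IPv6")
    return inner


def tunnel_overhead(v6pkt, tsrc, tdst):
    """Bytes each encapsulation adds on top of the IPv6 packet (what the tunnel MTU must absorb)."""
    return {
        "6in4": len(encap_6in4(v6pkt, tsrc, tdst)) - len(v6pkt),
        "gre": len(encap_6over_gre(v6pkt, tsrc, tdst)) - len(v6pkt),
    }


if __name__ == "__main__":
    v6 = build_ipv6_packet("2001:db8:1::1", "2001:db8:2::1", b"constructed payload")
    print(tunnel_overhead(v6, "192.0.2.1", "198.51.100.1"))
```

The peer check is the part worth copying: protocol-41 and GRE carry no authentication of their own, so an endpoint that decapsulates from any IPv4 source is an open relay into the IPv6 island. Where the peer address cannot be pinned, the text's IPsec option is the alternative.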


IPsec Encapsulating Security Payload in IPv6


A persistent misconception within the industry is that IPv6 is more secure than IPv4. One reason for this notion is
that it provides IP Security (IPsec) as part of the protocol stack rather than as an additional client that you must add
to the device. However, the fact is that you can protect IPv6 with the same IPsec concepts, techniques, algorithms, and
encapsulation methods used to protect IPv4 transmissions, which means that in general, whatever you have done for
IPv4 security thus far must be replicated for IPv6. The only difference regarding IPsec is that, because the IPv6
node requirements of the time (RFC 4294) mandated support for IPsec, you might not need additional software or IPsec
clients. (RFC 6434 later relaxed that requirement to a SHOULD, so even availability cannot be assumed on every IPv6
node.) The presence of IPsec does not mean that IPsec will be enabled by default on IPv6 devices and will not have to
be configured; it does not mean IPsec will operate any differently or any better than in IPv4 environments; and it
does not mean configuration will be easier. Replicating your IPv4 settings means only that IPsec will be available
for you to use on any IPv6 implementation that follows the specifications.
You must consider other factors as well. For example, scanning an IPv6 prefix could take a long time because of the
much larger address space, but in terms of implemented IPsec services, the difference would be minimal. One
important issue you might face, however, is the lack of support for Internet Key Exchange (IKE), which is not part of
the mandatory implementation features. The next slide discusses this concern.
RFC 4303, IP Encapsulating Security Payload (ESP), defines the concepts, encapsulation format, and uses of ESP
to protect both IPv4 and IPv6 traffic.

Why IPv6 is believed to be more secure than IPv4:

+ It provides IP Security (IPsec) as part of the protocol stack; with IPv4 a client has to be added to the device.

IPv6 uses the same IPsec concepts, techniques, algorithms, and encapsulation methods that protect IPv4.

IPv6 standards call for IPsec support, so no additional software or IPsec client is needed.

IPsec is available on IPv6.

Internet Key Exchange (IKE) may not be supported.

IKE is the mechanism for exchanging keys periodically, to defeat eavesdropping and traffic-sampling attacks.

Change the key before the sequence number cycles.

Not every IPv6 IPsec stack includes IKE support; keys must then be installed and managed manually.

Key infrastructure is not widely deployed, so enforcing IPsec is hard to scale.

IKE Issues in IPv6


The Internet Security Association and Key Management Protocol (ISAKMP) combines authentication, key
management, and security association (SA) management to build secure communication channels between hosts.
Within the ISAKMP framework, you can use IKE to negotiate SAs. Regardless of the initial SA setup, even if you
use symmetric pre-shared keys, the shared key must be rolled over (changed) before the sequence numbers cycle;
for counter-mode ciphers such as AES-CTR or AES-GCM the per-packet IV is derived from that counter, so reusing
a sequence number under the same key is catastrophic for both confidentiality and integrity. For IPsec ESP, the
standard sequence number is a 32-bit value, which means that you can use a shared key (securely) for no more than
about 4 billion (2^32 - 1) packets before you have to change the key; RFC 4303 also defines 64-bit extended
sequence numbers (ESN), which raise the limit but do not remove it. IKE provides a mechanism to securely change the
shared key. Many IPsec implementations for IPv6 do not support IKE, because it is not mandated by the standards.
Therefore, you must use and change static keys manually, which is cumbersome and very prone to misconfiguration;
thus it is not scalable and increases the security risks.

The Internet Security Association and Key Management Protocol (ISAKMP) combines authentication, key management, and security association (SA) management to protect communication between hosts.

IKE is used to negotiate SAs.

The IPsec ESP sequence number is 32 bits: a shared key can be used (securely) for no more than about 4 billion packets, after which the key must be changed.

IKE is the mechanism for changing the shared key securely.

Where IKE is not supported for IPv6, static keys must be changed manually.
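The sequence-number limit and the rekey it forces, as an added example (editor-written, not from the course and not a real IPsec implementation): an outbound SA model that refuses to let the 32-bit ESP counter cycle, as RFC 4303 requires, and so must be rekeyed the way IKE would do automatically; an inbound RFC 4303 Appendix A anti-replay window, which is the receiver-side reason the counter matters; and a helper that turns a packet rate into the lifetime of one manually installed key. Class and function names (`EspSender`, `EspReceiver`, `seconds_until_rekey`) are this example's own, and the SPIs and rates are constructed.

```python
from dataclasses import dataclass


class RekeyRequired(RuntimeError):
    """Sending one more packet would cycle the sequence number under the current key."""


@dataclass
class EspSender:
    """Outbound SA state: RFC 4303 forbids letting the sequence number wrap; the first packet uses 1."""
    spi: int
    seq_bits: int = 32          # 64 when Extended Sequence Numbers (ESN) are negotiated
    seq: int = 0                # last sequence number sent

    def next_seq(self):
        if self.seq >= (1 << self.seq_bits) - 1:
            raise RekeyRequired("SPI 0x%08x: sequence space exhausted, rekey (IKE) before sending" % self.spi)
        self.seq += 1
        return self.seq

    def rekey(self, new_spi):
        """A fresh SA (new SPI and key, as IKE would negotiate) restarts the counter at zero."""
        self.spi, self.seq = new_spi, 0


@dataclass
class EspReceiver:
    """Inbound anti-replay sliding window (RFC 4303 Appendix A); default width 64."""
    window: int = 64
    top: int = 0                # highest sequence number accepted so far
    bitmap: int = 0             # bit i set => sequence number (top - i) already seen

    def check(self, seq):
        """True if `seq` is new and inside the window; False for zero, stale or replayed sequence numbers."""
        if seq <= 0:
            return False
        if seq > self.top:                      # right edge moves: slide the window
            shift = seq - self.top
            if shift >= self.window:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.window:               # older than the window: drop
            return False
        if (self.bitmap >> offset) & 1:         # already seen: replay
            return False
        self.bitmap |= 1 << offset              # out of order but new: accept and mark
        return True


def seconds_until_rekey(packets_per_second, seq_bits=32):
    """How long one key lasts at a given rate before the sequence number cycles."""
    return ((1 << seq_bits) - 1) / packets_per_second


def demo():
    tx = EspSender(spi=0x1000, seq=(1 << 32) - 3)      # constructed SA, parked near the end of the counter
    sent = [tx.next_seq(), tx.next_seq()]               # 2^32-2 and 2^32-1 go out
    try:
        tx.next_seq()                                   # the next one would wrap: refused
        forced = False
    except RekeyRequired:
        forced = True
        tx.rekey(0x1001)                                # what IKE would do for you; manual keying means an operator
    rx = EspReceiver()
    # in order, replay of 2, a gap, late 4 arrives, 4 replayed, a big jump, then 6 is outside the window
    results = [rx.check(s) for s in (1, 2, 3, 2, 5, 4, 4, 70, 6)]
    return sent, forced, tx.seq, results


if __name__ == "__main__":
    print(demo())
    print("one key at 1 Mpps lasts %.0f s" % seconds_until_rekey(1_000_000))
```

At one million packets per second a 32-bit counter lasts about 72 minutes, which is the practical content of the slide's "not scalable": without IKE, someone has to install a new key on both ends inside that window, every time.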
