Taiwan IPv6 Deployment and Development Program, mid-term results report, R&D sub-program
Subproject 2: 6TANET, Taiwan IPv6 Network Transition Environment Technology Research
Subproject lead: 趙涵捷, National Dong Hwa University

1. IPv6 layer-4-and-above protocol analysis: 陳懷恩, National Chiao Tung University
2. Gigabit Ethernet IPv6/IPv4 translator development: 郭斯彥 (National Taiwan University), 陳俊良 (National Dong Hwa University)
3. IPv6 tunnel that traverses NAT: 吳坤熹 (Quincy Wu), National Chiao Tung University
4. IPv6-based stealth network detection and management: 黃忠偉 (National Taiwan University of Science and Technology), 張瑞雄 (National Dong Hwa University)


IPv6 Layer-4-and-Above Protocol Analysis
陳懷恩, Research Assistant Professor, Department of CSIE, NCTU
Email: wechen@mail.nctu.edu.tw, Tel: +886-3-5731924

Objectives
- Analyze common protocols above layer 4 and the changes they need when moving from IPv4 to IPv6.
- Give vendors a reference for porting software to IPv6, to speed up domestic IPv6 hardware and software development, realize a domestic IPv6 Internet environment, and move Taiwan into the IPv6 era quickly.

Work items
- Study and analyze the relevant protocols: application protocols, routing protocols, network management protocols, and SIP-based VoIP protocols.
- Build a prototype IPv6 protocol analyzer: parse layer-2 and layer-3 packets (Ethernet, IPv4, IPv6) and SIP-based VoIP protocols (SIP, SDP, RTP, RTCP).
- Design a mechanism for vendors to upgrade IPv4 programs to IPv6: a method for modifying socket programs, and v4/v6 translation middleware.

Results
- A method for converting IPv4 programs to IPv6. Programs above layer 4 are mostly written against the socket API; this project shows how to modify existing IPv4 programs for IPv6.
- An IPv6 protocol analyzer, as an aid for development and training, with a dedicated SIP-based VoIP analyzer.
- Host-side translation middleware. Modifying existing programs costs time, manpower and money; the middleware lets vendors convert programs to IPv6 quickly without modifying them. It is based on BIA (Bump-in-the-API) with an application-level translation mechanism.

Converting IPv4 programs to IPv6
- Differences between IPv4 and IPv6
- Socket APIs that need no change
- Socket APIs that must change
- Data structures that must change

Address length differs: numerical addresses are 32 bits in IPv4 and 128 bits in IPv6.

Socket APIs that need no change (in call order)
- Server side: socket (open a socket), bind (bind the local address to the socket), listen (listen on a port), accept (wait for a connection), then read/write for TCP or recvfrom/sendto for UDP.
- Client side: socket (open a socket), connect (connect to a server), then read/write for TCP or recvfrom/sendto for UDP.

What must change
- Socket APIs and parameters that carry an IP address.
- Every place the program handles IP addresses: address conversion functions, address copy functions, address comparison functions, and address-related memory allocation and variable declarations.

API and data-structure conversion

Parameter names
    IPv4          IPv6
    AF_INET       AF_INET6
    PF_INET       PF_INET6
    INADDR_ANY    in6addr_any

Data structures
    IPv4          IPv6
    in_addr       in6_addr
    sockaddr      sockaddr_in6
    sockaddr_in   sockaddr_in6

Structure members
    IPv4          IPv6
    sin_len       sin6_len
    sin_family    sin6_family
    sin_port      sin6_port
    sin_addr      sin6_addr
    s_addr        s6_addr

Functions
    IPv4                                IPv6
    Address conversion functions:
    inet_aton(), inet_addr()            inet_pton()
    inet_ntoa()                         inet_ntop()
    Name-to-address functions:
    gethostbyname(), gethostbyaddr()    getipnodebyname(), getipnodebyaddr(), getnameinfo(), getaddrinfo()

Host-side translation middleware
- Upgrading an application to IPv6 means adopting new APIs and new data structures.
- Example, a SIP-based VoIP user agent: about 200 lines of socket API calls and data structures to convert, and about 600 lines of address-related functions, variables and memory allocation to modify.
- Upgrading a program to IPv6 in the short term is not easy: the functions and variables to change must be tracked and revised, and revised again with every new program version.
- We therefore propose v4/v6 translation middleware based on BIA with an application-level translation mechanism.
- Middleware architecture: the translation is designed per program as an ALG on top of the original BIA architecture.

IPv6 protocol analyzer
- Protocol analysis on Windows XP/2003.
- Protocols parsed: Ethernet, ARP, ICMP/ICMPv6, IPv4/IPv6, DNS, HTTP, FTP, SIP, SDP, RTP, RTCP.
- Supports development in this project, can later support vendors developing related applications, and can be used for education and training (e.g. the 通訊改進教育計畫).

Analyzer architecture and interfaces: physical NICs -> Windows NDIS -> WinPcap protocol driver (NPF) -> WinPcap packet.dll (via Device IO Control) -> WinPcap wpcap.dll -> Packet interface and libpcap interface -> packet analysis software.

Analyzer design: the Packet Module sends and receives packets; the Parsing Package parses layer-2 and layer-3 packets and feeds the IPv6 Module, the Transport Module, and the SIP, RTP and RTCP parsers. The prototype lets the user select an interface and analyze its packets.

Conclusions
- IPv6-capable socket programs already exist; vendors developing software are advised to write applications that support IPv4 and IPv6 side by side.
- The IPv6 protocol analyzer prototype is complete; interested vendors may contact this subproject or the R&D group.
- The application-level translation currently uses the ITRI SIP-based UA as the real v4/v6 translation example; further details are available from this subproject after the meeting.
- This subproject will continue v4/v6 translation research so that domestic vendors can become IPv6 ready quickly while saving manpower, time and money.
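The conversion tables above list which identifiers change; what they do not show is the idiom that makes a program family-agnostic, so that the next address family does not force a third rewrite. The following is an added example, not code from the subproject or from the ITRI user agent: the IPv4-only "before" (inet_addr() into a sockaddr_in) next to the "after" (getaddrinfo()/getnameinfo() into a sockaddr_storage). It assumes a POSIX system. The addresses 140.110.199.254 and 2001:288:3a1:210::2 are values from the tunnel configuration later on this page; port 5060 is a constructed sample.

```c
/* Added example, not the subproject's code: protocol-independent endpoint
 * handling that replaces the IPv4-only idiom in the conversion tables.
 * Assumes POSIX getaddrinfo()/getnameinfo(). Sample addresses come from this
 * page; port 5060 is a constructed sample value. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* "Before": the IPv4-only idiom that has to be rewritten. inet_addr() and
 * sockaddr_in hard-wire AF_INET and a 32-bit address, and inet_addr()
 * returns INADDR_NONE (0xFFFFFFFF) both on error and for 255.255.255.255. */
int legacy_ipv4_endpoint(const char *host, uint16_t port, struct sockaddr_in *sin)
{
    in_addr_t a = inet_addr(host);
    if (a == INADDR_NONE)
        return -1;
    memset(sin, 0, sizeof *sin);
    sin->sin_family = AF_INET;
    sin->sin_port = htons(port);
    sin->sin_addr.s_addr = a;
    return 0;
}

/* "After": family-agnostic parsing with getaddrinfo(). The result goes into
 * a sockaddr_storage, which is large enough for sockaddr_in6, so callers never
 * touch sin_addr/sin6_addr themselves. AI_NUMERICHOST|AI_NUMERICSERV keeps
 * this offline (no DNS). Returns the address family, or -1 on failure. */
int endpoint_parse(const char *host, const char *port,
                   struct sockaddr_storage *ss, socklen_t *sslen)
{
    struct addrinfo hints, *res;
    int family;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;              /* AF_INET or AF_INET6 */
    hints.ai_socktype = SOCK_DGRAM;
    hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;
    if (getaddrinfo(host, port, &hints, &res) != 0 || res == NULL)
        return -1;
    memcpy(ss, res->ai_addr, res->ai_addrlen);
    *sslen = res->ai_addrlen;
    family = res->ai_family;
    freeaddrinfo(res);
    return family;
}

/* Replacement for inet_ntoa(): getnameinfo() with numeric flags formats
 * either family. Returns 0 on success, -1 on failure. */
int endpoint_format(const struct sockaddr_storage *ss, socklen_t sslen,
                    char *host, size_t hostlen, char *serv, size_t servlen)
{
    int rc = getnameinfo((const struct sockaddr *)ss, sslen, host, hostlen,
                         serv, servlen, NI_NUMERICHOST | NI_NUMERICSERV);
    return rc == 0 ? 0 : -1;
}

/* Scalar helpers so the conversion can be checked without handling structs. */
int endpoint_family(const char *host)
{
    struct sockaddr_storage ss; socklen_t len;
    return endpoint_parse(host, "0", &ss, &len);
}

int endpoint_port(const char *host, const char *port)
{
    struct sockaddr_storage ss; socklen_t len;
    int fam = endpoint_parse(host, port, &ss, &len);
    if (fam == AF_INET)  return ntohs(((struct sockaddr_in *)&ss)->sin_port);
    if (fam == AF_INET6) return ntohs(((struct sockaddr_in6 *)&ss)->sin6_port);
    return -1;
}

/* Parse, then format back; returns 1 if the text survives the round trip. */
int endpoint_roundtrip(const char *host, const char *port)
{
    struct sockaddr_storage ss; socklen_t len;
    char h[128], s[16];
    if (endpoint_parse(host, port, &ss, &len) < 0) return 0;
    if (endpoint_format(&ss, len, h, sizeof h, s, sizeof s) < 0) return 0;
    return strcmp(h, host) == 0 && strcmp(s, port) == 0;
}

/* The "before" idiom accepts the IPv4 router address and rejects the IPv6
 * one, which is exactly why every such call site has to be rewritten. */
int legacy_demo(void)
{
    struct sockaddr_in sin;
    if (legacy_ipv4_endpoint("140.110.199.254", 5060, &sin) != 0) return 0;
    if (sin.sin_family != AF_INET || ntohs(sin.sin_port) != 5060) return 0;
    return legacy_ipv4_endpoint("2001:288:3a1:210::2", 5060, &sin) == -1;
}

int main(void)
{
    const char *hosts[] = { "140.110.199.254", "2001:288:3a1:210::2" };
    int i;
    for (i = 0; i < 2; i++) {
        struct sockaddr_storage ss; socklen_t len;
        char h[128], s[16];
        int fam = endpoint_parse(hosts[i], "5060", &ss, &len);
        if (fam < 0 || endpoint_format(&ss, len, h, sizeof h, s, sizeof s) < 0)
            continue;
        printf("%s -> %s [%s]:%s\n", hosts[i],
               fam == AF_INET6 ? "AF_INET6" : "AF_INET", h, s);
    }
    return 0;
}
```

The point of the "after" functions is that none of the application code names AF_INET6, sockaddr_in6 or in6_addr: the family is decided by the data, which is what lets one binary serve IPv4 and IPv6 side by side as the conclusions recommend.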
Teredo: Tunneling IPv6 through NATs
Date: 2003-7-24. Speaker: Quincy Wu, National Chiao Tung University.

IPv4-to-IPv6 transition strategy (RFC 2893)
- Dual stack: reduce the cost invested in transition by running both IPv4 and IPv6 on the same machine.
- Tunneling: reduce the cost of wiring by reusing the current IPv4 routing infrastructure as a virtual link.
- Translation: allow the IPv6 realm to access the rich content already developed on IPv4 applications.

Tunnels of IPv6 over IPv4
- The IPv6 packet is encapsulated in an IPv4 packet.
- Tunneling can be used by routers and by hosts.
- Figure: IPv6 host -- dual-stack router -- (IPv4 network, tunnel: IPv6 in IPv4 packet) -- dual-stack router -- IPv6 host. On the IPv6 networks the packet is IPv6 header | transport header | data; inside the tunnel it is IPv4 header | IPv6 header | transport header | data.

Manually configured tunnel
- Dual-stack router: IPv4 140.110.199.254, IPv6 2001:288:03a1:210::3/127.
- Dual-stack host: IPv4 61.218.105.10, IPv6 2001:288:03a1:210::2/127.
- On the host, FreeBSD 4.7:

    # gifconfig gif0 61.218.105.10 140.110.199.254
    # ifconfig gif0 inet6 2001:288:03a1:210::2 2001:288:3a1:210::3 prefixlen 128

- Linux tunnel, /etc/sysconfig/network-scripts/ifcfg-sit1:

    DEVICE=sit1
    BOOTPROTO=none
    ONBOOT=yes
    IPV6INIT=yes
    # Remote end: ISP IPv4 address
    IPV6TUNNELIPV4=140.110.199.250
    # Yourself: IPv6 tunnel address from the ISP
    IPV6ADDR=2001:288:3A1:210::2/127

  then bring it up with: ifup sit1

6to4 tunnel (RFC 3056)
- Figure: IPv6 network -- 6to4 Router1 (E0, IPv4 131.243.129.44, network prefix 2002:83F3:812C::/48) -- IPv4 -- 6to4 Router2 (E0, IPv4 140.110.199.250, network prefix 2002:8C6E:C7FA::/48) -- IPv6 network. Each /48 is 2002: followed by the site's IPv4 address written in hex.
- Router2 configuration:

    interface Ethernet0
     ip address 140.110.199.250 255.255.255.0
     ipv6 address 2002:8C6E:C7FA:1::/64 eui-64
    interface Tunnel0
     no ip address
     ipv6 unnumbered Ethernet0
     tunnel source Ethernet0
     tunnel mode ipv6ip 6to4
    ipv6 route 2002::/16 Tunnel0

- 6to4 is an automatic tunnel method: it gives a prefix to the attached IPv6 network, 2002::/16 is assigned to 6to4, and it requires one global IPv4 address on each site.
- Packet flow: host 2002:83F3:812C:1::3 sends to host 2002:8C6E:C7FA:2::5. On both IPv6 networks the packet carries IPv6 SRC 2002:83F3:812C:1::3, IPv6 DEST 2002:8C6E:C7FA:2::5, data. Across the IPv4 network Router1 wraps it in IPv4 SRC 131.243.129.44, IPv4 DEST 140.110.199.250, and Router2 unwraps it.

IPv6 tunneling problem: it does not work when the IPv4 address is not globally routable.
- Figure: A (IPv6 host) -- B (6to4 router) -- NAT -- C (IPv4 router) -- D (6to4 relay router) -- E (IPv6 host).

    A v6 IP: 2002:a02:3fe::2/48 (A6)
    B v6 IP: 2002:a02:3fe::1/48 (B6); B v4 IP: 10.2.3.254 (B4)
    NAT address: 1.2.5.6 (N4)
    D v6 IP: 2001:238:f88:4::1/64 (D6); D v4 IP: 140.114.1.254 (D4)
    E v6 IP: 2001:238:f88:4::2/64 (E6)

- A to B: IPv6 (Src A6, Dest E6, data). B to C: IPv4 encapsulating IPv6 (Src B4, Dest D4); the NAT rewrites the source to N4. C to D: IPv4 encapsulating IPv6 (Src N4, Dest D4). D to E: IPv6.
- Address translation breaks the return path: B4 is a private address. The reply E6 -> A6 is encapsulated by D as D4 -> B4, which is not routable on the Internet, because the 6to4 prefix 2002:a02:3fe::/48 itself encodes the private address 10.2.3.254.

Teredo service
- Allow hosts behind a NAT to access IPv6 without modifying the NAT.
- Teredo is not a long-term solution: once the NAT also supports IPv6 routing, the NAT traversal problem disappears.

Teredo definitions
- Teredo client: a node that wants to gain access to the IPv6 Internet.
- Teredo server: a helper that provides IPv6 connectivity to Teredo clients.
- Teredo relay: an IPv6 router that can receive traffic destined to Teredo clients and forward it to the Teredo client.
- Teredo bubble: a minimal IPv6 packet made of an IPv6 header and a null payload (Next Header = no next header).
- Teredo service: the transmission of IPv6 packets over UDP.

Operation model
- A client has a pre-configured server location and gets its IPv6 prefix from the Teredo server ("Teredo IPv6 prefix?" / "Teredo IPv6 prefix, your mapped address").
- The Teredo server is stateless.
- Traffic goes directly between the relay router and the client.
- The Teredo relay announces reachability of the Teredo prefix in the IPv6 realm.
- Relay and client maintain a peer list to avoid sending Teredo messages too often.

Teredo address encoding
    bits   0..31    Prefix: the 32-bit Teredo service prefix, 3FFE:831F::/32
    bits  32..63    Server IPv4: the IPv4 address of a Teredo server
    bits  64..79    Flags: 16 bits that document the type of address and NAT
    bits  80..95    Port: the obfuscated mapped UDP port of the client
    bits  96..127   Client IPv4: the obfuscated mapped IPv4 address of the client
- Flags: "C00000UG00000000"; C = 1 if the NAT is a cone NAT; U and G should be set to 00.
- Obfuscated: XOR every bit in the field with 1, to prevent over-clever NATs from translating the embedded address and port.

Obtaining an address (1/2)
- The Teredo client sends a UDPv4-tunneled IPv6 Router Solicitation to the Teredo server.
- The Teredo server replies with a UDPv4-tunneled IPv6 Router Advertisement carrying an origin indication.
- Figure: Teredo client 10.0.0.2:1234 -- NAT (inside 10.0.0.1, outside 9.0.0.1:4096) -- IPv4 -- Teredo server 1.2.3.4, with the Teredo relay on the IPv6 side. Request: IPv4 | UDP | IPv6 RS. Reply: IPv4 | UDP | origin indication | IPv6 RA.
- Origin indication format: 0x00 0x00, mapped port number, mapped IPv4 address.

Obtaining an address (2/2)
- The client gets the Teredo service prefix 3FFE:831F::/32 (PREF = 3FFE:831F).
- The client gets its mapped address and port from the origin indication: 9.0.0.1:4096.
- Generated Teredo IPv6 address: 3FFE:831F:102:304::EFFF:F6FF:FFFE. The server IP 1.2.3.4 is already known; the address and port are obfuscated (port 4096 = 0x1000 becomes EFFF, 9.0.0.1 = 0x09000001 becomes F6FF:FFFE).
- The client must keep the address mapping on the NAT alive; default refresh interval 30 seconds.

Packet from Teredo node to IPv6 node (1/3)
- Parties: Teredo client A (10.0.0.2:1234, behind NAT 10.0.0.1 / 9.0.0.1:4096, Teredo address PREF:102:304::EFFF:F6FF:FFFE), Teredo server S (1.2.3.4:3544), Teredo relay R (5.6.7.8:3544), IPv6 node B (2000::B).
- A does not know which relay will be chosen by B.
- A sends an ICMPv6 echo request toward B: IPv4/UDP src 10.0.0.2:1234, dest 1.2.3.4:3544; IPv6 src PREF:102:304::EFFF:F6FF:FFFE, IPv6 dest 2000::B.
- S forwards the echo request to the IPv6 realm.

Packet from Teredo node to IPv6 node (2/3)
- B sends the echo reply back to the Teredo client: IPv6 src 2000::B, IPv6 dest PREF:102:304::EFFF:F6FF:FFFE.
- The IPv6 packet is queued by the Teredo relay R.
- If the Teredo client is behind a restricted NAT, a bubble must be sent to the Teredo server.

Packet from Teredo node to IPv6 node (3/3)
- R sends the queued echo reply to A.
- A now knows that B can be reached through 5.6.7.8:3544.
- A sends all further packets directly through R.

Conclusion
- Many users get a private IPv4 address from their service providers, for example on WLAN and GPRS. These users are unable to create IPv6 tunnels.
- Before all NAT devices can be upgraded to support IPv6, the Teredo service is useful for users behind NAT to obtain IPv6 access.
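To make the address layout concrete, here is an added example, not code from the talk, that encodes and decodes a Teredo address with the talk's own values: prefix 3FFE:831F::/32, server 1.2.3.4, flags 0, mapped endpoint 9.0.0.1:4096. It assumes the draft-era prefix used in the talk rather than the 2001::/32 prefix of the later RFC, and it reads the cone-NAT bit as the leading "C" of the "C00000UG00000000" flag layout above.

```c
/* Added example, not from the talk: Teredo address encode/decode with the
 * field layout prefix | server IPv4 | flags | ~port | ~client IPv4.
 * Assumes the 3FFE:831F::/32 prefix used in the talk. Sample values are the
 * talk's worked example (server 1.2.3.4, mapped 9.0.0.1:4096). */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

#define TEREDO_FLAG_CONE 0x8000u   /* bit C of "C00000UG00000000" */

struct teredo_fields {
    uint32_t server_ipv4;   /* host byte order, e.g. 0x01020304 = 1.2.3.4 */
    uint16_t flags;
    uint16_t mapped_port;   /* NAT-mapped UDP port, host byte order */
    uint32_t mapped_ipv4;   /* NAT-mapped IPv4 address, host byte order */
};

static const uint8_t teredo_prefix[4] = { 0x3f, 0xfe, 0x83, 0x1f };

static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v >> 16); put16(p + 2, v & 0xffff); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t get32(const uint8_t *p) { return (uint32_t)get16(p) << 16 | get16(p + 2); }

/* Obfuscation: every bit of the port and client-address fields is XORed with 1,
 * so a NAT that rewrites its own address wherever it sees it in a payload does
 * not find it. XOR twice restores the value, so one function serves both ways. */
uint16_t teredo_obfuscate16(uint16_t v) { return v ^ 0xffffu; }
uint32_t teredo_obfuscate32(uint32_t v) { return v ^ 0xffffffffu; }

void teredo_encode(const struct teredo_fields *f, uint8_t out[16])
{
    memcpy(out, teredo_prefix, 4);                        /* bits 0..31   */
    put32(out + 4, f->server_ipv4);                       /* bits 32..63  */
    put16(out + 8, f->flags);                             /* bits 64..79  */
    put16(out + 10, teredo_obfuscate16(f->mapped_port));  /* bits 80..95  */
    put32(out + 12, teredo_obfuscate32(f->mapped_ipv4)); /* bits 96..127 */
}

/* Returns 1 and fills f if in[] carries the Teredo prefix, else 0. */
int teredo_decode(const uint8_t in[16], struct teredo_fields *f)
{
    if (memcmp(in, teredo_prefix, 4) != 0)
        return 0;
    f->server_ipv4 = get32(in + 4);
    f->flags = get16(in + 8);
    f->mapped_port = teredo_obfuscate16(get16(in + 10));
    f->mapped_ipv4 = teredo_obfuscate32(get32(in + 12));
    return 1;
}

int teredo_is_cone(uint16_t flags) { return (flags & TEREDO_FLAG_CONE) != 0; }

/* The talk's example: 1.2.3.4, flags 0, 9.0.0.1:4096 must encode to
 * 3FFE:831F:0102:0304:0000:EFFF:F6FF:FFFE and decode back. Returns 1 on success. */
int teredo_demo(void)
{
    static const uint8_t expected[16] = {
        0x3f, 0xfe, 0x83, 0x1f, 0x01, 0x02, 0x03, 0x04,
        0x00, 0x00, 0xef, 0xff, 0xf6, 0xff, 0xff, 0xfe };
    struct teredo_fields in = { 0x01020304u, 0, 4096, 0x09000001u }, out;
    uint8_t addr[16];
    teredo_encode(&in, addr);
    if (memcmp(addr, expected, 16) != 0) return 0;
    if (!teredo_decode(addr, &out)) return 0;
    return out.server_ipv4 == 0x01020304u && out.flags == 0 &&
           out.mapped_port == 4096 && out.mapped_ipv4 == 0x09000001u;
}

int main(void)
{
    struct teredo_fields f = { 0x01020304u, 0, 4096, 0x09000001u };
    uint8_t addr[16];
    char text[INET6_ADDRSTRLEN];
    teredo_encode(&f, addr);
    if (inet_ntop(AF_INET6, addr, text, sizeof text))
        printf("Teredo address: %s (cone NAT: %d)\n", text, teredo_is_cone(f.flags));
    return 0;
}
```

Decoding is what a relay or a firewall does to learn where a Teredo peer really is: the server address, the NAT's public address and the mapped port are all recoverable from the IPv6 destination alone, which is why the two obfuscated fields exist.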
6TANET: IPv6 TrAnsition NETwork Environment of Taiwan
Introduction to the IPv6/IPv4 translator
張耀中, Department of Computer Science and Information Engineering, National Dong Hwa University

Outline: IPv6 current state, introduction, objective, schedule, conclusion.

Checksum handling
- The Internet checksum uses a 16-bit one's complement sum.
- We adopt a 32-bit one's complement checksum algorithm that takes advantage of the 32-bit registers in the IXDP1200; it is much faster and more efficient.
- Two policies are applied, depending on what the translation changes:

    Case                              Policy
    ARP <-> ND (ICMP checksum)        re-compute algorithm
    IPv6 header <-> IPv4 header       re-compute algorithm
    ICMPv4 <-> ICMPv6                 adjustment algorithm
    TCP                               adjustment algorithm
    UDP                               adjustment algorithm

Research topics
- Technology and applications of IPv4/IPv6 protocol translation mechanisms: operating principles; current applications; a translation mechanism suited to Taiwan's Gigabit Ethernet (GbE) network environment.
- Prototype Gigabit Ethernet IPv6/IPv4 translator system: requirements specification and function definition; design and implementation; testing.

Schedule
- Study of IPv4/IPv6 translation mechanism operating principles
- Study of IPv4/IPv6 translation mechanism applications
- Evaluation and design of a transition mechanism for the GbE network environment
- Specification and function definition of the NP-based GbE IPv6/v4 translator prototype
- Prototype software design
- Prototype implementation and testing
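The adjustment policy in the table above updates an existing transport checksum instead of recomputing it over the whole segment: only the bytes that the translation changes (the pseudo-header) are subtracted and re-added. The following is an added example, not the translator's code, which runs on the IXDP1200 network processor: a one's complement checksum with a 32-bit accumulator, plus the incremental adjustment in the form of RFC 1624 applied to a UDP datagram whose IPv4 pseudo-header is swapped for an IPv6 one. The datagram, the IPv4 endpoints and the IPv6 endpoints are constructed sample data; the RFC 1071 sample is a published test vector.

```c
/* Added example, not the translator's code: 32-bit-accumulator one's
 * complement checksum and the "adjustment" policy for TCP/UDP when the
 * pseudo-header changes from IPv4 to IPv6. Packet bytes below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Add 16-bit big-endian words into a 32-bit accumulator; carries fold later. */
static uint32_t sum_words(const uint8_t *p, size_t len, uint32_t acc)
{
    while (len > 1) { acc += (uint32_t)p[0] << 8 | p[1]; p += 2; len -= 2; }
    if (len) acc += (uint32_t)p[0] << 8;   /* odd trailing byte, zero padded */
    return acc;
}

/* Fold the 32-bit accumulator into a 16-bit one's complement sum. */
static uint16_t fold(uint32_t acc)
{
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)acc;
}

/* Re-compute policy: checksum = ~(one's complement sum of all words). */
uint16_t cksum16(const uint8_t *p, size_t len)
{
    return (uint16_t)~fold(sum_words(p, len, 0));
}

/* Adjustment policy (RFC 1624): HC' = ~(~HC + ~m + m'), where m is the byte
 * span removed (old pseudo-header) and m' the span inserted (new one). Both
 * spans must start at an even offset and have even length, as pseudo-headers do. */
uint16_t cksum_adjust(uint16_t hc, const uint8_t *oldspan, size_t oldlen,
                      const uint8_t *newspan, size_t newlen)
{
    uint32_t acc = (uint16_t)~hc;                           /* ~HC */
    acc += (uint16_t)~fold(sum_words(oldspan, oldlen, 0));  /* + ~m */
    acc = sum_words(newspan, newlen, acc);                  /* + m' */
    return (uint16_t)~fold(acc);
}

/* Receiver check: summing the data including its checksum field gives 0xFFFF. */
int cksum_verify(const uint8_t *p, size_t len)
{
    return fold(sum_words(p, len, 0)) == 0xffff;
}

/* RFC 1071 test vector: words 0001 f203 f4f5 f6f7 -> checksum 0x220d. */
uint16_t rfc1071_sample_checksum(void)
{
    static const uint8_t d[] = { 0x00, 0x01, 0xf2, 0x03, 0xf4, 0xf5, 0xf6, 0xf7 };
    return cksum16(d, sizeof d);
}

/* A UDP datagram translated IPv4 -> IPv6: compute the IPv4 checksum, adjust it
 * for the new pseudo-header, and compare with a full re-compute.
 * Returns 1 when adjusted == recomputed and the result verifies. */
int udp_translation_demo(void)
{
    /* constructed UDP datagram: header (ports 5060/5060, length 13, checksum 0) + "hello" */
    uint8_t udp[13] = { 0x13, 0xc4, 0x13, 0xc4, 0x00, 0x0d, 0x00, 0x00,
                        'h', 'e', 'l', 'l', 'o' };
    /* IPv4 pseudo-header: src 140.110.199.254, dst 61.218.105.10, zero, proto 17, len 13 */
    uint8_t ph4[12] = { 140, 110, 199, 254, 61, 218, 105, 10, 0, 17, 0x00, 0x0d };
    /* IPv6 pseudo-header: src 2002:8c6e:c7fa::1, dst 2001:288:3a1:210::2,
     * upper-layer length 13, three zero bytes, next header 17 */
    uint8_t ph6[40] = {
        0x20, 0x02, 0x8c, 0x6e, 0xc7, 0xfa, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,
        0x20, 0x01, 0x02, 0x88, 0x03, 0xa1, 0x02, 0x10, 0, 0, 0, 0, 0, 0, 0, 2,
        0, 0, 0, 0x0d, 0, 0, 0, 17 };
    uint8_t buf4[12 + 13], buf6[40 + 13];
    uint16_t hc4, hc6_adj, hc6_full;

    memcpy(buf4, ph4, 12); memcpy(buf4 + 12, udp, 13);
    hc4 = cksum16(buf4, sizeof buf4);                     /* checksum on the IPv4 side */
    hc6_adj = cksum_adjust(hc4, ph4, 12, ph6, 40);        /* what the translator emits */

    memcpy(buf6, ph6, 40); memcpy(buf6 + 40, udp, 13);
    hc6_full = cksum16(buf6, sizeof buf6);                /* reference re-compute */

    buf6[40 + 6] = hc6_adj >> 8; buf6[40 + 7] = hc6_adj & 0xff;   /* fill the UDP field */
    return hc6_adj == hc6_full && cksum_verify(buf6, sizeof buf6);
}

int main(void)
{
    printf("RFC 1071 sample: 0x%04x\n", rfc1071_sample_checksum());
    printf("UDP IPv4->IPv6 adjustment matches recompute: %d\n", udp_translation_demo());
    return 0;
}
```

The adjustment never reads the payload, which is what makes it cheap on a network processor; the price is that a corrupted payload arriving with a matching IPv4 checksum leaves with a matching IPv6 checksum, so the translator forwards exactly what it received and cannot mask or introduce errors.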
[Slides reproduced from Latif Ladid, "IPv6 State of the World", Global Summit IPv6 North America: "IPv6 is a young lady?" (IPv6 / NAT / IPv4), and the IPv6 feature list: reliability, simplicity, flexible renumbering, transition tool box, QoS, flow bits?, Mobile IPv6, end-to-end transparency, dynamic routing, multicast v6, e2e security, autoconfiguration, plug & ping.]


IPv6-Based Stealth Network Detection and Management

Problems of detection and management in an IPv6 environment
- The IPv6 address range inside a segment is huge; scanning addresses one by one to detect the computers and devices on the network takes so much time that it is infeasible.
- IPv6 address configuration is more complex; unlike IPv4, the relevant information cannot be known in advance.
- Switches are used everywhere, so broadcast messages are hard to obtain, which makes detection harder.

IPv4 and IPv6 headers
- IPv4 (20 bytes): Vers=4, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, TTL, Protocol, Header Checksum, Source Address, Destination Address, Options.
- IPv6 (40 bytes): Vers=6, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address.

IPv6 addresses
- Address types: unicast (one-to-one: global, site-local, link-local), multicast, anycast.
- A single interface can be configured with several IPv6 addresses.
- Multicast replaces broadcast.
- Address resolution: host IP1/MAC1 sends a Neighbor Solicitation "IP2?"; host IP2/MAC2 answers with a Neighbor Advertisement "IP2 MAC2".
- Host address configuration: the IPv6 router (prefix pf1::/64, addresses pf1::X and fe80::X) answers a Router Solicitation with a Router Advertisement carrying fe80::X and prefix pf1; IPv6 host A configures pf1::Y and fe80::Y; IPv6 host B has fe80::Z.

Purpose of this subproject
- Load a stealth detection point without an IP address into each IPv6 network segment.
- The detection point probes its segment and builds the list of computers present in the segment.
- A master station collects the results from the detection points of every segment and produces an overall network topology map, so administrators can plan and evaluate the whole network.

Software design and development
- Currently only ActiveX can exist as a network object with packet capture and transmission capability.
- Develop an ActiveX stealth detection point object, downloaded via a Web interface to the detection point of each segment; it starts probing and builds the list of computers on that segment.
- Develop a client/server master management program that collects the segment data dynamically in real time, consolidates it, and builds the network topology map.
- Network object program example (slide).

Detection point object flow
    Start
    -> send a Router Solicitation and obtain the prefix of the global address
    -> ping the multicast IP
    -> any acknowledge packets returned?
         Y: from each computer's acknowledge packet, construct that computer's IPv6 address and add it to the list of computers present in the segment
         N: end

Ping multicast IP
- According to RFC 2461 and RFC 2463, ff02::1 (the link-local scope all-nodes multicast address) makes the computers on the network respond with their link-local IPv6 addresses.
- Using the ping6 command with ff02::1 yields the list of link-local addresses.
- This project implements the mechanisms of RFC 2461 and RFC 2463 to discover the computers and devices on the local network.

Obtaining the link-local address list with ping6, partial experimental result:

    root# ping6 -I eth0 ff02::1
    PING ff02::1(ff02::1) from fe80::280:c8ff:fe6f:abeb eth0: 56 data bytes
    64 bytes from ::1: icmp_seq=1 ttl=64 time=0.108 ms
    64 bytes from fe80::202:b3ff:fe8e:6af7: icmp_seq=1 ttl=64 time=0.265 ms (DUP!)
    64 bytes from fe80::2d0:b7ff:fe2d:ead5: icmp_seq=1 ttl=64 time=0.304 ms (DUP!)
    64 bytes from fe80::2c0:4fff:fe15:4c4a: icmp_seq=1 ttl=64 time=0.308 ms (DUP!)
    64 bytes from fe80::280:c8ff:fe58:4038: icmp_seq=1 ttl=64 time=0.347 ms (DUP!)
    64 bytes from fe80::200:e8ff:fe63:aa7d: icmp_seq=1 ttl=64 time=0.350 ms (DUP!)
    64 bytes from fe80::2e0:29ff:fe34:be97: icmp_seq=1 ttl=64 time=0.447 ms (DUP!)
    64 bytes from fe80::a00:20ff:fe93:22ca: icmp_seq=1 ttl=255 time=0.326 ms (DUP!)
    64 bytes from fe80::206:29ff:fe13:3de4: icmp_seq=1 ttl=64 time=0.374 ms (DUP!)
    64 bytes from fe80::202:b3ff:fe16:5c44: icmp_seq=1 ttl=64 time=0.514 ms (DUP!)
    ...

Master program flow
    Start
    -> send a data collection request to each stealth detection point
    -> each detection point returns the computer list of its segment
    -> build the global computer network structure from the segment data
    -> draw the network topology graphical interface
    -> End

Applications of this project in industry: network management systems, network security.
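The step "construct the computer's IPv6 address from the acknowledge packet and add it to the list" is, for the ping6 experiment above, a matter of parsing the reply lines, validating the address, and de-duplicating, since every responder after the first is reported as a DUP and a host may answer several sequence numbers. The following is an added example, not the subproject's ActiveX object: it implements that step over the text ping6 prints. The sample lines are transcribed from the output above, plus one constructed repeat of an earlier responder to exercise de-duplication; the ::1 reply is the probing host answering its own multicast echo and is excluded from the inventory.

```c
/* Added example, not the subproject's code: build a segment host inventory
 * from ping6 ff02::1 reply lines. Sample lines below are transcribed from the
 * page's output; the last one is a constructed duplicate. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <arpa/inet.h>

#define ADDR_LEN 64
#define MAX_HOSTS 64

/* Parse one "64 bytes from <addr>: icmp_seq=N ttl=T time=..." line.
 * Returns 1 and fills addr/ttl on success, 0 for any other line or an
 * address that inet_pton() rejects. */
int parse_ping6_reply(const char *line, char *addr, size_t addrlen, int *ttl)
{
    const char *from = strstr(line, " from ");
    const char *end, *t;
    unsigned char raw[16];
    size_t n;
    if (!from) return 0;
    from += 6;                                   /* skip " from " */
    end = strstr(from, ": icmp_seq=");
    if (!end) return 0;
    n = (size_t)(end - from);
    if (n == 0 || n >= addrlen) return 0;
    memcpy(addr, from, n);
    addr[n] = '\0';
    if (inet_pton(AF_INET6, addr, raw) != 1) return 0;   /* only real IPv6 text */
    t = strstr(end, " ttl=");
    if (!t) return 0;
    *ttl = atoi(t + 5);
    return 1;
}

/* Collect unique responder addresses into out[], skipping ::1 (the prober's
 * own reply). Returns the number of hosts stored. */
int build_host_list(const char *const *lines, int nlines, char out[][ADDR_LEN], int max)
{
    int count = 0, i, j;
    for (i = 0; i < nlines; i++) {
        char addr[ADDR_LEN];
        int ttl, dup = 0;
        if (!parse_ping6_reply(lines[i], addr, sizeof addr, &ttl)) continue;
        if (strcmp(addr, "::1") == 0) continue;
        for (j = 0; j < count; j++)
            if (strcmp(out[j], addr) == 0) { dup = 1; break; }
        if (dup || count >= max) continue;
        strcpy(out[count++], addr);
    }
    return count;
}

static const char *const sample[] = {
    "PING ff02::1(ff02::1) from fe80::280:c8ff:fe6f:abeb eth0: 56 data bytes",
    "64 bytes from ::1: icmp_seq=1 ttl=64 time=0.108 ms",
    "64 bytes from fe80::202:b3ff:fe8e:6af7: icmp_seq=1 ttl=64 time=0.265 ms (DUP!)",
    "64 bytes from fe80::2d0:b7ff:fe2d:ead5: icmp_seq=1 ttl=64 time=0.304 ms (DUP!)",
    "64 bytes from fe80::2c0:4fff:fe15:4c4a: icmp_seq=1 ttl=64 time=0.308 ms (DUP!)",
    "64 bytes from fe80::280:c8ff:fe58:4038: icmp_seq=1 ttl=64 time=0.347 ms (DUP!)",
    "64 bytes from fe80::200:e8ff:fe63:aa7d: icmp_seq=1 ttl=64 time=0.350 ms (DUP!)",
    "64 bytes from fe80::2e0:29ff:fe34:be97: icmp_seq=1 ttl=64 time=0.447 ms (DUP!)",
    "64 bytes from fe80::a00:20ff:fe93:22ca: icmp_seq=1 ttl=255 time=0.326 ms (DUP!)",
    "64 bytes from fe80::206:29ff:fe13:3de4: icmp_seq=1 ttl=64 time=0.374 ms (DUP!)",
    "64 bytes from fe80::202:b3ff:fe16:5c44: icmp_seq=1 ttl=64 time=0.514 ms (DUP!)",
    /* constructed: the same host answering the second probe */
    "64 bytes from fe80::202:b3ff:fe8e:6af7: icmp_seq=2 ttl=64 time=0.261 ms (DUP!)",
};
#define SAMPLE_LINES ((int)(sizeof sample / sizeof sample[0]))

/* TTL of sample line i, or -1 if that line is not a reply. */
int sample_ttl(int i)
{
    char addr[ADDR_LEN]; int ttl;
    if (i < 0 || i >= SAMPLE_LINES) return -1;
    return parse_ping6_reply(sample[i], addr, sizeof addr, &ttl) ? ttl : -1;
}

/* Unique non-loopback responders in the sample. */
int sample_host_count(void)
{
    char hosts[MAX_HOSTS][ADDR_LEN];
    return build_host_list(sample, SAMPLE_LINES, hosts, MAX_HOSTS);
}

int main(void)
{
    char hosts[MAX_HOSTS][ADDR_LEN];
    int n = build_host_list(sample, SAMPLE_LINES, hosts, MAX_HOSTS), i;
    for (i = 0; i < n; i++) printf("%s\n", hosts[i]);
    printf("%d hosts\n", n);
    return 0;
}
```

The inventory this produces is exactly what the master program consolidates across segments; the parse step also records the ttl, which the operator can keep alongside the address, since the reply with ttl=255 in the page's own output comes from a different stack than the rest.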