C++ Internet Protocol and Socket Address Classes
Document Number: TBD
Date: TBD
Author: Aleksandar Fabijanic <alex AT pocoproject.org>
Günter Obiltschnig <guenter.obiltschnig AT appinf.com>
Content
1. Revision History
2. Motivation and Scope
3. IP Address
3.1. Usage Examples
3.1.1. IPv4
3.1.2. IPv6
3.2. Header <ip_address> synopsis
5. Socket Address
5.1. Usage Examples
5.2. Header <socket_address> synopsis
6. Conclusion
7. Acknowledgments
1. Revision History
- Oct 10 2012: created
2. Motivation and Scope
Given the pervasiveness of networking and Internet, there is a
pressing need for standard networking support in C++ language.
This proposal addresses the concerns of IP and socket addresses;
it is aimed to be one of the fundamental building blocks and
steps toward the Standard C++ Network Library goal.
This proposal is based on IP and socket address implementations
in the Net library in C++ Portable Components (POCO) [6] framework.
POCO framework has been open sourced in 2005 by its principal
sponsor (Applied Informatics Software Engineering GmbH) and is
currently licensed under Boost Software License and used in
production by numerous commercial entities as well as other
open source projects [7].
The scope of the proposal is description of functionality,
interfaces and usage examples for a set of classes providing
functionality to store and manipulate Internet Protocol
(IPv4 and v6) as well as socket (IP address + port) addresses.
3. IP Address
The ip_address class represents an Internet Protocol host
address. The address can belong to either IPv4 or IPv6
(if the target platform supports it) address family.
Relational operators (==, !=, <, <=, >, >=) are supported.
Notably, an IPv4 address is never equal to an IPv6
address, even if the IPv6 address is IPv4 compatible and
the addresses are logically the same.
For underlying IP address bit manipulation, bitwise operators
(&, |, ^, ~) are supported.
3.1 Usage Examples
3.1.1. IPv4:
ip_address ia("127.0.0.1");
assert (ia.family() == ip_address::ipv4);
assert (ia.to_string() == "127.0.0.1");
assert (ip.is_loopback());
ip_address addr("10.0.0.51");
ip_address mask(24, ip_address::ipv4);
assert(mask.prefix_len() == 24);
ip_address net = addr & mask;
assert(net.to_string() == "10.0.0.0");
ip_address host("0.0.0.51");
assert((net | host) == addr);
assert((~mask).to_string() == "0.0.0.255");
3.1.2. IPv6
ip_address ia("1080:0:0:0:8:600:200a:425c");
assert (ia.family() == ip_address::ipv6);
assert (ia.to_string() == "1080::8:600:200a:425c");
ip_address ia(62, ip_address::ipv6);
assert(ia.to_string() == "ffff:ffff:ffff:fffc::");
3.2. Header <ip_address> synopsis
namespace std {
namespace net {
typedef int socklen_t;
class ip_address {
public:
typedef std::vector<IPAddress> list;
enum family
/// Possible address families for IP addresses.
{
ipv4
#ifdef _STD_HAVE_IPv6
,ipv6
#endif
};
ip_address();
/// Creates a wildcard (zero) IPv4 ip_address.
ip_address(const ip_address& addr);
/// Creates an ip_address by copying another one.
explicit IPAddress(family family);
/// Creates a wildcard (zero) ip_address for the given address family.
explicit ip_address(const std::string& addr);
/// Creates an IPAddress from the string containing
/// an IP address in presentation format (dotted decimal
/// for IPv4, hex string for IPv6).
/// Depending on the format of addr, IPv4 or an IPv6 address is
/// created. See to_string() for details on the supported formats.
/// Throws std::runtime_exception if the address cannot be parsed.
ip_address(const std::string& addr, Family family);
/// Creates an ip_address from the string containing
/// an IP address in presentation format (dotted decimal
/// for IPv4, hex string for IPv6).
ip_address(const void* addr, socklen_t length);
/// Creates an IPAddress from a native internet address.
/// A pointer to an in_addr or an in6_addr structure may be passed.
ip_address(const void* addr, socklen_t length, uint32_t scope);
/// Creates an IPAddress from a native internet address.
/// A pointer to a in_addr or a in6_addr structure may be
/// passed. Additionally, for an IPv6 address, a scope ID
/// may be specified. The scope ID will be ignored if an IPv4
/// address is specified.
ip_address(uint32_t prefix, family family);
/// Creates an ip_address mask with the given length of prefix.
ip_address(const struct sockaddr& sockaddr);
/// Creates an ip_address from sockaddr structure.
~ip_address();
/// Destroys the IPAddress.
ip_address& operator = (const ip_address& addr);
/// Assigns an IPAddress.
void swap(ip_address& address);
/// Swaps the IPAddress with another one.
family family() const;
/// Returns the address family (ipv4 or ipv6) of the address.
uint32_t scope() const;
/// Returns the IPv6 scope identifier of the address. Returns 0 if
/// the address is an IPv4 address, or the address is an
/// IPv6 address but does not have a scope identifier.
std::string to_string() const;
/// Returns a string containing a representation of the address
/// in presentation format.
/// For IPv4 addresses the result will be in dotted-decimal (d.d.d.d) notation.
/// The preferred form is x:x:x:x:x:x:x:x, where the 'x's are the hexadecimal
/// values of the eight 16-bit pieces of the address. This is the full form.
/// Example: 1080:0:0:0:8:600:200a:425c
/// It is not necessary to write the leading zeros in an individual field.
/// However, there must be at least one numeral in every field, except as
/// described below.
/// It is common for IPv6 addresses to contain long strings of zero bits.
/// In order to make writing addresses containing zero bits easier, a special
/// syntax is available to compress the zeros. The use of "::" indicates multiple
/// groups of 16-bits of zeros.
/// The "::" can only appear once in an address. The "::" can also be used to
/// compress the leading and/or trailing zeros in an address.
/// Example: 1080::8:600:200a:425c
/// For dealing with IPv4 compatible addresses in a mixed environment,
/// a special syntax is available: x:x:x:x:x:x:d.d.d.d, where the 'x's are the
/// hexadecimal values of the six high-order 16-bit pieces of the address,
/// and the 'd's are the decimal values of the four low-order 8-bit pieces of the
/// standard IPv4 representation address. Example: ::ffff:192.168.1.120
/// If an IPv6 address contains a non-zero scope identifier, it is added
/// to the string, delimited by a percent character. On Windows platforms,
/// the numeric value (which specifies an interface index) is directly
/// appended. On Unix platforms, the name of the interface corresponding
/// to the index (interpretation of the scope identifier) is added.
bool is_wildcard() const;
/// Returns true iff the address is a wildcard (all zero) address.
bool is_broadcast() const;
/// Returns true iff the address is a broadcast address.
/// Only IPv4 addresses can be broadcast addresses. In a broadcast
/// address, all bits are one. For an IPv6 address, returns always false.
bool is_loopback() const;
/// Returns true iff the address is a loopback address.
/// For IPv4, the loopback address is 127.0.0.1.
/// For IPv6, the loopback address is ::1.
bool is_multicast() const;
/// Returns true iff the address is a multicast address.
/// IPv4 multicast addresses are in the
/// 224.0.0.0 to 239.255.255.255 range
/// (the first four bits have the value 1110).
/// IPv6 multicast addresses are in the
/// FFxx:x:x:x:x:x:x:x range.
bool is_unicast() const;
/// Returns true iff the address is a unicast address.
/// An address is unicast if it is neither a wildcard,
/// broadcast or multicast address.
bool is_link_local() const;
/// Returns true iff the address is a link local unicast address.
/// IPv4 link local addresses are in the 169.254.0.0/16 range,
/// according to RFC 3927.
/// IPv6 link local addresses have 1111 1110 10 as the first
/// 10 bits, followed by 54 zeros.
bool is_site_local() const;
/// Returns true iff the address is a site local unicast address.
/// IPv4 site local addresses are in on of the 10.0.0.0/24,
/// 192.168.0.0/16 or 172.16.0.0 to 172.31.255.255 ranges.
/// Originally, IPv6 site-local addresses had FEC0/10 (1111 1110 11)
/// prefix (RFC 4291), followed by 38 zeros. Interfaces using
/// this mask are supported, but obsolete; RFC 4193 [3] prescribes
/// fc00::/7 (1111 110) as local unicast prefix.
bool is_ipv4_compatible() const;
/// Returns true iff the address is IPv4 compatible.
/// For IPv4 addresses, this is always true.
/// For IPv6, the address must be in the ::x:x range (the
/// first 96 bits are zero).
bool is_ipv4_mapped() const;
/// Returns true iff the address is an IPv4 mapped IPv6 address.
/// For IPv4 addresses, this is always true.
/// For IPv6, the address must be in the ::FFFF:x:x range.
bool is_well_known_mcast() const;
/// Returns true iff the address is a well-known multicast address.
/// For IPv4, well-known multicast addresses are in the 224.0.0.0/8 range.
/// For IPv6, well-known multicast addresses are in the
/// FF0x:x:x:x:x:x:x:x range.
bool is_node_local_mcast() const;
/// Returns true iff the address is a node-local multicast address.
/// IPv4 does not support node-local addresses, thus the result is
/// always false for an IPv4 address.
/// For IPv6, node-local multicast addresses are in the
/// FFx1:x:x:x:x:x:x:x range.
bool is_link_local_mcast() const;
/// Returns true iff the address is a link-local multicast address.
/// For IPv4, link-local multicast addresses are in the
/// 224.0.0.0/24 range. Note that this overlaps with the range for well-known
/// multicast addresses.
/// For IPv6, link-local multicast addresses are in the
/// FFx2:x:x:x:x:x:x:x range.
bool is_site_local_mcast() const;
/// Returns true iff the address is a site-local multicast address.
/// For IPv4, site local multicast addresses are in the 239.255.0.0/16 range.
/// For IPv6, site-local multicast addresses are in the
/// FFx5:x:x:x:x:x:x:x range.
bool is_org_local_mcast() const;
/// Returns true iff the address is a organization-local multicast address.
/// For IPv4, organization-local multicast addresses are in the
/// 239.192.0.0/16 range.
/// For IPv6, organization-local multicast addresses are in the
/// FFx8:x:x:x:x:x:x:x range.
bool is_global_mcast() const;
/// Returns true iff the address is a global multicast address.
/// For IPv4, global multicast addresses are in the
/// 224.0.1.0 to 238.255.255.255 range.
/// For IPv6, global multicast addresses are in the
/// FFxF:x:x:x:x:x:x:x range.
bool operator == (const ip_address& addr) const;
/// Returns true if IP addresses are equal.
bool operator != (const ip_address& addr) const;
/// Returns true if IP addresses are not equal.
bool operator < (const ip_address& addr) const;
/// Returns true if this IP address is lesser than addr.
bool operator <= (const ip_address& addr) const;
/// Returns true if this IP address is lesser than or equal to addr.
bool operator > (const ip_address& addr) const
/// Returns true if this IP address is greater than addr.
bool operator >= (const ip_address& addr) const;
/// Returns true if this IP address is greater than or equal to addr.
ip_address operator & (const ip_address& addr) const;
/// Performs a bitwise ANd operation and returns result.
ip_address operator | (const ip_address& addr) const;
/// Performs a bitwise OR operation and returns result.
ip_address operator ^ (const ip_address& addr) const;
/// Performs a bitwise XOR operation and returns result.
ip_address operator ~ () const;
/// Performs a bitwise NOT operation on this IP address and returns result.
socklen_t length() const;
/// Returns the length in bytes of the internal socket address structure.
const void* addr() const;
/// Returns the internal address structure.
uint32_t af() const;
/// Returns the address family (AF_INET or AF_INET6) of the address.
unit32_t prefix_len() const;
/// Returns the prefix length.
void mask(const ip_address& mask);
/// Masks the IP address using the given netmask, which is usually
/// a IPv4 subnet mask. Only supported for IPv4 addresses.
/// The new address is (address & mask).
void mask(const ip_address& mask, const ip_address& set);
/// Masks the IP address using the given netmask, which is usually
/// a IPv4 subnet mask. Only supported for IPv4 addresses.
/// The new address is (address & mask) | (set & ~mask).
static ip_address assign(const std::string& addr);
/// Creates an IPAddress from the string containing
/// an IP address in presentation format (dotted decimal
/// for IPv4, hex string for IPv6).
/// Depending on the format of addr, either an IPv4 or
/// an IPv6 address is created.
/// See to_string() for details on the supported formats.
/// Throws std::runtime_exception if the address cannot be parsed.
static bool try_assign(const std::string& addr, IPAddress& result);
/// Tries to interpret the given address string as an
/// IP address in presentation format (dotted decimal
/// for IPv4, hex string for IPv6).
/// Returns true and stores the IPAddress in result if the
/// string contains a valid address.
/// Returns false and leaves result unchanged otherwise.
static IPAddress wildcard(Family family = ipv4);
/// Returns a wildcard IPv4 or IPv6 address.
static IPAddress broadcast();
/// Returns a broadcast IPv4 address (255.255.255.255).
};
}} // namespace std::net
4. Socket Address
This class represents an internet (IP) endpoint/socket address. The address
can belong either to the IPv4 or the IPv6 address family and consists of a
host IP address and a port number.
4.1 Usage Examples
socket_address wild;
assert (wild.host().is_wildcard());
assert (wild.port() == 0);
socket_address sa1("192.168.1.100", 100);
assert (sa1.host().to_string() == "192.168.1.100");
assert (sa1.port() == 100);
socket_address sa2("192.168.1.100", "100");
assert (sa2.host().to_string() == "192.168.1.100");
assert (sa2.port() == 100);
socket_address sa3("192.168.1.100", "ftp");
assert (sa3.host().to_string() == "192.168.1.100");
assert (sa3.port() == 21);
socket_address sa4("www.appinf.com", 80);
assert (sa4.host().toString() == "50.57.108.29");
assert (sa4.port() == 80);
4.2 Header <socket_address> synopsis
namespace std {
namespace net {
class socket_address
/// This class represents an (IP) socket address.
/// The address can belong either to the IPv4 or the IPv6 address
/// family and consists of a host address and a port number.
{
public:
socket_address();
/// Creates a wildcard (all zero) IPv4 socket_address.
socket_address(const ip_address& host, uint_16t port);
/// Creates a socket_address from an IP address and a port number.
socket_address(const std::string& host, uint_16t port);
/// Creates a socket_address from an IP address and a port number.
/// The IP address must either be a domain name, or it must
/// be in dotted decimal (IPv4) or hex string (IPv6) format.
socket_address(const std::string& host, const std::string& port);
/// Creates a socket_address from an IP address and a
/// service name or port number.
/// The IP address must either be a domain name, or it must
/// be in dotted decimal (IPv4) or hex string (IPv6) format.
/// The given port must either be a decimal port number, or
/// a service name (as typically returned in struct servent
/// by the getservbyname() call.
explicit socket_address(const std::string& host_and_port);
/// Creates a socket_address from an IP address or host name and a
/// port number/service name. Host name/address and port number
/// must be separated by a colon. In case of an IPv6 address, the
/// address part must be enclosed in brackets.
///
/// Examples:
/// 192.168.1.10:80
/// [::ffff:192.168.1.120]:2040
/// www.appinf.com:8080
socket_address(const socket_address& addr);
/// Creates a socket_address by copying another one.
socket_address(const struct sockaddr* addr, socklen_t length);
/// Creates a socket_address from a native socket address.
~socket_address();
/// Destroys the socket_address.
socket_address& operator = (const socket_address& addr);
/// Assigns another socket_address.
void swap(socket_address& addr);
/// Swaps the socket_address with another one.
ip_address host() const;
/// Returns the host IP address.
uint_16t port() const;
/// Returns the port number.
socklen_t length() const;
/// Returns the length of the internal native socket address.
const struct sockaddr* addr() const;
/// Returns a pointer to the internal native socket address.
uint32_t af() const;
/// Returns the address family (AF_INET or AF_INET6) of the address.
std::string to_string() const;
/// Returns a string representation of the address.
ip_address::family family() const;
/// Returns the address family of the host's address.
bool operator < (const socket_address& addr) const;
/// Less than operator.
bool operator == (const socket_address& addr) const;
/// Equal operator.
bool operator != (const socket_address& addr) const;
/// Not equal operator.
};
}} // namespace std::net
6. Conclusion
Class interfaces for IP and socket address as well as rationale for their
introduction in C++ Standard and usage examples were described in this
proposal. This proposal is one of the starting points and building blocks
for C++ Standard Networking Library. Implementation of the described
functionality is currently available in POCO framework [6]; the
implementation differs in naming scheme from this proposal. Given a
positive feedback on the proposal, implementation will be available
in the near future as a standalone implementation in standard-compliant
naming convention, with accompanying tests and code examples.
7. Acknowledgements
POCO original author (Günter Obiltschnig)
POCO project contributors and users
References
[1] RFC 791
[2] RFC 2460
[3] RFC 4193
[4] RFC 3513
[5] RFC 3879
[6] C++ Portable Components: http://pocoproject.org
[7] List of known POCO users: http://pocoproject.org/forum/viewtopic.php?f=11&t=3826
© Copyright 2005 Günter Obiltschnig
© Copyright 2012 Aleksandar Fabijanic
Saturday, 31 May 2014
C++ Internet Protocol and Socket Address Classes
What is tunneltrace?
TUNNELTRACE-RS v1.0
===================
What is tunneltrace?
--------------------
Tunneltrace is a tool used for detecting IPv6 in IPv4 tunnels. More precisely,
Tunneltrace can run in 2 modes:
Mode 1:
Given two IPv4 Addresses it checks if there is a tunnel between them. If there
is evidence of the presence of a tunnel, tunneltrace outputs a confidence
value, which provides a measure of the probability that the tunnel exists, and
tries to determine the IPv6 addresses of the endpoints.
Mode 2:
Tunneltrace can also determine, given an IPv6 Address, the full Path from the
node where tunneltrace is launched to the given address. From the Path
determined tunneltrace identifies the Path MTU and all the tunnels inside the path, and for
each tunnel found it tries to find the IPv4 addresses of the endpoints and
outputs a confidence value.
Techniques used
---------------
Tunneltrace uses three techniques to detect tunnels:
1) IPv4 spoofing
2) DNS lookups
3) Queries to the 6bone registry
Each of the above techniques has a degree of confidence. The confidence value
output by tunneltrace is the sum of the confidence values of each technique
that succeeded.
Brief description of the techniques
-----------------------------------
1. IPv4 spoofing
These are the main techniques used by tunneltrace. By encapsulating an IPv6
packet in an IPv4 packet having the source address of one of the tunnel
endpoints, tunneltrace can trick the other endpoint into treating the packet as
if it had come from the tunnel.
Tunneltrace uses four spoofing techniques:
a) Injected Ping
Encapsulated IPv6 echo request to a pingable IPv6 interface. Used to
determine if there is a tunnel.
b) Dying Packet
Similar to the above, but injects packets with a Hop Count field of 1.
Used to determine the IPv6 addresses of the tunnel endpoints.
c) Ping Pong Packet
Similar to the above, but attempts to determine the address of one
endpoint if the address of the other endpoint is known.
d) Fragmented Injection
As Injected Ping but puts the IPv6 echo request message into three IPv4 fragments
2. DNS Lookups
Looks for AAAA records with the endpoint hostnames, if we are running tunneltrace in
mode 1.
Looks for A records with the endpoint hostnames (retreived by a reverse-lookup),if we
are running tunneltrace in mode 2.
3. Queries to the 6bone registry
Looks for a corresponding entry in the 6bone registries. Tunneltrace requires
a copy of the 6bone registry file to be stored locally in /etc/6bone.db or
in the directory where tunneltrace is installed.
You may download this file from ftp://whois.6bone.net/6bone/6bone.db.gz
A detailed description of the techniques used can be found in the papers
available at the URL:
http://www.dia.uniroma3.it/~compunet/tunneldiscovery/tunneling-noms.pdf
4) Path MTU Discovery
Tunneltrace tries to send ICMPv6 packets with the MTU of the node where it is running
and using Hop Limit manipulation for determining the Path (Modifing the HL field).
If it receives a ICMPv6 message of Packet-Too-Big, from that point on it will send
packets with the MTU specified in the Packet-Too-Big messagge, until it doesn't
receive antoher packet too big messagge, and so on.
5) Fragmented IPv6 in IPv4 Path MTU Discovery
If Tunneltrace finds on its Path a Tunnel, it tryes to use the outern endpoint of it as Vantage Point
for Path MTU Discovery , by creating an IPv6 Packet of the MTU of the source node in IPv4 Fragments
of 68 bytes. So to be able to do Path MTU Discovery (and PATH TRACING with Hop Limit manipulation)
from the Vantage Point. This repeatably for every new Vantage Point that Tunneltrace finds further
on in the Path.
How confidence values are calculated
------------------------------------
The Confidence value output by tunneltrace is calculated using the following
criteria:
Spoofing Techniques ->
Injected Ping success on 1 Endpoint only : 5 Confidence Points
Injected Ping success of both Endpoints : 7 Confidence Points
Dying Packet success on each Endpoint : 1 Confidence point
Ping Pong Packet success on one Endpoint (if Dying Packet didn't work)
: 1 Confidence point
If Spoofing Techniques succeeded, then ->
6bone registries lookup success : 1 Confidence points
If no Spoofing Technique succeeded, then ->
DNS lookups success : 1 Confidence points
6bone registries lookup success : 4 Confidence points
Compiling tunneltrace
---------------------
To compile tunneltrace, run the build.sh script in the distribution.
Compilation requires the C++ development libraries to be installed.
Tunneltrace is known to compile on Linux and FreeBSD, but should also compile
and run on other platforms such as Solaris.
Tunneltrace runs on both littleEndian and bigEndian machines.
Using tunneltrace
-----------------
1. Prerequisites
Due to the use of spoofing techniques that require raw sockets, you must be
root to run tunneltrace.
Some of the techniques used by tunneltrace require a reference IPv6 address.
This address must be globally routed or, at a minimum, reachable from the
tunnel endpoints. The reference IPv6 address may be specified on the command
line using the -h parameter or in the file /etc/tunneltrace.ip.
As stated previously, tunneltrace also requires a 6bone registry dump in the
file /etc/6bone.db or in the directory where tunneltrace is installed.
You may run multiple istances of tunneltrace in parallel, since each one recognizes its
own packets.
2. Usage
Tunneltrace's syntax is the following :
Mode 1:
tunneltrace [ -h reference IPv6 ] [ -v ] <source IPv4> <dest IPv4>
Where <source IPv4> AND <dest IPv4>: IPv4 addresses or hostnames
Mode 2:
tunneltrace [ -h reference IPv6 ] <dest IPv6>
Where <dest IPv6>: IPv6 address or hostname
Tunneltrace exits with an error if <source IPv4> or <dest IPv4> are not valid
IPv4 addresses or resolvable hostnames or if the reference IPv6 is not a valid
IPv6 address or <dest IPv6> is not a valid IPv6 address or resolvable hostname
or is not reachable.
The -v option is used for generating Parametric OUTPUT (on one line) in order to
see the techniques that worked in detail
Output format
-------------
The output format of tunneltrace is the following:
Mode 1:
# tunneltrace <source IPv4> <dest IPv4>
source_host(source_IPv4) -> dest_host(dest_IPv4)
source_IPv6 -> dest_IPv6 ; CONFIDENCE X/10
Mode 2:
# tunneltrace <dest IPv6>
1 host_1(IPv6_1) MTU
2 host_2(IPv6_2) MTU
source_host1(source_IPv4_1) -> dest_host2(dest_IPv4_2)
source_IPv6_1 -> dest_IPv6_2 ; CONFIDENCE X/10
3 host_3(IPv6_3) MTU
.
.
8 host_dest(IPv6_dest) MTU
If none of the techniques worked, tunneltrace will output a confidence value of
zero and one or both of the IPv6 addresses will be shown as "unknown".
Credits
-------
Tunneltrace was developed as part of Davide De Micco's master thesis in
collaboration with the Computer Networks research group at Roma Tre University.
Contributors are:
Davide De Micco
Lorenzo Colitti
Giuseppe Di Battista
Emanuele Conti
Maurizio Patrignani
===================
What is tunneltrace?
--------------------
Tunneltrace is a tool used for detecting IPv6 in IPv4 tunnels. More precisely,
Tunneltrace can run in 2 modes:
Mode 1:
Given two IPv4 Addresses it checks if there is a tunnel between them. If there
is evidence of the presence of a tunnel, tunneltrace outputs a confidence
value, which provides a measure of the probability that the tunnel exists, and
tries to determine the IPv6 addresses of the endpoints.
Mode 2:
Tunneltrace can also determine, given an IPv6 Address, the full Path from the
node where tunneltrace is launched to the given address. From the Path
determined tunneltrace identifies the Path MTU and all the tunnels inside the path, and for
each tunnel found it tries to find the IPv4 addresses of the endpoints and
outputs a confidence value.
Techniques used
---------------
Tunneltrace uses three techniques to detect tunnels:
1) IPv4 spoofing
2) DNS lookups
3) Queries to the 6bone registry
Each of the above techniques has a degree of confidence. The confidence value
output by tunneltrace is the sum of the confidence values of each technique
that succeeded.
Brief description of the techniques
-----------------------------------
1. IPv4 spoofing
These are the main techniques used by tunneltrace. By encapsulating an IPv6
packet in an IPv4 packet having the source address of one of the tunnel
endpoints, tunneltrace can trick the other endpoint into treating the packet as
if it had come from the tunnel.
Tunneltrace uses four spoofing techniques:
a) Injected Ping
Encapsulated IPv6 echo request to a pingable IPv6 interface. Used to
determine if there is a tunnel.
b) Dying Packet
Similar to the above, but injects packets with a Hop Count field of 1.
Used to determine the IPv6 addresses of the tunnel endpoints.
c) Ping Pong Packet
Similar to the above, but attempts to determine the address of one
endpoint if the address of the other endpoint is known.
d) Fragmented Injection
As Injected Ping but puts the IPv6 echo request message into three IPv4 fragments
2. DNS Lookups
Looks for AAAA records with the endpoint hostnames, if we are running tunneltrace in
mode 1.
Looks for A records with the endpoint hostnames (retreived by a reverse-lookup),if we
are running tunneltrace in mode 2.
3. Queries to the 6bone registry
Looks for a corresponding entry in the 6bone registries. Tunneltrace requires
a copy of the 6bone registry file to be stored locally in /etc/6bone.db or
in the directory where tunneltrace is installed.
You may download this file from ftp://whois.6bone.net/6bone/6bone.db.gz
A detailed description of the techniques used can be found in the papers
available at the URL:
http://www.dia.uniroma3.it/~compunet/tunneldiscovery/tunneling-noms.pdf
4) Path MTU Discovery
Tunneltrace tries to send ICMPv6 packets with the MTU of the node where it is running
and using Hop Limit manipulation for determining the Path (Modifing the HL field).
If it receives a ICMPv6 message of Packet-Too-Big, from that point on it will send
packets with the MTU specified in the Packet-Too-Big messagge, until it doesn't
receive antoher packet too big messagge, and so on.
5) Fragmented IPv6 in IPv4 Path MTU Discovery
If Tunneltrace finds on its Path a Tunnel, it tryes to use the outern endpoint of it as Vantage Point
for Path MTU Discovery , by creating an IPv6 Packet of the MTU of the source node in IPv4 Fragments
of 68 bytes. So to be able to do Path MTU Discovery (and PATH TRACING with Hop Limit manipulation)
from the Vantage Point. This repeatably for every new Vantage Point that Tunneltrace finds further
on in the Path.
How confidence values are calculated
------------------------------------
The Confidence value output by tunneltrace is calculated using the following
criteria:
Spoofing Techniques ->
Injected Ping success on 1 Endpoint only : 5 Confidence Points
Injected Ping success of both Endpoints : 7 Confidence Points
Dying Packet success on each Endpoint : 1 Confidence point
Ping Pong Packet success on one Endpoint (if Dying Packet didn't work)
: 1 Confidence point
If Spoofing Techniques succeeded, then ->
6bone registries lookup success : 1 Confidence points
If no Spoofing Technique succeeded, then ->
DNS lookups success : 1 Confidence points
6bone registries lookup success : 4 Confidence points
Compiling tunneltrace
---------------------
To compile tunneltrace, run the build.sh script in the distribution.
Compilation requires the C++ development libraries to be installed.
Tunneltrace is known to compile on Linux and FreeBSD, but should also compile
and run on other platforms such as Solaris.
Tunneltrace runs on both littleEndian and bigEndian machines.
Using tunneltrace
-----------------
1. Prerequisites
Due to the use of spoofing techniques that require raw sockets, you must be
root to run tunneltrace.
Some of the techniques used by tunneltrace require a reference IPv6 address.
This address must be globally routed or, at a minimum, reachable from the
tunnel endpoints. The reference IPv6 address may be specified on the command
line using the -h parameter or in the file /etc/tunneltrace.ip.
As stated previously, tunneltrace also requires a 6bone registry dump in the
file /etc/6bone.db or in the directory where tunneltrace is installed.
You may run multiple istances of tunneltrace in parallel, since each one recognizes its
own packets.
2. Usage
Tunneltrace's syntax is the following :
Mode 1:
tunneltrace [ -h reference IPv6 ] [ -v ] <source IPv4> <dest IPv4>
Where <source IPv4> AND <dest IPv4>: IPv4 addresses or hostnames
Mode 2:
tunneltrace [ -h reference IPv6 ] <dest IPv6>
Where <dest IPv6>: IPv6 address or hostname
Tunneltrace exits with an error if <source IPv4> or <dest IPv4> are not valid
IPv4 addresses or resolvable hostnames or if the reference IPv6 is not a valid
IPv6 address or <dest IPv6> is not a valid IPv6 address or resolvable hostname
or is not reachable.
The -v option is used for generating Parametric OUTPUT (on one line) in order to
see the techniques that worked in detail
Output format
-------------
The output format of tunneltrace is the following:
Mode 1:
# tunneltrace <source IPv4> <dest IPv4>
source_host(source_IPv4) -> dest_host(dest_IPv4)
source_IPv6 -> dest_IPv6 ; CONFIDENCE X/10
Mode 2:
# tunneltrace <dest IPv6>
1 host_1(IPv6_1) MTU
2 host_2(IPv6_2) MTU
source_host1(source_IPv4_1) -> dest_host2(dest_IPv4_2)
source_IPv6_1 -> dest_IPv6_2 ; CONFIDENCE X/10
3 host_3(IPv6_3) MTU
.
.
8 host_dest(IPv6_dest) MTU
If none of the techniques worked, tunneltrace will output a confidence value of
zero and one or both of the IPv6 addresses will be shown as "unknown".
Credits
-------
Tunneltrace was developed as part of Davide De Micco's master thesis in
collaboration with the Computer Networks research group at Roma Tre University.
Contributors are:
Davide De Micco
Lorenzo Colitti
Giuseppe Di Battista
Emanuele Conti
Maurizio Patrignani
How to add IPv6 over IPv4 support to your network behind a NAT router
Firewall+IPv6 Tunnel mini-HOWTO
Hernán Freschi <hjf(at)hjf.com.ar>
version 0.1, 2002-11-27
How to add IPv6 over IPv4 support to your network behind a NAT router.
----------------------------------------------------------------------
Table of Contents
1. Introduction
1.1 Copyright
1.2 Disclaimer
1.3 Credits
1.4 Changelog
2. What's IPv6? What can it do for me?
3. How do I connect to the 6bone?
4. What should I allow through the firewall?
5. Configuring the IPv6 machines/routers
5.1. Linux
5.2. Windows
5.2.1 IPv6 stand-alone machine
5.2.2 IPv6 network
5.2.2.1 The Router
5.2.2.2 The clients
6. Examples
6.1 Windows PC using IPv6, behind iptables NAT/MASQ, with a tunnel from HE.
6.2 Multiple Windows PCs using IPv6, behind iptables NAT/MASQ, with a tunnel from BTExact.
----------------------------------------------------------------------
1. Introduction
1.1 Copyright
This document is Copyright 2002 by Hernán Freschi. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license can be found at www.gnu.org.
1.2 Disclaimer
Use the information in this document at your own risk. I disavow any potential liability for the contents of this document. Use of the concepts, examples, and/or other content of this document is entirely at your own risk.
All copyrights are owned by their owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark.
Naming of particular products or brands should not be seen as endorsements.
You are strongly recommended to take a backup of your system before major installation and backups at regular intervals.
1.3 Credits
Hernán Freschi <hjf(at)hjf.com.ar>
Microsoft, Windows, 2000, XP, SP1, .NET Server 2003 are all trademarks of Microsoft Corp.
Any comments or suggestions can be mailed to my mail address on: hjf(at)hjf.com.ar
This document is still in beta phase, so errors and omissions may be present.
1.4 Changelog
0.1 Initial Release.
Getting Started
2. What's IPv6? What can it do for me?
Sorry, that is beyond the scope of this document. This aims to make a iptables firewall to allow incoming traffic from an IPv6 tunnel.
3. How do I connect to the 6bone?
Through a tunnel broker!. Get your account (for free) at:
www.tunnelbroker.net (USA)
tb.ipv6.btexact.com (UK)
tb.ngnet.it (Italy?)
You could also use www.freenet6.net, but they use proprietary software, which doesn't run inside a network. But it's easier to implement and even assigns /48 subnets.
4. What should I allow through the firewall?
Everything that comes from the tunnel address, except ICMP (what for? let the linux box answer, so the packets dont get in the network). The rules I use are this:
iptables -A FORWARD -s <tunnel address> -p ! ICMP -i eth0 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to <internal router address>
And that's it. The outgoing packets don't need special treatment.
Note: This, of course, assumes that your Linux firewall doesn't handle the IPv6 packets. It's designed to run on tiny distros like FloppyFW (www.zelow.no/floppyfw) or LRP (www.lrp.org). With this, the firewall doesn't need support for IPv6. These packets are handled in an internal, more powerful (ie: with a hard disk) computer.
5. Configuring the IPv6 machines/routers
5.1 Linux
I don't have a linux box to experiment, you can either
a) Donate a hard disk, so I can install linux again or
b) Write this section for me :)
5.2 Windows (2000/XP/XP-SP1/.NET Server 2003 ONLY! Win9x is UNSUPPORTED).
First of all, you have to install IPv6 support:
C:\> ipv6 install
Installing...
Success.
5.2.1 IPv6 stand-alone machine:
Use your brokers script! If they didn't provide one, use these:
ipv6.exe rtu ::/0 2/::<tunnel address>
ipv6.exe adu 2/<your ipv6 address>
The 2/ is the Interface Index. It's usually 2, but it may vary. If in doubt, type
ipv6 if
and look for a line like this:
Interface 2: Automatic tunnel pseudo-interface
The number, obviously, is the one you are looking for.
5.2.2 IPv6 network
(Note: this applies only to the external network. If you need help setting up the IPv6 lan, read www.microsoft.com/ipv6)
5.2.2.1 The Router
Use your brokers script! If they didn't provide one, use these:
ipv6.exe rtu ::/0 2/::<tunnel address>
ipv6.exe adu 2/<your ipv6 address>
ipv6.exe rtu <your ipv6 subnet>/<your ipv6 netmask> 4 pub life 86400
ipv6.exe ifc 2 forw
ipv6.exe ifc 3 forw
ipv6.exe ifc 4 forw adv
2, 3, 4 are the interface indices. They may vary. To find out, type
ipv6 if
5.2.2.2 The clients
You don't need to do nothing, they are auto configured.
6. Examples:
6.1 Windows PC using IPv6, behind iptables NAT/MASQ, with a tunnel from HE.
Equipment required:
1 Box capable of running iptables (kernel = 2.4.x)
1 Box running Microsoft® Windows 2000, Windows XP (SP1), Windows .NET Server 2003.
Tunnel:
1 /127 Allocation from Hurricane Electric
+---+ +---+ \/\/\/\/\/ +------+ /\/\/\/\/\
|WIN|------------|FFW|-----------/INTERNET\---------|TUNNEL|----------\ 6bone /
+---+ +---+ \/\/\/\/\/ +------+ /\/\/\/\/\
10.42.42.100<->10.42.42.1 <-> 209.13.122.2 <-> ipv6.he.net <-> 2001:470:1F00:FFFF::xxxx
Configuration:
On the Linux box type:
iptables -A FORWARD -s 64.71.128.82 -p ! ICMP -i eth0 -j ACCEPT
iptables -t nat -A PREROUTING -s 64.71.128.82 -i eth0 -j DNAT --to 10.42.42.100
On the MS box type:
ipv6 rtu ::/0 2/::64.71.128.82 pub
ipv6 adu 2/2001:470:1F00:FFFF::xxxx
Congratulations. You are set.
Now try pinging to 6bone.net, for example.
6.2 Multiple Windows PCs using IPv6, behind iptables NAT/MASQ, with a tunnel from BTExact.
Equipment required:
1 Box capable of running iptables (kernel = 2.4.x)
n Boxes running Microsoft® Windows 2000, Windows XP (SP1), Windows .NET Server 2003.
Tunnel:
1 /64 Allocation from Hurricane Electric
+---+ +---+ +---+
|WIN| |WIN| |WIN|
+---+ +---+ +---+
+-----+-----+
+---+ +---+ \/\/\/\/\/ +------+ /\/\/\/\/\
--|WRT|------------|FFW|-----------/INTERNET\---------|TUNNEL|----------\ 6bone /
+---+ +---+ \/\/\/\/\/ +------+ /\/\/\/\/\
10.42.42.100<->10.42.42.1 <-> 209.13.122.2 <-> 193.113.58.80 <-> 2001:618:400::xxxx:xxxx
Configuration:
On the Linux box type:
iptables -A FORWARD -s 64.71.128.82 -p ! ICMP -i eth0 -j ACCEPT
iptables -t nat -A PREROUTING -s 64.71.128.82 -i eth0 -j DNAT --to 10.42.42.100
On the MS router type:
ipv6.exe rtu ::/0 2/::193.113.58.80
ipv6.exe adu 2/2001:618:400::xxxx:xxxx
ipv6.exe rtu 2001:618:400:xxxx::/64 4 pub life 86400
ipv6.exe ifc 2 forw
ipv6.exe ifc 3 forw
ipv6.exe ifc 4 forw adv
On the other machines type:
Nothing, they are auto configured. If they dont work, try:
ipv6 reset
If that doesn't work, check for a default route (::/0).
ipv6 rt
If there isn't one, try adding one:
ipv6 rtu ::/0 n/(your routers ipv6 address)
(where n is the interface index of the ethernet board connected to the network, usually 4).
If it works, but the next time you reboot, it does not auto configure, then maybe you are not publishing the default route in the router.
Congratulations. You are set.
Now try pinging to 6bone.net, for example.
IPv6 multicast address assignment with DHCPv6
Network Working Group J. Durand
Internet-Draft GIP RENATER
Expires: August 19, 2005 February 18, 2005
IPv6 multicast address assignment with DHCPv6
draft-jdurand-assign-addr-ipv6-multicast-dhcpv6-01
Status of this Memo
By submitting this Internet-Draft, I certify that any applicable
patent or other IPR claims of which I am aware have been disclosed,
and any of which I become aware will be disclosed, in accordance with
RFC 3668.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at http://
www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 19, 2005.
Copyright Notice
Copyright (C) The Internet Society (2005). All Rights Reserved.
Abstract
This document proposes a simple solution to solve IPv6 multicast
address assignment problem using the DHCPv6 protocol.
Durand Expires August 19, 2005 [Page 1]
Internet-Draft IPv6 multicast address assignment with DHCPv6 February 2005
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1 IPv6 multicast deployment status . . . . . . . . . . . . . 3
1.2 Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
1.3 SSM: no solution needed . . . . . . . . . . . . . . . . . 3
1.4 Session announcement considerations . . . . . . . . . . . 4
2. State of the art for address assignment . . . . . . . . . . . 4
3. Assignment with DHCPv6 . . . . . . . . . . . . . . . . . . . . 4
3.1 New DHCPv6 options . . . . . . . . . . . . . . . . . . . . 4
3.1.1 IA_MA option for IPv6 Multicast Addresses . . . . . . 4
3.1.2 Scope Option for IPv6 multicast address . . . . . . . 6
3.2 Address timers . . . . . . . . . . . . . . . . . . . . . . 6
3.3 Assignment of a multicast prefix . . . . . . . . . . . . . 7
3.4 Client and server behavior . . . . . . . . . . . . . . . . 7
4. Group-ID consideration . . . . . . . . . . . . . . . . . . . . 8
5. Deployment scenarios - Case studies . . . . . . . . . . . . . 8
5.1 Scenario 1: Site deployment . . . . . . . . . . . . . . . 8
5.2 Scenario 2: Campus deployment . . . . . . . . . . . . . . 9
5.3 Scenario 3: ISP deployment . . . . . . . . . . . . . . . . 9
6. Security considerations . . . . . . . . . . . . . . . . . . . 9
7. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 10
8. Discussions . . . . . . . . . . . . . . . . . . . . . . . . . 10
9. Changes from -00 . . . . . . . . . . . . . . . . . . . . . . . 10
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
10.1 Normative references . . . . . . . . . . . . . . . . . . . . 10
10.2 Informative references . . . . . . . . . . . . . . . . . . . 11
Author's Address . . . . . . . . . . . . . . . . . . . . . . . 12
Intellectual Property and Copyright Statements . . . . . . . . 13
Durand Expires August 19, 2005 [Page 2]
Internet-Draft IPv6 multicast address assignment with DHCPv6 February 2005
1. Introduction
Embedded-RP [11] is the only available solution for IPv6 interdomain
ASM. Embedded-RP requires an IPv6 multicast address assignment
mechanism, as multicast addresses mapping to the RP cannot be guessed
and manually built by users. This is depicted in section 2.1.2 of the
IETF working group document draft-ietf-mboned-addrarch [13].
This document proposes a simple solution to assign IPv6 multicast
addresses or prefixes using the DHCPv6 protocol [8].
1.1 IPv6 multicast deployment status
The document draft-jdurand-ipv6-multicast-ra [14] recalls the
following:
"The deployment of IPv6 multicast is expanding. Some networks have
already put the service in production. Some gateways have been
deployed, making it possible to have interoperability between IPv4
and IPv6 multicast. Some sites have even stopped IPv4 multicast, due
to its complexity (due to NAT and MSDP for example) and only rely on
IPv6 multicast, using the deployed gateways for interoperability with
IPv4.
As of this writing, most sessions are created manually from
unicast-prefix based address space [6], or use SDR to form a
semi-random address. Nevertheless these addresses cannot fit with
embedded-RP [11] which is the only existing solution for IPv6
interdomain ASM.
Some people argue that SSM solves the problem but there is nowadays a
demand from customers to be capable to have multicast sessions (both
IPv4 and IPv6) with multiple sources (e.g., conferencing) and it is
not clear how to achieve this with SSM. While "multiple-source SSM"
could potentially be done with the aid of SIP or RTP, this does not
exist yet, and a simple solution for ASM is needed."
1.2 Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [1].
1.3 SSM: no solution needed
In the SSM model, as the channel is defined by the tuple (source
address , group address), a collision can only occur if a host would
like to be a sender for 2 different groups having the same address.
Durand Expires August 19, 2005 [Page 3]
Internet-Draft IPv6 multicast address assignment with DHCPv6 February 2005
Therefore, it is sufficient for a sender to choose different
addresses for different channels, this is a decision local to the
host. This document only considers the ASM model which is a bit more
complex.
1.4 Session announcement considerations
This document does not address the session announcement problem. It
only answers the question of large scale address assignemnt of IPv6
multicast addresses. Announcement of the sessions can still be done
using web pages, emails, directories, SAP, etc.
2. State of the art for address assignment
MADCAP [2] solves, or could solve, the multicast address assignment
problem for both IPv4 and IPv6. However, MADCAP is a fork of DHCP, it
has only a couple of implementations which have not been widely
deployed. We assume that a mechanism that would be a simple extension
to a more widely available mechanism (DHCPv6) could be more deployed.
This proposal and draft-jdurand-ipv6-multicast-ra [14] simplify the
assignment architecture since the unicast and multicast address
assignment mechanisms become the same. We consider at this stage only
IPv6 multicast since most of the key elements used are already
defined, and interaction with IPv4 multicast is ensured. If felt
needed by the community, this proposal could be extended to IPv4.
3. Assignment with DHCPv6
3.1 New DHCPv6 options
This section introduces new options for IPv6 multicast address
assignment with DHCPv6.
3.1.1 IA_MA option for IPv6 Multicast Addresses
RFC 3315 [8] defines the following options for Identity Associations
(IA):
o IA_NA option for Non temporary Addresses
o IA_TA option for Temporary Addresses
This document introduces a third option: the IA_MA option for IPv6
Multicast Addresses. This option is used to carry an IA_MA, the
parameters associated with the IA_MA, and the addresses associated
with the IA_MA. The format of the IA_MA option is:
Durand Expires August 19, 2005 [Page 4]
Internet-Draft IPv6 multicast address assignment with DHCPv6 February 2005
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| option-code | option-len |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IAID (4octets) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
. IA_MA-options .
. .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
option-code: OPTION_IA_MA (TBD)
option-len: 4 + length of IA_MA-options field
IAID: The unique identifier for this IA_MA; the IAID must be unique
among the identifiers for all of this client's IA_MAs. The number
space for IA_MA IAIDs is separate from the number space for IA_NA
and IA_TA IAIDs
IA_MA-Options: Options associated with this IA_MA
The IA_MA-options field encapsulates those options that are specific
to this IA_MA. For example, all of the IA Address Options carrying
the multicast addresses associated with this IA_MA are in the
IA_MA-options field.
Each IA_MA carries one "set" of multicast addresses; that is, at most
one address per session created by the client requiring an address.
An IA_MA option may only appear in the options area of a DHCP
message. A DHCP message may contain multiple IA_MA options. The
status of any operations involving this IA_MA is indicated in a
Status Code option in the IA_MA-options field.
Note that an IA has no explicit "lifetime" or "lease length" of its
own. When the valid lifetimes of all of the addresses in an IA_MA
have expired, the IA can be considered as having expired.
An IA_MA option does not include values for T1 and T2 (see RFC 3315
[8]). A client MAY request that the lifetimes of multicast addresses
be extended by including the addresses in a IA_MA option sent in a
Renew or Rebind message to a server. For example, a client would
request an extension on the lifetime of a multicast address to allow
an application to continue a multicast session.
The client obtains new multicast addresses by sending an IA_MA option
Durand Expires August 19, 2005 [Page 5]
Internet-Draft IPv6 multicast address assignment with DHCPv6 February 2005
with a new IAID to a server. The server will generate new multicast
addresses and return them to the client. In case the clients needs to
extend the multicast session, it sends a Renew message to the server
with the IA_MA and addresses in parameters.
3.1.2 Scope Option for IPv6 multicast address
The scope option for IPv6 multicast addresses is used by the clients
to request multicast addresses with a certain scope. It is included
in the IA address option IAaddr-options field defined in section 22.5
of RFC 3315 [8]. A user can attach more than one scope option for
IPv6 multicast address to an IA address option if the client does not
know exactely the scope it wants to request but has a set of adequate
scope values.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| OPTION_SCOPE | option-len |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| scope | res |
+-+-+-+-+-------+
option-code: OPTION_SCOPE (TBD)
option-len: 1
scope: The scope value for the requested IPv6 multicast address,
according to values defined in RFC 3513 [9]
res: This field is reserved for future use. The 4 bits of this field
MUST be set to 0, and MUST be ignored on receipt
3.2 Address timers
NOTE: There have been some discussions about using some options for
the timers. This is let to next releases of the document as this
release really focuses on why an assignment based on DHCPv6 has an
interest.
The IA address option defined in RFC 3315 [8] contains the following
32 bits fields:
o preferred-lifetime: The preferred lifetime for the IPv6 address in
the option, expressed in units of seconds
o valid-lifetime: The valid lifetime for the IPv6 address in the
Durand Expires August 19, 2005 [Page 6]
Internet-Draft IPv6 multicast address assignment with DHCPv6 February 2005
option, expressed in units of seconds
We suggest to use these fields, usually defined for unicast
addresses, for IPv6 multicast addresses, with the definition written
above.
The maximum value for these lifetimes is 2^32 seconds or 49710 days
equivalent to 136 years. Therefore a host that wants to be assigned
an address for a 2 days session occuring in 30 days can request an
address with a preferred lifetime value of 32 days. According to the
IPv6 multicast addressing space available, servers should allow this
type of requests, or at least should permit a certain number of
long-term assignment per host. The address is directly assigned by
the DHCP server when the request is received. We suggest here not
using the parameters minDesiredStartTime and maxDesiredStartTime
specified in RFC 2771 [3] which bring too much complexity for the
assignment and don't really make sense for IPv6 where many addresses
are available.
3.3 Assignment of a multicast prefix
The assignment of a multicast prefix can be needed in the following
scenarios:
o An ISP needs to assign a block of IPv6 multicast address to an
enterprise, assigning IPv6 multicast addresses to its hosts. This
scenario will most likely occur when DHCPv6 prefix delegation [10]
is already used to assign unicast prefixes to the enterprise.
o Also it is most likely that the multicast applications will not
support at the beginning the API to request for an IPv6 multicast
address via DHCPv6. Then, on startup, or when connected to a new
network, a host could ask for an IPv6 multicast prefix.
Applications could then choose locally multicast addresses in the
prefix assigned to the host.
To fulfill this need, the prefix delegation mechanism described in
RFC 3633 [10] is needed also for multicast prefixes. The actual
specifications of the IPv6 prefix Options for DHCPv6 do not need to
be changed to support multicast prefix delegations. The only thing to
keep in mind is that multicast prefix delegation can also occur
between a router and a host to fulfill the second requirement
mentioned above.
3.4 Client and server behavior
The procedures to request an IPv6 multicast address is more or less
the same than the ones described in RFC 3315 [8] to request a
Durand Expires August 19, 2005 [Page 7]
Internet-Draft IPv6 multicast address assignment with DHCPv6 February 2005
temporary IPv6 address. The differences are following:
o The client uses IA-type IA_MA described above to ask for IPv6
multicast addresses.
o The client SHOULD use the Scope Option in solicit and request
messages to tell the server the scope wanted for the IPv6
multicast address requested. It can include more than one Scope
Option for IPv6 multicast address per addresses requested in case
the client does not know exactly the scope it wants to request but
has a set of adequate scope values.
o The client SHOULD specify the lifetimes for every address it wants
to be assigned in solicit, request, renew and rebind messages.
o The server MUST assign addresses only if it can assign an address
matching one of the scope requested. In case the server can't
assign an address with the requested scopes, it must include the
Status Code Option NoAddrsAvail in the advertise and reply
messages and should include a status message with the scopes that
can be assigned by the server and their description.
o If no scope option is specified by the client, the server can
assign a multicast address with any scope. It can be a default
scope value configured by the DHCP server administrator.
4. Group-ID consideration
RFC 3307 [7] defines guidelines for the choice of IPv6 multicast
group identifier (the last 32 bits of the IPv6 multicast address). It
specifies that for dynamic IPv6 multicast address allocation, the
group-ID MUST be in the range 0x80000000 to 0xFFFFFFF.
5. Deployment scenarios - Case studies
This section gives examples of DHCPv6 deployments for IPv6 multicast
address assignment.
5.1 Scenario 1: Site deployment
Consider a site having configured a DHCPv6 server and having one RP
for a site-local scope (scope 5). In this simple scenario, the DHCPv6
server can assign the complete set of addresses with a site-local
scope.
We have the same scenario if the site configures one RP for global
scope with embedded-RP technology. The DHCPv6 server of the site can
Durand Expires August 19, 2005 [Page 8]
Internet-Draft IPv6 multicast address assignment with DHCPv6 February 2005
assign the complete set of addresses derived from the RP's address
(see Embedded-RP [11]).
5.2 Scenario 2: Campus deployment
Consider a campus having configured one DHCPv6 server for the entire
site, and having several labs (in different subnets) having each a
multicast scope for their own usage. Every lab might have for example
a scope admin-local (scope 4), and the campus may have the scope
site-local (scope 5). The problem of the DHCPv6 server is to assign
appropriate addresses to each of the labs.
The server can retrieve information about the location of the client
according to the explanation given in section 11 of RFC 3315 [8]. The
server can determine this way in which lab the client is and assign
adequate addresses. This way a server can assign the same address
twice to different clients in different labs.
5.3 Scenario 3: ISP deployment
Consider an ISP providing a global RP service to its customers. The
ISP decided to use embedded-RP technology for this RP. Every
customers having configured a DHCPv6 server would like to assign IPv6
multicast addresses based on the RP of their ISP. The problem is to
avoid overlap between addresses assigned by every DHCPv6 servers.
In this scenario, the ISP having configured an RP would allocate a
range of IPv6 multicast addresses based on its RP to every customer
having subscribed for the service (as explained in section 5.2 of
Embedded-RP [11]). This allocation could be typically hand-off
allocation, as it is done between ISP and big customers (not
end-users at home) for unicast or could be done with DHCPv6 prefix
delegation as explained in this document. This way, every DHCPv6
server is then configured with a different multicast address range,
all matching the same RP. This means that ISPs need to allocate IPv6
multicast addresses to their customers, as they do today for IPv6
unicast. Address allocation architectures are exactly the same.
Nevertheless, we can note that any customer could deploy its own
embedded-RP rather than using the one of its ISP, which simplifies
this scenario.
6. Security considerations
The security considerations related to the DHCPv6 protocol are
discussed in the security considerations section of [8].
Durand Expires August 19, 2005 [Page 9]
Internet-Draft IPv6 multicast address assignment with DHCPv6 February 2005
7. Acknowledgement
The author would like to thank Bernard Tuy, Stig Venaas, Christian
Strauf, Pekka Savola and Dave Thaler for their good contributions to
this memo. The author would also like to thank Ralph Droms who took
time to consider the IPv6 multicast assignment problem and introduced
the concept of the identity association for IPv6 multicast addresses.
The author would also like to thank all the people having worked on
the 6NET Deliverable 3.4.3 [12], which was the initial document that
raised the complete problematic of IPv6 multicast address assignment.
Pekka Savola, Dave Thaler, Stig Venaas and Bernard Tuy have
contributed to better state the problem and mention why the proposal
is of interest.
8. Discussions
Here are the current discussions and questions about this document:
o Timers could be specified with a new DHCPv6 option rather than
overloading the timers of the address
o If the server cannot assign addresses for the required scopes, it
could assign an address in any other scope it is configured for.
9. Changes from -00
o Clarification of the need for the proposal
o The multicast address assignment state of the art is now let to
ID.draft-ietf-mboned-addrarch [13].
o IPv6 multicast prefix delegation is now supported by this
mechanism, from comments received in IETF 60th.
10. References
10.1 Normative references
[1] S. Bradner, "Key words for use in RFCs to Indicate Requirement
Levels", RFC 2119, March 1997.
[2] S. Hanna, B. Patel and M. Shah, "Multicast Address Dynamic
Client Allocation Protocol (MADCAP)", RFC 2970, December 1999.
[3] R. Finlayson, "An Abstract API for Multicast Address
Durand Expires August 19, 2005 [Page 10]
Internet-Draft IPv6 multicast address assignment with DHCPv6 February 2005
Allocation", RFC 2771, February 2000.
[4] M. Handley, C. Perkins and E. Whelan, "Session Announcement
Protocol (SAP)", RFC 2974, October 2000.
[5] D. Meyer and P. Lothberg, "GLOP Addressing in 233/8", RFC 3180,
September 2001.
[6] B. Haberman and D. Thaler, "Unicast-Prefix-based IPv6 Multicast
Addresses", RFC 3306, August 2002.
[7] B. Haberman, "Allocation Guidelines for IPv6 Multicast
Addresses", RFC 3307, August 2002.
[8] R. Droms, J. Bound, B. Volz, T. Lemon, C. Perkins and M.
Carney, "Dynamic Host Configuration Protocol for IPv6
(DHCPv6)", RFC 3315, July 2003.
[9] R. Hinden and S. Deering, "Internet Protocol Version 6 (IPv6)
Addressing Architecture", RFC 3513, April 2003.
[10] O. Troan, R. Droms, "IPv6 Prefix Options for Dynamic Host
Configuration Protocol (DHCP) version 6", RFC 3633, December
2003.
[11] P. Savola and B. Haberman, "Embedding the Rendezvous Point (RP)
Address in an IPv6 Multicast Address", November 2004.
10.2 Informative references
[12] 6NET project partners, "6NET D3.4.3 - IPv6 multicast address
allocation study", May 2003.
[13] P. Savola, "Overview of the Internet Multicast Addressing
Architecture", November 2004.
[14] J. Durand and P. Savola, "RA for IPv6 multicast prefixes",
February 2005.
Durand Expires August 19, 2005 [Page 11]
Internet-Draft IPv6 multicast address assignment with DHCPv6 February 2005
Author's Address
Jerome Durand
GIP RENATER
151 Bd de l'Hopital
Paris 75013
France
Phone: +33 1 53 94 20 30
EMail: Jerome.Durand@renater.fr
Durand Expires August 19, 2005 [Page 12]
Internet-Draft IPv6 multicast address assignment with DHCPv6 February 2005
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the IETF's procedures with respect to rights in IETF Documents can
be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
Converting IPv4 addresses to IPv6 addresses
Converting IPv4 addresses to IPv6 addresses
-------------------------------------------
Here's a cool tool for doing it in windows:
http://www.softpedia.com/get/Network-Tools/IP-Tools/IPConvert.shtml
Here's the main ipv6 website:
http://www.ipv6.org
There's a good read at Microsfoft on tcp/ip
fundamentals and subnetting:
http://www.microsoft.com/technet/itsolutions/network/evaluate/
technol/tcpipfund/tcpipfund_ch04.mspx#EEIAG
Here are some OpenBSD related sites:
http://www.inet6.dk/config/openbsd.html
http://www.sans.org/reading_room/whitepapers/firewalls/807.php
I'm sure there are scads more. Google is your friend! ;)
Here are a few more, more general or linux:
http://enterprisenetworkingplanet.com/netsp/article.php/3634596
http://enterprisenetworkingplanet.com/netsp/article.php/3629546
http://enterprisenetworkingplanet.com/netsp/article.php/3633211
The examples below are pretty simple Class C
network examples. I put several sequential
addresses in order to show the progression
in IPv6 notation.
--------------------------------------------
IPV4 Address: 192.168.1.100
IPV6 Address:
IPv6 Full Address
0000:0000:0000:0000:0000:0000:C0A8:0164
IPv6 Shorthand Adress:
::C0A8:0164
IPv6 & Dot Notation Full Address:
0000:0000:0000:0000:0000:0000:192.168.1.100
IPv6 & Dot Notation Shorthand Adress:
192.168.1.100
--------------------------------------------
--------------------------------------------
IPV4 Address: 192.168.1.101
IPV6 Address:
IPv6 Full Address
0000:0000:0000:0000:0000:0000:C0A8:0165
IPv6 Shorthand Adress:
::C0A8:0165
IPv6 & Dot Notation Full Address:
0000:0000:0000:0000:0000:0000:192.168.1.101
IPv6 & Dot Notation Shorthand Adress:
192.168.1.101
--------------------------------------------
--------------------------------------------
IPV4 Address: 192.168.1.102
IPV6 Address:
IPv6 Full Address
0000:0000:0000:0000:0000:0000:C0A8:0166
IPv6 Shorthand Adress:
::C0A8:0166
IPv6 & Dot Notation Full Address:
0000:0000:0000:0000:0000:0000:192.168.1.102
IPv6 & Dot Notation Shorthand Adress:
192.168.1.102
--------------------------------------------
--------------------------------------------
IPV4 Address: 192.168.1.103
IPV6 Address:
IPv6 Full Address
0000:0000:0000:0000:0000:0000:C0A8:0167
IPv6 Shorthand Adress:
::C0A8:0167
IPv6 & Dot Notation Full Address:
0000:0000:0000:0000:0000:0000:192.168.1.103
IPv6 & Dot Notation Shorthand Adress:
192.168.1.103
--------------------------------------------
--------------------------------------------
IPV4 Address: 192.168.1.104
IPV6 Address:
IPv6 Full Address
0000:0000:0000:0000:0000:0000:C0A8:0168
IPv6 Shorthand Adress:
::C0A8:0168
IPv6 & Dot Notation Full Address:
0000:0000:0000:0000:0000:0000:192.168.1.104
IPv6 & Dot Notation Shorthand Adress:
192.168.1.104
----------------------
-------------------------------------------
Here's a cool tool for doing it in windows:
http://www.softpedia.com/get/Network-Tools/IP-Tools/IPConvert.shtml
Here's the main ipv6 website:
http://www.ipv6.org
There's a good read at Microsfoft on tcp/ip
fundamentals and subnetting:
http://www.microsoft.com/technet/itsolutions/network/evaluate/
technol/tcpipfund/tcpipfund_ch04.mspx#EEIAG
Here are some OpenBSD related sites:
http://www.inet6.dk/config/openbsd.html
http://www.sans.org/reading_room/whitepapers/firewalls/807.php
I'm sure there are scads more. Google is your friend! ;)
Here are a few more, more general or linux:
http://enterprisenetworkingplanet.com/netsp/article.php/3634596
http://enterprisenetworkingplanet.com/netsp/article.php/3629546
http://enterprisenetworkingplanet.com/netsp/article.php/3633211
The examples below are pretty simple Class C
network examples. I put several sequential
addresses in order to show the progression
in IPv6 notation.
--------------------------------------------
IPV4 Address: 192.168.1.100
IPV6 Address:
IPv6 Full Address
0000:0000:0000:0000:0000:0000:C0A8:0164
IPv6 Shorthand Adress:
::C0A8:0164
IPv6 & Dot Notation Full Address:
0000:0000:0000:0000:0000:0000:192.168.1.100
IPv6 & Dot Notation Shorthand Adress:
192.168.1.100
--------------------------------------------
--------------------------------------------
IPV4 Address: 192.168.1.101
IPV6 Address:
IPv6 Full Address
0000:0000:0000:0000:0000:0000:C0A8:0165
IPv6 Shorthand Adress:
::C0A8:0165
IPv6 & Dot Notation Full Address:
0000:0000:0000:0000:0000:0000:192.168.1.101
IPv6 & Dot Notation Shorthand Adress:
192.168.1.101
--------------------------------------------
--------------------------------------------
IPV4 Address: 192.168.1.102
IPV6 Address:
IPv6 Full Address
0000:0000:0000:0000:0000:0000:C0A8:0166
IPv6 Shorthand Adress:
::C0A8:0166
IPv6 & Dot Notation Full Address:
0000:0000:0000:0000:0000:0000:192.168.1.102
IPv6 & Dot Notation Shorthand Adress:
192.168.1.102
--------------------------------------------
--------------------------------------------
IPV4 Address: 192.168.1.103
IPV6 Address:
IPv6 Full Address
0000:0000:0000:0000:0000:0000:C0A8:0167
IPv6 Shorthand Adress:
::C0A8:0167
IPv6 & Dot Notation Full Address:
0000:0000:0000:0000:0000:0000:192.168.1.103
IPv6 & Dot Notation Shorthand Adress:
192.168.1.103
--------------------------------------------
--------------------------------------------
IPV4 Address: 192.168.1.104
IPV6 Address:
IPv6 Full Address
0000:0000:0000:0000:0000:0000:C0A8:0168
IPv6 Shorthand Adress:
::C0A8:0168
IPv6 & Dot Notation Full Address:
0000:0000:0000:0000:0000:0000:192.168.1.104
IPv6 & Dot Notation Shorthand Adress:
192.168.1.104
----------------------
How To Setup IPv6
Introduction
************
IPv6 (Internet Protocol Version 6) is the successor, respectively the
replacement, of the current version Internet Protocol, IPv4. The main
problem using IPv4 is the growing shortage of IPv4 Addresses caused by
the growing number of machines added to the internet.
IPv6 fixes a number of problems in IPv4, such as the limited number of
available IPv4 addresses. It also adds many improvements to IPv4 in areas
such as routing and network autoconfiguration. IPv6 is expected to
gradually replace IPv4, with the two coexisting for a number of years
during a transition period.
For this reason ePages supports IPv6 in version 6.0.6 and higher.
Requirements
************
- ePages 6.0.6 or higher
- License containing IPv6 address
- Linux kernel 2.6
- Windows 2003 Server 32 Bit or Windows 2008 Server
Prerequisites - Linux
=====================
- Check if the network interface supports IPv6:
ip -6 addr show
If command returns nothing or an error occurs, ask your system
administrator to add the IPv6 network interface (ip -6 addr add ...).
- Check if the firewall allows IPv6 connections:
PATH=$PATH:/usr/sbin:/sbin iptables -L
If not, ask your system administrator to change the firewall settings.
- If you use your own web server (not the web server that comes with
ePages) and you want to use IPv6 for the web server, check the Listen
directive in the configuration file (usually httpd.conf). Use 'Listen
80' (or other port), not 'Listen 0.0.0.0:80' (then only IPv4 is supported).
Prerequisites - Windows
=======================
- Enable IPv6 in Windows OS:
Control Panel -> Network Connections -> Local Area Connection -> Properties
-> Install... -> Protocol (Add) -> Microsoft TCP/IP version 6
- Check if the firewall allows IPv6 connections:
Control Panel -> Windows Firewall
- The IIS has to be unconnected or assigned to the correct IPv6 address if the
IIS should run with IPv6:
Administrative Tools -> IIS Manager -> Default Web Site
-> IP Address (All Unassigned)
IPv6 Activation
***************
Activate IPv6 either in the setup process or after the setup
process. Windows only supports IPv6 activation after setup, skip to the
respective section.
IPv6 Activation in Setup - Linux
================================
This section shows how to IPv6 during the setup. This works only for
Linux, not for Windows. See section 'IPv6 Activation after Setup' if you
want to enable IPv6 in ePages on Windows.
Enable IPv6 by customizing your install.cnf file prior the installation
process. You can skip the section
"Post Installation" then.
- The installation is defined in "install.cnf".
- Append either ":ip6" to the hostname entry (the hostname has to be resolvable
to an IPv6 address) or use an IPv6 address directly.
- If IPv6 doesn't work on this machine the installation starts using IPv4.
- If <hostname>:ip6 doesn't resolve to an IPv6 address the installation routine
will try to get an IPv4 address for that hostname and use that one.
- If that fails too the address ::1 will be used.
IPv6 Activation After Setup
===========================
Environment Variables
---------------------
Windows:
Set EPAGES_ENABLE_IPv6=1. The environment variable EPAGES_IPLIST must
contain the IPv6 address or the hostname (whether you use IPv6
addresses or hostnames in Webinterface.conf) if EPAGES_IPBINDING is
set.
- Click the right mouse key on the "My computer" icon.
- Choose "Properties".
- On the tab "Advanced" click "Environment variables".
- To create the variable click "New", then enter name (EPAGES_ENABLE_IPv6)
and value (1) and save with "OK".
- If the environment variable already exists, choose the variable from
the list, click "Edit", enter the new value (1) and save with "OK".
- Change EPAGES_IPLIST in the same way (if necessary).
- Reboot the server to take effect of the new variable.
Linux:
Set EPAGES_ENABLE_IPv6=1. The environment variable LOCAL_IPS must
contain the IPv6 address or the hostname (whether you use IPv6
addresses or hostnames in Webinterface.conf) if IP_BINDING is set.
- Add line "export EPAGES_ENABLE_IPv6=1" to the configuration file
"/etc/default/epages6".
- Change EPAGES_IPLIST in "/etc/default/epages6" if necessary.
If EPAGES_ENABLE_IPv6 is unset or 0, application server and request
router only support IPv4. In this case, if application server or request
router are configured to IPv6 in WebInterface.conf, errors will occur.
Host Names and Addresses
------------------------
If a host name is resolved to both IPv4 and IPv6, then the IPv6 address
is used if EPAGES_ENABLE_IPv6=1, otherwise the IPv4 address.
In Windows, "localhost" is resolved to both 127.0.0.1 and ::1.
In Linux, "localhost" is resolved to 127.0.0.1 and "ipv6-localhost" is
resolved to ::1.
If IP binding isn't used, a server can be connected with IPv6 and IPv4
clients if the server is set to IPv6 and has an IPv4 address too.
WebInterface.conf
-----------------
All IPv4 addresses can be replaced by IPv6 addresses or relevant host
names. The hostname must be short (without ".") or the result of the
command `hostname --fqdn`.
In section "URLRewrite", line ExceptionHost, an IPv6 address has to be
added in squared brackets, e.g.:
[URLRewrite]
ExceptionHost=shop.domain.ex [2001:4bd8:2:2:213:d3ff:fe62:f1f0]
When using IP-Masks the part of the IP following the wildcard ("*") will
be truncated and is considered as the beginning of the IP to be
tested. IPv6 masks must be written in short form, i.e.:
- Left-hand zeros have to be written
- Zero blocks have to be shorten to ::
In case of a mixed IPv4/IPv6 communication beside the IPv4 mask the IPv4
mask in IPv6 notation must also exist, e.g. ::ffff:172.20.24.*.
If you use host names in WebInterface.conf, the corresponding IP entry or
IP mask must also exit.
Host masks as follows are not allowed: [*.epages.de]
epages.conf
-----------
IPv6 addresses can be entered in addition to IPv4 addresses and domain names.
Sybase Configuration
--------------------
Thy Sybase interfaces file (Linux: $SYBASE/interfaces; Windows:
%SYBASE%\ini\sql.ini) may contain IPv4 addresses, IPv6 addresses or host
names.
For Windows, Sybase recommends to use IPv6 addresses instead of host names, see
http://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.dc38421_1500/html/ntconfig/X36043.htm.
Hostnames will be resolved to IPv4 addresses on Windows, i.e. IPv4 is
used if host names are entered in "sql.ini".
If you want to support IPv4 and IPv6, you will need to have entries for
both protocols, e.g.:
DBServer
master tcp ether revival.sybase.com 17100
query tcp ether revival.sybase.com 17100
master tcp ether revival.v6.sybase.com 17100
query tcp ether revival.v6.sybase.com 17100
The "*.res" files in $Sybase/ASE-15_0 can contain IPv6 addresses.
Start ePages with IPv6
**********************
Windows hosts must be rebooted to take effect of the changes.
After starting ePages, check if the services run with IPv6:
Windows:
netstat -a -n | perl -ne "s/ +/ /g; /TCP.*LISTENING/ && print"
Linux:
netstat -tulpn
If the web server runs with IPv6, you can use the IPv6 address in square
brackets in the URL, e.g.:
http://[2001:4bd8:2:2:2e0:7dff:fe76:8613]:80/WebRoot/WebAdapterError.html
A Communication Mechanism between IPv4 and IPv6
Expires in six month K. Watanabe, Hitachi
Y. Atarashi, Hitachi
T. Miyamoto, Hitachi
K. Yamamoto, NAIST
J. Murai, Keio University
A Communication Mechanism between IPv4 and IPv6
<draft-tsuchiya-ipv4-ipv6-translator-00.txt>
Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as ``work in
progress.''
To learn the current status of any Internet-Draft, please check the
``1id-abstracts.txt'' listing contained in the Internet-Drafts
Shadow Directories on ds.internic.net (US East Coast), nic.nordu.net
(Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
Rim).
Abstract
In the late stage of the transition from IPv4 to IPv6, IPv4 lands
are interconnected by IPv6 ocean and it is necessary for an IPv4
node and an IPv6 to communicate directly. This memo proposes a
mechanism to enable such direct communication with extension name
servers, an address mapper, and translators for each IPv4 land.
1. Introduction
RFC1933 [TRANS-MECH] proposed mechanisms to transit IPv4 [IPv4] to
IPv6 [IPv6], including dual stack and tunneling, for the early
stage. IPv6 nodes are assumed to have IPv4 stack and IPv4 addresses.
In the late stage of the transition, however, the space of IPv4
Tsuchiya draft-tsuchiya-ipv4-ipv6-translator-00.txt [Page 1]
INTERNET-DRAFT November 1997
address will be exhausted. So, an IPv4 address cannot be assigned to
dual-stack hosts. Moreover, IPv6-only hosts will appear for cost
reasons. It is expected that IPv4 hosts will retain for a long time,
even after appearance of IPv6-only hosts. Therefore, it is highly
desired to develop a mechanism to enable a communication between an
IPv4 host and an IPv6 host directly.
Though a header conversion mechanism is defined in [HDRCNV],
interaction for an IPv4 host, an IPv6 host, a header conversion
router, and name servers is not mentioned. This memo describes an
entire scheme of direct communications between IPv4 hosts and IPv6
hosts. The scheme is applicable to environments where there are
multiple name servers and multiple site boundary routes thanks to
one "address mapper". It is not necessary to modify IPv4 hosts and
IPv6 hosts.
This document uses the words defined in [IPV4], [IPV6], and
[TRANS-MECH].
2. Components
In the late stage of the transition, IPv4 "land"s are interconnected
by IPv6 "ocean". A set of IPv4-only nodes in an organization is an
example of IPv6 island.
The proposed system consists of extension name servers, one address
mapper, and translators. To implement communication between IPv4
nodes and IPv6 nodes, each IPv4 island needs to install such
components.
Extension name servers have both IPv4 stack and IPv6 stack and
provides name service to IPv4 nodes and IPv6 nodes. Translators also
have dual-stack functionality and translates "language" of IPv4
nodes and that of IPv6 nodes. The address mapper is communicates
only with the extension name servers and the translators.
Tsuchiya draft-tsuchiya-ipv4-ipv6-translator-00.txt [Page 2]
INTERNET-DRAFT November 1997
Figure 1 illustrates an IPv4 land which installed the proposed
system.
+---------+ +-------- //
|IPv4 node| |
+----+----+ |
| |
+------+------+ |
| | |
|An IPv4 land | | IPv6 ocean
| | |
| | +------------------------+ | +---------+
| +--+ extension name servers +--+ |IPv6 node|
| | +------------+-----------+ | +---------+
| | | |
| | +------------+-----------+ | +---------+
| | | one address mapper | | |IPv6 node|
| | +------------+-----------+ | +---------+
| | | |
| | +------------+-----------+ | +---------+
| +--+ translators +--+ |IPv6 node|
| | +------------------------+ | +---------+
| | |
+------+------+ |
| |
+----+----+ |
|IPv4 node| +-------- //
+---------+
Figure 1
2.1 Translator between IPv4 and IPv6
The followings are examples of Translator between IPv4 and IPv6.
(1) Proxy gateway
An proxy gateway locates between an IPv4 host and an IPv6 host
and establishes both an IPv4 connection to the IPv4 host and an
IPv6 connection to the IPv6 host. The proxy gateway relays data
from the IPv4 host to the IPv6 host and vice versa.
(2) Header conversion router
A header conversion router locates between an IPv4 host and an
Tsuchiya draft-tsuchiya-ipv4-ipv6-translator-00.txt [Page 3]
INTERNET-DRAFT November 1997
IPv6 host. When the router receives an IPv4 packet, the router
converts its IPv4 header to an IPv6 header then forwards it.
When the router receives an IPv6 packet, the router converts its
IPv6 header to an IPv4 header then fragments the packet if
necessary and forwards it.
2.2 Extension Name Server
Extension name servers returns a "proper" answer in a response to
IPv4 node's request or IPv6 node's request.
An IPv4 node typically requests one of extension name servers to
resolve 'A' record correspond to a host name. If 'A' record is
resolved, the server returns it. If only 'AAAA' record is available,
the server requests an address mapper to assign one IPv4 address
correspond to its IPv6 address. Then the server returns the assigned
IPv4 address to the IPv4 node.
An IPv6 node typically requests one of extension name servers to
resolve 'AAAA' record correspond to a host name. If 'AAAA' record is
resolved, the server returns it. If only 'A' record is available,
the server requests the address mapper to assign one IPv6 address
correspond to its IPv4 address. Then the server returns the assigned
IPv6 address to IPv6 node.
2.3 Address Mapper
An address mapper maintains an IPv4 address spool and an IPv6
address spool. An example of the IPv4 address spool is private
addresses(e.g number 10). An example of the IPv6 address spool is a
part of IPv6 space assigned to the organization where the IPv4 land
locates inside.
When an extension name server or a translator requests one IPv6
address for an IPv4 address, the address mapper selects one IPv6
address from the IPv6 address spool and returns it.
When an extension name server or a translator requests one IPv4
address for an IPv6 address, the address mapper selects one IPv4
address from the IPv4 address spool and returns it.
3. Interaction Examples
The following subsection explains communication from an IPv4 node to
an IPv6 node and communication from an IPv6 node to an IPv4 node,
respectively.
Tsuchiya draft-tsuchiya-ipv4-ipv6-translator-00.txt [Page 4]
INTERNET-DRAFT November 1997
3.1 Communication from an IPv4 node to an IPv6 node
This subsection describes communication between an IPv4 node called
"host4" and an IPv6 node called "host6". The communication is
triggered by "host4".
"host4" sends a query to an extension name server to resolves 'A'
record for "host6".
The extension name server tries resolving both 'A' record and 'AAAA'
record for "host6" but only 'AAAA' record is resolved. Then the
server requests an address mapper to assign one IPv4 address
correspond to the IPv6 address.
The address mapper selects one IPv4 address out of its IPv4 address
spool and returns it to the server.
The server creates 'A' record for the assigned IPv4 address and
returns it to "host4".
"host4" sends IPv4 data to "host6".
The IPv4 data reaches a translator. The translator tries translating
the IPv4 data to IPv6 data but does not know how to translate. (For
example, a proxy gateway cannot create an IPv6 connection to "host6"
since the IPv6 address of "host6" is not available.) So, the
translator requests the mapper to tell mapping entries for the IPv4
source address and the IPv4 destination address.
The mapper looks up its mapping table with the IPv4 destination
address and finds one IPv6 address for it. Then the mapper looks up
its mapping table with the IPv4 source address. In this case, there
is not a mapping entry so the mapper selects one IPv6 address for
the IPv4 source address. Finally, the mapper returns a pair of the
IPv6 source address and the IPv6 destination address to the
translator.
The translator translates the IPv4 data to IPv6 data. (For example,
the proxy gateway creates one IPv6 connection to "host6" and relay
the IPv4 data.)
The IPv6 data reaches "host6". "host6" sends new IPv6 data to
"host4".
The IPv6 data reaches the translator. This time the translator has
mapping entries for the IPv6 source address and the IPv6 destination
Tsuchiya draft-tsuchiya-ipv4-ipv6-translator-00.txt [Page 5]
INTERNET-DRAFT November 1997
address. The translator translates the IPv6 data to IPv4 data. (For
example, the proxy gateway just relays the data.)
The IPv4 data reaches "host4".
The following diagram illustrates the interaction above:
IPv4 extension address translator IPv6
node name server mapper node
"host4" "host6"
Resolve an IPv4 address for host6
---> Query of 'A' record for "host6".
only 'AAAA' record is resolved.
---> Request one IPv4 address correspond to
the IPv6 address.
Assign on IPv4 address.
<--- Reply with the IPv4 address.
Create 'A' record for the IPv4 address.
<--- Reply with the 'A' record.
Tsuchiya draft-tsuchiya-ipv4-ipv6-translator-00.txt [Page 6]
INTERNET-DRAFT November 1997
IPv4 extension address translator IPv6
node name server mapper node
"host4" "host6"
Send data to host6
=============================> IPv4 data
Try translating but don't
know how to translate it.
<--- Request IPv6 addresses
corresond to the IPv4 source
address and to the IPv4
destination address.
One IPv6 address correspond to the IPv4
destination address is already
available. Assign one IPv6 address for
the IPv4 source address.
---> Reply with the IPv6 source
address and the IPv6
destination address.
Translate IPv4 to IPv6.
===> IPv6 data
Reply data to
host4
<=== IPv6 data
Translate IPv6 to IPv4
<============================== IPv6 data
3.2 Communication from an IPv6 node to an IPv4 node
In a case where communication is triggered by "host6", its query to
resolve 'AAAA' record for "host4" is eventually delivered to one of
extension name servers. After interaction is symmetric to the case
described in Sention 3.1.
Tsuchiya draft-tsuchiya-ipv4-ipv6-translator-00.txt [Page 7]
INTERNET-DRAFT November 1997
4. Security Consideration
Header conversions of AH [AH] and ESP [ESP] are cryptographically
impossible. This is a big disadvantage of header conversion router
approach. On the other hand, it is possible to use AH and ESP in
proxy gateway approach.
5. References
[AH] Stephen Kent and Randall Atkinson, "IP Authentication Header",
Internet-Draft, July 1997.
[ESP] Stephen Kent and Randall Atkinson, "IP Encapsulating Security
Payload (ESP)", Internet-Draft, July 1997.
[HDRCNV] Erik Nordmark, "IPv4/IPv6 Stateless Header Translator",
Inernet-Draft, July 1997.
[IPV4] J. Postel, "Internet Protocol", RFC 791, September 1981.
[IPV6] S. Deering and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", RFC 1883, January 1996.
[TRANS-MECH] R. Gilligan and E. Nordmark, "Transition Mechanisms for
IPv6 Hosts and Routers", RFC 1933, April 1996.
10. Author's Addresses
Kazuaki TSUCHIYA
Hitachi, Ltd.
Hitachi Systemplaza Shinkawasaki
890 Kashimada, Saiwai, Kawasaki, 211 Japan
Phone: +81-44-549-1714
Fax: +81-44-549-1721
Email: tsuchi@isrd.hitachi.co.jp
Munechika SUMIKAWA
Office Systems Division, Hitachi, Ltd.
810 Shimoimaizumi, Ebina-shi 243-04 JAPAN
Phone: +81-462-35-2111
FAX: +81-462-35-8325
EMail: sumikawa@ebina.hitachi.co.jp
Tsuchiya draft-tsuchiya-ipv4-ipv6-translator-00.txt [Page 8]
INTERNET-DRAFT November 1997
Ken WATANABE
Hitachi, Ltd.
Hitachi Systemplaza Shinkawasaki
890 Kashimada, Saiwai, Kawasaki, 211 Japan
Phone: +81-44-549-1714
Fax: +81-44-549-1721
Email: nabeken@isrd.hitachi.co.jp
Yoshifumi ATARASHI
Office Systems Division, Hitachi, Ltd.
810 Shimoimaizumi, Ebina-shi 243-04 JAPAN
Phone: +81-462-35-2111
FAX: +81-462-35-8325
EMail: atarashi@ebina.hitachi.co.jp
Takahisa MIYAMOTO
Hitachi, Ltd.
Hitachi Systemplaza Shinkawasaki
890 Kashimada, Saiwai, Kawasaki, 211 Japan
Phone: +81-44-549-1714
Fax: +81-44-549-1721
Email: t-miyamo@isrd.hitachi.co.jp
Kazu YAMAMOTO
Nara Institute of Science and Technology
8916-5 Takayama, Ikoma City 630-01 JAPAN
Phone: +81-7437-2-5322
FAX: +81-7437-2-5329
EMail: Kazu@Mew.org
Jun MURAI
Keio University
5322 Endo, Fujisawa 252 JAPAN
Phone: +81-466-47-5111
Fax: +81-466-49-1101
EMail: jun@wide.ad.jp
Use of VLANs for IPv4-IPv6 Coexistence in Enterprise Networks
Network Working Group T. Chown
Request for Comments: 4554 University of Southampton
Category: Informational June 2006
Use of VLANs for IPv4-IPv6 Coexistence in Enterprise Networks
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
Ethernet VLANs are quite commonly used in enterprise networks for the
purposes of traffic segregation. This document describes how such
VLANs can be readily used to deploy IPv6 networking in an enterprise,
which focuses on the scenario of early deployment prior to
availability of IPv6-capable switch-router equipment. In this
method, IPv6 may be routed in parallel with the existing IPv4 in the
enterprise and delivered at Layer 2 via VLAN technology. The IPv6
connectivity to the enterprise may or may not enter the site via the
same physical link.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Enabling IPv6 per Link . . . . . . . . . . . . . . . . . . . . 3
2.1. IPv6 Routing over VLANs . . . . . . . . . . . . . . . . . 3
2.2. One VLAN per Router Interface . . . . . . . . . . . . . . 4
2.3. Collapsed VLANs on a Single Interface . . . . . . . . . . 4
2.4. Congruent IPv4 and IPv6 Subnets . . . . . . . . . . . . . 5
2.5. IPv6 Addressing . . . . . . . . . . . . . . . . . . . . . 5
2.6. Final IPv6 Deployment . . . . . . . . . . . . . . . . . . 5
3. Example VLAN Topology . . . . . . . . . . . . . . . . . . . . . 6
4. Security Considerations . . . . . . . . . . . . . . . . . . . . 7
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7
6. Informative References . . . . . . . . . . . . . . . . . . . . 7
Appendix A. Configuration Example . . . . . . . . . . . . . . . . 8
Chown Informational [Page 1]
RFC 4554 VLANs for IPv4-IPv6 Coexistence June 2006
1. Introduction
Ethernet VLANs are quite commonly used in enterprise networks for the
purposes of traffic segregation. This document describes how such
VLANs can be readily used to deploy IPv6 networking in an enterprise,
including the scenario of early deployment prior to availability of
IPv6-capable switch-router equipment, where IPv6 may be routed in
parallel with the existing IPv4 in the enterprise and delivered to
the desired LANs via VLAN technology.
It is expected that in the long run, sites migrating to dual-stack
networking will either upgrade existing switch-router equipment to
support IPv6 or procure new equipment that supports IPv6. If a site
already has production routers deployed that support IPv6, the
procedures described in this document are not required. In the
interim, however, a method is required for early IPv6 adopters that
enables IPv6 to be deployed in a structured, managed way to some or
all of an enterprise network that currently lacks IPv6 support in its
core infrastructure.
The IEEE 802.1Q VLAN standard allows separate LANs to be deployed
over a single bridged LAN, by inserting "Virtual LAN" tagging or
membership information into Ethernet frames. Hosts and switches that
support VLANs effectively allow software-based reconfiguration of
LANs through configuration of the tagging parameters. The software
control means that VLANs can be used to alter the LAN infrastructure
without having to physically alter the wiring between the LAN
segments and Layer 3 routers.
Many IPv4 enterprise networks are utilising VLAN technology. Where a
site does not have IPv6-capable Layer 2/3 switch-router equipment,
but VLANs are supported, a simple yet effective method exists to
gradually introduce IPv6 to some or all of that site's network, in
advance of the site's core infrastructure having dual-stack
capability.
If such a site wishes to introduce IPv6, it may do so by deploying a
parallel IPv6 routing infrastructure (which is likely to be a
different platform to the site's main infrastructure equipment, i.e.,
one that supports IPv6 where the existing equipment does not), and
then using VLAN technology to "overlay" IPv6 links onto existing IPv4
links. This can be achieved without needing any changes to the IPv4
configuration. The VLANs don't need to differentiate between IPv4
and IPv6; the deployment is just dual-stack, as Ethernet is without
VLANs.
Chown Informational [Page 2]
RFC 4554 VLANs for IPv4-IPv6 Coexistence June 2006
The IPv4 default route to the VLAN is provided by one (IPv4) router,
while the IPv6 default route to the VLAN is provided by a different
(IPv6) router. The IPv6 router can provide native IPv6 connectivity
to the whole site with just a single physical interface, thanks to
VLAN tagging and trunking, as described below.
The IPv6 connectivity to the enterprise may or may not enter the site
via the same physical link as the IPv4 traffic, and may be native or
tunneled from the external provider to the IPv6 routing equipment.
This VLAN usage is a solution adopted by a number of sites already,
including that of the author.
It should be noted that a parallel infrastructure will require
additional infrastructure and thus cost, and will often require a
separate link into the site (from an IPv6 provider), quite possibly
tunneled, that will require the site's security policy to be applied
(e.g., firewalling and intrusion detection). For sites that believe
early adoption of IPv6 is important, that price is one they may be
quite willing to pay. However, this document focuses on the
technical issues of VLAN usage in such a scenario.
2. Enabling IPv6 per Link
The precise method by which IPv6 would be "injected" into the
existing IPv4 network is deployment specific. For example, perhaps a
site has an IPv4-only router, connected to an Ethernet switch that
supports VLANs and a number of hosts connected to that VLAN. Let's
further assume that the site has a dozen of these setups that it
wishes to IPv6-enable immediately. This could be done by upgrading
the twelve routers to support IPv6, and turning IPv6 on those
routers. However, this may not be practical for various reasons.
The simplest approach would be to connect an IPv6 router with one
interface to an Ethernet switch, and connect that switch to other
switches, and then use VLAN tags between the switches and the IPv6
router to "reach" all the IPv4-only subnets from the IPv6 router.
Thus, the general principle is that the IPv6 router device (e.g.,
performing IPv6 Router Advertisements [1] in the case of stateless
autoconfiguration) is connected to the target link through the use of
VLAN-capable Layer 2 equipment.
2.1. IPv6 Routing over VLANs
In a typical scenario where connectivity is to be offered to a number
of existing IPv6 internal subnets, one IPv6 router could be deployed,
with both an external interface and one or more internal interfaces.
The external interface connects to the wider IPv6 internet, and may
Chown Informational [Page 3]
RFC 4554 VLANs for IPv4-IPv6 Coexistence June 2006
be dual-stack if some tunnel mechanism is used for external
connectivity, or IPv6-only if a native external connection is
available.
The internal interface(s) can be connected directly to a VLAN-capable
switch. It is then possible to write VLAN tags on the packets sent
from the internal router interface based on the target IPv6 link
prefix. The VLAN-tagged traffic is then transported across the
internal VLAN-capable site infrastructure to the target IPv6 links
(which may be dispersed widely across the site network).
Where the IPv6 router is unable to VLAN-tag the packets, a protocol-
based VLAN can be created on the VLAN-capable device connected to the
IPv6 router, causing IPv6 traffic to be tagged and then redistributed
on (congruent) IPv4 subnet links that lie in the same VLAN.
2.2. One VLAN per Router Interface
The VLAN marking may be done in different ways. Some sites may
prefer to use one router interface per VLAN; for example, if there
are three internal IPv6 links, a standard PC-based IPv6 router with
four Ethernet ports could be used, one for the external link and
three for the internal links. In such a case, one switch port would
be needed per link, to receive the connectivity from each router
port.
In such a deployment, the IPv6 routing could be cascaded through
lower-tier internal IPv6-only routers. Here, the internal-facing
ports on the IPv6 edge router may feed other IPv6 routers over IPv6-
only links, which in turn inject the IPv6 connectivity (the stub
links using 64-bit subnet prefixes and associated Router
Advertisements) into the VLANs.
2.3. Collapsed VLANs on a Single Interface
Using multiple IPv6 routers and one port per IPv6 link (i.e., VLAN)
may be unnecessary. Many devices now support VLAN tagging based on
virtual interfaces such that multiple IPv6 VLANs could be assigned
(trunked) from one physical router interface port. Thus, it is
possible to use just one router interface for "aggregated" VLAN
trunking from a switch. This is a far more interesting case for a
site planning the introduction of IPv6 to (part of) its site network.
This approach is viable while the IPv6 traffic load is light. As
traffic volume grows, the single collapsed interface could be
extended to utilise two or more physical ports, where the capacity of
the IPv6 router device allows it.
Chown Informational [Page 4]
RFC 4554 VLANs for IPv4-IPv6 Coexistence June 2006
2.4. Congruent IPv4 and IPv6 Subnets
Such a VLAN-based technique can be used to deploy IPv6-only VLANs in
an enterprise network. However, most enterprises will be interested
in dual-stack IPv4-IPv6 networking.
In such a case, the IPv6 connectivity may be injected into the
existing IPv4 VLANs, such that the IPv4 and IPv6 subnets are
congruent (i.e., they coincide exactly when superimposed). Such a
method may have desirable administrative properties; for example, the
devices in each IPv4 subnet will be in the same IPv6 subnets also.
This is the method used at the author's site.
Furthermore, IPv6-only devices may be gradually added into the subnet
without any need to resize the IPv6 subnet (which may hold in effect
an infinite number of hosts in a /64 in contrast to IPv4 where the
subnet size is often relatively limited, or kept to a minimum
possibly due to address space usage concerns). The lack of
requirement to periodically resize an IPv6 subnet is a useful
administrative advantage for IPv6.
2.5. IPv6 Addressing
One site using this VLAN technique has chosen to number its IPv6
links with the format [Site IPv6 prefix]:[VLAN ID]::/64. The VLAN
tag is 16 bits, so this can work with a typical maximum 48-bit site
prefix. Linking the VLAN ID into a site's addressing scheme may not
fit topology and aggregation, and thus is not necessarily a
recommended addressing plan, but some sites may wish to consider its
usage.
2.6. Final IPv6 Deployment
The VLAN technique for IPv6 deployment offers a more structured
alternative to opportunistic per-host intra-site tunnelling methods
such as Intra-Site Automatic Tunnel Addressing Protocol ISATAP [2].
It has the ability to offer a simple yet efficient method for early
IPv6 deployment to an enterprise site.
When the site acquires IPv6-capable switch-router equipment, the
VLAN-based method can still be used for delivery of IPv6 links to
physical switch interfaces, just as it is commonly used today for
IPv4 subnets, but with a common routing infrastructure.
Chown Informational [Page 5]
RFC 4554 VLANs for IPv4-IPv6 Coexistence June 2006
3. Example VLAN Topology
The following figure shows how a VLAN topology may be used to
introduce IPv6 in an enterprise network, using a parallel IPv6
routing infrastructure and VLAN tagging.
External IPv6 Internet
|
|
IPv6 Access Router
|
|
Switch-router with VLAN support
|
|
+--------------+----------------+
|Site enterprise infrastructure |
| with support for VLANs |
+----+--------------------+-----+
| |
| |
VLAN switch A VLAN switch B
| | |
| | |
Subnet1 Subnet2 Subnet3
Figure 1: IPv6 deployment using VLANs (physical diagram)
In this scenario, the IPv6 access router has one physical port facing
toward the internal infrastructure. In this example, it need only be
IPv6-enabled, as its purpose is solely to handle IPv6 traffic for the
enterprise. The access router has an additional interface facing
toward the external infrastructure, which in this example could be
dual-stack if the external IPv6 connectivity is via a tunnel to an
IPv6 ISP.
A number of VLANs are handled by the internal-facing IPv6 router
port; in this case, IPv6 links Subnet1, Subnet2, Subnet3. The VLANs
are seen as logical subinterfaces of the physical interface on the
IPv6 access router, which is using the "collapsed VLAN" method
described above, tagging the inbound traffic with one of three VLAN
IDs depending on the target IPv6 Subnet prefix.
Chown Informational [Page 6]
RFC 4554 VLANs for IPv4-IPv6 Coexistence June 2006
The following figure shows how the IPv6 view of the deployment looks;
all IPv6 subnets are on-link to the IPv6 access router, whether or
not they share the same physical links over the VLAN infrastructure.
External IPv6 Internet
|
|
Site IPv6 Access Router
| | |
| | |
Subnet1 Subnet2 Subnet3
Figure 2: IPv6 view of the deployment (logical view)
In this example, the router acts as an IPv6 first-hop access router
to the physical links, separately from the IPv4 first-hop router.
This technique allows a site to easily "inject" native IPv6 into all
the links where a VLAN-capable infrastructure is available, enabling
partial or full IPv6 deployment on the wire in a site.
4. Security Considerations
There are no additional security considerations particular to this
method of enabling IPv6 on a link.
Where the IPv6 connectivity is delivered into the enterprise network
by a different path from the IPv4 connectivity, care should be given
that equivalent application of security policy (e.g., firewalling) is
made to the IPv6 path.
5. Acknowledgements
The author would like to thank colleagues on the 6NET project, where
this technique for IPv4-IPv6 coexistence is widely deployed, in
particular Pekka Savola (CSC/FUNET), but also including Janos Mohacsi
(Hungarnet), Martin Dunmore and Chris Edwards (Lancaster University),
Christian Strauf (JOIN Project, University of Muenster), and Stig
Venaas (UNINETT).
6. Informative References
[1] Narten, T., Nordmark, E., and W. Simpson, "Neighbor Discovery
for IP Version 6 (IPv6)", RFC 2461, December 1998.
[2] Templin, F., Gleeson, T., Talwar, M., and D. Thaler, "Intra-Site
Automatic Tunnel Addressing Protocol (ISATAP)", RFC 4214,
October 2005.
Chown Informational [Page 7]
RFC 4554 VLANs for IPv4-IPv6 Coexistence June 2006
Appendix A. Configuration Example
This section describes a configuration example for using a computer
running the FreeBSD variant of the Berkeley Software Distribution
(BSD) operating system as a router to deploy IPv6 networking across a
number of IPv6 links on an enterprise (in this case, six links), for
a scenario similar to the one described above. Here, the precise
configuration may of course vary depending on the existing site VLAN
deployment. This section highlights that the VLAN configuration must
be manually configured; the support is not "automatic".
In this example, the configuration is for an IPv6 BSD router
connected directly to a site's external IPv6 access router. The BSD
router has one interface (dc0) toward the site IPv6 access router,
and three interfaces (dc1, dc2, dc3) over which the internal routing
is performed (the number of interfaces can be varied; three are used
here to distribute the traffic load). The IPv6 documentation prefix
(2001:db8::/32) is used in the example.
--- Example IPv6 VLAN configuration, FreeBSD ---
#
# To IPv6 enable a vlan
#
# 1. Add a new vlan device to cloned_interfaces called vlanX
#
# 2. Add an ifconfig_vlanX line, the number is the vlan tag ID
#
# 3. Add vlanX to ipv6_network_interfaces
#
# 4. Add an ipv6_ifconfig_vlanX line, with a new unique prefix
#
# 5. Add vlanX to rtadvd_interface
#
# 6. Add vlanX to ipv6_router_flags
### Interfaces ###
# Bring physical interfaces up
ifconfig_dc0="up"
ifconfig_dc1="up"
ifconfig_dc2="up"
ifconfig_dc3="up"
Chown Informational [Page 8]
RFC 4554 VLANs for IPv4-IPv6 Coexistence June 2006
# Create VLan interfaces
cloned_interfaces="vlan0 vlan1 vlan2 vlan3 vlan4 vlan5 vlan6"
# Upstream link to IPv6 Access Router
ifconfig_vlan0="vlan 37 vlandev dc0"
# Downstream interfaces, load balance over interfaces dc1,dc2,dc3
ifconfig_vlan1="vlan 11 vlandev dc1" # Subnet1
ifconfig_vlan2="vlan 17 vlandev dc2" # Subnet2
ifconfig_vlan3="vlan 24 vlandev dc3" # Subnet3
ifconfig_vlan4="vlan 25 vlandev dc1" # Subnet4
ifconfig_vlan5="vlan 34 vlandev dc2" # Subnet5
ifconfig_vlan6="vlan 14 vlandev dc3" # Subnet6
### IPv6 ###
# Enable ipv6
ipv6_enable="YES"
# Forwarding
ipv6_gateway_enable="YES"
# Define Interfaces
ipv6_network_interfaces="vlan0 vlan1 vlan2 vlan3 vlan4 vlan5 vlan6"
# Define addresses
ipv6_ifconfig_vlan0="2001:db8:d0:101::2 prefixlen 64" # Uplink
ipv6_ifconfig_vlan1="2001:db8:d0:111::1 prefixlen 64" # Subnet1
ipv6_ifconfig_vlan2="2001:db8:d0:112::1 prefixlen 64" # Subnet2
ipv6_ifconfig_vlan3="2001:db8:d0:121::1 prefixlen 64" # Subnet3
ipv6_ifconfig_vlan4="2001:db8:d0:113::1 prefixlen 64" # Subnet4
ipv6_ifconfig_vlan5="2001:db8:d0:114::1 prefixlen 64" # Subnet5
ipv6_ifconfig_vlan6="2001:db8:d0:115::1 prefixlen 64" # Subnet6
# Router advertisements
rtadvd_enable="YES"
rtadvd_interfaces="-s vlan0 vlan1 vlan2 vlan3 vlan4 vlan5 vlan6"
### Routing ###
# Multicast
mroute6d_enable="YES"
mroute6d_program="/sbin/pim6sd"
Chown Informational [Page 9]
RFC 4554 VLANs for IPv4-IPv6 Coexistence June 2006
# RIP-ng
ipv6_router_enable="YES"
ipv6_router_flags="-N dc0,dc1,dc2,dc3, vlan1,vlan2,vlan3,
vlan4,vlan5,vlan6"
--- End of configuration ---
Note that if there was only one internal-facing interface, then again
so long as the OS supported VLAN trunking, all the VLAN IDs could be
associated to that interface (dc1, for example).
The VLAN IDs need to be managed by the site administrator, but would
probably already be assigned for existing IPv4 subnets (ones into
which IPv6 is being introduced).
For a large enterprise, a combination of internal tunnels and VLAN
usage could be used; the whole site need not be enabled by VLAN
tagging alone. This choice is one for the site administrator to
make.
Author's Address
Tim Chown
University of Southampton
Southampton, Hampshire SO17 1BJ
United Kingdom
EMail: tjc@ecs.soton.ac.uk
Chown Informational [Page 10]
RFC 4554 VLANs for IPv4-IPv6 Coexistence June 2006
Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Chown Informational [Page 11]
Request for Comments: 4554 University of Southampton
Category: Informational June 2006
Use of VLANs for IPv4-IPv6 Coexistence in Enterprise Networks
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
Ethernet VLANs are quite commonly used in enterprise networks for the
purposes of traffic segregation. This document describes how such
VLANs can be readily used to deploy IPv6 networking in an enterprise,
which focuses on the scenario of early deployment prior to
availability of IPv6-capable switch-router equipment. In this
method, IPv6 may be routed in parallel with the existing IPv4 in the
enterprise and delivered at Layer 2 via VLAN technology. The IPv6
connectivity to the enterprise may or may not enter the site via the
same physical link.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Enabling IPv6 per Link . . . . . . . . . . . . . . . . . . . . 3
2.1. IPv6 Routing over VLANs . . . . . . . . . . . . . . . . . 3
2.2. One VLAN per Router Interface . . . . . . . . . . . . . . 4
2.3. Collapsed VLANs on a Single Interface . . . . . . . . . . 4
2.4. Congruent IPv4 and IPv6 Subnets . . . . . . . . . . . . . 5
2.5. IPv6 Addressing . . . . . . . . . . . . . . . . . . . . . 5
2.6. Final IPv6 Deployment . . . . . . . . . . . . . . . . . . 5
3. Example VLAN Topology . . . . . . . . . . . . . . . . . . . . . 6
4. Security Considerations . . . . . . . . . . . . . . . . . . . . 7
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7
6. Informative References . . . . . . . . . . . . . . . . . . . . 7
Appendix A. Configuration Example . . . . . . . . . . . . . . . . 8
Chown Informational [Page 1]
RFC 4554 VLANs for IPv4-IPv6 Coexistence June 2006
1. Introduction
Ethernet VLANs are quite commonly used in enterprise networks for the
purposes of traffic segregation. This document describes how such
VLANs can be readily used to deploy IPv6 networking in an enterprise,
including the scenario of early deployment prior to availability of
IPv6-capable switch-router equipment, where IPv6 may be routed in
parallel with the existing IPv4 in the enterprise and delivered to
the desired LANs via VLAN technology.
It is expected that in the long run, sites migrating to dual-stack
networking will either upgrade existing switch-router equipment to
support IPv6 or procure new equipment that supports IPv6. If a site
already has production routers deployed that support IPv6, the
procedures described in this document are not required. In the
interim, however, a method is required for early IPv6 adopters that
enables IPv6 to be deployed in a structured, managed way to some or
all of an enterprise network that currently lacks IPv6 support in its
core infrastructure.
The IEEE 802.1Q VLAN standard allows separate LANs to be deployed
over a single bridged LAN, by inserting "Virtual LAN" tagging or
membership information into Ethernet frames. Hosts and switches that
support VLANs effectively allow software-based reconfiguration of
LANs through configuration of the tagging parameters. The software
control means that VLANs can be used to alter the LAN infrastructure
without having to physically alter the wiring between the LAN
segments and Layer 3 routers.
Many IPv4 enterprise networks are utilising VLAN technology. Where a
site does not have IPv6-capable Layer 2/3 switch-router equipment,
but VLANs are supported, a simple yet effective method exists to
gradually introduce IPv6 to some or all of that site's network, in
advance of the site's core infrastructure having dual-stack
capability.
If such a site wishes to introduce IPv6, it may do so by deploying a
parallel IPv6 routing infrastructure (which is likely to be a
different platform to the site's main infrastructure equipment, i.e.,
one that supports IPv6 where the existing equipment does not), and
then using VLAN technology to "overlay" IPv6 links onto existing IPv4
links. This can be achieved without needing any changes to the IPv4
configuration. The VLANs don't need to differentiate between IPv4
and IPv6; the deployment is just dual-stack, as Ethernet is without
VLANs.
Chown Informational [Page 2]
RFC 4554 VLANs for IPv4-IPv6 Coexistence June 2006
The IPv4 default route to the VLAN is provided by one (IPv4) router,
while the IPv6 default route to the VLAN is provided by a different
(IPv6) router. The IPv6 router can provide native IPv6 connectivity
to the whole site with just a single physical interface, thanks to
VLAN tagging and trunking, as described below.
The IPv6 connectivity to the enterprise may or may not enter the site
via the same physical link as the IPv4 traffic, and may be native or
tunneled from the external provider to the IPv6 routing equipment.
This VLAN usage is a solution adopted by a number of sites already,
including that of the author.
It should be noted that a parallel infrastructure will require
additional infrastructure and thus cost, and will often require a
separate link into the site (from an IPv6 provider), quite possibly
tunneled, that will require the site's security policy to be applied
(e.g., firewalling and intrusion detection). For sites that believe
early adoption of IPv6 is important, that price is one they may be
quite willing to pay. However, this document focuses on the
technical issues of VLAN usage in such a scenario.
2. Enabling IPv6 per Link
The precise method by which IPv6 would be "injected" into the
existing IPv4 network is deployment specific. For example, perhaps a
site has an IPv4-only router, connected to an Ethernet switch that
supports VLANs and a number of hosts connected to that VLAN. Let's
further assume that the site has a dozen of these setups that it
wishes to IPv6-enable immediately. This could be done by upgrading
the twelve routers to support IPv6, and turning IPv6 on those
routers. However, this may not be practical for various reasons.
The simplest approach would be to connect an IPv6 router with one
interface to an Ethernet switch, and connect that switch to other
switches, and then use VLAN tags between the switches and the IPv6
router to "reach" all the IPv4-only subnets from the IPv6 router.
Thus, the general principle is that the IPv6 router device (e.g.,
performing IPv6 Router Advertisements [1] in the case of stateless
autoconfiguration) is connected to the target link through the use of
VLAN-capable Layer 2 equipment.
2.1. IPv6 Routing over VLANs
In a typical scenario where connectivity is to be offered to a number
of existing IPv6 internal subnets, one IPv6 router could be deployed,
with both an external interface and one or more internal interfaces.
The external interface connects to the wider IPv6 internet, and may
Chown Informational [Page 3]
RFC 4554 VLANs for IPv4-IPv6 Coexistence June 2006
be dual-stack if some tunnel mechanism is used for external
connectivity, or IPv6-only if a native external connection is
available.
The internal interface(s) can be connected directly to a VLAN-capable
switch. It is then possible to write VLAN tags on the packets sent
from the internal router interface based on the target IPv6 link
prefix. The VLAN-tagged traffic is then transported across the
internal VLAN-capable site infrastructure to the target IPv6 links
(which may be dispersed widely across the site network).
Where the IPv6 router is unable to VLAN-tag the packets, a protocol-
based VLAN can be created on the VLAN-capable device connected to the
IPv6 router, causing IPv6 traffic to be tagged and then redistributed
on (congruent) IPv4 subnet links that lie in the same VLAN.
2.2. One VLAN per Router Interface
The VLAN marking may be done in different ways. Some sites may
prefer to use one router interface per VLAN; for example, if there
are three internal IPv6 links, a standard PC-based IPv6 router with
four Ethernet ports could be used, one for the external link and
three for the internal links. In such a case, one switch port would
be needed per link, to receive the connectivity from each router
port.
In such a deployment, the IPv6 routing could be cascaded through
lower-tier internal IPv6-only routers. Here, the internal-facing
ports on the IPv6 edge router may feed other IPv6 routers over IPv6-
only links, which in turn inject the IPv6 connectivity (the stub
links using 64-bit subnet prefixes and associated Router
Advertisements) into the VLANs.
2.3. Collapsed VLANs on a Single Interface
Using multiple IPv6 routers and one port per IPv6 link (i.e., VLAN)
may be unnecessary. Many devices now support VLAN tagging based on
virtual interfaces such that multiple IPv6 VLANs could be assigned
(trunked) from one physical router interface port. Thus, it is
possible to use just one router interface for "aggregated" VLAN
trunking from a switch. This is a far more interesting case for a
site planning the introduction of IPv6 to (part of) its site network.
This approach is viable while the IPv6 traffic load is light. As
traffic volume grows, the single collapsed interface could be
extended to utilise two or more physical ports, where the capacity of
the IPv6 router device allows it.
Chown Informational [Page 4]
RFC 4554 VLANs for IPv4-IPv6 Coexistence June 2006
2.4. Congruent IPv4 and IPv6 Subnets
Such a VLAN-based technique can be used to deploy IPv6-only VLANs in
an enterprise network. However, most enterprises will be interested
in dual-stack IPv4-IPv6 networking.
In such a case, the IPv6 connectivity may be injected into the
existing IPv4 VLANs, such that the IPv4 and IPv6 subnets are
congruent (i.e., they coincide exactly when superimposed). Such a
method may have desirable administrative properties; for example, the
devices in each IPv4 subnet will be in the same IPv6 subnets also.
This is the method used at the author's site.
Furthermore, IPv6-only devices may be gradually added into the subnet
without any need to resize the IPv6 subnet (which may hold in effect
an infinite number of hosts in a /64 in contrast to IPv4 where the
subnet size is often relatively limited, or kept to a minimum
possibly due to address space usage concerns). The lack of
requirement to periodically resize an IPv6 subnet is a useful
administrative advantage for IPv6.
2.5. IPv6 Addressing
One site using this VLAN technique has chosen to number its IPv6
links with the format [Site IPv6 prefix]:[VLAN ID]::/64. The VLAN
tag is 16 bits, so this can work with a typical maximum 48-bit site
prefix. Linking the VLAN ID into a site's addressing scheme may not
fit topology and aggregation, and thus is not necessarily a
recommended addressing plan, but some sites may wish to consider its
usage.
2.6. Final IPv6 Deployment
The VLAN technique for IPv6 deployment offers a more structured
alternative to opportunistic per-host intra-site tunnelling methods
such as Intra-Site Automatic Tunnel Addressing Protocol ISATAP [2].
It has the ability to offer a simple yet efficient method for early
IPv6 deployment to an enterprise site.
When the site acquires IPv6-capable switch-router equipment, the
VLAN-based method can still be used for delivery of IPv6 links to
physical switch interfaces, just as it is commonly used today for
IPv4 subnets, but with a common routing infrastructure.
Chown Informational [Page 5]
RFC 4554 VLANs for IPv4-IPv6 Coexistence June 2006
3. Example VLAN Topology
The following figure shows how a VLAN topology may be used to
introduce IPv6 in an enterprise network, using a parallel IPv6
routing infrastructure and VLAN tagging.
External IPv6 Internet
|
|
IPv6 Access Router
|
|
Switch-router with VLAN support
|
|
+--------------+----------------+
|Site enterprise infrastructure |
| with support for VLANs |
+----+--------------------+-----+
| |
| |
VLAN switch A VLAN switch B
| | |
| | |
Subnet1 Subnet2 Subnet3
Figure 1: IPv6 deployment using VLANs (physical diagram)
In this scenario, the IPv6 access router has one physical port facing
toward the internal infrastructure. In this example, it need only be
IPv6-enabled, as its purpose is solely to handle IPv6 traffic for the
enterprise. The access router has an additional interface facing
toward the external infrastructure, which in this example could be
dual-stack if the external IPv6 connectivity is via a tunnel to an
IPv6 ISP.
A number of VLANs are handled by the internal-facing IPv6 router
port; in this case, IPv6 links Subnet1, Subnet2, Subnet3. The VLANs
are seen as logical subinterfaces of the physical interface on the
IPv6 access router, which is using the "collapsed VLAN" method
described above, tagging the inbound traffic with one of three VLAN
IDs depending on the target IPv6 Subnet prefix.
Chown Informational [Page 6]
RFC 4554 VLANs for IPv4-IPv6 Coexistence June 2006
The following figure shows how the IPv6 view of the deployment looks;
all IPv6 subnets are on-link to the IPv6 access router, whether or
not they share the same physical links over the VLAN infrastructure.
External IPv6 Internet
|
|
Site IPv6 Access Router
| | |
| | |
Subnet1 Subnet2 Subnet3
Figure 2: IPv6 view of the deployment (logical view)
In this example, the router acts as an IPv6 first-hop access router
to the physical links, separately from the IPv4 first-hop router.
This technique allows a site to easily "inject" native IPv6 into all
the links where a VLAN-capable infrastructure is available, enabling
partial or full IPv6 deployment on the wire in a site.
4. Security Considerations
There are no additional security considerations particular to this
method of enabling IPv6 on a link.
Where the IPv6 connectivity is delivered into the enterprise network
by a different path from the IPv4 connectivity, care should be given
that equivalent application of security policy (e.g., firewalling) is
made to the IPv6 path.
5. Acknowledgements
The author would like to thank colleagues on the 6NET project, where
this technique for IPv4-IPv6 coexistence is widely deployed, in
particular Pekka Savola (CSC/FUNET), but also including Janos Mohacsi
(Hungarnet), Martin Dunmore and Chris Edwards (Lancaster University),
Christian Strauf (JOIN Project, University of Muenster), and Stig
Venaas (UNINETT).
6. Informative References
[1] Narten, T., Nordmark, E., and W. Simpson, "Neighbor Discovery
for IP Version 6 (IPv6)", RFC 2461, December 1998.
[2] Templin, F., Gleeson, T., Talwar, M., and D. Thaler, "Intra-Site
Automatic Tunnel Addressing Protocol (ISATAP)", RFC 4214,
October 2005.
Chown Informational [Page 7]
RFC 4554 VLANs for IPv4-IPv6 Coexistence June 2006
Appendix A. Configuration Example
This section describes a configuration example for using a computer
running the FreeBSD variant of the Berkeley Software Distribution
(BSD) operating system as a router to deploy IPv6 networking across a
number of IPv6 links on an enterprise (in this case, six links), for
a scenario similar to the one described above. Here, the precise
configuration may of course vary depending on the existing site VLAN
deployment. This section highlights that the VLAN configuration must
be manually configured; the support is not "automatic".
In this example, the configuration is for an IPv6 BSD router
connected directly to a site's external IPv6 access router. The BSD
router has one interface (dc0) toward the site IPv6 access router,
and three interfaces (dc1, dc2, dc3) over which the internal routing
is performed (the number of interfaces can be varied; three are used
here to distribute the traffic load). The IPv6 documentation prefix
(2001:db8::/32) is used in the example.
--- Example IPv6 VLAN configuration, FreeBSD ---
#
# To IPv6 enable a vlan
#
# 1. Add a new vlan device to cloned_interfaces called vlanX
#
# 2. Add an ifconfig_vlanX line, the number is the vlan tag ID
#
# 3. Add vlanX to ipv6_network_interfaces
#
# 4. Add an ipv6_ifconfig_vlanX line, with a new unique prefix
#
# 5. Add vlanX to rtadvd_interface
#
# 6. Add vlanX to ipv6_router_flags
### Interfaces ###
# Bring physical interfaces up
ifconfig_dc0="up"
ifconfig_dc1="up"
ifconfig_dc2="up"
ifconfig_dc3="up"
Chown Informational [Page 8]
RFC 4554 VLANs for IPv4-IPv6 Coexistence June 2006
# Create VLan interfaces
cloned_interfaces="vlan0 vlan1 vlan2 vlan3 vlan4 vlan5 vlan6"
# Upstream link to IPv6 Access Router
ifconfig_vlan0="vlan 37 vlandev dc0"
# Downstream interfaces, load balance over interfaces dc1,dc2,dc3
ifconfig_vlan1="vlan 11 vlandev dc1" # Subnet1
ifconfig_vlan2="vlan 17 vlandev dc2" # Subnet2
ifconfig_vlan3="vlan 24 vlandev dc3" # Subnet3
ifconfig_vlan4="vlan 25 vlandev dc1" # Subnet4
ifconfig_vlan5="vlan 34 vlandev dc2" # Subnet5
ifconfig_vlan6="vlan 14 vlandev dc3" # Subnet6
### IPv6 ###
# Enable ipv6
ipv6_enable="YES"
# Forwarding
ipv6_gateway_enable="YES"
# Define Interfaces
ipv6_network_interfaces="vlan0 vlan1 vlan2 vlan3 vlan4 vlan5 vlan6"
# Define addresses
ipv6_ifconfig_vlan0="2001:db8:d0:101::2 prefixlen 64" # Uplink
ipv6_ifconfig_vlan1="2001:db8:d0:111::1 prefixlen 64" # Subnet1
ipv6_ifconfig_vlan2="2001:db8:d0:112::1 prefixlen 64" # Subnet2
ipv6_ifconfig_vlan3="2001:db8:d0:121::1 prefixlen 64" # Subnet3
ipv6_ifconfig_vlan4="2001:db8:d0:113::1 prefixlen 64" # Subnet4
ipv6_ifconfig_vlan5="2001:db8:d0:114::1 prefixlen 64" # Subnet5
ipv6_ifconfig_vlan6="2001:db8:d0:115::1 prefixlen 64" # Subnet6
# Router advertisements
rtadvd_enable="YES"
rtadvd_interfaces="-s vlan0 vlan1 vlan2 vlan3 vlan4 vlan5 vlan6"
### Routing ###
# Multicast
mroute6d_enable="YES"
mroute6d_program="/sbin/pim6sd"
Chown Informational [Page 9]
RFC 4554 VLANs for IPv4-IPv6 Coexistence June 2006
# RIP-ng
ipv6_router_enable="YES"
ipv6_router_flags="-N dc0,dc1,dc2,dc3, vlan1,vlan2,vlan3,
vlan4,vlan5,vlan6"
--- End of configuration ---
Note that if there was only one internal-facing interface, then again
so long as the OS supported VLAN trunking, all the VLAN IDs could be
associated to that interface (dc1, for example).
The VLAN IDs need to be managed by the site administrator, but would
probably already be assigned for existing IPv4 subnets (ones into
which IPv6 is being introduced).
For a large enterprise, a combination of internal tunnels and VLAN
usage could be used; the whole site need not be enabled by VLAN
tagging alone. This choice is one for the site administrator to
make.
Author's Address
Tim Chown
University of Southampton
Southampton, Hampshire SO17 1BJ
United Kingdom
EMail: tjc@ecs.soton.ac.uk
Chown Informational [Page 10]
RFC 4554 VLANs for IPv4-IPv6 Coexistence June 2006
Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Chown Informational [Page 11]