IPv4 to IPv6 Migration
Project Report
Project Guide-
Dr. N.P. Dhavale
Deputy General Manager
IDRBT, Hyderabad
By-
Nupur Kala
B. Tech 2nd year
Electrical Engineering
IIT Delhi
IPv4 to IPv6 Migration | 7/11/2013
ACKNOWLEDGEMENT
A summer project is a golden opportunity for learning and self-development. I consider myself very lucky and honored to have so many wonderful people lead me through the completion of this project. I would like to express my sincere gratitude to the Institute for Development and Research in Banking Technology (IDRBT) and particularly Dr. N. P. Dhavale (DGM, INFINET and Services), who was my guide in this project, for providing me with the opportunity to learn all the nuances of a banking platform and carry out research on the topic of “IPv4 to IPv6 migration”, which is a concern that the entire world is facing. I am extremely grateful to Dr. N. P. Dhavale for his advice, innovative suggestions
and supervision. I thank him for considering me capable enough to work on such a
challenging project of migration from IPv4 to IPv6 which allowed me to get in
touch with the most challenging and latest technologies. I would also like to thank
Mr. E. Srihari for guiding me and helping me out whenever I got stuck.
I am thankful to the staff of the INFINET department at IDRBT for their co-operation, particularly Mr. Eshwar Prasad, Mr. Ravi, Mr. Shreedhar, Mr. Prashant and Mrs. Anuradha, with whom I worked throughout my stint at IDRBT; the project was possible only with their cooperation.
I am thankful for IDRBT for providing such an amazing platform for
students to work in real application oriented research. Finally, I thank one
and all who made this project successful either directly or indirectly.
Nupur Kala (IIT Delhi)
Project Trainee Department of INFINET, IDRBT
Hyderabad
CERTIFICATE
Miss Nupur Kala, student of B. Tech 2nd year at IIT Delhi in the Department of
Electrical Engineering was assigned the project “IPv4 to IPv6 migration” under the
guidance of INFINET department of IDRBT. During the course of the project she
has undertaken a study of IP Addressing scheme, Networking Protocols and
Systems, and software.
This is to certify that she has successfully completed the projects assigned to her
as an intern at Institute for Development and Research in Banking Technology
(IDRBT), Hyderabad from May 15, 2013 to July 12, 2013.
Dr. N.P.Dhavale
(Project Guide)
Deputy General Manager
IDRBT, Hyderabad
Abstract
With the ever-increasing number of network devices, the exhaustion of the IPv4 address
space has become inevitable. Thus, migration from IPv4 to IPv6 (which offers a
much larger address space) is necessary. The purpose of this project is to design
an IPv6 addressing schema for the Indian Financial Network (INFINET) and to
evaluate various IPv6 migration strategies. After designing the schema, it has
been implemented on a test bench set-up which uses a dual stack configuration.
For management of the network we are using an IP Address Management (IPAM) tool
to manage IPv6 addresses, and for name resolution we are using DNS with BIND 9.
IPv4 to IPv6 Migration
Project Report
Contents of the project –
1. Introduction
2. Understanding IPv6 addresses
3. Advantages of using IPv6
4. Classification of IPv6 addresses
5. Obtaining IPv6 addresses
6. Composition of IPv6 address
7. Unique Local Addresses
8. Designing the addressing scheme for INFINET
9. Developing a test bench
10. Strategy for migration
11. Tools for supporting dual stack implementation
a. DNS
b. IPAM
12. Security concerns
13. Conclusion
Introduction
First let us begin by understanding what an IP address is. All of us use the internet on our PCs, laptops and maybe smartphones. We use the internet for sending or receiving messages, looking for information or doing some sort of transaction. All of this requires our device to communicate with some other device on the internet.
Now think about the postal system, say someone wants to send you a package, to enable the package to reach to you, you need to provide some physical address at the post office where the package can be delivered. Similarly in order for your device to be part of the internet, it needs to have an IP address or an Internet Protocol address.
IP Address – An IP address is a unique number used for identifying a device on the internet. An IP address basically consists of two parts –
a) Network part– This is used for identifying a particular network on the Internet.
b) Host part- This is used for identifying a particular host/device on a given network.
At present the fourth version of IP addresses or IPv4 is being used for addressing the devices on the internet.
IPv4 - IPv4 addresses are 32-bit values. The 32 bits are segmented into four 8-bit fields called octets. Each octet is written as a decimal number from 0 to 255, and the octets are separated by periods (dots), e.g. 192.168.1.1.
The use of 32 bits gives us 2^32, or approximately 4.3 billion, IPv4 addresses, but with the increasing number of users and new devices connecting to the internet we are quickly running out of them. Thus, IPv6 has been developed, which provides an
address pool large enough to meet the world’s IP address demand well into the future.
Understanding IPv6 Addresses
IPv6 – IPv6 is the sixth version of the Internet Protocol. An IPv6 address is a 128-bit value, allowing for 2^128 (about 3.4 × 10^38) addresses. To represent the 128-bit address, IPv6 uses eight 16-bit fields, written in hexadecimal and separated by colons (:).
IPv6 Address format – An IPv6 address has 32 hexadecimal digits organized into eight groups of four hexadecimal digits each, separated by colons.
For example –
FD7A:E640:07B2:FACE:0000:1123:6161:016F
IPv6 uses the following conventions to allow easier representation of the IPv6 addresses –
1) The leading zeroes in each field are optional and can be omitted.
a) For example – 2011:0001:0011:0111:1111:2222:6666:0016
Can be equivalently represented as –
2011:1:11:111:1111:2222:6666:16
2) Also, one run of one or more consecutive all-zero fields can be replaced by a pair of colons (::).
b) 2011:1111:0000:0000:0000:0000:6666:1661
Can be equivalently represented as –
2011:1111::6666:1661
c) 2011:0001:0000:0000:0000:1100:0066:0161
Can be equivalently represented as –
2011:1::1100:66:161
However, :: may appear only once in an address: with two of them there would be no way to decide how many zero fields each one stands for. (RFC 5952 additionally recommends lowercase hexadecimal and using :: for the longest zero run, so that every address has a single canonical text form; this matters whenever addresses are compared as strings in ACLs, logs or scripts.)
The interface ID of an IPv6 address is always 64 bits long, allowing 2^64 interface identifiers on a single LAN.
Advantages of using IPv6 addresses
Using IPv6 addresses offers the following advantages –
1. Larger address space – IPv6 gives us 2^128 addresses. As Steve Leibson puts it, the address space is large enough that even if we gave an IPv6 address to every single atom on earth, we would still have enough addresses for 100 such earths.
2. Eliminates the need for NAT – Network Address Translation (NAT) is presently very popular in organizations and enterprises as it allows a large pool of private IPv4 addresses to be mapped to a few globally routable addresses, thus working around address scarcity. However, NAT creates various security issues and other packet transmission problems, as many internet protocols break on address translation (anything that carries an IP address inside its payload, such as FTP, SIP or IPsec AH). With IPv6
one can get rid of all such issues, as there are enough addresses that the use of NAT can be eliminated entirely and every host can have a globally unique address. (Note that this also means every host becomes directly reachable; the filtering that NAT provided as a side effect must now be done explicitly by a stateful firewall.)
3. Comes with inbuilt support for IPsec – IPsec is the protocol suite that provides authentication and encryption of IP packets. IPv6 implementations were required to support IPsec from the start, whereas in IPv4 it is an add-on. Inbuilt support does not mean IPsec is on by default: it still has to be configured, with keys or certificates, on both ends.
4. Simplified packet header – Although the larger IPv6 address increases the header size, the much simpler header format leads to more efficient forwarding of packets over the network.
Unlike the IPv4 packet header, whose size can vary from 20 octets to 60 octets, the IPv6 base header has a fixed size of 40 octets, which makes forwarding at routers much easier. There is no options field and no header length field in IPv6; anything optional is carried in extension headers chained after the fixed base header.
5. Hierarchical network–The extremely large address space provides flexible network architecture. The Internet Service Providers (ISP) can allocate larger address blocks to organizations which in turn allows the ISP to aggregate the prefixes of all its customers into a single prefix and announce this on the internet.
The larger IPv6 address space also enables the use of multiple levels of hierarchy inside the address space which in turn helps in reducing the size of internet routing tables.
6. Increased number of multicast addresses – One of the salient features of IPv6 is that it does not use broadcasts at all. The functions previously supported by IPv4 broadcasts, such as router discovery and address resolution, are handled by IPv6 multicast (e.g. the all-routers group FF02::2 and the solicited-node multicast groups). Multicast allows IP packets such as a video stream to be sent to multiple destinations at the same time, saving network bandwidth, and improves the efficiency of a network by delivering such requests only to the smaller number of interested nodes instead of to every host on the segment.
Differences between IPv4 and IPv6
Property                        IPv4                                IPv6
Deployed                        1981                                1999
Size of address                 32-bit                              128-bit
Address format                  Dotted decimal: 172.1.0.104         Hexadecimal: 2011:1006::6
Prefix notation                 172.1.0.0/24                        2011:1006::/48
Size of address space           2^32                                2^128
IPsec support                   Optional                            Inbuilt
IP-to-MAC mapping protocol      Address Resolution Protocol (ARP)   Neighbor Discovery Protocol (NDP)
Broadcast messages              Available                           Not available
Obtaining IPv6 addresses
The Internet Assigned Numbers Authority (IANA) is responsible for coordinating IPv6 address allocation at the global level. The assignment of IPv6 addresses, like that of IPv4 addresses, follows a hierarchy.
Global unicast addresses are allocated from 2000::/3. From this pool IANA allocates each of the five Regional Internet Registries (RIRs) a block with a prefix length of 12 (for example 2400::/12 to APNIC). An RIR then allocates Local Internet Registries (LIRs), i.e. ISPs, prefixes of length 32 (the minimum allocation), in some regions through a National Internet Registry (NIR). The ISP in turn assigns prefixes of length 48 or 56 to end sites.
Thus, the end user gets either 16 or 8 bits for subnetting.
India comes under the APNIC (Asia Pacific Network Information Centre) regional internet registry. In India, the Indian Registry for Internet Names and Numbers (IRINN) has
been set up by the National Internet Exchange of India (NIXI) for allocation of IPv6 addresses within the country.
Types of IPv6 addresses
1. Unicast address– An IPv6 unicast address points to a single interface on the internet. A packet sent to a unicast address is delivered to a unique host on the internet.
2. Multicast address – An IPv6 multicast address identifies a set of interfaces on the internet. A packet sent to a multicast address is delivered to all the interfaces in the set.
3. Anycast address – It also identifies a set of interfaces or hosts on the internet. But unlike a multicast address, a packet sent to an anycast address is delivered to only one of the interfaces in the set, usually the nearest one as measured by the routing protocol.
Composition of an IPv6 address
An IPv6 address consists of two parts-
1. Network ID – The first 64 bits identify a unique network (subnet) on the internet.
2. Interface ID – The last 64 bits identify a unique interface on that network.
Most organizations get prefixes whose length varies from 44 bits to 56 bits from their ISPs. This leaves the organization with 20 to 8 bits for subnetting within the organization.
e.g.-
FD7A:E640:07B0::/44 means-
FD7A:E640:07B0:0000:0000:0000:0000:0000/44
| network prefix (44 bits) | subnet ID (20 bits) | interface ID (64 bits) |
FD7A:E640:07B0::/56 means-
FD7A:E640:07B0:0000:0000:0000:0000:0000/56
| network prefix (56 bits) | subnet ID (8 bits) | interface ID (64 bits) |
There are three different ways of configuring the interface ID of an IPv6 address –
a) Manual assignment – The address is typed in by the administrator; knowledge of IPv6 addressing and subnetting is a must.
b) DHCPv6 – Dynamic Host Configuration Protocol version 6. The DHCPv6 server issues an address to the host when it boots, from a pool of IPv6 addresses, on a lease basis. The host must renew the lease before its valid lifetime expires; otherwise the address is released and a new one is issued. DHCPv6 is used when a site requires tighter control over exactly which address each host gets, and when the server should keep a record of which host holds which address (stateful assignment).
c) Stateless Address Auto-configuration (SLAAC) – This mechanism allows a host to generate its own addresses using a combination of locally available information and information advertised by routers. Routers advertise the prefixes that identify the subnet(s) associated with a link, while the host generates an interface identifier that uniquely identifies an interface on the subnet (classically the modified EUI-64 derived from the MAC address; RFC 7217 and the privacy extensions of RFC 4941 generate it randomly instead, so that the MAC is not exposed in the address). An address is formed by combining the two. In the absence of routers, a host can still generate a link-local address. The stateless approach is used when a site is not particularly concerned with the exact addresses hosts use, as long as they are unique and routable.
Types of Unicast IPv6 addresses
Unique Local Unicast addresses (ULA)
Unique Local Unicast addresses (RFC 4193) are intended for local communications and are not routable on the global internet; border routers must filter them. They replace the original site-local addresses (FEC0::/10), which have been deprecated. Their advantage over site-local addresses is that the algorithm used to generate the prefix makes the addresses very likely to be globally unique, so that two networks that merge or interconnect over a VPN do not end up with overlapping prefixes.
Format of Unique Local Unicast Addresses
| prefix FC00::/7 (7 bits) | L (1 bit) | Global ID (40 bits) | Subnet ID (16 bits) | Interface ID (64 bits) |
One does not need to obtain these addresses from any ISP or RIR. RFC 4193 specifies a pseudo-random algorithm for generating the ULA prefix for use on the local network.
The algorithm works as follows –
1) First we get the current time of day in 64-bit NTP (Network Time Protocol) format.
2) We get an EUI-64 identifier from the system running the algorithm. If an EUI-64 is not available, it can be created from the 48-bit MAC address. If an EUI-64 identifier cannot be obtained or created, we can use some other suitably unique identifier belonging to the local node, such as the serial number of the computer.
3) Then we concatenate the time of day in NTP format with the identifier obtained in the above step to create a key.
4) Next we compute the SHA-1 digest of this key, which results in a 160-bit value.
5) We use the least significant 40 bits of the digest as the Global ID. (RFC 4193 fixes the Global ID at 40 bits, giving a /48; in this project 36 bits are used instead, giving the /44 prefix used below.)
6) We then concatenate FC00::/7 with the Global ID and set the L bit to 1, so that a locally generated prefix always begins with FD.
The algorithm provides the required prefix for local use. Note that uniqueness is probabilistic and the prefix is never registered anywhere: the generated value should be recorded and reused, not regenerated on every run.
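The procedure above, together with the SLAAC address formation described under c) in the previous section, as an added worked example in Python. This is editor-supplied code, not part of the report or of any IDRBT tool. The MAC address is a constructed sample; the 36-bit Global ID is the report's own variant, RFC 4193 itself always uses 40 bits.

```python
import hashlib
import ipaddress
import struct
import time

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800


def ntp_timestamp_64(unix_time: float) -> bytes:
    """Step 1: encode a Unix time as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_time)
    seconds = (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    fraction = int((unix_time - whole) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack("!II", seconds, fraction)


def modified_eui64(mac: str) -> bytes:
    """Step 2: build the modified EUI-64 identifier from a 48-bit MAC (RFC 4291, Appendix A):
    insert FF:FE between the OUI and the device part and flip the universal/local bit (0x02)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def ula_prefix(eui64: bytes, unix_time: float, global_id_bits: int = 40) -> ipaddress.IPv6Network:
    """Steps 3 to 6 of RFC 4193 section 3.2.2: SHA-1 over (NTP time || EUI-64), keep the least
    significant global_id_bits of the digest as the Global ID and place it directly after the
    8-bit FD00::/8 prefix (FC00::/7 with L = 1). 40 bits gives the standard /48; the report's
    36-bit variant gives a /44."""
    if not 0 < global_id_bits <= 40:
        raise ValueError("RFC 4193 defines at most 40 Global ID bits")
    key = ntp_timestamp_64(unix_time) + eui64
    digest = hashlib.sha1(key).digest()
    global_id = int.from_bytes(digest, "big") & ((1 << global_id_bits) - 1)
    prefix_int = (0xFD << 120) | (global_id << (120 - global_id_bits))
    return ipaddress.IPv6Network((prefix_int, 8 + global_id_bits))


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """SLAAC: combine the /64 prefix learned from a Router Advertisement with the interface's
    modified EUI-64 to form the host address (the address a host would then test with DAD)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC prefixes are /64")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


if __name__ == "__main__":
    mac = "00:1B:21:4A:7E:9C"  # constructed sample MAC, not a real host
    eui = modified_eui64(mac)
    site = ula_prefix(eui, time.time())  # a fresh FDxx::/48 on every run, so record it once
    # first subnet (subnet ID 0001) of that site prefix
    subnet = ipaddress.IPv6Network((int(site.network_address) | (1 << 64), 64))
    print("ULA prefix :", site)
    print("subnet     :", subnet)
    print("SLAAC addr :", slaac_address(str(subnet), mac))
```

The SLAAC address embeds the MAC address (the FF:FE in the middle of the interface ID is the giveaway), which is why the report's test bench hosts, and most modern operating systems, are better off with stable-privacy or temporary identifiers than with EUI-64 on any link an outsider can observe.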
Designing the IPv6 addressing scheme
for Indian Financial Network
(INFINET)
INFINET is the communication backbone of the Indian banking and financial sector. Being a Closed User Group with around 220 banks as its members, the network currently uses private IPv4 addresses for all its internal communication. We wish to replace this IPv4 framework with an IPv6 framework.
For this we have used Unique Local Unicast addresses to come up with an appropriate address plan, since the network is closed and its prefixes are never announced to the global internet. I have come up with two different addressing schemes for the purpose.
1) Approach 1 – In this scheme I have used specific nibbles of the IPv6 address to identify the bank to which it belongs and the city where it is located.
Composition of IPv6 addresses allocated in the INFINET –
Of the 128 bits in the IPv6 address, here is what each group of bits signifies –
1) The first 44 bits (11 nibbles) denote the Global ID, which is common to all the banks that are part of INFINET. We have used the following Global ID –
FD7A:E640:07B0::/44
We have generated this Global ID using the procedure described above (with 36 Global ID bits rather than the 40 of RFC 4193).
2) The next 12 bits (3 nibbles) identify a particular bank in the network. This allows us to address 4096 banks. For example –
a. Reserve Bank of India has been given ‘4EA’ as bank ID.
b. State Bank of India has been assigned ‘2AD’ as bank ID.
c. Central Bank of India has got a bank ID of ‘1CE’.
d. Syndicate Bank has got the bank ID ‘6DE’.
e. Andhra Bank has been a bank ID of ‘8AC’.
f. Canara Bank has got the bank ID of ‘0CA’.
3) The next 8 bits(2 nibbles) help us to find the location given an IPv6 address. This allows us to identify 256 cities. For example –
a. Chennai’s city ID is ‘CE’.
b. Delhi’s city ID is ‘D2’.
c. Hyderabad’s city ID is ‘D3’.
d. Kolkata’s city ID is ‘AD’.
e. Mumbai’s city ID is ‘B1’.
f. Pune’s city ID is ‘E0’.
Some sample subnet identifiers generated by using the above scheme are as follows -
Syndicate Bank, Kolkata - 6DEAD
State Bank of India, Delhi – 2ADD2
Punjab and Sindh Bank, Dehradun – 0ADD0
Bank of India, Kolkata – 4BEAD
Canara Bank, Bhopal – 0CAB0
Indian Bank, Dispur – 8DAD1
J P Morgan Asset Management India Private Limited, Hyderabad –
ACED3
IDBI Bank, Mumbai – 5DAB1
Fidelity Business Services India Private Limited, Pune – FACE0
Union Bank of India, Shillong – BAD00
We have tried to allocate subnet identifiers that are recognizable words and patterns so that they are easy to memorize. Following is the list of three- to five-letter words that can be formed using the hexadecimal letters A to F –
3 letter words – ace, add, bad, bed, bee, cab, dab, dad, fad, fed, fee.
4 letter words – bead, bade, beef, cafe, cede, dead, deaf, deed, face, fade, feed, aced.
5 letter words – added, ceded, faced, faded.
Thus, the Kolkata branch of Syndicate Bank gets a prefix of-
FD7A:E640:07B6:DEAD::/64
The prefix for SBI, Delhi is –
FD7A:E640:07B2:ADD2::/64
2) Approach 2 – In the second approach, out of the five nibbles available for subnetting we use the first four nibbles to identify the bank and the last nibble to identify the data center.
Using this scheme we can address 65,536 different banks, and each of them can have as many as 16 data centers as part of the network.
Note that banks have a maximum of three data centers: a primary data center and one or two backup data centers (near DC and far DC).
Some of the sample bank identifiers are-
Bank of Maharashtra's bank ID - 'BABA'.
Reserve Bank of India's bank ID – 'EBEA'.
Canara Bank's bank ID - 'CAFE'.
Indian Bank's bank ID - 'DEAD'.
The data centers are assigned the following IDs –
Primary Data center – 1
Near DC – 2
Far DC – 3
The prefix for the primary data center of RBI is-
FD7A:E640:07BE:BEA1::/64
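Both addressing schemes, as an added worked example in Python that builds a /64 from the identifiers and recovers the identifiers from any address inside the INFINET prefix. This is editor-supplied code, not part of the report; the bank and city IDs are the report's own samples, and the range checks are what an IPAM import script for this plan would need so that a typo cannot silently land a branch in another bank's space.

```python
import ipaddress

# 44-bit ULA-derived Global ID chosen in the report; everything below sits inside it.
GLOBAL_ID = ipaddress.IPv6Network("FD7A:E640:07B0::/44")
SUBNET_BITS = 128 - 64 - GLOBAL_ID.prefixlen  # 20 bits (5 nibbles) of subnet ID


def _subnet_prefix(subnet_id: int) -> ipaddress.IPv6Network:
    """Place a 20-bit subnet ID directly after the 44-bit Global ID and return the resulting /64."""
    if not 0 <= subnet_id < (1 << SUBNET_BITS):
        raise ValueError("subnet ID must fit in %d bits" % SUBNET_BITS)
    return ipaddress.IPv6Network((int(GLOBAL_ID.network_address) | (subnet_id << 64), 64))


def approach1_prefix(bank_id: str, city_id: str) -> ipaddress.IPv6Network:
    """Approach 1: 12-bit bank ID (3 hex nibbles) followed by 8-bit city ID (2 nibbles)."""
    bank, city = int(bank_id, 16), int(city_id, 16)
    if bank > 0xFFF or city > 0xFF:
        raise ValueError("bank ID is 3 nibbles, city ID is 2 nibbles")
    return _subnet_prefix((bank << 8) | city)


def approach2_prefix(bank_id: str, dc: int) -> ipaddress.IPv6Network:
    """Approach 2: 16-bit bank ID (4 nibbles) followed by a 4-bit data-center number (1 nibble)."""
    bank = int(bank_id, 16)
    if bank > 0xFFFF or not 0 <= dc <= 0xF:
        raise ValueError("bank ID is 4 nibbles, DC number is one nibble")
    return _subnet_prefix((bank << 4) | dc)


def decode(address: str, approach: int) -> dict:
    """Recover the identifiers from a host address or a prefix. Refuses anything outside the
    INFINET Global ID, so a stray public or link-local address is reported instead of decoded."""
    net = ipaddress.IPv6Network(address, strict=False)
    if not net.subnet_of(GLOBAL_ID):
        raise ValueError("%s is outside %s" % (address, GLOBAL_ID))
    subnet_id = (int(net.network_address) >> 64) & ((1 << SUBNET_BITS) - 1)
    if approach == 1:
        return {"bank": "%03X" % (subnet_id >> 8), "city": "%02X" % (subnet_id & 0xFF)}
    if approach == 2:
        return {"bank": "%04X" % (subnet_id >> 4), "dc": subnet_id & 0xF}
    raise ValueError("approach must be 1 or 2")


if __name__ == "__main__":
    print("Syndicate Bank, Kolkata :", approach1_prefix("6DE", "AD"))
    print("SBI, Delhi              :", approach1_prefix("2AD", "D2"))
    print("RBI primary DC          :", approach2_prefix("EBEA", 1))
    print(decode("fd7a:e640:7b6:dead:21b:21ff:fe4a:7e9c", 1))
```

The two approaches cannot be told apart from the bits alone (both consume the same 20 subnet bits), so whichever scheme INFINET adopts has to be fixed network-wide before the first prefix is handed out; a mixed deployment would decode the same /64 two different ways.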
Migration strategies
There are three major migration strategies available for migration from IPv4 to IPv6-
1. Dual Stack – In the dual stack implementation all the network devices (workstations, servers, routers, etc.) run both IPv4 and IPv6. Applications can communicate using either version. It is an easy strategy to implement.
This is the recommended migration strategy: it is easy to implement and it enables the co-existence of IPv4 and IPv6 users/applications until all of them have been migrated to IPv6.
However, in order to implement dual stack all the devices need to support both IP versions and need extra processing power (CPU, memory, etc.) to handle both protocols simultaneously. Security policy must also be applied twice: a firewall rule set or ACL written only for IPv4 leaves the IPv6 side of every dual-stack host open.
2. Tunneling – A transition mechanism whereby an IP packet from one address family is encapsulated in an IP packet of the other address family, enabling the original packet to be transported over a network of the other address family. There are two types of tunnels: static and dynamic. Static tunnels are configured manually, whereas dynamic tunnels use techniques such as 6to4 or ISATAP to determine the endpoints automatically. Automatic tunnels accept encapsulated packets from any source that knows the mechanism, so tunnel endpoints need explicit filtering of who may send to them.
3. Translation – In the translation mechanism the packets of one protocol are converted to the other (e.g. NAT64 together with DNS64). Although this approach allows communication between devices supporting either version, the translator has to rewrite every packet header, which requires extra processing power and breaks any protocol that carries addresses in its payload, just as IPv4 NAT does.
Developing a test bench setup
The main focus of the test setup is to evaluate the under mentioned:
a. Implementation of IP Addressing Schema described above.
b. To implement the dual stack solution for seamless access between
IPv4 and IPv6.
c. Measure the performance of the devices.
d. Access the IPv6 enabled web server through IPv4 client and vice
versa.
e. Configuring DNS server for IPv6 services hosted on web server.
f. Managing IPv6 IPs using IPAM tools.
As shown in the above diagram in our test bench setup we are using 6 routers. The routers A and B act as two datacenters of RBI. The
remaining four routers represent four different bank branches at four different locations. At router C we have a DNS server and an IPAM server. We also place there a web server with the Apache Tomcat 7 Web Application Manager deployed on it. At router E we have an IPv4-only client and at router F an IPv6-only client (the address table below lists the IPv6-only client under router E and the IPv4-only client under router F). Routers A, B and C are configured as dual stack so that both protocols co-exist on the network.
Details of components used –
Two Cisco 1841 routers – They run IOS version 12.3, which supports both IPv4 and IPv6.
Two Cisco 3660 routers – They run IOS version 12.4, which supports both IPv4 and IPv6.
One Cisco 3745 router – It runs IOS version 15, which supports both IPv4 and IPv6.
One Cisco 2651 router – It runs IOS version 12.3, which supports both IPv4 and IPv6.
All of the above Cisco routers run IOS version 12.3 or later; these versions support both IPv4 and IPv6.
DNS and IPAM – installed on a host running Red Hat Enterprise Linux 6.2, which supports both IPv4 and IPv6.
Tomcat 7 Web Application Manager – installed on a Windows 7 host.
Important commands used in network
configuration
o no shutdown – Turns on (administratively enables) the router interface.
o ipv6 unicast-routing – A global configuration command that enables forwarding of IPv6 unicast packets on the router; without it the router only behaves as an IPv6 host on its interfaces.
o ip address 192.168.1.1 255.255.255.252 – Assigns the specified IPv4 address to the interface. Next to the address we specify the subnet mask (here a /30 point-to-point link).
o ip ospf 1 area x – Enables OSPF process 1 on the interface and makes it part of the specified area.
o ipv6 address FD10:AAAA:BBBB:CCC0::2/126 – Assigns the specified IPv6 address, with its prefix length, to the interface.
o ipv6 ospf 1 area x – Enables OSPFv3 process 1 on the interface and makes it part of the specified area. (OSPFv3 still needs a 32-bit router ID; on a router with no IPv4 address configured it must be set explicitly with router-id under ipv6 router ospf 1.)
o show ip route – Displays the IPv4 routing table of the router.
o show ipv6 route – Displays the IPv6 routing table of the router.
Addresses used for test setup
For the Wide Area Network connections (WAN), we have used the following prefix-
IPv6 – FD10:AAAA:BBBB:CCC0::/124
IPv4 – 192.168.1.0/28
For the LAN connections at various routers the following prefixes are used –
Datacenter 1 (Router A): IPv6 – FD7A:BBBB:CCC0:2100::/64
IPv4 – 172.168.169.0/24
Datacenter 2 (Router B): IPv6 – FD7A:BBBB:CCC1:2101::/64
IPv4 – 172.168.168.0/24
(Note: 172.168.0.0/16 is not part of the RFC 1918 private range 172.16.0.0/12. On an isolated test bench this is harmless, but in production these blocks would collide with publicly routed addresses and should be taken from 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 instead.)
Branch 1(Router C): IPv6 – FD7A:BBBB:CCCA:1101::/64
IPv4 – 192.168.169.0/24
Server with DNS and IPAM –
IPv6 address - FD7A:BBBB:CCCA:1101::2
IPv4 address – 192.168.169.2
Web server with Tomcat Application uploaded –
IPv6 address- FD7A:BBBB:CCCA:1101::3
IPv4 address – 192.168.169.3
Branch 2(Router D): IPv6 – FD7A:BBBB:CCCB:1101::/64
IPv4 – 192.168.168.0/24
Branch 3(Router E): IPv6 – FD7A:BBBB:CCCC:1101::/64
IPv6 only client – FD7A:BBBB:CCCC:1101::2
Branch 4(Router F):IPv4 – 10.10.10.0/24
IPv4 only client – 10.10.10.2
We are using Open Shortest Path First (OSPFv2 for IPv4 and OSPFv3 for IPv6), a dynamic link-state routing protocol. In OSPF, a router that detects a change in the state of one of its links immediately floods a link-state advertisement to the other routers in the area (using the multicast groups 224.0.0.5 for OSPFv2 and FF02::5 for OSPFv3). This ensures that all routers build the same link-state database and compute consistent routing tables. Note that OSPFv2 and OSPFv3 are separate processes with separate adjacencies, so a problem in one does not necessarily show up in the other; both routing tables have to be checked.
The above setup offers several advantages. First of all, it can represent the network of any enterprise or organization undergoing a transition from IPv4 to IPv6. Also, the above setup offers a kind of hierarchical organization, e.g. , there can be hundreds of routers in area 2 connected to router D, but router A doesn’t need to do much work to communicate with them. Being the neighbor of router D, router A automatically gets information about all the subsequent connections.
Supporting tools
1. DNS
DNS is the acronym of Domain Name System. DNS is an internet service that maps fully qualified domain names (FQDNs) to IP addresses and back.
Need for DNS – Since it is not humanly possible to memorize the IP addresses of all the websites we might want to access, we need DNS. A DNS server turns a user-friendly domain name like www.google.com into an IP address such as 173.194.38.179.
Computers that run DNS are called name servers. There are basically four types of name server configurations -
Master – Stores the original, authoritative zone records for a namespace and answers queries about the namespace from resolvers and other name servers.
Slave – Also authoritative for its zones, but obtains the zone data from a master by zone transfer (AXFR/IXFR) rather than from local files.
Caching-only – Offers name resolution to clients but is not authoritative for any zone. Answers are cached in memory for a period of time specified by the TTL of the retrieved record.
Forwarding – Forwards requests to a specific list of name servers for resolution. If none of the specified name servers can perform the resolution, the query fails.
One can think of DNS as a large distributed database which resolves domain names and maps them to IP addresses. It works on a distributed ownership or authority model: authority is delegated by domain or zone. Zones are defined on authoritative name servers through the use of zone files (which describe the namespace of that zone, the mail server to be used for a particular domain or sub-domain, etc.). Zone files are stored on the primary (master) name servers.
In our test bench setup I have used the BIND 9 DNS server, specifically version 9.7.3. BIND stands for Berkeley Internet Name Domain; it is the most widely used DNS server software and is maintained by the Internet Systems Consortium (ISC). On Red Hat, BIND runs as the named process. The major BIND configuration files that I configured for the test bench setup are –
File                        Description
/etc/named.conf             The main configuration file; lists the global options and the location of all the zone files.
/etc/named.rfc1912.zones    The zones recommended by RFC 1912 (localhost and its reverse zones) for a caching name server.
/etc/resolv.conf            Defines the DNS server(s) a given host sends its queries to.
/var/named/named.ca         The root hints: the list of the 13 root name servers.
As explained above a DNS zone file contains mapping information about a particular zone. There are basically two types of zone files –
1. Forward lookup zone file – The forward lookup zone file maps a Fully Qualified Domain Name (FQDN) to an IP address. The forward lookup file for a dual stack network contains A records and AAAA records. A DNS A record maps a fully
qualified domain name to an IPv4 address, whereas a DNS AAAA record maps a fully qualified domain name to an IPv6 address.
This is the forward zone file for mywebsite.com.
2. Reverse lookup zone file – The reverse lookup zone file maps an IP address to a fully qualified domain name via pointer (PTR) records. For IPv4 the zone lives under in-addr.arpa with the octets reversed; for IPv6 it lives under ip6.arpa with every hexadecimal nibble of the full, uncompressed address reversed, 32 labels in all.
Reverse zone file for mywebsite.com
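The forward and reverse zone files for the test bench, as an added worked example in Python that generates the A, AAAA and PTR records and the reverse zone names from the host table. This is editor-supplied code, not the report's own zone files: the addresses come from the report's address table, the hostnames dns.mywebsite.com and www.mywebsite.com and the SOA parameters are assumed. The ip6.arpa name is the part people get wrong by hand, which is why it is computed rather than typed.

```python
import ipaddress

# Constructed host table for the test bench (addresses from the report; hostnames assumed).
HOSTS = {
    "dns.mywebsite.com.": ("192.168.169.2", "FD7A:BBBB:CCCA:1101::2"),
    "www.mywebsite.com.": ("192.168.169.3", "FD7A:BBBB:CCCA:1101::3"),
}


def forward_records(hosts):
    """A and AAAA records for a dual-stack forward zone, one line per address."""
    lines = []
    for name, addrs in sorted(hosts.items()):
        for a in addrs:
            ip = ipaddress.ip_address(a)
            rtype = "A" if ip.version == 4 else "AAAA"
            lines.append("%s\tIN\t%s\t%s" % (name, rtype, ip.compressed))
    return lines


def reverse_name(address):
    """Owner name of the PTR record: octets reversed under in-addr.arpa for IPv4, all 32 nibbles
    of the expanded address reversed under ip6.arpa for IPv6."""
    return ipaddress.ip_address(address).reverse_pointer + "."


def reverse_records(hosts):
    """PTR records for every address in the host table."""
    return ["%s\tIN\tPTR\t%s" % (reverse_name(a), name)
            for name, addrs in sorted(hosts.items()) for a in addrs]


def reverse_zone_origin(network):
    """Name of the reverse zone that must exist (and be delegated) for a prefix: a /24 for IPv4,
    any nibble-aligned prefix for IPv6. A /64 needs a 16-label ip6.arpa zone."""
    net = ipaddress.ip_network(network, strict=False)
    if net.version == 4:
        if net.prefixlen != 24:
            raise ValueError("this helper handles /24 reverse zones only")
        octets = str(net.network_address).split(".")[:3]
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa zones are delegated on 4-bit (nibble) boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def render_zone(origin, records, serial, ns="dns.mywebsite.com.", admin="hostmaster.mywebsite.com."):
    """Minimal BIND zone file text: $ORIGIN/$TTL, an SOA, the NS record, then the given records.
    The owner names produced above are absolute (trailing dot), so $ORIGIN is not appended."""
    header = [
        "$ORIGIN %s" % origin,
        "$TTL 86400",
        "@\tIN\tSOA\t%s %s ( %d 3600 900 1209600 300 )" % (ns, admin, serial),
        "@\tIN\tNS\t%s" % ns,
    ]
    return "\n".join(header + records) + "\n"


if __name__ == "__main__":
    serial = 2013071101
    print(render_zone("mywebsite.com.", forward_records(HOSTS), serial))
    v4 = [r for r in reverse_records(HOSTS) if "in-addr.arpa" in r]
    v6 = [r for r in reverse_records(HOSTS) if "ip6.arpa" in r]
    print(render_zone(reverse_zone_origin("192.168.169.0/24"), v4, serial))
    print(render_zone(reverse_zone_origin("FD7A:BBBB:CCCA:1101::/64"), v6, serial))
```

Each generated file can be checked with BIND's own named-checkzone before it is referenced from named.conf; the SOA serial must be increased on every change or the slave will keep serving the old zone.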
Working of DNS
When we type the fully qualified domain name of a website in the web browser, our computer sends a query to its configured DNS server (the resolver).
The resolver looks the name up in its cache or, if it is not there, follows the delegation chain from the root servers down to the authoritative server for the zone.
A dual-stack client asks for both record types: it sends an AAAA query and an A query. If the website has an IPv6 address, the AAAA answer is returned; if it has an IPv4 address, the A answer is returned.
Which address is then used is decided by the client, not by the server: a dual-stack host normally prefers the IPv6 address (RFC 6724 address selection) and falls back to IPv4 if the IPv6 connection fails.
The commands like nslookup, dig, host, etc. are used to query DNS zone records.
Querying the DNS resource records from command prompt
2.IP Address Manager (IPAM)
IP Address Management is the practice of tracking and modifying the information associated with a network's IP address space. IPAM allows administrators to ensure that the inventory of assignable IP addresses remains current and sufficient.
Need – The deployment of IPv6 has made manual management of the IP address space close to impossible. First of all, IPv6 addresses are so long that memorizing them and maintaining large spreadsheets for the entire network is very difficult. Also, the use of SLAAC and DHCPv6 results in a very dynamic network in which a host's address is no longer a constant that an administrator typed in.
The functions performed by an IP Address Manager can be grouped into three major categories –
a) Address Space Management – An IPAM gives visibility into all aspects of the IP address infrastructure from a single console.
b) Multi-server management and monitoring – An IPAM can automatically discover DHCP and DNS servers on the network, monitor service availability and centrally manage their configuration.
c) Network Audit – An IPAM provides a centralized repository of all configuration changes performed on DHCP and DNS servers and of all IP addresses issued on the network; for a bank this is the record that ties an address seen in a log back to a host.
I have used GestioIP in the test bench setup.
GestioIP
GestioIP is an open source, automated, web-based IP address manager that supports IPv4 as well as IPv6.
The software is designed to collect information in an automated way, which keeps its maintenance cost low.
It offers web forms to import networks from spreadsheets or from the routing tables of SNMP-enabled devices, and web-based synchronization of the networks against the DNS.
It also allows cron-scheduled automatic updates of the host entries via SNMP and against the DNS, which keeps GestioIP's database up to date.
Work done –
For installing GestioIP, I first installed Red Hat inside VirtualBox on a Windows machine.
Then I installed and configured the Apache 2 web server and mod_perl 2, which GestioIP requires.
A MySQL database was also created for this purpose.
Once GestioIP has been installed on the server, the software is reached by typing the following URL in the address bar of a web browser (on a production network this interface should be served over HTTPS and restricted to administrators, since it holds the inventory of the whole address plan)-
http://servername/gestioip
Above is the first screen that appears once the correct username and password have been entered. All the networks being managed are listed on the home page.
The following is the screen that appears when we add a new network to GestioIP.
The above screen shot shows how sites are administered and categorized in GestioIP.
Above is a screenshot of the subnet calculator in GestioIP.
Security Concerns
Just like IPv4, IPv6 also has to deal with the issues of man-in-the-middle attacks, traffic interception attacks, blackholing of hosts, Denial of Service attacks, etc. However, the introduction of some new features in IPv6 leads to the possibility of other types of attacks as well, e.g., more end nodes permitted on the link (up to 2^64) and an increased neighbor cache size on end nodes and the default router, which creates more opportunities for Denial of Service (DoS) attacks. Following are the various security vulnerabilities in the IPv6 addressing scheme:
1. Router Discovery related concerns – Router Discovery allows hosts to locate the routers attached to their link. In order to discover a router on its link, a host A sends an ICMPv6 router solicitation message requesting information about the routers on its local link. A legitimate router (RTR) responds with an ICMPv6 router advertisement with a lifetime x that lets host A know that it is a router on the link. In turn, host A installs a default route pointing to RTR for time x. If an intruder, say host B, manages to install itself on the link, it could use router discovery to insert itself as the default router in the routing table of host A. It can then see all traffic from host A and deploy attacks like man-in-the-middle.
2. Stateless Address Auto-configuration (SLAAC) issues – SLAAC enables an IPv6 endpoint to obtain an IPv6 address on a link it is coming up on without needing DHCPv6 address allocation. When host A needs an IPv6 address, it sends an ICMPv6 router solicitation requesting the link information. RTR responds with an ICMPv6 router advertisement that provides the IPv6 address prefix on the link and its lifetime t. Then host A can pick an address on the link and, after checking its availability (via Duplicate Address Detection), it can begin using it.
If a malicious host B manages to insert itself on the link, it could spoof an ICMPv6 router advertisement from RTR sending a new prefix. Host A will then generate an IPv6 address using this prefix. Depending on the network configuration, the RTR Access Control List (ACL) may deny the new address from traversing the network. Thus, the attacker could blackhole hosts on its local link.
3. Neighbor Discovery related concerns – Neighbor Discovery (ND) performs operations such as Address Resolution, Duplicate Address Detection (DAD), Neighbor Unreachability Detection (NUD) and Redirection. In IPv6 the following ICMPv6 messages are used for neighbor discovery: Neighbor Advertisement (NA) and Neighbor Solicitation (NS). Host A sends a Neighbor Solicitation message to get the link-layer address of its neighbor, say host B. When host B replies with an ICMPv6 Neighbor Advertisement, host A learns the MAC address of host B and creates a Neighbor Cache entry mapping the IP address of host B to its MAC address. If a malicious host T manages to insert itself on the link, it could impersonate host B and in turn intercept all packets that were directed to host B, leading to a man-in-the-middle or traffic interception attack.
4. DHCPv6 related concerns – DHCPv6 describes how a host can acquire an IPv6 address and other configuration options from a server that is available on its local link. As with IPv4 DHCP, DHCPv6 is susceptible to rogue server attacks, i.e., an attacker who manages to insert a rogue DHCPv6 server on the link could assign addresses and configuration options to the link's hosts as it wishes and could then easily deploy man-in-the-middle, traffic interception or host blackholing attacks.
5. Neighbor Cache related concerns – While performing address resolution, after receiving the ICMPv6 Neighbor Advertisement, host A creates a neighbor cache entry for the IP address it resolved to a MAC address. Given the size of the local link's address pool, a host's neighbor cache can grow significantly in relation to the Address Resolution Protocol (ARP) table size in IPv4. In this scenario, a malicious host T can attack the neighbor cache of a host or routing device and cause a Denial of Service (DoS) condition.
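As an added example (not part of this report), the following Python script shows the kind of RA Guard-style check a defender can run against the Router Advertisements discussed in concerns 1 and 2: it parses the ICMPv6 RA body using the RFC 4861 layout and flags advertisements whose source link-layer address is not the known router, whose prefix is not one the router should announce, or which withdraw the default router. The router MAC and prefixes are constructed sample values, and build_ra only constructs test input.

```python
"""RA Guard-style check of ICMPv6 Router Advertisements (added example, not from the report)."""
import ipaddress
import struct

ICMPV6_RA = 134                          # ICMPv6 type of a Router Advertisement
OPT_SRC_LLADDR, OPT_PREFIX_INFO = 1, 3   # RFC 4861 option types
# Constructed sample policy: the one legitimate router (RTR) and the prefixes it announces.
TRUSTED_ROUTERS = {"00:11:22:33:44:55"}
EXPECTED_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}

def parse_ra(payload: bytes) -> dict:
    """Parse an ICMPv6 RA body into router lifetime, source MAC and advertised prefixes."""
    if len(payload) < 16 or payload[0] != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    ra = {"router_lifetime": struct.unpack("!H", payload[6:8])[0],
          "src_mac": None, "prefixes": []}
    pos = 16                             # options start after the fixed 16-byte header
    while pos + 2 <= len(payload):
        opt_type, opt_len = payload[pos], payload[pos + 1] * 8   # length is in 8-octet units
        if opt_len == 0 or pos + opt_len > len(payload):
            raise ValueError("malformed RA option")             # RFC 4861: discard the packet
        body = payload[pos + 2:pos + opt_len]
        if opt_type == OPT_SRC_LLADDR:
            ra["src_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif opt_type == OPT_PREFIX_INFO:  # prefix length, flags, lifetimes, reserved, prefix
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        pos += opt_len
    return ra

def check_ra(payload: bytes) -> list:
    """Return alerts for an RA that a rogue host (host B in the text) could have sent."""
    ra = parse_ra(payload)
    alerts = []
    if ra["src_mac"] not in TRUSTED_ROUTERS:
        alerts.append(f"RA from untrusted link-layer address {ra['src_mac']}")
    for p in ra["prefixes"]:
        if ipaddress.IPv6Network(p) not in EXPECTED_PREFIXES:
            alerts.append(f"unexpected prefix {p} advertised")
    if ra["router_lifetime"] == 0:       # lifetime 0 removes RTR as default router (blackholing)
        alerts.append("RA withdraws default router (lifetime 0)")
    return alerts

def build_ra(src_mac: str, prefix: str, lifetime: int = 1800) -> bytes:
    """Build a constructed RA body (checksum left zero) for testing the checker offline."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, lifetime, 0, 0)
    lladdr = bytes([OPT_SRC_LLADDR, 1]) + bytes.fromhex(src_mac.replace(":", ""))
    net = ipaddress.IPv6Network(prefix)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                      2592000, 604800, 0) + net.network_address.packed
    return hdr + lladdr + pio
```

Running check_ra(build_ra("de:ad:be:ef:00:01", "2001:db8:bad::/64")) yields two alerts, while the legitimate router's RA yields none.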
Conclusion
The purpose of this project was to thoroughly study IPv6: its advantages, disadvantages, deployment and migration. As we realize, the transition from IPv4 to IPv6 requires going through a stage in which a peaceful co-existence of the two networks has to be ensured. Also, the migration is inevitable because the IPv4 address space is no longer capable of meeting the address demands of the world.