The ISP Column
An occasional column on things Internet
Other Formats: PDF   TXT  

Transitioning Protocols – Part 1
February 2011


Geoff Huston

In a previous article, in November 2010, I looked at some common myths associated with the transition to IPv6. This month I'd like to look behind the various opinions and perspectives about this transition, and look in a little more detail at the nature of the technologies being proposed to support the transition to IPv6.

After some time of hearing dire warnings about the imminent exhaustion of the stocks of available IPv4 address space, we've now achieved the first milestone of address exhaustion, the depletion of the central pool of IANA-managed address space. The last 5 /8s were handed out from IANA to the RIRs on the 3rd February. After some years of industry-wide general inattention and inaction with IPv6 perhaps it's not unexpected to now see a panicked response along the lines of "Maybe we should do something now!"

But what exactly should be done? It's one thing to decide to "support" IPv6 in a network, but quite another to develop a specific plan, complete with specific technologies, timelines, costs, vendors, and a realistic assessment of the incremental risks and opportunities. While working through some of this detail has the normal levels of uncertainty that you would expect to see in any environment that is undergoing constant change and evolution, an additional level of uncertainty here is a by-product of the technology itself.

There's not just one approach to adding support for IPv6 in your network, but many. And it's not just one major objective you need to address, namely incremental deployment of IPv6 as second protocol into your operational network without causing undue disruption to existing services, but two, as the second challenging objective is how to fuel continued growth in your network service platform when the current supply lines of readily available IPv4 addresses effectively dry up.

When?
 
The most common question I've heard recently is: "How long do we have?
 
The remaining pools of IPv4 address space continue to be drawn down. At the start of February 2011 the IANA pool was fully depleted with the final allocation to the RIRs of IPv4 addresses.
 
As an update on the September ISP Column the prediction for RIR address exhaustion, using a model based on monthly address demands now looks like the next 18 months or so will see the first three RIRs run dry of IPv4 addresses.
 
At present, its likely that APNIC be the first RIR to exhaust its available pool of IPv4 addresses, probably in April or May 2011, with the RIPE NCC following in late 2011 and ARIN in mid 2012. The analysis of the probability of the month when this will occur for each RIR and the associated variance of these so-called "exhaustion times" is shown in the figure below.
 

The good news is that many folk have been busy thinking about these inter-twined objectives of extending the useful lifetime of IPv4 in the Internet and simultaneously undertaking the IPv6 transition, and there are a wealth of possible measures you can take, and a broad collection of technologies you can use. Fortunately, we are indeed spoilt with choices here!

The not so good news is that many folk have been busy thinking about these inter-twined objectives, and there are a wealth of possible measures you can take, and a broad collection of technologies you cans use. These options may, or may not, be optimal for your particular circumstances, and may, or may not, be useful for you in mitigating address depletion and may, or may not, be consistent with your chosen longer term network objectives. Unfortunately, we are spoiled for choices here!

Let's have a look at each of the major transitional technologies that are currently in vogue, and look at their respective strengths and weaknesses and their intended area of applicability. In this column we'll look at this from the perspective of the end user. In the next part of this article we'll look at this from the other side, looking at options for ISPs.

V6 for End Clients

The Dual Stack ISP Client

If your service provider provides a dual stack service with both IPv6 and IPv4 then your task should be relatively straightforward. Configure your modem/router with IPv6 in addition to IPv4 and you are done, assuming of course that your local modem/router unit actually supports IPv6, which may not be the case in many of the older and, unfortunately, all too many of the currently available devices.

The conventional approach in this form of environment is to use IPv6 Prefix Delegation, where the ISP provides the client with an IPv6 prefix, usually a /48 or a /56 IPv6 address prefix, which is then passed into the client network via an IPv6 Router Advertisement. Local hosts should be configured to configure their IPv6 stack automatically, and your system should be connected as a dual protocol system.

There are, however, some caveats you probably need to be aware of, of which the most important difference is likely to relate to the probable absence of a NAT function in IPv6. These days most commercial IPv4 Internet services assign a single IP address to each client. To allow this address to be shared within the client's network, most IPv4 'edge' devices auto-configure themselves as a NAT device, permitting outgoing connections using TCP, UDP, and allowing some ICMP message types to traverse the NAT, but not much else. For many clients this NAT configuration becomes the default local security framework, as it permits outbound connections via TCP and UDP to be made, but not much else, and permits no sessions to be initiated as incoming sessions. With iPv6 the local network is probably going to be configured with an entire subnet, and instead of a NAT, this subnet will be directly connected to the Internet.

The local network is then in a mixed situation of being behind a NAT in IPv4, but being directly connected to the Internet using IPv6. This asymmetric configuration with respect to IPv4 and IPv6 raises some questions about the impact to the security of your local network. You need to think about adding appropriate filter rules to the gateway's IPv6 configuration that performs the same level of access control to your local site that you have already set up with IPv4 and the NAT. The best advice here is the need to configure some filter rules for IPv6 that limit the extent of exposure of your internal network to the broader Internet to be directly comparable to the configuration you are using with IPv4.

The IPv4 Only ISP Client

Even today, when the IPv4 pools are running dry, its really not very common to have an ISP offering dual stack IPv4 and IPv6 services. Lets look at the more common situation when your ISP is still only offering IPv4. As an end user, can you still set up some form of IPv6 access?

The answer is "Yes", but you are going to have to resort to tunnels, and the story can get somewhat ugly.

6to4 Tunnels

If you have public IPv4 addresses on your local network you may elect to configure your local system to use the 6to4 tunnelling protocol.

6to4 is an auto-tunnelling protocol, coupled with an addressing structure. The IPv6 address of a 6to4-reachable host begins with the IPv6 prefix 2002::/16 The address architecture embeds a 32 bit IPv4 address of the end host into the next 32 bits. That way the IPv6 address carries the 'equivalent' IPv4 address within the IPv6 address.
 
To send an IPv6 packet the local host must first tunnel through the local IPv4 network. To do this the local host encapsulates the IPv6 packet in an outer IPv4 packet header. The IP protocol used is neither TCP nor UDP, but protocol 41, an IP protocol number reserved for tunnelling IPv6 packets (RFC2473). The IPv4 packet is addressed to a IPv4-to-IPv6 relay. To avoid manual configuration of each client all these relays all share the same anycast address, 192.88.99.1. These relays strip the outer IPv4 packet header off the packet and forward the IPv6 packet into the IPv6 network. The IPv6 destination treats the packet normally, and generates a packet in response without any special processing. The reverse path to a 6to4 host uses a IPv6-to-IPv4 relay. The IPv6 address of the 6to4 local host started with the IPv6 address prefix 2002::/16, so the IPv6 packet that is being sent back to this host has a destination address that uses the 2002::/16 6to4 prefix. This prefix is interpreted as an anycast relay address. A route to the IPv6 2002::/16 prefix is advertised by IPv6-to-IPv4 relays. When they receive a packet destined to a 2002::/16 address the relay will lift the IPv4 address from inside the IPv6 address. They will then wrap the IPv6 packet in an IPv4 packet header, using as a destination address this extracted IPv4 address, and using protocol 41 as the IP protocol. The resultant IPv4 packet is then passed to the 6to4 host in the IPv4 network.
 

 
If the local network has public IPv4 addresses on the local network, then individual hosts on the local network may use 6to4 directly. Of course, if this is the case then the local gateway needs to be configured to accept incoming IP packets that use protocol 41.
 
An alternative is for the local network's gateway device to be configured as a 6to4 gateway, and use the IPv4 address on the ISP-side of the gateway as a common 6to4 address for the local network. The gateway then advertises this synthetic 48 bit IPv6 prefix to the interior network via a conventional IPv6 Router Advertisement. The gateway can couple this with a NAT function and provide native IPv6 to interior hosts who are configured on RFC1918 local IPv4 addresses.

In general, 6to4 is a relatively poor approach to provisioning IPv6, and really should be avoided if at all possible. Indeed, the user experience will probably be better overall if you stay running IPv4 and avoid accessing IPv6 via 6to4.

The major issue here is that a successful connection relies on the assistance of both an outbound and an inbound 6to4 third party relay. On the IPv4 side a 6to4 connection relies on the presence of a useable route to a IPv4-to-IPv6 relay, and preferably one that is as close as possible to the IPv4 endpoint. On the IPv6 side a 6to4 connection relies on a useable relay advertising a route to 2002::/16. Again, to avoid extended path overheads, this relay should be as close as possible to the IPv6 endpoint. This path asymmetry can cause connection 'black holes' where one party can deliver packets to the other but not the reverse.

Also, such configurations have problems if the IPv4 host is configured with stateful filters that insist that the IPv4 source address in incoming packets match the destination address of outgoing packets, which is not necessarily the case in a 6to4 connection.

Finally, it seems that many sites operate with firewall filters that disallow incoming packets other than TCP and UDP (and possibly some forms of ICMP). 6to4 packets using protocol 41, and there appears to be widespread use of filter rules that block such packets.

Tunnelling also adds an additional packet header to a packet, which inflates the size of the packet. Such an expansion of the packet on certain path elements of the network may cause path packet size issues, increasing the risk of encountering path MTU 'black holes' due to the increase of the packet size by 20 bytes when the IPv4 packet header is attached to the packet.

Teredo Tunnels

If the local network is behind an IPv4 NAT, and the NAT gateway does not support 6to4, then all is not lost, as there is another form of tunnelling that could be a possible answer. Teredo is described in RFC 4380.

Teredo, like 6to4, is an auto-tunnelling protocol, coupled with an addressing structure. Like 6to4, Teredo uses its own address prefix, and all Teredo addresses share a common IPv6 /32 address prefix, namely 2001:0000::/32. The next 32 bits are the IPv4 address of the Teredo server. The IPv6 interface identifier field is used to support NAT traversal and it is encoded with the triplet of a field describing the NAT type, the relay's view of the UDP port number used to reach the client (the external UDP port number used by the NAT binding for the client) and the relay's view of the IPv4 address used to reach the client (the external IPv4 address used by the NAT binding for the client).
 
Teredo uses what has become a relatively conventional approach to NAT traversal, using a simplified version of the STUN active probing approach to determine the type of NAT, and uses concepts of "clients", "servers" and "relays". A Teredo client is a dual stack host that is located in the IPv4 world, assumed to be located behind a NAT. A Teredo server is an address and reachability broker that is located in the public IPv4 Internet, and a Teredo relay is a Teredo tunnel endpoint that connects Teredo clients to the IPv6 network. The tunnelling protocol used by Teredo is not the simple IPv6-in-IPv4 protocol 41 used by 6to4. NATs are sensitive to the transport protocol and generally pass only TCP and UDP transport protocols. In Teredo's case the tunnelling is UDP, so all IPv6 Teredo packets are composed of an IPv4 packet header, a UDP transport header, followed by the IPv6 packet as the UDP payload. Teredo uses a combination of ICMPv6 message exchanges to set up a connection and tunnelled packets encapsulated using an outer IPv4 header and a UDP header, and contain the IPv6 packet as a UDP payload.
 
It should be noted that this reliance on ICMP6 to complete an initial protocol exchange and confirm that the appropriate NAT bindings have been set up is not a conventional feature of IPv4 or even IPv6, and IPv6 firewalls that routinely discard ICMP messages will disrupt communications with Teredo clients.
 
The exact nature of the packet exchange in setting up a Teredo connection depends on the nature of the NAT device that sits in front of the Teredo client. An example packet exchange that Teredo uses when the client is behind a Restricted NAT is shown below.
 

Teredo represent a different set of design trade-offs as compared to 6to4. In its desire to be useful in an environment that includes NATs in the IPv4 path Teredo is a per-host connectivity approach, as compared to 6to4's approach which can support both individual hosts and entire end sites within the same technology. Also, Teredo is a host-centric multi-party rendezvous application, and Teredo clients require the existence of dual stack Teredo servers and relays that exist in both the public IPv4 and IPv6 networks. Teredo is more of a connectivity tool than a service solution, and one that is prone to many forms of operational failure.

On the other hand, if you are an isolated IPv6 host behind an IPv4 NAT, and you want to access the IPv6 network then 6to4 is not an option, and you either have to set up static tunnels across the NAT to make it all work, or you can turn on Teredo in your dual stack host and you if everything goes according to theory, you should be able to establish IPv6 connectivity.

Tunnel brokers

In contrast to these auto-tunnel approaches, the simplest form of tunnelling IPv6 packets over an IPv4 network is the manually configured IPv6-in-IPv4 tunnel.

Here an IPv6 packet is simply prefixed by a 20 octet IPv4 packet header. In the outer IPv4 packet header the source address is the IPv4 address of the tunnel ingress, the destination address is the IPv4 address of the tunnel egress and IP protocol field uses value 41, indicating that the payload is an IPv6 packet. The packet is passed across the IPv4 network from tunnel ingress to egress using conventional IPv4 packet forwarding, and at the egress point the IPv4 IP packet header is removed and the inner IPv6 packet is routed in an IPv6 network as before. From the IPv6 perspective the transit across the IPv4 network is a single logical hop.

Alternatively, like VPN tunnels, the tunnel can be configured using UDP or TCP, and with some care, the tunnel can be configured through NATs in the same way as VPN tunnels can be configured through NATs.

The advantage of this approach is that the need to manually configure the tunnel endpoints ensures that the tunnel relay function is not provided, intentionally or unintentionally by third parties through some well-intentioned, but ultimately random, act of goodwill. The need to perform a manual configuration also reduces the chances that the tunnel is broken through local firewall filters. Of course the need to perform a manual configuration does not lend itself to a plug-and-play environment, nor is this a viable approach for a larger mass market of consumer devices and services.

Summary

None of these approaches to offer IPv6 connectivity to end hosts behind an IPv4-only service provider offer the same level of robustness and performance as compared to native IPv4 services. All of these approaches require a significant degree of local expertise to set up and maintain, and often require a solid understanding of other aspects of the local environment, such as firewall and filter conditions and path MTU behaviour to maintain. With the exception of the tunnel broker approach, they also require third party assistance to support the connection, which further adds to the set of potential performance and reliability issues.

It appears that the most robust and reliable way to provision IPv6 to end hosts is for the service provider to provision IPv6 as an integral part of their service offering, and offer clients a dual stack service in both IPv4 and IPv6.

In the second part of this article we'll look at the options for service providers to provision dual stack services to their clients.

Disclaimer

The above views do not necessarily represent the views of the Asia Pacific Network Information Centre.

About the Author

 
 
GEOFF HUSTON is the Chief Scientist at APNIC, the Regional Internet Registry serving the Asia Pacific region.

www.potaroo.net