Transcription
NAT and IPv6:We meet at last!Paul FrancisCornell [email protected]
NAT and IPv6:We meet at last!History and evolution of IPv6 and NAT Teredo: NAT and IPv6 collide andform a new particle Possible futures of IPv6 and NAT? 1/27/2004Paul Francis, NANOG
IPv6 evolutionary tree(1992-1993 time frame)CATNIP (Ullman)NIMROD (Chiappa)Many others .XTUBA (Callon)XPip Pv6Committeeof ExpertsPaul Francis, NANOG
IPng proposals in a nutshellTUBA: OSI’s CNLP Pip: New header structure z64-bit unique ID, plus a stack ofrouting labelsSIP: A simplified IPv4 with 64 bitaddresses IPAE: Originally IPv4-over-IPv4, laterthought of as a transition mechanism 1/27/2004Paul Francis, NANOG
View of the world, circa 1990 Just starting to worry about addressdepletionz Mainly because of poor utilization, notnumber of hosts (class A, B, C)IP was still “the identifier”Long term stable, globally uniquez DNS not universally deployedz Note: This is before the web!1/27/2004Paul Francis, NANOG
IPv6 and NAT historyCIDRIPv6“Selected”ROADGroup started1990IPv6 RFC199219941996199820002003NAT RFCOriginalNAT paper1/27/2004First NATproductsPaul Francis, NANOGROAD ROuting and AddressingCIDR Classless Interdomain RoutingNAT Network Address Translation
Original goals of IPv6:IPv4 with bigger addresses Different proposals had different goalsThere was never a real requirementsprocessz IPv6 reflects Deering’s goalszBigger addresses Simplify the header, fix a few minorproblems Otherwise change as little as possible! 1/27/2004Paul Francis, NANOG
In particular No new routing architecture No new security architecture No new QoS architecture Improved auto-configuration, mobility(maybe), multicast1/27/2004Paul Francis, NANOG
Increased use of NAT anddynamic IP addressesCIDRIPv6“Selected”ROADGroup started1990PPPRFCsIPv6 RFC199219941996NAT RFCDHCPRFCOriginalNAT paper1/27/2004First NATproducts1998IncreasingNAT anddynamicaddressingPaul Francis, NANOG20002003PPP Point-to-Point ProtocolDHCP Dynamic Host ConfigurationProtocol
Disadvantages of NAT State in network (though firewalls have state anyway) Slow/expensive processing (though not in the core where it really matters) Breaks apps that carry IP addresses (though people know not to do this now) Breaks with IP segmentation (but you don’t want to segment anyway) Doesn’t allow incoming connections!! (but some firewalls prevent this anyway!)1/27/2004Paul Francis, NANOG
IETF continues to willfullyignore NATCIDRIPv6“Selected”ROADGroup started1990PPPRFCsIPv6 RFC19921994MobileIP RFCs1996NAT RFCDHCPRFCOriginalNAT paper1/27/2004First NATproductsNAT incompatibleprotocols!IPsecRFCsSIP (VoIP)RFC1998IncreasingNAT anddynamicaddressingPaul Francis, NANOG20002003IPsec IP SecuritySIP Session Initiation ProtocolVoIP Voice over IP
How did NAT harm theinternet? For client/server protocols, very littleharmzWeb, email, FTP, Net news, IRC(chat)Clients can contact servers, manymore clients than servers Various ways to identify clients z1/27/2004Email address, PPP NAI, HTTPcookies, SIP URIs, MIP NAI, . . .Paul Francis, NANOGFTP File Transfer ProtocolIRC Internet Relay ChatNAI Network Access IdentifierURI Uniform Resource Identifier
How did NAT harm theinternet?For peer-to-peer applications, whoknows? If not for NAT, we might now beregularly using internet phone, haveall kinds of interesting groupapplications, etc. z But then again, we might not But this wasn’t enough motivation tomigrate to IPv61/27/2004Paul Francis, NANOG
IPv6 addressing goesthrough various mutationsCIDRIPv6“Selected”ROADGroup started1990PPPRFCs“Site-local” (private) addressesHost multiple addressingNAT-PT v4-v6 translation6to4 global auto-tunnelingISATAP local auto-tunnelingIPv6 RFC199219941996NAT RFCDHCPRFCOriginalNAT paper1/27/2004First NATproducts1998IncreasingNAT anddynamicaddressingPaul Francis, NANOG20002003IPsec IP SecuritySIP Session Initiation ProtocolVoIP Voice over IP
IPv6 address mutationsSite-local prefix16ID (64)Site-assigned NAT-PT Prefix (96)Prefixa.b.c.d16Normal IPv6 prefix1/27/2004a.b.c.dID (64)“ISATAP”a.b.c.dPaul Francis, NANOGSite-localaddressIn-siteNAT-TP6to4ISATAP
Dan kegel’s NATbreakthroughCIDRIPv6“Selected”ROADGroup started1990PPPRFCs“Site-local” (private) addressesHost multiple addressingNAT-PT v4-v6 translation6to4 global auto-tunnelingISATAP local auto-tunnelingIPv6 RFC1992199419961998NAT RFCDHCPRFCOriginalNAT paper1/27/2004IncreasingNAT andFirst NAT dynamicproducts addressingPaul Francis, NANOG20002003Dan Kegelsolves incomingNAT problem(Activision)IETF quietlyignores it!
Packet can’t come in untilNAT box has l Francis, NANOG2.1.1.110.1.1.2
Steve and Bob register withglobally addressed serverApp: I’m steveUDP: 1234IP: 1.1.1.1ApplicationServerApp: I’m bobUDP: 5678IP: 1Paul Francis, NANOGbob10.1.1.2
Server tells Steve and Bobeach other’s NAT mappingApplicationServerI want to talkto bob1.1.1.110.1.1.11/27/2004stevebob is at2.1.1.1:567810.1.1.1Paul Francis, NANOGsteve is at1.1.1.1:12342.1.1.1bob10.1.1.2
Steve sends “bubble packet”to create his mapping1.1.1.110.1.1.11/27/2004steveNo “pinhole”here yet2.1.1.1:5678XCreates “pinhole”in steve’s NAT10.1.1.1Paul Francis, NANOG2.1.1.1bob10.1.1.2
Bob does the same, but thispacket gets eates “pinhole”in bob’s NAT2.1.1.110.1.1.1Paul Francis, NANOGbob10.1.1.2
Steve and Bob can 1.1:56782.1.1.110.1.1.1Paul Francis, NANOGbob10.1.1.2
Limitations of this approach Doesn’t work with some kinds of NATsz NAT must always assign same external portto a given internal portDoesn’t work for TCPzBecause TCP is usually asymmetric expects a listener and a connecter Windows OSs and some firewalls enforce thisz We have a project to fix this problemMany corner cases (for instance, two hostsbehind same NAT)1/27/2004Paul Francis, NANOG
Sea change in IETF attitudetowards NATCIDRIPv6“Selected”ROADGroup started1990PPPRFCsIPv6 RFC19921994STUN and ICEMobile IP over UDPIPsec over UDPSIP (VoIP) IPv6 over UDP (Teredo)RFCIPsecRFCsMobileIP RFCs19961998NAT RFCDHCPRFCOriginalNAT paper1/27/2004IncreasingNAT andFirst NAT dynamicproducts addressingPaul Francis, NANOG20002003Dan Kegelsolves incomingNAT problem(Activision)STUN Simple Traversal of UDP through NATsICE Interactive Connectivity Establishment
NAT Friendliness STUN/ICE/TURNzz IPsec or MIP over UDPz Protocols that utilize SIP (Session InitiationProtocol) to punch through NATsDoesn’t allow direct P2P TCP connectionsNAT-friendly encapsulationsTeredo (IPv6-over-UDP)zz1/27/2004Utilizes IPv6 to punch through NATsRequires stack change in OSPaul Francis, NANOG
Teredo (where NAT meetsIPv6) IPv6 address containseverything needed to punchthrough NATs:zzzTeredoPrefix321/27/2004global addr and portTeredo server addressType of NAT boxTeredo Server NATtypeIPv4 Addr3216Paul Francis, NANOGTCP/UDPIPv6UDPIPv4global Global IPv4portAddress1632
Teredo, STUN/ICE, andIPv6 status Microsoft is pushing Teredozz SIP community is moving ahead withSTUN/ICEz As the basis of its P2P toolkit APIIn its 3degrees P2P applicationNot sure how productized it isIPv6 --- hard to readz1/27/2004Still not “critical” in Asia as of one year agoPaul Francis, NANOG
Possible futures P2P community converges on STUN/ICE or TeredozDemand for IPv6 routers never materializes Or this spurs demand for IPv6 routers? I doubt it.zzzFirewalls, management tools, etc. evolve to supportSTUN/ICE or TeredoThis is the best outcomeI like STUN/ICE better than Teredo Nicer naming, and I think we know how to solve TCPissue Or, no convergence, P2P world remains ad hoc andfragmentedzz1/27/2004But I still don’t think we’ll see IPv6 in routersLikely future if IETF doesn’t accept NAT Paul Francis, NANOG
1/27/2004 Paul Francis, NANOG IPv6 evolutionary tree (1992-1993 time frame) Pip (Francis) IPAE (Hinden) SIP (Dee
