
Address Autoconfiguration
Manually configuring IP addresses in hosts is a tedious task. Managing static addresses assigned to hosts is also difficult, especially when you need to change static addresses. In IPv4, a Dynamic Host Configuration Protocol (DHCP) server lets you maintain a pool of IP addresses. A host can lease an address and obtain configuration information (such as a default gateway and DNS servers) from the DHCP server, which lets the host automatically configure its IP address. IPv6 inherits this autoconfiguration service from IPv4 and refers to it as stateful autoconfiguration.

In addition to stateful autoconfiguration, IPv6 introduces a stateless autoconfiguration service, which provides more flexible address management. In the stateless autoconfiguration process, a host first generates a link-local unicast address by appending its 64-bit NIC ID to the link-local address prefix 1111111010. (The Institute of Electrical and Electronics Engineers, IEEE, has changed the old 48-bit globally unique NIC ID, or GUID, to a 64-bit GUID known as EUI-64. If the NIC ID is 48 bits, the NIC driver for IPv6 converts the 48-bit NIC ID to a 64-bit ID according to an IEEE formula.) The host then sends a query, called neighbor discovery, to the same address to verify that the link-local unicast address is unique. If there is no response, the self-configured link-local unicast address is unique; otherwise, the host uses a randomly generated interface ID to form a new link-local unicast address. Using this link-local address as the source address, the host multicasts a request for configuration information, called router solicitation, to all routers on the local link. The routers respond with a router advertisement that contains an aggregatable global unicast address prefix and other relevant configuration information. The host automatically configures its global address by appending its interface ID to the global address prefix it received from the router. Now the host can communicate with any other host on the Internet. Figure 2 illustrates the stateless autoconfiguration process.
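As an added example (not code from the article), the address-forming steps above in Python: the IEEE conversion of a 48-bit NIC ID into a 64-bit interface ID, the link-local address, the uniqueness check with a random-ID fallback, and the global address formed from the router-advertised prefix. The MAC address, the prefix and the `in_use` set that stands in for the answers a neighbor-discovery query would get on the link are all constructed.

```python
import ipaddress
import random

LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")   # prefix bits 1111111010, zero-padded to /64

def eui64_from_mac(mac: str) -> int:
    """Modified EUI-64 interface ID from a 48-bit MAC (the IEEE conversion): insert
    0xFFFE between the vendor part and the device part, then flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02                      # universal/local bit: 1 = globally unique hardware ID
    return int.from_bytes(eui, "big")

def from_prefix(prefix: ipaddress.IPv6Network, interface_id: int) -> ipaddress.IPv6Address:
    """Append a 64-bit interface ID to a /64 prefix (link-local or router-advertised)."""
    if prefix.prefixlen != 64:
        raise ValueError("need a /64 prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | interface_id)

def stateless_autoconf(mac: str, advertised_prefix: str, in_use: set, rng=None) -> tuple:
    """Stateless autoconfiguration as described in the text: form the link-local address,
    check it for uniqueness (`in_use` is a constructed stand-in for the neighbor-discovery
    answers on the link), fall back to a random interface ID on a collision, then form the
    global address from the advertised prefix with the same interface ID."""
    rng = rng or random.SystemRandom()
    iid = eui64_from_mac(mac)
    link_local = from_prefix(LINK_LOCAL, iid)
    if link_local in {ipaddress.IPv6Address(a) for a in in_use}:
        iid = rng.getrandbits(64) & ~(1 << 57)     # random ID with the universal bit cleared
        link_local = from_prefix(LINK_LOCAL, iid)
    global_addr = from_prefix(ipaddress.IPv6Network(advertised_prefix), iid)
    return link_local, global_addr
```

Because an EUI-64 interface ID embeds the hardware address, it identifies the host and its NIC vendor on every network it joins; the random interface IDs later standardized as privacy extensions (RFC 4941) look like the collision fallback here.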

With stateless autoconfiguration, you can change all your network addresses without intervening manually. For example, when you switch to a new ISP, you will be given a new aggregatable global address prefix. The ISP can propagate the prefix from its router to your routers. Your routers advertise the prefix to all hosts in your network, because the routers periodically multicast the router advertisements to all the hosts on their local links. The new addresses replace the old addresses when the hosts receive the new address prefix through the router advertisements.

IP Security
Security is always an important topic on the Internet, and the original IP design did not address security. You probably have heard stories about hackers in the early days of the Internet who attacked government, military, and corporate networks and stole sensitive information. To increase Internet security, IETF developed a set of IP Security (IPSec) protocols that have protected IP communications since 1995. IPSec is part of IPv6 and an optional extension to IPv4.

IPSec supplies two security features: authentication and encryption. Authentication lets you know that the data you receive came from the actual sender and was not altered in transit. Authentication deters hackers from attacking your network and data. Encryption encodes data to provide data confidentiality, and it prevents hackers from decoding the data while it traverses the network. The Authentication Header (AH) protocol in IPSec defines the way you can use authentication. The Encapsulating Security Payload (ESP) protocol in IPSec defines the way you can apply encryption and optional authentication. You can use either or both of the protocols in your IP communications, based on your security requirements. Both AH and ESP can provide authentication, but AH provides stronger authentication than ESP does.

When you apply AH or ESP in a specific communication, the protocol is associated with a set of security information and services. This association is referred to as a Security Association (SA). An SA might include the authentication algorithm, the encryption algorithm, and the keys for authentication and encryption. IPSec uses a key distribution and exchange protocol, such as the Internet Security Association and Key Management Protocol (ISAKMP), to establish and maintain the SA. An SA is a one-way logical connection. For example, authenticated communication between two hosts uses two SAs, one in each direction.

IPSec defines two types of SAs: transport mode and tunnel mode. The transport-mode SA inserts the AH or ESP header after the IP header (and any optional extension headers) and before any upper-layer headers (such as the TCP or UDP header) and data. (See the sidebar "What's New in the IPv6 Header?" to learn about IPv6 headers.) The tunnel-mode SA, however, puts the entire original IP packet into a new IP packet. You will see two IP headers for each packet in tunnel mode: an outer header specifying the destination for IPSec processing, and an inner header specifying the ultimate destination of the packet. You can use the transport-mode SA only between two hosts, but you can use the tunnel-mode SA between two hosts, between two security gateways, or between a host and a security gateway. A security gateway can be a router, a firewall, or a Virtual Private Network (VPN) device.

An important application of IPSec is VPN, which secures communications between networks connected through a public network, such as the Internet. Figure 3, page 206, shows an IPSec-enabled VPN, in which you can apply the two SA modes according to your security requirements. For example, if you treat your internal network as a trusted network, you can use tunnel mode between your network's two security gateways. Within the same network, a packet travels between a host and the security gateway; the security gateway encrypts packets bound for the Internet and decrypts packets arriving from the Internet. If you need to protect communication all the way from a host in your network to a host in a different network, you can establish a secure channel between the two hosts with transport mode or tunnel mode. Figure 3 shows that a mobile host attached to the Internet can use IPSec to communicate with its home network without a security leak.

IPSec, as a part of IPv6, is a network layer protocol. It deals with underlying network security regardless of the higher-layer applications, such as Web, email, and file transfer. To authenticate a Web session, you still need the Secure Sockets Layer (SSL) protocol. However, protocols in the TCP/IPv6 suite can take full advantage of IPSec. For instance, the Open Shortest Path First (OSPF) routing protocol for IPv6 removed the authentication feature you find in OSPF for IPv4, relying on IPSec instead.

IPv6 Transition
The benefits of IPv6 are the driving force behind a worldwide effort to upgrade the Internet and corporate networks to IPv6. This global upgrade is not an overnight project. IETF recognized that it will be impossible for all systems on the Internet and corporate networks to upgrade from IPv4 to IPv6 at once. Mixed and heterogeneous IPv6 and IPv4 systems will need to coexist on the Internet for a long time. As part of the IPv6 development effort, IETF defined the processes that will drive the transition from IPv4 to IPv6, including three mechanisms: the IPv4-compatible IPv6 address, dual IP stacks, and IPv6 over IPv4 tunneling.

The IPv4-compatible IPv6 address is a special IPv6 unicast address that an IPv6 and an IPv4 node can use to communicate over an IPv4 network. This address has a prefix of 96 zero bits followed by a 32-bit IPv4 address. For example, if a node's IPv4 address is 192.56.1.1, its IPv4-compatible IPv6 address will be 0:0:0:0:0:0:C038:101.

The dual IP stack mechanism implements both IPv6 and IPv4 stacks on one system, either a host or a router. Such a system, an IPv6 and IPv4 node, has both IPv6 and IPv4 addresses and can send and receive IPv6 and IPv4 packets.

Compared to the dual IP stack mechanism, IPv6 over IPv4 tunneling is a more complicated method. The tunneling mechanism encapsulates IPv6 data inside IPv4 packets to carry IPv6 data between an IPv6 node and an IPv4 node over existing IPv4 networks, such as the Internet. Three steps are involved in the tunneling process: encapsulation, decapsulation, and tunnel management. In encapsulation, the tunnel entry point creates an IPv4 header, encapsulates the IPv6 packet in a new IPv4 packet, and transmits the packet. In decapsulation, the tunnel endpoint removes the IPv4 header, recovers the original IPv6 packet, and processes it. Finally, in tunnel management, the tunnel entry point maintains the tunnel configuration information, such as the maximum transmission unit (MTU) size that the tunnel supports.

There are four tunneling scenarios: router-to-router, host-to-router, host-to-host, and router-to-host. In the network that Figure 4 shows, which uses an IPv4 routing infrastructure to carry IPv6 packets, you can apply one of the four tunneling scenarios according to the specific communication between two hosts. For example, when Host 2 sends an IPv6 packet to Host 4, Router A will encapsulate the IPv6 packet in an IPv4 packet destined for Router B. When Router B receives the IPv4 packet, it decapsulates the packet and forwards it to Host 4. In this tunneling, the tunnel endpoint (Router B) is not the packet's final destination (Host 4). The tunnel entry point (Router A) must determine the tunnel endpoint and find the tunnel endpoint's address from configuration information when the tunnel entry point establishes the tunnel. Therefore, this type of tunneling is called configured tunneling. When Host 7 sends a packet to Host 1, Host 7 establishes a host-to-router tunnel between itself and Router A. Because Router A is not the packet's final destination, this host-to-router tunneling is also configured tunneling.

When a host with an IPv4-compatible IPv6 address sends a packet to another host with an IPv4-compatible address through an IPv4 routing network, the source host can establish a host-to-host tunnel. The tunnel entry point, the source host, determines that the destination host is the tunnel endpoint and automatically extracts the low-order 32 bits of the IPv4-compatible address to determine the tunnel endpoint's address. This type of tunneling is called automated tunneling. In automated tunneling, the tunnel endpoint is always the packet's ultimate destination. For example, in Figure 4, when Host 5 sends a packet to Host 7, it can use automated tunneling from Host 5 to Host 7. Automated tunneling also applies to the router-to-host tunneling scenario. For instance, when Host 4 sends a packet to Host 5, Host 4 can use automated tunneling from Router B to Host 5.
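An added example (not the article's code) that ties the three transition mechanisms together: forming an IPv4-compatible address as in the 192.56.1.1 example, choosing the tunnel endpoint by automated tunneling (low-order 32 bits) or from configured tunnel information, and the encapsulation and decapsulation steps with an IPv4 outer header carrying protocol number 41. The configured-tunnel table and all addresses are constructed.

```python
import ipaddress
import struct

PROTO_IPV6 = 41   # IPv4 protocol number that marks an encapsulated IPv6 packet

def ipv4_compatible(ipv4: str) -> ipaddress.IPv6Address:
    """IPv4-compatible IPv6 address: 96 zero bits followed by the 32-bit IPv4 address."""
    return ipaddress.IPv6Address(int(ipaddress.IPv4Address(ipv4)))

def tunnel_endpoint(dst6: str, configured: dict) -> tuple:
    """Automated tunneling when the destination is IPv4-compatible (the endpoint is its
    low-order 32 bits); otherwise a configured tunnel, looked up by IPv6 prefix in
    `configured`, a constructed stand-in for the entry point's tunnel configuration."""
    a = ipaddress.IPv6Address(dst6)
    if 1 < int(a) < 1 << 32:                       # ::/96, excluding :: and ::1
        return "automated", ipaddress.IPv4Address(int(a))
    for prefix, endpoint in configured.items():
        if a in ipaddress.IPv6Network(prefix):
            return "configured", ipaddress.IPv4Address(endpoint)
    raise LookupError(f"no tunnel endpoint configured for {dst6}")

def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of 16-bit words; over a valid header it yields 0."""
    s = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def encapsulate(ipv6_packet: bytes, src4: str, dst4: str, ttl: int = 64) -> bytes:
    """Tunnel entry point: prepend a 20-byte IPv4 header (protocol 41) to the IPv6 packet."""
    if ipv6_packet[0] >> 4 != 6:
        raise ValueError("payload is not an IPv6 packet")
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6_packet), 0, 0x4000, ttl,
                      PROTO_IPV6, 0, ipaddress.IPv4Address(src4).packed,
                      ipaddress.IPv4Address(dst4).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ipv6_packet

def decapsulate(ipv4_packet: bytes) -> bytes:
    """Tunnel endpoint: validate the outer header, strip it, and return the IPv6 packet."""
    ihl = (ipv4_packet[0] & 0x0F) * 4
    if ipv4_packet[0] >> 4 != 4 or ipv4_packet[9] != PROTO_IPV6:
        raise ValueError("not an IPv6-over-IPv4 packet")
    if ipv4_checksum(ipv4_packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total = struct.unpack("!H", ipv4_packet[2:4])[0]
    inner = ipv4_packet[ihl:total]
    if inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    return inner
```

The checks in `decapsulate` (outer version, protocol 41, header checksum, inner version) are the minimum a tunnel endpoint should apply before handing a packet that arrived from the IPv4 side to its IPv6 stack.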

The dual IP stack and IPv6 over IPv4 tunneling mechanisms let you migrate your network from IPv4 to IPv6 at a controllable pace. Before your IPv6 transition, you must have a new DNS server in place that supports both IPv4 and IPv6. You can use the new resource record type AAAA for an IPv6 host and address in the DNS server, and the record type A for an IPv4 host and address. The new DNS server will handle both AAAA and A records for IPv6 and IPv4 nodes. Currently, the new versions of UNIX operating systems (OSs) from Digital Equipment, IBM, and Sun Microsystems support the new DNS and IPv6. Although Microsoft DNS in Windows NT Server 4.0 includes the AAAA record type, Microsoft TCP/IP for NT doesn't speak IPv6 yet.

Where Are You Going Today?
IPv6 is the long-term solution to building a reliable, manageable, secure, and high-performance Internet and IP network. Now that you understand IPv6's important features and benefits, you must know where you plan to go to apply this new technology to your network. Study IPv6, add it to your long-term project plan, get your hands on it, ask vendors to support it, integrate it into your network upgrade, and deliver it to your clients. You might be curious about Microsoft's support for IPv6 in NT 4.0 and 5.0. Unfortunately, whether and how Microsoft will support IPv6 is mainly a mystery. However, Microsoft is implementing IPSec in NT 5.0, a subject I will address in a future article. Microsoft might not completely support IPv6 now, but the Internet is off and running to a new destination, and its name is IPv6.


Reader Comments

Excellent article on IPv6. Inculcates the interest to know more about IPv6. Thanks

Anonymous User
