IPv6过渡、IVI原理和CNGI试商用部署(1)

IPv6过渡、IVI原理和CNGI试商用项目部署CERNET李星、包丛笑、马严、赵钦2010-07-142大纲•过渡的需求–IPv4地址耗尽•过渡技术分析–双栈、隧道、翻译•IVI的核心技术–地址格式–协议翻译•CNGI试商用部署安排–地址分配–路由–子网和端系统–域名解析•几种场景分析3过渡需求（1）•国家需求–IP地址需求面临大幅攀升•我国互联网用户数：3.6亿仅占人口总数的27%•大力发展的物联网将大量使用IP地址–技术创新国家战略•网络标准、技术、设备和管理–安全监控•用户需求–用户需要上网，但不关心IPv4/IPv64过渡需求（2）5过渡的事实•IPv4和IPv6是不兼容的协议。•没有切换的旗帜日。•IPv4地址要在2012年耗尽。–还仅剩16/8未分配6CERNET十年来的过渡实践TranslationIVIBi-directionStatelessTranslationIETFBehaveWGDual-StackNFSCNETIPv6onlyCERNET2•100universities•1MsubscribersTunnelIPv6overIPv4CERNET-6BoneTunnelIPv4overIPv6IETFsoftwireWGRFC5565SAVI•IETFWG•IETFRFC5210IPv4CERNET•1500universities•20Msubscribers199420012004200520081998200620077CERNET(IPv4)CERNET2(IPv6)GlobalIPv4GlobalIPv6IVIIVIIPv4-accessibleservers/clients•重载•收费•轻载•免费8流量比较IPv4IPv69过渡技术分析•双栈•隧道–6over4–4over6•翻译–IVI–NAT6410过渡技术•双栈–技术可行、无经济上的动力–终端可行、网络实施有困难•隧道–必须与双栈结合•翻译–技术困难、经济合理11隧道技术分类•6over4–Tunnelbroker–Manualconfiguredtunnel–6to46RD(auto)–isatap(auto)–Teredo(auto)–Mesh6PE(BGP)•4over6–Mesh(BGP)–HubsandspokesDual-stacklite12隧道技术图示DS-lite6RD13翻译技术分类•无状态–IPv6表示IPv4：基于算法的地址嵌入–IPv4表示IPv6：基于算法的地址嵌入•有状态–IPv6表示IPv4：基于算法的地址嵌入–IPv4表示IPv6：基于会话的动态生成14翻译技术使用场景Scenario1“anIPv6networktotheIPv4Internet”Scenario2“theIPv4InternettoanIPv6network”xlateTheIPv4InternetAnIPv6NetworkDNSxlateAnIPv6NetworkDNSAnIPv4NetworkxlateTheIPv4InternetAnIPv4NetworkDNSxlateDNSTheIPv6InternetTheIPv6InternetScenario3“anIPv4networktotheIPv6Internet”Scenario4“theIPv6InternettoanIPv4network”Scenario5“anIPv6networktoanIPv4network”Scenario6“anIPv4networktoanIPv6network”Scenario7“theIPv6InternettotheIPv4Internet”Scenario8“theIPv4InternettotheIPv6Internet”IVI{NAT64IVI{NAT64NAT6415无状态翻译（IVI）的核心技术•基本原理•地址格式•协议翻译•域名翻译16无状态翻译技术基本原理TheIPv4InternetC/STheIPv6InternetAnIPv6networkAnIVInetworkCC/SIVI•Sameasinthe1:1IVIFFIPv4AddressAll0LIR0324072127IPv4-converted/IPv4-translatableaddressformatDNSALGasIPv4/6translatorIPv4DomainIPv6DomainA/MXRequestA/MXResponseAAAARequestAAAAResponse17地址格式的意义IPv6IPv4RealIPv6hostRealIPv4hostmirroredIPv6hostmirroredIPv4hostIVI18IVI地址格式MappingRule:IPv4addressesareembeddedfrombit40tobit72oftheIPv6addressesofaspecific/32.Example:ISP’sIPv6/322001:250::/32borrowedIPv4address(IVI4):202.38.108.0/24mappedIVIIPv6address(IVI6):2001:250:ffca:266c::/6419IVI地址映射原理（1）Bi-dirborrowingIPG6IPS6(i)IVI4(i)IVIG46(i)IVI6(i)4664IPS4(i)IPG4Itisthe(end)userswhoarecommunicatingwithusers/contentslocatedinIPv4(IPG4&&allotherIVI4(j))viaIVIG46(i).20IVI地址映射原理（2）IVIG46(i)IVI6(i)IVIG46(j)IVI6(j)IPG4IVI4(i)Bi-dirborrowing64IVI4(j)464664IPS6(i)IPS6(j)IPG621IVI路由原理RoutingandmappingconfigurationexampleiprouteIVI4/k192.168.1.1iproute0.0.0.00.0.0.0192.168.1.2ipv6route2001:DB8:FF00::/402001:DB8::1IVIR1R2192.168.1.12001:DB8::12001:DB8::2192.168.1.2IPv4IPv6ipv6routeIVI6/(40+k)2001:DB8::2mrouteIVI4-networkIVI4-maskpseudo-addressinterfacesource-PFdestination-PFmroute6destination-PFdestination-PF-pref-len22IVI可达性矩阵IPG4IVIIPG6IPG4OKOKNOIVIOKOKOKIPG6NOOKOK23头翻译(IPv4IPv6)IPv4FieldTranslatedtoIPv6Version(0x4)Version(0x6)IHL(discarded)TypeofService(discarded)TotalLengthPayloadLength=TotalLength-IHL*4Identification(discarded,cf.SubsectionV-C)Flags(sameasabove)Offset(sameasabove)TimetoLiveHopLimitProtocolNextHeaderHeaderChecksum(discarded)SourceAddressApplyIVIstatelessaddressmappingDestinationAddr.(sameasabove)Options(discarded)24头翻译(IPv6IPv4)IPv6FieldTranslatedtoIPv4HeaderVersion(6)Version(4)TrafficClass(discarded)FlowLabel(discarded)PayloadLengthTotalLength=PayloadLength+20NextHeaderProtocolHopLimitTTLSourceAddressApplyIVIinverseaddressmappingDestinationAddr.(sameasabove)—IHL=5—HeaderChecksumrecalculated25头翻译的难点（1）•MTU和分片–IPv6头比IPv4头大20字节–IPv6仅允许端系统分片–IPv6最小的MTU=1280–IPv4允许路由器分片•MTU处理方法–PMTUD–Fragmentation–TCPMSS26头翻译的难点（2）•ICMP翻译–与地址格式有关的翻译•ICMP出错消息翻译–包含IP头的出错消息翻译•产生ICMP出错消息–DDoS处理、源地址处理•传输层校验和处理–非checksumneutral地址问题•与RFC2460不兼容的IPv6网络和主机处理–MTU–ID27Linux原型系统结构•DNS46•ForprovidingprimaryDNSserviceforIVI4(i)andIVI6(i),eachhostwillhavebothAandAAAArecords•AuthoritativeDNSserver–Example–:ffca:266c:200::–•DNS64•ForresolvingIVIG46(i)forIVI6(i),useIVIDNStodothedynamicmappingbasedontheIVIrule.•CachingDNSserver–Example––:ff12:0716:5300::29CNGI试商用部署安排•目标•关键技术–地址分配–路由–子网和端系统–域名解析•排错•进度30CNGI试商用IPv4/IPv6过渡系统•目标–在CNGI-CERNET2上建立有100个校园网参加的IPv4向IPv6过渡的试商用系统，为中国商业网的继续发展提供能与全世界IPv4和IPv6网络互联互通的IPv4/IPv6过渡解决方案。•建设内容–可扩展可分步实施的IPv4/IPv6过渡技术–IPv4/IPv6过渡核心设备–IPv4/IPv6过渡边界设备–IPv4/IPv6过渡管理系统–校园网试商用实施–IPv4/IPv6过渡域名转换系统31CNGI试商用IPv4/IPv6过渡系统（翻译）•主干网IVI（一期8月10日以前完成）–无状态（1:1IVI）–必须使用IVI地址–支持双向发起的通信•校园网IVI（二期10月）–有状态（NAT64）–可以使用任意地址–仅支持IPv6发起的通信32CNGI试商用IPv4/IPv6过渡系统（IVI）主干IVI设备CNGI-CERNET2IPv6/32校园网IPv6/48IPv4InternetIPv6Internet主干IVIIPv6计算机主干IVIDNSIPv4/20校园IVI设备校园IVIDNS校园网校园IVI网管主干IVI网管IP/4计算机CERNET网管中心校园IVIIPv6计算机校园Non-IVIIPv6计算机校园Non-IVIIPv6计算机主干IVI设备CNGI-CERNET2IPv6/32校园网IPv6/48IPv4InternetIPv6Internet主干IVIIPv6计算机主干IVIDNSIPv4/20校园IVI设备校园IVIDNS校园网校园IVI网管主干