295 lines
15 KiB
Org Mode
295 lines
15 KiB
Org Mode
* Time table / log
|
|
| When? | What? | Notes |
|
|
| 2019-02-21 | Kick-Off | x |
|
|
| | Finish all admin points | x |
|
|
| | Know when/how to coordinate | x |
|
|
| 2019-02-21 | Clarifications Ueli Maurer (Mentor) | x |
|
|
| | Write mail / phone | x |
|
|
| 2019-02-22 | Have all papers handed in | |
|
|
| | | |
|
|
| 2019-02-23 | python2 / ipaddress is buggy | x |
|
|
| | p4utils is python2 only support | |
|
|
| | bmpy_utils is not installable with pip | |
|
|
| | python2 / latest ipaddress==1.0.22 still has the bug | |
|
|
| | ipaddress.ip_network("2001:db8:61::/64") | |
|
|
| | IPv6Network(u'3230:3031:3a64:6238:3a36:313a:3a2f:3634/128') | |
|
|
| | | |
|
|
| | egress routing | x |
|
|
| | | |
|
|
| 2019-02-24 | non reliable neighbor entries / flushing addresses puts into failed | |
|
|
| | | |
|
|
| | | |
|
|
| 2019-02-28 | Meet Laurent #2 | |
|
|
| | - Parser for all protocols (udp,tcp,icmp,icmp6) | |
|
|
| | | |
|
|
| | | |
|
|
| 2019-02-22 | Have rough definition of tasks | |
|
|
| 2019-03-01 | Feature list / priority list / roadmap clear | |
|
|
| 2019-03-08 | NAT46 1:1 table TCP/UDP working | |
|
|
| 2019-03-15 | NAT46 1:1 table ICMP, ICMPv6 working | |
|
|
| | Will need some switch local ip addresses | |
|
|
| | | |
|
|
| 2019-03-29 | Jool SIIT / range / offset support https://www.jool.mx/en/run-vanilla.html | |
|
|
| | Jool EAMT support https://www.jool.mx/en/run-eam.html | |
|
|
| | Bidirectional support | |
|
|
| | Will need IPv6 embedding suport https://tools.ietf.org/html/rfc6052 | |
|
|
| | | |
|
|
| 2019-04-05 | NAT64 prefix based IPv6->IPv4 conversion [tayga] | |
|
|
| | Use case: IPv6 hosts send to specific /96 | |
|
|
| | | |
|
|
| 2019-04-19 | NAT64 dynamic pool implementation: n:m ipv6 to ipv4 mapping | |
|
|
| | And n:1 stateful mappings https://www.jool.mx/en/run-nat64.html | |
|
|
| | Needs active controller | |
|
|
| | Needs timeout / leases | |
|
|
| 2019-05-10 | Benmarking results between P4, Jool, Tayga | |
|
|
| | Real hardware of advantage | |
|
|
| | | |
|
|
| 2019-08-01 | Latest start writing documentation | |
|
|
| 2019-08-21 | hand in thesis | |
|
|
* Topics / Tasks
|
|
** Admin
|
|
*** DONE Clarify PDF / form with Denise Spicher: free form description
|
|
*** TODO Create task description to be handed in mystudies
|
|
*** DONE Create list of tasks / initial brainstorming
|
|
*** TODO Get OK from Ueli Maurer that thesis is valid in Information Security Area
|
|
*** TODO Find out how-when-whom-where to meet / define schedule
|
|
*** TODO Latex and/or org-mode for the thesis?
|
|
*** TODO Add initial milestones
|
|
**** 180d plan
|
|
**** 25w
|
|
** Thesis implementation
|
|
*** DONE Setup test VM for P4: 2a0a:e5c0:2:12:400:f0ff:fea9:c3e3
|
|
*** DONE Get feature list of jool
|
|
*** DONE Get feature list of tayga
|
|
*** DONE Setup P4 base / structure
|
|
*** DONE Create minimal controller for populating tables
|
|
*** TODO Checkout / review egress settings
|
|
*** TODO Implement ICMP <-> ICMP6 translation
|
|
**** DONE Parse icmp
|
|
**** DONE Parse icmpv6
|
|
**** DONE Add (static) egress configuration
|
|
**** DONE Calculate ICMP6 checksums
|
|
**** TODO Implement minimal neighbor discovery
|
|
***** TODO For the switch
|
|
***** TODO For other nodes -> multicast
|
|
***** TODO Maybe implement link local addresses (missing at the moment)
|
|
****** ff02::/??
|
|
****** rfc4861
|
|
"Neighbor Solicitation messages are multicast to the solicited-node
|
|
multicast address of the target address."
|
|
****** DONE multicasting / groups
|
|
******* create a group ("node") that contains "all other" ports
|
|
******* create a multicast group with an ID
|
|
******* associate the "node" with the multicast group ID
|
|
***** If destination is within ff02::1:ff00:0/104, multicast
|
|
|
|
**** TODO Make switch answer icmp6 echo request for
|
|
**** TODO Make switch answer icmp echo request for
|
|
**** TODO Add default route for v6 and v4 hosts
|
|
**** TODO Translate icmp <-> icmp6
|
|
**** TODO Create table entry for mapping v4->v6 [net]
|
|
**** TODO Create table entry for mapping v6->v4 [net]
|
|
*** TODO Setup test VM [dual stack] for Jool:
|
|
*** TODO Setup test VM [dual stack] for tayga:
|
|
*** NAT64/NAT46 Features in jool and tayga
|
|
**** TODO Static 1:1 NAT46: translate from IPv4 to IPv6 with a table
|
|
***** TODO TCP
|
|
***** TODO UDP
|
|
***** TODO ICMP <-> ICMPv6
|
|
**** TODO Stateless Prefix based NAT64: IPv6 to IPv4 translation prefix based
|
|
***** Allows IPv6 hosts to reach the IPv4 Internet
|
|
**** See time table above
|
|
*** Additional features queue (to be discussed)
|
|
**** TODO Offset based translation (v4->v6) -> same as range (?)
|
|
**** TODO IP address learning (v6/v4) for real life switch? How do hosts find it?
|
|
** Thesis documentation
|
|
*** Motivation
|
|
TBD
|
|
*** Translation mechanisms
|
|
- v4 to v6 / vice versa
|
|
- Stateful / stateless
|
|
- static / dynamic
|
|
**** Explicit Address Mappings Table (EAMT)
|
|
Range based mapping tables
|
|
See https://www.jool.mx/en/eamt.html,
|
|
https://tools.ietf.org/html/rfc7757
|
|
|
|
*** Current state of the art tayga/jool
|
|
TBD
|
|
**** Tayga
|
|
- Single threaded
|
|
- Multi threaded work started due to initiative of ungleich /
|
|
Chrisrock [IPv6.chat]
|
|
**** Jool
|
|
- EAMT bidirectional only (!)
|
|
|
|
IPtables interaction
|
|
|
|
```
|
|
|
|
user@T:~# # Create a Jool iptables instance named "example."
|
|
user@T:~# # Also, establish that the IPv6 representation of any IPv4 address should be
|
|
user@T:~# # `2001:db8::<IPv4 address>`. (See sections below for examples.)
|
|
user@T:~# jool_siit instance add "example" --iptables --pool6 2001:db8::/96
|
|
user@T:~#
|
|
user@T:~# # Tell iptables which traffic should be handled by our newly-created instance:
|
|
user@T:~#
|
|
user@T:~# # IPv6: only packets from 2001:db8::198.51.100.8/125 to 2001:db8::192.0.2
|
|
user@T:~# ip6tables -t mangle -A PREROUTING \
|
|
> -s 2001:db8::198.51.100.8/125 -d 2001:db8::192.0.2.0/120 \
|
|
> -j JOOL_SIIT --instance "example"
|
|
user@T:~# # IPv4: Only packets from 192.0.2 to 198.51.100.8/29
|
|
user@T:~# iptables -t mangle -A PREROUTING \
|
|
> -s 192.0.2.0/24 -d 198.51.100.8/29 \
|
|
> -j JOOL_SIIT --instance "example"
|
|
```
|
|
5656
|
|
**** Cisco (?)
|
|
*** P4 based implementation
|
|
TBD
|
|
**** General
|
|
|
|
- IPv6 subnet 2001:db8::/32
|
|
- IPv6 hosts are in 2001:db8:6::/64
|
|
- IPv6 default router (::/0) is 2001:db8:6::42/64
|
|
- IPv4 mapped Internet "NAT64 prefix" 2001:db8:4444::/96 (should
|
|
go into a table)
|
|
- IPv4 hosts are in 10.0.4.0/24
|
|
- IPv6 in IPv4 mapped hosts are in 10.0.6.0/24
|
|
- IPv4 default router = 10.0.0.42
|
|
**** Neighbor discover protocol
|
|
- Matching on prefix & ingress port, setting multicast
|
|
**** Static mappings
|
|
- likely need table(s)
|
|
- need tcp & udp translation
|
|
**** ICMPv6
|
|
Different lengths possible
|
|
|
|
[20:35] line:~% ping -6 -s 20 ::1
|
|
PING ::1(::1) 20 data bytes
|
|
28 bytes from ::1: icmp_seq=1 ttl=64 time=0.045 ms
|
|
28 bytes from ::1: icmp_seq=2 ttl=64 time=0.064 ms
|
|
^C
|
|
--- ::1 ping statistics ---
|
|
2 packets transmitted, 2 received, 0% packet loss, time 1018ms
|
|
rtt min/avg/max/mdev = 0.045/0.054/0.064/0.012 ms
|
|
[20:36] line:~% ping -6 -s 80 ::1
|
|
PING ::1(::1) 80 data bytes
|
|
88 bytes from ::1: icmp_seq=1 ttl=64 time=0.053 ms
|
|
88 bytes from ::1: icmp_seq=2 ttl=64 time=0.095 ms
|
|
^C
|
|
--- ::1 ping statistics ---
|
|
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
|
|
rtt min/avg/max/mdev = 0.053/0.074/0.095/0.021 ms
|
|
[20:36] line:~%
|
|
|
|
Different checksum in most packets.
|
|
|
|
root@ubuntu:~/master-thesis# ip -6 neigh show
|
|
root@ubuntu:~/master-thesis# ip -6 neigh add 2001:db8:61::42 dev h1-eth0 lladdr 00:00:0a:00:00:42
|
|
root@ubuntu:~/master-thesis# ip -6 neigh show
|
|
2001:db8:61::42 dev h1-eth0 lladdr 00:00:0a:00:00:42 PERMANENT
|
|
root@ubuntu:~/master-thesis#
|
|
|
|
root@ubuntu:~/master-thesis# tcpdump -ni h1-eth0
|
|
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
|
|
listening on h1-eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
|
|
^C20:22:43.944152 IP6 2001:db8:61::1 > 2001:db8:61::42: ICMP6, echo request, seq 1, length 64
|
|
20:22:43.945992 IP6 2001:db8:61::1 > 2001:db8:61::42: ICMP6, echo request, seq 1, length 64
|
|
20:22:44.952453 IP6 2001:db8:61::1 > 2001:db8:61::42: ICMP6, echo request, seq 2, length 64
|
|
20:22:44.953995 IP6 2001:db8:61::1 > 2001:db8:61::42: ICMP6, echo request, seq 2, length 64
|
|
|
|
4 packets captured
|
|
4 packets received by filter
|
|
0 packets dropped by kernel
|
|
root@ubuntu:~/master-thesis#
|
|
***** When pinging we see
|
|
DEBUG:main:INCOMING: <Ether dst=33:33:ff:00:00:42 src=00:00:0a:00:00:01 type=0x86dd |<IPv6 version=6 tc=0 fl=0 plen=32 nh=ICMPv6 hlim=255 src=2001:db8:61::1 dst=ff02::1:ff00:42 |<ICMPv6ND_NS type=Neighbor Solicitation code=0 cksum=0xd343 res=0 tgt=2001:db8:61::42 |<ICMPv6NDOptSrcLLAddr type=1 len=1 lladdr=00:00:0a:00:00:01 |>>>>
|
|
DEBUG:main:INCOMING: <Ether dst=33:33:ff:00:00:42 src=00:00:0a:00:00:01 type=0x86dd |<IPv6 version=6 tc=0 fl=0 plen=32 nh=ICMPv6 hlim=255 src=2001:db8:61::1 dst=ff02::1:ff00:42 |<ICMPv6ND_NS type=Neighbor Solicitation code=0 cksum=0xd343 res=0 tgt=2001:db8:61::42 |<ICMPv6NDOptSrcLLAddr type=1 len=1 lladdr=00:00:0a:00:00:01 |>>>>
|
|
DEBUG:main:INCOMING: <Ether dst=33:33:ff:00:00:42 src=00:00:0a:00:00:01 type=0x86dd |<IPv6 version=6 tc=0 fl=0 plen=32 nh=ICMPv6 hlim=255 src=2001:db8:61::1 dst=ff02::1:ff00:42 |<ICMPv6ND_NS type=Neighbor Solicitation code=0 cksum=0xd343 res=0 tgt=2001:db8:61::42 |<ICMPv6NDOptSrcLLAddr type=1 len=1 lladdr=00:00:0a:00:00:01 |>>>>
|
|
|
|
|
|
***** Hosts
|
|
****** Left side: IPv6
|
|
****** Right side: IPv4
|
|
**** Requirements
|
|
-
|
|
*** Performance comparison
|
|
*** Feature/Functionality difference / overview
|
|
**** Not included
|
|
- DNS64 - has already been solved in a different domain
|
|
*** References / Follow up
|
|
**** RFC 6052: https://tools.ietf.org/html/rfc6052 IPv6 Addressing of IPv4/IPv6 Translators
|
|
**** RFC 6586 for deployment experiences using Stateful NAT64.
|
|
**** RFC 7757 Explicit Address Mappings for Stateless IP/ICMP Translation
|
|
**** RFC 4443 ICMPv6 https://tools.ietf.org/html/rfc4443
|
|
**** RFC 4861: https://tools.ietf.org/html/rfc4861 Neighbor discovery
|
|
**** RFC 2460 IPv6 (Checksum https://tools.ietf.org/html/rfc2460#section-8.1)
|
|
**** EAMT/Jool: https://www.jool.mx/en/eamt.html
|
|
**** Solicited node multicast address https://en.wikipedia.org/wiki/Solicited-node_multicast_address
|
|
* Proposal / task description
|
|
** Task description for mystudies
|
|
*** High speed NAT64 with P4
|
|
Currently there are two main open source NAT64 solution available:
|
|
tayga and jool. The former is a single threaded, cpu bound user
|
|
space solution, the latter a custom Linux kernel module.
|
|
|
|
This thesis challenges this status quo by developing a P4 based
|
|
solution supporting all features of jool/tayga and comparing the
|
|
performance, security and adaptivity of the solutions.
|
|
|
|
- Milestone 1: Stateless NAT64/NAT46 translations in P4
|
|
- Milestone 2: Stateful (dynamic) NAT64/NAT46 translations
|
|
- Milestone 3: Hardware adaption
|
|
|
|
|
|
** Original ideas
|
|
Proposal 1: Automating NAT64 with P4
|
|
|
|
In IPv6 only data centers IPv4 connectivity is still a business
|
|
requirement. Current state of the art methods include layer 7 proxying
|
|
or static assignments. both featuring static assignments.
|
|
|
|
A flexible, dynamic assignment of IPv4 addresses to IPv6 hosts, similar
|
|
to lease times in DHCPv4 and prefix delegations in DHCPv6 could reduce
|
|
the pressure on IPv4 addresses.
|
|
|
|
I would suggest the develop of a new protocol (likely UDP embedded) that
|
|
allows hosts to request on-network support for IPv4 addresses. As IPv4
|
|
addresses have to be treated as "expensive", an accounting metric has to
|
|
be introduced. While in the business world this is usually related to
|
|
money, in the network world IPv4 users could be paying the network by
|
|
(reduced) bandwidth.
|
|
|
|
If such a metric existed, devices attached to the network could also try
|
|
to negotiate and wait for using IPv4, when the price / penality for IPv4
|
|
is low (this might be very suitable for mail exchangers for instance).
|
|
|
|
|
|
Proposal 2: High speed NAT64 with P4
|
|
|
|
Currently there are two main open source NAT64 solution available:
|
|
tayga[0] and jool[1]. The former is a single threaded, cpu bound user
|
|
space solution, the latter a custom Linux kernel module.
|
|
|
|
I would like to challenge this status quo and develop a P4 based
|
|
solution supporting all features of jool/tayga and comparing the
|
|
performance and adaptivity of the solutions.
|
|
|
|
[0] http://www.litech.org/tayga/
|
|
[1] https://www.jool.mx/en/index.html
|
|
|
|
|
|
Proposal 3: Challenging the status quo with IPv10
|
|
|
|
The de facto standard in networking is to treat IPv4
|
|
and IPv6 as "impossible to combine". This proposal is
|
|
to challenge this notion with three different methods:
|
|
|
|
- Extensions to IPv4 to request remote IPv6 transport
|
|
- Extensions to IPv6 to request remote IPv4 transport
|
|
- Support in network equipment to handle the extensions
|
|
|
|
As the IPv4 header does not allow embedding IPv6 addresses due to size
|
|
limitations, embedding the destination address in a secondary header
|
|
might be necessary (possibly encapsulated in UDP).
|