15 KiB
- Time table / log
- Topics / Tasks
- Admin
- Clarify PDF / form with Denise Spicher: free form description
- Create task description to be handed in mystudies
- Create list of tasks / initial brainstorming
- Get OK from Ueli Maurer that thesis is valid in Information Security Area
- Find out how-when-whom-where to meet / define schedule
- Latex and/or org-mode for the thesis?
- Add initial milestones
- Thesis implementation
- Setup test VM for P4: 2a0a:e5c0:2:12:400:f0ff:fea9:c3e3
- Get feature list of jool
- Get feature list of tayga
- Setup P4 base / structure
- Create minimal controller for populating tables
- Checkout / review egress settings
- Implement ICMP <-> ICMP6 translation
- Parse icmp
- Parse icmpv6
- Add (static) egress configuration
- Calculate ICMP6 checksums
- Implement minimal neighbor discovery
- Make switch answer icmp6 echo request for
- Make switch answer icmp echo request for
- Add default route for v6 and v4 hosts
- Translate icmp <-> icmp6
- Create table entry for mapping v4->v6 [net]
- Create table entry for mapping v6->v4 [net]
- Setup test VM [dual stack] for Jool:
- Setup test VM [dual stack] for tayga:
- NAT64/NAT46 Features in jool and tayga
- Additional features queue (to be discussed)
- Thesis documentation
- Motivation
- Translation mechanisms
- Current state of the art tayga/jool
- P4 based implementation
- Performance comparison
- Feature/Functionality difference / overview
- References / Follow up
- RFC 6052: https://tools.ietf.org/html/rfc6052 IPv6 Addressing of IPv4/IPv6 Translators
- RFC 6586 for deployment experiences using Stateful NAT64.
- RFC 7757 Explicit Address Mappings for Stateless IP/ICMP Translation
- RFC 4443 ICMPv6 https://tools.ietf.org/html/rfc4443
- RFC 4861: https://tools.ietf.org/html/rfc4861 Neighbor discovery
- RFC 2460 IPv6 (Checksum https://tools.ietf.org/html/rfc2460#section-8.1)
- EAMT/Jool: https://www.jool.mx/en/eamt.html
- Solicited node multicast address https://en.wikipedia.org/wiki/Solicited-node_multicast_address
- Admin
- Proposal / task description
Time table / log
When? | What? | Notes |
2019-02-21 | Kick-Off | x |
Finish all admin points | x | |
Know when/how to coordinate | x | |
2019-02-21 | Clarifications Ueli Maurer (Mentor) | x |
Write mail / phone | x | |
2019-02-22 | Have all papers handed in | |
2019-02-23 | python2 / ipaddress is buggy | x |
p4utils is python2 only support | ||
bmpy_utils is not installable with pip | ||
python2 / latest ipaddress==1.0.22 still has the bug | ||
ipaddress.ip_network("2001:db8:61::/64") | ||
IPv6Network(u'3230:3031:3a64:6238:3a36:313a:3a2f:3634/128') | ||
egress routing | x | |
2019-02-24 | non reliable neighbor entries / flushing addresses puts into failed | |
2019-02-28 | Meet Laurent #2 | |
- Parser for all protocols (udp,tcp,icmp,icmp6) | ||
2019-02-22 | Have rough definition of tasks | |
2019-03-01 | Feature list / priority list / roadmap clear | |
2019-03-08 | NAT46 1:1 table TCP/UDP working | |
2019-03-15 | NAT46 1:1 table ICMP, ICMPv6 working | |
Will need some switch local ip addresses | ||
2019-03-29 | Jool SIIT / range / offset support https://www.jool.mx/en/run-vanilla.html | |
Jool EAMT support https://www.jool.mx/en/run-eam.html | ||
Bidirectional support | ||
Will need IPv6 embedding suport https://tools.ietf.org/html/rfc6052 | ||
2019-04-05 | NAT64 prefix based IPv6->IPv4 conversion [tayga] | |
Use case: IPv6 hosts send to specific /96 | ||
2019-04-19 | NAT64 dynamic pool implementation: n:m ipv6 to ipv4 mapping | |
And n:1 stateful mappings https://www.jool.mx/en/run-nat64.html | ||
Needs active controller | ||
Needs timeout / leases | ||
2019-05-10 | Benmarking results between P4, Jool, Tayga | |
Real hardware of advantage | ||
2019-08-01 | Latest start writing documentation | |
2019-08-21 | hand in thesis |
Topics / Tasks
Admin
DONE Clarify PDF / form with Denise Spicher: free form description
TODO Create task description to be handed in mystudies
DONE Create list of tasks / initial brainstorming
TODO Get OK from Ueli Maurer that thesis is valid in Information Security Area
TODO Find out how-when-whom-where to meet / define schedule
TODO Latex and/or org-mode for the thesis?
TODO Add initial milestones
180d plan
25w
Thesis implementation
DONE Setup test VM for P4: 2a0a:e5c0:2:12:400:f0ff:fea9:c3e3
DONE Get feature list of jool
DONE Get feature list of tayga
DONE Setup P4 base / structure
DONE Create minimal controller for populating tables
TODO Checkout / review egress settings
TODO Implement ICMP <-> ICMP6 translation
DONE Parse icmp
DONE Parse icmpv6
DONE Add (static) egress configuration
DONE Calculate ICMP6 checksums
TODO Implement minimal neighbor discovery
TODO For the switch
TODO For other nodes -> multicast
TODO Maybe implement link local addresses (missing at the moment)
"Neighbor Solicitation messages are multicast to the solicited-node multicast address of the target address."
If destination is within ff02::1:ff00:0/104, multicast
TODO Make switch answer icmp6 echo request for
TODO Make switch answer icmp echo request for
TODO Add default route for v6 and v4 hosts
TODO Translate icmp <-> icmp6
TODO Create table entry for mapping v4->v6 [net]
TODO Create table entry for mapping v6->v4 [net]
TODO Setup test VM [dual stack] for Jool:
TODO Setup test VM [dual stack] for tayga:
NAT64/NAT46 Features in jool and tayga
TODO Static 1:1 NAT46: translate from IPv4 to IPv6 with a table
TODO TCP
TODO UDP
TODO ICMP <-> ICMPv6
TODO Stateless Prefix based NAT64: IPv6 to IPv4 translation prefix based
Allows IPv6 hosts to reach the IPv4 Internet
See time table above
Additional features queue (to be discussed)
TODO Offset based translation (v4->v6) -> same as range (?)
TODO IP address learning (v6/v4) for real life switch? How do hosts find it?
Thesis documentation
Motivation
TBD
Translation mechanisms
- v4 to v6 / vice versa
- Stateful / stateless
- static / dynamic
Explicit Address Mappings Table (EAMT)
Range based mapping tables See https://www.jool.mx/en/eamt.html, https://tools.ietf.org/html/rfc7757
Current state of the art tayga/jool
TBD
Tayga
- Single threaded
- Multi threaded work started due to initiative of ungleich / Chrisrock [IPv6.chat]
Jool
- EAMT bidirectional only (!)
IPtables interaction
```
user@T:~# # Create a Jool iptables instance named "example." user@T:~# # Also, establish that the IPv6 representation of any IPv4 address should be user@T:~# # `2001:db8::<IPv4 address>`. (See sections below for examples.) user@T:~# jool_siit instance add "example" –iptables –pool6 2001:db8::/96 user@T:~# user@T:~# # Tell iptables which traffic should be handled by our newly-created instance: user@T:~# user@T:~# # IPv6: only packets from 2001:db8::198.51.100.8/125 to 2001:db8::192.0.2 user@T:~# ip6tables -t mangle -A PREROUTING \ > -s 2001:db8::198.51.100.8/125 -d 2001:db8::192.0.2.0/120 \ > -j JOOL_SIIT –instance "example" user@T:~# # IPv4: Only packets from 192.0.2 to 198.51.100.8/29 user@T:~# iptables -t mangle -A PREROUTING \ > -s 192.0.2.0/24 -d 198.51.100.8/29 \ > -j JOOL_SIIT –instance "example" ``` 5656
Cisco (?)
P4 based implementation
TBD
General
- IPv6 subnet 2001:db8::/32
- IPv6 hosts are in 2001:db8:6::/64
- IPv6 default router (::/0) is 2001:db8:6::42/64
- IPv4 mapped Internet "NAT64 prefix" 2001:db8:4444::/96 (should go into a table)
- IPv4 hosts are in 10.0.4.0/24
- IPv6 in IPv4 mapped hosts are in 10.0.6.0/24
- IPv4 default router = 10.0.0.42
Neighbor discover protocol
- Matching on prefix & ingress port, setting multicast
Static mappings
- likely need table(s)
- need tcp & udp translation
ICMPv6
Different lengths possible
[20:35] line:~% ping -6 -s 20 ::1 PING ::1(::1) 20 data bytes 28 bytes from ::1: icmp_seq=1 ttl=64 time=0.045 ms 28 bytes from ::1: icmp_seq=2 ttl=64 time=0.064 ms ^C — ::1 ping statistics — 2 packets transmitted, 2 received, 0% packet loss, time 1018ms rtt min/avg/max/mdev = 0.045/0.054/0.064/0.012 ms [20:36] line:~% ping -6 -s 80 ::1 PING ::1(::1) 80 data bytes 88 bytes from ::1: icmp_seq=1 ttl=64 time=0.053 ms 88 bytes from ::1: icmp_seq=2 ttl=64 time=0.095 ms ^C — ::1 ping statistics — 2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 0.053/0.074/0.095/0.021 ms [20:36] line:~%
Different checksum in most packets.
root@ubuntu:~/master-thesis# ip -6 neigh show root@ubuntu:~/master-thesis# ip -6 neigh add 2001:db8:61::42 dev h1-eth0 lladdr 00:00:0a:00:00:42 root@ubuntu:~/master-thesis# ip -6 neigh show 2001:db8:61::42 dev h1-eth0 lladdr 00:00:0a:00:00:42 PERMANENT root@ubuntu:~/master-thesis#
root@ubuntu:~/master-thesis# tcpdump -ni h1-eth0 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on h1-eth0, link-type EN10MB (Ethernet), capture size 262144 bytes ^C20:22:43.944152 IP6 2001:db8:61::1 > 2001:db8:61::42: ICMP6, echo request, seq 1, length 64 20:22:43.945992 IP6 2001:db8:61::1 > 2001:db8:61::42: ICMP6, echo request, seq 1, length 64 20:22:44.952453 IP6 2001:db8:61::1 > 2001:db8:61::42: ICMP6, echo request, seq 2, length 64 20:22:44.953995 IP6 2001:db8:61::1 > 2001:db8:61::42: ICMP6, echo request, seq 2, length 64
4 packets captured 4 packets received by filter 0 packets dropped by kernel root@ubuntu:~/master-thesis#
When pinging we see
DEBUG:main:INCOMING: <Ether dst=33:33:ff:00:00:42 src=00:00:0a:00:00:01 type=0x86dd |<IPv6 version=6 tc=0 fl=0 plen=32 nh=ICMPv6 hlim=255 src=2001:db8:61::1 dst=ff02::1:ff00:42 |<ICMPv6ND_NS type=Neighbor Solicitation code=0 cksum=0xd343 res=0 tgt=2001:db8:61::42 |<ICMPv6NDOptSrcLLAddr type=1 len=1 lladdr=00:00:0a:00:00:01 |>>>> DEBUG:main:INCOMING: <Ether dst=33:33:ff:00:00:42 src=00:00:0a:00:00:01 type=0x86dd |<IPv6 version=6 tc=0 fl=0 plen=32 nh=ICMPv6 hlim=255 src=2001:db8:61::1 dst=ff02::1:ff00:42 |<ICMPv6ND_NS type=Neighbor Solicitation code=0 cksum=0xd343 res=0 tgt=2001:db8:61::42 |<ICMPv6NDOptSrcLLAddr type=1 len=1 lladdr=00:00:0a:00:00:01 |>>>> DEBUG:main:INCOMING: <Ether dst=33:33:ff:00:00:42 src=00:00:0a:00:00:01 type=0x86dd |<IPv6 version=6 tc=0 fl=0 plen=32 nh=ICMPv6 hlim=255 src=2001:db8:61::1 dst=ff02::1:ff00:42 |<ICMPv6ND_NS type=Neighbor Solicitation code=0 cksum=0xd343 res=0 tgt=2001:db8:61::42 |<ICMPv6NDOptSrcLLAddr type=1 len=1 lladdr=00:00:0a:00:00:01 |>>>>
Hosts
Requirements
Performance comparison
Feature/Functionality difference / overview
Not included
- DNS64 - has already been solved in a different domain
References / Follow up
RFC 6052: https://tools.ietf.org/html/rfc6052 IPv6 Addressing of IPv4/IPv6 Translators
RFC 6586 for deployment experiences using Stateful NAT64.
RFC 7757 Explicit Address Mappings for Stateless IP/ICMP Translation
RFC 4443 ICMPv6 https://tools.ietf.org/html/rfc4443
RFC 4861: https://tools.ietf.org/html/rfc4861 Neighbor discovery
RFC 2460 IPv6 (Checksum https://tools.ietf.org/html/rfc2460#section-8.1)
EAMT/Jool: https://www.jool.mx/en/eamt.html
Solicited node multicast address https://en.wikipedia.org/wiki/Solicited-node_multicast_address
Proposal / task description
Task description for mystudies
High speed NAT64 with P4
Currently there are two main open source NAT64 solution available: tayga and jool. The former is a single threaded, cpu bound user space solution, the latter a custom Linux kernel module.
This thesis challenges this status quo by developing a P4 based solution supporting all features of jool/tayga and comparing the performance, security and adaptivity of the solutions.
- Milestone 1: Stateless NAT64/NAT46 translations in P4
- Milestone 2: Stateful (dynamic) NAT64/NAT46 translations
- Milestone 3: Hardware adaption
Original ideas
Proposal 1: Automating NAT64 with P4
In IPv6 only data centers IPv4 connectivity is still a business requirement. Current state of the art methods include layer 7 proxying or static assignments. both featuring static assignments.
A flexible, dynamic assignment of IPv4 addresses to IPv6 hosts, similar to lease times in DHCPv4 and prefix delegations in DHCPv6 could reduce the pressure on IPv4 addresses.
I would suggest the develop of a new protocol (likely UDP embedded) that allows hosts to request on-network support for IPv4 addresses. As IPv4 addresses have to be treated as "expensive", an accounting metric has to be introduced. While in the business world this is usually related to money, in the network world IPv4 users could be paying the network by (reduced) bandwidth.
If such a metric existed, devices attached to the network could also try to negotiate and wait for using IPv4, when the price / penality for IPv4 is low (this might be very suitable for mail exchangers for instance).
Proposal 2: High speed NAT64 with P4
Currently there are two main open source NAT64 solution available: tayga[0] and jool[1]. The former is a single threaded, cpu bound user space solution, the latter a custom Linux kernel module.
I would like to challenge this status quo and develop a P4 based solution supporting all features of jool/tayga and comparing the performance and adaptivity of the solutions.
[0] http://www.litech.org/tayga/ [1] https://www.jool.mx/en/index.html
Proposal 3: Challenging the status quo with IPv10
The de facto standard in networking is to treat IPv4 and IPv6 as "impossible to combine". This proposal is to challenge this notion with three different methods:
- Extensions to IPv4 to request remote IPv6 transport
- Extensions to IPv6 to request remote IPv4 transport
- Support in network equipment to handle the extensions
As the IPv4 header does not allow embedding IPv6 addresses due to size limitations, embedding the destination address in a secondary header might be necessary (possibly encapsulated in UDP).