Département Réseau, Sécurité et Multimédia: Activity Report 2008
An easy-to-use solution for IPv6 connectivity

Extract of Pracom's Annual Report 2008

Research Staff: Laurent Toutain, Bruno Stevant, E. Gallet de Santerre
Keywords: IPv6, IPv6-IPv4 transition
Applications: Home networks, SME networks
Partners & Funding: funded by Conseil Régional de Bretagne

Introduction

IPv6 is nowadays implemented in many components such as core networks, operating systems and even several applications. However, end-to-end IPv6 connectivity is still missing, especially because very few Internet Access Providers (IAP) offer IPv6 connectivity and prefix allocation. The IETF and some companies have defined and/or developed transition tools such as 6to4, Tunnel Broker or Teredo, but these tools either target experienced users or do not offer all the IPv6 benefits (always-on, machine-to-machine communications, ...) needed to build applications. Furthermore, some of these solutions may also introduce security threats.

Realization

During the Point6 project, funded in 2005 and 2006 by the Brittany Region Council, we defined transition tools to bring IPv6 to Small and Medium Enterprises (SME) and Home Networks. This experiment led to the development of the Point6Box. We also worked to enhance network auto-configuration. Part of this work has been standardized by the IETF Softwires working group [1]. An experiment run jointly with Renater allows academics and SMEs to get prefixes through the Point6Box/Softwires architecture.

Point6Box/Softwire architecture

The Point6Box is an add-on equipment that can be connected to any IPv4 network in order to bring IPv6 connectivity and functionalities in a non-intrusive way. It is important to note that our goal is to fill missing gaps and not to specialize an equipment for IPv6 connectivity. Progressively, as IAPs become IPv6-aware, the functionalities provided by the Point6Box will be integrated into the provider equipment.

Several usages and objectives have been identified in this project:

- allow IPv6 connectivity for devices connected to a SME or Home network, in a very easy way, nearly without configuration from the user;
- locate IPv6 functionalities on stand-alone and cheap equipment to avoid relying on desktop computers. Since IPv6 implies being always-on, the Point6Box must not be switched off;
- allow the introduction of IPv6 demonstrators on existing IPv4 network infrastructure to ease demonstrations of new features;
- anticipate new usages. The connectivity offered by the Point6Box is very close to native access. Currently, new applications such as machine-to-machine communication relying on auto-configuration features and service discovery can be tested;
- manage an IPv6 network to discover missing features and debug existing software, in order to improve quality and reduce operational costs. Lessons learned during the transition phase must be directly reusable when IPv6 runs on native infrastructures;
- use open source software for CPE and PE and extend functionalities when needed;
- use only fully standardized protocols, such as L2TP [RFC2661], PPP, etc.;
- be able to run over any IPv4 infrastructure (any NAT solution) to provide IAPs with a transition tool compliant with the future native access architecture.

Technically, the Point6Box can be viewed as an IPv6 router with only one Ethernet port, plugged into the CPEv4. To provide IPv6 connectivity, the Point6Box is connected to an IPv6 Provider Edge through a VPN-like tunnel. This tunnel is made over L2TP, which provides three main characteristics:
- L2TP messages are carried over UDP to offer NAT-traversal capabilities;
- PPP is used to carry IPv6 frames, so we can rely on built-in authentication and configuration mechanisms, and have very easy interaction with AAA servers;
- PPP and L2TP hello messages may be used to detect when a tunnel is down, for instance due to an IPv4 address renumbering, and to maintain contexts in the NAT box.

The Point6Box removes the L2TP encapsulation and forwards incoming IPv6 packets on the link. Generally, SME or Home router interfaces are bridged with an IEEE 802.11 network, so every equipment connected to that network will receive Router Advertisements. IPv6 traffic generated by these equipments will be routed through the Point6Box. IPv4 traffic will continue to be NATed by the IPv4 edge router.

The Point6 Provider Edge is connected to the IPv6 backbone. It includes the server part and can be connected to an AAA database to allow authorization and monitoring. The following picture describes the service architecture.

[Figure: service architecture. Provider side: IPv4/v6 ISP with PE v4 and PE v6, L2TP IPv6 server, DHCPv6 server and RADIUS server (RADIUS authorization, connection accounting). Customer side: CPE v4 (NAT, bridge), CPE v6 (Point6 client) and hosts X, Y, Z with link-local addresses FE80::X, FE80::Y, FE80::Z and global addresses A:B:D:101::X, A:B:D:101::Y, A:B:D:101::Z obtained by stateless auto-configuration using the RA mechanism; the figure also labels A:B:D:101::1. Flows: L2TP tunnel between CPE v6 and PE v6, DHCPv6 request and reply through the DHCPv6 relay.]

Auto-configuration of the SME/Home network is a major feature to rapidly spread IPv6. If the SME/Home network includes several routers, their configuration for IPv4 requires technical skills. We have studied several approaches to offer internal router configuration (see [AINA2005]). In this proposal, we focus on DHCPv6 because it does not require any modification, even if this approach is less efficient in the multi-homing case.

The Point6Box includes a DHCPv6 server to answer the requests inside the domain. Static parameters such as the DNS resolver and the DNS domain are given to the other routers, and a pool of /64 prefixes is constructed from the prefix received from the provider.
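The DHCPv6 prefix pool just described, together with the internal-router steps that follow (request a /64 once ND has configured the upstream interface, then start a relay for downstream routers), as an added example that is not code from the report or the Point6 project. It assumes a constructed provider prefix 2001:db8:d100::/56, identifies routers by a DUID string, and models the loop/dual-allocation check by refusing to delegate a prefix the requester already sees on its path to the server.

```python
import ipaddress

# Constructed provider prefix (the report's figure uses placeholder A:B:D:101:: subnets).
PROVIDER_PREFIX = ipaddress.IPv6Network("2001:db8:d100::/56")


class DHCPv6PrefixServer:
    """Model of the Point6Box DHCPv6 server (assumed, not the project's code):
    static parameters plus a pool of /64 prefixes carved from the provider prefix."""

    def __init__(self, provider_prefix, dns_resolver, dns_domain):
        self.pool = list(provider_prefix.subnets(new_prefix=64))
        self.assigned = {}  # router DUID -> delegated /64
        self.static_params = {"dns_resolver": dns_resolver, "dns_domain": dns_domain}

    def request(self, duid, seen_prefixes):
        """Answer a prefix request; seen_prefixes are those the requester already learned
        via ND on its path to the server, so delegating one of them would form a loop."""
        if duid in self.assigned:  # retransmission: same router gets the same /64
            return self.assigned[duid], self.static_params
        for prefix in self.pool:
            if prefix not in self.assigned.values() and prefix not in seen_prefixes:
                self.assigned[duid] = prefix
                return prefix, self.static_params
        raise RuntimeError("prefix pool exhausted")


class InternalRouter:
    """Internal router: requests a /64 once its upstream interface is ND-configured,
    then acts as a DHCPv6 relay for routers below it."""

    def __init__(self, duid):
        self.duid, self.upstream, self.upstream_prefix = duid, None, None
        self.delegated, self.params, self.relay_active = None, None, False

    def on_nd_configured(self, upstream_prefix, upstream):
        # Step 1: upstream interface got a prefix via ND; request a /64 via the relay chain.
        self.upstream, self.upstream_prefix = upstream, upstream_prefix
        self.delegated, self.params = upstream.request(self.duid, [upstream_prefix])
        # Steps 2-3: answer received; assign the prefix downstream, start routing and relay.
        self.relay_active = True
        return self.delegated

    def request(self, duid, seen_prefixes):
        # Relay role: forward a downstream request, adding the prefixes seen on this hop.
        if not self.relay_active:
            raise RuntimeError(f"{self.duid}: relay not started")
        return self.upstream.request(duid, seen_prefixes + [self.upstream_prefix, self.delegated])
```

A second-level router reaches the server only through the first one's relay, and a retransmitted request from an already-served router never consumes a second prefix.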
An internal router executes the following algorithm when one of its interfaces gets configured through the Neighbor Discovery (ND) protocol:

- the router sends DHCPv6 requests for a /64 prefix (the interaction with ND explained in [2] is used to detect loops or dual prefix allocation);
- the router waits for answers from the Point6Box containing the prefix and other parameters;
- the router assigns prefixes to interfaces. It starts unicast and multicast routing and a DHCPv6 relay. The relay functionality allows downstream routers to talk with the DHCPv6 server.

At this point, the internal routers are configured; the equipment addresses can be set up through the standard Neighbor Discovery protocol and other parameters through DHCPv6.

Future works

The protocol used in the Point6Box is now standardized. We will now focus on the interoperability of Softwires equipment. The RoHC protocol is being integrated as a feature to decrease the overhead of the tunnel. We are also studying the interest of a Point6Box solution to provide IPv4 connectivity over an IPv6 network.

References

[1] B. Storer, C. Pignataro, M. Dos Santos, J. Tremblay, B. Stevant, "Softwires Hub & Spoke Deployment Framework with L2TPv2", draft-ietf-softwire-hs-framework-l2tpv2-08, Work in Progress.
[2] G. Chelius, E. Fleury, L. Toutain, "No Administration Protocol (NAP) for IPv6 Router Auto-Configuration", AINA 2005, IEEE 19th International Conference on Advanced Information Networking and Applications, March 2005.