
Integrating IPv6 into an IPv4 Network

Ryan J. Determan
CCIE #5276

Sunset Learning

Implement Dual Stack in an IP Network
IPv6 Tunneling Mechanisms
Deploy IPv6 with NAT-PT
Other Protocol Transition Mechanisms

Implement Dual Stack in an IP Network


Dual Stack

• Both IPv4 and IPv6 stacks are enabled.
• Applications can talk to both.
• Choice of the IP version is based on name lookup and application preference.
Dual Stack (Cont.)

Cisco IOS

Cisco IOS software is IPv6 ready:
• If IPv4 and IPv6 addresses are configured on an interface, the interface is dual stacked.
• Most vendors ship products with both IP versions.
Dual Stack (Cont.)

Dual Stack Address Host Selection Process


Dual Stack (Cont.)

Example
Implementing Dual Stack

Dual stack implementation procedure:
1. Upgrade both hosts and routers to support IPv6.
2. Enable existing software features or acquire upgrades.
3. Upgrade all services where possible to provide IPv6 functionality.
4. Ensure that dual routing tables can be supported.

IPv6 Tunneling Mechanisms


Manually Configured Tunnels

Configured tunnels connect IPv4/IPv6 dual-stack hosts or networks to larger IPv6 networks.
• Local network administrators arrange for a tunnel between IPv6 networks across IPv4-only networks.
• Configured tunnels are simple to deploy.
• Configured tunnels allow transport of IPv6 packets over an IPv4 network.
• Configured tunnels are available on most platforms.
Manually Configured Tunnels (Cont.)

Manual IPv6-in-IPv4 Tunnels

• Used between two points
• Require configuration of both tunnel source and destination addresses
Manually Configured Tunnels (Cont.)

IPv6 over GRE Tunnel

• Configure dual-stack IPv4 and IPv6 addresses on the GRE tunnel interface.
• Identify tunnel entry and exit with IPv4 addresses.
• An IPv6 over GRE tunnel is required for using IS-IS.
Automatic Tunnels

A tunnel across an IPv4-only network is automatically created by a dual-stack host or network.
• Manual configuration of tunnel endpoints is not required.
• Automatic tunnel types include:
  • 6to4: Used for interconnecting IPv6 islands
  • ISATAP: “Intranet” format, not designed for public networks
Automatic Tunnels (Cont.)

6to4

• Provides an automatic tunnel establishment method connecting IPv6 islands through an IPv4 network
• Gives a prefix to the attached IPv6 network
• Converts the IPv4 address to hex and integrates it into 6to4 IPv6 addresses
Automatic Tunnels (Cont.)

6to4 (Cont.)
Automatic Tunnels (Cont.)

6to4 Relay
Automatic Tunnels (Cont.)

6to4 Relay (Reverse Direction)



Automatic Tunnels (Cont.)

ISATAP
Automatic Tunnels (Cont.)

ISATAP (Cont.)

• Acts as a default router for ISATAP hosts
• Advertises address prefixes that ISATAP hosts use to autoconfigure ISATAP global (or site) addresses
• Provides intra-site automatic tunnels and global routability

Automatic Tunnels (Cont.)

ISATAP (Cont.)
Automatic Tunnels (Cont.)

Tunnel Broker Concept

Tunnel information is sent via http-ipv4.



Deploying IPv6 with NAT-PT



NAT-PT

How NAT-PT Works

NAT-PT allows IPv6-only and IPv4-only nodes to communicate:
• ALG translates IPv4 and IPv6 DNS requests and responses.
• No changes are required on end nodes.
NAT-PT (Cont.)

How NAT-PT Works (Cont.)


NAT-PT/SIIT

NAT-PT uses SIIT to translate IP packet headers between IPv4 and IPv6.
NAT-PT/SIIT (Cont.)

The new packet is built via field mapping from the translated packet.
NAPT-PT

NAPT-PT multiplexes on the port number to associate several IPv6 users with one IPv4 address.
Fragmentation

NAT-PT manages path MTU and fragmentation:
• Sending an ICMP error message to the packet sender reports “packet too big” for path MTU discovery.
• ICMP error messages pass through the NAT-PT translator.
• The DF flag in the IPv4 header indicates path MTU discovery.


Fragmentation (Cont.)

• If the IPv4 node does not perform Path MTU Discovery, the NAT-PT system ensures packets are smaller than the IPv6 minimum MTU of 1280.
• DF is not set.
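The header field mapping and the DF rule from the NAT-PT/SIIT and Fragmentation slides, as an added example that is not part of the original deck. It assumes the IPv4-to-IPv6 mapping of RFC 2765 section 3.1; the /96 prefix, the addresses and the function names are constructed for illustration.

```python
import ipaddress
import struct

IPV6_MIN_MTU = 1280            # IPv6 minimum MTU cited on the slide
V6_HDR, FRAG_HDR = 40, 8       # fixed IPv6 header, fragment extension header
NATPT_PREFIX = ipaddress.IPv6Network("2001:db8:ffff::/96")  # constructed prefix

def sample_v4_header(flags_frag: int, proto: int, total_len: int = 1500) -> bytes:
    """Constructed 20-byte IPv4 header: 192.0.2.10 -> 198.51.100.1, TTL 64."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                       64, proto, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1]))

def siit_v4_to_v6(v4_header: bytes, v6_dst: str) -> dict:
    """Map one IPv4 header to IPv6 header fields.
    v6_dst is the IPv6 node bound to the IPv4 destination in the NAT-PT table."""
    (ver_ihl, tos, total_len, _ident, flags_frag,
     ttl, proto, _csum, src, _dst) = struct.unpack("!BBHHHBBH4s4s", v4_header[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    payload = total_len - (ver_ihl & 0x0F) * 4
    df = bool(flags_frag & 0x4000)
    is_fragment = bool(flags_frag & 0x3FFF)      # MF set or non-zero offset
    # DF clear (sender is not doing path MTU discovery) or already a fragment:
    # add a fragment header and keep every IPv6 packet within 1280 bytes.
    add_frag = (not df) or is_fragment
    per_pkt = (IPV6_MIN_MTU - V6_HDR - FRAG_HDR) // 8 * 8    # 1232 bytes
    lengths = [payload]
    if add_frag:
        lengths = [min(per_pkt, payload - off) + FRAG_HDR
                   for off in range(0, max(payload, 1), per_pkt)]
    upper = 58 if proto == 1 else proto          # ICMPv4 becomes ICMPv6
    src6 = int(NATPT_PREFIX.network_address) | int.from_bytes(src, "big")
    return {
        "version": 6,
        "traffic_class": tos,                    # copied from IPv4 TOS
        "flow_label": 0,
        "payload_lengths": lengths,              # one value per emitted IPv6 packet
        "next_header": 44 if add_frag else upper,  # 44 = fragment header
        "upper_protocol": upper,
        "hop_limit": ttl - 1,                    # translator forwards as a router
        "src": str(ipaddress.IPv6Address(src6)),
        "dst": str(ipaddress.IPv6Address(v6_dst)),
    }

if __name__ == "__main__":
    for flags in (0x0000, 0x4000):               # DF clear, then DF set
        print(hex(flags), siit_v4_to_v6(sample_v4_header(flags, 6), "2001:db8:1::10"))
```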
NAT-PT DNS ALG

An AAAA query for an address lookup that exists in DNS as an IPv4 record must itself be translated to an IPv6 response before the IPv6 node can open a connection.
NAT-PT DNS ALG (Cont.)

Example
NAT-PT FTP ALG

An FTP control session carries the IP address and TCP port information
for the data session in its payload, requiring an FTP-ALG to provide
application-level transparency.
How to Implement IPv6 Using NAT-PT

1. Assign IPv4 and IPv6 addresses to the interfaces.
2. Enable interfaces for NAT.
3. Configure mapping for a DNS server.
4. Configure an address pool of IPv4 addresses.
5. Configure the NAT IPv6 prefix.
6. Construct an IPv6 access list.
How to Implement IPv6 Using NAT-PT (Cont.)

Example
How to Implement IPv6 Using NAT-PT (Cont.)

Dynamic Translation
Configuration Example

Other Protocol Transition Mechanisms


Teredo

Encapsulates IPv6 packet in IPv4/UDP rather than IPv4/Protocol-41 (passes NAT)
Teredo (Cont.)

Teredo Characteristics

Teredo is an IPv6/IPv4 transition technology that allows automatic IPv6 tunneling between hosts that are located across IPv4 NATs.
• IPv6 traffic sent as IPv4 UDP messages
• Last resort transition technology for IPv6 connectivity
• Has significant security concerns
Teredo (Cont.)

Address Structure

IPv6 address encoding embeds:
• Global address and port
• Teredo server address
• Type of NAT box
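The 6to4 "IPv4 to hex" prefix and the Teredo address fields listed above can be recovered from any IPv6 address seen in a flow or log, which lets a defender spot tunneled IPv6 and the IPv4 endpoints behind it. This is an added example, not from the original deck; it assumes the address layouts of RFC 3056 (6to4), RFC 4380 (Teredo) and RFC 5214 (ISATAP), and the function names and sample addresses are constructed.

```python
import ipaddress

PFX_6TO4 = bytes.fromhex("2002")                 # 2002::/16
PFX_TEREDO = bytes.fromhex("20010000")           # 2001:0000::/32
ISATAP_IDS = (bytes.fromhex("00005efe"), bytes.fromhex("02005efe"))

def v4(raw: bytes) -> str:
    return str(ipaddress.IPv4Address(raw))

def sixtofour_prefix(ipv4: str) -> str:
    """6to4 site prefix: 2002 followed by the IPv4 address in hex, as a /48."""
    raw = PFX_6TO4 + ipaddress.IPv4Address(ipv4).packed + bytes(10)
    return str(ipaddress.IPv6Address(raw)) + "/48"

def decode_transition(addr: str) -> dict:
    """Classify an IPv6 address and extract the IPv4 data embedded in it."""
    raw = ipaddress.IPv6Address(addr).packed
    if raw[:2] == PFX_6TO4:
        return {"type": "6to4", "ipv4": v4(raw[2:6])}
    if raw[:4] == PFX_TEREDO:
        flags = int.from_bytes(raw[8:10], "big")
        return {
            "type": "teredo",
            "server": v4(raw[4:8]),                       # Teredo server address
            "cone_nat": bool(flags & 0x8000),             # type of NAT box
            # Global (NAT-mapped) port and address are stored bit-inverted.
            "mapped_port": int.from_bytes(raw[10:12], "big") ^ 0xFFFF,
            "mapped_ipv4": v4(bytes(b ^ 0xFF for b in raw[12:16])),
        }
    if raw[8:12] in ISATAP_IDS:
        return {"type": "isatap", "ipv4": v4(raw[12:16])}
    return {"type": "native"}

# Constructed sample addresses, as they might appear in a flow log.
SAMPLES = [
    "2002:c000:201::1",
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",
    "fe80::5efe:c000:201",
    "2001:db8::1",
]

if __name__ == "__main__":
    print(sixtofour_prefix("192.0.2.1"))
    for sample in SAMPLES:
        print(sample, decode_transition(sample))
```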
Teredo (Cont.)

Teredo Communication Process


Teredo (Cont.)

Stage 1 and 2

• Teredo relay doesn’t have an entry for the Teredo host, so it queues the packet.
• Teredo relay sends a “bubble” packet to the Teredo Server.
Teredo (Cont.)

Stage 3

Teredo server forwards the bubble packet, which contains the Teredo relay IPv4 address, to the Teredo host.
Teredo (Cont.)

Stage 4

Teredo host sends the bubble packet back to Teredo relay (opens a hole in the NAT box).
Teredo (Cont.)

Stage 5

Teredo relay transmits original packet to Teredo client.


Teredo (Cont.)

Stage 6

Subsequent packets flow directly.


Cisco VPN Client

IPv6 for Remote Devices Using VPN

Remote nodes using Cisco VPN client can connect via IPv4 IPSec:
• Currently no VPN solutions for establishing IPv6 IPSec connections
  • Cannot natively establish IPSec tunnels using IPv6 addresses yet
• Currently no management for IPv6 traffic in IPv4 VPN tunnels
  • Deploy IPv6 VPNs using configured and 6to4 tunnels


Cisco VPN Client (Cont.)

IPv6 For Remote Devices Using VPN (Cont.)

By enabling IPv6 traffic inside the Cisco VPN client tunnel, you can access IPv6 services remotely:
• Provides automatic support for NAT and firewall traversal
• Allows remote host to establish a v6-in-v4 tunnel either automatically or manually
  • ISATAP
  • Configured
Cisco VPN Client (Cont.)

IPv6 For Remote Devices Using VPN (Cont.)

Encrypt/decrypt works for native IPv4 packets as well as the tunneled IPv6-in-IPv4 packets:
• Client-side - IPv6 tunneled traffic terminates using the IPv4 VPN client address.
• Router-side - IPv6 tunneled traffic terminates using an IPv4 statically assigned address.


Cisco VPN Client (Cont.)

IPv6-in-IPv4 Tunnel Example

The VPN concentrator could be replaced with a VPN-enabled IOS router or PIX.
TSP

• Provides automation of configured tunnels:
  • Client sends request for tunnel, often via web page signup.
  • Based on policies, the broker sends the appropriate tunnel information to tunnel router.
  • Tunnel router configures its tunnel end.
  • Client then configures its tunnel end.
  • Client receives the following information:
    – Stable IPv6 address
    – Stable IPv6 prefix
• Well-known service: http://www.freenet6.net
TSP (Cont.)

Tunnel Modes
TSP (Cont.)

Tunnel Server

Simpler model
Server for both web requests and tunnel endpoint
Not supported by Cisco

Questions?

rdeterman@sunsetlearning.com

Sunset Learning
