© 2006 Cisco Systems, Inc. All rights reserved. IP6FD v2.06-1
IPv6 Transition Mechanisms: Describing IPv6 Tunneling Mechanisms


Overlay Tunnels
Tunneling is encapsulating the IPv6 packet in the IPv4 packet.
Tunnel (IPv6-in-IPv4 packet): IPv4 header, IPv6 header, IPv6 data
[Diagram: IPv6 host, IPv6 network, two dual-stack routers (v6/v4), IPv4 network]

Overlay Tunnels (Cont.)
Tunneling can be used by routers and hosts.
Tunnel (IPv6-in-IPv4 packet): IPv4 header, IPv6 header, IPv6 data
[Diagram: dual-stack host, IPv4 network, dual-stack router (v6/v4), IPv6 network, IPv6 host]

Tunnel Techniques Available for IPv6 Deployment
Many techniques are available for establishing a tunnel:
Manually configured
  – IPv6-in-IPv4
  – GRE
  – VPN
Semiautomatic
  – Tunnel broker
Automatic
  – 6to4
  – ISATAP
  – Teredo

Manually Configured Tunnels
Manually configured tunnels require:
  – Dual-stacked endpoints
  – Both IPv4 and IPv6 addresses configured at each end
  – IPv4 connectivity between the endpoints
[Diagram: two dual-stack routers across an IPv4 network, with IPv6 addresses 2001:db8:3:3::3 and 2001:db8:4:4::4; IPv6 network, IPv6 host]

Manually Configured Tunnels
  – Configured tunnels connect IPv4/IPv6 dual-stack hosts or networks to larger IPv6 networks.
  – Local network administrators arrange for a tunnel between IPv6 networks across IPv4-only networks.
  – Configured tunnels are simple to deploy.
  – Configured tunnels allow transport of IPv6 packets over an IPv4 network.
  – Configured tunnels are available on most platforms.

Manually Configured Tunnels (Cont.)
Manual IPv6-in-IPv4 tunnels:
  – Used between two points
  – Require configuration of both tunnel source and destination addresses
[Diagram: two dual-stack routers (v6/v4) across an IPv4 network, with IPv6 addresses 2001:db8:3::3 and 2001:db8:4::2; IPv6 network, IPv6 host]

Manually Configured Tunnels (Cont.)
IPv6 over GRE tunnel:
  – Configure dual-stack IPv4 and IPv6 addresses on GRE tunnel interface
  – Identify tunnel entry and exit with IPv4 addresses
  – Required for using IS-IS Protocol
Tunnel packet: IPv4 header, GRE header, IPv6 header, IPv6 data
[Diagram: IPv6 host, IPv6 network, two dual-stack routers (v6/v4), IPv4 network]

IPv6-in-IPv4 Tunnels

Router1(config)#
interface Tunnel0
 ipv6 address 2001:db8:3:3::3/64
 tunnel source
 tunnel destination
 tunnel mode ipv6ip

Router2(config)#
interface Tunnel0
 ipv6 address 2001:db8:4:4::4/64
 tunnel source
 tunnel destination
 tunnel mode ipv6ip

[Diagram: Router1 (IPv6: 2001:db8:3:3::3) and Router2 (IPv6: 2001:db8:4:4::4) across an IPv4 network; IPv6 network, IPv6 host]

GRE Tunnels
IPv6 over GRE tunnel:
  – Configure dual-stack IPv4 and IPv6 addresses on GRE tunnel interface
  – Identify tunnel entry and exit with IPv4 addresses
  – Required for using IS-IS protocol
Tunnel packet: IPv4 header, GRE header, IPv6 header, IPv6 data
[Diagram: IPv6 host, IPv6 network, two dual-stack routers (v6/v4), IPv4 network]

Automatic Tunnels
  – A tunnel across an IPv4-only network is automatically created by a dual-stack host or network.
  – Manual configuration of tunnel endpoints is not required.
Automatic tunnel types include:
  – 6to4: Used for interconnecting islands in IPv6
  – ISATAP: Intranet format, not designed for public networks

6to4
  – An automatic tunnel method
  – Gives a prefix to the attached IPv6 network
[Diagram: 6to4 tunnel between two 6to4 routers (v6/v4) across an IPv4 network; network prefixes 2002:c0a8:6301::/48 and 2002:c0a8:1e01::/48; IPv6 network]

6to4 Tunnel (Cont.)
  – Type: Native IPv6, Dst: 2002:c0a8:1e01::1 (IPv6, data)
  – Type: IPv6-in-IPv4, Dst: :c0a8:1e01::1 (IPv4, IPv6, data)
[Diagram: IPv6 host, IPv6 network, two 6to4 routers (v6/v4), IPv4 network]

Cisco IOS 6to4 Tunnel Configuration

Router1(config)#  (network prefix: 2002:c0a8:6301::/48)
interface Loopback0
 ip address
interface Ethernet0
 ipv6 address 2002:c0a8:6301:1::/64 eui-64
interface Tunnel0
 no ip address
 ipv6 unnumbered Ethernet0
 tunnel source Loopback0
 tunnel mode ipv6ip 6to4
ipv6 route 2002::/16 Tunnel0

Router2(config)#  (network prefix: 2002:c0a8:1e01::/48)
interface Loopback0
 ip address
interface Ethernet0
 ipv6 address 2002:c0a8:1e01:1::/64 eui-64
interface Tunnel0
 no ip address
 ipv6 unnumbered Ethernet0
 tunnel source Loopback0
 tunnel mode ipv6ip 6to4
ipv6 route 2002::/16 Tunnel0

[Diagram: Router1 (E0) and Router2 across an IPv4 network; IPv6 network]

6to4 Relay
6to4 relay:
  – A gateway to the rest of the IPv6 Internet
  – A default router
[Diagram: two 6to4 routers (v6/v4) across an IPv4 network; network prefixes 2002:c0a8:6301::/48 and 2002:c0a8:1e01::/48; IPv6 site network, IPv6 network, IPv6 Internet]

Cisco IOS 6to4 Relay Configuration

Router1(config)#
interface Ethernet0
 ip address
 ipv6 address 2002:c0a8:6301:1::/64 eui-64
interface Tunnel0
 no ip address
 ipv6 unnumbered Ethernet0
 tunnel source Ethernet0
 tunnel mode ipv6ip 6to4
ipv6 route 2002::/16 Tunnel0
ipv6 route ::/0 2002:c0a8:1e01::1

[Diagram: 6to4 router (v6/v4, network prefix 2002:c0a8:6301::/48), IPv4 network, 6to4 relay (v6/v4, IPv6 address 2002:c0a8:1e01::1), IPv6 network, IPv6 Internet]

6to4 Relay
[Diagram: Automatic Tunnels, 6to4 Relay. Labels: Host A (6to4, :c000:0201:a::7); 6to4 relay (v6/v4), IPv6 side 2001:db8:5000::3b/64; Host B (IPv6, 2001:db8:4502::1); BGP advertises /24; IPv6 only; IPv4/IPv6 dual-stack Internet]

6to4 Relay (Reverse Direction)
[Diagram: Automatic Tunnels, 6to4 Relay (Reverse Direction). Labels: Host A (6to4, :c000:0201:a::7); 6to4 relay (v6/v4), IPv6 side 2001:db8:5000::3b/64; Host B (IPv6, 2001:db8:4502::1); BGP advertises 2002::/16; IPv6 only; IPv4/IPv6 dual-stack Internet]

ISATAP
ISATAP provides intrasite automatic tunnels and global routability for ISATAP IPv6 hosts.
[Diagram: ISATAP hosts, IPv4-only routers, IPv4/IPv6 host, ISATAP router; address label :db8:fa05::5EFE:]


IPv4-in-IPv6 Tunnels
IPv4-in-IPv6 tunnels are similar to manual IPv6-in-IPv4 tunnels.
  – Next Header field of last extension header used to indicate an IPv4 packet (value = 4)
  – IPv6 tunnel appears as a point-to-point link
  – May be secured with AH or ESP
IPv4-in-IPv6 tunnels are a late-stage transition mechanism.

IPv4-in-IPv6 Tunnel Issues
Similar issues as IPv6-in-IPv4 tunneling:
  – Reduces MTU by 40 bytes.
  – Firewalls cannot inspect tunneled traffic.
  – NAT gateways do not support BGP4 traffic.
  – Manual tunnels do not scale well.

IPv4-in-IPv6 Tunnel ICMP Errors
Errors during tunneling are either:
  – In the tunnel header
  – In the tunnel packet
Both errors are reported to the tunnel entry point.
If the error is with the tunnel packet, the error is also reported to the packet source.

Cisco IOS Software IPv4-in-IPv6 Tunnel Configuration

router(config-if)# tunnel source ipv6-address | interface-type interface-num
  Defines the source (address or interface) of the tunnel

router(config-if)# tunnel destination ipv6-address
  Defines the destination of the tunnel

router(config-if)# tunnel mode ipv6
  Configures the tunnel interface to encapsulate IPv4 packets in IPv6 packets

Cisco IOS Software IPv4-in-IPv6 Tunnel Example

Router1#
interface Tunnel0
 tunnel source Ethernet0
 tunnel destination 2001:db8:1:1::2
 tunnel mode ipv6
interface Ethernet0
 no ip address
 ipv6 address 2001:db8:1:1::1/64

Router2#
interface Tunnel0
 tunnel source 2001:db8:1:1::2
 tunnel destination 2001:db8:1:1::1
 tunnel mode ipv6
interface Ethernet1
 no ip address
 ipv6 address 2001:db8:1:1::2/64

[Diagram: IPv4-in-IPv6 tunnel over LAN1 (2001:db8:1:1::/64) between Router1 (Ethernet0) and Router2 (Ethernet1); IPv4 network, IPv4 server]

Teredo
Encapsulates IPv6 packet in IPv4 UDP rather than IPv4 protocol 41 (passes NAT).
  – IPv4 (Next Header = IPv6-in-IPv4) | IPv6 (Next Header = TCP) | TCP | Data
  – IPv4 (Next Header = UDP) | UDP | Data | IPv6 (Next Header = TCP) | TCP | Data

Teredo (Cont.)
IPv6 address encoding embeds:
  – Global address and port
  – Teredo server address
  – Type of NAT box
Address structure (fields in order): Teredo prefix (2001:0000), Teredo server IPv4 address, NAT type, global port, global address
[Field widths shown on the slide: 32 bits, 16 bits]

Teredo (Cont.)
Teredo characteristics:
  – Teredo is an IPv6-IPv4 transition technology that allows automatic IPv6 tunneling between hosts that are located across IPv4 NATs.
  – IPv6 traffic is sent as IPv4 UDP messages.
  – Last-resort transition technology for IPv6 connectivity
  – Has significant security concerns


Teredo (Cont.)
Components of Teredo infrastructure:
  – Native IPv6 host transmits to a Teredo IPv6 host.
  – Packets are routed to the Teredo relay.
[Diagram: native IPv6 host, IPv6 network, Teredo relay, Teredo server, IPv4 network, Teredo IPv6 host]


Teredo (Cont.)
Teredo communication process:
  Stage 1: IPv6 host sends initial communication packet
  Stage 2: Teredo relay sends a bubble packet to the Teredo server
  Stage 3: Teredo server forwards bubble packet to the Teredo host
  Stage 4: Teredo host sends bubble packet back to Teredo relay
  Stage 5: Teredo relay transmits original packet to Teredo host
  Stage 6: Subsequent packets flow directly

Teredo (Cont.)
Stages 1 and 2:
  – Teredo relay does not have an entry for the Teredo host, so it queues the packet.
  – Teredo relay sends a bubble packet to the Teredo server.
[Diagram: native IPv6 host, IPv6 network, Teredo relay, Teredo server, IPv4 network, Teredo IPv6 host]


Teredo (Cont.)
Stage 3: Teredo server forwards the bubble packet to the Teredo host, which contains the Teredo relay IPv4 address.

Teredo (Cont.)
Stage 4: Teredo host sends the bubble packet back to Teredo relay (opens a hole in the NAT box).

Teredo (Cont.)
Stage 5: Teredo relay transmits original packet to Teredo client.

Teredo (Cont.)
Stage 6: Subsequent packets flow directly.

Tunnel Review
Tunnel type: features
  – Manually Configured: stable "always on" link; used to interconnect sites; IPv6-in-IPv4, GRE, and IPsec/VPN
  – Tunnel Broker and Tunnel Server: semiautomatic tunnel; allocates IPv6 addresses or prefixes to end users or sites
  – 6to4: automatic tunnel; IPv6 prefix formed using IPv4 address (2002: :: /48); used by end sites
  – ISATAP: automatic tunnel; IPv6 address formation = :0:5efe: ; intrasite mechanism for sparse enterprise deployments
  – Teredo: automatic tunnel; IPv6 address formation = 2001:0000: : : : ; NAT aware, used by SOHO users
  – DSTM: IPv4-in-IPv6 (draft)
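
The address formations in the review above mean that a 6to4, ISATAP or Teredo address names the IPv4 endpoint the tunneled traffic actually uses, which is what a defender needs when the firewall cannot inspect the tunnel itself. The following Python code is an added example, not part of the Cisco course material: it decodes those embedded IPv4 values from addresses seen in logs. The Teredo and ISATAP sample addresses are constructed from documentation ranges, and the inversion of the Teredo port and address and the 0200:5efe ISATAP variant are taken from RFC 4380 and RFC 5214, not from the slides.

```python
import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")
TEREDO = ipaddress.IPv6Network("2001::/32")  # written 2001:0000 on the slide


def _v4(value):
    """Render the low 32 bits of an integer as a dotted-quad IPv4 address."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def sixtofour_prefix(ipv4):
    """Build the /48 a 6to4 site derives from its router's IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def classify(addr):
    """Return (mechanism, embedded fields) for one IPv6 address."""
    n = int(ipaddress.IPv6Address(addr))
    ip = ipaddress.IPv6Address(n)
    if ip in SIXTOFOUR:
        # Bits 16..47 carry the 6to4 router's IPv4 address.
        return "6to4", {"router_ipv4": _v4(n >> 80)}
    if ip in TEREDO:
        # Global port and address are stored inverted (XOR with all ones).
        return "teredo", {
            "server_ipv4": _v4(n >> 64),
            "flags": (n >> 48) & 0xFFFF,
            "nat_port": ((n >> 32) & 0xFFFF) ^ 0xFFFF,
            "nat_ipv4": _v4(~n),
        }
    # ISATAP interface identifier: 0000:5efe (or 0200:5efe) + IPv4 address.
    if (n >> 32) & 0xFFFFFFFF in (0x00005EFE, 0x02005EFE):
        return "isatap", {"host_ipv4": _v4(n)}
    return "native", {}


def tunneled_endpoints(addresses):
    """Keep only tunneled addresses, mapped to what is hidden inside them."""
    found = {}
    for addr in addresses:
        kind, info = classify(addr)
        if kind != "native":
            found[addr] = (kind, info)
    return found


# Constructed sample: the 6to4 and native addresses appear on the slides,
# the Teredo and ISATAP ones are built from documentation IPv4 ranges.
SAMPLE = [
    "2002:c0a8:1e01::1",
    "2001:db8:4502::1",
    "2001:0:c000:201:8000:63bf:34ff:8efa",
    "2001:db8:fa05::5efe:c000:20a",
]

if __name__ == "__main__":
    print(sixtofour_prefix("192.168.99.1"))
    for addr, (kind, info) in tunneled_endpoints(SAMPLE).items():
        print(f"{addr:40} {kind:7} {info}")
```
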

Example DSTM IPv4 in IPv6 Tunnel
  1. Client needs IPv4 connectivity
  2. Client requests tunnel information
  3. Server sends IPv4 tunnel endpoint addresses
  Tunnel is set up
[Diagram: client, IPv6 network, tunnel endpoint, IPv4 network, Example.net]


IPv6 for Remote Devices Using VPN
Cisco VPN Client
Remote nodes using Cisco VPN Client can connect via IPv4 IPsec:
Currently no VPN solutions for establishing IPv6 IPsec connections
  – Cannot natively establish IPsec tunnels using IPv6 addresses
Currently no management for IPv6 traffic in IPv4 VPN tunnels
  – Deploy IPv6 VPNs using configured and 6to4 tunnels
[Diagram: IPv4 Internet, Branch 1 and Branch 2 with IPv6 configured tunnels, VPN HE1 and VPN HE2, corporate network]

IPv6 for Remote Devices Using VPN (Cont.)
Cisco VPN Client (Cont.)
By enabling IPv6 traffic inside the Cisco VPN Client tunnel, you can access IPv6 services remotely:
Provides automatic support for NAT and firewall traversal
Allows remote host to establish an IPv6-in-IPv4 tunnel either automatically or manually
  – ISATAP
  – Configured

IPv6 for Remote Devices Using VPN (Cont.)
Cisco VPN Client (Cont.)
Encrypt/decrypt works for native IPv4 packets and the tunneled IPv6-in-IPv4 packets:
  – Client side: IPv6-tunneled traffic terminates using the IPv4 VPN client address.
  – Router side: IPv6-tunneled traffic terminates using an IPv4 statically assigned address.

Cisco VPN Client (Cont.)
IPv6-in-IPv4 tunnel example:
The VPN concentrator could be replaced with a VPN-enabled Cisco IOS router or PIX.
[Diagram: remote user, Internet, IPv4 IPSec tunnel with IPv6 traffic inside it, VPN 300 Concentrator, Catalyst 6500 Supervisor 720, dual-stack corporate network, IPv6 server]

TSP
Provides automation of configured tunnels:
  – Client sends request for tunnel, often via web page signup.
  – Based on policies, the broker sends the appropriate tunnel information to tunnel router.
  – Tunnel router configures its tunnel end.
  – Client then configures its tunnel end.
  – Client receives the following information:
      Stable IPv6 address
      Stable IPv6 prefix
      Well-known service:

TSP (Cont.)
[Diagram: Tunnel Modes, Dynamic Connection. Labels: tunnel client, TSP, tunnel broker, DNS server, tunnel servers, IPv4 network, IPv6 tunnel over IPv4]

TSP (Cont.)
Tunnel server:
  – Simpler model
  – Server for both web requests and tunnel endpoint
  – Not supported by Cisco
[Diagram: tunnel client, IPv4 Internet, IPv6 over IPv4 tunnel, tunnel server, IPv6 network, IPv6 Internet]

Automatic Tunnels (Cont.)
Tunnel broker concept:
Tunnel information is sent via http-ipv4.
  1. Web request on IPv4
  2. Tunnel information response on IPv4
  3. Tunnel broker configures the tunnel on the tunnel server or router
  4. Client establishes the tunnel with the tunnel server or router
[Diagram: tunnel client, tunnel broker, IPv4 network, tunnel server or router (v6/v4), IPv6 network]

Tunnel Server
Tunnel server:
  – Represents a simpler model
  – Both for web requests and for tunnel endpoint
[Diagram: tunnel client, IPv4 Internet, IPv6 over IPv4 tunnel, tunnel server, IPv6 network, IPv6 Internet]

Summary
Configured tunnels (IPv6-in-IPv4, GRE, VPN) are stable and reliable but are difficult to manage as the number of tunnels required increases because each tunnel must have administrator-configured IPv4 endpoints.
Automatic tunneling mechanisms scale better than configured tunnels but are less versatile and more difficult to troubleshoot when issues arise. Also, automatic tunneling mechanisms solve specific problems:
  – 6to4 is used to connect an IPv6-enabled island to another island or native IPv6 Internet across an IPv4-only network.
  – ISATAP, by contrast, provides IPv6 capability to sparsely scattered dual-stack nodes to an enterprise with an IPv4-only backbone.
  – Teredo allows an IPv6 host on a private IPv4 network to talk to other IPv6 hosts.

Summary (Cont.)
Tunnel brokers aid with configuring manual tunnels to make them much simpler for nontechnical users to deploy. These brokers make IPv6-enabling a node appear "automatic" to the end user.
IPv4-in-IPv6 tunnels share many of the same qualities and issues as IPv6-in-IPv4 tunnels. IPv4-in-IPv6 tunnels usually appear in late-stage IPv6 migrations.
Cisco IOS software configuration of IPv4-in-IPv6 tunnels is very similar to other IPv6 tunneling mechanisms.
DSTM provides a method for an IPv4-only application to obtain IPv4 connectivity in an IPv6-only network.
When deploying or permitting any sort of tunneling mechanism, great care must be taken to not introduce security issues or weaken existing controls.