The Internet Protocol Journal - Volume 6, Number 3

IPv6 Behind the Wall

by Jim Bound

IPv6 has technology advantages over IPv4, and most of them will not be seen by the end user, any more than users see the features added by other extensions to the Internet Protocol suite, the sensors in their automobiles, or any other core technology evolution. This article focuses on three of those IPv6 technology advantages "Behind the Wall."

An essential catalyst for the Next-Generation Internet is the Internet Protocol Version 6 (IPv6), which will enable a more pervasive use of the Internet and of networking in general. The current Internet, using IPv4, is insufficient to support the business and operational preconditions for peer-to-peer applications and security, billions of mobile devices, sensor networks, and the distributed computing infrastructure required to support a mobile society. The "band aids" applied to keep the current Internet operating have created additional operational costs and reduced operational capabilities for users and networks.

This article is an IPv6 Forum (www.ipv6forum.com) statement of the technology advantages of IPv6.

IPv6 Supports End-to-End Applications and Security
There are several schools of thought on the question of IPv4 address space, and they project different results depending on one's mathematics and one's assumptions about how addresses will be used. There is also the effect of disruptive technology, which can make any projection of IPv4 address exhaustion moot. In that sense, rationing IPv4 addresses is justified and intelligent. The IPv6 Forum believes we are already experiencing the initial quake of such disruptive technology, and that users and markets need to evolve further on the basic tenet that end-to-end applications and security are a precondition for that evolution to begin. The IPv6 Forum believes that Network Address Translation (NAT) is about control, but that control comes at the cost of the freedom to use peer-to-peer computing rather than client-to-server-only computing.

Two users on the Internet today generally cannot each initiate peer-to-peer communications with each other, because their location and identity are not available to each other from two disparate networks. In addition, security between them must trust a third party, and absolutely private communication is impossible. The reason is that the Internet has evolved so that users are generally behind NATs, which preclude peer-to-peer communications and the exchange of private security credentials. Some will say this affords users security on the Internet. Although NAT does provide a denial-of-service perimeter, it also denies a direct trust relationship between peers. IPv6 is the only way to have peer-to-peer security for the Next-Generation Internet at a reasonable cost, and a true privacy trust model on the Internet.

In network computer science, when engineers and architects implement translation functions in a solution, a cost is incurred that would not exist without translation, because state must be kept before, during, and after the translation. In software engineering terms, these state machines add time and space costs to the entire operation. In addition, a NAT box is a single point of failure, because it is the only point on the network through which a user can exit or enter when translation exists. Translation also does not permit the use of all the functions possible without it, because too many participants need to know the mappings, each function requires its own state to be maintained, and the time and space costs grow rapidly as functions and participants are added. These costs of keeping the Internet operational with NAT have been passed on to every part of the current Internet's business, consumer, and government market sectors, and the result cannot even support all the functions the Internet offered before NAT. The current Internet has no hope of supporting the functions the Next-Generation Internet requires, or of offering a solution to the digital divide that exists today and widens daily.

The good news is that IPv6 is evolving, early adopter deployment has begun, and vendors have delivered initial IPv6 products to the market. IPv6 will not require NAT, and the infrastructure supports a stateless architecture for the Internet, using stateful properties only where they can be used without a translation attribute or policy. IPv6 inherently supports mobile communications, billions of devices, and sensor networks that will be pervasive at a reasonable cost, and it provides the option to eliminate the digital divide within the current Internet.

IPv6 Supports a Stateless Node Discovery Architecture
A Next-Generation Internet base technology advantage for mobile user devices, ad hoc networks, mobile network providers, and generally for all users is the Stateless Node Discovery Architecture inherent within IPv6.

IPv6 nodes can discover each other and form IPv6 addresses to communicate on a network using what is called Neighbor Discovery and Stateless Autoconfiguration. IPv6 supports an extensible stateless node discovery paradigm, which provides the following features:
Discover presence of nodes on the network
Discover the link-layer addresses of nodes on the network
Discover routers on the network
Discover link configuration parameters on the network

These features permit an IPv6 node to obtain and maintain information about the reachability of another node on the network for communications. Node discovery precedes the node obtaining an address through IPv6 autoconfiguration. This core IPv6 technology framework also permits nodes to communicate on networks where there are no routers, such as an ad hoc network.

A host, when booted on an IPv6 link, first creates a link-local address by taking the architecturally defined link-local prefix FE80::/64 and appending a 64-bit interface identifier, which the host derives from its link-layer address in modified EUI-64 (Extended Unique Identifier) format. The host then verifies, through Duplicate Address Detection, that no other node on its link already uses this link-local address: it multicasts a Neighbor Solicitation for the tentative address to that address's solicited-node multicast group, and only a node already holding the address would answer. Duplicate addresses are not permitted on an IPv6 link.

The host then uses the link-local address to send Neighbor Solicitations on the IPv6 link. A solicitation for a given target is multicast to that target's solicited-node group, and the target returns a Neighbor Advertisement carrying its link-layer address; nodes also learn of one another from unsolicited advertisements. After this exchange, the nodes on the IPv6 link can communicate, and this was accomplished without the use of servers or routers, in a stateless manner.

The host also listens for Router Advertisements on the IPv6 link (or sends Router Solicitations to elicit them). Router Advertisements provide address prefixes, link configuration parameters, flags indicating whether to use the stateless or the stateful method for address assignment, and whether additional network configuration parameters are available through the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) [1].

If the host is instructed to use the stateless method for address configuration, it forms an IPv6 address from each announced router prefix by appending the same interface identifier it used for the link-local address, and verifies each new address for duplicates in the same way. IPv6 supports multiple address types within the address architecture [2,3]. If the host is instructed to use the stateful method for address configuration, DHCPv6 can be used to assign the host's addresses.
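As an added example, not part of the original article, the following Python walks through the address-forming steps just described: the modified EUI-64 interface identifier, the link-local address under FE80::/64, the solicited-node multicast group to which the Duplicate Address Detection solicitation is sent, and the global addresses formed from router-advertised prefixes. The MAC address and the 2001:db8::/32 prefix are constructed sample values, and the function names are the example's own, not taken from any implementation.

```python
"""Added example: IPv6 stateless address autoconfiguration, step by step.

The MAC address and the router-advertised prefix used at the bottom are
constructed sample values (the 2001:db8::/32 range is reserved for
documentation).
"""
import ipaddress

# Architecturally defined link-local prefix used for the first address a host forms.
LINK_LOCAL_PREFIX = ipaddress.IPv6Network("fe80::/64")


def modified_eui64(mac: str) -> bytes:
    """Derive the 64-bit interface identifier from a 48-bit MAC address.

    Modified EUI-64 format: split the MAC in the middle, insert 0xFFFE, and
    invert the universal/local bit (bit 7 of the first octet).
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # flip the universal/local bit
    return bytes(iid)


def form_address(prefix: ipaddress.IPv6Network, iid: bytes) -> ipaddress.IPv6Address:
    """Append a 64-bit interface identifier to a /64 prefix."""
    if prefix.prefixlen != 64 or len(iid) != 8:
        raise ValueError("stateless autoconfiguration needs a /64 prefix and a 64-bit identifier")
    return ipaddress.IPv6Address(prefix.network_address.packed[:8] + iid)


def solicited_node_multicast(addr) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the target address.

    Duplicate Address Detection sends its Neighbor Solicitation for a tentative
    address to this group, so only nodes already holding an address with the
    same low 24 bits even receive it.
    """
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24)


def autoconfigure(mac: str, advertised_prefixes):
    """Reproduce the host's sequence: link-local address first (checked for duplicates
    via its solicited-node group), then one address per prefix from Router Advertisements."""
    iid = modified_eui64(mac)
    link_local = form_address(LINK_LOCAL_PREFIX, iid)
    return {
        "link_local": link_local,
        "dad_target_group": solicited_node_multicast(link_local),
        "global": [form_address(ipaddress.IPv6Network(p), iid) for p in advertised_prefixes],
    }


if __name__ == "__main__":
    # Constructed sample values: a MAC address and one router-advertised prefix.
    cfg = autoconfigure("00:1b:21:3c:4d:5e", ["2001:db8:1:2::/64"])
    for name, value in cfg.items():
        print(f"{name}: {value}")
```

For the sample MAC the host ends up with the link-local address fe80::21b:21ff:fe3c:4d5e, sends its duplicate-detection solicitation to ff02::1:ff3c:4d5e, and forms 2001:db8:1:2:21b:21ff:fe3c:4d5e from the advertised prefix. One caveat a practitioner should keep in mind: because the same EUI-64 identifier is embedded in every address the host forms, the host is recognizable across every network it visits; the privacy extensions of RFC 3041 replace the identifier with a periodically changing random value for exactly that reason.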

Users will not see these IPv6 stateless advantages for network communications, but they will exist behind the wall to provide a new and improved set of mechanisms for node discovery and address autoconfiguration, far more robust and efficient than those available with the current IP Version 4 (IPv4) protocol. The IPv6 Stateless Architecture for Node Discovery permits a new model for node communications on links.

The Mobile IPv6 Technology Value Proposition
Mobile IPv6 offers many improvements over Mobile IPv4. Mobile IP as a technology permits users to remain connected across wireline (for example, Ethernet, xDSL) and wireless (for example, 802.11, cellular, satellite) networks while roaming between them. This permits users to stay connected on the way from home to the airport, rather than shutting down their personal digital assistant (PDA) or laptop at home and reconnecting at the WiFi location at the airport.

Figure 1: Route Optimization with Built-In Security



Figure 1 depicts the multiple phases of a Mobile IPv6 connection. On the home network, a mobile node receives its home address as any IPv6 node does. The mobile node registers that address with the Home Agent, which is a router that keeps the location information for the mobile node when it moves to a foreign network, stores the mobile node's care-of address when the mobile node is away from home, and performs other functions on behalf of the mobile node while it is away. A peer node that the mobile node communicates with is defined as the Correspondent Node (which may be stationary or mobile).

Security between the mobile node and the home agent is provided by the IP Security (IPsec) architecture. This permits secure communications between the mobile node and the home agent, including the registration of the care-of address. When a correspondent node has a packet to send to a mobile node, it first checks its Binding Cache for an entry for the mobile node's home address. If it has one, it sends the packet directly to the recorded care-of address; if it does not, it sends the packet to the home address. The home agent intercepts all packets sent to the home address while the mobile node is away from home and tunnels them to the mobile node's care-of address.

To permit a mobile node and a correspondent node to communicate directly, without going through the home agent, requires the use of Mobile IPv6 Route Optimization. Before the correspondent node will accept a binding from the mobile node, it needs assurance that the mobile node is actually reachable both at its home address (via the home agent) and at its claimed care-of address (directly). In the figure, that is done using the procedure defined as Return Routability (RR) within the Mobile IPv6 protocol: the correspondent node returns one token along each of the two paths, and the mobile node must combine both tokens to authenticate the Binding Update that installs its care-of address. The network path between the mobile node and the correspondent node is thus secured through the RR procedure.
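As an added example, not part of the article, the following Python simulates the Return Routability exchange described above, with the correspondent node on one side and the mobile node on the other. The token and key derivations follow the Mobile IPv6 specification (RFC 3775, section 5.2, which is not among this article's references); everything else is simplified and constructed: messages are function calls rather than Mobility Header packets, the home agent appears only as the fact that the Home Test is addressed to the home address, the nonce is never rotated, the "MH data" is a stand-in for the Binding Update fields the authenticator covers, and all addresses come from the 2001:db8::/32 documentation range.

```python
"""Added example: a simulation of the Mobile IPv6 Return Routability (RR) procedure.

Token and key derivation follow RFC 3775 section 5.2; transport, the home
agent and nonce handling are simplified, and all addresses are constructed.
"""
import hashlib
import hmac
import ipaddress
import os


def first_n(data: bytes, nbits: int) -> bytes:
    """First(n, data) of the specification: the leading n bits."""
    return data[: nbits // 8]


def hmac_sha1(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


class CorrespondentNode:
    """Keeps only a secret node key Kcn and a nonce. No per-mobile-node state is
    created until a Binding Update has been authenticated."""

    def __init__(self, address: str):
        self.address = ipaddress.IPv6Address(address)
        self.kcn = os.urandom(20)    # node key; never leaves the CN
        self.nonce = os.urandom(8)   # a real CN rotates nonces and returns a nonce index
        self.binding_cache = {}

    def _home_token(self, hoa: ipaddress.IPv6Address) -> bytes:
        return first_n(hmac_sha1(self.kcn, hoa.packed + self.nonce + b"\x00"), 64)

    def _careof_token(self, coa: ipaddress.IPv6Address) -> bytes:
        return first_n(hmac_sha1(self.kcn, coa.packed + self.nonce + b"\x01"), 64)

    def home_test(self, hoa: str) -> bytes:
        """Answer a Home Test Init. The HoTI reached the CN via the home agent and the
        Home Test goes back the same way, so only a node reachable at the home
        address learns this token."""
        return self._home_token(ipaddress.IPv6Address(hoa))

    def careof_test(self, coa: str) -> bytes:
        """Answer a Care-of Test Init. The Care-of Test is sent directly to the
        care-of address, so only a node reachable there learns this token."""
        return self._careof_token(ipaddress.IPv6Address(coa))

    def binding_update(self, hoa: str, coa: str, mh_data: bytes, authenticator: bytes) -> bool:
        """Verify a Binding Update: recompute both tokens and Kbm from the CN's own key,
        and accept the binding only if the authenticator matches."""
        hoa, coa = ipaddress.IPv6Address(hoa), ipaddress.IPv6Address(coa)
        kbm = hashlib.sha1(self._home_token(hoa) + self._careof_token(coa)).digest()
        expected = first_n(hmac_sha1(kbm, coa.packed + self.address.packed + mh_data), 96)
        if not hmac.compare_digest(expected, authenticator):
            return False
        self.binding_cache[hoa] = coa   # route optimization is now possible
        return True

    def cached_careof(self, hoa: str):
        coa = self.binding_cache.get(ipaddress.IPv6Address(hoa))
        return None if coa is None else str(coa)


def mobile_node_authenticator(home_token: bytes, careof_token: bytes,
                              cn_address, coa: str, mh_data: bytes) -> bytes:
    """Mobile-node side: Kbm = SHA1(home token | care-of token), then the Binding Update
    authenticator = First(96, HMAC_SHA1(Kbm, care-of address | CN address | MH data))."""
    kbm = hashlib.sha1(home_token + careof_token).digest()
    coa_packed = ipaddress.IPv6Address(coa).packed
    cn_packed = ipaddress.IPv6Address(cn_address).packed
    return first_n(hmac_sha1(kbm, coa_packed + cn_packed + mh_data), 96)


def run_exchange(cn: CorrespondentNode, hoa: str, coa: str, claimed_coa=None) -> bool:
    """Run RR for a node that is really reachable at `coa`. If `claimed_coa` differs,
    the node is lying about its location: it still obtains the home token, but the
    Care-of Test for the claimed address is delivered there, never to it."""
    claimed_coa = claimed_coa or coa
    mh_data = b"\x00\x01\x00\x00\x0e\x10"   # constructed: sequence 1, lifetime 3600 (simplified)
    home_token = cn.home_test(hoa)          # travels via the home agent
    careof_token = cn.careof_test(coa)      # the only care-of token this node can receive
    auth = mobile_node_authenticator(home_token, careof_token, cn.address, claimed_coa, mh_data)
    return cn.binding_update(hoa, claimed_coa, mh_data, auth)


if __name__ == "__main__":
    cn = CorrespondentNode("2001:db8:c::1")
    print("honest mobile node:", run_exchange(cn, "2001:db8:a::10", "2001:db8:b::20"))
    print("false care-of address:", run_exchange(cn, "2001:db8:a::11", "2001:db8:b::21",
                                                  claimed_coa="2001:db8:dead::1"))
```

The point the simulation makes is the one the article asserts without prearranged keys: the correspondent node never stores anything before the Binding Update arrives, and a node that cannot receive packets at the care-of address it claims never obtains the matching token, so its authenticator fails. The caveat the specification itself states is that RR only defends against attackers who are off the path: an attacker able to read both the Home Test and the Care-of Test in transit learns both tokens, which is why the binding it produces is short-lived and the exchange is repeated.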

Mobile IPv6 uses the extensibility of the IPv6 protocol, defining new Neighbor Discovery messages and options, a new Routing Header type, and a new Destination Option in the IPv6 packet; these extension mechanisms do not exist in IPv4. Discussion of those extensions is beyond the scope of this article, and readers are referred to the Mobile IPv6 specification itself.

Mobile IPv6 has core technical operational advantages over Mobile IPv4, as follows:
There is no need to deploy special routers as "foreign agents," as in Mobile IPv4. Mobile IPv6 operates in any location without any special support required from the local router.
Support for route optimization is a fundamental part of the protocol, rather than a set of nonstandard extensions.
Mobile IPv6 route optimizations can operate securely even without prearranged security associations. It is expected that the route optimizations can be deployed on a global scale among all mobile-node correspondent nodes.
Support is also integrated into Mobile IPv6 for allowing route optimizations to coexist with routers that perform ingress filtering.
IPv6 Neighbor Unreachability Detection ensures symmetric reachability between the mobile node and its default router in the current location.
Most packets sent to a mobile node away from home in Mobile IPv6 are sent using an IPv6 routing header rather than IP encapsulation, reducing the amount of resulting overhead compared to Mobile IPv4.
Mobile IPv6 is decoupled from any particular link layer because it uses IPv6 Neighbor Discovery instead of IPv4 Address Resolution Protocol (ARP). This also improves the robustness of the protocol.
The use of IPv6 encapsulation (and the routing header) removes the need in Mobile IPv6 to manage tunnel soft state.
The dynamic home-agent address discovery mechanism in Mobile IPv6 returns a single reply to the mobile node. The directed broadcast used in IPv4 returns separate replies from each home agent.

Summary
This article has presented three of the key technology advantages of IPv6 behind the wall. There are others, but they are too technically complex to define in a short article and are rather the subject of IPv6 implementation white papers. The IPv6 architecture extends the potential for the Next-Generation Internet to support rapid renumbering of networks, Quality of Service, extensions for ad hoc networks, and the hope of extending the Internet beyond the capabilities and functions available today with IPv4. Most important, IPv6 enhancements will be developed without using "band aids," as is currently being done with today's IPv4 architecture. The author of this article would like to thank Tony Hain and Patrick Grossetete from Cisco Systems for their review.

For Further Reading
[1] R. Droms, Ed., J. Bound, B. Volz, T. Lemon, C. Perkins, M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)," RFC 3315, July 2003.

[2] R. Hinden, S. Deering, "Internet Protocol Version 6 (IPv6) Addressing Architecture," RFC 3513, April 2003.

[3] R. Hinden, S. Deering, E. Nordmark, "IPv6 Global Unicast Address Format," RFC 3587, August 2003.

Additional information regarding IPv6 can be found at the International IPv6 Forum Web site www.ipv6forum.com and the North American IPv6 Task Force Web site www.nav6tf.org. Specifically, readers can view the IPv6 Forum basic value proposition at: http://www.nav6tf.org/summit_slides/IPv6_Value_Proposition_June_2003final.ppt

JIM BOUND works at Hewlett Packard Corporation as an HP Fellow and is a Network Technical Director within the Enterprise UNIX (HP-UX) Division's Network and Security Lab Engineering Group. Jim was a member of the Internet Protocol Next Generation (IPng) Directorate within the IETF, which selected IPv6, among several proposals, to become the basis of the IETF's work on an IPng in 1994. Jim has been a key designer and implementor of IPv6, and contributor and coauthor of IPv6 specifications. Jim founded an ad-hoc IPv6 deployment group working with implementors across the Internet in 1998, which became the IPv6 Forum, where Jim is now Chair of the IPv6 Forum Technical Directorate and Member of the Board of Directors. Jim is also Chair of the North American IPv6 Task Force. Jim is a pioneer member of the Internet Society, and member of the Institute of Electrical and Electronics Engineers (IEEE). In July 2001, Jim received the IPv6 Forum Internet IPv6 Pioneer Award as the IPv6 Forum's "Lead Plumber." Jim has been working in the field of networking as engineer and architect since 1978, and is a subject matter expert to government and industry, for IPv6 and network-centric technology. E-mail: jim.bound@hp.com