Which of the following tunneling methods is used to send IPv4 traffic through an IPv6 network?

What is IPv4 to IPv6 Tunneling?

  • Posted at 2021-02-26 17:27:21
  • By Prefixx Team

IPv4 to IPv6 tunneling refers to using the existing IPv4 routing infrastructure to carry IPv6 traffic. It supports an effective migration to IPv6 by maintaining compatibility with the IPv4 hosts and routers deployed at present. It also speeds up the transition to IPv6 by preserving continuity across infrastructure systems, because IPv6 can run over the IPv4 networking infrastructure that is already available.

A variety of transition mechanisms are available for tunneling IPv6 over existing IPv4 networks:

• manually configured IPv6 over IPv4 tunneling

• IPv6 over IPv4 GRE tunneling

• semi-automatic tunneling

• fully automatic tunneling

• ISATAP tunneling

IPv4 or IPv6 hosts and routers can carry IPv6 datagrams across an IPv4 network topology by encapsulating them in IPv4 packets. In particular, tunneling can be used in the ways listed below.

• Router-to-Router: IPv4 or IPv6 routers linked by an IPv4 infrastructure tunnel IPv6 packets between themselves. In this case, the tunnel covers one particular segment of the IPv6 packet's end-to-end route.

• Host-to-Router: An IPv4 or IPv6 host tunnels to an intermediate IPv4 or IPv6 router that can be reached via the current IPv4 infrastructure. In this case, the tunnel covers only the first portion of the IPv6 packet's end-to-end route.

• Host-to-Host: IPv4 or IPv6 hosts linked by an IPv4 infrastructure tunnel IPv6 packets between themselves. The tunnel covers the complete end-to-end path of the IPv6 packet in this case.

• Router-to-Peer: IPv4 or IPv6 routers tunnel IPv6 packets to the actual destination host, whether it is IPv6 or IPv4. In this case, the tunnel covers only the last portion of the IPv6 packet's end-to-end route.

Deploying IPv6 over IPv4 Tunneling

Compatibility with the widely deployed IPv4 hosts and routers is the key to a smooth IPv6 transition. Keeping IPv6 compatible with IPv4 simplifies the process of converting the Internet to IPv6. An IPv6 over IPv4 tunnel links isolated IPv6 sites across an IPv4 network. Deploying IPv6 over IPv4 supports service providers and businesses that want to provide an end-to-end IPv6 service without significant infrastructure upgrades. The ability to link isolated IPv6 domains over existing IPv4 infrastructure and services is one of the key advantages of this method of tunneling.

With IPv6 over IPv4 tunneling, configuration data on the encapsulating node determines the IPv4 tunnel destination address. Tunnels can be either one-way or two-way. Two-way tunnels behave as virtual point-to-point links. Although IPv4 and IPv6 cannot interoperate directly, transition mechanisms exist that allow hosts to communicate with hosts on either type of network.

Transition mechanisms link IPv4 and IPv6 and allow the two to work together. Because IPv6 is a protocol distinct from IPv4, it can run concurrently with IPv4 during the switch. Hosts and network devices can run both IPv4 and IPv6 on the same infrastructure at the same time (dual stacking), transparently to users. The two protocols do not interfere with each other. IPv4 networks will be phased out over time as we switch to IPv6.

At present, unused IPv4 addresses are a major cause of electricity consumption, which directly relates to greenhouse emissions. Tunneling is therefore an essential technique for using resources efficiently. It helps avoid wasting energy and resources, now and in the future.

Prerequisite – Differences between IPv4 and IPv6 
A request cannot be sent directly from an IPv4 address to an IPv6 address, because IPv4 and IPv6 are not compatible. Several technologies solve this problem: Dual-Stack Routers, Tunneling, and NAT Protocol Translation. They are explained below.

  1. Dual-Stack Routers:
    With a dual-stack router, a router interface configured with both IPv4 and IPv6 addresses is used to transition from IPv4 to IPv6.

In the above diagram, a server configured with both IPv4 and IPv6 addresses can communicate with all IPv4 and IPv6 hosts via the dual-stack router (DSR). The DSR provides the path for all hosts to communicate with the server without changing their IP addresses.

  2. Tunneling:
    Tunneling is used as a medium for communicating across a transit network that uses a different IP version.

In the above diagram, both IP versions, IPv4 and IPv6, are present. The IPv4 networks can communicate across the IPv6 transit (intermediate) network with the help of the tunnel. Likewise, an IPv6 network can communicate with IPv4 networks with the help of a tunnel.

  3. NAT Protocol Translation:
    With the NAT Protocol Translation technique, IPv4 and IPv6 networks that do not understand each other's addresses can also communicate with each other.

    Generally, one IP version does not understand the addresses of the other. To solve this problem we use a NAT-PT device, which removes the header of the first (sender's) IP version and adds a header of the second (receiver's) IP version, so that the receiver sees the request as sent by its own IP version. The reverse direction works the same way.

In the above diagram, an IPv4 address communicates with an IPv6 address via a NAT-PT device. In this situation, the IPv6 host sees the request as sent by the same IP version (IPv6) and responds to it.
In this article we will learn about a transition technology in networking known as Teredo tunneling. Various transition technologies, such as 6to4, are already in place, but Teredo was developed because of some shortcomings of the existing technologies. Teredo has some security considerations, which are covered later in this document.

What is Teredo tunneling?

Various tunneling methods were developed before Teredo, such as 6to4, which carries IPv6 (Internet Protocol version 6) packets as the payload of IPv4 packets. Methods like 6to4 have the limitation that they do not work for IPv6 devices sitting behind a NAT. To overcome this shortcoming, the Teredo tunneling method was developed, which gives full IPv6 connectivity to IPv6 hosts even from behind a NAT device. Teredo operates using a platform-independent tunneling protocol designed to provide IPv6 connectivity by encapsulating IPv6 datagrams within IPv4 User Datagram Protocol (UDP) packets. These datagrams can be routed on the IPv4 Internet and through NAT devices. Other Teredo nodes elsewhere, called Teredo relays, that have access to the IPv6 network then receive the packets, unencapsulate them, and route them on.

Also, 6to4, the most common IPv6 over IPv4 tunneling protocol, requires the tunnel endpoint to have a public IPv4 address. However, many hosts are currently attached to the IPv4 Internet through one or several NAT devices, and in such a situation, the only available public IPv4 address is assigned to the NAT device, and the 6to4 tunnel endpoint needs to be implemented on the NAT device itself. Many NAT devices currently deployed, however, cannot be upgraded to implement 6to4, for technical or economic reasons. Teredo alleviates this problem by encapsulating IPv6 packets within UDP/IPv4 datagrams, which most NATs can forward properly. Thus, IPv6-aware hosts behind NATs can be used as Teredo tunnel endpoints even when they don’t have a dedicated public IPv4 address. In effect, a host implementing Teredo can gain IPv6 connectivity with no cooperation from the local network environment.

Teredo node types

Teredo defines several node types and related terms, listed below:

  • Teredo Client: A Teredo client is a host that has IPv4 connectivity to the Internet from behind a NAT device and uses Teredo tunneling to gain IPv6 connectivity.
  • Teredo Server: A Teredo server is used for the initial configuration of a Teredo tunnel. It is a node that has IPv4 connectivity and can be used to provide IPv6 connectivity to Teredo clients.
  • Teredo Relay: A Teredo relay is an IPv6 router that forwards all of the data on behalf of the Teredo clients it serves.
  • Teredo Service Port: The Teredo service port is the port from which a Teredo client sends Teredo packets. The port is attached to one or more client IPv4 addresses.
  • Teredo Refresh Interval: The time interval during which a Teredo IPv6 address is expected to remain valid in the absence of "refresh" traffic. For a client located behind a NAT, the interval depends on the configuration parameters of the local NAT, or of the combination of NATs in the path to the Teredo server.
  • Teredo Node Identifier: A 64-bit identifier comprising a port and IPv4 address at which a client can be reached through the Teredo service, as well as a flag indicating the type of NAT through which the client accesses the IPv4 Internet.
  • Teredo Mapped Address and Mapped Port: A global IPv4 address and a UDP port that result from the translation of the IPv4 address and UDP port of a client's Teredo service port by one or more NATs.

How does Teredo work?

This section describes how Teredo and its various functions work together.

  • Teredo tunneling starts with Teredo clients communicating with a Teredo server. In this initial phase, the client's position is determined, i.e. whether it is behind a symmetric NAT, a cone NAT or a restricted cone NAT.
  • After the position of the client is determined, the Teredo IPv6 address embeds the address and port through which the client can receive IPv4/UDP packets encapsulating IPv6 packets.
  • After this, Teredo clients can exchange IPv6 packets with other compatible IPv6 nodes through Teredo relays. Teredo relays advertise reachability of the Teredo prefix to a certain subset of the IPv6 Internet.
  • Teredo clients then have to discover the Teredo relay that is close to the native IPv6 node. Here a spoofing attack is possible, where a malicious node acts as a legitimate IPv6-compatible node. In order to prevent spoofing, Teredo clients perform a relay discovery procedure by sending an ICMP echo request to the native host.
  • The message is encapsulated in UDP and sent by the client to its Teredo server; the server then decapsulates the IPv6 message and forwards it to the intended IPv6 destination. The payload of the echo request contains a large random number. The echo reply is sent by the peer to the IPv6 address of the client, and is forwarded through standard IPv6 routing mechanisms.
  • The packet will thus reach the relay that is closest to the native IPv6 node. For future requests, the Teredo client will discover the IPv4 address and UDP port used by the relay to send the echo reply, and will send further IPv6 packets to the peer by encapsulating them in a UDP packet sent to this IPv4 address and port. In order to prevent spoofing, the Teredo client verifies that the payload of the echo reply contains the proper random number. The Teredo server never carries actual data traffic.
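The server address, NAT-type flag, mapped port and mapped address that a Teredo address embeds can be decoded from any such address seen in a log. The following is an added example, not code from the original article; the 2001::/32 prefix and the field layout are taken from RFC 4380, and the log format and log lines are constructed samples.

```python
import ipaddress
import re
import struct

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")  # Teredo prefix (RFC 4380)

# Constructed sample log lines (hypothetical firewall log format).
SAMPLE_LOG = [
    "17:27:21 allow src=2001:0:4136:e378:8000:63bf:3fff:fdd2 dst=2001:db8::10",
    "17:27:22 allow src=192.0.2.45 dst=198.51.100.1",
    "17:27:23 allow src=2001:db8::20 dst=2001:0:c633:6401:0:fbff:34ff:8ef8",
]

def parse_teredo(addr):
    """Return the IPv4 details embedded in a Teredo address, else None."""
    ip = ipaddress.ip_address(addr)          # raises ValueError on bad input
    if ip.version != 6 or ip not in TEREDO_PREFIX:
        return None
    # 32-bit prefix | server IPv4 | 16-bit flags | port ^ 0xFFFF | IPv4 ^ 0xFFFFFFFF
    _, server, flags, port, client = struct.unpack("!IIHHI", ip.packed)
    return {
        "server_ipv4": str(ipaddress.IPv4Address(server)),
        "cone_nat": bool(flags & 0x8000),    # high flag bit: cone NAT reported
        "mapped_port": port ^ 0xFFFF,        # stored with every bit inverted
        "mapped_ipv4": str(ipaddress.IPv4Address(client ^ 0xFFFFFFFF)),
    }

def teredo_hosts(lines):
    """Find Teredo addresses in log lines and decode each one."""
    hits = []
    for line in lines:
        for token in re.findall(r"[0-9A-Fa-f:]*:[0-9A-Fa-f:]+", line):
            try:
                info = parse_teredo(token)
            except ValueError:               # timestamps, other colon-separated text
                continue
            if info:
                hits.append((token, info))
    return hits

if __name__ == "__main__":
    for address, info in teredo_hosts(SAMPLE_LOG):
        print(address, info)
```

The decoded mapped address and port identify the NAT binding through which the host is reachable from the IPv6 Internet, which is the exposure the security considerations below describe.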

Security considerations

Teredo Tunneling comes with various security issues that should be kept in mind before it is deployed in the network.

Attack Surface

Teredo tunneling increases the attack surface because it assigns routable IPv6 addresses to otherwise non-routable devices sitting behind a NAT device. Teredo thus exposes the complete IPv6 stack and the tunneling software to attacks.

UDP on Firewall

Since Teredo embeds the IPv6 inside UDP packets and then transmits them within IPv4 packets, UDP traffic must be allowed on the firewall to allow Teredo to work.
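Because Teredo traffic is ordinary UDP on the wire, a monitoring point has to look inside the payload to recognise it. The following added example (not from the original article) checks a UDP payload for an encapsulated IPv6 packet, skipping the optional Teredo authentication and origin-indication headers defined in RFC 4380; the function names and sample packets are constructed for illustration.

```python
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")  # Teredo prefix (RFC 4380)

def strip_teredo_headers(payload):
    """Skip the optional authentication / origin-indication headers (RFC 4380)."""
    while len(payload) >= 4 and payload[0] == 0x00:
        if payload[1] == 0x01:        # authentication: type, ID-len, AU-len, id, auth
            id_len, au_len = payload[2], payload[3]
            payload = payload[4 + id_len + au_len + 8 + 1:]  # + nonce + confirmation
        elif payload[1] == 0x00:      # origin indication: type, port, IPv4 address
            payload = payload[8:]
        else:
            break
    return payload

def inspect_udp_payload(payload):
    """Return inner IPv6 endpoints if the UDP payload is a tunneled IPv6 packet."""
    inner = strip_teredo_headers(payload)
    if len(inner) < 40 or inner[0] >> 4 != 6:      # no complete IPv6 header
        return None
    (declared,) = struct.unpack("!H", inner[4:6])
    if 40 + declared > len(inner):                 # declared length must fit
        return None
    src = ipaddress.IPv6Address(inner[8:24])
    dst = ipaddress.IPv6Address(inner[24:40])
    return {"src": str(src), "dst": str(dst),
            "teredo": src in TEREDO_PREFIX or dst in TEREDO_PREFIX}

def build_ipv6(src, dst, body):
    """Constructed test input: minimal IPv6 header (next header 58 = ICMPv6) + body."""
    header = struct.pack("!IHBB", 6 << 28, len(body), 58, 64)
    return (header + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + body)

# Constructed samples: an echo request from a Teredo address, and a DNS-like payload.
ECHO = build_ipv6("2001:0:c633:6401:0:fbff:34ff:8ef8", "2001:db8::10",
                  b"\x80\x00\x00\x00\x00\x01\x00\x01")
ORIGIN_INDICATION = b"\x00\x00\xfb\xff\x34\xff\x8e\xf8"   # obfuscated port + IPv4
DNS_LIKE = b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 40

if __name__ == "__main__":
    for name, data in [("echo", ECHO), ("origin+echo", ORIGIN_INDICATION + ECHO),
                       ("dns", DNS_LIKE)]:
        print(name, inspect_udp_payload(data))
```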

DoS on Teredo clients

Since Teredo clients use mapped address and ports from Teredo servers, this service must be protected from malicious 3rd party servers which act as Teredo servers and send crafted malicious inputs to Teredo clients. In order to prevent spoofing, the Teredo clients perform a relay discovery procedure by sending an ICMP echo request to the native host.

Since a Teredo relay acts as a relay for IPv6 packets, this service must be protected against crafted packets that attackers can use to hide their address and conduct a Denial of Service attack.

Which of the following protocols are used to allow IPv6 to travel over an IPv4 network?

6to4 is an Internet transition mechanism for migrating from Internet Protocol version 4 (IPv4) to version 6 (IPv6) and a system that allows IPv6 packets to be transmitted over an IPv4 network (generally the IPv4 Internet) without the need to configure explicit tunnels.

Which of the following methods can be used to generate an interface ID for an IPv6 address?

IPv6 hosts can use the Neighbor Discovery protocol to automatically generate their own interface IDs. Neighbor Discovery automatically generates the interface ID, based on the MAC or EUI-64 address of the host's interface.

Can IPv6 send packets to IPv4?

IPv6 packets are typically transmitted over the link layer (i.e., over Ethernet or Wi-Fi), which encapsulates each packet in a frame. Packets may also be transported over a higher-layer tunneling protocol, such as IPv4 when using 6to4 or Teredo transition technologies.

What are the solutions of transition from IPv4 address to IPv6 address in the Internet?

You can transition hosts in the following ways:

  • Upgrade one host at a time. Use IPv4–compatible addresses and automatic tunneling. ...
  • Upgrade one subnet at a time. Use configured tunnels between the routers. ...
  • Upgrade all the routers to dual before any host is upgraded.