Talk about IPv6: the awkward IPv4

Source: Internet
Author: User


1. The awkward ARP

It has long been known that the layer-3 protocols include IP, ARP and ICMP, with ARP sitting beneath IP and ICMP riding on top of IP. Looking at the ARP packet format, it does not use IP to carry its packets; it seems to sit alongside IP rather than inside it. It is not appropriate to treat ARP as part of IP, and yet it exists only to serve IP.
Because of where ARP sits, wedged between the standard IP protocol and a variety of messy link-layer protocols, its position is awkward and its implementation is complex. It needs one part that is common to IP and other parts that handle MAC addressing differently for each link layer; in other words, every link layer needs its own ARP. ARP is also implemented differently on BMA (broadcast multi-access) and NBMA (non-broadcast multi-access) networks. On a BMA network such as Ethernet, a single address resolution disturbs the entire broadcast domain, which can hardly be called a minor side effect. IPv6 solves this completely: it replaces ARP with the Neighbor Solicitation and Neighbor Advertisement messages of Neighbor Discovery (ND) as its address-resolution scheme. All ND messages are carried in ICMPv6, and ICMPv6 runs over IP, so everything related to IP addressing is folded into ICMPv6 and there is no need to design an awkward ARP-like protocol as IPv4 did.
IPv6 address resolution uses multicast, which minimizes the impact on the rest of the link; this is part of the IPv6 standard. According to the standard, each interface automatically generates a link-local address (see below), and several other address types are available. The IPv6 stack must generate a "solicited-node" multicast address for each IPv6 address on the interface and listen on it. Because each IP address corresponds to a derived multicast address, whenever the MAC address for an IP address needs to be resolved, a Neighbor Solicitation is sent only to the solicited-node multicast address corresponding to the IP address being resolved.

2. The awkward address configuration

Once upon a time I always wanted to write a small program to take to hotels where there was a network cable or Wi-Fi but not necessarily DHCP: it would find the CIDR block of the access network and then pick an IP address that did not conflict with anyone. I wrote many such programs and they could meet the requirement, but it is still hard to expect someone who does not understand networking to do this, and in essence the task can be done with arping and nmap... IPv6 hosts can be configured automatically, which makes "out of the box" a reality. As soon as your computer is attached to the network, the corresponding port generates a link-local address according to a fixed rule, FE80 + (MAC address mapped to EUI-64), so that you can use this address to communicate with other nodes on the link. If there is a router on the link, you can of course talk to the router, and the router will configure a global address that is routable on the public network onto your machine's interface and push a route to you. What is even more gratifying is that all of the above communication is fully automated.
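As an added illustration (not from the original post), here is how the two derivations above work in practice: the FE80 + EUI-64 link-local rule, and the solicited-node multicast group an interface must join so that a Neighbor Solicitation reaches it without disturbing the whole link. The MAC and addresses used are constructed samples.

```python
import ipaddress

def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, Appendix A):
    split the MAC, insert ff:fe in the middle and invert the universal/local bit."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02                      # flip the U/L bit of the first octet
    return bytes(iid)

def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """The rule the post calls FE80 + (MAC mapped to EUI-64): fe80::/64 plus the identifier."""
    prefix = bytes([0xFE, 0x80]) + bytes(6)
    return ipaddress.IPv6Address(prefix + eui64_from_mac(mac))

def solicited_node_multicast(addr) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX, with XX:XXXX the low 24 bits of the unicast address (RFC 4291, 2.7.1).
    This is the group a Neighbor Solicitation for `addr` is sent to, instead of a broadcast."""
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    prefix = bytes([0xFF, 0x02]) + bytes(9) + bytes([0x01, 0xFF])
    return ipaddress.IPv6Address(prefix + low24)

def solicited_node_mac(group) -> str:
    """Ethernet multicast MAC the interface must listen on for that group: 33:33 plus the
    low 32 bits of the group address (RFC 2464, section 7)."""
    low32 = ipaddress.IPv6Address(group).packed[-4:]
    return "33:33:" + ":".join(f"{b:02x}" for b in low32)

def listen_groups(addrs) -> set:
    """All solicited-node groups an interface joins for its addresses; addresses sharing the
    same low 24 bits share one group, so the set can be smaller than the address list."""
    return {solicited_node_multicast(a) for a in addrs}

if __name__ == "__main__":
    mac = "00:1c:42:ab:cd:ef"                               # constructed sample MAC
    ll = link_local_from_mac(mac)
    print(ll, solicited_node_multicast(ll), solicited_node_mac(solicited_node_multicast(ll)))
```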
This is embodied in several ND messages: Router Solicitation/Advertisement and Neighbor Solicitation/Advertisement. Anyone who has played with OpenVPN will find all of this familiar. In fact, the standard contains many more ideas that make the reader eager to try them.

3. The awkward NAT

IPv4 stateful NAT completely removes global interconnection. This kind of unilateral protectionism is as annoying as a tariff: not only does the client side use SNAT for protection, the server side also uses DNAT for mapping... What about stateless NAT? No good either: before and after stateless NAT, interconnectivity is entirely controlled by whoever manages the NAT network, and of course that also depends on whether that administrator makes mistakes. IPv6 no longer needs NAT; if you want protectionism you can still use it. Each interface is configured with multiple addresses, and the protocol stack knows which address to use for each peer: it uses the link-local address to talk on the link, the site-local address to talk within the organization, and the global address to talk to the outside world. If you do not want to assign a global address to a node, you can also NAT the organization's site address to a global address...

4. The awkward address classes

In college I learned about Class A, B and C addresses, and only later about CIDR. As a result, many router configuration interfaces have a "classful" and a "classless" option, and when you look into each router's implementation, the route-lookup logic for classful addresses differs from that for classless ones; the simplest example is that a dynamic trie does not suit classful addresses. IPv4 address classes made the address space unevenly distributed, and the United States holds a large number of Class A addresses.
If the operator allows it, the kids there can freely do P2P, while a large number of Internet users in China can only browse the web from behind NAT. The IPv6 plan removes this classing and instead classifies addresses by fixed-length prefix. Even private addresses (link-local and site-local addresses, see the next section) and multicast addresses are classified this way:
a. A global address has a fixed 48-bit prefix; the next 16 bits are used by the organization to divide subnets, and the last 64 bits identify the node.
b. Private addresses such as link-local addresses start with FE80 and a fixed number of prefix bits.
c. Every other address type you can think of works the same way.

5. The awkward private addresses

"The source address of traffic leaving an external port must not be a private address" is an ACL that almost every network administrator configures, yet it is precisely the omission of rules like this one about private addresses, each a lesson learned the hard way, that has produced a whole series of so-called classic ACL rules that both network administrators and network programmers must keep in mind. Reflecting on these rules, most of them exist because IPv4 defines several private address ranges but does not specify how a router should treat them; all of it depends on manual configuration. That is the embarrassment: private addresses should never appear on the Internet, but the problem is who defines "public network". IPv6 not only classifies addresses hierarchically but also limits the range of each basic category, so the constraints are built into router implementations. In general, unicast IPv6 addresses fall into three categories:
Globally reachable addresses: addresses that can be routed globally, similar to non-private IPv4 addresses. Such an address can be configured on any port.
It can be configured manually, via DHCPv6, or by IPv6 autoconfiguration.
Organization-reachable addresses: addresses that can be routed within a certain organization but nowhere else without restriction; they are used only inside the organization. An organization can be a country, a company or a tribe; in short, it depends on human planning, which makes the definition rather unclear.
Link-reachable addresses: valid only on one layer-2 link and never crossing a layer-3 device. Every interface must have one, and the prefix FE80 identifies it. It must be configured automatically and is generated as soon as the interface comes up, by the rule FE80: + EUI-64 identifier, where the identifier is derived from the interface MAC address by a fixed series of rules.
The three kinds are distinguished by scope, and routers isolate addresses by scope:
a. a link-local address cannot cross a router;
b. an organization address cannot cross the organization's egress router;
c. an interface must have both a link-local address and a global address. When communication occurs, the source address is chosen from the routing result and the scope of the destination address.
Now compare IPv6's improvements over IPv4 point by point.
Same-link communication: in IPv4 you must use DHCP or manually assign addresses in the same subnet; in IPv6 the automatically configured link-local address can be used directly.
Intra-organization communication: in IPv4 you configure addresses manually, and if global public addresses are used you must always take care that there is no address conflict.
Internet communication with locally unique addresses: in IPv4 you must configure multiple policies on the egress router or firewall to keep private addresses from leaking; in IPv6, link-local addresses and organization addresses simply cannot get past the egress router.
Private addresses: in IPv4 each of the A, B and C classes has its own private range, the ranges are not contiguous, and the private ranges overlap the address classes, so whether an address is private has to be decided explicitly by its restricted domain (scope); in IPv6 the address itself can be parsed to obtain its restricted domain.
Behind these features lies the IPv6 implementation mechanism. When communicating, IPv6 always selects, among the addresses configured on the local machine, the one with the smallest scope that still satisfies reachability to the destination. For example, if IPv6 finds that the destination starts with FE80, a link-local address is used as the source; if the destination is an intra-organization address, an intra-organization address is used as the source rather than a global unicast address, even when the machine has one. Linux has the following macro definitions:

#define IFA_HOST   IPV6_ADDR_LOOPBACK
#define IFA_LINK   IPV6_ADDR_LINKLOCAL
#define IFA_SITE   IPV6_ADDR_SITELOCAL
#define IFA_GLOBAL 0x0000U

The source address selection logic, ipv6_dev_get_saddr (the listing is abbreviated with "..." as in the original post):

int ipv6_dev_get_saddr(struct net_device *dev, struct in6_addr *daddr,
                       struct in6_addr *saddr, int onlink)
{
    struct inet6_ifaddr *ifp = NULL;
    struct inet6_ifaddr *match = NULL;
    struct inet6_dev *idev;
    int scope;
    int err;
    int hiscore = -1, score;

    if (!onlink)
        scope = ipv6_addr_scope(daddr);
    else
        scope = IFA_LINK;

    /*
     * known dev
     * search dev and walk through dev addresses
     */
    /* first try to pick the source address on the egress NIC of the route result */
    if (dev) {
        if (dev->flags & IFF_LOOPBACK)
            scope = IFA_HOST;

        read_lock(&addrconf_lock);
        idev = __in6_dev_get(dev);
        if (idev) {
            read_lock_bh(&idev->lock);
            for (ifp = idev->addr_list; ifp; ifp = ifp->if_next) {
                if (ifp->scope == scope) {
                    if (ifp->flags & IFA_F_TENTATIVE)
                        continue;
                    /* rank candidates by address state */
                    score = ipv6_saddr_pref(ifp, 0);
                    if (score <= hiscore)
                        continue;
                    if (match)
                        in6_ifa_put(match);
                    match = ifp;
                    hiscore = score;
                    in6_ifa_hold(ifp);
                    ...
                }
            }
            read_unlock_bh(&idev->lock);
        }
        read_unlock(&addrconf_lock);
    }

    if (scope == IFA_LINK)
        goto out;

    /*
     * dev == NULL or search failed for specified dev
     */
    /* nothing found on the egress NIC: walk every device */
    read_lock(&dev_base_lock);
    read_lock(&addrconf_lock);
    for (dev = dev_base; dev; dev = dev->next) {
        /* repeat "pick the source address on the egress NIC of the route result" */
        ...
    }
    ...
out:
    err = -EADDRNOTAVAIL;
    if (match) {
        ipv6_addr_copy(saddr, &match->addr);
        err = 0;
        in6_ifa_put(match);
    }
    return err;
}

Actually, the IPv4 implementation in Linux already has the concept of scope. IPv4 scope is divided into route scope and address scope. The route scope indicates the distance from the destination to the current machine, and the address scope indicates the range over which an address is valid. IPv4 has a route scope because an IPv4 address cannot determine the reach of the destination from the address itself; it can only be specified when the route is configured. The route scope of IPv4 is not mandatory; its purpose is to ensure that a packet gets closer and closer to its destination during forwarding, so the scope of a packet's route must be wider than the scope of the route that reaches its next hop.
The IPv4 address scope is similar to IPv6's restricted domain, but its use is little known: it actually limits the range of an address, for example so that a link-scope address is selected for traffic sent onto this link, while a link-scope address may not be used as the source of traffic that crosses a router. In IPv6 the scope can be obtained from the address itself, so there is no need to maintain a scope attribute on the address or on the route entry. If you do not believe this, run ip route ls table all and you will see that every IPv4 route has a scope and no IPv6 route has one. The scope that ip address ls displays for an IPv6 address is not an externally configured attribute but an intrinsic property of the address: it does not change with the scope parameter of ip addr add, it is computed from the address itself.

6. The awkward MTU

I once implemented a module on Linux that could NAT without reassembling fragments. The motivation was to NAT on an intermediate node first, because reassembling and then NATing was too troublesome. The most annoying part of that implementation was recomputing checksums: not only the IP header checksum but also the TCP/UDP pseudo-header, which changes the upper-layer checksum. NAT is the culprit; fragmentation and reassembly merely go along with it. Looking at the root cause again, and assuming the NAT problem were solved (it is, in IPv6), the real culprit is that MTU values differ so much between links. IPv6 rigidly rules that intermediate routers never fragment. This rests on two points. First, network media are no longer what they were N years ago, so a minimum MTU can be mandated by default (in fact not very small; this is unfortunate).
Second, many things can be done at the end nodes, such as MTU discovery. If fragmentation is needed, why does the upper-layer protocol not emit smaller packets, or fragment at the IP layer on the sender? A router's job is high-speed forwarding; fragmentation is outside its remit. It is much like express delivery: the people handling the parcel in the middle have no right to open it, and generally just send it back.

7. The awkward flow identification

Once upon a time, for work and for my own projects alike, I kept hoping for a network accelerator card that could take over Linux's ip_conntrack function, because conntrack in the protocol stack is too inefficient: it must parse the layer-4 protocol, it must maintain a conntrack entry for every flow, which consumes memory, and it must cope with the connection table filling up under a large number of connections. Conntrack serves two purposes. The first is to do, for efficiency, processing that a flow genuinely needs, such as NAT and state matching; the second is to identify certain flows for special treatment, such as prioritizing audio and video streams. The second requirement should really not be the job of an intermediate node; the end node should declare it itself, which is what the TOS field was originally for. Yet because of the extra conntrack processing, the audio and video flows that were supposed to get preferential treatment instead gain latency from conntrack. IPv6 hands the second requirement entirely to the end node: the end node fills in the Flow Label field of the IPv6 header so that intermediate nodes can identify and treat the flow, and traffic from the same source or to the same destination can be told apart by flow label. Even so, IPv6 does not force intermediate nodes to drop conntrack.
After all, if the end node does not set a flow label, the intermediate node still needs extra computation to identify the flow, and stateful NAT, for example, still requires conntrack.

8. The awkwardness summed up

IPv4 is too complicated: so much logic can only be decided after internal computation in the protocol stack, and each operating system's stack implementation becomes a contest in complexity. IPv4 has tried to do almost everything, and most of it reduces the performance of the IP network. When link bandwidth keeps getting cheaper and processor resources keep getting dearer, such processing is better placed at the end nodes.

9. The unpleasant IPv4 stack code

ip_rcv and ip_rcv_finish are the Linux stack functions that receive IP datagrams. They handle a great deal and are complex; leaving aside the trouble of route lookup, checksum verification, packet sanity checks, option processing, fragmentation and reassembly are complicated enough. Route lookup itself is simple, but because IPv4 route entries carry many manually defined attributes the code more than doubles, for example for scope matching, neighbour resolution to update the route cache, and so on. IPv6 processing is unimaginably simple: cutting 20% of the features cut 80% of the code.

10. High-speed links need tacit agreement rather than intelligence

If many things are fixed in advance, no computation is needed. Computation is the biggest consumer of computer resources and power; if a question is settled in advance it can be implemented directly, and the computing capacity saved can be put to other uses. Intelligence is great, but for a protocol, fixed rules make computation more efficient.
static inline int ip6_rcv_finish(struct sk_buff *skb)
{
    /* no route attached yet: look one up, then hand the packet to its input handler */
    if (skb->dst == NULL)
        ip6_route_input(skb);
    return dst_input(skb);
}

ip6_route_input calls fib6_lookup, the core of route lookup, which is far leaner than its IPv4 counterpart: it is essentially a binary search tree, the lookup is direct, and the matching of scope and other human-defined attributes is gone. The IPv6 header is fixed-length, yet flexible, for fast processing. Most additional options are processed only in the end system, and even those handled on the path can be chained; that is the essence of the "Next Header" field in the header.
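To show what the fixed header plus Next Header chaining means in practice, here is an added parser (not from the original post) that reads the 40-byte header, walks the extension-header chain, pulls out the Flow Label from section 7 and the Fragment header that only the end node has to act on. The sample packet is constructed.

```python
import ipaddress
import struct

# Extension-header protocol numbers that may sit between the fixed header and the upper layer.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
TCP = 6

def parse_ipv6(pkt: bytes) -> dict:
    """Parse the fixed 40-byte header, then follow Next Header through the extension chain."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first, payload_len, nxt, hlim = struct.unpack("!IHBB", pkt[:8])
    if first >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    info = {"traffic_class": (first >> 20) & 0xFF, "flow_label": first & 0xFFFFF,
            "payload_len": payload_len, "hop_limit": hlim,
            "src": str(ipaddress.IPv6Address(pkt[8:24])),
            "dst": str(ipaddress.IPv6Address(pkt[24:40])), "ext": [], "fragment": None}
    off = 40
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        info["ext"].append(nxt)
        if nxt == FRAGMENT:               # fixed 8 bytes: next, reserved, offset/M flag, id
            _, _, frag, ident = struct.unpack("!BBHI", pkt[off:off + 8])
            info["fragment"] = {"offset": (frag >> 3) * 8, "more": bool(frag & 1), "id": ident}
            nxt, off = pkt[off], off + 8
        else:                             # Hdr Ext Len counts 8-byte units beyond the first
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if off > len(pkt):
        raise ValueError("truncated extension header")
    info["upper"], info["l4_offset"] = nxt, off
    return info

def flow_key(info: dict) -> tuple:
    """What an intermediate node can classify on without touching layer 4: the 3-tuple of
    source, destination and flow label, provided the end node filled the label in."""
    return info["src"], info["dst"], info["flow_label"]

def build_sample() -> bytes:
    """Constructed packet: IPv6 header -> Hop-by-Hop (PadN) -> Fragment -> first 8 bytes of TCP."""
    hbh = bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])          # next=44, len=0 (8 bytes), PadN(4)
    frag = struct.pack("!BBHI", TCP, 0, (0 << 3) | 1, 0x12345678)   # offset 0, M=1
    tcp = struct.pack("!HHI", 40000, 443, 1)               # ports and a sequence number only
    first = (6 << 28) | (0 << 20) | 0xABCDE                # version 6, TC 0, flow label 0xABCDE
    hdr = struct.pack("!IHBB", first, len(hbh) + len(frag) + len(tcp), HOP_BY_HOP, 64)
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return hdr + src + dst + hbh + frag + tcp
```

A forwarding node only needs the first 40 bytes for flow_key; the loop over EXT_HEADERS is what an end node (or a middlebox that insists on seeing layer 4) has to run.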
