Tunneling

Introduction to Tunneling

The expansion of the Internet has made IPv4 addresses scarce. Although technologies such as temporary IPv4 address allocation and Network Address Translation (NAT) relieve the problem of IPv4 address shortage to some extent, they not only increase the overhead in address resolution and processing, but also lead to high-level application failures. Furthermore, they still face the problem that IPv4 addresses will eventually be used up. Internet Protocol Version 6 (IPv6), which adopts a 128-bit addressing scheme, completely solves the above problem. Since significant improvements have been made in address space, security, network management, mobility, and QoS, IPv6 has become one of the core standards for the next generation Internet protocol. IPv6 is compatible with all protocols except IPv4 in the TCP/IP suite. Therefore, IPv6 can completely take the place of IPv4.

Before IPv6 becomes the dominant protocol, a network using the IPv6 protocol stack is expected to communicate with the Internet using IPv4. Therefore, an IPv6-IPv4 interworking technology must be developed to ensure the smooth transition from IPv4 to IPv6. In addition, the interworking technology should provide efficient, seamless information transfer. The Internet Engineering Task Force (IETF) set up the next generation transition (NGTRANS) working group to study problems about IPv4-to-IPv6 transition and efficient, seamless IPv4-IPv6 interworking. Currently, multiple transition technologies and interworking solutions are available. With their own characteristics, they are used to solve communication problems in different transition stages under different environments.

Currently, there are three major transition technologies: dual stack (RFC2893), tunneling (RFC2893), and NAT-PT (RFC2766).

Tunneling is an encapsulation technology, which utilizes one network transport protocol to encapsulate packets of another network transport protocol and transfer them over the network.
A tunnel is a virtual point-to-point connection. In practice, the virtual interface that supports only point-to-point connections is called a tunnel interface. One tunnel provides one channel to transfer encapsulated packets. Packets can be encapsulated and decapsulated at both ends of a tunnel. Tunneling refers to the whole process from data encapsulation to data transfer to data decapsulation.

IPv6 over IPv4 Tunnel

I. Principle

The IPv6 over IPv4 tunneling mechanism adds an IPv4 header to IPv6 data packets so that IPv6 packets can pass through an IPv4 network via a tunnel, realizing interworking between isolated IPv6 networks, as shown in Figure 1.

Caution: The devices at both ends of an IPv6 over IPv4 tunnel must support IPv4/IPv6 dual stack.

Figure 1 Principle of IPv6 over IPv4 tunnel

The IPv6 over IPv4 tunnel processes packets in the following way:

1) A host in the IPv6 network sends an IPv6 packet to the device at the source end of the tunnel.
2) After determining according to the routing table that the packet needs to be forwarded through the tunnel, the device at the source end of the tunnel encapsulates the IPv6 packet with an IPv4 header and forwards it through the physical interface of the tunnel.
3) The encapsulated packet goes through the tunnel to reach the device at the destination end of the tunnel. The device at the destination end decapsulates the packet if the destination address of the encapsulated packet is the device itself.
4) The destination device forwards the packet according to the destination address in the decapsulated IPv6 packet. If the destination address is the device itself, the device forwards the IPv6 packet to the upper-layer protocol for processing.

II. Configured tunnel and automatic tunnel

An IPv6 over IPv4 tunnel can be established between hosts, between hosts and devices, and between devices.
The tunnel destination needs to forward packets if the tunnel destination is not the eventual destination of the IPv6 packet.

According to the way the IPv4 address of the tunnel destination is acquired, tunnels are divided into configured tunnels and automatic tunnels.

- If the tunnel destination is not the eventual destination of the IPv6 packet, the device at the destination end of the tunnel (usually a router) will decapsulate the IPv6 packet and forward it to the eventual destination. In this case, the IPv4 address of the tunnel destination cannot be acquired from the destination address of the IPv6 packet and it needs to be configured manually. Such a tunnel is called a configured tunnel.
- If the tunnel destination is just the eventual destination of the IPv6 packet, an IPv4 address can be embedded into the IPv6 address so that the IPv4 address of the tunnel destination can automatically be acquired from the destination address of the IPv6 packet. Such a tunnel is called an automatic tunnel.

III. Type

According to the way an IPv6 packet is encapsulated, IPv6 over IPv4 tunnels are divided into the following types:

- IPv6 manual tunnel
- Automatic IPv4-compatible IPv6 tunnel
- 6to4 tunnel
- ISATAP tunnel
- IPv6-over-IPv4 GRE tunnel (GRE tunnel for short)

Among the above tunnels, the IPv6 manual tunnel and GRE tunnel are configured tunnels, while the automatic IPv4-compatible IPv6 tunnel, 6to4 tunnel, and intra-site automatic tunnel address protocol (ISATAP) tunnel are automatic tunnels.

1) IPv6 manually configured tunnel

A manually configured tunnel is a point-to-point link. One link is a separate tunnel. The IPv6 manually configured tunnels provide stable connections requiring regular secure communication between two border routers or between a border router and a host for access to remote IPv6 networks.

2) Automatic IPv4-compatible IPv6 tunnel

An automatic IPv4-compatible IPv6 tunnel is a point-to-multipoint link.
IPv4-compatible IPv6 addresses are adopted at both ends of such a tunnel. The address format is 0:0:0:0:0:0:a.b.c.d/96, where a.b.c.d represents an embedded IPv4 address. The tunnel destination is automatically determined by the embedded IPv4 address, which makes it easy to create a tunnel for IPv6 over IPv4. However, an automatic IPv4-compatible IPv6 tunnel must use IPv4-compatible IPv6 addresses and it is still dependent on IPv4 addresses. Therefore, automatic IPv4-compatible IPv6 tunnels have limitations.

3) 6to4 tunnel

- Ordinary 6to4 tunnel

An automatic 6to4 tunnel is a point-to-multipoint tunnel and is used to connect multiple isolated IPv6 networks over an IPv4 network to remote IPv6 networks. The embedded IPv4 address in an IPv6 address is used to automatically acquire the destination of the tunnel. The automatic 6to4 tunnel adopts 6to4 addresses. The address format is 2002:abcd:efgh:subnet number::interface ID/64, where abcd:efgh represents the 32-bit source IPv4 address of the 6to4 tunnel, in hexadecimal notation. For example, 1.1.1.1 can be represented by 0101:0101. The tunnel destination is automatically determined by the embedded IPv4 address, which makes it easy to create a 6to4 tunnel.

Since the 16-bit subnet number of the 64-bit address prefix in 6to4 addresses can be customized and the first 48 bits in the address prefix are fixed by a permanent value and the IPv4 address of the tunnel source or destination, it is possible that IPv6 packets can be forwarded by the tunnel. A 6to4 tunnel interconnects IPv6 networks and overcomes the limitations of an automatic IPv4-compatible IPv6 tunnel.

- 6to4 relay

A 6to4 tunnel can connect networks whose address prefix is 2002::/16. However, IPv6 network addresses with the prefix such as 2001::/16 may also be used in IPv6 networks. In order for these addresses to be reachable, a 6to4 router must be used as a gateway to forward packets to IPv6 networks. Such a router is called a 6to4 relay router.
As shown in Figure 2, a static route must be configured on the border router in the 6to4 network and the next-hop address must be the 6to4 address of the 6to4 relay router. In this way, all packets destined for the IPv6 network will be forwarded to the 6to4 relay router, and then to the IPv6 network. Thus, interworking between the 6to4 network (with the address prefix starting with 2002) and the IPv6 network is realized.

Figure 2 Principle of 6to4 tunnel and 6to4 relay

4) ISATAP tunnel

With the application of the IPv6 technology, there will be more and more IPv6 hosts in the existing IPv4 network. The ISATAP tunneling technology provides a satisfactory solution for IPv6 application. An ISATAP tunnel is a point-to-point automatic tunnel. The destination of a tunnel can automatically be acquired from the embedded IPv4 address in the destination address of an IPv6 packet. When an ISATAP tunnel is used, the destination address of an IPv6 packet and the IPv6 address of a tunnel interface both adopt special addresses: ISATAP addresses. The ISATAP address format is prefix(64bit):0:5EFE:ip-address. The ip-address is in the form of a.b.c.d or abcd:efgh, where abcd:efgh represents a 32-bit source IPv4 address. Through the embedded IPv4 address, an ISATAP tunnel can automatically be created to transfer IPv6 packets. The ISATAP tunnel is mainly used for connection between IPv6 routers or between a host and an IPv6 router over an IPv4 network.

Figure 3 Principle of ISATAP tunnel

5) GRE tunnel

IPv6 packets can be carried over GRE tunnels to pass through the IPv4 network by using the standard GRE protocol to encapsulate them. Like the IPv6 manually configured tunnel, a GRE tunnel is a point-to-point link, too. Each link is a separate tunnel. The GRE tunnel is mainly used for stable connections requiring regular secure communication between two border routers or between a host and a border router.

IV. Expedite termination

For a tunnel packet arriving at the device, if the source IP address matches the address of the expedite termination subnet, the packet is sent to an IPv6 tunnel protocol engine to forward, or sent to the CPU for processing. If the tunnel packet needs forwarding, the IPv6 tunnel protocol engine removes the IP encapsulation to obtain the original IPv6 packet and then forwards it directly.

The IPv6 over IPv4 GRE tunnel supports the expedite termination function. There are two cases:

- The expediting subnet is not applicable to a configured tunnel (for example, GRE tunnel and IPv6 manually configured tunnel). After the expedite termination function is enabled, the system will automatically consider the destination address of a tunnel as the address of the expedite termination subnet, and the subnet mask as 255.255.255.255.
- For automatic tunnels (for example, automatic IPv4-compatible IPv6 tunnel, automatic 6to4 tunnel, and ISATAP tunnel), you must carry out the expediting subnet command to designate an IP address and subnet mask for the expedite termination subnet after carrying out the expediting enable command.

IPv4 over IPv4 Tunnel

I. Introduction to IPv4 over IPv4 tunneling protocol

The IPv4 over IPv4 tunneling protocol (RFC1853) is developed for IP data packet encapsulation so that data can be transferred from one IPv4 network to another IPv4 network.

II. Encapsulation and decapsulation

Packets to be transferred through a tunnel undergo an encapsulation process and a decapsulation process. Figure 4 shows these two processes.

Figure 4 Principle of IPv4 over IPv4 tunnel

- Encapsulation

The encapsulation process is as follows:

1) The interface of Router A connecting to an IPv4 host receives an IP packet and submits it to the IP protocol stack for processing.
2) The IP protocol stack determines how to route the packet according to the destination address in the IP header. If the packet needs to be routed to the IPv4 host connected to Router B, the packet is sent to Router A’s tunnel interface that is connected to Router B.
3) After the tunnel interface receives the packet, the packet is encapsulated and submitted to the IP protocol stack for processing. The IP protocol stack determines the outgoing interface of the tunnel according to the IP header.

- Decapsulation

Contrary to the encapsulation process, the decapsulation process is as follows:

1) The IP packet received from the IPv4 network interface is sent to the IP protocol stack, which checks the protocol number in the IP header.
2) If the protocol number is IPv4, the IP packet is sent to the tunnel module for decapsulation.
3) The decapsulated IP packet is sent back to the IP protocol stack for processing.

IPv4/IPv6 over IPv6 Tunnel

I. Introduction to IPv4/IPv6 over IPv6 tunneling protocol

The IPv4/IPv6 over IPv6 tunneling protocol (RFC2473) is developed for IPv4 or IPv6 data packet encapsulation so that encapsulated packets can be transmitted over an IPv6 network. The encapsulated packets are IPv6 tunnel packets.

Figure 5 Principle of IPv4/IPv6 over IPv6 tunnel

As shown in Figure 5, original data refers to IPv4 or IPv6 packets.

II. Encapsulation and decapsulation

The encapsulation process is as follows:

1) After receiving the original packet, the interface of Router A connecting private network A submits it to the corresponding data module for processing. The data module then determines how to route the packet.
2) If the packet needs to be routed to Host B connected to Router B, the packet is sent to Router A’s tunnel interface that is connected to Router B.
3) After receiving the packet, the tunnel interface adds an IPv6 header to it and submits it to the IPv6 module for processing.
4) The IPv6 module re-determines a route according to the destination address in the IPv6 header.

Contrary to the encapsulation process, the decapsulation process is as follows:

1) The packet received from the IPv6 network interface is sent to the IPv6 module for processing.
2) If the passenger protocol is IPv4 or IPv6, the packet is sent to the tunnel processing module for decapsulation.
3) The decapsulated packet is sent to the corresponding protocol module for the secondary routing process.

6PE Overview

IPv6 on the provider edge routers (6PE) is a transition technology by which Internet service providers (ISPs) can use existing IPv4 backbone networks to provide the access capability for sparsely populated IPv6 networks.

The major concept of 6PE is that the IPv6 routing information of users is converted into IPv6 routing information with labels and is spread into the IPv4 backbone networks of ISPs through Internal Border Gateway Protocol (IBGP) sessions. When IPv6 packets are forwarded, traffic will be labeled after entering tunnels of backbone networks. The tunnels can be GRE tunnels or MPLS LSPs.

Figure 6 Network diagram for 6PE

Note: “P” in the above figure refers to a backbone router in the network of a service provider. P is not directly connected with a CE and is required to have the basic MPLS capability.

When an ISP wants to utilize the existing IPv4/MPLS network to provide IPv6 traffic switching capability through MPLS, only the PE routers need to be upgraded. Therefore, it is undoubtedly a highly efficient solution for ISPs to use the 6PE technology as an IPv6 transition mechanism. Furthermore, the operation risk of the 6PE technology is very low.
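
The automatic-tunnel address formats described under "III. Type" (IPv4-compatible, 6to4 and ISATAP), as an added Python example that is not part of the original document: it recovers the IPv4 tunnel destination embedded in an IPv6 destination address and builds the 6to4 prefix for a tunnel source. The function names and sample addresses are constructed for illustration; 1.1.1.1 is the document's own example.

```python
import ipaddress

SIXTOFOUR = ipaddress.ip_network("2002::/16")   # 6to4 prefix
COMPATIBLE = ipaddress.ip_network("::/96")      # 0:0:0:0:0:0:a.b.c.d/96
ISATAP_MARK = 0x00005EFE                        # 0:5EFE ahead of the IPv4 address


def _v4(value):
    """Render the low 32 bits of an integer as a dotted IPv4 address."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def tunnel_endpoint(destination):
    """Return (tunnel type, IPv4 tunnel destination) for an IPv6 destination.

    (None, None) means no IPv4 address is embedded, so the tunnel
    destination would have to be configured manually.
    """
    addr = ipaddress.IPv6Address(destination)
    value = int(addr)
    if addr in SIXTOFOUR:
        return "6to4", _v4(value >> 80)          # 2002:abcd:efgh:...
    if (value >> 32) & 0xFFFFFFFF == ISATAP_MARK:
        return "isatap", _v4(value)              # prefix:0:5EFE:a.b.c.d
    if addr in COMPATIBLE and value > 1:         # skip :: and ::1
        return "ipv4-compatible", _v4(value)
    return None, None


def sixtofour_prefix(tunnel_source):
    """Build the 2002:abcd:efgh::/48 prefix for a tunnel source IPv4 address."""
    v4 = int(ipaddress.IPv4Address(tunnel_source))
    return str(ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48)))


# Constructed sample destinations (documentation ranges, plus 1.1.1.1).
SAMPLES = ["2002:101:101:1::1", "fe80::5efe:192.0.2.1",
           "::198.51.100.7", "2001:db8::1"]

if __name__ == "__main__":
    for dst in SAMPLES:
        print(dst, "->", tunnel_endpoint(dst))
    print(sixtofour_prefix("1.1.1.1"))
```

An address that matches none of the three formats, such as 2001:db8::1, yields no endpoint, which is the case where a configured tunnel or a 6to4 relay route is needed.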
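
The encapsulation and decapsulation steps described for the IPv6 over IPv4 and IPv4 over IPv4 tunnels, as an added Python example that is not part of the original document or any vendor code. It assumes the IANA protocol numbers 4 (IPv4 passenger) and 41 (IPv6 passenger) in the outer IPv4 header and adds a header checksum check at the destination end; function names and addresses are constructed.

```python
import socket
import struct

# Outer IPv4 protocol numbers (IANA): passenger IP version -> protocol number.
PASSENGER_PROTO = {4: 4, 6: 41}


def checksum(header):
    """Ones'-complement sum used by the IPv4 header checksum."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def encapsulate(inner, tunnel_src, tunnel_dst):
    """Tunnel source end: prepend a 20-byte IPv4 header to the passenger."""
    proto = PASSENGER_PROTO[inner[0] >> 4]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64, proto,
                      0, socket.inet_aton(tunnel_src), socket.inet_aton(tunnel_dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + inner


def decapsulate(packet, local_addr):
    """Tunnel destination end: return the passenger packet, or None when the
    packet must not be handed to the tunnel module."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl or checksum(packet[:ihl]) != 0:
        return None                      # malformed or corrupted outer header
    if packet[16:20] != socket.inet_aton(local_addr):
        return None                      # not addressed to this tunnel end
    total_len = struct.unpack("!H", packet[2:4])[0]
    inner = packet[ihl:total_len]
    # The protocol number must name a passenger protocol and match the payload.
    if not inner or PASSENGER_PROTO.get(inner[0] >> 4) != packet[9]:
        return None
    return inner


def sample_ipv6_packet():
    """Constructed passenger: bare IPv6 header, documentation-prefix addresses."""
    src = socket.inet_pton(socket.AF_INET6, "2001:db8:1::1")
    dst = socket.inet_pton(socket.AF_INET6, "2001:db8:2::1")
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64, src, dst)


if __name__ == "__main__":
    outer = encapsulate(sample_ipv6_packet(), "192.0.2.1", "198.51.100.1")
    print(outer[9], len(outer), decapsulate(outer, "198.51.100.1") is not None)
```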