IPv6 Workshop - BCNET · 2015-12-16

Post on 15-Aug-2020


Alvin Wong, Sr Network Analyst @ BCNET
Toby Wong, Network Analyst @ BCNET
Micheal Jones, Systems Administrator @ Cybera

IPv6 Workshop

Agenda

9:00AM - 10:00AM:
- Introduction
- Why IPv6?
- State of IPv6 Adoption
- IPv6 Fundamentals
- IPv6 Deployment Options

April 28, 2014 www.bc.net 2

10:00AM - 10:15AM: <Break>

10:15AM - 12:00PM:
- Assignment #1 - Local Routing
- Assignment #2 - Campus Routing

12:00PM - 1:00PM: <Lunch>

1:00PM - 2:00PM:
- Assignment #3 - Interdomain Routing
- Assignment #4 - Router Security

2:00PM - 2:15PM: <Break>

2:15PM - 3:00PM:
- Systems Introduction

3:00PM - 5:00PM:
- Systems Assignments (DNS, Web, Email, and Firewall)

Introductions

Alvin Wong, Sr. Network Analyst, BCNET
email: alvin.wong@bc.net

Toby Wong, Network Analyst, BCNET
email: toby.wong@bc.net

Micheal Jones, Systems Administrator, Cybera
email: micheal.jones@cybera.ca

Tell us about you!

- Name:
- What you do:
- Organization:
- Interest or experience in IPv6:
- Fun fact about you:

IPv6 Community Lab

- Network test-bed to gain IPv6 knowledge and experience on real hardware
- BCNET, Canarie and Cisco donated the hardware
- Lab consists of 8 x Cisco 2800 routers, 1 x Cisco 3700 switch

https://www.bc.net/atl-conf/display/BCNETIPv6LAB/Home

Why IPv6?


Inevitability

32-bit IPv4 address space limited to 4.3 billion unique addresses (developed in 1980s)

Running out of IPv4 addresses -- IANA/ICANN and RIRs /8s are depleting

APNIC and RIPE down to their last /8


IANA Unallocated Address Pool Exhaustion: 03-Feb-2011

Projected RIR Address Pool Exhaustion Dates:

http://www.potaroo.net/tools/ipv4/

RIR       Projected Exhaustion Date
APNIC     19-Apr-2011 (actual)
RIPE      14-Sep-2012 (actual)
ARIN      19-Mar-2015
LACNIC    16-Sep-2014
AFRINIC   18-Apr-2020

http://www.potaroo.net/tools/ipv4/plotend.png

More IP addresses!

- Reduce reliance on NAT
- Reachability to growing IPv6-only networks
- Growth in the number of network devices
- New countries and greater needs

State of IPv6 Adoption


Content Provider Level
- Google
- Facebook
- Yahoo!
- Bing
- Netflix

National Connectivity Level
- Canarie
- Hurricane Electric
- Tata Communications
- Shaw
- Peer1

http://www.google.com/ipv6/statistics.html

Percentage of users that access Google via IPv6 < 3.4%


http://v6asns.ripe.net

Percentage of ASes Announcing IPv6 Prefixes


http://mnlab-ipv6.seas.upenn.edu/fig1


IPv6 deployment at BCNET

- BCNET has been IPv6 ready for many years
- From research to production
- Address space
  - Canarie address space (PA, provider aggregatable): 2001:410:1000::/40
  - Provider independent (PI) address space: 2607:f8f0::/32

IPv6 Fundamentals

[Figure: IPv4 Header and IPv6 Header]

IPv6 Header vs IPv4 Header

- IPv6 has a fixed header length of 40 bytes (IPv4 was min. 20 bytes + options)
- IPv6 removed:
  - Internet header length (IHL) field
  - Options field
  - Padding field
- IPv6 uses the Payload Length field instead of the Total Length field
- Processing advantages in using a fixed-length header!

IPv4 Protocol field replaced with IPv6 Next Header field to indicate:

- ICMPv6 (58)
- TCP (6)
- UDP (17)
- IPsec AH (51)
- IPsec ESP (50)
- Fragment (44)

Futureproof!

- Removed IP fragmentation support
  - Removed Fragment Offset, Identification, Flags fields
  - Rely on end-hosts to fragment and reassemble
  - All IPv6 hosts must accept minimum MTU of 1280 bytes
  - ICMPv6 vital to learn if packet-too-big
- Removed Header Checksum (let TCP/UDP layer handle)
- TTL renamed as Hop Limit
- Added new Flow Label
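Added example, not part of the original slides: a Python parser for the fixed 40-byte IPv6 header described above that also follows the Fragment (44) header to the upper-layer protocol, which a packet filter must do before it can match on TCP, UDP or ICMPv6. The sample packet, its 2001:db8:: addresses and all function names are constructed for illustration.

```python
import ipaddress
import struct

# Next Header values listed on the slide.
NEXT_HEADER = {6: "TCP", 17: "UDP", 44: "Fragment", 50: "IPsec ESP",
               51: "IPsec AH", 58: "ICMPv6"}

def parse_ipv6(packet):
    """Decode the fixed 40-byte IPv6 header and follow any Fragment header."""
    if len(packet) < 40:
        raise ValueError("shorter than the fixed 40-byte IPv6 header")
    word, payload_len, nxt, hop_limit = struct.unpack("!IHBB", packet[:8])
    if word >> 28 != 6:
        raise ValueError("version field is not 6")
    if payload_len != len(packet) - 40:
        raise ValueError("Payload Length does not match bytes after the header")
    info = {
        "traffic_class": (word >> 20) & 0xFF,
        "flow_label": word & 0xFFFFF,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(packet[8:24])),
        "dst": str(ipaddress.IPv6Address(packet[24:40])),
        "chain": [],
    }
    offset = 40
    while nxt == 44:  # the Fragment header is always 8 bytes
        if len(packet) < offset + 8:
            raise ValueError("truncated Fragment header")
        inner, _, off_flags, ident = struct.unpack("!BBHI", packet[offset:offset + 8])
        info["chain"].append("Fragment")
        # With offset > 0 the following bytes are mid-payload, not a header.
        info["fragment"] = {"offset": off_flags >> 3,
                            "more": bool(off_flags & 1), "id": ident}
        nxt, offset = inner, offset + 8
    info["chain"].append(NEXT_HEADER.get(nxt, f"unknown({nxt})"))
    info["upper_layer_offset"] = offset
    return info

def build_sample():
    """Constructed packet: ICMPv6 echo request behind one Fragment header."""
    icmp = struct.pack("!BBHHH", 128, 0, 0, 1, 1)   # checksum left at 0
    frag = struct.pack("!BBHI", 58, 0, 0, 0x1234)   # offset 0, M flag clear
    payload = frag + icmp
    base = struct.pack("!IHBB", (6 << 28) | 0xABCDE, len(payload), 44, 64)
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return base + src + dst + payload
```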


How many addresses is that?

IPv6 = 128 bits (IPv4 = 32 bits)

340,282,366,920,938,463,463,374,607,431,768,211,456 addresses, or:

= 3.4 x 10^38

undecillion
trillion trillion

If earth was made entirely of 1 cubic millimeter grains of sand, you could give a unique address to each grain in 300 million planets the size of the earth.

Enough addresses to be assigned to every atom of every human being on the planet and still have 2.91 x 10^38 addresses left.

128-bit binary representation

00100110000001111111100011110000000000000000000000000000000000000000000001111000000000000000000000000000000000000101010010111110

Addresses are represented by 8 groups of 16 bits separated by colons (:)

Use hexadecimal to shorten

e.g. 2607:F8F0:0000:0000:0078:0000:0000:54BE

Hexadecimal Refresher

conveniently represent 4 binary bits

-lots of binary bits.

Case insensitive.


Binary  Decimal  Hex
0000    0        0
0001    1        1
0010    2        2
0011    3        3
0100    4        4
0101    5        5
0110    6        6
0111    7        7
1000    8        8
1001    9        9
1010    10       A
1011    11       B
1100    12       C
1101    13       D
1110    14       E
1111    15       F

Two more optional shortcuts:

1) Leading zeros within a group are optional.

2607:f8f0:0000:0000:0078:0000:0000:54be

2607:f8f0:0:0:78:0:0:54be

2) A run of consecutive all-zero groups can be replaced with ::

2607:f8f0:0:0:78:0:0:54be

2607:f8f0:0:0:78::54be
or
2607:f8f0::78:0:0:54be

Beware: Use :: only once in an address, or else the address is invalid and ambiguous!

e.g. 2607:f8f0::78::54be is invalid!
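Added example, not part of the original slides: a Python expander for the two shorthand rules above that rejects a repeated :: and lists the addresses the invalid 2607:f8f0::78::54be could stand for. Function names are illustrative; the standard-library ipaddress module is used only to produce one canonical spelling, which is what log searches and ACL comparisons should match on.

```python
import ipaddress
import string

def _groups_to_text(groups):
    return ":".join(f"{int(g, 16):04x}" for g in groups)

def expand(text):
    """Expand an IPv6 literal to 8 four-digit groups; reject a repeated '::'."""
    if text.count("::") > 1:
        raise ValueError("'::' may be used only once in an address")
    if "::" in text:
        head, tail = text.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        if len(left) + len(right) > 7:
            raise ValueError("'::' must stand for at least one group")
        groups = left + ["0"] * (8 - len(left) - len(right)) + right
    else:
        groups = text.split(":")
    ok = len(groups) == 8 and all(
        1 <= len(g) <= 4 and all(c in string.hexdigits for c in g)
        for g in groups)
    if not ok:
        raise ValueError("need 8 groups of 1-4 hex digits")
    return _groups_to_text(groups)

def canonical(text):
    """One standard spelling, for comparing addresses in logs or ACLs."""
    return str(ipaddress.IPv6Address(expand(text)))

def readings_of_double_gap(text):
    """Every address an invalid literal with exactly two '::' could mean."""
    a, b, c = (p.split(":") if p else [] for p in text.split("::"))
    zeros = 8 - len(a) - len(b) - len(c)
    return [_groups_to_text(a + ["0"] * n + b + ["0"] * (zeros - n) + c)
            for n in range(1, zeros)]
```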


IPv6 Address Components

Like IPv4, there are always two parts to an address:
- Network
- Host (interface ID)

[Figure: Network bits | Host bits]

Just as in IPv4, we retain use of CIDR notation:

ipv6-address/prefix-length

E.g. 2001:0db8:0:cd30::/60

Network Prefix bits


IPv6 Address Types

Address Type           IPv6                    Description
Unspecified            ::                      Unassigned
Loopback               ::1                     Self address
Global Unicast         2000::/3 (2000-3FFF)    One to one, globally routable
Link-Local Unicast     FE80::/10               One to one within layer-2 domain
Unique Local Unicast   FC00::/7 and FD00::/7   One to one, not globally routable
Multicast              FF00::/8                One to many
Anycast                Choose from Unicast     One to nearest

No broadcast: IPv6 relies heavily on multicast.

IPv6 Address Allocations

From Global Unicast 2000::/3 range.

Prefix Size   Allocations
/12           Regional Internet Registry allocations from IANA/ICANN
/20           Local Internet Registry extra large allocations
/24           Local Internet Registry large allocations
/28           Local Internet Registry medium allocations
/32           Local Internet Registry minimum allocations
/48           Default end sites assignment
/64           Single End-user LAN (default prefix size for SLAAC)

Common IPv6 Multicast Addresses

Address    Description              Usage
FF02::1    All IPv6 nodes address   Similar to broadcast
FF02::2    All routers address      Communicate with all routers
FF02::5    OSPF                     Similar to 224.0.0.5 for OSPFv2
FF02::6    OSPF DRs                 Similar to 224.0.0.6 for OSPFv2
FF02::9    RIP Routers              Similar to 224.0.0.9 for RIPv2
FF02::A    EIGRP Routers            Similar to 224.0.0.10 for OSPFv2

FF02:0:0:0:0:1:FF00::/104 appended w/ last 24 bits of MAC address
  Description: Solicited Node Multicast
  Usage: Duplicate Address Detection, Neighbour Discovery (like ARP)

Interface ID (Host bits)

- 64 bits are required
- Can be assigned in the following ways:
  - Manually
  - DHCP
  - Automatic self-configuration
    - EUI-64 (IEEE standard for 64-bit MAC address)
    - Modified EUI-64 (IEEE standard for 64-bit MAC derived from older 48-bit MAC)
    - Pseudo-random number
      - Depends on OS
      - Often used for privacy

Modified EUI-64

Modified EUI-64 is derived from the 48-bit MAC address:

1. Insert FF:FE in the middle
2. Complement (invert) the 7th bit

E.g. 00:0C:29:0C:47:D5 (MAC address)

00:0C:29:FF:FE:0C:47:D5 (after step 1)

02:0C:29:FF:FE:0C:47:D5 (after step 2)

Resulting address layout:
Network: 64 bits
Host (Interface) ID: 020C:29FF:FE0C:47D5

Stateless Address Auto Configuration (SLAAC)

- Automatic self-assignment of IPv6 unicast addresses
- No manual configuration of hosts or routers needed
- No DHCP servers needed
- For network bits:
  - Assign Link-local Prefix: FE80::/64
  - Assign Global Prefix: Learned from Router Advertisement
- For host bits:
  - Use EUI-64 or random bits (privacy)

Duplicate Address Detection (DAD)

Host interfaces:

1. -

2. Send a Neighbor Solicitation (NS)
   Src: :: (unspecified)
   Dst: Solicited-Node multicast address
        FF02:0:0:0:0:1:FF00::/104 w/ last 24 bits of wanted address

3. -
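Added example, not part of the original slides: the Modified EUI-64 steps, the resulting SLAAC address and the solicited-node multicast address used by DAD, worked in Python on the slide's MAC address 00:0C:29:0C:47:D5. It also reverses the mapping, which shows why an EUI-64 interface ID carries the hardware address onto every network the host joins and why the random (privacy) option exists. Function names are illustrative.

```python
import ipaddress

def modified_eui64(mac):
    """48-bit MAC -> 64-bit interface ID: insert FF:FE, invert the 7th bit."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]

def slaac_address(prefix, mac):
    """Combine a /64 prefix (network bits) with the interface ID (host bits)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC expects a /64 prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def solicited_node(addr):
    """FF02:0:0:0:0:1:FF00::/104 plus the last 24 bits of the wanted address."""
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(base | low24)

def mac_from_address(addr):
    """Recover the MAC from an EUI-64 style address, or None if it is not one."""
    iid = (int(ipaddress.IPv6Address(addr)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None  # manual, DHCP or pseudo-random interface ID
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{x:02X}" for x in mac)

def dad_probe(prefix, mac):
    """Source and destination of the Neighbor Solicitation a host sends for DAD."""
    wanted = slaac_address(prefix, mac)
    return {"src": "::", "dst": str(solicited_node(wanted)), "target": str(wanted)}
```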


Neighbour Discovery Protocol (NDP)

NDP defines the following five ICMPv6 packet types and their purposes:

- Router Solicitation (RS) - used by hosts to locate routers
- Router Advertisement (RA) - used by routers to advertise their presence
- Redirect - used by routers to inform hosts of a better first hop for a destination
- Neighbor Solicitation (NS) - used by nodes to determine the link-layer address of a neighbor
- Neighbor Advertisement (NA) - used by nodes to respond to a Neighbor Solicitation message

Once again, ICMPv6 is fundamentally important!

IPv6 Interfaces

Common to have sets of IPv6 addresses
- Loopback (::1)
- Link Local (fe80::/64 address)
- Global Unicast (2xxxx::/64 address)
- Temporary (randomized for privacy)
  - Windows Vista or later
  - Mac OSX Lion or later
  - distros

Join multiple multicast groups
- All Nodes
- Solicited Node Multicast

IPv6 Routing

IGP
- RIPng
- IS-IS
- OSPFv3
- EIGRP for IPv6

EGP
- MP-BGP

IPv6 Deployment Options

Native:
- IPv6 Only
- Dual Stack (both IPv4 and IPv6)

Proxy:
- Proxy and Translation

Tunneling:
- 6to4
- Teredo
- ISATAP

Suggestions:
- Use a phased approach
- Prepare to support both IPv6 and IPv4 simultaneously
- Start at perimeter and move towards center of network
- Prioritize public facing services such as web and email (business priority)
- Embed IPv6 requirements for equipment/software refresh cycles
- Develop IPv6 architecture standards and technical requirements
- Establish governance bodies to oversee adoption, including a Steering Committee and a Community of Practice
- Create a change management strategy, including policies, training, and communications

Lab Assignments

Configure your Laptop for IPv6

Dual-Stack Wireless SSID: BCNETv6Demo
Password: IPv6BCNETDemoPassword

Notice the IPv6 Addresses you have assigned (Link-Local, Global Unicast)

Verify by visiting: http://test-ipv6.com

More IPv6 Laptop Config Info: http://goo.gl/ziA5M

Lab Site


Please visit BCNET IPv6 Community Lab site:

https://wiki.bc.net/atl-conf/display/BCNETIPv6LAB/Home

or

http://goo.gl/BjjFi

Lab Login

Router Login Accounts
You can use SSH to log in to your router.
username: v6guru
password: v6demo

Server (VM) Login Accounts
You can use SSH to log in to the servers.
username: v6guru
password: v6demo

If you are using Windows, you can use PuTTY, a free SSH client.

Lab Topology


Lab Assignment #1

Setup Local Routing

1. Assign two /64 subnets out of the assigned netblock (/60) for your group. These /64 subnets are for Net1 and Net2.

2. Configure these two subnets on your router.

3. Stateless address auto configuration for each subnet (Net1 & Net2) (Router Advertisement) should automatically be activated.

4. Verify that your VMs have IPv6 addresses from the ranges you assigned via SLAAC.

Lab Assignment #2

Setup OSPF

1. Configure the IPv6 addresses on the connection towards your two neighbouring routers. IPv6 addresses to be used are in your provided group worksheets. Remember that these are 802.1q tagged links.

2. Configure OSPFv3 on your router; we will use area 0 and no authentication.

3. Configure the NET1 & NET2 interfaces (GigabitEthernet0/0 & GigabitEthernet0/1) as passive OSPF interfaces.

4. Make sure your router establishes adjacencies with both neighbouring routers.

5. Confirm in the routing tables that Net1, Net2 and your uplink prefixes are announced.

6. Disable IPv6 router advertisements on these backbone links between routers.

7. Verify connectivity to your networks and VMs.

Break

1 Hour

Return at 1:00PM

Lab Assignment #3

Setup BGP

1. Configure the IPv6 addresses on the connection towards the BCNET router.

2. Configure BGP on your router and have it peer with BCNET router (AS65527).

3. Announce the prefix assigned to you (aggregated /60 block, not the individual /64's) to BCNET over BGP.

4. Verify if you receive default IPv6 route ::/0 from BCNET.

5. Verify if you can ping6/traceroute6 to www.bc.net.

Lab Assignment #4

Security

Configure an ACL that allows access to your router for:
- snmp (udp 161)
- telnet (tcp 23)
- ssh (tcp 22)

Only from IPv6 source addresses within the /60 prefix assigned to you. Deny all other traffic.

Thank you!

http://www.bc.net | info@bc.net | 604.822.1348