euchinagrid ipv6 tutorial cataniav2 1

Upload: ivano-spina

Post on 30-May-2018


  • 8/14/2019 EUChinaGRID IPv6 Tutorial Cataniav2 1

    1/111

    Gabriella Paolini - GARR IPv6 Tutorial Catania, 06/06/2007

    IPv6 Tutorial
    Catania, 06/06/2007
    Gabriella Paolini

    [email protected]

    GARR


    Why do we need IPv6? (1/2)

    - A bigger address space
      - From 32 bits to 128 bits: a true global connectivity
      - No more hidden networks or hosts
      - All hosts can be reachable (from client-only to server!)
      - End-to-end security systems
    - Autoconfiguration
      - Opportunity to use 64 bits for the host (uniqueness guarantee)
      - "Plug and play"
    - Opportunity to manage:
      - Multihoming in an easy way
      - Renumbering in an easy way


    Why do we need IPv6? (2/2)

    - Efficient and extensible IP header:
      - Fewer fields in the basic header
      - Routing efficiency
      - Performance
      - Header extensibility
      - Better options management
      - No more packet fragmentation by routers in transit
    - Real implementation of:
      - Security
      - Mobility
      - Multicast (replaces broadcast)
        - More efficient use of the network


    IPv4 Header (1/3)

    20 bytes without the options field.

    Header layout, one row per 4 bytes:

      Ver | IHL | TOS | Total length
      Identification | Flag | Fragment offset
      TTL | Protocol | Checksum
      32-bit Source Address
      32-bit Destination Address
      IP Options | Padding

    [Figure: the fields that are no longer included in IPv6 are highlighted in yellow.]


    IPv4 Header (2/3)

    - Version. 4 bits.
      IP header format: 4 = IP, Internet Protocol.
    - IHL, Internet Header Length. 4 bits.
      Packet header length in 32-bit groups. Minimum value is 5.
    - TOS, Type of Service. 8 bits.
      Type of service required. Defines how the packet is handled during its transport.
    - Total length. 16 bits.
      Total packet length.
    - Identification. 16 bits.
      Identifies the packet fragments during fragmentation.
    - Flags. 3 bits.
      Control packet fragmentation.
    - Fragment Offset. 13 bits.
      Orders the fragments when the packet is rebuilt.


    IPv4 Header (3/3)

    - TTL, Time to Live. 8 bits.
      Tracks the packet's time to live.
    - Protocol. 8 bits.
      Next protocol used at the higher level.
    - Header checksum. 16 bits.
      IP header checksum, options included.
    - Source IP address. 32 bits.
    - Destination IP address. 32 bits.
    - Options. Variable length.
    - Padding. Variable length.
      Used to align the packet header to a 32-bit boundary.


    IPv6 Header (1/3)

    40 bytes without extension headers.

      Ver | Traffic Class | Flow Label
      Payload Length | Next Header | Hop Limit
      128-bit Source Address
      128-bit Destination Address

    [Figure: the fields that are already present in IPv4 are highlighted in yellow.]


    IPv6 Header (2/3)

    - Version. 4 bits.
      6 = IPv6.
    - Traffic Class. 8 bits.
      Identifies packet priority (IPv4 TOS).
    - Flow Label. 20 bits.
      Identifies a flow. Mobile IPv6.
    - Payload Length. 16 bits.
      Length of the data in the packet.
      Max size 64 KB. For packets bigger than 64 KB, use the Jumbo Payload option.


    IPv6 Header (3/3)

    - Next Header. 8 bits.
      Next header value. If it is a higher-level protocol, the value is the same as in IPv4.
      Also used to identify an extension header.
    - Hop Limit. 8 bits.
      Replaces the IPv4 TTL.
    - Source address. 16 bytes.
      Source IPv6 address.
    - Destination address. 16 bytes.
      Destination IPv6 address.


    Extension Headers (1/6)

    - A new method for implementing options
    - Placed after the IPv6 header

      [IPv6 Header, Next Header = TCP] [TCP Header] [Data]

      [IPv6 Header, Next Header = Routing] [Routing Header, Next Header = TCP] [TCP Header] [Data]

      [IPv6 Header, Next Header = Routing] [Routing Header, Next Header = ESP] [ESP Header, Next Header = TCP] [TCP Header] [Data]


    Extension Headers (2/6)

      00 = Hop-by-Hop Options
      43 = Routing
      44 = Fragment
      51 = Authentication
      60 = Destination Options
      50 = Encapsulating Security Payload
      xx = Higher-level protocols, as in IPv4
      58 = Internet Control Message Protocol (ICMPv6)
      59 = No next header


    Extension Headers (3/6)

    - Hop-by-hop options (00)
      - The information is processed by every node along the packet's path.
      - Some options: Router Alert, Jumbo Payload
    - Routing (43)
      - Like the IPv4 Loose Source Route option
      - Specifies a list of routers to pass through
      - Mobile IPv6 & multihoming
      - Header processed only by the routers in the list


    Extension Headers (4/6)

    - Fragment (44)
      - Used only by hosts (not by routers!)
      - Minimum MTU of 1280 bytes (68 bytes in IPv4)
      - Links without this capacity have to manage fragmentation at the data-link level
    - Destination Options (60)
      - Used to transport optional information (processed only by the destination host)
      - In the daisy chain:
        - Before the Routing header
        - Or at the end of the daisy chain
      - Used for Mobile IPv6 with the Routing header


    Extension Headers (5/6)

    - Security is embedded in IPv6: IPsec is native in IPv6
    - Authentication Header (51)
      - Manages authentication: verifies the source address and the integrity of the packet along the path
    - Encapsulating Security Payload (50)
      - Only the destination host is able to open the packet
    - As in IPv4, there are two modes: transport or tunnel


    Extension Headers (6/6)

    An example:

      IPv6
      Hop by hop
      Destination
      Routing
      Fragmentation
      Authentication
      Security
      Destination
      Upper Layer
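Added example, not part of the original slides: a parser that follows the Next Header chain described on the extension header slides to locate the upper-layer protocol, which is what a filter or IDS must do before it can apply a port-based rule. The sample packet, the function names and the MAX_EXT_HEADERS policy limit are assumptions made for this illustration.

```python
import ipaddress
import struct

# Next Header values from the tutorial's table; TCP (6) is an upper-layer
# protocol number shared with IPv4.
HOP_BY_HOP, TCP, ROUTING, FRAGMENT = 0, 6, 43, 44
ESP, AUTH, ICMPV6, NO_NEXT, DEST_OPTS = 50, 51, 58, 59, 60
EXTENSION = {HOP_BY_HOP: "Hop-by-Hop", ROUTING: "Routing", FRAGMENT: "Fragment",
             AUTH: "Authentication", DEST_OPTS: "Destination Options"}
MAX_EXT_HEADERS = 8  # assumption: a local policy limit, not a protocol constant


def parse_fixed_header(packet):
    """Decode the 40-byte fixed IPv6 header."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    word, payload_length, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    if word >> 28 != 6:
        raise ValueError("version field is not 6")
    return {"traffic_class": (word >> 20) & 0xFF, "flow_label": word & 0xFFFFF,
            "payload_length": payload_length, "next_header": next_header,
            "hop_limit": hop_limit,
            "src": ipaddress.IPv6Address(packet[8:24]),
            "dst": ipaddress.IPv6Address(packet[24:40])}


def walk_chain(packet):
    """Follow the Next Header fields.

    Returns (extension header names, final Next Header value, offset of the
    upper-layer header). The offset is None when the upper layer cannot be
    read here: a non-first fragment, ESP (encrypted) or No Next Header.
    """
    next_header = parse_fixed_header(packet)["next_header"]
    offset, chain = 40, []
    while next_header in EXTENSION:
        if len(chain) >= MAX_EXT_HEADERS:
            raise ValueError("extension header chain too long")
        if next_header == HOP_BY_HOP and chain:
            raise ValueError("Hop-by-Hop Options must come first")
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        following, length_field = packet[offset], packet[offset + 1]
        if next_header == FRAGMENT:
            size = 8                                  # fixed size
        elif next_header == AUTH:
            size = (length_field + 2) * 4             # AH counts 32-bit words
        else:
            size = (length_field + 1) * 8             # others count 8-byte units
        if offset + size > len(packet):
            raise ValueError("extension header runs past the packet")
        chain.append(EXTENSION[next_header])
        if next_header == FRAGMENT:
            fragment_offset = struct.unpack("!H", packet[offset + 2:offset + 4])[0] >> 3
            if fragment_offset:                       # upper layer is in the first fragment
                return chain, following, None
        offset += size
        next_header = following
    if next_header in (ESP, NO_NEXT):
        return chain, next_header, None
    return chain, next_header, offset


def sample_packet():
    """Constructed sample: IPv6 | Hop-by-Hop | Routing | TCP."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    hop_by_hop = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])   # one PadN option
    routing = bytes([TCP, 2, 2, 0]) + bytes(4) + dst     # type 2, 24 bytes
    payload = hop_by_hop + routing + bytes(20)           # zeroed TCP header stand-in
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), HOP_BY_HOP, 64)
    return fixed + src + dst + payload


if __name__ == "__main__":
    print(walk_chain(sample_packet()))
```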


    Addresses

    - IPv4 = 32 bits
    - IPv6 = 128 bits
      - 4 times the number of bits!
      - ~3.4 * 10^38 usable hosts (theoretical max)
      - 10^30 addresses for each person in the world


    IPv6 Address Format (2/2)

    - Consecutive fields containing only zeros are represented by a :: (double colon), but only once in an address.
      E.g.: 2001:0:1234::D0:ABCD:532
    - This notation is not valid:
      2001::1234::C1C0:ABCD:876
    - This notation is valid:
      2001:760:2:0:0:0:0:0 => 2001:760:2::
      FF02:0:0:0:0:0:0:1 => FF02::1
      0:0:0:0:0:0:0:1 => ::1
      0:0:0:0:0:0:0:0 => ::


    IPv6 address in a URL

    - In a URL, IPv6 addresses have to be written between square brackets.
      http://[2001:1:4F3A::206:AE14]:8888/index.html
    - Software that uses URLs (browsers, etc.) has been modified to be IPv6 compliant, but:
      - Uncomfortable for users
      - Used only for diagnostics
    - More useful with a domain name.


    Type of Addresses

    IPv6 divides addresses into:

    - Unicast: node addresses
    - Multicast: addresses of groups of nodes
    - Anycast: service addresses


    IPv6 addresses architecture (1/2)

    Calculated on the first 16 bits,
    e.g. 2000-3FFF --> 0010 0000 0000 0000 - 0011 1111 1111 1111


    IPv6 addresses architecture (2/2)


    Unicast Addresses

    - Unspecified
    - Loopback
    - IPv4 Compatible
    - IPv4 Mapped
    - Scoped Addresses:
      - Link-local
      - Site-local
    - Aggregatable Global Addresses


    Unspecified

    - 0:0:0:0:0:0:0:0 or simply ::
    - It is used to specify the absence of an address
    - It can be used in the initial DHCP request to obtain an address
    - Duplicate Address Detection (DAD)
    - Like 0.0.0.0 in IPv4
    - ::/0 is the default route


    Loopback

    - 0:0:0:0:0:0:0:1 or simply ::1
    - Identifies the node itself
    - Like 127.0.0.1 in IPv4 (localhost)
    - To test whether the IPv6 stack is working: ping6 ::1


    IPv4 compatible

    - Used to insert IPv4 addresses in IPv6 addresses
    - The first 96 bits are equal to zero, the other 32 bits specify the IPv4 address
      0:0:0:0:0:0:192.168.0.1
      ::192.168.0.1
      ::C0A8:1E01
    - Used for IPv4-IPv6 transition


    IPv4 mapped

    - They make it possible to define IPv6 addresses for nodes that support only IPv4
    - The first 80 bits are equal to zero, the next 16 bits are equal to 1 (FFFF), and the last 32 bits specify the IPv4 address
      0:0:0:0:0:FFFF:192.168.0.1
      ::FFFF:192.168.0.1
      ::FFFF:C0A8:1E01
    - Used for IPv4-IPv6 transition


    Subnet Prefix and Host Identifier

    - IPv6 unicast addresses are divided into two parts:
      - Subnet Prefix (first 64 bits)
      - Host Identifier (last 64 bits)
    - The host can be identified:
      - Manually.
      - Using the Interface ID (MAC address): the MAC address (or EUI-48/64) is recalculated and used as the host identifier in the IPv6 address.

      XXXX:XXXX:XXXX:XXXX       XXXX:XXXX:XXXX:XXXX
      Subnet Prefix (64 bits)   Host Identifier (64 bits)


    EUI-64 format

    - The Interface ID:
      - Uniquely identifies an interface
      - Has to be unique on a link
      - Can be obtained starting from the EUI-64 identifier.
    - The EUI-64 identifier is built on the same basis as the MAC address (it is an evolution of it)
      - It identifies the manufacturer and the serial number of an input/output interface using 64 bits
    - There is a procedure to move from an EUI-48 ID (MAC address) to an EUI-64 ID


    Interface ID from MAC address

    - From the MAC address (EUI-48 ID), insert the sequence FF-FE after the first 24 bits.

      IEEE 802 Address (24 bits + 24 bits):
        cccccc00 cccccccc cccccccc | xxxxxxxx xxxxxxxx xxxxxxxx

      EUI-64 Address (0xFF 0xFE inserted):
        cccccc00 cccccccc cccccccc 11111111 11111110 xxxxxxxx xxxxxxxx xxxxxxxx

      Interface ID:
        cccccc1c cccccccc cccccccc 11111111 11111110 xxxxxxxx xxxxxxxx xxxxxxxx

      MAC Address:          00-AA-00-3F-2A-1C
      EUI-64 Address:       00-AA-00-FF-FE-3F-2A-1C
      U/L complementation:  02-AA-00-FF-FE-3F-2A-1C
      In IPv6 notation:     02AA:00FF:FE3F:2A1C


    Link and Site

    - By link we mean a single physical network, like a LAN or a point-to-point connection. Nodes on the same link are called neighbors.
    - A site is a group of links managed by a single authority (e.g. a university campus)


    Link-local (1/2)

    - It is a scoped address (new with IPv6)
      - Scope = local link (i.e. LAN, VLAN)
      - It can be used only between nodes on the same link
      - No routing
    - Automatically configured for each interface
      - Good for starting communication
      - Uses the interface identifier
    - Format: FE80:0:0:0:

      1111111010 | 0       | interface ID
      10 bits    | 54 bits | 64 bits
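Added example, not part of the original slides: the EUI-48 to interface ID procedure and the FE80 link-local format, plus the reverse step an analyst uses to recover the hardware address from an EUI-64 based address seen in a log. The function names are assumptions made for this illustration; the MAC and address values in the test are the ones shown on the tutorial's slides.

```python
import ipaddress


def interface_id_from_mac(mac):
    """Modified EUI-64 interface ID (8 bytes) from an EUI-48 MAC address."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]     # insert FF-FE after 24 bits
    return bytes([eui64[0] ^ 0x02]) + eui64[1:]       # U/L complementation


def ipv6_notation(interface_id):
    """Write the 8 bytes as four 16-bit groups, as on the slide."""
    return ":".join(interface_id[i:i + 2].hex().upper() for i in range(0, 8, 2))


def link_local_from_mac(mac):
    """FE80:0:0:0 prefix followed by the 64-bit interface ID."""
    interface_id = int.from_bytes(interface_id_from_mac(mac), "big")
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("fe80::")) | interface_id)


def mac_from_address(address):
    """Recover the MAC address embedded in an EUI-64 based address.

    Returns None when the interface ID does not carry the FF-FE marker,
    for instance a manually assigned identifier.
    """
    interface_id = ipaddress.IPv6Address(address).packed[8:]
    if interface_id[3:5] != b"\xff\xfe":
        return None
    octets = bytes([interface_id[0] ^ 0x02]) + interface_id[1:3] + interface_id[5:]
    return ":".join(f"{octet:02x}" for octet in octets)


if __name__ == "__main__":
    print(ipv6_notation(interface_id_from_mac("00-AA-00-3F-2A-1C")))
    print(link_local_from_mac("00:10:B5:DA:59:B8"))
    print(mac_from_address("fe80::250:56ff:fea3:1"))
```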


    Link-local (2/2)


    Site-local (2/3)

    - Used for an address plan covering a whole site
    - Examples:
      - Numbering a site before it is connected to the Internet.
      - Private addressing (e.g. local printers)
    - Format: FEC0:0:0::
    - Subnet ID = 16 bits = 64K subnets

      1111111011 | 0       | subnet ID | interface ID
      10 bits    | 38 bits | 16 bits   | 64 bits


    Site-local (2/3)


    Aggregatable Global IPv6 Addresses

    [Figure: allocation hierarchy. Labels: TLA Registry, Sub-TLA Registry, NLA Registry, SLA Registry, End-User (LAN).]

      IANA: 2000::/3
      /23: Regional Registries (RIR): ARIN, RIPE NCC, APNIC
      /32: Local Internet Registries: GARR
      /48: Site: CASPUR, Roma Tre
      /64: Link


    Multicast (1/3)

    - Multicast = one to many
    - No broadcast in IPv6. Multicast is used instead of broadcast, above all on local links.
    - Scoped addresses: the scope replaces the IPv4 TTL


    Multicast (2/3)

    - Format: FF::
      - Identified by FP 11111111 (= FF)
      - Flag = 0 permanent / 1 temporary
      - Scope: node (1), link (2), site (5), organization (8), global (E)
      - Group ID: identifies a multicast group in a specific scope.

      1111 1111 | Flag   | Scope  | Group ID
      8 bits    | 4 bits | 4 bits | 112 bits


    Multicast (3/3)

    For example, considering the Group ID All-Nodes (1):

    - The address FF01::1 affects all the interfaces on the same node
    - The address FF02::1 affects all the interfaces on the same link
    - The address FF05::1 affects all the interfaces on the same site
    - The address FF0E::1 affects all the interfaces in the Internet


    Multicast addresses

    Some reserved multicast addresses:

      ADDRESS             SCOPE  TYPE
      FF01::1             Node   All Nodes
      FF02::1             Link   All Nodes
      FF01::2             Node   All Routers
      FF02::2             Link   All Routers
      FF05::2             Site   All Routers
      FF02::1:FFXX:XXXX   Link   Solicited-Node
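Added example, not part of the original slides: a classifier that applies the bit prefixes from the unicast and multicast slides to an address (useful when triaging addresses in logs or writing filter rules), and a function that derives the solicited-node group FF02::1:FFXX:XXXX from a unicast address. The function names and result labels are assumptions made for this illustration.

```python
import ipaddress

# Scope values from the tutorial's multicast format slide.
SCOPES = {0x1: "node", 0x2: "link", 0x5: "site", 0x8: "organization", 0xE: "global"}


def classify(text):
    """Name the address type using the bit prefixes given in the tutorial."""
    value = int(ipaddress.IPv6Address(text))
    if value == 0:
        return "unspecified"
    if value == 1:
        return "loopback"
    if value >> 32 == 0xFFFF:                       # 80 zero bits, then FFFF
        return "IPv4-mapped " + str(ipaddress.IPv4Address(value & 0xFFFFFFFF))
    if value >> 32 == 0:                            # 96 zero bits
        return "IPv4-compatible " + str(ipaddress.IPv4Address(value))
    if value >> 118 == 0b1111111010:                # FE80::/10
        return "link-local"
    if value >> 118 == 0b1111111011:                # FEC0::/10
        return "site-local"
    if value >> 120 == 0xFF:                        # FP 11111111
        flag = (value >> 116) & 0xF
        scope = (value >> 112) & 0xF
        lifetime = "temporary" if flag & 0x1 else "permanent"
        return f"multicast {lifetime} {SCOPES.get(scope, 'scope 0x%X' % scope)}"
    if value >> 125 == 0b001:                       # 2000::/3
        return "global unicast"
    return "unassigned or reserved"


def solicited_node(text):
    """FF02::1:FFXX:XXXX built from the low 24 bits of a unicast/anycast address."""
    low24 = int(ipaddress.IPv6Address(text)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


if __name__ == "__main__":
    for sample in ("::", "::1", "::FFFF:192.168.0.1", "FF02::1", "FF0E::1",
                   "fe80::210:b5ff:feda:59b8", "FEC0::1", "2001:760:ffff::126"):
        print(sample, "->", classify(sample))
    print(solicited_node("fe80::250:56ff:fea3:1"))
```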


    Anycast

    - One-to-any
    - Anycast addresses are not distinguishable from unicast addresses
      - They are unicast addresses assigned to a group of interfaces (usually on different nodes)
    - They help to find the server closest to the source.
    - Some anycast addresses are reserved for specific uses:
      - Router subnet
      - Mobile IPv6 home-agent discovery


    Addresses for each host

    Each IPv6 host has to recognize these addresses as its own:

    - One link-local address for each interface
    - Assigned unicast/anycast addresses (manually or automatically)
    - Loopback address
    - All-Nodes group multicast address
    - Solicited-node multicast addresses for each assigned unicast/anycast address
    - All the other multicast addresses for each group it joins


    How to select an address

    - One node can use different network connections
      - It is possible to have several IPv6 addresses assigned to the same interface (more than one global address)
    - For each flow, the node has to select a source and a destination address.
    - The choice is made following these rules:
      - Use the right scope for the destination (global, site, local)
      - Use the address most similar to the destination (IPv4, IPv6)
    - The selection algorithm can be overridden by the stack or the application.


    DNS

    - The use of IPv6 does not change the basic mechanism of the Domain Name System
    - These new records are introduced to manage IPv6 addresses:
      - A new resource record to associate an IPv6 address with a name
      - A new domain for reverse resolution of IPv6 addresses.


    A name for an IPv6 address

    - AAAA record
      - Defines the mapping between a domain name and an IPv6 address
      - Like the A record in IPv4
    - Supported in BIND from version 4.9.5.


    An IPv6 address for a name

    - PTR record
      - Defines the mapping between an IPv6 address and a domain name
      - The same record used in IPv4
    - A new top-level domain is used for IPv6: from ip6.int to ip6.arpa
      - Divided every 4 bits. In IPv4 the division is classful. Easier to delegate.


    BIND configuration

    AAAA record

      ; names end with a dot so that BIND treats them as fully qualified
      $ORIGIN 6net.garr.it.
      www IN AAAA 3ffe:b00:c18:1:290:27ff:fe17:fc1d

    PTR record (ip6.arpa)

      $ORIGIN 1.0.0.0.8.1.c.0.0.0.b.0.e.f.f.3.ip6.arpa.
      d.1.c.f.7.1.e.f.f.f.7.2.0.9.2.0 IN PTR www.6net.garr.it.
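Added example, not part of the original slides: how the ip6.arpa zone name and the PTR owner name in the BIND example are derived from the AAAA address by reversing its 4-bit digits, and a check that a reverse record points back to the forward address (a mismatch between the two is a common zone maintenance error). The function names are assumptions made for this illustration; names are written fully qualified, with a trailing dot.

```python
import ipaddress


def reverse_split(address, prefix_length):
    """Return (reverse zone, PTR owner) for an address in a zone cut at prefix_length bits."""
    if prefix_length % 4 or not 0 < prefix_length < 128:
        raise ValueError("ip6.arpa zones are cut on 4-bit boundaries")
    digits = ipaddress.IPv6Address(address).exploded.replace(":", "")
    reversed_digits = digits[::-1]                 # least significant digit first
    host_digits = (128 - prefix_length) // 4
    owner = ".".join(reversed_digits[:host_digits])
    zone = ".".join(reversed_digits[host_digits:]) + ".ip6.arpa."
    return zone, owner


def address_from_reverse(owner, zone):
    """Rebuild the IPv6 address encoded in a PTR owner name plus its zone."""
    name = (owner + "." + zone).lower().rstrip(".")
    suffix = ".ip6.arpa"
    if not name.endswith(suffix):
        raise ValueError("not an ip6.arpa name")
    digits = name[:-len(suffix)].split(".")
    if len(digits) != 32 or any(len(d) != 1 or d not in "0123456789abcdef" for d in digits):
        raise ValueError("expected 32 single hex digits")
    return ipaddress.IPv6Address(int("".join(reversed(digits)), 16))


def forward_matches_reverse(aaaa_address, owner, zone):
    """True when the PTR owner name encodes the same address as the AAAA record."""
    return ipaddress.IPv6Address(aaaa_address) == address_from_reverse(owner, zone)


if __name__ == "__main__":
    zone, owner = reverse_split("3ffe:b00:c18:1:290:27ff:fe17:fc1d", 64)
    print("$ORIGIN", zone)
    print(owner, "IN PTR www.6net.garr.it.")
```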


    ICMPv6 protocol

    - It is the IPv6 version of ICMP, with the same basic features
      - Error discovery, control, debugging
    - It adds new functionality
      - Neighbor discovery
        - Neighbor Solicitation, Unreachability, Autoconfiguration
      - Multicast group management
    - It has the same functionality as the ICMP, ARP and IGMP protocols for IPv4.


    ICMPv6: Message type

    - Two classes of messages:
      - Types 0 to 127: Error Messages
      - Types 128 to 255: Informational Messages
    - The most common error messages are:
      - Destination Unreachable (1)
      - Packet Too Big (2)
      - Time Exceeded (3)
      - Parameter Problem (4)


    Path MTU Discovery (1/2)

    - IPv6 fragmentation management is end-to-end
      - Routers don't fragment packets
      - The fragmentation process is managed by the host
    - The host uses Path MTU Discovery to learn the maximum MTU available on the link.
      - Based on ICMPv6 Packet Too Big messages
      - A router creates a Packet Too Big message when the MTU used is too large for the path
      - The message specifies the new MTU in the data field.


    Path MTU Discovery (1/2)

    - How Path MTU Discovery works:
      - The host sends the first packet with the same size as the MTU of its link
      - If a Packet Too Big message is received, the host sends another message with the new MTU
      - The host repeats the process until no error is found
    - The host sends packets periodically, to check whether the path has changed
    - Minimum MTU for IPv6 is 1280 bytes
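Added example, not part of the original slides: a simulation of the Path MTU Discovery loop described above, including the sanity checks a host applies to a Packet Too Big message before trusting the MTU it reports. The path model and function names are assumptions made for this illustration; the two rejection rules (never go below 1280, never raise the estimate from a Packet Too Big) follow RFC 8201, which the slides do not cite.

```python
IPV6_MIN_MTU = 1280      # minimum MTU for IPv6, as stated on the slide
PACKET_TOO_BIG = 2       # ICMPv6 error type from the tutorial's list


def forward(path_mtus, size):
    """Constructed path model: the first hop whose MTU is too small answers
    with a Packet Too Big message; None means the packet was delivered."""
    for hop, mtu in enumerate(path_mtus):
        if size > mtu:
            return {"type": PACKET_TOO_BIG, "mtu": mtu, "hop": hop}
    return None


def update_pmtu(current, message):
    """Apply one ICMPv6 message to the current path MTU estimate."""
    if message["type"] >= 128:            # informational message, not an error
        return current
    if message["type"] != PACKET_TOO_BIG:
        return current
    reported = message["mtu"]
    if reported < IPV6_MIN_MTU:           # below the IPv6 minimum: discard
        return current
    if reported >= current:               # a Packet Too Big never raises the estimate
        return current
    return reported


def discover(link_mtu, path_mtus, max_probes=8):
    """Return (path MTU, list of packet sizes tried)."""
    pmtu, probes = link_mtu, []
    for _ in range(max_probes):
        probes.append(pmtu)
        reply = forward(path_mtus, pmtu)
        if reply is None:
            return pmtu, probes
        updated = update_pmtu(pmtu, reply)
        if updated == pmtu:
            raise RuntimeError("Packet Too Big rejected; path unusable at this size")
        pmtu = updated
    raise RuntimeError("no usable path MTU found")


if __name__ == "__main__":
    print(discover(1500, [1500, 1400, 1300]))
    print(update_pmtu(1500, {"type": PACKET_TOO_BIG, "mtu": 500}))
```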


    Neighbor Discovery

    - Uses ICMPv6
    - Manages the control information within a link
      - Address resolution
        - Neighbor Solicitation and Neighbor Advertisement
      - Neighbor Unreachability Detection
      - Autoconfiguration
        - Router Solicitation and Router Advertisement
      - Redirect
    - Messages cannot be sent outside the link
      - Valid messages have Hop Limit = 255


    Stateless Autoconfiguration

    - Allows IPv6 hosts to connect to the network without manual configuration
      - No need to use DHCP
      - Uses a specific multicast group
      - Addresses are based on the Interface ID
    - On the link, hosts can communicate with each other using link-local addresses
    - Unlike with DHCP, the DNS must be configured manually


    Stateful Configuration

    - Addresses and other network parameters (e.g. DNS) can be configured manually:
      - Entirely manual configuration
      - DHCPv6


    Configuration Basics

    Linux


    Configuration Basics Linux (1/3)

    - IPv6 support is available since Linux kernel release 2.4.
    - The current support does not implement all RFC features
    - A patch (USAGI patch) is available to provide all extensions to the kernel.
    - Further information:
      - USAGI Project: http://www.linux-ipv6.org/


    Configuration Basics Linux (2/3)

    - If IPv6 support is available in our kernel, the file

        /proc/net/if_inet6

      must be present. If not, we can try to load the IPv6 kernel module,

        # modprobe ipv6

      and then test it again.
    - If the module is not available we must rebuild our kernel.


    Configuration Basics Linux (3/3)

    - Resources:
      - Kernel documentation
      - Linux Kernel HOWTO (http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html).


    Interface Configuration Linux (1/2)

    The configuration syntax for IPv6 is similar to IPv4. In the following examples, we will use ifconfig.

    Add an IPv6 address to an interface

      # /sbin/ifconfig <interface> inet6 add <ipv6address>/<prefixlength>
      # /sbin/ifconfig eth0 inet6 add 2001:760:ffff::126/64

    Delete an IPv6 address from an interface

      # /sbin/ifconfig <interface> inet6 del <ipv6address>/<prefixlength>
      # /sbin/ifconfig eth0 inet6 del 2001:760:ffff::126/64


    Interface Configuration Linux (2/2)

    Show the interface configuration

      # ifconfig eth0
      eth0  Link encap:Ethernet  HWaddr 00:10:B5:DA:59:B8
            inet addr:193.206.158.126  Bcast:193.206.158.255  Mask:255.255.255.0
            inet6 addr: 2001:760:ffff::126/64 Scope:Global
            inet6 addr: fe80::210:b5ff:feda:59b8/10 Scope:Link
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:6262494 errors:0 dropped:0 overruns:0 frame:0
            TX packets:7971062 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:100
            Interrupt:5 Base address:0xc000

    [Figure callouts: Global unicast address (Scope:Global line); Link local address (Scope:Link line); MAC address in EUI-64 format]


    Routing table Linux (1/2)

    As for IPv4, we can operate on the routing table. We will use the route command for these functions.

    Show the routing table

      # route --inet6
      Kernel IPv6 routing table
      Destination                   Next Hop  Flags Metric Ref Use Iface
      ::1/128                       ::        U     0      0   0   lo
      2001:760:ffff::126/128        ::        U     0      0   0   lo
      2001:760:ffff::/64            ::        UA    256    0   0   eth0  ; route for the global address
      fe80::210:b5ff:feda:59b8/128  ::        U     0      0   0   lo
      fe80::250:56ff:fec0:1/128     ::        U     0      0   0   lo
      fe80::250:56ff:fec0:8/128     ::        U     0      0   0   lo
      fe80::/10                     ::        UA    256    0   0   eth0  ; route for the link-local
      ff00::/8                      ::        UA    256    0   0   eth0  ; generic route for multicast
      ::/0                          ::        UDA   256    0   0   eth0  ; automatic default route


    Routing table Linux (2/2)

    Add or delete an entry in the routing table

      # route --inet6 add|del <network>/<prefixlength> gw <gateway> [dev <device>]
      # route --inet6 add|del <network>/<prefixlength> [dev <device>]

      # route --inet6 add default gw 2001:760:ffff::11

      # route --inet6
      Kernel IPv6 routing table
      Destination  Next Hop           Flags Metric Ref Use Iface
      ::/0         2001:760:ffff::11  UG    1      0   0   eth0  ; default route
      ::/0         ::                 UDA   256    0   0   eth0  ; automatic default route


    Host Configuration Fedora Core Linux

    Edit the file /etc/sysconfig/network-scripts/ifcfg-<interface> (ifcfg-eth0 for the first Ethernet interface) and add the following lines:

      IPV6INIT=yes
      IPV6ADDR=<ipv6address>

    Add the following configuration to /etc/sysconfig/network:

      NETWORKING_IPV6=yes
      IPV6_DEFAULTGW=<gateway>

    Restart the network:

      # service network restart


    Host Configuration Generic Linux

    The following configuration should be used if the IPv6 scripts are not available on the operating system.
    Add the following lines to /etc/rc.local (it could be /etc/rc.d/rc.local on many distributions):

      IPV6_ADDRESS=<ipv6address>/<prefixlength>
      IPV6_GW=<gateway>
      /sbin/ifconfig eth0 inet6 add $IPV6_ADDRESS
      /sbin/route --inet6 add default gw $IPV6_GW


    Configuration Basics Microsoft Windows


    Configuration Basics Microsoft Windows (2/2)

    - The Windows IPv6 implementation supports:
      - Autoconfiguration
      - Tunnel
      - Teredo
    - Windows software is IPv6 ready:
      - Internet Explorer.
      - Ping, traceroute and telnet.
      - Firewall


    Configuration Basics Microsoft Windows 2000

    - On Windows 2000 you need to install Service Pack 1, 2 or 3.
    - The installation kit must be modified as follows:
      - Download the IPv6 kit from the URL http://msdn.microsoft.com/downloads/sdks/platform/tpipv6/download.asp
      - Extract the archive content to a temporary folder (e.g. C:\>ipv6kit);
      - From this folder, execute setup.exe -x. A folder called files will be created;
      - Edit the file Hotfix.inf and modify the key NTServicePackVersion:
        - For SP2: NTServicePackVersion=512
        - For SP3: NTServicePackVersion=768
      - Run Hotfix.exe and restart the computer.


    Running IPv6 Microsoft Windows 2000/XP

    We can activate or deactivate the IPv6 stack using the net command.

      net stop tcpip6

    Disables IPv6 support and removes the related kernel module. The net command cannot deactivate IPv6 if an IPv6 socket is in use.

      net start tcpip6

    Loads the IPv6 kernel module (tcpip6.sys) and activates IPv6 support.


    Running IPv6 Microsoft Windows 2000 (1/3)

    The ipv6 command manages the Windows IPv6 stack.
    The following command shows the interface configuration:

      C:>ipv6 if 4
      Interface 4 (site 1):
        uses Neighbor Discovery
        link-level address: 00-50-56-a3-00-01
          preferred address 2001:760::196, infinite/infinite
          preferred address fe80::250:56ff:fea3:1, infinite/infinite
          multicast address ff02::1, 1 refs, not reportable
          multicast address ff02::1:ffa3:1, 1 refs, last reporter
          multicast address ff02::1:ff00:0, 1 refs, last reporter
        link MTU 1500 (true link MTU 1500)
        current hop limit 128
        reachable time 36000ms (base 30000ms)
        retransmission interval 1000ms
        DAD transmits 1


    Running IPv6 Microsoft Windows 2000 (2/3)

    The ipv6.exe command is also used to:

    - Add and delete IPv6 addresses on the network interfaces.
    - View and modify some protocol attributes (router advertisement, forward options etc.)
    - Add or delete an interface
    - Show and manage the routing table


    Running IPv6 Microsoft Windows 2000 (3/3)

      C:\>ipv6
      usage: ipv6 if [ifindex]
             ipv6 ifc ifindex [forwards] [-forwards] [advertises] [-advertises] [mtu #bytes] [site site-identifer]
             ipv6 ifd ifindex
             ipv6 adu ifindex/address [lifetime validlifetime[/preflifetime]] [anycast] [unicast]
             ipv6 nc [ifindex [address]]
             ipv6 ncf [ifindex [address]]
             ipv6 rc [ifindex address]
             ipv6 rcf [ifindex [address]]
             ipv6 bc
             ipv6 rt
             ipv6 rtu prefix ifindex[/address] [lifetime L] [preference P] [publish] [age] [spl SitePrefixLength]
             ipv6 spt
             ipv6 spu prefix ifindex [lifetime L]

    Microsoft Windows XP

    Running IPv6 Microsoft Windows XP (1/3)

    In Windows XP, using the netsh utility instead of ipv6.exe is suggested.

    A complete reference for migrating ipv6.exe commands to netsh is available at the URL:
    http://www.microsoft.com/technet/itsolutions/network/ipv6/ipv62netshtable.mspx

    To install IPv6 support, type the following command in a command window:

        netsh interface ipv6 install

    Running IPv6 Microsoft Windows XP (2/3)

    Show the interface table

        C:\>netsh interface ipv6 show interface
        Idx  Met   MTU    State         Name
        ---  ----  -----  ------------  -----
          6     0   1500  Disconnected  Wireless Network Connection
          5     0   1500  Connected     Local Area Connection
          4     2   1280  Disconnected  Teredo Tunneling Pseudo-Interface
          3     1   1280  Connected     6to4 Pseudo-Interface
          2     1   1280  Connected     Automatic Tunneling Pseudo-Interface
          1     0   1500  Connected     Loopback Pseudo-Interface

    Add the IPv6 address to the Local Area Connection Interface

        C:\>netsh interface ipv6 add address interface=5 address=

    Add the default gateway route through the same interface

        C:\>netsh interface ipv6 add route ::/0 5

    Running IPv6 Microsoft Windows XP (3/3)

    Check the routing table

        C:\>netsh interface ipv6 show route
        Querying active state...

        Publish  Type    Met   Prefix              Idx  Gateway/Interface Name
        -------  -----   ----  ------------------  ---  ---------------------
        no       Manual     0  ::/0                  5  2001:760::11

    Running IPv6 Microsoft Windows Vista (1/3)

    IPv6 is enabled by default!!!
    Includes GUI configuration
    New features:
        Complete IPsec support
        MLD v2
        IPv6 over PPP
        DHCPv6
        Teredo with symmetric NAT support
    Can't be uninstalled
    Can be disabled for a given interface

    Running IPv6 Microsoft Windows Vista (2/3)

    Running IPv6 Microsoft Windows Vista (3/3)

    Running IPv6 Microsoft Windows

    The ping6 command is used to check the IPv6 connectivity

        C:\>ping6 www.kame.net

        Pinging www.kame.net [2001:200:0:8002:203:47ff:fea5:3085]
        from 2001:760::73 with 32 bytes of data:

        Reply from 2001:200:0:8002:203:47ff:fea5:3085: bytes=32 time=310ms
        Reply from 2001:200:0:8002:203:47ff:fea5:3085: bytes=32 time=310ms
        Reply from 2001:200:0:8002:203:47ff:fea5:3085: bytes=32 time=310ms
        Reply from 2001:200:0:8002:203:47ff:fea5:3085: bytes=32 time=310ms

        Ping statistics for 2001:200:0:8002:203:47ff:fea5:3085:
            Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
        Approximate round trip times in milli-seconds:
            Minimum = 310ms, Maximum = 310ms, Average = 310ms


    IPv4-IPv6 transition

    A General Transition Roadmap (1/2)

    Step 1
        Network design
            Define wide and local network segments
            Define special areas (due to requirements and operations): VLANs, DMZs, etc.
            Define management entities and their areas of responsibility
            Network management information flow
        Security requirements:
            For users and applications
            For the network itself (protection of the management information, protection of network devices, security of management procedures)
        Plan the steps to transition to the new protocol. Examine the possibility of deploying transition mechanisms (for communications between IPv6 areas within an IPv4 network and vice versa)

    A General Transition Roadmap (2/2)

    Step 2
        Implementation of a mixed IPv4/IPv6 environment
        Gradual transition of non-critical systems to IPv6
        Allows the evaluation of the operation and stability of the network devices and non-critical systems under IPv6
        Develops the transition procedures
        Disseminates the usage of transition mechanisms (tunnels, gateways, etc.) for communications between exclusive IPv6 areas
    Step 3
        Transition of all systems to IPv6
        Exclusive usage of IPv6 in the network
        Maintaining transition mechanisms for legacy systems and contacts with IPv4 networks

    Transition mechanisms

    Three categories:
        Implemented on the host
            Dual Stack Host
            BIS, BIA, ...
        Implemented on the network layer
            Tunnel
                Manual
                ISATAP, Teredo, ...
            Dual Stack Network
        Based on protocol translators
            SIIT and NAT-PT

    Dual Stack Host (1/2)

    It's easy
    A dual stack node:
        Implements both protocols
        Has IPv4 and IPv6 addresses on the same interface
    IPv4-only applications use IPv4
    For applications that support IPv6:
        DNS resolves both IPv4 and IPv6 addresses
        If the destination has an IPv6 address, the host uses IPv6
        If the destination has only an IPv4 address, the host uses IPv4

    [Figure: dual stack protocol layers. Application; TCP, UDP; IPv4 (EtherType 0x0800) and IPv6 (EtherType 0x86DD); Ethernet]

    Dual Stack Host (2/2)

    Advantages:
        Easy
        No particular support needed
    Limitations:
        Does not reduce the need for IPv4 addresses
        Needs a dual stack network
        Doesn't integrate the IPv6 network with IPv4
        The two networks are completely separate
        It's a compatibility mechanism more than a transition one

    At present almost all IPv6 nodes are dual stack hosts.

    IPv6-in-IPv4 Tunnel (1/3)

    Tunnels are usually used to transport a protocol through a network based on another protocol
    IPv6-in-IPv4 tunnels permit the use of IPv6 without a native IPv6 infrastructure
    IPv6 packets are encapsulated in IPv4 packets by adding an IPv4 header
    The Protocol field in the IPv4 header is 41

    [Figure: an IPv4 header (Ver, IHL, TOS, Length, Identification, F, Fragment Offset, TTL, Protocol, Hdr checksum, Source Address, Destination Address) placed in front of the IPv6 packet (Ver, Class, Flow Label, Length, Next Hdr, Hop Limit, Source Address, Destination Address, Data)]

    IPv6-in-IPv4 Tunnel (2/3)

    On the tunnel ingress interface, IPv6 packets are encapsulated in IPv4 packets
    The resulting IPv4 packets are routed over the IPv4 networks like all other IPv4 packets
    At the tunnel egress interface, packets are decapsulated
    The IPv6 packets are processed as if they had arrived from a native IPv6 network.

    [Figure: Example of IPv6-in-IPv4 tunnel. Legend: IPv4 router, IPv6 router, dual stack router, IPv4 link, IPv6 link, IPv6-over-IPv4 tunnel]

    IPv6-in-IPv4 Tunnel (3/3)

    The end points have to be dual stack nodes
    In the path, the tunnel is only one IPv6 hop
    From the IPv6 point of view, the IPv4 network is something like a layer 2 technology
    The tunnel MTU is reduced by 20 bytes for the IPv4 header
    Tunnels can be:
        Router to router
        Host to router
        Host to host
    Very useful for first experiences with IPv6 and in the first phase of transition
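    Added example (not part of the original slides): the tunnel ingress and egress steps in Python. The ingress prepends a 20-byte IPv4 header with Protocol 41; the egress accepts only protocol 41 packets whose outer addresses match the configured peer. The IPv4 and IPv6 addresses are the ones from the tunnel configuration slides, the sample IPv6 packet is constructed, and the function names are hypothetical.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41      # value of the IPv4 Protocol field for encapsulated IPv6
IPV4_HEADER_LEN = 20   # IPv4 header without options


def checksum(header):
    """Ones'-complement sum over the IPv4 header (RFC 1071)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tunnel_mtu(ipv4_mtu):
    """The IPv6 MTU of the tunnel is the IPv4 MTU minus the outer header."""
    return ipv4_mtu - IPV4_HEADER_LEN


def sample_ipv6_packet():
    """Constructed sample: a bare IPv6 header between the tunnel addresses."""
    src = ipaddress.IPv6Address("2001:760:ffff::10").packed
    dst = ipaddress.IPv6Address("2001:760:ffff::11").packed
    # version 6, class/flow 0 | payload length 0 | Next Header 59 | hop limit 64
    return struct.pack("!IHBB", 6 << 28, 0, 59, 64) + src + dst


def encapsulate(ipv6_packet, local4, remote4, ttl=64):
    """Tunnel ingress: prepend an IPv4 header whose Protocol field is 41."""
    if not ipv6_packet or ipv6_packet[0] >> 4 != 6:
        raise ValueError("payload is not an IPv6 packet")
    src = ipaddress.IPv4Address(local4).packed
    dst = ipaddress.IPv4Address(remote4).packed
    total_len = IPV4_HEADER_LEN + len(ipv6_packet)
    # Ver/IHL, TOS, length, ID, flags (DF), TTL, Protocol, checksum placeholder
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000,
                      ttl, IPPROTO_IPV6, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + ipv6_packet


def decapsulate(ipv4_packet, local4, remote4):
    """Tunnel egress: accept only protocol 41 sent by the configured peer."""
    if len(ipv4_packet) < IPV4_HEADER_LEN or ipv4_packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ipv4_packet[0] & 0x0F) * 4
    if ihl < IPV4_HEADER_LEN or len(ipv4_packet) < ihl:
        raise ValueError("bad IPv4 header length")
    hdr = ipv4_packet[:ihl]
    if checksum(hdr) != 0:
        raise ValueError("bad IPv4 header checksum")
    if hdr[9] != IPPROTO_IPV6:
        raise ValueError("outer Protocol field is not 41")
    src, dst = ipaddress.IPv4Address(hdr[12:16]), ipaddress.IPv4Address(hdr[16:20])
    if (str(src), str(dst)) != (remote4, local4):
        raise ValueError("outer addresses do not match the configured tunnel")
    inner = ipv4_packet[ihl:]
    if not inner or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    return inner
```

    The address check at the egress matters because anything that can send IPv4 to the end point can otherwise inject IPv6 packets into the site through the tunnel.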

    Tunnel Broker (1/2)

    Web service in IPv4
    It helps the host to dynamically create a tunnel with a preconfigured end point.
        A user asks for a tunnel using a web page
        The tunnel broker identifies the user
        The tunnel broker configures a router as tunnel end point and sends the parameters to the user
    For occasional users

    [Figure: Client, Broker and Router, with the IPv4 and IPv6 networks]

    Tunnel Broker (2/2)

    http://www.go6.net/4105/freenet.asp
    http://www.coredumps.org/
    http://www.ngnet.it/i/privati.php (only for Telecom Italia users)
    http://www.fast-labs.net/tb/ (only for Fastweb users)

    Automatic Tunneling Mechanisms

    ISATAP
        Intra-Site Automatic Tunnel Addressing Protocol
        To connect IPv6 nodes and routers over an IPv4-only infrastructure
    Teredo
        Tunneling IPv6 over UDP through NATs
        Encapsulates IPv6 packets in UDP/IPv4 packets instead of IPv4 tunnel packets
        To permit the use of tunnels also behind an IPv4 NAT

    Teredo (1/2)

    Useful for hosts behind NAT
    Encapsulates the IPv6 packets within UDP/IPv4 packets to bypass the problem that NATs in many cases restrict protocol 41 (IP-encapsulated) packets
    The encapsulation takes place at the communicating node itself rather than at a border router (as happens in 6to4)
    The Teredo relay then forwards the packets to the native IPv6 network
    Issues:
        Complex implementation
        Can operate only with specific NAT types
        Limited number of Teredo relays available in the Internet
    Used only if there is no other available solution

    Teredo (2/2)

    [Figure: Teredo tunnel (IPv6 in UDPv4). Clients in private IPv4 networks behind NATs, a Teredo server and a Teredo relay on the public IPv4 network, and the public IPv6 network; steps numbered 1 to 6]

    Teredo address format

    Teredo prefix (32 bits): Teredo IPv6 prefix
    IPv4 @ (32 bits): global address of the server
    Flags (16 bits): Cone or Symmetric NAT
    Port (16 bits): port number to be used with the IPv4 address
    Client IPv4 (32 bits): contains the global address of the NAT
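    Added example (not part of the original slides): a Python decoder for this address layout, for the case where a Teredo address shows up in a log and you need the server and the NAT's public address and port behind it. The 2001::/32 prefix, the field order, the cone flag bit and the bit inversion of the port and client fields follow RFC 4380 and are not stated on the slide; the log lines are constructed and the function names are hypothetical.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")  # RFC 4380 (not on the slide)
FLAG_CONE = 0x8000                                  # RFC 4380 "cone NAT" bit

# Constructed sample log lines (documentation-range IPv4 inside the Teredo address).
SAMPLE_LOG = [
    "2007-06-06 10:15:02 ACCEPT src=2001:0:c000:201:8000:63bf:34ff:8ef8 dst=2001:760::73 dport=80",
    "2007-06-06 10:15:09 ACCEPT src=2001:760::196 dst=2001:760::73 dport=22",
]


class TeredoFields(NamedTuple):
    server: ipaddress.IPv4Address   # "IPv4 @": global address of the server
    cone_nat: bool                  # Flags: True for cone NAT
    port: int                       # UDP port mapped on the NAT
    client: ipaddress.IPv4Address   # "Client IPv4": global address of the NAT


def parse_teredo(text: str) -> Optional[TeredoFields]:
    """Split a Teredo address into its fields; return None if it is not one."""
    try:
        addr = ipaddress.IPv6Address(text)
    except ValueError:
        return None
    if addr not in TEREDO_PREFIX:
        return None
    raw = addr.packed
    flags = int.from_bytes(raw[8:10], "big")
    # Port and client address are stored with every bit inverted (RFC 4380).
    port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
    client = int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF
    return TeredoFields(ipaddress.IPv4Address(raw[4:8]), bool(flags & FLAG_CONE),
                        port, ipaddress.IPv4Address(client))


def teredo_endpoints(lines):
    """Map each Teredo address seen in the log lines to its decoded fields."""
    found = {}
    for line in lines:
        # Candidate tokens: runs of hex digits and colons; non-addresses fail to parse.
        for token in re.findall(r"[0-9A-Fa-f:]+:[0-9A-Fa-f:]+", line):
            fields = parse_teredo(token)
            if fields is not None:
                found[token] = fields
    return found
```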

    Teredo limitations

    Vulnerability to DoS attacks on the relay
    The entity that operates the Teredo relay has little means to control who is using the service
    Some NATs are not supported
    Teredo relays are not deployed!
        Lack of implementation in routers
        Teredo prefix is not advertised in the IPv6 Internet

    Protocol Translators

    It's a method to permit communication between IPv4-only nodes and IPv6-only nodes
    An alternative to Dual Stack nodes
        Dual Stack needs an IPv4 address for each node
    Where?
        All the traffic (IPv4-to-IPv6 and vice versa) runs on the translator node
    Limitations:
        Robustness
        Security
        Accountability
        Traffic

    NAT-PT

    Like NAT in IPv4
    The translator node has a pool of IPv4 addresses that can be assigned to the nodes that ask for one
    The translator maintains an IPv4-IPv6 connections table
    An IPv4 address is represented by an IPv6 address by adding the 32-bit IPv4 address to a 96-bit prefix
    IPv6 maps to a dynamic IPv4 address; IPv4 maps to a deterministic IPv6 address
    Needs a translation mechanism for DNS queries (DNS ALG)
    In a static configuration, it can be used from IPv4 to IPv6.

    NAT-PT : an example (1/4)

    A is an IPv6-only node that wants to connect to the web server www.garr.it, which is using IPv4 only

    [Figure: node A (2001:760:4:f005::2) on the IPv6 network, the NAT-PT and the DNS, and www.garr.it (193.206.158.2) on the IPv4 network]

    NAT-PT : an example (2/4)

    A issues a DNS query for the IPv6 address of www.garr.it
    The DNS ALG of the NAT-PT resolves the query in the following way:
        It does the DNS query for the IPv4 address: 193.206.158.2
        It sends to A an IPv6 address: ::f00f:c1ce:9e02

    [Figure: node A (2001:760:4:f005::2) on the IPv6 network, the NAT-PT and the DNS, and www.garr.it (193.206.158.2) on the IPv4 network]

    NAT-PT : an example (3/4)

    A sends a packet to ::f00f:c1ce:9e02
    NAT-PT processes the request:
        Associates a dynamic IPv4 address from the pool with A: 2001:760:4:f005::2 -> 193.204.161.12
        Maintains the association information in a table
        Sends packets over the IPv4 network to 193.206.158.2 using 193.204.161.12 as source address

    [Figure: node A (2001:760:4:f005::2) on the IPv6 network, the NAT-PT and the DNS, and www.garr.it (193.206.158.2) on the IPv4 network; packet addresses shown: 2001:760:4:f005::2, ::f00f:c1ce:9e02, 193.206.158.2, 193.204.161.12]

    NAT-PT : an example (4/4)

    Reply packets to A are routed to the NAT-PT and translated into IPv6 to be sent to A
    A receives the IPv6 packets with the source address ::f00f:c1cd:8be5

    [Figure: node A (2001:760:4:f005::2) on the IPv6 network, the NAT-PT and the DNS, and www.garr.it (193.206.158.2) on the IPv4 network; packet addresses shown: 2001:760:4:f005::2, ::f00f:c1ce:9e02, 193.206.158.2, 193.204.161.12]
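    Added example (not part of the original slides): a Python model of the NAT-PT state used in the four steps above, covering the DNS ALG answer, the dynamic binding from the IPv4 pool, the reverse translation of a reply, and what happens when the pool runs out. The ::f00f:0:0/96 prefix is inferred from the address ::f00f:c1ce:9e02 on the slides; the class and method names are hypothetical.

```python
import ipaddress


class PoolExhausted(Exception):
    """No free IPv4 address is left for a new IPv6 host."""


class NatPt:
    def __init__(self, prefix, pool, a_records):
        self.prefix = ipaddress.IPv6Network(prefix)
        if self.prefix.prefixlen != 96:
            raise ValueError("the mapping prefix must be 96 bits long")
        self.free = [ipaddress.IPv4Address(a) for a in pool]
        self.a_records = a_records   # name -> IPv4 address, as seen in the IPv4 DNS
        self.table = {}              # IPv6 host -> IPv4 address taken from the pool

    def v4_to_v6(self, addr4):
        """Deterministic direction: 96-bit prefix + 32-bit IPv4 address."""
        low = int(ipaddress.IPv4Address(addr4))
        return ipaddress.IPv6Address(int(self.prefix.network_address) | low)

    def v6_to_v4(self, addr6):
        """Recover the IPv4 destination from a prefix-mapped IPv6 address."""
        addr6 = ipaddress.IPv6Address(addr6)
        if addr6 not in self.prefix:
            raise ValueError("destination is outside the NAT-PT prefix")
        return ipaddress.IPv4Address(int(addr6) & 0xFFFFFFFF)

    def dns_alg(self, name):
        """Answer the IPv6 node's query with the mapped form of the A record."""
        return self.v4_to_v6(self.a_records[name])

    def outbound(self, src6, dst6):
        """IPv6 -> IPv4: return (source, destination) of the translated packet."""
        src6, dst4 = ipaddress.IPv6Address(src6), self.v6_to_v4(dst6)
        if src6 not in self.table:
            if not self.free:
                raise PoolExhausted("IPv4 pool is empty")
            self.table[src6] = self.free.pop(0)   # dynamic binding, kept in the table
        return self.table[src6], dst4

    def inbound(self, src4, dst4):
        """IPv4 -> IPv6 reply: return (source, destination) of the IPv6 packet."""
        dst4 = ipaddress.IPv4Address(dst4)
        for host6, bound4 in self.table.items():
            if bound4 == dst4:
                # The reply's IPv6 source is the prefix-mapped form of src4.
                return self.v4_to_v6(src4), host6
        raise LookupError("no binding for this IPv4 address")


def slide_example():
    """Replay the slides' example with a one-address pool."""
    natpt = NatPt("::f00f:0:0/96", ["193.204.161.12"],
                  {"www.garr.it": "193.206.158.2"})
    answer = natpt.dns_alg("www.garr.it")
    out = natpt.outbound("2001:760:4:f005::2", answer)
    back = natpt.inbound("193.206.158.2", out[0])
    return natpt, answer, out, back
```

    All state lives in the translator's table and pool, which is why the translator is a single point of failure and why a packet from the IPv4 side with no existing binding cannot be delivered.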

    NAT-PT: limitations and advantages

    Advantages:
        Transparent to the nodes
    Limitations:
        The same problems as IPv4 NAT
        Fragility
        Need of DNS ALG
        No direct connectivity

    IPv4-IPv6 transition
    Configuration

    How to configure a tunnel (Linux) (1/4)

    [Figure: IPv6-in-IP tunnel across the IPv4 network between 192.168.1.10 (2001:760:ffff::10/127) and 192.168.10.2 (2001:760:ffff::11/127)]

    How to configure a tunnel (Linux) (2/4)

    For the configuration, use the iptunnel command, which can create, delete and modify an ip-over-ip, gre or sit tunnel.

        iptunnel {add|change|del|show} NAME mode {ipip|gre|sit} remote local [ ttl TTL ] [ tos TOS ] [ nopmtudisc ] [ dev PHYS_DEV ]

    How to configure a tunnel (Linux) (3/4)

    Tunnel configuration and creation of the tunnel interface

        # iptunnel add sit1 remote 192.168.10.2 local 192.168.1.10 mode sit ttl 64

    IPv6 address configuration on the tunnel interface

        # ifconfig sit1 inet6 add 2001:760:ffff::10/127

    Tunnel interface activation

        # ifconfig sit1 up

    Creation of a static route to the tunnel interface

        # route --inet6 add default gw 2001:760:ffff::11

    With this route, traffic is routed by default to the tunnel.

    How to configure a tunnel (Windows)

    [Figure: IPv6-in-IP tunnel between 192.168.1.10 (2001:760:ffff::10) and 192.168.10.2 (2001:760:ffff::11)]

    Windows host (192.168.1.10):

        C:\>ipv6 rtu ::/0 2/::192.168.10.2 pub
        C:\>ipv6 adu 2/2001:760:ffff::10

    Remote tunnel end point (192.168.10.2):

        interface tunnel0
         ipv6 address 2001:760:ffff::11/127
         tunnel source 192.168.10.2
         tunnel destination 192.168.1.10
         tunnel mode ipv6ip

    IPv6 enabled applications

    http://6net.iif.hu/ipv6_apps
    http://www.deepspace6.net/docs/ipv6_status_page_apps.html (Linux only)

    Sendmail, Qmail, Postfix, Thunderbird, Bind, VLC, SSH, Apache, Mozilla, Firefox, Internet Explorer, Irc, Xchat

    References


    http://www.ipv6ready.org/

    http://www.ipv6tf.org/

    http://www.go6.net/

    http://www.deepspace6.net/

    http://www.6diss.org/

    http://www.sixxs.net/