IPv6 Fundamentals

Upload: richymic

Post on 19-Oct-2015


DESCRIPTION

IPv6 Fundamentals

TRANSCRIPT

  • 5/28/2018 IPv6 Fundamentals

    1/137

    IPv6 Fundamentals

    Mukom Akong T. (@perfexcellent)

  • Slide 2/137: Fundamentals of IPv6

    What you should be able to do after finishing this module:

    - Understand IPv4 exhaustion and its implications
    - Identify IPv6 addresses
    - Create an IPv6 addressing plan
    - Configure and verify IPv6 on a LAN

    www.afrinic.net | slide 2

  • Slide 3/137: Module Assumptions

    - Fundamental concepts of TCP/IPv4
    - Building basic IPv4 networks
    - Using the command line interface for common routing platforms
      - Cisco IOS
      - Juniper JUNOS
      - Quagga

  • Slide 4/137: Module deliverables

    - Describe differences between IPv4 and IPv6
      - Key protocols
      - Basic configuration
    - Create an IPv6 addressing plan
      - Subnetting
      - Estimate space
      - Allocation
    - Identify and work with IPv6 addresses
      - Address structure and notation
      - Types of IPv6 addresses
    - Understand IPv4 exhaustion implications
      - Global IPv6 address distribution
      - Implications of exhaustion

  • Slide 5/137: Understanding IPv4 Exhaustion Implications

    After this section you should be able to:

    - Describe the world situation with respect to v4 addresses
    - Describe the implications of IPv4 exhaustion

  • Slide 6/137: Central IPv4 Pool as at 16.06.2010

  • Slide 7/137: Central IPv4 Pool as at 31.01.2011

  • Slide 8/137: Global IPv4 Address Distribution

    Source: www.ipv4depletion.com

  • Slide 9/137: Projected RIR Depletion Dates

    Source: Geoff Huston

  • Slide 10/137: Exhaustion Consequence: IPv4 addresses are now more expensive

    $7.5m for 666,624 v4 addresses

  • Slide 11/137: Exhaustion Consequence: demand for IPv4 addresses may increase its price

  • Slide 12/137: Exhaustion Consequence: An IPv4 address black market emerges

    - Black markets have well-known contrary consequences

  • Slide 13/137: Implications of Africa running out last

    - Scenario #1: We remain complacent and the world leaves us behind in IPv4-land
      - Cost of connecting to the rest of the world increases
      - We miss any market opportunities v6 adoption presents
    - Scenario #2: A rush for Africa's pool by other regions
      - African networks deprived of critical v4 needed to facilitate transition to v6
      - We are forced to deploy greenfield IPv6 (good)
      - Use of NAT increases (bad)

  • Slide 14/137: IPv6 Addressing Basics

    After this section you should be able to:

    - Work comfortably with IPv6's hexadecimal notation
    - Identify, write and shorten IPv6 addresses

  • Slide 15/137: What is IPv6?

    - Network-layer successor to IPv4
      - 128 bits long (2^96 times the total IPv4 address space)
      - Runs on the same physical infrastructure
      - The same applications can also run on IPv6
      - Incompatible with IPv4
    - The only sustainable answer to IPv4 exhaustion
      - Enables continued growth of the Internet
      - Restores end-to-end model
      - Enables the Internet of Things

  • Slide 16/137: IPv6 addresses are written in hexadecimal

    - The 8 groups of hexits are separated by colons
    - Addresses are conventionally written in lower case

    IPv6 address = 128 bits (1 or 0)
    IPv6 address = 32 hexits (0 - 9, a, b, c, d, e, f)
    IPv6 address = 8 groups of 4 hexits

    2001 : db8 : c001 : face : b00c : dead : babe : 1cee : f001

  • Slide 17/137: How IPv6 addresses are written

    Source: Jeff L. Carrell, Implementing IPv6, the Nuts and Bolts about It, 2011

  • Slide 18/137: IPv6 prefixes

    - IPv6 is all CIDR, i.e. no subnet masks
    - A prefix is written as: aaaa:bbbb:cccc:dddd:eeee:ffff/prefix length
    - Prefix length is a decimal in the range [0, 128]
    - Examples of prefix notation:
      - 2001:db8::/32 --- a prefix assigned to an organisation
      - 2001:db8:1ce:c001::/64 --- a prefix assigned to a LAN
      - 2001:db8:1ce:c001::a/64 --- an address out of a /64 prefix

  • Slide 19/137: Rules for shortening IPv6 addresses

    - Zero-suppression: omit all leading zeroes in a group of hexits
      - A leading zero is that which comes immediately after a colon
      - Each group must still contain at least one hexit
    - Zero-compression: substitute two or more consecutive groups of zeroes with one double colon (::)
      - This should only be done once to avoid ambiguity
      - If more than one substitution is possible, make that which replaces the most groups
      - In case of two equal possible substitutions, make the leftmost one.
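
The shortening rules above, implemented step by step. This is an added example, not part of the original slides; the function names are made up for it, and the result is compared with Python's standard `ipaddress` module, which applies the same rules.

```python
import ipaddress

HEXITS = set("0123456789abcdefABCDEF")


def expand(addr):
    """Return the 8 groups of an IPv6 address, each padded to 4 lower-case hexits."""
    if addr.count("::") > 1:
        raise ValueError("'::' may be used only once, otherwise the address is ambiguous")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group")
        groups = left + ["0"] * missing + right
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("an IPv6 address has exactly 8 groups")
    for group in groups:
        if not 1 <= len(group) <= 4 or not set(group) <= HEXITS:
            raise ValueError("each group needs 1 to 4 hexits, got %r" % group)
    return [group.lower().zfill(4) for group in groups]


def shorten(addr):
    """Apply zero-suppression, then zero-compression, as the slide describes."""
    # Zero-suppression: drop leading zeroes but keep at least one hexit per group.
    groups = [group.lstrip("0") or "0" for group in expand(addr)]

    # Zero-compression: find the longest run of two or more all-zero groups.
    # The strict '>' keeps the leftmost run when two runs have equal length.
    best_start, best_len = -1, 1
    i = 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j

    if best_start < 0:
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return left + "::" + right


def matches_stdlib(addr):
    """True when shorten() agrees with the standard library's canonical form."""
    return shorten(addr) == str(ipaddress.IPv6Address(addr))


if __name__ == "__main__":
    for sample in ("2001:0db8:0000:0000:0000:0000:0000:0001",
                   "2001:0db8:0000:0000:0001:0000:0000:0001",
                   "2001:db8:0:1:1:1:1:1"):
        print(sample, "->", shorten(sample))
```

A single all-zero group is never replaced by `::`, and input that uses `::` twice is rejected by `expand()` rather than guessed at.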

  • Slide 20/137: Shortening IPv6 addresses: Example

    Source: Jeff L. Carrell, Implementing IPv6, the Nuts and Bolts about It, 2011

  • Slide 21/137: Shortening IPv6 addresses: Example

    Source: Jeff L. Carrell, Implementing IPv6, the Nuts and Bolts about It, 2011

  • Slide 22/137: Incorrect IPv6 shortening example

    Source: Jeff L. Carrell, Implementing IPv6, the Nuts and Bolts about It, 2011

  • Slide 23/137: IPv6 Address Types

    After this section you should be able to:

    - Identify different types of IPv6 addresses
    - Describe the structure and scopes of these addresses

  • Slide 24/137: Types of IPv6 addresses

    - Unicast addresses
      - Identifies an interface of an IPv6 node
      - Can be used as source and destination of a packet
      - An interface can have multiple valid IPv6 addresses
    - Multicast addresses
      - Identifies a group of IPv6 addresses
      - Can only be used as the destination of a transmission
      - An interface can belong to multiple multicast addresses
    - Anycast addresses
      - Same address on multiple nodes
      - Packet to anycast address is delivered only to nearest one
      - Packets are never sourced from an anycast address

  • Slide 25/137: Scope: An address's extent of validity

    [Diagram: Global Scope and Link-local Scope (fe80::/10) around the link layer]

    These scopes do not apply to multicast addresses and the unspecified address

  • Slide 26/137: Global unicast addresses

    - Fixed high order bits of 001 => prefix of 2000::/3
    - Example: 2001:db8:dead:beef:c001:babe:0000:aaaf

    Field:  001      Global Routing Prefix   SubnetID   InterfaceID
    Size:   3 bits   45 bits                 16 bits    64 bits

    IANA >> LIR >> ISP

  • Slide 27/137: Link local unicast addresses

    - First 10 bits are 1111 1110 10, thus prefix fe80::/10
    - Scope is link local, thus not forwarded off-link by routers
    - One per interface is always automatically configured when IPv6 is enabled
    - Used for
      - Automatic address configuration
      - Default gateway on hosts
      - Routing protocol updates
      - Neighbor discovery

    Field:  1111 1110 10   0         InterfaceID
    Size:   10 bits        54 bits   64 bits

  • Slide 28/137: The Link local address reachability problem

    If you ping fe80::212:6bff:fe54:f99a (N1), what egress interface will router R use? (see solution next slide)

    [Diagram: router R with interfaces Fe 0/0 and Fe 0/1; nodes N1, N2, M1 and M2; link-local addresses fe80::212:6bff:fe54:f99a (N1), fe80::212:6bff:fe3a:9e9a, fe80::212:6bff:fe17:fc0f and fe80::245:bcff:fe47:1530]

  • Slide 29/137: ZoneIDs resolving Link local address ambiguity

    - ZoneID (or scopeID)
      - Provides the extra routing information required
      - Automatically assigned by the operating system
      - Only locally significant
    - A full link-local address is written as: address%zoneID
    - Examples of some full link-local addresses with zoneIDs:
      - [Windows] ping fe80::245:bcff:fe47:1530%11
      - [Linux] ping6 fe80::245:bcff:fe47:1530%eth0

  • Slide 30/137: Examples of using ZoneID

    - Windows Host X: fe80::1ce:c01d:dead:babe%7
    - Windows Host Y: fe80::dead:beef:1ce:c01d%10
    - Ping from X -> Y is accomplished thus
      - Use the link local address of Host Y
      - Append the ZoneID of Host X on the same broadcast domain
      - ping fe80::dead:beef:1ce:c01d%7 [correct]
      - ping fe80::dead:beef:1ce:c01d%11 [wrong]

  • Slide 31/137: Unique Local Addresses

    - Private address space anyone can use without going to an ISP or RIRs
    - Prefix fc00::/7 and L flag indicates whether the prefix is locally assigned (1) or globally assigned (0)
      - For L=1, we have fd00::/8 for ULAs that anyone can assign.
      - For L=0, we have fc00::/8 for ULAs that are centrally assigned.
    - Scope is global but they are usually filtered by e-BGP routers

    Field:  1111 110L   Global ID   SubnetID   InterfaceID
    Size:   8 bits      40 bits     16 bits    64 bits

  • Slide 32/137: Unique Local Addresses: GlobalID Algorithm

    1. Get the current time of day in 64-bit NTP format.
    2. Get the EUI-64 identifier from the MAC address or other unique identifier.
    3. Concatenate (1) and (2)
    4. Compute the SHA-1 digest of (3)
    5. Use the least significant 40 bits of (4) as your globalID

    Field:  1111 110L   Global ID   SubnetID   InterfaceID
    Size:   8 bits      40 bits     16 bits    64 bits
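
The five steps above carried through in code, ending with the fd00::/8 prefix they produce. This is an added example, not part of the original slides; the function names are made up for it, and the sample EUI-64 is the interface ID of fe80::212:6bff:fe54:f99a from slide 28.

```python
import hashlib
import ipaddress
import struct
import time

NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

# Interface ID of fe80::212:6bff:fe54:f99a, used here as the EUI-64 identifier.
SAMPLE_EUI64 = bytes.fromhex("02126bfffe54f99a")


def ntp_timestamp(unix_time):
    """Step 1: 64-bit NTP format, 32-bit seconds since 1900 plus 32-bit fraction."""
    whole = int(unix_time)
    fraction = int((unix_time - whole) * 2**32)
    seconds = whole + NTP_UNIX_OFFSET
    return struct.pack("!II", seconds & 0xFFFFFFFF, fraction & 0xFFFFFFFF)


def global_id(unix_time, eui64):
    """Steps 2 to 5: SHA-1 over timestamp || EUI-64, keep the low 40 bits."""
    if len(eui64) != 8:
        raise ValueError("an EUI-64 identifier is 8 bytes long")
    digest = hashlib.sha1(ntp_timestamp(unix_time) + eui64).digest()
    return digest[-5:]  # least significant 40 bits of the 160-bit digest


def ula_prefix(gid):
    """Place the Global ID behind 1111 1101 (L=1, locally assigned) to get a /48."""
    if len(gid) != 5:
        raise ValueError("the Global ID is 40 bits (5 bytes)")
    packed = b"\xfd" + gid + bytes(10)
    return ipaddress.IPv6Network("%s/48" % ipaddress.IPv6Address(packed))


def subnet(prefix, subnet_id):
    """Return the /64 for a 16-bit SubnetID inside a ULA /48."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("SubnetID is 16 bits")
    base = int(prefix.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))


def new_ula_prefix(eui64, now=None):
    """Generate a prefix from the current clock (or a supplied Unix time)."""
    when = time.time() if now is None else now
    return ula_prefix(global_id(when, eui64))


if __name__ == "__main__":
    prefix = new_ula_prefix(SAMPLE_EUI64)
    print("ULA prefix:", prefix)
    print("first LAN: ", subnet(prefix, 1))
```

Because the timestamp is part of the hash input, two runs on the same host give different prefixes, which is what keeps independently chosen ULA prefixes from colliding when networks merge.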

  • Slide 33/137: 6to4 Transition Addresses

    - IPv4-derived address used in the 6to4 transition mechanism
    - WWXX:YYZZ is the hex form of public v4 address w.x.y.z
    - Each public IPv4 address gives an entire /48 IPv6 prefix

    Field:  2002:WWXX:YYZZ (from w.x.y.z)   SubnetID   InterfaceID
    Size:   48 bits                         16 bits    64 bits

  • Slide 34/137: Generating the InterfaceID (Last 64 bits)

    - Manually typed by an admin on an interface
    - Automatically
      - The EUI-64 algorithm.
      - A pseudo-random number.
      - A public key (e.g. in the CGAs)
    - Reserved interfaceIDs (RFC 5433)
      - Subnet router anycast: 0000:0000:0000:0000
      - Reserved subnet anycast: fdff:ffff:ffff:ff80 - ff

  • Slide 35/137: EUI-64 Automatic InterfaceID Generation

  • Slide 36/137: Privacy concerns with EUI-64

    - For a given MAC address
      - The EUI-64 interfaceID is fixed
      - It is re-used with the prefix of any network encountered
    - It is possible to track a user from their interfaceID
      - The prefix says what network a user is on
      - The MAC address can be inferred from the interfaceID
    - Privacy addressing (RFC4941) deals with this issue

    learn.afrinic.net | slide 36
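
Why the interfaceID gives the MAC address away, shown as an audit helper that flags EUI-64-derived addresses so privacy addressing can be enabled on those hosts. This is an added example, not part of the original slides; the function names and the observed-address list are constructed for it, while the link-local address is the one from slide 28.

```python
import ipaddress


def mac_to_interface_id(mac):
    """EUI-64: flip the universal/local bit and insert ff:fe in the middle of the MAC."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("a MAC address is 6 bytes long")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def recover_mac(addr):
    """Return the MAC embedded in an EUI-64 interfaceID, or None if there is none."""
    iid = ipaddress.IPv6Address(addr.split("%")[0]).packed[8:]  # drop any zoneID
    if iid[3:5] != b"\xff\xfe":
        return None  # manual, random or privacy interfaceID: nothing to recover
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % byte for byte in raw)


def group_by_mac(addresses):
    """Map each recoverable MAC to the /64 networks it was seen on."""
    seen = {}
    for addr in addresses:
        mac = recover_mac(addr)
        if mac is None:
            continue
        network = ipaddress.ip_network(addr.split("%")[0] + "/64", strict=False)
        seen.setdefault(mac, []).append(str(network))
    return seen


# Constructed sample: the same laptop on two networks, plus one host whose
# interfaceID is random and therefore not linkable this way.
OBSERVED = [
    "2001:db8:a::212:6bff:fe54:f99a",
    "2001:db8:b:1:212:6bff:fe54:f99a",
    "2001:db8:a::1c3f:9a02:77de:4b10",
]

if __name__ == "__main__":
    print(recover_mac("fe80::212:6bff:fe54:f99a"))
    for mac, networks in group_by_mac(OBSERVED).items():
        print(mac, "seen on", ", ".join(networks))
```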

  • Slide 37/137: IPv4-Mapped Transition Addresses

    - An IPv4 address represented in IPv6 format
    - Form: ::ffff:w.x.y.z/96 where w.x.y.z is a normal IPv4 address.
    - Internally represents a v4 node to a v6 node
    - Never used as a source or destination v6 address

    Field:  0         ffff      IPv4 Address
    Size:   80 bits   16 bits   32 bits

  • Slide 38/137: ISATAP transition addresses

    - An IPv6 address formed from a private IPv4 address
    - Automatically generated and assigned to ISATAP tunnels
    - Form: 64bitPrefix:0:5efe:a.b.c.d
      - Where a.b.c.d is an RFC1918 private IPv4 address

    Field:  Prefix    0000:5efe   Private IPv4 Address
    Size:   64 bits   32 bits     32 bits

  • Slide 39/137: Multicast addresses

    - Used as the destination of multicast communication
    - Start with bits 1111 1111 which is prefix: ff00::/8
    - Bits 8-16 specify further characteristics of the address

    Field:  1111 1111   Flags    Scope    GroupID
    Size:   8 bits      4 bits   4 bits   112 bits

  • Slide 40/137: The Flag Bits in multicast addresses

    Bit          Description
    3            Reserved (must be set to 0)
    2 (R flag)   Rendezvous Point address is embedded (1) or not (0)
    1 (P flag)   Address is based on a unicast prefix (1) or not (0)
    0 (T flag)   Address is well-known (0) or dynamically assigned (1)

  • Slide 41/137: The Scope Bits in multicast addresses

    Binary   Hex   Scope
    0001     0x1   Interface
    0010     0x2   Link
    0100     0x4   Administrative
    0101     0x5   Site
    1000     0x8   Organisation
    1110     0xe   Global
    Others         Unassigned or Reserved

  • Slide 42/137: Some reserved multicast groups

    Some Well-Known/Reserved Multicast Groups

    Address             Scope         Description
    FF01::1             1=Interface   All nodes on the interface
    FF02::1             2=Link        All nodes on the link
    FF01::2             1=Interface   All routers on the interface
    FF02::2             2=Link        All routers on the link
    FF05::2             5=Site        All routers in the site
    FF02::5             2=Link        All OSPFv3 routers
    FF02::6             2=Link        OSPFv3 designated routers
    FF02::A             2=Link        All EIGRPv6 routers
    FF02::D             2=Link        All PIM routers
    FF02::1:FFXX:XXXX   2=Link        Solicited-node address

  • Slide 43/137: The Solicited Node multicast address

    - Multicast address for all nodes with the same IPv6 address
    - Constructed as follows:
      - Prefix FF02::1:FF00:0/104
      - Last 24 bits of the IPv6 unicast address
      - See examples next slide

    Field:  Prefix FF02::1:FF00:0/104   InterfaceID (lower 24 bits)
    Size:   104 bits                    24 bits

  • Slide 44/137: Solicited node multicast addresses in action

    #show ipv6 interface g0/0
    GigabitEthernet0/0 is up, line protocol is up
      IPv6 is enabled, link-local address is FE80::CA9C:1DFF:FE6B:B6A0
      No Virtual link-local address(es):
      Description: [Link to R1]
      Global unicast address(es):
        2001:43F8:90:C0::2, subnet is 2001:43F8:90:C0::/64
      Joined group address(es):
        FF02::1
        FF02::2
        FF02::1:FF00:2
        FF02::1:FF6B:B6A0
      MTU is 1500 bytes
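
The multicast layout of slides 39 to 41 and the solicited-node construction of slide 43, checked against the router output above. This is an added example, not part of the original slides; the function names are made up for it, and `SHOW_OUTPUT` is the slide 44 text with its line breaks restored.

```python
import ipaddress

SCOPES = {0x1: "Interface", 0x2: "Link", 0x4: "Administrative",
          0x5: "Site", 0x8: "Organisation", 0xE: "Global"}

SHOW_OUTPUT = """\
GigabitEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::CA9C:1DFF:FE6B:B6A0
  No Virtual link-local address(es):
  Description: [Link to R1]
  Global unicast address(es):
    2001:43F8:90:C0::2, subnet is 2001:43F8:90:C0::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:2
    FF02::1:FF6B:B6A0
  MTU is 1500 bytes
"""


def decode_multicast(addr):
    """Split a multicast address into its flag bits, scope and GroupID."""
    raw = ipaddress.IPv6Address(addr).packed
    if raw[0] != 0xFF:
        raise ValueError("%s is not inside ff00::/8" % addr)
    flags, scope = raw[1] >> 4, raw[1] & 0x0F
    return {
        "R": bool(flags & 0b0100),   # rendezvous point address embedded
        "P": bool(flags & 0b0010),   # based on a unicast prefix
        "T": bool(flags & 0b0001),   # dynamically assigned (0 = well-known)
        "scope": SCOPES.get(scope, "Unassigned or Reserved"),
        "group_id": int.from_bytes(raw[2:], "big"),
    }


def solicited_node(unicast):
    """104-bit prefix of ff02::1:ff00:0 followed by the low 24 bits of the address."""
    prefix = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13]
    low24 = ipaddress.IPv6Address(unicast).packed[-3:]
    return ipaddress.IPv6Address(prefix + low24)


def interface_addresses(output):
    """Pull unicast addresses and joined groups out of 'show ipv6 interface' text."""
    unicast, joined = [], set()
    for token in output.replace(",", " ").split():
        try:
            ip = ipaddress.IPv6Address(token)
        except ValueError:
            continue  # words, prefixes with '/', numbers such as the MTU
        if ip.is_multicast:
            joined.add(ip)
        else:
            unicast.append(ip)
    return unicast, joined


def missing_solicited_groups(output):
    """Solicited-node groups that the configured addresses need but were not joined."""
    unicast, joined = interface_addresses(output)
    needed = {solicited_node(str(ip)) for ip in unicast}
    return sorted(str(group) for group in needed - joined)


if __name__ == "__main__":
    for ip in interface_addresses(SHOW_OUTPUT)[0]:
        print(ip, "->", solicited_node(str(ip)))
    print("missing groups:", missing_solicited_groups(SHOW_OUTPUT))
```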

  • Slide 45/137: IPv6 address literals in URLs

    - Problem: The colon in v6 addresses has another meaning in URLs
      - It is a core part of the http://
      - It is also used to specify the port
    - Solution: enclose the IPv6 address in square brackets
      - http://[2001:db8:85a3:8d3:1319:8a2e:370:7348]/
      - http://[2001:db8:85a3:8d3:1319:8a2e:370:7348]:80/

  • Slide 46/137: IPv6 literals in UNC path names

    - Problem: The colon is an illegal character in Microsoft UNC pathnames
    - The solution:
      - Replace all colons in the address with a dash
      - Replace any % in the zoneID with an s
      - Append .ipv6-literal.net to the address
    - Example: 2001:db8:85a3:8d3:1319:8a2e:370:7348 -> 2001-db8-85a3-8d3-1319-8a2e-370-7348.ipv6-literal.net
    - Example: fe80::1%4 -> fe80--1s4.ipv6-literal.net

  • Slide 47/137: Summary of IPv6 Address Types

    Type             Structure (16 bit boundaries)
    Global Unicast   GlobalID SubnetID InterfaceID
    Link-local       fe80 0 InterfaceID
    Unique-local     fc00 0 SubnetID InterfaceID
    Unique-local     fd00 0 SubnetID InterfaceID
    IPv4-mapped      0 ffff
    6to4             2002 SubnetID InterfaceID
    ISATAP           64bit v6 Prefix 0 5efe
    Unspecified      0
    Loopback         0 0001
    Multicast        ff Multicast GroupID
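
The summary table turned into a classifier that also pulls out the IPv4 address embedded in IPv4-mapped, 6to4 and ISATAP addresses, which is useful when reading logs from dual-stack hosts. This is an added example, not part of the original slides; the function names and the sample addresses built around 197.1.0.77 and 192.168.1.10 are constructed for it.

```python
import ipaddress

# First match wins, so the specific prefixes are listed before 2000::/3.
TYPES = [(name, ipaddress.IPv6Network(prefix)) for name, prefix in (
    ("Unspecified", "::/128"),
    ("Loopback", "::1/128"),
    ("IPv4-mapped", "::ffff:0:0/96"),
    ("6to4", "2002::/16"),
    ("Unique-local (centrally assigned)", "fc00::/8"),
    ("Unique-local (locally assigned)", "fd00::/8"),
    ("Link-local", "fe80::/10"),
    ("Multicast", "ff00::/8"),
    ("Global Unicast", "2000::/3"),
)]

ISATAP_MARK = bytes.fromhex("00005efe")  # first 32 bits of an ISATAP interfaceID


def classify(text):
    """Return the address type plus any IPv4 address carried inside it."""
    ip = ipaddress.IPv6Address(text.split("%")[0])  # a zoneID is not part of the address
    kind = next((name for name, net in TYPES if ip in net), "Other")
    raw = ip.packed
    embedded, isatap = None, False
    if kind == "IPv4-mapped":
        embedded = raw[12:]            # ::ffff:w.x.y.z
    elif kind == "6to4":
        embedded = raw[2:6]            # 2002:WWXX:YYZZ::/48
    elif kind not in ("Unspecified", "Loopback", "Multicast") and raw[8:12] == ISATAP_MARK:
        isatap = True                  # 64bitPrefix:0:5efe:a.b.c.d
        embedded = raw[12:]
    ipv4 = str(ipaddress.IPv4Address(embedded)) if embedded is not None else None
    return {"type": kind, "isatap": isatap, "ipv4": ipv4}


def embedded_ipv4_report(addresses):
    """List (address, type, embedded IPv4) for every address that carries one."""
    rows = []
    for text in addresses:
        info = classify(text)
        if info["ipv4"] is not None:
            label = "ISATAP" if info["isatap"] else info["type"]
            rows.append((text, label, info["ipv4"]))
    return rows


# Constructed sample of addresses as they might appear in a connection log.
SAMPLE_LOG = [
    "2001:db8:dead:beef:c001:babe:0000:aaaf",
    "fe80::245:bcff:fe47:1530%eth0",
    "::ffff:197.1.0.77",
    "2002:c501:4d::1",
    "fe80::5efe:192.168.1.10",
    "ff02::1",
]

if __name__ == "__main__":
    for text in SAMPLE_LOG:
        print(text, classify(text))
```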

  • Slide 48/137: IPv6 addressing exercise

    Display the IPv6 configuration on your laptop

  • Slide 49/137: IPv6 from an IPv4 Perspective

    After this section you should be able to:

    - Describe the IPv6 header, noting differences from the v4 header
    - Identify the IPv6 equivalents and functioning of key IPv4 protocols

  • Slide 50/137: The IPv6 packet structure

  • Slide 51/137: Key characteristics of the IPv6 packet

    - Fixed header size of 40 bytes (320 bits)
    - Fragmentation not allowed by routers, only end hosts
    - Minimum supported MTU is 1280 bytes
    - Optional layer 3 information is put in extension headers just before the upper-layer header

  • Slide 52/137: IPv6 extension headers

    - Serve similar functionality to IPv4 Options headers
    - Processed only at packet's destination, except for Hop-by-Hop Options header
    - Only appear once in a packet, except for the Destination Options header which appears twice
    - A node discards the packet with a Parameter Problem message in the following circumstances
      - It sees an un-recognized extension header
      - A Next Header value 0 appears in a header other than the fixed header

  • Slide 53/137: IPv6 packet without extension header

    Courtesy: cisco.com

  • Slide 54/137: IPv6 packet with extension headers

    Courtesy: cisco.com

  • Slide 55/137: List and order of IPv6 extension headers

    Order   Header                Code   Description
    1       Basic IPv6 header
    2       Hop-by-hop options    0      Examined by all hosts in path
    3       Destination options   60     Examined only by destination node
    4       Routing               43     Specify the route for a datagram (mobile v6)
    5       Fragment              44     Fragmentation parameters
    6       Authentication (AH)   51     Verify packet authenticity
    7       ESP                   50     Encrypted data
    8       Destination options   60     Examined only by destination node
    9       Mobility              135    Parameters for use with mobile IPv6
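
A walker for the Next Header chain that applies the rules from slide 52 and the order from the table above, of the kind a filter or IDS rule needs before it can find the upper-layer header. This is an added example, not part of the original slides; the function names and both sample packets are constructed for it, and any Next Header value outside the table is treated as the upper-layer protocol.

```python
import struct

# Next Header codes from the table above.
EXT_HEADERS = {0: "Hop-by-hop options", 60: "Destination options", 43: "Routing",
               44: "Fragment", 51: "Authentication (AH)", 50: "ESP", 135: "Mobility"}
# Row number in the table; Destination options (60) is listed in two places.
ORDER = {0: 2, 43: 4, 44: 5, 51: 6, 50: 7, 135: 9}


def walk_chain(packet):
    """Return (extension header names, upper-layer protocol or None, problems)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("need version 6 and the full 40-byte fixed header")
    next_header = packet[6]
    offset, last_rank = 40, 0
    chain, problems = [], []
    while next_header in EXT_HEADERS:
        name = EXT_HEADERS[next_header]
        if next_header == 0 and chain:
            problems.append("Next Header 0 appears in a header other than the fixed header")
        allowed = 2 if next_header == 60 else 1
        if chain.count(name) >= allowed:
            problems.append("%s appears more than %d time(s)" % (name, allowed))
        rank = ORDER.get(next_header)
        if rank is not None:
            if rank < last_rank:
                problems.append("%s is out of the table's order" % name)
            last_rank = max(last_rank, rank)
        chain.append(name)
        if next_header == 50:      # ESP: what follows is encrypted, stop here
            return chain, None, problems
        if offset + 8 > len(packet):
            problems.append("%s is truncated" % name)
            return chain, None, problems
        following, length_field = packet[offset], packet[offset + 1]
        if next_header == 44:
            size = 8                         # Fragment header has a fixed size
        elif next_header == 51:
            size = (length_field + 2) * 4    # AH counts 32-bit words, minus 2
        else:
            size = (length_field + 1) * 8    # 8-octet units, first 8 not counted
        if offset + size > len(packet):
            problems.append("%s is truncated" % name)
            return chain, None, problems
        offset += size
        next_header = following
    return chain, next_header, problems


def fixed_header(next_header, rest):
    """Constructed 40-byte header from 2001:db8::1 to 2001:db8::2, followed by rest."""
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")
    return struct.pack("!IHBB", 6 << 28, len(rest), next_header, 64) + src + dst + rest


def options_header(next_header):
    """8-byte Hop-by-hop or Destination options header holding one PadN option."""
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


def fragment_header(next_header):
    """8-byte Fragment header: offset 0, no more fragments, identification 1."""
    return bytes([next_header, 0, 0, 0, 0, 0, 0, 1])


ICMPV6 = bytes(8)  # placeholder upper-layer payload (Next Header 58)
GOOD_PACKET = fixed_header(0, options_header(60) + options_header(44)
                           + fragment_header(58) + ICMPV6)
BAD_PACKET = fixed_header(60, options_header(0) + options_header(60)
                          + options_header(60) + options_header(58) + ICMPV6)

if __name__ == "__main__":
    for label, packet in (("good", GOOD_PACKET), ("bad", BAD_PACKET)):
        print(label, walk_chain(packet))
```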

  • Slide 56/137: The IPv6 header compared to IPv4 header

    IPv4 header fields:
      Version | Header Length | TOS | Total Length
      Identification | Flags | Fragment Offset
      TTL | Protocol | Header Checksum
      Source Address
      Destination Address
      Options

    IPv6 header fields:
      Version | Traffic Class | Flow Label
      Payload Length | Next Header | Hop Limit
      Source Address
      Source Address

    Bit offsets: 0 4 8 12 16 20 24 28 32

  • Slide 57/137: IPv6 packet header on the wire

  • Slide 58/137: Packet header structure changes from IPv4

    - IPv4 header fields removed from the base IPv6 header
      - Fragmentation fields [Identification, flags, fragment offset]
      - Options
    - IPv4 header fields eliminated in IPv6
      - Header checksum
      - Header length
    - Revised fields
      - TTL -> Hop count
      - Protocol -> Next header
      - Precedence and ToS fields -> Traffic class
    - New fields
      - Flow label

  • Slide 59/137: IPv4 vs IPv6 key functionality comparison

    - Network Access Layer
      - IPv4: Ethernet and variants; PPP for serial links; ATM
      - IPv6: Ethernet and variants; PPP for serial links; ATM
    - Host auto-configuration
      - IPv4: DHCP
      - IPv6: DHCPv6; Stateless Address configuration
    - Network to Link-layer Address Resolution
      - IPv4: ARP broadcasts
      - IPv6: NDP via ICMPv6 (NS, NA)

  • Slide 60/137: IPv4 vs IPv6 key functionality comparison

    - FQDN to IP-address resolution
      - IPv4: DNS client-server; A resource records; in-addr.arpa reverse zone
      - IPv6: DNS client-server; AAAA resource records; ip6.arpa reverse zone
    - Host multicast group membership
      - IPv4: IGMPv1; IGMPv2
      - IPv6: MLDv1
    - Automatic default gateway configuration
      - IPv4: DHCP, IRDP, passive RIP
      - IPv6: NDP via ICMPv6 (RA)

  • Slide 61/137: IPv4 vs IPv6 key functionality comparison

    - Routing protocols
      - IPv4: Static routing; RIPv1, RIPv2; OSPFv2; BGP4+ IPv4 AF
      - IPv6: Static routing; RIPng; OSPFv3; BGP4+ IPv6 AF
    - Minimum MTU size
      - IPv4: 576 bytes
      - IPv6: 1280 bytes
    - Sending packets to all hosts on subnet
      - IPv4: Broadcast to subnet broadcast
      - IPv6: Multicast to ALL_NODES (ff02::1)

  • Slide 62/137: Resolving names to IPv6 addresses

    - Most modern DNS servers support IPv6
      - AAAA records for IPv6 to FQDN mapping
      - PTR records under ip6.arpa. TLD for FQDN to IP mapping
    - DNS is transport-protocol agnostic i.e.
      - A query over IPv4 could yield AAAA records
      - A query over IPv6 could yield A records

  • Slide 63/137: Sample IPv6 resource records

    FQDN to IP Address
      IPv4 [A record]:    voyager.starfleet.org A 197.1.0.77
      IPv6 [AAAA record]: voyager.starfleet.org IN AAAA 2001:0470:0000:0064:0000:0000:0000:0002

    IP Address to FQDN
      IPv4 [PTR record]:  77.0.1.197.in-addr.arpa PTR voyager.starfleet.org
      IPv6 [PTR record]:  2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.6.0.0.0.0.0.0.0.7.4.0.1.0.0.2.ip6.arpa IN PTR voyager.starfleet.org

  • Slide 64/137: Generating IPv6 PTR records

    - Write the IPv6 address in full, in reverse
    - Separate each hexit by a period
    - Append the ip6.arpa domain
    - Example with sipcalc

  • Slide 65/137: The usual DNS test tools work as expected

  • Slide 66/137: The Key IPv6 Functionality Protocols

    After this section you should be able to:

    - Describe the importance and functioning of IPv6 ND
    - Describe how ND is used in other key functions of IPv6

  • Slide 67/137: IPv6 Neighbor Discovery Protocol (ND)

    - Key protocol upon which most of IPv6's functionality depends
    - Used by both hosts and routers
    - Consists of a set of ICMPv6 messages
    - Works at network layer, thus can use IPsec
    - Different message exchanges deliver various functionalities

  • Slide 68/137: Functions of IPv6 Neighbor Discovery (ND)

    [Diagram: Neighbour Discovery Protocol]

    - Host Router Functions
      - Address resolution
      - Address autoconfiguration
      - Parameter discovery
      - Prefix discovery
      - Router discovery
    - Host Communication Functions
      - Duplicate address detection
      - Neighbour unreachability detection
      - Next-hop determination
      - Address resolution

  • Slide 69/137: 5 ICMPv6 messages used by ND

    - Neighbour Solicitation
    - Neighbour Advertisement
    - Router Solicitation
    - Router Advertisement
    - Redirect

  • Slide 70/137: Router Solicitations and Advertisement

  • Slide 71/137: The Router Solicitation message

    Sent by:      IPv6 host
    Purpose:      Find out what routers are present on the link
    Src address:  - IP of querying interface if one exists
                  - Unspecified address (::) if there is no IP address yet
    Dst address:  FF02::2 (all-routers)
    Notes:        ICMP type 133, ICMP code 0

  • Slide 72/137: Sample RS packet capture

  • Slide 73/137: The Router Advertisement message

    Sent by:      IPv6 router
    Purpose:      - Advertise its presence, prefixes, MTU, hop limits
                  - Sent periodically or in response to a RS
    Src address:  Router's link local IPv6 address
    Dst address:  - FF02::1 (all-v6-nodes) for periodic broadcasts
                  - v6 address of querying node if responding to a RS
    Notes:        ICMP type 134, ICMP code 0

  • Slide 74/137: RA Message on the Wire

  • Slide 75/137: Sample RA packet capture

  • Slide 76/137: Neighbour Solicitations and Advertisements

  • Slide 77/137: The Neighbour Solicitation message

    Sent by:      IPv6 host
    Purpose:      - Find out link layer address of another host.
                  - Duplicate address detection.
                  - Verify that a neighbour is reachable.
    Src address:  - IP of querying interface if one exists
                  - Unspecified address (::) if there is no IP address yet
    Dst address:  - Target neighbour's address if known
                  - Solicited node multicast address of target otherwise
    Notes:        ICMP type 135, ICMP code 0

  • Slide 78/137: The Neighbour Advertisement message

    Sent by:      IPv6 host
    Purpose:      - Response to a neighbour solicitation (NS)
                  - Periodically to update neighbors.
    Src address:  Manual or auto configured address of originating interface.
    Dst address:  - IP address of the node which sent the NA.
                  - FF02::1 for periodic advertisements.
    Notes:        ICMP type 136, ICMP code 0

  • Slide 79/137: Capture of an NA from a router in response to a NS

  • Slide 80/137: Packet capture of NA message from a host

  • Slide 81/137: The Redirect message

    Sent by:      IPv6 router
    Purpose:      Informs a node of a better next-hop router.
    Src address:  Link local address of router.
    Dst address:  IP address of requesting node.
    Notes:        ICMP type 137, ICMP code 0

  • Slide 82/137: Duplicate address detection

    [Diagram: nodes N1, N2 and N3 on one link]

    Tentative IP: 2001:db8::2:260:8ff:fe53:f9d8
    IP: 2001:db8::2:260:8ff:fe53:f9d8

    1. NS
       src: ::
       dst: FF02::1:FF53:F9D8
       hop limit: 255
       Target: 2001:DB8::2:260:8FF:FE53:F9D8

    2. NA
       src: 2001:DB8::2:260:8FF:FE53:F9D8
       dst: FF02::1
       hop limit: 255
       Target: 2001:DB8::2:260:8FF:FE53:F9D8

  • Slide 83/137: Duplicate address detection

    - DAD is performed on ALL unicast addresses
    - DAD is NEVER performed for anycast addresses
    - If DAD fails
      - That address cannot be assigned to the interface.
      - All addresses using that InterfaceID are also not unique
      - A system management error must be logged
    - Unrelated packets sent to a tentative address are discarded

  • Slide 84/137: How duplicate address detection works

    - Host N1 is going to assign address A on its interface I
    - Interface I joins multicast groups:
      - ff02::1 -- All IPv6 nodes
      - ff02::ff00:0:a -- solicited node multicast address for A
    - N1 sends NS message to ff02::ff:0:a sourced from ::
    - N1 listens for any NS messages to ff02::ff00:0:a from ::
    - DAD fails under any of the following circumstances
      - N1 receives an NS for a tentative address prior to sending one.
      - More NSs are received than those expected based on loopback semantics

    NS packet capture illustrating duplicate address detection (DAD)

    Link-layer address resolution using ND

    [Diagram: nodes N1 and N2]

    1. NS
       src: IPv6 address [N1]
       dst: Solicited node multicast [N2]
       data: Link layer address [N1]
       query: "what's your link layer address?"

    2. NA
       src: IPv6 address [N2]
       dst: IPv6 address [N1]
       data: Link layer address [N2]

    Neighbour unreachability detection

    • Does not necessarily verify end-to-end reachability since a neighbour could be a router (not the final destination)
    • How it works:
      - Send a probe to the desired host's solicited node multicast address and receive an NA or RA in response
      - Receive a clue from a higher level protocol that communication is happening, e.g. TCP ACK
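Added example (not from the original slides): a classifier for Neighbor Solicitations that applies the RFC 4861 validity checks and separates DAD probes from address resolution, using the addresses shown on the DAD slide. The class, function names and sample messages are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

SOLICITED_NODE_PREFIX = ipaddress.IPv6Network("ff02::1:ff00:0/104")
UNSPECIFIED = ipaddress.IPv6Address("::")


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """Solicited-node group: ff02::1:ff00:0/104 plus the low 24 bits of addr."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE_PREFIX.network_address) | low24)


@dataclass
class NeighborSolicitation:
    src: str
    dst: str
    hop_limit: int
    target: str
    has_source_lladdr: bool = False  # Source Link-Layer Address option present?


def classify_ns(ns: NeighborSolicitation) -> str:
    """Apply the RFC 4861 NS sanity checks, then name the ND function in use."""
    src, dst, target = (ipaddress.IPv6Address(a) for a in (ns.src, ns.dst, ns.target))
    # A hop limit below 255 means a router forwarded the packet: it is off-link.
    if ns.hop_limit != 255:
        return "invalid: hop limit is not 255, so the packet crossed a router"
    if target.is_multicast:
        return "invalid: target is a multicast address"
    group = solicited_node(ns.target)
    if src == UNSPECIFIED:
        # Source :: marks a DAD probe for a tentative address.
        if dst != group:
            return "invalid: DAD probe not sent to the target's solicited-node group"
        if ns.has_source_lladdr:
            return "invalid: DAD probe carries a source link-layer address"
        return "dad-probe"
    if dst == group:
        return "address-resolution"
    if dst == target:
        return "unicast-solicitation"
    return "invalid: destination is neither the target nor its solicited-node group"


# Constructed samples; the first uses the values from the DAD slide.
TARGET = "2001:db8::2:260:8ff:fe53:f9d8"
SAMPLES = [
    NeighborSolicitation("::", "ff02::1:ff53:f9d8", 255, TARGET),
    NeighborSolicitation("2001:db8::2:1", "ff02::1:ff53:f9d8", 255, TARGET,
                         has_source_lladdr=True),
    NeighborSolicitation("::", "ff02::1:ff53:f9d8", 64, TARGET),
    NeighborSolicitation("::", "ff02::1", 255, TARGET),
]

if __name__ == "__main__":
    for ns in SAMPLES:
        print(f"{ns.src:>15} -> {ns.dst:<20} {classify_ns(ns)}")
```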


    NS packet capture for neighbour reachability verification

    Basic IPv6 Configuration

    After this section you should be able to:
    • Configure and verify IPv6 on Windows operating systems
    • Configure and verify IPv6 on Linux operating systems
    • Configure and verify IPv6 on the Mac OS X operating system
    • Configure and verify IPv6 on Cisco IOS
    • Configure and verify IPv6 on Junos

    Most Operating Systems have IPv6 enabled by default!

    Operating system    IPv6 supported
    Windows             Windows XP Service Pack 2 and up
    Mac OS X            10.4 (Tiger) and up
    GNU Linux           Kernel 2.6 and up
    FreeBSD             FreeBSD 4.0 and up
    Cisco IOS           IOS 12.4; 12.3; 12.xT from 12.2T and up
    Junos               Junos 5.1 and up

    Host Configuration: Windows Vista/7

    Host configuration: Mac OS X

    Host Configuration: Linux

    Configure IPv6 on an interface
    $ ifconfig eth0 inet6 add 2001:db8:fedc:abcd::1/64

    Force an interface to come up at boot-up and get an address automatically.
    In /etc/network/interfaces:
    auto eth0
    iface eth0 inet manual
        up /sbin/ip -6 link set eth0 up

    Verify
    # ifconfig eth0
    OR
    # ip -6 addr show eth0

    Working with privacy addresses

    • Privacy address status on various operating systems
      - Windows Vista/7: Enabled by default
      - Mac OS X: Not enabled by default
      - Linux: not enabled by default
    • Generally, enabling privacy addresses is not recommended

    Disabling privacy addressing

    Windows Vista/7
    c:\> netsh interface ipv6 set privacy state=enabled|disabled
    c:\> netsh interface ipv6 set global randomizeidentifiers=enabled|disabled

    Mac OS X
    In /etc/sysctl.conf:
    net.inet6.ip6.use_tempaddr=0|1
    net.inet6.ip6.temppltime=XX    // lifetime of temporary address

    Linux (a value of 0 disables temporary addresses, 1 enables them)
    # echo "1" > /proc/sys/net/ipv6/conf/default/use_tempaddr

    Configuring basic IPv6 on Cisco IOS

    Enable IPv6 on an Interface
    (config-if)# ipv6 enable

    Assign an IPv6 address with automatic interfaceID
    (config-if)# ipv6 address Prefix/prefix-length eui-64

    Assign a static IPv6 address
    (config-if)# ipv6 address v6address/prefix-length

    Enable IPv6 routing and CEF
    (config)# ipv6 unicast-routing
    (config)# ipv6 cef

    Configuring basic IPv6 on Junos

    Enable IPv6 on an Interface

    Assign an IPv6 address with automatic interfaceID

    Assign a static IPv6 address

    Enable IPv6 routing and CEF

    Address Provisioning in IPv6

    After this section you should be able to:
    • Describe the options for provisioning addresses in IPv6
    • Describe and verify how SLAAC works
    • Describe and verify how DHCPv6 works
    • Describe how DHCPv6-PD works

    Device Provision requirements

    Hosts
    - IPv6 address
    - Default gateway
    - DNS server

    CPEs
    - IPv6 address
    - Default gateway
    - DNS server
    - Prefix for LAN(s)

    Automatic IP Configuration

    • The Problem with Traditional DHCP
      - It's a link-layer protocol and thus can't be routed without use of relays on every subnet.
      - Network and server staff are usually different, thus close coordination is needed (plus usual OSI Layer 8 issues!!)
      - Difficult to implement redundancy.
      - Susceptible to rogue DHCP servers.
      - If the lease database is corrupted, addresses can be given to multiple machines.
    • Because there are no broadcasts in IPv6, traditional DHCP won't work.
    • The options in IPv6 are:
      - Stateless Auto-Configuration - new to IPv6
      - Stateful Auto-Configuration - DHCPv6

    Automatic IP Configuration

    Typical configuration parameters
    IPv6 address             For client WAN address
                             Required by clients and CPEs
    DNS resolvers            Required by clients and CPEs
    IPv6 delegated prefix    Required by CPEs to automate LAN-side configuration

    Automatic IPv6 Configuration

    • Enterprise and campus network config requirements
      - IPv6 address for the host's interface
      - Default routers
      - DNS resolvers & other options
    • Service Provider network config requirements
      - IPv6 address for CPE WAN interface
      - Default route to be used by client network
      - Prefix to be used for CPE LAN interface(s)

    Options for Automatic Address Provisioning

    • The problem:
      - SLAAC does not hand out DNS server addresses
      - DHCPv6 does not hand out default router address
      - CPEs need auto-delegated prefix for simplicity
    • Options: Stateful & stateless DHCPv6 and SLAAC+RDNSS

                        Stateful DHCP    Stateless DHCP    SLAAC RDNSS
    IPv6 Address        DHCPv6           RA                RA
    Default routers     RA               RA                RA
    DNS resolver        DHCPv6           DHCPv6            RA
    Delegated prefix    DHCPv6-PD        DHCPv6-PD         N/A

    Stateless Auto-Configuration: How it Works

    • Host N2 will auto-configure an address for each of the advertised prefixes 2001:db8:a::/64 and 2001:db8:d::/64.
    • Hosts will also auto-configure 2 default routers

    [Diagram: Network X with nodes R1, R2, N2 and M2; labels: ff02::1, 1. [RS] RA?, [RA] 2001:db8:a::2, [RA] 2001:db8:d::3]

    Stateless Auto-Configuration: How it Works

    • Host generates an interfaceID and a link-local address
    • Perform Duplicate Address Detection [DAD] on selected address
    • Query all routers (via RS messages) for additional
    • Router responds with Router Advertisement [RA] which lists allocated prefixes for the subnet and indicates if it can provide routing services to connected hosts.
    • For each prefix received, the host adds its 64-bit interfaceID, configures an address and does DAD.
    • Host builds a list of 'default routers' from RAs. There's no single default gateway like in IPv4.

    Stateless Auto-Configuration: How it Works

    • The routers on the subnet are pre-configured with:
      - Appropriate IPv6 addresses on their interfaces.
      - Desired prefixes for use on the subnet.
      - Someday: List of DNS servers to send to hosts [RFC6106]
    • If the router advertises multiple prefixes, the host(s) will auto-configure an address for each of the prefixes.
    • If multiple routers advertise themselves as default, the host typically chooses and uses one till it fails, then it uses the other.

    Advantages of SLAAC Over Traditional DHCP

    • No separate servers or relays needed on each subnet
    • No need to involve server admins with management of IP addresses
    • Easy to provide redundancy by plugging in more routers since they don't keep state
    • No risk of duplicate addresses even after a router fails
    • Rogue routers less likely and if they do occur, their prefix will just be in addition to the correct prefixes
    • Enables network re-numbering on the fly

    Configuring a Cisco Router for Stateless Auto-Configuration

    [Diagram: Network X with nodes R1, R2, N2 and M2; labels: ff02::1, 1. [RS] RA?, [RA] 2001:db8:a::2, [RA] 2001:db8:d::3]

    R1(config)# interface fastethernet 0/1
    R1(config-if)# ipv6 nd prefix 2001:db8:a::/64

    R1(config)# interface fastethernet 0/1
    R1(config-if)# ipv6 nd prefix 2001:db8:d::/64

    Stateful Configuration with DHCPv6

    • Host gets all of its config parameters from central server
    • Central server can keep state of who has what address
    • A host will use DHCPv6 instead of SLAAC if it gets an RA message with the M flag = ON and A flag = OFF
    • Multicast addresses used by DHCPv6
      - All_DHCP_Relay_Agents_and_Servers (FF02::1:2)
      - All_DHCP_Servers (FF05::1:3)
    • DHCP Messages:
      - Clients listen on UDP port 546
      - Servers and relay agents listen on UDP port 547
    • Currently does not support a default gateway option!!

    How Stateful DHCPv6 Works

    [Message sequence between Client, Router/DHCP Relay and DHCP Server]
    1. [ND] RS?
    2. [ND] RA (M set)
    3. [DHCP] Solicit
    4. [DHCP] Solicit
    5. [DHCP] Advertise (addr)
    6. [DHCP] Advertise (addr)
    7. [DHCP] Request (addr)
    8. [DHCP] Request (addr)
    9. [DHCP] Reply (addr)
    10. [DHCP] Reply (addr)
    11. [DHCP] Confirm (addr)
    12. [DHCP] Confirm (addr)

    Stateful DHCPv6

    Advantages:
    a) Similar to DHCPv4, so will be familiar to most operators.
    b) More options to control how addresses are allocated e.g.
       - Restrict assignments to a small range of addresses
       - Map IP addresses to specific clients.
    c) Dynamic DNS (DDNS) updates from a central server is more secure than permitting individual hosts to update the DNS.
    d) It has options to configure other services.
    e) Can produce centralized accounting logs (troubleshooting and forensics).

    Disadvantages:
    a) No DHCPv6 clients yet on some operating systems e.g. Android.
    b) Configuration information for addresses and DNS resolvers must be maintained in separate locations.

    Stateless DHCPv6

    [Message sequence between Client, Router and DHCP Server]
    1. [ND] RS?
    2. [ND] RA (Prefix, Default router, "O" flag set)
    3. [DHCP] Solicit (Options, e.g. DNS server)
    4. [DHCP-RELAY] Solicit (Options)
    5. [DHCP] Advertise (DNS server address)
    6. [DHCP-RELAY] Advertise (DNS server address)

    Stateless DHCPv6

    Advantages:
    - Support for SLAAC is ubiquitous.
    - Non-DHCPv6 hosts will still be able to get basic connectivity (the DNS resolvers can be manually configured).
    - Like stateful DHCPv6, other options possible (e.g. NTP etc)

    Disadvantages:
    - Zero control over how addresses are allocated
    - If using DDNS, permitting DDNS updates from all clients is insecure.
    - Privacy concerns if EUI-64 method is used for interfaceID
    - No centralized log for forensics

    SLAAC + RDNSS

    • SLAAC plus the Recursive DNS server option
    • Advantages:
      - Single protocol (IPv6 ND) thus simpler configuration
      - Support for SLAAC is ubiquitous
    • Disadvantages:
      - RDNSS option not widely supported
      - No other parameters besides DNS resolver are possible
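Added example (not from the original slides): a Router Advertisement parser that reads the M and O flags, the per-prefix A flag and the RDNSS option, then reports which mechanism from the options table supplies the address and DNS resolver, and forms the SLAAC addresses from an EUI-64 interface ID as in the "How it Works" steps. The function names, MAC address and RA bytes are constructed for illustration; the ICMPv6 checksum is not verified.

```python
import ipaddress
import struct

M_FLAG, O_FLAG = 0x80, 0x40   # RA header flags: Managed, Other configuration
L_FLAG, A_FLAG = 0x80, 0x40   # Prefix Information flags: on-link, autonomous


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: flip the universal/local bit and insert ff:fe mid-MAC."""
    b = bytes.fromhex(mac.replace(":", ""))
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:], "big")


def parse_ra(msg: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (type 134); checksum is not verified."""
    if len(msg) < 16 or msg[0] != 134 or msg[1] != 0:
        raise ValueError("not a Router Advertisement")
    flags, lifetime = msg[5], struct.unpack("!H", msg[6:8])[0]
    ra = {"M": bool(flags & M_FLAG), "O": bool(flags & O_FLAG),
          "router_lifetime": lifetime, "prefixes": [], "rdnss": []}
    off = 16
    while off < len(msg):
        # Option length is in units of 8 bytes; zero or overlong is malformed.
        if off + 2 > len(msg) or msg[off + 1] == 0 or off + msg[off + 1] * 8 > len(msg):
            raise ValueError("malformed option")
        opt_type, body = msg[off], msg[off:off + msg[off + 1] * 8]
        if opt_type == 3 and len(body) == 32:        # Prefix Information option
            net = ipaddress.IPv6Network((body[16:32], body[2]), strict=False)
            ra["prefixes"].append((net, bool(body[3] & A_FLAG)))
        elif opt_type == 25 and len(body) >= 24:     # Recursive DNS Server option
            ra["rdnss"] += [str(ipaddress.IPv6Address(body[i:i + 16]))
                            for i in range(8, len(body), 16)]
        off += len(body)
    return ra


def host_provisioning(ra: dict, mac: str) -> dict:
    """Which mechanism supplies each parameter, per the options table above."""
    iid = eui64_interface_id(mac)   # the same ID, derived from the MAC, under every prefix
    slaac = [str(ipaddress.IPv6Address(int(net.network_address) | iid))
             for net, autonomous in ra["prefixes"] if autonomous and net.prefixlen == 64]
    address_from = (["SLAAC"] if slaac else []) + (["DHCPv6"] if ra["M"] else [])
    dns_from = (["RA (RDNSS)"] if ra["rdnss"] else []) + \
               (["DHCPv6"] if ra["M"] or ra["O"] else [])
    return {"slaac_addresses": slaac, "address_from": address_from,
            "dns_from": dns_from, "default_router_from_ra": ra["router_lifetime"] > 0}


def build_ra(m: bool, o: bool, prefixes, rdnss=()) -> bytes:
    """Build constructed sample RA bytes (checksum left at zero)."""
    msg = struct.pack("!BBHBBHII", 134, 0, 0, 64, m * M_FLAG | o * O_FLAG, 1800, 0, 0)
    for cidr, autonomous in prefixes:
        net = ipaddress.IPv6Network(cidr)
        msg += struct.pack("!BBBBIII", 3, 4, net.prefixlen,
                           L_FLAG | autonomous * A_FLAG, 2592000, 604800, 0)
        msg += net.network_address.packed
    if rdnss:
        msg += struct.pack("!BBHI", 25, 1 + 2 * len(rdnss), 0, 1800)
        msg += b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
    return msg


MAC = "00:60:08:53:f9:d8"   # constructed; yields interface ID 260:8ff:fe53:f9d8
SCENARIOS = {                # constructed RAs, one per column of the options table
    "SLAAC + RDNSS": build_ra(False, False, [("2001:db8:a::/64", True),
                                             ("2001:db8:d::/64", True)], ["2001:db8::53"]),
    "Stateless DHCPv6": build_ra(False, True, [("2001:db8:a::/64", True)]),
    "Stateful DHCPv6": build_ra(True, False, [("2001:db8:a::/64", False)]),
}

if __name__ == "__main__":
    for name, raw in SCENARIOS.items():
        print(name, host_provisioning(parse_ra(raw), MAC))
```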


    DHCPv6 - PD

    • Used to assign a delegated prefix to CPE to use on its LAN.
    • The PE inserts a static route for the delegated prefix in its table

    [Message sequence between CPE, PE and DHCP Server]
    1. Provision CPE WAN address
    2. [DHCP] Solicit (Options: IAPD)
    3. [DHCP-RELAY] Solicit (Option: IAPD)
    4. [DHCP] Advertise (Delegated Prefix)
    5. [DHCP-RELAY] Advertise (Delegated Prefix)

    Key Differences Between DHCPv4 & DHCPv6

    DHCPv6 Server Software

    IPv6 Address Planning

    After this section you should be able to:
    • Subnet an IPv6 prefix
    • Describe how IPv6 addresses are globally managed
    • Estimate the IPv6 addressing needs of your network
    • Carve out your allocated addresses and assign them

    The generic IPv6 subnetting problem

    For a given IPv6 prefix P and prefix length L
    a) List all the sub-prefixes of length L therein
    b) Break P into N subnets
    Repeat for each sub-prefix as required

    [Diagram: Parent prefix split into Sub-prefix #1, Sub-prefix #2, Sub-prefix #3, ... Sub-prefix #n]

    IPv4 subnetting concepts to FORGET!

    • The purpose of subnetting
      - IPv4: conserve address space
      - IPv6: planning and optimization for routing or security
    • VLSM vs SLSM: there's no point to do VLSM in IPv6
    • Subnets vs hosts: number of hosts is rarely relevant in v6

    Generic IPv6 subnetting procedure

    1. Find subnet bits (s)
    2. Find subnet hexits
    3. Find subnetID increment (B)
    4. Enumerate subnetIDs

    Step #1: Finding the subnet bits (s)

    a) Both L and L' are known
       $s = L' - L$
       Ex: breaking a /32 to /56s needs 56-32=24 bits

    b) Only the number of desired subnets is known
       $2^s \geq N$ thus $s = \frac{\log N}{\log 2}$
       Ex: breaking a /36 into 900 networks needs
       $2^s \geq 700$ thus $s = \frac{\log 700}{\log 2} = 9.45 \approx 10$ bits

    Step #2: Finding the number of subnet hexits

    • The distinguishing hexits of each subnet
      - Knowing number of subnet bits s
      - Knowing that 1 hexit = 4 bits, then
      - Number of subnet hexits = s/4 (round up)
    • Ex: Breaking 2001:db8:c000::/36 to 900 subnets
      - $s = \frac{\log 900}{\log 2} = 9.81 \approx 10$
      - # subnet hexits = $10/4 = 2.5 \approx 3$
      - Each of the subnets will be like: 2001:db8:cHHH::/46

    Step #3: Finding the Increment or Block (B)

    • This is the difference between consecutive subnetIDs
    • Ex: Breaking 2001:db8:c000::/36 to 900 subnets
      - s = 3 (calculated in previous slides)
      - L' = L + s = 36 + 10 = 46
      - Format 2001:db8:cHHH::/46 (calculated previously)
      - $B = 2^{16 - (L' \% 16)}$
        $B = 2^{16 - (46 \% 16)} = 2^{16 - 14} = 2^2 = 4$ (0x4)

    Step #4: Enumerating the subnetIDs

    • At this point you know the general subnet format
    • Taking the subnetIDs only, these form an arithmetic progression with the following characteristics
      - Common difference d = block B
      - Initial term = 000
    • Any term of the progression is $a_n = a_0 + (n-1)d$
    • Substituting for d = B and initial term = 000
    • The nth term is: $a_n = (n-1)B$

    Step #4: Enumerating the subnetID example

    • Ex: Breaking 2001:db8:c000::/36 to 900 subnets
      - s = 3 (calculated in previous slides)
      - L' = L + s = 36 + 10 = 46
      - Format 2001:db8:cHHH::/46 (calculated previously)
      - B = 4 (0x4) - as previously calculated
    • First subnetID
      - [Decimal]: $a_1 = 4(1-1) = 0$ (0x0)
      - First subnet: 2001:db8:000::/46
    • Last subnetID
      - [Decimal]: $a_{1024} = 4(1024-1) = 4(1023) = 4092$ (0xFFC)
      - [Hex]: $a_{400} = 4(400-1) = 4(3ff) = FFC$
      - Last subnet: 2001:db8:ffc::/46

    Subnetting example : problem

    An ISP with operations in 10 cities just got a 2001:db8::/32 allocation from AfriNIC, subnet this prefix accordingly

    Subnetting example : analysis

    • Number of subnets: N = 10
    • Subnet bits required (s): $2^s \geq 10$, s = 4 (round to nearest integer)
      $s = \frac{\log 10}{\log 2} = \frac{1}{0.301} = 3.32$ [4 approx]
    • Thus, to subnet 2001:db8::/32 to cover 10 subnets,
      - We'll need to use 4 bits
      - Those 4 bits give us $2^4 = 16$ subnets (we've 6 spare subnets)
      - Prefix length of each subnet is /36 (32 + 4 = 36)
    • Use the procedure discussed to enumerate the various subnets
    • Verify your answer using subnet tools
      - e.g. sipcalc 2001:db8::/32 --v6split=36

    Subnetting: Enumerate Subnets (sipcalc)

    sipcalc 2001:db8::/32 --v6split=36 | grep Network
    Network - 2001:0db8:0000:0000:0000:0000:0000:0000 -
    Network - 2001:0db8:1000:0000:0000:0000:0000:0000 -
    Network - 2001:0db8:2000:0000:0000:0000:0000:0000 -
    Network - 2001:0db8:3000:0000:0000:0000:0000:0000 -
    Network - 2001:0db8:4000:0000:0000:0000:0000:0000 -
    Network - 2001:0db8:5000:0000:0000:0000:0000:0000 -
    Network - 2001:0db8:6000:0000:0000:0000:0000:0000 -
    Network - 2001:0db8:7000:0000:0000:0000:0000:0000 -
    Network - 2001:0db8:8000:0000:0000:0000:0000:0000 -
    Network - 2001:0db8:9000:0000:0000:0000:0000:0000 -
    Network - 2001:0db8:a000:0000:0000:0000:0000:0000 -
    Network - 2001:0db8:b000:0000:0000:0000:0000:0000 -
    Network - 2001:0db8:c000:0000:0000:0000:0000:0000 -
    Network - 2001:0db8:d000:0000:0000:0000:0000:0000 -
    Network - 2001:0db8:e000:0000:0000:0000:0000:0000 -
    Network - 2001:0db8:f000:0000:0000:0000:0000:0000 -
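Added example (not from the original slides, and not sipcalc's code): the four-step subnetting procedure in Python, run on both worked problems (the /36 split for 900 subnets and the ISP's /32 split for 10 cities) and cross-checked against the standard library. Function names are assumptions; results are returned as full prefixes, including the parent's leading hexit.

```python
import ipaddress


def subnet_plan(parent: str, wanted: int) -> dict:
    """Steps 1-3: subnet bits s, subnet hexits, new prefix length L', block B."""
    net = ipaddress.IPv6Network(parent)
    s = max(1, (wanted - 1).bit_length())        # smallest s with 2**s >= wanted
    new_len = net.prefixlen + s
    if new_len > 64:
        raise ValueError("subnets would be longer than /64")
    return {
        "s": s,
        "hexits": -(-s // 4),                    # s / 4 rounded up
        "new_len": new_len,
        # B = 2^(16 - L' % 16); when L' ends on a hextet boundary the block is 1.
        "block": 2 ** (16 - (new_len % 16 or 16)),
        "total": 2 ** s,
        "spare": 2 ** s - wanted,
    }


def nth_subnet(parent: str, new_len: int, n: int) -> str:
    """Step 4: n-th subnet (1-based) from the progression a_n = (n - 1) * B."""
    net = ipaddress.IPv6Network(parent)
    if not 1 <= n <= 2 ** (new_len - net.prefixlen):
        raise ValueError("n is outside the subnet range")
    block = 2 ** (16 - (new_len % 16 or 16))
    subnet_id = (n - 1) * block                  # value added in the boundary hextet
    hextet_shift = 128 - 16 * ((new_len + 15) // 16)
    base = int(net.network_address) + (subnet_id << hextet_shift)
    return str(ipaddress.IPv6Network((base, new_len)))


def enumerate_subnets(parent: str, wanted: int) -> list:
    """All subnets of the plan, in order."""
    plan = subnet_plan(parent, wanted)
    return [nth_subnet(parent, plan["new_len"], n) for n in range(1, plan["total"] + 1)]


if __name__ == "__main__":
    for parent, wanted in (("2001:db8:c000::/36", 900), ("2001:db8::/32", 10)):
        plan, subnets = subnet_plan(parent, wanted), enumerate_subnets(parent, wanted)
        # Cross-check the hand procedure against the standard library's own split.
        library = ipaddress.IPv6Network(parent).subnets(new_prefix=plan["new_len"])
        assert subnets == [str(n) for n in library]
        print(parent, plan, subnets[0], "...", subnets[-1])
```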


    Global IPv6 address management hierarchy

    2000::/3
    RIR prefix::/w         12 ≤ w ≤ 24
    LIR prefix::/x         y ≤ x ≤ 32
    End-site prefix::/y    x ≤ y ≤ [48 | 52 | 56 | 60]
    Subnet::/z             [48 | 52 | 56 | 60] ≤ z ≤ 64
    Host                   network prefix Subnet::/64, InterfaceID

    IPv6 address planning: a few clarifications

    • /32 for LIRs is just minimum size according to most RIR policies.
    • If you can show that you need more, you usually can get more!
      - Do NOT start with /32 [or /48] and try to fit in.
      - INSTEAD analyse your needs and apply based on them.
    • RFCs recommend /64 for all subnets (even p2p and loopbacks)
      - DO allocate a /64 for all links but,
      - DO configure what makes operational sense (e.g. /127 for p2p and /128 for loopbacks)
      - Do understand what will break if you use longer prefixes

    Some recommendations for planning

    • Assign at least one /64 per individual network segment
    • Ensure that all prefixes fall on nibble boundaries
    • Plan a hierarchical plan to allow for aggregation
      - Site: any logical L3 aggregation point (POP, building, floor, ...)
      - Region: a collection of sites
      - Autonomous System
    • Assign at least one /48 per site
    • Reserve one /48 per region for infrastructure needs
      - Loopback addresses: assign from the first bottom of range
      - Inter-device links: assign a /64 but configure what makes operational sense (/126, /127)
    • Use same prefix lengths for all prefixes of the same level (SLSM)

    Estimating the size of your initial IPv6 request

    • For your largest SITE
      - Estimate the number of end-networks in it now
      - Adjust for growth in 5 years
      - Round to nearest nibble boundary. (maxSITEsize)
    • Estimate the number of #SITEs in your largest region (round to nibble boundary)
    • # of end-site prefixes: N = #regions x #SITEs x maxSITEsize
    • Subnet bits required to give us N prefixes: $s = \frac{\log_{10} N}{\log_{10} 2}$
    • Allocation size is
      - 48 - s [if assigning /48s per end-site]
      - 52 - s [if assigning /52s per end-site]

    About Nibble Boundaries

    • Try to align allocation units to nibble boundaries
      - Round up your estimates to $2^n$ where n is a multiple of 4 [16, 256, 4096, 65536 etc]
      - Ensure your prefixes fall on the following nibbles: /12, /16, /20, /24, /28, /32, /36, /40, /44, /48, /52, /56, /60, /64

    Nibble boundary alignment example

    • Consider the range of addresses for 2001:db8:3c00::/40
      [first] 2001:db8:3c00:0000:0000:0000:0000:0000
      [last]  2001:db8:3cff:ffff:ffff:ffff:ffff:ffff
      - Easy to see that differentiating hexits range from 0 - f
    • Consider the range of addresses for 2001:db8:3c00::/42
      [first] 2001:db8:3c00:0000:0000:0000:0000:0000
      [last]  2001:db8:3c3f:ffff:ffff:ffff:ffff:ffff
      - You'll have to calculate the differentiating hexits

    IPv6 Address Planning | Example

    An ISP has operations in 10 provinces. The largest province has 50 POPs, the largest of which has about 2700 clients. Estimate the IPv6 addressing needs of this ISP

    Address planning example: analysis and solution

    • We know
      - Number of regions: #regions = 10 [round to 16]
      - Number of sites: #SITEs = 50 [round up to 256]
      - maxSITEsize = 2700 [round up to 4096]
    • We calculate
      - Total number of end-network prefixes required is N
      - N = 16 x 256 x 4096 = 16,777,216
      - Number of subnet bits required: s = log 16,777,216 / log 2 = 24.
    • Allocation size:
      - 48 - 24 = 24 [Assuming /48s to end-sites]
      - 52 - 24 = 28 [Assuming /52s to end-sites]
    • Thus the ISP needs to request a /24 or /28 from AfriNIC.

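Added example (not from the original slides): the allocation-size estimate and the nibble-boundary check as Python functions, run on the ISP example (10 provinces, 50 POPs, 2700 clients) and on the /40 and /42 prefixes from the alignment slide. Function names are assumptions made for this illustration.

```python
import ipaddress


def round_up_to_nibble(count: int) -> int:
    """Smallest power of 16 (16, 256, 4096, ...) that is >= count."""
    size = 16
    while size < count:
        size *= 16
    return size


def allocation_request(regions: int, sites: int, max_site_size: int,
                       end_site_len: int = 48) -> dict:
    """N = #regions x #SITEs x maxSITEsize, s = log2(N), request = end_site_len - s."""
    rounded = [round_up_to_nibble(v) for v in (regions, sites, max_site_size)]
    n = rounded[0] * rounded[1] * rounded[2]
    s = (n - 1).bit_length()          # exact log2, because n is a power of two
    if end_site_len - s < 1:
        raise ValueError("estimate does not fit in the IPv6 address space")
    return {"rounded": rounded, "N": n, "s": s, "request": end_site_len - s}


def boundary_hexit_range(cidr: str) -> dict:
    """Values the first hexit after the fixed part can take inside this prefix."""
    net = ipaddress.IPv6Network(cidr)
    if net.prefixlen >= 128:
        raise ValueError("a /128 has no free hexit")
    index = net.prefixlen // 4                  # 0-based position of that hexit
    free_bits = 4 - net.prefixlen % 4           # 4 when the prefix is nibble-aligned
    low = (int(net.network_address) >> (124 - 4 * index)) & 0xF
    return {"aligned": net.prefixlen % 4 == 0, "hexit_index": index,
            "low": format(low, "x"), "high": format(low + 2 ** free_bits - 1, "x")}


if __name__ == "__main__":
    for end_site in (48, 52):
        print(f"/{end_site} end-sites:", allocation_request(10, 50, 2700, end_site))
    for cidr in ("2001:db8:3c00::/40", "2001:db8:3c00::/42"):
        print(cidr, boundary_hexit_range(cidr))
```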