IPv6 Introduction

By David Beveridge

IPv4 Usage 2010

Why hasn’t it happened yet

• Waiting for everyone else

• Content providers say there are no users

• ISPs say there’s no content

• Lack of CPE Equipment

• Users say it’s not broken so why change

• But, the writing is on the wall

IPv4 Address Depletion

IPv6 Address Types

• Unicast - a single interface, on a single node (eg normal use)

• Anycast – deliver to one of the interfaces in the set (eg load balance)

• Multicast – deliver to all interfaces in the set (eg broadcast)

Terminology

• node - a device that implements IPv6

• router - a node that forwards IPv6 packets not explicitly addressed to itself.

• host - any node that is not a router.

• link - a communication facility or medium over which nodes can communicate at the link layer.

• neighbors - nodes attached to the same link.

• interface - a node's attachment to a link.

IPv6 – Address Format

An IPv6 address is represented as eight groups of four hexadecimal digits, each group representing 16 bits (two octets). The groups are separated by a colon (:). A typical example of an IPv6 address follows:

• 2001:0db8:85a3:0000:0000:8a2e:0370:7334

• 2001:db8:85a3:0:0:8a2e:370:7334

• 2001:db8:85a3::8a2e:370:7334

The localhost (loopback) address, 0:0:0:0:0:0:0:1, and the IPv6 unspecified address, 0:0:0:0:0:0:0:0, are reduced to ::1 and ::, respectively.

IPv4-mapped IPv6 address

::ffff:c000:280 is usually written as ::ffff:192.0.2.128

IPv6 Common Addresses

• ::/0 – The entire Internet (0.0.0.0/0)

• ::/128 – Unspecified Address (0.0.0.0)

• ::1/128 – Loopback Interface (127.0.0.1)

• ::x.x.x.x/96 – deprecated IPv4-compatible address

• ::ffff:x.x.x.x/96 – IPv4-mapped IPv6 address

• fe80::/10 – Link-Local Addresses

• ff00::/8 – Multicast

• 2000::/3 – Global Unicast

• 2001::/32 – Used for Teredo tunneling

• 2002::/16 – Used for 6to4 addressing

• 1000::/4, 4000::/3, 6000::/3, 8000::/3, A000::/3, C000::/3, E000::/4 – all currently reserved (future global unicast)

EUI-64 in IPv6

• Automatic Interface Addressing

• Implements the IEEE 64-bit Extended Unique Identifier (EUI-64)

• No need for DHCP or manual configuration

• This is accomplished on Ethernet interfaces by referencing the already unique 48-bit MAC address.

EUI-64 step1

• Convert the 48-bit MAC address to 64 bits by inserting the two octets 0xFFFE between the 24-bit OUI and the 24-bit device identifier

• Any EUI-64 address having 0xFFFE immediately following its OUI portion can be recognized as having been generated from an EUI-48 (or MAC) address.

EUI-64 step 2

• The second step is to invert the universal/local (U/L) flag (bit 7) in the OUI portion of the address

The motivation for inverting the "u" bit when forming the interface identifier is to make it easy for system administrators to hand-configure local-scope identifiers when hardware tokens are not available. This is expected to be the case for serial links, tunnel end-points, etc. The alternative would have been for these to be of the form 0200:0:0:1, 0200:0:0:2, etc., instead of the much simpler ::1, ::2.
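The two EUI-64 steps above, worked in code. This is an added example, not part of the original slides: it inserts 0xFFFE, flips the U/L bit, joins the result to a /64 prefix the way SLAAC does, and also shows the reverse, recovering the MAC from an address, which is why MAC-derived identifiers leak the hardware vendor and the reason privacy addresses exist. The MAC 00:0c:29:aa:bb:cc and the prefix 2001:db8:1234:1::/64 are constructed sample values.

```python
import ipaddress
import re
from typing import Optional


def parse_mac(mac: str) -> bytes:
    """Accept 00:0c:29:aa:bb:cc, 00-0c-29-aa-bb-cc or 000c.29aa.bbcc."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def mac_to_modified_eui64(mac: str) -> bytes:
    """Step 1: insert 0xFFFE between OUI and device id.  Step 2: flip the U/L bit."""
    octets = parse_mac(mac)
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # The universal/local flag is the second-least-significant bit of the first
    # octet (mask 0x02); a burned-in MAC has it clear, so the IID has it set.
    eui64[0] ^= 0x02
    return bytes(eui64)


def iid_to_text(iid: bytes) -> str:
    """Render the 8 IID bytes as four hex groups, e.g. 20c:29ff:feaa:bbcc."""
    return ":".join(f"{(iid[i] << 8) | iid[i + 1]:x}" for i in range(0, 8, 2))


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the modified EUI-64 IID, as SLAAC does."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers need a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(address: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 style address, or None when the IID is not
    MAC-derived (no FF:FE in the middle: a privacy address or a manual ::1)."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02  # undo step 2
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    sample_mac = "00:0c:29:aa:bb:cc"  # constructed sample MAC
    print(iid_to_text(mac_to_modified_eui64(sample_mac)))
    print(slaac_address("2001:db8:1234:1::/64", sample_mac))
```

The round trip in mac_from_address is the practical point for a defender: any host using EUI-64 identifiers publishes its NIC vendor and a stable tracking token in every packet, so inventory tools can key on it, and so can anyone else on the path.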

ICMPv6 Types

Neighbor Discovery defines five different ICMP packet types: a pair of Router Solicitation and Router Advertisement messages, a pair of Neighbor Solicitation and Neighbor Advertisement messages, and a Redirect message. The messages serve the following purposes:

• Router Solicitation:

When an interface becomes enabled, hosts may send out Router Solicitations that request routers to generate Router Advertisements immediately rather than at their next scheduled time.

• Router Advertisement:

Routers advertise their presence together with various link and Internet parameters either periodically, or in response to a Router Solicitation message. Router Advertisements contain prefixes that are used for determining whether another address shares the same link (on-link determination) and/or address configuration, a suggested hop limit value, etc.

ICMPv6 Types

• Neighbor Solicitation:

Sent by a node to determine the link-layer address of a neighbor, or to verify that a neighbor is still reachable via a cached link-layer address. Neighbor Solicitations are also used for Duplicate Address Detection.

• Neighbor Advertisement: A response to a Neighbor Solicitation message. A node may also send unsolicited Neighbor Advertisements to announce a link-layer address change.

• Redirect: Used by routers to inform hosts of a better first hop for a destination.

IPv6 Network Blocks

• /64 is the standard network block

• 64 bits for the Local Part (as per EUI-64)

• 64 bits for the Network Part

• /48 is the ideal Multiple Network Block Allocation (65536 x /64s)

• At one million packets per second on an IPv6 subnet with 10,000 hosts it would take over 28 years to find the first host to infect.

Subnetting a /48

• If 2001:db8:1234::/48 is your block

• Then your /64 networks are:

– 2001:db8:1234:1::/64

– 2001:db8:1234:2::/64

– 2001:db8:1234:3::/64

… and so on, up to …

– 2001:db8:1234:ffff::/64

Subnetting a /56 or /60

• Every hex digit is 4 bits, so…

• 2001:db8:1234:aa00::/56 (256 subnets)

– 2001:db8:1234:aa00::/64

– 2001:db8:1234:aaff::/64

• 2001:db8:1234:aaa0::/60 (16 subnets)

– 2001:db8:1234:aaa0::/64 to

– 2001:db8:1234:aaaf::/64
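The /48, /56 and /60 subnetting above, done with the standard library so the arithmetic is not by hand. This is an added example, not code from the slides: it counts the /64s in a block, computes the n-th one directly (a /48 holds 65536, so iterating is wasteful), tells you which /64 an address falls in, and reproduces the "28 years" scan estimate from the previous slide. The blocks are the documentation prefixes the slides use; the address 2001:db8:1234:aaff::1 is a constructed sample.

```python
import ipaddress


def subnet_count(block: str, new_prefix: int = 64) -> int:
    """How many /new_prefix networks fit in block: 2 ** (new_prefix - prefixlen)."""
    net = ipaddress.IPv6Network(block)
    if new_prefix < net.prefixlen or new_prefix > 128:
        raise ValueError(f"/{new_prefix} does not fit inside {net}")
    return 1 << (new_prefix - net.prefixlen)


def nth_subnet(block: str, n: int, new_prefix: int = 64) -> ipaddress.IPv6Network:
    """The n-th (0-based) /new_prefix subnet of block, computed without iterating."""
    net = ipaddress.IPv6Network(block)
    if not 0 <= n < subnet_count(block, new_prefix):
        raise IndexError(f"subnet index {n} out of range for {net} -> /{new_prefix}")
    size = 1 << (128 - new_prefix)          # addresses per subnet
    return ipaddress.IPv6Network((int(net.network_address) + n * size, new_prefix))


def subnet_index(block: str, address: str, new_prefix: int = 64) -> int:
    """Which /new_prefix of block an address falls in (handy when reviewing ACLs)."""
    net = ipaddress.IPv6Network(block)
    addr = ipaddress.IPv6Address(address)
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    return (int(addr) - int(net.network_address)) >> (128 - new_prefix)


def expected_scan_years(hosts: int, probes_per_second: int) -> float:
    """Average time to hit the first live host when probing a /64 at random:
    half the 2**64 space divided by the number of hosts, at the given rate."""
    expected_probes = (1 << 64) / hosts / 2
    return expected_probes / probes_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print(subnet_count("2001:db8:1234::/48"))           # 65536 /64s
    print(nth_subnet("2001:db8:1234:aa00::/56", 255))   # last /64 of the /56
    print(round(expected_scan_years(10_000, 1_000_000), 1))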

Service Provider Allocation

• There is enough space to allocate a /16 to every organisation that currently has an AS (autonomous system) number.

• Default allocation is currently only /32, which will allow the Internet to grow to 2^16 times its current size. (Many ISP allocations are in their own /24, so their allocation can grow; Optus seems to be in a /20 by itself, and Telstra has a full /20 allocated.)

• Every current IPv4 address user already has a /48 allocated to allow them to communicate with new IPv6-only users (the 2002::/16 range).

Minimum Allocation to an ISP

• /32 is the standard allocation to small ISPs.

• This allows for 65536 customers to receive a /48 each.

• Initial allocations larger than /32 may be justified if:

– The organization provides comprehensive documentation of planned IPv6 infrastructure which would require a larger allocation; or

– The organization provides comprehensive documentation of all of the following:

• its existing IPv4 infrastructure and customer base,

• its intention to provide its existing IPv4 services via IPv6, and

• its intention to move some of its existing IPv4 customers to IPv6 within two years.

Getting IPv6 now

• Internode

– ADSL Broadband Trial with IPv6 PPP & DHCP Prefix Delegation

– http://ipv6.internode.on.net/access/tunnel-broker/

• Aarnet

– http://broker.aarnet.net.au

– Allocates /64 only

• Hurricane Electric

– http://tunnelbroker.net

– Allocates /48

– Tunnel Broker based in USA or Hong Kong

• Automatic 6to4 Tunnel

– All public IPv4 Addresses already have /48 allocated

• Microsoft Teredo Tunnel (for NAT users with private IPs)

– Windows XP/2003/Vista/2008 OS

How 6to4 works

• 6to4 performs three functions:

– Assigns a block of IPv6 address space to any host or network that has a global IPv4 address.

– Encapsulates IPv6 packets inside IPv4 packets for transmission over an IPv4 network using 6in4.

– Routes traffic between 6to4 and "native" IPv6 networks.

• Uses Protocol 41

(eg: 1=ICMP, 6=TCP, 17=UDP, 47=GRE, 50=ESP, 51=AH)

How 6to4 works

• Allocated IPv6 Addresses per IPv4 Address

– 2002:CAFE:F00D::/48 allocated to 202.254.240.13

– 2002:DEAD:BEEF::/48 allocated to 222.173.190.239

– 16 bits for 65536 x ::/64 local networks

• Routing

– BGP Anycast 192.88.99.1 is the path to IPv6

– 2002::/16 is the BGP Advertisement for IPv4

• Reverse DNS

– https://6to4.nro.net
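The 6to4 address derivation from the slide above, as an added example that is not part of the original deck. It builds the 2002:V4ADDR::/48 block from a public IPv4 address, picks one of its 65536 /64s (the CentOS slides later use subnet ids cafe and face), and recovers the embedded IPv4 endpoint from any 6to4 address, which is the only address a firewall on the IPv4 side ever sees for protocol-41 traffic. The IPv4 addresses are the ones the slide uses; the subnet id is a constructed sample. The stdlib property IPv6Address.sixtofour does the same extraction and is a good cross-check.

```python
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """The 2002:V4ADDR::/48 block implied by a public IPv4 address."""
    a = ipaddress.IPv4Address(ipv4)
    if a.is_private or a.is_loopback or a.is_link_local:
        raise ValueError(f"{a} is not a global IPv4 address; 6to4 needs one")
    # The IPv4 address occupies bits 16..47, directly after the 2002 prefix.
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(a) << 80), 48))


def sixto4_subnet(ipv4: str, subnet_id: int) -> ipaddress.IPv6Network:
    """One of the 65536 /64s in the 6to4 /48 (bits 48..63 carry the subnet id)."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    base = int(sixto4_prefix(ipv4).network_address)
    return ipaddress.IPv6Network((base | (subnet_id << 64), 64))


def sixto4_embedded_ipv4(ipv6: str) -> ipaddress.IPv4Address:
    """Recover the IPv4 endpoint from any 6to4 address: the host that really
    sends and receives the encapsulated packets, and the one worth logging."""
    a = ipaddress.IPv6Address(ipv6)
    if a not in SIXTO4:
        raise ValueError(f"{a} is not a 6to4 address")
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


if __name__ == "__main__":
    print(sixto4_prefix("202.254.240.13"))           # 2002:cafe:f00d::/48
    print(sixto4_subnet("202.254.240.13", 0xCAFE))   # 2002:cafe:f00d:cafe::/64
    print(sixto4_embedded_ipv4("2002:dead:beef:1::1"))
```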

How 6to4 works

Consumer routers with 6to4 support

• Apple's Airport Extreme & Airport Express base station

• Linksys WRT610N

• Various Buffalo Technology wireless routers

• D-Link DIR-615, DIR-825 (V2 firmware; currently available for the DIR-825 Rev. B only!)

• AVM FRITZ!Box 7270 (experimental "Labor" version)

• Mikrotik RouterOS software and RouterBoard hardware. Requires v3 and above with the IPv6 package installed

• Fortinet's FortiGate. Also supports stateful firewalling, antivirus, application control and intrusion protection for IPv6

D-Link 825 Rev B

http://www.gizmomart.com.au/product_info.php?products_id=262411 $169.95

Windows 6to4

• Windows XP SP2 or better

– For XP, install the TCP/IP version 6 Protocol in Control Panel > Add/Remove Windows Components

• Then enter the following at a command prompt:

netsh interface ipv6 6to4 set relay 192.88.99.1

MacOS X

CentOS 6to4

/etc/sysconfig/network

NETWORKING_IPV6=yes
IPV6_DEFAULTDEV="tun6to4"
IPV6FORWARDING=yes   # optional

/etc/sysconfig/network-scripts/ifcfg-ppp0

IPV6INIT=yes
IPV6TO4INIT=yes
IPV6TO4_IPV4ADDR=192.0.1.2   # only required if behind NAT
IPV6TO4_ROUTING="eth0-:cafe::0/64 eth1-:face::0/64"   # optional
IPV6_CONTROL_RADVD=yes   # optional

CentOS Router Advertisements

/etc/radvd.conf

interface eth0
{
    AdvSendAdvert on;
    MinRtrAdvInterval 30;
    MaxRtrAdvInterval 100;
    prefix 0:0:0:cafe::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
        Base6to4Interface ppp0;
        AdvPreferredLifetime 120;
        AdvValidLifetime 300;
    };
};

interface eth1
{
    AdvSendAdvert on;
    MinRtrAdvInterval 30;
    MaxRtrAdvInterval 100;
    prefix 0:0:0:face::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
        Base6to4Interface ppp0;
        AdvPreferredLifetime 120;
        AdvValidLifetime 300;
    };
};

How Teredo works

• The Teredo protocol performs several functions:

– Diagnoses UDP over IPv4 (UDPv4) connectivity and discovers the kind of NAT present (using a simplified replacement to the STUN protocol);

– assigns a globally-routable unique IPv6 address to each host using it;

– encapsulates IPv6 packets inside UDPv4 datagrams for transmission over an IPv4 network (this includes NAT traversal);

– routes traffic between Teredo hosts and native (or otherwise non-Teredo) IPv6 hosts.

How Teredo Works

NAT Types

• Cone NAT

Once the NAT translation table entry is in place, inbound traffic to the external address and port number from any source address and port number is allowed and translated.

• Port Restricted

A NAT in which the NAT translation table entry stores a mapping between an internal address and port number and an external address and port number, for either specific source addresses or specific source address and port numbers

• Symmetric

When random port maps are used it’s impossible for both sides to choose matching ports

Require Related (X = field the NAT mapping must match before inbound traffic is translated)

NAT type               Source IP   Source Port   Remote IP   Remote Port
Full Cone 1:1 NAT      X           X
Restricted Cone NAPT   X           X             X
Port Restricted NAPT   X           X             X           X
Symmetric NAPT         X           X             X           X

How Teredo Works

Teredo node types

• Teredo defines several different kinds of node:

– Teredo client (End User)

It is a host which has IPv4 connectivity to the internet from behind a NAT and uses the Teredo tunneling protocol to access the IPv6 Internet. Teredo clients are assigned an IPv6 address that starts with the Teredo prefix (2001:0000::/32).

– Teredo server (NAT Setup)

It is a well-known host which is used for initial configuration of a Teredo tunnel. A Teredo server never forwards any traffic for the client (apart from IPv6 pings), and therefore has very modest bandwidth requirements (a few hundred bits per second per client at most), which allows a single server to support large numbers of clients. Additionally, a Teredo server can be implemented in a fully stateless manner, thus using the same amount of memory regardless of how many clients it supports.

– Teredo relay (Tunnel Terminator & Traffic Relay)

It serves as the remote end of a Teredo tunnel. A Teredo relay must forward all of the data on behalf of the Teredo clients it serves, with the exception of direct Teredo client to Teredo client exchanges. Therefore, a relay requires a lot of bandwidth and can only support a limited number of simultaneous clients. Each Teredo relay serves a range of IPv6 hosts (e.g. a single campus/company, an ISP or a whole operator network, or even the whole IPv6 Internet); it forwards traffic between any Teredo clients and any host within said range.

– Teredo host-specific relay (Stand-alone server)

It is a Teredo relay whose range of service is limited to the very host it runs on. As such, it has no particular bandwidth or routing requirements. A computer with a host-specific relay will use Teredo to communicate with Teredo clients, but it will stick to its main IPv6 connectivity provider to reach the rest of the IPv6 Internet.

Teredo IP Address

Bits       Length    Description           Part        Decoded
0 - 31     32 bits   Prefix                2001:0000
32 - 63    32 bits   Teredo server IPv4    4136:e378   65.54.227.120
64 - 79    16 bits   Flags                 8000        cone NAT
80 - 95    16 bits   Obfuscated UDP port   63bf        40000
96 - 127   32 bits   Client public IPv4    3fff:fdd2   192.0.2.45

As an example, the IPv6 address 2001:0000:4136:e378:8000:63bf:3fff:fdd2 refers to a Teredo client:

• using the Teredo server at address 65.54.227.120 (4136e378 in hexadecimal),

• located behind a cone NAT (bit 64 is set),

• using UDP mapped port 40000 on its NAT (in hexadecimal, 63bf xor ffff equals 9c40, or decimal 40000),

• whose NAT has public IPv4 address 192.0.2.45 (3ffffdd2 xor ffffffff equals c000022d, which is to say 192.0.2.45).
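The Teredo address layout from the table above, decoded and re-encoded in code. This is an added example, not from the original slides: it pulls the server IPv4, the cone flag, the XOR-obfuscated UDP port and the XOR-obfuscated client IPv4 out of an address, and builds one from those parts. Being able to do this is what lets a monitoring system tell, from nothing but a 2001::/32 address in a log, which public IPv4 address and NAT port a Teredo host is really behind. The worked address is the one on the slide; the stdlib property IPv6Address.teredo returns the same (server, client) pair and is a useful cross-check.

```python
import ipaddress

TEREDO = ipaddress.IPv6Network("2001::/32")
CONE_FLAG = 0x8000  # bit 64 of the address, the top bit of the 16-bit flags field


def decode_teredo(address: str) -> dict:
    """Split a Teredo address into server, flags, mapped port and client address."""
    a = ipaddress.IPv6Address(address)
    if a not in TEREDO:
        raise ValueError(f"{a} is not in the Teredo prefix {TEREDO}")
    raw = int(a)
    server = ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)          # bits 32-63
    flags = (raw >> 48) & 0xFFFF                                       # bits 64-79
    port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF                             # bits 80-95, XOR ffff
    client = ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)    # bits 96-127, XOR ffffffff
    return {
        "server": str(server),
        "cone": bool(flags & CONE_FLAG),
        "port": port,
        "client": str(client),
    }


def encode_teredo(server: str, cone: bool, port: int, client: str) -> str:
    """Inverse of decode_teredo: assemble the 128-bit address from its parts."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("UDP port must fit in 16 bits")
    raw = 0x20010000 << 96
    raw |= int(ipaddress.IPv4Address(server)) << 64
    raw |= (CONE_FLAG if cone else 0) << 48
    raw |= (port ^ 0xFFFF) << 32
    raw |= int(ipaddress.IPv4Address(client)) ^ 0xFFFFFFFF
    return str(ipaddress.IPv6Address(raw))


if __name__ == "__main__":
    print(decode_teredo("2001:0000:4136:e378:8000:63bf:3fff:fdd2"))
    print(encode_teredo("65.54.227.120", True, 40000, "192.0.2.45"))
```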

Initial communication between Teredo clients in different sites with restricted NATs

Initial communication from an IPv6-only host to a Teredo client with a restricted NAT

Initial communication from a Teredo client to an IPv6-only host with a restricted NAT

Example Cisco PIX Config

interface Ethernet0
 nameif outside
 ipv6 address 2001:db8:c000:1051::37/64
 ipv6 enable
 ipv6 nd suppress-ra
interface Ethernet1
 nameif inside
 ipv6 address 2001:db8:c000:1052::1/64
 ipv6 enable
ipv6 unicast-routing
ipv6 route outside ::/0 2001:db8:c000:1051::1

IPv6 DNS Records

• AAAA – Forward Lookup

box6.bevhost.com IN AAAA 2607:f878:1:668::84

• PTR – Reverse Lookup

4.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.6.6.0.1.0.0.0.8.7.8.f.7.0.6.2.ip6.arpa IN PTR box6.bevhost.com.

• Glue

For self-hosted domains, where supported by the domain registrar (Melbourne IT only in Australia); bevhost.com is registered with gkg.net. yourhostname.ip6.name can be used if anyone here needs it.
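Generating the 32-nibble ip6.arpa name by hand is where reverse-DNS mistakes come from, so here is the PTR slide worked in code. This is an added example, not from the original deck: it produces the reverse name for an address, the zone name for a prefix (which must cut on a nibble boundary), the AAAA and PTR records, and a forward-confirmed reverse DNS check of the kind mail servers apply. The host name and address are the ones on the slide; the resolver answers are constructed dictionaries standing in for real lookups. The stdlib property IPv6Address.reverse_pointer produces the same name.

```python
import ipaddress


def reverse_name(address: str) -> str:
    """Owner name of the PTR record: all 32 nibbles, reversed, under ip6.arpa."""
    a = ipaddress.IPv6Address(address)
    nibbles = f"{int(a):032x}"          # always 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def reverse_zone(prefix: str) -> str:
    """Zone name to serve or delegate for a prefix; only nibble boundaries work."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError(f"/{net.prefixlen} is not a nibble boundary; "
                         f"delegate a /{net.prefixlen // 4 * 4} instead")
    nibbles = f"{int(net.network_address):032x}"[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def aaaa_record(hostname: str, address: str) -> str:
    return f"{hostname.rstrip('.')}. IN AAAA {ipaddress.IPv6Address(address)}"


def ptr_record(address: str, hostname: str) -> str:
    return f"{reverse_name(address)} IN PTR {hostname.rstrip('.')}."


def forward_confirmed(address: str, ptr_answers: dict, aaaa_answers: dict) -> bool:
    """FCrDNS: the PTR target must own an AAAA record pointing back at the address.
    ptr_answers maps ip6.arpa names to host names; aaaa_answers maps host names to
    address lists (constructed stand-ins for resolver results)."""
    name = ptr_answers.get(reverse_name(address))
    if name is None:
        return False
    back = {ipaddress.IPv6Address(x) for x in aaaa_answers.get(name, [])}
    return ipaddress.IPv6Address(address) in back


if __name__ == "__main__":
    print(aaaa_record("box6.bevhost.com", "2607:f878:1:668::84"))
    print(ptr_record("2607:f878:1:668::84", "box6.bevhost.com"))
    print(reverse_zone("2607:f878:1:668::/64"))
```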

Setting up Bind

/etc/named.conf

options {
    listen-on port 53 {
        127.0.0.1;
        96.9.149.84;
        96.9.149.85;
    };
    listen-on-v6 port 53 {
        ::1;
        2607:f878:1:668::84;
        2607:f878:1:668::85;
    };
};

Setting up postfix & dovecot

/etc/postfix/main.cf

inet_protocols = ipv4,ipv6

/etc/dovecot.conf

listen = *, [::]

Setting Up Apache

NameVirtualHost [2607:f878:1:668::84]:80

<VirtualHost [2607:f878:1:668::84]:80>

</VirtualHost>

cPanel Scripts

http://wiki.netniche.com.au/index.php/Cpanel_IPv6

• Creates a local part address for each web site based on an MD5 hash of the domain name

Useful PHP 5.1 features

• string inet_ntop ( string $in_addr )

This function converts a 32bit IPv4, or 128bit IPv6 address (if PHP was built with IPv6 support enabled) into an address family appropriate string representation.

• string inet_pton ( string $address )

This function converts a human readable IPv4 or IPv6 address (if PHP was built with IPv6 support enabled) into an address family appropriate 32bit or 128bit binary structure.

<?php
$packed = chr(127) . chr(0) . chr(0) . chr(1);
$expanded = inet_ntop($packed);
echo $expanded;   /* Outputs: 127.0.0.1 */

$packed = str_repeat(chr(0), 15) . chr(1);
$expanded = inet_ntop($packed);
echo $expanded;   /* Outputs: ::1 */
?>

Useful PHP 5.2 features

• Filter can be used to validate IP addresses: mixed filter_var ( mixed $variable [, int $filter = FILTER_DEFAULT [, mixed $options ]] )

$ip = '2001:db8:1234::1';
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
    echo "This ($ip) IPv6 address is considered valid.";
}

Migration States

Dual Stack Network

Doesn’t solve the problem, as only customers with an IPv4 address can access IPv4 content

DS Lite style NAT464

• Requires special CPE equipment or software

Dual Stack with NAT444

Requires subscribers to have dual stack to get to both networks

Stateful NAT64

Suitable for greenfield networks or sites

Requires modified DNS and CGN

Stateless NAT IVI

CERNET in China has been running IPv6↔IPv4 IVI translators for a couple of years and considers the IVI path well proven for enabling v4-v6 transition compared with other coexistence techniques.

DHCPv6 Overview

Used to configure nodes with the following:

– One or more IPv6 addresses, or

– Configuration information, or

– One or more IPv6 prefixes

– Or all of the above

Offer similar functionality to DHCPv4 but for IPv6

Additional mode of operation in DHCPv6

– Stateless DHCPv6 where configuration information only is exchanged

– Stateful is similar to how DHCPv4 traditionally operates

Requires IPv6 transport

DHCPv6 is not simply an upgrade to DHCPv4, it is a separate and distinct protocol

Generally DHCPv4 and DHCPv6 transmit information respective to the versions of IP being used

– In some cases this information can intersect or conflict, for example:

• DNS server IP address, DNS search path

Fundamentals of DHCPv6

DHCPv6 clients listen on port 546, servers and relays listen on port 547

Solely layer 3 protocol unlike DHCPv4

DHCPv6 clients and servers (relays) communicate via link-local multicast addresses

All_DHCP_Relay_Agents_and_Servers and All_DHCP_Servers multicast addresses are used by DHCPv6

Relays may forward DHCPv6 messages to other relays or servers using link-local multicast or global unicast IPv6 addresses

Relay agent “chaining” through DHCPv6 message encapsulation

Information about each relay agent between the client and server is encapsulated

DHCPv6 employs a larger option code space

DHCPv6 options are TLV similar to those in DHCPv4

16 bit option type code and length with variable length data

Most information carried in options, instead of fixed header fields

Vendor options also help to ensure that core DHCPv6 options are maximized and not overloaded

DHCPv6 Role of Routers

Routers in IPv6 deployments have different roles in the network compared to routers in IPv4 deployments

IPv6 routers advertise their availability using IPv6 Router Advertisement messages

– Unlike in IPv4 deployments, where hosts are explicitly told where routers are (statically, via DHCPv4, etc.)

– Details of IPv6 router behaviour are out of scope

IPv6 routers also transmit additional information that is relevant to the links they serve, including but not limited to the following:

– Prefix information or information about prefixes that are in use or valid for a given link or links

– Flags that suggest how DHCPv6 should be used by nodes

Managed bit suggests use of stateful DHCPv6

Other bit suggests use of stateless DHCPv6

– Additionally the Autonomous bit indicates that auto-configuration should be used by nodes

Stateful DHCPv6

• Used when a DHCPv6 client wishes to be allocated an IPv6 address using DHCPv6

• Similar to DHCPv4 today, a DHCPv6 server will allocate one or more IPv6 addresses or prefixes to a DHCPv6 client

– DHCPv6 may leverage a four-message exchange (SOLICIT, ADVERTISE, REQUEST, REPLY), or

– Rapid Commit may be employed, which uses only two messages (SOLICIT, REPLY)

• Configuration options like DNS Server IPv6 Addresses (RFC3646) may or may not be requested and offered to the client

– Note that in DHCPv6 adherence to the Option Request Option is more rigidly evaluated and adhered to, unlike in DHCPv4 where the parameter request list is more of a hint
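The DHCPv6 wire format the earlier "Fundamentals" slide describes (1-byte message type, 3-byte transaction id, then 16-bit type/length TLV options) and the Rapid Commit exchange on this slide, worked as one example. This is added code, not from the original deck: a small encoder and a defensive parser for the option list (it rejects truncated or over-long options rather than reading past the buffer, which is the bug class to watch in any DHCPv6 implementation), a client SOLICIT carrying Rapid Commit and an Option Request Option, and the server-side REPLY that only includes DNS_SERVERS when the ORO asked for it, which is the stricter ORO handling the slide mentions. Message types and option codes are the RFC 3315 / RFC 3646 values; the transaction id and the DNS server addresses are constructed sample values, and IA_NA address assignment is left out.

```python
import ipaddress
import struct

# Message types and option codes from RFC 3315 / RFC 3646.
SOLICIT, ADVERTISE, REQUEST, REPLY, INFORMATION_REQUEST = 1, 2, 3, 7, 11
OPTION_ORO, OPTION_RAPID_COMMIT, OPTION_DNS_SERVERS = 6, 14, 23


def encode_option(code: int, value: bytes) -> bytes:
    """TLV: 16-bit option code, 16-bit length, then the value bytes."""
    return struct.pack("!HH", code, len(value)) + value


def build_message(msg_type: int, xid: int, options) -> bytes:
    """1-byte msg-type, 3-byte transaction id, then the option list."""
    if not 0 <= xid < (1 << 24):
        raise ValueError("transaction id is 24 bits")
    body = b"".join(encode_option(code, value) for code, value in options)
    return bytes([msg_type]) + xid.to_bytes(3, "big") + body


def parse_options(data: bytes) -> list:
    """Walk the TLV list, refusing headers or values that run past the buffer."""
    options, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 4:
            raise ValueError(f"truncated option header at offset {offset}")
        code, length = struct.unpack_from("!HH", data, offset)
        offset += 4
        if offset + length > len(data):
            raise ValueError(f"option {code} claims {length} bytes, only {len(data) - offset} left")
        options.append((code, data[offset:offset + length]))
        offset += length
    return options


def parse_message(data: bytes):
    if len(data) < 4:
        raise ValueError("shorter than the 4-byte DHCPv6 header")
    return data[0], int.from_bytes(data[1:4], "big"), parse_options(data[4:])


def requested_options(options) -> set:
    """Option codes the client listed in its Option Request Option."""
    codes = set()
    for code, value in options:
        if code == OPTION_ORO:
            if len(value) % 2:
                raise ValueError("ORO payload must be a list of 16-bit codes")
            codes.update(struct.unpack(f"!{len(value) // 2}H", value))
    return codes


def dns_servers(options) -> list:
    """Addresses carried in DNS_SERVERS options (RFC 3646), 16 bytes each."""
    out = []
    for code, value in options:
        if code == OPTION_DNS_SERVERS:
            if len(value) % 16:
                raise ValueError("DNS_SERVERS option must be a multiple of 16 bytes")
            out += [str(ipaddress.IPv6Address(value[i:i + 16])) for i in range(0, len(value), 16)]
    return out


def client_solicit(xid: int, want_dns: bool = True) -> bytes:
    """Client side of Rapid Commit: SOLICIT with Rapid Commit, optionally an ORO."""
    options = [(OPTION_RAPID_COMMIT, b"")]
    if want_dns:
        options.append((OPTION_ORO, struct.pack("!H", OPTION_DNS_SERVERS)))
    return build_message(SOLICIT, xid, options)


def server_reply(solicit: bytes, dns: list) -> bytes:
    """Server side: answer a Rapid Commit SOLICIT with a REPLY (same transaction id).
    DNS_SERVERS goes in only when the ORO asked for it."""
    mtype, xid, options = parse_message(solicit)
    if mtype != SOLICIT:
        raise ValueError(f"expected SOLICIT, got message type {mtype}")
    if not any(code == OPTION_RAPID_COMMIT for code, _ in options):
        raise ValueError("client did not offer Rapid Commit; use the four-message exchange")
    reply_options = [(OPTION_RAPID_COMMIT, b"")]
    if OPTION_DNS_SERVERS in requested_options(options):
        packed = b"".join(ipaddress.IPv6Address(s).packed for s in dns)
        reply_options.append((OPTION_DNS_SERVERS, packed))
    return build_message(REPLY, xid, reply_options)


if __name__ == "__main__":
    sol = client_solicit(0xABCDEF)                       # constructed sample xid
    rep = server_reply(sol, ["2001:db8::53", "2001:db8::54"])  # constructed sample servers
    print(parse_message(sol))
    print(dns_servers(parse_message(rep)[2]))
```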

Stateful DHCPv6

Stateful DHCPv6 with Rapid Commit

Stateful DHCPv6 with Relay Agent

Stateless DHCPv6

• Assumes one or more techniques used by a node to acquire one or more IPv6 addresses

– Static assignment

– Auto-configuration

• Stateless DHCPv6 is a two-message exchange (INFORMATION-REQUEST, REPLY) between a DHCPv6 client and server where configuration information only is provided (e.g. DNS server configuration where no IPv4 stack is present)

Stateless DHCPv6

DHCPv6 Server Preference Option

• The DHCPv6 server preference option carries the preference configured administratively for a DHCPv6 server

– Per RFC3315, DHCPv6 clients wait a specified amount of time and gather DHCPv6 server responses to their requests

– If a DHCPv6 server response contains a preference of less than 255, the client keeps gathering responses until that time expires

– No preference option indicates a preference of zero

– A preference of 255 means that no further waiting is required; this is the highest preference

• After waiting the specified amount of time, a DHCPv6 client must select the best response

DHCPv6 Reconfigure

Unlike that of DHCPv4, DHCPv6 Reconfigure affords a secure technique for DHCPv6 servers to interact with DHCPv6 clients

The Reconfiguration Key Authentication Protocol, as specified in RFC3315, is the mechanism used to enable this interaction securely

DHCPv6 clients must advertise support and willingness to enable Reconfigure

– The DHCPv6 server must obviously be enabled and support this behavior as well

After successfully negotiating willingness to support Reconfigure, DHCPv6 servers can be triggered to transmit Reconfigure messages to DHCPv6 clients

– Renew, Information-Request, or Rebind can result from the transmission of a Reconfigure message

Reconfigure Key Authentication Protocol does not imply support for DHCPv6 Authentication as specified in RFC3315

DHCPv6 Reconfigure

DOCSIS v3.0 – Data Over Cable Service Interface Specification (for cable modems)

IPv6 is supported by

Google, YouTube, Facebook

BitTorrent

World of Warcraft, Xbox, PS3

RFC5514 – IPv6 over Social Networks (1st April 09)

Conclusions and Recommendations

• DO

– Start now

– Evaluate your networks

– Experiment & Learn

– Plan your migration

– Harden your hosts

• DON’T

– Accept Private NAT IPv4 from an ISP unless IPv6 is offered alongside.

– Purchase new equipment without IPv6 support
